MyExpense is a vulnerable web application

My Expense Vulnerable Web Application

French version

Challenge details

  • Difficulty: Easy
  • Type: Realistic / Web (not a boot2root machine)
  • Technologies: PHP / MySQL
  • Network: DHCP

Description

MyExpense is a deliberately vulnerable web application that lets you train in detecting and exploiting different web vulnerabilities. Unlike a more traditional "challenge" application (which trains you on a single specific vulnerability), MyExpense contains a set of vulnerabilities that you need to exploit to complete the whole scenario.

Point of attention

As the application is deliberately vulnerable, it should not be exposed on the Internet, where people other than you would be able to reach it. Run it in a virtual machine (for example with VirtualBox) and restrict connectivity to the link between the host and the vulnerable machine (Host Private Network mode).

For training purposes, it is advised not to use tools to detect or exploit vulnerabilities (vulnerability scanners, etc.) and not to read the application source code (black-box mode).

Scenario

You are "Samuel Lamotte" and you have just been fired by your company, "Furtura Business Informatique". Unfortunately, because of your hasty departure, you did not have time to validate the expense report for your last business trip, which still amounts to 750 € for a return flight to your last customer.

Fearing that your former employer may not want to reimburse this expense report, you decide to hack into the internal application called "MyExpense", which is used to manage employee expense reports.

So you are in your car, in the company car park, connected to the internal Wi-Fi (the key has still not been changed since your departure). The application is protected by username/password authentication and you hope that the administrator has not yet modified or deleted your access.

Your credentials were: samuel/fzghn4lw

Once the challenge is done, the flag will be displayed on the application while being connected with your (samuel) account.

Downloading the virtual machine

It is easier to get the application by directly downloading the virtual machine in .vbox format: MyExpense Virtual Machine

The machine is in DHCP configuration, finding its IP address is part of the challenge.

Reinit the application database

It is possible to restore the application database so that you can restart from the initial state. To do this, go to the URL http://ip/config/setup.php, then click on Create/restore the database. A message indicating that the operation has been carried out successfully should appear:

Install from sources

Operating system

The installation has been tested on Debian 9 Linux.

Packages installation

First of all, install the Apache web server, PHP and the MySQL database packages (MySQL is provided by MariaDB on Debian 9):

# apt-get install apache2 mysql-server php php-mysql

Then:

# rm /var/www/html/index.html

Installation from Git

You can install the git tool to download the application source files, or download the ZIP archive directly from GitHub.

With Git tool

# apt-get install git
# cd /tmp
# git clone https://github.com/Sharpforce/MyExpense.git

Then move the source code into the Apache directory /var/www/html/:

# mv /tmp/MyExpense/src/* /tmp/MyExpense/src/.htaccess /var/www/html/

From Zip file

It may be necessary to install unzip in order to extract the zip file:

# apt-get install unzip

Then, extract the zip file:

# cd /tmp
# wget https://github.com/Sharpforce/MyExpense/archive/master.zip
# unzip master.zip
# mv /tmp/MyExpense-master/src/* /tmp/MyExpense-master/src/.htaccess /var/www/html

Apache2 configuration

A modification must be made in the Apache2 configuration file to enable the .htaccess file:

# vim /etc/apache2/apache2.conf

Change the AllowOverride None line to AllowOverride All in the <Directory /var/www/> section:

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
</Directory>

Restart Apache2 server:

# service apache2 restart

Database configuration

# mysql -u root

Create a new database user for the application (the grant below gives it every privilege on every database, which is only acceptable on an isolated lab VM):

MariaDB [(none)]> grant all on *.* to MyExpenseUser@localhost identified by 'password';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> quit
Bye

Now enter this information in the configuration file of the MyExpense application:

# vim /var/www/html/config/config.inc.php

Then change the connection information:

  // Database Configuration
  $_bdd = array();
  $_bdd['server'] = "127.0.0.1";
  $_bdd['port'] = "3306";
  $_bdd['user'] = "MyExpenseUser";
  $_bdd['password'] = "password";
  $_bdd['database'] = "myexpense";

Creation of the database

The MyExpense setup page should now be accessible at http://ip/config/setup.php (an error may be displayed as long as the database has not been created yet):

Verify the database information, then click on Create/Restore the database:
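A post-install sanity check, added here as an example and not part of the MyExpense project: it parses the two settings edited above (the AllowOverride value of the <Directory /var/www/> block in apache2.conf and the $_bdd array in config/config.inc.php) from constructed copies of those files and flags the mistakes that most often leave setup.php failing. The sample texts are embedded so it runs offline; read the real files into the two functions to check a live VM.

```python
import re

# Constructed copy of the <Directory /var/www/> block this README edits in apache2.conf.
APACHE_CONF = """<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
</Directory>
"""

# Constructed copy of the $_bdd block from config/config.inc.php.
CONFIG_INC = """  // Database Configuration
  $_bdd = array();
  $_bdd['server'] = "127.0.0.1";
  $_bdd['port'] = "3306";
  $_bdd['user'] = "MyExpenseUser";
  $_bdd['password'] = "password";
  $_bdd['database'] = "myexpense";
"""

def parse_bdd(php_text):
    """Return the $_bdd['key'] = "value"; assignments as a dict."""
    pat = re.compile(r"""\$_bdd\['(\w+)'\]\s*=\s*["']([^"']*)["']\s*;""")
    return dict(pat.findall(php_text))

def allow_override_for(apache_text, directory):
    """Return the AllowOverride value inside <Directory directory>, or None."""
    block = re.search(r"<Directory\s+%s\s*>(.*?)</Directory>" % re.escape(directory),
                      apache_text, re.S)
    if not block:
        return None
    m = re.search(r"^\s*AllowOverride\s+(\S+)", block.group(1), re.M)
    return m.group(1) if m else None

def check_install(apache_text, php_text):
    """Return the list of problems found; an empty list means the setup looks sane."""
    problems = []
    if allow_override_for(apache_text, "/var/www/") != "All":
        problems.append("AllowOverride is not All: .htaccess will be ignored")
    bdd = parse_bdd(php_text)
    for key in ("server", "port", "user", "password", "database"):
        if not bdd.get(key):
            problems.append("config.inc.php: $_bdd['%s'] is missing or empty" % key)
    # The grant in this README is for MyExpenseUser@localhost, so a remote server cannot match it.
    if bdd.get("server") not in ("127.0.0.1", "localhost"):
        problems.append("database server is not local but the user was granted @localhost")
    return problems

if __name__ == "__main__":
    for p in check_install(APACHE_CONF, CONFIG_INC) or ["setup looks sane"]:
        print(p)
```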

Installation of user scripts (bots)

The application is now installed and functional. To complete the proposed challenge and make the experience a little more immersive, you also need to install the employee scripts (which simulate users).

Move the scripts present in the /var/www/html/config directory to another directory, for example /opt:

# mv /var/www/html/config/login_collab1_script.py /opt
# mv /var/www/html/config/login_collab2_script.py /opt
# mv /var/www/html/config/login_manager_script.py /opt
# mv /var/www/html/config/login_admin_script.py /opt

The scripts require several packages/components to work (Python, Selenium WebDriver and PhantomJS). First install Python:

# apt-get install python python-pip libfontconfig

Then Selenium:

# pip install selenium

And finally PhantomJS:

# wget https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2
# tar xvjf phantomjs-2.1.1-linux-x86_64.tar.bz2
# cp phantomjs-2.1.1-linux-x86_64/bin/phantomjs /usr/bin/

You can now run the scripts directly and start attacking the application (accessed through your web browser):

# python -W ignore /opt/login_collab1_script.py &
# python -W ignore /opt/login_collab2_script.py &
# python -W ignore /opt/login_manager_script.py &
# python -W ignore /opt/login_admin_script.py &

But it is simpler to run the scripts at boot time so that you do not have to start them by hand every time:

# vim /etc/systemd/system/rc-local.service

Add the following lines in this file:

[Unit]
Description=/etc/rc.local Compatibility
ConditionPathExists=/etc/rc.local

[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes
SysVStartPriority=99

[Install]
WantedBy=multi-user.target

Create rc.local file:

# vim /etc/rc.local

Add the following lines in this file:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

/usr/bin/python /opt/login_collab1_script.py > /dev/null 2>&1 &
/usr/bin/python /opt/login_collab2_script.py > /dev/null 2>&1 &
/usr/bin/python /opt/login_manager_script.py > /dev/null 2>&1 &
/usr/bin/python /opt/login_admin_script.py > /dev/null 2>&1 &

exit 0

Add the scripts at system startup:

# chmod +x /etc/rc.local
# systemctl enable rc-local

Then reboot the machine:

# reboot

The installation is now complete; the application is available at http://your_ip/.