Thursday, April 4, 2013

HomeLab Headaches Ep.9

I think I got this working now, the Webscarab that is.  I read the configuration part over and over and OVER AGAIN
"
During the actual tutorial at the conference, you will be in a dedicated wireless network where 
no such HTTP proxy is needed; accordingly, please delete the proxy settings in WebScarab at 
the start of the tutorial. However, to test WebScarab at your current location, you will need to 
enter the HTTP proxy settings that apply to you there (the instructor cannot help you to find 
out these settings; please ask a colleague or your help desk if you don’t know these settings). 
Here is an example for the HTTP proxy settings (do not copy: these are valid only within the 
instructor’s company network): 
"

Between that and reading the error message on the terminal window where I start the Webscarab I figured it out.  At first I started Googling the error messages from the Firefox error page below


WebScarab encountered an error trying to retrieve

GET http://127.0.0.1:8080/WebGoat/attack HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130308 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: JSESSIONID=608FFA0267805397313D8AB48E491DB6
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=

The error was :

proxy.proxy.com
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:175)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
at java.net.Socket.connect(Socket.java:546)
at org.owasp.webscarab.httpclient.URLFetcher.connect(URLFetcher.java:368)
at org.owasp.webscarab.httpclient.URLFetcher.fetchResponse(URLFetcher.java:229)
at org.owasp.webscarab.plugin.proxy.RevealHidden$Plugin.fetchResponse(RevealHidden.java:100)
at org.owasp.webscarab.plugin.proxy.ManualEdit$Plugin.fetchResponse(ManualEdit.java:243)
at org.owasp.webscarab.plugin.proxy.ConnectionHandler.run(ConnectionHandler.java:233)
at java.lang.Thread.run(Thread.java:679)


I couldn't find a straight answer but everything kept stating "Creates a socket and connects it to the specified address on the specified port" so I started thinking "WTF! Am I? ME!? Going to have to set up and configure a local proxy on this machine for it to work?"  I went back to the Configuration instructions and something stuck out


During the actual tutorial at the conference, you will be in a dedicated wireless network where 
no such HTTP proxy is needed; accordingly, please delete the proxy settings in WebScarab at 
the start of the tutorial


A thought came to mind "Maybe, just maybe I DON'T have to set up a proxy in Webscarab.  My server is not connected to the internet or any network for that matter."  So I deleted the proxy settings in Webscarab and once again tried to browse to http://127.0.0.1:8080/WebGoat/attack.  Webscarab opens as it does in intercept mode and then I hit "Accept Changes" and BAM! I get the Webgoat login prompt. YAY!!!!!!!!!!!

That's it for now, until I run into another issue to document. PEACE! (^__^)v

HomeLab Headaches Ep.8

Oh Webgoat, you have tricked me once again.  Monday night I thought I had it all done since I got the login prompt and was able to login.  I called it a night at around 0030 and went to sleep.  Last night I was excited to start learning what Webgoat had in store to teach me.  I get started on the General section and I get down to useful tools and come across Webscarab.  I knew it was one of the required tools for Webgoat and had it downloaded and I had even tried running it once to make sure it was working (to the extent of my knowledge it was).

I read something about a proxy, which is Webscarab, and it has an intercept mode, which if I understand this correctly means all the http traffic goes through Webscarab and I can analyze it and edit it and/or pass it through.

First problem was setting up the proxy, I was setting proxy as proxy.proxy.com using port 1337.  Set Firefox to use proxy for http to the same and it would not allow traffic through.  I played around with different settings and still couldn't get it to work or Webscarab to see the traffic either.  So I knew it was something I was doing wrong with the proxy.  I kept going back to the OWASP page trying to find clues to what I am doing wrong.  The install for Linux was simple, just run

java -jar ./webscarab-selfcontained-[numbers].jar

Which to me just doesn't look like an install, it's just telling java to run this particular .jar file.  So I decided to look in the Windows installation instructions.  On there I got a clue as to what I was doing wrong, which was the proxy settings in Firefox.  I was setting the proxy to proxy.proxy.com but it looks like I'm supposed to set it to localhost, but I set the port to 1337 which is the port I set on the Webscarab. DIDN'T WORK.  I looked at the Terminal window and I saw "Listener something something: 8008".  I thought "Why is Webscarab listening to port 8008.  If Webscarab is supposed to intercept my http traffic then I should send it to that port"

So I did, I set the Firefox proxy to localhost port 8008.  YAY! That worked for Webscarab to intercept the traffic, but when I hit accept changes to let the traffic through to the server it vomits some java errors at me.

I toyed with some of the settings and can't get the traffic to pass through to the Webgoat server.  Tonight I shall do some more Googling to see if I can figure this out.

The hardest part of all of this is that I'm doing all of this by myself.  I have no one but Google to depend on for help.  Which is cool because it just helps me figure things out on my own which I like because I learn more that way, but when I get frustrated and get lost trying to figure something out or I fix something or find a fix but don't know how it actually fixed or what it does it sucks because then I'm not really learning.  I wish I had someone that I could bounce ideas off of or ask how and why.  MEH! Nothing I can do but keep on going.

One thing I created myself was a .sh to run the java command above so I can start Webscarab easier.  It was nothing special at all, all I did was put that command in the text editor and name it run_webscarab.sh.  To me I got excited because I've only created simple .bat scripts at work so for me to create something like this, in linux, on my own just by thinking about it and trying and it actually working on the first try, was pretty cool.  I didn't even know if it was going to work and if the correct file type that I had to save was .sh but I tried it anyways and BAM it worked. YAY!!!!

Wednesday, April 3, 2013

HomeLab Headaches Ep.7

For a few days I've been fighting with setting up WebGoat, this is how it went down

Day1: (Sometime last week, prolly Monday because the wife-unit00 and I spent the rest of the week cleaning the apartment because my parental-units were visiting) -  Server setup

Setting up server number 2 for web app pentesting, OS and I decided to just stick with CentOS, installed the WebServer option with Desktop which means I checked off WebServer and then customized it by adding everything in the desktop option minus KDE desktop since I prefer the GNOME desktop.

Downloaded everything that I needed for WebGoat which at first seems a bit trivial, but I found the SourceForge that had the web goat stuff.  Downloaded it.

I've never messed around with web servers and know absolutely nothing about them so this is completely new to me.

Next I downloaded Java which was a bit painful to find, downloaded and installed Java1.5_11

I followed the instructions on WebGoat's website to edit the .sh file
Change "1.5" on lines 17, 19, and 23 of webgoat.sh to "1.6".

After editing the webgoat.sh I ran sh webgoat.sh start8080, got error
Please set JAVA_HOME to a Java 1.6 JDK install or JVM Is not 1.6

So I thought maybe I don't have Apache installed even though I chose the "WebServer" install option.  I then learned that there are different flavors of Apache and I needed Apache Tomcat.  So here we go.

I download Tomcat Apache and installed it, to the best of my knowledge.  I reboot, for the sake of rebooting.


Once again I run sh webgoat.sh start8080, and again I got error
Please set JAVA_HOME to a Java 1.6 JDK install or JVM Is not 1.6

I then looked into setting the "JAVA_HOME", found this Cyberciti.biz post, I set my JAVA_HOME

export JAVA_HOME=/usr/java/jdk1.5.0_11/

export PATH=$PATH:/usr/java/jdk1.5.0_011/bin

Once again I run sh webgoat.sh start8080, and again I got error
Please set JAVA_HOME to a Java 1.6 JDK install or JVM Is not 1.6


I shutdown and called it a day... night.

Day2: (4/2) I said, let's try from the beginning again.  I noticed that I had installed jdk1.5.0_11 instead of a version 6.  This was probably due to tiredness and close to midnight hours lol, whatever the reason may have been.
First thing first, remove old java, I used

rm -r -f /usr/java/jdk1.5.0_11


Downloaded jdk6 (jdk1.6.0_20) and installed it following this post from stackoverflow, which covered install for both jdk and tomcat. COOL COOL.  I thought I had it figured out and was on my way to getting my webgoat on... yea ok, that was quickly shut down by another "Please set JAVA_HOME to a Java 1.6 JDK install or JVM Is not 1.6".
NOTE: I didn't follow stackoverflow's post to the letter.  I installed java just by running the rpm.bin.  Mostly followed it more for the variable sets JAVA_HOME, PATH, CLASSPATH, etc


export JAVA_HOME=/usr/java/jdk1.6.0_20
export PATH=$PATH:$JAVA_HOME/bin
export CLASSPATH=.:$JAVA_HOME/jre/lib:$JAVA_HOME/lib:$JAVA_HOME/lib/tools.jar

export TOMCAT_HOME=/usr/local/tomcat
export CATALINA_HOME=/usr/local/tomcat
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib


I then remembered that the WebGoat install page mentioned that version 5 didn't need tomcat or java installed.  So I tried pointing the JAVA_HOME to the java folder in the Webgoat 5.2 folder, no luck.  Made no difference.

I started googling for answers or to see if anyone else had this same problem.  Some did, I saw a post about someone having the same problem in Ubuntu but it was fixed by installing Java... that didn't help. I was clueless but not THAT clueless.  I then came across WebGoat's GoogleCode page that had a newer version, version 5.4.  Looked in the README-5.4 and it mentioned that Java and Maven needed to be installed separately. Well Maven was just another Apache flavor and to my luck I had already installed Java1.6 and Tomcat.  I download Webgoat5.4 zip and extract it.  In "Option 4: Run from the WebGoat 5.X Standard distribution (Ubuntu)" all it said was run " ./webgoat.sh start8080".  I did and I got a "Permission denied"  WTF?!?!? Permission denied?  I'm fucking root.  I then remembered I had seen somewhere else someone mentioned chmod +x on the webgoat.sh file and I ran the chmod +x

chmod +x webgoat.sh

Once again I ran ./webgoat.sh start8080 and now I got the same error message that I've been getting the dreaded "Please set JAVA_HOME to a Java 1.6 JDK install or JVM Is not 1.6"

At this point I'm steaming and frustrated.  Once again I go back to Google, but this time I come across my light at the end of the tunnel, carnal0wnage.attackresearch.com had an old post about the same problem.  So I followed their instructions and removed the Java check shit from the beginning of the webgoat.sh

Below is a copyPasta of my webgoat.sh file.  If anyone from webgoat wants me to take this down just email me.  I don't know if this is ok or not but just email me and I'll take it down, otherwise it's here for my historical reference and to help others


#! /bin/sh

SYSTEM=`uname -s`
CATALINA_HOME=./tomcat
PATH=${PATH}:./tomcat/bin
export CATALINA_HOME PATH
export JAVA_HOME=/usr/java/jdk1.6.0_20
chmod +x ./$CATALINA_HOME/bin/*.sh


case "$1" in
    start80)
        cp -f $CATALINA_HOME/conf/server_80.xml $CATALINA_HOME/conf/server.xml
        $CATALINA_HOME/bin/startup.sh
        printf "\n  Open http://127.0.0.1/WebGoat/attack"
        printf "\n  Username: guest"
        printf "\n  Password: guest"
        printf "\n  Or try http://guest:guest@127.0.0.1/WebGoat/attack \n\n\r"
        sleep 2
        tail -f $CATALINA_HOME/logs/catalina.out
    ;;
    start8080)
        cp -f $CATALINA_HOME/conf/server_8080.xml $CATALINA_HOME/conf/server.xml
        $CATALINA_HOME/bin/startup.sh
        printf "\n  Open http://127.0.0.1:8080/WebGoat/attack"
        printf "\n  Username: guest"
        printf "\n  Password: guest"
        printf "\n  Or try http://guest:guest@127.0.0.1:8080/WebGoat/attack \n\n\r"
        sleep 2
        tail -f $CATALINA_HOME/logs/catalina.out
    ;;
    stop)
        $CATALINA_HOME/bin/shutdown.sh
    ;;
    *)
        echo "Usage: $0 {start8080|start80|stop}"
        exit 1
    ;;
esac
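
An added example, not part of the original post or of WebGoat's own script: instead of deleting the Java check, this reports what JAVA_HOME actually points to before webgoat.sh runs. The function names and return codes are made up for illustration, and the parsing assumes the first line of `java -version` looks like `java version "1.6.0_20"`.

```shell
#!/bin/sh
# Added example (not WebGoat code): check JAVA_HOME before running webgoat.sh.

# Print "major.minor" (e.g. 1.6) from the first line of `java -version` text.
# Assumes the usual first line: java version "1.6.0_20"
parse_java_version() {
    printf '%s\n' "$1" | sed -n '1s/.*version "\([0-9]*\.[0-9]*\).*/\1/p'
}

# check_java_home WANT [VERSION_TEXT]
# Returns 0 = ok, 1 = JAVA_HOME unset, 2 = no java binary there, 3 = wrong version.
# VERSION_TEXT is optional and only used to feed constructed samples.
check_java_home() {
    want=$1
    if [ "$#" -ge 2 ]; then
        out=$2
    else
        [ -n "$JAVA_HOME" ] || { echo "JAVA_HOME is not set" >&2; return 1; }
        [ -x "$JAVA_HOME/bin/java" ] || {
            echo "no executable at $JAVA_HOME/bin/java" >&2; return 2; }
        # java -version writes to stderr, so merge it into stdout
        out=$("$JAVA_HOME/bin/java" -version 2>&1)
    fi
    got=$(parse_java_version "$out")
    if [ "$got" = "$want" ]; then
        return 0
    fi
    echo "JAVA_HOME gives Java '$got', wanted $want" >&2
    return 3
}

# Constructed samples: the two JDKs named in this post.
for sample in 'java version "1.5.0_11"' 'java version "1.6.0_20"'; do
    if check_java_home 1.6 "$sample" 2>/dev/null; then
        echo "$sample -> ok"
    else
        echo "$sample -> rejected"
    fi
done
```

Call `check_java_home 1.6` with no second argument in the same shell that will run `./webgoat.sh start8080`, since a JAVA_HOME exported in one terminal does not carry over to another.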