CSC347: Assignment 2
Assignment 2
Due: Nov. 3, 2021 11:58PM
Late penalty: 20% if handed in up to 48 hours late. Not accepted after that.
Hand in:
Please submit your solution
electronically on Markus (directories and files; no compressed files please)
Groups: Groups of size 1 or 2.
Note:
The assignment is to be done using the Ubuntu804Server_owasp Virtual Machine (same as for L5) found in
scp -r .utoronto.ca:/virtual/csc347/Ubuntu804Server_owasp.zip .
$ md5sum Ubuntu804Server_owasp.zip
85f5dbdaa4f5df7b11c7c9571583bec9 Ubuntu804Server_owasp.zip
$ sha256sum Ubuntu804Server_owasp.zip
d8d29bd28e8c3450180b62c4676716f8ac28af53694b056db86fc9cf60dcac34 Ubuntu804Server_owasp.zip
as well as a Kali Linux VM configured to use NAT.
This allows Kali to talk both the the outside internet as well as the Ubuntu804_owasp server.
We will run your exploits/solutions on an unmodified Ubuntu804Server_owasp.
Software Security
[20 Marks] Ubuntu804Server_owasp running fourFours.
This web application is available at http://192.168.10.100/fourFours/ .
The fourFours web application has many vulnerabilities. For this exercise, we will explore
some of the vulnerabilities and then fix them. /var/www/fourFours/index_fixed.php
has directions outlining the vulnerabilities in the application as well as how you can fix them
as outlined in a2/softwareSecurity/index.html
For SQL Injection, please use SQLMAP in Kali Linux to attack index.php
What you need to do: change index_fixed.php so that the vulnerabilities are index_fixed; complete the html files in a similar fashion to printf.html and the reports from a1 (provide details, make it easy for the TAs to award you points).
You will have to learn about new vulnerabilities (listed in *.html files), exploits and how to fix them in addition to the ones we have covered in lectures.
Please refer to the index.html file for more reference.
For reference, please take a look at
The OWASP Top 10 (2013 edition).
Some pointers: To change to root, execute
sudo bash
entering arnold’s password. This user is in the sudoers group. You can find the web application in the directory /var/www.
System Security
[2 Marks] Tripwire has been installed on the Ubuntu804_owasp server.
Your job is to complete the setup of tripwire by building the database. We set all pass-phrases to “pass-phrase”.
init the tripwire database
run a tripwire check
produce a report and submit the report
[10 Marks]
If an attacker has physical access to a system, they own the system. You are going to prove this right now… (take a snapshot of the VM before you start)
You are now an attacker who has snuck into the server room.
You have ‘physical access to the Ubuntu804_owasp server’ and have brought along your Kali linux laptop.
[5 Marks]
Document the steps you took to ‘take the drive out of the Ubuntu804_owasp VM
and place it in the Kali VM’. So you will have to turn off the Ubuntu804_owasp VM.
Note: As a defender, this technique is useful for data recovery as well!!!
[3 Marks]
Copy the shadow file to the Kali VM and see if you can determine some of the passwords
using John the ripper (submit username:passwords which you detect; note: do not melt your computer).
[2 Marks]
Modify user sid so that they are now a root user with password ‘password’.
[0 Marks]
‘Remove the hard disk from Kali and place it back in the Ubuntu804_owasp vm’, start it up,
and verify that sid can now login with password ‘password’ and has root.
Have sid
touch /bin/cat
touch /bin/ps
and then logout. You can imagine that the attacker could have even modified these
for some other purposes, like installing a rootkit. The attacker then logs out.
[6 Marks] You are now the sysadmin again. Examine the system to see if there was evidence of tampering.
[2 Marks] Run tripwire again to see if anything has changed.
Submit your tripwire report. Did tripwire identify any changes that might cause some concern.
[4 Marks]
Take a look at
last # this is a command
uptime # this is a command
/var/log/* # these are log files
.bash_history # what is this, whos should you look at and why are you looking?
and report what these tell you about a possible compromise.
[2 Marks] Document updates to policy that would prevent the above attack or aid in recovery.
[2 Marks] Report on what the attacker could have done to leave fewer traces than they did in this attack.
What would you do to detect a compromise even in this case?
Bonus
[4 Marks] Guest speaker: You will receive 4 marks for attending the guest speaker presentation
on either Oct. 28th or Oct. 29th). This is a bonus, so you could receive 46/42 points on this assignment.
End of A2