COMP5618 – Applied Cybersecurity S2 2024
Assignment 2
Due: Sunday the 13th of October, 2024 23:59
Assignment worth 15% of your final mark
This is an individual assignment
Task Introduction
You are given access to two vulnerable images on the Hack the Box platform, named Rental and Invalidated, for the COMP5618 Assignment dedicated lab.
Rental is a Linux machine that features an Apache server hosting the Car Rental Management System application. Research reveals that it suffers from SQL injection and Arbitrary File Upload vulnerabilities. The SQL injection vulnerability is leveraged in order to gain access to the administrative panel, upload PHP code and gain a reverse shell. Post-exploitation enumeration reveals a set of credentials for the MySQL database, which is running in the context of the manager user. The database user is found to have FILE privileges, which are used to read the Bash history file of the service user. The history file contains the user's password passed over the command line, allowing us to move laterally. Examination of sudo permissions reveals that the user can execute htop as root. Through the htop command, a script running in the context of root is identified, and the environment variables of the process can be read. The environment variables of the script contain the root password.
Invalidated is a business logic machine that showcases how improper input validation can lead to authentication bypass and SQL injection. The former can be achieved by sending an empty ({}) JSON request to sign in on the platform, which results in the first user being returned, in this case the admin user. Next, it is possible to exploit SQL injection through the JSON parameter names.
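As an added illustration of the Invalidated sign-in flaw (this is example code written for this brief, not code from either HTB machine or the assignment): a Python handler that builds its query from whatever JSON keys the client sends, beside a hardened version that fixes the query text, allowlists the fields and parameterises the values. The in-memory users table, its rows and the function names are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the HTB machine); passwords are plaintext for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "admin-secret", "admin"), ("alice", "alice-secret", "user")],
    )
    return conn


def login_vulnerable(conn, body):
    """Builds the WHERE clause from the client's JSON keys.

    Two defects: an empty body yields no WHERE clause, so the first row (the admin)
    is returned; and the key names are pasted into the SQL as column names, so
    the client controls part of the query text, not just the values.
    """
    clauses = [f"{key} = ?" for key in body]  # key names become SQL
    sql = "SELECT username, role FROM users"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " LIMIT 1"
    return conn.execute(sql, list(body.values())).fetchone()


ALLOWED_FIELDS = ("username", "password")


def login_hardened(conn, body):
    """Fixed query text, exact set of expected fields, values bound as parameters."""
    if not isinstance(body, dict) or set(body) != set(ALLOWED_FIELDS):
        return None  # missing, extra or renamed fields are rejected outright
    if not all(isinstance(body[k], str) and body[k] for k in ALLOWED_FIELDS):
        return None  # empty strings or non-string values are rejected
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ? LIMIT 1"
    return conn.execute(sql, (body["username"], body["password"])).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, empty body:", login_vulnerable(db, {}))  # returns the admin row
    print("hardened, empty body:  ", login_hardened(db, {}))    # returns None
```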
The Report
You need to complete the 10 questions for the Rental image and obtain the root flag on the Hack the Box platform. Your report should include detailed steps with supporting snapshots, covering Enumeration, Foothold, SQL Injection, Arbitrary File Upload, Lateral Movement, and Privilege Escalation, along with the answers to the questions and the flags. Additionally, provide recommendations for addressing the discovered vulnerabilities, supported by proper references.
For the Invalidated image, you should answer the five questions and capture both the user and root flags on the Hack the Box platform. Your report should detail the steps with supporting snapshots, including Enumeration, SQL Injection, and JSON Sign-In Requests, as well as the answers to the questions and the flags. Also, discuss the recommended steps for mitigating the found vulnerabilities, with appropriate references.
Submission Details
Your report is due by 23:59 Sunday 13th of October.
Please submit your report in the "Assignment" section of Canvas.
The allowed submission format is PDF only (not DOCX).
Questions and flags must be answered in the HTB platform.
A video should be submitted, demonstrating your conducted steps. Your username should appear in the recording. The recording should be up to 10 minutes MAX.
Late submissions will be penalised according to the late submission policy.
Plagiarism will not be tolerated and your assignment will be submitted to a plagiarism checking service.
Marking
Your report is worth 15% of your overall grade for the course.
● Answering Questions and Capturing Flags (10 points total):
o You will receive 0.5 points for each correctly answered question/flag, up to a total of 19 questions/flags on the HTB platform. Each answer must be both demonstrated and explained in your report, clearly outlining the steps you followed, the objective of each step, and the results you obtained. Additionally, a video demonstration (showing your username) is required to showcase the conducted steps (no explanation is needed in the video, only the execution of commands/steps). If either the video or the report is missing, your answers will NOT be accepted.
● Recommendations (3 points total):
o You will receive 0.5 points for each relevant recommendation provided for the discovered vulnerabilities. You must provide three recommendations for each box. Each recommendation must be clearly explained and supported in your report, with proper referencing.
● Report Structure (2 points total):
o You will be marked based on the report structure, cover page, organization, references and English grammar.
Your report will be marked according to the following rubric; the maximum score is 15 marks.

| Criterion | Novice | Competent | Proficient |
|---|---|---|---|
| Answering questions and capturing flags | 0: No important issues identified or described. | 1-5 (0.5 each question/flag): up to 10 questions/flags were answered and explained in the report and demonstrated in the video. | 7-10 (0.5 each question/flag): more than 10 and up to 20 questions/flags were answered and explained in the report and demonstrated in the video. |
| Recommendations | 0: Recommendations are missing, irrelevant or ineffective. | 1-2 (0.5 each recommendation): up to 4 relevant recommendations are listed and explained. | 2-3 (0.5 each recommendation): more than 4 and up to 6 related recommendations are listed and explained. |
| Report Structure | 0: Report structure is unorganised and difficult to read. | 1: Report conveys information effectively but lacks professionalism. | 2: Report is professional and well written, i.e., well formatted and presented. No English or grammar mistakes. |