Post 74 - Picklenose, we hardly knew ye

23 Dec 2024

Task 20, Day 14 Certificate mismanagement Even if we’re horribly mismanaged, there’ll be no sad faces on SOC-mas!

Parts of a certificate:

• Public key: Part of the cryptographic keys, the public key is made available to anyone and is used to encrypt data.
• Private key: Other part of the keys, the private key remains secret and is used by the server/website to decrypt the data.
• Metadata: Provides additional information about the certificate holder (the website/server) and the certificate. Usually will contain info about the CA, subject (website/server), uniquely identifiable number, validity period, signature, and hashing algorithm.

How it Works

Breakdown of what happens with a certificate:

• Handshake: Browser requests a secure connection, website responds by sending a certifcate with only the public key and metadata.
• Verification: Browser checks validity by checking to see if it’s a trusted CA. If it is current, not tampered with, and a trusted CA, it’s a green light.
• Key exchange: Browser uses the public key to encrypt a session key, which encrypts all communications between the browser and the website.
• Decryption: Server uses its private key to decrypt the (symmetric) session key. Once both browser and website share a secret session key there is a secure and encrypted connection.

Self-Signed Certificates vs. Trusted CA Certificates

Browsers typically don’t trust self-signed certificates because there is no third-party verification. Just because you say you’re ths entity doesn’t mean you are. Being too trusting leads to man-in-the-middle attacks. Trusted CA certificates are verified by a CA that acts as a trusted third party to confirm an entity is who they say they are.

Attack Vector

Resolve the target website to self in order to prevent DNS logs from alerting others. echo "<ip-address> <web-address.tld>" >> /etc/hosts. Can confirm with cat /etc/hosts. Next, use Burp to set self up as the man-in-the-middle (mitm). Proxy > Intercept off > Proxy Settings. Add new listener for our IP address. Set to port 8080 and toggle on Specific address to specify own address. Burp comes with its own self-signed certificate, and since users were already used to clicking advanced and accept, it won’t phase them with this new cert.

Sniff From the Middle

Reroute all traffic to own machine by adding resolution for website to own IP, setting self up as gateway (full attack is more in depth, just out of scope for this task).

(Dummy mode for this task involves running a script to simulate interactions with the website. If in the wild, it’s not necessary.)

Go to HTTP History section of Burp to see intercepted requests.

The Task

Use the mitm attack to sniff out admin creds and find flags along the way.

Recommeded Stuff

Burp Suite module.