Category: Cyber Security

For this assignment you will exploit a real world vulnerability: Log4Shell. This

Posted on | by Linus | Leave a Comment on For this assignment you will exploit a real world vulnerability: Log4Shell. This

For this assignment you will exploit a real world vulnerability: Log4Shell.
This will be a capture-the-flag style project where you will exploit a web application with a vulnerable version of log4j.
A correct solution will output a ‘flag’ or ‘key’. There are 7 tasks to complete for 7 total flags. 6 required and 1 extra credit for a possible total of 102%. You will submit these flags in json format to Gradescope for grading in a file named project_log4shell.json.
There is a template in the /home/log4j/Desktop/log4shell folder of the VM: project_log4shell.json. Copy this file and fill out the appropriate values for the flags found. Submit this file to Gradescope for immediate feedback with the autograder. Your grade will be reflected here in Canvas after the assignment has closed.
I will share the vm link and username and password
attached the instructions

See the instructions file attached for details instructions for this project. To

Posted on | by Linus | Leave a Comment on See the instructions file attached for details instructions for this project. To

See the instructions file attached for details instructions for this project. To successfully complete your project on modern web-based API security principles, you will need to follow the instructions provided for finding the flags. Here’s a structured approach based on the information given: FIND FLAG 1-7 AND SEE THE INSTRUCTOINS FILE FOR SUBMISSION INSTRUCTIONS THANKS ( the zip file has everything for flags after you set up vm you follow the zipfile attached instructions)
Setup Instructions
Virtual Machine Access:Download the VM from the provided link: CS6035-Fall-2024-RC2.ova.
Ensure you have VirtualBox 7.0.18 or higher installed.
Log into the VM using the credentials:Username: apisec
Password: Chris_Cornell
Starting the API:Open a terminal in the VM.
Run the command:
bash
./StartContainer.sh
Access the Swagger documentation by navigating to http://localhost:5001/swagger/index.html in Chrome.
Required Header:Make sure to include your GATECH_ID as a required header in your API calls.
Flag Collection
You will need to find and submit flags based on specific tasks outlined below.
FLAG 1: Swagger Intro (10 pts)
Create a new programming language named “SpaceScript++”.
Write a review titled “A Galactic Odyssey in Code, enhanced” with a rating of 4 by reviewer “Kara Thrace”.
Reply to this review as “Gaius Baltar” with the text “Fascinating, but lacks a certain logical coherence.”
Delete the programming language to reveal your flag.
FLAG 2: Stolen Credentials (15 pts)
Use Swagger to find an endpoint for creating new reviewers.
Look for credentials related to a recent data breach and use them to obtain an auth token.
Use this token to create a new reviewer with username “daylight” and full name “Day Light”.
FLAG 3: JWT Intro (15 pts)
Call the “flag3token” GET API to get your JWT token.
Parse the token and use its values to create a payload.
POST this payload back to the “flag3token” API.
FLAG 4: Hack JWTs – #1 (15 pts)
Use your credentials as “python_guru1” and password “The_sql_injection_vulnerabilities_are_false” to get your token.
Modify this token to gain moderator privileges and delete bad PHP reviews.
FLAG 5: Hack JWTs – #2 (20 pts)
Obtain a normal JWT token using username “Jackson5587” and password “Blasphemy2”.
Attempt to access top-secret programming languages by modifying your token with an additional claim.
FLAG 6: Hack JWTs – #3 (15 pts)
Retrieve a weak JWT token from the flag6token API.
Analyze and decrypt the weak key, then use it to access restricted APIs.
FLAG 7: Broken Access Control (10 pts)
Find an API that provides user details.
Use this information to reset an admin user’s password, allowing access to their account.
Submission Instructions
Collect all flags you retrieve into a JSON format as specified:
json
{
“flag1”: “”,
“flag2”: “”,
“flag3”: “”,
“flag4”: “”,
“flag5”: “”,
“flag6”: “”,
“flag7”: “”
}
Save this JSON file as project_apisecurity.json in your VM.
88dd181d1f368569f0

API Security Assignment: You will be learning about modern web-based API securit

Posted on | by Linus | Leave a Comment on API Security Assignment: You will be learning about modern web-based API securit

API Security Assignment:
You will be learning about modern web-based API security principles in this project. These APIs are extremely popular ways of sharing data and integrating enterprise software systems. Understanding how they work and security best practices are paramount to a well rounded security expert.
You’ll use the same virtual machine you’ve been using.
I will share username and password of the vm
Attached the instructions.

API Security Assignment: You will be learning about modern web-based API securit

Posted on | by Linus | Leave a Comment on API Security Assignment: You will be learning about modern web-based API securit

API Security Assignment:
You will be learning about modern web-based API security principles in this project. These APIs are extremely popular ways of sharing data and integrating enterprise software systems. Understanding how they work and security best practices are paramount to a well rounded security expert.
You’ll use the same virtual machine you’ve been using.
I will share username and password of the vm
Attached the instructions.

See the instructions file attached for details instructions for this project. To

Posted on | by Linus | Leave a Comment on See the instructions file attached for details instructions for this project. To

See the instructions file attached for details instructions for this project. To successfully complete your project on modern web-based API security principles, you will need to follow the instructions provided for finding the flags. Here’s a structured approach based on the information given: FIND FLAG 1-7 AND SEE THE INSTRUCTOINS FILE FOR SUBMISSION INSTRUCTIONS THANKS ( the zip file has everything for flags after you set up vm you follow the zipfile attached instructions)
Setup Instructions
Virtual Machine Access:Download the VM from the provided link: CS6035-Fall-2024-RC2.ova.
Ensure you have VirtualBox 7.0.18 or higher installed.
Log into the VM using the credentials:Username: apisec
Password: Chris_Cornell
Starting the API:Open a terminal in the VM.
Run the command:
bash
./StartContainer.sh
Access the Swagger documentation by navigating to http://localhost:5001/swagger/index.html in Chrome.
Required Header:Make sure to include your GATECH_ID as a required header in your API calls.
Flag Collection
You will need to find and submit flags based on specific tasks outlined below.
FLAG 1: Swagger Intro (10 pts)
Create a new programming language named “SpaceScript++”.
Write a review titled “A Galactic Odyssey in Code, enhanced” with a rating of 4 by reviewer “Kara Thrace”.
Reply to this review as “Gaius Baltar” with the text “Fascinating, but lacks a certain logical coherence.”
Delete the programming language to reveal your flag.
FLAG 2: Stolen Credentials (15 pts)
Use Swagger to find an endpoint for creating new reviewers.
Look for credentials related to a recent data breach and use them to obtain an auth token.
Use this token to create a new reviewer with username “daylight” and full name “Day Light”.
FLAG 3: JWT Intro (15 pts)
Call the “flag3token” GET API to get your JWT token.
Parse the token and use its values to create a payload.
POST this payload back to the “flag3token” API.
FLAG 4: Hack JWTs – #1 (15 pts)
Use your credentials as “python_guru1” and password “The_sql_injection_vulnerabilities_are_false” to get your token.
Modify this token to gain moderator privileges and delete bad PHP reviews.
FLAG 5: Hack JWTs – #2 (20 pts)
Obtain a normal JWT token using username “Jackson5587” and password “Blasphemy2”.
Attempt to access top-secret programming languages by modifying your token with an additional claim.
FLAG 6: Hack JWTs – #3 (15 pts)
Retrieve a weak JWT token from the flag6token API.
Analyze and decrypt the weak key, then use it to access restricted APIs.
FLAG 7: Broken Access Control (10 pts)
Find an API that provides user details.
Use this information to reset an admin user’s password, allowing access to their account.
Submission Instructions
Collect all flags you retrieve into a JSON format as specified:
json
{
“flag1”: “”,
“flag2”: “”,
“flag3”: “”,
“flag4”: “”,
“flag5”: “”,
“flag6”: “”,
“flag7”: “”
}
Save this JSON file as project_apisecurity.json in your VM.
88dd181d1f368569f0

API Security Assignment: You will be learning about modern web-based API securit

Posted on | by Linus | Leave a Comment on API Security Assignment: You will be learning about modern web-based API securit

API Security Assignment:
You will be learning about modern web-based API security principles in this project. These APIs are extremely popular ways of sharing data and integrating enterprise software systems. Understanding how they work and security best practices are paramount to a well rounded security expert.
You’ll use the same virtual machine you’ve been using.
I will share username and password of the vm
Attached the instructions.

API Security Assignment: You will be learning about modern web-based API securit

Posted on | by Linus | Leave a Comment on API Security Assignment: You will be learning about modern web-based API securit

API Security Assignment:
You will be learning about modern web-based API security principles in this project. These APIs are extremely popular ways of sharing data and integrating enterprise software systems. Understanding how they work and security best practices are paramount to a well rounded security expert.
You’ll use the same virtual machine you’ve been using.
I will share username and password of the vm
Attached the instructions.

You will be learning about modern web-based API security principles in this proj

Posted on | by Linus | Leave a Comment on You will be learning about modern web-based API security principles in this proj

You will be learning about modern web-based API security principles in this project. These APIs are extremely popular ways of sharing data and integrating enterprise software systems. Understanding how they work and security best practices are paramount to a well rounded security expert. FIND FLAG 1-7 AND SEE THE INSTRUCTOINS FILE FOR SUBMISSION INSTRUCTIONS THANKS ( the zip file has everything for flags after you set up vm you follow the zipfile attached instructions)
You’ll use the same virtual machine you’ve been using.
The VM username and password is apisec and Chris_Cornell
VM Download link: https://cs6035.s3.amazonaws.com/CS6035-Fall-2024-RC2.ova
The VM requires VirtualBox 7.0.18 or higher and we always recommend that you use the latest version. The current version is 7.0.20.
You are welcome to attempt to use VMWare products, Parallels, or any other hypervisor of your choice but we cannot provide help in troubleshooting for anything other than VirtualBox.
It’s also possible to emulate the VM on ARM based Macs. I’ve decided to provide some details on how I configure the emulation but again these instructions come without any warranty – we cannot grant extensions due to emulation issues.
OVA Info:
Name: CS6035-Fall-2024-RC2.ova
Size: 11873793024 bytes (11 GiB)
CRC32: D8729A2C
CRC64: D1A2D15B34FFADBD
SHA256: 87f61394d661e0a72f50c3a2121d34d15652ad7948152318aa9ff2345e0251d7
SHA1: 3ff69840f44a60c0881da6e98d0bd9a6ae43289a
BLAKE2sp: 9d032dbf6f706c8721c80b38c71e87760d9f9ad052718f88dd181d1f368569f0