2020-01-03

AppSec Lab: RasPwn with a MiFi-8800L JetPack Router

I'm hosting a few Application Security workshops later this year. I settled on RasPwn for the lab because it comes pre-configured with a bunch of vulnerable applications out of the box.

RasPwn acts as a stand-alone wireless access point using the Raspberry Pi's on-board Wi-Fi. If you plug in ethernet, it can route packets, but DNS forwarding seems broken. Some of the participants will have to be online and available during the workshops, so I wanted to make sure the lab has full Internet access. Additionally, it helps when folks can look up information about vulnerabilities while learning new concepts. I won't always be able to rely on on-site ethernet to provide Internet access to participants, so I decided to set up my MiFi 8800L hotspot as an Internet gateway on RasPwn, and I had to make sure DNS worked.

Hotspot setup:
When you plug a WiFi hotspot in over USB, some models will only charge the internal battery, while others immediately show up as a network device. Some also show up as a "virtual USB drive" with drivers and software. The Inseego MiFi-8800L touch-screen model prompts you when you plug it in, and has an option to serve Internet via USB only or USB+WiFi.

If you use the Web UI, you can set this option as the default. There's no way to set it up from the touch-screen interface. All other Inseego (and their previous brand, Novatel) hotspots I've used can be set up to provide USB Internet access by default, using the web admin portal. See the owner's manual for details on accessing the admin portal; it'll probably vary widely by model. Example from my 8800L:

RasPwn setup:
  • Download the RasPwn software and follow the install instructions on the download page. If you've messed with Raspberry Pi distributions before, this should be pretty self-explanatory.
  • Place the card into a Raspberry Pi 3 and power it up. You won't need a screen or keyboard for anything. I did have to power-cycle the Raspberry Pi after the first boot for the WiFi network to show up. You may have to do the same.  
  • When RasPwn boots up, you'll see a new WiFi network called RasPwnOS show up. Connect to it. The default WiFi password is In53cur3! 
  • SSH to 192.168.99.1. The username is pi and the password is pwnme!
    • ssh pi@192.168.99.1
  • Set up eth1 (for the hotspot's USB interface)
    • edit /etc/network/interfaces with vi or nano
    • insert the two lines below, preferably after "eth0" is specified:
      allow-hotplug eth1
      iface eth1 inet dhcp
    • Save the file
  • Change the IP masquerading rules for iptables to use eth1
    • edit /etc/iptables.up.rules with vi or nano
    • change the MASQUERADE rule from
      -A POSTROUTING -o eth0 -j MASQUERADE
      to
      -A POSTROUTING -o eth1 -j MASQUERADE
    • save the file
  • Set up the DHCP server to issue an external backup resolver
    • edit /etc/udhcpd.conf with vi or nano
    • change the "opt dns" line from
      opt     dns     192.168.99.1 192.168.99.10
      to
      opt     dns     192.168.99.1 8.8.8.8
    (Note: the DNS stuff is kind of hacky. You could configure the on-board bind9 DNS server to resolve recursively, but it's more complicated and this works just fine.)
  • Reboot RasPwn and test Internet connectivity.
    • sudo reboot
    • Close your SSH window
    • Wait a minute or so
    • Reconnect to the RasPwnOS wifi network
    • Try browsing the internet. If it doesn't work, make sure the hotspot is showing a USB connection. You may need to unplug it and plug it back in, or unplug the hotspot, reboot RasPwn again, and plug the hotspot in after RasPwn has fully booted.
Okay, so let's hack something!
  • Go to playground.raspwn.org from your RasPwn WiFi connection 
  • Pick an app and start hacking!
The first thing in the playground is the OWASP Bricks practice application. It's intentionally vulnerable and designed to be increasingly complex with each challenge building on what you learned with the previous ones.

Some of the exercises will require an intercepting proxy such as Burp Suite, Charles Proxy, or OWASP ZAP, but the first login page can be hacked with just a browser. I actually didn't read any documentation for Bricks, and had never played with it before setting up RasPwn. My first login attempt was "admin" with a password of "admin", and it logged me in.

It wasn't until I saw the SQL in the footer that I knew this was supposed to be an SQL injection challenge. Whoops. Okay, let's try this again with foo and a password of bar.

Okay, so that's what "access denied" looks like. Now let's throw some SQL injection into the username field. Here, I used a username of "foo ' OR 1=1 -- " (note the space after the -- comment marker; MySQL, and maybe other databases, need it before the rest of the line is treated as a comment).

And we've successfully used SQL Injection to hack the first Bricks challenge.
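To make explicit why that username works, and what the fix looks like, here is an added example that is not Bricks' own code (Bricks is PHP on MySQL): a constructed SQLite users table, queried once by string concatenation and once with bound parameters. The table name, columns and rows are made up for the demonstration.

```python
import sqlite3

# Constructed stand-in for the Bricks users table (made up; Bricks itself is PHP on MySQL).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "admin"), ("alice", "s3cret")])
    return db

def render_sql(username, password):
    """The string-concatenated query, i.e. the kind of text Bricks echoes in its footer."""
    return ("SELECT name FROM users WHERE name = '" + username
            + "' AND password = '" + password + "'")

def login_vulnerable(db, username, password):
    """Login the way the challenge does: user input is spliced into the SQL text."""
    row = db.execute(render_sql(username, password)).fetchone()
    return row[0] if row else None

def login_safe(db, username, password):
    """Same lookup with bound parameters: the quote and the -- stay inside the value."""
    row = db.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None

PAYLOAD = "foo ' OR 1=1 -- "   # the username from the walkthrough above

if __name__ == "__main__":
    db = make_db()
    print(render_sql(PAYLOAD, "bar"))            # everything after -- is now a comment
    print(login_vulnerable(db, "foo", "bar"))    # None: access denied
    print(login_vulnerable(db, PAYLOAD, "bar"))  # admin: OR 1=1 matches every row
    print(login_safe(db, PAYLOAD, "bar"))        # None: payload is just a literal name
```

The parameterized version is the fix to look for when reviewing a login handler: the database never sees the attacker's quote or comment marker as syntax.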

Happy hacking, friends!