Hacme Shipping is a ColdFusion Web Application from the Foundstone, Inc series of vulnerable "Hacme" tools. As its name implies, Hacme Shipping is a mock Shipping application much like one you would find major on-line retailers using, except loaded with insecure code (on purpose!).
So in continuing the theme of my previous post, which detailed the process of Installing Hacme Bank, this article will hopefully provide another easy to follow, step-by-step guide to installing and configuring the application.
While writing this walk-through, all testing was done on a newly built XP Pro VMware image with Service Pack 3 and all available updates applied via Windows Update. You may experience inconsistencies if your lab machine differs from the above.
Install Internet Information Services
Hacme Shipping installs as a Virtual Directory under Internet Information Services so our first order of business is to get IIS installed.
- Place your Windows XP Pro CD into the drive.
- Run the Add or Remove Programs option found in the Control Panel.
- Select Add/Remove Windows Components from the left-hand side.
- In the Windows Components Wizard highlight Internet Information Services (IIS) and click the Details button.
- Put a check in the boxes next to: Common Files, Internet Information Services Snap-In, and World Wide Web Service.
- Highlight World Wide Web Service and click Details, then uncheck Printers Virtual Directory and click Ok.
- Click Ok again to close the IIS options window, and click Next to complete the install.
When the install completes, click Finish and exit out of the Control Panel.
Install MySQL
- Download MySQL Community Server; the Windows Essentials version is fine for this project. (Version 5.1.38 at time of writing)
- Launch the installer, and for 'Setup Type' choose Typical. When the installer reaches the "Wizard Completed" screen verify that the "Configure the MySQL Server now" box is checked and click finish.
- Choose "Detailed Configuration" and leave all settings as their defaults on each of the screens until you reach the option screen for TCP/IP Networking and SQL mode. On this screen uncheck "Enable Strict Mode" and click next.
- Continue installing with the default settings until you reach the "Windows Options" screen. On this screen put a check-mark in the "Include Bin directory in Windows PATH" option and click next.
- On the "Security Options" screen verify that "Modify Security Settings" is checked and enter 53cr37 for the root password (or anything else that you'll remember for later in this install) then click next.
- Finally, press the Execute button to perform the install and then click Finish.
Install Hacme Shipping
- If you haven't done so already, download Hacme Shipping from the Foundstone, Inc. website.
- Launch the MSI installer and accept all the default settings until you reach the 'Database Setup' page. In the password box enter the MySQL root password that you chose during the MySQL install step and click 'Next'. Once the install finishes click 'Close' to exit out.
Install ColdFusion
In Step #4, if a browser doesn't appear, you can access the admin page by manually going to:
- Download ColdFusion 8 Developer Edition [English | Windows] (registration required) from Adobe's website (Version 8.01 at time of writing)
- Run the installer and on the "Install Type" screen tick the checkbox for the "Developer Edition" option and click next.
- Accept the default settings for the remaining configuration screens. Be sure to enter an Administrator password that you'll remember!
- When the installation is complete, click Done. This will launch an IE browser with the ColdFusion admin login page. Enter the password you chose during install and click login.
- Configuration of the server will begin automatically. This takes a minute or two, so be patient. When the setup is complete the page will refresh and an 'Ok' button will appear; click the 'Ok' button to continue configuring.
- In the left hand window click on "Data Sources" found under the Data & Services section. On the "Add New Data Source" page enter "hacmeshipping" for DataSource Name and choose MySQL (4/5) from the Driver pulldown, then click 'Add'.
- On the next screen, in the "Database" field enter "hacmeshipping", for 'Server' enter "127.0.0.1", and leave the port set to 3306. The user will be "root" and enter the same password you chose when installing MySQL. Now click the 'Submit' button.
- You're now done installing and configuring the necessary components.
Testing Hacme Shipping
You should now be able to launch a browser and access the application at http://127.0.0.1/HacmeShipping_MG/index.cfm using 'admin' and 'password' for credentials. If everything is working as it should, you'll be logged into the application and can begin crafting your application-based attacks!
Also, be sure to read the Hacme Shipping User Guide that was installed with the application; you'll find a shortcut to it under the "Foundstone Free Tools" folder in the Start Menu. It provides a detailed description of each vulnerability, its impact, and an example of how to exploit it. So don't read ahead too early or you'll ruin the fun of the discovery process!
Bonus! Remote Access to Hacme Shipping!
Ok, so this really isn't that great a bonus (like with Hacme Bank) since it doesn't appear that Hacme Shipping has any built-in restrictions for remote access to the application. So all we need to do is configure the Windows Firewall to allow HTTP traffic through.
- Open the Windows Security Center located in the Control Panel and select Windows Firewall at the bottom of the panel.
- Click on the Exceptions tab.
- Click the Add Port button.
- For the Name field enter "IIS" and "80" for the Port field, then click Ok and Ok to make the change. You can now exit out of the control panel as well.
Now open a browser on the host machine (or another machine on your network) and browse to the remote web instance: http://[IP Address of the VM Image]/HacmeShipping_MG/index.cfm/
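Once the VM is reachable from other machines, it is worth confirming that only IIS on port 80 is meant to be exposed and that MySQL on 3306 (running with the root account) stays behind the firewall. The script below is an added example, not part of the original walk-through: it parses `netstat -an` output saved from the VM and reports which of the lab's ports listen beyond loopback. The sample output, the 192.168.56.x addresses and the function names are constructed for illustration.

```python
"""Audit which lab services listen beyond loopback, from `netstat -an` text."""
import re

# Ports set up in this walk-through: IIS on 80, MySQL on 3306.
LAB_PORTS = {80: "IIS (Hacme Shipping)", 3306: "MySQL"}
INTENDED_REMOTE = {80}  # only HTTP is meant to be reachable from other machines

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING
  TCP    192.168.56.10:139      0.0.0.0:0              LISTENING
  TCP    192.168.56.10:80       192.168.56.1:51544     ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def network_listeners(netstat_text):
    """Return {port: sorted addresses} for TCP listeners not bound to loopback only."""
    found = {}
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header row, UDP rows, established connections
        addr, port = m.group(1), int(m.group(2))
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only listeners are not reachable remotely
        found.setdefault(port, set()).add(addr)
    return {p: sorted(a) for p, a in found.items()}


def audit(netstat_text):
    """Split lab ports into intended exposure and ports the firewall must keep closed."""
    listeners = network_listeners(netstat_text)
    exposed = {p for p in LAB_PORTS if p in listeners}
    return {
        "expected": sorted(exposed & INTENDED_REMOTE),
        "firewall_must_block": sorted(exposed - INTENDED_REMOTE),
        "other_listeners": sorted(set(listeners) - set(LAB_PORTS)),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_NETSTAT))
```

Any port reported under `firewall_must_block` should not appear on the Windows Firewall Exceptions tab; with the single "IIS" entry added above, only port 80 is opened.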