XSS and bypassing an Imperva WAF with JSFuck
For the last year, I have been the Director of Content for ImmersiveLabs. I lead a team of people that create practical cyber training labs that can be delivered in a browser.
As part of this, I spend a lot of time creating docker containers and small applications or vulnerable services. For my day to day work, I use a Dell XPS 15 running Linux Mint with Docker and Visual Studio Code.
This works really well, but if I'm on a train, a plane or just sat on the couch it's not as easy to work with. I am a big fan of Chromebooks, with one exception: it was always hard to do any real dev work on them. If I wanted to do anything, I had a USB stick with GalliumOS and a similar setup to my work environment. This worked fairly well, but the USB RW speeds were always a bottleneck, and yes, I know I could just as easily have used crouton.
Thankfully this is no longer an issue. ChromeOS now has native support for running Linux applications, with no need to enable developer mode and its annoying white splash page!
The whole process is fairly simple to get up and running.
Enable Linux Beta
First make sure you are running a supported version: Chrome stable version 69 or higher. Then head to the settings page, search for Linux, select Turn on, follow the on-screen prompts and you're done.
Once it is enabled, open the Launcher and search for the new Terminal app.
It will take a few seconds to a minute depending on your system but you should then see a standard Linux terminal in front of you. From here we can treat it much like a standard Linux system. Apps we install will be available to us from the chrome launcher.
Visual Studio Code
This one is fairly easy. Download the official .deb file from the VSCode site. If you downloaded using the browser you will need to copy it into the Linux Apps directory; if you used the terminal with wget or curl you're all set.
From the terminal, install the deb file with
sudo dpkg -i code_1.30.2-1546901646_amd64.deb
Your version number may vary. Once this has finished it will probably complain it was unable to complete the install. Running
sudo apt install -f
should fix that, and once it's finished you will find Visual Studio Code listed in the Launcher. All files must be located within the Linux Files directory.
As I mentioned above, I make heavy use of Docker in my day-to-day work, so being able to launch Docker containers is an ideal outcome. Running cat /etc/issue shows the Linux apps are running Debian 9, which means we can just follow the official guide for installing Docker-CE. I have outlined the major steps here, but feel free to check the source for changes and updates.
sudo apt-get install apt-transport-https ca-certificates curl gnupg2 software-properties-common
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
sudo apt update && sudo apt install docker-ce
Once that's all wrapped up, you can launch your first Docker container with
sudo docker run hello-world
or get a bit more adventurous and run a bash container.
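The key import step above pipes whatever the server returns straight into apt's trusted keys. The script below is an added example, not part of the original post or of Docker's guide: it downloads the key to a file and only adds it if its fingerprint matches the expected one. It assumes gpg 2.1.14 or later (for the show-only import option); the function names are made up for this example, and the fingerprint is the one published in Docker's Debian install guide, which you should confirm there.

```shell
#!/bin/sh
# Added example (not from the original post): check the Docker repository
# key's fingerprint before handing it to apt-key.

# Fingerprint as published in Docker's Debian install guide; confirm it
# against the guide yourself before relying on this value.
DOCKER_FPR="9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88"
KEY_URL="https://download.docker.com/linux/debian/gpg"

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint: the first "fpr" record (later ones belong to subkeys).
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare two fingerprints, ignoring spaces and letter case.
# An empty value never matches, so a failed parse cannot pass the check.
fpr_equal() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Download the key to a temp file, inspect it without importing it into any
# keyring, and only add it to apt's trusted keys if the fingerprint matches.
add_docker_key() {
    tmp=$(mktemp) || return 1
    rc=1
    if curl -fsSL "$KEY_URL" -o "$tmp"; then
        actual=$(gpg --batch --with-colons --with-fingerprint \
                     --import-options show-only --import "$tmp" 2>/dev/null |
                 primary_fpr)
        if fpr_equal "$actual" "$DOCKER_FPR"; then
            sudo apt-key add "$tmp" && rc=0
        else
            echo "fingerprint mismatch: got '${actual}', key not added" >&2
        fi
    fi
    rm -f "$tmp"
    return "$rc"
}

# Nothing touches the network unless the script is run with --install.
if [ "${1:-}" = "--install" ]; then
    add_docker_key
fi
```

Run it with --install in place of the curl | apt-key line, after the prerequisite packages are installed.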
Next up for me was adding GitHub and my git SSH keys. These steps were exactly the same as any other Linux setup, so I'm not going to go into that here.
And that's that, enjoy writing code and running Docker containers on your Chromebook.