The Pappy Proxy Tutorial
************************
Table of Contents
=================
.. toctree::

   tutorial
Getting Set Up
==============
Introduction
------------
This is a quick tutorial to get you started using Pappy like a pro. To do this, we'll be working through the Natas wargame from OverTheWire. If you haven't done it yet and don't want it spoiled, I suggest giving it a try with Burp first, since we'll be telling you all the answers right off the bat.
Getting Started
---------------
The first thing you'll need to do is get Pappy installed.
Install from PyPI::

    $ pip install pappy

or install from source::

    $ git clone --recursive https://github.com/roglew/pappy-proxy.git
    $ cd pappy-proxy
    $ pip install .
.. note::

   Pappy only supports OS X and Linux! Nothing will work on Windows, sorry!
That was easy! Make a project directory anywhere for Natas and fire up Pappy::

    $ mkdir natas
    $ cd natas
    $ pappy
    Copying default config to ./config.json
    Proxy is listening on port 8000
    itsPappyTime>
If you look at what's in the directory, you'll notice that there's a ``data.db`` file and a ``config.json`` file.
* ``data.db`` is a SQLite file that stores all the (in-scope) requests that pass through the proxy
* ``config.json`` stores settings for the proxy
You don't need to touch either of these right now. Just hop back into Pappy.
Installing Pappy's CA Cert
--------------------------
In order to intercept HTTPS requests, you'll need to add a CA cert to your browser. Installing the cert allows Pappy to act like a certificate authority and sign certificates for whatever it wants without your browser complaining.
To generate certificates, you'll use the ``gencerts`` command. This will generate certificates in Pappy's directory. By default, all projects will use the certs in this directory, so you should only have to generate/install the certificates once::

    itsPappyTime> gencerts
    This will overwrite any existing certs in /home/anonymouse/pappy/pappyproxy/certs. Are you sure?
    (y/N) y
    Generating certs to /home/anonymouse/pappy/pappyproxy/certs
    Generating private key... Done!
    Generating client cert... Done!
    itsPappyTime>
The directory that the certs get put in may be different for you. Next, you'll need to add the generated ``certificate.crt`` file to your browser. This is different for each browser.
Installing the Cert in Firefox
++++++++++++++++++++++++++++++
1. Open Firefox
2. Go to ``Preferences -> Advanced -> View Certificates -> Authorities``
3. Click ``Import``
4. Navigate to the directory where the certs were generated and double click ``certificate.crt``
Installing the Cert in Chrome
+++++++++++++++++++++++++++++
1. Open Chrome
2. Go to ``Preferences -> Show advanced settings -> HTTPS/SSL -> Manage Certificates -> Authorities``
3. Click ``Import``
4. Navigate to the directory where the certs were generated and double click ``certificate.crt``
Installing the Cert in Safari
+++++++++++++++++++++++++++++
1. Use Finder to navigate to the directory where the certs were generated
2. Double click the cert and follow the prompts to add it to your system keychain
Installing the Cert in Internet Explorer
++++++++++++++++++++++++++++++++++++++++
1. No.
Configuring Your Browser
------------------------
Next, you need to configure your browser to use the proxy. This is generally done using a browser extension. This tutorial won't cover how to configure these plugins. Pappy runs on localhost on port 8000. This can be changed in ``config.json``, but don't worry about that right now.
.. note::

   Configure your browser extension to use the proxy server at **localhost** on **port 8000**
Here are some proxy plugins that should work:

* Firefox: FoxyProxy
* Chrome: Proxy SwitchySharp
Testing it Out
--------------
Start up Pappy in Lite mode by running ``pappy -l``, enable the proxy in your browser, then navigate to a website::

    /pappynatas/ $ pappy -l
    Temporary datafile is /tmp/tmp5AQBrH
    Proxy is listening on port 8000
    itsPappyTime> ls
    ID  Verb  Host         Path               S-Code                 Req Len  Rsp Len  Time  Mngl
    8   GET   vitaly.sexy  /favicon.ico       404 Not Found          0        114      0.21  --
    7   GET   vitaly.sexy  /favicon.ico       404 Not Found          0        114      0.22  --
    6   GET   vitaly.sexy  /esr1.jpg          200 OK                 0        17653    0.29  --
    5   GET   vitaly.sexy  /netscape.gif      200 OK                 0        1135     0.22  --
    4   GET   vitaly.sexy  /construction.gif  200 OK                 0        28366    0.26  --
    3   GET   vitaly.sexy  /vitaly2.jpg       200 OK                 0        2034003  1.34  --
    2   GET   vitaly.sexy  /                  200 OK                 0        1201     0.21  --
    1   GET   vitaly.sexy  /                  301 Moved Permanently  0        178      0.27  --
    itsPappyTime> quit
    Deleting temporary datafile
Make sure that the request you made appears on the list. When you quit, the temporary data file will be deleted, so no cleanup will be required!
The Tutorial
============
Setting the Scope
-----------------
The first thing we'll do is set up Pappy so that it only intercepts requests going to ``*.natas.labs.overthewire.org``::

    itsPappyTime> filter host containsr "natas\.labs\.overthewire\.org$"
    itsPappyTime> scope_save

What these commands do:

1. Make the current context only include requests whose host ends in ``natas.labs.overthewire.org``.
2. Save the current context as the scope.
The context is basically the set of requests that pass a list of rules. In this case, we have one rule that says that in order for a request to be in the current context, its host must match the regexp ``natas\.labs\.overthewire\.org$``. When we save the scope, we're saying that any request whose host doesn't match this regexp is out of scope and shouldn't be touched (or stored) by the proxy.
If this doesn't make sense, don't worry, we'll come back to this.
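To make the context/scope idea concrete, here is a small Python model of it. This is an added example written for this tutorial, not Pappy's own filtering code: the ``Request`` records, the ``host_containsr`` rule builder and the ``Context``/``Scope`` classes are all assumptions constructed to mirror what ``filter host containsr`` and ``scope_save`` do in spirit (a rule is a regex search over the host, a context is a list of rules, and the saved scope is a snapshot of that list). It also goes beyond the single command on the page by showing why the ``\.`` escapes and the trailing ``$`` in the regexp matter for keeping lookalike hosts out of scope.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """Minimal stand-in for a proxied request record (constructed for this example)."""
    rid: int
    verb: str
    host: str
    path: str


def host_containsr(pattern):
    """Build a rule in the spirit of ``filter host containsr <regex>``:
    the rule passes when the regex matches anywhere in the host (re.search)."""
    compiled = re.compile(pattern)
    return lambda req: compiled.search(req.host) is not None


class Context:
    """A context is an ordered list of rules; a request is in the context
    only if it passes every rule (the model assumed here)."""

    def __init__(self, rules=None):
        self.rules = list(rules or [])

    def add(self, rule):
        self.rules.append(rule)

    def contains(self, req):
        return all(rule(req) for rule in self.rules)


class Scope:
    """Snapshot of a context taken at ``scope_save`` time. Later changes to
    the working context do not widen or narrow what the proxy will touch."""

    def __init__(self, context):
        self.rules = list(context.rules)

    def in_scope(self, req):
        return all(rule(req) for rule in self.rules)


# Constructed sample traffic: two real Natas hosts, one unrelated site, and two
# lookalikes that a sloppy regexp would wrongly pull into scope.
SAMPLE_REQUESTS = [
    Request(1, "GET", "natas0.natas.labs.overthewire.org", "/"),
    Request(2, "GET", "natas.labs.overthewire.org", "/js/jquery-1.9.1.js"),
    Request(3, "GET", "vitaly.sexy", "/"),
    Request(4, "GET", "natas.labs.overthewire.org.lookalike.test", "/"),
    Request(5, "GET", "natasXlabsYoverthewireZorg", "/"),
]


def in_scope_ids(pattern, requests=SAMPLE_REQUESTS):
    """Apply a single host rule, save it as the scope, and return the IDs
    of the requests the proxy would consider in scope."""
    scope = Scope(Context([host_containsr(pattern)]))
    return [r.rid for r in requests if scope.in_scope(r)]


def scope_is_snapshot():
    """Narrowing the working context after scope_save must not change the scope."""
    ctx = Context([host_containsr(r"natas\.labs\.overthewire\.org$")])
    scope = Scope(ctx)
    ctx.add(lambda req: req.path.startswith("/js/"))  # e.g. a follow-up filter on path
    first = SAMPLE_REQUESTS[0]  # host matches, but path "/" fails the new context rule
    return scope.in_scope(first) and not ctx.contains(first)


if __name__ == "__main__":
    # The tutorial's regexp: escaped dots and an end anchor keep only hosts 1 and 2.
    print(in_scope_ids(r"natas\.labs\.overthewire\.org$"))
    # Drop the anchor and the lookalike suffix host (4) sneaks in.
    print(in_scope_ids(r"natas\.labs\.overthewire\.org"))
    # Drop the escapes and "." matches any character, so host 5 sneaks in.
    print(in_scope_ids(r"natas.labs.overthewire.org$"))
    print(scope_is_snapshot())
```

The three ``in_scope_ids`` calls in the ``__main__`` block show the practical reason for writing the pattern exactly as the tutorial does: without the ``$`` anchor a host that merely *starts* with the Natas domain is in scope, and without the ``\.`` escapes any character stands in for the dots. Both mistakes would let the proxy store and mangle traffic you never intended to touch.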
Natas 0
-------
First, go to ``natas0.natas.labs.overthewire.org`` and log in with the default creds of ``natas0`` / ``natas0``. You should see a site that says "You can find the password for the next level on this page". You don't need Pappy for this one.

1. Right click the page and select "view source"
2. Read the password for natas1
3. Visit ``natas1.natas.labs.overthewire.org`` and log in with the username ``natas1`` and the password you found.
Natas 1
-------
Haha! This is the same as natas0, but they got tricky and shut off right-clicking. There are still ways to view the source in the browser, but we'll use Pappy here. The commands we'll learn here are ``ls``, ``vfq``, and ``vfs``.

* ``ls`` lists the most recent requests that are in the current context. You'll be using this a lot to get the IDs of requests you want to do things with.
* ``vfq <id>`` prints the full request with the ID you specify
* ``vfs <id>`` prints the full response to the request with the ID you specify
So to solve natas1, we'll want to view the full response to our request to the page::

    itsPappyTime> ls
    ID  Verb  Host                               Path                 S-Code            Req Len  Rsp Len  Time  Mngl
    16  GET   natas1.natas.labs.overthewire.org  /favicon.ico         404 Not Found     0        307      0.27  --
    15  GET   natas1.natas.labs.overthewire.org  /favicon.ico         404 Not Found     0        307      0.27  --
    14  GET   natas1.natas.labs.overthewire.org  /                    200 OK            0        1063     0.27  --
    13  GET   natas1.natas.labs.overthewire.org  /                    401 Unauthorized  0        479      0.27  --
    12  GET   natas0.natas.labs.overthewire.org  /favicon.ico         404 Not Found     0        307      0.27  --
    11  GET   natas0.natas.labs.overthewire.org  /favicon.ico         404 Not Found     0        307      0.26  --
    10  GET   natas.labs.overthewire.org         /img/wechall.gif     200 OK            0        9279     0.28  --
    9   GET   natas.labs.overthewire.org         /js/wechall.js       200 OK            0        1074     0.50  --
    8   GET   natas.labs.overthewire.org         /js/wechall-data.js  200 OK            0        564      0.48  --
    7   GET   natas.labs.overthewire.org         /js/jquery-ui.js     200 OK            0        435844   1.37  --
    6   GET   natas.labs.overthewire.org         /js/jquery-1.9.1.js  200 OK            0        268381   1.20  --
    4   GET   natas.labs.overthewire.org         /css/wechall.css     200 OK            0        677      0.48  --
    5   GET   natas.labs.overthewire.org         /css/jquery-ui.css   200 OK            0        32046    0.49  --
    3   GET   natas.labs.overthewire.org         /css/level.css       200 OK            0        1332     0.48  --
    2   GET   natas0.natas.labs.overthewire.org  /                    200 OK            0        918      0.26  --
    1   GET   natas0.natas.labs.overthewire.org  /                    401 Unauthorized  0        479      0.26  --
    itsPappyTime> vfs 14
    HTTP/1.1 200 OK
    Date: Fri, 18 Dec 2015 19:47:21 GMT
    Server: Apache/2.4.7 (Ubuntu)
    Last-Modified: Fri, 14 Nov 2014 10:32:33 GMT
    ETag: "427-507cf258a5240-gzip"
    Accept-Ranges: bytes
    Vary: Accept-Encoding
    Content-Length: 1063
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html

    ... snip ...
    ... snip ...
    itsPappyTime>
Yay!
Natas 2
-------
When you visit this page, you get a message saying "There is nothing on this page". That is probably a blatant lie. Let's see what was in that response::

    itsPappyTime> ls
    ID  Verb  Host                               Path              S-Code            Req Len  Rsp Len  Time  Mngl
    30  GET   natas2.natas.labs.overthewire.org  /favicon.ico      404 Not Found     0        307      0.27  --
    29  GET   natas2.natas.labs.overthewire.org  /favicon.ico      404 Not Found     0        307      0.27  --
    28  GET   natas2.natas.labs.overthewire.org  /files/pixel.png  200 OK            0        303      0.27  --
    27  GET   natas2.natas.labs.overthewire.org  /                 200 OK            0        872      0.27  --
    26  GET   natas2.natas.labs.overthewire.org  /                 401 Unauthorized  0        479      0.27  --
    ... snip ...
    itsPappyTime> vfs 27
    HTTP/1.1 200 OK
    ... snip ...