How to access WSL2 webserver remotely through ZeroTier

If you occasionally do web development in WSL2 and want to try the site out over the internet without exposing your machine directly to it, this could be the solution for you.

To give some background, I was working with a webserver that basically does stuff. I wanted to test it with a few close friends, but I didn't want my PC to be exposed directly to the internet. A VPN looked a bit tough to set up, so ZeroTier came to mind, and my friend was able to test my site over the internet.

General note: this was tested on a personal PC. I don't forbid you from using it in a more enterprise-y setting, but this tutorial comes with absolutely no guarantee of being secure or exploit-proof. Suggestions for improving this tutorial are welcome.

There are several major steps to doing this:

  1. Opening the service on a specific IP or on 0.0.0.0
  2. Proxying the service so it can be reached from outside the WSL2 network
  3. Exposing the port through the firewall (to the local network, obviously)
  4. Connecting the PC that hosts WSL2 and the client to the same ZeroTier network ID

Opening the service in WSL on a designated IP or 0.0.0.0

When I tested this, I used a 0.0.0.0 listener. You should be able to use a designated IP instead; just note that any 0.0.0.0 that comes up in this guide should then be replaced with your designated IP.

Just run your website as usual, leave it running, and then use the command ufw allow $PORT to open WSL's firewall so it accepts outside requests on that specific port. I used port 9000 in my case, so I'd run ufw allow 9000.

Also make sure that your webserver is listening specifically on IPv4. WSL doesn't seem to bother much with IPv6, and the forwarding came out a bit broken when I used IPv6.

Proxying the service so it can be reached from outside the WSL2 network

Okay, so the server is up; it's time for you to go back to Windows.

Open PowerShell as Administrator, and then run this command:

netsh interface portproxy add v4tov4 listenport=$PORT listenaddress=0.0.0.0 connectport=$PORT connectaddress=127.0.0.1

Now here's the thing: I read the documentation, and this is basically just a forwarding command from one IP to another. That command forwards anything arriving on the listen address to localhost. WSL2 behaves similarly to a VM: its network IP address is reset each time the instance restarts, so forwarding to localhost was intended as the workaround for that. You can forward directly to your WSL IP instead, and that guarantees WSL is reached. I used localhost, and it didn't respond after a PC restart.

It should return a blank line. Then we can move on to the next step.

Expose the port through firewall

This is the part where you allow the port through the Windows firewall.

In Windows Settings, go to Windows Defender Firewall.

[Screenshot: Windows Defender Firewall]

A window will come up showing your private and public networks. In the left sidebar, choose Advanced Settings. Another window will come up, this time Windows Defender Firewall with Advanced Security.

[Screenshot: Advanced Settings]
[Screenshot: Windows Defender Firewall with Advanced Security]

On the left side, click Inbound Rules, then New Rule...

And then, yada yada yada, you get the idea: Port, the port number, and leave the rest at the defaults unless there are specific restrictions you want to add. Lastly, name the rule something you'd recognise at first glance as "ah, it's that WSL thing".
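Steps 1 to 3 above can be wired up in one script instead of clicking through the dialogs. The following is an added example, not the author's script: it opens the WSL-side firewall, creates the port proxy against the current WSL2 address (looked up on each run, since that address changes after a restart), and adds the inbound rule restricted to the ZeroTier subnet so the port is not reachable from the ordinary LAN. It assumes ufw is installed and enabled in the default WSL distro; $Port and $ZeroTierSubnet are placeholder values (the subnet is the managed route of the ZeroTier network you create in the next section).

```powershell
# Added example, not the author's script: automates steps 1-3 above for one port.
# Run from an elevated (Administrator) PowerShell on the Windows host.
# ASSUMPTIONS: ufw is installed and enabled in the default WSL distro; $ZeroTierSubnet is a
# made-up value, replace it with the managed route of your own ZeroTier network.
$Port           = 9000
$ZeroTierSubnet = '10.147.17.0/24'   # placeholder: ZeroTier Central > your network > Managed Routes

# Step 1 (inside WSL): open WSL's own firewall for the port (needs root in the distro).
wsl -u root -- ufw allow "$Port/tcp"

# Step 2: forward the Windows listener to WSL2. The WSL2 address changes on every restart,
# so query it each time instead of hard-coding it (the post's 127.0.0.1 variant stopped
# answering after a reboot). WSL_UTF8=1 keeps wsl.exe output readable from PowerShell.
$env:WSL_UTF8 = '1'
$WslIp = ((wsl -- hostname -I) -split '\s+')[0]
if (-not $WslIp) { throw 'Could not determine the WSL2 IP address; is the distro running?' }
netsh interface portproxy delete v4tov4 listenport=$Port listenaddress=0.0.0.0 | Out-Null
netsh interface portproxy add v4tov4 listenport=$Port listenaddress=0.0.0.0 `
      connectport=$Port connectaddress=$WslIp

# Step 3: inbound firewall rule limited to the ZeroTier subnet, so the port is reachable
# only from peers on the ZeroTier network, not from anything else on the LAN or Wi-Fi.
$RuleName = "WSL2 web $Port (ZeroTier only)"
Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $Port -RemoteAddress $ZeroTierSubnet -Action Allow | Out-Null

# Checks: the proxy entry exists and Windows is really listening on the port.
netsh interface portproxy show v4tov4
Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Re-run the script after every reboot (or drop it in a scheduled task) so the proxy follows the new WSL2 address. The -RemoteAddress restriction is the one thing the wizard's defaults leave out: without it, the 0.0.0.0 listener is open to every device on the same LAN, not just to ZeroTier peers.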

Connect your PC that has WSL2 and the client candidate to the same ZeroTier network ID

I assume that you have already used ZeroTier (after all, why are you here?), but I'll still give a short tutorial on installing and setting it up.

  • Make an account to manage ZeroTier network IDs on ZeroTier Central, then log in.
  • Create a network. Everything should already be set up for you. Set it to Private if you have the time to approve every incoming member and need it to be private. The name defaults to two random words.
  • Note down the Network ID of the network you just made.
  • Now download and install the ZeroTier application on each device that should be in the same network: in this case the computer that hosts WSL2 (which is the webserver) and the client.
  • Open the ZeroTier control panel from the taskbar icon, and use the Network ID we saved before to join the network. Do this on both client and server. Don't forget to authorize the client in ZeroTier Central.
  • Now the client should be able to make requests from the browser, using the ZeroTier managed IP of the PC that hosts WSL2.

That's all! I hope this edge-case guide helped you.

Reference:

https://www.williamjbowman.com/blog/2020/04/25/running-a-public-server-from-wsl-2/

https://discuss.zerotier.com/t/accessing-wsl2-exposed-ports-via-zerotier-answered/4881

Seriously, security issues!

I have seen several security issues inside a *redacted* company, just because they thought "it's fine, no one cares about our machines" and then suddenly got rekt by ransomware.

DO NOT EVER (unless necessary) OPEN YOUR PRODUCTION SERVICES TO THE INTERNET!!! The IPv4 range is relatively small compared to the abundance of bots that scan open and active IPs all the time. You will be a target sooner or later. You can relax a bit if the open service is not in any way critical or connected to anything critical. But SERIOUSLY, this is a security issue! You should recheck which services should and must be open to the internet, and which ones don't really need to be. And if you have something open to the internet, I really recommend having a proxy or DMZ that scans and filters any poop that might come along with the legitimate requests. That's why big companies with critical assets pour money into a Security Operations Center to monitor and alert everyone if there is a breach or something wrong with security. They have a reason. Even they, with a SOC, can still be breached, so why wouldn't you be?

And you should have a DMZ too! Ransomware does not cherry-pick its victims. If there is an opportunity, they WILL use it against you. The really basic thing you can do in a small-scale environment is to firewall everything on your computer and make sure that only trusted services can contact the outside world. Many threat actors will try to inject your service with bots to act as a Trojan or "agent", used as a pawn inside your computer.

You got that? Yeah? Cool, now turn off that VPS that you used for like 10 minutes two months ago.

Strong Passwords that You Can Remember and Different for Every Site (Password Trick)

Passwords are very important to remember in this digital era. But sometimes you have only 2-3 different passwords that you use to log in to various accounts. If a site requires only 6 letters, you use password A. If it needs at least 8 characters with numbers, you use password B.

But of course, in plain terms, that's not secure at all. Once one of your beloved websites gets breached, and someone with malicious intent breaks the encryption to get access to people's accounts, including YOURS, you're basically screwed. But what if you've joined multiple websites? Like 20 or 30 accounts? Won't that be a hassle to remember them all?

I stumbled upon this trick by myself and thought, "why hasn't anyone used this?" This trick is a bit unethical to explain, because a password trick should remain your own secret, but I want to help people secure their accounts. So here's a step-by-step trick to have a different password on every site without needing to remember so goddamn many passwords.

1. Have a master password.

This part is quite common in password manager applications such as 1Password and LastPass: you need one master password, just to make sure you can back everything up if this trick fails.

2. Make a derivative of that master password, OR make a totally randomized password for yourself. The longer, the better.

What does that mean? This will be our main key for password generation. Yes, generation, without opening any application. Just a simple trick.

For instance if my main password is:

valhallabrother

Then my derivative can be:

Br0th3rOfV4lh4ll4

Or it can be a totally random string that you, for some reason, remember thanks to a password reset from a website:

k239aman921xj007

3. Generate a password based on the website you're entering.

Generate it by looking at the website you're entering.

I have main password:

k239aman921xj007

And I want to log in to Facebook. So my password for Facebook is a portmanteau (combination) of the name of the website and my main password.

k239aman921xj007FACEBOOK

This will benefit you in two ways:

  • You won’t have to remember many passwords
  • It's a longer password, so technically it's a better password!

But of course, you can vary this password even further by using an abbreviation, or an obfuscated version of the website's name!

k239aman921xj007F@C3B00K.C0M

That's a damn long password, and it will be even more obscured if the website hashes passwords by default using a standard algorithm such as bcrypt or SHA.

With this method, you can sign up to as many websites as you want without worrying about remembering different passwords.

4. If you use the master password to generate, change it once in a while by deriving it in a hasty manner.

But of course, this method is not perfect. If someone manages to figure out the scheme, they can reverse-engineer your password by brute-forcing literal words. But that will take some time. Meanwhile, you can change your password every so often based on your master password, so your accounts will be safer and more secure.
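The weak point named above is that the site-specific suffix is appended in the clear, so one password leaked in plaintext hands over the master part and the scheme at once. The following added example (not the author's trick, and not how 1Password or LastPass work) keeps the same idea, one remembered secret plus the site name, but mixes them with HMAC-SHA256 so the derived password reveals neither the master nor the password for any other site. Get-SitePassword, its parameters and the Version counter are this example's own; the master value is the post's sample.

```powershell
# Added example, not the author's code: keyed derivation instead of plain concatenation.
# Same inputs as the post (one remembered secret + the site name), but the output does not
# contain the secret, and knowing one site's password does not yield another site's.
function Get-SitePassword {
    param(
        [Parameter(Mandatory)][string]$MasterSecret,   # the "main password"; never typed into any site
        [Parameter(Mandatory)][string]$Site,           # e.g. 'facebook.com'
        [ValidateRange(8, 44)][int]$Length = 20,       # 44 = full Base64 of a 32-byte digest
        [int]$Version = 1                              # bump to rotate one site without changing the secret
    )
    $key  = [System.Text.Encoding]::UTF8.GetBytes($MasterSecret)
    # Normalise the site name so 'Facebook', 'FACEBOOK' and 'facebook.com' cannot drift apart.
    $data = [System.Text.Encoding]::UTF8.GetBytes("$($Site.ToLowerInvariant().Trim())|$Version")
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($key)
    try {
        $digest = $hmac.ComputeHash($data)
    } finally {
        $hmac.Dispose()
    }
    # Base64 yields upper, lower, digits and '+' '/', which satisfies most complexity rules.
    return [Convert]::ToBase64String($digest).Substring(0, $Length)
}

# Comparison with the post's scheme, using the post's sample secret (a constructed value).
$master = 'k239aman921xj007'
"Concatenation : " + $master + 'FACEBOOK'   # the secret is readable inside the result
"HMAC-derived  : " + (Get-SitePassword -MasterSecret $master -Site 'facebook.com')
"HMAC-derived  : " + (Get-SitePassword -MasterSecret $master -Site 'github.com')
"After rotation: " + (Get-SitePassword -MasterSecret $master -Site 'facebook.com' -Version 2)
```

The Version parameter is the counterpart of step 4: rotating one compromised site's password means incrementing the counter for that site only, while the master secret stays the same. The caveat still holds that the master must be long and random, because a leaked derived password can be used to test guesses for the master offline; the derivation only stops the leak from exposing the master directly and from being reused on other sites.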

Good luck securing your accounts and have fun!

rareguy

First CTF!

When I went back to my village in a rural area, and my parents were away due to unexpected circumstances, I was left with my relatives doing nothing but playing on my laptop. And then I thought, "hey, why don't I do a CTF?" So I went to CTFtime.org and found a middle-school/high-school level CTF named BCACTF (because BCA IAG was the sponsor) that might get me competing again after several years. So without thinking, I registered and got into the game.

One week of BCACTF felt like some kind of new grind for me. Albeit being bad at it, having never played before, it was actually kind of fun. I chatted with new people who have the same mindset as me: too late taking the path of cybersecurity. So I worked at it (with several other participants who also shared clues with me) and got to a somewhat top placing.

Don't mind the two; they joined my team but didn't touch any of the questions. :p

One of my friends, hunterjj, asked me a lot during this CTF. Even though I got the clues from other people, I also shared them with him.

My "team" got 22nd place, which is quite good for a first-timer like me. Buuuut.....

Top 10 by a first-timer???? What the hell?

What the shit? I didn't reckon on my personal placing being 9th. I expected to go lower, but I guess discussing the answers with people isn't that bad at all for learners, haha!

Writeups are available on my GitHub: https://github.com/rareguy/bcactf-2019. More writeups coming soon!

It was really fun!