PeCoReT / pecoret

A Pentest Collaboration and Reporting Tool
https://pecoret.github.io
GNU General Public License v3.0

Can't login after docker installation #169

Closed lululunaa closed 8 months ago

lululunaa commented 9 months ago

Summary

After downloading the docker-compose.yaml file and running docker compose up, the install seems to go fine. I have tried to use the default username and passwords present in the yaml file, and changed them to custom values but neither option seems to work (A message pops up saying unauthenticated). The output/docker logs show the server has been started and is listening:

Starting server
[2024-02-11 14:47:22 +0000] [11] [INFO] Starting gunicorn 21.2.0
[2024-02-11 14:47:22 +0000] [11] [INFO] Listening at: http://0.0.0.0:8000 (11)
[2024-02-11 14:47:22 +0000] [11] [INFO] Using worker: sync
[2024-02-11 14:47:22 +0000] [12] [INFO] Booting worker with pid: 12

There is only one warning present in any of the docker logs which is:

/usr/local/lib/python3.12/site-packages/django/db/backends/utils.py:98: RuntimeWarning: Accessing the database during app initialization is discouraged. To fix this warning, avoid executing queries in AppConfig.ready() or when your app modules are imported. 
warnings.warn(self.APPS_NOT_READY_WARNING_MSG, category=RuntimeWarning)

After changing the email in the yaml, I attempted to reset my password using the newly entered email address and got no message delivered to my email. I saw in the database, the users admin and Ghost exist but I cannot login to the application. Is there something I am missing or doing wrong?

Steps to reproduce?

No response

Additional Information

No response

blockisec commented 9 months ago

Hi, thanks for reporting this issue. To receive emails you must configure it in the django settings file. To receive the mail in the console for debugging, you could add EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend" to the django settings file. I just tested the default docker-compose file and I can login, so it may be related to your setup. Is there any error in the browsers dev console?

Edit: The "admin" user is the one created during container start. The "Ghost" user is just used in some places to keep findings and other stuff if a user is removed. Please note that the "admin" user is not yet designed to use the application. The admin user should only be used to configure things. You may want to create new users for the available groups to use the application.

lululunaa commented 9 months ago

What user/credentials should we be using to login to the application? I don't see that information in the documentation anywhere, and I can't create a new user without first getting access to it. There are no errors when navigating to the application, but when I login I just get a 403.

Edit: looks like the 403 is coming back with Bad Request


I tried using a few different username/password combinations, but in this specific example I tried pentester1:InitialPassword123. The whole error is below:

{
  "stack": "Re@http://ubuntu/assets/index-sd1OVlcc.js:25:28300\niw@http://ubuntu/assets/index-sd1OVlcc.js:27:1045\ny@http://ubuntu/assets/index-sd1OVlcc.js:27:4239\nEventHandlerNonNull*dw</<@http://ubuntu/assets/index-sd1OVlcc.js:27:4311\ndw<@http://ubuntu/assets/index-sd1OVlcc.js:27:3216\nad@http://ubuntu/assets/index-sd1OVlcc.js:29:512\npromise callback*_request@http://ubuntu/assets/index-sd1OVlcc.js:30:1071\nrequest@http://ubuntu/assets/index-sd1OVlcc.js:29:3032\nn/<@http://ubuntu/assets/index-sd1OVlcc.js:30:1663\nsm/<@http://ubuntu/assets/index-sd1OVlcc.js:25:23034\nlogin@http://ubuntu/assets/index-sd1OVlcc.js:21:4508\nlogin@http://ubuntu/assets/Login-mRZW6cmq.js:1:509\nIn@http://ubuntu/assets/index-sd1OVlcc.js:13:39\nLt@http://ubuntu/assets/index-sd1OVlcc.js:13:120\nn@http://ubuntu/assets/index-sd1OVlcc.js:17:7230\nEventListener.handleEvent*ii@http://ubuntu/assets/index-sd1OVlcc.js:17:6572\nb1@http://ubuntu/assets/index-sd1OVlcc.js:17:6800\nO1@http://ubuntu/assets/index-sd1OVlcc.js:17:7662\nZ@http://ubuntu/assets/index-sd1OVlcc.js:13:24672\nX@http://ubuntu/assets/index-sd1OVlcc.js:13:24339\nC@http://ubuntu/assets/index-sd1OVlcc.js:13:23715\n_@http://ubuntu/assets/index-sd1OVlcc.js:13:28241\nrun@http://ubuntu/assets/index-sd1OVlcc.js:9:1517\n$v/ve/k.update@http://ubuntu/assets/index-sd1OVlcc.js:13:28532\nve@http://ubuntu/assets/index-sd1OVlcc.js:13:28559\n$e@http://ubuntu/assets/index-sd1OVlcc.js:13:27198\nOe@http://ubuntu/assets/index-sd1OVlcc.js:13:26983\nC@http://ubuntu/assets/index-sd1OVlcc.js:13:23744\nW@http://ubuntu/assets/index-sd1OVlcc.js:13:25250\nJ@http://ubuntu/assets/index-sd1OVlcc.js:13:26704\nC@http://ubuntu/assets/index-sd1OVlcc.js:13:23673\nW@http://ubuntu/assets/index-sd1OVlcc.js:13:25250\nZ@http://ubuntu/assets/index-sd1OVlcc.js:13:24535\nX@http://ubuntu/assets/index-sd1OVlcc.js:13:24339\nC@http://ubuntu/assets/index-sd1OVlcc.js:13:23715\nW@http://ubuntu/assets/index-sd1OVlcc.js:13:25250\nZ@http://ubuntu/assets/index-sd1OVlcc.js:13:24535\nX@http://ubuntu/assets/index-sd1OVlcc.js:13:24339\nC@http://ubuntu/assets/index-sd1OVlcc.js:13:23715\nW@http://ubuntu/assets/index-sd1OVlcc.js:13:25250\nZ@http://ubuntu/assets/index-sd1OVlcc.js:13:24535\nX@http://ubuntu/assets/index-sd1OVlcc.js:13:24339\nC@http://ubuntu/assets/index-sd1OVlcc.js:13:23715\nW@http://ubuntu/assets/index-sd1OVlcc.js:13:25250\nZ@http://ubuntu/assets/index-sd1OVlcc.js:13:24535\n",
  "message": "Request failed with status code 403",
  "name": "AxiosError",
  "code": "ERR_BAD_REQUEST",
  "config": {
    "transitional": {
      "silentJSONParsing": true,
      "forcedJSONParsing": true,
      "clarifyTimeoutError": false
    },
    "adapter": [
      "xhr",
      "http"
    ],
    "transformRequest": [
      null
    ],
    "transformResponse": [
      null
    ],
    "timeout": 0,
    "xsrfCookieName": "XSRF-TOKEN",
    "xsrfHeaderName": "X-XSRF-TOKEN",
    "maxContentLength": -1,
    "maxBodyLength": -1,
    "env": {},
    "headers": {
      "Accept": "application/json, text/plain, */*",
      "Content-Type": "application/json",
      "X-CSRFToken": "z1JxkL8QqIsVcWE4OPwGP99di8hax8LQ"
    },
    "baseURL": "http://ubuntu/api",
    "withCredentials": true,
    "method": "post",
    "url": "/auth/login/",
    "data": "{\"username\":\"pentester1\",\"password\":\"InitialPassword123\"}"
  },
  "request": {},
  "response": {
    "data": "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n  <meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\">\n  <meta name=\"robots\" content=\"NONE,NOARCHIVE\">\n  <title>403 Forbidden</title>\n  <style type=\"text/css\">\n    html * { padding:0; margin:0; }\n    body * { padding:10px 20px; }\n    body * * { padding:0; }\n    body { font:small sans-serif; background:#eee; color:#000; }\n    body>div { border-bottom:1px solid #ddd; }\n    h1 { font-weight:normal; margin-bottom:.4em; }\n    h1 span { font-size:60%; color:#666; font-weight:normal; }\n    #info { background:#f6f6f6; }\n    #info ul { margin: 0.5em 4em; }\n    #info p, #summary p { padding-top:10px; }\n    #summary { background: #ffc; }\n    #explanation { background:#eee; border-bottom: 0px none; }\n  </style>\n</head>\n<body>\n<div id=\"summary\">\n  <h1>Forbidden <span>(403)</span></h1>\n  <p>CSRF verification failed. Request aborted.</p>\n\n\n</div>\n\n<div id=\"explanation\">\n  <p><small>More information is available with DEBUG=True.</small></p>\n</div>\n\n</body>\n</html>\n",
    "status": 403,
    "statusText": "Forbidden",
    "headers": {
      "allow": "POST, OPTIONS",
      "connection": "keep-alive",
      "content-length": "1018",
      "content-type": "text/html; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Tue, 13 Feb 2024 19:50:56 GMT",
      "referrer-policy": "same-origin",
      "server": "nginx",
      "vary": "origin",
      "x-content-type-options": "nosniff",
      "x-frame-options": "DENY"
    },
    "config": {
      "transitional": {
        "silentJSONParsing": true,
        "forcedJSONParsing": true,
        "clarifyTimeoutError": false
      },
      "adapter": [
        "xhr",
        "http"
      ],
      "transformRequest": [
        null
      ],
      "transformResponse": [
        null
      ],
      "timeout": 0,
      "xsrfCookieName": "XSRF-TOKEN",
      "xsrfHeaderName": "X-XSRF-TOKEN",
      "maxContentLength": -1,
      "maxBodyLength": -1,
      "env": {},
      "headers": {
        "Accept": "application/json, text/plain, */*",
        "Content-Type": "application/json",
        "X-CSRFToken": "z1JxkL8QqIsVcWE4OPwGP99di8hax8LQ"
      },
      "baseURL": "http://ubuntu/api",
      "withCredentials": true,
      "method": "post",
      "url": "/auth/login/",
      "data": "{\"username\":\"pentester1\",\"password\":\"InitialPassword123\"}"
    },
    "request": {}
  }
}

blockisec commented 9 months ago

The login should be working with the credentials from the docker-compose file. In the default compose file the credentials are admin:dontusethispasswordtoo. I will update the docs with this information. The URL seems not to be "localhost". You may need to change the CORS and Allowed Hosts settings in django. This is an example from my volumes/server/conf/production.py file which allows login with the previously mentioned credentials via "http://ubuntu":

CSRF_TRUSTED_ORIGINS = ['http://ubuntu', 'http://localhost']
CORS_ALLOWED_ORIGINS = ['http://ubuntu', 'http://localhost']
ALLOWED_HOSTS = ['backend', 'ubuntu']
CSRF_COOKIE_SECURE = False
SESSION_COOKIE_SECURE = False
DEBUG = False

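The 403 body in the report is Django's generic CSRF failure page; without DEBUG=True it hides which of the CsrfViewMiddleware checks actually failed. The snippet below is an added example, not PeCoReT's code and not Django's, that models those checks closely enough to show the failure. It assumes (from 'backend' appearing in ALLOWED_HOSTS above) that nginx forwards requests to the Django container with Host: backend, so Django computes its own origin as http://backend; a browser on http://ubuntu therefore sends an Origin header that is not same-origin from Django's point of view and must be listed explicitly, with scheme, in CSRF_TRUSTED_ORIGINS. The "localhost only" settings are assumed for illustration, the token value is the one from the report, and the token comparison is simplified to equality (Django unmasks and compares secrets).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Settings:
    ALLOWED_HOSTS: List[str]
    CSRF_TRUSTED_ORIGINS: List[str]
    CSRF_COOKIE_SECURE: bool = False


@dataclass
class Request:
    host: str                   # Host header as Django sees it (after the proxy)
    origin: Optional[str]       # Origin header the browser attached to the POST
    csrf_cookie: Optional[str]  # csrftoken cookie value, if the browser sent one
    csrf_header: Optional[str]  # X-CSRFToken header copied from that cookie
    scheme: str = "http"        # gunicorn is reached over plain http from nginx


def host_allowed(host: str, allowed_hosts: List[str]) -> bool:
    """ALLOWED_HOSTS matching: exact name, '*', or '.example.com' for subdomains."""
    hostname = host.rsplit(":", 1)[0].lower()   # drop any port
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == hostname:
            return True
        if pattern.startswith(".") and (hostname == pattern[1:] or hostname.endswith(pattern)):
            return True
    return False


def origin_trusted(request: Request, settings: Settings) -> bool:
    """The Origin header passes if it equals the origin Django computes for itself
    (scheme://host) or is listed in CSRF_TRUSTED_ORIGINS, where an entry such as
    https://*.example.com covers subdomains. Entries must carry a scheme."""
    own_origin = f"{request.scheme}://{request.host}"
    if request.origin == own_origin:
        return True
    browser = urlsplit(request.origin)
    for trusted in settings.CSRF_TRUSTED_ORIGINS:
        t = urlsplit(trusted)
        if not t.netloc.startswith("*"):
            if request.origin == trusted:
                return True
        elif t.scheme == browser.scheme and browser.netloc.endswith(t.netloc[1:]):
            return True
    return False


def csrf_check(request: Request, settings: Settings) -> Tuple[int, str]:
    """Decide in the order Django does. Reasons use Django's wording; the generic
    403 page only reveals them with DEBUG=True."""
    if not host_allowed(request.host, settings.ALLOWED_HOSTS):
        return 400, f"DisallowedHost: {request.host!r} is not in ALLOWED_HOSTS"
    # A cookie flagged Secure is never sent by the browser over plain http, so
    # CSRF_COOKIE_SECURE = True on an http deployment leaves Django with no cookie.
    page_scheme = urlsplit(request.origin).scheme if request.origin else request.scheme
    cookie = None if (settings.CSRF_COOKIE_SECURE and page_scheme != "https") else request.csrf_cookie
    if cookie is None:
        return 403, "CSRF cookie not set."
    if request.origin is not None and not origin_trusted(request, settings):
        return 403, f"Origin checking failed - {request.origin} does not match any trusted origins."
    if request.csrf_header != cookie:   # simplified: real Django unmasks and compares secrets
        return 403, "CSRF token missing or incorrect."
    return 200, "OK"


# Assumed localhost-only settings versus the settings posted in the comment above.
LOCALHOST_ONLY = Settings(["backend", "localhost"], ["http://localhost"])
POSTED_FIX = Settings(["backend", "ubuntu"], ["http://ubuntu", "http://localhost"])


def login_from(browser_origin: str, settings: Settings) -> Tuple[int, str]:
    """Constructed POST /api/auth/login/ as the SPA sends it from browser_origin:
    Origin = page origin, X-CSRFToken = csrftoken cookie, Host rewritten to 'backend'."""
    token = "z1JxkL8QqIsVcWE4OPwGP99di8hax8LQ"   # token value taken from the report above
    req = Request(host="backend", origin=browser_origin, csrf_cookie=token, csrf_header=token)
    return csrf_check(req, settings)


if __name__ == "__main__":
    print("http://ubuntu, localhost only:   ", login_from("http://ubuntu", LOCALHOST_ONLY))
    print("http://ubuntu, posted fix:       ", login_from("http://ubuntu", POSTED_FIX))
    print("http://localhost, localhost only:", login_from("http://localhost", LOCALHOST_ONLY))
    secure = Settings(POSTED_FIX.ALLOWED_HOSTS, POSTED_FIX.CSRF_TRUSTED_ORIGINS, True)
    print("http://ubuntu, Secure cookie:    ", login_from("http://ubuntu", secure))
```

Two things follow for a plain-http deployment behind a proxy: every hostname users will type must appear both in ALLOWED_HOSTS (or the proxy must forward it under an allowed name) and, with its scheme, in CSRF_TRUSTED_ORIGINS, and CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE must stay False until TLS is terminated in front of the app, otherwise the browser never returns the cookies and every login fails with the same generic 403.
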
blockisec commented 8 months ago

Were you able to solve your problem?

blockisec commented 8 months ago

I am closing this issue because of missing information.