Getting StrongDM Comply Running on Windows 11 using WSL

I started this blog as a repository where I could document solutions to very niche problems I’d encountered, and this problem is about as niche as it gets…

Background

A colleague suggested StrongDM Comply as a free and open-source solution for generating SOC 2 Compliance policies. It’s a handy utility designed to run on Mac and Linux, but since I work on a Windows 11 PC, I needed to explore my options.

My first thought was to use Docker, but the image I found was a few years old and would exit immediately after starting. Three other options came to mind:

  • Dual boot a Linux distro
  • Turn up a Linux VM
  • Use the Windows Subsystem for Linux (WSL)

I only needed this for a single application, so WSL seemed to be the best solution for my [very] particular use case.

Installing WSL

Open PowerShell as an Administrator, then run:

 wsl --install

Note: This will require a reboot to finalize the installation. This command requires Windows 10 version 2004 (build 19041 or higher) or Windows 11 to function.

The default subsystem is Ubuntu, but you can choose other distributions if you like. See https://learn.microsoft.com/en-us/windows/wsl/install for additional details and instructions.

Setting Up the Linux Terminal

To access your new environment, you’ll need to install Windows Terminal from the Microsoft Store. Once installed, you can use the dropdown arrow to open a new Ubuntu terminal:

You’ll be prompted to set a UNIX username and password, and then you’ll receive a welcome screen and terminal prompt. The first command you’ll run is:

sudo apt update && sudo apt upgrade

This will get you a list of Ubuntu packages that have available updates and install them for you.

Cloning the Comply Repository

The installation instructions on the GitHub page are deprecated, so we’ll do it a little differently, using Git to clone (copy down) the repository:

git clone https://github.com/strongdm/comply.git

Dependencies

There are two dependencies Comply needs to function:

  1. Pandoc – a universal document converter
  2. PdfLatex – a tool that converts LaTeX sources into PDF (required by Pandoc to generate PDFs)

To install Pandoc, we’ll use APT again:

sudo apt install pandoc

…and then verify that it installed successfully:

pandoc --version

Installing PdfLatex is a little more involved, but these are the instructions that worked for me (From Yosep Kim):

# Install the TexLive base...
sudo apt-get install texlive-latex-base
# Install recommended fonts to avoid possible errors...
sudo apt-get install texlive-fonts-recommended
sudo apt-get install texlive-fonts-extra
# Install extra packages...
sudo apt-get install texlive-latex-extra

Compiling The App

Now that all of the dependencies are installed, we can compile the app using  Go, but first, we’ll need to install the Go package:

sudo apt install golang-go

With that done, we navigate to the “comply” directory and can compile the app using Go:

cd comply
go build

Note: This needs to be run from the folder where the go.mod resides, usually /comply relative to where you ran the ‘git clone’ command above.

Running Comply

At this point, Comply (and all of its dependencies) are installed and ready to run. This consists of:

  1. Creating an empty directory
  2. Initializing a new Comply project
  3. Building the PDF documents
  4. Running the Web Server

Here’s what that looks like:

mkdir [myCompanyName]
cd [myCompanyName]
../comply init
../comply build
../comply serve

You can access your newly created PDFs by opening File Explorer, expanding the Linux > Ubuntu folders, and then browsing to the sub-folder you created (e.g., Linux > Ubuntu > home > [Username] > comply > ExecutiveOutcomes > Output):

PDFs are created using the markdown (.MD) format documents, which you can modify using a text editor (e.g., nano, vi, etc.) within the Linux subsystem:

When you’ve finished updating your documentation, you can serve up a web interface using the aptly named “serve” parameter:

../comply serve

Then, browse to the index.html file:

There you have it! I think it’s a fantastic little tool (once you get it running), and would recommend it anyone looking for who needs customizable SOC2 Compliance documentation.

Input Form Validation Bypass Using the Browser Console

Disclaimer: The techniques described in this post are intended for educational purposes only, and specific details have been intentionally omitted.

These methods should only be used on systems you own, manage, or have explicit permission to access. Unauthorized access to computer systems is illegal and unethical. Always obtain proper authorization before performing intrusive or manipulative actions on a web application. I assume no responsibility for any misuse of the information provided!

Background

Recently, as part of my client’s periodic password change activities, they encountered a problem where the Password field on the web interface’s login screen supported fewer characters than what the password was set to, locking them out of the device.

To make matters worse (for reasons I can’t get into here), the web browser and a text editor were the only tools available to investigate, troubleshoot, and bypass the interface’s limitations.

Investigation and Troubleshooting

Using the web browser’s Developer Tools, I was able to inspect the Password input field to better understand what was happening:

<input name="pass" type="Password" size="16" maxlength="16" value="">

Looking at the last password vault entry, I saw that the password was 29 characters long, so I tried entering the same password truncated to 16 characters, but it wasn’t accepted.

Luckily, there were other identical devices in the environment, so I logged into another one and inspected the Change Password field on a hunch. Sure enough, it was longer!

<input name="passChange" type="Password" size="20" maxlength="20" value="***">

This told me that when the password was changed, it was truncated to 20 characters, not 16!

Getting Warmer…

Now that I had a clear[er] understanding of the problem and the correct password, I tried to manipulate the client-side HTTP by increasing the size and maxlength values to 20, but encountered server-side code calling a form validation function, preventing me from submitting password greater than 16 characters:

if (pass.value.length > 16) err.addError (pass, "Invalid or Missing Password"); 
    err.showError(); 
    return !err.hasError();

In order to get around the script, I tried bypassing the form using the browser’s console to manually set the user name and password and then submit the form without clicking on the submit button, triggering the validation function:

document.getElementsByName("user")[0].value = "[myUsername]";
document.getElementsByName("pwd")[0].value = "[myTruncatedPassword]";
document.forms["[myLogonForm]"].submit();

…and…

It Worked!

This got me back into the device, so I first navigated to the password change setting and reset it to an acceptable length, then verified that I could get back in using the new password.

Lastly, I wrote a detailed summary for the client to share with the device’s manufacturer so [hopefully] they’ll update future revisions to use consistent password lengths.

Targeted Email Removal with Exchange Online Powershell

In the course of administering an Exchange Online instance I’m occasionally asked to locate and remove an email (or set of emails) from the entire tenant. The quickest way to do this is via PowerShell:

Connect to the Exchange Online instance, enter your credentials when prompted:

Connect-ExchangeOnline

Next, Connect to the Security and Compliance Center PowerShell, entering your credentials again when prompted:

Connect-IPPSSession

Now that you’re connected, you can create a new compliance search to locate the email(s) you wish to remove:

New-ComplianceSearch [SearchName] -ExchangeLocation 'All' -ContentMatchQuery 'from: "*@something.com"'

In the example above, I’m searching for all content across all mailboxes from a specific domain (e.g. @something.com), but you can modify the scope of the search by adjusting the location and content match query (i.e. searching by subject or just looking at specific mailboxes/folders etc.).

Once the search is created, you will need to start it:

Start-ComplianceSearch [SearchName]

While the search is ongoing, you can check on its status:

Get-ComplianceSearch [SearchName]

NOTE: You can use the |fl parameter to obtain additional information on the compliance search status.

Once completed, you can use the purge the emails located by the search:

New-ComplianceSearchAction -SearchName [SearchName] -Purge -PurgeType SoftDelete

 

Parameter Hunting: Part II

In my last post on the subject, I discussed the concept of using Process Explorer to discover switches you can use for unattended installs/uninstalls used in enterprise software deployment.

Like before, I have a pesky setup.exe package that wants to guide me through an installation GUI, and would not respond to the usual setup.exe /s /q etc. and so forth…

This particular installer was for a very obscure serial hub manufacturer so there was Googling my way out of this; instead I needed to figure out what was used to build the installer, then work backward from there.

Once against, I launched my trusty Process Explorer (as Administrator) and inspected the setup.exe’s process…to my delight, scrolling down the “Strings” tab I came across this:

Note the string, “This installation was built with Inno Setup.” With that in mind, I was able to look up the documentation associated with the package builder to discover the built-in parameters I needed for silent installation.

While this specific technique might not work for every situation, it never hurts to have another tool in your toolbox!

Parameter Hunting

Preface: Often in our line of work, the answer requires a little digging. The purpose of this post is to walk you through my thought process in an effort to illustrate how I go about linking disparate pieces of information together to arrive at a solution.

Last week, I was tasked with creating a script to silently uninstall an application across a managed environment with nearly 800 endpoints spanning multiple physical locations and at least 3 separate domains – that was the easy part.

The hard part was that this application was installed as .EXE file rather than an MSI package (i.e. I couldn’t just script out msiexec /x…). While it did have an uninstall.exe file, this called the GUI uninstaller, and I wasn’t about to have someone go through and click ‘next’ ‘next’ ‘next’ for each one!

Many .EXE’s have CLI parameters you can invoke, so I started with the usual suspects:

  • uninstall.exe /?
  • uninstall.exe –?
  • uninstall.exe /help
  • uninstall.exe -help
  • uninstall.exe –help

None of these worked (it wouldn’t be post-worthy if it was that easy)!

Next, I went looking for any documentation that was available for the application – I had:

  • Googled the manufacturer for any documentation/examples – nada
  • Read all of the .txt files in the installation folder – zilch
  • Reviewed the .ini and .config files for clues, saw something vaguely useful – a reference to “NSIS” – tabled it and kept looking

Finally, I decided to use SysInternals Process Explorer to inspect the application:

  1. Run the application you want to inspect
  2. Open Process Explorer (as administrator)
  3. Find the application on the list
  4. Right click on the application and select “Properties…”
  5. Under the “Image” tab, you will see a field for “Command line:”

The Command line will tell you what commands/switches it runs. In this case, the uninstall.exe was running with the switch, “_?=C:\Program Files\[Application Name]”.

I decided to Google the switch itself, which lead me to the Nullsoft Scriptable Install System documentation. I was able to work out that the application used NSIS to create the installer/uninstaller package, and through that, found some examples, one of which (/S) runs the installer/uninstaller silently!

This was exactly what I was looking for! All I had to do was append the command with “/S”, and sure enough, it removed the application without any prompts or launching the GUI!

It just goes to show that persistence pays off, and a little time and effort can save your organization/client hundreds of hours of manual work.