Posts

Showing posts from March, 2016

Weevely - PHP Backdoor

Recently at BSides SLC 2016 I had a class which introduced the usage of Weevely.  Here are a couple of links that complemented the training that I had:

http://exploiterz.blogspot.com/2013/09/how-to-backdoor-webserver-using-weevely.html

http://null-byte.wonderhowto.com/forum/hiob-generate-web-backdoors-php-using-weevely-kali-linux-0158905/

Simple Script to Configure iptables

I have been utilizing Cloud at Cost to put together a variety of labs.  I build the below iptables script to configure it for a base installation until I can configure it further.


#!/bin/bash allowedTCPInbound="22" #allowedUDPInbound="53" iptables -F iptables -X iptables -Z iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT iptables -A INPUT -s 127.0.0.1 -j ACCEPT iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT for port in $allowedTCPInbound; do #iptables -A INPUT -p tcp --dport $port -j LOG --log-prefix '*** Allowed TCP Connection ***' iptables -A INPUT -p tcp --dport $port -j ACCEPT done #for port in $allowedUDPInbound; do # iptables -A INPUT -p udp --dport $port -j LOG --log-prefix '*** Allowed UDP Connection ***' # iptables -A INPUT -p udp --dport $port -j ACCEPT #done iptables -A INPUT -p udp --dport 67 -j DROP # Added this due to the amount of traffic that is generated from this broadcast - …

BSides 2016 Hackers Challenge

Image
At BSides 2016 I participated in their Hackers Challenge.  The challenges were based on reverse engineering, network packet analysis, and many other puzzles that you needed to figure out.  When I had hit the wall at 3AM in the morning on March 11th I was in 2nd place.  By the end of the competition which was at 10AM I had dropped to 7th.  The challenge was great! Thanks BSides...

Check-out the django.nV project.  This is a project that was used in the Hackers Challenge but was adapted from its original state.

Screenshot of being in 2nd place at 3AM.


Screenshot of being in 7th place at the end of the competition.



One thing to note is most of the challenges were worth 4,000 points in the beginning.  If you did the challenge and no-one else you kept the 4,000 points.  For each participant that accomplished the challenge you had to divide the points with them.

Responsible Disclosure of CSRF in PHP Fusion 9

Image
Recently I did some testing with PHP Fusion 9 and found that I could create additional users as the admin is logged in due to the application not protecting against CSRF.  I reached out to the development team and they had it fixed within 72 hours.  Below is the original video that I sent them and then they provided one back showing they had fixed it and to test it again.

Video - Adding a user account through CSRF




Then here is the response about fixing the vulnerability in version 9. Here is the youtube video that he posted as shown above in the screenshot:  https://www.youtube.com/watch?v=5eLfA_ZEujQ&feature=youtu.be


Forensics - Mount Windows Partition Showing the System Files

Mount a windows partition showing the system files:
mount -o ro,show_sys_files,streams_interface=windows /dev/sdb2 /mnt/analysis

Taken from "Super Time Line Analysis - SANS DFIR Webcast" https://www.youtube.com/watch?v=C4jNfXZ90fw


CyberSecurity Challenge Australia 2014 In a Box - YAWU - Yet Another Write-up

Image
This challenge can be downloaded from vulnhub.com.

Web Application Pentest Section 80 points - Only VIP and registered users are allowed to view the Blog. Become VIP to gain access to the Blog to reveal the hidden flag.

Looking at the web page we notice when the page is first visited that the link to the "Blog" is disabled.  Somehow we need to reenable the link to get the flag.


Below is a python script to quickly pass a GET request on the index.py page.


Notice that among the cookies returned is a vip=0.  With this sort of return you can suppose that a VIP user is going to be a value other than 0.  If I modify it to be a 1 the link to the Blog becomes enabled.  With clicking on the Blog link then the flag appears.




160 points - Gain access to the Blog as a registered user to reveal the hidden flag.

The blog allows you to insert comments.  Checking to see if XSS is possible as a comment is inserted.  At the bottom of the textbox you can see how you can make text bold, italicized…

cmd.exe Count Lines returned with netstat from the command line

I was testing the threshold of the number of connections on a web server and threw together a dos command to accomplish the minor task.  Inside the command prompt I executed:

netstat -an | find /i "<ip address>" | find /N /i "ESTABLISHED"

tshark - More than I ever wanted to know...

Recently I purchased the book, "The Practice of Network Security Monitoring" by Richard Bejtlich.  I was reading in chapter 7 of the book about the Digital Corpora project located at http://www.digitalcorpora.org.  In the chapter he presents the scenario of the "Nitroba University Harassment Scenario".  A pcap can be downloaded about how a teacher was being harassed by a student and the object of the scenario is to identify who did it and with what evidence.  The scenario and the files you need are located at the following link.

In the book they are using the scenario to explain and teach about the tool called Xplico.  However, I am going to use the scenario to identify useful tshark commands that can be used in such an investigation.

The first lead in the investigation is that of an IP Address.  "The mail header shows that the mail message originated from the IP address 140.247.62.34, which is a Nitroba student dorm room. "

IP Address: 140.247.62.34.  I…

File and Folder Auditing with Powershell

http://blogs.technet.com/b/zarkatech/archive/2012/01/14/audit-file-server-permissions-using-powershell.aspx


$ErrorActionPreference = "Continue"
$strComputer = $env:ComputerName
$colDrives = Get-PSDrive -PSProvider Filesystem
    $StartPath = "\\myserver\share"
    Get-ChildItem -LiteralPath $StartPath -Recurse |
    ForEach {
      $FullPath = Get-Item -LiteralPath (Get-Item -LiteralPath $_.PSPath)
      (Get-Item -LiteralPath $FullPath).GetAccessControl() |
      Select * -Expand Access |
      Select @{N='Server Name';E={$strComputer}},
             @{N='Full Path';E={$FullPath}},
             @{N='Type';E={If($FullPath.PSIsContainer -eq $True) {'D'} Else {'F'}}},
             @{N='Owner';E={$_.Owner}},
             @{N='Trustee';E={$_.IdentityReference}} } |
             #@{N='Inherited';E={$_.IsInherited}},
             #@{N='Inheritance Flags';E={$_.InheritanceFlags}},
      …

Audit File and Folder Permissions - Powershell

################################################################################
# AUDIT FILE & FOLDER PERMISSIONS v1.1
# by Roman Zarka | Microsoft Services
################################################################################

$ErrorActionPreference = "Continue"
$strComputer = $env:ComputerName
$colDrives = Get-PSDrive -PSProvider Filesystem 
    $StartPath = "\\server\share"
    Get-ChildItem -LiteralPath $StartPath -Recurse |
    ForEach {
      $FullPath = Get-Item -LiteralPath (Get-Item -LiteralPath $_.PSPath)
      (Get-Item -LiteralPath $FullPath).GetAccessControl() |
      Select * -Expand Access |
      Select @{N='Server Name';E={$strComputer}},
             @{N='Full Path';E={$FullPath}},
             @{N='Type';E={If($FullPath.PSIsContainer -eq $True) {'D'} Else {'F'}}},
             @{N='Owner';E={$_.Owner}},
             @{N='Trustee';E={$_.IdentityReference}} } |
      …

Notes from bWAPP v2.2

Image
These are my quick notes that I recorded as I worked through bWAPP v2.2

--- SQLi GET / Search Results - With security level set to low

URL with SQLi:
http://bwapp/sqli_1.php?title=a' union SELECT 1,table_schema,table_name,4,5,6,7 FROM information_schema.tables WHERE table_schema!='mysql' AND table_schema!='information_schema&action=search

The above query was taken from the MySQL SQL Injection Cheat Sheet located here.  The purpose of this query is to have returned the database and table names of the database.  I also had to experiment with the number of columns that were expected and how it was displayed.



Now I need to find out the structure of the tables...

URL for SQLi:
http://bwapp/sqli_1.php?title=a%27%20union%20SELECT%201,table_schema,%20table_name,%204,column_name,6,7%20FROM%20information_schema.columns%20WHERE%20column_name=%27password%27%20AND%20table_schema%20!=%20%27mysql%27%20AND%20table_schema%20!=%20%27information_schema&action=search

The above SQL…