It's been a little over 3 months now since Brainpan 3 was first released. I offered stickers to those who could solve the challenge and I was not disappointed with the results! Some brilliant folks out there solved it in some very interesting ways. Since I've already given away all the stickers, I figured I'd go ahead and share my solution for the challenges. This won't be a step-by-step walkthrough. If you want a full walkthrough, you'll find some great ones here.
It turns out I've been blogging for 6 years as of today. To celebrate, here's a writeup on 64-bit ROP exploitation! It's a revist of barrebas's awesome ROP primer, but compiled for 64-bit. This isn't an official boot2root, just something I decided to do on my own for fun. barrebas provides the source code for each of the challenges in his ROP Primer so it's just a matter of compiling it on a 64-bit system.
So a while back, barrebas from our VulnHub CTF Team decided to give us a primer on Return Oriented Programming (ROP). It was a great session and he went on to give the workshop at BSides London, which I hear was well received. Anyway, to accompany the workshop, he created a VM challenge containing three binaries that you get to practice exploiting using ROP. You can grab the VM at https://www.vulnhub.com/entry/rop-primer-02,114/. I meant to do this ages ago, but procrastination, plus CTFs, plus work kind of put it on the shelf. So finally, I got bits of free time to work on it and here's my writeup on the challenges.
I saw this boot2root announced on Twitter by ly0nx and decided to give it a go. It's not on VulnHub yet, but it looks like it might make it there sometime after Blackhat and Defcon is over. The boot2root is called NullByte 0x01 and is described as beginner/intermediate level challenge. I thought it was pretty easy, but still a fun challenge nonetheless. You can grab it at http://ly0n.me/2015/08/01/nullbyte-challenge-0x01/.
Brainpan 3 is finally here! If you've completed the previous Brainpan releases, then you'll know what to expect. This time round, I've made it a tad bit more challenging so get your caffeine shots ready!
libformatstr is a library created by hellman with the intention of simplifying format string exploitation. The GitHub repository can be found here. It's been around since 2012 but I haven't been able to find many tutorials on it. I have seen CTF writeups that use it though, so I decided to take the time to do a short writeup on it for my own reference.
This is part 2 of my 64-bit Linux Stack Smashing tutorial. In part 1 we exploited a 64-bit binary using a classic stack overflow and learned that we can't just blindly expect to overwrite RIP by spamming the buffer with bytes. We turned off ASLR, NX, and stack canaries in part 1 so we could focus on the exploitation rather than bypassing these security features. This time we'll enable NX and look at how we can exploit the same binary using ret2libc.
This series of tutorials is aimed as a quick introduction to exploiting buffer overflows on 64-bit Linux binaries. It's geared primarily towards folks who are already familiar with exploiting 32-bit binaries and are wanting to apply their knowledge to exploiting 64-bit binaries. This tutorial is the result of compiling scattered notes I've collected over time into a cohesive whole.
To commemorate their second birthday, VulnHub is holding another competition with the promise of prizes for those who are chosen as winners! The challenge is Sokar; a nefarious boot2root created by rasta_mouse which features a nice balance of frustration and satisfaction. For more details about the competition, head over to VulnHub's blog post. I spent a couple of hours each evening after work to poke away at Sokar until I finally solved it. This post contains my walkthrough.
While killing time waiting for the next CTF, a handful of us from Team VulnHub decided to have a go at OverTheWire's Behemoth challenges. I hadn't played Behemoth before and found it pretty fun. The game is described as:
Happy 2015! With the holidays and merry making out of the way, it was time to resume hacking boot2roots and CTFs. To start off the new year is Pegasus, by TheKnapsy. I actually started this challenge a week before Christmas, but after getting a foothold on the target, I put it on hold to prepare for the holidays and unplug for a few days. Today I finally got around to loading it up again and finishing it off. I recommend having a go at it, so grab it from VulnHub.
A couple of years ago I successfully completed the Offensive Security Pentesting with Backtrack (PWB) course, and a year after that, the Cracking the Perimeter (CTP) course. Having a huge lab made up of different machines in different subnets to break into is just a great challenge. When I completed the courses, I was a little sadenned that I'd no longer get a chance to poke at the labs. So you can imagine my excitement when I was asked if I'd like to beta test Offensive Security's latest offering; The Playground.
For the last few weeks I had immersed myself in several CTFs with team VulnHub. It was a nice change to return to boot2roots after tackling small and difficult challenges. This time round, it's Knock-Knock by zer0w1re. Much like other boot2roots, the goal is to get root, and find the flag. As always, head over to VulnHub to download it and have a go.
It seems like more and more boot2roots are being submitted to VulnHub as of late. OwlNest by Swappage is one of the more recent ones that packs a good challenge. Grab it over at VulnHub if you're interested in giving it a go. This was debuted at ESC 2014 CTF where no one was able to solve it. It took me several days to finish off this beast after getting stuck in a tarpit, but this was a whole lot of fun.
Flick by leonjza is a new boot2root available for download at VulnHub. I had quite a bit of fun with this one, and learned a couple of new things as well; like how I like to do some things the hard way. So without further ado, I'll jump right in and describe how I completed the challenge.
Another month, another hacking challenge! This time it's Xerxes 2 by barrebas. This boot2root promised some challenges and it definitely delivered. Xerxes 1 was a lot of fun, and when Xerxes 2 was announced, I was looking forward to getting my hands dirty. As with other boot2roots, you can download a copy of Xerxes 2 at VulnHub
One of the latest and more challenging boot2roots released on VulnHub as of late is Hell. This boot2root by Peleus has appeared to cause quite a bit of hair pulling and teeth gnashing whenever it's mentioned on IRC. I initially started off with his beta version but had to put it away when I got too busy with work. When I was finally ready to try again, the official version had been released, so I downloaded it and started over.
A few weeks ago, VulnHub hosted the Hades competition; a capture the flag challenge created by Lok_Sigma. Hades is touted as a difficult boot2root, requiring some experience in exploit writing and reverse engineering. The competition ran for a good 4 weeks, and with submissions now closed, I've decided to go ahead post my solution.
A couple of days ago, I found an interesting bug during a fuzzing session that led to me creating a 0-day exploit for it. I've been asked a few times about the methods I use to find bugs and write exploits, so I've decided to take this opportunity to describe one particular workflow I use. In this post, I'll take you through finding a bug, analzying it, and creating a functional exploit.
This is a quick guide on how to setup multi-factor authentication with SSH using Google Authenticator. The goal is to require three items from the user in order to complete the authentication: SSH authentication keys, the user's password, and a one-time password using Google Authenticator.
My first post on Blogger was on October 9, 2009. It's been a good run, and I've enjoyed using Blogger for quickly sharing things with the Internet. For various reason, I've grown tired of Blogger, and I've decided to migrate over to GitHub Pages. Making the transfer took a bit of time and trial and error. Octopress made the migration relatively simple and so far, I'm pretty happy with the results.
Kioptrix 2014 is the fifth installment of the Kioptrix boot2root series. It's been about two years since the last Kioptrix release, so I was pleasantly surprised when I found out that loneferret had decided to release a new one. Kioptrix 2014 can be downloaded from Kioptrix.com or from VulnHUB.com
This is a walkthrough on De-ICE S1.140, available for download at VulnHub. This release was much anticipated and took a while to get released to the public. It's a little tougher than the previous De-ICE challenges, but uses a similar formula of password cracking and guessing.
This is a walkthrough for the De-ICE S1.120-1 B challenge, which can be downloaded here: http://vulnhub.com/entry/de-ice_s1120-b,11/. The author describes this challenge as "moderately difficult". Itching for a good challenge, I decided to see if it lived up to its difficulty level.
This is a quick walkthrough on solving the De-ICE S1.120 A challenge which can be downloaded here: http://vulnhub.com/entry/de-ice_s1120-a,10/. Interestingly, I wasn't aware that this boot2root even existed until a couple of nights ago when someone mentioned it on IRC. After doing a bit of searching, it turns out there are at least three that I haven't had a go at popping. So with that in mind, I decided to load up S1.120 A and take the challenge.
Several weeks ago, Sagi released his own challenge named Relativity to the public. It had been a while since I'd done a good boot2root, and so eager for a challenge, I grabbed it off VulnHub and loaded it into VMware.
After recently releasing the Brainpan 2 hacking challenge, a handful of people asked me for tips on how to create their own hacking challenge. These virtual machine hacking challenges, more commonly known as boot2roots, are relatively easy to make, but cat be somewhat time consuming. In this post, I'd like to share some tips on how to roll out your own boot2root.
When I initially created Brainpan, my intent was to give back to the community with something fun and challenging. It didn't occur to me that others would find it so enjoyable that they would want more. I had a blast creating the first challenge, and so I thought, "What the hey, let's create a second one!". And so I present, Brainpan 2. Your goal is to break into the server and read the contents of /root/flag.txt
Several months ago I signed up for Offensive Security's Cracking the Perimeter (CTP) course. Having successfully completed the course, I wanted to write a short review on it. CTP focuses primarily on Windows exploit development, while touching a little bit on web application hacking. As CTP is marketed as a non-beginner course, students must complete a registration challenge before they will be allowed to take the course. The challenge itself is relatively easy, if you've done any hacking before, or completed Penetration Testing with Backtrack (PWB), it should be pretty straightforward.
After attempting various hacking challenges, I was inspired to come up with my own. Brainpan is my attempt at a vulnerable virtual machine. Your goal is to break in and get root access.
Unicornscan is no longer packaged with Kali Linux 1.0. One of my scripts (onetwopunch.sh) happens to use it, so I went about building Unicornscan from source. I ran into a couple of snags when building it, but I've documented it here to make things easier for others.
The other day I was working on a Windows machine and downloaded a small Windows bind shellcode from https://code.google.com/p/w32-bind-ngs-shellcode/. I wanted to extract the shellcode from the bin file and pop it into my exploit. On Linux, this can be done with the following:
In this article, we'll look at pivoting using Metasploit. If you have the option to use Metasploit, you'll find that it makes pivoting much easier. Metasploit can be installed on Linux, Windows, and Mac OS X, which makes it a pretty versatile tool. The number of modules included in the framework grows continuously, and its low learning curve makes it popular among hackers.
In the past two articles, we pivoted our exploit to our target with the help of SSH. If SSH is not available, we can try to use client-to-client and listener-to-listener relays with netcat, as described by Ed Skoudis in Secrets of America's Top Pen Testers. We will modify Skoudis' technique by using ncat instead of netcat. Ncat is meant to be a replacement for netcat, and is included in the Nmap 5.x and higher package. I prefer ncat over netcat for this as it allows us to use the same syntax to set up the relays regardless of whether the pivot is running Linux, Windows, or Mac OS X.
This is part 2 of a series of posts on pivoting techniques. In part 1, we used SSH port forwarding to pivot our exploit and obtain remote access to our Windows XP machine. In this article, we'll be performing the same attack, but instead of using SSH local port forwarding, we'll use Proxychains and an SSH SOCKS proxy.
Pivoting is a technique that allows attackers to use a compromised system to attack other machines in the same network, or more devastatingly, machines in another network that the compromised machine has access to. There are several techniques that can be used to pivot deeper into the network, and I'll be describing some of them in the next few articles. I've found that this topic can be a bit confusing to beginners, and I hope that these articles will help clear things up. In this article, we'll look at pivoting with SSH.
I use Chrome's desktop notifications when using Gtalk, and Growl notifications for other applications. I wanted a Growl style that looked like Chrome's desktop notifications, but was unable to find one after combing through Google searches. I finally said "screw it", and decided to make my own.
Nmap is a favorite tool when it comes to running port scans. The output can be a bit much however, especially when you're dealing with many targets with many services. Nmap is capable of producing reports in text, grepable, and XML formats. When I was working on my OSCP, I wanted a lightweight tool that could quickly parse my Nmap reports and display clean results. I couldn't find one that did what I wanted, so I hacked something together. The end result, is a script called scanreport.sh
The Offensive Security Certified Professional (OSCP) certification is awarded to students who successfully complete Offensive Security's Pentesting with Backtrack (PWB) course. This is an intense hands on course, where students are expected to use the knowledge and tools they've obtained, to hack into several machines in a virtual network. There is no hand holding, no spoon feeding, and the only hint a student usually receives, is "Try Harder". At the end of the course, the student must pass an exam and submit a penetration test report in order to earn the certificate. Unlike most exams, this one is 24 hours long, and the student must hack into several machines to obtain enough points to pass the exam.
Loophole is another wargame, created by Beller0ph0n and released at the HackingDojo forums. The image itself can be downloaded from http://vulnhub.com. I'm rating this one as a beginner challenge.
Another virtual machine hacking challenge! This one is called vulnimage and can be downloaded from http://vulnhub.com This one is a little more advanced, requiring the attacker to craft a custom exploit to root the server. Give it a go if you're interested in exploit development.
The third Kioptrix challenge is level 1.2, which can be downloaded from http://www.kioptrix.com/blog/?page_id=135. This challenge is definitely a bit more involved than the first two. When the Kioptrix VM starts up, it informs us that /etc/hosts file should be modified to map the Kioptrix IP address to kioptrix3.com
The second Kioptrix challenge isn't quite as scan and exploit as the first, but still a relatively easy beginner challenge. The Kioptrix challenges can be downloaded from http://www.kioptrix.com/blog/?page_id=135. It's actually labeled as Level 1.1. The author mentions that there are multiple ways to compromise the system. I've only explored one method, which is what I'll be describing here.
Kioptrix is another set of virtual machines that are intended to be hacked into. As of this writing there are currently four Kioptrix challenges. Each one increases in difficulty and is a good start for someone new to penetration testing. Towards the end of last April, I started playing around with it and documented the steps to exploit it. Kioptrix 1 is geared towards the beginner, and is one of the easiest challenges out there.
In Part 1, we talked about getting a shell-like interface when attacking a target vulnerable to directory traversals. We continue with an article on exploiting Remote File Inclusion (RFI) attacks with a shell.
Web applications that are vulnerable to directory traversals offer a small window into viewing the contents of a target server. In a way, you've semi-penetrated the system, albeit with minimal privileges, mostly just reading files. However, that's not necessarily a bad thing. Being able to read /etc/passwd for instance will give you an idea of what user accounts are on the system, thereby aiding in a brute force attack. If you can read the contents of C:\Windows\repair\sam and C:\Windows\repair\system, you can download those files and start cracking Windows passwords.
Information gathering is an important step in a penetration test, or any hack attempt. Various attack vectors open up based on the findings in the information gathering stage. Port scanning provides a large amount of information on open services and possible exploits that target these services. The problem with port scanning is that it can take a lot of time to generate the results depending on the type of scan, the protocol that's being scanned, the number of targets, whether or not any IDS is in the way, and a slew of other variables.
Wireshark on OS X runs on top of X11. As most people who've used X11 applications on OS X are aware, they look ugly, and don't match the theme on OS X. In an effort to prettify Wireshark, the developers have included a default theme to go with it: Clearlooks-Quicksilver-OSX. At first, this looks nice, up until you actually start using any of the menu items on Wireshark. The text just disappears. White text on white background. Have a look:
There are legitimate reasons for wanting to stay anonymous online. You don't have to be living in an oppressed country, or be a criminal, or an activist. Sometimes you just don't want Facebook or Twitter to know where you're connecting from.
On to Holynix 2, the last Holynix challenge as of this writing. Holynix 2 can be downloaded from http://sourceforge.net/projects/holynix/files/2.0/. As before, Backtrack Linux is used as the attacking machine, and everything is run in a virtualized environment. Holynix 2 has a static IP address, so go over the README.txt file before starting and setup your network accordingly.
I've been playing a few of these hacking challenges over the past few months, some are extremely easy, while others force you to think out of the box. Completing a challenge is rewarding, but the journey to completion is sometimes fraught with frustration. In this post I'm going to be describing how I completed the Holynix 1 challenge. Holynix 1 can be downloaded from http://sourceforge.net/projects/holynix/files/1.0/ As before I'll be using Backtrack Linux to perform the attack and running Holynix on VMware. Both machines were running on the same network, so a netdiscover revealed the IP address of the target. I ran nmap against the target and pointed my browser to that IP address to see if a website was present:
This is a walkthrough on how I completed level 2 of the De-ICE penetration testing Live CDs. I had completed level 1 a week before and talked about my experiences in a two part post (part 1 and part 2). If you're interested in learning some hacking in a safe environment, I recommend checking out HackingDojo and downloading the De-ICE Live CDs.
In my previous post I talked about how I completed part 1 of the De-ICE hacking challenge. If you're not sure what De-ICE is, I recommend reading my last post and checking out HackingDojo, home of the De-ICE penetration testing Live CDs.
Over the weekend I decided to take the De-ICE Live CD Level 1 challenge. De-ICE provides a safe environment where you can practice your penetration testing skills. If you've never done a penetration test before, or are looking for practice, these Live CDs are a good place to start.
If you need to do a brute force attack against a particular service, you'll need a couple of things. A good wordlist containing possible passwords, and a list of user names to try. It's easy to get a password list on the Internet, but user lists often have to be customized for the target. You'll need to do some research to find email addresses and employee names. Once you do have a list of names however, you'll need to guess what the format of the login ID is for that user. John Doe could be johndoe, or john.doe, or jdoe, and so on.
It can be tempting to hop onto an open wireless network when you just need to check your email, or you want to send off a tweet. Stop for a moment though, because an open wireless network might not be as safe as you think. With the right tools, an attacker can turn his laptop into an open wireless access point that captures your online activity.
Man-in-the-middle (MITM) attacks are an effective way to capture data flowing between a target and the router. In a nutshell, the attacker places himself between the target and the router so that all data flows through the attacker's machine. The target thinks he's communicating with the router, and the router thinks it's communicating with the target, when in reality, they are communicating with the attacker and the attacker just relays the information back and forth. It's like a malicious mailman who reads your letters before sealing them and sending them off.
I wanted to audit the security of a server running the MoinMoin Wiki Engine version 1.9.2 and needed to see if I could crack the passwords on the site. Each user's information is stored in a file located in the site's data/user directory, for example: 1308083750.39.64129. This is a plaintext file which contains key-value pairs. There are two keys that we're interested in: enc_password and name
In the computer world, when you delete a file and empty the Trash or Recycle Bin, it's not really gone. This can be a good thing for when you accidentally delete something critical, or your hard drive crashes and you need to hire professionals to recover these files for you. These files are still recoverable because they're still on the disk, just that you no longer have access to them. However in some cases, you may want to delete a file permanently and ensure that it is unrecoverable.
Most wireless routers have a security feature called MAC filtering. Each network card on a computer comes with a unique MAC address. MAC filtering allows the user to specify which computers are allowed to use the wireless network by entering the computer's MAC address into the whitelist. This is a security tip that I see often when reading about securing wireless networks. When used by itself, or with WEP, it can give the user a false sense of security. I'm going to show you how this security layer can be bypassed.
Capturing the 4-way handshake required to crack WPA-PSK can be a bit frustrating when you can't get a client to deauthenticate and reauthenticate with the access point. One option is to deauthenticate all the clients by not providing the client's MAC address when running the deauthentication attack:
I got frustrated with Windows not having a default program for checking the MD5 hash of a file, so I wrote my own. It's written in Java and has been tested on Windows and OS X, although it should work on any system that has a JRE installed. To use it, just drag the file(s) whose hashes you need to check into the window and it will display the MD5 and SHA-1 hashes for you.
Finally got around to doing this. I'm writing this guide as a future reference in case I need to do this again. First you need to upgrade to Android 2.1, so follow the instructions in: Samsung Galaxy Spica: Upgrading Android 1.5 to 2.1.
Dropbox is a service that allows you to sync files and folders on multiple computers. It does this by syncing the files and folders to the Dropbox server and then syncing them to any other device (computers or smartphones) that you may have installed Dropbox on. Its primary purpose is to ensure that any files in your Dropbox folder are immediately accessible to any other device that you have installed Dropbox on. We can take advantage of this syncing feature and use it as a means to transfer instructions from one device to another. Here's a basic example of using a smartphone to tell a computer (the target) to print out some documents.
In the last post I discussed a method for activating screensavers remotely on multiple Macs. Turns out that it's just as much of a hassle to deactivate them, particularly if the screensaver is just meant to hide the desktop and not lock it. If you need to unlock the screen then this script will do you no good.
My work setup in the lab consists of two Mac Minis, one Mac Pro, and my Macbook Pro. I do all my typing on my Macbook and use teleport to remotely control the other computers. Whenever I leave my desk, I make it a habit to lock all my computers using the screensaver. It has become a bit of a pain to do this manually, so I came up with a way to lock all my computers with a single command from my Macbook.
Email notifications are handy for when you need to be alerted to an event that happens on your machine. Sometimes I might write a shell script that looks for a specific string in a log file, and I might want it to send me an email. Now most Unix systems come with a command called mail. What frustrates me about this command is that there's no way to tell it which mail server to use. It always assumes that the localhost is the SMTP server.
For my friend's birthday I decided to give him something geeky. Birthday code cake. It won't win any obfuscated C contests, but it works and was done in short notice.
About two months ago I decided I was tired of my Blackberry and wanted something a lot more fun, so I started hunting around for an Android phone. I purchased the Samsung Galaxy Spica off of eBay for about USD $300. The device came with Android 1.5 (Cupcake). It wasn't long before I started looking for ways to upgrade it to 2.1 (Eclair).
The techniques used to crack WEP vary depending on whether or not it uses MAC filtering, if it uses shared key or open key authentication, if we need to perform a deauthentication, and so on. I've found that the majority of WEP networks I've audited usually don't employ MAC filtering and they use open key authentication. The series of steps I begin with goes like this.
Coffee shops can make an excellent location for attacking wireless networks. If a hacker can pick up your access point's signal, they can break into it from a coffee shop, the parking lot, or across the street. Most coffee shops such as Starbucks are popular hang outs for students with laptops, allowing the hacker to easily blend in without attracting suspicion. And of course there's the coffee and a comfortable place to sit.
Wikipedia defines scareware as:
A long time ago I altered my iTunes library to include only artist name and song title. That's it. I removed any additional information including album name, genre, all of that.
Leopard Server and Snow Leopard Server have feature called an adaptive firewall (af). When the system detects several failed login attempts from the same IP address, the af kicks in and blocks the offending IP address for 15 minutes.
I often see IP addresses in log files on my servers and wonder where they might be coming from. Tools such as traceroute and whois are great when you need to dig further, But if you just want a quick answer to the question "where are you?", here's a possible solution.
I successfully completed the GIAC GSEC certification. Work paid for the OnDemand course and the exam. The exam is open book. I didn't bring any of the books SANS provided, they were too many and too heavy. Instead I compiled my own set of notes which I found to be sufficient for the sample exams and the actual exam.
Twitter has two forms of authentication that it exposes to developers. The first is OAuth and the second is basic authentication.
So I managed to "forget" the passphrase to unlock my PGP private key. I kind of knew what the passphrase was, just wasn't quite sure what it looked like. For instance, I knew it flowed as "alice smacked the jabberwock", but I couldn't remember if it was "Alice smacked the Jabberwock", "alice SMACKED the jabberwock" or "Alice Smacked The Jabberwock" and so on...
Encryption is a great way to protect your data. Generally you select some awesome algorithm, pick a passphrase and encrypt your data. When you want to access your data, you decrypt it using the passphrase.
There've been a few times where I've found myself in need of a default username/password for a wireless router that has been factory reset, or was just improperly configured. Going through manufacturer websites searching for the manuals and the information can be a pain.
Once upon a time I used to write tutorials for a site called Linuxnewbie.org
I recently purchased a Blackberry on eBay. I needed a new phone and I thought a smartphone might be nice to play with. The Blackberry Pearl 8120 has built in wifi capabilities which means you can bum off a wireless network at Starbucks without paying for a data plan. This also means that if we join the wireless network, we can "see" what other computers have joined in as well and even probe them for interesting information.
Another blog to clutter the already garbage infested Internet? Yes. But why?