Monday, August 27. 2012
This is just a quick overview of my solutions to the Stripe-CTF levels. I will not go over what each level was, just what the vulnerability is, an explanation of my solution, my solution, and any custom code generated for it. For additional details on the levels you can search the web, or go to the stripe-ctf.com page.
So last night I finished the Stripe CTF. Levels 6, 7, and 8 were a bear. Once the CTF is done on Wednesday I plan on doing a quick write-up of my different solutions to the levels. I will be curious to see how my methods differ from others'. I know my level 8 solution was not the most efficient, and required a lot more manual interaction than necessary. Either way I will happily take the T-shirt, and wear it proudly at the next security conference I go to.
If you are interested you can see my times here. The long time for level 8 is a little disingenuous. I took Friday night and all of Saturday off from the CTF, as I had my GXPN exam Saturday afternoon (I passed), and prior family plans on Saturday night.
Wednesday, August 8. 2012
First let me start by saying I did not find this, nor did I do any of the heavy lifting in making this. All of that was done by the guys at the NYU Poly ISIS Lab.
That being said, I always get a little excited whenever a new Wireshark exploit comes out. Sometimes when I am conducting an internal pentest I get a network admin with the mentality of the Stasi. They sit there with Wireshark running, monitoring my port and looking for any hint of malicious traffic. As soon as they see something they flag us as "caught" and put a stop to the pentest. So having a collection of Wireshark exploits is helpful in stopping the network admins and allowing me to continue my work unimpeded. As such I "weaponized" the code from the NYU Poly ISIS Lab blog post to make my life easier.
If you know the admin's IPv6 address you can change the FF02::1 address to it so you are only targeting him.
Either way, just run it and Wireshark should crash, leaving you free to finish your pentest.
Sunday, January 9. 2011
UPDATE: The password for the service is: gemstar
Friday, April 9. 2010
So there is a lot of talk about ASLR and DEP, and other protection mechanisms in place to prevent the full exploitation of an application. But sometimes you don't need to execute arbitrary instructions on the system, only change the flow of code execution. Consider the following program:
Without figuring out what the correct password is we can get this application to execute the code in the good function. Observe:
[ring0@<System Name> ~/badc]$ gdb -q pass2
So what did we get? We managed to bypass the authentication function of the application. And since we are jumping back into code that is already part of our own application, we do not have to deal with randomization, or finding a place for our shellcode, or anything like that. Obviously this limits us to doing only things the application already plans on doing, but we can now alter the logic of the application.
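The program from the post is not reproduced above, so the following is an added example, not the author's pass2: a password check of the kind the post describes, written once with an unbounded copy and once with the copy bounded to the buffer. The names check_password_unsafe, check_password_safe and good, and the password "s3cret", are assumptions for illustration.

```c
/* Added example, not the pass2 program from the post: a password check of
 * the kind the post describes, shown first with an unbounded copy and then
 * bounded. The names check_password_unsafe, check_password_safe and good,
 * and the password "s3cret", are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16
static const char EXPECTED[] = "s3cret";

/* The function the post reaches without knowing the password. */
int good(void) {
    return 1;
}

/* Unsafe shape: strcpy copies until the caller's NUL, so an argument longer
 * than BUF_LEN overruns buf and the saved data beyond it, including the
 * return address. That is the defect that lets execution be steered into
 * good() without the password. */
int check_password_unsafe(const char *input) {
    char buf[BUF_LEN];
    strcpy(buf, input);             /* no length check */
    return strcmp(buf, EXPECTED) == 0;
}

/* Bounded shape: a candidate that does not fit in buf cannot be the
 * password, so refuse it before copying anything; then copy only the
 * measured length. memchr finds the terminator without reading past
 * BUF_LEN bytes. */
int check_password_safe(const char *input) {
    char buf[BUF_LEN];
    const char *end = memchr(input, '\0', BUF_LEN);
    if (end == NULL)                /* no terminator within BUF_LEN: too long */
        return 0;
    size_t n = (size_t)(end - input);
    memcpy(buf, input, n + 1);      /* includes the terminator */
    return strcmp(buf, EXPECTED) == 0;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <password>\n", argv[0]);
        return 2;
    }
    if (check_password_safe(argv[1]))
        return good() ? 0 : 1;
    fputs("access denied\n", stderr);
    return 1;
}
```

The bounded version removes the overflow, which is what matters; the mitigations the post mentions only raise the cost of exploiting one that remains. For a binary like this, building with -fstack-protector-strong puts a canary between buf and the return address, and -fPIE -pie makes the address of good() vary between runs, so "jumping back into our own application" no longer has a fixed target.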
Friday, April 2. 2010
So the answer to Monday's problem: "syslog(LOG_INFO, argv);" is a format string vulnerability. To solve the problem the line should be written as follows:
Monday, March 29. 2010
I had a friend ask me over the weekend to show him how a particular vulnerability works. So I wrote up a little example program and figured I would put it up here as a reference. It's nothing too complex, but some people may not have seen it before as it's a rather old class of exploit, and is not a simple buffer overflow. All the program does is record the first argument passed to it in syslog. So an example usage is ./logit "This will be logged", then cat /var/log/syslog and you should see something to the extent of Mar 29 14:46:47 <SYSTEMNAME> logfile: This will be logged, and if you run it without any arguments it writes nothing to syslog. A basic example of a program's logging functions.
On Friday I will do a quick write-up of what the vulnerability is, how to exploit it, and how to fix it.
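The logit program itself and the corrected line from the April 2 post above are not reproduced on this page, so here is an added example, not the author's code: the logging call in the vulnerable shape the post describes (user input passed as the format string) next to the corrected shape (a constant "%s" format with the user input as its argument). The same distinction is applied to snprintf so the effect can be checked without reading the system log. Function names are assumptions for illustration.

```c
/* Added example, not the logit program from the post: the logging call the
 * post describes, shown in the vulnerable shape (user input used as the
 * format string) and in the corrected shape (a constant "%s" format with the
 * user input as its argument). Function names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Corrected shape: the format is a string literal under the program's
 * control, so "%x", "%s" or "%n" inside msg is just text to be logged. */
void log_message_safe(const char *msg) {
    /* The vulnerable shape from the post is syslog(LOG_INFO, msg); with msg
     * as the format, syslog itself reads arguments that were never passed. */
    syslog(LOG_INFO, "%s", msg);
}

/* The same distinction applied to snprintf so it can be observed without
 * reading the system log. Returns the length of the rendered entry. */
int render_entry_safe(const char *msg, char *out, size_t out_len) {
    return snprintf(out, out_len, "%s", msg);
}

/* Length of the rendered entry for msg under the constant-format shape:
 * always strlen(msg), because no character of msg is interpreted. */
int safe_entry_length(const char *msg) {
    char out[512];
    return render_entry_safe(msg, out, sizeof out);
}

/* 1 if the constant-format shape reproduces msg byte for byte. */
int safe_form_preserves_input(const char *msg) {
    char out[512];
    render_entry_safe(msg, out, sizeof out);
    return strcmp(out, msg) == 0;
}

int main(int argc, char **argv) {
    openlog("logfile", LOG_PID, LOG_USER);   /* "logfile" is the ident in the post's log line */
    if (argc > 1)
        log_message_safe(argv[1]);           /* argv[1] is untrusted data, never a format */
    closelog();
    return 0;
}
```

Compilers flag the vulnerable shape when asked: gcc and clang report a non-literal format with no arguments under -Wformat-security, and -Werror=format-security turns that report into a build failure, which is a cheap way to keep this class of bug out of a code base.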
Friday, March 26. 2010
So there exists a chess web site that runs a monthly contest. Every day they post a new chess problem and you have to solve for mate. If you correctly solve the problem you get an entry into their monthly contest. If your entry gets picked you win the prize: an electronic chess set, a digital camera, an iPod, etc. The problem with this site, which I have contacted them about before, is that the solution is in the page source for the chess problem. All one has to do is view the page source, and there it is. Almost. The following is an example from their site:
If you take the string in that function and decode it as base64 you get:
Which is PGN for the solution. So in this case we move our bishop to a4 and put him in check; he either moves to c4 or takes the bishop at a4, then we do the next step, and so forth.
So knowing this, I as an attacker can enter the puzzle every day regardless of whether I know the solution to the puzzle or not.
When will people realize that base64 is not encryption, and should not be treated as such?
Friday, March 19. 2010
In a pentest recently I was faced with an interesting problem, and I figured it may make for an interesting read. The company had only one public-facing website, written in PHP and hosted on a hardened Debian box. All scans and automated tools reported back nothing obviously exploitable. However, there was a simple directory traversal bug in the website's PHP code. Using this bug I managed to gain shell access on the machine, and eventually root. The method by which I gained shell access was by far the most interesting approach I have had to come up with in a while. Recall that any PHP code in a file that is included by PHP will be executed. With this in mind I set forth to find a place where I could dump PHP code onto the system, and eventually browse to it using the directory traversal bug. All comments and other supplied inputs went directly into the database, so I could not write to a file that way. However, what I noticed was that the language value was being stored in my PHP session. Furthermore, this session variable was not being properly filtered. So using WebScarab I modified my language to a simple set of PHP instructions that would download and run netcat for me. I then used the directory traversal bug to view "/var/lib/php/sessions/<session_ID>" and execute the stored PHP code. From there I had a reverse shell on the machine and the rest was easy.
Wednesday, March 17. 2010
Monday, March 15. 2010