Cross Site Request Forgeries

I recently participated in STEM CTF and there was one challenge that I found particularly fun to figure out. The situation was quite straightforward: gain access to an account on a social networking website.

At first you are presented with a login page, allowing you to register or request that your password be e-mailed to your account’s associated e-mail address through a POST of the username to an email_password function. So, I decided to create an account and see what else I could do. Sure enough, there was an update e-mail ability which turned out to POST the new values for account attributes. This means that you could visit /EditProf?attribute=email&newValue= to update the e-mail address for your currently logged in account.

These in combination seem like they could be great for a CSRF (can be pronounced sea surf) attack! CSRF is essentially the ability to change values in a URL and send that URL to the target, so that when they click it while logged in, their browser updates values, transfers money, etc. in their account. For example, if wutbook.com was vulnerable, somebody could click a link such as wutbook.com/EditProf?attribute=email&newValue=lulz@gmail.com to change their e-mail address to a possibly malicious address.

Now it would have been nice if the target just clicked on the link, but we had to take it a step further in the competition. The messaging system involved no removal of special characters, and simply wrapped your message with textarea tags. Once you notice that, you should be able to deduce that you can just close that tag and add whatever you would like to the page. Now you can have a web browser attempt to load a URL through use of img tags. Of course no image will be loaded on the page, but the request will be made nonetheless.

With all of that in mind, I crafted (roughly) the following message to the user:

hello!</textarea><img src="http://{url}/default/EditProf?attribute=email&newValue=my@email.com" /><img src="http://{url}/default/email_password?username=target" />

When the user viewed the message, it automatically set his e-mail to mine, and sent me his password!
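To show the two defects the attack above chains together, here is an added example (not the CTF site’s code): a minimal in-memory model of the message renderer and the EditProf handler, each in its vulnerable form beside a hardened form. The session store, user store and the csrf_token parameter name are assumptions for the example.

```python
import hmac
import html
import secrets

# Constructed in-memory session and user stores for this example (not the CTF site's code).
SESSIONS = {}  # session id -> {"user": ..., "csrf": ...}
USERS = {"target": {"email": "target@example.invalid"}}

def new_session(user):
    """Log a user in and issue a per-session CSRF token alongside the session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def render_message_vulnerable(text):
    # Wraps the stored message in <textarea> without escaping, as the site in the
    # post did: a '</textarea>' inside the message closes the tag and injects markup.
    return "<textarea>" + text + "</textarea>"

def render_message_safe(text):
    # html.escape turns '<', '>', '&' and quotes into entities, so the closing tag
    # stays inert text and an injected <img> never becomes an element.
    return "<textarea>" + html.escape(text, quote=True) + "</textarea>"

def edit_profile_vulnerable(sid, method, params):
    # Any request with a valid session cookie changes the account, including a GET
    # that the victim's browser sends while loading an <img src=...> on another page.
    sess = SESSIONS.get(sid)
    if not sess:
        return 401
    USERS[sess["user"]][params["attribute"]] = params["newValue"]
    return 200

def edit_profile_safe(sid, method, params):
    # State changes must be POSTs carrying the session's CSRF token: an <img> load
    # can only issue a GET and the attacker cannot read the victim's token.
    sess = SESSIONS.get(sid)
    if not sess:
        return 401
    if method != "POST":
        return 405
    if not hmac.compare_digest(params.get("csrf_token", ""), sess["csrf"]):
        return 403
    if params["attribute"] not in ("email",):  # allowlist of editable attributes
        return 400
    USERS[sess["user"]][params["attribute"]] = params["newValue"]
    return 200
```

Requiring POST plus a token blocks the img-tag trigger even if the textarea escape is forgotten, and escaping blocks the injection even if a handler is later mis-exposed; the two fixes are independent layers.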

Learning Websites

So today I’ve decided to go back and go through some web challenges. I’m just compiling a list at this time, and am going to play with Security Traps first. I’d suggest anybody who is just starting out with security-related games take a look at HackThisSite.org first – there is a lot of help available, as it’s an older, better-known target.

HackThisSite.org
Security Traps
Smash the Stack
Hack Quest
Intruded.net

I’ll likely be posting some of my thoughts on random challenges in these sites, omitting the site name itself so that I’m not just giving out answers.

WSO (web-shell) 2.5

This is an amazing tool, especially related to my last post. We came across this tool in the wild and I was able to track down the newest version of it and test it out – it has to be the most convenient PHP shell once it has been placed on a server. Some features include:

  • Cookie-based authorization
  • Server information
  • File manager (copy, rename, move, delete, chmod, touch, creating files and folders)
  • View, hexview, edit, download and upload files
  • Working with zip archives (packing, unpacking), plus tar.gz compression
  • Console
  • SQL manager (MySQL, PostgreSQL)
  • Execute PHP code
  • String utilities, plus hash lookup in online databases
  • Bind port and back-connect (Perl)
  • Bruteforce FTP, MySQL, PgSQL
  • Search files, search text in files
  • Support for *nix-like and Windows systems
  • Antipoiskovik (anti-search-engine check: if the User-Agent is a search engine crawler, a 404 error is returned)
  • AJAX support
  • Small size: the packed version is 22.8 Kb
  • Choice of the character encoding used by the shell

I’m including a download of the packed version, but if you’re interested in seeing the source code feel free to let me know or even Google it, it’s out there!



Unrestricted File Uploads

I’ve noticed that I’ve been very inactive on this blog, so today I’ll be touching on a rather recent topic that has caught my interest – Unrestricted File Uploads.

In this vulnerability, we consider the dangers of not having proper controls on an upload feature to stop an attacker from uploading malicious code. There are many types of attacks here, ranging from overwriting critical files (if the web user has rights to do so) to having a virtual interface to go further into the server. I was introduced to the latter of the two – a situation where no handler was defined for PHP code, but the uploader allowed .htaccess files and even allowed those rules to be applied to the current directory. An example file that would allow PHP code would be configured as follows:

# grant access to the directory (Apache 2.2 syntax)
allow from all
# map the .php extension to the PHP module's MIME type and handler
AddType application/x-httpd-php .php
AddHandler application/x-httpd-php .php

Of course this could be modified to allow execution of most any filetype, and unless the web/apache user is denied execute rights, a hacker could land anything they desired.

So, once that was in place, I was able to upload a PHP Shell and had direct access to a terminal running on the server. It turned out that the web user had read access nearly everywhere, and quite a bit of write access in web-facing directories. From this stage we would be able to do more thorough recon of the machine, and as we had local access to a terminal, ultimately find an elevation of privileges exploit to run.

Now aside from being able to get root, if you can land a shell on the machine, you’ll be able to see whatever the web user can see, correct? Thinking further into that, you should be able to traverse the web site’s main directory and take a look at the source for server-side scripting languages, including those that may have SQL passwords in them! Once you have SQL passwords, you could very easily get all database information with no need for SQL injections – though if the upload hole is open, SQLi may very well be present as well.
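As an added example of the controls the post says were missing (not code from the application described), the upload check below refuses dotfiles such as .htaccess, allowlists extensions, verifies the content against the declared type, and stores the file under a server-chosen name. The image-only allowlist and the upload_root parameter are assumptions for the example.

```python
import os
import secrets

# Assumption for this example: the application only expects image uploads.
# Allowed extensions map to the magic bytes the file content must start with.
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}

def validate_upload(filename, data):
    """Return the accepted extension, or raise ValueError saying why it was rejected."""
    base = os.path.basename(filename)  # drop any client-supplied directory part
    # Dotfiles are refused outright: an uploaded .htaccess would be honoured by
    # Apache and could map any extension to the PHP handler, as in the post.
    if not base or base.startswith("."):
        raise ValueError("dotfiles such as .htaccess are not accepted")
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        raise ValueError("extension not in allowlist: %r" % ext)
    # The declared type must agree with the content, so 'shell.png' holding PHP
    # source is rejected even though its extension is on the list.
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match the declared type")
    return ext

def store_upload(filename, data, upload_root):
    """Validate, then write under a server-chosen random name in upload_root."""
    ext = validate_upload(filename, data)
    # The client never chooses the stored name, so double extensions such as
    # 'x.php.png' (which Apache's mod_mime can treat as PHP) never reach disk;
    # upload_root should also sit outside the web server's document root.
    stored = secrets.token_hex(16) + "." + ext
    with open(os.path.join(upload_root, stored), "wb") as fh:
        fh.write(data)
    return stored
```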

Seems like a fun exploit right? It seems rather prevalent as well, especially in non-commercial applications, so keep your eyes open for this one!

CompTIA Green IT Results

It turns out that the book I was reading (CompTIA Strata – Green IT by Manning) made the test out to be a bit more difficult than it really was. The questions were mostly in regards to actual technology implementation or energy efficiency, rather than knowing mechanisms of the Kyoto Protocol as I was led to believe. I ended up getting an 88% and only took 15 of the allotted 75 minutes to complete the 30 question test.

I recommend that anybody who wants to prove they at least know what virtualization is, along with some energy efficiency practices and green procedures, take the test; I think it’s only $100, which makes it one of CompTIA’s cheaper exams.

CompTIA Strata Green IT

With a recent promotion by CompTIA I was able to get a voucher for the Strata Green exam for about $50 while purchasing my practical A+ voucher. The content seems pretty easy yet very applicable to companies making moves to be more green or cost efficient. I recently finished reading CompTIA Strata Green IT by William Manning and it’s a mere 120 pages of content, in a font size like what one may find in a pre-teen novel. It doesn’t seem like there are many online resources for the test, so the $26 is really the only option for study materials. We’ll see how this goes.

More Malware at USF…

It looks like there’s a new virus spreading around USF disguised as a resume, which is working very well on our clients; so far I’ve seen it coming from creativeness@rassil.com (we’re working with ADEx admins to set up a trap for incoming mail, which should help alleviate some of the hit). The ‘resume’ is attached as ‘resume.html’, which turns out to be a little blurb of JavaScript that runs hex-encoded code. The hex code, when converted to ASCII, can be found to be pointing to (do not go here)

http://www.residentiebeveiligingstechniek.nl/x.html

which then runs

http://brocuphdislock.cz.cc/scanner10/?afid=24

and

http://fast-addon.in/news/index.php?map=rect&vid=4&bid=151&a=get&action=ecard&e=hidden

When a client becomes infected they will see what looks like a Windows XP explorer window containing what you would normally see if you opened ‘My Computer,’ except in this case there are little red flashing icons indicating malware on all drives. We actually had one customer stifle its progress by pulling the plug on her machine before the virus could be fully installed.

This seems to be caught successfully by Malwarebytes’ Anti-Malware, so boot into Safe Mode as an administrator and scan away!
