Security

Bind Shell – Shellcode (Linux/x86)

Security
A bind shell is quite common in penetration testing, where it is usually combined with an exploit so that a tester or assessor can connect to the machine. It basically opens a port and serves a shell as the service listening on that port on the machine where the code is executed. First, to be able to create a working "bind shell" shellcode, a C program was written to test the functionality of the APIs used.

    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <unistd.h>
    #include <linux/net.h>

    int main() {
        struct sockaddr_in addr;
        addr.sin_family = AF_INET;
        addr.sin_port = htons(443);
        addr.sin_addr.s_addr = INADDR_ANY;
        int sockfd = socket(AF_INET, SOCK_STREAM, 0);
        ...
ZeroDays CTF 2018 – “Hodor” Challenge

Capture The Flag, Security
Another reverse engineering challenge from the ZeroDays Capture the Flag 2018 event was named "Hodor". The challenge description went as follows: Oh you said Hodor! I thought you said Harder! The first thing to do is check what the file is: The file is a 64-bit ELF, which means the debugger needs 64-bit support. Before anything else, however, running "strings" shows the following output: Since the output doesn't really show anything interesting for the flag, running the executable should output: Similar to the challenge "WhattaMan", it asks for a flag input and checks whether it is correct or not. By entering the command "gdb ./Hodor", GDB should load the executable for debugging: Again, similar to the challenge "WhattaMan", doing "info...
ZeroDays CTF 2018 – “Whatta Man” Challenge

Capture The Flag, Security
The "Whatta Man" challenge under the "Reverse Engineering" category of the ZeroDays Capture the Flag 2018 event got me quite confused, probably because I got intimidated by those system calls presented in the debugger. So to start with, the challenge description went as follows: OK ladies lets hear it for Khal Drogo First was the need to check what the file was: Another 64-bit ELF here, which means the debugger has to be 64-bit too! Apart from doing the initial investigation on the file format, running the "strings" command to extract strings from the executable gave an output of: Looking at the above picture doesn't give us any flag, so the next step would be running the program to get an idea of how it works before using a debugger to do some assembly language review: ...
Trovisio Responsible Disclosure – Password Hash Leakage

Security, Vulnerabilities
Getting another opportunity to become part of a hall of fame for security-related contributions is pretty cool, and this was because of a very simple bug which was not noticed during the development of the system. The last time I saw this kind of issue was a few months ago when I was working on a back-end system for a client, and finding this again on another website basically means that it's probably common out there. During my initial non-intrusive information gathering, I found a lot of API links, which made me test them for some basic responses, and they seemed pretty secure until I opened the console of Chrome. After noticing that the APIs were throwing console logs, I visited a few pages and guess what popped up? It was the password hash! This happened when the page "Account Se...
HP Responsible Disclosure – Information Leakage

Security, Vulnerabilities
After finding a security issue on the website of Asus, I started wandering through a list of tech giants and I ended up seeing information that wasn't meant to be seen by the public eye. Hewlett-Packard, popularly known as "HP", had some information leakage on their website "recycle.ext.hp.com", which I discovered by reading a JavaScript file. This client-side script had pretty interesting information that led me to read each block until I found a function that was possibly deprecated, due to its function name having the word "old". When I extracted the URL and visited it manually, it was actually responsive, leading me to some kind of a job order https://recycle.ext.hp.com/index.php?process=print&type=order&target=20 (This obviously won't work now because it has been fixed...