r3dey3

WH3N W0RLDS C0LL1DE

Honeynet Project - Forensics Challenge 14 - Weird Python

This is my writeup for the Honeynet Project - Forensics challenge 14 - Weird Python

I initially opened the pcapng in Wireshark and saw that there were multiple SSL and HTTP connections. Rather than combing through wireshark looking at each one I went investigating tools that would analyze HTTP traffic from a PCAP. I stumbled on pcapperf - a pretty nice web based analyzier. It shows results similar to the network tab in chrome’s inspect interface. The site does not operate on pcapng format, so I converted it to pcap using wireshark’s save feature.

Using this I was able to see the various sites visited, and also the method the attacker used (Questions 1, 2, 3, 5). Using wireshark I extracted the downloaded game from the fake website.

Answers to the various questions follow.

Choosing Sync/cloud Software

There’s a few new computers in my circle of family - my parents just bought one and my wife’s laptop and phone - and I need a better solution for backing up everything.

My previous solution CFTBackup was no longer working for windows computers as they were reinstalled or replaced. And I never got the whole part of the offline sync working; plus after using a simple rsync for almost 4 years, I’ve determined that the 150Kbit/s limit was more than adequate to back things up in a timely fasion and a lot less hastle.

So it’s time for a new solution. I recently bought two new HGST Deskstar NAS 4TB hard drives as space was starting to get full on my 1.5TB (at my house) and 1TB (my parents house) drive’s.

For refresher the hardware the drive is going into:

Now I needed to find a better solution to sync the two backup systems and backup the files off the desired systems.

BkPctf - Alewife

The name of the file should have given us a hint as to the nature of the problem.. but it took me a while as I just started working on it and didn’t pay attention to the name (nor see the problem description text).. and of course my modus operandi is to reverse engineer things to find a vulnerablity, so I didn’t connect but just dove into the reversed binary so I didn’t pay attention to the ArrayOps string.

The problem was a pwnable, which meant that there was a vulnerability somewhere. My job was to find it. But first I had to understand what the program was doing as the only output strings were:

  • “**:”
  • “***:”
  • “ii:”
  • “iii:”
  • “ss:”
  • “sss:”
  • “ArrayOps\n”
  • “–:”

The input to the program is through three functions (as I named them), after printing a prompt they do their respective action.

  • GetUint (0x400960) - gets up to 0x3f bytes into 0x40 sixed cleared stack buffer, then calls strtoul
  • GetInt (0x40097f) - gets up to 0x3f bytes into 0x40 sized cleared stack buffer, then calls atoi, returns value
  • Get_0x3f (0x400a04) - gets up to 0x3f bytes with a single read into a malloc’d buffer

Sadly, none of these were vulnerable to any overflow, so the bug had to be somewhere else.

BkPctf - Kendall

I was going to write how to solve Kendall, a “pwn” challenge, but the author posted a nice write up

I probably spent a good hour and a half looking at the binary trying to see if something is exploitable (good job!) before I managed to figure out the DNS request part. I only managed to find two bugs:

  • You could remove the null terminator on the IP address by writing an address of exactly 16 bytes (eg “1111111111111111”)
  • If you made the Source, Dest, and netmask all 16 bytes, and the Nameserver 3, the renew_client would print an error. This was due to the snprintf before the system being truncated.

I did learn an important lesson. If there’s an opportunity to put a hostname or ip somewhere PUT IN AN IP YOU CONTROL

I ended up using dnsmasq for dns as I had a server that wasn’t running dns. I’ll have to take a look at minidns for next time. I ended up using python’s SimpleHTTPServer:

1
python -m SimpleHTTPServer 80

And a real simple HTTPs server I found on the web

Simple HTTPS server
1
2
3
4
5
6
import BaseHTTPServer, SimpleHTTPServer
import ssl

httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
httpd.serve_forever()

BkPctf - Wood Island and Orient Heights

This weekend was the Boston Key Party Ctf. There were a bunch of challenge, and my team did pretty well (top 10) even though we didn’t have a lot of our regulars. Two of the problems involved signing a string “There is no need to be upset” using Elgamal signing.

The TLDR version is both failed in the duplicate checks.

Both problems required “proof of work” prior to the signing test:

  1. Server reads 9 bytes of random data and generates a base64 encoded version
  2. Sever sends the base64 to client (12 bytes)
  3. Client adds up to 8 bytes
  4. Server then verifies first 12 are the ones it sent
  5. Server computes SHA1 hash of all 20 bytes
  6. Hash must end with 24 bits of 0 to pass

Once you passed the proof of work you had to send the message (“There is no need to be upset”) and signature (r and s). The format of the message and signature was json with Wood Island, and asn1 with Orient Heights. If the signature passed you were rewarded with the key.

Along with the server script and the key information, we were given a collection of valid signatures, lest we had to brute force up to a 1024 bit private key. However, even though the message that the server wanted was in the example signatures, the server checked that we weren’t sending a duplicate signature.

Here in lies the flaw we used. Wood Island used the python json library to decode the string into a dict and the duplicate check was a simple “user_dict in list” check. Adding a field to the json was enough to pass the check. Orient Heights just compared the binary ASN1 encoding; once again adding a field caused it to fail.

Ironman Lake Placid Pictures

Well, I’m finally getting around to posting pictures. First I had to figure out what blogging engine I wanted to use, then I had to figure out what theme, and then I had to figure out what iamge popup to use.. and then what thumbnailer. I still need to figure out a magic way to put pictures in so I don’t have to write a lot of HTML each time. But that’ll have to wait. I want to get this pictures up so I can work on new posts.

LED Tie Bar - Hardware

LED Tie Bar

Parts list

For each:

Other parts used:

LED Tie Bar - Overview

LED Tie Bar For my groomsmen gift for my wedding, I decided to do an LED tie bar. I think it turned out pretty well. Hopefully they will all like them (and they don’t see this before they get them!)

The bar is a metal tie bar with a 8 NeoPixel (WS2812B) LEDs on it. There is a microcontroller with a push button switch on back for changing the effects and colors. However, as the wedding colors are blue and silver, there is a jumper in place that limits the colors to blue. Cutting this jumper will enable the full range of colors.

The effects are:

  • Fickering
  • Cylon
  • Theater chase in one direction
  • Theater chase in the other direction
  • Fade between dim and bright and back
  • Fade between on and off
  • Fade between on and white
  • Sin mix between color and black (like Cylon, but only one direction)
  • Sin mix (black) in other direction
  • Sin mix between dim and bright in either direction
  • Sin mix between on and white in either direction
  • Blinking
  • On Dim
  • On Medium
  • On Bright (very very bright)

DEF CON 2014 Finals – Wdub V2

Once again I’m gonna talk about the 2nd version of a service from DEF CON 22’s CTF finals. This time it’s wdub; a simple HTTP server.
Version 1 had an integer overflow which lead to a stack overflow.
(edit: DEF CON CTF Challenges available @ http://shell-storm.org/repo/CTF/Defcon-22-finals/)

It turned out version 2 had two bugs. A use after free, and an integer overflow buf. To start with version 2 added a new http method – EVAL, where it ran something over the POST contents (with optional decompression), it also made POST requests to a file ending in ydg a script type page with <?ydg tags… that causes the same evaluating to happen.