Leaderboard

Popular Content

Showing content with the highest reputation on 12/27/17 in all areas

  1. This course looks at web users from a few different perspectives. First, we look at identifying techniques to determine web user identities from a server perspective. Second, we will look at obfuscating techniques from a user who seeks to be anonymous. Finally, we look at forensic techniques, which, when given a hard drive or similar media, we identify users who accessed that server. Slides: http://opensecuritytraining.info/WebIdentity_files/WebIdentity_all_slides_pptx_1.zip HD video: Source: http://opensecuritytraining.info/WebIdentity.html
    2 points
  2. http://www.smarter.org/research/superhuman/ Super human brain facts
    1 point
  3. Stack Based Buffer Overflows on x86 (Windows) – Part II

     In the first part of this article, we discussed the basics that we need to have in order to properly understand this type of vulnerability. As we went through how the compiling process works, what assembly looks like and how the stack works, we can go further and explore how a Stack Based Buffer Overflow vulnerability can be exploited.

     Introduction

     We previously discussed that the stack (during a function call) contains the following (in the below order, where the “local variables” are stored at the “smallest address” and “function parameters” are stored at the highest address):

     - Local variables of the function (for example 20 bytes)
     - Previous EBP value (to create the stack frame, saved with PUSH EBP)
     - Return address (placed on the stack by the CALL instruction)
     - Parameters of the function (placed on the stack using PUSH instructions)

     Source: https://nytrosecurity.com/2017/12/20/stack-based-buffer-overflows-on-x86-windows-part-ii/
    1 point
  4. WordPress CSV Import-Export plugin version 1.1 suffers from a cross site scripting vulnerability.

     Product: CSV Import-Export Wordpress Plugin - https://wordpress.org/plugins/csv-import-export/
     Vendor: eSparkBiz
     Tested version: 1.1
     CVE ID: CVE-2017-17753

     ** CVE description **
     Multiple cross-site scripting (XSS) vulnerabilities in the esb-csv-import-export plugin through 1.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) cie_type, (2) cie_import, (3) cie_update, or (4) cie_ignore parameter to includes/admin/views/esb-cie-import-export-page.php.

     ** Technical details **
     In the conditional block at includes/admin/views/esb-cie-import-export-page.php:21, the cie_type, cie_import, cie_update and cie_ignore HTTP GET parameters are echoed back to the user without proper sanitization.
     Vulnerable code: https://plugins.trac.wordpress.org/browser/csv-import-export/trunk/includes/admin/views/esb-cie-import-export-page.php#L21

     ** Proof of Concept **
         http://<host>/wordpress/wp-admin/admin.php?page=esb-cie-import-export-page&cie_ignore=<script>alert(document.cookie);</script>

     ** Solution **
     No fix available yet.

     ** Timeline **
     12/10/2017: vendor contacted; no reply
     24/10/2017: vendor contacted; no reply
     31/10/2017: vendor contacted; vendor asks for more details then stops replying
     05/12/2017: vendor contacted; no reply
     19/12/2017: report published

     ** Credits **
     Vulnerability discovered by Nicolas Buzy-Debat working at Orange Cyberdefense Singapore (CERT-LEXSI).

     --
     Best Regards,
     Nicolas Buzy-Debat
     Orange Cyberdefense Singapore (CERT-LEXSI)

     # 0day.today [2017-12-20] #
     Source: 0day.today
    1 point
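
Added example, not part of the advisory or of the plugin's code: one way to review web-server access logs for requests that carry HTML metacharacters in the four parameters the advisory names. The log lines are constructed, and the combined-log request format and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Page slug and parameter names as given in the advisory text
PAGE = "esb-cie-import-export-page"
PARAMS = ("cie_type", "cie_import", "cie_update", "cie_ignore")
MARKUP = re.compile(r"[<>\"']")  # characters that matter in an HTML context
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')  # assumed combined-log format

def flagged_params(request_target):
    """Return the advisory's parameters whose decoded value contains markup characters."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes once
    if PAGE not in query.get("page", []):
        return []
    return [p for p in PARAMS if any(MARKUP.search(v) for v in query.get(p, []))]

def scan_access_log(lines):
    """Return (line number, flagged parameter names) for every matching request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            flagged = flagged_params(match.group(1))
            if flagged:
                hits.append((number, flagged))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic)
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Dec/2017:10:01:02 +0000] "GET /wordpress/wp-admin/admin.php'
    '?page=esb-cie-import-export-page&cie_type=post HTTP/1.1" 200 5120',
    '198.51.100.9 - - [20/Dec/2017:10:03:44 +0000] "GET /wordpress/wp-admin/admin.php'
    '?page=esb-cie-import-export-page&cie_ignore=%3Cscript%3Ealert(document.cookie)'
    '%3B%3C/script%3E HTTP/1.1" 200 5203',
    '198.51.100.9 - - [20/Dec/2017:10:04:10 +0000] "GET /wordpress/wp-admin/admin.php'
    '?page=other-plugin&cie_ignore=%3Cb%3E HTTP/1.1" 200 4811',
]

if __name__ == "__main__":
    for number, names in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: markup in {', '.join(names)}")
```

A hit only shows that a request reached the vulnerable page with markup in a reflected parameter; whether it executed depends on an administrator having followed the link while logged in.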
  5. Walkthrough: Done on Lubuntu 17.04

     1. We download the image and verify that it is intact (I think I downloaded it three times before I got the right one; the other times I was only downloading the thumbnail), so this step is quite important.

            $ md5sum crack_me.jpg
            c720e708ab375e531bb77dca9dd08d38 crack_me.jpg   # So it's OK

     2. As we can see, the image shows a padlock with three dials. We open it in a hex editor and check whether there is anything besides the image. We look to see whether anything follows the bytes FF D9:

            PK sa_nu_uitam.jpg

        We notice that after the JPEG's end bytes come the initials PK, which means we have a zip archive (the initials of Phil Katz, the creator of the zip format). In the archive we see there is another picture, "sa_nu_uitam.jpg".

     3. We try to extract it, but it asks for a password, so we go back to the original picture and wait for an idea to come. The first idea is to generate all possible codes for that padlock. I used C++ for this (I work in it, so it was easier for me):

            #include <iostream>
            using namespace std;

            int main()
            {
                char digits[] = "0123456789";
                char pass[4];
                pass[3] = 0;  // NUL terminator for the 3-character code

                // Print every combination from 000 to 999, one per line
                for (int i = 0; i < 10; i++) {
                    pass[0] = digits[i];
                    for (int j = 0; j < 10; j++) {
                        pass[1] = digits[j];
                        for (int z = 0; z < 10; z++) {
                            pass[2] = digits[z];
                            cout << pass << endl;
                        }
                    }
                }
                return 0;
            }

        We compile it, and when we run it we redirect its output to a file:

            $ g++ main.cpp -o executabil
            $ ./executabil >> fisier.txt

        It can be done in any language; here is something in Python as well: https://stackoverflow.com/questions/22214949/generate-numbers-with-3-digits

     4. After generating all the numbers, it is time to move on to brute force. I used fcrackzip and renamed the image to crack_me.zip (I changed the extension because fcrackzip was complaining):

            $ fcrackzip -D -p fisier.txt -u crack_me.zip

     5. We get confirmation that the password is: "PASSWORD FOUND!!!!: pw == 099". We extract the archive and obtain a new image.

     6. We repeat step two and see that this image is also a password-protected archive. The first idea that came to mind was to try the coordinates of the airplanes' noses (those who have played the airplanes game know that if you hit the nose, the plane is lost). So I took them in order: the grey plane, the blue one and the orange one -> c2c8j5. That is the password.

     7. We get a text file "acum_e_acum.txt" with several words, each on its own line. At first I tried Caesar's cipher, but without any result. After I asked for a hint, I was told to count the letters on each line. So we have:

            dovgdu                  6  -> F
            pjcdr                   5  -> E
            ajiugjstkxry            12 -> L
            clftccpcg               9  -> I
            olq                     3  -> C
            zwwmyilka               9  -> I
            coegapicpfqhtjwxiprt    20 -> T
            d                       1  -> A
            ezvqoxbhdrggdltfzr      18 -> R
            nsvpmsrtl               9  -> I
            zmjjb                   5  -> E
            psrogemhpdduvpkyysa     19 -> S
            bempylhommfwajaopcos    20 -> T
            ejrqtuiue               9  -> I
            gxmcofanboqqwquytlisa   21 -> U
            qbeghlfbifyojk          14 -> N
            byvalibtihrzicglnt      18 -> R
            shrfviuhdgpqgsk         15 -> O
            gxcvsgqsukvus           13 -> M
            c                       1  -> A
            zkojuvlclzwuho          14 -> N
            k                       1  -> A
            xigc                    4  -> D
            lcgbe                   5  -> E
            xjtgreivdirdsgdjtkjtgq  22 -> V
            n                       1  -> A
            xkjkbccuajcpstgmve      18 -> R
            g                       1  -> A
            mekjwwobjoywwbuhaypt    20 -> T

        After counting the letters of each word, I replaced each letter count with the letter of the alphabet found at the position given by that count. So I obtained: FELICITARI ESTI UN ROMAN ADEVARAT.

     Other challenges: [Easy] The big fat panda and The Eye of ...

     Thanks @Usr6
    1 point
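
Added example, not part of the original post: a Python version of two steps from the walkthrough above, locating a ZIP archive appended after a JPEG's FF D9 end marker (step 2) and decoding the letter-count cipher (step 7). The sample JPEG bytes and the function names are constructed for illustration; the ten words are the first ten lines quoted in the post.

```python
import io
import zipfile

JPEG_SOI, JPEG_EOI, ZIP_LOCAL = b"\xff\xd8", b"\xff\xd9", b"PK\x03\x04"

def find_appended_zip(data):
    """Return (offset, member names) of a ZIP that starts right after a JPEG EOI, else None."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = data.find(JPEG_EOI)
    while pos != -1:  # FF D9 can also occur earlier, e.g. at the end of an embedded thumbnail
        start = pos + len(JPEG_EOI)
        if data.startswith(ZIP_LOCAL, start):
            try:
                with zipfile.ZipFile(io.BytesIO(data[start:])) as archive:
                    # Classic ZIP encryption leaves member names readable
                    return start, archive.namelist()
            except zipfile.BadZipFile:
                pass  # "PK" by coincidence, keep scanning
        pos = data.find(JPEG_EOI, start)
    return None

def decode_letter_counts(lines):
    """Map each line's letter count to the alphabet (1 -> A ... 26 -> Z); '?' if above 26."""
    decoded = []
    for line in lines:
        count = sum(ch.isalpha() for ch in line)
        if count:  # skip empty lines
            decoded.append(chr(ord("A") + count - 1) if count <= 26 else "?")
    return "".join(decoded)

def build_sample():
    """Constructed stand-in for crack_me.jpg: fake JPEG bytes followed by a small ZIP."""
    jpeg = JPEG_SOI + b"thumb" + JPEG_EOI + b"image-data" + JPEG_EOI
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("sa_nu_uitam.jpg", b"constructed placeholder")
    return jpeg, jpeg + buf.getvalue()

# First ten lines quoted in the post
WORDS = ["dovgdu", "pjcdr", "ajiugjstkxry", "clftccpcg", "olq",
         "zwwmyilka", "coegapicpfqhtjwxiprt", "d", "ezvqoxbhdrggdltfzr", "nsvpmsrtl"]

if __name__ == "__main__":
    jpeg, polyglot = build_sample()
    print(find_appended_zip(polyglot))
    print(decode_letter_counts(WORDS))
```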
  6. This talk was performed on 7 July 2017 at Camp++ 0x7e1, MKV downloads and presentation slides are available at https://camp.hsbp.org/2017/pp7e1/fahrplan/events/31.html
    1 point
  7. Disassembler and Runtime Analysis (or how IDA Pro has some difficulties when displaying correctly the assembly of the patched run-time whilst using a Graph view) Link: http://blog.talosintelligence.com/2017/10/disassembler-and-runtime-analysis.html
    1 point
  8. For us meat-eaters, our mouths water when we see what albastrel posted. For you vegans, when you see stadiums with turf, do your mouths water?
    1 point
  9. This is the first in a series of tutorials presenting various bash commands and shortcuts. The list of commands is below:

         sudo !!
     The command above runs the previous command as r00t.

         du | sort -gr > dimensiune_fisiere
     The command sorts file sizes in ascending order, then saves the results to "dimensiune_fisiere".

         echo La miezul noptii | at midnight
     The command above runs every time at midnight (echo can be replaced with any command).

         find . -type f | wc -l
     The command counts all the files in the current directory. It also counts the files located in subdirectories of the current directory.

         ps aux | sort -nk +4 | tail
     The command displays the top 10 processes by memory consumption (+4 represents the fourth column of the ps aux output). tail prints the last ten lines of a file to stdout. In our case these are the processes that consume the most memory.

         tar czv fisier folder1 fisier2 | ssh user@server tar zxv -C /destinatie
     The command above archives fisier, folder1 and fisier2 and writes them to stdout. The result is sent to the server over ssh, where it is extracted into the /destinatie directory on the server.

         nslookup rstforums.com | tee rst_dns.txt
     The tee command makes a copy of the standard output (stdout) of the nslookup command in the file rst_dns.txt.

         reset
     The command restores the session of a closed terminal.

         URL=rstforums.com && wget -rq --spider --force-html "https://$URL" && find $URL -type d > link-uri_rst.txt && rm -rf $URL
     The command above extracts all the links on the forum and then saves them to link-uri_rst.txt.

         watch -n 30 uptime
     With this command we can keep an ssh session alive (watch runs every 30 seconds; the connection is closed after a certain period of inactivity).

         ssh user@192.168.6.7 "ps aux | grep apache2"
     We can run a command on a server. The command above checks whether apache is running on 192.168.6.7.

         (cd /tmp && ls -la)
     With this command we can change into a directory, run a command, and then return to the initial directory.

         find /cale/catre/director -type f -print0 | xargs -0 rm
     The command above allows deleting the files in /cale/catre/director (the directories are kept).

         mkdir ~/Proiecte/proiect{1..3}
     The command above allows creating a large number of directories in a single command line. They will be named proiect1, proiect2, proiect3.

         du -s * | sort -n | tail
     The command above displays the ten largest files/directories in the current directory.

         whereis numecomanda
         which numecomanda
         locate numecomanda
     The commands above allow locating an executable.

         ssh -N -L2000:localhost:80 statieladistanta
     Creates an ssh tunnel between port 80 of a remote machine and port 2000 of the current machine (the one on which the command was run).

         echo "rm -rf /director-mare/nefolositor" | batch
     The command above deletes the directory if it occupies more than 80 percent of the capacity of the storage it resides on.

         ssh user@host cat /cale/catre/fisier/ladistanta | diff /cale/catre/fisier/local -
     The command above compares two files: one located on the local machine and the other on a remote machine.

         cat /etc/issue
     The command above displays the name of the current distribution.

         iptables -A INPUT -s 192.168.2.3/32 -j DROP
     The command above blocks connections coming from machines that have the following IPs: 192.168.2.xx.

         lspci -vv
     The command above displays all installed drivers.

         python -m SimpleHTTPServer   # Python 3: python3 -m http.server
     The command above creates an http server that can be accessed at http://$HOSTNAME:8000/

         lsof -i -n | grep ESTABLISHED
     The command above displays all active TCP connections.

         curl -I rstforums.com
     The command above fetches the forum's HTTP headers.
    1 point
  10. Does anyone happen to have a link to breviarvactiv?
    -1 points