Jump to content

u0m3

Active Members
  • Posts

    543
  • Joined

  • Last visited

  • Days Won

    25

Everything posted by u0m3

  1. The Encryptor Challenge-ul începe cu 2 fișiere: un executabil TheEncryptor.exe și un fișier binar encrypted.bin. Am început prin a rula executabilul, dintr-o consolă PowerShell, pentru a observa ce output generează. PS D:\tmp\ctf_rstcon_2020\reversing\the_encryptor> .\TheEncryptor.exe Enter a filename as an argument! PS D:\tmp\ctf_rstcon_2020\reversing\the_encryptor> .\TheEncryptor.exe .\dummy.txt TheEncryptor will begin encripting the file to "encrypted.bin"... Key generated: 2020-11-27-05 The source plaintext file, .\dummy.txt, is open. The destination file, encrypted.bin, is open. A cryptographic provider has been acquired. An md5 hash object has been created. The password has been added to the hash. An encryption key is derived from the password hash. Memory has been allocated for the buffer. File encrypted successfully! PS D:\tmp\ctf_rstcon_2020\reversing\the_encryptor> Observații: necesită un parametru - o cale către un fișier ce urmează a fi cryptat. întotdeauna scrie în fișierul encrypted.bin - ceea ce poate fi o problemă Pare să folosească o parolă bazată pe data curentă (YYYY-MM-DD-dayofweek); aceasta este „trecută” prin MD5, iar din acest hash este derivată cheia de criptare A urmat o perioada de analiză în x64dbg și Ghidra. Aici am pierdut o grămadă de vreme datorită unui comportament ciudat: dacă input-ul (conținutul fișierului de intrare) este un singur caracter, output-ul este de de 129 bytes. Dacă are cineva idee de ce... Metodologia mea de testare De asemenea nu a ajutat cu nimic că în timpul testelor am uitat să salvez după ce am modificat conținutul fișierului dummy.txt. În ciuda acestor greșeli, am determinat parametrii apelurilor către funcțiile criptografice ca fiind: CryptAcquireContextA ( &hProvider, NULL, MS_ENHANCED_PROV /* = "Microsoft Enhanced Cryptographic Provider v1.0" */, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT | CRYPT_NEWKEYSET ); CryptCreateHash ( hProvider, CALG_MD5, NULL, 0, &hHash ); CryptHashData ( hHash, &bData, dwDataLen, 0 ); CryptDeriveKey ( hProvider, CALG_RC4, hHash, 0x00800000 /* keyLen<<16 | dwFlags = 128 << 16 | 0 */, &hKey ); CryptEncrypt ( hKey, NULL, TRUE, 0, &bData, &dwDataLen, 1008 ) De aici avem aproape toate datele necesare pentru a decripta fișierul. Mai puțin parola. Așa că am scris un mic script python pentru a face bruteforce.
  2. Mesajul de pe retea - IV Challenge-ul începe cu un fișier text, ce conține o listă de prăjituri/dulciuri/deserturi. Sincer, aici am avut foarte mult noroc, deoarece după ceva vreme de holbat la conținutul fișierului, mi-am adus aminte că am citit undeva, în urmă cu mai bine de un an, despre un proiect de stenografie ce permitea exfiltrarea datelor sub forma unui tabel cu scoruri de meciuri dintre echipe... sau așa îmi aminteam eu. După o scurtă sesiune de „Google”, am găsit repozitory-ul proiectului: https://github.com/TryCatchHCF/Cloakify/. Fiindu-mi prea lene să îl instalez în adevăratul sens al cuvântului, am copiat ce am avut nevoie într-un script propriu, et voila:
  3. Mesajul de pe retea - III Challenge-ul începe cu un fișier zip. Acesta conține un singur fișier .txt, dar este protejat cu o parola din nefericire. Prima tentativă a fost un atac hashcat asupra parolei, dar acesta s-a dovedit ineficient. Ca atare sa ne îndreptăm atenția spre structura și fi conținutul fișierului zip (https://en.wikipedia.org/wiki/ZIP_(file_format)#Central_directory_file_header ca referință a formatului unui fișier zip). În descrierea challenge-ului suntem informați că nu vom descoperi flag-ul, ci vom descoperi o serie de bytes, a căror sumă sha256 constituie flag-ul. De asemenea, din analiza fișierului zip, putem observa că fișierul txt din interior conține doar 5 bytes, (cel mai probabil) insuficient pentru a conține un set de instrucțiuni. Ca atare putem presupune că acest fișier conține sursa hash-ului. Pe lângă dimensiunea fișierului txt, avem si suma crc32 a fișierului, înainte de compresie. Pornind de la unele premise putem scrie un mic script care sa execute un atac bruteforce asupra conținutului fișierului/sumei crc32:
  4. Abstract: Browsers are complicated enough to have attack surface beyond memory safety issues. This talk will look into injection flaws in the user interface of Mozilla Firefox, which is implemented in JS, HTML, and an XML-dialect called XUL. With an Cross-Site Scripting (XSS) in the user interface attackers can execute arbitrary code in the context of the main browser application process. This allows for cross-platform exploits of high reliability. The talk discusses past vulnerabilities and will also suggest mitigations that benefit Single Page Applications and other platforms that may suffer from DOM-based XSS, like Electron. Link: https://frederik-braun.com/firefox-ui-xss-leading-to-rce.html
  5. Link: https://github.com/EdOverflow/can-i-take-over-xyz Este un repository pe GitHub ce contine discutii/lista cu CDN-uri sau alte servicii de web hosting, susceptibile la sub-domain take-over.
  6. Synopsis: Blog series about Alex Matrosov and Alexandre Gazet joint Black Hat research "Breaking Through Another Side: Bypassing Firmware Security Boundaries from Embedded Controller" presented last week in Vegas. Link: https://medium.com/@matrosov/breaking-through-another-side-bypassing-firmware-security-boundaries-85807d3fe604 Via:
  7. Series Overview This series is intended for readers who are interested in reverse engineering, but have only opened a debugger a handful of times. If you have trouble with certain concepts of reverse engineering, tooling, disassembly or debugging then you’ve come to the right place. Starting from the ground up we’ll work our way to advanced topics that aid in automating the reversal process such as heuristic analysis using a disassembly engine, and return oriented programming. If you’re new it’s recommended you start from the first article and work your way through the series, as it’s meant to guide you through the intricacies of the architecture and operating system structures. This series does expect the reader to have prerequisite knowledge of a native programming language such as C, C++, Rust, etc. Native meaning compiled to a native machine language, as opposed to interpreted. I do not cover reverse engineering Java Byte Code. If you don’t have a background in a compiled programming language this series may be confusing and esoteric. Otherwise, you’re in good hands! This series is written for reverse engineering on a 64-bit Windows OS. Windows 10 will be the OS that the author is working in, and all examples will be relevant to Windows 10 and the Intel64/AMD64 architecture. You’ll certainly be able to take what you learn from this series and apply it to other architectures and operating systems, however, you’ll have to adapt to any changes present on those platforms. Also worth noting that I will address 64-bit Assembly in detail with a small subsection regarding 16-bit and 32-bit assembly to help solidify the readers understanding of x64 Assembly. All that being said, if you’re familiar with reverse engineering and interested in a specific topic then feel free to skip around, and visit the sections you find most interesting! It’s by no means linear, but if you’re starting out going in order will be much less confusing. Note: The documentation referenced will be the Intel and AMD SDM, among other books, articles, and blogs. I’ve decided for this series that, in order to reduce the length of my articles, I’m going to cover topics in their own separate post. They will be linked here so they’re easy to find from the main navigation bar on the left side of the site. Link: https://revers.engineering/applied-reverse-engineering-series/ Via:
  8. Description: Link: https://github.com/dowjones/hammer
  9. Oamenii acestia nu au "gandit in afara cutiei", ci "in afara sistemului solar"...
  10. Synopsis: A simple misconfiguration can lead to Stored XSS. Link: https://medium.com/@nahoragg/chaining-cache-poisoning-to-stored-xss-b910076bda4f
  11. Synopsis: In external and red team engagements, we often come across different forms of IP based blocking. This prevents things like password brute forcing, password spraying, API rate limiting, and other forms of IP blocking like web application firewalls (WAFs). IP blocking has always been a simple and common way of blocking potentially malicious traffic to a website. The general method of IP based blocking is to monitor for a certain type of request or behavior, and when it is found, disable access for the IP that the request or behavior came from. In this post, we walk through the need for and creation of a Burp Suite extension that we built in order to easily circumvent IP blocking. Source: https://rhinosecuritylabs.com/aws/bypassing-ip-based-blocking-aws/
  12. Ce propune domnul @kadytgv este deja pus in aplicare de anumiti indivizi (nu stiu cu ce grad de succes). Website: https://www.tracelabs.org/ Promo:
  13. Ca sa va distrati putin si sa va gadilati paranoia https://iknowwhatyoudownload.com/en/peer/ (nu functioneaza decat cu IPv4). Parerea mea (total neavizata si lipsita de orice urma de importanta), daca vrei neaparat sa nu ai probleme, inchiriezi un server intr-un datancenter ce este intr-o tara cu legislatie mai laxa din acest punct de vedere (ideal ar fi si sediul acelei firme sa fie tot intr-o astfel de tara), si tii acolo clientul de torrents. Iar de acolo le iei prin ssh (scp/sftp). Daca ceea ce am prezentat mai sus suna prea complicat, o alta sugestie ar fi sa: dezactivezi din clientul de torrent orice metoda de a descoperi peers/seeds in afara tracker-ului activezi doar conexiuni securizate/criptate (desi nu sunt sigur ce impact ar avea asupra disponibilitatii seeds/peers) DISCLAIMER: Sunt Roman. Desi (probabil) nu stiu stiu despre ce e vorba, eu am o opinie puternica, si sunt sigur ca opinia mea e adevarul absolut, iar telul meu in viata, dat de la Ceruri, este sa conving restul lumii de adevarul meu.
  14. Synopsis: Following the wrong link could allow remote attackers to control your WiFi router, Google Home, Roku, Sonos speakers, home thermostats and more. Link: https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 Stiu ca e destul de "fumat" subiectul, dar mi s-a parut interesant articolul.
  15. Link: https://github.com/Kevin-Robertson/InveighZero Source:
  16. Title: Analysing RPC With Ghidra and Neo4j Synopsis: Hunting for new lateral movement techniques or interesting ways to execute code can be a nice way to sink some free time. With Windows spawning numerous RPC services on boot, finding unusual execution techniques is sometimes as simple as scratching just below the surface. And often the payoff far outweighs the time to discovery, with SOC or EDR vendors focusing on the more common published techniques, identifying a new way to introduce code execution on a host can throw a spanner in the works of the investigating team. In previous posts I've tried to look at different ways to mix up common attack signatures. Since working on posts exploring Mimikatz and lsass internals, I've had a few requests for information on how the demonstrated lsass DLL loading techniques were found, and how it may be possible to identify others. So in this post I wanted to present a workflow which I have found to be a useful when looking at Windows RPC method internals, and walk through some of the techniques I've used to minimise the grinding required to hunt for interesting vectors. Source: https://blog.xpnsec.com/analysing-rpc-with-ghidra-neo4j/ Via:
  17. u0m3

    Fun stuff

    Asta e o postare in stilul Times New Roman, nu? Ca daca e realitatea... e vai de noi.
  18. Synopsis: Event log (evtx) parser with standardized CSV, XML, and json output! Custom maps, locked file support, and more! Source: https://ericzimmerman.github.io/#!index.md Blog Post: https://binaryforay.blogspot.com/2019/04/introducing-evtxecmd.html?view=sidebar Demo Video:
  19. Si, daca nu sunt prea indiscret, de ce 2?
  20. Intreb asa, de curiozitate: Ce ai incercat? Ai citit cursurile? Ai cautat pe Google/DuckDuckGo/Bing/<alte_nume_de_motoare_de_cautare_aici>? Pentru ce varianta de SQL ar trebui implementat (PostgreSQL, MySQL, MSSQL, Oracle, etc)?
  21. u0m3

    GTFOBins

    Si omologul pentru Windows https://lolbas-project.github.io/
  22. La ce nivel au ajuns unii... Sa reproduci instructiuni prin mov...
×
×
  • Create New...