SANS Holiday Hack 2016

It all starts on https://holidayhackchallenge.com/2016/ – where we’re shown Santa Claus’s business card, told the story, and asked to solve some questions/challenges.

Part 1: A Most Curious Business Card

1) What is the secret message in Santa’s tweets?
2) What is inside the ZIP file distributed by Santa’s team?

We’re told to look at Santa’s business card, and enter the game, then answer the questions:


Read More

MIPSEL reverse engineering in Docker

While I’m not much of a reverse engineer myself, there have been times when I’ve needed to poke at a MIPSEL binary – be it for a hacking challenge or just some firmware I’m looking at – and while there are tools to identify and reverse engineer these binaries on a different host architecture, sometimes it really helps to be able to run and watch the files more natively.

Read More

BSides 2016 NES Game

For our 2016 BSides Cape Town information security conference I made an 8-bit NES game as a challenge – inspired by the amazing challenge @s4gi_ put together for ZaCon 2015 (featuring Leisure Suit Larry of old “quest game” infamy) and the incredible DEF CON challenges 1o57 comes up with (though a little more specifically his “how to build a processor in 10 minutes or less” talk I got to attend at this year’s DEF CON). I wanted to do something game related and retro – not just something in “retro style”, something actually retro – and I decided on the Nintendo NES.

Needless to say I learnt a LOT in the process, and have a lot more respect for the game developers of the ’80s for the quirky, limited hardware they were coding for. There are some great tutorials and videos about the NES hardware that I found on this journey that I’ll hopefully blog about soon.

The .nes ROM can be downloaded here and the source code is available on GitHub.

Read More

NodeJS Tips and Tricks

Some tips and tricks when coding NodeJS:

(Caution: highly opinionated thoughts follow)

  • keep code tidy with “jscs” (decide on a style guide and find or make a jscs template for it) and “jshint” or “eslint”
  • use “slow-deps” to find out which packages are slowing down your “npm install” (possibly “jscs” – consider installing it globally) – more info on “slow-deps”
  • lock down your package versions, and their dependencies’ versions, with “shrinkwrap” (this is good for stability and security!)
  • scan your dependencies regularly for security issues, using tools like “snyk” (pronounced “sneak”) or “nsp” – I made a docker image for this
  • “vax” will help with some other security stuff – run it
  • “you can’t manage what you don’t monitor”… run a “statsd” server to gather metrics on events, actions and durations in your app – I made a docker image to help with this during development
  • improve console debug/output/start-up output with “cli-tables” and “colors” – personally I like to (programmatically) print out all of the endpoints an application exposes… which saves on external documentation
  • “expressjs” is popular, but “restify” lets you add all kinds of extra metadata on to your routes which you can then act on (easier permission handling, debug data output, etc)
  • make use of “sinon”’s “sandbox” functionality to easily stub and reset object properties and methods (for testing in isolation) – and “istanbul” makes code coverage easy
  • restrict and validate data with “joi” – note: it does not prevent SQL Injection or HTML characters in strings, that’s on you (take a look at “striptags” and “xss”)
  • update your packages more easily with “npm-check” (run with “-Ue”)
  • “pnpm” attempts to speed up “npm install” by downloading in parallel, but I had some issues (seemingly race conditions) – might be worth keeping an eye on and trying
  • be aware of some of the unicode issues: https://www.youtube.com/watch?v=qFfjJ8pOrWY

On NPM, left-pad, and Azer Koçulu’s modules

My working day today started with the drama of 273 node modules being removed from a public repository everyone uses, with one module in particular – “left-pad” – breaking a surprisingly large number of other modules. Talk about a great disturbance in the Force, as if millions of voices suddenly cried out in terror, and were suddenly silenced.

The author of the module posted the reason for his actions: https://medium.com/@azerbike/i-ve-just-liberated-my-modules-9045c06be67c#.xp2dkmk69 and while I mostly agree with him, I do wish the impact weren’t quite so large. A list of the modules he removed was also posted: https://gist.githubusercontent.com/azer/db27417ee84b5f34a6ea/raw/50ab7ef26dbde2d4ea52318a3590af78b2a21162/gistfile1.txt

Apart from breaking application deployments and causing inconvenience, there’s also the very real risk of malicious code being pushed up to the NPM repository under the names of these removed modules, so I did some digging…

Several people have already registered some of the module names on the NPM repository, hopefully to replace the modules with their previous version or to prevent people from doing something malicious as mentioned above (username: number of names registered):

hypnza: 1
ccbikai: 1
westlac: 1
strml: 1
msanford: 1
ehsalazar: 2
hassoncs: 2
iclanzan: 5
backup: 5
kazmer: 8
case: 8
nj48: 238
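As an added example (not code from the original post), a small Node script that walks a shrinkwrap-style dependency tree and flags every pinned package whose name is on a removed-modules list, so a re-registered package of the same name can’t slip into a build unnoticed. Apart from “left-pad”, the module names and the shrinkwrap document are constructed sample data, and the nested `dependencies` shape of `npm-shrinkwrap.json` (v1) is assumed.

```javascript
// Added example, not from the original post. Constructed sample data:
// a few names standing in for the removed-modules list.
const REMOVED_MODULES = new Set(['left-pad', 'sample-removed-a', 'sample-removed-b']);

// Constructed sample shrinkwrap document (nested shape assumed to match
// npm-shrinkwrap.json v1, where transitive deps nest under `dependencies`).
const SAMPLE_SHRINKWRAP = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    'sample-app-dep': {
      version: '0.2.0',
      dependencies: {
        'left-pad': { version: '0.0.3' }   // pulled in transitively
      }
    },
    'sample-removed-b': { version: '1.2.3' }, // pulled in directly
    'some-other-pkg': { version: '4.0.0' }
  }
};

// Recursively collect {name, version, path} for every dependency whose
// name is in `removed`. `path` records the chain that pulls the package in,
// so you know which top-level dependency to pin, vendor or replace.
function findRemovedDeps(shrinkwrap, removed, trail = [], hits = []) {
  const deps = shrinkwrap.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    const path = trail.concat(name);
    if (removed.has(name)) {
      hits.push({ name, version: info.version, path: path.join(' > ') });
    }
    findRemovedDeps(info, removed, path, hits);
  }
  return hits;
}

// Same check against a real shrinkwrap file on disk (hypothetical helper).
function auditShrinkwrapFile(filePath, removed = REMOVED_MODULES) {
  const fs = require('fs');
  return findRemovedDeps(JSON.parse(fs.readFileSync(filePath, 'utf8')), removed);
}

for (const f of findRemovedDeps(SAMPLE_SHRINKWRAP, REMOVED_MODULES)) {
  console.log(`pinned ${f.name}@${f.version} via ${f.path}`);
}
```

A package that is merely pinned in the lockfile is not proof of tampering; the finding tells you which pins to compare against the tarball hashes you originally installed.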

Read More

Adventures in “aircrack” with cheap wifi dongles

I recently bought 3 cheap’ish wifi dongles and wanted to see how they’d do with “aircrack” in Kali Linux. I had difficulty getting any of them to work in Kali Linux 2.0 so this blog post contains Kali Linux 1.0 instructions.

  1. 150Mbps High Speed USB Wireless Wifi 802.11n
    Chipset: Realtek 8179 (R8188EU)
    Drivers: https://github.com/lwfinger/rtl8188eu
    Instructions:

    # none – monitor mode doesn’t work 🙁

Read More

American Fuzzy Lop (fuzzer)

I’ve been a fan of lcamtuf for years and recently came across an awesome project of his named “american fuzzy lop”. The basic idea is that it fuzzes input files for the target application, monitoring the execution paths taken – or more importantly the crashes detected. Rather than just brute-forcing and hoping for results, it ends up navigating different logic paths in the app (eg: after generating a valid image header).

Read More

Huawei MediaPad T1 Tablet

I recently bought a Huawei MediaPad T1 8″ tablet (for a real bargain, thanks to Hot SA Deals). I’m not much of an Android fan, and really hate how manufacturers push their own user interface (usually degrading the experience further), but I must say I’m rather impressed with this device. Although it has Huawei’s “UI Emotion” interface and a few custom system apps, it really is pretty good. This device is also known as the “Huawei Honor T1”.

Because of the special I bought it on, mine came with a bunch of bloatware that I wanted to get off – and it wasn’t (immediately) rootable. Both of these problems were fairly easy to solve thanks to this forum post. The process is straightforward (assuming you have an “S8-701u” device):

NOTE: This will wipe your device and all data + settings… so make sure you backup anything you want to keep!

  1. Download the official Russian firmware from here (yes, that’s right, Russian)
  2. Extract the zip file, and copy the “dload” folder (buried in some other folders, that will be extracted) to an SD card, then insert it in to the tablet
  3. Power off the tablet, then hold down the “volume down” button and turn it on – release all buttons when the Huawei logo start screen shows
  4. The firmware should start installing and will take a while – you should see a progress bar on the screen. You’ll be prompted to remove the SD card when it’s complete (the device should reboot automatically, and may show the Huawei logo screen for a while during startup)
  5. Once the tablet boots, use the language selector at the top of setup wizard screen to select the desired language (assuming you don’t want Russian)
  6. To root it, head over to TowelRoot.com, click the lambda (image) and choose to open with “Browser” (not Chrome), then run the “.apk” once it’s downloaded
  7. Click the “make it ra1n” button in the app and it should do the rest
  8. Download “Super SU” from the Google Play store (and a “root checker” if need be)

That should be it – worked for me! 🙂


Bonus: my device came with two saved wireless access points (“Arbalest” and “Darknet2”) which seem to belong to the reseller and partner that put all the bloatware on my device… getting the passwords to these access points (prior to changing the firmware) was just a matter of running the pre-installed “Backup” app and saving to SD card, then grabbing the config file from the .zip backup on my PC 😉 Now to find out where those access points are located…

Time-based “Blind Command Injection” Un-blinding

While blind command injection web vulnerabilities are incredibly useful, there’s no reason we shouldn’t make them un-blind. By chaining slow-running commands to useful commands we can enumerate (or brute-force) data – such as filenames, paths or strings – similar to what’s done in blind SQL Injection attacks: Blind_SQL_Injection#Time-based.

Consider the following chained commands:

ls -l a* && ping -c 10 127.0.0.1

Read More

VirtualBox tips and tricks

I’ve recently built a rather large VM collection of different operating systems (mostly versions of Windows) using VirtualBox, and here are a few things I learnt along the way. Admittedly these are more aimed at running Windows as your host machine.

1. Shrinking disk images:

While “.vmdk” disk image files may be more compatible with other virtualization software (eg: VMWare), “.vdi” files can be shrunk to reduce the space used on your host drive. After regular use, or system upgrades, your dynamically expanding disk can end up using more space than necessary, so here’s how to reduce it:

Read More