poniedziałek, 26 grudnia 2016

Automated scans with OpenVAS and Kali

I was wondering if we can run (some kind of ) an “automated scan”, out-of-the-box in Kali Linux. Version I used was updated to the latest one (for 26.12.2016, so 2.0). Here we go...

niedziela, 27 listopada 2016

Crontab with iptables

I created a small code in bash to check for any new requests in Apache's logs. Found IP(s) will be blocked by iptables.

sobota, 26 listopada 2016

Basics of ARM/MIPS malware analysis

On one of my honeypot's I found an interesting log line, related to some URL-encoding. I was wondering what's there if I will be able to decode that GET...

Windows logs in PowerShell

I was wondering if anyone of you remember the zap2.c :) I couldn't find "zap2.c for Windows" so I was wondering if I can do something like that... in PowerShell... in Windows... ;) This is what I found:

wtorek, 8 listopada 2016

Playing Winamp

After a while when I started to fuzz Winamp (again), I found my old directory with some (about ~300 files) results, all ready to ‘check them later’… so I think ‘now’ is a good time to do it. Let’s get to work.


sobota, 29 października 2016

HTTP Server fuzzing with Burp


In the middle of time I was working on some HTTP server fuzzer created in python. I was wondering if I can get similar results when I will use only Burp proxy. Below example results.


poniedziałek, 24 października 2016

niedziela, 23 października 2016

Playing Assasin's APK

In the middle of time I was checking some sample malwares from excellent Contagio’s Blog.  This time I decided to get back to APK files. Below you will find small analysis of Assassins_Creed.apk.


Playing with Contagio



(Still) during my „little break”, I found some directory on my disk with few samples from excellent Contagio’s Blog. I decide to check few of them, this time related to web attacks. 

Testing Meld vs PlumeCMS



TL;DR – check Meld for diffing source code. I think you will like it ;)

Crash gdb in Kali


Couple of few days ago I tried to finish one cool CTF (writeup will be here as soon as I will finally finish it;)). Because I had some troubles with that, I decide to take a ‘little break’ and move to “something else”, which was… debug in Linux. ;)



niedziela, 11 września 2016

sobota, 10 września 2016

Local resource enumeration via XSS

Probably you all already know how to "Hack Intranet Websites from the Outside" (if not, google for Jeremiah Grossman and RSnake - you can start here - and read about some attacks from 2006 and 2007). ;) There you will find similar usage of JavaScript as you can find below:

DVL Warmup poc

Yesterday I was playing with an old ISO called Dam Vulnerable Linux. If you're learning some binary exploitation, a nice 'warmup exercise' can be found here:

poniedziałek, 5 września 2016

Bitbot CTF


In the middle of the other activities and projects, I decide to sit down for a while and check another CTF. This time I decided to try Bitbot. Found again on VulnHub – thank you guys. Also big thanks for the author (bwall) for preparing this game! So… Let’s get to work.

poniedziałek, 22 sierpnia 2016

sobota, 20 sierpnia 2016

joomlash - new test in grabash.py

During couple of last few days I had a chance to check grabash code again. I am aware that this is still not even 'first' final version ;) so there is always something 'todo' or to fix to get better results from the scan. So, yeah, any feedback is welcome.

wtorek, 16 sierpnia 2016

Axis2 LFI module for CTF

Few weeks ago I tried to solve Axis2 CTF from VulnHub. It was a lot of fun. As far as there is a grabash, I decided to create small module for Metasploit to exploit LFI bug in that virtual machine...

piątek, 29 lipca 2016

piątek, 22 lipca 2016

bikoz.py



Couple of days ago I decided to write some “small script in Bash” to automate a little bit the work related to (so called) “information gathering” during the pentests. I decided to choose Bash because I’m working with it, most of time during the day anyway, so…

czwartek, 14 lipca 2016

Irfan View - Crash - WMA heap crash

WMA crash found 09.04.2016 during IrfaView fuzzing... Details below:


Irfan View - Crash - TIFF case

TIFF crash found 09.04.2016 during IrfaView fuzzing... Details below:


Irfan View - Crash - ANI poc

ANI crash found 09.04.2016 during IrfaView fuzzing...


Irfan View - Heap Crash (TIF)

Crash during TIF preview... Details and poc below.



Irfan View - Crash @MSCTF!TF_CheckThreadInputIdle

I found a crash in IrfanView. The most interesting for me this time was unpacking original i_view32.exe to new exec (1,5MB). Details of the crash you will find below.


niedziela, 5 czerwca 2016

NULL Pointer Dereference in MS Publisher 2010

MS Publisher 2010 - NULL_CLASS_PTR_DEREFERENCE

-----------------------------------------------------------------------
 Found : 04.06.2016
-----------------------------------------------------------------------
Open your Windbg and run MSPUB.exe. Attach debuger to Publisher.
Ctrl+S to check the symbols, and here we go:
dbg> srv*c:\symbols*http://msdn.microsoft.com/download/symbols


piątek, 27 maja 2016

IE8 Divided by zero

Internet Explorer 8 is prone to remote denial-of-service. Below the poc and few details:


MS Office 2010 - DoS in Publisher - #3

Publisher (from MS Office 2010) is (again) prone to a remote denial-of-service vulnerability.

Attackers can exploit this issue to crash the affected application.
-------------------------------------------------------------------------------------------
Found  by : code16@26.05.2016


czwartek, 26 maja 2016

Few pocs for IE8

I assume that this is probably useles now so for education purpose only, you will find few
proof-of-concepts (described by !analyze as "not", "probably" and "exploitable") below:


MS Office 2010 - DoS in Publisher - #2

(AFAIK it's already published but without details.)

Below again a little bit more and poc:

MS Office 2010 - DoS in Publisher

Publisher (from MS Office 2010) is prone to a remote denial-of-service vulnerability.

Attackers can exploit this issue to crash the affected application.
-------------------------------------------------------------------------------------------
Found  by : code16@07.05.2016

wtorek, 24 maja 2016

Crackme #2 by Pride

Cool crackme by Pride from crackmes.de:
 

CrackMe #1 by DiABLO

Cool crackme by DiABLO - thanks - you can find it here.


Crackme by qHF's Unique Code CrackMe

This one was interesting... :) As always I found it on crackmes.de:


Crackme by Am0k

Hey, another crackme solved. This time I was checking Am0kCM_2.zip from crackmes.de:





Crackme N.3 by COSTY

Another cool crackme for beginners, this time from C/C++ section from crackmes.de.


KeygenMe v1 by Ollie

I found this app on crackmes.de. Idea was to write a keygen but I've done it in other way:

niedziela, 22 maja 2016

Seattle v0.3 CTF writeup

You should check the Seattle v0.3 CTF - it is another great VM this time from GracefulSecurity.
(I found it few weeks ago on vulnhub.com and now it was a time to do it.) It was again great
pleasure and a lot of fun. Thanks!

So, after quick nmap...

sobota, 21 maja 2016

Pentester Lab CTF - Axis2 and Tomcat Manager

Here we have another one (I believe already solved) CTF from VulnHub. I had a pleasure to check it during one internal CTF prepared for the meeting with the new customer. Below you'll find a quick writeup:

Prepare the VM and run nmap against it:


Pentester Lab CTF - Web For Pentester

Another cool VM from Pentester Lab called "Web For Pentester". Just like before, you can find the ISO on vulnhub.com. Let's find out what we can do with this one. Prepare VM and let's get to work.

As always, let's scan it first to see if there is an interesting service(s) running:


Pentester Lab CTF - From SQLi to PostgreSQL shell

If you're looking for cool CTF's that you can play offline (or during the travel) this site is definitely for you. :) Today we will try if there is a way to get shell on the VM box prepared by Pentester Lab.
Thanks for preparing this!

Run and go
VM is ready, running, so let's scan it:


Crackme by BioHazard

Hey. Another nice crackme was released by BioHazard. You can as always find it here.

To be honest this was a little surprise. I was wondering by there is still an error, and that's how I found...



Crackme by TcN30

Ok, here we'll solve another simple crackme from this site. This one is prepared by TcN30 (thanks!) and is called "password_vb.exe". Let's do it:

Crackme by The Rapture - FishME

During my last visit on www.crackmes.de I found 'few' .NET crackmes to do. I decide to check them (starting from few basics) and describe them here as a small analyze (as well as a memo for me). That's how I found crackme by Rapture (thanks!)

Idea was to get the serial. Unfortunately the serial was hardcoded inside the app so quick journey with .NET Reflector, and you will find it:




Cool. Next time we will try something else...