I decided that this post could be summed up pretty quickly with just a few pictures, so I’m doing it in more of a blurb format than a blog post :)

The challenge:

Selection_004

This was to allow some wiggle room for teams solving the same challenges.

 

geoSelection_005

Loved this challenge, was a lot of fun brainstorming ideas!


Pharming my blog readers (sorry about that)


Sorry guys, CTF fever!


Luring people to my blog via Reddit posts and false Pastebin(s)

geoSelection_003

Selection_001

 

Creating a script to use all international TOR exit nodes

 

Tmux is the best thing since sliced bread

Mild amounts of proxy scraping

Pretty fruitless attempt sadly (already had many countries at this point)

Making my forum signature image the “secret” link

geoSelection_006

(This works because the browser still does an automatic GET request for images, regardless of whether or not they are actually a proper image format). I ended up stirring up an international thread on the forum I used just to obtain more obscure country flags 😉

Again, sorry about farming you guys for flag points, but there was no malware or anything – just a small bit of JSON!

Till next time,

-mandatory

So I was screwing around with Android app hacking and I figured the Snapchat App for Android would be a cool read. While I was originally more interested in reversing the app and making a script to automate Snapchat it turns out someone has already done it: https://github.com/dstelljes/php-snapchat

Dang it!

The process was not a complete waste however, as I stumbled upon something very weird…

Note: To get this source for yourself you’ll need to get the Snapchat APK. Then use dex2jar to create a .jar file; now you can use a Java decompiler to view the source (in Java). This is possible because Java compiles into bytecode (an intermediate language) and not into machine code.

If you check under the “ui” package:

Selection_024

You’ll notice this:

Selection_023

 

Here is the weird code I’ve found:

package com.snapchat.android.ui;

import android.content.Context;
import android.content.SharedPreferences;
import android.content.SharedPreferences.Editor;
import android.os.Build.VERSION;
import android.preference.PreferenceManager;
import android.view.MotionEvent;
import com.WazaBe.HoloEverywhere.widget.Toast;
import com.snapchat.android.util.ApiHelper;

public class PressureCooker
{
  private static final float MAX_OUTPUT = 40.0F;
  private static final float MIN_OUTPUT;
  private Context mContext;
  private CropProcessor mPressureProcessor;
  private LowpassProcessor mSizeProcessor;

  public PressureCooker(Context paramContext)
  {
    this.mContext = paramContext;
    SharedPreferences localSharedPreferences = PreferenceManager.getDefaultSharedPreferences(paramContext);
    this.mPressureProcessor = new CropProcessor(localSharedPreferences.getFloat("HISTORICAL_LOW_PRESSURE", (0.0F / 0.0F)), localSharedPreferences.getFloat("HISTORICAL_HIGH_PRESSURE", (0.0F / 0.0F)));
    this.mSizeProcessor = new LowpassProcessor(localSharedPreferences.getFloat("HISTORICAL_LOW_SIZE", (0.0F / 0.0F)), localSharedPreferences.getFloat("HISTORICAL_HIGH_SIZE", (0.0F / 0.0F)));
  }

  private float lerp(float paramFloat1, float paramFloat2, float paramFloat3)
  {
    return paramFloat1 * (1.0F - paramFloat3) + paramFloat3 * paramFloat2;
  }

  public float getFiltered(MotionEvent paramMotionEvent)
  {
    if ((Build.VERSION.SDK_INT >= 14) && (paramMotionEvent.getToolType(0) == 2));
    for (float f = this.mPressureProcessor.getFiltered(paramMotionEvent.getPressure()); ; f = this.mSizeProcessor.getFiltered(paramMotionEvent.getSize()))
      return lerp(0.0F, 40.0F, f * (f * f));
  }

  public float getHistoricalFiltered(MotionEvent paramMotionEvent, int paramInt)
  {
    if ((Build.VERSION.SDK_INT >= 14) && (paramMotionEvent.getToolType(0) == 2));
    for (float f = this.mPressureProcessor.getFiltered(paramMotionEvent.getHistoricalPressure(paramInt)); ; f = this.mSizeProcessor.getFiltered(paramMotionEvent.getHistoricalSize(paramInt)))
      return lerp(0.0F, 40.0F, f * (f * f));
  }

  public void onPause()
  {
    SharedPreferences.Editor localEditor = PreferenceManager.getDefaultSharedPreferences(this.mContext).edit();
    localEditor.putFloat("HISTORICAL_LOW_PRESSURE", this.mPressureProcessor.mLowestInput);
    localEditor.putFloat("HISTORICAL_HIGH_PRESSURE", this.mPressureProcessor.mHighestInput);
    localEditor.putFloat("HISTORICAL_LOW_SIZE", this.mSizeProcessor.mLowestInput);
    localEditor.putFloat("HISTORICAL_HIGH_SIZE", this.mSizeProcessor.mHighestInput);
    ApiHelper.safeSharedPreferencesSave(localEditor);
  }

  public void resetLowPassFilter()
  {
    LowpassProcessor.access$002(this.mSizeProcessor, (0.0F / 0.0F));
  }

  private class CropProcessor
  {
    private static final float DEFAULT_VALUE = 0.01F;
    private static final int INITIALIZATION_SAMPLES = 400;
    public float mHighestInput;
    public float mLowestInput;
    private int mNeededSamples;

    public CropProcessor(float paramFloat1, float arg3)
    {
      this.mLowestInput = paramFloat1;
      Object localObject;
      this.mHighestInput = localObject;
      this.mNeededSamples = 0;
    }

    public float getFiltered(float paramFloat)
    {
      if ((this.mLowestInput != this.mLowestInput) || (this.mHighestInput != this.mHighestInput))
      {
        this.mLowestInput = paramFloat;
        this.mHighestInput = paramFloat;
        this.mNeededSamples = 400;
        Toast.makeText(PressureCooker.this.mContext, 2131624111, 1).show();
      }
      float f1;
      if (paramFloat < this.mLowestInput)
      {
        this.mLowestInput = paramFloat;
        f1 = (paramFloat - this.mLowestInput) / (this.mHighestInput - this.mLowestInput);
        if (f1 <= 1.0F)
          break label152;
        f1 = 1.0F;
      }
      while (true)
      {
        if (this.mNeededSamples > 0)
        {
          this.mNeededSamples = (-1 + this.mNeededSamples);
          float f2 = this.mNeededSamples / 400.0F;
          f1 = 0.01F * f2 + f1 * (1.0F - f2);
        }
        return f1;
        if (paramFloat <= this.mHighestInput)
          break;
        this.mHighestInput = paramFloat;
        break;
        label152: if (f1 < 0.0F)
          f1 = 0.0F;
      }
    }
  }

  private class LowpassProcessor extends PressureCooker.CropProcessor
  {
    private static final float LOWPASS_RATE = 0.1F;
    private float mOldVal = (0.0F / 0.0F);

    public LowpassProcessor(float paramFloat1, float arg3)
    {
      super(paramFloat1, localObject);
    }

    public float getFiltered(float paramFloat)
    {
      if (this.mOldVal != this.mOldVal)
        this.mOldVal = paramFloat;
      for (float f = this.mOldVal; ; f = this.mOldVal)
      {
        return super.getFiltered(f);
        this.mOldVal = (0.9F * this.mOldVal + 0.1F * paramFloat);
      }
    }
  }
}

To make things even more weird, it’s not referenced or used anywhere!

Seriously. It’s just a random class that’s never actually used anywhere:

Not sure what to think about this, I’ve put it here to see if anyone else reverses the Snapchat app and Googles this code ;). If you are reversing the code and have more info please let me know in the comments or personally as I’m interested as to why this is here at all.
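Decompilers such as JD-GUI turn compiled conditionals into the odd `for (...; ; ...) { return ...; }` shapes seen above, which hides what the class actually computes. The following is an added Python reconstruction of what PressureCooker and its two inner classes appear to do; it is not Snapchat’s code, the Android pieces (Context, MotionEvent, SharedPreferences, the Toast) are replaced with plain values, and the preference key names are taken from the decompile while everything else about the environment is assumed. Two idioms worth knowing when reading output like this: `(0.0F / 0.0F)` is how the decompiler renders `Float.NaN`, and `x != x` is the standard “is x NaN?” test, since NaN is the only float value that is not equal to itself.

```python
import math

# Added reconstruction (not Snapchat's code) of the decompiled PressureCooker logic.
NAN = float("nan")
MAX_OUTPUT = 40.0            # PressureCooker.MAX_OUTPUT
DEFAULT_VALUE = 0.01         # CropProcessor.DEFAULT_VALUE
INITIALIZATION_SAMPLES = 400 # CropProcessor.INITIALIZATION_SAMPLES
LOWPASS_RATE = 0.1           # LowpassProcessor.LOWPASS_RATE
STYLUS_TOOL_TYPE = 2         # the tool type compared against in getFiltered()


def java_fdiv(a: float, b: float) -> float:
    """Float division with Java semantics: 0/0 is NaN and x/0 is +-inf (Python would raise)."""
    if b == 0.0:
        if a == 0.0 or math.isnan(a):
            return NAN
        return math.copysign(math.inf, math.copysign(1.0, a) * math.copysign(1.0, b))
    return a / b


def lerp(a: float, b: float, t: float) -> float:
    return a * (1.0 - t) + t * b


class CropProcessor:
    """Normalises a raw sensor value into [0, 1] relative to the lowest/highest value seen."""

    def __init__(self, lowest: float = NAN, highest: float = NAN):
        self.lowest = lowest        # mLowestInput, NaN until the first sample
        self.highest = highest      # mHighestInput
        self.needed_samples = 0     # mNeededSamples

    def get_filtered(self, value: float) -> float:
        if math.isnan(self.lowest) or math.isnan(self.highest):
            # No persisted range yet: seed it with this sample and start a warm-up
            # period (this is where the Java shows a Toast, resource id 2131624111).
            self.lowest = self.highest = value
            self.needed_samples = INITIALIZATION_SAMPLES
        if value < self.lowest:
            self.lowest = value
        elif value > self.highest:
            self.highest = value
        # Position of the value inside the observed range, clamped to [0, 1].
        # On the very first sample the range is empty, so this is 0/0 = NaN, and
        # the clamp leaves NaN alone because both comparisons are false.
        f = java_fdiv(value - self.lowest, self.highest - self.lowest)
        if f > 1.0:
            f = 1.0
        elif f < 0.0:
            f = 0.0
        if self.needed_samples > 0:
            # During warm-up, blend toward DEFAULT_VALUE so early outliers don't dominate.
            self.needed_samples -= 1
            w = self.needed_samples / INITIALIZATION_SAMPLES
            f = DEFAULT_VALUE * w + f * (1.0 - w)
        return f


class LowpassProcessor(CropProcessor):
    """Exponential low-pass smoothing in front of the same crop/normalise step."""

    def __init__(self, lowest: float = NAN, highest: float = NAN):
        super().__init__(lowest, highest)
        self.old_val = NAN          # mOldVal

    def get_filtered(self, value: float) -> float:
        if math.isnan(self.old_val):
            self.old_val = value    # first sample after construction or reset
        else:
            self.old_val = (1.0 - LOWPASS_RATE) * self.old_val + LOWPASS_RATE * value
        return super().get_filtered(self.old_val)

    def reset(self) -> None:
        """What resetLowPassFilter() does through the synthetic access$002 setter."""
        self.old_val = NAN


class PressureCooker:
    """Uses pressure for a stylus and touch size otherwise, then maps [0, 1] onto 0..40 cubically."""

    def __init__(self, prefs=None):
        prefs = prefs or {}         # stands in for SharedPreferences
        self.pressure = CropProcessor(prefs.get("HISTORICAL_LOW_PRESSURE", NAN),
                                      prefs.get("HISTORICAL_HIGH_PRESSURE", NAN))
        self.size = LowpassProcessor(prefs.get("HISTORICAL_LOW_SIZE", NAN),
                                     prefs.get("HISTORICAL_HIGH_SIZE", NAN))

    def get_filtered(self, pressure: float, size: float, tool_type: int, sdk_int: int = 14) -> float:
        if sdk_int >= 14 and tool_type == STYLUS_TOOL_TYPE:
            f = self.pressure.get_filtered(pressure)
        else:
            f = self.size.get_filtered(size)
        return lerp(0.0, MAX_OUTPUT, f * (f * f))   # cubic response curve
```

Rewriting a decompiled class this way is a quick sanity check on the decompiler: once the control flow is untangled it is plainly a brush-width curve driven by stylus pressure or finger size, with the observed range persisted across runs, which makes its presence in an otherwise unrelated, unused package all the stranger.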

Until next time,

-mandatory

So I recently had a good idea (probably in the shower).

One of the biggest issues when trying to penetrate a network is getting past the perimeter. The outside is almost always the most protected part, and if you had an internal user hacked you’d be well on your way to full compromise.

The normal idea here is usually to utilize spear phishing or attempt to get a user to click a link to a browser autopwn page, etc. Sadly, most people aren’t too keen on clicking random links they get in emails.

I started to think what email links do I click on? More specifically what links do I click on from users I don’t already know?

Spam.

Yes, spam, and you probably do as well. I’m not talking Viagra ads, I’m talking the newsletters I’ve been signed up for (that I clearly never signed up for). Having a popular email address (mandatory et gmail) I often get subscribed to a lot of random newsletters. What do you do when you get a lot of newsletters? You click the unsubscribe link. Usually it’s just one click and you’re unsubscribed, so why wouldn’t you click it?

I hate all you people who use “mandatory” as fake email address.

The idea is literally to spam your users with newsletter emails; eventually they will get fed up with them and click the unsubscribe link. Even better, you don’t have to pretend to be anyone they trust, so there is no research that needs to be done. Just spam and wait for them to unsubscribe.

Some issues with this method:

  • Gmail users might just filter your emails straight to spam (just make more newsletters mwuahaha)
  • Creating newsletters that look legit (I’d personally just clone another newsletter)
  • Admins will quickly start marking your emails as spam
  • Cat facts are not a viable newsletter anymore

Personally I think it’d be a lot more effective if you made the unsubscribe link large/noticeable. It’d be even better if you actually didn’t stop sending them the newsletters – forcing non-techy users to forward the emails to the IT guys.

I think you see where this is going…

Even further if you made the newsletters embarrassing it might make the users even more inclined to click the unsubscribe link (porn sites/dating sites/etc). Other ideas I had include making the unsubscribe link an email and perhaps force users to display images so you can get their IP, etc. Perhaps even having an email that says to reply to the email with an unsubscribe link for simple email client fingerprinting…

To end, I’m surprised I haven’t read about this idea before! It seems so simple :)

TL;DR: Spam, Click, Pwn

Till next time,

-mandatory

The beginning of the Web 200 problem for the Sharif University CTF Quals started with a screen like this:

Selection_002

 

So it’s a hybrid login/sign-up form, probably due to the fact that coding two pages is a lot of work for a temporary CTF.

Once you’ve logged in you are presented with a website like so:

Selection_003

 

Ah, I love the smell of weird input in the morning.

Selection_005

 

Ooh, and there is the flag we are looking for!

We have the ability to create new “items” as well, let’s try that out.

Selection_004

 

Once we’ve added the item we are shown this:

Selection_006

So we can delete or view the “item” we’ve added, let’s checkout what’s under “View”.

 

Selection_007

 

Neat, what’s the URL look like decoded?

Selection_008

 

 

Ooh! Looks like they are including a file with the path name in the URL!

Let’s modify that a bit and see what happens.

Selection_009

 

Interesting, this looks like a local file inclusion vulnerability? But is it?

 

Selection_011

 

After putting that URL in your browser you get this as output:

Selection_012

 

Neat! So you can now see the PHP source code of any files inside of the root web directory!

So I’d just like to say something here, I spent literally 2 hours banging my head to beat the above piece of code. I was so sure you had to beat the security measures by reading some configuration file!

Spoiler alert: That’s not the vulnerability you’re exploiting at all.

 

Before you continue reading, try practicing by looking through the mirrored PHP code below for vulnerabilities:

The main page for logging in: http://thehackerblog.com/ctf_content/sherif/index.php.html

The page that allows us to view the source of pages: http://thehackerblog.com/ctf_content/sherif/getfile.php.html

The panel page that lets you view your items/other items: http://thehackerblog.com/ctf_content/sherif/panel.php.html

See if you can find the answer yourself, else continue on reading.

Let’s try reading another file shall we?

Selection_010

Selection_020

 

 

 

Long story short, their SQL looked clean and there wasn’t anything too obvious until I saw this:

Selection_021

 

Getting closer to the answer? Notice how after you create an account it does this:

Selection_014

 

So hopefully you’ve got a whiff of what’s bad about this but in case you haven’t, this is how registration works:

  1. Username is checked to ensure it’s not “admin”
  2. Username and password are checked to ensure nobody else is using them
  3. If they don’t exist then it registers them
  4. After it has registered you, the program removes tab characters from your username.
  5. The cookies are then generated, the “auth_user” is your username and the “auth_hmac” is your username HMAC MD5 hashed with a secret $hmackey
  6. You are then redirected to the panel page to view/create items.

So what if my name was “admin[TAB]”?

  1. Username is checked to ensure it’s not “admin”, which it isn’t (it’s “admin[TAB]”)
  2. The username is checked to ensure nobody else has used it (which it hadn’t been, the CTF people probably made sure of this)
  3. Since “admin[TAB]” wasn’t registered it was created in the database
  4. My username was then stripped of the tab characters, meaning my username is now just “admin”
  5. My cookies are now generated, using HMAC MD5 with my username “admin” and the secret $hmackey
  6. I’m then redirected to the panel page.
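The bug is an ordering one: the reserved-name and uniqueness checks run against the raw username, but the cookie is minted for the normalised one. The following is an added Python model of the two registration flows described in the lists above (the vulnerable order and the order that closes the hole); it is not the CTF’s PHP, the secret key and the stored admin password are constructed placeholders, and the tab removal is assumed to be a plain character strip as the writeup describes.

```python
import hmac
import hashlib

# Constructed placeholder; the real $hmackey is unknown and the bug does not depend on it.
HMAC_KEY = b"constructed-demo-secret"
RESERVED = {"admin"}


def auth_hmac(username: str, key: bytes = HMAC_KEY) -> str:
    """The cookie scheme from the writeup: HMAC-MD5 of the username under the secret."""
    return hmac.new(key, username.encode("utf-8"), hashlib.md5).hexdigest()


def strip_tabs(username: str) -> str:
    """The post-registration tab removal (assumed to be a plain character strip)."""
    return username.replace("\t", "")


class Site:
    def __init__(self):
        # The admin account already exists, as in the challenge.
        self.users = {"admin": "<placeholder admin password>"}

    def register_vulnerable(self, username: str, password: str) -> dict:
        # Steps 1-3: every check runs on the raw, un-normalised name.
        if username in RESERVED:
            raise ValueError("reserved username")
        if username in self.users:
            raise ValueError("username taken")
        self.users[username] = password
        # Step 4: normalisation happens only now, so "admin\t" becomes "admin".
        username = strip_tabs(username)
        # Step 5: cookies are issued for the normalised name.
        return {"auth_user": username, "auth_hmac": auth_hmac(username)}

    def register_fixed(self, username: str, password: str) -> dict:
        # Canonicalise first, then run every check against the canonical form.
        username = strip_tabs(username).strip()
        if username in RESERVED:
            raise ValueError("reserved username")
        if username in self.users:
            raise ValueError("username taken")
        self.users[username] = password
        return {"auth_user": username, "auth_hmac": auth_hmac(username)}


def whoami(cookies: dict, key: bytes = HMAC_KEY):
    """Server-side cookie check: the username if auth_hmac validates, otherwise None."""
    expected = auth_hmac(cookies["auth_user"], key)
    if hmac.compare_digest(expected, cookies["auth_hmac"]):
        return cookies["auth_user"]
    return None
```

The general rule this illustrates is that any transformation applied to an identifier (trimming, case folding, Unicode normalisation) has to happen before the authorisation checks that reason about it, and the stored record, the checks and the issued credential must all refer to the same canonical value.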

Neat, let’s try it!

Selection_015

 

Tamper Data Firefox Addon

Let’s just grab a tab character…

Selection_017

And put it after my username…

Selection_018

Notice the tab character after “admin” for my username

After submitting it, we get this:

Selection_019

I like the look of that! Come on baby, let’s see an admin account!

Selection_020

Perfect, we were authenticated as admin and can now view the flag!

Selection_021

 

Woohoo!

Selection_022

Ah, no better feeling

 

I also will include the other things I tried (just in case it’s helpful to anyone):

  • Tried to brute-force the secret key (because I had the algorithm + my username)
  • Thought there was a way to somehow read the credentials.php file

 

While everyone is preparing writeups for the cool challenges I think a lot of people would also be interested in the funny things that went on during CSAW.

Poor Kevin

One of the recon assignments was to find a hidden flag for “Kevin Chung”, the challenge simply starts like this:

Selection_001

What could possibly go wrong right?

Spoiler alert! Where you were supposed to end up was here: https://github.com/historypeats/putscan/commit/a31512af6e8f2ae76bce11c0bd363f899e3488d1

Which I didn’t exactly find out about right away – I did however find his website http://coderkevin.com/. This site initially taunted users about the key (via a Youtube video and some text) which brings us to the next point…

Being a judge and having public whois info for recon challenges is a REALLY bad idea.

Why?

People like me might get desperate enough for a key where I might actually just look you up and call you for the key. (http://www.networksolutions.com/whois/results.jsp?domain=coderkevin.com)

Which I did and the call went something like this (sorry Kevin, I can’t imagine your pain):

Me: “Hello?”

Kevin: “Is this about the whois info?!”

Me: “Oh…no…but if it was about that and if you did know a key…would the first letter be A?”

Kevin: *laughs* Oh god people have been calling me all day *hangs up*

So naturally, as satisfying as this was I am clearly not aware of social bounds so I decided to text him.

kevin_text

 

As if this wasn’t bad enough, Kevin also forgot (or was not aware of) EXIF data.

Winner of the "Shoot yourself in the foot" CTF awards

 

So that’s horrifying, considering that searching EXIF data is exactly what you’d have to do to find a key.
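The defensive counterpart to the EXIF point above is a publish-time check: before an image goes on a site, verify that it no longer carries the Exif APP1 segment where GPS and camera tags live, and strip it if it does. The following is an added Python example, not code from the post; it walks the JPEG segment headers directly (no image library needed), and the sample image it tests against is a constructed JPEG-shaped byte string, not a real photo.

```python
import struct

# Added example: detect and remove an Exif APP1 segment from a JPEG without
# decoding or re-encoding the image data.
SOI = b"\xff\xd8"
MARKER_APP1 = 0xE1
MARKER_SOS = 0xDA            # start of scan: everything after it is compressed image data
MARKER_EOI = 0xD9
EXIF_HEADER = b"Exif\x00\x00"


def iter_segments(data: bytes):
    """Yield (marker, offset, total_length) for each segment between SOI and SOS."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (MARKER_SOS, MARKER_EOI):
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])   # counts the 2 length bytes
        yield marker, pos, 2 + length
        pos += 2 + length


def is_exif_segment(data: bytes, marker: int, offset: int) -> bool:
    return marker == MARKER_APP1 and data[offset + 4:offset + 10] == EXIF_HEADER


def has_exif(data: bytes) -> bool:
    return any(is_exif_segment(data, m, off) for m, off, _ in iter_segments(data))


def strip_exif(data: bytes) -> bytes:
    """Copy of the JPEG with every Exif APP1 segment dropped; scan data passes through."""
    out = bytearray(SOI)
    end_of_headers = 2
    for marker, off, total in iter_segments(data):
        if not is_exif_segment(data, marker, off):
            out += data[off:off + total]
        end_of_headers = off + total
    out += data[end_of_headers:]
    return bytes(out)


def build_sample() -> bytes:
    """Constructed minimal JPEG-shaped byte string (not a real photo) for testing."""
    def seg(marker: int, payload: bytes) -> bytes:
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    app0 = seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    app1 = seg(MARKER_APP1, EXIF_HEADER + b"II*\x00\x08\x00\x00\x00" + b"<constructed GPS tags>")
    sos = seg(MARKER_SOS, b"\x01\x01\x00\x00\x3f\x00")
    return SOI + app0 + app1 + sos + b"\x12\x34\x56" + b"\xff" + bytes([MARKER_EOI])
```

Run `has_exif(open(path, "rb").read())` over anything destined for a public page; a true result means location and device tags may still be present. The stripper only removes the Exif APP1 block, so other metadata carriers (XMP in a second APP1, Photoshop IRBs in APP13) would need the same treatment.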

TL;DR – Kevin is probably changing his number and address relatively soon. Also internet points are serious business!

Funny False Flag-ery

So I personally enjoyed the effort that people would put into having false flags. I encountered a few (and placed a few), it’s really all part of the game with CTFs though.

Exhibit A – Wikipedia getting bombarded

It would appear that for a brief time someone managed to add a false flag to the Wikipedia article “Odin”, which was removed shortly afterwards. This one made it through and I have no idea if many more were being done to other Wikipedia articles (if you know of some please post it!). I find it hilarious that pages would suddenly be bombarded with crap additions because of some random CTF competition.

Here’s an image of this:

Hue hue hue

Exhibit B – Widget False Flagging

Initially while doing the “widget” challenge for CSAW I thought the idea was to get the key by viewing someone else’s widget. This seemed reasonable enough until I actually did it.

Just so much crap and derping in those widget fields – people running Acunetix and false flags to throw you off were everywhere.

Luckily enough, if you did want to see those entries I have some of them saved in a very screwed up format here: http://thehackerblog.com/downloads/internet_culture_gone_wild.txt

Please notice fabulous entries such as:

  • key{grep this bitch} (hehe, might've been me)
  • "Please something" (I can taste the desperateness)
  • howlongcanyouhandleinsideofyouhowlongcanyouhandleinsideofyouhowlongcanyouhandleinsideofyouhowlongcanyouhandleinsideofyouhowlongcanyouhandleinsideofyouhowlongcanyouhandleinsideofyouhowlongcanyouhandleinsideofyouhowlongcanyouhandleinsideofyouhowlongcanyouha (Apparently about that long)
  • <script>alert("key{0ecb449efc3}")</script> (more false flagging)
  • Widget: fuck Value: mygucciasswhole (HUNDREDS OF THESE, what the hell man?)
  • Change this to the value you want tested (Some type of automated software?)

There are plenty more but those were some of the funnier values I found.

CSAW Actively Scanning our Browsers for Vulnerabilities

How many of you noticed that? Seriously it’s like right in the source and it does it pretty often.

Basically in every CSAW CTF page they had the following:

<script src="http://browserscan.rapid7.com/EM-209038687/1/0/1/0/collect.js"></script>

The browserscan.rapid7.com homepage looks like this:

Selection_006

Nothing too sketchy, right? Here’s an example scan of my browser.

Pfft, doubt malware writers made linux shellcode for their drivebys

I really hope that this whole thing was just a way to hack a ton of CTF players but it really was probably more to gain lulzy statistics about players.

So that’s all I have for now but if I think of anything else funny I’ll add it – if you have anything funny to add please post it in the comments below!

This concludes the CSAW lulz writeup, I hope you learned something!

-mandatory