What I Learned At My First CTF

The other day, my company ran a ‘Capture The Flag’ exercise, where developers attempted to complete a series of hacking challenges against a running server (set up by our Chief Research Officer).

The majority of the exercise revolved around application security, where the attacker would gain more and more information to gain further and further access.

To start, we were asked to identify what software the site was running. A quick look at the page source of the site showed the following:

<meta name="generator" content="Drupal 7 (http://drupal.org)" />

making it easy to determine that the site was running Drupal. With that in hand, I was able to use online scanning software to identify the exact version as 7.31 (apparently the version string sits in a changelog file that is left publicly accessible).
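The generator tag is the first thing the page source gives away, so a defender's version of the step above is to check one's own pages for it. The following is an added example, not code from the original post or from Drupal: it parses the HTML head for meta generator tags and flags any that disclose a version number (the product name alone is low-value; the version is what maps straight to a CVE search). The sample HTML is constructed and mirrors the tag quoted above.

```python
import re
from html.parser import HTMLParser

# Constructed sample page head, modelled on the default Drupal 7 output.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta charset="utf-8">
<meta name="generator" content="Drupal 7 (http://drupal.org)" />
<title>Home</title>
</head><body><p>hello</p></body></html>"""


class GeneratorFinder(HTMLParser):
    """Collect the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attributes = {k.lower(): (v or "") for k, v in attrs}
        if attributes.get("name", "").lower() == "generator" and attributes.get("content"):
            self.generators.append(attributes["content"])


def find_generators(html):
    """Return all generator strings found in the document, in order."""
    parser = GeneratorFinder()
    parser.feed(html)
    return parser.generators


def disclosure_report(html):
    """Split each generator string into product and (optional) version.

    The first run of digits (with optional dotted parts) is taken as the
    version; anything before it is the product name.  A tag that carries a
    version is marked as a disclosure worth removing.
    """
    report = []
    for generator in find_generators(html):
        match = re.search(r"\d+(?:\.\d+)*", generator)
        version = match.group(0) if match else None
        product = generator[: match.start()].strip() if match else generator.strip()
        report.append({
            "generator": generator,
            "product": product,
            "version": version,
            "discloses_version": version is not None,
        })
    return report


if __name__ == "__main__":
    for entry in disclosure_report(SAMPLE_HTML):
        print(entry)
```

Run against a site's own front page (fetch the HTML however you like and pass it to `disclosure_report`), this reports `Drupal` / `7` for the tag quoted above. Stripping the tag and restricting access to files such as the changelog removes the two clues the post used to arrive at an exact version.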

A quick search for ‘Drupal 7.31 cve’ brought me to Exploit DB which handily contained a python script which allowed me to create an admin user in Drupal and log in to the server.

The next challenge was to try to identify users on the machine and passwords to things like databases. I spent a bunch of time poking around and trying to figure this out until I realized that Drupal, by default, allows content to be rendered as PHP. From the docs:

Body: where you put the text for the page. The "Input format" controls what 
code can go in the Body field. There are three default options: filtered HTML, 
PHP code, and full HTML.

With the ability to execute PHP, this made a few tasks pretty easy. I was able to leverage code execution to enumerate file paths on the server, and then open and render specific files. Of note was the settings.php file of Drupal to gather information on the database, as well as list the /home directory to learn more about some users.

The next step was to essentially obtain access to the machine itself, which I did not figure out in the time allotted, but I believe it would build on the basis that I can potentially write files to the file system using PHP. Perhaps trying to add my own public key to a user’s .ssh folder? Or perhaps trying to create a reverse shell? The next CTF will tell.

Security Roundup - 2016-05-11

Verizon released their yearly Data Breach Investigations Reports. The Rapid 7 Community has a pretty good writeup. Reading the report has some interesting information:

  • Breaches caused by server assets are declining, while breaches where people and their devices are the weak link continue to rise.
  • Breaches are more often than not discovered by third parties.
  • Webapp breaches have increased dramatically, which should be unsurprising given the ease of drive-by scans and exploits.
  • Crimeware decreased drastically in 2015 (though this year’s ransomware reports lead me to believe it will be more prevalent in the next report).

The report also focuses on a few factors as primary points of vulnerability:

  • Patching Cadence - how long between a vulnerability being discovered and exploits being developed vs the time it takes organizations to upgrade/mitigate.
  • Social Engineering - phishing attacks are still highly effective.
  • Passwords - 63% of breaches apparently involve leaked/reused/weak passwords.

Related to the ease of drive-by exploits, one anonymous user recently decided to scan for open VPC ports and make use of the screenshot facility to take some pictures. Among the things found appear to be security systems, checkout systems, and desktops.

ImageTragick made the rounds this week: a set of ImageMagick flaws that let code embedded in certain image formats run on the server, and that allow file manipulation on the system such as moving/deleting/reading files. Cloudflare has an article detailing usages they have seen in the wild, starting at recon and escalating to attempted server takeover. Sucuri has seen some similar exploits.
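The mitigation published with the ImageTragick advisory was a policy.xml that denies the coders involved (EPHEMERAL, URL, HTTPS, MVG, MSL). Below is an added example, not from the original post or from the ImageMagick project, that audits a policy.xml for those denials and emits a corrected file when some are missing. The sample policy is constructed to show a partial hardening that forgot two coders; the coder list was later extended (for example TEXT, SHOW, WIN, PLT), so treat RISKY_CODERS as the starting point, not the full set.

```python
import xml.etree.ElementTree as ET

# Coders the ImageTragick advisory recommended denying in policy.xml: each
# lets a crafted image reach the network, the shell, or the filesystem.
RISKY_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"}

# Constructed sample: a policy that disables three of the five coders.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
</policymap>"""


def disabled_coders(policy_xml):
    """Return the set of coder patterns whose rights are 'none' in the policy."""
    root = ET.fromstring(policy_xml)
    disabled = set()
    for policy in root.iter("policy"):
        if policy.get("domain") != "coder":
            continue
        if policy.get("rights", "").strip().lower() != "none":
            continue
        disabled.add(policy.get("pattern", "").strip().upper())
    return disabled


def missing_mitigations(policy_xml, required=RISKY_CODERS):
    """Coders from the required list that the policy does NOT deny, sorted."""
    return sorted(set(required) - disabled_coders(policy_xml))


def hardened_policy(policy_xml, required=RISKY_CODERS):
    """Return a policy.xml string with a rights="none" entry added per gap.

    Existing entries are kept untouched; only the missing denials are appended
    so the diff against the original file is easy to review.
    """
    root = ET.fromstring(policy_xml)
    for pattern in missing_mitigations(policy_xml, required):
        entry = ET.SubElement(root, "policy")
        entry.set("domain", "coder")
        entry.set("rights", "none")
        entry.set("pattern", pattern)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("missing:", missing_mitigations(SAMPLE_POLICY))
    print(hardened_policy(SAMPLE_POLICY))
```

Point it at the installed file (for instance `/etc/ImageMagick-6/policy.xml`, the path varies by distribution) and check that `missing_mitigations` returns an empty list after the change; the file is only read by ImageMagick at process start, so long-running converters need a restart to pick it up.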

Warby Parker recently decided to test their Cyber Security Response time, by staging a site takedown. Much fun was had by the ‘attackers’, practice was had, and lessons were learned.

Last week, there was news to the effect that millions of email addresses were leaked. This turned out not to be the case, with various email providers declaring the majority of the information was bogus. Troy Hunt (who is behind haveibeenpwned.com), goes into depth on how he does validation on data leaks, rather than just accept them at face value.

ThreatPost has some good ransomware articles, including a post on ‘Ransomware as a Service’; ‘A Diary of a Ransomware Victim’, where a casino’s consultant had no security precautions and allowed TeslaCrypt to spread rapidly through the network; and an update on the Bucbi ransomware, which is being used in targeted attacks rather than randomly seeking targets.

Malwarebytes has a very in-depth analysis of the 7ev3n ransomware variant. After completely reverse engineering it, they were able to tell that the implementor designed their own custom crypto mechanism, making it easier to recover files.

A few months ago, I mentioned people performing man in the middle attacks between free standing ATMs and networks. This week I’ve learned that sophisticated skimmers can actually be inserted into the card reader slot.

Security Roundup - 2016-05-04

One engineer recently found ‘Shellshock’ style user agent strings in his log files. After investigation, he realized that an attacker was using someone’s unsecured log files as a blind drop for scanning results.

Apparently, a few years ago, someone set up a project to try and find common factors in RSA PGP keys. Last year, they started processing keys from the public keyserver dataset. To date, they have found over 200 broken keys and 2000 keys with suspicious characteristics, including keys from Apple, Product Security, Nasa, and The Pirate Party. These keys contain things like non-prime factors and shared factors: if two moduli share a prime, a gcd of the two reveals it, which gives the other factor of each modulus (and thus both private keys). This could either be due to poor sources of entropy or deliberately crippled PGP implementations.
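The shared-factor weakness is worth seeing in numbers. The following is an added example, not code from the post or from the keyserver project: it constructs two toy RSA keys that share a prime (the effect of a bad RNG), recovers the shared prime with a single gcd, derives the private exponent of a key from it, and then runs the same pairwise-gcd scan over a small list of moduli the way an auditor would over their own key inventory. The primes and message are constructed; real keys use 2048-bit moduli but the arithmetic is identical.

```python
from math import gcd

E = 65537  # common public exponent

# Constructed toy primes (all prime).  P is reused across two keys.
P = 1000003
Q1 = 1000033
Q2 = 1000037
Q3 = 1000039
Q4 = 1000081


def make_key(p, q, e=E):
    """Return (n, e, d) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return n, e, d


# Two keys that share P, and one unrelated key.
N1, _, D1 = make_key(P, Q1)
N2, _, D2 = make_key(P, Q2)
N3, _, D3 = make_key(Q3, Q4)


def shared_factor(n_a, n_b):
    """Return the non-trivial common factor of two moduli, or None."""
    g = gcd(n_a, n_b)
    return g if 1 < g < min(n_a, n_b) else None


def recover_private_exponent(n, e, known_prime):
    """Given one prime factor of n, rebuild d exactly as the owner did."""
    other = n // known_prime
    if known_prime * other != n:
        raise ValueError("known_prime does not divide n")
    return pow(e, -1, (known_prime - 1) * (other - 1))


def find_shared_factors(moduli):
    """Naive pairwise gcd scan; returns (i, j, common_factor) for each hit.

    O(k^2) is fine for a key inventory of hundreds; at keyserver scale the
    batch-GCD (product tree) technique does the same job in near-linear time.
    """
    hits = []
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = shared_factor(moduli[i], moduli[j])
            if g is not None:
                hits.append((i, j, g))
    return hits


def roundtrip(n, e, d, message):
    """Encrypt with the public key and decrypt with d; True if it survives."""
    return pow(pow(message, e, n), d, n) == message


if __name__ == "__main__":
    hits = find_shared_factors([N1, N2, N3])
    print("shared factors:", hits)
    for i, j, g in hits:
        for n in (N1, N2, N3)[i], (N1, N2, N3)[j]:
            d = recover_private_exponent(n, E, g)
            print(f"n={n} recovered d={d} roundtrip={roundtrip(n, E, d, 123456789)}")
```

The scan finds exactly one hit, modulus 0 against modulus 1, and the recovered exponent decrypts correctly for both; the unrelated third key shares nothing with either. Two keys that are individually the right size and shape are still broken the moment a third party can line them up side by side, which is why the project scanned the whole keyserver set rather than inspecting keys one at a time.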

The Verge has a good article on why fingerprints are not good for authentication. Among other things: the government has a giant database of fingerprints (mine have been scanned when traveling back and forth from Canada), and thus they are leak-able. Unlike passwords, changing fingerprints (and other biometrics) is pretty hard, and we leave our fingerprints everywhere. If anything, biometrics are more akin to a username than they are to a password.

Some security researchers recently realized that Slack API tokens were checked in to Github repositories. They quickly realized they could gain access to a lot of sensitive information, including passwords. Slack has indicated they are now scanning Github and revoking found tokens, similar to what other services like Amazon currently do.

In a follow up on the recent story of how quickly people plug in random USB keys, Infosecurity Magazine has an article on how the American Dental Association accidentally spread malware via USB keys they had manufactured.

After 100 breaches, Have I Been Pwned has had breach data submitted by the breached company, rather than finding the data online. A similar service, Pwnedlist, has recently had a major security vulnerability communicated to them, and has decided to shut down their public site.

Security Roundup - 2016-04-27

Apparently, the Bangladesh Bank was hacked recently, and almost taken for $1 billion! The attack vector? Cheap network switches, providing neither a firewall nor the ability to logically separate network traffic.

The personal info of 93.4 million Mexicans was recently exposed due to a publicly accessible database.

In security, humans are the weakest element. In order to make security training more interesting and memorable, one company has started ‘Game Of Threats’ where teams compete against each other in a game to learn more about what threats organizations face.

AV products are introducing ‘sandboxing’, where they isolate a process from the rest of the system and monitor for bad behavior before allowing it to be run. Nettitude has an interesting write up on how they broke out of Avast’s Sandbox.

PeerLyst goes over how some lesser-known options for unregistering Windows functions can actually be used to trigger remote code execution.

Or how about one hacker’s journey to claim a Facebook bug bounty, which led them to find a number of vulnerabilities in a product Facebook uses? Also found: webshells from previous attackers.

Ars has an interesting article on the ‘Nuclear’ Exploit Kit. I found it interesting about how it uses user agents to tailor payload and/or to evade detection.

Security Roundup - 2016-04-20

The Australian Federal Government just announced that the Bureau of Meteorology was the target of a cyber attack. Apparently, they also have a direct link to the Australian Defence Department, meaning a source of third party risk. The Australian Government has announced their new Cyber Security Initiative to protect against these threats.

CBS broke the story about flaws in the Signaling System Seven that allow people to be tracked. I found this similar to this Engadget story of The Untold Story of the Teen Hackers Who Transformed the Early Internet, again exploiting telecommunications systems to get unauthorized access to systems.

Companies have been increasingly encrypting all web traffic, and Let’s Encrypt has been helping make it easy. Six months since launch, they have created more than 1.7 million TLS certificates and are now preparing to leave beta. A number of consumer platforms like Dreamhost and Wordpress have rolled out easy integration for their customers, making secure communications accessible to the non-technically savvy. Even Sucuri has rolled it out as an option for their application firewall.

Meanwhile, Google observes ~16,500 new compromised websites a week. They outline some improvements they have made that make it easier for up to 75% of those webmasters to re-secure their sites post compromise.

A recent study demonstrates why you shouldn’t share sensitive files using URL shorteners. Essentially, the shortened links are brute-forceable, allowing people to potentially access sensitive information. This study prompted Microsoft to remove this functionality from OneDrive and Google to lengthen the link and add security precautions against brute forcing.

MIT recently announced a new debugging method to detect vulnerabilities. Essentially a static analysis of source code, they were able to detect 23 vulnerabilities in 50 popular Ruby On Rails platforms in minutes.

Rapid7 combed through the National Vulnerability Database to put together a few trends. 2015 had a big jump (17%) in critical vulnerabilities.

Last week I mentioned how ransomware is starting to eclipse banking malware, but the GozNym malware proves that banking malware is still a million dollar business. New ransomware includes a variant dubbed Rokku, which encrypts each file with a unique key, as well as one called Jigsaw, which advertises a time limit to decrypt your files. For existing malware, TeslaCrypt continues to evolve by investing heavily in evasion techniques, and ThreatPost indicates that 3.2 MILLION servers are impacted by the JBoss flaw that SamSam is exploiting.
