Fristileaks 1.3 CTF Writeup

This vulnerable VM is a fun and simple CTF that can be downloaded from the awesome portal VulnHub.

Note: For vmware you may need to set the MAC address to 08:00:27:A5:A6:76 to get it working. I did, see Fig 1.

srf_fristileaks_1

Let’s get ready to rumble…

As I knew the IP address let’s launch an nmap scan. From the scan we can see only 1 open port (HTTP) and the robots.txt file with some folders.

srf_fristileaks_2

Let’s open the website.

srf_fristileaks_3

Nothing interesting so far. Now let’s try robots.txt

srf_fristileaks_4

In these folders we only find a picture of Jedi Obi-Wan Kenobi and nothing else.

srf_fristileaks_5

Giving some thought and this is the fristi game, we arrive to the following URL; a login/password admin portal.

srf_fristileaks_6

Let’s check the HTML source code, we can find that the image is encoded in Base64 and also a possible login name: eezeepz

srf_fristileaks_7

Looking more closely at the HTML source code we find another potential base64 encoded text.

srf_fristileaks_8

Let’s put the base64 encoded text into a decoder like Burp Proxy. We see a PNG header. Sounds like an image!

srf_fristileaks_9

Let’s write a Python script to obtain the image.

srf_fristileaks_10

Open the image and looks to me a password 

srf_fristileaks_11

So now we have a login and a password. Let’s continue!

srf_fristileaks_12

Great, we have log in into the portal.

srf_fristileaks_13

We can upload an image.

srf_fristileaks_14

Why not a webshell? :) I modify one of Kali webshells to set my IP address.

srf_fristileaks_15

Upload the webshell but an error happens. Some kind of filter!

srf_fristileaks_16

Let’s fire up Burp Proxy to bypass the filter, change the filename to add a png extension.

srf_fristileaks_17

Great, filter bypassed and we have a webshell uploaded.

srf_fristileaks_18

Let’s call our webshell

srf_fristileaks_19

Remember before calling the webshell to set up a Netcat listener! Awesome, we got shell :)

srf_fristileaks_20

Good place to start is checking the web app code, PHP in this case. In /var/ folder we can see a /fristigod/ folder by fristigod user, interesting.

srf_fristileaks_21

Poking around /var/www/ folder we find a notes.txt file.

srf_fristileaks_22

In /home/ folder we see several users.

srf_fristileaks_23

Moving to /eezeepz/ folder we find another notes.txt file with an interesting message. We can execute commands, great!

srf_fristileaks_24

Let’s execute a command so we can access /admin/ folder by using the /tmp/runthis file trick.

srf_fristileaks_25

Inside /admin/ folder we see a bunch of interesting files.

srf_fristileaks_26

We got some encrypted files and a Python script used to encrypt the files.

srf_fristileaks_27

Time for more Python scripting, let’s modify the encrypt script to decrypt the files.

srf_fristileaks_28

Now we have some passwords, let’s change our user to fristigod user. Remember one of the encrypted files was “whoisyourgodnow.txt”. We don’t have a real terminal so let’s get one, a good cheat sheet here.

srf_fristileaks_29

Moving to /fristigod/ folder reveals nothing.

srf_fristileaks_30

Recall in /var/ folder we had a /fristigod/ folder, let’s check that folder and we can find some interesting files, a root binary we can execute!

srf_fristileaks_31

Checking the .bash_history file we learn how to execute the previous root binary.

srf_fristileaks_32

Time to see the /root/ folder content by using the root binary we can execute.

srf_fristileaks_33

Jackpot! We got root shell and the Flag :)

srf_fristileaks_34

Kudos to the author for this fun CTF!

Did you get root shell and the Flag by using other tactics?

— Simon Roses Femerling / Twitter @simonroses

Posted in Pentest, Security, Technology | Tagged , , , , , | Leave a comment

Equation APT analysis using Security Data Science platform: BinSecSweeper

As many readers already know, at VULNEX we have been working on our BinSecSweeper project whose development began in 2013 thanks to an award by US DARPA within its pilot program Cyber Fast Track (CFT) and we were the only Spanish startup to win a research award. In May 2014 I was invited to The Pentagon by DARPA to present my project, together with the other CFT participants. It was a unique and awesome experience!

Since then BinSecSweeper has changed in every way possible due to a strong engineering effort. With the rise of so many APT, I thought it would be interesting to analyze using Data Science techniques a recent APT that has gained a lot of media coverage: Equation APT Group.

For this analysis, I have got 419 Windows executables of this APT that we will proceed to examine with BinSecSweeper, let’s look at the results!

In Fig. 1 we have the project dashboard and we can see a summary of the analysis. BinSecSweeper has identified malware and high-risk vulnerabilities establishing a severe threat level alert (based on the US Homeland Security System). It draws our attention to different characteristics of the executables such as Packers, Personal Identifiable Information and binary similarities.

binsecsweeper_Online1
Fig. 1.

In metrics (Fig. 2) we see more details of the analysis, the metric that most interests us, at least to me, are the risks identified and the number of affected files. BinSecSweeper has identified interesting risks in this APT.

binsecsweeper_Online2
Fig. 2.

In BinSecSweeper we can deepen the analysis of one, several or all files, but for this high-level analysis our current objective is to obtain the big picture. So let’s look at the analytics data, a very powerful tool, see Fig. 3.

binsecsweeper_Online3
Fig. 3.

BinSecSweeper offers stunning graphics that help us to understand data very quickly and visually. In Fig. 4 we see a visualization of the entropy of the binaries. Most binaries are around 0.80 with some binaries in the 0.65 and 1.00 ranges.

binsecsweeper_Online4
Fig. 4.

In Fig. 5 we can see the different types of binaries and should call our attention that most files are DLL and there is also one Driver, no doubt a file we should analyze in more detail.

binsecsweeper_Online5
Fig. 5.

In Fig. 6 we see a very interesting metric, section names of the executables. It helps us to identify suspicious sections and packers.

binsecsweeper_Online6
Fig. 6.

Fig. 7 is related to the previous metric, in this case we have the number of sections. There is a file with 10 sections.

binsecsweeper_Online7
Fig. 7.

The following metric (Fig. 8) we have the number of imported libraries by the executables.

binsecsweeper_Online8
Fig. 8.

Imported functions of the executables are interesting to understand functionality. In Fig. 9 we have this metric, specifically the Top 15 functions.

binsecsweeper_Online9
Fig. 9.

We can also see the exported functions, Fig. 10.

binsecsweeper_Online10
Fig. 10.

In Fig. 11 we see the identified compilers. It is interesting to understand the tools used by the APT authors.

binsecsweeper_Online211
Fig. 11.

The last metric that we are going to see is the compilation timestamp of the executables organized by years. Clearly in 2008 the authors were very busy.

binsecsweeper_Online212
Fig. 12.

Very quickly and easily we have obtained a good understanding of this APT without entering into complex/costly analysis or reverse engineering, which would be our next step.

Today, with millions of malware circulating and the complexity of software, it is necessary to have in our arsenal powerful analysis tools such as BinSecSweeper, which uses advanced Data Science techniques to analyze the security and privacy of software.

Perhaps it would be interesting to analyze all antivirus with BinSecSweeper 😉

Hasta la vista Baby, I’ll be back soon with more analysis 

For more information about BinSecSweeper you can contact us at BinSecSweeper@vulnex.com

Does your organization use Security Data Science? What would you like to analyze?

— Simon Roses Femerling / @simonroses

Posted in Privacy, Security, Technology | Tagged , , , , , , , | Leave a comment

A Security Breach Can Hurt You, More Than You Think!

Week after week we read about security breaches in top websites around the world, where millions of user’s data are exposed and the company not even reply with an apology. Until now nobody in management (your typical C-level) assumed any responsibility of the breach, many times due to lack of security, but this tendency is starting to change.

Some CEOs have step down due to high profile security breaches such as Target in 2014 and infamous Ashley Madison just recently, July 2015. Management needs to start speaking cybersecurity and assume responsibility of security breaches.

A security breach can really hurt you – take for example Ashley Madison attack. 36 millions of users data exposed – but let’s be honest, although many of these users were fake profiles, anyway many real users were still affected by the breach. The problem for Ashley Madison is not the attack itself but what has been reveled: the company had plans to go public but by examining the data it looks it was a scam, ouch.

Another recent high profile security breach has been Hacking Team, a security company that develops offensive solutions for LEA and has been selling their products to oppressive regimes worldwide. Hacking Team was a known company for a while of suspicious activities but was not confirmed until a security breach revealed 400 gigabytes of their data containing products source code, client contracts, emails, and much more, the dark side of this company. Really ouch!

MBA schools need to start including cybersecurity awareness into their courses so management understands the problems and how to deal with them. It is not enough to have a good CSO/CSIO these days; management needs to be involved 100%, if not a security breach could hurt your company.

Should high management be involved in cybersecurity matters?

— Simon Roses Femerling – @simonroses

Posted in Security, Technology | Tagged , , , | Leave a comment

Race to 0day in Nation State Operating Systems

Operating System change is coming…

We all know that Windows still dominates the desktop arena with Linux and MacOS trying to catch up and that Android dominates the mobile space with iOS and Windows Phone trying to catch up as well. What many of these OSs have in common is that they are developed by USA companies (hello NSA!).

With the silent (or not that silent :) cyber guerrilla going on in the Internet between the West and the East it is not surprising that many Nation States are developing their own operating systems to cut the dependency on USA software vendors.

The Sony cyber attack by North Korea (supposedly, not proven yet) has caught a lot of media attention -even President Obama has spoken about the need of increasing cybersecurity- and to make things more interesting the operating system used by North Korea government was leaked on Internet and it is currently being analyzed by many security companies and intelligence agencies to find 0day.

Several Nation States have announced the development of their own “secure (cough)” operating system, the ones I know of:

  • Red Star OS: Linux based (Red Hat) with a Windows XP look & feel used by North Korea.
  • China: Several custom OSs.
    • COS: China Operating System based on Linux for mobile devices.
    • Kylin: First version was based on FreeBSD but current version is based on Ubuntu.
  • Russia: Several custom OSs.
    • RoMOS: A customized Android OS for mobile devices (this OS doesn’t send any information to Google).
    • Linux: Russia government announced switching to Linux as the national OS this year.
  • France: Not really their own operating system but the French military switched to Linux Ubuntu (allegedly to save money).
  • India: Also announced their own secure OSs (not much details published).
  • United State of America: Several custom OSs.
    • The Defense Information Systems Agency (DISA) is developing a secure version of Android to be used in mobile devices across the government.
    • Plan X: An OS develop by DARPA to be used by the military for cyber warfare operations in real time.

The fact that Nation States are developing their own customized OS for defensive purposes forces adversaries to obtain copies of these OSs to find 0day if they want to perform offensive actions, so we can expect the 0day market to grow in the incoming years for exploits and rootkits in all of these Nation State OSs.

There is a good chance for Nation States counterintelligence to publish fake OSs and software pretending to be the real thing for adversaries so they waste their resources trying to obtain copies and time analyzing the software or why not putting offensive software inside the OS to attack the systems used to analyze the software and compromise the network.

For sure security companies and intelligence agencies from both sides (West and East) must keep an eye on the technologies used by their adversaries and have ready a bunch of 0days on these OSs as the standard/regular Windows, Android and Linux versions will probably go away.

Nation States not putting enough resources to develop their offensive capabilities will be unable to perform any actions against adversaries that use custom OSs in the future.

Reader: If you know any more Nation States OS, please let me know and if you got copies of any of them send them my way, please!! (Already got Red Star OS, thanks)

What do you think of Nation States developing their own OSs?

— Simon Roses Femerling | @simonroses

Posted in Privacy, Security, Technology | Tagged , , , , | Leave a comment

Cyber Intelligence Universe

In recent years all “cyber” is fashionable, and intelligence applied to the cyber world could not be less! The concept of intelligence has an offensive meaning due to the use by intelligence and military agencies, but now too many security vendors position their products as intelligence solutions able to identify potential threats.

With the use of these security products many private organizations “believe” that they are getting intelligence but their vision is very limited:

  1. The intelligence is obtained by the quantity and quality of their sources (many organizations don’t know nor their sources of information).
  2. The human analysis factor is vital (is not about installing a product and expect a detailed report, like everything is automated.)
  3. The focus is just outside threats (Internet) as internal threats do not exist.

It is funny or sad (depending on how you look at it) when many organizations and security vendors talk about their ability to monitor and analyze systems logs, antivirus, firewall, IDS, Honeypots, etc. to provide intelligence and then they don’t know the number of computers, users or software installed in the organization. Intelligence applied only to the outside is insufficient when internal threats are unknown.

In VULNEX (disclaimer: cybersecurity startup founded by my) we gave it some thought and developed some solutions that help in this regard, for example BinSecSweeper: a tool to analyze Windows, Linux and MacOS binaries. We can take an operating system and analyze all the binaries to determine their security posture (for example scanning all the 7000aprox binaries in Kali Linux in 30 minutes 😉 or determine if software is using obsolete libraries among other things.)

Software today is not written but composed: programmers use different libraries and commercial or open source code to compose their product in the shortest time possible and push it to market. Organizations use all kind of software without knowing whether it is safe or what is composed of, huge mistake!

bss1_cap_int_univ
Fig. 1 – Scanning software with BinSecSweeper, a peak under the hood

Another need we got in VULNEX is to obtain intelligence from source when doing code audits. These audits are complex, long and usually limited in time so it is necessary to obtain valuable information to focus on the work. In this sense we have developed Tintorera, a plugin for GCC that, while we compile a project in C, performs an analysis that helps us understand the code without having read the source itself. At this point we are not looking for vulnerabilities, but we do want to understand the relationship between functions, code metrics, complexity, and other parameters that help us be more effective to scrutinize the code and find vulnerabilities. Intelligence applied to source code! 

tintorera1
Fig. 2 – Tintorera report

tintorera2
Fig. 3 – Tintorera Graph

If you believe that your organization is doing cyber intelligence, think again and really determine your analysis capabilities and what is your vision that surely are not as good as you think…

No doubt much remains to be done in the Cyber intelligence at both internal and external sources to obtain a real and global view of threats.

Does your organization have a cyber intelligence program?

— Simon Roses Femerling @simonroses

Posted in Pentest, Security, Technology, Threat Modeling | Tagged , , , , | Leave a comment

Theoretical attacks on a Sex Robot: Roxxxy

The True Companion company markets for the last few years the first robot to have sex with: Roxxxy. Unfortunately it is not possible to find too much information about the technical features of the robot on the company website, but with the available information a few conclusions can be drawn, so I thought it would be fun to do a post about possible attack vectors.

Disclaimer: everything described here is based on information obtained from the company website and my imagination, no attack has been tested in real (yet) because I do not have this robot, but if any reader wants to send me a pair of robots to make reverse engineering, I will be happy to inform you first of all the 0day I find :)

Roxxxy-Poupee-Robot-Sexuel-True-Companion-01

You can choose different customizable versions: hair color, personality (up to 5 profiles that you can customize even more!), and according to the model it/she can even talk, have some understanding and respond to touch. These features make me think that the robot must have different types of sensors and microprocessors. Also it has USB port, Ethernet and Wi-fi so it also has the ability to communicate (can receive updates via the Internet). The USB must be connected to a Windows computer so that the robot can talk to us.

An interesting concept is that we can give our custom robot personality to other users registered at the company Forum (aka Swingers for robots) temporarily, this means that the robot can replace its personality for a limited time with another one created by other users.

Now with this information, we propose different theoretical/fictitious attack scenarios:

1. The robot could bring from manufacture some malware implant to compromise the user computer via USB.
2. It could include a malicious AP, Wifi Pineapple style, inside the robot to carry out further attacks on the network/systems.
3. An attacker could steal the robot profile (personality) to resell it to the customer (Ransomware).
4. An attacker could modify the internal engines of the robot to do damage to the customer when “having sex” (although I doubt that the robot has sufficiently powerful engines in the current version).
5. Nothing is said of the sight (vision) of the robot, but if does have it, you could use the cameras to spy on the user (Hello, NSA!)
6. Also the robot could be used to record the voice of the customer.
7. And, with all this information, blackmail the customer to not make public their sexual tastes/tendencies.
8. An attacker could send a malicious personality to the forum so victims install it on their robots with different purposes.

31400

We talk much about the risks to critical infrastructure, the Cloud, Big Data and the Internet of Things (IoT), but in the coming years the security and risks of robots will become more relevant when they are more and more present in our personal and professional lives…

What additional attacks can you think of? 😉

— Simon Roses Femerling / @simonroses

Posted in Security, Technology, Uncategorized | Tagged , , | 2 Comments

Heartbleed: pain, blood and code

All alarms went off last week when a serious security flaw called Heartbleed in the OpenSSL cryptographic library was published. This library is used by a large part of the servers on the Internet as well as much security software.

As it could not be otherwise, the conspiracy theories claim this bug was introduced or abused for some time by the NSA. Anyway, this bug proves that Open Source software isn’t safer if nobody looks at it (it has taken two years to identify this bug!) and if secure development practices are not followed.

I do not know if the OpenSSL team follows any secure development framework but the fact that a single programmer can make changes to the code without any kind of validation ¿? is a much more serious mistake than the bug itself.

It is certainly a severe blow to the Open Source community that is often presented as safer since everyone can read the code. This bug makes clear that just being Open Source isn’t enough.

I will not get tired of repeating it: it doesn’t matter if you are Open Source software or commercial software, if your company only develops software for internal use or has an ISV that develops for you, it will never be secure software if not developed following a secure development framework such as MS SDL, BSIMM or OpenSAMM.

We hope that this bug is a wake-up call for anyone who develops software about the importance of security and investing in it.

I can also confirm that this bug works like a charm 😉

What do you think about this bug?

— Simon Roses Femerling

Posted in Pentest, Security, Technology | Tagged , , , | Leave a comment

Spaniards in the Black Hat ASIA

I’m back from Black Hat ASIA 2014 in Singapore, where I had the pleasure of giving a talk on the security of cross-platform mobile technologies for developing mobile apps. The last Black Hat ASIA was in 2008 and the last time in Singapore was in 2003, time flies!

srf_bhasia2014_1

In the event there were several Spaniards such as Jose Miguel Esparza with its workshop on PDF analysis, Leonardo Nve with DNS attacks and finally Alberto García Illera and Javier Vázquez Vidal on hacking cars.

The event took place at the amazing Marina Bay Sands hotel (I recommend you to google it), and it was a success with around 1000 attendees. At the speaker dinner the organization took us to a Chinese restaurant where we could taste different specialties and drink red wine from the la Rioja (Argentina 😉 ; then, as it could not be otherwise, we explored Singapore nightlife!

srf_bhasia2014_2

My talk was the first on the first day of the event and was a great success, a roomful of people even standing (no chairs for everyone) and many questions, somewhat atypical in the Asian culture, so I would like to thank all attendees!!

My first time in Singapore but it certainly won’t be the last, perhaps next year 

My presentation available on VULNEX website.

— Simon Roses Femerling

Posted in Conference, Pentest, Technology | Tagged , , , , , , | Leave a comment

The need to evolve defensive security to offensive security

This morning I saw a job offer from Facebook looking for offensive security engineers and I thought it would be a wonderful opportunity to explore this idea and its application in corporate security.

Traditionally information security in enterprises has a defensive role based on different products (firewall, anti-virus, IDS, etc.). But when week after week we read in the media as businesses of all sizes are attacked and owned, something is wrong here!

Internet and its dangers have evolved but corporate security has not: too many companies follow decades old security schemes to protect their information.

As Nation-States develop not only their defensive capabilities but also their offensive capabilities, businesses should also enhance their offensive capabilities, not to attack other companies but to assess their own security effectively.

It is impossible that security consultants / pentesters with a limited time are able to truly verify the security of a company, which unfortunately is the model that most companies follow. No one presses the doctor when operating or the plumber when fixing a problem, but we press all the time security consultants to obtain compressive results in a short space of time.

It is necessary that corporate security evolves with offensive staff who truly understand the attackers (attacker mindset), who are capable of attacking systems and applications and have some freedom to do this in the company. These individuals are who can raise security to the next level.

Their objective is to constantly attack the company using actual techniques to discover the weak points and strengthen them, analyze malware identified in the company and even set traps to the attackers (honeypots). We should not confuse with Counter-Hacking, the idea that if we are attacked we must respond by attacking. No company should use its offensive capabilities to counter attack as this can unleash all kind of problems (legal and ethical). We must only use offensive capabilities internally to improve security, period.

Companies that do not evolve their security to a defensive and offensive model and enhance not only the technology but also its processes and people (the famous pyramid: people, processes, and technologies) are doomed to be owned for lifetime.

Has your company offensive security capabilities? How are they used?

— Simon Roses Femerling

Posted in Pentest, Security | Tagged , , , | 2 Comments

VULNEX Award and RSA USA speaker experience!

February has been both very interesting and busy! On February 17th I had the pleasure of collecting the first award of VULNEX by Spanish security magazine Red Seguridad for IT Innovation for our collaboration with DARPA (Defense Advanced Research Projects Agency of the Department of Defense, USA) which produced BinSecSweeper, a technology that allows us to verify the security posture of any binary.

You can find a great chronicle of the event here and below I am including a photo of the trophy :)

Trofeo_VULNEX

On 24-28 February I did attend for the first time the legendary RSA USA conference in San Francisco, in which I participated with a talk on security in software development and using BinSecSweeper to assess binaries entitled: “Writing Secure Software is hard, but at least add mitigations!“. I take this opportunity to thank attendees for the good feedback, I’m glad that so many liked my presentation! And of course also thank the organization for a great event.

RSA

The presentation is already available on VULNEX website.

BinSecSweeper_RSAUSA2014_1

BinSecSweeper_RSAUSA2014_2

It was my first time at RSA USA but certainly won’t be the last! In my opinion a must-attend event for all cybersecurity professionals.

Until next year!

— Simon Roses Femerling

Posted in Conference, Privacy, Security, Technology | Tagged , , , , , | Leave a comment