We recently ran our Black Hat challenge where the ultimate prize was a seat on one of our training courses at Black Hat this year. This would allow the winner to attend any one of the following:
Simply trying out this feature and viewing how it functions. Viewing the feed tester result, we noticed that the contents of the XML formatted RSS feed were echoed and it became clear that this may be vulnerable to XXE. The first step would be to try a simple XML payload such as:
It looks like we have some more XML being submitted.. Again we tried XXE and found that using "file://" in our payload created an error. There were ways around this, however the returned data would be truncated and we would not be able to see the full contents of flag2.txt... When stuck with XXE and not being able to see the result (or complete result) there is always the chance that we can get the data out via the network. To do this we needed to generate a payload that would allow us to fetch an external DTD and then "submit" the contents of our target file to a server under our control. Our payload on our server looked like this:
As soon as the XML decoder parsed our malicious payload, we would receive the base64 encoded contents on our server:
Now it was a simple matter of decoding the payload and we had the second flag. This was not the only way to get flag 2! It was the most "fun" way of doing it though and used a really handy method. Remember it for your next pentest...
The two runners up who both can claim one of our awesome 2014 t-shirts:
Vitaly aka @send9
Sash aka @secdefect
The course has undergone the full reloaded treatment, with our trainers pouring new tips, tricks and skills into the course, along with incorporating feedback from previous students.
The training introduces all the core skills required to test applications across the major mobile platforms, particularly:
For a full break-down of the course structure check-out our BlackHat training page (https://www.blackhat.com/us-14/training/hacking-by-numbers-reloaded-mobile-bootcamp.html)
Your trainers will be Etienne (@kamp_staaldraad) and Jurgens, both crazy about mobile security and have executed numerous killshots on all the major mobile platforms.
- Etienne and Jurgens -
Why Infrastructure Hacking Isn't Dead
If you work in IT Security you may have heard people utter the phrase,
“Infrastructure hacking is dead!”
We hear this all the time but in all honesty, our everyday experience of working in the industry tells a completely different story.
With this in mind we've decided to factor out our “infrastructure related h@x0ry” from our Bootcamp Course and create a brand spanking new one, completely dedicated to all things ‘infrastructure'.
What You'll Learn
We've re-loaded this course to not only reinforce basic footprinting methodologies - which to be honest, are essential for target acquisition - but to also enable you to exploit common, real-world vulnerabilities.
But that's not all.
We've also highlighted methods for compromising Microsoft Active Directory infrastructures - something that's typical for corporate environments. The way in which we approach this is thorough, effective and shows you how to become DA without necessarily pulling all of your hair out.
A complete company takeover is really just a matter of time.
Get Hands-On Experience
As with all SensePost training courses, we don't just want you to sit there and watch us talk for a few days. Where's the fun in that and how on earth will you get real, tangible experience if you're just sat in a chair?
Not only will we all be doing practicals at the end of each topic, we've also created a brilliant culmination exercise:
“You'll need to compromise a company via the Internet and steal as much data as possible!”
The Bottom Line
The brand new Bootcamp Reloaded Infrastructure will provide you with a thorough introduction to real world hacking of corporate environments. You'll learn everything you need to successfully compromise most corporate networks out there.
For more information on our training offering, head over to here.
BlackOps you say?
At SensePost we have a range of courses in our Hacking by Numbers reloaded series. We feel each one has its own special place. I've delivered almost all the courses over the years, but my somewhat biased favourite is our recently updated BlackOps Edition. Myself (Glenn) and Vlad will be presenting this course at BlackHat Vegas in August.
Where Does BlackOps fit in?
Our introductory courses (Cadet and Bootcamp) are meant to establish the hacker mindset - they introduce the student to psychological aspects of an attacker, and build on that to demonstrate real world capability. BlackOps is designed for students who understand the basics of hacking (either from attending Bootcamp/Cadet, or from real-world experience) and want to acquire deeper knowledge of techniques we use. We built the course based on our 13 years of experience of performing security assessments.
But really, what's the course about?
This course is aimed at those who've been performing penetration testing for a while, but still feel a bit lost when they've compromised a host, or network and want to know the best possible approach to take for the next step. All of the labs in this course come from real life assessments, with the final lab being a full-blown social engineering attack against an admin with pivoting, exfiltration and the works. Specifically, we're going to cover the following topics:
1. Advanced Targeting
A hacker who can quickly and effectively identify targets is a successful attacker. We'll be looking at non-standard techniques for identifying targets, such as mDNS, IPv6, and other rapid reconnaissance techniques.
You may know how to roll a generic metasploit payload, but we'll be looking at some lesser utilised approaches to compromise. From WPAD injection, to rogue routers in IPv6, to good old smbrelay attacks, to crypto attacks against obfuscated credentials.
4. Privilege Escalation
So you've gotten a shell, now what?
Following on somewhat succinctly, how do you elevate your privileges after compromising a box? Everyone wants to be root or enterprise admin, but how do you go about this without raising the alarm and keeping your shell?
Don't underestimate the importance, or intricacies of this topic. Once you've compromised a lowly network edge server, or the receptionist PC, how do you bounce through that box to get to the good stuff, three DMZs deep? We'll show you how. A must-have for every hackers box of tricks.
6. Open Source Intelligence (OSINT)
Finding out as much as possible about an adversary from publicly available information is one of the most important steps of any hack. This relates to both infrastructure (domains, IP ranges, etc) and personnel. In this section we'll focus mainly on the latter. How can you find out more information about the girlfriend of the son of your target company's CEO? We'll show you. Why would you want to? A good social engineering attack abuses trust relationships, so nothing makes a dad click on that dodgy looking email if it was from his son.
7. HIPS Evasion
Hackers don't like getting caught. So we'll teach you how to evade 100% (yes, 100%) of anti-virus products on the market, as well as hiding from smart traffic filtering devices. Bring your own ninja outfits, we'll provide the skill-set.
8. Client Side Attacks
The weakest layer of the OSI stack - the human. Trust us, if you really want to compromise an organization, going after the receptionist's outdated Windows box is the first stepping stone. After all, why wouldn't she open an email that appears to come from her boss, and has a harmless .xls attached?
Each module of the above modules has a theory section followed by a practical lab to allow you to practise your newly acquired skills. The course finishes with a Capture-the-Flag, with a grand prize. Honestly, this final lab is enjoyable and guaranteed to bring a smile on your face whilst doing it.
We're looking forward to sharing out knowledge, experience, and passion for security with you. Please sign up here.
-Glenn & Vlad
Recently a security researcher reported a bug in Facebook that could potentially allow Remote Code Execution (RCE). His writeup of the incident is available here if you are interested. The thing that caught my attention about his writeup was not the fact that he had pwned Facebook or earned $33,500 doing it, but the fact that he used OpenID to accomplish this. After having a quick look at the output from the PoC and rereading the vulnerability description I had a pretty good idea of how the vulnerability was triggered and decided to see if any other platforms were vulnerable.
The basic premise behind the vulnerability is that when a user authenticates with a site using OpenID, that site does a 'discovery' of the user's identity. To accomplish this the server contacts the identity server specified by the user, downloads information regarding the identity endpoint and proceeds with authentication. There are two ways that a site may do this discovery process, either through HTML or a YADIS discovery. Now this is where it gets interesting, HTML look-up is simply a HTML document with some meta information contained in the head tags:
Whereas the Yadis discovery relies on a XRDS document:
Now if you have been paying attention the potential for exploitation should be jumping out at you. XRDS is simply XML and as you may know, when XML is used there is a good chance that an application may be vulnerable to exploitation via XML External Entity (XXE) processing. XXE is explained by OWASP and I'm not going to delve into it here, but the basic premise behind it is that you can specify entities in the XML DTD that when processed by an XML parser get interpreted and 'executed'.
From the description given by Reginaldo the vulnerability would be triggered by having the victim (Facebook) perform the YADIS discovery to a host we control. Our host would serve a tainted XRDS and our XXE would be triggered when the document was parsed by our victim. I whipped together a little PoC XRDS document that would cause the target host to request a second file (198.x.x.143:7806/success.txt) from a server under my control. I ensured that the tainted XRDS was well formed XML and would not cause the parser to fail (a quick check can be done by using http://www.xmlvalidation.com/index.php)
In our example the fist <Service> element would parse correctly as a valid OpenID discovery, while the second <Service> element contains our XXE in the form of <URI>&a;</URI>. To test this we set spun up a standard LAMP instance on DigitalOcean and followed the official installation instructions for a popular, OpenSource, Social platform that allowed for OpenID authentication. And then we tried out our PoC.
It worked! The initial YADIS discovery (orange) was done by our victim (107.x.x.117) and we served up our tainted XRDS document. This resulted in our victim requesting the success.txt file (red). So now we know we have some XXE going on. Next we needed to turn this into something a little more useful and emulate Reginaldo's Facebook success. A small modification was made to our XXE payload by changing the Entity description for our 'a' entity as follows: <!ENTITY a SYSTEM 'php://filter/read=convert.base64-encode/resource=/etc/passwd'>. This will cause the PHP filter function to be applied to our input stream (the file read) before the text was rendered. This served two purposes, firstly to ensure the file we were reading to introduce any XML parsing errors and secondly to make the output a little more user friendly.
The first run with this modified payload didn't yield the expected results and simply resulted in the OpenID discovery being completed and my browser trying to download the identity file. A quick look at the URL, I realised that OpenID expected the identity server to automatically instruct the user's browser to return to the site which initiated the OpenID discovery. As I'd just created a simple python web server with no intelligence, this wasn't happening. Fortunately this behaviour could be emulated by hitting 'back' in the browser and then initiating the OpenID discovery again. Instead of attempting a new discovery, the victim host would use the cached identity response (with our tainted XRDS) and the result was returned in the URL.
Finally all we needed to do was base64 decode the result from the URL and we would have the contents of /etc/passwd.
This left us with the ability to read *any* file on the filesystem, granted we knew the path and that the web server user had permissions to access that file. In the case of this particular platform, an interesting file to read would be config.php which yields the admin username+password as well as the mysql database credentials. The final trick was to try and turn this into RCE as was hinted in the Facebook disclosure. As the platform was written in PHP we could use the expect:// handler to execute code. <!ENTITY a SYSTEM 'expect://id'>, which should execute the system command 'id'. One dependency here is that the expect module is installed and loaded (http://de2.php.net/manual/en/expect.installation.php). Not too sure how often this is the case but other attempts at RCE haven't been too successful. Armed with our new XRDS document we reenact our steps from above and we end up with some code execution.
And Boom goes the dynamite.
All in all a really fun vulnerability to play with and a good reminder that data validation errors don't just occur in the obvious places. All data should be treated as untrusted and tainted, no matter where it originates from. To protect against this form of attack in PHP the following should be set when using the default XML parser:
A good document with PHP security tips can be found here: http://phpsecurity.readthedocs.org/en/latest/Injection-Attacks.html