Experiments with UPnP Jul 3, 2014

This post deals with recent observations regarding the UPnP (Universal Plug and Play) protocol and routers. In a few words, thanks to this protocol, devices and services (such as file sharing services, games, etc.) can be easily connected and deployed.

First, I started to do research on my box to find relevant UPnP functionalities by hand; I found some, but I had trouble exploiting them. A few days ago, David Middlehurst released a tool called “UPnP Pentest Toolkit”.

...
Kioptrix 3 Write-up Jun 12, 2014

It has been a long time since I wrote another write-up. This one is for Kioptrix 3, which you can find here.

Host Discovery

$ nmap -sP 192.168.56.1/24

and we got the IP address: 192.168.56.101.

As explained there, you need to add 192.168.56.101 kioptrix3.com to your /etc/hosts.

Fingerprinting

Then, let’s find what kind of services are running on the host machine.

$ nmap 192.168.56.101 -sV -A

Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-12 20:15 CEST
Nmap scan report for malicious (192.168.56.101)
Host is up (0.00034s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.59 seconds

Quite obvious, let’s check this Web server!

...
Diving into Google’s XSS game Jun 2, 2014

Hi there, this post deals with the game about XSS vulnerabilities released by Google a few days ago, which you can find here.

I’ll enumerate some of the solutions I found on the Internet which were (in my opinion) interesting or fun. This post contains the solutions for all levels. Big spoilers.

Level 1: Hello, world of XSS

Well, this one was obvious:

<script>alert(1);</script>

Level 2: Persistence is key

For this one, you had different options:

...
Bobby Write-up May 15, 2014

Hi there,

Quick blog post on the VM “Bobby”, which is one of the nicest VMs I have done so far.

Discovery

The first step is always the same: discovering the machine on the network. To do so:

$ nmap -sV 192.168.1.1/24

I managed to retrieve the IP address: 192.168.1.11.

Let’s start fingerprinting the different services in order to exploit it.

Fingerprinting

Then, I used Nmap to retrieve the services running:

$ nmap -sV 192.168.1.11

Starting Nmap 6.46 ( http://nmap.org ) at 2014-05-15 20:54 CEST
Nmap scan report for 192.168.1.11
Host is up (0.00037s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE VERSION
21/tcp  open   ftp     Microsoft ftpd
80/tcp  open   http    Microsoft IIS httpd 5.1
443/tcp closed https
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.35 seconds

Using Nikto as well:

...
HTTP Security Headers on top 10k Alexa websites May 13, 2014

EDIT: Added statistics of max-age option.

Hi there,

This blog post deals with HTTP Security Headers on top 10k Alexa websites. Based on this discussion on netsec, I decided to do some statistics on Alexa ranking.

To do this study, I sent an HTTP GET request and saved the headers of the HTTP response. This was done using Python.

...
Blind HQL Injection in REST API using H2 DBMS May 5, 2014

This post deals with some research I just did regarding (Blind) HQL injections with H2 as the Database Management System.

First, you should read this post, which gives some really useful information regarding HQL injections in general: HQL for pentesters.

During the assessment, I checked the API calls by using Burp as a proxy and one call was:

http://application/API/Users/?req=id=1

The output was a JSON response, such as:

[{user: "admin", id: "1", firstName:"Admin"}]

If you changed the id to the numeric value 2, and so on, it still worked.

...
BSides Slides - CSRFT Apr 29, 2014

Hey,

Just a quick post to give you the link to my slides for BSides London today: Here. Don’t hesitate if you have any feedback, or any good feature to suggest.

You can reach me on either GitHub or Twitter.

Just a few words about the conference, which was absolutely amazing. Some really great people were there, the atmosphere was good and people were really helpful.

For sure, I’ll attend it next year.

Cheers,

BWApp Write-Up Apr 21, 2014

This post contains the steps to get a root shell on the bWAPP VM.

Host discovery

As always, we need to discover where the machine is on our network. To do so, let’s use Nmap:

nmap -sP 192.168.1.1/24

Fingerprinting

After getting the IP address (192.168.1.10), we need to do some fingerprinting.

nmap -sV 192.168.1.10

Fig. Nmap scan result

A lot of services were open, such as VNC, FTP, etc.

...
Scream Write-up Apr 16, 2014

This post contains the steps to get a root shell on the Scream VM.

This VM can be found here. Have a look to find even more VMs. But before starting the report, I’d like to congratulate g0tmi1k for his awesome tool: VulnInjector.

OK, let’s do this write-up!

Host discovery

As always, we need to discover where the machine is on our network. To do so, let’s use Nmap:

nmap -sP 192.168.1.1/24

Fingerprinting

After getting the IP address (192.168.1.2), we need to do some fingerprinting.

...
Exploiting KB Vulnerable Web App 1 Write-Up Apr 15, 2014

This post contains the steps to get a root shell on the Exploit KB Vulnerable Web App 1 VM.

This VM can be found here. Have a look to find even more VMs.

Host discovery

First, we need to discover where the machine is on our network. To do so, let’s use Nmap:

nmap -sP 192.168.1.1/24

Fingerprinting

After getting the IP address, we need to do some fingerprinting.

nmap -sV 192.168.1.23

Fig. Nmap scan result

...