Sunday, March 27, 2016

VolgaCTF 2016 - Optional Cats WriteUp

The Challenge:

Optional Cats - Web 150 Points

Our agent has found out that GAI loves animals. It has created a banner network to support animal welfare organizations.
Reveal its secrets!

The Solution:


This was a fun challenge to tackle! Going to the provided link simply yields a site with an input box for a domain.



Testing a few domains, it seems that a valid domain must be entered. This already makes me think that a lookup is involved, perhaps a "dig" against the target. To test this theory I submit the invalid domain "swag" and receive an error:

"We cannot verify your host!"

Repeating the submission with a semicolon in front, ";swag", seems to work and moves on to the next page:


This is a good sign! It means that I see Remote Command Execution in the future :) If the semicolon terminates the "dig" command, then there is a good chance we can exploit this. The next step is to obtain the output of the command.
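The root cause the writeup is describing is user input spliced into a shell command line, where ";" ends the dig command and starts a new one. The following is an added example (not code from the challenge or the post) that puts the vulnerable pattern beside two hardened forms: quoting the value with shlex.quote for code that must keep a shell, and the preferred fix of allow-listing the hostname syntax and passing it as a single argv element so no shell parses it. All function names are hypothetical; the error string is taken from the challenge's own message.

```python
import re
import shlex
import subprocess

# RFC 1123 label: 1-63 letters, digits or hyphens, with no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Allow-list check: only a syntactically valid DNS name passes."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def unsafe_lookup_cmd(domain: str) -> str:
    """The vulnerable pattern: untrusted input concatenated into a shell command.
    Returned as a string only to show what the shell would receive."""
    return "dig " + domain


def quoted_lookup_cmd(domain: str) -> str:
    """Partial mitigation for code that must keep shell=True: shlex.quote turns
    the whole value into one literal word, so ';' no longer ends the command."""
    return "dig " + shlex.quote(domain)


def safe_lookup_argv(domain: str) -> list:
    """Preferred fix: validate against the allow-list, then pass the value as a
    single argv element so no shell ever parses it."""
    if not is_valid_hostname(domain):
        raise ValueError("We cannot verify your host!")
    return ["dig", "+short", domain]


def rejects(domain: str) -> bool:
    """True when the hardened path refuses the input."""
    try:
        safe_lookup_argv(domain)
    except ValueError:
        return True
    return False


def lookup(domain: str, timeout: float = 5.0) -> str:
    """Run the hardened lookup (needs dig and network access; not exercised offline)."""
    proc = subprocess.run(safe_lookup_argv(domain), capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout


if __name__ == "__main__":
    for candidate in ("google.com", ";swag", ";ls;", ";cat flag.txt"):
        verdict = "rejected" if rejects(candidate) else safe_lookup_argv(candidate)
        print(repr(candidate), "| shell string:", repr(unsafe_lookup_cmd(candidate)),
              "| hardened:", verdict)
```

Note that quoting alone still lets arbitrary text reach dig as an argument; the allow-list plus argv form is the check to rely on, and it is also what turns the challenge's inputs into the "We cannot verify your host!" error before anything executes.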

The returned script code references /js/plugin.js , so a quick navigation returns the content of this script:

(function(e, c) {
    // Banner loader: polls /nextBanner every 3 seconds, sending the user id in a custom header.
    var d = function(a, b) { this.element = a; this.id = b; this.init(); };
    d.prototype.init = function() {
        this.loadImg();
        this.interval = setInterval(this.loadImg.bind(this), 3E3);
    };
    d.prototype.loadImg = function() {
        var a = new XMLHttpRequest;
        a.open("GET", "http://optcat.2016.volgactf.ru:8080/nextBanner?domain=" + c.location.hostname);
        a.setRequestHeader("X-USER-ID", this.id);
        a.responseType = "blob";
        a.onload = function(b) {
            // Turn the returned blob into an object URL and show it in the <img>.
            b = (c.URL || c.webkitURL).createObjectURL(a.response);
            this.element.attr("src", b);
        }.bind(this);
        a.onerror = function() { clearInterval(this.interval); }.bind(this);
        a.send();
    };
    e.fn.catbanner = function(a) {
        return this.each(function() {
            var b = e(this), c = new d(b, a);
            b.data("stickyInstance", c);
        });
    };
})($, window);
$(document).ready(function() { $("#cat").catbanner(1); });
Awesome, so it looks like this script is using an XMLHttpRequest in the background to retrieve /nextBanner?domain= along with a custom header "X-USER-ID".

I played around with this custom header for a while, as well as with various values for domain. After a lot of testing I came to the conclusion that the domain value must already exist in the database, i.e. we must have submitted this domain previously. Still, we must get more verbose output from the server if we are to successfully grab this flag.

Finally I replay the request in Burp Suite, but using the HTTP method "OPTIONS" in an attempt to get some more information. Lo and behold, it returns the ever-generous header "X-DEBUG-ANSWER:" along with some juicy details of a dig output.
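The leak here is a debug response header that only shows up on an unusual method. Since the banner script makes a cross-origin request with a custom header, the browser will legitimately send OPTIONS preflights, so blocking the method is not the fix; the fix is to make sure debug headers never leave the server regardless of method. The following is an added example (not the challenge's code) of a small WSGI middleware that strips any X-DEBUG-* response header, exercised against a constructed stand-in application that reproduces the leak. Names such as NoDebugHeaders and leaky_app are hypothetical.

```python
from wsgiref.util import setup_testing_defaults

DEBUG_PREFIXES = ("x-debug-",)


def strip_debug_headers(headers):
    """Return the response header list without any X-DEBUG-* entries."""
    return [(k, v) for k, v in headers if not k.lower().startswith(DEBUG_PREFIXES)]


def has_debug_header(headers):
    """True if any header in the list starts with X-DEBUG- (case-insensitive)."""
    return any(k.lower().startswith(DEBUG_PREFIXES) for k, _ in headers)


class NoDebugHeaders:
    """WSGI middleware: filters debug headers out of every response, whatever the method."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def guarded_start_response(status, headers, exc_info=None):
            return start_response(status, strip_debug_headers(headers), exc_info)
        return self.app(environ, guarded_start_response)


def leaky_app(environ, start_response):
    """Constructed stand-in for the challenge server: OPTIONS answers carry a debug header."""
    headers = [("Content-Type", "text/plain")]
    if environ["REQUEST_METHOD"] == "OPTIONS":
        headers.append(("Allow", "GET, OPTIONS"))
        # Constructed value in the same URL-encoded style as the leaked header.
        headers.append(("X-DEBUG-ANSWER", "Server:+192.0.2.53%0AAddress:+192.0.2.53%2353"))
    start_response("200 OK", headers)
    return [b"ok"]


def call(app, method="GET", path="/nextBanner"):
    """Drive a WSGI app in-process and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for app_name, app in (("unguarded", leaky_app), ("guarded", NoDebugHeaders(leaky_app))):
        status, headers, body = call(app, "OPTIONS")
        print(app_name, status, headers, body)
```

Wrapping the application this way keeps the Allow header and the body intact while guaranteeing that a debug header added anywhere in the handler chain is dropped before the response is written; a unit test that asserts has_debug_header() is false for every method is the check to keep in CI.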


The header contents URL-Decoded:

Server: 188.93.16.19
Address: 188.93.16.19#53
Non-authoritative+answer:
Name: google.com
Address:+64.233.161.101
Name: google.com
Address:+64.233.161.113
Name: google.com
Address:+64.233.161.102
Name: google.com
Address:+64.233.161.100
Name: google.com
Address:+64.233.161.138
Name: google.com
Address:+64.233.161.139
Hi
nobody:~$+nobody:~$ 
That's it :D That's the verbosity we needed. The final steps are to test the RCE hypothesis by submitting the domain ";ls;" on the homepage, then to check the output using our OPTIONS header trick.

The URL Decoded content of the debug header with this new domain:

banners
cats.mv.db
flag.txt
naughty-options-1.0-SNAPSHOT-standalone.jar
public
Hi
nobody:~$+nobody:~$
Last but not least, we repeat this process with the domain ";cat flag.txt" and use the OPTIONS method to request ";cat+flag.txt".

URL decoding the contents of the resulting debug header reveals our flag :)
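From the defender's side, every step of this exploitation leaves a trace in the web server's access log: the submitted domain value, URL-encoded, with shell metacharacters in it. The following is an added example (not part of the writeup) of detection logic over constructed combined-format log lines: it URL-decodes each query parameter and flags any value containing characters a shell treats specially, then counts findings per source address. The sample lines, the regex and the function names are all mine, not the challenge's.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx combined log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Characters a shell treats specially; a hostname never legitimately contains them.
SHELL_META = set(";|&$`\n<>(){}")

# Constructed sample log: one benign submission followed by the kind of inputs the writeup used.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Mar/2016:10:00:01 +0000] "POST /?domain=google.com HTTP/1.1" 302 0
203.0.113.7 - - [27/Mar/2016:10:00:09 +0000] "POST /?domain=%3Bswag HTTP/1.1" 302 0
203.0.113.7 - - [27/Mar/2016:10:00:15 +0000] "OPTIONS /nextBanner?domain=%3Bls%3B HTTP/1.1" 200 0
203.0.113.7 - - [27/Mar/2016:10:01:02 +0000] "OPTIONS /nextBanner?domain=%3Bcat+flag.txt HTTP/1.1" 200 0
"""


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return (name, decoded value) pairs whose decoded value contains shell metacharacters."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl percent-decodes and turns '+' into a space, so %3Bcat+flag.txt becomes ';cat flag.txt'.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if SHELL_META & set(value):
            hits.append((name, value))
    return hits


def scan(log_text):
    """Return (findings, per_source): each finding is (ip, method, param, decoded value)."""
    findings = []
    per_source = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for name, value in suspicious_params(rec["target"]):
            findings.append((rec["ip"], rec["method"], name, value))
            per_source[rec["ip"]] += 1
    return findings, per_source


if __name__ == "__main__":
    findings, per_source = scan(SAMPLE_LOG)
    for f in findings:
        print("suspicious:", f)
    print("per source:", dict(per_source))
```

Decoding before matching matters: the raw log shows "%3Bls%3B", which a naive grep for ";" would miss. Pairing this with the OPTIONS method on an endpoint the browser would only preflight is a second, weaker signal; on its own the method is normal CORS traffic.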

Sunday, March 20, 2016

My Modern Honeypot Network


Recently I have been struggling to find a steady stream of fresh malware samples to play with. Originally I had an educational research agreement with VirusTotal to gain access to their awesome Intelligence community which allows me to create my own YARA rules for catching samples. Unfortunately, this contract has expired and I do not foresee a new one any time soon.

That said, I decided it was about time I go hunting for my own samples...well...more like let the samples come to me. I took it upon myself to set up my own small honeypot network on a couple of EC2 instances (Thanks Amazon for the free credit :D ). On these instances I have deployed the Modern Honeypot Network to help manage my fake services.

My Sensors

Being new to running my own honeypots, I decided to get as much bang for my buck as I could on my two EC2 instances. One instance is running as my MHN Master while the other is my MHN slave with multiple sensors and services deployed, ready to log malicious traffic. A quick overview of my setup via the MHN admin UI is below:



As you can see I'm running quite a few services: p0f, Kippo, Glastopf, Snort, and Dionaea. Aside from Kippo, this is my first experience using any of these honeypot services, but MHN makes it super easy to deploy them as sensors by offering scripts to handle the setup and configuration for you. After that just a few tweaks are needed to make sure the sensors are relaying all of the logging information to the Master server properly.

The Results

Within MINUTES of deploying my sensors I was raking in the attack logs. Isn't the wild internet great? I was very impressed with the results and speed. It's been about two days now and I have decided to share an overview of the attacks so far.


As you can see, the attacks are plentiful: in just the last 24 hours I have eaten 480 hits. What's nice about MHN is that it aggregates all of the relevant information onto a single dashboard. It even allows for easy viewing of payload information such as Snort triggers and GET requests:


My final favorite feature of MHN is the Kippo graph reports. Kippo is simply an SSH honeypot that logs attempted logins and attacks. What's nice about MHN is that it will give a quick overview of the top attacker IPs and user:password combinations.



Conclusion

While I have not yet captured any actual malware binaries (Dionaea's capture feature), I have already learned quite a bit, not only about running my own honeypots but also about the nature of internet attacks in the wild. It's only been a few days, but I am already starting to see a pattern in attack times and spikes in traffic that seems to hint at botnets carrying out the majority of these attacks. If this is the case then it is quite clear that malicious actors are leveraging their infected zombies as spreaders, essentially a botnet internet worm. In time I hope to gather more information from this new setup and perhaps even build analysis charts with Kibana and Elasticsearch to confirm my hypothesis.
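The two things this post wants out of the data, the Kippo report of top attacker IPs and user:password combinations, and the hourly pattern in attack timing that the conclusion speculates about, come from the same log lines. The following is an added example (not MHN's code or the author's) that aggregates both from Kippo-style login-attempt lines. The sample lines are constructed in the shape of Kippo's "login attempt [user/password] failed" records with documentation-range addresses; the regex and function names are assumptions of this example.

```python
import re
from collections import Counter

# Kippo-style line: "<timestamp> [SSHService ssh-userauth on HoneyPotTransport,<n>,<ip>] login attempt [<user>/<pw>] <result>"
KIPPO_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\S* "
    r"\[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>failed|succeeded)$"
)

# Constructed sample in Kippo's format (addresses from RFC 5737 documentation ranges).
SAMPLE_KIPPO = """\
2016-03-20 02:11:05+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [root/123456] failed
2016-03-20 02:11:07+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [root/password] failed
2016-03-20 02:11:09+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.23] login attempt [admin/admin] failed
2016-03-20 02:40:31+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.44] login attempt [root/123456] failed
2016-03-20 14:05:12+0000 [SSHService ssh-userauth on HoneyPotTransport,4,192.0.2.9] login attempt [root/123456] succeeded
2016-03-20 14:05:40+0000 [SSHService ssh-userauth on HoneyPotTransport,5,203.0.113.44] login attempt [root/toor] failed
"""


def parse_kippo(text):
    """Return one dict per login-attempt line; lines in other formats are skipped."""
    records = []
    for line in text.splitlines():
        m = KIPPO_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize(records, n=3):
    """Top attacker IPs, top user:password pairs, attempts per hour, and any successes."""
    ips = Counter(r["ip"] for r in records)
    creds = Counter(f'{r["user"]}/{r["password"]}' for r in records)
    # Bucket by "YYYY-MM-DD HH" to expose the spikes the dashboard graphs show.
    hourly = Counter(r["ts"][:13] for r in records)
    successes = [(r["ip"], f'{r["user"]}/{r["password"]}') for r in records
                 if r["result"] == "succeeded"]
    return {
        "top_ips": ips.most_common(n),
        "top_creds": creds.most_common(n),
        "hourly": hourly,
        "successes": successes,
    }


if __name__ == "__main__":
    report = summarize(parse_kippo(SAMPLE_KIPPO))
    for key, value in report.items():
        print(key, value)
```

On real data the hourly buckets are what to watch: a credential list replayed by many different sources inside the same few minutes is the signature the conclusion is reaching for, and the successes list tells you which sessions Kippo went on to record.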

Godspeed.