Aug 14, 2014

1. Check your Wifi card
Check whether your wifi card supports AccessPoint (AP) infrastructure mode
iw list
Your wifi card is good to go if the output shows something like
Supported interface modes:
   * --
   * --
   * AP
   * AP/VLAN
   * --
AP means AccessPoint (AP) infrastructure mode.

2. Install "hostapd"
The latest version was buggy when I was writing this blog, so install the version just before it and hold it from being updated.
64 Bit
wget http://archive.ubuntu.com/ubuntu/pool/universe/w/wpa/hostapd_2.1-0ubuntu1.2_amd64.deb
sudo dpkg -i hostapd*.deb
sudo apt-mark hold hostapd
32 Bit
wget http://archive.ubuntu.com/ubuntu/pool/universe/w/wpa/hostapd_2.1-0ubuntu1.2_i386.deb
sudo dpkg -i hostapd*.deb
sudo apt-mark hold hostapd

3. Install dnsmasq

apt-get install dnsmasq

4. Install ap-hotspot
Install  ap-hotspot, it's a set of scripts that helps you to easily configure the hotspot settings.
Download the .deb file from the below links and double click to install.
Ubuntu 12.04 - Click to download
Ubuntu 12.10 - Click to download
Ubuntu 13.04 - Click to download
Ubuntu 13.10 - Click to download
Ubuntu 14.04 - Click to download

5. Configure WiFi hotspot
sudo ap-hotspot configure

6. Start/Stop/Restart WiFi hotspot
sudo ap-hotspot start
sudo ap-hotspot stop
sudo ap-hotspot restart

7. Common Issues/Errors
Another process already running error
When you try to start the ap-hotspot it says 'Another process already running'
sudo ap-hotspot start
Another process is already running
To fix this issue remove hotspot.pid from /tmp
sudo rm /tmp/hotspot.pid
sudo ap-hotspot start

Hope this helps and saved your time...

Mar 10, 2014

Download the file and try the command 'strings' on it
#strings Forensics-6.png
....
....
1b|.
ya3 S
yr1bz
0bl0BchUnk    Flag :8bfe6a66710d9652e7fb10f19a75dd8e
%tEXtdate:create
2013-10-19T06:47:30+02:00
%tEXtdate:modify
2013-10-19T06:47:30+02:00
tEXtjpeg:colorspace
2,uU
 tEXtjpeg:sampling-factor
2x2,1x1,1x1I
KtEXtxapMM:DocumentID
adobe:docid:photoshop:6baf7f6c-0033-11da-9596-894fe830229dF
IEND

You got the flag 8bfe6a66710d9652e7fb10f19a75dd8e.

Download the file, extract it, and check the file details using the 'file' command
#file four
four: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x899a337216c40966fb57583c9ff45fcac0384cbb, not stripped

It says 'not stripped', so let's try the 'strings' command, but it won't give out any flag.
Let's try to execute it from terminal
#./four
Usage: ./four 

#./four abcd
Sorry no flag for you

So our next option is to de-compile it. I used IDA. The assembly code of the main function gives us a few clues on how to crack it.
 public main
.text:0804856C main proc near                      ; DATA XREF: _start+17 o
.text:0804856C
.text:0804856C arg_0= dword ptr  8
.text:0804856C arg_4= dword ptr  0Ch
.text:0804856C
.text:0804856C push    ebp
.text:0804856D mov     ebp, esp
.text:0804856F and     esp, 0FFFFFFF0h
.text:08048572 sub     esp, 10h
.text:08048575 cmp     [ebp+arg_0], 2
.text:08048579 jz      short loc_8048597
.text:0804857B mov     eax, [ebp+arg_4]
.text:0804857E mov     eax, [eax]
.text:08048580 mov     [esp+4], eax
.text:08048584 mov     dword ptr [esp], offset format ; "Usage: %s \n"
.text:0804858B call    _printf
.text:08048590 mov     eax, 1
.text:08048595 jmp     short locret_80485C8
.text:08048597 ; --------------------------------------------------------
.text:08048597
.text:08048597 loc_8048597:                          ; CODE XREF: main+D j
.text:08048597 mov     eax, [ebp+arg_4]
.text:0804859A add     eax, 4
.text:0804859D mov     eax, [eax]
.text:0804859F mov     [esp], eax
.text:080485A2 call    check_key
.text:080485A7 test    eax, eax
.text:080485A9 jnz     short loc_80485B7
.text:080485AB call    display_result
.text:080485B0 mov     eax, 0
.text:080485B5 jmp     short locret_80485C8
.text:080485B7 ; ----------------------------------------------------------
.text:080485B7
.text:080485B7 loc_80485B7:                          ; CODE XREF: main+3D j
.text:080485B7 mov     dword ptr [esp], offset s ; "Sorry no flag for you"
.text:080485BE call    _puts
.text:080485C3 mov     eax, 2
.text:080485C8
.text:080485C8 locret_80485C8:                       ; CODE XREF: main+29 j
.text:080485C8                                       ; main+49 j
.text:080485C8 leave
.text:080485C9 retn
.text:080485C9 main endp
.text:080485C9


We can see that there are calls to a few functions like 'check_key' and 'display_result'. 'check_key' is called before 'display_result'. So we can make a wild guess that the input we enter will be validated by the 'check_key' function and, if it's correct, 'display_result' will be executed and will give out the key.
So we have to get our execution to the 'display_result' function, but before that there is a 'JNZ' instruction. It may be this line that decides, based on the result from 'check_key', whether 'display_result' must run or not.
Now, while debugging, when we reach the JNZ instruction set the Zero flag to 1 so that the jump will not happen and 'display_result' will get executed.
Luckily our guess is right and we got the file

Download the file, extract it and check the file details using the command 'file'.
#file three
three: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xdcc8c235853a156ab338ea9833f4a20a713d72a8, not stripped

So it says the file is not stripped, so let's try to find the readable strings in the binary using the command 'strings'
#strings three

/lib64/ld-linux-x86-64.so.2
libc.so.6
puts
printf
strcmp
__libc_start_main
__gmon_start__
GLIBC_2.2.5
UH-P
UH-P
l$ L
t$(L
|$0H
Usage: %s 
reversing_is_super_fun
Yaay! Now submit md5 of key for points
Wrong key! Look for key again!
;*3$"

The text 'reversing_is_super_fun' looks like a flag, so let's find the md5 of that text and submit it... yeah, it works.

Download the file and extract it.
Check the file details using the command 'file'
#file two
two: compiled Java class data, version 51.0
Executing it won't help and so we will move on to de-compile it. I used an online decompiler available in this link
Upload the class file, decompile it and download the source, it will look like this.

import java.io.*;

public class challenge {
    public challenge() { }

    public static void main(String args[]) throws IOException {
        // Encoded key: each value is the real character code minus 3
        Byte abyte[] = {
            Byte.valueOf((byte)106), Byte.valueOf((byte)97), Byte.valueOf((byte)50), Byte.valueOf((byte)37),
            Byte.valueOf((byte)36), Byte.valueOf((byte)103), Byte.valueOf((byte)94), Byte.valueOf((byte)115),
            Byte.valueOf((byte)94), Byte.valueOf((byte)92), Byte.valueOf((byte)96), Byte.valueOf((byte)101),
            Byte.valueOf((byte)94), Byte.valueOf((byte)105), Byte.valueOf((byte)105), Byte.valueOf((byte)98),
            Byte.valueOf((byte)107), Byte.valueOf((byte)100), Byte.valueOf((byte)98), Byte.valueOf((byte)112),
            Byte.valueOf((byte)92), Byte.valueOf((byte)94), Byte.valueOf((byte)111), Byte.valueOf((byte)98),
            Byte.valueOf((byte)92), Byte.valueOf((byte)112), Byte.valueOf((byte)113), Byte.valueOf((byte)102),
            Byte.valueOf((byte)105), Byte.valueOf((byte)105), Byte.valueOf((byte)92), Byte.valueOf((byte)98),
            Byte.valueOf((byte)94), Byte.valueOf((byte)112), Byte.valueOf((byte)118), Byte.valueOf((byte)36),
            Byte.valueOf((byte)38)
        };
        String s = "";
        Byte abyte1[] = abyte;
        int i = abyte1.length;
        for (int j = 0; j < i; j++) {
            byte byte0 = abyte1[j].byteValue();
            // Adding 3 to each byte recovers the original character
            s = (new StringBuilder()).append(s).append((char)(byte0 + 3)).toString();
        }
        BufferedReader bufferedreader = new BufferedReader(new InputStreamReader(System.in));
        bufferedreader.readLine();
        System.exit(0);          // the program exits here ...
        System.out.println(s);   // ... so the key is never printed
    }
}

From a quick look through the code you can figure out that the key is stored in the variable 's', and that before the statement that prints out the variable 's' there is an 'exit' statement, 'System.exit(0)'.
So remove that line, and remove the 'bufferedreader.readLine()' line as well.
Compile the new code and execute it.
The output will be
md5('java_challenges_are_still_easy')
Find the md5 of the text and it will be the flag.

Download the file and extract it, and we can see the file named 'one'

Check what kind of the file it is using the command 'file'
# file one
one: python 2.7 byte-compiled

Okie let's try executing it
# python one
It gives no O/P, just reads what you give as I/P and terminates.

So we have to look inside the compiled file, and for that we have to de-compile it. Download the tool uncompyle2 [only for python2.7] and install it. Run uncompyle2 on our file
#uncompyle2 one

# 2014.02.28 10:34:22 IST
#Embedded file name: one.py
eflag = [131, 138, 219, 198, 201, 158, 151, 154, 134, 129, 128, 177, 135, 157, 177, 157, 154, 135, 130, 130, 177, 141, 
 129,
 129,
 130,
 201,
 199]
flag = ''.join(map(chr, map(lambda x: x ^ 238, eflag)))
raw_input()
+++ okay decompyling one 
# decompiled 1 files: 1 okay, 0 failed, 0 verify failed
# 2014.02.28 10:34:22 IST

So they are doing some operation and getting the flag in variable 'flag'. Copy the code and modify it to output the flag, that is add the line print(flag) to the end before 'raw_input()'  and execute the new python code.
The output is
md5('python_is_still_cool')
Find the md5 and it's the flag.
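Both the Java challenge ('two') and the Python challenge ('one') hide the key behind a single-byte transform (add 3, XOR 238). The sketch below is an added example, not code from either challenge: it recovers the transform and key from the byte arrays alone by trying every single-byte key and keeping the printable outputs that contain the known prefix "md5(", which shows why this kind of obfuscation gives an embedded secret no protection. The function names are made up for the illustration.

```python
import hashlib
import re
import string

# Byte arrays copied from the two decompiled listings above.
JAVA_BYTES = [106, 97, 50, 37, 36, 103, 94, 115, 94, 92, 96, 101, 94, 105,
              105, 98, 107, 100, 98, 112, 92, 94, 111, 98, 92, 112, 113, 102,
              105, 105, 92, 98, 94, 112, 118, 36, 38]
PY_BYTES = [131, 138, 219, 198, 201, 158, 151, 154, 134, 129, 128, 177, 135,
            157, 177, 157, 154, 135, 130, 130, 177, 141, 129, 129, 130, 201,
            199]

# Printable ASCII without control whitespace (space is kept).
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

# The two single-byte transforms seen on this page.
TRANSFORMS = {
    "xor": lambda b, k: b ^ k,
    "add": lambda b, k: (b + k) & 0xFF,
}


def candidates(data, crib=b""):
    """Return (transform, key, plaintext) for every single-byte key whose
    output is fully printable and contains the known-plaintext crib."""
    results = []
    for name, fn in TRANSFORMS.items():
        for key in range(256):
            out = bytes(fn(b, key) for b in data)
            if all(c in PRINTABLE for c in out) and crib in out:
                results.append((name, key, out.decode("ascii")))
    return results


def submit_value(plaintext):
    """The decoded text has the form md5('...'); return the md5 hex digest
    of the inner string, or None if the text does not have that form."""
    m = re.fullmatch(r"md5\('(.*)'\)", plaintext)
    if m is None:
        return None
    return hashlib.md5(m.group(1).encode()).hexdigest()


if __name__ == "__main__":
    for label, data in (("two (Java)", JAVA_BYTES), ("one (Python)", PY_BYTES)):
        for name, key, text in candidates(data, crib=b"md5("):
            print(label, name, key, text, submit_value(text))
```
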
Task
A login form is there, with fields to enter 'username' and 'password'; we have to log in somehow.

Solution
First let's have a look at the source by clicking the link 'source'
<?php
include 'foo.php';
$user = $_POST['username'];
$pass = $_POST['password'];
if( !strcasecmp($user, "admin") && !strcasecmp($pass, $secret)) {
    echo"<h1>$flag</h1>";
}
else { 
    echo"<h1>No flag for n00bs..</h1>";
}
?>

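So we can see the username is obviously 'admin', but the password is stored in the variable '$secret', which must be in the file 'foo.php', and which we have no way to figure out.

Our next option is to look for vulnerabilities in the function 'strcasecmp()'. A quick googling will reveal that 'strcasecmp()' has a vulnerability: when we pass an array to the function, the check returns true. (In PHP versions before 8, strcasecmp() given an array returns NULL with a warning instead of an integer, and !NULL evaluates to true.) Rejecting non-string input, for example with is_string(), before the comparison closes this hole.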

Let's edit the source of the login page and pass array to 'strcasecmp()'. In login page change the below line using 'Firebug' in Firefox or 'Developers tool' in Chrome.
<input name="password" placeholder="Password" type="password">
to the below
<input name="password[]" placeholder="Password" type="password">

And now click login and you will get the flag{fb1186d3dfd25773d51964cf0d62d302}.

Feb 28, 2014

IDA is a powerful debugger/disassembler; you can read more in this link

The main road block for the installation is that IDA is a 32 bit application and so expects 32 bit libraries.
But your system being 64 bit will only have 64 bit libraries and so you have to install the 32 bit variant of the libraries that IDA requires.

I will walk you through the install steps.

Step 1: Download
Download the IDA files[link], of course it's a paid software and you can get only the demo version.

Step 2: Unzip
Unzip the files and try to run the executable 'idaq'
# ./idaq
and if your Ubuntu is 64 bit something similar may show up
./idaq: error while loading shared libraries: libgthread-2.0.so.0: cannot open shared object file: No such file or directory

Step 3: Install 32 bit libraries
So you have to install the 32 bit libraries, 64 bit version will be already present on your system by default.
Find the package that has libgthread-2.0.so.0
# dpkg -S libgthread-2.0.so.0
libglib2.0-0:amd64: /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.0
The package name is 'libglib2.0-0:amd64', so the 32 bit package will be 'libglib2.0-0:i386'.
Install the package 'libglib2.0-0:i386'
#apt-get install libglib2.0-0:i386
Before trying to run IDA again you can find out all the libraries that are not found in the system using the below command
#ldd idaq | grep found

After installing all the missing libraries you can run IDA again [./idaq]

Feb 25, 2014

If you want to reset your MySQL root password, follow the simple steps below.

Stop MySQL server
# service mysql stop
Start the MySQL server with the option --skip-grant-tables, i.e. permissions are not loaded, and so disable networking with --skip-networking
# /usr/sbin/mysqld --skip-grant-tables --skip-networking &
Now login to the mysql shell as root user, and no password
# mysql -u root
The user passwords are in the password column of the table mysql.user; update them
mysql>use mysql;
mysql>update user set password=password('inctfmysql') where user='root';
Now give the below command to commit the changes
mysql>flush privileges;
Restart the MySQL server
# service mysql restart

Feb 9, 2014

My Server
OS:Ubuntu 12.04
IP: 192.168.56.100

My Client
OS:Ubuntu 13.04
IP: 192.168.56.101

Task
Block the ping requests from client to server, so that when the client pings the server, the client does not get any reply.

Solution
Add the below rule to the iptables of the server
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -s 192.168.56.101 -j DROP

You have to specify the icmp-type as echo-request; otherwise the outgoing ping from server to client will also get blocked, because when you ping the client from the server the following happens:
:-An ICMP echo-request is sent to the client
:-An ICMP echo-reply is sent back from the client to the server (this gets dropped if no icmp-type is specified)

Save rules in iptables permanently
If you give iptables-save, the rules will be saved for the current session but will be gone once you reboot your machine. To save them permanently:

  • Open '/etc/network/interfaces' file

vim /etc/network/interfaces

  • Append the below line along with your eth0 directives:

post-up /sbin/iptables-restore < /etc/iptables-up.rules

  • Now save the current iptable rules to '/etc/iptables-up.rules'

iptables-save > /etc/iptables-up.rules

About the flags used in the rule
-A: Append with the existing rules
-i: In interface name
-o: Out interface name
-p: protocol
-s: Source IP Address
-d: Destination IP Address
-j: Jump target -> what to do when a packet that satisfies this rule comes in (e.g. ACCEPT, DROP, QUEUE, RETURN or the name of a user-specified chain)

Built in chain Names:
FORWARD:-For packets routed through the box
INPUT:-For packets coming into the box
OUTPUT:- For altering the locally generated packets before routing

Feb 6, 2014

Backup and Restore operation in MySQL Server.

Some handy MySQL tips before we move on:

How to log into mysql shell ?
Type the below command in the terminal
mysql --user=username --password=password

Know the version of my MySQL server ?
After you log in to mysql shell check out the first few lines, it will have the server version.

See all databases in mysql ?
From the mysql shell, type the command 'show databases'.
mysql> show databases;

Set a database as working or current database ?
From the mysql shell, type the command 'use database_name'
mysql> use database_name;

See all the tables in my current selected database ?
From the mysql shell, type the command 'show tables'
mysql> show tables;

How to take BackUp

To take back up of all databases
Type the below in your terminal
mysqldump --user=username --password=password --all-databases > alldbbck.sql

To take back up of a single database
Give the below command from your terminal
mysqldump --databases db1 > dump.sql
mysqldump  db1 > dump.sql

If we use '--databases' then the dump.sql will have 'CREATE DATABASE db1' and 'USE db1' statements, so while restoring this script you need not specify the target database name for recreation of tables, MySQL will create the database for you.

To take back up of multiple databases
Use the below command
mysqldump --databases db1 db2 db3 > dump.sql

How to Restore

If the dump script has 'CREATE DATABASE' and 'USE' statements (i.e. it was created using the --all-databases or --databases option), then it's not necessary to specify a database in which the backup is to be restored.
Fire the below command from your terminal:
mysql --user=username --password=password < dump.sql

MySQL will create the database for you as your script already have the 'CREATE DATABASE' statement.

Otherwise specify an existing database as destination database
mysql --user=username --password=password dump < dump.sql

This post covered the most basic steps for backup and restore, a shot for the jump in guys..
Happy Hacking !!

Harden MySQL installation was a task in InCTF 2014 learning round. Below are the steps I used to harden MySQL installation on my Ubuntu 13.04 box.

Basic MySQL installation
sudo apt-get install mysql-server

Securing MySQL
Type the below command to start the secure setup script
sudo /usr/bin/mysql_secure_installation

This will launch the secure installation script

Setting root password:
If you had not set the root password at the time of installation, the system asks you to set it now. I had already set the root password, so I'm skipping.

Remove anonymous users:
By default MySQL has an anonymous login with no password, so remove it.

Disallow remote root login:
This makes sure that no one can brute-force or guess your root user password and remotely log in to your database server.

Remove default 'test' database:
MySQL is shipped with a default 'test' database that anyone can access, it's purely only for testing and should be removed.

Reload the privileges table:
To make all the changes reflect reload the privileges table.

Here are the 10 steps I did to harden apache2 server on my Ubuntu 13.04 box
Securing apache2 was a task in learning round 1 of InCTF '14.

Step 1 Disable Directory Listing

Directory Listing: If there is no "index" file in a directory of your website and you give the URL of that directory in the browser, it will list out the files in that directory. Directory listing will look like this


To disable directory listing:
Open file /etc/apache2/sites-available/000-default.conf
 
sudo vim /etc/apache2/sites-available/000-default.conf 

Find the line having the path of your website and change the Indexes in Options to -Indexes
    <Directory /var/www/php>
    Options -Indexes
    Order allow,deny
    Allow from all
    </Directory>

Step 2 Prevent Server Information leakage

Version details of the Apache server and the operating system are shown by default in error pages, directory listings and the HTTP request header. This is a security threat, as an attacker can figure out from the version details which kind of attack to use. See the server and port details beneath the directory listing above.
To disable this information leakage:

Open the file "/etc/apache2/conf-available/security.conf"
sudo vim /etc/apache2/conf-available/security.conf

Set "ServerSignature Off" and "ServerTokens Prod"
ServerSignature Off
ServerTokens Prod

Restart Apache server
sudo service apache2 restart

Step 3 Run Apache as separate User and Group

First find out under which user Apache server is running:

ps -aux | grep --color apache2

The first column shows the user under which the Apache process is running; if you had just plainly installed apache2, the user must be 'root' or 'www-data'.
Wondering what this 'www-data' is? The 'www-data' account can be used if you want php to be able to edit the contents of that file/folder.

We have to change the user running Apache to a low-privileged one. If the user 'Nobody' is the one that is coming to your mind, don't give in to it, because there will be many other processes running under the 'Nobody' user, as it's the default daemon process account in a Linux system.
If an attacker somehow compromises your Apache server, he will also get access to all those other processes. So it's always better to run a process under a separate low-privilege account; here we will create an 'apache2' account.

Create a new group apache2
groupadd apache2

Create a new user apache2
useradd -d /var/www/ -g apache2 -s /usr/sbin/nologin apache2
-d: home directory
-g: the group name or number of the user's initial login group
-s: the name of the user's login shell [/usr/sbin/nologin = login disabled]

Open /etc/apache2/envvars
sudo vim /etc/apache2/envvars

Change  export APACHE_RUN_USER and export APACHE_RUN_GROUP
export APACHE_RUN_USER=apache2
export APACHE_RUN_GROUP=apache2

Now restart [reboot may be needed] and check the user under which Apache is running.

Step 4 Use mod_security and mod_evasive modules

mod_security is a web application firewall that can do HTTP traffic logging for a particular web application, real-time monitoring and attack detection, attack prevention, just-in-time patching, etc. For more details check out the mod_security project website here.

mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and more. mod_evasive presently reports abuse via email and syslog facilities. 

mod_security Installation

Install mod_security package
sudo apt-get install libapache2-modsecurity

Enable mod_security module within the apache2 configuration
sudo a2enmod mod-security

Verify it's enabled or not
apachectl -M | grep --color security

You should see a module named security2_module (shared) which indicates that the module was loaded.

mod_evasive Installation
sudo apt-get install libapache2-mod-evasive

Create log file directory for mod_evasive
sudo mkdir /var/log/mod_evasive/
sudo chown apache2:apache2 /var/log/mod_evasive/

Create mod-evasive.conf file and configure ModEvasive
sudo vi /etc/apache2/mods-available/mod-evasive.conf

Add the below to mod-evasive.conf
<IfModule mod_evasive20.c>
   DOSHashTableSize 3097
   DOSPageCount  2
   DOSSiteCount  50
   DOSPageInterval 1
   DOSSiteInterval  1
   DOSBlockingPeriod  10
   DOSLogDir   /var/log/mod_evasive
   DOSEmailNotify  EMAIL@DOMAIN.com
   DOSWhitelist   127.0.0.1
</IfModule>

Check if ModEvasive is enabled and restart Apache.
sudo a2enmod mod-evasive
service apache2 restart
apache2ctl -M | grep --color evasive

Step 5 Turn off Server Side Includes and CGI Execution

If server side includes / CGI execution are not required in your website then disable them, because shell code can be executed on the server through a poorly designed website.

In the file '/etc/apache2/sites-available/default' change or add 'Options -Includes' and 'Options -ExecCGI' in your website section.

Step 6 File permissions

Your website root directory may have files that hold sensitive information, so remove write permission from those files, so that the data cannot be modified through the website or by using the website in any manner.

Permission bits: Read = 4, Write = 2, Execute = 1
So if you split the octal permission 745 into 3 sections, user, group and world, you have the following permissions.
User = 7 (4+2+1 or RWX)
Group = 4 (4 or R)
Others = 5 (4+1 or RX)
Permission to sensitive file can be modified using the below command
chmod 745 sensitive_file.txt

Step 7 File/Folder Ownership

One should never run any files in the apache directory with root permission.
To change the ownership to the apache2 user and apache2 group use the below command
chown apache2:apache2 -R /var/www/

Step 8 Use Allow and Deny to Restrict access to Directories

We can restrict access to directories with “Allow” and “Deny” options in '/etc/apache2/sites-available/default'. Secure the root directory using the below settings.
<Directory />
   Options None
   Order deny,allow
   Deny from all
</Directory>

Order is one of the below:[more details here]
Allow,Deny
First, all Allow directives are evaluated; at least one must match, or the request is rejected. Next, all Deny directives are evaluated. If any matches, the request is rejected. Last, any requests which do not match an Allow or a Deny directive are denied by default.

Deny,Allow
First, all Deny directives are evaluated; if any match, the request is denied unless it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.

Step 9 Disable unwanted HTTP methods

Disable unwanted, potentially risky HTTP/1.1 methods. Usually a web application just needs the GET, HEAD and POST request methods, which can be configured in the respective Directory directive.
<Directory /var/www/php/ >
  <LimitExcept GET POST >
 deny from all
  </LimitExcept>
</Directory>

Restrictions applied to GET will also apply to HEAD; therefore, if GET is unrestricted, HEAD will also be unrestricted.
The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response.
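To check that the settings from Steps 1, 2, 5 and 9 are really in place after editing, a small audit script can read the configuration and report what is still weak. This is an added example, not part of the original steps: both configuration samples are constructed for the illustration, and the function name audit() and the finding messages are made up.

```python
# Constructed sample: a site before Steps 1, 2, 5 and 9 were applied.
WEAK_CONF = """\
ServerTokens OS
ServerSignature On
<Directory /var/www/php>
    Options Indexes FollowSymLinks Includes ExecCGI
    Order allow,deny
    Allow from all
</Directory>
"""

# Constructed sample: the same site with the settings from the steps above.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
<Directory /var/www/php>
    Options -Indexes -Includes -ExecCGI
    <LimitExcept GET POST>
        deny from all
    </LimitExcept>
</Directory>
"""

# Options that the steps above tell you to switch off.
RISKY_OPTIONS = {"indexes": "Step 1", "includes": "Step 5", "execcgi": "Step 5"}


def audit(conf_text):
    """Return sorted (scope, step, message) findings for one config text."""
    findings = set()
    tokens, signature = "full", "off"   # Apache's built-in defaults when unset
    directory, in_limit, has_limit, denies_all = None, False, False, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        key = words[0].lower()
        if key == "<directory":
            directory = line[len(words[0]):].strip(" >")
            has_limit = denies_all = False
        elif key.startswith("</directory"):
            # A block that denies everyone needs no per-method restriction.
            if not (has_limit or denies_all):
                findings.add((directory or "global", "Step 9",
                              "no <LimitExcept> restricting HTTP methods"))
            directory = None
        elif key.startswith("<limitexcept"):
            in_limit = has_limit = True
        elif key.startswith("</limitexcept"):
            in_limit = False
        elif " ".join(words).lower() == "deny from all" and not in_limit:
            denies_all = True
        elif key == "options":
            for opt in words[1:]:
                if opt.startswith("-"):
                    continue                      # explicitly disabled
                name = opt.lstrip("+").lower()
                enabled = list(RISKY_OPTIONS) if name == "all" else [name]
                for n in enabled:
                    if n in RISKY_OPTIONS:
                        findings.add((directory or "global", RISKY_OPTIONS[n],
                                      "Options enables " + n))
        elif key == "servertokens" and len(words) > 1:
            tokens = words[1].lower()
        elif key == "serversignature" and len(words) > 1:
            signature = words[1].lower()
    if tokens != "prod":
        findings.add(("global", "Step 2", "ServerTokens is not Prod"))
    if signature != "off":
        findings.add(("global", "Step 2", "ServerSignature is not Off"))
    return sorted(findings)


if __name__ == "__main__":
    for scope, step, message in audit(WEAK_CONF):
        print(scope, step, message)
```
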

Step 10 Keep Apache Server updated

In Ubuntu you can trigger the system update process from the Software updater, which will have the Apache updates also.