Posts

flaws.cloud - Level 1

6 minute read Published:

flAWS.cloud is a set of CTF-like challenges that teach you common security issues in AWS accounts. This post is the first of a series of walkthroughs for these challenges. It's basically a short writeup on how to solve level 1, followed by a brief explanation of the AWS configuration that leads to this flaw and how to mitigate it. Before reading, go [here](http://flaws.cloud/) and try yourself first! ;)
Adoption of cloud computing is rising rapidly. Studies predict it will soon surpass on-premises hosting also for enterprise workloads. Large corporates are hesitant mostly due to security concerns, which are partly of more general nature (“uploading data to the cloud”), but also due to the myriad of cloud security failures you read about every day in the news. For example, many companies misconfigure AWS S3 bucket permissions and leave sensitive data unprotected.

Steganography challenge - The Book of Secrets

10 minute read Published:

A small steganography challenge illustrating basic tricks used to hide data inside images. This post introduces the challenge, walks you through the soliution, and ends by describing how the challenge was created. The solution involves some basic JPG image screening, hexedit surgery, and password cracking with custom wordlists.
Steganography is the practice of hiding information inside other media like images, audio or video files, text, or pretty much anything else. It is different from encryption in that it aims not at making information unreadable but at concealing the very fact that it is there. Steganography and steganalysis (detection of steganography) are long-standing fields of research. Overviews of the field can be found, e.g., in Subhedar/Mankar (2014) or ZieliƄska/Mazurczyk/Szczypiorski (2014).

Hack The Box Write-up - SolidState

12 minute read Published:

Write-up for the machine SolidState from Hack The Box. Requires thorough port scanning to find an esoteric telnet admin interface of the Apache James email server. With default root credentials, you become James admin and break into people's email inboxes. Inside, you find SSH credentials, bypass a restricted shell and finally find an insecure cron job to escalate to root.
This is my second write-up for a machine from Hack The Box. It is again a rather easy one but still lots of fun. Lots of opportunities to do some oldschool telnet work on email servers. It starts with port scanning and illustrates the importance of scanning also more unpopular ports. After finding the email server with default credentials, you must use your administrator power to get code execution. Once on the box, all you have to do is finding an insecure cron job and you are root.

Hack The Box Write-up - Calamity

10 minute read Published:

Write-up for the Hack The Box machine called Calamity. Involves basic enumeration, finding a way into a hidden admin panel of the webserver, injecting PHP code after getting past the login, evading an intrusion detection system, recovering an SSH password hidden inside audio files and finally using LXD/LXD to exploit a user administration mistake to get root.
Hack The Box is a new company offering lab servers you can test penetration testing techniques on. It is quite educative and a lot of fun. They have multiple machines and all follow a similar pattern. You start with an IP address, have to find a way to get code execution on the machine (usually as an unprivileged user) and have to escalate from there to root. This post is about one of the machines called calamity.

4 minute read Published:

Level 1 Explore the application Submit a valid PIN. IMG 01 Submit invalid PIN -> you get a Javascript error (client-side). What will the server do if you submit this? IMG 02 Do do that quickly, locate the validation. Check out the page (curl http://level1.flaws2.cloud/index.htm), it is just inline JS: <!DOCTYPE html> <html lang="en"> ... <body> ... <script type="text/javascript"> function validateForm() { var code = document.forms["myForm"]["code"].value; if (!(!isNaN(parseFloat(code)) && isFinite(code))) { alert("Code must be a number"); return false; } } </script> .

6 minute read Published:

Level 2 Now we have a container-based application running at container.target.flaws2.cloud. The hint is that the repository containing its image is called “level2”. Note: you will need your own AWS account to give yourself access to ECR. Explore the application We go to container.target.flaws2.cloud with a browser and all we get is a basic auth prompt. Let’s just assume it is uncrackable. IMG 01 Checking out the details we can see it is hosted on Ubuntu, with nginx 1.

5 minute read Published:

Level 3 Exploring the proxy We can use the proxy to request more or less any website (HTTP only). Confirm with icanhazip.com, which reflects the requesters IP. For the proxy it is “3.85.224.200”: [email protected]:/# curl -i http://container.target.flaws2.cloud/proxy/http://icanhazip.com/ HTTP/1.1 200 OK Server: nginx/1.10.3 (Ubuntu) Date: Fri, 22 Nov 2019 08:36:56 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive 3.85.224.200 This is indeed the public IP of the proxy: [email protected]:/# dig container.