01 Mar 2017

Backdooring Node.js Express Apps via SSJI

Updated: 2017.03.03

One of the interesting things about Node.js (server-side JavaScript) apps and APIs is that they are event driven. For an attacker, that opens up new options for post-exploitation code execution, so I wrote a small PoC to demonstrate one.

In the scenario below, we assume we have already identified Server-Side JavaScript Injection (SSJI) in the app. This is not a new vulnerability in Express, but an experiment in post-exploitation. Plenty of posts show how to exploit SSJI by reading files with require('fs').readFile or executing commands with require('child_process').spawn. But what if we could register our own event handler through the SSJI? We could modify the running app's behavior without touching disk and have it harvest sensitive information or perform other nefarious activities.

13 Oct 2016

Acing Your Security Headers

Mozilla recently released a security header grading site, https://observatory.mozilla.org/. Of course I had to plug my site into the scanner and found that I got an F. Not good for a security guy.

Observatory F Rating

According to April King of Mozilla, the Observatory "grading is set very aggressively to promote best practices in web security". Looking at the published scores, the vast majority of sites fail the Observatory tests.

13 Sep 2016

Fixing Frame Check Sequence with Scapy
[20:03:53-160913][kali:~]# scapy
INFO: Can't import python gnuplot wrapper . Won't be able to plot.
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.2.0)
>>> packets = rdpcap("ctf.pcap")
>>> packets[7]
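As an added example, not the post's Scapy session: the arithmetic behind a correct Frame Check Sequence in pure Python, so it runs without Scapy or the post's ctf.pcap. The Ethernet FCS is CRC-32 (IEEE 802.3, the same polynomial and conventions as zlib.crc32) over dst|src|ethertype|payload, appended least-significant byte first. The frame below is constructed, and ethernet_fcs, fix_fcs and the other names are this example's own.

```python
import struct
import zlib

# Added example, not the post's code. Ethernet FCS = CRC-32 over the frame body,
# transmitted least-significant byte first (hence the "<I" pack).
FCS_LEN = 4
# zlib.crc32 over a frame that already carries a correct FCS is always this constant.
FCS_RESIDUE = 0x2144DF1C


def ethernet_fcs(frame_body: bytes) -> bytes:
    """FCS for a frame body (everything from dst MAC through payload, no FCS)."""
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)


def fcs_is_valid(frame: bytes) -> bool:
    """True when the trailing 4 bytes are the correct FCS for the rest of the frame."""
    if len(frame) <= FCS_LEN:
        return False
    return ethernet_fcs(frame[:-FCS_LEN]) == frame[-FCS_LEN:]


def fcs_residue_ok(frame: bytes) -> bool:
    """Same check via the CRC residue trick: no need to split body and FCS."""
    return (zlib.crc32(frame) & 0xFFFFFFFF) == FCS_RESIDUE


def fix_fcs(frame: bytes, has_fcs: bool = True) -> bytes:
    """Recompute the FCS after a frame was edited (or append one if it had none)."""
    body = frame[:-FCS_LEN] if has_fcs else frame
    return body + ethernet_fcs(body)


def build_frame() -> bytes:
    """Constructed minimum-size frame (60 bytes + FCS): broadcast dst, IPv4 ethertype."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001122334455")  # constructed, not a real device
    ethertype = b"\x08\x00"
    payload = b"constructed payload, not from the pcap".ljust(46, b"\x00")
    return fix_fcs(dst + src + ethertype + payload, has_fcs=False)


def corrupt(frame: bytes, offset: int = 20) -> bytes:
    """Edit one payload byte but keep the stale FCS, as happens after hand-patching a packet."""
    patched = bytearray(frame)
    patched[offset] ^= 0x01
    return bytes(patched)


if __name__ == "__main__":
    good = build_frame()
    bad = corrupt(good)
    print("original valid:", fcs_is_valid(good), fcs_residue_ok(good))
    print("after edit    :", fcs_is_valid(bad), "stale FCS", bad[-FCS_LEN:].hex())
    print("after fix     :", fcs_is_valid(fix_fcs(bad)), "new FCS", fix_fcs(bad)[-FCS_LEN:].hex())
```

Most capture setups strip the FCS before the frame reaches the pcap, so check whether the trailing four bytes validate before deciding whether fix_fcs should replace them or append new ones.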

28 Jun 2015

Creating Vagrant Boxes
sudo visudo -f /etc/sudoers.d/vagrant
vagrant ALL=(ALL) NOPASSWD:ALL
mkdir -p /home/vagrant/.ssh
chmod 0700 /home/vagrant/.ssh
wget --no-check-certificate https://raw.github.com/mitchellh/vagrant/master/keys/vagrant.pub -O /home/vagrant/.ssh/authorized_keys
chmod 0600 /home/vagrant/.ssh/authorized_keys
chown -R vagrant /home/vagrant/.ssh

The key fetched here is Vagrant's well-known public "insecure" key: anyone with the matching private key from the Vagrant repository can log in to a box that still carries it, so this setup is only appropriate for throwaway lab VMs.

Ubuntu

Older training VMs use

sudo sed -i -re 's/([a-z]{2}.)?archive.ubuntu.com|security.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list


17 Apr 2015

Attacking ECB

On a recent engagement, I came across Electronic Code Book (ECB) encrypted data. While there is a plethora of documentation about performing bit flipping in ECB, I couldn't find any decent writeups on how to perform adaptive chosen plaintext attacks to recover plaintext.

In ECB mode, each block of plaintext is encrypted independently with the key as illustrated by the diagram below.

[Figure: ECB mode encryption (source: Wikipedia)]

Since each block of plaintext is encrypted with the key independently, identical blocks of plaintext will yield identical blocks of ciphertext. The classic and poignant example of this property is an encrypted image of the Linux mascot, Tux. Below are three images, the original Tux image, an ECB encrypted Tux and a CBC encrypted Tux. The ECB encrypted Tux leaves visible artifacts whereas the CBC encrypted Tux looks like random data.
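As an added example, not the post's code: the two properties above turned into a working adaptive chosen plaintext attack. The oracle is a constructed stand-in for the engagement target and assumes the classic shape where the attacker's input is prepended to an unknown secret before ECB encryption; its block function is HMAC-SHA256 truncated to 16 bytes rather than a real cipher, which is enough because the attack only relies on equal blocks encrypting to equal blocks under one key. The attacker code never reads SECRET or the key; it detects ECB with the Tux property (repeated input blocks give repeated ciphertext blocks), learns the block size and secret length from ciphertext growth, and then recovers the secret one byte at a time. All names (ToyEcbOracle, probe_oracle, recover_secret) are this example's own.

```python
import hashlib
import hmac
import os

# Added example, not the post's code. SECRET is constructed; the attack code never reads it.
BLOCK = 16
SECRET = b"The magic words are squeamish ossifrage"


def pkcs7_pad(data: bytes, bs: int = BLOCK) -> bytes:
    n = bs - len(data) % bs
    return data + bytes([n]) * n


class ToyEcbOracle:
    """Stand-in for the target: ECB-encrypts attacker_input || SECRET under a fixed key.

    The block function is HMAC-SHA256(key, block)[:16]. It is not a real block cipher
    (not invertible), but like AES-ECB it maps equal 16-byte blocks to equal outputs.
    """

    def __init__(self, secret: bytes, key=None):
        self._secret = secret
        self._key = key if key is not None else os.urandom(16)
        self.queries = 0  # chosen plaintexts spent by the attacker

    def _encrypt_block(self, block: bytes) -> bytes:
        return hmac.new(self._key, block, hashlib.sha256).digest()[:BLOCK]

    def encrypt(self, attacker_input: bytes) -> bytes:
        self.queries += 1
        pt = pkcs7_pad(attacker_input + self._secret)
        return b"".join(self._encrypt_block(pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))


def has_repeated_block(ct: bytes, bs: int) -> bool:
    """The Tux property: any repeated ciphertext block betrays ECB."""
    blocks = [ct[i:i + bs] for i in range(0, len(ct), bs)]
    return len(blocks) != len(set(blocks))


def probe_oracle(oracle) -> tuple:
    """Learn (block size, secret length) from how the ciphertext length grows."""
    base = len(oracle.encrypt(b""))
    for n in range(1, 65):
        grown = len(oracle.encrypt(b"A" * n))
        if grown != base:
            # The jump happens exactly when n input bytes + secret fill a whole block.
            return grown - base, base - n
    raise ValueError("ciphertext length never grew; not a padded block cipher?")


def recover_secret(oracle) -> bytes:
    """Byte-at-a-time adaptive chosen plaintext attack against an ECB prepend oracle."""
    bs, secret_len = probe_oracle(oracle)
    if not has_repeated_block(oracle.encrypt(b"A" * 2 * bs), bs):
        raise ValueError("two identical input blocks did not repeat; oracle is not ECB")
    known = b""
    for i in range(secret_len):
        # Pick a prefix length so that secret[i] lands in the last byte of some block.
        pad_len = bs - 1 - (i % bs)
        prefix = b"A" * pad_len
        end = pad_len + i + 1  # end of the block that holds secret[i]
        target = oracle.encrypt(prefix)[end - bs:end]
        for b in range(256):
            # Same block, but now the last byte is our guess instead of the unknown.
            guess = prefix + known + bytes([b])
            if oracle.encrypt(guess)[end - bs:end] == target:
                known += bytes([b])
                break
        else:
            raise ValueError(f"no byte matched at offset {i}")
    return known


if __name__ == "__main__":
    oracle = ToyEcbOracle(SECRET)
    recovered = recover_secret(oracle)
    print(f"recovered {recovered!r} with {oracle.queries} oracle queries")
```

The cost is at most 256 queries per secret byte, which is why the attack is practical against any service that lets you control data placed in front of a secret under the same ECB key; a random per-message IV mode (CBC or better, an AEAD) removes the equal-block property the whole procedure depends on.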