Blog & CTF Write-up
CODEGATE 2013 YUT CHALLENGE Write-up
 VULN200 WEB400 WEB500 FOR100 FOR200 MISC200 MISC200.2 MISC300.1 More Binary, Web and forensic write-up will be published soon. - Darkfloyd |
Know your enemy "better"
After analysing attack against an ISP with another VX brother via Honeypot (www.honeynet.org), there is a different interpretation to me (15-day deployment since 22 Feb): Top 10 Attackers 31111|86.63.108.226 10337|189.83.55.71 10278|95.162.64.252 9235|189.83.120.25 6643|176.62.121.247 5122|189.83.29.13 3712|186.50.142.7 3638|124.247.203.114 3233|186.237.36.104 2769|128.71.208.199 For the binaries and malware downloaded from attackers' hosts: 347d214c8224fc47552addaf91609157|86.63.108.226|15437 c3852074ee50da92c2857d24471747d9|189.83.55.71|5097 7942a56800f2d4e16f95169793c66851|95.162.64.252|5052 c3852074ee50da92c2857d24471747d9|189.83.120.25|4524 9f163e7ea43ec22df3e74fb45e7dffb7|176.62.121.247|3255 c3852074ee50da92c2857d24471747d9|189.83.29.13|2589 87136c488903474630369e232704fa4d|186.50.142.7|1854 87136c488903474630369e232704fa4d|124.247.203.114|1817 6b54e187a3a6971ffe03e9aea5afcacc|186.237.36.104|1605 87136c488903474630369e232704fa4d|186.55.6.68|1189 87136c488903474630369e232704fa4d|186.55.58.40|1166 9f163e7ea43ec22df3e74fb45e7dffb7|94.137.25.4|1007 87136c488903474630369e232704fa4d|186.50.134.101|868 87136c488903474630369e232704fa4d|81.181.40.16|837 c3852074ee50da92c2857d24471747d9|190.38.89.60|628 87136c488903474630369e232704fa4d|186.55.63.9|541 87136c488903474630369e232704fa4d|186.53.104.240|529 c3852074ee50da92c2857d24471747d9|186.95.68.103|460 87136c488903474630369e232704fa4d|186.55.0.148|434 9f163e7ea43ec22df3e74fb45e7dffb7|178.74.117.104|381 9f163e7ea43ec22df3e74fb45e7dffb7|46.233.199.247|375 c3852074ee50da92c2857d24471747d9|190.72.22.126|369 6b54e187a3a6971ffe03e9aea5afcacc|186.237.39.219|363 9f163e7ea43ec22df3e74fb45e7dffb7|176.62.99.151|356 b081022fc581decf4c8640dbc74a9198|186.51.223.218|347 9f163e7ea43ec22df3e74fb45e7dffb7|178.74.91.140|310 c3852074ee50da92c2857d24471747d9|186.95.67.198|268 87136c488903474630369e232704fa4d|186.53.99.170|231 393e2e61ff08a8f7439e3d2cfcb8056f|117.222.195.168|204 6b54e187a3a6971ffe03e9aea5afcacc|186.237.40.123|181 9f163e7ea43ec22df3e74fb45e7dffb7|46.233.240.154|159 b0ace06ed2168781136f13fac6bb1037|37.204.119.122|156 87136c488903474630369e232704fa4d|186.55.8.217|140 6b54e187a3a6971ffe03e9aea5afcacc|186.237.36.32|139 393e2e61ff08a8f7439e3d2cfcb8056f|95.30.95.61|136 6b54e187a3a6971ffe03e9aea5afcacc|186.237.40.90|115 393e2e61ff08a8f7439e3d2cfcb8056f|128.71.48.99|85 87136c488903474630369e232704fa4d|186.55.33.220|84 87136c488903474630369e232704fa4d|186.55.4.119|84 94e689d7d6bc7c769d09a59066727497|176.237.252.212|77 0c1fa21d2ae6374e1e2f754504d7c084|95.46.91.179|73 393e2e61ff08a8f7439e3d2cfcb8056f|2.95.63.148|68 0c1fa21d2ae6374e1e2f754504d7c084|95.46.86.52|64 ac851fdca8a7f4b5a185c9686165586f|190.68.43.12|62 6b54e187a3a6971ffe03e9aea5afcacc|186.237.38.221|60 9c09418c738e265a27e6c599f43d86ab|93.81.212.191|50 9f163e7ea43ec22df3e74fb45e7dffb7|94.137.36.57|42 87136c488903474630369e232704fa4d|186.53.96.33|41 9f163e7ea43ec22df3e74fb45e7dffb7|109.120.44.63|40 9f163e7ea43ec22df3e74fb45e7dffb7|94.137.40.62|40 0c1fa21d2ae6374e1e2f754504d7c084|95.46.92.243|37 6b54e187a3a6971ffe03e9aea5afcacc|186.237.37.157|36 393e2e61ff08a8f7439e3d2cfcb8056f|117.222.196.3|34 9f163e7ea43ec22df3e74fb45e7dffb7|178.74.65.56|32 c3852074ee50da92c2857d24471747d9|189.83.63.113|32 87136c488903474630369e232704fa4d|186.50.137.177|29 9f163e7ea43ec22df3e74fb45e7dffb7|176.62.102.75|28 393e2e61ff08a8f7439e3d2cfcb8056f|128.71.48.119|17 c3852074ee50da92c2857d24471747d9|124.107.74.198|16 393e2e61ff08a8f7439e3d2cfcb8056f|117.203.204.43|13 8c9367b7dc43dadaa3ec9da767c586cf|175.182.21.32|13 9c09418c738e265a27e6c599f43d86ab|93.81.222.198|13 Attack comes from various countries from Brazil, Poland, Russia, Romania, India but "China". A honeypot is set up in a private company for 2 months, the top 10 attackers from servers in China. The active one is from AS9800 . I would say, this is the difference between general and target attack. I have notified the affected company and hopefully he could be alerted and make corresponding action on it.  - Darkfloyd |
Plaid CTF 2012 Write-up
 Published write-up - ECE Revenge, Editors, Addition is hard, Shoulder Surfing, 3D Solved challenges: Addition is Hard (15 Points) Puzzles Shoulder Surfing (25 Points)) Puzzles RoboDate (100 Points) Password Guessing Paste (100 Points)) Practical Packets The Game (100 Points)) Potpourri 3D (100 Points) Potpourri ECE's Revenge II (500 Points) Potpourri Editors (100 Points)) Pirating |
| Attachments:
3D.zip
Addition.txt
ECE_Revenge.zip
ShoulderSurfing.txt
pirating100.txt
Hacking Twitter: Visualize Hacker Communities
Today is Chinese Lunar New Year, I would like to represent VXRL to say "Kung Hei Fat Choy" to you all. As there are two high-profile hacking teams, Lulzsec and Anonymous, giving us their latest act via Twitter. I am curious about their activities and any connection in between on a snapshot basis. Retweet Network I just requested the Twitter request via its provided API[1] to pass me 100 resulting records via a Python program[2]. Interestingly, from Lulzsec graph, I have found a number of similar/correlated groups of Anonymous and explicitly state that it's from British, Sweden and some are named as IRC bots indeed, I believe it is good for them to ensure their act and news are successfully propagated if Twitter closed one of their accounts, meanwhile, I may guess their major forces (or volunteers?) are from Europe. The twitter accounts supporting Anonymous (may be owned by them or volunteers) include: - YourAnnoNews - AnonOpsSweden - AnonOpsBrazil - AnonymousIRC - BritAnonymous - AnonymousBrazil - AnonymousOnly From the graph, it shows AnonOpsSweden acts a core for people or other team/group to follow. For LulzSec, accounts include: - LulzSec - LulzSec47 - LulzSecBrazil It is quite interesting that other than Europe, we could find groups from Brazil supporting both LulzSec and Anonymous explicitly. Will the major operation reside in Brazil as well? :)  Figure 1: Mutual support and notification between LulzSec and Anonymous  Figure 2: AnonOpsSweden looks like another center? Lulzsec looks like their friend group and retweet Anonymous's messages with good connection. Further Exploration Let me take a shot over AnonOpsSweden. I got two more interesting groups, AnonCentral and AnonyOps, I could say It is readily "Anonymous Everywhere".  Figure 3: More groups are found. I have there are many "representatives" from various countries and claim they are "AnonXXXX". What is their next act? Alright, it is now the main dish and what's their recent and next act? I simply made a query with keyword "DDoS" with the following Python code. However, you need a Twitter package in prior to access Twitter API. >>> import twitter >>> import json >>> twitter_search = twitter.Twitter(domain="search.twitter.com") >>> search_results = [] >>> search_results = twitter_search.search(q="DDoS") >>> print json.dumps(search_results, sort_keys=True, indent=1) I simply find and highlight the conversation with "DDoS" as the keyword up to 2345 on 23 Jan 2012 (HKT). Aha, they readily have volunteers indeed to launch DDoS attack.  As an observer, it is nice for us to have their latest and planned acts, I do appreciate their mindset to change the people mindsets to make a better security, but could we use another mean? However, it is always a dilemma, ethics and justice looks like it cannot be balanced in the real world, some tasks must be left to the hackers to handle. Enjoy it ;-) References: [1] Twitter API URL: https://dev.twitter.com/docs [2] Mining the Social Web URL: https://github.com/ptwobrussell/Mining-the-Social-Web |
Easy click, easy steal
Sometimes, we may authorize third-party application via oauth to access our mailbox like findbigmails. However, you need to regularly check whether you have authorized some apps you don't know or aware of. Please go to account setting and click on "edit" for Authorizing applications & share under Account overview section. If suspicious app(s) or/and service(s) are authorized, please revoke and remove it immediately. Attack tricks are relatively easy. Attackers could simply offer kinds "free" helping service, and you authorize it, however, most of time the apps/services vendor do not inform the user to remove it. Your privacy and secrets are handed over to them :-) - Darkfloyd  Figure 1: Check any service/apps accessing your Google account.  Figure 2: Do you find any suspicious service accessing your account? |
APT never dies
Author: Darkfloyd I simply published one with my Taiwanese research fellow http://rootkit.tw/blog/?p=236 |
PlaidCTF 2011 - Fun with Numb3rs (100 marks)
(From Darkfloyd and AlanH0) At the beginning, I put it in IDA Pro, and found out there is a if-then case for displaying the message. However, for better understanI simply reverse the .exe file with .NET reflector (http://reflector.red-gate.com/download.aspx?TreatAsUpdate=1) and find out that there is a condition of balancing two formula, it could display two different message boxes.  We simply write a simply python to bruteforce those variables. The source code is shown as below: def formula1(a,b,c): return ((a + (c*b) - c) + (a*a) * c) - b def formula2(x,y,z): return ((z * (34*y + 2*x)) + 7488) #(a + (c*b) - c) + (a*a) * c) == (z * (34y + 2x)) + 7488) && (x > 77)) for a in range(0,256): for b in range(0,256): for c in range(0,256): v1 = formula1(a,b,c) v2 = formula2(a,b,c) if (v1 == v2): print str(a) + " " + str(b) + " " + str(c) Finally, we have got the values of variables (89,233,144) and, we exchange the value position and got the key.  |
March 2011 Webapp Security Fengshui in Hong Kong (Researchers: AlanH0 x Darkfloyd, VXRL)
In these two months, We have done a large scale of simply vulnerability digging and check whether banks and companies have put controls in Web application. We have referred to OWASP Top 10 but only spent 10-15 minutes to each site. Amazingly, we have got over 120 vulnerabilities out of 80 companies. Some banks, listed companies and departments from Hong Kong government has carried out "regular" audit and penetration test, we are doubtful whether they are just running a scanner and find nothing, they feel safe and secure and treat security as a kind of "homework". Did they undertake real test? Did they undertake secure system development lifecycle? By the way, we have found that we could potentially dump thousand records of job applicants (name, address and phone as well as their applied position) from a well-known listed MNC company, we have reported this issue via a connection but they simply don't take care of the issue seriously. We will publish it in a few weeks if they do not pay attention to it. In addition, we are glad some banks CERT teams have reached us for rectification and more details. We will sooner publish a detailed white paper with recommendation. Please stay tuned, dudes. By the way, the crawling for vulnerability is still on-going. #1: SSL sounds secure but we could injected iFrame over SSL. Thank you to Hang Seng Bank's mistake.  #2: Browsing API documentation and Playing JSP and Servlet samples at HSBC server when you feel bored :-))   #3. Exposure of database server name, IP, admin ID and password via its search engine  #4. XSS and Injected iframes everywhere (including Merrill Lych, RBS and BNP)    #5 When you paid a great lump of money for penetration test and audit from Big 4 companies, what is your feeling if their sites' basic web vulnerabilities could not be found and fixed? :-)   ** The blog message could be found in AttackResearch as well. Thank you to my good research fellow, Val and Colin: http://carnal0wnage.attackresearch.com/node/447 October 2010 Stuxnet Analysis We have found comprehensive analysis reports from various security and anti-virus companies: ESET Antiy Lab (Sent to you before); Chinese version could be found from Antiy Kaspersky (No softcopy available yet but please follow up if you have got the copy) Author: Darkfloyd I simply published one with my Taiwanese research fellow http://rootkit.tw/blog/?p=236 |
1-8 of 8