Blog & CTF Write-up


CODEGATE 2013 YUT CHALLENGE Write-up

posted Mar 9, 2013, 10:44 PM by Anthony Lai   [ updated Mar 12, 2013, 9:35 AM ]



This post will be kept updated as write-ups become available from us:
VULN200
WEB400
WEB500
FOR100
FOR200
MISC200
MISC200.2
MISC300.1

More binary, web and forensic write-ups will be published soon.


- Darkfloyd

Know your enemy "better"

posted Mar 8, 2013, 10:05 PM by Anthony Lai

After analysing attacks against an ISP with another VX brother via a honeypot (www.honeynet.org), I have a different interpretation (15-day deployment since 22 Feb):

Top 10 Attackers
31111|86.63.108.226
10337|189.83.55.71
10278|95.162.64.252
9235|189.83.120.25
6643|176.62.121.247
5122|189.83.29.13
3712|186.50.142.7
3638|124.247.203.114
3233|186.237.36.104
2769|128.71.208.199

For the binaries and malware downloaded from attackers' hosts:

Attacks come from various countries, including Brazil, Poland, Russia, Romania and India, but not "China". By contrast, for a honeypot set up in a private company for 2 months, the top 10 attackers are all servers in China; the most active one is from AS9800. I would say this is the difference between a general attack and a targeted attack. I have notified the affected company and hopefully they will be alerted and take corresponding action.
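As an added example (not part of the original post), a small Python script that parses the md5|ip|count export format shown above and summarizes it per sample: total downloads, how many distinct source addresses served it, and which /24 prefixes those came from. That is the view that separates one sample pushed from many hosts (a spreading worm) from many samples pushed from one host (a targeted operator). The record lines are constructed placeholders, not the post's data.

```python
import re
from collections import defaultdict

# Constructed sample lines in the honeypot export format (md5|source_ip|count).
# Hashes and addresses are placeholders, not the values from the post.
SAMPLE_RECORDS = """\
0123456789abcdef0123456789abcdef|203.0.113.10|1500
fedcba9876543210fedcba9876543210|198.51.100.7|900
0123456789abcdef0123456789abcdef|203.0.113.44|300
deadbeefdeadbeefdeadbeefdeadbeef|192.0.2.5|250
0123456789abcdef0123456789abcdef|198.51.100.9|100
not a record line
"""

LINE_RE = re.compile(r"^([0-9a-f]{32})\|(\d{1,3}(?:\.\d{1,3}){3})\|(\d+)$")

def parse_records(text):
    """Yield (md5, ip, count) tuples, skipping lines that do not match the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def summarize_by_sample(text):
    """Per md5: total downloads, distinct source IPs, and the /24 prefixes seen."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    prefixes = defaultdict(set)
    for md5, ip, count in parse_records(text):
        totals[md5] += count
        sources[md5].add(ip)
        prefixes[md5].add(ip.rsplit(".", 1)[0])
    return {
        md5: {"downloads": totals[md5],
              "sources": len(sources[md5]),
              "prefixes": sorted(prefixes[md5])}
        for md5 in totals
    }

def most_spread_sample(text):
    """The md5 served from the most distinct source IPs (ties broken by downloads)."""
    summary = summarize_by_sample(text)
    return max(summary, key=lambda k: (summary[k]["sources"], summary[k]["downloads"]))

if __name__ == "__main__":
    for md5, s in sorted(summarize_by_sample(SAMPLE_RECORDS).items()):
        print(md5, s)
    print("most spread sample:", most_spread_sample(SAMPLE_RECORDS))
```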




- Darkfloyd

Plaid CTF 2012 Write-up

posted May 9, 2012, 3:24 AM by Anthony Lai   [ updated May 9, 2012, 5:34 AM ]



Dudes, we will put the write-ups here and keep updating this post.

Published write-up
- ECE Revenge, Editors, Addition is hard, Shoulder Surfing, 3D

Solved challenges:
Addition is Hard (15 Points) - Puzzles
Shoulder Surfing (25 Points) - Puzzles
RoboDate (100 Points) - Password Guessing
Paste (100 Points) - Practical Packets
The Game (100 Points) - Potpourri
3D (100 Points) - Potpourri
ECE's Revenge II (500 Points) - Potpourri
Editors (100 Points) - Pirating

Hacking Twitter: Visualize Hacker Communities

posted Jan 23, 2012, 4:36 AM by Anthony Lai   [ updated Jan 23, 2012, 7:59 AM ]

Today is Chinese Lunar New Year; on behalf of VXRL I would like to say "Kung Hei Fat Choy" to you all.

Two high-profile hacking teams, Lulzsec and Anonymous, announce their latest acts via Twitter. I am curious about their activities and any connection between them, on a snapshot basis.

Retweet Network
I simply queried the Twitter API[1] for 100 resulting records using a Python program[2].

Interestingly, from the Lulzsec graph, I found a number of similar or correlated Anonymous groups that explicitly state they are from Britain or Sweden, and some are named as IRC bots. I believe this helps them ensure their acts and news are still propagated if Twitter closes one of their accounts; meanwhile, I would guess their major forces (or volunteers?) are from Europe.
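As an added example (not from the original post, nor from the Mining the Social Web code), here is how such a retweet network can be built from search results: extract "RT @user" mentions, count directed edges from retweeter to original author, and rank authors by how many distinct accounts retweet them, which is the sense in which one account can look like a "core". The tweets and account names are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample results in the shape of the 2012 search API
# ("from_user" and "text" fields); account names are placeholders.
SAMPLE_TWEETS = [
    {"from_user": "groupA_news", "text": "RT @groupB_irc: new statement is out"},
    {"from_user": "groupA_sweden", "text": "RT @groupB_irc: new statement is out"},
    {"from_user": "groupB_irc", "text": "RT @groupA_news: mirror of our statement"},
    {"from_user": "groupA_brazil", "text": "RT @groupA_sweden: op starts tonight"},
    {"from_user": "random_user", "text": "reading about RT @groupA_sweden: op starts tonight"},
    {"from_user": "groupC", "text": "no retweet here, just a status"},
]

RT_RE = re.compile(r"RT @(\w+)")

def retweet_edges(tweets):
    """Directed edges (retweeter -> original author) with multiplicities."""
    edges = Counter()
    for t in tweets:
        for author in RT_RE.findall(t["text"]):
            if author != t["from_user"]:      # ignore self-retweets
                edges[(t["from_user"], author)] += 1
    return edges

def in_degree(edges):
    """How many distinct accounts retweeted each author: a simple 'core' measure."""
    deg = defaultdict(set)
    for (src, dst) in edges:
        deg[dst].add(src)
    return {dst: len(srcs) for dst, srcs in deg.items()}

def core_account(tweets):
    """Author retweeted by the most distinct accounts (ties broken by name)."""
    deg = in_degree(retweet_edges(tweets))
    return max(deg, key=lambda k: (deg[k], k))

def mutual_pairs(edges):
    """Pairs of accounts that retweet each other (the 'mutual support' pattern)."""
    return sorted({tuple(sorted((a, b))) for (a, b) in edges if (b, a) in edges})

if __name__ == "__main__":
    e = retweet_edges(SAMPLE_TWEETS)
    print("in-degree:", in_degree(e))
    print("core:", core_account(SAMPLE_TWEETS), "mutual:", mutual_pairs(e))
```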

The twitter accounts supporting Anonymous (may be owned by them or volunteers) include:
- YourAnnoNews
- AnonOpsSweden
- AnonOpsBrazil
- AnonymousIRC
- BritAnonymous
- AnonymousBrazil
- AnonymousOnly

From the graph, it shows that AnonOpsSweden acts as a core for people or other teams/groups to follow.

For LulzSec, accounts include:
- LulzSec
- LulzSec47
- LulzSecBrazil

It is quite interesting that other than Europe, we could find groups from Brazil supporting both LulzSec and Anonymous explicitly. Will the major operation reside in Brazil as well? :)



Figure 1: Mutual support and notification between LulzSec and Anonymous
Figure 2: AnonOpsSweden looks like another center?

Lulzsec looks like a friend group of theirs and retweets Anonymous's messages; the two are well connected.

Further Exploration
Let me take a shot at AnonOpsSweden. I got two more interesting groups, AnonCentral and AnonyOps; I could say it is readily "Anonymous Everywhere".
Figure 3: More groups are found.



I have found there are many "representatives" from various countries claiming to be "AnonXXXX".


What is their next act?
Alright, now for the main dish: what are their recent and planned acts? I simply made a query with the keyword "DDoS" using the following Python code. Note that you need the Twitter package installed beforehand to access the Twitter API.
>>> import twitter   # the "twitter" package from PyPI (pip install twitter)
>>> import json
>>> # the (since retired) Twitter search endpoint that was in use in 2012
>>> twitter_search = twitter.Twitter(domain="search.twitter.com")
>>> search_results = twitter_search.search(q="DDoS")
>>> print(json.dumps(search_results, sort_keys=True, indent=1))

I simply searched for and highlighted the conversations with "DDoS" as the keyword up to 2345 on 23 Jan 2012 (HKT). Aha, they readily have volunteers to launch DDoS attacks indeed.


As an observer, it is nice for us to have their latest and planned acts. I do appreciate their mindset of changing people's mindsets to make security better, but could another means be used? However, it is always a dilemma: ethics and justice look like they cannot be balanced in the real world, and some tasks must be left to the hackers to handle.

Enjoy it ;-)

References:
[1] Twitter API
URL: https://dev.twitter.com/docs

[2] Mining the Social Web
URL: https://github.com/ptwobrussell/Mining-the-Social-Web









Easy click, easy steal

posted Oct 25, 2011, 7:15 AM by Anthony Lai

Sometimes we may authorize a third-party application via OAuth to access our mailbox, like findbigmails. However, you need to regularly check whether you have authorized some apps you don't know or aren't aware of.

Please go to account settings and click on "edit" for "Authorizing applications & share" under the Account overview section. If suspicious app(s) and/or service(s) are authorized, please revoke and remove them immediately.

The attack trick is relatively easy. Attackers could simply offer some kind of "free" helping service and you authorize it; however, most of the time the app/service vendor does not tell the user to remove it afterwards. Your privacy and secrets are handed over to them :-)

- Darkfloyd
Figure 1: Check any service/apps accessing your Google account.

Figure 2: Do you find any suspicious service accessing your account?

APT never dies

posted Oct 25, 2011, 7:13 AM by Anthony Lai


Author: Darkfloyd
I simply published one with my Taiwanese research fellow
http://rootkit.tw/blog/?p=236

PlaidCTF 2011 - Fun with Numb3rs (100 marks)

posted Oct 25, 2011, 7:12 AM by Anthony Lai


(From Darkfloyd and AlanH0)
At the beginning, I put it in IDA Pro and found out there is an if-then case for displaying the message. However, for better understanding I simply reversed the .exe file with .NET Reflector (http://reflector.red-gate.com/download.aspx?TreatAsUpdate=1) and found out that there is a condition balancing two formulas: depending on whether they are equal, it displays one of two different message boxes.

We simply wrote a simple Python script to brute-force those variables. The source code is shown below:

def formula1(a, b, c):
    return ((a + (c * b) - c) + (a * a) * c) - b

def formula2(x, y, z):
    return (z * (34 * y + 2 * x)) + 7488

# Condition recovered from the binary:
# ((a + (c*b) - c) + (a*a)*c) - b == (z * (34*y + 2*x)) + 7488, with x > 77
# formula2 is called with (a, b, c) as (x, y, z), so x > 77 means a > 77.

for a in range(0, 256):
    for b in range(0, 256):
        for c in range(0, 256):
            v1 = formula1(a, b, c)
            v2 = formula2(a, b, c)
            if v1 == v2 and a > 77:
                print(str(a) + " " + str(b) + " " + str(c))
 

Finally, we got the values of the variables (89,233,144) and, after exchanging the value positions, we got the key.

March 2011 Webapp Security Fengshui in Hong Kong (Researchers: AlanH0 x Darkfloyd, VXRL)

posted Oct 25, 2011, 7:11 AM by Anthony Lai


In these two months, we have done a large-scale round of simple vulnerability digging to check whether banks and companies have put controls in their web applications. We referred to the OWASP Top 10 but only spent 10-15 minutes on each site. Amazingly, we found over 120 vulnerabilities across 80 companies. Some banks, listed companies and Hong Kong government departments have carried out "regular" audits and penetration tests; we are doubtful whether they just run a scanner, find nothing, feel safe and secure, and treat security as a kind of "homework". Did they undertake a real test? Did they undertake a secure system development lifecycle?

By the way, we found that we could potentially dump thousands of records of job applicants (name, address and phone as well as their applied position) from a well-known listed MNC. We reported this issue via a connection, but they simply do not take the issue seriously. We will publish it in a few weeks if they do not pay attention to it.

In addition, we are glad some banks' CERT teams have reached out to us for rectification and more details.

We will soon publish a detailed white paper with recommendations. Please stay tuned, dudes. By the way, the crawling for vulnerabilities is still on-going.

#1: SSL sounds secure, but we could inject an iFrame over SSL. Thank you to Hang Seng Bank's mistake.


#2: Browsing API documentation and playing with JSP and Servlet samples on an HSBC server when you feel bored :-))


#3. Exposure of database server name, IP, admin ID and password via its search engine


#4. XSS and injected iframes everywhere (including Merrill Lynch, RBS and BNP)



#5 When you have paid a great lump of money for penetration tests and audits from Big 4 companies, what is your feeling if their sites' basic web vulnerabilities could not be found and fixed? :-)
** The blog message could be found in AttackResearch as well. Thank you to my good research fellow, Val and Colin: http://carnal0wnage.attackresearch.com/node/447


October 2010 Stuxnet Analysis
We have found comprehensive analysis reports from various security and anti-virus companies:
ESET

Symantec

Antiy Lab (Sent to you before); Chinese version could be found from Antiy
Kaspersky (No softcopy available yet but please follow up if you have got the copy)


July 2010 APT never dies
Author: Darkfloyd
I simply published one with my Taiwanese research fellow
http://rootkit.tw/blog/?p=236
