[{"content":" 05/25/2023:\nPhishing, Domain Abuse/Typo-Squatting, Chat-Bots, and C2 Deployment… This proof of concept is for educational purposes only. All resources are my own, and no individuals or sock puppets were harmed during the testing process.\nFrom my initial review of Impostoor Technology Services https://impostoor.com the company offers various global data storage services for its customers.\nI pursued an approach of active and passive reconnaissance techniques to gather valuable information about the target network and its users. In addition, I delivered test emails to its corporate addresses to understand the look and feel of company formatting and header information.\nI utilized The Harvester https://github.com/laramies/theHarvester to help identify corporate email addresses tied to the domain. One email address in particular, ksmith@impostoor.com, was reported in data leak that occurred on a large online retailer within the past two years. That leak detailed the name associated with the address (Karen Smith).\nOpen Source research quickly corroborated my user being an employee with Impostoor Technology Services. Additionally, plenty of social media evidence showed that I had the correct person.\nWhat was unique, however, was the following post.\nIndividuals are always the weakest link when targeting an organization.\nTypo-squatting | Phishing Utilizing a very similar domain to impostoor.com, like impostooor.com, I can pursue a typo-squatting attack. Notice the extra “o.”\nWith this domain; I could run a mail server with a custom-designed replica email of something employees at Impostoor Technologies would likely receive from their corporate headquarters. Before I added the body of the message, I decided to consult Karen’s trusty new friend, good ole ChatGPT.\nAs you can see, the response from my prompt entry could produce a better result. However, we can still utilize this with some minor edits. 
Before compiling this, though, let’s get our payload in order.\nDafrog C2 Standup Shout out to Joe Helle’s awesome book that helped me get this project going.\nhttps://github.com/MEISTSEC/dafrogc2\nFirst, I need to stand-up the framework and enable the listener.\nmv zfvccb.exe trustedsoftwareremovaltool.exe My C2 server is now up and listening on port 4444 and I have constructed a windows binary payload (trustedsoftwareremovaltool.exe) from my python source.\nI finally reach out to Karen with my Phishing email (I will detail this process at a later date). I utilize a large amount of the ChatGPT response and some screen shots to show her what exactly she needs to do.\nSubject: Urgent: Unathorized File Use Alert - Immediate Action Required Dear Karen Smith, I hope this email finds you well. I\u0026#39;m writing to address an urgent matter that requires your immediate attention. It has come to the ITS Security Teams attention that a potentially an unauthorized file \u0026lt;chatgptinstalleramd64.zip\u0026gt;, which is not intended for use on work computers, may be present on your system. To ensure the security and integrity of our workplace, it is of utmost importance that we locate and handle this file appropriately. Given the nature of the file in question, it is imperative that we take swift action to safeguard our organization\u0026#39;s confidentiality and adhere to our strict information security policies. To initiate the necessary steps, please follow the instructions below to search for and remove the file from your computer: 1. Launch Windows Explorer: You can do this by either clicking on the \u0026#34;File Explorer\u0026#34; icon on your taskbar or by pressing the Windows key + E on your keyboard. 2. Conduct a thorough search: Once Windows Explorer is open, navigate to the search bar located in the top-left corner of the window. Type in \u0026#34;chatgptinstalleramd64.zip\u0026#34;. Please ensure you enter the correct name to ensure an accurate search. 
This is how it plays out when she types the zip file “the domain” into the file explorer search bar.\nUpon hitting the enter button, Karen’s default browser opens, and chatgptinstalleramd64.zip receives a GET request. The domain redirects to impostooor.com, our typo-squatted website. Karen is presented the following on her desktop in her default web browser. Karen clicked on the downloaded executable we created in the C2 framework, which we embedded into the domain via JavaScript.\nKaren is hit with a strange error. She double clicks and it goes away. She assumes all has been remediated and the corporate security team will no longer be bothering her. This action executes the payload.\nBack on the C2 machine, we receive a connection on our listener from Karen’s workstation.\nConclusion\nThis was a fun little Proof of Concept to highlight the start of an attack chain. This is where we currently sit within the MITRE ATT\u0026amp;CK Framework.\nIn phase 2, we will look at Defense Evasion, Establishing Persistence, Discovery, Exfiltration, and Lateral Movement. Phase 3 of this project includes establishing a second-phase dropper developed in Rust, a new language I am learning, and deploying Python-written ransomware. DafrogC2 is continuously receiving new additions as I find mistakes and implement new features in the program. As I mentioned in previous posts, tackling a project like that is truly the best way to educate yourself in programming and security.
The trial-and-error approach is more fun than reading a textbook, IMHO.\n","permalink":"https://718edc7a.meistsec-blog.pages.dev/posts/attackchain1/attackchain/","summary":"\u003chr\u003e\n\u003cp\u003e05/25/2023:\u003c/p\u003e\n\u003cp\u003e\u003cimg loading=\"lazy\" src=\"/posts/attackchain1/images/1.png\"\u003e\u003c/p\u003e\n\u003ch5 id=\"phishing-domain-abusetypo-squatting-chat-bots-and-c2-deployment\"\u003ePhishing, Domain Abuse/Typo-Squatting, Chat-Bots, and C2 Deployment…\u003c/h5\u003e\n\u003cp\u003e\u003cem\u003eThis proof of concept is for educational purposes only. All resources are my own, and no individuals or sock puppets were harmed during the testing process.\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003e\u003cimg loading=\"lazy\" src=\"/posts/attackchain1/images/2.png\"\u003e\u003c/p\u003e\n\u003cp\u003eFrom my initial review of Impostoor Technology Services \u003ca href=\"https://impostoor.com\"\u003ehttps://impostoor.com\u003c/a\u003e the company offers various global data storage services for its customers.\u003c/p\u003e\n\u003cp\u003eI pursued an approach of active and passive reconnaissance techniques to gather valuable information about the target network and its users. In addition, I delivered test emails to its corporate addresses to understand the look and feel of company formatting and header information.\u003c/p\u003e","title":"Approaching the Attack Chain"},{"content":"\nNetwork Segmentation Testing with nmap\nSegmentation testing is the exercise of proving — from a defined source network — that traffic into a protected network is restricted as intended. Most commonly this is driven by PCI DSS Requirement 11.4.5 (annual segmentation testing for merchants, semi-annual for service providers) and analogous controls in HIPAA, NIST 800-53, and internal zoning standards.\nThe goal is not to find vulnerabilities.
It is to confirm that the firewall/ACL/SDN rules between source and target zones match the documented design — no more, no less. Findings are usually \u0026ldquo;port X is reachable that shouldn\u0026rsquo;t be\u0026rdquo; or \u0026ldquo;this source IP can reach this CDE host.\u0026rdquo;\nBelow is the playbook I lean on with nmap. Run from a representative host inside the source segment.\nPhase 1 — Host discovery\nYou first need to know what\u0026rsquo;s actually up in the target range without committing to a full port scan. -sn (\u0026ldquo;no port scan\u0026rdquo;) performs only discovery probes.\nSwitch | Example | What it does\n-sn | nmap -sn 10.1.0.0/24 | Disable port scanning. Host discovery only (ICMP echo, TCP SYN/ACK to 443/80, ARP on local).\n-PS | nmap -PS22,80,443 10.1.0.0/24 | TCP SYN ping to listed ports — useful when ICMP is blocked.\n-PA | nmap -PA22,80,443 10.1.0.0/24 | TCP ACK ping — sometimes traverses stateless filters that drop SYN.\n-PU | nmap -PU53,161 10.1.0.0/24 | UDP ping — useful where TCP probes are filtered.\n-Pn | nmap -Pn ... | Skip discovery, treat all hosts as up. Use as a fallback only — it slows things down and produces noise.\nWhen you run as root, nmap will also use ARP for any targets on the local link, which is the most reliable signal you have.\nsudo nmap -sn -PE -PS22,80,443 -PA22,80,443 -PU53,161 -iL targets.txt -oA discovery\n-oA \u0026lt;basename\u0026gt; writes normal, grepable, and XML output in one shot — keep all three for reporting.\nPhase 2 — Port coverage\nOnce you have the live set, you need full port coverage. Do not rely on default top-1000 for a segmentation test; partial coverage will not pass a QSA review.\nTCP, all 65535 ports, with version detection and reason text (which packet flag drove each verdict — important evidence):\nsudo nmap -sS -p- -sV --reason -iL alive.txt -oA tcp_full\nIf TCP SYN is being blocked outright by the source\u0026rsquo;s egress (e.g.
an outbound proxy that only forwards established sessions), fall back to a TCP connect scan:\nnmap -sT -p- -sV --reason -iL alive.txt -oA tcp_connect\nUDP is slow and unreliable but required for a complete test. Cover the common service ports at minimum, and use --version-intensity 0 to keep runtime sane:\nsudo nmap -sU --top-ports 200 -sV --version-intensity 0 --reason -iL alive.txt -oA udp_top200\nPhase 3 — Evidence\nWhat a reviewer (internal or external) will ask for:\n1. The source IP(s) the scan was run from, with date/time.\n2. The target scope (targets.txt) and the alive list.\n3. The raw nmap output for each scan (-oA artifacts).\n4. A diff between observed open ports and the documented allow-list. Anything reachable that isn\u0026rsquo;t on the allow-list is a finding.\nFor diffing, the grepable output (.gnmap) plus a one-liner like:\ngrep \u0026#34;/open/\u0026#34; tcp_full.gnmap | awk \u0026#39;{print $2}\u0026#39; | sort -u\n…gives you a clean \u0026ldquo;hosts with any open port\u0026rdquo; list to compare against expectations.\nNotes on timing and safety\n-T4 is usually fine on modern networks and a lot faster than the default -T3. Avoid -T5 against production unless you\u0026rsquo;ve cleared it — it will trip IDS and can knock over fragile devices.\nCoordinate with the SOC. A segmentation test that triggers an unannounced incident response is a bad day.\nIf the target zone contains IDS/IPS or rate-limiting, your results may be incomplete by design. Document the controls observed; they\u0026rsquo;re part of the report, not a problem with your methodology.
","permalink":"https://718edc7a.meistsec-blog.pages.dev/posts/segtest/segtesting/","summary":"\u003cp\u003e\u003cimg loading=\"lazy\" src=\"/posts/segtest/images/nmap.png\"\u003e\u003c/p\u003e\n\u003ch1 id=\"network-segmentation-testing-with-nmap\"\u003eNetwork Segmentation Testing with nmap\u003c/h1\u003e\n\u003cp\u003eSegmentation testing is the exercise of proving — from a defined source network — that traffic into a protected network is restricted as intended. Most commonly this is driven by \u003cstrong\u003ePCI DSS Requirement 11.4.5\u003c/strong\u003e (annual segmentation testing for merchants, semi-annual for service providers) and analogous controls in HIPAA, NIST 800-53, and internal zoning standards.\u003c/p\u003e\n\u003cp\u003eThe goal is not to find vulnerabilities. It is to confirm that the firewall/ACL/SDN rules between source and target zones match the documented design — no more, no less. Findings are usually \u0026ldquo;port X is reachable that shouldn\u0026rsquo;t be\u0026rdquo; or \u0026ldquo;this source IP can reach this CDE host.\u0026rdquo;\u003c/p\u003e","title":"Segmentation Testing"},{"content":"\n10/30/2022:\nI love participating in Capture The Flag (CTF) events. When I first became focused on pursuing a career in cybersecurity, I was encouraged by many in the community to compete in the numerous CTFs that are available for all skill levels. What I enjoy most about them, as opposed to standard IT/Security courses, is that the CTF revolves around critical thinking and researching solutions to each challenge. There is no curriculum to reference; it’s all on you!\nThis recent CTF I participated in presented me with a similar problem I had encountered in a previous event. This Web Challenge problem hosted in a Docker instance is displayed below:\nPreviously, I tried numerous techniques to solve this problem and receive the flag. First, I tried simply copying and pasting the output into the new URL. That was, of course, to no avail. 
So next, I tried capturing the GET response and utilizing the repeater function in Burp Suite to speed up my response time. Unfortunately, though I had faith this method would work, it also was not providing me with the flag.\nGET Response\nInserting the GET Response into the URL answer format\nFailure 🙁\nWhen I saw this problem return in this latest event, I decided to take a different approach and write a program in Python to achieve a solution. My code is displayed below:\n#!/bin/python3\n# I created this script in order to successfully complete a challenge on a recent CTF I participated in\n# MEISTSEC\n# 10/2022\nimport requests\n\n# First request: fetch the value the challenge wants echoed back\nx = requests.get(\u0026#39;http://10.10.100.200:40589/number/\u0026#39;)\nblow = x.content\n# The body arrives as bytes; decode it to a str so it can be placed in the URL\ntango = blow.decode(\u0026#39;utf-8\u0026#39;)\n#print(tango)\n# Second request: submit the value as the answer and print the server\u0026#39;s reply\nr = requests.get(f\u0026#39;http://10.10.100.200:40589/number/?answer={tango}\u0026#39;)\nprint(r.content.decode(\u0026#39;utf-8\u0026#39;))\nUtilizing the requests module, I can push HTTP requests to the server and harvest the response body into a variable I named “blow.” The response arrives as raw bytes, so it is decoded as UTF-8 into a readable string in a new variable named “tango.” The script then makes the second GET request with the value of “tango” as the answer, and decodes and prints that response in the same way.\nSummary\nUtilizing Python is an excellent way to solve security issues. The old me would go down a Google rabbit hole of trying to solve the problem by leveraging a security tool or methodology a competitor has previously utilized. Applying critical thinking, addressing what is happening in the problem, and programming my own solution is a more efficient and rewarding process.
Being creative and building solutions aligns with my learning style.\nCheers, Meistsec!\n","permalink":"https://718edc7a.meistsec-blog.pages.dev/posts/pythonctf/pythonctf/","summary":"\u003cp\u003e\u003cimg loading=\"lazy\" src=\"/posts/pythonctf/images/python.jpg\"\u003e\u003c/p\u003e\n\u003cp\u003e10/30/2022:\u003c/p\u003e\n\u003cp\u003eI love participating in Capture The Flag (CTF) events. When I first became focused on pursuing a career in cybersecurity, I was encouraged by many in the community to compete in the numerous CTFs that are available for all skill levels. What I enjoy most about them, as opposed to standard IT/Security courses, is that the CTF revolves around critical thinking and researching solutions to each challenge. There is no curriculum to reference; it’s all on you!\u003c/p\u003e","title":"Python \u0026 Capture the Flag"},{"content":"09/01/2022:\nThis is an analysis of a malware sample studied during TCM Security’s PMAT Course\nPractical Malware Analysis \u0026amp; Triage (PMAT)\nMalware Analysis Report\nunknown.exe Malware\nAug 2022 | Meistsec | v1.0\nExecutive Summary\nSHA256 Hash: 3ACA2A08CF296F1845D6171958EF0FFD1C8BDFC3E48BDD34A605CB1F7468213E\nTCM Security offers HuskyHacks Practical Malware Analysis \u0026amp; Triage Course. The PMAT course has been one of my most enjoyable experiences in learning cybersecurity thus far. The course teaches the fundamentals of malware analysis, reverse engineering, report writing, and establishing rules to prevent malware infections in a network. A sandboxed environment utilizing FlareVM and REMnux Linux on a compartmentalized network was utilized to perform the detailed analysis.\n[unknown.exe] is a malware sample first identified on Aug 31, 2022. It is a Nim-compiled dropper that runs on x64 Windows.\n[unknown.exe] is a self-deleting binary: if it cannot call back to its initial callback domain, it closes the handle to that URL and deletes itself from disk.
This proof of concept was demonstrated through a FlareVM instance executing the [unknown.exe] file while running the Inetsim application in a REMnux instance on a separate virtual machine and terminating the Inetsim process during the malware execution.\nThere are no persistence mechanisms observed in the execution of this binary.\nYARA signature rules are provided at the end of this write-up. Additionally, the malware sample and hashes were submitted to VirusTotal to increase the Infosec community’s awareness of the threat.\nFig 1: Defanged binary staged to be executed in FlareVM\nHigh-Level Technical Summary\n[unknown.exe] makes a single HTTP request to:\nhxxp://update.ec12-4-109-278-3-ubuntu20-04.local/\nwith a user-agent of Mozilla/5.0\\r\\n\nGrepping the Floss strings extraction of the binary for the URL stated above returns nothing. However, a closer look at the Wireshark capture taken while Inetsim was running does reveal an exfiltration domain of hxxp://cdn.altimiter.local/feed?post=[data]\n[unknown.exe] deletes itself from the disk if it cannot complete a TCP handshake to hxxp://update.ec12-4-109-278-3-ubuntu20-04.local/, as well as once the exfiltration of data to the exfiltration domain has completed.\n1. Binary contacts the initial callback domain.\n2. Binary unpacks the [passwrd.txt] file into C:\\Users\\Public\\ in order to encrypt the data.\n3. Binary opens a handle to the targeted file/files on the victim’s desktop. In this instance, the file ‘cosmo.jpg’ is exfiltrated.\n4. Binary base64 encodes the contents of the file/files and encrypts the data with [passwrd.txt].\n5. Encrypted data is exfiltrated through the hxxp://cdn.altimiter.local/feed?post=[data] URL, where [data] is the base64-encoded data.
File Name: unknown.exe\nSHA256 Hash: 3aca2a08cf296f1845d6171958ef0ffd1c8bdfc3e48bdd34a605cb1f7468213e\nunknown.exe is the initial executable that runs after a successful spearphishing email against a victim\nFig 2: Cutter overview of [unknown.exe]\nBasic Static Analysis\nFig 3: Hash output\nFig 4: VirusTotal analysis of the SHA256 hash\nBasic Static Analysis\nFig 5: Grep of “nim” from the strings extraction utilizing Floss\nFig 6: [passwrd.txt] dropped in C:\\Users\\Public\\ directory for encryption\nAdvanced Static Analysis\nFig 7: RC4 encryption protocol located in strings analysis\nFig 8: RC4 encryption function in Cutter analysis\nFig 9: sym.stealStuff_sikomode_130 function invokes the toRC4 function in Cutter when reverse engineering the binary\nFig 9: call houdini__sikomode_51 identifies networked traffic to the initial callback domain; without the initial callback, the function jumps to the self-deletion routine.\nAdvanced Dynamic Analysis\nFig 10: Inetsim utilized in REMnux in order to replicate a networked environment offering open services\nFig 11: Initial callback URL establishing communication\nFig 12: Exfiltration URL callback upon data encryption. Encrypted data is exfiltrated through the hxxp://cdn.altimiter.local/feed?post=[data] URL.
The [data] portion is the base64-encoded data.\nIndicators of Compromise\nNetwork Indicators\nFig 13: Wireshark packet capture of initial beacon check-in\nFig 14: Wireshark packet capture of encryption/base64 data exfiltration\nHost-based Indicators\nFig 15: [passwrd.txt] upload to C:\\Users\\Public\\ directory\nFig 16: [passwrd.txt] the password to decrypt the data\nYARA Signature Rule-set\nCallback URLs\nDOMAINS \u0026amp; PORT\nhxxps://****serv1.ec2-102-95-13-2-ubuntu.local:80\nhxxps://****cdn.altimiter.local/feed?post=[data]:80\n","permalink":"https://718edc7a.meistsec-blog.pages.dev/posts/pmat/pmat/","summary":"\u003cp\u003e09/01/2022:\u003c/p\u003e\n\u003cp\u003e\u003cimg loading=\"lazy\" src=\"/posts/pmat/images/1.png\"\u003e\u003c/p\u003e\n\u003ch2 id=\"this-is-an-analysis-of-a-malware-sample-studied-during-tcm-securitys-pmat-course\"\u003eThis is an analysis of a malware sample studied during TCM Security’s PMAT Course\u003c/h2\u003e\n\u003cp\u003ePractical Malware Analysis \u0026amp; Triage (PMAT)\u003c/p\u003e\n\u003cp\u003eMalware Analysis Report\u003c/p\u003e\n\u003cp\u003eunknown.exe Malware\u003c/p\u003e\n\u003cp\u003eAug 2022 | Meistsec | v1.0\u003c/p\u003e\n\u003ch2 id=\"executive-summary\"\u003eExecutive Summary\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eSHA256 Hash\u003c/strong\u003e: 3ACA2A08CF296F1845D6171958EF0FFD1C8BDFC3E48BDD34A605CB1F7468213E\u003c/p\u003e\n\u003cp\u003eTCM Security offers HuskyHacks Practical Malware Analysis \u0026amp; Triage Course. The PMAT course has been one of my most enjoyable experiences in learning cybersecurity thus far. The course teaches the fundamentals of malware analysis, reverse engineering, report writing, and establishing rules to prevent malware infections in a network.
A sandboxed environment utilizing FlareVM and REMnux Linux on a compartmentalized network was utilized to perform the detailed analysis.\u003c/p\u003e","title":"Practical Malware Analysis \u0026 Triage"},{"content":"\nAfter years on Ubuntu, I switched my daily-driver workstation to Fedora (originally Fedora 36, around the time this post first went up). The piece I want to focus on here is firewall management — specifically, moving off of UFW and learning to drive firewalld properly on a host that runs a lot of virtual machines for security research.\nfirewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It supports IPv4, IPv6, Ethernet bridges, and ipsets, and it cleanly separates runtime and permanent configuration. — firewalld.org\nThe zone model is the important idea. Each network interface (or source) is bound to a zone, and the zone determines which services and ports are reachable on that interface. This is a much better mental model than the flat ruleset I was used to with UFW or raw iptables.\nEnvironment The host runs Fedora with QEMU/KVM managed through virt-manager (the libvirt stack). The default install puts the primary NIC into the FedoraWorkstation zone and the virtual bridge into the libvirt zone. Out of the box FedoraWorkstation permits dhcpv6-client, mdns, samba-client, and ssh — note that permitted does not mean a service is running. The OpenSSH server is not enabled by default on Fedora Workstation, so port 22 only matters once you start sshd.service. Worth checking either way.\nThe use case that drove me to actually learn this: I wanted to serve files from the host to my VMs over an ad-hoc HTTP server (e.g. 
python3 -m http.server 8000) without exposing that port to anything else.\nUseful commands\nRun as root or with sudo.\nList active zones (which zones currently have an interface or source bound):\nfirewall-cmd --get-active-zones\nList everything allowed in a zone:\nfirewall-cmd --zone=FedoraWorkstation --list-all\nfirewall-cmd --zone=libvirt --list-all\nRemove a service you don\u0026rsquo;t need (note the hyphen — it\u0026rsquo;s --remove-service, not --remove service):\nfirewall-cmd --zone=FedoraWorkstation --remove-service=dhcpv6-client\nfirewall-cmd --zone=FedoraWorkstation --remove-service=samba-client\nfirewall-cmd --zone=FedoraWorkstation --remove-service=mdns\nThe inverse uses --add-service=\u0026lt;name\u0026gt;. To see the full catalog of named services: firewall-cmd --get-services.\nLetting specific VMs reach the host\nRather than open a port to the world, bind your VM\u0026rsquo;s address (or subnet) into a trusted zone as a source. Anything from that source will be evaluated against that zone\u0026rsquo;s rules:\nfirewall-cmd --zone=trusted --add-source=192.168.122.50\nNow 192.168.122.50 can hit any open port on the host. Repeat per VM, or use a CIDR (192.168.122.0/24) for the whole virtual network. Confirm:\nfirewall-cmd --get-active-zones\nfirewall-cmd --zone=trusted --list-all\nRuntime vs. permanent\nThis trips a lot of people up. Every command above modifies the runtime config — gone on reboot or systemctl reload firewalld.
There are two ways to make changes stick:\n1. Stage in runtime, verify, then commit:\nfirewall-cmd --runtime-to-permanent\n2. Or write directly to permanent and reload:\nfirewall-cmd --permanent --zone=FedoraWorkstation --remove-service=samba-client\nfirewall-cmd --reload\nI prefer option 1 for anything non-trivial — you get to confirm the rule works before locking it in.\nSanity check after a reload\nsystemctl reload firewalld\nfirewall-cmd --get-active-zones\nfirewall-cmd --zone=FedoraWorkstation --list-all\nfirewall-cmd --zone=libvirt --list-all\nConclusion\nfirewalld is more verbose than UFW, but the zone model fits the way a research host actually works: a hostile-internet-facing zone, a trusted-VM-facing zone, and explicit rules about what crosses between them. Once you internalize runtime vs. permanent and the difference between adding a service and adding a source, day-to-day management is straightforward.\n","permalink":"https://718edc7a.meistsec-blog.pages.dev/posts/firewall/firewall_configurations/","summary":"\u003cp\u003e\u003cimg loading=\"lazy\" src=\"/posts/firewall/images/1.png\"\u003e\u003c/p\u003e\n\u003cp\u003eAfter years on Ubuntu, I switched my daily-driver workstation to Fedora (originally Fedora 36, around the time this post first went up). The piece I want to focus on here is firewall management — specifically, moving off of UFW and learning to drive \u003ccode\u003efirewalld\u003c/code\u003e properly on a host that runs a lot of virtual machines for security research.\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cp\u003e\u003cstrong\u003efirewalld\u003c/strong\u003e provides a dynamically managed firewall with support for network/firewall \u003cem\u003ezones\u003c/em\u003e that define the trust level of network connections or interfaces. It supports IPv4, IPv6, Ethernet bridges, and ipsets, and it cleanly separates \u003cem\u003eruntime\u003c/em\u003e and \u003cem\u003epermanent\u003c/em\u003e configuration.
— \u003ca href=\"https://firewalld.org/\"\u003efirewalld.org\u003c/a\u003e\u003c/p\u003e","title":"Firewall Configurations"},{"content":"3/30/2022\nSo, I initially tackled this target like most—reconnaissance, enumeration, and eventually getting stuck and seeking an external solution. In gaining an understanding of staging buffer overflow attacks, I learned that there is an operating procedure to direct the process—multiple scripts, leveraging Immunity Debugger for the proof of concept, and eventually securing a shell.\nSimilar methods are demonstrated in numerous walk-throughs on the Internet. However, these examples lack flexibility in replicating the process for like targets and vulnerabilities. So, I decided to dig a little deeper.\nOne of the best explanations of how this type of attack is staged can be studied in Heath Adams’ buffer overflow presentation –\nhttps://www.youtube.com/watch?v=ncBblM920jw\nHis explanation of the anatomy/composition of the “buffer stack” really puts this concept into perspective.\nInstead of following a similar procedure like many others who have reviewed this machine, I decided to tackle this challenge with an unconventional approach. I have been yearning to challenge myself in undertaking a Python project to give myself a better understanding of the scripting language.\nSo, I figured why not tackle two birds with one stone and automate the attack process, which I could easily modify for future encounters. In the coming future, I plan to further develop the Buffer Overflow Framework as I progress in my Python learning.
Please review the code for a comprehensive understanding of how this attack procedure is implemented.\n“The Meist” A Buffer Overflow Framework\nhttps://github.com/MEISTSEC/THEMEIST\nThe Attack Process\nInitial Recon\n[sudo nmap -sC -sV -p- -Pn] will give you a more detailed, but time-consuming, enumeration with its NSE scripting and full port analysis\nPort 9999 in browser\nPort 10000 in browser\nConduct a gobuster scan against port 10000, which reveals the [/bin] directory\nbrainpan.exe is being hosted within the /bin directory\nnetcat call of the application\nwget the application onto your Kali machine\nEnvironment Setup\nStart the Microsoft Windows virtual machine and, within “Virus and threat protection,” turn off everything, including real-time protection, under “Manage settings.” The intention is to place this executable in a controlled environment in our local network to stage a buffer overflow attack. Once our proof of concept is functional, we can leverage it against the TryHackMe server room.\nWithin Kali, in the directory where brainpan.exe is located, run the following command to host the file:\npython3 -m http.server 8000\nIn Windows, create a /brainpan directory to receive brainpan.exe from the hosted Kali directory in the previous step. Run the following command in PowerShell:\ncertutil -urlcache -f http://LHOSTKALI:8000/brainpan.exe brainpan.exe\nThroughout the testing of this exploit you will continually reopen brainpan.exe and Immunity Debugger as an administrator.\nRun brainpan.exe as an admin (each time), and also open Immunity Debugger as an admin (likewise throughout this process). In Immunity, select and attach brainpan.exe. Press the red arrow icon to start Immunity Debugger’s import of brainpan.exe.
THE MEIST Programmed automation fuzzing the application\nSet the working folder in Immunity Debugger using Mona with the above command\nFuzzer crashes the app at 600 bytes\nCopy the generated pattern creation variable for step 3\nImport/paste the previously copied pattern generated data\nRun in Immunity Debugger\nTake note of the EIP: it contains part of the pattern, which gives the offset (524)\nEnter offset here\nEnter into Immunity Debugger\nType in the location of bytearray.bin\nStep 3\nCopy the Badchar generation and input it into the next field presented\nThe Badchar generation was entered into the THEMEIST.py script as a variable and placed in the payload\nTake note of the ESP output\nRun the mona command with the ESP register point\nThis will display the BadChars needed to be identified\nEnter the Badchars\nInformation was rewritten to bytearray.bin\nOption 4\nEnter Badchars into Immunity Debugger\nNote the “Jump esp”\nThis part can be confusing. Ensure you document the retn variable and input it in little-endian format (“essentially reversed”) at the prompt\nSelect Y if you did not download the GitHub package or the individual SHELLPOPPER.py script\nOption 5\nOption 6\nIn your Kali instance, run [nc -lvnp 4444] to initiate a listener\nIn Kali run the following command in a new terminal window to set up a listener:\nnc -lvnp 4444\nAnd in another Kali terminal run:\npython SHELLPOPPER.py\nShell Popper in action with the TGT IP and Port\nThe Buffer Overflow proof of concept was successful. We have spawned a local shell from our testing Windows VM environment.\nAttacking the THM Hosted Application\nYou will rerun the msfvenom command to create a new 32-bit payload for a Linux reverse shell to implement into the downloaded SHELLPOPPER.py script. This payload utilizes the tun0 interface established through your OpenVPN connection with TryHackMe.\nCommand shell opened.
Use the above commands to stabilize the shell\nPuck seems to be an unprivileged user\nPrivilege Escalation\nDo some OSINT on documented privilege escalation attacks against Ubuntu 12.10, as well as gtfobins.github.io for Unix binaries used to bypass local security restrictions.\nsudo -l reveals that anansi_util can be executed as root without a password\nA few options are available. However, only the manual option seems to be accessible with current creds\nRun the manual “man” command with the less argument\nBy running the [!bash] command we elevate “puck’s” privileges to the root user\nElevated privs\n","permalink":"https://718edc7a.meistsec-blog.pages.dev/posts/brainpan/brainpan/","summary":"\u003cp\u003e3/30/2022\u003c/p\u003e\n\u003cp\u003e\u003cimg loading=\"lazy\" src=\"/posts/brainpan/images/1.png\"\u003e\u003c/p\u003e\n\u003cp\u003eSo, I initially tackled this target like most—reconnaissance, enumeration, and eventually getting stuck and seeking an external solution. In gaining an understanding of staging buffer overflow attacks, I learned that there is an operating procedure to direct the process—multiple scripts, leveraging Immunity Debugger for the proof of concept, and eventually securing a shell.\u003c/p\u003e\n\u003cp\u003eSimilar methods are demonstrated in numerous walk-throughs on the Internet. However, these examples lack flexibility on replicating the process for like targets and vulnerabilities. So, I decided to dig a little deeper.\u003c/p\u003e","title":"The Meist- A Buffer Overflow Attack Framework"},{"content":"Hello World!! ","permalink":"https://718edc7a.meistsec-blog.pages.dev/posts/hello/hello_world/","summary":"\u003ch1 id=\"hello-world\"\u003eHello World!!\u003c/h1\u003e","title":"Hello_World"}]