Monday, May 29, 2023

NcN 2015 CTF - theAnswer Writeup


1. Overview

Is an elf32 static and stripped binary, but the good news is that it was compiled with gcc and it will not have shitty runtimes and libs to fingerprint, just the libc ... and libprhrhead
This binary is writed by Ricardo J Rodrigez

When it's executed, it seems that is computing the flag:


But this process never ends .... let's see what strace say:


There is a thread deadlock, maybe the start point can be looking in IDA the xrefs of 0x403a85
Maybe we can think about an encrypted flag that is not decrypting because of the lock.

This can be solved in two ways:

  • static: understanding the cryptosystem and programming our own decryptor
  • dynamic: fixing the the binary and running it (hard: antidebug, futex, rands ...)


At first sight I thought that dynamic approach were quicker, but it turned more complex than the static approach.


2. Static approach

Crawling the xrefs to the futex, it is possible to locate the main:



With libc/libpthread function fingerprinting or a bit of manual work, we have the symbols, here is the main, where 255 threads are created and joined, when the threads end, the xor key is calculated and it calls the print_flag:



The code of the thread is passed to the libc_pthread_create, IDA recognize this area as data but can be selected as code and function.

This is the thread code decompiled, where we can observe two infinite loops for ptrace detection and preload (although is static) this antidebug/antihook are easy to detect at this point.


we have to observe the important thing, is the key random?? well, with the same seed the random sequence will be the same, then the key is "hidden" in the predictability of the random.

If the threads are not executed on the creation order, the key will be wrong because is xored with the th_id which is the identify of current thread.

The print_key function, do the xor between the key and the flag_cyphertext byte by byte.


And here we have the seed and the first bytes of the cypher-text:



With radare we can convert this to a c variable quickly:


And here is the flag cyphertext:


And with some radare magics, we have the c initialized array:


radare, is full featured :)

With a bit of rand() calibration here is the solution ...



The code:
https://github.com/NocONName/CTF_NcN2k15/blob/master/theAnswer/solution.c





3. The Dynamic Approach

First we have to patch the anti-debugs, on beginning of the thread there is two evident anti-debugs (well anti preload hook and anti ptrace debugging) the infinite loop also makes the anti-debug more evident:



There are also a third anti-debug, a bit more silent, if detects a debugger trough the first available descriptor, and here comes the fucking part, don't crash the execution, the execution continues but the seed is modified a bit, then the decryption key will not be ok.





Ok, the seed is incremented by one, this could be a normal program feature, but this is only triggered if the fileno(open("/","r")) > 3 this is a well known anti-debug, that also can be seen from a traced execution.

Ok, just one byte patch,  seed+=1  to  seed+=0,   (add eax, 1   to add eax, 0)

before:


after:



To patch the two infinite loops, just nop the two bytes of each jmp $-0



Ok, but repairing this binary is harder than building a decryptor, we need to fix more things:

  •  The sleep(randInt(1,3)) of the beginning of the thread to execute the threads in the correct order
  •  Modify the pthread_cond_wait to avoid the futex()
  • We also need to calibrate de rand() to get the key (just patch the sleep and add other rand() before the pthread_create loop
Adding the extra rand() can be done with a patch because from gdb is not possible to make a call rand() in this binary.

With this modifications, the binary will print the key by itself. 

Related posts

  1. Easy Hack Tools
  2. Nsa Hacker Tools
  3. Pentest Tools For Windows
  4. Hacking Tools For Kali Linux
  5. Hack Tool Apk
  6. Hacking Tools Free Download
  7. Tools 4 Hack
  8. Hack Tools
  9. Free Pentest Tools For Windows
  10. Hack Tools For Mac
  11. Hak5 Tools
  12. Hackrf Tools
  13. Pentest Tools Url Fuzzer
  14. Hack Tool Apk No Root
  15. Hack Tool Apk No Root
  16. What Are Hacking Tools
  17. Pentest Tools Windows
  18. Android Hack Tools Github
  19. Pentest Tools For Windows
  20. Pentest Box Tools Download
  21. Hacking Tools Windows 10
  22. Pentest Tools Subdomain
  23. Pentest Automation Tools
  24. Hackers Toolbox
  25. Hacker Tools For Ios
  26. Hack Tools Download
  27. Pentest Tools Review
  28. Hacker Tools For Mac
  29. Hacker Tools Free
  30. Pentest Tools Free
  31. Hacking Tools Usb
  32. Wifi Hacker Tools For Windows
  33. Tools Used For Hacking
  34. Hacking Tools Windows 10
  35. Hack Website Online Tool
  36. Hacking Tools Name
  37. Hacking Tools Github
  38. Hack Tools
  39. Pentest Tools Alternative
  40. New Hacker Tools
  41. Pentest Tools Kali Linux
  42. Hacker Security Tools
  43. Hack Tools Online
  44. Hacker Tools List
  45. Pentest Tools Linux
  46. Pentest Tools For Windows
  47. Hacker Tools Free Download
  48. Pentest Tools For Ubuntu
  49. Hacking Apps
  50. Hacking Tools For Beginners
  51. Hacker Tools Apk Download
  52. Best Hacking Tools 2020
  53. Hacking Tools Name
  54. Hacking Tools Windows 10
  55. What Are Hacking Tools
  56. Hacking Tools For Windows 7
  57. Pentest Tools Alternative
  58. Pentest Tools List
  59. Hacker Tools 2020
  60. Pentest Tools Website Vulnerability
  61. Nsa Hacker Tools
  62. Hacker Tools 2019
  63. Pentest Tools Port Scanner
  64. Hacking Tools Windows
  65. Hacks And Tools
  66. Game Hacking
  67. Hacker Security Tools
  68. Hacker Tools Mac
  69. Hacking Tools For Mac
  70. Hacking Tools For Kali Linux
  71. Hacker Tools Free Download
  72. How To Make Hacking Tools
  73. How To Hack
  74. Pentest Tools Kali Linux
  75. Pentest Tools Windows
  76. Beginner Hacker Tools
  77. Pentest Tools Apk
  78. Hack Tool Apk No Root
  79. Hacker Search Tools
  80. Hacking Tools For Pc
  81. Pentest Tools Linux
  82. New Hack Tools
  83. Hacking Tools Name
  84. Hacking Tools Windows 10
  85. Hacking App
  86. Hacker Tools 2020
  87. Pentest Tools For Ubuntu
  88. Hack And Tools
  89. Black Hat Hacker Tools
  90. Bluetooth Hacking Tools Kali
  91. Pentest Tools For Mac
  92. Hacker Tool Kit
  93. Hackrf Tools
  94. Hak5 Tools
  95. Hacking Tools Software
  96. Bluetooth Hacking Tools Kali
  97. Hacking Tools Free Download
  98. Hacking Tools For Windows
  99. Pentest Tools Website Vulnerability
  100. Hacking Tools Hardware
  101. Hack Tools Mac
  102. Game Hacking
  103. Hack Tools
  104. Pentest Box Tools Download
  105. Pentest Tools Free
  106. Hack Tool Apk
  107. Hacking Tools Windows 10
  108. Pentest Tools Alternative
  109. Hacking Tools Online
  110. Nsa Hack Tools
  111. Nsa Hack Tools
  112. Hacking Tools Software
  113. Black Hat Hacker Tools
  114. Hacker Tools List
  115. How To Make Hacking Tools
  116. Pentest Tools Download
  117. Pentest Tools Online
  118. Hack Tools Download
  119. Hacking Tools For Beginners
  120. Easy Hack Tools
  121. Hacking Apps
  122. Hacker Tools Apk
  123. Hacking Tools Hardware
  124. Pentest Tools Review
  125. Hacking Tools For Pc
  126. Best Hacking Tools 2020
  127. Hacker Tools Software
  128. Pentest Tools Online
  129. Hacking Tools For Windows Free Download
  130. Bluetooth Hacking Tools Kali
  131. Hacking Tools For Kali Linux

Gotanda - Browser Web Extension For OSINT


Gotanda is OSINT(Open Source Intelligence) Web Extension for Firefox/Chrome.

This Web Extension could search OSINT information from some IOC in web page.(IP,Domain,URL,SNS...etc)

This Repository partly the studying and JavaScript practice.

Download link below.


Usage

Right click highlighted IOC strings, It will show contextmenus.(Or right clicking any link. )

When You want to search using some engine, You choose one of list.


Search Engine List
Name URL Category
Domain Tools https://whois.domaintools.com/ whois Lookup
Security Trails https://securitytrails.com/ whois lookup
whoisds https://whoisds.com/ whois lookup
ThreatCrowd https://www.threatcrowd.org/ Domain, IPv4
AbuseIPDB https://www.abuseipdb.com/ IPv4
HackerTarget https://hackertarget.com/ IPv4
Censys https://censys.io/ IP, Domain
Shodan https://shodan.io/ IP, Domain
FOFA https://fofa.so/ IP, Domain
VirusTotal https://virustotal.com/ IP, Domain, URL,Hash
GreyNoise https://viz.greynoise.io/ IPv4
IPAlyzer https://ipalyzer.com/ IPv4
Tor Relay Search https://metrics.torproject.org/ IP,Domain
Domain Watch https://domainwat.ch/ Domain, Email,whois lookup
crt.sh https://crt.sh/ SSL-certificate
SecurityHeaders https://securityheaders.com/ URL, Domain
DNSlytics https://dnslytics.com/ IPv4,IPv6,ASN
URLscan https://urlscan.io/ URL
Ultratools https://www.ultratools.com/ IPv6
Wayback Machine https://web.archive.org URL
aguse https://www.aguse.jp/ URL
check-host https://check-host.net/ URL
CIRCL https://cve.circl.lu/ CVE
FortiGuard https://fortiguard.com/ CVE
Sploitus https://sploitus.com/ CVE
Vulmon https://vulmon.com/ CVE
CXSecurity https://cxsecurity.com/ CVE
Vulncode-DB https://www.vulncode-db.com/ CVE
Malshare https://malshare.com/ MD5 Hash
ThreatCrowd https://www.threatcrowd.org/ IP,Domain
Hybrid Analysis https://www.hybrid-analysis.com/ hash
Twitter https://twitter.com/ SNS, w/TimeLine
Qiita https://qiita.com SNS
GitHub https://github.com SNS
Facebook https://www.facebook.com/ SNS, w/TimeLine
Instagram https://www.instagram.com/ SNS
LinkedIn https://linkedin.com/ SNS
Pinterest https://www.pinterest.jp SNS
reddit https://www.reddit.com/ SNS

About Twitter and FaceBook could search timeline with any words.


Misc

This extension is optimized for the Japanese environment.




Related links
  1. Usb Pentest Tools
  2. Hacker Tools For Pc
  3. Hack Apps
  4. Tools Used For Hacking
  5. Hacker Tools Mac
  6. Pentest Automation Tools
  7. Hack Tool Apk
  8. Hacking Apps
  9. Hack Tools For Pc
  10. Pentest Automation Tools
  11. Pentest Tools Website Vulnerability
  12. Hacking Tools 2020
  13. Hack Apps
  14. Best Pentesting Tools 2018
  15. Hack Tools Download
  16. Hacking Tools For Windows
  17. Hak5 Tools
  18. Hacking Tools For Beginners
  19. Hacker Tools For Windows
  20. Hacker Tools For Mac
  21. What Is Hacking Tools
  22. Hacker Tools For Mac
  23. Hacker Search Tools
  24. Pentest Tools Review
  25. Hacking Tools Github
  26. Hacking Tools Hardware
  27. Pentest Tools For Windows
  28. Hacker Tools Apk Download
  29. Hacking Tools Mac
  30. Hacking Tools For Beginners
  31. Game Hacking
  32. Hacker Tools For Ios
  33. Wifi Hacker Tools For Windows
  34. Hack Tools
  35. Android Hack Tools Github
  36. Free Pentest Tools For Windows
  37. Pentest Tools List
  38. Hacking Tools Windows 10
  39. Pentest Tools Free
  40. Pentest Recon Tools
  41. New Hacker Tools
  42. Pentest Tools Linux
  43. Pentest Tools For Mac
  44. Hack Website Online Tool
  45. Pentest Tools For Ubuntu
  46. Free Pentest Tools For Windows
  47. Hacking Tools For Windows
  48. Pentest Tools For Windows
  49. Hack Tools Online
  50. Hacker Tools Online
  51. Pentest Automation Tools
  52. Pentest Tools Free

Automating REST Security Part 3: Practical Tests For Real-World APIs

Automating REST Security Part 3: Practical Tests for Real-World APIs

If you have read our two previous blogposts, you should now have a good grasp on the structural components used in REST APIs and where there are automation potentials for security analysis. You've also learned about REST-Attacker, the analysis tool we implemented as a framework for automated analysis.

In our final blogpost, we will dive deeper into practical testing by looking at some of the automated analysis tests implemented in REST-Attacker. Particularly, we will focus on three test categories that are well-suited for automation. Additionally, we will look at test results we acquired, when we ran these tests on the real-world API implementation of the services GitHub, Gitlab, Microsoft, Spotify, YouTube, and Zoom.

Author

Christoph Heine

Overview

Undocumented Operations

The first test that we are going to look at is the search for undocumented operations. These encompass all operations that accessible to API clients despite not being listed in the API documentation. For public-facing APIs, undocumented operations are a security risk because they can expose functionality of the service that clients are not supposed to access. Consequences can range from information leakage to extensive modification or even destruction of the resources managed by the underlying service.

A good example for an operation that should not be available is write access to the product information of a webshop API. While read operations on stock amounts, prices, etc. of a product are perfectly fine, you probably don't want to give clients the ability to change said information.

In HTTP-based REST, operations are represented by the HTTP methods used in the API request (as explained in Part 1 of the blog series). Remember that API requests are essentially HTTP requests which consist of HTTP method (operation), URI path (resource address) and optional header or body data.

GET /api/shop/items 

We can use the fact that REST operations are components from the HTTP standard to our advantage. First of all, we know that the set of possible operations is the same for all HTTP-based REST APIs (no matter their service-specific context) since each operation should map to a standardized HTTP method. As a result, we also have a rough idea what each operation does when it's applied to a resource, since it's based on the assigned purpose of the HTTP method. For example, we can infer that the DELETE method performs a destructive action a resource or that GET provides a form of read access. It also helps that in practice most APIs only use the same 4 or 5 HTTP methods representing the CRUD operations: GET, POST, PUT, PATCH, and DELETE.

If we know a URI path to a resource in the API, we can thus enumerate all possible API requests, simply by combining the URI with all possible HTTP methods:

GET    /api/shop/items POST   /api/shop/items PUT    /api/shop/items PATCH  /api/shop/items DELETE /api/shop/items 

REST-Attacker's test case undocumented.TestAllowedHTTPMethod uses the same approach to find undocumented operations. With an OpenAPI description, the generation of API requests is extremely to automate as the description lists all defined URI paths. Since the API description also documents the officially supported operations, we can slightly optimize the search by only generating API requests for operations not documented for a path (which basically are the candicates for undocumented operations).

To find out whether an undocumented operation exist, we have to determine if the generated API requests are successful. Here, we can again rely on a standard HTTP components that are used across REST APIs. By checking the HTTP response code of the API, we can see whether the API request was rejected or accepted. Since the response codes are standardized like the HTTP methods, we can also make general assumptions based on the response code received. If the operation in the API request is not available, we would expect to get the dedicated response code 405 - Method Not Allowed in the response. Other 4XX response codes can also indicate that the API request was unsuccessful for other reasons. If the operation is accepted, we would expect the API response to contain a 2XX response code.

Using the same approach, we let REST-Attacker search for undocumented operations in all 6 APIs we tested. None of them exposed undocumented operations that could be identified by the tool, which means they would be considered safe in regards to this test. However, it's interesting to see that the APIs could responded very differently to the API requests sent by the tool, especially when considering the response codes.

API Response Codes
GitHub 401, 404
Gitlab 400, 404
MS Graph 400, 401, 403, 404
Spotify 405
YouTube 404
Zoom 400, 401, 403, 404, 405

Spotify's API was the only one that used the 405 response code consistently. Other APIs returned 400, 401, 403, or 404, sometimes depending on the path used in the the API request. It should be noted that the APIs returned 401 - Unauthorized or 403 - Forbidden response codes even when supplying credentials with the highest possible level of authorization. An explanation for this behaviour could be that the internal access checks of the APIs work differently. Instead of checking whether an operation on a resource is allowed, they may check whether the client sending the request is authorized to access the resource.

Credentials Exposure

Excessive Data Exposure from OWASP's Top 10 API Security Issues is concerned with harmful "verbosity" of APIs. In other words, it describes a problem where API responses contain more information than they should return (hence excessive exposure). Examples for excessive data exposure include leaks of private user data, confidential data about the underlying service, or security parameters of the API. What counts as excessive exposure can also depend on the application context of the underlying service.

Since the definition of excessive data exposure is very broad, we will focus on a particular type of data for our practical test: Credentials. Not only do credentials exist in some form for almost any service, their exposure would also have a significant impact on the security of the API and its underlying service. Exposed credentials may be used to gain higher privileges or even account takeovers. Therefore, they are a lucrative target for attacks.

There are several credential types that can be interesting for attackers. Generally, they fit into these categories:

  • long-term credentials (e.g., passwords)
  • short-term credentials (e.g., session IDs, OAuth2 tokens)
  • service-specific credentials for user content (e.g., passwords for files on a file-hosting service)

Long- and short-term credentials should probably never be returned under any circumstances. Service-specific credentials may be less problematic in some specific circumstances, but should still be handled with care as they could be used to access resources that would otherwise be inaccessible to an API client.

The question is: Where can we start looking for exposed credentials? Since they would be part of the API responses, we could scrape the parameters in the response content. However, we may not actually need to look at any response values. Instead, we can examine the parameter names and check for association with credentials. For example, a parameter names "password" would likely contain a type of credential. The reason this can work is that parameter names in APIs are generally descriptive and human-readable, a side effect of APIs often being intended to be used by (third-party) developers.

In REST-Attacker, credentials parameter search is implemented by the resources.FindSecurityParameters test case. The test case actually only implements an offline search using the OpenAPI description, as the response parameter names can also be found there. The implementation iterates through the response parameter names of each API endpoint and matches them to keywords associated with credentials such as "pass", "auth" or "token". This naive approach is not very accurate and can produce a number of false-positives, so the resulting list of parameters has to be manually checked. However, the number of candidates is usually small enough to be searched in a small amount of time, even if the API defines thousands of unique response parameters.

API Parameter Count Candidates long-term short-term service-specific
GitHub 2110 39 0 0 0
Gitlab 1291 0 0 0 0
MS Graph 32199 117 0 0 0
Spotify 290 6 0 0 0
YouTube 703 6 0 0 0
Zoom 800 96 0 0 2

5 out of 6 APIs we tested had no problems with exposed credentials.

Zoom's API was the only one which showed signs of problematic exposure of service-specific credentials by returning the default meeting password for meetings created via the API at an endpoint. It should be noted that this information was only available to approved clients and an required authorized API request. However, the credentials could be requested with few priviledges. Another problem was that Zoom did not notify users that this type of information was accessible to third-party clients.

Default Access Priviledges

The last test category that we are going to look at addresses the access control mechanisms of REST APIs. Modern access control methods such as OAuth2 allow APIs to decide what minimum priviledges they require for each endpoint, operation, or resource. In the same way, it gives them fine-grained control on what priviledges are assigned to API clients. However, for fine-grained control to be impactful, APIs need to carefully decide which priviledges they delegate to clients by default.

But why is it important that APIs assigned do not grant too many priviledges by default? The best practice for authorization is to operate on the so-called least priviledge principle. Basically, this means that a client or user should only get the minimum necessary priviledges required for the respective task they want to do. For default priviledges, the task is usually unspecified, so there are no necessary priviledges. In that case, we would expect an API to grant either no priviledges or the overall lowest functional priviledge level.

If the API uses OAuth2 as its access control method, we can easily test what the API considers default priviledges. In OAuth2, clients can request a specific level of priviledge via the scope parameter in the initial authorization request.

Including the scope parameter in the request is optional. If it's omitted, the API can deny the authorization request or - and that's what we are interested in - decide which scope it assigns to the authorization token returned to the client. By analyzing the default scope value, we can see whether the API adheres to the least priviledge principle.

REST-Attacker can automatically retrieve this information for configured OAuth2 clients with the scopes.TestTokenRequestScopeOmit test case. For every configured OAuth2 client, an authorization request without the scope parameter is sent to the OAuth2 authorzation endpoints of the API. The tool then extracts the scope that is assigned to the returned OAuth2 token. This scope value then has to be manually analyzed.

Out of the 6 APIs we tested, 2 (MS Graph and YouTube) denied requests without a scope parameter. The other 4 APIs (GitHub, Gitlab, Spotify, and Zoom) allowed omitting the scope parameter. Therefore, only the latter 4 APIs assigned default prviledges that could be analyzed.

API Assigned Scope Least Priviledge?
GitHub (none) Yes
Gitlab api No
Spotify (default) Yes*
Zoom all approved No

* OAuth2 scope with least priviledges

Interestingly, the extent to which a least priviledge principle was followed varied between APIs.

GitHub's API assigned the overall lowest possible priviledges by default via the (none) scope. With this scope, a client could only access API endpoints that were already publicly accessible (without providing authorization). While the scope does not grant more priviledges than a public client would get, the (none) scope had other benefits such as an increased rate limit.

In comparison, the Spotify API had no publicly accessible API endpoints and required authorization for every request. By default, tokens were assigned a "default" scope which was the OAuth2 scope with the lowest available priviledges and allowed clients to access several basic API endpoints.

Gitlab's and Zoom's API went into the opposite direction and assigned the highest priviledge to their clients by default. In Gitlab's case, this was the api scope which allowed read and write access to all API endpoints. Zoom required a pre-approval of scopes that the client wants to access during client registration. After registration, Zoom returned all approved scopes by default.

Conclusion

We've seen that while REST is not a clarly defined standard, this does not result in REST APIs being too complex for a generalized automated analysis. The usage of standardized HTTP components allows the design of simple yet effective tests that work across APIs. This also applies to other components that are used across APIs such as access control mechanisms like OAuth2. The practical tests we discussed worked on all APIs we tested, even if their underlying application contexts were different. However, we've also seen that most of the APIs were generally safe against these tests.

Tool-based automation could certainly play a much larger role in REST security, not only for finding security issues but also for filtering results and streamlining otherwise manual tasks. In the long run, this will hopefully also result in an increase in security.

Acknowledgement

The REST-Attacker project was developed as part of a master's thesis at the Chair of Network & Data Security of the Ruhr University Bochum. I would like to thank my supervisors Louis Jannett, Christian Mainka, Vladislav Mladenov, and Jörg Schwenk for their continued support during the development and review of the project.

Continue reading

  1. Hack Tools For Windows
  2. Hacking Tools Name
  3. Wifi Hacker Tools For Windows
  4. Hacking Tools For Games
  5. Hacking Tools Windows
  6. Best Pentesting Tools 2018
  7. Hacking Tools Usb
  8. Hacker Search Tools
  9. Hacking Tools Software
  10. Hacking Tools 2019
  11. Pentest Tools Apk
  12. Pentest Tools
  13. New Hack Tools
  14. Hacker Tools Windows
  15. Hacking Tools Usb
  16. Hack Tools For Ubuntu
  17. Hacking Tools Windows 10
  18. Pentest Tools
  19. Pentest Tools Download
  20. Pentest Tools List
  21. Termux Hacking Tools 2019
  22. Growth Hacker Tools
  23. Hacking Apps
  24. Hacking Tools For Windows 7
  25. Hack Tools Online
  26. Nsa Hack Tools Download
  27. Beginner Hacker Tools
  28. Hak5 Tools
  29. Wifi Hacker Tools For Windows
  30. Hacking Tools 2019
  31. Hack Tools Github
  32. Best Hacking Tools 2020
  33. Hacker Tools For Mac
  34. Nsa Hack Tools
  35. Pentest Tools Subdomain
  36. How To Install Pentest Tools In Ubuntu
  37. Hacking Tools For Windows 7
  38. Install Pentest Tools Ubuntu
  39. How To Install Pentest Tools In Ubuntu
  40. Hacker Tools 2020
  41. Hack Tools Github
  42. Hacker Tools Apk Download
  43. Hack Tools 2019
  44. Hack Tools
  45. Pentest Tools Free
  46. Hack Tools Online
  47. Pentest Recon Tools
  48. Hack Tool Apk No Root
  49. Tools 4 Hack
  50. Hack Tools 2019
  51. Growth Hacker Tools
  52. Hacks And Tools
  53. Hacking Tools For Windows
  54. Hacker Tools For Ios
  55. Hak5 Tools
  56. Hack Tools Download
  57. What Is Hacking Tools
  58. Pentest Tools Alternative
  59. Hacker Tools Linux
  60. Hacking Tools Hardware