Lets Begin the Game



Target IP:  http://54.244.19.42 




On visiting the above IP address, a webpage like the one in the image above appears. Now we will look at the front-end source of the website by right-clicking the page and choosing View Source. The browser will open the JavaScript source of the page, which looks like the image below.



Lets dig into the code :)

The code uses two variables for the username and password, and the password is actually split into two halves. The JS code uses the built-in slice() function to cut the string at the index given as its argument: the first 9 characters (indices 0 to 8, counting from 0) are stored in the variable 'x', and the rest of the string is stored in the variable 'y'.



This code snippet illustrates how the slice() function works in JavaScript.





Analysing the JavaScript code in the console shows one more variable, 'z', which holds the MD5 hash of the data in variable 'y'. A condition is checked in an if statement, and that is the clue, so let's check it out.


Now let's decode the hash. You can use any online tool to look up the reverse of the hash. Here I used CrackStation.




Meanwhile, there is one more thing to crack: the first password, the one stored in variable 'x'. The value stored in that variable is hex-encoded, so let's have some fun with Python.
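As an added example (not the writeup's own code), the same split, hex decoding and MD5 comparison reproduced in Python. The combined value CloudSEK_Jennifer is the one recovered in this writeup; the hex string and the MD5 digest are computed by the code rather than copied from the page. The last function also shows why a check like this, run in the browser, gives the credential away: both constants it compares against are shipped to the client.

```python
# Added example (not the writeup's own code): the challenge's client-side
# login check reproduced in Python, and why it leaks the credential.
# Assumed value: the combined secret "CloudSEK_Jennifer" from the writeup;
# the hex and MD5 constants are computed here, not copied from the page.
import hashlib

SECRET = "CloudSEK_Jennifer"  # constructed from the two halves found above


def split_secret(s, cut=9):
    """Equivalent of JavaScript's s.slice(0, cut) and s.slice(cut)."""
    return s[:cut], s[cut:]


def to_hex(s):
    """Hex encoding, the form in which the page stored the first half."""
    return s.encode("utf-8").hex()


def from_hex(h):
    """Reverse of to_hex(); this is the 'fun with python' step."""
    return bytes.fromhex(h).decode("utf-8")


def md5_hex(s):
    """MD5 digest as a lowercase hex string, like the page's variable 'z'."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def client_side_check(entered, stored_x_hex, stored_y_md5):
    """Mirrors the JS check: hex(x) and md5(y) are compared against constants
    embedded in the page.  Because both constants ship to the browser, x is
    recoverable by hex-decoding and y by an MD5 dictionary lookup, which is
    why a password check must run on the server, never in the client."""
    x, y = split_secret(entered)
    return to_hex(x) == stored_x_hex and md5_hex(y) == stored_y_md5


def recover_first_half(stored_x_hex):
    """What the writeup does with Python: decode the hex constant to text."""
    return from_hex(stored_x_hex)


if __name__ == "__main__":
    x_hex, y_md5 = to_hex("CloudSEK_"), md5_hex("Jennifer")
    print("x recovered from hex:", recover_first_half(x_hex))
    print("check passes:", client_side_check(SECRET, x_hex, y_md5))
```

The split works the same way whether it is written as slice(0, 9)/slice(9) in JavaScript or s[:9]/s[9:] in Python; the weakness is not in slice() but in doing the comparison where the user can read the constants.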




We got the passwords as x = CloudSEK_ and y = Jennifer.

Now we will append the two parts together, pass the result as the password in the URL, and navigate to the page.

URL: http://54.244.19.42/loader.php?p=bWVzc2FnZTFfdG9famFyZWQudHh0Cg%3D%3D&password=CloudSEK_jeniffer





The link redirects to a page that displays a message like this.


So, as the next clue, there should be a login portal, a developer login page. Now let's see whether the page is under restricted access; for that we will look at robots.txt.

A Disallow entry in robots.txt only asks crawlers not to index a path; it does not restrict access, so we can navigate there and take a look. For the login page, we need to get the access token as an alternative to the password in order to bypass the authentication check.


The page has a Local File Inclusion vulnerability. To use it, the path of the file to include is base64-encoded and supplied as a parameter in the URL in the address bar. During the scan we found that loader.php is essentially a script that reads whatever file in the directory it is told to. This vulnerability lets us obtain the access code of the machine.
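As an added example (not the challenge's own loader.php), a Python sketch of a loader that behaves as described, taking a base64-encoded file name in the p parameter, beside a hardened version that confines reads to one directory and a helper that flags escaping values in logs. The base64 value is the one from the URL earlier in this writeup (decoded here, not copied); the directory layout and file contents are constructed for the demo.

```python
# Added example (not the challenge's loader.php): the loader pattern the
# writeup describes, beside a hardened version.  The base64 value is the p
# parameter from the writeup's URL; the files on disk are constructed here.
import base64
import os
import tempfile

# Constructed on-disk layout: one public message file, one file outside it.
ROOT = tempfile.mkdtemp()
PUBLIC = os.path.join(ROOT, "public")
os.makedirs(PUBLIC)
with open(os.path.join(PUBLIC, "message1_to_jared.txt"), "w") as f:
    f.write("hello jared\n")
with open(os.path.join(ROOT, "outside.txt"), "w") as f:
    f.write("placeholder, not the CTF's real token\n")


def decode_p(p):
    """Decode the URL's p parameter (URL-decoded form; the page's value
    ends in a newline, hence the strip)."""
    return base64.b64decode(p).decode("utf-8").strip()


def encode_p(name):
    """Inverse of decode_p, so a caller can build a p value for testing."""
    return base64.b64encode(name.encode("utf-8")).decode("ascii")


def vulnerable_load(p):
    """Behaviour the writeup describes: whatever name p decodes to is read
    relative to the directory, with no check at all."""
    with open(os.path.join(PUBLIC, decode_p(p))) as f:
        return f.read()


def _resolve(name):
    """Resolve name under PUBLIC and report whether it stayed inside."""
    base = os.path.realpath(PUBLIC)
    target = os.path.realpath(os.path.join(PUBLIC, name))
    inside = os.path.commonpath([base, target]) == base
    return target, inside


def hardened_load(p):
    """Refuse anything that resolves outside PUBLIC (covers '..', absolute
    paths and symlinks) and anything that is not a .txt message file."""
    target, inside = _resolve(decode_p(p))
    if not inside or not target.endswith(".txt"):
        raise PermissionError("path outside allowed directory")
    with open(target) as f:
        return f.read()


def is_traversal_attempt(p):
    """Detection helper: True when a logged p value escapes the directory."""
    _, inside = _resolve(decode_p(p))
    return not inside


if __name__ == "__main__":
    p = "bWVzc2FnZTFfdG9famFyZWQudHh0Cg=="  # from the writeup's URL (%3D = '=')
    print("p decodes to:", decode_p(p))
    print("hardened read:", hardened_load(p).strip())
```

The containment check compares realpath results rather than looking for ".." in the string, because the latter misses absolute paths, encoded variants and symlinks; the extension allow-list then narrows what the loader may serve at all.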


Thus the access token below helps to bypass the login page.







Now we will send a POST request with the access_token using the tool curl. The image below shows a curl command that passes access_token as a data argument and triggers a POST request to the login page.


The URL above, ../CloudSEK_to_win_page.html, redirects to a page like the one below.




The URL above leads to a page that contains an image. The image has to be downloaded; it has some strings embedded in it.

The strings embedded in an image can be extracted with the Linux command strings.

Running strings on the image lists the printable strings it contains, among which is the URL of an HTML page.
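As an added example (not the writeup's own command), a Python reimplementation of what strings does at its core: it scans a byte buffer for runs of printable ASCII of a minimum length, and a second function filters those runs down to URLs. The sample bytes, which imitate an image header followed by binary noise and an embedded URL, are constructed for this demo, as is the URL in them.

```python
# Added example (not the writeup's own code): the core of strings(1) in
# Python, run over a constructed byte buffer that imitates an image file
# with a URL embedded among its bytes.  Sample data and URL are constructed.
import re
from typing import List

# Constructed sample: a JPEG-like header, binary noise, an embedded URL,
# a short run ("ok") too brief to count, and a JPEG-like trailer.
SAMPLE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00"
    + bytes(range(0, 32)) * 3
    + b"http://example.invalid/next_page.html\x00"
    + b"\x80\x81\x82ok\x00"
    + b"\xff\xd9"
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes, in file
    order.  'Printable' follows strings(1): 0x20..0x7e plus tab."""
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_urls(data: bytes) -> List[str]:
    """Filter the extracted strings down to things that look like URLs."""
    url = re.compile(r"https?://[^\s\"'<>]+")
    found: List[str] = []
    for s in extract_strings(data):
        found.extend(url.findall(s))
    return found


if __name__ == "__main__":
    for s in extract_strings(SAMPLE):
        print(s)
    print("urls:", find_urls(SAMPLE))
```

The default minimum length of 4 matches the strings command; raising it cuts noise from short accidental runs inside compressed image data, lowering it finds shorter markers at the cost of more junk.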




The URL above shows a page like this.

The game isn't over yet. Let's see the fun part of it :)

We will now use the tool Steghide to extract the hidden text in the You Win Image.



Some of you might be wondering what's wrong with this. "If you find in dark, you will find your worth." Just have a look at the webpage above and observe the dark part of it. Well, of course it is the You Win image.


Let's open the text file and see our worth :)









With the advent of machine learning technology, the number of datasets has shot up rapidly. The basic idea of machine learning is to train a system on data values or instances. These datasets are fed into an algorithm that processes the input and thereby teaches the system. The system then responds in the defined way, depending on how precise the values are.


One such dataset introduced for malware analysis is MIST. Machine learning here involves two steps, clustering and classification. The behaviour-analysis datasets are clustered in order to identify new malware categories; the classification step, on the other hand, helps to detect the category of a particular malware.


DESIGN:

MIST represents behaviour as compact instructions instead of textual report data, which is not suitable for automated analysis. In this representation, the instruction set consists of the individual execution flows of threads and processes, grouped into a single sequential report.




Android devices are manufactured day by day, and some of them may be exposed to vulnerabilities through certain settings on the device. A normal user will not take these bugs into consideration. Since the platform has an open-source license, viruses, malware and worms search for devices whose services they can compromise.

To address the critical situation mentioned above, Rudhra comes with cutting-edge solutions to help end users of Android. It is aimed at protecting Android devices in the hands of laymen. The application tells the user about vulnerable configurations on his device (such as settings) and explains why they could prove dangerous, gives information about the overall health of the device, checks for root access, etc.



Core Features :


  • Read CPU and RAM usage and represent it on a graph.
  • Check for the existence of root access on the device.
  • Check if there is a system hook.
  • Check for vulnerable settings.

We are glad to welcome contributors.

If you wish to be part of the Rudhra development team, follow these steps:

  • Clone the repo by clicking here.
  • Fork the repository and start sharing your idea.









Many website designers rely on a CMS (Content Management System) for their development. One such platform is WordPress, which has many users and powers a tremendous number of websites. However, many vulnerabilities are pointed out every day by hackers and security researchers. One such zero-day vulnerability, recorded in CVE (Common Vulnerabilities and Exposures), affects WordPress websites. This vulnerability is considered a potentially large-scale exploit, as WordPress holds about 29% of the websites on the Internet.


Researchers say that when a particular URL pattern is followed, such as

http://site.com/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core&ver=4.9.1 

When this URL is requested, a load[] parameter is received by load-scripts.php. To handle multiple requests for JS and CSS modules with fewer round trips, two files are provided: load-scripts.php for JS files and load-styles.php for CSS files. The load parameter carries a list of the resources the user requests. Because of this bug, when a user asks for particular JS modules by supplying their names, the server will read every one of the values the user supplied.

The figure above gives the list of resources present in script-loader.php, nearly 181 values. So what would happen if a user requested all the JS modules in that file at once? The server would take a considerable amount of time to process such a large request, causing a Denial of Service attack.
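As an added example (not the article's own mitigation file), detection logic a site operator could run over web-server access logs: it parses each request line, and for requests to load-scripts.php or load-styles.php counts how many modules the load[] parameter asks for, flagging any request above a threshold. The log lines are constructed for this demo (the client addresses are documentation ranges and the long module list is generated, not the real handle list), and the threshold of 10 is an assumption to tune per site.

```python
# Added example (not the article's own code): flag access-log requests to
# load-scripts.php / load-styles.php whose load[] list is unusually long.
# Log lines, client addresses and module names are constructed for the demo;
# the threshold is an assumption to tune against normal admin traffic.
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed: a generated list of 40 module names standing in for a request
# that asks for a large slice of the script-loader registry at once.
BIG_LIST = ",".join(f"module-{i}" for i in range(40))

# Constructed "combined" style access-log lines (not real traffic).
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [01/Jan/2018:10:00:01 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core&ver=4.9.1 HTTP/1.1" 200 9123',
    '203.0.113.5 - - [01/Jan/2018:10:00:02 +0000] "GET /wp-admin/load-styles.php?c=1&load%5B%5D=dashicons,admin-bar&ver=4.9.1 HTTP/1.1" 200 4411',
    f'198.51.100.9 - - [01/Jan/2018:10:00:03 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D={BIG_LIST}&ver=4.9.1 HTTP/1.1" 200 1048576',
    '198.51.100.9 - - [01/Jan/2018:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 2048',
])

# Client IP, method, request target and status from a combined-format line.
_REQ = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TARGET_SCRIPTS = ("load-scripts.php", "load-styles.php")


def count_load_entries(target: str) -> int:
    """Number of modules requested via load[] in one request target.
    Entries are comma-separated and the parameter may also repeat, so both
    forms are counted; non-loader paths count as zero."""
    parts = urlsplit(target)
    if not parts.path.endswith(TARGET_SCRIPTS):
        return 0
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes %5B%5D -> []
    values = qs.get("load[]", []) + qs.get("load", [])
    return sum(len([v for v in val.split(",") if v]) for val in values)


def flag_abusive_requests(log_text: str, max_modules: int = 10) -> List[Tuple[str, int]]:
    """Return (client_ip, module_count) for every loader request that asks
    for more than max_modules modules, in log order."""
    flagged: List[Tuple[str, int]] = []
    for line in log_text.splitlines():
        m = _REQ.match(line)
        if not m:
            continue
        n = count_load_entries(m.group("target"))
        if n > max_modules:
            flagged.append((m.group("ip"), n))
    return flagged


if __name__ == "__main__":
    for ip, n in flag_abusive_requests(SAMPLE_LOG):
        print(f"{ip} requested {n} modules in one loader call")
```

Counting modules per request rather than raw request rate is what separates this pattern from ordinary admin-page traffic, which also hits load-scripts.php but with a handful of handles; repeated hits from one source above the threshold are the signal to rate-limit or block at the web server.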

Proof of Concept: 

      




As a mitigation strategy, we recommend using a PHP file that helps protect you from this attack. All you have to do is clone the file from GitHub and upload it through your server's file manager.

Download

Good Luck 😄





For the past year, Android-based developments and applications have flooded international markets. Every other application is available on many third-party sites. How do we tell whether we are using a legitimate, uninfected copy of the application?

ADHRIT is an open-source tool that can do this task. It is basically a malware analysis tool, but it can equally be used for CTFs and for APK modifications.



How does it work ?

ADHRIT is largely automated to carry out many of the manual tasks that are otherwise time consuming. For instance, to acquire the source code of an APK, one has to extract classes.dex, then use dex2jar to get the corresponding archive, and then use one of the Java decompilers to get the source code in Java. This whole process, which takes around a minute or two by hand, is done in less than 5 seconds by the tool!
The tool provides multiple argument filters for flexibility, so the user can choose exactly how much and what he wants. The effort is to make the tool as compact as possible by isolating the individual tools from the Android SDK. This also relieves the user of the burden of installing and configuring the Android SDK.


ADHRIT can:

*  Extract the APK contents into a directory
*  Dump certificate details
*  Extract source code in Smali
*  Extract source code in Java
*  Parse the binary Manifest XML into readable XML
*  Search for native libraries
*  Analyse permissions used by the application
*  Check for malware footprints in the VirusTotal database
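As an added example (not ADHRIT's own code), the first steps a tool of this kind automates, written with the Python standard library only: unpack the APK (which is a zip file) without letting an entry escape the output directory, check for classes.dex, locate native libraries per ABI and image resources, and compute the SHA-256 that a VirusTotal lookup would be keyed on. The APK here is a constructed in-memory zip with placeholder file bodies, not a real application, and no network request is made.

```python
# Added example (not ADHRIT's own code): APK unpacking and inventory with the
# standard library.  The APK is a constructed in-memory zip with placeholder
# bodies; the SHA-256 is computed locally for a later VirusTotal lookup.
import hashlib
import io
import os
import tempfile
import zipfile
from typing import Dict, List


def build_sample_apk() -> bytes:
    """Constructed minimal APK layout; every file body is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00placeholder-binary-xml")
        z.writestr("classes.dex", b"dex\n035\x00placeholder")
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELFplaceholder")
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELFplaceholder")
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\nplaceholder")
        z.writestr("META-INF/CERT.RSA", b"placeholder-pkcs7")
    return buf.getvalue()


def sha256_hex(apk: bytes) -> str:
    """Hash of the whole APK file; the key you would search on VirusTotal."""
    return hashlib.sha256(apk).hexdigest()


def list_contents(apk: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return z.namelist()


def has_dex(apk: bytes) -> bool:
    """classes.dex is the compiled code that dex2jar/decompilers start from."""
    return "classes.dex" in list_contents(apk)


def native_libs(apk: bytes) -> Dict[str, List[str]]:
    """Map ABI -> native libraries, from entries under lib/<abi>/*.so."""
    found: Dict[str, List[str]] = {}
    for name in list_contents(apk):
        parts = name.split("/")
        if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
            found.setdefault(parts[1], []).append(parts[2])
    return found


def images(apk: bytes) -> List[str]:
    """Image resources, e.g. for pulling icons and pictures out of the APK."""
    return [n for n in list_contents(apk)
            if n.lower().endswith((".png", ".jpg", ".jpeg", ".webp"))]


def extract_apk(apk: bytes, dest: str) -> List[str]:
    """Unpack into dest, refusing any entry whose resolved path would land
    outside dest (the zip-slip case a hostile APK could carry)."""
    written: List[str] = []
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for info in z.infolist():
            target = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"unsafe entry: {info.filename}")
            z.extract(info, dest)
            written.append(target)
    return written


def extract_sample_to_tempdir() -> List[str]:
    """Convenience wrapper: unpack the constructed APK into a fresh temp dir."""
    return extract_apk(build_sample_apk(), tempfile.mkdtemp())


if __name__ == "__main__":
    apk = build_sample_apk()
    print("sha256:", sha256_hex(apk))
    print("has classes.dex:", has_dex(apk))
    print("native libs:", native_libs(apk))
    print("images:", images(apk))
    print("extracted files:", len(extract_sample_to_tempdir()))
```

The containment check in extract_apk matters because an analysis tool unpacks untrusted archives by design; a crafted entry name with ../ components would otherwise write outside the working directory on the analyst's machine.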



The Flow : 





What all can I do ?

*  Build custom/patched APKs if necessary in CTFs. The Java source and the AndroidManifest.xml are extracted by the tool.
*  Build APK mods using the smali code extracted using APK Tool.
*  Analyse source code.
*  Check if the malware is listed on VirusTotal.
*  Get images from the apk.




Can I reuse this code ?

Cent percent, yes! You can use any part of this code, and even a few of the slightly modified tools (which are, again, open-source tools built by wonderful developers), in your projects under the open-source license constraints.


Where To Find ?
The project is still in progress and will also implement static and dynamic analysis techniques. Follow the ADHRIT project on GitHub for continual updates. Stay tuned!


Have a good day !  :)





Dedsec Inside's new project TorBot has released its first beta version (v1.0.0). TorBot is a feature-rich tool developed in Python 3 that crawls deep and dark web sites. It has the basic functionality of a web crawler, including crawling onion links and emails. The current version also provides features like checking the status of the crawled links and searching for custom domains in crawled links. More features like fetching more useful info, saving to a database, etc. will be added to TorBot in later versions. The repository is currently very active and contributions are very welcome. The source code is in DedSec Inside's public repository here: https://github.com/DedSecInside



Basic setup

Before you run the torBot make sure the following things are done properly:

  • Run the tor service: sudo service tor start
  • Set a password for tor: tor --hash-password "my_password" (the hash it prints goes into torrc as HashedControlPassword, together with a ControlPort line)
  • Give the password inside torbot.py:

        from stem import Signal
        from stem.control import Controller

        # Connect to the Tor control port configured in torrc
        with Controller.from_port(port=9051) as controller:
            # authenticate() takes the control password itself, not the hash
            controller.authenticate("your_password")
            # Ask Tor for a new circuit (fresh exit identity)
            controller.signal(Signal.NEWNYM)

Read more about torrc here: Torrc