Archive
ECTF 2014 Forensics 400 Help Bob writeup
This is the question:
Message from Bob:
Hello Hacker!
I am having troubles in finding the unique flag assigned to me.
Here are some files from my system.
Could you please help me out?
They gave us the etc, sbin and home directories. When I saw the words "unique flag", many things went through my mind. Could it be an SSH private key? Is there something in Linux, inside the etc directory, that uniquely identifies every machine or user? Or is it the actual challenge file they are asking for? I did not understand. I asked the admin on IRC to explain the term "unique flag", but he refused. Then I kept submitting whatever strings I found that looked like an md5sum, but none of them worked. I left the challenge unsolved and started looking at the others. I came back to this challenge around 10 pm, with my teammates sitting next to me. I asked one of them to read the question and tell me what he understood; different people approach a problem differently.
He suggested cracking the user's password from the shadow file. I had seen the shadow file in the morning too, but had not thought of cracking it, since password cracking takes time and I was too lazy for it. So I tried cracking user bob's password with JTR (John the Ripper).
➜ etc [0] john shadow
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:09 99% 1/3 0g/s 302.2p/s 302.2c/s 302.2C/s b999991930..bob999991906
Phoenix1 (bob)
1g 0:00:00:24 100% 2/3 0.04084g/s 299.1p/s 299.1c/s 299.1C/s Phoenix1..Alice1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
➜ bob [0] cat .bash_history
ls -la
ls
ls -la
cd ../
ls
cd bob/
ls
ls -la
firefox
ls -la
wget http://ancient-citadel-9348.herokuapp.com/giff_flag
ls
cd ../
cd bob/
vim ~/.bash_profile
cd Documents
Installing Linux Profile in Volatility
As I said in my previous blog, you need a compatible system profile to analyse a RAM memory dump. That is, if you have a profile built for kernel 3.2.15, then you can only analyse memory dumps from machines running that same kernel version, 3.2.15. To analyse a dump from some other kernel version, you need to build a separate profile for that kernel in your Volatility tool. Before going to the building part, let me state clearly what I mean by a profile. It is a file (a zip file) into which we compress the kernel data structures and debug symbols. Volatility uses this zip file to mine critical information and to parse the objects inside the memory image. In the next blog I will cover the tools you can use to collect memory dumps from various OSes, with a demonstration on a sample RAM memory dump. For now, I will show you how to successfully build a Linux profile for your Volatility tool.
Determine your kernel version:
bios@bios-VirtualBox:~$ uname -mrs
Linux 3.13.0-24-generic x86_64
Installing a pre-requisite package:
bios@bios-VirtualBox:~$ sudo apt-get install dwarfdump
Creating vtypes:
Some of you might have encountered this error while creating the vtypes:
h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux$ make
make -C //lib/modules/3.13.0-24-generic/build CONFIG_DEBUG_INFO=y M=/home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux modules
make[1]: Entering directory `/usr/src/linux-headers-3.13.0-24-generic'
CC [M] /home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux/module.o
/home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux/module.c:70:33: fatal error: linux/net_namespace.h: No such file or directory
#include <linux/net_namespace.h>
^
compilation terminated.
make[2]: *** [/home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux/module.o] Error 1
make[1]: *** [_module_/home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-3.13.0-24-generic'
make: *** [dwarf] Error 2
That is not the way to do it (note that the failing attempt above was made against volatility-2.2, while the steps below use volatility-2.3.1). Here is the sequence that worked; follow the steps in order.
bios@bios-VirtualBox:~/Desktop/volatility-2.3.1$ cd tools/linux
bios@bios-VirtualBox:~$ sudo chown -R bios Desktop/volatility-2.3.1/tools/linux/
Now run make. You should not get any errors at the end of it.
bios@bios-VirtualBox:~/Desktop/volatility-2.3.1/tools/linux$ make
make -C //lib/modules/3.5.0-49-generic/build CONFIG_DEBUG_INFO=y M=/home/bios/Desktop/volatility-2.3.1/tools/linux modules
make[1]: Entering directory `/usr/src/linux-headers-3.5.0-49-generic'
CC [M] /home/bios/Desktop/volatility-2.3.1/tools/linux/module.o
Building modules, stage 2.
MODPOST 1 modules
CC /home/bios/Desktop/volatility-2.3.1/tools/linux/module.mod.o
LD [M] /home/bios/Desktop/volatility-2.3.1/tools/linux/module.ko
make[1]: Leaving directory `/usr/src/linux-headers-3.5.0-49-generic'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/3.5.0-49-generic/build M=/home/bios/Desktop/volatility-2.3.1/tools/linux clean
make[1]: Entering directory `/usr/src/linux-headers-3.5.0-49-generic'
CLEAN /home/bios/Desktop/volatility-2.3.1/tools/linux/.tmp_versions
CLEAN /home/bios/Desktop/volatility-2.3.1/tools/linux/Module.symvers
make[1]: Leaving directory `/usr/src/linux-headers-3.5.0-49-generic'
Making the Profile:
Go to the /boot directory, find the System.map file for your kernel version, and create the profile by zipping it together with the module.dwarf produced by the make above.
bios@bios-VirtualBox:/boot$ ls -l
total 48888
-rw-r--r-- 1 root root 848290 Jan 25 2013 abi-3.5.0-23-generic
-rw-r--r-- 1 root root 853859 May 3 03:16 abi-3.5.0-49-generic
-rw-r--r-- 1 root root 147880 Jan 25 2013 config-3.5.0-23-generic
-rw-r--r-- 1 root root 148168 May 3 03:16 config-3.5.0-49-generic
drwxr-xr-x 3 root root 12288 May 22 10:42 grub
-rw-r--r-- 1 root root 15543822 May 2 14:44 initrd.img-3.5.0-23-generic
-rw-r--r-- 1 root root 15694176 May 22 10:42 initrd.img-3.5.0-49-generic
-rw-r--r-- 1 root root 176764 Nov 27 2011 memtest86+.bin
-rw-r--r-- 1 root root 178944 Nov 27 2011 memtest86+_multiboot.bin
-rw------- 1 root root 3023265 Jan 25 2013 System.map-3.5.0-23-generic
-rw------- 1 root root 3025898 May 3 03:16 System.map-3.5.0-49-generic
-rw-r--r-- 1 root root 5189248 Aug 2 2013 vmlinuz-3.5.0-23-generic
-rw------- 1 root root 5191616 May 3 03:16 vmlinuz-3.5.0-49-generic
bios@bios-VirtualBox:~$ sudo zip Desktop/volatility-2.3.1/volatility/plugins/overlays/linux/ubuntu-12.04-amd64_3.5.0-49-generic.zip Desktop/volatility-2.3.1/tools/linux/module.dwarf /boot/System.map-3.5.0-49-generic
updating: Desktop/volatility-2.3.1/tools/linux/module.dwarf (deflated 90%)
adding: boot/System.map-3.5.0-49-generic (deflated 79%)
Checking the installation:
If everything went smoothly without any error, you are done creating the Linux profile. Hurray! Now you can check whether everything went your way.
h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ vol3 --info | grep "linux"
Volatility Foundation Volatility Framework 2.3.1
linux_arp – Print the ARP table
linux_banner – Prints the Linux banner information
linux_bash – Recover bash history from bash process memory
linux_check_afinfo – Verifies the operation function pointers of network protocols
linux_check_creds – Checks if any processes are sharing credential structures
linux_check_evt_arm – Checks the Exception Vector Table to look for syscall table hooking
linux_check_fop – Check file operation structures for rootkit modifications
linux_check_idt – Checks if the IDT has been altered
[stripped]
You can see the Linux plugins listed, which confirms that the Linux support is in place.
Checking for the Linux profile version:
h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ vol3 --info | grep "Linux"
Volatility Foundation Volatility Framework 2.3.1
linux_banner – Prints the Linux banner information
linux_yarascan – A shell in the Linux memory image
LinuxUbuntu1204x64 – A Profile for Linux Ubuntu1204 x64
Linuxubuntu-14_04-desktop-amd64_3_13_0-24-genericx64 – A Profile for Linux ubuntu-14.04-desktop-amd64_3.13.0-24-generic x64
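As an added example (not code from the original post), the following Python script does what the sudo zip command above does and adds the sanity check the text stresses: the kernel version in the profile's System.map name must equal the uname -r of the machine the dump was taken from. The file names, their contents and the two kernel version strings in demo() are constructed.

```python
"""Build a Volatility 2 Linux profile zip and sanity-check it.

A profile is just a zip holding the kernel's module.dwarf (the output of
`dwarfdump -di module.ko`) and the matching /boot/System.map-<version>.
The checks enforce the rule stressed in the text: the profile's kernel
version must equal the `uname -r` of the machine the memory dump came from.
"""
import os
import re
import tempfile
import zipfile

# kernel version as it appears in the System.map file name
KVER_RE = re.compile(r"System\.map-(?P<ver>[\w.+-]+)$")


def build_profile(dwarf_path, sysmap_path, out_zip):
    """Zip module.dwarf and System.map into out_zip (what the `sudo zip`
    command in the text does) and return the member names written."""
    for p in (dwarf_path, sysmap_path):
        if not os.path.isfile(p):
            raise FileNotFoundError(p)
    if os.path.getsize(dwarf_path) == 0:
        # an empty module.dwarf means the make/dwarfdump step failed
        raise ValueError("module.dwarf is empty; re-run make in tools/linux")
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        # store by base name so the zip does not carry build-tree paths
        for p in (dwarf_path, sysmap_path):
            zf.write(p, arcname=os.path.basename(p))
    with zipfile.ZipFile(out_zip) as zf:
        return sorted(zf.namelist())


def profile_kernel_version(profile_zip):
    """Return the kernel version encoded in the profile's System.map name,
    or None when the zip lacks a System.map or a .dwarf (not a usable profile)."""
    with zipfile.ZipFile(profile_zip) as zf:
        names = zf.namelist()
    if not any(n.endswith(".dwarf") for n in names):
        return None
    for n in names:
        m = KVER_RE.search(os.path.basename(n))
        if m:
            return m.group("ver")
    return None


def profile_matches_kernel(profile_zip, dump_kernel):
    """True only when the profile was built for exactly dump_kernel
    (the `uname -r` string of the machine the dump was taken from)."""
    return profile_kernel_version(profile_zip) == dump_kernel


def demo():
    """Build a profile from constructed stand-ins for module.dwarf and
    System.map and run the checks against two kernel versions."""
    d = tempfile.mkdtemp()
    dwarf = os.path.join(d, "module.dwarf")
    sysmap = os.path.join(d, "System.map-3.5.0-49-generic")
    with open(dwarf, "w") as f:
        f.write("DW_TAG_structure_type DW_AT_name task_struct\n")  # constructed
    with open(sysmap, "w") as f:
        f.write("ffffffff81000000 T _text\n")  # constructed
    out = os.path.join(d, "ubuntu-12.04-amd64_3.5.0-49-generic.zip")
    return {
        "members": build_profile(dwarf, sysmap, out),
        "version": profile_kernel_version(out),
        "same_kernel": profile_matches_kernel(out, "3.5.0-49-generic"),
        "other_kernel": profile_matches_kernel(out, "3.13.0-24-generic"),
    }


if __name__ == "__main__":
    print(demo())
```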
If you face any issues while building the Linux profile, I will help you fix them. Let me know through the comments.
Installing Volatility in Ubuntu
Volatility is a memory forensics framework for analysing RAM memory dumps from Windows, Linux and Mac. To analyse an operating system's RAM memory in Volatility, you need to build the corresponding operating system's profile. By default the Windows profiles are built into Volatility. If you are analysing a Linux or a Mac memory dump, you have to build the profiles accordingly. The most important thing to note is that you cannot use a profile built on a kernel 3.13 Ubuntu system to analyse a memory dump from a kernel 3.10 Ubuntu system. In this article I am going to show you how to install Volatility on your machine, and in the next blog I will show you how to create Linux profiles to analyse Linux RAM memory. Please note that I am using Ubuntu 12.04, amd64. Also, install the packages in the order given below, and make sure that no errors appear while installing the dependencies and libraries.
[Update] You can also refer to Volatility’s github for the latest updates about dependencies.
Step 1: Installing dependencies
h1dd3ntru7h@bi0s:~$ sudo apt-get install subversion pcregrep libpcre++-dev python-dev -y
Step 2: Installing PyCrypto
You can either use pip to install the library or you can download the source from here and install.
h1dd3ntru7h@bi0s:~/Apps$ tar -zxvf pycrypto-2.6.1.tar.gz
h1dd3ntru7h@bi0s:~/Apps/pycrypto-2.6.1$ python setup.py build
h1dd3ntru7h@bi0s:~/Apps/pycrypto-2.6.1$ sudo python setup.py build install
Step 3: Installing distorm3
distorm3 is a disassembler library for x86/AMD64. You can download the source from here.
h1dd3ntru7h@bi0s:~/Apps/distorm3$ unzip distorm3.zip
h1dd3ntru7h@bi0s:~/Apps$ cd distorm3/
h1dd3ntru7h@bi0s:~/Apps/distorm3$ python setup.py build
h1dd3ntru7h@bi0s:~/Apps/distorm3$ python setup.py build install
Step 4: Installing Yara
Volatility supports many plugins that help identify malware in memory dumps, and many of the malware-related plugins use the Yara library. You can download the most recent version available, but for this demo I am using an older version of Yara.
h1dd3ntru7h@bi0s:~/Apps$ wget http://yara-project.googlecode.com/files/yara-1.4.tar.gz
h1dd3ntru7h@bi0s:~/Apps$ tar -zxvf yara-1.4.tar.gz
h1dd3ntru7h@bi0s:~/Apps$ cd yara-1.4/
h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ sudo ./configure
h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ sudo make
h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ sudo make install
Step 5: Installing Yara Python
Please follow the instructions in Step 4 before installing Yara Python. You can download the Yara Python 1.4a source from here. Note that if you downloaded a different version of Yara in Step 4, you must download a compatible version of Yara Python.
h1dd3ntru7h@bi0s:~/Apps$ tar -zxvf yara-python-1.4a.tar.gz
h1dd3ntru7h@bi0s:~/Apps$ cd yara-python-1.4a/
h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ python setup.py build
h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ python setup.py build install
h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ echo "/usr/local/lib" >> /etc/ld.so.conf
h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ ldconfig
We are done installing the dependencies; now we will install the Volatility framework. Please download the source from here. You can place it wherever you want. After downloading, extract it to a directory.
h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python setup.py build
h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python setup.py build install
This completes the installation. If everything went right, you should get output similar to this:
h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python vol.py -h
Volatility Foundation Volatility Framework 2.3.1
Usage: Volatility - A memory forensics analysis platform.
Options:
-h, --help list all available options and their default values.
Default values may be set in the configuration file
(/etc/volatilityrc)
--conf-file=/home/h1dd3ntru7h/.volatilityrc
[stripped]
InCTF 2014 – National Level Ethical Hacking contest
Not a day passes without several machines being compromised and infections spreading rampantly somewhere in the world. The cyber world has witnessed several dangerous attacks, including the Stuxnet virus and its successor Duqu. Other recent attacks include the Flame malware, which managed to disguise itself as legitimate Windows software: it exploited a bug in Windows to obtain a certificate that let it authenticate itself as genuine Windows software. Other notable examples include the rise of botnets such as the highly resilient Zeus banking trojan and the Conficker worm. There have also been instances of espionage by government agencies on one another, such as the recent incident where Georgia CERT discovered a Russian hacker spying on them.
Indian websites offer little or no resistance to such security incidents. The Computer Emergency Response Team, India (CERT-In) has been tracking defacements of Indian websites, among other security incidents. Their monthly and annual bulletins detail the vulnerabilities and malware infections found in various Indian websites. It is really sad that, with so much talent and skill, Indian websites are compromised frequently and nothing can be done to stop this wave of attacks on them.
InCTF is a Capture the Flag style ethical hacking contest, a strategic war-game designed to mimic real-world security challenges. Software developers in India have little exposure to secure coding practices and to the effects of not adopting them, which is one of the main reasons why systems are compromised so easily these days. Following such simple practices can help prevent such incidents.
InCTF '14 runs from December 2013 to March 2014 and is focused exclusively on the student community. No prior exposure to or experience in cyber security is needed to participate.
What do you need to do?
1. Form a team (minimum three and maximum five members from your college)
2. Approach a faculty/mentor and request him/her to mentor your team
3. Register online at http://portal.inctf.in
Great Rewards:
20K – The winning team receives a cash prize of up to Rs. 20000/-
15K – The first runner-up team receives a cash prize of up to Rs. 15000/-
10K – The second runner-up team receives a cash prize of up to Rs. 10000/-
See Prizes for more.
Note
- Teams are awarded prizes based on their performance
- Deserving teams are well awarded. Exciting prizes to be won.
So, what are you waiting for? It’s simple: Register, Learn, Hack!
*Cash prizes are subject to performance and participation in the CTF round. Only teams that connect to the VPN server and successfully gain points in the CTF round are eligible for prizes. In addition, cash prize winners of previous editions of InCTF and sCTF are not eligible for prizes this time. Prizes will be awarded only if no member of the team is in the final year of their education. The decision of Team InCTF is final.
Hardening Grub
The simplest way into someone else's Linux machine is through GRUB. No password is needed to gain access: just edit the boot entry and do one of the notorious things, such as changing the root user's password or another user's password. If you use your PC only for normal or rough use, stringent precautions are not strictly necessary; you should still be secure, but the choice is yours. A computer without security is like a house without a gate, doors and fence. For people who work in industry or banks, and for system administrators, security is mandatory and unavoidable. What happens if someone keeps a trove of confidential information on the machine, such as user passwords, bank accounts and personal information? What happens if your enemy deletes all the work you have stored on your PC? If your PC runs two operating systems, say Linux and Windows, then the Windows user password can easily be broken by bypassing the Linux GRUB as well. I recently learned a few methods to secure GRUB, and I am sharing them here. Follow these steps and I can assure you that the problems above can be eliminated to some extent.
I am going to use the Ubuntu operating system for the hardening. First you should know how people get into the system. Many start by editing the line "ro quiet splash" to "rw init=/bin/bash" during startup (usually by pressing "e" on the menu). The second way is using the recovery mode. So the solution is to set a GRUB password for your system and disable the recovery mode. Follow the steps carefully.
Part 1: Disabling the Recovery mode
1. Get into the /etc/default directory
2. Open the grub file
shankie@ubuntu:~$ cd /etc/default/
shankie@ubuntu:/etc/default$ sudo vim grub
3. By default the GRUB_DISABLE_RECOVERY line is commented out. Just uncomment it to disable the recovery mode during startup. After uncommenting, the line reads GRUB_DISABLE_RECOVERY="true".
4. Save the file and update GRUB.
Use sudo to update GRUB: sudo update-grub
Part 2: Setting up a Password for your grub!
1. Become the root user
2. Move into the /etc/grub.d/ directory
Description of each file:
i. 00_header – Password Protection
ii. 05_debian_theme – Set background color, text and themes
iii. 10_linux – Locates Linux kernels based on results of the “lsb_release” command
iv. 20_memtest86+ – If the file /boot/memtest86+.bin exists, it is included in the menu item.
v. 30_os-prober – Searches for OS and adds in the menu
vi. 40_custom – A template for adding custom menu entries.
3. Make a backup of the 00_header file
root@ubuntu:/etc/grub.d# cp 00_header 00_header.BKP
root@ubuntu:/etc/grub.d#
4. Create a GRUB password
root@ubuntu:/etc/grub.d# grub-mkpasswd-pbkdf2
Enter password:
Reenter password:
Your PBKDF2 is grub.pbkdf2.sha512.10000.0DCEEC2D624BA3DBDFACF2AE311617236143EE7E930E862706D3A4089AD3ADA1C0E1274EA0F53DC466100653C2BB164937D6D9932D90BC18F2F03C1E765389A8.F0C2399E573C9BFA6DD9107F031DEBF9AA5C0C15531CBCEA95C31D9CDA2FEBBCBF4BEE14AFA17CED8B2BA7800DC451BA7A0B222265B2CB69D590A2B11C0CE88E
5. Copy and paste the output into a text file, starting from "grub.pbkdf2.sha512.1000…"
6. Edit the 00_header file:
Add the following lines at the end of the file. In the third line (password_pbkdf2 username), after the username, paste the output you copied into the text file. I am using my username "h1dd3ntru7h"; enter your own username in both the set superusers line and the password_pbkdf2 line.
cat << EOF
set superusers="h1dd3ntru7h"
password_pbkdf2 h1dd3ntru7h grub.pbkdf2.sha512.10000.0DCEEC2D624BA3DBDFACF2AE311617236143EE7E930E862706D3A4089AD3ADA1C0E1274EA0F53DC466100653C2BB164937D6D9932D90BC18F2F03C1E765389A8.F0C2399E573C9BFA6DD9107F031DEBF9AA5C0C15531CBCEA95C31D9CDA2FEBBCBF4BEE14AFA17CED8B2BA7800DC451BA7A0B222265B2CB69D590A2B11C0CE88E
EOF
7. Save the file and update the grub.
Now you are done with Part 1 and Part 2, and your GRUB is protected. Make sure you do not forget the GRUB password. Reboot your system and try to edit a GRUB entry: it will prompt for the username and password. Now no one can edit GRUB without the password you generated.
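As an added example (not part of the original post), here is a Python audit of the generated /boot/grub/grub.cfg that checks both parts of the procedure: no recovery-mode entry survived, and 00_header emitted a superusers line with a well-formed password_pbkdf2 hash. It also lists menu entries that lack --unrestricted, because once superusers is set GRUB asks for the password to boot those entries, not only to edit them. The grub.cfg excerpt, salt and hash in SAMPLE_CFG are constructed.

```python
"""Audit a generated /boot/grub/grub.cfg for the two hardening steps:
no recovery-mode entry left, and a PBKDF2 superuser password set by
00_header. Works on the file text alone, so it runs offline on a saved copy."""
import re

# grub-mkpasswd-pbkdf2 output: grub.pbkdf2.sha512.<iterations>.<salt>.<hash>
PBKDF2_RE = re.compile(
    r"^grub\.pbkdf2\.sha512\.(?P<iter>\d+)\.(?P<salt>[0-9A-Fa-f]+)\.(?P<hash>[0-9A-Fa-f]+)$")


def parse_pbkdf2(token):
    """Return (iterations, salt_bytes, hash_bytes) for a well-formed hash,
    or None if it is malformed, e.g. a line wrap left a space inside it."""
    m = PBKDF2_RE.match(token)
    if not m:
        return None
    return int(m.group("iter")), len(m.group("salt")) // 2, len(m.group("hash")) // 2


def audit_grub_cfg(cfg_text):
    """Report superusers, users with a valid/invalid password_pbkdf2 line,
    surviving recovery entries, and entries without --unrestricted (with
    superusers set, GRUB asks for the password to boot those, not only to edit)."""
    r = {"superusers": None, "pbkdf2_users": [], "bad_hash_users": [],
         "recovery_entries": [], "restricted_entries": []}
    for line in cfg_text.splitlines():
        s = line.strip()
        m = re.match(r'set superusers="?([^"\s]+)"?', s)
        if m:
            r["superusers"] = m.group(1)
            continue
        m = re.match(r"password_pbkdf2\s+(\S+)\s+(\S+)", s)
        if m:
            user, token = m.groups()
            key = "pbkdf2_users" if parse_pbkdf2(token) else "bad_hash_users"
            r[key].append(user)
            continue
        m = re.match(r"menuentry\s+'([^']*)'(.*)\{", s)
        if m:
            title, opts = m.groups()
            if "recovery mode" in title:
                r["recovery_entries"].append(title)
            if "--unrestricted" not in opts:
                r["restricted_entries"].append(title)
    return r


def hardened(cfg_text):
    """True when a superuser has a valid hash and no recovery entry remains."""
    r = audit_grub_cfg(cfg_text)
    superusers = set((r["superusers"] or "").split(","))
    return bool(superusers & set(r["pbkdf2_users"])) and not r["recovery_entries"]


# constructed grub.cfg excerpt; real salt and hash are 128 hex chars each
SAMPLE_SALT = "0a" * 64
SAMPLE_HASH = "f1" * 64
SAMPLE_CFG = """\
### BEGIN /etc/grub.d/00_header ###
set superusers="h1dd3ntru7h"
password_pbkdf2 h1dd3ntru7h grub.pbkdf2.sha512.10000.""" + SAMPLE_SALT + "." + SAMPLE_HASH + """
### END /etc/grub.d/00_header ###
menuentry 'Ubuntu' --class ubuntu --class gnu-linux --class gnu --class os {
    linux /boot/vmlinuz-3.5.0-49-generic root=UUID=constructed ro quiet splash
}
menuentry 'Ubuntu, with Linux 3.5.0-49-generic (recovery mode)' --class ubuntu {
    linux /boot/vmlinuz-3.5.0-49-generic root=UUID=constructed ro recovery nomodeset
}
menuentry 'Memory test (memtest86+)' --unrestricted {
    linux16 /boot/memtest86+.bin
}
"""

if __name__ == "__main__":
    print(audit_grub_cfg(SAMPLE_CFG), hardened(SAMPLE_CFG))
```

Run it against a real grub.cfg by passing the file's text to audit_grub_cfg; the sample deliberately still contains a recovery entry, so hardened() reports False until it is removed.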
InCTF’12 – National Level Ethical Hacking Contest
Amrita University & TIFAC CORE
proudly present
InCTF ’12
National Level "Capture the Flag" style ethical hacking contest. Not a day passes without several websites being compromised. The latest in the line of compromised websites was http://kernel.org, the home page of the Linux kernel. Many more security incidents go unreported. The security of sensitive data has several implications, ranging from national security issues to defense secrets ending up in the wrong hands, and much more.
Indian websites offer little or no resistance to such security intrusions. The Computer Emergency Response Team, India (CERT-In) has been tracking defacements of Indian websites and more. Their report can be viewed here. It is really sad that, with so much talent and skill, Indian websites are compromised frequently and nothing can be done to stop this wave of attacks on them.
InCTF is a Capture the Flag style ethical hacking contest, a strategic war-game designed to mimic real-world security challenges. Software developers in India have little exposure to secure coding practices and to the effects of not adopting them, which is one of the main reasons why systems are compromised so easily these days. Following such simple practices can help prevent such incidents.
InCTF '12 runs from November 2011 to January 2012 and is focused exclusively on the student community. You can participate from your own university and no travel is required. No prior exposure to or experience in cyber security is needed to participate.
What do you need to do?
1. Form a team (max five members from your college)
2. Approach a faculty/mentor and request him/her to mentor your team
3. Register online at http://inctf.in
In addition, it has been decided that teams which finished in the top 10 places in InCTF 2011 qualify directly for the second round; they do not have to participate in the first round. Congratulations to all these teams!
Great Rewards
25K – The winning team receives a cash prize of up to Rs. 25000/-
20K – The first runner-up team receives a cash prize of up to Rs. 20000/-
15K – The second runner-up team receives a cash prize of up to Rs. 15000/-
10K – The third runner-up team receives a cash prize of up to Rs. 10000/-
5K – The fourth runner-up team receives a cash prize of up to Rs. 5000/-
See http://inctf.in/prizes for more.
Special Prizes*
- Teams are awarded prizes based on their performance
- Deserving teams are well awarded. Exciting prizes to be won.
So, what are you waiting for? It’s simple: Register, Learn, Hack!
Round One:
1. Learning round
2. Contestants have to complete a set of tasks (offline) within a given period.
Round Two:
1. Consists of both offline and online tasks
2. Time limit is 3 hrs
3. Top 30 members will be selected for the final round
Round Three:
1. CTF – Defend your assigned machine and attack the others' machines.
Registration starts on November 1st
Stuxnet
Day by day, technology is becoming more sophisticated: the smaller the size, the greater the consequences. As an example, in June last year a computer virus called Stuxnet was found lurking in databanks, power plants, traffic control systems and factories around the world. This virus is 20 times more complex than other viruses. It does not have a contiguous array of capabilities. Stuxnet is a weapon made entirely of code. What can it do? Amazing, when I heard about its effects:
- It turns up the pressure in nuclear reactors,
- It switches off oil pipelines while reporting that everything is normal.
It exploited security gaps that the system creators were unaware of. These security holes are known as zero-days. A zero-day can be sold on the black market at a rate of 100,000$. Stuxnet took advantage of 20 zero-days. It is not like other viruses that merely annoy users: this virus has a specific task, and without that task the virus remains dormant. The International Science and International Security (ISIS) says that
1) it can shut down 1000 centrifuges, and
2) it can lead to a national electricity blackout.
Iran has responded to this attack by turning to open hackers, reported as the 2nd largest online army in the world. Some alleged that Israel was behind it, since it contains a reference to the Hebrew Bible, that the US was involved in testing and development, and also the Siemen mobile company, since its software has been used by the Iranian regime. Evolution is fast: nine months after its detection, it is the first virus that can crash hundreds of power grids or destroy oil pipelines. Just imagine the size of the virus file against the size of its victims!