Tuesday, October 20, 2020

Wireshark - Filtering for a Port Knocking sequence

In a recent CTF, I was required to analyze a .pcapng file to find a Port Knocking sequence. I didn't know an easy way to do this, and Google only gave up some half useful answers, so after a bit of research, I decided to write this post in the hopes that someone may stumble upon it in the future :)

Filter: (tcp.flags.reset eq 1) && (tcp.flags.ack eq 1)


Before


After


Make sure that the order number is correct (The "No." column goes from lowest to highest), and read the Port number on the left in the "Info" column.

In this case, the sequence is 7864, 8273, 9241, 12007, 60753, so a:

> knock 10.10.35.61 7864 8273 9241 12007 60753 -t 500

Would get you what you need. 

I found that sometimes you might need to knock 2 or 3 times before the filtered port opens for some reason, but there you go!

Wednesday, August 12, 2020

What looks like binary, but isn't?

Whilst doing a CTF, I came across a crypto challenge similar to the following that looked like binary:

11111111110010001010101110101111111010111111111101101101101100000110100100101111111111111100101001011110010100000000000010100110111100101001001011111111111001010011111111111111100101001011100101000101011110010100000000000000000000000000010101110010100111110010100110010100101111100101001010010100110111111111111111111111111111100101001111111111111111111111110010100100100000000000000000000000000000000000000000000000000000000000000000000000010100100000000000000000000000000000000000000000000010100010101111111001010000000000001010111111111111111001010

After it failed decoding AS binary, I tried the Magic option on CyberChef which failed, and several variations of the Baconian cipher - Which also failed.

After much searching and many failings, I came across Spoon - An esoteric programming language whose code looks like binary. A quick Google search led me to this online interpreter from dCode. Pasting in the text and clicking the "Execute" button got me the result I needed!

Wednesday, July 8, 2020

Exploiting Webmin 1.890 through cURL

In a recent CTF, I came across a legacy version of Webmin with a Metasploit module. I prefer to do things without Metasploit, so decided to use cURL.



  • In the above, you can see that Webmin is running by the page title - "Login to Webmin" and the version - "Server: MiniServ/1.890"

    This specific version of Webmin has a backdoor with an associated Metasploit Module. The exploit looked easy enough, so I decided to do it manually.



  • Basic code execution.



  • We're already root...



  • And there's the flag. I won't cat it in this post, but there you go.

    Monday, September 9, 2019

    Diagnosing a weird lack of RAM

    Whilst recently playing Warframe, the game crashed with an "Out of Memory" error. I found this to be a bit odd as I have 32GB RAM.

    Checking Task Manager, I saw my RAM Usage was weirdly high (25GB / 31.9GB). After closing everything (Chrome, Discord, Visual Studio, SQL Server, etc), it was still sitting at 19GB which was still really high.

    I downloaded the latest version of RAMMap to figure out what was going on. It didn't show any process leaking anything (I have had issues with excessive Modified Page List Bytes being used in the past since I intentionally have no Pagefile - But it wasn't the case here). Then I saw something odd.


    The "Nonpaged Pool" (Whatever that was?) was using up 13.1GB RAM. I didn't realize that was unusual until I searched around and figured out that it should be taking around 500MB - Max - On a Server - With over 100 days uptime. Something was definitely up!

    After extensive research, I found out that the "Nonpaged Pool" was a collection of RAM used up by System drivers. Most people simply recommended to reboot when it gets high, but that wasn't good enough for me - I wanted to figure out what was wrong!

    I eventually came across this awesome page which got me to install the latest Windows SDK to get a process called "poolmon.exe" (Installing a 9GB SDK for a single app seems excessive, but I couldn't figure out any other way to get it...). After running the program and ordering things, the issue was immediately apparent.


    Something with the tag of "AfdB" was using up 6821892960 Bytes (Or 6.8GB) of RAM, whilst the next highest thing "EtwB" was using up 33046784 Bytes (or 33MB) of RAM.

    I opened up CMD and ran

    > findstr /m /l /s AfdB C:\Windows\System32\Drivers\*.sys

    And came up with two results.

    > C:\Windows\System32\Drivers\afd.sys
    > C:\Windows\System32\Drivers\EasyAntiCheat.sys

    So, the problem was either in afd.sys (The "Ancillary Function Driver for WinSock"), or EasyAntiCheat.sys (A third-party anti-hacking program installed by some games). You can most likely guess which one was the issue :p

    The EastAntiCheat.sys in my System32\Drivers folder was from 2016. The latest version correctly located at C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.sys was from 2019. I rebooted in Safe Mode, deleted the one in System32, and rebooted again.

    After 3 days of uptime, my PC is now sitting at a happy 5GB / 31.9GB, and the Non-paged pool is at a much happier 148MB. Much better :)

    Sunday, July 28, 2019

    Running openvpn without it hanging the terminal

    Whilst messing around with HackTheBox, I attempted to connect to the VPN from an Ubuntu VM I have with Google.

    The annoying part was that after it ran, it would hang at "Initialization Sequence Completed", and required a second terminal connection to continue. If I Control+C'd, it would kill the VPN connection.

    After a bit of searching, I found that I could run it then background it by going

    > sudo openvpn Reelix.ovpn &

    In which case it would still hang at "Initialization Sequence Completed", but I could Control+C it without it killing it. Close... But the hanging annoyed me.

    After a bit more searching, I found that OpenVPN had a --daemon parameter, but going

    > sudo openvpn Reelix.ovpn --daemon

    Threw up an error

    > Options error: I'm trying to parse "Reelix.ovpn" as an --option parameter but I don't see a leading '--'
    > Use --help for more information.

    After much searching, I eventually discovered the trick!

    > sudo openvpn --config Reelix.ovpn --daemon

    Success!



    To kill the connection, I could either go

    > sudo pkill -f "openvpn --config Reelix.ovpn"

    Or

    > ps aux | grep openvpn
    > sudo kill -2 processIdHere

    Sunday, September 30, 2018

    Starcraft 2 AI Battles!

    Whilst going through my daily news, I found an article about how an AI Bot in Starcraft 2 managed to beat the hardest native SC2 AI. In my search for the videos of these battles (Which I couldn't find), I managed to find the SC2 API for bots, and with a little more searching - The SC2 AI Ladder.

    Browsing their Wiki, I came across a SC2 Bot writted in C#. So, I did what any awesome developer would do - I downloaded it, customized the daylights out of it, and entered it into the AI Ladder (Without expecting to actually get anywhere - Only a few hours work after all). After a few problems with uploading (Which the Site Admin helped me out with on Discord!), I managed to get a working bot onto their ladder.

    The initial results amazed me!

    Not only was my bot not absolutely terrible - It was winning almost every match it entered! In fact, it had a 78% Win Rate (And a 22% Crash Rate which was destroying my rating...) - And that was just the first version!!! I fixed some crashes, optimized some code, fiddled with the gameplay, and re-entered my Bot - Eager to see how the new changes affected the ratings!

    Tuesday, September 25, 2018

    Tiny C# Remote SSH Version Detector

    Whilst doing some NetSec stuff, I needed a quick way to get the SSH version of a remote target, so I coded the following.

    Demo (No Connection, Open Connection via Netcat, Actual SSH Server, Actual SSH Server on a custom port)

    SSH Version Detector

    Download: Here (5kb)

    Source

    Saturday, September 15, 2018

    Configuring MPC-HC for easy Anime watching

    Whilst watching some Anime recently, I got a bit annoyed that the default language was always set to English, so I had to change the language, and fixed the subtitles every 20 minutes or so which got super annoying.

    I eventually found a fix.

    Right Click -> Options -> Playback -> Default track preference

    Set the number to the "Subtitles" number to the order of the option you prefer at the bottom of the Right Click -> Subtitle Track list, and the "Audio" option to "jpn"


    Tuesday, September 11, 2018

    Simple C# Command-Line Twitch Bot

    Got bored one evening, so decided to create a basic Twitch bot in C#

    It can't really do anything besides watch the chat, count the users, parse Twitch user tag data (Oh gawd why...) and have the user send messages to the chat, but the basic infrastructure is there for anything more complex.

    Code: Here

    Sample Screenshot


    Ready Player One - Audio Book (Free)

    It seems that the Audio Book for Ready Player One has become free. It's read by Wil Wheaton, and it's an awesome listen!

    Go here to see and sample, or just download the entire thing in .ogg format here (480MB)

    Friday, July 27, 2018

    My Chrome Theme

    This is the Fluttershy-themed Chrome theme I use.

    This post is here because I had a few people asking me which it was.

    Theme link: Here

    Thursday, December 28, 2017

    NetSec - A simple .zip dictionary attacker

    I couldn't find a simple app to dictionary attack .zip files on Windows for a NetSec challenge, so I coded one.

    Download Link: Here (106kb)
    Github Repo: Here

    If you're looking for something more intensive, try John the Ripper

    Sample Screenshot

    Sunday, December 18, 2016

    JavaScript - Sum of the first X prime numbers

    I recently had a programming challenge where I had to find the sum of the first X prime numbers in JavaScript in a slightly compressed format, and couldn't find anything decent online.

    So I coded this.


    It could be far better, although the challenge was timed :P

    Thanks to The Polyglot Developer for their "isPrime" function :)

    Wednesday, November 23, 2016

    A Textbox that only allows numbers

    Since this seems so hard to do... An actual working example :)

    Usage HTML: <input type="text" onkeypress="return isNumericKeyPress(event.keyCode);" onpaste="isNumericPaste(this);" />

    OR

    ASP.NET: <asp:textbox ID="txtNumsOnly" runat="server" onkeypress="return isNumericKeyPress(event.keyCode);" onpaste="isNumericPaste(this);"></asp:textbox>

    Demo Type or paste something:

    Samples
    - 1!2@3#
    - Test
    - Test1
    - 1a2b3c

    Saturday, October 29, 2016

    C# - Finding the Median value of a List

    I love using Lists in C#. Unfortunately, the List class lacks some functionality - Like finding the median value in a set.

    Definition: The median is the value separating the higher half of a data sample, a population, or a probability distribution, from the lower half. In simple terms, it may be thought of as the "middle" value of a data set. For example, in the data set {1, 3, 3, 6, 7, 8, 9}, the median is 6, the fourth number in the sample. The median is a commonly used measure of the properties of a data set in statistics and probability theory.

    Examples:

    1.) If there is an odd number of numbers, the middle one is picked. For example, consider the set of numbers:
    1, 3, 3, 6, 7, 8, 9
    This set contains seven numbers. The median is the fourth of them, which is 6.

    2.) In the data set:
    1, 2, 3, 4, 5, 6, 8, 9
    The median is the mean of the middle two numbers: this is (4 + 5) ÷ 2, which is 4.5.
    - Median on Wikipedia

    So - Here's some code to do it :)

    Monday, July 6, 2015

    ASP.NET - Fixing Entity Framework Migration Errors

    AKA

    "The Entity Framework provider type 'System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer' registered in the application config file for the ADO.NET provider with invariant name 'System.Data.SqlClient' could not be loaded. Make sure that the assembly-qualified name is used and that the assembly is available to the running application. See http://go.microsoft.com/fwlink/?LinkId=260882 for more information."

    OR

    "Exception Details: System.InvalidOperationException: The Entity Framework provider type 'System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer' registered in the application config file for the ADO.NET provider with invariant name 'System.Data.SqlClient' could not be loaded. Make sure that the assembly-qualified name is used and that the assembly is available to the running application. See http://go.microsoft.com/fwlink/?LinkId=260882 for more information."

     

    Whilst doing migrations from EF4 to EF6, I came across the following error. This is caused by two different things

    1.) Your project contains both EF4 and EF6 references. If you're using EF6, only EF6 can be in the project. Either remove everything EF4 related, or upgrade it to EF6.

    2.) You're missing a DLL. This seems to be the most common error. Navigate to applicationPath\bin\ on the server, and look for EntityFramework.SqlServer.dll (Should be around 600KB). For some odd reason, it rarely gets included in deployments. If it's not there, simply copy the version from your development machine onto the server, and you're good to go!

    Sunday, July 27, 2014

    The End Of Windows Defender

    I recently had a rather rampant piece of Adware that was effecting Chrome, and causing several miscellaneous words to underline, and hyperlink their way to ad sites. I eventually found the location of the executable, and submitted it to Windows Defender (The Anti Virus I was using at the time).
     
    What I got back shocked me. A result of "Not detected". This means that the executable had been previously submitted, and had been found by the Microsoft researchers to not be harmful.
     
    Curious about the result, I decided to submit the same file to several online virus scanners - All of which detected the file as harmful by no less than 15 separate anti virus scanners, none of which were Windows Defender.  
     
    Curious, I decided to check some previous submissions of mine. The early ones (Back in the Windows 7 / Early Windows 8 period) had all subsequently been added within a few days of my submission. The later ones were either Not Detected or simply No Scan Result Available. Keep in mind that both of those submissions are picked up by the majority of other Anti-Virus's (AVG, F-Secure, Malwarebytes, McAfee, Etc), so I decided to switch.
     
    Having 3 known virus files at my disposal, I decided to look around to various free alternatives. I used to use AVG when they were still located at http://free.grisoft.com/ before they went corporate, but they have since severely dwindled in quality. Norton was out of the question (Any tech-savvy person will know how useless and bloatware-esque it is), so I decided to try Malwarebytes. I downloaded their free version located here (16.5MB), and it quickly scanned my PC, effortlessly finding the 3 files I had, as well as some registry entries that the Adware had created. Happy, I acquired a premium version (Real Time Protection), and went merrily on my way.

    Friday, May 23, 2014

    Convert Number To Month Name In Excel

    A simple Excel function to convert a digit to a month name

    The first letter of the month (Eg: "N" of "November" for 9)
    =TEXT(DATE(2000,A1,1),"MMMMM")

    The complete month name (Eg: "November" for 9)
    =TEXT(DATE(2000,A1,1),"MMMM")

    The abbreviation of the month name (Eg: "Nov" for 9)
    =TEXT(DATE(2000,A1,1),"MMM")

    Thank to this thread.

    Friday, January 17, 2014

    CSS equivalent of the center tag

    From: <center>dataHere</center> to
    To: <div style="margin: auto; text-align: center;">dataHere</div>

    Thanks to Isaksen from Stack Overflow

    Thursday, January 16, 2014

    Online Wh to mAh Converter

    Just a useful little utility :)

    Wh (Eg: 4.44):
    V (Eg: 3.7):
    mAh:

    Formula: mAh = Wh * 1000 / V

    <script type="text/javascript">
    function convertWhtomAh()
    {
    var WhValue = document.getElementById('convertWh').value;
    var VValue= document.getElementById('convertV').value;
    var result = (WhValue * 1000) / VValue;
    void(document.getElementById('convertmAh').value = result);
    }
    </script>

    HTML Font Size Conversion

    Whilst getting rid of font tags today, I needed an easy reference point to find what size rating in one coding format was equivalent to another (Eg: Is <font size="1"> the same as <span style = "font-size: 8px;"> or... ?) and came across this fantastic chart!

    http://www.trishasdesignstudio.com/font-size-conversion-chart.asp

    As the link died, here is a version of it hosted on imgur.

    Monday, January 13, 2014

    How To Rename Google Maps Saved Locations

    Whilst saving various places on Google Maps for navigation on my Android phone, I got annoyed that the phone only listed the address (Which gets confusing when you have a list)

    To rename them to something more friendy, do the following:

    1.) Star a place as per usual.
    2.) Browse to https://www.google.com/bookmarks/
    3.) Click "Edit" next to the one you want to change.
    4.) Change the top line (That currently has the address) to the name you want.
    5.) Click "Save"

    Your Android device will automatically sync, and you will now see the user-friendly name when navigating :)

    Friday, December 20, 2013

    Skype - Ultra High CPU Usage

    The past few days I've noticed that my office laptops Skype was permanently sitting at +- 90%+ CPU usage. Since I use Skype for work, not using it was not exactly a viable option, and restarting it (And updating to the latest version) didn't help.

    I did, however - Find a solution!

    1.) Download Process Explorer
    2.) Run it
    3.) Right click on Skype, and click "Properties"
    4.) Click "Threads" (Ignore the potential message about something not being up to date)
    5.) Sort by CPU usage by clicking the 2nd tab from the left twice.
    6.) Find that a single thread is using all the CPU (For me it was Skype.exe+0x705c although it's also known to be Skype.exe+0x7074)
    7.) Click the offending thread, and click  "Kill"

    Skype's CPU usage will drop to what it's meant to be (0% average for me), with no visible side effects.

    Seems like Microsoft have some threading bug with Skype that's existed for awhile :)