On port 4545 of the Metasploit 2020 December CTF target machine, two files were available for download: 8_of_hearts.elf and 8_of_hearts.enc. The .elf file was a Linux ELF executable program, and the .enc file was presumably an encoded PNG flag file.
If you ran it and entered some input, you'd be chided for not entering "buffalo". If you entered "buffalo", you'd be told "MOAR buffalo!".
In retrospect, we now know everything we need to know in order to solve it. But since I was thick, I decided to disassemble the code and try to understand what I needed to do.
Continue reading "8 of Hearts: Metasploit 2020 December CTF"
This weekend I partook in the Metasploit 2020 December CTF. I captured three flags (8 of Hearts, Queen of Hearts, Red Joker) and this blog post will detail how I solved for the Queen of Hearts.
At http://$target:9010/ a file was available for download, QoH_Client.jar. When downloaded and run, it describes its usage:
Continue reading "Queen of Hearts: Metasploit 2020 December CTF"
Using OpenSSL to generate keys and Certificate Signing Requests is easy, unless you want to control extended attributes like Subject Alternative Names. Until recently the only way to do it was to edit the config file being fed to OpenSSL. And in my experience, once you've done that, history is a series of losing the OpenSSL config file you created and having to Google around until you figure it out again.
While trying to figure out how to make this process easier for people I'm working with, I found some clever tricks described on Stack Exchange for feeding the config file into OpenSSL using Bash Here Documents. The more I played with that, though, the more complex my rewriting of the OpenSSL config file became - until I decided to inline the entire config file in the script, write it on the fly, and use it to make OpenSSL config file options seamlessly available from the command line.
The result, one_genkey, is available on github for you to play with.
At SANS Pen Test Hackfest 2017 I presented "WAF-aiki: Pentest Techniques against a Web Application Firewall." One aspect of that presentation dealt with wafiron, a bespoke tool that I wrote to deal with a particularly troublesome pentest where the WAF was effectively thwarting all my attacks.
If you'd like to peek at it or play with it, the current version is here.
Continue reading "WAF-aiki tool: wafiron"
Sometimes you want to grab a copy of a server's TLS certificate - usually in order to perform Certificate Pinning. This is an additional security step used to provide additional assurance that the server you're talking to is the correct server (and is not, for example, an imposter using a bogus but legitimately issued certificate).
There are a number of different methods to do so, both from browsers and from the command line. This post documents a couple of command-line methods; a followup post will go into browser methods.
It should be noted - while we're on the topic - that Certificate Pinning is a controversial step to take, because it breaks things. In the ordinary course of events, when a certificate is replaced with a newer certificate, this change is invisible to the client, because both the old and the new certificate "check out" (in that they're issued by a valid CA, they're within valid dates, they're not on a CRL, etc.). When you start pinning, you lose the ability to adapt when a certificate is replaced in the normal course of business (expiration, compromise, addition of SAN names to the cert, etc.). So if you're depending on access to a service, but trying to improve security by pinning, be aware that you may be shooting your availability/uptime in the foot: when the certificate gets replaced by the server's owner, your pinning will break the connectivity.
Continue reading "Grabbing a copy of a server's TLS certificate"
Spam, like the tide, ebbs and flows. Whatever spam filtering tool one is using, there will come a time when new spam messages start sneaking past it. Usually these are temporary setbacks, as the filtering tools are taught to recover from their errors. Sometimes, though, the spam is irritating enough to rate a closer look.
In this post, I'll describe my investigation of a recent surge in spam messages, the common header traits I found which helped identify this particular family of spam, and the one-off filter I wrote to mark them as spam until my main filters catch up.
Continue reading "Analysis and blocking of structured spam headers"