Posts

Fuzzing IoT devices for memory corruption 0-days.

TL;DR summary: This article is about discovering memory corruption vulnerabilities in IoT devices. By the time you finish it you will understand everything from setting the device up for fuzzing to developing a complete working exploit, what we call zero-to-hero kind of stuff. You can also expect a lot of memes and some extra knowledge.
Prerequisites: Before we start I would like to cover some basics about the post and the terms used here.
IoT Devices

IoT devices are generally built around RISC processors. Those who cannot recall what that means can think back to their engineering days, when you probably broke your head understanding the working of the 8041/8051 microcontrollers. RISC stands for Reduced Instruction Set Computer, and below is a list of processors and modules you will see widely used in IoT:
MIPS
ARM
ST microcontrollers
MediaTek MT3620
Quectel BG96
There are plenty of resources available on the internet to read about and explore this stuff, so I suggest having a look at the datasheets …

The story of a blind SSRF leading to internal host discovery.

Background: After reading lots of tweets on SSRF, I decided to test only for SSRF in bug bounties. Generally I work on the Synack platform because of its precise scope and response time. I love HackerOne too, but with limited resources and a lack of automation I fail at (and hate) doing lots of discovery work, whether content discovery or asset discovery; I hate both, lol. Sometimes it takes far too long on my Intel Core i5 with 16 GB of RAM and a 20 Mbps connection just to discover an asset or some content. Hence I prefer a defined scope for testing, so that I can spend more time on testing and sharpening my testing skills rather than my discovery skills.
Approach: Since there are many targets and many skilled researchers on this platform as well, you have to be very specific when selecting targets. It is hard to believe, but a bug submitted 20 minutes after a target goes live can already be a duplicate, and the bug identifier tells you your bug id is targetname-13.

So that's a different pain altogether. Also …

How to get severity and CVSS score on the command line.

Preface

Hi all,

While working on a project, I faced the challenge of obtaining the CVSS score and severity for multiple CVE IDs.
One option was the lame method: visit the MITRE page and note the values down in Excel, but I might have to perform this activity again in future.
So I tried writing a script which fetches the CVSS 2 and CVSS 3 scores from MITRE and prints them to the terminal.
So here the journey began, for cve2rating.
Birth of cve2rating.py

cve2rating.py: A simple Python script which shows the CVSS 2 and CVSS 3 score on the command line interface.

Sample:

    python cve2rating.py CVE-2017-1337
    ('CVE Details for', 'CVE-2017-1337')
    CVSS Score 3 for CVE-2017-1337
    CVE score is: 8.1
    Severity for is: High
    CVSS Score 2 for CVE-2017-1337
    CVE score is: 4.3
    Severity for i…
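The script itself is not reproduced in the excerpt above, so here is an added example (my own code, not cve2rating.py) of the two pieces such a tool needs once it has a CVE record in hand: the CVSS 3.x and CVSS 2 score-to-severity bands, and pulling both base scores out of a JSON record. The record layout assumes the NVD API 2.0 field names (cvssMetricV31, cvssMetricV30, cvssMetricV2, cvssData.baseScore); the embedded JSON is a constructed sample that reuses the numbers from the output above, not a live lookup.

```python
"""Added example (not the cve2rating.py script from the post): map CVSS 2 and
CVSS 3 base scores to their qualitative severity ratings and pull both scores
out of an NVD API 2.0 style JSON record. The JSON below is a constructed
sample that mirrors the numbers in the post's output, not a live response."""
import json

# CVSS v3.x qualitative severity rating scale (FIRST specification).
CVSS3_BANDS = [
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
]

# CVSS v2 severity bands as used by NVD (no "None", no "Critical").
CVSS2_BANDS = [
    (0.0, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 10.0, "High"),
]


def severity(score, bands):
    """Return the qualitative rating for a base score; reject out-of-range input."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0: %r" % score)
    score = round(score, 1)
    for low, high, label in bands:
        if low <= score <= high:
            return label
    raise ValueError("no band for score %r" % score)


def severity_v3(score):
    return severity(score, CVSS3_BANDS)


def severity_v2(score):
    return severity(score, CVSS2_BANDS)


# Constructed sample in the shape of an NVD API 2.0 "vulnerabilities" entry
# (assumption: field names cvssMetricV31 / cvssMetricV2 / cvssData / baseScore).
SAMPLE_NVD_JSON = json.dumps({
    "vulnerabilities": [{
        "cve": {
            "id": "CVE-2017-1337",
            "metrics": {
                "cvssMetricV31": [{"cvssData": {"baseScore": 8.1}}],
                "cvssMetricV2": [{"cvssData": {"baseScore": 4.3}}],
            },
        }
    }]
})


def cve_ratings(nvd_json_text):
    """Extract {cve_id: {"v3": (score, severity), "v2": (score, severity)}}.

    Either metric may be absent (old CVEs have no v3 score, new ones often
    have no v2 score); that key then maps to None instead of guessing.
    """
    doc = json.loads(nvd_json_text)
    out = {}
    for item in doc.get("vulnerabilities", []):
        cve = item["cve"]
        metrics = cve.get("metrics", {})
        entry = {"v3": None, "v2": None}
        # Prefer v3.1 and fall back to v3.0 when only that is published.
        for key in ("cvssMetricV31", "cvssMetricV30"):
            if metrics.get(key):
                s = float(metrics[key][0]["cvssData"]["baseScore"])
                entry["v3"] = (s, severity_v3(s))
                break
        if metrics.get("cvssMetricV2"):
            s = float(metrics["cvssMetricV2"][0]["cvssData"]["baseScore"])
            entry["v2"] = (s, severity_v2(s))
        out[cve["id"]] = entry
    return out


def format_report(ratings):
    """Render the ratings in the same spirit as the post's terminal output."""
    lines = []
    for cve_id, entry in sorted(ratings.items()):
        for label, key in (("CVSS Score 3", "v3"), ("CVSS Score 2", "v2")):
            if entry[key] is None:
                lines.append("%s for %s: not available" % (label, cve_id))
                continue
            score, sev = entry[key]
            lines.append("%s for %s: %s (%s)" % (label, cve_id, score, sev))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(cve_ratings(SAMPLE_NVD_JSON)))
```

To query for real, fetch https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2017-1337 and pass the response body to cve_ratings(). Keep the two scales apart in your reporting: the bands line up for Low and Medium, but v2 tops out at High while v3 adds None and Critical, so a v2 "High" can be anything from 7.0 to 10.0.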

NullCON #ackIm CTF 2017 Write-Up (Web-1)

We are always excited for the #ackIm CTF.

I have been playing this CTF since 2012, and it is one of the best CTFs I have ever played. So let's not waste time and start the journey.


When you log in to the portal you find the details below.

Obviously the first step is to hit the web challenge, because I assumed it would be easy, but that assumption got killed brutally.


So the challenge was:

Chris Martin wants to go home. Can you help him get there as soon as possible? Along with it came a URL which asks for a username and password.

After looking at the source code I noticed that my scroll bar was too long.




In the end I thought I had found the flag.

And I thought it was easy, but it wasn't a flag.

It was a base64 string which gives an MD5 hash, which in turn gives Coldplayparadise:

Base64 --> MD5 --> Coldplayparadise.


This time I was sure that this must be the username/password.

When I put it in as the username and password,

it gave me:

Mismatch in host table! Please contact your administrator for access. IP logged.

A quick idea, adding the header X-Forwarded-For: 127.0.0.1, gives you the first flag.




A…
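Why the X-Forwarded-For header worked, as an added example (my own code, not the challenge's server code): the check below resolves the client address two ways. client_ip_vulnerable trusts the header outright, which is the behaviour the write-up exploits; client_ip_hardened only honours the header when the TCP peer is a proxy we operate, and then takes the right-most hop that is not one of our proxies, the address the proxy appended and the client cannot choose. ALLOWED_HOSTS, TRUSTED_PROXIES and every address used are constructed.

```python
"""Added example, not the CTF's server code: resolving the client IP for a
"host table" check. The first resolver trusts X-Forwarded-For, which is the
bypass from the write-up; the second only trusts it behind a known proxy.
ALLOWED_HOSTS, TRUSTED_PROXIES and all addresses below are constructed."""
import ipaddress

# Constructed host table: only localhost is allowed through.
ALLOWED_HOSTS = {"127.0.0.1"}

# Constructed: the reverse proxy the application actually sits behind.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_ip_vulnerable(headers, remote_addr):
    """Whatever the client puts in X-Forwarded-For wins over the real peer."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(headers, remote_addr, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is one of our proxies,
    and then use the right-most hop that is not a proxy: that is the address
    the proxy appended, not the value the client prepended."""
    if remote_addr not in trusted_proxies:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        if hop and hop not in trusted_proxies:
            return hop
    return remote_addr


def is_valid_ip(value):
    """Reject garbage such as 'localhost' or '127.0.0.1; DROP' before lookup."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def host_table_allows(headers, remote_addr, resolver):
    """The access decision behind 'Mismatch in host table!': True only when
    the resolved address is well-formed and listed in the host table."""
    ip = resolver(headers, remote_addr)
    return is_valid_ip(ip) and ip in ALLOWED_HOSTS


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    attacker = "203.0.113.7"
    print("vulnerable:", host_table_allows(spoofed, attacker, client_ip_vulnerable))
    print("hardened:  ", host_table_allows(spoofed, attacker, client_ip_hardened))
```

The "IP logged" part of the challenge message is a reminder that the logged value comes from the same resolver: with the vulnerable version, the attacker also controls what ends up in the log.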

diff alternative for Windows

Dear all,

Background: You must be wondering why I am writing this, but believe me, when you have only a Windows environment without internet access it is a hell of a lot harder to find the difference between two files.

Scenario: You have two CSV/text/XLS files with more than 10k lines each and you need to find the differences between them. The condition is that you have only a Windows machine, and one without internet access at that.

... So after googling on my cellphone I came across a command called fc (file compare), which saved my life ;) by turning too many manual checks into an automated task.


Example: We have two files with the data below.

File 1:
This data is same
This data is missing

File 2:
This data is same


Now see how fc finds the difference:




Note: Whitespace makes a hell of a lot of difference in the result.
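To show what that note means in practice, here is an added example in Python (my own code, not the fc command from the post) that diffs two constructed files once exactly and once with whitespace compressed. fc itself has a /W switch that compresses tabs and spaces the same way; without it, a trailing space or a tab turns an otherwise identical line into a difference.

```python
"""Added example, not the fc command from the post: compare two files line by
line, once exactly (fc's default) and once with whitespace compressed (what
fc /W does), to show why trailing spaces and tabs change the result.
The two file contents are constructed."""
import difflib
import re

# Constructed sample: the two lines from the post, plus a line that differs
# only in whitespace (trailing spaces on one side, a tab on the other).
FILE1 = "This data is same\nThis data is missing\nkey\tvalue\n"
FILE2 = "This data is same   \nkey value\n"


def compress_ws(line):
    """Collapse runs of spaces/tabs to one space and strip the ends (fc /W style)."""
    return re.sub(r"[ \t]+", " ", line).strip()


def compare(text_a, text_b, ignore_whitespace=False):
    """Return (diff_lines, changed_count).

    diff_lines is the unified diff as a list of strings (empty when the files
    match); changed_count is the number of added/removed lines, which is the
    value a script would branch on.
    """
    a = text_a.splitlines()
    b = text_b.splitlines()
    if ignore_whitespace:
        a = [compress_ws(line) for line in a]
        b = [compress_ws(line) for line in b]
    diff = list(difflib.unified_diff(a, b, "file1", "file2", lineterm="", n=0))
    # Skip the two '---'/'+++' header lines, then count '+'/'-' body lines.
    changed = [line for line in diff[2:] if line.startswith(("+", "-"))]
    return diff, len(changed)


if __name__ == "__main__":
    for ignore in (False, True):
        diff, n = compare(FILE1, FILE2, ignore_whitespace=ignore)
        print("ignore_whitespace=%s -> %d changed line(s)" % (ignore, n))
        print("\n".join(diff))
```

Run as-is it reports five changed lines for the exact comparison (every line differs once trailing spaces and the tab count) and one for the compressed comparison (the line that really is missing). Decide up front which of the two answers your task needs; for CSV exports, the whitespace-insensitive one is usually the honest answer.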





How to get a registry value using cmd

Hi all,

While I was working on some automation, I came across a situation where I needed a registry value to validate in a script. So the hunt began: I guessed and simply typed the reg command in cmd, and wow, the command returned valid output.

After looking at the help I understood that either export or query would do the job.

The task was to get the firewall state of Windows, so after googling I got the path below:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\

Then running reg query with that path gave the expected output:

C:\>reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
    DisplayNotification    REG_DWORD    0x1
    DefaultInboundAction    REG_DWORD    0x1
    AllowLocalIPsecPolicyMerge    REG_DWORD    0x1
    AllowLocalPolicyMerge    REG_DWORD    0x1
    DefaultOutboundAction    REG_DWORD    0x0
    EnableFirewall    REG_DWORD    0x0



Simply using findstr will give…
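Picking the value out of that output is what the findstr step does. As an added example (my own code, not from the post), here is a small parser that turns the reg query text above into a dict and reads EnableFirewall from it, with the post's output embedded as the input so it runs without a Windows box. One caveat for the check itself: the Policies key only exists when Group Policy sets firewall settings; on a machine without such a policy the running state lives under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile, and the same parser works on reg query output for that key.

```python
"""Added example, not from the post: parse the text that 'reg query' prints
into {key_path: {value_name: data}} and decide whether the domain-profile
firewall is enabled. REG_OUTPUT is the post's own sample output, embedded
here as constructed input."""
import re

# The post's reg query output, embedded as test input.
REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
    DisplayNotification    REG_DWORD    0x1
    DefaultInboundAction    REG_DWORD    0x1
    AllowLocalIPsecPolicyMerge    REG_DWORD    0x1
    AllowLocalPolicyMerge    REG_DWORD    0x1
    DefaultOutboundAction    REG_DWORD    0x0
    EnableFirewall    REG_DWORD    0x0
"""

# reg prints "name    type    data" with runs of spaces between the columns.
VALUE_RE = re.compile(r"^\s*(\S+)\s{2,}(REG_[A-Z_]+)\s{2,}(.*?)\s*$")


def parse_reg_query(text):
    """Return {key_path: {value_name: data}} for every key in the output.

    REG_DWORD / REG_QWORD data (printed as 0x...) is converted to int; other
    types are kept as the string reg printed (REG_SZ with spaces included).
    Lines that are neither a key path nor a value row are ignored.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith(("HKEY_", "HKLM\\", "HKCU\\")):
            current = stripped.rstrip("\\")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, vtype, data = m.groups()
        if vtype in ("REG_DWORD", "REG_QWORD"):
            data = int(data, 16)
        keys[current][name] = data
    return keys


def firewall_enabled(parsed, profile="DomainProfile"):
    """True/False from the EnableFirewall DWORD; None if the value is absent,
    so a missing policy is not silently reported as 'disabled'."""
    for path, values in parsed.items():
        if path.endswith("\\WindowsFirewall\\" + profile):
            if "EnableFirewall" in values:
                return values["EnableFirewall"] == 1
    return None


if __name__ == "__main__":
    parsed = parse_reg_query(REG_OUTPUT)
    print("Domain profile firewall enabled by policy:", firewall_enabled(parsed))
```

In a real script, feed it the captured output of reg query (for example via subprocess) and treat None as "no policy value found" rather than as a firewall state.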

How to verify Windows credentials using the command line

Hi all,

We were working on an assignment where we had a requirement to verify credentials using the command line.

After fighting a lot with the net command I came to the conclusion that we can map a domain's default administrative share using the net use command.

So here is a simple script which tries to authenticate to the domain with the given credentials using net use.
Script:

::TITLE :- credential check using command line
::Author :- Kaustubh Padwad
::Copyright (C) 2016 Kaustubh Padwad
::Contact :- kingkaustubh @ me .com
@echo off
echo "Please enter the username and password to verify"
set /p username="Enter Username: "
set /p password="Enter Password: "
set /p Domain="Enter Domain: "
set /p DomainFQDN="Enter FQDN: "
echo "Checking details using:"
echo "Username = %username%"
echo "Password = %password%"
echo "Domain = %Domain%"
echo "DomainFQDN = %DomainFQDN%"
:: Try to map the C$ administrative share with the supplied credentials.
:: A successful mapping means the credentials were accepted; a logon
:: failure (system error 1326) means they were not.
net use \\%DomainFQDN%\c$ /user:%Domain%\%username% %password%
:: Remove the mapping again once the check is done:
:: net use \\%DomainFQDN%\c$ /delete
pause

Note: password …