Wargames 2017 – Challenge 12 : ezfile sharing

[Image: question for challenge 12]

And the hint for this challenge:

[Image: hint for challenge 12]

One of our teammates was fuzzing around the website and found a “.git” folder.
It seems related to the hint.
We tried to browse the folder/path:

[Image: .git folder/path]

As a “layman” person (please guys, don’t try this at home. Or any other place. wkwkwkwk), I’ve gone too far by downloading the whole git folder (recursively):

[Image: download all git folder content]

Let’s see what info git -help can provide us with:

[Image: git help menu]

Hmm.. let’s see if “git show” can provide any clue…

And.. profit! XD

So the flag is: “wgmy:{AdminGitGudPlease}”
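
The exposure behind this challenge can be caught before deployment. As an added example (not part of the original write-up), this script scans a web root for version-control metadata; the function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: refuse to publish a web root that contains VCS metadata.

# Print every version-control metadata entry under ROOT, one per line.
# Covers .git/.svn/.hg directories and the ".git" pointer files used by
# submodules and linked worktrees.
find_vcs_metadata() {
    find "$1" \( -name .git -o -name .svn -o -name .hg \) -prune -print | sort
}

# Commits reachable in a git directory, or "?" if git cannot read it.
history_size() {
    git --git-dir="$1" rev-list --all --count 2>/dev/null || echo '?'
}

# Return 0 if ROOT is clean; print findings and return 1 otherwise.
check_webroot() {
    found=$(find_vcs_metadata "$1")
    [ -n "$found" ] || return 0
    printf '%s\n' "$found" | while IFS= read -r p; do
        if [ -d "$p" ] && [ "${p##*/}" = .git ]; then
            printf 'EXPOSED %s (%s commits of history)\n' "$p" "$(history_size "$p")"
        else
            printf 'EXPOSED %s\n' "$p"
        fi
    done
    return 1
}

# Constructed sample tree (hypothetical layout, not the challenge site).
make_sample_root() {
    mkdir -p "$1/site/.git/objects" "$1/site/css" "$1/site/vendor/lib/.svn"
    echo '<h1>ezfile</h1>' > "$1/site/index.html"
    echo 'gitdir: ../.git/modules/theme' > "$1/site/css/.git"
}

root=${1:-}
if [ -z "$root" ]; then root=$(mktemp -d); make_sample_root "$root"; fi
check_webroot "$root" || echo 'deploy blocked: remove or deny access to the paths above'
```

Run it with the document root as its only argument in a deploy step; a non-zero result from `check_webroot` means the listed paths would be served to visitors.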

Wargames 2017 – Challenge 9 : unreachable

The question is:
“The critical server seems unreachable. The sysadmin tries to identify the cause of it..but weird..he is doing it backwardly.”

[Image: question for challenge 2]

And the hint given to us:

[Image: hint for challenge 2]

So… RFC 792 – something related to ICMP/ping yada yada.
So we opened the pcap file in Wireshark and viewed only the ICMP protocol:

[Image: open pcap using wireshark & then filter ICMP only]

We can see ICMP traffic involving 2 IPs; &
After digging around, I found some “unique differences” in the ping identification number, at offset 0010. This involves IP

Let’s use tshark to see it clearly:

[Image: use tshark & grep offset 0010]

As noted in the hint above:
“he is tracing backwardly.”

The flag is: flag_is_p!ngp0ng~
But actually…. the flag is: p!ngp0ng~

Shell hiding in image files

One day, we noticed a strange GET request towards our JBoss server:

From the request above, you’ll quickly notice that this attack leverages the Apache Struts vulnerability CVE-2017-5638.

The request tried to execute the command below:

“-O” : writes the documents to a file.
“-” : if “-” is used as the file, documents will be printed to standard output, disabling link conversion.
“-q” : quiet (no output)

As you see, it tried to fetch an image (JPEG file) from Seems normal, right?
We fetched the file & took a look at the jpg file:

ASCII?? Not JPEG?? Hmm..
Here’s what’s inside the “logo.jpg” file:

We noticed there are several other files fetched; possibly a config file & a bin file.
Let’s fetch those files!

Here is the config file:

Not sure what it is. Maybe a bin file to run a process:

Let’s see if the file is packed:

Yup. So let’s unpack the file using UPX:

Overall, it looks like the attacker wants to hack our servers & turn them into his own cryptocurrency mining machines.
This is typical of the attacks we see at this time, when cryptocurrency is rising. People hack to make a profit. 🙂
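
Both findings above (a “.jpg” that is really ASCII, and a UPX-packed binary) come from looking at content rather than file names. The script below is an added example, not from the original post, that classifies files by their leading bytes; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify files by their leading bytes instead of their name.

# First N bytes of a file as contiguous lowercase hex.
magic_hex() { head -c "$2" "$1" | od -An -v -tx1 | tr -d ' \n'; }

# Print one of: jpeg, script, elf-upx, elf, text, unknown
classify_file() {
    case $(magic_hex "$1" 4) in
        ffd8ff*)  echo jpeg ;;                     # JPEG start-of-image marker
        2321*)    echo script ;;                   # "#!" interpreter line
        7f454c46)                                  # ELF executable
            # UPX leaves the ASCII marker "UPX!" in files it packs
            if LC_ALL=C grep -q 'UPX!' "$1"; then echo elf-upx; else echo elf; fi ;;
        '')       echo unknown ;;                  # empty file
        *)  # no known magic: text if only printable ASCII and whitespace
            if [ "$(LC_ALL=C tr -d '\11\12\15\40-\176' < "$1" | wc -c)" -eq 0 ]
            then echo text; else echo unknown; fi ;;
    esac
}

# List files under DIR named like JPEGs whose content is something else.
find_disguised() {
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' \) | sort |
    while IFS= read -r f; do
        kind=$(classify_file "$f")
        [ "$kind" = jpeg ] || printf '%s\t%s\n' "$kind" "$f"
    done
}

# Constructed sample files (not the artifacts from the incident).
make_samples() {
    printf '\377\330\377\340\000\020JFIF\000' > "$1/real.jpg"
    printf '#!/bin/sh\necho constructed sample\n' > "$1/logo.jpg"
    printf 'pool = example.invalid\n' > "$1/config.jpeg"
    printf '\177ELF\002\001\001\000padding UPX! padding' > "$1/packed.bin"
    printf '\177ELF\002\001\001\000plain' > "$1/plain.bin"
}

dir=${1:-}
if [ -z "$dir" ]; then dir=$(mktemp -d); make_samples "$dir"; fi
find_disguised "$dir"
```

A missing “UPX!” marker does not prove a binary is unpacked, since the marker can be altered after packing.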

Here is the MD5 for the file above:

Configuring proxy for APT in Ubuntu

Recently, I had a problem: when I tried to update Ubuntu packages via apt-get, it showed an HTTP 401 proxy-related error.
Just a note: I’m running the VM on my office network, which has proxy servers.

From this site;

APT configuration file method
This method uses the apt.conf file which is found in your /etc/apt/ directory. This method is useful if you only want apt-get (and not other applications) to use a http-proxy permanently.
On some installations there will be no apt-conf file set up. This procedure will either edit an existing apt-conf file or create a new apt-conf file.
gksudo gedit /etc/apt/apt.conf
Add this line to your /etc/apt/apt.conf file (substitute your details for yourproxyaddress and proxyport).
Acquire::http::Proxy "http://username:password@yourproxyaddress:proxyport";
Save the apt.conf file.

Configure Cisco switch from Mac OS X through console port

Recently, I was searching for a rollover cable, which is used to connect your PC/laptop to your switch via the console port. It took me a while searching for this kind of cable in Low Yat Plaza, KL. Here, you can find a variety of electronics, from PC hardware to server gear.

But it was hard for me to find this cable. After several visits to Low Yat, I managed to find the cable together with a DB9 to USB converter. As you know, the rollover cable is a serial to ethernet cable. So this post will guide you through installing the driver and connecting your rollover cable to your switch from Mac OS X.

So, for the first step, you should have a rollover cable that looks like this:

[Image: Rollover to DB9/serial cable]

And the DB9 to USB 2.0 converter. The one that I’m using is like this:

For my Mac OS X version, I’m using Mac OS X Yosemite 10.10.5 on a MacBook Pro (13-inch, Early 2011). You’ll need the driver for the cable, which you can download here:

After you’ve finished downloading and extracting the driver, just click on the .pkg file and proceed to install the driver. Reminder: make sure you restart your machine after installing the driver so that the change takes effect:

[Image: DB9 to USB Converter driver]

Then, plug the rollover cable into the DB9 to USB converter, and connect the converter’s USB end to your Mac. After everything has been connected, click on the Apple logo on the top left of the menu bar, click About This Mac, and on the Overview tab, click System Report. Ensure that your DB9 converter is connected:

[Image: Mac OS X System Info]

After the restart, you can verify that the driver has been successfully installed and loaded by using this command:

Now finally, you need an application which will talk to the serial port. We’ll use the Terminal app on Mac OS X. On Mac, the file which maps to the port is /dev/cu.usbserial. Once all the cables have been connected, run this command to start connecting to your switch:

Flatten a Nested Directory & File Hierarchy from Command Line of OS X

Let’s say you have this kind of file/folder structure:

You can take all the *.jpg files, or files of any other type, and move them into one folder.
Here is the command to use:

Upgrade Python packages using pip

As the title above says, to update your Python packages via pip:

for Linux/*nix:

p/s: you may need to run as sudo. Probably.

for Windows:

Credit: http://stackoverflow.com/questions/2720014/upgrading-all-packages-with-pip

Fixing wp_termmeta doesn’t exist error

One day, I opened my mailbox and saw a bunch of error mails that said something like this:

Upon diving into the Google ocean, I found this solution that may solve the problem:

Use this SQL query to manually add the wp_termmeta table to your WordPress database if the wp_termmeta table doesn’t exist in your DB.

Credit: http://zanca.it/tutorials/wp_termmeta-doesnt-exist-error-solved/