Category Archives: technique

Wargames 2017 – Challenge 12 : ezfile sharing


question for challenge 12

and the hint for this challenge:

hint for challenge 12

one of our teammates was fuzzing around the website and found a “.git” folder.
it seems related to the hint.
we tried to browse the folder/path:

.git folder/path

as a “layman” person (please guys, don’t try this at home. or any other place. wkwkwkwk), I went too far and downloaded the whole git folder (recursively):

download all git folder content

let’s see what info git -help can give us:

git help menu

hmm.. let’s see if “git show” can provide any clue…

and.. profit! XD

so the flag is: “wgmy:{AdminGitGudPlease}”
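
Why a served .git folder gives everything away, as an added example (not part of the original write-up): the script builds a throwaway web root in which a secret is committed and later removed, then shows that the repository history still holds it. The repository, file name and secret string are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find .git directories under a web root and check whether
# a string that is gone from the checkout still lives in the history.

# List every .git directory below a document root.
find_git_dirs() {
    find "$1" -type d -name .git -prune -print
}

# Print the commits (across all refs) whose diff adds or removes the
# given string, even if the current files no longer contain it.
commits_touching() {
    git --git-dir="$1" log --all --format=%h -S"$2"
}

# Build a throwaway docroot: a secret is committed, then "removed".
make_demo_docroot() {
    root=$(mktemp -d)
    (
        cd "$root" || exit 1
        git init -q .
        g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }
        echo 'password=CONSTRUCTED-SECRET' > config.txt
        g add config.txt && g commit -q -m 'add config'
        echo 'password=' > config.txt
        g commit -q -am 'remove password'
    )
    echo "$root"
}

# Report, for each .git directory found, how many commits mention the pattern.
# (Assumes paths without whitespace, which holds for the mktemp demo.)
audit_docroot() {
    for gd in $(find_git_dirs "$1"); do
        n=$(commits_touching "$gd" "$2" | wc -l | tr -d ' ')
        echo "$gd: $n commit(s) mention the pattern"
    done
}

demo=$(make_demo_docroot)
audit_docroot "$demo" 'CONSTRUCTED-SECRET'
grep -c 'CONSTRUCTED-SECRET' "$demo/config.txt" || true   # gone from the checkout
rm -rf "$demo"
```

Deploying from an export (for example `git archive`) or denying requests for `/.git` at the web server keeps the history off the site.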

Wargames 2017 – Challenge 9 : unreachable

the question is:
“The critical server seems unreachable. The sysadmin tries to identify the cause of it..but weird..he is doing it backwardly.”
http://files.wargames.my/2/p100.7z

question for challenge 2

and the hint given to us:

hint for challenge 2

so… RFC 792 – something related to ICMP/ping yada yada
so we open the pcap file in Wireshark and view only the ICMP protocol:

open pcap using wireshark & then filter ICMP only

we can see ICMP traffic involving 2 IPs: 192.168.1.8 & 192.168.1.10
after digging around, I found some “unique differences” in the ping identification number, at offset 0010. this involves IP 192.168.1.8.

let’s use tshark to see it clearly:

use tshark & grep offset 0010

as noted in the hint above;
“he is tracing backwardly.”

the flag is: flag_is_p!ngp0ng~
but actually…. the flag is: p!ngp0ng~
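
What the tshark-and-grep step does by eye, as an added example (not from the original write-up): line up the 0010 rows of one host's packets, find the byte columns that change from packet to packet, and read the printable ones as text in capture order and reversed. The rows are constructed, not taken from the challenge capture, and assume an Ethernet/IPv4 frame with the data in the low byte of the IPv4 Identification field; the function itself does not care which column carries it.

```shell
# Constructed rows, shaped like the 0010 line of a packet hex dump, for
# five echo requests from one host (header checksums are consistent).
sample_rows() {
cat <<'EOF'
0010  00 54 00 21 40 00 40 01 b7 25 c0 a8 01 08 c0 a8
0010  00 54 00 67 40 00 40 01 b6 df c0 a8 01 08 c0 a8
0010  00 54 00 6e 40 00 40 01 b6 d8 c0 a8 01 08 c0 a8
0010  00 54 00 69 40 00 40 01 b6 dd c0 a8 01 08 c0 a8
0010  00 54 00 70 40 00 40 01 b6 d6 c0 a8 01 08 c0 a8
EOF
}

# For every byte column that changes between packets and holds only
# printable ASCII, print "<column> <text in capture order> <text reversed>".
varying_ascii_columns() {
    awk '
    function hex(s,   i, n) {
        n = 0
        for (i = 1; i <= length(s); i++)
            n = n * 16 + index("0123456789abcdef", tolower(substr(s, i, 1))) - 1
        return n
    }
    $1 == "0010" {
        rows++
        for (c = 2; c <= 17; c++) {
            v = hex($c)
            if (rows == 1) first[c] = $c
            else if ($c != first[c]) differs[c] = 1
            if (v < 32 || v > 126) binary[c] = 1
            else {
                text[c] = text[c] sprintf("%c", v)
                rev[c] = sprintf("%c", v) rev[c]
            }
        }
    }
    END {
        for (c = 2; c <= 17; c++)
            if (differs[c] && !binary[c])
                printf "%d %s %s\n", c - 2, text[c], rev[c]
    }'
}

sample_rows | varying_ascii_columns
```

The header checksum columns also change with every packet, but they rarely stay printable across a whole capture, which is why the printable filter drops them.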

Configure Cisco switch from Mac OS X through console port

Recently, I was searching for a rollover cable, which is used to connect your PC/laptop to your switch via the console port. It took me a while to find this kind of cable in Low Yat Plaza, KL. There you can find a variety of electronics, from PC hardware to server parts.

But it was hard for me to find this cable. After several visits to Low Yat, I managed to find the cable together with a DB9 to USB converter. As you know, the rollover cable is a serial to ethernet cable. So, this post will guide you on how to install the driver and connect your rollover cable to your switch from Mac OS X.

So, for the first step, you should have a rollover cable that looks like this:

Rollover to DB9/serial cable

And the DB9 to USB 2.0 converter. The one that I’m using is like this:
http://www.vztec.com.my/?sec=product&type=connect&sub=5&id=13776589936053

For my Mac OS X version, I’m using Mac OS X Yosemite 10.10.5 on a MacBook Pro (13-inch, Early 2011). You’ll need the driver for the cables, which you can download here:
http://www.prolific.com.tw/UserFiles/files/PL2303_MacOSX_1_6_1_20160309.zip

After downloading and extracting the driver, just click the .pkg file and proceed to install the driver. Reminder: make sure you restart your machine after installing the driver so that it takes effect:

DB9 to USB Converter driver

Then plug the rollover cable into the DB9 to USB converter, and connect the converter’s USB end to your Mac. After everything is connected, click the Apple logo on the top-left menu bar, click About This Mac and, on the Overview tab, click System Report. Ensure that your DB9 converter is connected:

Mac OS X System Info

After the restart, you can verify that the driver has been successfully installed and loaded by using this command:

or

Now finally, you need an application that will talk to the serial port. We’ll use the Terminal app on Mac OS X. On Mac, the file which maps to the port is /dev/cu.usbserial. Once all the cables have been connected, run this command to start connecting to your switch:

Flatten a Nested Directory & File Hierarchy from Command Line of OS X

Let’s say you have this kind of file/folder structure:

You can take all the *.jpg files, or any other file type, and move them into one folder.
Here is the command to use:

Upgrade Python packages using pip

As you read in the title above; to update your python packages via pip:

for Linux/*nix:

p/s: you may need to run as sudo. Probably.

for Windows:

Credit: http://stackoverflow.com/questions/2720014/upgrading-all-packages-with-pip

Recover bricked TL-MR3020 via serial console


Recently, I flashed my MR3020 in an attempt to make my own Wifi Pineapple. But.. You know. Shit happens. :p

In other words, I screwed up my MR3020 and bricked it. The LEDs keep on blinking, some are on and not blinking, and the network keeps connecting and disconnecting randomly. Guess that’s a sign you’ve messed up the device. XD

But I’m lucky, because you can still recover the device via the serial console and tftpd32 method. (yeay!)

Bear in mind that this method will VOID your warranty. So, don’t do this unless you are willing to sacrifice it for the sake of knowledge. 🙂

Things that you need:

  • Tftpd32: A free tftp and dhcp server for windows, freeware tftp server. Very efficient for booting over LAN.
  • PuTTY: SSH and telnet client, free and open-source terminal emulator, serial console and network file transfer application.
  • USB to UART converter (3.3V). I’m using this converter that I bought at Cytron Technologies.
  • A 10K resistor
  • Female to Female OR Female to Male Jumper Wires

UC00B USB-UART Converter

So, as you can see, my USB-UART converter comes with a 6-way header pin for interfacing. The voltage selector must be set to 3.3V since the TL-MR3020 router’s I/O pins work at 3.3V.

Connection Diagram
* Do not connect the router VCC to USB-UART VCC, it may break your adapter or your router

For the picture of the connection diagram, refer to first picture above.

No Serial Port
So, in my case, my MR3020 is version 1.9. As you can see in the picture above, mine doesn’t have any serial port to connect to using a female jumper wire. So I use a female (attached to the USB-UART) to male (attached to the MR3020) jumper wire, as in the picture below:
Male Jump Wire to MR3020

Take note that I only put the resistor and jumper wire in place without soldering. You can solder your jumper wire and resistor to the port, but in this tutorial I skip that. :p

After you have all things in place, you can start installing the UC00B (USB-UART) driver on your computer. After it finishes, restart your computer and check your Device Manager. You should see something like this:

UC00B USB-UART on Device Manager

which indicates that the converter is detected by the computer and the driver is properly installed.

Setting up network IP address
Assign a static IP address to the computer, using IP address 192.168.1.2 since the router IP address is 192.168.1.1. No need for Internet connection in this process.

REMEMBER! Ensure that you have disabled your Windows firewall. Otherwise, the next step might not work.

Install OpenWRT from the U-Boot console
Download the latest OpenWRT firmware and save it to C:\Program Files\Tftpd32 (Tftpd32 default installation folder) as shown in figure below:

TFTPD

You also can click the “Show Dir” button and check if the file is there or not.

Run PuTTY and select the Serial option. For Serial Line, I’m using COM3 since my USB-UART converter is detected as COM3; for Speed, I use 115200. Then click Open. See the example in the picture below:

Putty example for Serial COM3

After that, power up your MR3020. On Putty console, you should see something like this:

The moment you see “Autobooting in 1 seconds”, type in the word “tpl” immediately.

If everything is correct, you should see “hornet>” in your console. If you missed it, close and reopen PuTTY and follow the instructions above until you see “hornet>”.

Now you are in U-Boot-console, as it shows “hornet>” on your console. Now enter the following commands:
setenv ipaddr is the MR3020 IP address,
setenv serverip is the computer IP address,

Then enter this command to download openwrt .bin file:

you should see something like this:

Then enter this command to erase old firmware:

The output must be like this:

Then enter this command to start flashing:

And the output is:

After that, let’s try to boot into the new firmware:

And the result is:

And.. That’s it. You’ve brought your almost-dead MR3020 back to life! 🙂
The device’s new IP is 192.168.1.1. Happy hacking!

  • Credit to this blog for this tutorial.

WordPress HTTP error on image upload (Nginx)

HTTP Error during image upload on wordpress

Recently, I’ve encountered this kind of problem. Maybe because it has been a while since I uploaded any images to my posts. :p

Anyway, if you come across this kind of error and are using Nginx as your web server, here is how to solve it.

Add:

to your nginx .conf file.

For example, mine looks something like this:

Hope it helps. 🙂

Credit to aaronjholbrook

Dionaea simple analysis

Dionaea exploit analysis

We’ll use the Python bundled with Dionaea:

It will open a python console. Enter the code below line by line:


It will produce test.bin file in /tmp/ folder.

Now we analyze it and dump the output to another file:

You should see something like this:

As you can see, the malicious URL is hxxp://188.245.32.210:8147/kcfl

https://sourceforge.net/p/nepenthes/mailman/message/26862416/

Extract unique IP address from Apache & Nginx log file

Let’s say you want to count the number of unique IP addresses hitting your Apache server. It’s very easy to do in a Linux (or compatible) shell. In this tutorial, I’m using Ubuntu server.

First, locate the log file that you want to extract from. For example, the apache2 log files are located at /var/log/apache2 (depending on your distro). For nginx, the log files are located at /var/log/nginx.

Here is the first example, showing how to extract & count unique IP addresses in the Nginx log files.

Nginx Access Log file

Nginx Error Log file

Next are the steps to extract & count unique IP addresses from the Apache log files.
Apache access & error log file

Apache Access Log file

Apache Error Log file

If you have any other steps, you can share them with me in the comment section. Hope it helps! 🙂
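
One way to do the extraction described in this post, as an added example (not the commands from the original post): access logs carry the client address in the first field, while error logs bury it mid-line in a format that differs between Nginx and Apache. The sample log lines are constructed, use documentation-range addresses, and cover IPv4 only.

```shell
# Constructed sample lines standing in for access.log and error.log.
sample_access() {
cat <<'EOF'
203.0.113.7 - - [10/Oct/2017:13:55:36 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.47.0"
203.0.113.7 - - [10/Oct/2017:13:55:37 +0800] "GET /a HTTP/1.1" 404 162 "-" "curl/7.47.0"
198.51.100.23 - - [10/Oct/2017:13:56:01 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
EOF
}
sample_error() {
cat <<'EOF'
2017/10/10 13:55:37 [error] 1234#0: *5 open() "/var/www/html/a" failed (2: No such file or directory), client: 203.0.113.7, server: _, request: "GET /a HTTP/1.1"
[Tue Oct 10 13:56:02.123456 2017] [core:error] [pid 2345] [client 198.51.100.23:51234] File does not exist: /var/www/html/b
[Tue Oct 10 13:56:03 2017] [error] [client 198.51.100.23] File does not exist: /var/www/html/c
EOF
}

# Access logs (Nginx and Apache common/combined format): address is field 1.
# Output is "count address", busiest client first. Reads files or stdin.
count_access_ips() {
    awk '{ print $1 }' "$@" | sort | uniq -c | sort -rn
}

# Error logs: Nginx writes "client: 1.2.3.4,", Apache writes
# "[client 1.2.3.4]" or "[client 1.2.3.4:51234]"; the port is dropped.
count_error_ips() {
    grep -ohE 'client:? [0-9]{1,3}(\.[0-9]{1,3}){3}' "$@" |
        awk '{ print $2 }' | sort | uniq -c | sort -rn
}

sample_access | count_access_ips
sample_error | count_error_ips
# On a server, pass the log files instead of the samples, e.g. the
# access log under /var/log/nginx or /var/log/apache2.
```

Piping either function through `wc -l` gives the number of unique addresses.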