Tag Archives: coding

Hunting for possible attacker Cobalt-Strike infra

Recently, we have an incident where suspicious traffic was observed related to external C2. Initial finding found that this IP 172.241.27.17 (172.241.24.0/21) resolved to
atakai[-]technologies[.]host; according to pDNS in Virustotal [1].

So, further digging on this IP found it has port 50050 open. Based on Recorded Future threat analysis report & Cobalt Strike Team Server Population Study, it mentioned that default port for Cobalt Strike controller is on port 50050.

So, I asked to myself. What if the neighboring IPs were also been setup for Cobalt Strike infrastructure? So I decided to go on this journey…

First, we know that the IP range is 172.241.24.0/21. By using this tool, we can convert CIDR notation to a range of IP addresses.

The result, we have 2048 addresses; IP address range between 172.241.24.0-172.241.31.255.

Next, we using online tool named Reverse IP & DNS API from WhoisXML API. Function of this tools is to reveals all domains that share an IP address. Example as below:

To use this tools, we need to buy credit to leverage its API. As for free account, you only have 100 credit to be use on Domain Research Suite tools. But on this case, we need around 2050 credit. Based on their website, 1000 DRS credits = $19.00. So.. yeah..

After you have enough credit, you can use the script as below:

#!/bin/bash

url="https://reverse-ip.whoisxmlapi.com/api/v1?apiKey=whoisxml_apikey&ip="

for i in $(cat ip.txt); do
	content="$(curl -s "$url$i")"
	echo "$content" >> output.txt
done

Remember to put your API key into the script. It will basically produce result into “output.txt“.

After that, import you result into Excel. Then, we sort and select possible domains from the output based on domain naming convention; e.g. atakai, amatai, amamai:

Now we have possible suspected IPs & domains. To further digging, we’ll leverage Shodan.io to see what are the open port available for those IPs.

To use it, we’ll using script as below:

$ curl -s https://api.shodan.io/shodan/host/{172.241.27.17,172.241.27.44,172.241.27.62,172.241.27.65,172.241.27.66,172.241.27.68,172.241.27.72,172.241.27.225,172.241.29.155,172.241.29.156,172.241.29.157}?key=shodan_apikey | jq -r '. | "IP: \(.ip_str) Ports: \(.ports)"'

The output should be like this:

Now we know 7/11 (no pun intended) IPs been observed by Shodan having port 50050 opened. This indicate that this set of IPs possibly used part of Cobalt Strike infra.

Next step is we can search for date registration for each domain from Whois data. But I’m too lazy to continue this. Also I’ve encountered where several Whois provider giving different info regarding of domain registration date. So yeah, maybe I’ll update next time when I’m free 😉

Check bulk IP for reverse DNS (rDNS)

Recently I’ve encounter list of IPs that are related to CoinHive. So I want to check for domains that tied to these IPs. We can do that by using dig command to perform reverse DNS (rDNS).

Reverse DNS (rDNS) is a method of resolving an IP address into domain name, just as the domain name system (DNS) resolves domain names into associated IP addresses.

I found this script at this site:

#!/bin/bash

for item
    do
        domain=$(dig -x "$item"  +short)
        if [ -n "$domain"  ] ;
            then
            echo "$item" - "$domain"
        else
            echo "$item" result is NULL
        fi
    done

Just save this code above in your Linux/*nix machine, and run this command as below:

[email protected]:~# cat ip.txt | xargs bash reverse_dns

The result should be like this:

Upgrade Python packages at using pip

As you read in the title above; to update your Python packages via pip.

for Linux/*nix:

pip freeze --local | grep -v '^\-e' | cut -d = -f 1  | xargs -n1 pip install -U

p/s: you may need to run as sudo. Probably.

for Windows:

for /F "delims===" %i in ('pip freeze -l') do pip install -U %i

Credit:

http://stackoverflow.com/questions/2720014/upgrading-all-packages-with-pip

Shell script fails: Syntax error: “(” unexpected

There’s one time I encountered this error when executing a bash code/script:

install.sh: Syntax error: "(" unexpected

The script does not begin with a shebang line, so the kernel executes it with /bin/sh. On Ubuntu, /bin/sh is dash, a shell designed for fast startup and execution with only standard features. When dash reaches the line, it sees a syntax error: that parenthesis doesn’t mean anything to it in context.

Since dash (like all other shells) is an interpreter, it won’t complain until the execution reaches the problematic line. So even if the script successfully started at some point in your testing, it would have aborted once the problematic line was reached.

The shebang line must be the very first thing in the file. Since you use bash features, the first line of the file must be #!/bin/bash or #!/usr/bin/env bash.

Credit:
http://unix.stackexchange.com/questions/45781/shell-script-fails-syntax-error-unexpected

Python Error – InsecurePlatformWarning

There is one time I see this kind of error:

          InsecurePlatformWarning: A true SSLContext object is not available. 
This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail.
For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning

If you’re on Ubuntu, you may run into trouble installing pyopenssl, so you’ll need these dependencies:

apt-get install libffi-dev libssl-dev

Then you’ll only need to install the security package extras:

pip install requests[security]

or, install them directly via pip:

pip install pyopenssl ndg-httpsclient pyasn1

Requests package/library will then automatically inject pyopenssl into urllib3

Credit:
http://stackoverflow.com/questions/29134512/insecureplatformwarning-a-true-sslcontext-object-is-not-available-this-prevent

Unable to run autoconf on configure.ac

configure.ac:15: error: possibly undefined macro: AM_INIT_AUTOMAKE
If this token and others are legitimate, please use m4_pattern_allow
See the Autoconf documentation

You can use this solution to solve it.
– sudo pacman -S pkg-config xorg-server-devel libtool automake
– libtoolize –force
– vim configure.ac
– Add AC_CONFIG_MACRO_DIR([m4]) into configure.ac
– libtoolize –force
– aclocal
– autoheader
– automake –force-missing –add-missing
– autoconf

After that, just run ./configure as usual.

socket.io’s `listen()` method expects an `http.server` instance

 For people that has this problem when using node.js & express app, here I show you way to solve it.

The error that you will see upon start the node.js:

Warning: express.createServer() is deprecated, express
applications no longer inherit from http.Server,
please use:

  var express = require(“express”);
  var app = express();

Socket.IO’s `listen()` method expects an `http.Server` instance
as its first parameter. Are you migrating from Express 2.x to 3.x?
If so, check out the “Socket.IO compatibility” section at:
https://github.com/visionmedia/express/wiki/Migrating-from-2.x-to-3.x
   info  – socket.io started

The solution is to change this line:

var app = require(‘express’).createServer(),
    io = require(‘socket.io’).listen(app),
    scores = {};                               

// listen for new web clients:
app.listen(8080);

to this:

var express = require(‘express’),
    app = express()
  , http = require(‘http’)
  , server = http.createServer(app)
  , io = require(‘socket.io’).listen(server);

// listen for new web clients:
server.listen(8080);

Try to start again. Problem solve. 🙂

CSRF in SpiceFuse Shoutbox (MyBB)

bagi sape2 yg ade forum yg berasaskan MyBB, dan yg menggunakan SpiceFuse Shoutbox, baik korg baca bnd ni..
sbb ade bnd yg menarik kat sini.. 🙂
bnd ni Johnburn dr tbd.my yg jmp.. jd aku share kn kat sini..
special thanx to Johnburn utk artikel & solution ni.. 🙂

The stories:
Tadi xda keje aku tgk2 code mybb dengan target nk bypass xss filter mybb melalui bbcode dia. dlm aku tgk2 tu aku nmpk satu bnda yg agak menarik pada code shoutbox (aku install plugin SpiceFuse Shoutbox yg sama mcm kt TBD and my0d). Plugin ni vulnerable kepada CSRF melalui image tag.

PoC:
Jika user post yang berikut kat shoutbox, mana2 user len yg view shoutbox secara automatik akan turut post sebarang post jika browser diset untuk load image (default).

http://www.tbd.my/v2/xmlhttp.php?action=add_shout&shout_data=sebarangPost

Quick Fix:
Bleh elak dengan menggunakan token pada shoutbox. Untuk tmbah token, bleh ikut yg berikut:

Edit file ni:

cari line berikut:

dan gantikan dengan line ni:

Edit file ni:

cari line:

tambah line berikut selpas code di atas:

cari line berikut:

dan gantikan dengan line ni:

Edit file ni:

cari line berikut:

tambah code berikut selepas baris code di atas:

p/s: mungkin perlu reactivate blk shoutbox supaya apa yg diubah pada template untuk take effect.