• Internet Security

    CVE-2021-41503 and CVE-2021-41504 – D-Link DCS-5000L and DCS-932L

    Intro

    This article covers the two CVEs we found during our thesis work earlier this year. The devices concerned are two D-Link IP cameras. The table below lists the models with their respective hardware and software versions.

    Manufacturer  Model      Software Version  Hardware Version
    D-Link        DCS-5000L  1.05              A
    D-Link        DCS-932L   2.17              B

    Table 1 – Software and Hardware Versions

    The setup

    Our testing setup was pretty simple. In this scenario we connected the two cameras, a client running macOS and an evil client running Linux to a router. For an exact setup see Figure 1.

    Affected

    http://CAMERA_IP:80 (CVE-2021-41504)
    http://CAMERA_IP/video.cgi (CVE-2021-41503)

    Reproducibility

    This section contains the steps necessary…

  • Bucket Hack The Box
    HTB Writeups

    Bucket Write Up – Hack The Box

    Enumeration: Let's start with running nmap. You can see the picture below and the command used to obtain that scan. nmap -T4 -A -Pn 10.10.10.212 From the scan we see that there is a redirect to http://bucket.htb/, so what I did is add it to /etc/hosts. After that, go to the domain. I usually check the source to see if there is something interesting. And there it was. I added this new domain to the hosts file. I checked both places. The next step is to scan for other directories. I used gobuster. Below you can see the command and use it. sudo gobuster dir -w '/usr/share/wordlists/dirb/big.txt' -t 50 -e…

  • Delivery Hack The Box
    HTB Writeups

    Delivery Write Up – Hack The Box

    Enumeration: To start the enumeration, as always, I am using nmap to see which ports are open and what services are available on those ports. As you can see from the screenshot, there are two ports open: port 80 and port 22. Usually I start on port 80. Let's see what we have there. Oh look, it is a website, what a surprise. Let's see the source and if we can find something. Oh.. that's good. We found a URL. http://helpdesk.delivery.htb That is nice. After some more enumeration I found one more URL: delivery.htb:8065 This can be seen in another place if you follow the links on the “Contact”…

  • Internet Security

    5 tips for personal cyber security

    Hello there. In this post I will talk about five simple tips that can increase your personal awareness when it comes to cyber security. 1. Update your software Well, that point is kind of a no-brainer. Usually software updates carry fixes for different problems and bugs. If a vulnerability is found, most of the time the developers of the software will make a patch and send an update as soon as they can. Not all updates carry security fixes, but you are not losing anything by installing them. Also, you can check in the description box what the update will include. That applies to all your electronics or platforms that…

  • Fuse Hack The Box
    HTB Writeups

    Fuse Write Up – Hack The Box

    Enumeration: Let's start with what's open on the box and what we can exploit. A quick nmap scan gives us: Holly Fu@k so many ports. I usually start with port 80. By going to the webpage I noticed that the URL is weird, so I decided to add it to /etc/hosts. OK, so now we have a website. I started browsing around, hoping I could use something. Then I started seeing some users that have used the specific printer. I made a list of all users. You can check it below: pmerton, tlavel, sthompson, bhult, administrator Well, time to collect some passwords because now we have a bunch of…

  • HTB Writeups,  Internet Security

    Protection ByPass and Brute Force attack – Bludit v. 3.9.2

    So this post will describe how to bypass the brute force protection in Bludit CMS v. 3.9.2, that is, if you have a username. After managing to find the password I will discuss what Metasploit module can help you to get a reverse shell. So, let's begin. If we check the documentation that Bludit provides we can see how they are preventing brute force attacks. Here is a screenshot and the link if you want to read through the whole documentation. https://docs.bludit.com/en/security/brute-force-protection After some googling I found a script that I just edited. I will post the script here and the link to the original article. https://rastating.github.io/bludit-brute-force-mitigation-bypass/ What you will need to…

  • VirSecCon2020

    Catalias – #Virseccon2020

    This was a fun challenge, just because I didn’t pay attention in the beginning. To start, log in with the provided credentials. After logging in, of course, I used “ls” to see what I have in the current directory. Oh … the flag is here. That looks too easy, but let's use “cat” to see what the content of the file is. Shit…. nothing is happening. How can I view the file? Now … when doing CTFs, usually there is a clue in the name of the challenge. This one is called Catalias – “cat”, “alias”. Let's list the aliases to see what we work with. As you can see from…

  • VirSecCon2020

    Hidden – #Virseccon2020

    This was an interesting small challenge. We have been given the password to ssh into the machine. After we do, of course we would like to run the “ls” or “ls -al” commands to see what we have in the current directory. Oh wow, a directory with the name secret. Let's cd into that folder. Oops, we can’t! This command tells us something important. We are working in “restricted bash”. Please see the image below. Now it is a matter of knowing how to escape that. A simple Google search can give you the result. As always, I will post a link at the end of the article.…

  • VirSecCon2020

    Magician – #Virseccon2020

    Wow, let's do some magic! For this challenge we are presented with an input field, a submit button and some kind of comparison in the button. I will go through my thought process instead of going directly to the solution because I think some of the things I did can be used in enumeration in the future. First I took a look at what 0e953532678923638053842468642408 is. I used Hash Analyzer provided by https://www.tunnelsup.com/hash-analyzer/ The result was that this hash is an MD5 or MD4. Because we see the ‘ == ‘ that means that some comparison will be done. After playing with the input I discovered that there is a function…

  • VirSecCon2020

    HotAccess – #Virseccon2020

    We are greeted with a page talking about modules. The recon part was clicking the two provided links and checking what changes. Then I noticed this. My first thought was: can I get somewhere else in the dir? Yes I can. I used the Repeater in Burp again to explore this. Can we view the password file in /etc? Yes we can! That means I can traverse directories from the URL and that is awesome! After some trial and error I find the correct file to be checking (.htaccess). Oh look what we have here in the response! Let's put that directory in the URL and see what happens.…