So it has been a couple of weeks since I posted anything, and one of the main reasons for that is because I have been spectacularly failing at doing things.
That is an awesome thing.
To many, failure at first seems like the enemy. It is the one thing that you do not want to do, but I truly believe that it is the one thing that keeps me moving forwards. As Rocky would say:
It’s about how hard you can get hit and keep moving forward; how much you can take and keep moving forward.
And he is right. It is completely about moving forwards, no matter what.
I used to work at a web agency, and at places like that, you get to meet and become friends with a lot of designers, and very creative problem solvers. They have been telling me this for years, but it takes some time to get it into my head sometimes.
For them it is all about solving problems. All their work usually revolves around a problem, stated in the visual medium, such as how to represent some kind of data, or how to properly and efficiently communicate something to the user. Whatever that thing is can be completely different from day to day.
They will try, try, and try again until they have effectively boiled down what the problem is to something very small and effectively solvable. They will mold the problem into a lot of possible solutions, and start throwing things away. As they relentlessly remind me:
A designer knows he has achieved perfection not when there is nothing left to add, but when there is nothing left to take away.
– Antoine de Saint-Exupéry
Once they have thrown sometimes hundreds of possibilities away, they will eventually settle on a direction, and then eventually on an actual design. They will, in fact, only succeed once they are done throwing things away and removing things.
That is what success is: a path through multiple failures, eventually ending up in success. If you are in any doubt, do a Google image search for “path to success”, and you will see what I mean.
That is why I am writing this. I have just iterated through exactly this process, as I often do, with a couple of projects, and I thought I should document it, not only as a reminder to me that my failure is a good thing, but because it might help just one of you guys, in which case it was worth failing a hundred times.
So let’s look at the projects I have failed at recently, what happened with them, and what to do about them.
- Failure to write a blog in a timely manner.
- Failed to break into a Vulnerable OS from the De-Ice series.
- Failed to do some malware analysis.
Now the first one is pretty much remedied by what you see here. I also have another one “in the pipeline” which I am almost legally obliged to withhold until the 15th of March, so one week after you see this one (ooh exciting!).
I failed at writing a couple of blog posts though. In fact I tried writing one about points 2 and 3, and also about the CTF competition I took part in over the last weekend too. I even failed to score many points in it. Failure all round!
So let’s take a look at point 2, the De-Ice VM. It started pretty much like all the others. I loaded the VM (De-Ice 1.120), and started an nmap scan on the subnet it was supposed to be a part of.
Lots of ports open, so I went straight to the URL in my browser to check out the game related pages. I also noted port 3306 was open. This is the default MySQL port. That made me think immediately that it was going to be a starter MySQL injection kind of exercise. Enumeration and information gathering is key though, so back to that.
The Add product link returned a very simple form with 3 fields, product name, price and description. Hitting the add product button would submit the form, and then allow you to add more. Pretty basic, even for a Marketing department. (just kidding)
What if we could tell the server to show us something different? Well we can with something called ‘SQL injection’. Perhaps that bears some quick explanation before we dive into the meat and potatoes of the VM.
That “id=1” in the URL is essentially telling the database at the other end of this web connection (in the VM) that we want to see the data for whatever thing has an id of 1. If we had products 1 to 57, and you changed the URL from id=1 to id=34, then you should get the data for whatever product is in the database with the id of 34.
That is kind of how SQL databases work. SQL stands for “Structured Query Language”, which is just a fancy type of language that allows you to formulate questions to ask a database. There are loads of keywords, and different SQL database manufacturers do things slightly differently, but essentially it is a way of communicating with the database using a specific language.
Injection is just adding some commands of our own into whatever command the web page ends up sending to the database. SQL injection means that we are essentially asking the database to send us more data than absolutely necessary, and we are specifying which data to send. If you don’t think that is a bad thing, realise that these databases usually contain plain text user names and passwords.
It would be pretty terrible if we could just ask the database for “everything you have about whichever product is ID=1 AND everything from column USERNAMES AND everything from column PASSWORDS”. There is some weird capitalisation in that last sentence, because that is pretty much what SQL looks like.
There are some simple tests for SQL injection. Usually you are looking for when two queries return different results. The traditional method, or at least most easily visible and testable is just to add a single tick mark ( ‘ ) at the end of the URL. If this gives you an error message, it is highly likely that the URL is vulnerable to injection.
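To make that tick test concrete, here is an added illustration (my own, not code from the VM or from the De-Ice authors; the products table and its columns are made up) showing why a page that glues the id straight into its query errors out on a single tick, while the same lookup with a validated, bound parameter does not:

```python
import sqlite3

# Constructed sample data standing in for the VM's product table
# (the schema is an assumption, not the real De-Ice one).
PRODUCTS = [
    (1, "widget", 9.99, "A widget"),
    (2, "gadget", 19.99, "A gadget"),
    (34, "sprocket", 4.50, "A sprocket"),
]


def make_db():
    """Build an in-memory database holding the sample products."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, "
        "price REAL, description TEXT)"
    )
    conn.executemany("INSERT INTO products VALUES (?,?,?,?)", PRODUCTS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """The bug: the ?id= value is pasted straight into the SQL text.
    A trailing tick opens an unterminated string, so the database
    complains, which is exactly the error the tick test looks for."""
    sql = "SELECT id, name, price FROM products WHERE id = " + raw_id
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "DB ERROR: " + str(exc)


def lookup_parameterised(conn, raw_id):
    """The fix: insist the id is a plain integer, then bind it as a
    parameter so the database never parses user input as SQL."""
    if not raw_id.isdigit():
        return []  # anything that is not a bare id gets nothing back
    return conn.execute(
        "SELECT id, name, price FROM products WHERE id = ?", (int(raw_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "34"))       # normal lookup works
    print(lookup_vulnerable(db, "1'"))       # tick test surfaces a DB error
    print(lookup_parameterised(db, "1'"))    # hardened version: just no rows
```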
Fortuitously, that is exactly what happened with the VM. Now it is time to find out exactly what we can do. There are many methods to enumerate through databases, but one of the most effective by far is a tool called sqlmap. You can simply feed in a URL with a vulnerable parameter, and sqlmap will run some quick tests to figure out if it can get information out of the machine.
If it can, it gives several options for exfiltrating the data. Below you can see sqlmap in action.
I discovered halfway through exactly this process that sqlmap has functions that I had no idea about. It found password hashes, and cracked them on the fly. Awesome! It also managed to dump all the databases, from the usernames and password hashes (all cracked), to the complete setup of the database and everything else in between.
So now what? Well the username and password file looked like this.
Well, I logged into the VM using the previously seen SSH port, and tried as various users. In fact I tried as half the users. Most of them had nothing of note in their home directories. There were some names that rang a few bells from previous VMs though, such as ccoffee and bbanter, who were members of the IT group.
The ccoffee user even had sudo execute rights (shown by sudo -l) over a file in his home directory, called “getlogs.sh”. Progress! That means that we probably have to abuse this file in some way. I tried a lot of things at this point, one of them being to mv the file to some other name, and create a new file called getlogs.sh with only /bin/bash in it that I would then execute as sudo, and it would drop me into a root shell. Right?
Well, it didn’t work. The problem was, it should have. In fact I spent the better part of a day trying to figure out why it did not. Eventually I gave in and looked up someone else’s writeup of this machine. It really, really should have worked. It is literally how you solve the VM.
I have no idea what I did to make the VM bug out on me, but that is pretty much my job, so I think it is impressive that I got this far without it happening already. The passwords on the VMs are supposed to rotate, so if you reboot, you will get a different password each time. Somehow I was just not getting the right one.
I had failed.
Worse still, I don’t even know why… This is a great excuse to keep me moving forwards though, and I have been recently hitting my head against the wall of the next VM.
Onto the next failure!
So this failure was borne of this very blog. I don’t usually receive many emails, so a few weeks ago it seemed very strange to get about 15 at once. They were all spam posts from this blog in the comments section. Now the comments do not get published unless I approve them, so essentially until I do something they are stuck.
I thought I would try to see what they were selling, or what kind of thing they were trying to get people to install. Sometimes a bad link is all that is needed for a ransomware style malware to encrypt every file that a user controls, and demand bitcoins in exchange for decryption keys.
There were 3 distinct styles of spammy comments:
- Essay posts.
- China, China, China.
- Test posts.
That second one might seem slightly ambiguous, so here is a screenshot of what I mean.
If you do some geolocation of the IP addresses, it’s pretty clear (China, China, China). I reported these spammy posts to the abuse email for the IP range, but they control close to 117 million IP addresses, so I do not expect to hear anything back.
The Essay posts were also the same thing: lots of links to sell stuff, shoes, Windows 8.1 etc., and lots and lots of words, so that they would pass some imagined spam filter (or at least they got past mine).
The third, the test post, was probably the most interesting of all. It was a test post for something called Xrumer, which I found out was botnet C&C software! There are even YouTube videos of proper operation.
That seems like something we should revisit in the future. First let’s try to figure out how these spammers are peddling their wares.
Obviously what we want to do is click on the links to see what is behind them. Also, what we really, really do not want to do is click on the links. This is where a VM would be super handy. Fortunately I have a Windows 7 VM for exactly this reason.
I installed some programs onto it, like Wireshark, so that I can see what is being sent across the wire as it happens, and rip out any HTTP entities along the way. After taking a snapshot of the VM to revert to, I copied the location the links pointed to and fired up Internet Explorer (yes, I know). Once the pcap file was saved, I would drag it to my host machine in order to break it down.
At least, that is what I thought I was going to do. VirtualBox crashed. The VM fell over, and my mouse cursor was stuck as the stop signal. I couldn’t click on anything, and I couldn’t shut anything down. Even the virtual terminal would not open.
I had such high hopes of being able to find something to disassemble, or at least something to break open, see what was inside. Nothing.
I tried a couple more times, but exactly the same problem each time, essentially requiring a hard reset. My interest has been officially piqued though, so I think sometime after I buy a new home router, I will create a small honeypot virtual machine that looks like it is a juicy target to hackers. Then I will try to break open all the malware that it gets infected with.
One step at a time though.
So you may be thinking “But you hardly failed at all”, but that would be wrong. I failed in at least 30 or 40 places on my way through that first VM. I don’t mention them here for brevity. This post is already beyond 2000 words, so to keep it short: of all the failures that eventually led me to the big fail at the end, I learnt something from each and every one.
With the malware analysis, or at least the lack of it, I learnt the importance (again) of proper backups, either through snapshotting or otherwise. I also failed by assuming that people would just be posting malware to my comments section. Why bother with all that hassle, when you can just post a million links to online shops and hope?
That is what my designer friends are perhaps trying to tell me, that each time you fail, you have a beautiful opportunity in front of you to learn. To paraphrase Rocky, “pick yourself up and keep moving forwards”.
No one is amazing at something having never tried it; there is always a relevant skill somewhere in the background, contributing to success. So get yourself out there and fail. There is almost no other more effective way of learning.
I hope you have a great week!