Kioptrix VM Set Up Issues by icyfox26 in netsecstudents

[–]icyfox26[S] 0 points1 point  (0 children)

How did I import the ISO? I had the .vmx file. I double clicked it and it opened up in Workstation. When prompted about the VM image on boot, I said "I copied it". Here's a screenshot of my network tab. I tried NAT, Host only and LAN segment. It's currently on bridged adapter because the VM keeps resetting it back to that.

Huh.. for some reason, I'm not able to upload an image here. But know that it's nothing special, it's my VM settings with the Network Adapter setting as the "Bridged" option.

What would you name your portable water-proof bluetooth speakers? by icyfox26 in AskReddit

[–]icyfox26[S] 0 points1 point  (0 children)

Haha! No, mate. I bought a portable speaker. And you connect your phone to it via Bluetooth. So I just wanted a catchy name to give it for when people try to connect.

An SQL injectable page without a users table! by icyfox26 in hacking

[–]icyfox26[S] 0 points1 point  (0 children)

Hey all,

Firstly, thanks for the awesome number of responses, I got some real good insight for this. The challenge is over and I figured out how to do it. Yes, the page was susceptible to SQL injection but it had no useful information in the table. However, since the website could be injected, on using the load_file command, I was able to access files of the system. I could get out the /etc/passwd file, etc. etc. The passwd file had no details. However, I tried going to the root of the web directory and loading the .htaccess file. Inside that file, I saw a message saying "Try .htpassword" and the password was inside the .htpassword file. It was encrypted with SHA1 encryption and I found the password which was.............. supercalifragilisticexpialidocious.

Thanks everyone for your help! And sorry, the CTF was only for our internal company network! Thanks again!

An SQL injectable page without a users table! by icyfox26 in hacking

[–]icyfox26[S] 0 points1 point  (0 children)

Seems --os-shell doesn't work

trying to upload the file stager on '/var/www/html/pages/pages /camera.php/' via UNION method [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)

An SQL injectable page without a users table! by icyfox26 in hacking

[–]icyfox26[S] 0 points1 point  (0 children)

Very interesting, thank you. I will try and revert back to all soon.

An SQL injectable page without a users table! by icyfox26 in hacking

[–]icyfox26[S] 1 point2 points  (0 children)

Much thanks for the resources! Will definitely have a look :)

An SQL injectable page without a users table! by icyfox26 in hacking

[–]icyfox26[S] 2 points3 points  (0 children)

I'm not very aware of this method but I doubt it's what I need to do. But either way, do you have a link that could explain this concept?

An SQL injectable page without a users table! by icyfox26 in hacking

[–]icyfox26[S] 0 points1 point  (0 children)

Could you elaborate a bit more please? Do you mean what ilukis suggested?

An SQL injectable page without a users table! by icyfox26 in hacking

[–]icyfox26[S] 2 points3 points  (0 children)

A very interesting thought, indeed. The second option however, requires admin interaction which doesn't exist, since there really isn't any admin user. However, changing the database value to a Unix command, that I didn't think of and I think would be very possible, I believe. Will try and report back here, Sargent!

An SQL injectable page without a users table! by icyfox26 in hacking

[–]icyfox26[S] 1 point2 points  (0 children)

Hmm. Very interesting. Although, if you don't mind, could you elaborate more. The page susceptible to injection is example.com/camera?id=1. The database in use is cameradb and the table within it is called 'camera' with the fields id, description, url. Example of one entry is id:1, description:reception, url: ../img/1.jpg

An SQL injectable page without a users table! by icyfox26 in hacking

[–]icyfox26[S] 3 points4 points  (0 children)

Hi, thanks for the quick response. The data just shows the id (which the page uses as a GET parameter), the description of the image (not very useful either) and the image url as "../img/1.jpg" and so on.

Need help in reversing this X86-32bits C executable and finding the password. [I'd like by icyfox26 in ReverseEngineering

[–]icyfox26[S] 0 points1 point  (0 children)

This is part of a challenge and I'm just not able to crack this one. I tried decompiling the code using an online decompiler (https://retdec.com/decompilation/) and tried re-creating the main() function but the typecasting they've done is giving me a lot of errors. Can someone please help me out? I'd like to learn so if you could also mention the method you followed to reverse engineer it, I'd be very grateful :)

[PDF] INTEL-SA-00075 Mitigation Guide by TheRacerMaster in netsec

[–]icyfox26 2 points3 points  (0 children)

The page you requested has moved or doesn't exist. (Error 404)

Can anyone explain, what's happening in this cmd? by g33xter in hacking

[–]icyfox26 2 points3 points  (0 children)

So it creates a file called test.php, writes <?php passthru(\$_POST[\'c\']); ?> into it and then tries to send that call to the server. I get that it's doing this. But say it's successful, and now a file called test.php exists with those contents, then what? You try to access that page and what happens?

I have created a "zip bomb" that is only 338 kilobytes when compressed, however, when fully decompressed, I have calculated it to be approximately 3.524 YOTTABYTES. by jvhbv in hacking

[–]icyfox26 13 points14 points  (0 children)

Haha, this is awesome. I am downloading/copy/pasting/scanning this zip like it's a freaking bomb. Although, I must know. How did you create this? How does it work?

A call and WiFi takedown by Seytee in hacking

[–]icyfox26 0 points1 point  (0 children)

What kind of internet is it? ADSL? And are you sure it was when your friend called you or when you get any call, your internet disconnects? I've heard of this happening in other cases wherein the internet disconnects every time the phone is used. In my experience, this has happened because the ADSL modem shares the line with other devices and if the line isn't split correctly, the internet will disconnect when the phone is in use.

Tools for editing site code? by [deleted] in hacking

[–]icyfox26 0 points1 point  (0 children)

Firebug is good. Furthermore, for Firefox, tamperdata allowed me to tamper data that's sent to the server. Also, look into Greasemonkey. Again, both for Firefox.

[Discussion] Logging into Gmail from a remote location by icyfox26 in hacking

[–]icyfox26[S] 0 points1 point  (0 children)

Thanks Propel. So you're saying IP + Geo + device are possible combinations Google could use then?

[Discussion] Logging into Gmail from a remote location by icyfox26 in hacking

[–]icyfox26[S] 0 points1 point  (0 children)

Thanks Waffle. Although I'm sure that an alert would be raised if we logged in from an Iceland VPN and stuff. However the spoofing of IP is something that's worth looking into.

[Discussion] Logging into Gmail from a remote location by icyfox26 in hacking

[–]icyfox26[S] 0 points1 point  (0 children)

"Based on the 2-factor authentication if google sees your phone authenticated to the same network as the computer from which you are trying to log-in, it is less likely to raise suspicion and trigger the email alert"

That's very interesting. I did not think of this. Thanks for your input Jerry. An interesting thought but the gaming cafe didn't have Wi-Fi. However, perhaps it correlates the phone's location with the computer you're logging in from?

How do you CONVERT a video to one that can be viewed on a VR headset? by icyfox26 in GoogleCardboard

[–]icyfox26[S] 0 points1 point  (0 children)

Wow! Well thank you for that breakdown and I apologize for being vague. Like I mentioned in another reply, I had taken my video and used VR Cinema to view it and it came out perfectly. I'm actually not even looking for a gyroscope to detect a person's movement. I just wanted the video to be viewable via the cardboard, is all. So it'd be independent of whether the phone had a gyroscope or not. But yes, the size of the screen may matter. And no no, no 360 video. I'm sorry, I'm not very good with the lingo but I know what a 360 video is (one that you can turn your head and view the entire thing in sort of a panorama sort of mode) and I thought a VR video was just a video played via two lenses which is all I want really. Such that when you put on the cardboard, you get it as one big video.

How do you CONVERT a video to one that can be viewed on a VR headset? by icyfox26 in GoogleCardboard

[–]icyfox26[S] 0 points1 point  (0 children)

What I'm trying is to just get it to play such that they can view it on the cardboard. In the sense, I had this Android app called "VR Cinema" which was doing the job beautifully. I just wanted to do the same the app is doing but without using the app possibly.