Sunday, July 19, 2020
Wednesday, July 8, 2020
Exploiting Webmin 1.890 through cURL
In a recent CTF, I came across a legacy version of Webmin with a Metasploit module. I prefer to do things without Metasploit, so decided to use cURL.
In the above, you can see that Webmin is running by the page title - "Login to Webmin" and the version - "Server: MiniServ/1.890"
This specific version of Webmin has a backdoor with an associated Metasploit Module. The exploit looked easy enough, so I decided to do it manually.
Basic code execution.
We're already root...
And there's the flag. I won't cat it in this post, but there you go.
Monday, September 9, 2019
Diagnosing a weird lack of RAM
Whilst recently playing Warframe, the game crashed with an "Out of Memory" error. I found this to be a bit odd as I have 32GB RAM.
Checking Task Manager, I saw my RAM Usage was weirdly high (25GB / 31.9GB). After closing everything (Chrome, Discord, Visual Studio, SQL Server, etc), it was still sitting at 19GB which was still really high.
I downloaded the latest version of RAMMap to figure out what was going on. It didn't show any process leaking anything (I have had issues with excessive Modified Page List Bytes being used in the past since I intentionally have no Pagefile - But it wasn't the case here). Then I saw something odd.
The "Nonpaged Pool" (Whatever that was?) was using up 13.1GB RAM. I didn't realize that was unusual until I searched around and figured out that it should be taking around 500MB - Max - On a Server - With over 100 days uptime. Something was definitely up!
After extensive research, I found out that the "Nonpaged Pool" was a collection of RAM used up by System drivers. Most people simply recommended to reboot when it gets high, but that wasn't good enough for me - I wanted to figure out what was wrong!
I eventually came across this awesome page which got me to install the latest Windows SDK to get a process called "poolmon.exe" (Installing a 9GB SDK for a single app seems excessive, but I couldn't figure out any other way to get it...). After running the program and ordering things, the issue was immediately apparent.
Something with the tag of "AfdB" was using up 6821892960 Bytes (Or 6.8GB) of RAM, whilst the next highest thing "EtwB" was using up 33046784 Bytes (or 33MB) of RAM.
I opened up CMD and ran
> findstr /m /l /s AfdB C:\Windows\System32\Drivers\*.sys
And came up with two results.
> C:\Windows\System32\Drivers\afd.sys
> C:\Windows\System32\Drivers\EasyAntiCheat.sys
So, the problem was either in afd.sys (The "Ancillary Function Driver for WinSock"), or EasyAntiCheat.sys (A third-party anti-hacking program installed by some games). You can most likely guess which one was the issue :p
The EasyAntiCheat.sys in my System32\Drivers folder was from 2016. The latest version correctly located at C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.sys was from 2019. I rebooted in Safe Mode, deleted the one in System32, and rebooted again.
After 3 days of uptime, my PC is now sitting at a happy 5GB / 31.9GB, and the Non-paged pool is at a much happier 148MB. Much better :)
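The findstr step above, extended as an added example (not part of the original post): it finds the .sys files that contain a pool tag and lists them oldest first, since the culprit here was a stale 2016 copy of a driver. The function names are hypothetical, and it assumes read access to the driver directory.

```python
import os
from datetime import datetime, timezone

def file_contains(path, needle, chunk_size=1 << 20):
    """Stream the file in chunks, keeping a small overlap so a tag that
    straddles two chunks is still found."""
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return False
            if needle in tail + chunk:
                return True
            tail = chunk[-(len(needle) - 1):]

def drivers_using_tag(root, tag):
    """Return [(path, last-modified date)] for every .sys file under root
    that contains the pool tag, oldest first."""
    # Pool tags are four ASCII bytes; shorter tags are space-padded.
    needle = tag.ljust(4).encode("ascii")
    if len(needle) != 4:
        raise ValueError("pool tags are at most four characters")
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".sys"):
                continue
            path = os.path.join(dirpath, name)
            try:
                if file_contains(path, needle):
                    stamp = os.path.getmtime(path)
                    day = datetime.fromtimestamp(stamp, timezone.utc).date()
                    hits.append((path, day))
            except OSError:
                continue  # locked or unreadable file: skip it
    return sorted(hits, key=lambda hit: hit[1])

if __name__ == "__main__":
    # Same search as the findstr command in the post.
    for path, day in drivers_using_tag(r"C:\Windows\System32\Drivers", "AfdB"):
        print(day, path)
```

A match only means the four bytes occur somewhere in the file, so treat the list as candidates and compare dates and vendor locations before removing anything.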
Sunday, July 28, 2019
Running openvpn without it hanging the terminal
Whilst messing around with HackTheBox, I attempted to connect to the VPN from an Ubuntu VM I have with Google.
The annoying part was that after it ran, it would hang at "Initialization Sequence Completed", and required a second terminal connection to continue. If I Control+C'd, it would kill the VPN connection.
After a bit of searching, I found that I could run it then background it by going
> sudo openvpn Reelix.ovpn &
In which case it would still hang at "Initialization Sequence Completed", but I could Control+C it without it killing it. Close... But the hanging annoyed me.
After a bit more searching, I found that OpenVPN had a --daemon parameter, but going
> sudo openvpn Reelix.ovpn --daemon
Threw up an error
> Options error: I'm trying to parse "Reelix.ovpn" as an --option parameter but I don't see a leading '--'
> Use --help for more information.
After much searching, I eventually discovered the trick!
> sudo openvpn --config Reelix.ovpn --daemon
Success!
To kill the connection, I could either go
> sudo pkill -f "openvpn --config Reelix.ovpn"
Or
> ps aux | grep openvpn
> sudo kill -2 processIdHere
Sunday, September 30, 2018
Starcraft 2 AI Battles!
Whilst going through my daily news, I found an article about how an AI Bot in Starcraft 2 managed to beat the hardest native SC2 AI. In my search for the videos of these battles (Which I couldn't find), I managed to find the SC2 API for bots, and with a little more searching - The SC2 AI Ladder.
Browsing their Wiki, I came across a SC2 Bot written in C#. So, I did what any awesome developer would do - I downloaded it, customized the daylights out of it, and entered it into the AI Ladder (Without expecting to actually get anywhere - Only a few hours work after all). After a few problems with uploading (Which the Site Admin helped me out with on Discord!), I managed to get a working bot onto their ladder.
The initial results amazed me!
Not only was my bot not absolutely terrible - It was winning almost every match it entered! In fact, it had a 78% Win Rate (And a 22% Crash Rate which was destroying my rating...) - And that was just the first version!!! I fixed some crashes, optimized some code, fiddled with the gameplay, and re-entered my Bot - Eager to see how the new changes affected the ratings!
Tuesday, September 25, 2018
Tiny C# Remote SSH Version Detector
Whilst doing some NetSec stuff, I needed a quick way to get the SSH version of a remote target, so I coded the following.
Demo (No Connection, Open Connection via Netcat, Actual SSH Server, Actual SSH Server on a custom port)
Download: Here (5kb)
Source
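A sketch of the same idea in Python, as an added example (this is not the author's C# source, which is not reproduced on this page): it reads the SSH identification line and distinguishes the four demo cases above. The function names and status strings are hypothetical.

```python
import socket

MAX_LINE = 255           # RFC 4253 caps the identification string at 255 bytes
MAX_PREAMBLE_LINES = 20  # a server may send other lines before the "SSH-" line

def parse_ssh_banner(line):
    """Return (protocol, software, comments) for an 'SSH-' line, else None."""
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    # The banner is untrusted input: neutralise control characters so that
    # printing it cannot inject terminal escape sequences.
    text = "".join(c if c.isprintable() else "?" for c in text)
    ident, _, comments = text.partition(" ")
    parts = ident.split("-", 2)
    if len(parts) != 3 or parts[0] != "SSH" or not parts[2]:
        return None
    return parts[1], parts[2], comments

def ssh_version(host, port=22, timeout=3.0):
    """Return (status, detail); status is one of
    'ssh', 'not-ssh', 'no-banner', 'no-connection'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "no-connection", str(exc)
    seen = b""
    with sock, sock.makefile("rb") as stream:
        try:
            for _ in range(MAX_PREAMBLE_LINES):
                line = stream.readline(MAX_LINE)
                if not line:  # peer closed the connection
                    break
                parsed = parse_ssh_banner(line)
                if parsed:
                    return "ssh", parsed
                seen = seen or line
        except OSError:
            pass  # read timed out: port is open but silent (a bare netcat listener)
    return ("not-ssh", seen[:80]) if seen else ("no-banner", None)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    print(target, port, *ssh_version(target, port))
```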
Saturday, September 15, 2018
Configuring MPC-HC for easy Anime watching
Whilst watching some Anime recently, I got a bit annoyed that the default language was always set to English, so I had to change the language and fix the subtitles every 20 minutes or so, which got super annoying.
I eventually found a fix.
Right Click -> Options -> Playback -> Default track preference
Set the "Subtitles" number to the position of the option you prefer at the bottom of the Right Click -> Subtitle Track list, and set the "Audio" option to "jpn".
Tuesday, September 11, 2018
Simple C# Command-Line Twitch Bot
Got bored one evening, so decided to create a basic Twitch bot in C#
It can't really do anything besides watch the chat, count the users, parse Twitch user tag data (Oh gawd why...) and have the user send messages to the chat, but the basic infrastructure is there for anything more complex.
Code: Here
Sample Screenshot
Ready Player One - Audio Book (Free)
Friday, July 27, 2018
My Chrome Theme
This is the Fluttershy-themed Chrome theme I use.
This post is here because I had a few people asking me which it was.
Theme link: Here