Using Firefox webextensions as c2 client

ATTENTION

This technique was tested only on Linux; it will not work on Mac or Windows.

Matheus Bernardes, in Persistence

Hosting malicious payloads on Youtube

Why that?

It's a trick created during a red team mission where we had a Rubber Ducky that would download a bash script to run GTRS on the victim machine. But we had a problem: the traffic with the C2 would be safe using GTRS, but the infected machine needed to talk directly to the C2 to get our payload, so we had the idea of using YouTube to host our bash payload.

Matheus Bernardes, in RCE

Abusing H2 Database ALIAS

How to get a shell on an H2 Database using the ALIAS feature.

Today I was introduced to H2 Database, an in-memory, pure Java database. Because it is an in-memory database, developers mostly use it for learning, unit tests and PoCs, but you can learn more about it on the H2 site.

Matheus Bernardes, in RCE

Hacking into NET router for fun and profit [FULL DISCLOSURE]

Recently I moved to another city to live alone, and since I had to, I contracted the only ISP available in my building, NET, one of the worst ISPs in Brazil. They just decided to block all my outbound connections on port 22/ssh, but that's another story.

Matheus Bernardes, in Persistence

Stealing SSH credentials Another Approach.

Recently I posted how to get the ssh password using strace, but it's not 100% effective because the strace output changes between distros, so searching for another approach I found this site, ChokePoint, where they show how to create a PAM module using Python to log failed attempts on ssh. Now all I had to do was change where they log the password. The original script uses the function auth_log when the login fails.

    # Excerpt from the ChokePoint pam_python module: check_pw validates the
    # supplied password and auth_log writes the log entry; the password is
    # only logged on the failure branch.
    if not check_pw(user, resp.resp):
        auth_log("Remote Host: %s (%s:%s)" % (pamh.rhost, user, resp.resp))
        return pamh.PAM_AUTH_ERR
    return pamh.PAM_SUCCESS

Matheus Bernardes, in Persistence

Stealing SSH credentials.

OK, I became root. What can I do now?

BEFORE ALL, it's an old trick, but all the tutorials I found didn't work for me, so I just wrote my own :). Sometimes when you get root access to a server or a workstation you don't really have the root password; sometimes you just exploited the server and got id 0. What can I do in this case?

Matheus Bernardes, in Persistence

Testing XSS in places where you can't see.

The problem

It's common to find XSS vulnerabilities during web pentests, but sometimes you're testing an application that has more than one interface, like a user interface and an admin interface, so how can you test for XSS on the admin interface as just a regular user? Well, it's kind of simple, but it's not a test that finds all the XSS on the admin pages. For example, when you register on an application there is some information you provide, like name, address, bio and other things, so we can assume the admin interface can read this information, so we can just send XSS payloads to try to get XSS execution, but not a payload like the most common one,

    <script>alert('XSS')</script>

Matheus Bernardes, in Web

BWCON 2017 [pt-BR]

BWCON 2017 - Phishing a Sh3ll

This year, for the first time, I went to Recife and gave a talk at BWCON, an event organized by master @Toronto and sponsored by Tempest and El Pescador, an awesome event with a crowd of high technical level. My talk was about AV bypass with VBA + PowerShell, a simple thing, but one that can save you in some projects where the only entry point into the client's network will be phishing. So I'll leave here the link to the slides (Gdrive) and the PoC videos.

Matheus Bernardes, in Conference

Extract an apk from a non-rooted Android

When your device is not rooted and you want to analyse some app, you can't just pull the application's apk from it, so to do that I use this trick.

Matheus Bernardes, in Mobile

First step to create a wifi wordlist

You can find various wordlists on the internet focused on cracking wifi passwords, but they're not the best wordlists to use in Brazil, so what about getting some real Brazilian passwords? There is an app called MandicMagic, a social network where users save the passwords of wifi networks they use or have used. Well, here is our honeypot; we just need to intercept the requests and try to discover how the app works. In my first attempt I failed because all the requests made by the app are pinned, but thanks to Inspeckage it was really easy to bypass: Inspeckage hooks the pinning function. I just followed the tutorial on how to use Genymotion + Inspeckage + Xposed and intercepted all the app's requests.

Matheus Bernardes, in Mobile

Creating a simple x86 shellcode

It's a simple x86 shellcode to call /bin/sh, but the first thing is to understand how sys_execve works. To do so you can access this site, which gives you a list of all the x86 syscalls and the values you need to put in each register; just search for sys_execve.

Matheus Bernardes, in Reversing

Write Up GCL17 - SRI LANKA and AUSTRIA

SRI LANKA

The first thing to do is run the "file" command, which will indicate that the file is an ELF32. After that the binary was analyzed in r2, and I ended up realizing that I had forgotten to do the most simple and obvious thing, as I am a certified SGSE (Strings grep Specialist Engineer), so I just executed the following command:

    strings -e s c9c18a2c3f65bb8d1f6133765889774a1224cbe993edcc1641275be12b29b10a | less

Matheus Bernardes, in Reversing