Sniffing I2C Communications

Introduction

A variety of hardware is available to interface and sniff I2C communications. These devices range in capabilities, from basic logic analyzers to more complex devices that permit injecting data into the bus.

Summary of hardware used

The Inter-Integrated Circuit Bus (I2C) is a common protocol that allows a microcontroller to interact with some peripheral component. This allows a number of devices to be connected in parallel using only 4 wires.

Extracting firmware images from SPI flash

Recently I’ve been revisiting some hardware hacking techniques. I purchased a Hydrabus and a standard SOIC-8 clip from DigiKey to assist with this task. For practice, I decided I wanted to attempt to extract the firmware from the same DVR system I experimented with back in 2015. Link to post.

After inspecting the circuit board, I found a flash memory chip on the back.

Some careful lighting adjustments revealed the chip was a Winbond W25Q128FV, which is supported by flashrom.

The Dangers of default configurations

Introduction

Most security professionals are very familiar with the pitfalls of default configurations. However, the larger Open Source Software community may not be. Recently, I have been researching the nature of these configurations and specifically how they relate to the self-hosting community.

This journey started when I was looking for a replacement for the app I used to track my vehicle's fuel economy and expenses. I found a self-hosted solution that appeared to suit my needs. Given my security background, it was important that I vet anything I was considering putting on my server. The application in question is called "Hammond", and is available on GitHub. The backend is written in Go, a language I am not super familiar with, but know enough of to be dangerous. The readme lists a few ways to start the server. The first option is to run the server using a docker command.

Using Google dorks to uncover application secrets

Google Dorks are a great way to uncover information semi-passively. Primarily, they are special search queries that lead to information that shouldn't be public. In this blog post, I will showcase some useful queries, show the impact they have, and provide some remediation steps.

The Queries

Both queries I'll show are very similar.

intitle:"index of /" intext:"config.py"

and

intitle:"index of /" intext:".env"

The core of both is intitle:"index of /". This returns results whose title contains "index of /". Pages like this are open directories being listed by the underlying HTTP server.

Exploiting predictable UUIDv1

Recently, Intigriti (https://twitter.com/intigriti) posted a challenge on Twitter. I found this challenge pretty interesting, as I had not really heard of any issues regarding GUIDs (Globally Unique Identifiers), sometimes also listed as UUIDs (Universally Unique Identifiers). I had previously assumed these were essentially random and unpredictable. Unfortunately, some versions of the UUID are not so random; UUIDv1 in particular is not.

Hackthebox - Search

Introduction

Search is a retired HackTheBox machine which involves several common Windows exploits. I completed this box a while ago, but now that it has retired, I can post my writeup. Some of the tools used to complete this box are crackmapexec, gmsadumper, bloodhound, smbclient, and rpcclient.

Recon

Start with an nmap scan:

Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-24 20:46 EDT
Nmap scan report for 10.10.11.129
Host is up (0.042s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Search — Just Testing IIS
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-03-25 00:46:21Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: 2022-03-25T00:47:41+00:00; +1s from scanner time.
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Search — Just Testing IIS
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
| tls-alpn:
|_  http/1.1
|_ssl-date: 2022-03-25T00:47:41+00:00; +1s from scanner time.
| http-methods:
|_  Potentially risky methods: TRACE
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: 2022-03-25T00:47:41+00:00; +1s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-03-25T00:47:41+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-03-25T00:47:41+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-03-25T00:47:04
|_  start_date: N/A

The nmap scan returned a lot of information; however, there are a few key ports that reveal the most about the machine.

Configuring custom HTTP headers in the Zed Attack Proxy (ZAP)

I've been trying some bug bounty programs recently. I often alternate between using Burp Suite and ZAP. Many programs want you to add a custom header to your requests so the traffic can be identified and, in some cases, bypass some roadblocks. In this post, I'll show how to configure ZAP to add the custom header.

At first, I was pretty confused about how to do this. Through some Googling and some GitHub issue searching, I found the answer.

Cyber Apocalypse 2022 - Space Pulses

This challenge was part of the hardware category, and was pretty interesting. Here is the challenge description:

One of our enhanced radio telescopes captured some weird fluctuations from a nearby star. It was idle for decades due to the fact that it was fully enclosed by a Dyson Sphere but its patterns began to change drastically leading us to believe that someone is controlling part of the megastructure to release energy and send these pulses directed to us in order to transmit a message. They must have known that our equipment can read even the slightest fluctuations.

Cyber Apocalypse 2022 - Blinkerfluid

This was the first web challenge I solved in the Cyber Apocalypse 2022 CTF. This challenge had a downloadable portion with a fake flag as well as a web instance with the actual flag. Since the CTF has been over for a while and I didn't capture any of the actual challenge, I am recreating the steps I took here using the Docker container.

Recon

First, I took a look at the challenge in a browser.

Cyber Apocalypse 2022 - Extracting DPAPI credentials

I recently competed in the Cyber Apocalypse 2022 CTF on HackTheBox. This was a really fun experience (and my first ever live CTF). I only solved a few challenges (which I'll be writing up in subsequent posts), but there was one vexing challenge which I wasn't able to complete. I kind of had the right idea, but I was missing some key pieces of information. The point of this post is to explain what I was missing, how it works, and how I would have done it.