The Danger of Exposing Docker.Sock

Thu, 11 Apr 2019 08:00:00 -0400

By default, when the docker command is executed on a host, an API call to the docker daemon is made via a non-networked UNIX socket located at /var/run/docker.sock. This socket file is the main API to control any of the docker containers running on that host. However, many containers and guides require you to expose this socket file as a volume within a container^[1]^[2]^[3]^[4]^[5]^[6] or in some cases, expose it on a TCP port^[1]^[2]^[3]. Docker containers that expose /var/run/docker.sock, locally or remotely, could lead to a full environment...

NoBots - AppSec USA 2018 CTF Solution

Tue, 29 Jan 2019 15:18:30 -0500

Running the challenge

docker run -p 5050:80 -e SECRET_KEY="YourSecretKey" -e SITE_KEY="YourSiteKey" dejandayoff/nobots

Using a browser, visit http://localhost:5050 (do not visit 127.0.0.1:5050, the domain must be localhost)

The SECRETKEY and SITEKEY are required if you want to run the second challenge with Google reCAPTCHA. This only takes a minute to set up:

Go to https://www.google.com/recaptcha/admin
Fill out "Register a new site" section with the following information:
Add your secret key and site key to the docker command above.

Solution

The challenge is to automate...

RCE Cornucopia - AppSec USA 2018 CTF Solution

Sun, 21 Oct 2018 15:51:38 -0400

Running the challenge

All of the challenges in RCE Cornucopia is designed to run in docker. Each challenge runs in it’s own container to prevent one RCE affecting the stability of the other challenges. During a CTF, these containers were rotated out ever 10 seconds. However, to run RCE Cornucopia locally you don’t have to worry about that. To run the challenge, simply create a file name docker-compose.yml with the following contents:

version: '3' services: frontend: image: dejandayoff/rce_cornucopia_frontend ports: - 8080:80 challenge1

Using DNS to Break Out of Isolated Networks in a AWS Cloud Environment
Mon, 27 Nov 2017 12:05:00 -0500
TL;DR
 Customers can utilize AWS' DNS infrastructure in VPCs (enabled by default). Traffic destined to the AmazonProvidedDNS is traffic bound for AWS management infrastructure and does not egress via the same network links as standard customer traffic and is not evaluated by Security Groups. Using DNS exfiltration, it is possible to exfiltrate data out of an isolated network.
 
 DNS exfiltration allows an attacker to bypass outbound firewall rules, and exfiltrate data or perform command and control activity with an external service, by only using the DNS protocol. In this case, DNS Exfiltration can even be used to exfiltrate data...


CactusCon and AppSec USA CTF Challenges and Walkthrough
Tue, 03 Oct 2017 10:33:02 -0400
This year my colleagues and I hosted a CTF at AppSec USA in Orlando, Florida and CactusCon in Phoenix, Arizona. I developed two of the challenges for the CTF. In this post, I will give you the source code and how to set up the challenge locally. I am also providing an official walkthrough describing how I expected people to go through the challenges.
 Set-up
 Set up for both challenges is fairly similar.
 Prerequisites
 Note: I did all my development on a Mac, I see no reason why this wouldn't work on a Linux machine, and in theory this should...


HTTP Route Busting
Fri, 29 Sep 2017 07:33:05 -0400
I did a talk at CactusCon 2017 about HTTP Route Busting.
 Here is the slides if you would like a copy: HTTP Route Busting
 Apparently there were more questions that just didn’t load so I will get to them in this post:
 The slides are very difficult to read from halfway back in the room, especially the text that's in light.. pink? maybe? Can they be reposted online somewhere?
  Yes! The slides can be downloaded here. The AV team was having some issues with the projector and that was the best we could have done. Sorry about that...


4 Ways to Transfer Files With a Limited Shell
Sat, 22 Apr 2017 04:42:48 -0400
Commonly during pentests I might be stuck on getting a file over to a system with only a limited shell. To be honest, this problem has mostly occurred to me on Windows so the solutions below will all work on Windows.
 Echo One Line at a Time
 The first method is to prefix the “echo” command to the beginning of each line and redirect the output to a file. You would then be able to simply paste the script into the limited shell and your file will be transferred. This method would really only be useful to transfer ASCII only...


OSCP Review - Felt the Pain and Suffered through it
Mon, 03 Apr 2017 16:30:16 -0400
On March 15th 2017 I received my Offensive Security Certified Professional (OSCP) Certificate. Well I guess I have yet to receive the physical certificate (they say it could take 60 days), but I have received confirmation that I have passed the test. Over 1 year of studying, 1 failed attempt, and countless hours spent in the lab, I have finally achieved my goal. In this post, I will review the PWK course process, my study strategy, and my exam strategy.
 The course and exam break down into the following sections:
  PWK Course book and exercises
 In-person PWK Course and...


CMD+CTRL CTF at DEF CON 24 Review
Sat, 13 Aug 2016 13:07:23 -0400
This year our CTF team (Savage Submarine) took first place in CMD+CTRL at DEF CON 24! This is my review of the CTF challenges and scoreboard and the overall experience. I will not be providing any walkthroughs or answers since the CMD+CTRL creators will be using these challenges again in other competitions.
 Savage Submarine consisted of:
 @amoldp18
 @crowdshield site
 @dejandayoff
 @hackerbyhobby
 @tibaal89 site
 We started off by walking around the DEF CON contest area trying to find the SecureNinja CTF. However, we ran into the CMD+CTRL booth and they convinced us to sign...


YoBlog CactusCon CTF Walkthrough
Mon, 16 May 2016 12:37:41 -0400
So, you’ve competed in the YoBlog Root-the-box challenge and you want to know the official answer? Well you’ve come to the right place! I am the creator of the YoBlog challenge and here is the official walkthrough. You can run the challenge locally (VirtualBox) by downloading the ova:
 Download OVA
 Flag One - /etc/passwd
 When you first visit the YoBlog homepage, you are greeted with a banner, some articles, and a theme button.
  
 When the theme button is clicked, the user is given a few choices in color. If “White” is selected, the source will...