Sunday, May 17, 2020

WeirdAAL update - get EC2 snapshots


I watched a good DEF CON video on abusing public AWS Snapshots



I, of course, wanted to check this out. There are tens of thousands of public snapshots in the various regions.  The talk outlines what you can do with these and Bishop Fox released a tool to do it https://github.com/BishopFox/dufflebag. I wanted to script up a few weirdAAL modules to 1) for an AWS keypair you are testing check and see what snapshots you have available 2) for an AWS accountid list public snapshots.  Useful for bug bounty or for monitoring your org for public snapshots.  The account you are using will need at least AmazonEC2ReadOnlyAccess privileges.

Screenshot of the 2nd function below

listing snapshots for a random AWS accountid

You can git clone or git pull to get the updated code from https://github.com/carnal0wnage/weirdAAL

If you just want to do it with the AWS CLI you can use the following shell script:



CG

Monday, April 27, 2020

The Duality of Attackers - Or Why Bad Guys are a Good Thing™


The Duality of Attackers - Or Why Bad Guys are a Good Thing™


It’s no secret I've been on a spiritual journey the last few years. I tell most people it’s fundamentally changed my life and how I look at the world. I’m also a hacker and I’m constantly thinking about how to apply metaphysical or spiritual concepts into my daily life. Because if they are true they should apply broadly and also to many aspects of our lives. One of the key things I’ve learned is that perspective drives an individual's opinion of a situation or event. Is something good? Is something bad? It all depends on the observer’s perspective of the situation.


My first Battalion Commander in the Army when I was having my welcome to the unit meeting said something I've never forgotten. He said “On any given day it’s better to be a Soldier, a DA Civilian, or a Local National (I was in Belgium)”. This stuck with me ever since even though i didn't know what to call it at the time….perspective. 


In late 2019 the Irresponsible Open Source Tools (intentionally not linking) debate took over Infosec twitter for a few weeks. Ever since that time I've been thinking about - “Are attackers a good thing?” Not red teaming, not pentesting but straight up criminals. The real steal your shit type, not the point and laugh type, the wreck all your things, steal all the things, potentially end your business type attackers. There were several people basically stating life would be better if attackers did not exist and I wasn't so sure about this. 


TLDR; I think Yes, attackers are a Good™ thing or rather not a Bad™ thing because they force us to adapt and grow. Growth Through Struggle.


But first, definitions:


Perspective
“The art of drawing solid objects on a two-dimensional surface so as to give the right impression of their height, width, depth, and position in relation to each other when viewed from a particular point.”


“A particular attitude toward or way of regarding something; a point of view.”




Another way to think about perspective and how everyone can have their own is that “Everything (every person, place, thing, situation, event) is fundamentally neutral - they are neutral props with no built in meaning” [1] - the observer of the situation or event gives the event meaning.


The meaning we put, the meaning we assign to these neutral things completely determines the effect that we get out of them. Every situation can be viewed in many different capacities and it solely depends upon how you perceive it and the association that you create with it and your beliefs about the situation or event.

I'm currently fascinated with TV Shows that tackle this subject. Lucifer and Good Omens come to mind where the idea that the "bad" guy is sometimes the good guy if you evaluate their actions and the "good" guy is the bad guy as dictated by their actions or listening to their superiors.


Duality
As hinted at by the word "dual" within it, duality refers to having two parts, often with opposite meanings, like the duality of good and evil.
If there are two sides to a coin, metaphorically speaking, there's a duality. Peace and war, love and hate, up and down, and black and white are dualities. Another term for a duality is a dichotomy. Duality has technical meanings in geometry and physics. In geometry, duality refers to how points and planes have interchangeable roles in projective geometry. In physics, duality is the property of matter and electromagnetic radiation to be understood best through wave theory or particle theory.


“Your truth is truth, my truth is truth, but your truth is not necessarily my truth.”
Understanding and being aware of duality is vital to our human experience, as it allows us to see things from ‘both sides of the coin’ and better understand ourselves and others amid the collective. Most individual’s version of ‘truth’ culminates according to their past and current experiences, social conventions, and worldly views. To put it simply, duality is the nature in which everything holds opposing truths — all of which are true — at least in a relative sense.
From: https://quantumstones.com/what-is-duality-the-doorway-to-all-truths/


Buddha & The Demon - Perspective

Extra Reading on Duality


I’ll be honest, after a lifetime growing up in the United States worrying about the next foreign country boogeyman and over a decade in the Army where the primary motivation was giving soldiers someone to “hate” it’s been quite a journey to try to see things other than a binary right/wrong & good/evil, etc. The intersection and interdependence of good and evil manifested for me (and I think plenty of others) in the following way: we don’t feel we are good unless we are fighting against evil. It’s the American Way! We can feel comfortable and secure in our own goodness only by attacking and destroying the evil outside us. I was, and still am to an extent, looking for evil to vanquish. This interdependence is at the core of Infosec. Without APT groups, criminals, malware, and every other form of virtual boogeyman (aka “the other(s)” or “the bad guys”) most of us have no reason for our Infosec existence.


Thinking of everything as fundamentally neutral has helped me drop some, but not all, of my old vocabulary and has given me space to pause and to think about how I feel about issues at a micro level and macro level. Taking that pause allows me to understand that my perspective on the situation is entirely what matters and that another person could have a TOTALLY different perspective on the situation (and Infosec twitter shows me...quite frequently does).


Criminals, Attackers, Bad People, etc and their actions can have a multitude of perspectives.


Take a company that gets compromised so badly they go out of business. From the perspective of the company CEO this is BAD. From another perspective, perhaps of a competing company CEO, this is GOOD, from the perspective of the attacker they got what they wanted so (GOOD) perhaps a bonus is coming, perhaps their family gets to eat or maybe they just get another BTC in their nano ledger. In-house defenders have “failed their mission” and now are out of work or maybe this was the event that finally prompted management to spend that money they’ve been asking for. Perhaps their failures were so embarrassing they have made it by name in tech-crunch articles and their careers may be over or at least paused. Perhaps they “lost” but their response was good enough that the general public thinks things are ok inside the company anyway.


For Infosec, I’m going to make the case that attackers are GOOD; at least from my perspective (as every opinion piece is). But, I’ll attempt to lay out bullet points for rationale for my current perspective. The following can be summed as “Growth through struggle”:


  • Attackers force defenders to consistently up their game. Attackers constantly innovate to get around the current detection techniques and technologies.
  • Attackers force Red Teams to up their game to keep up with their TTPs.
  • Defenders force attackers and Red Teams to up their game to keep up with current defenses.
  • Without virtual cyber boogeymen a 100+ billion dollar industry would sell less product and be required to innovate less.
  • Attackers force visibility into their politics and perspectives through the investigations into their motivations and TTPs. 
  • They give a large portion of Infosec a “purpose”. I’ve dedicated the last 20 years of my life in various verticals of IT to “keep bad guys out” and I'm positive I'm not alone.


If you’ve made it this far. Thank you! I realize the title is a bit click-baity and not really in line with the idea of duality or perspective but no one would have read “attackers are fundamentally neutral.” Although my hope is that are open to exploring that perspective now. I welcome your thoughts on the subject.


CG
CG

Friday, March 13, 2020

What is your GCP infra worth?...about ~$700 [Bugbounty]



BugBounty story #bugbountytips

A fixed but they didn't pay the bugbounty story...

Timeline:
  • reported 21 Oct 2019
  • validated at Critical  23 Oct 2019
  • validated as fixed 30 Oct 2019
  • Bounty amount stated (IDR 10.000.000 = ~700 USD) 12 Nov 2019
  • Information provided for payment 16 Nov 2019
  • 13 March 2020 - Never paid - blog post posted
  • 19 March 2020  - received bounty of $565.86

There are lots of applications that are SAAS - Shell as a Service. Jupyter Notebook is one of these with its running code feature as well as its terminal functionality.

While I was trolling shodan looking for vulnerable boxes i came across an open Jupyter notebook belonging to Tokopedia. This wasn't obvious at first , but it will become clear how I identified this as you check out the screenshots.

Open Jupyter notebook server

I did a post on what do do when you find a GCP key in a previous post

This is especially important when people leave their GCP service account keys in folders
When you leave your service token in the folder for all to find/use

In this case it was base64 encoded - but easy to fix

service account token b64 decoded
It was also in the error output of one of the jupyter notebooks



I had used the terminal to do some basic poking around to find the owner



Once I identified it was owned by someone with a bug bounty program I figured it was ok to prove access and impact.

Per the GCP blog post once you have the service account token you authenticate and interact with services your token has access to


The handy thing about getting a shell on a GCP compute host is that all the GCP utils are installed and "just work" I actually didn't need to do anything from an external host I was able to start ssh'ing to other hosts from within the jupyter terminal.





Bigquery tables o_0

[+] Bigquery access [+]
bq ls --format=prettyjson --project_id tokopedia-970

Dat billing table yo

I love payments tables


Along the way I searched who this company was.  https://en.wikipedia.org/wiki/Tokopedia

Most interestingly...

In 2017, Tokopedia received $1.1 billion investment from Chinese e-commerce giant Alibaba.[7] Again in 2018, the company secured $1.1 billion funding round led by Chinese e-commerce giant Alibaba Group Holding and Japan's SoftBank Group[8] putting its valuation to about $7B.[9]
So being a good person (tm) I reported the issue and it was assigned a critical severity. The fixed it super quickly and the team was decently responsive until it was fixed. After that it took 2 weeks to get information on the bounty, I promptly provided payment info, but I was never paid and they have stopped responding to my inquiries.


Solutions:
Run in a limited privilege container (doesn't protect against cloud metadata attack)

New versions of Juypter notebook allow for password protecting access. Do that instead of open to all
CG