So, I went to Shmoocon for the first time this year, and I had a blast. Met some good people and saw a lot of great talks. A few highlights:
- Stephen Breen of FoxGlove Security showed how to chain together a series of existing Windows vulnerabilities to build a new privilege escalation exploit based on the Windows network broadcast name service (NBNS)
- Jay Beale of InGuardians gave a great talk on using Docker containers to limit attacks on apps
- Mandiant’s Matt Dunwoody and Nick Carr provided a postmortem on a massive breach they’d recently had to contain and remediate. Key takeaways: as an incident responder, your operational tempo has to outpace the attacker, and if you’ve got PowerShell in your environment, upgrade to v4 to take advantage of the logging capabilities
The links above point to the Shmoocon schedule; I’ll add links to the slides as they become available.
Update: videos are available here.
At a recent capture-the-flag event, I came across a web app with a somewhat troublesome SQL injection vulnerability. Identifying that the query was vulnerable was easy enough, but fingerprinting the underlying database was troublesome. No matter what I tried in order to find the version, or even just to identify tables, usernames, etc. using standard MySQL and PostgreSQL queries and tables, I kept getting errors.
Eventually it occurred to me to try SQLite, which is what it turned out to be. The really frustrating thing was that most of the SQL injection references I found didn't deal with SQLite, and developer tips for finding database metadata focused on using commands in the sqlite command-line tool rather than SQL queries. Eventually I found a post on Stack Overflow that gave me the SQL I needed to find the data I was looking for.
Finding the sqlite version:
Finding tables and columns:
SELECT name, sql FROM sqlite_master WHERE type = 'table';  -- the sql column holds the CREATE TABLE statement, which lists the columns
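As an added illustration (my own example, not code from the CTF app or the Stack Overflow post), the script below runs the same metadata queries as plain SQL against a constructed in-memory SQLite database, and sets a string-concatenated lookup beside its parameterized equivalent so the difference is visible on the same input. The table names and rows are assumptions made up for the demo.

```python
import sqlite3


def build_db():
    """Constructed sample database resembling a small CTF web app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.execute("CREATE TABLE flags (id INTEGER PRIMARY KEY, value TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    conn.execute("INSERT INTO flags (value) VALUES ('flag{constructed-sample}')")
    return conn


def fingerprint(conn):
    """Version and schema via SQL only: no sqlite3 CLI dot-commands needed."""
    version = conn.execute("SELECT sqlite_version()").fetchone()[0]
    tables = {}
    for (name,) in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        # PRAGMA table_info yields one row per column: (cid, name, type, notnull, dflt, pk)
        cols = [row[1] for row in conn.execute(f'PRAGMA table_info("{name}")')]
        tables[name] = cols
    return version, tables


def lookup_vulnerable(conn, username):
    # Concatenation: the user-supplied value becomes part of the SQL text itself.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Parameter binding: the value is passed as data, so quotes in it are never parsed as SQL.
    return conn.execute("SELECT username, email FROM users WHERE username = ?",
                        (username,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(fingerprint(db))
    print(lookup_vulnerable(db, "' OR 1=1--"))  # every row comes back
    print(lookup_safe(db, "' OR 1=1--"))        # no such username: empty list
```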
SANS had an excellent Holiday Hack challenge this year, full of firmware analysis, web app hacking and exploit development. I've been trying these for the past few years, and for the first time I was able to complete the entire thing. Here's the PDF of my solution; it's kind of a rush job. In a couple of days I should have time to pretty it up and make it into a proper post here. Cheers.