Metasploit CTF – December 2020 :: Writeup

The Metasploit CTF this year was supposed to be easier, and I guess in some ways, it was. But it was entirely too easy to overthink some of the challenges. While I personally didn’t solve all of the challenges, I did manage a few. It was a lot of teamwork to get all of them solved. We didn’t make it to the top 5 this year, but it was a fun experience all the same.

With that all said, here are the challenge writeups for the ones I did.


[Advisory] Streamlabs Prime Website

About

This is a disclosure for Streamlabs. Streamlabs is a company that offers tools for streamers on various platforms, such as alerts for follows, donations, or raids. They also offer tools like wheel spins that can be customized for the streamer.

When a streamer sets up a profile on Streamlabs’ customizable website, they can opt to purchase the ability to add custom links. These custom links are displayed on the personalized site that streamers can link to for receiving tips or donations. The goal is to have a single page for social media links as well as a page with elements of the streamer’s choosing.

I honestly debated about releasing this because a) it’s not so much a security issue (I’ll outline where it is) as it is a bug and b) I rather like Streamlabs. But it is important for streamers to fix this and awareness is key. Because Streamlabs has gone silent on me, I’m releasing this in the hopes it’ll be seen and affected streamers can resolve it.

Details

These custom links can be to social media like Twitter, Instagram, YouTube, Patreon, or arbitrary bit.ly links. They can also be Discord invite links.

bit.ly short links and Discord invite URLs are case-sensitive. At some unknown point, a bug on Streamlabs began converting those URLs to all lowercase. As a result, visitors would be taken to unintended places. Usually this would be an error page saying the bit.ly link or Discord invite was invalid. But not in all cases. And that’s where we have the security issue.

In at least one case, a bit.ly link redirected to malware as a result of the link being lowercased.

That’s not good.

The scary part of this is that as far as streamers know, their links are just fine.
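To show exactly which kind of link this bug breaks, here is an added check (not Streamlabs code) that lowercases only the parts of a URL that are case-insensitive and flags saved links whose path would change; the host list is assumed from the post.

```python
"""Flag saved profile links that a blanket lowercasing would break.

Added example, not Streamlabs code. RFC 3986 makes scheme and host
case-insensitive, but the path is not: a bit.ly slug or Discord invite
code keeps its case, so correct normalisation lowercases only the first two.
"""
from urllib.parse import urlsplit, urlunsplit

# Hosts named in the post whose path is a case-sensitive identifier (assumption).
CASE_SENSITIVE_PATH_HOSTS = {"bit.ly", "discord.gg", "discord.com"}


def normalize_url(url: str) -> str:
    """Lowercase only scheme and host; leave path, query and fragment untouched."""
    p = urlsplit(url)
    # netloc would also hold userinfo, which profile links never carry.
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))


def buggy_lowercase(url: str) -> str:
    """The behaviour described in the post: the whole URL is lowercased."""
    return url.lower()


def classify_link(url: str) -> str:
    """'ok'      - lowercasing leaves the link unchanged
    'altered' - the path changed, but this host may tolerate it (e.g. social handles)
    'broken'  - the path changed and the host treats it as case-sensitive"""
    if buggy_lowercase(url) == normalize_url(url):
        return "ok"
    host = urlsplit(url).hostname or ""
    if host.startswith("www."):
        host = host[4:]
    return "broken" if host in CASE_SENSITIVE_PATH_HOSTS else "altered"


def affected_links(urls) -> dict:
    """Map each link that needs re-saving to its classification; 'ok' links are left out."""
    return {u: classify_link(u) for u in urls if classify_link(u) != "ok"}
```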

The Fix

Fortunately the fix is pretty simple. As a streamer, go to your settings where you have the links and save them again.

Conclusion

If you are a streamer and have questions, please feel free to reach out to me. Even though this is a bug in Streamlabs, and perhaps a silly bug, the consequences can be severe if users are inadvertently redirected to malware, or worse, because of this treatment of URLs being lowercased.

Keep reading if you want a timeline of events. I only included email conversation, though I did reach out to Streamlabs on Twitter for a security contact at the beginning.

If you are a company, please maintain a visible security contact email address or web form.

Disclosure Timeline

  • August 3, 2019: Initial support ticket detailing the issue
  • August 6, 2019: Streamlabs responds
  • August 6, 2019: I provide a screenshot and screen recording demonstrating the issue and confirm it is on multiple browsers and operating systems
  • August 8, 2019: I ask for confirmation that my information was sufficient
  • August 9, 2019: Streamlabs responds stating that there is confusion around reproducing the issue
  • August 9, 2019: I respond that I signed up for Streamlabs Prime and was also unable to reproduce, but provide an additional list of seven streamers that are impacted by this bug
  • September 28, 2019: I follow up requesting feedback and state that a blog post will be released

Reflections on my birthday

Every year when my birthday comes around, I try to use it as an opportunity to reflect on where I’ve been, where I am, and where I want to be. I try to use this as an opportunity to reflect positively, and maybe share some uplifting lessons I’ve learned.

But as most of us know, not everything in life is positive. I’ll be upfront: Most years my birthday is a pretty depressing time. I spend most of my birthdays alone. But I’ll try to keep those thoughts to a minimum and try to use that sadness to reflect and offer opportunities to grow.

This is as much for me, or maybe moreso for me, as it is for anybody reading this. Maybe in some ways this is my journal. That I don’t write in nearly often enough.

Where I’ve been

Over the years, I’ve seen a lot. Both in my career and my personal life. Personally, in the last couple of years, I’ve been streaming on Twitch. I have met some incredible people. I won’t be able to list everybody here, so I’m not going to try. Instead, thank you for being in my life. I love you just doesn’t seem like enough sometimes for how much I appreciate you, enjoy having you in my life, am grateful, and hope I can be as good as a friend to you as you’ve been to me.

Last year was the first year for as long as I can remember that I actually had friends around me for my birthday. I streamed cooking some of my favorite foods and so many people stopped by. Then I had a surprise party with friends in person. It was so wonderful. I’m even smiling with nostalgia thinking about it. It meant a great deal to me.

I have been through a lot. I don’t say that to be dramatic, but reflecting on where I’ve been, I realized I made it through difficulties that in the moment I didn’t think I would. Not always with the grace I wish, but I did. That included saddening attempts to date, deep depression, and anxiety. Friends have left me after taking advantage of me. Friends have died, some under suspicious circumstances.

“What doesn’t kill you makes you stronger” is a tired cliche a lot of us are tired of hearing and probably roll our eyes at. It can feel defeating and like it doesn’t encompass your battles. This can especially be true for those with battles like depression and anxiety where it feels like you are only getting by. But there is still truth to this cliche – if you let it. You can learn and grow from those sorrows and become stronger. Sometimes you’ll need to look harder, and sometimes you’ll find only a grain of sand instead of a fountain of knowledge. But if you’ll give me a little more leeway, that grain of sand can turn into a pearl of wisdom.

Yes, life is hard. Life is painful. But life can also be beautiful. It can be easy, even tempting, to allow the sorrows drown out the peace and happiness life can bring. But don’t let it. By working, we can grow.

In my career, I’ve worked at some pretty cool places and done some awesome things. I’m proud of how hard I’ve worked to get to where I am now. Not without mistakes of course, but I have accomplished a lot in my career. I’m mostly self-taught and have been able to teach and help others learn my craft.

Where I am now

For some reason, this was the hardest section for me to write. I don’t know why. So I hope I can offer something worth the read here.

I guess the most obvious first. I moved out of California after having lived there for nearly a decade. Part of me is a little sad. I liked most of my time there. It’s different here. It’s taking time to adjust. But I am liking the weather. Oh the weather. That was probably my biggest complaint, or one of, about California. It was almost always sunny. Especially in the LA area. I’ve been made fun of for saying that, but I’ve noticed a drastic change in my mood. Though I am still quite stressed about a new area, I feel better about the fact that there’s weather here.

I’m in a decent place in my career. The last few years saw a downturn in my happiness with my job and my career. I was second-guessing even remaining in this field. But I’m feeling better about it now.

Where I want to be

Looking forward with the things I’ve learned, there are things in my life that seem less important and things that are renewed in their importance to me.

Something that I’ve been firm on over the years is “stuff” just doesn’t make me happy. Oh sure, I like to have nice things, and maybe recently I’ve been too focused on having stuff to fill some voids, but those material things aren’t what bring me joy. And those voids won’t ever be filled by things. That isn’t to say I’m dumping everything, but as I’ve looked back in the past year, the things that have come and gone are the stuff – the material things that maybe temporarily made me happy but didn’t continue. I don’t intend to sound philosophical, but when I look at what makes me happy, and what I get nostalgic about, it isn’t stuff – it’s the friendships and connections.

Someday, ideally sooner rather than later, I’d like to get married. I’ll jump on a soapbox for a brief moment. Only briefly. I have never been in a relationship. I have never had my first kiss. As silly as that sounds (and saying it …), it’s a fact.

“You only want a relationship because that’s what society says.” “You should enjoy being single.” “Some people don’t get married until they are 60.” That boils my blood. You should never, ever, ever tell someone these things. I have been single my entire life, how about I try something new? I want a relationship for me and to share my life with someone. Not because someone else thinks so. Is it supposed to make me feel better that someone else got married later in life? Because I gotta be honest, it doesn’t. That makes a variety of assumptions: That assumes that’s what I want. That assumes I’m supposed to find comfort in that. That assumes that the other person wanted that. And on and on and on. It’s disgusting.

Okay, soapbox over.

I want to continue streaming. I want to be a streamer that people enjoy and feel safe and comfortable in the community. Truth be told, I’m scared. And sad. I keep making promises with the most honest of intentions of having a regular schedule again, or completing things on time and life gets in the way. I guess the meme is true? Life, uh, finds a way. Even if that way is to get in the way? I only half-joke, because it really does feel like things happen way more often than I think they should.

As I’m sitting here trying to quantify what it is I want out of life, I’m feeling pretty content overall. Sure, I’d like to be a homeowner and to have certain material possessions, for things to go better, and to make certain changes, like losing weight. But really, on a personal level, I want to share my life with someone. To have that romantic relationship. To have that personal, loving, pure relationship with someone. And I want to continue doing the things I enjoy, because I want to share what I love – cooking, games, laughter, dad jokes, and have fun while doing it. I won’t say nothing else matters, but this is me putting my money where my mouth is. What truly matters to me isn’t the material and the temporary. It’s the sharing of my love, my friendship, my kindness, and having those relationships, whether romantic or friendship, with others.

Things I’ve learned

In no particular order, here’s some things I’ve learned over the 30+ years I’ve been on this earth. You may have seen some of the posts I make from time to time on Twitter. Those posts stem from some of these lessons.

Lesson 1: It’s okay to be a bit selfish: focus on yourself

There’s a lot of conflicting messages these days around being selfish. Be selfless. Be selfish. Self-care. Put others first. My take on it is this: Yes, be selfless, but don’t overdo it. It can be easy to be swept up in the moment, especially when you are being truly selfless. Help others when you can. Cheer others up. Donate to charity. These are all good things. But don’t forget about you. Some people may call it being selfish. Maybe to an extent it is. But to get away from the subconscious undertones selfishness has, and hopefully better describe what I want to convey here, focus on you. Feel free to say “no, I can’t do that right now” from time to time. You can get drained, even when doing heartfelt, honest selfless acts.

It can be a difficult balancing act, but learning how to properly balance it leads to a better quality of life. You can call this “learning to say no” too I suppose. Whether you call this self-care or focusing on yourself, just remember that charity is a good thing, just as is taking care of yourself.

There was a post on Twitter not too long ago, mocking the self-care posts. I say mocking, because it was, but it had some truth to it. The takeaway is that self-care isn’t just taking a nice, hot bath while continuing to drink coffee to excess and having anxiety. Self-care isn’t staying up late playing games because you find it relaxing, only to be tired in the morning because you stayed up late. Self-care is realizing your whole self needs care. It’s not the moments where we find bubble baths comforting or taking a few hours to watch a movie or play games. There’s certainly nothing wrong with those moments, but it’s realizing that maybe we have too much caffeine and adjusting to feel better. It’s eating better so we have less sugar and don’t feel drained constantly. It’s realizing a bed time that’s not at 2AM is a good idea. It’s taking care of the chores that have piled up. Take care of yourself, your whole self. Then you can help others.

Lesson 2: Friends can be the best thing – but don’t be afraid to cut ties

I love my friends, dearly. Over the years, I’ve had some pretty good friends. But it wasn’t until recently that I realized that a good friend isn’t going to treat you like a rug. Well, I’ve always realized it. But I haven’t always had that. Or acted on that. That isn’t to say that I haven’t had some good friends – I have. Some friendships have been mutual friendships. But a lot weren’t. They’d take and take and take and leave me drained. And I’d keep giving, maybe not fully realizing why I was feeling so drained. When I came to Twitch about three years ago now, that’s when I finally realized I was getting taken advantage of and even if the people I met were hundreds or thousands of miles apart, I could have the quality friendships I was craving. For the first time in a long time, I was meeting people and making friends that put as much into the friendship as I did. And I was finding myself happier.

Again, that isn’t to say I didn’t have quality friendships before I came to Twitch. I did. But I in some ways took that for granted. I also had a number of friends who took advantage of my kindness. As much as it hurt, I cut those people from my life. Even on Twitch, there were those who wanted to take advantage of my kindness. But as strange as it may sound, now that I have the fulfilling friendships I wanted, I am also better able to see those who don’t want my friendship. Of course, not everyone I meet on Twitch or off is going to be that deep friendship that I want, and that’s okay. I’ve had to learn to accept that too.

Lesson 3: Family first, always

Whether friends are your family or your family is your family, put them first. At first, this may sound contradictory to “lesson” one, but it isn’t meant to be. Instead, despite working hard in a job, in school, or just deciding to keep to yourself, don’t lose your family.

“I’m sorry, I can’t. I have to spend time with the wife.” or “I can’t make it, I have to spend time with my parents.” or any number of excuses are perfectly okay. I say excuses for lack of a better word, but really don’t apologize for spending time with family. It’s important to keep those bonds. Family helps us stay centered. Family will be there when things fall apart.

Lesson 4: Kindness is not weakness

This one is a bit different from the others. It’s less a lesson I’ve learned, and more one I wish others to learn. I don’t say that to be condescending, but over the years, I’ve really been treated poorly. I’ve been bullied at school, at work, and even by some really close to me. When it comes to friendship, family, or dating, some people have taken my kindness as an open invitation to take advantage of me. That’s not okay.

The world needs more kindness and understanding. Don’t be so quick to take advantage of someone because they are being kind. The golden rule applies here, as it does everywhere else in life. Treat others as you want to be treated. Those who use kindness to communicate with the world around them are following the golden rule.

Lesson 5: Kindness is strength

“Wait, you just got done with this.” Sort of. What I’m trying to say here is that when it comes to being kind and caring, that’s something that can be, should be, and will be useful to uplifting others and yourself.

By using it to uplift others, you can demonstrate a strength of character and resolve that can break through the emotional walls that we all put up to protect ourselves from bullying, harassment, and the pains that this world sometimes causes and reach a fellow human being. Kindness is a pillar that builds our character. If you aren’t careful, you’ll not only tear others down, but yourself. It’ll be a vicious cycle.

In the end, love one another.

What’s in a version number?

You’re assessing a website. You get an HTTP response that looks like this:

HTTP/2.0 200 OK
content-type: text/html; charset=utf-8
expires: Sat, 01 Jan 2000 00:00:00 GMT
x-frame-options: DENY
x-powered-by: PHP/5.1.5
pragma: no-cache
strict-transport-security: max-age=15552000; preload
cache-control: private, no-cache, no-store, must-revalidate
date: Tue, 18 Jun 2019 04:28:37 GMT
X-Firefox-Spdy: h2

What do you report? If you’ve spent any time in Information Security, you’re probably eyeing that X-Powered-By header. You’d probably report that, right? But why? Why would you report it? Because of its presence in the response?

There’s a mixed bag here. I used to be one of those people that would say “oh no, hide the version number!” But what does that solve?

Put another way, you’d probably take that version number and look up known exploits for it, right? So why hide it? It doesn’t fix the problem. It just hides the problem, obscures it. The “security by obscurity” criticism applies here. By recommending that people hide the version number, we are encouraging security by obscurity while still beating the drum that it doesn’t work for everything else. So where did this come from?

I remember years ago PHP Group released a guide for hiding the version number, and even at one point openly stated that it was useless. This guide was released some 17 years ago. This was the earliest that I remember seeing something written about hiding and the value of hiding it. I do remember hearing the advice passed around (or rather seeing) on bulletin boards and probably even some books I had read. But nobody was talking about the value.

Let’s talk value.

Benefits:

  • Reveals less about the environment, slowing down attackers

Drawbacks:

  • Attackers are still going to keep probing and looking
  • Harder for IT/security/SEs to identify out-of-date software through scanning, such as Qualys, Nessus, and other tools in their environment
  • Doesn’t actually fix what is being reported – out of date software

To me, the drawbacks side is a clear win. Yes, I’m a little biased, having spent some time now in the enterprise and seeing things differently. However, the main reason I, and many others, used to recommend hiding the version number of ASP.NET, PHP, and others, was to reveal less about the environment and slow down attackers. There aren’t many other benefits that I can see, even if I try to sit here and think about them.

I think we all would rather people patch and keep updated on the stack they are using rather than hide the fact that they don’t have good patch maintenance.

What’s the version number actually telling you? “Hey, I’m here!” or “Hey, I’m here and I need patches.” We can exploit a lack of patches; simply being there, not so much. And if a lack of patches is exploitable, we can patch it.
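The defender-side use of that header is the point the drawbacks column makes: it is an inventory signal. The following is an added example (not from the post) that parses a raw response like the one above, pulls product/version pairs from the version-bearing headers, and compares them against a baseline; the baseline versions are placeholders for illustration, not real support dates.

```python
"""Inventory the software versions an HTTP response leaks and flag old ones.

Added example, not from the post. The BASELINE values are constructed
placeholders: a defender fills them in from their own patch policy.
"""
import re

# Constructed sample: the response shown in the post, trimmed.
SAMPLE_RESPONSE = """HTTP/2.0 200 OK
content-type: text/html; charset=utf-8
x-frame-options: DENY
x-powered-by: PHP/5.1.5
strict-transport-security: max-age=15552000; preload
date: Tue, 18 Jun 2019 04:28:37 GMT
"""

# Headers that commonly carry "Product/version" strings.
VERSION_HEADERS = ("x-powered-by", "server")

# Placeholder minimum acceptable versions (assumption, not real EOL data).
BASELINE = {"php": (7, 4)}

_PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")


def parse_headers(raw: str) -> dict:
    """Header names (lowercased) mapped to values; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def version_tuple(version: str) -> tuple:
    """'5.1.5' -> (5, 1, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def leaked_versions(raw: str) -> dict:
    """Product name (lowercased) -> version tuple for every version-bearing header."""
    found = {}
    headers = parse_headers(raw)
    for name in VERSION_HEADERS:
        for product, version in _PRODUCT_RE.findall(headers.get(name, "")):
            found[product.lower()] = version_tuple(version)
    return found


def outdated(raw: str, baseline: dict = BASELINE) -> list:
    """Products below the baseline. The fix is patching them, not hiding the header."""
    return sorted(p for p, v in leaked_versions(raw).items()
                  if p in baseline and v < baseline[p])
```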

Git secret surfing

One-liner to checkout all git revisions

git log --format=oneline | cut -d " " -f 1 > log.txt; for rev in $(cat log.txt); do mkdir $rev && git --work-tree=./$rev/ checkout $rev -- .;done;

Why? This will get you the ability to look through git history in a set of folders. This is especially useful when you need to find credentials that were removed from the current revision, but not changed. *cough*

Let’s break it down:

git log --format=oneline | cut -d " " -f 1 > log.txt

I’m asking for the commit log in a oneline format, piping to cut and asking for the first field.

for rev in $(cat log.txt)

Each revision is stored in log.txt for reference. We use this to loop through so that we can pass it to git.

do mkdir $rev && git --work-tree=./$rev/ checkout $rev -- .

For each revision in git, we are creating a directory with the name of the revision and then setting the work tree to that revision so that we can check it out.

Though it can stand to be improved, I did it this way for a couple of reasons:

  • Auditing: every revision is fully checked out, so each one can be navigated in place.
  • Easy grepping later.

Now that we have the full checkout for each revision, we can start grepping for what we want. Usually this is credentials, but really anything we want.

Downsides

As nice and fast as this is, we are missing a few things:

  • Branches
  • History changes (e.g. rebase)
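Here is an added example (not code from the post) in the same spirit as the one-liner that closes the branches gap: it walks every commit reachable from any ref plus local reflog entries, extracts each tree into its own directory via git archive (so the repository’s index is left untouched), and greps the checkouts with a couple of constructed secret patterns. The demo repository and the key value in it are constructed for illustration.

```python
"""Check out every reachable revision into its own directory and grep the
trees for secret-looking strings. Added example, not code from the post:
`git rev-list --all --reflog` covers all branches, tags and local reflog
entries, and `git archive` replaces the redirected work tree so the
repository's index is left alone.
"""
import io
import re
import subprocess
import tarfile
import tempfile
from pathlib import Path

# Constructed patterns for illustration; real scans carry a far larger rule set.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

def _git(repo: Path, *args: str) -> bytes:
    return subprocess.run(["git", "-C", str(repo), *args],
                          check=True, capture_output=True).stdout

def list_revisions(repo: Path) -> list:
    """Every commit reachable from any ref, plus local reflog entries."""
    return _git(repo, "rev-list", "--all", "--reflog").decode().split()

def checkout_all(repo: Path, out_dir: Path) -> list:
    """One directory per revision, named by commit id, holding that tree."""
    revs = list_revisions(repo)
    for rev in revs:
        target = out_dir / rev
        target.mkdir(parents=True, exist_ok=True)
        tar_bytes = _git(repo, "archive", "--format=tar", rev)
        with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
            try:
                tar.extractall(target, filter="data")  # refuses path escapes
            except TypeError:  # older Python without the filter argument
                tar.extractall(target)
    return revs

def grep_secrets(out_dir: Path) -> list:
    """(revision, relative path, pattern name) for each matching file."""
    hits = []
    for rev_dir in sorted(p for p in out_dir.iterdir() if p.is_dir()):
        for path in (p for p in rev_dir.rglob("*") if p.is_file()):
            text = path.read_text(errors="ignore")
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    hits.append((rev_dir.name, str(path.relative_to(rev_dir)), name))
    return hits

def demo() -> list:
    """Throwaway repo whose key was deleted in a later commit but never rotated."""
    work = Path(tempfile.mkdtemp())
    repo, out = work / "repo", work / "revs"
    repo.mkdir()
    ident = ["-c", "user.name=demo", "-c", "user.email=demo@example.invalid"]
    _git(repo, "init", "-q")
    (repo / "config.py").write_text('AWS_KEY = "AKIACONSTRUCTEDKEY00"\n')  # constructed
    _git(repo, "add", "."); _git(repo, *ident, "commit", "-q", "-m", "add key")
    (repo / "config.py").write_text('AWS_KEY = "<from environment>"\n')
    _git(repo, "add", "."); _git(repo, *ident, "commit", "-q", "-m", "drop key")
    checkout_all(repo, out)
    return grep_secrets(out)
```

The hit from demo() names the older commit only: the key is gone from HEAD but still sits in history, which is exactly the case the one-liner is for.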

Alternatives

I’ve come to really, really, really like Trufflehog. It too has its downsides I’ve discovered. Namely, it produces either a human-readable format that is friendly for the terminal (color codes and all) or a machine-readable format in the form of a JSON file. You’ll then need to write code to parse it. But Trufflehog is in Python (yay!) and extensible. This takes the hard work out of ensuring you manage searching across everything.

But there are plenty of juicy things to be had, stored in version control.