Google Dork; WordPress debug.log

This is an epic sigh, failure moment.


According to the documentation, WordPress can be set up (via WP_DEBUG_LOG) to write debugging output to a file when issues are encountered inside the software. All well and good, I’d expect that. What I wouldn’t expect is for the file it dumps the data into – wp-content/debug.log – to be WORLD READABLE over the web!

But I suppose this is WordPress, and they’re well known for doing dumb shit like this constantly.

Google Dork: https://google.com/search?q=inurl:wp-content/debug.log

If you run WordPress, please make sure this file is not world-readable – protect it in your Apache/Nginx/IIS config – and don’t rely on it not showing up in a directory listing!
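As an added example (not from the original post), here is a small POSIX shell script that does what the paragraph above asks for on an Apache-served install: it adds an .htaccess rule denying every HTTP request for wp-content/debug.log, drops the world-read bit on the file, and then checks the result. It assumes Apache 2.4 with AllowOverride enabled for the document root; the document root is passed as an argument and the nginx equivalent is given in a comment.

```shell
#!/bin/sh
# Added example (not from the original post). Hardens wp-content/debug.log on an
# Apache-served WordPress install: deny HTTP access with an .htaccess rule and drop
# the world-read bit on the file. Assumes Apache 2.4 with AllowOverride enabled for
# the document root. The nginx equivalent is a server-block rule such as:
#     location ~* /wp-content/debug\.log$ { deny all; }

# Append an .htaccess rule next to debug.log so the web server refuses every
# request for it (only once, so re-running the script does not duplicate it).
deny_debug_log() {
    docroot="$1"
    dir="$docroot/wp-content"
    [ -d "$dir" ] || { echo "no wp-content directory under $docroot" >&2; return 1; }
    if ! grep -qs 'debug.log' "$dir/.htaccess"; then
        cat >> "$dir/.htaccess" <<'EOF'
# Never serve the WordPress debug log over HTTP (Apache 2.4 syntax).
<Files "debug.log">
    Require all denied
</Files>
EOF
    fi
    # Belt and braces: PHP created the file as the web server user, and nobody
    # else on the box needs to read it.
    if [ -f "$dir/debug.log" ]; then
        chmod 600 "$dir/debug.log"
    fi
}

# Exit 0 if debug.log is absent or not world-readable, 1 if anyone can read it.
debug_log_is_private() {
    f="$1/wp-content/debug.log"
    [ -f "$f" ] || return 0                 # nothing on disk, nothing to leak
    [ -z "$(find "$f" -perm -o=r)" ]        # -perm -o=r matches the "other" read bit
}

# Usage: sh harden-debug-log.sh /var/www/html
if [ $# -gt 0 ]; then
    deny_debug_log "$1" && debug_log_is_private "$1" && echo "debug.log protected"
fi
```

The .htaccess route only works where Apache honours per-directory overrides; on a server with AllowOverride None the same `<Files>` block belongs in the vhost config. Newer WordPress releases also accept a file path in WP_DEBUG_LOG, so the cleanest fix is to point the log outside the web root altogether.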

I’ve submitted this to exploit-db and their Google Hacking database.

Belgian Saison, with Brettanomyces

After really enjoying the last “vanilla”(i.e. Saison yeast only) Belgian Saison I brewed, I took more of a dive into the commercial beers available in this style. There are a range of reasonably common Belgian Saisons available here; De Ranke and Dupont to name a couple, and a few from American breweries like Golden Road can be found occasionally along side Australian breweries like Bridge Road Brewers who are now also dabbling in the funkier end of the spectrum.

Unfortunately I’ve not yet had the guts to spend $35+ AUD on the bottles of Jester King that are available here, though I’m sure they will be awesome.


Sentraq S60x – Massdrop

Picked up this awesome little keyboard recently via Massdrop. Typically it took a while to get here, but it’s everything I wanted 😀


I wanted clicky keys so I picked Cherry Blues. Yep. It’s clicky! Very clicky! Such a pleasurable experience typing on it. Anyway it’s billed as ‘entry level’ but Massdrop unfortunately don’t provide anything in the way of instructions or anything to assist in building or flashing firmware.

Luckily I found some images on geekhack which helped with mounting the stabilisers. The key is to do these FIRST, before you start soldering, or you’re in trouble… Also, make sure you click the wire bit into the plastic bit (if you build the kit, you’ll see what I mean) or you’ll be in a world of pain.

Next… Flashing. If you’re like me and use Linux at home, you’ll need to do this – especially if you use ‘vi’ – as the default firmware doesn’t have an ‘esc’ key mapped! That makes exiting vi, err, tricky.

To flash a new layout on Linux:

1. Install dfu-programmer via your favourite package manager.
2. Connect the keyboard. Hold the button for 5 seconds.
3. ‘lsusb’ should show the keyboard in DFU bootloader mode:
   Bus 003 Device 020: ID 03eb:2ff4 Atmel Corp. atmega32u4 DFU bootloader
4. sudo dfu-programmer atmega32u4 erase
5. sudo dfu-programmer atmega32u4 flash <your .hex file>
6. sudo dfu-programmer atmega32u4 reset (or, unplug and replug – worked ok for me)
7. Done
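As an added example, not from the original post, here is a shell wrapper for the steps above that checks the ‘lsusb’ output for the 03eb:2ff4 ID from step 3 before it erases anything, and refuses a missing or non-.hex file rather than handing it to the programmer. LSUSB_CMD and DFU_CMD are hypothetical environment overrides so the script can be exercised without the keyboard attached.

```shell
#!/bin/sh
# Added example (not from the original post): a guarded version of the flashing
# steps. It refuses to erase the controller unless lsusb actually shows the board
# in DFU bootloader mode, and checks the .hex file before touching the hardware.
# 03eb:2ff4 is the ID shown by lsusb in the post. LSUSB_CMD and DFU_CMD are
# hypothetical overrides (default to the real tools) used for dry runs and tests.

DFU_ID="03eb:2ff4"                       # Atmel atmega32u4 DFU bootloader
LSUSB_CMD="${LSUSB_CMD:-lsusb}"
DFU_CMD="${DFU_CMD:-dfu-programmer}"

# Return 0 if the given lsusb output lists the atmega32u4 DFU bootloader.
in_dfu_mode() {
    printf '%s\n' "$1" | grep -q "ID $DFU_ID"
}

# Erase, flash and reset, in that order. Aborts early with a message instead of
# erasing a board that is not in bootloader mode or flashing a bogus file.
flash_layout() {
    hex="$1"
    case "$hex" in
        *.hex) ;;
        *) echo "expected a .hex file, got: $hex" >&2; return 2 ;;
    esac
    [ -f "$hex" ] || { echo "no such file: $hex" >&2; return 2; }
    if ! in_dfu_mode "$($LSUSB_CMD)"; then
        echo "keyboard not in DFU mode; hold the button for 5 seconds and retry" >&2
        return 1
    fi
    "$DFU_CMD" atmega32u4 erase          || return 1
    "$DFU_CMD" atmega32u4 flash "$hex"   || return 1
    "$DFU_CMD" atmega32u4 reset          || return 1   # or unplug and replug
    echo "flashed $hex"
}

# Usage: sudo sh flash-layout.sh my_layout.hex
if [ $# -gt 0 ]; then
    flash_layout "$1"
fi
```

Run it with sudo, as in the steps above, since dfu-programmer needs raw USB access to the device; the erase step is the irreversible one, so the DFU-mode check sits directly in front of it.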

DEFCON 2017

Yes, I said 2017. DEFCON 2016 hasn’t even happened as yet, but the Mrs has given approval for me to attend DEFCON 2017!

So, now to commence saving and researching flights, transfers and accommodation.

I’d like to fly over a few days before and spend some time in San Francisco, then drive down to Las Vegas over the course of a day and a bit for DEFCON. After the conference I’m likely to be pretty tired – so will probably fly from Las Vegas to Los Angeles, then home again.

Lots of flying… But I’m sure it’ll be awesome!

Bellini Supercook Yumi Wi-Fi. The (in)security Perspective.

Oh, IoT. Internet of Things. How promising you are. Like most geeks I’ve dreamed of having everything electronic I own connected to the Internet. Ever since seeing the NetBSD Toaster online in 2005, my own mind, and that of other developers, has clearly wandered into areas we never thought possible previously.

But, as anyone with any interest in Security will already be acutely aware of, the actual security of the software running on many of these things is, to put it lightly, COMPLETELY AND ABSOLUTELY TERRIBLE!

We were provided a beta device for assessment of the operation, and one of the things we said to the manufacturer at the time was that we would perform a security assessment of the device and provide our findings to them.

We did that. They went silent. I have no idea if any of this is resolved, or will ever be. We have reached out to the vendor to find out if they have resolved these issues. At the time of writing, we are running the same firmware version as the latest available on Supercook.me.

Read on for my full assessment of the Supercook Wi-Fi Yumi security.


What the hell just happened! Did you just get PWND?

So, if you’ve been following this blog for a while (there aren’t many, but I do know of a couple) you may have just seen a whole bunch of infosec/ctf/hacking-related content added to the site.

No, my blog hasn’t been hacked.

No, I’m not a skript kiddie.

No, I don’t illegally access sites or servers I don’t have permission to access.

Yes, I do consider myself a hacker – but in the true sense of the word. Someone who uses hardware and software for purposes they were not originally designed for. Not the meaning of the word used by the media – someone who accesses systems illegally.

Yes, I do operate a small Information Security group – aimed at fostering knowledge and understanding of information security issues.

Yes, I am involved with assessing security of software as part of my full-time software development role.

Yes, I often undertake CTF challenges on the weekends.

Yes, I am aiming to move into a role with more involvement in Information Security in the future.

No, I will not hack your ex-girlfriend’s Facebook, and nor do I know anyone who can.

I was starting to operate a small blog hosted on WordPress.com to host all my CTF and security related content, but it was then becoming a little annoying to have this blog sitting here, only hosting brewing content. I can’t see a reason why it can’t do both, so I imported all the images and content over here.

So, from here on there won’t be ONLY homebrewing posts, I’ll be posting on information security related topics too. There are a stack of homebrewers who are in the IT industry too, so I think that content will also be kind of interesting for some of you anyway. Likewise, InfoSec people are often basically functioning alcoholics too – so they’ll probably get something from the homebrewing content too 🙂

Enjoy!

Urrrrrgh…. OSMC/Kodi. Default passwords. Unprotected credentials. Default directories.

We run Kodi/OSMC on Raspberry Pi’s in our house, as media players. They work brilliantly. Give them a stable power supply, and they run forever.

But, last night and tonight I needed to get access to it via the shell to repair a plugin which fails to work properly.

OSMC has a default username and password.
It has a default directory.
Plugin and account passwords are in clear-text.

So… it would take perhaps half an hour for someone to write some Python code which checks for the defaults and raids the system for the usernames and passwords…

Red Team Engagements

I just LOVE this video! It’s coverage of RedTeam Security doing a Red Team engagement on a small US Power Company.

This has completely confirmed my desire to move into a hands-on white-hat penetration testing career (having spent the past 15 years as a developer and sysadmin), and it was a major driver for me to start doing CTF challenges before I get into doing the Offensive Security Certified Professional certificate, via the Pentesting with Kali course.