INTEL-SA-00213 Detection Script – Done!

It’s been fun and educational putting my INTEL-SA-00213 Detection Script together: first writing it, refining it, adding SMB logging, getting feedback from the Reddit PowerShell folks, learning about PSScriptAnalyzer, and so on. But there comes a point where it’s time to walk away from something. This little tool does everything I need. I could tweak it, add features, and obsess further, but why? What good would come of it? It’s been a neat little project, but it’s done.

INTEL-SA-00213 detection script

I learned a good deal during this, so for my own mental retention, and to share it, let’s recap. There is a preferred order in which to arrange comment-based help. Temporary files are best handled using $env:TEMP and New-TemporaryFile. Don’t bother writing Mandatory=$true or Mandatory=$false in parameter attributes: a bare Mandatory means $true, and $false is the default. Use Write-Debug as a form of commenting instead of pure comments, as it has the added benefit of automatically adding -Verbose functionality. When validating a web path in a parameter, use the -Method Head option of Invoke-WebRequest so the file isn’t downloaded twice.

This was also my first project built fully in Visual Studio Code and GitHub, which I now love; I will never go back to my old way of version control. (Which was, admittedly, kludgy and stupid…)

All in all, a fun exercise which produced a tool that I will be using to check for and mitigate live vulnerabilities. If you use it let me know, I’d love to hear how it works out for you. If you want any new features or changes, I’d be happy to do that as well.

Here’s the link to get the script.
https://github.com/pyrrh1c/Get-CsmeVulnerabilityStatus


INTEL-SA-00213 Detection Script – Added SMB Logging

Following up on yesterday’s post about my INTEL-SA-00213 detection script, I’ve added some logging functionality. It’s rudimentary, but effective. Pass a valid -LogDir argument and it will generate a results.txt file. The file contains the hostname and the output, separated by a comma. The script uses Add-Content, so it can be run from multiple hosts and the results will be appended to the existing content.

INTEL-SA-00213 Detection Script

I plan to make the output file customizable via an argument as well, and I still need to tie this thing into SCCM. As it stands right now, though, version 2.0 or 2.2 could easily be used as a GPO startup script.

This is rapidly becoming more than just a utility script. I’ve never drilled this deep into parameters before and am learning quite a bit. It’ll be good to keep adding more functionality until I’ve got this thing well baked and I’ve learned as much as I can from it.

Anyway, if anyone is interested, here’s a link to the GitHub repository. I’m always looking for ideas and feedback!

Advisory Page

Security Update Page

CSME Detection Tool

INTEL-SA-00213 Detection Script

So CVE-2019-0090 / INTEL-SA-00213 looks rather ugly, especially given that there is no software fix available. So I need to see if any of my nodes are affected. To that end I’m putting together a quick-and-dirty PowerShell script to make scanning easier. As of now it can automatically download the Intel detection utility from a custom HTTP(S) location or from SMB, then run it and report the results.

In the next day or two I’m going to add the ability to log to a remote location and build out a SCCM package and hardware report.

For now you can pass the -DownloadFromWeb or -DownloadFromSMB arguments to tell the script how you’d like to obtain the file. You can also specify -WebURL and -SmbPath to tell the script to download from custom locations. By default the script will download the Intel utility directly from Intel. Stay tuned for updates.

If anyone is interested, here’s a link to the GitHub repository. I’m always looking for ideas and feedback!

Intel Advisory page

Intel security update page

Intel CSME Detection Tool
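Added illustration tying together the three posts above (the -DownloadFromWeb/-DownloadFromSMB/-WebURL/-SmbPath arguments, the -LogDir results.txt logging, and the HEAD-request validation and New-TemporaryFile lessons); this is example code, not the author’s Get-CsmeVulnerabilityStatus script. It assumes a signed single-executable detection tool, uses a placeholder default URL, and uses Write-Verbose for the trace lines.

```powershell
# Added illustration, not the author's Get-CsmeVulnerabilityStatus script. The default
# URL is a placeholder and the detection tool's output is treated as opaque text.
function Get-CsmeToolResult {
    [CmdletBinding(DefaultParameterSetName = 'Web')]
    param(
        [Parameter(ParameterSetName = 'Web')]
        [switch]$DownloadFromWeb,
        # -Method Head confirms the URL answers without downloading the file twice
        [Parameter(ParameterSetName = 'Web')]
        [ValidateScript({ (Invoke-WebRequest -Uri $_ -Method Head -UseBasicParsing).StatusCode -eq 200 })]
        [string]$WebURL = 'https://example.invalid/placeholder-csme-detection-tool.exe',
        [Parameter(ParameterSetName = 'SMB')]
        [switch]$DownloadFromSMB,
        # A bare Mandatory is enough; Mandatory=$false is already the default elsewhere
        [Parameter(ParameterSetName = 'SMB', Mandatory)]
        [ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })]
        [string]$SmbPath,
        # Optional directory that receives the comma-separated results.txt
        [ValidateScript({ Test-Path -LiteralPath $_ -PathType Container })]
        [string]$LogDir
    )
    # New-TemporaryFile creates a .tmp under $env:TEMP; rename it to .exe so it can run
    $tmp = New-TemporaryFile
    $exe = [System.IO.Path]::ChangeExtension($tmp.FullName, '.exe')
    Move-Item -LiteralPath $tmp.FullName -Destination $exe -Force
    try {
        if ($PSCmdlet.ParameterSetName -eq 'SMB') {
            Write-Verbose "Copying detection tool from $SmbPath"   # printed with -Verbose
            Copy-Item -LiteralPath $SmbPath -Destination $exe -Force
        } else {
            Write-Verbose "Downloading detection tool from $WebURL"
            Invoke-WebRequest -Uri $WebURL -OutFile $exe -UseBasicParsing
        }
        # Refuse to run a binary that is not validly signed by its publisher
        if ((Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') {
            throw "Downloaded tool is not validly signed: $exe"
        }
        # Run the tool and capture everything it prints (stdout and stderr) as one string
        $output = (& $exe 2>&1 | Out-String).Trim()
    } finally {
        Remove-Item -LiteralPath $exe -ErrorAction SilentlyContinue
    }
    if ($LogDir) {
        # Add-Content appends, so many hosts can write to one results.txt on a share
        $line = '{0},{1}' -f $env:COMPUTERNAME, ($output -replace '\r?\n', ' ')
        Add-Content -LiteralPath (Join-Path -Path $LogDir -ChildPath 'results.txt') -Value $line
    }
    return $output
}
```

Calling it as Get-CsmeToolResult -DownloadFromSMB -SmbPath '\\server\share\tool.exe' -LogDir '\\server\share\logs' -Verbose from a startup script gives one appended hostname,output line per machine.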

HTB Postman

I spent far too long trying to enumerate this one… But I learned a good deal about a system I’ve never touched before, which is always a good thing. Once I got a foothold the rest was fairly quick to fall into place. Overall I liked it. I will be putting together a walkthrough video of this one for sure.

Beating My Head Against A Wall

Hacking things is an amazingly fun pastime. But also maddening sometimes. It’s now hour 8 of trying to crack “Postman” on HTB. I know what I need, but can I figure out how to get that thing? Nope. But, like most of the things I do, I’ll keep going because I know at the end it will be worth it. That feeling of accomplishment is like nothing else. This thing isn’t going to solve itself, so back to work!

Halting the Compiler in Image Based PHP Attacks

So I’m working on a VM that looks to be exploitable via image upload.

It’s running Apache and PHP, and has a custom-made “upload image” form that leaves the images in a gallery. Should be easy enough, even for someone as inexperienced as me.

Well, today I learned not to use __halt_compiler() in an image-based reverse shell attempt, when I accidentally crashed PHP. Once the image was uploaded it instantly crashed every page that loaded that image. DOH. As an upshot, I suppose this proves the PHP code is working though. Back to it.

If you’d like to try an attack like this, there’s currently one on Hack The Box, I believe.

Ricing Kali Linux – Part 2

Foreword

In this tutorial we will cover installing i3-gaps, the urxvt terminal emulator, feh, wal, and rofi. It’s assumed you went through part 1. If not, you may want to go read that now.

Installing i3-gaps
Logging into i3

I’m not a fan of re-inventing the wheel. There’s a wonderful how-to for installing i3-gaps on Ubuntu that works well for Kali. Head over and follow it, then come back… Done? Great. Now reboot. At the login screen enter the username, then after hitting Next you’ll see a gear.

You’re now logged into the i3 window manager. This is a different world than most window managers.  You will be very VERY well served by learning the basic commands and what they do. Take a few minutes to go over the i3 Reference Card and learn how to open up new terminal windows.

Notice the Red Error

So you have probably noticed the ugly red error message by now. That’s a result of the i3 status bar being referenced, but not installed. There are several options available for status bars (i3bar, polybar, lemonbar, etc.); in this series we will just add the basic status bar for now. Maybe polybar later. We’ll see.

The i3 Status Bar

So go ahead and open a terminal window (usually by hitting [alt] + [enter]) and enter the following command: apt install i3status. Once that’s done, log out ([alt] + [shift] + [e]) and back in. You should now see the red/white/green status bar. i3 is now ready to go in its most basic form.

Replace the default console app with URXVT

The default terminal doesn’t offer much flexibility, so I like to replace it. My terminal of choice is URXVT. Install the URXVT terminal by running apt install rxvt-unicode.

Taking a Snapshot
Take a Snapshot!

Things are about to start getting messy. Snapshot now or proceed at your own peril. 😉

Make URXVT the Default Terminal in i3

I’ll assume you know how to edit text files in Linux. If not, here’s a link to using vi. I won’t lie though, if you are trying to rice Kali Linux and you don’t know how to edit a text file, I genuinely wonder how you ended up here. 😉

The URXVT Terminal Window

Anyway, edit the i3 config file, which is ~/.i3/config. In there, find the line "bindsym Mod1+Return exec i3-sensible-terminal" and replace it with "bindsym Mod1+Return exec /usr/bin/urxvt". Once it’s saved, exit out of all terminal windows and reload the i3 config by pressing [alt]+[shift]+[r].

Remove the URXVT Scroll Bars and Apply Transparency

Create the file ~/.Xdefaults, and in it enter the following lines to get rid of the scrollbar and apply transparency (note the capital “B” in scrollBar!):
URxvt*scrollBar: false
URxvt*transparent: true
URxvt*shading: 40

Install feh to Add a Wallpaper

Download a wallpaper you like, and save it somewhere easy to access.

Wallpaper By Dean Ashley on ArtStation

(I’ll leave how you download it up to you…) I usually put it in /wallpapers and name it wallpaper.png or something similar. Install feh by running apt install feh. Once it’s done, edit your ~/.i3/config file to add the following line:
exec --no-startup-id feh --bg-scale '/wallpapers/wallpaper.jpeg'
You now have a scaled background each time you log in. That said, the text is kind of an odd color. Let’s fix that.

Install and Configure PyWal
Terminal Colors Changed with PyWal

Running feh without pywal can make for some ugly (and possibly unusable) color schemes for the terminal. To fix that we use PyWal. Install python3-pip by running apt install python3-pip, then install pywal by running pip3 install pywal. Once that’s done, add the following lines at the end of your .bashrc (according to the documentation you should put this in the .i3/config file, but it NEVER LAUNCHES FOR ME!!!):
wal -i /wallpapers/wallpaper.jpeg
clear

Tighten up Those Gaps!

The tutorial is good, but I prefer a smaller gap.

So edit your ~/.i3/config file and update the following lines:
gaps inner 10
gaps outer 0

Wrapping Up

We made some serious progress here. We installed i3, the i3 status bar, URXVT, feh, and PyWal. We also configured some transparency and colors. Stay tuned for Part 3, where we’ll dig a little deeper and install rofi, polybar, and other fun stuff!

Light Probe – More Woodworking

Got into the shop and (crudely) built out the next part of the light arm. I have a seemingly endless supply of scrap 3/4″ plywood lying around, so that’s what I used. I made the lower part of the rotating mechanism 10 cm square, then rounded the corners for effect. The vertical part of the rotating mechanism is a simple 10 cm by 12 cm. I recessed the servo just like last time. Finally, I attached a 1/2″ x 1/2″ piece of scrap basswood to the vertical-axis servo. Ugly as sin, but it works well enough.

Here you can see the unit disassembled into its two pieces. To assemble it I just slide the servo horn onto the shaft.


Here’s the unit assembled. The top portion spins on the X axis and the arm spins on the Y axis. I’m going to attach the photoresistors to a mechanism at the end of the arm.


That’s it for now.

Light Probe – Small Adjustments

Spent a few hours addressing some odds and ends today. Got the “enter” key working from the CLI entry textbox. It now actually runs the command when you hit enter, then clears the entry textbox. I also added a CLI command to display the LCD address. SHOW-LCDADDRESS is working as expected.

I made the LCD settings variables (address, total rows, total columns). This was done as a best practice, to make it easier to use different LCDs later.

The functions in the Arduino code were moved around into a more logical sequence. This doesn’t affect code flow, but it does affect readability.

Latest build here.
Latest source code is on GitHub.
I’m on Twitter.

Light Probe – Time For A (Mega) Upgrade

So as this project has grown, I’ve started to see memory warnings in the IDE: “Low memory available, stability problems may occur.” I didn’t think too much about it until today, when I kept running into weird issues where stable code just wouldn’t run correctly. For example, printNextline() would only print half the output of the line (WTF?), and likewise parseAndExecuteCommands(). After spending an embarrassingly long time picking through the code looking for the problem, I decided to actually use the shiny new Mega 2560 I bought the first time I saw the command and put that baby into production.

Learned that the Mega is not a straight pin-for-pin match for the Uno. The Mega has dedicated SDA/SCL pins (sweet), and for whatever reason the LCD2004 has a different address on the Mega than on the Uno: 0x37 and 0x3f respectively. That said, after I got the conversion done it’s running smoothly again.
