Sunday, August 18, 2013

Rooting Samsung Galaxy S2 I9100 XWLSW Android 4.1.2 stock firmware

These are more just notes for myself, but maybe someone else will find it useful.

So I got a Samsung Galaxy S2 I9100 to play with. It had Android 4.0.4 (Ice Cream Sandwich) on it, which was pretty easy to root with CF-ROOT, but I wanted to use the latest official Android firmware for this phone, which at the time of this post is Android 4.1.2 (Jelly Bean).

Auto-update was not an option, since I had CF-ROOT on it, so I had to find a stock firmware and use Odin for the update. Getting a stock firmware was the easy part; you can get it, for example, here: http://samsung-updates.com/. In my case I needed one from here: http://samsung-updates.com/device/?id=GT-I9100, and for me it was I9100XWLSW.

So you just download and extract the files, and use Odin3_v1.85 to flash the stock firmware. You can easily find a how-to on this, but here's one for example: http://theunlockr.com/2013/04/09/how-to-unroot-the-samsung-galaxy-s2/

Next, rooting 4.1.2. Again, lots of how-tos can be found on this too, but most of them suggest using Odin3_v3.07. Well, when I tried it, SuperSU was not installed correctly and the whole system got a little slow, so I tried with Odin3_v1.85 and it worked like a charm.

So basically you can follow this how-to: http://www.teamandroid.com/2013/07/28/root-xwlsw-android-412-galaxy-s2-i9100-stock-firmware/ but instead of Siyah-s2-v6.0b4.tar I would recommend using SiyahKernel S2-v6.0beta5, which you can find here: http://d-h.st/frK.

And that's all! Happy hacking!

Wednesday, August 14, 2013

Cyberlympics 2013 Round 3 summary and results

So Round 3 is over. It was pretty much the same as last year: a VPN connection into a network with the target machines, two BackTrack boxes as pentest machines, and about 3 hours to flag / report as many systems and findings as we could. :)


Just real quickly, one possible way to flag each machine was this:
  • 192.168.150.10 (STEVE-WORKSTATION) - Metasploit: exploit/windows/smb/ms08_067_netapi >> SYSTEM
  • 192.168.150.20 (GREG-WORKSTATION) - greg reused his password (same password as on 192.168.150.30), world-readable /etc/shadow, the udev user's password hash was cracked, the udev user was in sudoers >> root
  • 192.168.150.30 (STATLER) - Metasploit: exploit/windows/smb/ms08_067_netapi >> SYSTEM
  • 192.168.150.40 (ANIMAL) - Metasploit: exploit/linux/mysql/mysql_yassl_getname or exploit/linux/mysql/mysql_yassl_hello >> root
    Not sure which exploit is the one, because we tried it the hard way: the mysql root user had the password "password" and we tried writing files with it.

The jump host was 192.168.150.10 (STEVE-WORKSTATION); 2 more machines were accessible from there:

  • 10.100.1.50 (WALDORF) - ??? No one managed to pwn this machine in the European round! (If you know what the way to pwn it was, please comment!)
    UPDATE: Thanks to San's comment, the solution was: log into the box with steve's (or greg's) credentials and then escalate privileges with a kernel exploit >> root
  • 10.100.1.60 (FOZZIEBEAR) - Metasploit: exploit/windows/smb/ms04_011_lsass >> SYSTEM

Other artifacts were things like: user password hashes, sensitive information in text files, SSH keys, missing patches, etc.

I also made screenshots of the last moments of the finals:

Unfortunately, this was not enough for us to get into the finals. We ended up in 5th (?!) place (we are still trying to figure out how), but the end result of European Round 3 was:

1. SectorC – Netherlands
2. Pruts.ERS – Netherlands
3. PRAUDITORS – Hungary
4. nanosloopers – United Kingdom
5. gula.sh – Hungary
6. Hack.ERS – Netherlands

Of course we were a bit sad, but hey, it's only a game. We had fun, and we will try again next year for sure ;)

Friday, August 2, 2013

Regular expressions for IPv4 addresses and CIDR ranges

I needed these recently, and I thought it might be useful for someone else too.

IPv4 address:
((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)

IPv4 CIDR ranges:
((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)/(3[0-2]|[1-2]?[0-9])

Both patterns accept each octet from 0 to 255 without leading zeros, and a prefix length from 0 to 32. Note that they are not anchored: when validating a whole string, wrap them in ^...$ (or use your regex engine's full-match function), otherwise 256.1.1.1 still yields the match 56.1.1.1. The CIDR pattern only checks the syntax; it does not check that the host bits are zero, so 10.0.0.1/24 passes it as well.
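A small Python harness, added here as an example and not part of the original post, that compiles the two patterns above exactly as written and shows the difference between an anchored whole-string check, an unanchored search, scanning free text with guard lookarounds, and a strict network check via the standard ipaddress module. The sample strings are constructed for the example; the re.ASCII flag is used because in a Python 3 str pattern \d would otherwise also match non-ASCII decimal digits.

```python
import ipaddress
import re
from typing import List, Optional

# The two patterns from the post, verbatim.
IPV4_PATTERN = r"((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
CIDR_PATTERN = IPV4_PATTERN + r"/(3[0-2]|[1-2]?[0-9])"

# re.ASCII pins \d to [0-9]; without it a Python 3 str pattern's \d also
# matches non-ASCII decimal digits such as U+0661 (Arabic-Indic digit one).
IPV4_RE = re.compile(IPV4_PATTERN, re.ASCII)
CIDR_RE = re.compile(CIDR_PATTERN, re.ASCII)

# For scanning free text: refuse matches glued to other digits or dots, so
# "256.1.1.1" does not yield "56.1.1.1" and "1.2.3.4.5" yields nothing.
IPV4_IN_TEXT_RE = re.compile(r"(?<![\d.])" + IPV4_PATTERN + r"(?![\d.])", re.ASCII)


def is_ipv4(s: str) -> bool:
    """Whole-string check; fullmatch supplies the anchors the raw pattern lacks."""
    return IPV4_RE.fullmatch(s) is not None


def is_cidr(s: str) -> bool:
    """Syntactic check only: dotted quad plus a prefix length of 0-32."""
    return CIDR_RE.fullmatch(s) is not None


def is_network(s: str) -> bool:
    """Stricter check: also requires the host bits to be zero (10.0.0.1/24 is rejected)."""
    if not is_cidr(s):
        return False
    try:
        ipaddress.ip_network(s, strict=True)
    except ValueError:
        return False
    return True


def search_unanchored(s: str) -> Optional[str]:
    """What re.search does with the bare pattern: on "256.1.1.1" it returns "56.1.1.1"."""
    m = IPV4_RE.search(s)
    return m.group(0) if m else None


def find_ipv4(text: str) -> List[str]:
    """Extract addresses from free text using the guarded pattern."""
    return [m.group(0) for m in IPV4_IN_TEXT_RE.finditer(text)]


def matches_without_ascii_flag(s: str) -> bool:
    """Same pattern compiled without re.ASCII, to show the Unicode-digit pitfall."""
    return re.fullmatch(IPV4_PATTERN, s) is not None


if __name__ == "__main__":
    # Constructed sample line (not from the post).
    sample = "host 10.1.2.3 talked to 256.1.1.1 and 10.1.2.3/24 and 1.2.3.4.5"
    print(find_ipv4(sample))                                  # ['10.1.2.3', '10.1.2.3']
    print(search_unanchored("256.1.1.1"))                     # 56.1.1.1
    print(is_cidr("10.0.0.1/24"), is_network("10.0.0.1/24"))  # True False
```

If you only need to validate input rather than scan text, ipaddress.ip_address / ip_network alone is simpler and stricter; the regexes earn their keep when grepping addresses out of logs, where the lookaround guards matter.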