{"id":231,"date":"2012-10-01T00:51:13","date_gmt":"2012-10-01T00:51:13","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=231"},"modified":"2014-07-31T22:46:05","modified_gmt":"2014-07-31T22:46:05","slug":"tenable-nessus-appsec-interview-spoilers","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2012\/10\/tenable-nessus-appsec-interview-spoilers\/","title":{"rendered":"Tenable Nessus Appsec Interview Spoilers"},"content":{"rendered":"

Hello everyone,<\/p>\n

Today we will be going over the answers to the test offered by Tenable \/ Nessus when you interview with them to be an appsec guy. I was told I was the first to ace all 3 tests, so I might as well be the first to spoil all 3 tests.
\n\"\"<\/a><\/p>\n

What they want is a hash which is provided at the end of the test. It’s 01b689a06ed6be8c01434eb92101d092<\/p>\n

Of course you can’t just hand em the hash, you should tell them how you solved the challenges. Here is how:<\/p>\n

Question 1)
\nSolved by a nullbyte after index.php ie: http:\/\/restest.tenable.com\/?f=index.php%00
\nlook at blank source for this:
\n<\/p>\n

\n
<?php<\/span>\r\n\/*<\/span>\r\n * Great, you made it! That's already one challenge you knocked out ;)<\/span>\r\n *<\/span>\r\n * Please go to http:\/\/restest.tenable.com\/497c189133bcdd0f24bd11710e630420.html for the next<\/span>\r\n * one!<\/span>\r\n *<\/span>\r\n *\/<\/span>\r\n\r\n$file<\/span> =<\/span> $_REQUEST<\/span>["f"<\/span>];\r\nif<\/span> ( !<\/span>isset<\/span>($file<\/span>) )\r\n{\r\n header("Location: http:\/\/restest.tenable.com\/?f=main"<\/span>);\r\n exit<\/span>(0<\/span>);\r\n}\r\n\r\n$file<\/span> =<\/span> $file<\/span> .<\/span> ".txt"<\/span>;\r\nif<\/span> ( strstr($file<\/span>, "\/"<\/span>) )\r\n{\r\n $buf<\/span> =<\/span> "Invalid character in file name"<\/span>;\r\n}\r\nelse<\/span> if<\/span> ( file_exists<\/span>($file<\/span>) )\r\n{\r\n $buf<\/span> =<\/span> file_get_contents<\/span>($file<\/span>);\r\n}\r\nelse<\/span> $buf<\/span> =<\/span> "File not found"<\/span>;\r\n\r\necho<\/span> $buf<\/span>;\r\n?><\/span>\r\n<\/pre>\n<\/div>\n
Question 2)
\nThe second one is an archive file, but I wasn’t sure which. Inspecting the header and comparing it (see attachments) showed the header off by about 20 bytes, so a correction with a hex editor made the file right.
\n\"\"<\/a><\/p>\n
Not quite an ELF file, but you can see the comparison here:
\n\"\"<\/a><\/p>\n
The server is essentially looking for a string by doing a string comparison (typical of the repe cmpsb \/ setnbe instrctions). It loops for the characters ‘bind’ referenced inside read-only data at 0x08048877<\/p>\n
<\/p>\n
\n
.text:<\/span>08048707<\/span>                 mov<\/span>     dword<\/span> ptr<\/span> [ebp<\/span>-<\/span>454h<\/span>], offset<\/span> 08048877<\/span>\r\n.text:<\/span>08048711<\/span>                 mov<\/span>     dword<\/span> ptr<\/span> [ebp<\/span>-<\/span>458h<\/span>], 4<\/span>\r\n.text:<\/span>0804871<\/span>B<\/span>                 cl<\/span>d<\/span>\r\n.text:<\/span>0804871<\/span>C<\/span>                 mov<\/span>     esi<\/span>, [ebp<\/span>-<\/span>450h<\/span>]\r\n.text:<\/span>08048722<\/span>                 mov<\/span>     edi<\/span>, [ebp<\/span>-<\/span>454h<\/span>]\r\n.text:<\/span>08048728<\/span>                 mov<\/span>     ecx<\/span>, [ebp<\/span>-<\/span>458h<\/span>]\r\n.text:<\/span>0804872<\/span>E<\/span>                 repe<\/span> cmpsb<\/span>\r\n.text:<\/span>08048730<\/span>                 setnbe<\/span>  dl<\/span>\r\n.text:<\/span>08048733<\/span>                 setb<\/span>    al<\/span>\r\n.text:<\/span>08048736<\/span>                 mov<\/span>     ecx<\/span>, edx<\/span>\r\n.text:<\/span>08048738<\/span>                 sub<\/span>     cl<\/span>, al<\/span>\r\n.text:<\/span>0804873<\/span>A<\/span>                 mov<\/span>     eax<\/span>, ecx<\/span>\r\n.text:<\/span>0804873<\/span>C<\/span>                 movsx<\/span>   eax<\/span>, al<\/span>\r\n.text:<\/span>0804873<\/span>F<\/span>                 test<\/span>    eax<\/span>, eax<\/span>\r\n.text:<\/span>08048741<\/span>                 jnz<\/span>     short<\/span> loc_8048766<\/span>\r\n<\/pre>\n<\/div>\n
By entering “bind” after telnet-ing to the the service \/ port, I got the answer for the next part as shown in the next attachment.
\n\"\"<\/a><\/p>\n
Question 3)<\/p>\n
Right after the recv call (function that accepts our data) there is a byte comparison checking the length of our input. if its greater than 7, then continue, otherwise the program quits:
\n\"\"<\/a>
\n<\/p>\n
\n
.text:<\/span>08048718<\/span>                 call<\/span>    _recv<\/span>\r\n.text:<\/span>0804871<\/span>D<\/span>                 mov<\/span>     [ebp<\/span>-<\/span>8<\/span>], eax<\/span>\r\n.text:<\/span>08048720<\/span>                 mov<\/span>     eax<\/span>, [ebp<\/span>-<\/span>8<\/span>]\r\n.text:<\/span>08048723<\/span>                 cmp<\/span>     eax<\/span>, 7<\/span>\r\n.text:<\/span>08048726<\/span>                 ja<\/span>      short<\/span> loc_8048734<\/span>\r\n.text:<\/span>08048728<\/span>                 mov<\/span>     dword<\/span> ptr<\/span> [esp<\/span>], 0<\/span>\r\n.text:<\/span>0804872<\/span>F<\/span>                 call<\/span>    _exit<\/span>\r\n<\/pre>\n<\/div>\n
So after passing that I noticed the value sent from the recv() call was being stored into the EAX register, and then doing a numerical \/ binary comparison against the value stored inside, specifically checking if the value of EAX is equal to 1024 in hex (4132 in decimal):
\n<\/p>\n
\n
.text:<\/span>08048734<\/span>                 mov<\/span>     eax<\/span>, [ebp<\/span>-<\/span>40h<\/span>]\r\n.text:<\/span>08048737<\/span>                 mov<\/span>     [esp<\/span>], eax<\/span>\r\n.text:<\/span>0804873<\/span>A<\/span>                 call<\/span>    _ntohl<\/span>\r\n.text:<\/span>0804873<\/span>F<\/span>                 mov<\/span>     [ebp<\/span>-<\/span>40h<\/span>], eax<\/span>\r\n.text:<\/span>08048742<\/span>                 mov<\/span>     eax<\/span>, [ebp<\/span>-<\/span>3Ch<\/span>]\r\n.text:<\/span>08048745<\/span>                 mov<\/span>     [esp<\/span>], eax<\/span>\r\n.text:<\/span>08048748<\/span>                 call<\/span>    _ntohl<\/span>\r\n.text:<\/span>0804874<\/span>D<\/span>                 mov<\/span>     [ebp<\/span>-<\/span>3Ch<\/span>], eax<\/span>\r\n.text:<\/span>08048750<\/span>                 mov<\/span>     eax<\/span>, [ebp<\/span>-<\/span>3Ch<\/span>]\r\n.text:<\/span>08048753<\/span>                 cmp<\/span>     eax<\/span>, 1024h<\/span>\r\n.text:<\/span>08048758<\/span>                 jnz<\/span>     short<\/span> loc_804877F<\/span>\r\n<\/pre>\n<\/div>\n
So all I had to do was stick the value 1024 in hex into the recv call. The problem is it wants something 8 bytes in length, but 1024 is only 2 bytes. I solved this by passing the data with NULL values 0x00 in hex.
\nI used php to do this:
\n<\/p>\n
\n
<?php<\/span>\r\n$host<\/span> =<\/span> "restest.tenable.com"<\/span>;\r\n$port<\/span> =<\/span> 31338<\/span>;\r\n$timeout<\/span> =<\/span> 20<\/span>;\r\n$data<\/span> =<\/span> "<\/span>\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x24<\/span>"<\/span>;\r\n$fp<\/span> =<\/span> fsockopen<\/span>($host<\/span>,$port<\/span>,$errno<\/span>,$errstr<\/span>,$timeout<\/span>);\r\nif<\/span> (!<\/span>$fp<\/span>)\r\n{\r\n    die<\/span>("<\/span>$errstr<\/span> (<\/span>$errno<\/span>)<\/span>\\n<\/span>"<\/span>);\r\n\r\n} else<\/span>\r\n{\r\n    fwrite<\/span>($fp<\/span>,$data<\/span>);\r\n\r\n    while<\/span>(!<\/span>feof<\/span>($fp<\/span>))\r\n        {\r\n        echo<\/span> fgets<\/span>($fp<\/span>, 512<\/span>);\r\n        }\r\n        fclose<\/span>($fp<\/span>);\r\n}\r\n?><\/span>\r\n<\/pre>\n<\/div>\n
And here it is working:
\n\"\"<\/a><\/p>\n
Just copy this verbatim and you too can have a crack at Tenable \/ Nessus, well at least until they find this and change the answers. Be warned though, they don’t want smart people, they want clay to mold. <\/p>\n
Good luck and happy hacking =)<\/p>\n
And no, I didn’t forget the funny image.<\/p>\n
\"\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Hello everyone, Today we will be going over the answers to the test offered by Tenable \/ Nessus when you interview with them to be an appsec guy. I was told I was the first to ace all 3 tests, so I might as well be the first to spoil all 3 tests. What they […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,5,6,7],"tags":[104,28,27,25,26],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/231"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=231"}],"version-history":[{"count":4,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/231\/revisions"}],"predecessor-version":[{"id":866,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/231\/revisions\/866"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=231"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=231"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=231"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}