I run a lot of lockpicking villages and such, and have a pretty big collection of locks, picks, and knowledge. A ton of people ask me how to get started, and unfortunately I don’t think there are any particularly good walkthroughs of how to get the basic stuff needed to start. Since Peterson just announced their winter sale, and I’ve had several requests to recommend lockpicking-based Christmas gifts, I figured this would be a good time to post some info!
Lots of the advice I see is around clear (acrylic) locks and progressive locks. I’m gonna be slightly controversial here by saying: clear and progressive locks are almost universally bad for learning or training - they’re badly made, unrealistic, have cheap parts, etc. They’re great for learning how locks work, but not for any serious practice.
In this post, I will talk about a few things: what are the first picks you should get, what are some good locks to practice on, and what are good resources to use for learning?
In BSidesSF CTF, calc.exe exploits you! (Author writeup of launchcode)
In addition to genius, whose writeup I already posted, my other favourite challenge I wrote for BSidesSF CTF was called launchcode. This will be my third and final writeup for BSidesSF CTF for 2019, but you can see all the challenges and solutions on our GitHub releases page.
This post will be more about how I developed this, since the solution is fairly straightforward once you know how it’s implemented.
Some crypto challenges: Author writeup from BSidesSF CTF
This is yet another author’s writeup for BSidesSF CTF challenges! This one will focus on three crypto challenges I wrote: mainframe, mixer, and decrypto!
BSidesSF CTF author writeup: genius
This is going to be an author’s writeup of the BSidesSF 2019 CTF challenge: genius!
genius is probably my favourite challenge from the year, and I’m thrilled that it was solved by 6 teams! It was inspired by a few other challenges I wrote in the past, including Nibbler. You can grab the source code, solution, and everything needed to run it yourself on our GitHub release!
It is actually implemented as a pair of programs: loader and genius. I only provide the binaries to the players, so it’s up to the player to reverse engineer them. Fortunately, for this writeup, we’ll have source to reference as needed!
Technical Rundown of WebExec
This is a technical rundown of a vulnerability that we’ve dubbed “WebExec”. The summary is: a flaw in WebEx’s WebexUpdateService allows anyone with a login to the Windows system where WebEx is installed to run SYSTEM-level code remotely. That’s right: this client-side application that doesn’t listen on any ports is actually vulnerable to remote code execution! A local or domain account will work, making this a powerful way to pivot through networks until it’s patched.
High level details and FAQ at https://webexec.org! Below is a technical writeup of how we found the bug and how it works.
Solving b-64-b-tuff: writing base64 and alphanumeric shellcode
A couple months ago, we ran BSides San Francisco CTF. It was fun, and I posted blogs about it at the time, but I wanted to do a late writeup for the level b-64-b-tuff.
The challenge was to write base64-compatible shellcode. There’s an easy solution - using an alphanumeric encoder - but what’s the fun in that? (Also, I didn’t think of it :) ). I’m going to cover base64, but these exact same principles apply to alphanumeric - there’s absolutely no reason you couldn’t change the SET variable in my examples and generate alphanumeric shellcode.
In this post, we’re going to write a base64 decoder stub by hand, which encodes some super simple shellcode. I’ll also post a link to a tool I wrote to automate this.
I can’t promise that this is the best, or the easiest, or even a sane way to do this. I came up with this process all by myself, but I have to imagine that the generally available encoders do basically the same thing. :)
Book review: The Car Hacker’s Handbook
So, this is going to be a bit of an unusual blog for me. I usually focus on technical stuff, exploitation, hacking, etc. But this post will be a mixture of a book review, some discussion on my security review process, and whatever asides fall out of my keyboard when I hit it for long enough. But, don’t fear! I have a nice heavy technical blog ready to go for tomorrow!
BSidesSF CTF wrap-up
While this is technically a CTF writeup, like I frequently do, this one is going to be a bit backwards: this is for a CTF I ran, instead of one I played! I’ve gotta say, it’s been a little while since I played in a CTF, but I had a really good time running the BSidesSF CTF! I just wanted to thank the other organizers - in alphabetical order - @bmenrigh, @cornflakesavage, @itsc0rg1, and @matir. I couldn’t have done it without you folks!
BSidesSF CTF was a capture-the-flag challenge that ran in parallel with BSides San Francisco. It was designed to be easy/intermediate level, but we definitely had a few hair-pulling challenges.
Going the other way with padding oracles: Encrypting arbitrary data!
A long time ago, I wrote a couple blogs that went into a lot of detail on how to use padding oracle vulnerabilities to decrypt an encrypted string of data. It’s pretty important to understand how to use a padding oracle vulnerability for decryption before reading this, so I’d suggest going there for a refresher.
When I wrote that blog and the Poracle tool originally, I didn’t actually know how to encrypt arbitrary data using a padding oracle. I was vaguely aware that it was possible, but I hadn’t really thought about it. But recently, I decided to figure out how it works. I thought and thought, and finally came up with this technique that seems to work. I also implemented it in Poracle in commit a5cfad76ad.
dnscat2 0.05: with tunnels!
Greetings, and I hope you’re all having a great holiday!
My Christmas present to you, the community, is dnscat2 version 0.05!
Some of you will remember that I recently gave a talk at the SANS Hackfest Summit. At the talk, I mentioned some ideas for future plans. That’s when Ed jumped on the stage and took a survey: which feature did the audience want most?
The winner? Tunneling TCP via a dnscat. So now you have it! Tunneling: Phase 1. :)
Info and downloads.
SANS Hackfest writeup: Hackers of Gravity
A few weeks ago, SANS hosted a private event at the Smithsonian’s Air and Space Museum as part of SANS Hackfest. An evening in the Air and Space Museum just for us! And to sweeten the deal, they set up a scavenger hunt called “Hackers of Gravity” to work on while we were there!
We worked in small teams (I teamed up with Eric, who’s also writing this blog with me). All they told us in advance was to bring a phone, so every part of this was solved with our phones and Google.
Each level began with an image, typically with a cipher embedded in it. After decoding the cipher, the solution and the image itself were used together to track down a related artifact.
This is a writeup of that scavenger hunt. :)
dnscat2: now with crypto!
Live from the SANS Pentest Summit, I’m excited to announce the latest beta release of dnscat2: 0.04! Besides some minor cleanups and UI improvements, there is one serious improvement: all dnscat2 sessions are now encrypted by default!
Read on for some user information, then some implementation details for those who are interested! For all the REALLY gory information, check out the protocol doc!
Why DNS is awesome and why you should love it
It’s no secret that I love DNS. It’s an awesome protocol. It’s easy to understand and easy to implement. It’s also easy to get dangerously wrong, but that’s a story for ~~last week~~ a few weeks ago. :)
I want to talk about interesting implications of DNS’s design decisions that benefit us, as penetration testers. It’s difficult to describe these decisions as good or bad; it’s just what we have to work with.
What I DON’T want to talk about today is DNS poisoning or spoofing, or similar vulnerabilities. While cool, those generally require the attacker to take advantage of poorly configured or vulnerable DNS servers.
Technically, I’m also releasing a tool I wrote a couple weeks ago: dnslogger.rb that replaces an old tool I wrote a million years ago.
How I nearly almost saved the Internet, starring afl-fuzz and dnsmasq
If you know me, you know that I love DNS. I’m not exactly sure how that happened, but I suspect that Ed Skoudis is at least partly to blame.
Anyway, a project came up to evaluate dnsmasq, and being a DNS server - and a key piece of Internet infrastructure - I thought it would be fun! And it was! By fuzzing in a somewhat creative way, I found a really cool vulnerability that’s almost certainly exploitable (though I haven’t proven that for reasons that’ll become apparent later).
Although I started writing an exploit, I didn’t finish it. I think it’s almost certainly exploitable, so if you have some free time and you want to learn about exploit development, it’s worthwhile having a look! Here’s a link to the actual distribution of a vulnerable version, and I’ll discuss the work I’ve done so far at the end of this post.
You can also download my branch, which is similar to the vulnerable version (branched from it); the only difference is that it contains a bunch of fuzzing instrumentation and debug output around parsing names.
Defcon quals: wwtw (a series of vulns)
This is going to be my final (and somewhat late) writeup for the Defcon Qualification CTF. The level was called “wibbly-wobbly-timey-wimey”, or “wwtw”, and was a combination of a few things (at least the way I solved it): programming, reverse engineering, logic bugs, format-string vulnerabilities, some return-oriented programming (for my solution), and Dr. Who references!
I’m not going to spend much time on the theory of format-string vulnerabilities or return-oriented programming because I just covered them in babyecho and r0pbaby.
And by the way, I’ll be building the solution in Python as we go, because the first part was solved by one of my teammates, and he’s a Python guy. As much as I hated working with Python (which has become my life lately), I didn’t want to re-write the first part and it was too complex to do on the shell, so I sucked it up and used his code.
You can download the binary here, and you can get the exploit and other files involved on my GitHub page.