SkullSecurity
Adventures In Security
BSIDESSF CTF: CHOOSE YOUR OWN KEYVENTURE: RSA-DEBUGGER CHALLENGE!
_Thanks to SYMMETRIC (aka Brandon Enright) for this wonderful guest post! I tried to proofread it, but holy math Batman!! --Ron / @iagox86_

Hey all, this is symmetric here! I was thrilled to be once again involved in running the BSidesSF CTF with such creative teammates and skilled CTF players. My favorite challenge this year was _RSA-DEBUGGER_ which, despite getting 12 solves, was actually quite hard. In this post I’d like to tell you a bit about the genesis of the challenge and how to solve it.

CURVEBALL, BUT FOR RSA

As I was really ramping up challenge making this year, Microsoft had the great timing to release CVE-2020-0601. As something of a "crypto nerd" I was pretty interested in the details. Fortunately Thomas Ptacek (@tqbf) wrote up a great first-take on the vulnerability on Hacker News which turned out to be essentially spot-on. tqbf also linked to Cryptopals Exercise 61 which gets even further into the math behind the Curveball attack. But the relevant part of that exercise was the final comment about RSA:

> Since RSA signing and decryption are equivalent operations, you can
> use this same technique for other surprising results. Try generating
> a random (or chosen) ciphertext and creating a key to decrypt it to
> a plaintext of your choice!

When I read that, I _knew_ I had to make a challenge that would have users do just that!
Continue reading →
March 2, 2020
Conferences, Crypto, CTFs
symmetric
BSIDESSF CTF: HARD REVERSING CHALLENGE: CHAMELEON
For my third and final blog post about the BSidesSF CTF, I wanted to cover the solution to Chameleon. Chameleon is loosely based on a KringleCon challenge I wrote (video guide), which is loosely based on a real-world penetration test from a long time ago. Except that Chameleon is much, much harder than either.
Continue reading →
February 26, 2020
Conferences, Crypto, CTFs, Reverse Engineering
Ron Bowes
BSIDESSF CTF: EASY TO HARD RUST REVERSING CHALLENGES
As mentioned in a previous post, I was honoured to once again help run BSidesSF CTF!
This is going to be a quick writeup for three challenges: config-me, rusty1, and rusty2. All three are reversing challenges written in Rust, although the actual amount of reversing required is low for the first two.
Continue reading →
February 26, 2020
Conferences, CTFs, Reverse Engineering
Ron Bowes
BSIDESSF CTF: DIFFICULT REVERSE ENGINEERING CHALLENGE: GMAN
Once again, it was my distinct privilege to be a BSidesSF CTF organizer! As somebody who played CTFs for years, it really means a lot to me to organize one, and watch folks struggle through our challenges. And more importantly, each person that comes up to us and either thanks us or tells us they learned something is a huge bonus!
But this week, I want to post writeups for some of the challenges I wrote. I'm starting with my favourite - Gman!
Continue reading →
February 26, 2020
Conferences, CTFs
Ron Bowes
HOW DO I START PICKING LOCKS?
Hey folks,
I run a lot of lockpicking villages and such, and have a pretty big collection of locks, picks, and knowledge. A _ton_ of people ask me how to get started, and unfortunately I don't think there are any particularly good walkthroughs of how to get the basic stuff needed to start. Since Peterson just announced their winter sale, and I've had several requests to recommend lockpicking-based Christmas gifts, I figured this would be a good time to post some info!
Lots of the advice I see is around clear (acrylic) locks and progressive locks. I'm gonna be slightly controversial here by saying: clear and progressive locks are almost universally bad for learning or training - they're badly made, unrealistic, have cheap parts, etc. They're great for _learning how locks work_, but not for any serious practice.
In this post, I will talk about a few things: what are the first picks you should get, what are some good locks to practice on, and what are good resources to use for learning?
Continue reading →
December 16, 2019
Lockpicking
Ron Bowes
IN BSIDESSF CTF, CALC.EXE EXPLOITS YOU! (AUTHOR WRITEUP OF LAUNCHCODE)
2 Replies
Hey everybody,
In addition to genius, whose writeup I already posted, my other favourite challenge I wrote for BSidesSF CTF was called launchcode. This will be my third and final writeup for BSidesSF CTF for 2019, but you can see all the challenges and solutions on our Github releases page.
This post will be more about how I developed this, since the solution is fairly straightforward once you know how it's implemented.
Continue reading →
March 15, 2019
Conferences, Crypto, Forensics, Reverse Engineering
Ron Bowes
SOME CRYPTO CHALLENGES: AUTHOR WRITEUP FROM BSIDESSF CTF
Hey everybody,
This is yet another author's writeup for BSidesSF CTF challenges! This one will focus on three crypto challenges I wrote: mainframe, mixer, and decrypto!
Continue reading →
March 12, 2019
Conferences, Crypto, Passwords, Tools
Ron Bowes
BSIDESSF CTF AUTHOR WRITEUP: GENIUS
Hey all,
This is going to be an author's writeup of the BSidesSF 2019 CTF challenge: genius!
genius is probably my favourite challenge from the year, and I'm thrilled that it was solved by 6 teams! It was inspired by a few other challenges I wrote in the past, including Nibbler. You can grab the source code, solution, and everything needed to run it yourself on our Github release!
It is actually implemented as a pair of programs: loader and genius. I only provide the binaries to the players, so it's up to the player to reverse engineer them. Fortunately, for this writeup, we'll have source to reference as needed!
Continue reading →
March 11, 2019
Conferences, CTFs, Hacking, Reverse Engineering
Ron Bowes
TECHNICAL RUNDOWN OF WEBEXEC
4 Replies
This is a technical rundown of a vulnerability that we've dubbed "WebExec". The summary is: a flaw in WebEx's WebexUpdateService allows anyone with a login to the Windows system where WebEx is installed to run SYSTEM-level code remotely. That's right: this client-side application that doesn't listen on any ports is actually vulnerable to remote code execution! A local or domain account will work, making this a powerful way to pivot through networks until it's patched.
High level details and FAQ at https://webexec.org! Below is a technical writeup of how we found the bug and how it works.
Continue reading →
October 24, 2018
Hacking, NetBIOS/SMB, Reverse Engineering
Ron Bowes
SOLVING B-64-B-TUFF: WRITING BASE64 AND ALPHANUMERIC SHELLCODE
1 Reply
Hey everybody,
A couple months ago, we ran BSides San Francisco CTF. It was fun, and I posted blogs about it at the time, but I wanted to do a late writeup for the level b-64-b-tuff.
The challenge was to write base64-compatible shellcode. There's an easy solution - using an alphanumeric encoder - but what's the fun in that? (also, I didn't think of it :) ). I'm going to cover base64, but these exact same principles apply to alphanumeric - there's absolutely no reason you couldn't change the SET variable in my examples and generate alphanumeric shellcode.
In this post, we're going to write a base64 decoder stub by hand, which encodes some super simple shellcode. I'll also post a link to a tool I wrote to automate this.
I can't promise that this is the best, or the easiest, or even a sane way to do this. I came up with this process all by myself, but I have to imagine that the generally available encoders do basically the same thing. :)
Continue reading →
June 13, 2017
CTFs, Hacking
Ron Bowes
BOOK REVIEW: THE CAR HACKER’S HANDBOOK
3 Replies
So, this is going to be a bit of an unusual blog for me. I usually focus on technical stuff, exploitation, hacking, etc. But this post will be a mixture of a book review, some discussion on my security review process, and whatever asides fall out of my keyboard when I hit it for long enough. But, don't fear! I have a nice heavy technical blog ready to go for tomorrow!
Continue reading →
June 12, 2017
Reviews
Ron Bowes
BSIDESSF CTF WRAP-UP
Welcome!
While this is technically a CTF writeup, like I frequently do, this one is going to be a bit backwards: this is for a CTF I _ran_, instead of one I played! I've gotta say, it's been a little while since I played in a CTF, but I had a really good time running the BSidesSF CTF! I just wanted to thank the other organizers - in alphabetical order - @bmenrigh, @cornflakesavage, @itsc0rg1, and @matir. I couldn't have done it without you folks!
BSidesSF CTF was a capture-the-flag challenge that ran in parallel with BSides San Francisco. It was designed to be easy/intermediate level, but we definitely had a few hair-pulling challenges.
Continue reading →
February 22, 2017
Conferences, CTFs
Ron Bowes
GOING THE OTHER WAY WITH PADDING ORACLES: ENCRYPTING ARBITRARY DATA!
3 Replies
A long time ago, I wrote a couple blogs that went into a lot of detail on how to use padding oracle vulnerabilities to decrypt an encrypted string of data. It's pretty important to understand how to use a padding oracle vulnerability for decryption before reading this, so I'd suggest going there for a refresher.
When I wrote that blog and the Poracle tool originally, I didn't actually know how to encrypt arbitrary data using a padding oracle. I was vaguely aware that it was possible, but I hadn't really thought about it. But recently, I decided to figure out how it works. I thought and thought, and finally came up with this technique that seems to work. I also implemented it in Poracle in commit a5cfad76ad.
Continue reading →
December 19, 2016
Crypto, Hacking, Tools
Ron Bowes
DNSCAT2 0.05: WITH TUNNELS!
3 Replies
Greetings, and I hope you're all having a great holiday! My Christmas present to you, the community, is dnscat2 version 0.05!
Some of you will remember that I recently gave a talk at the SANS Hackfest Summit. At the talk, I mentioned some ideas for future plans. That's when Ed jumped on the stage and took a survey: which feature did the audience want most? The winner? Tunneling TCP via a dnscat. So now you have it! Tunneling: Phase 1. :)
Info and downloads.
Continue reading →
December 24, 2015
DNS, Hacking, Tools
Ron Bowes
SANS HACKFEST WRITEUP: HACKERS OF GRAVITY
~~Last week~~ A few weeks ago, SANS hosted a private event at the Smithsonian's Air and Space Museum as part of SANS Hackfest. An evening in the Air and Space Museum just for us! And to sweeten the deal, they set up a scavenger hunt called "Hackers of Gravity" to work on while we were there!
We worked in small teams (I teamed up with Eric, who's also writing this blog with me). All they told us in advance was to bring a phone, so every part of this was solved with our phones and Google.
Each level began with an image, typically with a cipher embedded in it. After decoding the cipher, the solution and the image itself were used together to track down a related artifact.
This is a writeup of that scavenger hunt. :)
Continue reading →
December 22, 2015
Conferences
Ron Bowes
DNSCAT2: NOW WITH CRYPTO!
1 Reply
Hey everybody,
Live from the SANS Pentest Summit, I'm excited to announce the latest beta release of dnscat2: 0.04! Besides some minor cleanups and UI improvements, there is one serious improvement: all dnscat2 sessions are now encrypted by default!
Read on for some user information, then some implementation details for those who are interested! For all the REALLY gory information, check out the protocol doc!
Continue reading →
November 17, 2015
Conferences, DNS, Hacking, Tools
Ron Bowes
WHY DNS IS AWESOME AND WHY YOU SHOULD LOVE IT
16 Replies
It's no secret that I love DNS. It's an awesome protocol. It's easy to understand and easy to implement. It's also easy to get dangerously wrong, but that's a story for ~~last week~~ a few weeks ago. :)
I want to talk about interesting implications of DNS's design decisions that benefit us, as penetration testers. It's difficult to describe these decisions as good or bad, it's just what we have to work with.
What I DON'T want to talk about today is DNS poisoning or spoofing, or similar vulnerabilities. While cool, it generally requires the attacker to take advantage of poorly configured or vulnerable DNS servers.
Technically, I'm also releasing a tool I wrote a couple weeks ago: dnslogger.rb that replaces an old tool I wrote a million years ago.
Continue reading →
August 17, 2015
DNS, Tools
Ron Bowes
HOW I NEARLY ALMOST SAVED THE INTERNET, STARRING AFL-FUZZ AND DNSMASQ
13 Replies
If you know me, you know that I love DNS. I'm not exactly sure how that happened, but I suspect that Ed Skoudis is at least partly to blame.
Anyway, a project came up to evaluate dnsmasq, and being a DNS server - and a key piece of Internet infrastructure - I thought it would be fun! And it was! By fuzzing in a somewhat creative way, I found a really cool vulnerability that's almost certainly exploitable (though I haven't proven that for reasons that'll become apparent later).
Although I started writing an exploit, I didn't finish it. I think it's almost certainly exploitable, so if you have some free time and you want to learn about exploit development, it's worthwhile having a look! Here's a link to the actual distribution of a vulnerable version, and I'll discuss the work I've done so far at the end of this post.
You can also download my branch, which is similar to the vulnerable version (branched from it), the only difference is that it contains a bunch of fuzzing instrumentation and debug output around parsing names.
Continue reading →
July 15, 2015
DNS, Hacking, Tools
Ron Bowes
DEFCON QUALS: WWTW (A SERIES OF VULNS)
Hey folks,
This is going to be my final (and somewhat late) writeup for the Defcon Qualification CTF. The level was called "wibbly-wobbly-timey-wimey", or "wwtw", and was a combination of a few things (at least the way I solved it): programming, reverse engineering, logic bugs, format-string vulnerabilities, some return-oriented programming (for my solution), and Dr. Who references!
I'm not going to spend much time on the theory of format-string vulnerabilities or return-oriented programming because I just covered them in babyecho and r0pbaby.
And by the way, I'll be building the solution in Python as we go, because the first part was solved by one of my teammates, and he's a Python guy. As much as I hated working with Python (which has become my life lately), I didn't want to re-write the first part and it was too complex to do on the shell, so I sucked it up and used his code.
You can download the binary here, and you can get the exploit and other files involved on my github page.
Continue reading →
June 9, 2015
Defcon Quals 2015
Ron Bowes
DEFCON QUALS: BABYECHO (FORMAT STRING VULNS IN GORY DETAIL)
8 Replies
Welcome to the third (and penultimate) blog post about the 2015 Defcon Qualification CTF! This is going to be a writeup of the "babyecho" level, as well as a thorough overview of format-string vulnerabilities! I really like format string vulnerabilities - they're essentially a "read or write anywhere" primitive - so I'm excited to finally write about them!
You can grab the binary here, and you can get my exploit and some other files on this Github repo.
Continue reading →
May 22, 2015
Defcon Quals 2015
Ron Bowes
ABOUT
* "Just another security weblog"
* info-at-skullsecurity.net
* #skullsecurity (Freenode)
FEATURED POSTS
* Hash extension attacks
* Facebook followup
* Facebook snatchers
* Defeating lockdowns
* Javascript in DNS
* Energizer Trojan tutorial
* Weaponizing DNS
* Password lists
* VM Stealing
* Two locks, one bike
SKULLSECURITY
* Assembly tutorial
* Github
* Password lists
* Repository
* Wiki
TOOLS
* nbtool
WEBLOGS
* FilterJoe – end-user password advice
* Hash Krackin
* Hour of Wolves
* Information Technology Enthusiast
* Serbo-Croatian translation of my blog
* Skywing’s Blog