Kilala.nl - Personal website of Tess Sluijter

Unimportant background
Login
  RSS feed

About me

Blog archives

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

> Weblog

> Sysadmin articles

> Maths teaching

Zine: "The tale of the Dubious Crypto", a pentesting adventure

2019-11-08 16:15:00

A broken padlock

If you've met me IRL, you will most likely have seen me doodling or drawing. It's an almost compulsory thing for me! I've often said that drawing is like my brain's "Idle Process", running in the background making sure I pay attention to things around me, like meetings or phone calls.

Over the past 30+ years I've mostly drawn for my own enjoyment, though I've also published yonkoma comics about my daily life and even tried my hand at a short story or two. In 2019 things took a new turn after b0rk (Julia) and SailorHG (Amy) inspired me to make a "zine".

To sum it up, a "zine" (short for magazine) is a self-published booklet about subject matter that's dear to the author's heart. The Public have a made a wonderful zine explaining zines (how meta!), which is available here: An Introduction To Zines.

For starters, I'll write about things I've learned during my work and studies which I feel are well-worth sharing with others. The first issue, "The tale of the Dubious Crypto" covers Windows security practices and bad cryptography implementations in a piece of software I pen-tested.

You can find all upcoming releases, including printing instructions and license information, over here -> https://github.com/tsluyter/Zines


kilala.nl tags: , ,

View or add comments (curr. 0)

CTF036 2019, the Secured By Design CTF

2019-04-05 09:10:00

Me, on stage

The photograph on the left was provided by Secured By Design.

I love CTFs and though I can't take part in a lot of them, I make it a point to always play in Secured By Design's CTF036. Four years in a row now and the events just keep getting better! 

I was invited to give a small talk again, this time covering the basics of PKI: public key infrastructure. In short, PKI is one of the ways to solve the challenge of "trust" in an environment: how can you trust that someone or something really is whom they claim to be? We were very much cramped for time, so I had to try and smush everything into half an hour! While the talk went smoothly, I'm not entirely happy: there was just too much info in too little time. And I didn't even cover it all! 

My slide deck for "When Alice met Bob..." is over here. 

The CTF itself was, as always, a blast! Roughly a hundred participants, attacking six copies of the same target environment: three servers and two desktop systems, part of a fake school's infrastructure. Our goal was to grab as many student IDs as possible. 

The usual suspects were there yet again: weak passwords on mailboxes, SMB shares without proper ACLs, simulated end-users and a rudimentary daemon which you could try a buffer overflow on.

I spent most of my time on attacking one of the end users: a professor. The school's website featured an open forum, with sections dedicated to each of the classes taught. One professor warned his students that their final presentations were due any day now and that they should be submitted "through the usual share". This refers to the aforementioned, open SMB share which had a subfolder "Presentations". 

I recalled that SETookit and Metasploit offered options to create Word/Powerpoint/Office payloads, but had forgotten how to. I'm rusty, it's been a while since I've done this :) After a bit of research, I turned to exploit/windows/fileformat/office_OLE*. When configuring the exploit I simply chose to target all possible options, which generated roughly twenty files with shellcode. In real life this would obviously not work, because who would fall for that?! Twenty files without content, clicking through all of them? Nope :) But in this case the script set up on the workstation (to simulate the professor) was greedy and simply went through all of them. 

Using this method I got a nice and shell_reverse_tcp to my port 443. Looking to escalate my privileges on the workstation I tried to get a Meterpreter payload to run in the same way, but failed. I guess the payload was too tricky for the target. 

I explained this particular attack vector to two teams (ex-colleagues to my right, the team in #1 slot to my left), which was a fun exercise. I love explaining stuff like this to people who're just getting their feet wet (my ex-colleagues). The #1 team quickly latched onto the idea and offered an improvement to the attack: use the reverse shell to download a Meterpreter payload .EXE file. Duh! I should've thought of that! 

Anyway: a wonderful day with fun hacking and meeting cool people! Heartily recommended :)


kilala.nl tags: , ,

View or add comments (curr. 1)

Older blog posts