Deep Dive into DCSync - How It Works & Bypass

Introduction

What could be simpler than running a secretsdump once you have obtained administrative rights, right? But when the goal is to stay stealthy, what are the options for avoiding detection, especially when the machines are equipped with an EDR? That is what we will look at today with the case of Elastic EDR. This article will also help you understand why, to date, even with all replication rights, you cannot perform a DCSync from Linux (via secretsdump, nxc) using a non-administrator account. ...

December 23, 2024 · 11 min · Aether

YesWeHack Dojo #35 : Chatroom

Dojo #35 - Chatroom

Introduction

The 35th Dojo Challenge, Chatroom, invited participants to exploit a CWE-73: External Control of File Name or Path vulnerability and read a file containing the challenge flag. YesWeHack asked participants to produce a qualified report explaining the logic that allows exploitation, as set out by the challenge. Here's my write-up for this challenge, which unfortunately didn't make the top 3 :(.

Setup

Code

```javascript
const child_process = require('child_process')
const process = require('process')
const path = require('path')
const ejs = require('ejs')
const fs = require('fs')

process.chdir("/tmp")

// Flag
fs.writeFileSync('flag.txt', flag)

// Design
fs.writeFileSync('index.ejs', `
<html>
<body>
<div class="wrapper">
  <div class="base contacts">
    <div class="header">
      <input type="text" placeholder="Search...">
      <img class="icon" src="https://api.iconify.design/ic:baseline-search.svg?color=%23fff">
    </div>
    <ul>
      <li>
        <img class="profile" src="https://static.vecteezy.com/ti/gratis-foton/p1/22717360-sot-kanin-med-morot-vaska-tecknad-serie-ikon-illustration-djur-utbildning-ikon-begrepp-isolerat-generat-ai-gratis-fotona.jpg">
        <div class="user">
          <p>Root</p>
          <div class="status">
            <div class="dot-active"></div>
            <p style="font-size: 14px;"> Online</p>
          </div>
        </div>
      </li>
      <li>
        <img class="profile" src="https://static.vecteezy.com/ti/gratis-foton/p1/22716493-sot-bi-flygande-tecknad-serie-ikon-illustration-djur-natur-ikon-begrepp-isolerat-generat-ai-gratis-fotona.jpg">
        <div class="user">
          <p>Hackerman</p>
          <div class="status">
            <div class="dot"></div>
            <p style="font-size: 14px;"> Offline</p>
          </div>
        </div>
      </li>
      <li>
        <img class="profile" src="https://static.vecteezy.com/ti/gratis-foton/p1/22711661-hacker-rorelse-en-barbar-dator-tecknad-serie-ikon-illustration-teknologi-ikon-begrepp-isolerat-platt-tecknad-serie-stil-generat-ai-gratis-fotona.jpg">
        <div class="user">
          <p>Pwner</p>
          <div class="status">
            <div class="dot"></div>
            <p style="font-size: 14px;"> Offline</p>
          </div>
        </div>
      </li>
      <li>
        <img class="profile" src="https://static.vecteezy.com/ti/gratis-foton/p1/30493982-sot-tecknad-serie-robot-med-horlurar-och-gul-blommor-vektor-illustration-ai-genererad-gratis-fotona.jpg">
        <div class="user">
          <p>Robo7</p>
          <div class="status">
            <div class="dot"></div>
            <p style="font-size: 14px;"> Offline</p>
          </div>
        </div>
      </li>
    </ul>
    <img class="settings" src="https://api.iconify.design/solar:settings-bold.svg?color=%23999da5">
  </div>
  <div class="base chat">
    <div class="header">
      <img class="profile" src="https://pbs.twimg.com/profile_images/1576633593203392513/7lbM_Fd0_400x400.jpg">
      <p class="user" style="font-size: 22px;">Brumens</p>
      <div class="dot-active"></div>
      <img class="icon" src="https://api.iconify.design/majesticons:microphone.svg?color=%23fff">
      <img class="icon" src="https://api.iconify.design/majesticons:video-camera.svg?color=%23fff">
      <img class="props" src="https://api.iconify.design/mdi:dots-vertical.svg?color=%23999da5">
    </div>
    <div class="msg">
      <div class="dm1"> Hello there, so you trying to exploit this code injection? &#128526; </div>
      <div class="dm2"> Yes, leave me alone... &#129402; </div>
    </div>
    <div class="footer">
      <img src="https://api.iconify.design/material-symbols:add-circle.svg?color=%23999da5">
      <% if ( message != null ) { %>
        <input type="text" placeholder="<%= message %>">
      <% } else { %>
        <input type="text" placeholder="Message...">
      <% } %>
      <button>Send</button>
    </div>
  </div>
</div>
<a class="ref" href="https://www.vecteezy.com/free-vector">Images by Vecteezy</a>
<!-- Only design below (ignore) -->
<style>
@import url('https://fonts.googleapis.com/css2?family=Anta&family=Bungee+Shade&family=Clicker+Script&family=Indie+Flower&family=Inter+Tight:ital,wght@0,100..900;1,100..900&family=League+Spartan:wght@100..900&family=Madimi+One&family=Nabla&family=Sunflower:wght@300&display=swap');
:root { --color-shadow: rgb(0,0,0,0.33); --color-btn: #7d8fc5; --color-bg: #36393e; --color-primary: #424549; --color-border: #707377; --color-transparent: rgba(255, 255, 255, 0.2); --color-txt: #999da5; --color-offline: rgb(217, 42, 42); --color-online: #5de423; }
body { margin: 0px; padding: 0px; background-color: var(--color-bg); color: var(--color-txt); font-family: "Madimi One", sans-serif; font-weight: 600; font-style: normal; object-fit: cover; width: 100%; height: 100%; }
input { background-color: var(--color-primary); color: var(--color-txt); border: 1px solid var(--color-border); margin: 4px; border-radius: 13px; padding-left: 10px; font-size: 16px; }
button { cursor: pointer; text-decoration: none; background-color: var(--color-btn); color: #fff; border: 0; border-radius: 13px; width: 100px; height: 50px; font-size: 16px; font-weight: 900; margin: 4px; transition: 0.3s; }
.icon { cursor: pointer; transition: 0.3s; width: 24px; height: 24px; }
.icon:hover { transform: translate(0, 3px); }
button:hover { transform: translate(0, 3px); }
li { margin-top: 10px; display: flex; list-style: none; }
.wrapper { position: absolute; width: 100%; height: 100%; display: flex; }
.profile { margin: 8px; width: 50px; height: 50px; border-radius: 50%; border: 2px solid var(--color-border); }
.contacts { border: 2px solid var(--color-border); box-shadow: 0 5px 20px var(--color-shadow); padding: 10px; flex: 30%; margin: 20px; border-radius: 22px; background-color: var(--color-primary); backdrop-filter: blur(3px); height: 100%; }
.contacts input { width: 100%; height: 32px; }
.contacts .header { display: flex; align-items: center; }
.contacts .header .icon { background-color: var(--color-btn); border-radius: 50%; padding: 8px; }
.contacts ul { margin: 0; padding: 0px; }
.contacts ul li { border: 2px solid var(--color-border); border-radius: 13px; background-color: var(--color-primary); }
.user .status { display: flex; align-items: center; }
.dot { margin-right: 4px; width: 12px; height: 12px; background-color: var(--color-offline); border-radius: 50%; }
.dot-active { margin-right: 4px; width: 12px; height: 12px; background-color: var(--color-online); border-radius: 50%; }
.contacts .settings { border-radius: 50%; position: absolute; padding: 8px; width: 32px; height: 32px; bottom: 10; left: 10; }
.chat { border: 2px solid var(--color-border); box-shadow: 0 5px 20px var(--color-shadow); padding: 10px; flex: 70%; margin: 20px; margin-left: 0px; border-radius: 22px; background-color: var(--color-primary); backdrop-filter: blur(3px); height: 100%; }
.chat .header { border-radius: 19px 19px 0 0; padding-bottom: 10px; display: flex; align-items: center; gap: 20px; width: 100%; }
.user { padding: 6px; }
.user p { font-weight: 900; font-size: 16px; margin: 0; }
.user .status { text-align: center; border-radius: 12px; height: 20px; width: 60px; padding: 4px; padding-left: 8px; padding-right: 8px; background-color: var(--color-bg); margin: 0; }
.chat .profile { width: 80px; height: 80px; }
.chat .icon { background-color: var(--color-btn); padding: 8px; border-radius: 50%; }
.chat .props { padding: 6px; position: absolute; width: 32px; height: 32px; right: 50px; }
.chat .msg { border-radius: 22px; padding-bottom: 10px; border: 2px solid var(--color-border); background-color: var(--color-bg); height: 50%; }
/*I'm lazy*/
.chat .dm1 { border-radius: 22px 22px 22px 0; background-color: var(--color-btn); margin-left: 8px; margin-top: 20px; color: #fff; font-size: 20px; text-align: left; padding: 20px; width: 220px; height: 80px; }
.chat .dm2 { position: absolute; border-radius: 22px 22px 0 22px; background-color: var(--color-btn); margin-right: 20px; margin-top: 3%; color: #fff; font-size: 20px; text-align: left; right: 0; padding: 20px; width: 220px; height: 30px; }
.chat .footer { display: flex; justify-content: center; align-items: center; border-radius: 0 0 19px 19px; height: 100px; }
.chat .footer { height: 70px; }
.chat .footer img { border-radius: 50%; padding: 8px; width: 38px; height: 38px; }
.chat .footer input{ width: 320px; height: 50px; }
.ref { position: absolute; margin: 12px; color: #fff; bottom: 0; right: 0; font-weight: 100; font-size: 12px; }
</style>
</body>
</html>
`)

// End of the Dojo setup section; the challenge code below receives these modules
return {fs, ejs, path, process, child_process}

class Message {
  constructor(to, msg) {
    this.to = to;
    this.msg = msg;
    this.file = null
  }
  send() {
    console.log(`Message sent to: ${this.to}`)
  }
  makeDraft() {
    // Draft file name is derived from the user-controlled "to" value
    this.file = path.basename(`${Date.now()}_${this.to}`)
    fs.writeFileSync(this.file, this.msg)
  }
  getDraft() {
    return fs.readFileSync(this.file)
  }
}

// The Dojo injects the user-supplied JSON (to / msg) into this empty string
const userData = decodeURIComponent("")
var data = {"to":"", "msg":""}
if ( userData != "" ) {
  try {
    data = JSON.parse(userData)
  } catch(err) {
    console.error("Error : Message could not be sent!")
  }
}

var message = new Message(data["to"], data["msg"])
message.makeDraft()
console.log( ejs.render(fs.readFileSync('index.ejs', 'utf8'), {message: message.msg}) )
```

Description

When a message is sent, it is saved in the same folder as the index.ejs file. The path.basename function is used in an attempt to secure the retrieval of the username from the `to` POST parameter. ...

September 25, 2024 · 8 min · Aether

Talk: Sthack 24 - Bluetooth introspection of a vending machine

Sthack 24 - Bluetooth introspection of a vending machine

For a few months at the start of 2024, I reverse-engineered a mobile application that talks over Bluetooth to a vending machine (coffee, drinks...) in order to validate the payment when a product is selected. It turns out that I managed to bypass the payment by reimplementing the exchanges that take place between the application and the machine. In this talk, I explain what pushed me to do this research, how I organised it, the description of the exchanges, and finally a video demo of the reimplemented application. ...

May 28, 2024 · 1 min · Aether