Again, RandoriSec was at Hack In The Box for the 2019 edition in Amsterdam! It was really great!
The first 3 days of the event are dedicated for the trainings. About that, we heard that the training from Nicolas Grégoire (aka @Agarri) was really great and got very good feedback from the attendees. If you want to improve your skills on Burp Suite Pro, you should attend this training.
The event was divided in 2 main parts:
- HITB Sec Conf: which is the main event providing 3 different tracks including one almost dedicated to workshops
- HAXPO conference: free event with only one presentation track and a village / exhibition space with different activities (lockpicking, CTF, retro-gaming, machine learning with cars and so on)
All the slides from HITB and also the HAXPO conferences are already available online:
The End Is The Beginning Is The End: Ten Years In The NL Box
Dhillon ‘L33tdawg’ Kannabhiran, who is the Founder and Chief Executive Officer of Hack in The Box, organiser of the HITBSecConf series of network security conferences, made a retrospective of the ten years of HITB. He presented the team working behind the scenes and also the volunteers helping to make this event. The big news of the keynote was the creation of a new event called HITB Cyber Week. This event will be held in Abu Dhabi from 12th to 17th October, 2019. Many activities are already planned such as: Attack/Defense CTF, Machine learning contests, Bug bounties competition and so on.
Make ARM Shellcode Great Again
The presentation performed by Saumil Shah aimed to create an ARM shellcode able to evade IDS signatures and YARA rules.
The idea, quite simple, is to design a kind of polyglot ARM shellcode. How to create a polyglot ARM shellcode? By abusing the ARM and Thumb modes. The shellcode presented by Saumil started in ARM mode and then switch on Thumb mode. In order to avoid signatures, the part of the shellcode in ARM mode can also be executed in Thumb mode if needed.
If you want to play with ARM shellcoding, you can look at the Github of Saumil:
A Decade of Infosec Tools
Thomas Debize performed a study about the most famous tools used by the infosec community. The idea was to look at the last 10 years and to know:
- How are these new tools built?
- Where are they hosted?
- How long are they maintained?
- Are they really better made than the old ones?
He analyzed the data providing from PacketStorm, ToolsWatch, Kitploit and n0where. This study showed some interesting figures:
- With no surprise, Github is the most used platform for hosting code
- The MISP project has the biggest number of open issues
- Nmap is the second project with the biggest number of pull requests
- Python is the most frequent programming language followed by Shell and HTML
- Almost half of the Python tools used PyCrypto which is not maintained since 2013!
All the data is available on his Github, if you want to play with it:
Overcoming Fear: Reversing with Radare2
In the afternoon, Arnau Gàmez i Montolio performed a workshop about Radare2. We really recommend to check the slides and to take some spare time, if you want to improve your r2 skills!
TCP/IP Networking Session
The first day ended with a small party in order to share some drinks ;)
The second day started with a lucky draw in order to win a ticket for the HITB GSEC conference in August. The conference will be held in Singapore from 26th to 30th of August 2019. Unfortunately, we didn’t win a prize this time :(
The second day started with a keynote from Runa Sandvik. She is the Senior Director of Information Security at the New York Times.
The aim of this talk was to present the challenges of enhancing security in the context of journalism. The main points are to secure the newsroom, protect the sources, avoid online threats and harassment.
Compiler Bugs and Bug Compilers
Marion Marschalek started her talk with a quote from Ken Thompson:
To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trut the people who wrote the software
The aim of the talk was to show that compilation process provided by GCC can be easily tampered by an attacker. Indeed, since GCC 4.5, it is possible to plug passes, using plugins, in the compilation process. In short, those plugins are shared objects loaded by GCC as dedicated passes. Marion showed various demos in how it is easy to create a plugin in order to modify the compilation process in order to modify the program’s behavior. In conclusion, take care of your GCC plugins and protect your build environment.
For us, it was the most interesting presentation of the event. The talk started with this quote:
There is no pre-auth RCE in Jenkins since May 2017, but this is the one!
During his talk, Orange Tsai presented how he chained 3 different vulnerabilities in order to obtain pre-auth RCE on Jenkins! No slides are available but all information needed to exploit the vulnerabilities found by Orange Tsai are available on his Github repository:
In addition, we strongly recommend to have a look to the blog posts provided by Orange Tsai on this subject:
And of course, watch the video when it will be available!
I Own Your Building (Management System)
Gjoko Krstic, Senior Security Researcher at Applied Risks, made a research on Building Management Systems (BMS) or also known as Building Automation Systems (BAS).
Gjoko Krstic, Applied Risk Senior ICS/IoT Security Researcher presented "I Own Your Building (Management System)" presentation at @HITBHaxpo, which explored critical vulnerabilities in commonly #BuildingManagement & #AccessControl Systems. See advisories https://t.co/hF2nRnfDrI pic.twitter.com/AXYDe6ihVo— Applied Risk - Critical Infrastructure Made Secure (@AppliedRisk) May 10, 2019
A BMS or a BAS is a computer-based control system installed in buildings that controls and monitors the building’s mechanical and electrical equipment such as ventilation, lighting, power systems, fire systems, and security systems.
He focused his research on different devices such as:
- Computrols CBAS-Web
- Optergy Proton
- Prima Systems FlexAir
- Nortek Linear eMerge 50P/5000
- Nortek Linear eMerge E3
Sadly, he found many critical vulnerabilities allowing unauthenticated remote code execution and also many access control bypasses. Some advisories can be found on their website.
Unfortunately, no slides are available, but a whitepaper will be available on their website, which is expected for June 2019.