Wednesday, May 31, 2023

Blockchain Decentralized Application Hacking Course Part 2 - A Continuation Into Smart Contract Hacking And DApp Penetration Testing (Web 3) With Python

New Course Announcement: Python Based Blockchain Hacking, Smart Contract Exploitation and Automation


Twitter: https://twitter.com/ficti0n
Website: http://cclabs.io

This is the course announcement for part 2 of our smart contract hacking journey. This time we pick up where we left off, leveraging frameworks, automation and other tools. We start out by learning all the ways to interact with things programmatically with Python, then automate it, attack it, and get into all kinds of other things you have not seen before...

Note: This is NOT a re-hash of old material, NOR is it an update of the previous course. This is all new material, and the old course stands on its own as a prerequisite to this course. Basic Python scripting knowledge is also required to follow along.

This course has 3 sections:

  1. Web3.py in depth, Manual attacks and interactions
  2. Automation, Frameworks, Fun things and Automated Attacks
  3. Forensics and DEFI Attacks, Blockchain IDS and information gathering


Here is the course intro overview outline:


Here is the overview of Section 1, which covers in-depth Web3.py basics:




Other videos to follow...

To keep up to date, follow this playlist and follow on Twitter:

https://www.youtube.com/playlist?list=PLCwnLq3tOElrubfUWHa1qKrJv1apO8Aag


Ransomware.OSX.KeRanger Samples


Research: New OS X Ransomware KeRanger Infected Transmission BitTorrent Client Installer by Claud Xiao

Sample credit: Claud Xiao


File information

SHA256: d1ac55a4e610380f0ab239fcc1c5f5a42722e8ee1554cba8074bbae4a5f6dbe1
MD5:    1d6297e2427f1d00a5b355d6d50809cb
File:   Transmission-2.90.dmg

SHA256: e3ad733cea9eba29e86610050c1a15592e6c77820927b9edeb77310975393574
MD5:    56b1d956112b0b7bd3e44f20cf1f2c19
File:   Transmission

SHA256: 31b6adb633cff2a0f34cefd2a218097f3a9a8176c9363cc70fe41fe02af810b9
MD5:    14a4df1df622562b3bf5bc9a94e6a783
File:   General.rtf

SHA256: d7d765b1ddd235a57a2d13bd065f293a7469594c7e13ea7700e55501206a09b5
MD5:    24a8f01cfdc4228b4fc9bb87fedf6eb7
File:   Transmission2.90.dmg

SHA256: ddc3dbee2a8ea9d8ed93f0843400653a89350612f2914868485476a847c6484a
MD5:    3151d9a085d14508fa9f10d48afc7016
File:   Transmission

SHA256: 6061a554f5997a43c91f49f8aaf40c80a3f547fc6187bee57cd5573641fcf153
MD5:    861c3da2bbce6c09eda2709c8994f34c
File:   General.rtf




NcN 2015 CTF - theAnswer Writeup


1. Overview

It is an ELF32 static, stripped binary, but the good news is that it was compiled with gcc, so there are no shitty runtimes and libs to fingerprint, just libc ... and libpthread.
This binary was written by Ricardo J Rodrigez.

When executed, it seems to be computing the flag:


But this process never ends .... let's see what strace says:


There is a thread deadlock; a good starting point may be looking at the xrefs to 0x403a85 in IDA.
Maybe we can think of an encrypted flag that is not being decrypted because of the lock.

This can be solved in two ways:

  • static: understanding the cryptosystem and programming our own decryptor
  • dynamic: fixing the binary and running it (hard: antidebug, futex, rands ...)


At first sight I thought the dynamic approach would be quicker, but it turned out to be more complex than the static approach.


2. Static approach

Crawling the xrefs to the futex, it is possible to locate the main:



With libc/libpthread function fingerprinting or a bit of manual work, we have the symbols. Here is the main, where 255 threads are created and joined; when the threads end, the xor key is calculated and print_flag is called:



The thread code is passed to libc_pthread_create; IDA recognizes this area as data, but it can be selected as code and defined as a function.

This is the thread code decompiled, where we can observe two infinite loops for ptrace and preload detection (although the binary is static). These antidebug/antihook tricks are easy to spot at this point.


We have to observe the important thing: is the key random? Well, with the same seed the random sequence will be the same, so the key is "hidden" in the predictability of rand().

If the threads are not executed in creation order, the key will be wrong, because it is xored with th_id, the identifier of the current thread.

The print_key function xors the key with the flag ciphertext byte by byte.


And here we have the seed and the first bytes of the ciphertext:



With radare we can convert this to a C variable quickly:


And here is the flag ciphertext:


And with some radare magic, we have the C initialized array:


radare is full featured :)

With a bit of rand() calibration, here is the solution ...



The code:
https://github.com/NocONName/CTF_NcN2k15/blob/master/theAnswer/solution.c
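The following is an added example, not the author's solution.c and not code from the CTF binary. It reconstructs the scheme the writeup describes (a key stream drawn from a seeded rand(), xored with the creating thread's id, then xored byte by byte with the ciphertext) on constructed values: SAMPLE_FLAG, SAMPLE_SEED and SAMPLE_SKIP are made up, and the exact key schedule (one rand() per thread, th_id xored in) is an assumption. The `skip` parameter models the rand() calibration the writeup mentions: every rand() consumed before the key loop, such as the sleep(randInt(1,3)) in the thread, shifts the key stream, and a seed off by one (the fd anti-debug's seed+=1) gives garbage too.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NTHREADS 255          /* threads created and joined by main, per the writeup */
#define SAMPLE_SEED 0x2015u   /* hypothetical seed; the real one lives in the binary */
#define SAMPLE_SKIP 1         /* hypothetical: rand() calls consumed before the key loop */

/* Constructed flag, used only to build a self-consistent sample ciphertext. */
static const char SAMPLE_FLAG[] = "NcN{sample_flag_not_the_real_one}";
#define FLAG_LEN (sizeof(SAMPLE_FLAG) - 1)

/* Assumed key schedule: seed the PRNG, burn `skip` outputs (the calibration
 * step), then thread i in creation order takes one rand() and xors in its th_id.
 * Same seed and same number of calls => same key, which is the whole weakness. */
void derive_key(unsigned int seed, unsigned int skip, unsigned char *key, size_t n)
{
    srand(seed);
    for (unsigned int s = 0; s < skip; s++)
        (void)rand();
    for (size_t i = 0; i < n; i++) {
        unsigned char th_id = (unsigned char)((i % NTHREADS) + 1);
        key[i] = (unsigned char)(rand() & 0xff) ^ th_id;
    }
}

/* print_flag-style byte-wise xor; the same routine encrypts and decrypts. */
void xor_bytes(const unsigned char *in, const unsigned char *key,
               unsigned char *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key[i];
}

/* Build the constructed ciphertext with the known-good seed and skip count. */
void make_sample_ciphertext(unsigned char *ct)
{
    unsigned char key[FLAG_LEN];
    derive_key(SAMPLE_SEED, SAMPLE_SKIP, key, FLAG_LEN);
    xor_bytes((const unsigned char *)SAMPLE_FLAG, key, ct, FLAG_LEN);
}

/* Try to recover the flag with a candidate (seed, skip); returns 1 on success.
 * Wrong seed or wrong skip count => wrong key stream => garbage plaintext. */
int recover_flag(unsigned int seed, unsigned int skip, char *out)
{
    unsigned char ct[FLAG_LEN], key[FLAG_LEN];
    make_sample_ciphertext(ct);
    derive_key(seed, skip, key, FLAG_LEN);
    xor_bytes(ct, key, (unsigned char *)out, FLAG_LEN);
    out[FLAG_LEN] = '\0';
    return memcmp(out, SAMPLE_FLAG, FLAG_LEN) == 0;
}

/* Convenience wrapper: does this (seed, skip) pair reproduce the flag? */
int seed_recovers_flag(unsigned int seed, unsigned int skip)
{
    char out[FLAG_LEN + 1];
    return recover_flag(seed, skip, out);
}

int main(void)
{
    char flag[FLAG_LEN + 1];
    int ok = recover_flag(SAMPLE_SEED, SAMPLE_SKIP, flag);
    printf("correct seed/skip: %d  %s\n", ok, flag);
    printf("seed+1 (anti-debug fired): %d\n", seed_recovers_flag(SAMPLE_SEED + 1, SAMPLE_SKIP));
    printf("one extra rand() consumed: %d\n", seed_recovers_flag(SAMPLE_SEED, SAMPLE_SKIP + 1));
    return 0;
}
```

The caveat for a real target is that rand() sequences are libc-specific: a decryptor must use the same libc family (here glibc, since the binary is static and gcc-built) and the exact count of rand() calls the binary makes before the key loop, which is what "calibration" means in the writeup.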





3. The Dynamic Approach

First we have to patch the anti-debugs. At the beginning of the thread there are two evident anti-debugs (well, an anti preload hook and an anti ptrace debugging check); the infinite loop also makes the anti-debug more evident:



There is also a third anti-debug, a bit more silent: it detects a debugger through the first available descriptor, and here comes the fucking part: it doesn't crash the execution, the execution continues, but the seed is modified a bit, so the decryption key will not be ok.





Ok, the seed is incremented by one. This could be a normal program feature, but it is only triggered if fileno(open("/","r")) > 3, which is a well known anti-debug that can also be seen from a traced execution.

Ok, just a one byte patch: seed+=1 to seed+=0 (add eax, 1 to add eax, 0)

before:


after:



To patch the two infinite loops, just nop the two bytes of each jmp $-0.
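As an added example (not the author's patch and not the CTF binary's bytes), here is the verify-then-write discipline behind the two patches above, run over a constructed byte buffer: `add eax, 1` is `83 C0 01` and becomes `83 C0 00`, and each `jmp $` (`EB FE`) becomes two nops. The offsets 0, 4 and 8 are properties of the constructed buffer only; in practice they come from the addresses found in IDA. The check that the expected bytes are really there before writing is what keeps a patch from silently corrupting a different build.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the thread's code bytes (not the CTF binary):
 *   offset 0: add eax, 1   (83 C0 01)  -- the seed increment
 *   offset 3: nop          (90)
 *   offset 4: jmp $        (EB FE)     -- first self-loop
 *   offset 6: xor eax, eax (31 C0)
 *   offset 8: jmp $        (EB FE)     -- second self-loop */
unsigned char sample_code[] = {
    0x83, 0xC0, 0x01,
    0x90,
    0xEB, 0xFE,
    0x31, 0xC0,
    0xEB, 0xFE,
};

/* Verify-then-write: patch only if the bytes at `off` are what the
 * disassembly said they were. Returns 1 on success, 0 if the bytes differ
 * (wrong offset, wrong build) or the patch would run past the buffer. */
int patch_at(unsigned char *code, size_t n, size_t off,
             const unsigned char *expect, const unsigned char *repl, size_t len)
{
    if (off > n || len > n - off)
        return 0;
    if (memcmp(code + off, expect, len) != 0)
        return 0;
    memcpy(code + off, repl, len);
    return 1;
}

/* jmp $ (EB FE) -> two nops (90 90) */
int nop_self_jump(unsigned char *code, size_t n, size_t off)
{
    static const unsigned char expect[] = {0xEB, 0xFE};
    static const unsigned char repl[]   = {0x90, 0x90};
    return patch_at(code, n, off, expect, repl, sizeof expect);
}

/* add eax, 1 (83 C0 01) -> add eax, 0 (83 C0 00): the one-byte seed patch */
int zero_seed_increment(unsigned char *code, size_t n, size_t off)
{
    static const unsigned char expect[] = {0x83, 0xC0, 0x01};
    static const unsigned char repl[]   = {0x83, 0xC0, 0x00};
    return patch_at(code, n, off, expect, repl, sizeof expect);
}

/* Apply the three patches at the offsets the (constructed) disassembly gave;
 * returns how many were applied, 3 when every expected byte matched. */
int apply_sample_patches(unsigned char *code, size_t n)
{
    int applied = 0;
    applied += zero_seed_increment(code, n, 0);
    applied += nop_self_jump(code, n, 4);
    applied += nop_self_jump(code, n, 8);
    return applied;
}

int main(void)
{
    int applied = apply_sample_patches(sample_code, sizeof sample_code);
    printf("patches applied: %d of 3\n", applied);
    for (size_t i = 0; i < sizeof sample_code; i++)
        printf("%02X ", sample_code[i]);
    printf("\n");
    return 0;
}
```

Running the same patch set a second time applies nothing, because the expected bytes are no longer present; that is the behaviour you want from a patch script that may be re-run against an already modified copy.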



Ok, but repairing this binary is harder than building a decryptor; we need to fix more things:

  • The sleep(randInt(1,3)) at the beginning of the thread, to execute the threads in the correct order
  • Modify the pthread_cond_wait to avoid the futex()
  • We also need to calibrate the rand() to get the key (just patch the sleep and add another rand() before the pthread_create loop)

Adding the extra rand() can be done with a patch, because from gdb it is not possible to call rand() in this binary.

With these modifications, the binary will print the key by itself.
