Compiling exploit 764.c in 2017 (using libssl-dev 1.1.0f)

One of the popular boot-to-root VMs has an exploit (764.c) which doesn’t compile so well in modern Kali, producing the errors:

764d.c:643:24: error: ‘SSL2_MAX_CONNECTION_ID_LENGTH’ undeclared here (not in a function)
764d.c:651:2: error: unknown type name ‘RC4_KEY’
764d.c:652:2: error: unknown type name ‘RC4_KEY’
764d.c:844:7: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764d.c:845:19: error: ‘SSL2_MT_ERROR’ undeclared (first use in this function)
764d.c:882:2: error: unknown type name ‘MD5_CTX’
764d.c:887:23: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764d.c:977:16: error: ‘SSL2_MT_SERVER_HELLO’ undeclared (first use in this function)
764d.c:1069:10: error: dereferencing pointer to incomplete type ‘EVP_PKEY {aka struct evp_pkey_st}’
764d.c:1106:2: error: unknown type name ‘MD5_CTX’
764d.c:1111:42: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764d.c:1127:23: error: ‘RC4_KEY’ undeclared (first use in this function)
764d.c:1127:31: error: expected expression before ‘)’ token
764d.c:1131:32: error: expected expression before ‘)’ token
764d.c:1146:16: error: ‘SSL2_MT_SERVER_VERIFY’ undeclared (first use in this function)
764d.c:1158:11: error: ‘SSL2_MT_CLIENT_FINISHED’ undeclared (first use in this function)
764d.c:1171:16: error: ‘SSL2_MT_SERVER_FINISHED’ undeclared (first use in this function)

Read More

AWS Lambda Mischief

After attending a great talk by @marcoslaviero about AWS cloud security and persisting your access through AWS Lambda and EC2, I realised there was another nasty way to “inject” malicious code into an account and execute it on demand (or have it executed for you)… by inserting it as a “version” of an existing Lambda function, and restoring that Lambda’s functionality. Again, this assumes you have already compromised the AWS account.

Given an existing Lambda function (e.g. “hypn-lambda-mischief” below):

Read More

Misc binaries for *nix

I’ve been doing some boot-to-root VMs lately and some of the classics are quite old, with Kioptrix: Level 1 going all the way back to 2010. While the puzzles and exploits still hold up, it’s not always easy to get hold of tooling – especially newer stuff like “socat” – for these older distros.

For that reason I’ve compiled a bunch of variants of busybox, netcat, and socat for different architectures and distros (mostly older Debian) and put them up on GitHub: https://github.com/hypn/misc-binaries. While you definitely shouldn’t download and run executable files a stranger told you to, they will likely help you upgrade your reverse shells in VMs should you choose to use them.

Read More

Compiling binaries for different CPU architectures using Docker

If you’re running on a 64-bit CPU but need to compile some code to 32-bit, you can usually get away with doing:

gcc <filename.c> -o <filename> -m32

or in the case of “configure” and “make” you can probably go with:

./configure --build=i686-pc-linux-gnu "CFLAGS=-m32"

Unless of course you’re greeted with this error:

Read More

Running Kioptrix: Level 1 (and others?) in VirtualBox

The “Kioptrix” boot-to-root VMs are some of the most popular hacking challenges but are intended for use with VMware. If your choice of virtualization is VirtualBox you can choose to mount the VMDK disk image of “Kioptrix: Level 1 (#1)” but will likely end up with a kernel panic. To get it working in VirtualBox do the following:

Read More

ASCII Skulls

I needed an ASCII Skull for… err… reasons, so decided to post the best ones I could find here. Unfortunately nearly all of them are on multiple websites without any credit to the authors, so if you made them or know who did I’ll happily give credit where credit is due.

Read More

Alpine Linux as a Docker host and portable dev VM

I’m a fan of Docker – especially for software development, allowing me to switch machines or operating systems and not have to spend hours re-configuring them to have the same services and configuration. There’s a growing trend to use Alpine Linux for Docker containers, rather than something like Ubuntu, because it has a smaller footprint (making it faster to download and more convenient for smaller, such as solid state, drives).

While all the operating systems I switch between (Linux, Mac and Windows) can run Docker and thus let me easily run my code, I’ve found there’s still a lot of config I want to keep bundled together but would prefer to keep out of “the cloud” – stuff like AWS environment variables, bash history and various utility scripts. I’ve settled on using a (previously Ubuntu) VM as the Docker host and file server, with Samba providing file sharing access so I can edit code in a native editor (Sublime). All I need is an operating system that can run VirtualBox and an SSH client and I’m “home”, able to dev and commit code with everything where I left it. I also don’t have to juggle SSH keys (either for connecting out or authorized keys for connecting in) or guess what IP my host is running on (the VM’s MAC address and IP config remain fixed across machines).

Read More

The death of a hard drive, and eBay shopping…

Just weeks out of warranty my Western Digital Green 2TB hard drive died. Here are some of my thoughts and findings while trying to find a new replacement drive.

The Western Digital Green drives, which are supposed to be “energy efficient” and “quiet”, have a bit of a poor track record. It seems the drive powers down when not in use, and spins back up when you access it (but this causes a delay). All this stopping and starting is likely a cause of some wear and tear. I won’t be buying one again.

BackBlaze (a “cloud backup” provider) publish “Hard Drive Reliability” stats which show “HGST” hard drives as one of the most reliable. Unfortunately HGST are now owned by Western Digital, but there is hope… “In May 2012, WD divested to Toshiba assets that enabled Toshiba to manufacture and sell 3.5-inch hard drives for the desktop”. Apart from this the Toshiba drives fare rather well anyway… so my next drive will be a Toshiba 3.5″.

Read More

Custom ROMS on the NES Classic Mini

(If you’ve used the older method below – “hakchi 1” – make sure you backup your “dump” folder which should contain your original kernel files)

Dumping your kernel:
(this is a relatively safe step – at least for your NES Classic – as it only reads from it)

  • Download “hakchi2”
  • Run hakchi2, from the menu select “Kernel” and “Dump kernel” (say “yes” when asked if you’re sure, and follow the instructions it gives)
  • Once you’ve held down reset and pressed the power like the instructions tell you to, it should automatically start dumping your kernel
  • Do yourself a favour and backup the “dump” folder created in the “hakchi2” folder – this contains your original firmware which can be used later to reset/fix your NES Classic
  • If you get a “Kernel dumped but MD5 checksum is unknown: {0} xxxxxxxxxxxxxxxxxxxx. Maybe kernel already patched or it’s unknown revision.” error, it’s probably best not to continue (unless you used the older method below in which case you should be able to copy that “dump” folder of the hakchi2 “dump” folder and choose “Kernel” -> “Flash original kernel” to reset your device to the original firmware)

Read More

SANS Holiday Hack 2016

It all starts on https://holidayhackchallenge.com/2016/ – where we’re shown Santa Claus’s business card, told the story, and asked to solve some questions/challenges.

Part 1: A Most Curious Business Card

1) What is the secret message in Santa’s tweets?
2) What is inside the ZIP file distributed by Santa’s team?

We’re told to look at Santa’s business card, and enter the game, then answer the questions:


Read More