As part of my bachelor’s thesis in information technology, published in 2020, I investigated a largely unknown weakness in the Bluetooth Low Energy (BT-LE) pairing process and developed a concept to prove it in practice.
The basis for this is a document by Tomáš Rosa, who claims that the mathematical function used to calculate the confirmation values can be bypassed. As far as my research showed, nobody has addressed this particular issue since Rosa’s document was published in 2013.
In this blog post, I present the results of my thesis in short form. In the end, the vulnerability was exploited in practice, and all tested devices across all BT-LE versions (v4.0 to v5.1) were affected.
Continue reading “Bypass PassKey-Entry Authentication in BT-LE”
The machine Rope2 by r4j is probably (one of) the hardest boxes on HackTheBox.eu, with only 104 system owns after 202 days. The theme of the box is more or less “research”, since it requires (gaining) knowledge in many different fields: browser exploitation, esoteric heap feng shui, and finally Linux kernel exploitation. For me, all three fields were pretty new, so I had a lot to learn (over the course of almost exactly three months).
Continue reading “Write-up: Hack The Box – Rope Two”
Desinfec’t, formerly known as Knoppicillin, is an Ubuntu-based Linux distribution created by the c’t Magazine for Computer Technology. It contains several anti-virus engines (currently ESET, F-Secure, Kaspersky and Sophos), as well as several tools for recovering systems from malware incidents.
Continue reading “Customizing Desinfec’t (and other Linux Live disks)”
We got quite a few cases related to CVE-2019-19781 during the past few weeks.
However, most of the NetScaler VM images we got were acquired after the appliances had been shut down, so we had no RAM image data. Unfortunately, this also implies the loss of the root file system /, as it turned out that the root partition was mounted as a RAM disk.
Continue reading “Investigating: CVE-2019-19781 on Citrix NetScaler appliances”
As in the past few years, the HackingLab team provided the white-hat hacking competition Hackvent in the form of an advent calendar. From December 1st to 24th, a new challenge was released each day that had to be solved in time to score full points. As in past years, the challenges were provided by various community members.
Continue reading “Write-up: Hackvent 2019”
From August 16 to September 27, FireEye’s FLARE team ran the Flare-On challenge for the 6th straight year (see the announcement here). This CTF-style challenge comprises 12 reverse-engineering tasks for different architectures. As in past years, it was a great event with so many new things learned.
Continue reading “Write-up: Flare-On 6”
TL;DR: I started a tad bit late, but managed to solve 11 out of those 12 challenges (after solving “vv_max”, I had 4 hours left to break the last challenge, a malicious Windows driver, which was way too little time 😉).
Not long after I took the “ARM IoT Exploit Laboratory” training by @therealsaumil, the following tweet popped up on my timeline:
Continue reading “Write-up: DVAR ROP Challenge”
The annual Holiday Hack Challenge by SANS and the Counterhack team takes place around Christmas and is always entertaining and great for learning a new trick (or two). This year, the challenge was organized as an online conference called KringleCon: https://holidayhackchallenge.com/2018/, with great talks and a well-thought-out story.
Continue reading “Writeup: KringleCon 2018”
First, this post will not cover the basics of recording macros or the use of session handling rules in BurpSuite; there is plenty of introductory material on the internet. However, by default, Burp is unable to update or modify an HTTP request header using session handling rules and macros: the built-in rules only update cookies and request parameters. This causes problems when you investigate REST APIs or applications that protect requests with one-time CSRF tokens carried in a header. Further, the Portswigger community blog is not very useful for addressing this problem.
Continue reading “BurpSuite – Update HTTP Header in Session Handling Rules”