πŸ”’
There are new articles available, click to refresh the page.
βœ‡ THALIUM

Remote ASLR Leak in Microsoft's RDP Client through Printer Cache Registry (CVE-2021-38665)

β€”

This is the second installment in my three-part series of articles on fuzzing Microsoft’s RDP client. I will explain a bug I found by fuzzing the printer sub-protocol, and how I exploited it.

βœ‡ THALIUM

Remote Deserialization Bug in Microsoft's RDP Client through Smart Card Extension (CVE-2021-38666)

β€”

This is the third installment in my three-part series of articles on fuzzing Microsoft’s RDP client, where I explain a bug I found by fuzzing the smart card extension.

βœ‡ THALIUM

Join Us

β€”
Offres Thalium Dans le cadre de nos travaux R&D ou pour nos besoins clients, l’équipe Thalium dΓ©veloppe son expertise autour des domaines suivants : Recherche et exploitation de vulnΓ©rabilitΓ©s Fuzzing DΓ©veloppements kernel / userland Connaissance de la menace et investigation numΓ©rique Et ce sur de multiples plateformes : Windows, Linux, macOS Android, iOS, IOT Intel, ARM Pour rΓ©pondre aux challenges de plus en plus nombreux, nous recherchons continuellement de nouveaux experts pour nos Γ©quipes Reverse, DΓ©veloppements ou encore Forensics.
βœ‡ THALIUM

Fuzzing Microsoft's RDP Client using Virtual Channels: Overview & Methodology

β€”

This article begins my three-part series on fuzzing Microsoft’s RDP client. In this first installment, I set up a methodology for fuzzing Virtual Channels using WinAFL and share some of my findings.

βœ‡ THALIUM

ECW 2021 - WriteUp

β€”

For the European Cyber Week CTF 2021 Thalium created some challenges in our core competencies: reverse and exploitation. This blog post presents some of the write-ups:

Thalium’s challenges have been less resolved than others. They were not that difficult, but probably a bit more unexpected. A few additional challenges designed by Thalium are:

βœ‡ THALIUM

NT objects access tracing

β€”
Draw me a map As homework during the lockdown, I wanted to automate the attack surface analysis of a target on Windows. The main objective was to construct a view of a software architecture to highlight the attack surface (whether remote or local). The software architecture can be composed of several elements: processes privileges ipc etc Usually, software architecture analysis is done with tools that give a view at a specific time (ProcessHacker, WinObjEx, etc).
βœ‡ THALIUM

SSTIC : how to setup a ctf win10 pwn user environment

β€”
Introduction This post aims to present how to easily setup a lightweight secure user pwning environment for Windows. From your binary challenge communicating with stdin/stdout, this environment provides a multi-client broker listening on a socket, redirecting it to the IO of your binary, and executing it in a jail. This environment is mainly based on the project AppJaillauncher-rs from trailofbits, with some security fixes and some tips to easily setup the RW rights to the system files from the jail.
βœ‡ THALIUM

Cyber Apocalypse 2021 3/5 - Off the grid

β€”

Off-the-grid was the 4th hardware challenge of the Cyber Apocalypse 2021 CTF organized by HackTheBox. We were given an Saleae trace and schematics to analyse. Thalium was one of the very first of 99 players to complete it.

βœ‡ THALIUM

Cyber Apocalypse 2021 5/5 - Artillery

β€”

Artillery was a web challenge of the Cyber Apocalypse 2021 CTF organized by HackTheBox. We were given the source code of the server to help us solve the challenge. This challenge was a nice opportunity to learn more about XXE vulnerabilities.

βœ‡ THALIUM

Cyber Apocalypse 2021 1/5 - PWN challenges

β€”

Thalium participated in the Cyber Apocalypse 2021 CTF organized last week by HackTheBox. It was a great success with 4,740 teams composed of around 10,000 hackers from all over the world. Our team finished in fifth place and solved sixty out of the sixty-two challenges:

fig_scoreboard

This article explains how we solved each pwn challenge and what tools we used, it is written to be accessible to beginners:

βœ‡ THALIUM

Cyber Apocalypse 2021 4/5 - Discovery

β€”

One of the least solved challenges, yet probably not the most difficult one. It is a Hardware challenge, though it is significantly different from the other challenges of this category. The first thing to spot is that when starting the challenge machine, we have access to two network services:

  • an HTTP server, requesting an authentication
  • an AMQP broker, rabbitmq
βœ‡ THALIUM

Cyber Apocalypse 2021 2/5 - Wii-Phit

β€”

Wii-Phit was the only Hard crypto challenge designed by CryptoHack for the Cyber Apocalypse 2021 CTF (there were also 4 challenges categorized as Insane though).

There is already an excellent writeup by the challenge organizers: one could recognize a well known equation related to the ErdΕ‘s–Straus conjecture, some participants used Z3. We took a different approach.

βœ‡ THALIUM

Windows Memory Introspection with IceBox

β€”
Virtual Machine Introspection (VMI) is an extremely powerful technique to explore a guest OS. Directly acting on the hypervisor allows a stealth and precise control of the guest state, which means its CPU context as well as its memory. Basically, a common use case in VMI consists in (1) setting a breakpoint on an address, (2) wait for a break and (3) finally read some virtual memory. For example, to simply monitor the user file writing activity on Windows, just set a breakpoint on the NtWriteFile function in kernel land.
βœ‡ THALIUM

Getting Started with Icebox VMI

β€”
Icebox is a VMI (Virtual Machine Introspection) framework enabling you to stealthily trace and debug any kernel or user code system-wide. All Icebox source code can be found on our github page. Try Icebox Icebox now comes with full Python bindings enabling fast prototyping on top of VMI, whether you want to trace a user process or inspect the kernel internals. The core itself is in C++ and exposes most of its public functions into an icebox Python 3 module.
  • There are no more articles
❌