Leveraging Android Permissions: A Solver Approach
The Android permission management system has already suffered from several vulnerabilities in the past. Such weaknesses can grant dangerous permissions to a malevolent application, an example being CALL_LOG, which gives access to all incoming and outgoing calls.
This post dives into the Android permission system and how a solver was leveraged to find new vulnerabilities. With this approach, a privilege escalation was identified, which was fixed and assigned CVE-2023-20947 by Google.
kSMBd: a quick overview
The Fuzzing Guide to the Galaxy: An Attempt with Android System Services
CVE-2022-39907 and CVE-2022-39908 along the way.
ARM TrustZone: pivoting to the secure world
- Discovery of two vulnerabilities in secure world components
- Exploitation to get code execution in a trusted driver, while not having a debugger for this obscure environment
- Leverage of aarch32 T32 instruction set to find nice stack pivots
- Turning an arbitrary write into an arbitrary code execution
Fuzzing RDPEGFX with "what the fuzz"
Remote Deserialization Bug in Microsoft's RDP Client through Smart Card Extension (CVE-2021-38666)
This is the third installment in my three-part series of articles on fuzzing Microsoft’s RDP client, where I explain a bug I found by fuzzing the smart card extension.
Remote ASLR Leak in Microsoft's RDP Client through Printer Cache Registry (CVE-2021-38665)
This is the second installment in my three-part series of articles on fuzzing Microsoft’s RDP client. I will explain a bug I found by fuzzing the printer sub-protocol, and how I exploited it.
Fuzzing Microsoft's RDP Client using Virtual Channels: Overview & Methodology
This article begins my three-part series on fuzzing Microsoft’s RDP client. In this first installment, I set up a methodology for fuzzing Virtual Channels using WinAFL and share some of my findings.
ECW 2021 - WriteUp
For the European Cyber Week CTF 2021 Thalium created some challenges in our core competencies: reverse and exploitation. This blog post presents some of the write-ups:
- Chest (36 solves) - reverse
- FSB as a service (3 solves) - exploitation
- WYSIWYG (3 solves) - reverse
- Pipe Dream (1 solve) - reverse
- the author posted his solution on his personal blog
Thalium's challenges were solved less often than the others. They were not that difficult, but probably a bit more unexpected. A few additional challenges designed by Thalium are:
NT objects access tracing
SSTIC : how to setup a ctf win10 pwn user environment
Cyber Apocalypse 2021 5/5 - Artillery
Artillery was a web challenge of the Cyber Apocalypse 2021 CTF organized by HackTheBox. We were given the source code of the server to help us solve the challenge. This challenge was a nice opportunity to learn more about XXE vulnerabilities.
Cyber Apocalypse 2021 4/5 - Discovery
One of the least solved challenges, yet probably not the most difficult one. It is a Hardware challenge, though it is significantly different from the other challenges of this category. The first thing to spot is that when starting the challenge machine, we have access to two network services:
- an HTTP server, requesting an authentication
- an AMQP broker, rabbitmq
Cyber Apocalypse 2021 3/5 - Off the grid
Off-the-grid was the 4th hardware challenge of the Cyber Apocalypse 2021 CTF organized by HackTheBox. We were given a Saleae trace and schematics to analyse. Thalium was one of the very first of 99 players to complete it.
Cyber Apocalypse 2021 2/5 - Wii-Phit
Wii-Phit was the only Hard crypto challenge designed by CryptoHack for the Cyber Apocalypse 2021 CTF (there were also 4 challenges categorized as Insane though).
There is already an excellent writeup by the challenge organizers: one could recognize a well known equation related to the Erdős–Straus conjecture, some participants used Z3. We took a different approach.
Cyber Apocalypse 2021 1/5 - PWN challenges
Thalium participated in the Cyber Apocalypse 2021 CTF organized last week by HackTheBox. It was a great success with 4,740 teams composed of around 10,000 hackers from all over the world. Our team finished in fifth place and solved sixty out of the sixty-two challenges:
This article explains how we solved each pwn challenge and what tools we used; it is written to be accessible to beginners:
Windows Memory Introspection with IceBox
Getting Started with Icebox VMI