Leon Jacobs
sensecon 2021 – wargames edition
If last year taught us anything, it was that we can move quickly to organise a fully online hacker conference in little over a month. This year our annual, internal hacker conference ran from the 16th to the 18th of September, was attended by 102 hackers from 9 countries across 2 timezones, and was once again filled with epic hacks and laughs! In this post I’ll tell you more about the run up and execution of our internal SenseCon 2021! Some of this year’s challenges are available to play for a limited time on our Orange Cyberdefense Hacker Discord server as well. You can join using this link: https://discord.gg/yhfPKyBGbp.
blackhat_defcon_virtual_vegas_2021.zip
Phew! This year’s hacker summer camp is packed with presentations from several hackers across the globe at Orange Cyberdefense. I can’t possibly go into all of the many details, but hope to give a somewhat compressed view of the highlights!
This year we have a total of 10 representations. Four of those are DEF CON 29 talks, where two are main stage talks, one a demo labs talk and one a radio frequency village talk. On the training side of things, we’re delivering five courses at BlackHat USA 21, and one course at Ringzer0. I’ve been fortunate enough to see the behind the scenes preparation that goes into these and can’t wait for the world to see and experience them too!
on ios binary protections
I just got off a call with a client, and realised we need to think about how we report binary protections a bit more. More specifically the ios info binary command in objection. They can be a pain to explain if not well understood, and even harder to remediate! Binary protections make exploitation attempts much harder so, naturally we want all of them on. However, as you’d see in this article, not everything can always be enabled and sometimes it’s hard to understand why.
dwn – a docker pwn tool manager experiment
Years ago I learnt docker basics because I just couldn’t get that $ruby_tool to install. The bits of progress I’d make usually left my host’s ruby install in shambles. With docker though, I had quick reproducible build & run environments I could clean up easily without leaving a mess behind. The more I used docker, the more I’ve come to love it, and today it’s become a natural part of my daily workflow. It’s not without its flaws though, so in this post I want to show you an experiment of mine where I tried to write a docker pwn tool manager. A “docker-compose for hackers” if you will, called dwn (/don/). You can find it here: https://github.com/sensepost/dwn.
sconwar – sensecon 2020
Much like other events in 2020, our annual internal hackathon took a remote format this year, sporting over 120 hackers from across the globe. We had many challenges available during the conference which included a password cracking challenge, a discord bot challenge and a programming challenge. This post will talk about the programming challenge called sconwar. You can get the source code for it here.
incubation Admittedly I was really nervous about the idea for a hacker hackathon in general, but we can only become better hackers by understanding technologies better, more specifically, understanding them by using them. I often hear people say they want to get into programming, for which there are many options, but more often that not the drive ends with “well, what do I code?”.
sensecon 2020 ex post facto
When we finally decided on a date, sensecon 2020 was little over a month away. Unlike our public client events, internally sensecon is a three day conference filled with trainings, a hackathon and a ton of fun. Traditionally we would have had the hackathon in person, but this year our only option was to do it remotely. Overall we had a blast, both in the preparation phase but also during the conference. It was the largest one we had to date, consisting of over 120 Orange Cyberdefense hackers from 8 countries around the globe! This blog post will be a reflection on these three days filled with incredibly exciting hacks, talking about how we got there, how it went and what we had learned along the way. All while I recover from a little sleep deprivation.
building a hipster-aware pi home server
The end of the year is getting closer, fast, so I figured it was a perfect time to talk about my side project from last year. In this post I want to walk you through setting up a Raspberry Pi as a home server with all of your services running in docker containers with valid Let’s Encrypt certificates without exposing the Pi to the Internet. We will be setting up a myriad of services such as Pihole, SmokePing and Grafana as well as WireGuard for remote access, so buckle up!
Hacking doom for fun, health and ammo
Remember iddqd and idkfa? Those are two strings were etched into my brain at a very young age where fond memories of playing shareware Doom live. For SenseCon ’19, Lauren and Reino joined me as we dove into some reversing of chocolate-doom with the aim of recreating similar cheats. The results? Well, a video of it is shown below. We managed to get cheats working that would:
Increment your ammo instead of decrement it.Increment everyone’s health for the amount it would have gone down for. Yes, you read right, everyone.Toggle cheats just like how they behaved in classic doom. The source code for our cheats live here if you want to play along, or maybe even contribute new ones :)
mettle your ios with frida
For a long time I have wondered about getting Meterpreter running on an iOS device using Frida. It wasn’t until I had a Twitter conversation with @timwr that I was reminded of Mettle. It was finally time to give it a try. I built an objection plugin that would load it for you, which you can find here. My talk at DEF CON 27 mainly covered some ideas on how we could interact with live object instances in interesting ways. However, there were also some examples of how we could use Frida’s Module.load() API to side load existing external tooling that come in the form of shared libraries (either by default or wrapping them ourselves). With Mettle targeting low-resource or embedded devices, its native code approach meant it also supported iOS. So if we could get a compiled Mettle dylib, we could load it with Frida. You don’t need Frida to load a dylib of course. Using something like insert_dylib would work just as well. The nice thing about using something like Frida though is that we have some external control over the loading process and any post processing that we may need.
recreating known universal windows password backdoors with Frida
tl;dr I have been actively using Frida for little over a year now, but primarily on mobile devices while building the objection toolkit. My interest in using it on other platforms has been growing, and I decided to play with it on Windows to get a feel. I needed an objective, and decided to try port a well-known local Windows password backdoor to Frida. This post is mostly about the process of how Frida will let you quickly investigate and prototype using dynamic instrumentation.