Google CTF 2020 Pasteurize Web Challenge Write Up

This is the write-up for the Pasteurize challenge from Google CTF 2020, from the perspective of someone who does not routinely do CTFs. A friend of mine teamed up with me, and even though we did not get very far, we had fun and learned something.

Challenge description

In this challenge we get a URL, https://pasteurize.web.ctfcompetition.com/, and a description that says: "This doesn't look secure. I wouldn't put even the littlest secret in here. My source tells me that third parties might have implanted it with their little treats already. Can you prove me right?" On this website, we can...

Analysis of a Scam: Fake Telegram Client (BlackGram)

I'm officially contributing to the telescam.ir project, where we analyze the growing trend of Android malware and scam campaigns spreading via the Telegram messenger in Iran. Since Telegram is the dominant messaging application used by Iranians, scammers have built their tools and services on top of this infrastructure. We have observed scam campaigns where they take your money but don't deliver the service they promised, and we have also observed cases where various social engineering techniques are used to get access to victims' contacts or to add them to advertisement channels. These guys are operating channels with 170,000+ members, and using...

Never Trust Untrusted SSL Certificates, XSS in Certcc SSLCheck subdomain

In this blog post I'm going to discuss the XSS vulnerability that I found in sslcheck.certcc.ir. Certcc has developed its own SSL configuration assessment service (like SSLLabs.com). The good point about this is that websites that are only reachable from Iranian IP addresses can be tested using this service. While playing around with this website to see how it compares with SSLLabs.com, I found out that it gives you more options, like entering IP addresses, testing custom ports, and testing other services that use SSL/TLS such as SMTP, IMAP and POP3. There was a part of...

Easy Money, As Simple As An Android Scam!

The story: Smelly Smelly APK

One of my colleagues came to me with an APK (Android application package); he said he couldn't make it work on his Genymotion emulator, but he was 100% certain it was Iranian malware. Based on his observation, the person behind this application was spending more than $500 daily to spread it on public Telegram channels; he was basically paying the administrators of channels with huge numbers of members to advertise and spread his application. A non-exhaustive list of the channels we observed is provided at the end of this post (note that channel moderators remove the...

Generating the Exploit for OpenSSL 1.1.0a, b CVE-2016-7054 Part 2/3

OpenSSL 1.1.0a, b Vulnerability

Continuing from the previous post: now that we know what MACs are and how they work in the TLS protocol, we can move ahead and analyze the OpenSSL 1.1.0a and 1.1.0b heap overflow vulnerability. To exploit this vulnerability (CVE-2016-7054) we need to negotiate a ChaCha20-Poly1305 cipher suite with the server and send a record with a bad MAC. Let us first set up a server running OpenSSL 1.1.0a.

Setting Up OpenSSL 1.1.0a

We can download the desired version from https://www.openssl.org/source/old/1.1.0/. After decompressing the archive we configure the package, but since we don't want it to overwrite our currently installed...
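The "bad MAC" in the attack above is a Poly1305 tag that does not match the record. The following is an added example (written for this page, not code from the original post or from OpenSSL) that computes a Poly1305 tag in pure Python exactly as RFC 8439 specifies it, checks it against the RFC's own published test vector, and shows how a forged or corrupted tag is rejected by a constant-time comparison. In TLS the 32-byte one-time key is derived per record from the ChaCha20 keystream; here the key and message are taken directly from the RFC, and the vulnerable OpenSSL decryption path itself is not reproduced.

```python
import hmac

# Poly1305 constants from RFC 8439 section 2.5.1
P = (1 << 130) - 5                                  # the prime 2^130 - 5
CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF          # mask applied to r


def poly1305_tag(key: bytes, msg: bytes) -> bytes:
    """Compute the 16-byte Poly1305 one-time tag of msg under a 32-byte key.

    Pure-Python reference implementation for study; it is neither fast nor
    side-channel free and must not be used in place of a real library.
    """
    if len(key) != 32:
        raise ValueError("Poly1305 requires a 32-byte one-time key")
    r = int.from_bytes(key[:16], "little") & CLAMP   # evaluation point
    s = int.from_bytes(key[16:], "little")           # additive blinding term
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        # The 0x01 pad byte is appended after the (possibly short) block so that
        # a message ending in zero bytes still produces a distinct tag.
        n = int.from_bytes(block + b"\x01", "little")
        acc = ((acc + n) * r) % P
    acc = (acc + s) & ((1 << 128) - 1)               # keep the low 128 bits
    return acc.to_bytes(16, "little")


def tag_is_valid(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Verify a received tag without leaking its position of first mismatch."""
    return hmac.compare_digest(poly1305_tag(key, msg), tag)


# Published test vector from RFC 8439 section 2.5.2 (real values, not constructed).
RFC_KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a8" "0103808afb0db2fd4abff6af4149f51b"
)
RFC_MSG = b"Cryptographic Forum Research Group"
RFC_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")


def demo() -> dict:
    """Compute the RFC tag, then try the two ways a record can arrive with a bad MAC."""
    good = poly1305_tag(RFC_KEY, RFC_MSG)
    # Constructed corruptions: one flipped tag bit, and one altered ciphertext byte.
    flipped_tag = bytes([good[0] ^ 0x01]) + good[1:]
    altered_msg = RFC_MSG[:-1] + bytes([RFC_MSG[-1] ^ 0x80])
    return {
        "tag_hex": good.hex(),
        "matches_rfc": good == RFC_TAG,
        "good_accepted": tag_is_valid(RFC_KEY, RFC_MSG, good),
        "flipped_tag_accepted": tag_is_valid(RFC_KEY, RFC_MSG, flipped_tag),
        "altered_msg_accepted": tag_is_valid(RFC_KEY, altered_msg, good),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A receiver that follows the AEAD contract checks the tag before acting on the plaintext; a single flipped bit in either the tag or the ciphertext is enough to make verification fail, which is the condition the exploit deliberately provokes.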

Client Certificate Authentication, Configuring IIS To Authenticate Users Via Hardware Tokens

Preface

What is PKI? Wikipedia says: "A Public Key Infrastructure (PKI) is a set of roles, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption." Is PKI all about public key cryptography? Not exactly; the emphasis is more on policies and procedures than on the technology and math. OK, what does this PKI thing look like? The system consists of different parties, namely the Certificate Authority (CA), the Registration Authority (RA) and the Validation Authority (VA). These roles aren't mutually exclusive; one party can be the CA and the VA at...
