Tag Archives: Reverse Engineering

Red Team Revelations: Exposing and Addressing Vulnerabilities in Ivanti Workspace Control

In this blogpost I explain how my colleagues and I found two vulnerabilities during one of our Red Team engagements which allowed us to elevate our privileges and move laterally in the client’s network. It explains the vulnerabilities and offers defensive and mitigating advice.

It was a Red Team engagement with an assumed-compromise scenario where we entered the network through a VPN and had RDP access to one machine. From here we were very limited in the network. It was a small network with no significant misconfigurations in Active Directory, with no possibility of escalating our privileges. The customer applied strict network segmentation which prevented us from reaching all but a few other hosts in the network. We started enumerating the few network shares that we did have access to, and this is where it gets interesting. We found the installer for Ivanti Workspace Control 10.5.50.0 and a file called ‘WMDBConn.txt’.

Ivanti Workspace Control is a software solution that centralises the management of user workspaces across various platforms and devices. It allows IT administrators to control applications, user settings, and security policies to ensure consistent user experiences and optimise resource use.

Decrypting OpenSSH sessions for fun and profit

This is a copy of the original article for archival purposes: https://blog.fox-it.com/2020/11/11/decrypting-openssh-sessions-for-fun-and-profit/

Introduction

A while ago we had a forensics case in which a Linux server was compromised and a modified OpenSSH binary was loaded into the memory of a webserver. The modified OpenSSH binary was used as a backdoor to the system for the attackers. The customer had pcaps and a hypervisor snapshot of the system at the moment it was compromised. We started wondering if it was possible to decrypt the SSH session and gain knowledge of it by recovering key material from the memory snapshot. In this blogpost I will cover the research I have done into OpenSSH and release some tools to dump OpenSSH session keys from memory and decrypt and parse sessions in combination with pcaps. I have also submitted my research to the 2020 Volatility framework plugin contest.


Pandora’s Box

After c0ne built the vulnerable binary for the knock-knock challenge, he has now made a complete boot2root VM with 5 levels: Pandora’s Box! I had the pleasure of being one of the testers for the vulnerable binaries, so I got a sneak peek at levels 2 and 3 (after which level 2 changed quite a bit). I’ll be splitting up the writeup per level and I’ll only describe the final levels that ended up in the VM.

Pwnium CTF – Kernel land write-up

So... My first CTF writeup! I participated with a few others in the Pwnium capture-the-flag. One of the challenges I looked at was the Reverse Engineering challenge “Kernel Land”. The challenge gave a link to a binary with the tip: “The third Tick gives you the answer ;)”. After a first peek it appeared to be a Linux binary:

root@kalipwn:~/Downloads# file kernel
kernel: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped