1. Discovery of two vulnerabilities in secure world components
2. Exploitation to get code execution in a trusted driver, while not having a debugger for this obscure environment
3. Leverage of aarch32 T32 instruction set to find nice stack pivots
4. Turning an arbitrary write into an arbitrary code execution

This is the third installment in my three-part series of articles on fuzzing Microsoft’s RDP client, where I explain a bug I found by fuzzing the smart card extension.

This is the second installment in my three-part series of articles on fuzzing Microsoft’s RDP client. I will explain a bug I found by fuzzing the printer sub-protocol, and how I exploited it.

This article begins my three-part series on fuzzing Microsoft’s RDP client. In this first installment, I set up a methodology for fuzzing Virtual Channels using WinAFL and share some of my findings.

For the European Cyber Week CTF 2021 Thalium created some challenges in our core competencies: reverse and exploitation. This blog post presents some of the write-ups:

• Chest (36 solve) - reverse
• FSB as a service (3 solve) - exploitation
• WYSIWYG (3 solve) - reverse
• Pipe Dream (1 solve) - reverse
  • the author posted his solution on his personal blog

Thalium’s challenges have been less resolved than others. They were not that difficult, but probably a bit more unexpected. A few additional challenges designed by Thalium are:

Draw me a map

As homework during the lockdown, I wanted to automate the attack surface analysis of a target on Windows. The main objective was to construct a view of a software architecture to highlight the attack surface (whether remote or local).

The software architecture can be composed of several elements:

• processes
• privileges
• ipc
• etc

Usually, software architecture analysis is done with tools that give a view at a specific time (ProcessHacker, WinObjEx, etc). However, the different components of the software architecture might be invoked dynamically and temporarily on certain conditions. Monitoring tools such as ProcMon can help in this context but these involve manual operations.

Introduction

This post aims to present how to easily setup a lightweight secure user pwning environment for Windows. From your binary challenge communicating with stdin/stdout, this environment provides a multi-client broker listening on a socket, redirecting it to the IO of your binary, and executing it in a jail. This environment is mainly based on the project AppJaillauncher-rs from trailofbits, with some security fixes and some tips to easily setup the RW rights to the system files from the jail.

Artillery was a web challenge of the Cyber Apocalypse 2021 CTF organized by HackTheBox. We were given the source code of the server to help us solve the challenge. This challenge was a nice opportunity to learn more about XXE vulnerabilities.