
Posts

Showing posts from 2021

Attacking with Command Injection on Containers created using Google's Distroless Images

As mentioned on GitHub, "'Distroless' images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution." (https://github.com/GoogleContainerTools/distroless) There are multiple reasons why distroless images are getting popular: minimal size, no excessive binaries (there is only sh and bash in the /bin folder), and better security (due to the presence of fewer binaries). However, there has been a wrong perception (as per a few blog posts) that we cannot do command injection attacks in containers made from distroless images. While it is partly true that the usual command injection attacks will not work, it would be wrong to say that it is impossible. This blog post is about attacking them. Here is my base code and the Dockerfile. app.py: from flask import Flask,request import os import subprocess app = Flask(__name__) @app.route("/"

Threats of leaked Github Personal Access Tokens : Private Github Enumeration, Backdooring Apps and Stealing Secrets from CICD systems

We have seen scenarios and real-world impacts of secrets / API keys committed to public version control systems like GitHub and GitLab. They have contributed to serious breaches, leaked personal information and so on. The risk of any leaked token is already serious, but it is even worse in case it is a GitHub Personal Access Token. In this post I will demonstrate the impact of a leaked GitHub personal access token. As leaked GitHub Personal Access Tokens are on the rise in public repos on GitHub, this post is meant to educate about the threats and risks they pose if leaked. Personal access tokens are an alternative to using passwords for authentication via the command line or the GitHub API. GitHub personal access tokens are popularly found in configuration files where a developer may need to clone some private repositories. Private repositories are not visible to users who do not have the right authorization to view them. Take for example this URL: https://github.com/hellctflife/myapp . It will throw a 404.

Solving Ropemporium - ret2win - 32 bit , 64 bit

There are plenty of great tutorials / writeups out there on the internet on these topics. As pwning is not my regular job, I am documenting the topics I have learnt by reading other blogs/writeups and learning a few topics the hard way. This also helps me to warm up on the same topics from time to time and document some topics that I encountered and that did not go as smoothly as the writeup. I will also be updating the same topic from time to time with anything new I learn, like improving the exploit, finding new ways to solve the same topic by reading other blogs, or some impressive methods of solving from other authors. The challenge is from https://ropemporium.com/ . I will be solving both the 32-bit and 64-bit versions of the binary. Solving ret2win - 32 bit. Steps: create a unique pattern; send the pattern; find the pattern offset after the crash from the EIP; find the address we wish to jump to; then create the final payload using the offset and the address we wish to jump to. Creating a pattern of 100 bytes a

Using CodeQL variant analysis to find format string vulnerabilities - Part 2 ( Taint Analysis )

In our previous post we saw examples of how to perform simple analysis with CodeQL to detect format string vulnerabilities. There are a couple of issues with the previous queries we wrote. Let us take an example where the data passed to a printf() call is hardcoded, hence the attacker has no control over it. In that case we would end up with too many false positives. This is where taint analysis becomes useful. Here is the code that we are going to analyze. Let us also try to exploit it and see in which scenarios it is vulnerable. As per my input %08x.%08x, there are 3 cases where my input will cause a format string attack. So my model should be able to find these 3 paths that are potentially exploitable. Next let us try to model the taint flow from source to sink, in which my source will be the user's input variable and my sink will be a flow where the user's input variable is passed as the first parameter to the printf(user

Using CodeQL variant analysis to find format string vulnerabilities - Part 1

Code review & static code analysis is something that I really enjoy doing for fun and sometimes for bread and butter. CodeQL is used for variant analysis, which is something like searching the codebase with a modelled code pattern. In this blog post I am going to use the following example and try to play around with CodeQL to find the exact matches against the vulnerable format string expression. Now using the input "%08x.%08x", I can see there are 2 scenarios where I would successfully exploit a format string vulnerability. Enter your name:%08x.%08x Executing function 1 %08x.%08x Executing function 2 1a8571fe Executing function 3 64ed32a0.00000000  ====> Exploited  Executing function 4 1a8571fe.1a857180  ====> Exploited Executing function 1 I am hardcoded Executing function 3 I am hardcoded but safe So my objective will be to play around with CodeQL and try to write a few queries that will detect the code pattern where the input is directly used in the format string. Hence m