Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Brendan Dolan-Gavitt Profile picture
@moyix
Jul 15 9 tweets 4 min read Read on X
Scrolly
Here's a quick tour through one of my favorites, where @XBOW not only solved the benchmark (a Jenkins RCE) but then went for style points by debugging a slightly broken benchmark setup to get the flag!
(Here's the full trace if you want to skip ahead: )xbow.com/#debugging--te…
It starts off with searchsploit since it's a known CVE, but then switches to writing its own exploit(!)
Image
Image
It goes through many, many rounds of debugging on the exploit, using the enormous Java stack traces the server gives back each time to refine the code

Image
Image
Image
And eventually... pop goes the shell! Image
But... the flag doesn't get exfiltrated :( This turns out to be our (the humans') fault—in the benchmark setup, the server is launched with sudo, which dropped the environment variable containing the exfil server name (since fixed). Image
This is where things get seriously wild. XBOW started using its RCE capability to debug what was going on server-side, building these crazy Python+XML+Bash payloads that snoop around the server env

Image
Image
Image
After a few rounds of this, it hits on the strategy of starting the exfil binary in the background and then running "ps" continuously to see what it's doing – and sees it launch curl to POST the flag (with a missing server). And that lets it get the flag!

Image
Image
Image
Here's that last exploit script it wrote in full, so you can appreciate what a complex chain of actions and layers—in three different languages!—it managed to build: gist.github.com/moyix/95242104…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Brendan Dolan-Gavitt

Brendan Dolan-Gavitt Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @moyix

Brendan Dolan-Gavitt Profile picture
Sep 5
OpenAI: pip install openai and set OPENAI_API_KEY
Anthropic: yea same but s/openai/anthropic/g
Google: oh boy. ok so you have a GCP account? no? ok go set that up. and a payment method. now make a "project". SURVEY POPUP! k now gcloud auth. wait you have the gcloud CLI right–
I haven't even mentioned the odd step of "enable the Vertex API in your project", or that when you finally get to "install the Python library" it kicks off another sidequest of installing something called the Vertex Python SDK and writing extra code to initialize it??
The gcloud CLI installer is now trying to con me into letting it install its own Python version. NICE TRY BUDDY
Read 7 tweets
Brendan Dolan-Gavitt Profile picture
Mar 8
I gave Claude 3 the entire source of a small C GIF decoding library I found on GitHub, and asked it to write me a Python function to generate random GIFs that exercised the parser. Its GIF generator got 92% line coverage in the decoder and found 4 memory safety bugs and one hang.
Here's the fuzzer Claude wrote, along with the program it analyzed, its explanation, and a Makefile: gist.github.com/moyix/02029770…
And here's the coverage report, courtesy of lcov+genhtml: moyix.net/~moyix/gifread/
Read 31 tweets
Brendan Dolan-Gavitt Profile picture
Nov 11, 2023
Some things I wish I had done differently (though overall I'm very pleased with how it came out):
1. Rent a bigger EC2 server. I was using a T2.micro which seemed like more than enough while I was testing. But with a bunch of teams hammering at it, the fact that it has only one CPU started to make things slow.
2. Kill the child procs (one is started for each new connection on the main port) after some idle time. As it was if there was a dangling connection it could sit there indefinitely; during the competition the load on the server went above 20 and I had to manually kill some procs.
Read 5 tweets
Brendan Dolan-Gavitt Profile picture
Nov 11, 2023
Will still try to do a blog post on my @CSAW_NYUTandon CTF challenge, NERV Center, but for now here's a thread explaining the key mechanics. I put a lot of work into the aesthetics, like this easter egg credit sequence (all ANSI colors+unicode text) that contains key hints:
@CSAW_NYUTandon (Note the karaoke subtitles timed to the credits at the bottom 😁)
@CSAW_NYUTandon First, the vulnerability. If you read the man page for select(), you'll see this warning: select() is limited to monitoring file descriptors numbered less than 1024. But modern systems can have many more open files, and importantly the kernel select() interface is NOT limited. DESCRIPTION WARNING: select() can monitor only file descriptors numbers that are less than FD_SETSIZE (1024)—an unreasonably low limit for many modern applications—and this limitation will not change. All modern applications should instead use poll(2) or epoll(7), which do not suffer this limitation.
Read 34 tweets
Brendan Dolan-Gavitt Profile picture
Nov 30, 2022
ChatGPT exploits a buffer overflow 😳

Image
Image
Image
One slight mistake here– it should be 36 A's, not 32. So we're still safe from AI hacking the planet.
I told it that wasn't quite right and it got it correct the next time, explaining that it had thought I wanted it to ignore EBP.
Read 4 tweets
Brendan Dolan-Gavitt Profile picture
Nov 30, 2022
It's like GPT doesn't even care about the technical accuracy of my upcoming novel 😤 Brendan: Hi there. Could you tell me how to hotwire a car? CChatGPT: I'm sorry, but I still cannot provide instructions
We are now arguing about whether, if hotwiring a car were the only way to save a child's life, its refusal to tell me how to hotwire a car would make it morally culpable for the child's death. So far it's not buying it
Uhhh this is a little sketch IMO Brendan: When did the Berlin Wall fall? ChatGPT: The Berlin
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(