hackerfantastic.x Profile picture
Co-Founder @myhackerhouse cyber security assurance & hacker training ~ ISBN9781119561453 ~ a book on professional hacking. Offensive Lua project.
3 subscribers
Jun 25 9 tweets 4 min read
Buy a stingray device for intercepting cellular traffic, only $100k on eBay 😂 ebay.com/itm/4049333960…
Image That eBay seller must have gotten his hands on some liquidated government-backed monitoring equipment. This is old equipment but a bargain at $600 - frequency counter, AOR wide-band receiver and numerous antennas for wireless signal detection and monitoring. Used to cost $1000's Image
Jun 11 7 tweets 5 min read
Someone left a "secure" Russian phablet on the back of a bus in Salisbury, England. It was running Aurora OS, a so-called "trustphone" device for use by Russian Government and corporations... here's the flash ROM dumps for 4.0.2.249, 4.0.2.82 and 3.2.1.65. mega.nz/file/V3tgEAKJ#…



Image

Image
Image
When generating "secure random" passwords in "SecretKeeper", it's important to always seed random number generator qsrand() with the current time. That way you can easily recover your passwords for sensitive Russian environments in case you were ever logged out of them....
Image
Image
May 1 22 tweets 6 min read
Lennart Poettering intends to replace "sudo" with systemd's run0. Here's a quick PoC to demonstrate root permission hijacking by exploiting the fact "systemd-run" (the basis of uid0/run0, the sudo replacer) creates a user owned pty for communication with the new "root" process.
Image
Image
This isn't the only bug of course, it's not possible on Linux to read the environment of a root owned process but as systemd creates a service in the system slice, you can query D-BUS and learn sensitive information passed to the process env, such as API keys or other secrets.
Jan 2 12 tweets 3 min read
Stinger is a Vault7 privilege escalation module from "Fine Dining", the only information is that it is a "UAC bypass that obtains the token from an auto-elevated process, modifies it, and reuses it to execute as administrator" - the video shows my implementation. I started with only the information above, and tried to work out what this UAC bypass could be. It turns out you can read the process token of an auto-elevated binary (even on Win 11!), ShellExecuteEx returns process handle to high integrity process and you can access its token.
Dec 30, 2023 20 tweets 4 min read
This is more likely work of an intelligence agency, not an APT. APT is contractor service organized or reporting to the intelligence agencies of a nation-state or an OCG and does not have the same level of bureaucracy with payload delivery. The selective targeting gives it away. I do not consider GCHQ or NSA TAO as APT in the traditional sense, they are vastly superior threat when compared to contractor hired by say the FSB to steal western secrets through drive-by downloads. There is cross-over but one is a wide industry threat, the other very specific.
Dec 22, 2023 10 tweets 3 min read
Here is an example of the CIA's Marble Framework being used in a simple project to obfuscate and de-obfuscate strings. I used AI to re-create missing library and components needed to use the framework in Visual Studio projects, usually handled inside CIA with "EDG Project Wizard"


Image
Image
Image
Image
This shows the complete workflow that an analyst would use when creating malware at the CIA using Marble for string obfuscation. An attacker could essentially now follow leaked wiki instructions to obfuscate their strings in runtimes they create. More: wikileaks.org/ciav7p1/cms/pa…
Mar 30, 2023 7 tweets 3 min read
The "EU Digital Green Certificates (DGC)" which was implemented to curb freedom of movement unless individuals gave over medical decisions to their government, against all of our human rights - is leaking the Health Authority of Bulgaria's private keys since 2021. #NoGreenPass The above private key could be used to authenticate to the "on-boarding gateway" and falsify health records as authentic & valid from Bulgaria, additionally as it allowed authentication it could've been used to exploit Log4Shell (post-authentication) which was patched last year.
Jan 2, 2023 5 tweets 2 min read
👀 French police stopped a woman driving a car in someone else's name on suspicion of drug use and discovered a wireless hacking device in the trunk. Professional looking build too. It's so beautiful, power modules on top, fans for cooling, what look like modular radio blocks, amp, filter, SDR radio and the icing on the cake is the "decoy" antenna system made to look like a hotspot. Whatever they are hacking with this, someone spent money to build it.
Sep 29, 2022 14 tweets 3 min read
Iranian CIA source webpage that assets were instructed to use we keep hearing about as faulty? They were sent to iraniangoals[dot]com and instructed to enter password to message CIA handlers.. in a search box called "password"😂

<input type="password" id="pw" size="20" value=""> "clandestine" operations....