Publications

Is it post quantum time yet?

28/09/2021 Quantum computing. Among all the fashionable IT buzzwords, this one comes prominently. Quantum computing, or the idea people get of it, feeds a lot of fantasy. This trend is supported by the news that sometimes relay hazy information about a topic they do not fully grasp. Getting a precise view of the state of quantum computing and its implications on security is not easy if you are not familiar with the topic. In this article, we will try to answer this seemingly simple question: is it post quantum time yet?

Cracking Radmin Server 3 passwords

17/09/2021 Reverse-engineering a hashing mechanism and optimizing password cracking

macOS XPC Exploitation - Sandbox Share case study

08/09/2021 Usually we don't do blog posts about CTF challenges but we recently stumbled across a challenge that was a good opportunity to talk about several macOS/iOS internals, security mechanisms and exploit methods...

Your vulnerability is in another OEM!

02/09/2021 Among targets for the Pwn2own Tokyo 2020 was 2 NAS, the Synology DiskStation DS418play and Western Digital My Cloud Pro PR4100. We took a look at both, and quickly found out Western Digital PR4100 was vulnerable via its webserver. However, exploitation was not THAT easy (it was not that hard either) and ultimately it did not even mattered since the vulnerability was wiped by a major OS update pushed mere days before the contest. In the end, the vulnerable code we audited might not have even been written by Western D...

HTB Business CTF Write-ups

02/08/2021 Synacktiv participated in the first edition of the HackTheBox Business CTF, which took place from the 23rd to the 25th of July. The event included multiple categories: pwn, crypto, reverse, forensic, cloud, web and fullpwn (standard HTB boxes). We managed to get 2nd place after a fierce competition. We had quite a lot of fun so we decided to publish write-ups of the most interesting challenges we solved.

Writing a (toy) symbolic interpreter, and solving challenges, part 4

30/07/2021 This is the last part of series, where we solve the challenge using our symbolic interpreter, and an external SMT solver. Huge success!

Writing a (toy) symbolic interpreter, and solving challenges, part 3

28/07/2021 In this installment, we turn the concrete interpreter into a symbolic interpreter. How exciting!

Writing a (toy) symbolic interpreter, and solving challenges, part 2

23/07/2021 In the second part of this series, we write a concrete interpreter for a subset of WebAssembly.

Writing a (toy) symbolic interpreter, and solving challenges, part 1

19/07/2021 Writing a symbolic interpreter, and wiring it to a solver in order to solve reverse engineering challenges (or other uses), might seem like a daunting task. Even simply using an existing symbolic interpretation framework is far from easy when one has no experience in it. This serie of articles will describe, throughout the summer, how such an engine is built, and showcase implementation tricks and some trade offs to be aware off. Do not worry, the interpreter will be kept as simple as possible though! In the end, we...

Exploitation of a double free vulnerability in Ubuntu shiftfs driver (CVE-2021-3492)

13/07/2021 This year again, the international contest Pwn2Own Vancouver took place in the beginning of April. Among the different categories, two major operating systems were suggested for the Local Escalation of Privilege category (LPE): Linux (Ubuntu) and Windows 10. This article describes how a Ubuntu kernel vulnerability was found and exploited during this contest allowing to gain root access from an unprivileged user.