BenGardiner

HelioStatic Avionics: GitHub CI Challenge Writeup

This GitHub CI challenge was fun and I learned about the dangers of misconfigured reusable workflows (via prompt injection in LLM agents).

A couple of workflows hosted within an organization (Helio Static Avionics) were publised, allowing other projects to reuse them. When triggered, these reused workflows ran in the context of the hosting organization, granting them access to its OIDC provider. This allowed the workflows to pull sensitive information directly into the environment of the runner.

There are two workflows we can reuse and trigger: a support agent and an attestation workflow. Both use LLM agents. There are two stages to the challenge: last) get the attestation key -- but first) get an officer ID so we can run the attestation workflow.

---

BenGardiner

Solving Zack Deveau's SNES NSec 2021 Challenges with radare2 and Jupyter Notebooks

Use files in this gist to make your own solve of these fun challenges by zdeveau! The extra challenge is that you must do it using only static analysis in radare2. To make things a bit easier on you we will use Jupyter (Labs) Notebooks.

Install the python (tested with python-3.10) packages you will need (a full tested pip freeze is in requirements.txt also):

pip3 install jupyterlab r2pipe

BenGardiner

BenGardiner

---

patat: wrap: true ...

Extracting CAN Signals from OpenXC with Radare2

If you haven't yet: please build and install r2 from git now : git clone https://github.com/radare/radare2; cd radare2 ; ./sys/install.sh. And also pip install r2pipe.

Download the target binary file at https://bit.ly/2ZtEJSH This is a 'FORDBOARD' vi-firmware device; here's the datasheet for a LPC1768 https://bit.ly/2XHemb5

BenGardiner

This is a writeup of the solutions to the Advent Calendar of Advanced Cyber Fun 2018. If you're not familiar, this is an advent-themed challenge so there was one new challenge each day from Dec 1st to Dec 24th. The challenges focused on exotic networking features. Usually, successfully connecting would win but sometimes challenge-response was necessary too.

The Advent Calendar of Advanced Cyber Fun 2018 was organized by @_takeshix and @lod108 and a big special thanks to them -- this was a ton of xmas fun!

Port 1

I'll quote the challenge description that they posted on https://xmas.rip here:

Sometimes it's hard to remember all of those silly port numbers. And there is this restriction of 65535 ports, but santa wanted to host this year's wishlist protocol on TCP 24122018! Wouldn't it be great to access services based on their name, and not their port number?! So Santa is hosting the wishlist service with the help of old school technology: RFC1078. Send him your wishlist!

BenGardiner

Writeup, from: https://github.com/JonathanBeverley , https://github.com/kensalter , https://github.com/BenGardiner

Notes:

• Open challenge binary and analyze it

r2 -d antir2
[...]
[0x004008c0]> aaa

BenGardiner

#!/usr/bin/env python
import string
import sys

def getPoint(c):
    if c == 0:
        return [0, 0, 0]
    elif c == 255:
        return [255, 255, 255]
    elif chr(c) in string.printable:

BenGardiner

// Run in the JavaScript console of the hterm browser window

// Clear all existing settings - you probably don't want to do this.
// Preferences are now stored in "chrome.storage.sync" instead of
// "window.localStorage" so if you clear your preferences the changes
// will be propagated to other devices.
//mosh_client_.io.terminal_.prefs_storage.clear();

mosh_client_.io.terminal_.prefs_.resetAll();
mosh_client_.io.terminal_.prefs_.set('enable-bold', true);

BenGardiner

#!/bin/bash

function echo_and_exec()
{
  echo "Executing $@" ; "$@"
}

function set_exec()
{
  if [ -z "${DRYRUN}" ]; then