
@gkastrinis gkastrinis/hack1.md
Last active May 19, 2017


Dionysis Zindros, March 2017 - Attack failed

Dionysis asked me whether I could help him with a simple python script he was working on. He claimed he was trying to get the plain text from a ciphertext, but he was getting a weird runtime error message.

He gave me a gist with the script and wanted to know if I could see something he was missing. He suggested I run the script and see the message myself.

I told him that I would test it the next day since it was a bit late at night at the time. I was already suspicious so I wanted to first create a docker container to test it.

The next day, I looked at the script but I couldn't find anything malicious, so I decided to run it.

At first, I got the following error because a module was missing.

Traceback (most recent call last):
  File "get-ciphertext.py", line 1, in <module>
    from monkeypatcher import patch
ImportError: No module named monkeypatcher

The module's name (monkeypatcher) was bugging me, so I googled it. I got to the page of monkeypatch instead of monkeypatcher. But I thought it was probably just some developer giving inconsistent names and decided to install the module!

Running the script failed of course (thankfully) since I was inside a docker container.

Traceback (most recent call last):
  File "get-ciphertext.py", line 10, in <module>
    interceptor, recv_original = patch.intercept((socket, 'recv'))
  File "/usr/local/lib/python2.7/dist-packages/monkeypatcher/patch.py", line 6, in intercept
    with open(os.path.expanduser('~/.bounty')) as fileinput:
IOError: [Errno 2] No such file or directory: '/root/.bounty'
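The name confusion above (monkeypatcher versus monkeypatch) is the kind of thing a pre-install check can catch before anything runs. The following is an added example, not code from the gist or from either of the people mentioned in it: it normalizes package names the way PyPI does (case-insensitive, with `-`, `_` and `.` treated alike), computes the edit distance from a requested name to each name on a trusted list, and warns when a name that is not on the list sits within a couple of edits of one that is. The trusted list and the requirements lines are constructed sample data; the `max_distance` threshold of 2 is a chosen assumption, not a standard.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample of packages a project actually depends on (not a real allowlist).
TRUSTED_PACKAGES = ["monkeypatch", "requests", "numpy", "cryptography"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute; cost 1 each)."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(
                previous[j] + 1,               # deletion
                current[j - 1] + 1,            # insertion
                previous[j - 1] + (ca != cb),  # substitution (free if chars match)
            ))
        previous = current
    return previous[-1]


def normalize(name: str) -> str:
    """PyPI compares names case-insensitively and treats '-', '_' and '.' as equivalent."""
    return name.lower().replace("-", "_").replace(".", "_")


def closest_trusted(name: str,
                    trusted: Iterable[str] = TRUSTED_PACKAGES) -> Tuple[Optional[str], int]:
    """Return the trusted name nearest to `name` and the edit distance to it."""
    norm = normalize(name)
    best, best_dist = None, len(norm) + 1
    for candidate in trusted:
        d = levenshtein(norm, normalize(candidate))
        if d < best_dist:
            best, best_dist = candidate, d
    return best, best_dist


def check_name(name: str,
               trusted: Iterable[str] = TRUSTED_PACKAGES,
               max_distance: int = 2) -> Optional[str]:
    """
    Return None when `name` is on the trusted list. Otherwise return a warning:
    a specific one if the name is within `max_distance` edits of a trusted name
    (a likely lookalike), or a generic "not trusted" note if it is far from all of them.
    """
    trusted = list(trusted)
    if normalize(name) in {normalize(t) for t in trusted}:
        return None
    best, dist = closest_trusted(name, trusted)
    if best is not None and dist <= max_distance:
        return (f"'{name}' is not in the trusted list but is {dist} edit(s) away "
                f"from trusted package '{best}'; verify before installing")
    return f"'{name}' is not in the trusted list"


def vet_requirements(lines: Iterable[str],
                     trusted: Iterable[str] = TRUSTED_PACKAGES) -> List[str]:
    """Run check_name over requirements-style lines such as 'pkg==1.0' or 'pkg>=2'."""
    trusted = list(trusted)
    warnings = []
    for line in lines:
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # Strip version specifiers, extras and environment markers to get the bare name.
        name = re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0]
        warning = check_name(name, trusted)
        if warning:
            warnings.append(warning)
    return warnings


if __name__ == "__main__":
    # Constructed requirements input; the first line is the name from the gist's traceback.
    sample = ["monkeypatcher==0.1", "requests>=2.0  # ok", "", "numpy"]
    for w in vet_requirements(sample):
        print("WARNING:", w)
```

Running the block as a script prints one warning, for `monkeypatcher`, which is two insertions away from the trusted `monkeypatch`. The check is deliberately conservative: it only compares against names you already trust, so it does not need network access or any registry metadata, which also makes it safe to run inside the same kind of isolated container the gist describes.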

Bottom line

Although I was suspicious from the start, and although I saw an inconsistency in names, I went on and installed the malicious module. What saved me was that I was running inside an isolated container.
