Create a gist now

Instantly share code, notes, and snippets.

@gkastrinis /hack1.md
Last active May 19, 2017

What would you like to do?

Dionysis Zindros, March 2017 - Attack failed

Dionysis asked me whether I could help him with a simple python script he was working on. He claimed he was trying to get the plain text from a ciphertext, but he was getting a weird runtime error message.

He gave me a gist with the script and wnated to know if I could see something he was missing. He suggested I run the script and see the message myself.

I told him that I would test it the next day since it was a bit late at night at the time. I was already suspicious so I wanted to first create a docker container to test it.

The next day, I looked at the script but I couldn't find something malicious so I decided to run it.

At first, I got the following error because a module was missing.

Traceback (most recent call last):
  File "get-ciphertext.py", line 1, in <module>
   from monkeypatcher import patch
ImportError: No module named monkeypatcher

The module's name (monkeypatcher) was bugging me so I google'd it. I got to the page of monkeypatch instead of monkeypatcher. But, I thought it was probably just some developer giving inconsistent names and decided to install the module!

Running the script failed of course (thankfully) since I was inside a docker container.

Traceback (most recent call last):
  File "get-ciphertext.py", line 10, in <module>
    interceptor, recv_original = patch.intercept((socket, 'recv'))
  File "/usr/local/lib/python2.7/dist-packages/monkeypatcher/patch.py", line 6, in intercept
    with open(os.path.expanduser('~/.bounty')) as fileinput:
IOError: [Errno 2] No such file or directory: '/root/.bounty'

Bottom line

Although I was suspicious from the start and although I saw an inconsistency in names I went on and installed the malicious module. What saved me was that I was running inside an isolated container.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment