THOTCON
26 May 2018

THOTCON Greetings – Synack @ THOTCON 0x9

Andre Gerard

This May, the Synack community team hit up THOTCON in Chicago alongside thousands of other hackers. (THOTCON's badges, which the organizers have been building on each year, are very cool: you can play games on them, code for them or hack them!) We attended some excellent talks, including several given by our SRT members, met outstanding researchers and potential new SRT members, hosted our Synack HackerHangout at the Goose Island craft brewhouse, and soaked up every hacking learning opportunity we could. THOTCON's location is kept secret until two weeks before the conference, and even then only participants are given the details. Where was 0x9 held this year? We can't say; you'll have to experience it for yourself next year at 0x10!

THOTCON 0x9 badge

THOTCON Talks
Straight from the Source

Some of the THOTCON speakers, including several of our esteemed SRT members, joined our HackerHangout and shared recaps of their talks with us. Read on for a glimpse into their talks, tools and tips!

Bug Bounty Methodologies
Jack Cable (@jackhcable), Synack Red Team member

“With a maturation in existing public bug bounty programs, bug bounty hunters are constantly looking for methods to expand attack surface. In my presentation, I outlined existing methods for expanding attack surface – enumerating subdomains, Google dorking, directory brute forcing, etc – and introduced a new tool, FileChangeMonitor, to continuously monitor websites for changes in JavaScript code. FileChangeMonitor (https://github.com/cablej/FileChangeMonitor/) periodically performs a diff of JavaScript files on a website and notifies users when new relative URLs are discovered in code. Using this tool, I have been successful in discovering new features launched on websites.”

File Change Monitor
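As an added example, not the FileChangeMonitor code itself, the following Python sketches the core check the talk describes: extract relative URL string literals from two snapshots of a JavaScript bundle and report the ones that are new. The snapshots, hostnames and paths are constructed; a real monitor would fetch the live file on a schedule and keep the previous copy, and the same diff is just as useful to a site owner watching their own bundles for endpoints that were exposed earlier than intended.

```python
# Added example, not the FileChangeMonitor code: diff two snapshots of a JS
# bundle and report the relative URL string literals that are new.
import re

# A quoted string literal that starts with a single '/' (not '//', which is a
# protocol-relative absolute URL) followed by ordinary path/query characters.
RELATIVE_URL_RE = re.compile(r"""["'`](/(?!/)[A-Za-z0-9_./?=&%:-]*)["'`]""")


def extract_relative_urls(js_source: str) -> set:
    """All distinct relative URL literals in a JavaScript source text."""
    return set(RELATIVE_URL_RE.findall(js_source))


def new_relative_urls(old_js: str, new_js: str) -> list:
    """Relative URLs present in new_js but absent from old_js, sorted."""
    return sorted(extract_relative_urls(new_js) - extract_relative_urls(old_js))


# Constructed snapshots of the same bundle fetched on two different days.
OLD_BUNDLE = """
fetch('/api/v1/profile').then(r => r.json());
const logo = "https://cdn.example.com/logo.png";  // absolute URL: ignored
const app = "//static.example.com/app.js";        // protocol-relative: ignored
window.location = '/login';
"""
NEW_BUNDLE = """
fetch('/api/v1/profile').then(r => r.json());
fetch('/api/v2/profile').then(r => r.json());     // new API version
const logo = "https://cdn.example.com/logo.png";
const app = "//static.example.com/app.js";
window.location = '/login';
const export_url = `/beta/export?format=csv`;     // new, unannounced feature
"""

if __name__ == "__main__":
    for url in new_relative_urls(OLD_BUNDLE, NEW_BUNDLE):
        print("NEW relative URL:", url)
```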

Best travel buddy 3vaaar!
Mikhail Sosonkin (@hexlogic), Synack Red Team member

Mikhail Sosonkin THOTCON talk
“When I was a digital nomad, I wanted to make my life easier by purchasing a HooToo travel router. Turns out it did make my life easier, but not for traveling, rather for hacking! The HooToo TM06 is a versatile device with the form factor of the MacBook Pro power adapter; it runs Linux and has two Wi-Fi antennas. It is very easy to hide and dispose of. This is what allowed us to hack a VICE reporter in Moscow. We managed to execute a man-in-the-middle attack by convincing her to connect to our rogue Wi-Fi where we had control of the DNS traffic.

I discovered an exploitable unauthenticated remote vulnerability in the webserver of the travel router. This vulnerability gave me the ability to take control and persist on the device if it connected to a network I controlled. Say, if I were an Airbnb host with malicious intent or had taken over a Wi-Fi router on a hotel network. Since the TM06 is meant for traveling, it means that my malware would travel with it to home or enterprise networks. To demonstrate the capability, I built malware for the router that performs DNS poisoning. This is really useful in cases when the target browses to a popular insecure page such as http://bbc.com. For reasons unknown to me, a secure https://bbc.co.uk will actually redirect to an insecure http://bbc.com when you’re in the United States. Such DNS poisoning means that a hacker could inject executable content into the browser and launch other attacks to get at private data. The slides for the talk are available at https://speakerdeck.com/nologic/best-travel-buddy-3vaar.”

An Introduction to Modern Binary Exploitation
Jeremy Blackthorne, Alexei Bulazel, Sophia d’Antoine

“Alexei Bulazel, Sophia d’Antoine and I delivered the workshop titled An Introduction To Modern Binary Exploitation. The goal of our workshop was to demystify binary exploitation and give the intuition behind finding vulnerabilities and exploiting them. We covered three simple hacker truths:

  1. A program is a series of numbers that can be interpreted as code or data.
  2. You can give a program more input than it has room for. Extra input will overflow into unauthorized locations, some of which control how the program executes.
  3. Combine 1 and 2. You can feed a series of numbers into another program as data. That data can overflow into unauthorized locations and control how the program executes. The executing program can be made to interpret the input data as code. Thus you have injected a program into another and executed it, thus hijacking control of the original program.

Alexei, Sophia, and I were students at Rensselaer Polytechnic Institute and on the CTF team RPISEC. We helped create the university course Modern Binary Exploitation, Spring 2015. The course teaches students, through hands-on exercises, how to perform exploitation on programs. All of the materials, including the VM and exercises, are available to download at https://github.com/RPISEC/MBE.”

Boot screen for the training VM for the course.
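To make the three truths concrete, here is an added Python model (not from the course materials or the RPISEC repository) of a 16-byte input buffer sitting directly in front of a 4-byte control word that stands in for a saved return address: an unbounded reader lets oversized input rewrite that word, while the bounded reader beside it rejects the input and leaves it untouched. The sizes, the 0x00400000 return target and the input bytes are all constructed.

```python
# Added example (not from the MBE course): a simulated memory that makes the
# three "hacker truths" concrete without undefined behaviour in a real process.
# Layout: a 16-byte input buffer immediately followed by a 4-byte control word
# standing in for a saved return address.
import struct

BUF_SIZE = 16
CONTROL_OFFSET = BUF_SIZE        # the word right after the buffer
SAFE_RETURN = 0x00400000         # constructed "normal" return target


class SimMemory:
    def __init__(self):
        # Truth 1: memory is just a sequence of numbers.
        self.mem = bytearray(BUF_SIZE + 4)
        struct.pack_into("<I", self.mem, CONTROL_OFFSET, SAFE_RETURN)

    def control_word(self) -> int:
        # The bytes after the buffer, read as the number the CPU would jump to.
        return struct.unpack_from("<I", self.mem, CONTROL_OFFSET)[0]

    def buffer_text(self) -> bytes:
        # The same kind of bytes, read as data (what the program thinks it stored).
        return bytes(self.mem[:BUF_SIZE])

    def read_input_unsafe(self, data: bytes) -> None:
        # Truth 2: copies whatever it is given; bytes 17..20 land on the control word.
        if len(data) > len(self.mem):
            raise MemoryError("write past simulated memory: the process would crash")
        self.mem[: len(data)] = data

    def read_input_safe(self, data: bytes) -> None:
        # Hardened reader: bound the copy to the buffer and reject the rest.
        if len(data) > BUF_SIZE:
            raise ValueError(f"{len(data)} bytes exceeds the {BUF_SIZE}-byte buffer")
        self.mem[: len(data)] = data


def control_word_after(data: bytes, safe: bool) -> int:
    """Control word after feeding `data` through the unsafe or hardened reader."""
    m = SimMemory()
    try:
        (m.read_input_safe if safe else m.read_input_unsafe)(data)
    except ValueError:
        pass  # rejected input leaves the control word untouched
    return m.control_word()


# Constructed 20-byte input: 16 filler bytes plus 4 that spill onto the control word.
OVERSIZED = b"A" * BUF_SIZE + struct.pack("<I", 0xDEADBEEF)
```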

Synack’s HackerHangout @ THOTCON

SRT members at Synack HackerHangout at THOTCON


Thanks to everyone who joined our HackerHangout and bonus brewery tour in Chicago… fun times with our SRT and new friends!!

Synack provides initiatives to help foster the researcher community and engage top talent; technology to optimize researcher efficiency and accelerate vulnerability discovery; opportunities to work on unique targets; personalized support; and skills development. We do this through the Synack platform and our SRT Levels program, which includes fun competitions, gamification, mentorship, and specialized projects.

Apply to join the Synack Red Team and become one of the chosen few. We provide the best support for our researchers and put the highest quality, most relevant features into our platform – it was designed by hackers for hackers.

If you’re up for the challenge, apply today, and use code “SRTBLOGS” in your application.