Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Akash Network Authentication Bypass - 1459

Chainlight Posted 1 Year Ago
  • Akash is a decentralized cloud computing platform built for the Cosmos ecosystem. It appears to offer a product similar to EC2 instances on AWS.
  • There are four main parties involved:
    • Blockchain layer: Handles payments of tokens and used for governance.
    • Application layer: Intermediary between buyers and sellers. Sellers want people to use their resources and buyers need resources.
    • Provider layer: The instance where computational resources are located. There is a daemon from Akash that integrates with the users to give them access.
    • User layer: Where users buy the resources.
  • On the Akash network, the authentication process is done solely through TLS certificates. Here's the flow:
    1. A user creates a certificate and submits it to the blockchain.
    2. The user initiates an mTLS connection with the provider.
    3. Provider verifies the client certificate to ensure that it's valid. They check the common name, subject and serial number.
    4. The cert is added to the certificate pool of valid users that can access the system.
  • You know what's really important about certificates? The signatures! In this case, the fingerprint is not checked to see if the client certificate and the registered certificate are the same! So, a self-signed certificate with the spoofed information is good enough to bypass this.
  • To do this, we generate a self-signed root CA with the target's address in the common name. Next, we add the serial number of the target's cert to it. Finally, we use this cert to run arbitrary commands on the instance, giving us free access to everything.
  • How did they fix this? Check the fingerprints! I would guess that since this by design allows for self-signed CAs, they didn't consider the ability to spoof all of the things. Great find by the team at Chainlight!
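
The difference between the flawed check and the fix, as an added Go example (not Akash's or Chainlight's code). The function names, the owner address and the serial number are constructed for illustration; the model is simplified to a direct comparison between the presented certificate and the registered one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned returns a constructed self-signed certificate with a fresh key.
func selfSigned(cn string, serial int64) *x509.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// fieldMatch is the flawed check: every compared field is chosen by whoever creates the cert.
func fieldMatch(presented, registered *x509.Certificate) bool {
	return presented.Subject.CommonName == registered.Subject.CommonName &&
		presented.SerialNumber.Cmp(registered.SerialNumber) == 0
}

// pinnedMatch is the fix: the SHA-256 fingerprint of the whole DER encoding must also match.
func pinnedMatch(presented, registered *x509.Certificate) bool {
	return fieldMatch(presented, registered) &&
		sha256.Sum256(presented.Raw) == sha256.Sum256(registered.Raw)
}

func main() {
	registered := selfSigned("akash1-constructed-owner", 42) // stands in for the on-chain cert
	lookalike := selfSigned("akash1-constructed-owner", 42)  // same fields, different key
	fmt.Println(fieldMatch(lookalike, registered), pinnedMatch(lookalike, registered))
}
```

The fingerprint covers the public key and signature, so a certificate that only copies the common name and serial number no longer matches the registered one.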