Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Priv Esc on GOG Galaxy Client to System- 242

Joseph Testa - Positron Security. Posted 5 years ago.
  • GOG Galaxy is video game management software by GOG.
  • After installing the client, the author captured its traffic in Wireshark to see what was happening and noticed a file path in the dump, which looked interesting.
  • First, the author replayed the original packet unchanged, and the command ran as System. Once he modified the payload, it no longer worked.
  • Reversing the client showed that the messages were authenticated with an HMAC keyed with a secret stored on the local system. After recovering the key and the algorithm, the author could sign his own payloads and execute arbitrary commands. Because the receiving component ran as System (on Windows), this was a very serious priv esc.
  • For the devs: secrets inside executables are not secret!
  • Decoding protocols on the system in Wireshark is a good way to find issues; local (on-machine) traffic to third-party services is rarely authenticated.
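To make the three design flaws in the summary above concrete (replayable messages, a key that ships inside the binary, and a privileged service that runs whatever command string it is handed), here is an added, constructed example that is not the GOG Galaxy protocol and not the author's code. It models a privileged local service that verifies an HMAC-SHA256 `sig` field over canonical JSON, first in the weak shape the write-up describes and then in a hardened shape with a per-install random key, a nonce check and an operation allowlist. The message format, the `STATIC_KEY` value and the operation names are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed message format (assumption, not the real client protocol):
# a JSON object whose "sig" field is HMAC-SHA256 over the other fields.


def canonical(body: dict) -> bytes:
    """Stable byte encoding so sender and verifier hash the same thing."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, msg: dict) -> dict:
    """Return a copy of msg with a fresh "sig" computed under key."""
    body = {k: v for k, v in msg.items() if k != "sig"}
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


def signature_ok(key: bytes, msg: dict) -> bool:
    """Verify "sig" with a constant-time comparison."""
    body = {k: v for k, v in msg.items() if k != "sig"}
    sig = msg.get("sig")
    if not isinstance(sig, str):
        return False
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


# --- Design 1: the pattern the write-up describes -------------------------
# Constructed placeholder key; in the weak design it lives inside the
# executable, so anyone who can read the binary can recover it.
STATIC_KEY = b"placeholder-key-compiled-into-the-client"


def weak_service(msg: dict) -> str:
    """Any correctly signed message is executed verbatim as SYSTEM.

    Nothing distinguishes a replayed capture from a fresh request, and the
    command string is not restricted at all.
    """
    if not signature_ok(STATIC_KEY, msg):
        return "rejected: bad signature"
    return f"ran as SYSTEM: {msg.get('cmd')}"


# --- Design 2: hardened ---------------------------------------------------
class HardenedService:
    """Per-install random key, replay protection and an operation allowlist."""

    # Fixed set of things the privileged side will do; no free-form commands.
    ALLOWED_OPS = {"check_updates", "launch_installed_game"}

    def __init__(self) -> None:
        # Assumption: generated at install time and stored where only the
        # intended caller account can read it, never embedded in the binary.
        self.key = secrets.token_bytes(32)
        # Nonces already accepted. A production service would bound this
        # with an expiry or use a monotonic counter instead of a growing set.
        self.seen_nonces: set[str] = set()

    def handle(self, msg: dict) -> str:
        if not signature_ok(self.key, msg):
            return "rejected: bad signature"
        nonce = msg.get("nonce")
        if not isinstance(nonce, str) or nonce in self.seen_nonces:
            return "rejected: replay or missing nonce"
        self.seen_nonces.add(nonce)
        op = msg.get("op")
        if op not in self.ALLOWED_OPS:
            return "rejected: operation not allowlisted"
        # Per-operation argument validation would go here.
        return f"performed {op}"


if __name__ == "__main__":
    captured = sign(STATIC_KEY, {"cmd": "updater.exe"})
    print(weak_service(captured))            # ran as SYSTEM: updater.exe
    print(weak_service(captured))            # same again: replay accepted
    svc = HardenedService()
    fresh = sign(svc.key, {"op": "check_updates", "nonce": secrets.token_hex(8)})
    print(svc.handle(fresh))                 # performed check_updates
    print(svc.handle(fresh))                 # rejected: replay or missing nonce
```

The weak service shows why "the HMAC checks out" proves nothing once the key is recoverable from the client: the signature only binds the message to a secret every local user can read. The hardened service fixes each gap separately, and the allowlist is the one that matters most for privilege escalation, because even a leaked key then only lets a caller request operations the SYSTEM side already intended to expose.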