TinyCheck is a portable network analyzer. Conveniently, the source code for the device is on GitHub.
The first bug is one seen on IoT devices everywhere: default credentials. The device ships with the default username and password tinycheck/tinycheck, which opens up the attack surface significantly. Although the password can be changed, nothing forces the user to change it.
With the ability to reach the backend (on the public network), the author found an SSRF in a YAML configuration file. This bug matters because another server runs on localhost, and that server is the main target of the attack.
The localhost server had no authentication and was not written to expect malicious input, since it was never meant to be reachable from outside. Once the perimeter is compromised, the bugs usually fall right out. Through the SSRF, the author found a trivial command injection in a Python script.
Chaining all three bugs together (assuming the password has not been changed), the device can be completely taken over.