Zeta-Two.com

SANS Holiday Hack Challange 2022: Writeup

Sat, 07 Jan 2023 12:00:00 +0100

This is my write-up for the SANS Holiday Hack Challenge 2022.

dJulkalender 2022: Write-up

Sun, 01 Jan 2023 00:00:00 +0100

Simpler unpickle payloads with the walrus operator

Fri, 07 Jan 2022 01:00:00 +0100

When exploiting Python deserialization, specifically, Pickle, vulnerabilities you need to craft a payload consisting of a collection of arguments and a callable that is available on the server. Most commonly you can use the eval function and a string to be evaluated. This is fairly flexible and from here you can typically import the os module and call os.system to do whatever you want. Sometimes there can be some limitations in place, for example, you might not get the output of the application directly and it might be blocking outbound connections preventing reverse shells. In some situations you need the result of the unpickle operation to return an object with specific properties. If you are lucky and convenient classes exist on the target and you have knowledge of them you might get away with simply constructing one of them. If this is not the case it is slightly trickier.

dJulkalender 2021: Write-up

Thu, 06 Jan 2022 22:30:00 +0100

CrowdStrike Adversary Quest 2021: Write-up

Wed, 03 Feb 2021 23:00:00 +0100

Recently, CrowdStrike Intelligence ran a small CTF for about two weeks with twelve challenges spread over a wide selection of categories. I managed to solve all the challenges and got eighth place. The challenges were of very high quality and I thoroughly enjoyed them so I decided to publish my solutions here. This is not a full write-up with a lot of details but more a short summary of my solution to each problem. The challenges were divided into three storylines, "adversaries" with four challenges each and as such I will structure this post in the same way.

SANS Holiday Hack Challange 2020: Writeup

Mon, 04 Jan 2021 15:00:00 +0100

This is my write-up for the SANS Holiday Hack Challenge 2020. There are two types of challenges: the main objectives and the extra terminals. In the game they are interleaved since solving terminals give you hints for the main objectives but here I have separated them into two sections.

Chalmers - Security at KRY/LIVI 2020

Wed, 29 Apr 2020 21:00:00 +0200

In April this year, I gave a lecture at Chalmers University of Technology in Gothenburg. I talked about the security work at KRY/LIVI. The talk was not recorded but you can download the slides here.

Exploiting the Starcraft 1 EUD Bug

Sun, 05 Apr 2020 23:30:00 +0200

Starcraft, released in 1998, is still one of the best strategy games ever made. Over 20 years later it still has a strong community and a remastered version was released in 2017 with updated graphics and sound. However, like most software, it has had it fair share of bugs. One of these bugs was an arbitrary read/write vulnerability in the parser for the scripts embedded in the maps of the game. As long as I've known about the bug I had assumed it could be used for exploitation but I had never seen a public example of this. Last weekend, I sat down and wrote an exploit myself and also turned this into a challenge for the Midnight Sun CTF 2020 qualifiers. In this first blog post I will go through some background, explain the bug and the exploit I wrote for it. In part two I will explain how I turned this into a CTF challenge and some of the solutions the teams came up with.

MassifCon 2020 - Theft and Doxxing

Sat, 08 Feb 2020 14:00:00 +0100

This February I gave a talk at a private event called MassifCon. The talk was not recorded but the slides are available. If you want a summary of the talk, please ask me the next time we meet.

SANS Holiday Hack Challange 2019: Writeup

Tue, 14 Jan 2020 00:30:00 +0100

Here are my solutions for the 2019 SANS Holiday Hack Challenge.

SEC-T 2019 Talks: Game Boy talks

Tue, 05 Nov 2019 14:00:00 +0100

Earlier this fall at SEC-T 2019 I gave two talks about some projects related to the Game Boy. The recording of the talks are available online at the SEC-T YouTube channel and you can download the slides from here:

SecurityFest 2019 - Software Obfuscation with LLVM

Thu, 27 Jun 2019 21:30:00 +0200

At the end of May, I gave a presentation at SecurityFest 2019. I talked about the code obfuscation and how to use the LLVM compiler framework to obfuscate code. The recorded talk is available at the SecurityFest YouTube channel and you can download the slides here.

0xFF - Talk and workshop about CTF

Thu, 27 Jun 2019 21:20:00 +0200

Back in April, I gave a presentation and hosted a workshop on CTF at the 0xFF meetup. I talked about what CTFs are, why you should play them and how to get started. At the workshop, the participants got to try some basic CTF challenges from various categories. The recorded talk is available at the 0xFF YouTube channel and you can download the slides (from both the talk and the workshop) here.

KonsulaTED - Basics of binary exploitation

Thu, 27 Jun 2019 21:10:00 +0200

Back in February, I gave a presentation at a private meet-up that I run together with some friends where we talk about various technical topics roughly once per month. I talked about the basics of binary exploitation. This lecture was heavily based on the presentation I gave at KTH last year but presented in Swedish this time. The recorded talk (in Swedish) is available my YouTube channel and you can download the slides here.

SecuriTea - Lecture on basics of binary exploitation

Thu, 27 Jun 2019 21:00:00 +0200

Back in February this year, I gave a lecture at the SecuriTea meetup hosted by Foo Café in Malmö. I talked about the basics of binary exploitation. This lecture was heavily based on the presentation I gave at KTH a few months ago but a bit shortened and adapted to be slightly more beginner friendly. The talk was not recorded but you can download the slides here.

Chalmers - Security at KRY/LIVI 2019

Thu, 11 Apr 2019 21:00:00 +0200

In April this year, I gave a lecture at Chalmers University of Technology in Gothenburg. I talked about the security work at KRY/LIVI. The talk was not recorded but you can download the slides here.

KTH - Guest lecture on basics of binary exploitation

Tue, 05 Feb 2019 00:20:00 +0100

Last week, I gave a guest lecture at the Ethical Hacking course at KTH. I talked about the basics of binary exploitation. This lecture was heavily based on the presentation I gave at Google last year but with some extra content added. The recorded talk is available my YouTube channel and you can download the slides here.

SANS Holiday Hack Challange 2018: Writeup

Tue, 15 Jan 2019 20:45:00 +0100

Like the previous past years, SANS organized their Holiday Hack Challenge. It's a great entry level CTF which introduces the players to a wide range of interesting problems. As always, it's packaged as a nice game with a cute story and I try to play through it every year. This post contains the write-up I submitted as part of the challenge.

PasswordsCon 2018: Passwordless authentication

Thu, 03 Jan 2019 02:00:00 +0100

On November 19-20 this fall, I presented at PasswordsCon 2018 which was co-hosted at Internetdagarna in Stockholm. My talk was titled "Protecting medical data with passwordless authentication" and I talked a little bit about how we work with authentication and identification at my work, KRY/LIVI. The recorded talk is available on YouTube and you can download the slides here.

SEC-T 2018: Fun with Symbolic Execution

Thu, 03 Jan 2019 01:50:00 +0100

In September this fall, I gave a lightning talk at SEC-T 2018. My talk was titled "Fun with Symbolic Execution" where I described the basics of symbolic execution and gave examples on how it can be used in exploitation and reverse engineering. The recorded talk is available on YouTube and you can download the slides here. In the talk I show some code examples which you also can download as a zip.

Talk at Google: From Overflow to Shell

Thu, 03 Jan 2019 01:40:00 +0100

In December, I gave a presentation at the Google Stockholm office. It was a presentation for developers working there about the basics of binary exploitation. There was no publicly available recording of the talk but you can download the slides here.

Detectify Hacker School: From Zero to Zero Day

Thu, 03 Jan 2019 01:30:00 +0100

In December, I gave a presentation at a Detectify customer event called "Hacker School". My talk was titled "From Zero to Zero Day" where I talked about my background and journey into security and a cool remote code execution bug we found in GitHub enterprise. There was no publicly available recording of the talk but you can download the slides here.

NixuCon 2018: SMT solvers for analysis and exploitation

Thu, 03 Jan 2019 01:20:00 +0100

In September this fall, I gave a presentation at NixuCon 2018. My talk was titled "Using SMT solvers for binary analysis and exploitation" where I described the basics of symbolic execution and gave examples on how it can be used in exploitation and reverse engineering. I have yet to find the recording of the talk but you can download the slides here. Essentially, the talk was a combination of my SEC-T 2016 and 2018 talks with some extra introduction. In the talk I show some code examples which you also can download as a zip.

Talk at Försäkringsföreningen

Thu, 03 Jan 2019 01:10:00 +0100

In October this fall, I gave a short presentation at "Försäkringsföreningen". My talk was titled "Hacking som utbildning och tävling" where I talked about CTFs and why they are a fun and powerful tool to learn security. You can download the slides here.

Talk at IDG Cloud Confessions 2017

Thu, 03 Jan 2019 01:00:00 +0100

Last year, I gave a presentation at "IDG Cloud Confessions 2017". My talk was titled "GDPR ur ett startup-perspektiv" where I talked about how we at KRY/LIVI have worked with GDPR. You can download the slides here.

Boldport Club Secret Santa - Build Log

Tue, 18 Dec 2018 22:10:00 +0100

As I have written about previously I'm a member of the Boldport Club. Apart from producing amazing DIY electronics projects it's also a great community where electronics interested people interact. Like many communities, this christmas one member took the initiative to organize a secret santa. I thought this sounded like an excellent idea an signed up to this. You can see the end result on my Instagram. This blog post is a short description of what I made and what the process looked like.

T2 Conference 2018: My reflections

Tue, 13 Nov 2018 22:41:00 +0100

As mentioned previously on this blog, I managed to win myself a ticket to the T2 conference in Helsinki. I have visisted the conference once before, last time I won a ticket, in 2016 and had a great experience at that time so expectations were high. This post is a short summary of my experience at the conference.

T2 Challenge 2018 Winner

Thu, 18 Oct 2018 22:52:00 +0200

This year the annual T2 conference decided that their "challenge" would be a little bit different than previous years. I visited the conference in 2016 after winning a ticket through the T2 challenge and I was very impressed by the high quality of the event. This year the challenge was to submit an application proving "To showcase technical excellence and prove you deserve a free ticket". Being from Sweden, as anyone who know about Swedish culture, this required en enormous amount of willpower as boasting about your skills is about as un-Swedish as it gets. However, I pushed through an submitted a motivational letter in the form of a classic five paragraph essay. To my slight surprise and great joy, I won the challenge! This means I'm going to the T2 conference next week. I'm really looking forward to it and hope to see you there. Again casting aside my cultural heritage, I have published the text I submitted to deserve this below.

Security Fest 2018 Challenge Badge & Prize Assembly

Fri, 20 Jul 2018 01:28:00 +0200

At this year's Security Fest fellow security enthusiast Weckzén (@Wecksten) had created a challenge badge since he (rightly) believe that every con needs a challenge badge. I solved the challenge badge, got a prize from him in the form of a Pimoroni Pirate Radio which I assembled and documented here.

Static Jekyll site with S3, CloudFront & CodePipeline

Mon, 09 Jul 2018 23:21:00 +0200

Through my day job I been exposed a lot to AWS. I really like AWS and I think they create some cool services. Until now I have hosted this website on my own server (AWS EC2) using a stack of Ubuntu, Apache and Jekyll. With alternative solutions than doing everything yourself being all the rage now I decided to get rid of managing the server and try to host my website on AWS S3 instead. Yesterday I went ahead and did this migration. It was fairly easy and I went ahead and tweeted about it to which I got this reply by my friend Olle.

H1-702 2018: Writeups

Sat, 30 Jun 2018 16:54:00 +0200

The last two weeks Hackerone have been hosting a CTF as a qualifier for their Las Vegas H1-702 event. The goal was to solve a few Android challenges and a web challenge. To qualifiy for the main event you had to, apart from solving the levels, submit writeups of how you did it. These are the writeups I submitted for my solutions.

SANS Holiday Hack Challange 2017: Writeup

Thu, 11 Jan 2018 19:30:00 +0100

SANS hosted their yearly Holiday Hack Challenge this year as well. It was a fun event, even though I think the story/non-hacking part was better last year. Here is my writeup of the challenges. It's not the most thorough writeup I've done but it outlines my process of solving them.

H1-212 2017: Writeup

Mon, 20 Nov 2017 23:10:00 +0100

Hackerone is hosting an event in New York this december and ran a CTF as a secondary way to get an invite to the event. I visited the H1-702 event in Las Vegas this summer and it was really fun so of course I had to give this a shot as well. The following information was given on the CTF page.

SEC-T 2017 Talk: Unauthenticated encryption in the wild

Sun, 22 Oct 2017 14:00:00 +0200

Earlier this fall at SEC-T 2017 I gave a talk about unauthenticated cryptography. The recording of the talk is available online at the SEC-T YouTube channel.

Security Fest 2017 Talk: Reversing with determination

Thu, 21 Sep 2017 23:20:00 +0200

Earlier this summer at Security Fest 2017 I gave a talk about reverse engineering. The recording of the talk is available online at the Security Fest YouTube channel.

H1-702 2017: Writeups

Mon, 17 Jul 2017 11:17:00 +0200

The last few weeks Hackerone have been hosting a mobile CTF as a qualifier for their Las Vegas H1-702 event. The goal was to reverse engineer a handful of Android and iOS mobile applications and get the flags. To qualifiy for the main event you had to, apart from solving the levels, submit writeups of how you did it. These are the writeups I submitted for my solutions.

Reversing malware USB drives in Gothenburg

Mon, 20 Mar 2017 14:00:00 +0100

This Wednesday reports about USB-drives with malicious code being found in the area Lindholmen in Gothenburg, spread in Swedish media. It was reported by, among others, IDG, Expressen, SVT and even far-right sites such as Nordfront. This quickly spread in social media and all kinds of wild theories started to appear including industrial espionage and Russian hackers using "military-grade encryption". All of this, of course, without any kind of evidence to back it up. Being a strong opponent to the FUD that is very commonly spread in security related events I sought to dig deeper into this.

SANS Holiday Hack Challange 2016: Writeup

Thu, 05 Jan 2017 02:00:00 +0100

This post contains my report for the SANS Holiday Hack challenge 2016.

dJulkalender 2016: Writeups

Mon, 26 Dec 2016 17:22:00 +0100

The computer science chapter at my alma mater, KTH, arranges an advent calendar called "dJulkalendern". It is a CTF-like puzzle with challenges (almost) every day until christmas and also a competition. In 2013 I won the compeition and last year I ended up third. This year I managed to improve a little and take the second place.

SEC-T 2016 Talk: SMT in RE

Thu, 08 Sep 2016 12:50:00 +0200

Today at around 16:00 I'm doing a lightning talk at the SEC-T security conference titled "SMT in reverse engineering, for dummies". ~~A stream to the talk should be available on YouTube where you hopefully will be able to see the talk.~~ It will probably also be available online afterwards. I will update this post with a link.

Boldport Club project 5: The Tap

Wed, 03 Aug 2016 22:34:00 +0200

I have long had the wish to learn more about hardware and DIY electronics but never really found the right motivator or opportunity, that is until now. It was the day following "brexit" I saw a tweet retweeted by Travis Goodspeed promoting the Boldport Club (with a 20% discount). The Boldport Club is kind of like an old school book club which sent you a monthly book, only they send you a monthly DIY electronics kit to assemble. I thought this would be the perfect way to finally get into some hardware so I signed up for three months to try it out. In this post I will guide you through the process of assembling the first project: The Tap.

SANS Holiday Hack Challange 2015: Writeup

Tue, 29 Dec 2015 08:30:00 +0100

This post contains the write-up I submitted for the 2015 SANS Holiday Hack challenge. Enojy.

dJulkalender 2015: Writeups

Fri, 25 Dec 2015 19:06:00 +0100

The computer science chapter at my alma mater, KTH, arranges an advent calendar called "dJulkalendern". It is a CTF-like puzzle with challenges (almost) every day until christmas and also a competition. Last time it was arranged in 2013, I won the challenge but this year I had to settle for a third place.

Solving the GCHQ christmas challenge with Microsoft Z3

Mon, 14 Dec 2015 00:00:00 +0100

British intelligence agency GCHQ has released a christmas card. It contains a sudoku like puzzle where you color squares in a grid according to a set of constraints. The christmas card challenge along with a description can be found on their website. It looked like it could be solved by hand without too much effort but I figured it would be more fun to write a program to solve it for me. Recently I have been playing with Microsoft's constraint solver, Z3. I thought this would be a perfect tool to solve the challenge with.

As stated previously, the challenge consists of a grid, specifically a 25x25 grid with series of numbers written next to each column and row and with some of the cells already filled in. Below is an image of the grid. Apparently, this is famous type of puzzle called a Nonogram. I didn't know this until after I wrote this and a friend pointed it out. You know what they say, you learn something every day.

DefCamp D-CTF Qualifiers 2015: Writeups

Sun, 22 Nov 2015 17:10:00 +0100

A few weeks ago we participated in the DefCamp D-CTF qualifiers. We performed really well and ended up in fourth place, just a single point behind number three. This earned us a place in the finals in Bucharest at the DefCamp conference.

SEC-T CTF 2015: Writeups

Sun, 04 Oct 2015 13:43:00 +0200

Earlier this month I was at the SEC-T conference. In addition to listening to several awesome talks by very interesting speakers I also participated in the CTF which was held during the conference. We, HackingForSoju, chose to play individually rather than together in this CTF, which was available for remote players. We did this because it was a small competition and we thought it would be more fun to let everybody practice.

PoliCTF 2015: Writeups

Tue, 14 Jul 2015 13:49:00 +0200

This weekend we participacted in PoliCTF, a CTF arranged by Italian team Tower of Hanoi. It was a very well arranged 48 hours CTF with good variety and minimal amount of guesswork. We had five players working throughout the weekend: mxn, capsl, ZetaTwo, avlidienbrunn and hspe. We performed very well and ended up on second place. This brought us up to 12th place on the season scoreboard. In this post I will explain the challenges I solved:

On-Off Keying (ASK) with SDR

Tue, 23 Jun 2015 18:22:00 +0200

About a year ago I bought a HackRF from Great Scott Gadgets with the goal to learn more about radio and in particular software defined radio, SDR. Michael Ossmann of GSG has created a course in SDR which I started following which covers a lot of the basics. After completing the "hello world" of SDR, namely a FM radio receiver and listening to the episode about on-off keying, I started to think about what the next step for me would be. My family have a wireless doorbell which hasn't been installed yet. It seemed like a perfect candidate for learning more about on-off keying, OOK, or amplitude shift keying, ASK, which it is also called.

Generating uniform random numbers

Mon, 18 May 2015 23:55:00 +0200

We have all probably at some point in our programming career been required to generate a uniformly distributed random number in an interval $[A,B]$.

Site up again

Mon, 18 May 2015 23:28:00 +0200

After like two years or so, my site is up again. There is stuff missing but I may add some things back later. If you find any problems with the site, contact me or open an issue on the GitHub repo. A big thanks to f0qnax for providing me with the design.

About me

Mon, 01 Jan 0001 00:00:00 +0000

My name is Calle "Zeta Two" Svensson. I'm a 35 year old graduate in engineering physics with a master's degree in computer science focused on IT security. Computers and programming have been a very large part of my life since I was very young. This site is the fifth incarnation of Zeta-Two.com since the original site I created in 2005 and acts as a blog about IT and other technology topics. I currently work as a security engineer at XTX Markets in London.

Challenges

Mon, 01 Jan 0001 00:00:00 +0000

On this page I plan to publish various challenges I have created. I currently only have one challenge here but I have an ambition to create more over time, especially focused on game hacking.

Starcraft: Brood War - EUD Pwnable

The goal of this challenge is to exploit an old bug in Starcraft: Brood War. It was originally developed for the Midnight Sun 2020 CTF but I have now published it here for anyone to try out. To attempt the challenge, download the materials, follow the instructions and start hacking. Once you have solved the challenge, please send me an email as outlined in the README file. If there are any issues with the challenge, reach out to me. Note that there are public write-ups of the challenge but I expect you to not simply copy-paste an existing solution. I will soon also publish a post about building the infrastrucure for this challenge as it was quite a project.

Services

Mon, 01 Jan 0001 00:00:00 +0000

My primary skills are within IT security, reverse engineering and software development. I have a full time job but am available for short freelance projects after hours. If you are interested in hiring me for a shorter engagement, please send me an email at calle.svensson@zeta-two.com.

Consulting

I provide consulting services within application security, software development or systems administration. My speciality is reverse engineering where I have experience with a broad range of architectures and systems. Typically, I'm available for shorter projects, from a couple of hours up towards a week as I don't want to commit to anything longer while already working full time.

Talks

Mon, 01 Jan 0001 00:00:00 +0000

I have given a few talks at various conferences and other contexts. I have collected them all here for your enjoyment. If you want me to come and give a presentation at your event or your company, feel free to contact me by e-mail directly.

Talks in English

SEC-T 2016 Talk: SMT in RE - A talk about how SMT can be used in Reverse Engineering originally given at SEC-T 2016.
Security Fest 2017 Talk: Reversing with determination - A talk about Reverse Engineering techniques at Security Fest 2017.
SEC-T 2017 Talk: Unauthenticated encryption in the wild - A talk about the problems of using unauthenticated encryption given at SEC-T 2017.
Nixucon 2018: Using SMT solvers for binary analysis and exploitation - Essentially my SEC-T 2016 and 2018 talks combined into a longer talk.
SEC-T 2018 Talk: Fun with symbolic execution - A talk about symbolic exection and examples on how to use it.
PasswordsCon 2018 - Protecting medical data with passwordless authentication - A talk about how we do authentication and identification at KRY/LIVI.
Talk at Detectify - From Zero to Zero Day - A talk about my background how to get into security and an RCE in GitHub.
Talk at Google Stockholm - From Overflow to Shell - A presentation about the basics of binary exploitation.
Guest lecture at KTH - The Basics of Binary Exploitation - A presentation about the basics of binary exploitation.
SecuriTea - Lecture on basics of binary exploitation - A presentation about the basics of binary exploitation.
0xFF - Talk and workshop about CTF - A presentation and workshop about CTFs.
SecurityFest 2019 - Software Obfuscation with LLVM - A presentation about code obfuscation and LLVM.
SEC-T 2019 - Game Boy hacking / Bringing VGA to the Game Boy - Two presentations given at SEC-T 2019 about Game Boy hacking and building a Game Boy VGA adapter
Chalmers - Security at KRY/LIVI 2019 - A presentation I gave to students at Chalmers University about the security work at KRY/LIVI.
Chalmers - Security at KRY/LIVI 2020 - A presentation I gave to students at Chalmers University about the security work at KRY/LIVI.
MassifCon 2020 - Theft and Doxxing - A talk about the two most unethical things I have done in my career.

Upcoming talks

Currently none

Trainings

Mon, 01 Jan 0001 00:00:00 +0000

Basics of Binary Exploitation

This is the training I gave at Security Fest and SEC-T during 2019. It is a basic training that serves as an introduction to the area of binary exploitation. The text below is a copy of the information available on the SEC-T registration page. If you or your organisation is interested in buying a training on this topic, please contact me at calle.svensson@zeta-two.com

Overview

Binary exploitation is the topic concerning the finding and exploitation of vulnerabilities in low-level code, particularly machine level code. It is usually considered one of the more complex areas of IT security and some of the exploits produced sometimes chain together dozens of moving parts in mind-boggling ways to cause programs to behave in a completely unintended manner. The field is the basis of high-severity exploits such as OS privilege escalation, jailbreaks and browser exploits.