Solving uncrackable1

bypass root

In the root bypass segment, we can see from the decompiled code that the check takes place here:

if (c.a() || c.b() || c.c())
  a("Root detected!");
if (b.a(getApplicationContext()))
  a("App is debuggable!");
super.onCreate(paramBundle);

Digging down a bit more, we can locate the function declarations under sg.vantagepoint.a.c. We will override all of these functions so that they always return false; the application will then believe that no su binary exists on the system, implying that the device is not rooted.

Read more

Basic Frida commands

init

Frida is a reverse engineering framework which can be used to

installed apps

The command below lists the applications installed on the virtual mobile device (running ones show a PID, the rest show "-").

$ frida-ps -Uai
 PID  Name           Identifier                
----  -------------  --------------------------
3054  Calendar       com.android.calendar      
2463  Clock          com.android.deskclock     
3141  Email          com.android.email         
3175  Gallery        com.android.gallery3d     
3554  Hello App      com.example.helloapp      
3198  Messaging      com.android.messaging     
2547  Phone          com.android.dialer        
2299  Settings       com.android.settings      
3372  WebView Shell  org.chromium.webview_shell
   -  Calculator     com.android.calculator2   
   -  Camera         com.android.camera2       
   -  Contacts       com.android.contacts      
   -  Files          com.android.documentsui   
   -  Music          com.android.music         
   -  Search         com.android.quicksearchbox

run script

The command below runs the script against the target application.

Read more

How to open an etl file

I was faced with a difficult situation where I had to find out why a SentinelOne agent would not communicate with the management portal. I ran the troubleshooting script, which generated many files, and among them there was a packet capture file, as we can see below:


We can use etl2pcapng.exe to convert the ETL log file into a pcap file. The executable is linked in the reference section.

Read more

Windows privilege escalation

init

When we have a reverse shell, we may need to create a user from that shell so that we can access the domain as a domain admin. However, sometimes you might only have the hash of that user and be unable to log in locally.

In such a situation, it can be useful to create an AD domain user and work from that account.

To create the user:

PS C:\users\robb.stark\Desktop> New-ADUser adm1n
New-ADUser adm1n

To check that the user was created successfully:

Read more