voidsec, 2023-06-22T22:51:43+02:00
Recently, a threat actor (TA) known as SpyBot posted a tool on a Russian hacking forum that can terminate any antivirus/Endpoint Detection & Response (EDR/XDR) software. IMHO, all the hype behind this announcement was utterly unjustified, as it is just another instance of the well-known Bring Your Own Vulnerable Driver (BYOVD) attack technique, where a legitimate signed driver is dropped on the victim's machine and later used to disable security solutions and/or deliver additional payloads.
This technique requires administrative privileges and User...
Windows Exploitation Challenge – Blue Frost Security 2022 (Ekoparty)
voidsec, 2023-06-14T17:52:49+02:00
Last month, during Ekoparty, Blue Frost Security published a Windows challenge. Since a Windows exploitation challenge is one of a kind in CTFs, and since I found the challenge interesting and very clever, I've decided to post about my reverse engineering and exploitation methodology.
Only Python solutions without external libraries will be accepted
The goal is to execute the Windows Calculator (calc.exe)
The solution should work on Windows 10 or Windows 11
Process continuation is desirable (not mandatory)