ForeFlight Sentry Firmware v1.0.17

Remember these? Don’t worry, uncle Dimme is back with the latest and the greatest!

My Sentry decided to update and of course I had to do some sniffy sniffy. Here is the latest firmware for those who are interested in being able to downgrade their devices:

And just in case this is the last firmware ever, here is the request sent by the iPad upgrade Sentry. It contains all information needed to perform a downgrade too.

Or click here at http://192.168.4.1/:

How I passed OSCP in 2024

…and why it probably won’t work for you.

Background

An important factor is one’s prior experiences. It is very likely that I was coding, setting up web-servers, routers, hacking WiFi, and compiling Apache before you were born. Keep that in mind as I explain what worked for me. No I’m not 100 yet, just 37.

Beyond that, I have a Master’s in Computer Science, researched in Wireless Communications for 3 years, worked as an Embedded Software Developer for 3 more years, and worked as a Security Analyst in a SOC for a year and a half after that, before embarking on my OSCP journey. Why do I need the OSCP if I did all that? Personally, I don’t need it, but HR doesn’t care how may PhDs you have, or what you do in your free time. All that matters nowadays is certifications from private companies.

Timeline

Prior purchasing the OSCP course, I set up a plan on how to get there. I wanted to be structured and do as much as possible to maximize my chances of passing the exam. The plan was:

  1. Complete the Offensive Pentesting TryHackMe learning path.
  2. Complete TJ_Null’s list of Hack The Box OSCP-like machines.
  3. Enroll in the OSCP/PEN-200 course and complete your certification.

I completed 1. Being super-motivated in the beginning, I started on TJ_Null’s list. I did a few machines on the list and a few others that attracted my attention (Lame, Brainfuck, Shocker, Bashed, BroScience). Then life got in the way, motivation kinda went down and I didn’t do much more.

On May 25th 2023 I purchased the OSCP course. Due to work and life, by mid-April 2024 (almost a year later) I had only gone through 18 out of the 25 chapters in the training material, and I had completed zero (0) challenge labs. With a bit over a month left in my subscription, I started panicking.

So what did I do? What I do best; isolated myself from the world and focused 110% on one single task. April 21st-23rd I finished all remaining chapters in the training material and did all of the Capstone exercises. I had decided that if I’m gonna have any chance to pass, I will need the 10 bonus points. That meant that I had a bit over a week to complete 30 out of the 57 challenge labs. Starting on April 23rd, I went full beast-mode on the challenge labs. By April 28th, and after I had lost 4 kgs, I had completed 37 our of the 57 challenge labs and therefore earned the aforementioned 10 bonus points. Btw, thanks to the guys and girls in the #pen-200-challenge-labs Discord! Invaluable help!

I decided this is enough, I got of out of my cave, and had a BBQ for May 1st with some friends, to replenish my lost weight during the week of horror.

The day is May 2nd, 08:00 AM, and the exam starts. I started with the AD-set, but I was struggling to gain foothold. At around 10:30 AM I gave up on the AD-set, and started focusing on the other independent machines. By 03:20 PM I had pwned all independent machines and took a breath of relief. I had technically passed the exam since I had 60 points + 10 bonus points = 70 points.

I took a break for half an hour or so, had a cup of coffee, and went back to tackle the AD-set. No kidding, I was banging my head on the AD set for hours and hours, until around 02:00 AM the NEXT day, without getting anywhere. Eventually, I gained foothold. I cannot go into details but I can say that OffSec loves their rabbit-holes. If you get stuck somewhere it is likely a rabbit-hole. Having gained foothold, I pwn the entire AD-set and get domain admin by 04:15 AM.

By that point I’m completely exhausted. I haven’t slept for over 22 hours. I spent another hour checking that my notes are compete, I checked out and went to bed. The next day I wrote the report as detailed as possible and uploaded it to the portal according to OffSec’s instructions. By May 5th I had the pass mail in my inbox, 12 days after I started working on the challenge labs.

Reflections

Was the exam hard?
Not really. Not hard, but tricky. The recipe that works for me is curiosity. Privilege escalation was easy for me since I click and look everywhere and don’t even have to do any advanced enumeration to get there. What I suck at is initial enumeration. For that I probably needed a checklist, but my chaotic nature eventually worked out and I got in. What should you do? Do that works best for you.

Did I do any PG boxes?
Nope, didn’t touch them. Just the training material, and the following challenge labs: Medtech, Relia, OSCP-A, OSCP-B, OSCP-C.

How did I take notes? What was my structure?
I had no structure. Studying in constrained time conditions meant that I had to do the best I can with the limited time available to me. My tactic was to have a document and just dump any useful commands that I find in there. Then Ctrl+F in that document during the exam and hack on! How should you take notes? The way that works best for you!

Should I put more focus on A or B?
All subjects within the OSCP study material are equally important. Just because I got something on the exam it doesn’t mean that you will get the same.

Do I have any final thoughts?
Yes. Do like me: Assume that you suck at this and prepare for failure. The best way to prepare for failure is to ensure you have the 10 extra bonus points on the exam. By doing so, you may accidentally learn something and score 100 + 10 points on the exam.

Sagemcom F@st 2404 Original Firmware

Greetings, future me or anyone else who may stumble upon this message.

Have you encountered the unfortunate situation of being compelled to use a Sagemcom F@st 2404 ADSL modem? Perhaps you were daring enough to install OpenWRT on it, only to realize that you lack the necessary 3.3V serial cable to proceed past the “firstboot” screen.

Fear not, for Uncle Dimme once again comes to the rescue! No need to delve deep into the abyss of scouring Tunisian telecom-company forums in search of the original firmware.

Here’s a simple solution for you:

  1. Download the Original Firmware from here (F2404_3_33_8a4_fs_kernel_NONE.DAT.zip) and unzip it – hooray!
  2. Press and hold the reset button on the modem.
  3. Power up the modem while continuing to hold the reset button.
  4. After approximately 20 seconds, observe the power LED turning red, and then release the reset button.
  5. Connect an Ethernet cable and manually configure your PC’s IP address to 192.168.1.2.
  6. Open your web browser and go to 192.168.1.1, then proceed to flash the firmware.
  7. Allow a minute for the process to complete.
  8. Reboot your router using the web interface.
  9. Embrace the joy of your less-than-stellar, sluggish ADSL internet.

May your online ventures be filled with perseverance and patience!

ForeFlight Sentry Firmware

Ah, ForeFlight (uAvionix cough cough) sure knows how to restrict your freedom when it comes to upgrading or downgrading your Sentry firmware.

But fear not, for Uncle Dimme is here to save the day!

By the way, I strongly advise against using any of these files for any purpose. I cannot accept any responsibility whatsoever… Seriously, I won’t take any blame.

Oh, and if you’re not a fan of the filenames, remember to direct your frustrations towards Alonzo!

Telia Sagemcom and 1.1.1.1

If you are unfortunate enough to have been given a Telia WiFi router model F@st 5370e made by Sagemcom, you may have experienced that IP 1.1.1.1 is unreachable. [1, 2, 3]

1.1.1.1 is a public DNS server provided by Cloudflare that many of us prefer to use, instead of, let’s say, Telia’s own snooping DNSes or Google’s 8.8.8.8. Of course, an alternative is to use 1.0.0.1, which also provides the same service by Cloudflare, but where is your backup DNS in that case?

The reason it is unreachable is that the router is using this IP internally for an interface called “IP_BR_LAN_LXC“. LXC is a userspace interface that can be used to create and manage application containers.

You can disable the “IP_BR_LAN_LXC” interface by following the instructions given below:

  1. Login to you router’s “admin” (sic) interface by browsing to http://192.168.1.1
  2. If you’re using Firefox or Chrome, press “F12” and navigate to the “Console” tab.
  3. Enter the following command and press Enter: $.xmo.setValuesTree(false,"Device/IP/Interfaces/Interface[Alias='IP_BR_LAN']/IPv4Addresses/IPv4Address[Alias='IP_BR_LAN_LXC']/Enable");

That’s it, 1.1.1.1 should now be reachable. I have not experienced any issues by disabling this interface. Maybe I’ve blocked Telia from using some remote tools to mess with my router? I call this a win in that case. If for some reason, you want to reverse the setting above and re-enable this interface, you can do so by typing the following command into the console:

$.xmo.setValuesTree(true,"Device/IP/Interfaces/Interface[Alias='IP_BR_LAN']/IPv4Addresses/IPv4Address[Alias='IP_BR_LAN_LXC']/Enable");

Bonus: While you’re at it, block 8.8.8.8 and 8.8.4.4 from your network. Reason? Android, and in general Google devices, are using this DNS regardless of your DHCP settings. You can block them by going to this hidden path in your router and adding 8.8.8.8 and 8.8.4.4:

http://192.168.1.1/0.1/gui/#/access-control/parental-control/filtering

PS: You can either change the DNS servers on a per-device basis, or you can change the DNS servers that your DHCP server is announcing to your local network. This can be done using the following hidden URL:

http://192.168.1.1/0.1/gui/#/mybox/dns/server

DISCLAIMER: I don’t take any responsibility for any of your actions blah blah blah…

Can you capture the flag?

Preface

HEY! Stop cheating! Go back to the CTF and try to solve it on your own!

The required resources to solve this CTF are now offline.

During the last year or so I created a CTF out of boredom. I posted a QR code / string to various friends, work colleagues, and on-line forums where I expected people to be able to solve it.

This is the QR code which decodes to:

#QBdg%HGILH&R9vch)NBTAt5.X3oWb\BxMbn5,GR0wTQ*0xuHBc=

Sadly nobody has been able to solve it so far, which I find a bit strange. No way I’m that awesome that I have created the best way to obfuscate data on the Internet? Probably the right person to solve it has not yet come along, or maybe I wasn’t effective enough at spreading the CTF to enough people capable of solving it.

Anyway, here is the solution.

Step 1

By looking at the string the solver should recognize the striking similarity it has with a base64-encoded string, indicated by the “=” character at the end of the string. However there seem to be a bunch of other characters that do not belong in a base64 string.

A closer look will reveal that, starting with the first character, every 6th character after that doesn’t belong in a base64 string. So there is a pattern. Let’s remove every 6th character and see that we have left:

Base 64 string: QBdgHGILHR9vchNBTAt5X3oWbBxMbn5GR0wTQ0xuHBc=
Characters that don’t belong: #%&).\,*

Now we have a valid base64 string! Let’s decode it and see what we get:

@`borALy_zlLn~FGLCLn

Yeah, it doesn’t make much sense. The solver is now supposed to recognize that the base64 string decodes to binary data. Why would that be the case? Let’s go back to the extra chars that don’t make sense, why did we have those chars there? It is highly possible that the binary data is actually encrypted data and the extra chars are the key. What is the simplest cipher for binary data encryption? The XOR cipher. Alright, let’s write a small script to test this hypothesis:

<?php
$string = "QBdgHGILHR9vchNBTAt5X3oWbBxMbn5GR0wTQ0xuHBc=";
$key = "#%&).\,*";

// Base64 decode
$dec = base64_decode($string);

// XOR decode $dec with $key
for ($i = 0; $i < strlen($dec); $i++) {
  $dec{$i} = $dec{$i} ^ $key{$i % strlen($key)};
}

// Echo the result
echo $dec;

Wow it worked, we get something that makes sense:

c2F5LW15LW5hbWUuY3J5b2Rldi5jb20=

Now let’s base64 decode this and see what we get:

say-my-name.cryodev.com

Step 1 completed.

Step 2

Step 1 provided us with a hostname. Let’s open it up in a browser and see what we get:

Those Greeks have concealed my writing, keep looking…

Interesting, not much information here. But wait, “say-my-name” must be a reference to something. Name -> Domain Name System -> DNS. Alright, let’s see if there are any TXT DNS records for this subdomain:

$ host -t TXT say-my-name.cryodev.com
say-my-name.cryodev.com descriptive text "/bobby-tables"

Step 2 completed.

Step 3

Step 2 revealed a TXT DNS record. It returns "/bobby-tables". So let’s append that to the hostname previously found and visit http://say-my-name.cryodev.com/bobby-tables:

An XKCD comic appears… named exploits_of_a_mom.jpg. Is there an SQL injection vulnerability on the site? Maybe, but currently we cannot find any GET/POST variables on the site to exploit. Let’s keep looking… The solver should recognize that the image ends with .jpg. XKCD comics are always .png! Oh wait, one more thing. Do you remember this quote from earlier?

Those Greeks have concealed my writing, keep looking…

The solver is now supposed to think of Steganography. A quick Wikipedia search reveals:

The word steganography comes from New Latin steganographia, which combines the Greek words steganós (στεγανός), meaning “covered or concealed“, and -graphia (γραφή) meaning “writing“.

Got it now? There must be a message steganographically hidden within the .jpg image. A quick Google search reveals that the most common steganography tool in Linux is steghide. Let’s see if that can decode anything:

$ steghide --extract -sf exploits_of_a_mom.jpg 
Enter passphrase: # try without a passphrase
wrote extracted data to "message.txt".
$ cat message.txt 
?mom

Step 3 completed.

Step 4

Step 3 revealed what we desperately needed all along, a GET variable! Let’s visit http://say-my-name.cryodev.com/bobby-tables/?mom and see what we get:

Come on, I’m spoon-feeding you now!

Alright alright, let’s assign some value to ?mom e.g. http://say-my-name.cryodev.com/bobby-tables/?mom=1:

Name: Robert

Interesting, a reference to Robert “Bobby Tables” from the comic. Let’s seek for an SQL injection at ?mom, e.g. using something like http://say-my-name.cryodev.com/bobby-tables/?mom=1' OR 'x'='x:

Name: Robert
Name: https://www.youtube.com/watch?v=6Ejga4kJUts
Name: https://www.youtube.com/watch?v=jxjeqCd6Zm0
Name: https://upload.wikimedia.org/wikipedia/en/0/00/Machine_Head_album_cover.jpg

Step 4 completed.

Step 5

In step 4 we injected a GET variable and retrieved a bunch of database entries in the form of various links. The first link points to the Cranberries song “Zombie” with the unforgettable chorus “In your head, in your head“. RIP Dolores :'( The second and third links both refer to a band named “Machine Head“.

Did you get it yet? Yes we have to check the HTTP header! A quick inspection in your favorite browser’s inspection tool reveals the following entries that don’t belong there:

Step 5 completed.

Step 6

Step 5 revealed a telnet server and a telnet key. Let’s make a telnet connection and see what we get:

$ telnet bofh.cryodev.com 666
Trying 83.212.84.234...
Connected to bofh.cryodev.com.
Escape character is '^]'.
OQZaPmlBB1wKIGILaSooGFZRfkk7HnY0CgctVxFIUUcHJmUZBHw8B24rcgsbP2YIKXQnJX0oOlsiaDgWIXMPMXo1eEInIHYBUSoKBHggCXk4fwQJDHNBRjsyKkIBeHoVF1lXEX0wYh0jMGUQAnYZKlBcLk4xdwJLCwcyLGofdE00P2UfaSVPA30kelsoCmEJDHMQQBEDXFM3DGVCBHNfBH0/RAcYW1cEKmQrKlE5UQUxeBYMDGMbIHo1NUQPWmEfVDVCD20NAVsoN1sJMnMURBMiOk0CHAoIHHMgEVEvCRkgMG0WKAEncA==
Connection closed by foreign host.

Very interesting, yet another base64 string. Can we decode it directly?

9Z>iA\
 bi*(VQ~I;v4
-WHQG&e|<n+r?f)t'%}(:["h8!s1z5xB' vQ*
x 	y8	sAF;2*BxzYW}0b#0ev*P\.N1wK2,jtM4?ei%O}$z[(
a	s@\S7eBs_}?D[W*d+*Q9Q1xc z55DZaT5Bm
[(7[	2sD":M
s Q/	 0m('p

It doesn’t seem so, we get binary data again. Oh wait, we have the X-Telnet-Key from earlier! Let’s run the XOR cipher once more with the new key and the new base64 string and see what we get:

<?php
$string = "OQZaPmlBB1wKIGILaSooGFZRfkk7HnY0CgctVxFIUUcHJmUZBHw8B24rcgsbP2YIKXQnJX0oOlsiaDgWIXMPMXo1eEInIHYBUSoKBHggCXk4fwQJDHNBRjsyKkIBeHoVF1lXEX0wYh0jMGUQAnYZKlBcLk4xdwJLCwcyLGofdE00P2UfaSVPA30kelsoCmEJDHMQQBEDXFM3DGVCBHNfBH0/RAcYW1cEKmQrKlE5UQUxeBYMDGMbIHo1NUQPWmEfVDVCD20NAVsoN1sJMnMURBMiOk0CHAoIHHMgEVEvCRkgMG0WKAEncA==";
$key = "h4cK3rM4nh4x0rz";

// Base64 decode
$dec = base64_decode($string);

// XOR decode $dec with $key
for ($i = 0; $i < strlen($dec); $i++) {
  $dec{$i} = $dec{$i} ^ $key{$i % strlen($key)};
}

echo base64_decode($dec);

And the result is:

Congratulations! You solved the riddle! There is no prize, I’m too poor for that, I was just bored and made this. Let me know if you would like to brag: <my email here>

Step 6 completed.

Conclusion

So, that’s the CTF. Do you think it was too complicated? I think the first step was the hardest, once you recognize the XOR cipher and the fact that it can be reused in step 6 the CTF is not that complicated.

Anyway, I will leave the infrastructure for this CTF up and running for a few more weeks if anyone wants to verify my solution, but then I will take it down.

Thanks for reading!

PS: Don’t try to hack my server using the intentionally created SQL injection, it will not work ;)

Mollymawk tests

Yes, I am alive. I know I haven’t posted anything in three years. There are many reasons behind this, but I will leave this for another time.

As I mentioned in an earlier post, I got into this aviation thing back in 2015. Since then, I have taken it further and completed a commercial pilot’s license with multiple engine and instrument ratings and some other stuff. What does this all mean? I can now fly the big birds for money if an operator decides to hire me. But to the big question, how do you get an operator to hire you?

It is not a simple task; you have to submit countless applications and be prepared never to hear back from anyone. They say there is a pilot shortage, hmm…? If you are lucky, you might be called to an assessment. What? You don’t know what an assessment is? Don’t worry. I got you covered.

In the aviation industry, assessments are what job interviews are in any other field of work. But since pilots are rich (we are rich, right? somebody, please confirm?), assessments have to be complicated money and time-consuming processes. I was partially lucky and got called to an assessment for an operator called SunExpress. Spoiler alert: I didn’t get the job. I have nothing but good things to say about SunExpress. They are very professional in what they are doing and have high standards for their pilots. The reason I failed in my assessment is purely my own fault.

It basically works like this: You get a phone call, which is some kind of unofficial first interview. If they are happy with you after the phone call, you get invited to do an online ITEP English proficiency test. If you pass the ITEP test, you get invited to do some psychometric tests at SunExpress’s own premises. If you pass the psychometric tests, you get invited to do a simulator test-flight in a full-motion Boeing 737-800 simulator. The simulator was a lot of fun to fly, but this is as far as I got. If you pass the simulator test, you get invited to a formal interview, and if you pass the interview, you get the job! Phew…

Boeing 737-800 Simulator
Boeing 737-800 Full Motion Simulator

So what are the psychometric tests? They are the Mollymawk psychometric tests, also used by other operators like CargoLux and Pegasus Airlines. They are split into two categories: skill tests and aptitude tests. The skill tests test your knowledge in math, science, and English. Those were the easy ones for me. The aptitude tests test your memory, orientation skills, and ability to multitask, divided into three computer “games” named “Working Memory” “Spatial Orientation” and “Time Sharing”.

To do the Mollymawk tests, you have to purchase two packages: skill and aptitude tests. Each package costs 150€, and if you fail one subject or game in one package, you have to re-purchase the whole package to do the failed test again. The first time I did the Mollymawk tests, I passed the skill tests but failed the aptitude tests. Thus I had to re-purchase the aptitudes package to do the tests a second time. Luckily the second time, I passed. You only get one second chance. In total, I spent 450€, not counting travel expenses, as a part of what essentially is a job interview for a job that I didn’t get.

I felt that more practice would give me a better chance to pass the aptitude tests on the first go. The aptitude tests are essentially a form of primitive computer games. When you purchase the aptitudes package, they give you 10 practice runs in each game you can play at home. They argue that the learning curve is logarithmic and that after 10 practice runs, you have asymptotically reached your optimum ability in playing the games, but I doubt that. As anyone knows, practice makes perfect. So I decided to code my own version of the games and help other pilots truly reach the optimum before doing the final tests.

I have created a Mollymawk test practice website, where I have implemented my own version of the Mollymawk games. A user can register an account and purchase one of the three time-limited packages for playing the games. The games may be played unlimited times!

I have also implemented an interface for the users to track their progress as they are getting better:

Why do I ask for money and not put it out for free if I truly care about the other pilots? Somehow, I have to make back the money I lost during my earlier “job interviews”. After-all, pilots are rich. We rich guys, right? Do we have no problems paying 19€ instead of 150€ for doing the tests a second time?

Anyhow, if you are a pilot and in need of my services, I truly hope I helped and wish you the best of luck!

And remember, when in doubt, go around! (preferably above 1000 feet GND in IMC, unlike me).

Dirty Filthy PCBs

I just received 10 PCBs that I ordered from dirtypcbs.com a couple of weeks ago. I have to say that the quality is amazing. For $14, they are not dirty at all! They lack gold-plated pads, unlike PCBs from OSHpark, but if that is none of your concerns, then it’s a go! I don’t claim that OSHpark is obsolete now, but for simple prototyping, when you want to be allowed to make mistakes, dirtypcbs are filthy enough to allow you to do that.

image