Nyastrid boosted

Cellebrite payload dump from a Samsung phone in this thread: donotsta.re/objects/482cd0c0-4

I’d suggest two things:

a) people mirror the download

b) Google and others take a look. From a quick look, it appears they use a zero day in a Linux USB device driver to unlock the phone

Nyastrid boosted

they killed god and replaced her with an autocomplete and a subscription model and the devil does not haunt this world anymore because our souls are no longer worth taking

Nyastrid boosted

About 1.5 years ago my friend was (wrongly) accused of terrorism.

All of their electronic devices were seized, plus my stash of hard drives (which were at their place for reasons).

Of course they didn’t find any evidence. The culprit who framed my friend (and many others) was arrested (article in Polish).

Upon returning the hardware, I found that all of my hard drives had been destroyed, which made me (understandably) pissed.

We’re very good friends, so I’ve been given their personal phone that was pwned with Cellebrite. It hasn’t been turned on since the police extracted data from it, so I decided to do some forensics on it.

As it turns out, the police forgot to clean up after themselves. I took a peek at the first-stage payload, but it’s too complex for me to reverse-engineer. It’s clear it’s full of obfuscations and is even using TLS to talk to the Cellebrite box.

If you’re a security researcher (or just a curious nerd with more spoons than me) and you want to take a look at it - here you go.

The payload was uploaded onto the device on 2024-02-21. If you want to re-create the environment it was executed on, you will need:

  • Samsung Z Flip3 5G (SM-F711B)
  • Android build SP2A_220305.013.F711BXXS2CVHF

Rough execution flow:

1. USB device plugged in (Cellebrite Cheetah)
2. USB controller switches to host mode
3. Gadget switching USB VID/PID to load kernel modules
4. Module 'hid_akeys' leaks memory
5. Screen unlocked
6. ADB key '82:E5:EA:F3:DC:D1:7D:CA:65:3C:D4:58:65:CD:81:8E' added to trusted keys on the device
7. First-stage payload '/data/local/tmp/falcon' copied onto the device.
8. Second-stage payloads executed as root:
	- /data/local/tmp/chrome-command-line
	- /data/local/tmp/android-webview-command-line
	- /data/local/tmp/webview-command-line
	- /data/local/tmp/content-shell-command-line
	- /data/local/tmp/frida-server-16.1.4-android-arm64
	- /data/local/tmp/init
9. Data extraction (photos, telegram, firefox, downloads)

# Unanswered question: What the hell is "jtcb.sdylj.axpa" running as root? Seems to have been dropped around the same time...

Have fun!
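The post above names three artifacts the extraction left on the phone: an authorised ADB key, payload files under /data/local/tmp, and an unexplained package. The Python below is an added example (not the poster’s code, and not Cellebrite’s) that turns those indicators into an offline triage pass over text you have already pulled from a device. It computes the fingerprint Android shows for an adb_keys line the way AOSP’s AdbDebuggingManager does (MD5 over the base64-decoded key blob, upper-case hex, colon separated) and compares it with the fingerprint quoted in the post, and it matches captured `ls -la` and `pm list packages` output against the paths and package name quoted there. The sample adb_keys line, directory listing and package list are constructed for the example; reading /data/misc/adb/adb_keys needs root on the device, so the script takes that text as input rather than fetching it.

```python
from __future__ import annotations

import base64
import hashlib
import re

# Indicators quoted in the post above. Extend these as you find more.
CELLEBRITE_ADB_FINGERPRINT = "82:E5:EA:F3:DC:D1:7D:CA:65:3C:D4:58:65:CD:81:8E"
PAYLOAD_PATHS = {
    "/data/local/tmp/falcon",
    "/data/local/tmp/chrome-command-line",
    "/data/local/tmp/android-webview-command-line",
    "/data/local/tmp/webview-command-line",
    "/data/local/tmp/content-shell-command-line",
    "/data/local/tmp/frida-server-16.1.4-android-arm64",
    "/data/local/tmp/init",
}
SUSPECT_PACKAGES = {"jtcb.sdylj.axpa"}


def adb_key_fingerprint(line: str) -> str:
    """Fingerprint of one /data/misc/adb/adb_keys line ("<base64 blob> user@host"),
    formatted as the USB-debugging prompt shows it: MD5 of the base64-decoded
    blob, upper-case hex pairs joined by ':' (AOSP AdbDebuggingManager)."""
    blob = base64.b64decode(line.split()[0])
    return ":".join(f"{b:02X}" for b in hashlib.md5(blob).digest())


def scan_adb_keys(adb_keys_text: str, suspicious: set[str]) -> list[tuple[str, str]]:
    """Return (fingerprint, trailing comment) for each key whose fingerprint is suspicious."""
    hits = []
    for raw in adb_keys_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fp = adb_key_fingerprint(line)
        if fp in suspicious:
            comment = line.split(maxsplit=1)[1] if " " in line else ""
            hits.append((fp, comment))
    return hits


def scan_tmp_listing(ls_output: str, directory: str = "/data/local/tmp") -> list[str]:
    """Match `ls -la <directory>` output against PAYLOAD_PATHS. The file name is taken
    as the last whitespace-separated field, which is fine for the names listed above."""
    found = []
    for line in ls_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or line.startswith("total"):
            continue
        path = f"{directory}/{parts[-1]}"
        if path in PAYLOAD_PATHS:
            found.append(path)
    return found


def scan_packages(pm_output: str) -> list[str]:
    """Match `pm list packages` output (lines like 'package:com.example') against SUSPECT_PACKAGES."""
    names = re.findall(r"^package:(\S+)", pm_output, re.M)
    return [n for n in names if n in SUSPECT_PACKAGES]


def triage(adb_keys_text: str, ls_output: str, pm_output: str) -> dict:
    """Run all three checks and return the hits in one dict."""
    return {
        "adb_keys": scan_adb_keys(adb_keys_text, {CELLEBRITE_ADB_FINGERPRINT}),
        "payload_files": scan_tmp_listing(ls_output),
        "packages": scan_packages(pm_output),
    }


# Constructed sample inputs for the example; none of this came from the phone in the post.
# A real adb key blob is 524 bytes (Android's RSAPublicKey struct), hence the size here.
SAMPLE_ADB_KEYS = base64.b64encode(bytes(range(256)) * 2 + bytes(12)).decode() + " examiner@cheetah\n"
SAMPLE_LS = """total 64
drwxrwx--x  2 shell shell     4096 2024-02-21 10:12 .
drwxr-x--x 21 root  root      4096 2024-02-21 10:11 ..
-rwxr-xr-x  1 root  root     91234 2024-02-21 10:12 falcon
-rwxr-xr-x  1 root  root  52318200 2024-02-21 10:12 frida-server-16.1.4-android-arm64
-rw-r--r--  1 root  root        78 2024-02-21 10:12 chrome-command-line
-rw-r--r--  1 shell shell       12 2023-11-02 09:00 notes.txt
"""
SAMPLE_PM = "package:com.android.settings\npackage:jtcb.sdylj.axpa\npackage:org.telegram.messenger\n"

if __name__ == "__main__":
    for check, hits in triage(SAMPLE_ADB_KEYS, SAMPLE_LS, SAMPLE_PM).items():
        print(f"{check}: {hits if hits else 'no match'}")
```

A fingerprint match only tells you that the same public key was authorised; keep the full adb_keys line so the key material can be compared across devices, and treat the absence of a match as weak evidence, since the key can be removed without touching the files in /data/local/tmp.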

@niko The Ubuntu Server installer does something similar, where you can enter your GitHub username and it will pull the pubkey from there. I don't remember exactly, but I think they support some other platform as well, but no generic URL.

Nyastrid boosted

Do you consent to have your picture taken at #39C3?

Nyastrid boosted

Happy auxiliary compressor day, to those who celebrate. 🥳

song lyrics parody, if you get this reference you're *cool* 

@cuddlebug @buffet @jessew @sodiboo

PLEASE let this be a reference to flying a kite in a public place

@kitten Microsoft O365 does actually implement this, at least internally for an organization. However, it's just something like five corporate-approved positive emojis.

Nyastrid boosted

ethical hacker is when you don't disclose vulnerabilities to corporations but instead use them against them

Nyastrid boosted

Lewd 

A participant reviewed it as *two thumbs up* after trying it


Lewd 

They just invented the reverse cuck chair right in front of me

Nyastrid boosted

OH 

(she bites me) "oh wait nvm I'm a vegetarian"

Computer Fairies

Computer Fairies is a Mastodon instance that aims to be as queer, friendly and furry as possible. We welcome all kinds of computer fairies!