Welcome to my diary!
2022
August
20/08/2022
It’s been some time since I updated my diary, and similarly many things have happened since. Around a month ago, I finally released my Bachelor’s Thesis for my degree in CS about a novel type of eBPF rootkit. Under the supervision of Dr. Juan Tapiador, I researched the offensive capabilities of the eBPF technology, building the TripleCross rootkit, which we open-sourced. This rootkit incorporates the following features:
- A library injection module to execute malicious code by writing at a process’ virtual memory.
- An execution hijacking module that modifies data passed to the kernel to execute malicious programs.
- A local privilege escalation module that allows for running malicious programs with root privileges.
- A backdoor with C2 capabilities that can monitor the network and execute commands sent from a remote rootkit client. It incorporates multiple activation triggers so that these actions are transmitted stealthily.
- A rootkit client that allows an attacker to establish 3 different types of shell-like connections to send commands and actions that control the rootkit state remotely.
- A persistence module that ensures the rootkit remains installed maintaining full privileges even after a reboot event.
- A stealth module that hides rootkit-related files and directories from the user.
Although challenging, it was an extremely exciting project to do, and it really kept me motivated for the whole of its duration. I was very satisfied with the result, and I ended up receiving 10 out of 10 points in the thesis and a nomination for an Honors award (the thesis document is also public). We also received quite a bit of attention on Twitter and other places, and I will also be presenting my work at the eBPF summit on the 28th/29th of September.
I’ll be writing some posts during the upcoming days about TripleCross and some interesting details about the project, so I’ll be back soon!
January
17/01/2022
Once again life happened and I didn’t update this in quite a long time. And actually I’ve got some news! This is a summary of some of the security-related stuff that happened during the past months.
- I managed to get an offensive security Final Degree Project (or TFG as we call it here in Spain) for my Computer Science degree which I am SUPER EXCITED about!! It involves lots of low-level programming and tinkering with new stuff and I have an incredible tutor too! I’ve been super motivated on it during the past few months and it is only the start, I am yet to do the most exciting stuff. I was sure I wanted to do this and I’ve been fighting for having this opportunity for a long time so I am super happy! Be sure I’ll be posting some highlights on it once it’s over ;)
- I participated in Spain’s Guardia Civil National Cyber League. It was a very fun experience in which we competed to solve cybersecurity challenges (CTF-like) but unfortunately I was eliminated on the first round (out of three). I managed to get some points, but many challenges were on topics I haven’t practiced too much with (like forensics) and to be fair I still have a veeeeery long way to go with CTFs, it was actually expected. I’ll be going more serious with it this year tho, so expect a better result this coming year!
- I’m quitting my job as a .NET developer! The company where I’ve been has been an absolute pleasure to work at, but I need and want to focus on my final degree project. I may buy an HTB VIP subscription to train during the course if I see I’m having lots of free time, but in principle I will be trying to focus on the former (and also I have classes so it’s not like I’ll have all the free time in the world). But cybersecurity is definitely taking a step forward during this last part of my degree!
2021
18/09/2021 - 8/10/2021
- I’ve managed to find a copy of The Art of Computer Virus Research and Defense by Peter Szor and I’ve been really hooked on all the new concepts I learned. This has led me to start a new project: a metamorphic virus for Linux x86 which is based on the “Accordion model” by The Mental Driller and his virus METAPhor. It has led me to learn a lot about metamorphic techniques and it really boosted my Intel assembly skills. I will probably release a quick PoC in the coming month or so.
30/08/2021 - 18/09/2021
- It’s been a while since I updated this, I’ve been moving home among other things. Still, it was not completely a loss of time, since I have finished the ransomware module of Umbra! Basically, it lets you encrypt/decrypt a directory remotely, including all subdirectories in it. It has been significantly easier in terms of coding difficulty since I did not have to write too much kernel code, but anyway it was quite fun as always! I’ll take a break from it until I come up with a new idea for the next module/feature.
September
29/08/2021
- I’ve been researching XML vulnerabilities for one of HackTheBox’s boxes (BountyHunter). I’ve found out about XXE and other ways of achieving information disclosure and remote code execution. Thinking I’m on the right track but still couldn’t get the flag. I’ll try again tomorrow.
27/08/2021 - 28/08/2021
- Quite slow days in terms of studies, especially given that there’s only one week left for me to finish a lot of things I had planned for this summer.
- I also got a call from a cybersecurity company I’ve really been looking forward to working with. They are the organizers of a quite unique cybersecurity internship program in my country, and I’ve gone through the first interviews. Unfortunately I had to turn down the offer because they had decided the program would take 8 hours/day, which is completely unthinkable to do without finishing my studies, and they didn’t tell me until that point. They said they would wait for me next year tho!
26/08/2021
- Today I was a bit nostalgic on my old projects, so I took Greta and revised what I did almost a year ago. I updated some stuff to support multilanguage but I still can’t decide whether I want to keep working on it and release it to an online store, or just keep it as it is now, just for me.
24/08/2021 - 25/08/2021
- I continued working on the ransomware module of Umbra, updating the backdoor and the Umbra Injector in order to capture the new directives.
23/08/2021
- I worked on my project Umbra. I decided to develop a new set of ‘modules’, whose purpose is to enable Umbra to launch malware-like actions. The first module will be an encryption one, to launch a ransomware attack remotely.
22/08/2021
- Inaugurated this diary (for the second time, because I went on vacation and didn’t have the time to write much).
- Finished the website’s EternalBlue series, where I went in-depth into what EternalBlue is and how it works, decompiling the vulnerable code, studying SMB and exploiting a real system.
August