<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>cavefxa</title><link>https://cavefxa.com/</link><description>Recent content on cavefxa</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Thu, 26 Mar 2026 10:49:00 +0200</lastBuildDate><atom:link href="https://cavefxa.com/index.xml" rel="self" type="application/rss+xml"/><item><title>Breaking the Session Initiation Protocol in IMS Networks</title><link>https://cavefxa.com/posts/session-initiation-protocol/</link><pubDate>Thu, 26 Mar 2026 10:49:00 +0200</pubDate><guid>https://cavefxa.com/posts/session-initiation-protocol/</guid><description>Table of Contents Preface and Disclaimer Acknowledgement Background What is SIP? Reversing imsservice.apk libsec-ims.so A better hook Results Conclusion Preface and Disclaimer Almost a year ago I was finishing my bachelor&amp;rsquo;s degree. At the time, I was working as a penetration tester at a Danish telecommunications company, so I wanted to write a thesis that was relevant to my workplace. After speaking with colleagues, I decided to experiment with the Session Initiation Protocol, better known as SIP.</description></item><item><title>About me</title><link>https://cavefxa.com/about/</link><pubDate>Sun, 25 May 2025 13:37:13 +0200</pubDate><guid>https://cavefxa.com/about/</guid><description>My name is cave, I like software development, finding bugs, and exploiting said bugs. 
For personal inquiries, reach me on: cavequeries@protonmail.com</description></item><item><title>Little Alien Computer</title><link>https://cavefxa.com/ctf/vmbs/</link><pubDate>Wed, 16 Apr 2025 00:00:00 +0000</pubDate><guid>https://cavefxa.com/ctf/vmbs/</guid><description>Challenge from TDCNET-CTF 25 - Download the challenge files: &lt;a href="https://cavefxa.com/chall_files/vmbs/handout.zip">vmbs.zip&lt;/a></description></item><item><title>Cosmic Go</title><link>https://cavefxa.com/ctf/event_horizon/</link><pubDate>Fri, 11 Apr 2025 00:00:00 +0000</pubDate><guid>https://cavefxa.com/ctf/event_horizon/</guid><description>Challenge from TDCNET-CTF 25 - Download the challenge files: &lt;a href="https://cavefxa.com/chall_files/cosmic_go/handout.zip">cosmic_go.zip&lt;/a></description></item><item><title>Event Horizon</title><link>https://cavefxa.com/ctf/cosmic_go/</link><pubDate>Thu, 10 Apr 2025 00:00:00 +0000</pubDate><guid>https://cavefxa.com/ctf/cosmic_go/</guid><description>Challenge from TDCNET-CTF 25 - Download the challenge files: &lt;a href="https://cavefxa.com/chall_files/event_horizon/handout.zip">event_horizon.zip&lt;/a></description></item><item><title>Reverse engineering the license key generation of an old RPG game</title><link>https://cavefxa.com/posts/babys-first-keygen/</link><pubDate>Tue, 28 Jan 2025 15:06:00 +0200</pubDate><guid>https://cavefxa.com/posts/babys-first-keygen/</guid><description>Table of Contents Preface The problem Initial reversing Reversing the license checker Level 1 Level 2 Level 3 Level 4 Item achieved: Hook of joy Conclusion Preface During my exam period this semester, I did everything I could to avoid preparing. Included trying to find 0-days in a router, sleeping late, and watching YouTube. 
I recently discovered a channel whose content I really enjoy: super concise, straight to the point, and educational.</description></item><item><title>Snapcast (v0.27.0) - CVE-2023-52261: JSON RPC to RCE!</title><link>https://cavefxa.com/posts/snapcast-json-rpc-to-rce/</link><pubDate>Mon, 27 Nov 2023 19:20:00 +0200</pubDate><guid>https://cavefxa.com/posts/snapcast-json-rpc-to-rce/</guid><description>Table of Contents Preface Background information about Snapcast What is Snapcast Server client relationship How is it playing? How is it synchronizing? Exploitation Finding the bug Proof-of-Concept Script Preface Once upon a time, I went to the Danish hacking festival Bornhack. While there, fun was had, things were hacked, and wine was drunk. In one of the larger tents, which worked as a sort of meeting point, some people had set up an IoT streaming service that allowed everyone to install a client on their phone and listen to the same music, in camp and out of camp, and it was very synchronized!</description></item><item><title>Roll</title><link>https://cavefxa.com/ctf/roll/</link><pubDate>Sun, 17 Sep 2023 00:00:00 +0000</pubDate><guid>https://cavefxa.com/ctf/roll/</guid><description>Challenge from TDCNET-CTF 23 - Download the challenge files: &lt;a href="https://cavefxa.com/chall_files/roll/handout.zip">roll.zip&lt;/a></description></item><item><title>T-dc-ron</title><link>https://cavefxa.com/ctf/tdcron/</link><pubDate>Sun, 17 Sep 2023 00:00:00 +0000</pubDate><guid>https://cavefxa.com/ctf/tdcron/</guid><description>Challenge from TDCNET-CTF 23 - Download the challenge files: &lt;a href="https://cavefxa.com/chall_files/tdcron/handout.zip">tdcron.zip&lt;/a></description></item><item><title>Samsung GT-S7580 - Zero to Root!</title><link>https://cavefxa.com/posts/gt-s7580-zero-to-root/</link><pubDate>Mon, 29 May 2023 15:33:45 +0200</pubDate><guid>https://cavefxa.com/posts/gt-s7580-zero-to-root/</guid><description>Preface This blog post will be discussing how I did
vulnerability research on an older Samsung phone, specifically the model GT-S7580. Before this I had not done any ARM exploitation or rooting, and barely any kernel exploitation. I will go through what I ended up learning and how I went from zero to root.
Getting started Connecting to the phone Connecting to the phone in some way is crucial; otherwise, how will you interface with it?</description></item><item><title>ZyXEL P-2601HN - Unauthenticated to root!</title><link>https://cavefxa.com/posts/zyxel2601/</link><pubDate>Sun, 26 Mar 2023 15:33:45 +0200</pubDate><guid>https://cavefxa.com/posts/zyxel2601/</guid><description>Preface In this blog post, I will be going through how I, along with a few of my friends, spent the previous Sunday hacking an old router and building a full exploit that takes an attacker from unauthenticated LAN access to root on the router. Hope you enjoy!
Getting started Picking a target As with my last router target, this one was also picked up from a thrift store. I recall spending around $5 on it, and that’s certainly worth a day of fun hacking.</description></item><item><title>TP-Link WR720N - CVE-2023-24362(3): UART, and code execution!</title><link>https://cavefxa.com/archived/router-hacking2/</link><pubDate>Sun, 12 Mar 2023 19:41:00 +0200</pubDate><guid>https://cavefxa.com/archived/router-hacking2/</guid><description>Connecting to UART To get UART, we need some way to connect to it. There are different ways to do this, using different serial communication programs; to name a few: Minicom, PuTTY, or screen. We’ll be using screen in this post. Now, since UART is a communication protocol between two devices, they need to agree that they’re speaking the same language, just like we agree on grammar and syntax for spoken/written languages.
Bug hunting Getting the lay of the land I started by playing around with the web portal, which we concluded in the first post was over at http://192.</description></item><item><title>TP-Link WR720N - CVE-2023-24362(1): Loading...</title><link>https://cavefxa.com/archived/router-hacking0/</link><pubDate>Fri, 17 Feb 2023 11:37:00 +0100</pubDate><guid>https://cavefxa.com/archived/router-hacking0/</guid><description>Preface This blog post, and the ones following it, will be discussing how I did vulnerability research on a router - specifically the model TL-WR720N. I had never done embedded vulnerability research before this, and that might be reflected in the post. The posts will be chronological from beginning to end. Enjoy! (Also no, ChatGPT did not write this)
Getting started Picking a target To begin doing embedded vulnerability research, it&amp;rsquo;s quite nice to have a lot of tools.</description></item><item><title>PWS_Dashboard - CVE-2022-45291: "badweather"</title><link>https://cavefxa.com/posts/cve-2022-45291/</link><pubDate>Tue, 20 Dec 2022 19:49:35 +0100</pubDate><guid>https://cavefxa.com/posts/cve-2022-45291/</guid><description>Some weeks ago now, my good friend Mikbrosim, and I were sitting a Sunday evening looking for something we could hack. After searching the internet for a while, I found some really old looking site. The site had some webcam, of what looked like a private backyard (publicly exposed of course), and some sort of weather dashboard. Looking around on the site a bit, it seemed really odd, and broken; however nothing was to be found, and we obviously didn&amp;rsquo;t want to pentest something we didn&amp;rsquo;t have permissions to.</description></item><item><title>FE-CTF (HackingFromEstonia): My First Browserpwn</title><link>https://cavefxa.com/archived/first-browser-pwn/</link><pubDate>Mon, 12 Dec 2022 17:17:45 +0200</pubDate><guid>https://cavefxa.com/archived/first-browser-pwn/</guid><description>Introduction &amp;ldquo;My first browser pwn&amp;rdquo; was a challenge I solved with the team HackingFromEstonia during the physical on-site finals at Frederiksberg Slot, at the event FE-CTF hosted by FE (Danish Defence Intelligence Service).
The challenge is created around JavaScriptCore (JSC). JSC is the JavaScript engine used by WebKit implementations such as Safari, BlackBerry browser, Kindle e-book reader, and more. Note that it&amp;rsquo;s not the same as V8, which is developed by Google, whereas JSC is developed by Apple.</description></item><item><title>FE-CTF (HackingFromEstonia): Finals and Quals Writeups</title><link>https://cavefxa.com/archived/fe-ctf/</link><pubDate>Mon, 28 Nov 2022 21:49:35 +0100</pubDate><guid>https://cavefxa.com/archived/fe-ctf/</guid><description>Qualifiers - Dig1 A lot of older routers, have this thing in settings that allows you to ping routers. This input is usually just smacked directly into bash, and then executed. Knowing this, we can try command injection with something as simple as:
127.0.0.1; cat /flag
flag{do people still use php?}
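The Dig1 passage above describes the classic pattern, user input concatenated into a shell command, and Dig2 below the same bug with spaces filtered. The following Python is an added example and is not part of the original writeup or the CTF: it contrasts the vulnerable string-building handler with an argv-list handler, uses printf in place of the ping binary so it runs offline, and uses two constructed payloads, one with spaces and one using ${IFS} as the space substitute (a standard shell trick, not necessarily the one the writeup used).

```python
import ipaddress
import subprocess

# Constructed payloads (not taken from the original post): the classic
# injection with spaces, and a variant that uses ${IFS} instead of a space,
# the usual workaround when a filter strips or forbids spaces.
PAYLOAD_SPACES = "127.0.0.1; echo INJECTED"
PAYLOAD_NO_SPACES = "127.0.0.1;echo${IFS}INJECTED"


def vulnerable_ping(host: str) -> str:
    """The router pattern from the writeup: user input is glued into a
    shell command string. printf stands in for the ping binary so that
    this runs offline; the shell parses the line exactly as it would
    for 'ping -c 1 ' + host."""
    cmd = "printf 'PING %s\\n' " + host
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def safe_ping_argv(host: str) -> list:
    """Hardened handler: allow-list the input as an IP address literal and
    build an argv list for subprocess.run(argv, shell=False). The host
    becomes one argument to ping; no shell ever parses it, so ';', '|'
    and ${IFS} tricks have no meaning."""
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError:
        raise ValueError("rejected ping target: %r" % host) from None
    return ["ping", "-c", "1", str(addr)]


def accepts(host: str) -> bool:
    """True if the hardened handler would run ping for this input."""
    try:
        safe_ping_argv(host)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for payload in (PAYLOAD_SPACES, PAYLOAD_NO_SPACES):
        print("vulnerable output:", repr(vulnerable_ping(payload)))
        print("hardened accepts?", accepts(payload))
    print("hardened argv:", safe_ping_argv("127.0.0.1"))
```

Run it directly to see the vulnerable handler print INJECTED for both payloads while the hardened one rejects them. The allow-list only admits IP literals; if hostnames must be accepted, validate them against a strict hostname grammar and still pass them as a single argv element, because the list form prevents shell injection but not argument injection (a value starting with a dash would still be read by ping as an option).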
Qualifiers - Dig2 This is the same type of challenge, except now we don&amp;rsquo;t have spaces. Googling this issue: https://unix.</description></item><item><title>Symbolic Execution with Angr: pt. 2 Usage Introduction</title><link>https://cavefxa.com/archived/angr1/</link><pubDate>Wed, 29 Sep 2021 13:04:00 +0200</pubDate><guid>https://cavefxa.com/archived/angr1/</guid><description>Simple usage import angr import claripy When you&amp;rsquo;re playing with angr, inevitably at the beginning you&amp;rsquo;ll have to load a binary of some form, you can do this the following way:
proj = angr.Project(&amp;#34;./&amp;lt;binary_name&amp;gt;&amp;#34;)
Now angr works by stepping through and investigating many states. To load our initial state we use the following command:
state = proj.factory.entry_state()
There are a few ways to load binaries, as one would imagine.</description></item><item><title>Symbolic Execution with Angr: pt. 1 Theoretical Introduction</title><link>https://cavefxa.com/archived/angr0/</link><pubDate>Wed, 29 Sep 2021 12:09:45 +0200</pubDate><guid>https://cavefxa.com/archived/angr0/</guid><description>What is symbolic execution? One might relate it to symbolic equations from mathematics in school. A few examples of symbolic equations might be:
a²+b²=c²
E=hf
F=ma
These are examples of symbolic equations: values are defined in terms of symbols that we give different names. For the symbols we can define constraints, e.g. &amp;ldquo;f&amp;rdquo; must be larger than 0, or &amp;ldquo;a&amp;rdquo; is equal to 9.82 N/kg, thus narrowing the set of possible results or outcomes.</description></item><item><title>What is format strings? How do they work?</title><link>https://cavefxa.com/archived/format0/</link><pubDate>Wed, 08 Sep 2021 15:33:45 +0200</pubDate><guid>https://cavefxa.com/archived/format0/</guid><description>Format string: A Mini Study - with challenge This will be a short, practical walkthrough of the concept &amp;ldquo;format string&amp;rdquo;, with an example of how to solve a format string challenge.
Research and everything format string Format is a pwn task on HackTheBox revolving around the idea of format strings (e.g. %s, %d, %p), a C feature that lets a single string contain both literal text and placeholders for variable values.</description></item><item><title>pwn2win 2021: "Oldschool Adventures - Apple II"</title><link>https://cavefxa.com/archived/oldschool-adventures/</link><pubDate>Tue, 01 Jun 2021 17:17:45 +0200</pubDate><guid>https://cavefxa.com/archived/oldschool-adventures/</guid><description>Oldschool Adventures - Description Dockerfiles: Oldschool_Adventure
Challenge description:
We found this Rhiza&amp;rsquo;s Government Server, and we need to access it! It runs an Apple II emulator and accepts codes in Applesoft BASIC. If the result of your code generates a valid QR Code standard (not micro QR), it will be read and the content will be executed as a shell command on the Linux system. A very interesting way to interact with a server, don&amp;rsquo;t you think?</description></item><item><title>Adventures in Heap: Malloc, Free, and Fastbin Dup</title><link>https://cavefxa.com/archived/heap-adventures0/</link><pubDate>Tue, 25 May 2021 18:20:00 +0200</pubDate><guid>https://cavefxa.com/archived/heap-adventures0/</guid><description>Heap is like the wild west of binary exploitation in my opinion, or perhaps more like an alien, no one knows what is happening (atleast I don&amp;rsquo;t). A lot of CTF pwn challenges these days are heap exploitations, even the simpler ones, so let&amp;rsquo;s learn some heap. Let&amp;rsquo;s get started.
Malloc Malloc is the C library function that handles the allocation of memory, which is why it&amp;rsquo;s called m alloc [memory alloc].</description></item><item><title>ROPEmporium: badchars 32-bit</title><link>https://cavefxa.com/archived/badchars32/</link><pubDate>Mon, 24 May 2021 19:58:00 +0200</pubDate><guid>https://cavefxa.com/archived/badchars32/</guid><description>Writeup of bad characters [badchars] on ROPEmporium Prerequisites: Knowledge from previous challs, XOR (Exclusive Or)
This was a more difficult exploit to create, because we had bad characters to avoid.
As usual, I started by checking the security settings on the provided binary.
cave@noobpwn:~/binexp/ROP-emperium/badchars_32$ checksec badchars32
[*] &amp;#39;/home/cave/binexp/ROP-emperium/badchars_32/badchars32&amp;#39;
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
    RUNPATH:  b&amp;#39;.&amp;#39;
We see that NX is enabled.</description></item><item><title>ROPEmporium: write4 32-bit</title><link>https://cavefxa.com/archived/write432/</link><pubDate>Mon, 24 May 2021 19:41:00 +0200</pubDate><guid>https://cavefxa.com/archived/write432/</guid><description>Writeup of write four [write4] on ROPEmporium Prerequisites: Basic knowledge of assembly, disassembling tools, the previous challenges, and calling convention
We&amp;rsquo;re told the following: &amp;ldquo;A PLT entry for a function named print_file() exists within the challenge binary, simply call it with the name of a file you wish to read (like &amp;lsquo;flag.txt&amp;rsquo;) as the 1st argument. The &amp;lsquo;flag.txt&amp;rsquo; isn&amp;rsquo;t present in the binary&amp;rdquo;
We need a writable region of memory, because the filename string is not present in the binary and we have to write it somewhere print_file() can read it from.</description></item><item><title>ROPEmporium: callme 32-bit</title><link>https://cavefxa.com/archived/callme32/</link><pubDate>Mon, 24 May 2021 14:57:00 +0200</pubDate><guid>https://cavefxa.com/archived/callme32/</guid><description>Writeup of callme [callme] on ROPEmporium How do you make consecutive calls to a function from your ROP chain that won&amp;rsquo;t crash afterwards? If you keep using the call instructions already present in the binary your chains will eventually fail, especially when exploiting 32 bit binaries. Consider why this might be the case.
This is the information we&amp;rsquo;re greeted with in the callme challenge.
What we need to do is call the functions &amp;ldquo;callmeone&amp;rdquo;, &amp;ldquo;callmetwo&amp;rdquo;, &amp;ldquo;callmethree&amp;rdquo; all with the same arguments: 0xdeadbeef, 0xcafebabe, 0xd00df00d.</description></item><item><title>ROPEmporium: split 32-bit</title><link>https://cavefxa.com/archived/split32/</link><pubDate>Mon, 24 May 2021 14:38:00 +0200</pubDate><guid>https://cavefxa.com/archived/split32/</guid><description>Writeup of split [split] on ROPEmporium Prerequisites: Basic knowledge of assembly, disassembling tools, and having solved ret2win for 32bit
Let&amp;rsquo;s start this time by checking the security settings of the binary with checksec.
cave@noobpwn:~/binexp/ROP-emperium/split_32$ checksec split32
[*] &amp;#39;/home/cave/binexp/ROP-emperium/split_32/split32&amp;#39;
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
So NX is enabled, which means we can&amp;rsquo;t just put shellcode on the stack and return to it.</description></item><item><title>ROPEmporium: ret2win 32-bit</title><link>https://cavefxa.com/archived/ret2win32/</link><pubDate>Mon, 24 May 2021 14:20:00 +0200</pubDate><guid>https://cavefxa.com/archived/ret2win32/</guid><description>Writeup of return to win [Ret2win] on ROPEmporium Prerequisites: Basic knowledge of assembly and disassembling tools
[Note: The main differences between 32-bit and 64-bit are that on 32-bit x86 the arguments are passed on the stack instead of in registers, and that addresses are 4 bytes and 8 bytes in size respectively; a byte is 8 bits (two 4-bit nibbles), so a 32-bit address occupies 4 bytes and a 64-bit address 8 bytes.</description></item><item><title>What is a stack, and how does it overflow?</title><link>https://cavefxa.com/posts/stack-overflow/</link><pubDate>Sun, 23 May 2021 18:03:05 +0200</pubDate><guid>https://cavefxa.com/posts/stack-overflow/</guid><description>Stack Memory is divided into three regions: Data, Text, and Stack
In the data segment, one usually finds strings and other statically allocated variables. In a C program, these are the variables declared outside of any function (globals) or with the static keyword; their storage is fixed for the lifetime of the program rather than created on the stack.
In the text segment, one finds the compiled C code, turned into machine code. Machine code is not assembly: it is the binary instruction encoding that the CPU executes directly, whereas assembly is a low-level programming language that must first be assembled into machine code.</description></item><item><title/><link>https://cavefxa.com/archived/phishing/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://cavefxa.com/archived/phishing/</guid><description>Whoops! You went to the wrong page - Whoops! You seem to have come to a wrong site. Danish: Phishing is a form of fraud in which malicious actors try to gain access to sensitive information such as usernames, passwords or credit card details by posing as a trustworthy website or entity. An example of this could be a malicious actor who buys a domain name that resembles a legitimate one, such as minid.</description></item></channel></rss>