I used to think the same thing: don’t install software using a curl command piped into bash.

But then I realized that you might as well never install anything ever again. There’s far more than just a simple bash script being run with other installation paths.

It’s not about the method of installation, it’s about how much you trust the source of it.

Whether you install something via the curl/sh method, or install via a .deb package, run someone’s .AppImage, etc… there’s nothing really making any of them better or worse in terms of security. They’re all capable of running code at some point, with the permissions you have.

At the end of the day, you have to ask yourself: do you trust the person providing you with the installer?

How you go about installing that software is a separate topic fraught with politics and opinions. And some installers have ways to verify authenticity — assuming the compromise isn’t deep in the author’s workflow.

That being missing from curl/sh is not a unique disadvantage. Especially considering how few are probably actually authenticating their installers, regardless of method.

It’s not ideal, but it’s not the singular boogeyman that some of us are making out to be.

Happy to entertain a more informed opinion on this. Maybe an angle I missed.

COUNTERPOINT!

Actually, not really. But as I was writing that I did think of one potential reason to consider it a red flag: it’s trivial for a bad actor to just write a quick script and have you run it. Other methods of attack require building the actual installer. There’s a minor effort trade-off there. A speed bump that might deter the less experienced actors.

So at worst a curl/sh installer might just be considered a red flag, but only if a stranger passed it to you via a DM, or on IRC/Discord, etc. Like how you can have an .xyz domain and it’s totally fine, but it tends to be associated with shadier sites because it has a bad history. Just a red flag. Go to yellow alert. For the red flag. (Hot dog theme?)

Anyway, if you’re clicking links from strangers, you’re in the Danger Zone anyway.

I was doing a bit of OSINT-ish poking around on this character, Mellissa Carone.

She’s a supposed voter fraud “whistleblower” for Rudy Giuliani. His star witness claims to have essentially seen all the voter fraud ever in her seemingly-drunken, insane testimony at a hearing in Michigan. You really have to see it to believe it. She made a complete ass out of herself trying to bullshit everyone in the room.

Even Rudy, at one point, had to be like “whoa, down girl”.

Ordinarily I wouldn’t be dwelling on a private individual in a blog post, but Mellissa chose to step into the public arena.

So I figured I’d see what I could dig up on the web, in relation to a couple of her claims. Just practicing some OSINT on a public figure.

Anyway, in her testimony she claimed to be an IT contractor hired by the current conspiracy scapegoat “Dominion“. Now she says she can’t get work anymore because “the Democrats destroyed her life”, and so on.

As far as jobs go, her LinkedIn says she’s been an intern at a place called Ciber Global but with the title “Cyber Security Analyst”. She mentions Ford Motor in a subheading on this one.

Next one down, same timeframe as the Ciber job, again, “Cyber Security Analyst” for Ford Motor Company. Maybe lent out as a temp?

Further back, an internship as an IT Technician at a local painting company.

And even further back, an IT Specialist/Help Deak [sic] person for Millennium Servica [sic]. This might be a Remodelling and Repair Contractor, or this unknown, defunct company.

Whichever. Doesn’t matter.

Along side all this, she’s also listed as being a graduate of ITT Technical Instutute and the University of Michigan, working on an associates degree in Computer/Information Technology Administration and Management.

UPDATE: Apparently she’s been up to some other stuff, too. Whoops…

In addition to her work experience, her profile features a set of certificates and awards:

Nothing really of interest. I can’t even verify her Ciber employment, never mind this certificate. But that’s fine. I don’t really care. Any discrepancies are probably easily explained with a little more detail. (Benefit of the doubt, and all that.)

But then I scroll over to the third cert; the “Cyber Awareness Challenge” completion certificate:

What’s that logo? Department of… hmm.  I can guess, but let’s ZOOM AND ENHANCE:

The Department of Defense?!

Woo! Impressive, right?

So I looked around for that, and found… THE 2021 CYBER AWARENESS CHALLENGE!

You too — yes, YOU — can take the unclassified training course, just like she did, and get your very own DoD Certificate of Completion for you to type “FART BUTT” on and save to a PDF and put on your own profile.

And best of all, it’s in COLOR and updated for 2021!

But in all seriousness, I encourage you to take a look at this small, free course they’re offering.

It’s actually well put together and rather creative for a multiple-choice quiz that marks you correct even when you’re wrong. You can’t lose!

The real meat of it, though, are the details it provides. There’s a lot of “duh” basic security things (don’t bring in external devices, don’t hold security doors open for anyone, etc), but it actually gives some interesting insights into how they handle working with classified security information, among other things.

Quite a bit of video, too. Here’s my favorite:

Another Hack the Box write-up. This one is pretty short (EDIT: is it?), but it illustrates an unintended, but important gotcha that hit me.

But first…

I found out last time that a seemingly unspoken HTB convention* is that you only post write-ups for challenges that are retired (accessible to the paid VIP folks).

* Honestly, I only saw it mentioned while digging into the forums, and was told about it later when I posted the previous one on Reddit.

While I didn’t see an official explanation for this behavior, I suspect this is keep people from simply Googling for the flag. If that IS the case, I disagree with that idea: any good CTF’er will know to exclude the flag identifier -HTB or the CTF name (-"Hack the Box") when looking for information to help them legitimately solve the problem.

If someone is going to be a rotten rat and cheat their way through the challenges, well, that’s kind of the risk you take when it’s open to the public. Hiding the answers just means they’ll squirrel them away out of sight for the rats to find. (Boy there’s a lot of animals in this paragraph.)

And, of course, if it’s simply to give value to VIP members, well, I have no interest in helping a business maintain a poor model. But I don’t expect that to be the motive here. 😉

Suffice it to say, considering this one hasn’t been retired since 2018, I won’t be sharing it anywhere outside my own blog, apparently. And maybe Twitter. (Hi, Twitter!)

The Case Against Windows

I did this challenge, initially, using Windows. Mostly because this seemed like a pretty easy challenge, and I didn’t think that would be a problem.

The challenge provides you with a zip file, appropriately named misDIRection.zip.

Unzipping the file produces a .secret/ directory, and inside a series of directories labelled 0-9a-zA-Z. Some of these are empty. But some have 0-byte files named after integers. There were no duplicates among them.

Archive:  ../misDIRection.zip
   creating: .secret/
   creating: .secret/S/
 extracting: .secret/S/1
   creating: .secret/V/
 extracting: .secret/V/35
   creating: .secret/F/
 extracting: .secret/F/2
 extracting: .secret/F/19
 extracting: .secret/F/27
   creating: .secret/o/
   creating: .secret/H/
   creating: .secret/A/
   creating: .secret/r/
   creating: .secret/m/
   creating: .secret/B/
 extracting: .secret/B/23

...etc...

I thought about this one for a bit, and considered how a message could be encoded.

Then I had an idea: what if the numbers map to a position in an output. Like, where file “1” is, that’s in the S directory.  “2” is in F, etc.

So I started charting this out in Notepad, but I got about 4 letters deep and realized — wait, I should be doing this in a programmatic way. There are tools for this. Work smarter.

So I pull up the WSL bash prompt and throw down: find . -type f | sort -k 1.13 -n

This finds all the file-type entries under the current directory and pipes the result into sort. The -k argument basically says to sort on the 13th column, and -n specifies a numeric sort.

This gave a pretty clear arrangement: SFrce0rjUjNjdeX5XzFUX1BSNdFUX1NPN2V9. NICE!

Not So Fast, Son

While this wasn’t the flag, of course, it seemed like a solid lead into a second phase.

So I pull up CyberChef and start messing around with it. I go through the usual transformations I try, and Base64 immediately catches my eye: HZÜ{JãR3cuåù_1T_PR5ÑT_SO7e}.

It’s so painfully close to what I’m looking for. You can SEE the skeleton of a legit Hack the Box flag: HTB{xxx_xxx_xxx_xxx}. You can see the curly braces, and the underscores, and even the opening “H”. Presumably some of the other letters are correct as well, but you can’t know that yet, of course.

So I went down some weird rabbit holes. The hashid tool thought it was BigCrypt:

Analyzing 'SFrce0rjUjNjdeX5XzFUX1BSNdFUX1NPN2V9'
\[+\] BigCrypt

And The Towel Was Thrown In

Everything I tried wound up being big time wasters.

So I gave up and looked for a write-up. Inside that write-up, the guy did everything I did:

WHAT?

I do a search for SFrce0rjUjNjdeX5XzFUX1BSNdFUX1NPN2V9 — and sure enough, there it is.

Am I going crazy? It’s just a basic Base64 decoding. Why is mine different?

Just to verify, I pipe it through the same base64 tool on my end. Nope. Still different.

What am I doing differently here?!

Then it dawns on me: I’m using Windows.

I’d gotten used to doing some formerly Unix-style command line stuff in Windows, thanks to WSL letting me bounce between the two worlds. And that was my mistake.

A Return to Relative Sanity

Let’s take a look:

• Some characters showed up fine.
• The same string gave two different decodings.
• How could that be?

Well, unzipping a file that creates an alphabet… both upper AND lowercase letters… oh shit.

Riiight… unzipping in Windows means .secret/s is the same directory as .secret/S.

Which one you get depends on which one unzipped first. So I had a jumble of upper and lowercase directories that Windows went all YOLO on. And when I jumped over to WSL to do my find command, the damage was already done.

I needed to unzip the file from Unix.

So I nuked the entire directory and unpacked all of this from a proper Linux bash shell in my lab VM. And sure enough, I have a lot more directories.

I run my find command, and I get a slightly different version of my string: SFRCe0RJUjNjdEx5XzFuX1BsNDFuX1NpN2V9.

Note the case differences:

Wrong: SFrce0rjUjNjdeX5XzFUX1BSNdFUX1NPN2V9
Right: SFRCe0RJUjNjdEx5XzFuX1BsNDFuX1NpN2V9

So I pump that through base64 -d, and we get the CORRECT flag this time: HTB{DIR3ctLy_1n_Pl41n_Si7e}.

The Takeaway

This was frustrating, but still quite educational: in the future I might encounter an issue similar to this, and hopefully I’ll remember this experience. I mean, I didn’t look closely enough at my string, and searching for it in the write-up made me think it was 1:1 exactly the same. All because search tools are, by default, case insensitive. And Windows is case insensitive.

But I’m very sensitive. 😢

Seriously, though don’t get too comfortable with Windows, man. It’ll stab you when you’re not looking!

I don’t for a moment think the author of this challenge intended for this outcome. (I sure didn’t.) But hey: thank goodness SOMEONE wrote a write-up on a non-retired Hack the Box challenge, huh? 😏

I’ve been doing a lot of TryHackMe rooms over the last week or two, but this morning I decided to jump over to HackTheBox to take a look at their OSINT challenges.

While I’ve never done a CTF write-up before, I want to start doing this a bit more often. Especially when I encounter new topics or concepts I’ve never encountered before.

We are looking for Sara Medson Cruz’s last location, where she left a message. We need to find out what this message is! We only have her email: saramedsoncruz@gmail.com

With this bit of content, I spent a lot of time going through my usual routine…

Sherluckin’ Out

First, I looked for the username saramedsoncruz using Sherlock. It’s a tool written in Python that queries a ton of social media services. (There’s websites for this, too.) This pulled up only a couple results:

[*] Checking username saramedsoncruz on:
[+] Pinterest: https://www.pinterest.com/saramedsoncruz/ 
[+] geocaching: https://www.geocaching.com/p/default.aspx?u=saramedsoncruz

When I saw the Geocaching link, I got excited. We could satisfy all of our requirements.

Her last location? Possibly! A potential message left? Sure! Maybe she took a picture of a message left in a cache. Or had comments about a cache she’d just found.

This seemed to be a lock… but, despite a match on that very specific username, it wound up going nowhere.

Struck out with the Pinterest link, but I had low hopes for that one.

Desperation Sets In…

At this point, I’m trying everything I know. Manually clawing though “Sara Cruz” accounts (and various permutations on the name) on Facebook and other social media sites. One even had a Guy Fawkes mask for an avatar — I thought to myself “Some dumb hacker shit! Surely, this must be it!”

But, no. Another dead end.

As I’m searching around, I see a link talking about Google IDs and Gmail accounts. It looks interesting, but I put it aside.

I’m about to give up — which is fine by me. Yeah, I’m always a little disappointed when I throw in the towel, but that’s part of the reason I do these CTF challenges: to test what I know, and if it’s something I don’t know: learn. (From write-ups. Like this. 😏)

…when suddenly!

So I return to the HTB OSINT page, and I take a look at the name of the challenge so I can google a write-up.

“ID Exposed”… hey, waaaait a minute…

I think for a moment as that piece of information zip-zaps across my mind over to the article I’d found earlier: Getting a Grasp on GoogleIDs.

I’d completely overlooked a clue in the title. Turns out this was VERY relevant!

I’ll leave the article for you to see the details, but long story short: there’s a profile ID number attached to every Google account. There’s a couple ways to get this ID outlined in the article.

In my case, I added it to my existing Google Contacts collection and sniffed the data-personid attribute from the modal dialog of the Contacts page when the contact is opened for editing (it may be seen elsewhere, but this is where I got it).

With this in hand, I went over to the People API people.get page, which lets you try executing an API endpoint. In order to execute this endpoint call, you’ll need to give permission for your own Google account.

Following the instructions in the article, I plugged in “people/c6412528252752365100” for the resourceName, and “metadata” for the personFields field.

The call, successful, returned this block of JSON:

{
  "resourceName": "people/c6412528252752365100",
  "etag": "%EgMBNy4aBAECBQciDG1IQ1NWS3NJSEc0PQ==",
  "metadata": {
    "sources": \[
      {
        "type": "CONTACT",
        "id": "58fde0788976062c",
        "etag": "#mHCSVKsIHG4=",
        "updateTime": "2020-09-24T15:59:18.216Z"
      },
      {
        "type": "PROFILE",
        "id": "117395327982835488254",   // <----
        "etag": "#4eZz2/IuMFw=",
        "profileMetadata": {
          "objectType": "PERSON",
          "userTypes": \[
            "GOOGLE_USER"
          \]
        }
      }
    \],
    "objectType": "PERSON"
  }
}

Under the metadata -> sources entry with the PROFILE type, there is our GoogleID: 117395327982835488254.

Now That’s Brazilliant

From here, we can look for various things (again, check the article for what’s possible).

As it turns out, you can take a look at the ‘contributions’ that a GoogleID has made to Google Maps. This means reviews and photos, for the most part. Certainly the kind of data that would tick the boxes of what this CTF solution asks of us.

So, I tack the GoogleID onto the appropriate URL… https://www.google.com/maps/contrib/117395327982835488254/

…and sure enough:

“Flag Watcher”, huh? 😏

No photos, but they’ve posted a review for the ‘Museu do Futebol’ in Brazil, giving it a whopping five stars, and a terse comment of “really nice museum”…

Wait, there’s more.

Like, literally ‘More’.

Click it.

And there’s our flag, buried in a bunch of percent signs to force the comment to collapse. 🙂

HTB{i_W4S_D_I_S_c_O_v_3_R_3_D}

Conclusion

It’s okay to give up, as long as you’re willing to learn.

Just be careful that you’re not overlooking a clue being given to you. Few things suck more than bashing your head against the wall going down a dead end for an hour when a quick re-read of the CTF details might have prevented it. 😳

The Backstory

I’ve been on the hunt for a decent, small netbook for a while. I’d hoped to wipe ChromeOS off of the Samsung Chromebook Plus that I’d acquired — a decent little device in it’s own right — but the effort required to do it properly was simply not worth it.

(TLDR on that: there’s no ‘write-protect screw’ like other Chromebooks; instead you have to remove the battery, among other things. I’d rather keep it as is, preserve the value, and sell it in trade for a more traditional laptop!)

I went through a couple other laptops all with various concessions that I wasn’t too happy about.

My demands:

• Small (11.6″ or so)
• Light
• Decent battery life
• Peppy speed
• Runs Linux without any fuss
• Is under $300 — cheaper the better, but I don’t want immense remorse if it’s broken, unlike a $900 (or more) beast

In my half-hearted on again, off again search you could hit most of these if you were willing to void the warranty of a Chromebook, or were willing to sacrifice any kind of aforementioned pep. It’s the ol’ “small/fast/cheap — pick two” kind of thing.

I’d been eyeballing the Acer Spin One (SP111-33) at Walmart for a while. Not exactly the place to pick a winner, I confess, but I kind of liked how it looked and felt; it was solid as hell, with a sturdy aluminum frame. But at almost $400, I wasn’t sure if it was worth gambling on.

So I hit Walmart.com and I see there’s actually two entries; one is the Acer Spin One at the expected price. But then there’s another SKU with a slightly different model number.

As it turns out, it’s a slightly faster model, but about $100 cheaper. And it’s not solid aluminum. And it’s all black. But it’s still a super light 2-in-1 convertible laptop. They saddled it with Windows 10 S (the one you can only install from the Windows app store from). And it’s a lower res screen instead of the full HD of the more expensive model.

I get in the store, and I see them mostly side by side. The more expensive one SURE IS PRETTY in comparison. And the screen is definitely brighter and nicer to read.

They’re both locked, but that wasn’t a problem. The password was the store number, which is on the login screen.

Once I’m logged in, I load up Edge and pull up an online JS speed test. It won’t be comprehensive, but it’ll at least give me a ballpark.

The two churn through the test, neck and neck. I get some side-eye from the clerk, but I ignore him. I’m shopping, damn it!

By the end, it turns out the uglier, cheaper one actually beat the hell out of it’s more expensive brother.

Some quick googling showed people WERE installing Linux, but one guy said he had trouble with most distros except Kali (and some other one). Hey, that’s fine by me: that’s exactly what I intended to install! 😏

Maybe it didn’t QUITE hit the sub-$300 mark, but it came really close. And considering it hits the rest of the bullet points…

So I bring it home. Cortana’s happy greeting is cut short by a reboot after I insert a bootable USB stick.

There were some issues, so I’m going to outline them here for future users.

Installation

Use F2 at the boot screen (don’t hold Fn) to enter the BIOS.

Here’s what I did in there:

• Disabled all of the secure boot stuff.
• Set the boot drive to the USB stick (for the install; throw it back after)
• Internal KB Numpad: Disabled (preference)
• Function key behavior: Function Key (preference)
• Lid Open Resume: Disabled
• Reboot

I kind of shotgunned my way around this whole area, so YMMV. But I think if I took the path I outlined here, first, I’d have had more immediate success…

At this point, you should have the Kali boot screen; perform a full install.

Since there’s only 64GB on the internal EMMC drive (which is enough for my purposes), I instructed the installer to wipe the entire drive. You didn’t want Windows 10 S anyway. 😎

Hardware Surprises

There’s a couple gotchas with the hardware, but most of it can be fixed easily.

Screen Rotation

During the installation process, everything is fine. But once you boot into the desktop, you’ll find yourself craning your neck sideways. The driver for the accelerometer is reporting the wrong orientation information, so the screen is rotated improperly. And if you rotate it into portrait mode, woosh, it’s in landscape.

The Quick GUI-based Fix

Turn the device on it’s side, giving a portrait orientation. It will render the desktop in a landscape orientation. Turn your head sideways and tap the user menu on the far end of the system bar along the top… (…er… right?)

Then tap the second icon on the bottom; the one right next to settings, to lock the orientation as ‘landscape’. Then you can flip the device back to it’s normal landscape orientation and it will stay in place.

Alternatively, you can run xrandr -o normal on the command line to force the rotation. You can view the current rotation state, as reported by the accelerometer, with monitor-sensor.

The Real Fix

The more involved fix goes like this (thanks to CupOfTea over on the Acer Community Forums):

Create /lib/udev/hwdb.d/61-sensor-local.hwdb

Inside that file, add:

sensor:modalias:acpi:BOSC0200*:dmi:*svn*Acer*:*pn*Spin*SP111-33*
ACCEL_MOUNT_MATRIX=0, 1, 0; 1, 0, 0; 0, 0, 1

Note the single space before ACCEL_!

The Nuclear Option

Disabling the accelerometer entirely is another possibility, but that is left as an exercise for the reader. 😏

WiFi

Wifi works great. It’s an Intel Wireless-AC 9560 that can be used for various things. Nice!

Bluetooth

As of this writing, I still haven’t gotten Bluetooth working. But I’ve had it for about half a day at this point, poking at other problem areas, so we’ll see how that goes. I’ll update this when I get it fixed.

I don’t know where the trouble lies, but the service just isn’t running on boot. Here’s what I did to start it up by default. First, call systemctl enable bluetooth.service to set it to load on boot.

After this, I was able to reboot, and my mouse connected on login. Good times. 👌

(If you’d rather not have it start automatically, you can just use systemctl start bluetooth.service to start it manually.)

Other hardware with no obvious issues

• Audio
• Touch screen
• Micro SD card reader
• On-board video – There’s some brief black and white glitching on the very top of the login screen, but you don’t see it anywhere else.
• HDMI – worked as second monitor on a 4K display; didn’t DPI scale out of the box of course.

Sweet.

So yeah, I’m pretty jazzed about this little guy. It’s about as close to perfect as I’ll probably get for now.

I guess I’ll keep it. 😏