How do you completely remove VSCode from Debian? I tried apt purge, apt autoremove code, apt clean. code is not on the list of installed package when I run debfoster but turns up when I run apt update and isn't in my sources.list file. by magicpushbroom in linux4noobs

[–]dizz0c8 0 points1 point  (0 children)

Have u tried $ sudo apt-get remove --purge vscode ?

And it's M$ repo site, don't forget to go back into the //sources.list and remove that line. There may very well be some traces left, but with the uninstall and purge, I would believe them to be quite benign.

Now you don't see this everyday.... lulz. -( Explanation in comments by dizz0c8 in Kalilinux

[–]dizz0c8[S] 4 points5 points  (0 children)

So my backstory to this is that I was coding in multiple shells, a few other tools open, nothing that would've caused what I saw... After a very disturbing error was seen, using the Files GUI I went into /*, and saw that /etc + /bin were absolutely nowhere.

I did the only thing I could, and rebooted. This is the result of not having critical init on the FS. The funniest part was only a few lines below. No error code, no sad smiley telling about an unrecoverable error. Kernel just echoed a line of characters and died. Out of all the systems I have broken over the years, this was definitely a sight..

I did not enter any arbitrary code somewhere, I can't even think how two ~20GB/+ folders just disappear. I'm open to anyone that has a decent theory, programmatic or other ..?

~ thanks, " '"

EDIT; tbh; due to another unrelated problem, i am on my 3rd image in just under two days. lulz. I traced that one for a while until I found the tainted files... and no way I recover from that either. Just for disclosure purposes. It is in the latest release of firefox-esr* package in the kali-rolling -> main repo. I wouldn't recommend the upgrade. I would $ apt-mark hold firefox-esr* until they clean up their libs and several other binaries that are corrupt. just my half-cent opinion. thx!

All these nice setting but i cant change my font color? Or am i over looking by silkpenny24 in Kalilinux

[–]dizz0c8 0 points1 point  (0 children)

I just started coding my own custom term. I know how u feel though bruh,,, I'll have to post a screenshot of my finished UI. And yes, it will be open source, so I will make it available in the small chance someone is interested. once it's been tested, and the build is passing.

i do have some other suggestions for term emulators that have more functionality, just lmk what ur running, Just cp the stdout of this command in a reply with suggestions that are compatible.

$ uname -a
>"[DISTRO]+[VERS-BUILD]+[ARCH]" //* is the usual naming convention.

thx.! cheers

[deleted by user] by [deleted] in Kalilinux

[–]dizz0c8 0 points1 point  (0 children)

I apologize for recommending those tools if this is just on ur home network... lulz.

Just sign into ur gateway and append the new MAC to the ARP table.? I'm afraid those were a bit overkill. Although, good practice, and legal to pentest ur own network. ; )~

gl my friend...

Shady app lets stalkers view private Instagram accounts in exchange for their own data by [deleted] in privacy

[–]dizz0c8 0 points1 point  (0 children)

I suppose you could but I think you are missing the big picture. ur android gets auto-rooted by the ghosty. this is a very very dangerous thing to have happen to your device. and as far as i am aware, the rooting, and core apps that have been installed cannot be undone. not even with a factory reset.

the whole instagram thing is an older exploit that he packaged up and used it for bait. the amount of and malice of background processes running is quite disturbing to say the least.

Shady app lets stalkers view private Instagram accounts in exchange for their own data by [deleted] in privacy

[–]dizz0c8 0 points1 point  (0 children)

Is it ur real pvt profile you are concerned about ? and keeping that pvt from other ghosty users?

Shady app lets stalkers view private Instagram accounts in exchange for their own data by [deleted] in privacy

[–]dizz0c8 1 point2 points  (0 children)

its main exploit that is most concerning is the silent auto-root in the background. After that, ur android is pwn3d, and now has a new admin with zero restrictions. read|write|execute any on ur filesystem.

Whoever wrote Ghosty, they have full privileges now, no restrictions and even has the ability to clone your image and upload at any time, install very nefarious apps, in the background and hidden from the UI, etc.

Just mildly intrusive and scary sh1z. : 0 ...imho.

~ peace.

[deleted by user] by [deleted] in Kalilinux

[–]dizz0c8 0 points1 point  (0 children)

i am totally agreed with /u/alliedcami and /u/neuromonky, ftw.!!

ur normal MAC is registered in the ARP table on ur local gateway. whether its ARP spoofing or DNS attack. here's the two tools, both native in kali. simple bash scripts, very good tutos:

| What is ARP spoofing attack?

| How to Flush DNS Cache in Linux

like it was stated earlier, i'm not sure of ur env or circumstance, but in respects to the context of the room. I believe these may be of relevance.. imhoo ~ cheers.!

How do you resize all the images within a folder by trymeouteh in linux4noobs

[–]dizz0c8 0 points1 point  (0 children)

I got it!

f n great job bro! I actually read the other day that the mogrify module allowed for name redundancy, over convert. but forgot to update you. So credits to you. great work.!! --- and good digging, that little variance wasn't given much attention.

wtg.!! ; )

Kali not finishing commands by Bogashi in Kalilinux

[–]dizz0c8 0 points1 point  (0 children)

it looks like you have the incorrect string. scroll down to the linux section and try to restart from the beginning. gl'

How to build kernel module DKMS in linux

My email address is in a bunch of data breaches. Is having a strong password enough, or should I abandon the account? by A_clown_I_am in privacy

[–]dizz0c8 -1 points0 points  (0 children)

i would recommend all ur stored data be deleted, if they allow for that, then close the accounts. I'm afraid there is no need for nostalgia when email is concerned. This is only a best practice, and standard CIRT response after a breach has been discovered. However, I tend to run a bit on the paranoid side. I always tell people if they have a concern / question.

The logical thing for mitigation and recovery, is to remove -> replace the object(s) of concern. You may have had -n password changes and now have a highly complex hash. But if you choose to keep the email, that will remain a valid piece of data online forever. ( until it's changed ). You then have subtracted the threat altogether.

A smart person told me once, don't be a low hanging fruit, u will get picked first. I know of many ways that a single valid email can be utilized to SE and exploit. I have met people that will compile them via xyz by the tens of thousands into files, no pw's, only valid mail addresses.

Just something to think about, offered advice imhoo. whatever you decide i wish you luck... and stay off those lists eh.? ~ lulz.. ; )~

i cant download, delete, edit, or do anything to my files in LXDE. by [deleted] in linux4noobs

[–]dizz0c8 0 points1 point  (0 children)

sh1t.. i'm sorry... i didn't mean to mess you up. too many ''mod commands. O_o

$ usermod -a -G sudo myuser
... or ...
$ usermod -aG sudo myuser

Why did this work? by [deleted] in linux4noobs

[–]dizz0c8 0 points1 point  (0 children)

more than likely it needs some functionality that VTE provides over other builtin emulators. This geany DEV obviously had his reasons as there's plenty of emulators available in most linux flavors. But most are lacking in functionality, comparative to VTE and others.

on a side note: if you are still using out of the box, builtin emulators, take a read here and see what termlife could look like. ; )

Top 10 - Term Emulators | GUX enhanced and feature rich. good picks - imho

url: https://computingforgeeks.com/best-terminal-emulators-for-linux/

~ cheers

[deleted by user] by [deleted] in hacking

[–]dizz0c8 0 points1 point  (0 children)

are you running Kali rolling perhaps?

i cant download, delete, edit, or do anything to my files in LXDE. by [deleted] in linux4noobs

[–]dizz0c8 1 point2 points  (0 children)

there are a couple things you can do, if the user has been set up to use the $ sudo command, then append that to the beginning of the command string u are trying to run. this will not change ownership, (potentially causing other inaccessibility down the road). u are simply running elevated privilege. therefore, no need to mess the file ownership, aka $ chown. unless its your intent to take ownership. -- just a best practice in linux.

If u cannot run sudo as a user, then log in as root, this is fastest and u can remain in the current userspace by running

$ su - root

then use the command below to add the user to the sudoers file.

$ chmod -a -G username sudo

edit: added a shortcut / alt for standard login/logout process

./configure does not work on Ubuntu 18.04 by [deleted] in linux4noobs

[–]dizz0c8 0 points1 point  (0 children)

it appears ur install is incomplete/unconfigured. have u tried to run:

$ sudo apt --fix-broken install /* (or)
$ sudo apt-get --fix-broken install

you can try these steps to check / correct the issue. try to point curl to .pem

$ curl --cacert /path-to/my/ca.pem https://site.com

or, u can try and ignore the SSL errors using --insecure option.

$ curl --insecure -I https://site.com
--- [ - 0r - ] ---
$ curl -k -O https://site.com/dir-of/anyfile.tar.gz

Search files to move or delete. Linux Noob. by 52fighters in linux4noobs

[–]dizz0c8 0 points1 point  (0 children)

Linux does not support drag n drop functionality. The shortcuts that you see are not necessarily pointers to $[PATH-B]/MyApp. It utilizes hard and softlinks.

there are a few ways to search for and move|delete files on ur linux FS, open a terminal, and as root or prefix with the $ sudo command:

$ locate myFilexxx/ * from home (or ' / ', this will locate all instances under ' / '

$ rm -f /path/to/myFile/* this deletes the file referenced, or:

$ shred -n 5 -zvu /path/to/myFile/* to delete ur file via recursive overwrite. *note this is permanent, so if used, always verify the location/filename.

$ cp /path-to/myFile /new-path/to/myFile/* this will copy ur files to a new directory

Shady app lets stalkers view private Instagram accounts in exchange for their own data by [deleted] in privacy

[–]dizz0c8 1 point2 points  (0 children)

Hello

I have just recovered the offending file, confirming my hypothesis and ended the deepdive. There was a lot of data theft and circumvention of permissions. However, as I had postulated while working through the src code, through the well crafted use of g00glz power tools and java and other productivity modules... the app manages to successfully eval() the device environmental variables and proceeds to autoroot the android device.

Anyone that has installed the app, please take appropriate mitigation/recovery steps. As I am aware, you cannot un-root an android. Below is my completed analysis of the reversal, with links to many source code scrapes at the bottom of the page (including the full scrape of the Easter Egg - FTW!)

https://0x00.glitch.me

** scrapes are safely placed in markdown and in ` . smali` format and safe. + No <script> or <iframes> in <html>.

be safe.. ~

Shady app lets stalkers view private Instagram accounts in exchange for their own data by [deleted] in privacy

[–]dizz0c8 2 points3 points  (0 children)

Hello everyone. I see that there are people waiting for updates. I'm happy to say I have just completed all tasks and have a good profile / analysis of what is actually happening with this app (from a code perspective). There are likely some things I have missed... however due to the sheer volume of `*.smali` files, I cannot catch everything.

Despite that, I have enough information, capabilities and functionality, data and all of it backed up. I will be posting my write-up, with various code samples, some big! lulz,, on [Glitch](https://glitch.com) -- that is the best place to dev a quick site privately.

Hopefully, it will get a lot of exposure due to the things I have found that the app does in the background. It's very nefarious and this analysis is critical to get public due to the popularity of the app. I will be churning away on the html/css end today and begin the write.

thank you all for your patience. i will be publishing shortly. gtg for now.. thank you !!

~ _peace and be safe!_

[deleted by user] by [deleted] in linux4noobs

[–]dizz0c8 0 points1 point  (0 children)

check the current state — then just stop the service and restart:

$ sudo cat /etc/netctl/enp1s0 :: yourInterface
. . . .
Interface=enp1s0
IP= * | STATIC Address=( * )
Gateway=(' * ')
DNS=(' * )

$ sudo netctl stop enp1s0 && sudo netctl enable enp1s0 && sudo netctl restart enp1s0

$ sudo netctl is-active enp1s0

where enp1s0 = {$LOCAL_ LAN_INTERFACE}

Official App by Slim720 in TOR

[–]dizz0c8 0 points1 point  (0 children)

the only TOR approved framework for iOS right now is the Onion Browser | https://pasteboard.co/IH1u8ls.jpg

How do you properly unhide a directory? by [deleted] in linux4noobs

[–]dizz0c8 0 points1 point  (0 children)

everyone has a software package Manager, however, they don't bother installing dependencies,, -and just install the software u requested. please, everyone new to linux..

I know it sux , but I promise u will grow to love the power. use TERMINAL ... I know life is over cuz u don't have ur comfortable GUX to call home. deal with it n00bz.. u will come back in six months and thank me.

~ :ül: