A dirty smell in an Egyptian politician's iPhone

This happened in Egypt: the mobile phone of Ahmed El-Tantawy, a former member of the Egyptian parliament who decided to run in the upcoming Egyptian presidential election of 2024, was hacked. This was not the first time El-Tantawy's phone had been hacked.

In this write-up I will try to simplify, as much as possible, what happened for Ahmed El-Tantawy's iPhone to be compromised.
All the information mentioned here is gathered from the references listed at the end of this page.

Institutions

I will mention a few institutions and individuals who were involved in the hacking attempt, either directly or indirectly.

  • Cytrox: A company established in 2017 that makes malware used for cyberattacks and covert surveillance.
    The company was established by an Israeli cyber security engineer called “Rotem Farkash”, who served for years in the IDF (Israel Defense Forces), as per the Crunchbase website.
  • Predator: A spyware developed by Cytrox that targets the Android and iOS operating systems.
  • CitizenLab: Citizen Lab is a laboratory based at the Munk School of Global Affairs in University of Toronto, Canada. The lab focuses on the study of digital threats to civil society and high-level policy engagement.
  • TAG: Google’s Threat Analysis Group is a dedicated team that analyzes and monitors the attacks of malicious actors and is responsible for patching published and newly discovered vulnerabilities.
  • Egypt: Represents the Egyptian government and the decision makers behind the actions that were taken in the field of cyber security.
  • Ayman Nour: A former member of the Egyptian political opposition living in exile in Turkey.
  • Ahmed El-Tantawy: A former Egyptian member of the Parliament who previously served as the chairman of an Egyptian opposition political party called “al-Karama”.
  • Apple: The well-known company that makes iPhones, iPads, Apple Watches and many other products, including its famous operating system, iOS.
  • Vodafone: A British multinational telecommunications company that operates in multiple countries around the world including Egypt.

Timeline

The below list includes the timeline of the events:

  • 15 Sep 2021: Tantawy’s iPhone was infected through an SMS containing a Predator spyware download URL.
  • May 2023: Tantawy receives a malicious SMS containing a Predator spyware download URL.
  • 24 June 2023: Tantawy receives a malicious WhatsApp message containing a Predator spyware download URL.
  • 12 July 2023: Tantawy receives another malicious WhatsApp message containing a Predator spyware download URL.
  • September 2023: Tantawy receives another malicious SMS containing a Predator spyware download URL.
  • August – September 2023: Tantawy’s personal iPhone was targeted with a network injection attack originating from the Egyptian Vodafone network.
  • September 2023: Tantawy suspects his phone has been hacked and turns to Citizen Lab to request a forensic investigation of his phone.
  • September 2023: Citizen Lab investigates Tantawy’s iPhone and reports all the discovered attack scenarios and CVEs, holding the Egyptian government responsible for the attack with high confidence.
  • September 2023: Citizen Lab reports to Apple three zero-days that were used and discovered during their investigation of Tantawy’s iPhone.
  • 5 September: TAG fixes a zero-day used by Predator spyware against Android devices, which was separately reported to the Chrome Vulnerability Rewards Program by a security researcher.
  • 21 September 2023: Apple pushes a new iOS update that fixes the three zero-days that were used by Predator spyware and reported by Citizen Lab.

Read More

Remote Operation until last access (Part 2)

In Part 1, I outlined how, during this operation, I discovered an outdated WordPress installation. I researched the plugins and the theme installed on the WordPress script and obtained reflected XSS, a partial Local File Include, and time-based SQL injection.

If this were a normal pentest, this would be the end: I would write up the findings and recommendations. However, this was a remote operation. I was assessing a large corporation that I am calling Target Corporate.

SQL Injection Exploitation

In Part 1, I used a Local File Include that turned out to be useful for including a page vulnerable to SQL injection, and I also created a POC for the SQL injection. In this part, I will explain how the time-based SQL injection was exploited.

I used the SQLMAP tool, but the vulnerability could not be exploited directly by SQLMAP, so I had to create a PHP page that acts as a proxy between SQLMAP and the vulnerable page and provides the injection point that SQLMAP uses to launch a successful exploitation.

The PHP page is hosted on my localhost. It contains a user input called $inj that is used to forward the SQL injection payloads to the targeted vulnerable input in the proper form; I made it exploitable so that SQLMAP could inject its time-based SQL injection payloads.

Read More

Remote Operation until last access (Part 1)

In this post, I will chronicle a remote operation that was executed. The operation took many weeks to achieve its target; I went from minimal information about the corporation to the total compromise of all customers’ private information. The target is a large corporation with a sizable security program. For the purposes of this blog, I will call them Target Corporate.

Target Corporate is a big e-commerce company that operates in multiple countries. In this operation, I needed to do web application recon, source code review, exploitation, lateral movement and social engineering.

Let’s start

When I began this operation, I knew nothing about their infrastructure or operations. I needed to research the corporation and learn as much about their internal operations as possible.

I needed to look for outdated software and services that could be exploited, maybe some applications with default passwords or custom web applications that might be vulnerable, and for any resources that might be useful for gaining more information.

Recon Phase

I spent hours doing recon on the target’s external systems. There were no obvious exploitable vulnerabilities in any of the applications that were discovered. I found numerous web services and spent time investigating them. There was nothing in these tiny services.

I used the Google search engine, in addition to multiple tools, to enumerate any reachable subdomains of Target Corporate; the most interesting subdomains were:

  • management.target.com (Software to control customer data and transactions)
  • gmail.target.com (An application backed by Google Mail that provides a secure email login)
  • wordpress.target.com (A WordPress installation)

(Those are not the real names of the subdomains)

Read More

RCE Live Streaming webcam software

Today I am going to publicly disclose a vulnerability that I recently discovered in the VideoWhisper Live Streaming software. The software suffers from a remote command execution vulnerability; specifically, the issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands that are executed on the remote machine.

I decided to do a source code review of the VideoWhisper Live Streaming software as one of my research projects.

General Review

It took me many hours to read the source code; many files caught my attention, and ls_transcoder.php was one of the files I considered suspicious.

On line 21, the $stream parameter is inserted into a command that is passed to the exec function on line 22. The exec function executes commands on the remote machine and returns the output in an array that is passed as its second argument.

The $stream parameter is user-controlled input sent through the GET request on line 6; however, there is a filter function sanV($stream) on line 12. If I am able to bypass this filter, I will be able to gain command injection on the application.
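As an added example that is not part of the original post or VideoWhisper's code, this PHP fragment shows the defensive pattern the passage points at: a strict allowlist on the user-supplied stream name plus escapeshellarg() before exec(), so a bypass of a single sanitizer is not enough. The function names, the ffmpeg invocation and the directory paths are assumptions.

```php
<?php
// Added example (not VideoWhisper's ls_transcoder.php): safe handling of a
// user-supplied stream name before it reaches exec(). Names are assumptions.

// First line of defence: accept only what a stream name legitimately needs.
function validate_stream_name(string $stream): ?string
{
    // Letters, digits, '_' and '-', 1 to 64 characters. Shell metacharacters
    // (; | & $ ` newline ...) and a leading '-' (argument injection) never pass.
    if (preg_match('/^[A-Za-z0-9_][A-Za-z0-9_-]{0,63}$/', $stream) !== 1) {
        return null;
    }
    return $stream;
}

// Second line of defence: every interpolated value is a single quoted argument.
function build_transcode_command(string $stream, string $inDir, string $outDir): string
{
    // escapeshellarg() single-quotes the value and escapes embedded quotes,
    // so the shell sees exactly one argument even if validation were relaxed.
    $in  = escapeshellarg($inDir . '/' . $stream . '.flv');
    $out = escapeshellarg($outDir . '/' . $stream . '.mp4');
    return 'ffmpeg -i ' . $in . ' ' . $out;   // hypothetical transcoder call
}

$stream = validate_stream_name($_GET['stream'] ?? '');
if ($stream === null) {
    http_response_code(400);      // reject rather than "clean up" bad input
    exit('invalid stream name');
}

$cmd = build_transcode_command($stream, '/var/streams', '/var/transcoded');
exec($cmd, $output, $status);     // $output receives the command's stdout lines
```

Logging rejected values (without executing them) gives a cheap detection signal for probing against this kind of endpoint.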

Read More

Secrets box EG-CTF write up

Today I am going to disclose the write-up of one of the most interesting challenges I have played recently together with my teammates in EGCTF 2019.

The challenge was amazing and really challenging; it was solved only twice, by our team and one other team, and today I am adding the full write-up.
OK, let’s start.

Reconnaissance Phase

Once I launched the challenge, I saw the following:

I tried launching many authentication bypass payloads like ' or 1=1-- and similar payloads, but all my attempts failed.

Launching verb tampering attacks to bypass the firewall also led to a dead end, so at that point I decided to extend my recon phase. I launched DirBuster to search for more hidden endpoints and clearly noticed a newly discovered endpoint.

Assessment phase

Now a new hidden endpoint has been discovered, “api.php”; by opening the page we can observe the following.

How I was able to hijack Instabug highest plan account without payment

Today I am going to publicly disclose a vulnerability that I have found at Instabug company.

I was able to swap my own normal, unpaid registered account with the demo’s highly paid account, removing the restrictions on the demo account and placing them on my own free account, thereby gaining the full features of the highest plan ($349/month) without payment, in addition to sending normal users into my account when they tried to access the demo one.

It started when a great company (Instabug), which tests bugs found in Android and iOS apps, opened positions for hire.

As a job seeker, I was interested in applying as a penetration tester, until I found that they were launching a bug bounty program.

After thinking for a while, the question was: “Could I find a bug at a company that works on hunting application bugs?”

The challenge started

After creating an account, I started to test their backend for any unusual actions, focusing on XSS vulnerabilities, once I recognized that their main website is connected to a secured API that talks to the database and manages all user interactions and processes.

After hours with no result, I was about to quit when I noticed that Instabug has a demo account for testing their services, so “mmmmm, let’s try”.

The demo logged in automatically after pressing the “demo account” button, and as I had noted, their entire web application is connected to an API, so I fired up Burp Suite to intercept the demo request and see what happens behind the scenes. And guess what!!

Read More