Background

I recently worked on a phishing engagement involving a malicious email attachment. The final payload was an executable file that exfiltrated some data back to a server under my control. I’d normally use my attack server for this, but my attack server was already in use, so I opted to use Burp Suite’s Collaborator to catch my exfiltration payloads. My employer has their own Collaborator instance, so we don’t have to rely on PortSwigger’s and we can keep our clients’ data that much more secure.
Last week I was working on a social engineering engagement that included pretext phone calls, email phishing, and USB drops. I had to build payloads for the phishing email attachments and USB drops. This engagement was standalone, and therefore was not supporting other testing efforts like an internal pentest. Therefore, the payloads didn’t have to do anything fancy. I just needed proof that they were executed. Ideally, I wanted to collect the following information with each execution:
Introduction

I’m taking Offensive Security’s PEN-401 course this summer in an attempt to earn my OSEE certification. It’s the most difficult and most technical course they currently offer. I really enjoyed earning my OSCE and OSED certifications through them and I figured some day I would make an attempt at the OSEE. I wasn’t expecting to go for it in 2022, but they reached out to me with an available spot and I couldn’t pass up the chance.
Aha! I think I figured something out. I did some web searching to see if I could figure out how to identify the firmware entry point address. I found a StackExchange post that mentioned something called a “reset vector”. It sounds like a reset vector is a pointer that the CPU looks at to tell it where to begin program execution. The reset vector location is CPU-specific.
I went back to the Motorola datasheet and searched for information about reset vectors.
After having dumped the firmware for my Kantronics KPC 9612+ TNC, my next thought was to try to disassemble this code with IDA Pro; however, it turns out the IDA Pro free edition doesn’t support this architecture. I’m not excited enough about this project to go spend the money on a professional license.
Next I tried Ghidra. I hadn’t used Ghidra before, but it seemed like a good time to test it out.