The short answer is no, at least on some of the newer Dell PowerEdge servers. There are some places online where it sounds like it may work with certain servers.
If you are running on 120v and then plug in a 240v line on the second PSU, the PSU light flashes 3 times and then stays off.
From the iDRAC we can see that one PSU Input Line Type is Low line (120v) and the other is High line (240v)
As a side note, the Input Wattage is different because we can pull more watts from a 240v line. Watts are Amps X Volts, so at the same current, halving our voltage halves our total wattage.
Looking through the Lifecycle Log we see the following entry saying that the PSU is disabled because of an input voltage mismatch.
Ran across an email that had an attachment named Payment.htm. This kind of phishing attack isn’t anything new, but the htm file had some interesting obfuscation inside of it.
Opening up the file in a Kali virtual machine starts to load what appears to be a Microsoft SharePoint site. Notice the URL is the local file. It’s set up to pull the photos from the web. Since the VM had no internet available, the images never loaded.
After spinning around for a second, it loads the “log on page”, already populated with our email address. Note I changed the email address before taking the screenshot.
Typing in a random password and hitting Sign in triggers the sign in page.
Notice the ipinfo.io network connection.
Going to https://ipinfo.io/json gives us a good bit of info about our IP address, location etc. It looks like this information is requested and then sent to the hackers.
Since there was no internet connection, the malicious htm page never received the IP information and so didn’t continue on to the next stage; it just sat there loading. We should be able to set up a fake local server and feed it the information to continue on to the next stage, or we can just do some static code analysis.
Base64, Base64 and more Base64
Opening up the file in a text editor shows tons of Base64 encoded data. The file is only about 20 lines long, but the individual lines are super long.
This first section of Base64 encoded data is by far the shortest. atob is a javascript function that decodes Base64 data. There are multiple nested atob calls, meaning that to actually get the data we’ll need to decode it multiple times. Or we can just copy out the atob calls and run them directly in Node.js to get the output.
This is fairly easy to do: run nodejs from the command line, set the variable, and print it to the console.
# nodejs
> let b64 = atob(atob(etc...etc...etc...))
> console.log(b64)
Unfortunately, the next few lines are too large to do what we just did. What we can do is duplicate the file, then delete all non-javascript text. Next we replace the beginning of the lines where it says “document.head……atob” with
console.log(atob(atob(atob(.....))));
After we have cleaned up the file and made those changes, we save it and run it as a javascript file.
nodejs ./Payment.htm
If we want to, we can pipe the output into another file with the > operator
nodejs ./Payment.htm > Decoded_Payment.js
Deobfuscating the important stuff
Looking at the decoded code shows that there is still some obfuscated stuff in that last line.
The var _0x8378= array contains a lot of text that is not human readable.
Fortunately, this is not hard to decode at all. In a terminal, launch nodejs again, copy the whole array as a variable, and then just print the whole array.
The last URL is the ipinfo.io one we saw in the browser developer tools. Some of the other entries in that array also seem to map to the fields returned by ipinfo.
Windows 11 introduced “Suggested Actions”. When you copy a date, time, or phone number, you will get this little pop up asking if you want to “Create event” or “Call number”.
While this can be helpful, it can also be slightly annoying and get in the way. Fortunately, there is a simple way to turn it off. Hit the little down arrow, then click “Go to clipboard settings”.
Once in the System settings, turn “Suggested actions” off.
atob() is a javascript function that decodes base64 encoded text. btoa() is the encoding function. We can use NodeJS to decode atob() calls. For instance, we can launch nodejs with
nodejs
and decode the string SGVsbG8gV29ybGQgIQ==
console.log(atob("SGVsbG8gV29ybGQgIQ=="));
If we wanted to break that down into a couple variables we can do something like the following.
> var b64 = atob("SGVsbG8gV29ybGQgIQ==")
> console.log(b64);
You can also create a javascript file and then run the file with nodejs.
var b64 = atob(atob("U0dWc2JHOGdWMjl5YkdRZ0lRPT0="))
console.log(b64);
We can then run the file with
nodejs ./file.js
In the file the string “Hello World !” is double encoded, so we decode it twice with atob(atob(base64)).
There is more info available at the following links
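Both the Payment.htm walk-through and this atob() primer come down to the same two chores: peeling nested atob() layers and reading an obfuscator's string array. The following Node.js script is an added example, not the original post's code or anything from the phishing kit; it does both statically, without executing the file, against a constructed sample (the _0x8378 name is borrowed from the page, the stage text and array contents are made up).

```javascript
// Decode one base64 layer the way the browser's atob() does (binary string).
function atobLayer(b64) {
  return Buffer.from(b64, "base64").toString("latin1");
}

// Find every atob(atob(...("<base64>")...)) chain, count its depth and decode
// it that many times; returns [{depth, decoded}] in file order.
function peelAtobChains(src) {
  const chain = /((?:atob\(\s*)+)["']([A-Za-z0-9+/=]+)["']/g;
  const out = [];
  let m;
  while ((m = chain.exec(src)) !== null) {
    const depth = m[1].match(/atob\(/g).length;
    let text = m[2];
    for (let i = 0; i < depth; i++) text = atobLayer(text);
    out.push({ depth, decoded: text });
  }
  return out;
}

// Pull the entries out of an obfuscator string array such as
// var _0x8378=["\x68\x74..."], turning \xHH and \uHHHH escapes into text.
function extractStringArray(src) {
  const arr = /var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([^\]]*)\]/.exec(src);
  if (!arr) return { name: null, items: [] };
  const items = [];
  const lit = /["']((?:\\.|[^"'\\])*)["']/g;
  let m;
  while ((m = lit.exec(arr[2])) !== null) {
    items.push(m[1].replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
      (_, x, u) => String.fromCharCode(parseInt(x || u, 16))));
  }
  return { name: arr[1], items };
}

function analyze(src) {
  return { chains: peelAtobChains(src), strings: extractStringArray(src) };
}

// Constructed sample (not a real phish): a double-base64 stage plus a hex-escaped array.
function sampleHtm() {
  const once = Buffer.from('document.write("stage 2")').toString("base64");
  const twice = Buffer.from(once).toString("base64");
  const hex = (s) => [...s].map((c) => "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
  return `<script>document.head.innerHTML=atob(atob("${twice}"));` +
    `var _0x8378=["${hex("https://ipinfo.io/json")}","${hex("password")}"];</script>`;
}

// Usage: node decode.js Payment.htm  (with no argument, analyses the constructed sample)
const file = typeof require === "function" && process.argv[2];
const source = file ? require("fs").readFileSync(file, "utf8") : sampleHtm();
console.log(JSON.stringify(analyze(source), null, 2));
```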
When logged into webmail, the connection can look like the following.
Mar 27 12:31:17 host dovecot[207411]: imap(email@address.com)<1234567>: Disconnected: Logged out in=148, out=1166, bytes=148/1166
Mar 29 16:41:30 host dovecot[207411]: imap-login: Login: user=<email@address.com>, method=PLAIN, rip=::1, lip=::1, mpid=1234567, secured, session=<1uP1h3vD3as3AAAAAAAAAAAAAAAAAAAAB>
Notice the rip and lip are both ::1, IPv6 localhost. Looks like Webmail is creating a local connection to the server to authenticate and pull the email. This makes tracking down where an actual person signed in from a little harder. The connection still gets logged, it’s just in a different log.
Use one of the following two commands to search the session log or the mail log:
tail /usr/local/cpanel/logs/session_log -f
grep "email@address.com" /var/log/maillog
The output should be similar to the following
[2023-03-27 12:31:17 -0500] info [webmaild] 192.168.1.11 NEW email@address.com:A3WnodOlnxn1gq05 address=192.168.1.11,app=webmaild,creator=email@address.com,method=handle_form_login,path=form,possessed=0
Notice it gives us the IP address of where the user signed in from.
You could also look at /usr/local/cpanel/logs/access_log; however, there the @ sign is percent-encoded as “%40”, which could cause issues if you are trying to grep for the email address.
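To make that search less error-prone, here is an added example (not from the original post) that parses session_log lines of the shape shown above, decodes a percent-encoded address so email%40address.com and email@address.com both match, and lists the client IP for each login. The log lines are constructed and the key=value layout is assumed from the single line on the page.

```javascript
// Constructed sample lines in the session_log shape shown on the page
// (session tokens and IPs are placeholders, not real values).
const SAMPLE_LOG = [
  "[2023-03-27 12:31:17 -0500] info [webmaild] 192.168.1.11 NEW email@address.com:TOKEN1 address=192.168.1.11,app=webmaild,creator=email@address.com,method=handle_form_login,path=form,possessed=0",
  "[2023-03-28 08:02:44 -0500] info [webmaild] 203.0.113.42 NEW email%40address.com:TOKEN2 address=203.0.113.42,app=webmaild,creator=email%40address.com,method=handle_form_login,path=form,possessed=0",
  "[2023-03-29 16:41:30 -0500] info [webmaild] 198.51.100.7 NEW other@address.com:TOKEN3 address=198.51.100.7,app=webmaild,creator=other@address.com,method=handle_form_login,path=form,possessed=0",
];

// [time] level [app] ip ACTION user:token key=value,key=value,...
const LINE = /^\[([^\]]+)\] (\w+) \[([^\]]+)\] (\S+) (\w+) ([^:\s]+)(?::\S+)? ?(.*)$/;

function parseSessionLine(line) {
  const m = LINE.exec(line);
  if (!m) return null;
  const fields = {};
  for (const kv of m[7].split(",")) {
    const i = kv.indexOf("=");
    if (i > 0) fields[kv.slice(0, i)] = kv.slice(i + 1);
  }
  // The address may be percent-encoded (email%40address.com); normalise it.
  return { time: m[1], app: m[3], ip: m[4], action: m[5],
           user: decodeURIComponent(m[6]), fields };
}

// Every NEW session for one mailbox, with the client IP that webmail recorded.
function webmailLogins(lines, email) {
  const want = email.toLowerCase();
  return lines.map(parseSessionLine)
    .filter((e) => e && e.action === "NEW" && e.user.toLowerCase() === want)
    .map((e) => ({ time: e.time, ip: e.fields.address || e.ip, method: e.fields.method }));
}

// Usage: node logins.js session_log user@example.com  (no args: constructed sample)
const [logFile, who] = typeof require === "function" ? process.argv.slice(2) : [];
const lines = logFile ? require("fs").readFileSync(logFile, "utf8").split("\n") : SAMPLE_LOG;
console.log(webmailLogins(lines, who || "email@address.com"));
```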
Windows 11 seemingly will not let you finish the setup process unless you are connected to a network. Fortunately there is an easy way to side step this issue.
When you get to the “Let’s connect you to a network” screen,
Hit the Shift + F10 keys to launch a command prompt
From here, there are two ways we can disable or skip the network setup.
Acropalypse is a vulnerability in Google’s markup editor (and Windows Snipping Tool). It allows an attacker to recover parts of a cropped or marked up image.
There are a couple specific steps you have to follow for the bug to happen.
Take a screenshot
Save screenshot
Crop or markup screenshot in Google Markup or the Windows Snipping Tool
Save screenshot with the same name as original screenshot
The bug is that when you save the cropped screenshot with the same name, it overwrites the original file, but the markup tools do not resize or truncate the file. That means the tail end of the original image data is still present in the saved screenshot.
For example in the following two screenshots, notice the size and dimensions
Here is the first screenshot
The second screenshot shows smaller dimensions because it was cropped, but the size is still the same.
Am I affected?
Potentially. Most images are reprocessed if they are being uploaded to a web service. Discord only started doing that in January. So if you have images on Discord before then, you may want to look into that.
You also have to specifically overwrite the original screenshot image. If you don’t normally save the image first you may be fine. Never hurts to check though.
macOS, and so presumably iOS, appears to properly resize the image after cropping has taken place. That would lead me to suspect that iOS and macOS devices are not vulnerable to a variant of acropalypse.
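A quick way to check a screenshot for the warning sign described above (a cropped image whose file size did not shrink) is to look for bytes after the PNG IEND chunk. The following Node.js script is an added example, not the researchers' tool or any exploit code: it reads the IHDR dimensions, finds IEND and reports any trailing data, using a constructed PNG skeleton so it runs without an image on disk.

```javascript
const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Walk the chunk list and report the IHDR dimensions plus how many bytes sit
// after IEND. A well-formed PNG ends at IEND; leftover bytes are the symptom.
function inspectPng(buf) {
  if (buf.length < 8 || !buf.subarray(0, 8).equals(PNG_SIG)) throw new Error("not a PNG");
  let pos = 8, width = null, height = null, sawIend = false;
  while (pos + 12 <= buf.length) {
    const len = buf.readUInt32BE(pos);
    const type = buf.toString("ascii", pos + 4, pos + 8);
    if (type === "IHDR") { width = buf.readUInt32BE(pos + 8); height = buf.readUInt32BE(pos + 12); }
    pos += 12 + len;           // length + type + data + CRC (CRC is not verified here)
    if (type === "IEND") { sawIend = true; break; }
  }
  const trailing = sawIend ? buf.length - pos : 0;
  return { width, height, fileSize: buf.length, trailingBytes: trailing,
           suspicious: sawIend && trailing > 0 };
}

// Minimal constructed PNG skeleton (signature, IHDR, IEND; CRCs left as zeros
// because inspectPng does not check them) plus optional bytes after IEND.
function chunk(type, data) {
  const head = Buffer.alloc(8);
  head.writeUInt32BE(data.length, 0);
  head.write(type, 4, "ascii");
  return Buffer.concat([head, data, Buffer.alloc(4)]);
}
function samplePng(width, height, trailing) {
  const ihdr = Buffer.alloc(13);
  ihdr.writeUInt32BE(width, 0); ihdr.writeUInt32BE(height, 4);
  ihdr[8] = 8; ihdr[9] = 6;               // 8-bit RGBA
  return Buffer.concat([PNG_SIG, chunk("IHDR", ihdr), chunk("IEND", Buffer.alloc(0)),
                        Buffer.alloc(trailing, 0xaa)]);
}

// Usage: node check.js screenshot.png  (without an argument, the constructed samples are used)
const arg = typeof require === "function" && process.argv[2];
const results = arg ? [inspectPng(require("fs").readFileSync(arg))]
                    : [inspectPng(samplePng(1920, 1080, 0)), inspectPng(samplePng(800, 600, 4096))];
console.log(results);
```

A real cropped screenshot that reports suspicious: true with a large trailingBytes value is one to re-save through a tool that rewrites the file before sharing it.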
Twitter Post about acropalypse.
Introducing acropalypse: a serious privacy vulnerability in the Google Pixel's inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot. Huge thanks to @David3141593 for his help throughout! pic.twitter.com/BXNQomnHbr