[HackerNotes Ep. 120] SpaceRaccoon - From Day Zero to Zero Day
In this episode of Critical Thinking - Bug Bounty Podcast, Justin Gardner welcomes Eugene to talk (aka fanboy) about his new book, 'From Day Zero to Zero Day.' We walk through what to expect in each chapter, including Binary Analysis, Source and Sink Discovery, and Fuzzing everything. Then we give listeners a special deal on the book.
Hacker TL;DR
Eugene Lim (@spaceraccoonsec) joined us to talk about his book From Day Zero to Zero Day. We cover some topics like:
Taint Analysis and Binary Taxonomy: Automating source → sink discovery means we don’t always need to find what to hack on by hand. Also, don’t blindly jump into disassembly: understand and figure out the binary type first and reverse accordingly. The Binary Taxonomy chapter is available for free in the link below if you want to take a look!
Quick & Coverage-Guided Fuzzing: Fuzzing is really useful and can sometimes help us discover a lot of things we wouldn’t have discovered manually. On the other hand, smart fuzzing can help us achieve even more by fuzzing based on what is discovered during the process.
Discount code: Code ZERODAYDEAL for 30% off at https://nostarch.com/zero-day. We’re also giving away 6 free copies on Discord for the Critical Thinkers: https://ctbb.show/discord

ThreatLocker Cloud Control leverages built-in intelligence to assess whether a connection from a protected device originates from a trusted network.
By analyzing connection patterns from protected computers and mobile devices, it automatically identifies and allows trusted connections.
Find out more here:
From Day Zero to Zero Day
In this episode, Eugene Lim (@spaceraccoonsec) joins us to talk about his new book! We'll walk through each chapter, and pick his brain a little bit to know what each chapter is about.
— Where To Buy
If you want to learn more about vulnerability research from a bug bounty hunter's perspective, check out his book at: https://nostarch.com/zero-day
ZERODAYDEAL: For our listeners, you can use the code ZERODAYDEAL to get 30% off!
— Giveaway
By the way, we're giving away 6 copies of the book to our Critical Thinkers on Discord! If you're already a Critical Thinker or interested in joining, you could win a free copy.
Join our community at https://ctbb.show/discord and become a Critical Thinker by heading to the "Server Shop" in the top left corner (desktop client) to subscribe to the Critical Thinker's tier.
Taint Analysis
This chapter of the book is about finding sinks, the potential things that could break your flow, and how to avoid doing it manually, because a good part of this can be automated. So this part of the book is all about making that part of the process more practical.
Binary Taxonomy
This chapter is available for free! Here, Eugene lays out a strategic approach to reverse engineering by classifying binaries into scripts, intermediate representations, and native machine code, each of which requires different analysis methods. Instead of rushing into low-level disassembly, the focus is on quickly identifying the binary type and using the right tools to unpack and understand it; the goal is to work smarter.
By recognising common packaging patterns and leveraging metadata, we can recover near-original source code, spot dangerous constructs like eval(), and prioritise targets that offer the most potential.
Source & Sink Discovery
This conversation started with Justin’s question of “what do we do? Source to sink, or sink to source?”
For Eugene, if you already have the source code, just stick to the source code, but it’s important to know how to work both ways because in reverse engineering, you cannot rely on any specific methodology for everything. So in this chapter, he broke down strategies to understand the code better and how to analyse it depending on the context you’re in.
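As an added example (not code from the book or the podcast) of the automated source → sink discovery discussed in the Taint Analysis section and here, this small Python script does a sequential, intra-procedural taint pass over a constructed target script: names fed from assumed sources (request, input) are tracked through assignments, and any assumed sink (eval, exec, system) that receives source-derived data is reported with its line number.

```python
import ast

# Assumed naming: these source/sink sets are an illustrative choice for this
# example, not a list taken from the book.
SOURCES = {"request", "input"}          # roots of attacker-controlled data
SINKS = {"eval", "exec", "system"}      # dangerous calls worth a closer look


def root_name(node):
    # os.system -> "os", request.args.get -> "request", name -> "name"
    while isinstance(node, ast.Attribute):
        node = node.value
    return node.id if isinstance(node, ast.Name) else None


def find_tainted_sinks(src):
    """Return (line, sink) pairs where a sink receives source-derived data.
    Deliberately simple: sequential top-level statements, no branches."""
    tainted, hits = set(), []

    def is_tainted(node):
        if isinstance(node, ast.Name):
            return node.id in tainted
        if isinstance(node, ast.Call):
            return root_name(node.func) in SOURCES or any(map(is_tainted, node.args))
        if isinstance(node, ast.Attribute):
            return is_tainted(node.value)
        if isinstance(node, ast.BinOp):
            return is_tainted(node.left) or is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):
            return any(is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    for stmt in ast.parse(src).body:
        # propagate taint through assignments before checking sinks in the same stmt
        if isinstance(stmt, ast.Assign) and is_tainted(stmt.value):
            tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
        for node in ast.walk(stmt):
            if isinstance(node, ast.Call):
                fn = node.func
                name = fn.attr if isinstance(fn, ast.Attribute) else getattr(fn, "id", None)
                if name in SINKS and any(map(is_tainted, node.args)):
                    hits.append((node.lineno, name))
    return hits


# Constructed sample target script: only line 4 passes tainted data to a sink
SAMPLE = '''import os
name = request.args.get("name")
cmd = f"ls {name}"
os.system(cmd)
eval("1+1")
os.system("uptime")
'''
```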
Quick Fuzzing & Coverage Guided Fuzzing
There are some hackers that have fuzzing as a go-to methodology and it really pays off to fuzz stuff a lot of times. Eugene argued that there are a lot of CVEs that you read and realise that you could have found that bug or initial attack vector with a dumb fuzzer too, without too much hassle.
One other thing: nowadays it is not too hard to have LLMs go through the input fields and understand what they are used for. By doing that we can fuzz a little more intelligently without spending too much time configuring things.
For the Coverage Guided Fuzzing chapter, Eugene guides the reader beyond dumb fuzzing. He talks about understanding the application and the output it gives while fuzzing, so we can build smarter fuzzers that cover more ground and are more efficient.
Pwning Millions of Smart Weighing Machines with API and Hardware Hacking
We wrote about this one a few weeks ago on episode 118 so we’ll just copy that over here:
Another IoT pwn. Spaceraccoon dropped a nice blog post on pwning millions of smart weighing machines - scales - and it highlights how wild some of the IoT landscape really is from a security perspective.
Instead of focusing on hardware alone, Spaceraccoon focused on the user-device association flow - how your app links to your specific scale. Turns out it was wildly insecure in one OEM's implementation, letting anyone take over any device.
The idea of user-device association (aka how a device associates itself with a user or a user account) has been mentioned a lot on the pod. Device-to-cloud communication is where a lot of the juice seems to be, as developers often make a lot of assumptions around those communications, since it’s often assumed they won’t be seen or interacted with outside of the device.
This was noted historically on episodes with Sharon, Elliot Brown and Sinsinology - check them out if you want more IoT goodness:
Anyway, some cool takeaways from this research:
Shared OEM Libraries = Supply Chain Multipliers
Multiple smart scale brands reused common SDKs/libraries (i.e. com.qingniu.heightscale) across Android apps. This means identical API structures + auth logic = shared attack surface across vendors.
SQL Injection + BT-WAF Bypass
Discovered an API endpoint - /api/device/getDeviceInfo - where the device's serial number param was unsanitized, and bypassed a Baota Cloud WAF in the process using the payload:
{ "serialnumber": "'or\n@@version\nlimit 1\noffset 100#" }
\n (newline) instead of space for payload separation. @@version as a Boolean true primitive.
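Added example, not the vendor's code: the unsafe string-splicing pattern behind a bug like this next to the parameterized lookup that fixes it. The table, serial numbers and query text are constructed for the example; the payload is shaped like the one above, with \n as real newlines. The point is that with a bound parameter the serial number can only ever be a value, so the fix doesn't depend on a WAF recognising whitespace tricks.

```python
import sqlite3

# Constructed payload shaped like the one quoted above: the leading quote
# closes the SQL string literal and newlines stand in for spaces.
PAYLOAD = "'or\n@@version\nlimit 1\noffset 100#"


def make_db():
    # Constructed in-memory table standing in for the backend's device table
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER, serialnumber TEXT, owner TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)",
                     [(1, "SN-0001", "alice"), (2, "SN-0002", "bob")])
    return conn


def build_query_unsafe(serial):
    # Vulnerable pattern: the parameter is spliced into the SQL text, so a
    # quote inside the value ends the literal and the rest is parsed as SQL.
    return f"SELECT id, owner FROM devices WHERE serialnumber = '{serial}'"


def lookup_safe(conn, serial):
    # Hardened: a bound parameter is only ever a value, whatever whitespace
    # or keywords it contains, so nothing has to be filtered to keep it inert.
    return conn.execute("SELECT id, owner FROM devices WHERE serialnumber = ?",
                        (serial,)).fetchone()


def literal_closed_early(sql):
    # Illustrative check on the unsafe query text: did the spliced value end
    # the quoted literal before the statement's own closing quote?
    start = sql.index("'") + 1
    return "'" in sql[start:-1]
```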
Broken User-Device Association Logic = Full Takeover
The backend supported two flows for user↔device linking, meaning it was possible to trick the server into interpreting a user-initiated flow as device-initiated. This was combined with the server not confirming the session token matched the target deviceid. This meant:
- Use the attacker’s valid user session token for both the Session-Id header and the sessionidtoken.
- Supply the victim’s deviceid in the body → device gets bound to the attacker.
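Added example of how a bind handler can close that gap; this is a hypothetical handler written for this post, not the OEM's API. It assumes a Session-Id header and a JSON body with deviceid, an explicit flow field, and (for the device flow) a per-device credential named devicesecret; session and device tables are constructed. A device-initiated bind must prove possession of the device credential (a user session token is never accepted in its place), and a user-initiated bind is tied to the target deviceid by refusing devices already bound to someone else.

```python
import hmac

# Constructed sample state standing in for the backend (not real data)
SESSIONS = {"tok-alice": "alice", "tok-mallory": "mallory"}            # session token -> user
DEVICE_SECRETS = {"dev-123": "s3cr3t-123", "dev-456": "s3cr3t-456"}    # deviceid -> device credential


def bind_device(headers, body, bindings):
    """Hypothetical bind handler. Returns a status string and updates
    `bindings` (deviceid -> owning user) only on success."""
    user = SESSIONS.get(headers.get("Session-Id"))
    if user is None:
        return "unauthenticated"
    device = body.get("deviceid")
    if device not in DEVICE_SECRETS:
        return "unknown device"
    flow = body.get("flow")
    if flow == "device":
        # Device-initiated: prove possession of the device's own credential.
        # The sessionidtoken field is ignored here on purpose; a user session
        # token is never accepted as a stand-in for the device.
        if not hmac.compare_digest(body.get("devicesecret", ""), DEVICE_SECRETS[device]):
            return "bad device credential"
    elif flow == "user":
        # User-initiated: the session's user may only claim a device that is
        # unbound or already theirs, so the session is checked against the
        # target deviceid instead of being trusted on its own.
        if bindings.get(device) not in (None, user):
            return "device already bound"
    else:
        return "unknown flow"
    bindings[device] = user
    return "bound"
```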
Pretty cool research and worth a read. Check it out here:
Short HN this week! If you want to know more about the stuff we talked about on the pod, go grab the book and don't forget that we got a discount code. See y'all next week.
And as always, keep hacking!