Warelock

Just a student interested in security and how things work.

21 minute read

General Skills

General Warmup 1

ASCII = American Standard Code for Information Interchange
ASCII uses numbers to represent various characters required for English.

There are various hex to ASCII converters available on the internet. You could also do this by looking at an ASCII table. 4116 = 6510 = A

General Warmup 2

The binary number system uses only two digits to represent values, 0 and 1 (hence base 2).

If you want to convert from binary to decimal by hand the basic process would be:

26 25 24 23 22 21 20
64 32 16 8 4 2 1

27 in binary requires 5 digits in binary.
Then start dividing and taking the remainder and dividing that.

27/16 = 1 remainder 11
11/8 = 1 remainder 3
3/4 = 0 remainder 3
3/2 = 1 remainder 1
1/1 = 1 remainder 0

And so 2710 = 110112

General Warmup 3

The hexadecimal uses 16 digits to represent values 0 to 9 and A to F.

To convert from hex to decimal multiply the value of the digit by it’s digit position value (in decimal) then add them together.

161 160
16 1
\[\begin{align*} 3 * 16 + D * 1 = 3*16+13*1 = 61_{10} \end{align*}\]

Resources

Just go to the link, watch the video, or skip the video and just take the flag.

grep 1

grep = Global Regular Expressions Print
The command scans specified file(s) line by line and returns any lines that contain the specified pattern (regular expression).

The command looks like: grep <flags> ‘<regular expression>’ <filename>

netcat

nc = netcat
The command utility can be used for any connection using TCP or UDP

The command looks like: nc <website> <port>
For what we have to do here at least.

Strings

The file provided in an executable file that just gives you a hint when you run it.
The Strings command prints the strings of printable characters found inside files. If we want to look inside binary/executable files to find human-readable strings we can pass it the file and it will look through the bytes of the file for anything that appears to be strings (any sequence of 4 or more printable characters that end with a new-line or a null character).

A pipe ( ) in bash lets you chain commands and use the output of one command as the input of another.
Strings <filename> grep <pattern> ← finds strings then searches for pattern

pipe

Pipes are used to create “pipelines of commands”. They send the output of one command to the input of another, redirecting it from the standard output.
We need to search the strings that the nc link provided feeds into the shell.

nc <host> <port> grep <pattern>

grep 2

The bash commands use flags to specify usage and features of the commands, allowing you to use different features.

grep -R <pattern> <directory> ← will recursively search through all files in the directory.

Aca-Shell-A

Some needed basic linux commands:

Command Purpose
echo “<words>” Prints to screen or can put strings into txt files
ls <flags> Shows files in current directory -la flags give expanded info on all files
cd <path> changes directory. If no dir specified takes you to the home directory
rm <flags> <filename> deletes files/directories
whoami prints out username
cp <location of file> <destination> makes copy of file inside destination. Can also rename files
cat <filename> display contents of file

Environ

Environmental variables set up your unix shell when you log in and most affect the way your shell works.
Command to view a variables value: echo $<env name>
Command to print all variables and their values: printenv

SSH-Keyz

SSH uses public key cryptography to authenticate a remote computer to connect with a server.
To check for SSH keys: cd %userprofile% /.ssh
If there’s nothing generate a new ssh key with the command:
ssh-keygen -t rsa -C “email@example.com”
Accept the default file and directory, it creates the directory if it didn’t exist. Enter and re-enter a passphrase, you can leave it blank if you want.
To look at the public key that was generated: cat .ssh/id_rsa.pub
Copy the key onto the server in the ~/.ssh/authorized_keys
file (create the file)
Change the file permissions so it’s not word readable: chmod 600 authorized_keys
Connect to server: ssh <yourEmail@hostname>

What Base is This?

binary → ASCII
hex → ASCII
octal → ASCII

You Can’t See Me

ls → list files and directories in bare format
ls -a → do not ignore entries starting with . (hidden files)
ls -al → do not ignore hidden and give long listing
cat .\ → lets the shell know the space after \ is intentional
cat .\<tab> → tab autofills files of the same name (hit the tab key)

Cryptography

Crypto Warmup 1

A Vigenere cipher uses a keyword to give the values for a multishift cipher. Each letter in a keyword represents the shift amount. The keyword does not have to be as long as the original message instead it is used repeatedly.

T H I S I S A L I L K E Y
19 7 8 18 8 18 0 11 8 11 10 4 24

There are some online tools to do this automatically.

Crypto Warmup 2

A rot13 cipher is a specific case of a caesar cipher (aka. shift cipher) where the shift is 13. This allows a forwards or backwards shift (right or left) to give the same result. If the message is rot13 forwards vs backwards there is no difference in the cipher text, neither does it matter which direction the decryptor chooses.

Just use an online tool though.

HEEEEEEERE’S Johnny!

Traditional unix systems leep user account information in a colon-separated file called “passwd”. This file is used by various tools and needs to be world readable (meaning anyone with access to the system can read it). To secure info like passwords that would otherwise be readable in the passwd file the shadow file can be used.
If the shadow file is used the position that the password for the user would usually be in the passwd file is replaced by an ‘x’. A second file named ‘shadow’ now contains the hash and salt of the password associated to each user.

In the passwd file:
<username>;<password>;<userid>;<groupid>;<Full Name>;<home dir>;<shell>

In the shadow file: <username>;<hashtype, salt, hashed password>;<…various password info…>

The name of the challenge is in reference to the free password cracking tool John the Ripper (also the 1980 movie The Shining). You can copy the tar file for the john program onto their shell server:
wget < file from internet > ← to put it on the server
xz -d < file name > ← remove the xz compression
tar xpf < file name > ← extract from tar archive
make clean < SYSTEM > ← program installation within source folder
./unshadow < passwrd file > < shadow file > < < filename > ← combine the files into filename
./john <filename> ← when used on combined file will crack password

Caesar Cipher 1

A caesar cipher is also known as a shift cipher, the letters of the plaintext message are all shifted by the same amount up or down the alphabet.
Online tools can be used to brute force (try all 26 possible shifts) or frequency analyze the shifted ciphertext and recover the plaintext.

Hertz

A substitution cipher replaces one letter with another (it’s in the name), in this case there’s no change through the message of which letter maps to which new letter. This means that a simple letter frequency analysis can be used to determine which letters are swapped. Online tools can do this for you.

Blaise’s Cipher

Blaise de Vigenère although not the original inventor gets the credit for this type of cipher. Its a polyalphabetic cipher since it’s based on substitution. The Vigenère cipher is several Caesar ciphers in sequence with different shift values. The person sending the message chooses a keyword and repeats it until it matches the length of the plaintext, each letter in the keyword represents it’s position value in the alphabet and you shift the plaintext letter by the same amount as the associated keyword letter.

Online tools can be used to decode the message using frequency analysis.

Hertz 2

This is also a substitution cipher the same as the previous one. However here you have less message. The online tools use frequency analysis, which means the longer the message and the more letters of the alphabet in it the more accurate the decryptor will be. Luckily the first sentence of the message is a pangram (contains every letter of the alphabet) which should allow you to fill in the blanks of the decryptor.

Forensics

Forensics Warmup 1

ZIP is a popular archive file format. Like other archives a ZIP file is a data container that store one or several files in a compressed form. The convenience of having those files in a single zip archive plus the fact they are compressed to reduce storage, make transmitting them across the internet easier.

To complete the challenge download the folder → right click → Extract All… Alternatively depending on your OS some of them will open the image without extraction.

Forensics Warmup 2

I’m not actually sure what the challenge here was, as I clicked the link, the .png downloaded and opened giving me the flag.

Based on the hint I’m assuming that the file name extension is supposed to be wrong when the file is first downloaded. If you change the extension to .txt and open it then you’ll see a bunch of garbage as it tries to interpret the information. If you change it to another image file type like .bmp then the image will still open properly.

The most general way to explain this is that the operating system and applications will use the extension, file contents, and file attributes to determine how to treat a file. Rather than just the extension alone.

Desrouleaux

JSON = JavaScript Object Notation, and it is a way to store information in an organized, easy-to-access manner. In a nutshell, it gives a human-readable collection of data that we can access in a logical manner.

To make finding the information easier you can use a python script to read through the JSON file.

  1. read JSON into python
  2. To find the most common source ip:
    • create an empty dictionary
    • iterate through the src ip’s for each ticket storing the ip in the dictionary with it’s tally of appearances as the key
    • find the largest key
  3. To find how many unique destination ip’s a source receives:
    • specify the source ip
    • for every ticket with matching src ip check dst ip
    • fill dicitonary with dst ip and tally
  4. To find avg number of unique destination ip’s a file is sent
    • use dictionary iteration to get unique dst’s in file
    • use dictionary to get unique src’s in file
    • dst tally / src tally

Reading Between the Eyes

Steganography = the practice of concealing a file message, image, or video within another. The hidden info appears to be (or to be a part of) something else.

Taking the provided image and putting it into an online decoder will reveal the message hidden in the image.

Recovering From the Snap

When you delete a file on a computer, it is moved to the computer’s Recycle Bin, Trash, etc. depending on your OS. Later, when you empty the Recycle Bin or Trash, the files are “deleted”.

When you delete a file from the Recycle Bin the computer removes the reference to the file on the hard drive. Once this reference (the file header) is removed, the computer can no longer see the file. The space the file took up on the hard drive is no longer reserved for that file, and a new file can be stored in that location.

This means the file is no longer readable by the computer. However, the file is still on the hard drive, at least until another file or part of another file is saved to that location. Since the file is technically there, it may be able to be recovered using data recovery software, designed to rebuild the file header and allow the computer to see the file again. This software only works if no other file or data was saved in the location of the deleted file.

Using a disk recovery tool like FTK Imager will recover the files and get the flag.

Admin Panel

pcap = packet capture file

Pcap files can be analyzed by tools like Wireshark that can read network traffic. Once you load the file in the program you can look through the HTTP requests.

In HTTP there are 7 methods:

  • GET - used to request data from a specified resource
  • POST - used to send data to a server to create/update a resource
  • PUT - used to send data to a server to create/update a resource
  • HEAD - almost identical to GET, but without the response body
  • DELETE - deletes the specified resource
  • PATCH - for making partial changes to an existing resource
  • OPTIONS - describes the communication options for the target resource

If you look through the GET requests, logins, POST requests etc. you’ll find the flag.

Hex Editor

A hex editor allows you to view and manipulate the fundamental binary data that makes up a file. They show the bytes as hex values instead of binary digits.
bvi is a hex editor available in the unix.
You can use /<search term> to search for something.

Truly an Artist

To see the metadata of a file in unix use the exiftool utility.
exfitool <filename>

Now You Don’t

If you open the image in paint and use the flood fill tool on the background you’ll see the flag.

Ext Super Magic

The way humans look at the file system on a computer is using nested folders. This abstraction fails in a few ways. For example, a single file is often stored in several chunks throughout a hard drive. The beginning and end of each file chunk must be specifically recorded since the entire contents of the hard disk is just a big long string of bits.

The protocol which bridges the gap between the low level disk file chunks and the nested folders abstraction is a file system. There are many types FAT32, NTFS, ext2, ext3, HFS Plus. For this challenge the disk image file is of the second extended file system type or ext2.

We can run a file system consistency check or fsck on the image.
fsck ext-super-magic.img
Which doesn’t really help. There is a version of fsck that is specific to the ext2 file system e2fsck. Using this gives a statement that the file is corrupted.

In ext2 the space is split up into blocks. These blocks are grouped into block groups. Each block group contains a copy of the superblock and block group descriptor table, and all block groups contain a block bitmap, an inode bitmap, an inode table, and finally the actual data blocks.

The superblock contains important information that is crucial to the booting of the operating system. Thus backup copies are made in multiple block groups in the file system. However, typically only the first copy of it, which is found at the first block of the file system, is used when booting.

Reversing

Reversing Warmup 1

For the picoCTF shell, just go to the link for the shell at the top of the page, sign in.
It’s a unix bash shell, so ‘cd [directory]’ to change directory.
Then ‘./[filename]’ to run the program.

Reversing Warmup 2

base64 is a way of encoding binary data into text. ASCII maps a character to a 7 bit binary value (max value 127) because networks often have a 7 bit limit (due to hardware costs mostly). But most files are organized into 8-bit byte groupings.
base64 takes 3 bytes concatenates them, splits them into 4 6-bit groups, maps the values to one of the 64 simple ASCII characters, and now they can be transmitted.

e.g. inside and email: “Hey” → ASCII = 72 101 121
ASCII → 8-bit Binary = 01001000 01100101 01111001
Concatenate into 1 string → 010010000110010101111001
Break into 4 groups of 6 bits → 010010 000110 010101 111001
Convert to characters

Binary 010010 000110 010101 111001
Decimal 18 6 21 57
Mapped Char S G V 5

Assembly-0

An assembly language is any low level language with a strong correspondence between the program statements and the computer’s machine code instructions.

The program itself can be divided into sections used for:

  • data - declaring initialized data or constants
  • bss - declaring variables
  • text - the actual code

You can read the contents of the assembly code file simply using vim to read it out or a cat command in the linux command line.

Basic assembly commands or :

  • push - pushes specified data to the stack
  • mov - copies data from one place to another
  • eax - an accumulator used for input/output

Assembly-1

Similar to the previous assembly question you have to read through the assembly code and find what is returned.
cmp dest, src → compares two values
jg destination → jumps to destination if greater than
jne destination → jumps to destination if not equal
sub a,b → a - b result stored in a

Be-Quick-Or-Be-Dead 1

This gives an executable file. You can disassemble a binary file using object dump which displays information about object files.
objdump [options] <filename>
The -d flag option –disassemble
When you read through the dump you can see that there is a timer that gets set. You would have to beat the timer. When you open it in the debugger you can see more.
gdb ./<filename> → opens the debugger
break main → sets a break point in main
call get_key() → function found using disassembler
call print_flag() → runs another function we found

Quackme

objdump -D [file]

This displays the assembler contents of .exe files. In the main function two things get printed to the screen, then a do-magic function gets called.
Do-magic reads an input then does some stuff.

objdump -s -j .rodata [exefile]

This command will give a side by side hex/ASCII dump of the rodata section. Which shows us the things that get printed to the screen.

Inside of do-magic there is a loop:
add A B → A = A + B
mov A B → A ← B
mov zb1 → z = zero, b = bytes, 1 = 32 bits, the zero pads the value.
add1 A B → B = A + B, A is a constant

So the loop:
input xor’d with a secret message = A.
Compare A to greeting about duckweb.
if 25 are right the right thing will happen.

So if our message = the xor of the greeting message with the “secret string” then we should get the flag.
The secret message is at the address 0x8048858 according to the .rodata info dump. So let’s make a python script.

sekret = [all 26 bytes from .rodata @ 0x8048858 in hex format]
greet = "You have entered the duck ..."
flag = ' '
for i in range(25):
  flag += chr(ord(greet[i])^sekret[i])
print(flag)

Web Exploitation

Inspect Me

Webpages are built from html, in chrome to read the underlying html you can use the ‘developer tools’ in the options under ‘More tools’. Alternatively right click and select either ‘Inspect’ or ‘View page source’.

This will give 1/3rd of the flag.

Clicking the linked cascading style sheet (css) in the header of the html will reveal another 1/3rd of the flag. CSS describes how HTML elements are to be displayed.

Clicking the linked JavaScript file in the html header will reveal the final 1/3rd of the flag. JavaScript is used in webpages to calculate, manipulate, and validate data, as well as update and change both the html and css. This allows modern dynamic websites.

Client Side is Still Bad

As in ‘Inspect me’ you need to inspect the underlying html of the website. In this case they used the html to verify the password entered into the form, and they left the correct password in plaintext.

Logon

This website uses cookies to store and check usernames, passwords, and admin flags. Cookies can be edited from within the browser session.
If you “inspect” the site as before in chrome, then go to the “application tab”, you can see the website’s cookies. If you try to log on with random info you can see the values of the cookies get entered.
Edit the admin cookie to read as true and reload the page.

Irish Name Repo

On the support page for the site there are comments that indicate that the website uses SQL. There is an area to enter login info on the main page that SQL injection can be used on.
Enter anything for the user name value.
Enter ‘ OR ‘1’=’1’ for the password.

To understand the SQL injection might look like (the blanks being what gets entered by the form):
SELECT * from users where username=’__’ and password=’__

Mr. Robots

If there are pages on a website that for some reason do not need to be seen by the search engine the website uses a file ‘robots.txt’ to tell the search engine where not to search for pages.
<site>/robots.txt
<site>/’hidden page’

No Login

Similar to the ‘logon’ challenge if you inspect the webpage and look at the cookies you can create one called ‘admin’ and give it the value of true.

Secret Agent

A user agent is software (a software agent) that is acting on behalf of a user. When a browser makes a web request a user-agent string is sent to the server to let it know some details about the browser you are running and tailor it’s responses to avoid limitations of the software.

The User-Agent string is one of the criteria by which Web crawlers may be excluded from accessing certain parts of a website using the Robots Exclusion Standard (robots.txt file). For example when google crawls the internet looking for data to index it uses a particular agent string to let the servers know that it is interacting with the google engine.

Search for googlebot user agent and copy one of their user agent strings. You can manually alter the user agent of your browser a few ways, in the unix terminal use the command:
wget –useragent=”<google’s user agent string>” <website to visit>

Buttons

The second button on the site is actually an html link. You can inspect the code and then edit the html. If you change button 2 to the same code as button 1. Then click button 2 again.
Button two is a POST html request, so you could also do this from the command line.

Binary Exploitation

Buffer Overflow 0

A buffer overflow is where a program writing data to a buffer overruns the boundary of the memory allocated to it and writes to the adjacent memory locations.

The program vuln takes an argument from the command line then passes it to a 16-bit buffer. If you overflow this by a bit it writes up over the return address and crashes. If you look in the source code there is a function void sigsegv_handler to deal with crashes. In this case it dumps the flag if the program crashes.

Buffer Overflow 1

If you open the source file and read the c code you can see that the buffer this time is spaces for 32 bits. It also uses the gets() function to read a string into that buffer. The gets() function reads into the buffer without checking the size of the string.

If you run the program then you can see that the program has a hardcoded jump. If you overflow the buffer you can see that jump address change.

To get the address of the function that you want to jump to use the object dump command.
objdump -d ./<program>

Use the right number of letters and then place the desired address (in ASCII) at the end of the string. Make sure to account for little endian.

Leak-Me

In the source code you can see that it finds the end of the name by looking for the newline character (\n). The name variable can be 256 characters long, after taking in your name it then prints your name.

If you read in something that’s larger than 256 for the name and don’t give it the newline character it’s looking for it will print out the next variable on the stack as well. In this case the password.

Shellcode

If you open the source code you can see that the program takes in the string that the user enters and then executes that using the line of code below to run the buffer as a function.
((void(*)())buf)()

Shellcode = a small piece of code used as the payload in the exploitation of a software vulnerability. Typically the code starts a command shell so the attacker can gain control of the machine.

shell-storm.org has tons of shellcode, we need something for linux-x86 that opens bin/bash. (execve(“/bin/bash”,[“/bin/bash”,”-p”])). To then use in a python command.

(python -c "print 'hex shellcode'";cat)| ./vuln

You May Also Enjoy

One-Time Pad

5 minute read

I hear about this a lot when looking into cryptography, usually in reference to the possibility of perfect security. So what is a one-time pad?

Old School Cryptography

3 minute read

Cryptography, the methodology of concealing the content of messages, comes from the Greek root words kryptos, meaning hidden and graphikos, meaning writin...

Shell Commands

3 minute read

These lists will be all over the internet, just lists of commands and what they do. This is just a comprehensive list of the ones that I’ve used or found use...

Privacy Measures

8 minute read

There is a philosophical principle that explains that each event, each living being, each object, each person, or each circumstance has the characteristic of...