# Tips
Useful tips by OTA CTF members. PRs welcome!

## Assembly

* Beginner's guide: [Learning to read \[AT&T\] assembly language](http://patshaughnessy.net/2016/11/26/learning-to-read-x86-assembly-language)
* Big PDF: [The Art of Assembly](http://flint.cs.yale.edu/cs422/doc/art-of-asm/pdf/aoaTOC2.pdf)
* Quickly see what assembly different compilers generate: [Compiler Explorer](https://godbolt.org/)
* Quickly disassemble raw bytes: [ODA](https://www.onlinedisassembler.com/odaweb/)
* Quickly assemble x86: [Defuse assembler](https://defuse.ca/online-x86-assembler.htm)
* Azeria's guide to ARM assembly: [ARM Assembly Basics](https://azeria-labs.com/writing-arm-assembly-part-1/)

## Binary Exploitation Techniques

* [Modern Binary Exploitation](https://github.com/RPISEC/MBE)
* [Basic Return Oriented Programming](http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html)
* [Blind Return Oriented Programming](http://www.scs.stanford.edu/brop/)
* [Sigreturn Oriented Programming](https://www.cs.vu.nl/~herbertb/papers/srop_sp14.pdf)
* [ROP Practice Problems](https://ropemporium.com/)
* [Heap Overflow](https://github.com/shellphish/how2heap)
* [Pwntools Beginner Tutorial](http://www.auxy.xyz/tutorial/2018/09/01/Pwntools-Step-By-Step.html)
* [File Stream Oriented Programming](https://www.slideshare.net/AngelBoy1/play-with-file-structure-yet-another-binary-exploit-technique)

## IDA
* Common hotkeys:

| Key | Effect |
|------------------|---------------------------------|
| `Esc` | Go back |
| `Ctrl-Enter` | Go forward |
| `H`, `Q`, `B` | View as decimal, hex, or binary |
| `N`/`U` | Name/Undefine symbol |
| `D`, `C`, `P` | Convert to data, code, function |
| `Ctrl-w` | Save |

* Learn to create and use structs.
* IDAPython is very powerful and worth learning.
* Use FLIRT whenever you see a static binary. You can save a ton of normally wasted time reverse engineering common functions.
* Code coverage and tracing analysis is a useful technique to assist with reverse engineering. IDA has built-in coverage and trace highlighting features. [Lighthouse](https://github.com/gaasedelen/lighthouse) is also a great plugin for coverage analysis.
* [Keypatch](http://www.keystone-engine.org/keypatch) is a useful plugin that offers extra features compared to the built-in assembler.

## Debugging

### GDB

* Don't suffer through vanilla GDB. Use something like [GEF](https://github.com/hugsy/gef), [PEDA](https://github.com/longld/peda), or [Voltron](https://github.com/snare/voltron).
* You can also combine [PEDA](https://github.com/longld/peda) with [Pwngdb](https://github.com/scwuaptx/Pwngdb), a powerful add-on that supports advanced heap exploitation and FILE stream oriented exploitation features.
* Learn these!
  * `command <bp>` - Run commands when breakpoint _bp_ is hit.
  * `ignore <bp> <count>` - Ignore the next _count_ occurrences of _bp_.
  * `watch|rwatch|awatch <expr> [thread <thread-id>] [mask <mask>]` - Break when the specified address is written to, read from, or either.
  * `hbreak <location>` - Set a hardware breakpoint.
  * `tbreak <location>` - Set a temporary breakpoint that disappears once hit.
  * `advance <location>` - Continue until the specified location.
  * `catch syscall [syscall]` - Break on syscall (all or the specified).
  * `catch signal [signal]` - Break on signal (all or the specified).
  * `bt` - View stack frames (backtrace).
  * `up`/`down` - Move up or down to a different stack frame.
  * `set follow-fork-mode <parent|child>` - Tell gdb to either trace the parent or 'move' to the child on `fork`.
  * `set follow-exec-mode <same|new>` - Tell gdb to either trace the original target or 'move' to the new process on `exec*`.

### Redressing a Stripped Libc
* Often when we do pwnables, we are given the pwnable along with a stripped version of the libc that the pwnable is using on the remote server. If we want an easier time debugging with the provided libc preloaded, here are some steps we can take to add symbols back to the stripped libc. (dependencies: [eu-unstrip](https://helpmanual.io/help/eu-unstrip/))
  1. Run `strings <stripped libc> | grep glibc` to determine the libc version.
  1. Download the associated debug symbol file (e.g. [https://launchpad.net/ubuntu/xenial/amd64/libc6-dbg/2.23-0ubuntu5](https://launchpad.net/ubuntu/xenial/amd64/libc6-dbg/2.23-0ubuntu5)).
  1. Merge the stripped libc with the debug symbol file using `eu-unstrip`, like so: `eu-unstrip <stripped libc> <debug symbol file> -o <output libc>`
  1. Now `<output libc>` will be your newly redressed libc w/ symbols!

## Shell-fu
* `file` - Try to determine what type of file you have.
* `strace` - See which syscalls an executable makes.
* `ltrace` - See which library calls an executable makes.
* `ldd` - See which dynamic libraries an executable loads.
* `nm` - Dump a binary's symbols.
* Learn to use pipes and [redirection](http://wiki.bash-hackers.org/howto/redirection_tutorial)! When you want to script input this is very handy, and doing it incorrectly can lead to successful payloads being unusable (e.g. spawning a shell whose _stdin_ is not connected to your terminal).
* To pipe output to an application but regain access to _stdin_ afterwards, use a subshell:
```bash
(python3 -c "print('AAAApayload')"; cat -) | nc pwn.me.org 5555
```
* `cd -` - Go back to your last working directory.
* `!!` - Repeats your last command. Can also be used as a parameter:

```bash
cd /root
bash: cd: /root: Permission denied
sudo !!
```

* Readline shortcuts are _super_ handy.

| Key | Effect |
|----------|------------------------------------|
| `Ctrl-E` | Go to end of line |
| `Ctrl-A` | Go to start of line |
| `Ctrl-L` | Clear terminal |
| `Ctrl-U` | Delete everything left of cursor |
| `Ctrl-K` | Delete everything right of cursor |
| `Ctrl-W` | Delete word left |
| `Ctrl-Y` | Paste last deleted text |
| `Ctrl-F` | Move cursor forward one char |
| `Ctrl-B` | Move cursor back one char |
| `Ctrl-P` | Move back one line in history |
| `Ctrl-N` | Move forward one line in history |
| `Ctrl-R` | Search bash history (start typing) |
| `Ctrl-G` | Cancel history search |

## Crypto

[Quipquip](https://quipqiup.com/) : Online tool that will help you solve almost all substitution ciphers.

[dCode.fr](https://www.dcode.fr/) : It contains a ton of old school ciphers.

[CyberChef](https://gchq.github.io/CyberChef/) : Try magic mode, it's real MAGIC!

[kt.gy tools](https://kt.gy/tools.html) : Fast online tool to decode your string.

## Jail Challenges

### Python Jails
[Gynvael Python Jail tips](https://gynvael.coldwind.pl/n/python_sandbox_escape)

#### Useful functions
* `eval()` / `exec()` / `compile()` - execute any Python code
* `dir()` / `type()`
* `globals()` / `locals()` / `vars()` - find useful variables
* `getattr()` / `setattr()` - useful when you need to call `object.banned()`.
  You can do `getattr(object, "ban"+"ned")` or something along those lines.

#### Interesting Behaviour
* `"A""B" == "AB"`, useful when `+` is blocked

### Bash Jails

#### Reading files
* Sometimes `cat` is filtered or banned; these are some alternatives:
  * `fold`
  * `nl` (numbered)
  * `head` (head portion of file)
  * `tail` (tail portion of file)

## _hooks
In libc there are writeable `*_hook` function pointers that get called:

```bash
$ less ./db/local-acd0f91e833f06b2a822be84579f70edf4e80050.symbols | grep _hook
__free_hook 001b18b0
argp_program_version_hook 001b3794
_dl_open_hook 001b35d4
__malloc_hook 001b0768
__realloc_hook 001b0764
__malloc_initialize_hook 001b18b4
__after_morecore_hook 001b18ac
__memalign_hook 001b0760
```
By default, these pointers are NULL. These function pointers are only called IF they are not NULL:

```c
void
__libc_free(void* mem)
{
  mstate ar_ptr;
  mchunkptr p;                          /* chunk corresponding to mem */

  void (*hook) (void *, const void *)
    = force_reg (__free_hook);
  if (__builtin_expect (hook != NULL, 0)) {
    (*hook)(mem, RETURN_ADDRESS (0));
    return;
  }
```

If you can overwrite one of these pointers, you can control RIP the next time the associated libc function is called!
Useful if FULL RELRO is enabled/the GOT is read-only and we have a write-what-where!

### Protips
* `printf()` actually calls `malloc()` if printing anything out with a width > 65535-32!
* Any memory corruption error you trigger will call `alloca()`/`__malloc_hook`.

## Null Termination
#### Do NOT read past first null byte
* strcpy()
* strncpy()

#### Do read past first null byte
* read()
* gets()
* fgets()
* memcpy()
* scanf()

#### Does copy the terminating null byte from src to dst
* strcpy()

## Hacking channels/streams/podcasts/blogs
* Gynvael : [youtube](https://www.youtube.com/user/GynvaelEN/featured) - A channel about computers, security, CTF, etc... Gynvael is GOD
* LiveOverflow : [youtube](https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w) - This guy is actually hard working, smart, and he explains his ideas using animations, making things easy to understand
* Socratica : [youtube](https://www.youtube.com/user/SocraticaStudios) - It's not about security (directly), but it's a good channel for math; you CAN'T escape MATH if you are doing ANYTHING with COMPUTERS. I learnt that the hard way, don't be like me.
* Ricardo Narvaja : [youtube](https://www.youtube.com/channel/UCDeWwrp2LUWkDSymrmnfKDQ) - If you are an old school cracker, you WOULD know this guy. HE is Brilliant. He also has IDA tutorials that taught me a lot about IDA, patching, unpacking, etc. It is originally in Spanish (I guess so) but the English translated version is available here: [drive](https://drive.google.com/drive/u/0/folders/0B13TW0I0f8O2ckd2T0lsbXRoYmc)
* SecurityTube : [youtube](https://www.youtube.com/user/TheSecurityTube) - Good educational resources about security.
* Murmus CTF : [youtube](https://www.youtube.com/channel/UCUB9vOGEUpw7IKJRoR4PK-A) - CTF player who livestreams walkthroughs from various CTFs.
* 360 Core Security : [link](http://blogs.360.cn/post/) - A blog all about security research, 0day... of the 360 Core Security Team. Very interesting and advanced.
## Stories
* Stuxnet : [wired](https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/) - A story about Stuxnet, the malware that wreaked havoc in Iran's nuclear power plant
* Mirai : [wired](https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/) - A story about Mirai, the IoT botnet that brought down the Internet
* Edward Snowden : [wired](https://www.wired.com/2014/08/edward-snowden/) - The untold story of Edward Snowden
* Silk Road : [wired part 1](https://www.wired.com/2015/04/silk-road-1/), [wired part 2](https://www.wired.com/2015/04/silk-road-2/) - A story about the rise and fall of Silk Road, an online drug marketplace run by Ross Ulbricht (Dread Pirate Roberts)
* Russian attacks on Ukraine : [wired](https://www.wired.com/story/russian-hackers-attack-ukraine/) - A story about the Russian attacks on the critical infrastructure of Ukraine
* FinFisher hack : [pastebin](https://pastebin.com/cRYvK4jb) - A story by the person claiming to be Phineas Fisher who hacked a spyware company; pretty good read in my opinion
* HackingTeam hack : [pastebin](https://pastebin.com/0SNSvyjJ) - A story by the person claiming to be Phineas Fisher who hacked the Italian company HackingTeam and leaked their data; again a very good read
* Spanish Police hack : [vimeo](https://vimeo.com/167411059) - A video by Phineas Fisher showing how he hacked the Spanish Police because of their human rights violations
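## Null Termination Example
A worked example for the Null Termination section above, added here and not part of the original tips: a small C program that feeds a constructed buffer with an embedded NUL through `strcpy`, `strncpy`, `memcpy` and `fgets` and checks which ones stop at the NUL, which copy the terminator, and which read straight past it. Using `tmpfile()` as the input stream for `fgets` is an assumption of the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: "ABC", an embedded NUL, then "DEF" and a final NUL. */
static const unsigned char SRC[8] = { 'A', 'B', 'C', '\0', 'D', 'E', 'F', '\0' };

/* strcpy() stops at the first NUL and copies it; "DEF" never reaches dst. */
bool strcpy_stops_at_first_nul(void) {
    char dst[8];
    memset(dst, 'X', sizeof dst);
    strcpy(dst, (const char *)SRC);
    return dst[2] == 'C' && dst[3] == '\0' && dst[4] == 'X';
}

/* strncpy() stops at NUL too, but if src has no NUL within n bytes it
 * copies exactly n bytes and writes no terminator at all. */
bool strncpy_may_leave_unterminated(void) {
    char dst[4];
    memset(dst, 'X', sizeof dst);
    strncpy(dst, "ABCDEF", sizeof dst);   /* copies "ABCD", no NUL */
    return memchr(dst, '\0', sizeof dst) == NULL;
}

/* memcpy() is length-driven and ignores NUL: all 8 bytes land in dst. */
bool memcpy_reads_past_nul(void) {
    char dst[8];
    memset(dst, 'X', sizeof dst);
    memcpy(dst, SRC, sizeof SRC);
    return dst[3] == '\0' && dst[4] == 'D' && dst[6] == 'F';
}

/* fgets() reads until '\n', EOF or size-1 bytes; an embedded NUL in the
 * data does not stop it. A tmpfile() stands in for the input stream. */
bool fgets_reads_past_nul(void) {
    char dst[8];
    memset(dst, 'X', sizeof dst);
    FILE *f = tmpfile();
    if (f == NULL) return false;
    fwrite(SRC, 1, 7, f);                 /* ABC\0DEF (7 bytes) */
    rewind(f);
    char *r = fgets(dst, sizeof dst, f);  /* reads 7 bytes, then appends NUL */
    fclose(f);
    return r == dst && dst[3] == '\0' && dst[6] == 'F' && dst[7] == '\0';
}

int main(void) {
    printf("%d %d %d %d\n", strcpy_stops_at_first_nul(), strncpy_may_leave_unterminated(),
           memcpy_reads_past_nul(), fgets_reads_past_nul());   /* prints 1 1 1 1 */
}
```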