Wednesday, August 31, 2011

HSTS preloading, public key pinning and Chrome

I recently discovered Chrome's net-internals. Among other interesting things, there is a tab about HTTP Strict Transport Security (HSTS). Also, introduced with version 12/13, Chrome now has HSTS preloading and public key pinning. These two features helps improve online security:
  • HSTS preloading: browser already knows if a site has to be contacted via HTTPS only. For instance, it ensures users go to https://site even if they type http://site. This protects against MITM attacks when reaching http://site for the first time (see how sslstrip strips the "s" of https).
  • public key pinning: certificate chain must include a whitelisted public key. For instance, it ensures only whitelisted Certificate Authorities (CA) can sign certificates for *.example.com, and not any CA in your browser store.

Friday, July 08, 2011

Twitter Archiver

Twitter is great to get and share information, quickly. But it is all web 2.0 and you cannot use a simple cat or grep to view or search your tweets. I would like to have tweets saved in simple text format: date, user, text. Also, I would like a simple program to give me the list of followers/following of a user.

Fortunately, Twitter provides a web API and people started to implement it in different languages, like Mike Verdone (@sixohsix) and his great Python Twitter Tools.

So here comes twitter-archiver and twitter-follow, python programs added to Python Twitter Tools to archive any public timeline of tweets in simple text format and to view the list of following/followers of a user.

Friday, June 17, 2011

Hack in the Box Amsterdam 2011 CTF

May 19th-20th was Hack in the Box Amsterdam 2011 security conference in the Netherlands, also holding a CTF. To participate, you had to qualify to one of the two qualification rounds that involved web security and reverse engineering.

We passed qualifications with team CoP so I went there with teammate sh4ka to play, and we were lucky enough to end in the first place. Congrats to all teams, it was intense! In addition to a nice HITBSecNews jacket, staff generously awarded us two training and conference tickets to HITB Kuala-Lumpur (Malaysia) 2011. So, see you there :)


final scoreboard

Saturday, May 07, 2011

Ubuntu 10.10->11.04 encrypted LVM fail, rebuilding initramfs, rdinit

One of my workstations was an Ubuntu 10.10 on an encrypted LVM. I decided to upgrade to 11.04 and was unable to boot, falling back to initramfs busybox shell.

If you are not familiar with this kind of setup, it basically works with:
  • a non-encrypted /boot with kernel and initramfs
  • initramfs contains required modules (aes, lvm, etc.) and a few scripts to mount the filesystem: in this case, a script to ask for the password, decrypt the LVM and mount the root filesystem

Friday, April 29, 2011

pCTF 2011 #18 A small bug

Challenge #18 "A small bug" was a common TOCCTOU bug very interesting to exploit reliably.

@hellman already did a write-up on this challenge. His exploit reads the file name on stderr and hopes to win the race on symlink creation. But actually there is a way to win the race every time! Let's see that.

Wednesday, April 27, 2011

pCTF 2011 #19 Another small bug

Challenge #19 "Another small bug" was a stack-based buffer overflow.

Djo (@shell_storm) has already published a write-up (english) on Nibbles' blog, as well as @hellman on Leet More's blog, and Agix (@Agixid) on shell-storm. Just like hashcalc1 or hashcalc2, there was no NX. However, ASLR was enabled. Djo and hellman both used a big nopsled + brute-force to circumvent ASLR, Agix used a nice ret2ret, while I chose ROP to mmap rwx. Good thing is that it would also have worked if NX had been effectively enabled.

Not familiar with ROP? Have a look at the references posted on this exploit writing tutorial by @corelanc0d3r.

Tuesday, April 26, 2011

pCTF 2011 #26 Hashcalc2

Challenge #26 "Hashcalc2" was very similar to Hashcalc1.

Again, a good write-up is already available on sleepya's blog. He made an exploit bypassing any ASLR/NX using ROP.

Again since NX was not enabled, I used a similar exploitation with a few adjustements.

pCTF 2011 #22 Hashcalc1

Challenge #22 "Hashcalc 1" was binary exploitation over the network.

A good write-up is already available on sleepya's blog. He made an exploit bypassing any ASLR/NX using ROP.

However, NX was not enabled on the wargame machine... Organizers thought they did, but it was not effective :( Good for us it means only ASLR, and the binary was not even PIE. One could exploit it quickly by writing a shellcode in the GOT, let's see that.

pCTF 2011 #32 That's no bluetooth

The only networking problem at pCTF 2011 was unusual because it involved ZigBee, based on IEEE 802.15.4.

Context

We captured this network traffic from outside of an AED employee's home.

Decrypt it and find the key.

Update: Our operatives were able to decrypt packet #18 in the capture file.

The decrypted data is 18060a0700421a63343a636f6e74726f6c345f73723235303a43342
d53523235300400420830332e30312e3534050020040600213c00
or (printable text only) Bc4:control4_sr250:C4-SR250B03.01.54 !<

If you aren't getting the correct values, make sure your keys are correct,
and that they are entered correctly. Keep in mind bits sometimes flip when
transmitting signals wirelessly. 
download file

Monday, April 25, 2011

Plaid Parliament of Pwning CTF 2011

As @dinodaizovi nicely put on twitter, CTF team Plaid Parliament of Pwning have gone from winning everyone else's CTFs to hosting their own, namely the plaid CTF or pCTF (@pctf2011). It was 48 hours of intense challenge-based CTF like Defcon quals.

I expected a lot of fun challenges for this CTF because PPPs are highly skilled in areas such as binary exploitation. And I wasn't disappointed! Expect a few write-ups from me in the following posts :)

As you can see on the final scoreboard, more than 400 teams registered and 155 teams scored points. Since I no longer play with Nibbles guys, this time I played with a new team called CoP. We got the 2nd place, 1st place being taken at the last moment by our CTF friends HFS (Hacking for Soju). Good game, it was intense!


Congratulations to everyone for playing, and especially to PPP members who made this CTF possible. Very good challenges, organization, and IRC presence for support. You pwn guys!

If you want to have a look at the challenges, I mirrored them here (except remote/web of course), along with screenshots of problems, scoreboard, etc.

Monday, April 11, 2011

Hackito Ergo Sum 2011

Hackito Ergo Sum (@hackitoergosum) 2011 edition was held in Paris, France from April 7th to 10th. Three days of technical talks, like last year a wargame by Steven from OverTheWire and great people to meet and drink with!

If you did not have the opportunity to come, Gal Diskin (@gal_diskin) took the time to wrap up most of the talks: day 1 (part 1, part 2), day 2 and day 3.

During the time they release papers, slides and videos of the talks, you might want to have a look at Steven's wargame. Good levels and funny story, it starts here...

Wednesday, March 30, 2011

CRC-32 forging

You may already know that the CRC-32 of any text can be forged if you can add 4 bytes anywhere in the text. See anarchriz's paper on the subject.

A real-world example of such a situation can be seen in JB's ESET CONFidence Crackme Writeup. Good code that I recently used it in another situation, in order to forge a text of a given CRC-32 by inserting 4 bytes at a specific position.

Saturday, March 26, 2011

Honeynet Project Public Conference

Last week was held the first-ever Honeynet project public conference in Paris at ESIEA. Great speakers, interesting conferences (slides online, CV+O notes) and nice people to meet at the social event.

During the conferences was also a small capture-the-flag (CTF) competition, which I played. It was composed of 8 challenges by Mark Schloesser and Felix Leder, including a forensic one by Guillaume Arcas. This is how the challenge board looked:

Wednesday, March 09, 2011

Insomni'hack GPGPU reversing

One of the reversing challenges was exotic: we were given a ciphertext (ohv'c~f3ehnw4byzzky), a GPGPU file (kernel.bin) of the encryption routine, and the Instruction Set Architecture (ISA) of this GPU.

Since I have never played with GPGPUs (code/assembly/whatever), it seemed hard at first glance. But actually not! Open kernel.bin and see that there's some kind of disassembly. Good! And pretty small, roughly 80 lines of code.

I will explain how I reversed it and reimplemented it in Python to have the same encryption routine, discovered that it was also the decryption routine, and just run it against the ciphertext to obtain the plaintext.

Tuesday, March 08, 2011

Insomni'hack, Codegate and others

Last week-end was great. I was at Insomni'Hack 2011 security event organized by SCRT. Conferences during the day (read Bruno Kerouanton or Emilien Girault), security challenges during the evening (6pm-1am). Short time and adapted challenges, staff did great! We missed the internet but we had beers :)

I played the challenges with some friends and we ended up in the first place winning a nice trophee, a Fortinet Firewall, some tshirts and other goodies. Thanks SCRT! If you are interested in the challenges, shell-storm has mirrored some of them (offline ones at least) while Djo, Emilien Girault and Pascal Junod have already published some write-ups. Also, staff said they will publish all challenges and solutions soon.

Last week-end were also Codegate 2011 qualifications, which I unfortunately did not play this year. Different kind of challenges, strong competition. Many write-ups have been shared by @codegate_yut.

Also, some cool stuff ahead: Honeynet public conference, HITB Amsterdam CTF prequals, HES 2011, and maybe a Plaid Parliament of Pwning (PPP) CTF.

And if you don't know what to do, there's a new wargame at Smash The Stack: amateria. Worth playing :)

Friday, January 14, 2011

ShmooCon CTF Warmup Contest - JavaScrimpd

Last week-end was ShmooCon CTF Warmup Contest (aka Ghost in the Shellcode 2011). Three challenges, the last one being an ELF binary + hostname of a server.

Congrats to awesie/zoaedk & tylerni7 of team PPP for solving it pretty quickly. And since they explained the level pretty well, I really invite you to read their solution.

Thursday, January 13, 2011

Some news...

Recently I've been playing with gdb 7.2 and python. It extends what we can have with a great .gdbinit such as gdbinit73. As examples, read the following articles presenting some of the features, or just browse the Python API offered by gdb. A good introduction to gdb and python is also this article by sha on Nibbles blog (english here).

Last week-end were given nice challenges to win a ticket for ShmooCon security conference later this month. Congrats to awesie/zoaedk & tylerni7 of team PPP for solving #3 (see their writeup), a cool network binary involving JS code, a stack-based buffer overflow and some memory leak. I wasn't fast nor good enough but learned a lot!

Speaking of which, get ready for Paradox Conference this week-end in Korea: they provide an online CTF contest, should be challenge-based like defcon quals.
Update: this week-end there is also Wargame SbD I organized by our spanish friends at Security by Default (SbD). Unlike Padocon, there is a nice prize (amazon gift card which is worth an iPad). Thanks @aramosf for reminding me.

Realized again Ubuntu security features. Ptrace scope for instance, protects against same-user ptraces to peek into another process memory.

Made a very small idadif.py to patch a binary from a DIF file produced by IDA. Did not find any better method to do that :/

Also, 27c3 was great. And I love Berlin :)

Last but not least, hacky new year!