# Volatility timeline


$ volatility timeliner --output=body --output-file=timeliner.txt --profile=<profile> --filename=<ram_dump> && volatility mftparser --output=body --output-file=mftparser.txt --profile=<profile> --filename=<ram_dump> && volatility shellbags --output=body --output-file=shellbags.txt --profile=<profile> --filename=<ram_dump>
$ cat timeliner.txt mftparser.txt shellbags.txt > timeline.txt
$ mactime -b timeline.txt -d > mactime.txt

# sysdig: System-level exploration tool


Installing
# curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash

Listing chisels
# sysdig -cl

Listing fields to filter
# sysdig -l

Using a chisel
# sysdig -c topprocs_cpu

Writing events to file
# sysdig -z -w tracefile.scap.gz

Reading events from a file and using a chisel
# sysdig -z -r tracefile.scap.gz -c topprocs_cpu

Filtering events for a specific process
# sysdig proc.name=sshd

Filtering events for a specific file
# sysdig fd.name=/var/log/auth.log

Filtering events for files that contain /etc
# sysdig fd.name contains /etc
# sysdig evt.args contains /bin/ls
# sysdig fd.ip=1.2.3.4
# sysdig fd.l4proto=udp

Formatting the output
# sysdig -p '%evt.arg.path' 'evt.type=chdir and user.name=root'

Information about all chisels
# sysdig -cl | grep -P '^\w' | awk '{print $1}' | grep -v -e Category -e Use | xargs -L 1 sysdig -i

Interesting chisels
# sysdig -c topprocs_cpu
# sysdig -c echo_fds -s 2000 -A proc.name=httpd
# sysdig -c echo_fds -s 2000 -A fd.port=80 and evt.buffer contains GET
# sysdig -c spy_file 'RW /var/log/syslog'
# sysdig -c spy_logs
# sysdig -c spy_syslog
# sysdig -c spy_ip 1.2.3.4
# sysdig -c spy_port 443
# sysdig -c topconns
# sysdig -c topprocs_net
# sysdig -c spy_users 0|1
# sysdig -c lsof
# sysdig -c netstat
# sysdig -c ps
# sysdig -c topfiles_bytes proc.name contains tar
# sysdig -c list_login_shells ncat
# sysdig -c spy_users proc.loginshellid=1234
# sysdig -c stdin -c stdout proc.name=cat

Reference

https://github.com/draios/sysdig/wiki

# SimpleHTTPSServer with letsencrypt certificate


# apt-get update
# apt-get install software-properties-common
# add-apt-repository ppa:certbot/certbot
# apt-get update
# mkdir webserver
# cd webserver
# apt-get install certbot
# mkdir www
# certbot certonly --webroot -w $PWD/www -d mydomain.org -d www.mydomain.org
# cp /etc/letsencrypt/live/mydomain.org/privkey.pem .
# cp /etc/letsencrypt/live/mydomain.org/fullchain.pem .
# cat privkey.pem fullchain.pem > cert.pem
# cat https-server.py
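try:  # Python 3
    from http.server import HTTPServer, SimpleHTTPRequestHandler
except ImportError:  # Python 2
    from BaseHTTPServer import HTTPServer
    from SimpleHTTPServer import SimpleHTTPRequestHandler
import os
import ssl
import subprocess
import sys

# TLS port to listen on; binding it needs root, which the setup above assumes.
PORT = 443


def first_ipv4(ip_addr_output):
    """Return the first IPv4 address in the text printed by `ip addr show`.

    The address is the token following the first "inet " (an "inet6 " line
    never matches), with any "/prefix" suffix stripped.

    Raises ValueError when the output carries no "inet " line, instead of the
    bare IndexError the old one-liner produced.
    """
    _, sep, rest = ip_addr_output.partition('inet ')
    if not sep or not rest.split():
        raise ValueError('no IPv4 address in: %r' % ip_addr_output)
    return rest.split()[0].split('/')[0]


def main():
    """Serve ./www over HTTPS on the first IPv4 address of the interface in argv[1]."""
    if len(sys.argv) != 2:
        sys.stderr.write('usage: %s <interface>\n' % sys.argv[0])
        sys.exit(2)
    iface = sys.argv[1]

    # Argument list, no shell: the interface name is never shell-parsed.
    out = subprocess.check_output(['ip', 'addr', 'show', iface])
    if not isinstance(out, str):  # bytes on Python 3
        out = out.decode('utf-8')
    ipv4 = first_ipv4(out)

    cwd = os.getcwd()
    certfile = os.path.join(cwd, 'cert.pem')  # privkey.pem + fullchain.pem (see above)
    wwwdir = os.path.join(cwd, 'www')

    # SimpleHTTPRequestHandler serves the current directory, so resolve the
    # certificate path first and only then chdir into the document root.
    os.chdir(wwwdir)

    httpd = HTTPServer((ipv4, PORT), SimpleHTTPRequestHandler)
    # A server-side context gives the library's hardened defaults (no
    # SSLv2/SSLv3, a sane cipher list) instead of the bare ssl.wrap_socket()
    # protocol default; the combined PEM holds both key and chain.
    context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    context.load_cert_chain(certfile)
    httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == '__main__':
    main()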
# python https-server.py eth0

# HITCON CTF 2017 Quals: Sakura - Reversing


# cat sakura.py
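import IPython
import angr
import json
import logging
import r2pipe
import sys

#angr.manager.l.setLevel(logging.DEBUG)

fn = './sakura-fdb3c896d8a3029f40a38150b2e30a79'

# angr maps the binary at 0x400000 (compare the 0x4110ca block printed
# below), so file offsets reported by r2 turn into addresses by adding base.
base = 0x400000
toFind = base + 0x110ca   # block reached only on a successful run (see the pp() output)
toAvoid = []

# Byte pattern of `mov byte [rbp - 0x1e49], 0`; presumably this clears a
# per-check "ok" flag, so every state that executes one of these stores is
# pruned from the exploration.
FAIL_MARKER_SEARCH = r'/j \xc6\x85\xb7\xe1\xff\xff\x00'

r2 = r2pipe.open(filename = fn)
for hit in json.loads(r2.cmd(FAIL_MARKER_SEARCH)):
    toAvoid.append(base + int(hit['offset']))

# Abandoned alternative: start from a blank state just after the input is
# read and make the 400-byte input buffer symbolic by hand. Exploring from
# the entry state with symbolic stdin (below) turned out to be enough.
#userInputBuffer = base + 0x2121e0
#afterUserInput = base + 0x110ba
#state = p.factory.blank_state(addr = afterUserInput)
#state.memory.store(userInputBuffer, state.se.BVS('userinput', 400 * 8))
#for i in range(400):
# state.mem[userinput + i].char = state.se.BVS('x' + str(i), 8)

p = angr.Project(fn)
print(p.arch)
print(p.entry)
print(p.filename)
p.factory.block(toFind).pp()
print('')

state = p.factory.entry_state()

sm = p.factory.simgr(state)
sm.explore(find = toFind, avoid = toAvoid)
if not sm.found:
    # Previously sm.found[0] raised a bare IndexError here.
    sys.exit('no path reached 0x%x; check toFind/toAvoid' % toFind)
found = sm.found[0]
# Concrete stdin that drives execution to toFind: the solved input.
dump = found.posix.dumps(0)
print(repr(dump))
IPython.embed()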

# python sakura.py

<Arch AMD64 (LE)>
4196128
sakura-fdb3c896d8a3029f40a38150b2e30a79
0x4110ca: lea rdi, qword ptr [rip + 0x2f9]
0x4110d1: mov eax, 0
0x4110d6: call 0x4006e0

'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0092\x00\x00\x00\x0041\x00\x00\x00\x0091\x0017\x00378192\x00\x00638\x004683\x0029618\x00\x0081\x0071\x009837\x00\x00\x00\x0089\x0092\x00\x00\x00\x00936\x00915\x00\x00\x00\x00\x0081\x0012\x00\x00\x008216\x002843\x00\x00\x00\x0031\x0012\x00\x00\x00\x00498\x00931\x0037\x00\x0029341\x00\x00\x003792\x0062\x00192837\x0012\x007128\x00172\x00\x00\x00\x0019\x00\x00\x00\x00\x00\x0092\x00\x00\x00\x0091\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0014\x0065\x00\x00\x00271\x0049\x00\x00\x00\x0041835792\x00\x0089641275\x00125\x0013\x0073\x0091\x00\x0053\x0037\x0076\x0072\x0086\x00\x0086\x00\x00\x0026\x00\x00\x00\x00948\x00512\x00\x00\x0053\x00\x00\x0036\x00\x00\x0057\x0018\x0086\x00\x00\x0052\x00\x00\x0051\x0048\x0049\x00538\x0085\x0069\x00\x0085\x0017863294\x00\x0073615284\x00\x00\x0031\x0074\x00\x00\x00\x00\x00\x0035\x00123\x00'

In [1]: sakura = Popen([fn], stdin = PIPE, stdout = PIPE)
In [2]: flag = sakura.communicate(input = dump)[0]
In [3]: print flag
Out [3]: hitcon{6c0d62189adfd27a12289890d5b89c0dc8098bc976ecc3f6d61ec0429cccae61}

# Pwn2Win 2k17: Baby Regex - Misc


# cat regexbaby_034fa13e17660024b26b6f570aa6b66bba446e2f837c052f012225190387bafa.txt
Open your eyes is all that is needing. The heart lies and the head plays tricks with us, but the eyes see true. Look with your eyes. Hear with your ears. Taste with your mouth. Smell with your nose. Feel with your skin. Then comes the thinking, afterward, and in that way <knowing the truth.
>
Open way to combat the horizon effect is to continue search when an otherwise terminal situation is judged to be particularly dynamic. Such heuristic continuation is sometimes called feedover.

The mind which is created quick to love, is responsive to everything that is pleasing, soon as by pleasure it is awakened into activity. Your apprehensive faculty draws an impression from a real object, and unfolds it within you, so that it makes the mind turn thereto. And if, being turned, it inclines towards it, that inclination is love, for don't say blabla; that is nature, which through pleasure is bound anew within you.

Tune up your circuits, check out your Chips

Because you're going to live a Long Life.
Check the identity card, it shows your code.

Listen to the white noise in your ears - it Fades AWAY.

Watching the sunset on the end of the HIGHWAY ---
City meditation in curving reflections of NEON signs on the Chrome of the Cars.
The WeT Concrete and mirrored Streets recall shows the traffic away,
recalls you to the smell of scratching cloudy sheets.
Billboards and Cholo-Ads above are the unfocused bottle of Time.
Drink it away, FLY to the ORBITAL Fly.
Away to drivin' the ocean of blue-green.
Drivin' away to the ocean of green-blue.
# ipython
> import re
> data = open('regexbaby_034fa13e17660024b26b6f570aa6b66bba446e2f837c052f012225190387bafa.txt').read()
> def check(regex):
... print len(regex)
... print re.findall(regex, data)

# "from "Drivin" until the end of phrase, without using any letter, single quotes or wildcards, and capturing "Drivin'" in a group, and "blue." in another", with max. "16" chars:
> check('(.{7}).+-(.{5})$')
16
[("Drivin'", 'blue.')]

# "(BONUS) What's the name of the big american television channel (current days) that matchs with this regex: .(.)\1", with max. "x" chars:

# "FLY until... Fly", without wildcards or the word "fly" and using backreference", with max. "14" chars:

# "<knowing the truth. >, without using "line break"", with max. "8" chars:
> check('<[^>]+>')
7
['<knowing the truth. \n>']

# "All "Open's", without using that word or [Ope-], and no more than one point", with max. "11" chars:
> check('(?i)(oPEn)')
10
['Open', 'Open']

# "the follow words: "unfolds", "within" (just one time), "makes", "inclines" and "shows" (just one time), without using hyphen, a sequence of letters (two or more) or the words itself", with max. "38" chars:
> check('(?:\s\S{2}d|t)\s([^F]\w{3,7}[n!s])\s')
36
['unfolds', 'within', 'makes', 'inclines', 'shows']

# "Chips" and "code.", and it is only allowed the letter "c" (insensitive)", with max. "15" chars:
> check(' .{32} (.{5})\n')
14
['Chips', 'code.']

# Type the regex that capture: "the only word that repeat itself in the same word, using a group called "a" (and use it!), and the group expression must have a maximum of 3 chars, without using wildcards, plus signal, the word itself or letters different than [Pa]", with max. "16" chars:
> check('(?P<a>..a)(?P=a)')
16
['bla']
# cat baby_regex.py
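import sys

from pwn import *

# Substring that identifies the server's question -> answer to send.
# Patterns are raw strings so every backslash reaches the server unchanged.
qa = {
    'BONUS': 'cnn',
    'knowing the truth': r'<[^>]+>',
    'FLY': r'(?i)(F.y).+\1',
    '[Pa]': r'(?P<a>..a)(?P=a)',
    '[Ope-]': r'(?i)(oPEn)',
    'Drivin': r'(.{7}).+-(.{5})$',
    'unfolds': r'(?:\s\S{2}d|t)\s([^F]\w{3,7}[n!s])\s',
    'Chips': r' .{32} (.{5})\n',
}

nqa = len(qa)

host = '200.136.213.148'
port = 5000


def answer_for(question, table=qa):
    """Return the answer whose key occurs in *question*, or None if none does."""
    for key, answer in table.items():
        if key in question:
            return answer
    return None


def solve_once(r):
    """Answer questions on connection *r* until the flag arrives or the server hangs up.

    Returns True once a 'CTF-BR' line (the flag) is seen, False on EOF so the
    caller can reconnect and start over.
    """
    correct = 0
    while True:
        try:
            q = r.read(1024)
        except EOFError:
            # Server closed the connection (e.g. after a rejected answer).
            return False
        print(q)
        if 'CTF-BR' in q:
            return True
        a = answer_for(q)
        if a is None:
            continue  # partial read, no recognisable question yet
        print('Sending... ' + a)
        r.sendline(a)
        resp = r.readline()
        if 'Nice, next...' in resp:
            correct += 1
            print('[*] OK! %d' % correct)
            print('')


def main():
    # Reconnect loop: the old version could never reach r.close(), because
    # nothing broke out of the inner read loop except sys.exit.
    while True:
        r = remote(host, port)
        try:
            if solve_once(r):
                sys.exit(0)
        finally:
            r.close()


if __name__ == '__main__':
    main()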

# python baby_regex.py
Type the regex that capture: "Chips" and "code.", and it is only allowed the letter "c" (insensitive)", with max. "15" chars:
Sending...  .{32} (.{5})\n
[*] OK! 1

Type the regex that capture: "<knowing the truth. >, without using "line break"", with max. "8" chars:
Sending... <[^>]+>
[*] OK! 2

Type the regex that capture: "the only word that repeat itself in the same word, using a group called "a" (and use it!), and the group expression must have a maximum of 3 chars, without using wildcards, plus signal, the word itself or letters different than [Pa]", with max. "16" chars:
Sending... (?P<a>..a)(?P=a)
[*] OK! 3

Type the regex that capture: "All "Open's", without using that word or [Ope-], and no more than one point", with max. "11" chars:
Sending... (?i)(oPEn)
[*] OK! 4

Type the regex that capture: "(BONUS) What's the name of the big american television channel (current days) that matchs with this regex: .(.)\1", with max. "x" chars:
Sending... cnn
[*] OK! 5

Type the regex that capture: "from "Drivin" until the end of phrase, without using any letter, single quotes or wildcards, and capturing "Drivin'" in a group, and "blue." in another", with max. "16" chars:
Sending... (.{7}).+-(.{5})$
[*] OK! 6

Type the regex that capture: "the follow words: "unfolds", "within" (just one time), "makes", "inclines" and "shows" (just one time), without using hyphen, a sequence of letters (two or more) or the words itself", with max. "38" chars:
Sending... (?:\s\S{2}d|t)\s([^F]\w{3,7}[n!s])\s
[*] OK! 7

Type the regex that capture: "FLY until... Fly", without wildcards or the word "fly" and using backreference", with max. "14" chars:
Sending... (?i)(F.y).+\1
[*] OK! 8

CTF-BR{Counterintelligence_wants_you!}

References

https://www.regexpal.com
https://www.debuggex.com

# GynvaelEN mission 018


# curl 'http://gynvael.coldwind.pl/c3459750a432b7449b5619e967e4b82d90cfc971_mission018/admin.php?password1=240610708&password2=10932435112'
Welcome back dear admin.
Your flag: I'm not sure this is how equality is supposed to work.

Now try with <a href='superadmin.php'>superadmin.php</a>!
# curl 'http://gynvael.coldwind.pl/c3459750a432b7449b5619e967e4b82d90cfc971_mission018/superadmin.php'
...
if (hash("sha256", $_GET['password']) ==
'0e12345678901234567890123456789012345678901234567890123456789012')
...
_:)

Source

https://www.youtube.com/watch?v=adHOlKKbFXM (2:00:22)

References

https://www.whitehatsec.com/blog/magic-hashes/

# GynvaelEN mission 017


zeros = '\x00'*32

base64.b64encode(zeros)
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='

Cookie: mission017session=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
ivencrypted.encode('hex') = '927a00302d2e13896de885ece9f3445d2de83b880d2043a6ecc6e8bbb0a831dc'

result = ''
new = '{"access_level":"admin"}'
for i in range(len(new)):
 result += chr(ord(new[i]) ^ ord(ivencrypted[i]))

base64.b64encode(result) == 6VhhU05LYPoyhOCajJ9mZw+JX+VkTmHb

Cookie: mission017session=6VhhU05LYPoyhOCajJ9mZw%2BJX%2BVkTmHb
Decrypted cookie data: {"access_level":"admin"}
Flag: HMAC? What do you mean "HMAC"?

Source

https://www.youtube.com/watch?v=9xGgZUMNl2Y (2:05:00)

References

https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

# GynvaelEN mission 016


Wav to image using RX-SSTV

Slow-scan TV is a method to transmit an image over radio using frequency modulation.
This is the partial message that contains the image:

? ? R O N
D I Y M A
U Z ? ? ?
B C K P ?
? ? V W X

Y DHXDMW BQLF KDYNV

Manual decryption

Y D = I A
HX  = ??
DM  = AY
W B = ? P
QL  = ??
F K = ? ?
DY  = IM
NV  = RX

I A??AY? P??? ?AIRX ---> I ALWAYS PLAY FAIRX

Source

https://www.youtube.com/watch?v=locDS3uHv_E (2:03:00)

References

https://en.wikipedia.org/wiki/Slow-scan_television

# EkoParty CTF 2017: OnTheWire (300) - Misc



Introduction

We have sniffed some bytes of a transmission. What does it say?
51 91 51 31 51 71 112 31 51 123 91 71 95 127 121 51 112 95 121 121 91 71 112 126 112 112 95 79 121 121 95 51 91 71 112 123 121 126 112 91 112 109 91 71 95 51 121 48 112 121 112 126 95 78 121 51 112 123 112 61

Hint
You will see the flag in a lcd display

Solution

# cat onthewire.py

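import binascii

# Seven-segment patterns captured off the wire, one per displayed glyph.
# Two glyphs make one hex byte of the flag, so the list has an even length.
SEGMENT_CODES = [51, 91, 51, 31, 51, 71, 112, 31, 51, 123, 91, 71, 95, 127, 121, 51, 112, 95, 121, 121, 91, 71, 112, 126, 112, 112, 95, 79, 121, 121, 95, 51, 91, 71, 112, 123, 121, 126, 112, 91, 112, 109, 91, 71, 95, 51, 121, 48, 112, 121, 112, 126, 95, 78, 121, 51, 112, 123, 112, 61]

try:
    raw_input
except NameError:  # Python 3
    raw_input = input


def decode_display(codes, glyphs):
    """Translate seven-segment *codes* to hex digits via *glyphs* and unhexlify.

    glyphs maps each segment pattern (int) to the single hex digit it draws;
    a pattern missing from it raises KeyError. Returns the decoded text.
    """
    digits = ''.join(glyphs[code] for code in codes)
    return binascii.unhexlify(digits).decode('ascii')


def main():
    """Ask once for each distinct pattern, then print the decoded flag."""
    glyphs = {}
    for code in SEGMENT_CODES:
        if code not in glyphs:
            # The prompt shows the pattern in hex so it can be matched
            # against a seven-segment table by eye (see the reference below).
            glyphs[code] = raw_input(hex(code) + '? ')
    print(decode_display(SEGMENT_CODES, glyphs))


if __name__ == '__main__':
    main()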

# python onthewire.py
0x33? 4
0x5b? 5
0x1f? b
0x47? f
0x70? 7
0x7b? 9
0x5f? 6
0x7f? 8
0x79? 3
0x7e? 0
0x4f? e
0x6d? 2
0x30? 1
0x4e? c
0x3d? d
EKO{I_h4v3_pwn3d_y0ur_d1spl4y}

Reference

https://en.wikichip.org/wiki/seven-segment_display/representing_letters

# GynvaelEN mission 015


# cat mission_15.py
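import hashlib
import itertools
try:
    import png  # pypng; only needed to read leak.png
except ImportError:
    png = None
import numpy as np


def leaked_text(path):
    """Recover the text hidden in the PNG at *path*.

    Each image column encodes one character: the character code is the number
    of pure-red (255, 0, 0) pixels in that column. Rows are assumed to be flat
    8-bit RGB sequences ([r, g, b, r, g, b, ...]) -- no alpha channel.
    """
    if png is None:
        raise ImportError('pypng is required to read %s' % path)
    with open(path, 'rb') as f:
        width, height, rows, info = png.Reader(file=f).read()
        counts = [0] * width
        for row in rows:
            values = list(row)
            # Distinct names for the row and the pixel index: the original
            # reused `i` for both loops.
            for col, start in enumerate(range(0, len(values), 3)):
                if values[start:start + 3] == [255, 0, 0]:
                    counts[col] += 1
    return ''.join(chr(c) for c in counts)


def crack_pieces(hashes, alphabet, length=5):
    """Brute-force the words whose MD5 hex digests are listed in *hashes*.

    Returns a list aligned with *hashes*; an entry stays ' ' when no word of
    *length* symbols over *alphabet* produces that digest. Each digest is
    matched at most once and the search stops as soon as all are found.
    Every hit is printed as "<index> <word>" while searching. With the full
    alphabet below and length 5 this is hundreds of millions of digests.
    """
    wanted = dict((h, i) for i, h in enumerate(hashes))
    pieces = [' '] * len(hashes)
    remaining = len(wanted)
    if remaining == 0:
        return pieces
    for chars in itertools.product(alphabet, repeat=length):
        word = ''.join(chars)
        hd = hashlib.md5(word.encode('latin-1')).hexdigest()
        pos = wanted.pop(hd, None)
        if pos is None:
            continue
        print('%d %s' % (pos, word))
        pieces[pos] = word
        remaining -= 1
        if remaining == 0:
            break
    return pieces


def main():
    # The image leaks the PHP gate, which checks the 25-char password in five
    # 5-char slices -- each slice is brute-forced on its own.
    print(leaked_text('leak.png'))

    hashes = [
        'e6d9fe6df8fd2a07ca6636729d4a615a',
        '273e97dc41693b152c71715d099a1049',
        'bd014fafb6f235929c73a6e9d5f1e458',
        'ab892a96d92d434432d23429483c0a39',
        'b56a807858d5948a4e4604c117a62c2d',
    ]
    alphabet = ' !ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

    print(''.join(crack_pieces(hashes, alphabet, 5)))


if __name__ == '__main__':
    main()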

# python mission_15.py
<?php

// Challenge gate recovered from leak.png by mission_15.py (output above).
// Reject anything but a single string parameter named "password".
if (!isset($_GET['password']) || !is_string($_GET['password'])) {
  die("bad password");
}

$p = $_GET['password'];

// Exactly 25 characters: five slices of five, checked one by one below.
if (strlen($p) !== 25) {
  die("bad password");
}

// Strict (!==) string comparison, so the loose "0e..." comparison seen in
// mission 018 does not apply here.
if (md5($p) !== 'e66c97b8837d0328f3e5522ebb058f85') {
  die("bad password");
}

// Split the password in five and check the pieces.
// We need to be sure!
// Keys are the slice offsets into $p.
$values = array(
  0 => 'e6d9fe6df8fd2a07ca6636729d4a615a',
  5 => '273e97dc41693b152c71715d099a1049',
  10 => 'bd014fafb6f235929c73a6e9d5f1e458',
  15 => 'ab892a96d92d434432d23429483c0a39',
  20 => 'b56a807858d5948a4e4604c117a62c2d'
);

// Publishing a digest per 5-character slice is what breaks the gate: each
// slice can be searched independently (mission_15.py does exactly that),
// instead of the full 25-character password.
for ($i = 0; $i < 25; $i += 5) {
  if (md5(substr($p, $i, 5)) !== $values[$i]) {
    die("bad password");
  }
}

die("GW!");

2  are
0 Pie c
3 delic
1 harts
4 ious!
Pie charts are delicious!

Source

https://www.youtube.com/watch?v=BQRX3owv2JI (1:57:30)