hacktracking
cat blog >> /dev/brain 2> /proc/mind
# Volatility timeline
$volatility timeliner --output=body --output-file=timeliner.txt --profile=<profile> --filename=<ram_dump> &&
volatility mftparser --output=body --output-file=mftparser.txt --profile=<profile> --filename=<ram_dump> &&
volatility shellbags --output=body --output-file=shellbags.txt --profile=<profile> --filename=<ram_dump>
$cat timeliner.txt mftparser.txt shellbags.txt > timeline.txt
$mactime -b timeline.txt -d > mactime.txt
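What the `cat ... > timeline.txt` and `mactime -b` steps do with the three body files, as an added example in Python (this is not the blog's tooling and not Sleuth Kit's mactime). It assumes the TSK body format that `--output=body` writes (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`, epoch seconds, 0 meaning "no such timestamp"); the sample lines are constructed, not taken from a real memory image.

```python
"""Merge Volatility body-format files and order them like `mactime -b`.

Added example; neither the blog's tooling nor Sleuth Kit's mactime.
Assumes the TSK body format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
(epoch seconds, 0 = no such timestamp).
"""
from datetime import datetime, timezone

# Constructed sample lines (not from a real image): a process and a socket as
# timeliner would list them, one mftparser entry and one shellbags entry.
SAMPLE_BODY = """\
0|[PROCESS] cmd.exe PID: 1234/PPID: 4321|0|---------------|0|0|0|0|1500000120|0|0
0|[SOCKET] PID: 1234 10.0.0.5:49152 -> 203.0.113.7:443 TCP|0|---------------|0|0|0|0|1500000130|0|0
0|[MFT FILE_NAME] Users\\bob\\Downloads\\invoice.exe|0|---------------|0|0|4096|1500000125|1500000125|1500000125|1500000100
0|[SHELLBAGS] Name: Downloads/Path: C:\\Users\\bob\\Downloads|0|---------------|0|0|0|1500000140|1500000140|1500000140|0
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")


def parse_body(text):
    """Parse body-format lines into dicts; a malformed line raises ValueError."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError("line %d: expected 11 fields, got %d" % (lineno, len(parts)))
        row = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def timeline(rows):
    """One event per distinct timestamp of each entry, flagged m/a/c/b like
    mactime's Type column, sorted by time (ties broken by name)."""
    events = []
    for row in rows:
        by_time = {}
        for flag, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime")):
            if row[key] > 0:
                by_time.setdefault(row[key], set()).add(flag)
        for ts, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            events.append((ts, macb, row["size"], row["name"]))
    events.sort(key=lambda e: (e[0], e[3]))
    return events


def render(events):
    """Lines in the spirit of `mactime -d`: date,size,type,name (UTC)."""
    out = []
    for ts, macb, size, name in events:
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        out.append("%s,%d,%s,%s" % (when, size, macb, name))
    return out


if __name__ == "__main__":
    import sys
    # Pipe timeline.txt in, or run without input to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BODY
    print("\n".join(render(timeline(parse_body(text)))))
```

The point of the merge is visible in the output: the MFT entry's creation time (`...b`) lands before the process start, and its modify/access/change times (`mac.`) after it, so a file dropped and executed shows up as one readable sequence across sources.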
# sysdig: System-level exploration tool
Installing
#curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash
Listing chisels
#sysdig -cl
Listing the fields available for filtering
#sysdig -l
Using a chisel
#sysdig -c topprocs_cpu
Writing events to a file
#sysdig -z -w tracefile.scap.gz
Reading events from a file and using a chisel
#sysdig -z -r tracefile.scap.gz -c topprocs_cpu
Filtering events for a specific process
#sysdig proc.name=sshd
Filtering events for a specific file
#sysdig fd.name=/var/log/auth.log
Filtering events for files whose name contains /etc
#sysdig fd.name contains /etc
Filtering events whose arguments contain /bin/ls
#sysdig evt.args contains /bin/ls
Filtering events for a specific IP address or transport protocol
#sysdig fd.ip=1.2.3.4
#sysdig fd.l4proto=udp
Formatting the output
#sysdig -p '%evt.arg.path' 'evt.type=chdir and user.name=root'
Information about all chisels
#sysdig -cl | grep -P '^\w' | awk '{print $1}' | grep -v -e Category -e Use | xargs -L 1 sysdig -i
Interesting chisels
#sysdig -c topprocs_cpu
#sysdig -c echo_fds -s 2000 -A proc.name=httpd
#sysdig -c echo_fds -s 2000 -A fd.port=80 and evt.buffer contains GET
#sysdig -c spy_file 'RW /var/log/syslog'
#sysdig -c spy_logs
#sysdig -c spy_syslog
#sysdig -c spy_ip 1.2.3.4
#sysdig -c spy_port 443
#sysdig -c topconns
#sysdig -c topprocs_net
#sysdig -c spy_users 0 (the argument is 0 or 1)
#sysdig -c lsof
#sysdig -c netstat
#sysdig -c ps
#sysdig -c topfiles_bytes proc.name contains tar
#sysdig -c list_login_shells ncat
#sysdig -c spy_users proc.loginshellid=1234
#sysdig -c stdin -c stdout proc.name=cat
Reference
https://github.com/draios/sysdig/wiki
Labels: sysdig
# SimpleHTTPSServer with letsencrypt certificate
#apt-get update
#apt-get install software-properties-common
#add-apt-repository ppa:certbot/certbot
#apt-get update
#mkdir webserver
#cd webserver
#apt-get install certbot
#mkdir www
#certbot certonly --webroot -w $PWD/www -d mydomain.org -d www.mydomain.org
#cp /etc/letsencrypt/live/mydomain.org/privkey.pem .
#cp /etc/letsencrypt/live/mydomain.org/fullchain.pem .
#cat privkey.pem fullchain.pem > cert.pem
#cat https-server.py
#python https-server.py eth0
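The post does not show https-server.py, so here is a stand-in as an added example (Python 3, not the blog's script). It assumes cert.pem is the file produced by the `cat privkey.pem fullchain.pem > cert.pem` step above, and it takes a bind address (e.g. 0.0.0.0) on the command line instead of an interface name like eth0. Before serving, it checks that the combined file really holds one private key plus the certificate chain, which is the usual cause of a server that starts and then fails every handshake.

```python
"""Serve a directory over HTTPS with the Let's Encrypt files from the steps above.

Added example; the post's own https-server.py is not shown, so this is a
stand-in. Assumptions: Python 3, cert.pem = privkey.pem + fullchain.pem, and
the first argument is a bind address rather than an interface name.
"""
import functools
import re
import ssl
import sys
from http.server import HTTPServer, SimpleHTTPRequestHandler

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

# Constructed PEM with fake bodies, laid out the way `cat privkey.pem fullchain.pem` does.
SAMPLE_PEM = """\
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDconstructed
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIFazCCBFOgAwIBAgISAconstructedleafcertificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCconstructedintermediate
-----END CERTIFICATE-----
"""


def pem_blocks(text):
    """Labels of the PEM blocks in `text`, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_combined_pem(text):
    """A combined cert.pem must hold exactly one private key and at least one
    certificate (leaf plus intermediate when fullchain.pem was used).
    Returns (ok, reason)."""
    labels = pem_blocks(text)
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    certs = [l for l in labels if l == "CERTIFICATE"]
    if len(keys) != 1:
        return False, "expected one private key, found %d" % len(keys)
    if not certs:
        return False, "no certificate block found"
    return True, "%d certificate(s)" % len(certs)


def make_context(certfile):
    """Server-side TLS context: library defaults, TLS 1.2 minimum, key and
    chain both loaded from the combined file."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile)
    return ctx


def serve(bind, port, certfile, directory="www"):
    """Serve `directory` read-only over HTTPS; refuses to start on a bad cert.pem."""
    with open(certfile) as f:
        ok, reason = check_combined_pem(f.read())
    if not ok:
        raise SystemExit("%s: %s" % (certfile, reason))
    handler = functools.partial(SimpleHTTPRequestHandler, directory=directory)
    httpd = HTTPServer((bind, port), handler)
    httpd.socket = make_context(certfile).wrap_socket(httpd.socket, server_side=True)
    print("serving %s on https://%s:%d/" % (directory, bind, port))
    httpd.serve_forever()


if __name__ == "__main__":
    serve(sys.argv[1] if len(sys.argv) > 1 else "0.0.0.0", 443, "cert.pem")
```

Run it as root from the webserver directory (port 443 needs it, as in the post), and remember that cert.pem now contains the private key, so keep its permissions as tight as privkey.pem had.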
Labels: certbot, certificate, https, letsencrypt, python, simplehttpsserver
# HITCON CTF 2017 Quals: Sakura - Reversing
#cat sakura.py
#python sakura.py
In [1]: from subprocess import Popen, PIPE
In [2]: sakura = Popen([fn], stdin=PIPE, stdout=PIPE)   # fn: path to the challenge binary (defined earlier in the session, not shown)
In [3]: flag = sakura.communicate(input=dump)[0]        # dump: the input built for the binary (defined earlier in the session, not shown)
In [4]: print(flag)
# Pwn2Win 2k17: Baby Regex - Misc
#cat regexbaby_034fa13e17660024b26b6f570aa6b66bba446e2f837c052f012225190387bafa.txt
#ipython
>import re
>data = open('regexbaby_034fa13e17660024b26b6f570aa6b66bba446e2f837c052f012225190387bafa.txt').read()
>def check(regex):
...    print(len(regex))
...    print(re.findall(regex, data))
Type the regex that captures "from "Drivin" until the end of the phrase, without using any letter, single quotes or wildcards, and capturing "Drivin'" in a group and "blue." in another", with max. 16 chars:
>check('(.{7}).+-(.{5})$')
Type the regex that captures "(BONUS) What's the name of the big American television channel (current days) that matches this regex: .(.)\1", with max. "x" chars:
Type the regex that captures "FLY until... Fly", without wildcards or the word "fly" and using a backreference", with max. 14 chars:
Type the regex that captures "<knowing the truth. >, without using "line break"", with max. 8 chars:
>check('<[^>]+>')
Type the regex that captures "All "Open's", without using that word or [Ope-], and no more than one point", with max. 11 chars:
>check('(?i)(oPEn)')
Type the regex that captures "the following words: "unfolds", "within" (just one time), "makes", "inclines" and "shows" (just one time), without using a hyphen, a sequence of letters (two or more) or the words themselves", with max. 38 chars:
>check('(?:\s\S{2}d|t)\s([^F]\w{3,7}[n!s])\s')
Type the regex that captures ""Chips" and "code.", and only the letter "c" (insensitive) is allowed", with max. 15 chars:
>check(' .{32} (.{5})\n')
Type the regex that captures "the only word that repeats itself in the same word, using a group called "a" (and use it!), and the group expression must have a maximum of 3 chars, without using wildcards, the plus sign, the word itself or letters other than [Pa]", with max. 16 chars:
>check('(?P<a>..a)(?P=a)')
#cat baby_regex.py
#python baby_regex.py
References
https://www.regexpal.com
https://www.debuggex.com
# GynvaelEN mission 018
#curl 'http://gynvael.coldwind.pl/c3459750a432b7449b5619e967e4b82d90cfc971_mission018/admin.php?password1=240610708&password2=10932435112'
#curl 'http://gynvael.coldwind.pl/c3459750a432b7449b5619e967e4b82d90cfc971_mission018/superadmin.php'
_:)
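Why those two password values get past admin.php, as an added example in Python (the challenge's PHP source is not on the page, so the comparison is emulated). It assumes the classic "magic hash" bug the reference below describes: md5($password1) and sha1($password2) are compared to stored hashes with PHP's loose `==`, which converts two numeric-looking strings to numbers first, so any hash of the form 0e<digits> evaluates to 0 and equals every other such hash. The fix side is hash_equals()/===, emulated with hmac.compare_digest.

```python
"""PHP "magic hash" comparison, emulated in Python (added example, not the challenge's code).

Assumption: admin.php compares md5($password1) and sha1($password2) with loose ==.
"""
import hashlib
import hmac
import re

PASSWORD1 = "240610708"    # its md5 is 0e followed by digits only
PASSWORD2 = "10932435112"  # its sha1 is 0e followed by digits only

# Simplified PHP numeric-string rule: digits, optionally followed by an exponent part.
NUMERIC = re.compile(r"^[0-9]+(e[0-9]+)?$")


def is_magic_hash(digest):
    """A hex digest that PHP's == treats as the float 0.0: '0e' then digits only."""
    return digest.startswith("0e") and digest[2:].isdigit()


def php_loose_equals(a, b):
    """Emulate PHP `==` on two strings: numeric strings compare as numbers (the bug)."""
    if NUMERIC.match(a) and NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def php_strict_equals(a, b):
    """Emulate hash_equals()/===: byte-for-byte, constant time (the fix)."""
    return hmac.compare_digest(a.encode(), b.encode())


def demo():
    h1 = hashlib.md5(PASSWORD1.encode()).hexdigest()
    h2 = hashlib.sha1(PASSWORD2.encode()).hexdigest()
    # Constructed stand-in for the stored hash: anything of the form 0e<digits>
    # passes the loose check, while the strict check still fails.
    stored = "0e" + "1" * 30
    return {
        "md5_magic": is_magic_hash(h1),
        "sha1_magic": is_magic_hash(h2),
        "loose_md5": php_loose_equals(h1, stored),
        "strict_md5": php_strict_equals(h1, stored),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Detection-wise, the tell in a code review is a hash compared with `==` or `!=`; in logs it is a successful login with a short all-digit password that was never set.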
Source
https://www.youtube.com/watch?v=adHOlKKbFXM (2:00:22)
References
https://www.whitehatsec.com/blog/magic-hashes/
# GynvaelEN mission 017
Session cookie set to an all-zero IV:
zeros = b'\x00' * 32
base64.b64encode(zeros)
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
Cookie: mission017session=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
First block decrypted by the server with that IV:
ivencrypted.hex() = '927a00302d2e13896de885ece9f3445d2de83b880d2043a6ecc6e8bbb0a831dc'
XOR it with the wanted plaintext to get the IV that decrypts to it:
new = b'{"access_level":"admin"}'
result = bytes(new[i] ^ ivencrypted[i] for i in range(len(new)))
base64.b64encode(result) == b'6VhhU05LYPoyhOCajJ9mZw+JX+VkTmHb'
Cookie: mission017session=6VhhU05LYPoyhOCajJ9mZw%2BJX%2BVkTmHb
Decrypted cookie data: {"access_level":"admin"}
Flag: HMAC? What do you mean "HMAC"?
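The flag text names the missing piece, so here is the same IV computation next to the fix, as an added example (not the stream's code). The hex constant is the first decrypted block shown above (ivencrypted) and forge_iv is the XOR from the notes: in CBC the first plaintext block is D(C1) XOR IV, so whoever controls the IV controls that block. The seal/open_cookie pair is a constructed encrypt-then-MAC layer (demo key and the "value.tag" format are assumptions) that rejects any cookie whose IV or ciphertext has been changed, before anything is decrypted.

```python
"""CBC cookie without integrity, and what an HMAC tag changes (added example).

IVENCRYPTED is the block the server revealed for an all-zero IV (from the notes);
the MAC layer, its key and cookie format are constructed for the demo.
"""
import base64
import hashlib
import hmac

IVENCRYPTED = bytes.fromhex(
    "927a00302d2e13896de885ece9f3445d2de83b880d2043a6ecc6e8bbb0a831dc")
TARGET = b'{"access_level":"admin"}'
DEMO_KEY = b"constructed-demo-mac-key"  # in a real app: a server-side secret


def forge_iv(decrypted_with_zero_iv, wanted):
    """P1 = D(C1) XOR IV, so IV = D(C1) XOR wanted makes the server see P1 == wanted."""
    return bytes(x ^ y for x, y in zip(decrypted_with_zero_iv, wanted))


def forged_cookie_value():
    return base64.b64encode(forge_iv(IVENCRYPTED, TARGET)).decode()


def seal(blob, key=DEMO_KEY):
    """Cookie value = base64(blob).tag, tag = HMAC-SHA256(key, blob) over IV and ciphertext."""
    tag = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return base64.b64encode(blob).decode() + "." + tag


def open_cookie(cookie, key=DEMO_KEY):
    """Return the blob only if its tag verifies; otherwise None, and nothing is decrypted."""
    try:
        value, tag = cookie.rsplit(".", 1)
        blob = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return blob


def demo():
    """(legit cookie accepted, forged IV with the old tag rejected)."""
    legit = seal(b"\x00" * 32)  # the all-zero-IV cookie, now carrying a tag
    old_tag = legit.rsplit(".", 1)[1]
    forged = forged_cookie_value() + "." + old_tag  # IV swapped, tag cannot be recomputed
    return open_cookie(legit) is not None, open_cookie(forged) is None


if __name__ == "__main__":
    print(forged_cookie_value())
    print(demo())
```

The tag must cover the IV as well as the ciphertext and must be checked with a constant-time compare before decryption; a MAC over the plaintext, checked after decrypting, would still expose the padding-oracle route.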
Source
https://www.youtube.com/watch?v=9xGgZUMNl2Y (2:05:00)
References
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
# GynvaelEN mission 016
WAV to image using RX-SSTV
Slow-scan TV is a method to transmit an image over radio using frequency modulation.
This is the partial message that contains the image:
? ? R O N D I Y M A U Z ? ? ? B C K P ? ? ? V W X Y DHXDMW BQLF KDYNV
Manual decryption
YD = IA
HX = ??
DM = AY
WB = ?P
QL = ??
FK = ??
DY = IM
NV = RX
IA??AY?P????AIRX ---> I ALWAYS PLAY FAIRX
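The manual decryption above, as an added example in Python (not part of the write-up). It assumes the cipher is Playfair, which the page does not name but whose rules reproduce every pair shown: the 25 letters before the ciphertext form the 5x5 key square (I standing in for J), a digraph in one row shifts left, one in one column shifts up, and otherwise the two letters swap columns. Unread cells of the square are '?', and a digraph that touches an unknown letter decrypts to '??'.

```python
"""Playfair decryption from a partially recovered key square (added example).

Assumes Playfair; the square is the one read from the SSTV image above with
'?' for cells that could not be read.
"""
SQUARE = ["??RON", "DIYMA", "UZ???", "BCKP?", "??VWX"]
CIPHERTEXT = "YDHXDMWBQLFKDYNV"
ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"  # 25 letters, J merged into I


def positions(square):
    """Map each known letter to its (row, col); '?' cells are skipped."""
    return {ch: (r, c)
            for r, row in enumerate(square)
            for c, ch in enumerate(row) if ch != "?"}


def decrypt_digraph(a, b, square, pos):
    """Inverse of the Playfair encryption rules for one pair."""
    if a not in pos or b not in pos:
        return "??"  # cannot place the pair without both coordinates
    (ra, ca), (rb, cb) = pos[a], pos[b]
    if ra == rb:                      # same row: shift left (wrapping)
        return square[ra][(ca - 1) % 5] + square[rb][(cb - 1) % 5]
    if ca == cb:                      # same column: shift up (wrapping)
        return square[(ra - 1) % 5][ca] + square[(rb - 1) % 5][cb]
    return square[ra][cb] + square[rb][ca]  # rectangle: swap columns


def playfair_decrypt(ciphertext, square=SQUARE):
    pos = positions(square)
    return "".join(decrypt_digraph(ciphertext[i], ciphertext[i + 1], square, pos)
                   for i in range(0, len(ciphertext) - 1, 2))


def unplaced_letters(square=SQUARE):
    """Letters that must fill the '?' cells; handy when guessing the rest from context."""
    return sorted(set(ALPHABET) - set(positions(square)))


if __name__ == "__main__":
    print(playfair_decrypt(CIPHERTEXT))   # IA??AY?P????AIRX
    print(unplaced_letters())             # the eight letters for the eight '?' cells
```

The eight unplaced letters match the eight unknown cells, which is the consistency check that the square was read correctly before the gaps are filled from the plaintext guess.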
Source
https://www.youtube.com/watch?v=locDS3uHv_E (2:03:00)
References
https://en.wikipedia.org/wiki/Slow-scan_television
Labels: challenge, crypto, gynvael, sstv, steganography
# EkoParty CTF 2017: OnTheWire (300) - Misc
Introduction
We have sniffed some bytes of a transmission. What does it say?
51 91 51 31 51 71 112 31 51 123 91 71 95 127 121 51 112 95 121 121 91 71 112 126 112 112 95 79 121 121 95 51 91 71 112 123 121 126 112 91 112 109 91 71 95 51 121 48 112 121 112 126 95 78 121 51 112 123 112 61
Hint
You will see the flag on an LCD display
Solution
#cat onthewire.py
#python onthewire.py
Reference
https://en.wikichip.org/wiki/seven-segment_display/representing_letters
# GynvaelEN mission 015
#cat mission_15.py
#python mission_15.py
Source
https://www.youtube.com/watch?v=BQRX3owv2JI (1:57:30)
Labels: bruteforce, challenge, crypto, gynvael, steganography