adamdoupe.com—Stories from a PhD

Musing of a Computer Security PhD Student

picoCTF Preparations


Getting Started

picoCTF is an awesome hacking competition aimed at High School students. The great guys at CMU and PPP are putting on this innovative competition. I had some High School students ask for pointers to prepare for the picoCTF. I invited them to our weekly hacking group and talked about the hacking mindset and basic tools. They amazed me with their knowledge—I was cutting my teeth on TI-83 BASIC programming in math class when I was their age.

What follows are my notes on the lecture I gave and the discussion that we had. I hope other young hackers find these resources useful while preparing for picoCTF.

Hacker Mindset

First and foremost, we need to understand how the hacker thinks. How should you think when you’re trying to break a program?

What is hacking?

To me, hacking is using something in a different way than the designer intended. For programs, this means bending the program to your will and making it do something that the original developer didn’t intend. Note that you can hack other things than programs, but we’ll keep our focus on computer systems.

How is competition hacking different?

  • Someone created this program with the specific purpose of you hacking and breaking it.

  • Ask yourself – what’s my goal here?

  • Get a flag, understand how a program works, find a hidden file, find hidden information, crack a code.

  • What are the program’s assumptions?

Problem Solving

For me, problem solving is the most important skill for a hacker, and for a programmer as well.

Before you can solve a problem, you must first understand: What is the problem? Seems simple, but it’s an important point.

Problem solving takes similar skills to debugging—something is happening that I do not expect.

Think like a scientist

You have assumptions. What are those assumptions?

Run through each one of your assumptions. Where did you get this assumption? Is this assumption still valid?

What is going on? What exactly is the problem? Does it invalidate one of your assumptions?

What is your current hypothesis?

What is the easiest way to test your hypothesis? This is the thing I see hackers fail the most. Oh, you think the database is MySQL and you’re trying to create an SQL injection exploit? Should you take an hour to finely craft a MySQL-specific SQL injection exploit? Or should you take five minutes and test that MySQL-specific comments work in your SQL-injection?

Basic Tools

  • Your brain

Gotta bring your brain if you wanna compete. Sometimes you need to step away from a problem to give your brain time to chew on the problem.

  • Editor

I don’t care what editor you use, but choose something and learn it. That time pays dividends in the future, so do it now.

  • Touch typing

Sounds silly, but when I was in college I thought I could type correctly. I used a modified hunt-and-peck developed from furious AIM conversations in 7th and 8th grade. However, I made lots of mistakes and wasn’t as fast as I could be (and am now).

When I got a job developing software professionally for Microsoft I took the time and practiced correctly touch typing for an hour a day. I’m now much faster, I type correctly, and I don’t have any wrist issues. Plus, I’m not embarrassed when other people watch me type.

  • Reading code

It’s really important, not just for hackers, but for developers as a whole to be able to read other people’s code. Also useful is to use a debugger while reading the code so you can validate your assumptions about how the code works and what the code is doing.

Binary

These next four tools are what I run on every binary I get for every single hacking competition.

  • file

  • strings

  • strace

  • ltrace

Network

The following network tools are indispensable.

  • netcat/nc/socat

  • tcpdump/wireshark/tshark

Trivia

Can you understand the (silly) reference we’re making?

  • Google-fu

  • Famous hacking instances

  • Internet Memes

Forensics

Can you find the hidden flag?

Cryptography

Can you break the code and get the flag?

Web Exploitation

Can you compromise a web application? There are lots of types; the two biggest that you absolutely must be familiar with are XSS and SQL Injection.

Specifically here I’m talking about knowing how to use the JavaScript console and JavaScript debugging capabilities of Chrome or Firefox.

Reverse Engineering

How does this program work? Usually here you need to understand the program; once you understand the problem, you can get the flag.

  • objdump

  • readelf

Binary Exploitation

Can you crash it? Can you force the program to give you the flag?

That’s it, please feel free to add your own recommendations.

Some Classic Literature Recommendations


Recently, a friend asked me to recommend some classic English books for him. He’s Persian and was born in Iran, so it was fun to give him some of my favorite American books. I decided to put that list here in case you’re looking for a book to read.

Catch-22

One of the funniest books I’ve ever read. About WWII and it’s sad and funny at the same time.

A Confederacy of Dunces

The funniest book I’ve ever read. Captures the spirit of New Orleans and the characters are outlandish. Plus the book was published after the author committed suicide, so the whole book’s got a sad tinge.

Slaughterhouse-Five

One of my favorite authors, and this is his best book. About the WWII firebombing of Dresden, which killed more people than the A-bomb, and the author lived through it. The science fiction aspects of the book and the third-person perspective almost seem like a coping mechanism on behalf of the author.

The Picture of Dorian Gray

British novel, but I’m haunted by this book. You can’t help but wonder, what would my portrait look like?

Their Eyes Were Watching God

Excellent book I read in high school. Deals with the south and slavery and love.

The Sun Also Rises

Hemingway at his best. I also read this in high school so I don’t remember the details. But you need to read this closely and attentively because Hemingway doesn’t use a lot of words.

East of Eden

If you liked Grapes of Wrath you’ll like this book. It’s very long, and that’s the downside. It’s a modern retelling of the story of Cain and Abel from the Bible.

1984

A British novel which is excellent and about a dystopian future. Same author as Animal Farm, but this book is much better in my opinion. If you read this, you have to read Brave New World right after.

Brave New World

Also a dystopian future, but in a different manner than 1984. If you want to read this, read 1984 first, then read Brave New World directly after so you can compare and contrast. Personally I think this kind of world is much more likely for us than the world in 1984.

Fahrenheit 451

Similar to 1984 and Brave New World, but here books are banned. Very good.

Overview of Execution After Redirect Web Application Vulnerabilities


Hi all, I’m here to talk about a little known web vulnerability that Bryce Boe already touched on. Execution After Redirects are logic flaws in web applications that can lead to Information Disclosure and Broken Access Controls.

What’s an EAR?

Well, an Execution After Redirect (EAR) flaw is when a developer causes an HTTP redirect to occur, typically via a web framework. The developer assumes that execution stops after the redirect; however, execution continues.

Let’s look at a Ruby on Rails example (names have been changed to hide the guilty):

class TopicsController < ApplicationController
  def update
    @topic = Topic.find(params[:id])
    unless current_user.is_admin?
      redirect_to "/"   # only schedules the redirect; the method keeps running
    end
    # reached for non-admins as well, so the update still happens
    if @topic.update_attributes(params[:topic])
      flash[:notice] = "Topic updated!"
    end
  end
end

It appears that if the current user is not an admin, they are redirected to “/”, the web site root. In fact, if you access the update controller using a browser while not an admin, it will redirect you to the web site root like expected. However, if an attacker who is not an admin makes a request with topic parameters, she will be able to update your topic without being an admin!

How do I fix it?

The fix is pretty simple: always return after a redirect!

EARs can be more complicated. For example, there’s a controller that calls a method that calls a redirect. The real fix is to know where your redirects are, and what they’re for, especially if you use a redirect during authentication.
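To see the flaw and the fix side by side without a Rails installation, here is an added example (not code from the original post) that stubs the handful of Rails pieces the controller touches; the stub classes Topic, User and ApplicationController are assumptions made for this demonstration, and the stubbed redirect_to behaves like the real one in that it does not halt the action.

```ruby
# Stand-ins for the Rails pieces the post's controller touches (constructed for
# this example; not Rails itself).
class Topic
  @@records = {}
  attr_accessor :title
  def initialize(id, title); @title = title; @@records[id] = self; end
  def self.find(id); @@records.fetch(id); end
  # Like ActiveRecord#update_attributes: apply the attributes, report success.
  def update_attributes(attrs); attrs.each { |k, v| send("#{k}=", v) }; true; end
end
User = Struct.new(:is_admin) { def is_admin?; is_admin; end }
class ApplicationController
  attr_reader :current_user, :params, :flash, :redirected_to
  def initialize(user, params); @current_user, @params, @flash = user, params, {}; end
  # As in Rails, redirect_to only records the redirect; it does not halt the action.
  def redirect_to(path); @redirected_to = path; end
end
# The post's controller: execution continues after the redirect (the EAR).
class TopicsController < ApplicationController
  def update
    @topic = Topic.find(params[:id])
    unless current_user.is_admin?
      redirect_to "/"
    end
    if @topic.update_attributes(params[:topic])
      flash[:notice] = "Topic updated!"
    end
  end
end

# The fix: return right after redirecting (the Rails idiom "redirect_to ... and return").
class FixedTopicsController < ApplicationController
  def update
    @topic = Topic.find(params[:id])
    unless current_user.is_admin?
      redirect_to "/" and return
    end
    if @topic.update_attributes(params[:topic])
      flash[:notice] = "Topic updated!"
    end
  end
end
# Send one update request as a non-admin; true means the topic was changed anyway.
def non_admin_can_update?(controller_class)
  Topic.new(1, "original")
  ctl = controller_class.new(User.new(false), { id: 1, topic: { title: "changed" } })
  ctl.update
  Topic.find(1).title == "changed"
end
```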

What else is vulnerable?

Web application frameworks differ on whether they stop execution after a redirect. Check your web framework’s documentation to see if the redirect method stops execution.

What am I doing about it?

Bryce Boe and I are writing a paper studying this problem in depth. However, since I am alerting developers to potential EARs in their code, I wanted to have this informational blog post giving an overview. In addition, I developed a tool to statically detect EARs in Ruby on Rails. Look for more blog posts in the future about the tool.

Paper Review: Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications.


What is this?

In an effort to improve my writing and analysis skills, I’m going to review papers using less than 500 words. This is my first attempt.

Overview

Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications is a paper written by Davide Balzarotti et al., and was published at the IEEE Symposium on Security and Privacy in 2008.

Saner attempts to solve the problem of verifying the correctness of sanitization functions. Previous work on analyzing web applications for vulnerabilities assumes that built-in sanitization functions completely protect the application from vulnerabilities. This assumption is typically extended to custom sanitization functions (regular expressions, string replacements, etc.).

Proper analysis of sanitization functions would enable a tool to be more precise about the vulnerabilities that it discovers. It can also be used to analyze a language’s built-in sanitization functions.

Saner utilizes static and dynamic approaches to analyze sanitization functions.

The static part was built by extending Pixy to keep track of the string values that each variable can hold. Saner can see if a variable can be used as output and if it is used in the output. However, the method used to keep track of the string values is an over-approximation, which might produce false positives (but not false negatives).

A dynamic approach is used to reduce the number of false positives by generating inputs and seeing if those inputs trigger a vulnerability. In this way, Saner can present all the verified vulnerabilities, but if the user wishes, also present all the possible vulnerabilities so the user can investigate.

Thoughts

Possible Problems

Saner inherits the same limitations as Pixy, namely it does not support PHP’s eval function and aliased array elements.

Future Work

Context-aware

An extension to this (and other static web analyzers) would be to use the context of a variable’s output in the HTML page. For instance, variables that are output to the headers of an HTTP response are vulnerable to HTTP Response Splitting and need to disallow ‘\r’ and ‘\n’, while these characters are safe when output in the HTML response. Another example is a variable that is output after a starting script tag but before the ending tag to customize the JavaScript sent to the user. Here’s a simple example of this:

<script>
var userName = "<?php echo $userName; ?>";
</script>

In this case, restricting only ‘<’ and ‘>’ will not work. The idea of context can be extended to attributes of HTML tags.
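Here is an added Ruby example (not from the paper or the original post) that makes the context point concrete: the naive sanitizer that only strips ‘<’ and ‘>’ is run through the script template above and an HTTP-header case, next to encoders that know their context. The input strings and helper names are constructed for this demonstration.

```ruby
require 'json'

# Constructed inputs (added here, not from the paper): each is harmless in one
# output context and dangerous in another.
NAME_FOR_JS  = 'Bob"; untrustedCall(); //'  # closes the JS string literal early
NAME_FOR_HDR = "bob\r\nSet-Cookie: x=1"     # CR/LF would split an HTTP response

# Naive sanitizer: only removes '<' and '>' (adequate for an HTML text node only).
def strip_angle_brackets(value)
  value.delete('<>')
end

# Encoder for the HTML text context.
def encode_html_text(value)
  value.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;')
end

# Encoder for a value inside a double-quoted JavaScript string literal.
# JSON escaping covers quotes, backslashes and control characters; '<' and '/'
# are escaped as well so the value can never form a "</script>" sequence.
def encode_js_string(value)
  value.to_json[1...-1].gsub('<') { '\\u003c' }.gsub('/') { '\\/' }
end

# HTTP header values: CR/LF cannot be escaped away, so reject them outright.
def encode_http_header(value)
  raise ArgumentError, 'CR or LF in header value' if value.match?(/[\r\n]/)
  value
end

# The template from the review: var userName = "<?php echo $userName; ?>";
def render_js_template(value, encoder)
  %(var userName = "#{encoder.call(value)}";)
end

# The literal is intact if the only unescaped quotes are its two delimiters.
def js_string_intact?(rendered)
  rendered.scan(/(?<!\\)"/).length == 2
end

if __FILE__ == $0
  puts render_js_template(NAME_FOR_JS, method(:strip_angle_brackets)) # broken out
  puts render_js_template(NAME_FOR_JS, method(:encode_js_string))     # intact
end
```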

Database-aware

Another problem is how to treat variables from the database: are they sanitized or not? A static analyzer that is able to properly model and taint the flow of data into and out of the database would be very cool (and if you know of someone who’s done this, let me know).

Compiling Jpcap on 64-bit Ubuntu 10.10


Why?

While learning more about Clojure, I wanted to do some network sniffing. Following a guide to raw traffic in Clojure, I needed to install jpcap in order to use libpcap from Java.

Jpcap doesn’t provide a 64-bit version so I had to compile my own. Here’s the documentation of how I did it. A patch is provided at the end of the post.

Compiling jpcap 0.7 on 64-bit Ubuntu 10.10

  1. First install Sun Java on Ubuntu 10.10

  2. Download jpcap or use the following command:

      wget http://netresearch.ics.uci.edu/kfujii/Jpcap/jpcap-0.7.tar.gz
    
  3. Untar jpcap

     tar -xvf jpcap-0.7.tar.gz
    
  4. Move into src directory

     cd jpcap-0.7/src/c/
    
  5. Open up Makefile in your favorite editor (mine’s emacs)

     emacs Makefile
    
  6. Change this line:

     JAVA_DIR = $(JAVA_HOME)
    

    To This:

     JAVA_DIR = /usr/lib/jvm/java-6-sun/
    
  7. Change the compile options from this:

     COMPILE_OPTION = -shared -L.
    

    To this:

     COMPILE_OPTION = -shared -L. -fPIC
    
  8. Save your file and close your editor.

  9. Run make:

      make
    
  10. Follow the jpcap installation instructions

Patch for more advanced users

Patch to do this automatically

How to patch

Let me know if you have any problems!

Redirecting a Folder to HTTPS With Apache’s Config on Ubuntu


I found some information about how to do this on the web, but everything I saw talked about using an .htaccess file. I didn’t want to use an .htaccess file.

Here’s what I had to do in Ubuntu (this was on an old 8.10 server).

  1. Enable mod_rewrite:

     sudo a2enmod rewrite
    
  2. Add the following to the VirtualHost section of my regular HTTP setup, in my config under /etc/apache2/sites-enabled/:

     RewriteEngine On
     RewriteCond %{SERVER_PORT} 80
     RewriteCond %{REQUEST_URI} ^/foldername/.*
     RewriteRule ^(.*)$ https://host.name.com$1 [R,L]
    
  3. Restart Apache:

     sudo service apache2 restart
    

If you use this, make sure to change foldername to the name of the folder where you want to enforce HTTPS and host.name.com to the name of your host.

Configuring Linux Bridge to Act as a Hub


So after struggling for a while with this, the answer is surprisingly simple.

For a bridge that you’ve created with brctl, you can use this simple command:

brctl setageing <bridgename> 0


This command tells Linux to forget every MAC address that it sees on the bridge, making it act as a hub.

Here’s the source.

Enabling Total DNS on GoDaddy


So I was trying to switch adamdoupe.com over to posterous (an amazing service). Adamdoupe.com is registered via GoDaddy, and posterous even has a help section on how to switch DNS. However, the Total DNS setting was disabled in my account, and I figured I would post my problem/solution here so I can help out anyone else with this problem.

The problem was that I had Custom Nameservers enabled. With this you can’t enable Total DNS. The solution is simple: switch from Custom Nameservers to Parked Nameservers. Then you can enable Total DNS to have your domain point wherever your little heart desires.