site @ 6d0bf98b955b511e8b1f61c4e7b43274ae8678f1

source for my site, found at icyphox.sh

Syntax highlighting!

Signed-off-by: Anirudh <icyph0x@pm.me>
Anirudh icyph0x@pm.me
Sat, 23 Mar 2019 11:30:00 +0530
commit 6d0bf98b955b511e8b1f61c4e7b43274ae8678f1
parent 071fa3ed58a22a4909f357724fdf8fec433d8a47

M build/blog/break-the-ice/index.html

@@ -1,34 +1,35 @@

<!DOCTYPE html> <html lang=en> <link rel="stylesheet" href="/static/style.css" type="text/css"> +<link rel="stylesheet" href="/static/syntax.css" type="text/css"> <link rel="shortcut icon" type="images/x-icon" href="/static/favicon.ico"> -<meta content="Memeing security since forever." name=description> +<meta content="Anirudh’s blog." name=description> <meta name="viewport" content="initial-scale=1"> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta content="#021012" name="theme-color"> <meta name="HandheldFriendly" content="true"> <meta name="twitter:card" content="summary_large_image"> <meta name="twitter:site" content="@icyphox"> -<meta name="twitter:title" content="Anirudh"> -<meta name="twitter:description" content="Memeing security since forever."> +<meta name="twitter:title" content="Blog"> +<meta name="twitter:description" content="Anirudh’s blog."> <meta name="twitter:image" content="/static/icyphox.png"> -<meta property="og:title" content="Anirudh"> +<meta property="og:title" content="Blog"> <meta property="og:type" content="website"> -<meta property="og:description" content="Memeing security since forever."> +<meta property="og:description" content="Anirudh’s blog."> <meta property="og:url" content="https://icyphox.sh"> <meta property="og:image" content="/static/icyphox.png"> <html> <title> - Anirudh + Blog </title> <script src="//instant.page/1.1.0" type="module" integrity="sha384-EwBObn5QAxP8f09iemwAJljc+sU+eUXeL9vSBw1eNmVarwhKk2F9vBEpaN9rsrtp"></script> -<div class="container"> +<div class="container-text"> <header class="header"> - <a href="/">icyphox.sh</a> (<a href="https://github.com/icyphox/site">src</a>) + <a href="../">‹ back</a> </header> -<body class="noselect"> - <div class="introduction"> - <h1 align="center"> +<body> + <div class="content"> + <div align="left"> <h1>Break the Ice — Hardware CTF</h1> <h2>SecureLayer7’s hardware CTF at Nullcon ’19, Goa</h2>
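Review bot: in the added lines `<body>` is opened inside `<div class="container-text">`, after the `<header>`, and the file still carries a second bare `<html>` in front of `<title>` with no `<head>` anywhere; browsers recover from this, but the nesting is invalid and it is what forces the odd closing order at the bottom of the page. Since this file is generated, the fix belongs in templates/text.html (open `<body>` before the container `<div>`, drop the second `<html>`), and it is worth deciding whether build/ should be tracked at all: as this patch shows, every template tweak now produces a near-identical diff per generated page.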

@@ -219,7 +220,7 @@

<pre><code>› mosquitto_pub -h 'm16.cloudmqtt.com' -p 17551 -t 'inTopic/web/test' -u 'hchzbuhr' -P 'Sz4plHnlVnHc' -m '(^.^)' </code></pre> -<p><img src="1*W_iVf3vDf4UaelycMbvPvw.png" alt="UwU" /><em>UwU</em></p> +<p><img src="1*W_iVf3vDf4UaelycMbvPvw.png" alt="UwU" /></p> <p>After messing around with this for quite a bit (as is evident from the screen behind), we tried sending the string ‘flag’ as our message and… <em>dramatic pause</em> we got what you’d expect.</p>

@@ -227,24 +228,11 @@ <p><img src="1*sO9vDtGgGjejxklF46gTlg.jpeg" alt="We were 10 days late, mind you" /><em>We were 10 days late, mind you</em></p>

<h3>Conclusion</h3> -<p>This was our first time playing a hardware CTF, and to be honest, there wasn’t <em>much *of “hacking” involved — at least by the word’s textbook definition. A lot of guesswork too, which made some parts of it excruciatingly painful to figure out. But all things considered, it was probably the most fun CTF I’ve played yet. Here’s a shoutout to the folks at SL7 for making this CTF *and</em> letting us keep the ESP :)</p> +<p>This was our first time playing a hardware CTF, and to be honest, there wasn’t <em>much</em> of “hacking” involved — at least by the word’s textbook definition. A lot of guesswork too, which made some parts of it excruciatingly painful to figure out. But all things considered, it was probably the most fun CTF I’ve played yet. Here’s a shoutout to the folks at SL7 for making this CTF <em>and</em> letting us keep the ESP :)</p> <p>That’s it. The end.</p> - - </h1> + + </div> + </body> </div> - - <div class="footer"> - <div class="left"> - &copy; 2019 — <a href="mailto:icyph0x@pm.me">icyph0x@pm.me</a> - </div> - - <div class="right"> - <a href="https://github.com/icyphox" target="_blank">GitHub</a> - <a href="https://twitter.com/icyphox" target="_blank">Twitter</a> - <a href="/blog" target="_blank">Blog</a> - <a href="/about" target="_blank">About</a> - </div> - </body> - </div> </html>
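Review bot: the new closing sequence `</div> </body> </div>` closes `<body>` between two `<div>`s, mirroring the mis-nesting at the top of the page; once the template opens `<body>` before the container it should become `</div> </div> </body>`. The emphasis repair itself is right: the removed line shows how `*much *of` (space before the closing asterisk) turned the rest of the paragraph into one `<em>` run, which is also why `*and</em>` appeared at the end. The per-page footer with the contact and profile links is dropped here; if that is intentional for all text.html pages it should be mentioned in the commit message, since "Syntax highlighting!" does not cover it.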
M build/blog/python-for-re-1/index.html

@@ -1,6 +1,7 @@

<!DOCTYPE html> <html lang=en> <link rel="stylesheet" href="/static/style.css" type="text/css"> +<link rel="stylesheet" href="/static/syntax.css" type="text/css"> <link rel="shortcut icon" type="images/x-icon" href="/static/favicon.ico"> <meta content="Anirudh’s blog." name=description> <meta name="viewport" content="initial-scale=1">

@@ -61,7 +62,7 @@ <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span>

<span class="kt">char</span> <span class="o">*</span><span class="n">pw</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">9</span><span class="p">);</span> <span class="n">pw</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="sc">&#39;a&#39;</span><span class="p">;</span> <span class="k">for</span><span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;=</span> <span class="mi">8</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">){</span> - <span class="n">pw</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="n">pw</span><span class="p">[</span><span class="n">i</span> <span class="err">—</span> <span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> + <span class="n">pw</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="n">pw</span><span class="p">[</span><span class="n">i</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> <span class="p">}</span> <span class="n">pw</span><span class="p">[</span><span class="mi">9</span><span class="p">]</span> <span class="o">=</span> <span class="sc">&#39;\0&#39;</span><span class="p">;</span> <span class="kt">char</span> <span class="o">*</span><span class="n">in</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span>

@@ -92,78 +93,78 @@

<span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;./chall.elf&#39;</span><span class="p">,</span> <span class="s1">&#39;rb&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">e</span> <span class="o">=</span> <span class="n">ELFFile</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> <span class="k">for</span> <span class="n">section</span> <span class="ow">in</span> <span class="n">e</span><span class="o">.</span><span class="n">iter_sections</span><span class="p">():</span> - <span class="k">print</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">section</span><span class="p">[</span><span class="err">’</span><span class="n">sh_addr</span><span class="err">’</span><span class="p">]),</span> <span class="n">section</span><span class="o">.</span><span class="n">name</span><span class="p">)</span> + <span class="k">print</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">section</span><span class="p">[</span><span class="s1">&#39;sh_addr&#39;</span><span class="p">]),</span> <span class="n">section</span><span class="o">.</span><span class="n">name</span><span class="p">)</span> </code></pre></div> <p>This script iterates through all the sections and also shows us where it’s loaded. This will be pretty useful later. 
Running it gives us</p> -<pre><code>› python sections.py -0x238 .interp -0x254 .note.ABI-tag -0x274 .note.gnu.build-id -0x298 .gnu.hash -0x2c0 .dynsym -0x3e0 .dynstr -0x484 .gnu.version -0x4a0 .gnu.version_r -0x4c0 .rela.dyn -0x598 .rela.plt -0x610 .init -0x630 .plt -0x690 .plt.got -0x6a0 .text -0x8f4 .fini -0x900 .rodata -0x924 .eh_frame_hdr -0x960 .eh_frame -0x200d98 .init_array -0x200da0 .fini_array -0x200da8 .dynamic -0x200f98 .got -0x201000 .data -0x201010 .bss -0x0 .comment -0x0 .symtab -0x0 .strtab -0x0 .shstrtab -</code></pre> +<div class="codehilite"><pre><span></span><code><span class="go">› python sections.py</span> +<span class="go">0x238 .interp</span> +<span class="go">0x254 .note.ABI-tag</span> +<span class="go">0x274 .note.gnu.build-id</span> +<span class="go">0x298 .gnu.hash</span> +<span class="go">0x2c0 .dynsym</span> +<span class="go">0x3e0 .dynstr</span> +<span class="go">0x484 .gnu.version</span> +<span class="go">0x4a0 .gnu.version_r</span> +<span class="go">0x4c0 .rela.dyn</span> +<span class="go">0x598 .rela.plt</span> +<span class="go">0x610 .init</span> +<span class="go">0x630 .plt</span> +<span class="go">0x690 .plt.got</span> +<span class="go">0x6a0 .text</span> +<span class="go">0x8f4 .fini</span> +<span class="go">0x900 .rodata</span> +<span class="go">0x924 .eh_frame_hdr</span> +<span class="go">0x960 .eh_frame</span> +<span class="go">0x200d98 .init_array</span> +<span class="go">0x200da0 .fini_array</span> +<span class="go">0x200da8 .dynamic</span> +<span class="go">0x200f98 .got</span> +<span class="go">0x201000 .data</span> +<span class="go">0x201010 .bss</span> +<span class="go">0x0 .comment</span> +<span class="go">0x0 .symtab</span> +<span class="go">0x0 .strtab</span> +<span class="go">0x0 .shstrtab</span> +</code></pre></div> <p>Most of these aren’t relevant to us, but a few sections here are to be noted. The <code>.text</code> section contains the instructions (opcodes) that we’re after. 
The <code>.data</code> section should have strings and constants initialized at compile time. Finally, the <code>.plt</code> which is the Procedure Linkage Table and the <code>.got</code>, the Global Offset Table. If you’re unsure about what these mean, read up on the ELF format and its internals.</p> <p>Since we know that the <code>.text</code> section has the opcodes, let’s disassemble the binary starting at that address.</p> -<pre><code># disas1.py +<div class="codehilite"><pre><span></span><code><span class="c1"># disas1.py</span> -from elftools.elf.elffile import ELFFile -from capstone import * +<span class="kn">from</span> <span class="nn">elftools.elf.elffile</span> <span class="kn">import</span> <span class="n">ELFFile</span> +<span class="kn">from</span> <span class="nn">capstone</span> <span class="kn">import</span> <span class="o">*</span> -with open('./bin.elf', 'rb') as f: - elf = ELFFile(f) - code = elf.get_section_by_name('.text') - ops = code.data() - addr = code['sh_addr'] - md = Cs(CS_ARCH_X86, CS_MODE_64) - for i in md.disasm(ops, addr): - print(f'0x{i.address:x}:\t{i.mnemonic}\t{i.op_str}') -</code></pre> +<span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;./bin.elf&#39;</span><span class="p">,</span> <span class="s1">&#39;rb&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> + <span class="n">elf</span> <span class="o">=</span> <span class="n">ELFFile</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> + <span class="n">code</span> <span class="o">=</span> <span class="n">elf</span><span class="o">.</span><span class="n">get_section_by_name</span><span class="p">(</span><span class="s1">&#39;.text&#39;</span><span class="p">)</span> + <span class="n">ops</span> <span class="o">=</span> <span class="n">code</span><span class="o">.</span><span class="n">data</span><span class="p">()</span> + <span 
class="n">addr</span> <span class="o">=</span> <span class="n">code</span><span class="p">[</span><span class="s1">&#39;sh_addr&#39;</span><span class="p">]</span> + <span class="n">md</span> <span class="o">=</span> <span class="n">Cs</span><span class="p">(</span><span class="n">CS_ARCH_X86</span><span class="p">,</span> <span class="n">CS_MODE_64</span><span class="p">)</span> + <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">md</span><span class="o">.</span><span class="n">disasm</span><span class="p">(</span><span class="n">ops</span><span class="p">,</span> <span class="n">addr</span><span class="p">):</span> + <span class="k">print</span><span class="p">(</span><span class="n">f</span><span class="s1">&#39;0x{i.address:x}:</span><span class="se">\t</span><span class="s1">{i.mnemonic}</span><span class="se">\t</span><span class="s1">{i.op_str}&#39;</span><span class="p">)</span> +</code></pre></div> <p>The code is fairly straightforward (I think). We should be seeing this, on running</p> -<pre><code>› python disas1.py | less -0x6a0: xor ebp, ebp -0x6a2: mov r9, rdx -0x6a5: pop rsi -0x6a6: mov rdx, rsp -0x6a9: and rsp, 0xfffffffffffffff0 -0x6ad: push rax -0x6ae: push rsp -0x6af: lea r8, [rip + 0x23a] -0x6b6: lea rcx, [rip + 0x1c3] -0x6bd: lea rdi, [rip + 0xe6] -**0x6c4: call qword ptr [rip + 0x200916]** -0x6ca: hlt -... snip ... 
-</code></pre> +<div class="codehilite"><pre><span></span><code><span class="go">› python disas1.py | less </span> +<span class="go">0x6a0: xor ebp, ebp</span> +<span class="go">0x6a2: mov r9, rdx</span> +<span class="go">0x6a5: pop rsi</span> +<span class="go">0x6a6: mov rdx, rsp</span> +<span class="go">0x6a9: and rsp, 0xfffffffffffffff0</span> +<span class="go">0x6ad: push rax</span> +<span class="go">0x6ae: push rsp</span> +<span class="go">0x6af: lea r8, [rip + 0x23a]</span> +<span class="go">0x6b6: lea rcx, [rip + 0x1c3]</span> +<span class="go">0x6bd: lea rdi, [rip + 0xe6]</span> +<span class="go">**0x6c4: call qword ptr [rip + 0x200916]**</span> +<span class="go">0x6ca: hlt</span> +<span class="go">... snip ...</span> +</code></pre></div> <p>The line in bold is fairly interesting to us. The address at <code>[rip + 0x200916]</code> is equivalent to <code>[0x6ca + 0x200916]</code>, which in turn evaluates to <code>0x200fe0</code>. The first <code>call</code> being made to a function at <code>0x200fe0</code>? What could this function be?</p>
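Review bot: the two scripts in this hunk open different files, sections.py reads `./chall.elf` while disas1.py reads `./bin.elf`; pick one name so a reader can run both against the same binary. The quote fix on the `print` line (`’sh_addr’` to `'sh_addr'`) is correct, as the curly quotes are a SyntaxError, and the `<span class="err">` Pygments emitted on the old line is a handy way to spot such characters in future. The rip-relative arithmetic in the prose checks out (`0x6ca + 0x200916 = 0x200fe0`), but note that the `**...**` around the `call` line sits inside a code block and prints literally instead of bold; Pygments' `.hll` line highlight or quoting the address in prose would do what the text promises.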

@@ -195,24 +196,24 @@ </code></pre></div>

<p>Let’s run through this code real quick. We first loop through the sections, and check if it’s of the type <code>RelocationSection</code>. We then iterate through the relocations from the symbol table for each section. Finally, running this gives us</p> -<pre><code>› python relocations.py -.rela.dyn: - 0x200d98 - 0x200da0 - 0x201008 -_ITM_deregisterTMCloneTable 0x200fd8 -**__libc_start_main 0x200fe0** -__gmon_start__ 0x200fe8 -_ITM_registerTMCloneTable 0x200ff0 -__cxa_finalize 0x200ff8 -stdin 0x201010 -.rela.plt: -puts 0x200fb0 -printf 0x200fb8 -fgets 0x200fc0 -strcmp 0x200fc8 -malloc 0x200fd0 -</code></pre> +<div class="codehilite"><pre><span></span><code><span class="go">› python relocations.py</span> +<span class="go">.rela.dyn:</span> +<span class="go"> 0x200d98</span> +<span class="go"> 0x200da0</span> +<span class="go"> 0x201008</span> +<span class="go">_ITM_deregisterTMCloneTable 0x200fd8</span> +<span class="go">**__libc_start_main 0x200fe0**</span> +<span class="go">__gmon_start__ 0x200fe8</span> +<span class="go">_ITM_registerTMCloneTable 0x200ff0</span> +<span class="go">__cxa_finalize 0x200ff8</span> +<span class="go">stdin 0x201010</span> +<span class="go">.rela.plt:</span> +<span class="go">puts 0x200fb0</span> +<span class="go">printf 0x200fb8</span> +<span class="go">fgets 0x200fc0</span> +<span class="go">strcmp 0x200fc8</span> +<span class="go">malloc 0x200fd0</span> +</code></pre></div> <p>Remember the function call at <code>0x200fe0</code> from earlier? Yep, so that was a call to the well known <code>__libc_start_main</code>. Again, according to <a href="http://refspecs.linuxbase.org/LSB_3.1.0/LSB-generic/LSB-generic/baselib---libc-start-main-.html">linuxbase.org</a></p>
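Review bot: `**__libc_start_main 0x200fe0**` carries Markdown bold markers inside a code block, so the asterisks render literally (they are visible in the `<span class="go">` output here); the sentence "Remember the function call at 0x200fe0" does the highlighting job already, so the markers can simply go. The three unnamed entries at the top of `.rela.dyn` (`0x200d98`, `0x200da0`, `0x201008`) land in .init_array, .fini_array and .data according to the section listing earlier in this file, which is consistent with symbol-less R_X86_64_RELATIVE relocations in a PIE; a one-line remark to that effect would save readers wondering why the name column is empty.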

@@ -222,13 +223,13 @@ </blockquote>

<p>And its definition is like so</p> -<pre><code>int __libc_start_main(int *(main) (int, char * *, char * *), -int argc, char * * ubp_av, -void (*init) (void), -void (*fini) (void), -void (*rtld_fini) (void), -void (* stack_end)); -</code></pre> +<div class="codehilite"><pre><span></span><code><span class="kt">int</span> <span class="nf">__libc_start_main</span><span class="p">(</span><span class="kt">int</span> <span class="o">*</span><span class="p">(</span><span class="n">main</span><span class="p">)</span> <span class="p">(</span><span class="kt">int</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span> <span class="o">*</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span> <span class="o">*</span><span class="p">),</span> +<span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span> <span class="o">*</span> <span class="n">ubp_av</span><span class="p">,</span> +<span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">init</span><span class="p">)</span> <span class="p">(</span><span class="kt">void</span><span class="p">),</span> +<span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">fini</span><span class="p">)</span> <span class="p">(</span><span class="kt">void</span><span class="p">),</span> +<span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">rtld_fini</span><span class="p">)</span> <span class="p">(</span><span class="kt">void</span><span class="p">),</span> +<span class="kt">void</span> <span class="p">(</span><span class="o">*</span> <span class="n">stack_end</span><span class="p">));</span> +</code></pre></div> <p>Looking back at our disassembly</p>
A build/static/syntax.css

@@ -0,0 +1,78 @@

+.codehilite .hll { background-color: #404040 } +.codehilite { background: #202020; color: #d0d0d0 } +.codehilite .c { color: #999999; font-style: italic } /* Comment */ +.codehilite .err { color: #a61717; background-color: #e3d2d2 } /* Error */ +.codehilite .esc { color: #d0d0d0 } /* Escape */ +.codehilite .g { color: #d0d0d0 } /* Generic */ +.codehilite .k { color: #6ab825; font-weight: bold } /* Keyword */ +.codehilite .l { color: #d0d0d0 } /* Literal */ +.codehilite .n { color: #d0d0d0 } /* Name */ +.codehilite .o { color: #d0d0d0 } /* Operator */ +.codehilite .x { color: #d0d0d0 } /* Other */ +.codehilite .p { color: #d0d0d0 } /* Punctuation */ +.codehilite .ch { color: #999999; font-style: italic } /* Comment.Hashbang */ +.codehilite .cm { color: #999999; font-style: italic } /* Comment.Multiline */ +.codehilite .cp { color: #cd2828; font-weight: bold } /* Comment.Preproc */ +.codehilite .cpf { color: #999999; font-style: italic } /* Comment.PreprocFile */ +.codehilite .c1 { color: #999999; font-style: italic } /* Comment.Single */ +.codehilite .cs { color: #e50808; font-weight: bold; background-color: #520000 } /* Comment.Special */ +.codehilite .gd { color: #d22323 } /* Generic.Deleted */ +.codehilite .ge { color: #d0d0d0; font-style: italic } /* Generic.Emph */ +.codehilite .gr { color: #d22323 } /* Generic.Error */ +.codehilite .gh { color: #ffffff; font-weight: bold } /* Generic.Heading */ +.codehilite .gi { color: #589819 } /* Generic.Inserted */ +.codehilite .go { color: #cccccc } /* Generic.Output */ +.codehilite .gp { color: #aaaaaa } /* Generic.Prompt */ +.codehilite .gs { color: #d0d0d0; font-weight: bold } /* Generic.Strong */ +.codehilite .gu { color: #ffffff; text-decoration: underline } /* Generic.Subheading */ +.codehilite .gt { color: #d22323 } /* Generic.Traceback */ +.codehilite .kc { color: #6ab825; font-weight: bold } /* Keyword.Constant */ +.codehilite .kd { color: #6ab825; font-weight: bold } /* Keyword.Declaration */ +.codehilite .kn { 
color: #6ab825; font-weight: bold } /* Keyword.Namespace */ +.codehilite .kp { color: #6ab825 } /* Keyword.Pseudo */ +.codehilite .kr { color: #6ab825; font-weight: bold } /* Keyword.Reserved */ +.codehilite .kt { color: #6ab825; font-weight: bold } /* Keyword.Type */ +.codehilite .ld { color: #d0d0d0 } /* Literal.Date */ +.codehilite .m { color: #3677a9 } /* Literal.Number */ +.codehilite .s { color: #ed9d13 } /* Literal.String */ +.codehilite .na { color: #bbbbbb } /* Name.Attribute */ +.codehilite .nb { color: #24909d } /* Name.Builtin */ +.codehilite .nc { color: #447fcf; text-decoration: underline } /* Name.Class */ +.codehilite .no { color: #40ffff } /* Name.Constant */ +.codehilite .nd { color: #ffa500 } /* Name.Decorator */ +.codehilite .ni { color: #d0d0d0 } /* Name.Entity */ +.codehilite .ne { color: #bbbbbb } /* Name.Exception */ +.codehilite .nf { color: #447fcf } /* Name.Function */ +.codehilite .nl { color: #d0d0d0 } /* Name.Label */ +.codehilite .nn { color: #447fcf; text-decoration: underline } /* Name.Namespace */ +.codehilite .nx { color: #d0d0d0 } /* Name.Other */ +.codehilite .py { color: #d0d0d0 } /* Name.Property */ +.codehilite .nt { color: #6ab825; font-weight: bold } /* Name.Tag */ +.codehilite .nv { color: #40ffff } /* Name.Variable */ +.codehilite .ow { color: #6ab825; font-weight: bold } /* Operator.Word */ +.codehilite .w { color: #666666 } /* Text.Whitespace */ +.codehilite .mb { color: #3677a9 } /* Literal.Number.Bin */ +.codehilite .mf { color: #3677a9 } /* Literal.Number.Float */ +.codehilite .mh { color: #3677a9 } /* Literal.Number.Hex */ +.codehilite .mi { color: #3677a9 } /* Literal.Number.Integer */ +.codehilite .mo { color: #3677a9 } /* Literal.Number.Oct */ +.codehilite .sa { color: #ed9d13 } /* Literal.String.Affix */ +.codehilite .sb { color: #ed9d13 } /* Literal.String.Backtick */ +.codehilite .sc { color: #ed9d13 } /* Literal.String.Char */ +.codehilite .dl { color: #ed9d13 } /* Literal.String.Delimiter */ +.codehilite .sd 
{ color: #ed9d13 } /* Literal.String.Doc */ +.codehilite .s2 { color: #ed9d13 } /* Literal.String.Double */ +.codehilite .se { color: #ed9d13 } /* Literal.String.Escape */ +.codehilite .sh { color: #ed9d13 } /* Literal.String.Heredoc */ +.codehilite .si { color: #ed9d13 } /* Literal.String.Interpol */ +.codehilite .sx { color: #ffa500 } /* Literal.String.Other */ +.codehilite .sr { color: #ed9d13 } /* Literal.String.Regex */ +.codehilite .s1 { color: #ed9d13 } /* Literal.String.Single */ +.codehilite .ss { color: #ed9d13 } /* Literal.String.Symbol */ +.codehilite .bp { color: #24909d } /* Name.Builtin.Pseudo */ +.codehilite .fm { color: #447fcf } /* Name.Function.Magic */ +.codehilite .vc { color: #40ffff } /* Name.Variable.Class */ +.codehilite .vg { color: #40ffff } /* Name.Variable.Global */ +.codehilite .vi { color: #40ffff } /* Name.Variable.Instance */ +.codehilite .vm { color: #40ffff } /* Name.Variable.Magic */ +.codehilite .il { color: #3677a9 } /* Literal.Number.Integer.Long */
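Review bot: this file is identical to the static/syntax.css added later in the same patch, so there are now two copies to keep in sync by hand. If build/ stays in the repository, have the build step copy static/ into it rather than committing the duplicate separately; if it does not need to stay, this whole file (and the build/blog changes above) can be dropped from the commit.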
M pages/blog/break-the-ice.md

@@ -1,3 +1,7 @@

+--- +template: text.html +--- + # Break the Ice — Hardware CTF ## SecureLayer7’s hardware CTF at Nullcon ’19, Goa

@@ -202,7 +206,7 @@ › mosquitto_pub -h 'm16.cloudmqtt.com' -p 17551 -t 'inTopic/web/test' -u 'hchzbuhr' -P 'Sz4plHnlVnHc' -m '(^.^)'

``` -![UwU](1*W_iVf3vDf4UaelycMbvPvw.png)*UwU* +![UwU](1*W_iVf3vDf4UaelycMbvPvw.png) After messing around with this for quite a bit (as is evident from the screen behind), we tried sending the string ‘flag’ as our message and… *dramatic pause* we got what you’d expect.
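Review bot: the unchanged context line above this hunk embeds a broker host, port, username and password (`-u 'hchzbuhr' -P 'Sz4plHnlVnHc'` against `m16.cloudmqtt.com`, port 17551) in the published page. Even for a CTF write-up, credentials for a third-party hosted service should be replaced with placeholders before publishing, and the account rotated or confirmed torn down by the organisers; a later redaction commit does not retire the value, because it stays in git history, so it is better fixed now than after the page is indexed.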

@@ -210,6 +214,6 @@ ![We were 10 days late, mind you](1*sO9vDtGgGjejxklF46gTlg.jpeg)*We were 10 days late, mind you*

### Conclusion -This was our first time playing a hardware CTF, and to be honest, there wasn’t *much *of “hacking” involved — at least by the word’s textbook definition. A lot of guesswork too, which made some parts of it excruciatingly painful to figure out. But all things considered, it was probably the most fun CTF I’ve played yet. Here’s a shoutout to the folks at SL7 for making this CTF *and* letting us keep the ESP :) +This was our first time playing a hardware CTF, and to be honest, there wasn’t *much* of “hacking” involved — at least by the word’s textbook definition. A lot of guesswork too, which made some parts of it excruciatingly painful to figure out. But all things considered, it was probably the most fun CTF I’ve played yet. Here’s a shoutout to the folks at SL7 for making this CTF *and* letting us keep the ESP :) That’s it. The end.
M pages/blog/python-for-re-1.md

@@ -36,7 +36,7 @@ int main() {

char *pw = malloc(9); pw[0] = 'a'; for(int i = 1; i <= 8; i++){ - pw[i] = pw[i — 1] + 1; + pw[i] = pw[i - 1] + 1; } pw[9] = '\0'; char *in = malloc(10);
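Review bot: replacing `—` with `-` is the right fix (U+2014 is not a C operator, so the snippet as previously published would not compile), but the surrounding context has an out-of-bounds write: `pw = malloc(9)` gives indices 0..8, the loop fills `pw[1..8]`, and `pw[9] = '\0'` then writes one byte past the allocation. If the snippet reproduces the challenge binary's source verbatim, say so in the post; otherwise it should be `malloc(10)`, matching the `in` buffer allocated on the next line.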

@@ -71,13 +71,13 @@

with open('./chall.elf', 'rb') as f: e = ELFFile(f) for section in e.iter_sections(): - print(hex(section[’sh_addr’]), section.name) + print(hex(section['sh_addr']), section.name) ``` This script iterates through all the sections and also shows us where it’s loaded. This will be pretty useful later. Running it gives us -``` +```console › python sections.py 0x238 .interp 0x254 .note.ABI-tag
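Review bot: the `console` lexer chosen here does not treat `›` as a prompt, so the command line is classed as plain output like everything after it (every span in the generated page for this block is `go`); the typed fence is still better than the bare one it replaces, but `$ python sections.py` would get prompt and command styled distinctly. The curly-quote fix on the `print` line is correct.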

@@ -114,7 +114,7 @@ Most of these aren’t relevant to us, but a few sections here are to be noted. The `.text` section contains the instructions (opcodes) that we’re after. The `.data` section should have strings and constants initialized at compile time. Finally, the `.plt` which is the Procedure Linkage Table and the `.got`, the Global Offset Table. If you’re unsure about what these mean, read up on the ELF format and its internals.

Since we know that the `.text` section has the opcodes, let’s disassemble the binary starting at that address. -``` +```python # disas1.py from elftools.elf.elffile import ELFFile

@@ -133,7 +133,7 @@

The code is fairly straightforward (I think). We should be seeing this, on running -``` +```console › python disas1.py | less 0x6a0: xor ebp, ebp 0x6a2: mov r9, rdx

@@ -180,7 +180,7 @@

Let’s run through this code real quick. We first loop through the sections, and check if it’s of the type `RelocationSection`. We then iterate through the relocations from the symbol table for each section. Finally, running this gives us -``` +```console › python relocations.py .rela.dyn: 0x200d98

@@ -206,7 +206,7 @@ > The `__libc_start_main()` function shall perform any necessary initialization of the execution environment, call the *main* function with appropriate arguments, and handle the return from `main()`. If the `main()` function returns, the return value shall be passed to the `exit()` function.

And its definition is like so -``` +```c int __libc_start_main(int *(main) (int, char * *, char * *), int argc, char * * ubp_av, void (*init) (void),
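Review bot: the prototype is quoted verbatim from the LSB page linked just above, including its `int *(main) (int, char * *, char * *)` spelling, which reads as `main` returning `int *`. glibc's own declaration is `int (*main)(int, char **, char **)`, a pointer to a function returning `int`, which is also what the earlier `lea rdi, [rip + 0xe6]` is loading as the first argument; a short remark that the LSB text is oddly typeset would keep readers from deriving the wrong type, and the new `c` fence will now highlight it as if it were real C.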
A static/syntax.css

@@ -0,0 +1,78 @@

+.codehilite .hll { background-color: #404040 } +.codehilite { background: #202020; color: #d0d0d0 } +.codehilite .c { color: #999999; font-style: italic } /* Comment */ +.codehilite .err { color: #a61717; background-color: #e3d2d2 } /* Error */ +.codehilite .esc { color: #d0d0d0 } /* Escape */ +.codehilite .g { color: #d0d0d0 } /* Generic */ +.codehilite .k { color: #6ab825; font-weight: bold } /* Keyword */ +.codehilite .l { color: #d0d0d0 } /* Literal */ +.codehilite .n { color: #d0d0d0 } /* Name */ +.codehilite .o { color: #d0d0d0 } /* Operator */ +.codehilite .x { color: #d0d0d0 } /* Other */ +.codehilite .p { color: #d0d0d0 } /* Punctuation */ +.codehilite .ch { color: #999999; font-style: italic } /* Comment.Hashbang */ +.codehilite .cm { color: #999999; font-style: italic } /* Comment.Multiline */ +.codehilite .cp { color: #cd2828; font-weight: bold } /* Comment.Preproc */ +.codehilite .cpf { color: #999999; font-style: italic } /* Comment.PreprocFile */ +.codehilite .c1 { color: #999999; font-style: italic } /* Comment.Single */ +.codehilite .cs { color: #e50808; font-weight: bold; background-color: #520000 } /* Comment.Special */ +.codehilite .gd { color: #d22323 } /* Generic.Deleted */ +.codehilite .ge { color: #d0d0d0; font-style: italic } /* Generic.Emph */ +.codehilite .gr { color: #d22323 } /* Generic.Error */ +.codehilite .gh { color: #ffffff; font-weight: bold } /* Generic.Heading */ +.codehilite .gi { color: #589819 } /* Generic.Inserted */ +.codehilite .go { color: #cccccc } /* Generic.Output */ +.codehilite .gp { color: #aaaaaa } /* Generic.Prompt */ +.codehilite .gs { color: #d0d0d0; font-weight: bold } /* Generic.Strong */ +.codehilite .gu { color: #ffffff; text-decoration: underline } /* Generic.Subheading */ +.codehilite .gt { color: #d22323 } /* Generic.Traceback */ +.codehilite .kc { color: #6ab825; font-weight: bold } /* Keyword.Constant */ +.codehilite .kd { color: #6ab825; font-weight: bold } /* Keyword.Declaration */ +.codehilite .kn { 
color: #6ab825; font-weight: bold } /* Keyword.Namespace */ +.codehilite .kp { color: #6ab825 } /* Keyword.Pseudo */ +.codehilite .kr { color: #6ab825; font-weight: bold } /* Keyword.Reserved */ +.codehilite .kt { color: #6ab825; font-weight: bold } /* Keyword.Type */ +.codehilite .ld { color: #d0d0d0 } /* Literal.Date */ +.codehilite .m { color: #3677a9 } /* Literal.Number */ +.codehilite .s { color: #ed9d13 } /* Literal.String */ +.codehilite .na { color: #bbbbbb } /* Name.Attribute */ +.codehilite .nb { color: #24909d } /* Name.Builtin */ +.codehilite .nc { color: #447fcf; text-decoration: underline } /* Name.Class */ +.codehilite .no { color: #40ffff } /* Name.Constant */ +.codehilite .nd { color: #ffa500 } /* Name.Decorator */ +.codehilite .ni { color: #d0d0d0 } /* Name.Entity */ +.codehilite .ne { color: #bbbbbb } /* Name.Exception */ +.codehilite .nf { color: #447fcf } /* Name.Function */ +.codehilite .nl { color: #d0d0d0 } /* Name.Label */ +.codehilite .nn { color: #447fcf; text-decoration: underline } /* Name.Namespace */ +.codehilite .nx { color: #d0d0d0 } /* Name.Other */ +.codehilite .py { color: #d0d0d0 } /* Name.Property */ +.codehilite .nt { color: #6ab825; font-weight: bold } /* Name.Tag */ +.codehilite .nv { color: #40ffff } /* Name.Variable */ +.codehilite .ow { color: #6ab825; font-weight: bold } /* Operator.Word */ +.codehilite .w { color: #666666 } /* Text.Whitespace */ +.codehilite .mb { color: #3677a9 } /* Literal.Number.Bin */ +.codehilite .mf { color: #3677a9 } /* Literal.Number.Float */ +.codehilite .mh { color: #3677a9 } /* Literal.Number.Hex */ +.codehilite .mi { color: #3677a9 } /* Literal.Number.Integer */ +.codehilite .mo { color: #3677a9 } /* Literal.Number.Oct */ +.codehilite .sa { color: #ed9d13 } /* Literal.String.Affix */ +.codehilite .sb { color: #ed9d13 } /* Literal.String.Backtick */ +.codehilite .sc { color: #ed9d13 } /* Literal.String.Char */ +.codehilite .dl { color: #ed9d13 } /* Literal.String.Delimiter */ +.codehilite .sd 
{ color: #ed9d13 } /* Literal.String.Doc */ +.codehilite .s2 { color: #ed9d13 } /* Literal.String.Double */ +.codehilite .se { color: #ed9d13 } /* Literal.String.Escape */ +.codehilite .sh { color: #ed9d13 } /* Literal.String.Heredoc */ +.codehilite .si { color: #ed9d13 } /* Literal.String.Interpol */ +.codehilite .sx { color: #ffa500 } /* Literal.String.Other */ +.codehilite .sr { color: #ed9d13 } /* Literal.String.Regex */ +.codehilite .s1 { color: #ed9d13 } /* Literal.String.Single */ +.codehilite .ss { color: #ed9d13 } /* Literal.String.Symbol */ +.codehilite .bp { color: #24909d } /* Name.Builtin.Pseudo */ +.codehilite .fm { color: #447fcf } /* Name.Function.Magic */ +.codehilite .vc { color: #40ffff } /* Name.Variable.Class */ +.codehilite .vg { color: #40ffff } /* Name.Variable.Global */ +.codehilite .vi { color: #40ffff } /* Name.Variable.Instance */ +.codehilite .vm { color: #40ffff } /* Name.Variable.Magic */ +.codehilite .il { color: #3677a9 } /* Literal.Number.Integer.Long */
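Review bot: this is the Pygments stylesheet for the `native` style (dark `#202020` background, `#6ab825` keywords, `#ed9d13` strings) with the `.codehilite` class prefix; it can be regenerated with `pygmentize -S native -f html -a .codehilite > static/syntax.css`, and recording that command in a Makefile target or in a comment at the top of the file would stop anyone from editing it by hand. One deliberate keep: `.err` retains Pygments' red-on-pink, which is exactly what exposed the stray em-dash and curly quotes in the code snippets fixed elsewhere in this patch.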
M templates/text.html

@@ -1,6 +1,7 @@

<!DOCTYPE html> <html lang=en> <link rel="stylesheet" href="/static/style.css" type="text/css"> +<link rel="stylesheet" href="/static/syntax.css" type="text/css"> <link rel="shortcut icon" type="images/x-icon" href="/static/favicon.ico"> <meta content="Anirudh’s blog." name=description> <meta name="viewport" content="initial-scale=1">
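Review bot: the template emits `<link>` and `<meta>` elements directly under `<html>` with no `<head>`, and since the generated pages earlier in this patch are produced from it, this is where the structural fix belongs: wrap the metadata in `<head>`, open `<body>` before the container `<div>`, and remove the second `<html>` that precedes `<title>`. The added stylesheet link itself is fine; being same-origin it needs no `integrity` attribute, unlike the instant.page script the pages load from a third-party host.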