Last active
July 3, 2024 01:08
-
-
Save hickskl/cf87eec960d86afaf07c53024a1d5dd6 to your computer and use it in GitHub Desktop.
OTW
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bandit0: bandit0 | |
Compiler flags: | |
-m32 compile for 32bit | |
-fno-stack-protector disable ProPolice | |
-Wl,-z,norelro disable relro | |
execstack tool: can be used to flag the stack as executable on ELF binaries | |
Stack Canary: -fstack-protector | |
- rudimentary check for buffer overflows on the stack | |
- the canary is an extra word of memory at the end of the stack frame with a value set at runtime | |
- value is (should) be unknown to an attacker and checked for modification before jumping out of the function | |
- standard GCC: stack protector off by default; some Linux distros enable it by default | |
- compiling with-fstack-protector: more space allocated on the stack and more overhead on entry to a return from a function (checks made) | |
- stack-protector will head off stack overflow attacks quickly | |
SafeStack and Shadow Stack: -mshstk, -fsanitize=safe-stack | |
- splits stack into 2 non-contiguous areas: important variable store + user variable store | |
- process occurs in hardware (e.g. x86_64 shadow stack) or software (e.g. LLVM's SafeStack) | |
Fortified Source: -D_FORTIFY_SOURCE=<n> preproc flag | |
- glibc provides alternate implementations of some commonly used functions to smash the stack | |
- implementations typically use compler support to check for memory bounds of objects | |
- causes programs to terminate if operation flows out of bounds | |
Control Flow Integrity | |
- ensures jump and return addresses are correct using hardware or software support | |
- Intel's Control-flow Enforcement Technology (CET): -fcf-protection=[full] | |
- Branch Target Identification (BTI) on AArch64: -mbranch-protection=... | |
- Software implementation of CFI: -fsanitize=cfi | |
Stack Allocation Control: | |
- operations that have an impact on stack allocation, but not necessarily designed to provide extra security | |
- allocate discontinuous stack when running out of memory: -fsplit-stack | |
- stack limiting in linker (via symbol or register): -fno-stack-array | |
- -fstack-limit-register, -fstack-limit-symbol | |
- stack-allocated arrays common entry point for stack-based attacks | |
- compiler can disallow this patter, preventing use of stack-allocated arrays | |
Stack usage and stats | |
- alloca(): allocates dynamically sized objects on the stack | |
- common target for overflowing stacks or making them clash with other maps in memory | |
- flags allow finer control over stack usage, provide warnings when alloca() or variable-length arrays cross thresholds | |
- -Wframe-larger-than, -Walloca, -Walloca-larger-than, -Wvla -Wvla-larger-than | |
- -Wstack-usage, -fstack-usage | |
Identifying Compilation Switches | |
- If program is ELF, compiled by GCCv4.3+, used flag -frecord-gcc-switches, | |
- shows what switches were used: readelf -p .GCC.command.line a.out | |
- frecord-gcc-switches adds .GCC.comment.line section to the ELF | |
- checksec command can be used to check for stack protection measures | |
- checksec --file /path/to/binary | |
- Shows relro, stack canary, NX, PIE, RPATH, RUNPATH, Symbol, FORTIFY | |
Object Formats | |
- .o, .out, .so: executables, object code, shared libraries; superseded by ELF | |
- Read Later: https://medium.com/@holdengrissett/linux-101-understanding-the-insides-of-your-program-2be2480ba366 | |
Position-Independent Executable (PIE) | |
- Position Independent Executables (PIE): mechanism to harden ELFs, output of the hardened package build process | |
- PIE binary + dependencies are loaded into randomized locations in virtual memory each time app is executed | |
Relocation Read-Only (RelRo) | |
- some network daemons and suid-root programs are built with RELRO support | |
- all ELF binaries in Fedora 23+ have full relro support | |
- Global Offset Table (GOT): used by dynamically linked ELF binary to dynamically resolve functions in shared libraries | |
- Procedure Linkage Table (PLT): calls to resolve shared lib functions point to PLT | |
- .plt: library function calls point to the Procedure Linkage Table (PLT) in the .plt section of the binary | |
- .got.plt: PLT points to GOT, which contains pointers to the actual location of the functions/shared lib in memory | |
- GOT populated dynamically as the program is running | |
- first time a shared function is called, GOT contains a pointer back to PLT, where dynamic linker finds actual location | |
- location found is written to GOT | |
- next time function is called, GOT contains known location of the function ("lazy binding") | |
- PLT needs to be located at a fixed offset from .text section | |
- GOT needs to be allocated at a known static address in memory; needs to be writable | |
- if an attacker could write 4 bytes at a controlled place in memory, GOT could be exploited | |
- gcc -g -O0 -Wl,-z,relro,-z,now -o <binary_name> <source_code> | |
- RELRO ensures that the GOT cannot be overwritten in vulnerable ELF binaries | |
- the linker resolves all dynamically linked functions at the beginning of exeuction | |
- makes the GOT read-only | |
- Partial RELRO: non-PLT part of GOT (.got) is read-only; .got.plt is writable | |
- partial and full RELRO reorder the ELF internal data sections to protect them from being overwritten in BO | |
gef: GDB Enhanced Features | |
- commands for x86/64, ARM, MIPS, PowerPC, SPARC to enhance GDB | |
- Uses Python API to assist during dynamic analysis and exploit development | |
pwndbg: GDB plugin, features for low-level software dev, hardware hacking, reverse-engineering, exploit dev | |
- Python module loaded into GDB, provides utilities | |
peda: Python Exploit Development Assistance for GDB | |
- adds commands to support debugging and exploit dev | |
- aslr, dump args, elf header, lookup, etc. | |
gdbinit: GDB initialization scripts | |
- fGDB commands to automatically execute during GDB startup | |
pwntools: CTF framework and exploit dev library | |
- python, rapid prototyping and development | |
radare2: reverse engineering framework | |
- libraries, tools, plugins for reverse engineering tasks | |
- suite of plugins | |
puTTY: shift+insert to paste | |
bandit1: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If | |
bandit2: 263JGJPfgU6LtdEvgfWU1XP5yac29mFx | |
bandit3: MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx | |
bandit4: 2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ | |
bandit5: 4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw | |
file <filename> #info about encoding | |
find . -exec ls -ls {} \; #file size | |
find . -exec file {} \; | |
find = expression + action | |
- {} results placeholder, can use results {} multiple times as input to other commands | |
- \; or + delimiter (don't want shell to interpret ;, so \;) | |
- determines how find handles expression results | |
- ; = -exec command repeated for each result separately | |
- + = all expression results will be concat'd and passed whole to -exec, which will run only once | |
- -exec doesn't use shell to execute command, but Linux's Exec directly (shell expansion won't work) | |
- to run coqmmands, need to export shell function and run as part of a spawned shell | |
$ export -f mp3info | |
$ find . -name "*.mp3" -exec bash -c "mp3info \"{}\"" \; | |
$ find . -name "*.mp3" -exec bash -c "basename \"{}\" && file \"{}\" | awk -F: '{\$1=\"\"; print \$0 }'" \; | |
awk: formatting lines for print | |
- scans file by line, splits input line into fields, compares input line/fields to pattern, perform action on matches | |
- -f <file> (or first arg) | |
- -F fs field separator | |
- $1-$n fields, delimited by -F fs, $0 whole line | |
- NR current count of number of input records | |
- NF keeps count of number of fields within current input records | |
- FS contains field separator character used to divide line (default whitespace) | |
- RS stores current record separator character (default newline) | |
- OFS output field separator (default blank space) | |
- ORS output record separator (default newline) | |
awk '{print}' <file.txt> #prints file | |
awk '/pattern/ {print}' <file.txt> #prints lines matching pattern | |
awk '{print $1,$4}' <file.txt> #print field 1 and 4 | |
awk '{print NR,$0}' <file.txt> #prints line count and full line | |
awk '{print $1,$NR}' <file.txt> #prints first and last field | |
awk '{NR==3, NR==6 {print NR,$0}' <file.txt> #from count 3 to 6, print line number and full line | |
awk '{print NR "- " $1} <file.txt> #print line number - field #1 | |
awk 'END { print NR }' <file.txt> #count lines in file | |
awk 'length($0) > 10' <file.txt> #print lines with more than 10 characters | |
awk '{ if($3 == "B6") print $0;} <file.txt> #check string for specific column | |
awk 'BEGIN { for(i=1;i<=6;i++) print "square of", i, "is", i*i; } #"square of 1 is 1"... | |
bandit6: HWasnPhtq9AVKe0dmk45nxy20cvUa6EG | |
stat: file size, blocks, inode, links, access, uid, guid, timestamps | |
find / -exec stat {} \; | |
find / -exec stat {} \; | grep -B 1 -A 3 "Size: 33 " | |
find / -exec stat {} \; | grep -B 1 -A 3 "Size: 33 " | grep -B 3 "bandit6" | |
File: /var/lib/dpkg/info/bandit7.password | |
Size: 33 Blocks: 8 IO Block: 4096 regular file | |
Device: 259,1 Inode: 75615 Links: 1 | |
Access: (0640/-rw-r-----) Uid: (11007/ bandit7) Gid: (11006/ bandit6) | |
Linux Variables: | |
- $@ arguments stored as array | |
- $$ process ID of current shell | |
- $# number of arguments supplied in given scripts | |
- $* connects all given arguments together | |
- $! shows ID of last background job | |
- $? displays exit status code of last exec'd command | |
- $0 filename of current scripts | |
- $_ sets the variable to the latest argument of the last command | |
- $- current used flags on bash shell | |
- $1-$n data of first n arguments | |
bandit7: morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj | |
bandit8: dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc | |
sort data.txt | uniq -c | grep " 1 " | |
bandit9: 4CKMh1JI91bUIZZPXDqGanal4xvAg0JM | |
grep "===*" --text data.txt | |
bandit10: FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey | |
base64 --decode <data.txt | |
bandit11: dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr | |
tr: translate | |
tr '{}' '()' | |
tr '-' '_' | |
ROT13: tr '[a-zA-Z]' '[n-za-mN-ZA-M]' <data.txt | |
bandit12: 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4 | |
mktemp -d | |
/tmp/tmp.k30dNjc0wk | |
Magic numbers: https://gist.github.com/leommoore/f9e57ba2aa4bf197ebc5 | |
- 1f8b / x88 / x08 = gzip, gz, BZ | |
- 425a = bzip, bz, .. | |
- 1f9d = compress, z, .. | |
- 50 4b 03 04 = pkzip, zip, PK.. | |
- ? = tar | |
- Binary -> executable, machine readable | |
- Hex Dump -> human readable, non-executable | |
tar -xvf file.tar | |
gzip -dk file.gz #decompress, keep file | |
bzip2 -dk file.bz2 # -f to force override output | |
gzip --> zcat | |
bzip2 --> bzcat | |
xxd - make a hex dump, or convert from hex dump; -r to revert | |
xxd -r data.txt > data | |
gzip -dk file | |
...| file - #reads from STDOUT into STDIN | |
bandit13: FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment