old notes

i take one breath / mint at a time

#overthewire #wargames #leviathan #linux #ctf

There is no information given regarding these levels. Upon sshing into Lv1, I found a program called check that according to the file command is:

check: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=c735f6f3a3a94adcad8407cc0fda40496fd765dd, not stripped

Running ./check gives us a `password:` prompt, so I tried the only password I currently have (the one used to enter this level), and nothing.

Decided to track down this /lib/ld-linux.so.2 directory mentioned. Tracing all the symbolic links gets us to this file: /lib32/ld-2.24.so. Running the file gives us:

You have invoked `ld.so', the helper program for shared library executables. This program usually lives in the file `/lib/ld.so', and special directives in executable files using ELF shared libraries tell the system's program loader to load the helper program from this file. This helper program loads the shared libraries needed by the program executable, prepares the program to run, and runs it. You may invoke this helper program directly from the command line to load and run an ELF executable file; this is like executing that file itself, but always uses this helper program from the file you specified, instead of the helper program file specified in the executable file you run. This is mostly of use for maintainers to test new versions of this helper program; chances are you did not intend to run this program.

So researching how to analyze Linux binaries gives us a list of commands to explore:

ldd –> print shared object dependencies. Used to run against dynamically linked binary to show its dependent libraries and their paths. Running this on check binary shows:

linux-gate.so.1 (0xf7fd7000)
libc.so.6 => /lib32/libc.so.6 (0xf7e12000)
/lib/ld-linux.so.2 (0xf7fd9000)

Which is info we had already ascertained from following the breadcrumbs. But at least next time, I won't need to follow the breadcrumbs.

ltrace –> displays all the functions that are being called at run time from the library. (Function names, arguments being passed into that function, and what is returned.)

hexdump –> display file contents in ASCII, decimal, hexadecimal, or octal

strings –> print the strings of printable characters in files

readelf –> display information about ELF files

objdump –> reads the binary or executable file and dumps the assembly language instructions on the screen.

strace –> traces system calls aka calls that interface with kernel

nm –> list symbols from object files. If the binary was not stripped, you can identify variables, functions, and other valuable info embedded in the binary during compilation.

gdb –> GNU debugger: load a program, set breakpoints, analyze memory and CPU register, etc.

But what is relevant here?

Let's try ltrace check. Immediately we get prompted for the password along with information about the function calls behind that prompt:

__libc_start_main(0x804853b, 1, 0xffffd744, 0x8048610 <unfinished ...>
printf("password: ") = 10
getchar(1, 0, 0x65766f6c, 0x646f6700password:

This means that the functions __libc_start_main, printf, and getchar were called in order to run the program up to the password prompt. Entering a password of rioGegei8m gives the following output:

getchar(1, 0, 0x65766f6c, 0x646f6700password: rioGegei8m
) = 114
getchar(1, 0, 0x65766f6c, 0x646f6700) = 105
getchar(1, 0, 0x65766f6c, 0x646f6700) = 111
strcmp("rio", "sex") = -1
puts("Wrong password, Good Bye ..."Wrong password, Good Bye ...
) = 29
+++ exited (status 0) +++

It looks like we used the getchar function to read from stdin, then we called strcmp to match rio against sex. I'm assuming that only the first three characters of my password attempt were matched because the password is only three characters long. I will pretend not to judge that the password here is `sex`. Really?

Entering the password into the ./check binary brings us to a shell. Immediately, let's check whoami and echo $0, which tell us that we are leviathan2 and our shell is /bin/sh.

Let's check the leviathan2 home directory. There is a file called printfile that is a setuid regular file with no read permission. Checking permissions shows that:

-r-sr-x--- 1 leviathan3 leviathan2 7436 Aug 26 2019 printfile

This file belongs to the leviathan3 user and the leviathan2 group. The s in the permissions for the leviathan3 user means that the setuid bit is set, and the execute bit is set. According to research: “A file with SUID always executes as the user who owns the file, regardless of the user passing the command.” But when I try to execute the file, I still get /bin/sh: 31: ./printfile: Permission denied.

Tried to change the permissions:

$ chmod u-s printfile
chmod: changing permissions of 'printfile': Operation not permitted

Thinking more about the permissions and checking my own with id:

uid=12002(leviathan2) gid=12001(leviathan1) groups=12001(leviathan1)

Turns out that even though I have managed to set my uid to leviathan2 from running the check binary, I am still in the leviathan group. Let's learn more about the s permissions:

“The setuid bit simply indicates that when running the executable, it will set its permissions to that of the user who created it (owner), instead of setting it to the user who launched it.”
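The permission denied above comes down to which of the three rwx triples the kernel consults, and the setuid bit only matters once that check passes. The following is an added example, not part of the original post: a small Ruby model of that decision, fed with the printfile listing and the `id` output quoted above. The function and constant names (`parse_mode`, `explain_exec`, `AS_SEEN_IN_POST`, `WITH_PROPER_GROUP`) are my own.

```ruby
# Added example (not from the original post): which of the three permission
# triples the kernel consults when a user tries to run a file, using the
# printfile listing and the `id` output quoted above as input.
Triple = Struct.new(:r, :w, :x)
FilePerms = Struct.new(:user, :group, :other, :setuid, :setgid)

# Parse the 10-character mode column of `ls -l`, e.g. "-r-sr-x---".
# A lowercase 's' in an execute slot means "special bit set AND execute set";
# an uppercase 'S' means the special bit is set but execute is not.
def parse_mode(mode)
  raise ArgumentError, "expected a 10-char ls -l mode string" unless mode.size == 10
  u, g, o = mode[1..9].scan(/.../)
  triple = ->(t) { Triple.new(t[0] == "r", t[1] == "w", "xst".include?(t[2])) }
  FilePerms.new(triple[u], triple[g], triple[o],
                u[2].downcase == "s", g[2].downcase == "s")
end

# Owner match beats group match; group match (primary gid or any
# supplementary group) beats "other". Exactly one triple is consulted.
def effective_triple(perms, owner, group, uid_name, groups)
  return [:user, perms.user] if uid_name == owner
  return [:group, perms.group] if groups.include?(group)
  [:other, perms.other]
end

# Report whether uid_name may execute the file and, if so, whose uid the
# new process gets (the owner's when the setuid bit is set).
def explain_exec(mode:, owner:, group:, uid_name:, groups:)
  perms = parse_mode(mode)
  which, t = effective_triple(perms, owner, group, uid_name, groups)
  {
    consulted: which,
    exec: t.x,
    runs_as: t.x ? (perms.setuid ? owner : uid_name) : nil,
    note: t.x ? "allowed via the #{which} triple" : "denied: the #{which} triple has no execute bit"
  }
end

# The situation in the post: uid is leviathan2, but gid and groups are still
# leviathan1, so neither owner nor group matches and "other" (---) is used.
AS_SEEN_IN_POST = explain_exec(mode: "-r-sr-x---", owner: "leviathan3", group: "leviathan2",
                               uid_name: "leviathan2", groups: ["leviathan1"])

# Same file seen by a process whose groups include leviathan2: the group
# triple r-x applies, and the setuid bit makes it run with leviathan3's uid.
WITH_PROPER_GROUP = explain_exec(mode: "-r-sr-x---", owner: "leviathan3", group: "leviathan2",
                                 uid_name: "leviathan2", groups: ["leviathan2"])

if __FILE__ == $0
  p AS_SEEN_IN_POST
  p WITH_PROPER_GROUP
end
```

The two constants show the whole story: the uid changed, the groups did not, so the `---` triple is the one that applies, and no amount of setuid on the file changes that.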

A very long deep dive later...

Yeah, I just realized I didn't check the regular ol' etc/leviathan_pass/leviathanLVL file... and there it was. The password.


Random Notes on New Knowledge

openssl to generate password + salt!

$ openssl passwd -1 "hello world"
$1$Y3FAzTxG$/I/sykzmytIduJwbL4mjo1
$ openssl passwd -1 -salt "my salt" "hello world"
$1$my salt$lY65QUBqL1JO3LEh3ENqe.

The shell escape feature/exploit

  • check sudo privileges: sudo -l
  • use sudo to go into a command to check if current user can execute any commands without password entry
  • if so, run that with sudo, for example: sudo /usr/bin/man man to run the man command on man with sudo
  • then drop into a bash shell with !/bin/bash

#recursion #datastructures #devstudy #sum #average

Problem 1: find sum using recursion

How to Approach the Problem:

1. Find base case:

establish base condition of arr.count == 1

```ruby
def sum(arr)
  count = arr.count
  if count == 1
    return arr.sum
  end
end
```

2. Find the function for the base case: arr.sum or arr[0..count-1].sum is our base case because we have added up all the numbers in the array

3. Find the next-to-last case: arr[0..count-2].sum is our next-to-last case because we are adding up all the numbers in the array minus the last element

4. Write the recursion line by taking out the next-to-last case from the base case:

We want to take out arr[count-1] from the recursion line so that we have: recursive function call + arr[count-1] so we now have:

sum(arr[0..count-2]) + arr[count-1]

This means that we are getting the sum of the first to next-to-last numbers in the array through the recursive call and then adding to that the value of the last array number.

5. How is the program actually doing this?

Given arr = [1,2,3,4,5], we can express this with recursion call + second-to-last case to get our:

first recursion call: [1,2,3,4,5].sum = [1,2,3,4].sum + 5

Then we want to express `[1,2,3,4].sum` with recursion to get:

second recursion call: [1,2,3,4].sum = [1,2,3].sum + 4

Continue until base case:

third recursion call: [1,2,3].sum = [1,2].sum + 3
fourth case: [1,2].sum = [1].sum + 2
base case: [1].sum = 1 and algorithm completed!

Solution:

```ruby
def sum(arr)
  count = arr.count
  if arr.count == 1
    arr[0..count-1].sum
  else
    sum(arr[0..count-2]) + arr[count-1]
  end
end
```

Rewrite Solution in more rubyist way: TBD


Problem 2: Find average using recursion

First attempt:

using recursion

  1. Find base case: the average of the first num in the array arr[0]
  2. Find function for base case arr[0..count-1].sum/count
  3. Find next-to-last case arr[0..count-2].sum/count
  4. Write recursion line by taking out the next-to-last case from base case average(arr[0..count-2])
  5. How is the recursion actually happening? given arr = [1,2,3,4,5] and count = arr.count

[1,2,3,4,5].sum / count is the same as: [1,2,3,4].sum / count-1 * 5
[1,2,3,4].sum / count is the same as: [1,2,3].sum / count-1 * 4
[1,2,3].sum / count is the same as: [1,2].sum / count-1 * 3
[1,2].sum / count is the same as: [1].sum / count-1 * 2
[1].sum / count is the same as: 1 so our base condition has been met!

Implementation

```ruby
def average(arr)
  count = arr.count
  if count == 1
    arr[0..count-1].sum/count
  else
    average(arr[0..count-2].sum / (count-1)) * arr[count-1]
  end
end
```

```ruby
a = [1,2,3,4,5]
p average(a) == 3

b = [0,10]
p average(b) == 5

c = [1]
p average(c) == 1
```

Mistake made: The input that I'm passing into my recursive call is not an array but an integer value so the program does not work since it is expecting an array.

Attempt 2: NOT YET COMPLETED

  • How do I represent the part of the averaging function that divides by the total count?
  • it needs to be in the recursive function call but how?

Attempt 2 in follow-up to this post: https://write.as/effyverse/recursion-002
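As an added example that is not the post's own solution (and not its follow-up attempt), here is a recursive sum together with two ways of making the division part of a recursive average. The names `rec_sum`, `rec_average` and `running_average` are mine, chosen so they do not collide with the post's `sum` and `average`. The second average answers the open question above by carrying the index and the average so far through the recursive call, so an array is never swapped for an integer.

```ruby
# Added example, not the post's own solution: a recursive sum, and two recursive
# averages that avoid the mistake described above (feeding an integer into a
# call that expects an array).

# sum(arr) == sum(all but the last element) + last element
def rec_sum(arr)
  return 0 if arr.empty?          # base case: nothing left to add
  rec_sum(arr[0...-1]) + arr[-1]  # recursive case: shrink the array by one
end

# Average, approach 1: recurse for the sum, divide once at the top level.
def rec_average(arr)
  raise ArgumentError, "average of an empty array is undefined" if arr.empty?
  rec_sum(arr).to_f / arr.size
end

# Average, approach 2: the division lives inside the recursion. The running
# average after n elements is avg_n = avg_{n-1} + (x_n - avg_{n-1}) / n, so the
# recursive call carries the index and the average so far, never a bare sum.
def running_average(arr, index = 0, avg = 0.0)
  raise ArgumentError, "average of an empty array is undefined" if arr.empty?
  return avg if index == arr.size                    # base case: all folded in
  next_avg = avg + (arr[index] - avg) / (index + 1)  # float division, avg is a Float
  running_average(arr, index + 1, next_avg)
end

if __FILE__ == $0
  p rec_sum([1, 2, 3, 4, 5])       # 15
  p rec_average([1, 2, 3, 4, 5])   # 3.0
  p running_average([0, 10])       # 5.0
end
```

Both averages return a Float on purpose: the post's `arr.sum/count` is integer division in Ruby, which is why `[0,10]` would come out as 5 but `[1,2]` would come out as 1. Recursion this deep also costs a stack frame per element, so for arrays of tens of thousands of elements Ruby raises SystemStackError; outside a study exercise, `Array#sum` and a loop are the tools to reach for.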

#python #syntax

loop + range + printing

Use a loop:

```python
def loop(num):
    for x in range(num):
        print(x)

loop(5)
```

recursion

```python
def loop(num):
    print(num)
    if num == 0:
        return num
    else:
        loop(num - 1)

loop(5)
```

counter + default or multiple parameters + recursion

```python
def double_array(array, index=0):
    # stop once the index has run past the end of the list
    if index >= len(array):
        return
    array[index] *= 2
    double_array(array, index + 1)
```

Using the default parameter: `double_array([1,2,3,4,5])`

Passing both parameters explicitly: `double_array([1,2,3,4,5], 0)`

#networking #OSI #tcpip

  • takes both software and hardware to move packets: MAC (hardware) and IP (software)

Packets: header + payload

  • payload = data being transferred
  • as packet traverses the network, each layer adds info to header
  • different layers use different terms for our “packet”
  • transport layer: used to encapsulate data in a “segment”
  • link layer: we refer to this as a “frame”

Sending an email example

  1. APPLICATION LAYER (in OSI application, presentation, session) will encapsulate the data from our email client

  2. application layer talks to transport layer through specific port (25 for SMTP)

  3. Data goes to Transport layer to be encapsulated into segments

Transport Layer

  • breaks data into chunks (known as “segments”) in a way networks can read and transport

TCP handshake:

  • client sends a SYN segment to the server requesting a connection
  • server sends the client a SYN-ACK segment to acknowledge the client's connection request
  • client sends an ACK to the server to acknowledge the server's connection request

[Image: TCP 3-way handshake diagram]
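To make the three segments and the state each side is in concrete, here is an added example that is not part of the original notes: the handshake as two tiny state machines in Ruby. The class and method names (`TcpEndpoint`, `three_way_handshake`) and the initial sequence numbers (100 for the client, 300 for the server) are constructed for the example.

```ruby
# Added example (not from the original notes): the TCP three-way handshake as
# two small state machines exchanging segments. Initial sequence numbers are
# constructed (100 for the client, 300 for the server) so the "+1" arithmetic
# in the acknowledgements is visible.
Segment = Struct.new(:flags, :seq, :ack)

class TcpEndpoint
  attr_reader :state

  def initialize(role, isn)
    @isn = isn
    @state = role == :server ? :LISTEN : :CLOSED
  end

  # Client side: send SYN carrying our initial sequence number.
  def connect
    @state = :SYN_SENT
    Segment.new([:SYN], @isn, nil)
  end

  # Handle one incoming segment; return the reply, or nil if none is due.
  def receive(seg)
    case [@state, seg.flags]
    when [:LISTEN, [:SYN]]              # server: remember the client, answer SYN-ACK
      @state = :SYN_RECEIVED
      Segment.new([:SYN, :ACK], @isn, seg.seq + 1)
    when [:SYN_SENT, [:SYN, :ACK]]      # client: server acknowledged our SYN
      raise "ack does not cover our SYN" unless seg.ack == @isn + 1
      @state = :ESTABLISHED
      Segment.new([:ACK], @isn + 1, seg.seq + 1)
    when [:SYN_RECEIVED, [:ACK]]        # server: client acknowledged our SYN
      raise "ack does not cover our SYN" unless seg.ack == @isn + 1
      @state = :ESTABLISHED
      nil
    else
      raise "unexpected #{seg.flags.inspect} while #{@state}"
    end
  end
end

# Run the exchange; return both final states plus the three segments sent.
def three_way_handshake(client_isn: 100, server_isn: 300)
  client = TcpEndpoint.new(:client, client_isn)
  server = TcpEndpoint.new(:server, server_isn)
  trace = []
  syn = client.connect;          trace << [:client_to_server, syn]
  syn_ack = server.receive(syn); trace << [:server_to_client, syn_ack]
  ack = client.receive(syn_ack); trace << [:client_to_server, ack]
  server.receive(ack)
  { client: client.state, server: server.state, trace: trace }
end

if __FILE__ == $0
  three_way_handshake[:trace].each { |dir, seg| puts "#{dir}: #{seg.to_h}" }
end
```

Note where the server commits resources: it moves to SYN_RECEIVED, and holds that state, on the very first segment, before the client has proven it can complete the exchange. The final ACK is what promotes both sides to ESTABLISHED.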

Network layer

  • routing of packets from source host to destination host
  • “subnets” = smaller networks making up the Internet
  • IP addresses define the rules to travel to different subnets

Coming from the Transport layer:

  • receives the “segment” and encapsulates this segment in an IP packet
  • attaches the source host IP + destination host IP to the packet header
  • sends to the physical hardware layer

  • receives “segment”, encapsulates into “frame”
  • attaches the source and destination MAC addresses of the hosts, checksums, and packet separators so that the receiver can tell when a packet ends
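The layering described in the packet notes and the three layer sections above (data into a segment, segment into a packet, packet into a frame, and the reverse on receipt) is easy to see in code. The following is an added example, not part of the original notes: the ports, IP addresses, MAC addresses and message are constructed, and a CRC32 over the payload stands in for the link-layer checksum.

```ruby
# Added example, not from the original notes: each layer wraps the unit handed
# down from above (data -> segment -> packet -> frame) and the receiver unwraps
# in reverse. Ports, addresses and the message are constructed values; the
# frame carries a CRC32 over the payload to play the role of the checksum.
require 'zlib'

Layer = Struct.new(:name, :header, :payload)

def to_segment(data, src_port:, dst_port:)       # transport layer
  Layer.new(:segment, { src_port: src_port, dst_port: dst_port }, data)
end

def to_packet(segment, src_ip:, dst_ip:)         # network layer
  Layer.new(:packet, { src_ip: src_ip, dst_ip: dst_ip }, segment)
end

def to_frame(packet, src_mac:, dst_mac:)         # link layer
  crc = Zlib.crc32(packet.payload.payload)
  Layer.new(:frame, { src_mac: src_mac, dst_mac: dst_mac, crc: crc }, packet)
end

# Sending side of the email example: application data goes to SMTP port 25.
# 192.0.2.0/24 is the documentation range; MACs are locally administered.
def encapsulate(email_body)
  seg = to_segment(email_body, src_port: 49152, dst_port: 25)
  pkt = to_packet(seg, src_ip: "192.0.2.10", dst_ip: "192.0.2.25")
  to_frame(pkt, src_mac: "02:00:00:00:00:01", dst_mac: "02:00:00:00:00:02")
end

# Receiving side: peel frame, packet, segment; verify the checksum first.
def decapsulate(frame)
  packet  = frame.payload
  segment = packet.payload
  unless Zlib.crc32(segment.payload) == frame.header[:crc]
    raise "frame checksum mismatch: payload was altered in transit"
  end
  { layers: [frame.name, packet.name, segment.name],
    dst_port: segment.header[:dst_port], dst_ip: packet.header[:dst_ip],
    data: segment.payload }
end

# Headers outermost first, the order a packet capture shows them in.
def header_stack(frame)
  [frame.header, frame.payload.header, frame.payload.payload.header]
end

if __FILE__ == $0
  frame = encapsulate("Subject: hi")
  header_stack(frame).each { |h| p h }
  p decapsulate(frame)
end
```

`header_stack` is the view you get in a capture tool: MAC addresses first, then IPs, then ports, each added by a lower layer and stripped by the matching layer on the far side.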

ARP: Address Resolution Protocol to find MAC address of IP

  • used within same network

DHCP: Dynamic Host Configuration Protocol

  • assigns IP addresses, subnet masks, gateways

[Images: networking1.jpg, networking.jpg]

#ruby #rails #models #sessions #users

Dopa-Mine App

Find Ways To Integrate:

  • jQuery & AJAX calls to the front end
  • pull JSON/CSV data & represent it in the dashboard
  • create API endpoints for grabbing the daily summary?
  • chat function –> code sockets –> maybe have it make calls to a pybot api?
  • search function –> by tags/suggestions?

Steps.0

  1. Determine Models
  2. Build Schema/DB (remember join tables)
  3. Validate associations
  4. Create Sessions
  5. Write tests

To-Do Organized by Pages:

1. Home/Login

  • redirect users to last visited page if they have to login here
  • sessions controller: add timed logouts?

2. User Dashboard @ users#home

  • remove dashboard controller?
  • represent data in graphs: %/24 hours of each type of dopamine
  • add today's activities + hours
  • represent progress of the week

3.

TO DO: map all the routes > models > views

Models

User
  has_and_belongs_to_many :activities
  has_many :comments

rails generate model User username:string email:string password_digest:string

Followed by rails db:migrate

Activity
  has_and_belongs_to_many :users
  has_many :dopamine_points
  has_many :comments

DopaminePoints
  belongs_to :activity
  belongs_to :user

Comment
  belongs_to :commented_on, polymorphic: true
  belongs_to :user

Rolling back migrations:

  • using rails db:rollback STEP=3 will roll back the database migration, but it will not remove the generated models nor the migration schema instructions, so you will have to manually alter those to reflect the true database schema required.

Object syntax notes

@user object is initialized by User.new class + method

In console: Activity.find(1)

#bash #scripting #bashsyntax #UofTBootCamp #homework

Takeaways

  • quotes around the array in a for loop is best practice:

Without them, the for loop will break up the array by substrings separated by any spaces within the strings instead of by whole string elements within the array. I.e., if you had `declare -a arr=("element 1" "element 2" "element 3")`, then `for i in ${arr[@]}` would mistakenly iterate 6 times since each string becomes 2 substrings separated by the space in the string, whereas `for i in "${arr[@]}"` would iterate 3 times, correctly, as desired, maintaining each string as a single unit despite having a space in it.

  • you can only capture with echo. Using return is the same as exit (so you can only capture the exit code)

Syntax Quickies

quick init + iteration

```bash
read -a arr <<< "one two three"
# quote the expansion so elements containing spaces stay whole
for i in "${arr[@]}"; do
  echo "$i"
done
```

  • access elements

passing multiple arrays as arguments

```bash
# arrays are passed by name; "${!1}" expands the variable named in $1
takes_ary_as_arg() {
  declare -a argAry1=("${!1}")
  echo "${argAry1[@]}"

  declare -a argAry2=("${!2}")
  echo "${argAry2[@]}"
}

try_with_local_arys() {
  # array variables can have local scope
  local descTable=("sli4-iread" "sli4-iwrite" "sli3-iread" "sli3-iwrite")
  local optsTable=("--msix --iread" "--msix --iwrite" "--msi --iread" "--msi --iwrite")
  takes_ary_as_arg descTable[@] optsTable[@]
}

try_with_local_arys
```

#prose #writing

Crickets

My dad and I rattled down the highway in a car full of boxes packed with shirts and pants and socks and a kettle and silverware and his embarrassing records and albums full of photographs we didn’t ever look at and our cat in her cage. My bare legs stuck to the seats and made slurping sounds every time I moved. Outside the windows were green hills spotted with tipped houses, as if God himself had thrown them like dice upon the earth, and I imagined us to be pilgrims, driving our station wagon to a holy land. I wore my dad’s construction headphones for silence and he listened to Deep Purple. Every twenty minutes, he flung his packet of rolling papers in my lap. I put down my book and my flashlight, laid the paper out on the dashboard, sprinkled tobacco with my dirty fingers, pinched the corners, and felt it round into a cigarette. I looked over the racingfields as I licked it closed, put the cigarette between my lips and sucked as I set it flame, handing it to my dad as the smoke dribbled out of my mouth. Sometimes, in between drags, my dad would mumble and curse at people not there. I watched his mouth and listened to my empty headphones, and wondered if he was talking to my mother or God, if he was reciting all the prayers he should have prayed or kindnesses he should have given. I wondered if he told her cruel things and hoped that she would hear them in her heart, the way I sometimes did. Sailing through the thin darkness, we sat side by side like ghosts with a woman-shaped emptiness curled between us. My dad got a perm that summer. A divorce perm, I overheard Mrs. Walden call it when she did not know I was on the other side of the grocery aisle. He had stopped wearing his shirt that said ‘Garage’ at night while listening to Joni Mitchell albums. I had taken my mom’s leaving as an opportunity to cut short the hair she had been saving atop my head for all my fourteen years. I stood on a stool in the bathroom and cut it with her abandoned pinking shears. 
When my dad came home, he sighed like a slowly dying balloon and I wanted to paste all that severed hair back onto my head for him to pull that sigh back in. In our house there was such a silence; I felt heavy all the time. It pressed against my chest while I ate breakfast and hovered above my bed at night and some days I could feel it sitting next to me on the sofa. It was as if all her sounds had been sucked up and their echoing shells left behind. I sometimes told people that my mother had been swindled away by feminists. Like the wife two houses down from us had been, women who liberated themselves of their husbands and children and disappeared into freedom. I sometimes told tales of her wearing a wide-brimmed hat and sunglasses, and driving off to California to become a movie star or a waitress, while I stood in the driveway waving. I thought of her in bikinis hanging from strings and her hair in braids, spending her days bobbing up and down in the ocean, waiting for waves to carry her into shore. I sometimes thought, but never said, that she was dead. In my mind, I hung soft portraits of her with black-clad arms and watched her be reborn a saint, as is a habit of the dead, stitched into holiness by our false memories. I didn’t tell anyone that she left us for the pharmacist who filled her sleeping pill prescriptions and had once shown her how to give me ear drops after a summer of too much swimming, or that she told me love can die slowly and secretly, until the cold heart gets lit anew by someone else. But that’s what she said. The car slowed on a bony shoulder of the empty road, kicking up rocks until it stood still. My dad touched my headphones like he was ringing a doorbell, and when I took them off he said, “Come on out and stretch your legs. We still have hours to go.” He got out and started doing gym class stretches next to the car, raising his skinny arms to the sky. I stood there staring at him. They looked like divorce stretches to me. 
Then he got a blanket from the trunk and spread it over the hood of the car. “Hop up there so you can see the stars.” I climbed up and sat with my legs crossed, listening to the clinks and clanks of the cooling engine, wondering if this is what it would be like now, if our old silence would follow us, slide out of one of my boxes and live in our new house. Maybe it would wait for me in the bathroom, while I brushed my teeth, and press against my dad at night, in the place where my mom used to be. I wondered what kind of woman he might love soon. I thought some cruel thoughts and hoped my mom’s lit heart could feel them. My dad put two rolling papers on the blanket and filled them with tobacco. His cigarettes were much more beautiful than mine. “It’s not ladylike, but I don’t suppose you care about that,” he said, looking at my best of hair and handing me one. We lay on a blanket on the hood of the car with our backs against the windshield, looking up at the sweet round sky, under which all things lived, and the only sounds were soft exhales and small voices of crickets.


(First published in Kiss Machine 2010.)

#poetry #writing

[Image: reverse side cover]

I take one breath / mint at a time

[Images: breathmint-01 to breathmint-03, poem pages]

Drymouth (Or, Breathmint Part II)

[Images: drymouth-01 and drymouth-02, poem pages]

FRONT SIDE: https://write.as/be8c8s88q15ooa19.md

Hashing

  • creates a unique fingerprint
  • MD5

Windows vs Linux

  • SAM database vs shadow file

Salt

  • randomly generated salt value taking time/date as input
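The `openssl passwd` note earlier on this page (same password, different salt, different hash) and the Hashing/Salt bullets here are the same idea, so one added example covers both. This is not code from the original notes: it uses PBKDF2-HMAC-SHA256 from Ruby's openssl standard library rather than the MD5-crypt (`$1$`) scheme that `openssl passwd -1` produces, the salt comes from SecureRandom rather than the time/date, and the names `fingerprint`, `hash_password`, `verify_password` and `constant_time_equal?` are mine.

```ruby
# Added example (not from the notes above): a fingerprint digest vs. a salted
# password hash. Uses PBKDF2-HMAC-SHA256 from the openssl stdlib, not the
# MD5-crypt ($1$) scheme that `openssl passwd -1` produces; salts here are
# generated with SecureRandom rather than derived from the time/date.
require 'openssl'
require 'securerandom'

# A fingerprint: the same input always gives the same digest. MD5 is used only
# because the notes mention it; it is not collision resistant, so use SHA-256
# for any fingerprint that has to stand up to an adversary.
def fingerprint(data)
  OpenSSL::Digest::MD5.hexdigest(data)
end

ITERATIONS = 100_000

# Hash a password with a per-user random salt. The stored string carries the
# scheme, iteration count and salt alongside the hash, the way $1$salt$hash does,
# so verification can recompute it without any extra bookkeeping.
def hash_password(password, salt = SecureRandom.hex(16))
  dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                                length: 32, hash: "sha256")
  "pbkdf2-sha256$#{ITERATIONS}$#{salt}$#{dk.unpack1('H*')}"
end

# Recompute with the stored salt and iterations, then compare in constant time.
def verify_password(password, stored)
  _scheme, iters, salt, hex = stored.split("$", 4)
  dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iters.to_i,
                                length: 32, hash: "sha256")
  constant_time_equal?(dk.unpack1("H*"), hex)
end

# Compare without an early exit so timing does not reveal how many leading
# characters matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

if __FILE__ == $0
  puts fingerprint("hello world")
  puts hash_password("hello world", "salt-one")
  puts hash_password("hello world", "salt-two")   # same password, different hash
end
```

The two `hash_password` calls with different salts show why the salt exists: identical passwords no longer produce identical stored values, so a leaked SAM database or shadow file cannot be attacked one precomputed table at a time. The iteration count is what makes each guess expensive; the salt on its own does not slow anything down.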

commands: – `locate` @ 7:38