libcrack.so – non-sleep thinking

CodeBits CTF f200 – Extracting RSA keys

23.07.2014 (10:57 pm) – Filed under: ctf,debugging,hacking,linux ::

In this post I will describe the process of reverse engineering a Linux 64-bit ELF binary to extract an encryption key. This challenge was presented at the CodeBits CTF. The binary is available here.

NcN 2013 CTF canada write up

17.11.2013 (2:40 pm) – Filed under: ctf,debugging,hacking,linux ::

In this post I will cover the second binary challenge of the No cON Name 2013 CTF, run by the Facebook security team. The binary is available here.

This binary challenge is based on an i386 stripped ELF file which prompts for a flag:

borja@PanoramaBar $ file ./howtobasic
./howtobasic: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.26, BuildID[sha1]=4f288f1a66ad673dc50b51c7e85635358bb11da0, stripped
borja@PanoramaBar $ ./howtobasic
Facebook CTF
Enter flag: asdasdasdasd
Sorry, that is not correct.
borja@PanoramaBar $ 

NcN 2013 CTF Algeria write up

17.11.2013 (5:06 am) – Filed under: ctf,hacking,programming,scripting ::

In this post I will cover a challenge of the No cON Name 2013 CTF, run by the Facebook security team. The challenge is based on a Firefox extension which is available here.

borja@PanoramaBar $ file autologin.xpi 
autologin.xpi: Zip archive data, at least v2.0 to extract
borja@PanoramaBar $ 

NcN 2013 CTF australia bin write up

17.11.2013 (4:32 am) – Filed under: ctf,debugging,hacking ::

In this post I will cover the first binary challenge of the No cON Name 2013 CTF, run by the Facebook security team. The binary is available here.

This binary challenge is based on an i386 ELF file which prompts for a flag:

borja@PanoramaBar $ file ./derp 
./derp: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.26, BuildID[sha1]=b77361bfdab4b30a5ed258ee173fe306184a4438, not stripped
borja@PanoramaBar $ ./derp 
Facebook CTF
Enter flag: asdasdasdasd
Sorry, that is not correct.
borja@PanoramaBar $ 

OVH Dedicated Server Security Issues

14.08.2013 (10:17 pm) – Filed under: freebsd ::

I just got an OVH FreeBSD dedicated server. The first time I logged in, I noticed some issues I would like to comment on…

ebCTF bin300 write up

06.08.2013 (1:13 am) – Filed under: hacking,linux ::

In this post I will cover the third binary challenge of the Eindbazen CTF located at http://ebctf.nl/.

ebCTF bin100 write up

05.08.2013 (10:12 pm) – Filed under: debugging,hacking,linux ::

Hi people!

OHM2013 has been a great experience. I met lots of interesting people and attended tons of nice talks. While OHM2013 was underway, the people from Eindbazen set up a nice Capture The Flag.

In this post I will cover the first binary challenge of the Eindbazen CTF located at http://ebctf.nl/.

Hacking the AR-DRONE Parrot

13.10.2012 (11:36 pm) – Filed under: ar-drone,embedded,hacking,wireless ::

In this post I will talk about the Parrot AR.Drone.
These user-controlled helicopters are getting very popular, and a lot of people are flying them in city parks and gardens.

Some time ago, a friend told me he had bought one of these helicopters, so I met him and his toy to perform some investigations. I know this is nothing new, and very good presentations exist regarding UAVs (check the RootedCON 2012 presentation by Hugo Teso), but it is the first time I have seen this kind of drone in the real world :-D

First of all, these drones are controlled with an iPhone app over an open wireless connection, so evil things can happen while the drone is being operated by a legitimate user ]:-)

PF_RING + intel igb + snort + DAQ on debian

21.09.2012 (3:12 pm) – Filed under: linux,snort ::

In this article, I’m going to summarize the steps needed to build a full packet capture solution with the snort IDS and Intel NICs.

This solution is based on Luca Deri’s PF_RING, a new type of socket designed for high-speed packet capture, which snort can use through DAQ.

We will follow these steps:

  1. Download and compile PF_RING
  2. Compile the PF_RING aware network driver
  3. Compile the libpcap
  4. Download and compile DAQ
  5. Compile PF_RING DAQ module
  6. Download and compile snort against DAQ

bypassing devmem_is_allowed with kernel probes

02.09.2012 (5:09 am) – Filed under: debugging,hacking,linux,programming ::

In this article I’m going to illustrate how to read the full content of /dev/mem on Linux 3.x machines. I will bypass the function devmem_is_allowed with a kernel return probe.

Kernel probes (kprobes) are a kernel component designed for kernel developers to debug system internals. They can dynamically break into any kernel routine and modify the function’s behaviour. Kernel developers have used these probes heavily for years. Red Hat has built a user interface on top of kprobes called SystemTap.
You can find the kprobes documentation in Documentation/kprobes.txt. You should also download the article’s example files, kprobe.tgz.

NetBSD i386 shellcoding

01.09.2012 (9:58 pm) – Filed under: debugging,hacking,NetBSD ::

This article shows basic shellcoding on NetBSD/i386. I hope this won’t be the last one on exploitation of BSD architectures.
The playground is prepared with a fresh NetBSD 5.1.2 installation, virtualized with kvm.

net# uname -a
NetBSD net 5.1.2 NetBSD 5.1.2 (GENERIC) #0: Thu Feb  2 17:22:10 UTC 2012  
builds@b6.netbsd.org:/home/builds/ab/netbsd-5-1-2-RELEASE/i386/201202021012Z-obj/home/builds/ab/netbsd-5-1-2-RELEASE/src/sys/arch/i386/compile/GENERIC i386

glTail on ArchLinux

17.05.2012 (10:58 pm) – Filed under: linux,logs ::

glTail is another real-time data and statistics visualization tool, like glTrail. It draws a remote machine’s logs via OpenGL, fetching them over SSH.

Grab the gltail source code at https://github.com/Fudge/gltail.git

glTrail on ArchLinux

17.05.2012 (10:41 pm) – Filed under: linux,logs ::

glTrail is software for viewing in real time the relations and activity found in any supported log file format.

It gives a nice visualization for websites (you can easily see the most visited sections of the site), SSH connections, etc.
You can tune the log parsing by modifying the configuration file gltrail.ini.

You can grab the source code at https://github.com/Fudge/gltrail/

Install Xen on Debian wheezy

15.05.2012 (3:36 pm) – Filed under: linux ::

Quick recipe for a Xen installation on a Debian wheezy (testing) dom0

Host XEN installation

Install the packages with apt:

root@xen:~# apt-get install xen-hypervisor-4.1-amd64
root@xen:~# apt-get install xen-utils-4.1
root@xen:~# apt-get install xen-tools

After installing, a reboot is needed to boot into the new Xen kernel.

Reduce BTRFS on LVM (quick recipe)

15.05.2012 (3:26 pm) – Filed under: linux,scripting ::

This is a quick recipe for reducing a btrfs filesystem inside an LVM structure.

First we will reduce the “content” (the filesystem), then we will operate on the “container” (the logical volume).

This is the algorithm:

  1. umount /path/to/fs
  2. resize2fs /dev/mapper/vol SIZE (see man resize2fs)
  3. deactivate the volume
  4. lvreduce -L nG /dev/mapper/vol
  5. resize2fs /dev/mapper/vol nG

btrfs is currently considered “experimental”, but it has been included since the stable kernel 3.0.0. Btrfs is the GNU/Linux community’s answer to Sun Microsystems’ ZFS. You will find more info on Wikipedia:

http://es.wikipedia.org/wiki/Btrfs
http://es.wikipedia.org/wiki/ZFS_%28sistema_de_archivos%29

Sound on pfSense 2.0.1

15.05.2012 (3:14 pm) – Filed under: embedded,freebsd,pfsense ::

pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router.

I got it running on an Alix2d2 board.

[Image: Alix2d2 board]

Sometimes, with the help of a cron daemon and mpg123, I use this device as an alarm clock. I attached a USB sound card and loaded the proper kernel modules to get it working. Then I installed mpg123 from the PKG repos. As the last step, I added the “cron” package with the pfSense package manager.

PAM + barada on Debian wheezy

15.05.2012 (2:46 pm) – Filed under: android,linux ::

Barada (Barada Ain’t Respecting Any Devious Adversaries) is two-factor authentication software based on a PAM module for Linux and an Android client.

Get the software for Linux here:

http://barada.sourceforge.net/

* apt-get install libpam-barada
* apt-get install libboost-system-dev
* apt-get install libboost-filesystem-dev

Configure the PAM module. The README file contains the install instructions:

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# XXX
# adding barada
auth       sufficient   pam_barada.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so


Then, add a user with barada-add:

/usr/local/bin/barada-add <username> <pin>

PanoramaBar barada-pam-0.5 # barada-add borja 1234
Added borja with key:
8fcb943e2294f75196675cac7e6efe81

As the final step, go to the Android Market and install the Barada client.
Configure it with the key generated by barada-add. When you log into the system, PAM will ask for the code generated by the Barada Android client.

Happy login! :-D

LUKS on debian – quick recipe

26.03.2012 (6:05 pm) – Filed under: linux ::

This approach does not take LVM into consideration!

  1. Wipe the disk and check it for bad blocks
    badblocks -c 10240 -s -w -t random -v /dev/sdb

  2. Install the software
    apt-get install cryptsetup

  3. Create a partition
    fdisk /dev/sdb

  4. Create the encrypted partition
    cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb1

  5. Unlock the encrypted partition
    cryptsetup luksOpen /dev/sdb1 disco_cifrado

  6. Create a FS within the encrypted partition
    mkfs.ext3 -j -m1 -O dir_index,filetype,sparse_super /dev/mapper/disco_cifrado

  7. Mount the encrypted partition
    mount /dev/mapper/disco_cifrado /mnt/cifrado

  8. Unmount the encrypted partition
    umount /mnt/cifrado

  9. Lock the encrypted partition
    cryptsetup luksClose disco_cifrado

Installing Tor + Polipo in pfsense 2.0

25.02.2012 (6:30 am) – Filed under: embedded,freebsd,pfsense ::

In this post, I’m going to cover the installation of Tor on an Alix 2d2 running pfSense.

The method I will use is installation via package binaries (just like on a default FreeBSD system). The FreeBSD package site I will use is located at ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/

Let’s do it!!

x86_64 format string bugs

21.02.2012 (3:23 am) – Filed under: debugging,hacking,linux,programming ::

This article is about exploiting format string bugs on x86_64. Knowledge of exploitation on i386 is required (I’m not going to stop and explain anything, sorry :-P).

To begin, take the following vulnerable program, compile it and start gdb: