From fd98666abb1b6f62ff54def8710aa66290aca87b Mon Sep 17 00:00:00 2001 From: jdr776 Date: Fri, 6 Sep 2019 14:24:52 -0400 Subject: [PATCH 1/7] completed assignment 1 --- week/1/writeup/README.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/week/1/writeup/README.md b/week/1/writeup/README.md index f1f8619..7436022 100644 --- a/week/1/writeup/README.md +++ b/week/1/writeup/README.md 
@@ -1,18 +1,25 @@ # Writeup 1 - Ethics -Name: *PUT YOUR NAME HERE* -Section: *PUT YOUR SECTION NUMBER HERE* +Name: Josiah Rapp +Section: 0201 I pledge on my honor that I have not given or received any unauthorized assistance on this assignment or examniation. -Digital acknowledgement: *PUT YOUR NAME HERE* +Digital acknowledgement: Josiah Rapp ## Assignment Writeup ### Part 1 (25 pts) -This was done via the ELMS assignment. +This was done via the [ELMS assignment](). (we'll post an announcement when this is ready!) ### Part 2 (75 pts) -*Replace this text with your repsonse to our prompt and your ethical argument!* +My first course of action would be to inform my supervisor or boss, whoever the head of the department is. It is crucial that we keep this information internal while we discuss solutions and attempt to +address the problem. Hopefully the company I am working for cares about its' consumers, however if they do not, I would attempt to patch the exploits myself. I would only notify the public of the +security issues if my company does not delay the release or postpone it all together. I am assuming that this would get me fired from my position as ECU auditor as exposing internal information is quite +the no-no, i might even face legal consequences for doing this. Ethically speaking, I believe my employers would be more guilty than I in this situation. If they choose to ignore my warnings they are +potentially risking the lives of all their customers. The ECU is an extremely important part of the car; comparable to the 'brain' of the vehicle. + +If I were to do nothing, I would surely be held responsible for any damage, injury, or death caused by these vulnerable ECU's. My job is to audit, and if I do not do my job properly then I deserve to be +held accountable. This is quite the tragic situation, I am sure there have been many internal whistleblowers who have lost their jobs or faced legal prosecution for something like this. 
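Review bot: the added line `+This was done via the [ELMS assignment](). (we'll post an announcement when this is ready!)` has an empty link target, so it renders as a dead link; either drop the brackets until the ELMS URL exists or fill it in. Minor wording in the new Part 2 text: `its' consumers` should be `its consumers`, and `i might` needs a capital I.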
From b335614bde1da5c8348d590fb9b9869cbe86b5b6 Mon Sep 17 00:00:00 2001 From: jdr776 <37964865+jdr776@users.noreply.github.com> Date: Fri, 20 Sep 2019 18:08:44 -0400 Subject: [PATCH 2/7] broken git my git won't let me pull the master branch... this is how I'm submitting it, hopefully you can see my files when you pull my branch for grading --- hw3_writeup.md | 15 +++++++++++++++ hw3_writeup.txt | 15 +++++++++++++++ 2 files changed, 30 insertions(+) create mode 100644 hw3_writeup.md create mode 100644 hw3_writeup.txt diff --git a/hw3_writeup.md b/hw3_writeup.md new file mode 100644 index 0000000..8fe0697 --- /dev/null +++ b/hw3_writeup.md 
@@ -0,0 +1,15 @@ +Part 1 +Since some of these questions can be grouped together based on topic. Mother’s maiden name, city of birth, first pet all pertain to personal information about his mother, while browser and PIN number are more technical questions. With these groupings, I will try and impersonate three different fake employees. The first employee I will impersonate is a government consensus employee, calling about data that they lost regarding Eric’s mother. I will start the social engineering by saying his mother was not picking up my calls and I figured her son might be the next best bet. I will initiate this call from a business park building, probably in the lobby. Hopefully the background noise will make it seem like I am actually in a government office building or something like that. I won't dive into the information right away, but start by being very cordial, asking him about his day what he does for a living etc. to ease him into the conversation and make my voice somewhat familiar to him. I would disclose some information about myself, maybe even give accurate information about my city of residence and my personal relationships. Then I would start asking him to assist me fill in the blanks on this fake form: + +“My records show we’re missing information about your father’s middle name and... your mother’s maiden name. Could you provide me with both of those?”, I will ask about his father to try and split his attention so he is not sure who the target information is about. +“Thank you for your response! Now were your parents born in the same town? It says here that they were but I am not sure I can trust much of this information considering how much of it we’re missing [forced laugh]” HOPEFULLY Eric’s parents were born in different towns and he will respond with “no”. From there I would ask him to provide both of his parents' hometowns. + +The pet question is honestly very tricky. My gut reaction is to actually call his mother. 
Doing this would require me to obtain his mother’s personal phone number from him: “Thank you for your time Eric, I really appreciate it. I am going to try to call [Insert mother’s name here] again and verify this information with her... maybe I have the wrong number to reach her at. [Read off a fake number with the same area code that his mother is from] is this correct?” At this point I would assume he would correct me with the actual number. “Oh wow ok, way off. I’ll run this all by her right now, thanks again!” then end the call. I would take on another identity as an overly amiable petsmart employee and call his mother. “Good morning/evening Mrs Norman, this is Josiah from petsmart calling about a new initiative that petsmart is taking on! We are working with [local pound name] to sponsor and name some of their new furry friends! Now you do not have to pay money if you don't want to but we would like your suggestions for naming! I usually ask for about 3 names and I have a prompt here so it’s not too hard for you to come up with names on the spot! Your favorite flavor of ice cream, your very first pet's name, and your favorite fruit!” This prompt should distract her enough not to question the legitimacy of the entire situation and also give me the answer I am looking for. +My next and final identity I would take on is a GeekSquad employee who has been fake commissioned by Eric Norman to help improve his mother’s internet speed. (warning: this assumes his mother is technologically inept, please don't test run this prompt with a tech savvy mother). Using the phone number I received earlier from Eric, I would call his mother a few days, or even a week or two, later from a spoofed number: +“Your son had me call about your internet speeds, he told me that on his last visit (banking on Eric being a good son who visits his mother) he thought the wifi was quite slow. 
I won't take too much of your time, I would just like to test a few things over the phone” Ask her the typical questions, “is your router on?” “are you using a wireless connection or wired?” and the big one “what browser are you using?” +From there I would use a fake site that I developed, which looks like a GeekSquad official frontend connected to a backend that’s stood up on one of my numerous hacker VM’s i have set up in my house. What this website will do is take 3 inputs from the user and generate a randomly shuffled string with all 3 of the inputs and display it for the user. However, what it also does is store each of these 3 inputs, one of which will be her PIN. “Mrs Norman, for safety’s sake I believe we should probably reset your WiFi password, from what I am seeing it looks like someone might be leeching off your network and slowing it down.” I would then have her go to the website: “I am going to provide you with a website GeekSquad developed themselves which assists in coming up with very intricate and hard to crack passwords. Just fill out the 3 fields shown on the site and it will spit out a password for you” + +Part 2 +The first vulnerability I noticed was the strength of the user passwords. Websites like perspectiverisk.com, who do vulnerability scans on company and private networks, report that one of their most commonly found vulnerability’s are weak passwords. Perspectiverisk, along with many other security companies, suggest having an improved threshold for weak passwords. Instead of just a capital letter and a number with 8 characters, there should be more intricacies added in order to keep a standard across the board. Experts recommend using a passphrase, like a sentence commonly said around the house, as brute force attempts take exponentially longer time to crack when there are spaces involved. +The second vulnerability I picked up are the potential for SQL injections. 
Much of the network had no protection against SQL injections; one DROP TABLE could spell disaster for your network. ESecurity Planet and CMSC330 offer a few solutions for this, one of which is black listing or white listing phrases. Instead of permitting a user to enter anything at all, assume that every user can be malicious and take appropriate caution. Prevent certain statements or use input validation (mysql_real_escape_string()) in order to make sure a user cannot go beyond their permissions and see stuff they’re not supposed to. +The final vulnerability, and arguably the most critical, is OS command injection (see shell shock). An attacker is permitted to enter operating system commands, giving them access to the server itself and in turn wreaking havoc. The solution to these exploits is about the same as SQL injections, as they both take place on a server. One can whitelist commands, validate inputs to prevent certain entries from executing. However, portSwigger claims that one should “Never attempting to sanitize input by escaping shell metacharacters. In practice, this is just too error-prone and vulnerable to being bypassed by a skilled attacker.” diff --git a/hw3_writeup.txt b/hw3_writeup.txt new file mode 100644 index 0000000..8fe0697 --- /dev/null +++ b/hw3_writeup.txt 
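Review bot: in Part 2 of `hw3_writeup.md`, the line `+... Prevent certain statements or use input validation (mysql_real_escape_string()) ...` conflates escaping with validation, and escaping is the weaker of the two; the standard defence against SQL injection is parameterised queries (prepared statements), with an allow-list only for the parts of a statement that cannot be parameterised. The PortSwigger quote at the end of the same hunk makes the same argument for OS command injection: escaping metacharacters is error-prone, so the code should be structured so that user input never reaches a shell at all. Spelling in the new text: `government consensus employee` should be `census`, and `most commonly found vulnerability's` should be `vulnerabilities`.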
@@ -0,0 +1,15 @@ +Part 1 +Since some of these questions can be grouped together based on topic. Mother’s maiden name, city of birth, first pet all pertain to personal information about his mother, while browser and PIN number are more technical questions. With these groupings, I will try and impersonate three different fake employees. The first employee I will impersonate is a government consensus employee, calling about data that they lost regarding Eric’s mother. I will start the social engineering by saying his mother was not picking up my calls and I figured her son might be the next best bet. I will initiate this call from a business park building, probably in the lobby. Hopefully the background noise will make it seem like I am actually in a government office building or something like that. I won't dive into the information right away, but start by being very cordial, asking him about his day what he does for a living etc. to ease him into the conversation and make my voice somewhat familiar to him. I would disclose some information about myself, maybe even give accurate information about my city of residence and my personal relationships. Then I would start asking him to assist me fill in the blanks on this fake form: + +“My records show we’re missing information about your father’s middle name and... your mother’s maiden name. Could you provide me with both of those?”, I will ask about his father to try and split his attention so he is not sure who the target information is about. +“Thank you for your response! Now were your parents born in the same town? It says here that they were but I am not sure I can trust much of this information considering how much of it we’re missing [forced laugh]” HOPEFULLY Eric’s parents were born in different towns and he will respond with “no”. From there I would ask him to provide both of his parents' hometowns. + +The pet question is honestly very tricky. My gut reaction is to actually call his mother. 
Doing this would require me to obtain his mother’s personal phone number from him: “Thank you for your time Eric, I really appreciate it. I am going to try to call [Insert mother’s name here] again and verify this information with her... maybe I have the wrong number to reach her at. [Read off a fake number with the same area code that his mother is from] is this correct?” At this point I would assume he would correct me with the actual number. “Oh wow ok, way off. I’ll run this all by her right now, thanks again!” then end the call. I would take on another identity as an overly amiable petsmart employee and call his mother. “Good morning/evening Mrs Norman, this is Josiah from petsmart calling about a new initiative that petsmart is taking on! We are working with [local pound name] to sponsor and name some of their new furry friends! Now you do not have to pay money if you don't want to but we would like your suggestions for naming! I usually ask for about 3 names and I have a prompt here so it’s not too hard for you to come up with names on the spot! Your favorite flavor of ice cream, your very first pet's name, and your favorite fruit!” This prompt should distract her enough not to question the legitimacy of the entire situation and also give me the answer I am looking for. +My next and final identity I would take on is a GeekSquad employee who has been fake commissioned by Eric Norman to help improve his mother’s internet speed. (warning: this assumes his mother is technologically inept, please don't test run this prompt with a tech savvy mother). Using the phone number I received earlier from Eric, I would call his mother a few days, or even a week or two, later from a spoofed number: +“Your son had me call about your internet speeds, he told me that on his last visit (banking on Eric being a good son who visits his mother) he thought the wifi was quite slow. 
I won't take too much of your time, I would just like to test a few things over the phone” Ask her the typical questions, “is your router on?” “are you using a wireless connection or wired?” and the big one “what browser are you using?” +From there I would use a fake site that I developed, which looks like a GeekSquad official frontend connected to a backend that’s stood up on one of my numerous hacker VM’s i have set up in my house. What this website will do is take 3 inputs from the user and generate a randomly shuffled string with all 3 of the inputs and display it for the user. However, what it also does is store each of these 3 inputs, one of which will be her PIN. “Mrs Norman, for safety’s sake I believe we should probably reset your WiFi password, from what I am seeing it looks like someone might be leeching off your network and slowing it down.” I would then have her go to the website: “I am going to provide you with a website GeekSquad developed themselves which assists in coming up with very intricate and hard to crack passwords. Just fill out the 3 fields shown on the site and it will spit out a password for you” + +Part 2 +The first vulnerability I noticed was the strength of the user passwords. Websites like perspectiverisk.com, who do vulnerability scans on company and private networks, report that one of their most commonly found vulnerability’s are weak passwords. Perspectiverisk, along with many other security companies, suggest having an improved threshold for weak passwords. Instead of just a capital letter and a number with 8 characters, there should be more intricacies added in order to keep a standard across the board. Experts recommend using a passphrase, like a sentence commonly said around the house, as brute force attempts take exponentially longer time to crack when there are spaces involved. +The second vulnerability I picked up are the potential for SQL injections. 
Much of the network had no protection against SQL injections; one DROP TABLE could spell disaster for your network. ESecurity Planet and CMSC330 offer a few solutions for this, one of which is black listing or white listing phrases. Instead of permitting a user to enter anything at all, assume that every user can be malicious and take appropriate caution. Prevent certain statements or use input validation (mysql_real_escape_string()) in order to make sure a user cannot go beyond their permissions and see stuff they’re not supposed to. +The final vulnerability, and arguably the most critical, is OS command injection (see shell shock). An attacker is permitted to enter operating system commands, giving them access to the server itself and in turn wreaking havoc. The solution to these exploits is about the same as SQL injections, as they both take place on a server. One can whitelist commands, validate inputs to prevent certain entries from executing. However, portSwigger claims that one should “Never attempting to sanitize input by escaping shell metacharacters. In practice, this is just too error-prone and vulnerable to being bypassed by a skilled attacker.” From e77c31069860128afc3bccd981fb218f54ba7073 Mon Sep 17 00:00:00 2001 From: Josiah Rapp Date: Fri, 4 Oct 2019 17:50:54 -0400 Subject: [PATCH 3/7] almost functional python stub, completed part 1 --- week/4/.DS_Store | Bin 0 -> 6148 bytes week/4/stub.py | 23 +++++++++++++++++++---- week/4/writeup/README.md | 26 ++++++++++++++++++++++---- 3 files changed, 41 insertions(+), 8 deletions(-) create mode 100644 week/4/.DS_Store 
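Review bot: `hw3_writeup.txt` is byte-for-byte identical to `hw3_writeup.md` (both hunks add the same 15 lines and both file headers show the same blob `8fe0697`), so this hunk only duplicates the previous file; keep one copy, preferably the `.md`, and drop the other so the two cannot drift apart later.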
diff --git a/week/4/.DS_Store b/week/4/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..a9012e061368708a0d8d8c5a92785d4c3f43e8d9 GIT binary patch [binary .DS_Store blob omitted] ") + if (command == "exit" or command == "quit"): + break + elif command == "help": + print("Show this help menu") + else: + execute_cmd(command) + +if '__main__' == __name__: + main() diff --git a/week/4/writeup/README.md b/week/4/writeup/README.md index 660d427..2b8a231 100644 --- a/week/4/writeup/README.md +++ b/week/4/writeup/README.md 
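Review bot: in the `week/4/stub.py` hunk the `help` branch, `+        print("Show this help menu")`, prints a placeholder instead of the help text itself; list the commands the loop understands (`exit`, `quit`, `help`, and whatever `execute_cmd` accepts) so the prompt is usable. The test `+    if (command == "exit" or command == "quit"):` reads more idiomatically as `if command in ("exit", "quit"):`. Only the tail of this hunk is visible here, so nothing above the `input` prompt could be checked.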
@@ -1,17 +1,35 @@ # Writeup 2 - Pentesting -Name: *PUT YOUR NAME HERE* -Section: *PUT YOUR SECTION NUMBER HERE* +Name: Josiah Rapp +Section: 0101 I pledge on my honor that I have not given or received any unauthorized assistance on this assignment or examination. -Digital acknowledgement: *PUT YOUR NAME HERE* +Digital acknowledgement: Josiah Rapp ## Assignment Writeup ### Part 1 (45 pts) -*Please use this space to writeup your answers and solutions (and how you found them!) for part 1.* +I found two flags: +-CMSC389R-{html_h@x0r_lulz} +-CMSC389R-{p1ng_as_a_$erv1c3} + +The first flag I obtained snooping around the HTML code of the wattsamp website. It was hidden on the home page near the end of the body element. + +The second flag I found was a little more tricky. I started my search by using the command provided 'nc wattsamp 1337' in my home terminal. I was then prompted by the server to enter an IP address to ping. I did that and obtained nothing but some ping data. I then remembered some of what we learned in lecture and also in CMSC330 about command injection. These are the commands I entered: +-'1' (i realized the field required some form of number to actually process the input) + ';ls' + I was able to successfully list all the libraries of the wattsamp server by concatenating a command after a semi-colon +-'1;ls -alh' + I added a '-alh' after the l's' in order to see permissions of the file. However, this had an unintended side effect: it displayed the last time those folders/files were editted. The home directory had the date of september 24th (last tuesday) and was the most recently updated file besides the ones that popped up with today's date. +-'1;cd home' + I cd'd into the directory however I could not list the contents. I could not figure out how to enter multiple commands, as the shell boots you after either 3 seconds or after you enter anything at all. 
But through some trial and error I was able to successfully figure out that you can enter a new command after each semi-colon. +-'1;cd home;ls' + enter the home directory then finally list the contents, which in turn displayed the flag +-'1;cd home;cat flag.txt' + the final command i entered in order to display the requested flag. + +I think Edward should really try and sanitize or whitelist his inputs. Kind of how the admin tab on the wattsamp website makes sure you have no funky or suspicious characters after the @ in the email field. This prevents any user from entering malicious code at the end of a seemingly valid input. Or you know, make a whitelist of users that can connect to his server. ### Part 2 (55 pts) From 92e95c2125bc8a1b941e8c0d5347c65f385158b6 Mon Sep 17 00:00:00 2001 From: Josiah Rapp Date: Fri, 4 Oct 2019 19:20:30 -0400 Subject: [PATCH 4/7] completed homework4 --- week/4/writeup/README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/week/4/writeup/README.md b/week/4/writeup/README.md index 2b8a231..9aec110 100644 --- a/week/4/writeup/README.md +++ b/week/4/writeup/README.md 
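Review bot: the remediation paragraph `+I think Edward should really try and sanitize or whitelist his inputs ...` has the right idea, but its last suggestion (a whitelist of users allowed to connect) does not fix the bug, it only limits who can trigger it. The command log in the same hunk (`'1;ls'`, `'1;cd home;cat flag.txt'`) shows the root cause: the server hands the entire input string to a shell. The fix is to validate the field as an IP address and reject anything else, then invoke `ping` without a shell, passing the address as a separate argument rather than splicing it into a command string. Spelling in the new text: `editted` should be `edited`, and `september` and `i` should be capitalised.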
@@ -23,7 +23,7 @@ The second flag I found was a little more tricky. I started my search by using t -'1;ls -alh' I added a '-alh' after the l's' in order to see permissions of the file. However, this had an unintended side effect: it displayed the last time those folders/files were editted. The home directory had the date of september 24th (last tuesday) and was the most recently updated file besides the ones that popped up with today's date. -'1;cd home' - I cd'd into the directory however I could not list the contents. I could not figure out how to enter multiple commands, as the shell boots you after either 3 seconds or after you enter anything at all. But through some trial and error I was able to successfully figure out that you can enter a new command after each semi-colon. + I cd'd into the directory but I could not list the contents. I could not figure out how to enter multiple commands, as the shell boots you after either 3 seconds or after you enter anything at all. But through some trial and error I was able to successfully figure out that you can enter a new command after each semi-colon. -'1;cd home;ls' enter the home directory then finally list the contents, which in turn displayed the flag -'1;cd home;cat flag.txt' 
@@ -33,4 +33,8 @@ I think Edward should really try and sanitize or whitelist his inputs. Kind of h ### Part 2 (55 pts) -*Please use this space to detail your approach and solutions for part 2. Don't forget to upload your completed source code to this /writeup directory as well!* +I wrote a script using python in order to run command injection on the wattsamp server. We had a 216 project that required us to write a shell similar to this one, except in python the syntax is much better, I referenced that a lot while I was writing. This is my second time having to write in python so i was quite confused, but found the language to be quite convenient. + +My shell takes the users input and appends a '1;' to the front of it. This is to initiate the commabnd injection, as the wattsamp server reads the number, pings it, then takes the rest of the input as a command. After the semi colon I inject the command passed into the shell so that the server will execute the command. I then concatenate a new line character at the end of the users input to complete the input. + +I could not figure out how to go about download, as you can tell by my code. I overheard some other students talking about utilizing the 'cat' function in order to basically make a copy of the requested file and put it in the local path that is passed in. However, when i attempted to implement this, I could not quite figure out how to properly pass the users requested file locations into the payload. \ No newline at end of file From b7da6f9c5d5e243aaa42151acbcfbb216c31ae10 Mon Sep 17 00:00:00 2001 From: jdr776 <37964865+jdr776@users.noreply.github.com> Date: Fri, 4 Oct 2019 19:23:26 -0400 Subject: [PATCH 5/7] Update README.md --- week/4/writeup/README.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/week/4/writeup/README.md b/week/4/writeup/README.md index 9aec110..42bd86a 100644 --- a/week/4/writeup/README.md +++ b/week/4/writeup/README.md 
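Review bot: `+... This is to initiate the commabnd injection ...` has a typo (`command`), and the hunk ends with `\ No newline at end of file`; add the trailing newline here rather than in a separate commit. The sentence `the wattsamp server reads the number, pings it, then takes the rest of the input as a command` is a precise description of the server-side defect, and it would strengthen the Part 1 recommendation to state it there as the root cause.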
@@ -18,14 +18,19 @@ I found two flags: The first flag I obtained snooping around the HTML code of the wattsamp website. It was hidden on the home page near the end of the body element. The second flag I found was a little more tricky. I started my search by using the command provided 'nc wattsamp 1337' in my home terminal. I was then prompted by the server to enter an IP address to ping. I did that and obtained nothing but some ping data. I then remembered some of what we learned in lecture and also in CMSC330 about command injection. These are the commands I entered: + -'1' (i realized the field required some form of number to actually process the input) + ';ls' I was able to successfully list all the libraries of the wattsamp server by concatenating a command after a semi-colon + -'1;ls -alh' I added a '-alh' after the l's' in order to see permissions of the file. However, this had an unintended side effect: it displayed the last time those folders/files were editted. The home directory had the date of september 24th (last tuesday) and was the most recently updated file besides the ones that popped up with today's date. + -'1;cd home' I cd'd into the directory but I could not list the contents. I could not figure out how to enter multiple commands, as the shell boots you after either 3 seconds or after you enter anything at all. But through some trial and error I was able to successfully figure out that you can enter a new command after each semi-colon. + -'1;cd home;ls' enter the home directory then finally list the contents, which in turn displayed the flag + -'1;cd home;cat flag.txt' the final command i entered in order to display the requested flag. 
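Review bot: the blank lines added here separate the entries visually, but the entries themselves are written as `-'1;ls -alh'` with no space after the hyphen, so Markdown will not render them as a list; use a space after the hyphen and put each command in backticks (for example `` - `1;ls -alh` ``), and indent the explanation lines beneath the item they belong to.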
@@ -37,4 +42,4 @@ I wrote a script using python in order to run command injection on the wattsamp My shell takes the users input and appends a '1;' to the front of it. This is to initiate the commabnd injection, as the wattsamp server reads the number, pings it, then takes the rest of the input as a command. After the semi colon I inject the command passed into the shell so that the server will execute the command. I then concatenate a new line character at the end of the users input to complete the input. -I could not figure out how to go about download, as you can tell by my code. I overheard some other students talking about utilizing the 'cat' function in order to basically make a copy of the requested file and put it in the local path that is passed in. However, when i attempted to implement this, I could not quite figure out how to properly pass the users requested file locations into the payload. \ No newline at end of file +I could not figure out how to go about download, as you can tell by my code. I overheard some other students talking about utilizing the 'cat' function in order to basically make a copy of the requested file and put it in the local path that is passed in. However, when i attempted to implement this, I could not quite figure out how to properly pass the users requested file locations into the payload. From 8b94c9fd2414046027e8f6a9c1a04fb94dccca46 Mon Sep 17 00:00:00 2001 From: Josiah Rapp Date: Fri, 11 Oct 2019 17:53:42 -0400 Subject: [PATCH 6/7] completed wu6 --- week/6/writeup/README.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/week/6/writeup/README.md b/week/6/writeup/README.md index 335d2f2..81db8f2 100644 --- a/week/6/writeup/README.md +++ b/week/6/writeup/README.md 
@@ -1,19 +1,18 @@ # Writeup 6 - Binaries I -Name: *PUT YOUR NAME HERE* -Section: *PUT YOUR SECTION NUMBER HERE* +Name: Josiah Rapp +Section: 0101 I pledge on my honor that I have not given or received any unauthorized assistance on this assignment or examination. -Digital acknowledgement: *PUT YOUR NAME HERE* +Digital acknowledgement: Josiah Rapp ## Assignment Writeup ### Part 1 (50 pts) -*Please use this space to provide flag from program* +CMSC389R-{di5a55_0r_d13} ### Part 2 (50 pts) -*Please use this space to detail your approach and solutions for part 2. Include -descriptions of checks implemented as well as your final input to produce flag.* +There were 3 checks I had to clear in order to obtain this flag. I started this process by running './crackme' to get my bearings. Nothing happened as expected and i proceeded to run binary ninja on the c file. I decided to start with the main method at the direction of one of the professors, and followed the comparison branches labled 'cmp'. From my limited 216 and 411 knowledge I was able to deduce that there were some string comparisons taking place within the last line of the main method. On an incorrect comparison, it would branch right, and a correct comparison would branch left. Obviously I wanted a correct answer so i proceeded left. Reading this block helped me understand some of what the code did: it was a lot of shifting around of registers and pointer arithmetic to pass certain variables around, but most importantly, calling a function called 'update_flag'. check1 seems to do a strcmp between some register and "Oh God". I ran './crackme "Oh God"' successfully which cleared the first check and updated the flag, which was stored in a register. Check2 required a little more thinking; i noticed there was a getenv call, but couldnt figure out why or what it did. 
Research led me to learn about environments as a whole and understand that the assembly was trying to retrieve the value of a certain environment named FOOBAR. i ran the command 'export FOOBAR = ""' (which makes a new environment) and ran './crackme' again. It did not pass the check as the value it was comparing too was incorrect, so i tried 'export FOOBAR="seye ym "'. This also did not work, i analyzed the add and comparison statements and realized that the desired string shown after the check2 call was backwards, resulting in 'export FOOBAR=" my eyes"' and cleared the check/updated the flag. check3 ran open, which opens a file named 'sesame' and reads it byte by byte, specifically with a switch statement analyzing each character of a string and comparing it to a hex value. I converted said hex value into ASCII to reveal it was equality checking " they burn". I entered 'nano sesame' into the command line, entered " they burn" into the file and saved it. I then ran './crackme "Oh God"' one last time that revealed the flag above. From d14ed2486c02caa182017e7412deda90eb5afefa Mon Sep 17 00:00:00 2001 From: Josiah Rapp Date: Fri, 18 Oct 2019 17:05:26 -0400 Subject: [PATCH 7/7] week 7 homework --- .DS_Store | Bin 0 -> 6148 bytes week/.DS_Store | Bin 0 -> 6148 bytes week/6/.DS_Store | Bin 0 -> 6148 bytes week/7/.DS_Store | Bin 0 -> 6148 bytes week/7/writeup/README.md | 18 +++++++++--------- 5 files changed, 9 insertions(+), 9 deletions(-) create mode 100644 .DS_Store create mode 100644 week/.DS_Store create mode 100644 week/6/.DS_Store create mode 100644 week/7/.DS_Store 
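Review bot: `+... i ran the command 'export FOOBAR = ""' (which makes a new environment) ...` describes a command that does not set the variable: with spaces around `=`, the shell parses `FOOBAR`, `=` and `""` as three separate arguments (bash, for example, rejects `=` as not a valid identifier), so `getenv("FOOBAR")` still returns NULL and the check fails for that reason, not because the value was wrong. The later `export FOOBAR=" my eyes"` is the correct form. Terminology: `export` sets an environment variable, not `a certain environment`. Spelling in the new text: `labled` should be `labelled`, `couldnt` should be `couldn't`, and `comparing too` should be `comparing to`.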
diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..b9328a7357e31629ac5a9bbf95918522c3b88c2b GIT binary patch [binary .DS_Store blob omitted] 
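Review bot: `.DS_Store`, `week/.DS_Store`, `week/6/.DS_Store` and `week/7/.DS_Store` are macOS Finder metadata files and carry nothing the assignment needs; drop them from this patch (and `week/4/.DS_Store` from PATCH 3/7), and add `.DS_Store` to a `.gitignore` so they stop being picked up by `git add`. Binary blobs in a writeup repository also make the history noisy to review.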
diff --git a/week/6/.DS_Store b/week/6/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..34821fcd045aed2ee8c7b1f0205a411f74265951 GIT binary patch [binary .DS_Store blob omitted] diff --git a/week/7/writeup/README.md b/week/7/writeup/README.md index 1f14e25..687410c 100644 --- a/week/7/writeup/README.md +++ b/week/7/writeup/README.md 
@@ -1,27 +1,27 @@ # Writeup 7 - Forensics I -Name: *PUT YOUR NAME HERE* -Section: *PUT YOUR SECTION NUMBER HERE* +Name: Josiah Rapp +Section: 0101 I pledge on my honor that I have not given or received any unauthorized assistance on this assignment or examination. -Digital acknowledgement: *PUT YOUR NAME HERE* +Digital acknowledgement: Josiah Rapp ## Assignment Writeup ### Part 1 (100 pts) Answer the following questions regarding [this](../image) file: -1. What kind of file is it? +1. JPEG -2. Where was this photo taken? Provide a city, state and the name of the building in your answer. +2. Chicago, Illinois, John Hancock Center -3. When was this photo taken? Provide a timestamp in your answer. +3. 2018:08:22 11:33:24 -4. What kind of camera took this photo? +4. iPhone 8 back camera 3.99mm f/1.8 -5. How high up was this photo taken? Provide an answer in meters. +5. 539.5 m Above Sea Level -6. Provide any found flags in this file in standard flag format. +6. CMSC389R--{look_I_f0und_a_str1ng} *Please use this space to provide flag from program*
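Review bot: the answer to question 6, `+6. CMSC389R--{look_I_f0und_a_str1ng}`, has a double hyphen where the flag format used in the earlier writeups (`CMSC389R-{...}`) has one; check it against the string actually recovered from the file, since grading will likely compare exact text. The template line `*Please use this space to provide flag from program*` is left in place after the answers and should be removed. For answers 2 to 5, a short note saying which metadata fields in the file each value was read from would make the forensics reproducible by the grader.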