Friday, November 30, 2018

Cracking the Perimeter and OSCE Review

After a short break from finishing up OSCP, I decided to plunge into more Offensive Security pain, and it was well worth it. With a much more focused curriculum, the Cracking the Perimeter course and the accompanying OSCE certification test was once again another amazing Offsec experience. With everything fresh in my mind, here are my personal thoughts and some advice for those who are gearing up to take the course.


General Thoughts

Offensive Security is the best at explaining things. Hands down. I had already felt this way from PWK, but all of the case studies and teachings for CTP really drove this point home. While the lab may not be nearly as extensive and immersive as the PWK course, it gives you what you need to drill in the initial material, but then it is up to you to go out on your own and find ways to practice what you have learned. In terms of value for the price you pay, some may argue that the lab is lacking, and while I am guilty of thinking this way initially, I think the way the material was presented and taught was well worth the cost and my opinion definitely changed after the course was over.

In terms of the other argument that the material is dated, who cares? I feel that this provides an awesome foundation of exploit development and arms you with the initial skills needed to grow more. You have to walk before you can run, and this course was awesome at building a base of knowledge to then take and look at more modern exploitation techniques.

I would definitely recommend this course to anyone who is interested in exploit development and advanced penetration testing techniques.

The Examination

For the OSCE exam you get a full 48 hours to complete the challenges, and an additional 24 hours to turn in the report. It sounds like a lot of time, but with proper rest and other functions necessary to keep your mind healthy and on point, I would say it is the perfect amount of time. The pressure is still very real, but I did not feel strapped for time.

My exam started at 2PM, and I used most of the given time to complete all challenges and ensure I had everything needed for report documentation. This time frame included maintaining a schedule of breaks, which also contained some thinking time at the gym to overcome some of Offsec's usual curveballs. I had secured enough points to pass early on, but I strove for full completion of all objectives, which I was able to do. After completing my report and turning it in, I was happily greeted with an email about a day later stating that I had passed.

It was definitely a challenging exam, but as long as you take the time to exercise what you learned during the course on other things (see below), you will be in tip-top shape for the test. I would say that the real hold-ups for me were constant typos and other silly blunders that cost me a lot of time. It's hard to stay calm when you have epiphanies during the test, nerves are making you jittery, and adrenaline is rushing because its go-time, so if you run into a similar situation, try to stop for a moment to catch a breath.

Pre-course Knowledge / Preparation 

Everyone's situation and background is different, but these are some of the things you should be comfortable with going into CTP (note that I say comfortable and not 'be a pro at'):

  • Scripting with Python
  • Assembly
  • Working knowledge of vanilla buffer overflows
  • Basic shellcoding


There have been recommendations to do SLAE before taking OSCE, and while I can see that it would definitely help, it is by no means a prerequisite. I opted to go right for OSCE. However, this all depends on how much prior exposure you have to assembly, exploitation development, and shellcoding, so YMMV.

Study Materials and Further Practice

  • Vulnserver
  • Hack the Box
    • https://www.hackthebox.eu/
    • For the web application-side of things, this is indispensable for practice. HTB has a ton of great boxes to really test out-of-the-box thinking for web application hacking.












Monday, November 19, 2018

Square CTF - Dot-n-Dash

This was a fun little programming challenge from the recent Square CTF.

We are given an html file and an encoded 'instructions.txt' file, which is a cipher of sorts containing nothing but dots and dashes.

Loading the html file shows that there is JavaScript running that can encode and decode text. Unfortunately, the developers never finished the decode function off, so it is up to us to find a way to decode the message.



Looking at the source code, we can get a better understanding of what is going on, and also strip away functions and play with the app to get a clearer picture.


function encode() {
  var t = input.value;
  if (/^[-.]+$/.test(t)) {
    alert("Your text is already e'coded!");
  } else {
    input.value = _encode(t);
  }
  return false;
}

function decode() {
  var t = input.value;
  if (/^[-.]*$/.test(t)) {
    input.value = _decode(t);
  } else {
    alert("Your text is not e'coded!");
  }
  return false;
}

function _encode(input) {
  var a=[];
  for (var i=0; i < input.length; i++) {
    var t = input.charCodeAt(i);
    for (var j=0; j<8 if="" j="" t="">> j) & 1) {
        a.push(1 + j + (input.length - 1 - i) * 8);
      }
    }
  }

  var b = [];
  while (a.length) {
    var t = (Math.random() * a.length)|0;
    b.push(a[t]);
    a = a.slice(0, t).concat(a.slice(t+1));
  }

  var r = '';
  while (b.length) {
    var t = b.pop();
    r = r + "-".repeat(t) + ".";
  }
  return r;
}

// Everything below this line was lost due to cosmis radiation. The engineer who knows
// where the backups are stored already left.
function _decode(input) {
  return "";
}


Trying to encode "a":


Trying to encode "aa":




Essentially what this code is doing is taking the input given, converting all characters in the string to a decimal value, and then determining which bits are active and creates an array based on the bit numbers that are a 1. The next part randomizes all of the numbers in the array, and then each number is represented by dashes equal to how large it is. Each number is delimited by dots.

Now that we have this information, we can create a Python script to convert the encoded instructions.txt into an array.


stri = open("instructions.txt","r").read()
stri_list = stri.split('.')
a = []
for i in stri_list[:-1]:
    #print len(i)
    a.append(len(i))
print a




While the encoder tries to make it tricky by randomizing all the numbers, the idea is that this is a very long binary string, and each "1" is being represented by a number in a total of 1296 bits, so we can sort the numbers easily.



Now it is just a matter of adding to our script to create a binary string with these numbers as the "1" and the other numbers as "0", and then convert that binary string to ASCII text. 


import binascii

stri = open("instructions.txt","r").read()
stri_list = stri.split('.')
a = []
for i in stri_list[:-1]:
    #print len(i)
    a.append(len(i))

print "Encoded array: "
print sorted(a, key=int)
print "\n"

allbits = []
for bits in range(1,1297):
    allbits.append(bits)

modbits = []
for i in allbits:
    if i in a and i in allbits:
        i=1
        modbits.append(i)
    else:
        i=0
        modbits.append(i)

binstring = ''.join(str(e) for e in modbits)

flag = int(binstring[::-1],2)
print binascii.unhexlify('%x' % flag)

Running the script and we get the flag!




























Subscribe to: Posts (Atom)
Powered by Blogger.