hugo_0.80.jasper.la.rss.xml - sfeed_tests - sfeed tests and RSS and Atom files
git clone git://git.codemadness.org/sfeed_tests
---
hugo_0.80.jasper.la.rss.xml (44024B)
---
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>jasper.la</title>
<link>https://jasper.la/</link>
<description>Recent content on jasper.la</description>
<generator>Hugo -- gohugo.io</generator>
<language>en-us</language>
<copyright>&copy; 2014 - 2020 Jasper Lievisse Adriaanse</copyright>
<lastBuildDate>Tue, 12 Jan 2021 00:00:00 +0000</lastBuildDate><atom:link href="https://jasper.la/index.xml" rel="self" type="application/rss+xml" />
<item>
<title>Holiday Hack Challenge 2020 -- KringleCon 3</title>
<link>https://jasper.la/posts/kringlecon-2020-write-up/</link>
<pubDate>Tue, 12 Jan 2021 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/kringlecon-2020-write-up/</guid>
<description>Right before the end of 2020 I completed the Holiday Hack Challenge 2020. Though it&rsquo;s obviously not the first type this conference took place, it was the first time I participated. Below is my write-up of the primary objectives along with a selection of side-challenges.
Objectives:
Uncover Santa&rsquo;s Gift List Investigate S3 Bucket Point-of-Sale Password Recovery Operate the Santavator Open HID Lock Splunk Challenge Solve the Sleigh&rsquo;s CAN-D-BUS Broken Tag Generator ARP Shenanigans Defeat Fingerprint Sensor Naughty/Nice List with Blockchain Investigation (part 1, part 2) Challenges:</description>
</item>

<item>
<title>Angr 9 SimFile without SimSymbolicMemory</title>
<link>https://jasper.la/posts/angr-9-simfile-without-simsymbolicmemory/</link>
<pubDate>Mon, 11 Jan 2021 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/angr-9-simfile-without-simsymbolicmemory/</guid>
<description>Whilst working on angr_ctf in order to properly dive into Angr, there was one exercise which required the use of a symbolic filesystem with SimFile backed by symbolic memory. This particular challenge requires a particular input to be present in the input file and as such act as the password. The filename can be quickly looked up in the binary; the contents however will be made symbolic so we can solve for that.</description>
</item>

<item>
<title>Brixel CTF 2020 write up</title>
<link>https://jasper.la/posts/brixel-ctf-2020-write-up/</link>
<pubDate>Mon, 04 Jan 2021 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/brixel-ctf-2020-write-up/</guid>
<description>This year I participated in the Brixel CTF winter edition along with another player from the Darknet Diaries Discord community. Despite some stability issues on the server side this CTF had some fun puzzles although some more challenging puzzles would be appreciated for a future installment. Below is my write up of a few of them &ndash; I ended up solving a few more but I didn&rsquo;t keep any notes on them.</description>
</item>

<item>
<title>Creating a minimal RISC-V learning environment</title>
<link>https://jasper.la/posts/creating-a-minimal-risc-v-learning-environment/</link>
<pubDate>Sat, 24 Oct 2020 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/creating-a-minimal-risc-v-learning-environment/</guid>
<description>It was while watching Bryan Cantrill&rsquo;s presentation &ldquo;The Soul of a New Machine&rdquo;1 that my interest for RISC-V was piqued. I vaguely remember looking at RISC-V a while ago but at the time hardware wasn&rsquo;t readily available unless you had an FPGA to run it on. Nowadays there&rsquo;s ample choice of both 32-bit and 64-bit hardware to buy.
No RISC, no fun First off, a very brief introduction to RISC-V and the different extensions which are available.</description>
</item>

<item>
<title>NetSetMan 4.7.1 Unicode exploit</title>
<link>https://jasper.la/posts/netsetman-unicode-exploit/</link>
<pubDate>Sat, 06 Jun 2020 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/netsetman-unicode-exploit/</guid>
<description>As part of the this course the first assignment is to create a working exploit against NetSetMan 4.7.1 using a buffer overflow vulnerability. If you wish to follow along, the installer can be found on Exploit-DB. Additionally I&rsquo;m using a Windows XP SP3 (EN) VM making this a no-ASLR, 32-bit setup.
Fuzzing Since the assignment doesn&rsquo;t state where or how to trigger the overflow we have to fuzz it first, and as it doesn&rsquo;t expose any network ports this reduces the attack surface to either importing profiles or freeform text input.</description>
</item>

<item>
<title>Compiling win32 assembly on OpenBSD</title>
<link>https://jasper.la/posts/win32-asm-on-openbsd/</link>
<pubDate>Thu, 21 May 2020 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/win32-asm-on-openbsd/</guid>
<description>Recently I&rsquo;ve finished the Practical Malware Analysis book and I&rsquo;ve wanted to familiarise myself a bit more with the Win32 API. After spending a good amount of time on setting up Visual Studio C++ for MASM (Microsoft Macro Assembler) I wanted to stab myself in the eye with a rusty fork due to the overload of visual clutter. Alas, running plain MASM on Windows 10 seems to be a no-go these days.</description>
</item>

<item>
<title>Poking old format string bugs</title>
<link>https://jasper.la/posts/poking-old-format-string-bugs/</link>
<pubDate>Thu, 23 Apr 2020 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/poking-old-format-string-bugs/</guid>
<description>Earlier this week I ran into a fairly old format string bug in the Exuberant Ctags implementation, and it turns out this particular issue was fixed back in November 2009. However it wasn&rsquo;t picked up by vendors at the time. This isn&rsquo;t a critical issue, but seeing this fixed in SVN without a proper release being made afterwards resulted in only those who decided to ship a package based on a Subversion checkout to have the fix.</description>
</item>

<item>
<title>Exploring Zyxel GS1900 firmware with Ghidra</title>
<link>https://jasper.la/posts/exploring-zyxel-gs1900-firmware-with-ghidra/</link>
<pubDate>Thu, 14 Nov 2019 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/exploring-zyxel-gs1900-firmware-with-ghidra/</guid>
<description>or, how I found multiple vulnerabilities on a lazy Sunday afternoon Earlier this year the NSA released Ghidra, a reverse engineering suite with support for a large number of CPU/MCU instruction sets. While I have some experience with Hopper and radare2 I wanted to play with Ghidra to poke around the firmware for my Zyxel GS1900-8 switch which runs on a 32-bit MIPS CPU. All in all this has turned out to be an interesting exploration of both Ghidra and the GS1900-8-2.</description>
</item>

<item>
<title>ROP Emporium - ret2csu</title>
<link>https://jasper.la/posts/ropemporium-8-ret2csu/</link>
<pubDate>Thu, 05 Sep 2019 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/ropemporium-8-ret2csu/</guid>
<description>ret2csu, the final ROP Emporium challenge. This one is GLIBC-specific but nonetheless it is a fun exercise which forces you to look beyond the standard functions which the application author wrote and instead explore other parts of the binary which are essentially provided by the ecosystem.
Exploring the binary Not much going on with this binary:
jasper@ropper:~/ropemporium/ret2csu$ checksec ret2csu [*] &#39;/home/jasper/ropemporium/ret2csu/ret2csu&#39; Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) And as expected there is no usefulFunction or usefulGadgets:</description>
</item>

<item>
<title>ROP Emporium - pivot</title>
<link>https://jasper.la/posts/ropemporium-7-pivot/</link>
<pubDate>Wed, 04 Sep 2019 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/ropemporium-7-pivot/</guid>
<description>The pivot challenge creates a situation where stack space is limited. This means that our full payload cannot be stored on the stack and instead must be located elsewhere in memory. However in order to start executing the code pointed to from the new stack we have to swap stacks! This is called pivoting and let&rsquo;s get started.
Exploring the binary The pivot binary is linked with libpivot.so:
jasper@ropper:~/ropemporium/pivot$ checksec pivot [*] &#39;/home/jasper/ropemporium/pivot/pivot&#39; Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) RPATH: &#39;.</description>
</item>

<item>
<title>ROP Emporium - fluff</title>
<link>https://jasper.la/posts/ropemporium-6-fluff/</link>
<pubDate>Mon, 02 Sep 2019 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/ropemporium-6-fluff/</guid>
<description>Fluff was a challenge that is actually challenging, up to the point where you have a realisation and from there on it&rsquo;s fairly straightforward.
Exploring the binary Nothing special going on still with this binary in terms of canaries or the likes:
[*] &#39;/home/jasper/ropemporium/fluff/fluff&#39; Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) And again usefulFunction() contains a reference to system():
[0x00400650]&gt; afl 0x004005a0 3 26 sym.</description>
</item>

<item>
<title>ROP Emporium - badchars</title>
<link>https://jasper.la/posts/ropemporium-5-badchars/</link>
<pubDate>Fri, 30 Aug 2019 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/ropemporium-5-badchars/</guid>
<description>The previous challenge taught a very important pattern of &ldquo;the mover&rdquo; by performing chunked writes of arbitrary data into memory. This next challenge deals with a illegal or bad characters. Most everyone who has written exploits before has run into them at some point. Manually searching for which bytes are considered bad can be rather time consuming so plenty of tools have incorporated automatic detection. In our case the input characters which will result in badbytes have also been provided to us to make it easier to focus on the actual exploit.</description>
</item>

<item>
<title>ROP Emporium - write4</title>
<link>https://jasper.la/posts/ropemporium-4-write4/</link>
<pubDate>Wed, 28 Aug 2019 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/ropemporium-4-write4/</guid>
<description>With basic knowledge of how the GOT and PLT work and how function calls go through them along with a basic understanding of the amd64 ABI calling convention we can start looking for real gadgets now. In fact in this assignment we&rsquo;ll look at a really helpful way of loading arbitrary data into memory.
Exploring the binary Just like before, let&rsquo;s start off by exploring the binary bit to get a feel for what we&rsquo;re dealing with here:</description>
</item>

<item>
<title>ROP Emporium - callme</title>
<link>https://jasper.la/posts/ropemporium-3-callme/</link>
<pubDate>Sat, 24 Aug 2019 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/ropemporium-3-callme/</guid>
<description>After familiarising ourselves with a simple buffer overflow in ret2win to overwrite the return address first, and then searching and using our first real gadget in split we will now focus on the Procedure Linkage Table (PLT). While here the functions that need to be called will all be using three arguments, thus exposing a little bit more of the amd64 calling convention.
Exploring the binary It should be a familiar routine by now to check the binary for any compiled-in security measures, followed by looking for strings and functions.</description>
</item>

<item>
<title>ROP Emporium - split</title>
<link>https://jasper.la/posts/ropemporium-2-split/</link>
<pubDate>Thu, 22 Aug 2019 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/ropemporium-2-split/</guid>
<description>In the previous post I tried to explain what ROP is and how I solved the ROP Emporium ret2win. This write-up will be about the second challenge: split. We&rsquo;ll look at finding our first gadget and how to go about using it in a chain.
Exploring the binary First explore the binary to see what we&rsquo;re up against:
$ rabin2 -I split | grep nx nx true $ rabin2 -z split [Strings] Num Paddr Vaddr Len Size Section Type String 000 0x000008a8 0x004008a8 21 22 (.</description>
</item>

<item>
<title>ROP Emporium - ret2win</title>
<link>https://jasper.la/posts/ropemporium-1-ret2win/</link>
<pubDate>Wed, 21 Aug 2019 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/ropemporium-1-ret2win/</guid>
<description>Over the past couple of week I&rsquo;ve set myself the goal of learning how Return Oriented Programming (ROP) really works. Coincidentally, over at Hack the Box there have recently been multiple instances where one needed to exploit a binary using ROP. Whilst doing some research on the topic I ran into ROP Emporium and this has proven to be very valuable resource. This site hosts eight challenges with an increasing level of difficulty and along the way it touches upon various concepts related to ROP and binary exploitation.</description>
</item>

<item>
<title>WireGuard on OpenBSD</title>
<link>https://jasper.la/posts/wireguard-on-openbsd/</link>
<pubDate>Thu, 16 May 2019 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/wireguard-on-openbsd/</guid>
<description>Earlier this week I imported a port for WireGuard into the OpenBSD ports tree. At the moment we have the userland daemon and the tools available. The in-kernel implementation is only available for Linux. At the time of writing there are packages available for -current.As of June 2020 support for WireGuard has been committed to the kernel as wg(4) along with support in ifconfig(8). Please see these two posts on the WireGuard mailinglist on how to set it up or how migrate from a setup as described below: setup and migrate from Linux.</description>
</item>

<item>
<title>SLAE64 - Crypter</title>
<link>https://jasper.la/posts/slae64-assignment-7/</link>
<pubDate>Fri, 25 Jan 2019 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/slae64-assignment-7/</guid>
<description>The seventh and final assignment of the SLAE64 exam states:
Create a custom crypto like the one shown in the &ldquo;crypters&rdquo; video Free to use any existing encryption schema Can use any programming language Initially I wanted to use the Tiny Encryption Algorithm but decided against it and instead chose the ChaCha20 stream cipher. The reason is that while TEA is an interesting exercise is simplicity, ChaCha20 is much more relevant today.</description>
</item>

<item>
<title>SLAE64 - Polymorphic shellcode</title>
<link>https://jasper.la/posts/slae64-assignment-6/</link>
<pubDate>Thu, 24 Jan 2019 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/slae64-assignment-6/</guid>
<description>The sixth assignment of the SLAE64 exam states:
Take up to 3 shellcodes from Shell-Storm and create polymorphic version of them to beat pattern matching The polymorphic versions cannot be larger than 150% of the original shellcode Bonus points for making it shorter in length than original When researching polymorphism one is certain to encounter the Polymorphic Shellcode Engine Using Spectrum Analysis article from Phrack Magazine.
Our polymorphic versions are a lot simpler than what is described in this seminal article.</description>
</item>

<item>
<title>SLAE64 - Metasploit analysis</title>
<link>https://jasper.la/posts/slae64-assignment-5/</link>
<pubDate>Wed, 23 Jan 2019 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/slae64-assignment-5/</guid>
<description>The fifth assignment of the SLAE64 exam states:
Take up at least 3 shellcode samples created using Msfvenom (née Msfpayload) for linux/x86_64 Use GDB to dissect the functionality of the shellcode Document your analysis One thing that immediately stands out is the relative lack in diversity when it comes to linux/x64 payloads. In the end I chose the following payloads for my analysis:
linux/x64/shell_bind_tcp_random_port linux/x64/shell_bind_tcp linux/x64/shell_reverse_tcp shell_bind_tcp_random_port The latter two payloads I chose because of how often their used and I wanted to determine what exactly they do precisely because of their popularity.</description>
</item>

<item>
<title>SLAE64 - Custom Encoder</title>
<link>https://jasper.la/posts/slae64-assignment-4/</link>
<pubDate>Tue, 22 Jan 2019 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/slae64-assignment-4/</guid>
<description>The fourth assignment of the SLAE64 exam states:
Create a custom encoding scheme like the &ldquo;insertion encoder&rdquo; we showed you PoC with using execve-stack as the shellcode to encode with your schema and execute For this assignment I wrote a script which supports two encoders and it can also help to decode shellcode.
I wrote a simple &ldquo;off-by-one&rdquo; encoder which increments each byte by 0x1. It&rsquo;s obviously a pun.</description>
</item>

<item>
<title>SLAE64 - Egg Hunter</title>
<link>https://jasper.la/posts/slae64-assignment-3/</link>
<pubDate>Mon, 21 Jan 2019 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/slae64-assignment-3/</guid>
<description>The third assignment of the SLAE64 exam states:
Study about the Egg Hunter shellcode Create a working demo of the Egg Hunter It should be configurable for different payloads I for one had not heard before of the concept of an egg hunter so a little searching around led me to a (the?) paper by skape called Safely Searching Process Virtual Address Space published in 2004.
In a nutshell an egg hunter is a piece of code that searches the virtual address space (VAS) of a process looking for a predefined marker, called an egg.</description>
</item>

<item>
<title>SLAE64 - Reverse TCP shellcode</title>
<link>https://jasper.la/posts/slae64-assignment-2/</link>
<pubDate>Sun, 20 Jan 2019 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/slae64-assignment-2/</guid>
<description>The second assignment of the SLAE64 exam states:
Create a Shell_Reverse_TCP shellcode: Reverse connects to configure IP and port Needs a &ldquo;passcode&rdquo; If passcode is correct then execute a shell Remove 0x00 from the Reverse TCP shellcode discussed in the course Reverse TCP shellcode This is quite a lot simpler than the previous exercise in that we don&rsquo;t have to bind to the socket before listening to it and accepting incoming connections.</description>
</item>

<item>
<title>SLAE64 - Bind TCP shellcode</title>
<link>https://jasper.la/posts/slae64-assignment-1/</link>
<pubDate>Fri, 18 Jan 2019 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/slae64-assignment-1/</guid>
<description>The first assignment of the SLAE64 exam states:
Create a Shell_Bind_TCP shellcode: Binds to a port Needs a &ldquo;passcode&rdquo; If passcode is correct then execute a shell Remove 0x00 from the Bind TCP shellcode discussed in the course Shell Bind TCP shellcode The first assignment is to create a shell bind TCP shellcode which requires a passcode to spawn a shell. What happens when a wrong password is entered isn&rsquo;t defined so I&rsquo;ll just exit with a non-zero return code.</description>
</item>

<item>
<title>nasm on OpenBSD</title>
<link>https://jasper.la/posts/nasm-on-openbsd/</link>
<pubDate>Tue, 15 Jan 2019 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/nasm-on-openbsd/</guid>
<description>Recently I decided to study for the SLAE64 course from Pentester Academy to work on my assembly knowledge, specifically on x86_64. Through the course does focus on Linux I want to apply the knowledge to OpenBSD/amd64 too and thus I installed NASM and looked at what I needed to adjust on my Linux samples to get it working on OpenBSD. Turns out, not that much actually!
Both operating systems use same calling convention, namely the System V AMD64 ABI.</description>
</item>

<item>
<title>Setting up NetBox on OpenBSD</title>
<link>https://jasper.la/posts/setting-up-netbox-on-openbsd/</link>
<pubDate>Sat, 12 May 2018 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/setting-up-netbox-on-openbsd/</guid>
<description>The following documents the steps needed to setup NetBox on OpenBSD. I am running NetBox on a PC Engines APU which holds up fairly well and I have since migrated my own setup from RackTables to NetBox, primarily because of the API functionality NetBox offers which allows for integration with SaltStack. But more on that some other time.
I have ported a few dependencies but gave up after realising all of the Django applications/modules needed to be ported including their dependencies.</description>
</item>

<item>
<title>Salt managed TLS files</title>
<link>https://jasper.la/posts/salt-managed-tls-files/</link>
<pubDate>Mon, 15 Jan 2018 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/salt-managed-tls-files/</guid>
<description>When managing configuration for various services, you&rsquo;ll (hopefully) end up having to install TLS certificates at some point. Instead of having to come up with the same logic in various modules, roles or formulas I&rsquo;ve had an Ansible role for a while that bundled all the logic into a single role that used the vault to obtain all certificates, keys and bundles that needed to be managed on a given node.</description>
</item>

<item>
<title>Consul with SMF on Solaris</title>
<link>https://jasper.la/posts/consul-with-smf-on-solaris/</link>
<pubDate>Tue, 28 Feb 2017 00:00:00 +0000</pubDate>

<guid>https://jasper.la/posts/consul-with-smf-on-solaris/</guid>
<description>Whilst setting up consul on SmartOS I noticed the packages distributed through pkgsrc were lagging behind a bit and the upstream &ldquo;distribution&rdquo; contains only the consul binary.
Running consul -dev in a tmux window will get boring pretty quickly, so I came up with the following SMF manifest using manifold which supports start, stop and refresh (triggers a configuration reload):