Google DMCA rabbit holes

Just a little curious exploration. I googled something, happened to notice that there was a takedown listed for that search result, so I clicked on it to see what it was. Did you know you can get the list of URLs on the takedown request by just supplying an email address?

None of this is what I was looking for, by the way. [file attached]

From Radare2 N00b to successful RE walkthrough

So a couple of us were working on a reverse engineering challenge in a CTF.

We were provided with an ELF binary and an encrypted file. The goal was apparently to decrypt the file into a .PNG, the MD5SUM of which would be the flag to solve the challenge.

A cursory look at the code, either in IDA or in radare2, clearly showed that the primary purpose of the code was to XOR the entire file with the letter A.

AHA, we thought, all we have to do is an XOR. We don’t need to RE to do that. Enter xortools, a pip-installable python module. Installed, ran xor against the file, with the output as a .PNG file. Success, it looked like. The linux “file” command recognized the new file as a PNG, and we could even browse and view the image, which is exactly what we expected to see. Excitedly, we entered the MD5 of the PNG into the flag field. NOPE. Not accepted.

So it quickly became clear that the binary was doing something hinky to the file in addition to the obvious XOR, because the XOR worked and decrypted the file into a working PNG.

So Kevin and I rolled up our sleeves and got down to some RE work in radare2. I prefer IDA because it’s so much prettier, and easier to navigate and see everything, but connecting an ELF debugger to IDA is no trivial matter, and Kevin is a whiz at radare2, so off to the races we went.

First, we identified the code segment that opens, translates (via XOR) and closes the file. I’m no genius at radare2, and time constraints prevented me from fully learning assembly, but it was clear to me that the goal was to get the binary to execute that segment, and experience had shown us that earlier tricks were just dancing around that section of the code with evil trickery.

So we followed the desired code segment backwards, and found two decision points that would normally have an opportunity to redirect program flow. We decided to change them both in a way that would guarantee program flow in our desired direction, whether that’s changing a je/jne (jump if equal, jump if not equal) to a jmp (unconditional jump), or a NOP (no operation).

After we did that, and entered the password, program flow moved as expected, and the encrypted file was successfully decrypted to a .png. Sure enough, the md5sum of the new .png was different from the one we xor’ed manually. I put the new md5sum into the flag field, and it was ACCEPTED! Yay, we won.

But I wasn’t satisfied, I wanted to know what was different between our manually-xor’ed decryption and the one that the binary did.

So I used xxd to dump the hex output of both versions of the .png to files, then ran a diff between them.

The only difference? The very last line of the new file contained the following:
0000f380: 0a .

Meaning a single character, hex 0x0A, was appended to the file, which of course changes the checksum of the entire file without distorting the image in any way.
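To make the point above concrete, here is a small Python script, added as an example and not part of the original post or the CTF binary, that reproduces the two decryption paths side by side: a plain single-byte XOR with the letter A, and the same XOR followed by an appended 0x0A. It then runs the same checks the post describes (does it look like a PNG, what is the MD5, where do the two outputs first differ). The sample ciphertext is constructed inline from a PNG-signature-shaped plaintext so the script runs offline; the helper names are my own.

```python
import hashlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
XOR_KEY = ord("A")  # the challenge binary XORs every byte with the letter A


def xor_with_key(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with a single-byte key. XOR is its own inverse,
    so the same call both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def decrypt_like_binary(ciphertext: bytes) -> bytes:
    """What the post observed the binary doing: XOR, then append one 0x0A byte."""
    return xor_with_key(ciphertext) + b"\n"


def looks_like_png(data: bytes) -> bool:
    """Same test the `file` command applies: check the 8-byte PNG signature."""
    return data.startswith(PNG_SIGNATURE)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def first_difference(a: bytes, b: bytes):
    """Byte-level equivalent of diffing two xxd dumps.

    Returns (offset, byte_in_a, byte_in_b) for the first mismatch, or None if
    the inputs are identical. A trailing extra byte in b shows up as
    (len(a), None, that_byte), which is exactly the 0a the post found."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return (i, x, y)
    if len(a) != len(b):
        i = min(len(a), len(b))
        return (i, a[i] if i < len(a) else None, b[i] if i < len(b) else None)
    return None


# Constructed sample (not the real challenge file): PNG signature, the start of
# an IHDR chunk, and some filler bytes, "encrypted" the way the binary does it.
SAMPLE_PLAINTEXT = PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR" + bytes(range(16))
SAMPLE_CIPHERTEXT = xor_with_key(SAMPLE_PLAINTEXT)


def compare_decryptions(ciphertext: bytes = SAMPLE_CIPHERTEXT) -> dict:
    """Run both decryption paths and report the checks from the writeup."""
    manual = xor_with_key(ciphertext)           # what xortools produced
    from_binary = decrypt_like_binary(ciphertext)  # what the patched binary produced
    return {
        "manual_is_png": looks_like_png(manual),
        "binary_is_png": looks_like_png(from_binary),
        "manual_md5": md5_hex(manual),
        "binary_md5": md5_hex(from_binary),
        "hashes_match": md5_hex(manual) == md5_hex(from_binary),
        "first_difference": first_difference(manual, from_binary),
    }


if __name__ == "__main__":
    for name, value in compare_decryptions().items():
        print(f"{name}: {value}")
```

Both outputs pass the PNG signature check and decode to the same picture, because PNG decoders stop at the IEND chunk and ignore anything after it; only the MD5 over the whole file notices the extra byte. That is why "file says PNG and the image renders" is not a sufficient test when the flag is a checksum of the exact output.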

Let’s go back to the code and see if we can figure out why it does that.

Nope. No idea. Guess I’m still a noob. But we solved the challenge, and I learned some things about navigating radare2 and focusing and recognizing what’s going on in the program flow, and that’s what counts, right?

Review: Mayan EDMS

I was feeling like I would literally drown in paperwork. Stacks and stacks of unfiled documents. Statements, legal documents, mortgage paperwork, car loans, instructions, you name it.

I had been looking casually for years for a solution to paper clutter. I always felt like just a shared drive was somehow insufficient. Sure you can store things in folders and name them properly, but that’s not enough — for me, anyway.

I wanted something that I could scan directly into (over the network — it has to live on a server, not on my desktop), something that I could replicate file cabinet functionality without storing the paper.

I finally got around to putting focus on it. I looked at PaperMerge. I like the layout and responsiveness of PaperMerge, but when I got to messing with the import and API upload functionality, neither one of them worked despite following the somewhat convoluted instructions to a T. Then I looked at their support page, and it really feels like it’s just one person doing the development, and that one person might be a little bit overwhelmed. There were comments about completely rewriting a portion of it, and I didn’t want any part of that. However, in PaperMerge’s own materials, a comparison is made between PM and two other products, one of which is Mayan EDMS.

I gave it a shot. I built an Ubuntu server VM, followed the detailed yet streamlined installation instructions, and it worked on the first try. I messed with the API, and it responded as expected. And then I found the import feature, and it was everything I wanted and more. I set up a Samba share on the server for the scanner (a Ricoh all-in-one) to drop files into, and started scanning. Documents started flowing into the EDMS. I created cabinets and assigned documents to cabinets. I renamed documents. Then I realized that all of those documents weren’t just being imported, they were also being OCR’d. With no additional effort on my part, I can now text search documents I scanned.

It’s not perfect. The interface gets a little bit clunky and less responsive once you have a page full of documents to display. I hope to dig in and find out if there’s a way to make that more snappy, maybe disable the previews, or reduce the number of documents per screen or something. I went to the website to see if there was a support forum — I guess I won’t be contacting THEM for support, holy crap. They want $699 per MONTH for support. It feels like a great product, but I’ll keep my eyes peeled for community support or just dig into the internals myself. Or maybe I’ll buy the book and see if I learn anything from that.

One thing I’m really curious about is whether it’s possible to have it automatically categorize/”cabinet” new documents for me during the OCR stage, based on keywords. That’d be amazing.

Oh, and it supports LDAP. That’s cool. I don’t think Papermerge does.

TryHackMe Advent of Cyber 2

So someone on my feed mentioned the TryHackMe Advent of Cyber 2 event that’s coming up, and I figured, f it, I’ve been all in on the last few events, what’s one more, right? So I looked into it…

I kinda like the idea. It’s a new challenge every day from 12/1 to xmas. Billed as “beginner-friendly” challenges, which is fine, because any practice is good practice, keep your skills fresh and all that.

I especially like TryHackMe’s platform. If you haven’t explored it yet, it works like this. When there’s a machine to attack for a challenge, they offer it as a deployable machine, on their network. The way you attack them can be either through a VPN (they will give you a personalized .ovpn file that you can drop onto your Kali box or whatever your chosen attack platform is) –OR– they will give you a fully-configured attack platform in the browser. Best of both worlds. If you’re just getting your feet wet and don’t have an attack platform set up yet, they’ve got you covered. And if you’ve got a fully-refined set of tools you’d prefer to use (and continue to refine and beef up while you’re at it), they’ve got you covered there too.

I signed up nine days ago, and I’ve already leveled up to level 5 and earned 10 badges. None of this was part of the Advent of Cyber event, this was just part of their regular offerings. I’m comfortable with the platform and ready to hit the ground running.

The other thing I like about this event is that the prizes, of which there are quite a few, are not awarded in order of performance. Instead, you get a raffle ticket for every task you complete. That means n00b hacker just getting his or her feet wet stands a reasonable chance of winning something, and it’s not all going to be locked in by the best of the best.

Hope to see some of you on the leaderboard. It starts Tuesday. Get signed in now at https://tryhackme.com and get comfortable now so you can plow through. I expect the time commitments will be light, even if you try to hit every challenge.

Modular Followup #1

Well, I can’t complain. That was a super quick delivery.

I ordered both of these things three days ago at 2:30AM.

Let’s start with the Eurorack frame from Synthrotek. For just over $30, you get top and bottom rails with channels for the included M3 Eurorack square nuts (50ish I think?), and a pair of rack ears that screw into the ends of the rails with self-tapping 10-24 machine screws. Considering that the cheapest comparable size unpowered Eurorack skiff is probably the Moog 60HP for $90, and I already have a place to rack it, I think I got a good deal.

Now, onto the Behringer CP1A Eurorack power supply. Most everywhere I looked in the US, this unit sells for over $100. However, gear4music in the UK sold it to me for $58 + like $12 shipping, and unlike China, it arrived on my doorstep in three days via DHL.

I’ve held a so-so opinion of Behringer for years due to shitty audio gear I’ve owned. Feature-poor and muddy sound. But I talked to a synth addict colleague of mine, and he says they’re making a lot of serious moves into synth territory, and becoming a respected name. And I thought, “Well, I can’t go wrong with a simple power supply, right?”

I was pleasantly surprised with the packaging, first of all. Some thought went into the internal packaging and foam design. That’s always a good sign.

Then I noticed the power supply. It came with a brick-style transformer which takes in 100-240V AC and outputs 13V DC in a standard barrel connector, but the power connector from the wall to the brick was UK AC to relatively ubiquitous C8. If I wasn’t an electronics hoarder who recently rearranged all of my power cables, I’d be in a bit of a quandary there. But of course I have a standard ungrounded US AC power to C8 cable. Not a problem at all.

The unit has two sockets for bus connectors in the rear, and they were kind enough to include two flying bus ribbon cables in the box. There’s a good chance this unit will power two racks rather than just the one I intended it for. Time will tell. Looks nice, takes up very little space, and has an on-off switch. I’m pleased. Now we wait for the modules to start arriving.

And I’m excited for how it fits into the overall plan, too…. Muahahahahahaha.

Making the jump to modular synthesis on a budget…

So within the last year, I saw the Moog Subharmonicon demos, and decided that this is something I really really wanted to experience for myself. Then, per my standard response, I went all in, obtaining the Subharmonicon, then the DFAM, then the Mother32. “But wait,” you’re thinking, “that’s not modular, that’s semimodular!” Yeah. I know. Believe me, I know. But it’s close enough to have given me the bug.

I started looking at modular setups. Going fully modular can be really, really expensive. Anything beyond a minimal setup starts at maybe $1000 and goes way, way, way up from there. It’s difficult to imagine how people afford some of the rigs they’ve put together.

But recently, Winterbloom opened up preorders for a module I’ve been watching the progress on — the Castor & Pollux module. I like it because (a) it’s unique — I don’t think there’s another module like it; (b) it has functionality I think I’ll truly enjoy, rather than just utilitarian modules that you simply have to buy if you go fully modular; and (c) it’s open — I can decide to use the ins, outs and knobs for different functionality than originally intended, and it’s DESIGNED to be that way. So I’m excited about it, and placed a preorder. Oh, and (d) it’s fucking beautiful, visually.

Here’s the difficulty. I don’t have ANY Eurorack modular gear yet, and at the very least I will need a housing and power. So I weighed my options. I could go with a Moog 60HP case that will aesthetically match the three Moog semimodulars I have now — about $90 for the case, plus the cost of a power distribution module for it. I could shell out hundreds for a powered or unpowered Eurorack skiff. I think most of them are drastically overpriced for what they are.

What I settled on was a DIY solution, which isn’t TRUE DIY, but also happens to be the best budget solution out there for getting started in Eurorack.

Years ago, I built a DIY Ikea 19″ rack. I probably posted about it here. It’s 6U of rack connected to an Ikea side table. I recently retired it and offered it to my friends, and nobody took me up on it. Good thing. When I started looking for 19″-rack compatible Eurorack housings, I found that Synthrotek offers one for just over $30. An 84HP 3U rack with ears, compatible with 19″ racks, for just $35. And then I found that Behringer offers a decent power module for Eurorack (the CP1A) which can be found for well under $100, including flying bus board and a wall wart to power it. So I get to recycle my DIY Ikea rack and start filling it with Eurorack modules as the whim hits me.

I also decided that I can’t have a Eurorack with only power and Castor & Pollux. I needed something else to round it out. So I went with another module kit that I’ve had my eye on for a while. I need a source of “randomness” that I can use with any of my semi-modular gear, because it suits my style of synthesis. So I ordered a “Sauce of Unce,” inspired by Buchla’s Source of Uncertainty. I’ll have to assemble it myself, including soldering components, but it’s worth it.

I may ditch my most recent effects pedal as well, the Source Audio Collider, in favor of a Eurorack reverb unit. Pedals take up unnecessary surface space if they’re on the desk, and you can’t see them or work them easily if they’re on the floor. I like the Collider a lot, but the available Eurorack reverbs almost had me make the jump to modular when I was making that decision. Fortunately, when you buy the good shit, it holds its value.

It’s a slippery slope, but for better or worse, I’m on it.

No Hello Kitty fobs for daughter… for now.

I recently blogged about obtaining Chinese UID-writable magic backdoor Hello Kitty MIFARE fobs to test cloning HF RFID cards. My hope was that I’d be able to clone my kid’s college card, so she wouldn’t have to dig out a card every time she enters a space, just use a fob on her keyring, just like I cloned my LF HID card to a fob for work.

At the time I ordered them, she was away at school, so I had no way of knowing what format her card was. If her student card was MIFARE, I’d probably have a fighting chance. I believe I have successfully cloned MIFARE cards. I say I believe, because I don’t have access to a testing platform until my next hotel stay.

Alas, it seems like schools (at least her school) are a bit ahead of the RFID game compared to hotels. Rather than simple MIFARE, it’s DESFire EV1 2K, and from the searching I’ve been conducting tonight, it doesn’t seem like DESFire has been cracked as far as retrieving the master key. DESFire EV1 is not bleeding edge, though. According to MIFARE, it’s not recommended for new designs. Instead, MIFARE recommends DESFire EV3.

In any case, it’s a hell of a lot of fun to learn the ins and outs of the various formats, protocols, etc., and how these cards and readers work.

I’ll keep on it on the sideburner. I suspect if I do nothing and someone cracks it, it will make its way into the PM3 firmware rather quickly.

I did read something on the forums indicating that the master key might be derived through side-channel attacks involving response speed.