evandrix


Read this first

31C3 CTF writeup


  • pwn
  • crypto
  • reversing
  • malware
  • signals
  • web

web > 5CHAN (15pts)

  • only img ids 1 through 8 inclusive are displayed
  • flag should be in img id 9
  • (image: 6web-5chan-flag.png)


How I gained access to Amazon EC2 servers from Github Search (adapted)

GitHub Search provides advanced filters that let us search for these private keys @ link.

This looks for:

  • private keys with a .pem extension
  • “BEGIN RSA PRIVATE KEY” text that marks the beginning of a private key
  • sorted by most recently indexed

Although a decent number of people have dummy keys, a large number have real pem files. In addition, there are cases in which people notice that they have accidentally pushed a private key and push a new commit stripping it. This does not prevent anyone slightly determined from finding the private key, as the original key will still exist in the git history, which is publicly accessible.

As a proof of concept to warn people of the dangers of accidentally posting sensitive information such as private keys to their GitHub repos, I attempted to gain access to Amazon EC2 servers with a couple of Bash/Python scripts by scraping GitHub...


OSX 10.9 Intel Reverse Engineering Tutorial (adapted)

Toolkit to get started

  1. gcc 4.9 + gdb 7.6 w/ ~/.gdbinit (or clang 5.0/llvm 3.3 + lldb 300.2.51)
  2. decent hex editor: 0xEd/Hex Fiend (gui) or od, chex, hexdump/hexedit (cli)
  3. diagnostics: otool/XCode, file, strings; inspect universal binary - moatool, lipo; OSX - class-dump v3.4
  4. Hopper Disassembler/IDA Pro

Mac OSX Application Architecture

Challenge.app package content structure

  • Contents
    • Info.plist
    • MacOS - contains main binary (also look for ‘Frameworks’ folder)
    • PkgInfo
    • Resources

  • Inspect if fat/universal binary (>1 arch): file <binary> or otool -h <binary>
  • Check .gdbinit via help user within gdb
  • debug by attaching to <pid>, or running live using exec-file <binary>
  • command-line arguments: set args or r/run < <input>

Basic gdb commands

  • breakpoint w/ condition
    • set: b/bp on mem loc, eg. bp 0x1234, or symbol, eg. bp [NSControl stringValue]
    • list all: bpl
    • enable/disable: bpe/bp...


CSAW CTF 2013: Web200 writeup

Nevernote - 200 Points @ https://ctf.isis.poly.edu/challenges

from: Nevernote Admin <nevernoteadmin@nevernote.com>
to: challenger@ctf.isis.poly.edu
date: Thurs, Sep 19, 2013 at 3:05 PM
subject: Help

Evil hackers have taken control of the Nevernote server and locked me out. While I'm working on restoring access, is there any way you can get in to my account and save a copy of my notes? I know the system is super secure but if anybody can do it - it's you.

Nevernote Admin


  1. Visit URL as instructed
  2. Login via SQL injection with username/password 'OR''='
  3. Using the given hint that ‘Admin’ always checks links, set up a script (I used PHP) somewhere on a public-facing server to capture the superglobals, esp. $_REQUEST, $_GET, $_POST & $_FILES, before sending a message to the Admin’s email address via the system itself
  4. One of these...
