Monday, 5 March 2018

CTF notes

Notes on doing some CTFs:

How to set up VirtualBox:

Grab an Ubuntu image from
user: osboxes

Inside the guest VM, install the OpenSSH server:
sudo apt-get install openssh-server

Open the right ports on host:
VBoxManage modifyvm asdf --natpf1 "ssh,tcp,,3022,,22"
ssh/sftp in:
ssh -p 3022 osboxes@
sftp -P 3022 osboxes@

How to wget / curl:

curl url

wget: posting data and saving/loading cookies to/from a file

wget url --post-data="password=ee&user=hr" --save-cookies sc.txt
wget url --load-cookies=sc.txt

Also don't forget the developer tools in Google Chrome.

Vulnerabilities check:

File Loading:

* Look for files that load other files or data
* Look for string replacing that can be bypassed

* Check for session state not being cleared properly.

File Execution:

* Check the execution path: Add things to the path.

Disassemble files:

* objdump -d file > raw
* gdb file
  • r (run)
  • c (continue)
  • b X (breakpoint at function X)
  • si (step one instruction forwards)
  • info registers (what is in my registers)

nginx configuration

server {
        listen 80;
        server_name_in_redirect off;
        root /srv/www/;
        access_log /srv/www/;
        error_log /srv/www/;
        rewrite  ^/$  /andyboot.html  permanent;
        rewrite ^/favicon.ico$ /img/favicon.ico last;
        # Don't expose hidden files to the web
        location ~ /\. {
                return 404;
        }
}

I want to talk about my old nginx config file.
  • server_name = what URLs it should listen to
  • root = where to serve static files from
  • rewrite = these are interesting: if a client asks for X we redirect them to Y instead. Here it was used in a desperate attempt to get more SEO juice by redirecting / to my name.

Wednesday, 7 February 2018

How to make things start automatically with upstart

To run things on boot with upstart add a conf file to /etc/init/

Here is my windowfunctions conf file on my linode:

start on runlevel [2345]
stop on runlevel [!2345]

# upstart stanza: working directory for the job (not a shell command)
chdir /home/andy/window_funcs/

script
  export PATH="/root/.cargo/bin:$PATH"
  export ROCKET_ENV="prod"
  echo "path is: $PATH"
  exec cargo +nightly run --release .
end script

To view the logs for upstart, all logs are stored in /var/log/upstart/:

cat /var/log/upstart/windowfunctions.log

Friday, 19 January 2018

Track reads & writes of a grep

Listen to read & write calls on mac:
sudo rwsnoop -n grep
Listen to read & write calls on linux (PATTERN and FILE are placeholders for the grep you want to trace):
sudo strace -e trace=read,write grep PATTERN FILE

Wednesday, 8 March 2017

To see system calls.

Primary resource for sysdig examples:

Get 5 seconds of system calls:
  • sudo timeout 5s sysdig -w hi.cap

Analyse the file (use tab completion, there are loads of them):
  • IO reads & no. of reads that failed:
    • sysdig -r hi.cap evt.type=read
    • sysdig -r hi.cap "evt.type=read and evt.failed=true" | wc -l
  • Calls to IP:
    • sysdig -r hi.cap fd.ip=IP
  • Top sys calls:
    • sysdig -r hi.cap -c topscalls
  • Speed of sys calls:
    • sysdig -c spectrogram
Or call sysdig directly without the snapshot file:
  • See http calls:
    • sudo sysdig -c httplog
  • See busy containers:
    • sudo sysdig -c topcontainers_cpu
  • See the top processes in terms of network bandwidth usage:
    • sysdig -c topprocs_net
  • View the list of containers running on the machine and their resource usage:
    • sudo csysdig -vcontainers

* sudo strace
eg: to see the calls made by a command:
* sudo strace touch foo

Monday, 6 February 2017

A hard crash / kernel panic

A run of zero bytes (NULs) in a log file indicates a massive failure when writing the log. Probably a kernel panic.

Check system level things:
* /var/log/syslog   (all logs)
* /var/log/kern.log    (kernel logs)
* dmesg    (logs of the kernel ring buffer - the IO for the kernel)

Wednesday, 26 October 2016

How to add a new volume (disk) on AWS

  • Search for the correct instance.
  • Copy the instance ID.
  • Note the zone.

SSH to box:

  • Look at currently mounted volumes:
    • ls /dev/xvd*


  • Create a volume
    • In same zone as the instance
  • Attach volume to instance
    • Choose VOL_NAME that doesn't clash with above mounted vols (just increment the letter by one).

SSH to box and mount drive:

  • sudo fdisk /dev/VOL_NAME
  • # h -> for help
  • # p -> view existing partitioning scheme
  • # default whole volume partitioning steps:
  • # 1) n
  • # 2) p
  • # 3) enter, enter, enter
  • # 4) w

Format disk

  • Note: now VOL_NAME is partitioned, the usable name will probably end in a 1
    • sudo mke2fs -t ext4 /dev/VOL_NAME1

Attach new disk:

    • sudo mkdir /NEWDIR
    • sudo mount /dev/VOL_NAME1 /NEWDIR

Now add disk to fstab:

  • We will create another line mapping the new disk
  • To see the UUID of the disk:
    • ls -l /dev/disk/by-uuid | grep VOL_NAME
  • The above is done in one command like this (tee is needed because the redirect would otherwise run without sudo):
    • echo "UUID=$(ls -l /dev/disk/by-uuid/ | grep VOL_NAME | awk '{print $9}') /NEWDIR ext4 defaults 0 2" | sudo tee -a /etc/fstab
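The same fstab step as an added example (not from the original notes): it derives the line from the by-uuid listing with an exact device match instead of a plain grep, and only appends it once. The device names, UUIDs and listing are constructed for the demo; it writes to a scratch file, not /etc/fstab.

```shell
#!/bin/sh
# Added example: build and append the fstab line for a new volume.
# Device names, UUIDs and the listing below are constructed, not real.

# fstab_line DEVICE MOUNTPOINT LISTING
#   DEVICE     partition as it appears in the symlink target, e.g. xvdf1
#   MOUNTPOINT directory to mount on, e.g. /NEWDIR
#   LISTING    text of `ls -l /dev/disk/by-uuid/`
# Compares the whole symlink target, so asking for xvdf1 never also
# matches xvdf10 the way `grep xvdf1` would.  $9 is the UUID, $NF the target.
fstab_line() {
    uuid=$(printf '%s\n' "$3" | awk -v d="$1" '$NF == "../../" d { print $9 }')
    [ -n "$uuid" ] || return 1
    printf 'UUID=%s %s ext4 defaults 0 2\n' "$uuid" "$2"
}

# add_to_fstab LINE FSTAB_FILE
#   Appends LINE unless an entry for the same UUID already exists, so
#   re-running the setup does not leave duplicate mounts in fstab.
add_to_fstab() {
    key=${1%% *}                      # the leading "UUID=..." token
    if grep -q "^$key[[:space:]]" "$2" 2>/dev/null; then
        echo "already in $2: $key" >&2
        return 1
    fi
    printf '%s\n' "$1" >> "$2"
}

# Constructed listing: the root volume plus the freshly formatted xvdf1.
SAMPLE_LISTING='lrwxrwxrwx 1 root root 11 Mar  5 12:00 0c1d2e3f-0000-1111-2222-333344445555 -> ../../xvda1
lrwxrwxrwx 1 root root 11 Mar  5 12:05 9a8b7c6d-aaaa-bbbb-cccc-ddddeeeeffff -> ../../xvdf1'

# Demo against a scratch file instead of the real /etc/fstab.
demo() {
    scratch=$(mktemp)
    line=$(fstab_line xvdf1 /NEWDIR "$SAMPLE_LISTING") || return 1
    add_to_fstab "$line" "$scratch"
    add_to_fstab "$line" "$scratch" || true   # second call is a no-op
    cat "$scratch"
    rm -f "$scratch"
}

demo
```

To use it for real, feed `fstab_line` the output of `ls -l /dev/disk/by-uuid/` and pass `/etc/fstab` to `add_to_fstab` under sudo.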