BLE_CTF write up

This post contains a write-up of the Bluetooth Low Energy Capture the Flag (BLE CTF) as developed by hackgnar. The CTF teaches various core concepts of Bluetooth LE. A more advanced version is now available too, the BLE_CTF_INFINITY. Prerequisites After building and flashing the CTF to the target device (see the documentation for the required steps), ensure the bluetooth service is running using systemctl start bluetooth. Next verify the target device is discoverable: sudo hcitool lescan should return an entry like this: 30:AE:A4:26:2B:E6 BLECTF.

Using LLDP to deliver XSS payloads to Zyxel GS1900

Earlier this year I took a closer look again at the Zyxel GS1900-8 switch. Last time I mainly looked at the firmware itself, however this time I took a closer look at a different vector to test this device. Link Layer Discovery Protocol (LLDP) Based on an educated guess I started poking around the LLDP pages on the web interface. LLDP is a layer 2 network protocol described in IEEE 802.

Holiday Hack Challenge 2020 – KringleCon 3

Right before the end of 2020 I completed the Holiday Hack Challenge 2020. Though it’s obviously not the first time this conference took place, it was the first time I participated. Below is my write-up of the primary objectives along with a selection of side-challenges. Objectives: Uncover Santa’s Gift List, Investigate S3 Bucket, Point-of-Sale Password Recovery, Operate the Santavator, Open HID Lock, Splunk Challenge, Solve the Sleigh’s CAN-D-BUS, Broken Tag Generator, ARP Shenanigans, Defeat Fingerprint Sensor, Naughty/Nice List with Blockchain Investigation (part 1, part 2). Challenges:

Angr 9 SimFile without SimSymbolicMemory

Whilst working on angr_ctf in order to properly dive into Angr, there was one exercise which required the use of a symbolic filesystem with SimFile backed by symbolic memory. This particular challenge requires a particular input to be present in the input file and as such act as the password. The filename can be quickly looked up in the binary; the contents however will be made symbolic so we can solve for that.

Brixel CTF 2020 write up

This year I participated in the Brixel CTF winter edition along with another player from the Darknet Diaries Discord community. Despite some stability issues on the server side this CTF had some fun puzzles, although some more challenging puzzles would be appreciated for a future installment. Below is my write-up of a few of them – I ended up solving a few more but I didn’t keep any notes on them.

Creating a minimal RISC-V learning environment

It was while watching Bryan Cantrill’s presentation “The Soul of a New Machine” that my interest in RISC-V was piqued. I vaguely remember looking at RISC-V a while ago but at the time hardware wasn’t readily available unless you had an FPGA to run it on. Nowadays there’s ample choice of both 32-bit and 64-bit hardware to buy. No RISC, no fun First off, a very brief introduction to RISC-V and the different extensions which are available.

NetSetMan 4.7.1 Unicode exploit

As part of this course the first assignment is to create a working exploit against NetSetMan 4.7.1 using a buffer overflow vulnerability. If you wish to follow along, the installer can be found on Exploit-DB. Additionally I’m using a Windows XP SP3 (EN) VM, making this a no-ASLR, 32-bit setup. Fuzzing Since the assignment doesn’t state where or how to trigger the overflow we have to fuzz it first, and as it doesn’t expose any network ports this reduces the attack surface to either importing profiles or freeform text input.

Compiling win32 assembly on OpenBSD

Recently I’ve finished the Practical Malware Analysis book and I’ve wanted to familiarise myself a bit more with the Win32 API. After spending a good amount of time on setting up Visual Studio C++ for MASM (Microsoft Macro Assembler) I wanted to stab myself in the eye with a rusty fork due to the overload of visual clutter. Alas, running plain MASM on Windows 10 seems to be a no-go these days.

Poking old format string bugs

Earlier this week I ran into a fairly old format string bug in the Exuberant Ctags implementation, and it turns out this particular issue was fixed back in November 2009. However it wasn’t picked up by vendors at the time. This isn’t a critical issue, but because it was fixed in SVN without a proper release being made afterwards, only those who decided to ship a package based on a Subversion checkout got the fix.

Exploring Zyxel GS1900 firmware with Ghidra

or, how I found multiple vulnerabilities on a lazy Sunday afternoon Earlier this year the NSA released Ghidra, a reverse engineering suite with support for a large number of CPU/MCU instruction sets. While I have some experience with Hopper and radare2 I wanted to play with Ghidra to poke around the firmware for my Zyxel GS1900-8 switch which runs on a 32-bit MIPS CPU. All in all this has turned out to be an interesting exploration of both Ghidra and the GS1900-8-2.

ROP Emporium - ret2csu

ret2csu, the final ROP Emporium challenge. This one is GLIBC-specific but nonetheless it is a fun exercise which forces you to look beyond the standard functions which the application author wrote and instead explore other parts of the binary which are essentially provided by the ecosystem. Exploring the binary Not much going on with this binary: jasper@ropper:~/ropemporium/ret2csu$ checksec ret2csu [*] '/home/jasper/ropemporium/ret2csu/ret2csu' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) And as expected there is no usefulFunction or usefulGadgets:

ROP Emporium - pivot

The pivot challenge creates a situation where stack space is limited. This means that our full payload cannot be stored on the stack and instead must be located elsewhere in memory. However in order to start executing the code pointed to from the new stack we have to swap stacks! This is called pivoting, so let’s get started. Exploring the binary The pivot binary is linked with libpivot.so: jasper@ropper:~/ropemporium/pivot$ checksec pivot [*] '/home/jasper/ropemporium/pivot/pivot' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) RPATH: '.

ROP Emporium - fluff

Fluff was a challenge that is actually challenging, up to the point where you have a realisation and from there on it’s fairly straightforward. Exploring the binary Nothing special going on still with this binary in terms of canaries or the likes: [*] '/home/jasper/ropemporium/fluff/fluff' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) And again usefulFunction() contains a reference to system(): [0x00400650]> afl 0x004005a0 3 26 sym.

ROP Emporium - badchars

The previous challenge taught a very important pattern of “the mover” by performing chunked writes of arbitrary data into memory. This next challenge deals with illegal or bad characters. Most everyone who has written exploits before has run into them at some point. Manually searching for which bytes are considered bad can be rather time consuming, so plenty of tools have incorporated automatic detection. In our case the input characters which will result in bad bytes have also been provided to us to make it easier to focus on the actual exploit.

ROP Emporium - write4

With basic knowledge of how the GOT and PLT work and how function calls go through them, along with a basic understanding of the amd64 ABI calling convention, we can start looking for real gadgets now. In fact in this assignment we’ll look at a really helpful way of loading arbitrary data into memory. Exploring the binary Just like before, let’s start off by exploring the binary a bit to get a feel for what we’re dealing with here:

ROP Emporium - callme

After familiarising ourselves with a simple buffer overflow in ret2win to overwrite the return address first, and then searching for and using our first real gadget in split, we will now focus on the Procedure Linkage Table (PLT). Here the functions that need to be called will all take three arguments, thus exposing a little bit more of the amd64 calling convention. Exploring the binary It should be a familiar routine by now to check the binary for any compiled-in security measures, followed by looking for strings and functions.

ROP Emporium - split

In the previous post I tried to explain what ROP is and how I solved the ROP Emporium ret2win. This write-up will be about the second challenge: split. We’ll look at finding our first gadget and how to go about using it in a chain. Exploring the binary First explore the binary to see what we’re up against: $ rabin2 -I split | grep nx nx true $ rabin2 -z split [Strings] Num Paddr Vaddr Len Size Section Type String 000 0x000008a8 0x004008a8 21 22 (.

ROP Emporium - ret2win

Over the past couple of weeks I’ve set myself the goal of learning how Return Oriented Programming (ROP) really works. Coincidentally, over at Hack the Box there have recently been multiple instances where one needed to exploit a binary using ROP. Whilst doing some research on the topic I ran into ROP Emporium and this has proven to be a very valuable resource. This site hosts eight challenges with an increasing level of difficulty and along the way it touches upon various concepts related to ROP and binary exploitation.

WireGuard on OpenBSD

Earlier this week I imported a port for WireGuard into the OpenBSD ports tree. At the moment we have the userland daemon and the tools available. The in-kernel implementation is only available for Linux. At the time of writing there are packages available for -current. As of June 2020 support for WireGuard has been committed to the kernel as wg(4) along with support in ifconfig(8). Please see these two posts on the WireGuard mailinglist on how to set it up or how to migrate from a setup as described below: setup and migrate from Linux.

SLAE64 - Crypter

The seventh and final assignment of the SLAE64 exam states: Create a custom crypto like the one shown in the “crypters” video Free to use any existing encryption schema Can use any programming language Initially I wanted to use the Tiny Encryption Algorithm but decided against it and instead chose the ChaCha20 stream cipher. The reason is that while TEA is an interesting exercise in simplicity, ChaCha20 is much more relevant today.

SLAE64 - Polymorphic shellcode

The sixth assignment of the SLAE64 exam states: Take up to 3 shellcodes from Shell-Storm and create polymorphic version of them to beat pattern matching The polymorphic versions cannot be larger than 150% of the original shellcode Bonus points for making it shorter in length than original When researching polymorphism one is certain to encounter the Polymorphic Shellcode Engine Using Spectrum Analysis article from Phrack Magazine. Our polymorphic versions are a lot simpler than what is described in this seminal article.

SLAE64 - Metasploit analysis

The fifth assignment of the SLAE64 exam states: Take up at least 3 shellcode samples created using Msfvenom (née Msfpayload) for linux/x86_64 Use GDB to dissect the functionality of the shellcode Document your analysis One thing that immediately stands out is the relative lack of diversity when it comes to linux/x64 payloads. In the end I chose the following payloads for my analysis: linux/x64/shell_bind_tcp_random_port linux/x64/shell_bind_tcp linux/x64/shell_reverse_tcp shell_bind_tcp_random_port The latter two payloads I chose because of how often they’re used, and I wanted to determine what exactly they do precisely because of their popularity.

SLAE64 - Custom Encoder

The fourth assignment of the SLAE64 exam states: Create a custom encoding scheme like the “insertion encoder” we showed you PoC with using execve-stack as the shellcode to encode with your schema and execute For this assignment I wrote a script which supports two encoders and it can also help to decode shellcode. I wrote a simple “off-by-one” encoder which increments each byte by 0x1. It’s obviously a pun.

SLAE64 - Egg Hunter

The third assignment of the SLAE64 exam states: Study about the Egg Hunter shellcode Create a working demo of the Egg Hunter It should be configurable for different payloads I for one had not heard before of the concept of an egg hunter so a little searching around led me to a (the?) paper by skape called Safely Searching Process Virtual Address Space published in 2004. In a nutshell an egg hunter is a piece of code that searches the virtual address space (VAS) of a process looking for a predefined marker, called an egg.

SLAE64 - Reverse TCP shellcode

The second assignment of the SLAE64 exam states: Create a Shell_Reverse_TCP shellcode: Reverse connects to configure IP and port Needs a “passcode” If passcode is correct then execute a shell Remove 0x00 from the Reverse TCP shellcode discussed in the course Reverse TCP shellcode This is quite a lot simpler than the previous exercise in that we don’t have to bind to the socket before listening to it and accepting incoming connections.

SLAE64 - Bind TCP shellcode

The first assignment of the SLAE64 exam states: Create a Shell_Bind_TCP shellcode: Binds to a port Needs a “passcode” If passcode is correct then execute a shell Remove 0x00 from the Bind TCP shellcode discussed in the course Shell Bind TCP shellcode The first assignment is to create a shell bind TCP shellcode which requires a passcode to spawn a shell. What happens when a wrong password is entered isn’t defined so I’ll just exit with a non-zero return code.

nasm on OpenBSD

Recently I decided to study for the SLAE64 course from Pentester Academy to work on my assembly knowledge, specifically on x86_64. Though the course does focus on Linux I want to apply the knowledge to OpenBSD/amd64 too, and thus I installed NASM and looked at what I needed to adjust on my Linux samples to get it working on OpenBSD. Turns out, not that much actually! Both operating systems use the same calling convention, namely the System V AMD64 ABI.

Setting up NetBox on OpenBSD

The following documents the steps needed to setup NetBox on OpenBSD. I am running NetBox on a PC Engines APU which holds up fairly well and I have since migrated my own setup from RackTables to NetBox, primarily because of the API functionality NetBox offers which allows for integration with SaltStack. But more on that some other time. I have ported a few dependencies but gave up after realising all of the Django applications/modules needed to be ported including their dependencies.

Salt managed TLS files

When managing configuration for various services, you’ll (hopefully) end up having to install TLS certificates at some point. Instead of having to come up with the same logic in various modules, roles or formulas I’ve had an Ansible role for a while that bundled all the logic into a single role that used the vault to obtain all certificates, keys and bundles that needed to be managed on a given node.

Consul with SMF on Solaris

Whilst setting up consul on SmartOS I noticed the packages distributed through pkgsrc were lagging behind a bit and the upstream “distribution” contains only the consul binary. Running consul -dev in a tmux window will get boring pretty quickly, so I came up with the following SMF manifest using manifold which supports start, stop and refresh (triggers a configuration reload):

<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!-- Created by Manifold -->
<service_bundle type="manifest" name="consul">
  <service name="site/consul" type="service" version="1">
    <create_default_instance enabled="true"/>
    <single_instance/>
    <dependency name="network" grouping="require_all" restart_on="error" type="service">
      <service_fmri value="svc:/milestone/network:default"/>
    </dependency>
    <dependency name="filesystem" grouping="require_all" restart_on="error" type="service">
      <service_fmri value="svc:/system/filesystem/local"/>
    </dependency>
    <method_context>
      <method_credential user="consul" group="consul"/>
    </method_context>
    <exec_method type="method" name="start" exec="/usr/local/bin/consul agent -config-dir %{config_dir}" timeout_seconds="60"/>
    <exec_method type="method" name="stop" exec=":kill" timeout_seconds="60"/>
    <exec_method type="method" name="refresh" exec=":kill -HUP" timeout_seconds="10"/>
    <property_group name="startd" type="framework">
      <propval name="duration" type="astring" value="child"/>
      <propval name="ignore_error" type="astring" value="core,signal"/>
    </property_group>
    <property_group name="application" type="application">
      <propval name="config_dir" type="astring" value="/etc/consul.

Ansible modules for SmartOS imgadm and vmadm

As mentioned in an earlier post I’d been working on two new Ansible modules; for imgadm(1M) and vmadm(1M). So here I want to demonstrate these new modules which will be part of Ansible 2.3. imgadm The imgadm module allows for managing both images and data sources. Let’s start by adding a new data source:

- name: Add datasets.at source
  imgadm:
    source: 'http://datasets.at/'
    state: present

And we can remove it just as easily:

Running Ansible in the SmartOS global zone

None of the machines I currently run SmartOS on are big enough to run SDC/Triton, so I looked at Rundeck for creating zone definitions and provisioning new zones as jobs. However Rundeck is unable to dynamically add new option fields. This is required for example in order to manage fields with an arbitrary number of keys, such as the network interfaces or disks. In the meantime I’ve wanted to be able to run Ansible on my SmartOS nodes for a while now.

Fun with Ansible variable interpolation

After losing some hair over the question how does Ansible do hiera-style %{} variable interpolation? I figured I’d jot down my findings. If nothing else, it’ll serve as a handy cheatsheet for future me. Background In Hiera one can do variable interpolation and internal lookups. So that’s Hiera calls within Hiera. Very handy to reduce duplication as it helps to compose variables out of values from other layers in your hierarchy. For example on an office level you can define your gateway, and on a node-level you can re-use the value of the gateway in your per-interface config:

OpenBSD pkg.conf installpath handling with Ansible

Probably everyone using Ansible on OpenBSD figured this out already, but I thought it was quite a nifty application of Jinja templating. The way pkg.conf is built when using multiple installpath lines is:

installpath = mirror1
installpath += mirror2

The template I settled on is:

{# Magic for handling the '=' vs '+=' #}
{% if 'installpath' in base_openbsd_pkgconf %}
{% set first = True -%}
{% for i in base_openbsd_pkgconf['installpath'] %}
installpath {% if not first %}+{% endif %}= {{ i }}
{% set first = False -%}
{% endfor -%}
{% endif -%}

Where base_openbsd_pkgconf['installpath'] is an array of mirror addresses:

Ansible pkgin module improvements

The default pkgsrc package manager for a bunch of platforms, including SmartOS, is pkgin. While working on a role for dsapid (see: Setting up a SmartOS image server) I noticed that several pieces of functionality of pkgin were not supported by the Ansible module. As a result one couldn’t use the module in a newly provisioned zone. This was due to the fact that in a fresh zone the pkgin cache is not yet populated, so installing a package would fail.

Setting up a SmartOS image server

Recently I’ve found myself in need of having a local SmartOS image server; while Joyent has a datacenter in Amsterdam, it seems that images are still pulled from the US west coast. After trying various servers and even the plain nginx setup (though that doesn’t appear to work anymore with imgadm v3), I finally ran into dsapid. After a bit of research it turns out there’s bits and pieces of documentation scattered across the web, so here’s one page which tries to bring it all together.

Docker on SmartOS, the harder way

SmartOS supports running Docker containers through Triton (SmartDataCenter). However I don’t have an entire datacenter at my disposal and the recommended specs for Triton are a bit more than the hardware I have available. I just want to run Docker containers on a single machine. A little bit of background: SmartOS supports running native Linux binaries in LX-branded zones through their Linux emulation. This is the base for regular LX-branded zones (behaves like a normal Solaris zone) and thus also allows for pulling images from the Docker Hub and running them unmodified.

Populating resolv.conf with DHCP on SmartOS zones

Recently I started to experiment with SmartOS a bit more than my initial ooh, I a working zone…it’s nice weather today. So far I cannot help but feel that SmartOS feels Just Right. At one point I needed to spin up a bunch of OS zones where I didn’t care about their IP addresses, thus setting their ip to dhcp. All went well and they got addresses and everything worked, except for DNS.

Tracking Docker Hub tags

Several times during the past weeks I’ve found myself in need of a particular tag for a Docker image on the Docker Hub. Upstream released their software and I wanted to deploy the container with the latest version. Of course you can keep reloading the Tags page to see if something new has shown up. So I wrote a little tool called docker-tags. It keeps track of images you want to follow and when asked reports either:

Mutt “end-of-year” cleaning

For some inboxes there’s no reason to keep anything beyond a certain date. For example ports-changes@ isn’t too relevant to save the emails for an extended period of time. So slowly, but very surely, that mail folder reached 30k messages. While in the past I’ve manually deleted a full year of email by putting a weight on the d key (no kidding), there had to be a simpler way. Turns out there is with tagging.

Golang cross-compiling Docker container

Creating cross-compiled binaries for Go projects is nothing new, and many projects build binaries for more than just linux/amd64, great. Some even build binaries for openbsd/amd64, even better. At the time of writing there’s no Go 1.5 port for OpenBSD yet, however there are some projects which require Go >= 1.5. E.g. filebeat. So I made a simple Docker image which provides a cross-compiler for any supported Go target, but defaulting to openbsd/amd64: jasperla/go-cross.

Dockerlint

To flex my Coffeescript muscle I wrote a tool called Dockerlint a while ago. At the time there were already several projects with this obvious name, however none actually did The Right Thing. Either they were placeholders/vaporware or they had two checks. Instead of coming up with arbitrary Dos and Don’ts, Dockerlint follows two documents as set forth by Docker Inc.: Best practices for writing Dockerfiles Dockerfile reference I try to keep up with Docker’s insane release schedule (closing in to releasing 4 new major versions each week?

Switching to Casper (sort of)

For a long time I’ve been using the Velox theme for this blog. However recently I found myself wanting to use some of the features the default Casper theme now provides. Aside from the fact a lot of work has gone into this theme over the past two years that makes it look really good, the fact that Casper is developed by the same folks who develop Ghost means that new features the Ghost platform provides are integrated into this theme, such as the You might enjoy at the bottom of this page.

OpenBSD (U)EFI bootloader howto

Here’s a quick howto of getting started with the new UEFI bootloader support in OpenBSD -current. This does assume the entire disk will be allocated by OpenBSD. Dual-booting in an UEFI setup requires extra steps which are not covered here. By far the easiest method is to copy the miniroot58.fs to a USB stick and boot from it. This already includes an EFI boot partition so to be sure the BIOS can correctly boot the new bootloader, start by disabling the Legacy boot option in the BIOS.

MPD to Sonos with Icecast

Before I switched to Sonos as my primary way of listening to audio I’ve used MPD for years. As such I collected a fair amount of audio files that Rdio, Tidal or Spotify claim I’m not allowed to stream in my region. And while Sonos is great, there’s not really a way to control it the way you can control an MPD server for which there are many clients and libraries.

Xcode/iOS license reminder

As a Homebrew user I find myself searching on how to agree to the new Xcode/iOS license after every Xcode update when I run into the following error message on brew update: Agreeing to the Xcode/iOS license requires admin privileges, please re-run as root via sudo. Error: Failure while executing: git checkout -q master So as a quick reminder for myself; this pops up the new license to agree to: sudo xcrun cc UPDATE, 23 Oct 2015: it seems that Xcode > 7.

Reinstall your iMac to fix a non-working right click

or how nuking my font caches fixed “secondary (right) click” Here’s a short tale that left me flabbergasted earlier this week. Let’s first introduce the main characters before embarking on this strange trip. First, the main character, an iMac, model “late 2013” running OS X 10.9.4, which has been loyally providing its services for about 10 months, without a single complaint. Next is the “Magic Mouse”, this device has been tied to its wireless Bluetooth leash ever since it came along with the iMac.

Portscout for OpenBSD

Portscout is a neat tool that scans an entire ports tree and then checks the upstream sites for any new releases. This tool was originally written for FreeBSD and this weekend I hacked it up to work on the OpenBSD ports tree too. Welcome, OpenBSD! While adding initial OpenBSD support was surprisingly easy once a few small issues were sorted out (use show=FOO\ BAR instead of chaining -V FOO -V BAR) I actually added some new features to it.

mPower static IP configuration

For many devices it’s nice to have them configured with DHCP, like mobile phones. But a powerbar’d better have an IP that won’t change… By default the mPower devices come with DHCP enabled (with fallback to 192.168.1.20), in this post we’ll have a look at setting a static IP address for both the mPower mini and mPower Pro devices. Now ssh into the device on their pre-configured or DHCP-obtained IP. If it’s not been connected to the mFi controller the defaults credentials are ubnt:ubnt.

Puppetized mFi controller

Recently I bought a Ubiquiti mPower which is part of their mFi-line of products for home automation. This comes with the mFi controller software which is a standalone Tomcat application used to control various mFi components. These can be smart powerbars, temperature/current/motion sensors, but also custom sensors (more on that later). Since this controller would need to be running 24/7 it seemed like a logical choice to install it on my home server and manage it with Puppet.

Prism.js additions

As mentioned before I started with programming VHDL and since I want to blog about that (among other topics), some nice syntax highlighting would help when code snippets are included. So for syntax highlighting this blog uses Prism, however it lacked support for some languages and formats I work with: Puppet — .pp Yaml (Hiera/Ansible/etc) — .yml VHDL — .vhd User constraint files — .ucf Basic definitions for these languages have been added to jasperla/prism-langs, so feel free to fork and send pull requests with any improvements.

FPGAs 101

After buying a Digilent Basys2 board last year to teach myself programming FPGAs with VHDL I never really sat down for a few hours to get to know the programming environment. Partly because coming from microcontrollers where I’d always setup a Makefile to compile my code and program the boards, learning how to use a 14.5 GB piece of software was daunting. However, recently I picked up a copy of FPGAs 101 to kickstart my venture.