May 1, 2015

How to check free disk space on an Ubuntu 14.04 machine?

$ df -h

Filesystem      Size  Used Avail Use% Mounted on
/dev/sda6       207G   48G  148G  25% /
none            4.0K     0  4.0K   0% /sys/fs/cgroup
udev            1.9G  4.0K  1.9G   1% /dev
tmpfs           384M  1.2M  383M   1% /run
none            5.0M     0  5.0M   0% /run/lock
none            1.9G   16M  1.9G   1% /run/shm
none            100M   56K  100M   1% /run/user

Feb 5, 2015

Bash script to transfer files via SCP

#!/bin/bash
REMOTE_IP="x.x.x.x"          # address of the remote host
SCP_PASSWORD="mypassword"    # plaintext password: keep this file readable only by its owner (chmod 600)
expect -c "
  set timeout 1
  spawn scp -r /Local/SourceFolder uname@$REMOTE_IP:/Remote/DestFolder
  # accept the host key on a first connection, then keep waiting for the password prompt
  expect yes/no { send yes\r ; exp_continue }
  expect password: { send $SCP_PASSWORD\r }
  # wait for the transfer to finish without a timeout, so a large copy is not cut short after 1 second
  set timeout -1
  expect 100%
  sleep 1
  exit
"
Save the above script as autoscp.sh and make it executable. SourceFolder is the local folder whose contents are sent to DestFolder on the remote host.
$ chmod +x autoscp.sh
$ ./autoscp.sh
Install expect if it is not on your machine. expect is a program that "talks" to other interactive programs according to a script; here it supplies the password when scp asks for it.
sudo apt-get install expect

Bash script to sync local & remote folder via rsync

#!/bin/bash
REMOTE_IP="x.x.x.x"          # address of the remote host
SCP_PASSWORD="mypassword"    # plaintext password: keep this file readable only by its owner (chmod 600)
#And now transfer the file over
expect -c "
  set timeout 1
  spawn rsync -azvv -e ssh /Local/SrcFolder uname@$REMOTE_IP:/Remote/DstFolder
  expect yes/no { send yes\r ; exp_continue }
  expect password: { send $SCP_PASSWORD\r }
  # wait for the transfer to finish (100% marker or end of output) without a timeout, so a long sync is not cut short
  set timeout -1
  expect 100%
  sleep 1
  exit
"
-a archive mode: recurses into directories and preserves the times, permissions and ownership of the files
-z compresses the data in transit
-vv increases the verbosity of the output
-e specifies the remote shell to use (ssh here)

Save the above script as autorsync.sh and make it executable.
Refer to the Ubuntu documentation for more details on rsync. Both scripts automate the scp and rsync transfers so that the password does not have to be typed in each time.

Scheduling these rsync and scp scripts to run periodically

Use crontab to schedule these scripts to run periodically. To edit the crontab use
crontab -e
Add the lines below
# m h  dom mon dow   command
0 * * * * cd /location/of/script;./autoscp.sh
30 * * * * cd /location/of/script;./autorsync.sh
m - minute
h - hour
dom - day of the month
mon - month
dow - day of the week
0 * * * *  runs the script at minute 0 of every hour, every day of every month.
30 * * * * runs the script at minute 30 of every hour, every day of every month.
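As an added example (not part of the original post), here is a small Python matcher for the five crontab time fields, so you can check what a line such as '0 * * * *' or '30 * * * *' actually fires on before it goes into the crontab. It goes a little beyond the two lines above and also handles '*/step', ranges and comma lists; month and day names are not supported.

```python
from datetime import datetime

# Allowed ranges for the five time fields: m h dom mon dow (dow 0 and 7 are both Sunday).
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def field_matches(spec, value, lo, hi):
    """True if one field such as '*', '*/15', '9-17', '0,30' or '5' matches value."""
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False


def cron_matches(line, when):
    """True if the crontab entry `line` fires at the datetime `when`."""
    fields = line.split(None, 5)
    if len(fields) < 6:
        raise ValueError("expected five time fields and a command: %r" % line)
    dow = when.isoweekday() % 7           # Python's 1-7 (Mon-Sun) -> cron's 0-6
    values = [when.minute, when.hour, when.day, when.month, dow]
    for spec, value, (lo, hi) in zip(fields[:5], values, FIELD_RANGES):
        # a Sunday must also satisfy a day-of-week field written as 7
        candidates = (0, 7) if hi == 7 and value == 0 else (value,)
        if not any(field_matches(spec, v, lo, hi) for v in candidates):
            return False
    return True


def fire_times(line, year, month, day):
    """Every (hour, minute) on the given date at which the entry fires."""
    return [(h, m) for h in range(24) for m in range(60)
            if cron_matches(line, datetime(year, month, day, h, m))]
```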

Aug 14, 2014

1. Check your Wifi card
Check whether your wifi card supports AccessPoint (AP) infrastructure mode
iw list
Your wifi card is good to go if the output shows something like
Supported interface modes:
   * --
   * --
   * AP
   * AP/VLAN
   * --
AP means AccessPoint (AP) infrastructure mode.

2. Install "hostapd"
The latest version was buggy at the time of writing this post, so install the previous version and put it on hold so it is not updated.
64 Bit
wget http://archive.ubuntu.com/ubuntu/pool/universe/w/wpa/hostapd_2.1-0ubuntu1.2_amd64.deb
sudo dpkg -i hostapd*.deb
sudo apt-mark hold hostapd
32 Bit
wget http://archive.ubuntu.com/ubuntu/pool/universe/w/wpa/hostapd_2.1-0ubuntu1.2_i386.deb
sudo dpkg -i hostapd*.deb
sudo apt-mark hold hostapd

3. Install dnsmasq

sudo apt-get install dnsmasq

4. Install ap-hotspot
Install ap-hotspot, a set of scripts that helps you configure the hotspot settings easily.
Download the .deb file from the below links and double click to install.
Ubuntu 12.04 - Click to download
Ubuntu 12.10 - Click to download
Ubuntu 13.04 - Click to download
Ubuntu 13.10 - Click to download
Ubuntu 14.04 - Click to download

5. Configure WiFi hotspot
sudo ap-hotspot configure

6. Start/Stop/Restart WiFi hotspot
sudo ap-hotspot start
sudo ap-hotspot stop
sudo ap-hotspot restart

7. Common Issues/Errors
Another process already running error
When you try to start ap-hotspot it says 'Another process is already running'
sudo ap-hotspot start
Another process is already running
To fix this, remove hotspot.pid from /tmp
sudo rm /tmp/hotspot.pid
sudo ap-hotspot start

Hope this helps and saves you some time.

Mar 10, 2014

Download the file and try the 'strings' command on it
#strings Forensics-6.png
....
....
1b|.
ya3 S
yr1bz
0bl0BchUnk    Flag :8bfe6a66710d9652e7fb10f19a75dd8e
%tEXtdate:create
2013-10-19T06:47:30+02:00
%tEXtdate:modify
2013-10-19T06:47:30+02:00
tEXtjpeg:colorspace
2,uU
 tEXtjpeg:sampling-factor
2x2,1x1,1x1I
KtEXtxapMM:DocumentID
adobe:docid:photoshop:6baf7f6c-0033-11da-9596-894fe830229dF
IEND

You got the flag 8bfe6a66710d9652e7fb10f19a75dd8e.
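As an added example (not part of the original write-up), the following Python walks the PNG chunk structure directly, so a hidden chunk is reported together with its chunk type and CRC state instead of being picked out of 'strings' output by eye. The sample PNG and its 'Flag :EXAMPLE_FLAG_0000' payload are constructed here and are not the challenge file.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec; anything else deserves a closer look.
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt",
                   b"tIME", b"pHYs", b"gAMA", b"sRGB", b"bKGD", b"cHRM", b"tRNS"}

def make_chunk(ctype, data):
    """Encode one chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def parse_chunks(blob):
    """Yield (type, data, crc_ok) for each chunk in order, stopping after IEND."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        if pos + 12 + length > len(blob):
            raise ValueError("truncated chunk at offset %d" % pos)
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        yield ctype, data, crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        pos += 12 + length
        if ctype == b"IEND":
            break

def suspicious_chunks(blob):
    """(type, keyword, text) for every tEXt chunk, plus any non-standard or
    CRC-damaged chunk (keyword None); payloads decoded as latin-1 for display."""
    found = []
    for ctype, data, crc_ok in parse_chunks(blob):
        if ctype == b"tEXt":
            keyword, _, text = data.partition(b"\x00")
            found.append(("tEXt", keyword.decode("latin-1"), text.decode("latin-1")))
        elif ctype not in STANDARD_CHUNKS or not crc_ok:
            found.append((ctype.decode("latin-1"), None, data.decode("latin-1")))
    return found

# Constructed sample (not the challenge file): a 1x1 grey PNG carrying a normal
# tEXt chunk and an unknown chunk type whose payload is a made-up flag string.
SAMPLE_PNG = (PNG_SIGNATURE
              + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + make_chunk(b"tEXt", b"date:create\x002013-10-19T06:47:30+02:00")
              + make_chunk(b"chUn", b"Flag :EXAMPLE_FLAG_0000")
              + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + make_chunk(b"IEND", b""))
```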
Download the file, extract it and check the file details using the 'file' command
#file four
four: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x899a337216c40966fb57583c9ff45fcac0384cbb, not stripped

It says 'not stripped', so let's try the 'strings' command, but it does not give out any flag.
Let's try executing it from the terminal
#./four
Usage: ./four 

#./four abcd
Sorry no flag for you

So our next option is to decompile it. I used IDA. The assembly code of the main function gives us a few clues on how to crack it.
 public main
.text:0804856C main proc near                      ; DATA XREF: _start+17 o
.text:0804856C
.text:0804856C arg_0= dword ptr  8
.text:0804856C arg_4= dword ptr  0Ch
.text:0804856C
.text:0804856C push    ebp
.text:0804856D mov     ebp, esp
.text:0804856F and     esp, 0FFFFFFF0h
.text:08048572 sub     esp, 10h
.text:08048575 cmp     [ebp+arg_0], 2
.text:08048579 jz      short loc_8048597
.text:0804857B mov     eax, [ebp+arg_4]
.text:0804857E mov     eax, [eax]
.text:08048580 mov     [esp+4], eax
.text:08048584 mov     dword ptr [esp], offset format ; "Usage: %s \n"
.text:0804858B call    _printf
.text:08048590 mov     eax, 1
.text:08048595 jmp     short locret_80485C8
.text:08048597 ; --------------------------------------------------------
.text:08048597
.text:08048597 loc_8048597:                          ; CODE XREF: main+D j
.text:08048597 mov     eax, [ebp+arg_4]
.text:0804859A add     eax, 4
.text:0804859D mov     eax, [eax]
.text:0804859F mov     [esp], eax
.text:080485A2 call    check_key
.text:080485A7 test    eax, eax
.text:080485A9 jnz     short loc_80485B7
.text:080485AB call    display_result
.text:080485B0 mov     eax, 0
.text:080485B5 jmp     short locret_80485C8
.text:080485B7 ; ----------------------------------------------------------
.text:080485B7
.text:080485B7 loc_80485B7:                          ; CODE XREF: main+3D j
.text:080485B7 mov     dword ptr [esp], offset s ; "Sorry no flag for you"
.text:080485BE call    _puts
.text:080485C3 mov     eax, 2
.text:080485C8
.text:080485C8 locret_80485C8:                       ; CODE XREF: main+29 j
.text:080485C8                                       ; main+49 j
.text:080485C8 leave
.text:080485C9 retn
.text:080485C9 main endp
.text:080485C9


We can see calls to a few functions such as 'check_key' and 'display_result', and 'check_key' is called before 'display_result'. So we can make a wild guess: the input we enter is validated by the 'check_key' function, and if it is correct 'display_result' is executed and gives out the key.
So we have to get execution to the 'display_result' function, but before it there is a 'JNZ' instruction. It is this line that decides, based on the result from 'check_key', whether 'display_result' runs or not.
Now, while debugging, when we reach the JNZ instruction set the Zero flag to 1 so that the jump is not taken and 'display_result' gets executed.
Luckily our guess is right and we got the flag.

Download the file, extract it and check the file details using the command 'file'.
#file three
three: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xdcc8c235853a156ab338ea9833f4a20a713d72a8, not stripped

It says the file is not stripped, so let's find the readable strings in the binary using the command 'strings'
#strings three

/lib64/ld-linux-x86-64.so.2
libc.so.6
puts
printf
strcmp
__libc_start_main
__gmon_start__
GLIBC_2.2.5
UH-P
UH-P
l$ L
t$(L
|$0H
Usage: %s 
reversing_is_super_fun
Yaay! Now submit md5 of key for points
Wrong key! Look for key again!
;*3$"

The text 'reversing_is_super_fun' looks like a flag, so let's take the md5 of that text and submit it. Yes, it works.
Download the file and extract it.
Check the file details using the command 'file'
#file two
two: compiled Java class data, version 51.0
Executing it won't help, so we move on to decompiling it. I used an online decompiler available at this link.
Upload the class file, decompile it and download the source; it will look like this.

import java.io.*;

public class challenge {
    public challenge() { }

    public static void main(String args[]) throws IOException {
        // the key, stored as bytes that are each 3 less than the real character
        Byte abyte[] = {
            Byte.valueOf((byte)106), Byte.valueOf((byte)97), Byte.valueOf((byte)50), Byte.valueOf((byte)37),
            Byte.valueOf((byte)36), Byte.valueOf((byte)103), Byte.valueOf((byte)94), Byte.valueOf((byte)115),
            Byte.valueOf((byte)94), Byte.valueOf((byte)92), Byte.valueOf((byte)96), Byte.valueOf((byte)101),
            Byte.valueOf((byte)94), Byte.valueOf((byte)105), Byte.valueOf((byte)105), Byte.valueOf((byte)98),
            Byte.valueOf((byte)107), Byte.valueOf((byte)100), Byte.valueOf((byte)98), Byte.valueOf((byte)112),
            Byte.valueOf((byte)92), Byte.valueOf((byte)94), Byte.valueOf((byte)111), Byte.valueOf((byte)98),
            Byte.valueOf((byte)92), Byte.valueOf((byte)112), Byte.valueOf((byte)113), Byte.valueOf((byte)102),
            Byte.valueOf((byte)105), Byte.valueOf((byte)105), Byte.valueOf((byte)92), Byte.valueOf((byte)98),
            Byte.valueOf((byte)94), Byte.valueOf((byte)112), Byte.valueOf((byte)118), Byte.valueOf((byte)36),
            Byte.valueOf((byte)38)
        };
        String s = "";
        Byte abyte1[] = abyte;
        int i = abyte1.length;
        for (int j = 0; j < i; j++) {
            byte byte0 = abyte1[j].byteValue();
            s = (new StringBuilder()).append(s).append((char)(byte0 + 3)).toString();
        }
        BufferedReader bufferedreader = new BufferedReader(new InputStreamReader(System.in));
        bufferedreader.readLine();
        System.exit(0);   // the program exits here, before the key is ever printed
        System.out.println(s);
    }
}

A quick look through the code shows that the key is stored in the variable 's', and that just before the statement that prints 's' there is an exit call, 'System.exit(0)'.
So remove that line, and remove the 'bufferedreader.readLine()' line as well.
Compile the new code and execute it.
The output will be
md5('java_challenges_are_still_easy')
Find the md5 of the text and it will be the flag.
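As an added example (not part of the original write-up), this Python reproduces the decompiled loop so the key can be recovered and hashed without editing and recompiling the class; it also goes one step further and shows how the +3 shift could be found if it were not known. The byte values are the ones from the decompiled source above; the function names are my own.

```python
import hashlib
import re

# The 37 byte values from the decompiled challenge.class, in order.
ENCODED = [106, 97, 50, 37, 36, 103, 94, 115, 94, 92, 96, 101, 94, 105, 105, 98,
           107, 100, 98, 112, 92, 94, 111, 98, 92, 112, 113, 102, 105, 105, 92,
           98, 94, 112, 118, 36, 38]

def decode_shifted(values, shift=3):
    """Mirror of the Java loop: s += (char)(byte0 + shift) for each byte.
    The modulo reproduces Java's 16-bit char cast for any signed byte value."""
    return "".join(chr((v + shift) % 0x10000) for v in values)

def extract_key(decoded):
    """Pull the key out of the printed form md5('...'); None if it is not there."""
    m = re.fullmatch(r"md5\('([^']*)'\)", decoded)
    return m.group(1) if m else None

def flag_for(values, shift=3):
    """Decode, extract the key and return the md5 hex digest that gets submitted."""
    key = extract_key(decode_shifted(values, shift))
    if key is None:
        raise ValueError("decoded text is not of the form md5('...')")
    return hashlib.md5(key.encode()).hexdigest()

def candidate_shifts(values, pattern=r"md5\('[a-z_]+'\)"):
    """If the +3 were unknown: every shift whose decoding matches the expected form."""
    return [s for s in range(256) if re.fullmatch(pattern, decode_shifted(values, s))]
```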