A7 - gee cue elle was a hard misc challenge.
It combines a database query injection with optimizing the algorithm to perform the attack.
So also partially a programming or computer science challenge.
When I first read the title I mispronounced it as "gi que elle", so a more german
pronunciation and I totally didn't get what it tried to hint at.
But more about that later.
Let's get started.
A7 - gi que elle,
We installed a fancy automatic attack protection system to be more secure against automated
attacks from robots and hackers, so it can be fully A7 compliant.
And a hint with .yaml tilde.
So the first thing I did was look up a7 again.
because of the "fully a7 compliant" comment, I immediately thought it's probably that
OWASP thing.
So what is it again?
OWASP Top 10.
A7 insufficient attack protecion….
Ohhhh that thing.
What a bullshit item on that owasp list.
If you want to read about some infosec drama, search for a7 controversy.
And this challenge is certainly a reference to that.
Anyway, I took this as a hint that I should use some automated attack tool.
Which in retrospect I think was wrong.
But whatever.
The description has a few more hints, but we will get back to that in a minute.
Let's first check out the site.
The challenge here links a .html file with the following content.
So part of the subdomain can be random.
It's obviously to give every player a unique site.
We will see that come up later.
On the site itself we can find a simple login field and when we inspect the html, we see
a validation pattern that tells us the username has to be admin and the password has to follow
a more complex pattern.
It's basically a valid flag pattern.
CTF curly braces then some characters that start with quotas, and if you paid attention
you can see that the subdomain is basically that part here, and then followed by 64 characters.
So it seems like if we find the correct password for the admin user, we have found the flag.
Like I said I though the a7 hint meant to tell me to use some tool, so I used nikto
which basically does something like dirbuster and it found an app.yaml file.
It turns out I could have found that myself if I had looked into the robots.txt, oh well.
That qa entry here threw me a bit off but ignored it mostly.
And this is where the second hint comes into play.
The yaml tilde.
So if you didn't know what that means, some editors such as emacs or maybe vim create
files to track your current progress in case you don't save and it crashes or so.
Then it can be recovered.
And some editors create a file with the same name but append a tilde.
And that's basically what happened here, the developer apparently opened the file in
an editor and it created that tilde file and for some reasons it didn't get deleted.
The yaml file is really interesting, it's basically a web application config file for
google app engine and it tells us here where the app that handles the page lives.
I might also google a little bit to learn more about app engine to understand the structure
of this file.
So basically I'm hunting now for the application sources.
In the google app engine docs I find a hello world example using main.py, so I tried that.
And with the tilde there as well, I can leak the content.
So now we got the sources.
The code doesn't look too big, but there are some dense areas.
A first thing you might notice is, that there is something about quotas and an abuse detection
system.
Mhmh…
And when I looked at the code, there was a lot of time calculations and I hoped I didn't
have to understand that right now.
So I continued.
Here the login post request.
That must be a very important part.
And indeed, I immediately noticed a query language injection.
You see this here the colon 1 together with the parameter here is safe, but this direct
python string manipulation with percentage s is unsafe.
We can inject another single quote and break out of the string and screw with the query.
So is this an SQL injection?
Well.
kinda.
not really.
As you can see here in the function name it's gql.
Google query language.
At this point I still didn't get that the title of the challenge was supposed to hint
for that.
Gee cue elle.
But.
Oh well.
So what can we do with that, ideally we want to be able to log in.
So what kind of features could we use in the query language.
If you look up the grammar of the query language it's really short and there is not much
you can do.
So we are here in the WHERE condition and all we can do is append more conditions with
AND.
There is not even an OR.
And we could sort or limit the result but that's not really useful.
So no SQL UNION SELECT to inject a password we can control to bypass the authentication
or so.
The only output we have is either wrong username or wrong password.
So it's going to be a blind injection.
The idea is if we make the query return a password, then the password we supply would
be wrong and if we make the query return no password, we would get the wrong username
error.
We can play with this.
GQL doesn't have advanced string stuff like SQL.
For example there is no WHERE password Like A%.
Where password like B%.
to slowly bruteforce the first character.
But we can basically simulate that with greater or lower than.
So you can inject a compare if the password is bigger than A, and if that's the case
the query returns the password and we get wrong password error.
But if the password was not bigger than A, then the password might start with A or another
char that's lower than that, then the query would not return a password and we get the
wrong username error.
So we can in fact slowly bruteforce the password.
So I start writing some code to do that.
The comparison works by ascii value, so the order of chars is how they appear in ascii.
So lowercase a is bigger than capital A.
So I was writing that code but I quickly ran into the "Abuse detection system".
I was banned for 90 seconds because I either triggered two errors in 30 seconds, or made
more than 13 requests per 30 seconds or it took me longer than 2240 seconds.
Oh damn.
Because with every request we get an error, we can only perform one request every 15 seconds.
To not trigger the 2 errors in 30s rule.
And not only that, we only have 2240 seconds time for that.
That's only 150 requests.
But the flag is already at least 64 bytes long.
We know parts of the password just not the main part.
This means we have only like 2 requests per character.
We will never bruteforce the password with those restrictions.
So I started to review more of the code and long story short, I couldn't find a bypass
for the abuse detection system.
Also the password is dynamically generated, but it's safe.
It's hmac with a secret key and the first part of the hostname.
Which means if you know the secret key and I give you a valid flag, you can verify that
it's valid.
The first part generates the second part.
So also no tricks possible there.
Basically I had following options in mind: Bypass detection system
Find an issue in the dynamic flag/password generation
Better gql injection Try to optimize the bruteforce
Like I said first one lead nowhere, second one was also unlikely, third one too, the
query syntax is just so short, which means the only viable way is optimization.
So an obvious first improvement to the bruteforce with greater and lower is to do a binary search.
Basically we have an oracle that tells us with a guess of the password if the real password
is greater or lower.
Which means we can lower the amount of requests necessary.
My first implementation did this per character.
Each character has 64 options and with binary search you can find the right guess in about
log N steps.
So about 4.1 steps necessary per character.
Which means we need roughly 262 steps in total, which doesn't work, because we only can
do up to 150 requests in the time we have.
So I was stuck there for a while.
A lot of time went into fixing programming bugs and testing it and because it's so
slow.
with 1 request every 15s it is just took ages.
But then when I did another round of auditing the code I noticed something.
So error requests, of which you can only have two every 30 seconds, are only counted on
exceptions.
And if you look closely in the login code you can see that only a wrong password triggers
an exception.
Wrong username is just a regular request of which you can have 13 per 30 seconds.
That's the key!
We need to optimise the binary search to favor wrong username over wrong password.
So how do we do that?
Well in binary search you always select the center of your search area.
This means there is a 50:50 chance that your item is either greater or lower.
So how can we skew that chance.
Well instead of picking the center, we pick something more towards one side.
For example if we do a 75:25 split, we have a much higher probability that our item is
going to be lower than that new index.
In our case we can have 13 requests in 30 seconds but only 2 of those can be errors,
so we have 2 divided by 13, roughly a 85 to 15% split.
Awesome.
Also I optimised the string generation by working with numbers rather than a character
string.
So basically our string we want to brute force has an alphabet of 64 characters.
So it's like a base64 number system.
Which means we can convert between base10 and base64.
Don't confuse it with base64 encoding, I'm really talking here about the mathematical
numeral system base 64.
Maybe you had to convert base 10 to base 16 or base 3 in school, that's basically what
I did.
So I created two functions to convert a base64 number to a base10 number and vice versa.
So now I can treat the binary search as a search of a number.
The highest value is basically lowercase zzzzzz, which is a huge number.
And this is the code I came up with.
I use the requests module to perform the gql injection request.
Then I define the alphabet for the flag in ascii order.
Here are my functions to convert from base64 to base10 and vice versa.
And a function to display a number line to visualise the search.
And here are the important search variables.
At the beginning the highest number is basically zzzzzzz
And lowest is obviously 0.
The current flag we will check, so the search index is initialized with 85% from the top.
So that it's skewed towards higher values and our real password is probably lower.
And those are lists to count the exceptions, so wrong passwords and regular requests I
make.
At the beginning of the search loop I have a look at the lists that remember all exceptions
and requests and remove the requests that are older than 30 seconds, because they don't
matter anymore.
But if we have had more than 1 exception in the past 30 seconds, or had more than 11 regular
requests, we are going to sleep for a second.
Then we clean up the list again and maybe sleep again, until the condition is not true
anymore.
Then we are allowed to perform another request.
So we convert the current search index to the flag string and perform the request.
Some nice log output And then we check the result.
If it was wrong username, then our guess was bigger than the real password, so we can set
the highest possible value to that and move the search index down a little bit.
But always move it in the 85:15% ratio.
If we get wrong password, we get an exception, so we rememebr the time we had the exception
and we also know our password was greater than our guess, so we take the upper part
and move the search index higher.
And that's it.
We just have to let it run now.
Doesn't it look beautiful?
Here you can see how the search index, the X always skews to the higher values and how
the search space is narrowed down.
And there is a nice ratio now of wrong username and wrong password requests.
This takes now a while.
Basically 2240 seconds or 37 minutes.
But we will still just barely make it in that time.
So I started many instances in parallel and hoped that at least one will succeed.
And this is where I started to become nervous.
Because the end of the CTF was approaching and I was not sure if it will work, I didn't
have one successful run yet.
Will the flag I find work or will it break?
Will I do my calculations right?
Do I have bugs?
And about 10 minutes before the end two processes approach the final guesses.
There we go, search space is apparently now 0.
We found our flag.
hopefully.
So I tried to enter the flag, super shaky hands because I had to be fast with minutes
left but it didn't work.
Wrong flag.
Also I couldn't login with this flag.
It was not correct.
DAMN.
But I had a hunch what the problem was.
I probably didn't quite get the calculations correct, so I was probably 1 or 2 numbers
off.
So i just adjusted the last character of the flag and after a few attempts, I got the right
flag.
Damn that was close.
But really happy at the end, because just FYI, I spend probably like 12 hours on this
challenge.
For more infomation >> Blind GQL injection and optimised binary search - A7 ~ Gee cue elle (misc) Google CTF 2017 - Duration: 14:25.-------------------------------------------
Modifying events with the Google Calendar API (The G Suite Dev Show) - Duration: 6:33.
For more infomation >> Modifying events with the Google Calendar API (The G Suite Dev Show) - Duration: 6:33. -------------------------------------------
Google Trends - ingyenes SEO eszköz - Duration: 11:19.
For more infomation >> Google Trends - ingyenes SEO eszköz - Duration: 11:19. -------------------------------------------
Utilizing Google Classroom - Duration: 10:50.
Hi, all!
Welcome to Utilizing Google Classroom.
My name is Mary John, and I will be walking you through how to create your own Google
Classroom.
Let's start off with a very simple question.
What IS Google Classroom?
Well, we all have heard of Google, but now, Google is more than just an Internet search
engine.
You can keep a calendar, look at maps, stay organized, take your documents with you wherever
you go, and so much more!
Google Classroom just so happens to be one of these amazing features offered by Google.
For those that are familiar, Google Classroom is similar to Blackboard, Moodle, and Canvas,
to name a few systems.
The difference, though, is that with Google Classroom, the teacher does not need to wait
for a license from an organization.
Rather, the teacher is able to create his/her own classroom provided that he/she has an
account with Google.
Now, just like with most concepts, there are pros and there are cons.
Let's start with the pros.
Google Classroom can be utilized anywhere and everywhere.
Communication and sharing of documents is very simple and effective.
Furthermore, students are able to receive immediate and effective feedback.
With that said, just like with any product, there are negative aspects in addition to
the positive aspects.
Some people note that Google Classroom seems "Googlish" and is impersonal.
There are no automated updates, quizzes or tests.
It should be noted, though, that technology constantly is changing, so it is likely that
a lot of these negative aspects will be remedied soon enough.
Now, once upon a time, teaching was done using pen and paper, textbooks, and blackboards.
For those lucky instructors, they were graced with whiteboards!
With the world changing as it has, though, the classroom has changed as well.
In most every classroom, you will be able to find updated technologies, including SMARTBoards,
tablets, and laptops.
In some classrooms, you might even be able to spot a laptop or an iPad cart.
Many districts also have adopted a BYOD mentality as well.
BYOD stands for "Bring Your Own Device".
Not only does my current district follow the BYOD mentality, but we also will be moving
to a one-to-one initiative in the fall, which will enable every student at the high school
level to have his/her own Google Chromebook!
At the end of the day, the principles of learning are still the same.
The end goal, for every educator, is to enhance learning in the classroom.
In order to do this, teachers must tap into the following aspects of learning: Teachers
need to find a way to make learning Human, Fun and Social, Language Based, and Meaning
Centered.
Let's take a look back at Bloom's Taxonomy, which essentially is a scaffolding model.
Bloom's Taxonomy begins with a simple concept that continues to be built upon until a new
innovation is created, based on the original simple concept.
Speaking of building, let's now take a look at the SAMR Model.
SAMR is a scaffolding model, much like Bloom; however, SAMR is utilized with technology.
At the end of the day, SAMR is Bloom, just in a technological setting.
So how is SAMR utilized?
For the sake of this demonstration, let's pretend that a History lesson requires students
to contact Congress about a social issue, such as poverty.
We will begin at the bottom of the model with Substitution, which occurs when a tool directly
is substituted, with no functional change.
So, instead of writing a letter by hand, students might use a computer to write a letter to
a Congressman.
From Substitution, we then move up to Augmentation, which occurs when a tool directly is substituted
AND a functional improvement occurs.
Now, the students use the computer, HOWEVER, they might use Google Docs to work collaboratively
on the email to the Congressman.
Modification is the next step in SAMR, which occurs when a significant task has been redesigned.
Here, students create and collaborate on a video about the social issue.
Finally, we have Redefinition, which occurs when new tasks are created that previously
were thought inconceivable.
In our example, students take the video they made and utilize social media to create awareness
across the globe about poverty.
SAMR is vital because it enables us to know that there is insane potential utilizing technology
in the classroom.
So, let's begin by utilizing Google Classroom in the classroom.
Let's start by setting up your Google Classroom.
Today I will walk you through how to post an announcement, an assignment, and how to
delay posts.
If you haven't done so already, you'll want to log in to your Google account.
Click on the tiny squares in the upper right-hand corner.
You may have to scroll down a bit to find Google Classroom.
Click on Google Classroom and notify Google that you are, indeed, a teacher.
From here, we will CREATE A CLASSROOM!
I've already created a classroom, but in order to create a classroom, go up to the
plus (+) sign, click "Create Class" and name your class.
Don't worry so much about the section or subject right now.
I currently teach a Social Skills group, named my class Social Skills.
You also will be able to add students by going to "Students", and inviting students by
typing in their emails to invite them to join your Google Classroom.
Let's now move to the bottom right-hand corner, where you will see a plus (+) sign.
Hovering over this plus sign will enable you to add announcements, assignments, create
questions or re-use posts.
Right now, I will demonstrate how to add an announcement and an assignment, in addition
to how to delay a post.
First, I am going to hover back over that plus (+) sign and click on "Create Announcement".
I am going to tell my students to have a safe and enjoyable summer!
Then I will post it.
My post – my announcement now has been added.
Now, we will move on to the assignments.
Again, I will hover over the plus (+) sign, and I will click on "Create Assignment".
When creating an assignment, you have two options to attach files.
You can either click on the paperclip and attach files directly from your computer,
or if your documents are already in your Google Drive, you can attach your documents from
your Google Drive.
Fortunately, my documents already are in my Google Drive.
I would like my students to create a comic strip.
So, I will title this: "Comic Strip Assignment".
I then will go to my Google Drive, go in through my folders, to my unit, and I will add the
Comic Strip Assignment Rubric.
The Rubric has instructions for what I would like my students to do.
However, I also would like to incorporate the instructions on this post.
So, I will tell my students to "Create a comic strip based on a self-awareness and
a self-advocating scenario".
In addition to the comic strip, though, I would also like to provide them with a sample
comic strip.
For the sake of this demonstration, I am going to delay this post until my student return
in September.
To delay a post, all you'll have to do is click on the due date and time, and add the
date and time you would like to make this available to your students.
Because my students will not be returning until September, I am going to make this post
available on September 13 at 7:30 am.
Now, not only have I assigned an assignment, but I have also delayed the assignment as
well.
This post will not be available for my students to see until September 13 at 7:30 am.
In addition to adding files from Google Drive, you'll have the opportunity to add a video
from YouTube or link a website to some aspect of your announcements or assignments.
If you would like to link your entire Google Classroom to your Google Drive, I've attached
a link with step-by-step directions to this slide.
Aside from that, you are all set to go!
So, now it's your turn to have fun modifying and personalizing your Google Classroom!
Enjoy!
-------------------------------------------
How do I save a picture that has been shared by the "shared libraries" of the "Google Photos" - Duration: 2:12.
How do I save a picture that has been shared by the "shared libraries" of the "Google Photos"
Hello everyone
This time, we will introduce how to save the photos that have been shared by the "Google Photos" in the "Shared Library"
Photos that have been shared by the "shared libraries" of the "Google Photos" will be stored in the "Shared Library" category as a photograph from users sharing
Only it is possible to circulate the photos that are shared in this state, not stored in the library of users sharing
Photos from users who have been shared, or save it to individually own library, it is possible to store in bulk
The photos that are classified in all of the photos and face grouping that is shared It also has become possible to set to automatically save to their own library
If the first individual to save the photo, display the photo you want to save, touch the download icon that appears in the upper right corner
Further, it is also possible to batch download by specifying multiple photos on the list screen
The downloaded photos will be saved in its own library
To be stored in the library automatically, touch the "Let's turn on the auto-save" of the list screen,
Select the "All photos" or "photos that captured the particular person"
By the way, "photos that captured the particular person" is, or has been shared all of the photos from a shared source of users, available only in the case where a plurality of face grouping has been specified
By storing the photographic its own library shared by "shared library", or used in the SNS, you will be able to include or use as a smartphone wallpaper
Please by all means try to set with reference
Above, it was the introduction of how to save the photos that have been shared by the "shared libraries" of the "Google Photos"
Không có nhận xét nào:
Đăng nhận xét