Thứ Sáu, 30 tháng 6, 2017

Youtube daily google Jun 30 2017

A7 - gee cue elle was a hard misc challenge.

It combines a database query injection with optimizing the algorithm to perform the attack.

So also partially a programming or computer science challenge.

When I first read the title I mispronounced it as "gi que elle", so a more german

pronunciation and I totally didn't get what it tried to hint at.

But more about that later.

Let's get started.

A7 - gi que elle,

We installed a fancy automatic attack protection system to be more secure against automated

attacks from robots and hackers, so it can be fully A7 compliant.

And a hint with .yaml tilde.

So the first thing I did was look up a7 again.

because of the "fully a7 compliant" comment, I immediately thought it's probably that

OWASP thing.

So what is it again?

OWASP Top 10.

A7 insufficient attack protecion….

Ohhhh that thing.

What a bullshit item on that owasp list.

If you want to read about some infosec drama, search for a7 controversy.

And this challenge is certainly a reference to that.

Anyway, I took this as a hint that I should use some automated attack tool.

Which in retrospect I think was wrong.

But whatever.

The description has a few more hints, but we will get back to that in a minute.

Let's first check out the site.

The challenge here links a .html file with the following content.

So part of the subdomain can be random.

It's obviously to give every player a unique site.

We will see that come up later.

On the site itself we can find a simple login field and when we inspect the html, we see

a validation pattern that tells us the username has to be admin and the password has to follow

a more complex pattern.

It's basically a valid flag pattern.

CTF curly braces then some characters that start with quotas, and if you paid attention

you can see that the subdomain is basically that part here, and then followed by 64 characters.

So it seems like if we find the correct password for the admin user, we have found the flag.

Like I said I though the a7 hint meant to tell me to use some tool, so I used nikto

which basically does something like dirbuster and it found an app.yaml file.

It turns out I could have found that myself if I had looked into the robots.txt, oh well.

That qa entry here threw me a bit off but ignored it mostly.

And this is where the second hint comes into play.

The yaml tilde.

So if you didn't know what that means, some editors such as emacs or maybe vim create

files to track your current progress in case you don't save and it crashes or so.

Then it can be recovered.

And some editors create a file with the same name but append a tilde.

And that's basically what happened here, the developer apparently opened the file in

an editor and it created that tilde file and for some reasons it didn't get deleted.

The yaml file is really interesting, it's basically a web application config file for

google app engine and it tells us here where the app that handles the page lives.

I might also google a little bit to learn more about app engine to understand the structure

of this file.

So basically I'm hunting now for the application sources.

In the google app engine docs I find a hello world example using main.py, so I tried that.

And with the tilde there as well, I can leak the content.

So now we got the sources.

The code doesn't look too big, but there are some dense areas.

A first thing you might notice is, that there is something about quotas and an abuse detection

system.

Mhmh…

And when I looked at the code, there was a lot of time calculations and I hoped I didn't

have to understand that right now.

So I continued.

Here the login post request.

That must be a very important part.

And indeed, I immediately noticed a query language injection.

You see this here the colon 1 together with the parameter here is safe, but this direct

python string manipulation with percentage s is unsafe.

We can inject another single quote and break out of the string and screw with the query.

So is this an SQL injection?

Well.

kinda.

not really.

As you can see here in the function name it's gql.

Google query language.

At this point I still didn't get that the title of the challenge was supposed to hint

for that.

Gee cue elle.

But.

Oh well.

So what can we do with that, ideally we want to be able to log in.

So what kind of features could we use in the query language.

If you look up the grammar of the query language it's really short and there is not much

you can do.

So we are here in the WHERE condition and all we can do is append more conditions with

AND.

There is not even an OR.

And we could sort or limit the result but that's not really useful.

So no SQL UNION SELECT to inject a password we can control to bypass the authentication

or so.

The only output we have is either wrong username or wrong password.

So it's going to be a blind injection.

The idea is if we make the query return a password, then the password we supply would

be wrong and if we make the query return no password, we would get the wrong username

error.

We can play with this.

GQL doesn't have advanced string stuff like SQL.

For example there is no WHERE password Like A%.

Where password like B%.

to slowly bruteforce the first character.

But we can basically simulate that with greater or lower than.

So you can inject a compare if the password is bigger than A, and if that's the case

the query returns the password and we get wrong password error.

But if the password was not bigger than A, then the password might start with A or another

char that's lower than that, then the query would not return a password and we get the

wrong username error.

So we can in fact slowly bruteforce the password.

So I start writing some code to do that.

The comparison works by ascii value, so the order of chars is how they appear in ascii.

So lowercase a is bigger than capital A.

So I was writing that code but I quickly ran into the "Abuse detection system".

I was banned for 90 seconds because I either triggered two errors in 30 seconds, or made

more than 13 requests per 30 seconds or it took me longer than 2240 seconds.

Oh damn.

Because with every request we get an error, we can only perform one request every 15 seconds.

To not trigger the 2 errors in 30s rule.

And not only that, we only have 2240 seconds time for that.

That's only 150 requests.

But the flag is already at least 64 bytes long.

We know parts of the password just not the main part.

This means we have only like 2 requests per character.

We will never bruteforce the password with those restrictions.

So I started to review more of the code and long story short, I couldn't find a bypass

for the abuse detection system.

Also the password is dynamically generated, but it's safe.

It's hmac with a secret key and the first part of the hostname.

Which means if you know the secret key and I give you a valid flag, you can verify that

it's valid.

The first part generates the second part.

So also no tricks possible there.

Basically I had following options in mind: Bypass detection system

Find an issue in the dynamic flag/password generation

Better gql injection Try to optimize the bruteforce

Like I said first one lead nowhere, second one was also unlikely, third one too, the

query syntax is just so short, which means the only viable way is optimization.

So an obvious first improvement to the bruteforce with greater and lower is to do a binary search.

Basically we have an oracle that tells us with a guess of the password if the real password

is greater or lower.

Which means we can lower the amount of requests necessary.

My first implementation did this per character.

Each character has 64 options and with binary search you can find the right guess in about

log N steps.

So about 4.1 steps necessary per character.

Which means we need roughly 262 steps in total, which doesn't work, because we only can

do up to 150 requests in the time we have.

So I was stuck there for a while.

A lot of time went into fixing programming bugs and testing it and because it's so

slow.

with 1 request every 15s it is just took ages.

But then when I did another round of auditing the code I noticed something.

So error requests, of which you can only have two every 30 seconds, are only counted on

exceptions.

And if you look closely in the login code you can see that only a wrong password triggers

an exception.

Wrong username is just a regular request of which you can have 13 per 30 seconds.

That's the key!

We need to optimise the binary search to favor wrong username over wrong password.

So how do we do that?

Well in binary search you always select the center of your search area.

This means there is a 50:50 chance that your item is either greater or lower.

So how can we skew that chance.

Well instead of picking the center, we pick something more towards one side.

For example if we do a 75:25 split, we have a much higher probability that our item is

going to be lower than that new index.

In our case we can have 13 requests in 30 seconds but only 2 of those can be errors,

so we have 2 divided by 13, roughly a 85 to 15% split.

Awesome.

Also I optimised the string generation by working with numbers rather than a character

string.

So basically our string we want to brute force has an alphabet of 64 characters.

So it's like a base64 number system.

Which means we can convert between base10 and base64.

Don't confuse it with base64 encoding, I'm really talking here about the mathematical

numeral system base 64.

Maybe you had to convert base 10 to base 16 or base 3 in school, that's basically what

I did.

So I created two functions to convert a base64 number to a base10 number and vice versa.

So now I can treat the binary search as a search of a number.

The highest value is basically lowercase zzzzzz, which is a huge number.

And this is the code I came up with.

I use the requests module to perform the gql injection request.

Then I define the alphabet for the flag in ascii order.

Here are my functions to convert from base64 to base10 and vice versa.

And a function to display a number line to visualise the search.

And here are the important search variables.

At the beginning the highest number is basically zzzzzzz

And lowest is obviously 0.

The current flag we will check, so the search index is initialized with 85% from the top.

So that it's skewed towards higher values and our real password is probably lower.

And those are lists to count the exceptions, so wrong passwords and regular requests I

make.

At the beginning of the search loop I have a look at the lists that remember all exceptions

and requests and remove the requests that are older than 30 seconds, because they don't

matter anymore.

But if we have had more than 1 exception in the past 30 seconds, or had more than 11 regular

requests, we are going to sleep for a second.

Then we clean up the list again and maybe sleep again, until the condition is not true

anymore.

Then we are allowed to perform another request.

So we convert the current search index to the flag string and perform the request.

Some nice log output And then we check the result.

If it was wrong username, then our guess was bigger than the real password, so we can set

the highest possible value to that and move the search index down a little bit.

But always move it in the 85:15% ratio.

If we get wrong password, we get an exception, so we rememebr the time we had the exception

and we also know our password was greater than our guess, so we take the upper part

and move the search index higher.

And that's it.

We just have to let it run now.

Doesn't it look beautiful?

Here you can see how the search index, the X always skews to the higher values and how

the search space is narrowed down.

And there is a nice ratio now of wrong username and wrong password requests.

This takes now a while.

Basically 2240 seconds or 37 minutes.

But we will still just barely make it in that time.

So I started many instances in parallel and hoped that at least one will succeed.

And this is where I started to become nervous.

Because the end of the CTF was approaching and I was not sure if it will work, I didn't

have one successful run yet.

Will the flag I find work or will it break?

Will I do my calculations right?

Do I have bugs?

And about 10 minutes before the end two processes approach the final guesses.

There we go, search space is apparently now 0.

We found our flag.

hopefully.

So I tried to enter the flag, super shaky hands because I had to be fast with minutes

left but it didn't work.

Wrong flag.

Also I couldn't login with this flag.

It was not correct.

DAMN.

But I had a hunch what the problem was.

I probably didn't quite get the calculations correct, so I was probably 1 or 2 numbers

off.

So i just adjusted the last character of the flag and after a few attempts, I got the right

flag.

Damn that was close.

But really happy at the end, because just FYI, I spend probably like 12 hours on this

challenge.

For more infomation >> Blind GQL injection and optimised binary search - A7 ~ Gee cue elle (misc) Google CTF 2017 - Duration: 14:25.

-------------------------------------------

Modifying events with the Google Calendar API (The G Suite Dev Show) - Duration: 6:33.

For more infomation >> Modifying events with the Google Calendar API (The G Suite Dev Show) - Duration: 6:33.

-------------------------------------------

Google Trends - ingyenes SEO eszköz - Duration: 11:19.

For more infomation >> Google Trends - ingyenes SEO eszköz - Duration: 11:19.

-------------------------------------------

Utilizing Google Classroom - Duration: 10:50.

Hi, all!

Welcome to Utilizing Google Classroom.

My name is Mary John, and I will be walking you through how to create your own Google

Classroom.

Let's start off with a very simple question.

What IS Google Classroom?

Well, we all have heard of Google, but now, Google is more than just an Internet search

engine.

You can keep a calendar, look at maps, stay organized, take your documents with you wherever

you go, and so much more!

Google Classroom just so happens to be one of these amazing features offered by Google.

For those that are familiar, Google Classroom is similar to Blackboard, Moodle, and Canvas,

to name a few systems.

The difference, though, is that with Google Classroom, the teacher does not need to wait

for a license from an organization.

Rather, the teacher is able to create his/her own classroom provided that he/she has an

account with Google.

Now, just like with most concepts, there are pros and there are cons.

Let's start with the pros.

Google Classroom can be utilized anywhere and everywhere.

Communication and sharing of documents is very simple and effective.

Furthermore, students are able to receive immediate and effective feedback.

With that said, just like with any product, there are negative aspects in addition to

the positive aspects.

Some people note that Google Classroom seems "Googlish" and is impersonal.

There are no automated updates, quizzes or tests.

It should be noted, though, that technology constantly is changing, so it is likely that

a lot of these negative aspects will be remedied soon enough.

Now, once upon a time, teaching was done using pen and paper, textbooks, and blackboards.

For those lucky instructors, they were graced with whiteboards!

With the world changing as it has, though, the classroom has changed as well.

In most every classroom, you will be able to find updated technologies, including SMARTBoards,

tablets, and laptops.

In some classrooms, you might even be able to spot a laptop or an iPad cart.

Many districts also have adopted a BYOD mentality as well.

BYOD stands for "Bring Your Own Device".

Not only does my current district follow the BYOD mentality, but we also will be moving

to a one-to-one initiative in the fall, which will enable every student at the high school

level to have his/her own Google Chromebook!

At the end of the day, the principles of learning are still the same.

The end goal, for every educator, is to enhance learning in the classroom.

In order to do this, teachers must tap into the following aspects of learning: Teachers

need to find a way to make learning Human, Fun and Social, Language Based, and Meaning

Centered.

Let's take a look back at Bloom's Taxonomy, which essentially is a scaffolding model.

Bloom's Taxonomy begins with a simple concept that continues to be built upon until a new

innovation is created, based on the original simple concept.

Speaking of building, let's now take a look at the SAMR Model.

SAMR is a scaffolding model, much like Bloom; however, SAMR is utilized with technology.

At the end of the day, SAMR is Bloom, just in a technological setting.

So how is SAMR utilized?

For the sake of this demonstration, let's pretend that a History lesson requires students

to contact Congress about a social issue, such as poverty.

We will begin at the bottom of the model with Substitution, which occurs when a tool directly

is substituted, with no functional change.

So, instead of writing a letter by hand, students might use a computer to write a letter to

a Congressman.

From Substitution, we then move up to Augmentation, which occurs when a tool directly is substituted

AND a functional improvement occurs.

Now, the students use the computer, HOWEVER, they might use Google Docs to work collaboratively

on the email to the Congressman.

Modification is the next step in SAMR, which occurs when a significant task has been redesigned.

Here, students create and collaborate on a video about the social issue.

Finally, we have Redefinition, which occurs when new tasks are created that previously

were thought inconceivable.

In our example, students take the video they made and utilize social media to create awareness

across the globe about poverty.

SAMR is vital because it enables us to know that there is insane potential utilizing technology

in the classroom.

So, let's begin by utilizing Google Classroom in the classroom.

Let's start by setting up your Google Classroom.

Today I will walk you through how to post an announcement, an assignment, and how to

delay posts.

If you haven't done so already, you'll want to log in to your Google account.

Click on the tiny squares in the upper right-hand corner.

You may have to scroll down a bit to find Google Classroom.

Click on Google Classroom and notify Google that you are, indeed, a teacher.

From here, we will CREATE A CLASSROOM!

I've already created a classroom, but in order to create a classroom, go up to the

plus (+) sign, click "Create Class" and name your class.

Don't worry so much about the section or subject right now.

I currently teach a Social Skills group, named my class Social Skills.

You also will be able to add students by going to "Students", and inviting students by

typing in their emails to invite them to join your Google Classroom.

Let's now move to the bottom right-hand corner, where you will see a plus (+) sign.

Hovering over this plus sign will enable you to add announcements, assignments, create

questions or re-use posts.

Right now, I will demonstrate how to add an announcement and an assignment, in addition

to how to delay a post.

First, I am going to hover back over that plus (+) sign and click on "Create Announcement".

I am going to tell my students to have a safe and enjoyable summer!

Then I will post it.

My post – my announcement now has been added.

Now, we will move on to the assignments.

Again, I will hover over the plus (+) sign, and I will click on "Create Assignment".

When creating an assignment, you have two options to attach files.

You can either click on the paperclip and attach files directly from your computer,

or if your documents are already in your Google Drive, you can attach your documents from

your Google Drive.

Fortunately, my documents already are in my Google Drive.

I would like my students to create a comic strip.

So, I will title this: "Comic Strip Assignment".

I then will go to my Google Drive, go in through my folders, to my unit, and I will add the

Comic Strip Assignment Rubric.

The Rubric has instructions for what I would like my students to do.

However, I also would like to incorporate the instructions on this post.

So, I will tell my students to "Create a comic strip based on a self-awareness and

a self-advocating scenario".

In addition to the comic strip, though, I would also like to provide them with a sample

comic strip.

For the sake of this demonstration, I am going to delay this post until my student return

in September.

To delay a post, all you'll have to do is click on the due date and time, and add the

date and time you would like to make this available to your students.

Because my students will not be returning until September, I am going to make this post

available on September 13 at 7:30 am.

Now, not only have I assigned an assignment, but I have also delayed the assignment as

well.

This post will not be available for my students to see until September 13 at 7:30 am.

In addition to adding files from Google Drive, you'll have the opportunity to add a video

from YouTube or link a website to some aspect of your announcements or assignments.

If you would like to link your entire Google Classroom to your Google Drive, I've attached

a link with step-by-step directions to this slide.

Aside from that, you are all set to go!

So, now it's your turn to have fun modifying and personalizing your Google Classroom!

Enjoy!

For more infomation >> Utilizing Google Classroom - Duration: 10:50.

-------------------------------------------

How do I save a picture that has been shared by the "shared libraries" of the "Google Photos" - Duration: 2:12.

How do I save a picture that has been shared by the "shared libraries" of the "Google Photos"

Hello everyone

This time, we will introduce how to save the photos that have been shared by the "Google Photos" in the "Shared Library"

Photos that have been shared by the "shared libraries" of the "Google Photos" will be stored in the "Shared Library" category as a photograph from users sharing

Only it is possible to circulate the photos that are shared in this state, not stored in the library of users sharing

Photos from users who have been shared, or save it to individually own library, it is possible to store in bulk

The photos that are classified in all of the photos and face grouping that is shared It also has become possible to set to automatically save to their own library

If the first individual to save the photo, display the photo you want to save, touch the download icon that appears in the upper right corner

Further, it is also possible to batch download by specifying multiple photos on the list screen

The downloaded photos will be saved in its own library

To be stored in the library automatically, touch the "Let's turn on the auto-save" of the list screen,

Select the "All photos" or "photos that captured the particular person"

By the way, "photos that captured the particular person" is, or has been shared all of the photos from a shared source of users, available only in the case where a plurality of face grouping has been specified

By storing the photographic its own library shared by "shared library", or used in the SNS, you will be able to include or use as a smartphone wallpaper

Please by all means try to set with reference

Above, it was the introduction of how to save the photos that have been shared by the "shared libraries" of the "Google Photos"

Không có nhận xét nào:

Đăng nhận xét