hw5 part 1 done

This commit is contained in:
David Westgate 2024-06-07 17:55:14 -07:00
parent a148b03087
commit 6a75e4f7c5
7 changed files with 44 additions and 2 deletions

@ -115,18 +115,22 @@ DECIMAL HEXADECIMAL DESCRIPTION
## Questions
1) What architecture is the firmware intended to run on?
The architecture appears to be MIPS 32-bit. This is shown by running `file` on the busybox binary
![architecture.png](./architecture.png)
2) What OS is the firmware running?
As shown in etc/os-release, the OS appears to be OpenWRT
![os.png](./os.png)
3) What users are present on the system?
root, daemon, ftp, network, nobody, and dnsmasq are the users present (seen in /etc/shadow and /etc/passwd)
![users.png](./users.png)
4) What is the root password?
The hash of the root password shown above is as follows
```
root:$6$19yJir3t$DKemu8nRjxvuPbDZdZcdtsJiiVd7zAXN7Q63.eepYT.R0LqsDMYCzwetEO58sPROWiVfhY1Aeu3O3awr57fv50:17994:0:99999:7:::
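Review bot: the code fence opened on the line before the root shadow entry has no closing fence inside this hunk; confirm the unchanged context that follows closes it, otherwise everything up to the next fence renders as code. For question 1, `file` also reports the ELF byte order (MSB or LSB) next to the MIPS architecture; record it alongside "MIPS 32-bit", since endianness decides which toolchain and emulator are needed later in the analysis. For question 3, `/etc/passwd` alone lists the accounts; `/etc/shadow` is what answers question 4, so the two can be cited separately.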
@ -137,7 +141,7 @@ For sha512, we will want to use -m 1800 flag with hashcat
![man-hashcat](./man-hashcat.png)
I then tried to crack the password hashcat and rockyou.txt, but was unable to find the password. Some quick googling revealed the leetspeak.rule wordlist in combination with rockyou.txt might be a good choice (as well as the [page](https://noobintheshell.com/posts/mcafee_ctf_2021/) which simple gave us the password for this exercise)
I then tried to crack the password hashcat and rockyou.txt, but was unable to find the password. Some quick googling revealed the leetspeak.rule wordlist in combination with rockyou.txt might be a good choice (as well as the [page](https://noobintheshell.com/posts/mcafee_ctf_2021/) which simply gave us the password for this exercise)
For fun, I'll crack the password anyways running `hashcat -O -m 1800 -a 0 -o found.txt hash.txt ~/Downloads/rockyou.txt -r ~/Downloads/leetspeak.rule`
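Review bot: the changed line only fixes "simple" to "simply" and still reads "crack the password hashcat and rockyou.txt", which is missing "with". The context line above says "For sha512", but the `$6$` prefix and `-m 1800` both identify sha512crypt, a different hashcat mode from raw SHA-512 (`-m 1700`); naming it sha512crypt stops a reader from picking the wrong mode. Minor: "anyways" on the last line should be "anyway".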

@ -6,6 +6,8 @@ The first step I took for this asignment was setting up the docker container. Th
![docker](./step0/docker.png)
# Part 1 - Tutorial
## Step-0
Here, I have followed the instructions the run the sample RTSP client and server
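Review bot: "the instructions the run the sample RTSP client and server" should read "to run"; the unchanged context line above also has "asignment" for "assignment", worth fixing while this file is being touched.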
@ -34,6 +36,13 @@ Lets take a look at this file with `wireshark rtsp.pcap`
Following the instruction, we can save the raw TCP stream of the request messages to [rtsp_requests_wav.raw](./step1/rtsp_requests_wav.raw)
![tcp-raw](./step1/tcp-raw.png)
## Step-2 Modifications
As understood in the Step 0 instructions, we have already applied the `ceeb4f4` patch to make fuzzing more effective.
## Step-3 Fuzzing
We begin the fuzzing process running the supplied command
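Review bot: "we have already applied the `ceeb4f4` patch to make fuzzing more effective" does not say what the patch changes, so a reader cannot tell whether the crashes reported later depend on it; one sentence naming what it alters, plus a link to that commit, would close the gap. Step-3 says "running the supplied command" without showing it; paste the exact invocation (target binary, seed directory, protocol and network target) so the run is reproducible. Also "Lets" in the context line should be "Let's".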
@ -45,4 +54,33 @@ It seems off to a good start, and I will let this run for some time and check ba
![begin-fuzz](./step3/begin-fuzz.png)
![afl](./step3/afl.png)
![afl](./step3/afl-start.png)
After about 44 hours of running this test it is time to move on. We notice we have 40 unique craches at this point, and the last one found was about 3 hours ago
![afl](./step3/afl-end.png)
These crashes can be found in the `replayable-crashes` directory of our run
![replayable-crashes.png](./step3/replayable-crashes.png)
## Step-4 Reproducing
As noted in the instructions, with `afl-replay` we can replay the crashing client input on the running test server, as shown with the provided example input CVS_2019_7314.poc
![CVE_2019_7314.poc_crash.png](./step4/CVE_2019_7314.poc_crash.png)
Here is another example of performing and `aflnet-replay` with one of the replayable crashes results I found to again crash the RTSP server
![fuzz-crash.png](./step4/fuzz-crash.png)
# Part 2 - Our own example
I will run through this exercise again choosing my own example
## Step-1. Prepare message sequences as seed inputs
## Step-2 Modifications
## Step-3 Fuzzing
## Step-4 Reproducing
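Review bot: "40 unique craches" (typo: crashes) is AFL's path-deduplicated count, not a count of distinct bugs, so it should not be read as 40 vulnerabilities; note that the inputs in `replayable-crashes` still need triage before drawing conclusions. In Step-4 the example input is written `CVS_2019_7314.poc` while the screenshot is named `CVE_2019_7314.poc`, and the tool is called `afl-replay` on one line and `aflnet-replay` two lines later; pick one spelling for each. "performing and `aflnet-replay`" should read "performing an". The empty Part 2 headings are consistent with a "part 1 done" commit.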

BIN
hw5/step3/afl-end.png Normal file
BIN
hw5/step4/fuzz-crash.png Normal file