diff --git a/hw4/hw4.md b/hw4/hw4.md index e4998d6..3afd7a6 100644 --- a/hw4/hw4.md +++ b/hw4/hw4.md @@ -115,18 +115,22 @@ DECIMAL HEXADECIMAL DESCRIPTION ## Questions 1) What architecture is the firmware intended to run on? + The architecture appears to be MIPS 32-bit. This is shown by running `file` on the busybox binary ![architecture.png](./architecture.png) 2) What OS is the firmware running? + As shown in etc/os-release, the OS appears to be OpenWRT ![os.png](./os.png) 3) What users are present on the system? + root, daemon, ftp, network, nobody, and dnsmasq are the users present (seen in /etc/shadow and /etc/passwd) ![users.png](./users.png) 4) What is the root password? + The hash of the root password shown above is as follows ``` root:$6$19yJir3t$DKemu8nRjxvuPbDZdZcdtsJiiVd7zAXN7Q63.eepYT.R0LqsDMYCzwetEO58sPROWiVfhY1Aeu3O3awr57fv50:17994:0:99999:7::: @@ -137,7 +141,7 @@ For sha512, we will want to use -m 1800 flag with hashcat ![man-hashcat](./man-hashcat.png) -I then tried to crack the password hashcat and rockyou.txt, but was unable to find the password. Some quick googling revealed the leetspeak.rule wordlist in combination with rockyou.txt might be a good choice (as well as the [page](https://noobintheshell.com/posts/mcafee_ctf_2021/) which simple gave us the password for this exercise) +I then tried to crack the password hashcat and rockyou.txt, but was unable to find the password. Some quick googling revealed the leetspeak.rule wordlist in combination with rockyou.txt might be a good choice (as well as the [page](https://noobintheshell.com/posts/mcafee_ctf_2021/) which simply gave us the password for this exercise) For fun, I'll crack the password anyways running `hashcat -O -m 1800 -a 0 -o found.txt hash.txt ~/Downloads/rockyou.txt -r ~/Downloads/leetspeak.rule` diff --git a/hw5/hw5.md b/hw5/hw5.md index d9db12f..5063809 100644 --- a/hw5/hw5.md +++ b/hw5/hw5.md 
@@ -6,6 +6,8 @@ The first step I took for this asignment was setting up the docker container. Th ![docker](./step0/docker.png) +# Part 1 - Tutorial + ## Step-0 Here, I have followed the instructions the run the sample RTSP client and server @@ -34,6 +36,13 @@ Lets take a look at this file with `wireshark rtsp.pcap` Following the instruction, we can save the raw TCP stream of the request messages to [rtsp_requests_wav.raw](./step1/rtsp_requests_wav.raw) +![tcp-raw](./step1/tcp-raw.png) + +## Step-2 Modifications + +As understood in the Step 0 instructions, we have already applied the `ceeb4f4` patch to make fuzzing more effective. + + ## Step-3 Fuzzing We begin the fuzzing process running the supplied command @@ -45,4 +54,33 @@ It seems off to a good start, and I will let this run for some time and check ba ![begin-fuzz](./step3/begin-fuzz.png) -![afl](./step3/afl.png) \ No newline at end of file +![afl](./step3/afl-start.png) + +After about 44 hours of running this test it is time to move on. We notice we have 40 unique craches at this point, and the last one found was about 3 hours ago + +![afl](./step3/afl-end.png) + +These crashes can be found in the `replayable-crashes` directory of our run + +![replayable-crashes.png](./step3/replayable-crashes.png) + +## Step-4 Reproducing + +As noted in the instructions, with `afl-replay` we can replay the crashing client input on the running test server, as shown with the provided example input CVS_2019_7314.poc + +![CVE_2019_7314.poc_crash.png](./step4/CVE_2019_7314.poc_crash.png) + +Here is another example of performing and `aflnet-replay` with one of the replayable crashes results I found to again crash the RTSP server + +![fuzz-crash.png](./step4/fuzz-crash.png) + +# Part 2 - Our own example + +I will run through this exercise again choosing my own example + +## Step-1. Prepare message sequences as seed inputs +## Step-2 Modifications +## Step-3 Fuzzing +## Step-4 Reproducing + + 
diff --git a/hw5/step3/afl-end.png b/hw5/step3/afl-end.png new file mode 100644 index 0000000..2f4c6ad Binary files /dev/null and b/hw5/step3/afl-end.png differ diff --git a/hw5/step3/afl.png b/hw5/step3/afl-start.png similarity index 100% rename from hw5/step3/afl.png rename to hw5/step3/afl-start.png diff --git a/hw5/step3/replayable-crashes.png b/hw5/step3/replayable-crashes.png new file mode 100644 index 0000000..ba17968 Binary files /dev/null and b/hw5/step3/replayable-crashes.png differ diff --git a/hw5/step4/CVE_2019_7314.poc_crash.png b/hw5/step4/CVE_2019_7314.poc_crash.png new file mode 100644 index 0000000..24bbf87 Binary files /dev/null and b/hw5/step4/CVE_2019_7314.poc_crash.png differ diff --git a/hw5/step4/fuzz-crash.png b/hw5/step4/fuzz-crash.png new file mode 100644 index 0000000..8b8e577 Binary files /dev/null and b/hw5/step4/fuzz-crash.png differ
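Review bot: in the first hw4.md hunk (`@@ -115,18 +115,22 @@`), the blank lines added after each numbered question only affect rendering and are fine, but while touching this region the fenced block that follows "The hash of the root password shown above is as follows" should get a language tag (```text) so markdown renderers do not try to syntax-highlight the `$6$` hash line; it is also worth stating in the answer to question 3 that the hashes come from `/etc/shadow` while `/etc/passwd` only lists the accounts, since the sentence currently cites both files for the user list.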
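Review bot: the second hw4.md hunk (`@@ -137,7 +141,7 @@`) fixes "simple" to "simply" but leaves "I then tried to crack the password hashcat and rockyou.txt" in the same line, which is missing a preposition; suggest "crack the password with hashcat and rockyou.txt". The unchanged context line "For sha512, we will want to use -m 1800" is also imprecise: hashcat mode 1800 is sha512crypt (the `$6$` format seen in the shadow entry), whereas plain SHA-512 is mode 1700, so naming the format as sha512crypt would make the reasoning verifiable.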
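Review bot: the first hw5.md hunk (`@@ -6,6 +6,8 @@`) inserts the "# Part 1 - Tutorial" heading, which is consistent with the "##" step headings below it, but the visible context line still reads "asignment" and could be corrected to "assignment" in the same pass; consider also noting under the new heading that the docker setup shown above it applies to both parts, since the heading now visually separates that setup from Part 1.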
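Review bot: in the second hw5.md hunk (`@@ -34,6 +36,13 @@`), the new "Step-2 Modifications" section asserts "we have already applied the `ceeb4f4` patch" but gives no evidence, so a reader cannot confirm the fuzzed server is the patched build; suggest linking to the Step-0 text where the patch was applied or showing the command or `git log` line that demonstrates it. There are also two consecutive blank lines before "## Step-3 Fuzzing" where one would do.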
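Review bot: the third hw5.md hunk (`@@ -45,4 +54,33 @@`) uses two different tool names for the same action, `afl-replay` in the CVE paragraph and `aflnet-replay` in the next one, and two different file names for the same input, "CVS_2019_7314.poc" in the text and `CVE_2019_7314.poc` in the image path; both should be made consistent so the reproduction steps can be followed. Smaller fixes in the same hunk: "craches" to "crashes", "performing and `aflnet-replay`" to "performing an `aflnet-replay`", and the Part 2 headings are currently empty placeholders with inconsistent numbering ("Step-1." versus "Step-2"), so either fill them in or mark them as TODO before merging.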