initial commit

Kaushik Narayan R 2024-09-03 17:53:16 -07:00
commit 7edc5d5fa4
9 changed files with 810 additions and 0 deletions

1
.gitignore vendored Normal file

@ -0,0 +1 @@
*/result

80
1.12/sha256_crack.py Normal file

@ -0,0 +1,80 @@
import hashlib
import string
import itertools
import argparse
import time
import json
import re
def gen_perm_cipher(plain_text):
cipher_text = hashlib.sha256(plain_text.encode("ascii")).hexdigest()
return cipher_text
def gen_all_perms(
perm_len=6,
char_set=string.ascii_lowercase,
prefix_len=0,
resuming=False,
resume_pos=0,
):
"""
Permutation generator. Can specify length, character set and prefix length to rotate result files.
Can resume from a specified position as well.
If resuming, please ensure the other parameters are identical to the previous run. resume_pos is included
"""
if prefix_len == 0:
prefix_len = perm_len // 2
split_len = len(char_set) ** (perm_len - prefix_len)
print(
f"Permuting {perm_len}-character strings from {char_set}. Splitting on a {prefix_len}-character prefix."
)
if resuming:
print(f"Resuming from permutation {resume_pos}")
perms = {}
for i, item in enumerate(itertools.product(char_set, repeat=perm_len)):
if resuming and i < resume_pos:
pass
perm_plain = "".join(item)
perm_cipher = gen_perm_cipher(perm_plain)
perms[perm_plain] = perm_cipher
if (i + 1) % split_len == 0:
perms_str = json.dumps(perms, indent=0)[2:-2]
perms_str = re.sub(r'[":,]', "", perms_str)
print(f"saving {split_len} permutations...")
with open(
f"result/{next(iter(perms.keys()))[:prefix_len]}.perms", "w"
) as out_f:
print(perms_str, file=out_f)
perms = {}
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument(
"-p", "--perm_len", required=False, default=6, dest="p", type=int
)
parser.add_argument(
"-f", "--prefix_len", required=False, default=0, dest="f", type=int
)
parser.add_argument(
"-c",
"--char_set",
required=False,
default=string.ascii_lowercase,
dest="chars",
type=str,
)
args = parser.parse_args()
start_t = time.time()
gen_all_perms(args.p, args.chars, args.f)
end_t = time.time()
print(f"generated all pairs in {end_t-start_t} seconds")
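Review bot: The resume branch in `gen_all_perms` (`if resuming and i < resume_pos: pass`) is a no-op, so a resumed run still hashes and rewrites every permutation from the start; the statement should be `continue`. Even with that fix the docstring's "Can resume from a specified position" claim is only half true, because `resuming` and `resume_pos` are never wired to argparse in the `__main__` block, so the CLI cannot exercise that path at all. `open(f"result/...")` also assumes the `result/` directory already exists and raises FileNotFoundError otherwise; `os.makedirs("result", exist_ok=True)` before the loop would make the script self-contained, at the cost of adding `import os` to the import block at the top of this hunk. `plain_text.encode("ascii")` in `gen_perm_cipher` will raise UnicodeEncodeError if `--char_set` is ever given non-ASCII characters, which is worth either documenting or guarding.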

28
1.12/sha256_gen.py Normal file

@ -0,0 +1,28 @@
from typing import Tuple
import hashlib
import random
import string
def gen_plain_cipher() -> Tuple[str, str]:
plain_text = "".join([random.choice(string.ascii_lowercase) for _ in range(6)])
cipher_text = hashlib.sha256(plain_text.encode("ascii")).hexdigest()
return plain_text, cipher_text
def main():
plain_text, cipher_text = gen_plain_cipher()
print(f"Please submit the *plain-text string* for the SHA256 hash of \"{cipher_text}\".")
print("")
input_str = input("Your answer: ")
if input_str.strip(" \n\r") == plain_text:
with open("/flag", "r") as f:
print("Congrats! Your flag:", f.read())
else:
print("Incorrect input. Try again!")
if __name__ == "__main__":
main()
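Review bot: `gen_plain_cipher` draws the secret that gates `/flag` with `random.choice`, which is the Mersenne Twister PRNG rather than a CSPRNG; the stdlib convention for anything security-sensitive is `secrets.choice`, i.e. `plain_text = "".join(secrets.choice(string.ascii_lowercase) for _ in range(6))` with `import secrets` added to the imports at the top of the hunk. The 26^6 search space is small by design here (the exercise is to brute-force it), so this is a hygiene point rather than a weakening of the challenge. `Tuple` from `typing` can be the builtin `tuple[str, str]` on 3.9+, but the file gives no interpreter-version hint, so keep `Tuple` if that is uncertain.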

34
2.04/crack.c Normal file

@ -0,0 +1,34 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int verify(unsigned int v0, unsigned int v1, unsigned int v2, unsigned int v3)
{
if (!v0 || !v1 || !v2 || !v3)
return 0;
if (v1 * v0 + v2 - v3 != 1208779703)
return 0;
if (v1 - v0 != -24223)
return 0;
if (v3 - 5 * v2 == -129519)
return (v3 + v1) % 100000 == 40256;
return 0;
}
int main()
{
for (unsigned int v1 = 1; v1 < 75777; v1++)
{
unsigned int v0 = v1 + 24223;
for (unsigned int v2 = 25904; v2 < 45904; v2++)
{
unsigned int v3 = (5 * v2) - 129519;
if (verify(v0, v1, v2, v3))
{
printf("%u-%u-%u-%u\n", v0, v1, v2, v3);
return 0;
}
}
}
return 0;
}
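Review bot: `verify` compares unsigned differences against negative literals (`v1 - v0 != -24223`, `v3 - 5 * v2 == -129519`); this is correct only because both sides wrap modulo 2^32, and `-Wall -Wextra` will flag the sign comparison, so the intent deserves a comment such as `/* unsigned wraparound: v1 - v0 == (unsigned)-24223 iff v0 - v1 == 24223 */` above the first check. The same wraparound is presumably relied on in `v1 * v0 + v2 - v3`, mirroring 32-bit arithmetic in the original binary. The loop bounds `75777` and `45904` in `main` are unexplained magic numbers; a one-line comment deriving them (for instance from `v0 = v1 + 24223 < 100000` and `v3 = 5 * v2 - 129519 >= 1`, if that is where they come from) would help the next reader. `<stdlib.h>` and `<string.h>` are included but unused.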

551
2.06/soln.py Normal file

@ -0,0 +1,551 @@
import argparse
import time
def verify(ctx: str) -> bool:
result = 0
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[0]) > 127: # 0
result = result | 0x26
if ord(ctx[0]) & 0x40 != 0: # 0
result = result | 0x26
if ord(ctx[0]) & 0x20 == 0: # 1
result = result | 0x27
if ord(ctx[0]) & 0x10 == 0: # 1
result = result | 0x26
if ord(ctx[0]) & 8 != 0: # 0
result = result | 4
if ord(ctx[0]) & 4 == 0: # 1
result = result | 0x11
if ord(ctx[0]) & 2 == 0: # 1
result = result | 5
if ord(ctx[0]) & 1 != 0: # 0
result = result | 0x22
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[1]) > 127: # 0
result = result | 2
if ord(ctx[1]) & 0x40 != 0: # 0
result = result | 2
if ord(ctx[1]) & 0x20 == 0: # 1
result = result | 0x25
if ord(ctx[1]) & 0x10 == 0: # 1
result = result | 0x12
if ord(ctx[1]) & 8 != 0: # 0
result = result | 0x27
if ord(ctx[1]) & 4 == 0: # 1
result = result | 0x1C
if ord(ctx[1]) & 2 == 0: # 1
result = result | 9
if ord(ctx[1]) & 1 == 0: # 1
result = result | 0x11
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[2]) > 127: # 0
result = result | 0x11
if ord(ctx[2]) & 0x40 == 0: # 1
result = result | 0x15
if ord(ctx[2]) & 0x20 == 0: # 1
result = result | 0x11
if ord(ctx[2]) & 0x10 != 0: # 0
result = result | 0xD
if ord(ctx[2]) & 8 == 0: # 1
result = result | 0x29
if ord(ctx[2]) & 4 != 0: # 0
result = result | 0x23
if ord(ctx[2]) & 2 == 0: # 1
result = result | 0xD
if ord(ctx[2]) & 1 == 0: # 1
result = result | 0x1C
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[3]) > 127: # 0
result = result | 0x1E
if ord(ctx[3]) & 0x40 == 0: # 1
result = result | 0x28
if ord(ctx[3]) & 0x20 != 0: # 0
result = result | 0x28
if ord(ctx[3]) & 0x10 == 0: # 1
result = result | 0x14
if ord(ctx[3]) & 8 != 0: # 0
result = result | 0x1F
if ord(ctx[3]) & 4 == 0: # 1
result = result | 0x28
if ord(ctx[3]) & 2 == 0: # 1
result = result | 0x13
if ord(ctx[3]) & 1 == 0: # 1
result = result | 0x2C
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[4]) > 127: # 0
result = result | 0x19
if ord(ctx[4]) & 0x40 != 0: # 0
result = result | 0x11
if ord(ctx[4]) & 0x20 == 0: # 1
result = result | 0x1F
if ord(ctx[4]) & 0x10 == 0: # 1
result = result | 8
if ord(ctx[4]) & 8 != 0: # 0
result = result | 0x2D
if ord(ctx[4]) & 4 == 0: # 1
result = result | 0x1C
if ord(ctx[4]) & 2 == 0: # 1
result = result | 8
if ord(ctx[4]) & 1 != 0: # 0
result = result | 0x10
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[5]) > 127: # 0
result = result | 9
if ord(ctx[5]) & 0x40 == 0: # 1
result = result | 0x19
if ord(ctx[5]) & 0x20 != 0: # 0
result = result | 0x1C
if ord(ctx[5]) & 0x10 == 0: # 1
result = result | 0x17
if ord(ctx[5]) & 8 == 0: # 1
result = result | 0x27
if ord(ctx[5]) & 4 != 0: # 0
result = result | 0x18
if ord(ctx[5]) & 2 != 0: # 0
result = result | 0x2D
if ord(ctx[5]) & 1 == 0: # 1
result = result | 0x1A
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[6]) > 127: # 0
result = result | 0x10
if ord(ctx[6]) & 0x40 == 0: # 1
result = result | 7
if ord(ctx[6]) & 0x20 == 0: # 1
result = result | 0x2B
if ord(ctx[6]) & 0x10 != 0: # 0
result = result | 0x24
if ord(ctx[6]) & 8 == 0: # 1
result = result | 0x15
if ord(ctx[6]) & 4 == 0: # 1
result = result | 0xF
if ord(ctx[6]) & 2 == 0: # 1
result = result | 9
if ord(ctx[6]) & 1 != 0: # 0
result = result | 1
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[7]) > 127: # 0
result = result | 0x27
if ord(ctx[7]) & 0x40 == 0: # 1
result = result | 0xC
if ord(ctx[7]) & 0x20 != 0: # 0
result = result | 4
if ord(ctx[7]) & 0x10 != 0: # 0
result = result | 0x1A
if ord(ctx[7]) & 8 == 0: # 1
result = result | 0x14
if ord(ctx[7]) & 4 != 0: # 0
result = result | 0x1A
if ord(ctx[7]) & 2 == 0: # 1
result = result | 8
if ord(ctx[7]) & 1 == 0: # 1
result = result | 9
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[8]) > 127: # 0
result = result | 0x2C
if ord(ctx[8]) & 0x40 == 0: # 1
result = result | 0x16
if ord(ctx[8]) & 0x20 == 0: # 1
result = result | 0x22
if ord(ctx[8]) & 0x10 == 0: # 1
result = result | 0x28
if ord(ctx[8]) & 8 != 0: # 0
result = result | 0x22
if ord(ctx[8]) & 4 == 0: # 1
result = result | 9
if ord(ctx[8]) & 2 == 0: # 1
result = result | 0x17
if ord(ctx[8]) & 1 != 0: # 0
result = result | 0x22
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[9]) > 127: # 0
result = result | 0x19
if ord(ctx[9]) & 0x40 == 0: # 1
result = result | 0x29
if ord(ctx[9]) & 0x20 != 0: # 0
result = result | 0x2D
if ord(ctx[9]) & 0x10 == 0: # 1
result = result | 0x23
if ord(ctx[9]) & 8 != 0: # 0
result = result | 0x12
if ord(ctx[9]) & 4 == 0: # 1
result = result | 2
if ord(ctx[9]) & 2 != 0: # 0
result = result | 0x11
if ord(ctx[9]) & 1 != 0: # 0
result = result | 4
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[10]) > 127: # 0
result = result | 0x26
if ord(ctx[10]) & 0x40 == 0: # 1
result = result | 0x15
if ord(ctx[10]) & 0x20 == 0: # 1
result = result | 0xC
if ord(ctx[10]) & 0x10 == 0: # 1
result = 0x1B
if ord(ctx[10]) & 8 != 0: # 0
result = result | 0xD
if ord(ctx[10]) & 4 != 0: # 0
result = result | 0x24
if ord(ctx[10]) & 2 != 0: # 0
result = result | 0x21
if ord(ctx[10]) & 1 != 0: # 0
result = result | 0x23
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[0xB]) > 127: # 0
result = result | 0x16
if ord(ctx[0xB]) & 0x40 == 0: # 1
result = result | 0x11
if ord(ctx[0xB]) & 0x20 == 0: # 1
result = result | 7
if ord(ctx[0xB]) & 0x10 != 0: # 0
result = result | 0x19
if ord(ctx[0xB]) & 8 != 0: # 0
result = result | 0x1A
if ord(ctx[0xB]) & 4 != 0: # 0
result = result | 0x29
if ord(ctx[0xB]) & 2 != 0: # 0
result = result | 0x23
if ord(ctx[0xB]) & 1 == 0: # 1
result = result | 0x2A
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[0xC]) > 127: # 0
result = result | 0x2B
if ord(ctx[0xC]) & 0x40 == 0: # 1
result = result | 0x10
if ord(ctx[0xC]) & 0x20 == 0: # 1
result = result | 0x12
if ord(ctx[0xC]) & 0x10 == 0: # 1
result = result | 0x29
if ord(ctx[0xC]) & 8 != 0: # 0
result = result | 3
if ord(ctx[0xC]) & 4 != 0: # 0
result = result | 0x1C
if ord(ctx[0xC]) & 2 != 0: # 0
result = result | 0x11
if ord(ctx[0xC]) & 1 == 0: # 1
result = result | 4
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[0xD]) > 127: # 0
result = result | 0x16
if ord(ctx[0xD]) & 0x40 == 0: # 1
result = result | 0x21
if ord(ctx[0xD]) & 0x20 == 0: # 1
result = result | 2
if ord(ctx[0xD]) & 0x10 != 0: # 0
result = result | 0x2D
if ord(ctx[0xD]) & 8 == 0: # 1
result = result | 0x1D
if ord(ctx[0xD]) & 4 == 0: # 1
result = result | 0xB
if ord(ctx[0xD]) & 2 == 0: # 1
result = result | 9
if ord(ctx[0xD]) & 1 == 0: # 1
result = result | 0xC
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[0xE]) > 127: # 0
result = result | 0x24
if ord(ctx[0xE]) & 0x40 == 0: # 1
result = result | 0x12
if ord(ctx[0xE]) & 0x20 != 0: # 0
result = result | 0x22
if ord(ctx[0xE]) & 0x10 != 0: # 0
result = result | 0xE
if ord(ctx[0xE]) & 8 != 0: # 0
result = result | 9
if ord(ctx[0xE]) & 4 != 0: # 0
result = result | 2
if ord(ctx[0xE]) & 2 == 0: # 1
result = result | 0x28
if ord(ctx[0xE]) & 1 != 0: # 0
result = result | 0x2C
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[0xF]) > 127: # 0
result = result | 0x2B
if ord(ctx[0xF]) & 0x40 == 0: # 1
result = result | 0x27
if ord(ctx[0xF]) & 0x20 != 0: # 0
result = result | 0x21
if ord(ctx[0xF]) & 0x10 == 0: # 1
result = result | 0x1F
if ord(ctx[0xF]) & 8 == 0: # 1
result = result | 9
if ord(ctx[0xF]) & 4 != 0: # 0
result = result | 10
if ord(ctx[0xF]) & 2 != 0: # 0
result = result | 0xC
if ord(ctx[0xF]) & 1 != 0: # 0
result = result | 0x23
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[0x10]) > 127: # 0
result = result | 7
if ord(ctx[0x10]) & 0x40 != 0: # 0
result = result | 0x2B
if ord(ctx[0x10]) & 0x20 == 0: # 1
result = result | 0x21
if ord(ctx[0x10]) & 0x10 == 0: # 1
result = result | 0x28
if ord(ctx[0x10]) & 8 != 0: # 0
result = result | 0x2B
if ord(ctx[0x10]) & 4 != 0: # 0
result = result | 4
if ord(ctx[0x10]) & 2 != 0: # 0
result = result | 8
if ord(ctx[0x10]) & 1 == 0: # 1
result = result | 0x26
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[0x11]) > 127: # 0
result = result | 0x1E
if ord(ctx[0x11]) & 0x40 == 0: # 1
result = result | 0x11
if ord(ctx[0x11]) & 0x20 != 0: # 0
result = result | 2
if ord(ctx[0x11]) & 0x10 != 0: # 0
result = result | 0x19
if ord(ctx[0x11]) & 8 != 0: # 0
result = result | 0x29
if ord(ctx[0x11]) & 4 == 0: # 1
result = result | 0x18
if ord(ctx[0x11]) & 2 == 0: # 1
result = result | 3
if ord(ctx[0x11]) & 1 != 0: # 0
result = result | 0x1D
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[0x12]) > 127: # 0
result = result | 0x1A
if ord(ctx[0x12]) & 0x40 != 0: # 0
result = result | 0x25
if ord(ctx[0x12]) & 0x20 == 0: # 1
result = result | 0x26
if ord(ctx[0x12]) & 0x10 == 0: # 1
result = result | 0x11
if ord(ctx[0x12]) & 8 == 0: # 1
result = result | 0x1A
if ord(ctx[0x12]) & 4 != 0: # 0
result = result | 0x28
if ord(ctx[0x12]) & 2 != 0: # 0
result = result | 0x15
if ord(ctx[0x12]) & 1 != 0: # 0
result = result | 0x10
"""""" """""" """""" """""" """""" """""" """""" """""" """""" """"""
if ord(ctx[0x13]) > 127: # 0
result = result | 0x27
if ord(ctx[0x13]) & 0x40 == 0: # 1
result = result | 0xB
if ord(ctx[0x13]) & 0x20 == 0: # 1
result = result | 0x21
if ord(ctx[0x13]) & 0x10 != 0: # 0
result = result | 0x2C
if ord(ctx[0x13]) & 8 == 0: # 1
result = result | 0x1C
if ord(ctx[0x13]) & 4 == 0: # 1
result = result | 0xD
if ord(ctx[0x13]) & 2 != 0: # 0
result = result | 0x14
if ord(ctx[0x13]) & 1 != 0: # 0
result = result | 0x14
# 00110110 00110111 01101011 01010111 00110110 01011001 01101110 01001011 01110110 01010100 01110000 01100001 01110001 01101111 01000010 01011000 00110001 01000110 00111000 01101100
return result == 0
def main():
parser = argparse.ArgumentParser()
parser.add_argument("-s", "--binary_str", required=True, dest="in_str", type=str)
args = parser.parse_args()
target_str = "".join([chr(int(x, base=2)) for x in args.in_str.split()])
print(target_str)
start_t = time.time()
if verify(target_str):
print("OMG")
print(args.in_str)
print(target_str)
end_t = time.time()
print(f"checked string in {end_t-start_t} seconds")
if __name__ == "__main__":
main()
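Review bot: `verify` indexes `ctx[0]` through `ctx[0x13]` unconditionally, so a string shorter than 20 characters (which `main` will happily build from a short `--binary_str`) raises IndexError instead of returning False; add `if len(ctx) < 20: return False` at the top of the function. The `"""""" """""" …` lines between the per-byte groups are bare string expression statements, not comments — harmless no-ops, but misleading; `# --- byte 1 ---` style comments would say what they mean. At `ctx[10]` bit `0x10` the branch reads `result = 0x1B` where every sibling reads `result = result | …`; this looks like a transcription slip, and although it does not change the `result == 0` outcome (any triggered branch already makes `result` nonzero), it should be made consistent. The trailing `# 0` / `# 1` comments record which bit value keeps each branch from firing, which is the actual decoding key of this function; a one-line header comment stating that would save the next reader from rediscovering it.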

115
Dojo Notes.md Normal file

@ -0,0 +1,115 @@
# CSE 545 pwn.college Dojo
## Project 01 Linux Lifter
### .05 - find
- `find / randomly_placed_file` - way too many files
- read the man page. `find -name randomly_placed_file` found it
- didn't specify a folder to search in tho, ig it's cuz cwd is /
### .06 - find and exec
- "Optional Exercise: Why do they think it worked with `-exec` parameter of the `find` command, but we get permission denied using standalone `cat` command? Hint: SUID bit was set for the `find` command."
- indeed, we see that `/usr/bin/find` has its *setuid* bit set:
![-rwsr-xr-x 1 root root 320160 Feb 18 2020 /usr/bin/find*](ss1.png)
- [see here](https://unix.stackexchange.com/a/389706/595039) for find stuff
- `find / -name random_cant_flag -exec cat {} ';'` worked
### .07 - return code
- `$?` is the return code of the last executed command
- range 0 to 255
### .08 - python
- SUID on python this time
### .11 - search me
- `/challenge/tester.sh` is printing `/flag` but the file is missing
- `/challenge/cp` has SUID bit set
- preliminary find revealed a possible file deep in `/tmp`
- `find /tmp/that/full/path -name flag -exec /challenge/cp {} /flag ';'`
### .12 - hash it out
- used online tool to generate SHA256
### .13 - hash full
- here we go
- a-z, 6 spaces, so 26^6 possibilities
- plaintext is 6 letters, so 48 bits. hash is SHA256 so 256 bits.
- storage per line:`<hash><plaintext>` that's 304 bits, 312 if including newline character
- total storage exceeds 11GB!!
- refinement 1: 256-bit hash is pretty unique. if we cut down on the portion of the hash stored, we should be able to save a ton of space while only slightly increasing the margin of error. let's assume plaintext has to be stored entirely for now, so total per line is 184 bits.
- eh fk it, just generated all permutations. 22GB storage, 20 min to generate, search using VSCode search took a few more minutes
## Project 02 Unwinding Binaries (Reversing)
### .01 - looking inside
- not sure how to use ghidra, didn't seem to work either
- `angr decompile /challenge/run` revealed a `strcmp` with the key, ez
### .02 - the mangler
- 'mangling' is just subtracting 3 from the char's ascii value. so just add 3 to the key
### .03 - xor plus
- mangling is adding 3 then xor with 2. so just xor with 2, then subtract 3
#### lab 2a.02
![lab code snippet](ss2.png)
- ascii values
### .04 - solve for x
- NOTE: angr screwed up, and gave an incorrect result (== instead of !=)
- use ghidra (GUI) or [dogbolt](https://dogbolt.org) for binaries under 2MB
- anyway, math solving:
- we get a few eqns:
- v1 = v0 - 24223
- v3 = 5v2 - 129519
- use these eqns to reduce from brute-force 4 nested loops to 2 nested loops
- then verifying the rest gets us one soln
- runtime < 3 seconds
### .05 - extra verification
- angr just straight up hangs lol
- holy sh*t so many if statements
- boils down to byte by byte, check 1 or 0, check +ve or -ve (MSB)
- 00 - 00110111
- 01 - 01000111
- 02 - 01000011
- 03 - 01010110
- 04 - 00110100
- 05 - 01010010
- 06 - 01011010
- 07 - 01001001
- 08 - 01000001
- 09 - 00110100
- 10 - 01011001
- 11 - 00111000
- 12 - 01111001
- 13 - 00110011
- 14 - 01110011
- 15 - 01001000
- 16 - 00110101
- 17 - 00111000
- 18 - 01101010
- 19 - 01010111 (binary ninja and hex-rays disagreed on this, binary ninja was right)
- could have automated this smh
### .06 - extra verification II
- first ordered all if statements to get bitwise order of the string (hell.)
- for result to be 0 at the end, just don't modify it at all
- so for each if statement, check which of 0/1 makes it false (find and replace ftw)
- ascii string is 67kW6YnKvTpaqoBX1F8l
- really should have automated this

1
README.md Normal file

@ -0,0 +1 @@
# Assignments for Fall 2024 CSE545 - Software Security at ASU

BIN
ss1.png Normal file


BIN
ss2.png Normal file
