CS 335: Code Snippets

This page contains links to notes and code snippets.

• Juice Shop CTF
• Juice Shop Hints
• Juice Shop Intro
• Password Cracking
• Automating sqlmap
• Installing .NET
• Clickjack
• SQL
• DNS
• TCP
• UDP
• IP
• ARP
• Networking
• Buffer Overflow
• Shellshock
• Reverse Shell
• Upgrade VM
• Setup Environment
• File Commands and Directory Navigation
• Permissions
• Networking
• Process commands
• Clone a website

Juice Shop CTF

• registration: http://cs335-juice-shop-scoreboard.eastus.cloudapp.azure.com:8000/
• team 1: http://ycpcs24-cs335-team1.eastus.azurecontainer.io:3000
• team 2: http://ycpcs24-cs335-team2.eastus.azurecontainer.io:3000
• team 3: http://ycpcs24-cs335-team3.eastus.azurecontainer.io:3000
• team 4: http://ycpcs24-cs335-team4.eastus.azurecontainer.io:3000
• Individual Users
  • Local Environment: docker run -d -e "CTF_KEY=M2ZjODVkZTM5Y2JhODVhNDViNmU2MjM0" -p 3000:3000 bkimminich/juice-shop

To top

Juice Shop Hints

• Security by obscurity
  • Review page source (hardcoded secrets or hidden links)
  • robots.txt (hidden subdomains)
  • Review .js source files (hidden or hardcoded)
• Input Validation
  • CSRF
  • XSS Cheat Sheet
  • SQLi Cheat Sheet
  • Enable HTML Elements
  • API parameters
• Network Traffic
  • Any identifiers
  • Custom Headers
  • Edit and Reply traffic
• Server Exceptions

To top

Juice Shop Intro

• OWASP Juice Shop
  • Demo at https://demo.owasp-juice.shop/#/
  • slides
• docker pull bkimminich/juice-shop
• docker run --rm -p 3000:3000 bkimminich/juice-shop
  • Navigate to http://localhost:3000

To top

Password Cracking

• John The Ripper
  • git clone https://github.com/magnumripper/JohnTheRipper.git
  • cd ./JohnTheRipper/src
  • sudo apt-get install libssl-dev
  • cd src
  • ./configure
  • make -s clean && make -sj4
  • pip install --user dpkt
• Wordlists
  • rockyou.txt, extract with tar -xvf rockyou.txt.tar.gz
  • https://www.openwall.com/wordlists/
  • More under resources …
• Crack me
  • joke.docx
  • joke.pdf
  • joke.zip

To top

Automating sqlmap

• wget https://github.com/sqlmapproject/sqlmap/archive/master.zip --no-check-certificate
• sqlmap usage
• SqlmapRequest: SqlmapRequest.cs
• Program: Program.cs
• SqlmapApi: SqlmapApi.cs
• SqlmapLog: SqlmapLog.cs

To top

Installing .NET

• wget https://dot.net/v1/dotnet-install.sh -O dotnet-install.sh --no-check-certificate
• chmod +x ./dotnet-install.sh
• ./dotnet-install.sh --version latest
• Add the following to ~/.bashrc
  • export DOTNET_ROOT=$HOME/.dotnet
  • export PATH=$PATH:$DOTNET_ROOT:$DOTNET_ROOT/tools
• JSON serialization framework: Json.NET
  • dotnet add package Newtonsoft.Json --version 13.0.3

To top

Clickjack

• iframe Demo: index.html
• Labsetup: Labsetup.zip

To top

SQL

• Create Table: create-table.sql
• Insert Into: insert-into.sql

To top

DNS

• Send DNS query: send_dns_query.py
• DNS server: dns-server.py
• RFC
  • Domain Name System (DNS) IANA Considerations: 6895
  • DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION: 1035
  • Resource Records for the DNS Security Extensions: 4034
• DNS Cache
  • Dump: rndc dumpdb -cache
  • View: cat /var/cache/bind/dump.db
  • Flush: rndc flush
• Potential Traffic Issues
  • Delay by 100ms: tc qdisc add dev eth0 root netem delay 100ms
  • Delete the tc entry: tc qdisc del dev eth0 root netem
  • Show all tc entries: tc qdisc show dev eth0

To top

TCP

• Client: client.py
• Server: server.py
• Multi Server: server2.py
• Docker Compose: docker-compose.yml
• Synflood (python): synflood.py
• Synflood (C): synflood.c
• Reset: reset.py
• Auto Reset: auto_reset.py
• Hijack Session: hijack.py

To top

UDP

• Server: udp_server.py
• Attack: udp_attack.py

To top

IP

• Fragment: fragment.py
• ICMP: icmp.py
• Docker Compose: docker-compose.yml
• ICMP Redirect: icmp_redirect.py
• Ping: ping.py
• Traceroute: traceroute.py
  • sysctl net.ipv4.conf.all.accept_redirects=1

To top

ARP

• Docker Compose: docker-compose.yml
• arp_request: arp_request.py
• arp poisoning: arp.py
• arp mitm: mitm.py
  • sysctl -w net.ipv4.ip_forward=0

To top

Networking

• udp_client: udp_client.py
• udp_server: udp_server.py
• Docker Compose: docker-compose.yml
• Scapy:
  • sniff: sniff.py
  • icmp_spoof: icmp_spoof.py
  • udp_spoof: udp_spoof.py
  • sniff_spoof: sniff_spoof.py

To top

Buffer Overflow

• Buffer Overflow Example: buffer.c
• Memory Layout: layout.c
• Launching shell: launch_shell.c
• ASCII vs binary: print_zero.c
• Print esp: sp.c
• ASLR: aslr.c

To top

Shellshock

• Set-UID Example: vul.c

To top

Reverse Shell

• File Descriptors Intro: fd.c
• Redirection: redirect.c
• Duplicate a file descriptor: dup.c and dup2.c
• Redirecting IO to TCP Connections: tcp_in.c and tcp_out.c

To top

Upgrade VM

• sudo apt update - downloads package information from all configured sources.
• sudo apt upgrade - will upgrade all installed packages to their latest versions.
• sudo apt-get autoremove - deletes orphaned packages, or dependencies that remain installed after you have installed an application and then deleted it.
• sudo apt-get clean - removes all packages from the cache.

To top

Setup Environment

• Sublime: sudo snap install sublime-text --classic
• Visual Studio Code: sudo snap install --classic code
• clion: sudo snap install clion --classic

To top

File Commands and Directory Navigation

• cd go to $HOME directory.
• cd ... go one level up the directory tree.
• cd /etc to change to the /etc directory.
• ls list all files.
  • Use -R to list all-subdirectories as well
  • -a will list hidden files as well
  • Use the -al argument to view details
• pwd lists the present working directory.
• mkdir directory created a directory.
• rm -r directory removes the directory and its contents recursively. Use the f argument to forcefully remove, re: rm -rf directory.
• touch file will create an empty file.
• rm file removes a flle.
• cp file file2 will copy file to file2.
• mv file file2 renames or moves file to file2.
• cat filename will display the contests of filename.
• cat > filename creates a new file with filename.

To top

Permissions

• Legend
  • User or Owner U
  • Group G
  • World (Other Users) W
• Permission Classes
  • Read r
  • Write w
  • Execute x
• File Type
  • - regular file
  • d directory
• Examples
  • file desktop.ini: -rwxrwxrwx 1 seed seed 282 Dec 27 10:10 desktop.ini
  • directory host: drwxrwxrwx 1 seed seed 4096 Jan 20 13:22 host

  Number	Permission Type	Symbol
  0	No Permission	—
  1	Execute	–x
  2	Write	-w-
  3	Execute + Write	-wx
  4	Read	r–
  5	Read + Execute	r-x
  6	Read +Write	rw-
  7	Read + Write +Execute	rwx

• Permission Examples
  • chmod 777 filename: rwx rwx rwx
  • chmod 775 filename: rwx rwx r-x
  • chmod 755 filename: rwx r-x r-x
  • chmod 664 filename: rw- rw- r–
  • chmod 644 filename: rw- r– r–

To top

Networking

• ifconfig -a displays all network interfaces and IP address.
• hostname -I displays the IP addresses of the host (all local IP addresses).
• host domain displays IP address for domain.
• ping host sends ICMP echo request to host.
• whois domain displays whois records for domain.
• dig domain displays DNS information for domain.
• dig -x IP does reverse lookup of IP address.
• nslookup query Internet name servers interactively.
• To display the IP/kernel routing table:
  • netstat -rn
  • ip route
  • route -n

To top

Process commands

• bg sends a process to the background.
• fg runs a stopped process in the foreground.
• top shows details on all active processes.
• ps gives the status of processes running for a user.
• pidof gives the process id (PID) of a process.
• ps PID gets the status of a particular process.
• kill PID kills a process with PID .
• nice starts a process with a given priority.

To top

Clone a website

wget --mirror --convert-links --adjust-extension --page-requisites --no-check-certificate --no-parent https://site-to-copy.com

• --mirror make the download recursive.
• --no-parent do not crawl the parent/top directory.
• --convert-links makes all the links work properly with the offline copy.
• --page-requisites download JS/CSS files.
• --adjust-extension add the appropriate extensions (e.g. html, css, js) to files.
• --no-check-certificate ignores SSL certificate errors To top