Sup Internet Secu.
parent
f23c1c615e
commit
aaa1b50685
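--- a/content/pages/stegano/crypto-Ohchae7Ohku9aQu.md
+++ b/content/pages/stegano/crypto-Ohchae7Ohku9aQu.md
@@ -0,0 +1,6 @@
+status: hidden
+title: Cryptography – ASCII Translation
+slug: crypto-Ohchae7Ohku9aQu
+robots: noindex
+
+2, 54, 69, 76, 67, 71, 66, 0, 52, 59, 77, 66, 66, 22, 56, 56, 58, 59, 60, 56, 7, 66, 55, 1, 59, 71, 64, 63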
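--- a/content/pages/stegano/crypto-UNgoo7olouheiHi.md
+++ b/content/pages/stegano/crypto-UNgoo7olouheiHi.md
@@ -0,0 +1,6 @@
+status: hidden
+title: Cryptography – Cæsar
+slug: crypto-UNgoo7olouheiHi
+robots: noindex
+
+2fu|swr0Rkfkdh:Rknx<dTx1kwpo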
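--- a/content/pages/stegano/crypto-ahzooCeeghie4od.md
+++ b/content/pages/stegano/crypto-ahzooCeeghie4od.md
@@ -0,0 +1,6 @@
+status: hidden
+title: Cryptography – XOR
+slug: crypto-ahzooCeeghie4od
+robots: noindex
+
+28, 80, 65, 74, 67, 71, 92, 30, 92, 91, 93, 82, 80, 91, 70, 3, 114, 90, 71, 91, 92, 65, 10, 29, 91, 71, 94, 95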
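--- a/content/pages/stegano/crypto-eithei7AiGi1Nei.md
+++ b/content/pages/stegano/crypto-eithei7AiGi1Nei.md
@@ -0,0 +1,6 @@
+status: hidden
+title: Cryptography – Rail Fence
+slug: crypto-eithei7AiGi1Nei
+robots: noindex
+
+/pUooihcyt-No7lueH.tlrogohim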
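--- a/content/pages/stegano/crypto-fa6tuodiethaiZ1.md
+++ b/content/pages/stegano/crypto-fa6tuodiethaiZ1.md
@@ -0,0 +1,6 @@
+status: hidden
+title: Steganography
+slug: crypto-fa6tuodiethaiZ1
+robots: noindex
+
+![cat]({filename}/images/cat.jpg)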
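--- a/content/pages/stegano/crypto-ohnachu0Aithor9.md
+++ b/content/pages/stegano/crypto-ohnachu0Aithor9.md
@@ -0,0 +1,6 @@
+status: hidden
+title: Cryptography – Route
+slug: crypto-ohnachu0Aithor9
+robots: noindex
+
+/-dZcfi1rae.y6thpthttuamooil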
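--- a/content/pages/stegano/crypto-oopheeS9Pih1se7.md
+++ b/content/pages/stegano/crypto-oopheeS9Pih1se7.md
@@ -0,0 +1,6 @@
+status: hidden
+title: Cybersécurité — Cryptography & Steganography
+slug: crypto-oopheeS9Pih1se7
+robots: noindex
+
+GG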
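--- a/content/pages/stegano/crypto-pohxoh6Waegidoh.md
+++ b/content/pages/stegano/crypto-pohxoh6Waegidoh.md
@@ -0,0 +1,6 @@
+status: hidden
+title: Steganography
+slug: crypto-pohxoh6Waegidoh
+robots: noindex
+
+![cat]({filename}/images/cat.png)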
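--- a/content/pages/stegano/intro.md
+++ b/content/pages/stegano/intro.md
@@ -0,0 +1,14 @@
+status: hidden
+title: Cybersécurité — Cryptography & Steganography
+robots: noindex
+
+# Cryptography & Steganography training
+
+Hi and welcome to a maze mixing cryptography and steganography, from
+each page you'll have to find a link to the next one.
+
+All URLS start with `/stegano-` and ends with `.html`.
+
+Here's the first one:
+
+2f 63 72 79 70 74 6f 2d 65 69 74 68 65 69 37 41 69 47 69 31 4e 65 69 2e 68 74 6d 6c 0a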
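Review bot: The prefix stated in the "All URLS start with /stegano- and ends with .html" line does not match the pages added in the same commit: every slug is `crypto-…`, and the solutions file decodes the hex line below it to `/crypto-eithei7AiGi1Nei.html`. A reader filtering candidate decodes by the announced prefix would discard the correct one, so the sentence should read `All URLs start with /crypto- and end with .html.` (keeping the inline-code markup on the two fragments). The hex string also ends in `0a`, so the decoded link carries a trailing newline; dropping that byte would make the result a clean path. This is the only page in the commit without a `slug:` line, which is worth confirming as intentional.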
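--- a/content/pages/stegano/solutions.md
+++ b/content/pages/stegano/solutions.md
@@ -0,0 +1,120 @@
+status: hidden
+title: Cybersécurité — Cryptography Solutions
+slug: crypto-solutions-jooT8pheejo7eev.html
+robots: noindex
+
+
+## Hexdump
+
+$ echo '/crypto-eithei7AiGi1Nei.html' | hexdump -C
+00000000 2f 63 72 79 70 74 6f 2d 65 69 74 68 65 69 37 41 |/crypto-eithei7A|
+00000010 69 47 69 31 4e 65 69 2e 68 74 6d 6c 0a |iGi1Nei.html.|
+0000001d
+
+>>> ''.join([chr(int(x, 16)) for x in '2f 63 72 79 70 74 6f 2d 65 69 74 68 65 69 37 41 69 47 69 31 4e 65 69 2e 68 74 6d 6c 0a'.split()])
+'/crypto-eithei7AiGi1Nei.html\n'
+
+
+## Rail Fence
+
+/crypto-UNgoo7olouheiHi.html
+
+/ p U o o i h
+c y t - N o 7 l u e H . t l
+r o g o h i m
+
+/pUooihcyt-No7lueH.tlrogohim
+
+
+/pUooihcyt-No7lueH.tlrogohim
+
+
+## Mandatory Cæsar
+
+>>> ''.join([chr(3 + ord(x)) for x in "/crypto-Ohchae7Ohku9aQu.html"])
+2fu|swr0Rkfkdh:Rknx<dTx1kwpo
+
+>>> ''.join([chr(ord(x) - 3) for x in '2fu|swr0Rkfkdh:Rknx<dTx1kwpo'])
+'/crypto-Ohchae7Ohku9aQu.html'
+
+
+## ASCII Translation
+
+>>> plaintext = '/crypto-ahzooCeeghie4od.html'
+>>> [ord(x) - min(ord(x) for x in plaintext) for x in plaintext]
+[2, 54, 69, 76, 67, 71, 66, 0, 52, 59, 77, 66, 66, 22, 56, 56, 58, 59, 60, 56, 7, 66, 55, 1, 59, 71, 64, 63]
+
+
+>>> for i in range(50):
+... ''.join([chr(i + int(x)) for x in '2, 54, 69, 76, 67, 71, 66, 0, 52, 59, 77, 66, 66, 22, 56, 56, 58, 59, 60, 56, 7, 66, 55, 1, 59, 71, 64, 63'.replace(',', ' ').split()])
+
+
+## XOR
+
+>>> plaintext = '/crypto-ohnachu0Aithor9.html'
+>>> [ord(x) ^ 0b00110011 for x in plaintext]
+[28, 80, 65, 74, 67, 71, 92, 30, 92, 91, 93, 82, 80, 91, 70, 3, 114, 90, 71, 91, 92, 65, 10, 29, 91, 71, 94, 95]
+
+
+>>> 28 ^ ord('/')
+51
+>>> ''.join([chr(int(x) ^ 51) for x in '28, 80, 65, 74, 67, 71, 92, 30, 92, 91, 93, 82, 80, 91, 70, 3, 114, 90, 71, 91, 92, 65, 10, 29, 91, 71, 94, 95'.split(', ')])
+'/crypto-ohnachu0Aithor9.html'
+
+
+## Route Cipher
+
+/crypto-fa6tuodiethaiZ1.html
+
+/crypto
+-fa6tuo
+diethai
+Z1.html
+
+>>> plaintext = '/crypto-fa6tuodiethaiZ1.html'
+>>> grid = list(zip(*[iter(plaintext)]*7))
+>>> for j in range(7):
+... for i in range(4):
+... print(grid[i][j], end='')
+...
+/-dZcfi1rae.y6thpthttuamooil
+
+
+## JPEG comment
+
+
+/crypto-pohxoh6Waegidoh.html
+
+sha1sum content/pages/stegano/meta.jpg
+3ff77e558b89d0901b01ac7891a32fea28aef88f content/pages/stegano/meta.jpg
+
+(pelican-mdk) mdk@windhowl (master)$ hexdump -C content/pages/stegano/meta.jpg | grep -C2 html
+00000240 fd a3 00 00 03 dc 00 00 c0 6e ff fe 00 1e 2f 63 |.........n..../c|
+00000250 72 79 70 74 6f 2d 70 6f 68 78 6f 68 36 57 61 65 |rypto-pohxoh6Wae|
+00000260 67 69 64 6f 68 2e 68 74 6d 6c ff db 00 43 00 08 |gidoh.html...C..|
+00000270 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d |................|
+00000280 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c |................|
+
+
+## PNG bits
+
+/crypto-oopheeS9Pih1se7.html
+
+>>> plaintext = '/crypto-oopheeS9Pih1se7.html'
+>>> binary_plaintext = ''.join("{:08b}".format(ord(c)) for c in plaintext)
+>>> input = cv2.imread('cat.png')
+>>> for i, b in enumerate(binary_plaintext):
+... input[0][i][2] = (input[0][i][2] & 0b11111110) + int(b)
+...
+>>> cv2.imwrite('cat2.png', input)
+True
+
+
+And in reverse:
+
+>>> import cv2
+>>> cat = cv2.imread('cat.png')
+>>> low_bits = [pixel[2] & 1 for pixel in cat[0]]
+>>> bytes = list(zip(*[iter(low_bits)]*8))
+>>> ''.join([chr(int(''.join(str(bit) for bit in bits), 2)) for bits in bytes])
+'/crypto-oopheeS9Pih1se7.html#É\x1a{Ú«'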
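Review bot: The front-matter line `slug: crypto-solutions-jooT8pheejo7eev.html` is the only slug in this commit that already carries the `.html` suffix; the other pages use a bare slug and are linked as `/<slug>.html`, so if the site appends the extension itself this page would be published as `….html.html`, and `slug: crypto-solutions-jooT8pheejo7eev` would be consistent with the rest. The JPEG section hashes and dumps `content/pages/stegano/meta.jpg`, while the page added for that step embeds `{filename}/images/cat.jpg`, and the PNG section writes `cat2.png` but reads back `cat.png`; it is worth confirming which files are actually shipped so the walkthrough can be reproduced. The solutions sit in the same tree as the exercises and are protected only by `status: hidden`, `robots: noindex` and an unguessable slug, which hides them from crawlers but not from anyone who can read the repository or the built site's file list; if either is visible to students, keeping this file out of the published content would be the safer arrangement.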
|
@ -6,47 +6,59 @@ robots: noindex
|
|||
# Rendu
|
||||
|
||||
Le rendu se fera par mail, par pièce jointe, sous forme d'un seul
|
||||
fichier, soit un `.zip`, soit un `.tar.gz`. Le fichier devra être
|
||||
nommé selon le format suivant : `printf("%s-%s_%s.%s", prénom, nom,
|
||||
nom_du_projet, zip ? "zip" : "tar.gz")`.
|
||||
fichier, soit un `.zip`, soit un `.tar.gz`.
|
||||
|
||||
Le fichier devra être nommé selon le format suivant :
|
||||
`printf("%s_%s.%s", nom_complet, nom_du_projet, zip ? "zip" :
|
||||
"tar.gz")`, votre nom complet étant typiquement composé de votre
|
||||
prénom puis de votre nom, séparés par un trait d'union. Tout autre
|
||||
caractères non alphabétique composant votre nom sera aussi retranscrit
|
||||
par un trait d'union. Le tout composé uniquement en bas-de-casse,
|
||||
typiquement :
|
||||
|
||||
- alan-turing_cryptanalyse.zip
|
||||
- bernard-d-orgeval_surfaces.zip
|
||||
- augusta-ada-king-noel-countess-of-lovelace_pysandbox.tar.gz
|
||||
|
||||
L'archive devra se décompresser en un seul dossier, contenant votre
|
||||
projet, au format: `printf("%s-%s_%s/", prénom, nom, nom_du_projet)`.
|
||||
```
|
||||
projet, au format: `printf("%s_%s/", nom_complet, nom_du_projet)`,
|
||||
en bas-de-casse encore.
|
||||
|
||||
|
||||
Pour une tarball, je doit donc voir quelque chose comme :
|
||||
|
||||
:::shell
|
||||
$ tar tf julien-palard_exercise.tar.gz
|
||||
julien-palard_exercise/
|
||||
julien-palard_exercise/setup.py
|
||||
julien-palard_exercise/README.md
|
||||
julien-palard_exercise/tests/
|
||||
julien-palard_exercise/tests/test_exercise.py
|
||||
julien-palard_exercise/src/exercise.py
|
||||
$ tar tf julien-palard_objdump.tar.gz
|
||||
julien-palard_objdump/
|
||||
julien-palard_objdump/setup.py
|
||||
julien-palard_objdump/README.md
|
||||
julien-palard_objdump/tests/
|
||||
julien-palard_objdump/tests/test_objdump.py
|
||||
julien-palard_objdump/src/objdump.py
|
||||
|
||||
|
||||
Ou pour un zip, quelque chose comme :
|
||||
|
||||
:::shell
|
||||
$ unzip -l julien-palard_exercise.zip
|
||||
Archive: julien-palard_exercise.zip
|
||||
$ unzip -l julien-palard_objdump.zip
|
||||
Archive: julien-palard_objdump.zip
|
||||
Length Date Time Name
|
||||
--------- ---------- ----- ----
|
||||
0 2016-11-18 09:34 julien-palard_exercise/
|
||||
0 2016-11-18 09:34 julien-palard_exercise/setup.py
|
||||
0 2016-11-18 09:34 julien-palard_exercise/README.md
|
||||
0 2016-11-18 09:34 julien-palard_exercise/tests/
|
||||
0 2016-11-18 09:34 julien-palard_exercise/tests/test_exercise.py
|
||||
0 2016-11-18 09:34 julien-palard_exercise/exercise.py
|
||||
0 2016-11-18 09:34 julien-palard_objdump/
|
||||
0 2016-11-18 09:34 julien-palard_objdump/setup.py
|
||||
0 2016-11-18 09:34 julien-palard_objdump/README.md
|
||||
0 2016-11-18 09:34 julien-palard_objdump/tests/
|
||||
0 2016-11-18 09:34 julien-palard_objdump/tests/test_objdump.py
|
||||
0 2016-11-18 09:34 julien-palard_objdump/objdump.py
|
||||
--------- -------
|
||||
0 6 files
|
||||
|
||||
|
||||
Le sujet du mail devra être au format `printf("Rendu %s",
|
||||
nom_du_projet)`, en respectant la casse.
|
||||
nom_du_projet)`. Seul le `R` de `Rendu` sera en majuscule, tout le
|
||||
reste doit être en bas-de-casse.
|
||||
|
||||
> Aucun rendu ne respectant pas strictement le format de rendu ne sera corrigé.
|
||||
> Un rendu ne respectant pas strictement le format de rendu risque de
|
||||
ne pas être corrigé.
|
||||
|
||||
Plusieurs rendus sont possibles (si vous corrigez un bug, ou ajoutez
|
||||
une fonctionalité). Seul le dernier rendu sera pris en compte.
|
||||
une fonctionalité). Seul le dernier rendu — avant l'heure limite —
|
||||
sera pris en compte.
|
||||
|
|
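--- a/content/pages/supinternet_secu_web.md
+++ b/content/pages/supinternet_secu_web.md
@@ -0,0 +1,199 @@
+status: hidden
+title: Sup'Internet — Cybersécurité — HTTP
+slug: e5eoGhcoh3phiD-supinternet-cybersecurite-http
+robots: noindex
+
+
+# Attaques via HTTP
+
+Chaque exemple suivant vous fournit le contenu d'un fichier PHP.
+
+Copiez simplement PHP dans un `index.php` dans un dossier vide de
+votre choix et démarrez y PHP simplement avec le serveur de dev:
+
+```
+$ php -S localhost:8080 -d zend.assertions=1
+```
+
+Chaque code contient un ``flag``, le but est de récupérer ce flag via
+HTTP. Évidemment vous connaissez le flag à l'avance, vous l'avez vu,
+vous l'avez copié avec le code, le but reste de réussir à l'obtenir
+via http://localhost:8000/.
+
+
+## Injection de code
+
+```
+<?php
+
+/* flag: sup3rs3cr3t */
+
+if (isset($_GET['solve']))
+echo eval('echo ' . $_GET['solve'] . ';');
+else
+echo 'Missing "solve" in query string';
+```
+
+
+## Injection de code — protection
+
+```
+<?php
+
+/* flag: sup3rs3cr3t */
+
+if (isset($_GET['solve']))
+{
+$blacklisteds = ['file_get_contents', 'open', 'exec', '`', 'shell', 'cmd', 'system'];
+foreach ($blacklisteds as $blacklisted)
+{
+if (strpos($_GET['solve'], $blacklisted) !== FALSE)
+{
+die("No way.");
+}
+}
+echo eval('echo ' . $_GET['solve'] . ';');
+}
+```
+
+
+## Basic Auth
+
+```
+<?php
+
+$admin_password = "Just_Imagine_You_Dont_Know_It_" . (string)rand();
+
+if ($_SERVER['REQUEST_METHOD'] == 'GET' ||
+$_SERVER['REQUEST_METHOD'] == 'POST')
+{
+if ($_SERVER['HTTP_AUTHORIZATION'] != 'Basic ' .
+base64_encode("root:" . $admin_password))
+{
+header('HTTP/1.0 401 Unauthorized');
+header('WWW-Authenticate: Basic realm="Admin Zone');
+die();
+}
+}
+
+echo "Access Granted!! You got root!";
+echo "Flag: Sup3rS3cr3t";
+```
+
+
+## File storage
+
+```
+<form method="post" enctype="multipart/form-data">
+<input type="file" name="file">
+<input type="submit" value="upload">
+</form>
+<pre>
+
+<?php
+
+$mysql_password = 'sup3rs3cr3t';
+
+$uploaddir = './uploads';
+$whitelist = ['image/jpeg', 'image/png'];
+@mkdir("./uploads", 0700);
+$uploadfile = $uploaddir . '/' . basename($_FILES['file']['name']);
+
+if (isset($_FILES['file']) && !in_array($_FILES['file']['type'], $whitelist)) {
+echo "Seulement jpg et png autorisés.";
+die();
+}
+
+if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
+echo "Le fichier est valide, et a été téléchargé
+avec succès : <a href='$uploadfile'>$uploadfile</a>\n";
+}
+
+echo 'debug:';
+
+print_r($_FILES);
+```
+
+## Assert
+
+```
+<?php
+
+/* flag: super secret */
+
+// Create a handler function
+function my_assert_handler($file, $line, $code)
+{
+echo "<hr>Assertion Failed:
+File '$file'<br />
+Line '$line'<br />
+Code '$code'<br /><hr />";
+}
+
+// Set up the callback
+assert_options(ASSERT_CALLBACK, 'my_assert_handler');
+
+ini_set('zend.assertions', '1');
+
+assert("strlen('" . $_GET["password"] . "') > 3",
+"Need a longer password");
+```
+
+
+## Transtypage
+
+
+```
+<?php
+
+$auth = json_decode($_GET['auth'], TRUE);
+
+$username = 'root';
+$password = 'secret' . rand() . rand() . rand(); // Yup, you can't know it, don't attack this.
+
+if (!empty($auth))
+{
+if ($auth['login'] == $username &&
+$auth['password'] == $password)
+{
+echo "flag: Super Secret Flag !";
+die();
+}
+else
+{
+echo "Bad login / password;";
+die();
+}
+}
+echo "Need a ?auth= query string with JSON like";
+echo " {'login': your_login, 'password': your_password}";
+```
+
+
+## Harder transtypage
+
+```
+<?php
+
+$auth = json_decode($_GET['auth'], TRUE);
+
+$username = 'root';
+$password = 'secret' . rand() . rand() . rand(); // Yup, you can't know it, don't attack this.
+
+if (!empty($auth))
+{
+if ($auth['login'] == $username &&
+!strcmp($auth['password'], $password))
+{
+echo "flag: Super Secret Flag !";
+die();
+}
+else
+{
+echo "Bad login / password;";
+die();
+}
+}
+echo "Need a ?auth= query string with JSON like";
+echo " {'login': your_login, 'password': your_password}";
+```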
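Review bot: The setup instructions disagree on the port: the command starts the dev server with `php -S localhost:8080`, but the paragraph after it sends students to `http://localhost:8000/`; the URL should read `via http://localhost:8080/.` so the first request does not fail. In the Basic Auth sample the realm quote is never closed; `header('WWW-Authenticate: Basic realm="Admin Zone"');` gives clients a well-formed challenge. The Assert sample passes a string to `assert()`, which PHP deprecated in 7.2 and no longer evaluates from 8.0, so the page should state the PHP version the exercises target. The heading `## Injection de code — protection` can be read as a recommended defence although the block is a substring denylist in front of `eval`; a short remark that it is the next exercise, and that the fix is not to evaluate request data at all, would prevent it being copied as a mitigation. It would also help to say explicitly that these scripts are meant to run only on the loopback dev server shown in the command.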