### Starting and Disassembling in GDB Source: https://github.com/osirislab/ctf101/blob/master/docs/reverse-engineering/what-is-gdb.md Learn how to start GDB with a program and view its disassembled code. GDB supports autocompletion for function names. ```gdb gdb [program] (gdb) disassemble [address/symbol] (gdb) disas main ``` -------------------------------- ### x86-64 Assembly Instruction Examples Source: https://github.com/osirislab/ctf101/blob/master/docs/reverse-engineering/what-is-assembly-machine-code.md Illustrates various common x86-64 assembly instructions, including data movement, arithmetic operations, and memory access. It shows how instructions are represented in hexadecimal and provides examples of direct data movement and memory-based data retrieval. ```assembly add rax, rbx mov rax, 0xdeadbeef mov rax, [0xdeadbeef] == 67 48 8b 05 ef be ad de "Hello" == 48 65 6c 6c 6f == 48 01 d8 == 48 c7 c0 ef be ad de ``` -------------------------------- ### Stack Buffer Example in C Source: https://github.com/osirislab/ctf101/blob/master/docs/binary-exploitation/what-are-buffers.md Demonstrates a stack-allocated buffer in C. The `name` array is declared on the stack and can store up to 63 characters plus a null terminator, with potential for overflow if more data is read. ```c #include int main() { char name[64] = {0}; read(0, name, 63); printf("Hello %s", name); return 0; } ``` -------------------------------- ### PHP Stream Filter Example: Stripping HTML Tags Source: https://github.com/osirislab/ctf101/blob/master/docs/web-exploitation/php/what-is-php.md Demonstrates how to use PHP stream filters to automatically remove specific HTML tags from output. This example appends the 'string.strip_tags' filter to a file pointer opened to 'php://output'. ```php $fp = fopen('php://output', 'w'); stream_filter_append( $fp, 'string.strip_tags', STREAM_FILTER_WRITE, array('b','i','u')); fwrite($fp, "bolded text enlarged to a

level 1 heading

\n"); /* bolded text enlarged to a level 1 heading */ ``` -------------------------------- ### Substitution cipher ciphertext example Source: https://github.com/osirislab/ctf101/blob/master/docs/cryptography/what-is-a-substitution-cipher.md A sample of encrypted text representing a substitution cipher, used for demonstrating cryptanalysis techniques like frequency analysis. ```text Rbo rpktigo vcrb bwucja wj kloj hcjd, km sktpqo, cq rbwr loklgo vcgg cjqcqr kj skhcja wgkja wjd rpycja rk ltr rbcjaq cj cr. ``` -------------------------------- ### C Code Example for ROP Demonstration (32-bit) Source: https://github.com/osirislab/ctf101/blob/master/docs/binary-exploitation/return-oriented-programming.md This C code demonstrates a common scenario for Return Oriented Programming (ROP) attacks. It includes a buffer overflow vulnerability in the 'echo' buffer, allowing an attacker to control the program's execution flow when 'main' returns. The program also uses 'system("/bin/date")', which can be a target for ROP. ```c #include #include char name[32]; int main() { printf("What's your name? "); read(0, name, 32); printf("Hi %s\n", name); printf("The time is currently "); system("/bin/date"); char echo[100]; printf("What do you want me to echo back? "); read(0, echo, 1000); puts(echo); return 0; } ``` -------------------------------- ### Heap Buffer Example in C Source: https://github.com/osirislab/ctf101/blob/master/docs/binary-exploitation/what-are-buffers.md Shows a dynamically allocated buffer on the heap in C using `malloc`. The `name` pointer points to a memory block of 64 bytes. Proper memory management, including freeing the allocated memory, is crucial. ```c #include #include int main() { char *name = malloc(64); memset(name, 0, 64); read(0, name, 63); printf("Hello %s", name); return 0; } ``` -------------------------------- ### x86 Assembly: main function Source: https://github.com/osirislab/ctf101/blob/master/docs/binary-exploitation/what-is-the-stack.md The 32-bit x86 assembly code for the `main` function. It handles argument count checking, argument retrieval, and calls the `say_hi` function. The code demonstrates stack frame setup, conditional branching, and function calls. ```asm 08048427
: 8048427: 8d 4c 24 04 lea ecx,[esp+0x4] 804842b: 83 e4 f0 and esp,0xfffffff0 804842e: ff 71 fc push DWORD PTR [ecx-0x4] 8048431: 55 push ebp 8048432: 89 e5 mov ebp,esp 8048434: 51 push ecx 8048435: 83 ec 14 sub esp,0x14 8048438: 89 c8 mov eax,ecx 804843a: 83 38 02 cmp DWORD PTR [eax],0x2 804843d: 74 07 je 8048446 804843f: b8 01 00 00 00 mov eax,0x1 8048444: eb 1c jmp 8048462 8048446: 8b 40 04 mov eax,DWORD PTR [eax+0x4] 8048449: 8b 40 04 mov eax,DWORD PTR [eax+0x4] 804844c: 89 45 f4 mov DWORD PTR [ebp-0xc],eax 804844f: 83 ec 0c sub esp,0xc 8048452: ff 75 f4 push DWORD PTR [ebp-0xc] 8048455: e8 b1 ff ff ff call 804840b 804845a: 83 c4 10 add esp,0x10 804845d: b8 00 00 00 00 mov eax,0x0 8048462: 8b 4d fc mov ecx,DWORD PTR [ebp-0x4] 8048465: c9 leave 8048466: 8d 61 fc lea esp,[ecx-0x4] 8048469: c3 ret ``` -------------------------------- ### Bash Command Execution Example Source: https://github.com/osirislab/ctf101/blob/master/docs/web-exploitation/command-injection/what-is-command-injection.md Illustrates how a semicolon acts as a command separator in Bash, enabling the execution of multiple commands sequentially. This is fundamental to understanding command injection, where an attacker can leverage this behavior to run unintended commands. ```bash ping ; ls ``` -------------------------------- ### PHP Login Authentication Example Source: https://github.com/osirislab/ctf101/blob/master/docs/web-exploitation/php/what-is-php.md This PHP code snippet demonstrates a basic login authentication mechanism. It checks for POST data containing email and password, hashes the password using SHA1, and compares it with the database. Successful authentication redirects the user to index.php. ```php query("SELECT * FROM users WHERE email = '$email' AND password = '$password'"); if ($row = $res->fetch_assoc()) { $_SESSION['id'] = $row['id']; header('Location: index.php'); die(); } } ?> ... ``` -------------------------------- ### cdecl Function Argument Passing (C) Source: https://github.com/osirislab/ctf101/blob/master/docs/binary-exploitation/what-are-calling-conventions.md Illustrates the cdecl calling convention for 32-bit Linux binaries. Arguments are pushed onto the stack in reverse order before function invocation. This example shows a simple addition function. ```c int add(int a, int b, int c) { return a + b + c; } ``` -------------------------------- ### Python Command Injection using os.system() Source: https://github.com/osirislab/ctf101/blob/master/docs/web-exploitation/command-injection/what-is-command-injection.md Demonstrates a basic command injection vulnerability in Python using the `os.system()` function. The code concatenates user input directly into a system command, allowing for arbitrary command execution if the input is not properly sanitized. This example highlights how a semicolon can be used to terminate the intended command and append a new one. ```python import os domain = user_input() # ctf101.org os.system('ping ' + domain) ``` ```python import os domain = user_input() # ; ls os.system('ping ' + domain) ``` -------------------------------- ### Reflected XSS Example URL Source: https://github.com/osirislab/ctf101/blob/master/docs/web-exploitation/cross-site-scripting/what-is-cross-site-scripting.md Demonstrates a typical URL structure for a Reflected XSS attack, where the malicious script is passed as a GET parameter. The vulnerability occurs if the web application directly injects this parameter's value into the DOM without proper sanitization. ```text https://ctf101.org?data= ``` -------------------------------- ### Hello World in C Source: https://github.com/osirislab/ctf101/blob/master/docs/reverse-engineering/what-is-c.md A basic C program that prints 'Hello, World!' to the standard output. It demonstrates the standard library inclusion and the main function entry point. ```c #include int main() { printf("Hello, World!"); return 0; } ``` -------------------------------- ### C Program: say_hi and main functions Source: https://github.com/osirislab/ctf101/blob/master/docs/binary-exploitation/what-is-the-stack.md This C code defines two functions: `say_hi` which prints a greeting, and `main` which handles command-line arguments and calls `say_hi`. It serves as the basis for the stack analysis. ```c #include void say_hi(const char * name) { printf("Hello %s!\n", name); } int main(int argc, char ** argv) { char * name; if (argc != 2) { return 1; } name = argv[1]; say_hi(name); return 0; } ``` -------------------------------- ### Reflected XSS HTML Injection Example Source: https://github.com/osirislab/ctf101/blob/master/docs/web-exploitation/cross-site-scripting/what-is-cross-site-scripting.md Illustrates how a Reflected XSS payload, when injected into the DOM by a vulnerable web application, can result in the execution of client-side scripts. This example shows a simple JavaScript alert. ```html ``` -------------------------------- ### Array Declaration and Indexing in C Source: https://github.com/osirislab/ctf101/blob/master/docs/reverse-engineering/what-is-c.md Shows the syntax for declaring, initializing, and accessing elements within an array. It highlights that C arrays are zero-indexed. ```c int integers[ 10 ] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}; int val = integers[5]; ``` -------------------------------- ### Stack State: After calling say_hi Source: https://github.com/osirislab/ctf101/blob/master/docs/binary-exploitation/what-is-the-stack.md Illustrates the stack layout immediately after the `call` instruction in `main` transfers control to `say_hi`. It shows the return address pushed onto the stack and the initial state of ESP and EBP. ```asm EIP = 0x0804840b (push ebp) ESP = 0xffff0000 EBP = 0xffff002c 0xffff0004: 0xffffa0a0 // say_hi argument 1 ESP -> 0xffff0000: 0x0804845a // Return address for say_hi ``` -------------------------------- ### Stack State Before printf Call (Assembly) Source: https://github.com/osirislab/ctf101/blob/master/docs/binary-exploitation/what-is-the-stack.md Illustrates the stack configuration just before the 'printf' function is called. It shows the arguments being pushed onto the stack, including the return address for 'say_hi'. ```Assembly 0xffff0004: 0xffffa0a0 // say_hi argument 1 0xffff0000: 0x0804845a // Return address for say_hi EBP -> 0xfffefffc: 0xffff002c // Saved EBP 0xfffefff8: UNDEFINED 0xfffefff4: UNDEFINED 0xfffefff0: UNDEFINED 0xfffeffec: UNDEFINED 0xfffeffe8: 0xffffa0a0 // printf argument 2 0xfffeffe4: 0x080484f0 // printf argument 1 ESP -> 0xfffeffe0: 0x08048421 // Return address for printf ``` -------------------------------- ### Original C Source Code Source: https://github.com/osirislab/ctf101/blob/master/docs/reverse-engineering/what-are-decompilers.md The original C source code for the example program. This code includes functions to print a string and a spacer line. ```c #include void printSpacer(int num){ for(int i = 0; i < num; ++i){ printf("-"); } printf("\n"); } int main() { char* string = "Hello, World!"; for(int i = 0; i < 13; ++i){ printf("%c", string[i]); for(int j = i+1; j < 13; j++){ printf("%c", string[j]); } printf("\n"); printSpacer(13 - i); } return 0; } ``` -------------------------------- ### SQL Injection Payload Examples Source: https://github.com/osirislab/ctf101/blob/master/docs/web-exploitation/sql-injection/what-is-sql-injection.md Illustrates how malicious inputs like OR clauses and comment characters can manipulate the structure and execution of SQL statements. ```sql SELECT * FROM users WHERE username=''' SELECT * FROM users WHERE username='' OR 1=1 SELECT * FROM users WHERE username=''-- ' ``` -------------------------------- ### Demonstrate Lazy Function Resolution in C Source: https://github.com/osirislab/ctf101/blob/master/docs/binary-exploitation/what-is-the-got.md A simple C program illustrating the use of the puts function. This demonstrates how the dynamic linker resolves the address of puts upon its first invocation. ```c int main() { puts("Hi there!"); puts("Ok bye now."); return 0; } ``` -------------------------------- ### C Heap Allocation and Deallocation with malloc and free Source: https://github.com/osirislab/ctf101/blob/master/docs/binary-exploitation/what-is-the-heap.md This C code snippet demonstrates dynamic memory allocation on the heap using `malloc` and deallocation using `free`. It prompts the user for a size, allocates that many bytes, reads input into the allocated memory, prints the input, and then frees the memory. It requires the ``, ``, ``, and `` headers. ```c #include #include #include #include int main() { unsigned alloc_size = 0; char *stuff; printf("Number of bytes? "); scanf("%u", &alloc_size); stuff = malloc(alloc_size + 1); memset(stuff, 0, alloc_size + 1); read(0, stuff, alloc_size); printf("You wrote: %s", stuff); free(stuff); return 0; } ``` -------------------------------- ### Stack State: After say_hi prologue Source: https://github.com/osirislab/ctf101/blob/master/docs/binary-exploitation/what-is-the-stack.md Depicts the stack after the initial instructions of `say_hi` have executed, specifically after saving the old EBP. This shows how the stack pointer (ESP) decreases as values are pushed. ```asm EIP = 0x0804840c (mov ebp, esp) ESP = 0xfffefffc EBP = 0xffff002c 0xffff0004: 0xffffa0a0 // say_hi argument 1 0xffff0000: 0x0804845a // Return address for say_hi ESP -> 0xfffefffc: 0xffff002c // Saved EBP ``` -------------------------------- ### View Captured Packets with tshark Source: https://github.com/osirislab/ctf101/blob/master/docs/forensics/what-is-packet-capture.md The `tshark` command-line utility is used to read and analyze packet capture files generated by `tcpdump`. It provides detailed information about each packet in a human-readable format. ```javascript scribbl@rogstation:~/examples$ sudo tcpdump -i eth0 tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 17:32:07.557403 IP rogstation.mshome.net.57621 > 172.22.207.255.57621: UDP, length 44 17:32:07.633396 IP 172.22.206.250.58387 > rogstation.mshome.net.domain: 38921+ PTR? 255.207.22.172.in-addr.arpa. (45) 17:32:07.634756 IP rogstation.mshome.net.mdns > mdns.mcast.net.mdns: 0 PTR (QM)? 255.207.22.172.in-addr.arpa.local. (51) 17:32:07.635213 IP6 rogstation.mdns > ff02::fb.mdns: 0 PTR (QM)? 255.207.22.172.in-addr.arpa.local. (51) 17:32:07.640442 IP rogstation.mshome.net.mdns > mdns.mcast.net.mdns: 0 PTR (QM)? 255.207.22.172.in-addr.arpa.local. (51) 17:32:07.640689 IP6 rogstation.mdns > ff02::fb.mdns: 0 PTR (QM)? 255.207.22.172.in-addr.arpa.local. (51) 17:32:08.718973 IP rogstation.mshome.net.mdns > mdns.mcast.net.mdns: 0 PTR (QM)? 255.207.22.172.in-addr.arpa.local. (51) ... ``` ```javascript scribbl@rogstation:~/examples$ tshark -r packets.pcap 1 0.000000 172.22.192.1 → 224.0.0.251 MDNS 87 Standard query 0x0000 PTR _spotify-connect._tcp.local, "QM" question 2 0.000355 fe80::a6ee:2618:bd01:f6c5 → ff02::fb MDNS 107 Standard query 0x0000 PTR _spotify-connect._tcp.local, "QM" question 3 3.036792 172.22.192.1 → 239.255.255.250 SSDP 167 M-SEARCH * HTTP/1.1 4 12.456780 172.22.192.1 → 172.22.207.255 UDP 86 57621 → 57621 Len=44 5 45.024825 172.22.192.1 → 172.22.207.255 UDP 86 57621 → 57621 Len=44 ``` -------------------------------- ### Stack State: Before calling printf Source: https://github.com/osirislab/ctf101/blob/master/docs/binary-exploitation/what-is-the-stack.md Shows the stack configuration just before the `call` to `printf`. The arguments for `printf` (the format string address and the name string address) have been pushed onto the stack in reverse order. ```asm EIP = 0x0804841c (call printf@plt) ESP = 0xfffeffe4 EBP = 0xfffefffc 0xffff0004: 0xffffa0a0 // say_hi argument 1 0xffff0000: 0x0804845a // Return address for say_hi EBP -> 0xfffefffc: 0xffff002c // Saved EBP 0xfffefff8: UNDEFINED 0xfffefff4: UNDEFINED 0xfffefff0: UNDEFINED 0xfffeffec: UNDEFINED 0xfffeffe8: 0xffffa0a0 // printf argument 2 ESP -> 0xfffeffe4: 0x080484f0 // printf argument 1 ``` -------------------------------- ### Vulnerable PHP File Inclusion Source: https://github.com/osirislab/ctf101/blob/master/docs/web-exploitation/directory-traversal/what-is-directory-traversal.md Demonstrates a common Directory Traversal vulnerability in PHP where user-supplied GET parameters are directly concatenated into a file path for the include function without sanitization. ```php ``` -------------------------------- ### Generate File Hash via Command Line Source: https://github.com/osirislab/ctf101/blob/master/docs/cryptography/what-are-hashing-functions.md Demonstrates how to calculate the MD5 hash of a specific file using the md5sum utility to verify file integrity. ```bash md5sum samplefile.txt ``` -------------------------------- ### Exploit Buffer Overflow with Python Source: https://github.com/osirislab/ctf101/blob/master/docs/binary-exploitation/buffer-overflow.md Python one-liners used to generate payloads for buffer overflow exploitation. These examples demonstrate overwriting local variables and the saved EIP to redirect program execution. ```python # Overwrite 'secret' variable to pass the check print 'A'*100 + '\x37\x13\x00\x00' # Overwrite saved EIP to jump to 'give_shell' function print 'A'*108 + '\xd0\x8f\x04\x08' ``` -------------------------------- ### Generate String Hash via Command Line Source: https://github.com/osirislab/ctf101/blob/master/docs/cryptography/what-are-hashing-functions.md Demonstrates how to generate an MD5 hash for a string using the echo command piped into the md5 utility. ```bash echo -n password | md5 ``` -------------------------------- ### Global Buffer Example in C Source: https://github.com/osirislab/ctf101/blob/master/docs/binary-exploitation/what-are-buffers.md Illustrates a global buffer in C. The `name` array is declared outside of any function, making it accessible throughout the program. Similar to stack buffers, it is susceptible to overflow if not handled carefully. ```c #include char name[64] = {0}; int main() { read(0, name, 63); printf("Hello %s", name); return 0; } ``` -------------------------------- ### Pointer Declaration and Usage in C Source: https://github.com/osirislab/ctf101/blob/master/docs/reverse-engineering/what-is-c.md Demonstrates how to declare an integer, retrieve its memory address using the address-of operator (&), and store it in a pointer variable. It also shows how to dereference a pointer to access the original value. ```c int x = 4; int* y = &x; ``` -------------------------------- ### Capture Network Traffic with tcpdump Source: https://github.com/osirislab/ctf101/blob/master/docs/forensics/what-is-packet-capture.md The `tcpdump` utility captures network traffic on a specified interface. It can display live traffic or save it to a file for later analysis. Use filters to narrow down the captured packets. ```bash sudo tcpdump -i eth0 ``` ```bash sudo tcpdump -i eth0 -w packets.pcap src 172.22.206.250 ``` -------------------------------- ### Stack State: After saving current ESP to EBP Source: https://github.com/osirislab/ctf101/blob/master/docs/binary-exploitation/what-is-the-stack.md Shows the stack configuration after the current stack pointer (ESP) is saved into the base pointer (EBP). This establishes the base of the current stack frame. ```asm EIP = 0x0804840e (sub esp, 0x8) ESP = 0xfffefffc EBP = 0xfffefffc 0xffff0004: 0xffffa0a0 // say_hi argument 1 0xffff0000: 0x0804845a // Return address for say_hi ESP, EBP -> 0xfffefffc: 0xffff002c // Saved EBP ``` -------------------------------- ### ROP Gadgets for 64-bit Argument Control Source: https://github.com/osirislab/ctf101/blob/master/docs/binary-exploitation/return-oriented-programming.md Demonstrates the use of ROP gadgets in 64-bit systems to control registers for function arguments. Gadgets are small assembly sequences that often 'pop' values into registers and end with a 'ret', allowing them to be chained together on the stack to set up arguments before jumping to the target function. ```text ; Example ROP gadgets found using tools like rp++ or ROPgadget: ; 0x400c01: pop rdi; ret ; 0x400c03: pop rsi; pop r15; ret ; A fake call stack could be constructed like this: ; [address of pop rdi gadget] ; [address of string argument for system] ; [address of system function] ```