### Install rCTF using curl Source: https://ctf101.org/intro/how-to-run-a-ctf Installs the rCTF framework by downloading and executing a script from the provided URL. This is a quick method to set up the rCTF environment. ```shell curl https://get.rctf.redpwn.net | sh ``` -------------------------------- ### Hello World in C Source: https://ctf101.org/reverse-engineering/what-is-c A basic 'Hello, World!' program in C, demonstrating the standard input/output library and the main function structure. This is a fundamental example for beginners. ```c #include int main() { printf("Hello, World!"); return 0; } ``` -------------------------------- ### Global Buffer Example in C Source: https://ctf101.org/binary-exploitation/what-are-buffers This C code illustrates a global buffer named 'name'. Similar to the stack buffer example, it has a size of 64 bytes and is initialized to zeros. User input is read into this global buffer, followed by a greeting output. Global buffers can also be targets for security exploits. ```c #include char name[64] = {0}; int main() { read(0, name, 63); printf("Hello %s", name); return 0; } ``` -------------------------------- ### x86-64 Assembly Instructions Examples Source: https://ctf101.org/reverse-engineering/what-is-assembly-machine-code Provides examples of common x86-64 assembly instructions, including data movement, arithmetic operations, and string representations in hexadecimal. These examples illustrate direct CPU operations. ```assembly add rax, rbx mov rax, 0xdeadbeef mov rax, [0xdeadbeef] == 67 48 8b 05 ef be ad de "Hello" == 48 65 6c 6c 6f == 48 01 d8 == 48 c7 c0 ef be ad de ``` -------------------------------- ### MD5 Hash Collision Example Source: https://ctf101.org/cryptography/what-are-hashing-functions Presents an example of two different data blocks that result in the same MD5 hash. This illustrates the concept of hash collisions, where a hash function produces identical outputs for different inputs. ```text # Two different blocks with the same MD5 hash: 79054025255fb1a26e4bc422aef54eb4 ``` -------------------------------- ### 32-bit x86 Assembly for main Function Source: https://ctf101.org/binary-exploitation/what-is-the-stack The assembly instructions for the 'main' function in 32-bit x86 architecture. This code demonstrates argument checking, variable assignment, and the call to the 'say_hi' function, including stack frame setup and teardown. ```assembly 08048427
: 8048427: 8d 4c 24 04 lea ecx,[esp+0x4] 804842b: 83 e4 f0 and esp,0xfffffff0 804842e: ff 71 fc push DWORD PTR [ecx-0x4] 8048431: 55 push ebp 8048432: 89 e5 mov ebp,esp 8048434: 51 push ecx 8048435: 83 ec 14 sub esp,0x14 8048438: 89 c8 mov eax,ecx 804843a: 83 38 02 cmp DWORD PTR [eax],0x2 804843d: 74 07 je 8048446 804843f: b8 01 00 00 00 mov eax,0x1 8048444: eb 1c jmp 8048462 8048446: 8b 40 04 mov eax,DWORD PTR [eax+0x4] 8048449: 8b 40 04 mov eax,DWORD PTR [eax+0x4] 804844c: 89 45 f4 mov DWORD PTR [ebp-0xc],eax 804844f: 83 ec 0c sub esp,0xc 8048452: ff 75 f4 push DWORD PTR [ebp-0xc] 8048455: e8 b1 ff ff ff call 804840b 804845a: 83 c4 10 add esp,0x10 804845d: b8 00 00 00 00 mov eax,0x0 8048462: 8b 4d fc mov ecx,DWORD PTR [ebp-0x4] 8048465: c9 leave 8048466: 8d 61 fc lea esp,[ecx-0x4] 8048469: c3 ret ``` -------------------------------- ### Run CTFd Docker Instance Source: https://ctf101.org/intro/how-to-run-a-ctf Starts a local CTFd instance using Docker. This is a simple way to get a CTF platform up and running quickly. It exposes the CTFd service on port 8000. ```docker docker run -p 8000:8000 -it ctfd/ctfd ``` -------------------------------- ### Array Declaration and Initialization in C Source: https://ctf101.org/reverse-engineering/what-is-c Demonstrates the syntax for declaring an array of a specific type and size in C, and how to initialize it with values. It also shows how arrays are indexed starting from 0. ```c int integers[ 10 ] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}; ``` -------------------------------- ### ROP Gadget Examples (64-bit) Source: https://ctf101.org/binary-exploitation/return-oriented-programming These are example ROP gadgets commonly found in 64-bit binaries. Gadgets are small sequences of assembly instructions that end in a 'ret' instruction. By chaining these gadgets, an attacker can control registers like RDI and RSI, which are used for passing function arguments in 64-bit Linux, before jumping to a target function like 'system'. ```assembly 0x400c01: pop rdi; ret 0x400c03: pop rsi; pop r15; ret ``` -------------------------------- ### Restore File Header with hexcurse Source: https://ctf101.org/forensics/what-is-a-hex-editor This example demonstrates using a hex editor like `hexcurse` to modify a file's header. By changing the incorrect byte sequence back to the standard `FF` for a JPEG header, the file becomes recognizable again by the `file` command and other programs. ```bash scribbl@rogstation:~/examples$ file example example: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, comment: "CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 1024x576, components 3 ``` -------------------------------- ### Original C Source Code Example Source: https://ctf101.org/reverse-engineering/what-are-decompilers This C code snippet defines two functions: `printSpacer` which prints a given number of hyphens, and `main` which prints a modified 'Hello, World!' string and uses `printSpacer`. ```c #include void printSpacer(int num){ for(int i = 0; i < num; ++i){ printf("-"); } printf("\n"); } int main() { char* string = "Hello, World!"; for(int i = 0; i < 13; ++i){ printf("%c", string[i]); for(int j = i+1; j < 13; j++){ printf("%c", string[j]); } printf("\n"); printSpacer(13 - i); } return 0; } ``` -------------------------------- ### C Code Example for ROP Vulnerability (32-bit) Source: https://ctf101.org/binary-exploitation/return-oriented-programming This C code demonstrates a common scenario for Return Oriented Programming (ROP) in 32-bit Linux. It contains a stack buffer overflow vulnerability in the 'echo' buffer, allowing an attacker to overwrite the saved instruction pointer (EIP) when the 'main' function returns. This example is crucial for understanding how stack control can be leveraged in ROP attacks. ```c #include #include char name[32]; int main() { printf("What's your name? "); read(0, name, 32); printf("Hi %s\n", name); printf("The time is currently "); system("/bin/date"); char echo[100]; printf("What do you want me to echo back? "); read(0, echo, 1000); puts(echo); return 0; } ``` -------------------------------- ### Variable Declaration and Pointer Initialization in C Source: https://ctf101.org/reverse-engineering/what-is-c Illustrates how to declare an integer variable and then create a pointer that stores the memory address of that variable. It shows the use of '&' to get the address and '*' to declare a pointer type. ```c int x = 4; int* y = &x; ``` -------------------------------- ### Python XOR Encryption and Decryption Example Source: https://ctf101.org/cryptography/what-is-xor Demonstrates how to encrypt and decrypt a string using a single-byte XOR key in Python. It highlights the reversibility of the XOR operation for decryption. No external libraries are required. ```python >>> data = 'CAPTURETHEFLAG' >>> key = 'A' >>> encrypted = ''.join([chr(ord(x) ^ ord(key)) for x in data]) >>> encrypted '\x02\x00\x11\x15\x14\x13\x04\x15\t\x04\x07\r\x00\x06' >>> decrypted = ''.join([chr(ord(x) ^ ord(key)) for x in encrypted]) >>> decrypted 'CAPTURETHEFLAG' ``` -------------------------------- ### Accessing Array Elements in C Source: https://ctf101.org/reverse-engineering/what-is-c Shows how to access individual elements within an array in C using their respective index. It clarifies that array indexing starts from 0. ```c int integers[ 10 ] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}; /* indexes 0 1 2 3 4 5 6 7 8 9 */ integers[5]; ``` -------------------------------- ### Stack Buffer Example in C Source: https://ctf101.org/binary-exploitation/what-are-buffers This C code demonstrates a stack-allocated buffer named 'name'. The buffer has a size of 64 bytes and is initialized to zeros. User input is read into the buffer, and then a greeting is printed. This is a common scenario where buffer vulnerabilities might arise. ```c #include int main() { char name[64] = {0}; read(0, name, 63); printf("Hello %s", name); return 0; } ``` -------------------------------- ### x86-64 Assembly Example Execution Trace Source: https://ctf101.org/reverse-engineering/what-is-assembly-machine-code This snippet demonstrates a step-by-step execution trace of x86-64 assembly instructions, showing the changes in register values (RIP, RAX, RBX, RCX, RDX) after each instruction. It illustrates basic operations like moving values, addition, incrementing, and subtraction. ```assembly -> 0x0804000: mov eax, 0xdeadbeef Register Values: 0x0804005: mov ebx, 0x1234 RIP = 0x0804000 0x080400a: add, rax, rbx RAX = 0x0 0x080400d: inc rbx RBX = 0x0 0x0804010: sub rax, rbx RCX = 0x0 0x0804013: mov rcx, rax RDX = 0x0 ``` ```assembly 0x0804000: mov eax, 0xdeadbeef Register Values: -> 0x0804005: mov ebx, 0x1234 RIP = 0x0804005 0x080400a: add, rax, rbx RAX = 0xdeadbeef 0x080400d: inc rbx RBX = 0x0 0x0804010: sub rax, rbx RCX = 0x0 0x0804013: mov rcx, rax RDX = 0x0 ``` ```assembly 0x0804000: mov eax, 0xdeadbeef Register Values: 0x0804005: mov ebx, 0x1234 RIP = 0x080400a -> 0x080400a: add, rax, rbx RAX = 0xdeadbeef 0x080400d: inc rbx RBX = 0x1234 0x0804010: sub rax, rbx RCX = 0x0 0x0804013: mov rcx, rax RDX = 0x0 ``` ```assembly 0x0804000: mov eax, 0xdeadbeef Register Values: 0x0804005: mov ebx, 0x1234 RIP = 0x080400d 0x080400a: add, rax, rbx RAX = 0xdeadd123 -> 0x080400d: inc rbx RBX = 0x1234 0x0804010: sub rax, rbx RCX = 0x0 0x0804013: mov rcx, rax RDX = 0x0 ``` ```assembly 0x0804000: mov eax, 0xdeadbeef Register Values: 0x0804005: mov ebx, 0x1234 RIP = 0x0804010 0x080400a: add, rax, rbx RAX = 0xdeadd123 0x080400d: inc rbx RBX = 0x1235 -> 0x0804010: sub rax, rbx RCX = 0x0 0x0804013: mov rcx, rax RDX = 0x0 ``` ```assembly 0x0804000: mov eax, 0xdeadbeef Register Values: 0x0804005: mov ebx, 0x1234 RIP = 0x0804013 0x080400a: add, rax, rbx RAX = 0xdeadbeee 0x080400d: inc rbx RBX = 0x1235 0x0804010: sub rax, rbx RCX = 0x0 -> 0x0804013: mov rcx, rax RDX = 0x0 ``` ```assembly 0x0804000: mov eax, 0xdeadbeef Register Values: 0x0804005: mov ebx, 0x1234 RIP = 0x0804005 0x080400a: add, rax, rbx RAX = 0xdeadbeee 0x080400d: inc rbx RBX = 0x1235 0x0804010: sub rax, rbx RCX = 0xdeadbeee 0x0804013: mov rcx, rax RDX = 0x0 ``` -------------------------------- ### Decompiled C Pseudocode Example Source: https://ctf101.org/reverse-engineering/what-are-decompilers This C pseudocode represents the decompiled version of the original C source code. It shows how a decompiler might reconstruct the logic, including variable declarations and function calls, as seen by the decompiler. ```c int __fastcall printSpacer(int a1) { int i; // [rsp+8h] [rbp-8h] for ( i = 0; i < a1; ++i ) printf("-"); return printf("\n"); } int __cdecl main(int argc, const char **argv, const char **envp) { int v4; // [rsp+18h] [rbp-18h] signed int i; // [rsp+1Ch] [rbp-14h] for ( i = 0; i < 13; ++i ) { v4 = i + 1; printf("%c", (unsigned int)aHelloWorld[i], envp); while ( v4 < 13 ) printf("%c", (unsigned int)aHelloWorld[v4++]); printf("\n"); printSpacer(13 - i); } return 0; } ``` -------------------------------- ### View File Header with xxd Source: https://ctf101.org/forensics/what-is-a-hex-editor This command uses `xxd` to display the hexadecimal and ASCII representation of a file's content, showing the first few lines. It's useful for inspecting raw file data, particularly headers, to identify specific byte sequences. ```bash scribbl@rogstation:~/examples$ xxd example | head 00000000: aad8 ffe0 0010 4a46 4946 0001 0101 0060 ......JFIF.....` 00000010: 0060 0000 fffe 003b 4352 4541 544f 523a .`.....;CREATOR: 00000020: 2067 642d 6a70 6567 2076 312e 3020 2875 gd-jpeg v1.0 (u 00000030: 7369 6e67 2049 4a47 204a 5045 4720 7638 sing IJG JPEG v8 00000040: 3029 2c20 7175 616c 6974 7920 3d20 3930 0), quality = 90 00000050: 0aff db00 4300 0302 0203 0202 0303 0303 ....C 00000060: 0403 0304 0508 0505 0404 050a 0707 0608 00000070: 0c0a 0c0c 0b0a 0b0b 0d0e 1210 0d0e 110e 00000080: 0b0b 1016 1011 1314 1515 150c 0f17 1816 00000090: 1418 1214 1514 ffdb 0043 0103 0404 0504 ........C ``` -------------------------------- ### x86-64 Assembly Instruction Examples (Data Movement) Source: https://ctf101.org/reverse-engineering/what-is-assembly-machine-code Illustrates two specific data movement instructions in x86-64 assembly. The first moves an immediate value into a register, and the second moves data from a memory address (calculated with an offset and another register) into a register. ```assembly mov rax, 0xdeadbeef ``` ```assembly mov rax, [0xdeadbeef + rbx * 4] ``` -------------------------------- ### C Function Example for cdecl Convention (32-bit) Source: https://ctf101.org/binary-exploitation/what-are-calling-conventions Demonstrates a simple C function 'add' that takes three integer arguments. In 32-bit Linux binaries using the cdecl convention, these arguments would be pushed onto the stack in reverse order before the function is called. ```c int add(int a, int b, int c) { return a + b + c; } ``` -------------------------------- ### C Heap Allocation and Deallocation Example Source: https://ctf101.org/binary-exploitation/what-is-the-heap Demonstrates dynamic memory allocation on the heap using malloc and freeing the allocated memory with free in C. It reads user input for allocation size, reads data into the allocated buffer, and prints it back. It requires stdio.h, stdlib.h, string.h, and unistd.h. ```c #include #include #include #include int main() { unsigned alloc_size = 0; char *stuff; printf("Number of bytes? "); scanf("%u", &alloc_size); stuff = malloc(alloc_size + 1); memset(stuff, 0, alloc_size + 1); read(0, stuff, alloc_size); printf("You wrote: %s", stuff); free(stuff); return 0; } ``` -------------------------------- ### Reflected XSS Example URL Source: https://ctf101.org/web-exploitation/cross-site-scripting/what-is-cross-site-scripting This example demonstrates a typical URL structure for a Reflected XSS attack. The malicious JavaScript payload is embedded within the 'data' GET parameter. This type of attack relies on the server reflecting the parameter value directly into the HTML response without proper sanitization. ```plaintext https://ctf101.org?data= ``` -------------------------------- ### C Program: say_hi and main Functions Source: https://ctf101.org/binary-exploitation/what-is-the-stack The C source code for the 'say_hi' function, which prints a greeting, and the 'main' function, which handles command-line arguments and calls 'say_hi'. This code forms the basis for the subsequent stack analysis. ```c #include void say_hi(const char * name) { printf("Hello %s!\n", name); } int main(int argc, char ** argv) { char * name; if (argc != 2) { return 1; } name = argv[1]; say_hi(name); return 0; } ``` -------------------------------- ### Stack State after say_hi prologue Source: https://ctf101.org/binary-exploitation/what-is-the-stack Details the stack's state after the initial 'push ebp' and 'mov ebp, esp' instructions within the 'say_hi' function. This shows the saved EBP value on the stack. ```text EIP = 0x0804840c (mov ebp, esp) ESP = 0xfffefffc EBP = 0xffff002c 0xffff0004: 0xffffa0a0 // say_hi argument 1 0xffff0000: 0x0804845a // Return address for say_hi ESP -> 0xfffefffc: 0xffff002c // Saved EBP ``` -------------------------------- ### Generate MD5 Hash for a String (Command Line) Source: https://ctf101.org/cryptography/what-are-hashing-functions Demonstrates how to generate an MD5 hash for a given string using the 'echo' and 'md5' commands. This is useful for quick hash generation and verification of text data. ```bash echo -n password | md5 # Expected output: 5f4dcc3b5aa765d61d8327deb882cf99 ``` -------------------------------- ### Stack State after calling say_hi Source: https://ctf101.org/binary-exploitation/what-is-the-stack Illustrates the stack memory layout immediately after the 'call' instruction to 'say_hi' is executed. This shows the return address pushed onto the stack and the initial state of ESP and EBP. ```text EIP = 0x0804840b (push ebp) ESP = 0xffff0000 EBP = 0xffff002c 0xffff0004: 0xffffa0a0 // say_hi argument 1 ESP -> 0xffff0000: 0x0804845a // Return address for say_hi ``` -------------------------------- ### C Use After Free (UAF) Vulnerability Example Source: https://ctf101.org/binary-exploitation/heap-exploitation Demonstrates a use-after-free vulnerability in C. The code allocates memory for a string structure, frees the data pointer, then allocates new memory which may reuse the freed pointer. Accessing the freed pointer afterwards can lead to unpredictable behavior or exploits. This example specifically shows how a subsequent allocation can overwrite the freed memory, leading to a UAF when the original pointer is used. ```c #include #include #include #include typedef struct string { unsigned length; char *data; } string; int main() { struct string* s = malloc(sizeof(string)); puts("Length:"); scanf("%u", &s->length); s->data = malloc(s->length + 1); memset(s->data, 0, s->length + 1); puts("Data:"); read(0, s->data, s->length); free(s->data); free(s); char *s2 = malloc(16); memset(s2, 0, 16); puts("More data:"); read(0, s2, 15); // Now using s again, a UAF puts(s->data); return 0; } ``` -------------------------------- ### Generate MD5 Hash for a File (Command Line) Source: https://ctf101.org/cryptography/what-are-hashing-functions Shows how to calculate the MD5 hash of a file using the 'md5sum' command. This is useful for verifying file integrity and identification. ```bash $ md5sum samplefile.txt # Expected output: 3b85ec9ab2984b91070128be6aae25eb samplefile.txt ``` -------------------------------- ### Generate SHA-2 Hash for a String (Command Line) Source: https://ctf101.org/cryptography/what-are-hashing-functions Illustrates the generation of a SHA-2 hash for a string using command-line utilities. SHA-2 is a more secure alternative to SHA-1 and is recommended for cryptographic purposes. ```bash # Example for 'password' string # SHA-2: 5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8 ``` -------------------------------- ### Stack State after growing stack in say_hi Source: https://ctf101.org/binary-exploitation/what-is-the-stack Shows the stack's configuration after local variables are allocated within 'say_hi' by decrementing the stack pointer (ESP). Undefined memory regions are shown for uninitialized local variables. ```text EIP = 0x08048414 (push [ebp + 0x8]) ESP = 0xfffeffec // sub x2 EBP = 0xfffefffc 0xffff0004: 0xffffa0a0 // say_hi argument 1 0xffff0000: 0x0804845a // Return address for say_hi EBP -> 0xfffefffc: 0xffff002c // Saved EBP 0xfffefff8: UNDEFINED 0xfffefff4: UNDEFINED 0xfffefff0: UNDEFINED ESP -> 0xfffeffec: UNDEFINED ``` -------------------------------- ### ROP Exploit Stack Setup (32-bit Linux) Source: https://ctf101.org/binary-exploitation/return-oriented-programming This illustrates the desired stack layout in a 32-bit Linux ROP exploit. When the 'main' function returns, the program should jump to the 'system' function's PLT entry. The stack is carefully crafted to provide the necessary return address for 'main' (pointing to 'system') and the argument for 'system' (the address of the 'name' global variable). ```assembly ... // More arguments 0xffff0008: 0x00000002 // Argument 2 0xffff0004: 0x00000001 // Argument 1 ESP -> 0xffff0000: 0x080484d0 // Return address ``` ```assembly 0xffff0008: 0xdeadbeef // system argument 1 0xffff0004: 0xdeadbeef // return address for system ESP -> 0xffff0000: 0x08048450 // return address for main (system's PLT entry) ``` -------------------------------- ### Python Command Injection Example Source: https://ctf101.org/web-exploitation/command-injection/what-is-command-injection This Python code demonstrates a command injection vulnerability. The `os.system()` function directly concatenates user input into a system command without sanitization, allowing an attacker to inject additional commands. ```python import os domain = user_input() # ctf101.org os.system('ping ' + domain) ``` ```python import os domain = user_input() # ; ls os.system('ping ' + domain) ``` -------------------------------- ### 32-bit x86 Assembly for say_hi Function Source: https://ctf101.org/binary-exploitation/what-is-the-stack The assembly instructions for the 'say_hi' function in 32-bit x86 architecture. This code shows the function prologue, argument handling, call to printf, and function epilogue. ```assembly 0804840b : 804840b: 55 push ebp 804840c: 89 e5 mov ebp,esp 804840e: 83 ec 08 sub esp,0x8 8048411: 83 ec 08 sub esp,0x8 8048414: ff 75 08 push DWORD PTR [ebp+0x8] 8048417: 68 f0 84 04 08 push 0x80484f0 804841c: e8 bf fe ff ff call 80482e0 8048421: 83 c4 10 add esp,0x10 8048424: 90 nop 8048425: c9 leave 8048426: c3 ret ``` -------------------------------- ### Identify File Type with file command Source: https://ctf101.org/forensics/what-is-a-hex-editor The `file` command attempts to determine the type of a file by examining its contents. When a file header is corrupted or non-standard, `file` may report it as generic 'data', indicating a problem with the file's structure. ```bash scribbl@rogstation:~/examples$ file example example: data ``` -------------------------------- ### SQL Injection: Example Malicious Input (PHP) Source: https://ctf101.org/web-exploitation/sql-injection/what-is-sql-injection This PHP code snippet demonstrates a basic SQL injection vulnerability. It directly embeds user-provided 'username' into a SQL query without proper sanitization, allowing for malicious input to alter query logic. ```php ``` -------------------------------- ### Generate SHA-1 Hash for a String (Command Line) Source: https://ctf101.org/cryptography/what-are-hashing-functions Shows how to generate a SHA-1 hash for a given string using command-line tools. SHA-1 is a widely used cryptographic hash function, though it has known weaknesses. ```bash # Example for 'password' string # SHA-1: 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 ```