copy over web/rev guides

Author: reteps

fallctf-2024/src/SUMMARY.md

@@ -3,6 +3,8 @@
 - [Intro](./intro.md)
     - [pwntools](./pwntools.md)
 - [Misc](./misc.md)
-- [CRYPTO](./crypto/crypto.md)
+- [Web](./web/web.md)
+- [Reverse Engineering](./rev/rev.md)
+- [Crypto](./crypto/crypto.md)
 - [OSINT](./osint/osint.md)
 - [PWN](./pwn/pwn.md)

fallctf-2024/src/rev/README.md

@@ -0,0 +1 @@
+See [./rev.org](./rev.org)

fallctf-2024/src/rev/images/ghdira3.png

@@ -0,0 +1,2 @@
+# Reverse Engineering
+<embed src="./rev.pdf" type="application/pdf" style="width: 100%; height: 80vh;">

fallctf-2024/src/rev/images/ghidra1.png

@@ -0,0 +1,99 @@
+#+title: Reverse Engineering
+
+* Start here
+** General tips
+- figure out what the goal is
+  - there is usually a clear "win condition", such as printing a flag
+- figure out what the input is
+  - some parts of the program don't change depending on the input
+  - it might not matter what the input is!
+  - how does the input get used?
+** A note about past meetings
+SIGPwny has already ran two meetings on this topic! Check out [[https://sigpwny.com/meetings/fa2023/2023-09-17/][Reverse Engineering Setup]] and [[https://sigpwny.com/meetings/fa2023/2023-09-21/][Reverse Engineering I]]. We have slides and recorded meeting presentations, which you may prefer more than these notes.
+* Basics
+** What it is
+Reverse engineering is the process of understanding computer programs. The goal is to figure out what the program does. Usually, programs are difficult to understand, either intentionally or unintentionally.
+** Main types of analysis
+- Static analysis: reading code, using tools to understand code /without running it/
+  - Good place to start, not great if there's a lot of code
+- Dynamic analysis: running code, inspecting or modifying the program as it's running
+  - Generally faster, captures entire program environment
+** A word on abstractions
+- Abstract (higher level) programs are easier to understand
+- Languages like Python and JavaScript are higher level
+- Languages like assembly and C are lower level
+- As you modify a program to become more abstract (to better understand it), you lose some information in the process
+* Tools
+** Bytecode viewer
+*** Installation
+- see https://github.com/Konloch/bytecode-viewer
+*** When to use
+This program is used to decompile Java files, which usually have the .jar extension
+*** How to use
+Simply import the java jar program into the bytecode viewer and see the decompiled java code! This works by recovering the java code from the compiled java bytecode.
+** Ghidra
+*** Installation
+- see [[https://sigpwny.com/meetings/fa2023/2023-09-17/][Reverse Engineering Setup]]
+- or, just read the [[https://ghidra-sre.org/InstallationGuide.html][installation guide]]
+*** When to use
+Use this tool for binaries, not python scripts. Ghidra "decompiles", or simplifies, binary programs into more human-readable "pseudo-C" code.
+
+Ghidra is a *static analysis* tool.
+*** Interface
+[[./images/ghidra1.png]]
+
+Once you open a program in Ghidra, click "OK" for all the auto analyze popups (there should be several). Now, the interface should look like the above image.
+
+(1) is the decompiled code output. This is what you will be looking at for the most part. You can rename variables by clicking a variable and pressing =L=. Change the type by right clicking and selecting =Retype Variable=.
+
+(2) is the assembly instructions. This won't be very helpful if you don't know assembly, and can be mostly ignored for the challenges at Fall CTF.
+
+(3) is the "symbol tree". This shows you different named values that are present in the file. Click =Functions= and scroll down to select the =main= function. This shows you the first function that runs.
+
+[[./images/ghidra2.png]]
+
+Here we can see the =main= function in the symbol tree. If there is no =main=, click =_start= and see what that function calls.
+
+[[./images/ghdira3.png]]
+
+Above is a picture of the decompilation (disclaimer: this is not a challenge from Fall CTF). Almost every function you see will have an if statement with =__stack_chk_fail= at the bottom. This is a check for the "stack canary", which is not relevant to any challenges here. It may be of more interest in pwn challenge. The ~local_10 = *(long *)(in_FS_OFFSET + 0x28);~ line at the top sets up the stack canary and can also be ignored.
+
+Note that the variables are named with undescriptive names, such as =iVar1= and =local_28=. This is because the decompiler does not know the details of variables in the original function. As a result, it has to generate variable names.
+** GDB
+*** Installation
+- see [[https://sigpwny.com/meetings/fa2023/2023-09-17/][Reverse Engineering Setup]]
+*** When to use
+Similarly to Ghidra, use this tool for binaries, not python scripts. GDB is a debugger that runs programs, giving you the ability to stop, inspect, and modify code as it is executing.
+
+GDB is a *dynamic analysis* tool.
+*** Basics
+Run =gdb ./chal= on the command line, where =chal= is the name of the program. Note that you must be on Linux (WSL works too). This will not work for Apple Silicon Mac users.
+
+GDB will launch you into a program with a different terminal prompt, where each line starts with =(gdb)=. You interact with the program by typing in commands
+*** Commands
+- misc
+  - =help <command>=: get help about any of the commands listed here
+- running
+  - =run=: run the program from the start
+  - =quit=: exit GDB
+  - =start=: start the program and break on the =main= function
+- breakpoints
+  - =break <func>+<offset>=: set a breakpoint at the function =<func>= with an offset =<offset>=. Useful to get the offset from the =disas= command
+- inspecting program
+  - =disas <func>=: disassemble the =<func>= function
+  - =info reg=: print all the registers
+  - =x=: print data (see =help x= for more info)
+    - =x/4gx 0x1234=: print 4 QWORDS (64-bit values) in hex starting at address =0x1234=
+    - =x/10i $rip=: print 10 instructions starting at =$rip= (current instruction pointer)
+    - =x/7wx $rsp=: print 7 WORDS (32-bit values) in hex starting at =$rsp= (stack pointer)
+    - =x/8bd $rdi=: print 8 bytes in decimal starting at the address in =$rdi=
+  - =set=: set values
+    - ~set $rax=23~: sets =$rax= to 23
+    - ~set $rip+=4~: adds 4 to =$rip=
+      - this skips the current instruction, if it is 4 bytes long
+*** General workflow
+- first, identify interesting places to set a breakpoint in Ghidra
+- use the assembly instructions window in Ghidra to see the offset to break at
+- run the program in GDB and set a breakpoint
+- modify or print values as desired
+- repeat until solved

fallctf-2024/src/rev/images/ghidra2.png

@@ -0,0 +1,129 @@
+# Web
+
+We have run two web meeting this semester:
+
+- [Web 1](https://sigpwny.com/meetings/fa2023/2023-09-07/), covering HTML, CSS, and Javascript
+- [Web 2](https://sigpwny.com/meetings/fa2023/2023-09-14/), covering SQLi and XSS
+
+
+## Website Structure
+
+Websites use three main languages: HTML, CSS, and Javascript. HTML is the skeleton of the website, and organizes each of the different elements onto the user's screen. CSS is how you edit and develop the styles on a website. The most important and widely used language within the web is Javascript. Javascript allows you to dynamically change elements within your site, have something happen when a button is pressed, or make a requests to other computers.
+
+## Client-Server Model
+
+When you click on a link within your browser, your computer makes a request to a server located at the address of the link you clicked. This request is then processed on the server's side, and the server sends back the webpage you want to load. This is the Client-Server Model. By manipulating processes within this model's process, you can access extra content on either the server or client side!
+
+When content is sent between your computer and the server, it includes additional metadata called "Headers". Some of this data remains in your browser, either as **cookies** or **local storage** (technically more kinds).
+
+![](./images/network.png)
+
+- Cookies are saved per website, and are sent in each request. They can be changed by Javascript or a request header.
+- Local Storage is saved per website, but are not sent in each request. They can be changed by Javascript in your browser.
+
+## Devtools
+
+Developer tools is how you view additional website about an information. For our challenges, we reccommend you download Chrome or Firefox, and not use Safari.
+
+To open devtools, hit `Ctrl + Shift + C` (windows) or `Command + Shift + C` (mac). Alternatively, right click and hit inspect.
+
+![](./images/inspect_context.png)
+
+Chrome Devtools is a suite of software developer information for web development. During challenges, you will be able to poke around different tabs. Here are some helpful tabs to lookout for:
+
+* Console (you can run your own javascript in this tab)
+
+![](./images/console.png)
+
+Pro Tip: You can use breakpoints within the console by clicking next to the line number. This can allow you to stop at certain lines before the run and check variables
+
+* Network
+
+The network tab shows all information transmitted to/from your computer to the server (website).
+
+![](./images/network2.png)
+
+![](./images/network_3.png)
+
+* Sources
+
+The sources tab shows a listing of all files on the server that were requested.
+
+![](./images/sources.png)
+
+* Application
+
+The application tab shows the saved cookies, local storage, and other information stored in your browser.
+
+![](./images/application.png)
+
+This is not an exhaustive list, but just a few useful tabs within Devtools.
+
+## Encodings you should know about:
+
+base64 - Looks like this 
+![](./images/base64.png)
+
+url encoding - Looks like this
+
+![](./images/url_encode.png)
+
+You can use [CyberChef](https://gchq.github.io/CyberChef/) to decode.
+
+## SQL Injections
+
+More in-depth explanations can be found in the Web 2 slides about SQL.
+
+SQL, or Structured Query Language is a language for fetching information from a server.
+
+For example,
+
+```sql
+SELECT netid, firstname FROM students WHERE lastname = "Tables"
+```
+
+![Alt text](./images/sql.png)
+
+If code is written incorrectly, you can modify an SQL Statement as shown above.
+
+More details on SQL: https://portswigger.net/web-security/sql-injection
+Resource on SQL Union Attack: https://portswigger.net/web-security/sql-injection/union-attacks
+
+## Command Injections
+
+Command Injection lets you execute multiple linux commands at the same time. It is very similar to SQL Injection, except instead of 
+changing a database query, you are changing commands executed in the command line.
+
+For example, in your terminal, you are able to execute multiple commands using the `;` ability
+
+```
+$> echo "command 1"; echo "command 2"
+command 1
+command 2
+```
+
+If you are able to "inject" something directly into the command you are executing, you can make it do additional things.
+
+```
+$> echo "YOUR INPUT"
+```
+
+If I had set `YOUR INPUT` to `-HI"; ls ; "BYE-`
+
+then the command would look like
+
+```
+echo "-HI"; ls; "BYE-"
+```
+
+Some useful commands are:
+
++ `ls` - list files
++ `cat x.txt` - output the contents of the file `x.txt`
+
+If you want more resources on learning the linux command line...
+
++ Review our [Setup/Terminal Meeting Slides](https://sigpwny.com/meetings/fa2023/2023-09-03/)
+
+## Cross Site Scripting (XSS)
+