march april 2019

Author: cacama-valvata

content/blog/2019-2020-officer-elections-on-april-25th.md

@@ -0,0 +1,39 @@
+---
+title: "2019-2020 Officer Elections on April 25th"
+author: "Zander Work"
+date: 2019-04-16T00:00:00-07:00
+categories: ['Meeting Notes', 'Club News']
+tags: []
+caption: ""
+
+draft: false
+---
+
+We will be holding officer elections for next school year during our regular meeting on Week 4 (April 25th). This is a great way to be more involved with the club, and represent us to the College of Engineering.
+
+Here are the positions (link goes to position duties):
+
+- [President](https://docs.google.com/presentation/d/1zy1O0yru-iAo_0W-uHK87YRraQqCaZOt8MVcUy_dclc/edit#slide=id.g57d8caec5c_0_5)
+- [Vice President](https://docs.google.com/presentation/d/1zy1O0yru-iAo_0W-uHK87YRraQqCaZOt8MVcUy_dclc/edit#slide=id.g57d8caec5c_0_10)
+- [Treasurer](https://docs.google.com/presentation/d/1zy1O0yru-iAo_0W-uHK87YRraQqCaZOt8MVcUy_dclc/edit#slide=id.g57d8caec5c_0_21)
+- [Multimedia Coordinator](https://docs.google.com/presentation/d/1zy1O0yru-iAo_0W-uHK87YRraQqCaZOt8MVcUy_dclc/edit#slide=id.g57d8caec5c_0_29)
+- [Lab Manager](https://docs.google.com/presentation/d/1zy1O0yru-iAo_0W-uHK87YRraQqCaZOt8MVcUy_dclc/edit#slide=id.g57d8caec5c_0_34)
+
+To run for a position, please do the following:
+
+- Fill out [this form](https://forms.gle/hF4Jf9TzxMTetFqTA) no later than April 23rd
+- Send a slide (one slide) to [security.club@oregonstate.edu](mailto:security.club@oregonstate.edu) no later than April 23rd:
+    - Name
+    - Position
+    - Info about yourself
+    - Qualifications
+    - etc.
+- Show up to our meeting on April 25th prepared for the following:
+    - Up to 5 minute presentation on why you should be elected for your position
+    - Up to 2 minutes Q/A
+
+We will be voting in the meeting on the 25th, so if you want to vote you need to be there. If you aren’t able to be there (candidate or voter), please let me know (I might need to re-think this part).
+
+There is lots more info on the [slides](https://docs.google.com/presentation/d/1zy1O0yru-iAo_0W-uHK87YRraQqCaZOt8MVcUy_dclc/edit#slide=id.g57d8caec5c_0_0).
+
+Best of luck to all who run!

content/blog/2019-2020-officers.md

@@ -0,0 +1,21 @@
+---
+title: "2019-2020 Officers"
+author: "Zander Work"
+date: 2019-04-26T00:00:00-07:00
+categories: ['Meeting Notes', 'Club News']
+tags: []
+caption: ""
+
+draft: false
+---
+
+Here are the new officers for the 2019-2020 school year:
+
+- President: Zander Work
+- Vice President: Hadi Rahal-Arabi
+- Treasurer: David Park
+- Multimedia Coordinator: Adam Stewart
+- Lab Manager: Ryan Kennedy
+- Recruitment/Public Relations: Alex Rash
+
+Thanks to everyone who participated!

content/blog/angstromCTF-lithp.md

@@ -0,0 +1,110 @@
+---
+title: "ångstromCTF lithp"
+author: "Lyell Read"
+date: 2019-04-26T00:00:00-07:00
+categories: ['Writeups']
+tags: ['angstromctf']
+caption: ""
+
+draft: false
+---
+
+## Problem
+
+My friend gave me [this](https://github.com/lyellread/ctf-writeups/blob/master/angstromctf-2019/lithp-60/lithp.lisp) program but I couldn’t understand what he was saying – what was he trying to tell me?
+
+Author: fireholder
+
+Points: 60
+
+## Solution
+
+First things first, let’s open that lisp program . . . It actually is lisp… oh god what have I just gotten into?
+
+The first lines were most important in solving this challenge the way I did it. It reads:
+
+```
+(defparameter *encrypted* '(8930 15006 8930 10302 11772 13806 13340 11556 12432 13340 10712 10100 11556 12432 9312 10712 10100 10100 8930 10920 8930 5256 9312 9702 8930 10712 15500 9312))
+(defparameter *flag* '(redacted))
+(defparameter *reorder* '(19 4 14 3 10 17 24 22 8 2 5 11 7 26 0 25 18 6 21 23 9 13 16 1 12 15 27 20))
+```
+
+Well, then. Given that I do not want to read more lisp than I have to (lest I end up depressed), let’s try to make some sense just based on those variables. With quite a bit of certainty, it appears that reorder is as it is named – an array of indexes that will reorder something. My guess is that it is applied like this:
+
+```
+flag: 97 99 116 102 123 ... 125
+encrypt flag
+for entry[i] in encrypted_flag: place that element at output[reorder[i]]
+```
+
+Now we need to try to unjumble this. I wrote up this mess to do that:
+
+```
+#!/usr/bin/python
+
+positions = [19, 4, 14, 3, 10, 17, 24, 22, 8, 2, 5, 11, 7, 26, 0, 25, 18, 6, 21, 23, 9, 13, 16, 1, 12, 15, 27, 20]
+values = [8930, 15006, 8930, 10302, 11772, 13806, 13340, 11556, 12432, 13340, 10712, 10100, 11556, 12432, 9312, 10712, 10100, 10100, 8930, 10920, 8930, 5256, 9312, 9702, 8930, 10712, 15500, 9312]
+output = []
+
+for item in range (0, max(positions) + 1):
+	index = positions.index(item) #get the index in values of element number item
+	output.append(values[index])  #place that at the end of the output list 
+
+print (output)
+	
+$python3 ./undo_reorder.py
+[9312, 9702, 13340, 10302, 15006, 10712, 10100, 11556, 12432, 8930, 11772, 10100, 8930, 5256, 8930, 10712, 9312, 13806, 10100, 8930, 9312, 8930, 11556, 10920, 13340, 10712, 12432, 15500]
+```
+
+Apparently, that should be in the right order. Let’s think about it with ASCII on the mind, we should have ‘actf{…}’. Looks about right with two very similar values in the spots where we would expect ‘{‘ and ‘}’…
+
+But those aren’t ASCII! yeah, but they are transformations of ascii values. It cannot be a scalar that is added to the ASCII values of the respective flag characters, as the ‘{‘ and ‘}’ values would have to be 2 apart (‘{‘ = 123, ‘}’ = 125). There could be a scalar value that all the ASCII codes are multiplied by. Let’s check that first value, 9312, which should be related to ASCII 97 (‘a’):
+
+```
+>>>9312/97
+96
+```
+
+…interesting. Another: 15006 which should correspond to ‘{‘ or ASCII 123:
+
+```
+>>>15006/123
+122
+```
+
+OK. So the algorithm to encrypt the flag is just:
+
+```
+for x in flag: 
+	code = ascii value of x
+	encrypted_value = code * (code-1)
+```
+
+Now we can complete the script:
+
+```
+sorted = [9312, 9702, 13340, 10302, 15006, 10712, 10100, 11556, 12432, 8930, 11772, 10100, 8930, 5256, 8930, 10712, 9312, 13806, 10100, 8930, 9312, 8930, 11556, 10920, 13340, 10712, 12432, 15500]
+
+letters = []
+decoded = []
+solved = []
+
+for ascii in range (0, 128):
+	letters.append(ascii*(ascii-1))	#create an array of all ascii values such that the index is the original value, and the value at that index is the encoded value.
+
+for x in sorted:
+	if x in letters:
+		decoded.append(letters.index(x)) #create a decoded array of values
+
+for x in decoded:
+	solved.append(chr(x))					#convert to chars
+
+print (''.join(solved))	#print that flag
+```
+
+These two scrips together make up [decode_lithp.py](https://github.com/lyellread/ctf-writeups/blob/master/angstromctf-2019/lithp-60/decode_lithp.py).
+
+```
+$python3 ./undo_encrypt.py
+actf{help_me_I_have_a_lithp}
+```

content/blog/angstromCTF-streams.md

@@ -0,0 +1,158 @@
+---
+title: "ångstromCTF - streams"
+author: "Lyell Read"
+date: 2019-04-26T00:00:00-07:00
+categories: ['Writeups']
+tags: ['angstromctf']
+caption: ""
+
+draft: false
+---
+
+## Problem
+
+White noise is useful whether you are trying to sleep, relaxing, or concentrating on writing papers. Find some natural white noise [here](https://streams.2019.chall.actf.co/).
+
+Note: The flag is all lowercase and follows the standard format (e.g. actf{example_flag})
+
+Author: ctfhaxor
+
+Points: 70
+
+Hint: Are you sure that’s an mp4 file? What’s inside the file?
+
+## Solution
+
+First, we deduced some information about the challenge by reading the description. “The flag is all lowercase” implies that we will be constructing it letter by letter, possibly from audio. First thing to check out is the video on the linked website – just river sounds.
+
+We then proceeded to inspect the website – the HTML looks pretty standard, and I decided to leave player.js alone and come back to it if we failed to find a solution (would be more of a web challenge at that point). Under the ‘Network’ tab, we see that there appear to be two streams of chunks:
+
+![Screenshot of Network monitor on ](/static/blog/angstromctf-streams-network.jpg)
+
+- chunk-stream0-0000*.m4s chunks initiated by init-stream0.m4s
+- chunk-stream1-0000*.m4s chunks initiated by init-stream1.m4s 
+
+In addition there are two attempts to get a file called stream.mp4 (one that has a status of 206 – partial content, and one 200 – complete)… interesting. We got the file using the “Request URL”:
+
+```
+$wget https://streams.2019.chall.actf.co/video/stream.mp4
+$file stream.mp4
+stream.mp4: XML 1.0 document, ASCII text
+```
+
+That’s interesting… Let’s open that in an editor. The XML reads as follows (cleaned up for conciseness):
+
+```
+<?xml version="1.0" encoding="utf-8"?>
+	
+			<AdaptationSet id="0" contentType="video" segmentAlignment="true" bitstreamSwitching="true" frameRate="30/1" lang="und">
+				<Representation id="0" mimeType="video/mp4" codecs="avc1.64001f" bandwidth="278539187" width="1280" height="720" frameRate="30/1">
+					...
+				</Representation>
+			</AdaptationSet>
+			<AdaptationSet id="1" contentType="audio" segmentAlignment="true" bitstreamSwitching="true" lang="eng">
+				<Representation id="1" mimeType="audio/mp4" codecs="mp4a.40.2" bandwidth="128000" audioSamplingRate="44100">
+					<AudioChannelConfiguration schemeIdUri="urn:mpeg:dash:23003:3:audio_channel_configuration:2011" value="2" />
+					...
+				</Representation>
+			</AdaptationSet>
+			<AdaptationSet id="2" contentType="audio" segmentAlignment="true" bitstreamSwitching="true" lang="und">
+				<Representation id="2" mimeType="audio/mp4" codecs="mp4a.40.2" bandwidth="48000" audioSamplingRate="8000">
+					<AudioChannelConfiguration schemeIdUri="urn:mpeg:dash:23003:3:audio_channel_configuration:2011" value="1" />
+					...
+				</Representation>
+			</AdaptationSet>
+		</Period>
+	</MPD>
+```
+
+Notice that there are actually 3 streams: 0: mp4 video, 1, 2: mp4 audio. Our hunch that some audio will contain our flag is looking good, but how to get this last audio file? To ensure that we know how this process of ‘getting’ a channel looks and works, we try it on a channel we know to exist: channel 0: mp4 video.
+
+From our examination of the files required for the page, we know there are 4 chunks needed, and an init file. We know their names too.
+
+```
+$wget https://streams.2019.chall.actf.co/video/init-stream0.m4s
+$wget https://streams.2019.chall.actf.co/video/chunk-stream0-00001.m4s
+...
+$wget https://streams.2019.chall.actf.co/video/chunk-stream0-00004.m4s
+$ls
+chunk-stream0-00001.m4s
+chunk-stream0-00002.m4s
+chunk-stream0-00003.m4s
+chunk-stream0-00004.m4s
+init-stream0.m4s
+```
+
+Now that we have all our m4s chunks, we can concatenate them into an mp4 file:
+
+```
+$cat init-stream0.m4s $(ls -vx chunk-stream0-*.m4s) > stream0.mp4
+```
+
+That file plays the video of the brook that is on the site! Now onto grabbing the unknown audio stream. We need:
+
+    init file for stream2
+    chunks 1..n for stream2
+
+…and because we think we know naming conventions, we can guess that those files will be called:
+
+- init-stream2.m4s
+- chunk-stream2-0000x.m4s | x in 1..n
+
+Lets go try to grab that init file:
+
+```
+$wget https://streams.2019.chall.actf.co/video/init-stream2.m4s
+‘init-stream2.m4s’ saved [741/741] 
+```
+
+It exists! We’re go to get the chunks now, but how do we know how many to grab? What I did was to keep wget-ing the next one while the size of the file was reasonably large:
+
+```
+$wget https://streams.2019.chall.actf.co/video/chunk-stream2-00001.m4s
+‘chunk-stream2-00001.m4s’ saved [32629/32629]
+```
+
+… rinse repeat:
+
+```
+$ls -lah 
+32K  chunk-stream2-00001.m4s
+31K  chunk-stream2-00002.m4s
+32K  chunk-stream2-00003.m4s
+33K  chunk-stream2-00004.m4s
+32K  chunk-stream2-00005.m4s
+33K  chunk-stream2-00006.m4s
+9.7K chunk-stream2-00007.m4s
+1.5K chunk-stream2-00008.m4s
+883  chunk-stream2-00009.m4s
+883  chunk-stream2-00010.m4s
+883  chunk-stream2-00011.m4s
+741  init-stream2.m4s
+```
+
+Notice how the sizes drop off at the end? Chunks 9, 10, 11 are not even fetching chunks anymore, they are getting the HTML for the site. We can delete those, and keep 1..8.
+
+Now we turn those good chunks into a mp4 file:
+
+```
+$cat init-stream2.m4s $(ls -vx chunk-stream2-*.m4s) > stream2.mp4
+```
+
+Listening to this file makes it obvious that morse code is at play, so off to the [online audio file to text (via morse) converter](https://morsecode.scphillips.com/labs/audio-decoder-adaptive/). There we upload the mp4, and get this result:
+
+```
+ACTF<KN>F#45H-15-B34D-10N9-11V3-M#39-D45H)
+```
+
+Well that looks ok… but what are those ‘#’? running it again cleans some of this up:
+
+```
+ACTF<KN>F145H-15-B34D-10N9-11V3-MP39-D45H)
+```
+
+Let’s try to understand what it is saying. “flash is bead long live mpeg-dash”. They likely meant ‘dead’ not ‘bead’ so let’s fix that and give that flag a try:
+
+```
+actf{f145h_15_d34d_10n9_11v3_mp39_d45h}
+```

content/blog/meeting-notes-3-7.md

@@ -0,0 +1,16 @@
+---
+title: "Meeting Notes - 3/7"
+author: "Zander Work"
+date: 2019-03-07T00:00:00-07:00
+categories: ['Meeting Notes']
+tags: []
+caption: ""
+
+draft: false
+---
+
+Thanks to Kees Cook for an awesome look at kernel security! Kees talked about how the kernel exploit for CVE-2017-7038 was discovered, which allowed privilege escalation due to a heap overflow.
+
+You can see his slides [here](https://drive.google.com/file/d/1T4pHribl-TFyw02ho7goFhVGfSzXkqXB/view?usp=sharing), which also has information for building the POC images for the exploit.
+
+This was our last meeting for Winter 2019, so I’ll see you all next term! Our first meeting will be on Week 2.

content/blog/meeting-notes-4-18.md

@@ -0,0 +1,16 @@
+---
+title: "Meeting Notes 4/18"
+author: "Zander Work"
+date: 2019-04-18T00:00:00-07:00
+categories: ['Meeting Notes']
+tags: []
+caption: ""
+
+draft: false
+---
+
+Tonight I gave a tutorial on IDA Pro basics, and how to get started with this awesome tool. I also released some new binaries on the CTF site for you to practice IDA.
+
+Remember, as a OSU Security Club member you have access to our lab systems, which has the full version of IDA Pro and the Hex-Rays Decompiler installed, so make sure to use those if you want to take advantage of the advanced functionality.
+
+[Link to the slides](https://docs.google.com/presentation/d/1hjS17xuQy3TXWGvnDxQHi0oSoadHruOOrJtmlPW1GT8/edit?usp=sharing)

content/blog/prccdc-2019-results.md

@@ -0,0 +1,30 @@
+---
+title: "PRCCDC 2019 Results"
+author: "Zander Work"
+date: 2019-03-24T00:00:00-07:00
+categories: ['Club News']
+tags: []
+caption: "Victory photo of 6 OSUSEC students, with one holding a trophy"
+
+draft: false
+---
+
+This past weekend, OSUSEC competed at the Pacific Rim Collegiate Cyber Defense Competition (PRCCDC) hosted by Highline College. I’m pleased to announce that we placed 3rd out of 13 teams in this tough competition.
+
+PRCCDC is a 2 day competition where each team must secure a mix of approximately 10 Windows and Linux systems, configure a border firewall, monitor and defend against attacks from the Red Team, and work with business users over the phone throughout the event.
+
+!["Photo of full team for PRCCDC 2019 and Emily Longman"](/static/blog/prccdc-2019-results-everyone.jpg)
+
+Here’s the full team (from left to right):
+
+- Emily Longman (Faculty Advisor)
+- Lyell Read
+- Ryan Kennedy
+- Zander Work
+- Hadi Rahal-Arabi
+- Khoung Luu
+- Zach Rogers
+- Curtis Warrick
+- Matt Jansen
+
+For more information on the competition, please see the P[RCCDC website](http://prccdc.org/).