Sunday, June 28, 2015

BSides Asheville 2015 CTF

BSides Asheville 2015 was this weekend in North Carolina and is one of my favorite BSides, as they live stream some of their presentations and this year hosted an online CTF for remote attendees. I actually built the CTF for BSides Asheville 2015, which was the first CTF I've built and run on my own (although modeled off of the BSides San Francisco CTF). Again, I used Matir's scoreboard and a similar server configuration as before. We ran the CTF for 10 hours, I whipped together 16 challenges totaling 1,800 points, and we had 26 players on 14 teams. Overall, 15 of the challenges were solved and the teams collectively scored 4,865 points, with only 8 of the teams breaking 0. I had 3 network analysis, 4 malware analysis, 6 crypto, and 3 miscellaneous challenges. The CTF was themed around celebrating the Sneakers movie, similar to how the BSides SF CTF was Hackers themed. Feel free to check it out; I'm going to leave the server up for the next few days for anyone who wants to play around on it at https://setec.science (I have since taken the server down; if you still want access to any of the challenges, please let me know). Finally, I've included a screenshot of the final scoreboard below:


Thanks for playing everyone! Would love to hear feedback!! I'm looking at you SamSlam of IcePiratesv6 or anyone from Cha-Ha who played!

Friday, June 26, 2015

PHP, PDO, and Prepared Statements

Hey all! Seeing as how PDO can be such a strong aid in preventing SQL injection, and seeing as how so few people use it in PHP (due to being new to PHP / programming or just unexposed to it), I thought I would take a moment to expand on how to use PDO to help prevent SQL injection.

Recently, my colleague wrote a brief post on switching a legacy PHP application from the old mysql connector to PDO; however, one key element I want to highlight is the way PDO helps prevent SQL injection, which is through prepared statements. In his example he puts variables directly in the statements (although he does escape and quote the input), as opposed to using PDO's placeholders in a prepared statement and then assigning the input dynamically. You can see this below:


I've updated it a bit to use prepared statements, which should help prevent SQL injection (granted, we still need to verify our input; I use a custom input validation class when accepting the data from the user) and allows us to reuse more code by dynamically reassigning variables and executing the statement again (as is shown in the commented-out Optional Step):


Finally, there are tons of resources out there on how to use PDO, but there are so many different ways to implement it that I find it can be a bit of an information overload. If you're sticking to the method I described here, then this other post can show you some other prepared statements in similar PDO fashion. There are also really good posts on using more PDO functionality for various statements in other ways. Until next time!!
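As an added illustration for this post (this is example code written for this page, not the original post's script or the colleague's version it references), here is the interpolated-query style next to a PDO prepared statement with named placeholders, followed by the "prepare once, execute many" reuse described above. The DSN, credentials, the `users` table with columns `id`, `username` and `email`, and the username validation regex are all assumptions for the example.

```php
<?php
// Added example for this post, not the original code: the interpolated-query
// style next to a PDO prepared statement, plus reusing one prepared statement.
// Assumptions: a MySQL database reachable with the DSN/credentials below and a
// `users` table with columns id, username, email. Replace them for real use.

$dsn  = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
$user = 'app_user';
$pass = 'REPLACE_ME'; // placeholder credential

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // errors become exceptions
    PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Style to move away from: the SQL text is built from the input, so correctness
// rests entirely on quote() and the connection charset being right.
function findUserByConcat(PDO $pdo, string $username): array
{
    $sql = 'SELECT id, username, email FROM users WHERE username = '
         . $pdo->quote($username);
    return $pdo->query($sql)->fetchAll();
}

// Prepared statement: the SQL text is fixed and the value travels separately,
// so quotes or comment sequences inside $username are just data, never SQL.
function findUserPrepared(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, email FROM users WHERE username = :username'
    );
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll();
}

// The "Optional Step" idea: prepare once, then execute repeatedly with new
// values. Wrapped in a transaction so a partially failed batch is rolled back.
function insertUsers(PDO $pdo, array $rows): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, email) VALUES (:username, :email)'
    );
    $inserted = 0;
    $pdo->beginTransaction();
    try {
        foreach ($rows as $row) {
            $stmt->execute([
                ':username' => $row['username'],
                ':email'    => $row['email'],
            ]);
            $inserted += $stmt->rowCount();
        }
        $pdo->commit();
    } catch (PDOException $e) {
        $pdo->rollBack();
        throw $e;
    }
    return $inserted;
}

// Placeholders stop injection; they do not stop bad data. Validate the shape
// of the input before it reaches the query (the regex is an assumed policy).
function isValidUsername(string $username): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $username) === 1;
}

$input = $_POST['username'] ?? '';
if (!isValidUsername($input)) {
    http_response_code(400);
    exit('invalid username');
}

foreach (findUserPrepared($pdo, $input) as $row) {
    // Output-encode on the way out as well; SQL safety and HTML safety are separate.
    echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Two caveats worth keeping in mind: with `PDO::ATTR_EMULATE_PREPARES` set to false the MySQL driver sends the statement and the parameters to the server separately, which is the property that makes the placeholder safe; and placeholders can only stand in for values, so anything that selects a table, column, or sort direction has to come from a fixed allow-list in your code rather than from a bound parameter.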

Saturday, June 20, 2015

SecurityTube Python Scripting Expert Course Review (SPSE)

Hey Guys! I've been taking securitytube.net's Python Scripting Expert Course lately (SPSE for short), and thought I would write a quick review of the course before I go for the certification it offers at the end. The videos can be cheap, giving you access for as little as $39; however, with the certification the course can cost $250, which seems a bit pricey! When you register for the course, there is also an odd 24-48 hour delay from payment to receiving the video packages. However, this course is epic: it dives deep into the details of the Python language, providing a solid computer science background for the many security-focused tasks it puts before the students. Some critique that Vivek (the course instructor) has a thick Indian accent that makes the lessons hard to understand; however, I disagree and had no problems with his speech. There are 9 modules, with roughly 6-10 videos each; however, the videos are short, ranging from 6-20 minutes, ultimately totaling only a few hours of video. Vivek spends a lot of time guiding the users through programs, and then assigns difficult tasks based on the lessons learned in the guided programs at the end of every video. Overall, I highly recommend this series for those looking to learn Python, improve their Python game, or get deeper into the details of computer security engineering. Basically, I would suggest this video-guided Python course over the Cybrary.it course I reviewed last time. Personally I think, if you're familiar with Python, then it should be easy to skip the first and second modules; however, I had fun going over them. That said, the later modules are challenging and fun, taking common security tasks and guiding you to implementing them yourself in a variety of different ways. I've included the syllabus below for those interested in the course material:

Module 1: Python Scripting – Language Essentials
Introduction to Interpreted Languages and Python
Data Types and variables
Operators and Expressions
Program Structure and Control
Functions and Functional Programming
Classes, Objects and other OOPS concepts
Modules, Packages and Distribution
Python in Linux and Unixes
Python in Windows
Python in Mobiles: iPhone and Androids
Python in Embedded Devices: Routers
Program Portability
Lab Exercises

Module 2: System Programming and Security
I/O in Python
File and Directory Access
Multithreading and Concurrency
Inter Process Communication (IPC)
Permissions and Controls
Case Studies
Lab Exercises

Module 3: Network Security Programming – Sniffers and Packet Injectors

Raw Socket basics
Socket Libraries and Functionality
Programming Servers and Clients
Programming Wired and Wireless Sniffers
Programming arbitrary packet injectors
PCAP file parsing and analysis
Case Studies
Lab Exercises

Module 4: Web Application Security
Web Servers and Client scripting
Web Application Fuzzers
Scraping Web Applications – HTML and XML file analysis
Web Browser Emulation
Attacking Web Services
Application Proxies and Data Mangling
Automation of attacks such as SQL Injection, XSS etc.
Case Studies
Lab Exercises

Module 5: Exploitation Techniques
Exploit Development techniques
Immunity Debuggers and Libs
Writing plugins in Python
Binary data analysis
Exploit analysis Automation
Case Studies
Lab Exercises

Module 6: Malware Analysis and Reverse Engineering
Process Debugging basics
Pydbg and its applications
Analyzing live applications
Setting breakpoints, reading memory etc.
In-memory modifications and patching
Case Studies
Lab Exercises

Module 7: Attack Task Automation
Task Automation with Python
Libraries and Applications
Case Studies
Lab Exercises

Module 8: Further Study and Roadmap
Course consolidation
Interesting project ideas to pursue

Module 9: Exam Pattern and Mock Exam

Exam format
Example Questions
Mock Exam

But like I always say, it's all about the code. Which is why I've been documenting my progress and small scripts in an open GitHub repo to help others with template code. It's a fun little repo and I hope others will contribute comments and more template code. I will check back in when I have passed the certification, but in the meantime keep your eyes on the repo, and here is my favorite sample video from the course:

Monday, June 1, 2015

Book Review: "Android Security Internals"

"Android Security Internals: An In-Depth Guide to Android's Security Architecture" by Nikolay Elenkov, who also runs a blog on Android security, is one of the best technical books I've read in a while. It should be said right off the bat that this book focuses on Android 4.4 (KitKat), so it doesn't cover Lollipop or the new Android M (that we saw at Google I/O). That said, this book is amazing and one of the most comprehensive Android texts I have read to date, really bringing me up to speed on Android since my trek into it ages ago. This 430-page book is a steal at ~$35 (on Amazon, $50 at No Starch)!! "Android Security Internals" is a highly technical book; the writing is descriptive and utilizes lots of graphics, system screenshots, and code to help illustrate its points, as you can see in the public first chapter of the book. Overall, I give the book 8 out of 10 stars, as it's highly technical and provides great insight into the security architecture of Android, but unfortunately is already a bit dated due to the incredibly fast innovation rate of Android. Below is a high-level overview of the table of contents, although a more in-depth table of contents is available via No Starch.

Chapter 1: Android’s Security Model
  • Android’s Architecture
  • Android’s Security Model
Chapter 2: Permissions
  • The Nature of Permissions
  • Requesting Permissions
  • Permission Management
  • Permission Protection Levels
  • Permission Assignment
  • Permission Enforcement
  • System Permissions
  • Shared User ID
  • Custom Permissions
  • Public and Private Components
  • Activity and Service Permissions
  • Broadcast Permissions
  • Content Provider Permissions
  • Pending Intents
Chapter 3: Package Management
  • Android Application Package Format
  • Code signing
  • APK Install Process
  • Package Verification
Chapter 4: User Management
  • Multi-User Support Overview
  • Types of Users
  • User Management
  • User Metadata
  • Per-User Application Management
  • External Storage
  • Other Multi-User Features
Chapter 5: Cryptographic Providers
  • JCA Provider Architecture
  • JCA Engine Classes
  • Android JCA Providers
  • Using a Custom Provider
Chapter 6: Network Security and PKI
  • PKI and SSL Overview
  • JSSE Introduction
  • Android JSSE Implementation
Chapter 7: Credential Storage
  • VPN and Wi-Fi EAP Credentials
  • Credential Storage Implementation
  • Public APIs
Chapter 8: Online Account Management
  • Android Account Management Overview
  • Account Management Implementation
  • Google Accounts Support
Chapter 9: Enterprise Security
  • Device Administration
  • VPN Support
  • Wi-Fi EAP
Chapter 10: Device Security
  • Controlling OS Boot-Up and Installation
  • Verified Boot
  • Disk Encryption
  • Screen Security
  • Secure USB Debugging
  • Android Backup
Chapter 11: NFC and Secure Elements
  • NFC Overview
  • Android NFC Support
  • Secure Elements
  • Software Card Emulation
Chapter 12: SELinux
  • SELinux Introduction
  • Android Implementation
  • Android 4.4 SELinux Policy
Chapter 13: System Updates and Root Access
  • Bootloader
  • Recovery
  • Root Access
  • Root Access on Production Builds
Some of my favorite bits include the in-depth dive on permission enforcement; I really liked all of the code examples in Chapter 2, showing the various socket calls for resources. Chapter 10 was another of my favorite chapters, focusing on device security; this chapter really conveyed how the trusted boot process works. Overall, this book was a great, unified deep dive on Android.

Wednesday, May 27, 2015

Google I/O 2015 Conference Live Stream and Blog

Hey all! Google's I/O 2015 conference falls on Thursday and Friday this year, May 28th and 29th of 2015. I've decided to include a live stream below, so it's easy for remote folks to follow along, as well as live posting some of my favorite talks and updates! Enjoy the stream below and stay tuned for my updates, where I will highlight cool new security features and Android features below the stream!!



Live Update (Day1 9:00am PT):
Keynote kicks off in a half hour! While we wait, it's cool to watch a giant conference-sized game of Pong being played via projectors in the main conference room.

Live Update (Day1 9:45am PT): Keynote
A lot of this keynote covered the explosive growth and market share of Android. One of the key facts cited that I noted is that "8 out of 10 mobile devices shipping today are running Android". Now they are starting to put Android into automobiles, with Android Auto! Android TV is also growing massively, with large retailers such as Sony using it, as well as Chromecast! Google announced App Permissions: you can now selectively agree to app permissions that make sense to you, such that an application will now ask for permissions the first time it tries to use a feature, no longer at installation! This is a one-time request (although you can modify those selected permissions in settings); however, it gives the users selective control over permissions, which was unheard of before (it was all or nothing at install). They also added in platform application linking, which is a secure and interesting way to handle links to sites, which then redirect to specific applications. Android Pay was also another big announcement, using NFC to perform transactions. This is interesting because it doesn't use your real credit card to perform the transaction, but rather a pseudo-account number managed by Google. They also introduced system support for fingerprint readers, which can be used from an API perspective to integrate fingerprint support, or from a user perspective to authenticate things such as Android Pay.

Live Update (Day1 1:00pm PT): What's new in Android?
Talking more about Android M; of specific note is again the user getting full control of App Permissions, both at use and in Settings. There will be an entire session on App Permissions in M later in Google I/O 2015. There were also lots of quality updates to the OS, although fewer security updates.

Live Update (Day1 2:00pm PT): What's New in Android Development Tools? 
New compiler for Android applications called Jack! They are also releasing a suite of Android testing libraries, a virtual lab environment to enable testing, and even Google Play Store testing!

Live Update (Day1 3:00pm PT): Android Pay: The next generation of payments on Android
This talk was great, as it discussed how Google opened up key APIs for developers to be able to use the NFC components on Android phones to enable Android Pay. Android Pay will work on any carrier phone that supports KitKat or greater. Further, they worked with the payment networks to avoid storing any actual credit card data on the phone, instead storing a secure token that authorizes payments through Android Pay (a great security feature)! The Android Pay feature is also protected with the screen lock, requiring that extra step of verification before a payment is processed. This was followed with some live demos of Android Pay for the first time on stage, which worked flawlessly (despite leaking the presenter's lock screen code)! The next demo showed Android Pay being used with a vending machine (and apparently there are already 85k vending machines equipped w/ Android Pay support around the world). Android Pay also supports in-app purchases, which are again secured with an additional unlock authentication screen.

Live Update (Day1 4:00pm PT): Making apps context aware: Opportunities, tools, lessons and the future
This talk was all about using the sensors built into the phone to bring more context to the actions we take on the phone. This was an interesting talk, as they introduced a bunch of security controls that revolve around sensor data. One example was an unlocked phone that gets picked up and walked around with, and stays unlocked based on 'On-Body' detection. This also introduced Trusted Places, which can keep the device unlocked in selected places (based on the Place Picker and Geofencing APIs). This was all rolled into the Activity Recognition API, which attempts to detect the physical activity in progress and then lets application developers trigger events based on these physical activities.

Live Update (Day2 11:00am PT): Helping Moonshots Survive Contact with the Real World
This was a very interesting talk, but I only caught some of it; it discussed interesting projects used and tested by GoogleX. It presented a very interesting and pragmatic methodology of failing fast and finding the huge hangups which restrict such projects. This was a good presentation not only for the insight into GoogleX but also as advice for feeling out the potential success factor of any project.

Live Update (Day2 2:00pm PT): Android M Permissions
Back into Android! And this time into the nitty-gritty details of what was covered in the keynote regarding the granular, accept-at-run-time permission model of Android M. In the past with Android we've seen limited control over app permissions, install friction with the all-or-nothing model, and no control over permissions in regards to updates. Android M introduces fewer and simpler permissions, prompts the user for access at run time, and finally lets the user audit all permissions granted to apps through the settings. New high-level permission groups also simplify things, reducing the groups to: location, camera, microphone, phone, SMS, contacts, calendar, sensors. This also enables app installs and updates to happen automatically and seamlessly, as permissions are now granted at run time vs. the install wall. This is also unique per user, so different users can run the same apps differently as they see fit. Apps can ask for privileges multiple times (if rejected), but subsequent requests can also be permanently silenced by users, creating interesting new dynamics between apps and users. Finally, with all apps now subject to toggleable permissions in their settings, users finally have the power to concisely audit the permissions exposed on their phone. This even works for apps published before M that are now running on M (lol, can't wait to see what that breaks). Really looking forward to this fine-grained permission control that has been missing from Android for a long while; basically can't wait to main one of the Android M phones!

Thursday, May 21, 2015

PwnPi 3 Final Review

I recently got to use the PwnPi 3 Final release, so I thought I would do a little review, as traditionally this product didn't live up to the standard of the PwnPlug, but the idea of a $35 alternative to the famous $695 drop box was intriguing. You can use this tutorial for flashing the image. For our review, I'm using a Raspberry Pi 1 Model B and the PwnPi 3 Final release listed below:



The PwnPi comes with an impressive list of tools, a nice BusyBox UI, and some preconfigured remote administrative capabilities. The OS is based on Raspbian but feels more like Kali. I really enjoy the preconfigured Conky setup; it gives a lot of nice information and a hacker feel to the desktop. The tools included make it an effective network pen test suite; however, the CPU on my Pi 1 Model B was a limiting factor with a number of the tools. That said, the preconfigured callback features make it an easy rogue device to add to a network. You're likely going to want to use the VNC callback (it comes preconfigured with a VNC and a netcat callback), as the netcat callback will be unencrypted and insecure. The tool list is below, in a mashup of the PwnPi site and SourceForge tool list:

Information Gathering
---------------------
theharvester - gather emails, subdomains, hosts, employee names, open ports and banners      
tcpspy - Incoming and Outgoing TCP/IP connections logger            
tcpflow - TCP flow recorder            
pscan - Format string security checker for C files              
ngrep - nmap tool for parsing scan results        
bing-ip2hosts - Enumerate hostnames for an IP using bing
hostmap - hostnames and virtual hosts discovery tool            
metagoofil - an information gathering tool designed for extracting metadata        
mdk3 - bruteforce SSID's, bruteforce MAC filters, SSID beacon flood              
lynis - security auditing tool for Unix based systems              
enum4linux - a tool for enumerating information from Windows and Samba systems        
chaosreader - trace network sessions and export it to html format        
kismet - Wireless 802.11b monitoring tool            
btscanner - ncurses-based scanner for Bluetooth devices          
airodump-ng - Wireless tool for capturing handshakes
ike-scan - discover and fingerprint IKE hosts (IPsec VPN Servers)
svmap              
sslscan - Fast SSL scanner
ncat              
ipcalc            
nbtscan - A program for scanning networks for NetBIOS name information
amap - a powerful application mapper
sslstrip - SSL/TLS man-in-the-middle attack tool
sslsniff - SSL/TLS man-in-the-middle attack tool
ssldump - An SSLv3/TLS network protocol analyzer
onesixtyone - fast and simple SNMP scanner
swaks - SMTP command-line test tool
smbclient          
tcptraceroute      
netmask            
dmitry - Deepmagic Information Gathering Tool
xprobe2            
p0f - Passive OS fingerprinting tool
wireshark - network traffic analyzer - GTK+ version
tcpdump - command-line network traffic analyzer
zenmap - The Network Mapper Front End
svwar              
nmap - The Network Mapper
netdiscover - active/passive network address scanner using arp requests
hping3 - Active Network Smashing Tool            
fping - sends ICMP ECHO_REQUEST packets to network hosts
arp-fingerprint  
arping            
dnswalk - Checks dns zone information using nameserver lookups
dnstracer          

Vulnerability Assessment
------------------------
wbox - HTTP testing tool and configuration-less HTTP server
ratproxy - passive web application security assessment tool
netwox - networking utilities
lsat                
bfbtester - Brute Force Binary Tester
sqlninja - SQL Server injection and takeover tool
airodump-ng              
sqlbrute - a tool for brute forcing data out of databases using blind SQL injection
wash - scan for vulnerable WPS access points
wapiti - Web application vulnerability scanner
w3af - framework to find and exploit web application vulnerabilities
mysqloit - SQL Injection takeover tool focused on LAMP
sqlmap - tool that automates the process of detecting and exploiting SQL injection flaws
skipfish - fully automated, active web application security reconnaissance tool
nikto - web server security scanner
metagoofil - an information gathering tool designed for extracting metadata          
openvas-client - Remote network security auditor, the client
openvas-server - remote network security auditor - server
svcrack - Sipvicious tool for cracking Voip logins              

Exploitation Tools
------------------
w3af-console - framework to find and exploit web application vulnerabilities (CLI only)
msfpayload - payload generation tool from metasploit
exploit-db - Exploit Database
bsqlbf - Blind SQL injection brute forcer tool
inguma - Open source penetration testing toolkit
msfencode - payload encoding tool from metasploit
msfvenom - payload generation and encoding tool from metasploit
msfconsole - metasploit console
s.e.t - Social Engineers Toolkit
aircrack-ng - WEP/WPA cracking program
reaver - brute force attack tool against Wifi Protected Setup PIN number
airmon-ng    
airodump-ng  
aireplay-ng  
sslstrip - SSL/TLS man-in-the-middle attack tool
mysqloit - SQL Injection takeover tool focused on LAMP
sqlninja - SQL Server injection and takeover tool          
sqlmap - tool that automates the process of detecting and exploiting SQL injection flaws
isr-evilgrade - take advantage of poor upgrade implementations by injecting fake updates

Privilege Escalation
--------------------
voiphopper - VoIP infrastructure security testing tool
yersinia - Network vulnerabilities check software
voipong - VoIP sniffer and call detector
wireshark - network traffic analyzer - GTK+ version
tcpdump - command-line network traffic analyzer
ettercap - Network man in the middle tool
tcpreplay - Tool to replay saved tcpdump files at arbitrary speeds
tcpick - TCP stream sniffer and connection tracker
pdfcrack - PDF files password cracker
packit - Network Injection and Capture
packeth - Ethernet packet generator
netsed - network packet-altering stream editor
filesnarf
mailsnarf
msgsnarf
urlsnarf
dsniff - Various tools to sniff network traffic for cleartext insecurities
darkstat - network traffic analyzer
mdk3 - bruteforce SSID's, bruteforce MAC filters, SSID beacon flood
pentbox - Suite that packs security and stability testing oriented tools
medusa - fast, parallel, modular, login brute-forcer for network services
hydra - Very fast network logon cracker
sipcrack - SIP login dumper/cracker
john the ripper - active password cracking tool
fcrackzip - password cracker for zip archives

Maintaining Access
------------------
6tunnel - TCP proxy for non-IPv6 applications
vidalia - controller GUI for Tor
ptunnel - Tunnel TCP connections over ICMP packets
netcat-traditional - TCP/IP swiss army knife
ftp-proxy - application level proxy for the FTP protocol
udptunnel - tunnel UDP packets over a TCP connection
tinyproxy - A lightweight, non-caching, optionally anonymizing HTTP proxy
stunnel4 - Universal SSL tunnel for network daemons
socat - multipurpose relay for bidirectional data transfer
proxychains - proxy chains - redirect connections through proxy servers
iodine - tool for tunneling IPv4 data through a DNS server
dns2tcp - TCP over DNS tunnel client and server
cryptcat - A lightweight version netcat extended with twofish encryption

Stress Testing
--------------
mz - versatile packet creation and network traffic generation tool
siege - HTTP regression testing and benchmarking utility

Reverse Engineering
-------------------
dissy - graphical frontend for objdump
splint - tool for statically checking C programs for bugs

Adding a wireless card to your Pi is a nice touch as well. I sure was relieved when my TP-Link TL-WN722N played nicely; even though it's not on the following supported wireless list, it instantly showed up in iwconfig. Using wireless, it would be easy to drop this kind of device anywhere in a corporate environment, under or behind a desk. The following is the list of officially supported wifi cards:

3COM 3CRUSB10075
7DayShop W-3S01BLK
Alfa AWUS036NEH
Alfa AWUS036NH
Alfa AWUS036H
Alfa AWUS036NHA
AirLink101 AWLL5088
Asus USB-N10
Asus USB-N13
Asus WL-167G v1
Asus WL-167G v3
AusPi Technologies WiFi Adapter
Belkin F5D7050 v3000
Belkin F5D8053 ver6001
Belkin F7D1101 v1
Belkin F7D2102 N300 Micro
Belkin F9L1001v1 N150
Belkin Surf Micro
BlueProton BT3
Buffalo WLI-UC-GNM
Buffalo WLI-UC-G300N
Conceptronic C300RU
Conrad N150 mini
DELL Wireless 1450
DIGICOM USBWAVE54
DIGICOM USBWAVE300C
D-Link AirPlus G DWL-G122
D-Link DWA-110 Version A1
D-Link DWA-121 Version A1
D-Link DWA-131 Version A1
D-Link DWA-140 Version B1
D-Link DWA-160 Version B1
D-Link DWA-160 Version A2
D-Link WUA-1340 (Version A1)
Edimax EW-7811Un
Edimax EW-7318USg
Edimax EW-7711UAn
Edup 150MBPS Wi-Fi Adapter
Edup Ultra-Mini Nano
Edup EP-N8508
Eminent EM4575
EnGenius EUB9603
Gigabyte GN-WB32L
IOGear GWU625
Linksys WUSB100 v2
Linksys WUSB600N
Linksys WUSB54GC
LogiLink Nano Adapter 802.11n
Mvix Nubbin MS-811N
Netgear N150
Netgear WG111v1
Netgear WG111v2
Netgear WNA1000M
OvisLink Evo-W300USB
Patriot Memory PCBOWAU2-N
Ralink RT2770F
Ralink RT3070
Ralink RT2501
Ralink RT2573
Ralink RT5370
Rosewill RNX-N180UBE
Rosewill RNX-G1 Wireless B/G Adapter
Rosewill RNX-MiniN1
Sabrent USB-A11N
Sagem XG-760N
Sempre WU300-2
Sitecom N300
SL SL-1507N
SMC SMCWUSBS-N
SMC SMCWUSB-G
Sony UWA-BR100
Tenda W311MI
Tenda W311U
The Pi Hut USB 802.11n
TP-Link TL-WN422G v2
TP-Link TL-WN721N
TP-Link TL-WN723N
TP-Link TL-WN821N
Trendnet TEW-648UBM
Widemac RT5370
ZyXEL NWD2105
ZyXEL G-202

In conclusion, the PwnPi 3 makes an effective pen test drop box solution. You can't beat that price, and I've even ordered a new Raspberry Pi 2 to try it out on the upgraded hardware. Here's a good example of using it for ARP spoofing and backdooring unencrypted binaries. Here's to adding another tool to the arsenal, especially one that can enable such lasting network persistence for so cheap!

Sunday, May 17, 2015

DefCon CTF 2015 Quals WriteUp: BabyCmd and MathWhiz

Hey all! I got to play some of DefCon CTF 2015 Quals early on Friday evening, during which I was able to solve the BabyCmd challenge. First, they provided you with this binary, and also a service to connect to and pwn. The binary was a stripped, 64-bit ELF that gave the user a limited command shell, consisting of these four commands:



and if you take too long:


After playing around I discovered a format string vulnerability, but this didn't seem to yield much:


Next I found I could escape the input and get command injection:


Which quickly led to being able to traverse the disk, and locate the flag (note, our commands couldn't include spaces or pipes):


And then read the flag:



MathWhiz was another quick solve. This one came with no binary, just a socket connection where they throw a ton of math questions at you with various differences, such as brackets, braces, exponents, and numbers written as words. You only have a few seconds to solve each question, and have to solve well over 500, so an automated solution is the way to go. I drafted up a quick Python script, which you can find below:

This does the trick too, as you can tell from the output below:



Just some more quick CTF solutions :)