Hello Navi

note and sharing

General Usage

Use -f to specify the memory image and -s for symbol directories if they are not in the default path.

# Basic syntax
vol -f <image> <plugin>

# Common flags
-f, --file <image> # Path to the memory dump
-s, --symbol-dirs <path> # Custom symbol tables directory (e.g., ~/ctf/symbolTables)
-o, --output-dir <path> # Directory to save dumped files

System Information

# Get basic OS information
vol -f image.vmem windows.info.Info

Processes & Activity

# List processes (EPROCESS list)
vol -f image.vmem windows.pslist.PsList

# Scan for hidden/terminated processes
vol -f image.vmem windows.psscan.PsScan

# Show process parent-child relationships
vol -f image.vmem windows.pstree.PsTree

# Show command line arguments for processes
vol -f image.vmem windows.cmdline.CmdLine
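The reason pslist and psscan are run together: a process that psscan finds by carving EPROCESS structures but that pslist's linked-list walk does not return is either unlinked from the list or already terminated. The script below is an added example written for these notes (it is not part of Volatility) that automates that comparison. It parses the tab-separated table output of the vol3 default renderer; the column layout and the sample rows are constructed assumptions, so compare them with the header line of your own run before trusting the field names.

```python
"""Cross-check windows.pslist against windows.psscan (added example)."""

# Constructed sample output mimicking vol3's tab-separated default renderer,
# banner and Progress lines included. Column order is an assumption.
PSLIST_SAMPLE = """Volatility 3 Framework
Progress:  100.00\t\tPDB scanning finished
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime
4\t0\tSystem\t0xfa8000c8e040\t83\t499\tN/A\tFalse\t2024-01-01 10:00:00.000000\tN/A
548\t4\tsmss.exe\t0xfa80019b5b30\t2\t29\tN/A\tFalse\t2024-01-01 10:00:01.000000\tN/A
1204\t548\texplorer.exe\t0xfa8001c0f060\t30\t900\t1\tFalse\t2024-01-01 10:00:05.000000\tN/A
"""

PSSCAN_SAMPLE = """Volatility 3 Framework
Progress:  100.00\t\tPDB scanning finished
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime
4\t0\tSystem\t0xfa8000c8e040\t83\t499\tN/A\tFalse\t2024-01-01 10:00:00.000000\tN/A
548\t4\tsmss.exe\t0xfa80019b5b30\t2\t29\tN/A\tFalse\t2024-01-01 10:00:01.000000\tN/A
1204\t548\texplorer.exe\t0xfa8001c0f060\t30\t900\t1\tFalse\t2024-01-01 10:00:05.000000\tN/A
2288\t1204\tunlisted.exe\t0xfa8001e77b30\t5\t120\t1\tFalse\t2024-01-01 10:07:12.000000\tN/A
3012\t1204\tnotepad.exe\t0xfa8001f11a20\t0\t0\t1\tFalse\t2024-01-01 10:03:00.000000\t2024-01-01 10:04:00.000000
"""


def parse_vol_table(text):
    """Turn vol3 table output into a list of row dicts keyed by column name.

    Everything before the header line (banner, Progress lines) is skipped,
    as are blank or truncated lines after it.
    """
    header, rows = None, []
    for line in text.splitlines():
        fields = line.split("\t")
        if header is None:
            if fields[0] == "PID":
                header = fields
            continue
        if len(fields) != len(header):
            continue
        rows.append(dict(zip(header, fields)))
    return rows


def process_identity(row):
    # PIDs are reused, so a PID alone is not a stable key for matching rows.
    return (row["PID"], row["ImageFileName"], row["CreateTime"])


def compare_process_views(pslist_text, psscan_text):
    """Return the processes psscan found that pslist's list walk did not."""
    listed = {process_identity(r) for r in parse_vol_table(pslist_text)}
    findings = {"hidden": [], "terminated": []}
    for row in parse_vol_table(psscan_text):
        if process_identity(row) in listed:
            continue
        # An exit time means the EPROCESS is stale, not unlinked on purpose.
        bucket = "terminated" if row["ExitTime"] != "N/A" else "hidden"
        findings[bucket].append((row["PID"], row["ImageFileName"]))
    return findings


if __name__ == "__main__":
    for kind, procs in compare_process_views(PSLIST_SAMPLE, PSSCAN_SAMPLE).items():
        for pid, name in procs:
            print(f"{kind:10} PID {pid:>6} {name}")
```

In practice, redirect `vol -f image.vmem windows.pslist.PsList` and `vol -f image.vmem windows.psscan.PsScan` to two files and pass their contents to compare_process_views; a "hidden" hit with no exit time is the one worth following up with pstree and cmdline.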

Network

# Scan for network connections and listening ports
vol -f image.vmem windows.netscan.NetScan

Files & Memory Dumping

# Scan for file objects in memory
vol -f image.vmem windows.filescan.FileScan | grep "filename"

# Dump files using various filters
vol -f image.vmem -o ./ windows.dumpfiles.DumpFiles --pid <PID>
vol -f image.vmem -o ./ windows.dumpfiles.DumpFiles --virtaddr <OFFSET>

# Dump process memory map
vol -f image.vmem -o ./ windows.memmap.Memmap --pid <PID> --dump

# Scan Master File Table (MFT)
vol -f image.vmem windows.mftscan.MFTScan

Useful Tips

# Combine with grep for quick searching
vol -f image.vmem windows.filescan.FileScan | grep -i "flag"

# Specify custom symbol path if needed
vol -s ~/ctf/symbolTables -f image.vmem windows.info.Info

trytodecrypt

abcdefghijklmnopqrstuvwxyz

easy Text 1

131017171A48221A1D170F

I just guessed and tested helloworld and got 131017171A221A1D170F.

Obviously, we need a space.

hello world

easy Text 2

4A3E374A4973483F3D3E4A

test abcdefghijklmnopqrstuvwxyz

get 3738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F50

z = 122 and P = 80 (the hex decodes to the ASCII string 789:;<=>?@ABCDEFGHIJKLMNOP), so the offset in the ASCII table is obviously 42.
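The guess-and-test above, written out as an added example for these notes (not part of the original). Both samples subtract a per-text key from each ASCII code. The space bytes (0x48 in Text 1, 0x73 in Text 2) only map back to 0x20 if values wrap at 125, so the modulus is an assumption inferred from those two bytes. The helper recovers the key from a known-plaintext crib the way the helloworld test does, and, when no crib is available, lists every key under which the whole text decrypts to printable ASCII.

```python
"""Shift-cipher key recovery for the two trytodecrypt samples (added example)."""

MODULUS = 125  # assumption: the only wrap that sends both space bytes back to 0x20

TEXT1 = "131017171A48221A1D170F"   # easy Text 1, as quoted in the notes
TEXT2 = "4A3E374A4973483F3D3E4A"   # easy Text 2, as quoted in the notes


def decrypt(hex_text, key, modulus=MODULUS):
    """Add `key` to every byte, wrapping at `modulus`, and return the text."""
    return "".join(chr((b + key) % modulus) for b in bytes.fromhex(hex_text))


def encrypt(plain, key, modulus=MODULUS):
    """Inverse of decrypt; reproduces the site's hex output for a chosen plaintext."""
    return bytes((ord(c) - key) % modulus for c in plain).hex().upper()


def recover_key(hex_text, crib, modulus=MODULUS):
    """Return the first key whose decryption starts with `crib`, else None."""
    for key in range(modulus):
        if decrypt(hex_text, key, modulus).startswith(crib):
            return key
    return None


def candidate_keys(hex_text, modulus=MODULUS):
    """Keys under which every character decrypts to printable ASCII (0x20..0x7E)."""
    return [
        key for key in range(modulus)
        if all(0x20 <= ord(c) <= 0x7E for c in decrypt(hex_text, key, modulus))
    ]


if __name__ == "__main__":
    key1 = recover_key(TEXT1, "hello")
    print("Text 1: key", key1, "->", decrypt(TEXT1, key1))
    print("Text 2: key 42 ->", decrypt(TEXT2, 42))
    print("printable candidates for Text 2:", candidate_keys(TEXT2))
```

encrypt("abcdefghijklmnopqrstuvwxyz", 42) reproduces the 3738...50 string from the alphabet test above, which is the quickest way to confirm the modulus guess against a new sample.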

A concise guide to common operations and tools within the Radare2 framework.


rax2 - Base Conversion

Used for converting between various numerical bases and formats.

Command Line

rax2 0x28       # Hex to decimal
rax2 40 # Decimal to hex
rax2 -h # Show help

Internal (within r2)

Use the ? command to evaluate expressions or convert values.

[0x00000000]> ? 0x28     # Convert 0x28 to all formats
[0x00000000]> ? 3+4 # Evaluate basic math


rabin2 - Binary Information

Extracts information from executable files (imports, exports, strings, etc.).

Common Commands

rabin2 -I file  # General binary info (arch, OS, bits, etc.)
rabin2 -z file # List strings in data sections
rabin2 -zz file # List strings in the entire binary
rabin2 -i file # List imports (linked libraries/functions)
rabin2 -e file # List entry points

radare2 (r2) - Core Interactive Tool

The main interface for disassembly, analysis, and debugging.

Startup

r2 -A file      # Open file and run analysis (aaa)
r2 -w file # Open file in write mode
r2 file # Open without any analysis

Seeking (s)

s 0x400500      # Seek to specific address
s main # Seek to 'main' symbol
s - # Seek back to previous location

Analysis (a)

aa              # Basic analysis
aaa # Full analysis (including functions and symbols)
afl # List all analyzed functions

Disassembly & Printing (p)

pdf             # Print Disassembly of current Function
pdf @ main # Print Disassembly of specific function
pd 10 # Print 10 lines of Disassembly
pD 32 # Print 32 bytes of Disassembly
px 64 # Print 64 bytes of Hexdump

Writing (w)

Note: Requires opening r2 with -w.

wx 909090       # Write hex bytes (NOPs)
wa nop # Assemble and write a single instruction

Visual Modes (v, V)

v               # Open visual panels
V # Enter visual mode
VV # Enter visual graph mode
v test # Load saved layout 'test'
v= test # Save current layout as 'test'

rasm2 - Assembler & Disassembler

Quickly assemble or disassemble instructions.

Usage

# Assemble an instruction (x86, 64-bit)
rasm2 -a x86 -b 64 "nop"

# Disassemble hex code (machine code)
rasm2 -a x86 -b 64 -d "90"

Useful Shortcuts (Internal)

  • ? - Show general help
  • V - Enter visual mode
  • VV - Enter visual graph mode
  • q - Exit current mode or r2

challenges

Game 01

Code Analysis

<%
str = Request("str")

If not str = "" Then
    result = Replace(str,"a","aad")
    result = Replace(result,"i","in")
    result1 = Mid(result,2,2)
    result2 = Mid(result,4,6)
    result = result1 & result2
    Response.write result
    If result = "admin" Then
        pw = "????????"
    End if
End if
%>
  1. Replace(str, "a", "aad"): replaces every 'a' with 'aad'.
  2. Replace(result, "i", "in"): replaces every 'i' with 'in'.
  3. Mid(result, 2, 2): extracts 2 characters starting at the 2nd character (Mid is 1-based).
  4. Mid(result, 4, 6): extracts up to 6 characters starting at the 4th character.
  5. The goal is to make the final concatenated result equal to "admin".

If we input ami:
  • a -> aad
  • i -> in
  • Intermediate result: aadmin
  • result1 = Mid("aadmin", 2, 2) = ad
  • result2 = Mid("aadmin", 4, 6) = min
  • result = ad + min = admin

ami
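To check the reasoning without the ASP page, here is an added Python re-implementation of the transform (not the challenge's own code). vb_mid is a helper written here to mirror VBScript's 1-based Mid(), and find_inputs brute-forces every short string over the letters of "admin" to confirm that ami is the only input that produces admin.

```python
"""Re-implementation of the Game 01 string transform (added example)."""
import itertools


def vb_mid(s, start, length):
    """Mirror VBScript Mid(): `start` is 1-based, result is at most `length` chars."""
    return s[start - 1:start - 1 + length]


def transform(user_input):
    """The server-side logic from the challenge, step for step."""
    result = user_input.replace("a", "aad")
    result = result.replace("i", "in")
    return vb_mid(result, 2, 2) + vb_mid(result, 4, 6)


def find_inputs(target="admin", alphabet="adimn", max_len=4):
    """All strings up to max_len over `alphabet` whose transform equals target."""
    hits = []
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            candidate = "".join(combo)
            if transform(candidate) == target:
                hits.append(candidate)
    return hits


if __name__ == "__main__":
    print(transform("ami"))   # admin
    print(find_inputs())      # ['ami']
```

The search comes back with a single hit because result must be exactly six characters long for Mid(result, 4, 6) to return "min", and the only way to get "ad" at positions 2-3 is the trailing "ad" of an expanded "aad".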

challenges

Game 02

Analysis

<script>
function chk_form() {
    var id = document.web02.id.value;
    var pw = document.web02.pw.value;
    if (id == pw) {
        alert("You can't join! Try again");
        document.web02.id.focus();
        document.web02.id.value = "";
        document.web02.pw.value = "";
    } else {
        document.web02.submit();
    }
}
</script>
<!-- Hint : Join / id = pw -->
<!-- M@de by 2theT0P -->

The script prevents the form from being submitted if the id is equal to the pw. However, the hint explicitly states that for the Join challenge, we need id = pw.

Bypass

Intercept the request with a proxy (like Burp Suite or Zaproxy) or use the browser's Network tab to replay a modified request.

id=admin&pw=admin

challenges

Game 03

http://suninatas.com/board/notice/write
1q2w3e4r5t6y7u8i9o0p

challenges

Game 04

Hint: Make your point to 50 & 'SuNiNaTaS'

Tool: ZAProxy

Initial Request

POST http://suninatas.com/challenge/web04/web04_ck.asp HTTP/1.1
host: suninatas.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
Origin: http://suninatas.com
Connection: keep-alive
Referer: http://suninatas.com/challenge/web04/web04.asp
Cookie: ASPSESSIONIDCCTSAAQT=ONMDDJIBNIEMHLLEJFNAAAOJ
Upgrade-Insecure-Requests: 1
Priority: u=0, i

total=0

Solution Steps

  1. Set fuzz location with numbers from 0 → 23
  2. Click plus in browser with the same cookie
  3. Receive alert: "I like the SuNiNaTaS browser!"
  4. Change User-Agent to include "SuNiNaTaS":

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:147.0) Gecko/20100101 SuNiNaTaS/147.0
Cookie: ASPSESSIONIDCCTSAAQT=ONMDDJIBNIEMHLLEJFNAAAOJ

total=25

  5. Fuzz again until points reach 50 (avoid overflow)

Response

<td class="table_top">
    <font size="2"><b>Auth key</b></font>
</td>
<td class="table_top">***********************</td>

challenges

Game 05

Concepts: JS Packer, JSObfuscator

Challenge Code

<input name="password" value="" style="width:180" />

<script>
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('g l=m o(\'0\',\'1\',\'2\',\'3\',\'4\',\'5\',\'6\',\'7\',\'8\',\'9\',\'a\',\'b\',\'c\',\'d\',\'e\',\'f\');p q(n){g h=\'\';g j=r;s(g i=t;i>0;){i-=4;g k=(n>>i)&u;v(!j||k!=0){j=w;h+=l[k]}}x(h==\'\'?\'0\':h)}',34,34,'||||||||||||||||var|result||start|digit|digitArray|new||Array|function|PASS|true|for|32|0xf|if|false|return'.split('|'),0,{}))
</script>

<script>
function init() {
    document.frm.password.value = "";
    document.frm.password.focus();
}
</script>

Deobfuscated Code

var digitArray = new Array(
    "0",
    "1",
    "2",
    "3",
    "4",
    "5",
    "6",
    "7",
    "8",
    "9",
    "a",
    "b",
    "c",
    "d",
    "e",
    "f",
);

function PASS(n) {
    var result = "";
    var start = true;
    for (var i = 32; i > 0; ) {
        i -= 4;
        var digit = (n >> i) & 0xf;
        if (!start || digit != 0) {
            start = false;
            result += digitArray[digit];
        }
    }
    return result == "" ? "0" : result;
}

Solution

Convert the hint using the PASS() function:

PASS(12342046413275659);
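PASS() only gives the expected answer inside a JavaScript engine: the literal 12342046413275659 is above 2^53, so it is first rounded to the nearest double, and `>>` then reduces its operand to a signed 32-bit integer before shifting. A port into a language with arbitrary-precision integers that skips those two steps returns a different string. The following added Python example (not code from the challenge) emulates both steps so the result matches a browser console, and shows the naive port beside it for comparison.

```python
"""Port of the Game 05 PASS() with JavaScript number semantics (added example)."""

DIGITS = "0123456789abcdef"


def to_int32(number):
    """Emulate what JavaScript does to a Number before a bitwise operator."""
    as_double = float(number)            # literal becomes the nearest double (ties-to-even)
    low32 = int(as_double) % (1 << 32)   # ToInt32: truncate toward zero, keep 32 bits
    return low32 - (1 << 32) if low32 >= (1 << 31) else low32


def pass_core(n):
    """The loop from the deobfuscated PASS(), unchanged."""
    result, start = "", True
    i = 32
    while i > 0:
        i -= 4
        digit = (n >> i) & 0xF           # Python's >> is arithmetic as well, matching JS
        if not start or digit != 0:
            start = False
            result += DIGITS[digit]
    return result if result else "0"


def pass_js(n):
    """PASS() as a browser evaluates it."""
    return pass_core(to_int32(n))


def pass_naive(n):
    """PASS() applied to the exact integer: what a careless port computes."""
    return pass_core(n)


if __name__ == "__main__":
    hint = 12342046413275659
    print("JavaScript semantics:", pass_js(hint))
    print("naive port:          ", pass_naive(hint))
```

The two outputs differ in the last nibble, which is exactly the double-rounding effect: 12342046413275659 is odd and sits halfway between two representable doubles, and ties-to-even picks the larger one. If a rewrite of a client-side hash or encoder ever disagrees with the browser, this int32-and-double path is the first thing to check.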