Wargames on System Overlord

Useful ARM References

david@systemoverlord.com (David Tomaschik) — Tue, 21 Mar 2017 00:00:00 +0000

I started playing the excellent IOARM wargame on netgarage. No, don’t be expecting spoilers, hints, or walk-throughs, I’m not that kind of guy. This is merely a list of interesting reading I’ve discovered to help me understand the ARM architecture and ARM assembly.

Docker containers for cross-compilation
ARMwiki
ARM Syscalls (I’m not sure why they all seem to have +0x900000 to their value, you certainly don’t use them that way.)
ARM Assembly System Calls (This is part of a bigger series that looks excellent at a glance.)
Shellcode on ARM architecture
Syscall.tbl for ARM (Use with the w3challs.com version to see arguments used.)
Calling Conventions
GDB with User-Mode QEMU

SANS Holiday Hack Challenge 2016

david@systemoverlord.com (David Tomaschik) — Thu, 05 Jan 2017 00:00:00 +0000

Table of Contents {:toc}

Introduction

This is my second time playing the SANS holiday hack challenge. It was a lot of fun, and probably took me about 8-10 hours over a period of 2-3 days, not including this writeup. Ironically, this writeup took me longer than actually completing the challenge – which brings me to a note about some of the examples in the writeup. Please ignore any dates or timelines you might see in screengrabs and other notes – I was so engrossed in playing that I did a terrible job of documenting as I went along, so a lot of these I went back and did a 2nd time (of course, knowing the solution made it a bit easier) so I could provide the quality of writeup I was hoping to.

Most importantly, a huge shout out to all the SANS Counter Hack guys – I can only imagine how much work goes into building an educational game like this and making the challenges realistic and engrossing. I’ve built wargames & similar apps for work, but never had to build them into a story – let across a story that spans multiple years. I tip my hat to their dedication and success!

(Slightly) Securing Wargame Servers

david@systemoverlord.com (David Tomaschik) — Sun, 21 Aug 2016 00:00:00 +0000

I was setting up some wargame boxes for a private group and wanted to reduce the risk of malfeasence/abuse from these boxes. One option, used by many public wargames, is locking down the firewall. While that’s a great start, I decided to go one step further and prevent directly logging in as the wargame users, requiring that the users of my private wargames have their own accounts.

Step 1: Setup the Private Accounts

This is pretty straightforward: create a group for these users that can SSH directly in, create their accounts, and setup their public keys.

printf Format String Exploitation

david@systemoverlord.com (David Tomaschik) — Wed, 12 Feb 2014 07:16:01 +0000

The format string in a printf statement is responsible for significant flow control within the program, and, if attacker-controlled, can be used to exploit the application in various ways. Specifically, an attacker can read and write arbitrary memory.

Reading memory can be accomplished through the usual operators, and the GNU extension of %<x>$ allows you to jump through the stack to arbitrary positions (as a multiple of the addressing size, anyway). The %n format specifier allows to write to a memory address: the address at that point on the stack is taken as an int *, and the number of bytes output so far will be written to the address. So this allows us to write a value by outputting the number of bytes for the value we want to write.