PWNCOLLEGE SHH: ssh -i key hacker@dojo.pwn.college
Protocols
Protocols are used by websites to communicate with internet and the world wide web. We use different
protocols such as HTTP, TCP/IP, IMAP, POP3 etc.
HTTP: Websites used HTTP requests to communicate with websites. It consists of headers, which show
us how the website communicates.
We can interact with websites using a tool like curl. Curl allows us to send, receive and update HTTP
requests.
Different types of requests: GET, PUT, POST, HEAD.
GET: Helps us retrieve data from web server/website
POST: Helps us put data on a website/web server
HEAD: Helps us retrieve the various HTTP headers/like GET but without data
PUT: Helps us change uploaded data on a web server/website.
NOTE: You can use GET and HEAD from almost all websites if they are public/authorized. If they are not
authorized, the headers are still returned but with the code 4XX or 5XX. You cannot POST to all websites.
Websites which have forms/user input information usually allow POST requests.
HTTP is a stateless request. This means that they do not collect data from the previous requests.
Example: If you login to your twitter account, the new website which loads will not remember your
userID and password. This is why use cookies through HTTP requests. Use curl -vI website to see
set_cookies. c
(See commands below)
Always remember that when on web server, the localhost is the main server. It is also known as
127.0.0.1, port 80, OR just localhost.
Curl commands:
COMMAND
curl {website}
curl -o {destination_file} {website}
curl -v {website}
curl -L website
curl -i website
curl -I website/ curl –head website
curl -O website
curl -O --limit-rate 100B
curl --data {content in html/json format}
website/curl -X --data {content in html/json
format} website
DESCRIPTION
GET request
Writes contents of website to destination file
Prints how a website communicates.
Redirects to new website
Gives header and website (in form of html/json)
Gives only HTTP headers
Download images
Download images at provided rate
POST request. For any other request except GET,
using -X is encouraged. -X is position dependent.
curl -X PUT –data {content in html/json format}
website
curl -X DELETE {website}
curl -u id:password {website}
curl Wikipedia.com/[1-100].html
PUT request
DELETE request. Always returns empty string.
Securely connects you to the website.
URL Globbing. Search for multiple files with same
host name.
Examples :
curl -I example.com :
HEADERS: METADATA ABOUT HOW HTTP COMMUNICATES
TYPES : REQUEST HEADER, RESPONSE HEADER, REPRESENTATION HEADER
ASSEMBLY
Computer Architecture: We write programs in languages we understand, such as Python, Java, C etc.
But these languages are processed/compiled by compilers/interpreters into assembly which are passed
on the CPU. The CPU sends instructions in assembly, which is then displayed as output.
Design of CPU: The CPU consists of 4 main parts: Registers, Cache, CU and the ALU. The CPU is divided
into cores, which basically divide tasks. More cores means the tasks are divided into different parts,
thereby increasing the speed of execution.
Parts:
ALU: Does arithmetic functions such as invert, add, and, carry in.
Register: Stores whatever signal is provided.
Cache: Temporary memory. Instead of accessing the RAM, the system can get data from cache memory
quicker.
Design of a register:
A register is a hardware component used to store data. The amount of storage it has depends on your
system build (32 or 64 bit). We generally talk about 64 bits, because they are more widely used. Each
register can store up to 64 bits which is 8 bytes (each of 8 bits). We can use specific commands to access
specific bits of a register.
This is a register of 8 bytes/64 bits.
01011010
|
MSB
63
11110000
10101010
01110111
10000100
10000000
11111111
10011010
|
LSB
0
Types of Registers:
In a 64-bit system, there are 16 registers – 8 32-bit registers and 8 64-bit registers.
AX - Accumulator register. Used for arithmetic ops.
CX – Counter register. Used as a counter, to shift and rotate operations.
DX – Data Register. Used to hold data from the RAM.
BX – Base Register. Used to hold addresses and indices.
SP – Stack Pointer. Points to the top a stack.
BP – Base Pointer. Points to the base of the stack.
SI – Source Index Register. Used to process strings and arrays. Points towards a source array.
DI- Destination Index Register. Used to process strings and arrays. Points to the destination
where data is to be moved.
These are each 16-bit registers. E## refers to the 32-bit registers. R## refers to the 64-bit registers.
Loading registers:
We use mov command to load data into register.
Syntax: mov REGISTER_NAME DATA.
The data is always hexadecimal i.e., 4 bits. We can also move data between two registers. But this
copies instead of deleting old values.
SYNTAX: mov REGISTER_1 REGISTER_2.
Both registers must have the same size. Also, if we move a certain value in eax or lower bit registers, the
leftmost bits are zeroed out.
Example- mov eax -1 will result in register set to 0x00000000ffffffff.
Extending data: Consider the above data. If we wanted to set the entire register to a negative value
using a lower bit command such as eax, we can use movsx.
SYNTAX: movsx REGISTER_NAME DATA
Arithmetic Operations:
add REGISTER_1 REGISTER_2
sub REGISTER_1 REGISTER_2
imul REGISTER_1 REGISTER_2
inc REGISTER
dec REGISTER
neg REGISTER
not REGISTER
and REGISTER REGISTER
or REGISTER REGISTER
xor REGISTER REGISTER
shl REGISTER DATA – shifts register’s bits left by DATA, and filling DATA new spaces with 0.
shr REGISTER DATA
sar REGISTER DATA – same as shr, but with sign extension. (similar to movsx)
ror REGISTER DATA – rotates the bits of register by DATA
rol REGISTER DATA
To use any arithmetic operations with registers, you have to move each value into a register first. For
example, if you want to do the following equation: m*x + b, you write the following code
Move first register into rax and use div register2 on it – mov rax, rsi; div rdi. This code sets rax to
rsi/rdi.
Next, add rdx to rax – add rax, rdx.
MODULUS Operation
In registers, quotients are rounded of. 10/3 = 3 instead of 3.33. The modulus i.e the remainder
which is 1 in this case, is stored in some other register, which you need to move through the
following code: mov rax, rdi; div rsi. Use int3 to check the register where modulus is stored, say
rdx, and move that to rax.
/challenge/embryoasm: lv6 – It says that we have to compute the following:
rax = rdi modulo 256
rbx = rsi modulo 65536
rdi and rsi are set to random hex values
Solution: As said above, for any operation, we need to move values from one register to other register.
For this question, if we notice, 256 is 162 and 65536 is 164. Converting hex to decimal values, 256
acts like 100, and 65536 acts like 10000. We know that x/10n returns us the nth last digit. That’s
what we do here.
rax stores the last 2 digits and rbx stores the last 4 digits. Take any two free registers say rcx and
rdx. Use mov rcx, rax and mov rdx, rbx. Now, use partial registers to access the last n digits. Last
2 digits mean 2 bits in hex i.e given by the #l register. Similarly, last 4 digits are given by #x.
Move #x/#l to al and bx. The code looks like following:
p.write(pwn.asm("""
...: mov rcx, rdi
...: mov al, cl
...: mov rdx, rsi
...: mov bx, dx
...: """
...: ))
[]: Use [] to move contents of x to y. For example, mov rax, [0x232322] moves contents at address at
inside[] to rax. Similarly, mov [0x232322], rax would move the contents at rax to the address 0x232322.
Functions: byte, word, dword, qword. Use mov rax, byte/word/dword/qword [0x###] to move certain
bytes.
/challenge/embryoasm: lv14: Replace first element of stack rax with first element of rdi
Solution: We can do this easily using pop, push and sub. The line sub rax, rdi, will return rdi only with the
fist element. Then use pop rax, and then push rax.
