I wanted to write a post after two years at college about everything I had learned. I didn’t, firstly because I didn’t make it a priority, and secondly because trying to write about everything I’ve learned at MIT over any nontrivial length of time is the kind of poorly scoped endeavor that I could never complete to my own satisfaction.
Two years came and went, and now it’s been two more years and I’ve learned even more things, not to mention, actually graduated. Jeez. I tried to self-impose a deadline for the big post, but it didn’t work out. There were still too many higher priorities, most of which were also natural consequences of graduating. I also couldn’t bring myself to cut anything, because unlike most of the stuff I haphazardly throw onto this blog, I can actually imagine an audience for just about everything I wanted to write about.
Finally I decided that I would break it into lots of small posts on specific topics. This way, at least the perfectionism can’t bleed between posts too much. The first topic I wanted to write about is simple, mundane, and also fairly limited in scope itself: how to choose your MIT username.
In this challenge, we get a gzipped file called perf.data and a minimal description of an environment. Googling this reveals that perf.data is a record format of the perf tool, a Linux profiler. Installing perf allows us to read perf.data and see some pretty interactive tables of statistics in our terminal describing the profiling results, from which we can see some libraries and addresses being called, but they don’t reveal much about what’s going on. One hacky way to see more of the underlying data in a more human-readable way (and to see just how much of it there is) is perf report -D, which dumps the raw data in an ASCII format, but this is still not that useful. (One might hope that one could simply grep for the flag in this big text dump, but it’s nowhere to be seen.) Still, from this file, we can definitely read off all the exact library versions that the perf record was run against.
I put this question in my FAQ, because at least two people have asked me this question, and that’s how frequent a question needs to be to be on my FAQ: I got an IMO gold medal in 2012, as a ninth grader, and an IOI gold medal in 2014, as an eleventh grader. I could have kept going to either, or even decided to try taking the IPhO or something, but I didn’t. Why not?
The short answer: It was a rough utilitarian calculation. By continuing, I would probably displace somebody else who would gain more from being on an IMO/IOI team than I would. Besides, I wanted to do other things in high school, so I wasn’t losing much.
I think the short answer actually captures most of my thinking when I made the decision back then, and it’s not really new; I said as much at the end of 2013. But behind it was a lot of complex thoughts and feelings that I’ve been ruminating over and trying to put into words for the better part of a decade. Hence, this post.
There is a natural question that precedes the frequently asked one that I have never been asked, something I am now realizing I never honestly asked myself and never tried to answer deeply: Why did I participate in the IMO and the IOI in the first place?
I was pretty torn between this and “The Future Soon” as the Year-End Song on this blog, but in the end I think I feel more threatened by the bland existence of the soulless adult than inspired by the starry-eyed-idealism-with-misogynist-undertones of the twelve-year-old, plus I get to show you the best kinetic typography video I have ever seen.
Halfway through 2018 I thought this would be the year of ephemeral phases. I felt like I went through a different phase every month — Online Dominion in April, crosswords in June, Only Connect in July, Jonathan Coulton in August, a brief stint of trying really hard to barre my guitar chords in October. Somewhere in the middle, I discovered Kittens Game (“the Dark Souls of Incremental Gaming”) and my summer internship mentor got me to pick up Pokémon Go again. A few intense periods of typographical study were interspersed, which involved watching the above music video dozens of times, teaching a Splash class on typography, and developing a new awareness of how Avenir was everywhere. During the last month, I went hard on Advent of Code and got second place, apparently the only person to make it on every single leaderboard. I also did a related golf side contest and poured a couple more hours into Paradoc, my personal golfing language, for rather unclear gain. At least I got a lot of GitHub followers?
It would turn out, though, that a lot of these phases had more staying power than I expected. Pokémon Go is a much better game than it was two years ago and has actually fostered a significant real-life community, which seems like one of the best possible outcomes of an augmented reality game, and I’ve found a steady pace to play at. I spread the Only Connect bug and people on my hall, intrigued by the format but annoyed by the overwhelmingly British trivia, started writing and hosting full games for each other, with our own MIT-slanted set of trivia. One of us developed a custom site and tool to host these games. It took me a while to warm up to Jonathan Coulton’s latest album, but since it happened, I cannot get Ordinary Man or Sunshine out of my head; I’m still listening to JoCo as I finish typing up this post. Although I never got back to the peak of my crossword frenzy, I still study crosswordese from time to time and compose crosswords for some special occasions, like this one (.puz file).
The academics and technical aspects of this year have all blurred together, but I think my interests are finally crystallizing:
A more accurate but less informative title for this post would be “How I wish React and Redux were explained to me”. Note that this does not imply that this method of explanation is suitable for anybody else. I suspect it won’t be for most people.
So here’s the guide I wish I had. I think. It’s been months since I started it (as usual, for posts on this blog) and it is probably incomplete. However, I haven’t written React/Redux deeply in a while, so I didn’t have much motivation to continue to investigate the incomplete bits; and the perfect is the enemy of the good, so here it is.
We’ve burrowed ourselves deep within the facility, gaining access to the programmable logic controllers (PLC) that drive their nuclear enrichment centrifuges. Kinetic damage is necessary; we need you to neutralize these machines.
A much belated post. This is a pwn challenge on a custom online wargaming platform. We are provided with the assembly of what’s ostensibly a programmable logic controller (PLC) for a centrifuge in a nuclear reactor. The challenge looks like it’s still up, so you can take a look and follow along.
This was the first ROP (okay, spoiler, it’s a ROP) I ever pulled off live during an actual CTF, which I was pretty excited about. The web platform meant I had to worry less about setup, and even though some of the tools it provided were a little lacking (no gdb shortcuts like until, no pwntools utilities for packing/unpacking numbers, … no one_gadget), I think they ultimately made the whole thing a lot more educational for me, so kudos to the folks behind it. I’ve included a brief description of all the exploit techniques that lead up to ROP when we get to that, so hopefully this post will be useful even if you don’t know much about pwning binaries. The prerequisites would be some knowledge of x86 assembly, how executables are loaded into memory, and how to use gdb (or fictionalized web knockoffs thereof).
The villains are communicating with their own proprietary file format. Figure out what it is.
$ nc proprietary.ctfcompetition.com 1337
We get a server that will talk to us on a port and a flag.ctf file that’s definitely not a binary. It’s a black-box reversing challenge! I was @-mentioned as the person who might want to try it, on account of having solved bananaScript (CSAW CTF Quals 2017) as a black box, although that challenge gave a binary that it was possible in theory to reverse. Here black-box reversing is the only option.
For the first few lines of input that the server wants, it responds with quite helpful error messages to help you appease it. If the first line you give it is not P6, it complains:
You discover this cat enthusiast chat app, but the annoying thing about it is that you’re always banned when you start talking about dogs. Maybe if you would somehow get to know the admin’s password, you could fix that.
This challenge is a simple chat app written in NodeJS. The home page redirects you to a chat room labeled with a random UUID. Anybody can join the same chat room with the URL.
In a chat room, you can chat and issue two commands, /name to set your name and /report to report that somebody is talking about dogs. After anybody in the chat room issues /report, the admin shows up, listens for a while, and bans anybody who mentions the word “dog”.
There are two more commands, /secret and /ban, which are in the server source code and also described in comments in the HTML source if you didn’t notice:
You stumbled upon someone’s “JS Safe” on the web. It’s a simple HTML file that can store secrets in the browser’s localStorage. This means that you won’t be able to extract any secret from it (the secrets are on the computer of the owner), but it looks like it was hand-crafted to work only with the password of the owner…
The hardest challenge of not very many I solved in this CTF. What a struggle! I have a long way to improve. It was pretty fun though. (I solved “You Already Know”, and got the essence of “ghettohackers: Throwback”, but didn’t guess the right flag format and believe I was asleep when they released the hint about it.)
The challenge consists of a simple PHP script that opens a MySQL connection and then feeds our input into a custom PHP extension shellme.so.
The extension basically just executes $_POST['shell'] as shellcode after a strict SECCOMP call, prctl(22, 1). This means that we can only use the four syscalls read, write, exit, and sigreturn, where the latter two aren’t particularly useful.
The goal is to read the flag from the open MySQL connection.