Welcome to Class - 2010 style
I want to welcome everyone to class this year, hopefully we'll have fun!
Well…it's been a while since I updated.
In the final sprint before Shmoocon I spent most of the time awake, not asleep. Multiple all-nighters and many nights with minimal sleep were required to get the project finished up. In that time I had to upgrade and convert the RouterStation and the Fon 2.0 beta up to speed. Figuring out the memory map, installing OpenWrt, upgrading the kernels, upgrading the packages, compiling perl and perl::deviceserial, installing python and pyserial…on top of helping everyone else. The last week was such a blur. I also had my tech writing course to complete, which was a pain. In the end we ended up pulling an all-nighter before Shmoocon. This came back to bite me in the ass as I passed out Friday night. The results of Thursday night to Friday morning were quite impressive. What we were able to do was successfully get the whole system up, assembled, and installed into the shell of an old PlayStation. That one was cuddles' idea. I came up with the idea of using an old Nintendo and some controllers as the source of connectors for rob3ar's tripwires. Overall the night was an adventure full of coffee, doughnuts, pizza, and lots of sweat.
Shmoocon
Shmoocon was an absolute blast. I had more fun than I thought. It felt almost completely different from DEFCON. I missed the HHV from DEFCON but soon found I wouldn't have had time for it. I found myself spending the first half of the con working on our actual presentation. Yep, that's right: at 3:20pm on Saturday we were racing to make it to our 4pm talk. That's why I think our talk was considered so “disjointed”, as many put it. Overall the talk went well and nothing could compare to the humor that was added by honcho's graphics. If you haven't seen the presentation please check it out, if only for that portion.
After the presentation I grabbed some food and headed off to the Hack or Halo competition. kil0hertz and I decided to team up and take on the best the Shmoo crew had to offer. The first task was to gain physical access to the “building”. While kil0hertz went after the lock, I stole his Shmoo Labs pass and called the receptionist pretending to be Bruce Potter of the Shmoo Group, there to repair their internet. I quickly made it in. kil0hertz passed off the lock to c0re, who had the thing open in no time. Cha-ching! Points on the board! Woohoo!
After gaining physical access we hopped on the network. We proceeded to connect to the SSH server they gave us while performing a scan of the 10.0.0.0/16 network. We poked around the server and didn't find much use for it. We knew it had access to the 172.16.0.0/16 network but weren't sure what they expected us to do. Break the VLAN? That's what I heard the RTI crew scream. Hmm…screw that, let's try a hunch:
route add default gw 10.0.0.30
BINGO! Packets were routing through the “access” server and soon the scan of 172.16.0.0/16 was underway. We submitted the 10.0.0.0/16 scan and the 172.16.0.0/16 scan and continued on. We quickly found the trap server and also submitted that. Moving on to the web applications…
There was some sort of web server running on (IIRC) 10.0.0.22. It was hosting a very colorful CGI script which provided access to the company's internals. You had to obtain access to this page by attempting to create an account. We did this by crafting an email to the secretary stating something along the lines of:
Due to recent server upgrades, it was necessary for us to perform an upgrade of the password database. In order to have your password upgraded to the new format please click <a href="http://10.0.0.22/script.cgi?username=repairman?password=shmoocrew">here</a> to do so.
Now some of the specifics are wrong because I can't remember the syntax and we were using kil0hertz's laptop. Basically the registration script required you to be a secretary, so you had to convince the secretary to click the link. Now, if you submitted it yourself, the script would return three variables: username, password, and admin. I tried messing with the admin=false field to no avail. What I forgot was to set admin=true in the email. Our account was created and we were greeted with “YOU ARE NOT AN ADMIN!”, so we created a new account fixing our mistake. At this point we were 2nd out of 60!! WOW! GO US! We tried directory traversal and couldn't figure it out.
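As an added illustration of why that admin=true trick worked (example code written for this page, not the Shmoo crew's CGI script): a registration handler modelled on the description above, beside one that decides the privilege level on the server and refuses a plain link click. The session dict, the CSRF token, the account store and the emailed query string are constructed stand-ins.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs

# Constructed in-memory account store standing in for the CTF's database.
ACCOUNTS = {}


def parse_params(query_string):
    """Flatten parse_qs output to single values. The link quoted in the write-up
    chains its parameters with '?'; parse_qs needs '&' between pairs."""
    return {k: v[0] for k, v in parse_qs(query_string).items()}


def register_vulnerable(method, query_string, session):
    """Models the CTF registration script as described: a secretary's click on a
    link creates the account and the client-supplied admin field is copied straight
    into the record. The method is never checked, so an emailed GET link works."""
    if session.get("role") != "secretary":
        return "denied: not a secretary"
    p = parse_params(query_string)
    ACCOUNTS[p["username"]] = {
        "password": p["password"],  # stored in the clear, as a demo script might
        "admin": p.get("admin", "false").lower() == "true",
    }
    return "created"


def register_hardened(method, body, session, form_token):
    """Same flow with three fixes: state changes only on POST, a per-session CSRF
    token that an emailed link cannot know, and the privilege level decided by the
    server. Whatever 'admin' value the request carries is ignored."""
    if method != "POST":
        return "denied: registration must be a POST"
    token = session.get("csrf")
    if not token or not hmac.compare_digest(form_token, token):
        return "denied: bad CSRF token"
    if session.get("role") != "secretary":
        return "denied: not a secretary"
    p = parse_params(body)
    salt = os.urandom(16)
    ACCOUNTS[p["username"]] = {
        "salt": salt,
        "password_hash": hashlib.pbkdf2_hmac("sha256", p["password"].encode(), salt, 200_000),
        "admin": False,  # new accounts are never privileged; promotion is a separate admin-only action
    }
    return "created"


if __name__ == "__main__":
    secretary = {"role": "secretary", "csrf": "constructed-session-token"}
    link = "username=repairman&password=shmoocrew&admin=true"  # the emailed link, constructed
    print("vulnerable:", register_vulnerable("GET", link, secretary), ACCOUNTS["repairman"]["admin"])
    print("hardened GET:", register_hardened("GET", link, secretary, ""))
    print("hardened POST:", register_hardened("POST", link, secretary, secretary["csrf"]),
          ACCOUNTS["repairman"]["admin"])
```

The point of the hardened version is that the secretary's click is not enough on its own: the request has to come from a form the secretary's own session rendered (the token), and even then the server sets the role, so a forged admin=true changes nothing.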
More to come later as it's 1:40am and I have class in the morning…
May it heal quicker than hal0's pride and spirit.
New crime to report in Evan's Hall: Attempted Rape/Assault/Broken Toe…
Cleaning up data is a pain. grungy may have imported it into a CSV and all, but cleaning up this data is such a pain. I've spent several hours and managed to eliminate over 200 unique entries! That only leaves…~1770 to go!
Lots of work needs to be done on this. Hopefully grungy and surfingcat get some of the work done too…
Here is an example query which highlights the dilemma with the data:
mysql> select locationClean from rawdata where (locationClean like "%rodney%")
    -> group by locationClean;
+------------------------------------+
| locationClean                      |
+------------------------------------+
| Rodney A                           |
| Rodney A and B                     |
| Rodney A and B Bike Racks          |
| Rodney A and B Breezeway           |
| Rodney A and B Commons             |
| Rodney A and B Commons (bike rack) |
| Rodney A and B Drive               |
| Rodney A and B Firelane            |
| Rodney and Dickinson Walkway       |
| Rodney B                           |
| Rodney B (parking spaces outside)  |
| Rodney B Courtyard                 |
| Rodney Basketball Courts           |
| Rodney BB Courts                   |
| Rodney C                           |
| Rodney C (bike rack)               |
| Rodney C and D                     |
| Rodney C and D Commons             |
| Rodney Complex                     |
| Rodney Courtyard                   |
| Rodney D                           |
| Rodney DH (bike rack)              |
| Rodney DH Bike Rack                |
| Rodney Dining Hall                 |
| Rodney Dining Hall (bike rack)     |
| Rodney Dining Hall (roof)          |
| Rodney Dining Hall Loading Dock    |
| Rodney Drive                       |
| Rodney E                           |
| Rodney E (bike rack)               |
| Rodney E and F                     |
| Rodney E and F Bike Rack           |
| Rodney E and F Breezeway           |
| Rodney E and F Commons             |
| Rodney E and F Commons lot         |
| Rodney E and F Drive               |
| Rodney E and F Firelane            |
| Rodney F                           |
| Rodney F (bike rack)               |
| Rodney F Bike Rack                 |
| Rodney F Bike Racks                |
| Rodney F Lounge                    |
| Rodney Fire Lane                   |
| Rodney Hall B                      |
| Rodney Hall E                      |
| Rodney Lot #11                     |
| Rodney Market                      |
| Rodney Market (exterior)           |
| Rodney Market Walkway              |
| Rodney Meter Lot                   |
| Rodney Overpass                    |
| Rodney Quad                        |
| Rodney Recreation Courts           |
| Rodney Recreational Area           |
| Rodney Tennis Courts               |
| Rodney Underpass                   |
| Rodney/Dickinson/Gilbert           |
+------------------------------------+
57 rows in set (0.03 sec)
That's right…57 unique hits JUST for Rodney! It will be a pain. Things like roads make up a huge chunk and they are not as bad to deal with. The problem is going to be just cleaning up the nonsense. Bah! Aspell time, mayhaps? The other problem is things like this:
| West Park and South College Avenue |
| West Park Place and Apple Road     |
I'm sure you see the fun here. I am hoping that we can create an algorithm to build a special table for streets and then sort them uniquely by their street name. Then we could find spelling errors quickly. Fun stuff! Time for bed!
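A sketch of that cleanup, added here as an example and not code from the original post or from grungy's import: it collapses spelling variants like "Rodney DH (bike rack)" and "Rodney DH Bike Rack" onto one key, builds the separate street table from the "X and Y" entries, and flags near-identical street names as suspected typos. The location list and the "Collge" misspelling are constructed from the query output above; the abbreviation table and the 0.9 similarity threshold are my assumptions.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample of locationClean values, modelled on the query output above
# (the "Collge" typo and the abbreviated street entries are made up for the demo).
RAW_LOCATIONS = [
    "Rodney DH (bike rack)",
    "Rodney DH Bike Rack",
    "Rodney Dining Hall (bike rack)",
    "Rodney Basketball Courts",
    "Rodney BB Courts",
    "Rodney F Bike Rack",
    "Rodney F Bike Racks",
    "Rodney Fire Lane",
    "Rodney E and F Firelane",
    "West Park and South College Avenue",
    "West Park Place and Apple Road",
    "West Park Pl and Apple Rd",
    "West Park and South Collge Avenue",
]

# Assumed abbreviation table; extend it as the real data reveals more shorthand.
ABBREVIATIONS = {"dh": "dining hall", "bb": "basketball", "pl": "place",
                 "rd": "road", "ave": "avenue", "st": "street"}
STREET_WORD = re.compile(r"\b(avenue|road|street|place|ave|rd|st|pl)\b")


def normalize(location):
    """Canonical key for a location string: lower-case, fold "(bike rack)" style
    qualifiers into plain words, expand abbreviations, singularise 'racks'."""
    s = location.lower()
    s = re.sub(r"\s*\(([^)]*)\)", r" \1", s)      # "(bike rack)" -> " bike rack"
    s = re.sub(r"[^a-z0-9/# ]", " ", s)           # drop stray punctuation
    s = re.sub(r"\bfirelane\b", "fire lane", s)
    s = " ".join(ABBREVIATIONS.get(tok, tok) for tok in s.split())
    s = re.sub(r"\bracks\b", "rack", s)
    return re.sub(r"\s+", " ", s).strip()


def group_variants(locations):
    """Map each canonical key to the raw spellings that collapse onto it; only keys
    with more than one spelling are returned, since those are the merge candidates."""
    groups = defaultdict(list)
    for loc in locations:
        groups[normalize(loc)].append(loc)
    return {key: raws for key, raws in groups.items() if len(raws) > 1}


def split_streets(location):
    """Break an intersection-style entry ("X and Y") into its component streets."""
    return [part for part in re.split(r"\s+and\s+", normalize(location)) if part]


def street_table(locations):
    """The separate street table the post proposes: every distinct street name that
    appears in an 'A and B' entry containing a street word, sorted for review."""
    streets = set()
    for loc in locations:
        if " and " in loc.lower() and STREET_WORD.search(loc.lower()):
            streets.update(split_streets(loc))
    return sorted(streets)


def suspected_misspellings(names, threshold=0.9):
    """Pairs of street names that are near-identical but not equal: likely typos.
    The threshold is an assumption; 0.9 separates 'collge'/'college' from genuinely
    different streets such as 'west park' and 'west park place' in this sample."""
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ratio = SequenceMatcher(None, a, b).ratio()
            if threshold <= ratio < 1.0:
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    for key, raws in group_variants(RAW_LOCATIONS).items():
        print(f"{key!r} <- {raws}")
    streets = street_table(RAW_LOCATIONS)
    print("streets:", streets)
    print("suspected typos:", suspected_misspellings(streets))
```

Note that "West Park" and "West Park Place" survive as two streets: the normaliser only merges what the abbreviation table says is the same thing, and the similarity check stays below the threshold for them, so deciding whether they are one street is left to a human rather than silently merged.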
Status updates:
As for me:
Oh the horror! Oh the glory! User Services is not taking prisoners! The chest of money is running low and the clock is ticking away. Will we make it?! I'll say one thing: it's 4:53 AM EST and I'm posting on a freakin' blog. What does that tell you about my opinion and commitment on the subject. Nice to see the lab full up tonight. Let's see it happen more often!
Let us all continue on this Death March to Bataan Shmoocon!