Skip to main content

20 posts tagged with "Cyber Security"

View All Tags

· 8 min read

Preamble

At this point, I think it's no secret that Winamp going "open-source" has been a bit of a shit-show.

The initial outrage on the repository was in response to the apparent lack of understanding of what open-source means on the side of Winamp, as they claim that their license is "copyleft", while allowing for neither redistribution of modified versions, nor contributions to the official project, and initially not even allowing forking! Someone did point it out to them that they can't ban forking on GitHub, as that constitutes a violation of the TOS. So, Winamp updated their license to allow forking, but it still doesn't allow anything else that would constitute "open-source" - redistribution or even outside contributions.

A truly historic moment, ladies and gentlemen :)

In objective terms, this license falls in the category of "source-available" rather than open-source, and this is an important distinction to make. I have no problem with Winamp making their source available as a valuable case-study, but they really shouldn't have used the term "copyleft" if that is the intention.

But we're here to discuss more so another glaring issue with the repository, which might actually end up landing a lawsuit at Winamp's doors. And sadly, they can't really do anything about it anymore.

A rough overview of GitHub

In its simplest form, GitHub can be described as a web-hosted git server for the public. As a developer interested in open-source, you can create a git repository, write some incredible code that you AND your mum are really proud of, and share it with the world on GitHub, so everyone can appreciate your contribution to the democratisation of programming.

But GitHub is more than simply a place to host your git repository. It is also a collaboration platform, where anyone who feels like they like your code, and would like to change it until they love it, can "fork" your repository. Forking is in fact not a more aggressive version of spooning, but simply the act of making a clone of the original repository in your account. This forked repository contains all the history of the original - all the code, and all the commits that came before the fork.

Back to the beauty that is the Winamp GitHub repo

If you were to peruse the code on the Winamp repository in the first few days after its publishing, you would have noticed some very intriguing things. For example, a BuildTools directory which included things like whole executable files the 7zip, git, and other programs just hanging around, designated as "build tools". And although very odd indeed, these things seem more so stupid than harmful.

But there's much more there! Inside the repo there was proprietary code from Dolby, some questionable SDKs which Winamp may or may-not have the right to redistribute, an entire directory containing the commercial version of Qt, some, admittedly expired, credentials, and so on, and so forth.

Winamp did take some action

There are numerous pull requests deleting said files, and the maintainers did also remove a lot, if not all the unlicensed code. And they did this... in public. You can clearly see many of the commits that delete stuff right there on the commits page. Which, you know, is a problem. If you open any of the commits listed there, you can simply look at the code that was deleted. If you simply clone that repository locally, you can move around that history and see it at the times before it was removed. This public deletion without rebasing just does nothing.

They deleted some of the commits

OK well, if you just scroll around the commits history, you will notice that the commits that delete, for example the Dolby code is nowhere to be found. But in the end, that doesn't really do anything either, since you can still just go back in history to a commit before they deleted it, and just see it there.

Does this count as distribution?

Ok, what can they do?

I mean, they could just rebase everything, this would theoretically get rid of the commit history. They'd need to get rid of pull requests as well, since those contain code from certain history positions. And to be honest, at this point I'd just delete the repo from GitHub, clean up the codebase locally, and create the GitHub repo anew.

But really, even that would not be enough anymore.

A lesser-known "feature" of GitHub

Remember how I said that they deleted some of the commits from their history, so you can't simply see what code they removed? Well, even though that commit is gone from the git history, and you wouldn't see it even if you cloned the repository locally... you can still see it on GitHub.

You see, to facilitate collaboration through forking, GitHub introduces something called a "repository network". This network holds information of the "upstream" or parent repository, all of its forks, and all the commits that belong to each fork.

Additionally, GitHub caches commits, so that they can be accessed by other repositories in the repository network. As explained by GitHub themselves, "GitHub stores the parent repository along with forks in a "repository network". It is a known behavior that objects from one network member are readable via other network members. Blobs and commits are stored together, while refs are stored separately for each fork. This shared storage model is what allows for pull requests between members of the same network.".

So, not only are the deleted commits potentially visible inside of forks that may have this commit from before it was deleted in the upstream repository. No, they are also just visible in general, as long as you know the commit hash. GitHub simply caches them, and you can just visit the page for that commit, and see all the changes it has made, and the entire code-base at that point in history.

You can still see deleted commits on GitHub

So, even if you rebase your repository, the commits history is still there, cached and awaiting. And all forks that were made before the rebase, you can just peruse those anyway.

Now, to be fair - GitHub has an entire docs section about leaking sensitive data. It does mention that you can contact support, and request the cached commits to be removed, if they deem that sensitive data has been exposed.

So, what if GitHub clears the cache, and we delete the repo?

Well, nothing. It has been already forked more than 2600 thousand times as of the time I'm writing this. It's out there on GitHub :) A lot of the forks were even made before anything was deleted from the repo. So you don't even have to rely on cached commit hashes. In the same docs page I linked above, GitHub themselves say that yeah - if someone has forked your repo, you're on your own, buddy.

If you remove the upstream repository of a repository network, GitHub simply designates another fork to be the upstream one. And all of that history and cached commits are still accessible through any of the forked repositories.

Conclusion

I do find it ironic, that this same collaborative feature which Winamp tried to disallow us from using - forking their repo, is also the one which in the end will not allow them to ever escape the reality that they managed to leak some confidential data on their repository.

But hey, what's done is done, and it did allow me to learn more about how GitHub works with its repository networks and whatnot, so I guess it is possible to learn from someone else's mistakes. I hope you learned something from this too, at the very least to be very careful with what you push to GitHub. And if you do make a mistake - just delete the repo before it was forked, and try again. QED

In terms of the Winamp repository, I am happy that they decided to share their codebase. Even though you literally can't do anything with it apart from reading it, it's still a nice case-study. And I do not wish for them to regret going source-available, so I hope they don't get any legal problems.

But on the other hand, I do wish they'd gone fully open-source. I mean, what are they protecting right now? Winamp is a big part of history, everyone has at least heard of it, if not used it. But nowadays it's just that - part of history. But we've seen that through collaboration and openness of the developers, a lot of software can live for a very long time. Winamp could become something modern and fully maintained, if it allowed for outside contribution. I do hope they take that next step at some point. After they clean up this mess of a repo...

· 5 min read

This is a writeup for the Key Mission challenge, part of the Hack the box's Cyberapocalypse CTF 2021, category Forensics.

Prompt

The secretary of earth defense has been kidnapped. We have sent our elite team on the enemy's base to find his location. Our team only managed to intercept this traffic. Your mission is to retrieve secretary's hidden location.

· 2 min read

This is a writeup for the CaaS challenge, part of the Hack the box's Cyberapocalypse CTF 2021, category Web.

Prompt

cURL As A Service or CAAS is a brand new Alien application, built so that humans can test the status of their websites. However, it seems that the Aliens have not quite got the hang of Human programming and the application is riddled with issues.

· 4 min read

Well, here we go. This was the very first CTF event that I took part of while it was happening, and I'm quite proud of my results!

Most importantly, almost every challenge that I finished taught me a bunch of new concepts and techniques, and showcased what can be expected in the field of hunting vulnerabilities.

By the end of the 5-day ordeal I got to 357th place out of 4740 teams and more than 9500 players, and I'm very satisfied with such an outcome from my very first event of this type.

But, as I can now see, the learning process continues even after the event, in the form of writing write-ups! The much more level-headed approach of trying to explain and follow the process of finding the flags means that I get to see my ideas and techniques in a new light, and organise the tools and concepts much better.

Reading write-ups is also indisplensable, as there were quite a few other challenges that I was sure I was very near to solving, but never found out what I was missing. Reading other people's write-ups allowed me to see what I was did right or wrong, and how to improve on that.

So I hope you get that from reading these write-ups as well, and learn a few things from them, or at least see an another approach to solving the same problem.

Enjoy!

Category Web

Inspector Gadget - Cyberapocalypse 2021 CTF

An easy warm-up challenge in the style of a scavenger hunt

CaaS - Cyberapocalypse 2021 CTF

Exploiting curl running locally on the host, to get local file inclusion

miniSTRypalace - Cyberapocalypse 2021 CTF

Showcasing the importance of white-listing instead of black-listing commands and strings inside PHP

BlitzProp - Cyberapocalypse 2021 CTF

Exploring the interesting concept ot AST injection and prototype pollution, resulting in remote code exectution. And all of that because we use the wrong version of a library in node

E.Tree - Cyberapocalypse 2021 CTF

Blind XPATH injection with a slight twist

Wild goose hunt - Cyberapocalypse 2021 CTF

A challenge showcasing the weakness of improper handling of mongo queries

Emoji Voting - Cyberapocalypse 2021 CTF

This fun challenge showcases blind SQL injection inside of an ORDER BY clause

Category Reverse

Passphrase - Cyberapocalypse 2021 CTF

A simple reverse-engineering challenge invoving stringcompare

Authenticator - Cyberapocalypse 2021 CTF

Reverse-engineering a binary, involving both stringcompare and a bit of XOR magic

Category Forensics

Key Mission - Cyberapocalypse 2021 CTF

Having fun with USB Human Interface Devices, namely a keyboard. The twist was having to deal with the Shift key

Category Crypto

Nintendo Base64 - Cyberapocalypse 2021 CTF

An easy warm-up cryptography challenge, dealing with multilayered base64 encoding and obfuscation

Soulcrabber - Cyberapocalypse 2021 CTF

A challenge written in Rust, showcasing using known seeds for pseudo-random number generators

Phasestream 1- Cyberapocalypse 2021 CTF

The first challenge of this series showcased XOR encryption with a 5-byte key

Phasestream 2 - Cyberapocalypse 2021 CTF

Still on the topic of XOR, this time using a 1-byte key, but hiding the real flag in a list of 9999 different strings

Phasestream 3 - Cyberapocalypse 2021 CTF

A challenge showcasing the devastating effects of reusing keystreams in AES encryption

Phasestream 4 - Cyberapocalypse 2021 CTF

A direct follow-up of the previous challenge, introducing a bit of a guessing game

Category Misc

Alien Camp - Cyberapocalypse 2021 CTF

A fun scripting challenge involving the automatic handling of nc based services

Input as a Service - Cyberapocalypse 2021 CTF

input() in python2.x is scary by default

· 3 min read

This is a writeup for the Alien Camp challenge, part of the Hack the box's Cyberapocalypse CTF 2021, category Misc.

Prompt

The Ministry of Galactic Defense now accepts human applicants for their specialised warrior unit, in exchange for their debt to be erased. We do not want to subject our people to this training and to be used as pawns in their little games. We need you to answer 500 of their questions to pass their test and take them down from the inside.

· 5 min read

This is a writeup for the Authenticator challenge, part of the Hack the box's Cyberapocalypse CTF 2021, category Reverse.

Prompt

We managed to steal one of the extraterrestrials' authenticator device. If we manage to understand how it works and get their credentials, we may be able to bypass all of their security locked doors and gain access everywhere!