• Pushing git repository to multiple remotes

    I’m currently managing my dotfiles repository on both GitHub and Bitbucket. These two repositories are the same, but I don’t want to remove one of them. I mainly use GitHub for hosting code now, but the first place I uploaded my dotfiles to was Bitbucket.

    I want to keep the HEAD of the two remote repositories the same, so when I push code to my dotfiles, both of them must be updated at the same time.

    Default git config

    First, clone or init the repository.

    git clone https://github.com/yous/dotfiles.git
    

    Then, as you know, the origin will be set to https://github.com/yous/dotfiles.git. This is the content of .git/config:

    [core]
    	# ...
    [remote "origin"]
    	url = https://github.com/yous/dotfiles.git
    	fetch = +refs/heads/*:refs/remotes/origin/*
    [branch "master"]
    	# ...
    

    Note that there is the url attribute under remote "origin".

    git remote set-url

    Now we’re going to run git remote set-url twice so that the repository will have two push URLs. Setting a push URL is slightly different from plain git remote set-url <name> <newurl>. See man git-remote:

    set-url
        Changes URLs for the remote. Sets first URL for remote <name> that
        matches regex <oldurl> (first URL if no <oldurl> is given) to
        <newurl>. If <oldurl> doesn't match any URL, an error occurs and
        nothing is changed.
    
        With --push, push URLs are manipulated instead of fetch URLs.
    
        With --add, instead of changing existing URLs, new URL is added.
    

    So we need to run git remote set-url --push <name> <newurl>. Moreover, we need two push URLs, so the second command should be git remote set-url --add --push <name> <newurl>. It’s okay to specify --add --push for the first command, too.

    git remote set-url --add --push origin https://github.com/yous/dotfiles.git
    git remote set-url --add --push origin https://bitbucket.org/yous/dotfiles.git
    

    Now, the content of .git/config would be like this:

    [core]
    	# ...
    [remote "origin"]
    	url = https://github.com/yous/dotfiles.git
    	fetch = +refs/heads/*:refs/remotes/origin/*
    	pushurl = https://github.com/yous/dotfiles.git
    	pushurl = https://bitbucket.org/yous/dotfiles.git
    [branch "master"]
    	# ...
    

    All done! Note that there are two pushurls under remote "origin". Now git push automatically pushes to both push URLs.
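
    The setup above can be checked offline. The script below is an added example, not part of the original post: two local bare repositories (constructed paths) stand in for the GitHub and Bitbucket remotes, and the helper names are assumptions. It also shows why the fetch URL has to be listed as a push URL: with only one pushurl set, the other remote receives nothing.

```shell
#!/bin/sh
# Added example. Two local bare repositories stand in for the GitHub and
# Bitbucket remotes; every path here is constructed for the demo.

# Print the commit refs/heads/master points to in a bare repo, or "none".
remote_head() {
    git --git-dir="$1" rev-parse -q --verify refs/heads/master 2>/dev/null \
        || echo none
}

mirror_push_demo() {
    work=$(mktemp -d) || return 1
    gh="$work/github.git"; bb="$work/bitbucket.git"; repo="$work/dotfiles"
    git init -q --bare "$gh"
    git init -q --bare "$bb"
    git init -q "$repo"
    git -C "$repo" config user.name "Example User"
    git -C "$repo" config user.email "user@example.invalid"
    echo "set number" > "$repo/vimrc"
    git -C "$repo" add vimrc
    git -C "$repo" commit -q -m "Add vimrc"
    git -C "$repo" remote add origin "$gh"

    # Step 1: once any pushurl exists, git push ignores `url`, so with only
    # the second remote listed the first one receives nothing.
    git -C "$repo" remote set-url --add --push origin "$bb"
    git -C "$repo" push -q origin HEAD:refs/heads/master
    gh_after_one=$(remote_head "$gh")

    # Step 2: list the fetch URL as a push URL too; one push updates both.
    git -C "$repo" remote set-url --add --push origin "$gh"
    git -C "$repo" push -q origin HEAD:refs/heads/master

    head=$(git -C "$repo" rev-parse HEAD)
    urls=$(git -C "$repo" config --get-all remote.origin.pushurl | wc -l | tr -d ' ')
    ok=no
    [ "$gh_after_one" = none ] && [ "$(remote_head "$gh")" = "$head" ] \
        && [ "$(remote_head "$bb")" = "$head" ] && [ "$urls" -eq 2 ] && ok=yes
    rm -rf "$work"
    [ "$ok" = yes ] && echo "both remotes at $head"
}

mirror_push_demo
```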

  • Boston Key Party CTF 2017: vimjail write-up

    vimjail (pwn 150)

    • ssh ctfuser@ec2-54-200-176-5.us-west-2.compute.amazonaws.com
    • password: loginPWforVimJail

    Can you read the flag?

    UPDATES

    • (13:38 UTC Saturday): The flag is not in /tmp.
    • (13:31 EST Saturday): new ip

    Looking around

    Well, you would do ls first when you log in, and so did we. And there was ~/flagReader.

    ctfuser@ip-172-31-31-196:~$ ls -als /home/ctfuser/flagReader
    12 ---S--x--- 1 topsecretuser secretuser 8768 Feb 25 08:42 /home/ctfuser/flagReader
    

    If you try completion by pressing the Tab key or try to move around using cd, it fails with an error message from rbash. It’s restricted bash, but you can simply run bash to escape.

    While moving around, we found nothing special except /.flag. Also there were some .s[a-z][a-z] files under /var/tmp/ and /tmp/, created by secretuser. But they were not in a fixed location after the problem server was changed, so we thought there would be a way to run Vim under secretuser’s permission.

    ctfuser@ip-172-31-31-196:~$ ls -als /.flag
    4 -r-------- 1 topsecretuser topsecretuser 39 Feb 25 08:42 /.flag
    

    We also tried to find setuid or setgid files, but there was only the previous flagReader.

    ctfuser@ip-172-31-31-196:/tmp$ find / -perm -4000 -o -perm -2000 -type f 2>/dev/null
    /bin/ping
    /bin/ping6
    /bin/fusermount
    /bin/umount
    /bin/su
    /bin/mount
    /bin/ntfs-3g
    /sbin/unix_chkpwd
    /sbin/pam_extrausers_chkpwd
    /usr/lib/x86_64-linux-gnu/utempter/utempter
    /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
    /usr/lib/openssh/ssh-keysign
    /usr/lib/snapd/snap-confine
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/policykit-1/polkit-agent-helper-1
    /usr/bin/crontab
    /usr/bin/newuidmap
    /usr/bin/at
    /usr/bin/chage
    /usr/bin/sudo
    /usr/bin/bsd-write
    /usr/bin/pkexec
    /usr/bin/chfn
    /usr/bin/expiry
    /usr/bin/newgrp
    /usr/bin/screen
    /usr/bin/chsh
    /usr/bin/gpasswd
    /usr/bin/newgidmap
    /usr/bin/ssh-agent
    /usr/bin/passwd
    /usr/bin/mlocate
    /home/ctfuser/flagReader
    


  • 33C3 CTF 2016: pdfmaker write-up

    pdfmaker (misc 75)

    Just a tiny application, that lets the user write some files and compile them with pdflatex. What can possibly go wrong?

    nc 78.46.224.91 24242

    If you can’t download the application, please use this link.

    What is the goal?

    There are some interesting parts in pdfmaker_public.py. initConnection copies the flag file into self.directory under a name of the form:

    "33C3" + "%X" % randint(0, 2**31) + "%X" % randint(0, 2**31)
    

    Since the answer would be in the 33C3XXXXXXXXXXXXXXXX file, we should get the list of filenames in its directory. Note that the create method can create log, tex, sty, mp, and bib files.

    Behavior of \write18

    @daehee found this helpful link: “Pwning coworkers thanks to LaTeX”. According to the post, \write18 normally executes any program listed in shell_escape_commands:

    shell_escape_commands = \
    bibtex,bibtex8,\
    extractbb,\
    kpsewhich,\
    makeindex,\
    mpost,\
    repstopdf,\
    

    Note that mpost is in there, and we can create an mp file! As noted in the link, mpost takes the -tex option for text labels, so we can execute an arbitrary program.


  • HITCON CTF 2016: ROP write-up

    ROP (Reverse 250)

    Description

    Who doesn’t like ROP?
    Let’s try some new features introduced in 2.3.

    rop.iseq

    Hint

    None

    If the above link doesn’t work, please use this link.

    New features?

    Well, see the Ruby 2.3.0 news.

    RubyVM::InstructionSequence#to_binary and .load_from_binary are introduced as experimental features. With these features, we can make a ISeq (bytecode) pre-compilation system.

    Yes, so this is about using RubyVM::InstructionSequence.load_from_binary. Let’s just start with:

    RubyVM::InstructionSequence.load_from_binary(File.read('rop.iseq'))
    

    But you may run into this kind of error:

    RuntimeError: unmatched platform
            from (irb):1:in `load_from_binary'
            from (irb):1
            from /usr/bin/irb:11:in `<main>'
    

    By checking strings rop.iseq, we can find x86_64-linux. So we need Ruby 2.3 on the Linux x86_64 platform. You can see the platform with ruby --version. This is my version:

    ruby 2.3.1p112 (2016-04-26 revision 54768) [x86_64-linux]
    


  • How to reset window size of Slack on Windows

    Slack application

    Slack, you may know. It rocks, and I’m also involved in several teams. Their site is great, but more teams, more tabs in my browser. I decided to use their Windows app which provides handy shortcuts for switching between teams.

    Today I just remotely connected to my Windows desktop from my notebook. But then, I realized the Slack window had shrunk. Maybe the reason is my notebook’s screen size, but I don’t know. Its content area became too small to read, so I wanted its window size back.

    Actually the default window size was to my taste, so I wanted to just reset its customized window size. And I found it, so here I am to share with you.

    Resetting Slack’s window size

    Slack 2.2.1

    First of all, note that this is not a permanent solution since it’s not a part of the Slack API or something that is guaranteed by them. My Windows machine is 64-bit and the version of Slack is 2.2.1.

    So here is a way to reset the window size of Slack.

    1. Quit your Slack application.
    2. Navigate to %APPDATA%\Slack. The value of %APPDATA% is something like C:\Users\{username}\AppData\Roaming.
    3. Open redux-state.json to edit.
    4. Find windowSettings under state’s app. Its value would be like:

      \"windowSettings\":{\"size\":[1152,832],\"position\":[384,104],\"isMaximized\":false}
      
    5. Delete the whole windowSettings entry above. If you delete only a part of the value of windowSettings, the application may crash.
    6. Open Slack again. It will set the default window size automatically.

    Slack 2.4.1

    With updates to Slack, window-related settings were separated and moved to another location. Here is a way to reset the window size:

    1. Quit your Slack application.
    2. Navigate to %APPDATA%\Slack\storage. The value of %APPDATA% is something like C:\Users\{username}\AppData\Roaming.
    3. Open slack-windowFrame to edit.
    4. Delete the whole content, but do not delete the file itself.
    5. Open Slack again. It will set the default window size automatically.

    Keep calm and use Slack!