Categories
Forensics

Export packet data

One of the recent challenges I completed consisted of identifying specific data exchanged over the network in a packet capture opened in Wireshark. I noticed one IP address was sending small packets of data to another IP address using the ICMP protocol.

The first packet contained the PNG file signature (the PNG magic bytes), so I figured the sender was trying to pass an image to the recipient without being detected. Because the image was split into small packets, Wireshark did not identify it as an object sent over the network, so I had to combine the packets into a single file. There were around 2000 packets sent, so this is definitely not manual work.

For this task I used tshark, the command-line counterpart of Wireshark. After running the following command in the terminal:

tshark -r capture.pcap -Y 'icmp and ip.dst == 10.0.0.41' -T fields -e data > output.png

the exported file contained a full PNG built using the data sent over all the ping requests. Indeed, the user sent an encrypted password as a screenshot.
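The reassembly described above, as an added example that is not part of the original post: tshark's `-T fields -e data` output is hex text, one packet per line (older versions print it as `89:50:4e:47`, newer ones as `89504e47`), so the bytes have to be decoded before they form a file. This example goes one step beyond the command in the post by also exporting `icmp.seq` (`-e icmp.seq -e data`) and joining the payloads in ICMP sequence order rather than capture order, which matters when packets are reordered or retransmitted. The sample input is constructed: the well-known 1x1 transparent PNG cut into 16-byte "packets".

```php
<?php
// Added example (not part of the original post): rebuild the exfiltrated file from
// the text that `tshark -T fields -e icmp.seq -e data` prints, one packet per line.
// Assumptions: lines are "icmp.seq<TAB>data"; the data field is hex text (older
// tshark prints "89:50:4e:47...", newer prints "89504e47..."); packets should be
// joined in ICMP sequence order, not capture order.

const PNG_SIGNATURE = "\x89PNG\r\n\x1a\n";
const PNG_IEND      = "\x00\x00\x00\x00IEND\xae\x42\x60\x82";

/** Parse the field output into [seq => payload bytes], sorted by sequence number. */
function parse_icmp_payloads(string $tsv): array
{
    $chunks = [];
    foreach (preg_split('/\r?\n/', $tsv) as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        [$seq, $hex] = array_pad(explode("\t", $line, 2), 2, '');
        $hex = str_replace(':', '', $hex);
        // Skip malformed lines instead of writing garbage into the output.
        if ($hex === '' || !ctype_xdigit($hex) || strlen($hex) % 2 !== 0) {
            continue;
        }
        $seq = (int) $seq;
        // Retransmitted packets repeat a sequence number: keep the first copy.
        if (!isset($chunks[$seq])) {
            $chunks[$seq] = hex2bin($hex);
        }
    }
    ksort($chunks, SORT_NUMERIC);
    return $chunks;
}

/** Concatenate the ordered payloads into one blob. */
function reassemble(string $tsv): string
{
    return implode('', parse_icmp_payloads($tsv));
}

/** True when the blob starts with the PNG signature and ends with an IEND chunk. */
function looks_like_complete_png(string $blob): bool
{
    return strlen($blob) >= 20
        && substr($blob, 0, 8) === PNG_SIGNATURE
        && substr($blob, -12) === PNG_IEND;
}

// Constructed sample: the well-known 1x1 transparent PNG, split into 16-byte
// "packets" and listed in shuffled capture order to show that sorting matters.
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg==');
$lines = [];
foreach (str_split(bin2hex($png), 32) as $i => $hex) {
    $lines[] = ($i + 1) . "\t" . $hex;
}
shuffle($lines);
$blob = reassemble(implode("\n", $lines));

echo looks_like_complete_png($blob) ? "complete PNG recovered\n" : "incomplete or not a PNG\n";
file_put_contents('output.png', $blob);
```

Run it with `php reassemble.php` after saving the tshark output to a file and passing its contents to `reassemble()`. From the defender's side, the same properties that make this reassembly work are the detection signals: a normal echo request carries a fixed-size payload of timestamp and pattern bytes, so a long run of ICMP packets to one host whose payload sizes vary, or whose first payload starts with a file signature, is worth alerting on.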

Categories
Shell

Shell wildcards

A wildcard is a character that can stand in for one or more characters. The Linux shell uses 3 wildcards (glob patterns):

  • star (*) – substitutes zero or more characters
  • question mark (?) – matches exactly one character
  • square brackets ([]) – matches any one of the characters enclosed in the brackets

These wildcards are mainly used when specifying file names or paths.

One nice trick is that you can also use wildcards to run Linux utilities, because the shell expands the pattern before the command is executed. Let’s take head for example. head is a command-line utility that outputs the first part of the files it is given (or of standard input when no file is given). Running

head text

is the same as running

/usr/bin/head text

However, using wildcards we can run the following command:

/?s?/b*/h*ad t?xt

and we’d get the beginning of the text file.

This is mostly used when you need to run specific commands but can only use a limited set of characters, or when you encounter a validator that rejects certain words (cat, tail, head, bin, usr, etc.). The same trick is why a blocklist of command names is not a reliable defence: the filtered string never contains the name, and the shell still resolves it.

Categories
PHP

PHP strcmp() bypass

The PHP strcmp() documentation is here: https://www.php.net/manual/en/function.strcmp.php

If you pass an array to the strcmp() function instead of a string, PHP emits a warning, but the comparison result still evaluates as equal to 0.

<?php
// An array is passed where a string is expected
if (strcmp([], "text") == 0) {
    echo 'This is 0';
} else {
    echo 'This is not 0';
}

Running this PHP code we’d get:

Warning: strcmp() expects parameter 1 to be string, array given in <filename> on line <line number>
This is 0

This is useful to know when trying to bypass a PHP strcmp() string comparison in Capture the Flag challenges: any request parameter can be turned into an array by naming it with square brackets (for example password[]=x).

This is also something you should keep in mind when writing secure PHP code: check that user input is actually a string before comparing it, and use a strict comparison (=== 0) rather than a loose one.
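The loose check from the post beside a hardened version, as an added example that is not part of the original post. It assumes the value comes from user-controlled data such as $_POST['password'], which the client can make either a string or an array. The detail behind the bypass: in PHP 7 strcmp() returns null (not 0) on a non-string argument, and the loose `null == 0` turns that into a match; in PHP 8 the same call throws a TypeError, so the loose version's behaviour depends on the PHP version.

```php
<?php
// Added example (not part of the original post): the loose comparison from the
// post beside a hardened version. Assumes $input comes from user-controlled data
// such as $_POST['password'], which can be a string or an array (password[]=x).

const EXPECTED = 'text';

// Loose: a non-string input makes strcmp() emit a warning and return null in
// PHP 7 (null == 0 is true), and throw a TypeError in PHP 8.
function loose_check($input): bool
{
    return strcmp($input, EXPECTED) == 0;
}

// Hardened: reject anything that is not a string, then compare in constant time.
// hash_equals() returns false for unequal strings and does not leak length-
// dependent timing; for real passwords store a hash and use password_verify().
function strict_check($input): bool
{
    if (!is_string($input)) {
        return false;
    }
    return hash_equals(EXPECTED, $input);
}

// Constructed inputs: the legitimate string, the array from the post, a wrong string.
var_dump(loose_check('text'));   // true, the legitimate case
var_dump(strict_check('text'));  // true
var_dump(strict_check([]));      // false: arrays are rejected before comparing
var_dump(strict_check('other')); // false
```

Even `strcmp($input, EXPECTED) === 0` alone would defeat this particular trick, since null is not identical to 0, but the is_string() check is the real fix: it closes the whole class of type-juggling problems rather than one symptom, and it keeps hash_equals() from receiving a non-string.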