CyberDen.sql

-- phpMyAdmin SQL Dump
-- version 4.7.0
-- https://www.phpmyadmin.net/
--
-- Host: 127.0.0.1
-- Generation Time: Feb 03, 2019 at 05:12 AM
-- Server version: 10.1.25-MariaDB
-- PHP Version: 5.6.31

SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
SET AUTOCOMMIT = 0;
START TRANSACTION;
SET time_zone = "+00:00";


/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;

--
-- Database: `instinctme`
--

-- --------------------------------------------------------

--
-- Table structure for table `admin`
--

CREATE TABLE `admin` (
  `admin_id` int(11) NOT NULL,
  `admin_email` varchar(100) NOT NULL,
  `admin_name` varchar(100) NOT NULL,
  `password` varchar(100) NOT NULL,
  `time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

--
-- Dumping data for table `admin`
--

INSERT INTO `admin` (`admin_id`, `admin_email`, `admin_name`, `password`, `time`) VALUES
(4, 'admin@gmail.com', 'kasireddy', '2f93473efece6e5b2dc83a81128c3263', '2018-06-06 00:29:53'),
(5, 'admin2@gmail.com', 'varma', '5e3fe9c4f4bc9346fef69cb04f86e9d7', '2018-06-06 00:30:17'),
(6, 'admin@instinctme.com', 'R&D Works', '2f93473efece6e5b2dc83a81128c3263', '2018-06-20 18:34:21');

-- --------------------------------------------------------

--
-- Table structure for table `chat`
--

CREATE TABLE `chat` (
  `sent_by` int(11) NOT NULL,
  `sent_to` int(11) NOT NULL,
  `msg` varchar(750) NOT NULL,
  `time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

-- --------------------------------------------------------

--
-- Table structure for table `feedback`
--

CREATE TABLE `feedback` (
  `user_id` int(11) NOT NULL,
  `feedback` varchar(700) NOT NULL,
  `time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

-- --------------------------------------------------------

--
-- Table structure for table `followers`
--

CREATE TABLE `followers` (
  `followed_by` int(11) NOT NULL,
  `following` int(11) NOT NULL,
  `status` int(11) NOT NULL,
  `time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

--
-- Dumping data for table `followers`
--

INSERT INTO `followers` (`followed_by`, `following`, `status`, `time`) VALUES
(1, 27, 0, '2019-02-02 21:25:51');

-- --------------------------------------------------------

--
-- Table structure for table `friend_requests`
--

CREATE TABLE `friend_requests` (
  `sent_by` int(11) NOT NULL,
  `sent_to` int(11) NOT NULL,
  `status` int(11) NOT NULL DEFAULT '0'
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

-- --------------------------------------------------------

--
-- Table structure for table `likes`
--

CREATE TABLE `likes` (
  `story_id` int(11) NOT NULL,
  `user_id` int(11) NOT NULL,
  `status` tinyint(1) DEFAULT '0',
  `time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

--
-- Dumping data for table `likes`
--

INSERT INTO `likes` (`story_id`, `user_id`, `status`, `time`) VALUES
(8, 27, 0, '2019-02-02 20:53:30'),
(12, 27, 0, '2019-02-02 21:14:48'),
(13, 1, 1, '2019-02-03 01:03:32');

-- --------------------------------------------------------

--
-- Table structure for table `notifications`
--

CREATE TABLE `notifications` (
  `user_id` int(11) NOT NULL,
  `notification` varchar(750) NOT NULL,
  `seen` tinyint(1) NOT NULL DEFAULT '0',
  `time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

-- --------------------------------------------------------

--
-- Table structure for table `stories`
--

CREATE TABLE `stories` (
  `story_id` int(11) NOT NULL,
  `user_id` int(11) NOT NULL,
  `title` varchar(100) NOT NULL,
  `story` text NOT NULL,
  `plain_story` text NOT NULL,
  `story_unique_hash` varchar(255) NOT NULL,
  `category` varchar(100) NOT NULL,
  `story_type` varchar(10) NOT NULL,
  `time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  `valid` tinyint(1) NOT NULL DEFAULT '1'
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

--
-- Dumping data for table `stories`
--

INSERT INTO `stories` (`story_id`, `user_id`, `title`, `story`, `plain_story`, `story_unique_hash`, `category`, `story_type`, `time`, `valid`) VALUES
(1, 4, 'About life by professor in a class', '<p>A professor stood before his class with some items on the table in front of him. When the class began, he picked up a very large and empty jar and proceeded to fill it with rocks.</p>\n<p>He then asked the students if the jar was full. They agreed that it was.</p>\n<p>So the professor then picked up a box of pebbles and poured them into the jar. He shook the jar lightly. The pebbles, of course, rolled into the open areas between the rocks.</p>\n<div style="float: right; margin: 10px 0 10px 10px;"> </div>\n<p>He then asked the students again if the jar was full. They agreed it was.</p>\n<p>The professor picked up a box of sand and poured it into the jar. Of course, the sand filled up the remaining open areas of the jar.</p>\n<p>He then asked once more if the jar was full. The students responded with a unanimous “Yes.”</p>\n<p>“Now,” said the professor, “I want you to recognize that this jar represents your life. The rocks are the important things – your family, your partner, your health, your children – things that if everything else was lost and only they remained, your life would still be full. The pebbles are the other things that matter – like your job, your house, your car. The sand is everything else, the small stuff.”</p>\n<p>“If you put the sand into the jar first,” he continued, “there is no room for the pebbles or the rocks. The same goes for your life. If you spend all your time and energy on the small stuff, you will never have room for the things that are important to you. Pay attention to the things that are critical to your happiness. Play with your children. Take your partner out dancing. There will always be time to go to work, clean the house, give a dinner party, or fix the disposal.”</p>\n<p>“Take care of the rocks first – the things that really matter. Set your priorities. The rest is just sand.”</p>\n<p>It\'s not mine, I read it somewhere.</p>', 'A professor stood before his class with some items on the table in front of him. When the class began, he picked up a very large and empty jar and proceeded to fill it with rocks.\n\nHe then asked the students if the jar was full. They agreed that it was.\n\nSo the professor then picked up a box of pebbles and poured them into the jar. He shook the jar lightly. The pebbles, of course, rolled into the open areas between the rocks.\n\nHe then asked the students again if the jar was full. They agreed it was.\n\nThe professor picked up a box of sand and poured it into the jar. Of course, the sand filled up the remaining open areas of the jar.\n\nHe then asked once more if the jar was full. The students responded with a unanimous “Yes.”\n\n“Now,” said the professor, “I want you to recognize that this jar represents your life. The rocks are the important things – your family, your partner, your health, your children – things that if everything else was lost and only they remained, your life would still be full. The pebbles are the other things that matter – like your job, your house, your car. The sand is everything else, the small stuff.”\n\n“If you put the sand into the jar first,” he continued, “there is no room for the pebbles or the rocks. The same goes for your life. If you spend all your time and energy on the small stuff, you will never have room for the things that are important to you. Pay attention to the things that are critical to your happiness. Play with your children. Take your partner out dancing. There will always be time to go to work, clean the house, give a dinner party, or fix the disposal.”\n\n“Take care of the rocks first – the things that really matter. Set your priorities. The rest is just sand.”\n\nIt\'s not mine, I read it somewhere.', '5978259f0d26baaa2847b57b196405fc', 'web', 'others', '2018-09-18 04:51:09', 0),
(2, 18, '"I LOVE YOU" How it really feels.', '<p>My wife wanted me to take another woman out to dinner and a movie. She said, “I love you, but I know this other woman loves you and would love to spend some time with you.”<br /><br />The other woman that my wife wanted me to visit was my MOTHER, who has been a widow for 19 years, but the demands of my work and my three children had made it possible to visit her only occasionally. That night I called to invite her to go out for dinner and a movie.“What’s wrong, are you well?” she asked.I responded. “Just the two of us.” She thought about it for a moment, and then said, “I would like that very much.”<br /><br />I was a bit nervous. When I arrived at her house, I noticed that she, too, seemed to be nervous about our date. She waited in the door wearing the dress that she had worn to celebrate her last wedding anniversary. She smiled from a face that was as radiant as an angel’s.<br /><br />We went to a restaurant During the dinner, we had an agreeable conversation – nothing extraordinary but catching up on recent events of each other’s life. We talked so much that we missed the movie.<br /><br />During the dinner, we had an agreeable conversation – nothing extraordinary but catching up on recent events of each other’s life. We talked so much that we missed the movie.<br /><br />I returned to my home.“How was your dinner date?” asked my wife when I got home.I kissed her and said "thank you sooo much for making such a wonderful thing happen in my life".she said "I LOVE YOU".<br /><br />At that moment.I understood how some one saying "I LOVE YOU" to me really feels.</p>\n<p>                 Thank you God for giving me such a wife and family. <br /><br />-->Give our loved ones the time that they deserve. <br />-->Nothing in life is more important than your family.</p>', 'My wife wanted me to take another woman out to dinner and a movie. She said, “I love you, but I know this other woman loves you and would love to spend some time with you.”\n\nThe other woman that my wife wanted me to visit was my MOTHER, who has been a widow for 19 years, but the demands of my work and my three children had made it possible to visit her only occasionally. That night I called to invite her to go out for dinner and a movie.“What’s wrong, are you well?” she asked.I responded. “Just the two of us.” She thought about it for a moment, and then said, “I would like that very much.”\n\nI was a bit nervous. When I arrived at her house, I noticed that she, too, seemed to be nervous about our date. She waited in the door wearing the dress that she had worn to celebrate her last wedding anniversary. She smiled from a face that was as radiant as an angel’s.\n\nWe went to a restaurant During the dinner, we had an agreeable conversation – nothing extraordinary but catching up on recent events of each other’s life. We talked so much that we missed the movie.\n\nDuring the dinner, we had an agreeable conversation – nothing extraordinary but catching up on recent events of each other’s life. We talked so much that we missed the movie.\n\nI returned to my home.“How was your dinner date?” asked my wife when I got home.I kissed her and said "thank you sooo much for making such a wonderful thing happen in my life".she said "I LOVE YOU".\n\nAt that moment.I understood how some one saying "I LOVE YOU" to me really feels.\n\n                 Thank you God for giving me such a wife and family.\n\n-->Give our loved ones the time that they deserve.\n-->Nothing in life is more important than your family.', '2d122986c9068f7f6bb97277ad2c8dd4', 'crypto', 'own', '2018-09-30 19:23:13', 0),
(3, 20, 'Forget the things by evening which makes you paralyzed', '<p>when I am having my Ph.D. It\'s my first class the professor shown the pen on the table and asked can I hold it. All of us answered that "YES".<br /><br />He replied, “The absolute weight doesn’t matter. It depends on how long I hold it. If I hold it for a minute, it’s not a problem. If I hold it for an hour, I’ll have an ache in my arm. If I hold it for a day, my arm will feel numb and paralyzed. In each case, the weight of the pen doesn’t change, but the longer I hold it, the heavier it becomes.”<br /><br />He continued, “The stresses and worries in life are like that pen. Think about them for a while and nothing happens. Think about them a bit longer and they begin to hurt. And if you think about them all day long, you will feel paralyzed – incapable of doing anything.”<br /><br />It’s important to remember to let go of your stresses. As early in the evening as you can, put all your burdens down. Don’t carry them through the evening and into the night. Remember to put the pen down!<br /><br /><br /><br /></p>', 'when I am having my Ph.D. It\'s my first class the professor shown the pen on the table and asked can I hold it. All of us answered that "YES".\n\nHe replied, “The absolute weight doesn’t matter. It depends on how long I hold it. If I hold it for a minute, it’s not a problem. If I hold it for an hour, I’ll have an ache in my arm. If I hold it for a day, my arm will feel numb and paralyzed. In each case, the weight of the pen doesn’t change, but the longer I hold it, the heavier it becomes.”\n\nHe continued, “The stresses and worries in life are like that pen. Think about them for a while and nothing happens. Think about them a bit longer and they begin to hurt. And if you think about them all day long, you will feel paralyzed – incapable of doing anything.”\n\nIt’s important to remember to let go of your stresses. As early in the evening as you can, put all your burdens down. Don’t carry them through the evening and into the night. Remember to put the pen down!', 'eebb8df8354f31ef4eeed7401d422e61', 're', 'own', '2018-10-03 10:28:05', 0),
(4, 21, 'I have learned', '<p>-that either you control your attitude or it controls you.<br /><br />-that it’s taking me a long time to become the person I want to be.<br /><br />-that no matter how good a friend is, they’re going to hurt you every once in a while and you must forgive them for that.<br /><br />-.that you can do something in an instant that will give you heartache for life.<br /><br />-that it’s not what you have in your life but who you have in your life that counts.<br /><br />-that you can do something in an instant that will give you heartache for life.<br /><br />-that you should always leave loved ones with loving words. It may be the last time you see them.<br /><br />-that heroes are the people who do what has to be done when it needs to be done, regardless of the consequences.<br /><br />-that my best friend and I can do anything or nothing and have the best time.<br /><br />-that sometimes the people you expect to kick you when you’re down will be the ones to help you get back up.<br /><br />-that true friendship continues to grow, even over the longest distance. Same goes for true love.<br /><br />-that maturity has to be more than how many birthdays you’ve celebrated.<br /><br />-that our background and circumstances may have influenced who we are, but we are responsible for who we become.<br /><br />-that a rich person is not the one who has the most but is one who needs the least.<br /><br />-that just because two people argue, it doesn’t mean they don’t love each other. And just because they don’t argue, it doesn’t mean they do.<br /><br />-that we don’t have to change friends if we understand that friends change.<br /><br />-that no matter how you try to protect your children, they will eventually get hurt and you will hurt in the process.<br /><br />-that even when you think you have no more to give when a friend cries out to you, you will find the strength to help.<br /><br />-that people will forget what you said, and people will forget what you did, but people will never forget how you made them feel.</p>', '-that either you control your attitude or it controls you.\n\n-that it’s taking me a long time to become the person I want to be.\n\n-that no matter how good a friend is, they’re going to hurt you every once in a while and you must forgive them for that.\n\n-.that you can do something in an instant that will give you heartache for life.\n\n-that it’s not what you have in your life but who you have in your life that counts.\n\n-that you can do something in an instant that will give you heartache for life.\n\n-that you should always leave loved ones with loving words. It may be the last time you see them.\n\n-that heroes are the people who do what has to be done when it needs to be done, regardless of the consequences.\n\n-that my best friend and I can do anything or nothing and have the best time.\n\n-that sometimes the people you expect to kick you when you’re down will be the ones to help you get back up.\n\n-that true friendship continues to grow, even over the longest distance. Same goes for true love.\n\n-that maturity has to be more than how many birthdays you’ve celebrated.\n\n-that our background and circumstances may have influenced who we are, but we are responsible for who we become.\n\n-that a rich person is not the one who has the most but is one who needs the least.\n\n-that just because two people argue, it doesn’t mean they don’t love each other. And just because they don’t argue, it doesn’t mean they do.\n\n-that we don’t have to change friends if we understand that friends change.\n\n-that no matter how you try to protect your children, they will eventually get hurt and you will hurt in the process.\n\n-that even when you think you have no more to give when a friend cries out to you, you will find the strength to help.\n\n-that people will forget what you said, and people will forget what you did, but people will never forget how you made them feel.', 'a758c82da101f147a3049f11bef89b89', 'forensics', 'own', '2018-10-03 10:45:16', 0),
(5, 22, 'Keep yourself in the CORRECT directoin', '<p>There may be days when you get up in the morning and things aren’t the way you had hoped they would be.<br /><br />That’s when you have to tell yourself that things will get better. There are times when people disappoint you and let you down.<br /><br />But those are the times when you must remind yourself to trust your own judgments and opinions, to keep your life focused on believing in yourself.<br /><br />There will be challenges to face and changes to make in your life, and it is up to you to accept them.<br /><br />Constantly keep yourself headed in the right direction for you. It may not be easy at times, but in those times of struggle you will find a stronger sense of who you are.<br /><br />So when the days come that are filled with frustration and unexpected responsibilities, remember to believe in yourself and all you want your life to be.<br /><br />Then one day You will be there at where you want to see yourself.<br /><br />            That\'s called success.</p>', 'There may be days when you get up in the morning and things aren’t the way you had hoped they would be.\n\nThat’s when you have to tell yourself that things will get better. There are times when people disappoint you and let you down.\n\nBut those are the times when you must remind yourself to trust your own judgments and opinions, to keep your life focused on believing in yourself.\n\nThere will be challenges to face and changes to make in your life, and it is up to you to accept them.\n\nConstantly keep yourself headed in the right direction for you. It may not be easy at times, but in those times of struggle you will find a stronger sense of who you are.\n\nSo when the days come that are filled with frustration and unexpected responsibilities, remember to believe in yourself and all you want your life to be.\n\nThen one day You will be there at where you want to see yourself.\n\n            That\'s called success.', 'ba76fec7da009f5a9aadc2fa9ff59ff4', 'pwn', 'own', '2018-10-03 10:49:38', 0),
(6, 27, 'cryptoooooo', '<p>hello this is just trial about crypto. hello this is just trial about crypto. that is the main purpose of the life.</p>\n<p>hello this is just trial about crypto. hello this is just trial about crypto. that is the main purpose of the life.</p>', 'hello this is just trial about crypto. hello this is just trial about crypto. that is the main purpose of the life.\n\nhello this is just trial about crypto. hello this is just trial about crypto. that is the main purpose of the life.', '992bd726b6002ab847e9d0295b49ff9d', 'crypto', 'own', '2019-02-02 18:09:01', 0),
(7, 27, 'crypto', '<p>crypto means hiding the data inside the other formats. crypto means hiding the data inside the other formats. crypto means hiding the data inside the other formats. crypto means hiding the data inside the other formats. crypto means hiding the data inside the other formats. crypto means hiding the data inside the other formats.</p>', 'crypto means hiding the data inside the other formats. crypto means hiding the data inside the other formats. crypto means hiding the data inside the other formats. crypto means hiding the data inside the other formats. crypto means hiding the data inside the other formats. crypto means hiding the data inside the other formats.', '29fe173610e078e77220a75476f1f670', 'crypto', 'own', '2019-02-02 18:54:04', 1),
(8, 27, 'web', '<p>Web involves the solving the tricks in js, php vulnerabilities. This is only few ways where people can find the vulnerabilities. There are many ways where people can find the ways to find the vulnerabilities to hack the website.</p>', 'Web involves the solving the tricks in js, php vulnerabilities. This is only few ways where people can find the vulnerabilities. There are many ways where people can find the ways to find the vulnerabilities to hack the website.', '6aaa1a78532c4e3d903fe877231f08f8', 'web', 'own', '2019-02-02 18:56:01', 1),
(9, 27, 'Pawning', '<p>Pawning is accessing the content of website through the other. This is just like logging into other systems. But anyway, these are not such easy tasks to do all the way. But there are things going on, where people are using these techniques in order to hack or inject the bugs into the system.</p>', 'Pawning is accessing the content of website through the other. This is just like logging into other systems. But anyway, these are not such easy tasks to do all the way. But there are things going on, where people are using these techniques in order to hack or inject the bugs into the system.', 'b118df406123c4ac1355fdb097d66b71', 'pwn', 'own', '2019-02-02 18:58:28', 1),
(10, 27, 'Reverse Engineering', '<p>Reverse Engineering is the finding the solution in reverse manner. Here we are given solution first and then we need to find the question in reverse manner. It is so interesting and very powerful.   Reverse Engineering is the finding the solution in reverse manner. Here we are given solution first and then we need to find the question in reverse manner. It is so interesting and very powerful. </p>', 'Reverse Engineering is the finding the solution in reverse manner. Here we are given solution first and then we need to find the question in reverse manner. It is so interesting and very powerful.   Reverse Engineering is the finding the solution in reverse manner. Here we are given solution first and then we need to find the question in reverse manner. It is so interesting and very powerful. ', 'e1b2345ee5473a5a9d637a3b03ccd1db', 're', 'own', '2019-02-02 19:03:40', 1),
(11, 27, 'Forensics', '<p>Forensics is also very powerful area where people use in cyber security. Forensics is also very powerful area where people use in cyber security. Forensics is also very powerful area where people use in cyber security. Forensics is also very powerful area where people use in cyber security. Forensics is also very powerful area where people use in cyber security. </p>', 'Forensics is also very powerful area where people use in cyber security. Forensics is also very powerful area where people use in cyber security. Forensics is also very powerful area where people use in cyber security. Forensics is also very powerful area where people use in cyber security. Forensics is also very powerful area where people use in cyber security. ', 'a78ab9e2798efb71918dbd3bf16ddd62', 'forensics', 'own', '2019-02-02 19:04:33', 1),
(12, 27, 'Misc', '<p>Misc means miscellaneous which contains problems of different ranges. It contains from low to high problems. It also contains very high problems. Misc means miscellaneous which contains problems of different ranges. It contains from low to high problems. It also contains very high problems. Misc means miscellaneous which contains problems of different ranges. It contains from low to high problems. It also contains very high problems. Misc means miscellaneous which contains problems of different ranges. It contains from low to high problems. It also contains very high problems. </p>', 'Misc means miscellaneous which contains problems of different ranges. It contains from low to high problems. It also contains very high problems. Misc means miscellaneous which contains problems of different ranges. It contains from low to high problems. It also contains very high problems. Misc means miscellaneous which contains problems of different ranges. It contains from low to high problems. It also contains very high problems. Misc means miscellaneous which contains problems of different ranges. It contains from low to high problems. It also contains very high problems. ', '73dd607d4eb42bbc9eea6ff3257aa970', 'misc', 'own', '2019-02-02 19:05:59', 1),
(13, 1, 'Programming', '<p>Programming involves the solving the problems regarding the programming languages and the vulnerabilities in them. Also, they are not easy to solve. To solve the programming based challenges, it required much more technical and programmable knowledge.</p>', 'Programming involves the solving the problems regarding the programming languages and the vulnerabilities in them. Also, they are not easy to solve. To solve the programming based challenges, it required much more technical and programmable knowledge.', '8fb2393c91a95a23e5f49b54ba0dddf3', 'pro', 'own', '2019-02-02 21:35:58', 1);
INSERT INTO `stories` (`story_id`, `user_id`, `title`, `story`, `plain_story`, `story_unique_hash`, `category`, `story_type`, `time`, `valid`) VALUES
(14, 1, 'Shell Exploit', '<h3 style="box-sizing: border-box; margin-bottom: 16px; font-size: 1.25em; line-height: 1.25; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; margin-top: 0px !important;">messagebox (Attack and Defense)</h3>\n<hr style="box-sizing: content-box; height: 0.25em; background: #e1e4e8; border: 0px; margin: 24px 0px; padding: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;" />\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">messagebox is a tcp server which allows us to read and save files in directory named data.</p>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">service is running on port <code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; background-color: rgba(27, 31, 35, 0.05); border-radius: 3px; margin: 0px; padding: 0.2em 0.4em;">5050</code></p>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">Actually, it asks username and read/write the file with that username.</p>\n<pre style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; background-color: #f6f8fa; border-radius: 3px; line-height: 1.45; overflow: auto; padding: 16px; color: #24292e;"><code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; background: transparent; border-radius: 3px; margin: 0px; padding: 0px; border: 0px; word-break: normal; display: inline; line-height: inherit; overflow: visible; overflow-wrap: normal;">\n$ ./message\nEnter username: s1r1u5\n=======Menu======\n1. Save message\n2. View message\nYour choice: 1\nEnter size (<50): 30\nEnter input: Hello World\nInput saved successfully.\n</code></pre>\n<pre style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; background-color: #f6f8fa; border-radius: 3px; line-height: 1.45; overflow: auto; padding: 16px; color: #24292e;"><code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; background: transparent; border-radius: 3px; margin: 0px; padding: 0px; border: 0px; word-break: normal; display: inline; line-height: inherit; overflow: visible; overflow-wrap: normal;">\n$ ./message\nEnter username: s1r1u5\n=======Menu======\n1. Save message\n2. View message\nYour choice: 2\nHello World\n</code></pre>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">Let us start our search for finding the vulnerabilities...</p>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">Oh wait! Do we have to reverse engineer the binary? 😳 No, we got the source code there. 😌 Now our only task is to find the vulnerabilities in the source code <a style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none;" href="https://github.com/51r1u5/ctf_writeups/blob/master/Inctf_2018/messagebox/message.c">message.c</a>.</p>\n<pre style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; background-color: #f6f8fa; border-radius: 3px; line-height: 1.45; overflow: auto; padding: 16px; color: #24292e;"><code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; background: transparent; border-radius: 3px; margin: 0px; padding: 0px; border: 0px; word-break: normal; display: inline; line-height: inherit; overflow: visible; overflow-wrap: normal;">\nvoid readfile(char* filename)\n{\n  char* ptr;\n  char* temp="cat ";\n  ptr=(char*)malloc(sizeof(char)*(strlen(temp)+strlen(filename)+1));\n  strcpy(ptr, temp);\n  strcat(ptr, filename);\n  system(ptr);\n  free(ptr);\n  printf("n");\n}\n</code></pre>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">Are you able to find any vulnerabilities there????</p>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">Yes, there it is <span style="box-sizing: border-box; font-weight: 600;">cat</span> and <span style="box-sizing: border-box; font-weight: 600;">system</span> call</p>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">To read the file called filename from the local directory it is using cat command. Here filename is nothing but the username which we have given.</p>\n<h3 style="box-sizing: border-box; margin-bottom: 16px; margin-top: 24px; font-size: 1.25em; line-height: 1.25; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\';"><a id="user-content-bug-1" class="anchor" style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none; float: left; line-height: 1; margin-left: -20px; padding-right: 4px;" href="https://github.com/51r1u5/ctf_writeups/tree/master/Inctf_2018/messagebox#bug-1" aria-hidden="true"></a>Bug 1</h3>\n<p><span style="color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">username = *</span></p>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">exploit : <a style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none;" href="https://github.com/51r1u5/ctf_writeups/blob/master/Inctf_2018/messagebox/exp.py">exp.py</a></p>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">what if we give the username as *. It just read all the files in the current directory</p>\n<hr style="box-sizing: content-box; height: 0.25em; background: #e1e4e8; border: 0px; margin: 24px 0px; padding: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;" />\n<h3 style="box-sizing: border-box; margin-bottom: 16px; margin-top: 24px; font-size: 1.25em; line-height: 1.25; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\';"><a id="user-content-bug-2" class="anchor" style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none; float: left; line-height: 1; margin-left: -20px; padding-right: 4px;" href="https://github.com/51r1u5/ctf_writeups/tree/master/Inctf_2018/messagebox#bug-2" aria-hidden="true"></a>Bug 2</h3>\n<p><span style="color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">username = *; sh</span></p>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">exploit : <a style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none;" href="https://github.com/51r1u5/ctf_writeups/blob/master/Inctf_2018/messagebox/exp3.py">exp3.py</a></p>\n<pre style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; background-color: #f6f8fa; border-radius: 3px; line-height: 1.45; overflow: auto; padding: 16px; color: #24292e;"><code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; background: transparent; border-radius: 3px; margin: 0px; padding: 0px; border: 0px; word-break: normal; display: inline; line-height: inherit; overflow: visible; overflow-wrap: normal;">\ncat *; sh\n</code></pre>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">we can get the shell by ending first command by <span style="box-sizing: border-box; font-weight: 600;">;</span></p>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">Patch for above bugs : Rather than using dangerous system call, we can just read the files in the directory by file handling in C language.</p>\n<hr style="box-sizing: content-box; height: 0.25em; background: #e1e4e8; border: 0px; margin: 24px 0px; padding: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;" />\n<h3 style="box-sizing: border-box; margin-bottom: 16px; margin-top: 24px; font-size: 1.25em; line-height: 1.25; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\';"><a id="user-content-bug-3" class="anchor" style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none; float: left; line-height: 1; margin-left: -20px; padding-right: 4px;" href="https://github.com/51r1u5/ctf_writeups/tree/master/Inctf_2018/messagebox#bug-3" aria-hidden="true"></a>Bug 3</h3>\n<pre style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; background-color: #f6f8fa; border-radius: 3px; line-height: 1.45; overflow: auto; padding: 16px; color: #24292e;"><code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; background: transparent; border-radius: 3px; margin: 0px; padding: 0px; border: 0px; word-break: normal; display: inline; line-height: inherit; overflow: visible; overflow-wrap: normal;">\nvoid view(char* user)\n{\n  int len;\n  int flag=0;\n  listdir();\n  for(int i=0; i < count ;i++)\n  {\n    len=strlen(user);\n    if(!strncmp(user, files[i], len))\n    {\n      readfile(files[i]);\n      flag=1;\n    }\n  }\n  if(!flag)\n    puts("No such user");\n}\n</code></pre>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">Another bug if we give empty username as input then strncmp("",files[i],0) is always 0.</p>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">exploit : <a style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none;" href="https://github.com/51r1u5/ctf_writeups/blob/master/Inctf_2018/messagebox/exp2.py">exp2.py</a></p>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">Patch : Simple patch can be user input must be some length.</p>\n<hr style="box-sizing: content-box; height: 0.25em; background: #e1e4e8; border: 0px; margin: 24px 0px; padding: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;" />\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">Here is the final bug and my favorite one</p>\n<h3 style="box-sizing: border-box; margin-bottom: 16px; margin-top: 24px; font-size: 1.25em; line-height: 1.25; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\';"><a id="user-content-bug-4-bufferoverflow" class="anchor" style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none; float: left; line-height: 1; margin-left: -20px; padding-right: 4px;" href="https://github.com/51r1u5/ctf_writeups/tree/master/Inctf_2018/messagebox#bug-4-bufferoverflow" aria-hidden="true"></a>Bug 4 (Bufferoverflow)</h3>\n<pre style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; background-color: #f6f8fa; border-radius: 3px; line-height: 1.45; overflow: auto; padding: 16px; color: #24292e;"><code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; background: transparent; border-radius: 3px; margin: 0px; padding: 0px; border: 0px; word-break: normal; display: inline; line-height: inherit; overflow: visible; overflow-wrap: normal;"></code></pre>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px;">void save(char* user)\n{\n  listdir(); //storing the list of files in the data directory in the global variable named files</p>\n<pre style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; background-color: #f6f8fa; border-radius: 3px; line-height: 1.45; overflow: auto; padding: 16px; color: #24292e;"><code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; background: transparent; border-radius: 3px; margin: 0px; padding: 0px; border: 0px; word-break: normal; display: inline; line-height: inherit; overflow: visible; overflow-wrap: normal;"></code></pre>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px;">  char* temp=(char*)malloc(50<em style="box-sizing: border-box;">sizeof(char)); //allocating 50 bytes on the heap.\n  bool</em> exist=(bool*)malloc(count*sizeof(bool)); //allocating n bytes on the heap, here n is number of files in the directory.</p>\n<pre style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; background-color: #f6f8fa; border-radius: 3px; line-height: 1.45; overflow: auto; padding: 16px; color: #24292e;"><code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; background: transparent; border-radius: 3px; margin: 0px; padding: 0px; border: 0px; word-break: normal; display: inline; line-height: inherit; overflow: visible; overflow-wrap: normal;"></code></pre>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px;">  int size=0;</p>\n<pre style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; background-color: #f6f8fa; border-radius: 3px; line-height: 1.45; overflow: auto; padding: 16px; color: #24292e;"><code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; background: transparent; border-radius: 3px; margin: 0px; padding: 0px; border: 0px; word-break: normal; display: inline; line-height: inherit; overflow: visible; overflow-wrap: normal;"></code></pre>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px;">  if(!check_existence(user,exist))\n  {\n    FILE *fp;\n    fp=fopen(user, "w");\n    printf("Enter size ( < 50): "); //wtf\n    size=getint();\n    if(size > = 50) // we need to somehow bypass this constraint\n    {\n      puts("Sorry, Your data is too big!");\n      exit(0);\n    }\n    printf("Enter input: ");\n    get_inp(temp, size);\n    fprintf(fp, "%s", temp);\n    fclose(fp);\n    puts("Input saved successfully.");\n  }</p>\n<pre style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; background-color: #f6f8fa; border-radius: 3px; line-height: 1.45; overflow: auto; padding: 16px; color: #24292e;"><code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; background: transparent; border-radius: 3px; margin: 0px; padding: 0px; border: 0px; word-break: normal; display: inline; line-height: inherit; overflow: visible; overflow-wrap: normal;"></code></pre>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px;">  else\n  {\n    puts("save: Permission denied. You can only view :- ");\n  }</p>\n<pre style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; background-color: #f6f8fa; border-radius: 3px; line-height: 1.45; overflow: auto; padding: 16px; color: #24292e;"><code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; background: transparent; border-radius: 3px; margin: 0px; padding: 0px; border: 0px; word-break: normal; display: inline; line-height: inherit; overflow: visible; overflow-wrap: normal;"></code></pre>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px;">  for(int i=0;i < count;i++)\n  {\n    if(exist[i])  //change the value of exist[i] other than 0, so we can read the files in the directory.\n    {\n      readfile(files[i]);\n    }\n  }</p>\n<pre style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; background-color: #f6f8fa; border-radius: 3px; line-height: 1.45; overflow: auto; padding: 16px; color: #24292e;"><code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; background: transparent; border-radius: 3px; margin: 0px; padding: 0px; border: 0px; word-break: normal; display: inline; line-height: inherit; overflow: visible; overflow-wrap: normal;"></code></pre>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px;">  return;\n}</p>\n<pre style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; margin-bottom: 16px; margin-top: 0px; overflow-wrap: normal; background-color: #f6f8fa; border-radius: 3px; line-height: 1.45; overflow: auto; padding: 16px; color: #24292e;"><code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; background: transparent; border-radius: 3px; margin: 0px; padding: 0px; border: 0px; word-break: normal; display: inline; line-height: inherit; overflow: visible; overflow-wrap: normal;">\n</code></pre>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px;"><code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 11.56px; background-color: transparent; border-radius: 3px; margin: 0px; padding: 0px; border: 0px; display: inline; line-height: inherit; overflow: visible; overflow-wrap: normal;"></code></p>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;"> </p>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">If you look at keenly, the allocation of <span style="box-sizing: border-box; font-weight: 600;">exist(bool)</span> is just after the allocation of <span style="box-sizing: border-box; font-weight: 600;">temp</span>. So overflowing temp, we can overwrite the exist array with any value other than 0.</p>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">There is a constrain that the size of temp must be < 50. So we can bypass this by giving size = -1 (0xffffffff).</p>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">Now we can use pwn tools to do the automation stuff.</p>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">exploit : <a style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none;" href="https://github.com/51r1u5/ctf_writeups/blob/master/Inctf_2018/messagebox/exp4.py">exp4.py</a></p>\n<p style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">Patch: It is just enough to change unsigned int to int in the getint function.</p>\n<p style="box-sizing: border-box; margin-top: 0px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px; margin-bottom: 0px !important;">😌</p>', 'messagebox (Attack and Defense)\nmessagebox is a tcp server which allows us to read and save files in directory named data.\n\nservice is running on port 5050\n\nActually, it asks username and read/write the file with that username.\n\n\n$ ./message\nEnter username: s1r1u5\n=======Menu======\n1. Save message\n2. View message\nYour choice: 1\nEnter size (<50): 30\nEnter input: Hello World\nInput saved successfully.\n\n\n$ ./message\nEnter username: s1r1u5\n=======Menu======\n1. Save message\n2. View message\nYour choice: 2\nHello World\n\nLet us start our search for finding the vulnerabilities...\n\nOh wait! Do we have to reverse engineer the binary? 😳 No, we got the source code there. 😌 Now our only task is to find the vulnerabilities in the source code message.c.\n\n\nvoid readfile(char* filename)\n{\n  char* ptr;\n  char* temp="cat ";\n  ptr=(char*)malloc(sizeof(char)*(strlen(temp)+strlen(filename)+1));\n  strcpy(ptr, temp);\n  strcat(ptr, filename);\n  system(ptr);\n  free(ptr);\n  printf("n");\n}\nAre you able to find any vulnerabilities there????\n\nYes, there it is cat and system call\n\nTo read the file called filename from the local directory it is using cat command. Here filename is nothing but the username which we have given.\n\nBug 1\nusername = *\n\nexploit : exp.py\n\nwhat if we give the username as *. It just read all the files in the current directory\n\nBug 2\nusername = *; sh\n\nexploit : exp3.py\n\n\ncat *; sh\n\nwe can get the shell by ending first command by ;\n\nPatch for above bugs : Rather than using dangerous system call, we can just read the files in the directory by file handling in C language.\n\nBug 3\n\nvoid view(char* user)\n{\n  int len;\n  int flag=0;\n  listdir();\n  for(int i=0; i < count ;i++)\n  {\n    len=strlen(user);\n    if(!strncmp(user, files[i], len))\n    {\n      readfile(files[i]);\n      flag=1;\n    }\n  }\n  if(!flag)\n    puts("No such user");\n}\nAnother bug if we give empty username as input then strncmp("",files[i],0) is always 0.\n\nexploit : exp2.py\n\nPatch : Simple patch can be user input must be some length.\n\nHere is the final bug and my favorite one\n\nBug 4 (Bufferoverflow)\n\nvoid save(char* user)\n{\n  listdir(); //storing the list of files in the data directory in the global variable named files\n\n\n  char* temp=(char*)malloc(50sizeof(char)); //allocating 50 bytes on the heap.\n  bool exist=(bool*)malloc(count*sizeof(bool)); //allocating n bytes on the heap, here n is number of files in the directory.\n\n\n  int size=0;\n\n\n  if(!check_existence(user,exist))\n  {\n    FILE *fp;\n    fp=fopen(user, "w");\n    printf("Enter size ( < 50): "); //wtf\n    size=getint();\n    if(size > = 50) // we need to somehow bypass this constraint\n    {\n      puts("Sorry, Your data is too big!");\n      exit(0);\n    }\n    printf("Enter input: ");\n    get_inp(temp, size);\n    fprintf(fp, "%s", temp);\n    fclose(fp);\n    puts("Input saved successfully.");\n  }\n\n\n  else\n  {\n    puts("save: Permission denied. You can only view :- ");\n  }\n\n\n  for(int i=0;i < count;i++)\n  {\n    if(exist[i])  //change the value of exist[i] other than 0, so we can read the files in the directory.\n    {\n      readfile(files[i]);\n    }\n  }\n\n\n  return;\n}\n\n\n\nIf you look at keenly, the allocation of exist(bool) is just after the allocation of temp. So overflowing temp, we can overwrite the exist array with any value other than 0.\n\nThere is a constrain that the size of temp must be < 50. So we can bypass this by giving size = -1 (0xffffffff).\n\nNow we can use pwn tools to do the automation stuff.\n\nexploit : exp4.py\n\nPatch: It is just enough to change unsigned int to int in the getint function.\n\n😌', '3d657b6e6efe5cfcd0a1ce1d85284f30', 'pwn', 'own', '2019-02-03 02:56:39', 1);
INSERT INTO `stories` (`story_id`, `user_id`, `title`, `story`, `plain_story`, `story_unique_hash`, `category`, `story_type`, `time`, `valid`) VALUES
(15, 1, 'authrw', '<h1 style="box-sizing: border-box; line-height: 1.25; border-bottom: 1px solid #eaecef; padding-bottom: 0.3em; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; margin: 0px !important 0px 16px 0px;">authrw</h1>\n<ul style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; padding-left: 2em; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">\n<li style="box-sizing: border-box;"><a style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none;" href="https://github.com/D1r3Wolf/InCTF-2018-Finals/tree/master/authrw-Crypto%20Challenge/authrw">authrw</a> is a <span style="box-sizing: border-box; font-weight: 600;">Crypto Challenge</span> given in InCTF-2018 Finals Attack and Defence</li>\n<li style="box-sizing: border-box; margin-top: 0.25em;">It uses the <code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; background-color: rgba(27, 31, 35, 0.05); border-radius: 3px; margin: 0px; padding: 0.2em 0.4em;">AES 128-bit CBC mode Encrytion</code>.<code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; background-color: rgba(27, 31, 35, 0.05); border-radius: 3px; margin: 0px; padding: 0.2em 0.4em;">IV(16 bytes)</code> is given in iv.txt but we have to <span style="box-sizing: border-box; font-weight: 600;">generate the key</span> using <a style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none;" href="https://github.com/D1r3Wolf/InCTF-2018-Finals/blob/master/authrw-Crypto%20Challenge/authrw/generate_key.py">generate_key.py</a> which takes the Team password as input.The generated Key is <code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; background-color: rgba(27, 31, 35, 0.05); border-radius: 3px; margin: 0px; padding: 0.2em 0.4em;">md5 hash of Team password</code>.</li>\n<li style="box-sizing: border-box; margin-top: 0.25em;"><span style="box-sizing: border-box; font-weight: 600;">It Runs a Crypto Service in which it has <code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; background-color: rgba(27, 31, 35, 0.05); border-radius: 3px; margin: 0px; padding: 0.2em 0.4em;">Login</code> and <code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; background-color: rgba(27, 31, 35, 0.05); border-radius: 3px; margin: 0px; padding: 0.2em 0.4em;">Register</code> services</span> <a style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none;" href="https://raw.githubusercontent.com/Ajay-Aj-00/Test/master/Images/1.png" target="_blank" rel="noopener noreferrer"><img style="box-sizing: content-box; border-style: none; max-width: 100%;" title="Service" src="https://raw.githubusercontent.com/Ajay-Aj-00/Test/master/Images/1.png" alt="Login,Register" /></a></li>\n</ul>\n<h3 style="box-sizing: border-box; margin-bottom: 16px; margin-top: 24px; font-size: 1.25em; line-height: 1.25; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\';"><a id="user-content-1---register" class="anchor" style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none; float: left; line-height: 1; margin-left: -20px; padding-right: 4px;" href="https://github.com/D1r3Wolf/InCTF-2018-Finals/tree/master/authrw-Crypto%20Challenge#1---register" aria-hidden="true"></a>1 - Register</h3>\n<div class="highlight highlight-source-python" style="box-sizing: border-box; margin-bottom: 16px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">\n<pre style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: normal; background-color: #f6f8fa; border-radius: 3px; line-height: 1.45; overflow: auto; padding: 16px; word-break: normal;">    <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">def</span> <span class="pl-en" style="box-sizing: border-box; color: #6f42c1;">register</span>(<span class="pl-smi" style="box-sizing: border-box;">username</span>):\n        <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">global</span> iv, key\n        username <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">=</span> <span class="pl-s" style="box-sizing: border-box; color: #032f62;"><span class="pl-pds" style="box-sizing: border-box;">"</span>username=<span class="pl-pds" style="box-sizing: border-box;">"</span></span> <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">+</span> username <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">+</span> <span class="pl-s" style="box-sizing: border-box; color: #032f62;"><span class="pl-pds" style="box-sizing: border-box;">"</span>:role=ordinary<span class="pl-pds" style="box-sizing: border-box;">"</span></span>\n        cookie <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">=</span> iv <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">+</span> _encrypt(username, iv, key)\n        <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">return</span> cookie.encode(<span class="pl-s" style="box-sizing: border-box; color: #032f62;"><span class="pl-pds" style="box-sizing: border-box;">"</span>hex<span class="pl-pds" style="box-sizing: border-box;">"</span></span>)</pre>\n</div>\n<ul style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; padding-left: 2em; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">\n<li style="box-sizing: border-box;">For the Register it asks the user for <span style="box-sizing: border-box; font-weight: 600;">username</span> (username != \'admin\')</li>\n<li style="box-sizing: border-box; margin-top: 0.25em;">Then it Encrypts the <code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; background-color: rgba(27, 31, 35, 0.05); border-radius: 3px; margin: 0px; padding: 0.2em 0.4em;">pad("username=input():role=ordinary")</code> with AES CBC 128-bit Encryption</li>\n<li style="box-sizing: border-box; margin-top: 0.25em;">After that It returns a cookie which is <code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; background-color: rgba(27, 31, 35, 0.05); border-radius: 3px; margin: 0px; padding: 0.2em 0.4em;">"IV+Cipher_text".encode(\'hex\')</code> <a style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none;" href="https://raw.githubusercontent.com/Ajay-Aj-00/Test/master/Images/R.png" target="_blank" rel="noopener noreferrer"><img style="box-sizing: content-box; border-style: none; max-width: 100%;" title="Register" src="https://raw.githubusercontent.com/Ajay-Aj-00/Test/master/Images/R.png" alt="Register" /></a></li>\n</ul>\n<blockquote style="box-sizing: border-box; margin: 0px 0px 16px; border-left: 0.25em solid #dfe2e5; color: #6a737d; padding: 0px 1em; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">\n<p style="box-sizing: border-box; margin-bottom: 0px; margin-top: 0px;">Analyze the cookie <a style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none;" href="https://raw.githubusercontent.com/Ajay-Aj-00/Test/master/Images/S.png" target="_blank" rel="noopener noreferrer"><img style="box-sizing: content-box; border-style: none; max-width: 100%;" title="Register" src="https://raw.githubusercontent.com/Ajay-Aj-00/Test/master/Images/S.png" alt="Register" /></a></p>\n</blockquote>\n<h3 style="box-sizing: border-box; margin-bottom: 16px; margin-top: 24px; font-size: 1.25em; line-height: 1.25; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\';"><a id="user-content-2---login" class="anchor" style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none; float: left; line-height: 1; margin-left: -20px; padding-right: 4px;" href="https://github.com/D1r3Wolf/InCTF-2018-Finals/tree/master/authrw-Crypto%20Challenge#2---login" aria-hidden="true"></a>2 - Login</h3>\n<div class="highlight highlight-source-python" style="box-sizing: border-box; margin-bottom: 16px; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">\n<pre style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: normal; background-color: #f6f8fa; border-radius: 3px; line-height: 1.45; overflow: auto; padding: 16px; word-break: normal;">    <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">def</span> <span class="pl-en" style="box-sizing: border-box; color: #6f42c1;">login</span>(<span class="pl-smi" style="box-sizing: border-box;">cookie</span>):\n        cookie <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">=</span> cookie.decode(<span class="pl-s" style="box-sizing: border-box; color: #032f62;"><span class="pl-pds" style="box-sizing: border-box;">"</span>hex<span class="pl-pds" style="box-sizing: border-box;">"</span></span>)\n        iv <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">=</span> cookie[:<span class="pl-c1" style="box-sizing: border-box; color: #005cc5;">16</span>]\n        <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">global</span> key\n        ciphertext <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">=</span> cookie[<span class="pl-c1" style="box-sizing: border-box; color: #005cc5;">16</span>:]\n        plaintext <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">=</span> _decrypt(ciphertext, iv, key)\n        plaintext <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">=</span> plaintext.split(<span class="pl-s" style="box-sizing: border-box; color: #032f62;"><span class="pl-pds" style="box-sizing: border-box;">"</span>:<span class="pl-pds" style="box-sizing: border-box;">"</span></span>)\n        <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">assert</span> <span class="pl-c1" style="box-sizing: border-box; color: #005cc5;">len</span>(plaintext) <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">==</span> <span class="pl-c1" style="box-sizing: border-box; color: #005cc5;">2</span>\n        <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">assert</span> plaintext[<span class="pl-c1" style="box-sizing: border-box; color: #005cc5;">0</span>][:<span class="pl-c1" style="box-sizing: border-box; color: #005cc5;">9</span>] <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">==</span> <span class="pl-s" style="box-sizing: border-box; color: #032f62;"><span class="pl-pds" style="box-sizing: border-box;">"</span>username=<span class="pl-pds" style="box-sizing: border-box;">"</span></span>\n        <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">assert</span> plaintext[<span class="pl-c1" style="box-sizing: border-box; color: #005cc5;">1</span>][:<span class="pl-c1" style="box-sizing: border-box; color: #005cc5;">5</span>] <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">==</span> <span class="pl-s" style="box-sizing: border-box; color: #032f62;"><span class="pl-pds" style="box-sizing: border-box;">"</span>role=<span class="pl-pds" style="box-sizing: border-box;">"</span></span>\n        <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">return</span> (plaintext[<span class="pl-c1" style="box-sizing: border-box; color: #005cc5;">0</span>][<span class="pl-c1" style="box-sizing: border-box; color: #005cc5;">9</span>:], plaintext[<span class="pl-c1" style="box-sizing: border-box; color: #005cc5;">1</span>][<span class="pl-c1" style="box-sizing: border-box; color: #005cc5;">5</span>:])\n        <span class="pl-c1" style="box-sizing: border-box; color: #005cc5;">print</span> colors.red <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">+</span> <span class="pl-s" style="box-sizing: border-box; color: #032f62;"><span class="pl-pds" style="box-sizing: border-box;">"</span>[-] Invalid cookie!<span class="pl-pds" style="box-sizing: border-box;">"</span></span> <span class="pl-k" style="box-sizing: border-box; color: #d73a49;">+</span> colors.reset</pre>\n</div>\n<ul style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; padding-left: 2em; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">\n<li style="box-sizing: border-box;">For the Login it asks for cookie(Provided after registration)</li>\n<li style="box-sizing: border-box; margin-top: 0.25em;">Then It Decrypts it , unpad it >> <code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; background-color: rgba(27, 31, 35, 0.05); border-radius: 3px; margin: 0px; padding: 0.2em 0.4em;">username=(username):role=ordinary</code> and It parses the string and saves username and role in user , role variables</li>\n</ul>\n<blockquote style="box-sizing: border-box; margin: 0px 0px 16px; border-left: 0.25em solid #dfe2e5; color: #6a737d; padding: 0px 1em; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">\n<p style="box-sizing: border-box; margin-bottom: 0px; margin-top: 0px;">After All these There are Three conditions to check the <code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; background-color: rgba(27, 31, 35, 0.05); border-radius: 3px; margin: 0px; padding: 0.2em 0.4em;">user,role values</code><br style="box-sizing: border-box;" />1 <code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; background-color: rgba(27, 31, 35, 0.05); border-radius: 3px; margin: 0px; padding: 0.2em 0.4em;">user==\'admin\' and role==\'ordinary\'</code><br style="box-sizing: border-box;" />2 <code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; background-color: rgba(27, 31, 35, 0.05); border-radius: 3px; margin: 0px; padding: 0.2em 0.4em;">user==\'admin\' and role==\'admin\'</code><br style="box-sizing: border-box;" />3 <code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; background-color: rgba(27, 31, 35, 0.05); border-radius: 3px; margin: 0px; padding: 0.2em 0.4em;">else condition:</code></p>\n</blockquote>\n<ul style="box-sizing: border-box; margin-bottom: 16px; margin-top: 0px; padding-left: 2em; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">\n<li style="box-sizing: border-box;">Here Comes the Problem We cant give the \'admin\' as username while registering Then we cant get user as \'admin\' after decryption so we move to else condition.</li>\n<li style="box-sizing: border-box; margin-top: 0.25em;">But they have some Vullnerabilities. See the Below links(<code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: 13.6px; background-color: rgba(27, 31, 35, 0.05); border-radius: 3px; margin: 0px; padding: 0.2em 0.4em;">Exploiting the Vulnerabilities</code>)</li>\n</ul>\n<blockquote style="box-sizing: border-box; margin: 0px 0px 16px; border-left: 0.25em solid #dfe2e5; color: #6a737d; padding: 0px 1em; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px;">\n<p style="box-sizing: border-box; margin-bottom: 0px; margin-top: 0px;">In Those 3 conditions<br style="box-sizing: border-box;" />1 Provides us Reading rights of Flag(<a style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none;" href="https://github.com/D1r3Wolf/InCTF-2018-Finals/tree/master/authrw-Crypto%20Challenge/authR_Exploit">Reading authorization</a>)<br style="box-sizing: border-box;" />2 Provides us Writing rights of Flag(<a style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none;" href="https://github.com/D1r3Wolf/InCTF-2018-Finals/tree/master/authrw-Crypto%20Challenge/authW_Exploit">Writing authorization</a>)</p>\n</blockquote>\n<h2 style="box-sizing: border-box; margin-bottom: 16px; margin-top: 24px; line-height: 1.25; border-bottom: 1px solid #eaecef; padding-bottom: 0.3em; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\';"><a id="user-content-now-the-name-authrw-is-making-sense-authrization-for-reading-and-writing" class="anchor" style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none; float: left; line-height: 1; margin-left: -20px; padding-right: 4px;" href="https://github.com/D1r3Wolf/InCTF-2018-Finals/tree/master/authrw-Crypto%20Challenge#now-the-name-authrw-is-making-sense-authrization-for-reading-and-writing" aria-hidden="true"></a>Now the name <code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: inherit; background-color: rgba(27, 31, 35, 0.05); border-radius: 3px; margin: 0px; padding: 0.2em 0.4em;">authrw</code> is making sense <code style="box-sizing: border-box; font-family: SFMono-Regular, Consolas, \'Liberation Mono\', Menlo, Courier, monospace; font-size: inherit; background-color: rgba(27, 31, 35, 0.05); border-radius: 3px; margin: 0px; padding: 0.2em 0.4em;">authrization for Reading and Writing</code></h2>\n<ul style="box-sizing: border-box; margin-top: 0px; padding-left: 2em; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Helvetica, Arial, sans-serif, \'Apple Color Emoji\', \'Segoe UI Emoji\', \'Segoe UI Symbol\'; font-size: 16px; margin-bottom: 0px !important;">\n<li style="box-sizing: border-box;">Defending our services is also important. So we have to <a style="box-sizing: border-box; background-color: transparent; color: #0366d6; text-decoration-line: none;" href="https://github.com/D1r3Wolf/InCTF-2018-Finals/tree/master/authrw-Crypto%20Challenge/patch">patch</a> the Vulnerabilities.</li>\n</ul>', 'authrw\nauthrw is a Crypto Challenge given in InCTF-2018 Finals Attack and Defence\nIt uses the AES 128-bit CBC mode Encrytion.IV(16 bytes) is given in iv.txt but we have to generate the key using generate_key.py which takes the Team password as input.The generated Key is md5 hash of Team password.\nIt Runs a Crypto Service in which it has Login and Register services \n1 - Register\n    def register(username):\n        global iv, key\n        username = "username=" + username + ":role=ordinary"\n        cookie = iv + _encrypt(username, iv, key)\n        return cookie.encode("hex")\nFor the Register it asks the user for username (username != \'admin\')\nThen it Encrypts the pad("username=input():role=ordinary") with AES CBC 128-bit Encryption\nAfter that It returns a cookie which is "IV+Cipher_text".encode(\'hex\') \nAnalyze the cookie \n\n2 - Login\n    def login(cookie):\n        cookie = cookie.decode("hex")\n        iv = cookie[:16]\n        global key\n        ciphertext = cookie[16:]\n        plaintext = _decrypt(ciphertext, iv, key)\n        plaintext = plaintext.split(":")\n        assert len(plaintext) == 2\n        assert plaintext[0][:9] == "username="\n        assert plaintext[1][:5] == "role="\n        return (plaintext[0][9:], plaintext[1][5:])\n        print colors.red + "[-] Invalid cookie!" + colors.reset\nFor the Login it asks for cookie(Provided after registration)\nThen It Decrypts it , unpad it >> username=(username):role=ordinary and It parses the string and saves username and role in user , role variables\nAfter All these There are Three conditions to check the user,role values\n1 user==\'admin\' and role==\'ordinary\'\n2 user==\'admin\' and role==\'admin\'\n3 else condition:\n\nHere Comes the Problem We cant give the \'admin\' as username while registering Then we cant get user as \'admin\' after decryption so we move to else condition.\nBut they have some Vullnerabilities. See the Below links(Exploiting the Vulnerabilities)\nIn Those 3 conditions\n1 Provides us Reading rights of Flag(Reading authorization)\n2 Provides us Writing rights of Flag(Writing authorization)\n\nNow the name authrw is making sense authrization for Reading and Writing\nDefending our services is also important. So we have to patch the Vulnerabilities.', '571f4ece86a967e3530ef0137c8e259f', 'crypto', 'own', '2019-02-03 03:03:35', 1);
INSERT INTO `stories` (`story_id`, `user_id`, `title`, `story`, `plain_story`, `story_unique_hash`, `category`, `story_type`, `time`, `valid`) VALUES
(16, 28, 'Basic Forensics', '<h1>Forensics Writeup:</h1>\n<p>Here Are The Writeups Of Five Forensics Challenges From InvaderCTF</p>\n<h1> </h1>\n<h1>1. Easy Peasy (150)</h1>\n<h2> </h2>\n<h2>Don\'t Mess The Things Up...!</h2>\n<p>In This Challenge You\'ll Find A QR Code.Scan QR Code.</p>\n<p>After Scanning The QR Code We\'ll Get: "w3lc0m3_70_1nVd3r_CtFstrings challenge.png"</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51113676-d0a8e980-1828-11e9-8005-931a40a131a9.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51113676-d0a8e980-1828-11e9-8005-931a40a131a9.png" alt="screenshot from 2019-01-14 18-06-52" /></a></p>\n<p>But Actually Here There Is A Main Hint "Strings".Strings Is a Linux Command Which will Give Us All Readable Strings In That Image</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51114044-1fa34e80-182a-11e9-867a-a75b6019d9e7.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51114044-1fa34e80-182a-11e9-867a-a75b6019d9e7.png" alt="screenshot from 2019-01-14 18-07-19" /></a></p>\n<p>Something Is Weird Right...! Actually It Is Base32 Encoding,So Simply Decoding It Gives You The Flag</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51114062-2cc03d80-182a-11e9-8637-ea1931525d99.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51114062-2cc03d80-182a-11e9-8637-ea1931525d99.png" alt="screenshot from 2019-01-14 18-08-03" /></a></p>\n<p>Flag: \'invader{345y_P34sY_l3m0n_Squ33zy!!}\'</p>\n<p>.Simplest Challenge.But This Challenge Has Got Many Wrong Submissions.....Lol :)</p>\n<h1> </h1>\n<h1>Dirty Room (100)</h1>\n<p>In This Challenge Linux Users Will Face Extraction Problem, Actually It Was An Intended One, I Changed Magical Numbers Of Zip File.</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51114909-b2dd8380-182c-11e9-9874-b3cbbb217db5.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51114909-b2dd8380-182c-11e9-9874-b3cbbb217db5.png" alt="screenshot from 2019-01-14 18-36-09" /></a></p>\n<p>So, Inorder to Extract It You\'ve To Change "11 91" with "50 4B" (Magical Numbers Of Zip File: 50 4B 03 04),SO after Changing Magical Numbers You Can Extract The Zip.</p>\n<p>After Unzipping you\'ll Find Some Random Images, Among Those U Can See A Password. Now We\'ve The Password,But What To Do With That.</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51114919-bb35be80-182c-11e9-9b81-9c6741dbe6aa.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51114919-bb35be80-182c-11e9-9b81-9c6741dbe6aa.png" alt="screenshot from 2019-01-14 18-38-22" /></a></p>\n<p>If U Can Observe Clearly There Is An Image(\'maxeresdefault(1).jpeg\') Which Doesn\'t Showup. Using Linux Command "File" We Can Find The Type Of File <a href="https://user-images.githubusercontent.com/46676598/51114933-c688ea00-182c-11e9-85f7-e258bc4cda74.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51114933-c688ea00-182c-11e9-85f7-e258bc4cda74.png" alt="screenshot from 2019-01-14 18-44-05" /></a></p>\n<p>Woww...! It\'s A Zip File.Change Image Extension "jpeg" To "zip".</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51114941-cd176180-182c-11e9-9527-7ba2226566cc.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51114941-cd176180-182c-11e9-9527-7ba2226566cc.png" alt="screenshot from 2019-01-14 18-44-12" /></a></p>\n<p>Now Try to Unzip The File. It\'ll Prompt For Password.Hey...! We\'ve A Password Right? Enter The Password, You\'ll Get The Flag :)</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51114952-d4d70600-182c-11e9-838d-2070748181bc.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51114952-d4d70600-182c-11e9-838d-2070748181bc.png" alt="screenshot from 2019-01-14 18-45-00" /></a></p>\n<p>Flag : \'invader{1_l0v3_f1l3_f0r3n51c5}\'</p>\n<h1> </h1>\n<h1>Dig Deeper (300)</h1>\n<p>In This Challenge You\'ll Have An Image With A Hint</p>\n<h1> </h1>\n<h1>Hint</h1>\n<p>we use "nopassword" to dig more...............</p>\n<p>Now We\'ve A Password "nopassword", And We\'ve An Image.</p>\n<p>So Try Steganography(It Is An Art Of Hiding Data)</p>\n<p>We\'ve Many Online Tools For Steganography. But I\'ve Steghide.</p>\n<p>So Trying Steghide Will Give U A File Named "Flag.txt". But Inside You\'ll Find "You can\'t find flag here.Better dig once again" Sorry Just For Fun :)</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51116548-73656600-1831-11e9-8362-9d36d39bba9c.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51116548-73656600-1831-11e9-8362-9d36d39bba9c.png" alt="screenshot from 2019-01-14 19-11-05" /></a></p>\n<p>So There Trying Strings, And Other Commands Will Leave U No Clue.So There Is Nothing Inside</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51116550-73fdfc80-1831-11e9-9fce-94783421db02.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51116550-73fdfc80-1831-11e9-9fce-94783421db02.png" alt="screenshot from 2019-01-14 19-13-24" /></a></p>\n<p>Try to Analyse The Given Zip File. Using Binwalk(Linux Command To Show Embedded Files In A File) You\'ll Find An Image. (Command: binwalk Challenge3.zip)</p>\n<p>Now Try To Extract Image (Command: binwalk --dd=\'.*\' Challenge3.zip).</p>\n<p>Now Try Steganography On This Image With Given Password.</p>\n<p>You\'ll Get Flag.txt, containing "Yeah Man...! You nailed it You Deserve The Flag. Here You Are Link:<a href="https://drive.google.com/open?id=12OMTbBiJ0oXsukdcnypE_S3mlqBgN9NU" rel="nofollow">https://drive.google.com/open?id=12OMTbBiJ0oXsukdcnypE_S3mlqBgN9NU</a>"</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51116556-76f8ed00-1831-11e9-8346-5848e60024b7.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51116556-76f8ed00-1831-11e9-8346-5848e60024b7.png" alt="screenshot from 2019-01-14 19-14-41" /></a></p>\n<p>Using Link We\'ll Get Flag</p>\n<p>Flag : invader{W3LCoM3_70_F0r3N51C5}</p>\n<h1> </h1>\n<h1>Long Walk To Freedom</h1>\n<p>We\'ve An Audio File & Image</p>\n<p>Search For Audio Forensics.You\'ll Find Many Tools & Now I\'ll be using Audacity.</p>\n<p>Open Audio File With Audacity.You\'ll get Waveform Of Audio</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51118752-1ff61680-1837-11e9-8878-5aa80b9a282d.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51118752-1ff61680-1837-11e9-8878-5aa80b9a282d.png" alt="screenshot from 2019-01-14 19-47-58" /></a></p>\n<p>Change It To Spectrogram.</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51118754-208ead00-1837-11e9-894f-e11535261b0c.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51118754-208ead00-1837-11e9-894f-e11535261b0c.png" alt="screenshot from 2019-01-14 19-48-17" /></a></p>\n<p>"5h1zuk4_143" (Shizuka_143)...A Password It Seems.We\'ve An Image Too.Soo Try Steganograpy</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51120364-ecb58680-183a-11e9-88e3-d42324c16751.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51120364-ecb58680-183a-11e9-88e3-d42324c16751.png" alt="screenshot from 2019-01-14 19-51-51" /></a></p>\n<p>Wow ....! It Returned Redirect.txt & We\'ve A Mediafire Link,It Gives Us "Nobitha.mp3"</p>\n<p>Listen To It Once,This Sound Indicates Morse Code In It.</p>\n<p>We\'ve A Online Decoder : \'<a href="https://morsecode.scphillips.com/labs/audio-decoder-adaptive/" rel="nofollow">https://morsecode.scphillips.com/labs/audio-decoder-adaptive/</a>\'</p>\n<p>Upload Audio & Play.</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51118756-21274380-1837-11e9-9486-ccdab4ff11e5.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51118756-21274380-1837-11e9-9486-ccdab4ff11e5.png" alt="screenshot from 2019-01-14 19-55-10" /></a></p>\n<p>Decoded Text Is Full Of \'A\' & \'B\'. Search For Ciphers With \'A\' & \'B\'.</p>\n<p>"Baconian Cipher"</p>\n<p>Exclude "QWZXWEDC" And Decode It. Link: "<a href="http://rumkin.com/tools/cipher/baconian.php" rel="nofollow">http://rumkin.com/tools/cipher/baconian.php</a>"</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51118757-21bfda00-1837-11e9-916d-6a05f23d0a93.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51118757-21bfda00-1837-11e9-916d-6a05f23d0a93.png" alt="screenshot from 2019-01-14 19-56-11" /></a></p>\n<p>Flag : invader{YOUHAVEGREATPATIENCE}</p>\n<h1> </h1>\n<h1>Brain WhiteWash (550)</h1>\n<p>Really Cool Challenge :)</p>\n<p>We are Provided With A Zip File & Hint</p>\n<h1> </h1>\n<h1>Hint :</h1>\n<p>This Time A Little Bit Crypto :) Cipher Text: kyreb5wfiaf1exfli7urpvmvek4euefntfdzexk0tyrcc3exvefvhlrcjpdsfcjaljkgrjjnfiuzjtrktyd331wlt4ee==</p>\n<p>It Is "Caeser Cipher With Shift 17" & Zip Password : "catchm331fuc4nn"</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51125635-1379ba00-1847-11e9-9604-f27691bf1896.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51125635-1379ba00-1847-11e9-9604-f27691bf1896.png" alt="screenshot from 2019-01-14 21-45-50" /></a> Extract The Zip With Decoded Password. Inside You\'ll Find Three Files "Chal.png" Which Is Useless(Use Strings & you Can Find Waste Many A Times) , "MainHint.txt" Which Is Full Of Binaries & Finally "No Security In This World".</p>\n<p>Consider "MainHint.txt".Use LSB(Least Significant Bits Of Each Binary) And Decode It.</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51125650-15dc1400-1847-11e9-85de-aed2336f946b.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51125650-15dc1400-1847-11e9-85de-aed2336f946b.png" alt="screenshot from 2019-01-14 21-53-56" /></a></p>\n<p>Code For Decoding</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51125636-14125080-1847-11e9-8c1b-aab6d1390c79.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51125636-14125080-1847-11e9-8c1b-aab6d1390c79.png" alt="screenshot from 2019-01-14 21-50-09" /></a></p>\n<p>Woww...! "snowstegisawesome".</p>\n<p>I Guess It Is Related To Snow Steganography.</p>\n<p>Then What About The Other File...?</p>\n<p>Run Binwalk. You\'ll Find A JPEG File Extract It. <a href="https://user-images.githubusercontent.com/46676598/51125639-14125080-1847-11e9-95e0-a2cdb30930f8.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51125639-14125080-1847-11e9-95e0-a2cdb30930f8.png" alt="screenshot from 2019-01-14 21-50-53" /></a></p>\n<p>But This Time We Only Have Image Bt No Password..... :(</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51125641-14125080-1847-11e9-8699-415955c33c84.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51125641-14125080-1847-11e9-8699-415955c33c84.png" alt="screenshot from 2019-01-14 21-51-59" /></a></p>\n<p>Wait..! What Was The File Name "No Security In This World". I Guess There Is no Password.</p>\n<p>Yeah Extracted Hint File. <a href="https://user-images.githubusercontent.com/46676598/51125644-14aae700-1847-11e9-87a7-cd4c85cb1e96.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51125644-14aae700-1847-11e9-87a7-cd4c85cb1e96.png" alt="screenshot from 2019-01-14 21-52-24" /></a> In The Begining I Thought It Was Empty. <a href="https://user-images.githubusercontent.com/46676598/51125645-14aae700-1847-11e9-9c25-9b0cb04a9d31.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51125645-14aae700-1847-11e9-9c25-9b0cb04a9d31.png" alt="screenshot from 2019-01-14 21-52-43" /></a> But In The End We\'ve A Clue.Which Won\'t Help Us.</p>\n<p>Hold on...! Challenge Name "Brain WhiteWash" Right....</p>\n<p>Yeah If u Have Really Enquired Abt Stegsnow,You Could Easily Find It Out What It Is.It Is White Space Steganography</p>\n<p>See This Is White Space Stego.Really The Best Stego Ever.</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51125646-15437d80-1847-11e9-9410-3b10a3a96180.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51125646-15437d80-1847-11e9-9410-3b10a3a96180.png" alt="screenshot from 2019-01-14 21-52-52" /></a></p>\n<p>Using Snow Steg & Password We can Retreive The Flag.</p>\n<p><a href="https://user-images.githubusercontent.com/46676598/51125648-15437d80-1847-11e9-9623-b6be3f8c22de.png" target="_blank" rel="noopener noreferrer"><img style="max-width: 100%;" src="https://user-images.githubusercontent.com/46676598/51125648-15437d80-1847-11e9-9623-b6be3f8c22de.png" alt="screenshot from 2019-01-14 21-53-32" /></a></p>\n<p>Flag: \'invader{W0W_Y0u_h4v3_gr34t_futur3}\'</p>', 'Forensics Writeup:\n\nHere Are The Writeups Of Five Forensics Challenges From InvaderCTF\n\n1. Easy Peasy (150)\nDon\'t Mess The Things Up...!\n\nIn This Challenge You\'ll Find A QR Code.Scan QR Code.\n\nAfter Scanning The QR Code We\'ll Get: "w3lc0m3_70_1nVd3r_CtFstrings challenge.png"\n\nBut Actually Here There Is A Main Hint "Strings".Strings Is a Linux Command Which will Give Us All Readable Strings In That Image\n\nSomething Is Weird Right...! Actually It Is Base32 Encoding,So Simply Decoding It Gives You The Flag\n\nFlag: \'invader{345y_P34sY_l3m0n_Squ33zy!!}\'\n\n.Simplest Challenge.But This Challenge Has Got Many Wrong Submissions.....Lol :)\n\nDirty Room (100)\n\nIn This Challenge Linux Users Will Face Extraction Problem, Actually It Was An Intended One, I Changed Magical Numbers Of Zip File.\n\nSo, Inorder to Extract It You\'ve To Change "11 91" with "50 4B" (Magical Numbers Of Zip File: 50 4B 03 04),SO after Changing Magical Numbers You Can Extract The Zip.\n\nAfter Unzipping you\'ll Find Some Random Images, Among Those U Can See A Password. Now We\'ve The Password,But What To Do With That.\n\nIf U Can Observe Clearly There Is An Image(\'maxeresdefault(1).jpeg\') Which Doesn\'t Showup. Using Linux Command "File" We Can Find The Type Of File \n\nWoww...! It\'s A Zip File.Change Image Extension "jpeg" To "zip".\n\nNow Try to Unzip The File. It\'ll Prompt For Password.Hey...! We\'ve A Password Right? Enter The Password, You\'ll Get The Flag :)\n\nFlag : \'invader{1_l0v3_f1l3_f0r3n51c5}\'\n\nDig Deeper (300)\n\nIn This Challenge You\'ll Have An Image With A Hint\n\nHint\n\nwe use "nopassword" to dig more...............\n\nNow We\'ve A Password "nopassword", And We\'ve An Image.\n\nSo Try Steganography(It Is An Art Of Hiding Data)\n\nWe\'ve Many Online Tools For Steganography. But I\'ve Steghide.\n\nSo Trying Steghide Will Give U A File Named "Flag.txt". But Inside You\'ll Find "You can\'t find flag here.Better dig once again" Sorry Just For Fun :)\n\nSo There Trying Strings, And Other Commands Will Leave U No Clue.So There Is Nothing Inside\n\nTry to Analyse The Given Zip File. Using Binwalk(Linux Command To Show Embedded Files In A File) You\'ll Find An Image. (Command: binwalk Challenge3.zip)\n\nNow Try To Extract Image (Command: binwalk --dd=\'.*\' Challenge3.zip).\n\nNow Try Steganography On This Image With Given Password.\n\nYou\'ll Get Flag.txt, containing "Yeah Man...! You nailed it You Deserve The Flag. Here You Are Link:https://drive.google.com/open?id=12OMTbBiJ0oXsukdcnypE_S3mlqBgN9NU"\n\nUsing Link We\'ll Get Flag\n\nFlag : invader{W3LCoM3_70_F0r3N51C5}\n\nLong Walk To Freedom\n\nWe\'ve An Audio File & Image\n\nSearch For Audio Forensics.You\'ll Find Many Tools & Now I\'ll be using Audacity.\n\nOpen Audio File With Audacity.You\'ll get Waveform Of Audio\n\nChange It To Spectrogram.\n\n"5h1zuk4_143" (Shizuka_143)...A Password It Seems.We\'ve An Image Too.Soo Try Steganograpy\n\nWow ....! It Returned Redirect.txt & We\'ve A Mediafire Link,It Gives Us "Nobitha.mp3"\n\nListen To It Once,This Sound Indicates Morse Code In It.\n\nWe\'ve A Online Decoder : \'https://morsecode.scphillips.com/labs/audio-decoder-adaptive/\'\n\nUpload Audio & Play.\n\nDecoded Text Is Full Of \'A\' & \'B\'. Search For Ciphers With \'A\' & \'B\'.\n\n"Baconian Cipher"\n\nExclude "QWZXWEDC" And Decode It. Link: "http://rumkin.com/tools/cipher/baconian.php"\n\nFlag : invader{YOUHAVEGREATPATIENCE}\n\nBrain WhiteWash (550)\n\nReally Cool Challenge :)\n\nWe are Provided With A Zip File & Hint\n\nHint :\n\nThis Time A Little Bit Crypto :) Cipher Text: kyreb5wfiaf1exfli7urpvmvek4euefntfdzexk0tyrcc3exvefvhlrcjpdsfcjaljkgrjjnfiuzjtrktyd331wlt4ee==\n\nIt Is "Caeser Cipher With Shift 17" & Zip Password : "catchm331fuc4nn"\n\n Extract The Zip With Decoded Password. Inside You\'ll Find Three Files "Chal.png" Which Is Useless(Use Strings & you Can Find Waste Many A Times) , "MainHint.txt" Which Is Full Of Binaries & Finally "No Security In This World".\n\nConsider "MainHint.txt".Use LSB(Least Significant Bits Of Each Binary) And Decode It.\n\nCode For Decoding\n\nWoww...! "snowstegisawesome".\n\nI Guess It Is Related To Snow Steganography.\n\nThen What About The Other File...?\n\nRun Binwalk. You\'ll Find A JPEG File Extract It. \n\nBut This Time We Only Have Image Bt No Password..... :(\n\nWait..! What Was The File Name "No Security In This World". I Guess There Is no Password.\n\nYeah Extracted Hint File.  In The Begining I Thought It Was Empty.  But In The End We\'ve A Clue.Which Won\'t Help Us.\n\nHold on...! Challenge Name "Brain WhiteWash" Right....\n\nYeah If u Have Really Enquired Abt Stegsnow,You Could Easily Find It Out What It Is.It Is White Space Steganography\n\nSee This Is White Space Stego.Really The Best Stego Ever.\n\nUsing Snow Steg & Password We can Retreive The Flag.\n\nFlag: \'invader{W0W_Y0u_h4v3_gr34t_futur3}\'', '7fe6c3f642b229faa8994e31674c2df0', 'forensics', 'own', '2019-02-03 03:12:35', 1);

-- --------------------------------------------------------

--
-- Table structure for table `stories_complaints`
--

CREATE TABLE `stories_complaints` (
  `complaint_user_id` int(11) NOT NULL,
  `story_id` int(11) NOT NULL,
  `story_user_id` int(11) NOT NULL,
  `status` tinyint(1) NOT NULL DEFAULT '0',
  `time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

-- --------------------------------------------------------

--
-- Table structure for table `story_categories`
--

CREATE TABLE `story_categories` (
  `story_id` int(11) NOT NULL,
  `category` varchar(100) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

--
-- Dumping data for table `story_categories`
--

INSERT INTO `story_categories` (`story_id`, `category`) VALUES
(7, 'crypto'),
(8, 'web'),
(9, 'pwn'),
(10, 're'),
(11, 'forensics'),
(12, 'misc'),
(13, 'pro'),
(14, 'pwn'),
(14, 're'),
(15, 'crypto'),
(16, 'forensics');

-- --------------------------------------------------------

--
-- Table structure for table `users`
--

CREATE TABLE `users` (
  `user_id` int(11) NOT NULL,
  `user_name` varchar(100) NOT NULL,
  `user_email` varchar(100) NOT NULL,
  `user_image` varchar(200) DEFAULT 'user.png',
  `password` varchar(100) NOT NULL,
  `signup_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  `is_active` tinyint(1) NOT NULL DEFAULT '0',
  `score` int(11) NOT NULL DEFAULT '0'
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

--
-- Dumping data for table `users`
--

INSERT INTO `users` (`user_id`, `user_name`, `user_email`, `user_image`, `password`, `signup_time`, `is_active`, `score`) VALUES
(1, 'KasiReddy', 'duggempudi111@gmail.com', 'user.png', '2f40377ad146ed9c6633b677fc5ef84f', '2018-09-17 04:02:54', 0, 300),
(2, 'n', '12@gmail.com', 'user.png', '25d55ad283aa400af464c76d713c07ad', '2018-09-17 06:24:49', 0, 0),
(3, 'MVSatyam', 'mvsatyam606@gmail.com', 'user.png', '54a63d968cfefd373f0fd57e7f196218', '2018-09-17 08:47:29', 0, 0),
(4, 'Satya', 'rudrarajusatyavarma@gmail.com', 'a87ff679a2f3e71d9181a67b7542122c_o.jpg', 'e6f5017b6c1335d758889951c6ebc888', '2018-09-17 10:47:03', 0, 0),
(5, 'ajay', 'n141011@rguktn.ac.in', 'user.png', '25d55ad283aa400af464c76d713c07ad', '2018-09-17 11:02:35', 0, 0),
(6, 'Vinod', 'vinodyedla678@gmail.com', 'user.png', '4e5faacf52291871fe6a5aeec38e1f2b', '2018-09-17 15:04:01', 0, 0),
(7, 'swetha', 'tswetha352@gmal.com', 'user.png', 'e1a0bff1cce68eac85e42942c5dda564', '2018-09-17 15:27:13', 0, 0),
(8, 'swetha', 'tswetha352@gmail.com', 'user.png', 'e1a0bff1cce68eac85e42942c5dda564', '2018-09-17 15:30:02', 0, 0),
(9, 'Gayathri', 'gaya.amma@gmail.com', 'user.png', 'a7761de0787dd387f1ba2dc5bb886629', '2018-09-17 15:52:49', 0, 0),
(10, 'nagamanikanta', 'manichummadi747@gmail.com', 'user.png', '7d4b0081ce4ecc2c4c6f4a587d42d61c', '2018-09-18 04:53:44', 0, 0),
(11, 'deekshitha', 'deekshiatti@gmail.com', 'user.png', '02760c718327079efab31b2104d959d4', '2018-09-18 06:09:27', 0, 0),
(12, 'Ameena', 'shaikameena333@gmail.com', 'user.png', '04eb7829189876000b38e4e6be29190c', '2018-09-18 06:37:07', 0, 0),
(13, 'vinodkumar', 'vinodkumarmuppera@gmail.com', 'user.png', 'f2d026a241aba6ee7b97e655e935db94', '2018-09-18 08:02:43', 0, 0),
(14, 'lucky', 'lucky@gmail.com', 'user.png', '25d55ad283aa400af464c76d713c07ad', '2018-09-18 16:20:50', 0, 0),
(15, 'Niranjan', 'niranjangottam199221@gmail.com', 'user.png', '2ae29d4b7a3ba90ada8bfb95e2a8d852', '2018-09-19 11:33:02', 0, 0),
(16, 'Devdatta supnekar', 'devdattasupnekar.ds@gmail.com', 'user.png', '256d957c7aa7b9b3aa4e15dfa6f131b0', '2018-09-21 14:04:23', 0, 0),
(17, 'jagadesh', 'jagasdsadfdffa@gmail.com', 'user.png', '6f527af6690c57d0283d87350ce03c29', '2018-09-30 19:16:53', 0, 0),
(18, 'jagadesh', 'jagadesh1@gmail.com', 'user.png', '6f527af6690c57d0283d87350ce03c29', '2018-09-30 19:17:33', 0, 0),
(19, 'sri harsha', 'harsha.surapaneni11@gmail.com', 'user.png', '724126829bc4b9a571575354f917c9c6', '2018-10-03 09:06:05', 0, 0),
(20, 'Pravallika', 'pravallika1@gmail.com', 'user.png', '801eaa465392e41d95807b11811338f1', '2018-10-03 10:26:17', 0, 0),
(21, 'RevanthKumar', 'revanth1@gmail.com', 'user.png', '4c39b062e6f79792fa91c3d7ddf07b18', '2018-10-03 10:40:38', 0, 0),
(22, 'Ragavendra', 'ragavendra1@gmail.com', 'user.png', 'e0e1d1b118aaa99b43e8c4e84dad89d2', '2018-10-03 10:48:27', 0, 0),
(23, 'Mohan srk', 'pedhapatimohansrirammakrishna@gmail.com', 'user.png', 'f1f7d48b1dc306ae10601b42b317d90e', '2018-10-04 11:51:39', 0, 0),
(24, 'Kanti Reddy', 'kntirmy9@gmail.com', 'user.png', '3bfbecaab2c3f7421513f6daa21a7648', '2018-10-19 18:47:14', 0, 0),
(25, 'Rathod Srinu', 'srinusrinivas847@gmail.com', 'user.png', '4e2e41f68681936c6f9a4788f1e0604e', '2018-11-10 01:07:15', 0, 0),
(26, 'Davidson', 'harish.eagle623@gmail.com', 'user.png', '4175d86b85ceaeda14e35ff83caa105a', '2018-11-11 05:12:12', 0, 0),
(27, 'sravan', 'sravan@gmail.com', 'user.png', '2f4cad9a71db95765f9b5c27c378aadf', '2019-02-02 17:21:20', 0, 900),
(28, 's1r1u5', 'n151140@rguktn.ac.in', 'user.png', 'b04d96ea22a25aae1e11a5f7d58d5ea1', '2019-02-03 01:34:38', 0, 300);

-- --------------------------------------------------------

--
-- Table structure for table `views`
--

CREATE TABLE `views` (
  `story_id` int(11) NOT NULL,
  `user_id` int(11) NOT NULL,
  `time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

--
-- Dumping data for table `views`
--

INSERT INTO `views` (`story_id`, `user_id`, `time`) VALUES
(5, 27, '2019-02-02 18:02:08'),
(6, 27, '2019-02-02 18:18:33'),
(11, 27, '2019-02-02 19:06:29'),
(12, 27, '2019-02-02 20:54:30'),
(13, 1, '2019-02-03 01:03:35'),
(14, 1, '2019-02-03 02:56:44'),
(15, 1, '2019-02-03 03:03:43');

-- --------------------------------------------------------

--
-- Table structure for table `visitors`
--

CREATE TABLE `visitors` (
  `visitor_ip` varchar(20) NOT NULL,
  `visit_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

-- --------------------------------------------------------

--
-- Table structure for table `writeups`
--

CREATE TABLE `writeups` (
  `write_id` int(11) NOT NULL,
  `story` text NOT NULL,
  `user_id` int(11) NOT NULL,
  `status` tinyint(1) NOT NULL DEFAULT '0'
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

--
-- Dumping data for table `writeups`
--

INSERT INTO `writeups` (`write_id`, `story`, `user_id`, `status`) VALUES
(1, '<p>aksjh akhd kajsh dkashd kajsh dkjashdkja jshd </p>', 1, 0);

--
-- Indexes for dumped tables
--

--
-- Indexes for table `admin`
--
ALTER TABLE `admin`
  ADD PRIMARY KEY (`admin_id`),
  ADD UNIQUE KEY `admin_email` (`admin_email`);

--
-- Indexes for table `chat`
--
ALTER TABLE `chat`
  ADD KEY `sent_by` (`sent_by`),
  ADD KEY `sent_to` (`sent_to`);

--
-- Indexes for table `feedback`
--
ALTER TABLE `feedback`
  ADD PRIMARY KEY (`user_id`),
  ADD UNIQUE KEY `user_id` (`user_id`,`feedback`);

--
-- Indexes for table `followers`
--
ALTER TABLE `followers`
  ADD UNIQUE KEY `followed_by` (`followed_by`,`following`),
  ADD KEY `following` (`following`);

--
-- Indexes for table `friend_requests`
--
ALTER TABLE `friend_requests`
  ADD UNIQUE KEY `sent_by` (`sent_by`,`sent_to`),
  ADD KEY `sent_to` (`sent_to`);

--
-- Indexes for table `likes`
--
ALTER TABLE `likes`
  ADD KEY `user_id` (`user_id`),
  ADD KEY `story_id` (`story_id`) USING BTREE;

--
-- Indexes for table `stories`
--
ALTER TABLE `stories`
  ADD PRIMARY KEY (`story_id`),
  ADD UNIQUE KEY `story_unique_hash` (`story_unique_hash`),
  ADD KEY `user_id` (`user_id`);

--
-- Indexes for table `stories_complaints`
--
ALTER TABLE `stories_complaints`
  ADD KEY `complaint_user_id` (`complaint_user_id`),
  ADD KEY `story_id` (`story_id`),
  ADD KEY `story_user_id` (`story_user_id`);

--
-- Indexes for table `story_categories`
--
ALTER TABLE `story_categories`
  ADD KEY `story_id` (`story_id`);

--
-- Indexes for table `users`
--
ALTER TABLE `users`
  ADD PRIMARY KEY (`user_id`),
  ADD UNIQUE KEY `user_email` (`user_email`);

--
-- Indexes for table `views`
--
ALTER TABLE `views`
  ADD UNIQUE KEY `story_id` (`story_id`,`user_id`),
  ADD KEY `user_id` (`user_id`);

--
-- AUTO_INCREMENT for dumped tables
--

--
-- AUTO_INCREMENT for table `admin`
--
ALTER TABLE `admin`
  MODIFY `admin_id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=7;
--
-- AUTO_INCREMENT for table `stories`
--
ALTER TABLE `stories`
  MODIFY `story_id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=17;
--
-- AUTO_INCREMENT for table `users`
--
ALTER TABLE `users`
  MODIFY `user_id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=29;
--
-- Constraints for dumped tables
--

--
-- Constraints for table `chat`
--
ALTER TABLE `chat`
  ADD CONSTRAINT `chat_ibfk_1` FOREIGN KEY (`sent_by`) REFERENCES `users` (`user_id`),
  ADD CONSTRAINT `chat_ibfk_2` FOREIGN KEY (`sent_to`) REFERENCES `users` (`user_id`);

--
-- Constraints for table `feedback`
--
ALTER TABLE `feedback`
  ADD CONSTRAINT `feedback_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `users` (`user_id`);

--
-- Constraints for table `friend_requests`
--
ALTER TABLE `friend_requests`
  ADD CONSTRAINT `friend_requests_ibfk_1` FOREIGN KEY (`sent_by`) REFERENCES `users` (`user_id`),
  ADD CONSTRAINT `friend_requests_ibfk_2` FOREIGN KEY (`sent_to`) REFERENCES `users` (`user_id`);

--
-- Constraints for table `likes`
--
ALTER TABLE `likes`
  ADD CONSTRAINT `likes_ibfk_1` FOREIGN KEY (`story_id`) REFERENCES `stories` (`story_id`),
  ADD CONSTRAINT `likes_ibfk_2` FOREIGN KEY (`user_id`) REFERENCES `users` (`user_id`);

--
-- Constraints for table `stories`
--
ALTER TABLE `stories`
  ADD CONSTRAINT `stories_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `users` (`user_id`);

--
-- Constraints for table `stories_complaints`
--
ALTER TABLE `stories_complaints`
  ADD CONSTRAINT `stories_complaints_ibfk_1` FOREIGN KEY (`complaint_user_id`) REFERENCES `users` (`user_id`),
  ADD CONSTRAINT `stories_complaints_ibfk_2` FOREIGN KEY (`story_id`) REFERENCES `stories` (`story_id`),
  ADD CONSTRAINT `stories_complaints_ibfk_3` FOREIGN KEY (`story_user_id`) REFERENCES `users` (`user_id`);

--
-- Constraints for table `story_categories`
--
ALTER TABLE `story_categories`
  ADD CONSTRAINT `story_categories_ibfk_1` FOREIGN KEY (`story_id`) REFERENCES `stories` (`story_id`);

--
-- Constraints for table `views`
--
ALTER TABLE `views`
  ADD CONSTRAINT `views_ibfk_1` FOREIGN KEY (`story_id`) REFERENCES `stories` (`story_id`),
  ADD CONSTRAINT `views_ibfk_2` FOREIGN KEY (`user_id`) REFERENCES `users` (`user_id`);
COMMIT;

/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;