feat: add slides

.gitignore

@@ -6,5 +6,7 @@
 checker/data
 service/data
 documentation/crc.sage.py
-documentation/tex/target
+documentation/documentation/target
+documentation/iisc-test-ctf-slides/target
+documentation/iisc-enowars-slides/target
 

documentation/README.md

@@ -1,8 +1,12 @@
 # Replme Documentation
 
 ```
-tex/              - Latex to produce documentation.pdf
-documentation.pdf - Main documentation
-benchmark.py      - Script for benchmarking the replme service
-crc.sage          - Script to calculate deltas for CRC vulnerability
+documentation/           - Latex for documentation.pdf
+iisc-enowars-slides/     - Latex for iisc-enowars-slides.pdf
+iisc-test-ctf-slides/    - Latex for iisc-test-ctf-slides.pdf
+benchmark.py             - Script for benchmarking the replme service
+crc.sage                 - Script to calculate deltas for CRC vulnerability
+documentation.pdf        - Main documentation
+iisc-enowars-slides.pdf  - Final slides
+iisc-test-ctf-slides.pdf - Slides for Test CTF
 ```

documentation/iisc-enowars-slides/Makefile

@@ -0,0 +1,22 @@
+SRCDIR = src
+SRCFILE = $(SRCDIR)/main.tex
+OUTDIR = target
+TARGET = $(OUTDIR)/main.pdf
+EXPORT = ../iisc-enowars-slides.pdf
+
+build: ${TARGET}
+
+${TARGET}: ${SRCFILE}
+	mkdir -p $(OUTDIR)
+	lualatex --interaction=batchmode --output-directory=$(OUTDIR) $(SRCFILE)
+
+export: ${TARGET}
+	cp $(TARGET) $(EXPORT)
+
+.PHONY: watch
+watch:
+	while inotifywait -e close_write -r ./src; do make build; done
+
+.PHONE: clean
+clean:
+	rm -rf $(OUTDIR)

documentation/iisc-enowars-slides/src/arch.drawio

@@ -0,0 +1,71 @@
+<mxfile host="app.diagrams.net" modified="2024-07-22T20:39:26.901Z" agent="Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" etag="yPUmrqQvly86HFDkY6S4" version="24.7.3" type="device">
+  <diagram name="Page-1" id="evIb6BeHTaSzVf6nZD_D">
+    <mxGraphModel dx="1039" dy="795" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="850" pageHeight="1100" math="0" shadow="0">
+      <root>
+        <mxCell id="0" />
+        <mxCell id="1" parent="0" />
+        <mxCell id="tIu5kHcC8cKj6h1vcqv9-21" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;endArrow=none;endFill=0;" edge="1" parent="1" source="tIu5kHcC8cKj6h1vcqv9-4" target="tIu5kHcC8cKj6h1vcqv9-9">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="tIu5kHcC8cKj6h1vcqv9-4" value="" style="sketch=0;pointerEvents=1;shadow=0;dashed=0;html=1;strokeColor=none;fillColor=#434445;aspect=fixed;labelPosition=center;verticalLabelPosition=bottom;verticalAlign=top;align=center;outlineConnect=0;shape=mxgraph.vvd.web_browser;" vertex="1" parent="1">
+          <mxGeometry x="150" y="240" width="112.68" height="80" as="geometry" />
+        </mxCell>
+        <mxCell id="tIu5kHcC8cKj6h1vcqv9-22" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;endArrow=none;endFill=0;" edge="1" parent="1" source="tIu5kHcC8cKj6h1vcqv9-9" target="tIu5kHcC8cKj6h1vcqv9-10">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="tIu5kHcC8cKj6h1vcqv9-28" value="&lt;font face=&quot;Courier New&quot;&gt;/...&lt;/font&gt;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="tIu5kHcC8cKj6h1vcqv9-22">
+          <mxGeometry x="0.0289" y="-3" relative="1" as="geometry">
+            <mxPoint x="6" y="9" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="tIu5kHcC8cKj6h1vcqv9-23" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;endArrow=none;endFill=0;" edge="1" parent="1" source="tIu5kHcC8cKj6h1vcqv9-9" target="tIu5kHcC8cKj6h1vcqv9-12">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="tIu5kHcC8cKj6h1vcqv9-29" value="/api/..." style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontFamily=Courier New;" vertex="1" connectable="0" parent="tIu5kHcC8cKj6h1vcqv9-23">
+          <mxGeometry x="-0.0679" relative="1" as="geometry">
+            <mxPoint x="23" y="-9" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="tIu5kHcC8cKj6h1vcqv9-9" value="" style="shape=image;verticalLabelPosition=bottom;labelBackgroundColor=default;verticalAlign=top;aspect=fixed;imageAspect=0;image=https://docs.altinn.studio/technology/tools/nginx/nginx.png;" vertex="1" parent="1">
+          <mxGeometry x="360" y="240" width="80" height="80" as="geometry" />
+        </mxCell>
+        <mxCell id="tIu5kHcC8cKj6h1vcqv9-10" value="" style="shape=image;verticalLabelPosition=bottom;labelBackgroundColor=default;verticalAlign=top;aspect=fixed;imageAspect=0;image=https://creazilla-store.fra1.digitaloceanspaces.com/icons/3244252/nextjs-icon-md.png;" vertex="1" parent="1">
+          <mxGeometry x="529.4" y="180" width="60" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="tIu5kHcC8cKj6h1vcqv9-11" value="" style="shape=image;verticalLabelPosition=bottom;labelBackgroundColor=default;verticalAlign=top;aspect=fixed;imageAspect=0;image=https://cdn.freebiesupply.com/logos/large/2x/postgresql-logo-png-transparent.png;" vertex="1" parent="1">
+          <mxGeometry x="680" y="180" width="58.2" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="tIu5kHcC8cKj6h1vcqv9-24" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;endArrow=none;endFill=0;" edge="1" parent="1" source="tIu5kHcC8cKj6h1vcqv9-12" target="tIu5kHcC8cKj6h1vcqv9-11">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="tIu5kHcC8cKj6h1vcqv9-12" value="" style="shape=image;verticalLabelPosition=bottom;labelBackgroundColor=default;verticalAlign=top;aspect=fixed;imageAspect=0;image=https://www.rewan.dev/resources/img/gin.png;" vertex="1" parent="1">
+          <mxGeometry x="527.9" y="290" width="63" height="88.63" as="geometry" />
+        </mxCell>
+        <mxCell id="tIu5kHcC8cKj6h1vcqv9-15" value="" style="shape=image;verticalLabelPosition=bottom;labelBackgroundColor=default;verticalAlign=top;aspect=fixed;imageAspect=0;image=https://res.cloudinary.com/stackrox/v1556559393/docker-hub-hack-blog-banner.png;" vertex="1" parent="1">
+          <mxGeometry x="629.1" y="310" width="160" height="80" as="geometry" />
+        </mxCell>
+        <mxCell id="tIu5kHcC8cKj6h1vcqv9-16" value="&lt;font face=&quot;Courier New&quot;&gt;Nginx&lt;/font&gt;" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" vertex="1" parent="1">
+          <mxGeometry x="370" y="320" width="60" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="tIu5kHcC8cKj6h1vcqv9-17" value="&lt;font face=&quot;Courier New&quot;&gt;Next.js&lt;/font&gt;" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" vertex="1" parent="1">
+          <mxGeometry x="529.4" y="240" width="60" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="tIu5kHcC8cKj6h1vcqv9-18" value="&lt;font face=&quot;Courier New&quot;&gt;PostgreSQL&lt;/font&gt;" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" vertex="1" parent="1">
+          <mxGeometry x="680" y="240" width="60" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="tIu5kHcC8cKj6h1vcqv9-19" value="&lt;font face=&quot;Courier New&quot;&gt;Docker-in-Docker&lt;/font&gt;" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" vertex="1" parent="1">
+          <mxGeometry x="643.65" y="390" width="130.9" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="tIu5kHcC8cKj6h1vcqv9-20" value="&lt;font face=&quot;Courier New&quot;&gt;Gin Backend&lt;br&gt;&lt;/font&gt;" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" vertex="1" parent="1">
+          <mxGeometry x="493.95" y="390" width="130.9" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="tIu5kHcC8cKj6h1vcqv9-25" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.256;entryY=0.5;entryDx=0;entryDy=0;entryPerimeter=0;endArrow=none;endFill=0;" edge="1" parent="1" source="tIu5kHcC8cKj6h1vcqv9-12" target="tIu5kHcC8cKj6h1vcqv9-15">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="tIu5kHcC8cKj6h1vcqv9-27" value="&lt;font face=&quot;Courier New&quot;&gt;Client&lt;/font&gt;" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" vertex="1" parent="1">
+          <mxGeometry x="176.34" y="320" width="60" height="30" as="geometry" />
+        </mxCell>
+      </root>
+    </mxGraphModel>
+  </diagram>
+</mxfile>

documentation/iisc-enowars-slides/src/main.tex

@@ -0,0 +1,243 @@
+\documentclass[10pt]{beamer}
+
+\usepackage{tikz}
+\usepackage{graphicx}
+\usepackage{fontspec}
+\usepackage{hyperref}
+\usepackage[absolute,overlay]{textpos}
+\usepackage{emoji}
+
+\graphicspath{ {./src/} }
+
+\usefonttheme{professionalfonts}
+\usefonttheme{serif}
+\setmainfont{DejaVuSansMono}
+\setmonofont{DejaVuSansMono-Bold}
+
+\usetheme{Berlin}
+\usecolortheme{beaver}
+
+\hypersetup{
+    colorlinks=true,
+    linkcolor=blue,
+    filecolor=magenta,
+    urlcolor=cyan,
+}
+
+
+\title{IISC/CTF: replme}
+\subtitle{Review of Enowars 8}
+\author{Jacob Bachmann}
+
+\institute
+{
+  SecT\\
+  TU Berlin
+}
+
+\logo{
+	\includegraphics[scale=0.07]{sect-logo}
+}
+
+\begin{document}
+
+\frame{\titlepage}
+
+\begin{frame}
+	\begin{center}
+		\LARGE{\texttt{About service: replme}}
+	\end{center}
+\end{frame}
+
+\begin{frame}
+	\frametitle{About service: replme}
+	\begin{itemize}
+		\item<1-> Clone of \href{http://replit.com}{replit.com}
+		\item<2-> Provides "DEVENVs" in browser
+		\item<3-> Provides "REPLs" in browser
+	\end{itemize}
+\end{frame}
+
+\begin{frame}
+	\begin{center}
+		\LARGE{\texttt{DEMO}}
+	\end{center}
+\end{frame}
+
+\begin{frame}
+	\begin{center}
+		\LARGE{\texttt{Architecture}}
+	\end{center}
+\end{frame}
+
+\begin{frame}
+	\frametitle{Architecture}
+	\includegraphics[scale=.45]{arch.drawio}
+\end{frame}
+
+\begin{frame}
+	\begin{center}
+		\LARGE{\texttt{Vuln 1: Path traversal}}
+	\end{center}
+\end{frame}
+
+\begin{frame}
+	\frametitle{Vuln 1: Path traversal}
+	\begin{itemize}
+		\item<1-> Flagstore is file in devenv
+		\item<2-> Devenv files are stored in FS (docker volume)
+		      \includegraphics[scale=1.4]{volume-border}
+		\item<3-> /api/devenv/\{571..\}/files/flagstore.txt \\
+		      \ \ \ \ ?uuid=\{571..\}\%2F..\%2F\{917..\}
+	\end{itemize}
+\end{frame}
+
+\begin{frame}
+	\frametitle{Vuln 1: Path traversal}
+	\begin{minipage}{0.39\linewidth}
+		\begin{figure}
+			\includegraphics[scale=0.25]{extract-uuid}
+			\caption{service/backend/util/encoding.go}
+		\end{figure}
+	\end{minipage}
+	\hspace{0.03\linewidth}
+	\begin{minipage}{0.5\linewidth}
+		\begin{figure}
+			\includegraphics[scale=0.25]{get-file-content}
+			\caption{service/backend/controller/devenv.go}
+		\end{figure}
+	\end{minipage}
+\end{frame}
+
+\begin{frame}
+	\begin{center}
+		\LARGE{\texttt{Vuln 2: 2nd preimage}}
+	\end{center}
+\end{frame}
+
+\begin{frame}
+	\frametitle{Vuln 2: 2nd preimage}
+	\begin{itemize}
+		\item<1-> Flagstore is file in FS of REPL
+		\item<2-> Identifier of REPLs is CRC(username)
+		\item<3-> CRC is no cryptographically secure hash func
+	\end{itemize}
+	\pause
+	\pause
+	\begin{align*}
+		h(a) = a\ \%\ p
+	\end{align*}
+	\begin{itemize}
+		\item<4-> Calculate deltas, such that: \\
+		      CRC(username) == CRC(username+delta) \\
+	\end{itemize}
+	\pause
+	\pause
+	\begin{align*}
+		h(a\oplus\Delta) & =(a\oplus b\cdot p)\ \%\ p \\
+		                 & =a\ \%\ p                  \\
+	\end{align*}
+\end{frame}
+
+\begin{frame}
+	\begin{center}
+		\LARGE{\texttt{Vuln 3: RCE (Bonus)}}
+	\end{center}
+\end{frame}
+
+\begin{frame}
+	\frametitle{Vuln 3: RCE (Bonus)}
+	\begin{itemize}
+		\item<1-> Server on REPLs exposes register endpoint
+		\item<2-> Endpoint secured by apikey \\
+		      http://\{ip\}:\{port\}/api/\{apikey\}/auth/register
+		\item<3-> Password is not sanitized
+	\end{itemize}
+	\pause
+	\pause
+	\pause
+	\begin{figure}
+		\includegraphics[scale=.4]{register}
+		\caption{service/image/service/user.go}
+	\end{figure}
+\end{frame}
+
+\begin{frame}
+	\begin{center}
+		\LARGE{\texttt{DEMO}}
+	\end{center}
+\end{frame}
+
+\begin{frame}
+	\begin{center}
+		\LARGE{\texttt{What worked}}
+	\end{center}
+\end{frame}
+
+\begin{frame}
+	\frametitle{What worked}
+	\begin{itemize}
+		\item<1-> Service stable
+		\item<2-> SLA was suprisingly good
+		\item<3-> People had fun
+	\end{itemize}
+	\pause
+	\pause
+	\begin{figure}
+		\includegraphics[scale=.018]{replme-performance}
+	\end{figure}
+\end{frame}
+
+\begin{frame}
+	\begin{center}
+		\LARGE{\texttt{What did'nt work}}
+	\end{center}
+\end{frame}
+
+\begin{frame}
+	\frametitle{What did'nt work}
+	\begin{itemize}
+		\item<1-> Unintended vuln
+		\item<2-> Performance issues due to strict timeout
+		\item<3-> CORS ❤️
+		\item<4-> proxy.prod.bambi.ovh blacklisted
+		\item<5-> CRC unexploited
+	\end{itemize}
+\end{frame}
+
+\begin{frame}
+	\begin{center}
+		\LARGE{\texttt{Feedback}}
+	\end{center}
+\end{frame}
+
+\begin{frame}
+	\frametitle{Feedback}
+	\begin{itemize}
+		\item<1-> "the return bug was truly evil btw"
+		\item<2-> "i wanted to do that, but i missed the crypto knowledge"
+		\item<3-> "exploitation wasn't simple even with this unintended bug though, so it was a fun task"
+	\end{itemize}
+\end{frame}
+
+\begin{frame}
+	\begin{center}
+		\LARGE{\texttt{Lessons learned}}
+	\end{center}
+\end{frame}
+
+\begin{frame}
+	\frametitle{Lessons learned}
+	\begin{itemize}
+		\item<1-> Stay calm and take the time to think
+		\item<2-> Do not get lost in details
+	\end{itemize}
+\end{frame}
+
+\begin{frame}
+	\begin{center}
+		\includegraphics[scale=0.29]{thanks}
+	\end{center}
+\end{frame}
+
+\end{document}

documentation/iisc-test-ctf-slides/Makefile

@@ -0,0 +1,22 @@
+SRCDIR = src
+SRCFILE = $(SRCDIR)/main.tex
+OUTDIR = target
+TARGET = $(OUTDIR)/main.pdf
+EXPORT = ../iisc-test-ctf-slides.pdf
+
+build: ${TARGET}
+
+${TARGET}: ${SRCFILE}
+	mkdir -p $(OUTDIR)
+	lualatex --interaction=batchmode --output-directory=$(OUTDIR) $(SRCFILE)
+
+export: ${TARGET}
+	cp $(TARGET) $(EXPORT)
+
+.PHONY: watch
+watch:
+	while inotifywait -e close_write -r ./src; do make build; done
+
+.PHONE: clean
+clean:
+	rm -rf $(OUTDIR)