Update to New Format and add PicoCTF19

.github/CONTRIBUTING.md

@@ -15,10 +15,22 @@ Welcome to Cal Poly's White Hat Club's CTF Write-Up Repository! If you're readin
         * The ````README.md```` file for the folder is an exception to this rule.
         * Any pull requests on the ````LICENSE```` file or any files in the ````.github```` folder are an exception to this rule.
     3. All associated, non-markdown files should be placed in a subfolder named ````assets````
-        * All non-markdown files must use __camel case__.
+        * Asset file names should be prefixed with the challenge name.
+        * Asset files __do not__ have to use camel case if following another naming convention such as snake case for Python files.
     4. The folder containing the write-ups must contain a README.md
         * This file must contain:
             * The __full CTF name__,
             * The year,
             * And a bulleted list of formatted links to all write-up markdown files.
-                * This list must be in alphabetical order.
+                * This list should be sorted by category then by point value then by alphabetical order
+                * The links should be named `challenge name - point value`
+
+An example file structure for picoCTF19:
+```
+writeups
+└── picoCTF19
+     ├── assets
+     │    └── handyShellcodeCallGraph.png
+     ├── handyShellCode.md
+     └── README.md
+```

.github/TECHNIQUE_TEMPLATE.md

@@ -0,0 +1,29 @@
+# Technique Name
+Author: Feel free to put your name or alias
+
+## Result(s)
+- Result 1
+- Result 2
+
+## Requirement(s)
+- Requirement 1
+- Requirement 2
+
+## Steps
+
+1. Step One
+
+    Detailed general explanation of step one. You can include an example.
+
+2. Step Two
+
+    Detailed general explanation of step two. You can include an example.
+
+
+## Notes
+
+    Write any notes here. Some things you can write include clearing up when this technique is applicable or other techniques/tools that are relevant to this technique.
+
+## Example
+
+    Optional

.github/WRITEUP_TEMPLATE.md

@@ -0,0 +1,17 @@
+# CTF Name - Challenge Name
+Author: Feel free to put your name or alias \
+Date: Optional
+
+Category - Points
+
+> Copy/paste the challenge description here
+
+## TL;DR
+
+The TL;DR should include a brief description of both the challenge and the solution.
+
+# Writeup
+
+This is where your content goes. This should include the solution as well as how you got to that solution. Do not just post code without an explanation of the code. Any magic numbers/strings should have an explanation. Be sure to include and images, screenshots and any other figures if necessary. Writeups can be informal and don't have to be a purely technical document so feel free to include any entertaining or comedic content to keep the reader interested.
+
+Any important content you link to should be backed up in the `assets` folder to protect them from [link rot](https://en.wikipedia.org/wiki/Link_rot). Don't forget to cite any resources placed in `assets` or copied elsewhere.

README.md

@@ -1,2 +1,24 @@
-# ctf-writeups
-CTF Write Ups
+# White Hat CTF Writeups
+
+## Table of Contents
+
+- [Tools and Resources](tools/tools.md#tools-and-resources)
+    - [Binary Exploitation](tools/tools.md#binary-exploitation)
+    - [Cryptography](tools/tools.md#cryptography)
+    - [Forensics](tools/tools.md#forensics)
+    - [Reverse Engineering](tools/tools.md#reverse-engineering)
+    - [Web](tools/tools.md#web)
+- [Techniques](techniques/techniques.md#techniques)
+    - [Binary Exploitation](techniques/techniques.md#binary-exploitation-toc)
+    - [Cryptography](techniques/techniques.md#cryptography-toc)
+    - [Forensics](techniques/techniques.md#forensics-toc)
+    - [Reverse Engineering](techniques/techniques.md#reverse-engineering-toc)
+    - [Web](techniques/techniques.md#web-toc)
+- Writeups
+    - [PicoCTF 2019](writeups/picoCTF19/README.md)
+    - [UTCTF 2019](writeups/utctf19/README.md)
+    - [DEF CON Quals 2018](writeups/defConQuals18/README.md)
+    - [iFixit Trihackathon 2018](writeups/iFixitTrihackathon18/README.md)
+- Contributing
+    - [Code of Conduct](.github/CODE_OF_CONDUCT.md)
+    - [Contributing Guidelines](.github/CONTRIBUTING.md)

techniques/binary-exploitation/unknown-glibc.md

@@ -0,0 +1,23 @@
+# Determine Unknown Glibc Version from Leaked Addresses
+Author: PinkNoize
+
+## Result
+- Glibc version used by a process
+
+## Requirement
+- Address of 1 or more glibc functions
+
+## Steps
+
+1. Get the addresses of some glibc functions
+
+    You can get these addresses however you want. Some examples include debug statements or an arbitrary memory read to read the addresses out of the .got.plt section.
+
+2. Compare the addresses to known glibc address offsets
+
+    You should not do this manually. Use a tool like [libc-database](https://github.com/niklasb/libc-database). The online version is at [https://libc.rip/](https://libc.rip/).
+
+
+## Notes
+
+This technique is useful when you are supplied a challenge without a glibc ELF where exploitation would be simplified by having the glibc ELF. This can be combined with [one_gadget](https://github.com/david942j/one_gadget) to speed up the creation of shell dropping ROP chains.

techniques/techniques.md

@@ -0,0 +1,12 @@
+# Techniques
+
+## <a name="binary-exploitation-toc"></a> Binary Exploitation
+- [Determine Unknown Glibc Version from Leaked Addresses](binary-exploitation/unknown-glibc.md)
+
+## <a name="cryptography-toc"></a> Cryptography
+
+## <a name="forensics-toc"></a> Forensics
+
+## <a name="reverse-engineering-toc"></a> Reverse Engineering
+
+## <a name="web-toc"></a> Web

tools/tools.md

@@ -0,0 +1,63 @@
+# Tools and Resources
+## Table of Contents
+- [Binary Exploitation](#binary-exploitation)
+- [Cryptography](#cryptography)
+- [Forensics](#forensics)
+- [Reverse Engineering](#reverse-engineering)
+- [Web](#web)
+
+# Binary Exploitation
+- [Angr](https://angr.io/)
+- [BAP](https://github.com/BinaryAnalysisPlatform/bap)
+- [Pwntools](https://github.com/Gallopsled/pwntools)
+
+    Tutorial available [here](https://github.com/Gallopsled/pwntools-tutorial#readme) 
+
+- [LiveOverflow Binary Hacking Course](https://old.liveoverflow.com/binary_hacking/)
+
+# Cryptography
+
+
+# Forensics
+- [Autopsy/The Sleuth Kit](https://www.sleuthkit.org)
+
+# Reverse Engineering
+- [Binary Ninja](https://binary.ninja/)
+
+    - `Price:` $74 with student discount
+    - Comes with a BNIL(Binary Ninja Intermediate Languages) which approaches decompiled output.
+    - Debugger is hard to use.
+
+- [Cutter](https://cutter.re/)
+
+    - `Price:` Free
+    - GUI frontend of radare2
+    - Comes with Ghidra decompiler and many others can be installed
+    - Debugger support
+
+- [Ghidra](https://ghidra-sre.org/)
+
+    - `Price:` Free
+    - A free solid decompiler
+    - Spinning dragon animation
+
+- [Hopper](https://www.hopperapp.com/)
+
+    - `Price:` $99
+
+- [IDA](https://www.hex-rays.com/products/ida/)
+
+    - `Price:` Check the website, pricing page is too complicated
+    - Decompiler and debugger
+
+- [Radare2](https://www.radare.org)
+
+    - `Price:` Free
+    - Decompilers including Ghidra's can be installed
+    - Great debugger
+    - Pure commandline
+
+# Web
+- [Burp](https://portswigger.net/burp)
+- [gobuster](https://github.com/OJ/gobuster)
+- [sqlmap](https://github.com/sqlmapproject/sqlmap)

writeups/picoCTF19/13.md

@@ -0,0 +1,11 @@
+# PicoCTF 2019 - 13
+Author: PinkNoize
+
+Cryptography - 50
+
+> Cryptography can be easy, do you know what ROT13 is? cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}
+
+
+# Writeup
+
+The challenge provides us with the flag but it appears to be [ROT13](https://en.wikipedia.org/wiki/ROT13) encoded. I used [CyberChef](https://gchq.github.io/CyberChef/) for this challenge as it is useful in many crypto challenges. First, input the provided encoded flag in the input section. Then search for ROT13 and drag it into the recipe column. The flag is `picoCTF{not_too_bad_of_a_problem}`

writeups/picoCTF19/README.md

@@ -0,0 +1,62 @@
+# PicoCTF 2019
+### Table of Contents
+- [Binary Exploitation](#binary-exploitation)
+- [Cryptography](#cryptography)
+- [Forensics](#forensics)
+- [General Skills](#general-skills)
+- [Reverse Engineering](#reverse-engineering)
+- [Web Exploitation](#web-exploitation)
+
+## Binary Exploitation
+- [handy-shellcode - 50 points](handyShellcode.md)
+- [practice-run-1 - 50 points](practiceRun1.md)
+- [Overflow-0 - 100 points](overflow0.md)
+- [Overflow-1 - 150 points](overflow1.md)
+- [slippery-shellcode - 200 points](slipperyShellcode.md)
+- [OverFlow 2 - 250 points](overflow2.md)
+- [pointy - 350 points](pointy.md)
+- [seed-sPRiNG - 350 points](seed-sPRiNG.md)
+
+## Cryptography
+- [The Numbers - 50 points](theNumbers.md)
+- [13 - 50 points](13.md)
+- [caeser - 100 points](caeser.md)
+- [flags - 200 points](flags.md)
+- [la cifra de - 200 points](laCifraDe.md)
+- [rsa-pop-quiz - 200 points](rsaPopQuiz.md)
+- [miniRSA - 300 points](miniRSA.md)
+- [waves over lambda - 300 points](wavesOverLambda.md)
+
+## Forensics
+- [Glory of the Garden - 50 points](gloryOfTheGarden.md)
+- [unzip - 50 points](unzip.md)
+- [So Meta - 150 points](soMeta.md)
+- [What Lies Within - 150 points](whatLiesWithin.md)
+- [extensions - 150 points](extensions.md)
+- [shark on wire 1 - 150 points](sharkOnWire1.md)
+- [c0rrupt - 250 points](c0rrupt.md)
+- [like1000 - 250 points](like1000.md)
+
+## General Skills
+- [flag_shop - 300 points](flagShop.md)
+- [mus1c - 300 points](mus1c.md)
+
+## Reverse Engineering
+- [vault-door-training - 50 points](vaultDoorTraining.md)
+- [vault-door-1 - 100 points](vaultDoor1.md)
+- [asm1 - 200 points](asm1.md)
+- [vault-door-3 - 200 points](vaultDoor3.md)
+- [asm2 - 250 points](asm2.md)
+- [vault-door-4 - 250 points](vaultDoor4.md)
+- [reverse_cipher - 300 points](reverseCipher.md)
+- [Need For Speed - 400 points](needForSpeed.md)
+
+## Web Exploitation
+- [Insp3ct0r - 50 Points](insp3ct0r.md)
+- [dont-use-client-side - 100 Points](dontUseClientSide.md)
+- [logon - 100 Points](logon.md)
+- [where-are-the-robots - 100 points](whereAreTheRobots.md)
+- [Client-side-again - 200 points](clientSideAgain.md)
+- [Open-to-admin - 200 points](openToAdmins.md)
+- [picobrowser - 200 points](picobrowser.md)
+- [Irish-Name-Repo 1 - 300 points](irishNameRepo1.md)

writeups/picoCTF19/asm1.md

@@ -0,0 +1,82 @@
+# PicoCTF 2019 - asm1
+Author: PinkNoize
+
+Reverse Engineering - 200
+
+> What does asm1(0x610) return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format. Source located in the directory at /problems/asm1_1_95494d904d73b330976420bc1cd763ec.
+
+## TL;DR
+
+This challenge provides and assembly function and an input. The return value in hex is the flag.
+
+# Writeup
+
+The challenge description asks us to determine the return value of the given assembly function when the argument is 0x610.
+
+```gas
+asm1:
+        <+0>:   push   ebp
+        <+1>:   mov    ebp,esp
+        <+3>:   cmp    DWORD PTR [ebp+0x8],0x3b9
+        <+10>:  jg     0x50f <asm1+34>
+        <+12>:  cmp    DWORD PTR [ebp+0x8],0x1
+        <+16>:  jne    0x507 <asm1+26>
+        <+18>:  mov    eax,DWORD PTR [ebp+0x8]
+        <+21>:  add    eax,0x11
+        <+24>:  jmp    0x526 <asm1+57>
+        <+26>:  mov    eax,DWORD PTR [ebp+0x8]
+        <+29>:  sub    eax,0x11
+        <+32>:  jmp    0x526 <asm1+57>
+        <+34>:  cmp    DWORD PTR [ebp+0x8],0x477
+        <+41>:  jne    0x520 <asm1+51>
+        <+43>:  mov    eax,DWORD PTR [ebp+0x8]
+        <+46>:  sub    eax,0x11
+        <+49>:  jmp    0x526 <asm1+57>
+        <+51>:  mov    eax,DWORD PTR [ebp+0x8]
+        <+54>:  add    eax,0x11
+        <+57>:  pop    ebp
+        <+58>:  ret    
+```
+
+Before we can understand how this function will behave, we first have to understand a little about how it is called. As this is x86 (32-bit) assembly, function arguments are placed on the stack. For a better description of the stack, read [this](overflow0.md).
+
+To call the function with 0x610 we would write...
+
+```gas
+...
+push 0x610
+call asm1
+...
+```
+
+This means that when the function is called, the return address is esp+0 and the argument is esp+4.
+The first instruction, `<+0>:   push   ebp`, backs up the previous stack frame's base pointer. This moves the stack down by 4 so the argument is now at esp+8.
+
+The second instruction, `<+1>:   mov    ebp,esp`, sets ebp=esp. This sets up the current base pointer so its easy to find arguments and local variables. The first argument will now be referenced by ebp+8. From here on its a matter of keeping track of the jumps and eax. The green lines are instructions that are executed.
+
+```diff
+asm1:
++       <+0>:   push   ebp
++       <+1>:   mov    ebp,esp
++       <+3>:   cmp    DWORD PTR [ebp+0x8],0x3b9
++       <+10>:  jg     0x50f <asm1+34> --------------
+-       <+12>:  cmp    DWORD PTR [ebp+0x8],0x1      |
+-       <+16>:  jne    0x507 <asm1+26>              |
+-       <+18>:  mov    eax,DWORD PTR [ebp+0x8]      |
+-       <+21>:  add    eax,0x11                     |
+-       <+24>:  jmp    0x526 <asm1+57>              |
+-       <+26>:  mov    eax,DWORD PTR [ebp+0x8]      |
+-       <+29>:  sub    eax,0x11                     |
+-       <+32>:  jmp    0x526 <asm1+57>              |
++       <+34>:  cmp    DWORD PTR [ebp+0x8],0x477 <---
++    --- <+41>:  jne    0x520 <asm1+51>
+-    |  <+43>:  mov    eax,DWORD PTR [ebp+0x8]
+-    |  <+46>:  sub    eax,0x11
+-    |  <+49>:  jmp    0x526 <asm1+57>
++    -> <+51>:  mov    eax,DWORD PTR [ebp+0x8] ; eax=0x610
++       <+54>:  add    eax,0x11 ; eax + 0x11 = 0x621
++       <+57>:  pop    ebp
++       <+58>:  ret    
+```
+
+To get the return value after the function returns, we read eax. This means the return value is 0x621, which is the flag.