DEV Community: Rafal Hofman

Sekurak MSHP CTF Summary - Part 1

Rafal Hofman — Mon, 17 Oct 2022 15:25:29 +0000

Recently (15.10-16.10) I took part in the Sekurak Mega Hacking Party CTF contest. For those who did not hear of it, CTF is kind of a security hackathon with pre-prepared tasks in which you have to find a flag within known vulnerabilities. This was the first time I have taken part in such a contest. It was quite interesting! Below you will find the first post in series describing the tasks which I solved or tried to solve ;).

deobf

So the first task was as follows:

// deobfuscate the code, or call appropriate function after executing it, to get the flag
var _0x553b6f=_0x4c5c;(function(_0x1e3834,_0x3f47f5){var _0x5dc057=_0x4c5c,_0x3162e1=_0x1e3834();while(!![]){try{var _0x4d3ec8=parseInt(_0x5dc057(0xc5,'q)cg'))/0x1+parseInt(_0x5dc057(0xc9,'rLxo'))/0x2*(parseInt(_0x5dc057(0xc8,'Khqd'))/0x3)+-parseInt(_0x5dc057(0xb8,'ucN2'))/0x4*(parseInt(_0x5dc057(0xb7,'g0t9'))/0x5)+-parseInt(_0x5dc057(0xb6,'rW2u'))/0x6+parseInt(_0x5dc057(0xbe,'X0LD'))/0x7+parseInt(_0x5dc057(0xba,'KPPr'))/0x8*(-parseInt(_0x5dc057(0xbf,'9ewY'))/0x9)+parseInt(_0x5dc057(0xbb,'H%x$'))/0xa*(parseInt(_0x5dc057(0xcc,'rNIa'))/0xb);if(_0x4d3ec8===_0x3f47f5)break;else _0x3162e1['push'](_0x3162e1['shift']());}catch(_0x1ec551){_0x3162e1['push'](_0x3162e1['shift']());}}}(_0x4ade,0xade96),[][_0x553b6f(0xbc,'Kmu$')][_0x553b6f(0xc0,'De1O')]=()=>window[_0x553b6f(0xca,'xKir')](_0x553b6f(0xc2,'rW2u')));function _0x4c5c(_0x17c2b0,_0x231ba2){var _0x4adec6=_0x4ade();return _0x4c5c=function(_0x4c5c7a,_0x22dce2){_0x4c5c7a=_0x4c5c7a-0xb6;var _0x3f97df=_0x4adec6[_0x4c5c7a];if(_0x4c5c['KZZRud']===undefined){var _0x39ebb7=function(_0x507494){var _0x54c208='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';var _0x2eca4b='',_0x180c44='';for(var _0x31cf09=0x0,_0x153548,_0x11dd12,_0x3e2f84=0x0;_0x11dd12=_0x507494['charAt'](_0x3e2f84++);~_0x11dd12&&(_0x153548=_0x31cf09%0x4?_0x153548*0x40+_0x11dd12:_0x11dd12,_0x31cf09++%0x4)?_0x2eca4b+=String['fromCharCode'](0xff&_0x153548>>(-0x2*_0x31cf09&0x6)):0x0){_0x11dd12=_0x54c208['indexOf'](_0x11dd12);}for(var _0x4d8e2b=0x0,_0x4afade=_0x2eca4b['length'];_0x4d8e2b<_0x4afade;_0x4d8e2b++){_0x180c44+='%'+('00'+_0x2eca4b['charCodeAt'](_0x4d8e2b)['toString'](0x10))['slice'](-0x2);}return decodeURIComponent(_0x180c44);};var _0x40e39c=function(_0x14c145,_0x38c081){var _0x181656=[],_0x3d9ee9=0x0,_0x3afb58,_0x3dd4ab='';_0x14c145=_0x39ebb7(_0x14c145);var _0x31f48b;for(_0x31f48b=0x0;_0x31f48b<0x100;_0x31f48b++){_0x181656[_0x31f48b]=_0x31f48b;}for(_0x31f48b=0x0;_0x31f48b<0x100;_0x31f48b++){_0x3d9ee9=(_0x3d9ee9+_0x181656[_0x31f48b]+_0x38c081['charCodeAt'](_0x31f48b%_0x38c081['length']))%0x100,_0x3afb58=_0x181656[_0x31f48b],_0x181656[_0x31f48b]=_0x181656[_0x3d9ee9],_0x181656[_0x3d9ee9]=_0x3afb58;}_0x31f48b=0x0,_0x3d9ee9=0x0;for(var _0x3b0565=0x0;_0x3b0565<_0x14c145['length'];_0x3b0565++){_0x31f48b=(_0x31f48b+0x1)%0x100,_0x3d9ee9=(_0x3d9ee9+_0x181656[_0x31f48b])%0x100,_0x3afb58=_0x181656[_0x31f48b],_0x181656[_0x31f48b]=_0x181656[_0x3d9ee9],_0x181656[_0x3d9ee9]=_0x3afb58,_0x3dd4ab+=String['fromCharCode'](_0x14c145['charCodeAt'](_0x3b0565)^_0x181656[(_0x181656[_0x31f48b]+_0x181656[_0x3d9ee9])%0x100]);}return _0x3dd4ab;};_0x4c5c['cCKsUi']=_0x40e39c,_0x17c2b0=arguments,_0x4c5c['KZZRud']=!![];}var _0x277549=_0x4adec6[0x0],_0x534e81=_0x4c5c7a+_0x277549,_0x4a09ac=_0x17c2b0[_0x534e81];return!_0x4a09ac?(_0x4c5c['nXMkoz']===undefined&&(_0x4c5c['nXMkoz']=!![]),_0x3f97df=_0x4c5c['cCKsUi'](_0x3f97df,_0x22dce2),_0x17c2b0[_0x534e81]=_0x3f97df):_0x3f97df=_0x4a09ac,_0x3f97df;},_0x4c5c(_0x17c2b0,_0x231ba2);}function _0x4ade(){var _0x2f84c2=['W6FcR8kFaCoHWOv8','x14FoxX0WQ3cVG','WQ4IWQRdIc8UW6CthW','cSoCW4i7t14EWPeKWQKBW6dcMW','vmoVja7cUSo+vb7dGhfRWRK','W6qpbriGWPCga8k9WRBcJrmz','dwvRW4xcHW','DSokWO3dNrekW4/cRa','WRDDWPSZc8oOW6ldV8kJrN1beComsXbiimosW53cHmoEe8kMea','W5/dImo/WPxcUCoxjmo9ehD6Bmou','W6FcU8obWPNdNCkiW7RcKCokE0xcRG','W5ldGSkbAZy/WQvyqrOGW4S','WOJcPaHrW7m/WPRcJIxdUr3dSa','gqrMsCkWWR3cNKyN','W6hdMxxcQ14qW5Pl','jxxcLCk+grNcGsmTW4PlDa','tq/cNWJcTq','cmk+W5hcL8o2WPxcOKtdSLZcSbi','WRDrW4VcImkwbmo2ySolq0ym','W4a7W65uuCkMWRNdGCkguwz6hW','fmo+q8kSW7dcLxdcKea','DmogW5NcUWGEW6/cTZi1','i8kxzmormmkyWRD1'];_0x4ade=function(){return _0x2f84c2;};return _0x4ade();}

Instead of deobfuscation which might be too cumbersome, I had formatted the code and looked into it.

After investigation, it looked like this function here could be executed (and this was also indicated in a hint to the task).

I followed to Chrome dev tools and executed code in the console calling a function. Results?

I have the flag!

traversal

So in next task, we got page like this:

As you can see, this is web app written in .NET. After clicking on one of the files, I got following view:

So it looks like files were referenced by the filename query param.

After looking in the code, it looks like .. path would throw Bad Request error. I guess this was protection of reusing know payloads for path traversal vulnerability by other contestants :D. Simple change from CV file to flag file given the expected result:

Bingo!

For the next post in series I will present other tasks which I have tried to solve - still, even if not successful, I have learned something valuable :)

SQL Performance - pagination scalability

Rafal Hofman — Thu, 26 Aug 2021 09:46:14 +0000

Recently I have been reading SQL Performance Explained by Markus Winand and I wanted to share with you what I have learned regarding SQL pagination scalability.

Probably if you would be given the task to implement pagination, you would do it with LIMIT and OFFSET in a query. This would be completely fine, but it is good to know the limitations of it.

The more you browse back in history (increase LIMIT and OFFSET) the more response time increases. This is due to the fact that DB has to count all rows until it reaches the requested page.

An answer for that would be to include a WHERE statement in a query with FETCH FIRST X ROWS ONLY, which does not select previous results. Each "page" is limited with a different WHERE statement. It also has its own limitations (harder to implement pagination, harder to browser backward, fetch arbitrary pages) but at a cost of simplicity, you get a performance increase.

Which option we should choose? As always in computer science - it depends :)

Let me know how do you use pagination and if you ever had any performance issues related to that.

P.S Remember that pagination needs deterministic order and do include ORDER BY in your queries when needed ;)

SQL Performance - composite indexes

Rafal Hofman — Fri, 23 Jul 2021 13:05:45 +0000

Recently I have been reading SQL Performance Explained by Markus Winand and I wanted to share with you what I have learned about the composite index.

You are probably familiar with the concept of the index in the Database. In very simple terms, you can imagine that it is similar to telephone directory (B-tree structure in DB) - instead of traversing through the whole book (DB), you are using directory (DB index) to find it faster. For more about indexes, you can read here.

Imagine you have table employees with columns id, department, name.

As you have some SELECT queries accessing those fields, you have created index for department and index for name:

CREATE INDEX department_index ON employees(department);

CREATE INDEX name_index ON employees(name);

It works well for queries like:

SELECT * FROM "employees" WHERE "department" = 'IT';

SELECT * FROM "employees" WHERE "name" = 'Rafal';

Now, imagine you have a query that selects both department and surname:

SELECT * FROM "employees" WHERE "department" = 'IT' AND "name" = 'Rafal';

You already have an index on those fields, right? So what is the problem?

DB engine will use only one of the indexes you have created. Going back to the example with telephone directory - you have created two separate directories - those are two separate structures and you either look in one or another. When two fields are selected, one of the fields will be selected to choose index structure and then found in this index to select the results. The second field will be traversed based on the selected results. You can imagine with department index example: department (IT) index will be selected and then the name (Rafal) entry will be searched for in the leaf nodes of index. So if the name column will consit of "Agata, Tomek, Rafal, Zenek, (...)" it will traverse through several entries to find a correct entry (Rafal).

A Solution for that would be to use a composite index. You can create it like:
CREATE INDEX composite_index_name on employees(department, name)

It will then create an index on two columns. With telephone directory example - you will have a directory that consists of both of those informations and directs to the right place. So query:

SELECT * FROM "employees" WHERE "department" = 'IT' AND "name" = 'Rafal';

will hit exactly one entry in the index with one leaf node.

Might be useful if you are using heavy queries used at hot spots in the system and performance there is crucial.

DISCLAIMER: Be aware indexes also do use storage and every INSERT/UPDATE needs to update the index structure as well :)

XSS - are you sure you are protected?

Rafal Hofman — Mon, 05 Jul 2021 06:15:23 +0000

As a developer, you probably have heard what XSS is and how to defend against it by escaping user input. You also probably might have heard that modern frontend frameworks like React or Angular are XSS safe (due to escaping). Still, though there are some XSS caveats worth remembering:

Imagine you have a form where the user adds an address to his page/Facebook/Instagram etc. You might have HTML code like:

<a href="https://brightinventions.pl/">User page</a>

When taking input from the user which later will be displayed in a href tag (or any other "new link" click tag-like frame) it is important to validate the protocol of the URL. User can simply add their page with javascript protocol and execute XSS.

<a href="javascript:alert('XSS!');">User page</a>

To conclude: to defend against XSS, besides escaping user input do validate the protocol of URL. Let me know if you have any other interesting thoughts when it comes to XSS!

CloudWatch Insights - how to find the context of multiple requests?

Rafal Hofman — Thu, 06 May 2021 08:34:33 +0000

Recently I was searching through our application logs. The task was to extract extra context for a group of requests (ex. errors in the external provider system with the original request). For our app, we are using CloudWatch to store the logs. I have used CloudWatch Insights as out of the box tool to analyze them.

Our logs have a format like below, with each console output in a separate line:

2021-02-06T13:38:31.730Z info [some request id 1; some user id 1] Some external provider error message
2021-02-06T14:21:00.000Z info [some request id 2; some user id 2] Some external provider error message

We can use Cloudwatch Insights to extract all the information related to that requests:

filter @message like "Some context to error message log"
| parse @message "* * [* *] *" as timestamp,type,requestId, user, textMessage
| filter requestId in ["some request id 1;", "some request id 2"]
| sort @ingestionTime desc

If the field you are searching for is a JSON array, you can search it like:

filter @message like "Some context to error message log {
    "someInfo": [
        some1,
        some2
    ]
}"
| parse @message "* * [* *] *" as timestamp,type,requestId, user, textMessage
| parse textMessage '"someInfo":[*]' as someInfo
| filter requestId in ["some request id 1;", "some request id 2"]
| sort @ingestionTime desc

You can then export the data that you need or build some stats around it.

Let me know in the comments if you found CloudWatch Insights useful too and how you are using them.

Mocha.js - how to enable multiple test runners on CI/CD?

Rafal Hofman — Thu, 15 Apr 2021 12:40:37 +0000

One of our projects is running automated tests on CI/CD AzurePipelines.

For the test runner, AzurePipeline supports several test results templates but not the default Mocha spec one.

This is why tests are running on the mocha Junit reporter producing the JUnit XML result.

As there was a difference between running tests locally and on CI/CD environment, I wanted to debug the logs of the job. That what not possible as the Mocha JUnit reporter was not collecting console outputs/errors.

Mocha.js does not support multiple runners right now. The solution for that was to introduce own runner, which combines both Mocha JUnit reporter and default spec Mocha reporter:

'use strict';

const Mocha = require('mocha');
const JUnit = require('mocha-junit-reporter');
const Spec = Mocha.reporters.Spec;
const Base = Mocha.reporters.Base;

// This is combination of spec (mocha normal) + junit reporter so both is displayed on azure
class AzurePipelinesReporter extends Base {
    constructor(runner, options) {
        super(runner, options);
        this._junitReporter = new JUnit(runner, options);
        this._specReporter = new Spec(runner, options);
    }
}
module.exports = AzurePipelinesReporter;

Then, the custom reporter can be used by specyfing the file name and flags to both reporters if needed:

mocha --reporter azurePipelinesReporter.js --reporter-options mochaFile=some_path_to_results

Let me know if you had a similar problem, stay tuned for the next tips & tricks!

This blog post was original posted on https://brightinventions.pl/blog/mocha-js-how-to-enable-multiple-test-runners-on-ci-cd