title: "2019-2020 Officer Elections on April 25th"

author: "Zander Work"

date: 2019-04-16T00:00:00-07:00

categories: ['Meeting Notes', 'Club News']

tags: []

caption: ""

draft: false

We will be holding officer elections for next school year during our regular meeting on Week 4 (April 25th). This is a great way to be more involved with the club, and represent us to the College of Engineering.

Here are the positions (link goes to position duties):

- [President](https://docs.google.com/presentation/d/1zy1O0yru-iAo_0W-uHK87YRraQqCaZOt8MVcUy_dclc/edit#slide=id.g57d8caec5c_0_5)

- [Vice President](https://docs.google.com/presentation/d/1zy1O0yru-iAo_0W-uHK87YRraQqCaZOt8MVcUy_dclc/edit#slide=id.g57d8caec5c_0_10)

- [Treasurer](https://docs.google.com/presentation/d/1zy1O0yru-iAo_0W-uHK87YRraQqCaZOt8MVcUy_dclc/edit#slide=id.g57d8caec5c_0_21)

- [Multimedia Coordinator](https://docs.google.com/presentation/d/1zy1O0yru-iAo_0W-uHK87YRraQqCaZOt8MVcUy_dclc/edit#slide=id.g57d8caec5c_0_29)

- [Lab Manager](https://docs.google.com/presentation/d/1zy1O0yru-iAo_0W-uHK87YRraQqCaZOt8MVcUy_dclc/edit#slide=id.g57d8caec5c_0_34)

To run for a position, please do the following:

- Fill out [this form](https://forms.gle/hF4Jf9TzxMTetFqTA) no later than April 23rd

- Send a slide (one slide) to [[email protected]](mailto:[email protected]) no later than April 23rd:

- Name

- Position

- Info about yourself

- Qualifications

- etc.

- Show up to our meeting on April 25th prepared for the following:

- Up to 5 minute presentation on why you should be elected for your position

- Up to 2 minutes Q/A

We will be voting in the meeting on the 25th, so if you want to vote you need to be there. If you aren’t able to be there (candidate or voter), please let me know (I might need to re-think this part).

There is lots more info on the [slides](https://docs.google.com/presentation/d/1zy1O0yru-iAo_0W-uHK87YRraQqCaZOt8MVcUy_dclc/edit#slide=id.g57d8caec5c_0_0).

Best of luck to all who run!

title: "2019-2020 Officers"

author: "Zander Work"

date: 2019-04-26T00:00:00-07:00

categories: ['Meeting Notes', 'Club News']

tags: []

caption: ""

draft: false

Here are the new officers for the 2019-2020 school year:

- President: Zander Work

- Vice President: Hadi Rahal-Arabi

- Treasurer: David Park

- Multimedia Coordinator: Adam Stewart

- Lab Manager: Ryan Kennedy

- Recruitment/Public Relations: Alex Rash

Thanks to everyone who participated!

title: "ångstromCTF lithp"

author: "Lyell Read"

date: 2019-04-26T00:00:00-07:00

categories: ['Writeups']

tags: ['angstromctf']

caption: ""

draft: false

My friend gave me [this](https://github.com/lyellread/ctf-writeups/blob/master/angstromctf-2019/lithp-60/lithp.lisp) program but I couldn’t understand what he was saying – what was he trying to tell me?

Author: fireholder

Points: 60

First things first, let’s open that lisp program . . . It actually is lisp… oh god what have I just gotten into?

The first lines were most important in solving this challenge the way I did it. It reads:

Well, then. Given that I do not want to read more lisp than I have to (lest I end up depressed), let’s try to make some sense just based on those variables. With quite a bit of certainty, it appears that reorder is as it is named – an array of indexes that will reorder something. My guess is that it is applied like this:

Now we need to try to unjumble this. I wrote up this mess to do that:

Apparently, that should be in the right order. Let’s think about it with ASCII on the mind, we should have ‘actf{…}’. Looks about right with two very similar values in the spots where we would expect ‘{‘ and ‘}’…

But those aren’t ASCII! yeah, but they are transformations of ascii values. It cannot be a scalar that is added to the ASCII values of the respective flag characters, as the ‘{‘ and ‘}’ values would have to be 2 apart (‘{‘ = 123, ‘}’ = 125). There could be a scalar value that all the ASCII codes are multiplied by. Let’s check that first value, 9312, which should be related to ASCII 97 (‘a’):

…interesting. Another: 15006 which should correspond to ‘{‘ or ASCII 123:

OK. So the algorithm to encrypt the flag is just:

Now we can complete the script:

These two scrips together make up [decode_lithp.py](https://github.com/lyellread/ctf-writeups/blob/master/angstromctf-2019/lithp-60/decode_lithp.py).

title: "ångstromCTF - streams"

author: "Lyell Read"

date: 2019-04-26T00:00:00-07:00

categories: ['Writeups']

tags: ['angstromctf']

caption: ""

draft: false

White noise is useful whether you are trying to sleep, relaxing, or concentrating on writing papers. Find some natural white noise [here](https://streams.2019.chall.actf.co/).

Note: The flag is all lowercase and follows the standard format (e.g. actf{example_flag})

Author: ctfhaxor

Points: 70

Hint: Are you sure that’s an mp4 file? What’s inside the file?

First, we deduced some information about the challenge by reading the description. “The flag is all lowercase” implies that we will be constructing it letter by letter, possibly from audio. First thing to check out is the video on the linked website – just river sounds.

We then proceeded to inspect the website – the HTML looks pretty standard, and I decided to leave player.js alone and come back to it if we failed to find a solution (would be more of a web challenge at that point). Under the ‘Network’ tab, we see that there appear to be two streams of chunks:


- chunk-stream0-0000*.m4s chunks initiated by init-stream0.m4s

- chunk-stream1-0000*.m4s chunks initiated by init-stream1.m4s

In addition there are two attempts to get a file called stream.mp4 (one that has a status of 206 – partial content, and one 200 – complete)… interesting. We got the file using the “Request URL”:

That’s interesting… Let’s open that in an editor. The XML reads as follows (cleaned up for conciseness):

Notice that there are actually 3 streams: 0: mp4 video, 1, 2: mp4 audio. Our hunch that some audio will contain our flag is looking good, but how to get this last audio file? To ensure that we know how this process of ‘getting’ a channel looks and works, we try it on a channel we know to exist: channel 0: mp4 video.

From our examination of the files required for the page, we know there are 4 chunks needed, and an init file. We know their names too.

Now that we have all our m4s chunks, we can concatenate them into an mp4 file:

That file plays the video of the brook that is on the site! Now onto grabbing the unknown audio stream. We need:

init file for stream2

chunks 1..n for stream2

…and because we think we know naming conventions, we can guess that those files will be called:

- init-stream2.m4s

- chunk-stream2-0000x.m4s | x in 1..n

Lets go try to grab that init file:

It exists! We’re go to get the chunks now, but how do we know how many to grab? What I did was to keep wget-ing the next one while the size of the file was reasonably large:

… rinse repeat:

Notice how the sizes drop off at the end? Chunks 9, 10, 11 are not even fetching chunks anymore, they are getting the HTML for the site. We can delete those, and keep 1..8.

Now we turn those good chunks into a mp4 file:

Listening to this file makes it obvious that morse code is at play, so off to the [online audio file to text (via morse) converter](https://morsecode.scphillips.com/labs/audio-decoder-adaptive/). There we upload the mp4, and get this result:

Well that looks ok… but what are those ‘#’? running it again cleans some of this up:

Let’s try to understand what it is saying. “flash is bead long live mpeg-dash”. They likely meant ‘dead’ not ‘bead’ so let’s fix that and give that flag a try:

title: "Meeting Notes - 3/7"

author: "Zander Work"

date: 2019-03-07T00:00:00-07:00

categories: ['Meeting Notes']

tags: []

caption: ""

draft: false

Thanks to Kees Cook for an awesome look at kernel security! Kees talked about how the kernel exploit for CVE-2017-7038 was discovered, which allowed privilege escalation due to a heap overflow.

You can see his slides [here](https://drive.google.com/file/d/1T4pHribl-TFyw02ho7goFhVGfSzXkqXB/view?usp=sharing), which also has information for building the POC images for the exploit.

This was our last meeting for Winter 2019, so I’ll see you all next term! Our first meeting will be on Week 2.

title: "Meeting Notes 4/18"

author: "Zander Work"

date: 2019-04-18T00:00:00-07:00

categories: ['Meeting Notes']

tags: []

caption: ""

draft: false

Tonight I gave a tutorial on IDA Pro basics, and how to get started with this awesome tool. I also released some new binaries on the CTF site for you to practice IDA.

Remember, as a OSU Security Club member you have access to our lab systems, which has the full version of IDA Pro and the Hex-Rays Decompiler installed, so make sure to use those if you want to take advantage of the advanced functionality.

[Link to the slides](https://docs.google.com/presentation/d/1hjS17xuQy3TXWGvnDxQHi0oSoadHruOOrJtmlPW1GT8/edit?usp=sharing)

title: "PRCCDC 2019 Results"

author: "Zander Work"

date: 2019-03-24T00:00:00-07:00

categories: ['Club News']

tags: []

caption: "Victory photo of 6 OSUSEC students, with one holding a trophy"

draft: false

This past weekend, OSUSEC competed at the Pacific Rim Collegiate Cyber Defense Competition (PRCCDC) hosted by Highline College. I’m pleased to announce that we placed 3rd out of 13 teams in this tough competition.

PRCCDC is a 2 day competition where each team must secure a mix of approximately 10 Windows and Linux systems, configure a border firewall, monitor and defend against attacks from the Red Team, and work with business users over the phone throughout the event.


Here’s the full team (from left to right):

- Emily Longman (Faculty Advisor)

- Lyell Read

- Ryan Kennedy

- Zander Work

- Hadi Rahal-Arabi

- Khoung Luu

- Zach Rogers

- Curtis Warrick

- Matt Jansen

For more information on the competition, please see the P[RCCDC website](http://prccdc.org/).