Lessons for Newbies

Discussion about hacker.org's server
Captain Segfault
Posts: 67
Joined: Sat May 05, 2007 6:11 pm
Location: San Carlos, CA

Post by Captain Segfault »

CyanideSociety wrote: Okay, this is probably a really stupid question, but when I make the BAT file and run it, it instantly closes when I open it, I've been playing around in C++ too and when I make those little beginner programs it does the same thing, just closes as fast as it opens. Any idea on how to make it stay? I've tried running cmd and opening the file from there as well.
Running from a cmd should be sufficient, but this script finishes almost immediately. You should probably see a line of output, though...
falcon2424
Posts: 30
Joined: Mon Apr 30, 2007 9:35 pm

Post by falcon2424 »

I'm in the process of writing my next little script. This one is going to be in Perl, so people who are interested might want to download Perl if they don't already have it.

The reason I'm using Perl is that I find it to be a nice language that's a bit more approachable than C++, and I think it has very good documentation. Also, I think Perl might be a good place for people to start programming.

I don't want to get into any 'holy-wars' (http://www.catb.org/jargon/html/H/holy-wars.html), but generally, Perl seems most useful for handy little scripts that people need to write. It isn't so good for large projects, especially not large projects that multiple people need to maintain. Generally, for those, people prefer to use other languages.

-----

There were a couple reasons I picked that batch script as a starting tutorial. The first was that I thought it would prod people towards using Google to find information. Ideally, it should have entered a couple lines into something called the 'hosts' file.

This file associates URLs with IP addresses. The IP address, as someone pointed out, was for the site 'cutelittlekittens.com'.

Normally, when you load hacker.org, your computer asks a server, "What's the IP address for hacker.org?" This is a lot like looking in a phone book, in that there's a big list with names on one side and numbers on the other. Your computer would then 'dial' that IP address and get information.

The hosts file is kind of like the sticky notes some people keep by a phone. The important thing is that your computer will check there before going to the 'phone book'. So, your browser would say, "oh, clearly, hacker.org is at the location 127.0.0.1, no need to do a formal lookup" and then it would show you the information sent by that site.

Firefox and Internet Explorer tend to only look at the 'hosts' file when they start up, so if you noticed that no changes took effect until you restarted your browser, that might be why.

Of course, this makes it so that the computer pulls up pictures of cats instead of a puzzle-site. (You can have some relatively harmless fun with this on people's computers, too. One thing to keep in mind is that your computer thinks of www.cnn.com as a different domain than cnn.com)

Next, there were the little bits of code. The command 'echo' just returns whatever was in the quotes. The command '>>' means 'concatenate' or roughly 'stick onto the end of the file'.

So, "echo foo >> file" says, "take the string 'foo' and stick it onto the end of 'file'."

Finally, the little script was intended to get people used to playing around with configuration files. This is something that will come up a lot later, so I figured it would be good if people got used to the idea of playing with their computer's settings.

As a final note, there was no particular reason for cutelittlekittens.com. I considered goatse, but decided that was done to death, and that having hacker.org suddenly turn into an overly cute site would be funny and clue people in that the problem was local (instead of the hacker.org site being hacked).
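
The hosts-file behaviour described in the post above can be checked from the defender's side. The following Perl script is an added example, not part of the original thread: it parses hosts-file text and reports every name that is pinned to an address and is not on a short list of expected local names. The sample content, the 203.0.113.10 address and the list of expected names are constructed assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample hosts content (not from the thread). 203.0.113.10 is a
# documentation-range address standing in for an unexpected redirect target.
my $sample = <<'END';
127.0.0.1       localhost
::1             localhost ip6-localhost
# lines below look like something appended with: echo ... >> hosts
203.0.113.10    hacker.org
203.0.113.10    www.hacker.org   # www. is treated as a separate name
END

# Names we expect to find in a default hosts file (an assumption; adjust
# for the system being audited).
my %expected = map { $_ => 1 } qw(localhost ip6-localhost ip6-loopback);

# Return a list of [line_number, ip, hostname] for every active mapping.
sub parse_hosts {
    my ($text) = @_;
    my @entries;
    my $n = 0;
    for my $line (split /\n/, $text) {
        $n++;
        $line =~ s/#.*//;                    # drop comments
        my ($ip, @names) = split ' ', $line; # address, then one or more names
        next unless defined $ip && @names;
        push @entries, [$n, $ip, lc $_] for @names;
    }
    return @entries;
}

# Any other name listed here is answered locally, before DNS is consulted.
sub unexpected_overrides {
    return grep { !$expected{ $_->[2] } } @_;
}

for my $e (unexpected_overrides(parse_hosts($sample))) {
    printf "line %d: %s is pinned to %s\n", @$e[0, 2, 1];
}
```

To audit a real machine, read the system hosts file into a string and pass it to parse_hosts in place of the sample.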
falcon2424
Posts: 30
Joined: Mon Apr 30, 2007 9:35 pm

Next Lesson

Post by falcon2424 »

Ok, this lesson is intended to be done from a *nix computer of some kind. I've verified that it works on my Ubuntu box.

For those of you who don't have Linux computers and want to play along, I'd recommend a boot disk.

Ok, this file I've labeled "hacker.pl"

Code:

#!/usr/bin/perl

print "Please enter file to be added to log.\n"; 
$file_name = <>;
chomp $file_name;
$command = "cat $file_name >> /dev/null"; 

print "going to execute the following command:\n";
print $command;
print "\n";

`$command`; #this executes the command as if from command line.
print "command executed successfully.\n"

Normally, you're probably not going to encounter any program this basic, but the error is not entirely uncommon. And, if you're interested in writing secure code, it's definitely something you should be aware of.

Imagine that I had this script running on my server. And, I made the mistake of having the script run as root. However, because I had my file permissions set correctly, people can't just directly make changes to the program code.

What input could you give the program to break it?
Kilo
Posts: 152
Joined: Thu Jul 19, 2007 5:59 pm

hmmm

Post by Kilo »

maybe this


sudo chown -R username:username /path/to/dir/

I think this command will take full ownership of dir.
Those in need of help, let me know and I'll do my best to advise you. Remember, I am not at fault for damage you cause; this is for learning purposes only!!! Visit http://nongkrong.team-forum.net/
falcon2424
Posts: 30
Joined: Mon Apr 30, 2007 9:35 pm

Post by falcon2424 »

Very close, you're just a step or two away.

Running your text produces this:

Code:

user@ubuntu:~$ perl hacker.pl 
Please enter file to be added to log.
sudo chown -R username:username /path/to/dir/
going to execute the following command:
cat sudo chown -R username:username /path/to/dir/ >> /dev/null
cat: invalid option -- R
Try `cat --help' for more information.
command executed successfully.
user@ubuntu:~$ 
gorzak
Posts: 18
Joined: Fri May 18, 2007 2:25 pm

fun times

Post by gorzak »

I am interested.

I could use lessons, and I am a newbie.

I knew what the hosts file is/does. I did know what echo did. I did not know that >> printed to a file. I did know that I needed to run from a command prompt if I wanted to see the results.

When echo didn't print to the screen for the hosts file references, I knew I was in trouble. I admit I was not super trusting. I figured out what happened immediately, and I repaired my hosts file before I reloaded the page. Then I did a whois to see where you were referring me, to see if it was safe. I never entered that IP until even after I posted this. The whois only referred me to the host, not the IP owner. I was too newb to figure out that it pointed to a kittens site. Even after reading it did here, I assumed that the site was down, and posted before checking. I had to edit this post to cut out a bunch of stuff that was wrong, because of my false assumptions. I don't mind being newbish, but I do mind giving out false info.

I haven't gotten to the second yet. I have the feeling I have a lot of learning to do to make the switch from Windows to *nix and learn programming concepts & Perl. I do hope to get around to it and appreciate the spirit of these challenges.
<<D.A.>>
Posts: 647
Joined: Wed Aug 15, 2007 5:16 pm
Location: nowhere

Post by <<D.A.>> »

well, this script can be exploited like this: & command-you-want-to-execute
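
The weakness discussed in this thread is that hacker.pl pastes user input into a string that is then handed to a shell. A hardened version of the same script follows as an added example, not code from the original posts: it validates the name and copies the file with Perl's own three-argument open, so no shell is involved. The directory /var/spool/uploads and the name pattern are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical locations, chosen for this example only.
my $allowed_dir = '/var/spool/uploads';
my $log_path    = '/dev/null';   # same destination as the original script

# Accept only a bare file name: no path separators, no whitespace, no shell
# metacharacters, and no leading dash or dot.
sub safe_name {
    my ($name) = @_;
    return undef unless defined $name;
    return $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/ ? $1 : undef;
}

sub append_to_log {
    my ($name) = @_;
    my $clean = safe_name($name);
    defined $clean or die "rejected file name\n";
    my $path = "$allowed_dir/$clean";

    # Three-argument open never passes the name through a shell, so
    # characters such as & ; | ` would have no special meaning even if
    # the validation above were missing.
    open(my $in,  '<',  $path)     or die "cannot read $path: $!\n";
    open(my $out, '>>', $log_path) or die "cannot append to log: $!\n";
    print {$out} $_ while <$in>;
    close $out or die "write failed: $!\n";
    close $in;
    return 1;
}

print "Please enter file to be added to log.\n";
my $file_name = <STDIN>;
defined $file_name or die "no input\n";
chomp $file_name;
append_to_log($file_name);
print "file appended.\n";
```

Running the script as an unprivileged user rather than root, the mistake the lesson post describes, limits the damage if any other flaw remains.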
Skywalker748
Posts: 4
Joined: Wed Mar 19, 2008 9:19 pm
Location: Planet Earth, third planet from the sun

Post by Skywalker748 »

Only one problem :( I own a Mac, running OS-X :). Could you please add Mac samples of code?
Thanks, Skywalker748
#include <stdio.h>

int main ( void )
{
printf ( "Hi there, hacker world." );

return 0;
}
<<D.A.>>
Posts: 647
Joined: Wed Aug 15, 2007 5:16 pm
Location: nowhere

Post by <<D.A.>> »

Skywalker748 wrote:Only one problem :( I own a Mac, running OS-X :). Could you please add Mac samples of code?
Thanks, Skywalker748
Try googling for some HOWTOs, you can install Linux on your Mac
Kilo
Posts: 152
Joined: Thu Jul 19, 2007 5:59 pm

hm

Post by Kilo »

Mac is horrible, sorry to say.
Skywalker748
Posts: 4
Joined: Wed Mar 19, 2008 9:19 pm
Location: Planet Earth, third planet from the sun

Post by Skywalker748 »

<<D.A.>> wrote:
Skywalker748 wrote:Only one problem :( I own a Mac, running OS-X :). Could you please add Mac samples of code?
Thanks, Skywalker748
Try googling for some HOWTOs, you can install Linux on your Mac
I do have the application Terminal (which goes to the lowest level to command a Mac), and I can run C, C++, C#, Java, and Carbon code on my Mac, but these programs A) Can't run in Unix, apparently and B) are aimed at Windows machines, as Macs don't have most of the files that are mentioned here. The OS folder is called System, and the Library is called Library. I just can't do these programs. :(
jack krauser
Posts: 1005
Joined: Wed Aug 29, 2007 5:45 pm
Location: greece

Post by jack krauser »

Skywalker748 wrote:
<<D.A.>> wrote:
Skywalker748 wrote:Only one problem :( I own a Mac, running OS-X :). Could you please add Mac samples of code?
Thanks, Skywalker748
Try googling for some HOWTOs, you can install Linux on your Mac
I do have the application Terminal (which goes to the lowest level to command a Mac), and I can run C, C++, C#, Java, and Carbon code on my Mac, but these programs A) Can't run in Unix, apparently and B) are aimed at Windows machines, as Macs don't have most of the files that are mentioned here. The OS folder is called System, and the Library is called Library. I just can't do these programs. :(
I suggest you get Linux or windowz.
hacker is a life style. it's one that alters how you think, your perception of reality, your way of dealing with things in general, as well as things so common as how you talk, how you carry yourself, and even when and how long you sleep.

by Loyal_Dark
0.Dark.Thought
Posts: 103
Joined: Sun Mar 16, 2008 5:56 pm

Post by 0.Dark.Thought »

<<D.A.>> wrote:
Skywalker748 wrote:Only one problem :( I own a Mac, running OS-X :). Could you please add Mac samples of code?
Thanks, Skywalker748
Try googling for some HOWTOs, you can install Linux on your Mac
Yeah, Mac may be user friendly, but if you're hacking, it's a nightmare.
Education is a progressive discovery of our own ignorance.
NeptuneSaint
Posts: 2
Joined: Thu Apr 03, 2008 1:31 am

where should i start?

Post by NeptuneSaint »

I really desire to join you,but I am a newbie. :cry:

I am very interested in computer, programme and hacker. But I just know
a little about programme with C++. There are so many things for me to
learn. I don't know where I should start. So, could you give some suggestions
or free information online which I can learn myself. THANK YOU!
make friends!
<<D.A.>>
Posts: 647
Joined: Wed Aug 15, 2007 5:16 pm
Location: nowhere

Re: where should i start?

Post by <<D.A.>> »

NeptuneSaint wrote: I really desire to join you, but I am a newbie. :cry:

I am very interested in computer, programme and hacker. But I just know
a little about programme with C++. There are so many things for me to
learn. I don't know where I should start. So, could you give some suggestions
or free information online which I can learn myself. THANK YOU!
Get yourself Linux, learn it... Learn programming - if you have started with C++ - keep it going... If you are interested in webhacking learn HTML, Javascript, PHP. Learn about networking. These are the basic knowledges. I've written an article for newbies, you can check it out: http://tha-hell-hackers.kx.cz/forum/vie ... f=15&t=365