The very first Humla session at Null Delhi Chapter meet. Awkay, I am going to try and make this not sound like Chinese to people who have, no idea about what this is.
So “null” is an open community. Created and run by Aseem Jahakar sir, nation wide(india). This community is for hackers, for anybody and everybody who relates or wishes to relate him/herself with security. Atleast that’s what I have experienced till now! :)
So as a community what do we do?
As hackers or security enthusiasts we are always indulged in something or the other. Trying things and all possible combinations of those things… we accomplish things and get stuck at many places too…and at the end of the we are the kind of geeks who like to have fun and mean no harm. All this. All of it is what is null about. We meet. Monthly. Present what we have learned. Learn what others show. Discuss our technical problems. And have the chit chat we like to have. :D So this is what a null meet is about.
Coming to the humla session. “Humla” is a hindi word meaning “attack“. Or mapping it to our domain it simply means “offensive-security“. Now when u are a working in security u can specialize in any of its sub domains like web application security, reverse engineering, network security, forensics, auditing etc. And if for example I wish to try out a diff sub domain then that means I would have to dedicate some time each day and start learning from scratch. Not that we would not love to do it or can not do it.. but instead we have the concept of a “humla” session. This is basically a workshop wherein u are given a kick start in that sub domain by someone who is already an expert. He is called the “humla champion” by the way, the trainer for that day. The duration of the workshop is typically 6 to 8 hours with small breaks in between. And all of this is organized free of cost but yes their is a selection process prior to this. And that is because there is only limited space available plus since advance concepts are covered so people with atleast a little pre requisite knowledge are preferred.
Now a little about the venue. This is how you reach the building. If you are coming for the first time you might need this.
Reached till here ? Cool. Next you have to get yourself a pass made at the reception and the guard there would tell you where do you need to go. At the entrance of the section where you were guided to by the previous gurad, sits another guard who would give you a document on which particulars of your laptop are to be mentioned. *security reasons* . Hehe. And he’d further guide you to “Tlabs“. And you’d realize that you have reached the place because generally its just us in there! :D If you dont, just in case, then look for either Sandeep Bhaiya or Vaibhav Bhaiya. The honorable mods of our chapter! :) From the inside the place is really nice just as one would imagine any office.
Coming back to the topic of this post! :D This time’s session was on “linux exploitation” & our trainer or the humla champion was “mr. sohail”.(read 1337). I was really really excited. There have been a few subdomains of security I havent touched or infact touched and left them for a full fledged research to be done later. Exploit writing was one of them. I did try doing it… just read a few tutes from https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ and some stuff here and there to back it up. The stuff was really great but when I had started reading this, I did not know enough to go further. So kinda left that in between but this was the chance for me..as some one was there to spoon feed all of that to me! What better ?
Hence, I reached the venue half an hour early. :D Its just the excitement that can do this to me. Usually i am late. Serious Late. No problem. Since perhaps there was this one other guy who was, i guess, more excited than I was.. and had reached earlier to me. Cool.! Around an hour later Vaibhav Bhaiya came and told us that this session would not be conducted at the place we usually sit. It would be conducted in a room that was at the end of the place we usually are in the beginning of. But when we went there it was a conference room YAY! a conference room! I was already getting the feel. :D
Now everybody started coming in I am only going to talk about the ones I know :D So the first surprise was to see rahul gurnani sir there. He is currently pursuing his ms in information security from IIIT ahemdabad so he is generally not able to join us for all the meets. Then there was ashutosh bhaiya… sandy bhaiya came in.. and the star rishi narang sir, the most interesting guy since the last two meets came in… and there was anupam sir… aah about anupam sir.. the very first time you see him you’d feel he is the kind of strict disciplined guy you’d rather not talk to… but then you gotta look at his presentation on cloud forensics!! maahnn! That was one hilariously put together presentation. You would rather come to know about his fun loving side.! :) i can almost go on writing about each member present there… (i obviously miss shubham bhaiya the most.)
In a conference table… the u shaped one… as you would already know … they have ports(3 inside one small box covered with a white coloured lid in the table itself…for every 3 chairs they would have one such box) to charge your laptops (or anything else for that matter). So there was this one lid that wont open.. and i figured it was all the lids that had the same problem. So on looking at it carefully i learned that it wasnt actually a problem.. that was THE locking mechanism. All you need to do it put your finger inside it and push a stick towards the opposite side. TADA!! it opened.
All right so finally came in our champion *drum roll please* the humla champion and he told us that he wasn’t prepared and wasn’t able to complete his sleep too because of some work… sorry about the second part… but not being prepared… that was even better… because this just means we would do a lot more practicals and very less theory.. and that’s exactly what happened. We started of with very basics of virtual memory, stack, stack frames, calling conventions etc. Then there was the first hands on… it was basically about overwriting the return address by exploiting the strcpy function. Was nice but yes just the beginning. Ahh! Also we were told to install virtual box on our machines so that sohail sir could equip us with the right tools. Now we started off with copying the “vdi” file to pendrives and distributing the software… this took about half an hour till we all had copies of the file. Normally a vmware workstation user would just just double click on the vdx file and it would run with the workstation software but this was a vdi file we had with us.. so what we needed to do was basically add this as a hardrive while creating a machine on virtual box…The operating system was ubuntu 6. We used this particular version because it does not have “Address Space Layout Randomization“. That is, now we can code our exploit without using registers we could directly use memory addresses. And we used gdb to do all the reverse engineering on the program we were running. Ohkay, after all of this was done.. Then we had our first break. We ordered pizzas and subs.(only ordered during the first break) and had coffee. Then we came back and did our second hands on which was putting in the shell code at the return address. So we the did the typical putting in the shellcode at in the input string then loading the address where the shellcode starts as the return address. Nicely done. By the way we used metasploit’s tools every now and then. We used the pattern-create and pattern-offset to get the string that we fed into the strcpy function. This done basically to get the exact address in memory of the place where the return address gets overwritten. All about number. ;) Now generating the shellcode was also fun since we first tried using metasploit’s payloads for that but later we used a shell-gen script and that quickly gave us the 96byte shell code and we used that in our code. Was really nice doing all this. By the way sohail sir also told us that the code is generally called shell code because back in the days this kind of code would generally be used to return a shell. YOU MUST GIVE IT A SHOT!.
After this we had our second break! We had pizza’s in this break and after a small wait the subs arrived for those who ordered them, they were definitely much tastier now! :D And then was the third and the last section where we took an exploit and sohail sir explained that exploit by sort of going step by step and discussing how that was developed. In this exploit we did not use hard coded memory addresses but rather an address of an instruction that would call the register which would have the value of the offset to our entered code. ;)
Sohail sir was very expressive and i was getting everything that he was saying. And yes one more thing… i now knew most of the concepts that were required as I have been studying Reverse Engineering for a lot of time now! and that is probably why it all sounded very familiar.
All in all it was one nice experience and for the Null Delhi Chapter. #Achivement Unlocked.
You Might Want To Check Out:
by Adwiteeya Agrawal
So, what do you think ?