Knowing How To Write Code Is Liberating

Last August, I decided it was time to go back to school and finish up my degree. In some ways it feels like a pointless endeavor because I’ve been writing code for years now, and I often don’t feel like I learn much at school. That was until a few days ago. This semester I am taking an Information Security class, which is very exciting to me as InfoSec is one of my passions. In my class, we’ve started going over brute forcing passwords which includes generating word lists. Since this is an introduction class, I went into it with an attitude that it would be boring and I’d just waltz right through it (and so far I have), but recently this class forced me to think differently about education.

As I mentioned before, we are going over generating word lists. To ease our way into it, the first assignment was to generate a list of possible passwords that are 4 characters long and only numeric. The instructions for the assignment were to go download some software that would allow me to just click a few options and it would produce what I needed. My first thought was, “Ugh… I don’t want to go find this software and get it installed in my Windows VM just for this.” And that’s when my thought process changed. It occurred to me that I already have everything I need at my finger tips. I know how to write code. In just a few minutes I wrote a Perl scripts and then condensed it down to this one liner.

perl -e '$i=0;while($i<=9999){printf("%04d\n", $i++)}' > list.txt

Pretty simple while loop that prints out a number with zero padding to make sure its 4 characters long. I just turned a 30 minute project into a 5 minute project, and most of that time was because I originally wrote it as a script and then turned it into a one liner.

Then I started thinking about some problems I’ve solved lately.

My wife and I use OSMC (Open Source Media Center) on a RaspberryPi for watching TV. Sometimes the Pi freezes and I have to SSH into and manually reboot it. This is great until it freezes and I’m at work. My wife is a very intelligent person, but she’s not really into learning how to SSH into something and reboot it. So I wrote a quick little desktop program for it.

#!/usr/bin/perl
use strict;
use warnings;
use Gtk2 -init;
my $output = `ping -c 1 osmc.local | head -1`;
$output =~ /(\d{0,3}\.\d{0,3}\.\d{0,3}\.\d{0,3})/;
my $pi_ip = $1;
my $window = Gtk2::Window->new('toplevel');
my $restart = Gtk2::Button->new('Restart');
$restart->signal_connect(clicked => sub { my $cmd = qq{ssh -o "StrictHostKeyChecking no" -i /path/to/key osmc\@$pi_ip '/usr/bin/sudo /sbin/shutdown -r now'}; `$cmd`; Gtk2->main_quit });
$window->add($restart);
$window->show_all;
Gtk2->main;

Yeah, that’s some pretty rudimentary regex, and I’m using backticks instead of something like IPC::Open3, and I’m using an SSH key with a blank password, and why am I getting the IP from the output of <code>ping</code>? I have me reasons. And I didn’t write this to be the most secure thing possible. I wrote it to give my wife a way to click a button to restart the Raspberry Pi when I’m away from home. I’ll probably rewrite it 5+ times just because I thought of a different way to do it. (Or not, because I recently got a FireTV Stick and side loaded Kodi into it.)

One more example. I use Pianobar (a CLI wrapper to Pandora). I use vim for writing code so I’m virtually always in a shell. It makes it easy to switch to a different tab to manage what I’m listening too. I’ve also used terminal-notifier (a pretty cool way to generate notifications on a Mac). Pianobar provides an event API. For example, when a song starts it will emit an event that gives the name of the song, the artist, and some other information. So I wrote a script that listens for that event to give me a notification when a new song starts.

#!/usr/bin/perl
use strict;
use warnings;
use IPC::Open3;

if (my $action = shift @ARGV) {
if ($action eq ‘songstart’) {
my $info = {};
while () {
chomp $_;
my @thing = split /\=/, $_;
$info->{$thing[0]} = $thing[1];
}

my @cmd = (‘/usr/local/bin/terminal-notifier’);
if ($info->{coverArt}) {
push @cmd, (‘-appIcon’, $info->{coverArt});
}
if ($info->{artist}) {
push @cmd, (‘-subtitle’, $info->{artist});
}
if ($info->{title}) {
push @cmd, (‘-title’, $info->{title});
}
push @cmd, (‘-sender’, ‘1’, ‘-remove’, “‘ALL'”);
if ($info->{stationName}) {
push @cmd, (‘-message’, $info->{stationName});
}
my ($in, $out);
my $pid = open3($in, $out, $out, @cmd);
waitpid($pid, 0);
}
if ($action eq ‘userlogin’) {
print “\n\n”;
printf “%20s\n”, ‘HELLO GARTH’;
print “\n\n”;
}
}

Here’s an example of the notification.

Terminal Notification

 

 

 

It’s been really handy. An addition I plan on making is making the notification clickable to skip the song.

UPDATE: Today, I wrote the addition to skip songs by clicking the notification. Its been surprisingly awesome. I wish I would’ve done it a little sooner.

I’ve learned that education isn’t about bending my mind to fit into the paradigm a teacher imposes upon me, which seems to be what a lot of my college professors believe education is. Education is about building upon the knowledge I already have. Education is improving my skills. Education is learning how to think.

Upcoming Series: Weather Station with a Raspberry Pi

Over the last few days I’ve been tinkering with my Raspberry Pi, an MCP3008 analog/digital converter, a TMP36GZ temperature reader, a breadboard and a bunch of wires. You can get most of these things in a kit here. I’ve learned some great things along the way and I’ll be sharing that with you in an up-coming series. Temperature reading will be just one part. I’m cooking up some fun things to go with it. Maybe humidity sensing, and some other fun stuff. Its still in the works, so things will probably change as we go. Stay tuned for the first part of the series 🙂

Fixing Squeaky Floors

We’ve all walked on a wood floor that’s really squeaky and its quite annoying. Luckily its pretty easy to fix. I’ve been remodeling my basement over the past little while and took advantage of my basement ceiling being ripped open. My upstairs hardwood floor was pretty squeaky. You can’t really expect much else from a house built in the 1960’s. Since the ceiling in the basement was being insulated and an drywall put up, it was really easy to access the joists for the upstairs floor. It only takes a few steps. Here’s how you do it if you have access to a crawl space or from below the floor:

Needed Materials:

Pretty cheap tools for a good floor fix.

Step 1: Use a friend to help you locate squeaky spots

While you are below the squeaky floor, have a friend walk around until they find a squeaky area. Have them rock back an forth on the squeaky spot so you can pinpoint the area from below. If you need a little extra help, have your friend knock on the floor. This makes it easier to hear and, if you need to, feel where the squeak is located.

Step 2: Shim the joists

Floor Joists

Put a little carpenters glue on the top of the skinny end of a shim and slip it between the floor joist and the sub-flooring where the squeak is occurring. Give it a few taps with your hammer, but don’t push it in too far. Pushing it in too far can raise the floor in other areas and cause more squeaks or other problems. It make take a few shims in an area depending on how much the floor moves.

Step 3: Repeat

Repeat steps 1 and 2 until you’ve eliminated all the squeaky spot.

Congratulations, enjoy your squeak free floor! (Note: You can’t eliminate every single sound your floor makes. As it ages, little pops and creaks are unavoidable. This is for fixing the loud squeaks.)

If you don’t have access to underneath the floor, here’s an instructional video from This Old House:

An Intro to WP-CLI


One of the most powerful tools in the WordPress world is the WordPress Command Line Interface or WP-CLI. From user management, to managing plugin and theme updates, WP-CLI can pretty much do anything you need it to do.

User Management

One of the easiest things to do is manage users. From updating email address and display names to user meta, capabilities, and roles. Here’s a quick example on updating a display name for a user.

$ wp user update wordpress@gmail.com --display_name="WordPress User"

This will update the user with the email address “wordpress@gmail.com” to have a display name of “WordPress User”. Pretty much any information about a user can be changed with the update command.

Plugin Management

Managing plugins can sometimes be a pain because of many factors, but WP-CLI can alleviate some of that. Here’s a quick list of plugins and information about them.

$ wp plugin list

As you can see, we have a few out of date plugins here. Luckily updating those is a breeze.

$ wp plugin update <plugin name>

You can also activate and deactivate plugins easily with:

$ wp plugin activate <plugin name>
and
$ wp plugin deactivate <plugin name>

Or to simplify it $ wp plugin toggle <plugin name> will just switch the status to the opposite of whatever it currently is.

If you’re deactivating plugins because you have a white screen of death (WSOD), you can still deactivate plugins with the --skip-plugins flag.

$ wp plugin deactivate <plugin name > --skip-plugins

This will stop all plugins from loading and allowed WordPress to deactivate plugins correctly.
Protip: $ wp plugin deactivate --all --skip-plugins

WordPress Core Management

Making sure WordPress core (and plugins/themes) are up to date is one of the best ways to keep yourself a little more safe against vulnerabilities. WP-CLI provides some awesome tools for managing WordPress core.

$ wp core verify-checksums

This is one of my favorite commands. It will check all of your WordPress core files and verify that they haven’t been modified or tampered with. This is extremely useful for fixing hacked sites because it will tell you exactly which file has been changed.

Let’s say your site has been hacked and core files have been modified. $ wp core download --force will download the latest version of all WordPress core files and undo any changes. After this you should probably make sure your themes and plugins are up to date. Sometimes, it takes a professional to make sure all hacks are eliminated.

The Power of WP-CLI

A nifty tool I’ve had the opportunity to work on is called wp-tools, which is a Perl wrapper around WP-CLI commands. One of the features of wp-tools is the ability to update core, themes, and plugins. It does this the right way by first taking a backup of your site and updating the components you specify. If any problems are detected on the site after the upgrades, your site will automatically be restored to the backup. This tool has been battle tested and used to update more than 2 million WordPress installations.

If you have any questions or comments about WP-CLI please leave a comment below or use my Contact Page.

Installing a LetsEncrypt SSL on Bluehost

So, letsencrypt is probably one of the best initiatives surrounding building a secure internet, because encryption is important. I really wanted to figure it out on my shared bluehost account, so here it is.

A few notes before we start, you will need access to a secondary server, local machine, or virtual machine that has python and other dependencies required for the letsencrypt client. Details on that can be found here: https://letsencrypt.readthedocs.org/en/latest/intro.html. I’m working on a way to get this to run on the Bluehost shared server itself so access to another server or doing it on your local machine isn’t required.

Once you’ve got letsencrypt and the required dependencies installed, stay ssh’d into your secondary server and run:

$ ./letsencrypt-auto --email your@emailaddress.com --text --authenticator manual certonly

And follow the prompts. At a certain point, it will give you some commands to run. The only one you really need is the printf command. SSH into the server you want the cert on and get to the root of the domain you’d like and run that command. It will look something like this:

$ printf "%s" aBuNchOfR4nd0mT3Xt > .well-known/acme-challenge/aBuNchOfR4nd0mT3Xt

Once that’s run, go back to the other shell session and finish following the prompts. This will generate a certificate and drop the necessary files in /etc/letsencrypt/live/(the domain you chose)/.

You’ll then need to follow the instructions here to upload the files correctly. Then contact Bluehost support to get the SSL certificate installed. Once that’s done, and any redirects you need to force people to use SSL on your site.

In the future I’ll be writing a script that automates the renewal process. Well, everything but actually re-installing the SSL certificate. You’ll still have to contact Bluehost to get the cert installed.

Compiling Node on Bluehost Shared Accounts

I’ve used node in a number of places and wanted to get it installed on my shared hosting account. Here’s how I did it. Note: To follow this, you have to have SSH access enabled. You can find instructions for that here.

Once you’re ssh’d into your account, go to your local bin directory. and download the node tarball.

$ cd ~/bin

$ wget http://nodejs.org/dist/v0.10.15/node-v0.10.15.tar.gz

Then unpack the .tar.gz and move into the node directory.

$ tar -xvzf node-v0.10.15.tar.gz

$ cd node-v0.10.15

Here’s where we configure, make, and make install node.

$ ./configure --prefix=$HOME/node

$ make -j"$(nproc)"

$ make install

Now that we have node compiled and installed, test the binary.

$ node --version

You should get v0.10.15 as the version. Now you can go about your way using node on a Bluehost shared account.

If you receive an error about the node command not being found, make sure the ~/bin directory is in your bash $PATH or make an alias to the node binary.

Compiling PHP 7 on Bluehost Shared Accounts

UPDATE: There is now an easier way to change your PHP version. Just login to your Bluehost control panel and go to “PHP Config”, select PHP 7 and click “Save Changes”.

UPDATE: This is no longer required to use PHP 7 as Bluehost has put PHP 7 on their servers. You can now put one of these directives in your .htaccess file depending on how you want PHP configured. If you don’t know what these do, just go with the first one.

AddHandler application/x-httpd-php70 .php for regular PHP
AddHandler application/x-httpd-php70f .php for FastCGI
AddHandler application/x-httpd-php70s .php for Single ini

I’ve been hearing about all these speed increases from lower PHP versions to PHP 7, so I thought I’d see if I could get it compiled on my Bluehost shared account. I was able to get it compiled and running, but I haven’t done any speed comparisons yet. I’ll just show you how I got it compiled for now. To follow this, you have to have SSH access enabled. You can find instructions for that here.

Once you’re ssh’d into your account, go to your local bin directory. and download the PHP 7 tarball.

$ cd ~/bin
$ wget http://us3.php.net/get/php-7.0.0.tar.gz/from/this/mirror

Then unpack the .tar.gz and move into the PHP 7 directory.

$ mv mirror php7.tar.gz
$ tar -xvzf php7.tar.gz
$ cd php-7.0.0

Here’s where we configure, make, and make install PHP 7.

$ ./configure --with-config-file-path=/homedir/username/etc/php/ --with-config-file-scan-dir=/homedir/username/etc/php/conf.d/ --enable-mysqlnd --with-curl --with-openssl --with-readline --with-recode --with-zlib --with-mysqli --prefix=/homedir/username/bin/ --enable-mbstring --with-gd
$ make -j"$(nproc)"
$ make install

Note: Make sure to change “/homedir/username/” to your homedir and username. You can get this with pwd. Additionally, this is compiled with only a few options. You can compile with whatever options you’d like.

Now that we have PHP 7 compiled and installed, test the binary. Make a PHP file with the following:

<?php
echo "ok\n";
?>

Then run it.

$ ~/bin/bin/php filename.php

You should see the output “ok”. The final step is to make .htaccess run your PHP files with PHP 7. Change to whatever directory you want PHP 7 to run in and make a symlink to your php binary.

$ cd ~/public_html
$ ln ~/bin/bin/php-cgi cgi-bin/php

Then drop the following in your .htaccess file:

<FilesMatch "\.php$">
Action application/x-httpd-php7 /cgi-bin/php
SetHandler application/x-httpd-php7
</FilesMatch>

And there you go. Whatever site is in that directory is now running on PHP 7.

A few notes. This isn’t exactly a great way to get on PHP 7, I’m just showing that it’s possible. If you do decide to do this, I’m not responsible for your actions. Use this with caution.

SaintCon 2015

SaintCon was amazing this year. If you aren’t familiar with SaintCon, it’s the premier internet security conference in Utah. I would contend that its one of the best in the country. At SaintCon there is always a hackers challenge (CTF). I’m going to go over some of the challenges so someone can learn the things I learned.

Binary challenge 1

A pretty straight forward challenge. We were given a binary to download. All it took was running ‘strings’ on the binary.

$ strings -a thread_edebd39bb52183389cd8f153b3ba25e1

Which resulted in the output:

As you can see, this grabbed all readable text from the binary and dumped it. The flag was in there followed by a quote.

Binary challenge 2

The title of this binary was “crashme”. To look for clues I ran strings on this file as well:

After looking into strcpy(), it was apparent that it was easy to accidentally allow a buffer overflow. We could easily test a 100,000 character buffer with a simple command.

$ ./crash $(python -c "print 'A'*100000")

Which produced the output:

After the buffer overflow, we had retrieved the flag.

Potent Pwnables last challenge

This was one of my favorite challenges. This was pretty much an exact replication of the latest Joomla! session hijacking vulnerability. There were a number of changes such as the database prefix being different and the page_id/item_id being different, but those were trivial to find out once it was identified.

The tool that made this challenge easier is called hackbar. It makes editing your SQL injection a lot easier than in the url bar. For more information on this exploit, I suggest reading the Proof of Concept linked to earlier.

I’ll get some more challenges up as I have time. Thanks for reading.