IT-Sec_Group_K/it-sec-exercises
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 5 Wiki Activity

Compare commits

base: IT-Sec_Group_K:sheet02-submission
Branches Tags
IT-Sec_Group_K:main
IT-Sec_Group_K:sheet05-submission IT-Sec_Group_K:sheet04-submission IT-Sec_Group_K:sheet03-submission IT-Sec_Group_K:sheet02-submission IT-Sec_Group_K:sheet01-submission
..
compare: IT-Sec_Group_K:sheet04-submission
Branches Tags
IT-Sec_Group_K:main
IT-Sec_Group_K:sheet05-submission IT-Sec_Group_K:sheet04-submission IT-Sec_Group_K:sheet03-submission IT-Sec_Group_K:sheet02-submission IT-Sec_Group_K:sheet01-submission

17 Commits
sheet02-su ... sheet04-su

Author SHA1 Message Date
Leo
58553b688a feat: a3
All checks were successful
zip and release / build-and-release (push) Successful in 3s
Details
2026-05-22 11:52:02 +02:00
Leo
b118e163b2 feat: a2 2026-05-22 11:46:10 +02:00
Viktoria Konschuh
266df5d32c Edit explanation.txt 2026-05-21 19:18:15 +00:00
Viktoria Konschuh
a2d5d23307 Edit supervisor.sh 2026-05-21 19:14:24 +00:00
Viktoria Konschuh
e40906a933 Edit archive.sh 2026-05-21 19:12:14 +00:00
Viktoria Konschuh
f29fbed900 Edit create_user.sh 2026-05-21 19:10:49 +00:00
Leo Habrom
ea32ada42d feat: create files 2026-05-21 13:47:54 +02:00
Unbreathable
6676f07705 feat(4): task 2c 2026-05-15 10:15:55 +02:00
Unbreathable
62fb088403 feat(4): task 2b 2026-05-15 10:15:55 +02:00
Leo
64ae54469d a1 c 2026-05-15 10:06:30 +02:00
Leo
b3f7f42ab0 a1 a+b 2026-05-15 10:04:03 +02:00
Unbreathable
9b0467677a feat: task 2a 2026-05-15 09:40:28 +02:00
Julian Golenhofen
203f68ea1b feat: task b done 2026-05-06 11:11:27 +00:00
Julian Golenhofen
20bdc23597 feat: finish task a 2026-05-06 11:03:09 +00:00
Julian Golenhofen
92820ce20c feat: parts of task a 2026-05-06 10:55:52 +00:00
Leo
07568edbcd feat: found the exploit in the code and attaced the server 2026-05-02 19:48:28 +02:00
Leo
a23ec65d30 feat: init sheet03 2026-05-02 19:00:49 +02:00
24 changed files with 569 additions and 1 deletions
Expand all files Collapse all files

5
.gitignore vendored
View File

@@ -1,3 +1,6 @@
*.pdf
sheet01/a2/Hash.java
*.class
*.class
passwd
sheet04/AuthWithTOTP.java
sheet04/key-exchange.pcap

98
sheet03/a1/a.txt Normal file
View File

@@ -0,0 +1,98 @@
1.
positives:
- The password is very hard to guess / bruteforce
- There are no physical ways to obtain the password except for hacking one of the services where you have an account
- You don't have to remember a lot and the effort is low compared to other methods
negatives:
- If one service gets hacked and your password is found out, all your accounts are compromised
- If you forget your password, you don't have a good recovery method for your account (unless the service provides one)
- Even though your password is pretty strong, you are still a pretty easy target
2.
positives:
- The password is very hard to guess / bruteforce
- There are no physical ways to obtain the password except for hacking one of the services where you have an account
- You don't have to remember a lot and additionally to 1 only the method you're using (that you append the first letter of every service to it)
negatives:
- If one service gets hacked and your password is found out, getting into other accounts is harder than 1, but still pretty easy if they figure out your method
- If you forget your password, you don't have a good recovery method for your account (unless the service provides one)
- Even though your password is pretty strong, you are still a pretty easy target (although a tougher one than 1)
3.
positives:
- Your passwords are very hard to guess / bruteforce
- If one of your accounts gets hacked, none of your others compromised
- You don't have to remember a lot, except for the secure place / the means to get to the secure place
negatives:
- If someone finds and steals your password book, you don't have any means of getting your accounts back
- If you need to access your passwords from somewhere where you don't have access to your password book, you can't log into any of your accounts
- Keeping the password book around is a huge maintenance burden (compared to 1 + 2 for example)
4.
positives:
- Your passwords are very hard to guess / bruteforce
- If one of your accounts gets hacked, none of your others are compromised
- You can easily take all of your passwords with you
negatives:
- If someone finds and steals your USB stick, you don't have any means of getting your accounts back
- If you need to access your passwords from somewhere where you don't have access to your USB stick, you can't log into any of your accounts
- Keeping the USB stick around is a little bit of a burden (compared to 1 + 2 for example, 3 is a bigger burden of course)
5.
positives:
- Your passwords are very hard to guess / bruteforce
- If one of your accounts gets hacked, none of your others are compromised
- Finding all of your passwords is really easy and convenient
negatives:
- If your PC breaks, you don't have access to any of your passwords anymore
- If you don't have access to your PC where you need one of your passwords, you can't log into your accounts
- If you lose any of your passwords, you don't have a proper way of getting them back (like deleting it on accident or something)
6.
positives:
- Your passwords are very hard to guess / bruteforce
- If one of your accounts gets hacked, none of your others are compromised
- Taking your passwords with you is really easy
negatives:
- If the service storing your passwords gets hacked (and is not properly protected), all of your passwords could be vulnerable
- Depending on how you access this password manager, your account may not be so secure
- You need to keep around an extra password for your password manager (that you need a good strategy for as well)
7.
positives:
- Bruteforcing one of your passwords doesn't leak your main password (assuming the password derivation is good)
- If one of your accounts gets hacked, none of your others are compromised
- Knowing your main password, means you know all of your passwords (because they are simply derived, they are not unrelated to your main password)
negatives:
- You need to keep around an extra password for your password derivation service (that you need a good strategy for as well)
- If your main password is found out, all of your accounts are compromised
- You are a relatively easy target since all it takes is cracking your main password (and knowing one site you have an account for)
8.
positives:
- Your passwords are very hard to guess / bruteforce
- If one of your accounts gets hacked, none of your others are compromised
- Finding all of your passwords is really easy and convenient
negatives:
- If your PC breaks, you don't have access to any of your passwords anymore
- If you don't have access to your PC where you need one of your passwords, you can't log into your accounts
- If you lose any of your passwords, you don't have a proper way of getting them back (like deleting it on accident)
9.
positives:
- You don't have to remember a lot of passwords
- If one of your accounts gets hacked (and are unrelated to the password reset method), none of your others are compromised
- Getting into your accounts is really easy
negatives:
- If your reset password method gets compromised, you don't have a way of getting back your account
- Not all services may have a reset password function
- You are a relatively easy target since all it takes is cracking your reset password method (if it is an email address for example)

3
sheet03/a1/b.txt Normal file
View File

@@ -0,0 +1,3 @@
A potential strategy is to use a password manager, like Proton Pass, that encrypts all of your passwords when they are uploaded to the cloud. With this approach, you have to remember one password for your password manager and get a really convenient solution that won't break down even if the provider were to be compromised (as in the service itself). With a good recovery strategy like keeping something like a recovery token in a secure place in your house, you can make sure you never lose access to your password manager.
This approach of course has downsides, if the password you use for the password manager is weak, you are still an easy target. Like you would be with 1 or 2, but you would still have a recovery method. Compared to 7 however, you still never have a way of knowing your passwords without authenticating with the provider you're using. On top of that, keeping the recovery token at home makes you vulnerable to physical attacks similar to 3 or 4. These attacks are usually a hard thing to perform though, so I think it's still better than using a cloud password manager or one provided by your operating system.

71
sheet03/a2/Auth.java Normal file
View File

@@ -0,0 +1,71 @@
import java.io.Console;
import java.util.Map;
import java.util.HexFormat;
import java.util.stream.Collectors;
import java.nio.file.Path;
import java.nio.file.Files;
import java.security.MessageDigest;
public class Auth {
private static final byte[] INVALID_HASH = "----------------------------------------------------------------".getBytes();
public static void main(String[] args) {
try {
Map<String, byte[]> passwd = Files.readAllLines(Path.of("passwd"))
.stream()
.filter(line -> line.indexOf(":") > 1 && line.length() > 3)
.collect(Collectors.toMap(
line -> line.substring(0, line.indexOf(':')),
line -> HexFormat.of().parseHex(line.substring(line.indexOf(':') + 1))
));
System.out.println("Chocolate Factory SCADA Command Line Interface v2.2.144");
System.out.println();
System.out.println("Please, enter your authentication credentials.");
System.out.println();
Console cons = System.console();
String username;
String password;
long timeout = 500;
while (true) {
username = cons.readLine("> Username: ");
password = new String(cons.readPassword("> Password: "));
MessageDigest digest = MessageDigest.getInstance("SHA-256");
byte[] encodedHash = digest.digest(password.getBytes());
// constant time comparison to prevent timing attacks
if (MessageDigest.isEqual(
passwd.getOrDefault(username, INVALID_HASH),
encodedHash
)) {
System.out.println();
System.out.printf("Welcome %s!%n", username);
Thread.sleep(150);
break;
} else {
// exponential timeout to prevent brute force attacks
System.out.println("Incorrect username and/or password.");
Thread.sleep(timeout);
timeout *= 2;
}
}
printSystemStatus();
printSecretRecipe();
} catch (Exception e) {
// ignore
}
}
private static void printSystemStatus() throws Exception {
// TOP SECRET
}
private static void printSecretRecipe() throws Exception {
// TOP SECRET
}
}

5
sheet03/a2/a.txt Normal file
View File

@@ -0,0 +1,5 @@
The Code uses unsalted hashes of the passwords.
That way there is no random data added to the hashes and it is very easy to find identical hashes using
pre-computed lookup tables.
Using such a tool we found that the password admin123 has the same hash that is stored for the username admin.

77
sheet03/a2/b.txt Normal file
View File

@@ -0,0 +1,77 @@
07:46:38 leo@group-20 ~ → cat .ssh/config
Host chocolate
User chocolate
Hostname 10.42.23.1
07:46:13 leo@group-20 ~ → ssh chocolate
chocolate@10.42.23.1's password: chocolate
Chocolate Factory SCADA Command Line Interface v2.2.144
Please, enter your authentication credentials.
> Username: admin
> Password: admin123
Welcome admin!
We are currently clean on OPSEC.
Current System Status:
🏭 Production Line 1: [🟢 ONLINE] - Idle
🏭 Production Line 2: [🟢 ONLINE] - Running (Secretly Sweet Chocolate Batch #42)
🏭 Ingredient Hopper (Cocoa): [🟢 ONLINE] - Level: 85%
🏭 Ingredient Hopper (Sugar): [🟢 ONLINE] - Level: 92%
🏭 Ingredient Hopper (Milk Powder): [🟢 ONLINE] - Level: 78%
🌡️ Temperature Control System: [🟢 ONLINE] - Target: 45°C (±0.5°C)
⚙️ Mixing Unit A: [🟢 ONLINE] - Standby
⚙️ Mixing Unit B: [🟢 ONLINE] - Active
🍫 Molding Machine Alpha: [🟢 ONLINE] - Ready
🍫 Molding Machine Beta: [🟢 ONLINE] - Processing
🧊 Cooling Tunnel System: [🟢 ONLINE] - Target: 10°C (±1°C)
📦 Packaging Unit Delta: [🟢 ONLINE] - Awaiting Output
🤖 Quality Control Bot v3.2: [🟢 ONLINE] - Monitoring
⚡ Power Supply: [🟢 ONLINE] - Stable
🌐 Network Connectivity: [🟢 ONLINE] - Good
🔒 Security System: [🟢 ONLINE] - Active
----------------------------------------------------
✅ ALL SYSTEMS GREEN. Chocolate production is nominal. ✅
📝 Recipe for 'Secretly Sweet Chocolate Batch #42
Ingredients:
1 'Bargain Bin Chocolate Chunk'
(obtained from ... questionable sources)
3 'Heaping Spoonfuls of Questionable Granules'
(definitely not pure sugar)
A splash of 'Mysterious Gloss'
(something called vasline, maybe inedible,
but it makes things shiny!)
Instructions:
Acquire the Goods:
Locate and 'liberate' the cheapest-looking chocolate
you can get from the competition.
The Melt Down:
Subject the 'Bargain Bin Chocolate Chunk' to intense heat.
The goal is a questionable, slightly lumpy liquid.
Sweeten the Deal:
Introduce the 'Heaping Spoonfuls of Questionable Granules'
to the melted chocolate. Stir vigorously (or just shake the
container violently). The mixture should become alarmingly
sweet.
The Glossy Finish:
Add a dash of 'Mysterious Gloss.' This will give the product
an unsettlingly shiny appearance.
Mold it (Sort Of):
Pour the concoction into a vaguely bar-shaped container (the
packaging of the input chocolate might work?).
The Pay Off:
Pay tons of influencers to advertise this as the best
chocolate they have ever tasted, and price this chocolate
at a ridiculous high price!!1! 🤑💰💸
Connection to 10.42.23.1 closed.

0
sheet03/a2/c.txt Normal file
View File

3
sheet03/a2/passwd Normal file
View File

@@ -0,0 +1,3 @@
admin:240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9
alice:57a975ec110f89a7ca6a8c39aec856890b10488006106fb12c3a5fe063b1e7d5
bob:2a3cc87f95b4363a1e6483d4659671361f86239735d31e8c4a9be893a2427c19

37
sheet04/a1/a.txt Normal file
View File

@@ -0,0 +1,37 @@
We found this Client Hello Handshake with the filter: tls.handshake.type == 1:
TLSv1.3 Record Layer: Handshake Protocol: Client Hello
Handshake Protocol: Client Hello (last fragment)
[2 Reassembled Handshake Fragments (1496 bytes): #1(1158), #2(338)]
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
...
Extension: key_share (len=1258) X25519MLKEM768, x25519
Type: key_share (51)
Length: 1258
Key Share extension
Client Key Share Length: 1256
Key Share Entry: Group: X25519MLKEM768, Key Exchange length: 1216
Group: X25519MLKEM768 (4588)
Key Exchange Length: 1216
Key Exchange […]: 6bfb169eb1aef0e121d7247092da22c2a75367eb7f620538b3f81ae29926ade590eee3ccdaf8afb793819dc8110f241d5827cc97a52151cbc99d9307053bc575f04c9c2457156bb5dcf5cd6a4c9fbcb8852366b47e253109e9ac0847875f6387cc794a04c30b17b31460a063758a6aeaf979cdd08a889a3de5a748289b72b6d83062071085d8323f86622db4c2ed71792dd325374096f331b1d143c347e87d1c545133b3542c605c092548a8179bdf76b32dcb9bd6fc46dd514eed92a3b67824bfe8a58997c75dc32333c46696b7ce71d62eff77c15ef0afdeea33add5a5cf054eb5911705a62deb7bae6ddc7e9680c9d479065e7c3e298a86cd1982c7c8bd002cc755c663fea62b51f182c685315f9c5f13b9c0a751881f414f40a17773c37658aa786aba6d9032447b60a59ad01904a9c59e369e76080dc4a9743ce505b7053369c596f0a23fcecc705aa3340409b557f093bb9b26a7fc07f78743eebb297a33271df270cd2b3dbf065c75508fe23452e2c10a0a876193f5a90a3075e6e29bd77961907a2ce1a70321fb5ca88cb11174664e5b71eb2c9a081977b0404a452a4427f0c8665348ce331ad4aa0d1c0bb6c9a6069cbbc14f5a53a02b8adcfa58591915607c8576ab413ce7931b2c3a578abc85b7a40c616535f1359842617aac2c4d363956a626e7248bd84cb4c026bab5a1a2bb041ff3d2a277946762d9992001caf6dc58ce81c7f9d0a2987a4d79596ef55511c2ca037afbb77aba8255d67a1fd81e6b1bc010621e500759e24681b8821358c809852a3f7fb639cc41b0fd839e29c54bf6f53776c4515fb17c79c6bd34acb8e9417e3c5c59a8d5960c7937f7a864054a4f97c71d72f1cce2e2c876c033b3977fc1793c6a8c407b2373989354db071d38da3430a4c51fe9579fd19f49d4c6019415c09a83bcc12e47cc828bf22463da96f3d178a3800e817b7552f89616639ed40329c3c4ba5b938f30186bebdbacd9e830258755e3963cbd6b7a9b55a8d7ea5cc637ccbaaa2234dc2832304f1161c1be895f25057b2f8c40ba48cc9db48da68a77eaea756fbc0e72423f1f1741a92caf16ea537f98519b3c243f02ba982abc76342f57181607a48fd71369622a4317d57e82b288e5079e2919bce76a3a09f351ce8695a86093bb984ebaac22496739d392152c55aef35755c1ba23fde180ac244247e8bbe89669a2b6ba79164965a67ff186c7980878761b1844922d97f104f3b86b3fa9b7bb7226cea8b14c294e9a084128777ef9531960f65dbb267265ca06cc7b8f1141b233c81a501abd6972291c3c679000402a321bdf95bee2162c1277734ba030c2a6cf383520d0b99232f86fbb23c0374626cbe22f3188066813b6b27270d2f2314e10c3002872a94c9c969286a1fc042a1477dd82c7910c5ed06b63e6079039fa29fc1039f80412f046a55abb05a3c2278c6a5d65534318817e37e2563c29c1fbf93b4124acec1323e9415f511b9b11e942e378b72bfa68dcf559312b7e3715432c80bd2bd06a95210cb06ac6b340ae18a34ded679e1110a7d7a92fe9e31a4e9956720a6f29838b95c05059182198b54bd76ba3de74347a3a166cf5bfc3f94c6cd922e37225fc95bec250915ea7581bea745b1a17988063585c795e1d2d1e219e580c3d3773cf9d9967ed01ccfd09a0832b58d42ee7b5cac4b4d2d057aa96fb32d04b356d22580772
it contains the publickey: 6bfb169eb1aef0e121d7247092da22c2a75367eb7f620538b3f81ae29926ade590eee3ccdaf8afb793819dc8110f241d5827cc97a52151cbc99d9307053bc575f04c9c2457156bb5dcf5cd6a4c9fbcb8852366b47e253109e9ac0847875f6387cc794a04c30b17b31460a063758a6aeaf979cdd08a889a3de5a748289b72b6d83062071085d8323f86622db4c2ed71792dd325374096f331b1d143c347e87d1c545133b3542c605c092548a8179bdf76b32dcb9bd6fc46dd514eed92a3b67824bfe8a58997c75dc32333c46696b7ce71d62eff77c15ef0afdeea33add5a5cf054eb5911705a62deb7bae6ddc7e9680c9d479065e7c3e298a86cd1982c7c8bd002cc755c663fea62b51f182c685315f9c5f13b9c0a751881f414f40a17773c37658aa786aba6d9032447b60a59ad01904a9c59e369e76080dc4a9743ce505b7053369c596f0a23fcecc705aa3340409b557f093bb9b26a7fc07f78743eebb297a33271df270cd2b3dbf065c75508fe23452e2c10a0a876193f5a90a3075e6e29bd77961907a2ce1a70321fb5ca88cb11174664e5b71eb2c9a081977b0404a452a4427f0c8665348ce331ad4aa0d1c0bb6c9a6069cbbc14f5a53a02b8adcfa58591915607c8576ab413ce7931b2c3a578abc85b7a40c616535f1359842617aac2c4d363956a626e7248bd84cb4c026bab5a1a2bb041ff3d2a277946762d9992001caf6dc58ce81c7f9d0a2987a4d79596ef55511c2ca037afbb77aba8255d67a1fd81e6b1bc010621e500759e24681b8821358c809852a3f7fb639cc41b0fd839e29c54bf6f53776c4515fb17c79c6bd34acb8e9417e3c5c59a8d5960c7937f7a864054a4f97c71d72f1cce2e2c876c033b3977fc1793c6a8c407b2373989354db071d38da3430a4c51fe9579fd19f49d4c6019415c09a83bcc12e47cc828bf22463da96f3d178a3800e817b7552f89616639ed40329c3c4ba5b938f30186bebdbacd9e830258755e3963cbd6b7a9b55a8d7ea5cc637ccbaaa2234dc2832304f1161c1be895f25057b2f8c40ba48cc9db48da68a77eaea756fbc0e72423f1f1741a92caf16ea537f98519b3c243f02ba982abc76342f57181607a48fd71369622a4317d57e82b288e5079e2919bce76a3a09f351ce8695a86093bb984ebaac22496739d392152c55aef35755c1ba23fde180ac244247e8bbe89669a2b6ba79164965a67ff186c7980878761b1844922d97f104f3b86b3fa9b7bb7226cea8b14c294e9a084128777ef9531960f65dbb267265ca06cc7b8f1141b233c81a501abd6972291c3c679000402a321bdf95bee2162c1277734ba030c2a6cf383520d0b99232f86fbb23c0374626cbe22f3188066813b6b27270d2f2314e10c3002872a94c9c969286a1fc042a1477dd82c7910c5ed06b63e6079039fa29fc1039f80412f046a55abb05a3c2278c6a5d65534318817e37e2563c29c1fbf93b4124acec1323e9415f511b9b11e942e378b72bfa68dcf559312b7e3715432c80bd2bd06a95210cb06ac6b340ae18a34ded679e1110a7d7a92fe9e31a4e9956720a6f29838b95c05059182198b54bd76ba3de74347a3a166cf5bfc3f94c6cd922e37225fc95bec250915ea7581bea745b1a17988063585c795e1d2d1e219e580c3d3773cf9d9967ed01ccfd09a0832b58d42ee7b5cac4b4d2d057aa96fb32d04b356d22580772
And we also fount this Server Hello Handshake with the filter: tls.handshake.type == 2:
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
...
Extension: key_share (len=1124) X25519MLKEM768
Type: key_share (51)
Length: 1124
Key Share extension
Key Share Entry: Group: X25519MLKEM768, Key Exchange length: 1120
Group: X25519MLKEM768 (4588)
Key Exchange Length: 1120
Key Exchange […]: 640e2803937e4576a03c90112349c636e4b1efa63636d92a2b1b72ea7f1aea327f57e9ed2f1f1081502a552bae5da6e43b74a4cc548a8e8e29ce3b86eaa81c77407d68d5f7ec47d5d1cccc94d36aa640a2c341c988f2286bdf180acd99313474a8d4759933cef0e92c2fbf6efdfd82fd34c17a2b354c810cc8d0598392c90844d2c9ee8f7eefa1e08d5c5af4739331e2b23b4ae2892c98c43bf233a5b031aa611dcc949b5ecd9f2c8167dffe14c85434c2b06be100bf070ee76774c2efb4968a3a024679545c31a07b2b4af3c702dbec4921102b539ba6e2f0c1afd4f45f7604cb8493967d26e8e84a136bfb242d560728387643b38f570163be166b18049177ce0940b274025d828538d869fd8b0cfafe266e8f51a5b72b0feb6f66a3adcfc6061be14a2b272236090f136a404a6c71af2af8f5763fa8ab9274ab041d9c9b0f3a506f5f16925da671c93ad4f562c8e997233bcc1f18ed32d623d37aa4505f621bc752815534c337f03d87159d55838960e25cf333b390440b30f1e152a51cc2b55460e6841b428f4acf714c99eb09efd9b4955c86cdb9851495c9fb609d77ea6dadfa7c67b0ccb3e217401e4b004c47e355460cd47f444b989dfcd39b504a9de1bda306f6c14a9f522fb3de5736a5139caf44871837f3761b9ef23d1dbf939682d880f06281f9f3481d801135075fd3f4f5b04f5d4a70b2f92676733d8e29013912f244f7232fd4ec64f535f5db96bee6ba28a22bfe69923135b32883f692bfda79b04c614ded3986c4999c38ae1dc955aa8dc608c26f90d3bcc507694fc69b8a320c2cbbf11692d8b248f985552026b38d09f8d2cb5878d5bfd320fe94790d1f31cc19866e4166649a8884e9616d7e16da94a6f3f7c141672adfc88d04ee2b446f4ffac87ff8fb4dd456432738c679ccba5033ad47fa2906e665179e1043b1673447b2877fa1e88a3b62f47b0a34ca85cd1da4a762871cf6234ba9d596a241d5e9a0049b372021b8806ef408bf0f78d718c64224f4cafebbf5a44c84f1bc6075fc073fe0495f329e22b6fd4c19ec908197454511fb841934783fe7a1f9ede7cb0ca22e2df949d285a436d165adf1b12f7a6fa6f0545846d7329a85894f2de2130ba344fdcabfcc1ae0fa7ba1bb1d39029f9926f1d6468ee80cbf95c908d2f2a632aa06043880f89cc0b538dbfd1de87e3db6b88d58099702792f8780fa7b52c37e7be9b822f9a86bf283839b9df96de32af3b38f26c5afe311138f28be5e523b0cfb061e6bd33571216d6dc0bb7da30d1ec6b3fb9f88bad78e6bcd5bd48ec986f2a89e77f1360aa3fa7a06e93bfdf1408d34cb39c7128209e1d8b9e90e1e98a91c14113ff2d6185850d765048af8f595fa5e30452a03a552bb7a272e6f0e5e09ad64c57c1d9d22441f929ab65ab9a85fe66f6b48737eb92d578dbf5dfdbb8b710e4b2a1b7d48dae0af2a77f6805f7bc17f0a5bb3fbf6f69a055def782b3a48f80be17e62fbeba2e8ee327c52f2a9b8d8e3eb9313c4909b6d5577705ebd033c5c33b70f1f5855913706e74bfe5ff4922ddc85604449646ddde35fb17fd58511
it contains the publickey: 640e2803937e4576a03c90112349c636e4b1efa63636d92a2b1b72ea7f1aea327f57e9ed2f1f1081502a552bae5da6e43b74a4cc548a8e8e29ce3b86eaa81c77407d68d5f7ec47d5d1cccc94d36aa640a2c341c988f2286bdf180acd99313474a8d4759933cef0e92c2fbf6efdfd82fd34c17a2b354c810cc8d0598392c90844d2c9ee8f7eefa1e08d5c5af4739331e2b23b4ae2892c98c43bf233a5b031aa611dcc949b5ecd9f2c8167dffe14c85434c2b06be100bf070ee76774c2efb4968a3a024679545c31a07b2b4af3c702dbec4921102b539ba6e2f0c1afd4f45f7604cb8493967d26e8e84a136bfb242d560728387643b38f570163be166b18049177ce0940b274025d828538d869fd8b0cfafe266e8f51a5b72b0feb6f66a3adcfc6061be14a2b272236090f136a404a6c71af2af8f5763fa8ab9274ab041d9c9b0f3a506f5f16925da671c93ad4f562c8e997233bcc1f18ed32d623d37aa4505f621bc752815534c337f03d87159d55838960e25cf333b390440b30f1e152a51cc2b55460e6841b428f4acf714c99eb09efd9b4955c86cdb9851495c9fb609d77ea6dadfa7c67b0ccb3e217401e4b004c47e355460cd47f444b989dfcd39b504a9de1bda306f6c14a9f522fb3de5736a5139caf44871837f3761b9ef23d1dbf939682d880f06281f9f3481d801135075fd3f4f5b04f5d4a70b2f92676733d8e29013912f244f7232fd4ec64f535f5db96bee6ba28a22bfe69923135b32883f692bfda79b04c614ded3986c4999c38ae1dc955aa8dc608c26f90d3bcc507694fc69b8a320c2cbbf11692d8b248f985552026b38d09f8d2cb5878d5bfd320fe94790d1f31cc19866e4166649a8884e9616d7e16da94a6f3f7c141672adfc88d04ee2b446f4ffac87ff8fb4dd456432738c679ccba5033ad47fa2906e665179e1043b1673447b2877fa1e88a3b62f47b0a34ca85cd1da4a762871cf6234ba9d596a241d5e9a0049b372021b8806ef408bf0f78d718c64224f4cafebbf5a44c84f1bc6075fc073fe0495f329e22b6fd4c19ec908197454511fb841934783fe7a1f9ede7cb0ca22e2df949d285a436d165adf1b12f7a6fa6f0545846d7329a85894f2de2130ba344fdcabfcc1ae0fa7ba1bb1d39029f9926f1d6468ee80cbf95c908d2f2a632aa06043880f89cc0b538dbfd1de87e3db6b88d58099702792f8780fa7b52c37e7be9b822f9a86bf283839b9df96de32af3b38f26c5afe311138f28be5e523b0cfb061e6bd33571216d6dc0bb7da30d1ec6b3fb9f88bad78e6bcd5bd48ec986f2a89e77f1360aa3fa7a06e93bfdf1408d34cb39c7128209e1d8b9e90e1e98a91c14113ff2d6185850d765048af8f595fa5e30452a03a552bb7a272e6f0e5e09ad64c57c1d9d22441f929ab65ab9a85fe66f6b48737eb92d578dbf5dfdbb8b710e4b2a1b7d48dae0af2a77f6805f7bc17f0a5bb3fbf6f69a055def782b3a48f80be17e62fbeba2e8ee327c52f2a9b8d8e3eb9313c4909b6d5577705ebd033c5c33b70f1f5855913706e74bfe5ff4922ddc85604449646ddde35fb17fd58511

45
sheet04/a1/b.txt Normal file
View File

@@ -0,0 +1,45 @@
We looked for the packet containing the certificate handshake with the filter:
tls.handshake.type == 11 and found the following certificates:
Certificate 1:
Issuer: Let's Encrypt
Subject: www.mozilla.org
Valid until: 2025-07-28 10:02:46 (UTC)
Algorithm ID: 1.2.840.113549.1.1.1 (rsaEncryption)
RSA Public Key: 3082010a0282010100e422db3b32d5efbcc3b8b840760fdc8352561f8c50d830c488272571593bd4f96b43de8bcf6ede62042d1d5da6ae274f14906e97f306abec51d3a9a62663adf76ff960be247a898161093395f37a091f31e1536857a8deca4ed9aac9ce16d7f6c4e6d983224447fb1ebbcb5abecadf41a82b41d6bd4ea0de2b5153f8a273ab754b4b07241a49c2251c1c4f5055c3074f0b5476c88e0781d02af1f37a81a4fd0a1c1773b1dc8fc0596ff913f9b6f6fa2f40d1903319f6b312b7c23ded69176647a3bd7ff6a182b833b69309445123eb60a88c6de83b8da9d755ecafee52651e9a112ab5734021c2e0c1b30c83954cee138d639efc2abf78a48524c68d5942661d020300010001
Certificate 2:
Issuer: Internet Security Research Group
Subject: Let's Encrypt
Valid until: 2027-03-12 23:59:59 (UTC)
Algorithm ID: 1.2.840.113549.1.1.1 (rsaEncryption)
RSA Public Key: 3082010a0282010100ba87bc5c1b0039cbca0acdd46710f9013ca54ea561cb26ca52fb1501b7b928f5281eed27b324183967090c08ece03ab03b770ebdf3e53954410c4eae41d69974de51dbef7bff58bda8b713f6de31d5f272c9726a0b8374959c4600641499f3b1d922d9cda892aa1c267a3ffeef58057b089581db710f8efbe33109bb09be504d5f8f91763d5a9d9e83f2e9c466b3e106664348188065a037189a9b843297b1b2bdc4f815009d2788fbe26317966c9b27674bc4db285e69c279f0495ce02450e1c4bca105ac7b406d00b4c2413fa758b82fc55c9ba5bb099ef1feebb08539fda80aef45c478eb652ac2cf5f3cdee35c4d1bf70b272baa0b4277534f796a1d87d90203010001
echo "HEX-KEY" | tr -d ' \n\r' | xxd -r -p > key.der
openssl rsa -in key.der -inform der -pubin -out key.pem
gave us the publickeys:
Cert 1:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5CLbOzLV77zDuLhAdg/c
g1JWH4xQ2DDEiCclcVk71PlrQ96Lz27eYgQtHV2mridPFJBul/MGq+xR06mmJmOt
92/5YL4keomBYQkzlfN6CR8x4VNoV6jeyk7ZqsnOFtf2xObZgyJER/seu8tavsrf
QagrQda9TqDeK1FT+KJzq3VLSwckGknCJRwcT1BVwwdPC1R2yI4HgdAq8fN6gaT9
ChwXc7Hcj8BZb/kT+bb2+i9A0ZAzGfazErfCPe1pF2ZHo71/9qGCuDO2kwlEUSPr
YKiMbeg7janXVeyv7lJlHpoRKrVzQCHC4MGzDIOVTO4TjWOe/Cq/eKSFJMaNWUJm
HQIDAQAB
-----END PUBLIC KEY-----
Cert 2:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuoe8XBsAOcvKCs3UZxD5
ATylTqVhyybKUvsVAbe5KPUoHu0nsyQYOWcJDAjs4DqwO3cOvfPlOVRBDE6uQdaZ
dN5R2+97/1i9qLcT9t4x1fJyyXJqC4N0lZxGAGQUmfOx2SLZzaiSqhwmej/+71gF
ewiVgdtxD4774zEJuwm+UE1fj5F2PVqdnoPy6cRms+EGZkNIGIBloDcYmpuEMpex
sr3E+BUAnSeI++JjF5ZsmydnS8TbKF5pwnnwSVzgJFDhxLyhBax7QG0AtMJBP6dY
uC/FXJuluwme8f7rsIU5/agK70XEeOtlKsLPXzze41xNG/cLJyuqC0J3U095ah2H
2QIDAQAB
-----END PUBLIC KEY-----

6
sheet04/a1/c.txt Normal file
View File

@@ -0,0 +1,6 @@
Let's Encrypt:
Let's Encrypt is a Certificate Authority that provides free TLS certificates, making it easy for websites to enable HTTPS encryption and create a more secure Internet for everyone. Let's Encrypt is a project of the nonprofit Internet Security Research Group
Internet Security Research Group:
The Internet Security Research Group (ISRG) is a public-benefit non-profit corporation based in California which focuses on Internet security.

149
sheet04/a2/AuthWithTOTP.java Normal file
View File

@@ -0,0 +1,149 @@
import java.nio.ByteBuffer;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.HexFormat;
import java.util.Map;
import java.util.Scanner;
import java.util.stream.Collectors;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
public class AuthWithTOTP {
private static final byte[] INVALID_HASH =
"----------------------------------------------------------------".getBytes();
// hex-encoded: 3c2bc45f2de6568bb285aa1c6fcac1b6965cc770
// base32-encoded: HQV4IXZN4ZLIXMUFVIOG7SWBW2LFZR3Q
private static final byte[] K = new byte[] {
60,
43,
-60,
95,
45,
-26,
86,
-117,
-78,
-123,
-86,
28,
111,
-54,
-63,
-74,
-106,
92,
-57,
112,
};
public static void main(String[] args) {
// I changed it to a scanner cause my terminal had issues with the other thingy
try (Scanner sc = new Scanner(System.in)) {
Map<String, byte[]> passwd = Files.readAllLines(Path.of("passwd"))
.stream()
.filter(line -> line.indexOf(":") > 1 && line.length() > 3)
.collect(
Collectors.toMap(
line -> line.substring(0, line.indexOf(':')),
line ->
HexFormat.of().parseHex(
line.substring(line.indexOf(':') + 1)
)
)
);
System.out.println(
"Chocolate Factory SCADA Command Line Interface v2.2.144"
);
System.out.println();
System.out.println(
"Please, enter your authentication credentials."
);
System.out.println();
String username;
String password;
String totpCode;
long timeout = 500;
while (true) {
System.out.print("> Username: ");
username = sc.nextLine();
System.out.print("> Password: ");
password = sc.nextLine();
System.out.print("> TOTP Code: ");
totpCode = sc.nextLine();
MessageDigest digest = MessageDigest.getInstance("SHA-256");
byte[] encodedHash = digest.digest(password.getBytes());
// constant time comparison to prevent timing attacks
if (
MessageDigest.isEqual(
passwd.getOrDefault(username, INVALID_HASH),
encodedHash
)
) {
// Get the counter from the unix seconds
final var counter = (int) Math.floor(
Instant.now().getEpochSecond() / 30.0
);
// Compute the hmac
final var mac = Mac.getInstance("HmacSHA1");
mac.init(new SecretKeySpec(K, "HmacSHA1"));
mac.update(ByteBuffer.allocate(8).putLong(counter).array());
final var hmacResult = mac.doFinal();
// Do the truncating + modulo
int offset = hmacResult[19] & 0x0f;
int binaryCode =
((hmacResult[offset] & 0x7f) << 24) |
((hmacResult[offset + 1] & 0xff) << 16) |
((hmacResult[offset + 2] & 0xff) << 8) |
(hmacResult[offset + 3] & 0xff);
binaryCode = binaryCode % 1000000;
// Validate the code + padding
final var code = String.format("%06d", binaryCode);
if (!code.equals(totpCode)) {
System.out.println(
"Invalid username, password and/or TOTP code."
);
Thread.sleep(timeout);
timeout *= 2;
continue;
}
System.out.printf("Welcome %s!%n", username);
Thread.sleep(150);
break;
} else {
// exponential timeout to prevent brute force attacks
System.out.println(
"Invalid username, password and/or TOTP code."
);
Thread.sleep(timeout);
timeout *= 2;
}
}
printSystemStatus();
printSecretRecipe();
} catch (Exception e) {
e.printStackTrace();
}
}
private static void printSystemStatus() throws Exception {
// SECRET
}
private static void printSecretRecipe() throws Exception {
// SECRET
}
}

26
sheet04/a2/a.txt Normal file
View File

@@ -0,0 +1,26 @@
After some search these are my most used services (with number of visits):
7191|gitlab.uni-ulm.de
7409|github.com
8307|www.youtube.com
10696|duckduckgo.com
11337|www.wanikani.com
1. Wanikani is a Japanese learning app and does not support any kind of multi-factor-authentication. You can log in with your email address and also reset your password using your email address. They only removed username login in 2023: https://community.wanikani.com/t/updating-wanikani-password-recovery-options/61437.
2. DuckDuckGo does not even have a login, so no need for authentication. I guess in a way, the most secure account is the account that doesn't exist. However, since it felt like cheating: I also use Proton a lot, and they have a lot of options for login. Speaking from personal experience here are the ones I know:
- TOTP: Active for my account as well (they even have their own Authenticator app)
- Security keys: Also available for two-factor authentication
- In case of Proton Pass: You can set a second password that unlocks the password manager to make sure someone doesn't get access when they get your main password (just additional security).
- For recovery, you can also set emergency contacts and stuff (so people could get access to your account even if you died), they have a pretty comprehensive system in total and I think they're really doing a good job with authentication
3. YouTube: Well, here it gets a little complicated, but it's basically the same as for any Google account and because it's a big platform there are so many security options that you can't even count them all.
- TOTP
- Pass keys
- Email 2FA
- Google's own autentication system that works with any Android device (the one where a code is sent to your phone instead of by email)
- Security codes: Offline credentials similar to TOTP that can be viewed in the Google app on a phone when logged in (as a compliment to Google's own code sending)
- You can also chain any of those together to make your account more secure
4. GitHub: Also really solid here: TOTP, Security keys, GitHub Mobile and SMS/Text (marked as insecure) messages are supported. However, no multi-factor authentication, you can only configure a second factor.
5. University GitLab: Also a lot available: Login usually works through the University's account system, but you can additionally add TOTP and WebAuthn devices (so passkeys).

5
sheet04/a2/c.txt Normal file
View File

@@ -0,0 +1,5 @@
Without the time interval entering the codes would be really difficult. Imagine having only one second to enter the code + the request having to travel to some server for it to verify (can take up to 200ms around the world) + the server having to process the request and verify the code.
There could be measures to make sure the code is still valid even when entering a little old code, but then you're really just introducing an interval. So why not do it from the start?
That's why you need a 30s interval. For user experience, to make sure the system can actually work even when grandma has to type it in and reopen the authenticator 10x because she forgot the code or typed something wrong.

3
sheet05/a1/archive.sh Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
# $1 = directory path
chmod -R a-w "$1"

3
sheet05/a1/create_user.sh Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
# $1 = username, $2 = comma-separated groups
useradd -G "$2" "$1" || usermod -aG "$2" "$1"

6
sheet05/a1/explanation.txt Normal file
View File

@@ -0,0 +1,6 @@
UNIX permissions only support one Owner, one Group, and Other (UGO).
The 'Group' slot is already taken by the specific lecture group to give students write access.
If we use 'Other' to give the supervisor read access, every user on the system could read it, which would violate the requirements.
If we add the supervisor to the lecture group, they get write access, which also violates the requirements.
Because a file cannot have multiple groups or user-specific overrides under standard UNIX permissions, this cannot be solved.

3
sheet05/a1/supervisor.sh Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
# $1 = supervisor username
echo "not possible with the standard UNIX permissions. See explanation.txt."

3
sheet05/a2/archive.sh Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
TARGET_DIR=$1
chmod -R a-w "$TARGET_DIR"

4
sheet05/a2/create_user.sh Normal file
View File

@@ -0,0 +1,4 @@
#!/bin/bash
USERNAME=$1
GROUPS=$2
useradd -G "$GROUPS" "$USERNAME" || usermod -aG "$GROUPS" "$USERNAME"

3
sheet05/a2/explanation.txt Normal file
View File

@@ -0,0 +1,3 @@
The supervisor's read access would fail with UNIX permissions, since they are limited to one owner, one group, and "others".
Access Control Lists (ACLs) resolve this problem by allowing permissions beyond the standard three.
Using `setfacl`, we can append specific read and execute rights (r-x) for individual users (the supervisors) directly to the files and directories.

6
sheet05/a2/supervisor.sh Normal file
View File

@@ -0,0 +1,6 @@
#!/bin/bash
SUPERVISOR=$1
# Grant read and execute permissions to the supervisor user recursively
setfacl -R -m u:"$SUPERVISOR":r-x .
# Set the default ACL
setfacl -R -d -m u:"$SUPERVISOR":r-x .

4
sheet05/a3/a.txt Normal file
View File

@@ -0,0 +1,4 @@
Passwords are stored in the /etc/shadow file, which is restricted to the root user.
A standard user cannot write to it directly. However, the passwd executable is owned by root and has the SUID permission set.
When a standard user runs passwd, the SUID bit tells the system to execute the program with the privileges of root,
giving the program the temporary permissions to update /etc/shadow

5
sheet05/a3/b.txt Normal file
View File

@@ -0,0 +1,5 @@
The script runs with root privileges because the setuid bit is set.
Since it just asks for a username and saves the new hash to /etc/shadow,
and there is no validation checking if the user running the program is actually changing their own password,
someone could simply run the program, type root as the username, and set a new password for the root user.
The script would then overwrite the actual root password in /etc/shadow.