USG Ubiquiti VPN using Strongswan

USG VPN using Strongswan Been trying to find a guide on how to setup IPsec/L2TP between USG and Linux but haven’t really found one that worked for me so this is how I have made it work. The USG There are tons of guides and videos on how to set it up on the USG so I’ll just provide a few notes on that. Created a network Turned on the server and added a preshared key Added a user Linux On my laptop running Linux (Arch) I installed strongswan and xl2tpd) (currently strongswan version 5.

Setting variables in a package on build time

Setting variables in a package on build time When building a go binary its possible to add ldflags in order to variables in build time (Like version numbers) and this is pretty well documented. But setting variables in internal/vendoring directories it not well documented. This is how its done test # tree . ├── cmd │ └── cli │ └── main.go ├── internal │ └── cmd │ └── version.go test/cmd/cli/main.

USG Ubiquiti IPv6 via DHCP

USG with IPv6 I recently bought a Ubiquiti USG which was quite easy to setup. The only problem I had was that it didn’t give out any IPv6 addresses to my clients (But router advertisement did work). My ISP gives a /48 as IPv6 delegated prefix but the USG wound’t just use that and the GUI in version 5.6.29 does not support IPv6 yet. Several documents states that you just need to enable it by adding this config.

IO Smash the stack level 10

Level10 I had a lot of issues with this level. At first I did not understand how I could exploit it so I tried several things until I finally got it. I started looking at the source code but still could not see the problem. I connected to the irc channel for help and got a few pointers on how to debug this. But the thing that helped me most I guess was this link.

IO Smash the stack level 09

Level09 level9@io:/levels$ ls -latr level09* -r-------- 1 level9 level9 182 Jan 9 2010 level09.c -r-sr-x--- 1 level10 level9 6294 Jan 9 2010 level09 level9@io:/levels$ cat level09.c #include <stdio.h> #include <string.h> int main(int argc, char **argv) { int pad = 0xbabe; char buf[1024]; strncpy(buf, argv[1], sizeof(buf) - 1); printf(buf); return 0; } A nice string format bug. Alright this should be a walk in the park using short writes when overwriting the .

IO Smash the stack level 08

Level08 level8@io:/levels$ ls -latr level08* -r-sr-x--- 1 level9 level8 14343 Sep 17 2010 level08_alt -r-------- 1 level8 level8 1927 Jan 3 2012 level08_alt.cpp -r-sr-x--- 1 level9 level8 6662 Jan 26 2012 level08 -r-------- 1 level8 level8 666 May 27 2014 level08.cpp // writen by bla for #include <iostream> #include <cstring> #include <unistd.h> class Number { public: Number(int x) : number(x) {} void setAnnotation(char *a) {memcpy(annotation, a, strlen(a));} virtual int operator+(Number &r) {return number + r.

IO Smash the stack level 07

Level07 level7@io:/levels$ cat level07.c //written by bla #include <stdio.h> #include <string.h> #include <unistd.h> int main(int argc, char **argv) { int count = atoi(argv[1]); int buf[10]; if(count >= 10 ) return 1; memcpy(buf, argv[2], count * sizeof(int)); if(count == 0x574f4c46) { printf("WIN!\n"); execl("/bin/sh", "sh" ,NULL); } else printf("Not today son\n"); return 0; } Oki so count has to be 10 or less to invoke the memcpy but in order to get a shell count has to be 0x574f4c46 (1464814662).

IO Smash the stack level 06

Level06 level6@io:/levels$ ls -la level06* -r-sr-x--- 1 level7 level6 5849 Dec 18 2013 level06 -r-sr-x--- 1 level7 level6 7293 Aug 11 2010 level06_alt -r-------- 1 level6 level6 487 Nov 14 2011 level06_alt.c -r-------- 1 level7 level7 22 Sep 14 03:31 level06_alt.pass -r-------- 1 level6 level6 1034 May 7 2015 level06.c level6@io:/levels$ cat level06.c //written by bla //inspired by nnp #include <stdio.h> #include <stdlib.h> #include <string.h> enum{ LANG_ENGLISH, LANG_FRANCAIS, LANG_DEUTSCH, }; int language = LANG_ENGLISH; struct UserRecord{ char name[40]; char password[32]; int id; }; void greetuser(struct UserRecord user){ char greeting[64]; switch(language){ case LANG_ENGLISH: strcpy(greeting, "Hi "); break; case LANG_FRANCAIS: strcpy(greeting, "Bienvenue "); break; case LANG_DEUTSCH: strcpy(greeting, "Willkommen "); break; } strcat(greeting, user.

IO Smash the stack level 05

Level05 level5@io:/levels$ ls -latr level05* -r-------- 1 level5 level5 178 Oct 4 2007 level05.c -r-sr-x--- 1 level6 level5 7140 Nov 16 2007 level05 -r-sr-x--- 1 level6 level5 8752 Feb 22 2010 level05_alt -r-------- 1 level5 level5 2954 Feb 24 2010 level05_alt.c level5@io:/levels$ cat level05.c #include <stdio.h> #include <string.h> int main(int argc, char **argv) { char buf[128]; if(argc < 2) return 1; strcpy(buf, argv[1]); printf("%s\n", buf); return 0; } Ahh a classic bufferoverflow :)

IO Smash the stack level 04

Level04 level4@io:/levels$ ls -latr level04* -r-sr-x--- 1 level5 level4 5159 Dec 18 2013 level04 -r-------- 1 level4 level4 245 Dec 18 2013 level04.c -r-sr-x--- 1 level5 level4 5105 Sep 24 2014 level04_alt -r-------- 1 level4 level4 120 Jan 27 2015 level04_alt.c level4@io:/levels$ cat level04.c //writen by bla #include <stdlib.h> #include <stdio.h> int main() { char username[1024]; FILE* f = popen("whoami","r"); fgets(username, sizeof(username), f); printf("Welcome %s", username); return 0; } So it runs whoami without full path .