SeekL x Killer Chat - The Beginning

Lyra sits at her PC. Looking at her monitor. She's just finished learning ArnoldC. Her recent obsession with all of Arnold Schwarzenegger's movies led her to learn of the existence of ArnoldC.

Coding was but another way to write. It could be artistic; it was unique.

They look at their previous works with other coding languages. Brainfuck and JSFuck, both were very interesting. Especially having JSFuck running on actual web pages. Another favorite, similar to ArnoldC, Shakespeare. A language that looks similar to Shakespearen. The language she learnt right before ArnoldC.

She whistles and looked through the internet to see if there was anything that could expand her esoteric coding languages.

They squint at the name of one, SeekL? An interesting name without a description. With a shrug they start to comb through the internet. Nothing was showing up as a learning tool for the coding language. However, there were a few articles about how it was used by some hackers.

She hums to herself and double checks her shields and makes sure her data is locked up tight. Then she hops onto the dark web to see if there was anything.

"Oh, well that's interesting," she said looking at the page that came with more information, but just barely.

*SeekL is similar to SQL. If you wish to learn, click here*

'Should I click to learn it?' The idea bounced around their brain, but she found no reason to reject it. So she clicked it.

She was automatically joined into a group chat. There she learnt basic SeekL and some SQL. She made friends with the others in the chat and helped them with their last hacks. They got to be part of a group for a few days, chat with Odxny on video calls each day, and become Thrim. They learnt how much coding could be used to for a vendetta and how easily some people crumble to a ransom.

It was interesting and she wanted to continue in this new world.

Then came the final day for the server to shut down. Her hands trembled as she typed in the phone number for Odxny, hoping she didn't mess anything up. She only had one shot.

exec dial(555-448-4746)

It rang once.

Twice.

Thri-

"Hey"

Relief flooded her.

if you thought javascript sucked, behold: JSFuck

My brain hurts so fucking much just trying to understand even the basic example, just who in their right mind thought any of this shit was a good idea

Tierlist part 10: JS

You might think that JS is another easy addition to the fire, but the type coercion is so bad that it wraps around to being incredibly funny. So yes, JSFuck is what saves it from the flames. But only barely. It is still hell to work with and thus still needs to feel the heat. To E tier it goes, just beside the flame.

Part 9

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>+++.<++.>>+++++++++++++++++++.--------.-.<<+++++++.>>++++++.<<-------.>>------------------.+++++++.+++++++++++.---------------.<<+.-.>.>+++++++++++++++.<<+++++++.>>-.<<-------.>+.+++++++++.-------------.>++.------------------.++++++++.<<.>>++++++++++++++.----------.++++++.<<.>>-------------.-------.+++++++++++++++++++++.-----------------.<<.>>+++++++++++++++.-----.<<.>>++++++++.--------.+++..+++++++.<<.>>------------------------.+.+++++++++++++.++++++.-.<<++++++++++++++.

programming languages are usually at least kind of legible, and then there's regular expressions, which look like arcane symbols used for summoning every demon in hell

this is technically human readable. someone wrote this.

Matrix Breakout: 2 Morpheus

Hello everyone, it's been a while. :)

Haven't been posting much recently as I haven't really done anything noteworthy- I've just been working on methodologies for different types of penetration tests, nothing interesting enough to write about!

However, I have my methodologies largely covered now and so I'll have the time to do things again. There are a few things I want to look into, particularly binary exploit development and OS level security vulnerabilities, but as a bit of a breather I decided to root Morpheus from VulnHub.

It is rated as medium to hard, however I don't feel there's any real difficulty to it at all.

Initial Foothold

Run the standard nmap scans and 3 open ports will be discovered:

Port 22: SSH

Port 80: HTTP

Port 31337: Elite

I began with the web server listening at port 80.

The landing page is the only page offered- directory enumeration isn't possible as requests to pages just time out. However, there is the hint to "Follow the White Rabbit", along with an image of a rabbit on the page. Inspecting the image of the rabbit led to a hint in the image name- p0rt_31337.png. Would never have rooted this machine if I'd known how unrealistic and CTF-like it was. *sigh*

The above is the landing page of the web server listening at port 31337, along with the page's source code. There's a commented out paragraph with a base64 encoded string inside.

The string as it is cannot be decoded, however the part beyond the plus sign can be- it decodes to 'Cypher.matrix'.

This is a file on the web server at port 31337 and visiting it triggers a download. Open the file in a text editor and see this voodoo:

Upon seeing the ciphertext, I was immediately reminded of JSFuck. However, it seemed to include additional characters. It took me a little while of looking around before I came across this cipher identifier.

I'd never heard of Brainfuck, but I was confident this was going to be the in-use encryption cipher due to the similarity in name to JSFuck. So, I brainfucked the cipher and voila, plaintext. :P

Here, we are given a username and a majority of the password for accessing SSH apart from the last two character that were 'forgotten'.

I used this as an excuse to use some Python- it's been a while and it was a simple script to create. I used the itertools and string modules.

The script generates a password file with the base password 'k1ll0r' along with every possible 2-character combination appended. I simply piped the output into a text file and then ran hydra.

The password is eventually revealed to be 'k1ll0r7n'. Surely enough this grants access to SSH; we are put into an rbash shell with no other shells immediately available. It didn't take me long to discover how to bypass this- I searched 'rbash escape' and came across this helpful cheatsheet from PSJoshi. Surely enough, the first suggested command worked:

The t flag is used to force tty allocation, needed for programs that require user input. The "bash --noprofile" argument will cause bash to be run; it will be in the exec channel rather than the shell channel, thus the need to force tty allocation.

Privilege Escalation

With access to Bash commands now, it is revealed that we have sudo access to everything, making privilege escalation trivial- the same rbash shell is created, but this time bash is directly available.

Thoughts

I did enjoy working on Morpheus- the CTF element of it was fun, and I've never came across rbash before so that was new.

However, it certainly did not live up to the given rating of medium to hard. I'm honestly not sure why it was given such a high rating as the decoding and decryption elements are trivial to overcome if you have a foundational knowledge of hacking and there is alot of information on bypassing rbash.

It also wasn't realistic in any way, really, and the skills required are not going to be quite as relevant in real-world penetration testing (except from the decoding element!)

Match 1A[4]

Introducing an awful, cursed monstrosity that somehow spawned because people weren't satisfied with another language that a lot of people really love to hate on but is actually pretty alright... and JSFuck.

JSFuck

Everyone complains that JavaScript has too much going on. null *and* undefined? == and ===? where does it end? That's why I decided to thanos my keyboard so it only had 6 characters left. And it's still probably more usable than angular.js

C++

C is a highly performant, minimal language, that can do almost anything you put it to. It's often described as packing everything you need, and nothing you don't. C++ is not that language.

Today I became aware of JSFuck, which is amazing. The above-linked article nicely walks through just how brainbreaking it is (...probably only understandable to programmers). Javascript, man.

Desmos runs on JavaScript right? There's a similar thing with JavaScript that might be causing this.

JSFuck is valid JavaScript, except it only uses the characters (, ), {, }, +, and !

This works because JavaScript is pretty much a toy language that people take seriously for some reason, and the type system is fucked up.

Desmos uses Three.js to render its 3d graphs, so it likely uses JavaScript for the rest of the site to avoid making a foreign function interface or something equally complicated. Only problem is that it limits the syntax in ways that are impatient, and extends it in ways that are completely esoteric and impractical.

I'm definitely going to do my own experiments on this later.

y'know, one of the goofiest things I've learnt from the desmos community is that { } with nothing inside equals 1

but that's not just it, you can also add { }s

and it functions just the same as adding 2 1s

but therein lies the funniest part, that you can perform almost any function on it, from minus

to exponents

to even factorials!

and lists too!!!

you can even compare solutions of { }s in { }s

there's almost no restrictions, if you can do it with numbers, you can do it with { }

and this leads me to what I've seen a lot of people calling "desmosfuck" after the infamous programming language brainfuck, and it restricts you by not allowing any letters and no numbers, that includes sin, log, x, y and all the others. The only thing you can make out of { }s are points and numbers though, but thankfully that's usually enough to make a bunch of stuff.

like, if you need π, just use (-0.5)!^2

you need e? you already have π and i, just use e^(iπ)=-1 and rearrange it to e=-1^(1/(iπ)) and get -1^((π^-1)(i^-1))

want phi? sure, just use it's surd representation of (1+sqrt(5))/2

okay, but what if you really wanna do functions? well, if you're desperate, you can sorta do that, you just gotta use a concentration of points.

cos(x) and sin(x)? use the identities

cos seems easier

and x just has to be a dense list of numbers

now that we have x, let us... REWRITE!

that's dense... buuuut, it does the job as soon as we add the x part to the x coordinate!

absolute insanity

you can also get sin by subtracting x by half of pi

awesome

here's tan, btw

go play around with it yourself! it's very silly

I think we should all take a moment to appreciate JSFuck, Martin Kleppe’s method by which you can write arbitrary javascript code using only the six characters [, ], (, ), !, and +.

How it works:

Basics:

Because we have [], we have the empty array and the ability to index things with other things. We can immediately construct undefined by [][[]].

! turns anything into a boolean. So ![] is false, and !![] is true.

+, used as a unary operator, casts anything to a number. So +[] is 0, and +!![] is 1. Of course, we also have + as a binary operator, so you can get any other number just be chaining - 5 is +!![]+!![]+!![]+!![]+!![], for example.

Adding an empty array to something turns it into a string, because javascript is terrible. So since ![] is false, ![] + [] is the string ‘false’.

This means we can make individual letters:  (![] + [])[+[]] becomes ‘false’[0] becomes ‘f’.

Building an alphabet:

At this point everything becomes about getting more letters. We’ve already built false, true, and undefined, as well as all integers, so we can build any string as long as it only uses characters from ‘0123456789adefilnrstu’.

Characters so far: ‘0123456789adefilnrstu’

Those characters are enough to make ‘find’:  (![]+[])[+[]] + ([][[]]+[])[+!![]+!![]+!![]+!![]+!![]] + ([][[]]+[])[+!![]] + ([][[]]+[])[+!![]+!![]]

Well, [].find is a method of arrays, so [][”find”]+[] is a string that starts with “function find() {” (there’s more to this string, but in some environments like firefox there are newlines and in some there aren’t, so we can’t reliably get the rest).

Characters so far: ' ()0123456789acdefilnorstu{'

Now we can spell “constructor”, so we do ([]+[])["constructor"] to get the String type; String[”name”] is the string “String”.

Characters so far: ' ()0123456789Sacdefgilnorstu{'

The S and g were all we were missing for toString. Number.toString takes a base, so e.g. 17[”toString”](36) returns 17 in base 36, which is “h”. We can do this for every number 10-36 to get all lowercase letters.

Characters so far: ' ()0123456789Sabcdefghijklmnopqrstuvwxyz{'

Going Global:

[][”find”][”constructor”] is Function, the function type. Applied to a string, this yields a function whose code is that string. This means that we can execute any javascript as long as we can write it. In particular, we already have enough letters to call Function(”return this”)(). This gives us the global object (called ‘global’ in node, ‘window’ in the browser), which means we can now call any global function if we can spell it. We’re nearly there!

Finishing the set:

Finally, we can now access global[”escape”] and global[”unescape”]. escape(”(”) gives us “%28” and thus the % sign, and now we’re done: we can make any hex number, prefix it with %, and call unescape on it. For example, unescape(”%27″) is a single quote, unescape(”%7e”) is a tilde, and so forth. Every single ascii character is now available to us.

Characters so far: ALL

Putting it together 

So now, given any javascript, you can compile it into an enormous, unreadable mass of ()!+[]s! All you have to do is encode it grossly, wrap it in a Function() call, and call the resulting function!

In practice, there are lots of optimizations - you don’t have to build the full unescape sequence to get ‘N’, for example, because +[![]] is NaN so “N” is the relatively short (+[![]]+[])[+![]].

For reference, alert(0) looks like this:

[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()

and alert(”Hello, world!”) is 18,616 characters long.

And now you know!

If JavaScript is not chaotic enough for you, this classic library (released 07-05-09 and available here via the Wayback Machine) adds the goto statement, which sadly was not included in JS’s official specification.

If you really want to mess with JS, however, there’s also my FatFinger.JS dialect, which makes misspellings of JS valid code, and of course JSFuck, building all of JS out of six punctuation symbols.

Who knew JS could get worse than it already is.

Nope!

javascript has got to be the worst esolang

(Favourite tidbit of information you've gathered in your endless eternal wisdom?)

jsfuck is an esoteric programming language assembled from exploits in loose javascript typing so it only uses punctuation, and you can use it to run malicious hard to detect scripts on web pages. people used to do that on eBay because the malicious script filter couldn’t read it. it’s a little like brainfuck which is an esolang with a similar concept but jsfuck actually has a practical use which is hilarious

PLorbo showdown bracket

It's showdown time!

With over 42 form submissions, and 32 languages submitted, we're ready to rock and roll like we're a 1972 Bell Labs team.

I've put all the entries in, shuffled it, shuffled it some more for good luck, and shuffled it again to be sure.

With that all said and done, we have rounds 1A and 1B ready to go with the following matchups:

Match 1A[0] ActionScript vs Powershell

Match 1A[1] Mathematica vs VBA

Match 1A[2] Lisp vs Java (I'm expecting some good propaganda on this)

Match 1A[3] HTML + CSS vs MATLAB

Match 1A[4] JSFuck vs C++

Match 1A[5] Octave vs SCADA

Match 1A[6] Scheme vs VHDL

Match 1A[7] Assembly vs Lite-C

Match 1B[0] C vs Chicken

Match 1B[1] MIT App Inventor vs Rust

Match 1B[2] LabView vs TypeScript

Match 1B[3] SQL vs Haskell

Match 1B[4] Karel vs Scratch

Match 1B[5] C# vs JavaScript

Match 1B[6] MS Power Automate vs Forth

Match 1B[7] BrainFuck vs Python

I'll be posting these hopefully around 9AM UTC on Tuesday 7th March, and I'll have them all up for 24 hours.

Propaganda is very welcome, but be nice to each other ;)

Otherwise, happy voting, and may the best (or worst) language win

i hate that JSFuck is a real thing it’s literally so fucking funny....people were really like *codes a malicious script using nothing but long strings of punctuation so it’s undetectable and hides it in a webpage*

FUCK YOU!!!!! What did i ever do to deserve this i JSFUCK EVERYBODY GETS TO BE HEATLTBY EXCEPT FOR ME THERE IS SNO FUVKING WINNING