10h Nyan Cat

Posted By admin On 27/11/21

Nyan Cat is a fun internet meme game about a cat with a Pop-Tart torso. It's Nyan Cat cruising through space on its quest to collect as many sweet treats as possible. Based on the popular animated gif, also known as 'Pop Tart Cat', this cute online game lets you guide Nyan Cat up and down the lanes.

17 January 2020

by yunaranyancat

Yo! This is my boot2root writeup for Aqua vm. For those who didn’t manage to play with it yet, download the vm and come back when you have finished or when you are stuck.

or…, if you want to play with an easier vm, check this out.

Name : Aqua

Difficulty : Intermediate to hard

Enumeration

In this case, the IP for the target machine is 10.0.2.6.

The following ports are open.

When going through the webpage, we found this page.

When clicking the “Sure, I’ll help” button, we are redirected to another page which shows a potential credential.

megumin:watashiwamegumin

When running nikto on the target we found login.php.

Login.php

Using the credential found, we managed to log in.

The URL is vulnerable to LFI (local file inclusion), as seen below.

Exploitation

Upon further enumeration, we found that port 21 can be opened using port knocking; it showed as filtered in the earlier nmap result. The knockd config file can be found at /etc/knockd.conf on the target machine.

The image below shows the result before and after port knocking.

Using the same credential, we managed to log in to the FTP service.

The content of hello.php is the same as the index page of Megumin's secret diary we saw earlier. This means that if we put our PHP reverse shell payload in this directory, we can get a shell by requesting that file through the LFI vulnerability found earlier.

The directory “production/” is writable so we will put our reverse shell in there.

The file notes revealed the absolute path of the current directory.

This means that, by going to http://10.0.2.6/home.php?showcase=../deployment/production/ourreverseshell.php , our payload will be executed.

Privilege escalation I

Upon reading the /etc/sudoers file, we found that these users can run the following commands with sudo without a password.

Aqua : /root/quotes, /root/esp, /usr/bin/gdb

Megumin : /home/aqua/Desktop/backdoor

Using the same credential, we managed to login as megumin.

Privilege escalation II

And as megumin, we can run /home/aqua/Desktop/backdoor using sudo privilege.

When rerunning nmap on the target, we found that port 1337 is open.

We then try to connect to the port using netcat and get a shell.

Privilege escalation III - Easier method


As aqua, we can run gdb with sudo without entering a password.

We can get a root shell from gdb with the following command.

sudo gdb -nx -ex '!sh' -ex quit

Privilege escalation III - Without using /usr/bin/gdb

For your information, this is my intended path to a root shell. But as I want to give a great experience to everyone, including those who didn’t know about buffer overflow on Linux, I have decided to make an easier method to get into root.

By running sudo /root/quotes, we know that the binary will print out our name and generate a random quote for us.

In aqua's home directory, we can get the source code for the /root/quotes and /root/esp binaries, which is located at this link.

We also know that /root/esp shows the address of the ESP of the machine and that ASLR is not enabled.

Based on the source code, the likely vulnerable part is the getname function, which uses strcpy. strcpy does no bounds checking, so a name longer than the buffer overwrites adjacent stack memory, and this buffer overflow can be exploited to gain a shell.
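To make the defect and its fix concrete, here is an added example, not the VM's own quotes.c (which is not reproduced on this page): an unchecked strcpy of the shape described above next to a bounded replacement. The 32-byte buffer, the names getname_unsafe and getname_safe, and the file name in the build comment are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size: the real quotes.c is not reproduced on this page. */
#define NAME_BUF_SIZE 32

/* Vulnerable shape described above, kept for contrast only: strcpy() copies
 * until src's NUL terminator, so a longer argument runs past name[] and over
 * the saved frame pointer and return address. */
void getname_unsafe(const char *src) {
    char name[NAME_BUF_SIZE];
    strcpy(name, src);                 /* no length check */
    printf("Hello %s\n", name);
}

/* Hardened form: the caller passes the destination size and oversized input
 * is rejected rather than silently truncated.
 * Returns 0 on success, -1 if the name does not fit. */
int getname_safe(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* Look for the terminator within the first dst_size bytes only. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL) {                 /* name plus terminator will not fit */
        dst[0] = '\0';
        return -1;
    }
    size_t len = (size_t)(end - src);
    memcpy(dst, src, len + 1);         /* len + 1 <= dst_size, includes NUL */
    return 0;
}

/* Build with the mitigations the lab build switches off, for example:
 *   gcc -O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fPIE -pie
 *       -Wl,-z,noexecstack quotes_fixed.c -o quotes_fixed
 * (quotes_fixed.c is an assumed file name). */
int main(int argc, char **argv) {
    char name[NAME_BUF_SIZE];
    if (argc < 2 || getname_safe(name, sizeof name, argv[1]) != 0) {
        fprintf(stderr, "name missing or longer than %d bytes\n",
                NAME_BUF_SIZE - 1);
        return 1;
    }
    printf("Hello %s\n", name);
    return 0;
}
```

Rejecting the oversized name, rather than truncating it, also keeps a sudo-allowed binary from acting on input it only partly read.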

Knowing the target's environment, we will build a debugging machine that is an exact copy of the target OS.

It seems like the target OS is 32-bit Linux Lite 3.8.

To mimic the situation on the target machine, we will download the source code for quotes.c and esp.c as root, then debug it as a non-root user.

By default, ASLR is enabled. To disable ASLR, run the following command.

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space


Then compile the binaries using the following options.

esp.c : gcc -fno-stack-protector -z execstack -no-pie esp.c -o esp

quotes.c : gcc -fno-stack-protector -z execstack -no-pie quotes.c -o quotes

Then give the non-root user sudo privilege to execute the binary and start debugging.

You can use anything you want for the exploit development but in this writeup, I will be using peda.

Open the binary in gdb by running sudo gdb -q /root/quotes .

Disassemble the main program using disas main .

Disassemble the getname function using disas getname and we can see that strcpy is being called.

Let’s try to overflow the program by running r $(python -c 'import sys;sys.stdout.write("A"*100)') , which prints 100 A’s that are passed to the program as our name argument.


It seems like we managed to overwrite the EIP. To find the offset of the EIP, we need to use a pattern of unique strings. Since peda has this functionality, we can use it.

Create a pattern of 100 characters by running pattern_create 100 pat . This will store the pattern in a file called pat.

Rerun the program and pass the pattern as the name argument.

Using the pattern_search command in peda, we find that the offset of the EIP is 44.

Our exploit should be like this :

A*44 + [EIP] + padding + shellcode

Now, to verify that we have the right offset, we need to change our buffer.

gdb-peda$ r $(python -c 'import sys;sys.stdout.write(("A"*44) + ("B"*4) + ("\x90"*32) + ("C"*23))')

For padding, we add 32 bytes of NOPs (the no-operation opcode), which do nothing, so execution keeps sliding to the next opcode until it reaches our shellcode. This is normally called a NOP sled or NOP slide.

As we can see below, after the overwritten EIP is loaded, our NOPs are on top of the stack where ESP points. Based on the disassembled getname function earlier, the last instruction is ret.

So if all is good, once ret is executed, the opcodes at the address that EIP points to will be executed, and we want those to be our NOP sled. So, we need to put the address where our NOP sled is located into our user-controlled EIP.

So let’s put a breakpoint at the ret instruction and look at the stack at the moment of the execution.

Boom! We hit our first breakpoint!

Now, we can replace our Cs after the padding with the real shellcode. This is the shellcode that we will be using. You also can use another shellcode which may spawn a reverse shell or anything else.

Rerun the program with modified payload and put a breakpoint at the end of the getname method.

Once we hit our breakpoint, run c to continue the execution.

So far so good, now run the binary outside gdb and put in our payload.

We managed to get a root shell in our debugging machine.

Now time for the tricky part. The ESP of our debugging machine and that of the target machine are not exactly the same at the moment. This means we need to modify our EIP address little by little until it hits the right place. (It’s like playing jackpot, but better.)

Debugging machine ESP address: 0xbffffbe0 –> Address A

Debugging machine EIP address: 0xbffff330 –> Address I

Aqua machine ESP address: 0xbffffc30 –> Address B


Aqua machine EIP address: ? –> Address II

We can see that B > A, which means it is possible that II > I. We will run our original payload first to see the outcome.

We will slowly increment Address I by 10h and wait for the magic to happen.

And here we are. We got a shell! And a beautiful ascii art of Megumin.

Thank you for playing with my machine and do tell me what I should improve on next time. Constructive criticism is greatly appreciated. But pls don’t attack me too much. I’m scared. >w<

Nyan Cat

Nyan Cat is the name of a YouTube video uploaded in April 2011, which became an internet meme. The video merged a Japanese pop song with an animated cartoon cat with a Pop-Tart for a torso, flying through space, and leaving a rainbow trail behind it. The video ranked at number 5 on the list of most viewed YouTube videos in 2011.[1]

Origin

Animated GIF

On April 2, 2011, the GIF animation of the cat was posted by 25-year-old Christopher Torres of Dallas, Texas, who uses the name 'prguitarman', on his website LOL-Comics.[2] Torres explained in an interview where the idea for the animation came from: 'I was doing a donation drive for the Red Cross and in-between drawings in my Livestream video chat, two different people mentioned I should draw a 'Pop Tart' and a 'cat'.' In response, he created a hybrid image of a Pop-Tart and a cat, which was developed a few days later into the animated GIF.[3] The design of Nyan Cat was influenced by Torres' pet cat Marty, who died in November 2012 from feline infectious peritonitis.[4][5]

Song

The original version of the song 'Nyanyanyanyanyanyanya!' was uploaded by user 'daniwell'[6] to the Japanese video site Niconico on July 25, 2010.[7] The song features the Vocaloid virtual singer Hatsune Miku. The Japanese word nyan is onomatopoeic, imitating the call of a cat (equivalent to English 'meow').[1] The song was later included in the rhythm game Hatsune Miku: Project DIVA F, released by Sega in August 2012.[8]

On January 30, 2011, a user named 'Momomomo' uploaded a cover of 'Nyanyanyanyanyanyanya!' featuring the UTAU voice Momone Momo.[9][10] The voice source used to create the Momone Momo voice was Momoko Fujimoto, a Japanese woman who lives in Tokyo.[11]

YouTube video

YouTube user 'saraj00n' (whose real name is Sara)[12] combined the cat animation with the 'Momo Momo' version of the song 'Nyanyanyanyanyanyanya!', and uploaded it to YouTube on April 5, 2011, three days after Torres had uploaded his animation, giving it the title 'Nyan Cat'.[1][3] The video rapidly became a success after being featured on websites including G4 and CollegeHumor. Christopher Torres said: 'Originally, its name was Pop Tart Cat, and I will continue to call it so, but the Internet has reached a decision to name it Nyan Cat, and I’m happy with that choice, too.'[3]

In March 2019, ownership of the YouTube channel hosting the original Nyan Cat video was transferred to Means TV, an anti-capitalist video streaming service.[13]

Reception

The Nyan Cat music video reached ninth place in Business Insider's top ten viral videos of April 2011, with 7.2 million total views.[14] The original YouTube video has received over 180 million views as of August 5, 2020. Nyan Cat won a Webby Award in 2012 for 'Meme of the Year'.[15]

Due to the video's popularity, many new remixes and cover versions have been made, some several hours long. There are also ringtones, wallpapers and applications created for operating systems and devices including Windows,[16] iPhone, iPad,[17] Symbian,[18] Android,[19] Windows Phone,[20] and HP webOS.[21] 'Nyan Cat Adventure', by 21st Street Games, is an officially licensed game.[12][22] An officially licensed cryptocurrency entitled 'Nyancoin' with the domain name nyanco.in (later nyan-coin.org) was launched in January 2014.[23]

Website

Christopher Torres initially criticized the website www.nyan.cat, which originally featured a similar-looking cat with the pop tart replaced by a slice of toast,[24] and the same background music. The site, which uses the .cat sponsored top-level domain, was described by Torres as 'plagiarized'.[25][26] Since 2012 the website has been operated by Torres, and shows the authentic version of the cat.[12]


Temporary DMCA takedown

On June 27, 2011, the original YouTube video was taken down from the site following a Digital Millennium Copyright Act complaint from someone claiming to be Torres. Torres immediately issued a statement on his website LOL-comics denying that he was the source of the complaint, and contacted Saraj00n and daniwell, who hold the copyright for the video and the song, in order to file a counter-complaint to YouTube. During the period that the video was unavailable for viewing, Torres received numerous abusive e-mails from people who wrongly believed that he had filed the DMCA complaint. On June 28, 2011, the Nyan Cat video was restored to YouTube.[27]

Lawsuit

In May 2013, Christopher Torres and Charles Schmidt, the creators of Nyan Cat and Keyboard Cat respectively, jointly sued 5th Cell and Warner Bros. for copyright infringement and trademark infringement over the appearance of these characters without permission in the Scribblenauts series of video games. Torres and Schmidt have registered copyrights on their characters and have pending trademark applications on the names.[28][29] Torres released a statement saying that he had tried to obtain compensation from 5th Cell and Warner Bros. for commercial use of the character, but was 'disrespected and snubbed' multiple times.[30][31] The suit was settled in September 2013, with Torres and Schmidt being paid for the use of the characters.[32]


References

  1. 'Talking Twin Babies, Nyan Cat among YouTube's top videos of 2011'. Los Angeles Times. December 20, 2011. Archived from the original on 2012-09-08. Retrieved December 20, 2011.
  2. prguitarman (April 2, 2011). 'Pop Tart / Nyan Cat!'. LOL-comics. Archived from the original on September 8, 2012. Retrieved November 13, 2011.
  3. 'POP Profile: The Guy Behind The Viral Phenomenon 'Nyan Cat''. Pop goes the Week. April 19, 2011. Retrieved October 28, 2011.
  4. 'RIP Marty --The Inspiration for Nyan Cat'. mashable.com. November 2, 2012. Retrieved November 2, 2012.
  5. 'From Meme To Memory: RIP Marty, Nyan Cat's Inspiration'. petslady.com. November 2, 2012. Retrieved November 2, 2012.
  6. 'daniwell' is variously credited on the web as daniwellP and Daniwell-P; the account that uploaded the song 'Nyanyanyanyanyanyanya!' uses the name daniwell.
  7. ニコニコ動画(原宿). 【初音ミク】Nyanyanyanyanyanyanya!【オリジナループ】. From nicovideo.jp. Archived 2011-06-06 at the Wayback Machine. July 25, 2010. Retrieved May 30, 2011.
  8. 'Watch The Nyan Cat Song In Hatsune Miku Project Diva f'. Siliconera. 9 August 2012. Retrieved 15 April 2020.
  9. Nyan Cat hit 10M views. Archived 2011-06-20 at the Wayback Machine. Vocaloidism, May 22, 2011. Retrieved November 13, 2011.
  10. 【UTAU】Nyanyanyanyanyanyanya!【桃音モモ】【ミクカバー】 ‐ ニコニコ動画(原宿). From nicovideo.jp. Archived 2011-04-26 at the Wayback Machine, January 31, 2011. Retrieved May 30, 2011.
  11. Momone Momo Official Channel. Archived 2017-04-29 at the Wayback Machine. YouTube. Retrieved November 13, 2011.
  12. 'Profiles in Geekdom: Chris Torres, Creator of Nyan Cat'. PCWorld. February 4, 2012. Archived from the original on 2012-03-08. Retrieved March 22, 2012.
  13. 'Means TV, with a boost from the Nyan Cat, launches a post-capitalist streaming service'. Theintercept.com. March 21, 2019. Retrieved April 10, 2019.
  14. 'Top viral videos of April: What's A 'Nyan Cat'?'. May 3, 2011. Retrieved November 13, 2011.
  15. 'Special Achievement: Meme of the Year: Nyan Cat'. webbyawards.com. Retrieved 13 December 2019.
  16. Brandrick, Chris (2011-07-13). 'Nyan Cat Invades Windows 7, Dances Along Progress Bars'. PCWorld. Archived from the original on 2012-09-08. Retrieved 2011-09-22.
  17. Dredge, Stuart (May 14, 2011). 'Apps rush: Nutkin, Nyan Cat and more'. The Guardian. London. Retrieved November 13, 2011.
  18. 'Nyan Cat on the Nokia Cell Phone'. Pdadevice.com. 2011-07-02. Retrieved 2011-09-22.
  19. 'Nyan Cat: Lost In Space'. Retrieved April 10, 2015.
  20. 'Nyan Cat strays into the Marketplace'. wpcentral.com. Archived from the original on October 19, 2014. Retrieved November 13, 2011.
  21. 'Nyan Cat for HP webOS'. Developer.palm.com. Archived from the original on 2012-09-08. Retrieved 2011-07-04.
  22. 'Nyan Cat Adventure (Xbox 360 – Indie Game) Review'. thegamerplex.com. Archived from the original on April 6, 2012. Retrieved December 21, 2011.
  23. Sharwood, Simon (January 23, 2014). 'Cryptocurrencies now being pooped out by cartoon cat'. The Register. Retrieved January 24, 2014.
  24. Non-Stop Nyan Cat! The original nyan.cat, archived by the Wayback Machine. Retrieved 19 January 2014.
  25. nyan.cat. Archived 2011-05-31 at the Wayback Machine. Retrieved November 13, 2011.
  26. 'Huy Hong: so tremendously humbled, thank you. Lies and thievery'. prguitarman.tumblr.com. Archived from the original on April 26, 2012. Retrieved November 13, 2011.
  27. 'I did NOT file a Youtube Copyright Complaint'. prguitarman.com. June 27, 2011. Archived from the original on September 8, 2012. Retrieved November 13, 2011.
  28. 'Nyan Cat and Keyboard Cat creators sue Warner Bros'. BBC News. 2013-05-02. Archived from the original on 2013-05-04. Retrieved 2013-05-02.
  29. Adi Robertson (2013-02-12). 'Nyan Cat and Keyboard Cat creators sue 'Scribblenauts' studio for using their memes'. The Verge. Archived from the original on 2013-05-05. Retrieved 2013-05-03.
  30. 'Nyan Cat Creator Comments on Warner Bros. Lawsuit'. GamePolitics. 2013-05-07. Retrieved 2013-05-07.
  31. Phillips, Tom (2013-05-03). 'Warner Bros. and 5th Cell targeted by Keyboard Cat, Nyan Cat lawsuit • News •'. Eurogamer.net. Archived from the original on 2013-06-25. Retrieved 2013-06-27.
  32. Van Syckle, Katie (2013-09-26). 'Keyboard Cat and Nyan Cat Come Out Ahead in Lawsuit Against Warner Bros'. Nymag.com. Archived from the original on 2013-09-30. Retrieved 2013-10-02.

External links


  • Nyan Cat on LOL-Comics, the original GIF animation by prguitarman (Christopher Torres), April 2, 2011.
  • Nyan Cat original video on YouTube by saraj00n, April 5, 2011.
