Howdy internet friend, and welcome back to my blog. I appreciate you taking the time to check this out. Today I'm going to share with you about security research. I'm going to write specifically about fuzzing and my process for getting started. That will mostly take the form of sharing how I took a machine that was sitting in my garage literally gathering dust and will soon be using it for breaking software. If that is something you are interested in, read on! If you aren't, you can just jump to the dog picture
First thing I had to do was literally dust off the machine. We live in the desert and in the short amount of time we've been here, there was a substantial amount of dust on the box. Then I had to check with my wife and make sure that she didn't need any data from the harddrive. There are two other towers somewhere in the garage, but I have no idea where. I was able to find one box, and it had a broken Windows 7 image and some data from my wife's senior year of college. She said that she had the data in other places, and gave me the go-ahead to wipe the box.
I happened to have an old USB drive with a Debian 10 image on it, so I wiped the machine and installed it. I had seen a tweet earlier in the week about some cool features in Fedora 35 and I thought I would give it a spin. While the installer was very slick, I actually thought it was too slick - and let me explain why. First issue was that I installed it twice. I didn't believe the little popup window that told me it was installed because it didn't give me any options about what software packages to install. Debian 10 let me pick exactly what I wanted in terms of an X window manager, web server, SSH server, or additional packages. Fedora just gave me Gnome. It also didn't ask me to set up a username/password combo, and that seemed really strange to me. It just said "restart the machine and the changes will take effect." I didn't want to reset the machine without telling it my username and password (or what I wanted them to be) as well as the other options, but I decided to just role the dice and reset the machine.
When the machine came back, it asked me to set up my credentials but it didn't give me a choice about anything else. I can't remember if I've blogged about it in the past, but I do not like Gnome. It is for the same reason that I don't like KDE - I feel like it gets in my way by trying to help me too much. I prefer XFCE because it feels much less like it is getting in my way. It's also much easier to customize (at least for me). Could I learn a new X window system? Yeah! I've talked about it before, but my main machine for the last year and change has been a Macbook Pro. However, now that I am back on a Linux machine (where I am writing this post), I don't want to have to learn an entirely new system. It took less than twenty minutes to get a setup where I am off and running.
You might be thinking to yourself, "Alright dude, you said you don't like Gnome, and thus you probably aren't happy with Fedora." You are totally right! So I reformatted the USB drive and decided to just install Debian 11. Once again the install was smooth and easy, I could pick exactly what software I wanted installed, and set up all my stuff. There was one tricky issue, and that was in setting up sudo access. I think I've written about this before, but in Debian 11 it is slightly different to set up sudo access for the user account.
I read that there is a little trick where using the root password blank on setup gives sudo access to the first user, but I didn't know that when I was going through the install process. Instead I had to use the command "su -" rather than just regular "su" to add my user to the sudoers group. Then I had to go change the /etc/sudoers file to include my user, I think it's because whenever you try to run sudo it checks to see if the user is in the /etc/sudoers file.
Once I had that sorted out, the next order of business was to install AFL. I used the version that comes bundled with the apt package manager, and I may need to revist that decision going forward. My next step is to think about a target. I don't know if I am going to share that part of the process until I start to get some results. But if you are following along and thinking about how you might go about doing fuzzing research, this is the part where you would pause and think about what you want to pick on.
I may or may not use AFL for my fuzzing. I might try to write something custom because I think there might be even more benefit from that. In the meanwhile, I will be sure to keep this space updated with my work. I am also considering using this GNU/Linux environment to update the format for whateversauce.com but even if I do, I am still going to keep posting here as well. Whateversauce.com uses Hugo and markdown for static pages and the format it has right now is something I made custom but I don't like. It looks ugly, truth to tell. One way I might end up going is to use this as a staging box for some updates to that page, then go back to doing research. If I do, there will be posts about it!
Alright internet friend, you made it to the end. As a reward, here is a picture of my two dogs. Thanks for reading to the end. I hope you have a very nice day and a most excellent rest of your week. Cheers!
Here's how you can add an image: