chapters: Use linting on Markdown files

Apply linting (via `markdownlint-cli`) to Markdown files.

Signed-off-by: Razvan Deaconescu <[email protected]>

COPYING.md

@@ -7,7 +7,7 @@ A copy of each license is below.
 
 Copy of CC BY-SA 4.0:
 
-```
+```text
 Attribution-NonCommercial-ShareAlike 4.0 International
 
 =======================================================================
@@ -449,7 +449,7 @@ Creative Commons may be contacted at creativecommons.org.
 
 Copy of BSD-3-Clause:
 
-```
+```text
 Copyright 2021 University POLITEHNICA of Bucharest
 
 Redistribution and use in source and binary forms, with or without

chapters/binary-analysis/dynamic-analysis/reading/README.md

@@ -414,7 +414,7 @@ Some of the advantages of using pwngdb include:
 An alternative to pwndbg is [Gef](https://github.com/hugsy/gef "https://github.com/hugsy/gef").
  However, this tutorial is designed with Pwndbg in mind.
 
-#### Pwndbg Commands
+### Pwndbg Commands
 
 `pdis` command gives a pretty output that is similar to what the `disas` command in GDB prints:
 
@@ -522,7 +522,7 @@ That is why examining the register or the memory location gives the same output.
 For more information on various Pwndbg commands you can always visit the Pwndbg help through the `pwndbg` command It is always a better idea to use Pwndbg commands when available.
 However you should also know the basics of using GDB as well.
 
-#### Altering variables and memory with Pwndbg and GDB
+### Altering variables and memory with Pwndbg and GDB
 
 In addition to basic registers, GDB has a two extra variables which map onto some of the existing registers, as follows:
 
@@ -701,9 +701,7 @@ In essence what they do is save the reference of the old container (`push ebp`)
 
 For a visual explanation please see below:
 
-<p align="center">
-    <img src="https://security.cs.pub.ro/summer-school/wiki/_media/session/s5_frame_pointer_picture.jpg?w=300&tok=e38db5" alt="Sublime's custom image" />
-</p>
+![Frame pointer](https://security.cs.pub.ro/summer-school/wiki/_media/session/s5_frame_pointer_picture.jpg)
 
 As you can see the EBP register always points to the stack address that corresponds to the beginning of the current function's frame.
 That is why it is most often referred to as the frame pointer.
@@ -878,9 +876,7 @@ The ret instruction could be translated into `pop eip`.
 
 The visual depiction of how the stack looks while a program is executing can be found in section 2 but will be included here as well:
 
-<p align="center">
-    <img src="https://security.cs.pub.ro/summer-school/wiki/_media/session/stack-convention.png?w=600&tok=d710e1" />
-</p>
+![Stack Convention](https://security.cs.pub.ro/summer-school/wiki/_media/session/stack-convention.png)
 
 ### Next Section Preview: Buffer Overflows
 
@@ -891,10 +887,7 @@ This takes place when a buffer overflows its boundaries and overwrites the retur
 
 A typical example of buffer overflows can be seen in the following picture:
 
-<p align="center">
-    <img src="https://security.cs.pub.ro/summer-school/wiki/_media/session/s5_buffer_overflow.jpg?w=500&tok=810778" />
-</p>
-
+![Buffer Overflow](https://security.cs.pub.ro/summer-school/wiki/_media/session/s5_buffer_overflow.jpg)
 
 ## Challenges
 

chapters/binary-analysis/executables-and-processes/drills/06-challenge-matryoshka/README.md

@@ -10,7 +10,9 @@ There's something more in the executable, isn't there?
 Vulnerability
 -------------
 
-There is a global variable storing an ELF file. The participant will retrieve it, find out what the XOR key is by matching the ELF header, extract the ELF file and run it. The executable is stripped to make things a little bit difficult for the participant.
+There is a global variable storing an ELF file.
+The participant will retrieve it, find out what the XOR key is by matching the ELF header, extract the ELF file and run it.
+The executable is stripped to make things a little bit difficult for the participant.
 
 Exploit
 -------
@@ -20,7 +22,8 @@ Script in `./sol/exploit.py`
 Environment
 -----------
 
-Nothing special. The executable file is to be downloaded by the participant.
+Nothing special.
+The executable file is to be downloaded by the participant.
 
 Deploy
 ------

chapters/binary-analysis/executables-and-processes/reading/README.md

@@ -392,11 +392,11 @@ Thus, a read access at such a location will violate the permission of that regio
 Examples:
 
 - Dereferencing a `NULL` pointer will try to read from `0x00000000` which is not (usually) mapped => `SIGSEGV` (read access on none)
-- Writing after the end of a heap buffer (if the heap buffer is exactly at the end of a mapping) will determine writes into unmapped pages => SIGSEGV (write access on none)
-- Trying to write to `.rodata` => SIGSEGV (write access on read only)
-- Overwriting the stack with "AAAAAAAAAAAAAAAAAAA" will also overwrite the return address and make the execution go to `0x41414141` => SIGSEGV (execute access on none)
-- Overwriting the stack and return address with another address to a shellcode on the stack => SIGSEGV (execute access on read/write only)
-- Trying to rewrite the binary (`int *v = main; *v = 0x90909090;`) => SIGSEGV (write access on read/execute only)
+- Writing after the end of a heap buffer (if the heap buffer is exactly at the end of a mapping) will determine writes into unmapped pages => `SIGSEGV` (write access on none)
+- Trying to write to `.rodata` => `SIGSEGV` (write access on read only)
+- Overwriting the stack with "AAAAAAAAAAAAAAAAAAA" will also overwrite the return address and make the execution go to `0x41414141` => `SIGSEGV` (execute access on none)
+- Overwriting the stack and return address with another address to a shellcode on the stack => `SIGSEGV` (execute access on read/write only)
+- Trying to rewrite the binary (`int *v = main; *v = 0x90909090;`) => `SIGSEGV` (write access on read/execute only)
 
 ## Tutorials
 
@@ -586,8 +586,8 @@ Below we will discuss the less evident aspects of the above output
 
 Again, `readelf` is used with minimum syntax:
 
-```
-readelf -l program
+```console
+$ readelf -l program
 
 Elf file type is EXEC (Executable file)
 Entry point 0x8048330
@@ -1013,7 +1013,9 @@ There should be a flag message printed in case you solve it correctly.
 You will need to modify the executable.
 We recommend you install and use [Bless](https://packages.ubuntu.com/bionic/bless).
 
-What actions does the program do? What functions does it invoke? What should it invoke?
+What actions does the program do?
+What functions does it invoke?
+What should it invoke?
 
 Follow the actions from the entry point in the ELF file and see what is the spot where the program doesn't do what it should.
 
@@ -1030,17 +1032,17 @@ You are given a binary that was stored on a USB stick in space where it was hit
 Fortunately, because the executable is so small, the only area damaged is the ELF header.
 Fix it and run it!
 
-The structure of an ELF file is briefly presented here: http://i.imgur.com/m6kL4Lv.png
+The structure of an ELF file is briefly presented [here](http://i.imgur.com/m6kL4Lv.png)
 
-A more detailed explaination of the ELF header is presented here: https://en.wikipedia.org/wiki/Executable_and_Linkable_Format#Program_header
+A more detailed explaination of the ELF header is presented [here](https://en.wikipedia.org/wiki/Executable_and_Linkable_Format#Program_header)
 
 The entry point address should be `0x8048054`.
 
-Review this tutorial on creating a minimal ELF file: http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
+Review [this tutorial](http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html) on creating a minimal ELF file.
 
 ### Further Pwning
 
-http://crackmes.cf/users/geyslan/crackme.02.32/ is a challenge that will test your knowledge from the first three sessions.
+[This](http://crackmes.cf/users/geyslan/crackme.02.32/) is a challenge that will test your knowledge from the first three sessions.
 The password for the archive is `crackmes.de`.
 
 ### Further Reading

chapters/binary-analysis/exploration-tools/reading/README.md

@@ -1,27 +1,5 @@
 # Exploration Tools
 
-<details open>
-    <summary>Table of contents</summary>
-
-   * [Tutorials](#tutorials)
-      * [01. Tutorial - Poor man's technique: strings](#01-tutorial---poor-mans-technique-strings)
-      * [02. Tutorial - Execution tracing (ltrace and strace)](#02-tutorial---execution-tracing-ltrace-and-strace)
-      * [03. Tutorial - Symbols: nm](#03-tutorial---symbols-nm)
-      * [04. Tutorial - Library dependencies](#04-tutorial---library-dependencies)
-      * [05. Tutorial - Network: netstat and netcat](#05-tutorial---network-netstat-and-netcat)
-      * [06. Tutorial - Open files](#06-tutorial---open-files)
-   * [Challenges](#challenges)
-      * [07. Challenge - Perfect Answer](#07-challenge---perfect-answer)
-      * [08. Challenge - Lots of strings](#08-challenge---lots-of-strings)
-      * [09. Challenge - Sleepy cats](#09-challenge---sleepy-cats)
-      * [10. Challenge - Hidden](#10-challenge---hidden)
-      * [11. Challenge - Detective](#11-challenge---detective)
-      * [Extra](#extra)
-      * [Further pwning](#further-pwning)
-   * [Further Reading](#further-reading)
-
-</details>
-
 ## Tutorials
 
 When faced with a binary with no source or parts of the source missing you can infer some of its functionalities based upon some basic reconnaissance techniques using various tools.
@@ -149,9 +127,11 @@ Symbols are basically tags/labels, either for functions or for variables.
 If you enable debugging symbols you will get information on all the variables defined but normally symbols are only defined for functions and global variables.
 When stripping binaries even these can be deleted without any effect on the binary behavior.
 Dynamic symbols, however, have to remain so that the linker knows what functions to import:
-```
+
+```console
 $ file xy
 xy: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.16, not stripped
+
 $ nm xy
 0804a020 B __bss_start
 0804a018 D __data_start
@@ -188,6 +168,7 @@ $ nm -D xy
          U __libc_start_main
          U puts
 ```
+
 Let's take a look at another crackme that combines crackme1 and crackme2.
 What would you do if you couldn't use neither strings nor ltrace to get anything useful?
 
@@ -346,8 +327,8 @@ But it is not the case in our example.
 For dependencies without slashes, the search order is as follows:
 
 - `DT_RPATH` attribute in the `.dynamic` section of the executable, provided there is no `DT_RUNPATH`; this is deprecated
-- `LD_LIBRARY_PATH` environment variable, which is similar to PATH; does not work with SUID/SGID programs
-- `DT_RUNPATH` attribute in the .dynamic section of the executable
+- `LD_LIBRARY_PATH` environment variable, which is similar to `PATH`; does not work with `setuid` / `setgid` programs
+- `DT_RUNPATH` attribute in the `.dynamic` section of the executable
 - `/etc/ld.so.cache`, generated by [ldconfig](https://man7.org/linux/man-pages/man8/ldconfig.8.html)
 - `/lib` and then `/usr/lib`
 
@@ -377,6 +358,7 @@ $ LD_DEBUG=libs /bin/ls
      11451:     search cache=/etc/ld.so.cache
      11451:      trying file=/lib64/libattr.so.1
 ```
+
 The `LD_DEBUG` environment variable makes the dynamic loader be verbose about what it's doing.
 Try `LD_DEBUG=help` if you're curious about what else you can find out.
 We can see in the output listed above that all the libraries are found via the loader cache.
@@ -492,9 +474,9 @@ tcp6       0      0 :::631                  :::*                    LISTEN
 ```
 
 Here we're looking at all the programs that are listening (`-l`) on a TCP port (`-t`).
-We're also telling netcat not to resolve hosts (`-n`) and to show the process that is listening (`-p`).
-We can see that our server is listening on port 31337.
-Let's keep that in mind and see how the client behaves.
+We're also telling `netcat` not to resolve hosts (`-n`) and to show the process that is listening (`-p`).
+We can see that our server is listening on port `31337`.
+Let's keep that in mind and see how the client behaves:
 
 ```console
 $ ./client
@@ -599,7 +581,7 @@ sending 'anaaremere'
 received 'ANAAREMERE'
 ```
 
-We can do the same using netcat as the client:
+We can do the same using `netcat` as the client:
 
 ```console
 $ nc localhost 9999
@@ -609,12 +591,12 @@ ANAAREMERE
 
 #### Doing it Only with netcat
 
-We can still simulate a network connection using netcat only, both for starting the server and for runing the client.
+We can still simulate a network connection using `netcat` only, both for starting the server and for runing the client.
 
 Start the server with:
 
 ```console
-$ nc -l -p 4444
+nc -l -p 4444
 ```
 
 Now run the client and send messages by writing them to standard input:
@@ -634,31 +616,33 @@ If you want to send a large chunk of data you can redirect a file.
 Start the server again:
 
 ```console
-$ nc -l -p 4444
+nc -l -p 4444
 ```
 
 and now send the file to it:
 
 ```console
-$ cat /etc/services | nc localhost 4444
+cat /etc/services | nc localhost 4444
 ```
+
 It's now on the server side.
 
 You can also do it with UDP, instead of TCP by using the `-u` flag both for the server and the client.
 Start the server using:
 
 ```console
-$ nc -u -l -p 4444
+nc -u -l -p 4444
 ```
+
 And run the client using:
 
 ```console
-$ cat /etc/services | nc -u localhost 4444
+cat /etc/services | nc -u localhost 4444
 ```
 
-That's how we use netcat (the network swiss army knife).
+That's how we use `netcat` (the network swiss army knife).
 
-You can also look into [socat](https://linux.die.net/man/1/socat) for a complex tool on dealing with sockets.
+You can also look into [`socat`](https://linux.die.net/man/1/socat) for a complex tool on dealing with sockets.
 
 ### 06. Tutorial - Open files
 
@@ -751,7 +735,7 @@ There seems to be a named pipe used by the executable.
 Let's look at it:
 
 ```console
-$ more /tmp/crackme6.fifo
+more /tmp/crackme6.fifo
 ```
 
 Now go back again at the `crackme6` console and type `start`.
@@ -794,7 +778,7 @@ For this task use the [sleepy](./activities/09-challenge-sleepy-cats/src) binary
 
 The `sleep()` function takes too much.
 Ain't nobody got time for that.
-We want the flag NOW!!
+We want the flag NOW!
 
 Modify the binary in order to get the flag.
 

chapters/binary-analysis/static-analysis/reading/README.md

@@ -185,12 +185,13 @@ mov     dword ptr [esp+434h], 1
 
 Next, we see the first branching:
 
-```
+```asm
 cmp     [ebp+arg_0], 2
 jz      short loc_8049068
 ```
 
-**Remember!** On 32 bit systems, `[ebp + 0]` is the saved `ebp`, `[ebp + 4]` is the return address and `[ebp + 8]` is the first argument to the current function.
+**Remember**:
+On 32 bit systems, `[ebp + 0]` is the saved `ebp`, `[ebp + 4]` is the return address and `[ebp + 8]` is the first argument to the current function.
 IDA follows a slightly different naming convention: `[ebp + 8]` is named `[ebp+arg_0]`. `[ebp + 12]` is named `[ebp+arg_4]` etc.
 You can rename those `arg_*` constructs if you want, anyway.
 
@@ -233,7 +234,8 @@ if(argc == 2) {
 ```
 
 Now let's do something a bit more advanced: we want to identify the 2 commands that the server accepts by using static analysis.
-How do we approach this problem as fast as possible? We already know that the server accepts multiple clients.
+How do we approach this problem as fast as possible?
+We already know that the server accepts multiple clients.
 It can do this through forking.
 Let's see where `fork` is called in the program.
 First find the `fork` function on the left panel and select it.
@@ -327,14 +329,14 @@ These settings only display the important classes and namespaces that make up ea
 
 More information about name mangling can be obtained at:
 
-- https://en.wikipedia.org/wiki/Name_mangling
-- on demand demangling: http://demangler.com/ or c++filt
+- <https://en.wikipedia.org/wiki/Name_mangling>
+- on demand demangling: <http://demangler.com/> or `c++filt`
 
 You can find out more information about the internals of C++ in general, using the following references:
 
-- https://ocw.cs.pub.ro/courses/cpl/labs/06 (in Romanian)
-- https://www.blackhat.com/presentations/bh-dc-07/Sabanal_Yason/Paper/bh-dc-07-Sabanal_Yason-WP.pdf
-- http://www.hexblog.com/wp-content/uploads/2011/08/Recon-2011-Skochinsky.pdf
+- <https://ocw.cs.pub.ro/courses/cpl/labs/06> (in Romanian)
+- <https://www.blackhat.com/presentations/bh-dc-07/Sabanal_Yason/Paper/bh-dc-07-Sabanal_Yason-WP.pdf>
+- <http://www.hexblog.com/wp-content/uploads/2011/08/Recon-2011-Skochinsky.pdf>
 
 ## Challenges
 
@@ -344,14 +346,18 @@ The `crypto_crackme` binary is an application that asks for a secret and uses it
 In order to solve this task, you have to retrieve the message.
 
 - Open the binary using IDA and determine the program control flow.
-  What is it doing after fetching the secret? It seems to be consuming a lot of CPU cycles.
+  What is it doing after fetching the secret?
+  It seems to be consuming a lot of CPU cycles.
   If possible, use IDA to patch the program and reduce the execution time of the application.
   Use `Edit -> Patch program -> Change byte...`
 - Next, it looks like the program tries to verify if the secret provided is correct.
-  Where is the secret stored? Is it stored in plain text? Find out what the validation algorithm is.
+  Where is the secret stored?
+  Is it stored in plain text?
+  Find out what the validation algorithm is.
 - Now break it and retrieve the message!
 
-**Important!**: Unfortunately, the virtual machine doesn't support the libssl1.0.0 version of SSL library.
+**Important!**:
+Unfortunately, the virtual machine doesn't support the `libssl1.0.0` version of SSL library.
 Use the library files in the task archive and run the executable using:
 
 ```console
@@ -373,5 +379,6 @@ Note that since it's not directly called, IDA doesn't think of it as a procedure
 Figure out a way around this.
 When you find that code block you can press `p` on the first instruction to help IDA see it as a procedure.
 
-**Hint**: In order to exploit the vulnerability in Ubuntu, you should use netcat-traditional.
-You can switch from netcat-openbsd to netcat-traditional using the steps described [here](https://stackoverflow.com/questions/10065993/how-to-switch-to-netcat-traditional-in-ubuntu).
+**Hint**:
+In order to exploit the vulnerability in Ubuntu, you should use `netcat-traditional`.
+You can switch from `netcat-openbsd` to `netcat-traditional` using the steps described [here](https://stackoverflow.com/questions/10065993/how-to-switch-to-netcat-traditional-in-ubuntu).