Matt Spraggs - Matt Spraggs

Go, Strings and Timing Attacks

Matt Spraggs — Sat, 31 Jan 2026 00:00:00 +0000

I actually quite like Go. Sure, it's not perfect, but I really like how brutally simple it is. There's very few frills, and this makes code easy to understand, most of the time.

One of the things I find really interesting about Go is how it implements string comparsions. Let's say you're building an internet-facing application with user accounts. The site doesn't matter so much as long as there's some user input that must be checked for validity. It could be a discount code, or perhaps you want to check whether a particular username exists already. The crucial point is that, for whatever reason, you've decided to do this validation in Go¹.

At some point you may need to compare two strings, either to authenticate a user or for some other reason. This is pretty simple in Go:

var luckyGiveaway = "GIMMEFREESTUFF"

type Order struct {
    // ...
    DiscountCode string
}

func validateDiscount(order …

StackSmash CTF: Refreshments

Matt Spraggs — Sat, 25 Oct 2025 00:00:00 +0100

Hack The Box ran a CTF earlier in the year based exclusively around binary exploitation. StackSmash CTF contained six challenges across two and a bit days.

This is a deep dive into Refreshments, rated hard for difficulty. I'd be lying if I said I solved this challenge without help, but there's a few aspects to the official write-up that aren't really covered anywhere, so I figured it might be useful to document those here.

The Challenge

As with all other challenges in StackSmash, Refreshments is a binary exploitation challenge. Let's start with the usual binary analyses:

$ checksec refreshments
[*] './refreshments'
    Arch:       amd64-64-little
    RELRO:      Full RELRO
    Stack:      Canary found
    NX:         NX enabled
    PIE:        PIE enabled
    RUNPATH:    b'./glibc/'
    SHSTK:      Enabled
    IBT:        Enabled
    Stripped:   No
$ ./glibc/ld-linux-x86-64.so.2 glibc/libc.so.6 | grep version
GNU C Library (GNU libc) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU …

Hack The Box: Blue

Matt Spraggs — Tue, 31 Oct 2023 00:00:00 +0000

It's been a while, but this is my last write-up of the machines in the Hack The Box Beginner Track. This machine is called Blue.

Enumeration

As with several of the other challenges, all we're given to start with is the IP address of the target. Let's start with a simple nmap port scan:

$ nmap -A -Pn blue.htb
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-23 23:03 BST
Nmap scan report for blue.htb (10.129.126.4)
Host is up (0.045s latency).
rDNS record for 10.129.126.4: blue
Not shown: 991 closed tcp ports (conn-refused)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp …

Hack The Box: Snow Scan

Matt Spraggs — Tue, 22 Aug 2023 00:00:00 +0100

Thought Machine recently entered the Hack The Box (HTB) Business CTF 2023. This is a capture the flag (CTF) contest open to companies. Keen to put my skills to the test, I naively joined our small team.

The contest was organised by category, with challenges ranging from hacking (emulated) SCADA devices (industrial control systems) to breaking blockchain systems.

Perhaps unsurprisingly, the challenges were waaaay harder than I expected. There were various difficulty levels, but they were pretty far removed from the levels on regular HTB machines and challenges.

Needless to say, I didn't contribute much to my team's effort. I completed the Drilling Platform challenge and most of Intelligence Service. I started on the Snow Scan challenge as well, but I ran out of time.

Being an "easy" challenge, I naively expected it to fall well within my abilities. Surely I could do this? After the main contest finished, what … Read more

Hack The Box: Under Construction

Matt Spraggs — Tue, 25 Jul 2023 00:00:00 +0100

This is my seventh write-up of the Hack The Box Beginner Track. This is the first machine or challenge in the track labelled "medium" difficulty. The others have so far been "easy", so this could be a bit more involved than what we've seen so far. Let's dive in.

The Challenge

As with You Know 0xDiablos and Weak RSA, we're given a zip archive to download, along with an IP/port combination. The former appears to contain the source for a Node.js web app. Visiting the IP/port, we see the following in the browser:

We don't have an account to log in with, so let's try registering a user. Surprisingly, this works, and we can now log in with the new account:

Looks like the site is still a work in progress. Using the source code, perhaps there's a weakness we can leverage to get past this page … Read more

Hack The Box: Netmon

Matt Spraggs — Tue, 23 May 2023 00:00:00 +0100

This is my sixth write-up of the Hack The Box Beginner Track. This challenge is called Netmon.

Enumeration

Similarly to Lame and Jerry, we're given the IP address of the machine we need to break into. As in those cases, we start by running nmap against the target:

$ nmap -A -Pn netmon.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-03 22:47 BST
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 20.00% done; ETC: 22:48 (0:00:24 remaining)
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.27% done; ETC: 22:47 (0:00:00 remaining)
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 95.00% done; ETC: 22:47 (0:00:00 remaining)
Nmap scan report …

Hack The Box: You Know 0xDiablos

Matt Spraggs — Thu, 27 Apr 2023 00:00:00 +0100

I've been steadily working my way through the Hack The Box Beginner Track, writing each challenge up here as I go. This is the fifth write-up. So far the challenges have ranged from exploiting well-known vulnerabilities in Windows to breaking weak RSA public keys.

The Challenge

This challenge is a little different to the ones we've covered on the track so far. We're given a file to download and an IP/port to attack. Downloading the file, named vuln, it looks like a Linux executable:

$ file vuln
vuln: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=ab7f19bb67c16ae453d4959fba4e6841d930a6dd, for GNU/Linux 3.2.0, not stripped

Intriguing... We can use objdump to examine the executable's symbols:

$ objdump -t vuln

vuln:     file format elf32-i386

SYMBOL TABLE:
...
00000000       F *UND*    00000000              printf@@GLIBC_2.0
00000000       F *UND*    00000000              gets@@GLIBC_2.0
08049391 g …

Hack The Box: Jerry

Matt Spraggs — Wed, 12 Apr 2023 00:00:00 +0100

This is my fourth write-up in a series on the Hack The Box Beginner Track. This challenge is called Jerry, and it's a lot more like a classic CTF than the previous two in my view, Find the Easy Pass and Weak RSA.

Enumeration

Firing up the box and our attack machine, let's start with a straightforward Nmap scan:

$ nmap -Pn -A -T4 jerry.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-11 16:11 GMT
Nmap scan report for jerry.htb (10.129.24.108)
Host is up (0.014s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/7.0.88
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned …

Hack The Box: Weak RSA

Matt Spraggs — Fri, 31 Mar 2023 00:00:00 +0100

This is the third in a series of write-ups of challenges from the Hack The Box Beginner Track.

The Challenge

The previous challenge, Find The Easy Pass, gave us a Windows executable to reverse engineer. In this sense it didn't align with my expectations of what a CTF involves.

This challenge, Weak RSA, is similar in the sense that we're given two files to download. This time though, neither of them are executable:

$ file key.pub
key.pub: ASCII text
$ file flag.enc 
flag.enc: data

Looking at the contents of key.pub, it looks like an RSA public key:

$ cat key.pub 
-----BEGIN PUBLIC KEY-----
MIIBHzANBgkqhkiG9w0BAQEFAAOCAQwAMIIBBwKBgQMwO3kPsUnaNAbUlaubn7ip
4pNEXjvUOxjvLwUhtybr6Ng4undLtSQPCPf7ygoUKh1KYeqXMpTmhKjRos3xioTy
23CZuOl3WIsLiRKSVYyqBc9d8rxjNMXuUIOiNO38ealcR4p44zfHI66INPuKmTG3
RQP/6p5hv1PYcWmErEeDewKBgGEXxgRIsTlFGrW2C2JXoSvakMCWD60eAH0W2PpD
qlqqOFD8JA5UFK0roQkOjhLWSVu8c6DLpWJQQlXHPqP702qIg/gx2o0bm4EzrCEJ
4gYo6Ax+U7q6TOWhQpiBHnC0ojE8kUoqMhfALpUaruTJ6zmj8IA1e1M6bMqVF8sr
lb/N
-----END PUBLIC KEY-----

We can confirm this with OpenSSL:

$ openssl rsa -pubin -in key.pub -text -noout
RSA Public-Key: (1026 bit)
Modulus:
    03:30:3b:79:0f:b1:49:da:34:06:d4 …

Hack The Box: Find The Easy Pass

Matt Spraggs — Sun, 22 Jan 2023 00:00:00 +0000

This is the second in a series of write-ups of challenges from the Hack The Box Beginner Track.

In my first write-up, Lame, I talked about how capture the flag (CTF) challenges can generally be broken down into three phases: enumeration, gaining a foothold, and privilege escalation.

This challenge, Find The Easy Pass, is a bit different from a regular CTF, because there is no machine to break into. Instead, we're given a Windows executable file.

Leaving aside the question of whether it's safe to run random executables you downloaded from the internet, this is what appears when the file is launched:

Entering a possible password into the text box and clicking Check Password tells us whether we have the right password:

Given the name of the challenge, it's pretty clear that the password is the flag we have to find.

We have a program that we can use to … Read more

Hack The Box: Lame

Matt Spraggs — Mon, 02 Jan 2023 00:00:00 +0000

I've been doing a lot of Hack The Box lately. For those who don't know, Hack The Box (HTB) is a playground for would-be hackers to test their skills against machines with various security vulnerabilities. The point isn't to use these skills for nefarious or illegal purposes. Instead, the aim is to train people to think more critically about potential security weaknesses in software so that they can design and implement systems with security in mind. Each machine on HTB has a digital flag (typically a file on the machine containing some secret string) that the hacker must capture. This type of set up is called capture the flag, or CTF.

Newcomers to HTB can start with the Starting Point machines to familiarise themselves with the CTF process. Generally speaking, gaining admin privileges on a target machine is achieved in three stages:

Enumeration - determining the services the target is running …

West Coast Road Trip: Highlights

Matt Spraggs — Thu, 29 Dec 2022 00:00:00 +0000

With travel restrictions easing after COVID-19, we went on a long-overdue honeymoon road trip to the western United States.

Rust + WebAssembly + JavaScript = Joy

Matt Spraggs — Sun, 12 Apr 2020 00:00:00 +0100

Despite the title, this blog post doesn't start with Rust. Instead, it starts with the tradgedy of the ongoing global COVID-19 pandemic. Numberphile had recently uploaded a video about the SIR model, which describes the spread of an infectious disease. The simple yet powerful nature of the model and its relevance to current events struck a chord with me: I had to code this up for myself.

Python seemed like the best candidate for the job, given the existence of numerical libraries such as NumPy and SciPy. My first iteration needed just 35 lines of code, a testament to Python's expressiveness and the well-designed library interfaces.

The next step seemed clear to me: how cool would it be to put this on the web? Sure, it's a simple model, but one of great relevance given recent events, so maybe it might interest some.

I weighed my options. I had a … Read more

Coming to you Live from a Cloudfront Server Near you!

Matt Spraggs — Thu, 18 Jul 2019 23:36:00 +0100

Wow... it's been a year since I last wrote here.

Awkward.

I do have some excuses. This time last year I was in the middle of getting ready to get married. It's not exactly something you can do over a weekend. Unless you get married in Vegas. Maybe. Anyway, we didn't go to Vegas.

Not long after that I started job-hunting again after feeling the urge for something new. Like so many things, this expanded to fill almost all of my free time, since the application process for development roles is apparently more stressful than doing a presentation in front of thousands of people. Or maybe that's just me? Not sure. In any case, it was a big time sink.

Then we moved flat. I was offered a job in London, and commuting from Southampton was about as much fun as trimming your toenails with a hammer, so my wife … Read more

Loxx: Implementing Bob Nystrom's Lox in C++14

Matt Spraggs — Tue, 29 May 2018 22:24:03 +0100

Last autumn I discovered Crafting Interpreters, a book by Bob Nystrom that gives readers a comprehensive guide to writing interpreters for a toy programming language, Lox. To me the world of compilers and interpreters has always been a total mystery. Okay, so I know what a syntax tree is, and I've occassionally even been brave enough to look at the assembly output for a program I've written. Also doesn't parsing need to happen at some point? Anyway, I was pretty intrigued, so in I dived.

Bob's book is divided into two parts. The first details how to write a tree-walking interpreter in Java. Code is parsed and a syntax tree is generated from it, which is then evaluated in-place. By his own admission, this isn't a particularly efficient way to evaluate code, so the second part of the book describes how to write a stack-based virtual machine in C, which … Read more

Embedded Software Practices: My Take

Matt Spraggs — Wed, 25 Oct 2017 19:55:32 +0100

A friend and I were discussing the relative merits of LabVIEW the other day. Coming from a theoretical, software-focused background, I struggle with LabVIEW, which I think hides too many of the underlying workings of a program from the user for the sake of simplicity. My friend, on the other hand, does a lot of experimental engineering work and loves that LabVIEW frees him from the need to look at line after line of code.

This got me thinking: should engineers, particularly those working in electronics, be more prepared to work with low-level code? I mean obviously they work with it already, but my (admittedly limited) experience so far is that few engineers take the time to engineer software that is clear, testable and maintainable. In a world where both hardware and software are advancing at an exponential rate, shouldn't we be cultivating engineers who at least appreciate the need … Read more

Windows 10/Microsoft Rant

Matt Spraggs — Fri, 12 May 2017 15:58:38 +0100

Note: This shitpost was originally going to be titled "Windows 10: My Take", but I changed it, for reasons that should become immediately apparent in the next paragraph.

You know what really pisses me off with Microsoft's latest OS offering? Windows fricking update. Specifically: why Microsoft hasn't addressed the age-old problem of having updates that can only be installed during the shutdown/restart process.

Okay, so it's true that I have just been through this little lesson in tedium, all because I had to restart my computer for unrelated reasons, but still. Given that, in the words of Tony Prophet, Microsoft's corporate vice president, "Windows 10 is not going to be an incremental step from Windows 8.1," you'd think this is one of the issues they could address. It's true that I have little to no understanding of the internals of Windows, and I appreciate that part of Tony's … Read more

"New" Job!

Matt Spraggs — Tue, 21 Feb 2017 17:38:51 +0000

So the title of this post was originally going to be "New Job!", but since I've been in my current post since September I figured that might be a bit misleading, so I added some lovely quotes to make it feel less like a blatant lie.

Since the end of my PhD I've been working in the department of Electronics and Computer Science at the University of Southampton, doing software engineering as part of a project called SMARTmove. The project aims to rehabilitate the upper limbs of stroke patients using a technique known as functional electrical stimulation (FES). By electrically stimulating the arm muscles of stroke patients as they attempt a series of functional tasks it is anticipated that they will recover some control over the arm that was debilitated by the stroke.

The electrical stimulation is provided via an electrode array printed onto a wearable sleeve, and the patient's … Read more

Updates and such

Matt Spraggs — Thu, 15 Dec 2016 10:35:13 +0000

I'm acutely aware I haven't written here for... [looks for last post] nearly six months. This is mainly due to being busy, which in turn has fostered a "sure, I'll write another blog post, when I have time" sort of mentality. I started thinking this in September and, well, here we are.

To force me to get my act together and start writing here again, I offer you this mediocre excuse for a meaningful blog post. This isn't going to be very long but is going to be a bit more wishy-washy, so if you don't care for that sort of thing, feel free to ignore the rest of this and check back here later.

So anyway, what's kept me so busy for the past few months? Well, finishing my PhD by way of writing my thesis was the main thing. The actual writing part filled up my summer entirely … Read more

Brexit

Matt Spraggs — Sat, 25 Jun 2016 12:38:30 +0100

It's been a while since I last posted here. Sorry. I hope you can forgive me in the fullness of time.

So Thursday the UK decided to leave the EU for some bizarre reason that I still don't fully understand. Many of those who voted to remain feel angry and cheated out of what may have been a more prosperous future than they are now faced with. However, I don't want to rant and rave about how we've made a terrible mistake. I've already done that on Facebook.

Sickeningly, there are already stories and rumours of open racism and/or xenophobia between citizens and EU migrants. As a country we cannot let this happen. This is something we have to fight before it becomes a societal norm.

Here's my simple request, regardless of how you voted: next time you see or hear someone dishing out the racial or xenophobic abuse … Read more

Upgrading Mesa on Debian Stable (Jessie)

Matt Spraggs — Wed, 06 Jan 2016 17:45:13 +0000

Hello! Belated merry Christmas and a very happy New Year!

Right, now the social niceties are out the way let's get down to it. I play World of Warcraft (WoW). There, I said it. No/some shame. I also run Linux. LMDE 2 Betsy to be exact. That's Linux Mint but based on the Debian repositories, so I'm not shackled to the whims of Canonical. WoW is targetted at Windows and OSX, but that's okay, as Wine handles WoW fairly well.

LMDE Betsy is currently based on Debian stable (Jessie), which uses Mesa 10.3.2. Let's see how the Battle.net desktop client renders with this setup:

Erm... right... obviously some issues there. Reading around a while back, I learned that this is because I'm running an Intel chipset with an old version of Mesa. To get things looking pretty, I'd need Mesa 10.4 or later. So now … Read more

How to Get Around the Telegraph's Article Limit

Matt Spraggs — Sun, 27 Sep 2015 19:05:45 +0100

If you read The Telegraph online, you might have seen this appear recently:

Today I discovered how easy this is to get around: just delete the cookies The Telegraph deposits on your computer. To do this on Firefox, check out this link, and for Chrome, check this link out. Finally, for Internet Explorer, click here for IE 6 to 9 and here for IE 10 to 11.

Jeremy Corbyn: One Week In

Matt Spraggs — Sat, 19 Sep 2015 15:25:03 +0100

I didn't put Jeremy Corbyn on my ballot for the Labour leadership. He came across as very genuine during the leadership campaign, but I just couldn't get behind his policies. We lost the election because we didn't appeal to enough of the electorate, so running for the leadership with policies that only appeal to one segment of society seemed like pure folly.

So as you might imagine I was pretty disappointed when the election result was announced. Corbyn was of course tipped to win, but winning in the first round of vote counting with a landslide majority certainly demonstrated a strong mandate for his leadership. I wasn't happy, but I couldn't argue with the democratic process.

The next few days were like watching a train crash in agonisingly slow motion. Here's a list of Corbyn-related blunders I can think of off the top of my head right now:

dropping out …

Jurassic World Review

Matt Spraggs — Sun, 14 Jun 2015 11:48:43 +0100

The latest in the franchise doesn't quite capture the charm of the original, but with plenty of nods to the first film, eye-popping visuals and intense action scenes, you'll be thoroughly entertained to the end.

I really liked the first Jurassic Park film, like so many others, and I'm an even bigger fan of the book. So when rumours started circulating a few years ago that another film was in the works, I was pretty excited. Naturally, Spielberg wanted to ensure that the screenplay would be great, no doubt wanting to avoid a repeat of Jurassic Park III, so for many years production of Jurassic World was held up by several rewrites.

The film is set twenty-two years after the incident in the first film. InGen has been bought out by Masrani Global, which has achieved what the former never did: a theme park home to living dinosaurs.

The filmmakers … Read more

LEGO and Arduino: This Is the Droid You're Looking For

Matt Spraggs — Mon, 08 Jun 2015 21:15:29 +0100

Like any self-respecting geek, as soon as I heard about the Arduino, I wanted one. Admittedly I was pretty late to the party, way past what could pass for fashionably late, as I only found out about it a year and a half ago. But anyway, no sooner had I heard about it than I was adding an Arduino Uno to my basket and checking out on Amazon.

I diligently worked my way through the first few projects in the book that came with the Uno, which provides a nice and gentle introduction to electronic circuits. Inevitably I started dreaming up grand designs for what I was going to do with my new toy. I had visions of some artificially intelligent robot that could rove amiably around my flat without smashing into anything, learning the layout as it went, and perhaps letting me know if it's going to rain later … Read more

Southampton Code Dojo - March 2015

Matt Spraggs — Thu, 19 Mar 2015 20:26:53 +0000

I went along to the most recent Southampton Code Dojo last week (12th March). I'd been meaning to go along for a while, and given how much I enjoyed the Game Jam in January (see here), I signed up earlier this month. The Dojo is basically a meet-up in the Southampton area for those interested in programming/coding, taking place on the second Thursday of each month. Unlike the Game Jam, which lasts all weekend, the Dojo takes place in two hours on one evening.

I managed to get off to a good start by showing up a bit late, a result of me being under the strange notion that the event was being held in the Nuffield Theatre. The first twenty minutes were dedicated to mingling, getting to know people and having some free pizza and beer. During this time, we generated a list of potential projects for the … Read more

Global Game Jam 2015 (Part II)

Matt Spraggs — Sat, 07 Feb 2015 23:01:40 +0000

Click here for part I.

Much of Saturday was spent laying down the game code. I worked on some of the game backend, creating an object-orientated interface to the game world and levels. The world would be split into several rooms, and each room would contain a series of blocks, some of which the player could interact with. Inspired by Spelunky, we decided to store our level layouts in ASCII files to simplify level editing.

At 6pm on Saturday a mini-showcase was held. This was supposed to be an intermediate deadline to work towards to try and get something playable that could be worked with over the next 21 hours. By this point we had code that compiled and a character that could be moved around the screen. But the rest of world and all the game physics were missing, so we still had some way to go. In actuality … Read more

Global Game Jam 2015 (Part I)

Matt Spraggs — Sat, 31 Jan 2015 00:27:27 +0000

It's 10pm on Friday night and I'm sat in the computer lab in ECS at the University of Southampton. My mind is racing, full of what needs to be done and what I have to do; it's hard not to feel a little overwhelmed. No, this isn't some desperate slog in the last chance saloon to make a university assignment deadline. Earlier this year I signed up to take part in the Global Game Jam 2015.

I'd never written a computer game before, and the opportunity to get stuck in and work with others to produce something like a game really grabbed me. So, perhaps naively, I signed up. But still, I couldn't help but feel a little apprehensive. I wouldn't describe myself as a hardcore gamer. I play TF2, Minecraft and WoW on occasion, but I've never really got past the casual stage of gaming. Did I have enough … Read more