Added more documentation, will finish second exploit and rest tomorrow :D

Author: Robert Quander

documentation/001register.png

@@ -3,6 +3,7 @@ Facepalm Documentation
 
 ## Table of Contents
 
+ [Facepalm Documentation](#facepalm-documentation)
 - [Facepalm Documentation](#facepalm-documentation)
   - [Table of Contents](#table-of-contents)
   - [1. Introduction](#1-introduction)
@@ -11,6 +12,15 @@ Facepalm Documentation
     - [3.1 Clone the Repository](#31-clone-the-repository)
     - [3.2 Running the Service](#32-running-the-service)
     - [3.3 Running the Checker](#33-running-the-checker)
+  - [4. Usage](#4-usage)
+    - [Registering](#registering)
+    - [Posting](#posting)
+    - [Uploading profile pic and bio](#uploading-profile-pic-and-bio)
+    - [Creating, viewing and joining Events](#creating-viewing-and-joining-events)
+  - [5. The Exploits and their fixes](#5-the-exploits-and-their-fixes)
+    - [5.1 Insecure UUID Generation](#51-insecure-uuid-generation)
+      - [Exploit](#exploit)
+      - [The Fix](#the-fix)
 
 
 ## 1. Introduction
@@ -62,7 +72,12 @@ cd service
 docker compose up --build -d
 ```
 
-*Note: It could take some time for compilation, Swift build times are a little much sometimes*
+*Note: It could take some time for compilation, Swift build times are a little much sometimes (5th gen mobile ryzen 5 ~200s)*
+
+Taking a look at the running containers, either in the Docker UI or using `docker ps`, three containers can be seen running associated with facepalm:
+1. The service itself
+2. The DB to store the user data
+3. A cleanup container that keeps the DB footprint small
 
 ### 3.3 Running the Checker
 
@@ -72,4 +87,74 @@ In the same fashion as the service has been started, the checker can be deployed
 cd checker
 docker compose up --build -d
 ```
+Taking a look inside the running containers, we can now observe 2: the checker itself, and a Mongo DB it needs for its data.
+
+## 4. Usage
+
+Once Facepalm has finished building, you can access the web interface with any browser. The service can be found on port `4269` (i.e. `localhost:4269`).
+
+While using, special attention is required at the top bar - the buttons move around, just to keep the users on their toes.
+
+### Registering
+
+Registering must be done with a unique user name
+
+![registration](001register.png)
+
+### Posting
+
+Posts can be made either privately or publically, by unchecking the private checkmark.
+
+![creating post](002posting.png)
+![Successfully posted](003posting.png)
+
+### Uploading profile pic and bio
+
+The profile picture and bio can both always be seen publically on the home-of address
+
+![Settings Profile pic and bio](image.png)
+![Profile pic and bio set](image-1.png)
+
+### Creating, viewing and joining Events
+
+When creating an event, the date can be set freely, since it's stored as a string. Private fields are noted as such. The only important field to set is the title, the rest is optional
+
+![Create Event](image-2.png)
+
+After all data for the event has been entered, a key is shown for one time (similarly to a token on GitLab) and can be forwarded to anyone who wants help organize the event. However, an event can also be joined by sending a request to the given event and then being accepted by an event invitee. This can be accomplished on the event info page.
+![Key shown](image-3.png)
+![Finished event](image-4.png)
+
+Then all events can be viewed, and, if not already in it, access can be requested, and granted (here, another user logged in to view the event, who is not invited:).
+
+![All events](image-5.png)
+![hidden event details](image-6.png)
+
+## 5. The Exploits and their fixes
+
+### 5.1 Insecure UUID Generation
+
+The User IDs and the Post IDs are both derived deterministically (in the classes `IdentifierGenerator.swift` and `PostIDGenerator.swift`, respectively).
+
+The User ID is directly derived from a (padded or cut) username, while the PostID is derived from the User ID, a counter (initialized to 0) and a timestamp (with `minute` precision). These values are `XOR`ed together, and then form the (derivable) PostID.
+
+#### Exploit
+
+`Flag hint: username`
+The 'fun' in this exploit is the difference between python and Swift handling uppercase vs. lowercase (hex) strings, and the different ways they `XOR` things.
+
+The easy mode of the exploit might be just copying the given swift files, and then writing a little python script that calls it with the given time stamp of the current system time, and username, and then passing the result forward. However, if the exploit is to be written in python, specific libraries have to be used to achieve the same result. This even baffles most (current) AI systems that have been tested, and solving  it using LLMs results in quite long troubleshooting steps, since it should work, but somehow just does not.
+
+A working and annotated example of a python implementation for the exploit can be seen in `checker/src/FinalFinalTry.py`.
+
+#### The Fix
+
+Fixing the exploit is as simple as replaxing the entire class contained in `service/Sources/App/Models/IdentifierGenerator.swift` with
+
+```Swift
+return uuid()
+```
+
+This returns a secure uuid, from which the postID is then derived. For additional security, this could also be replaced by the same logic. 
 
+Alternatively, only the PostID generation could be made secure. In the current state of development for facepalm, the deterministic User ID does not have implications (that have been found).