What's up guys, this is John Hammond looking at PicoCTF 2017. We've started to move into the Binary Exploitation category now that we finished up Cryptography, so let's check out this challenge, 40 points, "bash loop". It says: we found a program that's hiding a flag but requires you to guess the number it's thinking of. Chances are Linux has an easy way to try all the numbers. Go to this location in the file system and try it out. Sweet, so we'll have to connect to this with SSH to the web shell, get to the directory, and then we can do a Google search on bash loops, right? Because we want to do our own research, do our own self-learning. So let's fire up a terminal, get to PicoCTF, connect to our shell. Cool, once we're in we can move to that directory, and we have the files here: bash loop, which is the program, it looks like, and the flag, which we can't just go ahead and read. It has to be determined, read out, by the bash loop program. So, all right, looks like if I run bash loop it says "What number am I thinking of? It's between 0 and 4096." Okay, so I'm assuming we can pass it as an argument, right? Let's try leet just because we're cool. Nope, that's wrong. Okay, so now would come the time for our own self-learning, so we can just Google "bash loops" if we wanted to, and the first result should be cool, should give us what we want. It looks like it will let us loop through numbers in a set that we can just type out if we want, but I don't want to write out 4096 numbers there, that's stupid. And that's like, okay, essentially the syntax or the semantics for actually writing stuff out, having a code block of commands that we want to run, etc. Okay, it looks like we are able to use this notation here with curly braces to count one to a certain number, so we can probably get that variable i and have that be between 0 and 4096 with just that syntax, right?
Looks like it has a start and increment syntax in a later version of bash, cool. So let's try that. This is the syntax for when we're doing it in a script, so let's go ahead and create a script for it. We'll have to put this in the temporary directory in our case, in the shell, but if we don't want to do that... let's do it so I can teach a moment. Let's create a directory for ourselves in the temporary directory. If you haven't seen the temporary directory before, it is your home in Linux when you are doing a CTF game where you actually have access to a shell server, because you can't have any write access in other folders. So you can create a home for yourself in the temporary directory. You won't be able to see anyone else's, but it's a good place for you to create files and work on your own. So I will now want to copy that location, because we want to be able to keep track of that in our command. So that's nano our script, .sh, put our shebang line in here, right, and "for i in" that syntax that we just found, 0 to 4096, cool, and then "do" and "done". Create the code block so we can indent in there, and we can just, let's echo out the value of i, right. So in bash that dollar sign will give us the value of a variable, so we can just see that working through it. Let's chmod +x our script, go ahead and run it, and it just runs through all of the numbers here, perfect. Okay, so let's try and give that to the program, which now we need to specify by including the absolute path here, and then it's called bash loop, right, with an argument of that variable value, so the current count that we're on. Now let's try and run this, our script. It says "whoa, no such file". I think it doesn't have an underscore. Is that right? Yeah, it didn't have an underscore. My bad. All right, cool. So it's giving us output now. It says "Nope. That's wrong."
"Pick a different number." So now we can use our grep skills, which they even kind of hinted at here: you may need to use grep to filter out the responses as well. If you've checked out the man page for grep, you also have an option, -v, to invert the match, so return lines that don't have this specific pattern in them. So if we wanted to find lines that didn't have "Nope" in them, we could just go ahead and change our script: after we run it, we can pipe that to grep -v and ignore anything that has "Nope" in it. So just like that, boom, we have our flag, because only the confirmed success line is printed out. So there's the flag. Let's take note of that. Make a directory... what do we want to do here? We want to just take note of this flag, so that's bash loop complete. And we can write a get-flag script if we want to for this thing, but let's go ahead and submit this for one thing. Up 40 points, heck yeah. Because we are using the shell in this thing, we can determine what that number is that the program is actually looking for by changing our script to echo that out. Let's echo dollar sign i, and let's not include a newline, so that's -n as an argument for echo, and then run that same command here, so actually give it to the program, but echo -n will just display the number that we're looking at. So when we run our script, it should give us... okay, the number was 2454. You can see it just right before they say "yay". So if we wanted to run our shell script with that path, run bash loop with that number, it should connect to the service, cool, and then we can rev that, get the first column, rev it back, so we have just the flag, cool, and that can be our get shell script, or get-flag script, sorry. Include our shebang line, take advantage of the shell script, make sure we have our connection, run that command all at once. And that's all it took to get the flag. Super cool, right?
Because bash loops allow us to brute force, because we're able to use a program, or some computer skills and power and processing, we have automation, so we can just run through a crap ton of numbers and do really cool stuff. So that's awesome for brute forcing. Keep that in mind. Thanks guys, hope you enjoyed this. I want to give a special shout out and some love to people that support me on Patreon. I'm gonna try and run through this list to see if I can do it. I'm gonna butcher everyone's name, I'm sorry. Uh, Spencer Clark, Gal Horowitz, is okay, Attila, I'm sorry, or Colothean, really destroyable, it's Bastion of Terror, Jan Grob, Timothy County, Jake of hr1fl, not rolling on floor laughing but rolling one floor laughing, uh, Thomas Rock, Dacus, JT Ton, Morris Morris, sorry, Con Torowitz, I was worried about the last name, I was stressing myself out, Ben Squeeny, William Wittcomb, Justin Man and Kimbo. You guys are phenomenal. Thank you so much for your help and support and donations. $1 on Patreon gives you an extra shout out just like this at the end of every video. Um, $5 a month on Patreon will give you early access to everything I create and put on YouTube, and, uh, that's it. I don't have any other cool incentives until you give me ideas. So, uh, I will make something cool eventually, I promise. I hope I'm a sellout. If you do like this video, please do like the video, maybe leave me a comment, maybe subscribe, and if you're willing, check me out on Patreon and my new website www.johnhammon.org. See you soon.
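As an added example, not the script from the video: a bash reconstruction of the loop-plus-grep approach described above, combined with the get-flag step. The challenge binary is not reproduced here, so fake_bashloop is a constructed stand-in that answers like the program described (it accepts the number 2454 from the video and returns a placeholder flag); every path, name and the flag value are assumptions.

```bash
#!/bin/bash
# Constructed stand-in for the challenge program (not the real binary):
# says "Nope" for every guess except the secret, then prints a placeholder flag.
FAKE_SECRET=2454
FAKE_FLAG="picoCTF{PLACEHOLDER_FLAG}"   # constructed placeholder, not the real flag

fake_bashloop() {
  if [ "$1" = "$FAKE_SECRET" ]; then
    echo "Yay! You guessed it: $FAKE_FLAG"
  else
    echo "Nope. That's wrong. Pick a different number."
  fi
}

# find_number CMD...: try every guess 0..4096 against CMD and print the first
# guess whose output does not contain "Nope" (the grep -v idea from the video,
# done per guess so the loop can stop early). Returns 1 if nothing succeeds.
find_number() {
  local i out
  for i in {0..4096}; do            # brace expansion: the range from the video
    out=$("$@" "$i" 2>&1 || true)   # keep going under set -e if the program errors
    if ! printf '%s\n' "$out" | grep -q 'Nope'; then
      printf '%s\n' "$i"
      return 0
    fi
  done
  return 1
}

# get_flag CMD...: the get-flag script step: rerun with the known number and
# keep only the last whitespace-separated field (rev | cut first column | rev).
get_flag() {
  local n
  n=$(find_number "$@") || return 1
  "$@" "$n" | rev | cut -d' ' -f1 | rev
}

# Against the real challenge you would pass the binary's path instead of the
# stand-in, e.g. get_flag /path/to/bashloop (placeholder path).
get_flag fake_bashloop
```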