Hey, YouTube! My name is John Hammond. More picoCTF 2018 video write-ups for your faces. Here we go.

So this challenge is called Hex Editor. The challenge prompt is, "This cat has a secret to teach you. You can also find the file at this location on the shell server." We're given a download, so if you wanted to, you can copy the link address, wget it, etc. I've already got it downloaded here. HexEditor.jpg. Let's check out what this file is. It's a picture of a cat. It says, "I helped you edit your hex." It's... I think this cat is hysterical. I love it.

Alright, so the purpose of this challenge, right, is to look at this file within a hex editor. So you can look at this in hexedit, if you want, the command line version that I like to use. You can look at it in GHex. You can look at it in Bless, or whatever you... whatever you like as your hex editor. If you haven't seen a hex editor before, let's go with hexedit, because that's what I like to use. So I'm going to run hexedit on the file, and on the... in the middle column, the stuff right here, you can see the hexadecimal stuff for it. On the right-hand side, you can see the ASCII representation of some of the stuff. And you can see, okay, it's a JPEG. We got a JPEG header. You can hit Page Up, Page Down. You can move around with the arrow keys. Hit Tab to switch between the hex side and the ASCII side. And you could go all the way to the very, very end of this file, if you wanted to. And you'll find at the very, very end, in the ASCII, it says, "Your flag is picoCTF." And that's how you hex... How do you... That's how you edit HexKittos. And it's silly. That's it. That's that.

If you want to do it in a simple way, you could do xxd, HexEdit. And that way, you don't need to see the entire thing in its own buffer thing. You could use -p to just print it all on one line. And if you wanted to, you could use tack... What is it? Maybe that'll just display it in hex, whatever.
What we could do, otherwise, is display the plain text that we're seeing out of it with strings. Which, literally, you could get the flag just like that with strings. Get the very, very last line, cut it up with the double quote as the delimiter here. And that's that. That's how you could literally just get the flag with the strings command. So, pretty handy, right? Let's make a get flag script for that. Super simple. And then we can run it, redirect it to a static file to keep track of it. Let's xclip it so it's in our clipboard, and we can go ahead and submit it. So, that's simple. Nice.

Next challenge is SSH Keys. It says, "As nice as it is to use our web shell, sometimes it's helpful to connect directly to our machine. To do so, please add your own public key to SSH authorized keys using the web shell. Flag is in the SSH banner, which will be displayed when you log in remotely with SSH to your username." So, we've done this before in picoCTF 2017, right? It's not too hard. It's not too difficult. But an interesting thing happened where if we were to just use this domain, 2018shell, maybe not 2, depending on your account or whatever, or just 2, whatever, you can just simply SSH to it if you wanted to. Let me mark Hex Editor as complete and I'll show you. Or if you wanted to just run SSH to this thing, you could get there. And if I were to just say my username account, right? John Hamm in YouTube at that host. Sure, I'll accept this key and it just gives me the flag right away. I don't need to do any SSH private key setup that it's kind of suggesting within the challenge prompt. So, that I thought was odd and maybe it's intentional, maybe it's not intentional. I don't know, maybe it's going to be patched or fixed later, but that's just what I saw. So, let's jot that down in the SSH Keys challenge here. Save the flag for ourselves. A new line in there, so I want to copy it one more time. We can paste it in and just like that, simple stuff.
So, we didn't have to go through that whole process, although there is a lot of good documentation and stuff on how to do it. I have a video from the 2017 SSH keys challenge and again, Mr. Martin Carlisle has a good video on it too. You can check out some of his stuff. Cool guy, awesome guy.

Irish Name Repo is the next challenge. It's a web exploitation category challenge. It says, "There's a website running at this address" with the given link. Whoa, sorry, I didn't mean to just kind of jump the gun on that. "Do you think you can log in?" Try and see if you can log in, whatever. Let's open that in a new tab. A list of the Irish. That girl is a girl that is Alice in Duty. Nice. Alright, there are pictures here of Irish people and it's funny, there are more pages except they're not. I was really sad when this was happening because I just want to look at more pictures of, preferably, people that look like that girl. So, there's a menu. There's a little hamburger button over on the top left that you can check out and there's an admin login page. So, you can go to login.html and you can try and log in with some username here. Let's just try default credentials, admin and password. Login failed. So, you try whatever you wanted to, but that's just not going to work here.

So, the hint in this is it says, "There doesn't seem to be any way to interact with this. I wonder if the users are kept in a database." So, that's your clue as to what kind of attack this is. It's SQL injection. SQL injection being SQL, right? So, Structured Query Language, how you're interacting with the database or like structure queries stuff. SQL injection will kind of just allow you to inject specific database code or SQL into maybe how the server will interpret it. And you'll trick the backend server to thinking that what it would have expected as data, just what you are supplying, except it's really code. So, we can even use some of those easy kind of low hanging fruit.
Simple ones with an OR 1=1 or a condition that always returns true. See if we could log in. So, I'm going to try that just here. You can comment out the very end of it. And I've covered this in a lot of other videos before. You can see it in plenty of picoCTF 2017 videos. It logs us in with the password. Awesome. It says your flag is Pico CTF coin really is an Irish. Nice. That's funny. If you wanted to get ready to get flag script for that, I'm not going to for this one. Irish Name Repo complete. I think that was the name of the challenge. Place the flag in there and we'll get back to scoring points on the scoreboard. I love it.

All right. Hey, I want to give a shout out to the people that support me on Patreon. You guys are phenomenal. I love it. I love you. It overwhelms me. My cup overflows. $1 a month on Patreon will give you a special shout out just like this at the end of every video. $5 or more on Patreon will give you early access to everything that is released on YouTube before it goes live. Because I like to try and record videos in bulk and let YouTube gradually release them over time. So, if you'd like content right when it's ready, right when it's hot, that's the way to do it. And I'm super grateful for anything you're willing to give. Thank you.

Hey, if you like this video, please do like, comment, and subscribe. Join our Discord server. Link in the description. It is an awesome community full of CTF players, programmers, and hackers. We're going to be tackling capture the flag competitions just like this all the time. picoCTF 2018 is going to stay online. So, it's going to be an awesome war game. It's going to be an incredible place to test your skills. And if you just need to jam out with some other people, talk about stuff, ask questions. It's a cool community and that's where you can do it. So, all right. Thanks guys. Hope to see you in the next video. Hope to see you on Patreon later.