Hey internet, welcome back to another PicoCTF 2017 video. This is for level 2 in the binary exploitation category. The last challenge here is called VR Gear Console, for 95 points: a virtual reality gear console. "So here's the VR gear admin console, see if you can figure out a way to get in or log in." The problem is found here, and it gives us a file system path. So it gives us a lot of hints that seem to be pointing towards kind of a buffer overflow like attack, or bug exploit vulnerability stuff: "So what happens if you read in more characters than the length of the username buffer?" I guess we'll find the context of that very soon. "Look at an ASCII table to see what characters you need to choose. Numbers are shown in little-endian, lowest byte of numbers first," and then we can keep open the pipe for commands. So I'm assuming we're gonna end up getting some kind of shell, whatever.

Let's go ahead and connect to the actual shell server that they're running this on, so we can get to that location. So I'm just going to change directory into that problem location, and we have, as you can see, the permissions here for flag.txt. We won't be able to read it because we are not in the VR gear console one group, so we just have to use the binary and then take advantage of it, exploit it, to go ahead and read that flag.

I'm gonna go ahead and cat the source code, because they are nice enough to give it to us. It's just the VR gear console .c file, and what I'm gonna do is actually just copy and paste this and put it in Sublime Text, so we can get a little bit of syntax highlighting and just make it a little bit easier to read. So I'll paste all the stuff in, and let's go through this code here.

Just includes some regular C libraries. This function called login sets up some variables to begin with: access level, username, password. Looks like these are buffers that we'll be able to read into. printf "username, max 15 characters", and then it reads in our input with the gets function. So this is an immediate red flag. Looks
like it'll compare if the username is admin and the password is "I'll create long password". Huh, okay. Whatever that testing may be doing to change the access level, it doesn't seem to really particularly be using, like, real passwords in here. We could try to change this, we could try to test if we can log in with these characters, this list, this information of these credentials, and see if it will change the access level. Because "artists in my password is secret" will give us 0x80, and it'll return the access level. That's what this login function will eventually give us: it'll give the access level as the return variable.

Looks like it just displays kind of a banner, tries to have us log in with that login function, tests for the access number, and it will tell us what the access level is, okay, in hex here. Good. And then it determines if we have access greater than or equal to, by default, the two hex characters, 0xff, or less than or equal to zero, so root and "create long password" will be unsuccessful. But if access is greater or less than, less than 0x30, so I guess we want admin, then we can try and log in with admin and that will give us a shell. But otherwise we will "login successful without permission to access the resource." So, interesting.

Let's try and see if we can run it with admin and the string "create long password", but I am doubtful, right? I'm admittedly just leading us down this rabbit hole to see if we will be able to run it simply as that. admin, create long password: access level is 0xff, and eventually "login is unsuccessful". So that didn't work. Maybe that is supposed to be something and it's not; perhaps that is not actually in the binary. Oh, maybe these are passwords that we could use, I don't know. Maybe these are long passwords according to each user. Try some of them.
No, looks like it still does not change the access level. Okay, so that's enough of kind of just beating around the bush. The vulnerability that we can take advantage of is that gets function. So as you saw in the source code here, gets is a C function, and if we just check out the man page with man gets: gets will get a string from standard input. However, it is deprecated, because the description here tells us to never ever use this function; it can essentially lead to a buffer overflow or break computer security. The bugs section here says never use gets, because it's impossible to tell, without knowing the data in advance, how many characters gets will return or read in. gets will continue to store characters past the end of the buffer, or past the null byte that you would have expected. Like, our username was declared with 16 bytes for the buffer, but we can read in more than that, despite it just trying to give us a little disclaimer, "maximum 15 bytes". It's extremely dangerous to use, it's been used to break computer security, use fgets instead.

So since the program is running with this gets function, we can essentially overwrite other information. Since we're running gets with our username, and we'll break past this buffer, we'll go essentially upwards on the stack into the other variables and stuff that are declared, so we can overwrite this access level by simply entering too much into the username.

So I'll show you how to do this. Let's try and use Python, python -c, and there's a string we give it as a command to run. We'll just print 'A' times 15, and now we have A fifteen times, and we can just pipe that into our VR gear console. It says login unsuccessful, and you can see our access level right over here is 0000 ff, so it hasn't changed from the default. But if I give it 16 characters and we just breach the end of the buffer, now that null byte is going to be pushed over; it's going to start to overflow onto the access level.
So let's try that. Let's try 16 characters, and notice, just as I said, it's two zeros at the very end: the null byte has been pushed over, so we can overwrite this with whatever we wanted to. If we wanted to move it to 20, you can see our access level is 41414141; it's been completely overwritten with A's.

Now let's try and determine how we can get into that login, or how we can get that shell. It's testing if our access is less than 0x30. So, hex 30: well, in Python we can just determine hex bytes with that backslash-x kind of syntax and formula here, right? So if I were to use \x30 times 20... well, we have to be less than 30, so it can't be 30 30 30. Let's bring that back to 16, get our null byte; 17 is where we're gonna have to find that sweet spot of actually overloading here. Now see, it says login successful, but we don't have permission to access the resource, because I gave it exactly 30 and it wants less than 30. So let's change that to 29, and it says admin access granted, the flag is in flag.txt. However, the program just immediately closes and we don't stay inside of our shell, so we've got to keep in mind it's opening the stream and immediately closing it, because there's nothing else for it to read.

So what we can do is kind of bundle our payload with some parentheses here with the cat command, so that way we keep standard input open and we can continue to read and write to the shell. We're gonna use a semicolon after our payload and then just cat, so it'll hold the shell, it'll keep it open.
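To make the mechanism above concrete, here is an added C example (not the challenge's own source) that models the layout the video observes: a 16-byte username buffer followed directly by a 4-byte little-endian access level defaulting to 0xff, with the access check as the transcript paraphrases it. It puts an unbounded gets-style copy, which lets byte 16 onward land in the access level, beside the bounded fgets replacement the man page recommends; the frame layout, the 0xff default and the check thresholds are assumptions taken from the transcript, not read from the binary.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Assumed layout (the real binary's is compiler-chosen): a 16-byte username
 * buffer followed directly by a 4-byte little-endian access level, default 0xff. */
#define NAME_SZ 16
#define FRAME_SZ (NAME_SZ + 4)

enum verdict { UNSUCCESSFUL, ADMIN, NO_PERMISSION };
/* The access check as the transcript paraphrases it. */
enum verdict classify(int32_t access)
{
    if (access >= 0xff || access <= 0) return UNSUCCESSFUL;
    if (access < 0x30) return ADMIN;
    return NO_PERMISSION;
}

/* Reassemble the access level from its bytes, independent of host endianness. */
static int32_t read_access(const unsigned char *f)
{
    const unsigned char *a = f + NAME_SZ;
    return (int32_t)((uint32_t)a[0] | (uint32_t)a[1] << 8 |
                     (uint32_t)a[2] << 16 | (uint32_t)a[3] << 24);
}

/* Vulnerable pattern: like gets(), store the whole line plus its NUL with no
 * bound, so byte 16 onward lands in the access level (byte array keeps it well-defined). */
int32_t access_after_gets(const char *line)
{
    unsigned char f[FRAME_SZ] = {0};
    size_t n = strlen(line) + 1;     /* +1: gets() stores the NUL too */
    f[NAME_SZ] = 0xff;               /* default access, bytes ff 00 00 00 */
    memcpy(f, line, n > FRAME_SZ ? FRAME_SZ : n);
    return read_access(f);
}

/* Hardened pattern: fgets() bounded by the buffer size stores at most 15
 * characters plus a NUL, so the access level cannot be touched. */
int32_t access_after_fgets(const char *line)
{
    unsigned char f[FRAME_SZ] = {0};
    FILE *in = tmpfile();            /* stand-in for stdin */
    f[NAME_SZ] = 0xff;
    if (in == NULL) return -1;
    fputs(line, in); rewind(in);
    if (fgets((char *)f, NAME_SZ, in) == NULL) f[0] = '\0';
    fclose(in);
    return read_access(f);
}
```

Feeding 16 bytes zeroes the low byte (login unsuccessful), 20 gives 0x41414141, and a 17th byte of 0x29 lands below the 0x30 threshold, while the fgets version leaves 0xff for any input length.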
It'll keep running that system /bin/bash or /bin/sh. Let's run this, and it looks like it's trying to prompt for this stuff, but we have to be keeping in mind that it may actually be after I hit enter for the password, because it's going to want to hear what the password may be as well. I didn't actually include a newline and include whatever password information, so I just hit enter, and now I can start to enter some commands in here. It gives us "the flag is in flag.txt", and I can run commands like ls or whoami, etc. Let's check out flag.txt, and we've got the flag, just like that. Was that one of the strings that we saw in the binary? I feel like it is. What the heck? Yeah, I see it right in there. That's peculiar, huh? Wonder if that's intended or not, whatever. Well, we still got the flag. Let's still kind of take note of this, go ahead and submit it: 95 points, and moving up on the scoreboard, just about done with level two.

And that's that, that's that challenge. That's kind of the buffer overflow: not so much trying to jump or control EIP, the instruction pointer, to go to a new function, but just at least overflow into a variable and change the value of it. Interesting stuff.

Quick shout out to the people that support me on Patreon. Thank you guys so much, I cannot say it enough. One dollar a month on Patreon will give you a special shout out just like this at the end of every video. Five dollars or more on Patreon will give you early access to everything that I release on YouTube before it goes live, because I like to record in bulk, or try and get a lot of videos done all at once, and then let YouTube gradually upload them with kind of like scheduled releases, like maybe every couple hours or daily, just so there's not a flood of notifications for people that are subscribed. "But hey, 20 new videos from John Hammond," whatever.
Hopefully it'll be a little slower. But five dollars a month if you want stuff right away, and it just really, really helps me. I would appreciate that as someone trying to sustain my life, food on the table and stuff. Thank you. Just a stupid kid on the internet. So hey, if you like this video, please do like, comment and subscribe. If you're willing to join our Discord server, link in the description. It is a cool community full of CTF players, programmers and hackers. You want to hang out with me or other cool people? We're gonna be playing PicoCTF 2018, which opens this weekend. We're playing other CTFs as they come along and just building out a community and a following. So please do come hang out. Thanks. Hope to see you guys on Patreon. Hope to see you in the next video. Love you. Bye.