 Folks, I'm DuPay here, and today we're going to be looking at the Poneable.kr level ND5 calculator. This is a 200-point challenge, and this is a live hack through, so I haven't seen this before. So let's dig right in. So it says, we made a simple ND5 calculator in network service. Find a bug and exploit it to get a shell, download from Poneable.kr, so I did that. Interesting. Hit the service, shares the same machine with the Poneable.kr web service. Interesting. So there may be something interesting there, and it's running at that location. So I have it here. This has a file on it. So it tells us it's an L32 bit executable, dynamically linked. It didn't give us libc, so that's interesting. But OK, so we're running strings on it. Joy. So we can see, so these BIO curl right push, these are, I believe, OpenSSL function calls. It's been a long time since I've done OpenSSL programming, but they all start with this BIO, binary IO maybe. But do that. Anyways, ceiling, exit, SRAN puts time, and then it looks like we come now to the actual less than or equal to u, percent zero 2x. This looks like part of a format string. md5 data, percent x, welcome to free md5 factoring service. Are you a human? You put a captcha, create a wrong captcha, welcome your authenticated. Encode your data with base64, then paste me. Thank you for using our service, echo date, along. So this, so I think then this is anything interesting off there. So let's just run it locally to make sure we can run it. Are you a human? Input captcha, if I say hello, it's wrong captcha. Okay, I think it means we should copy and paste this and welcome your authenticated. So it wants base64 data, so let's echo hello world. So if you don't know base64 coding, you should look at it. If you've done a lot of md5 of your data is this. Thank you for using our service. All right, that much stuff. So when we think about what are possible ways, and actually I guess the other thing we should do is check and do this net hat here to make sure we can actually get the same thing here. Are you a human? Input captcha, base64, so there's like two parts where we can actually give data to this program, the captcha and the base64 encoded version of our data. So whatever exploit it is or the way that we can exploit this means that we have to do that using our input there. So, okay, nice, our data is the same, that's good. So then let's look at our binary. So, are you know what, let's do a redial, we'll run a check stack on it, a partially root, so it's using a canary and NX, but it's not a positioned independent executable as long as we have a fixed memory location, that's good. Okay, so non-executable canary means an overwrite on the stack is probably less likely interesting in here. Really a bunch of 30 different sections, headers, stack. So these are all of the library functions. So the global offset table is fairly large. So we can see that this md5 and dit, these are all in the open SSL library functions. So there's gonna be multiple libraries that's gonna call it open. So who knows, maybe that'll become handy for us. The dynamic symbol table and it does have symbols, so that's nice. So we'll get some, that'll at least be easier when we're reversing this binary. All right, there we go. All right, so start at main and it's got a nice main function, so that's easy. All right, let's use this decompiled version. So again, our handy-dandy set debuffs as we talked about before, it's calling puts, welcome to the free md5 calculating service, seeds. Okay, so this was my suspicion that using this, so it's seeding SRAM with the output of time. So maybe because we know that it's executing on a certain server, that we need to use the time of that server to try to do some guessing. That's just my initial thoughts on this. Okay, bar four equals my hash, are you human input capture percent d bar four? So this is that capture that we looked at, then do a scanf, and you can see that it's using this memory location, we couldn't notice that memory location is, yeah, so it's so small that it hasn't got that as a string yet. So we do that as percent d, then we go back, see that it does that, so it does percent d. So read an integer, which is gonna be the thing that this input into bar four is not equal to bar eight. Oh, it's an integer effect, so yeah, that's fine. Okay, that seems very, and we may have to think of this my hash function, see what's going on there. That seems straightforward, no overflows there. And then welcome, you're authenticated, put it out of this, it's for the case we need, process hash, inputs, system and go, facts, take, date, it's a log, interesting, we need this log, I guess I must have restricted this log file. So let's first look at this myHash function, this mode, right now I'm just trying to get a general feel of what's going on, I don't think. I don't think there's any way we can modify or mess with this value, so I'm not certain that we even know the indebtors are not here. The log stack canary, setting up the stack canary, we know it's calling brand, seven times, stuff with brand, it's generating that brand number, based on the time. So if we needed to, we can, that number is 100% different, so let's run this hash program with that upgrade to see what's going on. So yeah, we can see it first called time, so we saw that call the time, then it's calling srand with the result of that time, then it's calling brand, let's say seven, seven times, sort of one, two, three, four, five, six, seven, scan it, put it in, get care of your data, yes. And then we get, okay, I read that in, it calls mm open, it calls vf64, gio-new, vpush, step-like, three, three, all, close malloc, 53, and then update, that's for your dev to process hash function. And so as far as the easy to start, you're at 14, that's where we are, stack. So, while get charactered, not even when you're clearly missing apps on it, you can figure out what's going on. x, move, variable 20c, gio-to-x, load that, address here, it's in vcx, it's in c1, it's in v5, it's in c1, it's in c5, so it's like, oh, this is what I'm saying, so it's probably gonna be a really complicated instruction, you don't see it, it's gonna work properly. vcx recognition, sort of context, vcx repetition, so for the number of repetitions, vcx in this case is store the contents of vax into a vpi.2 incrementing, or decrementing, ei, that makes sense, oh, it's basically big M-sentence setting, the characters, this part, what it's seen, so basically an M-sent for the character, what it's seen, it's done with that, really calling get character, this loop is just looping over gets into their form. So, f gets, okay, so calling f gets into their x, so what does, so get s, reason at most, one last in the side of the character, so it's gonna read in 3nmx and then put in the last zero, so it can't use any tricks or whatever. So, it's gonna call that, and then it's going to load effectively the rest of the block into vax into the vx, vx, vpi, and then it's going to, so it's gonna set the number, so, just saying I want to have, ask in local block, it's ready to, so then this result, it's basically, I guess the question now is what happened to my foot again, so it looked like it did, so arc zero, so we're argument one, okay, so what I think I should probably do to get a better handle on what's going on and what this data is, is sort of debugging this, it's sort of going through hash, and then we can get a process hash, it's because I know what's happening, and this is essentially calling memset, and it could be that memset, oh yeah, so that's single step, it's called get character. Oh, so this is cleaning up all of the, so I can put the data scan app to read in the character, so I put in the character, then I put it in line, so it's just being simple, right, now we're searing out the dig buffer, so now we've moved everything on the stack, and we look the stack pointer is sort of variables, the call into f gets is this buffer, which is 0804p0p0, so that's gonna be, okay, perfect, so I just actually picked up this trick from an article I just read, doing info symbol on the address, tells you that this is gbump, so we know that that's gbump there, and then, so then we go to f gets the character bumper into the string, okay, so that's gonna read up to 400x characters, I'll just step over that, now it's waiting for 400x characters for me, so what happens if I print through x, so now, if I check that out, now I can see bunches of a's, right, and then I know less than 400, so 400x is what people want, so a good amount of gbups, right, so I just read in all of that, where am I, so now I am in just all that gets, now I'm going to, apparently the code reads and clean my buffer again, I have to call base64d code so the stack has this 0804p0p0 and then this fmfmcfpc, so this is the stack variable that we're passing in the base64d code, so at this point I kind of want to treat base64d code as purely a black box just to see what happens, I may need to dig in here to figure out exactly what's going on, but what I want to know is when I give this 400x in something that's not base64d coded, how does that actually output into my buffer, so of course I didn't sort of move up, so this is the nice thing, you can use the BT or the backtrace to show you the backtrace on the stack so you can move up the stack and then go next instruction from there, so that would, so now that just got called to now the question is I want to look at my stack and figure out what happened and what changed, so if I tried to make, let's say I tried to basically work decode my data, take out the canary, so I definitely overrode it, it broke significantly open, so yeah you can see that my backtrace is completely messed up, okay, so this is good, so I've not only overrode the canary plus, so yeah, I'm just stepping through, so now it's going to take, so what's dax, here dax is two FF, so this is the size, put it in size and then it moves to the stack, takes the edX onto the stack, load effective address, eB minus 20C, okay, so it's going to calculate the NB5 of all those characters, tell us, it's going to calculate NB5, it's going to get the result back, five is probably something we can't, that's when it's going to change because the NB5, looks like the size being passed to it looks like it's calculated correctly, basically for the X2FF, there should be the size of the buffer, so I was wondering what the size of the buffer is, it's fine, okay, so 2MC, so I gave in, 767, okay, so I did try to A64 decode the whole of my A's, so I can give it, I guess I can give it whatever value I want, I guess the question is what's the A64 decode, I can only give 400X, 1024 characters basically for coding, so I can, pretty much control and basically decode the string to inject what I want into the code, the question is, what am I doing with that, so because we have this lovely area, so I should get this action failed, it's clearly this section should fail because I put the free on the free, that string that we just allocated, to EDP minus zero XC into EAX, because the section failed into their second one again, so I actually can calculate the distance between X2 and Y3, 12, the white space is not significant, the work size would be, obviously, the A64 decode, I'm not good to be sure, so what I'm testing here is, again, I control what that's going to be, so 92, okay, so 692 characters we're doing, it's going to be my basic support output, and that'll be decoded into 512 plus four, so that will let me go right there, okay, so I think I'm seeing a path forward, but I want to just look at this, just to make sure my input is correct, but right now, if we look at minus 12, so we can see the canary is 0, 0, 6, E9, 0, 9, 0, 6, and the buffer should, okay, our buffer, we have all of our 61, so we're overriding all of the input, all of the 616161616 and all that kind of stuff, so, okay, so now that we have this problem where we'll keep hitting the stack, right, so now, if I continue, I'll eventually get stack-smatching-detected-action-determinated, and this should be the same case, but I'm not sure that I'll get the standard error, so this is why we have to be careful when we're testing it locally versus not trying to go here, and say, I don't even know what you're up, it doesn't show us, okay, so it says stack-smatching-detected, so I, oh, that'd be 5.0 or 5.0 terminated, okay, so what, so I think I see the way forward now, I believe what we're gonna have to do is, so we have the Canary on the stack, so basically there's, so this Canary is randomly generated when the process starts up, and so the idea is we need to, in order to successfully create a raw payload and be able to control this process, we need to deal with and defeat the Canary, and so there's two main ways to do that, one way is if you, so a process gets a Canary value only when it starts up, and then it gets a random Canary value, so if you have a server that allows you a lot of different requests, and even if it forks your request, the Canary will still be the same in the child port, so there's a really cool, it's called a BROC, or blind BROC, there's actually a way to figure out if you can brute force the Canary bit byte by byte to figure out what the Canary is, unfortunately we don't have that gear because we don't have that continual trying capabilities, so the other way that I'm thinking is, thinking about this whole program and what is the other thing that it does, well clearly this input capture is something that is incredibly dumb in terms of an actual capture, this is not gonna stop a human from detecting this, so what, because obviously it's not gonna stop a program from attempting this because they just copied this in case of the name, but we know that the SRAN function is seeded with time and then the my hash calls ran a certain number of times, so is it, I'm wondering if it's possible to essentially try to determine what's the Canary based on what the hash value is, so if we could maybe, yeah, try to reverse engineer and go backwards, but I'm not sure, so I'm gonna pause it here and do a little research to figure out the different types of ways of working Canaries. End of back, so I did some research, I looked at how Canaries are generated on Linux systems and essentially they're read from dev, you random, so I don't feel like that's the approach to take, and so basically the Canary is randomly generated every time we, it should be randomly generated every time we talk to the process. Going back, let's see, to the service there, shared the same machine with our web service, and why that's input, it's running there, okay, so digging around, I kind of found this calculate decoded length, which is supposed to calculate what the length of the decoded string is going to be, the base 64 string, so that they can, and this is used with base 64 decoding, is the first calculate that, the length of that string to save it as decoded length, which is then returned from the function. This is used in process hash because we're calling this, then we're storing this in the decoded size, then we're passing this decoded size in the count can be five. So I did some experiments and I saw that when we passed in garbage, base 64 values like this, so I believe when I checked this, when we put in garbage base 64, it doesn't actually copy the contents, but what I just had a thought about is what if, so if we can control this value that's base 64 decoded, we can then control this mv5, so we can basically be able to mv5 more stuff on the stack than the actual copy thing. So essentially I'm wondering if this is kind of a hail-nary, if we can essentially leak maybe the canary byte by byte using this mv5 calculation and then calculate it from there, but that would actually require the canary to be constant, but I think this is interesting. Interesting approach, I have no idea if this is gonna leak anywhere. I also look through this stack check fail function to see if there's some way we could maybe corrupt that, and I'm not 100% sure that they're gonna leak it. So it goes. So let's see, I've been thinking about if this decode gets us into this buffer, this buff on the stack, questions I don't really think that anything, anything we want to, I'm not sure we don't believe we don't use anything that goes above that buffer, so we don't, so you can see here that our write is going up, it's the only thing we're gonna over close in an area, we don't over-flow any of the other variables, so. So anyways, let's just see if we can get in some bad values in here, so I was looking up essentially how this decode like is a pretty dense function, so I'm just gonna assume it's similar to this code that I found here, in fact I'm playing times three by like four, so essentially what I want, let's see, I want to give it some invalid input that's not basically four proper coding, I'm gonna see what the input's gonna give this value as a company of six percent, it's a character that has 10 characters, I'm gonna do five data of eight characters on the stack at that location, I remember those have been zeroed out, so this makes sense, so I want this value to be what I want, in a process hash, I want to do five, 12 plus four, basically I want that length to be five, 13, six, 84, so let's see what happens if I do 16, I have six, 84, carbon values, two, two, one, so five, 13, okay great, so this NB five should be NB five with a whole block or everything that's on the stack, plus, and actually I'm just looking at this, so we are basically working, so I wanna look, examine, EVP, so everything is all zeroed out, as you can see, so I should be doing, so EVP, so this address, basically plus five, 13, that's going to include, so the five, 13th byte is, I think it should be the zero byte of, so that's that 80, 204, that should be the same value, it should be beginning, so now if I do a, right before counting NB five, you can see there's gonna be five value of this, 201 character, so value here, step over that, it's gonna return, so that's the string, so I believe this is the same string that I had, and now if I do this, you can get the same value, because I'm essentially reading some value on the stack, so if I do, I can examine the same, and then now, if I want to do, so that was five for 13, if I wanna do five for 14, six for 85, I'm being scared, and so what that means is that this tells us that the last character of the area value is always the zero, zero, so let's restart this, okay, so this then should give us the calculated value is, should be 202, so this is gonna get us the NB five of all the zeros plus the second byte of the variant, so continue, it's 642 code, so now we can see that this is still old zeros, okay, value is gonna be here, so then I continue, it's instruction after that, so actually, the NB five, so now the NB five is different because it includes that value, that extra value, and we'll see that that value should be different every time, so then the question, and really why I'm doing this is I wanna see my connected there server what is this NB five value going to be and it's gonna be different every time because essentially what I'm leaking here is the NB five of all those zeros plus the second byte of the variant, so if it's the same hash value, I can actually break and force that value, so we can see that the NB five now is different and then let's see what happens when we go back one more time, so it is different every time, so this is a good validation on our part that we're not using a static memory, we can see that what we do is in 684 characters, we get this 70 zero A, which I believe should be the NB five of all, but when we give one more character 685, this gives us different NB fives every time we're doing it, so the interesting thing is I could, so if I was doing this in a loop, I could essentially use this NB five and so now basically I can brute force what's all zeros plus all different bytes, I could NB five that's why 256 tries, and so I can figure out at least that byte of the canary and I can actually keep doing that byte by byte if the canary value is not changing, but I know the canary value is actually changing, that is where now we run into this problem where now, so I've validated that that byte is, and even if I say I do like a pre-init attack and figure out all the NB fives of all the possible values or something crazy like that, it still doesn't help me because it gives me this NB five of the data before it's actually, so anyways, this was my attempt, maybe I think the other thing is gonna be to study this, their hash function that they're doing, like so I definitely know that if we go back to the main function, if we go back to main, we know that we're calling time, which outputs if we look at that, this returns the time as the number of seconds that's being epochs, so this is the next time same, so this is a second value, we're passing that to SRAND, which with this value, it's the SRAND value is setting it's arguments as the C for a new sequence, it's for a brand, we see this in our keyboard by SRAND. Yes, okay, so basically the output of brand will be the same, so I believe, let's see if I'm not sure this will work, I think if I do this netcat very quickly in multiple terminals, it should give me this roughly the same value, if I don't believe that it's possible to, I mean maybe I'll look at it, I don't think it's possible to reverse the Mary value based on this SRAND value, but I'll get the thing that's possible, see the leaks are super difficult to hear, I'm not sure how you can get a leak. Get a leak, maybe there's something on this stack that's interesting, I think zero out all of our buffers, so really nothing on this stack that's of interest to us, maybe there's some stuff higher up above the community. Okay, I'm gonna dig a little bit more because it's just gonna be me looking at things and trying to come up with ideas, but before I try anything out, I'll definitely turn the camera back on. Thanks. All right folks, I'm back, so what I've been doing is reading up a lot about a lot of good articles about how to mess with and change the SSP, so I actually think right now I'm on the right track necessarily, so in the sense that I don't think it's gonna actually get me to leak the pointer, but I wanted to play around with it, I think it's familiar with, see what I can change, so we know from looking at the program that we get this stack smashing detected dot slash hash terminated, and the interesting thing here is we get that remotely, and what we can actually do with this is we can, so the way this works is actually by doing a lot of digging, happens is, let's see, fatal, or the fire fail. Yeah, so this is the command that gets called when your check fails, so it calls a libc message, and this too means to execute, and this is the string we're passing in, dollar sign s, which is the message that we're passing in, and then percent s, so the message in this case is gonna be stacks actually detected, and then now it's going to pass in here for the secondary event libc-rv-0, so what that actually does is that looks up in the process, where's rv, and then dereferences that to go to rv-0, and the really cool thing is I calculated up here, I went in debug and I looked at, so this is my buffer that I can overwrite, and this is the target buffer, where rv-0 is, so using this I should be able to change that value, so essentially what I'm gonna try to do is, I'm gonna try to, I can leak some bytes from the remote process, so this can give me some idea about how random the process is being, and how random maybe the libraries are. I honestly don't know that this is going to lead us into a beautiful exploitation scenario, but who knows, we might as well try it in Z, and so while I was doing this, I figured, well, this could be interesting, so even if this is, one of those things where it's nice to see that, hey, try to see all of the bad paths, because this is part of why I wanna do this video series, it's very easy to read some of these walkthrough and just think that these people are brilliant, they just do X, Y, and Z and they get the flag, but oftentimes you have a lot of false starts down a lot of paths, but in the meantime, you're learning a lot of interesting things, so what I'm trying to hear with this script is I'm trying to, so what I realized, and what I'm gonna try is, I think what I can do is basically change the RV value on the stack to point into that global variable, that Gbub that gets all of my data, and from there, I can construct my own RV pointer to leak whatever I want from the process, so I think I should be able to do this correctly if I pass in, so here is, so I'm gonna base 64 encode my payload, that's what's gonna be decoded and copied onto the local buffer on the stack, and doing so will overwrite, so I should have calculated this correctly where I have 512 As in the buffer, then I have VCDE, which is going to be the canary value, and then I have 68 apps to get that up to where I calculated the RV parameter is, and then I get RV, and for now I should put in this value because I wanna see this baby crash, so I wanted to try to dereference that inside that code that we just looked at, and so, and then what I'm trying to do is I'm trying to append essentially a null byte and then my own value because this, the program's using math gets to read in all of my input into the global buffer, so I should be able to put in whatever variables I want in there at the end of this, and I'm hoping it's gonna base 64 decode just the things before null byte, which I believe should work, but this is why we test these things out to see what's going on, so I think with that, I have what I want in line, guess what I do, and so I'm gonna set that line, and then I'm going to see, so this will, I added a debugging clause at the beginning, so it should be a debugger for us, capture. No, we're not actually interacting. See, regex, that on there, you queue a bit, to receive regex, right, let's choose my regex, see where it needs to be, oh, foiled again, my silly capture. Silly but understandable, so the problem was, the end was considered optional because of the question mark, which would be good, now we can read that in, so okay, so the thing I really want to check is what happened to, so maybe we'll examine a lot, we can see great, okay, so we did get our zero byte in there, and this 0804B0B0, awesome, all of that got in there, and then the other stack looked like, so we have our, so here we have 512As, then we have our canary, we just overwrote, which is BCBE, then we have 68Fs, we have our 09807060, so if we continue, we should continue, then we'll get into a, stack smashing detected, which is exactly what we wanted, hash terminated, so let's start this then, so let's go the backtrace, I need to figure out the value, and it's going on, why is my break month not getting set, start the process then, so now that I'm here at the beginning, I can go backtrace, which is the, I guess I need to alter its value, so what's the difference between, there's what's the difference between, we've got to work, we want to write, there we go, so now I got this dereference here, where it is trying to dereference this EAX, okay, so I don't actually have to use, so now I'm changing the arc B zero pointer on the stack, apparently it doesn't use the arc B pointer, it looked that up, it just wants to know where arc B is, and then figure that out, so then the question is, okay, so basically now I can read any memory location, the process, which is really my goal here, so the question is, I want to read the catables, what about like, let's say what's the value here, like what's the underscore stack check here, so it's saying that, that's smashing detected, space, okay, so it's like you're printing out all that, yeah, it makes sense because of those values, so f7, 3B, 60, 80, f7, 3, 5, 20, 6, 0, so this is going to print out all of the, and I guess I could do this entire table, but it'll stop one, obviously it's an old value, so basically it's doing stack check all the way down, so now the question is, what are those against the real program, and do they, so stack smashing detected, and really what I want to do is just like, pair this, space, so 60, 28, so f7, 4A, 28, 60, f7, 4A, 60, 40, so f7, now the question is, what happens when I do this again, f7, 47, 8, 8, 6, 7, 4, 8, so now, read out values, so for instance, if the flag was somewhere inside this binary, then it would be very easy to see that we could then read the flag out with this exploit, because now here we're leaking bytes from the process, the key problem though, is that it's clearly killing my application, and so that is not too good, so the question is, how do I use this to then control the structure pointer? Because I can read memory right now, but I can't actually write out memory, so I think now that I've proved that this does work, and I can leak out memory locations, that's good, but I need to do, and I did, so I guess I should, I did go through and look at my hash function, I know it must exist for a reason, I think that's the one thing that really makes sense, but it's pretty clear, gets the hash, uses a buffer on this, it creates a 32 byte buffer on the stack, and then it calls ran, and it puts, so 32 bytes, it does eight, four bytes of random integers, and then it creates this, so you can see the return value of dax, which is a far 30, I think it's in the sense of counter or simulator, and it's ebx, so it's the 16th four byte offset, minus the 18th four byte offset, plus all of these other additions, so it's basically combining all of those values that have attracted to try to come up with one value, and of course, so one of the things that you could do is you could say, hey, is this, and because we know that this is seeded with time, so we know where this is called, hash, it's called here, it's seeded with the current time, so you could figure out the current time just by, you know about where it is, you can use brute force, a bunch of values, and keep trying, but I don't fail to see how this actually helps you, and furthermore, once using, so yes, this my hash will create some values on the stack, I tried looking for the canary before we do our overflow, and see if we can find the canary anywhere else that maybe we could try to, I would fit some interesting things online that had a CTF challenge walkthrough where they tried overriding the, so looking at the, if you could corrupt any of the other values afterwards, if you could print out the value that you could control like something on the stack, then you could control the argument to the format string, then you could do a print death order though here, but I don't see that here, so I think for now I'm gonna address and work on this while today, so we'll see and I'll pick back up at the later point, thanks. All right folks, I've made a breakthrough, so basically I spent the time thinking, and actually not thinking about this project, and doing other things, I'm just about to start dinner, and I said, you know what, let's go back, look at it for a little bit, and I was just thinking, okay, so we're in this program, what are our inputs to this program, and so I was like, okay, maybe I'll review this MyHash function, and I remembered something that I had thought about, but I didn't think about it at the time, so the interesting thing when looking over this, you know, this is a slightly complicated function, P2 plus four plus 14, one thing I didn't notice is that, I mean I did notice, but didn't mention or pop the forefront of my brain, is that this, okay, is that the, there is no P2 above zero, which means I thought, hey maybe there's an overflow here, and that the canary is actually being leaked in this hash to us, and further on when I thought about it, I thought, oh, that actually makes sense because we couldn't get it to where it would give us the same canary if we did it at exactly the same time, so then I just quickly tried to debug that to not debug it, but to verify my assumption, so what I did was I put a break point at the beginning of MyHash to fetch out the canary, where you can see here this execution in the canary is 339C0500, and then I set a break point right after where it's accessing this, and it's accessing 00005339C0500, so what this means is this means that the canary is actually being included into the hash that's being set out for us, and so because this is all just a mathematical formula to get the end value, what we can do is we can actually end, and because it's being seeded with time, we know that we can predict that, which means we can predict all of these random values, and which means we can ultimately get the canary, so this is super awesome because I can definitely see a path forward now, so the idea is going back to our 95 calculator, okay, so the idea is with this input capture, this is the goal, so we need to be able to, and this may need, we may need a few times to do this because it depends on what it thinks is the kind of time and I think the trick I'll use is that we'll use, we'll be executing this exploit from their server, so that that way it'll be really, really quick, and we obviously want to check this locally to make sure we can do this locally, so now what we need to do is essentially, okay, what we'll need to do is get the same, be able to get the same variables out of the brand, the question is, the question is the Python random the same but see if not I need to do some, so I need to make sure that I get exactly the same, that we still have a lot to go, so hopefully I'll be able to do that. But if this and this go around, we're like, honestly I'm super tired about thinking about the problem, but now I'm really stoned, and we're good, let's see that, so it's, I mean, using the same random number, very, very easy, I really dug deep into the, it's good to report that my investigation is just typically, the areas are secure, so I basically have to try to do the 24 bits of entropy, so if you have the first byte, the area is only zero, so it would have required 16,000,000, so it's not something that's one zero. Strongly believe this is an important first step, it's so terrifying that what, because if we're not generating the same random values, we're gonna be so close to, we're gonna be like, good, they're the same, awesome. Cool. So we can use this, it's a g-w-c random number generator, the trick is what are we gonna do is we're gonna try the prime time and just see if we're, right at the new times. So, g-w-c, just like that, so, okay, 4 bit, I think we want to get some, it's all we're gonna use, around 30, so we're gonna keep it at, around 30, so it's two plus, 3 plus value 4 minus 6. I'll be able to easily test this once I've got this done. Test this in a number of ways. Without the solution that I have, I can work in all the kind of time I'm debugging it. I can plug it in here and test these. So they're going to definitely want to do that. So the result is equal to 5 puts values 1 to 2 minus values 3, 1 to Mary, 1 to value 7. So this is the song, this is the song, basically the form. So I can't do the song, I can't do the song. This is welcome. OK, and of course, if I'm making a math mistakes, I will be super embarrassed later on. Actually, I'm 7, so I believe, let's say, I believe I have the values here. So I should be able to say, take this here I got, basically, I'm going to do the second memory. So now I need to verify that I've been working. This should be my hash, this should be my math. Ooh, I've got sql, see all. So now that we've got 3, so basically I have, I think it's probably the result of getting all of those over close and everything correct. So this is just, is there a relation between this and sql? It did work. It's an unsigned thing. Oh, OK. Now we've got in-patch, so we'll check this. And this is good. Now I'm going to find that slip check. So we've got the binary process hash function. So let's see if we can be done. This is where the sql registers. Oh, perfect. OK, yeah, this is super easy. Microphone in my segment. So I was thinking, OK, what's on the stack? So what's going to be the argument to? Obviously, we control it on the stack and we know we can shove additional data inside of our base 64 encoded payload. So we can figure out exactly where that it is. We can know exactly where that is in memory. That's the fixed memory location. We put that on the stack. And then now we've jumped to system. So now we're going to jump. It's second-�all because it can't read what that really didn't bring to view. So I do want to call system. We'll call system. And after that, so we'll get to system. System will make that, so it will be a ret. So it thinks that the next value should be the jump. So the next value will be the return value of where system will return to. Obviously, we don't want system to return anywhere. All of this base is even more encoded. So that's only exactly where it's at. So we go for the return to system. And we can see that we have this big, the same VIP. And then on the second-�all, it's a call. What's the deal, yo? OK, so single step. So it's the OT and input system. Since it's getting single step, you can do program in dash. So awesome. All right, so I think if we run this within their system, it should be good. Let's try this remote. If I'm calculating this to be in real time, it's going to be all good. So it's going to be a really good example of the stuff that we're doing with this. So I call this, it makes a lot of you learn some things. I don't know how you do it.