 Hey folks! So today we're going to be going over the Ponebles.kr, the very first challenge in the Toddlers Bottle series, which indicates clearly that it's a much easier challenge. So we're going to go over the FD challenge and this is going to be a bit of a walkthrough, which means I already know kind of the direction that we should go here. So here's the FD challenge and as I get closer and closer I'll start trying to do these lives so you can actually see kind of how I think when I'm trying to solve these challenges. So the first thing we got to do is we always have to read these challenges. This is actually very clear there are hints sprinkled all throughout all types of Capture the Flag and Wargaming challenges. For instance, the name of this challenge is called FD. FD that kind of sounds like a file descriptor, so maybe that's a hint of some sort. And the text even says, mommy, what is a file descriptor in Linux? So this would actually be a good thing if you actually don't know anything about file descriptors in Linux. Here's a hint right off the bat that you should go and learn and read about file descriptors on Linux. This is something that's critical to competing successfully and capture the flags and other types of wargames. It's all about knowledge. So if you don't have the knowledge, if you don't understand what file descriptors are or you don't know how file descriptors work in Linux, you're never going to be able to solve this challenge. And here, because this is the very first one, it says, hey, try to play the wargame yourself. And this is actually a huge key is really, you know, if you're watching this video without attempting this challenge first, you should really not do that. You should be approaching these challenges, banging your head against the wall, trying to solve these things. And only then when you break through and solve it, then you can go back, watch this, see how I did it, see how I thought about approaching this. And that maybe can give you some pointers or some tips and maybe you can go, oh, that's just such a cool thing. I haven't thought about doing it that way. So here's this link. So try to play the wargame yourself. But if you're an absolute beginner, follow this tutorial link. And so here's a link to a YouTube video, but we won't get started there. So the first thing we got to do we need to SSH. So it gives us a command, it's telling us to SSH as the FD user at the server ponible.kr and the dash P option here in the SSH means on port 2222. So this means rather than the default SSH port of I believe 22 off the top of my head, we actually want to SSH to a different port and it's telling us the password to use the password to use is guest. So what we're going to do is we're going to copy this lovely command. Oh, and you can see I've already done it here. So let's reset this. So I'm here inside my Ubuntu and cat etc issue. So you can see I'm running I'm inside a VM running Ubuntu 16 oh four dot three, which is running on my local machine and VMware. I pretty much always work out of this. And as you can see here, I actually got rid of all of the, the gooey elements. So I pretty much always when I am running a virtual machine, like a Linux virtual machine, I like to run the server edition. So I can just get out of this. So I can SSH into it. And then I usually like to work out of a screen and environment. So here I have a nice screen environment. So now I can start working on this challenge. So I can copy and paste this. Actually, very much dislike to have the arguments afterwards, but everything will still work. So SSH, it may take a little bit even though I was already there. So we wait. And so depending on the challenge, try to play the word yourself, could not resolve hostname. That's not good. See this. So there's the hostname. I don't know why. Let's try substituting this in for the dig. So dig is a command that does a DNS query. So tries to map the ponable dot k r name to the to the IP address. And it's telling us, Hey, ponable dot k r is this IP address. So that way, temporary, so that way we can get around that, but we're still not getting any. And this is an issue, obviously, if we cannot access the service, then we won't be able to play this game at all. Important thing to do is to try to figure out, okay, is this server offline or am I offline? So we can do a curl Google.com. And yes, it appears that I'm offline. So I don't cut all of this. Let's see what happens when I Oh, there we go. Got to Google. So I should be able to get here. There we go. All right, guest, we can see that it's being very slow. Finally, we are on. And we notice that it doesn't tell us anything, right? It just drops us directly into this user, this FD user. So if we run the ID command, we'll be able to see that we're running as ID FD. And as the FD user on this system or group FD, and we have the groups FD. And so the directory we're out of should be slash home slash FD. But of course, you can completely change that in a Linux machine. So there's no guarantee. But when we LS dash LA, so we see we're in slash home slash FD. So when we look here, what we're looking at, and we're trying to see, okay, what's the goal here? And that's actually a very important part of CTFs and war games. What is my goal? So if we go back here, we can see that it's asking us for some kind of flag. So we need to find a flag. Okay, hey, look, there's a file called flags. Let's just cat out that flag. And then it's game over and we won, right? So when the massive latency here picks up, we should be able to see that this well, actually, I can preview this. So we know we are user FD, we can see that the flag file is so here we got cat flag permission denied. So why did we get permission denied? Well, when we look back at the permissions here in the flag user, we can see that the flag file is owned by FD underscore poem, which is not our user. And the group is root. And the permissions on this file specifically, so the Linux permissions, you have read, write and execute for owner, group and other. So that's three, three tuples there. So you can see that the FD underscore poem user who owns this flag file is readable. That user can read this file. The group of root can also read this file, but everyone else. So we are neither of those two people. We're not the owner of this file. We're not in the same group as this file. So we're in the other category. So we have zero permissions on this file. So by ourselves, we cannot read this flag file. So how does this work? How are we supposed to find the flag then? Well, we can see that there is a an FD file here. And if we run file on that, it should tell us something interesting about this file. But we can jump ahead a little bit and say, okay, yes, this is an elf 32 bit executable, which is awesome. That's what we want. And so we look and we say, okay, can we execute this file? Well, who owns this file, the owner is FD underscore Pone, and the user is FD. So what this does, so when we look at these permissions, we can see we first see read blank s. So we'll go back to the s in a second for FD Pone. But we can say read and execute for FD. This means only the FD user only us, we're the only this group can execute this file. And also the FD underscore Pone, this means that it's that the FD Pone user can read it and execute it. But also that s is a special bit that means it's set you ID, which means when this FD binary executes, it's rather than so when I run, let's say LS, this LS command is running and executing with the permissions of the FD user. But this FD binary, because of this set you ID bit in Linux, it's running as with the permissions of FD underscore Pone PWM. So that means if we can trick this FD executable into reading this file, we'll be able to read the flag file, which is our ultimate goal here. So this is awesome. So this gives us a direction to go, we want to break the FD binary. And since this server is going to be slow, I've actually already, Oh, I did not. Okay. So I'm going to add a little pause marker, do is copy these things down. So what I want to do is I want to analyze this binary and the C file offline. So I'm going to use scp, which is a secure copy, which uses SSH to copy a file from a remote machine to our local machine. So I'm going to scp, it's FD at Poneable dot kr. And the other important thing is the port. So we know we're on port 2222. It's only from experience earlier today that scp uses the dash capital P flag for the port, whereas SSH uses dash lowercase p, I've never remembered that otherwise. And what file do we want to get, we want to get the FD file, we want to copy it here. So this is going to attempt to SSH into that server as that user to copy the FD file locally. And we can see it will we will wait for it to give us the result. And now I'm going to have to go and copy the let's do it by IP address since DNS is having weird issues. We'll blame it on other people, not on me, but who knows password guest. So now it'll copy that FD binary locally. And this is important so we can look at it and understand what it's doing. We also noticed the other important thing is that there's this FD dot C, a C code. So this is good. And this makes sense, right? So the important thing is as you're doing these challenges to always go back and verify your assumptions, right? What are our assumptions here? Well, this is a in the toddlers battle category. And it's the very first challenge and it's worth one point. Now we haven't looked at anything else. So we don't necessarily know the point structure yet. But we should think that it's an easier challenge. And if you have C code, you're going to have a much easier time because you don't have to necessarily reverse the binary. So we get that let's get FD dot C. And we can start looking at these things locally. There we go. Guest. Great. All right. So let's cat FD dot C. So we can look at this application. See it has a main function. It's not very big. So that's actually a good plus for us. We can see the first check if argv is less than two past argv one a number. So remember, so argv is the first argument that gets passed in the main argv tells how many arguments are in the argv vector argc. Yeah, argc specifies how many arguments are in the argv vector argv bracket zero is usually the name of the file that gets executed. So if we were to run FD, the argc would be one. Now we need so it's saying, okay, we need to pass a number. What does it do? It has an int fd for file descriptor, probably a toi, which means it takes in an important a super important thing to do. If you don't understand what something does or what some function does, always, always, always read the documentation on that function. So here, if we didn't know what a toi meant, we could say, oh, it's we know at least here from its signature, it's something that takes in a character pointer and returns an int. And we can actually read the description converts the initial portion of the screen pointed to by and pointed to int. And so basically, it's just going to going to try to convert a string into the integer representation of that string value. So it's going to set that. But the important thing is here, it's going to subtract hex 1234 from that. It's then going to have a length. It's then going to say, read in from that file descriptor into buffer. So buffer here is a global buffer. That's 32 characters, 32 bytes. So it's going to read 32 bytes from the file descriptor into the buffer. And then it's going to check does that buffer equal, let me win new line. If it does, so this is an important thing of strCmp will return zero if the strings match. So that's what there's not string compare is doing. Then it will say print to have good job, and then cat out the flag and then exit and say, saying, hey, learn about Linux file IO. So this is actually a nice thing that the developer of this challenge has put in to help us learn and understand and try to, if we've never experienced this before or played this before, to know how to go learn more things about this. So I can run FD and say pass argv as a number, I'll say 10, and it says act, you need to learn more about file IO. And so what's the goal here? Well, the goal is to pass this check. Well, the goal is to event ultimately get the flag, right? That's always our ultimate goal. So how can we do that? Well, the interesting thing is basically our input, our file descriptor input is being passed into the read function. So if we do read, we can see that in the man page, read is a function that takes in a file descriptor, a buffer and a count. And the description said read attempts to read up to count bytes from file descriptor FD into the buffer starting at buff. So, so what we need to do so now we want it so now they the key to understanding this challenge is we can completely control this FD parameter, we can completely control what this FD parameter does. So the question is what do we want this parameter to be, right? And it's important to remember these are, this is one thing you want to burn into your mind when you're doing CTFs and CTF challenges is that file this by default, file descriptor zero will be standard input. And that's so for instance, when you type in cat, it's waiting for input from standard input, and it's going to write that to standard output. So standard input is file descriptor zero standard output is file descriptor one, and standard error is file descriptor two. And these are constant in all, I believe, POSIX based systems, but I don't know, but it's a something to definitely burn into your brain. So we can see on our local machine, if we do, if we do zero x 1234. So that did not work because ATOI is not using hex values. So we need to convert. So basically we want the FD variable to be zero, right? We can't pass in zero, because it's subtracting 1234 from it. So if we do what's binary 1234, hex 1234 convert that is 4 660. So if we do FD 4 660. And now so what is it doing now it hung, right? That's an important thing. So what it's doing is now it's breeding 32 bytes from our input. And what do we want our input to be? We want it to be let me win. Let me win new line. And a bunch of stuff just happened. That is okay. See if I can recover. All right, well, I killed that window. That is interesting. So let's see what happens when I do that here, because that is very interesting. So I want 4 660. I want to input let me win new line. Great. And so it says mommy, I think I know what a file descriptor is. So we copy that. And we put that. Okay, I know what happened. So we put that in here and it would tell us that yes, this is a good flag. So what happened here? Well, if we look at my local machine, I've already worked over some challenges. So when it did system cat flag, flag is actually already a binary that I have in this file. So output a binary, some of those characters were control codes that messed up our shell. If you ever find yourself in that position, sometimes you'll be able to type in reset and hit enter. And that will try to reset your terminal or clear. But we can see if I do this again, it actually really messes up the terminal. So I'm in a screen session. So I can hit I can just hit control D to get out of that that screen terminal window. And there you go. I'm out. So all right. So now we've successfully broken. We've gotten one point for this first file descriptor. This is actually a interesting challenge. I like that it's not super straightforward, but it's a little bit complicated and makes you really think about what's going on with file descriptors. So thanks, everyone. Bye.