Hello everyone and welcome to the second day of the LiveCTF. Sorry for the delay, we've had some technical difficulties and I think we're just adjusting some sound volumes here. As you might see on the screen, I'm not with Jordan here today because we have instead LiveOverflow as a commentator, calling in remotely. Hello. Hello, thanks for having me, coming in here from Germany. Unfortunately I couldn't be there, but it looks amazing what you guys did. Nice. Yeah, really, really fun to have you here on the stream at least, so it's gonna be super nice. We have a fully packed schedule today with a lot of matches. We will be talking about that more throughout the broadcast, but we need to get right into it. So as soon as I get just another okay from production... Yeah, we are ready to go. So I'm just gonna see... Yeah, okay, so: first LiveCTF match of the day, start the countdown. Five, four, three, two, one, go! Let's go. I might be a bit biased in this match, do you know why? Oh yeah. So we have the matchup right: Sauercloud versus DiceGuesser, Sauercloud being the German mixed team which you have been participating in, right? Yeah, I played with Sauercloud before, as you said, big German team, so lots of people I know in there. So I might be slightly biased, but of course I'm also rooting for DiceGuesser, who are also incredibly skilled. Nice, yeah, it's really cool. So this challenge that they are getting, it's... sorry, so it's again a pwnable, x86, nothing shocking there. We can see the two teams opening up the binary in some reverse engineering programs. We have Binary Ninja and we have Ghidra, so a little bit of a mix-up there. I just wanted to say I hope Jordan appreciates that I believe this was the first time we see Binary Ninja. I want to say Sauercloud coming through here with Jordan's wishes. Yeah, creating a bit of that goodwill.
Maybe that can translate into some good luck for the team. Yeah, Jordan should maybe slide them a hint. Yeah, well, we might slide teams hints, but in that case of course to both of them. We got a question here if we can just up the volume of LiveOverflow a little bit. So yeah, sorry, there might be a few technical hitches throughout the beginning of the stream, but let's try to go... yeah, so we are looking here at one of the teams. Sorry, I'm just making sure, what was the name of the challenge again? Yes, we have Fair Enough is the name of the challenge, and like spelt as fair enough, so it's kind of like a magic brewing theme going on here. You can see in the decompilation here in Ghidra that there's some kind of menu, you can stir to the left, stir to the right and stuff, so we'll see what that translates into. Yeah, and in case people don't know, these challenges are a little bit smaller, they are not hardcore DEF CON CTF challenges to be solved in many, many hours; they are intended to be solved quickly. So there's kind of just one area it focuses on. So is this challenge more reversing or more exploitation oriented? What do the players expect? Yes, so here, and this is again a pwnable challenge. So we can see here on Sauercloud's side, if I'm not mistaken, yeah, Sauercloud here using Binary Ninja as you said. You can see that they are running the program in GDB with GEF to, you know, get some understanding of what's going on there. There's some kind of array here with data being populated, in this case seven of the switch cases. Did they call it scratch, or does this binary come with symbols? Oh yes, sorry, what did you say? Sauercloud named that big array, it seems, scratch. I was just wondering if the binary comes with symbols or was that a decision. Oh yeah, I think this one is stripped, right, or I'm not entirely sure.
I just want to point out, in the corner of Sauercloud's stream they have a speedrunner timer interface here. I really like this small touch that they've added, you can see that. Oh, actually, you know, I'm watching you right now over the internal stream here. I thought that is a tool from you to keep track internally, but you're right, it's actually on their computer. No, no. Yeah, it's like a LiveSplit timer for LiveCTF flag any%. Yeah, as a speedrunning fan I definitely appreciate those small little touches. In 10 seconds to open Binary Ninja, we should ask Jordan if that's an acceptable time. Yeah, and how much was the program and how much was them. But yeah, as you said, it's looking like they were trying to name things a little bit, trying to see what these seven options in this menu actually translate to. We're gonna switch over here to DiceGuesser to see them starting to write a little bit of a solution script here. Not sure exactly what they think; they had a function they called create byte, so they have something in store there for starting the solution. Oh, they're looking up Bézout's identity. This is like... there's some kind of math problem involved in this. Oh, sorry, no, this is a math challenge. Well, so this is the thing with this challenge, right? It's basically a shellcoding challenge, but they cannot just input their bytes however they want. They have to create them by incrementing and decrementing. I think the idea is that you can only increment and decrement using prime numbers, so you have to express your target value as a linear combination of prime numbers. I imagine the code like this in assembly, like modular math or whatever, can look quite ugly. So they didn't get the source code with this, they had to reverse engineer it, obviously, right?
Yes, that's right. And you said it's stripped. So do you know how they figured out that it's that, or was it in the menu? I didn't quite know. No, no, I think they were looking at the different operations. You can see them... yeah, I'm just trying to follow here a little bit what they are trying to write in their function here. They seem to be thinking a little bit hard. So they're importing random here, which I'm not entirely sure what the idea of is. The comment says "brute force lol". So maybe they are copying the check, maybe that is also in the binary, that it's checking something instead of generating it. Yeah, so if we could switch over to... no, I see there's some kind of discussion going on in the production booth, so we are not switching over to Sauercloud, but I will tell you that Sauercloud is also creating some kind of function here where they're using for loops or nested for loops or something like that. So there are different approaches here, one using randomization and one using pure brute force. But yeah, I think they're both kind of on to something here. So yes, here we can see Sauercloud again and can try to see their code. I think we have these options three, four, five and six in the menu where you can see that it's like adding and subtracting a value; I mean, first it's some kind of offset in some array, I think, and then they're adding and subtracting values there, I think, which is this whole thing where you're adding and subtracting prime numbers to your shellcode. As somebody who is not that experienced with math, I mean, the menu and the description itself of the challenge doesn't really give away this math operation behind it. So being able to see that quickly in the assembly code is really impressive to me. I'm not sure if I would have realized that there's some math going on there, and what kind of math. Yes?
Yeah, the fact that we saw the correct keyword being googled by one of the DiceGuesser players is pretty nice to see, I think. But yeah, it's like some of these CTF challenges, sometimes there are a little bit of curveballs thrown in, like problems from other domains. We saw a Sudoku challenge yesterday, a little bit like a math problem today as well. But here you can see, sorry, yes. What do you think from the difficulty level? The last challenge yesterday took a lot of time, and the ones before that were faster. Where do you expect this to be? Do you expect them to need a hint for this one, or do you think they are on a good path? So yesterday evening we worked a lot on calibrating the difficulties for the challenges based on the first four matches that we did. I would say this one is... it's probably easier than the most difficult one yesterday, but it's probably more difficult than the easiest one yesterday, is my slight guess here. We'll see how that turns out, but you can see here this loop that I mentioned. Yes, but we're going over to DiceGuesser, yes. Oh, and they are looking up some algorithms here on Google. They're looking at linear combinations mod n. So here we get into them, so they understand what kind of math problem we have reduced this to. To be completely honest with you, I would have already completely lost, I would be on the failing side of this table. I would not be a good choice for Sauercloud to sit there right now. Well, it's good then that we are in the commentary booth and they are playing, right? Right, I chickened out and stayed in Berlin while the team went there. Oh yeah. So we can see here the function they have written here.
You have this create byte, and they create a random integer, and, oh no, they are selecting a random integer among those four integers, and then they are appending that to a list, and then... okay, so basically the values that you are inputting into the shellcode, you have these three values, 16, 72, 15 and 253. So you can, I think, add any of those values, and then you need that to get to your destination value. So what DiceGuesser is doing is that they are just looking at their target and then just randomly picking these four values to add to it, and they're checking if they have reached the target. So this will probably not yield the most efficient way to get to the target value, but hopefully it will get you to the target value within a reasonable amount of time. Yeah, and sorry, how is the shellcode then constructed? Is it that they have to go to a certain target value that is then accepted and move to the next one and then slowly construct shellcode? Is it constraining the shellcode? No, this is... yes, this is the way you input your shellcode. So I guess you start with an array of all zeros or something like this, you have some starting point, I'm not completely sure about that part. But then you can byte by byte modify those values using these rules to modify the values in your array, and then you can have this thing executed. So this is how you're brewing your magic potion here, right? Yeah, so you're brewing the magic potion by adding these prime numbers, and then at the end I guess you're consuming your magic potion or something. And we can see here the code for Sauercloud, they're using Z3, a constraint solver, a big fan. Do you use Z3 a lot?
Yeah, whenever I have something like this where I would have to solve some equation, which might be very easy to solve but I can't do it, I try to use Z3 and hopefully it's a formula Z3 can handle. So yeah, if I ever face a challenge like this, Z3 is the tool of choice for me. Nice. Is this a problem that Z3 can solve, or is this one it might struggle with? I think, you know, probably not well suited... maybe the search space is small enough that it can handle it, but I am not sure. No wait, this is a completely... yeah, it probably should be fine, I'm a little bit uncertain. But you can see here they are... so for our viewers, Z3 is a constraint solving software. So you provide it with a certain set of equations, a bunch of variables and a bunch of equations, and then the program will figure out the values for the variables that satisfy all of these equations. So in this case you could say, okay, we have four unknowns, like the multiples of our prime numbers, and you can say a times the first prime number plus b times the second prime number and so on should equal our target value, and then Z3 tries to figure out appropriate values for a, b, c and d to make this happen, and then they can use that output as the commands for their exploit. I was just going back again and looking at the assembly code, just to try to understand a bit better what is happening here. So basically you have an array, and the first two options move the cursor in the array back and forth, and then with the other options you can modify the array value, and that array is later your shellcode. And to these array values you can just add or subtract a certain value, which seems at first very easy, but I guess it's because your input length for the choices is... Sure. No, it's a while true. Hmm.
I'm looking again at this assembly and trying to figure out how they treat it as a math problem. To me it looks at first sight like just a basic array. So just to cut you off a little bit here, I can see here on Sauercloud's screen that they are trying to run the program remotely and they seem to have a shell. So they have a... I think it's locally working. Oh no, do we have an issue here? No, no, that's local, it's locally working, they have a shell locally. So they are very close. We can see this... you can see the submitter binary, they're running it and that should be... Yeah, that's good. That's game. Good job to Sauercloud. Yeah, amazing. Okay. So what we saw there on screen, we saw them running the submitter binary once they had the remotely working exploit. That was a fairly quick one. So to be honest, yeah, congratulations, amazing, go team. Yeah, and that is this match. We will be back in... yeah, we will catch up with the schedule, so we will be back already in 20 minutes, hopefully, and I will be swapping out with Jordan, and LiveOverflow, you're staying on for the next match, right? Sounds good, great. So if I can just plug my stream in between the matches... Oh, totally, twitch.tv/LiveOverflow. I'm gonna kind of recap what just happened, trying to better understand, because everything happened so fast. So in the meantime, if you're bored, come over there. Yeah, sounds like an excellent idea to have a recap there. We will go to an intermission on this stream. Check out LiveOverflow's... you're streaming on Twitch, right? Twitch, LiveOverflow. We'll go to an intermission here, we'll be back in about 20 minutes, see you later.

Welcome back, LiveCTF round two, day two. I'm back, I'm psifertex, or Jordan. Thanks, Kyle, for doing round one. We still have LiveOverflow. LiveOverflow, you're still there? Yes, I'm here. Excellent, all right.
Good. All right, so we've got round two. This round we've got coming up Samurai and Perfect Route, so let's get them started with a big countdown. You ready? Five, four, three, two, one, go! All right, okay, so what's the challenge called, Jordan? Okay, so this challenge... oh, I gotta check my notes, this has been a crazy morning. This challenge is called... Seek and Destroy. Maybe a little Metallica reference, I think, from the person who named it. So we told each team a category, and the category we told them was exploitation. And we didn't say it was a pwnable, because from my perspective, for a pwnable you have to find the vulnerability, and exploitation is like, no, you just have to exploit it, there's already one in there. So it's a subtle distinction, it really doesn't matter too much, I think, to be good at both. So I think we've got... let's see. So seek is definitely a technical term, it does, you know, the seek method, and so the challenge has to do something with that. That's exactly right. Yeah, great questions. So Seek and Destroy in fact describes exactly what the binary does. You can give it a file and you can give it an offset, which it will seek to, and then you get to write bytes. So you can just open up any file. And you can see actually here the actual decompilation, so we're back over on this screen. So okay, we're doing checksec on it. Some basic checks at the beginning just to make sure not to miss it. Sometimes, you know, we talked about it yesterday as well, that sometimes challenges don't have stack canaries or don't have position independent code and maybe you have a wrong assumption, so better to check this at the start. Yeah, it's so easy, especially in a LiveCTF environment, right?
Which is really stressful, where you're trying to keep track and remember, and you might just assume, oh, of course it's gonna have RELRO or it's gonna have PIE or whatever. So yeah, it's such a good habit, I feel, to have, like things that you always do, things you always check off. And oh yeah, we're getting my name fixed here, so sorry, we'll get the title slide changed. So yeah, they're running checksec, they're looking at the protections on the binaries. So if I describe this... I like this because you don't, I think, know any of the answers to these binaries, right? So we're kind of bringing you in. I mean, I've peeked a little bit. Okay, you do have access. Yeah, that's right. Yeah, but I don't have a good understanding of the solution for this one. I love this one because it's one where the obvious solution... most of these, the obvious solution from a CTF player perspective is the one that we want you to do, but we still have to see you do it, right? And we have to see you come off of that. So it has to do with that on Linux everything is a file, and you're supposed to open... I don't know. That's exactly right. Yes, everything's a file. So what are some of the things that are files on Linux that you wouldn't expect to be a file, right? Like you've got the proc file system, the dev file system, these weird things. And so okay, if you were doing this and you've got proc, what in there would you use to start writing to? Yeah, /proc/self/mem, exactly, exactly. So /proc/self/mem is just gonna give you access to the memory of the binary, and we see here people already looking up /proc/self/mem. Here Perfect Route, well, was just looking it up. Yep, and already building the pwn scripts.
So they know that they're looking at this thing, they're just making sure that their script is gonna be formatted correctly. Like, do you send it hex, do you send decimal, how do you send the data? So it looks like they already know we're gonna open up the binary, we're gonna tell it where we want to write to /proc/self/mem, although there is one gotcha. I think in our official solve script we first open maps, right, because we want to know where we're actually mapped in memory too. So it's nice that we can open that up. And I'm wondering, are there other ways to cheese it? I mean, on an actual full Ubuntu, and maybe if this is actually running as root, you might want to, instead of going to /proc/self/mem and writing some shellcode, just open /etc/passwd or /etc/shadow or so and write yourself a backdoor user into there, or change the root password, which might be a bit easier or nicer to debug as well. Yeah, that's a good idea. Is there a way to cheese it, or do you have any other idea for solutions then? I mean, we didn't have an intended one, but that doesn't mean that there isn't one, and I would love to find out that there is. I expect, knowing these players, that we're going to see them both go for just the memory one, but I think you're right, I think actually looking for something more logic-based or injection-based or anything else... I mean, if you have root permission... I don't know how the challenge container is set up, is it running as root? So the binaries are not running as root. Excuse me, so I think some of that stuff doesn't work, but you could just...
So I don't know if you can create a file, but if you could, could you create like a .ssh/authorized_keys and just log in? There may very well be other options, which I actually think is interesting. Destroy their own challenge by, instead of going for the memory, overriding their own challenge, just overwrite the binary on disk. I try to remember how the Docker setup is done, if that's possible or not. Here we go, we're gonna bring in a producer and we'll see. It should not be possible to destroy anything, but if they manage to do that we will, yeah, have to reset it or something, but it should not be possible. I think that the binaries are dropped in where they have execute and read permission on the binary, but they shouldn't have write permission on the binaries in their folders. So I've seen Perfect Route is creating a script with generic methods like open file, read file, just functions in the exploitation script to, I guess, make it easier to work with. Yep, just the usual kind of wrapper stuff, exactly, the primitives. We talked yesterday about the debate between a quick one-off that you just get as quickly as possible, or building up the primitives that you can then more easily debug and test and then chain together if you're gonna do a lot of operations. And so this is one where, I don't know, is it better to do the wrapper? I think it probably is, because this one looks like each one of your writes... well, so if you've got the ability to one-shot it, you could just send your offset, your size, and do the whole thing in one shot, in which case you don't even really need to wrap it up. Samurai also does the same, so they are also working on an exploit Python script where they also have the primitives open, close, write, read. And so it's all kind of a similar strategy from both teams, writing a
script with the wrapper primitives. Yeah, it is exactly, and I love that. You see, I think that is just, no, plaid plus plus? Yeah, might be Chris's music. So we have Chris Eagle from Samurai, who is one of the... I think he has certainly been around the CTF scene longer than absolutely anybody else at this point, still actively playing at the highest tier competition, which is just really, really cool. For a while I thought I was gonna be an old man CTFer like him, and then it got too hard for me, but he kept on going and I love seeing him continue. I mean, the very first CTF I played, DEF CON CTF 22 years ago, I joined his team. He was already a legend in the CTF community, and now 22 years later he's still competing and so far holding the zone. In fact, you can even see on his script, he's already... he does go for the maps reads, right? So he's gonna get the address space. Yeah, that's /proc/self/maps. In fact, just looking at the two scripts, I think Perfect Route, I saw, was still just having the test file. Yeah, but Samurai already has the /proc/self/maps in there. Yeah, I hate taking bets because I've been wrong so many times, but it is fun to guess, and it looks like a little bit of a lead to Samurai, but this can go either way. I think these are fun because a lot of Perfect Route is just changing it to /proc/self/mem. Maybe they run into the issue, as you mentioned, about where to seek to, where to write to, the address... Oh no, they've got a maps one now. Yep, there we go. So they've got /proc/self/maps. Okay, so honestly these are neck and neck. Yeah, they're both pulling... Oh, this is interesting. So I think what's interesting is we're seeing a targeted exploit here from Samurai, right? And so I saw him pulling up PLT entries, GOT entries, and he's gonna go for a very targeted exploit.
I think one... yeah, just a one-shot kind of thing. Whereas I think our original solve was just really dumb, it just blew out, put a bunch of nop sleds and put a bunch of shellcode and just overwrote the whole thing. Yeah, actually, of course theoretically it's easy to overwrite the memory, but then you need to figure out where exactly the entry point is, where to write the shellcode, finding a good function maybe to overwrite. Then, I don't know, what's a good target function you can overwrite where you have enough space for your shellcode, so you're not trashing other code where you're still currently executing the binary. I don't know, there are a few caveats, but maybe overwriting the GOT is just a very typical exploitation way. If they can overwrite a GOT entry, that's what they do in regular exploitation challenges as well, so that's what they feel most comfortable with. Yeah, as I say, even if maybe it's not the most efficient, if it's the thing they're used to, they're very fast at it and they know how to land one like that. And so yeah, I could see that, even though the sort of brute force hammer way of just flooding the whole thing... maybe that's less reliable, maybe they don't trust it. They know their traditional thing and they're gonna go with that. So yeah, I would have, for example, not thought of the nop slide. I would have thought about, okay, which function can I overwrite and when can I call it, or where do I return to after main or something?
Yeah, I would have thought about it this way. But oh, you're absolutely right, the nop slide is just the brute force easy way, but I probably wouldn't have thought about this in the moment. Yeah, and I think some of that's because in a CTF you don't see things like nop slides very often, right? Those tend to be more real-world, like browser-based things or something like that, oftentimes where you need that because you just don't have the precision you otherwise want, and you're okay with a probabilistic exploit. I think for CTF players, even challenge authors, we like it to be really clean and pristine, and nop slides feel so dirty, like I don't want to have a lame nop slide in my challenge. Yeah, but it's mainly what you said, that players are maybe not used to nop slides. I mean, of course these players know about nop slides, they understand what it is, but they are not used to it. So maybe that's also the same reason why they go for overwriting the global offset table instead of going the brute force way, just what they are used to from other exploitation challenges. Yeah, so just looking through them, it definitely seems like they clearly both know exactly what to do, and this is just a race to see who can do it faster, right? And I think that's super fun, because it's frustrating when one player doesn't see the vuln and you're just like, oh no, they're way behind. This is just gonna be... I mean, of course, I think it's pretty obvious what you're supposed to do in this, but neither one got too sidetracked. And I guess I think because these are pwnable exploitation people, when they sit and look at this and they've got a write to a file, they're like, oh, of course I'm gonna go for /proc/self/mem, right?
It's just the first thing they would think of. Yeah, it was also my first thought exactly, and I think other people might have been more like looking for it. I still wouldn't be at all surprised if there's a really clever, like, write this file, and if this file is the user log, the user normally changes the password, set some other... like add an xauth file and now you can remote X forward. I don't know, something weird like that, right? I wouldn't be surprised if there's something that would work like that. Yeah, but no time for that in a head-to-head competition like this one, which is pretty stressful, so you go for what you're used to, what you know. Yeah. Well, and it's one of those high-risk, high-reward things, right? If you trust in the crazy, it might just work and you're done. But then there's also a decent chance it fails, and they both know, okay, this clearly was designed to be owned this way and I just got to figure out exactly the right mechanism for it. Did you see something? Well, I was gonna reply to a comment in chat, somebody mentioned that it's nice to see both screens are working today. Yes, we had replaced every component of one of our capture setups, all except for the one cable, and it was the HDMI cable. As soon as we replaced that, everything else worked. We could switch back adapters and capture cards and everything else was fine. So just a bad, brand new HDMI cable, just bad.
So, by the way, Jordan, you cannot see me, but I saw you dressing up and proudly wearing something very nice yesterday, to go for real esports caster. Today you don't see me on stream, but I put on a small jacket, and now I see you sitting there with a hoodie. I know, I know, I set this high bar and this standard for CTF. I didn't bring that many suits. People are clapping because they think that it was solved, but that was... they're playing in the room, by the way, our last match, because they want the audience in here to be able to see what's going on, but we don't want the competitors... Wait, oh no, it was done? No, because the video... Sorry about that. Yeah, so I think that's the downside to playing the video in the background from the last match. Both teams are still going, both sides freaked out like, wait, no, did they actually do it? But both teams are still going. I was worried there for a second. So yeah, I just didn't bring enough suits, and I didn't want to wear the same suit three days in a row. So today I'm in hacker garb, I have my Binja t-shirt and my hoodie. But I do want that esports vibe going, so hopefully we'll get video figured out later too. We want to be able to have our remote casters coming in as well and be overlaid. All right, so let's go ahead. Yeah, they went back again into looking at some assembly code there. I'm wondering what kind of problem they are facing right now that's confusing for them. Yeah, see, Perfect Route is in the debugger and is in IDA, and they're kind of flipping back and forth, whereas it looks like Samurai was in a VM, they were bringing a VM up to run and test probably. I think that's another interesting difference between players' approaches, right?
Where some of them will go straight to the debugger, and then some of them will build the whole exploit just modeled from pure static analysis and then throw it, and it either works or they fix one thing; there are very few changes they need to make. I feel like I'm a debugger-style exploiter, like I'm sloppy, I need to figure it out on the fly and see it as it goes. No, I need the visual feedback as well. Yeah, I can relate to that, but then actually Rusty, who built the last challenge that we saw, is one of those. He will write the entire exploit and just throw it, never touching a debugger once, and it just works the first time. And it's like, it's not fair, you're not allowed to model the computer in your head that closely, you should have more bugs. So let's see, what are we looking at? We're looking at Samurai. Okay, so we're testing. It looks like "failed to open file" though, that's an interesting response, but they did read something. Yeah, so /proc/self/maps, I think they have problems with reading from /proc/self/maps. So does it maybe... So they should have control over the mode. Yeah, if you specify the wrong mode in the menu, I believe. Okay, right, so in fact this is actually one of the things in our testing that we ran across, that on older platforms the mode settings were sloppier, it didn't really matter as much. So with mode you mean like file open? Exactly.
Yeah, when you pass in, like, you know, is the open for reading or writing or appending or whatever, you know, kind of changes you're making to it, and the other different flags that you can pass in. And so I think... so I haven't seen... I'm looking for... So we're getting ltrace. Okay, so ltrace will show us that call to open, and yeah, we'll see if he catches that. And I'm actually looking back at perfect route. Yeah, okay, so it still looks like plumbing on the perfect route side, just kind of... They're parsing out the maps, so they do... Okay, so they've gotten maps. So I would say perfect route is a little bit ahead. They're reading the maps. So we got it working, right? So they were able to dump that back out, whereas it looks like Samurai's getting... It's so frustrating, right, when it's like a little, little bug and you're just like, what's going on? And Samurai tried to read /proc/self/maps but had an error again, and then the screen was just blank and no mouse movement for like 10 seconds. I think they were staring at the screen trying to figure out what is wrong. Why can I not read /proc/self/maps? At least, I think that's my interpretation of what happened there. Yes, I'm wondering... I mean, they've got... I'm just trying to see where... Oh yeah, there we go. There we go. Okay. Yeah, perfect route is getting very close now. It looks like they might be already... The code is a bit small for me. Do you see how far the code is, like what they are trying to do? So they are specifically trying to get libc and stack addresses out into separate variables, right? So they're parsing out the maps and then they're going to get the base address for each of those regions, and they're trying to make... so they're already just parsing maps, essentially. So once they've got their map, it should be pretty quick at that point.
Yeah, this is definitely not one I think we're going to need sudden death for. They're both well on the way. Okay, so they know the goal. Yeah, I mean, it's just technical implementation struggles at this point. Yeah, and it is going to be, as I look... I mean, I am curious: are they both going to go for a GOT overwrite, right? Are they both going to go for, like, a similar kind of, you know, gadget? Or once they have it... I kind of get the sense, actually, you know, it's interesting, I saw them mention the stack, so it looks like we might actually see, like, some sort of stack exploit. Or maybe perfect route's just pulling that out just to make sure. Maybe instead of overwriting the GOT they go just for the return address and then do a one_gadget or something. Yeah, that's one of the things I really like about a challenge like this, right, where there's an infinite number of ways to solve it. You could do so many different things, and then you kind of want to see, like, okay, so we're in the debugger. So yeah, I really like how we've seen a lot of teams do this, right? Like, the fact that pwntools really lets you not only switch between your local version that you're running and then throw it, you know, remotely, but also, powerful, breaking in right in the debugger interactively, right? So like you've got your script, you're like, okay, right here actually I want to stop and go ahead and break in. Like, you know, throwing remote versus local has been around for a long time, but the idea of, like, actually... I used to have to, like, put a sleep in my shellcode and then attach the debugger separately. Yeah, right, exactly, for a particular challenge, exactly. And this is just so much cleaner, to just be able to be like, oh, and right here I want to inspect the memory, especially with a challenge like this where you're just overwriting memory in the process space, right?
And you want to be able to just pause, break in, and be like, did my write work? Did I hit the right place? And in a one-on-one fight like this, you know, especially when it's head-to-head like this, every little speedup you have in your process, the iteration process, it's just so much faster. You're just saving seconds every time you have something small to check, and that adds up in a challenge that's just maybe 30 minutes. Yeah, and even, I saw Crisigal from Samurai, he already had his throwing framework, like in his copy-paste buffer, so he literally had it set to go, and even had a little comment. I missed it, I missed calling it out on stream, but if you scroll to the top of his file, he put a little comment that said "my teammates abandoned me and they've made me do LiveCTF, help me mommy". So I think he kind of wanted to do it, so he actually came up earlier and was saying that he... Where are we pulling out? Okay, so yeah, he came up earlier and said he was really excited about some of the ones yesterday and then really concerned about others. He's like, oh, I really wanted to do the very first one, but I did not want to do, you know... So it's interesting that people are kind of watching along in the audience, like, thinking, what are we gonna get?
What are we gonna have to solve? And it's so incredibly stressful, and it's a situation that none of these players are used to. Yeah, to people looking over the shoulder, and, you know, just... I have my utmost respect for doing this. I appreciate it so much that they agree to doing this. Anybody that even tries, right? Anybody that even comes up here, sits down, and, you know, you can see a little bit on the camera here, but just like, this room has, like, some of the best CTF players in the world, and you're gonna go sit in the middle of them and go one-on-one against somebody else, like, with people standing around you, looking over your shoulder, people watching your screens. Like, yeah, that's a totally different experience. There are really, really good hackers who would not do well in this. Like, it's hard. Yeah, and we know what kind of dumb problems we always run into. Yes, it could be something really dumb that you need to Google. We had some interesting Google searches yesterday that were just some basic searches, but yes, but that's what you do, and you might feel embarrassed doing it here on stream. Yeah, it's normal, and what I love, though, and this is actually one of the things I love about your videos too, right, when you show your discovery process, when you show mistakes that you've made or things that you've tried, and that's the best part about this, because we get to see, oh wow, these people are amazing. They are epic. Both of these players are far better than me at exploitation, and yet, you know, I can still see and learn, and I can say, okay.
They made mistakes too. I feel like it's both encouraging, but also you see, like, oh wow, they're also really fast, also they're really good with their tools, and that's just because they practiced and they've worked at it, and it's... Thanks. I mean, that's the most amazing thing of LiveCTF, and why I also, of course, like, my appreciation also goes out especially to you. I think you've been carrying this a lot, but thanks for pulling this off, because being able to watch these professionals solving these challenges, seeing where they struggle and the strategies they use, it's entertaining, of course, but it's also so educational. And, you know, my name comes from those very early LiveCTFs that happened back in the day, so, you know, this has a special place in my heart as well, to be able to see this here. Yeah, well, we're really, really happy to have you, and I will be clear that, like, I kind of bugged a couple people into doing it, but there have been some serious heroes that, like, I've only, you know, worked on like one of these challenges, part of it, like a whole bunch of people on the team, from Glenn and Carl and Josh, that have worked really, really, really hard and done lots of challenges and lots of stuff leading up to it. So this has been, yeah, this has been a lot. I am seeing, looking over at perfect route, yeah, like they are pretty far. They have a libc base leak and they have the /bin/sh offsets and everything. They've actually... they are building their ROP chain. So, you know, we saw earlier they're going after the stack, and sure enough it looks like that's their plan. So let's, yeah, let's... at this point.
They seem like they're just debugging their shellcode or their ROP chain, I guess. Everything else seems to work. Yeah, they seem like they could be real close, and I see Samurai over in... and I just still... so that's generally not... it all depends, and we could be... wait till they pull up the script again. But I mean, perfect route, they're also opening IDA here all the time. That's true. Yeah, you flip back and forth, you're right. Yeah, I do wonder why, though, a bit. I also don't know the effects of overwriting program memory. Is that immediately visible? That's like, how many instructions does the CPU execute before, like, caches are... Yep, flushing. Yeah, I would be very worried about weird side effects that happen, because that is, like, not typical program behavior. You're exactly right. Yeah, and so that is one of the things that we debated on, this exact thing was dealing with flushing, and, you know, one way to do that is to... I think if we keep an eye out, and next time they bring it up... Oh, I'm gonna look at Samurai real quick. So Samurai's got a /bin/sh string, a system address. So yeah, I find that as well. Yeah, so I think they're maybe a little bit behind, but, like, honestly, very similar level. But we'll see what their overwrite target is. What to write, that, I think, is even the question. I think whoever gets an overwrite target... To your point, yes, cache flushing is a real issue that they're gonna have to... they may have to contend with, depending on the solution. So I think, though, the way that the script works is, as soon as it closes the file handle and then the, like, there's a retry, I forget exactly what it is, but that will flush the cache. But that is something they're gonna have to worry about. But that's, I guess, also something: if you have a huge NOP slide, you don't care, because at one point the cache, yeah, will be flushed and then suddenly your NOP slide is there. Yeah. Yep.
Yeah, that was one of the advantages of that kind of approach. Which, I mean, when I first heard this challenge described, my assumption was that we would solve it exactly like we're seeing on screen. So I do think it's interesting. Yeah, I didn't think NOP slide either at first. So testing it, testing in GDB. Yeah, this is like... perfect route is still struggling, I think, with parsing the maps. I saw them fiddling around with trying to leak the stack value. Oh no, you have the address wrong, maybe. Yeah, it seems like, yes, maybe, you know, the maps might change because of ASLR, like the order might change, so maybe that breaks there, I don't know exactly. Yeah, honestly, well, it looked like they were a little further ahead than Samurai because of, like, how many, you know, primitives and offsets and everything they kind of looked like they had. I'm not so sure about the stack-based attack, right? Like, that might be a little trickier, and so, yeah, we'll see. This actually could be a chance for Samurai to catch up. So let me look over here at Samurai. It is quite tough. I mean, you know the stack base, but figuring out where exactly your return pointer is to overwrite... I mean, you can kind of spam it with just a huge pop chain, kind of like a ROP... Yep, yep, ret chain or whatever. Yeah, pop ret slide, ret slide. Yeah, oh, ret slide. Yeah. Yeah, but yeah, I think it's very difficult on the stack just because of how much... yeah, to find the right place.
So that could be quite a struggle. I also don't know what kind of mitigation is turned on, you know, the stack offset kind of stuff moving things around. Yeah, I missed the checksec results and I don't remember. Some of the challenges, we specifically tell the teams the exact compile flags that we use, because, again, for a speed LiveCTF kind of event, you want them to go as fast as possible and you're not trying to make them waste time figuring that stuff out. But I don't think we did that in this case, and it may have been because for our particular exploit, you know, it didn't really matter, and so we didn't think about that. And so it might be a little bit harder for teams if they're doing this more targeted attack without, you know, knowing which of those things they can rely on. So we will see. In fact, actually, I wonder if... I mean... I think so. We started a little bit late; normally we would be moving to looking at, like, a sudden death here soon. We've got a few extra minutes, but they're so close. And even looking at Samurai, I also see a stack variable, libc base, and stack. So maybe Samurai's also going for writing something on the stack, to be honest. Okay, so now we've got a file handle. Okay, there we go. So we've got the base for libc, and that may have been... Yeah, they're converging, you're right, I think, on a very similar solution so far. I also saw on... was it Samurai? I'm not sure. Looking at the free hook. So I'm not... FH, __free_hook. So they're thinking about overwriting, you know, going that route, redirecting the code execution, not going over the stack. I think Samurai changed their strategy, trying to use __free_hook, but I'm not sure if it's even called. That's up with the... sorry, yes, I think I said file handle, but you're right, the FH was, if that's free hook... Yeah, I saw them just before, they're back in IDA.
Yeah, at free hook. Interesting. So, is that called always at the end, like when the program exits, or is that only happening when free is really... Only if there was something allocated, I would think, unless libc init does some allocations, in which case maybe... Yeah, I don't know. This is... Oh man, just look at all those, like, pointers up top. There's all sorts of... They tried something else first and they couldn't do it, because maybe of caching, it didn't trigger or something, and they started going for something else. I wonder what the reason was. Oh, actually, okay, so I'm actually back over here on perfect route, and we're seeing a number of interesting gadgets. We've got, like, a pop rdi gadget, we've got a /bin/sh chain. Yeah, this is starting to look... Man, yeah, this is kind of a slog here now. They're just trying to figure out, like, who's gonna get something working first. Open file /proc/self/mem, they are writing now. So I think they are so confident now that the parsing of the maps and the offset and everything is fitting, and I think they feel like they can go for the actual memory write. It's funny, because, I mean, they both, within maybe 30 seconds of each other, both changed their payloads to write to the memory, right? So they were both pulling everything out and now they both just switched to writing. So we'll find out who has, like, the fewest bugs. So looking at perfect route, yeah, still constantly some Python exceptions, still, like... And there's another... perfect route has a problem: their maps parsing just runs for, like, five seconds before they see if the next stage has an error, and that just costs time. Yeah, every time ten seconds, it's just, yeah, that's a good point. Yeah, they could debug this more with GDB locally. Oh, okay, hold on, they're copying out the IP address.
They're trying to... they're getting ready to throw at the remote. They just... Okay, so let's look at... keep it on perfect route here. Yeah, let's keep it on perfect route. I mean, usually, if you're ready to throw remotely, you think you're about done. And again, still looking in IDA. Yeah, what problem are they trying to verify or check? Or, yeah, it's... I think, yeah, I mean, if you switch to remote, you think you're close, right? Like, there's no reason to slow yourself down with a remote unless, I mean, except maybe, I think, in my sense of it, if you did your parsing locally, you want to check, oh, does your maps parsing work remotely as well? Yeah, maybe just a sanity check if, like, they are on the right path. But I mean, they could have done it previously; they are already at the next stage. So, good question. I would have also thought that they are feeling pretty confident now, because they were working on... Yeah, but looking at it, I'm not so sure. It is so funny to me that, just even watching some of the stream, especially when you're kind of going back and forth, it's really hard to get a sense for, like, how far along they are. Like, you think you understand, and then all of a sudden, look, they're done. You're like, wait a minute. Or you think that they're... We saw it yesterday, we were looking at one stream because we had the feeling they were so far ahead and they might be able to pull it off, and suddenly the winner message pops up and we realize, wait, the other team just won. Yeah, yeah, that's exactly it... so quickly. All right, so we did have a glance there briefly of, okay, so Samurai's script: invalid choices. Yeah, so they're still just kind of working with the plumbing of making sure that all of their... And that is the stuff where nerves will get you, right? Like, the little things, like, your parsing of the text, your sending of the data.
Is it a str, isn't it, did I hex-encode that? I'm not... Like, that's the stuff that, like, especially when you're under fire, like... Yeah, yeah. The scripts can get quite ugly, parsing leaked values, parsing the response text and stuff. I mean, pwntools makes it very nice for the general menu work, yeah, which almost all of these have been, right? Like, all of ours, the toughest is like the str... Very straightforward, like, here's some menus, do your thing. Yeah, but then you have something like maps, and then you write your custom ugly Python string splitting, whatever, and then, I don't know, a small thing changes and it throws everything off. So we are coming up on a time where we could consider giving a hint or something, but I don't know if we want to. I mean, I think they... Oh, I think I lost audio. Oh no, sorry, I'm just listening for a second. I was... yeah, I was... so Carl and I were discussing off mic whether we want to give a hint, and if we do give a hint, I think the biggest thing that's basically tripping up both of these players is that they just assumed by default, of course, NX is on. That's why you're seeing the stack overwrite, right? So they didn't even consider just blowing away some code and writing some shellcode directly, because, yeah, I mean, /proc/self/mem is not subject to write protection, right? Like, you can overwrite your program memory, but they might not realize this because they are so used to... Well, it's not even that. It's if, even if you modify it, like, where are you writing, and is the place that you're writing into, like... If you NOP slide through something that's not executable...
You see, like, if you do a big slide and part of it was marked non-X, it would stop it, and so you wouldn't be able to use that reliably and it'd be harder to kind of target your stuff. So maybe you still need maps then to limit your... That's true, that's true. That's true, maps is actually going to give you all your segmentation, so it would give you that. Um, yeah, I mean, but again, like, this approach should be possible. So we... I'm sorry for missing a couple chat messages. Oh yeah, so rachshund is mentioning, imagine if this was ARM with an instruction cache. Yeah, caching, and, like, that, where you have split caches, can be especially annoying. Honestly, if we had done that for LiveCTF, we probably would have built in some cache flush, like, menu option, like literally just something that's like "flush". That would have done it for them. And also the comment they made earlier was that even printf or scanf can do allocations for big inputs, and so free is a pretty good target to go after. So that's a great point: even if the program ostensibly didn't do it, even, you know, just having a bunch of printfs or other things, a scanf might have triggered it. Oh, they were trying to check if the shell works, perfect route. They were just typing ls and it didn't work. Oh, so they're checking if their sol script works now, and it's got to go through... past... Difficult to say. Oh, so they were actually getting a bunch of nulls, so they're returning whatever it said.
Yeah, I just saw a bunch of, like, you know, the "add" whatever disassembly, which means that you've landed on a run of null bytes that your debugger has triggered an exception on. So they're real close, like, they're trying to align things. Looking back over at Samurai too, I mean, hitting the correct offset on the stack is pretty difficult without a ret slide, because, yes, the environment, locally you have all these problems that you have with a regular, like, old-school buffer overflow. Yeah, just, just the username being different, right? You know, a longer or shorter username can throw it off. All that stuff will... It looks like a typo there in the script. Yeah, here we go. Okay, so, yeah, I don't know. I do think perfect route feels a little closer to me, but yeah, they did so at the start for me as well, and then suddenly somewhere I was there... parsing maps as well. So yeah, I know, I mean, it feels that way, I agree, but I got deceived too many times already. Exactly, in only a few matches. Oh, I know, I don't even want to say... It's fun to guess. Okay, so where are we breaking? Are we still in... Oh man. The other thing that's interesting too is that we talked about next year we want to have, like, a pause button, right? So we want to, just on our side, freeze the frame when they're looking at, like, a debugger thing, because it's so hard to keep up with the things that they're looking at, because they're going as fast as possible and they know their tools, they know their layout. I was just talking to Kalle, because when you go and break between the challenges, I, on my stream, had the time to go back, do the freeze, do the analysis, and while I was doing the commentary with Kalle, like, I had no clue what was happening. It all went just too fast.
It really is better then to use the time in between, slowly looking at the solutions, the last moments and so forth, like that analysis makes sense. So my suggestion actually would be not to pause during... I mean that... Oh yeah, more of like a recap. Yeah, yeah, right, like to have analysts coming in in between the matches and looking more precisely at those interesting moments. So that's actually an interesting note. One of the things when we tried this, so I did this, I guess, five years ago, we did a version of LiveCTF kind of at DEF CON finals when it was LegitBS running it, and I messed up the audio, which is what kind of ruined the whole video, unfortunately. But we had four players, much more like pony racing, where we had four of them, and we knew that, like, you know, two people on camera trying to watch four people is impossible. And so what we actually did was we had a dedicated analyst watching every screen, and then we had, like, an IRC chat that the commentators were reading, and so someone would say, hey, team so-and-so is doing such-and-such, or they missed this, or they're making progress on this, or, oh, they're really close, and so we could see their summary and relay it to the stream. But, like, it takes so many people, and even then it's still so hard to, like, catch up, because, like, yeah, not being able to pause and, you know, take a second when they flip to something so you can kind of follow, it's still tough. But that's what I'm doing here. The cool thing about the YouTube chat is that, and I encourage everybody watching to do this as well:
You can pause the YouTube stream, and don't worry about missing something, because then you can continue watching. Set it on 1.5 speed and in no time you've caught up again with the stream. So if there's something interesting happening on stream and you want to look more closely at the code that they are writing or at the disassembly, don't hesitate to pause and then set the speed to 1.5 and catch up with the live stream. That's a really good suggestion. Yeah, I really like that. Or you can even watch at normal speed, and then when we break between matches, just skip forward and go live then too. Yeah, those are both perfect. All right, so we are definitely coming up on longer than we were hoping to run, but they have been struggling very long. They both know the solution; it's really just technical debugging issues, programming issues. So one option is... I think we definitely need to give them a hint. So I'm going to let the production crew figure out a hint for us and propose it, so let the two of them talk it over, because I think they need a hint. My guess is it will be something around... but so part of the problem, though, is, I mean, they know the solution, so it's probably the hint is more about what makes it more reliable. Maybe hinting at the NOP slide or something. That's exactly what I'm thinking about. Yeah, just letting them know that, by the way, like, you don't have to go after the stack, right? Because especially because they're both doing the same thing, right? Do we both see them trying to do something with a stack-based exploit? And that's definitely, I think, harder mode.
If one of them had gotten luckier and not targeted that way, we might have seen a faster solution. But yeah, it's still interesting that both are struggling at this point with the same strategy, which tells me that that strategy is just kind of, like, unreliable or has very unpredictable, weird behaviors which throw off both of them. It's not that, well, one of them is like bad at coding or something and the other person just pulls it off. There's some... they both took the more difficult route, yeah, through the binary. And that's the thing, the only downside... So sometimes when there's a very constrained exploit, there's only one possible way through it they can land, and that actually, even though it's maybe harder, sometimes it's easier, because, you know, every step along the way you know exactly what you're doing. The more options you have, I feel like, yeah, it's like, either you imagine a plane and you know exactly the rings you need to fly through, and the rings are small, but you know if you miss them you crash, but, I mean, you know the path; versus just an open field and you need to find the destination, but, yeah, you don't see the direction really. Yeah, that could be more confusing, because you just feel like, well, I could go anywhere, who knows where it could possibly be. And this one's kind of in between, because at least finding the vulnerability is very, very... Usually, you know, it's built in, it's just a vulnerable service. But the question then is, yeah, but which path do you take to exploit it, because there are, you know, several different ways you could do it. But I find this also a great example of, like, real-world security work. Oftentimes it's easy to find... sometimes, often it's hard to find bugs, but sometimes it's easy to find bugs, but then really exploiting it might be the majority of the time. And here, I mean, time-wise, we have maybe one minute finding the bug, and, you know, how far we are in, we are 45 minutes or
so into trying to write the exploit for it. It's crazy what kind of time is necessary, maybe, to develop something like this. So it looks like we have a hint proposed. I'm gonna take it from the production team here. Let me... I want to see the hint so I can read it to chat. So the hint we're gonna give them is: /proc/self/mem does not care about segment permissions. So we're telling them you can overwrite directly into something that would normally not be writable, right? Yeah, that could be a good tip. I really wonder if that's, like, their mental model. That could be... It, you know, it's interesting. Some of them... Yeah, it's entirely possible they realize that and they just thought this would be an easier, more reliable... And once you go down that path, you kind of feel like you're stuck and do it. Yeah. Okay, go give them that. Give them a hint. We've got a hint coming. So yeah, we're gonna send the hint over, give it to... And we'll give them that hint. We'll see if that helps them. See if that helps them. So I'm seeing perfect route was just debugging their code. I think, if I saw it correctly, they were breaking on system and then checking the first parameter, which was indeed /bin/sh. So stuff seems to work, but also not. I have a hard time figuring out why it's not actually landing. Yeah, that's a good question. So we'll... So I think what we're seeing looks like Samurai is kind of considering the new input and trying to figure out, should they rework? And that was the other question I debated about this hint, because this hint sort of says maybe you could come up with a whole new style of exploit. But is it better to keep trying to finish this one, or is it better to, like, rewrite to a different approach? Yeah, I wonder if that hint influences their... Oh, this... are they done? This might be done. We're looking at perfect route.
They're very close. Let's see. I cannot see what's going wrong, because from the debugger it kind of looked, oh, pretty good, like they print rdi and it's /bin/sh. I mean, they were... Maybe locally it might be working but not remotely. I wonder what's... Well, I think that's what we saw earlier, as we saw them switch into a VM, and they're running as root. So I think they intentionally tried to... I mean, they use hard-coded offsets from libc, which, maybe they have the wrong libc. You know, we did give them libc. So every single binary today, I believe, we gave them a libc, because we wanted them to have, like, even... The only downside is in some of the binaries we really don't think they need it. It's almost a distraction. We don't want them to, like, assume that it's required, but we did give them a libc for all these, if for nothing else so that they could run it, you know, even in their local environments. So let's see if this does it. This just doesn't feel like one that we're going to need sudden death time for, but we are coming up on the time where I think we're officially at sudden death time, because we started about 10 minutes late. But, so, perfect route did have a shell error, like a syntax error, like typically, you know, with /bin/sh you pass in something bad. Yeah, but they're still adjusting their actual ROP chain, which doesn't... Wait, it seems like locally it works, but maybe some offsets are just not right for the remote. Yeah, our decision to call it off now or not... I don't want to... I know, I'm glad I don't have to decide this now. Well, we'll... I think we gotta do it. The good news is I think we expected it. The next two challenges are both... Uh-oh, somebody's pointing at something. Let me double-check here. Uh-oh, we might be close. Perfect route, they're trying to copy off the... Yeah, they're... but they're running remotely. They're running remotely. Okay, okay, okay. Where'd it go? Invalid choice. What happened?
Is this just... oh, that's the worst feeling though, if you've got a thing that runs locally and doesn't remote. Were they just adjusting the stack a little bit, trying? Yeah. Yeah, I wonder if they changed it and then they changed it back. And so I'm wondering if they're actually gonna rerun this with different offsets and just brute force it. I mean, I'm fine with that if that's... I think that's what... offset. Yeah, there it is. Yeah. Yeah. Yeah. That is frustrating when it's... uh, oh no, I think I've got a pop-up on it. Do I click that or not? Don't click on pop-ups. The battery life. Okay. All right. Yes. So unfortunately, how much battery do I have on this machine? 6%, so I'm about to lose my... There it is, there we got a winner. Congratulations. Oh, stressful, so stressful. But that was very, very close, just before cancelling it, but congratulations. Yeah, all right. So that was fantastic. We have a very short timetable. We got to turn this one around. So we're gonna go ahead and... Can you reset it? Let's put it back to the break. Well, so we'll be back shortly as soon as we get the next teams up and try to get back a little bit on schedule with a quicker one. So thanks everybody. We'll see you in just a few minutes. Yeah, bye. Bye. Hello, welcome back to the third match of the day from LiveCTF. I'm back here in the commentary and I still have LiveOverflow with me. We are gonna start the match in just a second if I get an okay from production. This seems to be a slight something going on... Oh, no, is that the HDMI cable? Oh, no, no, no, I think it's fine because I have them both here on the monitor. So it's just like, yes, we just needed to refresh the input in our production software. So we are ready to go.
So let us all count down the third match: five, four, three, two, one, go. Good luck to the contestants. Yeah, so this challenge, yes, the challenge is called n-vulns. And this is kind of like a reference to a sequence of challenges that have been going on for the year called ncuts. But it's a bit of a meme challenge where we have just given them a menu where they can just choose which type of vulnerability they want to use. So we've said in this menu we have a stack buffer overflow, we have a format string vulnerability, we have, um, Locified, we even have some jokes in there. There's like "Missing DMARC records" in the menu and stuff like that as well. So yeah. But when you say meme challenge, you don't mean a fake challenge? No, absolutely not. It's a legit challenge and it has a legit solution. So we can see here on Water Paddler's side, yes, they are running the binary. You can see this menu here. You have the stack buffer overflow, the command injection, you have malloc free use, you have a SQL injection, you have XSS. And so I would definitely check out XSS first. Yeah, I mean that makes perfect sense. Yeah, totally. So there you can see them here doing the checksec, looking at what kind of protections there are here. And you see we have no RELRO, there's no canary, no PIE. So like a lot of mitigations turned off. So you'll see that's important. Yeah, something like this could throw players off. It's important that they check this at the beginning. Definitely, definitely. I must say I like the font that the Water Paddler player is using, and the color theme as well, pretty nice. Is that actually, it looks kind of like compressed horizontally? No, no, no, it's a bit of a squished font.
Yes. Anyway, you can see that they're already writing their... Yeah, they have a rep already, right? Yes. So we are switching to r3kapig and we can see that they're also, you know, starting to write their exploit script here, and they started running the command. They are looking at the stack buffer overflow and trying to get that working. However, they will not get that to work because there's a slight troll in there where the program will call exit after it has performed the buffer overflow. So yes, oh, they just see it now. Yes, they just had the cursor on exit. Hopefully they immediately throw away this idea now. Yes, and don't get caught up on that. So some of the entries in the menu will just print a joke message. Some of the entries are kind of like, you know, it looks like a vulnerability but it's not actually a vulnerability, and there are some entries where you can actually do something useful. Yeah. And how difficult is the exploit? Is it a buffer overflow? Is it a heap thing in the end? Like, which one of these menu items is the one that they should... that they are looking for? So, oh, yeah, so when we were creating this challenge late last night, I can disclose that much, we had different ideas for the solutions. My reference solution involves... so there's a command injection vulnerability, but your command injection is limited to only a very few characters. I think you have like seven characters, and we unset the PATH. So you can't really do the command injection by itself. But that length is controlled by a global variable, and then we also have another vulnerability which is an array out of bounds. So my reference solution was to do an array out of bounds write,
and to modify that to make the command injection longer and then do the command injection. Right, okay. And you think that there are multiple solutions? Because you were saying, like, the way you came up with... Yes, definitely. For example, they have a basically unrestricted format string vulnerability in this as well. So if they want to go that route, they can definitely do that. I don't remember exactly what other things we had, but you can read any file on the system. So you can do that to, like, leak /proc/self/maps. I just saw r3kapig, I think, going for the format string. I saw a %p there. Oh, they are... script code, yeah, switch over to their... Yeah, there's green. Yeah. So they found that one already. Yes. So this could go very quickly if they are good with format strings, and maybe even have automated tools to help them with it. It could go very quickly. Or are there some restrictions on the format string, like the length of the buffer? No, I think the format string one is basically unrestricted. So you're watching... Yeah, they're copying in system. Right offset already. So this could go very quickly. Yes. So what you could do with the format string then is, since we have RELRO disabled, you could go for overwriting the GOT entry of some function with system, and then calling that function through one of the other things. So that's definitely a viable approach. Even though they found the format string now, r3kapig also found what seems to be the command injection. I think this challenge could be a bit evil in the sense that you could easily get sidetracked, because all of them sound like very juicy vulnerabilities. So which one seems to be the most reliable, the one that you can implement the fastest? Yeah, yeah, it could be quite tricky. Definitely.
Maybe we should have classified this as, like, triaging as the category or something, because, you know, you really need to make a judgment call on these vulnerabilities: is this exploitable or not? But generally I think it's a good choice. Format string is awesome to leak addresses and offsets. But writing a format string exploit, writing with it, can be a bit finicky. Yes, definitely. So I think often CTF players like format strings for leaking stuff, but then use a different vulnerability to use the leak. So maybe that's why they were back in IDA looking for maybe now something to use the leak they have. Because they could have now continued on the format string, but instead they got sidetracked now with the command injection, probably because they were maybe looking for, yeah, something else now. Definitely. I wonder if that was the right decision, because with the format string they could solve it. So they decided, no, let's abandon this, let's look at something else. Yeah, it looks like they're looking at the command injection and looking at how this is structured and seeing how this works. So maybe they're onto something, they see this global variable called injection size. So we are switching over to Water Paddler. We can see what they are up to. They have been doing straces of the program to just figure out what it's doing. Or it looks like they just tested all the entries in there. They're kind of doing a little fuzzing almost, which I think is a really cool approach as well. Yeah, I guess with strace, especially if you have the vulnerable functions kind of represented, you know, the printf of a format string, the free maybe, and things like this. So you could very easily with strace just count the vulnerabilities dynamically without doing reverse engineering, right?
So it could be an okay approach also for the command injection, seeing exactly what is called. You might notice exactly as well. We should maybe clarify that for viewers if you are not familiar: so strace is a program that will log all the syscalls that your program is performing. So reads, writes, you know, execution of programs and so on will be logged by the strace command. So it's a way to see how your program is interacting with the rest of the system in a very easy way. We can see here on the r3kapig side, as we said, they commented it out. Yeah. What is command three now? So they go from menu item three. What was that again? That was the command injection. Oh, that was the command injection. Okay. So they feel like that's the way to go now, right? Let's see, in the ls, is that enough characters? I guess that would fit probably. Let's see. No, that's because the thing is that you're inside double quotes. So you need to do either double quote semicolon, or backticks for a subshell. So both of those kinds of operations will cost you two characters. So you only really have five characters for your payload. Yeah, okay. That's not enough here. No. And we unset the PATH, so you cannot just do backticks and sh, for example, because you need to do /bin/sh or something like this. I saw on Water Paddler's side they were also going for the command injection. They were also setting up some functions for the command injection. Right, they are looking at the command injection. I mean, that command injection does really look very juicy. Like, you're sitting there wishing, what if this variable was just a little bit bigger, and this would be so easy, right? Yeah. But they are highlighting it. So they see that size, they see:
okay, the size is taken from somewhere. I hope they make this mental step forward to: oh, I can use another vulnerability to change that size. Yes, if they... Yes, we also considered the possibility of doing `./s* 1`, but that's also one character too many for them to run. So this seven is very carefully chosen. No, just... oh, do you see what they are trying here? `cp * x`. Oh, that's interesting. But it will not work because that binary is a setuid binary. So if you copy it, even if that works, which I'm not sure, but even if you copy it, it will lose the setuid properties and it will not work. But the challenge itself is not the setuid, the actual submitter code? Yes, exactly, because the submitter program will read it. It's a setuid binary. It will read a config file in the same directory to be able to contact our winner server. That's unfortunate because, to be fair, to defend the player here, let's say in a typical setup that the target binary you exploit is the one that gives you the elevated privileges and you perform certain actions. Yeah, so in some sense they are able to do the privileged action. But yeah, that's a bit tricky with the submitter program. Do the players know that it's setuid? Because I don't know. They don't know that, but the instructions are clearly saying you need to run this specific command to win. So it's a very literal interpretation of that. That applies, fair enough. Yeah. So it's a very clever idea for sure, because when you have restricted shell stuff, it's sometimes really crazy what kind of creative ideas they can come up with, and copying, this copy command, something I like. You know, my brain was brainstorming: could I do something with just five characters, you know, writing files slowly, a script slowly or something like that, by appending or something. But yeah, no, I love it.
I love the idea. Unfortunately, it will not work. But it's like, you know, you need to try it, right? We can see here on r3kapig, they are setting up some debugging in their script. They were taking another option again, option two, which is the format string. So they did put that back into their script again. I guess they must have realized the length check, maybe, and so they maybe come back to the format string, maybe to change that, because they still have, yeah... At least they're back on the format string. Maybe they go for a full format string exploit, or they know the command injection length, right? Let's see. I have not seen any of them look at the out of bounds read and write yet, which is interesting because that was the one I used in my reference solution for this. Yeah, and usually that's a pretty powerful primitive, because I don't know exactly what it's doing here, but generally if it's really a fully array out of bounds, it might as well be just a write anything anywhere, which is a powerful primitive. Is it that powerful, or does it have some restrictions? Yes, it's really great, and it also defeats, you know, ASLR, since it's relative. So it's just straight up: we have a global variable that's an array and you can just choose any index on that array and choose any value. That's the vulnerability. Okay, so yeah, that's the most powerful and easiest primitive, and then together with the format string even ASLR is not a problem, though players know very well how to leak a value through the format string and defeat ASLR.
So even that wouldn't be a problem if they want to go for, let's see, or something. So I want to point out here that we see a %n character in the format string script, which means that they are trying to write something to some pointer, and you see right after that you saw a pointer as well. So it really looks like they are trying to write something, and now they are... Yeah. Can you tell from the offsets that they're trying to write here, the amount of characters, what that could be, what they tried to target? Uh, yeah. So I mean, the way this works with %n is you need the address of your destination to be located on the stack so that you can reference it with the %n thing, and that's why you're... oh, we have a winner. They did it. Who won? I think it was r3kapig. They did it. Yeah, there's r3kapig. They went with the format string thing. So a really great job there. And they did that. So it was a format string overwriting the GOT, and then running the binary, if I understood that correctly. Oh, that was quick, getting these offsets. Yeah, I need to check back at the script. Yeah. Yeah. So, oh, the camera resets onto a wide shot. Well, let's fix that later. But anyway, this was this match. We will go to an intermission. LiveOverflow, will you do your intermission on your stream as well? Yeah, I mean, I'm live on Twitch, LiveOverflow, and I will have a look at the great photo finish here. Awesome. So head over to twitch.tv/liveoverflow, right, and hang out there. We're going to an intermission, our next match will start in about half an hour. So hello and welcome back to another LiveCTF.
I am Cypher Techs here and I'm joined by Lightning. Welcome. So Lightning, you've been... you're a part of Nautilus Institute. So I think different people are in different stages of chaos right now. But you had a challenge that was fielded yesterday and so you're kind of relaxed now, right? So you decided to come hang out with us. We're happy to have you. And you've been doing challenges for many years too, because you were also a part of Legit. Yes, right? So old hat. Back, yeah, we were on the same team together for many years, it goes to Chukka. So we've known each other for a long time. And I think I would say, I always tell people, you're known for making the most painful challenges possible. You love it. It's not a bad thing. It's just your flavor of challenges, like super, super hard, the top tier difficulty. Had some great ones over the years. In fact, you were responsible for a special architecture one year at DEF CON as well. Yes, and I told you, pure pain, right? Like the teams had to figure out and do all that stuff. We'll talk more later as we've got time. We're going to get the teams going now first. So teams, we're going ahead and counting you in. You ready? Five, four, three, two, one, go. So the teams are going to be downloading their binaries here and we'll watch them get up to speed. This challenge is called Quick Cast. Yeah, so the angle is a little low on our monitor. It's kind of dim, so we have to kind of squint for some of these. We've got it. So I was gonna look. Oh, we do have a Binja user. Okay. Good. There's another Binja. We had a Binja user who won this morning and was excited. And we've got an IDA user over here. Binja way back, under CTF. Yeah, I've not used Binja since then. I've not been in the position to actually have any of it. Yeah. Yeah. You've been doing other kinds of tasking.
Yeah, so Binja just started as a CTF tool, built actually, I don't really, for this. Yeah, a lot of specs. So in fact, the challenge author Rusty, who is the challenge author of this particular challenge, who also wrote the old CTF binary engine, is one of the main Binja devs. So this particular binary is called Quick Cast, and we told the teams it's just a pwnable. But I did have something pointed out to me that I didn't even notice right away, because the challenge is magic themed. It's like, I think there's a RuneScape or one of these kinds of online games, but it's also the name is Quick Cast. If you were to take that as a hint for the type of challenge, do you have any... like, what type of vulnerabilities might be related to either of those words? So my initial thought is potential C++ or casting; if not that, you also have the casting between different types. Yes, more than likely an object confusion as a potential, the idea of C++. So it's not C++, only because we have to keep the time limits short, right? So we're trying to minimize the time. And we're already seeing teams kind of make their way. Yeah, this is definitely funny because we're going to watch them go back and forth. But yeah, I mean, we basically told them the vuln in the name of it: it is a type confusion vulnerability. And so we're going to see them. This is again, we're going for real simple, straightforward kinds of vulnerabilities and we're going to watch them. This will be interesting because we're going to try to see who can find the type confusion first. But it's pretty obvious because there's literally a type of value, number and text, you know, in the menu choice there, so you can literally see it. It's asking them. And of course, do we see a checksec? Yep.
We saw a checksec as well on, excuse me, on Katzebin, right? What have I got to make sure I'm... Yes, nope. No, Katzebin is over on your side. There we go. I was going to give him Straw Hat. So Katzebin and Straw Hat. All right. So checksec, which we've seen several other competitors do as well. I'm not sure why someone's blowing an air horn. Oh, there we go. Yeah, see, that's nice. You can see them kind of interacting with it over here, so they've actually got the servers, what it looks like. So I think it's pretty obvious too, right? We don't make them spend an hour looking for the bug and then several hours exploiting it. We have to keep the whole thing down fast, you know. So they're tiny binaries where the only thing you can do is basically the bug, for a lot of these. So it's interesting how different people go after challenges. Yeah, I mean, some of them start a challenge and see what type of inputs wind up first and start getting... other ones dive into the middle of the binary. Other ones look for specific functions being used first, find all the strcpys or memcpys. Yeah. Yeah. And there is no one right way, there's no right way to do it all. Yeah, that will always guarantee finding the bug. It in some ways turns into a guessing game as to which one you think gives you the most benefit. And, you know, sometimes it changes on the challenge author or the type of challenge. Yeah, and this is one where you could probably have run it and instantly known the bug. Yeah, because it asks you for this. Yeah, so a challenge like this, where a lot of challenge authors name their challenges based on some form of hint, for example I did that with kazad for the door fight code bugger years ago.
Yeah, so, you know, this one has a cast hint in the name. I probably started at the beginning because I'm not going to go looking for common functions or printfs. Yep. So that leads into: I need to understand what's in the beginning, for what type of casting or data manipulation is handling, and probably at least run the binary, at least want to see what it is wanting for input. Is it pure text? Is it pure binary data or similar? And in this case, because it is so straightforward, the second you run it and you see "type of text or string", I think it definitely kind of would confirm that guess, that intuition, in terms of what it is. So we do have over here actual solve scripts on both sides. That's great. Doing solve scripts already. And we have seen, I think we've only had one competitor so far that didn't use pwntools. So everyone else clearly, which is not a surprise, pwntools is clearly the tool of choice. So, interestingly enough, I've never actually used pwntools. Now do you think that's because you haven't been writing exploits? Because most of when you were doing exploitation was further back. And I was writing exploits before pwntools was even around or common. Yeah, so I never got in the habit. I actually have a common exploit script. In fact, it still has a comment in there about the show, because it was ripped off of, was it iron bonds or something like that? Oh, I'm buzzing. Yeah, I'm buzzing, a shellcode. That was good. So every time I write an exploit script, yeah, that's still in there because I copy from the same thing every time. Yeah, I believe that was a shellcode payload. They traded it for points, as there was a joke category of "bribe the organizers" in Ghost in the Shellcode years ago, and they traded shellcode. It was really good shellcode. Like, you know, I'm still using it on 64-bit systems. That's really funny.
Yeah, that was fantastic. Yeah, because I think it was like 32/64 compatible in a very short range there. Okay. So we're definitely exercising the vulnerability, right, if we actually watch... In, I think, both are... They're both tricky. Yeah, I mean, they're both just kind of triggering back and forth. It's going to be interesting. So, like, okay, walk me through now: if you're given these exploit primitives, right, you're given a type confusion between an integer and a text variable, what would you... how would you use that to start building an actual exploit? The first thing I'd actually check, especially on a simple binary like this, I'd actually check and see if the stack is executable. It's not common anymore, but that's still something that can be turned on. Yeah, and we have in several of these challenges. So you're right, that's a good one to check. If that is there, then there's a lot of very easy, effectively rep the stack and just go. We did get a question in chat. Somebody was asking for your Twitter handle. We forgot to publish that, so we should make sure we get your Twitter handle updated. I believe it's Manic Lightning. I have to look it up though. Yeah, I used it; it's been a while. Or you don't even have to do that if you have something that you want to be known as for a Twitter handle, we can update that. But no worries either way: manic_lightning. Okay, there we go. Do you guys see that? manic_lightning is our Twitter handle. All right. So yeah, again, this is just to see basically which one of these teams now can turn this kind of obvious primitive of this type confusion into a working bug. And this is actually one that I haven't seen... I know we have a solve script we've tested with it. I actually haven't seen the exact payload, but if we... oh, here we go.
This is a nice look there, and we've got, yeah, 256 bytes they're going to get in when it's a string. So we're looking for GOT entries to overwrite. Yep. So which one do we want to... here they do something very similar to how I tend to do exploitation, in that they're starting to get some of the payload together and throw it into a debugger. Yeah, yeah, to make sure, validate what you've done so far. I'm on my tracking process before everybody puts a shellcode in and then wonders after what went wrong. Yeah, I started debugging partway through the shellcode itself. We talked a little bit in the last round: there's a lot of people that will just write a complete exploit, never touching a debugger, and then only use it if they need to at the very end. And other people who use the debugger as a part of the learning process and in validation while they're doing it. And yeah, I do more the same as you do as well, and it's usually because I'm dealing with the harder, more complex things. So yeah, you can write the whole shellcode, but one typo and everything falls apart and you don't know why. Yeah, and so you want to do incremental steps, where each is verified and you're sure kind of as you go along. With these simpler ones you probably could get away with a full write and go. Certainly, there are definitely people that do that, all the guys. Yeah, but that's the thing: if it doesn't, then you've got to back it up. If you've tested smaller bits, it's less. People like Rusty, that write assembly, that write binary with pure hex, the shellcode goes straight in from the top of their head, right, exactly. So he tends to not use a debugger very much. No, he has used a hex editor. Yeah, that is his pwn script. All right, so we are actually starting to see a couple of kind of handlers here. So the Straw Hat... wait, am I... my turn? I keep getting me back around, too tired. Straw Hat and Katzebin.
Yes, Straw Hat and Katzebin. Help me remember this, chat. Chat won't make fun of me if I get it wrong, so I get it right. So Straw Hat is again starting to build those helpers. And so we're seeing a prompt, the set number and show string. So this is going to let them interact with these primitives. All right, so what do we do? We've got libc addresses. We've got a PIE offset. So we're calculating the PIE shift, and they're going to do libc start. So are they leaking... they're leaking a libc start, it looks like. So they're going to set the number to the offset for libc, then they're going to show what that value is. But they're just going to do this interactively, right? So they're not actually saving it into a variable, it looks like. And yeah, where are we here? They're already working on the leak right now. Yeah, I mean, it looks like it. I'm seeing they've got some decimal. Yeah, the guy on the bottom. Yeah, I'm not exactly sure which value they're leaking, probably libc though. It's the common thing to go after because they need to do a straight system call. Yeah, actually, you know, that's a good question. I don't remember which flags we compiled this with, if this is ASLR'd or if it's... So that would definitely... I mean, although we did see teams run checksec, right, because again the first thing they want to do is not make any assumptions. Yeah, see what that actually does. If it doesn't have ASLR, that actually makes your shell a lot easier. Especially on small ones like this, it takes you all of two seconds to run checksec. Yeah, it might save you several minutes. I mean, which again, with these primitives you could certainly solve it either way, right? There's no question. You could, it's all with ways. It's a matter of you're in a race. So a couple back, it may actually save you a lot of time. Yeah, exactly.
So all right, the value is our stuff. Okay, so now we're opening up a libc. Someone is looking at... they're dumping symbols from libc. They're looking for libc start, probably. Sure enough, yep. And so Straw Hat has pulled out the libc start. They've got their libc base. You know, actually, I was just remembering, I think, weren't you one of the spotters when we did the other live CTF at DEF CON a couple of years ago, where we had people watching? Yes, I was. I thought, yeah, I just realized that I remember you were, because I was describing in the last chat how we had analysts specifically watching. Because it's hard to switch back and forth. Yeah, I was watching, and annoying, what was frustrating is that the guy I was watching had fully working shellcode trying to call /bin/sh for like 10 minutes. However, because it's run on Android, it's supposed to use /system/bin/sh. I forgot about that one. That's right. Like, the one I was watching had it fully working, and at that time 10 minutes trying to debug it until someone else got it and someone beat him to the final little bit. It was so devastating. That's painful. Yeah, that is hard. And we've seen a couple of people, in fact we actually saw that earlier with a Samurai player here: had a working exploit but didn't know it was working because they were breaking before a flush was called. There was memory being overwritten and they were breaking in the debugger, and like, oh, it's not working, clearly I need to change my exploit. They literally just needed to set the breakpoint after the flush and they would have seen that it was succeeding. So, well, that's the other fun part. A lot of programs work with networking and stuff, and it's very easy to forget about a flush. Yep, and have code work locally and not work remote.
Yep. Oh yeah, the "works on my machine" versus "you can't throw it"... That's a painful one, whatever the reason is: offsets are different. Is it failing because I screwed something up, or is it failing because they altered the binary? Yeah, yeah. Or it's just a different libc or something, or we forgot flush. Can be horrible. Yeah, that was bad. In this case we did do the flush; it's just the breakpoint was set beforehand. So let's keep an eye on it. So we're still over here on... Looks like they're still working on the leak over here. So okay, I think it looks like they're actually ahead. Yeah, current observation: I think Straw Hat has a working leak. And I have to be of course impartial, even though we have a Binja user, even though we have a Binja user, I am officially impartial. Yep. And yeah, we didn't build all sorts of terrible tool-breaking bugs into these. We just wanted these to be simple, straightforward challenges. So there was a debate about how much we wanted to put nasty things into it, and there's basically nothing that's tricky. Oh, you've got a "hi mom" in chat. Find all this father... All right, welcome. Wait, I don't have videos out on... that's right. Yeah, I don't know if my family's tuned in yet or not. They've got a lot of you to recap if they catch up. All right, so the leak was happening over here. I feel like it's really interesting; this happened a couple of matches ago where they kind of just slowed up. They hit this point where they've got all the primitives, they've got all the pieces, and then they're just working through issues, like what's the gotcha, what's going to block them?
And we'll see. And now the other thing we were trying to remember too is, if we want to give hints we're going to do it earlier. So let's look at the production desk and let them... Whatever the value is, they're calculating their offset for where the write is over here. Okay, so they already know the overwrite target and they're going to change that. Let's see, where do we... Environment offset, interesting. Huh, I don't know what they're doing with that one. So actually they're leaking something about an environment offset. Straw Hat, I don't know. It's an easy way to adjust for remote. Yeah, maybe a habit. That's true, verify; that's not a bad idea, that makes sense, just to make sure there's nothing else. Yeah, and that's the easy thing to do habit-wise, especially when you have multiple different libcs. I've done that in my own shellcode where you want things to adjust, knowing that you may have a newer version of libc, it's just a dot version, or even just run it and dump it. You don't have to do anything with it necessarily, and that way if you see it's changed, you know; you don't have to put the effort in to make it account for it right off the bat. Yep, but you're good. Validated their write, hit the strlen like they wanted. Okay, so if we're close to an overwrite, that's a good sign, although we are over in a VM on Straw Hat. So Straw Hat's actually pulled up the challenge in a VM, so they're trying to match the... and actually I do see they're also running in Ubuntu 22.04. I don't know if they just defaulted to that, or if they saw others on the stream where we did specifically mention that that tends to be what we use. I think my current VM is 22.04.
Yeah, just a newer version. So they're wanting to make sure that they've got it running in a debugger, running the challenge. And this actually may be one of the first ones in a while that they weren't using pwntools. Oh no, this is using pwntools. They just got it popping up in a new terminal separately. But yeah, that's another thing. So here's the reason why you should use pwntools if you're not in the habit: being able to write your payload and write your script, but then actually just say "break here", right, and get a debugger at that point in the progress and not have to put in a sleep or some other... You know the last time I actually competed? A little while ago, I would imagine. The very first year of LegitBS. Okay, so that's right before I joined them. That's right. Because yeah, we played on the same team that year, didn't we? Yeah, that's right. The last time I played with you. That's right. Oh man, so that was like 10 years ago basically. Just about nine or ten? Four, five... Because LegitBS ran for five years and then four of Order of the Overflow. I don't know, maybe eight. Yeah, it'd be eight, because the very first year I was competing they weren't actually running. Yeah, that's right. Well, I need to say I brought a lot of fun for you guys to have fun with. Yes, that's fun for you. Oh, the memories. Actually, thankfully I don't think I worked on that one. I don't remember who solved that one, but it wasn't me. You guys actually got screwed up with that one. Yeah, we may not have. Rusty, Rusty got screwed up with that one. Yeah, it was something that blocked it. All right, so oh, here we go. Okay, so now we're starting a write over here on Straw Hat. So Straw Hat's actually got a set string now, right? So they've got their leaks all figured out.
They're pulling out the offsets, but now they're just starting their write. They're going to use the set string to change the value in memory. So let's compare. So they're already doing the write with the location of strlen that's going to be overwritten. I do like that. By the way, this is great because they are going for the "just write the payload" approach. Yep, right. So we're seeing Cuspin is like "just write the payload", and Straw Hat's got the helper function and the utilities. You get your three X's as a test, so do an overwrite and see if the X's show up. Oh, this is good. So they're both right now really close. They're both working on their overwrite, and once it's done they will... yeah, I couldn't pick at this point. This is really close. We're back into IDA. So what are we looking for? We've got GDB up, we've got our breakpoints. I think they're getting... unless I'm mistaken, I think they're getting ready to start putting shellcode in. Well, are they just going to go to like call system? They might not even need any actual shellcode if they're going to overwrite like a system pointer; we might just get a shell. I'm curious, they have some other values up top. I didn't catch which ones they are pointing to. Yeah, so I don't know if they're jumping straight to a function; I don't know what it would be at the moment. All right, we're back into IDA over here, looking at the overwrite. All right.
Yeah, I mean they know what to do. I don't know that they need any hints at this point. I think we're just watching them put the final polish on it here. It's going to be whoever it is as soon as somebody has a... All right, that's just hanging now. You know, that might actually be one of the issues with the framework, hanging on the read. Well, that's what I was going to say: one of the problems with not doing a sort of helper function thing is that it's easy to mess up like a read, a newline, or, you know, you're off on your input line. So we might be seeing the downside of that approach. I think they got that payload faster, and if it works it'll be quicker, but it's more likely to have bugs. But we're still neck and neck at this point. Yeah. They have the leak, they know the offsets, I think they both know the address they want to target and the value they want to put; they're just trying to finish it out and get this right. And that determines who moves on to the round of eight. So this is the last match in round one. We've got 16 teams. We've already identified the top seven that are going to move on, and then one more; this will be the last one. We're actually going to take a little bit of a break in the stream, so we're going to leave the intermission up after this one a little longer and let us recuperate after a long time. And we'll put up the rest of the schedule for the teams that are here so they know when they're going to go, and we'll line up the challenges for the rest of the day. From there on out we have just four more matches this afternoon that'll take us all the way down to a top four. So we're going to go from 16 yesterday to just four coming in tomorrow. All right, good. I was half afraid somebody would land it really quickly.
I was kind of talking about the logistics, but I'm seeing they're debugging their hang on the reads. They're debugging here on a stack... Is it the write or that? Yeah, they've set a breakpoint. Yeah, this is definitely the thing that I also never really used pwntools for and got into the routine of being able to easily debug it. It was always much more painful for me to debug a half-working system. Interesting, considering that I started this type of work 11 years ago, the number of tools that have come out, especially after Cyber Grand Challenge. Yeah, there was such an advancement in the type of tools for this type of work, like automated... Well, I mean, the number of ROP-finding tools alone; we've seen a couple of teams working with them before. Yeah, my favorite for a long time, my favorite ROP-finding thing, was grep and objdump, and that was all I ever did. Then ROPgadget came out. Yep. Now I learned several more over the last day as well. Now I'm sure there's more that I haven't heard of because I haven't kept up on them. Yeah, well, this is why something like this is a lot of fun, because you get to see what the teams are using, what the best people currently have, the tools in their tool bag. Now, are we opening up libc? No, we should just open up another tab. Oh, all right, so we're going to libc. We're looking over here, opened too. That's really interesting; they're both opening up libc at the same time. So is it because they're looking for the relative offset between a pointer that they've leaked and system or something like that? Yeah, let's keep an eye and see if we can catch them looking at that, or are they just... Actually, it looks here like we might be just looking at the stack. Yeah, so we're looking at some stack addresses. Do we find it? Is this a function pointer?
There's an offset. That's not where you're looking; that's just going to exit out. There we go. Look at the base address. Yeah, there's no... I don't think there's a hint we can give them at this point. I think they both know exactly what to do. Yeah, we're just waiting for the first one to finish it. I mean, time-wise we're 30 minutes in, so very much within expected ranges. We're not in a rush or freaking out. I think the second one of them gets that write, I think we're about done. Yeah, just one reliable write is all it's going to take. Yeah, we have to be careful too, because this is the kind of situation where they're both neck and neck, both just a little bit away, and if you're looking at the wrong one when it happens... So having each of us here really helps to make sure that nothing slips by us. Oh, here we go. So we've got a function called write address. Is it working? They're not typing like they're real confident here. But we've actually got a function called write. So at this point, when you start getting this close to it, you start having to revalidate all your assumptions. Do I have all the right offsets? Am I doing the right math calculations? Did I swap two variables around so I subtracted in the wrong order? Try to make sure not to get any of that wrong. I mean, even I tend to slow down, yeah, at the end of the shellcode. Yeah, this is true. I know I kind of stumble on what the last step is. Yeah, it's an extra little bit of math required. Okay, so we're getting a string. Okay, so we've got a /bin/sh string pointer. This is looking real close. How are we... they have the hex of strlen in libc. What's this? Oh, so they're going to overwrite strlen to the... yeah, I would say they have the strlen of libc also. Yeah, all right. We've got a /bin/sh.
We've got our system, and now it's time to do the write. ROPgadget, there we go. So here's another one of the ROP-finding tools. They're going to scan it, dump it all out, and let's see what they're going to get. So I think they're looking for pivots, because if they've got... Yeah, my guess is they're going to look for a stack pivot. Right, so if they got a stack pivot to move... Yeah, what was it, pop rdi; ret, I think. Yeah, pop rdi; ret, second. Or is it one of the things I mentioned at the beginning? It's a simple challenge like this; going straight for the stack is the easiest way to go. You aren't dealing with the other complexities. So the write of the pop rdi to the stack, and then they're going to write the stack. Oh no, yeah, so that's just going to get them... This could be it. Okay, so if this is correct, we have a working exploit if there are no bugs in any of this math. So let's find out. Let's keep an eye on Straw Hat, and here it is. This is their local attempt, so they're still not hitting the server. So we'll find out if there's anything else over there, but we call this still debugging, or they're switching to... Are they going to make a ret slide or something? They've got a ret. I can't tell, I can't see enough of the screen. Yeah, it's a bad angle for you. So right now they're working with their pop rdi gadget, they're working with a pointer to /bin/sh, they're working with their system gadget, and they're using their write primitive to overwrite the stack directly. There we go. Okay, so they got a shell. So now they're going to switch it over; they're going to run it on the remote server. Here it is. That should do it if this works on... Yeah, so they're going to add that last little bit. Here it is.
Okay, double check, make sure they're not close to where they're going to miss it over there, but I think we're about to... They're still doing the debugging over here on their write and overwrite. I think this is it. Yep, okay. All right, let's get ready. Very well done. Yep, put the remote connection in. Let's see, as long as this works remotely. Uh-oh. Oh no, we talked about this earlier: the feeling when your remote payload doesn't work so well on the remote. Yeah, so they're going to double check the leaks, double check the environment variables, figure out... Yeah, so it definitely does look like that environment may have been important. I don't remember if, when they dumped the environment, they actually used that in any other calculations, so they might now need to go back and fix up. Let's see if they use the environment. Now it's interesting though, because again we're using Docker in a 22.04; it should be pretty similar. The environment shifts the stack information around too. Yeah, so if you start messing with environment variables or using them as an offset, that's right, it can screw you up. In fact, I remember the poor man's defense back in the day used to be you would make a really, really big environment variable, just to throw off people's stupid hard-coded stacks. So yeah, it looks like we do still have a little bit of work. So that leaves the door open; it is certainly still possible at this point for Cuspin to come back. All right, come on, Binja users, let's go. And they have all the pieces over there. Yeah, I think they're still working on the write, and the write still not... yeah, the location. Now, are they writing this... Here's the difference though: if they're not writing to the stack, they may actually avoid some of the environment shifts, right?
So it's nearly possible, even though they're behind now, if they write to something else, if they're able to figure out a way to get a write that doesn't require essentially a stack pivot. But they would have to either get a different gadget or, more than likely, because they're doing the strlen over here, the idea is to do a pop rsp, right, so that the stack becomes your buffer. Yeah, that could remove all the environment variable calculation issues. Yeah, that's a good point. Yeah, that's a safer pivot. So if they can pull that off, I agree, I think you're right, I think that's going to let them avoid some of the environmental flakiness that we're seeing over here. So oh man, we might have it closer than we thought. That system libc I saw, yeah, point in the editor, system libc, because then you write a buffer for your command and call system on it, because you replace strlen with system. Yep, or replace strlen with system. What is... oh man, some of these colors are hard to see on the screen, to comment out stuff. Okay, so we're about to see a "for i in range", so I suspect we're about to see a brute force coming in here, which is also very valid in a live CTF environment, right? Like, oh, I don't know what my offset is because the username is a different length or whatever it actually is that's throwing it off. They're writing their shellcode right now. It looks like an overwrite of strlen. Oh man, system, and they just pass /bin/sh straight into the buffer. So we're back neck and neck again, honestly. This could easily go either way.
This is really close. So yeah, we've got a brute force going over here from Straw Hat. They're working on just figuring out the offset between their exploit that runs locally but doesn't remotely, because the environment may be slightly different and the way that they're doing the stack. And Cuspin has done the overwrite of strlen with system and then passes /bin/sh directly; you just call system on it. Okay, yeah, if they're avoiding the pivot they just call system on their buffer. Yeah, absolutely. I like that; that's a much cleaner exploit. I think that's a much better idea, but... oh, which one? This is fantastic. Okay, yeah, they're both real close here. I think I've gone back to... What's that? They're trying to fix their Python typos. Oh no. And that's the other thing, again, just as a reminder for all of you looking at home... Oh, here we go. Sorry, we had a couple of chat questions. Yeah, we're able to watch both of the teams at the same time. Yep, so the stream is switching back and forth between which one is kind of the main one. We have some separate monitors here that are mirroring each team's display directly so we can watch both, and our production... We have a couple of folks at the production desk that are also keeping an eye on things, and so sometimes they'll listen to us, or if they see something interesting they'll just put it up to make sure we don't miss something good for y'all. One of the things I was actually making a note of for next year: we should do a multi-camera YouTube stream approach. You can actually do multi-camera; we could upload our audio to all of it, but then you could switch and choose whose screen you're watching directly, which I think would be super neat, to let people choose between them. So that'll be something for next time. We're still... so yeah, we're
still seeing this brute force attack. Actually, they've removed the brute force attack. So did they... I didn't notice if they actually calculated the offset based on that. It looks like they're putting it back together. Okay. Uh-oh, the prompt; they forgot the prompt line at the end. I'm a little surprised they're setting up a debugger at the top of this. I'm not actually sure why they're breaking this early. Yeah, so I don't think they've actually tried to send it remotely, so I'm not sure what they're validating over here. I think they need their prompt. Command? No, no, I think it's just the prompt. Oh, they were breaking earlier. Yeah, they missed that whole bunch. Okay, here we go. Tweaking offsets, tweaking offsets, trying to get it to work. Here it is, here it is, here it is. They double check the number. Double check the number. Congratulations, Straw Hat won! Very good, very good. Awesome. So well done, well done, Straw Hat, that was a great match. Thank you very much, Lightning, for hanging out. Thank you, I had a great time. Look forward to seeing everybody else. Like I said, we're going to leave the stream up and going, but we're going to take a little bit longer break between matches. We'll be back in about an hour and 10 minutes for our next match, and we'll see y'all then. Have a good day. Cheers.

Hello and welcome back to Live CTF. You're back with the original crew this time: Cypher, Dexter, Jordan, and hi, Carl, Zeta too. So we have more challenges ahead. We are done with round one; we're in round two. Right away, let's just go ahead and kick it off and let our teams go behind us. We have the organizers and we have team Starbugs. So let's do it: five, four, three, two, one, go. So the round is live, and now everybody's an expert; everyone in these rounds has won one of these rounds. They know what the infrastructure is. Wow, that's like the fastest
decompilation I've seen so far, from Starbugs there. Right, so we have... Yes, it seems like we'll have a capture problem with Starbugs on the feed, so we're going to go over to organizers and we'll have production reset the capture card in the meantime. No big deal. So we can see here them using IDA as well, looking into the binary. I will say I'm glad they've got different themes; we've got a light theme and a dark theme, which actually makes it really easy to see the difference. So all right, thank you for the work, production. We are back live with capture; we can see both of them now. So this challenge is called Storytime, right? Story time, right? This is the story... I saw it, tell me your story. So I'm thinking that's the challenge, but I kind of want to look at it again, make sure we don't start talking about the wrong one. I have nightmares that we start talking about the wrong challenge. Yeah, certainly. Okay, so this is Storytime, although I have not seen this version of Storytime. I worked on an earlier version, but I know that we've been iterating on these challenges and I haven't seen this particular iteration of it. I know it actually got simplified a little bit, and we'll see what teams are doing, although I did notice somebody looked like they were running it on macOS directly. I thought they ran xattr to make it actually executable and then they ran it, but this was still just a Linux binary, I thought, right? Yeah, okay. So I kind of thought I was missing something. I'm not sure; maybe they were in SSH, in the terminal or something like this. Yeah. Let's jump over to Starbugs and see again, with the light theme, also doing some decompilation. They're looking at this function that looked a little bit difficult to understand. You said you created the original version of this and then we did a remix of it.
Yeah, this was... well, actually, I would say I worked on the one two versions ago. So this was probably the challenge I worked on the most originally, and it was a little bit too convoluted, so we've iterated it a couple of times. And I see there we already have a controlled function pointer. That was fast. I would love for this to be a fast one. I mean, they were certainly running the debugger; I saw them run, you know, a breakpoint at the call instruction. It was calling a register and I think I saw control of the register value. So we have some shellcode written. I mean, this could be really fast if this is going like this. I'm down, I'm here. Like I've always said, look, if every round is five minutes long, then we made them too easy, but a couple that are just pure pwn, pure speed, yeah. Also, as long as there are no auto-pwn scripts; we haven't seen anybody one-click solve something. That would be embarrassing as an organizer. You could see Starbugs there; you had the mitigations of the binary. Well, they're looking at win right now, too. There's a function called win, look, right. So this one has the built-in win. This might be very, very quick. What could I see, that top line on theirs? What is that right there, the long line? The long lines of shell... that's shellcode. Okay, and then you have some kind of long sequences of some characters, then sending one command and then this payload. They are trying to run this; it doesn't seem to be working quite yet. Let's check in with organizers quickly.
They are doing some reversing of this function, renaming some variables, making sense of what's going on. So this function does have some compression in it. So there's a compression and decompression algorithm, which is where the bug lies, and that's what they've got to do, at least in the original one. I assume that's still true. I'm actually curious; we'll watch them and figure it out and see how it goes. Sometimes I like knowing and sometimes I like not knowing. Yeah, you know, this is like a different feel. That's kind of exciting, seeing what's going on. But we can clearly see here that they are definitely putting together some payload consisting of two different bytes, like a long sequence of one of them and another long sequence of the other one. Maybe this is unrelated to the compression. I mean, it's still in place. So the compression implementation does... yeah, being able to control whether something is highly compressible or highly uncompressible is absolutely something that seems likely, and it depends on the implementation, right? Like, is this a run-length encoding? There are a lot of different compression schemes. And I am actually curious; I suspect if we look at the official hint that we've got queued up for this one, it would probably be something like the name of the compression algorithm, because that probably makes it easier to land, which they're doing. So I mean, it does seem like Starbugs is really interacting a lot. Yeah, they're doing a lot of stuff. I mean, sometimes you want to be thinking and sometimes you want to be writing, and I think Starbugs is more on the writing side and the organizers are more on the thinking side at the moment. And yeah, I've seen a lot of people just sit and stare at a binary, think about it, and then just write out a complete exploit like a one-shot.
So you see now organizers switching out of IDA, going into... and in fact the organizers player did specifically ask us for libc. So in the previous round you may remember that was one of the rounds where they were trying to run the binary that was provided, and because they didn't have the libc they weren't able to run it. So we did actually update all of the rest of the challenges and we now do include the libc, even if they don't need it to exploit it. It might just make it easier for them to run it. We don't want them to have to fiddle around and find the exact VM and the exact environment, right? I'll switch back over to Starbugs and see now some of the debugging that they're doing here. Again, they have a partial solve script in the works. You see this call to rdx, and rdx looks like a very controlled value. That's not like a reasonable function pointer value that they have, but it did look a little bit messed up. So it looks like they have kind of control of it. If there's compression, maybe if it's post or pre, that is going to throw it off potentially, and maybe this could be a situation where they might have gone a bit too fast into trying to go for it without actually understanding yet fully what's happening. Yeah, I got you. But I mean, that's... we will have the hindsight; hindsight is always 20/20, for sure. So yeah, back over on the organizers, they have been throwing together a script now. So they've actually got the start of a script and they're running locally. Yep, you can see here that PIE is disabled on the binary. So if they're going to do... there was a win function, right?
So they would know exactly where in memory this win function is located. At least I think there was one; I saw one that was called win. So I don't know if somebody had named it before we looked at it, but I do remember seeing win on Starbugs' screen earlier. Oh yeah, I also saw it there. So yes. Like I said, I haven't actually analyzed this version, the final version of the binary, so we'll see. I'm seeing we're in the create story... Oh, this is the first person who's used the IDA debugger, I actually realize here. Everybody else has consistently been using... Yeah, I don't remember organizers doing this before when they came up for a previous round, but they're using the decompiler together with the debugger, right, to set breakpoints essentially on the source code, which is a nice experience when it works well. Yeah, that's the thing: in principle, it's kind of obvious that you should integrate the disassembler and the debugger. In practice, historically, that hasn't worked very well; people don't do it, so people resort to an external debugger, sometimes using some kind of bridge between the two, to various degrees of success. Yeah, there are a lot of sync scripts that, you know, maybe they just sync the instruction pointer. Yeah, I have used the IDA debugger a few times, kind of successfully, but it's still not in my standard playbook. Yeah, that's why I remarked on it, because I don't know a lot of people for whom that's their default choice, especially, I feel, in the CTF community. I mean, I feel like GEF and, you know, PEDA, and although I haven't actually seen LLDB; I'm waiting for LLDB. Yeah, we're going to switch over to Starbugs because... yeah, go ahead.
They are connecting to the remote service already. It might be that they're just validating some of their... So that's a really good thing: if you're developing your exploit locally, to sometimes just check off partial steps to see that you're seeing the same thing. Yeah, like if you're doing a leak locally, making sure that you can actually... Oh no, with this they are doing the remote shell and it's... Winner, winner, chicken dinner. Well done, fast. Congratulations, Starbugs. Good work, Starbugs. Jordan, would you want to do a little bit of the outro here, and I'm going to go and... Absolutely. Players, that was fantastic. Yeah, so well done, Starbugs. That was the fastest match on record. Good work on that one. So we said we made that one a little bit easier; it clearly was easier indeed. Heartbreaking to lose, but at the same time we now have our first team that's going to make it on to the next round. So we're going to go ahead and get back to the intermission. We have a little bit of a longer break now. We'll be back in about 45 minutes with our next round, and we'll see you all then. And I've got to figure out how to clear out this winner thing. Take care, everybody. Bye.

Welcome back to match two of round two. We're here: Cypher, Dex, and Carl. Hi, Zia, too. Yes, Jordan, I don't know, we keep changing. Yeah. Maple Mallard Magistrates versus Shellphish. Let's go ahead and count this off right away: five, four, three, two, one, go. All right, let's check them out. They're both downloading their challenge and they're going. So each team was told this was a heap challenge. Yes, and that's not false, it's true. Yes, but it's not what they expect. No, exactly. And typically when you talk about heap challenges, we're talking about attacking the glibc allocator, the metadata structures there. This is not going to be that difficult.
I think, yeah, I feel a little bit mean, especially since we didn't do this intentionally. No, but it's especially somewhat mean because Shellphish, in fact in particular the Shellphish player who is here, is the author of the how2heap GitHub repo. Yeah, which is a great resource. It's fantastic. It describes all the... there's just a myriad number of heap attacks and they're all fantastic. None of which are going to be used here today. Yeah, and this was not intentional. We did random assignments of teams and challenges; it just so happened this way. So let's go ahead and take a look at the challenges that the teams are looking at. Let's switch over to... oh my god, both of them are having white. Both white, as I didn't fix the names. Thanks. Yes. New rule: teams must use different theme colors. Oh, we can create custom colors, we can use filters, we can color... No, no, we give the color themes for, you know, IDA, Binary Ninja. Yeah, that's for the live CTF. Anyway, so we are looking at the Mighty Ducks, or MMM, here, and they're looking into disassembling, renaming some variables, just checking out what's going on. Well, and the program was called stack, right? Or stacks. Stacks, plural, right? Stacks, because there are, I guess, multiple. I think you can create a stack and then you can add and remove things, and if I remember correctly, it's some kind of over/underflow thing. Maybe you can pop more elements than there are on the stacks, or something like this, I think, but we will see about that. The repo that you're looking for, Diego, is how2heap: h o w, underscore, two, underscore, heap. Isn't it just how, the digit two, and... oh, it might be the digit. I just saw it on the screen. Both teams actually pulled it up earlier. Google Shellphish how2heap, you will find it, and it's on GitHub. Yeah, it'll be right.
I'm sure somebody else will find it in chat and paste it in there. Yes, because it is quite common. This is a good matchup though, because we've got two very well-known teams, right? You've got basically PPP and friends, and Shellphish of course has been around for a very long time. Yeah. So I'm excited as we move into these top matches. Definitely. We can see here on Shellphish's screen that they... oh wow, that's quite a little bit of... yeah, they had it already. Yeah, they came prepared. Oh, did they pre-bake a bunch of useful gadgets in each type of libc or something? Because that's good, actually brilliant. Yeah, I'd never... that's fantastic. Oh yeah. So yeah, I'm trying to see what they're doing. Although we'll say they were a little worried when we told them it was a heap challenge and it was only 45 minutes before sudden death. They were like, that's not even possible. Heap challenges take longer than that. How are we supposed to do that? So, well, just wait, you know, you'll see. So hopefully that was a little bit of a hint. Yes, but yeah, we'll find out. The question here from Endeavor: wait, is this PPP versus Shellphish? Yes, or, I mean, it's technically MMM, which is PPP plus friends. Endeavor is... oh, he's right over there. Yeah, oh, that's why he's got headphones on. So Endeavor is also a Nautilus. Yes. And so he's working on the main game over there and apparently has time just to watch us. So things must be going really well in the game if he's over here listening to us. Let's switch over to MMM. And I will point out too, this is actually, I think... well, we happen to have a whole lot of repeat matches, right?
This is only the second match of round two and we have already seen a substitution. So our player for MMM is not the same player that we had for round one. We had... I don't know if we scared them. Robert came in for round one, Robert Xiao, nneonneo, legendary CTF player, unbelievable. Yeah, won his match, and now they have swapped them out for someone else, and I don't know if we scared them with heap, and so I do feel bad. But again, we decide the names and descriptions independent of the teams. And yeah, you know, it might also be a strategic move. Like, maybe Robert is working on something in the other part of the CTF right now where he is more critical. Who do you send? I know a couple of teams even debate strategies like, do we just... as long as we make it out of the first or second round, we don't want to fight for the top spots. And I was worried about that. That was before the points were available though. Yeah, so do they all know? They do know the points. The teams were given point totals, and the number one team wins 4,000 points. Oh wow, that's significant. So it is a lot in comparison. That's almost the difference between last and first place. No, no, no, that's about 7,000. Yeah, yeah. Okay, so from 10th place up to... it's a lot now. By the end of the game there will be more points, there's more challenges, but it is a lot of points. So it is enough to definitely move the scoreboard. So yeah, we'll give you a scoreboard update. We want to check on the teams and make sure we're not forgetting them. We're already seeing interaction, switching to a new stack, so a small exploit script in the works.
They're trying out some interaction with the program. Again, we talked about this before on the stream, but it's the typical situation where you might want to go for a strategy where you build up these abstractions in your exploit script. You map different actions within the program to kind of like rapid building blocks, and then you can call them in whatever order you need, which can be very useful. There's some initial cost to doing that in terms of time investment, but Jinmo is very efficient, because look at this: they've got c, r, d out, like two-letter functions. So this truly looks optimized for speed, where they're minimizing even the length of the names of the functions being called. Right, if we switch back to... stream, please. We might be a little delayed. I think I just... on our monitor. Oh, okay. Sorry. What I wanted to do was to switch over to Shellphish to look at their exploit script. When, you know, we were talking about how they had pre-made a bunch of gadgets and stuff, trying to see if they're doing some actual stuff related to the challenge yet. I am not quite seeing it.
It seems like they are messing around with gadgets, so they might have a pretty good understanding of what's going on. Hard to... it feels like you wouldn't do that unless you have the other building blocks you need, but yeah, hard to tell. So you can, though, see Shellphish looking a bit in the debugger here, confirming some values here on some global variables, I think, something called stack, something called buff, and trying to see, I guess, where different inputs and stuff end up, and so on. You know, maybe you have some hypotheses about this value might go in here, and then you do that in your exploit script, but then you want to verify in the debugger that things are actually behaving the way you're expecting them to. Yeah. And, you know, one of the interesting things is it's really hard to make challenges of exactly the same difficulty, and so we just didn't try. We clearly have some challenges that we know are easier than others. That's going to be the case. But what matters is they're fair in the sense that each round, your opponent gets the exact same information, gets the exact same binary, they get told the exact same description beforehand. And so in any given match it may be easier, it may be harder, but you are going to go prove your mettle in both of those situations against the person you're playing with. Although, again, we're talking about these are some legendary CTF players that we're seeing before us, and it is different to come and do this kind of an event than it is to do a normal long-term CTF investigation, right? There's certainly skills... obviously there's a lot of overlap, but you can definitely specialize in a live CTF quick-punch style challenge and not be as focused on the long-term stuff too. Yeah, no, totally.
That's... and we've seen multiple occasions where players have missed crucial information in the challenges, leading to not being able to solve them as fast. And these are, you know, there are no beginners. These are top tier. These are absolutely S-tier players. Every single person playing in this event is S-tier, there's just no question, right? These are all good teams to even get here, and then these are the best representatives from each of the teams to come play. So yeah, there's no question. I wouldn't stand a chance against any of these folks. I'm sure that... no, it's a bit scary, definitely. And you're also kind of feeling the pressure, not only from the opponent but from your own team. If you go up as your representative, you're representing your team and you don't want to let your teammates down. It does look like we actually have another IDA debugger. So Jinmo over on the Mighty Ducks is setting breakpoints in IDA using the remote debugger, so actually using the remote service to debug the Linux binary. And they're running into problems actually with that. So they tried the remote debugger, now they're trying to do a local process. This is actually a good example of where, honestly, just using your pwndbg and gef integration might have actually been faster. Yeah, because we're seeing continued errors as a result, and remote debugging can be really difficult too. There's a lot of wrinkles to it. But there we go. It looks like we have a debugger. Thankfully we get that nice blue color in the background.
So now we know they're debugging. Yes, and you saw those two breakpoints, and I think it was jumping back and forth between those two breakpoints. Probably a loop thing going on there as well. Yeah. I want to switch back quickly to Shellphish again, looking a little bit at their debugger. You see that they're building these abstraction functions called alloc, delete, next. So yeah, these are kind of your primitive operations in this heap interaction thing. And just for folks that maybe aren't even familiar, we should kind of cover what a heap vulnerability typically looks like versus what we're expecting from them in this particular event. Totally. So normally, I mean, it's a broad concept, but normally when we're talking about heap exploitation, we're talking about one of the mainstream allocators like the glibc allocator or the Windows allocator. And these are the allocators: when a program needs a piece of memory, and it maybe doesn't even know in advance how big it's going to be, it can say on the fly, hey, I need some memory, I need this much, please give me some memory. Oh, I need more memory now, give me some more memory. Right, and the program can do whatever it wants with that. Right, and the operating system typically only provides memory in full pages, which is usually way too much compared to what you need.
So then you have an allocator on top of that which is responsible for chopping these pages up into smaller bits, handing them out to the program, keeping track of them, doing the bookkeeping, like when the memory is freed up, putting that back into the list of available stuff. And to do all that it stores a whole bunch of metadata about the different memory regions and so on, and a lot of heap challenges are about performing sequences of illegal heap operations to corrupt this metadata about the allocated and free memory regions to cause some kind of mismatch or confusion. For example, you might allocate memory and get a pointer to something that's already allocated, so you have two pointers pointing to the same area. That's one example of an end result of this. That's a very broad description of this. Oh, we missed it. Somebody commented that Shellphish is pulling an Inspector Gadget. Was this because there was an actual tool called Inspector Gadget, or did we miss something else? I wonder. Yeah, maybe because they bring, you know... oh, so we have some comments here. They have like a "UAF?" So UAF stands for use-after-free, a common concept when it comes to, not necessarily only heap stuff, but typically when we're talking heap exploitation stuff. Yep. And to answer your question about Binary Ninja: yep, Binary Ninja also does have a remote debugger. It can support a couple of different styles of remote debugging too, but actually I don't know if in particular it supports the style of debugging being done in this challenge or not. I'd actually have to double check. Yes. Checking over with MMM, they are, I mean, still not that much code written in the exploit script, right? I think they're still working it out. I mean, I think they built the interaction primitives, they understand that there's something going on, but I have not seen anything yet that indicates to me somebody knows the vuln yet.
Yeah, like I'm still waiting to see some indication that they're gonna do that, and right now they're just creating things and using them. I mean they may in their head know, but certainly from what we've seen in the code, we're just seeing them understand it. Right. That's... I don't know. Connor, does angr management have a remote debugger? That's a great question. Yeah, you would know, right? Better than I would. Oh, Connor is one of the angr developers. Connor, would you say you work on angr? I just had to use the phrase, I had to be able to... Yeah, big fan of angr. It's a binary analysis framework. Use it for symbolic execution, yeah, a lot of automated program analysis, and there's a lot of research, a lot of cool research concepts that get implemented on top of it. It's from UCSB, right? I mean, so Shellphish. Yes. Yeah, it's broadly associated with it, and a lot of ASU folks as well. Actually, I think the majority of the work is actually over at ASU now, maybe. Okay, but historically it's been UCSB, now it's, I think, ASU. And thank you for that. Yeah, it's been a wild amount of work just even getting the logistics going, but yeah, so far so good. I have a lot of friends here in Vegas I have not met. Nope, there's a lot of people that were like, sorry, we'll see you on Sunday, maybe. Yeah. So, but yeah, we hope that we managed to bring you some entertainment and education in these streams. That is the goal. And so I still haven't seen a debugger. Yeah. All right, so back on the Ducks, we're still seeing creation, and I wonder if they're trying to hit a particular length size on these operations. So they're creating, creating, creating. And it is a little funny that we told them that the challenge's got a heap in it, but the program name was stacks.
Oh, yeah, a little bit, right, because, you know, the stack when you're writing the code is like a stack of plates, where you put stuff on it and then you pull it off in the reverse order that you put it on. Yep, and so that's just a stack, and it gets used a lot in computer science programs, and it's probably the most common data structure for a lot of types of storing of data. But then the heap is the other one that gets used a lot for other types of data. So they're kind of different sort of regions of memory, but they're also different styles of exploitation. Yep, and we're just combining two of them. I mean, most programs use multiple, but they were in fact drawing that comparison, I think, which I think is funny. Yeah, it's a little bit funny. Yeah, I mean, as an organizer you are often trying to make a good joke. Really, that's why we make challenges. Oh yeah, a lot of challenges, we almost came up with the name first and then figured out what the bug should be. There's no almost, it was 100% done several times in this. Okay, so we are seeing some probing from the Mighty Ducks. Yeah, so now we're looking at some probing of sizes, and they're attaching to the debugger. They want to actually look at the stack values. They were kind of running it over and over; now it looks like they've stopped to take a look at it. So they were trying something based on the results that they were looking at. Yeah, they're going to have to set the type to get this displayed appropriately, hit D a whole bunch of times and get that converted. Yeah. So they're following through their results. We can switch over to Shellphish again. We've seen up there, they are naming, they're trying... there we go. So they're also in the debugger as well. Yes. Now, this is interesting. BMAP found a unique crash. Oh, are they fuzzing? They are fuzzing the program. That's 100% a great strategy.
Honestly, with something this simple, with the menus, or this common... That's not terrible. I would love to see a fuzzer solve one of these. No, I mean, it would make me happy. I just think that you would have to be fairly comfortable with fuzzing to be able to set that up quickly enough for it to be worth the investment. And beyond that, right, the trade-off with fuzzing is that you get to a crash very quickly. Yeah, you don't necessarily get to understanding to be able to turn that crash into an exploit. Right, but the binary is small. Maybe that's not a problem. So I think that would be fantastic. I'm actually, yeah, there we go. Touch crashes. So it looks like they're gonna triage the crash now. So they're trying to take the input that caused the crash. Oh, I'm all in for this. Yeah. This would be great. I'm gonna go ahead and catch up on... I almost had Brandon for, you know, commentary for this. He would also have... Oh, we're missing out. So Gamozo is going to be joining us for the next... the last two streams of the day, and he is a world-class expert in fuzzing. That would have been super fun. I'd love to hear what he would have to say about it. So, well, yeah, we'll see what his thoughts are. No, I love it. We've seen a range of tools being used throughout this tournament. We're seeing a fuzzer here, we saw Z3 the constraint solver being used, we even saw an online sudoku solver at some point. You know, we have a bunch of different gadget finder tools. They've been like ROP finders. Yeah, Ropper, rp++, ROPgadget, all of those, a lot of pwn tools with different debuggers, different, you know... So it definitely says, while there are kind of mainstream choices...
There are definitely variations of what you can use, and yeah, all of these skilled players have been having slightly different preferences, using slightly different tools, and still being able to perform at this level. Yeah, I think we see a lot of variety in their text editor, but not so much in their debuggers, right? There's really only two they've used. Most have predominantly been gdb, and then you've had a couple that are using IDA's debugger. We've not seen the Binary Ninja debugger yet, not as a debugger. Yeah, we've not seen... I mean, Ghidra now has a debugger as well, but we haven't seen that one out. But I mean, radare has a debugger as well, right? Oh, yeah, it does as well too. All right. Yeah, we haven't seen any radare users yet. I will say radare users are fun to watch when they know it really well. Yeah, it's... you know, not to say anything offensive. Oh look, I saw somebody just showed us a screenshot of the Shellphish team up in the room. So here, put us on camera, let's wave hi to all the Shellphish folks up there enjoying. Sorry if we're sniping the rest of your pwning that you're doing for the event. But let's go back. Let's give them some extra time on Kyle's screen just to... Yeah, I want to see some of that sweet, sweet fuzzing action. Yeah, let's see if this fuzzing has gotten any results. We have a SIGTRAP. Yeah, so they were checking it in the debugger. A little bit difficult to follow right now what's going on. They are trying to write a couple of these operations, inspecting some memory. They have put some breakpoints in memory to try to analyze this. Maybe we should go over to... Yeah, so I've been watching Mighty Ducks, and again, to be clear, the official name is something with M's and mallard in it. Mallard Magistrates Maple. No, Maple Mallard Magistrates. Yeah.
I like Mighty Ducks, so that's what I've been saying. Yeah, or the M Bops. Or the... Oh, here we go. Okay, okay, this looks better, right? So we just saw... oh, and that was interesting. So we're actually seeing targeted making of an immediate value. Okay, this looks like we actually have something interesting now. Wow, that's... So we went from looking at the GOT, which is very interesting, something you might want to overwrite. I would assume then that this is a no-RELRO challenge. And just to explain what that is: one of the mitigations that are available is something called RELRO, or relocation read-only, in which the GOT table can be made read-only at load time, which prevents these kind of GOT-overwriting exploits. That's, you know, quite a nice technique. But as I said, I don't think we have this enabled for this challenge, which does allow you to overwrite these GOT entries, and what you then have to do is just to make the function that was originally in that position... have it being called. So you might say you have strlen, for example, in your GOT entry. You replace it with system, and then the next time something calls strlen it instead calls system with the same argument. So that's quite a nice way of doing an exploitation. Yeah, this is really fun to watch. I'm really enjoying just not having to talk for a second while you explain RELRO so I could watch Jinmo do this. This has been pretty cool. So yeah, building these primitives up live. Yeah, so did you say we have Jinmo playing for... I believe so. Yes. I believe we have, oh, right, who's also a legendary CTF player, top top. Yep. No question.
I used to run something called Pwny Racing on my YouTube channel, which is similar to this. We used to have four contestants going heads up, and Jinmo was on one of the episodes. And usually our episodes used to last 60 to 90 minutes. Yeah, he was done within 10. I think you said it was the fastest solve ever. No, no, usually in the beginning of the episodes we do a round where we go through each of the contestants, introduce everything, introduce the contestant, look at what their tech stack looks like. Yep, yep. When we kind of went the full round and came back to Jinmo, he was already halfway through the solve script, or like two thirds through. Yeah, you're like, all right, we can't go anywhere else because we're gonna... No, so it was absolutely ridiculous. Usually we stopped when someone solved it, but for this one we just continued until other people had a chance to... yeah, yeah. Yeah, I mean, you can tell the speed there is really impressive. So I think that might even out the advantage that Shellphish might have thought they were having with heaps. But I still really like that fuzzing. I mean, it's entirely possible that a fuzzer gets you to a workable, close enough to an exploit that you could land it, right? So we'll see. We've got a couple of new... we guess we switch over to Shellphish actually, yeah, and see that they are again doing some debugging. They are trying to run these different commands that are interacting with the program, trying to do some addition, and it says that this command has not been implemented yet.
So I'm not entirely sure what's going on there. Right, so they are adding elements to the stack with those additions. Yes, here again we saw a glimpse of their fuzzer output. And yeah, it's interesting to me, just watching Jinmo, the number of times that there was a decimal value returned where it was copied, command, run python, enter, hex, parenthesis, number, paste. It just feels like something that should be a macro or a hotkey, right, right, right. But it was still done faster than I could have made a macro or hotkey, I think, because it's just very, very quick to watch that. So doing some more interaction with the program. Oh, that's funny. They both literally wrote the exact same line of code at the exact same time. Split, change to split, you see here they were both receiving for the same pattern. Oh, this is... I wonder, because they're kind of doing different approaches when it comes to finding the vulnerability, it seems, but I wonder if, despite this, they are pretty close. I mean, I couldn't really tell you just looking at the source code that they were... I think it was just a coincidence. They happen to be in the same pattern that they were matching on the inputs, just sort of one of those coincidences. But farewell, uh-oh, win, farewell. Oh, what was this? Okay, read handle command, handle equation. Yeah, let's go over there to MMM and see. You're seeing something there on their screens, just watching. I mean, just even trying to keep up. I will say the downside of when somebody is so fast is that you can barely follow along as they're doing things, switching between their exploits. So we've got a couple things going on.
There is an strace going on, watching what's going through the program. Yeah, this is like... we're gonna need to have LiveOverflow do a play-by-play of this, slowed down and recapped, so that we can follow what's going on, because this is so hard to even follow. Yeah, we had some comments in the chat. Someone said it would be nice to have the contestants do a walkthrough after. I would love to hear that. I agree. You know, we're probably not going to get their time though, because they're in the middle of DEF CON. Exactly. We're already, you know, asking them to do this, and they get a lot of points that they do... I mean, I've heard positive feedback, right, but you know, you should only push it so much. We don't want to oversteer. Yeah, but actually that's a good point. So we have LiveOverflow, you know, famous content creator within the security space. I don't know if he's online currently. Maybe. He should be asleep at this point. I hope he is, but it's not... But he has been doing kind of watch parties and recaps of the matches, and they're doing some analysis and stuff, and I've heard some really positive feedback on that as well. So really good to have that as well. So I think this is a point at which, if we felt like they weren't making progress, we were considering hints. Just looking at it, I think we're chugging along. But I will kind of ask our production booth, who has a solve script to compare to potentially, and look at what a right answer is. Are we... do you think we need a hint, or are we thinking we're... It's hard to say. Yeah, I mean, I think they don't look stuck. They don't look like they're going to dead ends.
They look like they're just solving it. So far, I'm at this point happy to just let them go. I will say we have had our sudden death binaries ready to go and we haven't had to use them yet. But we have considered that the end of today is probably the most likely time where we might need to use one of those, just because some of these binaries are difficult and we don't have time. So tomorrow we have the chance for the semifinals and the finals, yeah, to spend a little bit more time on them. I'm just now noticing one thing, that Jinmo is using Windows. Yep. And that's not something that we've seen too much of. I think there's been a couple, but not a predominant... I would say it has been Linux and Mac pretty even. Yeah, there's been a lot of both of those, and then a couple of Windows, but certainly not the most common. Yeah, I mean, Windows has certainly been popular, especially with reverse engineering. Windows has been pretty big. Yeah, that's probably pretty big there. A lot of people there are working on, you know, maybe game hacking, game cracking stuff. Yeah, but especially with the addition of WSL. WSL, yeah, the Windows popularity has definitely increased within the hacking... Yeah, I think Windows became a much more viable platform for doing this kind of work. Yes, when you could just run a real terminal and get a real, you know... We also have Gynvael, also a famous CTF player, who at least for many, many years used Windows as his primary OS. I think he did actually switch kind of recently. He was considering... I don't know if he did or not, or I think he has since switched to Linux for his main OS. But yeah, he was a prime example of that. It sounds like LiveOverflow is still live. Okay. Yeah, good evening.
Good evening. Yeah, we look forward to chatting more and seeing if you can help us untangle some of these exploits in hindsight, as we ask the participants and get a little more insight into what they were doing and we have time to analyze them, because it is difficult when you're trying to follow along live as it happens. So yeah, we had LiveOverflow as well on commentary here earlier today. Yeah, so if you missed that, make sure to go back. You can rewatch the start of the stream right now. Also, if you didn't watch yesterday: yesterday we had a change of resolution halfway through and it split the stream, so the day one video that was originally uploaded was only part two. It only had the end of the stream, the last match, I believe, the last of the four. But we've since uploaded part one. So if you check our channel, you'll actually see the first three matches are also online as well. At some point, when we've recovered, we'll probably go back and add chapter marks to make sure we do timestamping, so you'll be able to more quickly navigate to each individual match. But we need some recuperation time. I don't think there's any question after this weekend. Oh yeah. So you can see here Shellphish still, or I mean again, doing debugging, looking at these global variables. I think there are global variables, a stack and the buffer, considering these different actions that you can take within the program, and, you know, see here, looking at them all, creating this struct here within IDA.
So this is like, you know recovering the different data structures that have been used in memory Trying to figure out like what they look like and how they are evaluated or used in memory Really helps your understanding and helps you find where the bug or bugs are It's a very important step of like reverse engineering when we're like analyzing a binary and trying to understand what's going on Yeah, it's gonna take me. I mean, I'm gonna want to to really take some time even just to break down the the tooling that the different teams have been using as we watch Watch which which things are using and watch, you know watching even how like for example the Mighty Ducks are uh attaching the debugger into the VM and I keep seeing all these like permission errors that just like blow through Blowing by them so quickly Yep So you can see here MMM running the program They're just deleting their IDA database Oh having some tooling issues maybe Yeah, I'm not sure if and yeah, they're restarting the debugger. They had problems with the debugger and Man so fast Okay, new new rule. We need a Jinmo mode on the stream. It just slows it down That's right. That's right. All it does is run it like at half speed for a little bit so we can kind of catch up To be able to to to watch it. That is super fun to watch I feel a little bit like probably what like my my parents feel like when they see me, you know Like using a tool on a computer that I know well like like I understand some of these concepts Like I think I know what they're doing, but just trying to follow the specifics can be Uh, give me challenges. Oh, it's crazy sometimes. You just like you just sit back and enjoy the ride Yes So again working with the IDA debugger It's it would be interesting to like try to you know gauge the the progress of the players here, but it's it's kind of it's really difficult to do Now I will say okay.
We should absolutely I think we're we knew what time we started It was only maybe five minutes later. Yeah, so I think we're about 32 minutes into it So now it's definitely hint territory. Yep. Um, if we want to try to give them a hint So let's let's see if we can come up with a good hint Yes For this particular one and I think the author is actually over there now So yeah, so maybe uh production can work with the that's I think that's happening over there. I think that's what they're doing Okay, uh, see if we can come up with a good a good hint for it that that we can give them out And let me prepare our fancy hint system Otherwise known as a piece of paper that we write hints on and we split it to write the same message to both teams Yeah, there's our you know, I had I've been building some of the infrastructure here And I had like some you know interesting ideas with Go and all that How can we like send the message to both the players at the same time? But that you know in the end we didn't have time and it's like yeah, let's do paper slips But the challenge deployment the solution that that stuff is working which is right the main, you know, we went for the the most important stuff first, right? And then you know, we can see in future iterations of this what kind of like extra stuff with how we can improve this And you know, like if you uh viewers, you know, if you have any suggestions for how you know how you think this could be improved further Feel free to like post it in the chat or like at us on Twitter We have a LiveCTF Twitter account We've been posting a little bit. Oh, yeah, I don't think we actually put it on the page because it's at LiveCTF org, I think right? I think it's actually at LiveCTF org. Yes.
Um, if I'm remembering correctly But I'm actually gonna go over talk to production real quick and get that I'll uh keep going here and we're gonna go over to Shellphish because I saw some more sweet fuzzing action And we always want in on that Um, so they're looking into the crashes. We can see here that they are uh wanting to iterate through all their crash examples and kind of try to see, uh I'm just testing them out. I think I'm seeing how if they can recreate the crashes. Um, it's uh Yeah, we can see here and then trying to run a crash they had a wrong file, sorry, they had a wrong path to the example Trying to get all their files sorted out, you know, which which one is where But here they had a you know a seismic assertion Uh, so this has caused a crash, uh, you know But here's another one. It's a SIGABRT Uh, there's a pop ebp instruction that's tried to do something that it shouldn't and we had a crash on that So that's a little bit what's going on with the fuzzing So let's go ahead and bring up, uh, the full screen view like the actual true the true full screen yeah, we're going to go each of the teams just for a second Clean view there we go. So we're going to pull this and this is actually going to let our our production crew a little bit more easily, uh, hone in on on these these solve scripts and We've got the challenge author behind the scenes who's going to look at it and see if there's a good hint that we can give Just to make sure we we know where teams are at. Yeah, again, I I have less of an awareness of this one too. So I don't know what the what the answer is either.
We'll find out Um, or it may be that they're just really close and we just let them go and they're gonna, you know I this is this is one of those where I'm At any moment we can get a solve and I would have I really don't know I can't tell Uh, certainly if we get something like, you know, we can see a function pointer overwrite We might get a hint like last time but They certainly don't look like they're out of ideas in terms of what they're doing. I just don't know if So they've got a pointer to free calculating offsets You could see some extract. What's it called make jump the make make immediate make it make immediate. Okay so, uh, uh, trying to put the value. What was the address that we're looking up? Uh, the address was the the relative offset of free. I believe Okay From from the base it looked like what they were what they were calculating So I think that's what what's the Mighty Ducks are doing Yeah, here minus the address right so calculating Offset calculation Actually, I use that actually in IDA a lot the whole like 'here' property, uh, which IDA has as a function But the same kind of thing that you could just say the current address navigate somewhere else from the calculator difference between the two Uh, really really trivially just kind of up-enter Uh, so let's go ahead and see that was one of our players let's switch over to Shellphish. Uh, yep full one And take a look at what their solution is too and then I'll go back and as as you kind of keep an eye on these two I'll I'll check with production. See what we're thinking on him. Yes. So here we see a whole lot of null bytes from Shellphish and the debugger. Uh, they're inspecting this failed assertion in the in the heap Trying to figure out like exactly what kind of thing was corrupted what they're like can control on how to work with that It looks like they're using this function called heapinfo. So it's printing out.
So these like metadata structures I was talking about earlier within the allocators you have some utilities here to like parse those and kind of like display the different lists and stacks and stuff that the allocator itself is making use of and you can then use that to see like what what's here Can I maybe like corrupt or what values have I been able to control? So, uh, yeah, that's uh, what's going on there And we can see again, you know, they're trying to think different things over and over again Making small adjustments running it again Putting some breakpoints in the malloc and free functions to try to figure out when things are allocated and freed up again So this is important to like see the order of operation that's going on within your and that this corresponds to your, uh, you know exploit script and what you're trying to do and that that's actually happening in your program in the debugger that you see those actions happening Uh So, uh, sorry about that. Um Yeah, it's uh So that's what's going on with Shellphish We can try to switch back to MMM again, but uh, you know As we said before It's going very fast. So it's a bit tricky to figure out exactly what's going on, but It's you have this helper function. It's called make, uh, imms or make immediate value So this is used, I guess to put these values in somewhere in memory on an appropriate, uh, place With the idea that these are going to be used within the corruption, uh, like the payload So You can see again, they're like attaching the debugger using the IDA uh debugger to analyze this program and modifying there there. Oh, we can see now they're putting their, uh Uh sh Uh, oh, oh that looks like they have it. Oh my god. Let's see. Do they have a working? That looked like a shell. They're copying the IP and port. We might see them going for a solution here They they are they have a remote exploit working. They're running the submitter and They need to run it. Yes, there they have it.
They are winning That's impressive. We have a win from Jinmo from MMM. They won the match really impressive performance Uh, really great by both the players Uh this was uh Really impressive match to see We will be going to an intermission. Uh, as I said check out LiveOverflow's stream if he's doing a recap We will be back on the hour. So in about 15 minutes Um Yeah, I'll see you in a bit everyone and welcome back to LiveCTF. We are in round two match three of four. We have only one more left in this round And uh, we have let's get to get through kind of right away. Let's let the team get going and then we'll do the rest of the explanation of what's going on. So five four three two one go I'm trying to give it a clap. Nobody's gonna clap yet. Oh, so uh, welcome back everyone. Carl is not with me But I do have Falk online. You might know him as gamozo Yeah, so we don't have video for our guest commentators. I apologize everyone for that But that's fine because you'll see our video anyways. We're gonna be looking at the teams most of the time Uh, Falk, why don't you uh, tell people like where they may have seen you before or what you like? Cause you're uh, you know, I think you're pretty popular at this point. You got it. Yeah, apparently I am So my name is Falk. Uh, I go by gamozo. I stream on Twitch I stream random hacking things and I'm super excited to be here and looking at some CTF action. It's been, uh, maybe five or seven years since I've done a CTF. So I can't wait to see see what the new state of the art is up to Well, and and you were one of the original people on a live CTF Like I think one of the very first ones with geohot. I was like you and him, right? Was that when I went heads up against geohot and he completely slaughtered me. You did. It was it was hilarious. Yeah There was some serious smack talk. I watched it at the yeah, I was there when it was being set up I think it was fantastic. Uh, we all had a lot of fun. So oh another Binja user.
I'm so excited. All right, hold on We got to go to let's go. Let's take a look at Sauercloud Sauercloud is one of our Binja users who made it on so of course. I'm gonna go check out theirs their screen first Um, but uh, this this particular challenge. I believe this was uh pacman, correct So Falk if I told you the challenge was called pacman p a c m a n Does that like what what do you think about when you hear is this is this an Arch Linux by the way? It's not Arch Linux. No pacman is the package manager. That's that's one reasonable guess What else? Oh, it is a package manager. I see. Okay. Well at least according to that was that a was that a Windows like like a legacy theme in that VM. There is a yes there. I saw that too. I don't know what's going on with that one That has to be Windows 7, right? I that's the preferred hacking platform. I presume But I mean yeah, I mean it so if you don't have mitigations on the host Then it makes it easier to test your stuff. I guess it is a package manager, but it's sorry It's also it is also a pun on on it's an ARM binary So oh, okay ARM has PAC instructions. So I I think at least it's meant to be like a play on words. Oh, no, I see I don't know if it's it's not it's not actual PAC, but there is a pack like this thing that they're gonna encounter Okay, I already saw the I always saw the manual coming up for ARM Which is always a good sign. It looks like they're looking up the intrinsic which is interesting That means they must be looking at the IL or the decompilation. I can't remember which window I saw that in yeah Yeah, if the the intrinsic is coming up It's something that Binja is not actually handling. So it's just gonna just gonna show my oh my glasses I no wonder I can't see those screens. There we go That helps. Oh, and so we got so just yeah to give you a little bit of context So and to catch up our audience as well who may not have been been watching previously These are like real fast matches, right?
These are meant to be speed matches This challenge might be one of the bigger ones. So this this is the challenge that we like there's a there's a non-zero chance we go to sudden death on this one Because the idea is that every round has to like basically keep within an hour Because we have just so many of these things to do and so if the teams don't solve it in like 45 minutes We go to like the sudden death So really simple simple binary like separate binary we replace the original one and say changed it go So we hope and so far we've made it through a whole bunch of rounds and nobody we haven't had to use the sudden death yet So it's it's a good trend. We'd like to continue. Oh wait a segfault. That's the wrong kind of segfault They're trying to run QEMU and QEMU is just dying. Okay Although I'm glad I have uh, I have Falk on the line because you've done I would say a little bit with emulation It's probably a smidge here there and whenever it it's a solution to a problem It seems to me though that you often find it as a solution to many problems more so than most people I I think at this point I just enjoy it. So I think I just bend the work to it I don't know if I'm always using it correctly or if I'm just justifying my existence But I mean if it gets the job done and you know, if everything you have is a hammer then everything looks like a nail All right, like that's uh And and I will say you have solved some really really fun problems with it So if people have not watched your Twitch, uh, or even some of your your check out your GitHub repo or your YouTube, uh videos Uh, they just absolutely should because you just fantastic stuff So I've got some interesting thing. We're trying to just get this binary up and running in QEMU. It looks like from r3kapig Yes, I don't know if that's how you say them reka. So reka reka pig is the team name r3kapig. Oh, okay.
Yeah, so the ease, you know, it's like we speak for for an e So we got r3kapig as that team And so I think I'm trying to remember which I mean obviously just even looking at the the character set It's a it's a Chinese or Taiwanese team Yeah, which is pretty crazy. It's it's very strange I have not seen many like Chinese installations of like VMware Workstation seeing those menus that I'm so used to seeing in a different language is actually fantastic. I love seeing that. It's just It's really a glance into someone else's work. This is I mean, that's the best part about the live CTF being able to see different tooling different workflows different. Yeah, and we have a lot of international teams at finals this year So there's a whole bunch of of teams from all over the world. In fact Uh, the um, Sauercloud, uh, it's from Germany as a predominantly German team And so we've got, uh, you know quite a quite a mix, uh Which is which is yeah, which is which is pretty neat. So I Looking at them. Oh, we do have it running now, right? So if we're looking Uh, in so yeah in the VM. All right, so they got it working which and I know that teams were debating um You know hardware emulation somebody had like a little uh, like um BeagleBone. I think uh that they were considering like running it on Uh, so people were just saying so we've got some sort of a little script here. It looks like, uh exploit.py. It looks to be the name of it There we go. Yeah, so did we see a lot of these and it's oh, I missed it. Was that one? um Calling, uh, it pwntools because it's Predominantly, yeah, the vast majority are all using using pwntools So we're seeing a whole bunch of those launching in aarch64 or QEMU instance, and then they're remoting into it. I'm guessing that's I guess they're using GDB or pwntools for that connection I'm not too familiar with pwntools to be honest. I actually don't know how it does the cross platform stuff with with QEMU. That's a good question.
I've I've also not used I mean I've used pwntools But but not to do that before so I'm curious Yeah, it looks like they're trying to connect in with the debugger Maybe I I don't know I one of the one of the windows they had open was covering it up So I was curious what port they were using. Yeah Well, I will say both teams having looked at both of them now are both running it, right? So relatively quickly we've got like them actually Oh, by the way, I don't know if you're watching chat. You've got some love in the chat People people are excited, uh to to have you here So I mean we are too. We're also very very excited I'm excited. I've got a I've got a great community somehow Even even though we just you know just have fun and goof around I I'm very proud of my community. No, you have any drama and weird issues I just I can't keep up with it. You're so active and you like people will just hang out and chill with you It's it's fantastic every time I dip in there and like see it. It's just very chill My chat wouldn't think I'm very active I don't know I go I go through three month disappearances at a time and uh, but they hang around for you this day still I know I know it's crazy. That's awesome. All right. So we've still got Binja up from Sauercloud. So we're looking But we are so so yeah package blobs. So they're creating uh blobs and they're looking at the types of things that are built. So they're they're I would say they're in the like find the bug phase in this, right? So yes, most of our other challenges I mean we had just for for flavor. We had some other challenges that were like open any file in the file system. It tells us what offset to write to and so people would like open /proc/self/mem and just like write all over it, right? Oh, wow, we're even naming things in here, which is pretty interesting I know a lot of times when I would do CTFs.
I would not name stuff We have seen a fair amount of folks that are actually pretty pretty diligent in like creating structures Even we've seen and and actually it's really trying to do a good job understand what these things are doing? Oh, okay. I did just see if we look back over in Sauercloud There's just a whole bunch of A's which I mean come on. You got to like you got to try you got to you never know if it works You're gonna feel really bad. Exactly exactly if you lose the competition to A's That's not a good look. We actually missed you last the very last round Which was a challenge between Shellphish and MMM, which is basically PPP and a few other teams The names of what does MMM stand for? Okay, so the full name is Maple Mallard Magistrates because it comes from a team name that was like uh, Maple Bacon. I think was the was the Canadian team And then that mallard was the duck. There's a team called The Duck and of course magistrates like PPP like parliamentarians magistrate So it's MMM I I call them the Mighty Ducks. I that's that's my name. It's just much easier to say. Yeah, exactly Um, we all know that people don't get to decide their handles that get used No, it's it's it is given to you. The best nicknames are earned. Not yeah, not claimed exactly How interesting so they're trying to figure out the arg to open there Which is interesting that they they manually kind of specified that arg So they're trying to like fix up the database and make it a little bit more readable, which is which is interesting because I know when I watched I tuned in a little bit before and I I saw like people writing scripts with like one letter two letter function names Yeah, just to really really speed through stuff Yep, we've seen we've actually seen a fair amount of like fairly robust primitive creation too We've seen somewhere.
It's like, you know Send whatever, you know, so we've seen some some good full descriptions like things that you could post after Scripts not allowed unless Oh, okay, so Sauercloud just hit something that says scripts not allowed unless pacman unsafe equals one Is that some sort of environment variable? It looked like yeah Now that sounds super nice And if I've got a if I've got the ability to create a package that can run a script If you guys have got command injection Uh, I would sure like to flip that so I you know what like I really thought this actually was ARM PAC But maybe I I may have just made completely misremembering. I'm now wondering. I'm completely wrong I saw some PAC uh intrinsics in there And this is where it could be interesting between IDA and Binja because I know Binja is going to show those intrinsics And I don't know if IDA is just going to hide those. Yeah. Um And that could throw someone off potentially In either way sometimes seeing the extra info is is scary and sometimes not seeing it is scary You can you there's no perfect display that makes it matches everyone's needs, right? That's right. That's true That's why it's nice to be able to like customize it or you know choose or change settings. So yeah, I I'm one actually, you know what I think we should probably hit an early hint on this one Because again, this is one that I think we're going to need Um to give people a hint on it's one of the bigger harder challenges Um See a memcpy into buf plus 20 and then I see a massive access at at buf plus 1028. So I'm guessing it's uh It's a thousand hex in size. So 4k in size maybe an eight bytes here or there with weird alignment stuff So I'm that I mean obviously whenever I'm doing a challenge if I if I see a buffer And it's being read in see I'm just gonna assume that's where the bug is in the CTF I mean binaries are not that big here, right?
There's only so many things you can do So yeah and and looking at these these look like they're dynamically linked I see the the colorization showing that those are imports for those, uh, like standard lib libc functions And they're not stripped So This is already a pretty good environment compared to a lot of CTFs that I remember where they would just strip it So you have to run everything through FLIRT sigs just yeah, just to get anything readable just because well It's so it is part of it is I think because you know our goal at LiveCTF is to be really are aiming to be under an hour and it's it's hard to make something that's different and unique and interesting under an hour And so you you have to give it the players as much help as you can honestly Like you really we've we've given them a source on a couple of them or we're just like listen We don't want you having to decompile it like here's the here's a source Uh focus on like just the one like interesting thing that we're trying to get them to to hone in on Who's strchr? Oh, I love strchr. That's a that's a fun function right there Searching search and randomly for an unterminated string for a character with no other regards That's always fun Um Definitely it seems like they took note of that when they were highlighting it Yeah, I do like when people use their mouse to like, you know highlight stuff and you can get a little sense of that Go ahead. Yep I definitely do a lot of highlighting when I'm playing around. I know um, I know like I've always used plugins.
I think a lot of tools now have like native support for multiple highlight cursors Where you can just click and highlight different things different colors I remember when IDA added support for when you click like rax that then started highlighting eax and al and ax where it previously didn't do that Yeah, I remember when that went in it was like a game changer for for being able to follow things But I guess now everything's so many A's so many A's All the A's Is that even 4,096 A's because they're gonna need at least that it looks like Ah, that looks like 4,096. It might actually be. Yeah, I say it's hard to it's hard to judge when it's it's that dense But it it could be So do you know the the author of this challenge and a little bit of backstory on this challenge That is a great question I should have actually got more of the details on the backstory But the author is ghost who is one of our our guest authors who who came in for us and I think might even be on uh on the stream. Oh, you've got by the way a couple people in chat suggesting you should do this on your stream too. Do a live CTF run on your stream. I don't they want you to play it CTFs or like, yeah I forget that there's such a big community around it and it's where a lot of people go to learn It is especially I mean, there's so that's one of the things that like we're focusing here But like a lot of CTFs Yes, DEF CON CTF is like that pinnacle and like you don't just walk in and We actually have had people walk into the room here and be like, how do I register for the CTF? And we're like, yeah, you you missed the boat on that one several months ago Um, but like there are so many other CTFs that are really good for helping people figure things out get into it and learn So it is it is still a pretty good community I think that's why I like the nopsert, uh at Infiltrate is you could just walk in and join whenever and and yeah That was a lot of fun.
It really was So, oh There so it looks like was that in a QEMU environment? I was I think I know that message message quite well that was on um On r3kapig. I forget the names the teams. I'm so in the Windows 7 one. Oh, I have notes in front of the monitors That's the only way I keep them straight. Yeah That's my cheat sheet. Yeah, it was the non-r3kapig team. Um Sauercloud So Sauercloud Sauercloud Sauercloud is Binja and r3kapig is the the Windows 7 VM So I saw them trying to strace something and it failed and I'm curious if they are in a QEMU user chroot because QEMU QEMU user does not support strace or debugging at all and that's something that gets in the way a lot Yeah, that's super annoying Yeah, yeah, you can't even run strace or something So I'm curious we talked about is like, you know a team wanted to use some real hardware And we're like yeah if you want to set it up and bring it with you So the only rules were teams couldn't have interactive help from other people Right, so they were not allowed to have active humans either locally or remotely contribute in any way But any technology any website resources any tools like fair game right like they are welcome to do it So they were allowed to bring up In fact, I was gonna look behind me. I don't think they ended up doing it But they did ask if they were allowed to to bring hardware to use for some of this stuff. Um, and we said yeah back yourself out All right, so look I I want to point out one one second real quick How easy it was for them in Binary Ninja to make a structure there And they got a really good structure shape when they used the auto-structuring and they just named a couple of the fields And it looks really good. I didn't even have to pay you for that. I didn't I wasn't even looking at that I've been trying not to shill Binja uh, but I am super excited that they're uh, that they're here And this is you're right.
I just watching them like this is a good use of it So you just hit that S hotkey and you're gonna get uh Yes, I mean we we let let's be honest It's not even shilling for anything at this point We know that creating structures in IDA is one of the most painful experiences of a life It's there's there's a couple of advantages, but uh, you know, IDA still has great decompilation I always want to you know, give credit where credit is due. Oh for sure. Yeah And and it is interesting actually a good number of the teams are uh, are our heavy IDA users, uh, but it is fun that we do have like a like a like a Binja IDA kind of comparison going on although they're both dark theme too That's also been fun when we see like which state do our people light theme or dark theme I wish the Binja dark theme was darker. I really yeah, it is kind of grey. It's actually not intentionally not like a black Yeah, there might be some dark ones kind of in there, but yeah, that's a good question. All right, so There's the problem. They're missing a hint and we need to tell them that the hint so we're gonna um We're gonna create a hint Because I just saw a note from from ghost who mentioned that Let's I think we should probably just write the word memcpy, which is the hint that we're supposed to give them Um, okay, because I just saw him mention that unless Nick if you want to if you want to tell us something specific you want to give them too We're gonna run that hint to them right now To make sure that they get that because yes, I think if they're not seeing that Uh, they're still I mean I look on the one hand Um, yes. Okay. We're just gonna literally just go give each team a hint. It just says memcpy. That's all it says Perfect. Oh, we're getting strings grep, what are we grepping for? Oh looking for okay Interesting That's an interesting way to figure out what the loader is.
I I wonder what they're having issues with I mean and we did I so I believe we did package up and give everyone the the ld and the uh, libc that we used on each of these so unless it changed People aren't gonna get thrown off by that. Are they? Uh, by giving so yeah, that was one thing what I was concerned about with because We didn't want to give them those because they needed them for exploitation We gave them because they needed them to run them potentially right and so it is a little bit of a weird signal and that was something we debated and we decided like, you know What what should we do? Um, oh they immediately into that memcpy is that hint out already. Yeah, the hint went out to them So they definitely have that uh, so we should see them redirect their attention pretty quickly now and I'm gonna plug in my power to my laptop here Both of them have been honestly documenting their database is quite well. It is something that I was kind of surprised with so they've made structures I I saw that allocation the calloc of I think 1018 hex bytes or 1020 hex bytes And it seems like all of them have completely defined the fields of of that structure Uh, so they seem to really want to understand exactly what this program is doing Yeah, and you used to see more like hacky stuff in CTFs, right? And so even this being a speed round I think people have realized we still need to do a little bit of this work That's a lot of X that's a lot of X's What do we do? We're just creating a string. So we're just doing a lot of counts. Are we going to like save that or we're just Interesting, where are we sending that but they're they're prepending. That's an interesting way to assemble a string What is I would have just calculated the length and padded it out to the the total amount I've never seen that zfill string 10,000 not zfill command not found ljust Are they are they manually doing uh, like string formatting?
Yeah, that's that would have been a simpler way to do this. I think right like Like like this this this yells out to me like C++ string formatting where you have to cout and pipe everything and use all the classes So I think they're just trying to create this this this string. Sure. Oh, okay That matches the the pack structure remember we saw earlier when they were like dumping the structure of those packages So they're like they're create they're creating this package type notice this file directory open file Command not found so is that after it's it's hard to tell when they're sometimes when they run these commands It's really hard to tell whether is the output of the command like truncated and the rest is going to the shell And so the shell is telling the command not found which is often the case or is it actually the original program? What's that you can open no such file or directory So that's why oh no an open though would have to be from the executable. Yeah, right that wouldn't be That's curious to me. Why is a random thing getting opened? Yeah, do they have the ability to include or something? I guess there's install package. So maybe it's the name of that file So we see that memcpy of file paths right there and I think that's the like thousand hex byte buffer It's hard to completely guess what it is because these scroll by so fast Oh, man You should some of these some of these people are so hard to follow because they're flipping around so quickly And you kind of like get a glimpse of something and then you have to hope you can you can recognize it What are the suggestions?
It's kind of tough to think about sometimes, but your brain knows what it's about to do. That's something I notice a lot when watching speedrunners as well: you often can't see dialogues and stuff, because they're expecting that. I guess you did Rubik's cubing, you do cube. You can't really watch someone make the decisions, because they already made the decisions before they even... it's just a smooth execution. I'm still not there yet; I have pauses in my solves, right? But yeah, for the good people it's already a part of what they're doing. So yeah, we've seen that in several of the players here. One of the suggestions we got is: could you release the binaries too? We didn't have it logistically figured out here, but it's an interesting idea. We have to be careful with, you know, teams cheating and piling on and somehow slipping an answer to a competitor while they're doing it. But it would be great to have a format like this where you absolutely could have a chat in an audience. Although doing it not on camera is just way easier, right? It can be really hard to do this under the pressure, under the gun. And like I said, you've done this, you know what it's like, you sit in the hot seat. So the consensus so far from Ghost (we just got a message from the challenge author) is that it looks like we've got Sauercloud on the right track. Which makes sense: you see them building this kind of package blob, so they clearly know something about the structure of it, and they're creating something here. Yeah, they've got several different types parsed. It looks like, what do we have in here? A type field, some padding bytes, then a pointer to the buffer, a file data, which is a uint64, and a file path, which is a uint64. I'm guessing those just haven't been filled yet.
That probably hasn't been correctly typed. Yeah, I think that path is actually inline in that structure. There is a malloc, I think, or a calloc of 10 20 or something, so it's just a fixed amount, right, and they're not adjusting it based on... "No such file or directory", "parsing object of type one". Okay, so there are types now. Does it loop here? Trying to see if this is like a TLV or something, because it looks like they have a type one and a type zero. Yeah, and the way I would interpret this is: there's a 1 million or a 10 million there, followed by an 8, followed by the x's, followed by the zero. So I think that's a type one, the eight's the size of the payload, which is just a single character or a string that's parsed, and then the second type. So it looks like you can have multiple types in here. Look, so is it those eight x's, is that actually the eight-character x string? I don't know for sure. Yeah. Sometimes I like knowing the answer and what the program is supposed to do, and sometimes I like figuring it out with the competitors too. It's just interesting watching them too. You see they're hand-crafting this message now. They seem a little frustrated. Okay, that's a hang. Oh, okay, we've all done that a lot. So what was that? I was looking at the screen: "parsing object of type x". So they basically handcrafted the header and then they pasted a bunch of the x's. And they seem to... oh, they're going in for a GDB approach. And when you break out a debugger, you're really getting in there. What is "challenge", actually? So "challenge" is the binary name. Just beware, the way the bundler wrapper script works is that every round it will package up the challenge; it's just called "challenge". This is literally QEMU just doesn't support this. Oh no. Yeah, this is exactly what you mentioned earlier, right?
That's exactly what you're talking about. Oh, yeah, let's go take a look at r3kapig. I don't want to... yep. Yeah, they're going to experience your pain. No, they're not going to be able to use the debugger in their environment here. Yeah, it just doesn't support ptrace. Now it looks like they're trying to run strace, and you can do QEMU under strace: there's a built-in strace. It's a little bit worse than normal strace, but better than nothing, right? Coloring, yeah. But that's kind of the way you have to go if you want to go with this approach. qemu-user is a fantastic environment to get things up and running in, but there are a lot of rough edges, a lot of bugs, a lot of things that just don't work. Yeah. Well, they're bringing their documents to something else in the meantime. Let's go back over to r3kapig; we haven't looked at them in a little while. So I still see them in IDA, and I feel like at this point, you know, 30 minutes in, if you're still looking around in IDA it's probably not a good sign. You should hopefully be, you know, using it as a reference. Yeah, oh no, it's a good thing we got a fast network here. Yeah, we actually have a pretty good connection, honestly. Because if it weren't there, they're done. Yeah, the rest of the competition... I'm sorry, you only had an hour and that was your download. Yeah, wow. So it's interesting here that there does seem to be a big difference in approaches by r3kapig and Sauercloud. Yep.
Yeah, no worries. And it looks like r3kapig might be a little bit more on the static side. Yes, and Sauercloud might be a little bit more on the dynamic side of things, which is where I find myself: normally jamming things in, seeing what messages I get back. Yeah, although with this, where it's a different architecture, I can totally see somebody who normally goes dynamic just not wanting to mess with that, right? Like, that's not a crazy thing, but when you've got to go do a different architecture, you try to get more static than you might normally. Yeah. So how big are these teams working right now? So the teams themselves, we've actually had a massive number of combinations. Some of these teams are a hundred people, some of these teams are 40 to 60 people. There are a lot of really large teams. In fact, there's even a whole website; maybe we can drop a link in chat for folks, or somebody else can post it. Yeah, we're getting some spam in chat. Can you kill the spam? Oh, is this not spam? Oh, this is the good spam. Okay, so, good spam. Oh, are they supporting one of the players or something? Okay. This is the... oh, an esports meme. See, I need to be up on my memes. So, that's all you guys. Sauercloud is even installing a lot of packages as well. Good thing you have good internet, because both of them have already blown through their 100 meg budgets. Yeah, they're tethering; tethering would have been under the expensive ones at this point. Let's see. So yeah, Sauercloud is actually 30 people here in Vegas, 20 people remote, so 50 people total just in Sauercloud. Like, these are large teams, and they sent the best person from each team to come here. Right, I'm looking for my paper. Oh, I think I gave it to you; it had the scores on the back.
Oh, no, I can't give it to one of the teams. The hint page on one of the teams actually gives the scores. I was going to... so we've got the point totals that each of the teams are going to get for their placement in the live CTF. So, because again, every team here is here primarily for DEF CON CTF, and then the live CTF is basically this extra bonus point pool that they can win depending on how they do here. And so I forget the exact numbers, so I'll kind of eyeball it. But I think it was, if you are out in the very first round... So we started with 16 teams, we're done with our round one, and we're now into the second round. Everybody who's out in the first round: zero points. Everybody who made it to the second round gets like 668 or 600-ish points. And then everybody who makes it... so that's going to be basically four teams. So we have eight in this current round; four of them are going to get 600 because they don't move on, they just get the 600 for making it here. The next teams that are going to be third and fourth are going to make, I want to say it's like 2000 points, so somewhere in the 2000-point range, and then first and second are like four and two, or maybe it's a thousand-something and then it's two and three, four. It's basically between zero and four thousand points that you can get, and so we'll pull up the exact amount. And for context, right now the difference between the last-place team in the overall event and the top team is about seven thousand points, so four thousand points is a pretty big deal. It's a pretty big deal.
It really... honestly, I'm a little worried that we didn't want to completely disrupt the game, but we wanted teams to take us seriously, and I definitely think we're on the serious side, because honestly, any of the teams in the top eight at this point that solve this, depending on who gets second and third, but you know, a second and third and fourth basically could easily kind of get the win. So although it is interesting too: of the top eight teams in the DEF CON CTF, seven of them were in the top eight in our bracket. Wow. So this really strongly correlated between people who did well. I mean, it kind of makes sense; it turns out they've got really good exploitation, really good people, and they're coming here. Oh, okay. So we're still okay on time, but I'm a little worried that there's a lot left to go in terms of even stabilizing this thing. So they both seem to be fighting a little bit with their dynamic environment. It looks like both of them have the binary running, but neither of them seem to be getting the introspection that they really want to have. Yeah, so Sauercloud did just move back into actually building a payload, so maybe, yes, they've got something. That would be great if they've got some progress, but I do think it's going to hurt them not having a dynamic environment that they can instrument, right, not having a debugger. But just in terms of most of the matches, you kind of take that for granted. So I think in hindsight, this challenge being both a little more complex and being a different architecture, this is unquestionably one of the hardest challenges.
So we will see. Crossing our fingers that we don't have to go to a sudden death, because I think nobody wants that; the competitors want to solve it, and tension is so high in a sudden death. Yeah, oh yeah, and it just feels a little more luck-based. It feels a little more like, you know, it's just too quick and too fast. But it is still a very valid test of skill, because it's just all about the speed, which is very much kind of the theme of this. So we'll see what we need to do. Interesting: p64s. So str(v).zfill(8). I haven't seen much Python development. Well, p64s is... I'm pretty sure that's a pwntools wrapper that's going to... is it pointer to string or string to pointer? It's something. Yeah, I think I bet you if we pull up the pwntools docs we'd find that, because I have seen that in some of the other scripts, although I clearly need to practice more. I think, you know what, maybe we can have Carl come in on voice and tell us what p64s is in pwntools, if he knows p64s. Yeah, so let's get him to have an implementation right there. Oh, do they implement... oh, I'm sorry, I'm so foolish. I thought it was imported. It's not; it's on the screen. Thank you. I should just read. And they really like their zfill, don't they? They really do, and it's just strange, because I don't think I've ever even used that in my life. I've used a couple of the pills, but yeah, niche, that's filling. I'm going to pull it up in my pydoc right now and just implement it real quick and see what it... I just think they could have easily just done instead, like, a... "Pad a numeric string with zeros on the left to fill a field with the given width." So this is just percent, you know, zero, number. Yeah. Ha, interesting. Oh, pad to 64.
Yeah, okay, so they're just... because does this do like an atoi of a very specific length? Oh, they do a... well, dprintf, a percent 7 o u. That's writing the blob. Oh, so they're reading the code that produces a blob, a valid blob, in there. Yeah. Well, have you seen the memcpy yet? Because they're kind of... I haven't, actually. I did see a memcpy at the end of the function that is handling the switch. So they do have like a write-package-blob in here, which looks like that. They're implementing this functionality in Python right now, right, just so they can create a valid package blob. And there's the memcpy at the end. So right after it reads it, it does something with a memcpy, and they seem to be interested in this. So there are stack canaries, there's no PIE, there is NX, and their RELRO shouldn't really matter too much in this specific case. So I think this would potentially be a heap overflow, because this allocation, from what it looks like... we have a couple mallocs in there of sizes that I think are user-controlled, and there was a calloc at the start for 10 30 hex bytes, which I think is where the big thing was read. Interesting. They are doing something that I do a lot, which is run it multiple times and see if it somehow works the next time, which is never the case, but it feels really good to do. Just maybe, maybe the first run, for some reason... You've heard the definition of insanity. There's like a stray gamma ray that hit my RAM, flipped some bits, and you just never want that to be the reason you lost. So, well, we did see a couple of you brute-forcing offsets by running... And speaking of which, they would just wrap it in a loop and try the whole thing at different offsets until it worked. So that's, I mean, that's a tried-and-true technique. It's tough, because that sort of strategy...
I think it is the fastest approach. Like, quite often, if you're doing something like... I'm not sure it's the fastest way to go, but the risk is so high, because you build up no knowledge by doing that. Yes. So if you miss, you're back to square one. Yeah. Yep, I know, I totally agree. And I love the game-theory trade-offs of that risk/reward, explore/exploit kind of thing. So we do have a question in chat from J3 about who participated in the creation of all these live challenges and how much time it took to create them. The time varies tremendously. This was definitely one of the bigger challenges that took a lot more time, because of the structure of this and the logic behind it, and creating the working exploit was a little bit more work. Compare that to n volums, for example, which is the one earlier, which Carl wrote last night as I sat next to him, and we laughed our butts off, because it was just like we made a menu of every vuln type we could think of, and the ones that were jokes, like cross-site scripting, we just printed a funny message. And then there was a bunch of other ones that we actually built little primitive prototypes for: you have a format string bug, you added this plugin. So it was like, yeah, there's a lot of bugs, which one's fastest? I don't know, figure it out. And so there was a couple of trolls. Like, there was a stack-based buffer overflow called gets, but then it immediately exits before you return, and so yeah, you have a pointer that you never got to. So there was a couple of just little mean things. I mean, they didn't bite on that one; I think everybody saw that and caught it.
So we definitely had a bit like that, which took like an hour to throw together, maybe, even including putting together a little exploit, knowing what the intended solution was. So some are very quick, and some take a lot longer. What are people chasing for here? There's not like a key or anything, because this isn't server-based, so there's no hidden secret. So it's just who gets... Oh, this... no. So there is a server here. This is running on our infrastructure, and we have got it in a qemu-user as well, instead of Docker, and if they have an exploit working that they run against our instance, they get a shell. And there's actually a suid binary that they can run, and each team can run it with their team ID, so depending which side of the table they're sitting on, they're team one or team two for each event, and it will actually automatically trigger an OBS overlay so that we get a little winner dialogue. So occasionally... That's awesome. Yeah, occasionally, when we're not paying attention, we're looking at one team and the winner thing pops up, and we're like, oh no, we missed it; it was happening over on the other screen. Shout out, of course, to all the people doing challenges and logistics. I know how hard it is to put stuff like this on, so thank you, everyone, for doing all that. I'm sure it's been a stressful week for a lot of people, when DEF CON is a vacation for many others. It's been very, very busy. Okay, so we got a hint, by the way, that we're going to give to the teams, from Ghost, and so there's a hint that went by real quick for me, but I think with the production crew... and so yeah, let me just give a quick summary of some of the folks. So there was also the question of who's been working on challenges, right? So we had, I was saying, I think about six people. I, like I said earlier...
I mentioned I worked a little bit on Story Time, but I primarily did all of the streaming infrastructure, so the overlays, some of the OBS setup, the camera, the lights, the sound, and that was my responsibility, getting all that stuff. We had Josh and Glenn, who cranked out a bunch of challenges, worked on a bunch of that stuff, and also did a little bit with the infrastructure for the game network, for the thing that teams are throwing against. Carl did a whole lot of everything. So he wrote a lot of challenges, he also helped a little bit with the OBS, so the binary that triggers the overlay and some of the other OBS stuff that automatically updates teams. We actually have separate infrastructure that every round automatically pulls from a challenge and will update our brackets and update which team is playing in any round, and that's fully automated. He worked on that. So yeah, it's been a lot of people. And just for context, this is like a little bit of the Nautilus Institute CTF game, which is even a much broader, bigger... they've got twice the number of people that we do that have been making challenges for a long time too. So, you know, the teams have gotten bigger, but so have the organizers, the number of people that are playing. So yeah, that's pretty crazy. We are coming up... like, r3kapig was putting a /bin/sh in there for a script or a string, so they seem to have some idea that they can maybe run a script or run a command. I don't know if that's the case. I did see a system. So there is a new... real quick, the hint that's going out now says "file data". Oh, give me the full text again, because I forgot already, too little sleep. "File data and script text overlap." So that's the hint: both teams are at "the file data and script text overlap."
So there's a union between those two, and that's the next hint. But I actually really like this challenge; I think this is a really nice challenge. I just think it's a little large for one screen, right? Basically, all the logic is there, but I still think it's going to be too much for the time period. So I'm predicting this is going to end up a sudden-death one, because I just don't see, even with the second hint, I don't see anybody close. I mean, we're seeing /bin/sh, but I don't... yeah, I don't know; that's actually a wild guess. Yeah, I don't think that they're actually... I would love to be wrong. I would be ecstatic if all of a sudden a winner pops up, and it's happened before. I did see a failure to open a file, like "File name too long", which means that they definitely passed a bunch of A's. I think that was Sauercloud passed a lot of A's. I think they had that one open call; I think they had that one like 20 minutes ago. I think I remember seeing that same exact error message earlier in the stream. So I don't think they're hitting new stuff. It feels to me like they aren't moving with the intensity of somebody who knows what they want to do, right? Like, they're still exploring. So this is what I just feel like: they don't have enough momentum to finish this one out. And again, this is not because they're not good; it's because this is just a hard challenge to do under the time pressure, on stage. And so r3kapig has a comment saying "overflow on that memcpy". I mean, well, we did tell them to look at the overflow, or look at the memcpy, so that's a reasonable guess. And then it looks like there's a file handler, which is some sort of a function pointer, so there's some sort of a dispatch, maybe, based on it. So here we see there is some sort of TLV structure, and you can have multiple of these types kind of together.
I wonder if there's more of a type confusion bug. If there is an overlap there, maybe you can cause validation of a path but then send a descriptor, or vice versa, or something like that. Yeah, that's a good point. I mean, that does make sense with the hint that we just gave them, right, that those data overlap. That does seem like a good hint that that might be the case. Okay, so back over there. So running in QEMU. So I think the current plan is we're going to let them run. So did we start exactly on time on this one? Do you guys remember what time we started on this one? I think we were pretty close; I think we were close to on time on this one, so we can go a little bit. Yeah, we don't have a whole lot of time, because again we have to do the last challenge. So we're going to go to them in just like four minutes, and I'm going to give them the option, and we're going to say we think it's time for sudden death now, unless you both really want to keep working for a couple more minutes and you think you're really going to do it. Because we do have a sudden death that probably is doable in less than five minutes; we've got some easy ones, so we can drop one of those. "Current state: pretty lost how to leak, gdb is broken." Yeah, okay, so that's definitely a request for... we're going to have to go to a sudden death, because I know that Sauercloud is not willing to wait, because they don't feel like they have any progress. Yeah, you can't gdb in that environment now. Yeah, you can't. So you can actually debug this in two different ways. You can use QEMU_STRACE=1 to enable strace-ing in QEMU, to see what's going on. You can also do QEMU_GDB=<port number>, and you can connect into that GDB session that is spun up by... you're using the GDB interface from QEMU itself, right? Correct. Yeah.
Yeah. Yeah, it's a little bit scuffed. It is. I tried to use that before. Yeah, it'll get you what you need. Okay. All right. So it's not... I don't think that multi... or, oh, I don't know. We're going to debug it, and that print does look like it's a QEMU sort of one, but I think we're going to try to do QEMU_GDB. I think we've got to go to sudden death right here. So let me cue this up. We're going to make sure sudden death is coming up. We're going to go to intermission. No, we can just leave it on the camera; I think it'll be fine. We don't have to go into intermission. Well, we'll go over there; I'll tell the teams we're going to sudden death. Unfortunately, it was just too hard of a challenge. We're going to prepare a new one and we'll unleash them on that. So I'm going to take my headset off and I'll be right back. All right. Yeah, I think it's just me and y'all. How's everyone doing today? People enjoying the CTF content, having some fun? I'm very curious to see what this sudden-death challenge is going to be; that's definitely going to be interesting. It sounds like they do have... they said some things can be solved in less than 15 minutes. I am very curious what kind of challenges they're going to pull out here. They could just be ridiculous, you know, standard stack overflow sort of things. I wonder if there will be mitigations, or cookies, stuff like that. So I can't wait to see. Alone with gamuza. Hey, how's it going? CTF content is fun, for sure. It doesn't even cross my mind too much, you know, when Jordan reached out and was like, "Do you want to do some commentary on my CTF?" Absolutely, why not? Sounds super fun. So it's so fun to see people working kind of in their own environments. I'm guessing those are the competitors right there. I actually don't know; I'm not physically there, I'm in my house. But I'm guessing those are the competitors.
So we're going to go ahead and do this in five minutes. We're going to wait five more minutes. The conversation with the teams: r3kapig is convinced they've got it. They think they have it. All right, so I love the confidence, and we'll see if they can do it. Sauercloud is like, "I don't think so, but I'm willing to go for a few more minutes." And so we'll just keep an eye on it for five more minutes, but we're going to be ready to go, because we don't want to eat into our last match too much, because we're trying to keep on schedule and be fair to all the teams. But let's see what they can do. Someone asked, have you learned anything cool from this? I think that was directed at me when I was kind of here alone. The only thing that I saw here that really stood out to me, that I really want to figure out, is someone had something that auto-quoted a string. They were trying to convert an actual command-line thing into the strings that you have to pass in as an array of strings, and they did something, and they were in Sublime. So I don't know if I can do that; I mean, obviously you can do anything, but I would like to learn how to do that, because I spend a lot of time putting quotes around things. I've seen a couple of little tricks like that too. Yeah, somebody else earlier was using Sublime, or was it... maybe even just Visual Studio Code, but they were doing a multi-cursor thing where they did the multi-select. Actually, it was Carl last night; we were doing challenge creation. So yeah, that's the best part, right? It's not like "oh, I learned this new heap exploitation technique." Sometimes it can be, but a lot of it's just like, oh, I didn't know about that command-line tool, I didn't know about that feature. So yeah, this is interesting. So they're looking at the script handler.
So it looks like r3kapig really is set on the script side. All right, let's ask. I'm curious to have a challenge author... if Nick is still watching the stream, as we're focusing here on r3kapig. Oh, Sauercloud really wants a debugger. Oh, I feel that pain. Yeah. And I don't think their GDB is broken; that string looks like the command that you get when you run... Either they're in a weird environment where ptrace is not allowed, or they're trying to run GDB in that QEMU environment, and QEMU will not take that. Yeah, but they should be able to do QEMU_GDB. Obviously, that's going to be a hard one to figure out. I mean, if they ran "qemu -h" it would be right there, in like 10 lines of text. Yep, and it even just grabbed it. But maybe it's their actual host environment that isn't allowing them to debug. But that message looks exactly like "ptrace not supported". You literally predicted it. You called that from the very beginning. You said, oh, they're going to run into this, and sure enough, they did exactly that. So I think you're right. Okay, so we did... oh, all right. So we're looking back over here. We got a segmentation fault, but are we looking for gadgets? I mean, r3kapig might be making progress here. They were looking at that blicks right there, and when I see them looking at it, it looked like they're just looking for a gadget. So, oh, is this zigzag? That is actually the correct way to specify a debugger for QEMU. So this is going to start a debugger that you can then attach into with "target remote".
So, sorry. So Sauercloud is running it with a debugger, or r3kapig was doing that? r3kapig. Okay, yeah, so they were able to do that, connect in; they're connected into the QEMU debugger. So they passed -g. So QEMU_GDB is the environment variable, but for qemu-user you can specify basically all of the arguments; you can also specify them through environment variables, and that sometimes is really useful if you're using... if you're not familiar with binfmt, which allows you to ./ run executables that are from a different architecture, it allows you to pass those arguments even though you're not invoking QEMU, where you could pass the arguments. In this case, they just passed -g 1234, the standard port everyone seems to use, and then they can connect in here with their debugger, and they're actually kind of seeing where they are. So it is interesting. I don't know, are they shipping up an address here yet? I'm not 100% sure if they are. "Bad object type." So I think they're on their way. It does look like they're getting some... and at one point, I mean, they had a... yeah, I'm having a segfault. Usually, when you have a segfault in a CTF, you're at a pretty good start. Yeah, so the author is concurring that they're honing in on it, but the question is, are they going to do it in the time available? And the problem is, if we keep letting it go, right... Yeah, if we know it doesn't... okay, so actually, yeah, listening to the author, it sounds like there's actually a major component that's missing from this exploit that we don't think is going to do it. So we're going to cut over in one minute. We're going to cut over to our sudden death challenge.
Oh, gosh, my heart. Well, we're going to let it go longer, because we do have to go to... one of them wins to move on. But this will just be a very, very easy challenge, and it'll be stressful for both of them. They're looking at the flag up there, the pointer auth flag. And yeah, you actually could see in QEMU they were having problems running this binary until they passed in the correct -cpu all arg, which is enabling all the feature sets of QEMU, and I'm guessing the default CPU probably doesn't actually support pointer authentication. That would make a ton of sense. All right, let me go prepare the next one. We're going to cut over to the new one, so actually I think Carl's... sorry, I'm going to go put my headset on now. I'll be back in one second. Wow. This is really scary, you know, sitting near the flag is at the top of the helps. I've been working with QEMU way too much, qemu-user specifically, way too much for the past like three months. Shout out to can only be a fast tracing environment that I use, so it's... QEMU makes things very difficult; I wasn't kidding when I said there's a lot of bugs. That's not really meant to be a dig at QEMU; it's just a really rapidly, you know, working environment, and if you're not familiar with qemu-user, it passes through basically the guest's syscalls to the host, so it has to hook all of the pointers, fix everything up, translate things, where there's... Five, four, three, two, one, go. All right, we have a new binary. Sorry, sir. What's it? Stop. Sorry. He's got a copy of the same. Apologies. Okay, now go, go. There's like Tuesday break your major get a run to replace the challenge. I think you ran the first and not the second. No, I see. Yeah. So all right, go ahead. I'd like to see how they approach these, but yeah, go ahead and answer your... the other question.
It's not like you were... I cut you off when you were... Yeah, I was trying to explain a little bit about qemu-user, just that environment and how there are a lot of edge cases. There are a lot of issues, there are a lot of bugs, and that kind of, you know, it makes sense. It's really hard to do. Imagine you have to intercept every single system call, you have to understand all of the formats for the arguments, and one of the big problems in Linux is there's a lot of weird interfaces where there's just flipped arguments on different architectures, whether it's for padding or legacy support or some weird bug fix because some GNU software in 1983 wrote it that way and they have to maintain it because it would break too much stuff. Yeah, and don't even... so QEMU has to handle all of those things, translate them and everything, and it's a hard environment. But yeah, you'll run into a lot of weird issues. ptrace is not necessarily a bug, they literally just don't implement it. They just haven't bothered with that API because it is one of the harder ones, they didn't need it, that's a lot of work. Yeah, okay, so this challenge, and we saw this is, you count of zero eggs. How many groups of eggs are you counting? So yeah, Nick, actually if you want to drop a link to your solution into the chat, you're welcome to. At this point that challenge is dead from a competition perspective. So if you're interested in seeing that solution... we want to focus on the teams now because we've got to see who's going to win. But for sure on the YouTube chat, and yeah, number of eggs, for loop, putting into an array. Oh, it can't be that easy. Is it? It is exactly that easy. This is a five-minute challenge, right? This is sudden death, so if we needed them, this is what we got. This is really intimidating. Like, I'm terrible at challenges like this because I don't have existing tooling, like, it's a race, especially, you're nervous.
You're afraid the other person has some auto-pwn script, right? It's just going to solve it. So I feel bad for the teams, because we don't want to do this either. We would love for the main challenge to be solved, but just given we can't let each one go on forever and ever, this is the backup plan that we do have to kind of keep on schedule. So we'll see. No stack canaries. Oh god, they both identified that at almost the same time. Nice, that's fantastic. I'm actually watching the YouTube stream, so I'm probably off from where you are. I know I have it open in Discord, but I see the preview, I see the OBS window, and it's too small to read. So that's why I'm probably off on a lot of my calls. Sorry. No, no, you're good too. And I don't have a way to make that bigger, unfortunately. I wish, yeah, we need... exactly, for future issues for remote stuff we'll figure out a way. Actually, one of the things we're gonna do is we're gonna have separate streams of both. I want to have YouTube multi-camera because you can do multiple streams to the same... Yeah, you can, and I would love to do that. I think that'd be super fun. So, all right. So you give it a number, and I'm guessing you just pass that in, probably scan it for something, and it's just gonna loop through it and it's gonna put num in there. I haven't actually seen what num is. I hope that's not a libc API, man num. Okay, it's not. I was about to say I don't think I've ever seen num. We're gonna send a line, a hundred. So that's the number of things that we're gonna put in there. And all you're really doing is you're racing to find the layout of that stack and really what offset to bang that into, but it's a classic stack overflow without a cookie. Yep.
And yep, for that, in counts. And it's just send another line, and this is probably just another int, so this is probably going to crash. But this is probably gonna crash by jumping to one would be my guess, unless they have to fix anything else up, but I don't think that'll be the case. Interesting, did that not crash? Interrupted, stop process. What happened? I didn't see what the end of their throwing script was, receive until... oh, they're not consuming the interactive thing, so they're not getting the prompt. Yeah, yeah. Interesting. Read enough lines. Yeah, that's a classic. Oh boy, even in the five-minute challenges, yeah, there's a mistake. This is why we normally, like I said, the original plan was at 15 minutes left we cut over if we had to, just because, yep, there's all sorts of little stuff to get you. Now I'm not seeing it yet, I'm still seeing reverse engineering on the r3kapig side. I just didn't see the quick turnaround that you'd expect, but because we're seeing bugs on Sauercloud, I still, you know, you can't predict it. I don't know if the first one to get it clean and get it landed is going to be our winner. Yeah. Yeah, I mean, they're trying to figure out roughly the layout of that stack, which is actually really nice in Binja because Binja has that different... they're based off of the return address, SP, instead of BP, instead of your frame pointer. Yep, and that's just so useful for when you're trying to do these sorts of challenges. I think people get used to it the other way around, but yeah, that was a conscious choice because, again, that was our CTF kind of origin, so it made sense that that was how it does it. I think you're right though.
I think that sort of looking at stack layouts is one of those things where I think dynamic excels. Just throw it in the debugger and just look, just count, try it and look at what your offset is. It's pretty easy to find your return addresses. I also like that Binary Ninja shows you where the return is; IDA does not. So they already know from this -0x38, so +0x38 from the start of their buffer is the return address. Yep. Whereas in IDA you're gonna have to know that there's an RBP there, because you can see the index for i, but you have to know there's RBP there, which may or may not be in there. You have to just look for the prologue and then the return address after that. So there's just a little bit more guesswork there, and I know that's bit me before, and, like, not certain before. All right, so we are seeing interactive from Sauercloud again. They kind of went debugger and they went interactive. They're looking at the counting, and we're still... but I am not ruling out r3kapig, because I've seen too many times where the person just looking at the decompilation just stares at it and then all of a sudden comes up with the solution. So yeah, just as a reminder for chat, we are in sudden death mode. Great challenge, a really cool challenge. I liked my last round, but it didn't... what do we got? They're getting so close. Yeah. No, this, I mean, it shouldn't take too much, so we'll see where they land. Okay, what I have here is actually really nice. It shows very obviously what it's doing. It just... how many groups of eggs do you give it, groups of eggs?
Yeah, which is a number. Then you have to give it a number of eggs in the group, and then you have to give it all of the eggs that it tallies up there, and I think both of them have been running into issues where they're trying to send stuff, but I think it's going to block until you read that string, depending on how you're interacting with that process. Well, and that is the nice thing about, you mentioned earlier, having a custom throwing framework, or using something like pwntools. They're both using pwntools, and that can do a lot of that for you, right, if you properly set it up, or it will just be a recvuntil for you. It makes a huge difference instead of having to rewrite your own each time or pull it in. See that r3kapig is trying to basically figure out what glibc version that is, so I don't know if they just have pre-made payloads for basically all of these. Yeah, I'm curious, that's actually a good question, and they're setting the context manually. I don't think I've seen a crash yet from either side. That's a great point. Yeah, that'll be when we know we're close, right? And I think the main issue that is happening here is probably just sending those things in, because I'm pretty sure that just goes straight out of bounds. I think you have to give it one group of eggs, yep, a million eggs, and then just give it the egg values, but I think they're just not interacting with the program. Yeah, if it's gonna block on that, then they're so... All right, so we actually just saw r3kapig is running ld directly. I didn't know you could do that. Yes, you can. I have seen that trick before. Yeah, you can invoke the loader directly, which, if you're on a different, you know, architecture but you've been provided the loader, you can just have it run it for you to match the state. Yeah, it's a cool trick. Huh.
I know that's what happens under the hood, but I guess I've literally never tried, never considered, like, whatever you were doing manually. Yep, yeah, that'll totally work. Huh. All right, so they've at least got a little interactive framework just to poke at it under their input, but are they... so I mean I'm kind of wondering, yeah, I'd have expected them to be on like an M1 Mac or something, right, like, why were they running this under that? So is it actually that the contents are there for emulation, or is that... oh, did I miss... did we get a crash, or is it bugger all stack in read? But I don't think it's a crash. I think that was maybe a breakpoint breaking in, or even manually interrupting. Oh, come on, Sauer. Dropping into an interactive terminal is definitely high energy. That's not something I normally do. I know, I like the interactive terminal, like, you can automate up to a point and then drop in and then poke at it. And then, oh, simple. Oh, r3kapig's got a segfault. Okay. And I'm guessing that's just going to be PC control there. They're going to have control of execution. So what was the payload? I didn't think they'd actually written them into a payload yet. Yeah, I didn't either. Wasn't it like a fault in the infrastructure? I'm just a little worried that it's like, oh, maybe they just did it manually. Did they say fault manually, or did they? Oh, yeah, yeah, zero. Oh, okay. They did something interactive. All right, so again, as we said, that might be sufficient. This takes the time. Yeah, this is... come on.
This is nerve-wracking. Yeah, it really is. It looks like r3kapig is going to, like, trying to actually write a little bit of their Python right now to probably construct that payload, but I think they're consistently getting a crash. Yeah, I still haven't actually seen... well, it is hard to tell with some of these payloads where they're actually using pwntools to prop open a separate debugging process after. Look at that. They're looking for the end of that specific string. Both of them, I think, are fighting with the same issue. Yeah, they're literally, I mean, that's that fflush of __bss_start, I'm guessing that is zero, which is flushing standard out, and that flush might really be blocking, and they might need to consume the... it kind of depends on how you're interacting with this. If you have the output going to /dev/null, like, that I think would be my approach. So that's a proper way to do it. Yeah, no, that output, I'm sure that... I would say here's where, like, if you really know pwntools, I'm sure there's just straight up an option in there to do that. Yeah, and honestly, that's actually one of the funny things, like, they might be better off just sending it directly and then throwing everything away. Like, you could do this with echo in a shell script, right? Like, it might actually be better off. Yeah, because they have to consume that information right now. And yeah, I'm seeing like an exception in the tubes over on Sauercloud. Yeah, so the tubes library being the pwntools thing that does a lot of this kind of interaction stuff. I don't think we expected to need a hint in our sudden death, and I'm hoping it goes, I guess, quickly.
I think the hint might be like /dev/null. Yeah, that might probably just confuse them, because they're all fighting with it. You can see both of them right now are trying to find ways that they can consume that output so they can actually provide the command line input. I mean, recvuntil should absolutely do it though, right? They should be able to recvuntil. I don't know if they're just not doing it, or, again, ignore it entirely. Like, either recvuntil, or just absolutely, like, send it, ignore all the output, toss it away, use something else. Yeah, so I think we're getting the first throw attempt here from r3kapig. Yeah, I agree. There we go. What do we have here? Oh, their script. Crash. I don't know how, I think they just... well, the one I'm watching, they just switched away. They're back in, back, and I just for a little bit... All right, we do actually have a hint coming for sudden death: watch out for clobbered counters. Do it. Oh, let's write it up. Oh. So there's a side effect to what you're overwriting, and, oh, look at that. We actually see r3kapig in IDA right now naming those things on the stack, and I think they're figuring out that they have to fill in those fields because they are clobbering them. Oh, okay. They might not even need the hints, actually. So if one of them makes progress on it... I mean, r3kapig just named every stack variable, and I think they're thinking through what the ramifications are right now. I see it in their mind right now: it's what are the ramifications to overwriting the length, the j and the i, and I think they're trying to figure out what that means. Yes, the problem is, so we've got to decide: do we give the hint anyways, because we don't know for certain, they could just be staring at it, or do we hold off because one team kind of has an idea and the other one doesn't? This is tough.
I would be really surprised if r3kapig doesn't see this right now. They just wanted to name those; they're looking at where they're used. Yeah, specifically they're not looking at where their buffer's used. They're looking at where the things that they're clobbering are being used. I think they are entirely aware of the fact that they are damaging other locals. This is actually an interesting challenge in that the buffer that you're copying into is actually at the start of the stack, and honestly, I think that's almost a dead giveaway, because that would never happen. The compiler would always put the buffer at the end of the stack, especially any modern... Yeah, and if it looks like it's a large buffer, like a char array or anything like that, it automatically gets put there. Right, you would have to go out of your way to put it ahead by, like, writing in assembly or doing really weird command line args and setting that up. So you know that they intentionally put the buffer before those stack locals, which I think is a pretty big giveaway of, hey, there's something going on here. You know, these values on the stack are intentionally after your buffer for a reason. So we're really going to need to see them constructing something where they're passing in those correct fields that match up with probably what they're actually sending. Yeah, they're sending a count, they're sending, I think, a number of egg groups and a number of eggs in a group, and I think we'll see them fixing those up such that they overwrite them so that they stay the same. Yeah, and I'm even looking, even Sauercloud is looking at the stack as they overwrite it. They might be in a debugger trying to figure that out. Yeah, I want to see if they're doing... they might be doing something similar, which makes sense if you've got this overwrite, and it appears to be... Involved was easier than this.
Yes, yes, I think you're not wrong. Oh, come on. Yeah, I think both teams are basically on the right path now. No hint is going to be necessary. This is the knopsert problem, where you are fighting your dev environment. Yeah, you're not actually... they all understand what the bug is. They might not fully understand the ramifications of that overflow. We can see a breakpoint being set specifically on that sub rsp, so where it's setting up the stack. I think they're confirming the exact layout of the stack matches what they expect. I think Sauercloud's going the more dynamic route to see what is actually on that stack. I'm waiting for somebody to do something else, like geohot's QIRA tool, right, where it was like a... because honestly, being able to actually just visualize and look at a stack in something like this would be really neat, because you could look at the before, you look at the after, you want to be able to rewind and pull out those values and figure out what offset to put it into your payload. Like, you could just visually build your exploit, essentially, that way. I think one of the easier dynamic approaches here would be: there's no pointers on the stack, so that's pretty easy. I think the easy approach that I would go with is throw a non-overflowing payload. They know that the size of that buffer is... oh, spare.
Yeah. So if you throw a non-overflowing payload, put a breakpoint on ret and look at what the stack looks like at the end of the function, you know what it is supposed to look like in a valid function. You can probably find your 0x20, patch that in, and then correctly fill in those stacks. Just build it block by block, where you first get to the local, then you include it in your overwrite, then you get to your next one and you include it in your overwrite, then you keep going through it one at a time. Or actually you can probably just do a straight shot looking at them all, and then if they're all going to be contiguous anyway, it's only 0x20 bytes. How many locals are there, like 0x18 worth of locals, which is... I missed that. You know, it's funny, I was mentioning QIRA, I had somebody in chat point out that Sauercloud actually used rr to do a rewind. That is actually another way to do it, right, like you can blow it out but then you can rewind on the stack and look at the value there too. Yep. That's okay, Sauercloud right now, at least for me, probably 10 seconds behind, they're constructing, they're putting the right values on the stack right now, or they're putting what they think are the right values on the stack. I don't know if they're right or not, but they definitely are aware that they're clobbering things that they need to fix up. Oh, man, I'm gonna need a good break after this stream. Thankfully, Carl's gonna take over and join you for the last... Second, I'm gonna need to rest my voice. This one's been crazy. Absolutely. Oh gosh, it's really coming down to the wire on this, and it's really fighting tooling here is what it really feels like, a lot of getting debuggers set up. I mean, Sauercloud obviously was very frustrated.
They couldn't get a debugger running on a key challenge. Yep, that's, yeah, especially if you are more dynamic and your debugger is not working. And that's where CTFs like this can be really challenging: you go head to head with someone who's static, and you do debuggers, and your debugger doesn't work. Yeah, and I can guarantee you their IDA, their Binja, whatever they're using statically, is going to work in every CTF challenge. Yeah. Yeah, very rarely will somebody build something designed to break a tool like that, which is basically what it takes at this point to make one not usable. Yeah, exactly. In chat, we're saying photo finish here. I agree. I mean, that's kind of the nature of a sudden death, is it, you're likely to get it? But we're looking at... yeah, I'm waiting to see this one happen. This one is, I guess I'm glad this didn't happen earlier in the day, because if it had happened at the very beginning we would have had a long day. We do actually have the option of moving our last match of the day to tomorrow morning, so it's entirely possible that we actually decide to rearrange and move that, which might be a little bit before your normal waking hours, Falk, but you are a night owl even by West Coast standards. So, which I actually often see, you're awake, and I'm waking up in the morning and we're interacting on, like, opposite coasts and opposite times of the day, like, relative. Yep. Yeah, right now I'm going to bed at like six or seven a.m. So it's rough. I've been working on a fun project though. So, oh, neat, neat. All right. Yeah, actually having something good to do and having something you're excited about, though, actually absolutely makes it harder to go to bed early, like, it's too easy to get consumed. Oh, come on, I see them creating byte arrays.
calc known egg. Yeah, I don't, yeah, they're both... I'm just really surprised, because I'm pretty sure my view is that you could just throw something in bounds and not corrupt the stack, right, and then just literally fill in everything verbatim the way it existed. Yeah, maximize the size of what it could be without overflowing and then use that as a template. Yeah. Yeah, break there. There you go. So we've got actually a chat question: do you get a sudden death sudden death? It certainly wasn't planned. In hindsight, we're gonna switch to a challenge where it's just a foot race, first one to reach the other end of the Strip wins. Oh, I'd rather do this challenge than that for sure. Respite. Yeah, especially with the heat right now here, it's crazy. So what happened? I heard there were floods there. Yeah, two nights ago there was, oh, it was like this massive, like, monsoon. It just hit. I mean, actually a month... Oh, hold on, process stopped with code 11, SIGSEGV. Hey, I think that is Sauer's first segfault. Okay, so that's a good sign, but I'm, yeah, I'm putting my... okay, I'm moving my chips over on Sauer, but I might hold some in reserve because r3kapig, I could see them... r3kapig is architecting. Yeah, r3kapig is going for the solution where they're gonna run it and it's just gonna work. Exactly, exactly. If it doesn't, that's when it really starts to be frustrating, because it's like, oh, what did I do? And now you're reading over your code 50 times. Yeah, exactly, whereas on the other hand Sauercloud's kind of incrementally, like, try and break, try and break, until it's gonna, like, all of a sudden build up to a correct solution. So yeah, I love to see the differences. It's a completely different approach. You see this in programming as well, you know, the type of person who writes 2000 lines of code, then fixes the 3000 compiler errors.
Yes, or the person who, every time they change one byte in the code, they recompile their whole code. Yeah. Or the very, very rare people that write 500 lines of code and it's flawless, and you're just like, how does your brain work like that? I don't understand. All right, so we did get a question in chat about... not a question but a response: the flooding was clearly because Sauercloud arrived. That happened. So I think that's the flooding. I see. You know, there were parking garages that people were swimming in, like, just flood water that had flowed through it. There was dripping in the hotels. It's been a little crazy. Wow. Oh, man. Yeah, I think we needed a command injection bug where you put a semicolon into a variable name and, yeah, I guess so, run it that way for our next one. So this was slightly harder than... although I will actually say I think they're making this harder than it has to be. And I think, yes, this is a problem that I definitely suffer with when you go from a much more difficult challenge into a simpler challenge, whether it's just life or whatever, you're still in that mode, you're still in that mindset. Yep. And you're still in that "we need to architect this, we need to make everything nice and pretty and good," and sometimes that fights you, because you end up overthinking the problem. Yeah, I agree. And in fact, I think that in some ways we didn't compensate, and kind of in our game design think about, like, a psychological effect: if you just spent an hour or 50 minutes on a really hard challenge and made progress, and then you get something brand new, that's worse than starting from zero. That's like starting from negative, right?
So you had all this mental energy focused on that one thing, and now you have to completely step back into something else. It is going to be even kind of something extra. So I think if we had launched this from the start, they'd both be done by now, I have no doubt, right, like they would have absolutely... Really curious what's going on with r3kapig, because they haven't run anything for like five minutes. They are architecting. They are, like, yes, reading, statically analyzing the code, and they are constructing that stack perfectly. Well, I will say r3kapig was frustrated, I think, by the end, and was thinking they had more time to finish the other exploit. I think so. This may have been a different... So teams can send a different team member between rounds, right? And so everybody who played in round one should have already been very familiar coming back. They've been told twice now about the sudden death and they knew kind of the setup of it, whereas they may not have been as aware, as this is their first round. And so I love this challenge. This is great. This is a fantastic challenge, eggs in the basket. This actually could have been a... this is very, I know I keep saying it, it's very not sturdy. Yeah, you see someone come in and sit down and just do it in 30 seconds, and it's like, oh god, was my approach so bad? Yeah, why couldn't I have done it that way? Yep, exactly, because everyone here absolutely has the capacity to probably solve this challenge in under a minute. Like, pop it up and just... It's that mindset.
It's really where your head's at. It's the first issue that you ran into that causes you to change that focus and really drive down a certain path. And I don't love, if we switch back over to the camera in the room, if we show that, like, if you can see there is a crowd gathering kind of around them, like, off to the side here. Let me see if I can zoom out the camera a little bit. There is, like, just off camera, there's actually some big groups of people here, where they are kind of surrounded by people. So that really can be nerve-wracking. Like, that can add and amp up the difficulty of, you know, you're just trying to solve a challenge and you've got people around you, you just failed with this other challenge, and this is, yeah, this is rough. So, I don't know. r3kapig, we've got Googling Python bytes to array. Oh, no, just use Python 2. We didn't have this problem. Yes, yes, listen, listen. I'm sorry, that ship has sailed. It is time for 3.
I don't disagree. It is worse for that problem, but there's actually, Python 2 has gotten better, it's gotten a whole lot better. It really has. Yeah, I switched to Python 3 like six years ago and it pains me how long it's taking others to shift. Yeah, although now that both IDA and Binja have fully deprecated Python 2, I think Ghidra is your only option if you want to run Python 2, and then you're running Python 2 through Jython, which is its own monstrosity. Yeah. I mean, oh, graph view in Binja over here, for I think the first time maybe. I mean, we're just disassembling. Graph view is personally what I always use, like, you can infer a lot of what the program is doing based on the shape of the graph, and you lose that in ILs, you lose that in disassembly, decompilation, and Ghidra really put the code on the one side and the disassembly on the other side, and now that's what I do in all my environments. I do that in IDA side by side. Graph view is like mandatory, and that's actually... you want decompilation on one side and then graph view disassembly on the other side. Or yeah. Yeah, I still prefer disassembly in graph view personally. Really? Yeah, like disassembly is like graph view. Oh, sorry, not for my default, right? I want to have a high-level IL as well, but if I'm looking at disassembly I want my graph view. Oh, come on. I think we're about to see r3kapig... how many, like, they're just, calc known egg, they're calling their functions. They just spent a lot of time constructing this function and now they are using it. Yeah, and there's a lot of math and a lot of constants and a lot of numbers in here. I have no idea if it's right, but all right. It feels far over-engineered versus just breaking in a debugger and then looking at it. But you know what?
I'm pretty sure you could just, like, gdb attach, write mem the stack, load that up into your thing, and then write the first 40 bytes from an existing valid copy, paste the buffer and just put it right there. What did we just get there? We got some sort of a crash from r3kapig. Oh. Ooh, did they crash on leave? No. They are on... Oh, can't play see it. Yeah. Okay. We are giving them a hint that tells them exactly what the exploit is. It is what they basically say: too many bytes here, stack smash, and there's a win function, like, no shellcode, there's a win function built in. We're trying to give them, like, this is the handbook and stuff. With r3kapig, I think r3kapig just either put a breakpoint on the ret to see where they are or they just crashed on it. I saw them looking at it. Now there's win. Yeah, there we go. Just get the address of it, like, copy address. You only got to look at it. Just run it. You just got to run it. Come on. No, just copy the address of it. Oh, no, there you go. There it is. My favorite hotkey in Binja is Command Shift egg, it's copy address. I was just gonna say that copying addresses in IDA is so hard. Yeah, I always hit... I hit space and then I go over and scroll and copy to the side, and Binja, it's like a default hotkey, it's just, like, copy current address. So they're throwing this against their local run where they're debugging it, and so, sorry, I'm guessing these addresses are just going to be seen on the physical build. Come on, r3kapig. Oh, there is PIE. Oh, is PIE what's killing them? So are they partial overwrite? If so, well, you have a solution script, you can look at what that does. So there is PIE. I said, I think I said there isn't PIE. This is not LiveOverflow. We've got Gamozo, and I'm psifertex, Jordan. I will bring in Gamozo Falk and Jordan psifertex.
We are watching. Yes, that one was a true speed run for sure. So they're working up on hints. I feel a little bad now because the hints themselves are almost distracting. Yeah, but we are really trying to... There is PIE. Did the hint say there was no PIE, or did I just say there was no PIE now? I'm just confused too. All right, this one is... go fix, go tell them. Deletions from r3kapig. Go fix it, get a pen or something. I don't know what's going on. Okay, I think the hint may have been incorrect. This is madness. This one, no. Oh man, I feel bad. I feel bad. I've been here so many times. I will say commentating this is a lot easier. It is, right? It's so much nicer than sitting right there and having to deal with it. I'm not feeling the pain myself. No, but you still feel some empathy, right? Because I definitely feel the... what is it called? Is it a German word? There's some word for when you feel the pleasure at not having to experience their pain or something, or like you directly kind of feel their pain. Not... I know what empathy is, okay. But there's a word for it, I think. Gosh, I mean, there's a German word for everything, so of course. Well, yeah, there just is. So you're getting questions in the chat: when are they gonna see you do CTF pwn challenges? It's been years. This is exactly what would happen if I did CTF pwn challenges, and I'm gonna feel really bad about myself when I go to bed. But you would then get better at it, you'd practice it. Segmentation fault, number of x's. I need a break. If I was one of these teammates I might just close my eyes, start over. Man, oh, there we go. So we've got some translation: Fremdschämen. I'm saying that wrong. This is secondhand embarrassment. Oh, this is... I think I have heard of that. Yeah, yeah, to feel secondhand embarrassment. Yep, there we go. Thank you, chat.
That's what chat's for. Oh, so number of x's, dollar sign. There's lots of dollar-sign x's. We're running it in rr. Oh my god, I do know, like, this is one of the validated pwns. We have a simple pwn script that does solve this, and I thought it was pretty straightforward, but man, I think we have broken our players. And I think we actually have... we just need one of them to win, though, and they can go rest and relax, and we'll pick it up tomorrow with the next round. I know exactly what these... oh, we got a little bit of spam. Yeah, and classic to doing this. You know, normally, like in an actual CTF at home, you have the option of stepping away, right? And actually, am I trying to challenge... stepping away is what saves you time. But here, or like going to bed, right, same thing in your CTF, and it's like no, no, you just need sleep, like you're actually not being productive anymore. You got to know when to walk away. You don't have that option in this, and so we're seeing them just really struggle. And again, these are great players, they're good solvers, the challenges are fine, it's just sometimes you get stuck in this rut and your brain is... I think I've been here so many times, like I know exactly all of the emotions that are going on right now. Yes, I know. I apologize. We should put a trigger warning. Apologizing, chat, for all the anxiety that you guys are getting too. We're all like... but listen, the relief is going to be so good when we see that winner logo, when somebody gets a shell. It's going to feel real good.
So the problem is, I know that when you lose a challenge like this, you just think about it for the next hour and you're like, oh, what could I have done? I could have written a 2 followed by a 1 followed by a 6 and then a couple nulls and then a return address, and it'd be over. Yep, yeah. We had one earlier that Chris Eagle actually was in, where he lost the round because, so, I think I mentioned this was the file overwrite where you could write to /proc/self/mem, and he was getting stuck not letting it flush, right? So by not... oh, no, his overwrite worked, but his breakpoint, when we went to go check it, was before the flush, and so he's like, oh, it's just not working, what's wrong with my script? He was fighting something that wasn't broken because he just broke in at the wrong time. So just something like that, and then you're just kicking yourself the whole next time. Wow. So we don't cover psychiatrist costs, chat. Unfortunately, that is not... our business insurance doesn't... we don't have business insurance. We're not a business. This is a nonprofit, or not even a nonprofit, this is just like a bunch of people doing something for fun. So, I know you're joking. I wish we could, though. We should give them like a big bear pillow or something to, you know, squeeze afterwards. Bring an empathy pet or something, the dog. They're not even being actively heckled, though, and that's what's really throwing me off here. It could be worse. It could be worse. Yeah, and I think eventually, when LiveCTF gets really common and it's happening all the time and people are really used to it, that's when we're going to amp up the heckling. That's when it's going to be like, oh, no, no, take off the headphones and we're just going to troll you.
Well, I mean, that's what Infiltrate is like, right, when they would do the nob serves. Are you going to be going to OffensiveCon? And what is that, February? Yeah, that's the plan. We were just talking to them, but yeah, I'm looking forward to going out there. I heard that that has the most similar vibe to an Infiltrate, and I need Infiltrate back in my life. I agree with you. I miss Infiltrate strongly, and so far that's it. The other one that might be similar is coming up this year, which is in Paris: Hexacon, in, I want to say, September or October. So you might want to check out that one this year. Oh yeah, it's coming up this year. Maybe it's still too soon to travel. I don't have to look at my employer; he says it's fine. Yeah, you turn around and ask yourself. Isn't it nice. Yeah, there's certainly pluses. Anyways, so let's see. I saw a lot of code being deleted from Sauercloud, which is really scary. r3kapig is really committed to this one function and they just keep adding args and magic constants to it. It looks like a crackme. I don't know what's going on with that. It's like the descent into madness. And this is... we took a chat question of, did the team send their web players? No. These are good exploiters, they really are. This can happen to the best of us. This is what top-tier binary exploitation people look like in the heat of it. Yeah, it's just the constraints that are under here are very different than the constraints that they're normally under, and the shift to sudden death. This is the very first time we've ever had to do a sudden death, and I think that's thrown things off. So we'll see. Yeah, come on. What are we even at? There's a lot of up-arrow, enter, and a lot of, I think, hope. All right.
Are we gonna, like, r3kapig gets... and actually have a sudden-death sudden death? I don't know. Are we close? Yeah, which one? Okay, so Carl, who's been watching r3kapig closely, is like, they are really close. Yeah, their function is perfect, it's... Okay, I'm gonna sit for a second. I need a break. It's been high energy. So we're now looking at the memory maps and trying to figure out, I guess, maybe what these addresses are. So in IDA the addresses are going to be based at zero because this is a dynamically moved thing. So I think right now they're actually trying to figure out the true absolute address of where these things are loaded. I've definitely clicked on addresses a bunch of times, highlighting them, hoping that it clicks. It's crazy because the same... I don't want to say tics, but the same tics of clicking the same thing, the up arrow, yeah, highlighting the address over and over and over. You know, we all do that. Yeah. Oh, so the address... also, somebody earlier showed me a trick that I hadn't seen, that was the ability for GEF to automatically repoint your stuff based on relative addresses of loads. So that was really nifty. I hadn't actually seen that one before, because usually I would either rebase Binja or IDA, right, to the load address, or just do a bunch of math separately. But there's no reason here.
You can't do a partial overwrite? You can do a two-byte overwrite of the return address. That isn't exactly the intended solution. That is exactly what you're supposed to do, that's why we said there's a win; you're trying to hit the win. It is PIE, which was, I think, clearly a mistake. You should have just... although even still, they would have otherwise... I mean, even then you would want to do the partial overwrite because you don't have a pointer. You would have to also on the server side... Yeah, yeah. And so, come on, where are we at? Oh. It really comes down to how quickly can you do stack math and know the layout of the stack in your head, because there's a lot of guessing. Every time you see like a comma-one adding something to an array, every time that happens, I know exactly. It's like, oh, maybe there is a frame pointer, maybe I didn't account for the frame pointer, I need to go one behind it. Yeah, and you're just fiddling with all your stuff, and then you fiddle with something that was working and made it broken, and then later on you think, yeah, it just compounds. I think the most important skill at this point is honestly just resiliency. It's the ability to just stay calm, stay focused, kind of not let yourself get weighed down, because I think that's what we're seeing. I mean, I was joking, I said we broke our players, but I feel a little bit like that, like we just kind of crushed them too much, and this is the result of it. And unfortunately, other than another sudden death, which I feel like they would just quit and walk off, we don't have a lot of levers to pull. So we're gonna see it out. Although I will say, having had, so far, this is the 11th match. I guess we've had eight in the first round and this is the third match of the second round. This is the first time we've had it go to this point.
So yeah, it could have been worse. This was my fear, that we'd end up in this kind of a situation on all of them. That's okay. We can make it fun and entertaining. I mean, this is the essence of CTF. Yes. Here's the thing: when you're in this situation it is the worst feeling, and then you get past it and you're just like, the relief and relaxation. Yes, the valleys match the mountains. But so we got a question in chat, actually: what's your bet right now? Who do you think is going to win? We've got r3kapig that fell behind but now has that... I see a lot of support for Sauercloud, but I'm going with r3kapig. Yeah. I mean, I think their approach, I felt like for a while they weren't making as much progress, but right now I just don't know. Every time I'm seeing a terminal open with r3kapig, it's in like a crash call stack or a breakpoint on the ret, right? And Sauercloud, every time I'm seeing them run it, it's not even crashing, and I'm so concerned. I think Sauercloud went from great start to I'm just confused, and now I'm lost, and now I'm off in the middle of the weeds trying a range of things without really being intentional, right? So instead of just slow and steady and consistent, like testing your assumptions, measuring things, you know, moving forward. Yeah, we're seeing... I mean, I would love to be wrong, I'd love to see them pull it out. I mean, that's it, we want to see that big flip. Yep. But right now, I think so. So we'll see. Yeah, in chat, what are your bets?
I want to hear the chat's... about... So, we have r3kapig and we have team Sauercloud, our two teams. In the upper left corner you can see a little bit; unfortunately r3kapig's has a white title bar, this is part of the title, but you can see who's competing. Usually when we've got that screen up there... Congratulations. Did that do it? Submitter two? Yes, that's it. Oh, there it was, r3kapig won it. Congratulations. A brutal, brutal... Wow. Watching the replay, or more specifically the YouTube just a little after, and they're just fixing up... oh, they're switching it over. Yeah, and they throw it at the actual thing. There it is. Well done. Yeah, that was excellent. Well, thanks. So folks, thank you so much. Maybe one of our later matches today we'll get you back, because I think we are basically done for the day here. The whole room is getting shut down, and so we gotta kind of clear out here. Yeah, no problem. But it was a blast hanging out with you. Thank you very much for joining us. Everybody in chat, thanks for watching. I think we're gonna go to intermission for a little bit just to let that kind of run out, but I don't think we're coming back today. We're probably gonna move our last match of this round to tomorrow morning, and we'll finish up the last four matches of the whole event then. All righty, thanks everybody. Cheers. Thanks for coming by, Ron. Take it easy. Hello everybody, welcome to the last quarterfinals of the LiveCTF. We are a bit behind the schedule, but we're gonna do this match today. Yeah, we just heard the main CTF day end, but we are gonna still go on with this match. So we're gonna have the players ready, we're ready with production.
Yes, so we're gonna count us in: five, four, three, two, one, go. All right, so thanks for staying with us, everybody. We actually... I apologize, I told you wrong. We just tweeted out a correction. I thought we were gonna be done, we were a little bit behind, but we decided it was better to stay late, finish it up today and stay on schedule, give us more time tomorrow, because tomorrow we're gonna have some more fun challenges, interesting things, so we don't want to lose that time. So here we are. Cool. And the challenge we are looking at is one of my creations. It's called No Roplem. I mean, I think this is not the first time... Is it gonna be a problem? Well, it will hopefully be only a slight problem. Like, well, they should have no roplems. No, exactly. Exactly. Yeah, it's a slight problem, right? Yeah. But it's an idea that's been around; this is not the first time, it's inspired by previous challenges in the same vein. Basically, you get a more or less random blob of data and you're supposed to get ROP gadgets out of that. Oh, that's right. So I'm excited, because I don't know the ROP tools, I don't know the current state of the art in the ROP tools, and are people gonna have smart searches? Are they going to just grep? Are they gonna actually... yeah, so I'm curious to see what people are going to end up doing. Right. In this we can start by going to Perfect Blue, one of our two teams in this match. They are opening up IDA. I think we gave them... I mean, we did give them the source code as well for this one. I think, however, the source code doesn't tell you the full story, right?
You might want to go like all offsets and so on, so looking at it in IDA might still be useful even though you have the source code. Honestly, sometimes even when I have source code and things, I'll use Binja just for the cross-reference system, being able to quickly navigate it, or if I want to script up something that maybe is harder if it's just pure text, right? So anyway, you can also see them there taking a look at the source code. Let's switch over to Straw Hat and see them doing basically the same thing. They're looking at source code, getting a feel for the challenge. So roughly the way this works is that, I said more or less random: they can provide an encryption key, which will for all intents and purposes act as a random seed. Yes. Yeah. And then after we have generated that, we sprinkle a bunch of ret instructions into this to make sure that there are appropriately sized gadgets. If something was truly random you'd expect ret to happen like only, you know, one in 256, right? And so you would not have a whole lot of functional gadgets throughout it. So it makes sense. So, you know, every n, where n is much smaller than that... I think I did every 16 bytes. Yeah, you just end up with much more gadgets in the same space, right? And they have like a megabyte, I think, of gadgets as well. This is what I want to see. I'm curious how the ROP-finding tools work with like a bigger blob of memory. I know a lot of CTF binaries tend to be pretty small. Right. Yeah, so this is, I think, where one of the newer tools, Ropper, really shined. I think it crunched through the whole Linux kernel in like a couple of seconds. Oh, wow. Yeah, so no problem with something one meg. No, but yes, this can have been a little bit of an issue for some of the older tools; any kind of pure Python-based tool, for example, is not gonna be very performant.
Yeah, when you have something where you just want to process a large amount of binary data like this, then you probably want something that's compiled code. Yeah, something native. So we're already in a debugger with Perfect Blue. We can actually see that they've got their GEF prompt up, and there it is, ROPgadget. So they're going to run ROPgadget on the binary, checking the name. And yep, I'll say that's pretty quick, right? So, and there's checksec. Like, we've seen now checksec on both teams; I saw Straw Hat do it earlier. So they're both... I'm so happy that nobody has made the mistake of not running checksec that I've seen so far. They seem to be doing that right. And the program does have basically all mitigations turned on, but it doesn't really matter. We do give them the address of where all of these gadgets are located, so they can easily calculate the addresses. Well now, wait a minute. We lost the feed for a little bit. Okay, so I'm a little confused, though, because I saw something that said 110 gadgets found. Were they looking for gadgets in the binary? It must have been looking for the gadgets in the binary. Yes, not in the payload it generates, right?
They need to actually first dump that region, or they can either just modify the source code, give it a fixed key and then generate it. Or, yeah, so now, I'm curious if teams elect to make it work with just one of a range of keys, or if they actually incorporate trying different keys until they get one that produces a really easily, you know, gadgetable... Right, you can basically approach this challenge from two directions. You can fix the key and make do with what you have, or kind of set up restrictions on what gadgets you need and then just randomize the key until you get those things. I think the latter, if executed properly, is probably more effective, but you need to formulate the notion of "I need some of these gadgets" into a strict thing that you can put into code. Yeah, because you have to be able to measure the fitness of whatever you're producing, because you might need like, okay, I need this or this, or this and this or this. I could even see kind of a hybrid approach, right, where I would probably just think of what is the most complicated gadget, right? And then everything else I can work around, like I can get things into registers pretty easily, right? But what is going to be the one that... Stephen has really tall shoes on right now. That was very good. Wait a minute, that's not how it's... all right. And just in time. There we go. Yeah, so let's see, we do have someone googling a little bit. What were they looking at, the RC4? No, they... yes. Yeah, that's not good, not correct. Well, it's not that it's not correct, it's just not what we want them to be doing, right? Because the encryption we're using here is RC4. It's a big favorite of mine. I try to overuse it and stuff, because it's so easy to implement, it's very fast. Yeah, you actually don't even need a library for it.
No, no, I think in Python you can implement it in like three lines. So here's the thing: is this implemented in the program? And does it... so, yeah, I'm a little worried after last round, I'm worried about sinking teams into these dead ends or something. So I hope... right. Maybe in 10 minutes we might want to throw out a hint, I guess is what I'm saying. Yeah, like, this is the encryption, that's not the challenge, right? Like, just don't worry about the randomness. But we'll see what we end up with. So, yeah, because I think in the program the functions are just named like key scheduling algorithm and prng or something like this. And that's actually, I mean, it's just by chance, I guess, but it's also because it doesn't really matter, as long as you are able to do the same thing on your own if you do some kind of brute forcing or whatever. It doesn't really matter. Well, and, I mean, remembering back to some of my crypto classes back in the day, good encryption is functionally identical to a random sequence generator anyway, and so hopefully it's somewhat intuitive that that's essentially kind of what they're doing. Right. That was a new... there's a website I hadn't seen before, it's just asm dot something dot... Oh, I didn't see that. Yeah, next time they bring that up I'm going to keep an eye on it. So it looks like Perfect Blue is using a website. I wonder if it's just a very fast straight disassembler, or a disassemble-at-every-offset type thing. Interesting.
You can see Straw Hat here using ROPgadget, the same one that I think we saw from Perfect Blue, right? Over there they're going old school, not using Ropper, which I guess is the new hotness. Well, as we talked about throughout the weekend. So what are they running it on, though, here? Here's the question: is it trying to run it on a dump? It looks... well, no, you have a .raw file. So they have 16 megs. Is that... that's large. Well, maybe they just dumped too much, like the whole memory segment that it was in. Or maybe it was actually 16 meg. Could be that large. Yes. Well, I guess we'll find out how fast ROPgadget is. So basically what we saw there was that they have run the program with some key, generated this collection of gadgets, dumped that memory to a file, then they run it through the ROPgadget finder, and since it's not an ELF file the program cannot automatically detect what this is, so instead they manually specify: this is x86 64-bit, like, trust me. Yeah. And, you know, we're not worried about virtual offsets or addresses, like just disassemble at every offset, please. Yeah. Are you guys doing it here again? Just dumping into a text file so that they can easily search through this and see what they have to work with. Now they... last time they backgrounded that, I didn't notice that. Are they on a different tab? So do they just kick off multiple ones and let them go, one finishes and they run another one? I'm not sure which it was, because I feel like that could go either way. Oh, here we go. We're looking at the man page for ROPgadget. So yep, same kind of thing. They're both using this same tool.
You can see they're hovering over the raw mode, which is the same thing they're looking for, like how do I... wait, this actually, no, they're using Ropper. That man page was for ROPgadget before, but now they're actually running Ropper. Sure, was that not just... they had Ropper on screen. They 100% were running... so one of their terminals down here was actually running Ropper, the other one they're looking at the ROPgadget man page. So I think they're hedging their bets, right, and trying multiple. So yeah, so now to this Perfect Blue we're talking about here. There's still... check it out, there we go. ROP... yeah, that was it, it was there, I saw it, right? So yeah, they definitely have it up. I actually like that idea, the idea of just running multiple tools. Oh, yeah. Yeah, there have been situations where I think one of the tools has found stuff where the other one hasn't. I don't remember specific samples, but there are tricky situations where the different tools can differ in what they consider executable code. Interesting. Yeah, I mean, with three different disassembly libraries, right, or they have different... like, you can even see them doing different things with the state, such that, you know, one of them sees memory that's not writable being written to and then stops analysis after that, where the other one continues. And it may or may not be, depending on your situation, whether that actually is a valid thing to do. So I can see a lot of context mattering there. Right. Yeah, so they're just checking the documentation for, like, how do I actually specify the parameters for this raw mode. Now they got it. That's just wrong. So they're doing the same thing as Straw Hat was doing. I think their arguments are out of order. I think they're putting the argument... I bet this thing has poor parsing.
Oh, yeah, and see, Ropper's still going. Okay, so they still got Ropper going. Okay, so tell me a little about, in your kind of approach to solving this, I would imagine you're going to look for the shortest working payload that you can come up with. Yeah, I mean, you always have the kind of generic mmap, read and mprotect kind of ROP chain, where you allocate a region of memory, you make that memory readable, writable, executable, you read shellcode into it and jump to it. That's like a generic approach. Yeah, so I would probably try to look for something like this. I mean, you need some pop gadgets to populate the registers. That's gonna be trivial; they're gonna find a bunch of those just sitting around. And there's the nice thing where it doesn't really matter if maybe you're popping another register as well, as long as you can just rearrange those populations into the right order. Yeah, it will not matter. And then you basically just need the syscall. So in a sense, well, if you do the mmap, that needs all the registers, like the six, so you need a couple of pops and a syscall, and from there I think you should be all good. So I learned a new trick from Christy yesterday, which is, why wouldn't you just use brk? Right, but then it's not gonna be executable; it'll be read-write data. Yes, but it won't be executable, and it would have been a perfect solution in that specific context because you only needed read-writable in that case. In this case, that means... but it is actually a good idea, because then you can split up the mmap into a brk and an mprotect. Yeah, so you only need like one and three arguments respectively. Yeah.
So yes, that is actually still probably a better solution, I think. Yeah, there's been trying to... actually some of those like pop r8 or something can be a bit annoying, more rare, or you've got to deal with more side effects. And then, you know, right again, I'm curious to see as they start looking. So we've seen them run this and dump this out, but again, are they going to just treat that seed as a fixed value? Are they going to just treat it as, I'm only going to ever look at one buffer? Or are they going to build a framework that searches and finds and can try multiple values until it gets a quote-unquote good one? Right, so, yeah, I think doing the variant where you, like, as long as you have this, just calling a few pops... we can switch back to Straw Hat and see that they have started writing an exploitation script here now. So, using pwntools like most of our players have been doing, they are setting up the initial interaction, they are getting that leak to get the base address where all the gadgets will be located. That's the base that they will then need to add a bunch of offsets to, to get to these different gadgets. And to clarify again, what the program is doing is asking for a key from the user, generating these like 60 megabytes of ROP gadgets, and then you basically just can input a large buffer and it will pivot the stack to this large buffer, and it will just be a ROP chain. So I don't know if you know your anime well, but one of the chat questions is, what anime is that background from Straw Hat? And I actually don't know. I'm not much of an... I have seen, like... I don't know, apart from... I can answer faster than... yeah. Apart from individual episodes of stuff, like the only full season of anything I've seen is Neon Genesis Evangelion, yeah, when I was like 14. That was great. I've seen a couple of Ghost in the Shell and, you know, a few more, One Punch Man, but yeah, not a huge amount.
So unfortunately I couldn't tell you. I'm curious. Yeah, so chat will have to help us. All right, so looking back at the source code: please provide a key, the toolbox area. Okay, so I'm really curious again. I feel like this should just be doable with just the syscall and registers, right? Like, you really don't... well, right. Oh, here's the question, though. Look here. Yeah, look here. We have, over on Straw Hat's side, they are looking for the syscall, they're looking for the pop rdi. So they are picking their different pieces here, and they are slowly getting there. I think they are on to that strategy that I was talking about. Well, we're seeing the same thing, I think, from Perfect Blue. They've got all the register control first, they haven't gone for a syscall yet, but they're actually going for some adds. This is interesting. Yeah, so maybe they're going to add the base address to... no, I'm trying to think of what they... if there's a return address that comes back from like mmap or brk or something, are they going to add... I can't think of a reason they would need to add to it, though. They just need to move it to a different register, really. So they already have this change. That reminds me of one difficulty of, if you would go for the brk and mprotect route, is that with brk you cannot specify the address yourself. You will get the address back in the rax register, so you just exchange it to a different register. Right, yes. Except actually what you might need is to copy it to another register, because you may have to use it more than once. Yeah, because you're probably going to have to do some sort of jump to it at the end as well, so you actually save a copy of that. Yeah, that's a good point.
You actually might be better off with mmap with the... Yeah, so it depends on the flags that you control; you're switching mmap for maybe like five or so, or more. One of the things that strikes me just now is, you know, it's funny that you don't think of this right off the bat, but when I'm looking at this, much like some of the earlier ones where you're like, oh, here's a bunch of syscalls, and then it's like, oh, but getting the string is hard. In this case you've got a bunch of... you don't just have a ROP payload that you provided, right? You are using a payload that exists, so you don't get constants, which normally are really easy, right? Like a pop rdi is great, except you don't get all the stack that it's running from, right? No, no, you are... oh, you do actually, like you create a huge buffer of whatever you want. Well, but you'd have to find that value in the stack is my point, right? So you're not necessarily going to get all random values in your 16 megabytes, all 32-bit random values or 8-bit random values. Oh no, no, no, like the gadget area and your ROP chain are like separate areas. Oh, so I thought the ROP chain was specified based on offsets into the payload, in which case you can only use values that exist in the region. Oh, no, no, no, like you provide basically a normal ROP chain, and then there is this 16-megabyte area of random gadgets. Oh, thank you. Thank you. I understand that. Right, okay. So yes, so getting control over here. So that makes me want to do another challenge though. So maybe a later one, not this one, obviously. Yeah, a later one, that'd be an interesting variant. But yeah, we can switch over to Perfect Root and see that they are scrolling through gadgets. I think this will be a theme throughout this challenge; it will be a lot of scrolling through gadgets. Yes, and searching for gadgets. Yeah, I'm curious. Nobody came in... and we did warn them.
This is a ROP payload. Yeah. And some of our stuff has been a little cheeky, like the stacks and the heap versus, you know, heap exploitation, but I will say that in this particular case something, you know, a ROP compiler type situation might have been pretty nice, especially when you can let it fail and try a new random seed until it succeeds. You could just sit back and let your tool do all the work. So I am a little curious that nobody came in with something more automated. This is something I've actually on several occasions thought about. There's like a very interesting programming project thing to do, like a constraint-based automatic chain builder. Never really gotten around to it, but it's a problem, I mean, you know, when in the bathroom or something, like thinking about the problem like that. Sure, you take a shower and you think about ROP payload generation. Yeah, I mean, yeah, as one does. Yes. Yes. Of course. We're completely... I still haven't seen... Yeah, this is not strange. This is not strange, I promise. Yeah. I still haven't seen a syscall yet from Perfect Root, which is interesting, and I haven't seen Straw Hat's payload in a while, so I don't know if they're building a similar payload or not. Actually, one of the things I really like about this particular challenge: sometimes, again, we have no idea of the state of a challenge. We don't know how far they've got or what they've got, but here, where they're just creating these gadgets, it's actually really quite nice to get a sense for how far along they are. And the players, like we've been talking about, whether it's finding the bugs that's difficult or performing the exploitation... here it's 100% performing the exploitation. Oh, clearly. Yeah. The bug is just handed to you. You're told exactly how to do it, right? The question is how do you make it do something useful?
Yes, even though you've got that. So I've mentioned earlier that a lot of the challenges in this event, a lot of the work was done by a few people who are not here on site. We've had Glen off camera, but negasora in chat. Hey, Josh, thanks for hanging out with us. I say it's not too late where you're at, but good to see you. Josh has written several of the challenges that are in the competition. Yeah, happy to have you, and we miss you. I hope you're having a good time. Thank you. Slaughtered at least one of my challenges, right, in terms of rewriting it. Yes. Oh yeah. Yeah. Josh has gone through and fixed up several challenges that started to look too hard, and... yeah, I'm saying slaughtered; what I really mean is salvaged. Yeah, made it fieldable. Yeah, oh, he did it to mine too. So like I said, I had started one that was just pretty broken, and so... All right, so ROP chain. We've got a ROP chain coming together. So we've got a pop rax, looking at the syscall reference. Leak with mmap; they're going with the mmap route, classic. Okay. So if that's the case, if they're doing that, that means that they have all the components, because if you can do the mmap syscall, you can do all the syscalls. Yeah, you need to populate all the registers, except they don't actually have a syscall. So I don't see a gadget for a syscall yet. Oh, they still have to find that. Yeah, but that's not going to be hard. No, no, no, there's going to be plenty of whatever, just by statistics, because that one doesn't even need to be like... before, like with the rets, there's quite a bit of leeway on what can come after. Well, yeah, also it's a cd80, right, for syscall? Yes. All right, it's two bytes. So it's two bytes, but that's still not 65k, you know, 50% chance and whatever; it's yeah, that's very doable, especially with 16 megabytes. You're definitely going to get some syscall.
So that makes sense that you would be... I mean, I think if you wanted to play games you could make it much smaller, and then you make them really tackle the problem of how many random seeds they should try to get that hardest thing. I was, you know, considering going that route when we were making this, but I realized not for live. Yes, I think for a longer, more interesting variant, absolutely, that would be really cool. I was like, oh, it's only like, you know, 50k big or, you know, 100k. Yeah, I was sitting there writing the challenge and then you get to the, okay, how large should this buffer be? And I just, you know, put in a bunch of numbers. Yeah, I think you did like six thousand times six thousand because that felt cool. I'm going to be real happy when I finally see Perfect Root put a syscall one in, because I'm just seeing a lot of... Yeah, but are they putting all of the arguments? No, no, this is completely fine. They're building up the ROP chain here. Well, they're missing the syscall thing, right? So they just... that's why I said I'm going to be real happy when they do. Did they forget it? Oh, they're looking up the shellcode as well, which they need to do, like after they've done this, after they've done the mmap read, they need to actually read the shellcode into that, but they haven't. Right, unless I'm missing something, there's still no syscall. No, but I want to switch over to Straw Hat, because I saw here... they just tabbed away from it, unfortunately, but I saw they were also looking at a syscall table. Well, and they had a syscall gadget in particular earlier, so let's see how many of the other gadgets they have. You can see that they have a rop2.txt and then a ropxx.txt, so they might have switched the seeds around a little bit just to try something else.
Yes. Yeah, let's hang here with them for a little bit, just to see if we'll get their payload. By the way, with this, since you have such a big ROP chain, something you can actually go for here is a sigreturn to pop all kinds of stuff off the stack. So I think you could basically do this with two gadgets: you need a pop rax to set the syscall, and then you need a syscall, and that's all you need. Interesting. And there's even a utility function in pwntools to build your sigreturn frame that you put on... Really? Yes, you tell it which registers you want to populate, which ones you care about. Yeah, and then you just serialize this into the thing you put out on the stack. Hint for the audience, or for somebody else who might have to tackle a challenge like that one later: keep that one in mind, because that's going to solve some of those challenges, I guarantee you, in the next year. Yes, the good thing with it is it's really simple. The bad side is that it consumes a lot of space, because it's like you're popping all the registers off the stack, basically. Yeah, but I mean, even on x64 it's not an absurd amount. No, no, no, no, but like, you know, in some ROP situations you might only have like a couple of elements, so it's not a silver bullet. Yeah, but it's something you should have in your second stage kind of thing, right? So your first stage is going to pivot you to a bigger region potentially or something, and that's the one that you fill, just because one can be constrained on space and the other can be constrained on the type of gadgets you have actually available, right? Yeah. We're losing one of our displays here. I don't know if it's... let me see if we can do some troubleshooting.
It's been flickering off now. I don't know if we have a bad cable or not. Yes, so while Jordan is looking at that, we will continue looking at Straw Hat, and they are putting their exploit script together, so we'll see, maybe they are getting a bit closer there. They're looking at variable attributes. I'm not entirely sure what that will be used for in this context. Again, looking for the ROP gadgets tool, looking at the... what do you call it, documentation is the name. Sorry, I'm getting a bit tired here. But yes, I do see Perfect Root here. Yeah, so we have Perfect Root back on the stream. So let's check them out. Do they have a syscall gadget? I don't see a syscall gadget, but I also only got a very short glance at the script. Yeah, still missing that syscall gadget. Talking about nerves in the middle of a competition, if that's right: you have everything except for the one thing, you know. Yeah. Yeah. Really, here we go. Hold on, hold on: type s by at 41 space... I'll wait. Address. Why are they searching? Are they looking for...? Oh, they're looking for a constant. So they want to be able to... I'm not sure what that was about. Yeah, I'm not entirely sure. Well, they blew through looking for and building the right gadgets. Oh, look here. I think this is... you saw that they changed the key from 16 bytes to 15 bytes. I think that's something that's been messing up their input, because I think I only read actually 15 bytes of input for the key, so the 16th input byte might be spilling over into the ROP chain and messing with them. So they're fixing that up, and now you can see they're stepping through the ROP chain, making sure the gadgets are right. It's all fine, except they still don't have a syscall. Well, they should realize that though as they actually walk through it, right? Now they have a syscall. Did they get there? No, no, they're getting it out.
There we go. Oh, there they have it. Okay. So this is going to be... Yeah, I mean, this should be it. This should be it. Like, is it? Well, there are still a couple of pieces. There are still several pieces. Yes, well, okay. They're not sending the shellcode yet, but let's see. No. Well, they've actually got to copy the shellcode to the buffer too, right? Or do they already do that? No, no, no. So you're like, yeah, that's the read. You see they're doing two syscalls: at the top of the script you see the mmap set up and then it's the read, and then finally you see the leak plus 2000; that's where the location... Oh, they have an off-by-one typo. They have a typo: that was 20000 and 2000; it's off by one. Oh my god. They are like one keystroke away, basically, I think, from solving this. Oh, that's nerve-wracking. Let's go to the split view; at least we can see a little bit of what's going on with Straw Hat while they are debugging that. They are still finding different ROP gadgets. Not quite there. I think if Perfect Root can just figure out this small little issue... What are they doing now? Here's the problem: once something's not working... Oh yeah, all such other stuff. Yeah, that's annoying. Oh, that was so important. I mean, maybe there was some issue with the mmap call as well. That could be, yeah, but there was definitely a keystroke wrong there. So we have some excellent puns here in the chat, by the way. What do we have? So first it's "Dangan ROPa gadget." Happy we have it. I'm not sure I take that reference. But we have "swap, drop and roll," a proper pun. Yeah, and you can tell it's the end of a long day when you're putting puns in the chat. Yeah, I'm with you though; I mean, I'm here for the puns, right? And SROP is also specifically the name of a technique as well, so bonus points for the specificity.
I suppose, but yeah, I think we've got a clearly correct approach. Yeah, we'll see Perfect Root debugging their ROP chain. Yeah. Yeah. And then have we seen... oh wait, did Straw Hat start over? That's a real small... Yeah, let's look at the exploits. Yeah, I think they are, you know, struggling a bit, like maybe they're trying to do something more complicated, but they are looking at the syscall table, so it feels like, you know, it should be... Well, and they've had the ROP gadgets for a while. They've had a working payload, but they're kind of backing off from that. Right. Okay. Here we go. So switching back to Perfect Root. So what you did not see on screen was that they stepped through it and then they checked the memory mappings, probably to see whether the mmap call succeeded or not, and they're trying to figure out, I guess, why it's not. Or, yeah, so just this call. So they're checking the arguments now; they're comparing the arguments here. Oh, I think this is an issue. I think they took a syscall gadget that was not followed by a ret. Yeah, so the inline one earlier isn't going to work. Right. So they will do the syscall, but then it will just continue into bad code. Wait a minute. I think... with the R... Right, so they took another offset. Was that to a syscall with a ret, though? I didn't see. Yeah, I think so; they put it in from some results from binja. So they might have been, you know, preparing some other stuff earlier. Here, when they're doing this, you can see the stepping through; they do the syscall and now they're passing. Yeah, yeah, so now they have this working. Oh, that might be it. So let's see if they just continue and go for it, or... I don't remember if they actually pivot to it... syscall. I think they're just trying to see here whether... and now they still have the typo.
They still have the 2000 versus the 20000. So everything else they've now fixed, but they still have the 2000 versus 20000. Well, and they're going to notice that if they actually check the arguments. Yes. Yes, right? That's what's going to... like, you know, you won't notice it until... you can get really blind to these things, right? And this is where having, like, I think in a normal CTF when you're with a team and you've got other people that can pair program, somebody else catches that and just says something. I also do, when doing this kind of stuff, like any offset I always put in variables. Yeah, always, always, always. Like I'm almost on the pedantic side, where I would put the memory protection constants in variables, or even use the pwntools constants library that they have for this. So like I would have a variable called like shellcode offset or something which would include that, and you would not have this issue. Yeah, or this is why you have this trade-off with how much of proper software development practices you apply to your exploit. Yeah, because if you put unit tests into your exploit, obviously that's not a great use of your time. Right, like there's a limit. I'm definitely on the side of being overly formal in my exploit scripts. Oh, here we go. So, okay, they've got their checker and they're going to compile it. They're going to look at the arguments. Right, they're going to double-check that the numeric constants are what they think they are. They do have to check the constants. Yes, the problem is it's not the one that they're thinking about. Yeah, it's not the flags. It's not a problem.
It's the other typo. And funnily enough, if we look here at Straw Hat, they are also writing some kind of verifier as well. So they're probably... yes, you can see pointer equals mmap. They're going to double-check that this is what they want, like the arguments are what they believe they should be. So, yes, definitely on the right track. It really comes down to whether Perfect Root manages to discover this small typo. No, it's needed, clearly. Clearly we've got... oh yeah, this will be like... the question is, will it take one minute or 10 minutes? But it will be that, like, yeah. This feels like... I'm going to avoid a descent into madness and keep this one. It is right... Oh, come on. Oh yeah, every time you see the cursor go right by it... yeah, yeah, yeah. Oh, oh. So they are putting another address in here, zeroing out some parts of it. It's close. It's close. You can see they're starting to type really fast now. I mean, I can't even imagine the pressure here, right? So, hold on. Okay, stepping through it. I can actually hear them getting in, or so hard behind. Yeah. Yeah. Yeah. This is like they are roping so hard right now. This is roping so hard for sure. There it is. Just fixed it. Okay. They fixed it. Just fixed it. They found the typo. They just fixed it. Okay. What's that issue? So they have a local working solution. Yep. They will be going for the kill here. Shall we? They're getting ready. Get ready. They're doing submit there. And there it is. Congratulations, Perfect Root. Well done. Well done. Well done. Perfect. Great job. All right, thanks for hanging with us, chat. That was fantastic. Whoo. Yeah. What a day. What a day. A lot of great matches. If you missed any of them, you can go check out the stream. Yeah, you can check out the stream. We will be back tomorrow with the semifinals and the finals. What time are we starting? We start tomorrow, I believe, at 10 a.m. 10 a.m. Pacific time. Pacific. Yep.
We will put up another YouTube event, so you know, you can just bookmark it to put on the reminder thing. Yeah, I know. Just glad you all came out here to watch, and we'll see you tomorrow, right? Sounds perfect. All right, everybody. Take it easy. Good night.