All right, we are live, as I say. OK, thank you for that introduction. So it's awesome to be here at Soda. So I guess I should clarify. I'm nominally the faculty advisor of Soda, and I do almost nothing. And it's not just because I'm lazy. It's because Soda is such an amazing organization that they have become 100% self-sufficient. Like, they don't need my input. They probably don't want my input, because they already have awesome ideas and awesome events. So I love being the advisor for multiple reasons. A, because they're awesome, and B, because they're completely self-sufficient. So this is a fantastic organization. If you join them, go to their events, Soda rocks. So for those that don't know me, the science of every intro. So I'm Adam Doupé. I'm an assistant professor here in Sinti. I've been here for four years now. And a little bit about my background. So I did an equivalent of the 4 plus 1 that we have here. I did it at UC Santa Barbara, so undergrad plus a master's. While I was there, I got hooked up with some security research and competed in capture the flag competitions. And then after that, I said, I probably have some of you seniors in the audience, graduating seniors. Only a few? Wow, you guys are going to be around for a while. So yeah, so I said I'm done with academia. I cannot wait to get out of here, go get it. I mean, I had a job. I'm going to go make tons of money. I had a software developer position at Microsoft in Seattle, where I was a full-time software developer. And I loved it, but I realized while I was there, because I kept working on my research project part-time, that what I really loved was research, doing something new. So I went back. I left Microsoft after a year, went back to UC Santa Barbara, and did their PhD program afterwards. I came here. And so, oh, thanks. Thank you. I appreciate that. I think I made the right choice, too. So now I'd also like to introduce my co-host for this event, Will Gibbs. Will, stand up.
So you want to introduce yourself? Oh, sure. You want to stand in front of the class? Maybe. Or the group workshop, I don't know. I think in terms of the classes, sorry. The group, OK. Hello, group workshop slash class. I'm Will Gibbs. I'm the president of Pwn Devils. Unlike Soda, Adam helps us out a lot, which I really appreciate. That's a very necessary thing to do. Not that we necessarily, I don't know. I'm going to use the microphone. I'm not speaking into it, but not to those who have been here. OK. Yeah, so I'm the president of Pwn Devils. I guess I'll give a brief introduction to Pwn Devils. Yeah, all right, cool. Sure. So basically, we're a club that participates in capture the flag competitions, CTFs. And we help you guys get up to speed as well. So in our meetings, we work together and also teach you guys how to exploit these binaries, how to basically break them to either get a shell or get some sort of access or leak from some system somewhere. Yeah, that's basically what we do. Cool. So I'll say something about any freshmen in here who feel like maybe they know nothing or are completely overwhelmed, and maybe even juniors, seniors, slash above. Yes, we've all been there. We all start at the beginning, right? So Will started completely at the beginning. So he was a freshman who came to interview me as part of the Grand Challenge Scholars Program. GCSP. Yeah, GCSP. I never can remember the order of those words. And he interviewed me as a freshman, didn't know anything. And just at the end, he's like, I really want to get interested in security. Do you know of anything that's like that here? And I was like, well, I have this super informal hacking group called the Pwn Devils. We meet weekly, blah, blah, blah, blah. I send him all the stuff. He comes, starts attending our meetings. And within a semester or two, he was, I think, after about a year, he came to me and was like, we should be a real student club, not just this informal group.
And so he, along with the other students, drafted a constitution, elected a leader, which was Will. And he's been running it ever since. So he started literally where a lot of you are, from no security knowledge, not no knowledge at all, but no security knowledge. And he's now the president of the club helping me with this workshop. So this could be you, freshmen. And he'll graduate at some point. So I need more people. Sorry. And the other thing that Will didn't mention, so we do meet Tuesdays and Thursdays for about two hours going over and improving our security skills so they can compete in, usually, the capture the flag competitions, which range from anywhere from eight-hour to 48-hour competitions. And some notable results that I can brag about, because I'm the advisor, are the undergrads. So we had a completely undergrad team playing this CSAW CTF. And they got 30th out of 240 teams. And in August last year, we competed in this ASIS CTF, which was super fun, where all together, grads, undergrads, me, we were 24th out of 590, which was the second place US team. So we're moving on up. We're learning and getting better. So what we want to do in this workshop, I want to illuminate how code is actually compiled and executed. And unlike a lot of what I'm used to in a classroom, I don't just want to stand up here and talk, although clearly you can see I've already been doing that. It's going to be hands-on. So get your laptops out or get your code tablet, maybe. Get your smart watches, whatever you need. Find a buddy if you don't have access to a laptop so you can pair attack and pair learn about these things. And we're going to look at really what it takes. We're going to look at the most common security vulnerability in binaries, called buffer overflows. But to do that, we actually need to understand things. And before we get to those two things, we're going to talk about, before we get started, avoiding jail. Does anyone want to be in jail? Hope not.
I mean, if you want to be, there are very easy ways to do that. So I'm not going to tell you how. You're smart people in this room. You can find your way to jail if you desperately want to. Avoiding jail. So I'm going to teach you some security stuff. And it's going to be very easy to be like, oh, I should start testing my knowledge out on all these other systems. But we don't want you to do that. And I don't want anyone in my classes or a workshop that I lead to go out and do bad stuff and be like, oh, well, Professor Doupé said that this was totally fine. He taught me how to do this. And I can always point to the slide and be like, actually, I told them how to not do illegal things. So you get to do bad stuff in CTFs. Yes. So capture the flags are great because basically people let you hack their systems. So that's why they're super fun. So don't do anything illegal. In a hacking context, this means never hack into a site or a system that you don't have permission for. So let's say you're testing some stuff out and you find some security vulnerability in a program running on your laptop. Can you test that? Yes. It's OK. You guys can talk. It's like a, you know. Because you don't own the program? Or you do not own the source code to the virtual? Interesting. I think there's a thing. It depends kind of on your license of how you've got that software. But most of those, I believe, are not enforceable. We don't do it like this. And we'll actually be doing hacking where you don't necessarily need the source code. We'll hop off. So is it legal, or does it put you in jail? Why not? It's your computer and your program, right? So you bought the program, presumably, right? You purchased, you paid money for this copy of this program. It's running on your machine. And you're giving yourself permission to break into it.
Now, if I find a vulnerability in a program and I notice that somebody in here is running it on their laptop, and I launch an exploit against their program running on their laptop, is that legal? No. No, why not? What's the difference? Yes. So it's OK to look for it. I would phrase it differently. I'd say you can use them with permission. So if you have the permission of the owner of the system, so if you tell me I can use it, then I can use it. And if I was smart, I'd want to get that in writing or something, right? In case anything bad happens. But hacking into your system is definitely legal. So this is the key point. If you don't have permission, don't do it. So don't hack into a site or a system that you don't own. Anything running locally, you can go to town on. You can download all the open source software you want, set it up, configure it on your local machine, and you are good to go. Also applies to the web. Don't try to hack random websites. That's also bad. OK, everyone could nod so I can get a yes. Don't go to jail, please. I won't visit you. Sorry to burst your bubble. OK. So what is security? When we say security, what do we mean when we say vulnerability? Private information, private? So keeping private information private? Yeah. So there's actually an interesting caveat there of who decides what data should or should not be kept private, right? So you probably have data that you want to be kept private. Would you agree with that statement? Or do you? Yes, I hope so. Otherwise maybe there is somebody out there who posts every single picture or everything they take to every social media account publicly. But I'd say that's unlikely. So we want to keep things private that we want. And if you think of government level, they have nuclear launch codes. They have the position of military bases or military troops. Those are things they want to keep secret. So we call that confidentiality. Is that the only thing that we care about in security?
Accuracy of records. Accuracy. What do you mean? So you don't want someone manipulating your data? Yeah, so think about maybe your bank account balance. So you probably do want to keep that necessarily secret. You don't want to tell everyone what that value is. But you'd be really upset if somebody took that value and changed it to zero, unless it was in the negatives. But if it magically got changed to zero in their database somehow, and now they say you have no money, that's a huge problem, right? So we think about that as integrity. So the integrity of the data. Is there anything else? Are those the only things that are important? Ooh, why is that important? Who cares about that? Well, if I can't access what's in there. Right, so let's say I'm about to use an ATM and somebody else takes down the bank so I can't withdraw my money, right? That could be an attack against security. So these are the three. It's super easy to remember, CIA: confidentiality, integrity, availability. So these are the things, when we think about the security of an application, these are the things that we're concerned about. All right, enough talking. Let's have some fun. So I created a server on Amazon and I have accounts for all of you, each individually. So the awesome Pwn Devils helpers are going to distribute accounts. So it's going to use SSH. So there will be an SSH login. It'll be something like soda-blank. These are names: one, two, three, four, whatever. At, it should be, I think I'm adamd at the Hack Soda, is that what I called it? Yeah, hacksoda.adamdupay.com. Awesome. I don't know. Yeah, that would be good. You've taught this a lot. So yeah, raise your hand if you're happy to help. I want everyone to get access here. Yes, this is too close. That was a way. Are these good passwords? No. Why not? No special characters, just random text. Is it random text? No, it's obvious, bad, bad. Yeah, so it's not even random. All lowercase. All lowercase, yeah.
Just with this event, right? So I just made all of these. I actually made 450 accounts just in case; you never know who's going to show up. Anybody else need that? If you need an account, raise your hand. Leave it like this. Go ahead. We shouldn't say it. It's hard to get one. It's a good password, and we shouldn't say it. Sign it. And it's nine digits. Yeah, but it's, well, that's true. All right, can everybody get in and get onto the server? Here are some of you. Maybe it was because everyone was trying to log in. Is it working? Yeah. OK, good. Some of it doesn't work. Things happen. Well, why, I guess. Can you log in? I guess it's the first one. I always do. OK, that's OK. No, no, your password is the second part after the username. Just to remind you of your username, password. Pretty good. I can count everyone who's logged in. What do you think we have? It's not. It's not a normal password. I appreciate that. The V4. Yeah. Yes. You have to do that, so they're going to vote. They're going to select the SSH, and they're going to vote. It probably has something to do with it. Oh, wait. You have to be at the U.S. State of America. Oh, I got to be at the U.S. State of America. Are you going to put the code on here? I may try to turn this into a Docker image, too, but if you bug me, if you send me an email bugging me about it, I'll probably do it. Here's an essay like that. Let's do this. We're going to vote. Do you want me to turn it over? It's 1.22. 1.22. Okay, so first, they request. So this is a shared resource. We're all using the same system. So the attacks are super lame, don't do it.
And I have prevention mechanisms in here, hopefully, so you can't take down the system, but please refrain from doing so if you can. Anybody not on the system who wants to be? There are about 70 of you. I can find this stuff out. 71 people on the server. Good? All right, let's move on. So, where's... Oh, will sound like someone. Good. So, how do you become an elite hacker? Watch the movie Hackers. Watching movies will not help you. Yeah? No, go to hacker.com and randomly type. The media will tell you you just type random things in and somehow things break, or you make a really cool visualization bypassing firewalls, which also doesn't work. Brian, you said something. What did you say? Think like a hacker. Yeah, that's part of it. So how do you think like a hacker? How do you think like a hacker? Break stuff. It's part of it. I didn't think of it like... Has anyone ever gotten locked out of their house or apartment? What's the first thing you do? You look for a way to break into your own apartment or house, right? And it's probably something you've never done before in your life up to that point, because why would you ever think about breaking into your own apartment? Right? I don't know about you, but I started evaluating like, okay, which windows are probably open? Are there any windows on the first floor that are open that I can just pop the screen off and then get open? If there's nothing on the first floor, maybe the bathroom window on the second floor is close enough to that tree, or maybe I can get on top of that fence and then jimmy over and try not to kill yourself and fall. So that's kind of the mindset you need to have in security when you're thinking about these things. That's part of the hacker mindset, is thinking about things and thinking about how can I break it? How can I make it do something that it was never supposed to do? That's part of it. So that's definitely part of what you need. What else do you need? Tools. Tools. I'd say no. You can...
Yes and no is probably the answer. Yes, in the sense that... Yes, you need to know what the tools are, and what they do. No in the sense that being able to use tools alone is lame. So there's actually a term for that in the hacker community called a script kiddie, which is somebody who just knows how to use a tool to cause havoc and damage. So what your goal should be... So this is a person who, you give them some exploit script and they can run it against the system and maybe even get access, which is kind of cool. But what's really cool is to be the person to write that script or to be the person to write the tools that you use. And that's... So how do you get to that level? You have to learn how it works. You have to learn how it works. I can't possibly stress this enough. Security is really just all about knowledge. Like there's nothing... Computers are not magic. Has anybody ever told you that before? Maybe CPUs are. I still don't fully understand. I mean, I can draw a switch diagram or whatever, but how those electrons all move around and it still works. But in a computing system, from the software up, so from basically the assembly that the CPU executes, you need to fully understand all of that information. And that's really what it means when somebody calls you like a leet hacker. It's not just because you can do cool stuff. It's because you know how things work to the level that you can make them do what you want them to do. Have you seen the movie The Matrix? Like Neo. You're going to be at that level where you can control things. You can control The Matrix. You can see The Matrix code in front of you when you're looking at a binary. And I'm not making this stuff up, but it's not easy. You don't just wake up one day and have mad, awesome hacking skills. You have to put in time and effort to understand how things work. But when you do that, I firmly believe anyone can be a leet hacker. Like all it takes is knowledge. So you all have that inside of you.
I'm fired up now. What was that? I'm fired up now. Good. That was a good dip. So let's hack. Okay. So in the vein of knowledge, what happens... So has everyone coded a C program before? Most people? So what happens? So you write your C code. You want it to execute on the CPU. What happens next? Has anybody... There are some seniors in here. Have you ever gotten any of these questions in an interview? Like the famous one is basically, tell me everything that happens after you type www.google.com into your browser bar and then hit Enter. Tell me everything that happens. It's actually a really good question because it's almost infinite in what you can get and what you can do. Keypress, interrupt, driver, operating system, to the lookup, and then you have DNS and all kinds of stuff, right? So it's a similar thing that we're talking about here. So you write C code. We've all done it. We're all guilty of writing C. And then what? You compile it. What does that mean? A binary. How do you compile it? These aren't trick questions, by the way. Just so we're clear. I'm not trying to trip anybody up. What was it? GCC. You use a compiler like GCC. How does that work? What is its job? What does it do? Convert C code to the assembly level. So to turn C code into assembly, why does it do that? So that the CPU can understand. Your CPU, your processor, right? You've all seen a chip. It doesn't know anything about C. It couldn't care less about C. It doesn't understand C. All it understands is actually, well, ones and zeros, but you program that CPU with an assembly language. So you need a tool to translate from C code to assembly language. And then what? So what does your compiler output? What was that? What's an ELF binary? Like, it's a small binary? I'm sorry. Can I understand? Is that a linkable format? Executable and Linkable Format? Something like that. So besides the name, what actually is an ELF? See, this is when we start digging deep. This is what I'm talking about.
This is that knowledge of what actually happens. What is every single step that happens until that code actually executes? It's like tagged in it, like symbolic. It's tagged with things that are going to be resolved by the linker. Yes. So it kind of depends on exactly what ELF, if you have the executable format or the linkable format; executable is ready to go. But basically the way I think about it is that an ELF binary is the assembly code. So it's the translation of your C code to assembly, which has then been translated basically to hexadecimal, to raw bytes. And then that's essentially a file on your disk with some metadata, including symbols and all these other kinds of things, to actually allow the operating system to execute the program. So you've done that. So let's actually, you want to compile some stuff. So you probably can't type this, so don't worry about typing this either. I don't remember my password, so I'm just going to use my superpowers. So inside each of your home directories on this server, there is various C code. I think. It's just going to work. So you use gcc, and I'll be honest, your gcc is lying to you. So let's do calling_convention.c. So you can compile it. And what does it output? a.out. What is a.out? How do we figure out what a.out is? What is .out? .out means nothing. So one thing you have to abandon when you use a Linux system: file extensions are meaningless, 100% meaningless. On a Windows system, this would be .exe, which has a very specific meaning and means that it can be executed. On Linux, it doesn't matter at all. So how do we figure out what kind of file this is? Use the file command. Yes. So file is a command. So the question then is how does Linux know, if I just said extensions don't matter, how does it know what things to execute? And that is an ELF file. Metadata. So yeah, there's actually a sequence of magic bytes in most file formats to specify exactly what type of file it is. So I don't know. Did anybody else run file?
This is working. I see. It's because you didn't re-log in. You didn't re-run bash. I don't know my password and I don't want everyone to. Just do .exe. Oh, okay. I can do it. It's my... Yeah, it's this... You can do .exe. There we go. All right. I have to figure out why. Let's see this alias. Slide debugging, folks. Oh, it doesn't work on sudo. I should use .bashrc. Just sudo -. That doesn't have all the other options. It's going to be super annoying. Do you need those? Dately. All right. Yeah, so real quick, the big... You have to turn it on. Again, I don't know how to use microphones. So the big gcc command, we're taking some liberties as an introduction. It just turns off some security features that might be more difficult to navigate around for an introduction to this stuff. So we're just trying to give you guys a basic platform to start on. Keep pumping. What? So you're still... Oh, no. You guys really don't want that. What's your setting? Go. See? There we go. All right. Just to make sure everybody compiled their stuff, right? Nobody's having problems, right? Perfect. And then you ran file on a.out. Good. The correct words. Okay. We have an ELF 32-bit LSB executable. So basically, file is reading and parsing those magic bytes to figure out that it's an ELF file, and then it's parsing the ELF file format to extract all of this metadata that's contained within that one file. So it's telling us that it's a 32-bit program, which is actually pretty important, right? We want to know, is it a 64-bit or a 32-bit program? It has other things. We talked about linking. It's dynamically linked, which means it's using libraries that are going to be loaded at runtime. What are some of the interesting things? The "not stripped" at the end is kind of interesting, because somebody mentioned symbols that are in the ELF file format. So that means those symbols are still there. So how do I view... How do I peek into this binary and view the assembly code?
Disassemble it. Disassemble it. So you use GDB to debug it and get the code that way. What else? objdump. What was that? objdump? objdump. Yeah, so there's a tool, objdump, which is a great tool. The other thing I'm going to highly, highly rep is using a manual. So this is what... I think there are some students from my 545 class that are super sick of me telling them to read the manual for everything, and probably also people in the Pwn Devils group, because I've repeated that three times today. But the manual is your source of all information. If you're like, I don't know how this objdump tool works that Adam talked about. Well, you just run man space objdump and you literally get everything the developers want you to know about objdump. Every single option, links to other things that you can look up more information on. You can even search. So... It's a vi-like interface, right? Yes. Yeah, so you can use... So for you crazy vi people, you can use slash to start searching. Maybe... So you want to know how do I disassemble? Maybe you could spell it correctly first. So you can see that the dash lowercase d is disassemble and dash capital D is disassemble all. So that sounds promising. So let's do objdump -D a.out. What's going to happen next? What? It doesn't matter. Maybe pipe it to less, because we want to look at it, right? It's a lot of output. So how do we know what we're looking for in here? Because there's a lot of output. How do we know how to find what we want? Main. Main, let's look for main. We can search for main. There's actually a lot of mains. So there's a lot of other magic that you eventually need to know about. About how does the main function actually... So you're all used to writing a main function in a C program in order to have that be the first thing that your program executes. Right? I hate to burst your bubble, but that's not the first thing that executes.
So there's a whole bunch of other things that actually happen first in terms of libc and the linkers and all this kind of fun stuff. So that's why there's this __libc_start_main. But if you keep going, you will get to main. So then what is this stuff? Like what are we looking at here? x86 instructions. Yes, so this is not... When you learn assembly, you guys learn MIPS, right? Yeah, MIPS. So some things do use MIPS. So it's useful to learn MIPS. But every single laptop in here is running x86 or x86-64. What are your phones running? ARM. ARM? Yeah, so that's another one you have to learn. So actually, that can be very annoying as a security person, that you have to learn all these different assembly languages. I think you would agree. Very much so. Yes. I remember one big CTF we got there and it turns out everything was in ARM, and I was like, I spent the next 48 hours reading manuals and doing all that stuff. But it's much better to prepare in advance. Cool. Okay, so how do we interpret this output? So we said it's x86 code. So is this 80483CB an x86 instruction? What is it the address of? So what's the middle column here? Up? Well, yes and no, I could say. Is it the address of the instruction? The middle one? Oh, so on the left, what about in the middle? What's this 55? Yeah, the hex representation of the opcode push ebp, right? So on the right is the decoded instruction. So a hex value of 55, if the CPU sees that where the current instruction pointer is pointing, that means push ebp. And 89 E5, these are not things you have to memorize though, so this is something I should say now. So when I said knowledge, it does not include compiling things from memory, yes. So that 55 is the hex representation of the actual, like, the ones and zeroes of the instruction, the entire instruction. Yes, exactly.
So, and specifically on the left, we have the address where basically part of the metadata in the ELF header says, when you load this program into memory, make sure that location 80483CB is the hex value 55. And make sure that at address 80483CC are the two hex values 89 and then E5. And you can actually verify this yourself in the fact that, for all of these memory addresses, the delta there is exactly the size of each of these instructions. Just to clarify, by size of instruction, the instruction size is not 55. Each of these is a single byte, and so in case you guys didn't know, it's a representation of a byte. And if you look on the address side, what he was pointing to before, the location of the instruction, that is four bytes long, and that's why it's a 32-bit ELF binary. So what is the range, so how many addresses can you reference in a 32-bit program? Two to the 32, right? You can go from zero all the way up to, well, FF FF FF FF. What about a 64-bit system? Yeah, a lot more. So that's actually the important thing to remember. The key difference between these different architectures is the size of pointers. A pointer is essentially an address in memory, and we know that a memory address can be four bytes or 32 bits. Yeah, that was a good point. Cool. Yeah, so each of these is eight bits, or one single byte, in the middle, and these are the actual values there. Cool. Anything else I'm missing? Because that was good. I think that's not all good. Cool. I mean, it's not going to hit ourselves. So we are going to play a game. I like games. I like prizes, except for the prize of knowledge. Knowledge. So if you run the score command, whoa, I did not test this with 450 people. That does work. Okay. You are all at level one, which is the first level. I guess you've cracked level zero, so good for you for being logged onto the system. Me versus the Soda world. Okay. So the idea is we have, in /var/challenge, we have a series of levels: level one, level two, level three, level four.
So what's inside the level two directory? Twenty dollars for the first person that tells me in the next two minutes. What's the question? What's inside the directory /var/challenge/level2? Maybe. Da, good try. That was a good try. Level two executable? No. What's the size of the level two executable inside of the level two directory? And I have twenty dollars down there. I'm good for you. One more minute. I'll be upset if somebody's ultimate at the end of the time. I knew that was a risk, but... All right, time's up. You all lose. Sorry. That's tough. I can't win all the time. Yeah. Plus, yeah. I knew somebody would get it, but... All right. So why couldn't you find out? No permissions. What? Permissions. What are permissions? Nonsense. Access control, garbage, gibberish. Specifically, what's the technical reason why you could not list the files? So, A, do you know that a directory exists called /var/challenge/level2? Yes. Why do you know that and not know the contents of the directory /var/challenge/level2? We can run the list command on the challenge, the parent directory of level two. Yeah. So it all comes down to access control, permissions. So this is how I can give all of you access to this server and verify that you're not going to... Well, not verify, but I have some assurance that you're not going to completely crash and hose my server. Or let's say there's a Bitcoin wallet under /var... Don't look at me like that. So let's say there was one in /home/adamd, right? But I let all of you monsters onto my machine. And so what am I... What's my... So I'm relying on the permission system of Linux to enforce the fact that I say that nobody can view my home directory. So my home directory, if you go to /home/adamd, you'll see that... So you've got to look at the dot directory, and the way... Well, okay, let's go back to /var/challenge. So the reason why we can do this is because /var/challenge...
So we have to look at the permissions on the left-hand side of ls -la. So ls -la, that l is to list all files, including ones that start with dot. Is that right? Yes. So long. l is long, to list this output. l is the other way, and a is to list all files. Yes, there's actually a reason behind those things. So who owns the /var/challenge directory? Group. So the... What is this? One, two, three. The third column is the owner of the folder, and the fourth column is the group owner of the... So if you run the id command, which is a good command to know, this tells you who you are. Actually, there is also whoami, but id gives much more information. So id says that I am user id adamd, and because it's an operating system, who would refer to people by actual names? Computers hate strings and names. They just want to refer to people by numbers. So I'm number 1002 according to the operating system, and I'm in group id adamd, and I'm also in the groups adamd and level1. So can you tell me, for no money, what's inside the /var/challenge/level1 directory? So how can you see this and not level 2? Because the permissions of the level 1 directory... So if you were the challenge user, you can list... So the challenge user owns all of level 1, level 2, level 3, level 4. If you become the challenge user, you can see into these directories because they are readable, writable, and executable by the challenge user. Where are we going to exactly what they mean? The dash is basically empty. So this means that for the level 1 user it is readable and executable, which means you can list the files there, but you can't go and create a new file in that directory. Go ahead and try it. You can't do it. You shouldn't be able to. Even though you're a level 1 user. And the last three dashes mean everyone else on the system. So if you're not the user, you're not the group, you are effectively everyone else. So then when we do ls -la /var/challenge/level1, so how do we actually become level 2?
How do we get to that beautiful level 2 group? One gets what we want. What was that? You tricked the one executable into somehow using the... Yeah, so, okay, a slight detour. But when I run ls -la, what user is that running as? So every process on a Unixy system is running as a user. So when I run ls, who is it running as? It's running as adamd. If you're curious, you can run htop, I think, but I restricted it again so you can only see your own process running. I think I'm at the boot of a new one, because I don't think I can become sudo in there without the password. Yeah, see, I don't have the password. Yeah, yeah, just a second. I just want to show them their stuff. So I can run this as sudo. So you can see, let's see, who's my favorite? So, see, somebody, soda132 is running vi, looking at probably the one binary. And you can see that it's running as user soda132. But I'm not going to get super into it, but there are things that the operating system wants to do. For instance, what's a good example? So basically everything you run runs as your user. But an administrator may want to create a program for you to, let's say, change what shell you're using when you log in from bash to something else. So you can easily do that with the chsh program, which, if we look at it, is at /usr/bin/chsh. And what this does, just a very quick overview, is this is going to add the user. One of the things it does is edit the /etc/passwd file. So if you can actually look at this, there's a lot of you. All of your shells are /bin/bash. If you wanted to change that, you run the chsh program, input your password, and it will alter it. So can I edit the /etc/passwd file? Right, because I'm not root. Only root can write to this file. But if I run chsh, I can change that file. How come? Because the administrator and the thing that should tip you off, bash is even showing you that /usr/bin/chsh is in red.
That this bit, the owner execute bit, has an s instead of an x, which means that binary is setuid, which means when it executes, it's running as root. So I can show you this. I run /usr/bin/chsh, and then in another terminal, I can ship, ah, stop doing stuff. Oh, no, stop. Somebody's looking at a man page. They're looking for binary points. Awesome. So you can see the chsh is running as root, even though I ran the program. And that's why the chsh program can edit the /etc/passwd file. So that's a digression. Now when we look at the level one folder, what is this one binary? Yeah, so it's not setuid on the user. There's no s on the execute bit for the user, but there is an s for the group for level two, which means when this program executes, it executes with the permissions of group two. And so what your goal is to do, essentially what you need to do is to trick this executable to add you to the group level two. Because that's kind of annoying, I made a program called leet, which you can run. You can run it now. It's not going to do anything because you don't have a group ID. But if you trick level one into executing this leet, /usr/local/bin/leet, then you will get to level two. So do it. You know what level one's code is? Yeah, I gave this C code. So look at it. That's what was up here. Let's walk around. Oh, I do want to mention real quick that just for these challenges, something that might be obvious to some people, but wasn't really obvious to me when I started, was that always trying to identify what your goal is with the challenge. Like in this case, our goal is going to be to set the UID, to call whatever setuid or leet in this case, and try and get ourselves to the level two group. And I kind of try and work backwards from there to see what could possibly get me there. And that always helps me out. Just a bit of advice. If you're reading the C code, you don't know what a function does. Yes, use the man page.
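The permission bits and the setuid/setgid markers discussed in this part of the talk, as an added example that is not part of the original talk or of the workshop server's code: a small C program that parses the 10-character mode column that ls -la prints, flags an s in the owner or group execute slot, and decides whether a given user (modelled on the id output above: user adamd, groups adamd and level1) can list a directory. The listing lines, owners and groups it uses are constructed to resemble the server described, not copied from it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Parsed view of the 10-character mode column that ls -la prints. */
struct mode_info {
    char type;       /* '-' regular file, 'd' directory, 'l' symlink, ... */
    unsigned perms;  /* plain rwx bits for owner/group/other, e.g. 0755 */
    bool setuid;     /* 's' or 'S' in the owner execute slot */
    bool setgid;     /* 's' or 'S' in the group execute slot */
};

/* Parse e.g. "-rwsr-xr-x". Returns false if the string is malformed. */
bool parse_mode(const char *s, struct mode_info *out)
{
    if (s == NULL || strlen(s) != 10) return false;
    memset(out, 0, sizeof *out);
    out->type = s[0];
    for (int i = 0; i < 9; i++) {
        char c = s[1 + i];
        unsigned bit = 1u << (8 - i);   /* owner r = 0400 ... other x = 0001 */
        int slot = i % 3;               /* 0 = r, 1 = w, 2 = x */
        if (c == '-') continue;
        if (slot == 0 && c == 'r') { out->perms |= bit; continue; }
        if (slot == 1 && c == 'w') { out->perms |= bit; continue; }
        if (slot == 2) {
            if (c == 'x') { out->perms |= bit; continue; }
            /* lowercase s: setuid/setgid plus execute; uppercase S: the special bit without execute */
            if ((c == 's' || c == 'S') && i == 2) { out->setuid = true; if (c == 's') out->perms |= bit; continue; }
            if ((c == 's' || c == 'S') && i == 5) { out->setgid = true; if (c == 's') out->perms |= bit; continue; }
            if ((c == 't' || c == 'T') && i == 8) { if (c == 't') out->perms |= bit; continue; }  /* sticky bit */
        }
        return false;                   /* anything else (including 's' in the other slot) is not valid */
    }
    return true;
}

/* Small wrappers so callers can check the flags without touching the struct. */
bool is_setuid(const char *mode) { struct mode_info m; return parse_mode(mode, &m) && m.setuid; }
bool is_setgid(const char *mode) { struct mode_info m; return parse_mode(mode, &m) && m.setgid; }
int  mode_perms(const char *mode) { struct mode_info m; return parse_mode(mode, &m) ? (int)m.perms : -1; }

/* Who is asking: what the id command reports. Constructed to match the talk's adamd user. */
struct principal { const char *user; const char *groups[4]; int ngroups; };
const struct principal ADAMD = { "adamd", { "adamd", "level1" }, 2 };

/* Pick the triple the kernel would apply: owner first, then group, else everyone else. */
static unsigned effective_bits(const struct mode_info *m, const char *owner,
                               const char *group, const struct principal *p)
{
    if (strcmp(p->user, owner) == 0) return (m->perms >> 6) & 7;
    for (int i = 0; i < p->ngroups; i++)
        if (strcmp(p->groups[i], group) == 0) return (m->perms >> 3) & 7;
    return m->perms & 7;
}

/* ls -la on a directory needs read (to see the names) and execute (to stat each entry). */
bool can_list_dir(const char *mode, const char *owner, const char *group, const struct principal *p)
{
    struct mode_info m;
    if (!parse_mode(mode, &m) || m.type != 'd') return false;
    unsigned bits = effective_bits(&m, owner, group, p);
    return (bits & 04) && (bits & 01);
}

int main(void)
{
    /* Constructed listing in the shape of the talk's server; not real output from it. */
    struct { const char *mode, *owner, *group, *path; } ls[] = {
        { "drwxr-x---", "challenge", "level1", "/var/challenge/level1" },
        { "drwxr-x---", "challenge", "level2", "/var/challenge/level2" },
        { "-rwxr-sr-x", "challenge", "level2", "/var/challenge/level1/1" },
        { "-rwsr-xr-x", "root",      "root",   "/usr/bin/chsh" },
    };
    for (size_t i = 0; i < sizeof ls / sizeof ls[0]; i++) {
        printf("%-24s %s%s%s\n", ls[i].path,
               is_setuid(ls[i].mode) ? "[setuid] " : "",
               is_setgid(ls[i].mode) ? "[setgid] " : "",
               can_list_dir(ls[i].mode, ls[i].owner, ls[i].group, &ADAMD) ? "adamd can list" : "");
    }
    return 0;
}
```

The owner-then-group-then-other rule is why adamd can list level1 but not level2: the two directories carry identical bits, and only the group column differs. The same parser doubles as a quick audit helper, since any entry where is_setuid or is_setgid comes back true is a program that runs with permissions other than the caller's.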
You can get so good you can actually, I know this is shocking, not use the internet and Google when you're coding. I know. Also guys, I'm here to help. So if you guys need help, just ask. We're going to get it in right now. This is not just running a wall. So happy to have the answers. So that's it. Thank you. Thank you. So, the cases of the race and the rules are challenging. The level one is right. There's three rules. The one is probably the right one. And so, I think it depends on the ideas that you don't get to try and see what we can do to get ourselves to the level two group. And because we have the level two group, the level two is not exactly right, but because we have the level two group, if you wouldn't use the program right, then you would see that the rest is set for the level two. So this program, I think it's worth asking. So if you somehow get this problem, then I'll send you an idea. Sorry, if you can get this problem to the level two. Then it would actually be a little bit of a challenge. And then the answer is, you know, where you are trying to get the level two. So, that's it. I love what you're talking about. What's the, what's the, so, is there any questions? I'm just trying to get the questions right. Oh, you have a question? Okay, I'll get it all. I'm going to choose the other team. It seems pretty much a deal. Well, you can get it as a challenge. I'll get it all. Let's do it the way I know. This is very easy. I think I already know how to come up with it. Okay. I'll try to possibly do it. Yeah, I don't know. Anything else? Like, let's do this. Yeah. So, but I think you can pretty much guess what comes around. Because you're level one. Yeah. So, things that have been in one time. So, talk about, right, you see how it has been. Yeah. Oh, yeah. Sorry. Okay. I'm going to show you. Okay.
Okay. That's because your bash, the process that you logged in with, doesn't have that view. So you need to either log in again or you can run a bash. That's a good point. So when you do break the level, if you're trying to go on a level 2, you need to usually log out or log back in. Because if you run id, you'll see that you don't have the level 2 permission to log back in. But if you're in score, you'll see that you broke the level and you got it. That's a good point. You don't have to worry about logging out. This is shelter. I'm going to sit down. Thanks. It can't be true. Can I do that? Yeah. Oh, no. No. I think that you just made a call. I can make it sound like it's public. I just wanted to make it sound like it's public. Okay, so in the meantime, can you make it sound like it's public? No. I could personally press this button. Yes, that's better. Now, right, and then press this button. Yeah, it's public. Okay. If you could, do this again. You have a popsicle of that, okay. Now, let's get down. And I guess, you know, I, uh, I think it might be much worse than I thought it would be, but I'm not sure how much I can do. I don't know. So I'll be in the top of the show. Oh, wait. I can't get it out of here. Oh, you just do the beat. It's a nice thing, because otherwise, the guy himself will be very annoying. Yeah. Okay, I got it. So I should be able to... You think they may really have to take out what's going to happen? I guess you don't know what they're doing with this. Okay, has everybody solved level one? A bunch of people solved level one. So, I'm going to spoil it. You just need to run /var/challenge/level1/1, and then what do you pass in as the parameter? Oh, you can't see the projector? Is that a problem? You have to leave.
So, what do you pass in as the parameter? The path to leet. The path to leet. So, user, slash user, slash bin, local, or /usr/local/bin. What is it, leet? I'm the wrong user. I guess so. Yay! And now I'm the last one in level two, great. So, it's ordered by time. I actually, as many of you know, I can't check out /var/challenge/level2 yet because I need to basically log out and log back in, which is not going to be good. Okay, so now I can finally look at that. Okay, so to understand what level two is, we need a very brief introduction to my beautiful drawings and to the stack, yes, I know some of you. This is bringing back bad memories. Okay, so first we need to look at our, I'm going to look at our calling convention .c file, which I already compiled. Okay, let's look at this function, callee. So we're going to look at this and we are going to draw what's happening. So first off, we're going to talk about the stack. So the stack, as we will draw it, starts with all F's at the top and grows down. So when we push things onto the stack, it's going to go down and when we pop things off, it's going to go up. Stack is your standard stack data structure, but the stack itself in your process is a part of memory. So let's say your stack pointer is here at, maybe that's too low. So let's go through. Once this function callee starts executing, what's this first instruction here? What does push ebp mean? Push the base pointer. So EBP is a register. The important thing to remember is the CPU only has registers and memory. It has nothing else. There's no such thing as variables. It's all just hex, which is actually kind of nice when we think about it, because all these abstractions go away. So when we push EBP, that means there must be some value. We'll call it the saved base pointer or saved EBP of whoever called us. So the first thing that we do is put saved EBP on the stack and now the stack pointer points here. And then we move the stack pointer into the base pointer.
So we have, now we're setting up our new variables ESP, EBP. We're going to do some stuff. We're going to skip over this part. And we're going to get to the end where now we do pop ebp. So what is a pop ebp going to do when the stack pointer points here? Yeah, move the stack pointer up one and put whatever's in saved EBP in this memory location into the base pointer address. Does it change this value on the stack? Does it zero this out? No. No, why would it do that? That's an insane optimization, right? Because it's going to reuse it later on. We just popped it, right? That's basically garbage. And now it's going to return. What's a RET instruction? Go back to whoever called you. How does it know how to go back? Not the base pointer. Because the base pointer, this saved base pointer was already, so we have a base pointer to use for function frames. We'll go to that in a second. Yeah. Does it pop the return address? The return address. So in this, what actually we missed a step here before we actually started executing this function, the stack here looked like this, and actually we cheat up here, we can see that there's this value of 0xA on the stack, above that 0x28. And we have this call instruction to call 0x80483bb. What are the semantics of the call instruction? Semantics, these are the things that you actually don't even know what the bytecode version of call is. What we need to know is what does that actually mean? What actually happens semantically to the processor and the memory when the CPU executes a call instruction? It's going to jump. So it's going to change. EIP is our instruction pointer in x86. So that points to the current instruction. And basically it says, set the instruction pointer equal to 0x80483bb and that's how callee starts executing. What else happens? Push onto the stack the next address to be executed. So in this case it's 0x80483da, the instruction after the call instruction. So it's going to push 0x80483da.
So the stack pointer points to here. We then go up here, we do push ebp. All this stuff happens. We then pop ebp. The stack is going to be in exactly the same place right before the return instruction. So then what happens with the return instruction? What are the semantics of a return instruction? Go back to the caller because it has no idea what the caller is. The CPU only knows registers and memory. Yes, change the instruction pointer to whatever, it's basically a pop EIP. So take wherever the stack is currently pointing, take that value, those 4 bytes, put them in the instruction pointer and start executing from there. So what will happen is the stack pointer will increase, it's going to point to here and then it's going to start executing right here. So this is your crash course in buffer overflows. So let's create a function that, when it's executing, so we'll change this callee function to have some arbitrary amount of value on the stack and let's say there's a buffer located here at, this is the base pointer, EBP, buffer is at EBP minus 0x10. And the stack pointer is going to point all the way down here. So, how are buffers in C? Anybody written code in C with a buffer? Yes. What buffer means character array? Character array, also called a buffer, known by many names. So character bracket, the size and then the name of the variable. So what prevents you from writing 100 bytes into a character array of size 50? Can you do it in Java? No. Why not? Why is it strongly sized? It's close. The runtime checks. The runtime checks, every single array access in Java checks, is this access within the bounds? Is it greater than zero and is it less than the size? Whereas in C, there's nothing that prevents that. All you have are pointers to memory. And so there's nothing stopping you, even if this buffer is supposed to be size 10 on the stack.
If you copy something of size 100, what's going to happen is the CPU is just going to start writing bytes into memory, overwriting bytes. And then what happens if it overwrites this saved instruction pointer on the stack? It doesn't know that it can address it. When we finally get to that return instruction in the program, that will crash the program because it's going to try to access some random bytes. What if we are incredibly clever, and we've written some, what we'll call shellcode, some code, and we've injected it into the process. So rather than random bytes here, we have bytes that get us a shell. So as you can maybe see, I had 100 slides prepared. Our shellcode is actually going to be very similar to what we wanted. It's going to call execve /bin/sh to get a shell. So /bin/sh is called the shell program. What we want to do is get a shell because that shell has those setuid permissions that we talked about in the beginning. So we can create using assembly some super cool shellcode that has no nulls and no newlines, which will do that. And if we get that shellcode, copy it into the process and then change this instruction, the saved instruction pointer on the stack, to point to wherever this memory location is, where the start of that shellcode is, we can start executing code there. So basically the next series of levels walk you through this. So you can see that 2.c actually already has the shellcode in there. So I've written that shellcode works. There is some address. You're trying to execute that shellcode. So you want to execute this shellcode, which exists on the stack. So this is simulating the first part of a buffer overflow where you have shellcode on the stack and you need to figure out what set of address that goes in there. You have 10 minutes. Do level 2. You can do it. I know you can. We'll all walk around. I'd like to go out to the side of the bunker. Oh, shit, I got 30%. Ah, shit. I'm running off to the other corner. There you go.
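The frame layout drawn on the board (saved EIP pushed by call, saved EBP pushed by the prologue, a buffer at EBP minus 0x10) and the overflow just described, as an added example that is not part of the talk or of its challenge code: a toy 32-bit stack in C that executes call, push ebp, mov ebp, esp, pop ebp and ret with the talk's addresses 0x80483bb and 0x80483da used only as labels, then copies an input into the 16-byte buffer once without a length check and once with one. It stops at showing which value ret pops; there is no shellcode, and the 24-byte input, the caller's frame pointer 0xAAAAAAAA and the 5-byte call encoding are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy 32-bit x86 stack: 'mem' is the stack region and addresses are byte offsets into it. */
#define MEM_SIZE 256
#define BUF_SIZE 16            /* the callee's local char buffer, living at ebp - 0x10 */

/* Instruction addresses borrowed from the talk's disassembly; here they are only labels. */
#define CALLEE_ADDR   0x080483BBu   /* target of the call instruction */
#define RETURN_ADDR   0x080483DAu   /* the instruction after the call */
#define CALLER_EBP    0xAAAAAAAAu   /* constructed stand-in for the caller's frame pointer */

struct cpu { uint8_t mem[MEM_SIZE]; uint32_t esp, ebp, eip; };

static uint32_t rd32(const struct cpu *c, uint32_t a) { uint32_t v; memcpy(&v, &c->mem[a], 4); return v; }
static void     wr32(struct cpu *c, uint32_t a, uint32_t v) { memcpy(&c->mem[a], &v, 4); }
static void     push(struct cpu *c, uint32_t v) { c->esp -= 4; wr32(c, c->esp, v); }
static uint32_t pop(struct cpu *c) { uint32_t v = rd32(c, c->esp); c->esp += 4; return v; }

/* call: push the address of the next instruction, then jump to the target. */
static void x86_call(struct cpu *c, uint32_t target, uint32_t next) { push(c, next); c->eip = target; }
/* ret: pop whatever is on top of the stack into EIP, trusting that it is still the return address. */
static void x86_ret(struct cpu *c) { c->eip = pop(c); }

/* Prologue: push ebp; mov ebp, esp; sub esp, 0x10 */
static void prologue(struct cpu *c) { push(c, c->ebp); c->ebp = c->esp; c->esp -= BUF_SIZE; }
/* Epilogue: mov esp, ebp; pop ebp; ret */
static void epilogue(struct cpu *c) { c->esp = c->ebp; c->ebp = pop(c); x86_ret(c); }

/* What the caller sees after the callee returns. */
struct frame_result { uint32_t eip, ebp; bool rejected; };

/* Run caller -> callee, copying 'len' input bytes into the 16-byte buffer. With bounded == false
 * the copy behaves like strcpy/memcpy with no length check; with bounded == true it refuses
 * oversize input, which is the fix for this class of bug. */
struct frame_result run_callee(const uint8_t *input, size_t len, bool bounded)
{
    /* eip starts at the call instruction itself, assumed to be the 5-byte encoding. */
    struct cpu c = { .esp = MEM_SIZE - 8, .ebp = CALLER_EBP, .eip = RETURN_ADDR - 5 };
    struct frame_result r = { 0, 0, false };

    x86_call(&c, CALLEE_ADDR, RETURN_ADDR);   /* saved EIP now sits just above the callee's frame */
    prologue(&c);                             /* saved EBP, then 16 bytes of buffer below it */

    uint32_t buf = c.ebp - BUF_SIZE;
    if (bounded && len > BUF_SIZE) {
        r.rejected = true;                    /* check the length before copying: nothing is written */
    } else {
        if (buf + len > MEM_SIZE) len = MEM_SIZE - buf;   /* keep the toy inside 'mem'; a real CPU would not stop */
        memcpy(&c.mem[buf], input, len);      /* bytes 16..19 land on saved EBP, bytes 20..23 on saved EIP */
    }

    epilogue(&c);
    r.eip = c.eip;
    r.ebp = c.ebp;
    return r;
}

/* Convenience for checking just the instruction pointer that ret produced. */
uint32_t eip_after(const uint8_t *input, size_t len, bool bounded) { return run_callee(input, len, bounded).eip; }

/* Constructed inputs: one that fits the buffer, one that runs 8 bytes past it. */
const uint8_t SHORT_INPUT[8] = { 'h', 'i', ' ', 't', 'h', 'e', 'r', 'e' };
const uint8_t LONG_INPUT[24] = { 'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
                                 'B','B','B','B',             /* overwrites the saved EBP */
                                 0x44, 0x43, 0x42, 0x41 };    /* little-endian 0x41424344 overwrites the saved EIP */

int main(void)
{
    struct frame_result ok  = run_callee(SHORT_INPUT, sizeof SHORT_INPUT, false);
    struct frame_result bad = run_callee(LONG_INPUT,  sizeof LONG_INPUT,  false);
    struct frame_result fix = run_callee(LONG_INPUT,  sizeof LONG_INPUT,  true);
    printf("8-byte input,  unbounded copy: ret -> 0x%08x, ebp = 0x%08x\n", ok.eip, ok.ebp);
    printf("24-byte input, unbounded copy: ret -> 0x%08x, ebp = 0x%08x (control flow hijacked)\n", bad.eip, bad.ebp);
    printf("24-byte input, bounded copy:   ret -> 0x%08x, ebp = 0x%08x, rejected = %d\n", fix.eip, fix.ebp, fix.rejected);
    return 0;
}
```

The unbounded run returns to 0x41424344, the four bytes that happened to land where the saved EIP was, which is exactly why a too-long input crashes the program (garbage address) or, in the scenario the talk describes, redirects it. The bounded run returns to 0x80483da with the caller's EBP intact; on a real system the equivalent fix is a length check before the copy, or copy routines that take the destination size.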
Thing was amazing about this. So thank you. Thank you. I can't do it. I was like general, we don't want to go on that. So it could happen. Yeah. So in that address, you know we need to put, uh, yeah, we'll sort of, like, um, and then, uh, but in much more detail, what distance you have is probably more fun by this point. I forgot how to use this. Yeah. So, y'all, yeah, there are... Those are just a bunch of interviews, but there's still good videos to see. But, yeah, we don't record our meetings. Go ahead. Oh, yeah. That's a little bit... Actually... I think... Some of them, please. But, yeah. If you don't know, go see them. Come to the meeting. Come to me also. To the drama studio. And then we'll have a discussion. Oh, are you not in set? What is this? So, what is this? Oh, you want to... This is less than I expected. We want only us. Okay. Well, what's with David's probably just he was working while he was performing today and he's also been working with us today. So that's how you combine your past function and the function and see that I didn't connect you to your perfect oriented sense of mind. So I'm going to get you to afford it to the center people. You know, I'll leave this all to you. Thank you. Thanks. No, that's not 60. No, it's not 60. Yeah, I'll take it some resources to be on the site and show you real quick the tools we have. Actually, the packing is pretty good there. So this kind of action actually has a lot of material is going to cover. Okay. No, these aren't done yet. Okay.
Eventually we'll add more stuff here. Yeah, this goes over a lot of things. Absolutely. You do. So I found out that I put 60 Q in left. I think I'm going to put it in the right. Okay. Alright, folks. We are reaching the end of our time together here. We will be kicked out very, very soon. Before you go, I want to say a couple of things. A, thanks for coming. B, what was I going to say? Yes, it was that I'll keep this up for like a week over spring break or something, so you can play with it. I'll take it down in about a week. Also, if you bug me about it, I'll try to release the source code. I'll also upload this video, so if you want to go back to anything, you can go back to it. The other thing that'll really help you with this, so my website is pwndevils.com. It's super difficult to remember, and not only does it have information about us, the club, but it has a super awesome how-to-hack section that Will put together based on this material, which has basically literally everything I was going to cover in my slides in a much better form online that you can read and understand at your own pace. There are fun buttons to click, including a workable x86 stack in JavaScript, which is actually, I'll tell you because you're all computer nerds, this is actually not just an animation. This is JavaScript code that is interpreting these x86 instructions and executing it as if it was a stack. Is that true? Can I look at this and show them? I mean, yeah, you can. I mean, if I show them this, yeah. So as Adam's doing that, the website, the front page, will allow you to join our mailing list and our Slack, and it'll tell you, well, I email all the meeting times. Whatever, we meet, we have free food there. If you want to learn more stuff before coming to the meetings, you can come look at the website and come to the meeting and tell me how terribly it was written.
So this is that calling convention example, so you can walk through this and see exactly what's happening. I should have just brought this up. I don't know why I decided to do anything else. That can walk you through everything. So like I said earlier, all the resources are out there. There's not only this, obviously we're plugging our own stuff, there's lots of resources out there. You know enough knowledge now to be dangerous and Googleable, so you know what to do before buffer overflows, smashing the stack. And thanks, and thanks again to Soda for hosting this event with us. I... alright, one last thing. So give a round of applause to Dr. Doupé, and as you guys leave, we have one last treat for you. We have a lot of the Google gift cards left over from one of our previous events, so as you walk out, we have stickers, Google gift cards for Google web services that they'll be handing out. It's limited to per person. If you already got one at the previous event, you can leave to your account, but they will be handing them out on the way out.