Hey there internet, my name is John Hammond and this is more PicoCTF, back at the Binary Exploitation category in level 2. Kind of backtracking, because I still think that Shellz for 55 points is actually the challenge that's supposed to come after Shells (with an S) for 70 points, because it says you no longer have an easy thing to call, but you have more space. "Program: shells and source, connect on the remote link here." So let's go ahead and download these files. I've got them set up in a directory I've created for this challenge. Let's go ahead and grab them and we can take a look at what the hints say here. They say there's already a bunch of pre-existing shellcode out there. So, okay, let's take a look at what we've got here. We've got a binary and some code. So let's take a look at the source code. It looks to be identical to what we were working with before. However, we no longer have that win function that we could just easily call, and the amount of stuff we're taking in is 40 bytes now rather than 10. So we can't do that easy "okay, push the memory address on the stack, return, essentially call that function". We've got to do something else here.

So initially I tried to go through this with the pwntools method that I was explaining in a previous video, or just discussing: that we can, if we wanted to, use pwntools, import pwn, then pwn.shellcraft to try and craft our own shellcode with the architecture that we're working with, and we can check out the binary here again: Intel 386 and Linux. So i386 Linux. We could just run cat and then pass in the argument flag.txt to try and generate shellcode to do that operation, then pwn.asm to wrap that and get it in the opcodes, and then we could just have Python spit this out and work with it. However, I did not get that to work when I worked with this binary here. I'll show it to you. We've got it out on standard output, pipe it into shells once we mark that as executable. Cool.
So now that we've got that done, we can pump that into the binary. However, I just get a segfault and I end up not getting a flag.txt, which, even if I had it, wouldn't display out on the screen, as you can see. So that didn't work for me, but I point you to that in case sometimes it does. I think the pwntools library for generating shellcode does some strange things, and for odd reasons, and I don't know why, so it's not always trustworthy, but worth trying.

The other resource that I recommended and suggested earlier was shell-storm, and in this case, where the challenge hint tells us that there's a bunch of pre-existing shellcode out there, let's go ahead and take a look at what we've got here: the shell-storm Shellcodes database. It's just shell-storm.org and shellcode. And again, they are organized by architecture, system, blah blah blah. So we've got Linux as the category here. We're not working on an ARM processor; we're working on an Intel 386, so x86 is just fine, and then we'll start to see what options we have here. What can we run? We can do some simple Caesar cipher rotations, chmods, reverse TCP, reverse shells, blah blah blah, binding ports, etc., fork bombs, and there's a lot here. So some cool options, and we only have 40 bytes, keep in mind. So we wouldn't have been able to do some of these when we were only able to pass in 10 bytes in the previous challenge, but we can do some good stuff in this one.

So as I kept scrolling here, I found one that does something that I know will work well, and that is executing /bin/bash with the -p argument, and I know that that is just trustworthy for some reason: when we run /bin/bash, and you've got some sh and -v there, it always seems to keep a stable shell for me. So that's 33 bytes.
It says right here. So I figured, okay, let's take a look at what this code is. They showcase it in what it's actually running for the assembly, and it gives us just the opcodes right here as a string. So I'm gonna go ahead and copy and paste this. I'll open up Sublime Text, I'm gonna use some Ctrl+H to find and replace, get rid of all those space characters, pretty easy, Ctrl+Enter to find them all, remove all those quotes, and then let's remove newlines, so I can copy and paste that and just Python will work with that, super easy, print. And now we've got /bin/bash rolling.

Okay, so let's try it for our local binary: ./shells, and it doesn't error, but it doesn't give us a shell. So we're wondering why that is. However, there's an interesting thing here, or a phenomenon that's occurring, where the shell is opening, not knowing that it can read in inputs, and just crashing and dying on us. So what we can do is, before we pipe all that output into the binary, if we wrap it in parentheses and actually put a semicolon here followed by cat, cat will keep our standard input, or that buffer, open for us. So the shell will stay in existence and we can actually interact with it. So if I hit Enter on this, you can see the program ran through, it took in our input, and now a shell is actually occurring. So I can type here, it'll do things. Okay, getting /bin/bash errors, ps is not a command, but other commands are. So if I wanted to, we could cat, not flag.txt; we'll do that for the remote service now.

Now that we've got that exploit and that payload working, let's go ahead and take the actual connection. I don't know why I downloaded that. Whoops. Take the connection string, paste it, netcat to it, and now we've got a shell on the remote box. We've got some cool files here, with shells, with an ASLR (address space layout randomization) wrapper, etc., and flag.txt.
Let's check out what that is: cat flag.txt, and we've got it. Cool. If we wanted to, we could just save all that as, like, a getshell script. We don't need to get the flag in this case because we've already, like, rocked this challenge, in that we have shell execution. So let's go ahead and just do that: /bin/bash, easiest shebang line. Well, I failed there. Stupid me did not paste the entire command, and... whatever. Okay, now we're rocking. Cool. So we can mark that challenge as complete, we can go ahead and submit the flag, and we are good, up another 55 points on the scoreboard. However, it should have been 70 because of that weird challenge conflict, but whatever.

Quick special shout-out to the people that support me on Patreon. Thank you guys so, so much. $1 a month or more a patron will give you a special shout-out just like this at the end of every video. $5 or more a patron will give you early access for any release on YouTube before it goes live. If you do like this video, please do like, comment and subscribe. Link in the description to our Discord server; please come hang out with me, cool community of CTF players, programmers and hackers. I'd love to see you guys on Patreon and I'd love to see you in the next video. I hate doing that, but I have to put food on the table and stuff, you know.
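As an added example (not code from the video, from PicoCTF or from shell-storm), here is a small Python helper that does the manual Sublime Text clean-up step above programmatically: it turns a shell-storm style quoted "\xNN" literal into raw bytes, rejects stray characters that a copy-paste would otherwise smuggle into the payload, and checks the result against the 40-byte read the challenge source describes. The sample literal is a constructed NOP/int3 stand-in, not real shellcode.

```python
"""Unescape a pasted C-style "\\xNN" literal and check it against a fixed buffer.

Added example for the walkthrough above; BUFFER_SIZE mirrors the 40-byte read
mentioned in the video. Nothing here runs or sends a payload.
"""
import re
from typing import NamedTuple

BUFFER_SIZE = 40  # bytes the challenge binary reads, per the video

_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')


def unescape_literal(text: str) -> bytes:
    """Convert a literal such as '"\\x90\\x90"\\n"\\xcc"' into raw bytes.

    Quotes, spaces and newlines (the things removed by hand in the video) are
    ignored. Anything else that is not a \\xNN escape raises, so a stray
    semicolon or comment fragment cannot silently become part of the payload.
    """
    leftover = re.sub(r'[\s"]', '', _ESCAPE.sub('', text))
    if leftover:
        raise ValueError(f"unexpected characters in literal: {leftover!r}")
    return bytes(int(h, 16) for h in _ESCAPE.findall(text))


class Check(NamedTuple):
    payload: bytes
    length: int
    fits: bool   # True when the payload fits the buffer
    spare: int   # bytes left over in the buffer (negative if too long)


def check_against_buffer(text: str, size: int = BUFFER_SIZE) -> Check:
    """Unescape `text` and report whether it fits a `size`-byte read."""
    payload = unescape_literal(text)
    return Check(payload, len(payload), len(payload) <= size, size - len(payload))


# Constructed sample in shell-storm's quoted, multi-line layout: four NOPs and
# an int3 breakpoint. This is a harmless stand-in, not shellcode from the site.
SAMPLE_LITERAL = '''
"\\x90\\x90\\x90\\x90"
"\\xcc"
'''

if __name__ == "__main__":
    result = check_against_buffer(SAMPLE_LITERAL)
    print(result.payload.hex(), result.length,
          "fits" if result.fits else "too long", "spare:", result.spare)
```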