What's up YouTube? My name is John Hammond. This is another picoCTF 2018 video. The challenge we're looking at is called Echo with a couple extra e's. It's about 300 points in value in the Binary Exploitation category, and the challenge description says: this program prints any input you give it. Can you leak the flag? Connect with this netcat service. And we're given the source code and the binary.

So if we want to, we can just go ahead and create a simple little netcat connect script (a .sh file). Cool. Mark that as executable, and then if you want to you can connect just like that. It will tell us: time to learn about format strings; we'll evaluate any format string you give us with printf; see if you can get the flag. So if you wanted to, you can download the binary and the source code here. I'll just download the source code, because it would be good to see what this is actually made of, and let's open it up in Sublime Text.

Okay, so now we've got the main function. That goes ahead and sets up a buffer for us with standard output, reads in a buffer, or actually reads the flag, gets the flag pointer, etc. And it looks like it will set the effective user ID so that it'll be able to read the flag file on the actual shell server, because they're going to use that to only allow access to the file if you were to log in through this binary. So then it goes ahead and, sorry, it goes ahead, wow, I can't seem to say those words today, creates the memory allocation for these variables here, the flag and the buffer, opens up the flag file, puts it as part of the flag variable, and that's accessible on the stack, right? That is actually read, so the flag variable is something that we can access if we control the stack.
And thankfully we do, because of this format string bug and vulnerability. printf is a vulnerable function, right, if you don't give any other arguments or any format specifiers following someone's input that you can control. So if you Google this there's plenty of resources on this format string vulnerability. I think OWASP and Code Arcana, I think that's it, Code Arcana, might be the best explanation of it, or at least showcase a hardcore bug in which case you can write values on the stack, or write values to any location in memory, and eventually give yourself a shell.

So at the very, very core, right, the format string attack is based off of the format specifiers that the printf function would expect. Given anything here, you can actually see on this chart and this table, and there are plenty of references for this, but if you were to enter %p whatever is displayed would be returned as kind of an external representation of a pointer, or %d for a number or decimal, %x for hexadecimal, etc., and %x, or I'm sorry, %s for a string. So we won't always be able to see %x, I'm sorry, %s, really, because sometimes we can't represent that data that we're looking at as a string and the binary might go ahead and segfault.

Let's go ahead and try that. Let's actually just download the binary, or you can run on the shell server, whatever you are more comfortable with. I think the binary will be a little bit easier in our case. We will just download it and mark it as executable, so when we run it we can work with it. Let's create a fake flag file though, because it will need something to actually work with. So let's do "please subscribe". Cool. Now we can run this. Let's say we wanted to get anything returned back at us. That's what printf will do.
But if we were to use those format specifiers with no other arguments given in the source code, what it's going to do is it will leak up the stack, because it's not expecting any other arguments that would be formatted in the source code. It's just going to reach upward to something that's not there and keep reading back into memory. So if I were to use that %x you can see, okay, I'm getting some numbers here; %p maybe, right, 0x40, and I can do this as much as I would like, and you can do this to literally leak up the stack. So very, very cool, right, but we want to get %s, right, or a string, because we know the flag is going to be read in as a string, but we want to get it at whatever location, because if we were to keep trying %s%s%s etc. etc. we're going to get a segmentation fault regardless at that very, very first one. So we want to kind of pinpoint what it is that we're looking at and how we're going to leak up the stack.

Now you can do this in a very cool way. Maybe the printf man page will show how you can get a specific number. Guess not. Probably some other notions; might want to see if this page actually explains a little bit. Nope. Okay. How about this? Just trying to showcase how you can do your research. You can learn a little bit about it, because yes, while you can print %s over and over again, or %x, you can also just say I want a specific location on the stack, this many pieces in. So that's talking about writing with %n. Let's say Code Arcana. This is the article that I was mentioning earlier that just talks about how you can take advantage of this to fully write onto the stack, right, in the memory, and then essentially get a shell. So super cool. But what I wanted to showcase is how you can say, yeah, I want a specific position, maybe 10 characters in. So if you were to reach the 10th argument of printf, or whatever the case may be, you would use the percent there.
Percent before the number, and then a dollar sign following, just preceding the format specifier that you actually want to use. So I could run this again, and we saw 848647 on the third %x. So if I were to say %3$x, now only this will be returned. So awesome. We can take advantage of this now to leak out potentially all the strings. So let's write a loop, or write something that will actually do this for us. I'll create a Python script that will handle it, because we are going to be connecting to the remote service so you can actually get the flag.

Let's do from pwn import *, context.log_level = 'critical', so that way we don't get that annoying "connected" and "connection ended" stuff. So let's do remote(host, port), and we'll say s can equal that for our service or a session, and we'll say host and port is equal to cat connect. Go ahead. Do I, do I have xclip yet? I don't think I set it up. I did. Excellent. Heck yeah. So host will be that string here, and port will be the number following it. Now s.close(); once you're connected to it we'll do s.recvuntil() that prompt here. Let's print all that out. And now when we run python 8, context.log_level, my bad, a little fast on that. Okay. Now we are all the way to the prompt and we can keep sending it new things. So let's do s.sendline('%x'), print s.recv(), and we get that. Okay. So we've got the response. Let's say if we want it to be %s, we can print this, but we get an error. So okay, is that s.recv() returning to us? We can say if "timeout", or how about, let's say this is a variable right here. Let's say response is equal to this. If "timeout" in response, or dump score is probably better than print, segfault. So we know, okay, we're getting a segfault on this, but let's say we wanted the second string; else we can print what we receive. Okay. Now we're getting some interesting things. Let's loop this, right.
Let's go ahead and keep repeatedly connecting, because who knows if we get a segfault or not. So we will want to continually increase our increments here. So let's just say str(i), and we'll do for i in range, how about 10. So 10 characters up the stack we'll keep leaking and building those out. Let's see how we do: segfault, segfault, etc. And we got picoCTF, format strings are dangerous. So if you want to see what position that was, we can just print i, and let's actually do that before everything, because if I use a comma there it won't give me a new line, but everything else will. So at the eighth position picoCTF will give us the flag; eight positions up on the stack we'll get that information. So if I were to do that manually, right, connect and I use %8$s, we've leaked out the flag that we saw on the stack, because of fgets, and they read it earlier. So that's it. That's awesome. That's how we can do it.

Let's go ahead and just carve that out. Now let's do a simple getflag script. Echo this into connect. Oh, we'll probably want single quotes here, so we don't get, as I keep doing, is it going to keep connecting over and over again? Otherwise I want just a head, tack on, or grep pico. How about that? Yeah, it's going to keep connecting over and over again. So that's silly. We can have our Python shell do it if we wanted, just trying to set up a simple one-liner command that we could just go ahead and say, hey, getflag, and it returns the flag for us. So once we receive until, let's sendline 8. Now that we know that that is where the flag is, we don't need to print any of that. We just need to print the response. python 8. And just like that. All right, let's go ahead and strip out all of that, all the newline characters that came from it. And then we have a simple getflag script. Let's move 8 to getflag.py, mark it as executable, run it redirected to flag.txt. Now that we've got the real flag.
And we can go ahead and put that in our clipboard and submit it for all of those points. So I hope that was kind of cool, hope that was kind of interesting. I think that's an interesting technique: whenever you see a format string vulnerability, you may as well start climbing the stack, just ignoring the segfaults, and just trying to see if there's any interesting strings you can read out. So in fact, if we wanted to, let's actually keep working with that. Well, now we don't have an 8 script anymore, but let's just say 8.py again, and let's bring this up to like maybe 100, or whatever we want to go ahead and leak out. We can keep running this until we see interesting strings, like, who knows, the environment variables on the box that's running, or anything else that you might find valuable on the system. So I think it's always a good idea to try and leak up the stack as much as you can whenever you're given a printf vulnerability. So yeah, see, now you can see we're leaking out the environment variables that are set for that shell. So a very, very cool thing. Maybe some people will hide valuable information in that. So, things to know when you're looking at a format string vulnerability.

Alrighty, thanks for watching everybody. Before I go, I did want to give a quick shout out to the people that support me on Patreon. Thank you guys so much, I cannot say it enough. $1 a month or more on Patreon will give you a special shout out just like this at the end of every video. No, it's not a lot, but hey, maybe your name up in lights for a little bit, just a little quick, good, warm fuzzy feeling at the end of each video to warm your heart up, or stuff like that. I'm grateful for it if you do whatever good Samaritan deed to help a dude put food on the table. Thank you, thank you, thank you. $5 a month or more will give you early access to everything that I release on YouTube before it goes live.
So I'll try and pour the videos that I create, once I have things recorded, into a shared Google Drive folder. That way, when my content is complete, it's all ready and recorded. Normally I'll have YouTube schedule them a couple days in advance if I've got a lot of stuff backlogged and ready to roll. If you want the content right when it's ready, right when it's warm, right when it's hot, that's the best way to do it. Just $5 a month on Patreon, and I am very, very grateful for your support. If you did like this video, please do like, comment and subscribe, join our Discord server, link in the description. It's a cool community full of CTF players, programmers and hackers. And hey, I hope to see you there. Hope to see you in the next video. I love you. Talk to you later.
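As an added example (not the challenge's source and not the video's script), here is a constructed C reproduction of the two printf patterns the video contrasts: the user's line used as the format string, with a flag sitting in a stack buffer, beside the fixed-format version, plus a small checker that recognizes directives such as the positional `%8$s` the walkthrough lands on. The flag value, the buffer sizes and the function names are all made up.

```c
#include <stdio.h>
#include <string.h>

static char out[128];  /* shared output buffer so callers can inspect the echo */

/* Constructed stand-in for the challenge's echo loop: the flag is in a stack
 * buffer (the real program fgets() it from flag.txt) and the user's line is
 * passed as the FORMAT argument, so "%8$s" reads the 8th "argument" off the
 * stack. Compilers flag this with -Wformat-security; silenced here only so
 * the bug can be shown next to its fix. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
const char *echo_vulnerable(const char *line) {
    char flag[64] = "picoCTF{constructed_placeholder_flag}";
    snprintf(out, sizeof out, line);   /* BUG: line is the format string */
    (void)flag;
    return out;
}
#pragma GCC diagnostic pop

/* Fixed version: constant format, the line is data only, so "%8$s" is
 * echoed back as four literal characters instead of dereferencing the stack. */
const char *echo_safe(const char *line) {
    snprintf(out, sizeof out, "%s", line);
    return out;
}

/* Returns 1 if the line holds a printf conversion directive, honouring "%%"
 * as a literal percent and the optional positional "N$" prefix. Handy for
 * spotting probes in service logs; it is not a substitute for echo_safe. */
int has_format_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }              /* "%%" prints '%' */
        const char *q = p + 1;
        while (*q >= '0' && *q <= '9') q++;              /* positional index / width */
        if (*q == '$') q++;
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q)) q++; /* flags, width, length */
        if (*q && strchr("diouxXeEfFgGaAcspn", *q)) return 1;
    }
    return 0;
}

int main(void) {
    printf("safe echo of %%8$s : %s\n", echo_safe("%8$s"));
    printf("probe %%8$s ? %d\n", has_format_directive("%8$s"));
    printf("probe 100%%  ? %d\n", has_format_directive("100%"));
    return 0;
}
```

Note that printf itself treats "% d" (space flag, then d) as a directive, so the checker reports "100% done" as a probe; that is printf's grammar, not a false positive.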