What's up everybody, John Hammond here, wanting to showcase more of the Google Capture the Flag competition, some of the beginner's quest challenges. Before we jump in, I wanted to showcase and shout out LiveOverflow, another awesome YouTuber who does some of the same kind of stuff that I do. He was willing to play some of the Google Capture the Flag with me. We took a look at some of the harder challenges that were in the real, actual set of CTF challenges Google CTF was releasing. The beginner's quest is just kind of a side tangent thing. And honestly, a lot of it was over my head. I'll be completely honest, I'm a noob. LiveOverflow took a look at one of the challenges, JS Safe 2.0, and he rocked it. He solved it after a lot of hours of us taking a look at it. So props to him. He does incredible work. Check out his channel, check out his content. Really, really great guy. Hopefully we'll do a lot more CTF-style stuff and hopefully collab more in the future, I don't know.

All right, let's jump into where we left off in the beginner's quest. So this challenge is down here in green. We're getting to some more of the pwn and reverse engineering stuff. This challenge is called Admin UI. I'm not gonna read this entire prompt because it has literally nothing to do with the challenge, as with most of these things. But we'll take our netcat connection and move on. Let's get a terminal open that we can work with this stuff in. I like to work out of a folder for designated CTFs, and I like to make a directory for the challenge that I'm working on. So let's go ahead and create a connect script, because I always forget the host name and password for some of this stuff whenever I'm working with a service in a game. Let's mark that executable. If I could type, holy cow. Okay, and we are in, we are connected. So we get this little service, this little program we're talking to here, and it's a management interface.
We've got some options: service access, read EULA and patch notes, and three, quit. So let's check out what the first option is. Please enter the backdoor service password. Anything. Incorrect. Okay, the authorities have been informed. Okay, looks like it just logged us right out. Two, read EULA and patch notes. Two, the following patch notes were found, version 0.3, version 0.2, which patch notes should be shown? How about like 0.3? Error, no such file or directory. What? That's weird. That looks like a pretty explicit error. Maybe it needs the full "version 0.3". Yeah, okay, for 0.3: rollback of version two because of random reasons, blah, blah, blah. Okay, so that's filler data. Nothing actually important there. Anything for version 0.2? No, looks like more filler data. Okay, and three will obviously quit. Nothing else we can particularly do.

Okay, so we're not given a binary in this. We don't have anything to really analyze or reverse engineer that easily. I had actually done a little bit of stuff well after I figured out what the issue could be. Because with this read EULA and patch notes, you saw that error that said no such file or directory when I tried to read something that wasn't explicitly listed in here. That's a pretty explicit, like, bash error trying to open a file. So I actually was lurking in the IRC, the internet relay chat, or kind of the conversation with other players. And that's a pretty stupid, evil, cheap tactic, but it happens all the time in CTFs. And I talked to someone who was working on the same challenge, and he said, oh, well, you can just do some legitimate file inclusion in this thing. If you really wanted to, you could move up some parent directories with your dot, dot, slash, dot, dot, slash, et cetera. And you can read things that you didn't expect to read, like /etc/passwd. You can see that whole file is leaked for me.
So I did some interesting things where I tried to, like, read out of /proc/self and then actually read out the executable. And I was able to literally dump the binary like this, and I used that for some reverse engineering because I was able to get that and download it all. And I might show that, because I ended up writing a Python pwntools script for that. If you guys would like to see that, please say the word, but that's not how I ended up getting the flag here. In this case, all you have to do is do a parent directory and flag. And out it pops: CTF, I love buggy software. That was the flag for this challenge. Kind of cheesy, kind of dumb. I don't know how that could be guessed, or I don't know particularly how, maybe, what would have pointed me to that. But after all my reverse engineering tactics, when I was trying to figure out how to get into the backdoor service password, or after I tried to dump strings that might have interesting things in this binary, nothing really happened. So I got something else with that, the up parent directory and flag, things that we know to test and try for. But let's note that it's flag.txt.

We could, if we wanted to, create a get flag script for this, because this is a little Python connection. And let's do that, actually, just for kicks. Let's call it 8.py. And I will zoom in on this just to add some more weight to this video. Let's import pwn. I want to cat out the connect script just so I know what I'm connecting to here. Okay, I like to steal that and use that. Host equals this, port equals this, and that should be a number, not a string. Let's actually do it from pwn import *, so I can do a real easy remote(). So I connect to it with host and port, s.close(), create this window when I didn't have to, chmod +x 8.py, run it. Okay, we got the connection.
If we wanted to remove that boilerplate stuff, we can do context.log_level, set to critical or something, so we don't see all those notifications, like trying to open a connection and close a connection. And we can print out s.recv() if we wanted to. So we're getting all that content. Let's see where we go. Okay, s.sendline two, so we tell it that we want to read some of those EULAs. We can see the following patch notes, which version would you like? Let's sendline that exploit, quote unquote, totally not an exploit, obviously not a real exploit, but the little bug or technique that will get us the flag, and just like that. So let's remove all these print statements. So we're still receiving the data. It all comes in sequence, but all we care about is the flag. So I can move 8.py to get_flag.py. And then when we run get_flag.py, boom, we pump out the flag. Awesome. Let's throw that into xclip, running get_flag.py piped into xclip. And we can submit that in our web browser for points, or no points, because beginner's quest doesn't have any points because of the rules. But now we can mark this challenge as complete and move on.

So thank you guys for watching. Hope you enjoyed this. I didn't have to, I didn't want to cover a whole lot of what that binary really was, but if you would like to see me try to write that pwn script, or that Python pwntools script, to actually, literally pull the binary from /proc/self, there's a lot of really cool stuff in /proc/self. I couldn't read the command line, but I was able to read exe. I also looked at things like the environment variables, but there was nothing particularly interesting in there. And I can get into more of that if you'd really like me to, but pwn, I'm sorry, pwntools and that script was able to let me pull exe and literally rip out the binary, which was neat. So, hey, thank you guys for watching. Hope you're enjoying these.
Special shout out again to LiveOverflow, check out some of his content, check out some of his videos, and hopefully we'll be able to do more stuff in the future. If you liked the video, please click that like button. If you'd like to leave me a comment, let me know what you think, please do that. And if you're willing to subscribe, that'd be awesome. So thanks again. See you later.
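The bug the video leans on is a path traversal in the "read EULA and patch notes" handler: the service appends whatever version string you type onto its notes directory and opens the result, so "../flag" walks out of that directory. The following is an added Python example, not the challenge's server code and not the script from the video. It rebuilds that handler as it evidently behaved, puts a hardened version beside it, and runs both against a throwaway directory tree. The directory name "patchnotes", the note contents and the flag text are all constructed for the example; the real service's layout is unknown beyond the error message and the two versions it listed.

```python
"""Path traversal in a menu-driven "read patch notes" handler, vulnerable and fixed.

Added example; not code from the video or from the Google CTF challenge.
The notes directory name, file contents and flag value are constructed here.
"""
import os
import tempfile

NOTES_DIR = "patchnotes"   # assumed name of the directory holding the EULA/patch notes


def build_fixture() -> str:
    """Create a throwaway tree: <base>/patchnotes/{0.3,0.2} and <base>/flag."""
    base = tempfile.mkdtemp(prefix="adminui-")
    notes = os.path.join(base, NOTES_DIR)
    os.mkdir(notes)
    with open(os.path.join(notes, "0.3"), "w") as f:
        f.write("0.3: rollback of version 0.2 for random reasons\n")
    with open(os.path.join(notes, "0.2"), "w") as f:
        f.write("0.2: more filler\n")
    with open(os.path.join(base, "flag"), "w") as f:
        f.write("CTF{constructed_flag_for_this_example}\n")  # constructed, not the real flag
    return base


def read_notes_vulnerable(base: str, version: str) -> str:
    """What the challenge evidently did: join the user string and open it, no containment check.

    Asking for an unlisted name surfaced the raw 'No such file or directory' error,
    which is what hinted that the input reached a plain open() on a path.
    """
    path = os.path.join(base, NOTES_DIR, version)
    with open(path) as f:
        return f.read()


def read_notes_hardened(base: str, version: str) -> str:
    """Resolve the requested path and refuse anything that leaves the notes directory."""
    notes_dir = os.path.realpath(os.path.join(base, NOTES_DIR))
    target = os.path.realpath(os.path.join(notes_dir, version))
    # commonpath() is the containment test. A bare startswith(notes_dir) would let a
    # sibling such as "patchnotes_evil/" through, and realpath() also collapses
    # "../" segments and symlinks before the comparison is made.
    if os.path.commonpath([notes_dir, target]) != notes_dir:
        raise PermissionError(f"refusing to read outside {NOTES_DIR}: {version!r}")
    with open(target) as f:
        return f.read()


def demo() -> dict:
    """Exercise both handlers with a legitimate version and with the traversal string."""
    base = build_fixture()
    results = {
        "legit_read_works": read_notes_vulnerable(base, "0.3").startswith("0.3"),
        "traversal_leaks_flag": read_notes_vulnerable(base, "../flag").startswith("CTF{"),
    }
    try:
        read_notes_hardened(base, "../flag")
        results["hardened_blocks_traversal"] = False
    except PermissionError:
        results["hardened_blocks_traversal"] = True
    results["hardened_still_serves_notes"] = read_notes_hardened(base, "0.2").startswith("0.2")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The client half of the video's get_flag.py is the same two inputs sent over the wire: with pwntools, remote(host, port), sendline(b"2") to pick the patch-notes option, sendline(b"../flag") as the version, then recv() for the flag. The server-side fix is the part worth remembering: canonicalise first, then check containment, and only then open.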