What's up everybody, my name is John Hammond and welcome back to some more PicoCTF 2017. This is level two in the binary exploitation category challenges, called flagsay-1, for I think 75 points... oh, 80 points, nice. It says: "I heard you like flags, so now you can make your own. Exhilarating! Use the binary given here and the source code," and connect with a netcat command for a host and a port. The hint here is "system will run exactly what the program gives it." So, with a little bit more context: I've already got all the stuff downloaded. I just again wget it into the current directory I'm in, and then we can go ahead and check out the source code for this binary, binary.c. So it defines a bunch of kind of set constants here. It gives us a string, kind of an ASCII art of, say, a flag picture, and it says command base being a string with /bin/echo and then a percent sign s. So, as we saw in the previous video, and as we've just kind of come to learn within C and programming, this is a format specifier for the printf function. So it's going to expect another string to follow this, and that will place it inside these quotes here, double quotes you can see being escaped with a backslash, and then just an escaped newline character, backslash n. And so it tries to place it in the flag with this place in flag function, that doesn't look like it has anything too particularly vulnerable or odd.

It will just add segments of text into the flag over and over and over again until it puts in a new line, etc. The main function just receives your input with malloc and it's using free, so it's kind of handling memory on its own. Maybe we could have something, maybe if there were a rabbit hole to go down, just exploring how it's handling the memory and working with these variables. But that's not the clear example and the clear-cut solution that we're looking for. The payload and the exploit here actually do not come from the binary itself, so you don't want to consider this too much of a pwn challenge, or like a real binary exploitation challenge. It's really how it's handling the commands that it's running with system. This command base string doesn't seem to sanitize the input whatsoever, so maybe we could make it run other commands, since it's simply running system with that command. With sn... it's not using printf in this case, but it's using snprintf to actually put segments in there, with the length of what we've seen, with what we enter as our inputs and the new flag that's gonna work with. So that's enough of me talking, let's go ahead and try this out. If we actually run the connect script, you can see that I can just type anything, and it says "Please subscribe lol patreon discord humble bundle #sellout", and it says, oh cool, "Please subscribe lol patreon discord humble bundle", and it's filled inside this flag. And it's doing this because it just ran through the echo command, as we saw in the source code here. But what's to stop us from trying to break out of these quotes here, the string? Like if I said John says "Hello there", let's see. You can notice that our double quotes here, to denote a string, aren't being processed, because they're being considered as part of the command. So we could actually kind of start a new command, because in bash, just as we've done before, like if we wanted to try and do something else inside of one single line of how we're trying to connect to something, or while we're trying to run commands on the bash command line, you can separate them with a semicolon. So let's try "anything" to have some content in the string, and let's use our ending double quote to break out of the string. And now we've essentially ended that echo command, because we're replacing their ending string, ending quotation, with ours. And we can just use a semicolon and say something new, like id, maybe run the id command. We can try and hit enter and get this to execute, and you can see we've successfully ran the id command. There's the output right there, and bash is actually trying to interpret the rest of the flag; it's getting permission denied, trying to do some things. So if we wanted to, we could just actually comment it out with a hashtag there... and took some time. Okay, I don't know why I'm getting different answers for... or maybe it's trying to process something with the "anything". So maybe just ending the string immediately with the quotes will work just fine for us. Anyway, let's start to try and poke around the file system here. We could just end the echo command again, start a new command, and try and run ls, and you can see, okay, this is the contents of the directory. It's as if we just ran ls on their server. You can see the flag.txt is right there. So let's try it again: end our string and the echo command with the semicolon, start a new command, and just cat flag.txt, and then comment that out. There it is. There is the flag. If we wanted to, we could write a get flag script for this in Python with pwntools, or just keep track of this flag, go ahead and submit it. And of course your flag will be different than mine, because it's kind of PicoCTF programmatically generated ones. But that's it. That was that challenge, not too hard, just kind of noticing that it's not the binary that we're exploiting right here.
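As an added example (not code from the video or the challenge's own source), here is the command-building pattern the video describes, reconstructed from the transcript, next to a hardened alternative and a small metacharacter check. The `COMMAND_BASE` template follows the description; `echo_without_shell` and `contains_shell_metachar` are hypothetical defender-side functions, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Command template as described in the video: the flag text is substituted
 * for %s between double quotes and the result is handed to system(). */
#define COMMAND_BASE "/bin/echo \"%s\"\n"

/* Vulnerable construction (reconstructed from the transcript, not the
 * challenge's literal source): snprintf only bounds the length, it does not
 * neutralise quotes or ';', so a closing quote ends echo's argument and the
 * shell treats whatever follows as a second command. */
int build_shell_command(char *out, size_t outlen, const char *flag_text) {
    return snprintf(out, outlen, COMMAND_BASE, flag_text);
}

/* Cheap defender-side check for bytes that can break out of the quoted
 * argument: quote, backquote, $, ;, |, &, newline. Returns 1 if any is found. */
int contains_shell_metachar(const char *s) {
    return strpbrk(s, "\"`$;|&\n") != NULL;
}

/* Hardened alternative (hypothetical fix): skip the shell entirely and exec
 * /bin/echo with the text as a single argv entry. execv passes the bytes
 * verbatim, so '"' and ';' are printed, never interpreted. Returns echo's
 * exit status, or -1 on failure. */
int echo_without_shell(const char *flag_text) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "/bin/echo", (char *)flag_text, NULL };
        execv(argv[0], argv);
        _exit(127);            /* only reached if execv itself fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *input = "anything\"; id #";   /* constructed sample input */
    char cmd[256];
    build_shell_command(cmd, sizeof cmd, input);
    printf("what system() would receive: %s", cmd);
    printf("metacharacters present: %d\n", contains_shell_metachar(input));
    return echo_without_shell(input);         /* prints the raw text instead */
}
```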
We're just taking advantage of the system command and how it's not properly being sanitized with our input. We can just kind of do some command injection to break out of their echo command and start to run our own.

At the end of every video I like to do a quick shout out to all the people that support me on Patreon. I haven't actually said everyone's name in a long time, so I'm gonna try and do it. I'm gonna butcher everyone's name. Let's see how we do. Let's see: Spencer Clark, Gal Horowitz, Zoke Attila (I'm so sorry, that's the one that always gets me), or Galathean, really destroy a world's bastion of terror, Jan Grubb, Timothy County, Jacob H, Roffel but with a one, R1FL, Thomas Rogg Dacus (I know I'm gonna say like Rogg, Rogg at this, or something wrong, whatever, you're the best), JD ton, Maurice Contaro, it's Ben squeanie, William Whitcomb, Justin Mann, Kimbo, nil pixel, rich Smith, I ricks, then I ricks vene, I'm sorry, Hasid Kureshi, I'm sorry, Eagles moto, Sherboon sim, Silox, Dave West, Miguel la house muneaus (I don't know how to pronounce that one, I'm sorry), mid-zig, make Meg Zigg, Meg Zigg, yep, batch you, but you, Christopher Skogen, Christa, William Sklar, William Overton, Paul and Brewer, Kaboom authors, Arthur Zuck, Arthur Zuck. This is, this is bad, man. I'm sorry everyone. You're still my favorite. Super caught, I'm gonna assume, I'm not actually saying the letter, the numbers in that, Troy master and Richard Fernandez, Oscar, oh, this is a bad one, Cice Lewis, Cice Luix, that accent is probably doing something crazy. I'm sorry.

I'm butchering everyone's name. Joseph Igric, Jal Rodriguez, tracks, Tom Argaman, please sub, Nabrook and lax, Jekyll. I'm just completely sorry, I literally butchered everyone's name and that, that was bad. But hey, $1 a month on Patreon will give you a special shout out just like this, where you too have the opportunity for me to butcher your name and say it completely wrong. So if you'd like that, hey, just $1 a month, special shout out, some feel-good feels, it's, it's nice. $5 a month on Patreon will give you a special shout out... it will not give you... it will give you a special shout out, but it will additionally give you early access to all the, everything that I record and put on YouTube, or at least I'll try to, because I like to record things in bulk and then gradually let YouTube release them on kind of like a scheduled, maybe a day-to-day or whatever, timeline that just kind of spreads it out a little bit, so one person that subscribed doesn't have 20 plus notifications that have released a crapton of videos all at once. So whatever, if you don't want to wait, Google access, it's a shared Google Drive folder and it's early access to some of the videos that I put together. Thanks so much for watching guys, I hope you liked this video. Please do like, comment, subscribe if you did, join our Discord server, link in description. This has become a very, very long outro and I'm so sorry. I'm just gonna leave right now. See ya.