What is going on everybody? My name is John Hammond. We're looking at PicoCTF 2017. We're in the Binary Exploitation category on level one, and now we're checking out the Just No challenge for 40 points. It says: a program at this file location has access to a flag but refuses to share it. Can you convince it otherwise? Hint: check out the difference in relative and absolute paths. Yeah, okay, cool. Let's do it.

Run our shell script to connect to the server, change directory into that location that we just pasted there. Looks like we have... what is all this? auth, whatever that is, the flag file, which we can't read, justno, the binary, the program we're trying to run, and justno.c. Okay, cool. So we have the C source code. We can cat that out just to... whoa, cat of the binary, my bad. Cat out justno.c and we can see a little bit of source code here, so we can understand how that binary works, how it was written.

Okay. Includes a bunch of libraries to do interesting and cool things in C. Has the main function that looks like it tries to open up a file object, authf. So by the way, if you don't know C or you don't know the programming language, that's okay. Thankfully programming languages are enough of English that you can hopefully make sense of some of it if people are good and name their variables accordingly, so we'll walk through it and hopefully you'll be able to piece it together. C is awesome, and we can gather or put together the pieces of some interesting C library functions if we need to, but I think we'll be able to get through it.

So it opens up the file authf here: access the auth file in parent directory, parent directory. So they're using relative paths here. Okay, and that's interesting to note because of the hint. If it could not read this, it could not find the auth file in all of this, blah blah blah, returns. Your character flag... it's fclose. So it's trying to read out of that file into a variable, auth, a string, a character array of eight characters, so it determines if it has the word "no" in it. If it's not equal to "no", it will give you this, which is the flag, right? Okay, read the flag file. Perfect. Now that's using an absolute path, so that should give you the real flag, and it reads out of it and it says okay, so that will print out the flag. We just have to make sure that the auth file says something other than "no". fclose. flag, help, auth file says "no", so no. Just No.

Okay, so we try and run this justno file, the binary, the program, and it says it won't let us read it because that auth file says "no". Okay, so how can we make this work? Well, keep in mind we have that relative path that they're trying to use to determine the auth file. So what's to stop us from faking this, like, you know, this actual architecture, this system path, this file system setup? It says here in the hints: can you spoof another auth file that it looks at instead? So we certainly can, but because this program itself, when it's moving up a directory, up a directory, it moves out of the hash-like file name folder and out of the problems directory. So we'd have to put this program somewhere else. Can we? Well, we did that in the last video. We made a directory in a temp directory that we were able to work with, so john in our case. So dummy1 and dummy2 can be other folders that we want here. Let's mkdir -p, so it will make all the parent directories, so even if dummy1 doesn't exist it will go ahead and create it if we want dummy2, and that works just fine.

So can I copy this justno binary into that location? Oh, it looks like I was able to. Okay, so let's cd into that now. Now I can run justno and it couldn't find an auth file in parent directory, so it moves out of dummy2, parent directory again, so it moves out of dummy1. So we need to create the directory problems and this hash, whatever yours might be, out of our directory that we're working with. So let's do that one more time.

Let's get this problems stuff all here, copy that, cd up, up, so we can move into the parent directory, and let's mkdir -p all this stuff. So now we can create an auth file in that location that looks identical to the other one. Just auth is the same file name, but we can make it say something like "yes", or even better, and since it doesn't say "no", according to the program it should be able to just run that for us, right? So dummy1, dummy2: we could have even just created this directory path. We don't even need dummy1, dummy2. Let me show you what I mean. If I just copy justno into that problems directory that we made, since we had access to that directory, since we can create our auth file in there, that'll work just fine for us. Now let's run it. justno: segmentation fault. Oh, okay. Looks like it didn't like that. Hmm. Maybe copying it is not the solution that we wanted. We could instead create a symbolic link to it, right? Kind of like a shortcut in Windows. If you haven't seen symbolic links before, you can check them out with ln, so that's the command to create a symbolic link. I've done that before in some of the Leviathan series for OverTheWire, that wargame. I have videos on that if you'd like to see more use cases of symbolic links. But it will essentially create a shortcut, or kind of not really a copy of the program, but just referring to that program in another location. So let's not have that justno location anymore, but now let's create a symbolic link to the real justno binary and put it here. Okay, so now we have justno and that's a link to the other binary here. If I run that it says okay, awesome, the auth file doesn't say "no" anymore, so here's the flag. Cool. That works just great for us, and now we have the flag saved. Let's mkdir justno in our own notes here so we can save a copy of the flag. "Flap", no one saw that. Cool, and just like that we are done with that challenge. Not too easy to script this.
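The relative-versus-absolute path point from the walkthrough, as an added C example that is not the challenge's source code: it resolves a path of the same shape as the program's `../../problems/<hash>/auth` from two different working directories, which is why a user-made copy of the directory tree gets consulted, and then shows the check a defender would add (trust only an absolute path that still lies under the expected directory after normalization). The hash `deadbeef` and the directory names are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>

/* Join cwd and rel, then collapse "." and ".." lexically (no filesystem access).
 * An absolute rel ignores cwd. Writes the result into out; returns 0, or -1 on overflow. */
static int resolve_path(const char *cwd, const char *rel, char *out, size_t outlen) {
    char work[1024]; const char *parts[128]; int n = 0;
    if (snprintf(work, sizeof work, "%s/%s", rel[0] == '/' ? "" : cwd, rel) >= (int)sizeof work)
        return -1;
    for (char *tok = strtok(work, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) { if (n > 0) n--; continue; } /* ".." above "/" stays at "/" */
        if (n == 128) return -1;
        parts[n++] = tok;
    }
    if (n == 0) { if (outlen < 2) return -1; strcpy(out, "/"); return 0; }
    size_t used = 0; out[0] = '\0';
    for (int i = 0; i < n; i++) {
        size_t len = strlen(parts[i]);
        if (used + 1 + len + 1 > outlen) return -1;
        out[used++] = '/';
        memcpy(out + used, parts[i], len);
        used += len;
        out[used] = '\0';
    }
    return 0;
}

/* Defensive check for where the auth file may live: only an absolute path that
 * still lies under expected_dir after normalization is trusted, so neither the
 * caller's cwd nor ".." segments can redirect the lookup. Returns 1 if trusted. */
static int auth_path_is_trusted(const char *cwd, const char *path, const char *expected_dir) {
    char resolved[1024];
    size_t dl = strlen(expected_dir);
    if (path[0] != '/') return 0;                        /* relative path: reject outright */
    if (resolve_path(cwd, path, resolved, sizeof resolved) != 0) return 0;
    return strncmp(resolved, expected_dir, dl) == 0 && resolved[dl] == '/';
}

int main(void) {
    const char *rel = "../../problems/deadbeef/auth"; /* constructed: shape of the program's relative path */
    char out[1024];
    resolve_path("/problems/deadbeef", rel, out, sizeof out);
    printf("run from the real directory : %s\n", out);
    resolve_path("/tmp/john/problems/deadbeef", rel, out, sizeof out);
    printf("run from a user-made copy   : %s\n", out);
    return 0;
}
```

The same relative string lands on two different files purely because the working directory differs; the hardened check never consults the working directory at all.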
It's not an easy one-liner. We can probably do it if we do a bunch of commands through the shell thing, but that's just silly. We don't have the prowess right now to be able to automate some SSH connection stuff. We can do that later with Python and Paramiko and pwntools and other cool stuff if we really want to, but I'll need you to bang on doors and leave me comments yelling at me to do that.

So hey, thank you guys for watching. Hope you enjoyed this video. I hope you can pardon whatever stupid mistakes I made, but I want to give some shout-outs and love to the people who support me on Patreon. So all of these individuals are the greatest people in the world, and thank you for existing. Really, all jokes aside, you guys are fantastic. Thank you so much for your donation and support. Every little bit helps inspire me, motivate me to make great things and continue to do this stuff. So one dollar a month on Patreon will give you this shout-out at the end of every video. $5 a month on Patreon will give you early access to stuff that I create, early before it gets on YouTube, because I normally record in bulk and then have YouTube gradually release them day by day. Hey, if you liked this video, please do press that like button, maybe leave me a comment, maybe subscribe, and if you want to support me, check me out on Patreon and my website, JohnHammond.org. Thanks, later.