What's going on everybody? John Hammond here with another picoCTF video, and we're looking at handy-shellcode for 50 points in the Binary Exploitation category. This program executes any shellcode that you give it. Can you spawn a shell and use that to read the flag.txt? You can find the program in this location on the shell server, and we're given some source code.

So this is the first challenge where we're actually going to get into the shell server, because if we were to read a flag testing it locally with our own copy of the binary, it would just be able to read a flag.txt on our computer, which means that we would need to supply our own testable flag.txt. So that wouldn't really work for us. We want the real flag that's going to be on the remote server for picoCTF. So let's jump over to their shell. You can access that on the very top tab of the webpage here. If you're using it for the first time, you simply need to log in with your username and then you'll have to enter your platform password. But using it in this web shell is stupid and dumb and dumb and stupid. So what you can do is actually just do this with the regular SSH clients, which I have here. Holy cow, I have all the solutions already shown.

So let's start by making a directory for ourselves for this current challenge that we're working on, and let's SSH with our username to that shell, shell1.picoctf.com, that we could just copy there. You might need to accept whatever RSA key they're actually asking for, log in with your password, and then we are on the box. So let's grab that location that they have here for us. It's kind of a long string, so I'm just going to highlight that and copy it. Let's cd into that directory. And if we check out what we're working with, we have vuln, which is the actual binary, and we have vuln.c, which is the source code for that, which we can check out, and the flag.txt that we cannot read. You can't just simply cat flag.txt.
We have to do it through the vulnerable executable. So let's check out the source code just to get an idea for what it actually is: vuln.c, and I'll pipe that to less so we can actually look through it. We don't have syntax highlighting because we're just catting this. Maybe we can nano that, or vim. Let's try that. There we go. Okay, a little bit more syntax highlighting for us.

We include some typical preprocessor definitions and libraries that C would use. We have this vulnerable function here, void, so no return type. It will run gets, which is the dangerous function that the man pages advise you to never ever run, and it will simply puts to display it out on the screen. And it's using that with a buf variable that's seemingly passed in as an argument, which we can see is actually used down here in the main function. That size is defined up here again in this preprocessor definition, 148. So that is going to limit our shellcode to that size. But since we're using gets, we could very well overflow if we particularly needed to. We don't in this case, because it's just going to create a little function pointer to actually execute that code as if it were real code. So what we can do is just craft and generate some shellcode, or machine bytes and opcodes and instructions, to actually run our own code and make this program do something else that it wasn't intended to do. That's the usual use case for shellcode, at least. So let's do that.

I'll jump out of vim here. And we can actually do that with Python and pwntools. And thankfully for us, the pico server also already has pwntools installed. So we can simply import pwn and then we have that available to us; we can work with it. If you want to check out the documentation for it, you could do it simply in the help function within Python, or you can track it down online.
And I'm going to navigate to something that you may not have seen before, but I think I've shown in other videos: you can use pwn.shellcraft to actually have a quick and easy interface that allows you to simply generate shellcode. You need to specify the actual kind of operating system that you're working with. In this case we'll be on Linux, and I'll run .sh as a function call, which will actually give me the assembly information and code to run a shell, a simple /bin/bash. So this gives it to us, if I were to try and print that out, as just the actual assembly instructions. But because we need shellcode, we need the actual opcodes and bytes that we can just pump into the program. So I'll do that by actually wrapping that line inside of pwn.asm, which will go ahead and convert those to bytes here. In the printed form, it doesn't particularly help us. We can't just copy and paste that into the program. We need to actually give it the bytes that the program would read and interpret and then evaluate and execute. Again, we can't just simply echo this into there, because it needs to understand and know what these bytes are, that backslash-x format representation in Python. So we'll have to actually just use Python to pipe that in there. We could copy and paste this whole thing and just have Python print that out, or we could actually use a one-liner: import pwn, run this exact same line, and then grab our shell.

So let's do that. I'll break out of this. I'll use python -c. I'll import pwn. I'll use the semicolon to represent a new command. I'll run pwn.asm wrapped around our shellcraft.linux.sh. And now that's not going to give us any output, because we haven't actually told it to print that yet. So let's go ahead and include that. And now we have that exact same output that we saw, and it's going to be passed through as the bytes that the program would actually need to work with. So let me... I don't like this prompt. It's really annoying.
I'm going to see if I can change that to, like, just a simple space character. OK, cool. So now I have simply our command that we were using before printed out. That's nice and handy for us, but we need to actually bring that to our vulnerable function, our vulnerable program: ./vuln, and it says, enter your shellcode. Thanks, executing now. But we aren't really in a shell. If I brought my PS1 and my actual prompt back to it, you can see I'm not going to be running as that new user. I'm still John Hammond YouTube. I'm not going to be the actual user that we should be when we were running that binary, our hacksports handy-shellcode 2 group. So let's try and capture that shell that spawns for us with a neat little trick, where we wrap our input in parentheses and then include a semicolon and cat, so that our standard input stream will remain open and it's still going to actually be kind of funneled through to that binary there. Now if I were to run id, you can see I'm actually in that group for handy-shellcode 2, and that would give me actual access to read that flag.txt. There we go. So that is our flag. That is how you solve this.

You can do that with shellcraft if you particularly like that, or if you're hunting it down on maybe Shell-Storm, which is an awesome resource for other shellcode resources. They have one included here for /bin/bash. They include the -p so you can kind of keep your environment with you, and you might just need to copy and paste these actual bytes out. You can do that in Sublime Text. I actually have that already here because I was tinkering with it earlier. Paste it in, maybe carve out all of those quotes, carve out all that whitespace, and now you have something that you could just slap in and run. So let's do that just so I am doing what I actually said I would do. Well, now I've lost the location of the shell, so let's grab that, hop back in there. I'll grab that. I'll use python -c to print that.
I'm gonna use my parentheses because I'm used to that Python 3 goodness, and now you can see that is gonna actually give us some bytes to run that bash shell. Let's go ahead and wrap that, see if we can get it to our vulnerable program. It says it will execute, but remember we need to actually capture that shell. So wrap that in the parentheses, add a little semicolon for our cat command following it, and now we keep our standard input open. We can run commands, we can see who we are, and we can cat flag.txt. That's that, that's that challenge.

Shellcraft is a good way to do it natively within Python pwntools, or if you wanna grab that external resource, Shell-Storm is an awesome, awesome thing. Go check out their webpage, see what other interesting things you can do, and shellcraft will even offer some other functions that allow you to do other things, like go ahead and cat a specific file or read it somewhere, password. If you wanna dig through this, it looks like you could specify kind of the architecture if you wanted to. Let's go i386 Linux, and you not only have .sh to run a shell but you can also check out a cat method, or a connect to maybe reach back to maybe a netcat listener that you have set up, or get directory listings, et cetera, et cetera. So that's a cool resource. I hope you can explore it, I hope you can do some cool stuff with this. Thank you for watching. If you did like this video, please do like, comment and subscribe, all the YouTube things. Love to see you on the Discord server, love to see you on Patreon, love to see you on PayPal. We just love to see you, we'll hang out, see you later.