Hello, everyone. This is a video write-up for the challenge Math Whiz, for 20 points, on TJCTF, the recent capture the flag competition. The challenge prompt here is: "The neighborhood math whiz won't stop bragging about the registration form source he coded. Show him who's boss!" So it gives us a netcat command to connect to this remotely, and gives us a binary and some source code. So let's copy these and actually get our hands on them: wget these to download. And if we wanted to create a little connect script to just automatically jump over to our remote source, we can just write a simple bash script and mark that as executable. Easy.

So we have the register.c. Let's go ahead and see what the source code is. Checking this out here, see, C source code: it defines a flag that is, okay, obviously not visible in this case. Creates an input function that does some things to handle input in a custom manner, it looks like. Main function is gathering an admin variable and a bunch of character strings or buffers here: full name, username, etc., etc. Gives us some special privileges for running on the server, flushes in an output for a buffer here, and then we'll work with it, getting input for a full name, username, password, etc. So just registration stuff, it looks like, and if admin is set to something other than zero it will, okay, give us the flag here. Otherwise, it just registers it as normal.

So we can play with that if you wanted to connect to it: full name John, username "please sub", password blah blah blah, etc., etc., nonsense, nonsense. So it will just register as a user account. That's silly. All right, let's start to break this.
I actually need to give some credit to Yiggles Modo, who was awesome and an incredible help for the CTF. Shout out to you, man. I hope we get to do this more and more again, because this was awesome. Actually, he had solved this challenge just a bit before me by simply spamming it. So I think that is the move, that is definitely what we want to go for, and we can do that pretty easily. And we just get it to spit out a flag, because we know essentially we're doing a buffer overflow here.

These variables, these buffers, are bounded by their length here, but this input function that they're using as a custom form looks like it's taking the multiple of the input that we're taking for one or whatever, taking it as a string argument, etc., determining if we actually pass something in; if we don't determine specific characters in there, it'll keep adding it on, and eventually it tries to add in its own null byte in a weird way at the very end. So not the most secure thing, or so we assume. So let's just hammer it. Let's just throw stuff at it and see what we can do.

Let's create a remote session with the hostname that we're working with and the port number supplied for us, `s.close`, and what we can do is we can just simply `s.recv` to see what we're working with here. Let's just print that out. It's the registration form, as we are expecting. Great. So let's just receive again to get the prompt. Good, and let's send stuff. Let's say we want it to be something other than zero. We want our admin variable to be overflowed to something that's just not zero. So literally anything in our case.
I think we could see we could get something true here. Let's go ahead and do that with just a bunch of ones. So I literally sent it "1" a hundred times, and then we would again just receive, etc., as we needed to, and it would move us to the next prompt. So I was pretty lazy when I actually wrote this for real, so I literally just threw it in a while loop, turned the crank and watched it go. And you can see it spat out just there: we overflowed successfully and we got our flag. Dangerous buffer overflows, so peculiar. Just spammed it, threw a bunch of crap at it, and we got it just like that. If we wanted to, we could write a get-flag script, cut this up, but I was pretty lazy where I just turned the crank on that. So let's go ahead and save this as flag.txt. We can submit that and move on.

Hey, I want to give a special shout-out to the people that support me on Patreon. Thank you guys so much, I cannot say it enough. One dollar a month on Patreon will give you a special shout-out just like this at the end of every video. Five dollars or more on Patreon will give you early access to everything that I release on YouTube before it is, like, set to go live. Hey, if you like this video and you want to see more of it, other capture the flag video write-ups or programming tutorials, stuff that I do, please do like, comment and subscribe. Link in the description is to join our Discord server. It's a really cool community of other CTF players; you can tag team with me and other awesome people on games like this, and it's just a cool hangout with programmers and hackers. Sweet. I'd love to see you on Patreon and I'd love to see you in the next video. See you soon.
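
The flaw described in the video, as an added example that is not part of the video or the challenge's register.c: a reader that is handed a length larger than its destination buffer, next to a reader bounded by the destination's own size. The struct layout, the function names, the 16-byte buffer and the 4x length multiple are all assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the frame described in the video: a fixed-size buffer
   with the admin flag stored right after it. Names and sizes are assumptions,
   not taken from register.c. */
struct frame {
    char name[16];
    int  admin;
};

/* Weak pattern: the caller supplies a limit larger than the destination, so
   bytes past name[] land in admin. Writing through a byte pointer to the whole
   struct keeps this model well-defined C. */
static void input_unchecked(struct frame *f, const char *src, size_t limit)
{
    unsigned char *p = (unsigned char *)f;
    size_t n = strlen(src);
    if (n > limit) n = limit;
    if (n > sizeof *f) n = sizeof *f;   /* stay inside the model object */
    memcpy(p, src, n);
}

/* Hardened pattern: the bound comes from the destination itself, the copy is
   truncated, and the terminator is always written inside the buffer. */
static void input_bounded(struct frame *f, const char *src)
{
    size_t n = strlen(src);
    if (n > sizeof f->name - 1) n = sizeof f->name - 1;
    memcpy(f->name, src, n);
    f->name[n] = '\0';
}

/* Returns the admin flag after feeding src through one of the two readers. */
static int admin_after(const char *src, int bounded)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    if (bounded) input_bounded(&f, src);
    else         input_unchecked(&f, src, 4 * sizeof f.name); /* assumed multiple */
    return f.admin;
}

int main(void)
{
    const char *long_input = "1111111111111111111111111111111111111111"; /* constructed, 40 bytes */
    return (admin_after(long_input, 0) != 0 && admin_after(long_input, 1) == 0) ? 0 : 1;
}
```

Compiling the real program with `-fstack-protector-strong` and `-D_FORTIFY_SOURCE=2` adds runtime checks, but the fix that matters is deriving every read length from the destination buffer, as `input_bounded` does.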