Hey everyone, and welcome to a YouTube video where we are starting to showcase some of picoCTF, or pico capture the flag. picoCTF is a beginner-friendly game, kind of more aimed and targeted towards middle school students or high school students. But that doesn't mean that anyone at any age can play. It actually gets kind of tough as you kind of move forward. But the whole point is that it's for learning, it's for fun, and as I mentioned, it is a beginner-friendly game. So throughout this series, I'm kind of gonna take the approach that, hey, you as the person watching, you with the audience, you're a beginner, you're new in cybersecurity. You kind of want to just learn and get your feet wet and expose yourself to as much as you can. So that is the mentality that I'm gonna take, and let's dive in to picoCTF.

I'll try and make this as beginner friendly as I can as we get started here. So I have opened up my web browser. I'm running Windows in this video and I'm using Google Chrome as my web browser, so hopefully that's the same that everyone else might be using. And I'll go to picoctf.com over in the address bar, and it will redirect me to picoctf.org. So that is the website we'll be going to, to jump in here. We will need to go ahead and sign up if we'd like to play, but that's the whole point. We do want to play. picoCTF is all about learning through exploration. Again, it says, hey, aimed for middle school and high school students, but really that means this is very beginner friendly. This is something that anyone can kind of jump in and get started in. picoCTF is excellent. They do this every single year. It's a, normally I think, a week or two-week-long competition, but then the challenges, the infrastructure, everything that you want to play and tinker with is still accessible and available and online. So anyone at any point can jump in and learn and play. It's totally free, and it's a computer security game all about learning, all about practicing, and when the game is on, then, hey, there are some prizes
available to you. But right now we're kind of in the, hey, after the game, we just want to learn and have some fun. picoGym is their platform where, now that the game is over, all the challenges that have been released we can access through picoGym. picoGym does include some challenges from previous years. Right now I want to focus on picoCTF 2021, but for other videos you might be able to find on my channel, that do showcase different challenges from picoCTF. So as I mentioned, the game previously ran from March 16th to March 30th in 2021. But hey, we're just here to have some fun anyway.

So let's go ahead and log in or sign up. If you did want to sign up, you would need to enter your username, whatever you'd like. I'll be a elite haxor, and it has to start with a letter, only containing letters and numbers, do, that's kind of lame. We'll just do a John Hammond Please Sub. Yes. Enter your age group and then an email that you'll be able to go ahead and receive whatever thing at, and then the password that you'd like to specify. I do recommend using a password manager. Right now I'm using LastPass, but you can use whatever you'd like. Fill out that CAPTCHA, and then you'll have to validate your email. But I am logged in already as this John Hammond YT, or John Hammond YouTube.

So if we were to log in, it'll bring us into picoGym, right? So the picoGym interface is super nice. It's pretty easy to understand. In the middle here, there are all these challenges that we would want to tinker with and explore and play. But over on the left, we can filter out what challenges are displayed. We could get into a specific category of a capture the flag. In a Jeopardy-style game like this one, there could be different categories like web exploitation or cryptography or reverse engineering, forensics, etc., etc. Again, the appearance notion here is when that challenge was released, and capture the flag for pico in their series. Again, I want to focus on picoCTF 2021, so I'm going to simply click on that here.
Good enough. Now everything that's displayed in these tiles of cards here for the challenges, they are specific to the picoCTF 2021 game. So we'll get started. We'll dive into the very, very first challenge, which is in the general skills category, for five points, that currently has 10,488 solves. So we're a little late to the punch here, but hey, better late than never. 82% of people liked it, and the challenge is called Obedient Cat.

So if we click on that card, it'll bring down this little modal dialog box. It just displays this challenge here. We can see the author, or who wrote it, and this would be good to know so you could ask for support if you want to jump into their Discord server or reach out and maybe, hey, I think a challenge is broken, or I need a hint, or I need something. That is very, very common in capture the flag, in the, in the scene. So reach out and don't hesitate to be a part of the community if they have a Discord server or something open for players and people to communicate.

The description here says this file has a flag in plain sight, also known as in the clear, and we can download the file or download the flag right here. There are hints accessible and available to us. I will always tell folks there is no shame in taking hints, especially if you're trying to learn, and that's what this is all about, right? We're all about learning here. So don't worry about taking hints. That you just, you want to get exposure, you want to learn. So if you're banging your head against the wall, if you're beating yourself up because you can't solve a challenge or a task that's in front of you, that's okay. Hey, maybe reach out and don't, don't be beating yourself up for a week or a day or whatever, however much of your attention span can hold. Go for the hint.
There's no shame in that. If we want to, we can kind of jump in here. It says any hints about entering a command in the terminal, such as the next one, will start with a dollar sign. Everything after the dollar sign will be typed or copy and pasted into your terminal. Okay. And then, to get the file accessible in your shell, enter the following in the terminal prompt: wget, and this link here is displayed with a long path. And you could use man cat. Okay, so those are commands that we can run.

Before we dive into using the terminal, I kind of want to showcase this in the Windows sense, because I'm understanding that a lot of you newcomers, a lot of the beginners, might be just not spun up in Linux. Yeah, and we'll get into that super duper soon, because Linux is absolutely essential. It is vital to do in cybersecurity work or playing capture the flag. But for now, we're taking this super slow. We're taking this easy. We're going beginner friendly here.

So if I were to download this flag file, you can see now down below it has created this flag, and that will pop into my downloads folder on my computer. I'm gonna click that arrow to show in folder. So it'll bring up this downloads page, and now you can see I have this flag file. Problem is, it seemingly doesn't have a file extension. Windows doesn't know what it is. It's not a text file. It's not a executable file like a program or binary that could run. It's not a zip file. It's not a JPEG or an image or PNG, anything. What is it? Windows, the operating system that you might be using right now, relies on that file extension to really know what the file is and how to associate different programs with it. So if I were to double-click on this flag file, it's like, uh, what do you want to do with this? How do you want to open this file now?
No matter what this file is, if it's a video, if it's an image, if it's a zip archive, if it's a binary executable or a program, if we were to try and open this up in like Notepad, we'd see a lot of non-printable characters or like random gibberish, lots of nonsense, technical jargon and stuff that maybe we don't make the most sense out of. But the characters in that file that are plain text, that are like an English character, like ABCD or numbers 0 through 9, those will be visible, because they'll still be in that file. So even if this were a binary file, we could still kind of take a look at it inside of something like Notepad or a text editor, right? So Notepad is a common text editor that is installed by default right on your Windows computer.

So if I were to simply double-click or open up Notepad, we can see this flag here that's displayed, and this flag is in a standard flag format, which is super important when you're playing capture the flag or you're doing these, these cybersecurity tasks and activities and exercises, because the flag format tells you, hey, this is what you're looking for. This is the key. This is the token. This is the proof that says you've completed this task or this challenge. Now, it's hard if a game doesn't have a standard flag format, because you don't know what you're looking for. If you were to go through a huge amount of files, that a big file system, and you're drilling down to each specific directory or folder, you don't know what you're really looking for, because it could be a random word. It could be a series of numbers. It could be a birthday. It could be anything, right? So it's important for capture the flag games to use a standard flag format, and thankfully picoCTF does that. The flag format is picoCTF with curly braces kind of beginning and ending, and inside of those curly braces is some sort of string or message. In this case, it's a little leetspeak, right?
Hey, sanity verified, and some hex, or numbers and letters at the very, very end going from zero through nine and A through F. We can talk about hex later if you aren't familiar with it, but right now we have a flag and we can submit that for points. We could submit that to solve that challenge, and that's the whole point of capture the flag: solving as many challenges as you can, learning and having fun all along the way. So this is super simple, right? This was very, very beginner. This is a, opening up this file and it just gave us the flag right away. We kind of had to know, or at least decipher, how we could open this thing in Windows. It's not going to explicitly tell us the extension in this case, so we don't know exactly what to open that up with, but we tried Notepad, and now if we were to paste that in, hooray, we've earned five points. That challenge card is grayed out because we have completed it, and you can see a little checkbox right beside that little person icon there.

So that is that. But we did that in Windows, and we didn't exactly know what that file extension was, and all those hints that we were looking at, they kept trying to tell us about some commands to enter into a terminal or in the command line, right? All those words and things we would enter. Can we do some of that? I'm gonna grab this wget command. It's wget syntax. wget is a command in Linux, which is what we'll jump into when we go into that terminal. Linux being completely different operating system, its own distribution stuff separate from Windows, and we can access it all inside of the browser, inside of picoCTF, in the picoGym. Sure, later on we'll set up a virtual machine and we'll really get our hands dirty in Linux. But for now, let's kind of press the I-believe button and let's enter these commands. Again, everything following that dollar sign prompt that they mentioned, that hint number one here. So let's grab, select everything for wget, then right click and copy that, and over in this icon over here.
There's a web shell button. This web shell button, if I click on that, brings us into a picoCTF web shell. So I'll zoom in on this, and it needs to know my picoCTF username, which is John Hammond YT. It needs to be my password also. So let me go ahead and grab that. I am again using LastPass, so I will copy that password and paste it in. See if it allows me in. All right, it does, and now I'm just going to have to go ahead and grab that wget syntax one more time. I'll pop this out, and you can see there's this little pop-out icon here. Oh, and I'm gonna have to enter my username all over again. Paste in my password. There we go. Now I'm logged in.

I hit Control-L on my keyboard. Control-L lets me clear the screen, or I could simply type in the word clear and hit enter. Nice. You can hit enter to get new lines of prompt in the command line and the terminal that we're in, or the web shell. But we want to go ahead and copy this wget command in so we can download something. This command line, this command utility, that will allow us to download from a website. So we'll pass in that HTTPS URL as an argument just following that wget command, the space here to kind of denote it's another argument or parameter. Now if I were to hit enter, there's a lot of stuff that comes down on our screen, but we can see it. Oh, it actually were to resolve that website, mercury.picoctf.net. It connects to it, it sends a request, downloads and saves to a flag file. But where did this flag file go inside of the web shell, inside of our kind of Linux terminal right now, right? Well, wget will by default, with normal operation, drop it in our current directory. Now when I say current directory, I mean where you are in your file system in Linux. Now, we talk about file systems in Windows, right?
There's the C colon and backslashes to get to, like, C, Users, your username, and then your desktop or your documents. In Linux, you have all the same stuff, but it's kind of named differently. You can see in this prompt here, with a dollar sign prompt, my username, John Hammond YT at picoCTF, at the web shell, colon, tilde, dollar sign. Now that dollar sign is the prompt, right? That's telling me, hey, dollar sign is kind of reserved for a normal user. Like an administrator user, like the super user, they would have a hashtag or little octothorpe, the pound symbol, right, to denote that they are the admin. We're just, we're just a plebe, right? We're a regular user. I'm just John Hammond over here in the web shell.

But the current directory is actually noted by this tilde, by that squiggly line. The tilde refers to our home directory in Linux. So the home directory in Linux is actually going to be forward slash home, forward slash your username. Now if you parallel that to Windows, Windows, we had C colon backslash Users, your username. It's a little bit different. So that C colon backslash, that's going to be represented by a forward slash in Linux, meaning the root of the file system, or the beginning start of that tree in the file system. So if I were to actually enter pwd, for present working directory or print working directory, however you want to think about it, that command, as I hit enter, told me I'm in forward slash home, forward slash John Hammond YT picoCTF. So that's my user, right? If I were to type in whoami, that's exactly what it is. That's my user, John Hammond YouTube at picoCTF.

Now in this current directory, we know our flag file is there, but how do we see it? How do we get to it? How do we validate that wget, that command, actually downloaded this file?
Well, we probably want to list stuff kind of in our directory, right? If we were using the Windows Explorer, like kind of we were in our downloads folder, we'd be able to see it right there inside that folder. Well, we can do the very same thing in Linux in the command line by typing in ls. I think of this as like list stuff, but you can think of it however way you want. So in the current directory, wherever you are in the command line, in that path, your tilde right there, we'll hit enter. Ooh, and I have a readme dot text and a flag. The readme dot text, that file might come from the banner that was displayed as we logged in. We can kind of verify that later. But for now I want to focus on this flag file, because that is in fact what we want to be able to see, right, and read, know the value and contents of.

Well, the other hint back in the picoCTF gym here, it told us to run man cat, which sounds really weird, right? Man cat. But man is a command to look for a manual, or manual pages, right? To read the book, to take a look at the textbook as to how a command might work, right? So you would pass it an argument, or a space just following it, to say whatever you want to look up, and that argument, the parameter, is what you supply following that space. So we want to look up the cat command. We could look up man pwd, because we ran pwd just a moment ago, and it tells us, hey, that prints the name of the current working directory. Nice. That put us in the man page. But if I already use my arrow keys to move up and down, left and right if we really wanted to. Q will let us quit. So I just hit Q on my keyboard there. Now if we were to man cat, like that hint told us, it says, oh, this will concatenate files and print on standard output. Oh, so print, it'll, it'll just display it up, right? What does that concatenate word mean, though?
That's, that's weird. Cat, this program, this command, can take multiple arguments, right? So we could display both the flag file and that readme dot text file if we wanted to. We could supply them, again, separated by spaces. But we just want to display out the value of that flag. So let's use that cat command, a space to note a new argument or parameter, and the file name that we want to display out onto the terminal on standard output. Again, running ls, we know that we have a flag file here in our current directory. So if I am not supplying a path or an absolute path, right, we don't have to type in going all the way from the root of the file system, slash home slash John Hammond YT slash picoCTF forward slash. We don't have to do all that, because it'll know it's not an absolute path. We're going to look for a relative path. So the flag file, or any file, relative to where we are right now in the file system. We ran pwd. We're in that tilde, or the symbol for our home directory. So if I were to hit enter here, nice and easy, we'll just cat the flag, and now we can see just that content as we saw in Notepad: picoCTF sanity verify. Nice, that's it.

Now in Windows, I open this up with Notepad. Personally, I really like the text editor Sublime Text.
I know some folks really like Visual Studio Code. I know some Linux guides really like Vim or nano or Emacs. Whatever, whatever, you know, floats your boat. Whatever text editor you enjoy, you're more than welcome to use whatever you'd like. Personally, I just tend to use Sublime Text, and you can find that online if you really wanted to. I'll Google Sublime Text. Okay, I just simply googled Sublime Text, and you go to the website, sublimetext.com. You can download it for Windows or whatever operating system you really want, and get a text editor that you enjoy.

But that's it, you know. We've been talking for a long time in this video, and we covered just some fundamental ideas. But again, hovering over, selecting all this text, we can copy this and just slap it into that little submission box down below. Control-V, I'll use that keyboard hotkey to paste, and we can click submit flag. It says, hey, you solved that challenge correctly again. So that's it. That is the simple Obedient Cat challenge in picoCTF. That, I know, man, for some others that kind of watch my videos, you know, that was very fundamental, and we took like, what, 20 minutes to go through all that. But hey, I do want to treat this as a bare-bones beginner video series, and I hope you enjoy that. I hope you enjoy that style and that structure. If you are just finding my channel now, or you're just kind of getting interested in this sort of thing, then picoCTF is a great way to practice and play. I hope to showcase some other challenges here, but I hope that kind of got your feet wet in Linux in the web shell, and maybe understanding more of kind of what the files look like and the file systems on Windows, whether, oh, I, I got to open this file up in Notepad because it doesn't have a file extension or whatever. But anyway, I hope it was fun. I hope you enjoyed. Please do some of those YouTube algorithm things. I'd love if you could like the video, comment, subscribe, anything, and this was a lot of fun. I think that can, I can wrap it up.
Thanks so much for watching, everybody. I'll see you in the next video. Take care.