Well, it's because we're live streaming, but it just isn't working for you guys. There wasn't time for all of that, guys, they're swamped. Ah, I put that on Yoto. Yeah, that's normal. It's a big profile here. For me there's nothing right now. I just got a little present that I made and installed at the parlogue. So there, go ahead. For 0% on the stream, you need to go to ctf101.nordsec.io and make sure you create an account. And then I'll talk with the people in the audience. Be back, be right back. I'm sorry I'm not looking at you. I'm gonna actually just stop this thing and then share my screen. This should be good. All right. Ben, is there anyone who speaks English on me? Everyone's Francophone. ctf101.nordsec.io. Okay, I'm here. There's not really time for if you're better. You have more time and there's no time. Well, for real, the idea is to wait for you. I give a lot of theory like that. I'm going to spend a lot of time on the society. I'm going to go over the society. I'm going to go over the society, for me it's something that's pretty important. In fact, it's in the mobilization of the society. So I'm confident. Anordsec is an experience, a little bit of time. It's a return we make to execution. Yes, that's it. You need to have a machine in the world. And then you need to make a wallet. So it's still a wallet. It's enough of the door. I don't know how to do it on that. But here, it's here. At some point, we're at 6, 7. We're at 5. At some point, I see there are 5 solves. Well, you know, I won't go any further. We'll move on to the other place. Then, it's very intimate. It's for the intimate stakes. It's good for the stakes. I don't know how to do it. You see what was there from the door. That's what we're going to do without gain. So there, CPS1, CIP, it's a bit of the game of putting in a break. But there's nothing to it.
You have to get into the time. It's all in one go. Now you'll be able to start doing the challenge. Now, CPS1 and CLAOS, it's not how. They're not like them. They're not like them, but they're in the scratching. We're going to appreciate some pretty vulnerable ones for the AmOr, for the AmOr. We're going to put together our waveup! So, as I said in the room, we're going to start with the basics, with Sysadmin, and then we're going to work on the Sysadmin room, on the Forensics and Reverse Engineering room. I'm not able to know whether there's anyone online, so I won't forget you completely; in that case, you should come to the site. I'm sorry for that, in advance. Okay, so we're going to look at SSH. The way we're going to connect with SSH is by using a key. So, is everyone here familiar with SSH? Or have you never heard of it? Familiar? SSH is basically like remote desktop, but for a console. And it's generally for administering Linux systems, but it's also very useful because you can push arbitrary data through a tunnel. We're not going to do the tunnel, but SSH has an important concept. So, instead of passwords, you can use keys. And as an administrator, using keys is very key, but it's the fact that you have enough assurance about the complexity of what's used to authenticate. And we're talking about a complexity of 150-60 bits, with specific cryptography, but it's stronger security. So, it's very simple. You have the host name, you have the port, you have the user name. And then everything is set up for you at the end. So, we're going to try to connect and see what it lets us do. So, if I use that. Now, you can use Windows Subsystem for Linux.
There's an SSH in there now, you can use it. But you can also use PuTTY. So we used the PuTTY format name. PuTTY is a very well-known SSH client. But for the demo, I'm going to use SSH. So, I'm going to remove the trust that I set up before. The host name is a bit... It's because I tested all my challenges yesterday. That's why I have a different way. I'm also going to go into this folder and remove everything. To show you that I'm not coming in having already used it. So we have a clean slate. Now, we try to use it. This is the first time we're connecting. So, SSH is considered trust on first use. Which means the host key is exchanged on first use. So, you could be man-in-the-middled on first use. On first use, you connect to an unknown SSH server. But after you've done the first use... Normally, you've just installed the server. So, you connect to that in the future. But so, once the first use is set. Then, if something in the cryptography changes. Later on, you're going to get a big scary message. A message that says you're being attacked. It's something there in the middle. The secret you exchanged on first use is different. So, for our purposes, in the CTF context. You, basically, you're trying to attack the system. So, you believe it's something else. But here, what we have is that we're being asked for a password. So, we know that a key pair was given. So, now, let's try to use that. So, we're going to download it. So, you start the CTF. You create a folder with the name of the CTF. And then you can put your things in the right places. So, the track is called Sysadmin. I'm going to put the key pair there. And then, let's look at the options.
I want to pass a key pair. So, here we have the identity file. We choose an identity file. Private key for public key authentication is read. So, we're going to try that. It's pretty direct. I'm being a bit annoying here. So, we're going to pass the... And then a link to the SSH key pair. I'm going to try to connect. Oh, I'm getting an error. Unprotected private key. So, SSH is trying to teach you how to do things correctly. It says this thing shouldn't be readable by others. So, it says the permissions are too open. And on Linux, for example, others have been given access to your files. And it doesn't know it's a single-user system. So, it gives me this reaction. So, we're going to change the permission. So, the permission... You know, this is CTF 101. We're going to change the permissions. And that's part of the challenge. You know, it's all good. So, we're going to use change mode. And I like the symbolic way of changing permissions. You can see it at the end, yes? I like the symbolic way, I can... I'm going to put it in place. Ah, I can't, actually. I'll be clear. Okay. So, I like the symbolic way of changing the permission. Because it's super easy to remember, as opposed to octal, like 0644 or 777. So, the fun way, you basically have u for user, g for group, and o for others. That's the permission system you see here, yes? So, the first sequence of 3 is the user. The second sequence of 3 is the group. And the last one is others. Or people, people don't like the world. So, the error I got is that the permissions were too open, they were too permissive. So, we're going to leave group and others with nothing.
Now, with the symbolic way, this is done by saying that the user should be equal to that, and group and others get no equivalent. It's as simple as that. No need to remember the octal stuff. And then, I always forget it. I don't have the intention of the director. And then, the name of the application. So, what happened is that we removed the bits by saying we want nothing for group and others. Now, are we done? No, we got in. We're in the system. Oh, let's list the files. And there's a flag. Look at it. It's a flag.txt. Using SSH and SSH keys is a very important skill. And we have the flag there. Let's try it. Go, we got it. So, let's check how we're doing. OK, OK. So, anyone has, so we're gonna move on to the next one, but anyone has questions or you guys are not set up properly or this is just too easy, you haven't attempted. Don't leave. So, oh yeah, so I'm gonna look at the challenge first, right? Because we need to have a goal-oriented resolve, it's good. OK, so SSH tunnel. It's a very important skill to understand. So, you're gonna leverage the machine that you just gained access to in order to reach another machine behind that machine. This other machine is not available on the internet. And what's written here is that you could try to reach that other machine from the first one. So, the goal is to query a service on the sysadmin service machine, OK? I'm gonna do a little diagram here. So, this is PivotBox and the machine behind is sysadmin service, OK? This is the internet. This is us. So, what we did in the previous exercise is access PivotBox, OK? Now what we are asked is there is a service running here, so a process running here on port 5555. What we are asked is to query that service, OK?
But the problem is that this, so the host name is called sysadmin service, we're gonna try from our, my computer. We're gonna try to access it, right? But this is not on the internet. This is not a global IP address. This is not something that is reachable from my computer right now. OK, well, what about from the server we just got access to, so from PivotBox? Can we access that system? So, let's try to ping it. Oh, I can't. There's no... ping is not installed. Ping is not installed. Can we resolve it? We don't have an nslookup. OK, can we... Is there a dig, another DNS tool? No. Is there systemd-resolve? No. So, basically, I don't know how from that system. It's a very restricted system and it's part of the challenge, OK? This is why we have to learn about SSH tunnels. So, again, back to our little diagram here. So, we did SSH into PivotBox. All good? Did I get you? All right. So, we did SSH into PivotBox. But there is nothing here that gives us the power to reach the port 5555 that we need to reach on this other system. We're not even sure that system exists because we have no tools to query DNS that I found. Does anyone here know another DNS resolving tool that I haven't tried? Host file, the hosts file. Let's take a look at the hosts file. That's a good point. So, a hosts file on Linux is /etc/hosts. Oh, it's there. All right, so we know the IP. That's good. We made progress. So now, it's there. OK, so we have... So, the hosts file... I didn't even know Docker worked that way. So, Docker did inject the IP in the hosts file. So, we know now that this is on a different subnet. It's not an internet accessible address, right? We're gonna put that in our diagram here. Oh, that's the IP of this system. And since it's not an internet accessible address, we need to find a way to query it. We need to find a way, but we are in PivotBox. So, here we probably have an IP in this subnet. So, I tried to look at our IP. It says command not found. I'll try ifconfig, command not found.
Is there a way I can find my own IP in that subnet? Is it in /etc/hosts? It's not. So, there's probably a couple of ways. And one of the things is we have access to Python, right? So, we could write Python code to figure out what's my IP or what are all my IPs, because Python is basically an interpreter of a lot of things. But we're not going there because it's kind of out of scope a little bit, but still an important part of the mindset, right? Of what do you have at hand that can help you solve the problem, which is I need to query that service. So, we're going to try... We're going to forget what's our IP. We're going to assume that we can connect to this IP. So, we're going to try maybe, you know... So, netcat doesn't exist. Doesn't exist. curl doesn't exist. So, nc is basically low-level TCP. It's called the TCP Swiss Army Knife. So, it allows you to connect, you know, to any IP and port. It's a very useful tool for port exploration and stuff like that. But it's very manual. It's very low-level. curl is for querying HTTP stuff. And it's not there. And then there's wget. wget is another... It's curl-like. So, we can see... OK, can we connect to the host? So, by default, it will try port 80 for HTTP stuff. And it says connection refused. But we know that it was on port 5555. So, we can do that. And then it says connection refused. OK. Now, we tried all our options to leverage PivotBox. So, we were here, right? We tried everything from here. And the result is sad face. Now, we have all the tools that we need on our attack machine. Why don't we have a mechanism to reach this port? And this is why SSH is so powerful. You can. And so, basically, what happens is that with SSH, you create a tunnel that will go up to here. I'll try to make that more clear, I guess. And so, what we'll do is that we'll send our data here and it will go out like it's coming from here to go there. OK? That's what we're gonna try to do with our SSH tunnel. SSH tunnel.
Now, the syntax for SSH tunnel, and you can figure this out on your own with the man page. But if you search for tunnel, so searching in the man page, you just write slash and then we search in the man page. Search for tunnel. Couple of words. Maybe it's not super clear. That's not the type. So, SSH has basically a lot of different types of tunnel. It's not helping. I know the name of the option. I'm gonna reverse figure it out. OK. So, dash capital L. Here, if you look at the man page, it says, specifies that connections to the given TCP port or Unix socket on the client host are to be forwarded to the given host and port. So, what's interesting is that an SSH tunnel doesn't only allow you to do port here, which is already in itself very interesting, right? You're tunneling securely, getting out and poking the local system. But it allows you to go from the system you are connecting to, to another system only available from that system. So, capital L. And then you have port, host and host port. This is what we're gonna build. So, port is the port on the client. Host is the host after the original SSH connection. In our case, this is sysadmin service. So, our original SSH is to PivotBox. But from there, our tunnel, we want it to be destined to sysadmin service at the remote end. And then there's host port. So, if host is sysadmin service, host port is 5555. And so, let's try it, okay? We had our previous command. We still need the key because we're still authenticating to that system. We're just adding another feature on top of it. So, dash capital L, port. Our port is local. Basically, we invent it, right? As long as we remember what value we put there, this is local. This is for us for later. Because, although we're set up in that tunnel, that tunnel, it's not giving us the flag instantly. We still need to query that service. But instead of doing it from the target system, we will do it from our own system. It's all gonna make sense very soon.
But this port, we can figure it out on our own. One, a really good value is 12345. It doesn't matter, to be honest. Okay, then it was host. Host, we'll put sysadmin service because PivotBox knows what that means. It translates to 172.1.0.8. And then 5555. So, what's weird about the first time you do an SSH tunnel is that you think that the SSH tunnel is so important that it's gonna change the behavior of SSH from the command line perspective. But it doesn't. So, you press enter and you still have your shell. But what you don't know, or what is not obvious, is that the tunnel was connected at the same time. So, you do have your command interpreter, but the tunnel was created. So, if we look at our local machine. So, I'm opening a new command line on my local machine. And you do a netstat to look at what our open services are. And let's grep 12345. So, the flag that I'm using, the -p flag, is to show the process associated with a socket. This requires root. This is why I added sudo and I need to type my password. But so, unfortunate positioning of Zoom. Okay, let's just run it another time. All right. So, what you can see from this is that on my local system, now that I did the tunnel, I have something on port 12345 that is listening and it's SSH. So, SSH created that tunnel for me. Now, I wanna find the flag. What was I requested to do? I was requested to poke the service. So, that's what I wanna do. But now, let's go back to our diagram. So, now that I have this tunnel and I'm here, how can I query it? I can query it by accessing my local system on port 12345. So, if I drop a packet destined to localhost 12345, this will magically go to sysadmin service port 5555. Let's do this. So, I'm gonna use ncat because it's the superior alternative to nc, which is netcat, which is the old venerable at this point, TCP Swiss Army Knife. So, I'm gonna ncat 127.0.0.1, which is localhost. And I'm gonna do the port 12345.
This will magically enter the tunnel, go through PivotBox encrypted by SSH, get out at the other side of PivotBox and go to port 5555, and I'll get the flag. And this is what happened. Congratulations, you pivoted. So, imagine all the firewall bypass capabilities that you have once you master SSH tunnels. It's incredible. You can do so much shadow IT with SSH tunnels. And there's even a concept in SSH called proxy command, where you can SSH into a box behind an SSH tunnel. SSH is very, very powerful. And so, let's try to put that password in. And we got it. So, let's look at how we're doing. This is, you know, again, very hard to know where everyone is at, right? So, I'm taking it really slow, maybe too slow for some of you, maybe too fast for others, right? Trying to do my best, trying to be respectful of everyone's time. So, we got six solves for the first one, which is very good. And then the last one, oh, five solves. Okay, so, we're doing great. All right. So, the PivotBox service is useful. So, keep it close, because once you do XSS attacks on other people on the internet, you need them to be able to exfiltrate their secret to a server somewhere. Their browser will want to talk to something and you need something to listen there. So, don't forget that system. We're going to use it for the last challenge of the web track. Now, let's look at the web track. Or, you know what, since it's the beginning of a new track, we can take a couple of minutes. I'll ask the people on site how they feel. Be right back. Okay. Welcome. We have the fort. Now, we need to skip the taxisserie. We went at the right moment. Thanks for going into the web track with me. So, no knowledge, no challenge, but exercise. We have different firsts. We have a moment of contact. Oh, sorry. Okay. Okay. So, for the web, for the web one, the first one is a true classic of all CTFs that are easy to get access to. And it's use the source. So, we're going to open it.
And then what we have is a web page. And we're like, what? I don't know. Admin, admin. Login failed. User, user. Login failed. Okay. I don't know, what can I do? I can try to look at the source. And if I do this, what do I have? I have. Oh, okay. Use the source. Not even using my own advice. All right. So, you know, web pages have HTML code and that code is all open, no matter how complicated it can be to look at it nowadays. It's still all there, right? It's still instructions given to the browser that are readily available. Thank you very much. So, in that code, there can be comments. There often are comments. So, when you see a piece of advice or a joke around using the source, the, oh, you put power. Then it's just look at the source. And sometimes it can be really misleading. Like, for example, a classic of just a twist on that use the source trick is you put a thousand empty lines and then the password or the flag is there, right? So, if there's a thousand empty lines, you don't see it in the first screen. You see nothing. But then you realize, oh, there is a scroll bar, and then you scroll to the bottom and you have your flag. So, you know, baby steps. But so it says, if needed, support account is support, welcome to. So, we're gonna do support. Welcome to login. Hey, hidden account activated. Here's your flag. Now, it's really simple, right? It's 101. But the reason why it needs to be explained is that sometimes there's a hint in the source and then you're told, you're hinted towards the right direction. So, it's always something to look at. And a lot of other places where people will hide hints include robots.txt and stuff like that. Common HTTP stuff hidden behind web servers. So, we got this. All right. So, to view the source, you can use... I think Zoom is messing up with my... All right. So, you can use the view source like this, Ctrl+U. But the inspect mode is pretty powerful and it's something we're gonna use more and more as we go through the web track.
So, inspect mode has a source component but with a nice navigation mechanism you can... And then there's the network tab where you'll see queries from your browser. So, it's all good stuff. Oh, and you can see that I'm using like a preset to simulate a phone. Okay. All right. So, first one, quite easy. View source. You have a clear text username, password. You can get in. Now, let's move on to the SQL. Okay. So, SQL, what's going on here? I'm gonna do test, right? Search for test. Now, this is a made up challenge, right? But what is key in understanding SQL injection is that it goes into a database and SQL is a programming language. So, it goes into something that is a programming language. So, it must be syntactically accurate and you must think like the programmer. So, now, to help us understand all this, we show the query in this challenge. So, basically, when I wrote test in the search here, what happened is there was a select star from items where name like, and then test is there. So, we can say, oh, okay. So, this is where it's going. All right. I imagine that the flag will be in the table that it's querying already. So, I'm gonna try to look for a flag. So, someone in the system is messing with me. In that database, there is already an item in the items table that has name flag, but the description is nice try. So, someone's messing with me, right? But this was not SQL injection. So, what is SQL injection is when you're trying to mess up that query. So, what defines the boundaries of tokens in an SQL statement? In this case, it's double quotes. So, if the person who programmed this webpage didn't account for the fact that I can put double quotes, then he has a problem, right? So, I'm gonna try putting in double quotes. Oh, something fucked up. Now, why did the page break? Let's think about it. Let's replace in our head flag with a double quote. So, what we have is like double quote, percent, double quote, percent, double quote. This is invalid syntax.
So, of course, the SQL lexer, when it arrives in the SQL engine, it says, this is not SQL, man. Fuck you, I blew up. And PHP was made to fail in this case. I'm not ignoring errors. I am bubbling up errors. So, let's try, let's start by thinking, okay, but how can we make it legit, okay? So, let's put double quote, and then put or, and then let's put name. I'm trying to think, okay. I don't wanna spoil the flag too fast, right? So, I'm gonna put like A, B, C, and then or name, and then I'm gonna finish, because the thing is, we need to finish that double quote correctly for it to pass, right? So, or name equals, and then I'm gonna do A, B, C, and then leave it like that, right? So, what does this look like? So, this works, and let's look at why. It works, but we don't get the flag, right? So, it says like double quote, percent A, B, C, double quote, or name equal double quote, A, B, C, percent double quote. So, it's syntactically valid, but it doesn't yield the result that we're looking for. Now, what would? All right, so, the where clause is using Boolean logic, okay? So, if we can do or, we can do or true. So, it's like where name like false or true. Then, if it's true, all rows are gonna be evaluated to true, which means that I will get in my result set all rows. So, we can do then, okay, let's do a true statement. So, we're gonna close that bracket here, and we're gonna do or, and then the classic true statement that we see in every joke online about SQL injection is or one equals one, okay? But this could be simplified to one. One is a positive value, is a true value when evaluated. So, it's always, you guys should come up front, it's very loud, you'll not hear anything. One, we're in the room here, or you can sit together as you want. But so, we'll do the one equals one because, you know, it's the XKCD joke and stuff, but people should do or one, and I'm explaining why, one equals one is like in every fucking filter out there, right?
So, if you do or one, it's harder to filter one because it could be a legit value input by a customer. Yes, come on. There are many ways to bypass that challenge, many ways. So, I'm gonna show you one, but now I'm teaching SQL injection. So, we'll do the legit first, but then there's one, you're close. Semicolon shouldn't work. Semicolon probably doesn't work, but there's one simpler that works. And you have everything, semicolon works, okay? No, but I don't wanna spoil it, man. No, we'll get there, we'll get there. But so, okay, let's do or one equals one. Man, I'm too in a hurry, like I'm too excited, I do or one equals one, and I'll do search right away. Ah, shit, error, why is that? Now, since we have the query, it's easy for us to answer that, but imagine when you're doing a CTF, you don't have the query output in your face. So, oftentimes you need to go in an actual SQL engine and try the stuff, right? And we could do that if we want. I don't know how, I think I'm slow, I won't do this, but you have SQLite on your system where you can do that. But so, one of the important tricks is to know how to comment in SQL. So, if you comment out the rest of the sentence, you can avoid having to make it syntactically valid. So a comment in MySQL and many SQL databases is two dashes followed by a space. So now, I'm closing the first part of the where clause saying or true value, and then the rest we ignore. It's a comment for programmers, you know. Let's try that. And boom, here we go. We look at the like. So it's like everything or one equals one and the rest is ignored by the SQL database, the SQL engine. And so now we have like congratulations and then flag equals nanananan. And we realize that we had a little bit of trolling material in there. Like if you put just one equals one, you are on to something. But so our flag is here. Now, let's get creative as our friend just suggested. So I never expected comma semicolon to work.
So the percent sign in the like clause is a wildcard. It's like star in most things. I don't know, the old farts who designed SQL decided back then that it was a different character. It's not star. But so here's the behavior, and I'm getting back at you regarding the semicolon because I don't understand what's going on. But if we do percent sign and we search, it's gonna work, right? But you see it here. It's showing up. So you put in percent in search. When you look at the query, the percent that you've written is in the query. And basically why does it work? It's because this query is, I want anything, anything, anything. And it works, right? Now, the behavior of semicolon troubles me and I'll show you why, because it's not showing in the query. So it's probably not the SQL engine that gobbles it. It's probably something that PHP is doing. Yeah, yeah, you can do that, but it would show. We would see it. Because what is displayed is what is sent to the SQL engine. So I don't know, I don't know what's going on, but it works. You know what? Let's look at the source, maybe. Maybe it is showing. No, it's not. Yes, it could be, but I would need to be convinced. I'm not 100% on this one. And I think right now, I think about it. I think there's a bug in this challenge. If I put nothing, is there an error? Ah, I validated the case where there is nothing. Because then let's say that I wouldn't have put this case. The query would be percent Oliver. Yeah, yeah, but why isn't the semicolon in the query? Where does it disappear? It still should be string concatenation inside a PHP variable. Okay, so let's look at the inspect. Okay, let's look at this from the inspect console. Let's look at what is sent by the browser when I put a semicolon. Whoops. All right. We are sending payload. We are sending a semicolon. So this is URL encoded as %3B, which should be URL decoded by PHP, then injected in a variable that is string concatenated. For me, I still can't explain it.
I'm still a bit dissatisfied, but I'm sure there's an explanation. So let's take the F here. So if we have the proper F, it will work. So let's do the F and then semicolon. See what it does. Semicolon really disappears. Oh, my G sucks. That's my mistake though. So I tried to use UTF-8 characters, but there is a collation in SQL where similar characters will be interpreted differently. Anyway, we dug deep and you can see how it can get more complicated. But let's move on with our next one, which is the self-XSS. Any questions on the SQL injection? You can see how once you understand what's happening, it's kind of simple, but it gets complicated when you try to exploit it because most of the challenges will not be the simplest cases. You really need to think like a programmer, basically. All right. Oh, a lot of people solved the self-XSS. That's good. Okay, so what's the difference between what we had before and the self-XSS? Boom. Okay, so we have a search very similar looking to the SQL injection. So we'll do right away or 1 equals 1, right? This is not the SQL injection challenge. But what's different here is our output is there in the web page. Now, being able to modify a web page is something that we know, and we've dealt with the web since ages, right? We're really familiar with that. But what's the attack behind that? Well, the attack is, if I can inject JavaScript, I can then have your browser do something as a third party. So, okay, I'll do a diagram. So we'll have like the user, let's say attacker, and then the victim, and then the web server. So when we were doing nothing on the internet, it didn't matter, XSS, people. I was one, like in the 90s, downplaying the importance of the vulnerability. Even in the early 2000s, I was like, no one gives a shit about XSS. It's like remote code execution or nothing, right? But then the thing is that the relationship between the web server and the victim grew in importance and a lot of trust is behind it, right?
Let's say the victim is Donald Trump and the web server is Twitter. Impersonate Donald Trump on Twitter. I am pretty fucking powerful. Not right now anymore, but at some point in the past I would have been pretty fucking powerful, right? But this is what, I would get people to invest in my crypto for sure. So this is basically what XSS is. You are sending a URL. So, my diagrams always start elegant and they always become a mess. You follow along, please. So you send a URL, no matter how. A Twitter DM, an email, whatever. The victim clicks on it. It is in that URL. There is code, injected JavaScript, that will be sent to the web server and interpreted by your browser. And it's another thing, weird. And this is called reflected XSS. So the victim is carrying the payload to the browser. The web server reflects the payload in its page. When it comes back to the victim, there is JavaScript and the browser is like, JavaScript, fuck yeah. I'm executing this. And so this is the attack. And now we will do a simple case which we call self-XSS. XSS yourself. It's really for demonstration or academic purposes. But then the real attack is going to be on the next one, where we are attacking someone who clicks on everything we send his way. So the first one. So in the first scenario, we're basically attacking ourselves. But what we can see is that we are modifying a web page with input. So this is always the first place you start to dig. Okay. Are they doing any filtering? Well, let's find out. Can I do this, right? Oh, look at that. The HTML bracket disappeared. But the thing is bold. This is exactly what I asked. And you can see here that there are bold tags. Well, you might not see. I don't know how small this is. But the bold tags were carried. This is the beginning of something very dangerous. So what if we do put a script tag and then some JavaScript? What is going to happen? And this is all valid. So script tag, valid JavaScript, close the script tag.
Then let's do the search. Oh my god, it's written hello and it's not written document.write. So what happened? What happened is we actually had the JavaScript executed. We can see that what we have is still the script tag. It's still there, right? The web server reflected all of what I've written to the browser. The browser, when it saw that line, did its job. It said, oh, this is script, I'm executing JavaScript now, this is what I do. And then boom, hello is printed. And then the rest of the page is rendered. Okay, let's go back to the challenge description now, because we pretty much have XSS. The challenge description says your payload must absolutely contain alert(1). This is just a cheat hack so that the web server can send you the flag. It's not really important. But let's do it. So script, alert(1). We got the alert. So as the page was rendered it stumbled upon that place, so the thing is not even available in the inspector and console. But we did get the alert. Then let's do okay. And then the search is for nothing, because it was just pure JavaScript. Nothing was output. It was all hidden by the browser interpreting code. But you have the flag here, right? Congratulations. You XSS'd yourself. And we have the flag. Again, super fake, to understand. The next one is the real one. You'll see, this steps up a bit. It's probably the hardest challenge of CTF 101, the next one. And it's because XSSes are complicated to perform. These are complicated attacks to do. All right. So XSS Larry. I should have called him XSS Trump now, with the example I made earlier. So we have the challenge. So, similar page. Actually, I think it's the same page. So you can submit URLs for Larry to visit here. So basically Larry is a very enthusiastic page visitor. So whenever you send him stuff, he will visit. So let's have him visit, I don't know, google.com. So here, behind the talking, it was written that Larry visited the page.
So we have no output. We don't know. Larry doesn't reply to us. He's just an enthusiastic person browsing Reddit. So we have no output. So how are we going to steal Larry's secret? Well, it's tough, right? Let's continue reading the description. Our goal is to steal Larry's browser cookies for the CTF101 nsec.io domain. So a browser will not send unrelated cookies to unrelated web servers. We will need to find an XSS under that namespace, that domain, and have him execute JavaScript that will send his secret to us, a third party. That's getting pretty fucking complicated. For this task you will need an accessible web server; you can use pivot bot, and this is where it brings us back to the SSH track, where we have SSH to a server that is reachable from that victim. So the sysadmin SSH system, yeah, the sysadmin SSH system is shared, okay? We're all on it together. So we will all need to use different ports. So I'm going to use a port, you're going to have to use a different one, because you will not be able to start a web server on the same port. It's important to understand. So I'm going to go there and run a server, python3 -m http.server, and I'm going to pick 12345. Okay, it started, which means that it's running, which is great. Now I want to confirm first, before getting into any XSS, any complicated payload: what you want to do is confirm that Larry the clicker can go to that web server. I want to see him browse. I want to see him work. So in the challenge description we were told sysadmin-ssh is going to resolve to the right host, but I use a different port, so I'm going to use that port here. I'm going to send this to Larry the clicker: 12345, Larry, click, Larry, let's go. Oh, I got a request. I have a GET / HTTP/1.1; I didn't have that before, so Larry visited, Larry delivered, he clicked on that link. Now I'm not stealing any of his secret here. I need to figure out a way to steal his fucking secret.
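The reflection that the self-XSS and Larry challenges rely on, written out as an added Python example (not the workshop's code and not the CTF101 site's code): a search page that echoes the query into its HTML unescaped, next to the same page with the output escaped, plus a Set-Cookie builder showing the HttpOnly attribute the speaker brings up when document.cookie comes back empty. The function names, the page markup and the cookie name and value are assumptions for the demonstration; the payload is the alert(1) one from the challenge description.

```python
import html
from html.parser import HTMLParser

# Payload from the challenge description: the flag is released when the
# reflected page contains alert(1).
PAYLOAD = "<script>alert(1)</script>"


def render_search_vulnerable(query: str) -> str:
    """Page that reflects the search string verbatim (assumed markup).

    This is the bug the challenge exploits: angle brackets from the query
    reach the victim's browser as real HTML, so a <script> tag executes.
    """
    return f"<p>Results for: {query}</p>"


def render_search_fixed(query: str) -> str:
    """Same page, with the query HTML-escaped before it is reflected.

    html.escape turns <, >, & and quotes into entities, so the browser
    shows the text '<script>' instead of creating a script element.
    """
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags the way a browser's tokenizer would."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def script_elements_in(page: str) -> int:
    """Number of script elements a browser would create for this page."""
    parser = _ScriptCounter()
    parser.feed(page)
    parser.close()
    return parser.scripts


def session_cookie_header(name: str, value: str, http_only: bool = True) -> str:
    """Build a Set-Cookie header (assumed cookie name and value).

    With HttpOnly set, document.cookie in the page's JavaScript does not
    include this cookie, which is one reason a document.cookie test can
    come back empty on a page that does have a session.
    """
    attrs = [f"{name}={value}", "Path=/", "SameSite=Lax"]
    if http_only:
        attrs.append("HttpOnly")
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    vuln = render_search_vulnerable(PAYLOAD)
    fixed = render_search_fixed(PAYLOAD)
    print(vuln, "->", script_elements_in(vuln), "script element(s)")
    print(fixed, "->", script_elements_in(fixed), "script element(s)")
    print(session_cookie_header("session", "constructed-value"))
```

The parser-based check is closer to what matters than a substring search: the question is not whether the characters "script" appear in the response, but whether the browser's tokenizer will build a script element from them, and after escaping it will not.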
What I'm after, and I need to do this under the CTF 101 domain. Luckily I have a web page that is vulnerable to reflected cross-site scripting, so what I'm going to do is attack myself now, but then eventually I'll build the perfect URL in order to be able to attack Larry, okay. So the secrets are going to be in a cookie. One way of having access to a cookie is document.cookie, so let's do this on myself. Nothing. It could be normal; at the same time I think I forgot to write it, maybe that's the problem. document.write(document.cookie). You can see that I've done this before, right? Nothing. Well, maybe I don't have cookies. Do I have cookies? It might not be one that is available to JavaScript, so you can have cookies that are HttpOnly, and the JavaScript context cannot access them, so it might not be the best test. Let's do this to confirm that we still have injection. We still have injection, okay. So instead of doing the cookie we're going to do a query. Yeah, let's... now that's a bit too much. Oh no, that's not bad actually. Okay, so we're going to just de-complexify this a little bit. So okay, no no no, I'm sorry, I'm going to start with something simpler. So I need to exfiltrate information to a third party. To do so there are various mechanisms, but one classic is the image tag in HTML. You can basically request an image from anywhere; there's no notion of third-party security when it comes to pulling resources like images. So we're going to pull an image from the SSH service that I used before, so sysadmin-ssh. I should use double quotes, and I should check if double quotes are going to work. Let's try that. Whoops, double quotes are not working. Let's use single quotes. All right, so you can see that my browser is still working, and then I have a broken image. So what happens in here is I do have the http://sysadmin-ssh/a.gif, okay, so this works. Now I don't have access to sysadmin-ssh, this is not a public IP, and my web server
unfortunately isn't in the CTF101 docker environment, but will this work on the victim? We can try, and this challenge is helpful, helpful in the sense of learning, because we do have the query in the URL, so you only have to copy and paste the content of the URL and send it to Larry. So it's kind of making life easier for you here. So let's do that. So Larry visited this, we should get a request. Oh, you know what, no, I... so 12345 in my case; your case is different, right? So let's search, and then copy, and then visit. Just before, I put a couple of carriage returns so that it's obvious that it's a new request. Oh, so we did get the GET. So when I put an image tag in this via injection, via XSS, and when Larry clicks on that link, his browser is trying to pull that image. Now I just need to add the cookie to it, and this is where you need to learn JavaScript. So the double quote limitation is an important one: you almost always need to put double quotes, especially if you nest JavaScript and HTML. So because of that limitation, pure JavaScript is just simpler. So I'm jumping a little bit forward here, but I'm going to explain everything line by line and you'll follow, you'll see, no worries there. So the only complexity that I'm adding now is that I'm doing this in pure JavaScript, and I'm adding the fact that it's going to be dynamically created in order to avoid double quotes. So what we have here is I'm using JavaScript to create an image tag, okay. That image tag, I'm assigning it this URL. So this URL is http://sysadmin-ssh, oh, I almost forgot my custom port, colon 12345, so my web server that I control. What is the name? It could already be just the forward slash. Then to that I'm appending document.cookie, semicolon, so this is ending. So the image, in JavaScript memory, this image tag has this URL, but if it doesn't exist in the DOM it will never be queried, that image. So that last section is to add it to the DOM, the document object
model, so that the browser will be like, oh, there's an image, I need to go fetch it because I want to display it to the user. And then 'image', which is the name of the variable that we assigned at the beginning, right? So with this we should have a pretty good recipe. I see one risk. One risk here is that my cookie is not URL-encoded, so it could fail, because if there's a value that is not legal in URLs, something, either Larry when he clicks on it or something in the chain, is going to fail. But we're going to execute it like that and see. So we know in advance that for us all we're going to have is a broken image, because sysadmin-ssh is not reachable from my computer. So let's do that. I'm going to add a little ?a= so it becomes a parameter and is not appended at the end of the .gif, or jif, I don't know which club you're in. Okay, so this is a complicated payload that I'm going to lose, so I'm going to write it down here. I'm going to create a web folder and then do a README, and then put this in here. Okay, search. As expected, the browser is waiting, it's going to get a broken image, and it's not visible. Now let's send this to Larry and see. We're going to do a couple of carriage returns so we see if it's new or not. Let's do this. Oh, no need for URL encoding, we have the flag. So let's recap what happened. What the fuck is this fucking complex shit that's called an XSS? It is: we, the attacker, sent to Donald Trump a URL. And if you look at the URL that we sent, right, it contains a search with characters that are HTML characters that should be filtered or escaped or whatever, that is not escaped or filtered or whatever, that is reflected by the web server. So the victim's browser is sending that query, that query is processed by the web server, the web server sends back a web page which has the angle brackets and stuff like that, that was unescaped, and this goes to the victim, and the victim is like, oh, it's JavaScript and it's coming from a web server I trust, let's execute
it. And then part of that JavaScript is injecting an image in the DOM and saying there is something at a.gif on our attacker's machine, which is not in the diagram, and then the browser is going there, and then we are hiding the secret in the query. We're saying, I want an image, but this image has this URL which has the flag in it. It's pretty fucking cool, XSS. And this is a simple one; the ones at NorthSec are just completely crazy, I don't even understand them anymore. It's like, oh, I find a bug in this, and if you do this... So, a twist on XSS. We saw the reflected style, but a twist on it is the stored XSS. So stored XSS is basically one that goes into the database, and then when you view a web page it's sent back to you. And the stored XSS is very dangerous and can be wormable. For example, if MySpace, you know, there's a stored XSS in it, and you write a forum post and you trigger an XSS, then everyone visiting that forum post can execute that JavaScript, and if, as part of that JavaScript payload, you are posting another post on that forum with the payload, to everyone, it just becomes crazy. So the hardcore shit is behind us. We're back with encoding, which is our forensics 101. So there are many flavors and types of forensics challenges in CTFs. A lot of them are fairly, well, I would say easy. It's not true, as you know, everything, complexity gets in. And I remember DEF CON Quals where we had pieces of a RAID array, and you had to rebuild the RAID array using those pieces and then mount it, and you had to hunt, basically, the file system structure and reconstruct it. It was very complicated. But a lot of it has to do with having the eye for something, or having the idea of, oh, this sounds like a pointer, or encoded, or something. So now this stuff. Does anyone have any idea what this is, like what is this encoded with? Base64, correct. So we're going to learn our favorite tool for those types of stuff. It's from the UK secret service, it's called CyberChef. It's basically a Swiss Army
knife for encoding and escaping and crypto. And so it has a From Base64 recipe. So at the top you put in the crypto, at the bottom you get the result, and the flag is here. So let's read it out loud: in this field you should recognize basic encoding techniques just by looking at them; congrats, because it looks like you just did, so here is your flag. So basically just Base64 decoding here, and we are correct. All right, now we have a document, and in that document we'll have two flags. Let's look at it. I used to teach cybersecurity at ÉTS University nearby, and so this is an old class summary that I use for that challenge. So okay, what are the things in these CTF challenges, why is this included in the 101? It's because I was very salty about not succeeding at a challenge one day, and these are two techniques that I didn't succeed at at first, and I was like, it's so fucking stupid that I need to teach that to everyone so that they don't fall victim to my stupidity back then. And so how can you hide stuff in a document? Well, anyway, yeah, using encryption and stuff, legit, yeah, but let's think secret service, like hiding-in-plain-sight type stuff, right? And so a thing should draw our attention, but it's normal that it doesn't. But yeah, it's kind of stego if you want. But so what you can do is, a document is super flexible, allows you to have all sorts of... you can put white on white, you can put, you know, tiny tiny tiny fonts and shit like that. So one trick is to copy and paste all that stuff into a dumb-ass text editor and then search in it. We're in a CTF, what are we going to search for? Flag, right? Boom, I got a flag at the end, at the bottom end, that you probably don't see, sorry about that. Oops, somehow dragged the zoom. At the bottom end there's something that matched flag. Okay, now what we're going to do is go back to the document, select that text, and we see that there is text there, and then we're going to make it darker. Here we go. Ah, it works, nice, we've got sound. I think the old ones... you're not going to
speak softly, but I have people on the stream. I have people on the stream. Do you have a little stand? That would be really cool. It's going to be good. Did you take it? It's going to be good, it's going to be good. I told myself, it's more my throat. Okay, so, yeah, so basically one trick is white-on-white type stuff. Let's put it in the thing and move on to the next one. Oops, we succeeded. We did it. So the next one. So it says the flag is in French, but it still starts with flag-. All right, okay, let's go back to the document. I'm a bit rushed here, but this is the one I never succeeded at in my first CTF, and I appreciated it when I learned the answer. A hint is the spellcheck. Why is the spellcheck lit up? Here we have people's names. The spellcheck isn't lit up on those, that's not too bad, but why do we have, at the top, all sorts of errors in words that look like they should pass? So we're going to paste, specifically, that part into a console. Then, if we look at it as text, what we can see is weird stuff. So the first word that's buggy is 'informatique'. And then, A is fine, R is not fine. And so, if we look in our console, we see F, capital F. We see capital L, we see capital A, and then capital G. That's pretty much a flag, that is. So it's there, somewhere; we'll put it in red. It's not only red. It's tiny, tiny, tiny. So we'll put it at, you know, 60. So F, L, A, G. At this point, you could do it manually. But this is CTF 101. Another lesson I want you to realize is that the difference between a regular problem and a CTF challenge is that they'll take something simple, for example solving a captcha,
and they'll ask you to do it 5,000 times, which means you shouldn't do it by hand, which means you need code, something. Scripting is an important part of solving CTF problems. There's a whole subcategory of these that are usually called programming or programming-related. So we're going to do it, but programmatically. In this case, here, you could do it by hand. I'm going to lose more time programming, but the lessons are important. And you also need to see the way I advise people to operate. Baby steps don't do everything, but they build up the solution. Let's do it. So I assigned the string to a variable. We'll pull it out. Here the words are normal. We'll take a substring of just this part. So, here. Imagine that this problem is much bigger. Imagine that we have thousands of characters and it's like a binary encoded in a document. So we'd have to do it 1,000 times. We can't, so we'll do it programmatically. So now, what I want to do is split all the words. And I want the last character of all the words. So I split the words. Now the last character. The last character. Let's do a test. So now I realize it's down there. And I need to move it higher. So I'll do something a bit weird, but bear with me. If it's good, you can see it down there. OK, perfect. Let's do it. So in c, I have... Ah, that's not a good thing. So in c, I put one word as a test. Now I want the last character. What's the syntax? Oh yes, I get it. Okay, let's go back to our list. OK. So this is a list comprehension. A very powerful Python concept.
I urge everyone who programs semi-regularly to really look into them; they're very powerful. And the upshot is that we have the last characters, but there's garbage. So we have commas, stuff; there's a problem with the way we're doing things. Why is that? Because when we split, we kept the commas. So we'll just remove them somewhere before taking our last character. OK. So not perfect, but close enough. What I did is I replaced the comma with nothing, colon with nothing, dot with nothing, and then extracted the last character inside the list comprehension. So now let's join that back together, because I'm too lazy, I want to cut and paste. So the string object in Python has a join attribute which takes a list, and you select on what you want to join, so I join with nothing, so I have this. So I told you before, it was written that the flag was in French, so this is 'flag' with a T, it's a mistake. 'Le fleu du fin observateur.' So it's 'le flag du fin observateur', and the FL part we can figure out from the string by looking at it. We have 'dumb', end, and then A, and then a carriage return, and then a zero and a colon, so I don't know how the document got like that, but I mean we can figure it out and solve it. So let's go back, put that in, fix the little thingies that are offset, 'flag', and then here it's also 'flag'. So 'le flag du fin observateur'. And here we go, we are correct. All right, we're close to the end; there's the network challenge left, and the crackme at the end. All right, network. Well, pretty much all CTFs have PCAPs. I don't know why it's a religion for security people, PCAPs, and you know what, I love them. Guilty as charged. So PCAPs are opened by Wireshark. We're going to do things a bit inefficiently here, because you'll learn some stuff while we do so. So I clicked on something, I fucked it up.
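The document-spellcheck trick the speaker just scripted (split the text into words, strip commas, colons and dots, take the last character of each word, join), as an added Python example that is not the workshop's notebook. The sample paragraph is constructed so that the odd capital endings spell a placeholder flag, and the real challenge text is not reproduced. odd_endings goes one step beyond the speaker's version: it keeps only the words whose ending would look wrong to a spellchecker, so it can be run over a whole document instead of a hand-selected substring.

```python
# Constructed sample: lowercase filler with a few words whose last letter is
# an out-of-place capital (or a dash), the pattern the spellchecker underlines
# in the challenge document. Not the real challenge text.
SAMPLE_TEXT = (
    "bonjour tout le monde, le chefF du realL pizzA: kinG x- cateT. "
    "treE hoodS coasT et merci."
)

# The characters the speaker replaced with nothing before taking the last letter.
_PUNCTUATION = str.maketrans("", "", ",.:")


def clean(text: str) -> str:
    """Drop commas, colons and dots so they never end up as a 'last character'."""
    return text.translate(_PUNCTUATION)


def last_chars(text: str) -> str:
    """The speaker's recipe: last character of every word, joined with ''."""
    return "".join(w[-1] for w in clean(text).split())


def odd_endings(text: str) -> str:
    """Keep only words a spellchecker would flag: all lowercase except a
    capital letter (or '-') in last position. Generalises the recipe to a
    whole document where most words are ordinary and should be ignored."""
    out = []
    for w in clean(text).split():
        if len(w) > 1 and w[:-1].islower() and (w[-1].isupper() or w[-1] == "-"):
            out.append(w[-1])
    return "".join(out)


if __name__ == "__main__":
    # On the hand-picked substring the plain recipe is enough.
    print(last_chars("chefF, realL pizzA: kinG x- cateT. treE hoodS coasT"))
    # On the whole paragraph the filler words would pollute it; filter instead.
    print(odd_endings(SAMPLE_TEXT))
```

The dash is kept as a valid ending on purpose: in the challenge the '-' of 'flag-' also had to survive, and it is precisely the kind of character a naive "strip all punctuation" step would destroy.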
What we have is a very small PCAP with a sequence of ping and reply, and we can look at them like that. And the problem with PCAPs is that it can go in all sorts of directions, right? There's so much data. If you start, you could look at timestamps. If you have TCP, you could look at sequence numbers. You could look at all sorts of stuff. You can get drowned in noise. But now, ping is pretty simple. And usually, well, people who have looked at PCAPs before know the ping pattern for Linux and Windows by heart. It's like a crescendo, and it used to be to detect error correction, not error correction, errors on the media. So if some bits were corrupted, you would see it in the ping reply. And so ping is comparing what it sends, what you send it and what it sends back; it sends back what you send it. So here are data packets; for someone experienced in networking, you would see that it's not regular. Someone is using a different data payload in ping, and this is allowed by the protocol, but no one does that. So if we scroll down and look here at the data section, okay? We will figure out what the solution is pretty easily. F, L, A, G, dash, N, E. So the easy solve would be to write this down and then submit the flag. But we want to learn something else. We're going to do it the complicated way. So what is a good way to scale Wireshark analysis? It is to use tshark. tshark is the sister tool that is on the command line. So what I'm going to do now is find a way to extract the data out of the PCAP, just the data section. All right, so if we use -r for read and then send the PCAP to tshark, what we get is kind of a nice text-based summary of pretty much the information we have in Wireshark's upper pane, which in itself is not what we're looking for. So the key component of tshark, if you want to scale it and automate it, is -T fields. This puts tshark in a mode of field extraction.
Now, the fields that you want to extract, you add them individually by adding -e and the name of the field. So what we're going to do is -T fields -e and then the names of the fields. How can you know what's the name of the field, you ask? Well, let me tell you that Wireshark is very helpful, because there is a feature when you right-click that is called Prepare as Filter. So if you do Prepare as Filter and Selected or Not Selected, it doesn't matter, what you have is that it will create a query for you at the top. So this allows us to learn. So what is, let's say, the ICMP checksum? What is the name of that field? Let's do Prepare as Filter, Selected. We know that it's icmp.checksum. Pretty convenient, because we didn't have to look through pages and pages of fucking field names. So I just swore on the stream, I'm sorry, and here, sorry. So we want data, so let's select data. And then I'm going to do all of what I just mentioned after I drop the mic. OK, so we have our data here. Interesting. Everything is separated by one line. It's very neat. But now I need to scale that up. Another thing I want you guys to learn: IPython, or the interactive Python console, is powerful. IPython notebook is like powerful and documentation at the same time. If you guys have never used this stuff, you should learn it. And it's called Jupyter notebooks now. But we're going to use a Jupyter notebook to solve that challenge. So I don't know if you know about this, but Jupyter notebooks are pretty cool. So we can do like, you know, OK, it's markdown. I'm going to write... I never do this, but for demonstration purposes, I will. I'm going to document what I'm doing. So you can embed markdown directly into it. But the other cool thing is, so this is Python basically, OK, but the IPython kernel allows you to mix with the command line. So let's do that. The syntax for it is an exclamation mark. So exclamation mark, everything that comes after is executed in a shell.
OK, and you can assign it to Python variables. This is sick, right? Because shell scripts are usually a fucking nightmare to maintain, because no one documents them properly. Now you can mix them with code and just focus on the interesting bit and have markdown for your documentation around it. It's pretty neat. So now we have this. And we know that this, as a list in Python, will be easy to process. So now, in the next couple of steps, what I want to do is, since it's 46, 46, 46, 4C, 4C, 4C, 4C, 4C and stuff like that, I'm going to grab just the last two characters of every line. But not every line necessarily: every line out of two. So we're going to do this together. So as I was saying, I'm going baby steps, right? So I figured out that extracting the last two characters is to use [-2:], minus two, colon, with nothing. And this is, in Python, to say start from the last, go back two characters, and adding the colon means, but I want to get the rest of the string up till the end. So this way you get the last two characters. Now I did this for one item because I wanted to confirm that it works. But if we do again a list comprehension, you can do that on all lines. So let's do that. That's what I was interested in having, but now I still have it duplicated. Is there a shortcut to get rid of every one out of two in Python? There is. And luckily I googled this before being here. So for me it will look easy, but it's not quite easy. But actually slices take three parameters: beginning, and then kind of this iterator, fancy iterator. So we're going to do just that in order to extract one out of two fields in the data list. Okay, we're getting closer to a solution. So we cleaned that up. So now what we have is x for the characters that we want to do. Now let's just run chr on top of this, so that we get the character value associated with this x. And the programmers in the room will know that this is not going to work, but I'm still doing it.
And the reason I say that is because I recognize the Boston Key Party people at the back. And I know that they're going to laugh about my programming and my stuff here. I'm teaching CTF 101, guys. Okay, so the reason it fails is because the characters I extracted were out of a console. So it will fail because it's considered text. So now I need to cast this somehow into an integer, because chr expects integers. So in Python 3, the int method, they added a very nice convenience where you can set the base. So you basically pass the string to int and you say it's base 16. And so it will interpret it as the proper integer in the proper base, and then you pass that to chr. And then we're going to do the trick we did last time. We're going to join that list on an empty string, which will assemble it for us, and then we'll have the flag. So again, doing this from the PCAP would have been faster. But now you've learned about IPython notebooks, the fact that it's kind of documenting itself, and the fact that you have the recipe for later. So it's a pretty neat toolchain that I like to use a lot at work and in CTFs. There was a Montréhack yesterday evening about embedding radare, the reverse engineering tool, inside IPython. So you could have an interactive, easy-to-share, web-based reverse engineering toolkit inside of IPython, a Jupyter notebook, which is very sick when you think about it. Okay, moving on to the crackme. So the goal of that crackme, okay, is so that you're not scared, and we're not going to understand all of what we're going to look at now. Actually, we're going to understand very little of what we're going to look at. But the idea is that we're going to open tools that are scary, and that the first time I opened them, I closed them. I was like, I think I infected my computer, right? It's so weird, full of zeros and ones and shit, and the guys doing the reverse engineering are so much better than me that I'm not going to ever do that.
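The tshark-to-notebook pipeline from the PCAP challenge, as an added Python example that is not the workshop's notebook: the hex strings that tshark -T fields -e data prints for each ICMP payload go through the same four steps the speaker walked through ([-2:], [::2], int(x, 16) with chr, and ''.join). The sample lines are constructed to stand in for the tshark output (echo request and echo reply carrying the same payload, the last byte being the interesting one) and spell a placeholder flag, not the challenge's; from_tshark wraps the speaker's tshark command in subprocess and is only needed on a real capture, so it is not exercised offline.

```python
import subprocess
from typing import List

# Constructed stand-in for the output of:  tshark -r ping.pcap -T fields -e data
# One line per ICMP packet. Echo request and echo reply carry the same data,
# so every payload appears twice; the byte we care about is the last one.
SAMPLE_LINES = [
    "46464646", "46464646",  # 'F' request, 'F' reply
    "4c4c4c4c", "4c4c4c4c",  # 'L'
    "41414141", "41414141",  # 'A'
    "47474747", "47474747",  # 'G'
    "2d2d2d2d", "2d2d2d2d",  # '-'
    "54545454", "54545454",  # 'T'
    "45454545", "45454545",  # 'E'
    "53535353", "53535353",  # 'S'
    "54545454", "54545454",  # 'T'
]


def from_tshark(pcap_path: str) -> List[str]:
    """Run the speaker's tshark command on a real capture (not used offline).

    Returns the non-empty lines, each the hex dump of one packet's data field.
    """
    result = subprocess.run(
        ["tshark", "-r", pcap_path, "-T", "fields", "-e", "data"],
        capture_output=True, text=True, check=True,
    )
    return [line for line in result.stdout.splitlines() if line]


def decode_ping_payloads(lines: List[str]) -> str:
    """The notebook steps, one per line, applied to the list of hex strings."""
    last_two = [line[-2:] for line in lines]      # last two hex digits = last byte
    requests_only = last_two[::2]                 # every other line: drop the replies
    # chr() wants an int, and these are strings from a console, hence int(x, 16).
    chars = [chr(int(h, 16)) for h in requests_only]
    return "".join(chars)


if __name__ == "__main__":
    print(decode_ping_payloads(SAMPLE_LINES))  # FLAG-TEST
```

The [::2] step assumes the capture strictly alternates request, reply, request, reply. On a capture where that does not hold (a dropped reply, two pings interleaved), the more robust way to get the same list is to let tshark do the selection with a display filter, for example adding -Y "icmp.type == 8" to keep only echo requests, and then skip the [::2].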
It's too complicated. But that's not true. You can take it bite-size, pun intended, I guess, but you can take it little by little, and sometimes the challenges are quite easy. It's just the way to approach it, not being scared and taking baby steps. And this one is a particularly easy one. You can do it static. You can do it dynamic. It's quite easy to approach, actually. Let's do it. So first, we're going to look at it statically. So static analysis means without executing anything. And so for that, we're going to use Ghidra. I used to joke about the NSA having access to my computer, but now they're friends. I forgot Snowden. I forgot them. Bad joke. Is it too soon? I don't know. But Snowden's in Russia, you know. Okay, it complains. I don't know why. I know it doesn't exist. Give me a break. All right. I don't want that. Okay. So Ghidra wants you to set up a project, and you haven't added the binary to it yet, but you open it. It's Java. It takes a while. It's pretty powerful, though. And IDA Pro is like 3 grand. This is free. So who wants IDA Pro, except those that can afford it? Oh, let's go. Let's load that crackme. Okay. Nice. And what I like about modern tools like that is that for someone stupid like me, you can go and look at the decompiler. Like, I'm not even a C programmer. It's not true that I will understand the assembly, right? So why is there an error? Okay. So some libraries are not found. It's going to make running it complicated. Okay. So now we opened it. Okay. We have access to all that stuff. The important pieces are exports. The calls that the operating system makes to run your code, it needs something to be exported. So the first thing you want to look at when you open a binary like that is the export table. What stuff is exported to the operating system? Everything that starts with an underscore, you should ignore, right? And in this specific case, you saw in the browser that there were two files.
So there's one that is -hard and there's one that is regular. So the -hard one is stripped. So what does stripped mean? That means that, to save space in the '70s, they decided that we should remove symbols, because the machine doesn't need them. And so it means that there are no human-readable strings in the file itself, except if you print stuff, and stuff that interacts with the user. But things like this would not have nice strings that are readable. Instead, it would be just f with an address, an address in the binary. So we're doing the easy version here, but oftentimes you'll have stripped binaries, unfortunately, for the real reverse engineering challenges. Okay, so all of this is exported. So it's more than anticipated, but there's a name that stands out, and it's called main. So we're going to click on main. So now we see the assembly of the main function, but let's take a look at the decompiled version. It's better. So now we see buffer, printf, dramatic. Oh, a function called dramatic. What is dramatic? When I look at it, oh, it's a for loop with a sleep. And then it's writing a putchar of something. Can I cast it as something else here? So in char, this is a dot. So it's basically doing a dot for how many times? It's not clear. It's a parameter. All right, it's coming from main. Let's go back. So it should... oh, dramatic(3). So it will print basically three dots separated by sleeps. And then x10 is a carriage return. So it's 10 in decimal, and 10 is a carriage return. So you'll see after that a carriage return. Okay, okay. So far it's safe. Like, I could run it if I want to. So that's good. Then compute. Okay, what does compute do? Oh, compute is a lot scarier. There is a bunch of stuff here, you know, crypto mumbo jumbo. Then there's a char function here. And then some comparison. And then it's returning md. What's md? Oh, it's a malloc. So it's a buffer. Okay, okay. Compute is scarier. Let's move on. And then, oops.
And then it prints the flag, the beginning of the flag, and then raise. What is raise? Well, when you don't know about a function in the C library, you can always use man pages to find out what it is. So let's do that. Okay, so the programming API of the C library is in section 3 of the man pages. Because raise has other man pages, higher-level stuff, you need to specify that you are interested in section 3. So: send a signal to the caller. So basically this will send a signal to my process, which means that it can destroy it or fuck it up, right? Which is not what we want. So we have to keep that in mind for later. Then it looks like it's going to print. So it printed 'flag' and then it's about to print. But there's this damn raise in the middle. And then putchar, another carriage return. Okay, you know what? I've seen enough. I'm ready to run it. I'm not scared. I'm no longer scared that I'm going to infect myself. By the way, I don't recommend doing this in most CTFs. Here, NorthSec is friendly. Nothing will destroy your computer unless it's clearly written in the challenge description. But there are some CTFs out there that have been known to have malware or destructive payloads. So always do this stuff in a VM. Usually. So I'm making it executable and then I'm going to run it. And we're going to look at what's going on. Performing intense computation, the dramatic function, and then flag, segmentation fault, core dumped. Damn it. Okay, there's a raise. So I could then do several things. I could finish understanding statically what's going on and solve it purely in a mathematical fashion. So there is data that is computed in compute, and then this data is printed to the screen, but there's something in between. So I could do this purely statically, and because it's lunch hour soon, I won't do that. Otherwise, we could patch the binary. So we could remove the raise statement and then re-execute it without it. This involves patching it out.
so replacing the call with a nop. And it's kind of involved. So I'll show you another way, dynamically. Signals are caught by processes, and the process has an opportunity to do something with them. By default, most signals will make the process terminate, and a debugger is a layer on top of your process that catches your signal, and in the debugger you can tell it to ignore them. So what we're going to do is run that binary inside the debugger and see what we can do with that signal. The classic debugger is GDB, and I happen to have the pwndbg wrapper around it, so it's a lot more verbose and a lot more reverse engineering oriented. By default, GDB doesn't have anything about the machine code; you usually use GDB along with source code, because it's an open source operating system, you have the source code. So I advise people who are getting serious about reverse engineering and solving challenges like this to install either pwndbg or GEF, G-E-F, or there's another one... there are like three that are competing seriously right now, they all have pros and cons, but I'm lazy, I've been using pwndbg for a while. OK, so we're going to run this. So r, then Enter. So it started, and we can see we have the output, and then what did it say? Oh, it says "Program received SIGSEGV, Segmentation fault". So basically the raise(3) is a segmentation fault that is sent to the OS, and the OS sends it back to the process. Now, since I'm in the debugger, it's a trap, and that pauses the process. It shows me the state of the stack, the state of the registers. Then you have the code that's executing right now. And then you have the stack. That's a lot, that's a lot. We're not going to go into that. That would need a CTF 101 of its own. That would need something else. But what we need to understand, the easy route, if you want me to tell you, is that the operating system sent a signal.
And in the debugger, you have the opportunity to ignore that signal. So that's a dynamic way, a lazy way, to solve this challenge. And so that's what we're going to do. We're just going to continue. And then, boom, we have the printf. So that's right after the raise instruction. The raise function is ignored. And so we have the thing. But if we remember correctly, we had the flag- before. And it's the segmentation fault that added the carriage return. So basically we need to take FLAG- plus the output we have. So let's do that. And that concludes CTF 101 nicely. And I'm on time, I think. Maybe I'm too short. I don't know. Am I supposed to be three or two hours? Don't check. I want to finish now. At one. No, but OK. So, you want me to... You want me to do it statically? So you want me to do the crypto by hand and arrive at the same result? I can do it if you want. But if you'd rather have lunch, you can go to lunch. It's your choice. I don't see anyone leaving. I'm going to feel compelled to do it statically. No, no, no. So I'm going to do it. Like, let's say it's malware. So you don't want to run anything, because it could do a lot of things at startup and so on, if you don't trust it. So what I'm going to do is focus on the compute function. I'm going to reproduce the crypto they do in there. I haven't done this in a long time, so it might not work. We'll see. And then I'll try to do that and see what the result is. Now, this looks like a stack canary, because of the fs access, CPU something, I forgot what it's called. And it's compared after the function, and if it's not valid, it does a stack check fail.
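To make concrete what the debugger is doing with that signal, here is an added example (not part of the talk and not the challenge binary). It is a constructed stand-in for the program: it prints the start of a made-up flag, sends itself SIGSEGV through the same kernel path raise(3) uses, then prints the rest. Run with the default disposition, the kernel terminates it right after "FLAG-", which is what we saw on the command line; with the signal discarded, which is what swallowing it in the debugger amounts to, the rest of the output comes out. The flag text and function names are this example's own.

```python
"""Constructed example: what a signal does to a process, and why swallowing it
lets execution continue past the raise. Not the challenge's code."""
import os
import signal


def challenge_body(out):
    # Stand-in for the challenge's main(): print the start of the (made-up) flag,
    # raise SIGSEGV like the binary's raise(3) does, then print the rest.
    out.write(b"FLAG-")
    os.kill(os.getpid(), signal.SIGSEGV)  # this is what raise(SIGSEGV) does underneath
    out.write(b"example\n")


def run_in_child(swallow_signal):
    """Run challenge_body in a forked child; return (captured output, terminating signal name or None).

    swallow_signal=False: default disposition, the kernel kills the child (command-line behaviour).
    swallow_signal=True: SIGSEGV is discarded, the in-process equivalent of the debugger
    not delivering the signal and continuing.
    """
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child
        try:
            os.close(read_fd)
            disposition = signal.SIG_IGN if swallow_signal else signal.SIG_DFL
            signal.signal(signal.SIGSEGV, disposition)
            # Unbuffered so the partial output survives the child being killed mid-way.
            with os.fdopen(write_fd, "wb", buffering=0) as out:
                challenge_body(out)
        finally:
            os._exit(0)
    os.close(write_fd)
    with os.fdopen(read_fd, "rb") as inp:
        output = inp.read()
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return output, signal.Signals(os.WTERMSIG(status)).name
    return output, None


if __name__ == "__main__":
    print(run_in_child(swallow_signal=False))  # (b'FLAG-', 'SIGSEGV')
    print(run_in_child(swallow_signal=True))   # (b'FLAG-example\n', None)
```

One caveat worth knowing before relying on `continue` alone: GDB's default for SIGSEGV (see `info signals`) is stop, print, pass, so on continue it hands the signal back to the program; `handle SIGSEGV nopass` makes the debugger swallow it instead, which is the behaviour the ignore-it approach needs. A SIGSEGV generated by a real bad memory access, as opposed to one sent by raise(3), cannot be ignored this way; the faulting instruction would just run again.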
So I'm going to ignore that part. Now, the start of what's sent to SHA-1 is local_48. So it starts here. So what I'm going to do is append all of this together. I need to append 14. 14 is the length. Yeah, 14. No, that's not it. Where's 14? Maybe it's gone. OK, we'll try with and without. So I'm basically just going to extract everything that's there, and then I'll SHA-1 the thing, and we'll see if we get the same result. OK. So what I did, I started my IPython notebook. I made a very rough thing where I can hash the bytes. So the bytes, here, I'm passing the bytes. Now it looks like a string, but actually it's not a string. And then I do a digest on that. So I hope it'll be the same result as what I tried. That's what's going on in there. I'm more and more sure that's not a result. Oh, I forgot the quotes. OK, now that's what's happening. That's enough. I don't think it's what we hoped. Let's compare. B5488. OK, so I tried and I'll try the uppercase. I don't think that's going to work. So there's something. And it could be endianness. And it could be the way Ghidra presents the information. I should get better. Or the way the assembly... because Ghidra shows me something. But that's not necessary. And I forgot, I have the source code. Come on, let's take a look at the source code. That's cheating, though. I'm not supposed to have the source code, but I don't want to be like that. OK, so it's a string. It's a learning thing we're doing here. Ghidra can't do it. OK, let's try to convert it like that. Yes, you see it. So that's interesting. And it's a good decision for challenges like that.
So anyway, the way the assembly transforms this can be for many reasons I don't know. Compilers are fascinating. But the compiler decided this was too inefficient, and it's just going to use registers to build the string so you can pass it to the SHA-1 function. But doing it that way makes them look like that in the assembly. And even in the assembly, it's in rax. I think it's rax. And I think that's why it's not working. Like 73, 20, 6F, 75, 73, 20, 6F, 75. No, that doesn't make sense. 20 would be a space, but oh, ASCII 20. Maybe not. OK. So, sorry. Hex 20. ASCII 20. Decimal 20. But in hex, it's not... I don't know what it is anymore. I don't know if it's printable. OK, OK. So I don't have IDA. So let's look at IDA and see if it's different. Compute, fine. The strings are here. Ah, here, we can cast it as a string. OK. So if we do that, we can see that it's reversed. And again, it's probably the way the machine works. It sets up a region of memory and then, because SHA-1 expects a buffer... So this buffer starts here and goes to here, and it's probably the first one, in reverse. But then we'll have all the strings upside down. So there's no way you'd get that it's one of my attempts. It's a capital and no exclamation mark. Let's do it. It's not the byte string, we'll add it here. We have B54, it looks like we have B5, and I think since I already submitted, I should still have already submitted or something. OK, so you have to trust me on this, because basically you've already submitted, whether you put the right or the wrong answer. But that's another way of doing it, statically. However, it's a bit hard with Ghidra. The way they put it in a char doesn't help.
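The static attempt above stalls on how the decompiler shows the input to SHA-1: the compiler materialised the string as 64-bit immediates stored through a register, so Ghidra prints qword constants whose hex digits read most-significant byte first, and the bytes look reversed within each 8-byte group. The following is an added example, not the speaker's notebook and not the challenge's code, that uses a constructed sample string (the challenge's real string is not known here). It mimics what such a `mov rax, imm64 ; mov [rsp+off], rax` sequence leaves in memory, reassembles the buffer little-endian, and checks that only the reassembled bytes hash to the same SHA-1, while pasting the hex digits as displayed does not.

```python
"""Constructed example: rebuilding a register-built string from the qword immediates a
decompiler displays, then SHA-1 hashing it. Not the challenge's code."""
import hashlib
import struct


def as_qword_immediates(text):
    """Mimic the compiler: split the buffer into 8-byte chunks and encode each as the
    little-endian qword that a 'mov rax, imm64 ; mov [rsp+off], rax' pair stores (x86-64 assumed)."""
    data = text.encode()
    chunks = [data[i:i + 8] for i in range(0, len(data), 8)]
    return [struct.unpack("<Q", c.ljust(8, b"\0"))[0] for c in chunks]


def reassemble(immediates, length):
    """Undo it: write each qword back to memory little-endian and keep `length` bytes."""
    buf = b"".join(struct.pack("<Q", q) for q in immediates)
    return buf[:length]


def naive_hex_concat(immediates, length):
    """The mistake the decompiler view invites: pasting the hex digits as displayed
    (most significant byte first) gives every 8-byte group back to front."""
    buf = b"".join(bytes.fromhex(f"{q:016x}") for q in immediates)
    return buf[:length]


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


if __name__ == "__main__":
    secret = "you must be this tall"  # constructed sample, not the challenge's string
    imms = as_qword_immediates(secret)
    print([hex(q) for q in imms])  # roughly what the decompiler shows for the stores
    print(reassemble(imms, len(secret)))
    print(sha1_hex(reassemble(imms, len(secret))) == sha1_hex(secret.encode()))    # True
    print(sha1_hex(naive_hex_concat(imms, len(secret))) == sha1_hex(secret.encode()))  # False
```

The `length` argument matters for the same reason the 14 mattered above: the last qword is padded with zero bytes, and hashing the padding along with the text changes the digest.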
We realized it's a string. But if we'd realized it was a string, maybe... Ah, here it is, look, look. So in the C code it's wrong, but in the assembly it's OK. So it's possible to do it without paying 3 grand. And that concludes CTF 101. I'm going to hang around a bit, and you can come see me if you have questions. I hope you learned at least a thing or two. That's the goal here. And thank you for participating. But every time I do this, it goes wrong. It really is live.