 Hey everyone and welcome back to the YouTube video on PicoCTF 2018 and this video I want to take a look at the resources challenge It's only worth 50 points It says we put together a bunch of resources to help you out on their website If you go there you might even find a flag and here is the link to the page and it offers just a link You can click on right here. This challenge is a little trivial. It's not too hard Really, it's just look at this page and read through it You've got some links here to check out general skills cryptography web exploitation friends expiring reversing and a lot of other really cool stuff Honestly, I haven't gone through this yet We should they have a feature YouTube channel. So that's pretty neat. Oh totally want to take a look at that. Oh It's mr. Carlisle. He is fantastic I know him kind of personally through some of my stuff at the military academies So there's a lot of really interesting like content here that you can totally read through and I would recommend it And it's honestly just a good place to go to when you don't know the answer to One challenge or something that you may be looking at kind of under that umbrella of the category You know of the challenge that you're working on and it's awesome when you're doing that in CTF So this is certainly a good resource and that's important to kind of have in our back pocket at the very bottom Below this video tutorials here. It says thanks for reading the resources page Here's the flag for your time which you can copy and paste take note of and I'll actually do that I'm gonna create a flag dot text file as I usually do and We can go ahead and head back to the original page submit it for our 50 points We can put this together in a get flag script if we just copy the link address as we usually do I'm going to use curl which you may have seen or used before if not You can just pseudo app install curl if you don't have it installed on your system or whatever package manager that you need So curl will allow us to make a request to the web page and view the output of the page So like literally seeing the HTML source. You can see the flag right here in the output So what I'm going to do now is go ahead and pipe that to grep and a lot of times I've done this in previous videos So hopefully it's nothing new But if it's a new technique for you as you're starting to watch these videos for the first time cool. Hope you enjoy Grep grep will let us search at least when we're piping at least of the output that we give into the program And I'm using tack oh for only so I want to return only the search results that I return and Wanted to filter for to begin with and tack capital e to get regular expressions or extended regular expression support So that way I can use the flag format Pico CTF and then the curly braces And I'm going to use some regular expressions inside here to say period and then a star So period to match anything and then a star or asterisk to match multiple or like as much of you can of that So once I run through that it says a little bit of the curl connection stuff So I'm going to go ahead and make that silent with tack s and then I'm going to use tack tack color equals none on grep So we don't get that red color and that just that will return only the flag for us. So that's pretty handy Okay, I'm gonna go ahead and make a get flag script with that. So nano Been dashes a shebang line to pump that there mark that as executable It runs just fine and we can mark that challenge as complete All right, what do we got next these are? This are this is these are words Reversing warm-up number one 50 points throughout your journey. You'll have to run many programs Can you navigate to this on the shell server and run this program to retrieve the flag? So allows us to download the program? Let's go ahead and do that. I'm going to make directory for reversing warm-up number one head to that directory W get that file and If you have not used Linux before or you just don't particularly know how to run stuff You will want to dot slash and that's kind of a Term I suppose the colloquial name that I'm going to go ahead and use that I normally use Because you want to say in this current directory. So the period or the dot to mean the current directory Relative to it. I want to run this file or whatever program we want to run Except it has to be marked as an executable So the way you can do that is the simple chmod command to like change or modify make make Modifications of the file to add permissions to it and plus X that X or the executable bit will mark it as executable And we just have to supply the file that we want there So now if I run dot slash run Actually, if I were to check out LS, you can see it's highlighted green And let's take out you can see I've added the executable bit to all of the columns here So myself or the owner the group that owns it. That's the third column Again, I still me in my group that owns it and then everyone so everyone can run this now dot slash run and we get the flag so if we wanted to put that as get flag or redirect that to a static file and we can actually just move the program itself to named get flag simple stuff Okay Let's go ahead and submit this flag easy and As usual mark this challenge as complete Okay, next challenge reversing warm-up number two is can you decode the following string from base 64 format into ASCII? So base 64 is super duper common and capsule flag competitions. If you haven't seen it before can simply Google it base 64 on Wikipedia is a Type of encoding or a scheme of representing characters and data information in a peculiar way It is pretty easy to identify because it'll look like a lot of seemingly random like letters and uppercase lowercase letters with occasional numbers thrown in and The only other characters aside from that that are acceptable are a plus sign and a forward slash So those are the acceptable characters in the base 64 format and you'll see those just Maybe rarely but the most common stuff are seemingly random Uppercase lowercase letters more uppercase than usual sometimes and that's what makes it kind of easily identifiable the most important telltale about base 64 is that it ends the Like the very very end of the string or of the encoded data is a normally a set of equal signs It's it doesn't have to have a set of equal signs Because the the reason that the equal signs are there is because the length of this data has to be a multiple of four so if the encoded information like if the transformation of regular letters into their encoded form does not end up giving you a perfect factor of four like Multiplicant if that's a word multiplicant I don't know if it's not a multiplication factor or if it's not a multiple of four It will add these equal signs at the very very end as padding to make sure that it will eventually like it you'll have one two three or None sets of equal signs there at the very very end to make sure that it's a length of a multiple of four So peculiar thing in this case We don't have a equal sign of the very very end and okay If we wanted to you could just go an online tool to base 64 decode information There are a lot of these that are crappy and stupid and dumb and they waste a lot of time in my opinion I want to be able to automate this process I want to be able to do it from the command line or from Python or whatever that we're working with so there is a utility base 64 that you just have on your command line and Normally, I would echo stuff into this. I would just pipe it in and that will decode it for us just fine Another tactic that I've kind of seen which may be another interesting style is if you read it in at the very very end by using these Three less than redirection signs so just like that and you'll still decode it as you would expect Python can do this as well. You can just have a string and you can do dot decode Base 64 and that's the route that you should go another option is to import the entire base 64 module and then run base 64 dot b64 decode on it But I want to get in the habit more of just simply using the string Dot decode base 64 because you don't need to import a whole module and just seems to be a little little better a little faster Whatever nicer so that is the flag we can go ahead and actually make it specific directory for that Reversing warm-up to actually I'm gonna mark this as complete already since we know that we've got the flag at this point and we can go ahead and Do just that I'm gonna use Python to actually print out the Pico CTF portion of it that I want and Then I'll get the percent s in there and I'll percent it with our string that we have decoded from base 64 Okay Now we have a simple get flag script Not particularly necessary in Python because I did it from the command line one So I guess I don't know why I did that I'm using bash to just call Python, but simple stuff You could done that you could have done that in just Python if you wanted to and created a Python script just like that I I should have done that Cool, let's go ahead and run that redirect it to flag dot text Throw it in our clipboard so we can submit it for points and Keep winning cool. Hope you guys enjoyed this video. It's been fun I think the first set of the Pico CTF challenges are for someone that does a little bit of CTF stuff Like it is used to this kind of material this kind of content this stuff is pretty easy to run through and I'm trying to describe what I can and If you haven't seen before and hopefully I'm not jumping into too difficult of concepts or or being too quick on the keyboard for some Interesting things. Why is there a typo here? Krypto All right, I want to give a quick shout out to the people that support me on patreon. Thank you guys so much You're the best you are what keep me Motivated and a reason to wake up in the morning. Why does it always sound like I'm like depressed whenever I give this this? Thank you spiel one dollar a month on patreon will give you a special shout out Just like this at the end of every video five dollars or more on patreon We'll give you early access to anything that I release on YouTube before it goes live I need to be better, but actually getting some content backlogged and ready to be visible in there But hopefully that does not dissuade you from helping support I'm grateful if you did like this video, please you like comment and subscribe Link in the description is to join our discord server if you want to hang out with me other cool people It's really just a cool community full of CTF players programmers and hackers So if you want to hang out with any of us and tackle other catch-the-flag competitions Not just pico or even discuss more of pico now that the game is over It's a great place to do that. So thank you guys so much. Hope to see you on patreon. Hope to see you in the next video I love you. Bye