Hey YouTube, my name is John Hammond and this is a video write-up for the challenge "shellcode" from picoCTF 2018. So this is worth 200 points; it got mediocre solves. I think it's a minor exploitation challenge. We've seen this before in picoCTF 2017. It doesn't seem to be too difficult; it's just a matter of finding some proper shellcode. So if you don't know what shellcode is, you could simply Google it, but it is just, kind of, essentially machine code, right, or like opcodes, Intel processor instructions, or compiled bytecode to do things, to actually make a program do something else that it wasn't intended to do, like properly give a shell, usually. That's why it's kind of called shellcode, but it can do other things, right, just making it do something else.

So: "This program executes any input you give it. Can you get a shell? You can find the program here in the source code on the shell server," blah blah blah. So you can download the stuff. I've got it downloaded here, and we can mark it as executable if we wanted to, and then we can actually check out the source code. So, not really all that interesting; we just know the... okay, it's gonna go ahead and execute whatever we give it in a buffer, like as if it were code, as if it were compiled instructions. So let's try and see if we can track down shellcode. We want to get a shell, right? So a resource that I use for this is shell-storm.org, and their shellcode archive actually has just a page for a lot of interesting stuff. Let's say we're working on Intel x86, right, but we are working on Linux, so let's find something that will execute /bin/bash or /bin/sh or whatever the case may be, something that will actually go ahead and give us a shell. There are a lot of options here. I like to have something that uses -p, so it keeps privileges just fine, and let's look for that.
Let's just look for -p. /bin/bash, /bin/sh, -p... that one will probably work. Yeah, oh, execve /bin/bash -p; that one's perfect, 33 bytes. So what we care about is this hex, right, the actual machine instructions and opcodes and assembly. So let's go ahead and paste those into Sublime Text. I'm gonna cut out those newline characters and quotes and all the spaces as well, so that way we just have that in Python. And then what I will do is I will have Python print that out, so I'll use print, paste it in here, and then that's essentially running /bin/bash. Let's go ahead and give that to the vuln function, and it says "thanks, executing now," but it closes right away. So why is that happening? Well, we aren't capturing, kind of, the input that bash or the shell is waiting to receive. So what we can do is we can actually execute our payload and then, immediately following it (so I'm gonna wrap these in parentheses, right, these commands here), immediately following the execution of our payload we'll open up cat, or we'll run cat, so standard input will remain open and that stuff will actually go to the bash shell. So I can run ls, I can run whoami, and you can see we're getting our commands back.

So now this is happening on our local box. We want to be able to see how we can get it on the shell server. So what we'll do is go ahead and connect to it and move to that directory. I've got that SSH script that I created earlier, so I can simply run that and log in. I might have mistyped my password. Yep, I did. I'm sorry. I fail. I'm John Hammond the fail. Well, let's change directory there, and let's copy and paste that payload that we have here. We've got vuln, and we can just run that payload, and now we're executing bash. Run ls, see whoami; I'm still the user, but I have the privileges to now read that flag.txt file, and we've got the flag. So that's simple, right?
We've kind of done that before in picoCTF 2017; it's just a matter of tracking down shellcode and knowing what will do what, what will actually kind of work for us. I've tried to use pwntools before to generate some shellcode, but I never seem to get it right. I think there are some tricks and tips to actually make that happen and make it do the right thing, but when I just need to grab a shell and I don't have a huge limit on the amount of bytes I can put in, I just use shell-storm because it's an awesome archive and a really good resource for a crap ton of shellcode.

So, hey, before I go, I do want to give a shout-out to the people that support me on Patreon. Thank you so much, guys. One dollar a month on Patreon will give you early... whoa, sorry, I was gonna say the wrong thing; I was gonna say the next one following that. One dollar a month on Patreon, I'll give you a special shout-out just like this at the end of every video. It's not a lot, I know; it's a small incentive, but hopefully it makes you feel like a good Samaritan, just a cool dude, a nice guy; get those warm fuzzy feelings in your heart, helping out another guy just trying to make it in the world or something, I don't know. Thank you, I appreciate all your support. Five dollars a month on Patreon, as I said, will give you early access to every video that's released on YouTube before it goes live. So I like to try and backlog some stuff and then upload them to YouTube to be released, kind of scheduled on a schedule basis, like maybe daily or whatever other timeline. So if you want the content immediately, right when it's ready, it's just five dollars, and it certainly helps me out. I'm grateful for whatever you're willing to provide.
Thank you. Hey, if you did like this video, please do like, comment and subscribe, and join our Discord server; link in the description. It's a cool community full of CTF players, programmers and hackers. We're already playing a lot of games just like this. picoCTF is gonna remain online as a wargaming... just a place to practice your skills, so don't stop playing and just get better, man. That's awesome; it's all about learning. That's what the Discord server is for: just everyone to learn and just improve ourselves. So hey, thanks for watching. I hope you didn't... oh my God, what's going on?
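The manual step in the video (pasting the shell-storm listing into an editor, cutting the quotes, newlines and spaces, and counting bytes) is done by the helper below. This is an added example, not code from the write-up or from shell-storm; the listing it parses is a constructed filler placeholder, not real shellcode, and the `describe` report (length and NUL-byte check) is my own addition.

```python
import re

# Regex for one C-style hex escape such as \x31 (hex digits, either case).
_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def cstring_to_bytes(listing: str) -> bytes:
    """Convert a shell-storm style C-string listing to raw bytes.

    The listing may span several lines, each wrapped in double quotes;
    quotes, newlines and spaces are dropped and only \\xNN escapes kept.
    """
    # Strip the quotes and whitespace the video removes by hand.
    stripped = re.sub(r'["\s]', "", listing)
    # Whatever remains must be \xNN escapes only; leftovers mean a typo.
    if _HEX_ESCAPE.sub("", stripped):
        raise ValueError("listing contains text other than \\xNN escapes")
    return bytes(int(h, 16) for h in _HEX_ESCAPE.findall(stripped))


def describe(payload: bytes) -> dict:
    """Report what a solver checks before pasting a payload: its byte length
    (the video's pick is 33 bytes), whether it contains a NUL byte (which
    truncates input read as a C string), and the escaped form for print()."""
    return {
        "length": len(payload),
        "has_nul": b"\x00" in payload,
        "python_literal": "".join(f"\\x{b:02x}" for b in payload),
    }


# Constructed placeholder listing in shell-storm's layout. These are NOT
# real shellcode bytes, just filler chosen to exercise the parser.
SAMPLE_LISTING = '''"\\x90\\x90\\x90\\x90"
"\\xcc\\xcc"
"\\x00\\x41"'''

if __name__ == "__main__":
    raw = cstring_to_bytes(SAMPLE_LISTING)
    print(describe(raw))
```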