Hello and welcome to this part of the series. We're looking at the Capture The Flag 2018 from Google again. This was probably brought to my attention by a guy I subscribe to, LiveOverflow, and this guy John Hammond actually did a very good video on this particular one. We're looking at the first admin UI project, or challenge I should say, and he admitted that, you know, first of all I watched his video before I started this, but he said, you know, he got help, and he explained how it works, but he didn't really have the thought process of how you would get there. So I kind of, you know, walked backwards through this, and I'm going to show you a little bit more in depth how you might come about figuring out the things, and in fact, going through this in my mind, I actually found the flag a little different than he did. It's kind of in a different way. Anyway, again, part of my project here is to write a script, and that was also inspired by John Hammond here. There's a script that automates each one of these, so if you go to my GitLab, gitlab.com forward slash melex 1000 forward slash capital CTF, you can get all the scripts.

Let's go ahead. I'm in the folder from that project, admin UI, and I'm just going to run the script that's in here. What it's going to do is it's going to log into the server, pull out some information, it's going to spit out some stuff here, and it's going to bring me into a hex editor, because that's the next logical step for me, so you actually have to have hexedit installed for this next part to work. We'll talk about this a little bit more; actually I did use this and I found the flag, but it really wasn't because of this. I'll talk about that in a moment. Exit that with Control-C and it will give me the flag, which was found in the user's home. So how do we figure all that out?
So let's go back to the page here, and it's telling us again to use netcat to log into this. So the scenario here is basically an IoT device that you think you found a backdoor to; you log in, and let's go ahead and just do that. I'm going to use nc, netcat, to get in here. It's on port 1337. You have a few options in here. We can do one for access code, where it's asking for a password, which I actually haven't tried to be in, but I believe that's probably the flag we're trying to find. If you give the wrong one, blah blah blah, it's going to tell you, you know, that's incorrect and the authorities have been informed, and it's going to disconnect you, so we're going to reconnect. Obviously three is quit. The next option that we have that does anything is two, which is to look at the end user license agreement and patch notes, and really it's just patch notes. In here, you know, if you were to type something, it's going to give you an error here saying "no such file or directory", which is a sign that it's trying to read a file and the file name you gave does not exist.

So let's go. Accidentally hit one there. Let's log back in, we'll go to two, and if we do version 3, we're going to hit enter here and it's going to give us the patch notes, you know. So it's going to tell us that it's rolled back to version 2 because of random reasons. So basically they didn't update but went back to an update of version 2. The rest is kind of blah blah blah, it's fixing, you know, it's just made up stuff, but that's a hint: rolled back to version 2.
So if you go in here and we read through version 2, version 2 here actually says that there was a bug that they fixed, that fixed a transversal bug through paths, meaning that there was a bug that allowed you to get through to different directories from where you're at, which is exactly what we're trying to do. So again, if we're trying to read, we can try different things, so like we can try reading files that we know exist. So I can try, you know, the first thing I would try is try running a command, which isn't going to work, so just `ls`. I can try saying, you know, forward slash, which is the root directory, which you know can be considered a file, and it actually doesn't give us an error there, which is a little different than if you were to type `ls` or something; that doesn't exist. So now we know that it is seeing that as a file, but it's not printing it out. Okay. So let's go back into that menu and let's try typing in a folder name, so etc. Okay, now it's telling us that that file doesn't exist. Okay, so maybe it didn't see the root directory, and there are some files that are pretty much on most standard systems. But just to cut to the chase, you're not going to be able to give it a full path. What we want to do is transverse up through the directories, but we don't know how many directories we're in. So basically, if you start... let's go to two. If you start dot dot, dot dot means up a level, backslash, dot dot, up a level, backslash. I'm going to tell you now, you can try to figure it out by, you know, maybe trying to print out a file that you know, like fstab or the password file from etc, until you can figure out how many directories down you are, so you can transverse up that many, but really, if you go too many, that's fine.
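The point made here, that extra dot-dot segments past the root cost nothing, and the later guess that `../flag` worked because the menu program runs inside a subdirectory of the user's home, can both be checked with a small shell function. This is an added example written for this page, not the speaker's script or the challenge's code; the working directory `/home/user/notes` is an assumption chosen for illustration, and `is_within` is the defensive check a program that reads user-supplied file names would need (the kind of fix the version 2 patch notes claim).

```shell
#!/bin/sh
# Added example (not from the video): lexical path resolution, to show why
# more "../" segments than needed are harmless (".." at "/" stays at "/") and
# why "../flag" reaches /home/user/flag if the menu program's working
# directory is a subdirectory of the user's home. The directory
# /home/user/notes is an assumption used only for illustration.

# normalize_path BASE RELATIVE -> the absolute path the kernel would open,
# collapsing "." and ".." lexically (symlinks are not followed).
normalize_path() (
    set -f                      # no globbing while we split on "/"
    case $2 in
        /*) full=$2 ;;
        *)  full="$1/$2" ;;
    esac
    out=""
    IFS=/
    for seg in $full; do
        case $seg in
            ""|.) ;;                  # empty (doubled "/") or ".": no change
            ..)   out=${out%/*} ;;    # drop the last component; no-op at root
            *)    out="$out/$seg" ;;
        esac
    done
    printf '%s\n' "${out:-/}"
)

# is_within ROOT RELATIVE -> succeeds only if RELATIVE, resolved against ROOT,
# still lies under ROOT. A program serving "patch notes" should refuse
# anything for which this check fails.
is_within() {
    resolved=$(normalize_path "$1" "$2")
    case $resolved in
        "$1"|"$1"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Stand-alone demonstration.
normalize_path /home/user/notes '../../../../../../proc/self/maps'   # /proc/self/maps
normalize_path /home/user/notes '../flag'                            # /home/user/flag
is_within /home/user/notes '../flag' && echo allowed || echo blocked  # blocked
```

The resolution is purely lexical, so it reproduces the kernel's handling of `..` at the root but not symbolic links; a real check would resolve the final path with something like `realpath` before comparing it against the allowed directory.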
So really I think that we're three directories... actually, yeah, we're three directories in, because we're actually two directories in: we're in the home folder of a user, so we're in their home and their folder, and we're trying to find out the name of the folder we're in and the program that is actually running this menu program. But if you just give it a bunch of dot-dot backslashes, dot-dot backslashes, you can't give it too many. And I just timed out there, so let's go ahead and reconnect.

So real quick, I'm going to actually open up... So I'm on my local machine here, and this flag thing actually taught me a lot. This particular project, things that I kind of knew, didn't know a lot about, and one of the things that I really have always said that I need to know more about is the proc folder. So on a Linux system, and I guess most Unix and Unix-like systems, there is a folder in your root directory called proc, and proc is basically generated when the computer starts up, and it keeps track of everything, and everything is a file. So you can find out what processes are running; you can actually interact with things like LEDs and stuff on your computer, but you can find out a lot: memory usage, PIDs of applications, what files are accessing what. So real quick here, I want to give you an example. I'm going to move just into my temp folder. I'm just going to make something called, I'll just call it someflag, okay, just a little working directory for me. So top screen up here, you know, we're ignoring that for now; down here we're on my local machine, and if I was to cat out forward slash proc... actually, let's list out proc. I'm going to get very in depth here. Okay, so I'll make it full screen here. You have all these different folders that associate themselves with different processes and whatnot, but you'll notice that there is a folder in here, and it's actually, you know, so the color here.
Let's go ahead and do forward slash proc forward slash self, and when we do that you can see that it is pointing to one of these directories. Let me go ahead and open up another shell here and run that same command. You notice it's pointing to a different directory, and I go back up here, run that again, it's a different directory, and actually I didn't need to split them to show you that, because it's not the shell that I'm in. Basically self is pointing to the directory here, which I believe is the PID, the process ID, of the current process that you're running. So every time I run `ls` I'm starting a new process, and that self is going to direct it to that process. So if we're inside an application and we cat out files inside this self folder... because we don't know which one of these, you know, on that system, which one of these folders is going to be that menu application. That's what we want to find, but if we're inside that application, that application is able to cat stuff out, and it's going to show us, if we use self, the information for that application. So I'm going to try to clarify that a little bit more. I'm going to make a quick shell script here. Let's call it go.sh, you know, a bash script, and I will cat, um, forward slash proc forward slash self, and then within there there is a file called cmdline, okay? And actually if I run this it's not going to give me the information about my shell script, because this is a script; a script is basically, you know, a plain text file that's executing a command. It's just a series, man, it's a script, a script of what to do, okay? So we're going to run that, and what it's going to do is actually it's going to tell me `cat`, and it's not going to put a newline character. So if I do that, it's a little confusing the way this is set up here, but basically it's telling me my command is `cat`. That's one of the places you can look. There's actually another option in here. If we go back here, self forward slash maps, I believe it is, and I'm not listing it.
I want to cat it out. It's actually telling me, you know, what program I'm running and what files it's linked to; it's dynamically linking to these lib files. So I know the name of our command and what we're running, so I can actually look in either of those files from within our menu, because we know that we can cat out files from within the menu. So again, the script that I ran is running fine. Now if I make a C program, so let me do that real quick. I'm going to Vim main.c, and I have some Vim shortcuts here, so I'm just going to type CDCC and put in a little template here to read a file, and right here if I just take this and... oh, this is my... did I pick the wrong one? Or did I mess up my template here? Let me see real quick. Okay, I did; fixed that real quick. My templates were backwards; my read and write templates should be right now. C is not my best programming language, one of the reasons I have some templates for this. But I'm going to come in here, I'm going to type GCC and put in my template for reading a file. Okay, and by default I'm just going to have it read this file that we're in right now. Let me clear out these empty lines down here. So come out, I can say `gcc` the main file here, and I'll put... I'll just call it main. Now if I run main it's going to output that C code file. Let's go back in there, Vim, and we will say forward slash proc forward slash self forward slash cmdline. Now if I recompile it and run main, it's going to output that proc file, which the self is now going to link to this program. I hope that makes sense. It's going to run that, and basically it just outputs the name of the program we're running. I hope that makes sense. So like if I was to rename it, move main to blah blah blah, and we were to run blah blah blah, now it's going to tell me the name of the file is blah blah blah. Okay, and that's what we need to know for our project here.
So let's go back into this, go to two. Now if I go dot dot backslash dot dot backslash dot dot backslash dot dot backslash, just a number of times to make sure we go back far enough, then we go proc forward slash self forward slash cmdline, it's going to tell me the program that we're currently running in, which is saying `./main`, which actually doesn't help us too much. So I think what I ended up doing, and I should really be looking at my script here, I'm going to do again dot dot backslash dot dot backslash dot dot backslash dot dot backslash proc forward slash self forward slash maps, and right here you can see, yes, that was a better option, because the other one's showing the command as it's run; this one's showing the full directory. So now we know what the root user, or not the root user, but the user we're logged in as is, which is user, and what binary is running. Now the next step I did in this whole process was, and if we quit out of this, if we look at my script again, so we log in and I did the whole proc self maps thing, and then I grepped through that to get the root directory, the name of the file that we're in, which is home user main. And then here what I ended up doing is I actually dumped the entire binary and looked for the strings flag, CTF. So let me go ahead and just copy that and run that one command.
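The two proc files compared in this part, `cmdline` and `maps`, can be read for any PID, and the "self" behaviour the video demonstrates with the C program shows up the same way in a shell. The functions below are an added example for this page, not the speaker's go.sh or his C template; they assume a Linux host with /proc mounted, and the `exe_from_maps` helper relies on the main executable being the first file-backed mapping listed, which is how the kernel lays out a normal ELF process.

```shell
#!/bin/sh
# Added example (not from the video): reading /proc/<pid>/cmdline and
# /proc/<pid>/maps for a given PID, and showing that "self" names whichever
# process opens the file. Assumes a Linux host with /proc mounted.

# cmdline_of PID -> that process's argv, with the NUL separators turned into
# spaces. The file stores argv[0], argv[1], ... each followed by a NUL byte,
# which is why "cat" printed it with no newline in the video.
cmdline_of() {
    tr '\0' ' ' < "/proc/$1/cmdline"
}

# exe_from_maps PID -> full path of the program binary: the first file-backed
# mapping in maps (the main executable is mapped lowest in memory).
# This is what /proc/self/maps revealed as /home/user/main in the challenge.
exe_from_maps() {
    awk '$6 ~ /^\// { print $6; exit }' "/proc/$1/maps"
}

# self_from_maps -> the same lookup through /proc/self. The process that opens
# the file here is awk, not this script, so awk's own binary comes back; only
# a compiled program reading the file itself (like the main.c demo) sees its
# own path.
self_from_maps() {
    awk '$6 ~ /^\// { print $6; exit }' /proc/self/maps
}

# Stand-alone demonstration: "$$" is this shell's PID.
printf 'this shell:    %s\n' "$(cmdline_of "$$")"
printf 'shell binary:  %s\n' "$(exe_from_maps "$$")"
printf 'via self:      %s\n' "$(self_from_maps)"
```

From a defender's side the same two files are what you read when triaging an unknown process: `cmdline` tells you how it was invoked, `maps` tells you which file on disk is actually executing, and a mismatch between the two (or a mapping whose path is marked deleted) is worth a closer look.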
So what we're doing here is I'm actually echoing in the number two. So the number two is saying select, you know, it's like typing two, which is read the license agreements and patch notes, and then backslash n with this dash e over here is saying enter, and then we're running this command right here. So basically we're going to be catting out the main file there, and then we're piping that into netcat, waiting three seconds, and then we're going to run the strings command, which, the strings command, if you pipe in binary information, is going to strip anything that's not an ASCII character away from that. So basically that leaves us with plain text, and I'm going to then grep for both the keywords flag and CTF; the dash i says it doesn't matter what the case is. Let's go ahead and run that. Boom, and you can see that we get a number of things out here. This here looks interesting, but I'm pretty sure I went there and didn't see anything there, and there's the flag. So the next step I took, again I'm just walking you through the process of this, of my mindset: hexedit. I dumped that whole file into a file called temp. So here I hit tab to come over here into our column to the far right, I'm going to hit forward slash flag, and I saw this thing. It said patch notes forward slash flag, and now it looks like there's a dot there, but that's not a dot. These are empty space. So look, if I move my cursor, my cursor's over that dot now; if I hit tab it moves me back and forth, so I'm over here now, hit tab, I'm over here. Notice my tab on it, the same character, it says zero zero. There's a lot of zero zeros. Those are null characters, not a dot, not a period. If I was to hit period here and then go back over here, you can see it no longer says zero zero, it says 2E. So don't be confused.
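The offline half of that pipeline, the `strings | grep -i` filter and the point about null bytes looking like dots in hexedit, can be reproduced without the remote server. This is an added example written for this page, not the speaker's script: the `cat main | nc` step is replaced by a constructed sample file, `strings(1)` is rebuilt from `tr` and `grep` so it runs on any POSIX system, and `od -c` is used to show the NUL bytes explicitly. Every byte in the sample, including the flag-shaped string, is made up for illustration.

```shell
#!/bin/sh
# Added example (not from the video): the offline half of the
# "cat binary | nc | strings | grep -i" pipeline. A constructed sample file
# stands in for the dumped binary; strings(1) is rebuilt from tr and grep;
# od shows why a hex editor's dots are really NUL bytes. All values are made up.

# make_sample FILE -> write a constructed binary-looking blob: printable
# fragments separated by NUL and other non-printable bytes. The "flag" is a
# placeholder, not the real challenge flag.
make_sample() {
    printf '\177ELF\001\002\003patchnotes/flag\000\000\000CTF{placeholder-not-real}\000\001\002main.c\000' > "$1"
}

# printable_strings FILE [MINLEN] -> runs of at least MINLEN printable
# characters, one per line, which is what strings(1) does by default (4).
printable_strings() {
    min=${2:-4}
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E ".{$min,}"
}

# flag_hints FILE -> the case-insensitive keyword grep from the video.
flag_hints() {
    printable_strings "$1" | grep -i -e flag -e ctf
}

# nul_count FILE -> how many NUL bytes the file holds. od -c prints each one
# as \0, where hexedit showed 00 on the right and drew a dot on the left.
nul_count() {
    od -An -c "$1" | grep -o '\\0' | grep -c .
}

# Stand-alone demonstration.
sample=$(mktemp)
make_sample "$sample"
flag_hints "$sample"
printf 'NUL bytes in sample: %s\n' "$(nul_count "$sample")"
rm -f "$sample"
```

The minimum length is the same knob as `strings -n`: lowering it to 3 surfaces short fragments such as `ELF` that the default of 4 hides, at the cost of more noise.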
That's not a dot. So the first thing I did was I checked the root directory for .flag and the root directory for flag, and then I checked the home directory for .flag and the home directory for flag, and I did end up finding it in the home directory under flag, which I thought that I got from this here, but really I think that was just luck and really just common sense on an easy project like this, to, you know, check for that file in those locations. So again, just walking through my mindset here. If we were to netcat back into here, let's go ahead and just... remove all this stuff. So again I'll go to two, and I'll go, you know, just a number of these, doesn't matter as long as it's more, you know, than I need, and then I say home forward slash user forward slash flag, cats out that file, and here is our flag. So that was my process getting through it. Obviously the steps are a lot easier just doing it, but I hope that my explaining of my thought process on how I went through all this gives you a little more idea on things you can do, and hope... I mean, I learned a lot on the proc folder. I was unaware of that self folder. I've played around with proc before and going into processes and stuff; I did not realize there was that symbolic link of self that associates itself with whatever program you're running. So with that, now I think that John Hammond did something, he, when he found it, I think he just did dot dot slash flag. Yeah, and that works too, which confuses me a little bit, because that's moving up one directory, but I should be in the directory... Well, I guess, that, you know, let me see something real quick here. Oh, I really don't know what folder; I can't really search the files here.
I'm assuming that when the program starts it's going into a subdirectory where these licenses are, and that's why you're dot dot slashing up to get into the flag, because if the main program, this menu program, didn't change directories when it started, you should be able to do flag and run it. But since you had to do dot dot forward slash flag, the program must go into a subdirectory, I would assume, which is probably where the text files for these version notes are. So I'm not really sure how he got dot dot forward slash flag, and I'm not sure if he's sure how he got that, but that's why I had to go through this with myself, with my mind, and figure out how do I figure out all this stuff, and the whole proc maps was something very useful. But again, knowing that you have to use that self folder on the proc for the current folder, the current command running, is something new, and that's probably going to come in very handy playing around with programs like this in the future. I'm surprised I'd never come across that before. Anyway, again, films right Chris calm, that's Chris decay, there's a link in the description there; you can search through all my videos. Let me go there real quick. You can also go to Support if you want to support me; also check out the little links in the description of this video, patreon.com forward slash Melix 1,000, if you'll become a patron of mine. If you'd rather, there's a PayPal link here; you can do one-time or recurring payments. I appreciate the support. If you can't support financially, think about supporting me with likes, shares, comments, subscribing, that stuff, you know, I hope helps; they say it helps. And, you know, hopefully I'll figure out a few more of these capture the flags and get you a few more of these videos out. I do thank you for watching, and I hope that you have a great day.