Yep, so as everyone knows, this is going to be an information session about CTF tools, hopefully to help you guys with the in-class CTF on Tuesday. We haven't seen the challenges, but judging by what we know about Professor Dupay, we can probably guess some of the tools you guys will need for this. All right, so you guys know I'm Gabe, and then there's Proof. And yeah, I'm Proof, I'm gonna be answering all your questions in the chat, and I'll try my best to keep up with the chat as well.

All right, so slides. So overview: we're gonna go over quickly setting up your Linux virtual machine, just from some of the questions I got from the in-class CTF last Tuesday, and then we go over netcat, pwntools, strace, ltrace, Ghidra and ROP.

Okay, so I recommend that you get a full-blown Linux machine, so either use VirtualBox or VMware. I usually just got a license key off eBay for VMware; I think it just runs smoother, but you don't really need it. And another tip is make sure you guys stay organized. There's gonna be plenty of challenges, so it's imperative you stay organized. The way I always organize it is I just make a folder called CTFs, and then I name a directory for each challenge, and then put in my notes, the flag itself, and whatever binaries and stuff that's downloaded for it.

Okay, so you will need Linux. This is an issue that came up from some students from the last CTF. So if you try running it through the Ubuntu subsystem it's not gonna work, and if you try running it on macOS it's not gonna work. The reason why is because we're using 32-bit binaries and they're compiled on Ubuntu, so you're gonna need that operating system to actually execute those executables. Uh, I think the reason why the Windows Ubuntu subsystem doesn't quite work very well is because it's not a full-blown Linux machine, but I'm not 100% sure. It's just not gonna work though, as you can tell by
these screenshots.

So then there's my setup. I just set up a VirtualBox and SSH into it. You guys can just read the slides and send me emails or questions if you have more questions on the way I set up. I use the Ubuntu server version just because most of the things you're gonna do are command line, and it saves on battery life, it saves on your hard drive memory. Like, I don't have a potato for a computer, so I don't have hard drive memory to spare.

Okay, so the first tool we're gonna be going over is netcat. So basically netcat is for reading and writing to some sort of network communication. You're probably gonna need to use this because the challenges are probably gonna get harder, so other CTFs will have netcat challenges. So I will just show a simple example. This is from picoCTF 2019, and it basically just says to use netcat to connect to this host at this port. This is a really simple challenge, like this figure. So we'll just do nc, for netcat, 2019shell1.picoctf.com, and then the port is 47229, and we just run that. And as you can tell, this is also my Linux virtual machine. Okay, so normally this would work; the problem is the challenge changes the ports around for the different users, but that's basically what you're gonna enter in your command line, and you'll get this. So I highly recommend doing the picoCTF 2019 general skills challenges to help you on the in-class CTF coming up Thursday. So yeah, so much for live demos, they don't normally work out. So yeah, if you go on the Piazza post there's a download link with a lot of the stuff we have on the slides.

All right, so as Professor Dupay went over in class, the big tool that he went over is pwntools. So the reason why we're going over this is because basically pwntools is a Python library toolbox that optimizes CTFs.
Here's a link to download it. It automates challenges, which you'll see an example of coming up, and the reason why we're teaching this to you is because you guys might have some crazy, ridiculous challenges that you don't want to do by hand, because it's pretty tedious, or when an interactive shell isn't available. So like your assignment six, all the challenges you can complete when you SSH into the server, but the upcoming in-class CTF might not let you do that, and that's why we're teaching you netcat and pwntools. It's just real fast, so that you don't have to read through the crazy amount of documentation on it. So these are the functions you're really going to be using and care about: it's gonna be process, remote, recvuntil, sendline and interactive. So basically when we go through the example this will make more sense, but everything you need is on the slide. Those are the big ones that you're gonna worry about.

So the first example is gonna be Land of Sums. It was originally called dank examples; this is from Mahalas from the Pwn Devils. We're gonna just run Land of Sums. Oh, and another reason why pwntools is also pretty useful is because sometimes you might not get source code. So for some challenges you get the source code, and for others you might not. So for instance the Land of Sums example that we're going over, that I posted on the Piazza post as well, there's no source code for it, so you guys aren't gonna be able to read it. So instead we're gonna run it and see what happens. So it looks like a pretty simple, easy one: add these two. So that's 69 plus 25, so 94. That's it. Okay, we won. Awesome, pretty easy, right?
Well, the problem is, what happens if this challenge does this a hundred times with random integers? Are you guys gonna spend a whole hour of class hand-jamming, adding every single integer together? I really hope not. So yeah, we're gonna need to find a way to automate this. So I already gave you guys the solution to this, just so that you get an idea of how to use pwntools. Yes, okay, cool.

So we're just gonna go real fast over what this code does. I was gonna do a lot of demo, but I really don't feel like typing anything. So if we go back to these slides, the first one is process. So for this example we're targeting a binary on our local machine, but later on you guys might have to target one on a server, and that's what remote is for. So for this example we're using process because we have the binary on our machine, but for other challenges you're probably gonna use remote, and then there'll be a given URL and then a port number. There's another example in the slides later on that will show this. So the first thing we're gonna do is we're gonna get standard out. This print statement is just here. So the first thing is this process: it just targets the local process, but you're most likely gonna be using remote for the other challenges when you have to do it on a remote server. And then we're just gonna do recvuntil, because in our example we need to get the program to read in until a certain point, so we're just gonna read up until this "please add", because that's all there is. And then next we're gonna receive, and it accepts a byte amount, so for this case we use 1024, and then we're gonna decode it into ASCII, and then we're gonna parse the two integers.
So that's why we're calling these nums, because that's where we're getting the two integers, 69 and 25. And then basically here we're gonna actually do the arithmetic and then print out the sum, and then finally we're gonna do sendline to send it back to the program itself, and then we receive everything else afterwards. And that's basically how it gets run down. Does anyone have any questions, or is anyone getting confused about that?

But yeah, so it'll just look like this. So this probably won't be able to run, just because I updated my server, but yeah, so you're gonna run rock paper scissors and it's gonna say this. It's gonna ask what my hacker name is; I just typed in Mr. Robot. And then so I guess this challenge says what the robot thinks you're gonna choose, so in order to beat it: it thinks you're gonna choose paper, so it's probably gonna choose scissors because it thinks you're gonna choose paper, so therefore you should choose rock. So hence that's why I chose rock, and then we won, and then we keep going. And then if you see up here it says win a hundred games. If you get a challenge like this in class, I really hope you and your teammates aren't playing this a hundred times, especially since it's just gonna get a little ridiculous. So towards the end here, if you choose something that's wrong, you'll just crash the program and just start the hundred times again. So this is why pwntools is so useful, to automate this, and sorry, I'm not providing solutions for it.
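As an added example, not code from the session or the slides: a pwntools-style solve loop for the Land of Sums pattern just described (recvuntil the prompt, recv a chunk, parse the two integers, sendline the sum, repeat until the program stops asking). The prompt wording "please add A + B" is an assumption about the challenge's output; the real binary's text may differ, so the regex is the part to adjust. The I/O uses the pwntools functions named in the session (process, remote, recvuntil, recv, sendline, interactive), assumed installed; the parsing helpers are plain Python so they can be checked without the binary.

```python
"""Automating a 'please add A + B' style challenge with pwntools (added example)."""
import re
import sys

try:
    # pwntools is assumed to be installed; the parsing helpers below do not need it.
    from pwn import process, remote
except ImportError:
    process = remote = None

# Assumed prompt format, e.g. b"please add 69 + 25 = " (constructed; adjust to the
# real challenge's wording if it differs). Negative integers are accepted too.
SUM_RE = re.compile(rb"(-?\d+)\s*\+\s*(-?\d+)")


def parse_sum(chunk: bytes):
    """Return the two integers found in a prompt chunk, or None if no 'A + B' is present."""
    m = SUM_RE.search(chunk)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def answer(chunk: bytes) -> bytes:
    """Compute the reply for one prompt chunk, as bytes ready for sendline()."""
    nums = parse_sum(chunk)
    if nums is None:
        raise ValueError("no 'A + B' found in: %r" % chunk)
    return str(nums[0] + nums[1]).encode()


def solve(io, marker: bytes = b"please add", timeout: float = 2) -> int:
    """Answer prompts until the program stops asking; returns how many were answered.

    `io` is a pwntools tube (process() or remote()); recvuntil()/recv() return b""
    on timeout, which is how we detect that the prompts are over (flag or exit).
    """
    answered = 0
    while True:
        if not io.recvuntil(marker, timeout=timeout):
            break
        chunk = io.recv(1024, timeout=timeout)
        if not chunk:
            break
        io.sendline(answer(chunk))
        answered += 1
    return answered


def open_target(argv):
    """process() for a local binary, remote() for host and port, as the session describes."""
    if len(argv) == 3:
        return remote(argv[1], int(argv[2]))
    if len(argv) == 2:
        return process(argv[1])
    raise SystemExit("usage: solve.py ./binary | solve.py HOST PORT")


if __name__ == "__main__":
    io = open_target(sys.argv)
    print("answered", solve(io), "prompts")
    io.interactive()  # hand the session back to you so you can read the flag
```

Run it as `python3 solve.py ./land_of_sums` locally or `python3 solve.py HOST PORT` against a server; the loop ends on the first timeout after the last prompt, and interactive() then shows whatever the program prints next.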
This is something for you to try at home. I think it's a pretty cool challenge too. It also just mentally prepares you, like, you know, not all challenges are some crazy binary reversing stuff.

All right, and then finally for our third one, you could play this on pwnable.kr. It's a simple buffer overflow. Professor Dupay actually made a video on how he beat it, but this just gets back to the whole thing that you might not be able to get the binary, you might not be able to download the binary to your local machine and exploit it to get the flag. Similar to your assignment six, where you can just run basic overflow and then run your payload and get the flag, for this you might have to use some sort of automated tool like pwntools to send your payload to the specific server it's on. So I challenge you to do this on your own as well before you look at the solution, and then Professor Dupay has a good 10-minute video of how he goes over it. So it's just like Bandit: if you guys cheat, I don't know, you won't learn anything, but yeah.

All right. So finally we're going to go over reverse challenge tools. So that's the RE in the challenges from last Tuesday, if you remember. So this is specifically challenging because this is when you don't get the source code; you just get the binary, and you know, there's no .c file for you to look at. So these are some tools I usually run on reversing challenges. So the first five on the left are what I normally run for enumeration, which just means my little process. So the first thing I always run is just file, because file will tell you what kind of file it is. It'll tell you what kind of executable it is, so like if it's a Linux-based executable, or 32-bit or 64-bit. And for this class I'm 90% sure we're only sticking with 32-bit.
So you don't have to worry about any higher, crazier ones. And then next is just run strings, like your print statements will have strings in them, and that will just find the strings in the file. Then you got ltrace and strace, which we'll go over soon; gdb, which I did a review session about, I think two weeks ago now; and then Ghidra, which we'll go over in this information session. And then there's also objdump, readelf and binwalk. You guys could look those up and try them out yourself, but these are really good tools for reversing challenges. It just helps you gauge what kind of file they are and how you can try to read into it.

So this is just what strace will look like. So this a.out is just a simple hello world application, and this is just showing you what your output is. So strace just stands for system trace, and it will trace all the system calls and signals, like you see all this garbage that I will not know what's going on with. But it just goes back to how, when programs execute, they're doing a lot more in the background than you think. And then this is ltrace, library trace, which I find myself using more, just because you could see it traces the library calls. And so this simple program is just a hello world app, and there it is. So like the printf function is a library function, right? It's just standard input/output, and it just shows you, oh, it just got called. So those are some useful tools. I would refer back to this slide and try these different tools to look at your reversing challenges come Thursday, or Tuesday. Tuesday, right? Yeah.

All right, so now we're gonna go over Ghidra. Oh, okay, there it goes.
Okay, so it is a reverse engineering tool by the NSA. It supports x86 assembly, perfect because that's what we're working on. It's free. It runs in Java, so it's cross-compatible. And then so when you download it, it's gonna be saved like this, so you just double-click it and it opens, or you can just do ./ on Linux machines. For Mac users, you're gonna get this warning, so you gotta go to the security preferences and click open anyway.

All right, cool. So this is just gonna be a fast one, like the same hello world application that we had earlier. So yeah, this one's super simple, just so you get to see what the program does in Ghidra. So just double-click on the executable; it runs in Java, so it's cross-platform. So just let it load up. So we're gonna do new project, and we'll just call it temp2, or temp1 or 2 for now, finish, and then you're gonna click the little dragon icon to open it up. So all you gotta do is just do File, Import File, and I just did that. And so for this one it's just a.out, that's just hello world. So you click select to import. It kind of has its own, you know, it'll run file, and I can see that it's an executable, x86 Linux. Okay, and then it's gonna say it hasn't been analyzed yet, so you want to analyze it, click yes. And then I always check the box for decompiler parameter ID, and you'll see it just helps with the naming of variables, and you'll see why in a minute. So cool. Uh, yeah, so it looks really crazy, really intimidating, right? So oh, and then you finally scroll down to where it says function, and you could finally see some stuff that we've kind of reviewed in class. It's like you got your sub RSP, so stack pointer, and then some stuff. So this is how you could read the assembly; you can always use objdump, but for this case, just so we could speed it along, we're just gonna go to the symbol tree and we're gonna go to filter.
So most programs, I would almost say all of them, but most programs have a main function, right? So we're just gonna search up main, and of course we got a main function. So hop on that and it'll jump to where the main function is located, and then on the right here you can see there's a decompiler for you. That's freaking awesome. Like, there you go. So we could see that this program is main, and then takes in nothing, and it calls printf, return zero. And as you can see, you could click around your decompile and see in the assembly where it's at. Um, I would not take this as gospel; Ghidra is not perfect, it's doing its best, but for these simple applications, and hopefully the CTF problems, this should be plenty for you guys. You should learn the basics of how to read x86 for this class, but as you can see, Ghidra and these types of tools kind of help with that. So that's the super easy example for it, a hello world, and then all these are on the slides as well, so you don't have to just watch my recording. So that's opening a project, importing the file. Make sure, I always like to do the decompiler parameter ID, you don't have to. And then so like, yeah, every program has a main, so we're gonna search for main and then we'll start from there, and then from there you can jump to different functions. So now I'm gonna pass it along to Proof for this example. This is from a crackme, and there's also a YouTube channel that kind of explains how to go on with this. So I'm gonna stop sharing.

All right, so I'm gonna show you guys how to break one small challenge in Ghidra. So I'm gonna open up Ghidra. So like I said, in Linux you have to do the ./ for the executable to run it; in Windows and Mac I'm pretty sure you just double-click and it'll open it for you. All right, so I think that it's this challenge over here.
That's correct. All right, so it asks me if I want to analyze it and I'll hit yes, and then I'll click this one, and then you don't have to, but I'm gonna check this and then hit analyze. All right, so I think it has analyzed the binary now. The first thing we want to do is search for the main function, because most binaries have a main function; that's the entry point to the program. All right, so once we click on that, we're gonna get something like this. So this is the disassembled code of the binary, and this is the decompiled version of it. So the first thing I usually do is I change the default signature of the main function, because as we all know, most programs start with this. So as soon as I hit okay, it's gonna change a lot of variables, as you will see in there. So as you saw, it changed a lot of things in there. Again, so if I do undo... So the first thing you notice is there's a variable that's being initialized, and then there's an if condition. So if you read the if condition, it says argc equals two. So what does that mean?
It means two arguments are supposed to be provided in order to enter this if condition, or else it's just going to exit the program. So the first argument is always the name of the binary, and then the second argument is what you enter in as an argument. So the first variable, it says strlen argv. So this is the length of the string that the user inputs when he or she runs it in the terminal. So I'm just going to rename this to make it even more clear, to input length. And as you see, it changed the variable names in all the different instances it occurred. So the next thing we are gonna see is... so our goal is to print the flag, right? So we're just gonna start from the beginning and then try to go into the condition where it prints a flag. So the next thing we see is if the length of the input is 10. So we know that the length of the input is supposed to be 10 in order to get the flag. And then the next thing is if argv[1][4]. So this means the first argument... the second argument, so the first index, its fourth index is supposed to be an @ in order to reach this condition. So let's try running the binary by fulfilling all the conditions given in there. So as you see, if we don't enter anything, it wouldn't work. So what we need to do is fulfill all the conditions in there. So we need to do ./rev, and then the length is supposed to be 10, so we could enter anything like abcd, but we need to make sure the fifth character is an @. So I'm gonna enter that, and one two five six seven, and there you go, there's our flag. So that's how you reverse engineer a binary and get the flag. So I think Gabe will show you the next binary that I created.

All right. So, yeah, that's a pretty simple one. So once again, everything's in the slides. So just to recap: he's just renaming stuff. You can also double-click the function and see what it does, and you can just see it's just a message that's like "use it failed".
So, and then you can also click back to go back to the function, and then basically you're gonna read some code, because yeah, reading, that's what we do in this class, right? Because we look at code and how to hack and break it. So yep, so there's my payload, I just use A's. And Proof actually created this awesome take-home trial for you guys to try out. It's called crack this 32; I'm guessing 32 stands for 32-bit. It's in the same folder, and I challenge you guys to use Ghidra and do a similar approach and try to find the flag yourself. If you guys need help with the solution, just hit me up on Discord. It's true, it's given there. Yep. All right. Yeah, and then we'll also be staying after the session for half an hour, so you guys can hit us up with questions and stuff. I know there's a lot. So all right.

So I know this is a really complicated topic, so I'm gonna go over ROP. So let's do it. So first off, you have to understand buffer overflow before you can understand ROP, unfortunately. So the thing with buffer overflows is this vulnerability has been out since C came out, right? So we have created mechanisms in place to prevent people from overflowing the buffer and doing stuff they're not supposed to. So some of the things that we made were NX, which is no-execute, and DEP, data execution prevention. So basically, when you fill up your buffer with A's and try to run some sort of shellcode, like your own code (when we're talking about shellcode, it's your own, right), it just says, oh hey, why is this program trying to execute another program from the stack? Don't. And it just kills the program.
So that's what NX and DEP do. And then there's ASLR, which we talked about in class, where basically the memory keeps moving every time you run the program, just to prevent you from ever finding where your buffer is and then writing a bunch of A's into it and hopefully overflowing the buffer. So the problem with that is you have to keep running the program to brute force it, right? So instead of the stack, what ROP does is we're gonna target the registers, and I think that's really cool. So the big idea of ROP is you're chaining a bunch of gadgets to execute code. So the big thing with this to understand is it's a code reuse attack: you are limited to the instructions in the binary. You cannot input your own shellcode with this. That's the difference between ROP and a buffer overflow. So remember, shellcode is your own code, code that you're trying to inject into the program to make it do stuff. With ROP you're limited to only the instructions in the binary. So that's why it's really important you understand that too. So if you remember from your 230 class, which I don't think many of you guys do, pop places the top of the stack into a designated register. So when you pop EBP, the base pointer, it'll pop it off the top of the stack into the register EBP. So that's just a recall from 230. I know some of you guys are like, I don't remember this, registers, yeah, I have to deal with those again. Yeah, for ROP you do. So think of gadgets as instruction groups that end with return.
So if you remember in assembly the return instructions, that's what we're gonna be exploiting, so hence that's where the return part of return oriented programming is. So we're gonna be utilizing those return instructions, and then we get the arguments from pop, so like up here, as you pop stuff off the stack it gets saved into the registers. So that's what gadgets are essentially doing, and then you're gonna try to organize those registers in a way that allows you to execute some sort of code that you're trying to run.

So here's an example. So when the program calls a leave, look, we start like this: return address one. So your prologue, move the base pointer into the stack pointer and then pop the base pointer off. So now EBP gets saved into a register, and then we can manipulate that into our gadget, which is these instruction sequences, and then you could continue to do it again and again. And then so you have a bunch of nth instructions executed and a bunch of returns that return to the stack, and then to your gadget, and then to the stack, and back. So that's what this image is basically saying, and that's what ROP is: you're using those return calls to exploit some sort of program.

So this one, hopefully this part will make more sense. So this website has the Linux syscall references. So sys_execve: you could see ebx, ecx, edx. Those are registers, right?
So what essentially you're doing with ROP is you're using those gadgets to get these registers ready in a certain way so that you can call this library function. And you gotta remember, that's why I stress that these are a code reuse attack: you're not injecting your own shellcode with this, you're literally using those leaves from the stack and getting these registers set up in a way that you could call these different syscalls. So we're just using this one as an example, but you know, this syscall might not be the exact one. So this website is really useful. So if we hop onto it, there's all these different library functions and stuff, these syscalls that you can utilize and exploit. So let's see. So yeah, so if you want it, as you can see these registers have to be set up in a certain way, and then your registers will do your... and then so this one is specifically for 32-bit. If you're dealing with 64-bit it's gonna be a whole new ballgame, but that's the big idea of ROP. Does anyone have any questions? I know I didn't understand at first. I know a lot of students probably did not understand when Professor Dupay was going over it in class, so that's why I wanted to give you guys the big picture of ROP. Okay, so let's see if I have, yeah, so here's my exploit.
Here's an example of what an exploit will look like. So as you can see, there's different tools that'll help me create these. So you can see here that you're popping ebx, doing return and then injecting something, and then you're popping ecx, doing return and putting this in. And as you can see, if you read through these comments and stuff, you could see those different returns, and that's what you're basically using in ROP.

So some ROP tips. So refer back to Professor Dupay's lecture, and hopefully my explanation kind of helps you now understand the big picture, and hopefully you can now understand what Professor Dupay is explaining. If you don't, we'll be here for, you know, office hours after this. Understand what instruction you're trying to exploit. So remember, you can only exploit whatever instructions are in the binary, and then there's also this chart that tells you the different syscalls you can use. You still need to control EIP. That's why we teach buffer overflow first, because you need to be able to control the stack to the point where you could make it jump around and do other stuff. And the reason why this is different than buffer overflow is because you're not injecting your own shellcode onto the stack; you're using the binary's own libraries against it. And I think that's one of the coolest things, and it's really trippy. But yeah, and then so I would research automated tools like ROPgadget and Ropper, and hopefully good luck on assignment six, because unfortunately that's actually a really simple ROP challenge. So yeah, and then if you think this stuff was cool, check out home doubles, and then there's this awesome meme of what you guys would be like on Tuesday, especially now that you guys are using that as your final. And then, anyone have any questions? You