 What's up, YouTube? Welcome back to the video on the Pico CTF 2018 Caps to Flag Competition. This is a video write-up for the Challenge Buffer Overflow 2 in the Biner Exploitation category. The Challenge Bomb here is, all right, this time you'll need to control some arguments. Can you get the flag from this program? You can find it here on the Shell server and you have the source code given. So let's go ahead and download these things. I've got a directory all set up for it. We just got to work with it here. We are given the source code, so that will be super-duper handy for us. We don't have to worry about trying to reverse engineer a ton. We are given the code. So let's open it up in Sublime Text. Okay, we have, let's see, some includes here, a defined definition for the buffer size and the flag size. This must be the length of either the string or the buffer that we're working with. The Win function looks like it simply opens the flag, determines whether or not it's actually there. You do want to be running it on the Shell server. Okay, so maybe we'll have to create a fake flag if we're testing locally. And it needs to actually have the arguments of dead beef and dead code. Okay, just in hex. We will need to input those in, let's see, like little endian, right? Because the binder needs to be able to read and process it in its own language or what it's used to. But if those aren't supplied, it won't give us the flag. Buff is where the flag is going to be read into. So the only way for us to see the flag is whether or not we can get those arguments set up correctly. This shouldn't be too much of a challenge for us. We have a vulnerable function here, running with a buffer size and a buffer here that it's just reading with the gets function. And we know that gets is very, very dangerous. If you haven't seen that before, just check out the man page for gets. It should tell you never, ever use gets because it does not determine the end of the string. It does not actually check the boundaries as to whether or not you are overflowing a buffer. So that's the vulnerability we can take advantage of. We inherit the next users, excuse me, sorry, we inherit the next, the set UID users permission. So we can actually read the flag file probably once we log into the shell server. And then it asks us enter a string and it gives us the vulnerable function. So let's try and run this, see if we can work with the binary. Let's make it executable. It should tell us anything. If we try to buffer overflow it, maybe it's trying to. Oh, we'd actually jump to this when function, right? We want to be able to buffer overflow there. So let's try and make that happen. We'll use Python taxi print a like 100 times to go ahead and get a lot of output. And we can just give that to the vulnerable function. We want to find where this buffer overflow is. So let's give it a couple more until we get a segfault. Let's go eight times. There's a segfault. Let's check out the very end of D message to see where we are overflowing and nothing useful there. So let's go a little bit more. Let's go 12 in and I get him using increments by four here. General protection, et cetera, et cetera. Okay, let's see what 16 gives us. Okay, now we have a segfault at a given address that is all A's or 4141, 4141 in hex, right? Because that's what the capital A is in hex. So we know that following 12, we can go ahead and get any address that we want to jump to. So if we were to give it the address of that win function, that would allow us to jump to that function. So let's try and do that. Let's go ahead and actually find the address of the win function. I'm going to use redelf tack S to see the symbols here on the binary. I see win right here and this is the information for it. Okay, let's just, I'm going to use another window down here so I can use Python and then I'll import the Pone library. Okay, and then I'll Pone P32 on the hex value of this. So that function just in itself, you may have seen me use it before. If not, all it's doing is converting it to little endian as a simple string for us. You can do the same with a built-in library. If you don't have Pone tools installed, although I totally recommend it, Pone tools is awesome. You can import structs and then struct.pack with a special formatter, the less than sign for little endian and capital I for an injure. And then you would get again, give it the hexadecimal value that you want. Place it in there and it gives me the exact same output. Okay, so let's go ahead and use this now in our payload. Going back to the top window here. You can see I'm going to, instead of entering a lot of bees, I'll put in this hexadecimal value or little endian format for the Win function. Now we're running the Win function. It tells me the flag file is missing, problem is misconfigured, and that's good. That way we know, okay, we are in fact running the Win function according to the source code. Let's create a fake flag that we can work with just locally. Let's say John, please subscribe. Cool. So let's go ahead and run this. And seg fault, score dumped, are we jumping to the Win function? Seem to be, but just returning. Okay, that works fine for us. Let's see if we can get these arguments in here. Where are we going to return to after this? Well, right now our program doesn't know. Remember on the stack, when you get to EBP or the base pointer, plus four is the return address when we're building a new stack frame, right? So the following four bytes should be a return address. Let's go CCC, so you understand a little bit more. It's not the same example. Now when I run this, we get a seg fault, FID message tailed this. Now we're going to 43, 43, 43, 43. So we would normally jump to this function because it has, we have not supplied the arguments and our function is just going to return. Now we want to go ahead and supply these arguments, right? We need arg1 and arg2. We're given the values that we need here and they're just in hex. So that works just fine for us. We can use the same thing with Python to go ahead and convert these to Lillendian. I'll paste them in here. Now we have dead beef as a string that we want. I'll concatenate that into our payload here and then we'll do the same thing for dead code. We can go ahead and convert that to Lillendian just doing it in Python. Got the string that we need and we will tack that on to our payload. Great. Now when we run this, I get the flag and we're still getting a segmentation fault. That's fine, but we're running enough of the code that we need to. So now that we have our payload, let's go ahead and redirect that into payload.text. And I suppose we can actually just copy this because we're going to need it once we're on the shell server. So let's go ahead and connect to it, ssh.sh to log in. See if I can remember my password here. Sweet. We're right. I'm going to paste this down below. So I have it because I need to copy and paste this location on the shell server. So we can quick and easy just change directory there. Great. Now I'm in that directory and we would be able to read the real flag dot text. Obviously, we can't just straight up read it because we don't have that user's privileges. And that's why it has that set GSID and all that other crap and main function so we can inherit their privileges and permissions. So since we have our payload, let's go ahead and copy that. Let's echo that out. So there it is. And now let's pipe it into the vulnerable binary and we're given the flag just like that. I know it looks a little bit of a mess here, but you can see it. Pico CTF addresses are easy and some hex bytes. So just like that, we have our flag. All right, let's go ahead and submit this. Hope that made a little bit of sense. It's everything that you already know, right? From watching the other videos, you know that above the stack frame, right? The base pointer plus four, the bytes following the address of where you're going or where you're jumping on the function here is your return address, which we can sit to be anything or garbage, right? And then you have the arguments that follow. So arg1, dead beef, and then arg2, dead code. We're just applying again in the Lendian because we need it in the format the binary can read and understand. So cool. Let's go ahead and make that the flag file. No longer the please subscribe, but please do that. That'd be awesome. Join our Discord server and we can mark that challenge as complete. Another one done. Awesome. Thank you guys so much for watching. Before I go, I do want to give a quick and special shout out to the people that support me on Patreon. Thank you guys so much. I cannot say this enough. I say it at the end of every video, but it's still never enough. $1 a month on Patreon will give you a special shout out just like this at the end of every video. No matter when or where you kind of donate, I am grateful. So your name will be up here forever. Gal, I'm never going to take your name off this. Appreciate you, man. I love it. I love it. $5 a month on Patreon will give you early access if you're going to release on YouTube before it goes live. What that means is I like to try and record videos in bulk. I try, but sometimes fail because life gets in the way, but I am very, very grateful for any support that you give. So $5 a month and you get access to a shared Google Drive folder where I will just throw a lot of the videos before YouTube gradually releases them on maybe a daily or every other day schedule. So if you want that content right when it's hot, that's the best way to do it. Please do join our Discord server. Link in the description. Cool community full of CTF players, programmers and hackers. You'll find a lot of smart people there. Smarter than me. You can come chat with me, hang out with me. And hopefully that's nice. Hopefully that's fun. I don't know if you like that. If you'd like this video, please do like, comment and subscribe. And I will see you in the next video. Hope to see you on Patreon, but I love you guys. Take it easy.