Hello everyone and welcome to the fifth and final video in the video walk-throughs and guides for the Linux Offset Club online wargame. You can find it online at linux.offset.club, but let's finish it up here. I'm going to change directory into the Linux Offset folder we've been working out of. In the last video, we had gotten the password for user13. That was a really cool recursive base64 problem. So now let's jump back in. User13.ssh from the Linux Offset Club. Connectivity is a little slow here. All right, I paused the video and now we are logged in. Cool.

So what is this? Now we have a challenge and a challenge.c. So we have kind of a C program that we're working with, the executable binary here in our home directory. Can we just cat out password.txt? No, I guess not. Well, why not? We have to be root. Only root can read it and it looks like this challenge is a setUID binary. You can tell by that S here. So only this binary can read it. Only user14 or root. Okay. We're not user14. We're user13. So root is the only option. We've got to do that through this binary.

Well, at least we have the source code. Let's look at that a little more closely. So, include C headers, our main function by default. What we do is we create a buffer, 1,000 characters long by default in null byte. And we loop through 1,000 times. Okay. And then we read into the buffer, standard input. Okay. So we type into it. And then we check if the length of the buffer is not c or what we're iterating through. It says failure. Okay. So we just have to like enter a string or enter some input that's the same length as the current counter that we're on.

All right. Let's just try that challenge. What? Fail. Five is not equal to one. What? Okay. So we only have to put in one character there. No. Fail two is not equal. Okay. So the new line character must be being read as well. Right. So enter nothing in that new, in that first line. One. Okay. Still good. Two. Three. Four. Five. Okay. So we have to do this a thousand times. Can't really do this by hand. Okay. Geez.

Well, how do we do this? Um, I'm going to do it in Python. Right. 'Cause that might be easy. And we can use python -c. Just to do it from the command line, print a times one or something. Or times two. And that's, that's real easy. So we can do a for i in range a thousand, print a times i. Oh boy. Is that doing, is that doing what we want it to be doing? Is that doing what we think it should be doing? Shrinking the range down to 10. Looks like it is doing exactly what we want. So let's crank it back up to a thousand. And all this input we can pipe into the challenge. Oh boy. Okay. Geez. That was like lightning fast.

I hope you kind of understand how that happened theoretically. When we gave it just like 10. It created all these characters, all these inputs. And we broke like ramp that up to maybe a hundred or even a thousand. What it's asking for all that input. We could just give it to the binary, pipe it in. And looks like it ran through all of it and just spit out the password for us. So okay. There's the password for user 14. Sweet.

Let's get into user 14. Where are we at now? All right. Another binary. That looks like a set UID binary. And okay, we can only read password.txt. How can we read? Can we read password.txt in this? Oh, I'm stupid. I logged into user 15. What went wrong? Did I, is user, is user 13? I'm confusing myself, stand by. Okay. No, I guess I am just confusing myself because they happen to have the user 14 password in the home directory. User 14. I guess they must have had to do that because of the last challenge or something. I don't know. Whatever.

We can look at challenge.c because this is the attempt for user 15 here. Using this challenge. It's not what, it's not what the last one was. So let's check out what the difficulty is here. Well, not the binary. Let's check out the source code. See, it's more C code, C headers, main function. Okay. The password, you can't get it. Okay. That's clearly not the password. Let's use our deductive reasoning and the noggin says that's probably not it, but we need to be able to read user 15 password. Okay. So it reads an input over the length of the password, but it's incrementing by four. So Y and a T somewhere along like pieces of that string. It reads in a number puts it in a temporary variable, the address of that test. If temp is not equal to the integer form of that character in the password, it spits up and breaks. Okay. Weirdness, right? Huh.

So the way that I solve this is actually by kind of going back home. Let's make a temporary directory. We do this in /dev/shm for shared memory. Nice. Okay. Whatever. And let's put a directory in there for ourselves. Cool. I actually just stole the source code and wanted to modify it on my own. I don't have a password that I can read out of in the database, but since we can just work with this string on our own, we can see what values it's actually expecting this temp variable to be. We don't need to read any input, but let's actually change this line to not test if temp is equal to this, but let's actually set temp equal to the password or what we would expect to see from it here. And then let's just print out what temp is. We can use the printf here and this format specifier %d is printing out that integer that the decimal and let's give it a new line so we can see things clearly and let's just give it the temp variable that we have just set to what we want to be able to enter for the password. I think I have an extra parenthesis in here. Yep.

So now we're not cutting this out. We're doing the same loop that we were before, but we're just getting the value they expected to see totally messed up with white space. Sorry. And we're just printing it out to the screen. So we have an idea of what it's actually looking for. Let's try this. Let's compile that source code. No errors. Now we have a directory or a file in our directory called a.out. It's the default executable name. And these are the values that I guess it's seeing for the pointer or whatever nonsense is those integers that it expects. So let's bring this back to the server over here. And let's run the challenge and paste in these values. And boom. Cool. Just as easy as that we get the password for user 15.

Let's check this out, man. Let's go ahead and put this in our files, our archives here. This is the password for user 15. Cool. So now if we went to user 15, pasting the password, check it out. password.txt. Ah. This is the end. It's the same password because this is the very last level. That's what it says online. On the internet user 15 is the last user. So we made it. We finished. We got to the end of the Linux Offset Club.

Thank you guys for sticking with me. I want to share with you I have some of the code that I had written some of this and some of these challenges on my GitHub accessible for my personal GitHub. And the repository is called Linux Offensive Security Club with underscores in the name. It has all the passwords that I had found. And some of these I had .sh scripts for bash scripts where I'm using sshpass. Just be able to automate the connection through SSH with the password that you've already obtained in some of those other files. It's just getting the output from those files here. SSHing into them and then running these commands. Same thing for the public key in level four. Some of these where we're using the asterisk again, changing directories and stuff like that. Some of them where I had to do the things that couldn't really be automated like the base64 stuff or what is it? I don't know what another. Yeah, the base64 one for level nine is another good example. The recursive base64 stuff, I think it could do. The ones where we're using a challenge like we had seen with the password Python one. One of these may have gone through or not.

But if you wanted to check out some of these files, I don't know, I'm running out of words here, but I just wanted to show you they are on my GitHub account. And certainly feel free to check out my GitHub account. It's just my name, John Hammond, and hopefully you'll be able to find some good stuff in there. Thanks, you guys. Thank you guys so much for watching. I really hope you guys enjoyed this series. Super small, kind of easy, really just a speed run. But at the same time, I hope you're learning some good things. So thank you guys for watching. Thanks for sticking with me and I'll see you in the next set of videos.
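The four-bytes-at-a-time comparison narrated for the user 15 level, as an added example that is not part of the video or of the wargame's challenge.c: it shows that the expected integers are a fixed function of a string anyone with the source can read, so the check protects nothing. The string `SECRET`, the function names `chunk_value` and `chunks_matched`, the little-endian byte order and the zero-padded tail are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder, NOT the string from the real challenge.c. */
static const char SECRET[] = "constructed-sample-1";

/* Integer a little-endian host (x86) sees when it reads the four bytes at
 * s+off as an int. A short tail chunk is zero-padded (assumption). */
int32_t chunk_value(const char *s, size_t len, size_t off)
{
    uint32_t v = 0;
    for (size_t i = 0; i < 4 && off + i < len; i++)
        v |= (uint32_t)(unsigned char)s[off + i] << (8 * i);
    return (int32_t)v;
}

/* Model of the check loop as narrated: step through the string four bytes
 * at a time and stop at the first number that does not match.
 * Returns how many chunks matched before the loop ended. */
size_t chunks_matched(const char *s, const int32_t *in, size_t n_in)
{
    size_t len = strlen(s), k = 0;
    for (size_t off = 0; off < len && k < n_in; off += 4, k++)
        if (in[k] != chunk_value(s, len, off))
            break;
    return k;
}

int main(void)
{
    /* Print the value the model expects for each chunk of the placeholder. */
    size_t len = strlen(SECRET);
    for (size_t off = 0; off < len; off += 4)
        printf("offset %2zu -> %d\n", off, chunk_value(SECRET, len, off));
    return 0;
}
```

A setuid helper that has to gate access should compare against material the caller cannot read, not against a constant compiled from world-readable source.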