 Hey everyone, this is Tiffany. I don't know if we hear soon as well. Hey, I'm right here. Oh, hey! Here, you say my name and I appear, you know? Like, be able to juice like that. Is everyone excited? You know what today is? Oh, the final, it's the last class. Come on now. Last class. I'm happy that you're excited about finals. Maybe we should just release more challenges. You know, yeah. Yeah, the more they like the final, the more challenges they get, right? Exactly. All right, cool. Well, thanks everyone. Sorry, I was setting up some software that Tiffany and I were talking about and my download that I was originally having was insanely slow. So I just want to verify that it pops up. Yep. Oh, and also, there we go. Cool. Do you still do it? Sometimes you need to still do your order together permission to read traffic. No, I'm going to read from a file so I think it should be fine. But let's see. Yeah, cool. Okay, so how do I do this without you guys seeing everything I'm doing? Okay, let's see. Sorry, I have to switch things because if I'm going to, I assume everyone wants to be able to see my screen or my text that I type. Cool. So I will launch it and before then we will... Actually, first what I'll do is I'll actually go over it so you all actually pay attention to me first and then I will launch it and then we can maybe play with the final CTF system together. How does that sound? Sounds good. Cool. So yay, thank you. Cool. That would be fun to do. All right, so slightly different setup for the final CTF and the midterm CTF. Part of that has to do with some of the challenges just don't really lend themselves to the midterm CTF environment. So we set it up slightly different but it's, you know, you still have access to it. So first things first, you should have received an email with your credentials. So what we did is we went on the CTF website, we took all your usernames and emails and we created passwords for you on the system. 
We also took the SSH keys that you had there. So if you had an SSH key loaded there, you should be able to access it without anything. So like for instance, my account is adamd at finalctf. So the URL is, or the server's DNS name is finalctf.cse365.io. So you SSH in there with your username and at that. And when you do that, you can get on the server. So I actually already had a connection set up but because I have my SSH key here, I already populated it here. So if you have an SSH key loaded, if you had an SSH key loaded to the CTF site, it should just work. Otherwise it will ask you for your password, you type in the password that we gave you in the email and you'll get access to this system. Okay. And of course it drops you like normal in /home/adamd. And this is a shared server. So if I look at /home, you can probably see a bunch of names here, right? These are all of your accounts that came straight from the CTF site. If you haven't received the email in probably like 20 minutes or so, let me know. Because some of you put in the wrong email address when you signed up for the CTF site. So you'll probably need to ask us and we can, as long as you verify your identity, we can hook you up, check whatever email you signed up for on the CTF site. And cool. Okay. So then from there. Okay. So now that we're on this system, no, this is not up. You cannot access this. Like I said, I want you to pay attention to me right now. So I'm the only one who can access this system right now. I can look and I'm the only person on here. So what we can do. Okay. So what's the goal here? The goal is, and just like on the website, we have a scoreboard. So there's, if you run a program called score, it will show you there are 11 challenges here. So advanced-overflow, basic-overflow, find-that-pass, groups, just-execute-me, read-secret, rot-me, search, scare-this-house, stolen-data and tidy-up. So there's 11 challenges. 
Each challenge will be worth 12 points out of 100 and you can get up to 120 points extra credit. The question now is how do you start these challenges? So you don't need to click anything. Every, all the challenges are located in /var/challenge. So if you list that directory, /var/challenge, you'll see all the different challenges. So we have advanced-overflow, basic-overflow, find-that-pass, right? All of the challenges here. So I'll give you a hint and by the end of this class each of you should have done this one challenge. First challenge is just-execute-me. So just-execute-me. So in each of these directories, if we look in here, you'll notice at least in this, you know, this styling, these are yellow. Why are these things in yellow here in my output? It's not because it's executable. This is executable, it's green, right? We can see these are executable. What's different about the permissions between those two? Yeah, what does the S in the permissions mean? Ooh, we talked about this when we talked about permissions way back. It's not sticky. Or I think it's, no, it's not, definitely not sticky and it's not secure. It's not sticky. Yeah. Set UID, except it's not on the user ID. So if there's an S here in the RWX on the first thing, it would be a set user ID, which would mean that this stolen-data runs as the user root. The S is on the group. So this means set group ID, exactly. So this means when you run this stolen-data or this tidy-up program, it's running as this group stolen-data. And in fact, that's how we know when you solved things and what group you're in. So the goal is basically to get to all these groups and that's how we know you've solved things. So let's look at our old pal, just-execute-me. So /var/challenge/just-execute-me. Boom, already broke it. Look at that, we are great. And if I run score, I'm the first one on the scoreboard, hopefully you all can catch up to me and we can see that it's, I've completed just-execute-me. 
We also have a helper script here. It is, yeah, okay. Can't remember, is it a binary? Yeah, it's a binary. Okay, that's not very helpful, but anyways, so we have this leap binary. So if you run this and you've broken one of the levels, so if you run just-execute-me or something, or if you, if you can trick, the basic idea is if you can trick any command to execute group, so any of these set group ID commands, so anything like we saw in /var/challenge, like rot-me, let's say, if you can get this binary and trick it to execute this leap command, it will automatically add you to the group because once you've broken this, you're now executing as this rot-me user, but then you actually have to add yourself to the group, rot-me. And so we actually do that with this leap. And actually if I run, I think I can show, I wanna /var/challenge/just-execute-me. So let's look at what actually happened with just-execute-me. So if I run it with strace, what it is doing is go up, up, up, lots of output. That's okay. So it's doing stuff. It's running just-execute-me, just-execute-me goes and it is going to call execve /usr/local/bin/leap. So the only thing that this just-execute-me does is execute the program /usr/local/bin/leap. And actually it will write out and say, hmm, doesn't seem like you've broken a level yet. Try to break one of the levels of our challenge. So how come when I ran this, like this it works, but when I wanna run strace, it tells me that it doesn't look like I've broken a level yet. When I run it here, it's telling me congratulations, you broke that level. So I'm getting different output. Yeah, exactly. So it's debugging, right? The fact that I'm debugging this binary and this binary is a set group ID program. So if you debug a binary, it drops privileges. So same thing if I tried to do gdb /var/challenge/just-execute-me/just-execute-me. If I do this and do run, I'll get the exact same output. 
It says, hmm, doesn't seem like you've broken a level yet, try to break one of the levels of our challenge and then call this command. So it's the same thing, right? This is why you're finding out with assignment five. If you run something in the debugger and you try to exploit it by changing RIP or whatever, it's not gonna give you the flag because you're not operating at those permissions. Cool, so any questions on the format here? Is there a file that we can create like files and like for assignment five, how we created like the Python scripts? Yeah, absolutely. So your home directory, you can put whatever you want in there. So you can feel free, obviously don't go crazy. It's a shared system. So I think there's some limits on sizes of files, but yeah, feel free to upload scripts here, download stuff from here, scp, all that stuff that how you got files in and out of the other system works just the same on here. And they're not the same systems, right? So your files don't automatically transfer over or anything, but you have full control over here. Any other questions? Will other challenges give us like a password or something? Or do they just kind of mark you get into a certain point? Let's check another challenge. So for instance, I'm trying to think of a search now. find-that-pass is a good one. So we can look at the directory. We can see two things. We can see there's four files in here. There's a note, there's a program called find-that-pass which is set UID, group ID. We have a find-that-pass.py and then we have this program called network-trace. So which of these do we have to execute to actually try the challenge? Yeah, find-that-pass, not the Python file, the one that's set UID. And if you are confused, that's why there is a file called note that says the binary find-that-pass is just a wrapper to call find-that-pass.py. There's no intended vulnerability in the find-that-pass binary. So let's do what it says. Let's execute it, find-that-pass. 
It says, hey, you hacker over there. I found a traffic dump that I know contains a password, but I don't know where it is. This traffic capture is in the file /var/challenge/find-that-pass/network-trace. You can use the tools tcpdump and Wireshark to view this file. You can even take the file to your local machine for offline analysis using, from your local machine, scp. So it's actually giving you the scp command to use. So scp is secure copy. So we can use this command to copy that file to our local machine. And now it's saying, we believe that the admin logged onto a web server. So find their password, which is base64 encoded. Luckily we have a hash of the password; prove that you can identify the password by giving us the admin's password. So let's say it's admin, it doesn't match, too bad. So the goal here is to analyze this network trace and figure out what the password is. And actually what I wanna do before I open it up to everything is actually demonstrate this because we didn't get a chance to go over showing you Wireshark. So I can go to tmp, scp. Yes, I will post this. What is that? finalctf.cse365.io. Oh, obviously I need to change username to adamd. And so then it copies network-trace locally. So that file is there. And now let me switch over to Wireshark. Cool, can you all see this Wireshark screen? Yes, thank you. Okay, so what we're gonna do is open up that file I just put. So that, and if we run, shoot, I should have showed it, but if we run file on it, it would tell us it's a pcap file. And so we can open it up in Adam. I think it was tmp, yep, Adam, tmp, network-trace. Cool, so this is Wireshark. So this is, you know, we're not gonna go super in depth in it here, but if you remember back to networking, this is capturing every packet that was sent. So there's some, oh, 11,000 packets. Yeah, 11,000 packets. So based on the information that was in the challenge, your goal is to recover this password. And so, you know, Wireshark is really cool. 
You can look at, so it takes like TCP packets. So you can see it parses it out here. So all of the parts of the packet that we talked about in our examples. So we know the relative time that this was sent, the source IP, destination IP, the protocol's TCP, the length of the packet, the ports here. So it's saying it's from 5357, sorry, 5357 to port 80 with a SYN packet. So it's a SYN packet to start something. Sequence numbers, acknowledgement numbers, length, all that stuff. And the cool thing is you can dig in here and see all of the Ethernet headers. You can see all of the IP headers. Everything is parsed from this packet. The TCP information. You can do cool things in Wireshark like right click and say, you can say follow the TCP stream. So it then shows you a new view and it shows you the client and server sending data to each other that it's parsed from that entire TCP stream. How does it know that these are all part of the same TCP stream? No, no, networking knowledge. We haven't thought about paging it in and out of our brains, not the IP headers. From, yeah, so two things, right? So same source IP, same destination IP, same source port, same destination port. And then it follows the SYN, SYN-ACK, ACK and follows the sequence numbers to make sure that everything's in there and it knows the order and everything. So it reassembles from this the flow and the contents here. And cool, and you could do things like all kinds of filters here. You can say what, I think it's tcp.port == 80 and this would show you all the packets in here that are either from or to port 80. You could do all kinds of cool filters. So anyways, the goal of part of this assignment, as you know, the networking stuff came after the midterm. So this allows you to dig into some cool networking stuff. Any questions on Wireshark? And we're gonna ask maybe some folks. 
And so if you have good resources, feel free to share with the class, like videos that are really good that describe how to use Wireshark and stuff like that. Any questions on Wireshark right now? No, all I can think of right now is you guys in the "let me in" meme. So I feel like that's where you are right now and you just wanna get access to the server. So how about I do that? All right, let me, I have to go into AWS and open it up. I restricted it so that only my IP address has access, not even Tiffany has access to the server yet. So I guess hopefully I didn't mess everything up completely. Security groups, this one. All right, edit inbound rules. And again, only port 22 is open. So you, there's no website there. You have to SSH into this machine. All right, it should be up. So you should be able to SSH to the machine. Can somebody do that with their credentials and verify that it works? Yes, it's cool. So I can see, oh, nice, a good amount of people in here. Cool, so the goal right now is, and it's basically for the rest of the class. I mean, Tiffany and I will be here to answer any questions or anything. Let me, I'm gonna break up this recording. So I'm gonna split it into two of just this and then the questions and all that stuff. So let me, oh, Tiffany, it's recording to your computer. Yes, it's recording. Oh, I need to stop recording. Sorry. Can you stop recording, please? Yes.