Hello everyone, my name is John Hammond. I'd like to show another challenge from ångstromCTF. This is called "inputter", for 100 points in the miscellaneous category. It has 238 solves at the time of recording. It says: "Clam really likes challenging himself. When he learned about all these weird unprintable ASCII characters, he just had to put them in a challenge. Can you satisfy his knack for strange and hard-to-input characters?" And we have the source here. We can find it on the shell server there, and we can go ahead and download each of these.

I will go ahead and hop over to my terminal. Let's make a directory for inputter, let's get over there, let's wget that one... and I failed, being in between my double quotes. There we go. Now we have the binary. Let's go check out the source. Let's also download that: just wget and paste that in here.

So we have a C file here, some C source code. You can see, okay, we're just using the kind of standard libraries that we would use with string types, and a FLAG_SIZE of 128, okay, defined as a preprocessor definition. print_flag is a function just to go ahead and open the flag file and display it out on the screen. Good enough. Our main function goes ahead and does some stuff with our output, kind of typically what you see for xinetd services or things you can put in a CTF challenge. It says, okay, we need to verify that our argument count is at least two arguments, or in fact absolutely only two arguments; if it's not equal to that, it will break, it will return 1. And then we will determine, okay, what is our argument?

We'll string-compare that argument that we supply with that string, which is peculiar. It uses an escaped newline, a single quote, a backslash, okay, so escaping out the double quote, and this non-printable character, backslash x zero seven (\x07). We need to make sure that is right. And then if we pass that test (because it'll fail and exit the program if that doesn't work), if that passes, then we'll go ahead and read in from standard input, and we'll read in a null byte, \x01, \x02, \x03, again escaped non-printable characters. "Your input isn't right" if those don't match, and if we pass those tests, then we'll go ahead and display the flag for us.

Okay, so obviously the gimmick in this challenge is being able to supply these arguments and supply this input, running it as a program. So I had fumbled around with this for a little bit. I wanted to see, can I actually work with the program whatsoever? Let's go ahead and mark that as executable so I can run it. We need to supply an argument, and we need to supply specifically that one that they've supplied. You can't just include these in a string here, because that backslash x isn't going to make any sense for the shell. What you could do is you could try to display that out with Python. So I could use some dollar sign and open parentheses to go ahead and display that as a Python, or some command substitution, so the output of that internal command. But I would need to go ahead and use double quotes to specify the input for that Python text, so I would have to escape out the double quotes here, and then bash would get very confused because of those escaped quotes. We could try and include that, but I messed with that for the longest time and still could not seem to get it right. I figured, let's use single quotes, and that didn't particularly work for me, um, again needing to modify some of the things to include a single quote. It just... I wasn't getting that within bash all that easily. I thought, well, what else could I particularly do?

Checking out the hint again. The CTF was really, really generous about hints; it didn't take away points or anything. It says there are other ways to run programs without using the shell. So I thought, hmm, okay, could I do something with like gdb? Would I be able to open up the input, or supply an argument, or modify what I'm usually working with? Because maybe I could go ahead and read in that standard input first. I got kind of sketched out because that check needed to include a null byte, and I was like, well, null bytes are normally what would break a string in a C-style string, but fgets actually doesn't particularly care about them. If you were to go ahead and actually read `man 3 fgets`, I think... okay, there we go. We could actually see this will end up reading a file until it actually gets an end-of-file, like, response, or a character there. So null bytes it actually doesn't really care about, which is good to know.

So what we could do is actually go ahead and use Python to include this. And I tried this; I actually commented this out, created like a modified .c file, modified.c in that case apparently. So let's use Python to just go ahead and print out this syntax. We'll have those characters which can't be displayed, right, because they're just non-printable characters, but I included that as some payload or something, as a file, to check out that payload file. And in a hex dump you could see those are the actual variables, and I actually have some newlines in there. Maybe I can go ahead and remove that. I would need to import sys if I were to do that, so I could use sys.stdout.write, and because I'm using bytes I probably need .buffer.write. There we go. And that would need to be actually bytes, so I'd include a b prefix there. Now if I were to hex-edit payload, we don't have those, or we have one null byte... because that's actually included. So, excuse me, one newline character.
That's actually included. Anyway, if I were to go ahead and compile that modified one that I created, modified.c, now I have an a.out where it doesn't care about the argument. I could just supply anything there and it would ask for my input, in which case we could go ahead and actually cat out that payload and pipe it in there, and it would display the flag, which we would need to kind of create our own dummy flag for, and that way it would actually work for us. But okay, we still need to go ahead and get past that argument's information. How could we do that?

I thought about using gdb, I thought about doing some other things, and I thought, oh wait a second, I've done something like this before in a previous CTF challenge. This is actually way back to, like, Insomni'hack 2015 for the smart cat challenge. I was like, we could go ahead and send some information to this program with something like subprocess in Python. So I thought, let's go ahead and create a little Python script. I'll go ahead and add my shebang line; I'm using Python 3 because that's what you should be doing. So we'll import subprocess, and let's subprocess.check_output, go ahead and get the output here, and we could supply, kind of as an array or list, let's run inputter, and let's use that string that they needed to actually have included as an argument. I thought, let's go ahead and do that. There we go, let's mark that as a variable and we can go ahead and print that out.

The hard part is, with using check_output, if we actually did get that correct, if it successfully got the argument, it would try to read our input, and then it would tell me, well, okay, that failed because it returned status 1. But seemingly we were able to get past the argument section. Using check_output isn't going to help us; we should go ahead and use Popen, or process open, and we could actually go ahead and view our standard out and set that to subprocess.PIPE, and we could actually do p.stdout.read(). Perfect. And we'd actually want to supply standard input, but first let's go ahead and see why that would error. It says "your input isn't right". Now we can see standard output easily, rather than just using check_output. We could also supply our standard input, because now that we know we got to "your input isn't right", we know we actually successfully passed that first test, comparing our argument with that special string. Python is actually allowing us to use that non-printable byte, that character there, and it will properly understand these escaped double quotes or single quotes or newline characters. So that's why Python is kind of a better solution for this.

Let's go ahead and use that standard in, and some Python Black is going to try and clean that for me. Now, because we actually have access to that standard input buffer, I could use p.stdin.write, and we could supply as standard input to the program the actual buffer or input that we need. There we go. And now that that's done, we should be able to read what that program would spit out for us, because we successfully supplied that... oh, and we just actually supply that as bytes, because we're inputting with the process in Python 3. It should go ahead and say your argument's just fine and your, excuse me, your input is just fine, so it would go ahead and work for us. That's seemingly not working, so let me kind of double-check that. I might include another newline there. Um, if we don't need those, and it's actually used without standard output, so we could also be able to see it. There we go. Okay, add a p.stdout.read()... oh, it would just go ahead and display it for us, so we don't need to do that. Great. Okay, so that will work.

So we are using our dummy flag now, but we need to do this actually on the server. So on the server they give us the location, and you could access it with the shell, or they give you some SSH credentials.
So you can see on your profile page... So I actually have that copied and created for myself, so I can go ahead and run ssh. Actually, let me do that, because I don't think I've done that with, um, this folder structure. Let's get our username and the password, team at that, and let's go ahead and grab that password. I'm going to use sshpass so I don't have to include that -p. There we go. Okay, so now I can log in just fine. And let's actually make that a simple SSH script so I can do that for later things, ssh.sh, just so I can document it and don't need to type that in every single time. Mark that as executable. Wow, let's learn to type, John. Showcase and videos for the people.

Now we're back on the SSH server, and the path to that... if we go check out what that challenge is, it says that it is living in problems/2020/inputter. So what we can do is we can change directory into that, and we can see the flag, source code and everything there, but we can't read the flag. We need to actually use our inputter program to be able to do that, to be able to read it. So, uh, let's call that inputter using the script. So let's move into like /dev/shm, and okay, let's create a script for us, so like solve.py. We can use nano because we're on that machine there. Go ahead and paste that, and let's use the actual specific path. Let's use, um, it was problems/2020/inputter. So we're using an absolute path to reference the binary, and now we could go ahead and mark that as executable and try and run it like so. But it gives us no love. So, uh, something that I kind of noticed and realized is that it's not being able to actually do this... let me, maybe Python 2 would actually work just fine for this; then we wouldn't need the bytes in that case. Oh, it says okay, it did run. It says "You seem know what you're doing. Cannot read the flag file."

The problem is it's working out of this current directory, so it's trying to find your flag file in /dev/shm. If we were to create our own dummy flag again, then it would be able to go ahead and create it. I don't know why this is so slow right now. Now it could read the flag file, but it's in our current directory; it's just going to give us the dummy flag. So we would need to do this from the actual directory, problems/2020... I can't even autocomplete, goodness. Now, to run from that directory, we could go ahead and run our /dev/shm absolute path to our script, solve.py, and it should be able to give the proper input to the inputter program and then be able to read that flag.txt file inside of this directory. So let me wait a little bit to see why it's taking so long. There we go: "You seem know what you're doing", and it spits out the flag.

So that is that. That is actually using Python to go ahead and manipulate and modify and actually supply arguments that have some special characters in there, alongside the argument and the input using it with standard input, etc. So thank you guys so much for watching.

I hope you guys enjoyed this one; if you didn't, um, sorry. Anyway, let's go ahead and put our real flag in here now that we know that we have that. Save, and we can move our .py script to like a simple getflag script, because we know, hey, that is what we could actually do. And if you wanted to, we could go ahead and take note inside of our getflag script and say, hey, um, copy this into /dev/shm or /tmp and then use the absolute path to the binary, run the program from the problems/2020/inputter directory so it can properly read the flag, and then, just for our own sanity, we can save the flag there, and you would be able to submit that for a hundred points. And, uh, that's that, so... All right guys, I hope you enjoyed this video. If you did, please press that like button; if you didn't, hit the dislike button twice so that way I know how much you hated it, and subscribe and comment and do the whole YouTube algorithm things. I'd love to see you guys on Patreon, PayPal, Discord, Twitter, LinkedIn, Facebook, etc. All right, I'm gonna end this video. Thanks everybody. I'll see you in the next one.
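The Popen approach from the video, written out as an added example (this is not John's solve.py). ARGUMENT and PAYLOAD are reconstructed from the transcript's description of the two checks and should be copied from the challenge's inputter.c before use; the binary path is a placeholder. It goes one step past the video by passing cwd to Popen, so the script can stay in /dev/shm while the binary still opens flag.txt from its own directory.

```python
#!/usr/bin/env python3
"""Drive the inputter binary with argv and stdin bytes that are awkward to type in a shell."""
import os
import subprocess
import sys

# Reconstructed from the transcript's description (newline, single quote, an
# escaped double quote, then \x07); copy the exact string from inputter.c.
ARGUMENT = "\n'\"\x07"
# The stdin check described: a NUL byte followed by \x01 \x02 \x03. fgets()
# stops at newline or EOF, not at NUL, so the leading NUL reaches the program.
PAYLOAD = b"\x00\x01\x02\x03\n"


def run_with_raw_bytes(command, argument, stdin_bytes, cwd=None):
    """Run `command + [argument]` without a shell, feed stdin_bytes, return (rc, stdout).

    No shell means no quoting rules: argv[1] is exactly `argument` and the child
    reads exactly `stdin_bytes`. `cwd` sets the child's working directory.
    """
    proc = subprocess.Popen(
        command + [argument],
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
        cwd=cwd,
    )
    out, _ = proc.communicate(stdin_bytes)
    return proc.returncode, out


def solve(binary):
    """Run the challenge binary from its own directory (it opens flag.txt relative
    to the cwd), so this script can live in /dev/shm. Returns (rc, output text)."""
    binary = os.path.abspath(binary)
    rc, out = run_with_raw_bytes([binary], ARGUMENT, PAYLOAD, cwd=os.path.dirname(binary))
    return rc, out.decode(errors="replace")


if __name__ == "__main__":
    # Placeholder path; the real location is the problems/2020/inputter directory
    # shown in the video.
    target = sys.argv[1] if len(sys.argv) > 1 else "./inputter"
    rc, text = solve(target)
    print(text, end="")
    sys.exit(rc)
```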