Hey, what's going on YouTube? My name is John Hammond. This is PicoCTF 2018, some more video write-ups here. So this challenge is called Leakme for 200 points in the binary exploitation category. It says, can you authenticate to this service and get the flag? Connect with this, and you're given the source code and the binary. So I've downloaded both. I've got them here. Just C source code and a binary. So let's go ahead and mark that binary as executable. And let's go ahead and check out the source code. So they have a flag function that will just simply pop out the flag. Awesome. There is a main function that will allow a buffer to be created and set the permissions so we can elevate our privileges once we actually run this on the server. And then it has a real password that it's actually able to read out with some buffers set up. Looks like it will create these buffers kind of by hand with memset and it will ask, what is our name? Then we'll try and read our name with the length of the name, right? So 256. And interestingly enough, what it does here is it tries to check for the very end of our name based off where the newline is. So once we hit enter, it'll read in that newline. And if it goes ahead and finds that, if it finds the position, what it will do is it will go ahead and set that to a null byte character. If it's not there, then it will just say, okay, it's totally fine how it is. It will ignore it. So that's a peculiar thing. And that is where our potential vulnerability lead will be. Then it says, please enter the password. It will go ahead and open up the password and display it if it actually has it available. And an interesting thing is we could take advantage of this locally, because we're actually seeing some string compares being used between the password and the real password. And otherwise, if we get the right password, it'll give us the flag. So let's go ahead and try this, right? If we wanted to run this locally, we totally could. 
Let's run auth: what's my name? John Hammond, I'm just kidding. My name is please subscribe. Password file is missing. So if we were to create a password.txt, please subscribe again. Then we could run this. Say John, and then hello, John, please enter the password. Anything, which we know was wrong. And it'll say incorrect password. If we check this out with ltrace, we could see all this stuff happening. So if I said fgets, what's my name, John, please enter the password. Anything, we would see it actually do the string compare and we could find the password. However, we don't have shell connectivity in this challenge. We can't really run ltrace on the binary. All we have is this netcat connection. But we found a peculiar thing where we were able to leak out the password potentially if we just don't have a null byte character that ends our name variable. So we got to keep in mind our name variable is 256 characters long. So if we actually fill out all of those and it won't be able to place a null byte character or terminate that position there, that string, we will potentially read out the next variable on the stack, which is password, right? Password is actually going to have that null byte, so it'll properly display the string if we actually were to overwrite the one name. So we could leak out the password just like that. Let's go ahead and try it. We will need about 256 characters of anything, right? So all of these will give that to our auth, we read it and it will say the password that we already have literally just stored in password.txt. So that's a peculiar thing, right? We could go ahead and pipe that to the connection and we'll leak out what the password should be. So now that we know that, we can go ahead and actually interact with this service for real, give it any name, please sub, enter the password that we know and we get the flag. So just like that, cool, cool thing. What I'm gonna do is actually display this in a getflag script. 
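The missing-terminator bug described above, as an added C example (not the challenge's own source): a 256-byte name buffer sits directly before the password buffer, the newline-to-NUL step is the only terminator, and a full-length input with no newline makes the greeting run into the password. The struct layout, the 64-byte password size and the helper names are assumptions made for the demo; the fixed variant simply guarantees a NUL.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 256

/* Assumed layout modelled on the challenge: name is immediately
 * followed by password, so an unterminated name reads straight into it. */
struct frame {
    char name[NAME_LEN];
    char password[64];
};

/* Vulnerable pattern from the video: up to NAME_LEN bytes are copied in
 * (stands in for read(0, name, NAME_LEN)); a newline, if present, becomes
 * the NUL. With no newline in the first 256 bytes, nothing terminates name. */
static void read_name_vulnerable(struct frame *f, const char *input, size_t in_len) {
    memset(f->name, 0, NAME_LEN);
    size_t n = in_len < NAME_LEN ? in_len : NAME_LEN;
    memcpy(f->name, input, n);
    char *nl = strchr(f->name, '\n');
    if (nl) *nl = '\0';
}

/* Hardened: keep one byte back for the terminator and always write it,
 * so printf("Hello %s") can never walk past the name buffer. */
static void read_name_fixed(struct frame *f, const char *input, size_t in_len) {
    memset(f->name, 0, NAME_LEN);
    size_t n = in_len < NAME_LEN - 1 ? in_len : NAME_LEN - 1;
    memcpy(f->name, input, n);
    f->name[n] = '\0';
    char *nl = strchr(f->name, '\n');
    if (nl) *nl = '\0';
}

/* Does "Hello %s" (i.e. strlen on name) expose the password bytes? */
static int leaks_password(const struct frame *f) {
    return strlen(f->name) >= NAME_LEN && strstr(f->name, f->password) != NULL;
}

int main(void) {
    struct frame f;
    char input[300];
    memset(&f, 0, sizeof f);
    strcpy(f.password, "s3cret_pw");     /* constructed sample password */
    memset(input, 'A', sizeof input);    /* 300 bytes, no newline */
    read_name_vulnerable(&f, input, sizeof input);
    printf("vulnerable: greeting is %zu bytes, leaks=%d\n", strlen(f.name), leaks_password(&f));
    read_name_fixed(&f, input, sizeof input);
    printf("fixed:      greeting is %zu bytes, leaks=%d\n", strlen(f.name), leaks_password(&f));
    return 0;
}
```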
I'll just enter the password within user line and stuff like that. So we'll read those out. Nope, what was wrong there? Oh, the dollar sign. So let's use a single quote. Works, let's get tail -n 1, gotcha. And that is our getflag script. I use printf so I could use the newline characters. You could just as easily use two echo commands and put them together and separate them with semicolons. I know I've done that before too, but it's whatever you're particularly comfortable with. I suppose it really doesn't matter. More than one way to skin a flag, skin a cat, skin a flag. That's the only thing, that's how you say it, John. Skin a cat and Linux, cool. And we've got that challenge done and over with, 200 more points on the board. Next challenge is called Now You Don't, which is not too difficult. So I'm gonna actually just bang it out in this challenge, in this video here. Let's mark Leakme as complete. Sweet. Now let's make a directory for Now You See Me. Or Now You Don't, Now You Don't, sorry. Oh, it exists because I probably pre-downloaded it. Yep, so let's check out what we have here. Just a PNG file. Let's check out what it actually is. Looks like a picture of just red. So what challenge is this? It's forensics, whatever. I guess I'd consider this more steganography. What we're gonna use is just kind of actually verifying that that is all red. So I'm gonna go for my StegSolve tool. Easy, low-hanging fruit. If you don't have it, Google it. You can download it just fine. It's just a jar file. So what I'm gonna do is locate StegSolve. Let's grab it. java -jar to run it. Hit O to open files in the current directory and just say Now You Don't, open the file. So we got red and we can view through all these different planes here. Or all these different ways of viewing the file. Once we get all the way to red plane one or red plane zero, you can see the flag. So let's go ahead and jot that down. flag.txt. Now You See Me. So that's the joke. 
Now You See Me, Now You Don't. Oh boy, I can't type. Five, three, two, three. Great. And that's that. So we can submit that and we're cruising. Another win. Mark that challenge as complete. And if you wanted to, you could write a simple solution.txt. So you just remind yourself what you did to win that and solve that challenge. All right, hey, I want to give a quick shout out to the people that support me on Patreon. Thank you guys so much. I can't say it enough. One dollar a month on Patreon will give you a special shout out just like this at the end of every video. Just to make, I don't know, make you feel good, make you feel happy, make you feel like you're supporting some people that you like or something. If you like me, I don't know. Maybe you don't. I don't know why you watch this video. Five dollars or more on Patreon will give you early access to everything that is released on YouTube before it goes live. So I'd like to try and backlog some content and some videos to gradually release it, but I got to get better at that. Don't let that dissuade you. I appreciate your support and your love. Thank you. If you did like this video, please do like, comment and subscribe. Join our Discord server, link in the description. It is a cool community full of CTF players, programmers and hackers. You can hang out with me and other cool people that are way smarter than me. It's an awesome CTF war camp where we'll be tackling a lot of the upcoming capture the flag competitions and just looking at a lot of resources like wargames, OverTheWire, UnderTheWire, PicoCTF 2017-2018, just to get better, to learn, and that's what it's all about, learning. So please do come hang out. Appreciate it. Hope to see you on Patreon. Hope to see you in the next video. Love you guys.