Hey everybody, welcome back to another YouTube video. My name is John Hammond. We're doing some of the GuidePoint Security capture the flag competition in this video. So I have a directory created here over on my Linux virtual machine. I have the VPN file, so I'm gonna go ahead and connect to their VPN. I will `sudo openvpn` that file there and type in my password so I can properly run that sudo command. All right, looks like I am connected, so I will go ahead and scoot that right up there so it's not visible, and we'll open up a Firefox web browser so I can go to 10.10.100.100, which is their scoreboard here. I'm gonna go ahead and log in; I had it saved with LastPass. My username is Han Jammon, right? I usually like to do that because it's fun. And we'll sign in.

All right. So in this video, I want to showcase two challenges. I want to showcase Kirby, because that one was kind of cute and fun, and I want to showcase Alphabet Soup... or Alphabet, right, Alphabet right here. Let's start with Kirby though; I think that'll be kind of the most fun here. It says "Kirby ate the flag," for 200 points, 77 solves, in the miscellaneous category. So I'm going to copy this link, and that way once I hop over to my terminal... I'm gonna call this just youtube_kirby. There we go. And now I can wget that down. When you try and do this, it will tell you like, hey, we can't actually verify the certificate, because it is using HTTPS; however, it is a self-signed certificate. So wget will be kind of nice: it'll just tell you like, yo, if you want to do this, use the --no-check-certificate here. So I'm gonna copy that and just run that same exact command with that flag, or that argument, kind of in place. Now when I run this, looks like it's downloading. Great. And I have a challenge.png with the whole token included, though. So I like to typically just rename that; I'll just call it like challenge.png. There we go. All right, so it is of course a PNG image.
It's just a picture of Kirby. There it is. That's, uh, that's as good as we get here, folks: a picture of Kirby. So the challenge description says Kirby ate the flag, and that leads me to believe that this might be using like some nested files, or some files inside of files. For some, whatever reason, image editors, or image viewers, sorry, actually do an interesting thing where once it finds the end of an image file, or like the ending bytes, typically the signature for the footer or the end of an image file, it just stops reading. It'll just display the image that it can thus far. So you can like jam-pack other files inside of an image file, and if you were to open it up in an image viewer, it totally doesn't care, not gonna read it. I wonder if that is the case here. So I would typically use some tools like foremost or binwalk. binwalk is super-duper nice in that you could just use -e and it'll extract it, right. If you want to use like a "hard" binwalk, as I tend to call it, or like a forceful binwalk, the syntax, for whatever reason, I've like memorized: it's `--dd='.*'` and then `-M`. Don't ask me what any of that means; I just blatantly have it memorized for whatever reason. We could check the binwalk man pages. I don't think I even have it installed; I'm still working on my new rig, so some of these tools I haven't pulled in all the way just yet. But yeah, let's go ahead and download it and I can show you that, or you could use the syntax of foremost, right? So foremost will do a very similar thing. It'll just carve out the other known or found files within a given file, like using a scalpel, carve all the stuff out. It is a file carver, same thing you could end up doing with binwalk. So just to do our due diligence.
Let's look for that --dd. Yeah, yeah, yeah: extract any type of signature, give it the file extension, execute command. So if you use a '.*' or whatever, it's like, let's just do anything. And then Matryoshka, or -M, will recursively scan extracted files. Nice. Anyway, let's use foremost. So the syntax is super-duper easy. The image is called challenge.png, not kirby.png, so that's what I'll type in here. foremost that, and it found something peculiar. Did a little, hey, we found out a flag.zip, although there are a lot of other random bytes in here. So foremost will go ahead and create a directory in our current directory; you can see I have an output folder here now, and inside of that we see png, so it found some image files, with the PNG file itself, right, and a zip file. So, examining the PNG: yeah, we've just got our picture of Kirby still. Cool, nothing extremely extravagant. Let's go ahead and look at that zip file. Hmm. It is in fact a zip file, just running the file command on it. So I will go ahead and unzip that zip file, and now there is theoretically a flag.zip file here. Great. Let's unzip that. Okay, now it actually came out with two files: cc.png and flag.txt. So our immediate knee-jerk reaction is like, yo, let's cat that flag. Mmm, looks a little wonky; got some, uh, got some other hex display apparently. This looks like a hex dump. This looks like something that xxd would put out, or if you're opening it up in a hex editor like hexedit, or, what is it, GHex, or Bless.
I know there are a couple others that some folks might like. Thing is, if we were to try and recover this, it's not going to end up being a readable plaintext flag. You can kind of see the ASCII representation over on the side here, and that's not what we want. We kind of want the real thing. If I were to do that, though, if I were just to cat out that flag.txt, you can pipe it into `xxd -r`, because that -r will like recover or restore it. We can check that out. Checking out the man page here: yep, searching for -r, "reverse operation: convert (or patch) hex dump into binary." Good enough. So if we were to actually do that, pass that in, we just get that nonsense though that we had seen on that right-hand side. We could redirect this into like a new file, but then running file on newfile doesn't give us anything interesting. So there must be something else at play here, and that's why we want to go check out that other file. So let's open this cc.png, and that is apparently a picture of CyberChef. I don't know if anyone might have recognized this, but it looks like it's using XOR with the key of one. However, UTF-8 encoding there, standard scheme, and to the hex dump. Okay, so that must be how it had done this. Part of me wonders if we could do that in Python, because I went down this road of using xxd, like using command line stuff, and now I just want to see, hey, can I actually finish that? I'll open up Python 3 and I'll import like xor from pwn. So actually let me do that: `from pwn import xor`, and when I say pwn I'm using pwntools, right. So now I have the xor function, or I can just xor like literally anything with literally anything else. I have an extra... I have an extra comma in there. My OCD, our OCD, the internet's OCD is gonna go crazy. Let's go ahead and just simply open up that flag.txt. Well actually we called it newfile, right? So let's read all those bytes out of it, and let's just read that data. So let's say xord. There we go.
It's now going to be that value in bytes. But if I were to try and run xor, the pwntools function xor, with the xor data and the number one, that's not gonna work for us. Part of me wonders if I could just pass it as a string, and it looks like I could. If I were to actually just make that bytes, and ensure like, yo, let's use that proper encoding: `.encode("utf-8")`. There we go. We still get our flag: stormctf, miss one, f1d45f, etc., etc. Nice. Easy peasy. That's how we could do it in Python. Obviously, yeah, if you wanted to fire up CyberChef, you totally could. So let me do that. I'll go to CyberChef, and a little thing in case you didn't know: you can actually upload a file into CyberChef. You probably already knew that; maybe that's like totally old hat to most everyone. It blew my mind. So that, I don't know, goes to show. You can add this, like this arrow here, yeah, "open file as input," and then you can go ahead and like search for it with your file browser. So where did I just put this? Oh, let me go to my youtube_kirby one and zip... newfile.zip, because if you were to try and copy and paste all of these non-printable characters it wouldn't work. It just wouldn't be the exact same data, and that's why in this case we kind of like have to upload that to CyberChef. And the properties of XOR tell us that, hey, if we were to just XOR that same data with the key of one... but don't forget they're actually using that UTF-8 encoding, so you have to click on that drop-down box here, specify that, and now you've got your flag. And that challenge is done. That took 10 minutes and it really shouldn't have, but hey, I hope we explained it all and you had a good time.

So, uh, let's dive into something else here. Now that we finished up that youtube_kirby, let's go ahead and create a directory for youtube_alphabet. So hopping into this challenge, I'll scroll up here.
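Before moving on to Alphabet, here is the whole Kirby chain in one offline Python script. This is an added example of mine, not code from the video or the CTF: it finds what trails a PNG's IEND chunk (the part an image viewer ignores and a carver like foremost pulls out), reverses an xxd-style dump the way `xxd -r` does, and XORs the result with key 1. The PNG trailer and the hex dump are constructed sample data, not the real challenge files.

```python
import base64  # not needed for the Kirby path; kept out of the way below

# Constructed sample: PNG signature + zero-length IEND chunk (with its fixed CRC),
# then a ZIP local-file header glued on after it. Not the real challenge.png.
SAMPLE_PNG = (
    b"\x89PNG\r\n\x1a\n"                    # PNG signature
    + b"\x00\x00\x00\x00IEND\xaeB`\x82"    # length=0, type=IEND, CRC
    + b"PK\x03\x04" + b"<constructed zip payload>"
)

# Constructed xxd-style dump of "flag{kirby_ate_this}" XORed with 0x01
# (the same shape as the flag.txt shown in the video).
SAMPLE_DUMP = """\
00000000: 676d 6066 7a6a 6873 6378 5e60 7564 5e75  gm`fzjhscx^`ud^u
00000010: 6968 727c                                ihr|
"""

ZIP_LOCAL_HEADER = b"PK\x03\x04"


def trailing_after_png(data: bytes) -> bytes:
    """Return the bytes after the IEND chunk: 'IEND' (4 bytes) + CRC (4 bytes)."""
    i = data.find(b"IEND")
    if i < 0:
        raise ValueError("no IEND chunk found")
    return data[i + 8:]


def looks_like_zip(data: bytes) -> bool:
    """True when the carved tail starts with a ZIP local-file header."""
    return data.startswith(ZIP_LOCAL_HEADER)


def xxd_reverse(dump: str) -> bytes:
    """Equivalent of `xxd -r` for xxd's default layout (offset: hex  ascii)."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        _, _, rest = line.partition(":")           # drop the offset column
        hex_part = rest.lstrip().split("  ", 1)[0]  # hex stops at the double space
        out += bytes.fromhex(hex_part)              # fromhex ignores inner spaces
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key, as CyberChef's XOR and pwntools' xor() do."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_flag(dump: str, key: bytes = b"\x01") -> str:
    """Hex dump -> raw bytes -> XOR with the key -> UTF-8 text."""
    return xor_bytes(xxd_reverse(dump), key).decode("utf-8")


if __name__ == "__main__":
    tail = trailing_after_png(SAMPLE_PNG)
    print("zip after IEND:", looks_like_zip(tail))
    print(recover_flag(SAMPLE_DUMP))
```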
You should be able to see that we have some Docker container information. I had started a Docker container to prop this open, and this was really kind of nice. So I like the fact that we can go ahead and spin up our own per-user instances or whatever for these challenges, and we're given the challenge host and the port number. So I'm assuming I netcat to this, and I will paste in that host and IP address info. I'll also paste in the port number. So when I netcat to it, I get this response, and it says, "give me up to 100 bytes and I'll encode it in base64." Okay, so let's "please sub." Hmm. That doesn't look like normal base64. So it says, "what was the base64 alphabet that I used?" I have no idea. "Incorrect. Okay. The answer was" that thing. "Goodbye." So, okay. Looks like what we have to do is figure out and determine what base64 alphabet they might be using. I'm gonna assume that the alphabet will change each time you connect to it, because it just kind of told me the alphabet that it used. So that's the answer that it's looking for; it's not just gonna spill the beans and tell me. Let's do another "please sub," and there we go. Yeah, there's a completely different alphabet. However, it's weird to me, because in base64 you don't typically see characters like an exclamation point or a dollar sign or open curly brace, ampersand, percent sign, etc., etc.
So they might be doing something peculiar here. If we were to Google, right, if we were to just go ahead and take a look, let's go to base64 over on Wikipedia, right, Base64. And I've showcased this all the time: a group of binary-to-text encoding schemes that represent binary data. It's so that typically you could pass data through a URL or some other transformation, transferring information protocol, that doesn't get into like non-safe characters like those exclamation points, ampersand, etc., etc. It's just going to end up using the principal characters for literally everything: A through Z in uppercase and a through z in lowercase, and then numbers, and a plus sign and a forward slash, and an equal sign for padding. So what do we need to do to solve this challenge, to figure out what language it might be using for base64? So I had tried to do a couple things here, and I'll kind of walk through my thought process. But first let's get just a script. I'll call it solve.py, because we're feeling pretty confident, and it will go with a Python shebang line. I'll zoom in on this here so you can see it. And let's go ahead and import pwntools. So let's just do a `from pwn import *`, and I'll do that because we do need to go ahead and create a remote, like a tubes object, or a socket object essentially in the pwntools speak. I'll call that like s, for whatever, for socket, and then just specify the host and port information. So before I define that s variable, or that object for the socket, we'll just say host and port can equal that information, and I'll specify that IP address as a string, but this port can just remain as an integer. So s now can equal remote, which is a function we're going to end up calling through the pwntools namespace, even though we just brought it into the global context here, with host and port. There we go. And then just for safekeeping we'll close that socket, and then we'll operate kind of in the middle here to keep writing our code. Obviously, just a simple sanity check: if we were
to go ahead and run that, we get an open connection and a closed connection. So, good enough. Let's go ahead and print our s.recv(), and you don't need to pass in any arguments in this case because we're using pwntools. Normally, for like the regular boilerplate default socket library, you might pass in like 4096. We do however need to know what this thing looks like when it is waiting for a prompt. It's just going to give us one line, supposedly. So let's actually recvuntil, to force, to make sure that we're waiting on our input. So now we can get that prompt, and then let's try and send some data to it. The question is, what do we want to send? I had thought originally, when I was going through this, like, oh, let's just send it all of those printable characters that you might see in regular base64. Now I spent a lot of time kind of going down this rabbit hole, and then the epiphany hit me like a ton of bricks. And you might already know the answer; you might already know the trick and the gimmick as to what to do. Please bear with me; I'm going to showcase just my thought process kind of going through it. But, uh, let's grab the base64 module, because we are going to be doing some of our own base64 encoding stuff. So let's go ahead and determine the string that we'll send. We'll call it like, simple, to_send, whatever. Um, we want our a, b, c, d, e, f, g, etc., etc. Uh, I'm going to actually import that from the string library, so that way I can use string.ascii_uppercase and string.ascii_lowercase, and actually make that lowercase before I forget. Add in our string.digits, and then add in just a string of the plus sign and the forward slash. There we go. So now we have all of the base64 kind of characters that might end up being included in a regular base64-encoded string. So there we go. That is our entire set.
You can see that that is, if I paste it in here, 64 characters selected, right, kind of down at the bottom, hence the name base64. Now, when we connected over and over again, when we were using netcat and we would just be like, hey, "please sub," uh, the alphabet that it told us gave us seemingly 65 characters, because it included that equal sign at the very, very end. Right, so I'll copy this, and, uh, now you can see I have 65 characters selected on the very bottom of my left screen here. So I'll actually make sure we include that equal sign. Cool. Okay. Now we can go ahead and send this, right. So let's do a s.sendline(to_send), and let's see what we receive. There we go. Um, let's go ahead and run this. Okay, so now that data that's returned is going to end up being that, encoded with whatever language that it shows, and of course it's going to be different every single time. So, um, let's actually... that's going to be bytes here, but let's strip that of the newline character at the very, very end, and let's decode that from like UTF-8. And it's going to ask us next, hey, what language, or what is the alphabet that I used, and then we're going to be prompted for an answer. So for the sake of our own exploration, I'm actually just going to send nothing, so it will tell us what that library, what that alphabet that it used, was. So we'll send nothing, and then we will wait to receive. Actually, it tells us, nope, sorry, that's incorrect; the answer was all of this, and it'll tell us the alphabet. So for our own understanding now, we could carve out that information. I'm going to go ahead and like split on spaces and just get the very, very last one. So split, and let's get the very, very last occurrence. Now we should see... okay, that is the alphabet that they used. We don't need to print out this portion anymore, when it prompts us, hey, what was that? Um, but we see our new encoded rendition and their new library. So what could we do here?
Uh, I'll show you. Rather than doing this print for the very, very first one, I'm actually going to make this a little function, um, so I could get one encoded representation of a m, I guess, or a message, because I can't use string, or I don't want to use that string variable, because it, uh, it's already being used by that module. So the to_send I really can move out, because now that get_encoded function will end up being a function that can take in an argument, or we'll pass in a message here. So we'll sendline(message), and then we will recvuntil to get what it was encoded. So their encoding, I guess their_encoded, and then we'll determine what the alphabet was, so their_alphabet. Good, good, good. And now, once that's done, we can simply return their_encoded and their_alphabet, so we could kind of examine those. Now, once we've done all that, I kind of just want to put all these side by side so we can look at them. And I promise I'm not going to drive us into this wall for all that much longer; I just kind of want to showcase this and visualize what I was thinking. Let me go ahead and print out our... what do we want to send? Because our alphabet is actually going to end up being this, rather than our original to_send; we'll call that our_alphabet. So our_alphabet can equal... and I'll use an f-string here. Good. We'll say our message, and we'll just say message equals "please subscribe." Duh, we could actually just send the whole alphabet. Do we want to send the whole alphabet? Let's just, yeah, let's just send our alphabet. I hope that's not too confusing, but our message can equal that. Um, and I'm going to add some spaces in here so we can see it. But then let's go ahead and get their_encoded and their_alphabet, and actually we don't even want to print our message out, because we already know what it is.
We should get our_encoded, which can be a regular base64 encoding of this, base64.b64encode of our message, right. So our_encoded: the reason that I'm doing this is that I want to see if there's a relationship or some sort of mapping between how our base64 looks when we render it normally, or we encode it with a natural base64 encoding, and how it compares, right, to their_encoded when they use their own custom language. So once we get the encoded rendition of our message, then we can display our_alphabet, their_alphabet, our message, their..., etc., etc. So our_encoded and their_encoded, good, and their_alphabet. Um, we are going to make a little bit more room: their_alphabet and their_encoded. Okay. Okay. Okay. Okay. Let's go. Let's run this. Let's just see how it looks so I can get this kind of idea across. And it needs bytes, of course, so our message should actually be encoded as UTF-8. See how that looks. There we go. "our_message is not defined." get_encoded(message) is what that should be called, not our_message. Now let's try that. Okay, um, uh, the logging is kind of getting in the middle, so I'm going to actually turn that off. I'm going to use context.log_level; I'll set that to critical, so that way pwntools won't display all that debugging information. Okay. Now, oh, our_encoded is going to be base64 with a bytes thing there, but, uh, let's decode that, decode UTF-8. There we go. Okay, so maybe this is hard to read, or maybe this is weird, um, because kind of it's lengthy and long. We should send a smaller string. How about that? Uh, so rather than message being our alphabet, let's just use message to be that "please subscribe." I keep changing my mind, you know. How about that? Okay. Now I won't harp on this for all that much longer.
I promise I will bring us to the solution idea, but I had a thought, and maybe I'm misremembering it right now, but I noticed that our alphabet, when we encoded it, our capital A became a c, and when they... uh, oh shoot, their alphabet. Let's try that again. Our a became a c. I have a space in there and that's going to drive me crazy. Our a became a c when we encoded it, or I guess it's a p that we were sending, because of "please subscribe." So maybe I'm getting this relationship completely wrong. However, when they encoded it, my, uh, our letter p became an s, a lowercase s. So the c that we had lined up with this p... or no. Oh goodness, I'm dying. Let's... oh my goodness, this whole idea is falling apart. That's the hard part, because I was like trying to remember, like, what relationship did I see? I know I saw something. Uh, our a becomes a capital Q, and that is what we're sending here, right. So in the case of them, when we took our a, it became a lowercase s. So our Q over here, bringing that down vertically, you can see that their position of Q is an s. Um, am I down one way? No, no, no, no, no. Sorry, Q, Q. This idea was like really messing with my head. Our_encoded, our original unencoded a, became Q when it is encoded. So if we look at the position of Q in our alphabet, and if we were to take a look at what it was in their encoded rendition, our unencoded a became an s with their language. So that Q in our position in our alphabet became an s in their alphabet. So using that strange mapping, you could potentially figure out, okay, the location of what is what in, uh, their encoded alphabet, to know each individual specific letter translation in our alphabet versus their alphabet. However, that has a problem, because what if some of the letters aren't included in their encoded response? Like, I don't see a capital A in here. Do you? So what is it going to take to determine that capital A?
Do we just keep sending it more stuff and hoping that we actually see the relationship and mapping? It's not always going to end up working out that way. So that I actually never saw work. Um, actually, is that in my previous code? I never... I didn't write it on this machine; I wrote it on my laptop. Okay, so I guess we're not going to end up seeing that. That was the original thought, and maybe that was horrendously explained out loud. I thought there was a relationship, and there was, but it wouldn't get all of the data and all the information. So now that we've burned a whole lot of time, let's actually crank through this in the best way that we could. Rather than sending our original alphabet of all of the letters that you might find in base64, all the capital, lowercase letters, zero through nine digits, and plus and forward slash, here's the deal, here's the gimmick. Let's take our message, for what the normal alphabet would look like if you were to encode it with base64, and do a normal base64 decoding on it. So we'll decode it before we send it, so we could see what it looks like, and really what alphabet they're going to end up using when they use their alphabet, like their encoding, will look identical to their alphabet. And I'll show you what I mean. So let's take our alphabet and let's base64 decode it. What we're going to end up sending, let's decode that. Wacky idea, right? But now when we send that data, our original one will look like our message, except it's going to be the base64 encoded version. So when we send it to them, they will encode it with their language, and it will just straight up tell us the language. Let me show you that. There we go. So A, B, C, D, blah blah blah blah: when we send it, their alphabet is going to be exactly their encoded representation, just about. So their encoded representation, actually up to 64 characters, and then adding an equal sign in there, is going to be their alphabet every single time. Ta-da. Ta-da. Ta-da. That's it.
That's the gimmick. So what we could just take, right, we could just go ahead and grab their_encoded, and let's say we think the alphabet is right, found_alphabet I guess, can be their_encoded value up to the 64th place, adding in an equal sign. And that's it. So found_alphabet can equal the found alphabet, and that should match the alphabet that we retrieved from them as a proof of concept. Yep, it does, and it will every single time. So that is how you could determine what alphabet they'll be using. Now we just have to send it to them. So let's go ahead and do that. In our... let's just take the exact same code. We don't even need to run the, uh, get_encoded function, but let's just kind of take it. Here we go. So the message that we send is the base64 decoded alphabet, and when we retrieve it, we get their encoded representation, and now we'll send them the found_alphabet that we determined from them. And then let's go ahead and do a s.recv(). We don't need to force the broken alphabet down to the very, very bottom, so let's actually remove that last line there. But let's see if that will tell us the flag right away. Oh. It actually says incorrect. But it is in fact the exact same alphabet; we just saw that, and we just tested it. Gimmick here, and gotcha: uh, when we use sendline, I guess that it must be doing something; we were adding some other newline character in there, and it is reading it literally and interpretively. So don't use sendline, and it will take it. Check it out. Ta-da. That's it. It's correct. And that is the Alphabet challenge. I'm sorry I dragged you through that. Uh, I didn't mean to do all that kind of verbose showcase there, but I think, I hope, that that kind of explains the idea a little bit more, or you get to see some of the thought process and the side by side as to how all these things look when they're working together. So we did it. Like, that's it.
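Here is the alphabet gimmick written out offline in Python, as an added example of mine rather than the video's solve.py or the challenge's server. It builds a stand-in server that remaps standard base64 into a shuffled 65-character alphabet (punctuation included, like the "!", "$" and "{" seen over netcat), sends the probe `base64.b64decode(standard_alphabet)`, and shows that the encoded reply is the alphabet itself; a decoder using the recovered alphabet is included so the mapping can be checked in both directions. The `encode_oracle` callable stands in for the pwntools remote, and as the video found, the real answer goes out with send, not sendline.

```python
import base64
import random
import string

# Standard base64 symbols in index order 0..63, plus "=" as the 65th (pad) symbol.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
STD_WITH_PAD = STD_ALPHABET + "="


def custom_b64encode(data: bytes, alphabet: str) -> str:
    """Standard base64, then every symbol remapped into a custom 65-char alphabet."""
    if len(alphabet) != 65 or len(set(alphabet)) != 65:
        raise ValueError("alphabet must be 65 distinct characters (64 symbols + pad)")
    table = str.maketrans(STD_WITH_PAD, alphabet)
    return base64.b64encode(data).decode("ascii").translate(table)


def custom_b64decode(text: str, alphabet: str) -> bytes:
    """Map the custom symbols back to the standard ones, then decode normally."""
    table = str.maketrans(alphabet, STD_WITH_PAD)
    return base64.b64decode(text.translate(table), validate=True)


def make_server_alphabet(seed: int) -> str:
    """Constructed stand-in for the challenge server's per-connection alphabet:
    64 shuffled printable symbols (letters, digits, punctuation) plus '='."""
    rng = random.Random(seed)
    pool = [c for c in string.printable if not c.isspace() and c != "="]
    rng.shuffle(pool)
    return "".join(pool[:64]) + "="


def probe_message() -> bytes:
    """Decoding the 64 standard symbols gives 48 bytes whose sextets are exactly
    0, 1, ..., 63 in order, so any base64 variant encodes them as its own alphabet.
    48 bytes also fits the server's 'up to 100 bytes' limit."""
    return base64.b64decode(STD_ALPHABET)


def recover_alphabet(encode_oracle) -> str:
    """encode_oracle(bytes) -> str plays the server's encode step.
    48 input bytes produce no padding, so the pad symbol is appended by hand."""
    encoded = encode_oracle(probe_message())
    return encoded[:64] + "="


if __name__ == "__main__":
    secret = make_server_alphabet(seed=2024)
    found = recover_alphabet(lambda m: custom_b64encode(m, secret))
    print("recovered alphabet matches:", found == secret)
    print(custom_b64decode(custom_b64encode(b"please subscribe", secret), secret))
```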
We could, uh, just re.findall and like carve out that flag if we wanted to make our script a little bit more formal. But we solved it, and I think that's all that we really should do in this video, because this came... it's got to be a little bit more long and lengthy than I expected. But, uh, I hope that you guys enjoyed that pace. I didn't want to go like blazingly fast through this, but I hope it was good and enjoyable, and, uh, thanks so much for watching. I do want to do more of the GuidePoint Security capture the flag videos. Uh, it's kind of just a matter of me making time to record them, and, uh, there's, you know, like a lot on everyone's plate; life gets in the way and all. So, uh, but there are some plans, and I do want to showcase more of them. I know there are a good few challenges that I do want to bring to you. All right, that's the end of the video, everybody. Thanks so much for watching. Please do all the YouTube algorithm things: please like the video, comment on the video, subscribe to the video, and I would love to see you in the next video. Thanks, everybody. Bye.