Hello, and welcome! Again, this video is part of a series, number 12 in the series. And if you aren't familiar with it, we're doing the CTF, the capture the flag, for Google 2018. Again, I was asked to do a shout out to this. I don't really know these guys, but I love their channels: LiveOverflow, John Hammond. They're the ones, you know, I subscribe to them, I saw them doing it, and I thought I'd do some videos. I'm a little late to the game, but I'm trying to write scripts to automate all these and kind of work through and explain each one in detail as best I can for people who don't understand them. And I'm going to go over this one. I had to look this one up. I understand, you know, the concepts of what's happening. You know, I did Admin UI, then I did Admin UI 2 a few videos ago, and I really stank it up. I did my best to explain it; it was a little over my head, and so was this one. So I'm not going to try to go into too much detail, but I'm going to explain it the best I can. And I do have a script that automates the process. So again, if we go to gitlab.com/metalx1000/CTF, that's capital CTF, hopefully I'll remember to put a link to this in the description of all these videos. There you can download all my scripts that we're going through in these videos, and you can try them and follow along with these videos. Real quick, we'll just run this script; it gives some output and then you see the flag. So this is a continuation; this is the third part of the same thing. So let me just cat out my script here. We have these two flags from the previous two Admin UI projects. We're just getting deeper into the same little server here, which is this server right here. This is information that we received from the Google website, the withgoogle.com website.
So basically, this is an IoT device that we're supposedly digging deeper into, and we're finding flaws in it, and it's pointing out that, you know, lots of times if you see software with a lot of little spelling errors and stuff in it (and I am a horrible speller, so I'm guilty of this as well), but lots of times if you see spelling errors and stuff, little things wrong with software, that means the people who made it probably didn't put a lot of time, effort and heart into it, so there are probably going to be bugs. There are bugs in all software, but definitely when you see something like that. So basically what happens is, let me go ahead and use Netcat to log into this server. And when you do, you get these things. We can go into one here, which is this one I explained very well, the first one: you know, you're traversing up through directories and then going back down to find information about the currently running program, and then you're able to find the directory it's running in and pull down the binary and look through it and stuff, and that is how we were able to get the first flag. The second flag, we kind of did the same thing but had to reverse engineer the binary a little bit more, which, I understand the concepts, but it was a little bit over my head. Well, we're doing the same thing again, but the first two flags are the passwords for this. So actually if I was to, let's just type blah, blah, blah to get out of that. So we'll select service access; one asks for a password, I paste the first flag. Great, now it asks for a second password. So we'll take the second flag and type it in there. Perfect, now we have a shell here that we want to take advantage of. I really don't know, I forget, I think there was a command that we were able to run. I remember it was, but it's not important to what we're doing here. Let me again cat out my script here. Basically, if we run that again, press 1 to access the service access, we can put in the first flag, this one here, pow.
And instead of the second one, we can give it, or actually, is that it right there? Access denied. Let me shrink this up some so I can read a little bit better. I'm passing in the same thing in my script here, but actually I believe any password of this length, which I think was 32 characters, would give you access to it. So let's give that a try. I didn't put that into the code, but let's go ahead and give it a try. So we'll access this, we'll put in this password. And it doesn't really matter, but we could go, again I think it's 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 1, 2. I count by 20s; I don't know why, I've done that for years. Okay, hit enter, and access denied. There is, again, I'm not going to go into details, there is a certain length of string that I believe you put in there; it doesn't matter what you put, it will work as the second password. But it doesn't matter, because we have both passwords. But the fact that you can do that shows that there is, you know, a problem with the way it checks things. And basically the, oh, invalid choice. Let me try that again. Sorry. Now paste this password and paste the second password. So basically what we're doing is a buffer overflow. Basically we're going to pass it a string of a certain length, and that kind of runs past where it's supposed to in the program, and you can overwrite another part of the memory. And this is the kind of part that always blows my mind. So I haven't worked much with debuggers and decompilers and disassemblers really too much, but using them you can kind of see when someone writes something wrong to where you can do something like this. So from my understanding, we pass it just all these As, and then these last few characters are overwriting a point in memory that points to something. So when we actually run this, and of course it's not working now. Oh, wait. Yes, that's it.
You run that and then you type quit to get out of that. And instead of saying goodbye and going back to the main menu or exiting, you now have access to a shell. And if we were to cat out another flag for you, we get our key here. So let's do that all over again. We're going to go in here. We're going to grab our first flag that we got two projects ago. Grab the second one as the second. Again, you've got to press 1 first. Then pass it the first password. Then pass it the second password. Again, there are other things you can put in there to get that. And then we can take this command. And again, the first part of this is basically just filling up space, and the last few characters point to a place in memory of the program that's basically bringing us somewhere else. So it says unknown command like it normally would. But now if we type quit, we can now list out and run other commands like find, or, let's see, I haven't played around with this, see how big the hard drive is, get an idea of the files in here. So yeah, and present working directory. And yes, so we're in /home/user. And again, as I said in the previous ones, the program is in the user's home directory. Right here, this is our main program and our first flag. But there is a directory called patch notes, and that's actually when you go in to look at the version numbers, that's where you are. That's why you have to back up a directory to get the flag, or do what I did where I back all the way up to the root and then back down. So yeah, my theory on that from two videos ago was right. So let me show you, I didn't show you what's actually supposed to happen. So let me real quick cat out my script so that I have the passwords right there. We'll log in. We'll press 1, which I always forget to do. And then we'll pass the first password. We'll pass the second password.
And then normally if I type blah, blah, blah, it says unknown command, and if I type quit, it just brings us back to the main menu. But if we were to do the same thing again, and the second password, and then we were to pass it this string here and then type quit, it says bye. And it doesn't look like we're at a prompt. I wonder what other programs they have in here. Yeah, I didn't think that would work. Anyway, so that's a quick overview. Again, not the best explanation, because it's a little, I know the concept, but I don't really understand how you get there. There are notes out there that you can look up online, which is what I did. Basically, you're going to use a debugger to look through this, and you can somehow figure it out. I'm going to look into it more, and if I figure out more, I might do another video on this, but I just wanted to show you that in general. And let me see something real quick right here. I want to try something. I want to echo this into the 36 characters here. One, two, three, four. So yeah, I thought... Oh, that's... Yeah, 36. So you want 36 characters. Let me try this real quick, because I'm pretty sure that this worked earlier. Type in the first password, and now I said 32 before, but one, two, three, four, five, six, seven, eight, nine, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, one, two, three, four, five, six, seven, eight, nine, 10, 11, 12, 13, 14, 15, 16. Nope. I'm 99% sure that when I was reading up on this, and when I did it, there's a certain length of characters you can put in there for the second password and it gives you access. And that's like the first step to realizing there's something wrong with the program, or at least one of the first steps. Anyway, not the best explanation, but I kind of walked you through it. If you understand it more, or if you have a good write-up on it that explains things very well, comment below; I'd appreciate it.
Because this is the sort of thing that intrigues me, and I've played around a lot with binary files in the past, but I haven't really used debuggers and stuff too much in the past, or decompilers, because really a lot of that stuff, from my understanding, you need to understand assembly better. And I have looked into assembly. I've made a simple bootloader once in assembly, just following directions from a tutorial and playing around with it a little bit. But I just don't have the motivation to really get in depth in it, because 99% of what I do, it's beyond me. It's like, learning that is learning that so that you understand things better, so you can do stuff like this better, but I don't do stuff like this often. So my motivation: I'm intrigued by it, but not enough to actually learn it. Maybe someday. I do thank you for watching again. Go ahead and visit my website, which is filmsbykris.com. That's Kris with a K. There should be a link in the description there. You can search through all the videos on both my channels, and on binary files I go over some things with hex editors. You can search through my videos very quickly there. And if you like my videos, be sure to subscribe, like, comment, and share. And if you really, really like them, which I hope you do, think about supporting: either check out the description of this video for my Patreon channel, which is on patreon.com, or go to the support section on my website. You can support me through PayPal or Patreon. And if you can't do that, sharing this video helps a lot, supposedly. I do thank you for watching. And as always, I hope that you have a great day.
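The mechanism the video describes (send a long run of filler, whose last few bytes land on a pointer the program later uses, then type quit and get a shell instead of "bye") is easiest to see in a toy program. The C below is an added example written for this page; it is not the CTF's Admin UI binary, not the video author's script, and it does not claim to reproduce that binary's layout or offsets. The struct layout (a 32-byte command buffer followed directly by the function pointer that "quit" dispatches through), the constant CMD_LEN, and the names session, handle_vuln, handle_fixed, build_payload, say_bye and spawn_shell are all assumptions made for the demonstration. The payload is constructed in the code, not captured from the challenge.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define CMD_LEN 32   /* assumed buffer size; the real binary's is unknown */

/* Assumed session state: a fixed-size command buffer immediately followed by
 * the function pointer that the "quit" command calls. Everything below relies
 * on these two fields being adjacent. */
struct session {
    char cmd[CMD_LEN];
    int (*on_quit)(void);
};

static int say_bye(void)     { puts("bye");       return 0; } /* intended quit handler */
static int spawn_shell(void) { puts("$ (shell)"); return 1; } /* only reachable via the bug */

void session_init(struct session *s) {
    memset(s, 0, sizeof *s);
    s->on_quit = say_bye;
}

/* Vulnerable handler: copies however many bytes arrived into cmd, so input
 * longer than CMD_LEN spills into on_quit. noinline keeps the unbounded copy
 * opaque to the optimizer so the demo behaves the same at any -O level. */
__attribute__((noinline))
int handle_vuln(struct session *s, const unsigned char *in, size_t len) {
    memcpy(s->cmd, in, len);                 /* BUG: no bound against CMD_LEN */
    if (strncmp(s->cmd, "quit", 4) == 0)
        return s->on_quit();                 /* jumps through whatever is there now */
    printf("unknown command: %.*s\n", CMD_LEN, s->cmd);
    return -1;
}

/* Hardened handler: reject input that does not fit and always NUL-terminate,
 * so on_quit can never be touched through cmd. */
int handle_fixed(struct session *s, const unsigned char *in, size_t len) {
    if (len >= CMD_LEN) {
        puts("command too long");
        return -2;
    }
    memcpy(s->cmd, in, len);
    s->cmd[len] = '\0';
    if (strcmp(s->cmd, "quit") == 0)
        return s->on_quit();
    printf("unknown command: %s\n", s->cmd);
    return -1;
}

/* Build the kind of input the video describes: filler ('A's) up to the
 * pointer, then the address we want "quit" to jump to. Returns payload length. */
size_t build_payload(unsigned char *out, size_t cap, int (*target)(void)) {
    size_t fill = offsetof(struct session, on_quit);
    if (cap < fill + sizeof target)
        return 0;
    memset(out, 'A', fill);
    memcpy(out + fill, &target, sizeof target);
    return fill + sizeof target;
}

/* One session against the vulnerable handler: payload, then "quit".
 * "quit" now lands in spawn_shell, so this returns 1. */
int run_vuln_session(void) {
    struct session s;
    unsigned char payload[64];
    session_init(&s);
    size_t n = build_payload(payload, sizeof payload, spawn_shell);
    handle_vuln(&s, payload, n);                              /* "unknown command: AAAA..." */
    return handle_vuln(&s, (const unsigned char *)"quit", 4); /* -> spawn_shell */
}

/* Same session against the hardened handler: payload is rejected and
 * "quit" still reaches say_bye, so this returns 0. */
int run_fixed_session(void) {
    struct session s;
    unsigned char payload[64];
    session_init(&s);
    size_t n = build_payload(payload, sizeof payload, spawn_shell);
    handle_fixed(&s, payload, n);                              /* "command too long" */
    return handle_fixed(&s, (const unsigned char *)"quit", 4); /* -> say_bye */
}

int main(void) {
    printf("vulnerable session returned %d\n", run_vuln_session());
    printf("hardened session returned %d\n", run_fixed_session());
    return 0;
}
```

Two things worth noticing when reading this against the video. First, the overflow input itself produces the normal "unknown command" response; nothing visibly breaks until the overwritten pointer is actually used, which is why the shell only appears after typing quit. Second, the fix is not in the quit handler at all: it is the length check on the copy into the buffer, which is exactly what a debugger session on the real binary would be looking for.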