Everyone, in this week's recitation, we are going to go over the sixth assignment, which is based on application security. We have a set of challenges that are hosted on a specific server. You log into the server, you solve each challenge, and you have to run a specific program, which marks you as having solved the challenge, and that's how we grade you: based on how much you've solved and also on the submission that you make.

All the challenges are hosted on this server here, hackme.cse365s20.adamdoupe.com. In order to get access to this server, you need to submit an empty file on this assignment here, Pwnage Account, which will give you the username/password pair that you need to use in order to SSH into the server. The SSH command is also given here. It's the same as the SSH command that you were using for the Bandit assignments. Once you SSH in, all the challenges are located in /var/challenge. What you need to do is solve each challenge and run this program here, leet, which marks you as having solved the challenge, and that's how we know that you have finished solving the challenge. Once you solve a challenge, you can verify whether you executed leet correctly by running the command called score, which lists all the challenges that you have solved as well as all the challenges that the other students have solved.

Some of the tools that you will need for this assignment, objdump, GDB, ltrace, and strace, are all already installed on the server. You can run Wireshark locally; that would be the better choice for that specific challenge. And you should have scp or any SSH tool that allows you to copy files to or from the server, okay? The evaluation and the extra credit details are all here. They're fairly self-explanatory. You can always take a look at them.
Once you've solved all the challenges, for the submission you submit to this assignment here, Pwnage, where you need to include a README file that has all these specific details: your name, your ASU ID, as well as a description of how you solved each level. If you wrote any source code for it, anything at all, for any of the levels, you can include it all. The description is also very important, because that's how we test whether you have solved and understood the challenge correctly, right?

Okay, so now with that done, I'm also going to show a demo of a few things that would be helpful for you to get up to speed with the assignment. So I'm going to quickly change the screen that I'm sharing; just give me a few minutes. Can you see a terminal that is shared right now? Okay, great.

So the first thing that I'm going to show you is how you actually SSH into the server. I'm using a Linux machine right now, so I use the terminal to do it. If you're on a Windows machine, you can use the terminal; I believe SSH is there. Otherwise, you can use PuTTY to SSH into the server, or any other tool that you use. So the command is simply ssh, your username at the server. It asks you for the password, you enter that in, and you get a terminal displayed like this, okay? So the challenges are all located in this specific folder here, /var/challenge. You can see all the challenges being listed here. You have to enter each specific directory and solve each challenge, and that will show whether you have solved a challenge or not. And once you do that and execute leet, you can run the score command to see if you have solved the challenge. Now, I'm going to show you a very basic challenge that you can solve. Let's just look at "just execute me"; it's actually pretty simple.
All you need to actually do is just execute this specific binary, and it'll show you "congratulations, you have broken the level just execute me" and it's going to do some stuff. Basically, all this output is done by leet, right? So this is the same output that you would see if you run leet correctly. And after you have solved the challenge, if you do score by $USER, it'll show you that you have solved one specific challenge. To see which specific challenge, you can run the entire score command, which displays the entire scoreboard. You can see all the challenges that all the users have solved. As you can see here, I have solved the challenge "just execute me". So that's a very simple example of how you solve a challenge. For all challenges, you should see an output like this, which shows that you have successfully broken that specific challenge.

The next thing that I'm going to show you is how you can scp a file onto the server. So for that, just give me a second. I have actually already solved the basic overflow challenge. I have the exploit here written; it's a Python file. So now I need to transfer this file onto the server. The command to do that is scp, the file name that you want to copy, your username at the server, and the specific path where you want to copy the file to. You can omit the file name and it keeps the same file name, but you have to specify at least the directory where the file has to be copied. So once you run this command, it'll ask you for the password again. Just enter the password in and it will copy the file into the home folder. And if you go to the home folder, you would see this file here, basic overflow exploit.py. So run this specific command: scp, the file that you want to copy, the destination, and it will do the copy. So that's the second thing that I wanted to show you, how you scp files to the server.
Now that we have copied this file, I'm also going to show you something that's more interesting, a more advanced solve: we are actually going to use this specific exploit here to solve the challenge basic overflow. So I'm going to show you how to do that. This specific challenge basically takes an argument and then it just terminates. Now this has a very specific requirement: whatever input you give, whatever exploit you give, has to go through this specific argument, as you can see. Now this script that I have in my home folder prints out the exploit for this specific command. I want to give that output directly as input to this specific binary, as an argument. So a quick way to do that is to just run this executable file and do $(cat basic overflow..., oops, sorry, $(python basic overflow exploit.py). Sorry, it should not be cat, it should be python, my bad. So what this does is it executes this specific command, and whatever is printed to stdout by this script gets passed as the argument to basic overflow. So when we run this, you'll see that my exploit was correct. It was passed properly and leet was executed, and if you check the scoreboard again, it will show that I have solved basic overflow as well. So that is the nice technique that you have here.

For some of the challenges, they also read input from stdin, so you can use input redirection in order to pass the input to the command. Now, if basic overflow actually read input from stdin, you would do something like this. What happens here is this command gets executed and its output is passed into basic overflow's stdin, and then everything will just work as if you were normally typing the input on the command line. One of the reasons why we do this is because it allows us to do things programmatically rather than having to type everything out.
But you can also always just write the output of this specific script to a file, and then you can just give that file as input redirection here. That would also work fine. So now that we know this, we also know how to look at the scoreboard.

The last thing that I want to show you is how to copy files from the server to your local machine. That's actually necessary for one of the challenges, which is find that pass. If you actually run the find that pass binary, it prints out a lot of text for you. It tells you that there is a traffic dump here which is suspected to contain the password, but the person does not know where in the traffic capture the password is. So you have the traffic capture file here, and this command also prints out to you how you actually copy the file to your local machine for analysis. The full command is given here: scp, the username at the server and then the path of the file that you want to copy, and the destination directory where you want to copy it. So it's just the inverse of the scp command that we ran to copy a file onto the server. We just specify the file on the server that we want to copy to our local machine, and we also specify a directory on the local machine where we want to copy it to. This default command copies the file into ".", which is the current working directory. All right, let me quickly check. Okay, so those are mostly the tips that I wanted to share with you. Now, if you have any questions, please post in the chat and I'd be happy to answer them.

So we have a question here: "After breaking a level, I ran leet and it said I haven't broken the level yet." Then it most likely is the case that you haven't broken that specific level. leet specifically runs when you have broken the level, so the way you break a level is when you actually run leet with the privilege that that level specifically has. So if leet says you haven't done it, it most likely means that you haven't broken the level.
I know this is a very vague answer that doesn't really help you. If you can maybe create a private post on Piazza with a little bit more detail, maybe we can help you out there. But if leet says you haven't broken the level, then you haven't broken the level.

We have another question here: "Any recommendations on how to approach the group challenge?" This advice is mostly generic and not necessarily for the group challenge alone. The objective in almost all of these cases is to run leet as another specific group, right? Now, specifically for the group challenge, you need to be a member of the group named groups and then run leet. So your objective should be to somehow become a member of that group named groups so that you can run leet. Now, the executable file for the groups challenge doesn't give you any hints. You don't have to exploit it in any way. But what you should think about is: how can you become a part of that group named groups so that you can run the command leet? Does that make sense? If you have a follow-up question, please feel free to post it, and I can always answer better if that can answer the question.

So we have another question here: "Could you run leet on your terminal to see what would happen?" Now, if you broke the level correctly and you run leet, you will see an output like this, what I'm highlighting on the screen here, which says "congratulations, you broke the level", and it adds you to the group, and that's how you break the level. Now, if you run leet incorrectly, without breaking the level, the output will look something like this. So if you see an output like what I have on the screen right now, that means that you didn't break the level. And if you did break the level correctly, you would see an output like what I have highlighted now. I hope that helps.

We have another question here: "Everywhere I try to change my group requires the password for groups. I feel like I'm approaching it wrong."
It's a very specific question, so I'm going to answer it in a DM. For anybody who's following the video or listening in right now, I'm just going to say that the objective that is being pursued is correct. There are of course many ways to do it, but I can say that they're thinking along the right track. It is to change the group or add yourself to the group somehow so that you can then run leet. The direction that they're progressing in is correct, but the issue that they have is very specific, so I'm only just going to DM them later about it. Actually, if you could create a post on Piazza, a private one would be good, with a little bit more description of what you did, then I can always answer it. The chat here is also public, so I don't want to answer here. But I can tell you you're on the right track; that much I can tell you. So please make the Piazza post private, thanks.

We have another question here: "Could you explain a bit about the heat secret?" Do you have a specific question that would help me explain better? I'm not sure what exactly you want to know about that challenge. If you could ask a more specific question, that would be good. Okay, we have the follow-up question that clarifies the original question. Seth said that, on reading the source code, it seems to compare the valid password, and you need to find the correct password somewhere. Yes, that's correct. I'm just going to quickly pull up the source code of the binary. So yes, as you can see, it's actually comparing the two passwords, and you somehow have to make sure that the comparison turns out to be correct. The key thing to remember is, in order to get the shell, you only want this strcmp to succeed. And you don't necessarily need to know the password. You just need to make sure that the two passwords that are read here and here turn out to be the same. I hope that makes things a little bit clearer.
That's one of the things in the challenges for this assignment: be sure you clearly understand what the objective should be, because sometimes if your understanding is slightly different, it changes your entire approach and how you will probably solve the challenge. So in this case, you want the comparison to succeed. You want both the passwords that are read to be the same. I hope that makes sense. If not, please just post another question in the chat. I'd be happy to clarify things for you.

Also, just something that I thought would be worth highlighting, based on something that I just realized. Sorry, just give me a second. So for this assignment challenge that you have here, secure this house, you should actually execute this specific binary here and not the Python file directly. So even in a challenge like find that pass, where you have the Python file and this specific file here, please don't execute the Python file. You should execute this specific binary there. That is the one that you actually need to attack and exploit. If you exploit the Python file instead and then try to run leet, it may not work. So be sure that you're actually running the correct binary. Someone had mentioned earlier that they ran leet but it didn't work even though they had broken the level. Perhaps this was the issue. I think that person left. So hopefully they would see the video again later and find out that this was probably the issue. Just thought I'd add this also.

Another piece of useful information that I thought would be good to add. So for some of the challenges, like basic overflow, advanced overflow and RoPi, you might end up using GDB to debug and maybe solve the challenge. An important thing to remember is: if your exploit works within GDB, that doesn't mean you have actually solved the challenge. You still need to make the exploit work outside of GDB, because GDB drops the privileges. So if you were to run leet from within GDB, it wouldn't work, right?
But that's it. You can use GDB to debug your exploit and make sure that it works. And once you have it working inside GDB, then you can again try it outside of GDB. That's a nice way of making sure that your exploit is actually correct, or of debugging it if you have any issues. But don't run leet from within GDB. It's not going to break the level.
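The recitation's two ways of feeding a script's output to a challenge binary, as an added shell example that is not part of the recitation: the target binary and the Python exploit script are replaced by constructed stand-in shell functions so the plumbing (argument via `$(...)` versus stdin via a pipe or file) and its quoting and newline caveats are visible.

```shell
# Added example, not from the recitation. Stand-ins for a challenge binary and
# for an exploit-generating script, used to show the two delivery paths the
# recitation describes: as a command-line argument and on stdin.

# Constructed stand-in for a challenge binary that takes its input as argv[1].
target_argv() { printf 'argv1=[%s] argc=%d\n' "$1" "$#"; }

# Constructed stand-in for a challenge binary that reads one line from stdin.
target_stdin() { IFS= read -r line; printf 'stdin=[%s]\n' "$line"; }

# Constructed stand-in for the Python script: prints a payload ending in a newline.
gen_payload() { printf 'A%.0s' $(seq 1 8); printf ' X\n'; }

# 1. Argument delivery, the recitation's  ./basic_overflow $(python exploit.py)
#    Unquoted, the shell word-splits the output on whitespace: two arguments.
arg_unquoted() { target_argv $(gen_payload); }
#    Quoted, the whole payload arrives as a single argv[1].
arg_quoted() { target_argv "$(gen_payload)"; }

# 2. Stdin delivery. The recitation redirects the script's output into stdin;
#    a pipe is the portable equivalent (bash also allows  < <(python exploit.py)).
stdin_pipe() { gen_payload | target_stdin; }

# 3. Stdin delivery via an intermediate file, which the recitation also suggests.
stdin_file() {
    f=$(mktemp); gen_payload > "$f"; target_stdin < "$f"; rm -f "$f"
}

# Caveats worth knowing when a payload misbehaves:
#  - $(...) strips every trailing newline, so argv receives one byte fewer here;
#  - argv entries are C strings, so a payload containing a NUL byte can only
#    be delivered on stdin (or from a file), never as an argument.
argv_bytes()  { printf '%s' "$(gen_payload)" | wc -c | tr -d ' '; }
stdin_bytes() { gen_payload | wc -c | tr -d ' '; }

arg_unquoted; arg_quoted; stdin_pipe; stdin_file
printf 'argv bytes=%s stdin bytes=%s\n' "$(argv_bytes)" "$(stdin_bytes)"
```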