Hey guys, if you happen to be watching this video before October 8, please do check the link in the description. There is a Humble Bundle sale currently going on for Learn You Some Code, which has a cool package full of ebooks for F#, Java, Perl, Ruby, Python. Some really cool stuff if you want to get into some more programming and get in the weeds with books and stuff. Also, it's an affiliate link, so on a sale it helps support the channel. If you want to help me out, that'd be cool. Or if you just want to learn some code, that's a cool way to do it. Thanks. See you soon.

So I've gone ahead and downloaded all of these already. Just a simple wget and the link to bring it into the home directory or wherever we're working in our file system. And I created a little connect.sh script that will just simply run that netcat command to connect to the service. So it says, give me something to say. And I'll say, please subscribe. And it says, please subscribe. Now tell me my secret in hex. I don't know what it's talking about. 0xdeadbeef, I guess. I don't know. And it says, no, you're wrong, whatever, you lose. So we can do a couple of things. First of all, take a look at what this file actually is. We're given secret. And it is a 32-bit executable, a simple binary here. And we're given the source code. But the hint tells us that this is the beginning of a format string attack. So if we wanted to, we could do some research. What is a format string attack? Google that. And OWASP is pretty good. They're pretty excellent at explaining vulnerabilities and stuff like that. And it is a common case, at least in binaries and in the C programming language in particular, with the printf function, which is a common function that you'll see, especially within C.
Normally that function will take in a string as an argument, and then it will expect other arguments of different kinds of data types, like numbers, a float, a double, or even another string, just to add it in there, concatenate, or whatever the case may be. And we're using a format specifier, or an identifier, like %d for the decimal or the digit, %x for a hexadecimal thing, or %s for a string. And you can see that that is just the definition. And it's expecting these things to be supplied as another argument. So we have an interesting thing. If that other parameter, that other argument, is actually not supplied, and we can control the first argument that goes to the printf function, because it reads the incoming arguments and the other data that it would expect right off the stack, right off the program's memory. So we can take advantage of that if we have an unsanitized or vulnerable function call with printf, with input that we can control, or an argument that we pass in that we have control over, without any other variables or data following it like you would expect there, like a date or any other information. So do we have this in our variable, or in our script here, in the source code for this program? I don't know why I stumbled on every single word for that. Sorry. So we can take a look at the source code now because it's given to us. Looks like it opens up /dev/urandom. So for some reason it gets information. Okay, it looks like that must be how it generates the secret, because it's reading out of /dev/urandom to get some secret or a variable and some information that you wouldn't know. And then it says, give us something to say; it will read in our input with fgets, stored in a buffer of buffer length 64, and then it calls printf on the buffer, or what we input, without any arguments following.
So if we were to supply some of those format specifiers, and there's a nice table here in the OWASP article, it says, sure, %x will read data from the stack, %s will read characters from the process memory, %n will actually write data. And that's the real complete attack, and like complete pwnage, that happens when you do a real format string attack, not this kind of simple minute example, not this kind of basic baby thing. But when you're literally taking over the printf function to exploit the binary and write data to the whole rest of the stack. Okay, so it gives us some common parameters and examples, so if we wanted to we could leak out a string or a pointer or hex that we may see on the stack or the rest of the program's memory. So enough of me trying to explain that, let's just go ahead and run our local binary. Let's run secret with %x. Sorry, %x is what I want to give as input here, and it gives me 40, which is clearly not what I entered; it's clearly not %x. That's because it's reading up the stack, but we only read one thing, and maybe that's not the secret. In fact, what could that have been, 40? Is that anywhere that we would expect, maybe something that may be being passed into the function or whatever the case may be? Well, what is bufflen? Because we're getting this as hexadecimal, aren't we? If I were to run secret again with %p, you know, that's a 0x40. So what is 0x40? We check it out in Python. Oh, that's 64. And you can see in our source code in the program that's what's being used as the buffer length variable. So we're just reading again up the stack, the buffer that we're trying to read out of. We also got the buffer length because we can just read that out. So we can try this a little bit more. What's to stop us from inputting a bunch of %p's or %x's or whatever else we want to leak out? You can use whatever divider you want in here.
And then we'll just keep looking at a bunch of these. We get 0x40, 0xf70d, et cetera, et cetera, et cetera. And some of these you could piece together and try and track down what they may be, like looking at the source code. Or you may just recognize, okay, these things are clearly function addresses or something in the stack, whatever the case may be. However, one of these is our secret. And we want to know whatever offset, or which of these, is the right secret. We could try a couple and just simply guess, but that's not too smart. I kind of want to be a little bit more strategic in how we're figuring this out, not just guessing at an offset. You could, you totally could. I could just grab any one of these and keep trying it like trial and error until I got the flag. But there is a better way to do this. As you can see in the source code, if we got the correct secret, if we supplied it, we would just get the flag, and it's going to run system on the server side. So we don't have a flag.txt file on our local binary. But since we're given the source code and we're given the binary, especially having the source code is super important for us, because we can recompile this and actually explore what the secret is going to be. And would we be able to actually find it, and find the offset for it, when we use our printf attack? And you'll see this as I go along. But let's compile the original source code with debug symbols. So -g for debugging symbols. And I'm going to say -m32 because I'm running on a 64-bit system and I want it to be a 32-bit binary. So -m32, the source code will be secret.c, and we'll call it new binary or whatever. And we get a warning because it's actually detecting, hey, we're using an unsafe function here. We're giving ourselves a vulnerability. It says format is not a string literal and has no format arguments.
So we're literally passing a variable that the user has control over and not giving those stack arguments. So we could, as we know from this OWASP article and what we're learning right now, we can go through with a format string attack. Okay. Now that we have the binary, new binary, let's go ahead and run GDB on it. And I have GDB PEDA, or the Python Exploit Development Assistance thing. You don't need it for what we're doing, but it is kind of handy. If you want to go ahead and look it up, you can grab it. Pretty, pretty simple, easy to install. There's a GitHub page for it. It's super duper handy. Okay. Python Exploit Development Assistance for GDB. An awesome thing if you're doing a little bit more in GDB, but again, not necessary for what we're doing right now. So now that I've loaded new binary, what I'm going to do is actually disassemble the main function. So the main function is where we start when we are running the source code, when you're running the program. And it's in, this is Intel syntax, yeah, because GDB PEDA will put it in Intel syntax automatically. So you can see through some of the assembly code here what the program is doing, because we're just disassembling it. And if you want to reverse engineer it by looking at assembly, you totally could. Looks like we're calling open on /dev/urandom, we're reading it and going ahead and storing that as our secret variable, et cetera. Closing the file handle and doing some other things. So at this point, at any of these instructions within the main function after we've read the secret variable and stored it in something else, because we've compiled this binary with debugging symbols, we could jump to a spot where secret is being filled and then check what the secret variable is. So that's kind of handy in using the GNU debugger here, or any kind of debugger. Let's just take this address, just after we've closed out of the binary and supposedly read it, and determine what our secret variable is.
We can set up a breakpoint there. So I'm going to say b for break, or break if you want, for breakpoint, and then b with an asterisk. So we know that, okay, I want this memory address to be where I'm going to break, not a specific function name. So then I set the breakpoint, I'm going to hit r to run the binary. So it's going to get me up to that instruction just as we broke it and as we saw in our disassembly. And now we can print with GDB the value of secret, the variable that we know we're working with, again because we compiled this binary with debugging symbols. So that variable name is totally fine to use in GDB. If I check this variable out, we know we have this as our secret. That is the hexadecimal for it. So if I hit c to continue, and we see, give me something to say, in this case, because now we're using the debugger and we know what the secret variable is, we could literally put in anything. I can put in a hello, or more please subscribe, and it would just spit that out at us. We don't even need to use the format string attack. So now tell me my secret in hex. Well, we know it, so I can just paste it in there, and it says, hey, you got it. And it would essentially try and execute system cat flag for us, but it's not going to work in this case. So now that we know, okay, we know we can find the secret variable, that value, let's find out where it is on the stack. So what I'm going to do is run this one more time. Probably just break out and do this again. disass main. After we go ahead and close the file descriptor that we're looking at, b at that address, run it, check out what the secret variable is. It's fc59f436. Okay, great. So now we can continue. And, give me something to say, now let's go ahead and try and use %p over and over and over again. Until we get to maybe an idea where, okay, probably we've read enough of the stack to find the secret variable.
It looks like it is one, two, three, four, six, seven, eight. Eight offset, eight positions in, eight variables or eight pieces of data off the stack. So is that going to be something that we can easily track down every single time? Probably. Let's go ahead and try this. And actually, I think there is a format specifier to denote which specific one you want, like what offset off the stack you want. I think the syntax, if I try it again, continue, should be a dollar sign, a percent, percent eight or the number that you want, and then a dollar sign, then p, or whatever format specifier you're actually trying to use. So now this would be the secret. We can pass it in. And now we've got it. Cool. So let's use that payload on the actual server side. Let's say, give me something to say, let's use %8$p. So we know we have it in hex and we're getting the eighth offset, or the eighth position, out of it. It's f... I'm sorry, f7, blah, blah, blah. Paste it in here. Oh, no, we're wrong. Okay. Well, okay. I guess we'll just abort that entire idea. Maybe it's because of the environment that GDB sets up, or the new binary, however it was compiled. Maybe something was different in some of the compilation flags, whatever, but we can try other segments of the stack that we're looking for. And okay, 0x3 is clearly not it. Let's try the sixth offset and use that payload. And now we have, okay, some of it looks more random, and we can pass that in and get the flag just like that. That's kind of lame. And I'm sorry that I, I guess I was completely wrong in how I wanted to approach it. You can probably correct me in the comments. However, you can, as I said, kind of track down the variable by just guessing or trial and error and looping through the entire stack space if you want to find out what that secret variable may be, since it's just going to test it for you.
And again, if you wanted to, you could write a get flag script for this. You could cut this up in bash, or use Python and pwntools to put it together. But hopefully you have a little bit more understanding of what the format string attack is and how we could take advantage of it, at least in this kind of small, basic, trivial example. But this is the flag. If you wanted to, yeah, let's go ahead and just save this as flag.txt. And you could submit that for some points on the scoreboard here. Moving up in the world, and mark that challenge as complete.

Hey, I want to give a quick shout out to the people that support me on Patreon. Thank you guys so much. It's just phenomenal. You know, it's honestly just incredible. It's surreal and unreal to me that you guys, out of the goodness of your hearts, would just be willing to kind of help out me. You know, I don't do a whole lot. I mess up and make stupid videos that are dumb and have lots of flubs in them, whatever. So thank you. I can't say it enough. $1 a month on Patreon will give you a special shout out just like this at the end of every video. $5 or more on Patreon will give you early access to everything that I release on YouTube before it goes live. It is a shared Google Drive folder. So that way, while YouTube just kind of, like, I will record stuff in bulk and I'll have YouTube set them on a scheduled release, so they'll just kind of be delivered gradually, maybe daily or whatever the case may be. But if you want the content immediately, right when it's ready, that's the best way to do it. So hey, please do join our Discord server. Link in description. It's a cool community full of CTF players, programmers and hackers. Hang out with me and other cool people, get psyched and stoked. Psyched and stoked at the same time is "psyched", I think. And would that be spelled with a P, like psyched, or with an S? Like "and stoked". Like, how would you start that? Would you just switch? Alright.
Just join our Discord server. We're going to be playing picoCTF 2018 and other cool capture the flag competitions as they come and roll out. Please do. I'd love to see you on Patreon. I'd love to see you on the next video. Like, comment and subscribe and stuff. I'm bad at this. Later.
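As an added example, not code from the video or from the challenge's own secret.c: the vulnerable printf shape the video compiles and its hardened form, a small check that flags format directives in untrusted input, and the positional `%N$` syntax the video reaches for, here with every argument actually supplied so nothing is read off the stack. All function names and the constructed values are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define BUFLEN 64   /* constructed to match the 64-byte buffer described in the video */

/* The vulnerable shape from the challenge: the user's line becomes the format string.
   gcc warns here: "format not a string literal and has no format arguments".
   Kept only to show the bug next to its fix; nothing below ever calls it. */
void echo_vulnerable(const char *line) {
    printf(line);
}

/* Hardened form: the input is passed as data to a literal format, so a line such as
   "%8$p" is printed as the literal text "%8$p" instead of indexing into the stack. */
void echo_safe(const char *line) {
    printf("%s", line);
}

/* Detection: returns 1 if untrusted input contains a conversion directive ("%x", "%8$p",
   "%n"), 0 otherwise. A doubled "%%" is a literal percent sign, not a directive. */
int has_format_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" escapes the percent sign */
        return 1;
    }
    return 0;
}

/* Positional parameters: "%N$x" selects the N-th argument after the format string.
   With a, b and c really passed this is the legitimate use; in the challenge the same
   syntax selected a stack slot for which no argument was ever supplied. */
int render_positional(char *out, size_t outlen, unsigned a, unsigned b, unsigned c) {
    return snprintf(out, outlen, "%3$x %2$x %1$x", a, b, c);
}

int main(void) {
    char out[BUFLEN];
    const char *line = "%8$p";   /* constructed sample input */
    render_positional(out, sizeof out, 0x40, 0xdead, 0xbeef);
    printf("positional: %s\n", out);
    printf("directive present: %d\n", has_format_directive(line));
    echo_safe(line);
    putchar('\n');
    return 0;
}
```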