 Hello, YouTube. Welcome back to some more Pico CTF 2018. I'm your host, John Hammond. So in this challenge, we're looking at assembly zero for 150 points in the reversing or reverse engineering category. It says, what does SM zero or ASM zero with these arguments return? Submit the function, I'm sorry, submit the flag as a hexadecimal value starting with zero X. Submission for this question will not be the normal flag format. So it's not wrapped in Pico CTF. We're given the source, we can download it. And let's just kind of take note of the function and the arguments that are going through it. So I downloaded this already. I'm just going to go ahead and sublet, open it up in sublime text. I'll drag it over to the side here and I'll create a new pane so I can look at it. I'm sorry, this stuff was when I was testing. So let's say we are running this function ASM zero zero X to a and zero X for F. And we're given this function ASM zero in assembly here. So this looks like Intel syntax. And I've covered the difference between Intel and AT&T syntax before. But right now we have just a super simple function. It seems like really, really short, but we're just trying to figure out what is the value or what is being returned here. And in that case is what is the value of EAX, right? So the final value of EAX once we are done at the end of this function here. So we have a little bit of stuff going on. For one thing, we push EBP or the base pointer, right? And we move EBP to ESP or the stack pointer. So these two things are the function prologue, right? Those happen at the beginning of every single function. So they're not incredibly important, at least not for what the function is really doing from what we want to see or care about. The next part, it says it moves EAX to be this value. And this is EBP plus zero X8. So we know it's a word, we know it's some, I guess, four byte information. I may be wrong on saying that, sorry. But we've got a value at EBP plus zero X. So EBP is the base pointer, right? And we're using that as to where ESP or the stack pointer was, and it's pushed onto the stack. So when we get a function prologue, we're building out a stack frame for the specific function. So I want to go ahead and try to help you visualize that over here. Let's say this kind of block that I'm building is our stack frame. So we go ahead and we push EBP to some position on the stack, let's just say right here EBP, because above that, we had all the arguments that were originally pushed onto the stack in the original return address that would be where you would go back to in the code after this function were to exit. So that is what's above the EBP or the base pointer on the stack. So let's say return address. And now we have the arguments that come that we would have originally passed to that function. Those are also pushed onto the stack before it. So those are the function arguments or argument variables. How about that? Normally, once you have variables declared also inside the function, you'll have them beneath the EBP or the base pointer, so local variables. And we can spread this out a little bit if you want to just to make it a little bit more visible. But what I'm trying to say is that EBP right now is our reference. And you can see that kind of literally in use within the code because EBP plus or minus will allow us to access different parts of like valuable information for us, like the return address, like the argument variables or like the local variables. So these are all different, like these are all separated by each other by a difference of four or four bytes. So when we see EBP plus four, that means that we're referring to the return address. When we see EBP plus eight, we know we're referring to the first argument that we've passed to this function. Or because again, that difference of four, it's just the next one on the on moving up. When we go to EBP plus zero XC, that's hex, right? It's just hexadecimal 12. So it's just four from zero X eight. So that would be the second argument that we've passed to this zero X four F. So that means we can kind of understand what these lines are doing. We can say that now EAX is being set to equal the first argument. So let's take note of that EAX equals zero X to a and the numbers may be different for whatever is it you actually have in your code. But EBX is going to then equal zero X for F. So that works just there. EBX, right? Now we're saying EAX to equal EBX, EAX equals EBX, which ultimately means that EAX is going to end up zero X for F, zero X for F. And then we have our punk or I'm sorry, our function epilogue, the very, very end of the function, where we say, okay, move the stack pointer back to EBP, go ahead and pop it off the stack and then return. So that means we're at the very, very end of our function, we'll go back to where we originally were supposed to go because of our return address. But now we know the final value of EAX or what this function will return. And that's going to be zero X for F or the second argument that we've passed to this function. So let's go ahead and copy it. Go over here, submit it. And we got it right. Awesome. So that's that. That's just all there is to it. Assembly zero was simple, right? But it just kind of took a little bit more of an understanding of what a stack frame looks like when you enter a function. And just being able to know, okay, Intel syntax, reading from left to right, these are the arguments that are going through it. And what it returns is what it really means is the value of EAX at the very, very end. So if we wanted to, we could totally save that as our flag zero X for F. And that's it. That's all we really need there. So perfect. Let's move that assembly challenge to be complete. And let's move into the next challenge here, buffer overflow zero. So it says, let's start off simple. Can you overflow the right buffer in this program to get the flag? You can also find it at buffer overflow, this thing on the shell server, we're given the source. Okay, so I have this file, these files down a little already, buffer overflow zero, we're given the source and the binary. Let's check them all out. Yeah, binary is Vaughn and the C source code is Vaughn dot C. So let's make the Vaughn executable. And let's check out what the source code is here. Vaughn dot C. I'll make this one big screen. So we are in the main function, let's go right there, because that's the very start of where the program will begin, noting noting that C code, it tries to open up the flag dot text file. And if it can't read it says something is wrong. So that's fine. Looks like we will probably need to run this on the server. So it gets us that flag file that we particularly need. And it looks like it will read it, set up a signal, if it gets a psych fault to try and run this sigsev handler. And it'll get the UID and then you get it. So it looks like it will get privileges from whatever other owner runs this file. And it'll determine, okay, if we have an argument, if argc is greater than one, it'll pass that argument argv1 to this Vaughn function. Otherwise, it says, okay, it takes an argument. So Vaughn does need an argument. It says Vaughn or vulnerable function takes an input about 16 characters, and it tries to copy it onto a buffer from our input. So we have a 16 character buffer that we just have to overflow and break. And supposedly it'll handle that segmentation fault. Once we overflow that buffer, overwrite maybe a return address, as you saw, just in that stack frame, because we're just this is a, this is a function, right? So it's stack frame has this local variable right below ebp. And then right after it, the return address. So we have to overflow a little bit more, just to overflow ebp in the return address. And then we'll get a seg fault because our program won't know where to go next if we like corrupt the instruction pointer there. And that's what StringCup will allow us to do because it's not going to check the length of our inputs. It does, it's not using the better version of str or strn copy where you can limit the amount of characters that it's going through. And in the handler for the function, the, the segmentation fault, it will display the flag. So let's go ahead and try and solve this, right? Looks like we're gonna have to do it on their server. So hopefully we can just copy this location. And I'll try and load this page and really, really hope it won't crap out on me because of my internet, but we'll see how we do. John Hammond YouTube. Looks like we're cruising so far. Try and zoom in a little bit so you can see this better. I'll change directory to that location. Go there. And it looks like we have flag.txt that we could look at, but we're not able to read it. If we actually check the permissions here, only buffer overflow zero is allowed to read it. Like if I, again, if I were to try and run cat flag.txt, I'm not allowed to, that's why we needed to have that vol function and the vol.c where it is literally grabbing these permissions and trying to set them as we read it as so this, this program will be allowed to read the flag, but we are not. Okay. So let's try and run vol. It says it needs an argument. So let's give it a crap ton of A's, right? I'm just gonna hold down literally the A key and it breaks just like that. That's pretty neat. That's pretty cool, right? So what I'm gonna do next is just try and change that argument to some command substitution. So I'm gonna use a dollar sign parentheses and do some command substitution. I'm going to use Python and then tax C to just run a command as Python. And then I'm going to say print a or lowercase a whatever we want times, let's say 16 was just the size of that buffer, right? And then if I tried to pump that to 20, it says, okay, cool, we received that just fine. And we just overwrote the base pointer. Great. Now, if I were to go one above it, I would start to leak into the return address because we know that that's a difference of four, the four bytes for the return address. And it literally just some random A character is probably not going to be a location memory, like even if it just intersects with a little just a little bit. So let's go 21. Let's see if it breaks. Oh, it doesn't yet. Cool. That's fine. Let's go 22. Whatever. Maybe I'm wrong. I probably am. Let's go 23. Still nothing. What about 24? Are we overloading anything yet? Segmentation fault. Cool. Do I have a do I have a flag that's pumping out? I don't. What the heck? Maybe we're not returning this all the way that we should be. This is odd because I'm testing a little bit more and I actually got the flag to come out with 29. And it looks like 28 will get it as well. But 27 just gets a regular segmentation fault. So I'm curious what is hitting that handler function and actually and actually rolling it with it. One otherwise kind of segmentation fault on its own doesn't call that function. That's peculiar thing, but I guess that blows some holes in what I was trying to explain, but whatever. Bear with me. I appreciate you guys watching and stuff, you know. So we got the flag. Let's go ahead and copy this. Let's jot it down and let's save it for this challenge. And now flag that text. Great. Move that to be noted as complete. And let's go ahead and submit this. Yeah. But for overflow zero, 150 points in the bag. Quick shout out to the people that support me on Patreon. Thank you guys so much. I say it all the time, but it's still never enough. Thank you. $1 a month on Patreon or more will give you a special shout out just like this at the end of every video. It's nothing crazy. I know not a big incentive, but if you want your name and lights or whatever reason, some kind of recognition, I'm grateful for it. And hopefully it fills your heart and soul with those warm fuzzies. Good Samaritan D. It really helps me out certainly. Every little bit helps me and I don't know, makes me see some kind of potential in this, right? Like maybe if this could grow, this could ever become something bigger. I would love for that to be the case. So grateful for you guys. $5 a month or more will give you early access to everything that are released on YouTube before it goes live. That does not include capture the flag video right ups while a capture the flag competition is still going on. That's why I couldn't really showcase a lot of these Pico CTF videos like before the end of Pico CTF, right? I'm not going to just not going to share those because I don't want to share the solutions while the game is still going on. So, but again, if I've got some content that I'm ready to kind of have backlogged and let YouTube release and upload and kind of schedule on its own, maybe at a daily, daily upload schedule, that's how you can get that behind the scene scoop if you want that and get the content right when it's ready, right when it's hot, right when it's fresh. And it's super duper helps me. So, thanks. Hey, if you did like this video, please do like, comment and subscribe. Join our Discord server link in the description. It's a cool community full of CTF players, programs and hackers. Hope to see you in the next video guys. Hope to see you on Patreon. Love you. Bye. I'm going to have a stroke one of these days. I'm trying to record this section.