What's going on YouTube, John Hammond here, still looking at more picoCTF 2018. Now we are on the grep 2 challenge, 125 points. It says: this one is a little bit harder. Can you find the flag in this location on the file system on the shell server here? Remember, grep is your friend.

So they don't give us a link to download any files here, and we haven't gotten to that SSH or SSH keys challenge to actually connect on our own to the shell server, like through the command line. So I'm just going to do it through their web shell, which I don't particularly like, but whatever, I guess I'll just live with it. My internet connection is still a little awful, so hopefully this doesn't go too bad; typing is slow. You will want to just enter your username the first time that you try and connect, and then once you have an account you can go ahead and connect with that account set up. Oh, forgot my last name here. And then you can log in with the password that you use for the whole picoCTF game and infrastructure.

So now that we're in the shell we can change directory to, once I right-click and paste from browser, this location. And now that we're in that directory we can ls and see what we have to work with. We have a lot of files here, or at least seemingly a lot of directories and folders. So what I'm going to do is ls tack R to recursively look through them and see what we have, and we do have a lot of files in here. So, significantly harder than the previous challenge when we just did grep 1, right? It wasn't just one file to look through; now we have many. We can still accomplish this very, very easily though, because grep offers another flag, if I check out man grep.
I say flag not as the capture-the-flag flag that we're looking for, but another argument or something that we can work with. So tack capital R will actually allow us to loop through stuff recursively. I don't know if my shell is actually behaving or I've just lost connection here. Okay, so you could look through the man page, but if you wanted to know, we should just run grep minus r, or tack R, and then that will give us recursive control. We can still go through lowercase o, capital E, so we still get our picoCTF flag format. And I'm typing this out, but the shell is just not working with it, so hopefully once this all loads it will just bang out. Okay, awesome. So once we run this it will find the file for us that has that string, and we can retrieve the flag just like that. So I'm gonna go ahead and copy this; I'm going to save it in a local copy, so flag.txt in our grep 2 file. Oh, and I totally did not copy that for some reason. Please copy. There we go. Okay, cool. So that way we can mark grep 2 as complete. Submit that and we're good to go.

The next challenge is aca-shella, which is supposed to be a pun off of a cappella, and I think this challenge got a lot of hate, and I feel bad saying that. It's not, it's not anything, it's not indicative of anything else or anything of the problem designer, but it just seemed like there was some struggle in this that didn't need to be there. "It's never a bad idea to brush up on those Linux skills or learn some new ones before you set off on this adventure. Connect with netcat to this host." Important.

So I'll move to the aca-shella directory that I have, and netcat to it, and hopefully my internet connection handles this. Sweet. "We haven't gotten access into the file system, but we aren't root." We have gotten access into the file system, but we aren't root. "It's some sort of restricted shell. I can see what you're typing, but I can't see your..." But I can't see what you're typing, but I can see your output.
"I'll be here to help you along if you need help. Just type echo 'help me!' and I'll see what I can do." So let's just actually go ahead and try that: echo help me, with the exact same syntax they have, with single quotes and an exclamation point. And so: "You got this. Have you looked for any directories?" So I haven't yet. Let's just go ahead and ls, look for some stuff, and these are supposedly directories. So I guess I'll change directory into secret. It says, "Now we're cooking. Take a look around and tell me what you find." So I'll ls again, just list stuff, and it says, "Sabotage them, get rid of all their intel files." So what I'm going to do, rather than typing through intel_1, intel_2, intel_3, whatever, just by hand, I'm going to use rm to remove and then intel_*, so any of those numbers will be kind of gobbled up by that wildcard. And it says, "Nice, now they're all gone. I think I can drop you a file of an exploit." It says type in echo 'drop it in', which we can type in for us, and it says, "I placed the file in the executables folder, as it looks like the only place we can execute from. Run the script I wrote to have a little more impact on the system." So let's go ahead into that executables folder that we knew was there. I can't tab complete. And then now there's a new directory, I'm sorry, a new file in this directory: don't look here. So let's dot-slash it, because we know that is seemingly executable, and it spits out a lot of interesting hex for some reason. Maybe it's doing some leet hacker thing. It says, "Looking through the text above, I think I found the password. I'm just having trouble with the username. Drags around to us, we'll be kicked out soon. Quickly, print the username to the screen so we can close our back door," close our back door, whatever, "and log into the account directly."
"You have to find another way other than echo." So what this is referring to is just trying to display your username, like your, the username that you're running on the computer, or the simulated system that you're in. So you run the whoami command. It says leet hacker. Perfect. "One second. Okay, I think I've got what we're looking for. I just need to copy a file to a place we can read. Try copying the file top secret in the temp directory into the passwords folder." So I think, I don't know if this has been patched, but I think a couple of people tripped up on this, and I certainly did, but kind of a secret was that you had to move into the home directory to be able to properly move this directory, this file. I don't know if this was patched, I don't know if this was fixed, but I know there were a lot of complaints about it. So we'll copy from the temp directory this file top secret into the passwords folder, and it says, "Quickly, go read the file." So let's go into the passwords folder; we know that top secret is now in there. So let's go ahead and display that, cat out top secret, and it gives some spiel on Major General John Schofield and his West Point speech. I'm not a West Point guy; I went to a different service academy, not that it was any better. Until we had the flag. Cool, let's go ahead and mark that as complete. So you're going to kind of base your own opinion off of that challenge. I thought it was peculiar, but a lot of people seem to trip up on it when we really shouldn't have had to.

This next challenge is called "client side is still bad." It's another web exploitation challenge. We can assume that we're going to be looking at JavaScript, right? So the client-side programming language. The challenge prompt is: "I forgot my password again, but this time there doesn't seem to be a reset. Can you help me?" So let's check this link here. I should have opened that in a new tab. It says, "Welcome to the secure login server. Please enter your credentials to proceed."
I'm going to Ctrl+U to view the source, see what we're really working with here. Looks like we have a standard md5 implementation, so we can check out that JavaScript code, but apparently it's not found; apparently that just doesn't exist. So, good to know. The rest of the HTML there is pretty boring and stupid. Looks like it is calling the verify function and then returning false, kind of no matter what, and so that way it doesn't submit a form or anything. Um, but this verify function is defined up here in this segment of JavaScript code. Looks like it just gets the element that we're typing in, so the password field, the password input, right, id equals pass, getElementById, get the value out of it, and then it's trying to split up what looks to be the flag in segments of four, checking, okay, if the substring meets all this criteria, it says you got the flag. This is building out the flag for us, right? You can kind of see it coming to life: picoCTF client is bad as your blah blah blah. So let's go ahead and put this together. I'm going to go into Sublime Text, and let's just, I'm going to grab with regular expressions anything that's inside of the curly braces here. In fact, I'll just find all and then cut them and then paste them in. So then I can now remove all the single quotes, I suppose, and let's save this to, just put it in the client side is still bad folder, uh, I guess like notes.txt, that we could use here. So now we can move into that directory and let's cat out notes.txt, but let's go ahead and reverse all the lines in there. Oh, did I do that wrong? Oh, yes, uh, we want to not reverse each line but the order of the lines. So let's, let's tac, so reverse of cat: tac notes.txt, and now we have it all there. So now let's remove all of the newlines and build out the flag here. And that's it. We can redirect that to flag.txt. You could build a script if you want to do that, or just a simple get flag script where you curl the page here, and, you know what?
Let's do it. Let's go ahead and do some bash magic. Let's curl the page. Oh, I forgot I have the view-source in the link here, my bad. Okay, so now let's just get the first couple of lines following it. So let's tail minus n, is it plus one? I forget. I always forget how to get, like, the last couple of lines. Maybe that's not what I want. Let's get the last 20 lines. No, all right, screw it, let's use head and let's get the first 20 lines. Okay, cool. Then we can try and run our cut command, where we cut with, uh, the single quote as a field delimiter; let's get the second column here. And let's head or tail just this one, two, three, four, five, six, seven lines, tail minus n, I guess eight, because we want the curly brace at the end. Let's tack s to silence curl. Then let's go ahead and tac to reverse all these, and then remove all the newlines, just as we've done before. So we keep adding on to our pipe, and eventually we will just carve out the flag, just like that. So that is kind of our standalone get flag script, which works pretty well for us, and it does some nice one-liner bash magic. So that's pretty cool. Mark that as executable. We've already got our flag, right? Yep. So let's just pipe that into our clipboard, go ahead and submit it, 150 points, and we're still cruising. Awesome. Cool, mark this challenge as complete.

I hope you guys enjoyed this video. I hope it was kind of cool, for one thing just doing some bash magic at the very, very end there, and then exploring some of the interesting challenges that picoCTF has. So, hey, quick shout out to the people that support me on Patreon. Thank you guys so much. I cannot say it enough. Uh, I say that every time and it's still not enough. Thank you, thank you, thank you.
Thank you. Thank you. One dollar a month on Patreon will give you a special shout out just like this at the end of every video. I know it's not much, but it's just a little, like, hey, make your heart feel good; you're a good Samaritan, you're helping a dude like me put food on the table, and I'm grateful for it, I really appreciate it. $5 a month will give you early access to any of my videos that are released on YouTube, because I try to record a lot of videos kind of, like, ahead of time, right, get a backlog of content, and then gradually YouTube releases them by schedule. If you want the content right when it's ready, right when it's hot, fresh out of the oven, that's the best way to do it, and I'm grateful for your support. So if you did like this video, please do like, comment and subscribe; helps me grow, helps the channel grow. Please do join our Discord server, link in the description. It is a cool community full of CTF players, programmers and hackers. You can hang out with me and other cool people. Uh, we're gonna be tackling other competitions like this. picoCTF 2018 was awesome, and for people that are still, like, going to be using it as a war game or a reference to kind of learn from, just getting started in capture the flag, that's awesome. And it'll never go away, like that's an incredible resource. And if you want to team up, do some cool stuff with other cool people as other CTFs come down the line, that's a great place to do that. I'm talking too much. Thanks guys. I love you. Hope to see you in the next video. Hope to see you on Patreon. Hope to see you in real life someday. I don't know, we can meet up, share a beer and be cool.
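The "client side is still bad" walkthrough above rebuilds the flag by cutting the quoted segments out of the page's verify() function, reversing them with tac and joining them with tr. The script below is an added example, not code from the video or from the picoCTF project: it reproduces that pipeline on a constructed page and adds an order-independent variant that sorts the segments by the substring offset they are checked against. Both HTML pages are constructed here; the segment text, the `split*N` offset style and the order of the checks are assumptions, not the real challenge page.

```shell
#!/bin/sh
# Added example, not code from the video or the picoCTF project: rebuild
# a flag that a page's client-side JavaScript checks piece by piece, as
# in "client side is still bad". Both HTML pages below are constructed
# for this example; the segment text, the 'split*N' offset style and the
# order of the checks are assumptions, not the real challenge page.

# Constructed page: verify() tests the segments in reverse order (last
# segment first), which is the layout the tac trick from the video relies on.
write_reversed_page() {
    cat > "$1" <<'EOF'
<html><body>
<form onsubmit="return verify();"><input type="password" id="pass" /></form>
<script type="text/javascript">
function verify() {
  checkpass = document.getElementById("pass").value;
  split = 4;
  if (checkpass.substring(split*4, split*5) == '012}') {
    if (checkpass.substring(split*3, split*4) == 'ple_') {
      if (checkpass.substring(split*2, split*3) == 'exam') {
        if (checkpass.substring(split*1, split*2) == 'CTF{') {
          if (checkpass.substring(split*0, split*1) == 'pico') {
            alert("You got the flag!");
            return false;
          }
        }
      }
    }
  }
  alert("Incorrect password");
  return false;
}
</script>
</body></html>
EOF
}

# Constructed page with the same segments tested in an arbitrary order,
# the case a reversal-based pipeline gets wrong.
write_shuffled_page() {
    cat > "$1" <<'EOF'
<script type="text/javascript">
function verify() {
  checkpass = document.getElementById("pass").value;
  split = 4;
  if (checkpass.substring(split*2, split*3) == 'exam') {
    if (checkpass.substring(split*4, split*5) == '012}') {
      if (checkpass.substring(split*0, split*1) == 'pico') {
        if (checkpass.substring(split*3, split*4) == 'ple_') {
          if (checkpass.substring(split*1, split*2) == 'CTF{') {
            alert("You got the flag!");
          }
        }
      }
    }
  }
  return false;
}
</script>
EOF
}

# The video's pipeline, with grep selecting the comparison lines instead of
# counting them off with head/tail: field 2 of each line, split on the
# single quote, is the literal; tac reverses the line order; tr joins them.
flag_by_reversal() {
    grep 'substring(' "$1" | cut -d"'" -f2 | tac | tr -d '\n'
}

# Order-independent variant: pull the segment index N out of 'split*N'
# together with the literal, sort numerically on N, then join.
flag_by_offset() {
    sed -n "s/.*substring(split\*\([0-9]*\),.*== *'\([^']*\)'.*/\1 \2/p" "$1" \
        | sort -n | cut -d' ' -f2 | tr -d '\n'
}

main() {
    dir=$(mktemp -d)
    write_reversed_page "$dir/reversed.html"
    write_shuffled_page "$dir/shuffled.html"
    printf 'reversed page, tac pipeline: %s\n' "$(flag_by_reversal "$dir/reversed.html")"
    printf 'shuffled page, tac pipeline: %s\n' "$(flag_by_reversal "$dir/shuffled.html")"
    printf 'shuffled page, by offset:    %s\n' "$(flag_by_offset "$dir/shuffled.html")"
    rm -rf "$dir"
}
main
```

On the reversed page both functions yield the same flag; on the shuffled page only `flag_by_offset` does, because sorting on the offset the page itself compares against does not depend on how the author happened to nest the if statements. Against a live page the file argument would be replaced by the output of `curl -s` saved to a file.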