Hello and welcome. This is a series I've been doing, inspired by, you know, obviously, the Google Capture the Flag 2018. But this whole capture the flag thing was brought to my attention because I subscribe to LiveOverflow and John Hammond, and they both do great videos. I recommend checking out their channels. Also, I'm creating scripts for each one of these projects I finish, and they're all on my GitLab, gitlab.com/metalx1000/CTF (capital CTF). There you can download them, and I've made scripts to automate all of this, which we're going to look at here in a moment.

And we're getting into this one right here, Admin UI 2, which is a continuation of the previous one. And I'm gonna, you know, open here: I actually had to look up some things on this one to complete it, and I'm gonna walk you through the steps as best I can. So let's go ahead, and I'm just gonna go into my script folder here, that's on my GitLab page, and here I have... Actually, this one I might have done myself. It may have been Admin UI 3 that I had to look up. Anyway, let me go ahead and just run my script here. It's gonna dump a binary file. It takes a little while, strips it, and then gets it. Yes, this one I actually did. I got some of the way through. So let's go ahead and look at the code. So this is the flag for this project, and I'll go, Admin UI.

Okay, so here at the beginning... Let me first jump down here. We're checking to see if these files exist, because we need these programs to complete this. This top part here, I was trying to shorten up my code here rather than do full if-then statements. I was checking if the files exist, and if they don't, then print a message saying to please install gdb and/or binwalk, and exiting out of that, since it's a separate function, wasn't working. So basically, this is just setting it up so that if these fail I can exit out of the script.
That's all that's doing. So this first part is just making sure you have dependencies installed. Again, gdb, which is the GNU debugger, because we're going to try to debug this binary file, and binwalk, which I've done many tutorials on in the past. It's for extracting information from binary files. Oftentimes binary files have multiple files embedded in them. Binwalk makes it very easy to extract that stuff, especially working with firmware and other binary files.

So we're getting that binary file. What we're doing is we are dumping the output. So we have netcat going here, which connects to this server, which was given to us by the Google Capture the Flag, at this port. This is wait two seconds and disconnect, and what we're doing is we're running a command. If you watched the previous one, we're going into option two, then we're going to traverse up out of the directory and back down into our home directory. And again, the way we do this is we're actually, sorry, in a subdirectory of this directory, I believe, so really all we had to do is move up one. But the reason I back out like this is because that's how I figured it out eventually. You can't do full paths on this. If you just did, you know, forward slash, like you're in the root directory, it wouldn't find it. But if you move up a level multiple times, as long as you move up enough.
It doesn't matter if you go too far. You'll end up in the root directory, and then you work your way back down into home, user, and then there's the menu application. Let me show you this real quick in case you didn't watch the previous video, which I do recommend. I'm gonna go ahead and run this netcat to that server on port 1337. You leave and you get this menu. Option two will allow you to see version information, but all it's really doing here is catting out a file or something along those lines. If I was to put in something gibberish here, it's gonna tell us the file doesn't exist. So in the last video we looked at that, you know, if we go in there and then we, like, back out, back out, back out, back out, we're gonna end up in our root directory, and I showed you how to get into /proc/self/maps, which should show us information on the current running program. So I explained that more in detail in the previous video. So that's what we're working with here.

And if we go back into my automated script here, basically, we're connecting. We're pushing the number two, which is choosing the second option in the menu, and then enter, because you have to hit enter. I've been to they were playing in this code. Echo's gonna automatically put an enter after that, and we're putting that into netcat. And what this is gonna do is dump that menu, the binary part of that menu, and we're going to dump it into a temp file here. And because of the way I did this, we actually... you should be able to just pull the binary file, and you wouldn't have to run netcat on this. But the reason I'm doing netcat is because when I do it like this, you're actually getting... we're running the program, so we're getting the text output from the menu application. Let me show you real quick.
So instead of just getting the binary from the application, when I run it like this we're gonna get the menu at the beginning and the output menu at the end there, and we can quit out of that. So I'm actually just running binwalk to strip off that beginning and end output from the menu. There's probably a cleaner way to do it, but that's how I ended up doing it. When you run binwalk, we're using a -e to extract everything from this temp file that we created, which is going to create a folder called _temp.extracted, unless it's already extracted something, in which case it adds a number in the middle here, but luckily we clean up after this. But it's going to give us a binary file, B6.elf. We should still be in that folder here. If we run file on this, it should be our binary executable that we just pulled from the menu, and as you can see here, it's an ELF 64-bit Linux dynamically linked executable file.

So we'll go back into our script here. We now have that executable. Theoretically we can run it on a Linux machine. But what we're gonna do here now, this is where we get into parts that I had to look up, because I don't understand. If we, real quick here, were to run strings on this, which is going to remove anything that's not an ASCII character from this file, it's going to give us all those strings. Again, this is before I stripped it, so the menu is still there, actually. Menu options.
I guess maybe that's a text from... Anyway, it doesn't matter. Now I'm going to sort unique that, just to get rid of any repeated lines, and it puts it in alphabetical order, and then we're going to grep -i, which means case insensitive, when we look for the word flag. And you can see there's a few options here. We already found the flag one file, just the flag file, from the previous project. But you can also see there's flags too, and there's also this output here, which, from what I was reading, when you find that... If we went to a hex editor we can find those too. So if I open up hexedit and our binary file here and I tab over, I can then hit forward slash to search, and I can search for this. It's going to bring us right here, and if you look through that you can see those there, and I'm not sure if you can tell what they are from there. Control-C to get out of that.

But if we run GDB, the GNU debugger (let me up our font size here a little bit), and we point it towards that file... Let me double check my script here. That's okay. We actually want to run it like this. What we're doing here is we're saying to run on this file, the B6 file, which is our binary file, and we're grabbing this that we saw in the strings, which is a global variable. So let me just go ahead and run that manually like so, and it's going to give us this output saying that it equals this, which is actually our flag with a little extra data here. I guess there was no null character in there to prevent us from continuing on to the next thing. So like when you're pulling stuff from the binary file, there's a lot of null files... no, a lot of null characters. So if we go back into hexedit here and into our binary file here, you can see all these what look like periods, but most of them are not. If they're represented as zeros on this side, that means they're null characters, and a null character basically tells you to stop. I've done videos on this in the past.
Basically you can modify plaintext strings in a binary file as long as you don't go past that null character. Sometimes you do and it corrupts the file, and sometimes you do and it just continues on into another variable. So basically what we have here, let me run this, is... this is what that equals, but for some reason it continued on to the next part of the code. So really we can strip that off, which my code does, and then we're left with this code here, which is our flag that needs to be converted into ASCII characters. And again, this is something I found online. I tried to manually do it and I wasn't really getting it. But we're running a Python command here, so I'm actually dumping this command into a Python script, which I should be able to run without dumping into a script. I put it in there and then I run that script as Python, and what that's going to do is take the output of this, which we were just looking at, and convert it to ASCII characters.

So basically, I'm going to try to explain this as best I can. Dot join: if we didn't do dot join, we're going to get this as an array. So basically it's going to show each character as a separate item in the array, so you get each character in quotations with a comma next to it. Join is just going to basically remove that and put them all as one string. So char is going to convert this back into a character, which is what we want, but we can't do it directly. What we're using is this function here to convert octal into... I'm not going to pretend like I remember what all this does, but basically we're taking an integer number that's an octal. I don't know how this information is figured out, so I apologize for that. I'm trying to explain again this... This flag was a little bit... This part was all me, and then we get to these two lines here, and that was stuff I had to look up.
So I'm going to try to explain as best I can. So again, you can see that we have the parentheses here, which is the square brackets, which is saying this is an array, which we're joining here. But we're taking the output of the password that we got and we're going to be putting it into here, each character, and then we're going to convert it from or to octal. Okay, I'm done explaining that. I don't want to go off the wrong way. Basically, this is a Python command that's going to basically take what we have, convert it, convert it again, paste it all together, is basically what it's doing. And then I do a little cleanup of removing that script at the end, which gets us... If we run my script... Okay, just as I find it, I clear it out. There we go. So it's dumping the binary from the server, then stripping it, and then we get our output here.

So from the global variable this... so again, if I was to take this code here and actually remove that /bin/sh, and I'm going to cat out my script here just to show you a little more detail on what's happening. I'm going to take this. Okay, that's good. I'm going to recreate our Python script here, and then I'm going to take the output that the debugger gave us, minus that /bin/sh, and I'm going to go into our tmp here, and where I have this I'm going to paste in what we got. Oops. And if we Python out that file, we get our code here. But let me backwards that a little bit. Again, if I remove the join function here, and basically I think if I remove all this... I was playing around with this yesterday trying to understand it more. I think that this will work. There we go. So there it is without that join function.
We get an array here with our flag, but each character is separated into a different item in that array. So the join is basically just sticking all that together as a single string. So I hope that explains that part a little bit more. And again, if we were to go into Python and type in char and give it a number like 65, or actually... char is not defined. Oh, I think it's... there we go, 65, that gives us an A. So it's basically taking the numeric output and converting it to ASCII. So if we go back into our script here, or even just look at it up here, so this x is being put in there from what we're getting over here, but at first we're converting it here, and I'm trying to explain something that's above my head and I shouldn't be doing that. I hope I cleared that up a little bit, or made it more confusing. Anyway, you can pick that apart if you understand that last little part a little bit better than me. Like, I get the general concept. I just can't really explain it, so I obviously don't know it that well. Be sure to comment below, and I appreciate it.

I hope this cleared... if you didn't understand this little project here at all, I hope I cleared it up a little bit. Go ahead and download my code and look at it. I feel bad that I can't explain that last little bit better, but anyway, I do thank you for watching, and hopefully the rest of the videos in this series are a little better than this one. Again, we're going to go into Admin UI 3 next, which again, I can't remember that one off the top of my head. I did it yesterday. That one may be over my head, but then there's a few others that I can explain a little bit better. As always, thank you for watching. Please visit filmsbykris.com. That's Kris with a K. There's a link in the description. As always, I thank you for watching and I hope that you have a great day.
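
The directory-climbing behaviour described earlier in the video (a leading slash is refused, but repeated `../` reaches the root no matter how many extra levels are given), shown next to a confined lookup. This is an added example, not the speaker's script or the challenge's code. `BASE_DIR` and all three function names are hypothetical, and the naive resolver is an assumed model of the menu's file lookup.

```python
import posixpath

# Assumed layout: the transcript only says the menu reads files from a
# subdirectory of the user's home directory; this path is hypothetical.
BASE_DIR = "/home/user/files"

def naive_resolve(name):
    """Behaviour described in the video: a leading '/' is not accepted,
    but the name is otherwise appended to the base directory unchecked."""
    if name.startswith("/"):
        return None
    return posixpath.normpath(posixpath.join(BASE_DIR, name))

def confined_resolve(name):
    """Hardened form: normalise first, then require the result to stay
    inside BASE_DIR. On a real filesystem use os.path.realpath() so that
    symlinks are resolved before the containment check."""
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, name))
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate

def looks_like_traversal(name):
    """Detection helper for request logs: any '..' path component."""
    return ".." in name.split("/")

if __name__ == "__main__":
    # Constructed inputs. Extra '..' components beyond the root are
    # discarded, which is why "going up too far" still lands in '/'.
    for name in ["version", "../../../proc/self/maps",
                 "../" * 12 + "proc/self/maps", "/proc/self/maps"]:
        print(f"{name!r:45} naive={naive_resolve(name)} "
              f"confined={confined_resolve(name)} "
              f"flag={looks_like_traversal(name)}")
```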
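
The gdb-to-text step the speaker describes (debugger output with octal escapes, a run-on into `/bin/sh` because no null byte ends the string, then a per-character list versus `join`), as an added Python example that is not the speaker's script. The sample line is constructed, and `convert` is a placeholder hook because the transcript does not say which per-character conversion the one-liner applies.

```python
import re

# C-style single-character escapes that gdb emits inside string literals.
_SIMPLE = {"n": 10, "t": 9, "r": 13, "a": 7, "b": 8, "f": 12, "v": 11,
           "e": 27, "\\": 92, '"': 34}
_TOKEN = re.compile(r'\\([0-7]{1,3})|\\(.)|(.)', re.S)

def gdb_literal_to_bytes(line):
    """Return the raw bytes of the first double-quoted string in a line of
    gdb output, undoing gdb's \\NNN octal escapes and C escapes."""
    m = re.search(r'"((?:[^"\\]|\\.)*)"', line)
    if m is None:
        raise ValueError("no quoted string in gdb output")
    out = bytearray()
    for octal, simple, plain in _TOKEN.findall(m.group(1)):
        if octal:
            out.append(int(octal, 8) & 0xFF)
        elif simple:
            out.append(_SIMPLE.get(simple, ord(simple)))
        else:
            out.append(ord(plain))
    return bytes(out)

def strip_runon(data, neighbour):
    """Without a terminating null byte the debugger keeps printing into the
    next string in memory; cut the value where that neighbour starts."""
    i = data.find(neighbour)
    return data if i < 0 else data[:i]

def per_char(data, convert=lambda b: b):
    """List form: one character per byte, which is what you see without
    join. `convert` is a hypothetical hook (identity by default)."""
    return [chr(convert(b)) for b in data]

# Constructed sample line, not the challenge's value. Most bytes are written
# as octal escapes to exercise the parser.
SAMPLE = r'$1 = "\144\145\155\157_\166\141\154\165\145/bin/sh"'

def decode_sample():
    raw = strip_runon(gdb_literal_to_bytes(SAMPLE), b"/bin/sh")
    chars = per_char(raw)          # list of single characters
    return chars, "".join(chars)   # join glues them into one string

if __name__ == "__main__":
    chars, text = decode_sample()
    print(chars)
    print(text)
```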