PicoCTF 2022 #01 - WELCOME & Basic File Exploit

Captions
Before we dive into the video, here is a quick note from today's sponsor. There are so many vulnerabilities out there, like prototype pollution, SQL injection, remote code execution and more. They're fun to play with in CTF challenges, pen testing and ethical hacking, but they're not so fun when they're in your own applications, and that is where Snyk comes in. Snyk automatically scans your code, dependencies, containers and config files, finding and fixing vulnerabilities in real time. Here's how easy it is: with Snyk you can sign up for free with my link below, import your repositories in there, and Snyk just finds your vulnerabilities. And it's not just looking for old, deprecated libraries; Snyk literally found a serious command injection vulnerability in a project of mine, so all I have to do is fix it with a single click. Snyk will open up fixing pull requests so you can just merge them into your repository and move on, and it does this all from your existing tools: IDEs, the command line, repos, pipelines, Docker Hub and so many more. And you can see for yourself, check it out and find out if there are any vulnerabilities affecting your projects. It's all totally free and you can sign up using my link, snyk.co/johnhammond. Huge thanks to Snyk for sponsoring this video.

In this video we are diving into picoCTF 2022. Now I have to say, I am super duper excited to get into this. I have not yet played yet, I have not yet opened up the game, I've not yet looked through any of the challenges. This is all going to be fresh, I'm going in cold, and hopefully we get some good content and some good footage out of it. So without further ado, let's dive in. I'm gonna hop over to my computer screen; here I am running a Kali Linux virtual machine, and that is where, hey, I'll probably do all of my hacking and learning cyber security through that. Actually, before we dive in, let me just add the disclaimer before we keep cruising. If you aren't familiar with picoCTF, picoCTF is a capture the flag, or online cyber security game. It's an activity, it's a puzzle, it's a toy, it's something that you can use to learn cyber security concepts. It leans you more towards, hey, being a hacker, being a penetration tester, being a red teamer, finding vulnerabilities and exploiting stuff with CVEs or small idiosyncrasies and software weaknesses and flaws, etc. It's super duper good at kind of guiding you into more complex topics. It starts off very, very beginner friendly, and it's actually advertised, hey, this is a game for middle school and high school students, but that's not to say, hey, anyone at an older age can play. I am not a middle school or a high school student, but I still really struggle with a lot of the later challenges. Anyway, that's enough banter, sorry, let's get into it.

So I am here on my Kali Linux virtual machine. I will open up my web browser over on the top left; I am running Google Chrome for the moment, and I'll go to picoctf.org. Now you'll notice, hey, picoCTF is happening right now. The game just got started, March 15th through March 29th. While I'm recording this it is currently 1:51 in the morning on March 16th; this is, hey, the only time I get to play, right? But this is something that I will end up releasing all the videos and content for after the competition is over. It is good sportsmanship to not share write-ups or solutions or guides to any of the challenges until after the competition is over, and that is exactly why I'm gonna hold tight, and hopefully we'll get to release a lot of good stuff once this game ends. Let's get to it. So I'll go ahead and click the log in button over here. If you aren't already registered, you can go ahead and click the sign up button and create an account. I do already have my username created, a password set; I'm using LastPass, you should be using a password manager. And let's go ahead and log in. Now this is going to throw me in the picoGym practice challenges, and I have a couple challenges already solved, but maybe I need to go navigate to this compete tab here, or I can play the real CTF, hey, picoCTF 2022. Yeah, let's do it. Let me hit play now, and these are all of the challenges.

All right, so let's start with, I guess, the top here. Let me look through this interface super quick in case I'm seeing something in the wrong order. Okay, no, looks like I can filter on different categories. And again, because this is like kind of a capture the flag, there are a lot of, I mean it is a capture the flag, right? If you haven't heard of that before, it's sort of like the Olympics in cyber security. There are a lot of different categories or activities that you might be able to play under, whether it's binary exploitation or web application security or cryptography or forensics or anything of the like, and it's a ton of fun. They actually call this style of gameplay Jeopardy, and that, hey, it's one of those categories you might be able to play and complete tasks or activities under. So let's get back to it. I'm going to end up showcasing as many of the challenges as I can here, but I guess we'll get started right away. Looks like, I don't know, Basic File Exploit for 100 is at least the top left option here, so I'll go ahead and click on this card, and it says: this program provided allows you to write to a file and read what you wrote from it. Try playing around with it and see if you can break it. You can connect to the program with netcat, and netcat is a command line utility that allows you to access a remote service or socket or an open port on a web server, not just strictly a web server but any sort of technology and service. It gives us the host name and the port to connect to, so we could just enter this on our command line if you're using Linux or Kali Linux like me. The program source code with the flag redacted can be downloaded here, and we do have some hints we could use. I would really recommend, if you're doing this to learn, if you're doing this to play, make heavy use of those hints. That's the whole point: to learn, have some fun. I'm not trying to win, I'm not trying to compete, I just want to have the exposure to as much stuff as I can.

So let's get to it. We could copy and paste this command, and I'll hop over in my terminal. I'm going to hit Ctrl+Alt+T on my keyboard and that'll open up a command line for me. I have a ctf directory already created. I'm going to run ls to just list out the stuff in my current directory; I am in my home directory, denoted by the tilde here, so I'll change directory into that ctf folder and I'll go ahead and make a new directory for pico. Yeah, okay, cool. I'm also going to make a directory for binary exploitation and the categories that I'm going to work through. So this first challenge is called Basic File Exploit, yeah, so I'm going to hit tab to kind of autocomplete that for me as I start typing it. And there's nothing in this directory, but we could go ahead and download some of these files here. If I right click on this I can copy the link address, and with that I can go ahead and run a wget command, which will allow me to download it from the internet. I'll paste in this link here, I hit Ctrl+Shift+V on my keyboard, hit enter, and it should let me download that program. Looks like it does. Okay, so I'm going to end up using a text editor, and you could use whatever text editor you might like, whether you like nano, one of the command line text editors, or vi or vim, any of the others. I'm going to use Sublime Text; I'm a big fan of Sublime Text. If you happen to watch some of my other videos, you know that's my go-to. So I'll tab autocomplete again that file name, program-redacted, and this is what we're looking at.

Oh, so this is C code. You could tell by the file extension here: this is a .c file, C source code, and it includes a whole lot of libraries. A lot of these are built-in libraries, stuff you could tell by the less than and greater than symbols, the arrows, wakawakas you might hear them called. That's all included, imported into the program. Then we define a constant called WAIT; looks like that number is set to 60. And we have a constant character flag as the variable. Okay, it's currently set to redacted, but our goal, our objective, is to retrieve this flag so we can solve that challenge. Now we have character data; looks like this is a multi-dimensional array, we have 10 entries all of a hundred length, and we have input lengths being 10, I suppose, and a number to keep track of the inputs, currently set to zero. So we have this function defined here. Looks like it will return an integer, just kind of noting our C syntax here: tgetinput, based off of a character array of inputs, based off an unsigned integer l, I'm going to assume that's length. We keep track of everything, and we check if the length is less than or equal to zero. Oh, looks like that needs to be supplied greater than zero, and will return a negative value if it fails, I'm assuming. We empty the file descriptor set, I'm going to assume fd is for file descriptor. We listen to the input descriptor, probably what we're typing in, right, referring to standard input, throwing in our input set, and then we're going to wait for some seconds. Okay, good enough. Now we are listening for the input stream for any activity, waiting and ready for reading. We're using the select function to be able to do that. It'll end up getting some input, storing it based off of a timeout value, and checking, hey, if we are ready for reading. If it fails, oh, there's an issue, maybe we are able to read the input, but if we are ready for input then we'll go ahead and use the read function, I think. And I could be totally wrong here; read is interesting and it doesn't track null bytes, I might be wrong in that, I might be saying that completely wrong. It's not using null bytes as an immediate terminator; it's going to use the newline character, I think. I again could be totally wrong here. They're passing in zero to refer to the standard input file descriptor, storing it in the input with the length minus 1, an l here. Okay, again that's passed into this function. So if we read the bytes, we minus that, I guess, the read bytes, right? It's checking if it is equal to a newline character at the very, very end; sure, it will add its own null byte just like that. Okay, so maybe that's checking for the read functionality and making sure that it has a null byte at the very, very end. If the read bytes are equal to zero, hey, okay, nothing was returned, whatever, we can return, exit out of the function, no data was given. Otherwise there was a timeout; that's got to come from that timeout that we just set up above.

Now we have a void function that isn't going to return anything, but it will data_write, I'm assuming, okay, based off of input. This actually doesn't take any arguments to the function, so I'm curious what that's up to. Oh, this actually ends up running "please enter your data", retrieving it with the function we just read, based off of 100 characters, and if there were a bad result, like a negative 3 return value from this tgetinput function, then it closes. Otherwise, "please enter the length of your data". Ooh, it'll actually take in the length, interesting. Check for the failure; it also needs to make sure, hey, this is a string to number value, l... I would have to go maybe do some quick googling, it's all about learning, right, doing some research. "Please enter a valid length." If our input is greater than 10 inputs, where did inputs come from? Is that used in this function, or is that because it's one of the constants? Yeah, yeah, yeah, it's a global variable way up at the top. Okay, um, then we use strcpy, which does not care about the length; it's not using strncpy, which might be something that we could potentially take advantage of and exploit in that whole binary exploitation world. You have an entry number that's displayed out and then you have a data_read function. Okay, so we have data_write and data_read. data_read does a very similar thing except it's setting the output in memory. You get the entry number of our data, tgetinput entry four. If r is equal equal to negative three we can again exit. If the entry number is equal to an entry then it will print the flag and seek to the end. Am I understanding that correctly? If you just give it the entry number of your data it'll print out the flag, or, hmm, we could play with that. I'm probably just, I'm cursorily reading that way too quickly to process it, but let's explore; we might just be able to bump around and explore stuff.

"Welcome to my echo chamber." Looking at the main function now, right? Otherwise it puts what it was able to retrieve. Type 1 to enter a phrase into our database, type 2 to echo it out, and type 3 to exit. We use our tgetinput to retrieve stuff, exit if necessary. If command is equal to not a number, "please put in a valid number". So this is going to happen, this check, if the strtol of your input is equal to zero, that's if it fails, like if it can't read a proper number out of that. Is that what's going to end up giving us the flag? Um, we could write and then we could read, and that's about it. Okay, "maybe breaking boundaries elsewhere will be helpful", huh. So we know that there is a memset of 100 based on our output variables and values; it's setting it full of null bytes when we read something. But there must be something that we could just break and beat up in one of these values. Let's play with the program, how about that.

I'm going to go ahead and grab this netcat connection command so I could play with the program, and let's go ahead and paste that in. Hello, "welcome to my echo chamber". This is exactly the output that we just saw in the source code, right? We could type 1 to enter a phrase into our database, type 2 to echo a phrase in our database, and type 3 to exit the program. Let's verify that 3 works to exit. If I enter something like "a": "please put in a valid number", "no data given". I'm just trying to spam it with something that it's not expecting, but oh, is it reading it as in those pairs of three, right? Yeah, but the "no data given" function, or that output, comes from something else, doesn't it? "No data given" comes from read bytes, so is it still ending up reading the function, is it still... oh no, no, no, this all comes from the tgetinput. So anyway, let's use the program for its real functionality. Let's enter a phrase into our database with 1. "Please enter your data." I'll say "please subscribe", totally misspelling please. "Please enter the length of your data." Ooh, it asks me for my data first and then it wants to know how long the characters are, right? So this is what we have: five characters here, six for the space, um, and then this is nine. Yep, I can totally count: four and then five. So what did I just say, six plus nine, fifteen, I can do math. So that is actually 15. "My entry number is 1", right, "successful". "Would you like to do anything else?" Yeah, let's go ahead and read that. I want the entry number of one, and then it tells me "please subscribe". Good enough. Let's try and write a program, or let's try and write a phrase again, saying my data can be an empty string. Oh, with "no data given", then enter the length of your data, let's say 100. "My entry number is 2."

Yeah, so now I'm entry number 2 and it read nothing just fine. So what can we take advantage of here? Trying to think about this just a little bit. If we could write something with "hello", obviously entering a length of just three would then give me, trying to read that, the first three characters, but maybe there's something else we could do. What were these bounds? There was a hint in here at the very, very end: "maybe breaking boundaries elsewhere will be helpful". This is the fun detective work of what we're up to here. Let's read, let's, let's enter something, a bunch of data, and maybe we could actually, I'm just holding down the "a" character, I'm going to paste this a couple times. Oh, that actually broke something, and that, hey, it was trying to continue reading after the fact, but it wants to know a real number. What if I entered like a strange, horrible negative number? Yeah, "my entry number is 4", right, "successful". Wait a second, what, what? Uh, let me get a fresh clean slate, right. Let's enter a phrase, "hello", and let's try and enter a negative value. I want to read that now, and that broke something, but it's not giving me the flag. So the condition of us getting the flag was, if, I'll Ctrl+F for flag here, if the entry number equals to the length, or excuse me, an entry, and if that fails, no, if, if it is equal to zero, in which case we saw the same structure earlier here when it had a problem: "please put in a valid number". So if our entry number is just something like "a", does that give us anything worthwhile? Let's echo a phrase, "a", oh, it doesn't have any data, right? So okay, so let's give it something, "hello", length of my data can be again 100 or even a thousand, sure. Our entry number is one. "Would you like to enter anything else?" Let's echo the phrase, and let's say, enter the entry number, let's enter the value "a". Was that it all along? Did I, did I milk that for more than I absolutely needed to? It's just going to break if I were to give it a value that was not a number. Let's, let me try that one more time. We got the flag, right, and that's what that was, that's what this big long string that we just saw previously, hey, "make sure to check your inputs".

Um, can I echo that, will that give me proper syntax highlighting? There we go, this is the flag that we want to submit. We just solved that challenge, but I want to verify, hey, if I were to enter a phrase in my thing, I'll say "hello", legitimate length, let's say that's 5 characters long. Now if I want to read a value, if I were to just give it garbage, not a real number, then it spits out the flag. So again, I didn't have to do anything special or fancy there; maybe it was just kind of knowing and making sense of what that if statement really was doing. It'll just display the flag if this is not a number, and we could probably examine that. Let me, uh, check out the man pages for strtol. Nope. Man pages are the manual pages, right, and you would have to tell it, hey, I want this from a specific man page, of I think like the programming stuff. Is that three or is that eight? Or I might just have to google and check it out; let's go do that. "c function strtol". Ooh, now I'm on like a weird Tutorials Point website. There has to be a man page for that, I would think. Oh, it's three, did I not get that right? No, move, okay, whatever. "Convert a string to a long integer", right. So this is going to end up returning a value, right; you could tell it has a long return value, long being a kind of number or integer, a very long one, right. So we could check out if it fails, the return value up here: "the strtol function returns the result of the conversion, unless the value would underflow or overflow. If an underflow occurs, strtol returns LONG_MIN. If an overflow occurs, strtol returns LONG_MAX. In both cases, errno is set to ERANGE." Okay, so I'm going to assume LONG_MIN would just be zero. Could we play with that? Let's play with that super quick, because again, this is just for learning.

If I try to compile our program-redacted, I'm going to use gcc, like the GNU Compiler Collection, that'll just put it in C by default, and now I've created this a.out program. I'll ./ that to run it, and there we have the program. But let me modify; now I'll copy this program-redacted and I'll put it into like tinker.c, how about that. So back in our text editor, let me open up, I hit Ctrl+O on my keyboard, let me open up that tinker.c file, and let's maybe scroll on down to our main function and let's just rip out all this stuff, we don't need it. What I want to do is I just want to check out the value of LONG_MIN; that constant should be brought in the space of everything that we loaded, right? Fingers crossed. Let's gcc that tinker script that we wrote, or excuse me, nope, broke a whole lot of stuff. Mmm, that wasn't going to come for us. Okay, so what is a C LONG_MIN value? C and C++, here's a reference here. LONG_MIN, no, that's not zero. Should we have actually, could we enter zero for our function, for that result? Let's, I'm hitting the up arrow on my keyboard to scroll through some of this history. Let's, uh, enter a phrase, "hello", uh, length can be five, right, and then let's read it, and why not enter entry number zero? And that's still wrong, that still gives us the flag. Could we enter something that isn't an entry? Let's do "hello", uh, length is five, let's read it again, and let's say an entry of a thousand. Not present, but 0 would work. All that was simply doing was checking if it was 0, and 0 could very well be returned. Hmm, my understanding in there is still wonky, but learned a lot along the way. Let me look for a zero in this. Oh, oh, this is it right here, ERRORS: "the implementation may also set errno to EINVAL in case no conversion was performed (no digits were seen, and zero is returned)". Ah, so errno is, uh, what it considers its return value, or is that just going to be some, it's got to be, let's check it out: "number of the last error". Okay, so it's tracking errors, and that is a little bit more of an understanding of what the heck was going on in all of the C code.

I know, hey, this was supposed to be a fundamental and beginner video on picoCTF, and it threw us right in the lines, then playing with some C code. Um, and was that really binary exploitation? I don't know; it's not like we were doing any voodoo magic witchcraft with the heap and the stack and all that, but we got to kind of dig into how that all pieced together when you have a function, or at least an if statement, that wasn't checking the right rendition of inputted data. And that's what it's all about, hey, finding some weird idiosyncrasy, software flaw, gimmick and vulnerability where an end user or a hacker could maybe do something different and make the program do something that maybe it wasn't expecting it to do. Before we tune out here we gotta make sure we actually go ahead and submit that flag that we just got. So hop on over to my screen one more time, and I know that I still had this flag in my clipboard; you can see I was able to copy and paste it earlier and now I have that displayed still, and something that I can go ahead and paste. With that said, let's go back over to the picoCTF gameboard and scroll down and submit the flag right here. Looks like I can just paste it in, hit submit flag, and hooray, we have earned 100 points and we are on the scoreboard, we are on the leaderboard, and we are on our way solving some challenges. So that's the fun that comes from that, and that's the fun that we're gonna get into in picoCTF. I hope you had some fun watching this video; I know I for one did. Forgive me for the long-winded stuff and maybe my own tiptoe tap dancing to try and do some research and learning, but I hope there was value in there for you. Thank you so, so much everyone for watching. If you enjoyed this video, please do all those YouTube algorithm things: like the video, comment, subscribe, really helps the channel grow. Thank you so much everyone, I'll see you in the next one, take care.
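The bug the walkthrough lands on is a parsing mistake worth seeing side by side with the correct idiom: the challenge program treats a zero return from strtol as "this was not a number", which makes the inputs "0", "a" and an empty line indistinguishable, and it never looks at where the conversion stopped. The C program below is an added example and is not the challenge's source or the video's code. naive_check_fires reconstructs only the shape of that check as the transcript describes it; parse_entry, lookup_entry, the status codes and the sample inputs are this example's own assumptions (the entry table is taken to be indexed 0..num_entries-1).

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Result codes for parse_entry() (example's own convention). */
enum parse_status {
    PARSE_OK = 0,
    PARSE_NOT_NUMBER,   /* no digits at all: "", "a", "hello"          */
    PARSE_TRAILING,     /* digits followed by junk: "12abc"            */
    PARSE_RANGE         /* value does not fit in a long (ERANGE)       */
};

/* Shape of the check the walkthrough found (a reconstruction, not the
 * challenge's code): a zero result from strtol() is taken to mean "not
 * a number". Returns 1 when that check would fire. Note it fires for a
 * genuine "0" just as it does for "a" or an empty line. */
int naive_check_fires(const char *s)
{
    return strtol(s, NULL, 10) == 0;
}

/* Correct way to ask "is this a number?": inspect endptr and errno, never
 * the returned value. endptr == s is the portable "no digits" signal;
 * EINVAL is only implementation-defined, as the man page the video quotes
 * says. A single trailing newline is accepted because line-based readers
 * often leave one behind. `out` may be NULL when only the status matters. */
enum parse_status parse_entry(const char *s, long *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s)                  /* nothing was consumed */
        return PARSE_NOT_NUMBER;
    if (errno == ERANGE)           /* clamped to LONG_MIN / LONG_MAX */
        return PARSE_RANGE;
    if (*end == '\n')
        end++;
    if (*end != '\0')              /* digits, then garbage */
        return PARSE_TRAILING;
    if (out)
        *out = v;
    return PARSE_OK;
}

/* Validates an entry number against a table of num_entries slots and
 * returns the index, or -1 when the input is not a usable index. This is
 * the second half of the check: a well-formed number can still be out of
 * bounds, and a negative value must never reach an array subscript. */
long lookup_entry(const char *s, long num_entries)
{
    long v;
    if (parse_entry(s, &v) != PARSE_OK)
        return -1;
    if (v < 0 || v >= num_entries)
        return -1;
    return v;
}

static const char *status_name(enum parse_status st)
{
    static const char *names[] = {"ok", "not a number", "trailing junk", "out of range"};
    return names[st];
}

int main(void)
{
    /* Constructed sample inputs: what was typed at the "entry number"
     * prompt in the walkthrough plus a few edge cases. */
    const char *samples[] = {"1", "0", "a", "", "12abc", "-5", " 7", "99999999999999999999999"};
    size_t n = sizeof samples / sizeof samples[0];

    printf("LONG_MIN = %ld (not zero)\n\n", LONG_MIN);
    printf("%-26s %-12s %-15s %s\n", "input", "naive fires", "parse_entry", "lookup_entry(., 10)");
    for (size_t i = 0; i < n; i++) {
        printf("%-26s %-12s %-15s %ld\n",
               samples[i],
               naive_check_fires(samples[i]) ? "yes" : "no",
               status_name(parse_entry(samples[i], NULL)),
               lookup_entry(samples[i], 10));
    }
    return 0;
}
```

Running it prints one row per sample; the "naive fires" column shows the conflation of "0" with non-numeric input, while the parse_entry and lookup_entry columns separate the four failure modes (no digits, trailing junk, overflow, out of bounds) from a legitimate zero.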
Info
Channel: John Hammond
Views: 138,893
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: -iRG9_zFRC4
Length: 27min 22sec (1642 seconds)
Published: Thu Mar 31 2022