PicoCTF 2022 #01 - WELCOME & Basic File Exploit
Вставка
- Опубліковано 30 бер 2022
- Huge thanks to Snyk for sponsoring this video -- check if there are any vulnerabilities in YOUR projects FOR FREE: snyk.co/johnhammond
Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
👨🏻💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humblebundle
🐶Snyk ➡ j-h.io/snyk
🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩 CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc
Disclaimer for this video. The if statement conditional that determines whether or not we give a flag is just checking if the entered number == 0 (is equal to zero). I'm just an idiot. No biggie 😂
I was cracking up big time when you first couldn't spell "please", then struggled to count the letters, and then went a mile trying to figure out what that statement does, as opposed to being super precise and efficient with every step, every command, and every explanation as you usually are. Pure gold. Way too human, you are an inspiration :)
We learnt the either way by breaking the api which will be easier to remember later .. 🙏
Thanks for taking more time than I took in solving this that's really an encouragement 😀😅😝❣️, for reversing any program be c or Java I look for the line that puts the flag , with this only i cracked them all.... In picoCTF2022 ❣️
We are all idiots, John. Thanks for the work!
Nah John. You ain't an idiot. If you was a c programmer you would be.
I really appreciate the subtle explanations of things like terminal navigation and why, or how you're doing something while still seamlessly teaching the broader point of the video, you sir have a gift for teaching and I'm enjoying the lessons from your content, keep it up!
One can only appreciate all the basic explanation you still add to your videos after all this time.
Super fun to watch and learned a lot of things!
Onto the next one! Thanks John for uploading all of these.
I really feel like the unedited and "searching" part of the video makes it even more interesting for someone like me (yay pen testing students)!
I had a lot of fun with these challenges! The first live CTF I've gotten to do since getting into this sort of thing in large part thanks to you. Excited to see you go through some!!!
Great Explanations even of the smaller things, really appreciate this as someone who wants to start out on cyber security! Keep up the great content!
You are hands down the most entertaining and best source of cybersecurity education on youtube. thank you for all the content you put out
thank you a lot John, i found out about this thing only because of you and i solved every single challenge that's less than 500 points :D. some took a lot of time even though they were simple but i liked it a lot anyway
congratz!
This was fantastic! Pico CTF has been my favorite ctf site so far.
Thank you for all that you do. I want to start doing these myself and try and follow along with your videos and do all of these lol. I love how you walk through the CTFs.
Your curiosity makes it even more interesting! Thanks
Welcome back Pico. Favorite series.
It was honestly very comforting to see someone I look up to also maybe struggle a little bit with code at first. It makes me feel not as dumb, ha ha!
Hi John. I saw you on with David Bombal and found your channel. I am the greenest of green, just starting to learn from scratch. When you first opened this up my eyes glazed over. Watching you work through it, and reading along, really made it less intimidating. I'm more confident that I can learn. Thanks for what you do. Edit: IDK where I got "Peter Hammond" from 😄
I got excited when you said it was for middle school and high-school kids. I thought me and my kid could give it a try. The you went to the first challenge and opened sublime and started going through code and I was so lost it wasn't even funny. Can you recommend a ctf like this for absolute beginners.
Unfortunaly they are not really a lots of ctf for begginer and i understand that when u don't know the basics of code and all that stuff it can be really discouraging but for ethical hacking the start is always pretty hard.
But if you are really motivated and really want to learn/teach ctf u should first learn network (just the basics of ip and how computer communicate), the basics of linux and bash (you can watch the playlist of Network chunk linux for ethical hacker) and finally a little bit of code like python or c++
It's totally fine to give up or just don't have the motivation but if i can give an advice of my experience you should learn/teach just a little bit but everyday and like that in one or two month this ctf will still be a little bit hard at first but you will have the skill to do some ctf
Hope i helped ^^
@@sachabourel9375 I have strong programming skills, but I don't know anything about network, how hard will it be for me to become a good ethical hacker?
@@maxim2727 in reality ethical hacking is really not difficult (and it's even easier if u already know some coding skill especially if it's python or bash script)
But like i said a little bit before the real difficulty it's that a lots of people (including me for a while) want to learn everything fast
So just take ur time make a schedule and learn a little bit everyday with the right teacher/online ressource u can be almost an expert in a couple of month
@@sachabourel9375 Hey Buddy thanks. I have strong coding skill in Python and C/C++, can you give me a roadmap, what to learn next? with resource when possible?
You're making me really want to check out Pico CTF!
thank you John for this amazing hands-on video, your videos help me a lot to build knowledge in this amazing field of offensive cybersecurity.
loved it, it reminds that the problems programming for different people sre very similar sometimes
Hi Big John, love your words and there's somthing new in your tutorial s, it's always like real..
Your videos are making me more excited 😊 Thanks
Thanks John!!
I didn't get this one as it took so much time. Surprised me it was the first challenge especially as last year's cat a file for the flag was a winner! The rest onwards were as expected. Still they are great challenges though. Another great video :)
"Virtual machine" he says, 1:51 am march 16th he says, either way I hope I could learn from this chill video!
Played Pico awhile back, was kind of proud of myself for doing well...until I realized the many users I was getting stomped by - were high schoolers 😑. Lol but that just got me even more motivated to get out there and learn more, so I'll head on over and play some more 🤣
I really enjoyed this! Your explanations were helpful, but not excessively drawn out. For someone like me, this type of video feels like talking to someone just slightly smarter/more experienced than you. You can understand, but they still make you think and question what you know.
enjoyed
!
Hi John. Love your videos and took your word and played through this CTF. I would really love for you to cover the buffer overflow ones, I just couldn't get past the second one. And also the solfire one kept me captivated. Apparently very few got to solve that one...
Absolutely, the buffer overflow ones are on their way!! :)
Thanks John, the outro was lit tho
i think it will work either if you enter 0 and some random characters because the function "strtol" cuts the input into numbers and characters so if we enter for example "0AAA" it will return the 0 or if we enterd "123AAAA" it will return th "123" and if we either enter "AAAA" it will return 0 too because there is no numbers in the beginig of the output .
Just an advice, if you come across some CTF event you like or challenges that might interest the crowd, release the video later, that would be helpful but atleast post it on your social media about the event. It's April 1st and I completely missed the PicoCTF challenges because I hadn't visited it's website for a long time... Sad life!! 🥺🥺🥺
Cool vid
The picoCTF organizers didn't want writeups for the first week as they get the top teams to do writeups.
I'm still waiting to release my solfire (only got 5 other solves) writeup because of this.
Good goood
strtol converts a string into a long integer, so enter a string '0' you get a zero. But if even when you enter a string without digits you still get a zero. Only if you enter a string of digits bigger or lower than long min / max, you get the min max error. ;o)
Right, and that's a design flaw in the C standard library that's been around forever.
@@logiciananimal Not really. That kind of converter function works the same in e.g. [Visual] Basic 'val()' or similarily with implicit conversions like in Perl or PHP. Only some high level languages catch letter to number conversions as an error. I think Python is one of them.
@@jenselstner5527 This is why Option and those sorts of things was invented.
@@logiciananimal Some call it design flaw, others call it expected behaviour.
Reading the man page: "If there were no digits at all, strtol() stores the original value of nptr in *endptr (and returns 0)"
Longs are *signed*. LONG_MIN is far less than 0.
If ( (en=strtol(entry, NULL, 10)) == 0) {...}
Set en to what is returned by strtol(entry, NULL, 10), and check if it is 0 then do stuff. strtol(entry, NULL, 10) converts the number, potentially after white space and with base 10, at the beginning of the string entry and returns it.
This has nothing to do with errno.
Hey John, what do you think about Spring4Shell that just surfaced and hit the Java Spring Boot framework?
Was genuinely surprised by how many i got during the comp
You know I'm just going to go back in time and win the CTF for myself bahahahaha
Will chrome book chrosh work? Whenever I enter a line nothing shows up. Having a hard time following along
You broke my heart with the any of the other command line editors...
I use emacs on it and is glorious
In your videos, you always say that you fire up a virtual machine with Kali Linux. Do you use a full-fledged VM (vmware, virtualbox) or wsl2 with "kali-win-kex" that gives you a Kali desktop environment?
Should I get a desktop or a laptop as a student in hacking for the coming year? Is there any difference in how it can help me to set up vm, labs and heck myself having a laptop or a desktop? When you work as a professional later on are there different types of hackers, blue team, purple team etc that more often lean to using a desktop ver a laptop and vice versa?
Please be serious and get back to me with a good explanation of what to think of when choosing the right computer….
Thank you for all inputs and advices you guys can give me!
😎
It doesn't matter. You want a device that is comfortable for YOU to use. Fast and stable internet, enough Ram for 1-2 VMs and your favorite host os. Some people find having 2 monitors to be helpful
How to find out about challenges before they end?
i love y
hey John i"m new to ctf's and i got the flag within 3 minutes of interacting with the program. Just wondering why you are trying to break the program first. is it because logically programs aren't built for you to do exactly what they say in order to get the flag, and this one is the exception?
I've just managed to score 4100 in this challenge.....
I really suck at binary and crypto.......
Waiting for your amazing walkthrough
how far in crypto did you get?
@@yannisvh not much....
Maybe 2 or 3 of them...
I'm really bad at it
Where is the flag variable in the code set to the actual flag???
strtol = str to l = string to long
I usually play my xbox at 1:15 AM.
you feeling better bro? I hope so.....
I'm looking for CTF team
First thing I did was typed in “ flag “ and it spit me out the flag and was like umm okay…
Coding/ cybersecurity is just words plus commands basically right I'm a complete noob
pretty sure read takes the data line by line.
I am using LastPass, that didn't age well 😅
If you don't mind can I ask question?
@John, Kali in VM or WSL?
John is using a VM judging from the desktop environment, but WSL is enough for these challenges.
Can anyone explain to me how they write the flag on specific memory address as seen here :
static const char* flag = "[REDACTED]";
The memory address in this case is [REDACTED] = 5B 52 45 44 41 43 54 45 44 5D
I looked at the code and knew all it needed was a 0 or anything other than a number.
Why you moved from Ubuntu to Kali linux
Sir can you make course in Udemy about hack from zero to hero
Pretty sure you saw the code and entered 0 as the programmer intended and caught the flag! lol
John did your discord server get compromised? I really didn't take you as someone to put CoD over valuable Cybersecurity learning 😢
I understand that PicoCTF should be simple for newbees to get startet and to learn from. However, from about 5.50 in this video you totally lost me, I have absolutely no idea what is going on after that! 🙄😂
dude i think pico is great but the fact it wants to fucking save everything to my computer or my kali linux build is soooooooooo stupid
y you use echo "picoCTF{M4K3_5UR3_70_CH3CK_Y0UR_1NPU75_1B9F5942}
" ????
what the echo dose ?