Learn Capture the Flag!

John Hammond · Beginner ·🔐 Cybersecurity ·1y ago

Key Takeaways

The video 'Learn Capture the Flag!' by John Hammond covers Capture the Flag (CTF) challenges, cybersecurity, and hacking, with a focus on practical learning and hands-on experience. The video features Matt Ehrnschwender, who shares his experience with CTF challenges, reverse engineering, and binary exploitation.

Full Transcript

Learn cyber security and focus technical training with just hacking.com where all-star instructors and industry experts provide hands-on, affordable, and practical learning across courses, free upskill challenges, hack Hackalong training videos and capture the flag competitions. There's always something to hack. With new content twice a month, all throughout the year, plus by monthly live streams, you can sharpen your skills in our ondemand and interactive lab environments. Advance your career and level up regardless of your experience or budget. Forget all the noise and get to just hacking. Sign up now at justacking.com. Woohoo. I'm telling you, I'm sorry. The video always just gets me hyped up. It always gets me a little excited. Pretty pumped to hang out with you all. Thank you so so much for jumping in, joining us, hanging out, especially I think for some, you know, maybe a day off from work. Uh I was realizing looking at the calendar like, man, I'm still kind of working today. I got a lot of stuff on the docket. There's plenty on the calendar and on the schedule. But hey, thank you, thank you, thank you for joining for yet another Just Hacking Training live stream. And I got the shirt, I got the swag, I was bringing it along. I wanted to make sure, hey, we could rep represent a little bit. But I am super excited to chat with you all today. And thank you as usual because look, I know for a little bit of time, for like the first couple minutes, I got to do the spiel. Like I got to roll through the announcements. I got to roll through everything that the voices in the back of my head in production tell me, "Oh, we got to announce this. Hey, we got to make sure we can get this out and about." But let me say, there's a lot going on. I got a lot of really cool stuff to show you. But thank you again for your support and celebrating and trying to see what's all the cool stuff that we have been up to. So, if I may, I will share my screen and let's go take a look at what is the latest from Just Hacking Training. Remember that's justing.com. if you are jumping along and following along on the interwebs and let me get through the administr. Well, we are going to be recording this. This is recorded. In fact, this is always like available. Like the VOD, the replay of the live stream is like immediately automatically accessible on the same link that you've all been tuning in on. Whether that's YouTube or LinkedIn or Twitch or Facebook, Instagram, Snapchat, WhatsApp, I don't know, all the different places that we try to blast this out to to make sure we can hang out with you all. But in case you weren't able to catch it or if you want to go take a look on the events page over in the vital section in the top navigation that kind of shows you all that we are up to whether it's online, digital or it is in person. So look, these uh live streams again are just about everywhere that we can be. And I'm super excited because we're always trying to showcase, spotlight, and highlight some of the awesome, incredible, like allstar instructors, courseware developers, and folks that help us out with all this training. And look, I think we've got quite a crew here. It's kind of incredible. But I'm super stoked for today. We're going to be chatting with Matt, my good friend, my good buddy Matt. And we've worked together for years. He's been an incredible help support for one of the uh oh capture the flags that we'll host things over the past few years or even like research content. Hey, some of the videos that we get out on the channel. It's no surprise. It's no secret Matt's really oftentimes coming in clutch to help put together some of the genius hey demos and things that we can showcase. Um but with that, hey, we've been out on a whole lot of travel uh conferences that we've been out and about to. Uh something that we've been really excited about is being able to bring some training there or at least some representation, whether it's stickers, whether it's swag, whether it's just being able to hang out and be part of the party. Um but first and foremost, hey, making sure all of that education is accessible and available for you. So one thing that we've been trying to do is, hey, throw away do some giveaways really at recent events. I think thoughtcon, we had something previously out and about besides 312 and layer 8 conference. So, big shout out, big thank you uh for those folks that were supporting and present there with us. I hope we got to give away some awesome sweet stuff. Congratulations to all the winners at those recent events. And look, we got a lot going on as we get closer and closer to Defcon. Um, look, we will be present mostly in the IoT village, Internet of Things. So, you can come say hi, shake hands, chat a little bit. I would love to say hello. uh will also be helping out and be a little bit represented over at the red team village. So, I'm very excited about that. And I'll admit, got to be honest, I am helping host I'm hosting I'm helping host I am hosting the Scam Bait Village first time ever. Uh I was very, very happy and excited. We got to throw our hat in the ring and they had accepted a Scam Bait Village contest over in the contest area. So, if you're interested in that world, I'll be there. We'll be hanging out. We'll be making some calls. will be doing a lot of fun cool stuff. Uh so we'll see you there. With that, let me tell you about all the awesome stuff out and about after the events page. So one of my favorite courses, one of my favorite paths, training offerings that we have is constructing defense. I've literally sworn up and down this is genuinely like one of the flagship ways to get started in cyber security to kickstart and launch a career in cyber security because it's a lot of defense. It's a lot of hey working as a security operations center analyst. It's understanding some of the intrusions, the attack vectors, etc. So, we've had Condef, the nickname for constructing defense for quite a while, but now we're pretty pumped to try and bring to you Conde light, which is basically the do-ityourself version of constructing defense. It's the exact same course, the exact same material. Only change is that you get to spin up the entire lab kind of on your own. Uh, that helps us, you know, hey, clean up the price tag a little bit. I know sometimes that can be a gate or a barrier, but now it should be a lot more accessible. They're even like Luda scripts or sweet things to be able to oh spin it up off the fly real easy, but that way you get to run on your own home lab and your environment and infrastructure rather than a lot of the cloud environments that we'll have ready for you. So if you're interested in Conde light, again remember ginormous lab environment, Windows, Azure, Kubernetes, Linux, Red Team, Blue Team, Purple Team, Splunk Seam solution. It's so cool. There's a ton of great stuff there. So, I hope you get a chance to play now with Condite. Make that accessible for you. Just as well. Another sweet thing coming up soon. Let me say this is not yet released in public, but for those of you that were hanging out with us with Corey Macy last time when we got on the live stream, she is putting out a fishing course. And I'm so excited about this because it is all hands-on, all practical, all in the weeds, all getting onto the keyboard for a technical course. Whether you're doing penetration testing, whether you're doing rending, whether you're just trying to simulate, emulate, and get with what some adversaries might be doing for fishing, social engineering lures. Uh Corey is one of the best people to help shine the spotlight on that. Look at all the stuff that he'll cover. obviously setting up Go Fish, doing some of the OSEN email discovery, then doing some like web page and portal cloning using Evil Jinx, some session hijacking, account takeover, tons and tons of cool stuff. So, genuinely super excited for this. That's coming the very first of July, uh, at least the first week. And hey, making sure that's going to be out and about soon. But if you are willing to dive into the party with a pre-release, hey, we're going to do another sweet giveaway, some fun with that. Uh, you could. Top three winners of a random drawing could get constructing defense full version uh the Michelle bundle. So everything Michelle has out and about and uh my dark web and cyber crime course. So I hope that's a good thing to do. It is pay what you want. It is pay what you can. It is name your price. Uh you can bring it down to about $10. So I hope there's some love for the fishing course. With that I'm rambling. I am talking for way too long. But there's still so much more we got to talk about. Look, another sweet gift, something really cool that we were excited about. Father's Day, we wanted to celebrate. And Michall, you know, he's an angel. Bless his heart. He's all about getting education out and about. So, everything that he's done usually, more often than not, has been name your price. It's been pay what you want. You could set oh, you know what, minimum, maximum, whatever. But while we've traditionally set that $10 minimum like you just saw for fishing, hey, right now it's been going on for the past week up until tomorrow at midnight. Uh his OPSAT course, Privacy for Security Professionals, you can use that name your price. You can use that pay what you can and you can knock that down to straight up 0. So take a look at it over on the platform. Look at all the I'm here to double check. I'm here to see am I if I'm back. Am I back? Is the internet working for me? I'm going to cross my fingers and think that I'm back in action. Reream might be giving me a hard time today. I'll keep cruising though, just in case. I'm back. I'm back. Thank you, chat. I appreciate you. I don't know where I left off. I was hyping up the fact you can just enter zero dollars and that's the gist. Um, cool. Thanks, internet. Really appreciate that. It's so cool to be here. What a time to be alive. Look, I'm having fun. Forgive me, I'm goofing off, but the rest of the things we want to cruise through are a lot of the other free upskill challenges out and about. Uh, upskill challenges are completely free and then I promise I'll stop rambling super soon. I'm going to give myself to the 15-minute mark. So, I've got four more minutes to cruise through this. Look, um, Hack SpaceCon was incredible for us. It was a lot of fun, that conference and event because we got to meet some of the crew, some of the team members. They've been doing some incredible work over in space, like the security of satellites and hacking all that world. Uh, it's crazy cool. I want to give a big shout out to Adam. Uh, Adam has helped put together the space security upskill challenge. We also have Google Dorking available from Bailey Marshall. She is lovely and has been helping put out a lot of great stuff. Uh, again, completely free, available online. And another one, this one I'm hyped about, AWS security. So, Amazon, Amazon Web Services, AWS, right? But from the rockar himself, the legend Carlos Pullup. So, if folks aren't tracking, that is Hackrix. That's the guy who built Lindpiece, Windpiece, all the tooling that we're used to, maybe purple panda. And of course, if you're ever looking at the hack tricks um capability, like all the resources, all the archives, every educ education that they share, that is super duper cool. And I'm so happy he's joining the party. Uh getting started with AWS, but pretty soon I think we'll have some Azure and some GCP, Google Cloud Platform love in the mix. But I'll shout out to Carlos. He's a great dude. You know, we were hanging out. Good time. Another one here, if I may. Jennifer Jen has been putting out some phenomenal stuff. Uh, this one we actually want to convert to a blog post. Uh, this is traditionally like an upscale challenge, but I think it really works better as just kind of, hey, material on site, but if you're interested in more of that CTI or cyber threat intelligence, she covers a lot of the mind over malware, like the psychology, the mental workflows, process, the thinking of CTI. Super cool stuff. Now, let me get to the goodies. Let me get to the sweet transition to my good friend Matt. Uh for folks that aren't familiar, we have been sharing a lot of the capture the flag, the CTFs, like events, hosted competitions, games that we run, and we're helping immortalize them by getting them up and available on JHT on the Just Hacking Training platform. So, it doesn't have to be, oh, just running only for a weekend or only 48 hours or whatever day the game lives and dies. uh we'll make all the challenges still available for you here on demand. Spin them up in a whole virtual environment. You'll have a in browser Cali instance. You'll have the challenge virtual machine. You can VPN in a lot of good stuff. These are behind and I will say I know dollar signs make people scream and run around with their pitchforks. But because we're giving a lot of those virtual machines and making these things available for you because the hosting, it's just cloud costs, you know. You know. Anyway, we're going to be hyping up and chatting about one of my favorite challenges, and I'm a little selfish. I'll be the first to admit. Uh, talk to this was genuinely one of the web challenges that I had the most fun with, and we'll discuss it and showcase it later. But if you wanted to dive into the capture the flag here, uh, all of the challenges are available. All of the, uh, I will say hacking hub ones are available on the hacking hub platform. But if you want to dive in and see just about everything that we've been putting out the door with the capture the flag, that's going to be all the games so far previously like Cyberjutsu Con, Huntress CTF 2023, Nomcon 2024, Sneak 2023, Nomon 2025, and we'll be adding more and more and more of our past events, and we'll get to keep doing this for future games. So, that's pretty cool. I hope that's fun and worthwhile. And if you want to get the bundle, you can basically get all of them half off. Okay, with that, I think I'm done. I think I'm done rambling. Just at the 15 minute mark. Thanks so much. Cool. Look, I am stoked to really hang out with a good friend. I was uh leading up to the fact that, hey, we're going to get to join the party with Matt. Um, and I don't know if you've seen it, but there's a video on my channel that showcases like some reverse engineering, some like low-level, I think, beginnings of binary exploitation. Um, and it's a live, it's not, not to say a live stream, but it's a long form video with Matt. And Matt is basically like teaching me a lot of the reverse engineering of GEDra. Hey, some of the work that we could do for solving those low-level challenges. So, he is a wizard. He's a genius. And I'm just so grateful for him being uh willing to help out and help me learn and help create and help produce. Just a great great fellow with that. Matt, are you feeling good? Are you ready? Can I bring you in, dude? Thumbs up. Sort of. Looking good. All right. How's it going, Matt? Hey. Hey. Going good. How about you? I'm good, my friend. Thank you again for doing this thing again. Especially on like a work day. Yeah, a work day. Not not a work day. Holiday. I don't know. Yep. Yeah. Well, thanks for having me. Um, super excited to be here. Pretty cool. Never actually ventured in the live streaming phase, so this is interesting. Yeah, you're right. I guess the last thing we've done together is usually just a pre-recorded kind of thing. Uh, so I hope hey, we'll we'll enjoy the folks uh tuning in live with us. Happy to. I'm going to be struggle busing today, huh? Aren't I? Well, thank you for running the show without me here and there. Well, if if it works, it works. We'll we'll get through it. I appreciate you. Thank you for tolerating and sticking with me. Um, but what have you covered? What have you been digging into? Have you done your introductions? I don't know. Have you said hello to folks that might not know who you are just yet? Well, uh, yeah. So basically not a whole lot but um I started out sort of venturing in cyber security doing um doing CTFs. CTFs were kind of my sort of introduction to hacking and cyber security as a whole. Then from there I realized that yes even though CTFs are fun you can't really you know get a job doing them. So um started out venturing into different areas of cyber security. did uh some threat hunting and detection engineering, a little bit of malware analysis work, and then now I'm doing more on the offensive security, you know, red teaming side. So, that is awesome. I think it's so cool to see realistically uh transition or growth or like the trajectory of you know, hey, cutting your teeth on capture the flag challenges that make you still like super well-versed and build out a lot of kind of the grit like the determination, the stubbornness to like not put a problem away and then hey, you're now going to be keeping up for real work, for real threats, for emulating real threats, for a lot of that red team, oh, offense emulation, etc. Um, can you tell me a little bit about that work? How does it tie together? Did do any of the CTF stuffs lend themselves to the work that you do now and today? Yeah. So, a big thing is with CTFs as a whole, I sort of look like to look at them as puzzles. I know it's, you know, sort of weird, but it's like, you know, if you think about it, you know, you are doing security, but a lot of it is like it's really just really elaborate puzzle. And so that's always been my sort of like drive is I really like solving puzzles and doing the more offensive security side of things. It's a lot of that. It's a lot of the um stuff you'd be faced with in CTF saying, "Hey, we have this completely unfamiliar service and we have to try to find a security issue with it." It's like, "Okay, what do we do?" And then you're off to the races, you know, googling, researching, testing, and all that stuff. That's very handinhand with doing more of the security assessments and consulting. When did you uh kind of join the party with us, man? Looking back in history, is it like five years? Way way early days of like Verscon 2020 or so. It was around four or five years. Yeah. Yeah. Well, again, I know you've been putting together some incredible stuff, and I can't thank you enough for whether it's different CTF challenges or some of the video prep for demos we've been able to put on. Uh, I keep trying to make sure, hey, can can we can we help make sure Matt's happy? He's doing great stuff. I want to make sure, hey, we we make sure this is valuable and worthwhile for him. So, happy to have you here. Um, is there anything that you might have up your sleeve uh to kind of show us? Whether it's anything from the capture the flag world or just anything that you're working on that you think is cool. Um, I could show you some cool DIM tricks if you're interested in that. Yeah. No, I'm kidding. So, uh, we'll we'll go look at, um, we'll go look at the, uh, the Namcon CTF challenges we put up and then, um, walk through sort of like how you'd approach solving a CTF challenge for people who don't really do CTFs. Um, we can, uh, get your screen share up and about whenever you are ready. Um, and I can help maybe fill in some top cover if that's okay. Um, but for folks that have been able to hang out with us previously for different events, uh, when JHT's been out and about, oftentimes when we're working with IoT Village, hey, we've got like this really cool MQTT, uh, lab, little protocol exploration kind of learning scenario environment there. Uh, and Matt was the one that had helped Carrie play a part in, hey, making that thing a reality. Um, and even a past capture the flag challenge of yours, if you're willing to talk about it. I know we don't have it like off the cuff at the ready, but you've built out a whole like malware challenge based off of MQTT and other things like that, right? Yeah, I've done a lot of looking back, I've done a lot of things here and there, challenges here and there. Um, basically I started out doing more of the challenge development stuff and then, you know, next thing you know, you're at 800 challenges and you're like, "Okay, we uh we have too many now. Too many." And then now I've uh more transitioned into uh actual like infrastructure hosting for CTF. So, that's been a lot of fun. Um, if you've done any of John's recent CTFs, including Nomcon, I was probably in the background typing away at infrastructure, making sure that's all sound. But, you know, it's infrastructure, so things always break. We keep uh we keep joking the the Kubernetes aren't kooetting or something. The cubes aren't netting. We we joke. Anyway, but yeah, so here are the challenges that were from Nomon 2025 CTF. So, as John said earlier, what we've been trying to do is we have this giant archive of a kid is probably like 900 challenges at this point and we were debating on what to do with them and we decided why not make them available for people to try. Um, so all of these are sort of pay what you can and again we wanted to make them available for people. However, the problem is there's, you know, you can't have anything for free. So a lot of the costs really are for infrastructure. But here we have all of our challenges that were available in Nomon 2025 CTF. So you can go through online, register for the course, and then just play for them. play through them. So, John wanted to look at the talk challenge. Um, that was one of his his sort of babies that caused a lot of pain and suffering for a lot of the people trying to solve it. But, um, this is a web challenge. It's one of the harder web challenge. you can see by the hard um and then here which is super neat about the uh core stack sort of structure is that it provides you with a virtual machine. So here we have two virtual machines. We have the challenges virtual machine and the Cali virtual machine. Um the Cali virtual machine is one that you can connect to and then it has everything already set up. So you don't even need to have a virtual machine. you could just, you know, be on your phone in the airport and just, you know, solving CTF challenges. It's super super convenient, super handy. Everything is just already here. And then for the challenges machine, so some of the challenges that we were running, we were running off of our infrastructure. And how those challenges are designed is you have to connect to some sort of network service, so like a website or whatever. And if you have that service running on the machine that you're using, that kind of defeats the purpose because your your your goal is to try to, you know, break into the service. And if if it's running on your machine, you could just, you know, you already have access to it. So here it's the machine that holds all of the challenges that have some sort of network service. So like this one has, as an example, you know, it's running at port 504 on the challenges machine. And on top of that, if you're one of those people who, you know, you say, "Hey, this cool, you know, web RDP session is pretty cool, there's also a way to download a VPN for connecting." So, if on your machine you have better, you know, tooling or you don't have to worry about configuring tooling on the remote machine, you can download the VPN config. Then I'll open up a terminal and I can just connect to the network straight away. I don't know if folks remember, but in the early days I was kind of screaming and shouting. I think I I might have been the squeaky wheel that was, "Hey, can we please get a VPN connectivity?" Because browserbased labs are cool. I'll admit I think, hey, getting something Apache Guacamole, you click into it. That's nice and handy. But I just really like being able to, hey, hit hit the machine, interact with the service without, you know, that thing in the middle. Um, I think that is I I like the VPN personally. Hey, get to bring in your own tooling. Especially for a capture the flag environment, it's good to bring your box. Yep. So, now I just, you know, connected to the VPN. Standard OpenVPN you'd find in, you know, hack the box, try hackme, all these other wonderful labs. So, now that I'm connected, I should be able to reach this machine. So, challenge VM is this IP address. So, I'm just going to copy that. And it's 5004. Fingers crossed. I I pray to the demo gods. Excellent. Step. So, it's a super basic website. You can upload a file. Um, then you can also view the files that you've uploaded. So, I have this uploaded. Delete them. Very super basic. And then on top of that on the um challenge machine that Cali provided they have the source code for it. So if I can go here into the talk directory which you know John being true to John's form always names his challenge is great. Thank you. I was I was just so pleased with the premise of this. So, I'd love to ramble and rant about sort of I don't know my my idea, my thinking, the the fun in in architecting quote unquote the challenge. Um, but uh that should be fun for us to dig down into. Yeah, it's funny. I've always now gotten in the habit of adding a password to the zip archives or files that we downloaded no matter what. Cuz when we have like the malware category for a lot of different capture the flag challenges, if there's shady, sketchy, bad code in there, they'll like take down whatever provider or hosting thing that we use, which is not a good look. Domain reputation on my CTF just tanks. Well, I remember I think every CTF if I try to post the link on Twitter, Twitter just says no. Yeah, they've banned CTF. And on top of that, it's the uh there are some challenges where we just forget to upload a uh we just forget to put a password on the zip and we just get an email from our hosting provider like, hey, you have malware on your website. You should probably fix that. And I know I want it there. And yeah, we and we're like, oh yeah, that's supposed to be there. However, we have to try to explain to them, yeah, we want malware on our website. It's a interesting conversation but anyway here is the uh application. So I have this also on my local machine. Make it easier. Great. So this is what is provided for the machine. We have a Docker file. Um pretty standard for CTFs. What they do is they run everything in Docker. Docker makes everything easy. So if we need wanted to, we could either just copy and paste these commands to run it or we could just use Docker to run it locally for testing. Uh we have this flag which is just a you know fake flag just for people wanting to test stuff locally. They can do that. Uh the solve I that was my sort of playing around with this before the uh live stream. But anyway, the app is the actual source code. So it's a basic Flask application. So if you're familiar with Python, Python Flask is a web um web framework for creating websites, APIs. Super super easy to get started with. And yeah, so just go to the sort of entry point of the application. Um it's just you know running on port 5000. Debug is set to true. So we have you know debug output and we can go to the index route. So the index route is the route that we viewed when we visited the website. Um it is this podcast episode. So going through we can see with flask it tells you what types of methods it accepts. So there's a get request, post request. So we can send both of these types of requests and then this function will be called whenever we hit that. Here it's doing a filter off of a post request. So this will be executed if we're sending a post request. We scroll down. If it's not a post request, then it will just render the upload template. So this is our, you know, it's what we're seeing on the website. we have this upload template because we're sending a git request through our web browser. So going through um if I were to approach this challenge uh any sort of you know CTF challenge the first thing I do is I find sort of what can I affect in the application? So where where can I do things that sort of control the application? Where are my inputs to this application? So in this application we have um we can upload a file via a post request. So that file gets saved here and if there's no file it just redirects us away. And then you know anytime you have any sort of like file uploads or any sort of you know data coming from an untrusted source the first thing you should do from like a development standpoint is just validate that um validate that input. Input validation is you know important. You basically want to treat it as radioactive any sort of input from the user. So here it gets the file name of the uploaded file uh gets the extension and everything and then later on it will go and check if it's an MP3 can try to convert it remove it and everything. So now one thing that sort of sticks out to me in this challenge is you know with dealing with input from untrusted sources the first thing you want to do before you do anything is validation. However all of the validation occurs right around here. But what it does do is it saves the file first. So we're technically you know doing something with untrusted input before we're validating it. So that's something worth you know worth keeping an eye on and saying okay how can I you know further use this to my advantage and then later on it's checking is this a valid MP3 so we'll go there is valid MP3 it's just going to use calls to ffmpeg and ff probe to see is this an actual you know audio file being uploaded And it's also going to check if the tags contain an episode name. Um it's checking to see if our you know metadata in the file is also valid too. So let's go back. And then here it's just doing some various uh import input normalization. So you know it's creating a loud output, normalized output and then it is going on to get the metadata. So uh a lot of types of file formats will embed metadata in it and then it's the website is using FF probe to extract that metadata and then that metadata is going to be used as you know sort of like naming scheme for the episode. And then it's just going to go and it's going to save the file and the metadata. So that's basically it for this route. Um we could look at the other routes. However, there is there aren't many. There's only episodes for listing episodes uh episode file name delete. So there's not a whole lot of sort of functionality in this application. So now looking at you know what could be the potential vulnerabilities for this one and if you look there's a lot of sort of good input validation so using like flask secure file name um albeit it is using a comparison on the MP3 file extension so you could potentially upload a file with ampp3 format but it could be an image for an example. So there's not really a lot of validation there. However, there isn't really something we can do to take advantage of that. So for example, if we upload a image file but with a nonmp with an MP3 file extension, it'll assume that it is an MP3 file. But one thing that I mentioned before is that it saves the file before it actually validates it. So if we up upload the file and then after this validation is done but it checks it's not a valid MP3 it doesn't actually delete the file. So it's kind of curious because it's like okay so if it's not valid don't you want to delete it? You could just upload a bunch of you know garbage files and then next thing you know it's you have all of your data you know stored up there. And then another thing scrolling down is when you get past you know the uh normalization and all of that you can see that it will get extract the metadata from the um file. Now what may seem weird to people is that even though it's the metadata of the file the metadata is also user input. So all of the validation above with secure file name that we're doing for the actual uploaded file itself, we also have to do that same validation on the metadata of the file because as you can see it is extracting that metadata out and using it in the pro.standard out. So this metadata right here is essentially all user control data. And if we go, it's going to check to see if we have a format and then it's going to create a target path with the metadata format tags. So it's going to go through the and get the tags from the metadata and it's going to get the episode and secure and if the episode is not specified, it's going to create a secure file name with the original file name. So what's interesting here is this is sort of using a sort of fallback methodology. So it's checking to see if the tags value is in the metadata. If it's not, it's going to be empty. And it's going to check to see if the episode name is in that, you know, tags value. And if it's not, it's going to be a secure file name. So whatever is used as the metadata episode name is going to be stored is going to be used here for this metadata and it's going to be appended to this target path. The vulnerability here is that this metadata and the tags and episode name are not being validated. So we can put in whatever data we want. We could put in you know quotes, exclamation marks, whatever. So this target path is essentially all user control in terms of the context of the uh user you know interacting with the application. So here that target path is being passed to ffmpeg- i with the original path and then the uh metadata is being spit out to this target path. So what this allows us to do is get an arbitrary file rate on the server because we can control this episode name. this episode name is not being sanitized for you know special characters and then that value is being passed to ffmpeg you know the command line and it's using that to write to that path. So we can essentially write any data we want. Now how you would exploit this is you would first upload two files. You'd upload one file which is your sort of you know okay file. It's your valid file and then that file file would go through the check and you know see hey is this valid and it will go through here. Now while you're uploading that valid file you also upload a fake file and that fake file since it's going to be saved too you have essentially a race condition here. So you have your your upload file being uploaded. It gets saved and you have your malicious file being uploaded too and it's get save overwriting that original file. Then when it goes down here, you know, your your malicious file is not going to be valid. So it's going to redirect. However, the file is still saved. It's not deleted. So while the good file is still being processed, your malicious file isn't being processed anymore. And then your good file is going to have the um meta data embedded in the tags to get the target path. And then that's how you achieve your file overwrite. So because this is a rather complex, you know, exploit to write out. Instead of writing it from scratch, I'm just going to pull up the solution for it. Um, and the reason I'm pulling up the solution is mainly because you do not want to see me typing all of this out painstakingly without any words and many many typos. So let's go through the solution what the solution is for this. So here is starting the talk tow exploit. So tctile means time of check, time of use. So basically it's checking here. It's checking here. So here's the you know time of check and then later on you have the time of use. So talk to exploit. Uh what is a race condition? So arrays condition is where you essentially have a situation where a program is executing. However, during the execution phase, you can impact what's going on. So here's an example pretty much a basic example of like a talk to vulnerability. So say you have like a small Python application, okay? and you want to read in some input as an argument. So we want to do like our input file is let's see. So this basically just takes in you know the argument specified on the command line and you know the input file. Now what we want to do is we want to check you know does this file actually exist. So I think it's like what? OS dot I know it's here. Is it just OS.path is exist? O yeah exists exists file. So we're checking if um we exist. If not exists we're going to exit one. So basically you're checking hey does this file exist then you know if the file does exist we can read it in. So file data equals open input file read binary. Now what may be a little bit subtle is that there's actually a race condition here. So here we're checking if this file exists and between that exist check then we're you actually reading in the file. So if we're doing some sort of other validation here to see like hey what type of file is it? Is it a sim link? Is it a directory etc etc etc. During this execution phase we can swap out that file and that's where the the race condition sort of occurs because we're checking we're doing this input validation ahead of time before actually reading in the file. Whereas what you should be doing is eliminating all external factors you can. So reading in the file before doing the validation instead of val validating the file on disk before reading it because again the user can go and do whatever they want to that file while these checks are being validated and that's essentially what is happening here. So we upload the file. So that's the the uh file being uploaded and on top of that we can upload another file that is going to execute sort of in parallel. So you have two instances of this code running and then it's checking is this a valid MP3 here. However, it's then using that file later on. So it's you know time of check is up here, time of use is up here. So the the goal as like an application developer is to try to sort of minimize this window and try to use the file while you're checking it instead of checking it ahead of time and then using it. So that's a sort of what a race condition is. They're not they're super common. However, they're not commonly talked about or discussed because race condition vulnerabilities are very hard to exploit since you have to deal with so many different external factors like timing. you know, how how uh how good the system is and and everything. They're very finicky to get right. So, going over the exploit, what we do is we create an innocent MP3. So, this is our, you know, fake good MP3 that's going to be processed as a regular MP3 file. And we're also going to create a evil MP3. So, this evil MP3 is going to have some metadata embedded. And what this metadata does is it's going to have an episode name associated with it and it's going to have that path path traversal. So here this episode name, you know, this path right here is going to be put right here with this target path. And this target path is now, you know, something we control. So what is going to be written to this target path? Well, the actual metadata itself is going to be written to this target path. So in this metadata content, we have, you know, the FF metadata, then we have the episode name. So all of this is going to be written to the um target file. So it's sort of like the the path reversal vulnerability is being embedded in the metadata. However, whatever path we're specifying is also the metadata itself. So it's sort of like stepping on each other's toes a little bit. But how this uh exploit is working for this vulnerability is what it's doing is it's doing the path reversal and it's overwriting itself. So this code that is running this app.py is that is running is going to be overwritten by whatever we specified through the path traversal and what's going to be used is this reverse shell code. So when Python is running and Python is running the files uploaded the path traversal happens our app.py is now a reverse shell and then Python's going to execute that reverse shell and we get code execution on the host. So that's sort of how this vulnerability works. Um it's very finicky to get right and that's just the nature of race conditions. That's why they're not really, you don't really see them a lot nowadays as being, you know, this new CVE that appears. But yeah, this is the uh talk to challenge from uh from nomconf. So yeah, that's this whole sort of premise behind it is you have this race condition which allows a fi file overwrite and this exploit is going to overwrite the actual application.py PI file for reverse shell that will get back as to get code execution on the web server. Does the uh solve script show the like time delay? Do we have a super slight sleep in there anywhere or like as we're uploading both? Yeah. Yeah. So here you have what is here. So it's going to you know stepping through the race condition. For me I like to picture like two parallel paths. So you have like one path which is you know the normal path and one path which is the path you're trying to modify but it creates our innocent you know MP3 file creates our malicious MP3 file and it's going to upload our innocent one in a new thread. So, this is going to be, you know, non-blocking and it's going to continue. And then here, it's going to upload our malicious one in a new thread, but this one's going to block for 1.5 seconds because what we want to do is we want to get, you know, we want to get our malicious one in that race window so that it overwrites the the good one. Super finicky to get right. And that's why we have these, you know, time. delays. Yeah, I had a lot of fun putting this one together. Uh, and if I may just ramble because, uh, I wanted the presentation, right? I really try to keep in mind like, oh, what's the CTF player like psychology as they're going through because when you see an upload form, you can immediately get these like knee-jerk reactions like, oh, I can upload like a web shell. Oh, I can upload a payload. But when it tries to limit it and says like, "Look, you can upload an audio file. Oh, an MP3 file." Okay, it shoots down like, "Oh, okay. Dang. Uh, I can't really upload an immediate easy payload." But is it really going to be checking if it's an MP3 file or not? So, they dig into the code to see, okay, what did they do to determine that the magic bytes, the signatures, etc. But then when you can see the source code, oh, it uses ffmpeg to do some like more processing. And then I I had a lot of fun with that because then it puts a lot of the like concern and the the wonderings of oh while you're scrolling through the source code maybe at first blush it like looks quote unquote secure. They they use secure file name. They use ospath.base name. They have all these smart subprocess calls. No shell equals true true crap. So like hopefully enough to kind of throw you off. Um, but then when you see that arbitrary file, write, I made that a little messy because it's within the metadata of an FFmpeg like MP3 file. So, originally, and this is really funny and because if I may, Matt, what like a day before the Nomcon CTF started, I asked you like, "Hey, can you look through this? Can you see are there any unintentionals, quote unquote, and you didn't find any, did you? You didn't see any other unexpected solutions than kind of what we were thinking, did you? No, I didn't see so I didn't see any unintended ones. But I think the fun one you were worried about was like deleting an episode, right? Yeah. So, one thing, so one vulnerability I did see here is that um granted this was before this is literally like the night before the CTF at like midnight or 1:00 a.m. So I was like, "Hey, can you find bugs in my code?" And I'm like, "Yeah, sure." So what I did find is this is, you know, changed now, but there's no input sanitation sanitization here. So you had an unintentional vulnerability where you could just delete whatever file you wanted. So if the user wanted to, they could, you know, do a directory traversal and delete app.py and the whole application is done. But that's just the nature of, you know, not only just CCF challenge development, but just development in general is that the unintentionals are just so they're hard. Yeah. So when we got to play the game and real users and real players were solving this challenge, in my mind, I still like consider this kind of an unintentional, although it's really not. And there's a really kind of funny nuance there because I wanted the vone to be the arbitrary right like hey you can clobber whatever you want on the file system through that messy ffmpeg man of data time of check time of use race condition but I left the debug mode for flask to be true. So that way if the app were to change, like if the Python code were to be modified, it would reload and refresh and then now run the new code under the impression and kind of expecting hacker CTF player to clobber the entire app. But that had some hiccups because you're trying to operate inside of legitimate ffmpeg metadata. So now it has to be totally perfectly valid Python code, which throws another wrench in the works. And that's why I had this gross like, oh, minify thing, blah, blah, blah. But some other players were really, really, really smart because they used their arbitrary file write capability to write over like the flask templates. So like the HTML like oh, manage.html or index.html. So then they didn't destroy and wreck the entire app, but they could give themselves a new vulnerability like serverside template injection where they can use the curly braces and flask to now pop or run whatever code they wanted to. But then you didn't have the restrictions of trying to cram Python code into ffmpeg metadata. You could just use basically HTML and that worked out super well. So I felt like that helped skip over one part. So, kind of an unintentional, but they really still use the race condition arbitrary file, right? So, I can't be too upset, but I am uh I I was just pleased with how this challenge came to light. Anyway, yeah, I remember uh people were saying that you know instead of clobbering the whole application so that if your exploit fails the application is wiped out. Yeah. they were uh doing the server side what they were doing is they were actually using the file write to introduce a new vulnerability into the application. So it's you know it's sort of a pretty slick technique of hey instead of you know trying to do everything in this the single exploit let's try using the exploit to create a new vulnerability that we then you know exploit. I think maybe at the end of the day there were 20 or so teams that had solved this. I think we had like what 8,000 8,000 players on the scoreboard. I don't know how many teams that would have made, but uh I I hope I hope it earned the hard tag in that difficulty suggestion. Yeah, it's it's interesting because a lot of times, you know, we learned this the the hard way, but something that we think is hard or that we think is easy, not everybody else else thinks is hard or easy. So, it's like, yeah, so it's like, you know, this challenge, you know, might be might be hard to us. However, you might have somebody who's like, oh yeah, I was, you know, exploiting a race condition the other way. I see it obvious and that's easy for them. What do you think? Are you still playing capture the flag these days or here and there? I mean, I know you're doing infrastructure work and hosting when you get to be on that side of the game. Uh, but I know, hey, for real work, so to speak, it's not always, oh, trying to go find the next MD5 hash, right? Yeah. I've the main reason for me pivoting to infrastructure is just because I've written so many challenges and it's just so hard to find something new and fresh. It's like Yep. Yeah. I think at this point I've written just for you know the CTFs we've hosted probably over a hundred and it's like how many you know buffer overflows could you reiterate upon or how many heap exploits can you do? It's like it's hard to get good ideas. Totally. Well, thank you. Thank you. Thank you, Matt, for walking through and showcasing some of these things. Um, can I ask what's on the horizon for you? I don't know. What are you thinking of doing next? What is there anything you're Oh, new projects, new things that you're chasing. Appreciate all your support with the Just Hacking Training end. We're going to keep doing more CTFs like these. We're going to keep getting new education out the door. Um, but anything personally for you? Uh, not really much for me. Um, just keeping myself busy, you know, on the side. But, um, really it's more of just, you know, CTFs are always fun. You know, it's always fun just, you know, seeing what all things can go wrong during the CTF and trying to figure out how to fix them, you know, with the nick of time. And meanwhile, you have people messaging you like, why is, you know, this challenge not working? Why is this challenge not working? Why is the entire challenges page down? and you get that adrenaline rush of, you know, debugging on the spot. Yeah, there are always hiccups. I think it it is kind of a tradition, you know, a certain right of passage in hosting a game, but it's a lot of fun. Uh, and an interesting challenge. You don't get other point. So, yeah. And it's also made me realize, you know, just how hard hosting CTFs actually is. I mean, you always say like, "Oh man, CCF's sad." You know, they're, you know, just not doing anything or they're just not good at this. And you're like, "No, it's it's hard." Well, thank you again and again, Matt. It's super cool to spend some time to hang out with you. I hope we can maybe record another video sometime soon if we're getting into any of the more I don't know malware that you're cutting up or hey some difference tradecraft or reverse engineering or anything that you might have another sweet passion for. Um, but look, if there are any questions over in the chat, anything left over the last couple moments while we're hanging out, would love to banter. But, uh, if not, I know we're reaching the top of the hour, my friends. I'm super stoked for what's coming up next in Just Hacking Training. Again, the fishing course I'm really looking forward to. Um, and I think we'll have even more of those upscale challenges, those hackalongs, those CTF archives and things hopefully to keep giving you some good stuff. All righty, Matt. I think we'll tune out then. Yeah. Um, I mean, if anybody has any questions, you know, about CTFs, um, if how can folks find you? How can chat and see what you're up to, though? Can anyone get in touch with you if they would ever like to? Yeah. Uh, I mean the easiest ways of contacting me are if you want to are either Twitter, um, I tend to hang out in the um, hang out in John's Discord if you're a member of John's Discord and then yeah, so those are the main places or uh, sometimes I don't know who here is a CTF person or who here is a security person, but I hang out in the um, it's the Blood Hound Gang Slack, so it's more of the Red Teamer area. red teamer side of things, not really CTFs. I kind of step my foot in a lot of different puddles. So, it's sort of, you know, like, oh yeah, I know that person from, you know, doing CTFs and it's like, oh, now he's doing detection engineering or, you know, or like I'll see people, you know, I saw that uh Alden, who is somebody who who also does CTFs, wrote this insanely cool blog post on reverse engineering some malware, and I'm like, oh, you know, show everybody world. I'm going to be super duper selfish, but I absolutely want to showcase their incredible writeup. I'm sorry. No, I was reading that the other day and I'm like, wait a second. You have an Apple script to bash to bash again to Nim to Golang to C++. It's like you have like every language you could possibly run on a MacBook running and then it's all this, you know, malware tool chain. I love that one. And I'm sorry. I didn't mean to totally nerd get us nerd sniped at the very end with a tangent, but that's just too cool of a story to tell. Um, look, thank you again and again and again, Matt. I'm going to keep rambling, say it all too often, but I really do mean it. Uh, it's awesome and I just am grateful for your support. Thank you for doing all this thing. Will we see you at Defcon? Will you be there for hacker summer camp? Most likely no. No. Up for the up for debate. Okay. But well, I hope if I can help say the word. It's just it's just a hike. Yep. No, hike and half. Thank you so much for tuning in everybody. I think we are all done for now, but I hope to see you on just hacking training. You can uh you know, we got a cool tagline. Oh, forget the noise and just get to just hacking. So, thank you all. Until next time, I'll see you in the next

Original Description

Just Hacking Training livestream with Matt Ehrnschwender at 10am PT/1pm ET on Thursday, June 19 https://justhacking.com
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from John Hammond · John Hammond · 0 of 60

← Previous Next →
1 Code Commentaries? PHP to JavaScript in Bash and PHP!
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
2 Tutorials? MySQL connection with PHP and Bash!
Tutorials? MySQL connection with PHP and Bash!
John Hammond
3 Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
4 JavaScript Splits The URL!
JavaScript Splits The URL!
John Hammond
5 HTML Tables in Python!
HTML Tables in Python!
John Hammond
6 HTML, Net Shares, GML!
HTML, Net Shares, GML!
John Hammond
7 Python 08 Programming Style and Comments
Python 08 Programming Style and Comments
John Hammond
8 Python 26 Object Oriented Programming
Python 26 Object Oriented Programming
John Hammond
9 75 Python Tutorials, Out Now!
75 Python Tutorials, Out Now!
John Hammond
10 Batch 14 Mathematical Expressions
Batch 14 Mathematical Expressions
John Hammond
11 Batch 85 Array Append
Batch 85 Array Append
John Hammond
12 Batch 86 Array Count
Batch 86 Array Count
John Hammond
13 Batch 87 Array Index
Batch 87 Array Index
John Hammond
14 Batch 88 Array Insert
Batch 88 Array Insert
John Hammond
15 Batch 89 Array Remove
Batch 89 Array Remove
John Hammond
16 Batch 90 Array Reverse
Batch 90 Array Reverse
John Hammond
17 Python [colorama] 00 Installing on Linux
Python [colorama] 00 Installing on Linux
John Hammond
18 Python [colorama] 09 Cursor Position
Python [colorama] 09 Cursor Position
John Hammond
19 Python [hashlib] 02 Algorithms
Python [hashlib] 02 Algorithms
John Hammond
20 Python 00 Installing IDLE on Linux
Python 00 Installing IDLE on Linux
John Hammond
21 Python [pygame] 11 Rectangular Collision Detection
Python [pygame] 11 Rectangular Collision Detection
John Hammond
22 Python [pygame] 12 Platforming Rectangular Collision Resolution
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
23 Python [XML-RPC] 01 Research
Python [XML-RPC] 01 Research
John Hammond
24 Python [pyenchant] 03 Personal Word Lists
Python [pyenchant] 03 Personal Word Lists
John Hammond
25 FancyURLopener Authentication and User-Agent [urllib] 03
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
26 Python 04: PEP8 Coding
Python 04: PEP8 Coding
John Hammond
27 Python Challenge! 17 COOKIES
Python Challenge! 17 COOKIES
John Hammond
28 Google CTF 2016: Ernst Echidna
Google CTF 2016: Ernst Echidna
John Hammond
29 Google CTF 2016: Spotted Quoll
Google CTF 2016: Spotted Quoll
John Hammond
30 Google CTF 2016: Can you Repo It?
Google CTF 2016: Can you Repo It?
John Hammond
31 Google CTF 2016: No Big Deal
Google CTF 2016: No Big Deal
John Hammond
32 Google CTF 2016: In Recorded Conversation
Google CTF 2016: In Recorded Conversation
John Hammond
33 Homemade CTF Challenge: 01 "Orchestra"
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
34 Homemade CTF Challenge: 02 "Bae's Base"
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
35 Homemade CTF Challenge: 03 "Web Hunt"
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
36 Homemade CTF Challenge: 04 "UPX"
Homemade CTF Challenge: 04 "UPX"
John Hammond
37 Homemade CTF Challenge: 05 "The Assumption Song"
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
38 Homemade CTF Challenge: 06 "A Brisk Stroll"
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
39 Homemade CTF Challenge: 06 "I lost my password!"
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
40 web25 :: Mr. Robot : EKOPARTY CTF 2016
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
41 web50 : RFC 7230 :: EKOPARTY CTF 2016
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
42 misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
43 Hack The Vote 2016 CTF: Sander's Fan Club [web100]
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
44 Hack The Vote 2016 CTF Warpspeed [forensics150]
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
45 Juniors CTF 2016 :: Black Suprematic Square
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
46 Juniors CTF 2016 :: Six Strange Tales
Juniors CTF 2016 :: Six Strange Tales
John Hammond
47 Juniors CTF 2016 :: Lost Code
Juniors CTF 2016 :: Lost Code
John Hammond
48 Juniors CTF 2016 :: Here Goes!
Juniors CTF 2016 :: Here Goes!
John Hammond
49 Juniors CTF 2016 :: Southern Cross
Juniors CTF 2016 :: Southern Cross
John Hammond
50 Juniors CTF 2016 :: Clone Attack
Juniors CTF 2016 :: Clone Attack
John Hammond
51 Juniors CTF 2016 :: Dirty Repo
Juniors CTF 2016 :: Dirty Repo
John Hammond
52 Juniors CTF 2016 :: Hackers Blog
Juniors CTF 2016 :: Hackers Blog
John Hammond
53 Juniors CTF 2016 :: Voting!!!
Juniors CTF 2016 :: Voting!!!
John Hammond
54 Juniors CTF 2016 :: The Good, The Bad and The Junkman
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
55 Juniors CTF 2016 :: Stop Thief!
Juniors CTF 2016 :: Stop Thief!
John Hammond
56 Juniors CTF 2016 :: ROFL
Juniors CTF 2016 :: ROFL
John Hammond
57 Juniors CTF 2016 :: Restriced Area
Juniors CTF 2016 :: Restriced Area
John Hammond
58 Juniors CTF 2016 :: Oh SSH!
Juniors CTF 2016 :: Oh SSH!
John Hammond
59 HackCon CTF 2017 TRIVIA and BONUS Challenges
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
60 HackCon CTF 2017 "Bacche" Challenges
HackCon CTF 2017 "Bacche" Challenges
John Hammond

This video teaches viewers about Capture the Flag (CTF) challenges, cybersecurity, and hacking, with a focus on practical learning and hands-on experience. Viewers will learn how to identify vulnerabilities in web applications, exploit common web vulnerabilities, and use tools like Docker and Flask for CTF challenges.

Key Takeaways
  1. Connect to the VPN
  2. Copy the IP address of the challenge VM
  3. Access the challenge machine via the VPN
  4. Upload a file to the challenge machine
  5. View the uploaded files on the challenge machine
  6. Run everything in Docker for CTFs
  7. Create a basic Flask application
  8. Validate input from untrusted sources
  9. Check file extension and convert MP3 files
  10. Use FFprobe to verify audio file format
💡 Input validation is crucial in preventing arbitrary file write vulnerabilities, and using tools like FFprobe can help verify audio file format and extract metadata from files.

Related Reads

📰
We Didn’t Lose to Hackers. We Lost to Complexity.
Learn how companies like Salesloft and CrowdStrike approach secure AI-by-design to mitigate cybersecurity risks
Medium · Cybersecurity
📰
Your SSL Cert Expired Saturday at 2 A.M. Customers Notified You at 9.
Learn how to avoid losing revenue due to expired SSL certificates and improve your monitoring strategy
Medium · Programming
📰
incident response is becoming an agent review workflow
Incident response is evolving into an agent review workflow, leveraging AI to diagnose and fix issues, making human review more efficient
Dev.to · Paulo Victor Leite Lima Gomes
📰
The ‘first’ AI-run ransomware attack still needed a human
AI-run ransomware attacks are emerging, but still require human intervention, highlighting the need for ongoing cybersecurity vigilance
TechCrunch AI
Up next
Why Cyber security is important for your SEO
Menerva Digital
Watch →