現場CTF，第二部分!- CS50 Live, EP. (LIVE CTF, PART 2! - CS50 Live, EP. 50)

字幕列表影片播放

All right.
Hello, world.
This is CS 50 on Twitch.
My name is Colt in Ogden and we're joined today again My ci's fifties.
Nick Wong.
Hello.
Good to see you on the street again.
What are we talking about?
Supposed to come back?
We're talking about C.
T s.
I saw some discussions in the chat, which was, you know, what is a c t f?
It's cool.
The fridge getting that's not at all what it stands for.
It stands for capture The flag on that is not.
Technically, we were joking a little bit earlier than it sounds very, really nontechnical for something that is somewhat technical.
But basically there's these kind of flags.
They're basically the strings of random characters or maybe meaningful characters or phrases.
They're hidden somewhere, maybe in a system or maybe as, like, some sort of abstracts like reward for solving puzzles.
And you have to go find him, eh?
So what we're doing today is a type of C T f, which is your get handed a system.
And there may be some vulnerabilities or kind of like puzzles they have to solve.
And when you solve them, you get these flags and the flags are actually, in our case.
Passwords to new levels.
Eso each level is actually a user on a UNIX on a into system.
And after we get a flag, we can use it as a password before the next level are the next user you mentioned there.
This is particularly server based CT, but there are filed based versions of Google's that they put out, and I think maybe another one that I'm missing up.
I think PICO, 2017 did have some wild stuff to it.
Big, I think, covers a wide range of like category where they have some like shh interfaces.
Sometimes it's just a puzzle like just decrypt this.
Some of them are like, Can you explain how this works, or can you pick the right answer?
Some of them are like, Here's a file.
Can you figure out what its meaning is?
And it's like a pea cap files Heathrow through wire shark or something on S O.
P.
C.
P.
D.
See if there's a really good job of covering a wide range of difficulties and also just types.
I like to focus on the box based ones just because my background is a little bit more tighter.
Security focus.
So it tends to be focused like a machine.
What vulnerabilities in house.
How do you figure it correctly?
Hopefully, people.
So is our school's cold.
As Lee Tuchman Billick yours and Texas affects to see.
I'm not sure I'm pronouncing that correctly, but thanks everybody.
So much for tuning in, uh, unrelated to see temps or anything.
Really content wise.
Today's episode is number 50 and this is this is a CS 50 show.
This is CS 50 on Twitch.
Yeah, and actually gonna take this opportunity to announce that we're actually rebranding.
So we are moving away from the name CS 50 on Twitch, given that we publish or we produce our content not only for YouTube and none for twitch, Facebook and YouTube and other platforms.
And so we're actually transitioning from strictly being seized 50 on twitch to being CS 50 alive in the chapel window.
In a little bit, it looks like it's kind of blocking that just a little bit.
Someone who's just a little bit.
But some folks might remember this from years prior, where we actually had a new show this wanted this back in, like 2013.
24.
It's a little before my way.
Current events show was 50 live, and David and Doug and others would come on and actually didn't show on Episode two of the robot.
Uh, but we dance the Macarena, actually, which is across wild.
But there we did this show based on current events and, you know, just given time constraints were unable to really bring the show.
We weren't able to do it as consistent as we wanted to.
So even that we've been doing this show and it's live broadcast multiple platforms.
They were sweet.
Francis need to see his 50 live.
Oh, so thank you for being upset.
50.
Thanks for being on this episode and for being on so many toes prior to with that announcement, I guess.
Why don't we?
Why don't we just get right into it?
I also realize that we're in the You think this is from my freshman year to this for a little while Because a lot of seats 50 in the air and I feel like I can feel it.
I can feel it.
You couldn't tell?
This is Let me, um, go ahead and transition to what I think.
I think yours is in right now.
So you that way see your gold back or show there.
That which is a remind people how again to get a show.
That's kind of like, Yeah.
So this is a program.
We'll go and find it.
This is the program.
See, Matrix, which looks like this normally on Max I can pipe.
That's a law cat.
Oops, sorry.
Can't type life when it gets this beautiful rainbow color.
I found that unlike a been two systems, I wasn't necessarily able Thio get this piping effect Quite right.
So there is kind of a bummer with that, but if you can figure it out I tried piping all of their like, varying standard outs and standard heirs to one output and see if I could get it Thio rainbow Color it.
But I'm not entirely sure how.
See matrix and roll cat work on the bottom are, uh, back in.
So however that ended up happening, it works on so Essex's bash.
This is fine.
It's, you know, it's an upgrade from from the people.
You agree.
I'm also a huge fan of looking my terminals.
My bash has a little kind of cute smiley face.
Hey, really not interesting for functionality.
But if I only type of command that doesn't exist, it tells me that I had an error, and you have All right.
Yeah, I just kind of do What if I go back Something that works, Then I get my smiley face back.
Giving like this is an important thing.
Exactly.
Just like keeping my terminal personal.
Uh, and you don't get a lot of very nice visual feedback with the Terminator.
Defoe Not not Norway.
A lot of times, things will succeed by giving you nothing.
Actually, yeah, they failed by yelling at you, so it's like I kind of like having you back.
Oh, and 00 Nina On oni oni down B j.
I'm not sure that's a tough one.
Call it the only way I'm behind that virtual machine for awhile past link where they looked for it.
Not entirely sure which virtual machine you aren't talking about.
Although my guess would be the cto on.
So there's actually a link.
We shortly orbit lead.
It s so if you go to this link, there is a beautiful block post by a tempting the chance of a person named Charlie.
Whoa!
And he wrote, That's kind of like set up, walk through on all subjects, anything on the CT if we're gonna do today, I followed his walk through to set everything up, and then that's when I stopped.
Um, so definitely a good a good thing to go and follow If you want to kind of play around on your own AWS instances, we're doing all this for free, but technically 38 of the U.
S.
So you're welcome to you.
Follow along if you like.
If you wantto get some cool bug bounty money from AWS than you could try and hack into the box for using today we've set up a firewall that hopefully drops all traffic but ours.
So if you find a way through, you know, let us now and then we'll tell you had to buy us and we'll share money against they're going to They're going to damage.
Tell Yeah, Uh uh, Sorrel CS tells us only means demon and Japanese.
This is true.
This is true.
It's good to know.
I don't know the whole lot of Japanese, but take your word for it.
People.
People are talking about CC line.
There's a scratch episode that was so nice.
It's been a while, but I vaguely remember that and then shut up to David in the chat.
David J.
Malin.
Thanks for joining us today, everyone.
Um And then also Yeah.
Shallots again for 50th episode, which I thanks to David for the support on the show, we've been able to get, uh, that far, So appreciate it.
All right, well, let's, uh, top into it, so we will kind of, like breeze through some of the parts that we did last time on.
Then we'll be on a new puzzle that either of us look that true.
Yeah, we're turning in for the first time.
We did do this.
We didn't use this part of the CCF s.
What kind of like a filter it it is set up correctly this time.
Sorry.
Before we kind of like the idea of the show, at least when I'm on, is usually to kind of show everyone what it looks like to go through things from scratch without any prior preparation.
Except for just knowing about it on dso the goal last time was kind of like, Well, just kind of set it up, you know, four minutes before the show starts and it'll work.
But there was a little bit more setup involved than I had realized in, so I messed it up.
And then we kind of dealt with the repercussions of that.
We were about to solve a couple puzzles.
We didn't still solve something which was cool, but this should be a little bit easier for us.
It's a fairly straightforward C t f.
I say that I'll mess up.
I'm positive.
Yeah, I also that big night points out that I had midterms last time, and that is 1% correct.
I was coming out for, like, four midterms and a final project paper presentation will ever know more of those.
Um, I got all the midterms back.
Not great, but like, you know, I am not is exhausted by those were over over and done with at this point.
Exactly.
Maybe that's that's so also wanted to point out that if you ever feel like I'm laughing too much, you're missing the joke.
You're not missing the joke.
I laugh too much.
Uh, come in a YouTube video from, like, four weeks ago or something.
It was like, I don't understand what's happening.
I just like loving everything was holding.
It's like a lady, so don't worry about.
All right, So for us, And for that, I need to do this too.
Yeah, this one also apply to you.
So we will go here.
And I don't know if the password is still here.
Um, I don't have the password anymore, but that's okay.
So you want you want to do something?
If you ever need to bring your screen up, let me know when I can.
Transition is back to our beautiful.
Not that title card, but the new CCD live title card, which today?
No worries.
It looks fantastic.
Let's see straight.
Uh, c TF.
And sorry.
I'll put you back there in a sec.
I just need the password for the first level so that we're not all.
And you'll notice I'm not even not even checking the passwords of the other levels.
I only have one of the password is available to me because we are honorable people over here.
All right, so this is where we're going is level one at 54.
1319 to 32 on DSO just doesn't f y I You guys should not be able to access this as Colton.
Kind of types that in this should block you.
I hope if it does not watch you let us know.
Yeah, I know how everyone's gonna speed in.
There s so we're gonna hope that you guys don't get it on and then I'll paste the password for you.
My preferred handle, his powerhouse of the is also might get hope hasn't ifwe on.
And that is the password that we have to paste.
Whoa.
Okay, so which part of you w 60?
Yeah.
Remember, there are a lot of lot of things on the screen at the moment.
I'll make this a little bit bigger on, and you'll notice that as opposed to last time, we actually get instructions and introductions and things, which is kind of list.
Gave me the last letter.
Sorry, I am that I think that's correct.
Urine doesn't matter.
Any of the other information after this point Handle preferred.
Handle it all that you can do it.
I just which is my get up.
Yes, as cane point tempt.
You're not allowed to connect to those.
Yeah, that it.
I'm really glad you got it Will connect to that.
You're not supposed to be able to connect to that.
That is just for us to use your welcome to set your own up If you follow the Bentley that Colton posted up in the top or set it up yourself.
But I'm very glad you're not a killer.
Set it up on their own.
Yeah, And the reason for that is we basically just want to make sure.
Oh, I can't practice, eh?
So basically, we just want to make sure that you guys were, you know, messing around while we're in here.
Um, and so you'll notice that if I do w I can see this kind of just some sys admin stuff.
I could see that there are three users.
Two of them are in libolo.
One that's me and Colton.
The 3rd 1 is myself from this screen, which is the C t F user.
Himself or herself.
Eso love alot one.
So it's never seen the sea TF and then your version of level of one, right?
So level it one is kind of just if you imagine, a CDF has several different like levels of difficulty that level it.
One is actually a user in this case, but it also represents the first level of difficulty eso it's the easiest level.
But it is also, in our case, a actual user that we can log into a machine abs on.
And that's why these kinds of SETI EFS are somewhat interesting is they do give you some exposure to an actual system, usually a clinic system.
They're fairly easy to set up on Lennox distributions.
So this one is in a bin to system and we have several users.
We actually have level.
Uh, we can We can point out which ones we have are.
Actually, I guess I'll tail, uh, let's see password.
And that tells us that we have these seven users where we have user's level a 12345 and six, and then we have the final user, which is the flag.
So if you are able to log in as the flag, you win those user groups, those air, each individual users, they have their own associated groups, but they're all also individual users.
It's interesting on then.
The CDF user is an administrative user so that your industry Okay, so I'm logged in twice.
This screen has logged in as the administrator and lock on his cell.
Or a little one.
Someone asked, Is that just a little country?
Yeah, actually, there's a cute little story buying that.
I when I took CS 50 as a freshman, was my first the s class.
I hadn't program before, and I was like, Oh, this is really fun.
I'll just kind of mess around And I was interested in studying bioengineering.
I still study bioengineering, but I've added CS on my teeth.
The time was like, Oh, you guys have to make get hopes And I was like Okay, sure, I'll get our account.
I was bio persons.
I was like a powerhouse of the cell might of country.
And it's funny, you know well, and so I made my good hug user as Pirates of the Cell and everyone else made their get up user names like, you know, first name, last name, some string of numbers.
And so my t f was like Well, who is this person in my section?
Powerhouses So I think we've since coordinated that CS 50 so they don't have to worry about it.
But at the time was very confused, who this person was, and he asked in class, like, you know, who is this?
I was like, Oh, that's me.
And then I was wondering why no one else had been called for their weird handles.
And the reason was the Allied normal ones.
So yeah, keeping it.
And I really like it.
And most of my own line stuff is related in some way or another two powers in the cell or some other spelling.
Only within the last couple of years to all within 43.
Jeez, that's crazy.
Yeah.
So we're currently in this directory.
You actually should have a different directory, if you might.
Yeah.
Mine's got, like, a P nine.
Yeah, I hope so.
You get some kind of random strings.
This is just scrap space.
So we're allowed to like, uh, you know, do things in this directory.
So I actually have a rentable file for the incredible file system, Not the whole thing, But this part is actually rideable, so I'm gonna actually alias some stuff.
I'm gonna alias the command scratch to take us to this kind of scrap space on.
We'll have that just CD into, um, Peter meeting.
So we could, like, copy files here and then those files we can manipulate.
But we can't manipulate the original file exactly.
So now if I type scratch, I'll end up back where I belong on this lets me like right things to the file system, because the way the CDF is kind of attended a I should have a chat, since it was hard to see what's going on here.
Let me do that real quick.
I can also move my terminal.
Apologies, everybody.
Actually, I might work better if it's like and that way, at least his commands like filter upward.
You see stuff trying to refresh my screen too much.
We'll see if that works.
Hopefully that works.
Yeah, so this way I can kind of keep my scratch directory as I go as we log into murder like further users, I'll probably forget to do this at least once, and then we'll have to do it again.
But basically this is just kind of set up a sw far is like how this is set up.
Uh, the over already overreaching system isn't going to system has a serious of users.
Each of those uses represents a level on blast.
User is called the Flag, and that's the users trying to log in as if you can successfully log in as the flag.
Then you went, That's That's the game Now it's intended to be such that each level is more and more difficult as you go on.
Andi.
I think that given the CDF, that's probably true.
Um, from there.
What we're trying to do is the overarching system actually has mounted a kind of file system that we're currently in as level 01 through six that is read only except for a small portion, which is rideable as well.
And that small portion is where you can like right files, copy files over rewrite text if you want on and so on.
And that lets you kind of control how things are working very convenient.
I think so.
That's kind of set up is like a give you some space to move around to explore the system work.
You'll notice that if you go up a directory and type, unless you actually are not able to see what other users temporary spaces exist on.
That makes perfect sense.
We're all in the same like, rideable sub portion of the file system, so it makes sense that we can't see each other's subspace is and then copied them.
That would be kind of silly.
So Sam is just like that scratch like yeah, and so temples of the scratch scratch.
The main thing is a great way of putting it.
And then underneath that there are some divisions allocated folders exactly.
And if you type CD, you do end up actually in a home directory on and it is the level 01 home directory on If I type Well, which is now correctly alias, Um, it's for those of you that weren't here last time.
I kept having well, it's just a habit of mine, and it was doing nothing.
He was like, cannot found and I had the Really is it every time this time of day liest by default, just great.
We see that we have our dot password file.
Sophie got cat that we get the password that we logged in with.
That's the current user's password Now, if we go up a directory and then into level of two, for example, we could take a little again.
We can't cat their password file, unfortunately, but we see that they also bastard file.
And so the way the CDF is structured is in everybody's home directory.
They have a dot password file, and it is their password and also kind of their flag.
So if we can capture it, then we can log in as them and we can move on to the next level.
And so the eventual goal excuse me, is to get this one.
Uh, sorry.
That bastard.
If we can get this particular file, then we would.
That is the eventual goal.
I highly doubt we'll get there within an hour and 15 minutes or so.
But, you know, never say never in all that on DSO, The goal of this will basically be to see how far we can get and kind of explore.
We're currently on level one.
We got to get to level two.
The other thing that we have in the c t f er so into that habit of just like cd dot dot l s s L a would be a better happen.
You'll notice that we also have this folder or a directory called Levels On.
If we go into this, we find a bunch of executive ALS.
So level one will run the prints to us the current time.
If you were here last time, you remember that this is a particularly vulnerable application on then level oh, too.
We can't run at the moment, but we will be able to eventually Ondas faras Lexus admitting and kind of like UNIX goes The paradigm is everything's a file and you get to see all sorts of kind of things as you go.
Um and so you'll notice that this, like D here at the beginning.
If I do l l Which Lisette the long form every raise files that stands for directory and then everything else is sets of permissions.
I don't really remember what s stands for.
Uh, probably, I mean, guarantee it's meaningful, but you have these kind of like are blank, uh, ex patterns hoops.
And there are three sets of those.
So one of them's for the rate user.
One of them's for once everybody.
One of them's for the group that owns this.
And then one of them is for the user that owns it.
And they Oh, thank you.
Yeah.
Someone pointed out the Chinese.
They set you I d s o it sets the user idea of the process.
Wanted to know it is a great way of reminding me of what?
That, um great point.
So everything else is pretty much just like, Can I read it?
Can I write to it?
Can I execute it?
So, um, and those if those flags air set, then you conduce those If you can't stand, you can't.
They're fairly self explanatory.
There are also often encoded it as the the binary representation.
So you'll often see people do like ch mod 75 blocks.
And what that means is basically, you're using the binary representation of seven, which is 111 on and then five and five, which is what, 101 and 101 on DSO.
What those will do is it will say okay, set this one all too true sent this group to true in false and true and then set the last one to also true false untrue on that basically just means anyone can read and executed.
Not everyone can write to it necessarily.
S Oh, yeah, all.
It's really useful things to know.
But basically, when we look into this directory, we have this level of one executable, and you'll notice that the user who owns it is level one.
The group that owns it is level two, and I can run it.
But I can't necessarily, Um right.
Do it.
I'm not given any individual permissions.
Eso If I'm not in the group, then I can't necessarily do anything useful.
I can only execute it on tux man humorously points out, ch mod 777 can't go wrong.
Right on dhe Certainly go wrong.
That is very wrong.
I have seen people do stuff like this.
Uh, so sage, mod recursive.
I believe it's capital, my girl.
That would be back.
This is a pretty unfortunate command.
Has been run occasionally by, you know, you might see like a troll post on stack overflow or something tells you do this.
Or you might see an equivalently troll post.
That's like our m r F star.
Um, this is a equivalent one.
It's when I was works.
That's also bad.
Don't run it e round like a bridge machine if you want.
I think a lot of more catastrophic band.
Yeah, that was, like, more directly down this rabbit.
You'll you'll find your file systems pretty well.
Too safe.
It's Ah, safer space, you know?
Yeah, You're a space efficient after your system will take up a lot of space, actually, um, so we have this level of one and the stripe.
See, Taff is really not like a systems CDF, so we don't really have to verify that.
Like the code that they hand us, the C code is the code that got compiled to it.
Weaken more or less.
Assume that it is just is a note.
In general, you really shouldn't assume that if I give you source code and a binary.
But I don't tell you how I compiled it and you didn't compile it yourself.
You have no real guarantee that, like they even used the same compiler that you might use a home and that might be as trivial is like, you know, they use a random compiler like a different version of GCC or whatever.
It might be a non trivial as they right there by aware.
Or they edited the compilers so that it prevents AIDS or upends malware to anything it compiles.
That would be really bad.
Also, they could have just compiled completely different code to that executable and then left you a random binary or a random source code.
And you have no idea.
So generally, if you're not compiling code in like a security sense, you really don't know if it is what it says it is.
But in this case, we're gonna just kind of go off that assumption right after I tell you that you can't do that, we're gonna do it.
And that's because that's not the point of the C.
T.
F S O.
The CDF actually focuses on, like, logic, puzzles and kind.
Do you know our file system works rather than that?
But I'd be kind of fun.
Bobby Knight points out that you could just alias are bizarre.
Start that start to CD or L s Tax man responds to that evil.
I agree.
That's pretty demonic.
Um, but very funny.
Yeah, that's very, very entertaining on it's very funny.
Kind of like Ah, yes, it's their work, computer and other screwed.
So maybe, like that's like virtual machines or something.
I might put that in for my club.
For your cyber security.
Have that be like I love old 70 something.
All right, So, um, with that, let's do some analysis of this source.
And so just as enough, why we did this one.
We do know the answer.
I do actually enhancer to this one.
We also know the answer roughly to the 2nd 1 So we're really gonna, like, start working on purchase and things on the third and fourth polls.
But we'll go through this one for the people who are currently here, and we'll take suggestions from the audience kind of like every time.
But we'll also kind of point out things that are going on here, something I didn't know last time.
But I do know now is how system works.
The system checks the current, execute his path sorry environment and looks for this string as a key in that environment dictionary and then executes whatever is on the other end of that s o.
You'll notice that if we do like and, um, nips and we can't I'm losing my mind.
Have a cup for dates.
We won't really find anything.
I'm sorry.
I don't know why I removed the quotes Dramatic, but whatever.
So if we got for date after piping out our user environments, we don't seem to get anything super interesting.
Um, and you'll notice that That I guess, might mean nothing to everyone, but just for fun.
Jeez, I'm gonna also alias date are Sorry.
I'm going Thio Export.
Uh, date is equivalents to let's do like, a what's a common one?
Oh, I'm gonna tow escape those.
Actually, we don't have to escape anything.
Echo works like this.
We'll do that on now.
If I run this executable again, nothing interesting happens.
So what might be kind of interesting to dio for?
User's is saying Okay, then maybe we should go and investigate how the system function works.
Right?
So I said, Okay, maybe it's the environments.
And that's what I claimed to have remembered.
So generally, when I purchase e t f like this, it's pretty much always useful to anything you don't fully understand.
You go Google on people was like, I don't know.
You shouldn't google things like you're so slow.
It's like, yeah, um, that's true.
In, like, a specialized field, right?
So if I'm sitting there and I'm a systems engineer and I need to go Google every time I want to understand how a colonel like, uh, like a protective control transfer works.
Yeah, that's unfortunate.
You're you're probably fired.
But if you're googling around for things that aren't necessarily in your domain specific field, then it makes perfect sense.
Andi, Actually, this one is in my kind of, like, domain specific fields in that I'm a generalist, killed a student, but we're gonna go let anyway, just to kind of double verifying things.
All right, I gotta have that one open.
He gets a c.
My problem.
Since there's not really anything interesting, there s O in CIA system, uh, function.
Gotta look Google searching algorithms.
So until that's okay, we get this intact for the system.
Function in the sea language is that it returns some imager.
Probably like a succeeded or didn't it?
Takes in some string, literal Andi.
It says a command line that will be executed by the operating systems command processor.
Okay, so that's pretty reasonable, reasonably straightforward.
But maybe we return and we say OK, system function returns.
Nuns, your valuable.
Everyone on DSO we want to say Okay, um how can we edit this too?
I guess Get it to work to our advantage.
Right?
And as we saw last time, there is a way to get this to work.
Fairly straightforward, but you'll notice that this actually just looks for things in the path, not things in environment.
So that should be kind of your first clue that maybe what we're attempting as like, our intuition for how this might work was not quite right.
And when we look at this, it says it's a command line that'll be executed.
Okay, Reasonable.
So what I can do and what I did is a solution last time that there are simpler one liners that would also work is gonna say, Okay, I want it to look for certain commands that it can run.
So I'm gonna go into my scrap space if I could spell scratch correctly, Um, and in here, I can create whatever I want, So I'm actually gonna move the current folder heard file.
That's there to date.
CH Model also takes arguments like this instead of just the standard like numbers representing binary.
And I'm going to allow date to be executed so I can execute.
Date doesn't do anything interesting, but I can execute it regardless on defiant Nano date because I love Nana.
Sorry for all the vim users who are like Oh my God, you're so slow, young man bananas.
It's very simple and very, very simple men.
It's not a baby.
I don't think that them for better when you learn how to use it.
Oh, for sure.
If I knew how to use them, I would want you very much, much more intelligent and to of course, I would also be much faster.
But you will be horrified to know that I also can't touch type.
So if you see me looking at my key words going, finding keys, I have a terrible, terrible time saver.
I have been working on it, but I would touch type of the speed of light.
Can you believe it makes us for two years?
So you know what, count?
That doesn't excuse.
That's a pretty miserable little accountant and a crazy Kiki craft as well as boots.
Ck A trickster is eating.
You follow.
I love the little the name right names it just always fascinating.
Also.
Now, if I execute date, you'll notice that in print Said hello to my counsel.
Uh oh.
I just realized I know you guys were able to see that.
I think basically I added a date.
I gave it my kind of favorite shebang Been bash on di gave it an executable, uh, kind of command.
And now, if I go back into this levels typing in the real world horrifies me because I wasn't There is a curse with typing live.
Exactly.
So anytime anything live, it's over with or with somebody else in front of you every time, every single time, and you'll notice that when I go and run level of one again doesn't really do anything interesting.
But what I can do is I can say, Okay, you know what?
Let's update my path.
Let's pretend Oh, I probably shouldn't go back into scratch just to make this a little bit easier s.
So what I can do is like an export path, which is a variable that represents where things look, uh, where, like, programs look when they're trying to, like, do stuff on.
I can run this command, which updates path to include the current directory as well, and you'll notice that if I echo it, it also includes this directory, which is my current one on DDE.
What that means is that if I go to run a command say date, for example, it'll check that first so it checks everything in your path in order from left to right on.
But that means that now date, instead of being the system date, is my God, I can't type for the life of me eyes actually, the date that it found first, which is in my scratch based.
So now if I go into levels again, I guess I could have equivalently done CD Dutch.
For those, either not like you are like me and only typing as much.
If I run level of one this time, it returns to me.
Hello, and that's pretty useful.
I can now arbitrarily change the output, and I know that it's owned by the group level of two, which means it has access to anything else that is owned by a little too like file that we were kind of interested in here.
So I'm gonna Nano What date is instead of having it echo?
Hello?
I'm going to actually have a cat out for me.
Um, let's see.
I remember this, uh, password.
It was home.
Was it levels, I think.
Well, so this one is actually their users directory.
I think that's about right.
Well, double check.
That s O Okay, let's get here.
And we can actually os uh, home level of to just double check that director exists.
We're good.
Um, and I forgot the space bar killer.
No way I'm going to show that to you.
Um, I guess, but Oh, and I can't run that.
Um, that's unfortunate.
Oh, sorry.
Um, just to do right, because I can't have this actually be running from their boobs s.
So what will actually do is we will have Let's just rewrite do I can't catch it, because I can't have it do that.
Let me think of what I actually wanted to D'oh.
I wanted to execute this command.
Um well, we get alias date my work next on this return of we mess around with systems.
D'oh!
When in doubt always.
You pseudo.
Yep.
Yeah, I wish.
I wish we could you sit down?
Uh, well, let's try it.
Ah, good point.
No, Can't do soon.
Um, we got a thing about this slightly more carefully.
Now that we're in a proper file system.
Uh oh.
I see.
An interesting I mean, I could try e realize you're reading off.
It was, You know, I don't know anything about your anything now.
It's not anything, eh?
So we get this permission denied error, and that basically means that cat is being run by Not by me, which is not useful.
S o we want is for a dot level of one to execute.
I'm sorry, Type.
We want level.
01 to execute this system.
Call where date is actually just level o two's password returned to us on DSO the way that we could go ahead and try out different ways to do that would be something like, What's your name?
The things that we've done so far, which is creating a version of this that it's easy is, um I was gonna say Oh, sorry.
If we're going to scratch, I'll show you what I'm talking about.
Like texture allies, we have this version of date which is executable and it's owned by level of one in level one.
We might actually be able to do this, uh, little to date.
I can't change the industry that unfortunate.
Um, So what I will do then?
Did you get it working last time?
Well, last time we had some extra help because we also had access to the owner of the system.
So I think my permissions were set by accident.
Yes, this requires slightly more finesse than what we currently are attempting, but that's okay.
Um, so let me actually do this.
Oops.
So we're gonna do is move dates to dated.
Now, if I type date, I'll still get this error.
But that's because my alias, which says, Okay, date is this on.
And then if I run level of one, this goes back to doing what it was doing normally.
And so what you can dio is actually this if you do, which date that actually tells you it's been slashed Eight.
That's all reasonable.
So we want to be able to do is we want to get the output of kind of catting, uh, level O two's password file, but we're not given permission for that because it's being however, this is being executed when we run level of one.
It's not transferring the kind of permission sent from level one to the command underneath, although it really should under my understanding.
So what we're gonna do is play around with kind of just different ways of getting it To do that, we could do it in kind of a one liner sense.
Um, where?
Let's see if we two what we could probably d'oh is this, um let me get back into my scratch, spade.
Oh, so my scratch bases also owned by the wrong, um person don't buy me and only my group so we can actually try.
And Dio is Theo get dates to be executed by this, and I want dates to be on my current power, so I think I can set in.
Oh, no.
It is a function from maybe not this language or this system.
That's okay.
Um, so what we'll go ahead and do is see if I can get a cat did version of that file printed out to us, and I'm gonna think through at the moment s o there are There should be a way that I can think of at the moment.
It doesn't deal with export, but it's close.
Um, let me think about what I'm trying to do.
Nice, Justin.
Cool.
I'm trying.
Trying to recall.
So you're going goal is to print out what's in dot pastor file in level of two.
Right.
You got it.
Which would be just cat.
Uh, there are other versions of that commander work, but I'm also trying thio get it to use kind of the right, um, executioner.
So wise in executing date as since this executable has the level.
Oh, to permissions.
Yeah.
Why is it not executing the file as level of two?
Well, that is a great question.
My understanding is that it's because of where date is actually written, which is not ideal.
So what I needed to do is use kind of my own custom command on.
I don't remember how I would set.
That just is like a general command line statement, and I believe it deals with, um, the like.
I could set kind of this date command, um, in my current directory.
Oh, actually, something that I could do is alias date, uh, itself.
Oh, I can't read it by going to bin.
I'm fairly certain everything here is on.
Yeah, I was gonna say I could actually just create a, um, like a version of date.
That is a liest.
And did they miss a date?
Just out of curiosity.
Might as well.
What?
Not that nice seeing, you know, that looks about right.
Um, yeah.
So my guess is that it's the way that I've written it, um, isn't quite right.
But I also am aware that I should be able to set it, and I'm not.
I'm blanking on their command.
So he's over there.
We'll go in how to set up a command on.
This is something I should know.
Um, no.
Windows, windows Next be useful.
D'oh!
Yeah.
They tell you how to set the path variable correctly.
Um, What was said?
Set Commune.
Yeah.
Let's take a look.
It's sent.
Um, gotta look, man, they just snowman.
They just unfortunates what a set do on its own.
Did you do well?
Kind of.
Just keep looking around.
I am somewhat confused as to why that doesn't quite work.
It is very annoying.
You'll notice that there's like, handle is set here.
And what we're looking for is actually just where I can set my never looks where I can set it.
Commands to be run, um, called date dates right there.
So data set here, but Dave is obviously not what's actually being run.
Um, and so I can't actually, uh, do that one, Unfortunately, because that one, I believe, would actually execute the right permissions.
I am somewhat surprised that this one was not Oh, Well, actually, no, I'm not.
Um I really should have done this.
D'oh!
So what we're doing is called an experiment way here, trying out some things.
So what we're gonna do is we're gonna try out a bunch of different things and is because it was using that.
I was having it used my own bash.
That would make sense.
Yeah, So, yeah, don't overcomplicate things building to remember now what I can do it don't explain for people from my name is so, uh, you know, it's very easy to over complicate stuff.
So if I go back to that directory, uh, I nah, no date also, what do you want to explain what we just did, right?
So we'll go through kind of the whole thing here.
So I had this flag at the top, which was, you know, execute using slash Bing bing bash.
And when I went thio level level of one.
So level one is now currently executing whatever command I put in date, Andi is supposedly executing it with the right permissions.
Executing his part of level oh two's group and level of one is the user.
The problem was that it was saying permission denied on.
I was kind of confused by that as well.
I actually didn't notice that I had done something that would mess that up.
But if you look in that folder, do you do in that directory?
Sorry.
No same word.
If you look in that file executable, if I remove the shebang been bash, which tells it explicitly which shell to use and things that might not have the right permissions.
It's kind of dictates some of the permissions and you'll notice that this actually works just fine and in fact gives us the password for level two on.
The reason for that is just that I was kind of accidentally messing with the permissions with which things were being run, whereas I should have left those alone as much as possible.
Good to know.
Uh, so from here, uh, what we can do is Oh, sorry.
We should also explain what this is.
So basically, if you look in level 01 a cz a like the code that supposedly is being run on, I believe is being run There is this kind of, like print after the current time flush standard outsiders wipe out whatever things Aaron, your buffer on dhe, then call the system date.
So this is the whatever these command line argument.
Sorry.
Whatever the command line function date is, according to the user calls this file or this executable on.
And what I've done is I've exported my path variable, which is where your computer moves, where a Lennox's computer will look for things that could be executed.
Andi, I've changed it such that it uses this directory first.
Which means that if there is something in that directory that is executable on, it's called date, it's gonna execute that instead of whatever it finds later on.
Because of that, we now have access to whatever level two has access to.
So that means that I can do sue level.
Oh, to sue being switch flips.
Well, suit doesn't exist, All right?
Unless it's a level two at 1 27 0 or one.
And yet that's fine on.
We're gonna pace that password.
And here we are now in the new, um, new user.
So we have gone up a little, we get a new temporary directory on and all that jazz.
So what I basically did there was I just s a station to the machine itself from where I was.
And what this basically does for me, is it says Okay, you've now moved up a level, and you're on the next level, which is level two on Dhe from here.
What I'm able to do is attempt level of two, so you'll notice I get a new scratch directory again.
I can't actually see other people scratch directories, and I get my own home directory this time, not password has level two's password.
So from here, if you noticed at the top here, they give us some instructions.
Oh, that's cute.
Thank you.
Straight.
So they give us some like, congrats.
You know, pat yourself on the back.
You made it up from the first level.
Excuse me and you get the password to the next level is in limbo.
Three's directory.
Now this one is Web based eso.
We want to go ahead and go to a browser at level two dot PHP on the server.
We have to use kind of the standard password authentication, and t