[00:00:00,810 --> 00:01:31,200] Hi, we are currently in level 17 of the Bandit CTF; now we are going to go into level 18. So here we have the level 18 password log over here. It's important that you log every one of the passwords over here, not only for CTF reasons, but because we can lose the connection at any time, as you may have already experienced at this point. And I believe I have already lost my connection to bandit17. I'm going to just close it down and join it again later on. Just for right now, I'm going to focus on the right-hand side in order to understand what kind of challenge we are facing over here. Then we can go back and start a session to bandit17 one more time. So there are two files, passwords.old and passwords.new. So the password for the next level is in passwords.new, actually. And that password is the only one that has been changed between passwords.old and passwords.new. So it's fairly easy. The only string that has been altered is our password. So we're going to have to find that thing. OK, so let me just open a new terminal over here and start a session to bandit17, because I had lost my connection. So I believe there is kind of a timeout.
[00:01:31,200 --> 00:03:02,160] So maybe if you wait something like two minutes or five minutes without interacting with it, it will lose the connection. But I don't know the logic behind it. So let me run ls. Yeah, I believe I've changed my keyboard settings for some reason. I'm going to change my keyboard back to the Turkish version, so you don't have to do that, obviously. So I'm going to run ls. OK, so here we go. We have those files over here, passwords.new and passwords.old. So that's good. So we have to find the difference between them, and there is a very basic command that does that for us. So let me just cat this password file. As you can see, there are a lot of passwords over here. It's actually pretty much the same in cat passwords.old as well. There are a lot of hashes, so there is only one difference and we have to find it. So, of course, you can think of different kinds of algorithms in order to do that. But there is one command, which is diff, and it's given to us here. It stands for difference, and it's exactly what we want. It takes the difference between two files, so you can just run diff, OK, and just write passwords.old and passwords.new; it will give you the difference between those two files.
[00:03:02,160 --> 00:04:25,110] It's that easy. So we have two hashes over here. One of them is our password. I don't know which one is that. But I believe, since we have written the new one first, the first one should be our password. So let's go for that one. Now, of course, if it doesn't work, we can always go for the other one as well. But right now I'm going to assume that is our password. So I'm going to save this, and I'm just going to save it as level eighteen. And I'm going to exit out of this one and I'm going to go into bandit18. And here you go. Let me just try to connect to bandit18 and let me test this and see if this works or not. And here you go. I believe it's worked, but we get some error. No, it says that. Bye bye. And yeah, here you go. We have that tip over here. So we have that note: if you have solved this level and see "Byebye!" when trying to log in to bandit18, this is related to the next level, bandit19. OK, so I believe there is some sort of a new challenge. Let's go to bandit18. So the password for the next level is stored in a file readme in the home directory.
[00:04:25,680 --> 00:06:12,560] Unfortunately, someone has modified .bashrc to log you out when you log in with SSH, so it's a little bit tricky, I think. So if we log in with SSH, there is a file called .bashrc and it's configured to log us out, and it's interesting. So all the commands that we need to solve this level are ssh and cat. So it's getting a little bit hard, as you can see, and I believe we can overcome this with ssh, OK, since this is the only lead that we have over here, and in order to do that, we have to use, as I say, a parameter, as ssh has the capability of changing the shell that we are trying to log in to, so we can do that with ssh. OK, but we have to specify some new parameters. We are just saying log in, but bandit18 to that host in this case. Right. And rather than .bashrc, we need to cancel out this .bashrc. So we need to change to another shell rather than bash over here. So let me go to google.com and search for it. I'm going to search for "ssh as a shell", "sh". So rather than bash, of course I'm going to go with sh. There are different kinds of shells that we can use when we try to open a session in a terminal. So "choosing the shell that ssh uses", that is exactly what I'm looking for. And here you go.
[00:06:12,560 --> 00:07:53,150] It's, yeah, it's exactly the same thing that we are asking for. It's using bash and we need to change it to something else, so we can use chsh. Nope, it can be used after we log in, but we cannot even log in. So here we have something like ssh -l, and the -t flag forces a pseudo-terminal allocation. Yeah. We can try this -t flag, and the other flag spawns a login shell, so we can use those flags in order to try and change our shell over there. So let me just scan these other solutions here a little bit, and I believe we don't have anything else. Let's try this -t flag. So I'm going to give the -t flag over here, OK? And I'm going to specify the shell at the end, like we have seen in one of the examples. OK, so let's see. Where was that example? Yeah, here you go. ssh. Now I'm not going to use zsh, I'm just going to use the old bin sh. Right, so it should work if this -t flag works. So all you've got to do is just come to the end of this and write bin sh in single quotation marks, by the way, single quotation marks like 'test'. So if I hit enter it will ask me for the password, and let me give the password and let's see if we can come over here. Yeah. Let me just take the password one more time.
[00:07:53,150 --> 00:09:15,200] Let me get the password to see it. It didn't even accept the password. I believe we are doing something wrong over here, so let me paste it and hit enter. Yeah. It says no such file or directory. It cannot find the bin sh. So let me just try it like this; it will make much more sense: slash bin slash sh. OK, and let me give the password one more time, and here you go. We have the shell, I believe, so we are inside of the shell. Where am I? On bandit18. So good. So far so good. So if I run ls I will see the readme, and let's see, um, let's cat the readme, and here you go. We have the file, we have the password for level nineteen. So it's very easy to go to level nineteen from eighteen, but it's also not easy to open level eighteen if you don't know you can change the shell with ssh, right. Of course it can be found easily, like we did with Googling. But again, it's a hard one, I believe. So we are inside of eighteen now and we have the password for nineteen. I believe we are done over here.
[00:09:15,500 --> 00:10:20,500] So if I didn't see that as a comment in the tips, by the way, it would be very hard for me to understand that I need to change this. And also it gives us the .bashrc tip over here. So it was easy for me to find. But if I didn't have the .bashrc tip and the ssh tip over there, maybe it would take me much longer to figure this out. So let me try to ssh into nineteen, and for some reason we cannot come over here, and let me just copy that one more time and say paste selection. And here you go. We are inside of bandit19. So far, so good. Let me open bandit19 over there, and now we're going to go into Bandit level 20, so we're going inside of a new thing, setuid. OK, I'm going to come over here and just stop this and continue within the next lecture to go into Bandit level 20.