Hey there Thomas, thanks so much for all the kind words! Appreciate it. I do actually screen-record when I am working through CTF challenges for the first time, if just to get the footage and potentially repurpose it for later content. I could potentially share that as video, but it might be barebones (no audio) -- unless I were to go back and try and do commentary over it (which would mean, like, two times the work ahaha). I can try it sometime and see how it goes!

​@@_JohnHammond Thanks for your reply! I totally understand that there will be too much work to do commentary afterwards. I would very much like to watch the unedited video without audio. I'll get your excellent commentary in your "walkthrough" videos anyway so there's no need to do it twice. :-)

@@_JohnHammond hey John can you please explain what is the difference between the addresses returned by rop.call("puts" , [elf.got["puts"]] ) rop.call("puts") elf.symbols["puts"] Thanks you in advance

Does puts not return though? when you make a call its return address gets pushed to the stack, so its offset in that function you're calling, but when you return from that function that return address gets popped from the stack and it makes 0 difference beyond that maybe ROP does some extra stuff that provides the offset though

Thijs Bruineman Well, it does return. However, the system ABI for the x86_64 architecture guarantees a 16-byte aligned stack before a call. When the ROP instructions are loaded onto the stack, and system() is called, it makes use of this fact. So, by your stack has to be aligned to the 16-byte(sorry I said 16-bit in the initial comment) boundary. Regarding your concern about the function returning and thus not having an effect, what the ret instruction call actually does is it first pops the stack pointer, which in turn means it increments the stack pointer. This has the effect of adding the extra 8 bytes that might be needed to align the stack. Usually, what one would do is to simply use a ROP gadget that just has one ret call. However, in John’s case he made a call to puts, which if it has an odd number of instructions(I’m assuming) it will have the same effect.

Please do correct me if I’m misguided thanks!

I believe you can just pass align=8 to the ROP() constructor, and it will automatically align things for you. The default is align=4 (for 32 bit).

In below, Alex Skalozub exlains that "It is alignment issue because system() uses xmm registers to move data around, and they require 16 bytes alignment. Could be just one ret instruction to offset the stack. "

bat - cat with wings on github

@@MrJohnyBGood101 thank you!

Great tips man ;)

Here it is: github.com/sharkdp/bat

@@donfoumare Thank you so much!!!

at first, he was testing with the local executable and once he got it working he just switched his "p = process()" with "p = remote()" since pwntools is pretty flexible when switching from local to remote it's as easy as changing one line.

That executable is the program running on the server and listening for input. It's common during these CTF to be given a copy of the server program so that you can pull it apart and find your exploit. Once you find your exploit (like with ELF), you create your payload and send that to the server to get the flag :)

He uses this cat clone as a colorizing pager for man as described in the readme: github.com/sharkdp/bat

uh no, you don't, typing speed is what defines that. Takes literally a second to type python.

@@oofme6749 what a noob would say!

More favourable and aesthetic for the audience to type Python and run it instead of env

@@bruh_5555 the 1st line of py script has env blababla for a reason so that you can just type ./scriptname.py and there you go simple!

​@@JNET_Reloaded I personally enjoy typing out python because I don't find it needed to pass #!/usr/bin/env python3 at the beginning of the file. Also, "noob" I'm sure knowing more than 7 languages, known for teaching others the art, also known to help small businesses patch vulnerabilities, a reverse engineering professional, been doing it since 11 years old, doesn't count one as a noob. It's rather noobish that you made a comment about somebody not putting env in the program rather than realizing that it works and runs the same way. Its really funny. Grow up.

he said before it’s just habit. chill.

What do you mean ? Like for the URL part ? It is not necessary until it is, try to get that one : www.google.com/?smartass=JNET&PS1=maybe_not_so_smart

For what he's doing white space is ignored and it makes it easier to read so why does it matter? Also, he's said before that he likes to automate his attacks once he figures it out because it's good practice. Sure he could have pushed a bunch of crap into the netcat but he doesn't have to. If you don't like it make a video doing it your way for people to watch.

Making it more readable is not only valid but also recommended and should be standard practice. The only situations where you wouldn't do that is if you're in a competition or time is the primary concern.

@@WhiteHatHacking no its annoying empty lines and shit its gta stop. Basic auto takes out them spaces weve moved in from .bas files.

@@JNET_Reloaded lmao someone's never heard of PEP8 sit down dude.

@@kaushiksivashankar9621 its in the eye of the beholder tho i prefere not having lines just for 1 char thats messy to me!