1
00:00:00,810 --> 00:00:01,320
All right.

2
00:00:01,320 --> 00:00:05,130
So welcome back to Introduction to Exploit Development.

3
00:00:05,130 --> 00:00:13,320
And this time we are going to do our final capstone for Hacker Summer Camp 2022.

4
00:00:13,470 --> 00:00:22,200
And right now what I want you to do is before we do anything so this is actually your location for getting

5
00:00:22,200 --> 00:00:23,640
the new Docker container.

6
00:00:24,330 --> 00:00:26,790
There's going to be some changes in the course.

7
00:00:27,000 --> 00:00:34,470
And I want to tell you that now that instead of using a new debugger or peda the Python exploit development

8
00:00:34,470 --> 00:00:43,050
extension, it was not been updated since somewhere around December 2020 and I've been seeing a couple

9
00:00:43,050 --> 00:00:44,040
of bugs.

10
00:00:44,160 --> 00:00:51,330
So now we are going to be using the new debugger Jeff for Jeff pronounced Jeff.

11
00:00:51,540 --> 00:01:01,350
But before we do that, we want to make sure that we disable our let's see, our

12
00:01:05,030 --> 00:01:13,410
arsenal are from the from the Linux host because we are running Docker, right.

13
00:01:13,420 --> 00:01:18,630
And Docker and inherits the protections of the Linux host.

14
00:01:18,630 --> 00:01:23,520
So what I want to do, I'm sorry, I'm just going through my walkthroughs right now.

15
00:01:26,340 --> 00:01:27,180
Let's see.

16
00:01:28,080 --> 00:01:44,580
OC So pseudo echo two type process system kernel randomize virtual address space.

17
00:01:46,170 --> 00:01:53,670
You might have to do this as route and I'll explain why we're going to do like a really, really easy

18
00:01:53,670 --> 00:01:59,730
one because we want to prove

19
00:02:02,550 --> 00:02:10,169
normally by default your system is basically set of two for randomizing.

20
00:02:10,320 --> 00:02:22,350
Esler Normally it is, but in our previous exercise we did it as zero, but your default is two so that

21
00:02:22,350 --> 00:02:25,980
we can make sure that our binaries are randomized.

22
00:02:26,460 --> 00:02:29,340
Now, number two, I want you to do this.

23
00:02:29,340 --> 00:02:32,100
I want you to copy and pull.

24
00:02:32,110 --> 00:02:41,310
So the command is pseudo docker pull GitHub container repository IO slash 27, which is my GitHub repository

25
00:02:41,310 --> 00:02:47,190
intro exploit def dash cobra this character latest.

26
00:02:47,700 --> 00:02:55,080
So I already have it actually I'm just going to turn off my VPN if I have it because if I didn't mention

27
00:02:55,080 --> 00:03:02,220
this earlier, if you leave your VPN on for some reason, GitHub doesn't like it when you want privacy

28
00:03:02,220 --> 00:03:06,780
and it actually could prevent you from being able to pull your Docker containers.

29
00:03:07,830 --> 00:03:13,290
So we're going to use four methods in establishing our root chain, but for right now, we're going

30
00:03:13,290 --> 00:03:14,790
to start up our container.

31
00:03:14,790 --> 00:03:21,480
So what we're going to do is we're going to run the command to allow us to pipe localhost port two,

32
00:03:21,480 --> 00:03:28,620
2 to 2 to the container, which is listing on port 22.

33
00:03:28,710 --> 00:03:29,940
So we're going to run.

34
00:03:29,940 --> 00:03:45,920
Cito Docker Run double dash, dash it double dash privilege dash P 2 to 2, 2 to 22 GCR dash IO slash

35
00:03:45,930 --> 00:03:51,540
taxi seven slash intro exploit dev dash cobra latest.

36
00:03:52,020 --> 00:03:56,100
And for debugging purposes, we're going to execute the bash shell.

37
00:04:01,800 --> 00:04:03,840
So this is your vulnerable binary.

38
00:04:04,260 --> 00:04:09,160
And if I were to do this LSE route, that's your flag.

39
00:04:09,180 --> 00:04:14,560
I don't want to reveal the flag, but you just run the command cat route flag.

40
00:04:14,580 --> 00:04:20,760
But I want you to log in as a under-privileged user so that we can root this box and then we can work

41
00:04:20,760 --> 00:04:23,760
on it in order to capture the flag.

42
00:04:23,790 --> 00:04:28,320
This will be your quiz, and these are your four exercises.

43
00:04:29,130 --> 00:04:40,150
So what I want you to do now is open a new terminal and we're going to do s h ctf at local host dash

44
00:04:40,230 --> 00:04:42,270
p two, two, two, two.

45
00:04:45,400 --> 00:04:46,480
Say Yes.

46
00:04:47,470 --> 00:04:49,660
And your password is player.

47
00:04:51,980 --> 00:04:54,260
And now we're going to open another Thomas session.

48
00:04:54,710 --> 00:04:59,360
So Thomas new dash se workspace

49
00:05:02,510 --> 00:05:05,240
and we are of our four old binaries.

50
00:05:05,360 --> 00:05:11,840
So our first exercise before we do anything, we want to make sure that ASL is still enabled and the

51
00:05:11,840 --> 00:05:14,600
quickest way to check is to run the linker command.

52
00:05:14,600 --> 00:05:15,950
So LD

53
00:05:18,860 --> 00:05:27,470
run again, run it again and notice how the memory address ranges are constantly being randomized,

54
00:05:27,470 --> 00:05:30,650
which means outer space layout randomization is on.

55
00:05:30,710 --> 00:05:37,460
So in our first exercise, we want to make sure that we're going to do something that's really, really,

56
00:05:37,460 --> 00:05:38,390
really simple.

57
00:05:38,390 --> 00:05:45,020
And it's basically we have a unused shell function within the first exercise, which is volume.

58
00:05:46,580 --> 00:05:54,410
Before we go on to something more advanced like abusing system calls in a different function that was

59
00:05:54,410 --> 00:05:58,940
in this binary to volume or replacing.

60
00:05:58,940 --> 00:06:01,400
We will keep on going on with this.

61
00:06:01,400 --> 00:06:05,510
So let's just start from the basics and then from the basics.

62
00:06:05,510 --> 00:06:11,810
We'll start continually to build rope chains, to be able to push things like shell variables into the

63
00:06:12,050 --> 00:06:13,070
data segment.

64
00:06:13,550 --> 00:06:21,620
And then finally we will use the RET to plot attack, which is the return to linkage procedure or linkage

65
00:06:21,620 --> 00:06:27,890
table, which is a which is basically a pointer to the global offset table over the got.

66
00:06:28,250 --> 00:06:32,120
And that will be our final challenge for fall four vote.

67
00:06:32,810 --> 00:06:37,670
So first let's do object up dash DX Bone.

68
00:06:41,280 --> 00:06:51,330
And if you go up, we have something called a unused shell function, which has not been called in any

69
00:06:51,330 --> 00:06:52,500
part of the program.

70
00:06:52,770 --> 00:06:59,370
But we're going to abuse this with a drop chain to do a very, very straightforward SLR bypass and real

71
00:06:59,370 --> 00:07:00,570
applications.

72
00:07:00,580 --> 00:07:06,630
You might actually see like a new shell functions or shell functions that are not intended to be done.

73
00:07:07,890 --> 00:07:12,750
In the second exercise, we will actually go for our

74
00:07:15,480 --> 00:07:15,600
out.

75
00:07:16,170 --> 00:07:18,090
Let me just open up the student code.

76
00:07:33,320 --> 00:07:33,710
All right.

77
00:07:33,710 --> 00:07:35,510
Well, that's my previous work.

78
00:07:35,780 --> 00:07:39,440
But what I'm going to do is I want to start this from scratch.

79
00:07:39,650 --> 00:07:41,240
No, I don't care.

80
00:07:41,690 --> 00:07:43,820
Or bass just dropping into the container.

81
00:07:45,470 --> 00:07:58,130
So we're going to use object dump dash dx phone grep unused and we're going to grab this memory address

82
00:07:58,400 --> 00:08:00,110
of the unused shell function.

83
00:08:01,400 --> 00:08:04,160
Now to do a simple rock chain.

84
00:08:04,400 --> 00:08:07,920
I've been teaching about how to do manual rock chaining before.

85
00:08:07,940 --> 00:08:12,140
We only need to do one more thing, which is use ROPPER.

86
00:08:12,950 --> 00:08:19,160
So ROPPER is already preinstalled in debugger in this container.

87
00:08:19,160 --> 00:08:20,720
So we're going to ROPPER.

88
00:08:27,000 --> 00:08:38,640
And then we're to run file volume and then want to search for a def one return and we want this instruction.

89
00:08:39,990 --> 00:08:52,140
So in our source code, let's write the following notes unused shell func equals this memory address

90
00:08:52,140 --> 00:08:54,090
which we pulled from here.

91
00:08:56,670 --> 00:08:58,680
Make sure to end it with a zero.

92
00:09:00,810 --> 00:09:01,440
From the top.

93
00:09:01,440 --> 00:09:04,440
From an import star.

94
00:09:07,500 --> 00:09:08,160
I'm sorry.

95
00:09:08,160 --> 00:09:13,320
People are annoying me on my phone and we get our return instruction.

96
00:09:13,830 --> 00:09:15,420
Make sure to copy this.

97
00:09:16,470 --> 00:09:18,690
Return equals this.

98
00:09:25,090 --> 00:09:26,170
Let's see.

99
00:09:26,200 --> 00:09:29,990
Let's just say I tap one pie.

100
00:09:32,500 --> 00:09:37,930
If you have not noticed yet, we have switched to Python three due to the deprecation of Python two

101
00:09:37,960 --> 00:09:51,220
and Python two is no longer supported and working on a very simple buffer buffer overflow to a rob chain

102
00:09:51,220 --> 00:09:52,960
to exploit the shell function.

103
00:09:53,500 --> 00:09:58,780
So the commands now or the code is buff equals bytes.

104
00:09:58,810 --> 00:10:06,340
A remember in Python three, you have to specify it as bytes, so you have to append a little B right

105
00:10:06,340 --> 00:10:06,940
here.

106
00:10:08,050 --> 00:10:11,530
Let me open this up and make this bigger.

107
00:10:11,530 --> 00:10:12,670
How do you zoom in on this?

108
00:10:12,670 --> 00:10:27,160
Say, Oh my God, you are not a way you can zoom in o control plus oc buff.

109
00:10:28,870 --> 00:10:35,350
We knew that if we write 208 bytes it would overwrite the base pointer.

110
00:10:35,680 --> 00:10:40,600
So we can say overwrite base pointer.

111
00:10:43,710 --> 00:10:47,250
And then we can do bytes.

112
00:10:47,340 --> 00:10:51,420
Hex 42 times eight.

113
00:10:52,830 --> 00:10:57,570
Overwrite the return stack pointer.

114
00:11:00,480 --> 00:11:07,020
And finally, because now we overrode the stack pointer in our previous fuzzy exercises or that was

115
00:11:07,020 --> 00:11:07,710
capitalized.

116
00:11:07,710 --> 00:11:12,930
Sorry, we can now put in our return instruction from here.

117
00:11:13,050 --> 00:11:15,910
So pack 64 reds.

118
00:11:16,500 --> 00:11:27,450
Now, in case you're wondering, this is the equivalent of saying struct pack, little Indian rat.

119
00:11:28,380 --> 00:11:30,570
That's basically the same exact thing.

120
00:11:30,720 --> 00:11:34,170
So we're just using PO tools to make this much more convenient.

121
00:11:34,800 --> 00:11:38,610
But now we're going to pop our onion shell function.

122
00:11:38,610 --> 00:11:44,820
So we're going to use buff plus equals PAX 64, which is a function within the open tools library,

123
00:11:45,240 --> 00:11:46,980
unused shell function.

124
00:11:48,300 --> 00:11:57,840
And then we're going to use this dot standard out, that buffer dot right buff and then we're going

125
00:11:57,840 --> 00:12:02,250
to copy of this into our container.

126
00:12:03,210 --> 00:12:11,460
So let's control B shift double quote then attempt one py

127
00:12:14,370 --> 00:12:31,170
copy and paste this and then we're going to run the command python 3x1 dot py semicolon cat semicolon

128
00:12:31,680 --> 00:12:43,710
wrap this in parentheses pipe dot so we now sent the buffer into standard in press enter again and then

129
00:12:43,710 --> 00:12:53,940
we're press ID on my route and less route flag dot text.

130
00:12:55,080 --> 00:13:00,840
And at the very final video that I'm gonna make, I'll reveal the flag.

131
00:13:00,840 --> 00:13:07,410
But at this point you could have just ran the command route flag text, but we're not going to do that.

132
00:13:07,410 --> 00:13:08,730
We'll just escape that.

133
00:13:08,820 --> 00:13:14,220
But this is your first walkthrough, and it's just a really, really basic thing to abuse a new shell

134
00:13:14,220 --> 00:13:15,060
function.

135
00:13:15,060 --> 00:13:23,340
And the next exercise, we're going to find a system call to using the bin date command to be able to

136
00:13:24,510 --> 00:13:25,740
do our exploit.

137
00:13:26,100 --> 00:13:30,540
So in our next section, just keep your container running.

138
00:13:31,350 --> 00:13:37,380
We're going to walk through all of this again and we're going to go for our next exploit.

139
00:13:37,380 --> 00:13:39,870
We're going to try to do this one baby step at a time.

140
00:13:39,870 --> 00:13:50,760
Remember, Asla is still on so von and our next vulnerable binary to Von, as you can see, also has

141
00:13:50,760 --> 00:13:52,410
a randomized space address.

142
00:13:52,800 --> 00:13:55,800
So that's your first exercise.

143
00:13:55,800 --> 00:14:03,360
And I will reveal the flag, which I will add as a quiz to the last exercise, which you need to complete

144
00:14:03,360 --> 00:14:04,230
this course.