1
00:00:00,810 --> 00:00:07,710
Hi, within this lecture, we're going to try and become root by exploiting the environment variables

2
00:00:07,710 --> 00:00:11,580
or PATH like we have discussed in the previous lecture.

3
00:00:12,070 --> 00:00:19,790
OK, so far we know that this SUID binary is trying to run "service apache2 start".

4
00:00:19,980 --> 00:00:27,960
So I'm going to see if we can make our own version of service and make sure Linux finds it first rather

5
00:00:27,960 --> 00:00:36,030
than finding the regular service binary or regular service executable so that it gets executed by root

6
00:00:36,030 --> 00:00:37,320
and we become root.

7
00:00:37,890 --> 00:00:39,900
So let's see how it works.

8
00:00:39,930 --> 00:00:44,340
OK, again, we're going to create a file for us.

9
00:00:44,340 --> 00:00:49,700
We're going to try and create an executable and then we will put it in the PATH.

10
00:00:50,070 --> 00:00:51,730
So let me show you how it works.

11
00:00:52,200 --> 00:00:58,200
First, I'm going to create a C file and I'm going to use exactly what we have used before.

12
00:00:58,500 --> 00:01:03,690
And I'm just going to do this in one line so you can just take in all of this as well.

13
00:01:03,870 --> 00:01:10,560
I'm going to echo the C code into the file because I don't know whether we have nano here or vim.

14
00:01:11,190 --> 00:01:15,710
And I mean, I know we have it, but I just wanted to show you this as well.

15
00:01:16,050 --> 00:01:21,820
So you have to write echo with a single quotation mark, int main.

16
00:01:22,310 --> 00:01:30,540
OK, so this is our entry point for our C code and it will return an integer and it doesn't mean that

17
00:01:30,540 --> 00:01:33,150
we have to return a specific one.

18
00:01:33,180 --> 00:01:35,630
We can just return whatever we want over here.

19
00:01:35,850 --> 00:01:37,830
OK, this is our main entry point.

20
00:01:37,830 --> 00:01:39,160
Main method over there.
21
00:01:39,600 --> 00:01:43,730
So I'm going to write our code under this main method.

22
00:01:44,130 --> 00:01:52,280
And again, I'm just going to use the setgid, setuid thing that we have seen before, and it would be very nice,

23
00:01:52,290 --> 00:01:57,020
if you don't have nano in an environment, that you can just use this.

24
00:01:57,570 --> 00:01:59,070
So open the curly brace.

25
00:01:59,070 --> 00:02:01,680
Write setgid to zero.

26
00:02:01,890 --> 00:02:04,650
OK, so this zero is important actually.

27
00:02:04,920 --> 00:02:08,780
So the GID zero and UID zero stands for the root.

28
00:02:08,970 --> 00:02:12,510
So make sure you write it exactly like this.

29
00:02:12,510 --> 00:02:22,950
OK, setgid zero semicolon, setuid zero semicolon, and then just use the system call in order to spawn the

30
00:02:22,950 --> 00:02:27,410
bash, which is slash bin slash bash, like this.

31
00:02:27,810 --> 00:02:36,750
OK, and then you can just return a number over here because we executed this or wrote this with int

32
00:02:36,960 --> 00:02:37,540
main.

33
00:02:37,830 --> 00:02:42,820
OK, so it expects to return some integer, which is a whole number actually,

34
00:02:42,820 --> 00:02:46,990
if you don't know what an integer is. So this will return zero.

35
00:02:47,700 --> 00:02:54,600
And again, it's not very important what we return over here, and let me just delete this parenthesis

36
00:02:54,600 --> 00:03:00,770
and replace it with a curly brace because I believe that's the way we should do it, like that.

37
00:03:00,780 --> 00:03:01,010
Yeah.

38
00:03:01,020 --> 00:03:01,790
Here you go.

39
00:03:02,520 --> 00:03:04,110
Now I believe we are.

40
00:03:04,110 --> 00:03:10,850
OK, now I'm going to write this into a file under the tmp folder, a file called service.

41
00:03:11,370 --> 00:03:13,530
OK, now we have the service.

42
00:03:13,530 --> 00:03:15,060
Let me cat this out.

43
00:03:15,060 --> 00:03:16,430
So this is service.
44
00:03:16,800 --> 00:03:18,060
Here you go.

45
00:03:18,480 --> 00:03:21,390
Of course, this is just the code itself.

46
00:03:21,960 --> 00:03:30,690
Now, I believe we have to make this executable so that it can be executed when it's reached.

47
00:03:31,050 --> 00:03:39,810
OK, well, it's reached by the user, or rather reached by the suid-env file, OK?

48
00:03:39,810 --> 00:03:42,690
And I believe we have to make sure that.

49
00:03:43,590 --> 00:03:45,600
Let me just do this one more time.

50
00:03:45,600 --> 00:03:51,990
We have to make sure that I name this service.c, OK, because this is the C code, and then we're

51
00:03:51,990 --> 00:04:00,230
going to convert this into an executable and compile that C, OK, so I'm going to run gcc /tmp/service.c,

52
00:04:00,230 --> 00:04:06,360
and the output will be /tmp/service, like this.

53
00:04:06,720 --> 00:04:11,310
So let me run ls -la and see if it has overridden it.

54
00:04:11,320 --> 00:04:14,280
So let me try this ls -la on tmp actually.

55
00:04:15,030 --> 00:04:16,350
And here you go.

56
00:04:16,350 --> 00:04:19,260
Yeah, we have the service, that's the service executable.

57
00:04:19,260 --> 00:04:21,690
This is the thing that we are looking for now.

58
00:04:21,690 --> 00:04:30,360
We managed to convert this into an executable, and if we can make our Linux see this service first before the

59
00:04:30,360 --> 00:04:36,450
original service that has been put under /usr/bin or something like that, then it will work.

60
00:04:36,690 --> 00:04:37,290
Right.

61
00:04:37,530 --> 00:04:39,900
Let's see if we can actually do that.

62
00:04:40,230 --> 00:04:47,340
So far, we haven't changed anything regarding the PATH right now, and this is how you do it.

63
00:04:47,340 --> 00:04:53,040
You have to use the export command and write PATH and just assign a path over here.

64
00:04:53,340 --> 00:04:59,820
So if we write /tmp with a colon, PATH, like this, then /tmp will be put
65
00:04:59,900 --> 00:05:07,100
in PATH, so this is exactly the command that you should run, and now if I print the PATH, as

66
00:05:07,100 --> 00:05:11,510
you can see, /tmp actually is shown in the first place.

67
00:05:11,780 --> 00:05:18,020
Now, if it's shown in the first place, then we are good to go because this is how it works.

68
00:05:18,020 --> 00:05:19,310
It works in order.

69
00:05:19,320 --> 00:05:23,620
OK, if it finds service under /tmp, then that's it.

70
00:05:23,900 --> 00:05:28,700
It will not go and execute the one in /usr/local/bin.

71
00:05:28,940 --> 00:05:31,860
It will execute the one in /tmp.

72
00:05:32,300 --> 00:05:40,730
OK, and now since we can export this PATH, then it's very good for us because now we have the service

73
00:05:40,730 --> 00:05:49,980
executable under /tmp, and if we can actually run the thing that we have been working on.

74
00:05:50,000 --> 00:05:58,190
Let me just run this find command one more time and let's change the type like this, OK?

75
00:05:58,370 --> 00:05:59,170
And here you go.

76
00:05:59,180 --> 00:06:02,570
Yeah, that's the thing that I'm talking about.

77
00:06:02,570 --> 00:06:06,370
This is inside /usr/local/bin, and that's why we're here.

78
00:06:06,650 --> 00:06:13,760
So if we run this, it will run "service apache2 start" and, rather than the original service under /usr/bin

79
00:06:13,760 --> 00:06:15,410
or /usr/local/bin,

80
00:06:15,950 --> 00:06:20,060
it will find the service executable that we wrote.

81
00:06:20,060 --> 00:06:21,590
And here you go then.

82
00:06:21,770 --> 00:06:22,120
Right.

83
00:06:22,130 --> 00:06:22,770
Where am I?

84
00:06:22,940 --> 00:06:25,610
We are root again.

85
00:06:25,880 --> 00:06:28,270
This is kind of advanced, OK?

86
00:06:28,280 --> 00:06:29,660
It's hard to find.

87
00:06:29,990 --> 00:06:33,650
It's hard to detect in a real-life environment.
88
00:06:33,890 --> 00:06:40,610
So it was obvious over here because it has been named like suid-env or something like this so that

89
00:06:40,610 --> 00:06:44,390
we can understand, or at least get a clue of, what's going on.

90
00:06:44,630 --> 00:06:50,150
And you can see the details over here in the task here as well.

91
00:06:50,150 --> 00:06:52,670
You can just get the code from here as well.

92
00:06:53,210 --> 00:06:56,770
But again, if you get this, it will be big.

93
00:06:57,200 --> 00:07:05,480
OK, so I wanted to show you all of these things, all of these important things.

94
00:07:05,600 --> 00:07:11,930
And I really suggest you take a note of that in your own CTF challenge files.

95
00:07:12,230 --> 00:07:15,950
And again, I have shown you mine.

96
00:07:16,310 --> 00:07:19,880
And in fact, I believe I have to take this note as well,

97
00:07:19,880 --> 00:07:22,490
because I don't have it over here, right?

98
00:07:22,490 --> 00:07:27,110
So I have this sudo -l and I'm going to do the same thing over here.

99
00:07:27,110 --> 00:07:31,970
I'm just going to take a note of this because I use this a lot in CTFs.

100
00:07:32,180 --> 00:07:40,700
If I find some way to just execute a script or a binary or a shared object, then I will use this,

101
00:07:41,120 --> 00:07:41,570
OK?

102
00:07:41,570 --> 00:07:43,670
It will be very beneficial for you.

103
00:07:43,790 --> 00:07:47,930
And again, you should take note of this as well.

104
00:07:48,110 --> 00:07:52,880
I believe I already have this, but I will see if I have it over here.

105
00:07:52,880 --> 00:07:53,570
Let's see.

106
00:07:53,900 --> 00:07:54,560
Yeah, here you go.

107
00:07:54,560 --> 00:08:01,340
I have this thing over here, but I can always search for the alternative one over here as well.

108
00:08:01,790 --> 00:08:02,960
So far, so good.

109
00:08:03,350 --> 00:08:10,910
Now, again, these are all advanced things, but we have seen the basic ones before.
110
00:08:11,330 --> 00:08:18,680
And maybe you can just take a note of this exploitation, the long C code that we have from before,

111
00:08:19,010 --> 00:08:20,880
because it's good as well.

112
00:08:20,950 --> 00:08:25,130
OK, so make sure you just put those things in the right place.

113
00:08:25,460 --> 00:08:26,480
And here you go.

114
00:08:26,480 --> 00:08:27,530
Now we are ready.

115
00:08:28,550 --> 00:08:34,280
So I believe this section was a little bit hard.

116
00:08:34,520 --> 00:08:42,950
But again, once you get to actually solve the CTFs and once you get to have a little bit of experience

117
00:08:42,950 --> 00:08:46,100
on those, then it will be better for you.

118
00:08:46,190 --> 00:08:48,640
It will be easier for you in time.

119
00:08:49,250 --> 00:08:50,450
So far, so good.

120
00:08:50,750 --> 00:08:54,770
I'm going to stop here and continue within the next lecture.