1 00:00:00,660 --> 00:00:08,310 Hi, within this lecture, we're going to see the LD_PRELOAD vulnerability and how to exploit it to
2 00:00:08,310 --> 00:00:09,420 become root.
3 00:00:09,870 --> 00:00:12,060 Right now, we are in TryHackMe.
4 00:00:12,060 --> 00:00:15,650 You can actually follow along there as well.
5 00:00:15,870 --> 00:00:19,170 So all you got to do is just run sudo -l, as usual.
6 00:00:19,470 --> 00:00:21,540 And we see a lot of binaries over here.
7 00:00:21,540 --> 00:00:24,700 But also we see this thing over here as well.
8 00:00:25,020 --> 00:00:26,970 So, LD_PRELOAD.
9 00:00:27,740 --> 00:00:35,390 Right now, we have access to LD_PRELOAD, so what does it mean once we try to execute any of these
10 00:00:35,390 --> 00:00:36,740 binaries over here?
11 00:00:37,310 --> 00:00:45,680 If we want, we can actually preload some kind of library or some kind of code to execute before
12 00:00:45,890 --> 00:00:48,110 the original binary.
13 00:00:48,890 --> 00:00:54,980 So maybe we want to do that in Linux or maybe we don't want to do that.
14 00:00:55,430 --> 00:01:01,670 If we are root, of course, we have access to this, but even though we are not root, this permission
15 00:01:01,670 --> 00:01:02,880 is given to us.
16 00:01:03,140 --> 00:01:11,990 So if you see LD_PRELOAD over here in a CTF or in a pentest, it means that you get to load a library
17 00:01:12,260 --> 00:01:17,590 before executing any of the commands or any of the binaries over here.
18 00:01:17,870 --> 00:01:24,350 So it does not depend on the binary that you execute; it will work.
19 00:01:24,350 --> 00:01:29,770 Whatever you write, whatever you actually supply here will work.
20 00:01:29,780 --> 00:01:34,370 So whether it's apache2, whether it's anything else, it will work.
21 00:01:34,400 --> 00:01:38,830 OK, so of course you're going to have to try and see if this works or not.
22 00:01:39,140 --> 00:01:41,950 But again, in this case, we're going to do that.
23 00:01:42,410 --> 00:01:47,980 So in order to do this, we need to understand the C code over here.
24 00:01:48,260 --> 00:01:50,780 So I have shared the C code with you.
25 00:01:51,370 --> 00:01:55,940 So this is kind of a very small exploit that you're going to write.
26 00:01:56,400 --> 00:02:00,110 You can reach this from here anytime you want.
27 00:02:00,110 --> 00:02:07,220 But also I'm going to write it down here in order to preload this before executing any of the binaries
28 00:02:07,220 --> 00:02:07,790 over there.
29 00:02:08,210 --> 00:02:11,060 OK, so I'm going to show you how it's done as well.
30 00:02:11,270 --> 00:02:13,660 But first of all, we need a C code.
31 00:02:14,000 --> 00:02:20,960 So, again, anytime you can come back here and just write this, so you don't have to take a note or
32 00:02:20,960 --> 00:02:23,840 something like that, but it's very simple.
33 00:02:24,050 --> 00:02:26,500 And all you got to do is just type this out.
34 00:02:27,170 --> 00:02:29,030 So I'm going to show you, don't worry.
35 00:02:29,540 --> 00:02:34,410 So first of all, we are user and we see that LD_PRELOAD is permitted.
36 00:02:34,700 --> 00:02:41,900 So what I'm going to do, I'm going to write the C code over here and just use this command in order
37 00:02:41,900 --> 00:02:48,070 to create a shared object, which is kind of an executable but not really.
38 00:02:48,080 --> 00:02:58,640 OK, so this is kind of a ready-to-compile thingy and we can just use this to preload the shared object
39 00:02:58,940 --> 00:03:01,740 over here before executing any binary.
40 00:03:02,120 --> 00:03:03,670 So I'm going to use nano.
41 00:03:03,710 --> 00:03:05,770 Of course, you can use anything you want.
42 00:03:05,990 --> 00:03:13,610 I'm going to call this library.c and over here I'm going to write "test", for example, and let's
43 00:03:13,610 --> 00:03:16,010 see if we can actually see the library.c.
44 00:03:16,010 --> 00:03:17,270 See, here you go.
45 00:03:17,280 --> 00:03:19,280 Now we can see it.
46 00:03:19,280 --> 00:03:21,920 I'm going to nano this thing one more time.
47 00:03:22,130 --> 00:03:27,080 So it means that we get to actually write some stuff in the user folder.
48 00:03:27,320 --> 00:03:32,990 If we cannot do that, we can try this under the /tmp folder, obviously.
49 00:03:33,460 --> 00:03:38,860 OK, so I'm going to delete this and come over here and start typing with me.
50 00:03:39,200 --> 00:03:50,620 So I'm going to bring in the standard libraries, so I'm going to write #include and standard
51 00:03:50,630 --> 00:03:52,460 input output over here.
52 00:03:52,490 --> 00:03:54,710 OK, stdio.h, like that.
53 00:03:55,410 --> 00:03:58,230 And we also need one more thing.
54 00:03:58,550 --> 00:04:09,860 So I'm going to say #include sys/types.h, so these are the libraries that we will need, and also
55 00:04:09,860 --> 00:04:13,720 don't forget stdlib.h over here.
56 00:04:13,730 --> 00:04:15,590 OK, so here you go.
57 00:04:15,680 --> 00:04:23,450 Now we have all we need over there, so bring in all of those things so that your code works,
58 00:04:23,630 --> 00:04:24,240 OK.
59 00:04:24,770 --> 00:04:31,610 So after that, we are just importing the libraries that we need in order to make this run, like in Python.
60 00:04:31,880 --> 00:04:38,180 And remember Python: I'm going to create a method over here which will start with void.
61 00:04:38,510 --> 00:04:43,590 So void means null, nada, nil, OK, it will return nothing.
62 00:04:44,000 --> 00:04:48,110 So this will get executed, but it will just return nothing.
63 00:04:48,500 --> 00:04:50,480 And I'm going to call this _init.
64 00:04:50,720 --> 00:04:56,570 And this will be the first thing that should get executed once we write this.
65 00:04:56,650 --> 00:05:00,220 OK, so let me do this over here.
66 00:05:00,890 --> 00:05:03,760 Don't forget the curly braces over there.
67 00:05:04,190 --> 00:05:15,530 After that, I'm going to just bring four spaces over here and write unsetenv, unset environment.
68 00:05:15,860 --> 00:05:22,560 And over here you need to specify the LD_PRELOAD over here, OK?
69 00:05:22,940 --> 00:05:24,530 So like this.
70 00:05:25,010 --> 00:05:26,420 So it has to be exact.
71 00:05:26,560 --> 00:05:34,870 So follow along with me again, bring in one tab, so just leave a space of one tab, like four spaces
72 00:05:34,870 --> 00:05:39,410 over here, and then just write the rest of the code.
73 00:05:39,880 --> 00:05:44,860 So what we do here is actually valid for the other codes as well.
74 00:05:44,860 --> 00:05:52,710 Other than preload, all you got to do is just write setgid, which is group ID over here, OK,
75 00:05:52,990 --> 00:05:55,560 and just make it zero, which is root.
76 00:05:56,050 --> 00:06:04,270 So I'm going to hit enter one more time and tab; if tab doesn't work, just bring in the spaces and just write
77 00:06:04,850 --> 00:06:05,920 setuid.
78 00:06:05,920 --> 00:06:09,280 This is user ID; I'm going to make it root as well.
79 00:06:09,970 --> 00:06:20,470 So finally I'm going to come over here and just write system and call /bin/bash or /bin/sh, depending
80 00:06:20,470 --> 00:06:22,840 on the situation over here.
81 00:06:22,930 --> 00:06:24,590 And don't forget the semicolon.
82 00:06:24,940 --> 00:06:25,990 So that's it.
83 00:06:26,410 --> 00:06:33,580 Actually, all we are doing over here is setting the group ID and user ID to zero and spawning the
84 00:06:33,580 --> 00:06:40,270 bash, spawning the shell, so it will make us root and it will spawn a shell for us.
85 00:06:40,690 --> 00:06:46,830 OK, so this is a standard C code; other than preload, you can use this in other cases as well.
86 00:06:47,470 --> 00:06:54,130 So I'm going to save this with Ctrl+O, Enter, and hit Ctrl+X to get out of this one.
87 00:06:54,430 --> 00:06:57,140 Now, library.c is over there.
88 00:06:57,480 --> 00:07:04,270 OK, now library.c contains the exploit code, so I'm going to use gcc over here.
89 00:07:04,570 --> 00:07:13,420 So make sure you type the exact parameters I'm typing, and these parameters can be retrieved from TryHackMe
90 00:07:13,420 --> 00:07:14,410 again.
91 00:07:14,830 --> 00:07:17,350 So you got to do -shared
92 00:07:17,350 --> 00:07:27,070 -o, and after that, this stands for the output, and I'm going to save this under /tmp and I'm going to name
93 00:07:27,070 --> 00:07:29,710 this like library.so, OK.
94 00:07:29,710 --> 00:07:32,880 And .so stands for the shared object that I've talked about.
95 00:07:33,250 --> 00:07:40,280 And finally, you have to specify the library.c with -nostartfiles, like that.
96 00:07:40,810 --> 00:07:44,140 So make sure you take a note of these parameters.
97 00:07:44,350 --> 00:07:47,350 And even if you don't, you can get this from TryHackMe,
98 00:07:47,350 --> 00:07:48,380 as I said before.
99 00:07:48,730 --> 00:07:57,490 So basically we're compiling this into a shared object as a file, so that we can actually run sudo
100 00:07:57,490 --> 00:08:03,000 LD_PRELOAD and make it equal to the shared object file that we have created.
101 00:08:03,220 --> 00:08:11,710 And in order to do that, all you got to do is just say equals sign and make it into the path that we
102 00:08:11,710 --> 00:08:17,480 have supplied, like /tmp/library.so, like this.
103 00:08:18,010 --> 00:08:26,140 OK, so of course if we didn't have this sudo permission over here for the LD_PRELOAD, then it
104 00:08:26,140 --> 00:08:26,890 wouldn't work.
105 00:08:27,340 --> 00:08:32,240 But right now we have sudo specified for nmap.
106 00:08:32,470 --> 00:08:40,960 OK, and if I run it with nmap now, as you can see, I am root over here.
107 00:08:40,990 --> 00:08:48,510 You see, it is specified exactly like this for apache2, and that's it.
108 00:08:48,910 --> 00:08:55,750 So you can try it with nmap, you can try it with the battuta or any other binary that you see in that
109 00:08:55,750 --> 00:08:58,600 list and it will get executed.
110 00:08:58,600 --> 00:09:04,270 All it's doing over here is setgid, setuid and spawning the bash.
111 00:09:04,570 --> 00:09:10,210 So make sure you remember that; it is not mandatory for you to know about
112 00:09:10,220 --> 00:09:18,580 C. I haven't written a project in C for years right now, but again, it's very easy once you know
113 00:09:18,580 --> 00:09:20,850 any programming language.
114 00:09:21,130 --> 00:09:23,920 So make sure you got this.
115 00:09:24,130 --> 00:09:30,160 Once you exit out of this one, we are user one more time, and we're going to continue with the privilege
116 00:09:30,250 --> 00:09:32,380 escalation within the next lecture.