1
00:00:02,220 --> 00:00:03,220
See if we're funny.

2
00:00:03,240 --> 00:00:03,610
All right.

3
00:00:03,630 --> 00:00:04,290
Awesome.

4
00:00:04,830 --> 00:00:10,920
So while I'm encoding the last bit of the first exploit development video, I am going to be showing

5
00:00:10,920 --> 00:00:13,860
you how to ROP chain in 64-bit.

6
00:00:14,190 --> 00:00:17,360
So first, I want you to turn off ASLR.

7
00:00:17,370 --> 00:00:25,890
We haven't yet got to the ASLR bypass yet, and we are going to pull the image.

8
00:00:26,430 --> 00:00:30,840
The image is called... sudo docker pull.

9
00:00:32,820 --> 00:00:42,990
Let's see, you can, write-ups, GHC I0 slash 27 slash tpz dash barracuda latest.

10
00:00:43,980 --> 00:00:46,230
So I already have this image.

11
00:00:46,650 --> 00:00:49,950
And the next command you want to run is...

12
00:00:53,710 --> 00:00:57,220
This, so we can just exit this.

13
00:00:58,270 --> 00:01:04,930
In this module, we're going to use a ROP chain to, you can actually just pretend this sudo, by the way,

14
00:01:04,959 --> 00:01:08,230
we're going to use a ROP chain to do a privilege escalation.

15
00:01:08,230 --> 00:01:11,050
So I don't want you to be catting the flag.

16
00:01:11,650 --> 00:01:13,120
The flag is right here, by the way.

17
00:01:13,120 --> 00:01:15,220
We fly right here.

18
00:01:15,280 --> 00:01:20,860
But I don't want you to be cheating by catting the flag or reading the flag like that.

19
00:01:20,860 --> 00:01:23,440
I want you to log in as an under-privileged user.

20
00:01:23,770 --> 00:01:31,960
So we're going to log in using, if you use netstat, that, grep, 2 to 2.

21
00:01:35,230 --> 00:01:38,890
As you can see, we have a port redirection to the Docker container.

22
00:01:38,890 --> 00:01:47,350
So to run this challenge, we're going to do sudo docker run, double dash, dash IT, we're interactive,

23
00:01:47,350 --> 00:01:55,630
double dash privileged, redirect our main host port two, two, two, two to the stage server within

24
00:01:55,630 --> 00:01:57,310
the actual image.

25
00:01:57,610 --> 00:01:59,050
And then we start the image.

26
00:01:59,050 --> 00:02:03,220
And then for debugging purposes, we still run the bash terminal.

27
00:02:03,580 --> 00:02:13,630
So to log in, what you want to do is ssh ctf at localhost dash p two, two, two, two. Your password

28
00:02:13,630 --> 00:02:23,370
is player, and if you want to run tmux... bash, ls.

29
00:02:23,560 --> 00:02:25,660
This is your vulnerable binary right here.

30
00:02:26,650 --> 00:02:29,710
So if you want to run tmux, just run

31
00:02:29,710 --> 00:02:30,640
tmux.

32
00:02:31,750 --> 00:02:37,180
I haven't actually figured out how to make the default shell for the SSH bash.

33
00:02:37,180 --> 00:02:41,380
I will update the video or update the container so you all get a bash terminal.

34
00:02:41,380 --> 00:02:43,810
So let's just open two bash terminals.

35
00:02:43,870 --> 00:02:50,320
So bash, and then control, shift, double, bash again.

36
00:02:51,070 --> 00:02:53,920
So that way we can work on our exploit, nano exploit

37
00:02:54,190 --> 00:02:58,150
.py, and then we're going to run a debugging session.

38
00:02:58,150 --> 00:03:01,240
So I was in a bit of a rush for time.

39
00:03:05,560 --> 00:03:09,370
So the vulnerable binary here is in 64-bit.

40
00:03:09,400 --> 00:03:10,960
It doesn't need a strcpy.

41
00:03:10,960 --> 00:03:18,360
It actually uses gets, which is a read primitive, and we actually are going to skip the fuzzing section.

42
00:03:18,370 --> 00:03:25,420
I will add the fuzzing section back in eventually, but at this point we want to make sure that we can

43
00:03:25,420 --> 00:03:29,050
actually overwrite the return instruction pointer.

44
00:03:29,050 --> 00:03:36,610
So on x64 systems, we need to make an in... return instruction pointer, right?

45
00:03:36,610 --> 00:03:44,240
So let's create another terminal, C, controller.

46
00:03:44,260 --> 00:03:51,760
That's why the code, you can use these code, but on Parrot they have what they call a totem exploit

47
00:03:51,760 --> 00:03:52,390
.py.

48
00:03:59,750 --> 00:04:01,400
And let's delete all of this.

49
00:04:02,240 --> 00:04:09,380
So I'm going to add the fuzzing section again later once I'm done with DEFCON and Crows versus Jo's

50
00:04:09,440 --> 00:04:10,700
Security B-Sides.

51
00:04:11,240 --> 00:04:15,590
But we're going to make another Python 3 script, shebang,

52
00:04:15,590 --> 00:04:20,209
usr bin python3. My god, this thing is slow now.

53
00:04:20,450 --> 00:04:23,870
Thanks, because I'm encoding that stupid video.

54
00:04:27,640 --> 00:04:28,390
What on earth?

55
00:04:32,820 --> 00:04:33,180
Yes.

56
00:04:33,180 --> 00:04:34,440
That's because I'm encoding.

57
00:04:34,710 --> 00:04:35,310
Good Lord.

58
00:04:44,830 --> 00:04:45,610
Yeah.

59
00:04:45,790 --> 00:04:46,210
Has been.

60
00:04:46,780 --> 00:04:47,710
Oh, my God.

61
00:04:47,740 --> 00:04:48,160
Hold on.

62
00:04:48,160 --> 00:04:49,690
Let me just edit out this video.