Chromebook Breakout - Escaping Jail Using a Pico Ducky
Formal metadata
Number of parts | 85
License | CC Attribution 3.0 Unported: You may use, modify, and copy, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner they specify.
Identifiers | 10.5446/62215 (DOI)
Transcript: English (automatically generated)
00:00
What's up? What the fuck is up, Denny's? I mean, DEF CON? Hi, I'm Jimmy Two Times, and I'm here to talk about how I broke my Chromebook with a Pico Ducky. I'll also say this: I'm a goon, I've lost my voice, and I'm gonna do my best here, so bear with me.
00:24
My name is Jimmy Two Times, Jim Ali, as I said before. I'm the CEO of Lost Rabbit Labs right now. I am a former member of the US National Video Game Team. You can see some history there on
00:43
OSGrelics.com, old-school gaming. My hacking led me to get involved in the video game industry back in the 80s. I was the first person to beat Mike Tyson's Punch-Out!!, a bunch of NES and Sega Master System games, and I'm actually two characters in two Sega Master System games, Zillion II and
01:05
Wonder Boy in Monster Land, represent. I'm a 20-year martial arts student. I think that it is important to be scholar-warriorly as a hacker in everything we do, and so I just wanted to mention that, and I
01:23
am dedicated to gamifying our craft, because this is all fucking fun. It's my first time presenting, been a goon for six years, guy talks for eight, and this is a huge honor, so thank you DEF CON, and thank you everybody for showing up. Appreciate it.
01:45
So we will be covering gamified hacking, container breakouts, fuzzing strategy, LOLBin-ing, living off the land, retro assessments, unorthodox methods, and one-liners for the fucking win. I will say
02:04
that, first off, this exploit is on an end-of-life Chromebook. It's a known vulnerability that was patched two years ago; however, I think some of the techniques in here will help with bug bounty and help other folks secure their Chromebooks. This Chromebook hack was done in a factory-reset
02:26
state, and it was done living off the land, really, mostly or only at the end. One-liners, they're like keys. It's a string that will open a door, and every chance we can, we'll use them here,
02:41
and the Pico Ducky, it is a key. It's a shim, it's a key; you can shove it in and it'll open a door for you. So, gamified efforts. I feel like we're better at progressing when we have a challenge or an ankle weight on us, so it's often good to put yourself in jail and really be thorough on
03:06
how to get out of there to research all aspects of your environment. Being tenacious, thorough, and exhaustive is key in a lot of what we do, looking for the anomaly or the needle in the haystack. So performing retro hacking or retro assessments is really about taking maybe an older
03:25
device and taking a look at it and seeing, you know, 10 years ago we had a device we didn't know much about; 10 years later we know way more. We're gonna take it further if we take a look at it. Even if it's old, it's gonna help us gain insight into the new versions we could create and some of
03:40
the challenges that we need to solve. And again, putting yourself in jail here to expand your horizons. This is really about being thorough, again, with what's in front of you, not thinking you need an exploit or a zero-day; it's about being tenacious and trying all possibilities. So
04:00
again, TL;DR here. Took an old EOL Chromebook, HP Pavilion 14, in an out-of-box experience state, and with the guest user we're able to gain local access through a crosh breakout when Linux isn't supposed to be enabled yet. And we're doing that by exploiting
04:20
a command injection in the set_ command set. And we're able to utilize the shill-scripts and chronos user accounts and root before developer mode has been enabled and before any passwords have been assigned to the existing users. One of the other exploits that was discovered was a
04:41
command injection in D-Bus, and that is where we got our root from. We were able to fuzz a parameter there and gain root access. And again, there's a couple of tricks here, old-school tricks, redirection operators, internal field separator, and we'll get more into that as we go. Passionate curiosity is absolutely not a crime. It's not. Know that. Right to repair. It's our
05:07
hardware. We bought it. We should be able to do what we want. If we're afraid of affecting somebody's upstream infrastructure, we can just sever the network, sever communications. In this case, I did not. I wanted to connect into the Google Cloud, and we did go from there. So these
05:25
are all non-destructive techniques, meaning we didn't have to open a laptop up or we didn't have to do anything crazy to modify anything here. And again, I was inspired really to do it. I like kiosk breakouts. They're fun. It's a challenge. They're small little CTFs. So anytime you can
05:42
break out of a jail, you win. The hardware we're using here today is gonna be an HP Pavilion, a Raspberry Pi Pico, and the Pico Ducky software. And again, we'll talk about that in a second here. So one thing I'll mention here on the slide deck is it's done sort of in the form of a video game.
06:05
So this is how to play the game. Set up the environment. We began by factory resetting the Chromebook, powerwashing it. Then we boot it up. On the first boot, we log in, and we log in as guest. That's how we play. The helpful commands here during the out-of-box experience
06:27
are for fun. There's actually something called shark mode. I didn't know that. One time I was booting up, I pounded on all the keys. It's an actual technique to find stuff. Pounded the keys, and I saw shark mode. Shark mode. And I got to find out it's part of their enrollment process.
06:42
But there's a bunch of shortcut keys we found there. And you can also force your out-of-box experience back into the original state by deleting a couple of files out of /home/chronos and removing any user on the system. So this is our game map. We have a Chromebook. We
07:04
want to choose our attack path. So we have the Chrome browser. We have the crosh window, which has a limited shell. We can sideload: USB, SD, whatever other inputs. We have network. And I started off first with the crosh window, just because: Linux. Linux terminal. We want shells.
07:25
So I ended up going that route. And let's see here. Just looking at the crosh shell by default, it's not Linux-enabled all the way in the back end. As far as you can tell, there's no shell
07:41
command yet. But you do have crosh --dev and --removable if you can run the binary. And let's see here. So, fuzzing. We know we're gonna have to fuzz. We know we're gonna have to throw a lot of payloads at inputs. And we don't want to do that as a human. Hands will hurt.
08:03
And your brain will hurt. So we started off here using the Rubber Ducky. I like doing Rubber Ducky stuff, but memory limitations, way too slow. So Ask from the info booth, thank you Ask, let me know that the Pico Ducky software that Dave Bailey had created is awesome. And so I started the
08:26
engage, or I started this whole project out, with a Rubber Ducky. And I got far, but as soon as I used the Pico, it just was night and day. And here we go, round one, fight. So we know that we
08:41
have a crosh shell. We have some commands that we can utilize. You can go through those and extract them and put them in a text file. We're gonna take all the commands and put them in commands.txt. Then we're gonna take some fuzz payloads and strings and shove them in another text file. This is how we're gonna build our test harness and how we're gonna try to attack the
09:04
Chromebook here using the Ducky. So I just created a small Python script. I call it Fuzzy Ducky. It takes the commands, one command per line, and the fuzz payloads, one per line, and it will mush them together for you, basically. Tons of payload lists out there, fuzz lists. I gotta give
09:24
a shout-out to Dan McInerney for his little short fuzz list. Very interesting and unique. And then of course we also have things like SecLists and the Big List of Naughty Strings and anything else you can throw at it. This is the Fuzzy Ducky script on the left. It's that simple.
09:43
Takes the commands in from one file and then the fuzz from the other, puts them together and converts it into the payload.dd file, which then can be transferred over to the Pico Ducky. And once again, thank you Dave Bailey for a great piece of software. You can find it at github.com/dbisu. It uses CircuitPython. It's so simple to set up. Piece of cake.
10:09
So we have our Ducky. We have our shim. So we're gonna open the crosh window on our Chromebook, Ctrl-Alt-T, and we're going to direct the input into the browser window. From there we plug in
10:23
our Pico Ducky and it starts fuzzing every command. And it's probably hard to see some of these screenshots, but if you take a look at the slide deck, which is gonna be available, you'll be able to see all these commands. And I wanted to kind of, like, pics-or-it-didn't-happen on every aspect of this project. So it's all about sharing all this info so you can see what challenges I had
10:44
and how I worked through things. When we run our fuzz list here, we don't see much the first iteration, but once we start getting into some of the other payloads and running binaries here, we saw (where the Scooby-Doo is here) that we got an eval error and a syntax error
11:08
and an unterminated quoted string. Those are things to get excited about. We definitely saw other errors from commands that we tried to run, but we didn't really see anything that showed us we had
11:20
an actual binary that would work yet. So we keep going, and we find that even just using a left parenthesis and a right parenthesis generates an error, and it tells you cut --help. So now we know cut's involved somehow. From there we keep on fuzzing, and, you know, once you see a result or something, you just want to focus in on that one area: maybe add more characters, double the payloads, put
11:44
a thousand characters after it, and keep nailing that one spot over and over again. So, analyze the results, checking all the output, looking for anomalies and verbose errors. The command injection, and going through that whole process, is sometimes really tough. Even doing things like XSS, you can't
12:03
always get the payload you're looking for unless you spend hours, you know, trying to figure out how to get it to work. IFS: we were able to use the internal... yeah, the IFS stuff here. Where is it? Okay, we're using existing OS functions to create, like, our variables and solve our challenges here,
12:24
and then we use some redirection tricks for our output, because initially we have blind output; we can't see anything in the front part of the shell here. So we ended up trying to redirect output after getting blind results for a while, and we figured out here that, using one, greater-than, to the
12:47
ampersand two (1>&2) here, we're going to run the error output, or the regular output through error, and that's going to pop it to the screen here. So this example here shows set_apn,
13:02
and we have our parentheses, or sorry, ticks here: curl$IFS--help$IFS1>&2. Notice that $IFS is our space character. That actually takes the output and puts it through the crosh shell to where you can see it, where normally it would be on the back end.
13:23
So now we have output; we're no longer blind. From there I have, like, a top 20. We said about top 10, but the first initial top 20 info-gathering commands I would try to run at this point, you know, this would be id and things to identify the file system, looking for uname and
13:44
things like that, catting /etc/passwd, tailing /var/log/messages, and we were actually able to do all that. We're able to pull, using again set_apn with ls$IFS-al$IFS, and we have everything on the screen now from the password file and from the directory
14:05
listing. And let's see here, exfiltration tools. So while we're looking for binaries we can run on the system, it's always good to try to figure out what you can use to input data and output data. So we want to upload, we want to exfiltrate. We were able to see that we had tar, curl, sftp,
14:28
scp, ssh, openssl, openvpn, ping, smbclient and base64, all available to us from behind the curtain there. So we're going to continue with command injection. You know, we
14:41
really want to get a shell at some point or get some more substantial foothold, so we start fuzzing again all these binaries on the system, and we notice that set_apn, all of them, are vulnerable to this command injection. But what we end up finding out is that some command injections
15:00
require parentheses or brackets around the IFS, as opposed to just $IFS, and when it does that, it splits out your parameters and runs them slightly differently. So on the right you'll see $IFS versus ${IFS}, and when we run those four commands, set_apn
15:24
or the arpgw or the cellular_ppp or the wake_on_lan there, we will see that three of those commands run as the shill-scripts user, one of them runs as chronos. So we have an anomalous binary there that's running as a different user. So right now we have access potentially to two
15:41
users on the back-end system. We need to hack more, so we are going to do that with the Power Glove. All right, so obtaining a reverse shell. Now that we know we can't really access anything locally, per se, through the window, we are going to try to get an out-of-band shell or access here. So I took
16:01
a laptop attacker box here, and I set up a shell script on it to make a named pipe in the temp directory and use openssl to connect back into the Chromebook here. So on the Chromebook side we can take... and actually, let me finish that up: we also have a Python simple web server running on the attacker
16:23
box with the openssl server with our generated key. So now, back on the Chromebook, we can do our set_apn command injection using curl dash gap l, and we can run that script file on the Chromebook, and we actually get a reverse shell now, and we are shill-scripts. And I used the duck
16:42
man over there for that user profile. So let's take a look at the other command: set_cellular_ppp allowed us access to the chronos user, so let's see what happens when we try to get a reverse shell there. We do the same method and we find out we indeed end up as the
17:03
chronos user instead of shill-scripts. So we have access to two users now. We want to kind of compare them, see how they're different, see if there's any anomalies: mount spaces, namespaces, capabilities. So now it's about trying to identify unique privileges or capabilities in these users.
17:29
This, you're probably not going to be able to see all that, I'm not sure, but again it's more comparison around all the capabilities, cgroups, namespaces, and things like that for comparison. And what we do see is that there are different mount points for these users. We know that the
17:44
Chrome users are jailed, and in this version of Chrome, it was 65, they were using minijail for most everything. And so we know that some users are wrapped in a user script with a minijail
18:01
and restricted privileges, or elevated. So we run some more commands here for info gathering, and looking at the kernel we find there's a /var/log/debug_vboot_noisy.log that has some information about the system firmware, etc. Our /proc/version tells us that we're running
18:24
and you can see that it's an older Chromium there based on the date. Linux version is 3.8.11, and then again all the CPU, cat issue, all the OS-related information, sysctl -a, and we can see
18:42
where we're being blocked. We can't do... we have protected hardlinks and protected symlinks, so they've secured it pretty good that way. And so this is where I took the approach of trying to run every command on the system as each of those users, literally being thorough and seeing if there
19:02
was anything that would be anomalous, elevate privileges, or, you know, just do something weird. So we found out if we try to run the chromeos-setdevpasswd we can't do that because we have no developer mode. We found a generate_logs binary on there that will dump all the logs for
19:21
you and save them to a tarball, and of course now we can exfiltrate that with our ftp and curl and everything else we have running. We can try to run some of the processes as chronos, but they won't run because you don't have privileges, so like chrome-sandbox and some other disk commands, ppp,
19:45
they won't give you... uh, they'll let you know you're not root, so you can validate that. I have a screenshot over here just showing also that when we tried to look at the cap mem on a certain process, ptrace is not enabled for us to do that, and it creates a
20:01
log of that. So again, more information: keep your eye on the logs as you're tinkering. So one of the things we figured out, I mentioned earlier, crosh --dev would upgrade your crosh shell. So if you actually do the command injection here and do your crosh, or crosh --dev, you'll actually get the elevated crosh shell, and that gives you new
20:24
commands: you can live_in_a_coal_mine, it puts you in the, you know, the non-standard, uh, software there, packet_capture and systrace for the other two. So we upgrade and we start trying to run these other commands, and we find that running the packet
20:44
capture fires off a process using /usr/libexec/debugd, and it's a capture utility, and it puts it in a minijail. If we look at the bottom here you can see we have a root process running minijail with some other parameters here: the capture utility, the file descriptor, and the device.
21:09
Before I moved on, I actually provisioned my attacker box to the fullest I could to communicate with the Chromebook, to give me all options available. We actually had smb on there, so you can do smb transfers, you can do peer-to-peer, obviously the openssl was on there as well,
21:26
you can run a local openssl server on the Chromebook as well, and you can log in locally if you needed to, which we'll look at here in a second as well. But all these commands are just the normal Linux commands that you would run, versus the
21:42
Chromebook command-injection-formatted commands, just for comparison. So after tinkering for some time I realized, why didn't I just try to run bash from the shell, like a command injection? Well, it worked, but there was no output. But again, we know we have our
22:03
redirector, and if you do exec, you know, 1>&2, we now see the output in our terminal. So now we actually have a full local Linux shell. It's local, it didn't need to have an external system to do the shell, so we've basically done a breakout right there, and we can
22:24
validate that we're chronos still. We can do all the same kind of commands we were running before, but of course we don't have to do any command injections, we're just free to roam. So one of the things I tried to do here was make a one-liner to basically write to the .bashrc so that would
22:40
permanently put in the exact command there too for the redirector; that just makes it persistent for that session. Um, nsenter is another one, um, breakouts with nsenter. I did sqlite; you can actually get out there with sqlite and run the .shell bash command from there. Um, there's a few other ways
23:04
that you can do it. Um, let's see here, uh, dash is on there as well, and we have sqlite on there, which is nice because they use a lot of sqlite database files on the Chromebook. So that's right there. Over with our other user then, shill-scripts, we go back and we run our, uh, if you remember here, set
23:25
_apn allows, uh, the shill-scripts user, whereas set_cellular_ppp is our chronos user. So we want, we want our shill-scripts user, and the way we do that is by provisioning openssl locally and then running our command injection with, uh, and actually we have to
23:47
run it with chronos to actually have it bind to the system, or it doesn't have the right permissions with shill-scripts. So it's kind of hybridy, but we end up getting a shell here, and this shell that
24:00
we get is kind of special. The chronos user shuts off when you log out; it shuts all the processes off for chronos, or if you close the laptop lid. If you're using the shill-scripts reverse shell it doesn't shut down, it stays up and running because it doesn't get killed by the chronos user's processes. So we have local access, and again, this is just how to set it up: you have to set up
24:24
your key, your cert, PEM, and we throw that in /var/tmp, and it turns out /var/tmp's got some persistence there across reboots. In crosh, Chrome tab one, we would do our set_cellular command as our chronos user for our openssl, and then in our second tab we start the openssl client running as a shill-
24:47
scripts user with our set_apn. And again we had, uh, we had some issues with the payload, so we had to use base64 to pass it through, which works just fine since we have it on the Chromebook. And I haven't really mentioned it yet, but in order to get our interactive TTY we use
25:03
/usr/bin/script -qc, and using bash there; you could use dash or sh or whatever else you wanted. So now we have two users locally; we no longer need our attacker box. Here's the other cool thing: we found out that we have hard-coded keys on the Chromebook through
25:25
test keys that Chrome OS has, and they're stored in /usr/share/chromeos-ssh-config/keys. And so what we can do is, we can actually, if we couldn't access the private key,
25:40
it turns out we can just curl it from chromium.googlesource.com, where they have the ssh_keys.tar.gz file. We save it to the Chromebook, we provision them into the temp directory (we could use /var/tmp as well), we chmod it, we run our ssh on a non-standard port and it's running, and then we can log in locally with the shill-scripts user by ssh. Or, we're already
26:09
shill-scripts, but we use ssh to log in locally using those private keys that are hard-coded, then matching with our keys we put in temp, and we're able to log in as chronos via the shill-scripts user.
26:24
So, a little priv escalation through living off the land again. So really we're trying to get root, I guess. I mean, you know, we're still really investigating the system, but we really do want to find root. So again we're going to look at the
26:45
users again, just validate what we have here. chronos cannot run the sudo binary, whereas shill-scripts can. You can write to /var/tmp and you can write to /home/chronos for persistence.
27:00
Um, shill-scripts can do /var/tmp but not the chronos directory. The chronos user can modify all SQLite3 database files on the system, because the logged-in user for the Chromebook is chronos, so we're able to manipulate those files. The shill-scripts user has access to
27:21
debugd and privileged processes, though. So, you know, both, both accounts look good to continue investigating. So again, looking at some more, uh, normal privesc type of stuff, looking for low-hanging fruit, and we didn't really find any of that. We do see files that may run as root or
27:41
root privileges, but the way they've done jailing, it was pretty secure. Sockets: we saw some of the sockets laying around, so we did try to connect to the sockets here. We had cups available, avahi-daemon, and a couple other things. Didn't really make any progress there.
28:00
So now I go for the unorthodox methods: crashing, glitching, and creating anomalies. And it's something that we did back in the old video game days where, for instance, in the Sega Master System, if you cartridge-tilted there was sometimes a second game on the chip. Uh, Sega Genesis, I think the first like 10 or so games that came out had both the Japanese chips and the American games
28:26
on there, and they didn't have time to remove the other chips, so they left them both in. So if you cartridge tilt you can actually get a second game out of these old games. Um, I'll do one more: NES, uh, Nintendo, uh, the first Nintendo. There was a game called Zanac, it was a space shooter, and if you
28:45
took a Zapper gun and plugged it into port 2 and went on the first controller, and then lifted the game up on the Nintendo a little bit till it kind of flickered and pushed it back down, when you saw the high score change to a fucked-up symbol you knew you had it, and it let you access level
29:03
selectors and all kinds of weird stuff. You'd hit the select key, you need to warp three levels, or hit the A button, just anomalous behavior. So we're going to kind of go for some of that here by doing nested jails and trying to overlap namespaces and things of that nature. So looking at all of your logs: you got /var/log/chrome, /home/chronos/chrome_debug.log,
29:26
/var/log/ui/ui.LATEST, and of course /var/log/messages and secure and dmesg. Those are really, you know, all we had to look at our output and our results here. So we tried to do minijail by using weird
29:43
orders of their parameters, and we found that you can access a root user, and that's normal: you can take minijail and create a root user into a container and restrict all the privs. But they were anomalous types of user environments and permission sets. So when we did this minijail -
30:03
cap u decimal m '' -cap m '' with a nobody user, it sets it to root and nobody nobody, and we can see that still home chronos. We caused some weird named pipes to happen and
30:24
overlap and delete each other occasionally. We did some suid weirdness here; there's some logs in here that you can look at later just to see the results. But we were able to figure out that
30:41
running certain commands would cause kind of a shadow pts or a tty, and they would overlap in the actual screen for the user. So it might be kind of hard to see on the far left here, but I tried to exit out of this and it logged me out, but then I'm trying to type stuff, and then you can see
31:00
at the bottom it starts getting weird. Something died here, the crosh prompt shows up, but then we got three dots and an arrow over here. Same kind of thing: we try to exit crosh, we exit it, it won't let it exit because it says it's only "xi", so our characters are being split in some way, and we
31:21
have no idea, no visibility into that. So again, tinkering more will provide more information in our logs. Trying to do sudos in certain environments would actually half work, sort of, and leave interesting logs. And we were able to, again, overlap file descriptors and namespaces in
31:42
really weird ways that didn't gain us any extra permissions, but we did gain a lot of information on how weird and anomalous these overlapping processes could cause the TTYs to be. So we're gonna pull back a minute and look at all the users, and we're gonna,
32:05
we're gonna look at /etc/passwd and /etc/group for all of our possible users and groups here, and we can use minijail to specify our user and group and then we can specify a shell or a command to run after it. And so we spent time just kind of enumerating. We could be the bin user and daemon
32:25
and adm, and turns out if you have a user ID that doesn't exist your name is "I have no name!@localhost". Again, over here, some of the output from some of the minijail environment and set here, and you
32:43
can see nobody nobody nobody. Sometimes you see, you know, we got cups here, nobody. So again, we can kind of provision some of the users, but we don't know if they'll work the right way if we don't have the right mount spaces and capabilities for them. But it's interesting to just go through all that and see if you can find some weird place to prove that's there, and there's definitely room to play
33:04
there. Um, let's visit all of our cellmates, shall we? So on the Chromebook there's a command called pinky that will tell you the real-world or the real-life user information in a quick format there. So that's easy enough to kind of go through; you can see what shells are set for each user and,
33:24
uh, description. So here we did, uh, again, our minijail messing around with the root, uh, trying to create a root user, and we use this dash, um, tick 0 1000 1 1000, representing
33:46
the chronos user. And we're trying to see if we can somehow access, uh, user 1 here, user ID 1 and user ID 0. They'll, they'll actually do a swap when you run minijail, so that when you leave the container you get your original rights back out. And we found through tampering you could
34:05
actually cause some really anomalous stuff where you had slight root access, or you could run root commands that would start to run and maybe fail because you weren't in the right environment, but disclose information. It keeps on providing you with what you need to move forward.
34:25
So we're going to try to get that root user out using a reverse shell here, since we couldn't get it locally. Maybe there's something with the set_ commands that gets provisioned and does a privesc or something. So we try to do, excuse me, a reverse shell and do our
34:42
openssl connection here. We see that we are root, ID 0, but we are GID nobody and group nobody here, so that is not root all the way. We can check in the environment again here to see who we really are, and we find out that we're Howard the Duck, the chronos user, and we know that our ID equals user,
35:07
our user that we have here is not really our real, a real root user; it's just mapped to the outside of the minijail to chronos, which again is expected, that's how it's supposed to work. But maybe there is some kind of way to get, again, this user out. So we went back in with set_cellular_
35:24
ppp, tried our reverse shell again through this, or the minijail bash command, and if we do an su it actually would give us limited root. We were able to run su - with that minijail configuration.
35:41
From there we try to run other root commands and find out maybe we're limited still: we don't have the right mount space, we don't have the right capabilities yet. So we keep on tinkering here; we're trying to break it, we're trying su, we're trying sudo, and we're getting all kinds of different information back from our phony user here. If we run chrome-sandbox, before we couldn't
36:03
run that, now it tells us that the setuid sandbox provides API version 1 but you need 0, and it says close: bad file descriptor, and read on socketpair: success. I don't know why, but that all popped up from that. Um, wasn't able to use it in any way. Um, another one here, showing the difference between
36:26
the first bad root user, that we didn't do the openssl and the su with: if we run dev_install there it says your environment appears to be incomplete when changing to root, did you remember to run the
36:41
full command, don't forget the dash. So they literally tell you what you need to run. So I ran sudo su -, and now when I run dev_install it just says that it's on developer mode. So that tells me I've gained some kind of privilege escalation there, in a small way. So, being thorough
37:01
again and looking at everything, I was kind of at a dead end. So we have D-Bus on the system, and D-Bus is all over the place now, and there are a lot of insecurities; there's a lot of processes that can be run as root, and for some reason we don't, we're not as resilient around the code and checking input sanitization there. Um, so D-Bus can also be complicated to go through; there's just a lot of
37:27
data to look at. So I pretty much wrote a bash script to help me identify all the endpoints and do introspect and things of that nature, but it's still good to go through them manually and look at things. I did a lot of grepping there; I would grep for policy user="root" in the
37:45
/etc/dbus-1/system.d directory, through all the conf files, to see what was root versus chronos versus shill. Um, that's, that's a good place to start there. And from there we start trying to maybe figure out if we can run some of these commands, um, and again, through introspection,
38:04
we're going to do an introspect and see what all of our options are. Um, this is a script that I wrote; it says it's a really nominal script, but it will connect to D-Bus and it will actually output all of the, uh, the interfaces and members inside of a file,
38:24
and you can easily grep those in as well. And when you do, um, when you connect to D-Bus, uh, that's running, versus, you know, asking for the activatable, uh, members through introspect or interfaces, you get different results back. It's better for you to
38:45
actually connect to the D-Bus and see what it spits out; they might be obfuscating code or this or that, so you just kind of try it. And what we end up with is a whole bunch of text files that basically get spit out into a temp directory, and I had it pre-populated, the gdbus monitor system, for all
39:04
of them, so I could quickly just enumerate through those and then spit the files out, uh, in this type of way, to where we can see cryptohome.conf and, whoops, all of the, um, all of the members here and all the calls that we can make. So cryptohome has to do with encrypting the user's, you know,
39:23
information, and it looks like we can access that in some way, and of course because we are chronos we know we should be able to access that, maybe for our own user. So again, some of the method and signal exploration that was done here: these are some of the sample commands and some of the endpoints, um, you know, that actually worked for us. We were able to get, like, our sanitized username from
39:46
the cryptohome interface here, and information about BlueZ, our Bluetooth stack, avahi-daemon, everything that's, you know, using D-Bus. So we're going to try to start running some
40:01
of those to see what happens and if we have access to all those. Some commands we were able to run; they would run as root, but we couldn't do anything. Some commands would actually run; you can, you know, ping, you're not allowed to ping by default before developer mode on chronos, but you can use D-Bus to do it. You can set the user password; you can't do it for, or you could, you could do it, but you can't
40:28
do it before dev mode has been disabled. And then we looked at enabling Chrome features here, just trying, and it says use of this tool is restricted to dev mode. So we're just being blocked in a lot
40:41
of ways from running some of this stuff. So now it's time to try to find a vulnerability, and so this is where the fuzzing comes in again. We didn't need to use a Pico for this part per se because we have the file system, but, um, we found again this packet_capture start, which, if you remember back,
41:05
we saw that the packet capture utility runs as root. So we have D-Bus here, and we know that we can run a packet capture because we tested it, and so once we get into the fuzzing we find out that there is a place that accepts a command, and it's coming off of the ht location. And so the way I
41:27
test blind injections like that is to, is to, um, do reboot; it's just a really quick way to do it. So I was able to find that reboot would run as root through this command injection. So I, I tried to
41:44
run a bunch of commands, and none of them would work really unless they were only one-word commands. And vi almost worked for me: when you run vi there it runs two processes as chronos and one as root, but you can't access it and you can't break out of the shell. But I found that there's a binary
42:04
called ex that lets us actually get what we need out of it. So this right here is our, let me go back here, this is our full attack path to root. Um, this is the whole provisioning process on the Chromebook that you need to do, that I talked about before, and when you run this packet_capture
42:26
command, you can see that every other time I hit enter I get a different prompt. Now that's matching up with what we saw before, where things were kind of going into the back. So what we found is that one of those processes is root and one is chronos, so we just figure, uh, let's just run the same
42:45
command twice and it's gonna work. So I did that, and it worked. I was able to get ssh running, uh, turn on iptables and let ssh run through, so now we can ssh to our own local port 22
43:02
using the /home/chronos ssh keys, and we can log in as root. And when we actually look at our environment there, we're root. That's it, we're done. And so we look at environment and set commands to validate that. We're going to go back and look at some of the other commands we haven't run before, check namespaces; everything lines up, we are root now. And so we're gonna, uh, there's an ip-
43:26
tables command there again. We can run fdisk now. We can try chromeos-setdevpasswd; it won't, uh, it will work for us now, and we can actually cat the devmode password out, and see that we can run debugfs and access file systems there, and actually cat the /etc/shadow file.
43:46
So we know we're root all the way. So taking the Pico Ducky, I put one script on the Pico Ducky, so if I plug it into my Chromebook it takes about 30 seconds and it will go through this process
44:00
and it will leave three tabs up on the Chromebook: one is shill-scripts, one is chronos, and one is root. So that is where the master key for the Ducky comes in. Again, just trying to be efficient, do one-liners. So again, here's what the actual payload.dd type of format would look like. So if you're not doing it on the command line, you're going through the Pico, you obviously have to use the Ducky
44:23
language there. So that's what the payload.dd file looks like; that's not the whole thing. Bonus round: now that we're root we can run bluetoothctl, we don't have to use the BT console anymore, and we can do what we want there. We can find and decrypt the Wi-Fi password in /var/cache, the default profile, and use an echo into tr there. And then we can also
44:47
start messing around with firmware updating. Another trick was, again, if you stop powerd it will allow all of the users to not be... you'll have a persistent shell, and the shell won't close
45:01
when you close the lid on the Chromebook. That's already required; I hated having to open the lid back up and wait, so I figured that out. If you stop powerd you don't have to, you can just keep the lid closed and work on it. Um, some of the other things we're able to do is inject a reverse shell into the .bashrc for the chronos user, so when they log in I would get a reverse shell out
45:23
of band. Then we can tamper with the SQLite files and enumerate the Chrome and file functions of the URL bar. So real quick, uh, SQLite's everywhere in there: all of our Google data is in there, there's credit card data in there, there's your history. Um, and then shout out to my boys over
45:46
here, Poncho and Red Team Wins, and who we got all their price... um, back when I worked, uh, at Coalfire here we did something called cookie baking, and we figured out we could stuff cookies by deleting an
46:02
existing cookie, and even if it was encrypted we could put it back in as a null-encrypted cookie and it would, it would work. So here's an example of stuffing that cookie, basically using the SQLite file, and it says "lrl was here". I'm using the Pico Ducky. You can do a Chrome, uh, enumeration
46:23
using the URL bar, and if you don't know what options there are you can get them from chrome://about. You can grab the file system, and you can do the network action predictor by typing one letter at a time and it will autofill for you, although it won't tell you all the
46:40
commands; in fact you can grep the system for more and find those hidden ones that they don't tell you about. Here's our file system. So by default you can actually access file system output from the browser. This is without exploiting; this is normal use. So in the Chrome browser you can look
47:01
at the /home/chronos/user Downloads, even if they're not logged in. They may put something there as a non... in chronos, or the non-, uh, authenticated of the system; they shouldn't see that. Um, quick, quick little shout out here: avahi-daemon. So I found a socket laying in /run, and I use
47:25
curl to connect to it, and you can use the, uh, --unix-socket parameter for curl to do that, and it gave me output that told me that I should try HELP. So I actually just changed the HTTP verb to HELP and it spit out the available commands. I went and Googled it, and I found on GitHub there
47:45
is a C file here that references that code, and we have an "if fuck equals go fuck yourself" in there. Um, anyway, that will just lead me into my shout out to Ray Liotta from Goodfellas, who passed away here
48:02
as well, and go fuck yourself. That is the end of my talk. Um, if you would like any information about what I've done, or the script, or to see it work, reach out to me, I'm happy to show it to you. Um, again, I'm the CEO at Lost Rabbit Labs. Like a shout out to my team, Tyler and Chris over there, and again, thank
48:22
you for the opportunity to speak here at DEF CON. It was an honor and a pleasure, and have the best DEF CON ever.