 All right, we're back live and thank you, Tyler, for supporting DEF CON, supporting the community, supporting the Red Team Village, in order to have you here. With that said, without further ado, take it away. Hey, good evening, late night DEF CON. This is Fifty Shades of Pseudo Abuse, I'm Tyler Boykin, and this will be my talk. So we'll cover, do a quick about, and the intended audience level for this kind of thing is beginner to intermediate, and there's plenty of talks on some whiz, some cool advanced stuff, right? But I just figured we'd keep it in the beginner intermediate range, or if you're a more seasoned professional, you may pick up a few things, maybe a good refresher. We'll do a brief crash course on Pseudo, where it stands on the TTP, the MITRE kind of realm of things, and then we'll cover the Pseudoverse file. And then we'll hit up some enumeration and recon. And then we'll go into the fun stuff, which are all the examples. So a little bit about me, I'm an Aggie communications officer at the Marine Corps, cut my teeth with network engineering and information insurance. And then now I do security engineering for bi-light professional IT services. And so you can find me on Twitter and a few other places. Okay, so SuperUserDo, whether you're calling it Pseudo or Pseudo, where we're talking about the same thing, right? And it's basically any permitted user, the execute commands as another intended user, typically 90% of the time it's going to be approved, right? And the security policy, which is what we'll dive into as we're going into this determines what privileges, what allocations, what all can that user do. And the work on authentication, specific tokens are made on the Pseudo tracks, each and every failed or successful authentication. And it'll remember you for five minutes. So if you ever noticed that, and then so on. And so when you execute a command, and you'll see this later on too, unlike SU, as your security policy distates which environment you get. So whenever you are actually running Pseudo, you inherit all of that users in full environmental variables. For instance, you get the, unless it's explicitly stated otherwise. So you typically get their environment variables. You'll get a variety of IDs, right? And unless you specify otherwise, real effective user IDs, group IDs, right? You get a good variety of things up there, but it's as the target user. And so this is straight out of this, and these are straight out of the Pseudo man pages. I'm just going inch deep, mile wide stuff just to kind of give a little bit of a background. There is no easy way, right? There is no easy way. And this is to prevent a malicious user from escalating, abusing stuff if there are stuff that's allocated. Simply because there's the whole breadth of things. There's just the breadth of applications and features that can be manipulated maliciously. It gets rather hard. And so there are ways to mitigate this. You really crank down on the least privileged kind of method of the security and whatnot. But it's really, you have to be particularly stingent when allocating stuff. Okay, so we'll kind of shift gears here into PyTor. And so it falls under abuse, elevation control. So this shouldn't be anything new, right? This is pretty similar vernacular to what we've been talking about the past couple minutes. Adversaries may circumvent mechanisms designed to control and elevate privileges to higher level, and so on. And so where the Pseudo and the Pseudoers falls into is now the new format, which they went to sub-techniques. And I'll give you all a quick minute to read that. I think I'll got it. So, basically it says the same thing. Adversaries may perform Pseudo caching, and that's to where they go after those token files. And each user, and so in the directory, each user that attempts to authenticate via Pseudo gets their own specific directory, right? And then each attempt has its own little file, it's kind of cool. And then, so Adversaries may attempt to abuse the caching or misconfigurations in Pseudoers, in which that is where you'll actually wind up seeing, you'll wind up seeing a lot of the stuff for all this talk, or mostly out of Pseudoers misconfigurations. Okay, and that's a good segue. So Pseudoers, it's the primary, the primary configuration file when you're working with Pseudos, with Pseudo, it resides in Etsy. And technically, you can edit it with whatever you want to. That is not encouraged, because it is very syntax-picky. So, generally speaking, you make a copy of it and you use vi Pseudo. And if you use vi Pseudo to edit the file, right? It'll run the error checking, the syntax checking immediately upon exit. Or you can just, let's say, if you wanted to tweak something, mess with something. You can always just run the standalone checker on the file. So, and then, so that's what it's basically going to look like. You're going to have, if you make a misconfiguration anywhere in Pseudoers, it'll yell at you, like that. And then, and if you're good, then it tells you, okay. So, the Pseudoers is the, specifies the who, what, when, where. It's the BL, end-all, other documents contribute to this whole security order, this whole policy, but the main point of configuration, excuse me, is Pseudoers, right? And so, unlike by default, password authentication is required, but you can specify no password. And, but unlike SU, where you authenticate as the user, which you are trying to do stuff as, so let's say, root, you have to authenticate as root. Pseudo, you know, we're using Pseudoers, you authenticate as the user calling it, right? And so, it's a little bit less. And so, the file is composed of two main parts. It has some other sections too, but for, I mean, you can go into a little bit more detail about that. But for the purposes of what we're doing here, right, you're going to have your aliases, which are kind of like variables and placeholders, right? And then, and then you have your user specs, which are the 5Ws, you know, and there's quite a few user specs. And for these examples, and so, when multiple entries stack up, you know, they're applied in order, you see that a lot in user specs. And then, if there's, and then it racks and stacks in for the last one. So, aliases, the interesting thing is that these syntax on the man pages are actually a little less, when you see them in a Pseudoers file, it kind of makes sense because stuff, right? But the format kind of, eh, but essentially it's alias type, name, and then you go on and you can specify whatever you're trying to alias. And then you have your defaults that you can always set to. And so, moving on a little bit, the Pseudo allows for shell-style globs and wildcards, you know, it's not actual regex, but I mean, if you've ever done anything in Bash or Shell or whatever, right? It's similar in functionality. An asterisk, you know, is one or more. And then question mark is that any single character, you can kind of do range, kind of splitting between brackets, and so on. But this isn't, it's not actual regex, but it functions similar what you see in Bash or you kind of shell. Okay, so we're down to the user specs. And this is actually a little bit more of the intuitive part, in my opinion, because it basically, it's the who, what, when, where. You have the who, where, in the parentheses, you have the as whom, and you can use colons to delineate further detail of, you know, into that, right? And then the what, and then sandwiched between the what are tag specs that kind of throw stipulations on some of the activities on how it's done. And we'll go into that with the next slide or two. And so, the run aspect, so for example, me at server, me at post server, you know, as operator, these commands, it's not too much. And so tag spec, and this is what I was talking about earlier, it sandwiches in between the as whom and the command part, right? And this can either greatly drastically make, you know, a red teamers life easier, or it can make it a little bit more difficult, make it more complicated. No password, you'll see sometimes set in the wall, so you can deliberately manipulate the environment when you're calling those commands. And no exec prevents, you know, DLL dynamically linked applications from actually calling shell on themself or running commands themselves, you know, so say, and there's, we have an example of that later on also. But I'm gonna hope for that no password, so much easier. Okay, so enumeration, so there's manually, right? You have sudo l, and if you're lucky, and you know, this could be for any kind of real world pen testing CTFs, could be for any type of thing, right? You have sudo l, and it may be as easy as that. The user that you may have compromised may be a sudoers, and when you do sudo l, you may get a listing of every, you know, what all that user can do, right? You have Etsy sudoers, it should hopefully it exists. If you can read it as an unprivileged user, I think there are bigger things going on, or you're in a CTF, you know, but I mean, that would help you help enumerate and get a bigger picture of things. In the event that you cannot, for instance, let's say you can't do sudo, but you're still trying to look at version numbers or whatever else, you can still get the version of the number from sudo with capital B and just do some googling. You know, maybe you can find a user or service that can't use sudo, and then you may be able to leverage that for exploitation. Etsy group, and so same thing, you can see additional users that may be in, you know, the sudoers group. And then one of the places, it logs into our log, for off-log, and so that's all manual stuff. And generally speaking, because this is a subset of privilege escalation, so you don't need as much expansive tools and resources to really enumerate what you have, per se, you know, like let's say if you're doing some other things. But there are automated things for MSF, you know, you've got post modules, I think the interpreter has a few also. And then there's some pretty well-known scripts too, like Linenum, anybody who's done like CTLs and some other things that use Linenum, that's a pretty well-known one. Fall of sudo is actually pretty neat also, and I make another reference to the creators of that. And that particular one in the middle references that for that particular CVE. And so, okay, so examples. So, this is from, you know, the creator, Fall of sudo, and it's, and this is more the degree of examples, because it's kind of a spectrum, right? And I like to use the fruit, the hanging fruit kind of analogies, right? So, the two examples, a complete lack of configuration, right? It's nothing, wide open, it's low hanging fruit, right? That's the lowest hanging fruit, and you should go for the lowest hanging fruit first, because that's those are the beginnings. Everything, or you might see, you know, they've tried to configure secure sets of rules, you know, but there may be a bug in one of the applications, it may be some flag, or they just didn't know, you know, and so, but they're trying, and or just may not be configured consistently throughout whatever they're doing, right? And so, which is actually pretty normal for any other kind of real, real system hardening and whatnot, and you get the lowest of the fruit, you get the open sudo, and then you got the top part, which is the fairly secure, as he's mentioning, but for today's purposes, we're going to be mostly resolving, residing, mostly the middle, you'll have a little bit of low fruit, and we'll have a little bit of the cool stuff up at the top, but the middle is going to be, that's where the fun playground is, because it's a little bit game here, in my opinion. Okay, so when you're doing this, and you know, you want to get creative and inventive, because you don't necessarily, when you're, you don't necessarily have to get it like a fancy CVE, per se, with these, you know, you don't have to, you don't have to make an alphanumeric fricking rock chain, you know, or anything like that, it's, you're just using what exists creatively, and so that's kind of the cool part about it, you know, and can you read something off limits, you know, can you write to something, if you can write to something, then you can go even, you can go really further then, right, can you, you know, are there, this is where you're scouring the man pages, right, and you're looking for flags, you're looking for little subtle things that may be kind of useful, and so that's why it's more, and that's why it's more fun, you know, and it's kind of a misnomer, escalate laterally, you may be able to move laterally, you know, I haven't really seen any non-root users, specified sudoers, but that's an option, you can do sudo as a different user, you know, and so, but if using that gets you to a different user, I mean, that's worth mentioning on a pentest report, right, and that may get you to something bigger and better, it's not always about up and down, sideways works too, right, and so, with that, we are now entering low-hanging fruit, so this is the easy stuff, open sudo, the classic example, right, wide open user authenticates as himself, his or herself, whatever, and then the system is their oyster, right, they're one step, they're keystrokes away from root, and so, you go into a little bit more, so these, any applications that directly result in a shell, you know, they're pretty much right next to there, you know, this is your sh, ksh, zh, whatever, right, su, you know, and any actual programming languages too, because those are, those can, again, cough up shells, you know, cough up shells, cough up functionality, those are pretty big gummies, you know, and so, then we go, this is kind of like a little bit higher, we're turning up the volume, you know, on the, on the creativity a little bit, right, and so, you have, you've got commands, right, and then, so you're not, they don't give you, they can't give you instant shells, but it's not right out the bat, so you gotta dig for, dig for stuff a little bit, and you have to use stuff unintended, you know, you gotta think outside the box, and so, that's why I think, that's why I kind of like some of these, and so here are a few examples, when you do wget, right, for instance, if you supply i as an input file, it'll tip to read each line in that file as, as its own URL and it'll tend to shoot it, so if you do sudo wget whatever, say etsy shadow, right, each line of etsy shadow is going to be, wget's going to try to resolve or make a request to each line of etsy shadow, I mean, it'll fail, but that's, that's file read, right, you're now reading sensitive files that you're not supposed to, you know, and same thing with curl, and this one's actually kind of cool, these are two web requests applications, and you don't even have to make an actual web request for them, really, you know, so it's kind of neat, and so you continue to offset, and then, it'll automatically find where to resume, and you basically specify the, the remote name, which is local, and so then you specify file, it actually steps, in this format here, file, you know, kind of like you're doing FTP or whatever, or HTTP, no, the location on the local system, and it'll download it, and you can just, and you can read it, it's actually pretty neat, base 64 is another interesting sample, that's file read, I think it does file write also, I'll double check, but essentially, right, you're looking at, it'll, it's file read, and if you pipe it into itself and supply the D flag, you know, you have the clear text, and you have it on 64, and then GCC, if you supply wrappers, right, it'll, it'll run the command that you supply, and all, and all params are passed comma separated after the initial command, you know, and this kind of, and then at the very end, we're tagging along, let's say you have kind of a bug, or like a big gaping kind of bug thing, right, and, you know, it, this kind of, it's kind of a mix between the high level and the low level, but any bugs, right, that are incurred at Pseudo are going to have Pseudo consequences also, so where's my demo thing, okay, so, we will do some shell time, how about this, so L, section one, open Pseudo, so yeah Pseudo, L, right, anything, you do Pseudo, so cat root, root text, that's what it looks like, that's what I'm using for this particular, for these particular purposes, looks like that kind of jazz, right, so Pseudo L, and so this is pretty much the same thing too, if you run Pseudo, it's any of the top two, you're going to get an instant shell, creatively, I think the kind of neat one, and one that you can use for, if you're working, trying to get a non-limited shell is with the Python, and so Python and most interpreted kind of languages and some things except inline commands, correct, so for pity, pity spawn, pity the fool, bash, right, and so then your root, so pretty cut and dry, those are pretty, pretty straightforward, so now we're getting into a little bit more fun stuff with Wget and whatnot, so the, so if you notice it accepts an input file, and so that basically that's what it looks like, it tried to run the flag in our particular case as, you know, it tried to make a request to it and it obviously is going to fail because it's not, it's nothing, right, and so that's pretty, that was pretty neat when I first learned that, right, and so base 64, similar thing, similar thing, this was good, it comes in as, you're basically piping it to itself, you specify the D, which means decode, so here we go, wrapper, we have got root, it ran SH, and then last, and lastly for this little bit, curl, so it literally downloads and the spot, like into the local directory, we've got the flag, bada bing, bada boom, and so in this particular instance, it's just a small program, so you might have, right, just to show you an example, obviously, and didn't mention this before, but as we progress along, you'll see a common trend of applications having more than one exploitation vector, right, so it may not, it may not just be file read, it may can do file write, it may be able to do commands, right, is this depending on, you know, it just depends on how you work it and whatnot, and so in this particular case, it's the, you know, it basically takes in through standard input and sends that to system, right, so there's two, you know, at least two with this one, so I do sudo mycat, do root text, write file read, sensitive file read, but you can also, right, bnsh, get root, typical, you know, string exploitation, okay, okay, now we're going to get a little bit of fun now, so pager abuse, where are my, okay, those got mixed up, okay, so pagers, so whenever you run man or service or any kind of, any kind of terminal editor, and those things where you can scroll up, down, left, right, you know, that's called a terminal pager, and the interesting thing is that people know what it is, but they don't know what it is per se, but it's basically what happens by the scenes is a terminal pager gets called, and they accept extra commands when you supply an exclamation mark, anything proceeding that exclamation mark gets run, it's run as a command, so your editors, you know, dem, nano, et cetera, and so yeah, we'll go ahead and show that right quick, like, section two, pagers, if I can type, help, so yeah, if I do sudo man man, quick example, we're now in a terminal pager, you can go up, down, left, right, whatever, by simply typing stuff, it'll start parsing your input, and by doing exclamation mark, everything after this will be run as a system command, so vnsh, we're now root, et cetera, you know, and same thing with service, too, so sudo service, blank status, you get, I'm going to get all of them, and then kind of open up a pager, vnsh, easy be easy, and so a neat thing is, I, it incurred, you tend to forget these kinds of types of things, but let's say you do a service, but it doesn't have that particular, you know, much output, it's not really a, you know, it's more just kind of terminal fundamentals, perhaps, let's say you do cron status, right, and actually it does do a pager right there midway, but if, for whatever reason, if the pager ends prematurely, let's say it finishes, you can always just shrink your freaking terminal down to like here, you know, and then do it again, and you'll, and it'll, it'll open up the pager for you, so I think that's kind of neat, okay, so yes, get the gtfo bends, a lot of these are on gtfo bends, now I tried not to just go down and just start listing them off, I tried to grab a variety of different things, but so yeah, the gtfo bends is definitely very, very handy, if you're not using that, you're definitely crippling yourself in what you can do, okay, cron abuse, so this kind of goes without saying, if you can edit, if you can manipulate or run or do some, or do any kind of service types things as, as root, that's going to have root-like implications, you know, and so that's pretty, that's a pretty short slide, but so sudo l, or s-u-l, sorry, section three, cron l, yeah, and so in this particular instance, right, and so it's actually worth noting that if you do cron tab, you know, if you haven't done it before in the system, and you don't have, and you don't have the right environmental variable set, what's the first thing it asks you? It asks you, what editor, what would you like to use, and so then you have editor, you know, editor-styled exploits, and with whatever kind of services you can, you can do also, so in this particular case, sudo l, so let's do sudo cron tab e, and I already have something set up, but now we're in fricking vim, right, so any kind of easy peasy, but you can also, it's also the implication that you can edit the root, the root's cron tab, and run stuff as root, any kind of services, and in this particular case, I have this little script here, and all it does is, just for the example, it basically reads in root text and writes it to the current directory. It's pretty easy peasy, so sudo service, and you have to wait a minute, and let me see what's going on on the discord, okay, so at some point, probably in a minute, I might not just wait for it, but we'll see root text should hopefully populate up here, but I don't think I'll wait for that, so it'll have to deal with it. Okay, so now we're getting into a little bit more fun stuff, LD preload is actually kind of neat, so, and you need a bit of a background to understand what's going on, so LD preload, it's an exploit, you're abusing a feature that is intended to be used with dynamically linked binaries, whereas with all the methods and all the stuff is resolved at runtime, whereas it's statically linked, you get that bigger file, if you statically link everything, but you don't have to worry about shared objects being all messed up and whatever, you have everything in one nice big package, but this gives you, but obviously with dynamic linking, you do have a smaller file size, and you have your typical, your libc and a bunch of other things to worry about, but I mean overall it's a little bit more flexible, and so with the LD preload is actually, you can essentially tell it to load that stuff before it loads the other stuff, right, and so you can essentially overwrite any kind of method or function in whatever application you're running, you know, and then so we need to put a little too, put a few things together, you're combining a custom functionality with a binary that's being run as sudo, you know, and obviously that's going to equal fun, pretty fun, you know, and so and you'll see this in the environment, whenever you, and these are the, whenever I've seen it, it's been in the environment, and the binary also has to be compiled for it, and so the syntax for when you want to do, go about business with this, the sudo, LD preload, you specify, you can, you can make it, you can export it to the, to the M to your environmental variables, or you can just run it all one, like how we're about to do here in a minute, so demo, so L section for LD preload, so this particular case, we can run the example, and I tried to cite, I got some of these examples right out the internet, I tried to cite them, you can find these, I'll link to them, so if you want to look at them, reference them too, so in this particular case, the example was, it's a, it runs a loop, and it prints 10 random numbers, it calls ran, and it outputs the standard out 10 numbers, so in this particular case, because it's a dynamically linked, right, we could provide our own stuff, and we have the, the LD preload environment, environmental variable set, so in this particular case, cat, d random, and basically it's going to overwrite the ran function, and it'll just return 42, so example c, right here, right, and so it's, you're basically going to make, essentially you're going to make that do what you want it to, which is kind of, which is kind of cool, so for this particular example, so pseudo LD preload d, let's see what is this, d random random shared object to example, and as you see, we basically made random do what we want to, so it's no longer random, it just prints 10 42s instead of a bunch of actual random, so taking that a step further, oh, oh, we can manipulate the file as pseudo, so what do we do, we get evil, you know, and in this particular case, we're overwriting in it, which happens right off the bat, and, you know, we basically pop shell, so using a similar type thing, evil, we are now, it's pretty cool, and another cool thing is that it will finish running the rest of the application once we exit, see, because we, we only overwrote in it, we didn't overwrite the rest of it, so it's kind of neat, okay, installers, so it goes without saying, right, that installing any kind of application is a security concern, especially if you're going to install it as admin, as root, any kind of privileged accounts, right, and so these can definitely be leveraged in various kinds of ways, pip, apt-get, d-package, you name it, and so, like, for instance, a lot of these have multiple, let's say apt-get and, you know, d-package, they both use, they both invoke a pager, you can do stuff during install, providing custom functionality, for example, pip, when you run setup, hi, or when it's set up, you can specify entire methods for doing stuff, you know, it becomes your oyster, so obviously installing things, right, as root, is a big, critical security consideration, okay, we will hit that up, l-section, installer, sorry, okay, so pseudo-l, okay, so how does one make that a shared object? I can, you compile and link, you basically don't do a full compile, you don't do the full process for compile, and we can pull, I'm sure, if somebody doesn't share that with you, we can grab that here after this, but basically you make it a shared object, and it can be used by other other dynamically linked applications, so let me grab my thing, right, quick kill, okay, so for the pager, right, pager abuse, pseudo apt-get, change log, see, we now have a pager, so the old stuff still applies, right, and so having that kind of mentality that, oh yeah, we're familiar territory, right, it'll help us for later on, right, and so in this example, we have apt-get shell package, and all it's doing, you're basically providing custom functionality, and it runs at the very end, so all you gotta do, you can specify, instead of making a normal web request out, you specify a local file for which to draw from, and then it basically goes, like that, that's pretty cool, so, and the same thing with, when you go to setup, or setup, excuse me, pip, so in this particular case, we have a setup pile that you'd see in any kind, if you're installing any kind of module, any kind of thing written in Python or whatever, you'll have your setup pile, right, and in this particular case, it actually does a reverse shell, and so I'm gonna use, I need a split screen for a minute, I think that one was 1, 2, 3, 4, 5, okay, so 1, 2, 3, 4, 5, if we do sudo pip install dot, dot to specify from the local directory, and we do, and we have bada bing, right, pretty cool, all that jazz, okay, right on, right on, so path and secure path, so these, so if we recall back, right, globs and whatnot, you know, are acceptable within the sudo res file, to include, you know, the asterisk, star, whatever is, what are more, question marks, new characters, and so on, so, and this is kind of in the same family as your normal environmental variable path, right, it's in the same vein of exploitation, if the, if you see asterisks, you know, you see stars in the sudo res file, you can have similar consequences, too, so it's kind of similar in this particular case, not exactly, but for example, if you see a dot and m, it's gonna read from the current directory first, wherever it's being evoked, and then it goes on, right, it goes on down the line, right, and if you see an asterisk, that means anything for that directory, and so that's what's happening in this particular case, you know, anything in bin, you know, is pre-game, and so obviously that's not particularly secure, and so it's interesting enough for sudo res, right, you have the secure path, so if you don't actually trust, like, the environmental variables at the lower level, to be like well-formed or whatever, or to be secure, you can kind of override that with your own secure path, you know, but obviously if the secure path is misconfigured, you know, that's fun for more, more than one person involved, so and in this particular example, we made secure path temp, to show that it's kind of like misconfiguration of sorts, so l section 6 path, and for this one, I'm doing the bin, yeah, so and it's also, it's also worth noting, right, and other kind of privileged escalation mindset, that you know, I could run anything in this directory, and so as sudo, so you can basically write your own ship, you can do whatever, and it'll do, you know, you'll run what you want, so in this particular case, I just made id, it runs shell, it's weird, but whatever, you know, and so sudo, let me copy all that, I ain't typing it yourself, boom, id, we have shell, pretty, it's pretty, pretty intuitive, and then sudo l, so this particular one, it's going to check, it's going to check temp first, because that's misconfiguration on the secure path, and it's particular one, and there's actually another exploit later on that utilizes double stars, but this is for the example, this purposes, you know, where is usually, where is ping usually at, ping is usually user bin, right, but obviously, if we do sudo temp, and ahead of time, temp to ping, right, you get the flag, because in that particular file, it does the same thing, it's just reading and printing, right, and so that's just insecure path considerations when you're using globs and whatnot, okay, so we're getting there, we're getting there, okay, so this one's kind of neat, so editors and sudo edit, so you have your obvious kind of blatant stuff, you already got your pager whatnot, and anything of editors, you have file read, file write, any kind of commands, but how it does some things are kind of weird, right, and so there's a few new things I stumbled upon while I was even making this, you know, in the past months, so, and we will include an actual CVE with this also, because it's kind of in the same line of things, and so, and this is the actual CVE, it's on exploit DB, sudo edit does not check the full path, so if you use double globs, and so the POC for this is you create a sim link to anything sensitive, right, anything sensitive, and it'll resolve that as correct, and it'll run it, you know, and you're good, it's pretty cool, so we will get to keyboard mashing, L, section, seven, edit course, clear, sudo L, okay, so we can do that one first, so in this particular example, we have two direct, two directories, test, test to do with protected, which is the actual sim link to it, that is a, it's going to Etsy shadow right now, and then we have, let me scooch that up a little bit for us here, there we go, all right, and so the bar, I just, I just made some dirts, and this one is, it's actually really nothing, I think it has some stuff on it, I forget what I put on there, but either way the user can't access either of them, because they are, you know, it does not have the permissions, right, but so if I were to do sudo, sudo edit, right, and then specify test, test to protected, so it is worth noting that if you, fat finger something, you fat finger it, you know, you, it will ask you for a password, so if you specify no password on a security policy, and whatever you're doing is prompting you for a password, then that action is not covered under the policy, and you're likely not going to be able to do it, there we go, okay, so now we are in Etsy shadow, I must have been fat fingering something, so, and so this next example is actually kind of cool, so we have this entry right here, it's no password, so they're trying to lock us down to them, but they also have no exec, and so if we recall it, no exec is, it means no shells, or you can't run commands, you especially can't pop shells, right, and they are trying to lock us down to where we can only edit this particular file, which doesn't exist, but that's what, but you can obviously open it, you can create the file, and then save, or do whatever, and them, so, and we'll test that theory, right, pseudo, them, let's say we want to do root.txt, right, can't do it, because we're being prompted by a password, let's say if we use pseudo, them, and we actually do go to this, right, so obviously, and if we try to do our typical shenanigans, right, nope, denied, no shell for you, right, it's pretty cool, but, but, but here's a neat trick, you can, you can source externally from within editors to, to doing your own stuff, so colon E for edit R for write, for read, right, exactly, so I think that's pretty neat, and then you can basically get, you can basically kind of like wiggle around from inside, kind of like that, okay, we are hooking and jabbing, we got a couple more, and then we are done skis, so PW feedback, this is, this one is an actual, this is also an actual CVE, and has an exploit DB entry, so basically, in older renditions of pseudo, it'll ask you for, you know, your password, but when you supply stuff via standard input, it gives little, it gives little stars, and essentially, there is a stack based up buffer overflow, it's too many, you know, too much, too much input with the, through standard input, and you supply long enough of a string, you can then put in whatever malicious badness, goodness, that you want, and so, and it's actually pretty, it's pretty self, it's actually pretty simple exploit, you know, and it's pretty, it's pretty simple to check out, and we will go ahead and do that, however I need to see what user, one second, I need to get what I call these, because I don't call them all intuitive names per se, eight, well that one is, okay, okay, PW feedback, right, so pseudo L, in this particular case, we do, yeah, see, we do need it at this time, we do need it to prompt us for a password, so we can actually exploit, you know, we can smash the stack basically, and so, and I have two POCs, and then I think ones you can find it on, I think I'll link to at least one of these, they're pretty self-explanatory, so this first one, it's, I mean, a hundred days, it's a hundred days terminated by null, and it does this 50 times, and then after that, you can pipe in whatever stuff, you know, whatever commands you want, generally speaking, after the S, and so, so for instance, if I were to do pseudo, actually, POC, we are rude, right, and notice in here, we're not actually supplying a password, because it did ask us for a password, right, so if we do pseudo whatever, it asks us for a password, and we have to supply it, but because we smashed the stack, basically, and then supplied our own command, that's basically how we wouldn't limit our business there, and the same thing with POC too, is the same concept, is this more fanciness, in that case, it does a reverse shell, you know, like before, okay, we have about 10 minutes left, I'm going to go ahead, and now we can do that one too, why not, why not, Tmux, that's curious, oh my god, well they almost, they all almost worked, I might have to fuck with that later, but they'll get the general principle, demo gods, so okay, limited shells, this one's actually pretty neat, and I learned this actually doing by doing pentester academy, you know, and so, and if you're trying to look for different neat kind of ways to enhance your existing skill set, right, or learn completely new things, I highly encourage that, you know, I'm not trying to, I'm not trying to show for pentester academy your bivik, but I mean, he's a great instructor, and they have some great coursework, and so in this particular one, just showing this particular example, and it's kind of a hypothetical too, right, so you say you have a particular, you have, you have used credentials, you can do, normally you would be able to do sudo as a user, but you do not have a full TTY, let's say for whatever reason, you can't make a full TTY, you can't do the SOCAT, the STTY raw echo trick, you know, all those normal things, let's say it's not, those aren't working, but you still have a limited shell, and you have the ability to run sudo, because you can run sudo and you have the user's credentials, right, so you can use, in this example, the expect command, right, and the expect command basically simulates user interactivity, and command, you know, on the map page, this is alphabetically, but there's always, there's four of them that you would practically really need to know if you, in order to run this example, spawn, which spawns the command, or whatever you supply, send is providing input to standard input, expect parses, I think it does both standard out and standard error, I haven't tested that, but I think it does both, at least does standard out, and then you have interact, and then that basically goes hand on, it's hands on at that point, it's kind of like, if you're used potentools with Python, right, it's like the interactive, similar, similar kind of mentality there, and so I'll break that, I'll break this down, expect C, you're supplying to command, you then spawn sudo s, so it's kind of like a spawn to spawn to spawn thing, right, sudo s, in this case, we're just going to read root dot text, you know, we spawn that process, it then, we then look for with globs, it supports globing too, so you don't have to be exact, exactly, you can do a little bit of wiggle room when you're doing your expect, we'll look for password, because that's typically what you see whenever you're prompted, you know, by sudo, we will provide the password, you know, and which in this case, it's always the username, because for demo samples, you have to, you do have to provide your own enter, and then you interact, so demo okey-dokey, and this one will require a limited shell, or require a reverse, I forget, okay, so in this case, I made a shitty little, didn't really make, oh it's one, two, three, four, I'm sorry, four, so it's a little crummy shell, you can't do any dang, you don't have an environment, there's no terminals, no nothing, it's bare bones, what you might see, it's what you might see if you're doing a CTF, a real life pen test, you know, where you don't actually have functionality, or you know, it's limited shell, it's a limited shell, it's a limited shell, right, no, you got nothing really per se, so in this particular instance, we will then, we can then supply the big glob that we had previously, and so hit enter, and there's our flag, so we're at the finish line now, and this one's actually a pretty quick one, and it's more recent too, this one is, it doesn't check for the existence of the user, and so when it runs, it executes with the arbitrary user ID, and it returns as zero, zero is also root's ID, right, and so, and then it matches the executor privileges, or whatever you specify on the end of it, and you can test that out too, because if you specify, see in the as whom clause of this user spec, you can specify you can't run stuff as root for instance, right, and so this particular one, I actually do need a copy and paste, my username is the, it's not as intuitive, okay, sudo l, right, so generally speaking, if I try to do anything, either not as this particular application, or if I try to do that but as root, it's obviously not going to work, because it is explicitly stated in the user spec, however, given this particular type of sudo, you don't have to worry about that, right, and so let me get, excuse me while I whip that out, okay, so yeah, you simply just do sudo, you, and there's tons of scripts too, where you basically scrape the, you scrape the internet, looking for this pretty, they're pretty nifty, so if I try, well if I try to run anything other than those two, you'll get prompted by password, which means, you know, given that there's no password, you see asking for password, you're wrong, so we'll just do id, and we're root, we at least have the roots uid, and if we do bash, we are now root, okay, that is good, so a recap, we covered sudo, sudoers, you know, we went through open sudo, we covered a bunch of easier application stuff, that's out of, this is out of order a little bit, disregarded, now, and so, so yeah, we covered a variety of things from different angles, from GTFO bins, to some CBEs, from stuff from exploitdb, and just try to develop the whole mindset, right, that, you know, you can really dig into sudo, and get creative, and really have fun, really have fun with it, and so I tried to cite as much pop, I tried to cite everything that I could pull from, and I included that at the very end, if you happen to see your material featured in here, and I did not give you proper citation, just let me know, and I'll add it, I'm not trying to plagiarize your stuff, you know, I try to give all the citation credit where it is due, and that is my talk, okay, do we have any questions? I was trying to get the mute button working, but yeah, basically, first of all, thank you so much for supporting us, and for the great presentation here, we're accepting questions through Discord, and if you just join us, you know, in the bottom of the screen, there should be, whether you're on Twitch or YouTube, there should be a link to our website, and of course, from there, you can actually get to our Discord channel, so if you have any questions for Tyler, please do so there, we're gonna go in a brief break, and then the next presenter will start in about 15 minutes, thank you again.