Hey folks, Adam Doupé here, and today I'm going to be doing a live hack-through of the pwnable.kr level Shellshock. So let's dive right in. So the title should be an immediate giveaway. If you don't know what Shellshock is, I highly recommend you go read up on this vulnerability in bash. It is super interesting, and so I'm actually really excited that hopefully this challenge will have something to do with that. So let's read this. It says, "Mommy, there was a shocking news about bash." That's true. I bet you already know, but let's just make sure. And this actually really ties in with my hacking philosophy. So I truly believe that if you really want to learn how to break something, you need to not only be able to understand the theory and understand how stacks work, how string copy works, how everything actually works, because fundamentally, at the end of the day, hacking is all about knowledge and using your knowledge to control a program and force it to do something that it wasn't intended to do. But the other thing is, the knowledge is not the only thing. You need to actually put fingers to keyboard and actually be able to hack and exploit these things. So let's dive right into this one. So here we are. So we have the shellshock binary again. So this is one which is setgid shellshock_pwn, which has the same permissions as the flag. The interesting thing here is there's a bash in this directory. So we have shellshock, bash, and shellshock.c. So let's jump in and see what this code is all about. Perfect. So this actually makes sense. So what it's doing is it's calling setresuid based on getegid, right, get effective group ID, okay, so it's setting your IDs to your group. So it's actually turning us into the shellshock_pwn user, which is the group that we're executing as. Yeah. So this is what this is doing.
You should definitely read up on these man pages if you don't understand what this is doing. But this is basically: setuid gives us an effective user ID, and this is changing our actual user ID to this, and it's calling system("/home/shellshock/bash -c 'echo shock_me'"). So if we do ./shellshock, we'll see shock_me. If we run file on bash. So now what we can do is a few things. So what I know off the top of my head about the Shellshock vulnerability is what bash would do if an environment variable was set. So what bash would do is it would go through all of the environment variables that are stored in the local environment, and if there's anything that looks like a function definition, it would actually execute that function. So rather than actually look at what a Shellshock exploit looks like and then use that to do what I want to do here, what I'm going to do here is I'm going to try to challenge myself to see if I can do this just based off of what I know about Shellshock. So, well, maybe I could do man bash and look for, basically I want to know what does a function look like in bash. And so, shell function definitions: a shell function is an object that's called like a simple command, next to a compound command with a set of new positional parameters. Shell functions are declared as follows. See FUNCTIONS below. So that sounds interesting. That's definitely where I want to be. Okay, so it stores identical to a function, the DEBUG trap. So the problem is, if I remember correctly, so how do we pass? So one thing we can try to do is, looking at the shellshock code, right, so we can't actually control this parameter that gets passed in here. So it's calling /home/shellshock/bash -c, so we don't control anything in here. We know it's just calling that. But what we can do is we can change maybe the PATH if we wanted to do that. And this is how: any arguments you put here, this is going to be passed as environment variables.
So for instance, and the way to kind of test this for yourself if you've never played around with this, you can use env to look at and output all of the current variables. So if we say foo=bar and then run env, we'll see foo=bar in the environment. So this means I need to build up some kind of Adam=<some kind of payload> and then call this shellshock. The problem is now, so I already tried to challenge myself to look through it for here: variables local to the function, any builtin variables, function names. The problem is I don't know the exact syntax. So I'm trying to see if there's a way to store a command here, to figure out what's the syntax for storing a function. But let's see. Okay, aliases allow you to do various things. Command execution environment. 2014, so that's the one this came out. So this must be, definitely must be a, so if I do bash --version, it'll tell me it's two dot four dot two dot. And if I just do bash, it tells me that this is a non-vulnerable version. Okay, great. So, all right, that's not very useful. So let's look at how to store a function in bash. And what this was done for is, this was done in order to, saving bash functions. There we go. I think this is what we want. So this was used if you wanted to invoke bash or another process and pass a function. So you know what, let's just, so maybe you can take a second and try to figure this out on your own. But I want to get this done, so: Shellshock (software bug). So this was in 2014. So this timeframe is perfect. It was one of the first to use this kind of thing. Okay, so function definitions, environment variables. Yes, this is exactly what we want. So I wonder if they'll have an exploit here. And so, super dangerous because, there we go, I see it did have something like this. Okay, so here's our function definition. And then Adam is going to, we're going to set equal to this.
And anything we do after here is going to be after this semicolon, so we just should be able to do cat flag. shellshock. There we go. So that was a success. Man, that was super easy. And so this was super important, because anything that allows you to, like GitHub: when you check out a git repo, you're actually SSHing into that machine. And so you could use the environment variable SSH_ORIGINAL_COMMAND, which you could set when you SSHed in. Web servers that use CGI, so CGI creates environment variables. So this was super dangerous. There's a ton of different exploitation vectors here. So here we go. We can copy this in and we can get our flag. All right, so this is actually a great, I love challenges like this that actually force you to look at and understand different types of real-world vulnerabilities. And the crazy thing about Shellshock, when you research this and look into this, is this was around for 20-plus years. So this vulnerability has just remained latent in software. So that kind of helps make you think, well, what about other vulnerabilities in other types of software that I use all the time? So, all right, thanks everyone. And I will see you next time.
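Two defender-side checks for what the walkthrough above demonstrates, as an added example that is not part of the video or the pwnable.kr challenge: a test of whether a given bash binary still imports an environment variable that looks like a function definition and runs the command after it, and a count of access-log lines carrying the same "() {" marker via the CGI vector mentioned at the end. The binary path, the log format and the sample lines are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the video or the pwnable.kr challenge: two defender-side
# checks for the environment-variable function import the walkthrough exploits
# (the 2014 bash bug the video calls Shellshock).

# 1. Is a given bash binary still affected?  Prints "vulnerable", "patched" or
#    "missing" (no such binary).  Unpatched bash imports any environment variable
#    whose value starts with "() {" as a function and keeps parsing past the
#    closing brace, so the trailing "echo vulnerable" is executed at startup.
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "missing"; return 2; }
    out=$(env 'probe=() { :; }; echo vulnerable' "$bash_bin" -c 'echo done' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# 2. Count web-server access-log lines whose header fields carry the "() {"
#    marker, the tell-tale of the CGI vector mentioned in the video.
#    Reads log lines on stdin and prints the number of suspicious lines.
count_shellshock_probes() {
    grep -c -F '() {' || :
}

# Constructed sample access-log lines (not real traffic): one ordinary request
# and one whose User-Agent header carries a function definition followed by a
# trailing command, which a CGI script run by vulnerable bash would have executed.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/echo probe"
EOF
}
```

Run `shellshock_check /home/shellshock/bash` against the challenge's bundled bash and `sample_log | count_shellshock_probes` (or feed a real log on stdin) for the detection half.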