All right, folks, it's almost the end, but here we are again. I wanted to take a quick second and give a big thanks to our 2020 sponsors: Checkmarx, Google and Offensive Security. Thank you all so much for helping to make the AppSec Village happen. We couldn't have done it without you. If you haven't gotten your shirt yet, go to appsecvillage.com and pick up your t-shirt. Also, if you're interested in making sure that this is a lasting thing, go out and become a super fan for us. That would go a long way towards helping to make sure that, hopefully, if next year's DEF CON is in person, AppSec Village will be part of it. All right, without any further introduction or me talking, we are going to hear a talk from Mehmet Ince, a managing partner at Invictus Cyber Security and Intelligence. He's going to be talking about "A Haven for Hackers: Breaking a Web Security Virtual Appliance". With that, please help me welcome to the stage Mehmet.

Let's talk about finding zero-day vulnerabilities. In this presentation I'm going to take you on the journey with me of finding different vulnerabilities in a security solution; the combination of them will give us remote code execution as the root user. This is Mehmet. I've been doing vulnerability research since 2005 and I'm working for a company, Invictus Cyber Security and Intelligence. This is my Twitter handle, mdisec, and pentest.blog is the web page where my teammates and I share our technical research. Okay, so, Haven for Hackers, third edition. Actually, there's a story behind that title, and it started back in 2017. I was doing a pentest for a company and there were blue team members, and they were telling me "you are doing this", et cetera, et cetera.
And I started thinking about what happens if we somehow manage to break into the blue team product that they are using and write a custom rule in order to become totally invisible, because they are telling us what they are seeing in the product, and if we become invisible, that would be so nice. So that idea led me to finding remote code execution on various different SIEM and log management solutions back in 2017. And after one year, I was trying to send an email to a friend of mine and that dude was not receiving any email from me at all. It turned out that there was a problem on the email security gateways; they managed to solve the problem and eventually we started sending emails to each other, and I was thinking: all right, there are email security gateway products, and what happens if I manage to break into your email security gateway so that I can read all the incoming and outgoing emails? So that idea motivated me to find zero-day remote code execution vulnerabilities on Symantec, Micro Focus and Trend Micro. And the previous year, I was working at another client and the project was hardening the client's network in order to find data exfiltration scenarios. They were telling me, "we have the web security solution and only that device can connect to the internet. So all the clients have to go through that box, and if you find a different way to exfiltrate the data, that would be nice." And I was like, okay, so what happens if you find another zero-day vulnerability, especially on the web security and content filtering solutions? So when the attacker manages to execute code on the client network, for the data exfiltration and the C2 communication phase, they can exploit the content filtering solution. So this is today's topic. We are going to talk about the vulnerabilities that I found on a very, very interesting product. And I have a case study for you.
There is a product from Trend Micro, InterScan Web Security Virtual Appliance. I have done vulnerability research on specifically that solution, and we are going to see what kind of vulnerabilities I managed to find, and, using all of those vulnerabilities together, we are going to see some sort of code execution in the end. But before diving into the case study, I would like to talk a little bit about what content filtering is, in order to make it crystal clear to everyone. As you can see in the picture, there is a computer on the left which represents a client's network of the company. Those devices don't have direct internet access. They have to go to the proxy service first, and that proxy service goes to the internet, so that the organization can do some sort of analysis and apply rules on the client's network. So content filtering is happening here. We can imagine that content filtering solutions are a kind of specially implemented proxy service. The term is given to controlling the type of web content that employees, guests and customers can access while they are connected to the business's wired or wireless network, so that the business may apply control over the type of content that can be accessed, for example to stop employees by restricting access to certain types of web pages. On top of that, content filtering is also quite a good place to ensure malicious web pages cannot be accessed, such as those used for phishing, distributing malware, et cetera, et cetera. So we are targeting that kind of product in this presentation. At the beginning, I had too many motivations for targeting web filter solutions. Why are we doing this? First and foremost, obviously, all the clients' network traffic is going to the internet through that solution. That means if we manage to break in, we're gonna see the whole internet traffic of the organization's client network.
The second motivation is, as I told you before, clients that don't have network access to the internet must go through the web filter. So we need to find a better way to do C2 communication in red teaming scenarios. And I believe web filter solutions are quite a secure and stealthy way to do C2 communication. Of course, there are lots of different approaches, like DNS beaconing, et cetera, et cetera. But I believe that is a very secure and stealthy way. So, all right, that is the brief introduction to the idea and the main motivation. And this is the methodology that I usually follow for my vulnerability research projects. There are seven steps and we're gonna see every single step in detail throughout the case study. First and foremost, we have to find a way to get a free trial of the product that we're going to do vulnerability research on, because you have to, you know, break into the operating system level and you need to find all the source code, et cetera, et cetera, and you have to test your vulnerabilities and eventually you're gonna implement the exploit for the vulnerabilities you found. So you have to find a way to get a free trial, and it's not always easy, guys. It's not always easy. Sometimes, and most of the time, it requires having lots of meetings with the sales team. If you find the free trial of the product, I strongly suggest you start by reading the documentation, because there is administrator documentation for these types of solutions, and there is a huge amount of technical information about the product itself. After that, we are going to find a way to have root SSH access to the box, because we are going to do the vulnerability research and, in most cases, there is operating-system-level hardening and we need to get rid of all of that hardening stuff.
After that, you are in a situation where you've managed to install the software, I mean the solution, you've read the documentation and you've managed to overcome the operating-system-level hardening. That is the moment when you need to start using the product itself like a regular user, because you have to understand all the features, because that information will become so handy when you need to define possible attack vectors. After that, we are going to talk about the enumeration and configuration step. The most important phase is defining possible attack vectors, because you've got all the information you need; it is time to build attack scenarios, and then finding a vulnerability is the final step. We are going to see every single step throughout our case. In this case, I mean Trend Micro InterScan Web Security Virtual Appliance, version 6.5, you can download all of it from the vendor's web page. So getting a free trial was quite easy in this specific case. If you go to Google and look for the administrator documentation ("administrator documentation" is an important keyword here for the Google search), you can directly find the administrator file, which is usually around 300 pages. I strongly suggest you read the administrator documentation, because you're gonna see very, very helpful information about the product. As you can see here, the administrator documentation tells us there are different modes of the product. It can be transparent bridge mode. It can be transparent bridge mode with high availability, forward proxy, reverse proxy, ICAP, WCCP, et cetera, et cetera. So that product can be installed in very different modes. On the right side, you are seeing the forward proxy mode, which tells you that the product can participate in proxy chains and forward all the traffic to the upstream proxy servers. You will be seeing lots of graphics in the administrator documentation which will help you understand the product itself.
So we are reading the fine manual as well. Of course, for the third step, after reading the documentation, you need to install the solution in your virtualization system. During the installation, an admin user and password were set, and the product gives you the opportunity to make an SSH connection to the box with the administrator user. But the problem is there was a restricted shell on the SSH. There is a very, very limited set of tools that you can use in the SSH interface of the product. We need to find a way to have a direct SSH connection with the root user, because we are going to do remote debugging, we want to try to find all the source code and we're gonna do further analysis, et cetera, et cetera. So there's a little bit of a step before starting the vulnerability research. In this case, it was quite easy, because the product was distributed by the vendor as an ISO file. So you can directly install it into your VMware or VirtualBox. When you finish the installation, the idea is that you can detach the VMDK disk from the virtual machine that you just installed and then attach it to a different Linux machine. Then you're gonna mount the new disk and you are going to find the GRUB file, because there was password protection on the GRUB file and I wanted to get rid of that protection as well. You just need to remove the password protection line in the GRUB file. After that, in order to get rid of the restricted shell thing, you can go to the sshd config file and enable root login. If you do that, you need to go to the /etc/passwd file and set /bin/bash for the root user, which will give us a direct SSH connection with the root user without having any restricted shell at all. And we have to undo every single thing that we have done so far.
That means you need to unmount the disk, detach the VMDK file, attach it back to the original VM and reboot the machine. In that case, you are going to have a direct root SSH connection to the box. This is important: we need to get rid of operating-system-level hardening. So we are kind of ready to start using the product itself. In this case, I chose the reverse proxy mode, but I believe all the vulnerabilities that we found exist no matter what the installation mode is. For the fourth step, I certainly suggest you use the product for a day to get used to the features, because there is a lot of functionality, as you can see in the picture. There is URL access control, HTTPS decryption. Right now we know that the product can offload SSL. That means we can deploy SSL through the administrator interface. And there is advanced threat protection on the left side of the menu. As you can see, I hope you are seeing my mouse pointer here, there is advanced threat protection. That means all the HTTP or HTTPS traffic will be analyzed by the product in order to find malicious activities, because of that feature. Later in this presentation, guys, we are going to see how important it is to understand and get familiar with the product interface. Yeah, it's quite important. Just use it like a normal user.

So we have SSH access with the root user. The initial step is always enumerating the services. This is what I'm doing. Of course, there would be a better way to do it, but this is my way of doing it. I always look at the netstat command to find out what kind of services we have in the product itself. As you can see here, there is a uWSGI which listens on port 6011. That means we are doing some sort of assumptions in this phase. That most probably means there is a Python project running in the internal system. And there is a Java process which listens on the exact port of the administrator interface.
That means we are going to deal with Java when the time comes to do research on the administrator interface. There's another uWSGI here. And that is another important thing, because as I said before, that product acts as a proxy service. So there must be some service on the product itself in order to handle incoming HTTP connections from the users. So I ask about the IWSSD process that you are seeing here, which listens on 8881. This is responsible for all the incoming connections from the client's network. This is the major part of the product itself, because that is the one that is communicating with the clients. All right. So those are the services that we have in the product, but we need to find which of those services are allowed to communicate with different computers in the network, because in the end we need to exploit at least one of those services. So what I'm doing to find out that information: I usually run an nmap scan from my main host to the product's IP address, or you can just use the iptables list command to find out the iptables rules. According to those rules, most of the internal services have been forbidden from network traffic from outside of the machine. You guys remember the uWSGI service. If you keep doing enumeration, we are seeing very interesting information here. As you can see here, there is a supervisor process which is responsible for starting the Solr service. So right now we know there is Apache Solr and lots of Python services in the box. What is Apache Solr? It is an open source enterprise search platform written in Java. Its major features include full-text search, hit highlighting, real-time indexing, dynamic clustering, et cetera, et cetera. That means that the Python project that we are seeing here is responsible for reading and writing the log file into the Apache Solr service.
So most probably whenever a request comes to the proxy service from the client's network, the proxy service is sending some sort of signal to the Python project that we have seen here. It's something like an internal microservice. That Python project is taking the information and writing it into the Apache Solr service. Whenever the administrator user tries to query something through the administrator interface, that request will be coming to the Python project as well, because the naming convention here says: the dashboard parts, main, stats parts, summary parts. There's a lot of log parsing and writing to the Apache Solr service, and whenever it needs to be accessed by the administrator interface, that Python project is taking the responsibility again. It is quite important to know there is an Apache Solr service within the box, but unfortunately, due to the iptables rules that we have here, we're not gonna be able to directly communicate with Apache Solr at the beginning; later in the presentation, we will find a way to do it. All right, let's talk about the IWSSD process. If you grab it from the process tree, you see the full path of the binary. If you look at the file type, it is a symbolic link to the IWSSD process, which is a SUID ELF binary. And there are 61 modules in that binary. It's a very huge binary, and we can of course target that process, but it will require lots of reverse engineering. Of course we are going to do that at some point, but one of the most important attack surfaces, as you can imagine, is the proxy service itself. So far, I believe I have spent 20 minutes, I guess, and we managed to collect enough information about the product itself. So it is time to define attack vectors in light of the information that we got so far. We know that the administrator interface is written in Java.
And there is the proxy service, which is written in C++. I haven't told you that before, but it is C++, guys, it's my bad, sorry. And there are lots of internal services, but most of them are not accessible from outside of the box. You guys remember the SSL decryption and advanced threat protection features of the administrator interface. So we know that it does SSL offloading, it parses HTML content, scans files, et cetera, et cetera. My idea at that phase was: okay, let's start with the administrator interface and we can go after the proxy service if needed; you know, let's start with the administrator interface at the beginning. But there are lots of possible attack scenarios, as you can imagine. For one, if you want to, let's say, target the HTML parser of the product, like browser exploitation, you can just send a phishing email to one of the employees of the company that contains a link. Whenever the user clicks on that link, that request will be sent to the proxy service, the proxy service is gonna take that request from the client and it's gonna send exactly the same request to the destination server, which is a web page that the attacker can control. And whenever the proxy service gets the response, it performs analysis. It has to parse the HTML content and scan the file. That means you can directly attack the HTML parser engine of the product, you know. There are lots of different possible attack vectors; that was just one example that popped into my mind right now during the presentation, but we are going to talk about the administrator interface and then we're gonna talk about the proxy service.
You know, it is a Java project and I like working on Java projects, and every single time, whenever I'm facing a Java application, I always start by reading the configuration files, because, you know, the web.xml, struts.xml, all of those XML files contain very good, high-level information about the software that we are going to do vulnerability research on. And I don't want to live in an SSH connection during the whole vulnerability research. So we need to find the location of all the jar files by using just the find command, in step two. Then you can copy all of them to your main host for further analysis, because we are going to deal with lots of jar files. And I strongly suggest you use IDEs. I used to use JD-GUI for decompiling the jar files, but this kind of project has hundreds of different jar files, and if you put all of the jar files into JD-GUI, well, it wasn't working for me, it was just crashing or freezing, because it has to decompile all the classes and the functions and it needs to find all the cross calls. So I strongly suggest you use IntelliJ or Eclipse for that purpose. If you are up to using the IntelliJ IDE, there is a Java decompiler jar file under the decompiler library, which comes by default with IntelliJ, I guess. You can decompile all the jar files under the lib folder. You can change the name, of course. And we are going to put all the decompiled files under the lib-decompiled folder. If you go to the IntelliJ interface and look at the project settings, there is a library section here. You can import those libraries and sources all together, which will tell IntelliJ, "this is my Java software". IntelliJ will take care of the rest of the job. It's gonna process all the classes and you're gonna be able to just find a function that you are interested in and click on it to go to the definition.
Also, if you find a very interesting function that might have some problem in its definition, by using the IDE you can find all the different locations where that specific function has been called. So I strongly suggest you become friends with IntelliJ or Eclipse if you are up to vulnerability research on Java applications, guys. So, I beg your pardon. So we have access to the source code of the administrator interface. We are ready for the last step, which was finding a vulnerability. There are different approaches to doing it, like, you know, top to bottom or bottom to top. Bottom to top means you know the potentially vulnerable functions in Java, let's say, and you can directly search for those functions within the code base. If you believe that you've just found a very interesting, very insecure use of those potentially vulnerable functions, you can start from the bottom and go to the top in order to find out whether you control the parameter that is passed through all the function calls. Or you can start from top to bottom, which means, you know, starting by reading the filter or middleware definitions and classes, looking for the authentication mechanism, and then searching for all the controller or request handler definitions, which is important because that is the location where you can see the user-controlled parameters, et cetera, et cetera. In this case, I was using the top to bottom approach. I chose that approach for no very specific reason; I was, you know, having a fun time on a Sunday and I just started reading the source code and it was like a top to bottom approach. I wish I could show you all the code bases and everything, but I believe I don't have enough time to do it. So I just grabbed a very specific function definition, whose name is "mount device". It has to be a POST request to be able to execute the function definition. And there is a very interesting if statement here.
It tells you: if the request is coming from localhost, it is okay. But if the request is not coming from localhost, I'm gonna validate your session and your privilege as well. Since we don't have the username and password, you know, this is going to be a problem for us, because it is password-protected if the request is not coming from localhost. And there is one function call here, "get token", which will have a very important role in our exploitation; we will come back to it later. So that was the important part of the function, and we are moving on to more important stuff. It tells us that the request must be a POST request, and the POST body is taken from the request and it is a JSON object. We're gonna get the mount device string from the JSON data, and that part is quite interesting, because it performs some sort of escaping. If the mount device contains a double quote, it will be escaped. If it contains a backtick or a dollar sign, it will be escaped with a backslash. But the problem is, if it contains a backslash, it will escape the backslash one more time. So if we have the double quote, it will be escaped one time, and the backslash will be escaped one more time here. There is some sort of problem here. After that, there is a function call, "is valid mount device", which takes the parameter that we can control. If we manage to pass that if statement, we are going to see "exec UI helper cmd", which tends to execute an operating system command with a parameter that we control. So we need to pass that if statement; it has to return true. Let's have a look at that one. "Is valid mount device" is just like a very weak blacklist. It tells you it cannot contain bash, bin sh, perl, python, et cetera, et cetera. It validates, it performs some sort of blacklisting on that one. But the problem is it has whitespace at the beginning of the perl and the python commands here. It's a very weak blacklist.
We can bypass that without any problem. So we have to keep that in mind once we've managed to find a vulnerability. All right, we can pass that part and we can reach here. So it is time to read "exec UI helper cmd". "Exec UI helper cmd" is going to execute the UI helper binary with a sub-command, which is a command that we can control. What is UI helper? It is located here, it has root privileges and there is a SUID bit. So all the commands will be executed as the root user. If we find a way to execute our command, that command will be executed with root privileges, which is something very, very important for us. And finally, that function calls "exec cmd", which basically calls Runtime.getRuntime().exec. So obviously we have a command injection vulnerability here. We believe that we have the vulnerability here, and we need to do the proof of concept. Thanks to the "reading the fine manual" and "product features" steps of the methodology, we know where in the administrator interface, I mean which menu of it, is going to hit that specific endpoint. Of course you can build it from scratch, but this is easier for me. As you can see, that is the POST request and there is a mount device, and we can inject our command here, because the dollar sign will be used for the execution, and the dollar sign is escaped one time and the backslash is escaped one more time, which means there is no escaping at all: that backslash escaping undid the other one, and there is nothing left related to the dollar sign, which helps us inject our command. So basically we are executing the sleep command for 15 seconds as administrator, with root privileges. Let's talk about the exploitation of that vulnerability as well.
I'm one of the Metasploit contributors and I usually use the Python dropper for exploitation, especially when I'm exploiting Linux machines, but there's a problem with the Python dropper from msfvenom in Metasploit: it has to include the double quotes that wrap our dropper command in order to pass it to the Python process. That means we're not gonna be able to directly use it, because, as you know, double quotes are escaped on the backend service. So the idea is that we can use Perl, because Perl can take a parameter with single quotes, which we are allowed to use, and basically the idea is simple. I want to execute the Python dropper, but I'm gonna put that Python command into the Perl command. So basically, during the exploitation we are going to execute Perl, which is going to execute the first stage of the Python dropper. When the Python is executed, it communicates with the handler and the handler sends the second stage. So there's a, you know, chain of execution, one after another, and there is Ruby code, as you can see here, with which we can build a Perl command that contains our Python command. It's a quite nice trick. So I reported those vulnerabilities to the ZDI, and of course the ZDI told me that authentication is required to exploit the vulnerability, but we are going to see that the authentication can be bypassed, guys. So we have to bypass authentication. These are the initial ideas. We can find a stored cross-site scripting vulnerability, because we can force an authenticated user to send HTTP requests to the mount device endpoint where we have the command injection. Since the user is going to be manipulated by JavaScript, that request will be sent to the endpoint as the authenticated user. So we don't have to be thinking about the authentication stuff.
Another idea is that it would be handy to find something SSRF-ish; some sort of SSRF vulnerability could be quite handy in order to communicate with internal services, so that we can send a request from localhost to the endpoint. Or you can go directly after an authentication bypass. I don't have too much time. I'm just gonna show you how I found a stored cross-site scripting on the administrator interface. As you can see here, this is a very basic HTTP request to the proxy service. It tells the proxy service that I want to send a GET request to pentest.blog, and the proxy service does the job and sends the response back to the user. That activity is written into the administrator interface. Guys, remember the Python and Apache Solr stuff that we talked about 15 minutes ago. You know, that activity has been written to the Apache Solr database, which is presented in the administrator interface. So the idea is that we can control that data here, because we can tell anything we want to the proxy service. The idea is quite simple. As an attacker, we are going to intentionally download a very, very well-known malware through the proxy service. So the proxy product can detect it and produce a log entry, and it will be, you know, ringing all the alarms: "I caught malware", et cetera, et cetera. But the data will be written into Apache Solr, which is being used in the administrator interface, and very, very specifically here. So when the system administrator logs in and checks what's happening, we can execute JavaScript code in the system administrator's browser. Thanks to that JavaScript code, we can send an AJAX request to the vulnerable endpoint that we found in the first place.
So, you know, this was a quite interesting XSS vulnerability, because whenever the browser sends requests to the proxy, it performs full URL encoding here, but I'm manually crafting the request to the proxy service. That means there will be no encoding, and that data is not being encoded on the administrator interface. Basically, we have a cross-site scripting, specifically a stored cross-site scripting vulnerability here. So instead of popping up alert boxes, we can just make an AJAX request to the endpoint where we have the command injection. So I reported that vulnerability to the ZDI as well. As you can see in the vulnerability description, an attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the root user. But guys, you know, cross-site scripting is cool, I'm not underestimating any kind of vulnerability, but it is just not enough for me, because there is a huge setback: it requires user interaction for the exploitation. I was like, okay, I just found something very cool, you know, intentional downloading of malware, et cetera, et cetera, that is simple and cool. But I need to find a better way to continue the exploitation. You know, I got another idea while I was spending time finding the XSS through the proxy service. The idea is targeting the proxy service itself. As you remember from the previous slides, that is the HTTP request, the very simple HTTP request, to the proxy service itself. It tells the proxy service that I want to communicate with pentest.blog. The proxy service sends the request, gets the response and sends it back to the user, right? So what happens if I tell the proxy service that I want you to communicate with yourself? In that case, it told me, you know, "self-referential requests to proxy are forbidden". And I was like, all right, that means there are some sort of controls and lots of if statements in the proxy service itself.
What happens if I manage to trick the proxy service into communicating with an internal service? That was the main idea. So that is the function, the get end user authentication function. I set a breakpoint in here, which produced exactly the same error message that we have seen in here. And I just sent the same request, and it hit the breakpoint, and it tells you that get end user authentication, or the notification, has been called by prepare proxy loop rejection, which has been called by handle proxy loop, which has been called by do processing. So we're going to read all of those functions. So within do processing, there is one function call, which is is reverse proxy. And that function is a member of the http proxy config cache. So basically the product tries to understand, like, am I being placed as a reverse proxy? And in that case, handle proxy loop has been called, the function that we have seen on the previous slide. And that function calls TM socket address is same addr. That is the important part, because that function performs a full URL comparison of the URL of the proxy service with the URL the user is trying to communicate with. So if it is the same address, it calls the prepare proxy loop rejection call, and we are seeing that error message. So I just changed the port number to the Apache Solr service. And due to that change, there will be no match in the full URL comparison on the proxy service. And there is the administrator interface of the Apache Solr service. I can just communicate with it because of a very interesting bug in the proxy service. So as you can see in here, I'm allowed to communicate with the Apache Solr service administrator interface. So all right, that was another very, very, very important vulnerability, because we are going to leverage this vulnerability to bypass authentication on the systems. And in the end, we're gonna chain all of them together, guys.
So the Apache Solr service in the box, I mean in the product, was a very old version, because it's not quite easy to upgrade your third-party dependencies like Apache Solr or database servers. And in these types of solutions, it's quite hard to upgrade to newer versions. So there was a very, very old vulnerability in the Apache Solr service, but it is exactly what I need. It is an arbitrary file read vulnerability. So that is the name of the collection, and there is a replication endpoint, and the command has to be filecontent, and you can traverse back to the root folder, and then you can call whatever you want, and that will give you the ability to read the content of any file. So at the beginning there was no way to communicate with the Apache Solr service, but we found a very interesting bug, and by exploiting that bug, we are going to read anything we want. So far, so good. I want to remind you of the get token function. It was way back at the beginning of our presentation. Guys, all right. Do you remember that get token function? It is going to help us with what we are going to achieve in here, because that function takes cookies from the HTTP request and returns the value, but the problem is it prints out the value and the name of the two cookies, and the web application is running under the Tomcat process. So that standard output data will be written into the log file, which is the catalina.out file. So due to that little function, all of those valid session IDs are written into the log file, and we have an arbitrary file read vulnerability. So what we are going to do is, we're going to exploit two vulnerabilities together in order to get the content of the catalina.out file, which contains a variety of session IDs. And then we are going to collect all the session IDs together, and we can go to the administrator interface in order to exploit the command injection vulnerability with the active session IDs. So the idea is actually quite simple, guys.
In the first step, we are going to exploit a comparison bug in the proxy service, which helps us to communicate with the Apache Solr service that is running within the product itself. And this is very old software which has a vulnerability, and it is an arbitrary file read, and in combination with that vulnerability, we are going to read the catalina.out file, and by using regex, we're gonna extract all the session IDs that we have. And there is a check session endpoint. I haven't talked about it because it was quite easy. There is a check session endpoint in the product. We are going to test all the session IDs we have in order to find out whether they are still active or not. And if we find an active session, we are going to exploit the command injection vulnerability, and we are going to be executing an operating system command with root privileges, which will give us a C2 reverse shell to our command and control server. That is the idea. And of course, I have implemented a Metasploit module that performs all of those steps automatically. And I have a video for it. I guess, yeah, yeah, time is good. I guess I still have a few minutes. So let's see. And by the way, that Metasploit module has been merged into the master branch of the Metasploit project. You can just, you know, go and fetch the module, install the product in your lab and, you know, have fun. So when we run it, as you can see in here, it exploits the reverse proxy service and extracts the catalina.out file. And of course, this is a demonstration. There's only one session ID in the log file, and it's not active. And by using the session ID, it goes to the command injection vulnerability, and it executes an operating system command, which is a pro command. The pro command contains a Python command, you know, and all of those steps have been done automatically. And as you can see in here, we have a root session on the web filter solution of the company, guys.
That's it. Thank you very much.
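An added illustration, not the product's code and not part of the talk, of the proxy loop check the speaker describes: the weak check matches the full host and port pair, so a request aimed at the same host on a different local port slips through, while the hardened check refuses any destination that resolves to the box itself on any port. The hostnames, addresses and the stand-in DNS table are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical proxy listener (assumed values, not from the product).
PROXY_HOST = "proxy.example.internal"
PROXY_PORT = 8080

# Constructed name table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "proxy.example.internal": "10.0.0.5",
    "localhost": "127.0.0.1",
    "pentest.blog": "203.0.113.10",  # constructed, documentation-range address
}


def resolve(host):
    """Look a hostname up in the constructed table; accept literal IPs as-is."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None  # unresolvable


def weak_is_self_referential(target_url):
    """Flawed check: only a match on BOTH the proxy's address and port is a loop."""
    u = urlsplit(target_url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return resolve(u.hostname) == resolve(PROXY_HOST) and port == PROXY_PORT


# Every address this host answers on; a port-agnostic view of "myself".
LOCAL_ADDRESSES = {resolve(PROXY_HOST), "127.0.0.1", "::1"}


def hardened_is_self_referential(target_url):
    """Reject any destination that resolves to this host, whatever the port."""
    u = urlsplit(target_url)
    addr = resolve(u.hostname)
    if addr is None:
        return True  # fail closed on names we cannot resolve
    ip = ipaddress.ip_address(addr)
    return (addr in LOCAL_ADDRESSES or ip.is_loopback
            or ip.is_link_local or ip.is_unspecified)
```

The weak variant reports the Solr-style request on another local port as acceptable; the hardened variant refuses it along with loopback and link-local destinations.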