What's up? What the fuck is up, Denny's? I mean, DEF CON? Hi, I'm Jimmy Two Times, and I'm here to talk about how I broke my Chromebook with the Pico Ducky. I'll also say this: I'm a goon, I've lost my voice, and I'm gonna do my best here, so bear with me.

My name is Jimmy Two Times, Jim Olly, as I said before. I'm the CEO of Lost Rabbit Labs right now. I am a former member of the U.S. National Video Game Team; you can see some history on osgrelics.com, old school gaming. My hacking led me to get involved in the video game industry back in the 80s. I was the first person to beat Mike Tyson's Punch-Out!! and a bunch of NES and Sega Master System games, and I'm actually a character in two Sega Master System games, Zillion 2 and Wonder Boy in Monster Land. I'm also a 20-year martial arts student; I think it's important to be a scholar-warrior, and a hacker, in everything we do. So I just wanted to mention that, and I am dedicated to gamifying our craft, because this is all fucking fun. It's my first time presenting; I've been a goon for six years, Skytalks for eight, and this is a huge honor. So thank you, DEF CON, and thank you everybody for showing up. Appreciate it.

So we will be covering gamified hacking, container breakouts, fuzzing strategy, LOLBins (living off the land), retro assessments, unorthodox methods, and one-liners for the fucking win. I will say first off, this exploit is on an end-of-life Chromebook. It's a known vulnerability that was patched two years ago. However, I think some of the techniques in here will help bug bounty hunters and help other folks secure their Chromebooks. This Chromebook hack was done in a factory-reset state, and it was done living off the land, really, mostly, or only at the end. One-liners, they're like keys: it's a string that will open a door, and every chance we can, we'll use them here. And the Pico Ducky, it is a key. It's a shim, it's a key; you can shove it in and it will open a door for you.
So, gamified efforts. I feel like we're better at progressing when we have a challenge or an ankle weight on us, so it's often good to put yourself in jail and really be thorough on how to get out of there, to research all aspects of your environment. Being tenacious, thorough, and exhaustive is key in a lot of what we do, looking for the anomaly or the needle in the haystack.

So, performing retro hacking or a retro assessment is really about taking maybe an older device and taking a look at it and seeing, you know, ten years ago we had a device we didn't know much about; ten years later we know way more, and we're going to take it further if we take a look at it. Even if it's old, it's going to help us gain insight into the new versions we could create and some of the challenges that we need to solve. And again, putting yourself in jail here to expand your horizons. It's really about being thorough again with what's in front of you, not thinking you need an exploit or a zero-day; it's about being tenacious and trying all possibilities.

So again, TL;DR here. We took an old EOL Chromebook, an HP Pavilion 14, in an out-of-box-experience state. And with the guest user, we're able to gain local access through a crosh breakout when Linux isn't supposed to be enabled yet. And we're doing that by exploiting a command injection in the set_ command set. And we're able to utilize the shill-scripts and chronos user accounts, and root, before developer mode has been enabled and before any passwords have been assigned to the existing users. One of the other exploits that was discovered was a command injection in D-Bus, and that is where we got our root from. We were able to fuzz a parameter there and gain root access. And again, there's a couple of tricks here, old school tricks: redirection operators, the internal field separator, and we'll get more into that as we go. Passionate curiosity is absolutely not a crime. Is this not? Let's know that. Right to repair.
It's our hardware. We bought it. We should be able to do what we want. If we're afraid of affecting somebody's upstream infrastructure, we can just sever the network, sever communications. In this case, I did not. I wanted to connect into the Google cloud, and we did go from there. So these are all non-destructive techniques, meaning we didn't have to open a laptop up, or do anything crazy to modify anything here. And again, I was inspired really to do it. I like kiosk breakouts. They're fun. You know, it's a challenge. They're small little CTFs. So anytime you can break out of a jail, you win. The hardware we're using here today is going to be the HP Pavilion, the Raspberry Pi Pico, and the Pico Ducky software. And we'll talk about that in a second here.

So one thing I'll mention here on the slide deck is it's done sort of in the form of a video game. So this is how to play the game. Set up the environment. We began by factory resetting the Chromebook, powerwashing it. Then we boot it up. For the first-time boot, we log in. And we log in as guest. That's how we play. The helpful commands here during the out-of-box experience are for fun. There's actually something called Shark Mode. I didn't know that. One time I was booting up, I pounded on all the keys; it's an actual technique to find stuff. Pounded the keys and I saw Shark Mode. Shark Mode. And I got to find out it's part of their enrollment process. But there's a bunch of shortcut keys we found there. And you can also force your out-of-box experience back into the original state by deleting a couple of files out of /home/chronos and removing any user on the system.

So this is our game map. We have a Chromebook. We want to choose our attack path. So we have the Chrome browser. We have the crosh window, which has a limited shell. We can sideload: USB, SD, whatever other inputs. We have network. And I started out first with the crosh window just because Linux, Linux terminal, we want shells.
So I ended up going that route. And let's see here. Just looking at the crosh shell by default: it's not Linux-enabled all the way in the back end, as far as you can tell. There's no shell command yet. But you do have crosh --dev and --removable if you can run the binary. And let's see here.

So, fuzzing. We know we're going to have to fuzz. We know we're going to have to throw a lot of payloads at inputs. And we don't want to do that as a human. Your hands will hurt and your brain will hurt. So we started off here using the Rubber Ducky. I like doing Rubber Ducky stuff. But memory limitations, way too slow. So Ask from the info booth, thank you, Ask, let me know that the Pico Ducky software that Dave Bailey had created is awesome. And so I started this whole project out with the Rubber Ducky. And I got far, but as soon as I used the Pico, it just was night and day. And here we go. Round one, fight.

So we know that we have a crosh shell. We have some commands that we can utilize. You can go through those and extract them and put them in a text file. We're going to take all the commands and put them in commands.txt. Then we're going to take some fuzz payloads and strings and shove them in another text file. This is how we're going to build our test harness and how we're going to try to attack the Chromebook using the Ducky. So I just created a small Python script. I call it Fuzzy Ducky. It takes the commands, one command per line, and the fuzz payloads, one per line, and it will mush them together for you, basically. Tons of payload lists out there, fuzz lists. I've got to give a shout-out to Dan Mack and Ernie for his little short fuzz list. Unique. And then of course we also have things like SecLists and the Big List of Naughty Strings and anything else you can throw at it. This is the Fuzzy Ducky script on the left.
It's that simple: it takes the commands in from one file and the fuzz strings in from the other, puts them together, and converts it into the payload.dd file, which then can be transferred over to the Pico Ducky. And once again, thank you, Dave Bailey, for a great piece of software. You can find it at github.com/dbisu. It uses CircuitPython. It's all simple to set up, piece of cake.

So we have our Ducky. We have our shim. So we're going to open our Chromebook with the crosh window, Ctrl+Alt+T, and we're going to direct the input into the browser window. From there we plug in our Pico Ducky, and it starts fuzzing every command. And it's probably hard to see some of these screenshots, but if you take a look at the slide deck, which is going to be available, you'd be able to see all these commands. And I wanted to kind of, like, pick so it didn't happen on every aspect of this project. So it's all about sharing all this info so you can see what challenges I had and how I worked through things.

When we run our fuzz list here, we don't see much the first iteration, but once we start getting into some of the other payloads and running binaries here, we saw, where the Scooby-Doo is here, we can see that we got an eval error, a syntax error and an unterminated quoted string; those are things to get excited about. We definitely saw other errors from commands that we tried to run, but we didn't really see anything that showed us we had an actual binary that would work yet. So we keep going, and we find that even just using a parenthesis, a left parenthesis, right, generates an error, and it tells you cut --help, and now we know cut is in there and it will help somehow. From there we keep on fuzzing, and once you see a result or something, you just want to focus in on that one area, maybe add more characters, double the payloads, put a thousand characters after it, and keep nailing that one spot over and over again.
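A reconstruction of the Fuzzy Ducky harness described above, written for this write-up rather than the speaker's own script: it combines every command with every fuzz string and emits DuckyScript for Pico Ducky's payload.dd. The command and payload lists are constructed stand-ins for commands.txt and a fuzz list; STRING, ENTER, DELAY and REM are standard DuckyScript keywords.

```python
"""Fuzzy-Ducky-style payload builder (constructed example, not the talk's code)."""
from itertools import product
from pathlib import Path
from typing import Iterable, List

# Constructed sample inputs; the real harness read one entry per line
# from commands.txt and a fuzz list.
SAMPLE_COMMANDS = ["help", "set_apn", "ping"]
SAMPLE_PAYLOADS = ["(", "'", "$IFS", "A" * 40]


def load_list(path: str) -> List[str]:
    """Read one entry per line, skipping blank lines and '#' comments."""
    entries = []
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def build_payload(commands: Iterable[str], payloads: Iterable[str],
                  delay_ms: int = 300, max_len: int = 120) -> List[str]:
    """Return DuckyScript lines: one STRING/ENTER/DELAY triple per test case.

    Each case is "<command> <payload>", typed into crosh and submitted with
    ENTER, then a pause so the shell can print its error before the next case.
    Duplicate cases are emitted once; cases longer than max_len are dropped
    because crosh takes a single input line.
    """
    lines = ["REM constructed fuzzy-ducky payload", "DELAY 1000"]
    seen = set()
    for command, fuzz in product(commands, payloads):
        case = f"{command} {fuzz}"
        if len(case) > max_len or case in seen:
            continue
        seen.add(case)
        lines.extend([f"STRING {case}", "ENTER", f"DELAY {delay_ms}"])
    return lines


def count_cases(lines: List[str]) -> int:
    """Number of test cases (STRING lines) in a generated payload."""
    return sum(1 for line in lines if line.startswith("STRING "))


def write_payload(path: str, lines: List[str]) -> None:
    """Write the DuckyScript out (payload.dd is what Pico Ducky runs)."""
    Path(path).write_text("\n".join(lines) + "\n")


if __name__ == "__main__":
    script = build_payload(SAMPLE_COMMANDS, SAMPLE_PAYLOADS)
    write_payload("payload.dd", script)
    print(f"wrote {count_cases(script)} test cases to payload.dd")
```

Swap in load_list("commands.txt") and load_list("fuzz.txt") for the sample lists to reproduce the talk's workflow.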
So, analyze the results, checking all the output, looking for anomalies and verbose errors. The command injection, and going through that whole process, is sometimes really tough. Even doing things like XSS, you can't always get the payload you're looking for unless you spend hours trying to figure out how to get it to work.

IFS: we were able to use the internal field separator stuff here. We're using existing OS functions to create our variables and solve our challenges here, and then we use some redirection tricks for our output, because initially we had blind output; we can't see anything in the front part of the shell here. So we ended up trying to redirect output after getting blind results for a while, and we figured out here that using 1>&2, we're going to run the regular output through the error output, and that's going to pop it to the screen here. So this example here shows set_apn, and we have our parentheses at the bottom. And we have, sorry, it takes here curl$IFS--help$IFS1>&2: dollar sign IFS, that's our space character, then --help, then $IFS and 1>&2. That actually takes output and puts it through the crosh shell to where you can see it, where normally you'd be on the back end. So now we have output; we're no longer blind.

From there, I have like a top, I say top 20, we said top 10, but the first initial top 20 info-gathering commands I would try to run at this point. You know, this would be id and things to identify the file system, looking for uname and things like that, cat /etc/passwd, tailing /var/log/messages, and we were actually able to do all that. We're able to pull, using again set_apn with ls$IFS-al$IFS1>&2, and we have everything on the screen now from the password file and from the directory listing. Let's see here. Exfiltration tool. So while we're looking for binaries we can run on the system.
It's always good to try to figure out what you can use to input data and output data. So we want to upload, we want to exfiltrate. We were able to see that we had tar, curl, sftp, scp, ssh, openssl, openvpn, ping, smbclient, base64, all available to us from behind the curtain there.

So we're going to continue with command injection. We really want to get a shell at some point or get some more substantial foothold. So we start fuzzing again all these binaries on the system, and we notice that, like set_apn, all of them are vulnerable to this command injection. But what we end up finding out is that some command injections require parentheses or brackets around the IFS, ${IFS}, as opposed to just $IFS. And when it does that, it splits out your parameters and runs them slightly differently. So on the right, you'll see $IFS versus ${IFS}. And when we run those four commands, set_apn, set_arpgw, set_cellular_ppp, or set_wake_on_lan there, we will see that three of those commands run as the shill-scripts user. One of them runs as chronos. So we have an anomalous binary there that's running as a different user. So right now we have access potentially to two users on the backend system. We need to hack more, so we are going to do that with the Power Glove.

All right, so obtaining a reverse shell. Now that we know we can't really access anything locally per se through the window, we are going to try to get an out-of-band shell or access here. So I took a laptop, an attacker box here, and I set up a shell script on it to make named pipes in a temp directory to use OpenSSL to connect back into the Chromebook here. So on the Chromebook side we can take, and actually let me finish that up. We also have a Python simple web server running on the attacker box with the OpenSSL server with our generated key.
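An added illustration (not from the talk or from Chrome OS) of why the $IFS and ${IFS} trick described above slips past a whitespace deny-list, what an allowlist-plus-argv fix looks like, and how the same markers can be flagged in logs. The two validators, the APN shape rule, the hypothetical set_apn_impl name and the log lines are all constructed for this example.

```python
"""Weak vs. strict handling of a set_apn-style argument, plus a log scanner."""
import re
from typing import List, Tuple

# Constructed inputs: a benign APN and two arguments of the shape the talk describes.
BENIGN_APN = "internet.example"
INJECTED_ARGS = ["curl$IFS--help$IFS1>&2", "ls${IFS}-al${IFS}1>&2"]

# Weak filter: rejects literal spaces and semicolons only. "$IFS" contains
# neither; the shell expands it to whitespace *after* this check has passed.
_DENY = re.compile(r"[\s;]")
# Strict filter: the shape of a real APN (letters, digits, dots, hyphens).
_APN_ALLOW = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,62}$")
# Indicators from the talk: $IFS / ${IFS} word splitting, fd redirection, exec.
_INDICATORS = re.compile(r"\$\{?IFS\}?|\d?>&\d|\bexec\b")


def deny_list_check(arg: str) -> bool:
    """True if the weak filter would let arg through (the flaw being shown)."""
    return _DENY.search(arg) is None


def allowlist_check(arg: str) -> bool:
    """True only if arg looks like an APN; everything else is rejected."""
    return _APN_ALLOW.fullmatch(arg) is not None


def safe_argv(arg: str) -> List[str]:
    """Validated argument handed over as its own argv element.

    Passing a list (never a formatted shell string) means no shell sees the
    value, so neither $IFS nor 1>&2 has anything to act on.  'set_apn_impl'
    is a hypothetical back-end name used only for this example.
    """
    if not allowlist_check(arg):
        raise ValueError(f"rejected APN argument: {arg!r}")
    return ["set_apn_impl", arg]


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, first indicator) for lines carrying injection markers."""
    hits = []
    for i, line in enumerate(lines):
        match = _INDICATORS.search(line)
        if match:
            hits.append((i, match.group(0)))
    return hits


# Constructed log lines; the format is invented for this example.
SAMPLE_LOG = [
    "shill: set_apn internet.example",
    "shill: set_apn curl$IFS--help$IFS1>&2",
    "shill: set_cellular_ppp user secret",
    "shill: set_cellular_ppp bash${IFS}-c${IFS}exec${IFS}1>&2",
]

if __name__ == "__main__":
    for arg in [BENIGN_APN, *INJECTED_ARGS]:
        print(f"{arg!r}: deny-list passes={deny_list_check(arg)} "
              f"allowlist passes={allowlist_check(arg)}")
    print("flagged log lines:", scan_log(SAMPLE_LOG))
```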
So now back on the Chromebook, we can do our set_apn command injection using curl -L, and we can run that script file on the Chromebook, and we actually get a reverse shell now, and we are shill-scripts, and I used the Duckman over there for that user profile. So let's take a look at the other command, set_cellular_ppp, which allows us access to the chronos user. So let's see what happens when we try to get a reverse shell there. We do the same method and we find out we indeed end up as the chronos user instead of shill-scripts.

So we have access to two users now. We want to kind of compare them, see how they are different, see if there are any anomalies: mount spaces, namespaces, capabilities. So now it's about trying to identify unique privileges or capabilities in these users. You're probably not going to be able to see all that, I'm not sure, but again it's more comparison around all the capabilities, cgroups, namespaces and things like that, for comparison, and what we do see is that there are different mount points for these users. We know that the Chrome OS users are jailed in 365; they were using minijail for most everything, and so we know that some users are wrapped in a user script with minijail and restricted privileges, or elevated.

So we run some more commands here for info gathering, and looking at the kernel we find there's a /var/log/debug_vboot_noisy.log that has some information about the system, etc. Our /proc/version tells us what we're running; you can see that it's an older Chromebook there, based on the date.
Linux version is 3.8.11, and then again all the cpuinfo, cat /etc/issue, all the OS-related information, sysctl -a, and we can see where we're being blocked, what we can't do: we have protected_hardlinks and protected_symlinks, so they've secured it pretty well that way. And so this is where I took the approach of trying to run every command on the system as each of those users, literally being thorough and seeing if there was anything that would be anomalous, elevate privileges, or just do something weird. So we found out if we try to run chromeos-setdevpasswd we can't do that because we have no developer mode. We found a bugs binary on there that will dump all the logs for you and save them to a tarball, and of course now we can exfiltrate that with our SFTP and curl and everything else we have running. We can try to run some of the processes as chronos but they won't run because you don't have privileges, like chrome-sandbox and some other disk commands, PPP; they'll let you know you're not root, so you can validate that. I have a screenshot over here showing also that when we try to look at the memory of a certain process, ptrace is not enabled for us to do that, and it creates a log of that. So again, more information; keep your eye on the logs as you're tinkering.

So one of the things we figured out, I mentioned earlier crosh --dev would upgrade your crosh shell. So if you actually do the command injection and do your crosh --dev, you'll actually get the elevated crosh shell, and that gives you new commands: you can live_in_a_coal_mine, it puts you in the non-standard software there, packet_capture and systrace for the other two. So we upgrade and we start trying to run these other commands, and we find that running the packet capture fires off a process using /usr/libexec/debugd, and it's a capture utility, and it puts it in a minijail. If we look at the bottom here you can see we have a root process running minijail with some other parameters here: the capture utility, the file
descriptor and the device. Before I moved on I actually provisioned my attacker box to the fullest I could to communicate with the Chromebook. We actually had SMB on there, so you can do SMB transfers, you can do peer-to-peer; obviously the OpenSSL was on there as well. You can run a local OpenSSL on the Chromebook as well and you can log in locally if you needed to, which we'll look at here in a second as well. But all these commands are just the normal Linux commands that you would run versus the Chromebook command-injection-formatted commands, for comparison.

So after tinkering for some time I realized, why didn't I just try to run bash from the shell, since I had a command injection? Well, it worked, but there was no output. But again, we know we have our redirector, and if you do exec 1>&2 we now see the output in our terminal. So now we actually have a full local Linux shell. It's local; it didn't need an external system to do the shell. So we've basically done a breakout right there, and we can validate that we're chronos still. We can do all the same kind of commands we were running before, but of course we don't have to do any command injections; we're just free to roam. So one of the things I tried to do here was make a one-liner to basically write to the .bashrc so that it would permanently put in the exact command there for the redirector; that just makes it persistent for that session. nsenter is another one, breakouts with nsenter. I did sqlite; you can actually get out of sqlite and run the .shell bash command from there. There's a few other ways that you can do it. Let's see here, dash is on there as well, and we have sqlite on there, which is nice because there's a lot of SQLite database files on the Chromebook. So that's right there.

Over with our other user then, shill-scripts: we go back and we run our, if you remember here, set_apn allows the shill-scripts user whereas set_cellular_ppp is our
chronos user. So we want our shill-scripts user, and the way we do that is by provisioning OpenSSL locally, running our command injection with, and actually we have to run it with chronos to actually have it bind to the system, or it doesn't have the right permissions with shill-scripts. So it's kind of hybrid, but we end up getting a shell here, and this shell that we get is kind of special. The chronos user shuts off when you log out; it shuts all the processes off for chronos, or if you close the laptop lid. If you're using the shill-scripts reverse shell it doesn't shut down; it stays up and running because it doesn't get killed by the chronos user's processes. So we have local access, and again this is just how to set it up. You have to set up your key, your PEM, and we throw that in /var/tmp, and it turns out /var/tmp's got some persistence there across reboots. In crosh tab one we would do our set_cellular_ppp command, chronos user, for our OpenSSL, and in our second tab we start the OpenSSL client running as the shill-scripts user with our set_apn. And again, we had some issues with the payload, so we had to use base64 to pass it through, which works just fine since we have it on the Chromebook. And I haven't really mentioned it yet, but in order to get our interactive TTY we use /usr/bin/script -qc, and using bash there; you can use dash or sh or whatever else you wanted. So now we have two users locally; we no longer need our attacker box.

Here's the other cool thing we found out: we have hard-coded keys on the Chromebook. They're test keys that Chrome OS has, and they're stored in /usr/share/chromeos-ssh-config/keys. And so what we can do is, actually, if we couldn't access the private key, it turns out we can just curl it from chromium.googlesource.com, where they have the ssh_keys.tar.gz file. We save it to the Chromebook, we provision them into the temp directory (we could use /var/tmp as well), we chmod it, we run our SSH
on a non-standard port, and it's running, and then we can log in locally with the shill-scripts user by SSH. Or, we're already shill-scripts, but we use SSH to log in locally using those private keys that are hard-coded, matching with our keys we put in temp, and we're able to log in as chronos via the shill-scripts user. So a little privilege escalation through living off the land again.

So really we're trying to get root, I guess. I mean, you know, we're still really investigating the system, but we really do want to find root. So again we're going to look at the users again, just validate what we have here. chronos cannot run the sudo binary whereas shill-scripts can. You can write to /var/tmp and you can write to /home/chronos for persistence; shill-scripts can do /var/tmp but not the chronos directory. The chronos user can modify all SQLite3 database files on the system, because the logged-in user for the Chromebook is chronos, so we're able to manipulate those files. The shill-scripts user has access to debugd and privileged processes, though. So both accounts look good to continue investigating. So again, looking at some more normal privesc type of stuff, looking for low-hanging fruit, and we didn't really find any of that. We do see files that may run as root or with root privileges, but the way they've done jailing, it was pretty secure. Sockets: we saw some of the sockets laying around, so we did try to connect to the sockets here. We had cups available, avahi-daemon and a couple other things; didn't really make any progress there.

So now I go for the unorthodox methods: crashing, glitching and creating anomalies. And it's something that we did back in the old video game days, where for instance on the Sega Master System if you tilted the cartridge there was sometimes a second game on the chip. Sega Genesis, I think the first like 10 or so games that came out had both the Japanese chips and the American games on there, and they didn't have time to remove the other chips, so they left them both then. So
if you tilt the cartridge, you can actually get a second game on these old games. I'll do one more: NES, Nintendo, the first Nintendo, there was a game called Zanac. It was a space shooter, and if you took a Zapper gun and plugged it into port two and went on the first controller and then lifted the game up on the Nintendo a little bit till it kind of flickered, and you pushed it back down when you saw the game go into a fucked-up symbol, you knew you had it, and it let you access level selectors and all kinds of weird stuff. You'd hit the select key and you'd warp three levels, or hit the A button; just anomalous behavior. So we're going to kind of go for some of that here by doing nested jails and trying to overlap namespaces and things of that nature.

So looking at all of your logs: you've got /var/log/chrome, the chrome_debug.log under /home/chronos, /var/log/ui/ui.LATEST, and of course /var/log/messages and secure and dmesg. Those are really all we had to look at our output and our results here. So we tried to do minijail by using weird orders of their parameters, and we found that you can access a root user, and that's normal: you can take minijail and create a root user into a container, restrict all the privs, but they were anomalous types of user environments and permission sets. So when we did this, minijail0 -U -m '' -M '' with a nobody user, it sets it to root and nobody nobody, and we can see that it's still /home/chronos. We caused some weird named pipes to happen and overlap and delete each other occasionally. We did some weirdness here; there's some logs in here that you can look at later just to see the result. But we were able to figure out that running certain commands would cause kind of a shadow pts or tty, and they would overlap in the actual screen for the user. So it might be kind of hard to see on the far left here, but they tried to exit out of this and it logged me out, but then I'm trying to type stuff, and then you can see at the bottom it
starts getting weird. Something died here, the crosh prompt shows up, but then we got three dots and an arrow over here. Same kind of thing: we tried to exit crosh, we exited, it won't let it exit because it says it's only "xi", so our characters are being split in some way, and we have no idea, no visibility into that. So again, tinkering more will provide more information in our logs. Trying to do sudos in certain environments would actually half work, sort of, and leave interesting logs, and we were able to again overlap file descriptors and namespaces in really weird ways that didn't gain us any extra permissions, but we did gain a lot of information in how weird and anomalous these overlapping processes could cause the TTYs to be.

So we're going to pull back a minute and look at all the users, and we're going to look at /etc/passwd and /etc/group for all of our possible users and groups here, and we can use minijail to specify our user and group, and then we can specify a shell or a command to run after it. And so we spent a lot of time just kind of enumerating. We could be the bin user and daemon and adm, and it turns out if you have a user ID that doesn't exist, your name is "I have no name!"@localhost. Again, over here is some of the output from some of the minijail environment and set here, and you can see nobody nobody nobody; sometimes you see we got cups here, nobody. Kind of provisioned some of the users, but we don't know if they'll work the right way if we don't have the right mount spaces and capabilities for them, but it's interesting to just go through all that and see if you can find some weird place to probe there, and there's definitely room to play there. Let's visit all of our cellmates, shall we? On the Chromebook there's a command called pinky that will tell you the real-world, or the real-life, user information in a quick format there. So that's easy enough to kind of go through; you can see what shells are set for each user and the description. So here we did again our minijail
messing around with the root, trying to create a root user, and we use this mapping, 0 1000 1, 1000 representing the chronos user, and we're trying to see if we can somehow access user ID zero here. They'll actually do a swap when you run minijail, so that when you leave the container you get your original rights back out, and we found through tampering you could actually cause really anomalous stuff where you had slight root access, or you could run root commands that would start to run and maybe fail because you weren't in the right environment, but it still disclosed information and keeps on providing you with what you need to move forward.

So we're going to try to get that root user out using a reverse shell here. Since we couldn't get it locally, maybe there's something with the set_ commands that gets provisioned and does a privesc or something. So we try to do a reverse shell and do our OpenSSL connection here, and we see that we are root, UID zero, but we are GID nobody and group nobody here, so that is not root all the way. We can check in the environment again here to see who we really are, and we find out that we're Howard the Duck, the chronos user, and we know that our ID equals user. Our user that we have here is not really our real root user; it's just mapped to the outside of the minijail to chronos, which again is expected; that's how it's supposed to work. But maybe there is some kind of way to get again this user out. So we went back in with set_cellular_ppp, tried our reverse shell again through the minijail bash command, and if we do an su it actually would give us limited root. We were able to run su - with that minijail configuration. From there we try to run other root commands and find out maybe we're limited still; we don't have the right mount space or the right capabilities yet. So we keep on tinkering here, we're trying to break it, we're trying su, we're trying sudo, and we're getting all kinds of different information back
from our phony root user here. If we run chrome-sandbox, before we couldn't run that, now it tells us that the setuid sandbox provides API version 1 but you need zero, and it says close: bad file descriptor, and read on socketpair: success. I don't know why, but that all popped up from that. I wasn't able to use it anyway. Another one here showing the difference between the first bad root user, where we didn't do the OpenSSL and the su: if we run dev_install there, it says your environment appears to be incomplete when changing to root; did you remember to run the full command? Don't forget the dash. So they literally tell you what you need to run. So I ran sudo su - and now when I run dev_install it just says that it's not in developer mode. So that tells me I've gained some kind of privilege escalation there, in a small way.

So, being thorough again and looking at everything, I was kind of at a dead end. So we have D-Bus on the system, and D-Bus is all over the place now, and there are a lot of insecurities; there's a lot of processes that can be run as root, and for some reason we're not as resilient around the code and checking input sanitization there. So D-Bus can also be complicated to go through; there's just a lot of data to look at. So I pretty much wrote a bash script to help me identify all the endpoints and do introspect and things of that nature, but it's still good to go through them manually and look at things. I did a lot of grepping there. I would grep for policy user="root" in the /etc/dbus-1/system.d directory through all the .conf files to see what was root versus chronos versus shill. That's a good place to start there, and from there we start trying to maybe figure out if we can run some of these commands, and again through introspection we're going to do an introspect and see what all of our options are. This is a script that I wrote. It's a really nominal script, but it will connect to D-Bus and it will actually output all of the interfaces and members inside of
a file, and you can easily grep those as well. And when you connect to D-Bus that's running, versus, you know, asking for the activatable members through introspect or interfaces, you get different results back. It's better for you to actually connect to the D-Bus and see what it spits out; they might be obfuscating code or this or that, so you just got to try it. And what we end up with is a whole bunch of text files that basically get spit out into a temp directory, and I had it pre-populate the gdbus monitor system for all of them so I could quickly just enumerate through those and then spit the files out in this type of way to where we can see cryptohome, dot com, whoops, all of the members here and all of the calls that we can make. So cryptohome has to do with encrypting the users', you know, information, and it looks like we can access that in some way, and of course because we are chronos we know we should be able to access that, maybe for our own user.

So again, some of the method and signal exploration that was done here: these are some of the sample commands and some of the endpoints, you know, that actually worked for us. We were able to get, like, our sanitized username from the cryptohome interface here, and information about BlueZ, our Bluetooth stack, avahi, and everything that's, you know, using D-Bus. So we're going to try to start running some of those to see what happens and if we have access to all those. Some commands we were able to run would run as root but we couldn't do anything; some commands would actually run. You can, you know, ping: you're not allowed to ping by default before developer mode on chronos, but you can use D-Bus to do it. You can set the user password; you can't do it for, you could do it, but you can't do it before dev mode has been disabled. And then we looked at enabling Chrome features here, just trying, and it says use of this tool is restricted to dev mode. So we're just being blocked in a lot of ways from running some of this stuff. So now
it's time to try to find a vulnerability and so this is where the fuzzing comes in again we didn't need to use a pico for this part per se because we had the file system but we found again this packet capture start which if you remember back we saw that the packet capture utility runs as root so we have D bus here and we know that we can run a packet capture because we tested it and so once we get into the fuzzing we find out that there is a place that accepts a command and it's coming off of the ht location and so the way I test blind injections like that is to is to do reboot it's just a really quick way to do it so I was able to find that reboot would run as root through this command injection so I I tried to run a bunch of commands and none of them would work really unless they were only one word commands and vi almost worked for me when you run vi there it runs two processes as chronos and one as root but you can't access it and you can't break out of the shell but I found that there is a binary called ex that lets us actually get what we need out of it so this right here is our let me go back here this is our full attack path to root this is the whole provisioning process on the Chromebook that you need to do that I talked about before and when you run this packet capture command you can see that every other time I hit enter I get a different prompt now that's matching up with what we saw before where things were kind of going into the back so what we found is that one of those processes is root and one is chronos so we just figure let's just run the same command twice and it's going to work so I did that and it worked I was able to get SSH run turn on IP tables and let SSH run through so now we can send SSH to our own local port 22 using the home chronos SSH keys and we can log in as root and when we actually look at our environment there we're root, that's it, we're done and so we look at environment and set commands to validate that we're going to go back 
and look at some of the other commands we haven't run before, check namespaces everything lines up we are root now and so we're going to there's IP tables command there again we can run fdisk now we can try chromos at the password it will work for us now and we can actually cat the devmo-password out and see that we can run debugfs and access file systems there and actually cat the Etsy shadow file so we know we're root all the way so taking the pico ducky I put one script on the pico ducky so if I plug it into my Chromebook it takes about 30 seconds and it will go through this process and it will leave three tabs up on the Chromebook one is shell scripts, one is chronos and one is root so that is where the master key for the ducky comes in again just trying to be efficient do one liners so again here's the actual payload.dd type of format would look like so if you're not doing it on the command line you're doing it through the pico obviously you have to use the ducky language there so that's what the pico.dd file looks like that's not the whole thing bonus round now that we're root we can run bluetooth control we don't have to use the bt console anymore and we can do what we want there we can find any crypto wi-fi password and barcashill default.pro file and use an echo into tr there and then we can also start messing around firmware updating another trick was again if you stop powerd it will allow all of the users to not be you'll have a persistent shell and the shell won't close when you close the lid on the Chromebook that's already required I hated having to open the lid back up and wait so I figured that out if you stop powerd you don't have to you can just keep the lid closed and work on it some of the other things are able to do is inject reverse shell into the bash rc for the chronos user so when they log in I would get a reverse shell out of band then we can tamper with the sql light files and enumerate the chrome and file functions of the url bar so real 
quick sql lights everywhere in there all of our google data is in there there's credit card data in there there's your history and then shout out to my boys over here poncho and red team wins and we got all their brides back when I worked at coal fire here we did something called cookie baking and we figured out we could stuff cookies by deleting an existing cookie and even if it was encrypted we could put it back in as a null encrypted cookie and it would work so here's an example of stopping that cookie basically using the sql light file and it says lrl was here using the pico ducky you can do a chrome enumeration using the url bar and if you don't know what options there are you can get them from chrome colon slash slash about you can grab the file system and you can do the network action predictor by typing one letter at a time and it will auto fill for you although it won't tell you all the commands in fact you can grab the system for more and find there's hidden ones that they don't tell you about here's our file system so by default you can actually access file system output from the browser this is without exploiting this is normal use so in the chrome browser you can look at the home chrono user downloads even if they're not logged in they may put something there as a non in chrono the non authenticated of the system they shouldn't see that quick little shout out here avahi daemon so I found a socket and run and I used curl to connect to it and you can use the unix dash socket parameter for curl to do that and it gave me output that told me that I should try help so I actually just changed the HTTP verb to help and it spit out this available commands I went and googled it and I found on github there is a C file here that references that code and we have a if fuck equals go fuck yourself in there avahi um anyway that will just lead me into my shout out to Ray Leota from Goodfellas who passed away here as well and go fuck yourself that is the end of my talk 
um if you like any information about what I've done with this script or see it work reach out to me I'm happy to show it to you um again I'm the CEO at Lost Rabbit Labs like to shout out to my team Tyler and Chris over there and again thank you for the opportunity to speak here at Defcon it was an honor and a pleasure and have the best Defcon ever
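The cookie-stuffing trick the talk describes (deleting an encrypted cookie and re-inserting it as a "null encrypted" plaintext row) leaves a recognisable shape in the Cookies database, so here is a check for it as an added example; this is not the speaker's script or Chrome's code. It assumes a simplified subset of Chrome's cookies table schema, and the sample rows are constructed.

```python
"""Flag plaintext ("null-encrypted") cookies in a Chrome Cookies SQLite DB.
Added example, not the speaker's script. Chrome on ChromeOS/Linux keeps cookie
values in `encrypted_value` and leaves `value` empty, so an empty
`encrypted_value` beside a populated `value` is the shape of a stuffed cookie.
Assumption: SCHEMA is a simplified subset of Chrome's table; rows are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE cookies (
    host_key        TEXT NOT NULL,
    name            TEXT NOT NULL,
    value           TEXT NOT NULL DEFAULT '',
    encrypted_value BLOB DEFAULT '',
    path            TEXT NOT NULL DEFAULT '/'
)
"""

# Constructed rows: two normally encrypted cookies, one re-inserted in plaintext.
SAMPLE_ROWS = [
    ("accounts.example.com", "SID", "", b"v10\x01\x02\x03\x04", "/"),
    ("mail.example.com", "HSID", "", b"v10\xaa\xbb\xcc\xdd", "/"),
    ("mail.example.com", "SESSION", "lrl was here", b"", "/"),
]


def build_sample_db(path: str = ":memory:") -> sqlite3.Connection:
    """Create a throwaway cookie DB populated with SAMPLE_ROWS."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_plaintext_cookies(conn: sqlite3.Connection) -> list[tuple[str, str, str]]:
    """Return (host_key, name, value) for rows whose value is stored unencrypted.
    Every hit is suspect on a build that encrypts cookies; on an old build that
    never encrypted, baseline first, because every row would match.
    """
    cur = conn.execute(
        "SELECT host_key, name, value FROM cookies "
        "WHERE coalesce(length(encrypted_value), 0) = 0 AND length(value) > 0"
    )
    return cur.fetchall()


if __name__ == "__main__":
    for host, name, value in find_plaintext_cookies(build_sample_db()):
        print(f"plaintext cookie: {host} {name}={value!r}")
```

Point it at a copy of the profile's Cookies file (never the live one, which Chrome holds open) by passing the path to `build_sample_db`'s connect call or opening it directly with `sqlite3.connect`.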