Hello world, I'm Zanidd and today we will get the cake and we will eat it
Holy beep - pwn.
That's it. We have code execution on the fridge
You can already see the secret cake
Recipe wintermuteds todo list has mentioned that the door alarm on the fridge sounding all the time
This is usually a sign of the holey beep vulnerability before we do anything
We'll need to check out this
vulnerability
Because I've never heard of it.
So apparently. This is a real vulnerability with a CVE. Maybe we even
Have a step-by-step
Solution
Now that we've done a little mini research we can finally get to the cake
Let's download the file which I guess will be a zip file again, and let's go check it out
let me just clean up and
Find out what file type this is it's a zip archive as we would have guessed it already
We have the holey beep now. What is this? Holey beep a binary again
Let's just execute it for fun and profit
Holey beep period one period two - ok, let's say
- no such file or directory
Let's just create
Console file and then try to run it again
Okay, so I'm not getting anywhere here
We don't even have a server to connect to so I'm not I'm not sure if we have to connect to the server
We opened last time
But I'm guessing no because we didn't have to do this before and the holey beep
Doesn't seem to work on my local machine. So something is up
Okay, let's just try copying
The dev console device into the dev console device
This is taking a bit long, so maybe this will bear some fruits for us
hope you can see me better now and
We are still waiting
God damn it. How big is this console file? Wait, wait, wait, why do we make our lives heart?
Let's just create a link
I'm not sure if this is a smart idea but let's just try it for the sake of fun. And before we do that
We are going to create a snapshot because I'm not sure what this console
Actually does in Linux and I don't want
to ruin my system and then
Begin, everything from start or scratch.
So always make sure to
snapshot your virtual machine and
also always make sure to run your Kali in a
Virtual machine or a dedicated computer never on your main computer. Also, don't use it as main system
Let's just check out what happens
Except nothing. Let's actually run strings over this tool and
Maybe we'll be able to find something
Related to our f*cking cake
We will look for a proof-of-concept code
Well, okay, but that's just a local privilege escalation. What the hell what?
I'm totally lost here, but wait a minute
Let me just clean up
Why did I delete the exploit we have to connect to the server? Oh my god, I am so dumb
now that I
Know that I have to connect to the server
I connected to the server via the exploit with it last time and as you can see there is a dev here, so
I'm not sure we can switch directory and we
Have a console here
Which means that we also should have the holey beep we should have this on the server, too
so what I did here is just
find the file called Holey Beep, which is the same that we have on the server and
Now I'm trying to execute and we can do the same as before
but I'm not sure if that's useful in any manner and
Something happened what we could also do to make life
Easier is just find the file secret cake recipe
egg
recipe and
It happens to be that it's on the root of everything. Let's just change into the home directory
I forgot what he was called home user
Let's just go into home user all a bit seems to be an executable. So now
We would want to overwrite the dev stuff
with the cake recipe
So what we do is we create again a link but this time we do it on the server we connect
slash secret cake recipe to the
Console and we have of course first to make the dev
And we cannot create
maybe we can use the temp directories since the temp is
Open for everybody and it happens. There is already a dev
Console stuff in here. So we are going to create the link to what is called secret cake
recipe to
dev slash console and now we are going to run holey beep
We are going to run it just a bunch of
Times just to make sure we get everything
I'm not sure if this works or if we have to actually let's just
check out what this actually is and
Here it seems to be not really usable
I cannot read it unless I do a privilege escalation which the holey beep is
actually good for so let's just go into the
directory just try to
Execute it. The original one. I'm not sure why but we are going to make sure that we are going to kill it
as soon
As possible. We are going to try different methods to exploit this all
*BAM*
Hey, yes, nice
Ok, this worked. I just tried different methods of like stuff stopping the execution
The ioctl function used in this has a special behavior that allows us to I'm not sure how to explain it
but this method we used is to pass something that
will create an exception and
use a pipe with the same because if the pipe runs into an exception it blocks the write()
so we do this and
we read what's in the buffer of this program and
finally we get to the cake recipe and
now if you watch closely we have all of
the recipe and we have the last flag, which is
The cake wasn't a lie.
I
Repeat the cake wasn't a lie. Let's just enter this last thing in this pretty nice
CSS file and we have reached the end. I found the cake. Look at this some delicious cake. Mmm delicious
You should try this too. That's all for the Google capture-the-flag for me. Hit the like button if you reach
500 likes which is a pretty high expectation. I will do
Compilation of this challenge funny entertaining and educational and on Friday for my dear subscribers
That will be a v-loc. Also make sure to check in on Wednesday when I will tell you about a cool Wi-Fi hacking course
