Everything Is Just Dandy!

Executing Linux Binaries Without Touching Disk – Living Off The Land with DDExec and Dirty Pipe Demo

IppSec
2022-04-04
https://www.youtube.com/watch?v=MaBurwnrI4s
00:00 – Intro, the stream is here: https://www.twitch.tv/videos/1445106911
00:45 – Start of the video, showing what is new about this technique
02:17 – Running through the example, showing we can change the filename in ps to anything we want
03:15 – Showing what this looks like in the ps output
04:15 – Explaining what I don’t like about the example used on the website
04:55 – Explaining what process substitution is, which is a really good way to pass arguments to bash scripts when piping with curl
06:00 – Testing process substitution with ddexec locally
07:45 – Showing how to execute this with DirtyPipe
09:45 – Successful execution of DirtyPipe
10:30 – Showing a dirtypipe that changes the root password, changing the default password it uses
13:20 – Showing we changed the password, and then trolling myself because this box has PAM_WORDLE installed
14:45 – Finding a DirtyPipe exploit that modifies a SetUID
16:30 – Cheating at our game of Hacker Wordle, to make sure we actually changed the root password earlier.
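The process-substitution trick from the 04:55 and 06:00 segments, as an added example that is not from the video and not DDexec's own code. The point: `curl ... | bash -s -- args` spends stdin on the script itself, so a script that also wants a data stream on stdin (DDexec reads the base64-encoded binary that way) cannot get it. Running the script through `bash <(curl ...) args` instead leaves stdin free for the payload. The `STANDIN_SCRIPT` below is a constructed stand-in for what `curl -s <url>/ddexec.sh` would return, and the base64 payload is a constructed placeholder for `base64 -w0 /path/to/binary`; the inner `bash -c` wrapper exists only so the `<( )` syntax is always evaluated by bash even if this file is run under plain sh.

```shell
#!/usr/bin/env bash
# Added example (not from the video, not DDexec code). Demonstrates passing both
# arguments and a stdin payload to a script fetched "from the network".

# Constructed stand-in for the script curl would fetch. Like DDexec it needs
# $1 (the argv[0] to show in ps) and a payload on stdin (the encoded binary).
STANDIN_SCRIPT='
name="$1"
bytes=$(wc -c | tr -d " ")          # consume the piped payload
printf "argv0=%s stdin_bytes=%s\n" "$name" "$bytes"
'

# Run the stand-in the way the video recommends:
#   base64 -w0 /bin/ls | bash <(curl -s .../ddexec.sh) ls
# Here printf replaces curl and the caller supplies the payload.
# $1 = payload to deliver on stdin, $2 = argv[0] the script should use.
run_via_procsub() {
    payload="$1"
    name="$2"
    # Process substitution turns the script text into a /dev/fd/N path that
    # bash executes, so the pipe on stdin reaches the script untouched.
    printf '%s' "$payload" | bash -c 'bash <(printf "%s" "$1") "$2"' _ "$STANDIN_SCRIPT" "$name"
}

# The alternative, `printf '%s' "$STANDIN_SCRIPT" | bash -s -- ls`, would make
# the script text itself the script's stdin; anything the script tried to read
# would be its own remaining lines, so the payload cannot be delivered that way.

# Usage: constructed 8-byte base64 string standing in for an encoded binary.
run_via_procsub 'ZmFrZQ==' ls
```

The same shape applies to any `curl | bash`-style one-liner that takes arguments: put the fetch inside `<( )`, keep stdin for data, and pass arguments after the closing parenthesis.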