Linux Privilege Escalation for Beginners

Captions
what's up YouTube welcome back for another video in today's video we're actually releasing a three hour version of our Linux privilege escalation for beginners course if you've ever taken a hacking course before or you've ever done a little bit of hacking you may know that you sometimes land on a machine and when you land on the machine you're not a root user or an administrative user and you have to escalate those privileges well that's what this course is about what happens when you land on a Linux machine and you're not a root user how do you escalate privileges well I'm going to show you in this course this course is actually a shortened condensed version of what is known as the same titled course on our Academy this is the only time I'm going to pitch anything in this course what you're getting out of this course is three hours out of a six and a half hour or so curriculum we're gonna go from the introduction all the way through the suid path right here this escalation path of suid we're going to stop here here and this will give you a very strong Foundation of what to look for and what to do for escalation now if you want to continue on throughout the course there is this escalation path for more suid capabilities scheduled tasks Etc and then there's also a Capstone challenge that's in the course that's not going to be in this YouTube video so if you're interested in unlocking the other three and a half hours of the course you can do so via our Academy I'll drop a link below otherwise this is completely free it still gives you a ton of knowledge and it's something that I don't really know that's out there on YouTube so should be all done we're going to go ahead and jump right into the introduction of the course and I'll catch you over there hello and welcome to Linux privilege escalation for beginners my name is Heath Adams and I'm going to be your instructor for this course a quick who am I I am a husband hacker military veteran gamer and I have way too many 
animals probably past the legal limit I am a former accountant turned cyber security geek and on the day-to-day I am an ethical hacker and business owner at TCM security which does ethical hacking and cyber security training you can see a list of my certifications below all ranging from your basic certifications all the way up to Advanced penetration testing and ethical hacking certifications if you are looking to find me on social media you can find me at the name of the Cyber Mentor I do have a twitch channel for live streaming a YouTube channel which has other hacking videos and career advice and if you wanted to reach out to me you can reach out to me at easiest over at Twitter and lastly I do have a couple other udemy courses one is practical ethical hacking which has over 150 000 students at this time recording and windows privilege escalation for beginners which is the counterpart to this Linux course so if you need anything from me that's how you reach out to me moving on let's talk about why this course so the main reason is to gain a better understanding of privilege escalation techniques and what is privilege escalation well let's say that you land on a machine you've hacked a machine you land on it and you are not system user you're not an administrator you're not root of that machine you are a lower level user and then you want to take over that machine you want to compromise it well you need to escalate your privileges and there are many techniques out there for both windows which we've covered in another course and Linux which you're going to be covering in this course that can allow you to do that so this course is going to help you gain an understanding on how to go from that low-level user to that high level user and it's also going to help you improve your Capture the Flag skill set so if you are looking to compete and capture the flag events if you are looking to do better on websites like hack the box or try hack me or cybersec labs this is 
really going to help you understand how you get from that low-level user and really escalate your skills to escalate machines and lastly it's going to help you prepare for certification courses so the oscp the CH the elearn security pts PTP PTX a lot of certification out there are now moving towards this practical exam environment so they have boxes that you have to hack into and not all of them are going to hack directly into a root user you actually have a low level user and you have to escalate so if you're looking to pass some of these certification courses you're going to need to understand how to do privilege escalation and be decent at it with that being said let's talk about the prerequisites and requirements of this course so this course does require some ethical hacking knowledge if you do not have ethical hacking knowledge you're probably going to be pretty lost and I would recommend that you start at the Practical ethical hacking course so this course does not hold your hand in terms of ethical hacking knowledge it assumes that you know basics of how to use Linux what a shell or reverse shell or buy and shell is how to do some basic file transfers and other commands it it basically requires you to have a basic understanding of ethical hacking if you don't have that again there are other courses that you probably should should take as a prerequisite you also need a ethical hacking workstation most of us use Linux but if you use Windows that's fine too whatever you like to utilize for your ethical hacking workstation you're going to need that for this course the bottom two are optional now access to a Windows machine is optional if you use a Windows machine that's fine or if you've got a VM for it that's fine if not not really a big deal there's one machine in this course that is going to be a buffer overflow type machine I'm just doing that to kind of prepare you for your skill set if you're looking to take exams such as the oscp or the PTP that have 
buffer overflow elements then you should be practicing that and I'm kind of incorporating that into this course so I'll be utilizing a Windows machine to do that you don't have to utilize Windows you can use Linux if you're comfortable with that as well but that's the only time we're going to use Windows and it's at the very end of this course and lastly a subscription to try hack me this entire course is built on try Hackney's platform and and we'll get into that in a little bit but try hack me is providing this all for free to us so if you go to the website anything I show you all you have to do is register for an account however there are benefits to having the subscription based access it being that you get your own dedicated machine things run a little bit faster you get access to more machines and more items within the website now I get no Kickbacks whatsoever and again this is all free completely optional you can choose to do it or not but it is my recommendation that it is well worth the subscription or the 10 or so for one month subscription to try hack me but we'll cover the website here in a later section and when we talk about our labs and Etc let's talk about what you're going to learn and that's probably why you're here and what you want to know so the big thing is we're going to learn how to enumerate Linux systems manually and then with tools I think enumeration is the biggest and most important part of hacking the better you are at a numerator the better hacker you're going to be so we're going to focus on how to do that manually and then I'll show you automated tools and then we'll kind of go through each of these escalation techniques and I'll show you how to do some of this hunting manually and then how you can identify them with your tools as well so on this list of techniques you're going to see we're going to talk about kernel exploits password hunting file permissions there's several pseudo exploits we're going to perform including a couple 
of recent cves from 2019 that I'm really excited about we'll talk about suid attacks we'll talk about capabilities attacks NFS scheduled tasks being cron jobs and systemd timers and we'll also do a Docker privilege escalation exploit in total you're going to do 11 vulnerable machines in this lab so 11 vulnerable machines you'll get tons of practice that doesn't include the custom lab that you're going to be doing so really there's like 12 vulnerable machines in this lab and there will be a Capstone challenge of five machines so I will be testing your knowledge once you get to the Capstone to see how well you can perform on your own with everything that you've learned in the course last but not least there are important resources that I cannot show you in the introduction video mainly what I'm after is I want to introduce you to the Discord Channel now we have a Discord channel of at this time over 15 000 people we have channels for the Practical ethical hacking course we have channels for the windows course and we'll have a channel for the Linux course so I'll introduce you to that and why that's important but in order to do that you're going to have to check out the bonus video per udemy policy so scroll to the very last video in this course and check out the bonus video before you start the Discord section will be a great place for you to come ask questions get real-time help and communicate with other students that are also working through the course with that being said that brings us to the end of this introduction video I'm very excited to see where this course goes and learn with you so let's go ahead and Jump Right In we're going to talk about resources and important course tips that will lead you to success before we dive head first into this course I need to provide you with some resources that will benefit you when it comes to privilege escalation on Linux and I kind of want to give you some overall advice so I'm going to share with you a few resources 
that I love to utilize when I'm doing privilege escalation these are cheat sheets something that I can quickly refer to and you'll find your own you'll see which ones you like which ones you don't like and kind of make this your own so I'll start with this got milk blog that I utilized when I was going through certifications and it's really really great it's a little dated it's from 2011 and it's really just more for enumeration and what to look for and it just goes in full detail look at all the different things that you can look for but when I say full detail it gives you all different kinds of ways to check for things like if we're looking for what the distribution type is or what the kernel version is or hey is there a printer in this environment and we'll cover some of these commands but not nearly as in detail as this goes into with quick copy and paste tricks and that's what a lot of these are this one is saying hey here's a lot of different ways that you can enumerate and I was reading through this again and I really like the way that got milk puts this there is no magic answer for privilege escalation there is just a lot of work and enumeration is key that is absolutely true enumeration is the biggest differentiator between in my opinion between a good hacker and someone that just doesn't end up getting it because they don't spend enough time on enumeration so make sure that you understand that you have to kind of go through this step by step you might not utilize every guide but you might utilize more than one guide when you're kind of looking through these things so the got milk is kind of the initial very very well known one however I do think there are some that come along that are maybe better or more put together one of those is payloads all the things if you come through here this has a nice tools and checklist it kind of gives you actually you'll see some some different options here so like if you're looking for a scheduled task for example you can 
click on schedule tasks drop all the way down to that and this is how you check for scheduled tasks and how you determine them or how about system D timers so you got Cron job system B timers or maybe looking for suid exploits and this could all sound foreign to you right now because we haven't covered them but this is telling you how to look for specific things and what you're looking for why you're looking for it even so I really do a appreciate this version and this checklist because it does cover quite a bit more just because it's a little bit newer than the got milk guide on top of that there are the hack tricks that it's one of my favorite websites too because it's put together by Carlos polyp who is the author of Lin peas and wind peas and some great scripts that we'll cover in this course and I've covered in other courses as well but he provides a checklist so you get in what are the first things you might look for vulnerable kernel that makes sense uh maybe processes known users passwords and you can click on these and just kind of see okay well what options do I have when it comes to a vulnerable kernel and here you go kernel exploits what are we looking for in kernel exploits well we might want to know the version we want to know the distribution the the you name and we might want to look for the kernel that we're running to see if there's any sort of Kernel exploit available to that here's some tools that are available for hunting these down and it's just it's really awesome stuff and last but not least is we have this guide as well well this shoe sushant 747 I'm probably butchering that but this is very well put together and concise so just hey let's search for these sorts of things so I you don't know what you're really getting into and as I guide you into this course I will give you the methodology on how I would hunt the easy wins and then we're just gonna have to dive in and kind of hunt if we don't see something right off the bat we're gonna 
really have to sink our teeth in and dig deeper and try to find some of these through enumeration so we'll come up with a decent methodology everybody kind of has their own but I'll give you mine and how I hunt down these things and hopefully we will improve so the one thing I want to point out too just for general advice or course tip is to make sure that you're taking notes there are plenty of good note-taking applications out there I personally use one called keep note however cherry tree is built into Kali Linux right here you can see cherry tree that's a great note-taking platform there are there's notion there's Joplin there's all kinds out there so I do recommend taking notes kind of making your own guide and just understanding why you're doing what you're doing don't just rush through this make sure you understand the reasoning behind this and if there's something that you don't understand the first time through maybe watch the video again make sure you're understanding everything before you're moving forward and I don't claim to be the best instructor for everything so if there's something that I am doing and you just don't get it you might need to utilize outside resources and have somebody else teach you and maybe that'll make it click so I I shouldn't be your only resource please do utilize other resources and make sure that you get the full picture and you understand before you move on to the next lesson so that is it we're going to go ahead and jump into our introduction to try hack me and our platform utilized for this lab and how we're going to access the lab and gain our initial shell so I will see you over in the next section all right are you ready to get started and learn about your lab and get access to your lab I'm ready for it so in this lab I'm going to be utilizing my Kali Linux machine I'm using Kali Linux 2019.3 so if you want to follow along with what I'm doing on the same operating system that's absolutely fine if you want to use a 
newer version of Cali that's fine if you want to use parrot that's fine whatever you're comfortable with even if you use Windows that's absolutely okay just make sure that you're capable of following along with what I'm doing so with that all being said we're going to be using a website called try hack me so if I go out to the web and you go to https and double dot slash slash tryhackme.com you'll be brought to the try Hackney website so go ahead and get registered it's completely free I have no Kickbacks to this website I have no referral link nothing I am just that big of a fan now everything that you're going to do is going to be completely free with me there are paid options I think it's like 10 to 13 bucks a month to actually have a VIP subscription the VIP gets you access to a lot more machines it gets you access to faster faster boxes better lab environment Etc but you can absolutely perform everything I'm going to show you 100 free at the time of recording for this so what you're going to do is you come on to try hack me now this is the dashboard you'll have your dashboard you can see how many rooms are out there what the users are what are some suggested rooms for you there are actually learning paths that are really cool on this site as well if you're a complete beginner you can enroll in that path or if you're looking to do a certification the offensive pen testing one is pretty good they've got all different primers as well but what we're going to be interested in primarily are the activities and I'll show you this in each video but you're just going to go to the activities and this is going to show you all the boxes that are out there now this is going to be called prives Arena and if you type it in right when I type it in right now you're going to see that it's not available to you yet it's not available publicly yet because I haven't launched the course thus I haven't launched the actual room but I'm going to show you the room here in a second here's 
an example of the windows prevask Arena that we used for the windows escalation course so if we go over to this room and it's going to be tryhackme.com forward slash room forward slash Linux provesque Arena of course I will put this link in the resources but you're going to come into here and you're going to have all of your connection options so you come in you're going to join the room there'll be a little join room button and then this is going to tell you how to get connected to the openvpn room if you've never done that before your first time through you're going to need to download an openvpn file and get connected via openvpn very straightforward you just download the file and then when you come into here you'll just say something along the lines of openvpn and you'll say whatever file you downloaded.obpn and that'll get you connected to the network once you if config you should see that you have a tunnel available to you so here's my tunnel connection right here I have my inet which is my ipv4 connection and I'm good to go so you should see something very similar once you actually get connected now once you deploy the room and you are good to go you come in here once you join the room and you're connected to the VPN you just come in here and you deploy the room okay so you hit deploy and when you deploy the room you're going to get an IP address so you can see I got 10.10.46.210 all right and I'm just going to copy this and when you utilize this you just copy it and you're going to SSH over to it I'm going to show you an example on my network because I actually have the box running over here so I've got the box right here running I'm just going to connect to it for the entirety of the labs I'm connecting to my home machine however that's just for ease of access and recording purposes you can completely come in here and SSH the IP address give it about two to three minutes before you can even run ping checks on it so you can do a ping against it and make 
sure that it's up as you can see it's only been 40 seconds and it's not up yet it does take a minute to spit up so give it some time for my sake I'm going to SSH and I'm going to SSH using the username of TCM and I'm going to do it to 192.168.4.67 you would just utilize this IP address here ssh in and the password is hacker with a capital h123 and you should get logged into your lab environment now here are the credentials they're right here in the lab okay so you see username hacker123 it tells you everything you need to do if you every tool you need is going to be in your user folder so throughout this course if you LS in here you can see that we have we've got shells in here we've got all kinds of different things in here we've got tools you won't have this access actually you'll just have a VPN file and tools but we'll build these out a little bit later if you CD into tools and LS you'll see that we have different exploits and things we're going to be utilizing throughout the course so there should be no downloading throughout the course unless there's a tool that you see me use that you want to use in terms of walkthroughs and stuff like that so it's very straightforward on top of that we're going to be utilizing all the different tasks in here so you see Task 1 task two so say you connected to the try hack Me Network okay you completed that task they'll turn green you're good to go on the next one you say hey I deployed this machine I am now logged in uh as the user via SSH so good job I'm I'm done there now we go into the first task which is going to be kernel exploits I encourage you to watch the videos and follow along that way but you can come through here as well and get credit once you're complete if there's anything that was you missed or you just didn't understand in here gives you step-by-step directions on how to completely do step by step everything that I did and allow you to still gain access via what I just did so you can complete the task as 
well and then if you look through all the tasks in the course are going to be completed in here now everything that you see here is part of the course there are more machines and boxes so this is counting as one machine and total we're going to touch on 11 different machines in the course so not everything is going to be done in this lab though a lot is going to be done you can see all the different tasks that we have to do so just keep note that I will inform you hey we're back on our lab or hey we're going to be attacking this box so I'll give you clear indication what we're going to be doing otherwise all you need to do here is just go through step by step follow the video if you see a video called kernel exploits and you see kernel exploits in here you're good to go if you see one called stored passwords guess what you're going to be following stored passwords so just follow along that way and you're going to be absolutely okay with that being said the first thing we're going to do before we do any of these tasks or task three we're going to start working with initial enumeration so I'm going to see you in the next section where we're doing enumeration we're learning some command line understanding what we're searching for and why we're searching for it and then we'll start moving into the actual exploitation after that so I'll catch you over in the next section okay we have exploited our machine we've got a low level shell which is being simulated here with our SSH we are now logged in as a user named TCM this user is not a root user and we need to elevate our privileges now if we go back to the fundamentals of hacking there are five stages of hacking the first three stages are information gathering then scanning an enumeration and then exploitation so going back to Our Roots we've got access to the machine so we had to do at least those first three steps we did scanning enumeration we did our exploitation we got there now we're in and we have a shell we have 
to repeat that process we have to go back and do more enumeration and so what we're going to cover in these next few videos is the initial enumeration steps we should be taking this is not all inclusive we're going to learn how to do more enumeration as we come across different escalation paths but these are the key or critical ones that you might just quickly look at to see if you could find quick wins without running any sort of tools so first up we're going to look at system enumeration so we're on the system and we want to just take a look at what we're working with right now we can see Debian but that's just the host name if we type in hostname we can see that as well so that's just an indicator that we're on a Debian machine but a better indicator of that might be doing you name Dash a which is going to tell us what our kernel is here and we're running on Linux Debian 2.6.32 this is super important to know and you can see we are running 8664 here AMD 64 so all indicators are 64-bit machine we run you name Dash a to use this in searching for exploitations the first exploit we're going to look at is what's called a kernel exploit and we'll talk about that here soon but we might just copy this Linux Debian 2.6.32 put that into Google and say hey are there any exploits for this and just see what pops up so you name Dash a is super important to look for in kind of hunting those easy wins down we can also take a look at something like cat proc version to do something similar we can take a look at the Etsy issue like this and you can see the distribution here now if we wanted to take a quick peek at the architecture we could just do something like LS CPU and you can see that we are running on 64-bit architecture here's anything about the CPU that you want to know how many threads how many CPUs what's the vendor type Etc and this may come into play I have actually seen some types of exploits where it requires multiple threads or multiple cores so if you look at this 
or you're up against an exploit and it says hey this exploit requires four cores and you do LS CPU and you see one core guess what the exploit's probably not going to work for you so it's a good way to narrow down architectures with the most important out of this but knowing the threads and the the core count actually is useful information as well so another thing that we might want to check out while we're in here that's system related is what services are running so we could do something like PS aux like this and to see what services are running if you're a Windows user primarily this is just like looking at your service manager and seeing what tasks are running or your task manager seeing what tasks are running and we can come in here and just kind of scroll down from the top you can see that it goes by what user is running what task or command so if we go all the way down to the bottom it goes in the order that they were issued here you can see that we just logged into the machine via SSH we're utilizing bash and we just executed this PSA ux so we're active a little bit we can see that we're active but we can also see some other things we can see if we come through here that there's an nginx server running with www data I see Apache running so there's got to be a web server probably on this machine I also see Roots running cron which is like a scheduled task we'll talk about that later I see a network file share we'll talk about that later so this is just some things that you could be looking at or these are things that you could be looking at just to say hey what's going on here what user is running what task and let's say that you're just curious more so about the root user you could say hey what user what what tasks are running as the root user so you could just graph the root out of this and then you're going to pull down all root users and I'll make this a little bigger and the one command here will pull down the root for this but everything else is root 
and you can see okay here are all the processes that root is running right now or if you were curious about yourself you could say TCM and see what processes you're running right now so this is just a quick and dirty way to look at some system information the big things we're after on the quick enumeration or initial numeration is we're trying to pull down that that kernel version what what kernel are we on uh is it vulnerable to anything and what architecture are we on because that's important as well of course we could look at the cores if we need to understanding your host name is somewhat important sometimes and the PS aux command to see the services running a little bit backtracking and why I said the the host name before leaving that there the host name is important because sometimes in Capture the Flag style events the host name will be related to one one of the exploits on hand for example if the exploit is called blue or the machine is called Blue the host name it might be eaten Eternal blue x-blade or if the Box I've seen a box called Jerry that might be related to a tomcat exploit so it's always useful to know the hostname when you hop onto it because that host name may give you an indicator as to what exploit is coming at least from a capture the flag perspective so that's it for this video we're going to go ahead and move on now to user enumeration moving on to user enumeration we're going to perform user enumeration to find out who we are what permissions we have and what we're capable of doing and we could do that with a few quick initial commands and then as we move on we can learn more commands that we can take advantage of so initially we're going to just do a quick who am I even though we can see it here we are TCM here's your host name more so we could do an ID and see what our user ID is here you can see it's a thousand or a group ID of a thousand this is telling me that we are just in the user group we're not a root user we don't have any sort 
of administration or administrative privileges here that I can identify right away. We also want to look for what privileges we might have, so we're going to look at the sudo command to see what we can run as sudo and do a sudo -l, and well, we have quite a bit here. I'm going to save this information for you for later, but at a quick glance it looks like we can run quite a few commands as the root user with no password, meaning we could say sudo nano and then a file here, because it says hey, there's no password required to run nano as sudo, so we can do that without any sort of password for root. That's great. Now, we'll go more into detail on how we could take advantage of a situation like this, as well as the LD_PRELOAD. So we know what privileges we have.

We could also start looking at some files, so maybe something like /etc/passwd, and in /etc/passwd we could see the users, not the password, unfortunately. That's where the password used to be stored back in the day, but now they have this nice little placeholder of an x. We can see here that we have the root user, of course, and we have TCM. The rest of these look pretty non-standard to me... they are, well, they're standard, they're just not users. You can see here, starting at 1000, we've got TCM, and then if we had a few users they would be towards the bottom typically, and then we have our root towards the top. Now if we wanted to kind of narrow this down, we could also do that. There are all kinds of little kung fu commands we could do. We could do something like cat /etc/passwd and we can maybe just cut this: we could say cut on a delimiter of a colon, and then we'll do a field of one, meaning like here's a delimiter, here's a delimiter, here's a delimiter, so here's field one, two, three. So when I run this command I should just pull down all the users, and okay, so we kind of cut out all that other junk and you can see here are the users on the machine. The rest of these look standard, like I said, with this being a user and this being root, so we've only got two real users on this machine here.

Now we can look and see if we have access to any sort of sensitive files, maybe like cat /etc/shadow, and we do, and we'll discuss this later as to why this is bad and what we can do with it, but these are the type of things you might want to look for: what files do I know of and what files can I maybe access? Can we access perhaps the /etc/group file? And we can access the /etc/group file as well. So these are the sort of things we want to kind of look at and see what we're capable of: who we are, what sudo permissions we have and what sensitive file access we have. We'll go more into sensitive files here in just a little bit as we progress through the course.

Last but not least, we might want to look at our history and see if there's anything juicy in history, and you can see some commands that I've been running here, but there is history stored here, so maybe there's something interesting in here. We'll talk about this a little bit later too, but you always want to look through the history. If I'm hopping onto a machine, the first couple of things that I'm doing right away is I'm figuring out who I am, I'm figuring out what the architecture of the system is, what sudo privileges they have and what history is available to me. Those are absolutely the quick wins: if I can do a quick, just immediate history find and find a password, or if I can do a sudo command, even a sudo su - like this, and you can see that I can try a hacker123 for the password, and we're not allowed to do that. So it's always worth trying to see if we could sudo escalate into a different user as well, or the root user, but we're not able to do that here. So all these quick little wins, quick enumeration, easy to do, easy to find some things here; it's already juicy information showing up on this machine. So with that being said, that's kind of the basics that I want you to know. We're going to move on now to network enumeration, so I will see you in the next video when we cover that.
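Those quick wins (the real users in /etc/passwd, what sudo -l allows without a password and whether LD_PRELOAD survives sudo, and whether /etc/shadow is readable by everyone) are also exactly what a defender checks when auditing a host. The following Python script is an added example written for this page, not part of the course or its VM: it runs against constructed sample text and constructed file modes so it works offline, and it reports findings rather than acting on them.

```python
"""Offline triage of the 'quick win' checks from the enumeration walkthrough:
who the real login users are, which sudo rules run as root without a password
(and whether LD_PRELOAD is kept in the environment), and whether sensitive
files are readable by ordinary users. All inputs below are constructed
samples, not output captured from the course VM."""
import re
import stat

# Constructed /etc/passwd content: system accounts plus two human users.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
TCM:x:1000:1000:TCM,,,:/home/user:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
"""

# Constructed `sudo -l` output in the shape sudo prints it.
SAMPLE_SUDO_L = """Matching Defaults entries for TCM on this host:
    env_reset, env_keep+=LD_PRELOAD

User TCM may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/nano
    (root) /usr/bin/apt-get
"""

# Constructed st_mode values standing in for os.stat() results.
SAMPLE_MODES = {
    "/etc/shadow": 0o100644,   # weak: should be 0640 root:shadow
    "/etc/gshadow": 0o100640,  # fine
}


def login_users(passwd_text, min_uid=1000):
    """Like `cut -d: -f1`, but keeping only root and human accounts
    (UID >= min_uid) that have a real login shell. Returns [(name, uid)]."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid == 0 or (uid >= min_uid and not shell.endswith("nologin")):
            users.append((name, uid))
    return users


def sudo_findings(sudo_text):
    """Flag rules that run as another user without a password, and an
    env_keep that lets LD_PRELOAD pass through sudo."""
    findings = []
    if re.search(r"env_keep\+?=.*\bLD_PRELOAD\b", sudo_text):
        findings.append("LD_PRELOAD is preserved through sudo (env_keep)")
    for m in re.finditer(r"\((\S+)\)\s+NOPASSWD:\s+(\S+)", sudo_text):
        findings.append(f"{m.group(2)} runs as {m.group(1)} with no password")
    return findings


def sensitive_file_findings(modes):
    """Which of the classic sensitive files carry the world-readable bit."""
    return [path for path, mode in modes.items() if mode & stat.S_IROTH]


def audit(passwd_text=SAMPLE_PASSWD, sudo_text=SAMPLE_SUDO_L, modes=SAMPLE_MODES):
    """Run all three checks and return one report dictionary."""
    return {
        "users": login_users(passwd_text),
        "sudo": sudo_findings(sudo_text),
        "readable_sensitive": sensitive_file_findings(modes),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On a live host you would feed it the real /etc/passwd text, the real sudo -l output and os.stat() modes; the parsing is the same.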
Next up are the commands for enumerating the network. Now, network enumeration is super important. It lets us understand what our IP architecture is, what we're interacting with and what open ports there may be available to us internally that might not be exposed externally; it just kind of gives us a lay of the land. So I'm going to show you a couple of different commands to execute depending on the old versions versus kind of the new version, so some of these won't work, but I'm still going to type them anyway. Now, depending on the version of Linux that you're on, the old command would be ifconfig, and you could do an ifconfig and see if you can print out your information here. You could also just do an ip a and pull down the old ifconfig or the new ifconfig and see what your IP address is. So you can see here I've got a 192.168.4.67 and I'm on a /22 network, and you can see the broadcast address is a .7.255. So I have what our inet here is, and on top of this, what's useful is sometimes these machines can be dual homed, meaning that we have one IP address, maybe a 192.168.4, and then maybe we have like a second IP address of 10.10.whatever, and that machine can communicate with two networks because it has two different NICs running in it.

That could also be true if it has a route. So it used to be a command of route; we could just say ip route here, and if there was a route maybe to another network that we identify here, that would be useful as well. You can see we have the 192.168.4 network and we're sourcing that through our IP address via the default gateway of 192.168.4.1, so we have at least one route in here, but there's potential to have other routes. Another way to look at that too is with ARP tables. ARP tables will tell us who we're communicating with, and maybe there's a machine that we're talking with kind of back and forth or something along those lines, and maybe there's traffic being generated across the network that we can identify as who we're interacting with, so that could be useful as well. The command for that would be arp -a, which isn't going to work here, but the new command would be ip neigh, n-e-i-g-h, and you can see what has gone stale here and what is reachable. Now I'm communicating across this 4.51 network; so this 4.51 is me, we are reachable, and these other two are stale but have been identified as at some point being in the network.

So lastly, the command I want to show you is netstat. I always do switches of -ano. Now, most of these are just like Windows, and if you took the Windows course we covered these as well, but you want to identify what ports are open as well as what communications exist. Say we had a shell on this machine and we come in here and we can see that other machines are talking to our machine over different ports, so there are established connections. That would send my spidey senses off and say hey, maybe there's something that I need to exploit between these two machines, or that I need to identify as a potential exploit; maybe there's traffic flowing or something I need to intercept here to really exploit this machine. Other things we want to identify are things like this: this port 961. It doesn't look to be open to anything but the localhost here, 127.0.0.1, so we have this and we don't have this exposed externally; our nmap scan didn't identify this. So what's it doing? What is 961 doing internally on UDP? So these are things that we will kind of want to be thinking about in just exploring on the machine. Most importantly, just get the lay of the land. That's really what we want to know about the network: what ports are open, who are you communicating with, who's out there, what is our network and what networks do we have access to. So that is it for this video; we're going to go ahead and move on to password hunting in the next video.

Moving on to password hunting, we're going to just spend a couple of minutes here. We're not going to go into too much detail because we have a whole section dedicated to this coming up, but the quick, dirty commands that I want to show you for password hunting and sensitive file hunting are pretty neat. So let's say that we want to look for passwords and we want to actually color coordinate this. We can use the grep command, and we could do grep --color=auto, and then we're going to do a switch of -rnw with a forward slash in single quotes, and then we're going to provide our term that we're going to search for. So here I'm going to search for PASSWORD, and then I'm just going to say --color=always. Now we're going to send that out to /dev/null like this, and what this is going to do is it's going to go out and look for the word password anywhere in files and it's going to spit it out in red so that we can read it. It's a very, very nice command. So let's go ahead and run this, and I'm going to kill it at some point, but let's just kind of scroll through here and see what we've got. Now we can kind of see that we are just pulling down the word password in any and all different things here, so if the word password is found it's going to identify it, and maybe we need to make this a little bit better.
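Before going further with password hunting, here is the netstat triage from the network enumeration part above in code: separating loopback-only listeners such as 127.0.0.1:961 (invisible to an external scan, and therefore worth explaining) from listeners exposed on every interface, and listing who holds established connections. This Python parser is an added example, not from the course; the netstat -ano output it reads is constructed, and it handles the quirk that UDP rows carry no State column.

```python
"""Triage of `netstat -ano`-style output: loopback-only services versus
exposed listeners, plus the peers with established connections. The sample
output below is constructed for this example, not captured from the course
machine."""

# Constructed netstat -ano output. UDP rows have no State column, so the
# remaining columns shift left by one.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 192.168.4.67:22         192.168.4.51:50122      ESTABLISHED keepalive (6531.21/0/0)
tcp6       0      0 :::80                   :::*                    LISTEN      off (0.00/0/0)
udp        0      0 127.0.0.1:961           0.0.0.0:*                           off (0.00/0/0)
udp        0      0 0.0.0.0:68              0.0.0.0:*                           off (0.00/0/0)
"""

LOOPBACK_PREFIXES = ("127.", "::1")


def split_addr(addr):
    """'127.0.0.1:961' -> ('127.0.0.1', 961); ':::80' -> ('::', 80);
    a '*' port (unconnected UDP/listening foreign side) becomes None."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Yield one dict per socket row, skipping the two header lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, local, foreign = parts[0], parts[3], parts[4]
        # Only TCP rows carry a State column; UDP rows go straight to Timer.
        state = parts[5] if proto.startswith("tcp") and len(parts) > 5 else ""
        yield {"proto": proto, "local": local, "foreign": foreign, "state": state}


def triage(text=SAMPLE_NETSTAT):
    """Return internal-only listeners, exposed listeners and established peers."""
    internal, exposed, peers = [], [], []
    for sock in parse_netstat(text):
        host, port = split_addr(sock["local"])
        # A UDP socket with a '*' foreign side is effectively a listener.
        listening = sock["state"] == "LISTEN" or sock["proto"].startswith("udp")
        if sock["state"] == "ESTABLISHED":
            peers.append(split_addr(sock["foreign"])[0])
        elif listening and host.startswith(LOOPBACK_PREFIXES):
            internal.append((sock["proto"], port))
        elif listening:
            exposed.append((sock["proto"], port))
    return {"internal_only": internal, "exposed": exposed, "peers": sorted(set(peers))}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The internal_only list is the one to reconcile against an external port scan: anything in it that you cannot explain (a database bound to loopback, an unknown UDP service) deserves a look at which process owns it.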
We have the word password, but maybe we need to do something like, I don't know, password= and maybe that'll narrow down some of the finds that we do here. So we'll do a password= and maybe that'll hunt something down instead of just finding the word password for everything, because that could just really overwhelm us. If you look at what we just found here in just seconds, we might just want to hunt the word password= and see where that goes. So I'm going to go ahead and Ctrl-C; I'm just trying to give you ideas at this point. But there you can see password just came through here, and that is just a /usr/share nmap script that came back, so nothing there for us, but I'm going to go ahead and Ctrl-C.

Another thing that we might want to do is look for the phrase password as a file name. So what if we say something like locate password, and then we pipe to more, and then we can see anywhere that there is the word password here in a file name, and we might be able to identify a file containing sensitive passwords here. We could do the same thing and narrow it down; maybe password's too long, we might just do pass like this, we might do pwd or something along those lines, and I'm going to Ctrl-C here again. So just be thinking outside the box; it could be a lot of different things. It might not just be password, it might be pass or anything else.

Now another thing that we can do is hunt down SSH keys. So maybe there are SSH keys on this machine that we have access to, and that might provide us access to another user or to a different machine in the network, so it's always important to kind of hunt those down. We can do a find / -name and we could look for either authorized_keys, which is a good one, or we could look for id_rsa like this, send that to /dev/null, search that, and we found something under a backup folder called supersecretkeys with an id_rsa in it, and that looks pretty interesting too.

So the big takeaway here for now in terms of password hunting is that we need to be able to get decent at searching through files, because if we just use the term password, you could see that a lot of things come back, and it's not beyond you to look through these. I absolutely encourage you to come through here and just look and read and see if you can identify; some of the deepest and best enumeration I have done has been going through hundreds if not thousands of lines just to find that one password hiding somewhere. So it's very possible that when you actually do search based on this color here that you might have to do password= or pass= or even just password, to just deal with it and see what happens. But there are all types of commands that you can run to kind of hunt these down. Once we get into automated tools, it'll make life a little bit easier for you to search for these and still see them from a visual perspective, so hang tight for that. Don't feel too overwhelmed quite yet, and just be thinking hey, I want to look for passwords, I want to look for any sort of sensitive file that might contain the word password, or even other things as we start to learn more about files that might be interesting, SSH keys, etc. But again, we have a whole section on this coming up, so I just want to introduce you to the topic and we'll come back to it as we get to it.

So from here we're going to move on to looking at automated tools. We're going to take a look at a few of my favorite tools that I like to use when I'm doing privilege escalation on Linux machines and see how they could take some of what I just showed you and automate the process, make it way easier than hunting this manually. So of course we have to learn the manual methods to understand what the automated tools are doing, but now that we've learned some of these details we can kind of go back and see what some of the files that are being hunted are, what sort of things are being hunted by these automated tools, and it's really, really neat. So I'll catch you in the next section as we start talking about automated tools.
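All three hunts in this section (the word password inside files, sensitive-looking file names, and SSH key files) can be run as one sweep, which is also how a secrets-hygiene check works from the defender's side before a machine ships. The Python below is an added example, not from the course: it builds a constructed directory tree in a temporary folder (the file names and contents are invented for this example, including the backup folder with an id_rsa that mirrors the find above) and returns the hits grouped by category, so the noisy "password anywhere" search is replaced by the narrower password= pattern the video moves to.

```python
"""A small secrets-hygiene sweep covering the three hunts from the
password-hunting walkthrough: assignments like password=... inside files
(the narrowed grep -rnw), sensitive-looking file names (locate pass/pwd), and
SSH key material (find -name id_rsa / authorized_keys). It builds a
constructed tree in a temp folder so it runs offline; every path and content
here is invented for the example."""
import os
import re
import tempfile

# Constructed tree: relative path -> contents. Nothing comes from a real host.
SAMPLE_TREE = {
    "opt/app/config.ini": "db_host=localhost\npassword=Summer2020!\n",
    "usr/share/nmap/scripts/http-auth.nse": "-- tries common password lists\n",
    "home/user/.bash_history": "mysql -u root -ppassword123\nls -la\n",
    "backups/supersecretkeys/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNz...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "home/user/.ssh/authorized_keys": "ssh-ed25519 AAAAC3Nz... user@host\n",
    "var/www/old_passwords.txt": "admin:hunter2\n",
}

# Whole-word, case-insensitive, and requiring '=' to cut the noise the video hit.
ASSIGNMENT_RE = re.compile(r"\b(pass(word|wd)?|pwd)\s*=\s*\S+", re.IGNORECASE)
# File names worth a second look, by the same "pass"/"pwd" idea plus key files.
NAME_RE = re.compile(
    r"pass|pwd|secret|\.bash_history$|^id_rsa$|^authorized_keys$", re.IGNORECASE
)
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def build_tree(root, tree=SAMPLE_TREE):
    """Materialise the constructed tree under root."""
    for rel, content in tree.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def sweep(root):
    """Walk root and return findings by category; paths are relative to root."""
    findings = {"assignments": [], "suspicious_names": [], "private_keys": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if NAME_RE.search(name):
                findings["suspicious_names"].append(rel)
            try:
                with open(full, errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if PRIVATE_KEY_RE.search(text):
                findings["private_keys"].append(rel)
            for lineno, line in enumerate(text.splitlines(), 1):
                if ASSIGNMENT_RE.search(line):
                    findings["assignments"].append(f"{rel}:{lineno}")
    return {key: sorted(hits) for key, hits in findings.items()}


def demo():
    """Build the constructed tree in a temp dir, sweep it, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_tree(root)
        return sweep(root)


if __name__ == "__main__":
    for category, hits in demo().items():
        print(f"{category}: {hits}")
```

Note what the narrowed pattern does and does not catch: the config file's password= line is reported, while the nmap script that merely mentions the word and the -ppassword123 in the shell history are not; the history file is still surfaced, by name, so you know to read it.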
Welcome to this section on exploring automated tools. So up until this point we have just been working with the command line, running some basic commands, and we have just been learning the ways of the manual methods. Now we're going to look at some tools that will do what we've done and multiply that probably to the 10th power in terms of search capability, finding vulnerabilities and just spitting out output very quick, and a lot faster than we could do on our own. So I'm going to show you some of my favorite tools. I've got four picked out, and I've actually already loaded three of these onto this machine, and if you want the fourth tool you can go ahead and download that as well. So let's go ahead and go to Google. I've already got all of these loaded and I will be providing these in the course resources, so don't fret if you can't find them; there will be links available if you click on the resources next to this video.

So the first tool is my favorite by far: this is linPEAS, which is the Linux Privilege Escalation Awesome Script. If you took the Windows privilege escalation course you saw the winPEAS version of this. This tool is just absolutely amazing. It goes through, it color coordinates everything, it hunts down all these vulnerabilities. You can see here this little sudo -l; it might be kind of small, but even just for a quick example, we talked about sudo -l; it's pulling down sudo -l and seeing what the user can run with no password. It's going to hunt down as much information as possible. So let me make this a little bit smaller again. Super easy to download and install; it's just a .sh, so it's going to run in bash. There are no real dependencies or anything that we have to really worry about.

Now on top of that we have similar tools, so we've got LinEnum.sh. Same kind of concept: it's going to go out there, it's going to enumerate, it's going to spit out information. Now I am an advocate of running linPEAS first and then kind of going through with other tools. Say you run linPEAS and you just don't see anything, nothing stands out to you; then maybe it's time to move on, run a different tool. I have in the past many times found that one tool completely missed something that the other tool caught, so it's always important to run multiple tools and to know about them, and that's why I'm introducing you to not just one, because no one tool is just perfect; they all have their own little niche. So LinEnum.sh is one that I have used for years before linPEAS and was kind of my go-to. linPEAS has taken that over, but it doesn't mean that it's not still a good tool and that it's not being updated; it's been updated within the last five months, so that's pretty good.

Another one is the linux-exploit-suggester, and you can always tell a good tool, or a popular tool, from the amount of stars they have on GitHub. This one has almost 2,000, and this was updated three days ago, so this one is up to date; it's going well. This one will actually suggest different exploits based on what it's reading from the machine, so you can see it'll run it and then it'll say hey, here are the exploits that we are suggesting to you. So it's kind of like the Windows exploit suggester, or it's even like, if you're thinking like the Metasploit suggester, it's just kind of like that, where it says hey, I'm identifying certain characteristics or traits of this machine; based on that you should be looking at this exploit, and here's where you can find details about that exploit, here's the download URL for the exploit, etc. So super nice, very easy to use. We'll run all three of these and just kind of see what the output is.

The last one is linuxprivchecker.py, so say you're in a situation where you have Python on a machine and you're just not finding anything, this would be a good one to use as well. I used this all the time back in the day, and this was also updated eight days ago, so very, very up to date; all of these, they're staying up to date, that's great. Now with this, I have already put these on the machine, so what we'll do is, if you come into your machine here and you just do an ls from your home folder, you will see that there is a tools folder. So if you cd tools and ls in here, there are a few things in here, but what we're concerned about right now is LinEnum, linPEAS and the linux-exploit-suggester. So go ahead and cd over to linPEAS and I will catch you over in the next video when we start to run these different ones, and I'll explain some of the output that we're seeing and why it's important to us. So go ahead and meet me over in the next video as we start to walk through some of these automated tools.

All right, let's run some of these tools, shall we? So let's start with linPEAS. Now if we just ls, we can see here we've got linpeas.sh; all we have to do is run linpeas.sh, hit enter, and whoa, that thing is flying. It's in pretty color; linPEAS is amazing. So if yours isn't flying that fast, that's absolutely okay, just give it some time. If you need to pause, go ahead and pause. I'm going to scroll back up and just kind of show you what this does, what it is capable of, and we'll kind of run through some of these tools. So let's scroll all the way up if we can; there's a lot here. Okay, so this is supposed to be a ninja turtle. It didn't come out quite as clear on our screen, but I have seen it more ninja-turtle-like on other machines. So anyway, if we take a look at the legend here, we see the red/yellow is a 99% chance that it's a privilege escalation vector. This is pretty spot on; I don't know if I'd give it 99, but it's pretty high that you need to at least look into it. The red you should also look into, and then this kind of just gives you other legends, but I always stop here: if I see a red or red/yellow, kind of take a look. So if we start looking with the basic information, immediately it highlights the
2.6.32 of the Linux version. This is something that we talked about and something that we should look for, to see if there's any sort of kernel exploit, which we're going to get into here in just a little bit in a new section, but this is identifying that already for us. And this is just some of the things we looked at, like this is just doing a uname -a or something along those lines, this is doing an id, running that here, we're running a hostname, it's looking for writable folders, etc. So some of the commands that we were running, it's just automatically doing that for us, and you saw how fast this went through; we would not be able to do it this fast, so this is why these automated scripts are super nice. Now you can come through here; it's telling you again more system information, sudo version, your PATH information, it's got today's date if you're curious about that. We can come through, look at the environment, are there printers, is ASLR enabled; there's a lot of information here, maybe even more information than we really need, but we can kind of scroll through and let's just kind of see what we can get an idea on.

Now we can see the processes, cron and services, which we'll talk about later on in the course, but this is just looking at that ps aux again, and you could tell that it actually ran ps aux, because here we are running linPEAS and then it ran ps aux. It's going to look for binary processes and cron jobs. We're going to scroll through this and you can see here there is a path of /home/user that's highlighted, so maybe there's something here that could be exploited. Keep going through; we've got network information, kind of what we talked about; we're pulling down DNS information, we've got our IP information here in full detail, any iptables, any active ports; here's our netstat printout. You can see the 127.0.0.1 with this port 961; remember we identified that as being interesting, so definitely something that we should look into: why is there an open port here? Keep scrolling through; we have user information. Was there anything found in clipboard? We didn't find anything in clipboard. Here's our sudo -l; we need to see what's here. We're highlighting this LD_PRELOAD, which is exploitable; all of these are exploitable too, so it's very interesting. Once we get into the sudo section we'll see how we can exploit some of these. Coming through again, we find our superusers; root is identified as a superuser, which is true. Users with console were in there, and then it provides all users and groups, which we have done with /etc/passwd here. Come through; who's logged in? We're logged in. Who are the last logins? You could see who logged in from where; I've logged in from a couple of different locations here recently and it's got that all stored in here. Scrolling through, we can look at the password policy, we can see any sort of software information, to find something like MySQL or PostgreSQL, and it isn't finding anything here, so I'm just going to scroll through and see what else we can do.

Okay, we've got SSH that's permitting a root login, so that's potentially vulnerable: if we can find an SSH file, or if we can find the password, we can log in via SSH as the root user, which is very good. We found something that says no_root_squash; I wonder what that means. Maybe that'll come up again later in the NFS section. So it's identifying quite a bit, and I want you to just take away all the identifications that we're seeing here and keep this in the back of your mind that we're seeing a lot of different things. There's been a lot of yellow, so obviously this machine is pretty vulnerable; we're going to figure out how vulnerable it is as we go on, but there's quite a bit that we can do. And it comes in here and says hey, what sensitive files can we read? Remember we tried reading some sensitive files, and it says can I read the shadow file? Sure enough, we can read the shadow file, so that's really bad. And hey, can I read the root folder? Nope, we can't do that, but hey, we can read the shadow file, so that's pretty good.

And what files have been modified in the last five minutes? This is actually pretty good if we're doing some sort of cron job, or you could see backups happening here, something called useless. So what's going on in the last five minutes, what files are being written to this machine? If we're not doing anything, then maybe something on a timer or a schedule is doing these, and maybe we could take advantage of that, so that would be something interesting to look at. What's sitting inside of our home folder; you get to see all the information that this is spitting out, and I'm going really fast, but these are just things that, you know, we can just identify. Look, there's this backup coming here; it looks for any kind of .old files or backup files, so we're just trying to identify some of these things. Let's keep scrolling through and see; and now it's looking for possible passwords inside of bash history. Oh look, it found a potential password there, so that's interesting; you can see some commands that I was running with the word password in there as well. So it's finding SUID bits, it looks like, or interesting writable files for us, and the list just goes on and on here. We're searching for the passwords inside of logs, and it's only limiting it to 70, because you saw the printout that we did before where there were a bunch of passwords printed out when we searched for password, way more than 70. It's looking for emails, it's looking for a lot of stuff. So let's keep scrolling through, and now we're at the bottom. You can see it's looking for potential passwords here; it looks like we found maybe a client secret, so it's looking for client secrets here, it's looking for a username/password here as well. So that is a quick rundown. I'm almost out of breath because of all the information that it just spewed out at us, and I don't expect you to understand everything right now. The big takeaway is: wow, what information did we just get, okay, and what are we trying to
identify visually? We're trying to identify, first, looking through this script, what's that red/yellow. If we don't identify any red/yellow, then we go through another pass-through and say what's in red, what are we missing here, what do we need to look at, and we just kind of go through this list. Do we see any interesting passwords in here? And not everything that's vulnerable in here was red/yellow, right? We did see a password in our history; we saw some interesting stuff. I'll see if I can find it, but we did see password in history right here, and we've got root, password123; I wonder what that is. So this didn't highlight whatsoever, but the MySQL did, so we can see red. So I would always go through here, look for the red/yellow first, go back, look through the red, and if you're not identifying anything, give it another go with another tool. Your eyes will become trained over time on how to look through these scripts, and I am very much a heavy script user when it comes to doing automated enumeration, because it's just a time saver. Of course when I hop onto a machine, like I said earlier in an earlier video, I will absolutely come in here, say whoami, sudo -l, I'll look at the history; I'm going to be typing those things out and just seeing what we can do and what we can identify very fast. But if I can't identify it, I'm bringing on linPEAS very quickly; I'm looking for a writable folder where I can put it, and I'm going to run linPEAS. If linPEAS doesn't work, then we'll try another tool.

So let's take a look at another tool; let's actually look at the linux-exploit-suggester. Now LinEnum we'll just skip over; LinEnum.sh is very similar to linPEAS in what it does: it searches through all these things and just tries to find it. If you want to run LinEnum, feel free to run it, see what it does, get some experience with it, and just take your time and read through these things. Just for the time's sake of the video, I just want to show you two tools instead of making a very, very long video here. So we've got the linux-exploit-suggester; let's go ahead and just do an ls, and we're going to go ahead and just run this as well. Okay, and that was fast, and these are just things that, you know, it would take you so long to do. Look at all of these potential CVEs that came back on this machine. So we've got CVEs from 2010 all the way moving forward, and some of these are even probably newer than when this machine was released, but I already see a couple of vulnerabilities on here, one in particular that we're going to be utilizing and that we should be identifying through this type of exploit searching. So we'll talk about that as we get into that section, but that's coming up actually in the next video, so we'll kind of play off of what we found and how we can identify that.

So this is really it. I just want you to get the takeaway of how awesome these automated scripts are. Now this doesn't make you a script kiddie to run this or anything along those lines; it's important, and it's very important to understand what commands were being run before, and that's why I kind of said hey, let's go through the manual commands first, so that way you can understand, when you see some of these things that we were going through where it's pulling down the OS information or the user information, we kind of know the command being run behind that. And if you're ever actually curious to go through these, you could always just do... let's go back to linPEAS actually; we can look at the linPEAS source code here. We don't even have to do the nano on the machine; we can go to linpeas.sh, and if you're curious as to what it does, you can go right through here and see, and I mean the code is written out beautifully. It tells you exactly what it's doing and you can read through; I mean, look at this, look at this code, look at this long amount of commands that they're doing for you in a very, very short period of time. There are over 2,000 lines of code here, so very thankful for Carlos
and for all these people that put these scripts together and make our lives a lot easier when it comes to hunting and escalation on these machines. So that's it; that is the brief rundown of the automated tools. From here we're going to start working on actual exploitation, escalation, and we're going to start with kernel exploits first, so I'll catch you over in the next video as we discuss kernel exploitation.

All right, we've made it to our first exploitation section, and I know I'm excited, so I hope you're excited as well. So the first thing we're going to talk about is called kernel exploits, and before we can exploit kernels we need to talk about what a kernel is. You can see here I've got this lovely picture, which I have sourced from Wikipedia; there's no shame in that, and you can see the kernel lives here in the middle of the applications and the hardware. You've got your CPU, your memory, your devices, and really, what is a kernel? A kernel is just a computer program that controls everything in the system, and what it's doing is facilitating the interactions here between these hardware components and software components. So you could basically think of a kernel as a translator: what it's doing is converting these input/output requests, or I/O requests, into instruction sets. Okay, so it is sitting here in between the applications, or the software, and the hardware components. Now what is so important about a kernel? Well, when it comes to exploitation, kernel exploits are something that we look for, especially when we're trying to do any sort of privilege escalation. If you took the Windows course we talked about Windows-based kernel exploits; guess what, there are Linux-based kernel exploits as well. Now these are very complicated in terms of developing, finding and exploiting, but thankfully there are researchers that put these together for us and identify them, so it can make it a lot easier on us. From our standpoint, all we have to do is identify the operating system or the version that we're on and see, or try to identify, if there are any known kernel exploits. We're not sitting here trying to write kernel exploits by any means, because that would be incredibly difficult, but identifying them and running an exploit against them is pretty straightforward. So what we're going to do is we're going to go out and we're going to do the uname -a like you saw us do in Linux and try to see if we can identify a vulnerable version of a kernel.

So let's go ahead and take a look at one more thing really quick. If we take a look here, there is a GitHub repo called kernel-exploits. I'm going to share this in the resources; you can kind of just take a look at the amount of kernel exploits there are, and this is by far not even close to all of them. I actually see some that I know for a fact are missing, but common ones are called Dirty COW, which is not in here; the Full Nelson and Half Nelson are big ones as well; this Mempodipper is one, ptrace_kmod; there are quite a few in here that I see right off the top of my head that are just very, very familiar to me. But you'll learn how to identify these; you can come into resources like this, or, as you're going to see here shortly, you can literally just Google. But what we're looking for is something just like this: like hey, Ubuntu 12.04.0 running 3.2.0-23 that has a kernel vulnerability. So we're going to see what our version is vulnerable to here in a second and move on, so I'll catch you in the next video as we actually escalate via a kernel exploit.

All right, let's identify the exploit we are after and how we are going to exploit it. So we've kind of covered the manual method: if you do a uname -a here, you can see that we have this Linux debian 2.6.32. I like to copy this whole thing and just kind of fire it into Google. We could also use something like searchsploit against this and see if we can find anything, but if we come over here and we just go to Google and search it together with exploit and see if anything comes up, we see okay, we're
seeing something on Linux kernel 2.6.32 let's copy or open this in a new one then we see one here and let's see what shows up we got a 2013 and 2016 on this now we've got a Dev ptmx keystroke timing local disclosure that's not telling us for sure that we're doing any sort of escalation it looks like this is just determining the password length of a local user who runs Su that's not really what we want so let's close that out ah race condition privilege escalation Etsy password method Okay so we've got uh something called dirty cow which is claiming to do a race condition privilege escalation for us so that's interesting this would be something that I would want to look deeper into and it says on here hey Linux kernel version 2.6.22 to 3.9 that's a pretty wide Gap if you ask me if we come back we're on 2.6.32 which seems to meet that criteria as to fitting in between this Gap here so indicators early on point to dirty cow as being a potential exploit so we can come read through here and see what it does it says this exploit is used to modify user values according to your needs the default is firefart it tells us hey when you download this you're going to compile this and then you're going to execute it and you can execute it or execute with a new password and then you can switch user if you need to there are various versions of dirty cow dirty cow is very very well known exploit and this is one that if you're just getting into privilege escalation that I guarantee you you're going to see again at least once so let's take a look at another method so if we see the into our tools and we do an LS we can see that we have the Linux exploit suggestor in here we could utilize that as well so we could say something like CD Intel Linux explosive gesture and we've run this before but we'll run it again really quick and just let that fire off if we scroll through here dirty cow should show up and look it does so it definitely identifies dirty cow and you can see that it's 
tagging it based on the version that we're running um so I would come look through here as well it's not like as clear-cut unfortunately I mean there's a lot of exploits if we're just scrolling through here that says hey you've got all these exploits available to you um I I wish it was more hey like you should really really look here first but it is identified here so something to think about and of course there's other tools that you can run to see if it identifies it as well but moving on to the exploit itself uh we've already got the tools folder here so if we actually LS you could see that there's a dirty Cal folder so you don't have to go download anything everything is put together for you so let's go ahead and just CD into this dirty cow folder and here's what we're gonna do we're going to this LS you can see there is a cow dot C in here so we're just going to compile this with GCC we're going to say hey let's compile we're going to do a dash P thread here and then we're just going to say cow.c and we'll just make this output whatever we want we could just call it cow and should compile if we LS you can see now cow is sitting in here compiled let's do a quick ID if I could type ID you can see where the user TCM okay let's go ahead and try executing the exploit and see what happens so let's do a DOT forward slash Cal let that run and now this will take just a second uh so go ahead and if you need to pause the video go ahead and pause and then come back once you have your next screen or your command prompt back all right so it still says we are TCM what gives well if you see here it says hey we're backing up user bin password to Temp back well what if we type in password now ah yes so we've taken advantage of this it's actually overwritten this psswd or password and when we execute the password command it elevates us to root so now we are the root user so we have successfully elevated this machine and that's it this is really kernel exploits are very 
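As an added example (my own, not code from the course or its tools folder), here is the version check from that exploit listing turned into a small shell script: it reduces a uname -r string to a number and tests it against an exploit's advertised range. The lookup table has a single row, the 2.6.22 to 3.9 range quoted in the Dirty COW listing above; any further rows are an assumption you would fill in from your own searching. Treat a match as a candidate, not a confirmation: distro backports mean the only real test is running the exploit, as the video does.

```shell
#!/bin/sh
# Added example (not from the course): compare the running kernel release
# against the version range an exploit listing advertises, the way the
# Dirty COW listing above says 2.6.22 to 3.9.

# Reduce "2.6.32-5-amd64" or "3.2.0-23-generic" to one integer:
# major*1000000 + minor*1000 + patch, so ranges compare numerically.
# (Assumes each field stays below 1000, which holds for mainline kernels.)
kver_key() {
    printf '%s\n' "$1" | sed 's/[-+].*//' |
        awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# kver_in_range VERSION LOW HIGH: succeed if LOW <= VERSION <= HIGH (inclusive).
kver_in_range() {
    v=$(kver_key "$1"); lo=$(kver_key "$2"); hi=$(kver_key "$3")
    [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# Constructed lookup table: name|lowest affected|highest affected. The only
# row is the range quoted in the Dirty COW listing above; add rows from your
# own searching (exploit-db, searchsploit, the kernel-exploits GitHub repo).
EXPLOIT_DB='Dirty COW (CVE-2016-5195)|2.6.22|3.9'

# match_exploits VERSION: print the name of every table row whose range holds.
match_exploits() {
    printf '%s\n' "$EXPLOIT_DB" | while IFS='|' read -r name lo hi; do
        [ -z "$name" ] && continue
        kver_in_range "$1" "$lo" "$hi" && printf '%s\n' "$name"
    done
    return 0
}

echo "Running kernel: $(uname -r)"
match_exploits "$(uname -r)"
echo "Candidates for the course box (2.6.32):"
match_exploits 2.6.32-5-amd64
```

Run it on the target with sh; the last two lines show the check against the course box's 2.6.32 kernel, which lands inside the quoted range, while a 4.x kernel falls outside it.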
Again, from the pentester perspective or the CTF perspective, kernel exploits are straightforward in the sense that we hunt down what kernel version we're running and we try to identify and see if there are any exploits available to us based on that kernel version. We can do it from a Google method, which I kind of prefer because it's just quick and easy, or we can utilize tools, and you saw the tools did identify that this was vulnerable as well. So that's it for kernel exploits. In the next section we're going to talk about passwords and file permissions and see what can be left behind on a machine that could be used maliciously by us. I'll catch you over in the next video.

Welcome to the passwords and file permissions section. In this section we're going to look at a few different escalation paths. We're going to look at stored passwords, which we've already kind of hunted in the earlier enumeration section; we're going to look for weak file permissions; and we're also going to look for SSH keys, and I will show you, once we hunt those down, how we can abuse them to gain escalation into the machine. We won't spend too much time on this, just a quick overview, so let's dive right into stored passwords.

The first topic we're going to look at is stored passwords, and like I mentioned in a previous video, one of the first commands I like to run when I get onto a machine is the history command. If we have access to the history command and can review history, it's great. We could type in history and see the history here. We can scroll through, and we actually do have a password here: you can see somebody tried to connect to MySQL with a user and password. Another thing, before we get into that, is that you can cat out the bash history. If you do an ls -la, you can see that hiding here is your .bash_history, so if we just do cat .bash_history you can attempt to see the bash history too. Now it's not as pretty as the other one, however it still works.

So let's type in history again; I just want to show you what we've got going on here. If we scroll all the way up and read through this, we can see that there was a username and password in here: we've got root and password123. You can see all the user's actions, what they were up to. You can see that the directory for linux-exploit-suggester was made, changes to files were made, and even some of the earlier hunting that we have done. But here we can look for sensitive items, and I have seen all kinds of crazy things in the history, from passwords to locations of sensitive items, or even just little tips that content creators leave behind for you to get an idea. Now, it's a very easy win. It doesn't always happen, but it's something you should be looking for. To prove the point on escalation, at least point one here, we can do a switch user to root, su root, and just type in password123, and we are now root. So that was a password found in a file.

Now, I've shown you the color-hunting way, where we have the red and it highlights the password; that little tip and trick came from PayloadsAllTheThings. If we scroll through PayloadsAllTheThings and come down to "Looting for passwords", just click on this, there's a second command. Here's that first command where we were hunting the passwords and we had color, it was all pretty. This find command works really well too for the directory you're in. We want to take a quick peek and see what we have in front of us. Say we just want to search in this folder right here, our home folder. Let me just clear the screen, paste this in, and search for the word "password" for anything here in our home folder. I'm going to execute that, and it works really fast. If you scroll through, it's going to be mostly WinPEAS all the way up to the top; it's going to be mostly our scripting. But if we come down towards the bottom, at the very, very bottom, look, it pulls bash history: it pulls that same MySQL command out where we see the root and password. But we also see this irssi config, and it says hey, "/msg NickServ identify", and we are using password321. Now, this box is built off of a lab that was pre-existing; this lab was modified by myself, and the original password in the lab was password321. So if we were hunting for passwords or anything here, you could see that this was actually stored in a file, sitting inside of a hidden file, this .irssi config file, in our directory.

That's one way of hunting for things. The other thing that you might have to do, and this can get really comprehensive, is: remember, we're utilizing manual commands, but we can also utilize things like LinPEAS to hunt, or even the exploit suggester. If we ls and cd into tools and ls again, actually LinEnum or LinPEAS are really great at this; the exploit suggester is not the one we want to run. Let's cd into linpeas and run LinPEAS here. This might take a second, and while we're doing this I'm going to talk through some other stuff too. Let's see if it pulls down anything; I actually don't know if it's going to or not, but what we're trying to do here is automate the hunting process, because it's going to do some hunting for us. You can see it's looking for a password here. We really want to hunt the passwords, and if this can do something a lot quicker than we can, I'm all for it. The other thing we might want to look into is doing manual review, so understanding the file system and seeing what's there when we're hunting these passwords and trying to elevate that way, and we'll cover that in just a second. We can scroll through here, and you can see that it's searching for "passw" of any sort, so it's looking for either passwd or password, and it's looking to see if it can find this anywhere in any sort of configuration. You can hunt through this and just see if there's anything in here that would indicate there is a password. You found the MySQL password here, so it's definitely highlighting important items that you might want to look for. I'm not going to spend too much time on this, but automating this process is a great way to do it too, so don't be afraid of tool automation; just, like we talked about in the beginning, understand what it's doing and why it's doing it.

Now, the last thing I want to show you: if we go back to our home folder and ls, we need to look around at what's in front of us. Sometimes it's not always clear-cut searching for a file or hunting down that configuration; sometimes it's right in front of our faces. Here we've got this myvpn.ovpn; it's an OpenVPN file. If we cat the myvpn file and take a quick peek, you can see there's an auth-user-pass here for this file. If we come in here and cat this out, you can see that the user "user" and the password password321 are actually stored in this file. So we have credentials for this user. Again, we had a user that used to exist with password321; that user doesn't exist anymore, however we still have them left behind in memory. So we have identifying items here that show hey, passwords are stored in files, we can find them, and they're not hiding too terribly.

Another thing I can show you, just some more command line kung fu, if you want to take this further: say you just want to do quick searches. Maybe you do history, and instead of looking through the entire history you just grep on "pass", and look, we immediately pull down "password". I don't know if I recommend doing that per se unless you're just doing a quick and dirty script like this; I like to read through the entire history when I'm going through it.
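Added example, not from the course: the three finds above (the MySQL password in history, the irssi config, the OpenVPN auth-user-pass file) as one script over a constructed home directory. The paths, file contents and passwords are made up to mirror the video; the patterns are the keyword greps the video leans on, plus a step that follows auth-user-pass references, which a keyword grep alone misses.

```shell
#!/bin/sh
# Added example (not from the course): a small password hunt over a home
# directory, built from the three things found above: shell history, a
# credential in a dotfile (.irssi/config), and a credential file referenced by
# an OpenVPN profile. Every sample file below is constructed.

setup_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/.irssi" "$d/tools"
    printf '%s\n' 'ls -la' 'mysql -u root -ppassword123' 'cd tools' > "$d/.bash_history"
    printf '%s\n' 'servers = (' \
        '  { address = "irc.example.net"; password = "password321"; }' ');' > "$d/.irssi/config"
    printf '%s\n' 'client' 'remote vpn.example.net 1194' 'auth-user-pass auth.txt' > "$d/myvpn.ovpn"
    printf '%s\n' 'user' 'password321' > "$d/auth.txt"        # OpenVPN: line 1 user, line 2 password
    printf '%s\n' 'README for tools, nothing sensitive' > "$d/tools/README"
    printf '%s\n' "$d"
}

# hunt_passwords DIR: print candidate credentials found under DIR.
hunt_passwords() {
    dir="$1"
    # 1. Shell history (what `history` shows): any line mentioning "pass".
    for h in "$dir/.bash_history" "$dir/.zsh_history"; do
        [ -f "$h" ] && grep -in 'pass' "$h" | sed "s|^|history $h:|"
    done
    # 2. Config-style assignments: password=..., passwd: ..., pass = "..."
    #    (the PayloadsAllTheThings grep reduced to one pattern). tools/ is
    #    skipped so your own scripts do not drown the output.
    grep -rIn --exclude-dir=tools -iE 'pass(word|wd)?[[:space:]]*[=:]' "$dir" 2>/dev/null |
        sed 's|^|config |'
    # 3. OpenVPN profiles: "auth-user-pass FILE" points at a two-line
    #    user/password file. No keyword matches inside it, so follow the link.
    find "$dir" -name '*.ovpn' 2>/dev/null | while read -r cfg; do
        awk '$1 == "auth-user-pass" && NF > 1 { print $2 }' "$cfg" | while read -r ref; do
            case "$ref" in /*) f="$ref" ;; *) f="$(dirname "$cfg")/$ref" ;; esac
            [ -r "$f" ] && printf 'ovpn %s -> %s: user=%s pass=%s\n' \
                "$cfg" "$f" "$(sed -n 1p "$f")" "$(sed -n 2p "$f")"
        done
    done
    return 0
}

SAMPLE_DIR=$(setup_samples)
hunt_passwords "$SAMPLE_DIR"
```

On a real box, point hunt_passwords at your home directory or / and expect noise; the value of step 3 is that it reports a credential the keyword greps in steps 1 and 2 never see.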
You might see more than just passwords in there: you might see configurations and sensitive files and stuff. But that's it, really, for the most part when it comes to password hunting. Again, I recommend utilizing scripting for this; it's going to be really difficult to hunt it down otherwise. But also don't be afraid to enumerate and look at what's in front of you, because scripts are going to pull down on certain keywords like "pass" or "password", but maybe there's a word in there that it's just not pulling down on, or maybe there's an authorized key or some specific configuration in front of you. And it may be that you have to run something like ps aux on this and see what services are running, and maybe some service running, like Apache for example, has credentials hidden inside of the web server. So you don't know where you're going to have to look; you just have to do that enumeration process, feel what's around you, and then start hunting the passwords. But this is to give you a basic indicator of what you're looking for and how you can utilize your tools to actually discover some of these passwords. So that's it for this video. In the next video we're going to cover weak file permissions and what we can do to abuse them.

All right, on to weak file permissions. When we're looking for weak file permissions, what we're looking for is: do we have access to a file that we shouldn't? Do we have executable or write access to a file we shouldn't? Can we modify something? Can we do anything malicious with files that we shouldn't be able to access as a user? In this example we're going to look at the /etc/passwd and /etc/shadow files and see how we can compromise a machine with access to those.

Let's first look at the file permissions. I'm going to do an ls -la and look at /etc/passwd, and then I'm also going to do an ls -la and look at /etc/shadow. Now, as a regular user you should have read access to /etc/passwd; this looks appropriate to me, so you can see we have read, read, so we have read access here. Now if we look at /etc/shadow, we should not have any read access whatsoever. The read/write or read access should be on root and root only, or the people that have the ability to access that file, such as administrators. But here we can see that we have read access as a regular non-admin user on this machine. So what does that mean? Well, we can access the shadow file. Let's talk more about what the passwd and shadow files are and why they're important.

First, let's cat out /etc/passwd. Now, /etc/passwd, I mean, it's called passwd, but it does not contain any passwords. This is why it's readable; it's world-readable to all users. This just allows us to identify what users are here on the machine, and we kind of talked about this already: we can see the user, we can see the groups, the ID, etc., that these users are a part of. Well, why is it called the password file? Back in the day, this used to actually store passwords in the passwd file. Now that's stored in the shadow file; all we get here is this wonderful little placeholder of an x. So this x is holding your password from your shadow file. If we actually cat out the shadow file, I can prove the point a little bit, and once we get a little bit more malicious with this you'll see what I mean as well. You can see here in the shadow file that we have this long hash, okay, and we'll talk about identifying this hash in a second. But we have this hash. Now if we were to plug this hash in for this x, that would fill in the blank; we would know here, as this placeholder, that okay, that goes into here, and that is this user. When they go in and try to log in with their password, if it ties to this hash, they get successfully logged in.

Now we can do a few malicious things. Unfortunately we don't have any read/write access, so I'm just going to talk theory behind this and still tell you how we can escalate this machine. If we were able to modify /etc/passwd, we could delete this x out of here. If there's no placeholder, then we don't have a password, and we could just sudo su or switch user into root and be fine; we'd log in as root. On the other hand, we could get rid of the password, or change the hash to a different password where we know what the hash is, and then we would be able to log in as root. We could also modify the groups of our user. Say we have this group of 1000; we could change this, or we could change our ID to zero, for example, and just become the root user. There are a lot of different things we could do if we can modify here. We can't modify, but that's not saying you won't be able to see that at some point; I guarantee at some point you're going to see the ability to modify a passwd or shadow file, so always keep your wheels spinning on what your file permissions are. Here we are limited in our file permissions, but we do have read access to the shadow file, which is a big, big no-no. This will get identified if you run this through any of the scripts that are in our tools; LinPEAS will pick this up very easily. I'm not going to show you that this time around, I'm just going to tell you it's going to get identified.

If we come in here, we can see we have a couple of different hashes: we've got our hash as the tcm user, and we've got the root hash. So how can we take advantage of this? Well, there are some tools we can utilize. What I like to do is copy out /etc/passwd first. So if you cat /etc/passwd and just copy the contents, I'm going to put this onto my machine. I'm just going to make a new tab, make this a little bit bigger, and then gedit, or whatever your favorite tool is (you can use nano, or vim, or vi if you're crazy), and just call it passwd, and paste that in there. Then we come through, grab the shadow file, copy all of its contents, come back into this other window and gedit a file I'm going to call shadow, paste this in, delete the extra line I copied, and save this.

Now we can utilize a tool called unshadow. If I type in unshadow, this is built into Kali; you can see it wants the password file and the shadow file. So we could just say unshadow passwd shadow, and look what this is going to do. It's going to come through here, and you see that placeholder, remember the x? Where the x used to be, it's putting that hash in there; it's just filling in that blank with the hash. This is what is called an unshadowed file. Let's copy all this detail here, and I'm going to do a gedit, and I'll call this unshadowed, although I'm not going to save this; I'm just doing this to quickly copy and paste. I'm going to delete all of these out; all I want are the users with hashes. I realize this is very small, so if you can't see this I'm sorry, but all I've done is deleted anything that didn't have a hash, so you should have a root and a tcm user at this point. Then all you're going to do from here is copy these. I'm copying these now. I'm just going to demonstrate; you can absolutely save this file and run this in your Linux, but I'm going to run this through hashcat on my Windows system just to show you, and we'll kind of cover that. So I'm saving this to a file on my Windows system.

We also need to identify the hashing type. If we go to Google and search "hashcat hash types", it's a good one to put in, and you should get the example hashes page here on hashcat.net. I'm going to click on that, and if you come through here, it's got all the different modes that we can run for hashing. What I like to do is just look at the hash: the hash starts with $6$. So if I do a Ctrl+F for "$6$", it immediately pulls up SHA-512, or sha512crypt, and you can see an example hash here, and it says hey, we've got 1800 on the mode here.

So what we're going to do, through the power of video editing (I just want to save a little bit of time), is I'm going to share with you my already-run hashcat output, just because it's a little slow to actually do a sha512crypt even with rockyou. This took a minute with rockyou, where most hashes take me a few seconds, and I'm running on a 2080 Ti, just for perspective. If I scroll up just a little bit, I took those two passwords and put them through hashcat here. I did hashcat64.exe because I'm running this on Windows, utilizing my GPU as opposed to the CPU of the VM I'm running; I did a mode of 1800, which we identified; I have my creds.txt and rockyou.txt; and I'm optimizing this with a capital -O. This scrolled through, we came in here, and we cracked one of the hashes: this $6$TV/ one, we'll go look it up, is password123, and you can see that we only cracked one out of two hashes. We know we cracked the root hash because we know tcm's password is hacker123. Now obviously hacker123 apparently is not in the rockyou list. That's okay; if you used any other wordlist you would probably find it pretty easily. However, we didn't crack it with rockyou, which I was surprised to see. From there we could easily just take the password that we uncovered for this user and elevate our privileges with a switch user to root, again with password123, and here we are, we are now the root user, based on the data that we saw in the shadow file.

So this boils down, again, to permissions that are excessive. It's always important to look for these things and just see where we have access. Again, the quick wins are looking at the history, looking at sudo, and then starting to look at file permissions. These are things that I would, again, identify with a script; it's just a lot easier to look at your script as it rolls through.
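Added example, not from the course and not John the Ripper's unshadow: the permission check, the unshadow merge and the hashcat mode lookup from above as shell functions over a constructed passwd/shadow pair. The hash strings are placeholders; the only real facts used are the two file formats and the hashcat mode numbers for the crypt(3) prefixes.

```shell
#!/bin/sh
# Added example (not from the course): the /etc/passwd and /etc/shadow checks
# above as functions: is the shadow file readable by everyone, merge the two
# files the way `unshadow` does, keep only entries with a real hash, and pick
# the hashcat mode from the hash prefix. The passwd/shadow content and the
# hash strings below are constructed placeholders, not real hashes.

# world_readable FILE: succeed when the "other" read bit is set (ls -la
# shows r in the 8th column). stat -c is GNU; ls -ld is the fallback.
world_readable() {
    perm=$(stat -c '%A' "$1" 2>/dev/null || ls -ld "$1" | cut -c1-10)
    case "$perm" in ???????r??) return 0 ;; *) return 1 ;; esac
}

# unshadow PASSWD SHADOW: replace the x placeholder in passwd with the hash
# field of the matching shadow line (what John the Ripper's unshadow does).
unshadow() {
    awk -F: -v OFS=: '
        NR == FNR { hash[$1] = $2; next }              # first file: shadow
        $2 == "x" && ($1 in hash) { $2 = hash[$1] }    # second file: passwd
        { print }' "$2" "$1"
}

# crackable_only: keep lines whose hash field starts with $ (drops *, !, !!).
crackable_only() { awk -F: 'substr($2, 1, 1) == "$"'; }

# hash_mode HASH: hashcat -m value for the crypt(3) prefixes seen in shadow.
hash_mode() {
    case "$1" in
        '$6$'*)                   echo 1800 ;;  # sha512crypt, the $6$ above
        '$5$'*)                   echo 7400 ;;  # sha256crypt
        '$1$'*)                   echo 500  ;;  # md5crypt
        '$2a$'*|'$2b$'*|'$2y$'*)  echo 3200 ;;  # bcrypt
        '$y$'*)                   echo "yescrypt: no hashcat mode, use john" ;;
        *)                        echo "unknown: check the hashcat.net example hashes" ;;
    esac
}

# --- constructed sample data ----------------------------------------------
WORK=$(mktemp -d)
PASSWD="$WORK/passwd"; SHADOW="$WORK/shadow"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
              'tcm:x:1000:1000:tcm,,,:/home/tcm:/bin/bash' > "$PASSWD"
printf '%s\n' 'root:$6$rootsalt$CONSTRUCTED_ROOT_HASH:18000:0:99999:7:::' \
              'daemon:*:18000:0:99999:7:::' \
              'tcm:$6$tcmsalt$CONSTRUCTED_TCM_HASH:18000:0:99999:7:::' > "$SHADOW"
chmod 644 "$PASSWD"; chmod 640 "$SHADOW"   # 640 root:shadow is the usual Debian setting

if world_readable "$SHADOW"; then echo "shadow is world-readable: big no-no"
else echo "shadow is protected (expected)"; fi
unshadow "$PASSWD" "$SHADOW" | crackable_only > "$WORK/unshadowed"
cat "$WORK/unshadowed"
first_hash=$(head -1 "$WORK/unshadowed" | cut -d: -f2)
echo "hashcat mode for first hash: $(hash_mode "$first_hash")"
```

Swap the two sample files for real copies of /etc/passwd and /etc/shadow and the unshadowed output is the creds file to hand to hashcat with the mode hash_mode prints.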
Looking at what your script rolls through and seeing what's there, this one would absolutely light up like a Christmas tree, or whatever tree, on a script. So just keep in mind, start thinking about these things: what files should I be looking for? I've actually had this question come up in interviews before, in terms of hey, what sensitive files would you look for on a Linux system? So keep your wheels spinning. This is just one example of how we can utilize weak file permissions to elevate to root on a machine. So that's it for this video. In the next video we're going to quickly cover how to hunt SSH keys and abuse that functionality.

All right, last video in this section. Let's talk about hunting for SSH keys. We're going to utilize the PayloadsAllTheThings website. If you go back here under the "Looting for passwords" section and scroll down just a little bit, there is this SSH key sensitive files part, and you can see that we're either going to be looking for authorized_keys or an id_rsa. Let's hunt for both of these really quick and then we're going to talk about what these are. I'm just going to copy and paste these commands in and see, okay, are there any authorized_keys on this machine? Not that we can access, at least. What about the other one? Let's check for the id_rsa; I'm going to paste that, and okay, we do find a backups/supersecretkeys/id_rsa.

But before we get into that and how to abuse it, what are authorized keys and what's an id_rsa? Well, with SSH we can do something like ssh-keygen, and that is something we can run to generate some keys. Now these keys are what is called a key pair: we get a public key and a private key. The public key would be copied to an SSH server, and we'll leave that key on that server, and that's how it knows how to identify us as who we are. We also have what is called an authorized key, or a private key; actually, the authorized key, sorry, the public key would be stored in the authorized_keys file, and the private key on our end is something that we keep. So the user keeps the private key, and the authorized keys are stored in the authorized_keys file. What we're checking to see is: are there any authorized keys? Who has SSH access? What can we find about this? Do we have anything called an id_rsa on our side? What we're looking for is id_rsa, which is a private key, our private key. Now if we're looking through files and we see, well, there's a backup of an id_rsa, maybe that backup is utilized somewhere. So if we go and look at this, let's just cat out backups/supersecretkeys/id_rsa. It really doesn't tell us too much; it just says OPENSSH PRIVATE KEY and then you see the private key information. So we don't have a lot. Well, if we don't know where it goes, we can just take a shot in the dark with this. This could easily go to another server; we don't know where it goes, but we have discovered a key, and this key will allow us SSH access to a machine.

So what we can do is open up a new window on our end, and I'm just going to gedit a file I'll call id_rsa, which I may already have in here. I do; it might be the same one. It's not. Let's save this, and what we'll do is SSH into this server as root and see if we can get access to it. I'm going to exit out of here, because I've forgotten the IP; it's .4.67 on my end. Okay, I'm going to come back here and do ssh -i; actually, I'm not. First we're going to chmod, change the mode to 600, I do believe, on id_rsa, and we'll see if I'm correct. Then we're going to ssh -i id_rsa, so we're going to use the private key that we have generated here, and then we're going to try root@192.168.4.67.

And there you go, we are now logged in as root. So instead of having to use a password, we're utilizing a private key. Now somewhere in this root folder, if we ls -la, we can see there's a .ssh folder. We can cd to .ssh and ls -la here, and you can see there's an authorized_keys file. In the authorized_keys file, if we cat authorized_keys, you can see that there is a root@kali. This is me; I generated this key, and this is how I have access. But you can utilize that same key pair; it's looking for that key pair. So this is the public key, and then we're looking for the private key, which we have access to, and that's how we are able to gain access to this machine. Hopefully the public/private key pairs make sense. We are just hunting for anything when we're looking on these machines; we're just hunting for a quick win, and this is again another quick win. We don't know where it goes; we have to just try it out and see. But this is very, very common from a CTF standpoint when it comes to looking for keys like this, and even from a pentest standpoint: if you end up on a Linux machine and you want to see if you have any sort of id_rsa or any sort of keys that can leverage you to pivot to another area in the network, it's always worth looking for.

So that is it for this section. We're going to move on to one of my favorite types of escalation, which is sudo privilege escalation techniques, and we've got a bunch to cover, so I will see you in the next section when we cover sudo.

Welcome to the escalation path section on sudo. Sudo is probably my favorite escalation path, and I'm really excited to teach it. Really quickly, what is sudo, in case we don't know? Well, according to the man page, it is something that allows a system administrator to delegate authority to give certain users or groups of users the ability to run some or all commands as root.
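Added example, not from the course: the SSH key hunt above done by file content instead of only by the names id_rsa and authorized_keys (a backup key can be called anything), a listing of what each authorized_keys file grants, and the chmod 600 step before ssh -i. The directory tree, key body and host names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the course): hunt for SSH key material by content
# rather than only by filename, list what authorized_keys files grant, and
# stage a found private key with the 600 mode ssh insists on before `ssh -i`.
# The directory tree and key bodies below are constructed placeholders.

setup_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/backups/supersecretkeys" "$d/.ssh" "$d/notes"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'CONSTRUCTED-KEY-BODY' '-----END OPENSSH PRIVATE KEY-----' > "$d/backups/supersecretkeys/id_rsa"
    chmod 644 "$d/backups/supersecretkeys/id_rsa"   # readable by us, but too open for ssh -i
    printf '%s\n' 'ssh-rsa AAAAB3CONSTRUCTED root@kali' > "$d/.ssh/authorized_keys"
    printf '%s\n' 'ssh-rsa AAAAB3CONSTRUCTED tcm@debian' > "$d/notes/id_rsa.pub"   # public key, not loot
    printf '%s\n' "$d"
}

# find_private_keys DIR: files whose first line is a PEM/OpenSSH private key
# header, whatever they are named (the find above only matched the name id_rsa).
find_private_keys() {
    find "$1" -type f -size -64k 2>/dev/null | while read -r f; do
        if head -1 "$f" 2>/dev/null | grep -q '^-----BEGIN .*PRIVATE KEY-----$'; then
            printf '%s\n' "$f"
        fi
    done
}

# list_authorized_keys DIR: for every authorized_keys found, print file, key
# type and comment (the "root@kali" seen above); the comment hints at the origin.
list_authorized_keys() {
    find "$1" -type f -name authorized_keys 2>/dev/null | while read -r f; do
        awk -v file="$f" 'NF >= 2 && $1 !~ /^#/ {
            print file ": " $1 " " (NF >= 3 ? $NF : "(no comment)") }' "$f"
    done
}

# key_mode_ok FILE: ssh refuses a private key that group or others can read.
key_mode_ok() {
    perm=$(stat -c '%A' "$1" 2>/dev/null || ls -ld "$1" | cut -c1-10)
    case "$perm" in ????------) return 0 ;; *) return 1 ;; esac
}

# stage_key SRC DEST: copy the key to our own path with mode 600 and print DEST,
# ready for: ssh -i DEST user@host
stage_key() {
    cp "$1" "$2" && chmod 600 "$2" && printf '%s\n' "$2"
}

TREE=$(setup_tree)
STAGE_DIR=$(mktemp -d)
echo "private keys:";          find_private_keys "$TREE"
echo "authorized_keys grants:"; list_authorized_keys "$TREE"
KEY=$(find_private_keys "$TREE" | head -1)
key_mode_ok "$KEY" || echo "$KEY is too open for ssh -i, staging a 600 copy"
STAGED=$(stage_key "$KEY" "$STAGE_DIR/id_rsa")
echo "now try: ssh -i $STAGED root@TARGET_IP   (TARGET_IP is a placeholder)"
```

Run find_private_keys against / on a target to catch keys that were renamed or backed up; the key type and comment from list_authorized_keys tell you whose key a server already trusts, which is the hint for where a found private key might log in.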
allows us to run a command as root and we're going to see how we can abuse that functionality in this section now we've got five different ways that we're going to abuse that we're going to do pseudo shell escaping we're going to look at intended functionality we're going to look at LD preloads and then we've got a couple of new 2019 cves that I want to share with you and are pretty exciting as well so all in all we're going to start getting into actual box exploitation we're going to have three boxes in this section that we're going to try to compromise and then we're going to try to escalate so we're going to start to get Hands-On practice now moving forward through each section in this course so let's go ahead and Dive Right In we're going to start talking about pseudo shell escaping so I'll see you over in the next video all right first up our pseudo shell escapes so if we do a pseudo Dash L on our machine we go sudo Dash l we can see that we have the option here for quite a bit of things if we're looking with root no password we can run quite a few things here as root now if I'm looking at this and I'm saying well I can run something as root I don't have to provide a root password how can I abuse this to escalate to root so we could do what's called shell escaping I'm going to actually show you a great resource so if we go to Google and we go GTFO bins I'll leave it to your interpretation to what that means but GTFO bins and you open this in a new tab you can search amongst binaries let's take a look at one of them that we have we have access to well Vim is a good one let's take a look at Vim so let's go back and we're going to go here and go to Vim we'll search that okay and let's click into Vim here on the binary and it says okay if you have a shell it can be used to break out from restricted environments by spawning an interactive system shell that's great we can get a reverse shell with them we can get a non-interactive reverse shell bind shell we can do 
file uploads file downloads file write read suid-is sudo so I want you to be aware of all the things that you're seeing here this GTFO bins this is an amazing amazing resource this is something that I utilize all the time when I'm trying to take advantage of privilege escalation especially when it's related to pseudo or I see some sort of item or binary that's running that I have no idea what it's doing so this could be from a shell functionality like you saw it could be hey I want to get a reverse shell using that tool can I do that or maybe there's seoid which we haven't talked about yet but we'll probably come back to GTFO bins for that there's a lot of things here that we can utilize and right at the top all we have to do is Click sudo and it says hey we can maybe do a shell escape sequence here with sudo so let's go ahead and try we could just do sudo uh vim and then we can try this Command right here so this is going to use sudo it's going to say hey we're going to utilize vim and then we're going to issue this bin sh and hopefully get a shell as the root user so let's go ahead and paste that and see what happens okay we've got an sh shell it's not bash but it's sh we can do who am I and we are now root on this so we just utilized that pseudo easily to switch over to uh and over to switch to root so that's an example of a shell escape sequence now there are quite a few that we can do let's see if we can exit here and okay let's uh we're still in we're still in Vim let's do a quit okay now we're back into TCM here so if you didn't catch that I typed exit enter and then if you do a queue like that you can quit out of them okay so we have other ones that we can do so let's take a look at one of those what about awk awk this one's interesting right let's see if we have a escape sequence for this so if we go back to GTFO bins and we let's just go back one or two we type in awk okay and then from here I'm just going to go right into hey I've got pseudo privileges 
what can I do with pseudo privileges and then we could do this pseudo awk begin system bin sh let's go into here I'm going to go ahead and paste this and then I'm just going to make this bin bash this time around hit enter and look who we are we are no other than root so because we have pseudo privileges because we have access to this binary some of these binaries have functionalities that allow us to escape and we can get into a root user just by doing this now this is awesome GTFO bins is one of the best resources out there now I'm going to show you one other resource as well so I'm going to provide the GTFO bins and I'm going to provide this resource which is try hack me and this try hack me box that I'm going to show you here is completely free so you can see it's a free room and this box is called Linux prevask playground so if you go to room prevas playground I'm going to link this in the resources as well you can come in here and this box has 80 suid and sudo priv asks it says likely many more okay we haven't gotten to suid yet but I want you to take note of this because this is a great way to practice and if you're ever curious you can go into the write-ups and you can start opening some of these up and you could see okay somebody did an escalation via Vim so obviously there's a Vim one in there but you can come through here and see okay what type of escalations are in here and what are people doing so somebody's doing a write-up for all the suids right here here's some for pseudo and all the shell escapes if you actually look it's kind of hard to see but if we make this really big you could see the sudo-l entry with no password there are all kinds of no password entries so if you want somewhere to come in practice these this one is a great one to come practice and just understand what you're looking at and getting just experience to different types of binaries and how to exploit them so again your best friend in these situations especially with Sudo is 
GTFO bin so if I see a pseudo-l and I see something in here I'm coming right to GTFO bins and just pulling this down so hopefully that makes sense from here what we're going to do and if you want to practice by the way before I move on to the next video if you want to practice I encourage you to come through and see if you can exploit any of these other ones and gain access with that so I'm only showing you two but there's plenty in here to do uh and and gain access to abuse functionality and gain root on these machines so from here we're going to move on and we're going to quickly look at intended functionality of sudo and see how we can escalate via that so I'll catch you over in the next video all right now let's talk about exploiting sudo with intended functionality so let's talk about this from a different perspective if we do a pseudo Dash l let's pretend that we are a or an administrator we're a web site administrator and we need access to this Apache 2. it's part of our job to utilize Apache 2 to maintain the website do whatever we need to do now if we were to go to GTFO bins and we come in here and we type Apache well we can look right here it's not in here but maybe there's some sort of intended functionality in Apache 2 that we can issue or run as and gain access to something so what if I go to Google and in Google I say okay I know I've got Apache I know I have sudo and I could say privilege escalation we could even do Apache 2 that's fine and the first thing that comes up says abusing pseudo Linux privilege escalation so we come in here and it looks like it's a little guide they've got a bunch of different ones so maybe we'll just copy and we'll do a control F and find this and I'm gonna make this website a little bigger so that we can see it uh and then we can see if we scroll down here it says using Apache command sadly you can't get shell and you can't edit system files but you can view system files okay so there's an intended functionality of 
apache that will allow us to view system files, and I have seen this in other places. Let's take a look. So it says, hey, why don't we run sudo and try to view the /etc/shadow file. Okay, we know we can view the shadow file, but let's pretend that we couldn't view this shadow file otherwise. Let's go ahead and just paste this, and you can see that we can view the shadow file here. We see the root right here, so we're seeing the hash here for root in the shadow file. So we're able to abuse this.

Now I've seen some very, very creative uses of intended functionality. One of the best ones that I've seen was utilizing wget to do something very similar, and let me show you that really quick. This is from a write-up that I did a while ago, but I kind of want to share this with you, and I'll share it as something that you can look at on intended functionality. This is a Hack The Box machine called Sunday, and you can tell my love for Borat here. But if you come down, once we get into the actual escalation part, and we come in where the user runs sudo -l, you can see that we have a /usr/bin/wget, and okay, well, maybe this user was given the privileges to run wget because they needed to download files or they needed to grab files from a web server, etc. But if you do some digging on wget, there is functionality of it that allows us to exploit this machine. If we scroll down just a little bit, you can see that I ran a sudo wget, and then there was a --post-file option that allows me to select a file, which of course I picked /etc/shadow, and I transferred it to myself. I was listening here over on netcat, and I transferred, and look what I did: I grabbed the root hash. Similar to what we did with apache2 here, it's intended functionality of this specific binary, but we were able to abuse it in a way where we could transfer a file or gain some sort of escalation. So I'll share this with you as well in terms of the article, but just be thinking: just because there's nothing,
if we do a sudo -l and you come to GTFOBins and there's just no sort of escape or any way to abuse it, that doesn't mean there's not a way around, or there's not something that we can do to utilize that feature still to gain access and escalate the machine. So always be thinking outside the box. Definitely work on your Google skills and make sure that you can search some of these things and try to hunt these down; they're not always as obvious. I remember when I was doing this wget, I read through the man pages of wget until I understood the complete functionality, because my initial thought was wget, you could only get things, right? That's the whole functionality of wget. But that's not true; there's a way to actually export as well. So very, very cool feature, and it took a lot of research, but that's sometimes what it takes, and that's why I wanted to show you this example. So that's it for this one. We're going to go ahead and move on to the LD_PRELOAD and see why that is vulnerable. So I'll see you over in the next video.

Now on to escalation attacks via LD_PRELOAD. This is going to be a somewhat complex topic, but we're going to introduce it at a high level, and what I want you to take away from this is how to identify the vulnerability and how to exploit the vulnerability. There are going to be descriptions of everything and you might not understand all of it, and there's going to be C code and you might not know C, and that's absolutely fine. I'm going to do my best to walk you through it. If you find that you should need more information, feel free to go look for more information as well. But again, very high level: you just need to understand why we're identifying the vulnerability and how to exploit it. So let's go ahead and do a sudo -l, and here you can see that we have this environment variable, or it says LD_PRELOAD. Okay, and what is LD_PRELOAD? Well, it's also known as preloading. So preloading is a feature of the ld, if you've ever seen ld, which is the dynamic
linker, and that's available on most Unix systems. So what we're doing is we're going to be preloading a library, a user-specified shared library, before any other shared libraries are loaded. Meaning we're going to run sudo here with this LD_PRELOAD, and we're going to run it on any command that we want, but we're going to be able to execute our own library and preload that before we run anything else. So remember, we're loading before all other libraries. Okay, so we're going to make a malicious library in order to do that.

And so what we're going to do here is we're going to make a file. We'll just use nano; we'll say nano, and we'll just call this shell.c. Okay, so we're going to write this in C, and we're just going to write it like this. We're going to say #include, and we're going to include the standard input/output (stdio.h), we're going to include sys/types.h, and we're also going to include the standard library (stdlib.h). All right, now that we've got those set up, we're going to go ahead and just do a void _init() right here, and we're going to declare a few things. So let's talk about what we're declaring. First things first, I'm just doing four spaces for these: unsetenv, and we're going to do "LD_PRELOAD". And then once we do that, what we're going to do here is we're going to set a setgid of 0, and we're going to also... and I missed something up here, this is important: our code would not have run without that. setgid(0), setuid(0). And what do we think those indicate? I'll let you think about it here for a second; we'll cover the code here once it's all typed out. And then we're going to do a system("/bin/bash"), then we're going to close this off.

All right, let's think about this code here. So up at the top we are including our standard I/O, our standard library, and our sys/types, and then we're coming down here and we're just saying, hey, I want to unset an environment variable, which is just this LD_PRELOAD, and then I'm going to go ahead and set GID, or group ID, of 0, UID, or user ID,
of 0. Who is 0 in our system? That's root. And then I want system to execute /bin/bash when I do this. So we are doing this all through the preload feature, so we're going to preload this. So how we're going to export this is as an .so; we're going to preload the .so and then we're going to execute it. So let's go ahead and Ctrl+X, and we'll save this with Y, hit enter, and then we just need to go ahead and gcc this. So we're going to compile this with gcc. We're going to do -fPIC right here, which I actually had to look this one up; this means position-independent code, that means regardless of where your shell addressing is, this is going to function. We're also going to need -shared, and then we're going to take our output, we'll just call this shell.so, and we need our file that we're compiling, which is shell.c, and lastly we're just going to say -nostartfiles. Okay, and then we're going to hit enter. Now that that's compiled, what we can do here is we can do an ls; you can see the shell.so is here. So all we need to do now is run sudo LD_PRELOAD= and then we just use our shell.so here, and then all we have to do is we just have to say something we can run as root. So it could be like apache2, awk, vim, it doesn't really matter, anything that we can run as sudo here. So we just select apache2, hit enter. Ah, I have messed up. Okay, so shell.so, that's accurate, but we need to call the full path. So let's call this out as /home/user, or wherever you put this file, /shell.so. Now let's try that again, and now we are root. Okay, so we took that file; remember, in our C file we said, hey, I want to become root, I want to execute /bin/bash, and once we did this, it took this preload, it executed this first, and then we are now root because we executed that first. So this LD_PRELOAD, being able to preload a library, it's Bad News Bears. All right, and that's really what I want you to know. I want you to know, more so than anything else, that if you run a sudo -l and you see LD_PRELOAD, your little Spidey
senses should be going off, and then how you can generate this very, very basic code. You don't have to remember it, you don't have to understand the full functionality, though it helps, but you just have to say, hey, LD_PRELOAD, I remember seeing that, I'm going to go look up how to privesc that. You can copy code that's out there already, compile it, and then you are good to go. So that is it for this video. From here we're going to put you to a test now and see how well you have been following along. We're going to do a challenge machine here coming up, and then we'll continue on with more sudo lessons. So I'll see you in the next video.

Welcome to your first challenge machine. So all the machines we're going to do in this course are on TryHackMe, and now that we've played around with sudo a little bit, I want to see where you're at in skill set. So what we're going to do is we're going to go to tryhackme.com, and you can go ahead and click on Activities, and in here we're going to specifically search for Simple CTF. So if you start typing in "simple" you could see "beginner level CTF," and we're going to start easy; we're going to see how you've fared so far. So what we're going to do is I just want you to go ahead and join this room. So once you're logged in, click on Join Room, and then go ahead and deploy this machine. Once you deploy, you can go through if you want and answer all these questions, but your main goal here is to, one, get access to the machine at a low level, and then two, root the machine completely. So once you're done with that, go ahead and move on to the next video. We'll cover a walkthrough, I'll cover my methodology, and we'll move on with that. If at any point you get stuck, you can watch the video; there are also plenty of write-ups here for this machine, so if you're curious to see how other people did it, you could also look at the write-ups and go from there. So I will catch you over in the next video as we walk through this machine.

All right, let's walk through this machine,
shall we? So I deployed the machine. I am at 10.10.149.152 while I'm attacking this, and I could see that port 21 for FTP has come back; we have anonymous login. I also see port 80 for Apache, and then I see port 2222, which is actually running SSH. Now we should do our standard checks across the board, make sure that there are no exploits for any of these: the vsftpd, the Apache, or the OpenSSH. Assuming we did those checks and moved on, then we can continue on without any exploits being available there. I would always go check the FTP first, so let me go ahead, I'm going to copy this so that way I don't have to keep doing... oh, they have a nice little copy feature, that's new. Okay, I'm going to go ahead and just paste this here, and then we're going to try to FTP anonymously and see what's available in this folder. So I'll do anonymous, and then let's do ls, and they've got an FTP folder, it looks like. With cd into FTP: failed to change directory. Looks like we're not able to do anything in here. Maybe we can put files, but if we don't have a way to execute, then this probably isn't the best path to go, which leads me to believe maybe that we start looking at the web path for now, because port 2222, that's great, SSH, but if there's no vulnerability here, and unless there's a weak password or something in use, then it's likely that we're going to have to attack the web server and just go that route. And I can see there is an openemr 5013 entry and the robots.txt, so that could be something that we explore. Let's go ahead and just go out to the web, and you can see it is just an Apache default page. Now when we try to go out to this file here, this directory, you're going to see that it doesn't have anything associated with it, so let's go ahead and try it, and it's actually not found. So we don't have any indication here. We're seeing that we're running on 2.4.18, we're going against an Ubuntu machine, but other than that we really don't have any indicator. So I'm going to dive into the toolkit
instead, and I'm going to go ahead and try to do some directory busting. Now, depending on which tool you like to use here, that's absolutely fine: DirBuster works fine, dirb, any of those will work, gobuster. I'm going to use dirsearch, which I am becoming more and more fond of. So I'm going to go ahead and cd over to /opt, and once I run this I'll show you where you can get this from as well. So the command is something along the lines of python3 dirsearch.py -u URL, and then we're going to do http://, and of course I had already copied the http, so let's do that. And then I like to search for... well, we know that it's running Apache; I'm going to do php and html on this, and then I'm going to exclude a few things: I don't want to come back with any 400s, 401s, or 403s. And before I run the search we'll go out and just show you dirsearch. Actually, I'm going to execute this and I'm going to go show you dirsearch while this is searching. So if you want dirsearch, all you've got to do is go to Google, type in dirsearch, and you can see the first link that comes up is right here. This is great; I will put this in the resources of this video as well, and all you've got to do is follow the instructions: just do a git clone on this, cd into the dirsearch, and then execute dirsearch. No installation, nothing really needed, so it works very, very well. And this is going to run; we'll see how it does here. It's at 30 or so percent, we'll see how it does. I'm going to go ahead and pause right here and then I'm going to come back, so you pause as well if you need to, if you're following along. If you've already done this, then just go ahead and keep watching the video.

Okay, so the task just completed, and you can see here that it brought back a 301, which is a redirect, on /simple. So let's go ahead and just open this link and see what happens here. It says "Home - Pentest It" and it says CMS Made Simple. So this is a simple CMS; we've got version 2.2.8. You can searchsploit this, you can do whatever you want. I'll make it bigger
so you can see down here, but CMS Made Simple version 2.2.8. So if we go out to the Google machines and we just say "CMS Made Simple," ah, look what comes up: 2.2.8 exploit. I haven't done one of these before, I remember it, so I know that there is, and we can see here, a SQL injection vulnerability that was discovered, and yes, this is 2019-9053, so it's actually fairly recent. Let's go ahead and go to the Exploit Database and see what they've got, and here we go: 2.2.10 or older, we've got SQL injection. So let's go ahead and see what they've got. I'm going to just download this Python script, it looks like. So I'm going to download the Python script, save it, and what it's saying is we're going to need a URL, a wordlist, and a -c for crack as an option. So let's go ahead and go over to our Downloads, or wherever you saved it, cd to Downloads, and I'm going to just python3 this and see what happens. And this one was 46635.py. And maybe it's just python, not python3; let's try that. There we go. Okay, so we need to specify URL: example usage, no cracking password; example usage with cracking password, and we need to provide a wordlist. So what I'm thinking here is we do a -u for URL and we just go http://, and we'll grab this URL that we found. Actually, we'll just grab this whole thing, and I'm going to paste this back into here, and then we're going to do a --crack like it says, and then we're going to do a -w, and then we need a path to a wordlist. I'm going to go ahead... so this is going to try to crack passwords of hashes that it gets and pulls down. I'm going to try with the worst 100 passwords. So I'm going to go out to Google, and if we do "worst 100," or how about "top 100," SecLists is my favorite. You could see 10 million password list top 100, so that's the one I want to use, and again I'll link this in the resources as well. But let's grab this data; I'm going to copy it, and then I'm just going to open a new tab here, and I'm just going to do gedit top100.txt. How
about that. Paste and save, and we'll see if this one works. We'll go in, and then I'm going to provide that wordlist, and then we'll just do top100.txt. Should have saved, should be there. See if it works. Okay, and I'm going to let this run, and we'll see how we fare when it's all said and done. So go ahead, and I'm going to pause the video on my end; if you're just watching, go ahead and keep watching.

All right, so we get the results back, and we get a username, we get an email, we got a password hash with the salt. It didn't crack for us, so it looks like the 100 wordlist is probably too small; we probably needed something a little bit bigger. We can copy this and kind of go out and see, if we just go to Google, if there's anything out there for it. I already did a little bit of looking, but yeah, you could look through like MD5 lists, or you could see that there's MD5 hashing, you can go check and see if there's any sort of wordlist out there. Now it did pull up on the Simple CTF that it was "secret." We absolutely could go back and do this again with a better wordlist or a longer wordlist; this just took about, I don't know, 10 or 15 minutes to actually get through this part. So I'm going to let this just kind of go this time; we'll just do "secret." But just know, if you got it, good job, you utilized the right wordlist; if not, Google is your friend. You can search for these things, hunt them down when it finds the hash like this as well. So I'm going to go ahead and just cheat a little bit. We're going to go and now try to SSH into this machine utilizing the credentials that we found. So what I'm going to do here is I'm going to go back to TryHackMe and copy this address, and I just want to try to SSH here. So we're going to say ssh, and we'll do mitch@, and then we'll just paste this, then we're going to go ahead and do port 2222. We'll type in yes to accept this, and then we're going to say "secret" as the password. All right, and now we are the low-level user. So let's talk through methodology
here. What are some things that I told you would work really, really well if you were attempting a machine? While we're on here we can try quickly just doing history and seeing what the history is: no history found. We could do ls -la, and we could try to cat the .bash_history if we want and see if that works. Okay, so we see the user flag here; you can see somebody made the user flag, "good job, keep up." So you can see a little bit of history from whoever was in here making this box, but no credentials or anything. So the next thing I want to check is sudo -l; quickly check that, and looky there, we've got a root, no password, /usr/bin/vim. Where have we seen this before? We have seen this before with the sudo challenges. So what might we do here? Well, we can do a GTFOBins, remember the GTFOBins, and we can just go do that real quick, GTFOBins, and see what happens with the vim here. So I'm just going to do vim and we'll do sudo, click on that, and sudo vim here; let's try it, see if it works. Okay, got some weird stuff back. Let's see, id, are we still... no, we're root, it worked, just did some weird stuff there for a second. So it did elevate us. There are other ways to do this, by the way; you don't have to do... we're executing a command, so there's a way if you just go sudo vim and you go into vim, and then you come in here and you just do bash, you do an exclamation bash, :!bash, when you come down here like this, you should be able to exit and be on bash as well, and see, here we are as root. That would work just as fine, but this little one-liner command works as well. So things to think about, takeaways there. But this was your first challenge, so we're going to continuously do boxes through here, and of course, if it's in the sudo section, pretty good chance that it was going to be sudo. So my hope for you at this point was that you used your simple enumeration skills that you've learned so far, and you took that and applied it to this machine, and you were able to root the machine. It was
pretty straightforward in the sense of how to find access; you just had to do a little bit of directory busting, get access to that, and then just be really patient with the exploit because it does take a while. So after that you get on the machine, and you can see that getting root really wasn't that bad; it was something that we actually had seen before, and you now have a little bit more practice. So from here we're going to go ahead and talk about a couple of different CVEs that have recently come up in the last year or so. So these are 2019 CVEs, and they both apply to sudo, so we're going to cover those, and we actually have walkthroughs for those too via TryHackMe. So let's go ahead and cover the first one; I'll meet you in the next video and we'll discuss it more in depth.

Okay, on to some more recent vulnerabilities. So this first vulnerability is from 2019. You can see the release date on this is 10/15/2019; that is less than a year ago at the time of recording, and you can see the CVE was CVE-2019-14287.
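Here is an added, defender-side example that is not part of the course: a small Python audit that reads `sudo -l` and `sudo -V` output and flags the things this course teaches you to spot, namely LD_PRELOAD kept through env_keep (the preload lesson above), NOPASSWD entries for binaries with GTFOBins shell escapes or intended file-read functionality (vim, awk, apache2, wget), the "(ALL, !root)" entry behind CVE-2019-14287, and pwfeedback on a sudo older than 1.8.26 for CVE-2019-18634 (the version the course quotes from the TryHackMe write-up). The sample `sudo -l` text is constructed to resemble the listings shown in the course; the 1.8.28 fix version for CVE-2019-14287 comes from the upstream sudo advisory rather than from the course, and the Entry class and function names are my own.

```python
"""Defender-side audit of `sudo -l` / `sudo -V` output for the patterns this course
covers: LD_PRELOAD kept through sudo, NOPASSWD binaries with known shell escapes or
file-read behaviour, "(ALL, !root)" runas lists, and pwfeedback on old sudo versions.
Added example; not code from the course or from the sudo project."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample modelled on the `sudo -l` listings shown in the course.
SAMPLE_SUDO_L = """\
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, pwfeedback

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/awk
    (root) NOPASSWD: /usr/sbin/apache2
    (root) /usr/bin/wget
    (ALL, !root) /bin/bash
"""
SAMPLE_SUDO_V = "Sudo version 1.8.21p2\n"  # constructed; the course's box reported 1.8.21p2

# Binaries demonstrated in the course. "shell": GTFOBins shell escape.
# "read": intended functionality that still exposes files such as /etc/shadow.
KNOWN = {"awk": "shell", "vim": "shell", "apache2": "read", "wget": "read"}

# Version thresholds. 1.8.26 for CVE-2019-18634 is the figure quoted in the course;
# 1.8.28 for CVE-2019-14287 comes from the upstream sudo advisory, not from the course.
FIXED_18634 = (1, 8, 26)
FIXED_14287 = (1, 8, 28)


@dataclass
class Entry:
    runas: str       # contents of the parentheses, e.g. "root" or "ALL, !root"
    nopasswd: bool   # NOPASSWD: tag present
    command: str     # the command spec


def parse_version(sudo_v: str) -> Tuple[int, ...]:
    """'Sudo version 1.8.21p2' -> (1, 8, 21, 2); a missing patch level becomes 0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", sudo_v)
    if not m:
        raise ValueError("no sudo version found in %r" % sudo_v)
    return tuple(int(g) if g else 0 for g in m.groups())


def parse_sudo_l(text: str) -> Tuple[List[str], List[Entry]]:
    """Split `sudo -l` output into the Defaults options and the per-command entries."""
    defaults: List[str] = []
    entries: List[Entry] = []
    section = None
    for raw in text.splitlines():
        if raw.startswith("Matching Defaults"):
            section = "defaults"
            continue
        if "may run the following commands" in raw:
            section = "commands"
            continue
        line = raw.strip()
        if not line:
            continue
        if section == "defaults":
            defaults.extend(opt.strip().replace('"', "") for opt in line.split(","))
        elif section == "commands":
            m = re.match(r"\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+)", line)
            if m:
                entries.append(Entry(m.group(1).strip(), "NOPASSWD:" in m.group(2), m.group(3).strip()))
    return defaults, entries


def audit(sudo_l: str, sudo_v: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings in a deterministic order."""
    defaults, entries = parse_sudo_l(sudo_l)
    version = parse_version(sudo_v)
    findings: List[Tuple[str, str]] = []

    if any(d.startswith("env_keep") and "LD_PRELOAD" in d for d in defaults):
        findings.append(("high", "env_keep preserves LD_PRELOAD: every sudo command loads a user-chosen shared object first"))
    if "pwfeedback" in defaults and version < FIXED_18634:
        findings.append(("high", "pwfeedback enabled on sudo < 1.8.26: CVE-2019-18634"))

    for e in entries:
        name = e.command.split()[0].rsplit("/", 1)[-1]
        if "!root" in e.runas and version < FIXED_14287:
            findings.append(("high", f"{e.command}: '!root' runas on sudo < 1.8.28 does not stop running as root (CVE-2019-14287)"))
        kind = KNOWN.get(name)
        how = "no password" if e.nopasswd else "password required"
        if kind == "shell":
            findings.append(("high", f"{e.command}: GTFOBins shell escape ({how})"))
        elif kind == "read":
            findings.append(("medium", f"{e.command}: intended functionality can read or send files such as /etc/shadow ({how})"))
        elif e.nopasswd:
            findings.append(("low", f"{e.command}: NOPASSWD binary not covered in the course; check GTFOBins and its man page"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit(SAMPLE_SUDO_L, SAMPLE_SUDO_V):
        print(f"[{severity}] {msg}")
```

Run it as-is to audit the constructed sample, or feed it real `sudo -l` and `sudo -V` captures. The version check is a plain tuple comparison, so a patched 1.8.28 host produces no CVE findings but still reports the LD_PRELOAD and GTFOBins entries, which are sudoers configuration problems rather than sudo bugs and are the ones you fix by editing the policy, not by upgrading.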
Now this one's a nice little walkthrough, and you can see here that it just says, hey, we're going to run sudo -l, and then we're going to get something back, and when we get that back it's going to say (ALL, !root) /bin/bash. What does that mean? Well, when it says !root, it means not root. So what it's saying is this user, hacker here, cannot run /bin/bash as root. So if you want to take a look at what the sudoers looks like, in sudoers you can see that it says hacker does not have root access to /bin/bash, and then we could actually exploit this. So because of this "does not have access to root," there is a specific vulnerability that was discovered. Now if we take a look at the vulnerability, all we have to do is type in sudo, then -u#-1 /bin/bash, and then guess what, we execute as root. Very straightforward. I am seeing this all over the place right now, and I'm seeing it all over the place with capture the flag events too, so definitely something to keep in mind, keep in your back pocket, and put in your notebook, because this one is common. Okay, and so what is it doing, why do we care, why is this happening? Well, it says here that sudo doesn't check for the existence of the specified user ID and it executes with the arbitrary user ID with sudo privs. So when we do this it returns as zero, which is the root ID. Now we were doing a live stream not that long ago and this vulnerability came up, and somebody in the chat was asking, hey, what happens if you change it to something other than negative one, can you take over any ID? And the answer is yes. Say you have a user ID at like 1003 and we want to change to that ID; we would just put a plus sign here and do 1003. Now, this only works for the user one time and will transfer over to that user, but we can't go back, if that makes sense. So we would have to only perform the sudo from where the sudo exists, but we can use this to take over any user with this vulnerability, which is super nice. However, of
course we're going to want to take over root, but if we want to take over somebody else we could too; just a little side tidbit. But here, negative one is going to put us right at zero, and we will be the root user since that's where it goes. So let's go ahead and go to a box. I'm going to go ahead and have you go to Activities, and then I want you to type in sudo, and I'm going to have you spin up this box. Give it a few minutes to load, and then we're going to get connected in the next video and actually test this exploit out. So "sudo security bypass," make sure it says 2019-14287. Go ahead and click on this. I actually joined the room not that long ago and deployed the machine, so go ahead and get in there, join the room, deploy the machine, and make sure you can access this machine. So I will see you in the next video when we actually cover how to exploit this.

All right, let's test this one out. So they actually give us, for this box, they give us the low-level users; we don't have to do any exploitation right now, which is okay. But we come through here and we can just copy this IP address here, and we'll scroll down just a little bit into this tab, and you can see the username and password are tryhackme and tryhackme. So I'm just going to open up a new window, make this larger, and then what we'll go ahead and do is we'll just SSH to tryhackme@ and I'll paste that IP address, and then we'll do this over port 2222. Okay, I'm going to accept the fingerprint, and then I'm going to go ahead and do tryhackme, let that work, and here we are, we are in. So remember, we're going to do a sudo -l, list out those privileges, and you can see what's in here for us. So we've got this... this looks familiar, right? The (ALL, !root) /bin/bash, no password. So we shouldn't be able to run this, but guess what, we can. So I'm going to cheat just a little bit: I'm going to go in here and just copy the command that we need to run, but I will paste it, give you time to actually do the same, and of course I
will provide the resource for both of these. I'll have this other one in both videos just in case. But so go ahead: you're going to do a sudo -u#-1 (pound sign, dash one, or a negative one, space) /bin/bash, like that. Go ahead and hit enter, and guess what you are: you are the root user. So you could say id and we are root. Now if you want credit for this machine and you want to get some points, you can say, okay, here's the flag. So there's going to be a flag here: "we can run /bin/bash." So I won't do all these with you, but just because it's a short video we'll go ahead and capture the flag, and we'll go in and we'll grab that root flag as well. So let's go ahead and cd over to /root, ls, and we'll cat out that root.txt, capture that, and of course it's "elite security bypass." So we'll copy that and get credit for finishing this room out. Cool, easy enough. So we've got one more of these to do; it is another 2019 CVE, and make sure you're taking good notes on these because they might show up again. All right, so just a little foreshadowing for the future. But I will see you in the next video when we move on and look at CVE-2019-18634.

All right, we're at the last video in this section, so we're going to do another box from TryHackMe. So if you come to Activities again, all you have to do is type in sudo one more time, and now there's this sudo buffer overflow, which is CVE-2019-18634. Again, this is another exploit that has been released within the last year, very relevant, and I keep seeing it all over the place. So let's go ahead and just join the room, and we're going to deploy this as well. Now while we deploy this, I'm going to kind of use their guide to kind of help you understand. I'm just going to say we've deployed, and then we're going to SSH into this machine here in a second; it should be the same credentials as well. So let's go down to the buffer overflow, and you can see here that we have this CVE, and when they actually look at the sudoers, and you're going to see a sudo -l here in a
second of it, but when they look at the sudoers there is an environment variable here that says pwfeedback. Now if you've ever been typing in your password on a Linux machine and you see that asterisks are in place of nothing... usually when you type in your password nothing happens, you just don't see anything, but if there are actual little asterisks being typed in there, that's the pwfeedback being set. Okay, so when the pwfeedback is set in a very specific version of sudo, it can be abused. Now there are certain versions that are vulnerable to this, and we're going to do it on one of these here now. So if we actually scroll down, let's go ahead and take a look at the box. We'll log into the box and then we'll talk more about the exploit itself. So let's go ahead to a new window. I'm going to copy this real quick and then I'm going to log in. Do ssh, it said port 44444, and then we're going to do tryhackme@ and we'll do the box IP address, say yes. Okay, so if I'm typing in tryhackme right now for the password, you're not seeing anything, right? So just imagine that's how Linux typically works. But in this instance, if we were to try to change password... or not change password, we try to log into, maybe say sudo, let's see if it works. We'll switch user into root: nothing there, so that didn't work. Let's try sudo switch user into root and see if that works. There you go, see the asterisks? That's that pwfeedback right there. So I'm going to go ahead and just hit enter; it's going to ask me a bunch of times for the password. I'm stuck in this for at least one more to enter, and then, okay. So after this we're going to go ahead, I'm going to clear screen now. So let's do a sudo -l and take a look at this. We'll do tryhackme as the password, and "user may not run sudo," so we can't see that. Let's see if we can cat out the /etc/sudoers: we have no permission there either. So what about the version of sudo? So let's try doing a sudo -V. You can see we're on 1.8.21p2. All right, let's go ahead and
take a look at this CVE. I'm clicking in here, I'll provide a link for this, but if you Google the CVE and click on any of the links, it says, hey, any sudo before 1.8.26 was vulnerable to this. And what did we just see? We saw 1.8.21, so definitely a vulnerability here. So how do we identify this if we can't run sudo -l, we can't see the environment, we can't see sudoers? Well, I think the only way to really do this is with a sudo su, right? We say sudo su and we try switching into a different user, and you saw the password being there; the pwfeedback was enabled. So something to check for, something to think about, especially if your sudo version here is below 1.8.26. So it takes a little bit more digging, maybe some "hey, gotcha" kind of deal, because it's not out there, apparent, but if you do see that when you're trying this on a box, then you might know, hey, I might want to go check for this vulnerability. So this is one, again, that's been coming up; I've seen it on quite a few CTFs recently. So okay, we have the vulnerability identified; how do we actually exploit this? Well, there are several exploits out there made specifically for this. Now TryHackMe has gone out and actually put the file in here; they've compiled it, they've shown you how they've compiled it, if you're interested in that, but they're using this specific one right here. So they're using this one, I will link this as a resource as well, and they have the C code here if you want to read the C code, and you understand the C code. It's quite long and not as easy as your typical buffer overflow, but there is a buffer overflow that exists in this box here, or in the sudo, that allows this to happen. So here's what's going to happen now: we're going to run this C code and see what happens. So if we go back into the machine and we just do an ls, we can see we have exploit. Let's go ahead and just try to run that exploit. Okay, it
says "try again," and you can see we run an id and now we are root. So that's really it. This is just an example of one more modern privilege escalation technique that you might start running into, especially against older machines. Now again, that pwfeedback has to be enabled, so if it's not enabled this one you might not really see. There are some versions, especially if you read through this TryHackMe write-up (it's a really nice write-up), and they talk about some versions where this is automatically enabled by default, which is Linux Mint and Elementary OS. So if you see that on one of those, then you might run into that there, but chances are it's going to be one of those you have to kind of dig for. But I would be on the lookout for it simply because it is so new, it's so modern, and it's going to be utilized, I feel like, at least for the next year or two. So that's it for this lesson, and that's it for this section. From here we're going to move on to talking about SUIDs and how we can escalate via SUID attacks. So I will see you over in the next section.

Now let's talk about SUID, or what is known as the set user ID. This has to deal with permission settings. So if we take a look at something like ls -la, and I'm just on my regular SSH connection that we've been working with in this lab, you can see here that we have our read-write-execute, this read-blank-execute, read-blank-execute. So these are our file permissions, all right, and then we could tell if it's a directory or a file here. Now how do we operate these, or how do we read and understand these? So they're in three sets of groups, right? So the first group here is the read-write-execute of the file owner, this is the read-write-execute of the group, and this is the read-write-execute for everybody else. So you can see who the file owner is here, and then you can see the file owner for root. Let's take an example: let's try ls -la on /etc/shadow, which is going to be something definitely owned by root. So you can see root owns this. Now root
has read-write privileges on this, the group also has read-write privileges on this, and then we just have read access, though in a perfect world, the normal world, we would not have any. Remember, this is intentionally vulnerable here, so we would not see any read-write access here or any read access. Now what can we do with this information, or how does this information pertain to us in SUIDs? Well, we have options, right? So if, say, we wanted to make a certain file executable, we could do like chmod +x on that file; it would make it executable. Or you may have seen something along the lines of chmod 777, and that stands for, across the board, I want read-write-execute. And why does that do that? Well, if we look at this from a bits perspective, we can have four bits here for read, two bits for write, and one bit for execute. So what does that equal? If you add all those together, that equals 7. So if you see 7, that means, hey, on the first group, or first set of three, I want seven, and that says okay, read-write-execute. Well, if you saw 4 there then you would just have read, or if you saw 6 then you'd have read-write, 7 being execute, of course. So you could do that, and that's a way of thinking about this and kind of understanding it from a bits perspective as well. So now in comes the SUID permission, or the set user ID, which allows users to execute a file with permissions of a specified user. So the files that have SUID permissions run with higher privileges. Now if we were to set a UID on this group right here, that would be an SUID, okay, and just stay with me, you would see an "s" right here. If we were to do a group instead of an SUID for the user, if we did a group, that would be called an SGID, and you would also see an "s" here. And the last one, if we were to do it for everybody else, you would actually see a "t" here, and that is known as a sticky bit. For this course, in this lesson, we're going to focus on the SUID, or hunting down this "s" in that location. Now, everything is vulnerable that has the SUID
permission set you kind of have to dig and learn and understand what files have these permissions and why they have these permissions or you know if it's vulnerable or not so of course we can use GTFO bins for that and I'll show you how to do that here shortly but let's go ahead and delete this out and let's run a command to kind of hunt these down how would we find these how do we hunt these down so we're going to do a fine command and then we're going to do a forward slash which is saying hey we're going to start from the top or the root of the file system and then we're going to say Dash perm for permissions and we're going to State what permissions we're looking for so we're going to say Dash U equals s so we want all the files owned by the root user and we're going to have an S here right so that's what we're looking for we're looking for that s so with that we're going to say what type we're looking for we're looking for files and we're just going to throw this into Dev null meaning it's going to go into the abyss and we're going to go ahead and search for this okay and we get a bunch back here so we see different types that have coming through and okay we've got sudo uh pseudo edit password we even got ping when some of these are just standard we're we're used to seeing them and you'll kind of learn these over time but let's take a look at one let's look at this chsh okay so let's copy that and let me just Let's do an ls-la just on that file I want you to be able to see and understand exactly what I'm talking about so if you see this look RWS we have the suid here remember if we had an S here that would be sgid and then a t here would be a sticky bit so what we are hunting is the S here with that one command that's it you run that one command you hunt it now when we're hunting these down we could easily do this with a tool such as Lin piece to run and Hunt these down however I again I want you to understand the manual method the reasoning behind what we're 
looking for and then once we tie it all together we can go to something like GTFO bins Dot github.io all right and we come in here and we can look specifically for suid we can click on suid and see which ones have suid and we can just compare compare and contrast to what we've seen right if we do the find command again okay so sudo password G password I'm just going to pull some of these out and see if maybe there's anything in here let's go with well I see Nano Nano's in there I don't see password I don't see G password is pseudo in here sudo's not was Nano in ours uh Nano was not in here so you'd have to hunt these through but that's okay I'm gonna give you a sample of this and we're gonna have tons of suida samples here coming up soon so again not all these are going to be vulnerable but at least one of these will be and we're gonna find out here shortly um how we can take advantage of different suid vulnerabilities but before we do all that I've got a challenge for you so we're going to do another box off of try hack me let's open up a new window and go to try hack me and this is a great box this is part of their uh security or offensive not offensive security just I guess offensive path uh certifications path and if you go to learning paths they have these learning paths here that are great what is it called offensive pen testing that's it offensive pen testing path so if we actually go into the uh activities and just search for this we come in here and we just type in vulnerversity now this kind of tells you a little bit of what it's about and if you have any confusion on anything there's actually a walk through video here but it tells you kind of step by step what you're looking for how to compromise the machine and even talks to you about the seoid in the sticky bits I think it's a great great example however I want to challenge you to do this on your own so try to do this on your own just come in here deploy the machine completely do it on your own and 
give it a go and then once you do if you get the low level user go ahead and try to do it all the way through in the next video we'll cover how to compromise the foothold and then once we compromise the foothold we'll cover how to hunt down the suid what we're specifically looking for and how to take advantage of this now in this instance we're not going to try to get root I'm just going to cheat a little bit and tell you the goal here is not to get root the goal here is to take advantage of something within the system to go ahead and get root so your goal is to capture the root flag that is in the slash root folder and the root flag is called root text so your end goal is to capture slash root slash root dot text okay so go ahead and try to do that once you do that meet me back and we will go ahead and cover the walkthrough and how I would have done it so I will see you in the next few videos all right let's take down another box shall we so looking at this nmap scan coming back we have Port 21 open which is always something of Interest we should go see if we can log in anonymously of course Port 22 again SSH I'm not really concerned about unless we find credentials to log into this machine or there's a vulnerability here I just don't see it 139 445 is always of Interest too if we can SMB client over to Samba and we can see if we can log in anonymously that's always a good option uh the 3128 is a proxy but 3333 is HTTP and it looks like it's hosting a website for volun University so if I'm doing this box this one stands out right away so I've been debating back and forth so I want to show you looking for 21 okay we go out to FTP and try to look I think you're at that at that point if you're already in this course by now you would go search FTP right wmm methodology just do the quick wins FTP and do 139 445 just see if SMB client has any information you could also use something like metasploy or another tool like enume for Linux to come in here and just see what 
version of samba's running but it's actually pulling down 4.3.11 so we we have some some information here about this and version information so maybe there's a vulnerability related to that I would be checking versions of course first low hanging fruit anything but this bowling University stands out to me like a sore thumb it doesn't mean that it couldn't be a rabbit hole however given the the machine and the this is something that you have to look at too is you have to look at the machine I think this one was rated easy or maybe moderate I don't think that it would be a rabbit hole so you just have to kind of gauge that as well but with that being said I'm gonna just kind of skip ahead and I'm just going to copy this IP address and go ahead and go out to this port of 3333 see what's out there okay so we have this Von University website and we don't have a lot of information on it um so when I'm on a website especially like this this looks like a legitimate website I want to usually open up burp Suite I'm gonna see where the links go but if you're looking at the links like if you can see down below the links are all going to just uh just right here so it's a pound so it's just not going anywhere so unless I could find something here that's of Interest I don't I don't think this is maybe where we want to go I think we're probably going to do something that's going out to Vimeo it looks like none of these are really going to uh be of of interest to us so I would load burpsy especially if I had Pro I would load burp Suite here and just see where it goes let's see where the Subscribe goes right back to the top yep nothing here of interest um we can load burp sweep just in case and we'll hit OK and I'm just going to close this out go next start burp I've got the foxy proxy over here so I'm just going to use that to set my vert proxy settings and then I'm going to refresh this and take the intercept off I'm also going to add this to scope really quick so if we go to 
Target actually I can just right click and add to scope and then from there I'm also going to just say show only in scope items so let's do that okay so now we got this now in theory the item should be loading here it's pulling down any sort of data it's finding from the HTML or it's crawling kind of crawling we don't have the full crawl feature anymore because that's a pro Edition kind of deal so we don't have that but we could still do some directory brute forcing while we're kind of going through the site and seeing if any of these Pages load anything so I I kind of want to do that and I'm going to use again I think I'm just going to use the brute forcer we've been using so let's go ahead and CD over to opt and we'll do dur search and same kind of syntax Python 3 we'll do dir search we'll do U and then I'm going to copy this address here and paste that in all right and then we're going to just do let's see does do we have any information on this website I'm not seeing any information in regards to this website so we will just do HTML for now on this one and see what what pops back I'll do e HTML and we'll do exclude 400 401 403 all right so we'll let this run kind of see what comes back if anything and so go ahead we'll pause the video or I'll pause on my side and then we're going to go ahead and come right back so if you're following along go ahead and pause and then meet me when your scan is done okay we're back and if you look at this CSS doesn't Stand Out fonts images JavaScript I mean those don't really stand out uh JavaScript might be something of interest if we're going to take a look at some of the the JavaScript that's there but first and foremost I think internal stands out the most so I'm going to open that and see where this takes us and what Journey oh it takes us to a file upload that's perfect all right so let's go ahead and try to upload to this um so let's do an example first let's go and I'm going to go to downloads and this could just be like 
as a you watching for now but I want to try to upload shell.php and just kind of see what happens it says extension not allowed so we're not allowed to upload the shell.php okay if we can't upload.php maybe we can upload some other file types um let's go ahead and try doing a PHP on this reverse shell here and we'll kind of go from there so we already have a uh well we have PHP we can go grab so if we go and do something like if we go to Google I've got a couple on my machine but I'm going to show you how to how to grab one of these I like using the PHP reverse shell from pen tester monkey so if you've never grabbed this one the pen tester monkey reverse shell or pen test monkey if you click into this and just copy it and I've got a little enlarged all you have to do if you scroll down just a bit where you see the slash slash change this all you got to do is change the port you want to use for reverse shell and you just need to change the IP address to your IP address okay so I'm going to open up G edit here on one that I've already got and all you got to do is copy and paste this and change that so I'm just going to G edit actually I have it in downloads CD downloads I'm going to G edit the shell and I got one for php5 that I've used my colors are all funky but that's okay we've got this 10.11.4.114 is actually my IP address and actually 7777 is fine for me too this is one I've used in another video but we're gonna go ahead and keep this because my IP address hadn't changed so I'm going to go ahead and minimize this and what we'll do with this file is we're going to go ahead and try to upload it but what we're going to do when we upload it is we're going to take burp suite and we're just going to intercept this okay so let's go to file upload I'm going to upload the shell.php5 which is a different type of extension and then I'm going to come in here and I'm going to submit and there's a couple things that we can do here so we could send this to repeater copy and 
send a repeater and you can see that it's taking the the file name here right so we can send this and see what the response is and it says extension not allowed all right so the other thing that we could do we could sit here and just keep changing this until we find something that might work the other thing that we can do is we can come in here and we can go and just right click and send to intruder and we can use Intruder instead so if we clear this and we just highlight this dot php5 here we can hit add on that and we'll just use a sniper attack which means we're going to one-off attack this specific area that we just highlighted so what we can do is we can take a bunch of different options and let's go ahead and do that we're going to go to payloads and we could just say something like well we know PHP doesn't work but there's also php3 there's php4 there's php5 which we just saw didn't work there's phtml uh so if we're trying to do there's actually a php6 as well uh so we can just try to go through this if we're trying to do PHP just because the PHP itself the extension's not there doesn't mean that we can't utilize different PHP here so we're going to try different extensions to try to bypass this extension and see if that works for us now the other thing that we caught from repeater was this extension not allowed so we can copy this I like doing this with my Intruder is we can go over to options and scroll down this grep match right here I like to clear that and say yes and then we'll just paste for extension not allowed and then I also like to follow redirections down at the very bottom I just say always and then we can just come to start attack here so quick quick recap we've intercepted the request we've selected this file extension because the issue is on the extension remember it's saying extension not allowed so we're going to try to fuzz the extension and we're going to use these payloads so it's going to send this request four times and it's going to 
say Hey try it with php3 try with php4 try it with phtml try out php6 okay and then it's going to grip on the output that we chose so I'm going to start this attack and kind of show you what that looks like it's just saying hey you're using Community Edition we're going to slow down this attack because we want you to pay for this all right looking at this there's a couple things that we notice we see that uh two different things right 737 on the length for everything except this phtml so there's a different length here we could sort by length and just check and see okay did one change on length it did another thing to look for is status sometimes the status code is different like you might see a 301 redirect or have a redirects here that would indicate a successful attempt as well the last thing that we could look at is this extension right here so it says extension not allowed well this one didn't trigger a check mark where the rest it did so this is kind of where that grep comes in handy especially if you're doing really really long lists and the links aren't as accurate as these ones are or as concise or together so what we're going to do is where it looks like this P HTML worked fine okay so we've got phtml I'm going to turn this intercept off and I'm going to refresh here and see if there's anything okay so we just got the file upload page so we should be able to do is see if we can get to like an uploads or something along those lines now that we've uploaded this file so let's go ahead and try this actually let's upload and just see what the standard look is for this I'm going to rename this really quick actually I'm going to go rename it in the folder itself just make life easier where is it downloads and then I'm going to rename this to phtml and then we're just going to put this through and see what happens submit and just says success so we've got nothing here to indicate where it's going chances are it's going to like an uploads folder so we can uploads 
and see if that does anything okay and you have it here if you didn't know where this was you're like how did he just get to this it's very common for there to just be an uploads folder however if you need to hunt down you could again run something like a directory bust on internal itself and you would definitely find this upload so just to save time this is one thing I would guess or I would just try to take the the next step in Brute Force the internal directory itself so we got the shell.phtml I'm going to go ahead and just do a netcat on nvlp all sevens and then I'm going to click this link and hopefully things go well for us okay and you can see ID of uid of 33 www.data PWD we are just at the base here LS okay so we are in as this www data user we are the low level user which is expected now from here if you weren't able to get this far but you still want to try to prevent this machine take what you learned in the video before this one try to hunt down the different types and try to get that flag okay so you're gonna you're gonna be able to search for suid something should stand out via the methodology that I taught you and you should be able to utilize that to get the root flag meet me in the next video we're going to cover exactly how we do that foreign let's pick up right where we left off so I'm going to go ahead and just paste that command that I used in the first video if you need a second to go ahead and type this out type it out remember it's just that find command we're looking for that suid bit set and we're going to go ahead and search for that so we can go ahead and just hit enter it's going to do some searching might take a second to get through the entire box and you can see it came back with quite a few things all right and some of these look familiar again sudo c-h-sh password these are ones we saw on the last one right but if you went through this list as I kind of told you to do and you went through the GTFO bins you should have found one 
that stood out so let's go ahead and go through GTFO bins and if we just do on the suyd capability we take quite a bit out let me scroll down to the one that you were looking for it is systemctl okay systemctl is the one that you're after now if you come in here it gives you a nice description it says it runs with the suid bit set and may be exploited to access the file system escalate or maintain access with elevated privileges working as an suid back door so we have options here okay so we're going to do is we're going to run the commands that we see here we're going to modify this just a little bit and we're going to use this to execute let me make this a little bigger just so you guys can see it so we're going to run this sudo sh okay and then from there we're going to do this this command here this just set a a variable and then we're going to Echo out this line here through the very end line by line we'll take this and then from there we should be able to do this system link and then system enable that should execute everything okay so let's run through this line by line really quick so we're going to create this environmental variable right and we're just calling it here they're calling it TF you can call it whatever pretty much whatever you want and we're doing a make temp.service so we're making a a service a system CTL or systemd service okay that's what this dot service is with the make temp that's a command that we're going to use to create a temporary file on the system as a service so we're going to come through here and we're going to Echo the command starting out now when the service starts what's going to happen is we're going to call out bin sh and we're going to execute a command with bin sh and that command that we're going to run is not going to be ID we're going to say hey go ahead and just run and we're going to say forward slash root forward slash root dot txt to grab we'll put it into the temp output that's fine and that should in theory 
output our root flag to the output folder okay or to the to the output file in temp then lastly we're going to install and what we're going to do is we're going to run this at the Run level of multi-user.target and that's going to all be put into this right here this environmental variable variable of the target file or TF again I'm guessing is what they're calling it but we're just going to call it TF here that's fine I've seen people call it other things but it's literally whatever you want to call it and then we're going to use this link command here so what we're going to do if you read the man page of the system CTL this is just setting up a link it's making our file available for uh for running via system CTL and then here in layman's terms we're going to enable this if you want to find out more information about all of this you're welcome to read The Man pages and go further but let's go ahead and dive into making this exploitable okay so I'm going to copy this whole command and I'm just going to paste this into a text editor now you won't be able to read this very well but I'm going to walk you through line by line as to what I'm copying and what I'm pasting in so let's go ahead and just get this over here and what we're going to do is we're going to take this I'm going to delete out this one shot we actually don't need this one shot I'm going to delete out this ID command as well because remember we're executing bin sh I'm going to actually put in here cat then we're going to do root root dot txt so I'm going to execute cat root root.txt and just get out the flag here and then what we're going to do is we're going to call this as a full path so we're going to say bin forward slash system TTL report slash then we have the link there we're going to do forward slash bin systemctl as well okay so I'll paste this slowly just in case you didn't catch this I'm going to copy this here paste this in that's line one okay line two starts the echo and we might be able 
to paste this in all at once but I'm going to take it line by line here okay good we see the greater than symbol which is what we want to see because we're going to paste this all in at once kind of or into the echo command I should say until we close it off with the second apostrophe go ahead and copy this paste this all right we've got the dollar sign back now we just create that link okay Sim link is created and now we enable this okay it's a created Sim link now this should have gone to Temp output So in theory if we cat temp output we've got a root flag and that's it so from start to finish again we took advantage of the suid bit being set meaning as a user we're able to execute something special as somebody more privileged than us here being the root user so we were able to take advantage of that suid being set and because of that we're able to escalate our privileges here so that is it for this video in the next section we're going to go ahead and cover more suid escalation we've got shared object injection binary Sim links and environmental variables so we'll kind of talk through those and see what we can do with all three of those so I'll see you over in the next video okay we have reached the conclusion of this condensed course again if you just got through all of this you are now through this suid portion here we have again other suid escalations capabilities scheduled tasks way more Linux perfect escalation to go including that Capstone challenge so if you're interested this course is thirty dollars on our Academy and I'll drop a link to that in the description below if you enjoyed this video please do consider liking it subscribing to the channel we drop videos and course content and educational content all the time so we would love to have you as a subscriber outside of that I won't keep you any longer I thank you so much for joining me through this course hopefully you learned something and found some valuable information here and I'll see you over 
in the next video
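The SUID hunt and the systemctl finding above can be turned into a repeatable defender-side check. The script below is an added example, not code from the course or from TryHackMe: it reuses the course's find command to collect SUID files, compares them against a baseline allowlist (the allowlist contents are an assumption for illustration; build yours from a known-good host), and decodes the rws/rwt mode strings the course reads off ls -la.

```bash
#!/bin/sh
# Added example (not part of the course): audit SUID binaries on a Linux host
# against a baseline, so that an unexpected entry such as a SUID systemctl
# stands out instead of being buried among sudo, passwd, chsh and friends.

# Baseline of SUID binaries that are normal on many Debian/Ubuntu hosts.
# ASSUMPTION for illustration only: derive the real list from a clean build.
SUID_ALLOWLIST='
/usr/bin/sudo
/usr/bin/sudoedit
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/gpasswd
/bin/ping
'

# collect_suid: the find command from the course, errors sent to /dev/null.
collect_suid() {
  find / -perm -u=s -type f 2>/dev/null
}

# decode_special_bits: given a symbolic mode string as printed by "ls -l"
# (for example -rwsr-xr-x), report which special bits are set: an s in the
# owner execute slot is SUID, an s in the group slot is SGID, a t in the
# others slot is the sticky bit. Prints "none" when no special bit is set.
decode_special_bits() {
  mode=$1
  bits=""
  case "$(printf '%s' "$mode" | cut -c4)"  in s|S) bits="suid" ;; esac
  case "$(printf '%s' "$mode" | cut -c7)"  in s|S) bits="${bits:+$bits,}sgid" ;; esac
  case "$(printf '%s' "$mode" | cut -c10)" in t|T) bits="${bits:+$bits,}sticky" ;; esac
  printf '%s\n' "${bits:-none}"
}

# audit_suid: read SUID paths on stdin, one per line, and print each path that
# is not in SUID_ALLOWLIST. Returns 1 when anything unexpected was found,
# 0 otherwise, so it can gate a cron job or a CI check.
audit_suid() {
  found=0
  while IFS= read -r path; do
    [ -z "$path" ] && continue
    if ! printf '%s\n' "$SUID_ALLOWLIST" | grep -qxF -- "$path"; then
      printf 'UNEXPECTED SUID: %s\n' "$path"
      found=1
    fi
  done
  return $found
}

# Constructed sample output of the find command (not captured from a real
# host), with the course's systemctl finding planted among normal entries.
SAMPLE_FIND_OUTPUT='/usr/bin/sudo
/usr/bin/passwd
/usr/bin/chsh
/bin/ping
/bin/systemctl
/usr/bin/gpasswd'

# Run with --demo to audit the constructed sample; on a live host use:
#   collect_suid | audit_suid
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_FIND_OUTPUT" | audit_suid
  decode_special_bits '-rwsr-xr-x'
fi
```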
Info
Channel: The Cyber Mentor
Views: 61,980
Id: ZTnwg3qCdVM
Length: 173min 12sec (10392 seconds)
Published: Fri Feb 03 2023