Python Library Exploitation | TryHackMe Wonderland

Captions
Welcome back guys. In today's video we're going to talk about horizontal privilege escalation and Python module exploitation. Previously we have talked about the types of privilege escalation, and actually it was a TryHackMe video by the way. Let's restate the types of privilege escalation and the difference between them. First we have horizontal privilege escalation and the next one is vertical privilege escalation. What's the difference here? The difference is that in horizontal, for example, you land as www-data, okay? Now in horizontal privilege escalation you don't move up immediately to root; you go from www-data to, say, user one. You escalate to user one. Now user one happens to be a regular user but is more privileged than www-data. Then you manage to go from user one to user two. Now user two is not root but is actually more privileged than user one, and finally you happen to go from user two to the root account. That is what we call horizontal privilege escalation: it takes more than one step to go from the current account to the root account. It is not the case in the vertical one. In the vertical one you land as www-data, and with the aid of some exploit, or with the presence of a security misconfiguration in the OS such as a file with the SUID bit set, or a vulnerable OS, you manage to go from www-data immediately to the root account. We call that vertical privilege escalation: it takes only one step to go from the current account to the root account. Okay, that's the first concept we learn in this video.

The next concept is Python module exploitation. As most of you know, when you create a Python script you have modules such as os: import os. Oh, let me remove this one, I didn't like it. So we have the os module, and we have other mathematical modules, and we also have random; as you will see in the particular example, a module called random. In order to import Python modules we use the keyword, as you know, import: import os, import random. What's going to happen when we run the script? When the Python script runs it will look for these modules under the Python installation path. When it finds the corresponding directory for the module it will just import it. Now what's going to happen if we create a file, let's say called os.py? This file happens to hold the same name as the module in the script, right? Python is going to look for the module os; once it finds a Python file with the name os it will import it. So the priority goes like this: it first looks in the current working directory, then it looks under the Python installation path, say /usr/python whatever. If it finds os.py here in the current working directory it's going to pick it up; if it doesn't find it, it's going to pick up the next one in the chain, which happens to be the Python installation path. Now in order to perform what's called Python module exploitation, first we have to create a Python file which holds the name of one of the modules. In case we name it os.py, we're going to have to move the os.py script we have created to the same location as the script. Say the script name is script.py and script.py is under /home. In order for Python to choose your file as the module you have to put os.py under the home directory, so that os.py and script.py are under the same location. Only then will Python choose your file as the module instead of the original module that exists in the installation path. Now what's going to happen when your file is imported as the module: Python will execute your script and ignore the rest. That's why I typed the definition as creating a Python file with the same module name but with different content. So here we can choose the content we want.

Lastly, the practical application we will take for this video is Wonderland on TryHackMe. So this is the machine, let me close this one first. Okay, this is the machine and we have two flags to retrieve from the machine. So what to do now? We're going to jump to the virtual machine and demonstrate this. I did the nmap scan; let's launch the browser beforehand. Okay, in the nmap scan we have 22 and we have 80. So as we do all the time, we're going to go with port 80 first. Okay: follow the white rabbit. You can read through this, take a look at the page source, nothing in here. Okay, what you will do now, as always, is launch directory search and start your gobuster: sudo gobuster dir -u, and we copy this, -w /usr/share/wordlists... let's select this one, the dirbuster lists, directory-list-2.3-small, okay, and enter. We have img and we have r. If you go to r you also see "keep going, would you tell me please which way I ought to go from here". View page source again, nothing in here. Now this hints that we need to use this page in gobuster, so cancel this one and append /r here and go. You will see that we're going to discover a way to access a directory that's actually kind of weird in the name. So if you go back now it's saying "keep going, would you tell me please which way I ought to go from here", so we go r and then we have a here as you can see. So type a like that; it's kind of tricky right, but that's how you do it, and then you will see that there is b and then there is another b and there is i, to form a complete rabbit word, as you can see. Now how do I know this? Because I did the machine before guys, that's why, that's how I know this. It's going to end up telling you that we have /a/b/b... I'm not going to wait for this now; I'm going to show it at the end. Let's tackle this page now.

Here, if you view the page source guys, you can see that under the style elements we have alice and we have a password. Since we know that there is an open port for SSH, we can attempt to log in to the SSH server with these credentials. So ssh alice@..., okay, grab the password, oh okay, type it right, now we're going to hit enter, okay, yes, password, and now I've got access to alice. Easy, simple, as simple as that. Okay, pwd, where am I? /home/alice. ls, see what do we have. So you have a couple of files; among them is root.txt. Weird enough, you find the root.txt flag under this directory, but permission denied, you can't view it. Also we have another script called walrus and the carpenter. If you view the script, this is the Python script as you can see, and this is where we apply the Python module exploitation. That's because it imports random; we can create a file... I guess I got a problem with the sound, right? Okay, so I'm going to repeat: we have import random. What we will do later is create a file called random.py and place it under the home directory of alice. That's how you will do Python module exploitation, okay. Never mind, now let's see if we have a user.txt file: nothing. Let's see the root: nothing. Weird enough, I was able to cd into it, did you notice that? Okay, let's look for the user flag: find / -type f -name user.txt, like that, and everything will be exported to /dev/null... oops, we have forgotten this one, and we're going to look under all the directories. No such file or directory; yep, I'm making mistakes today guys, so this one should be /dev/null. Let's look for the user flag. Gobuster has something for us, okay, not finished. So there is no file called user.txt. Let me check out here: obtain the flag in user.txt, but we haven't found anything. Okay, maybe we're going to find this later when we have obtained higher privileges guys. So let's now try to escalate the privileges from alice to other users.

So let's cat /etc/passwd and see all the users we have. So we have rabbit, we have hatter, alice and rabbit; we are alice. So most players are going to escalate either to hatter or rabbit. sudo -l, password for alice, okay, so we can run sudo without password: we can run sudo as rabbit here if we run the walrus and the carpenter script. Now we will perform what I called the Python module exploitation. Let's go back to home, ls, see, ls, ls. So we have the Python script here. We're going to create a file called random.py: nano random.py. And why random? I'm going to repeat: because it's the same name as the module name written in the Python script. So .py, and here we're going to use content that we actually craft: /usr/bin/python3.6, and now import pty, and we're going to just spawn a regular shell: pty.spawn("/bin/bash"). Okay, so ls, now we have random.py, now we have the script. Now when we run the script here, it's going to call our file as the module, because it's under the current working directory of the script, which actually holds more priority than the default location of the module itself. So let's run this one as rabbit: sudo -u rabbit... Okay, what do we have? pty has no attribute spawn; I guess I have made a typo here. nano random.py, so spawn is wrong, it should be like that now, and I run sudo -u rabbit again, and as you can see now I'm rabbit. So what happened guys is when I executed the script as rabbit, instead of executing the actual content of the script it actually executed my Python script that I created, random.py. Okay, right now we are rabbit. So pwd, I'm under alice; cd back, go to rabbit, and I have an application called tea party. ls -la: as you can see the binary has the SUID bit set, which means if we execute this it will execute as root. Okay, so let's see, let's execute this one: welcome to the tea party, the mad hatter will be here soon, probably by Friday, ask very nicely and I will give you some tea while you wait for him. Enter, and we got a segmentation fault.

Maybe you will say let's go down the buffer overflow path. You can do that but it's not the recommended way of solving the challenge. So what I will do here is download this to my machine and find out how we can escalate to hatter from this binary; obviously it's from here. So new tab, I'm going to use scp alice@... You can use scp guys to download the binary to my machine since we have an active SSH connection as alice along with the password. Then download; let's see where this is: pwd, it's under /home/rabbit and the file is tea party. I guess we're going to need to give permissions for us to download the file, so we're going to say chmod on /home/rabbit, okay. Let's now try to download this one, /home/rabbit/..., and download this to the current working directory in my machine. alice password, copy that, uh yep, it is the file tea party, yep, it keeps asking me for passwords, keeps asking me for passwords. Okay, it's here. ls, this is tea party. strings: the first thing you do when analyzing these files, or binary files, is using strings. What do we have in here? This is a start: welcome to the tea party, the mad hatter will be here soon, /bin/echo -n probably by, date. It actually invokes date to give you the date where, or when, the mad hatter will be here and display the date. But notice that, as you can see, the echo application, or the binary, is being called using its absolute path, but date is not actually being called using its path, which means we can actually use a trick, or exploitation method, or privilege escalation method, to actually, you know, exploit this. So since this one, or this binary, is not being called using its absolute path, we can exploit this using the environment variable privilege escalation method. What do I mean by this? We're going to create now a new file, or a new, you know, application or binary, called date. It's our own.

Let's do that: so nano date, permission denied, okay. So under this we're going to say /bin/bash, /bin/ls... I guess the machine has gone crazy now. Okay guys, I'm going to have to recreate the connection; so unfortunate for this to happen. Going to have to use alice again, oh my goodness. You have to be very patient when you do these kinds of machines; you have to be patient or you can drive yourself crazy seeing yourself repeating the same steps over and over, over and over. So sudo -l, okay, pwd, ls -a, okay, sudo -u rabbit and we're going to execute this to gain access back as rabbit. cd back, cd rabbit, so we have date; cat date, /bin/bash, that's good. Now we're going to export PATH=/home/rabbit... What's going to happen here guys is that I'm using now /home/rabbit as one of the paths in the environment variable, so when tea party is running, or I run tea party now, it's going to look for the date binary first, in order to look for the date binary according to the value of the environment variable, and the first path in the environment variable value is this one, my path, so it can execute my date here, which will give us the shell as the next user. So run tea party now. Mmm, does it work? Let's see why this one didn't work. cat date, and I guess we have forgotten to give this execution permissions. Let's try now, tea party, and you are the next user, hi there. So id, that's fine.

Now the last step: we have actually gone through most users, alice, rabbit and this one. The last one is to see if we can escalate to root. So one of the methods guys is to see if you got, see if there are capabilities, right? So let me see here, the command used to view the capabilities; I have to use my notes for this. So Linux privilege escalation capabilities, yeah, listing capabilities for binaries for further exploitation. Let's use this one, and yes, we got capabilities: perl has capabilities set, yeah. So then you can use the GTFOBins website to learn the exploitation method. So let's go to GTFOBins guys, so GTFOBins, and search for perl, capabilities, and this is the command. Let's use this one first; maybe we have to define the full path of perl here, so maybe it's under /usr/bin/perl, and then paste in this. What happened? Something isn't adding up for me here guys, I don't know why I get permission denied when I execute perl. What's the problem? ls -la /usr/bin | grep perl; so I can execute... why, how, how the hell can I not execute this? I am listed as a group; let me see, id, but I am within the rabbit group; that's why, that's why I cannot execute this, it's giving me permission denied, I am not under the hatter group. Okay, so what I'm going to do guys: let's see the home, let me go back to cd hatter, and there is a password here, this password, I'm going to put this password into use. I'm going to ssh to hatter in a new connection: so new tab, ssh hatter@..., yes, and password. id, and now I am within the hatter group. So let's go back and take this one to escalate to root: /usr/bin/perl... whoami, root. Now it works. cd /root, ls, so we have user.txt; let's grab the flag, the user flag, okay. Escalate the privileges; what is the flag in root.txt? So remember root.txt was located under alice's home: cd /home/alice, cat root.txt, and this is the root flag. Okay then, so that was it. I hope you guys found that beneficial and helpful, and see you in the next video.
Info
Channel: Motasem Hamdan
Views: 1,943
Keywords: Python, Linux
Id: Qe0Qw6wQE8U
Length: 27min 6sec (1626 seconds)
Published: Fri Apr 01 2022