The Complete Linux Privilege Escalation Capstone | TryHackMe Junior Penetration Tester

Captions
Welcome back. What's going on? Today we will be doing what you have been waiting for for so long: Linux Privilege Escalation, from the Junior Penetration Tester pathway. As you can see, this room is part of the Junior Penetration Tester pathway and this is what we have been waiting for, so today we will do it and walk you through all of the answers and all of the tasks. Basically we have 12 tasks, and at the end we have a capstone challenge where we will apply all of the knowledge we have gained so far to capture the first and the second flag. Throughout the tasks you will have to deploy several machines: in task three you will have one machine, and when you finish task three you will have to switch off the machine of the previous task and then launch the new machine of the current task. So you will just be switching current machines on and off; if you don't do that you will not be able to work properly on the challenge.

So let's start with the first task. Remember to deploy the machine, and if you don't want to read through all of that, I'm going to explain everything. We have a couple of questions to answer, so let's jump right to the answers. First thing: what is the hostname of the target system? Don't forget that we need to connect to the machine, so we have username karen and password password1. These credentials will not change throughout the challenge, despite the fact that you will have to deploy different machines for every task. So, connecting: ssh karen@ and the IP address. Oh no, wait, ssh karen@, I forgot the end. And now we type in the password. All right, we're in.

Let's take a look at the questions: what is the hostname of the target system, what is the Linux kernel version of the target system, what Linux is this, what version of the Python language is installed, and what vulnerabilities seem to affect the kernel of the target system. Typical enumeration questions: the kind of questions that, in order to answer, you have to do some enumeration on the system, and that is the precursor for a successful privilege escalation. To answer the hostname question we type hostname and we receive the first answer; this is the hostname of the machine. Next, the Linux kernel version. We have three ways to find this. The first one is cat /etc/issue; here we can see the name of the Linux system, Ubuntu, and this is the Ubuntu version, Ubuntu 14.04 LTS. Now the kernel version: cat /proc/version. Here we get the Linux version, 3.13.0-24-generic, and if you want to find any vulnerability for that version you will use this version in Google or in an exploit database. The next question asks what version of Python is installed. To find that we can just start Python: we type python -V, and this will start Python (maybe it is not the tidiest way to find the version), and as you can see the Python version is 2.7.6. Ctrl+D to exit. Or you can use the find command to search all directories for Python files, find / -name python*; we forgot to redirect the errors to /dev/null, but anyway, let me exit. So as you saw, the hostname is here, this is the Linux version, the Linux name, and this is the version of the Python installed.

What vulnerabilities seem to affect the kernel of the target system? Now you have the version, so you can take this and use searchsploit. Let's split the view: searchsploit, and you type in the kernel version and linux. No results, that's fine, let's use Google for that exploit. If you click on the first link (even before you click on the link you can see the CVE number), but in order to be sure that this is the right CVE we have to click on it and read through the title: Linux Kernel 3.13 / 3.19 'overlayfs' Local Privilege Escalation, and this is the CVE number, which is the answer for this question. So this is the enumeration phase: we now understand the hostname, the role of the machine, the version of the operating system, and now we have uncovered a vulnerability. That is the end of this task.

Task four, automated tools: just check out the links to see what automated tools are used to save you time and find privilege escalation vectors instead of the manual method we will be taking in this video.

Task five. To start task five there is no need to terminate the machine and start a new one, because task five is about exploiting the vulnerability we have just uncovered. The question asks: find and use the appropriate kernel exploit to gain root privileges on the target system; what is the content of the flag? So now we have the vulnerability and now we have the exploit, so you can just download the exploit to your machine. I have done that before; let me download it here. See the name of the exploit, 37292; just download it to your machine and use the following command, gcc 37292... this is okay, no need for that; so use this command to compile the exploit, and this is your final file. Next thing you do: open a Python server, sudo python, so now we have a Python server on my machine in order to be able to download the exploit to my target. Here we check on the target what directory we are in; let's go to /tmp to make sure we are in a writable directory, and now we wget http://<my ip>/ofs. Let me check the address of my machine; this is my IP address; paste, ofs, the name of the exploit, and enter. So we have now downloaded the exploit to the machine. Let's check out the permissions: ofs can be read and written by karen; let's give it execute permissions, chmod +x ofs, and now execute ./ofs. It is being run... finished. Let's make sure that we have successfully escalated the privileges to root: id, and now we are root on the system. So that's the first way of escalating privileges: looking for the version of the target system and trying to find an exploit for that version. Finding the flag now: cd /home, cd matt, cat the flag; that is flag 1.

Next one, using sudo. Let me check if we need to terminate the machine... okay, so we're going to terminate this one, and for task six start this machine. The credentials are the same: username karen, password password1. If you scroll down you see we have four questions: how many programs can the user karen run on the target system with sudo rights; find out the number of programs and also the flag; escalating privileges with nmap; and what is the hash of frank's password. So now the machine is being deployed; it's going to take approximately 25 seconds, so in the meantime let's go back, clear what we have done here, and stop the Python server. Now we get ready for the new machine: ssh karen@<ip>... yes, password1, okay.

How many programs can the user karen run on the target system with sudo rights? We are karen here, and we need to find out if karen can run some programs with sudo rights; for that we issue sudo -l. Using sudo -l we find that karen can run find, less and nano as sudo, so the number of programs is three. Now, to be able to escalate privileges using the given permissions of karen, we will use a website called GTFOBins. On this site, if you are given some programs that you can run as sudo, just search for the program name here and you will be able to do some privilege escalation if you have sudo rights over the program, or if you are able to manipulate the PATH variable, and other stuff you will find out later. Use this site; bookmark it. So checking this out we have find, less, nano; let's use nano. Nano, select sudo, and now we're given a way to escalate the privileges with nano. First we type sudo nano; nano is opened, that's fine. Next we type Ctrl+R, Ctrl+X; as you can see we switch to command mode, "command to execute"; this is the command, so copy that and paste it here, enter, executing. Now it has executed; id, and now we have the root user, simple as that. Finding the flag now: cd /home, cd ubuntu, cat flag2.txt, and this is your flag for this task.

Going back to the questions: we saw that we have three programs we can run as sudo; the flag is this. Next one: how would you use nmap to spawn a root shell if your user had sudo rights on nmap? This is how you do it; this is called the nmap interactive mode, and this is the command, if you can run nmap as sudo with an unprivileged user. What is the hash of frank's password? Let's extract the hash of this guy: cat /etc/shadow will reveal all of the hashes for all users, and this is the hash for frank, up until here; take that and submit it as the answer. So now we're done with this task; now we have learned the next way to escalate privileges on Linux, which is using sudo rights. Switch off the machine and switch now to the next one.

Task seven, SUID. Start the machine. In this task we escalate privileges by searching for files or binaries that have the SUID bit set on them, which means that if you execute these files or binaries they are executed as the owner; so if the owner is root, they are executed as root. There is some material here if you want to read it. Which user shares the name of a great comic book writer, what is the password of user2, and what is the content of the flag? Let's do some cleaning here: clear, ssh karen@, credentials stay the same, this is the IP, going down to the questions, and now connecting, yes. Which user shares the name of a great comic book writer? Let's first understand who we are: we are karen, I know that. Now cat /etc/passwd; let's look over the users: ubuntu, gerryconway, and also we have user2 and karen. So the user that is mentioned in the question is this one. Next one: what is the password of user2? Here it means we have to do some privilege escalation in order to reveal the users' passwords, right? So now we will search for binaries or files that have the SUID bit set and exploit them. To do that we use the find command to search all directories for files, and we specify the permissions, -perm -04000, then -ls to list all of them, and if there are any errors we output these errors to /dev/null.

Now we are presented with all of the binaries that have the SUID bit set. It might be an overwhelming list, but that is the game: you have to construct a way to save time and select the appropriate binary, the right one that will get you there. Let's take this to the right; I guess we have to do something about this, so let me just paste the command one more time. So mount, at, fusermount... among these binaries, I'm going to save you time: check out base64. If you go to GTFOBins, base64, and click on SUID, you have a way to do that. As you can see, the first thing: if you don't have it installed, just install it, and now here we define a file, LFILE equal to the file to read. It means that we can manipulate base64 to read any sensitive file on the system; in our case we want to read a user's password, right? So we type LFILE=/etc/shadow, and next we execute the command here to view the content of the file; let's take the rest of the command and paste it. These are the contents of the shadow file, and these are the passwords. user2: this is the hash of this user; copy it. But the question is asking what the password is, so we copy the hash and use John the Ripper to crack the password. I have just done that; this is user2's hash. Now use John the Ripper with the rockyou wordlist and select the user2 hash, and you'll find out the password. What happened here? I guess I have to use --show because I have done this before; let me check user2. So the password was password1, which is the same password as karen. This is the password for this guy. Now check out the flag: ls, cd /home, let's see where flag 3 is; cd ubuntu, ls, cat flag3.txt, permission denied. Let's now change the user to user2 and type in the password we have just found. ls, id; okay, so right now we have escalated privileges, but not in a complete way; we have to root the system. So again sudo -l, password1... okay, let's do that again; let's find out now, with user2, the files or the binaries with the SUID bit set one more time. Or actually, we can even use base64 to view the file, with no need to root the system: just LFILE=/home/ubuntu/flag3.txt and then we execute /usr/bin/base64, and this is the content of the flag, no need to go root. So we're done with this task; these are the answers. Terminate and move on to the next one.

Task eight will use something called capabilities. Again, capabilities, SUID and sudo on binaries can be manipulated using GTFOBins. We're given the credentials, and we have around four questions: the first one needs no answer; next we have how many binaries have set capabilities, what other binary can be used through its capabilities, and what is the content of flag 4. So here we will escalate privileges using the capabilities on the Linux file system. Until the IP is shown let's do some cleaning: clear here, clear and clear. Now ssh; the credentials are the same; keep coming to GTFOBins. karen@... all right, connect, yes. Three questions. How many binaries have set capabilities? We are logged in, id: karen. To get the list of the binaries that have capabilities set we use the command getcap -r / and we search all directories; but don't forget, this command will probably result in many errors, so don't forget to redirect errors to /dev/null. Now we get a clean list, without any errors, of all the binaries that have capabilities set, and then we will see an appropriate application and use it: search for the application name with the capabilities, and you see here we have the capabilities we can select for the applications we have, and then see a way to escalate the privileges. So we started to get something: /usr/lib ... linux-gnu, this is one; okay, it's the complete list, so we have one, two, three, four, five, six. Six binaries have capabilities set. Now we have to select one and try to escalate privileges with it. We have view here, so let's search for view: view, capabilities; do we have capabilities? Yes we have, click on that. This is what we have to do: take this command, but don't forget to change it and put python3 here, or it will not work, because the machine has Python 3 installed. So let's make the modifications and copy that, paste: view, command not found. All right, let's copy that and put the full path of view, /home/ubuntu/view; hopefully it's going to work... wait, okay, id, and you are the root user. Simple as that. Now the content of the flag: ls, cd /home, cd ubuntu, ls, cat flag4.txt, and this is your flag for this task. Coming to the questions: how many binaries? We saw they were six. What other binary can be used through its capabilities? view. What is the content of the flag? We found the content. Finished; terminate.

Next, task nine: escalate privileges through cron jobs. This task is kind of interesting; we have three questions to answer. Do some cleaning, ssh karen@... we have 45 seconds. If you go over the task here, it's just explaining the concepts and some examples for you to understand the concept of privilege escalation through cron jobs. Technically we will check the cron jobs in /etc/crontab and see the available cron jobs running periodically, select one that is vulnerable, and just escalate the privileges. How many cron jobs, the flag content and matt's password; probably in this task we will also need to escalate to the root file system. So this is the IP, finally started; connect; take this to the right. We're connected now. Let's view the running cron jobs: cat /etc/crontab. Now we have four cron jobs running as the root user. If you see cron jobs running as the root user, try to find ways or opportunities for privilege escalation, because these scripts will run as root, and if you're able to modify one of them you will be able to do whatever you want as the root user. So we have /antivirus.sh; probably we will not have access to the root directory, so forget about this one. Next one, root antivirus.sh: there is no path defined for this. This is a chance for escalating privileges through the PATH environment variable, but I'm not going to do that now because we will explain the PATH environment variable in the next task. The next one is root /home/karen/backup.sh, so here we have a script in the home directory of karen, so most probably karen has write access over that script. If we check that, /home/karen/backup.sh, indeed karen has write access over the script; she can modify the script, which means we can put whatever we want in the script and it will run as root. Probably we will put some sort of bash reverse shell, open a listener here (I'm going to open nc -lvp 4545) and receive the incoming connection as the root user. Last one, root /tmp/test.py: let's see what is in the /tmp directory. In the /tmp directory there is no script called test.py, so probably the administrator has deleted the script but forgot to delete the cron job, which means that if we now created a script under the same name in the /tmp directory, and as the contents of the script we put some sort of Python reverse shell, it will run as the root user and you will be able to receive another reverse connection to your machine. Let's stick with the backup script; it's the most appropriate for this task.

So now we head to /home/karen and launch nano backup.sh. This is the script: cd /home/admin123/results; zip -r /home/admin/download.zip. So it's zipping a file; it seems like a backup script, as the name says, but sometimes you see scripts with names where the contents of the script suggest something else; that's why it's always a good idea to understand the contents of the script. We will need to remove everything here, and let me grab a reverse shell from my machine: let's select the bash reverse shell here, port 4545, and now the IP address of my machine is here; change that and save it. That's it; now wait for an incoming connection to your machine. We're going to wait around one minute for the connection to trigger, and we will receive it here on the right-hand side, hopefully. In the meantime let's see the questions: how many cron jobs can you see? We have four. What is the content of the flag? We need the incoming connection. What is matt's password? That also needs the connection to trigger. The connection is not coming, I guess because we didn't adjust the permissions on this, so let's give it execute permissions, chmod +x backup.sh, and wait now and see if it's going to work. As you can see, now it worked, so we have the root user. Now we check out the flag: id, root; cd /home, cd ubuntu, ls, cat flag5.txt, and this is your flag for this task. Now what is matt's password? cat /etc/shadow; first extract the hash of the user matt, this is the hash, and then we can just exit, no need for the shell anymore. Put the hash in a file called matt and crack it with John the Ripper. I'm going to use john now; instead of user2 I'm going to use matt. Because I did this before, I'm going to type john --show matt; the password was 123456. So now we are done with this task; terminate. Next one, start the machine.

The next one is about exploiting or escalating privileges through the PATH environment variable. Actually, in the last task we could have done that on the antivirus script, if you remember, but I just postponed that to this task because here we will talk about it. In this task we have three questions, and in order to get the flag we have to escalate privileges using the PATH environment variable technique. So clear here, do some cleaning; now ssh karen@ as always, and now we check the IP of the machine; still booting up; take the IP, paste... are you serious? One more time... oh, because the machine has not yet booted. Now it has booted, yes, password1, so now we are logged in; check out id, we are karen. So how do we go about finding out if we can exploit the PATH environment variable? Exploiting the PATH environment variable relies on the fact that you have to find a script running on the system which doesn't have the full path set for the executable that it uses in its content. Kind of vague, right? Let's demonstrate that in this scenario. ls, cd /home, see who we are; we are karen; cd matt, all right, cd .., cd murdoch; okay, we have two here; cd ubuntu, okay. So in that directory it seems like we have a Python script and we have a binary. If we type file test, it is an executable binary on Linux, and it seems that this binary is the binary that has been compiled from the script. Let's check out the Python script: nano thm.py. Okay, so this script seems to be executing a binary called thm, and that's what it does: it executes a binary called thm, that's it. So now how do we know that this script presents an opportunity for exploiting the PATH environment variable? As you can see, there is no path defined in the script, which means the system will look in the PATH environment variable to find that executable, and the first match it finds it will execute. So this is the mistake here in the script: there is no defined path for that. That's why we can now manipulate the PATH environment variable: we can insert our path, also insert a binary in our path, and let the script execute the binary from our path.

How is this done? We first check the environment variable: echo $PATH; you see we have /usr/local/sbin, /usr/local/bin, etc. So how about we add the /tmp directory here, and then create a binary called thm and put it there? The first thing we do: export PATH=/tmp:$PATH, echo $PATH; as you can see, the /tmp directory has now been prepended to the very first position of the environment variable. Now the Linux system, when trying to find the binary thm, will first look in /tmp. Now we cd to /tmp and create a file called thm. Before doing that, the author has put a binary called test; let's see what this binary does: "thm not found". So I tried to execute this binary and it's saying thm not found, and as I told you, this binary seems to be a compiled version of thm.py; I know this doesn't make sense, but just trying. ls -la: see, the test binary here has the SUID bit set and can be run as root. If we check the /tmp directory now... okay. So our job here is to create a binary under the name thm in the /tmp directory. Let's now create that binary: cd /tmp, nano thm, and it includes some simple code to change users. Let me see what I have in here, go to Linux... this one could work, this one will work, so we take the C code; this will switch the UID and GID of the user to the root user. Now we have a file called thm; we will just give it execute permissions, and also we will give it the SUID bit. So now thm is here. What's going to happen now? We will go back to the home directory, cd to murdoch and execute one of these. When we execute one of these, the system will look for thm, and since there is no path defined, it will pull the thm we just created in the /tmp directory and execute it as root. So now: test... /tmp/thm: syntax error, unexpected. Okay, let's try with the Python one: python... there is no python; /tmp/thm: syntax error, unexpected. cat /tmp/thm; everything seems to be all right in this file. So it's saying I have an error in my script: nano /tmp/thm, void, setuid, setgid, system; remove this option, maybe it's going to work... okay, so the problem is the binary thm does not have the SUID bit set? chmod +s thm. All right, now we execute: cd /home, cd murdoch, and it's not working. All right, let's go with a different one: rm thm, and now we create a simple one: let's try echo "/bin/bash" and redirect that to thm, chmod 777 thm. All right, now let's try to execute the test file: it worked. The reason for that: there was a problem in the previous attempt, not an actual problem in the code but in the execution of the test file. So now it worked and now we find the flag: id, root; cd .., cd matt, cat flag6.txt, and this is your flag for this task. Terminate, deploy the next one.

The next one is the last task before the capstone challenge. The last task here is about NFS, Network File Sharing. In this task we will explore another way of escalating privileges on the Linux file system by manipulating shared folders and remote management interfaces. We have around three questions: how many mountable shares, how many shares have no_root_squash, and what is the content of the flag. Let's do some cleaning before we switch to this task: ssh karen@; no need for GTFOBins anymore; actually we will keep it for the capstone challenge, I remember that. Copy this, okay, switch this to the right. We have been told that this machine is running shares, so the first thing, to enumerate the shares, we can use showmount -e and the IP of the machine. We have three shares: sharedFolder, tmp, backup. Now the issue is selecting the appropriate one and mounting it to your file system. That's why, on the machine we have just compromised, we use cat /etc/exports to see the configuration of these shares; we look for the shares that have rw and no_root_squash. If a share has rw and no_root_squash, it means we can mount it to our system and create an executable in that share; after creating the executable in the share we can execute it from the target machine and gain root access. In my case I selected the /home/ubuntu/sharedFolder share. sudo -i: I'm going to switch to root on my machine now, because I will need to deal with shares and I don't want any headaches with permission denied stuff. cd, ls, all right, cd /mnt, okay; I'm going to remove the junior pentest directory, rm -r, and now I'm going to mount this one to my machine. The command to do that: we just type mount -o rw, then we define the target share (we have rw permissions on the share), so we put the IP address of the target machine followed by the path to the share, /home/ubuntu/sharedFolder, and next the directory on my system to which the share will be mounted. I just executed the command; I want to save the command in the history, so I'm going to create a directory now called grpentest and execute the command again. So now we are mounting the shared folder to my pentest directory: ls, cd grpentest, and now we will create a simple code to escalate privileges on the target machine. When we create this code here on my machine it will be synchronized, or mounted, or copied, whatever you want to call it, to the shared folder here, so I can execute it from there. Let's see now if I have permissions on that folder: /home/ubuntu/sharedFolder, nothing in there until now... it seems like we don't have write permissions on that folder; let me check backup; all right, let's continue with this: ubuntu, id, we have ubuntu actually, that's good, because the shared folder is contained inside ubuntu. Now on my machine I'm going to create a simple C code, nano code.c, and just copy the code I have tried before; compile code.c into code. So now we switch to the target machine, go to /home/ubuntu/sharedFolder; now we have the code here. Execute the code, or give it execute permissions first; let's do that here: chmod +x code, and now execute here, and now you are karen; oh no, it didn't work, so I guess we forgot something. Here I think we need to give it the SUID bit; execute code again, and now you are the root user. So, questions: cd .., cd .. for the flag, cd matt, ls, cat flag7.txt, and this is the end of this task. How many mountable shares did we find? They were three. How many shares have no_root_squash? Also three. And this is the flag. Terminate.

And now the last challenge, finally, the capstone. Until the IP is shown I'm going to do some cleaning as well; clear, okay, I'm going to click, it doesn't work, ssh karen@... in the last challenge we're given totally different credentials: leonard. Okay, let's use leonard, and the password we're given. A normal Linux machine where we will employ all of the knowledge we have gained so far to escalate privileges. The IP address will pop up in a second... okay, let's get in, and this is the password. Taking some time, taking longer than expected; let me check the machine; it is running, I don't know why we are not able to connect; since the machine did not boot up yet. Okay, paste. So, long story short, guys, in order to complete the capstone challenge you will have to find the appropriate way to escalate privileges; you may need to go over all of the techniques we have learned so far, but in this video I'm here to help you and save you time, so I'm not going to do trial and error on this challenge; I'm just stepping right to the correct way, if you will. The correct way is to search for the binaries that have the SUID bit set. After we look through the binaries that have the SUID bit set, we will find one that we can use, which is, you guessed it right, base64. Again, what we will do here: we will use the base64 entry from GTFOBins and define a file to read, as we have done before: base64, SUID. The file you would like to read is first the flag file. Where is the flag1 file? cd /home, cd... so we have the rootflag folder for flag 2; we only have the missy flag; cd missy, permission denied; cd leonard... so I guess it is in missy's folder. We define the file here, LFILE=/home/missy/flag1.txt, and then we use base64 to view the contents of that file: no such file or directory. Let's search for that file then: find / -name flag1.txt -type f and redirect everything to /dev/null; see where that file is. So we don't have such a file, is that possible? ls, cd leonard, ls -la; /home permission denied; okay, so I think we need to think of another way to find that flag; /home, we see flag.txt... so it is not here; paste the output: no such file or directory. Okay, I have another way: let's use LFILE here to just escalate our privileges. So now /etc/shadow, and now if we output the contents of /etc/shadow we can crack missy's password and get into her folder. This is the hash of missy; take it, and I have done this before, so ls, I have missy's hash here; type john --show missy: it's password1. So now we switch to missy and finally break the castle. cd .., ls, cd missy, cd Desktop maybe, nope; cd .., try Documents, cat flag1 (I guess it's a Windows machine, nope), cat flag1.txt, and this is flag 1.

Next, to find the next flag we have to read the rootflag folder; go back, so we have this rootflag folder. In order to extract this flag we can now go back and define a new file with base64, so the new file is /home/rootflag/flag2.txt, and then execute, paste, and this is the root flag, which marks the end of this challenge. I hope you enjoyed this journey, guys; I hope you learned all of the things that you're supposed to learn from this challenge. I will update the Linux privilege escalation notes with everything we have learned here; of course, if you want to get all of the notes you have to subscribe to the channel membership. So that's it for today, and see you in the next video.
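The walkthrough above finds root through two plain misconfigurations: cron jobs run as root whose script is writable by an ordinary user, missing, or referenced without a full path, and NFS exports with both rw and no_root_squash. The following audit helper, written for this page as an added example (it is not the video's code and not part of the TryHackMe room), turns those two observations into checks an administrator can run on the real /etc/crontab and /etc/exports before someone else does. The sample lines it is tested against are constructed; the SUID and capability classes are already covered on the page by the find -perm -04000 and getcap -r commands.

```sh
#!/bin/sh
# Added defensive audit helper for two of the privilege escalation vectors the
# walkthrough exploits: root cron jobs with writable/missing/relative scripts and
# NFS exports with rw,no_root_squash. Example code written for this page, not
# from the video or TryHackMe. Input formats are the real system formats.

# Print every export entry that is both rw and no_root_squash: the combination
# that lets a client mount the share and plant a root-owned SUID binary.
# Reads the exports file on stdin:   flag_risky_exports < /etc/exports
flag_risky_exports() {
    sed 's/#.*//' | awk '
    NF {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            # a client spec looks like  *(rw,no_root_squash)  or  10.0.0.0/8(ro)
            if (match(client, /\(.*\)/)) {
                opts   = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            n = split(opts, o, ","); rw = 0; nrs = 0
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw") rw = 1
                if (o[j] == "no_root_squash") nrs = 1
            }
            if (rw && nrs) printf "RISKY %s client=%s\n", path, client
        }
    }'
}

# Audit the root jobs in a system-format crontab ($1, e.g. /etc/crontab):
#   RELATIVE  command given without an absolute path (PATH hijack, like antivirus.sh)
#   MISSING   script no longer exists (whoever creates it owns the job, like /tmp/test.py)
#   WRITABLE  script is writable by the user running this audit (like /home/karen/backup.sh)
#   OK        absolute path, exists, and not writable by this user
audit_root_cron() {
    set -f   # no globbing: the "* * * * *" schedule fields must survive word splitting
    sed 's/#.*//' "$1" | while read -r line; do
        [ -z "$line" ] && continue
        set -- $line
        case "$1" in
            *=*) continue ;;                                   # PATH=... / SHELL=... lines
            @*)  [ $# -ge 3 ] || continue; user=$2; shift 2 ;; # @reboot user command
            *)   [ $# -ge 7 ] || continue; user=$6; shift 6 ;; # min hour dom mon dow user command
        esac
        [ "$user" = root ] || continue
        cmd=$1
        case "$cmd" in
            /*) if   [ ! -e "$cmd" ]; then echo "MISSING $cmd"
                elif [ -w "$cmd" ];   then echo "WRITABLE $cmd"
                else                       echo "OK $cmd"; fi ;;
            *)  echo "RELATIVE $cmd" ;;
        esac
    done
    set +f
}

# Usage on a live host (run as the low-privilege account you want to assess):
#   flag_risky_exports < /etc/exports
#   audit_root_cron /etc/crontab
```

Run audit_root_cron as the unprivileged account you are worried about, not as root: the WRITABLE check uses the caller's own permissions, which is exactly the question the walkthrough asks about karen. Anything reported as RELATIVE is fixed by giving the job an absolute path or setting PATH in the crontab; MISSING jobs should be deleted rather than left dangling.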
Info
Channel: Motasem Hamdan
Views: 58,098
Keywords: Linux, training
Id: 7WQndt-1WzE
Length: 64min 40sec (3880 seconds)
Published: Tue Oct 26 2021