Hi, within this lecture we're going to continue with the OverTheWire challenge Bandit, level 19; now we have bandit20 that we should do over here. So this is an executable. And if we just run file on bandit20-do, we can see that this is an executable. Indeed. And there is a great hint on the right hand side which says that this is a setuid binary, which means that we get to run this in an escalated privilege fashion.

So let me show you what I mean. It says that the password for this level can be found in the usual place. So remember, we have this password in /etc/bandit_pass. So if we run cat /etc/bandit_pass/bandit19, then we can get the password for bandit19. But if you run this for bandit20, then we cannot get it, right, because only bandit20 can cat this out. But if we run this bandit20-do, OK. So this is a file that we can run as another user, and in this case it's bandit20. OK, if you run this regularly, it will say that it runs a command as another user. So this is what setuid does, actually; we're going to deep dive into setuid in the following sections. So right now I'm going to run id and you will see that I'm bandit19. But if I run bandit20-do id now, you will see that my euid is bandit20, so we can use this bandit20-do to run commands as if we are bandit20.
OK, and it means that we can easily cat out the bandit_pass for bandit20. So all we got to do is just run bandit20-do cat /etc/bandit_pass/bandit20. And here you go. We got back the password for bandit20. Now I'm going to copy this and save it to my passwords text file, and if you don't know how to use setuids, we're going to deep dive into them, especially in the privilege escalation sections. So, no worries. They are temporary permissions and we can run commands as if we are in an escalated privilege fashion.

OK, so I'm going to go into bandit20 right now and I'm just going to test to see if we got the right password or not. So here you go. We are inside of bandit20, which means that we got the right password. So I'm going to go to the next level, which is level 21. So this is about setuids one more time. So let's see. "There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level." Yep.
So we're going to give it the bandit20 password and it will give us the bandit21 password, and... Yep. Great. So let me try this then; again, since this is about setuids, it will give us some kind of escalated privilege and we will take leverage of that. And again, this is a legitimate privilege escalation technique, so we're going to see those a lot in the following sections. But for right now, we're just practicing it.

OK, so let me just take the level 20 password over here, OK? We have that. So let me see what we have here in bandit20. So there should be a file, OK? Yep. Here you go: suconnect. So when we run this suconnect, um, let's see what it asks us. "This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back." Great. So this is kind of tricky. It doesn't ask us to give the password to this port. OK, so we cannot do that. I believe it asks us to transmit the password from another terminal or another connection, something like that.
So let me try to run nmap to see the open ports over here on our localhost, and I believe we have to find the TCP port to transmit that information. So we have SSH. Yep, here you go. We have SSH. Obviously, we have some kind of different things over there. And I believe we have seen this 30000. We have used them in the previous challenges. Right. We have the 6000s over here. Maybe we can do something with those. I don't know. We have this 113 ident.

Let's try either of these, like 6010. OK, did it connect? Let's try to copy and paste some stuff. Let's see if this works or not. Let's come over here. Let's paste this and let's hit enter. It doesn't do anything, right? So maybe we can try with the other ports here as well. But again, I believe it's looking for something else. So let me try to connect to something like 4444, which doesn't exist here anyway. Maybe we can create a port over here by just running netcat, and we can try to connect back to that port from another terminal. Which makes sense to you, right? Because... let's try that netcat.
Listen on 4444; it will just start listening. And if I just, um, connect to bandit20 from another terminal over here, OK, and give the password over there. Let's do that. Let's come over here. Just open another session in another terminal. OK, now I have to log in as bandit20. Now let me try this one more time: suconnect 4444. Yeah. It says that it couldn't connect. Let me come back over here. As you can see, we're listening over there. So this port should be open, but I cannot connect to it for some reason.

Maybe we should specify the localhost and port explicitly, OK, and try like that, because we don't know how this suconnect thing works. OK, that's an executable. I believe we have to just specify the port that we are trying to connect to. But again, this way we will be much more certain. So I'm going to say localhost and -p 4444, and over there I'm just going to try it one more time. And here you go. I believe this worked now, so make sure you run the same command like that. And I'm going to copy and paste the thing over here one more time, because we are instructed to do that. Right?
So give the password for bandit20 and receive the password for bandit21. Yeah, here you go. Now it worked. I believe we got the thing here, and from the other terminal as well. So, great. I'm going to copy and paste this thing. Let me see which one we're going to get there. The same, I believe. So I'm going to copy this one and here you go. Now let me try one more time. I'm going to go with this one if I can. Yeah, here you go.

Now I'm going to exit out of this one and just try to connect to bandit21. So let's try this and see if this works or not. So I believe this was a little bit different, right? It's a little bit interesting. We already knew how to work with netcat. And again, it doesn't work for some reason. Let me try one more time. Maybe I couldn't copy, even though I tried hard. So let me try one more time. And as I was saying, it was a little bit interesting in this section. However, we have learned something, I believe. So it's good to go now.
We are inside of bandit21, and don't forget to nano here and just save your password so that you can keep a good log. So I'm going to stop here and continue with level 21 within the next lecture.
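The listener-and-connect exchange from level 20, as an added example that is not part of the lecture or of the Bandit challenge: a constructed Python stand-in for the suconnect binary (the hypothetical name suconnect_like) talks to a loopback listener that plays the netcat terminal, using made-up passwords. It goes slightly beyond the lecture by also exercising the wrong-password case, and it bakes in the ordering the lecture stumbled over: the listener must be bound before the connect side runs.

```python
import socket
import threading

# Constructed sample values; the real level passwords are not reproduced here.
BANDIT20_PASSWORD = "constructed-bandit20-password"
BANDIT21_PASSWORD = "constructed-bandit21-password"


def suconnect_like(port, expected, next_password, host="127.0.0.1"):
    """Hypothetical stand-in for the level's suconnect binary: connect to
    host:port, read one line from whoever is listening, and send the next
    level's password back only if that line equals the current level's
    password. Returns True on a match, False otherwise."""
    with socket.create_connection((host, port), timeout=5) as sock:
        line = sock.makefile("rb").readline().rstrip(b"\r\n").decode()
        if line != expected:
            sock.sendall(b"wrong password\n")  # constructed error text
            return False
        sock.sendall(next_password.encode() + b"\n")
        return True


def run_exchange(candidate, expected, next_password):
    """Play the 'nc -l' terminal from the lecture: bind a listener first,
    then run the suconnect stand-in against it from this thread, and
    return (matched, line the listener received back)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    server.listen(1)
    port = server.getsockname()[1]
    reply = {}

    def listener():
        conn, _ = server.accept()
        conn.settimeout(5)
        with conn:
            conn.sendall(candidate.encode() + b"\n")  # what we paste into nc
            reply["line"] = conn.makefile("rb").readline().rstrip(b"\r\n").decode()

    thread = threading.Thread(target=listener)
    thread.start()
    matched = suconnect_like(port, expected, next_password)
    thread.join(timeout=5)
    server.close()
    return matched, reply.get("line")


if __name__ == "__main__":
    print(run_exchange(BANDIT20_PASSWORD, BANDIT20_PASSWORD, BANDIT21_PASSWORD))
    print(run_exchange("a wrong guess", BANDIT20_PASSWORD, BANDIT21_PASSWORD))
```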