[00:00:00] Hi. Now we completed our gaining access. OK, so we're one step ahead, and now we're going to see who we are and what we can do, and what we can do to actually leverage our privilege escalation techniques, or escalate our privilege in a way so that we can be root in this CTF. Now, as you can see, I'm in the server, but I cannot even type ls, and it says that ls is not defined. So it's not good. Let me try whoami. And here you go, I cannot even run... where am I? Which is not good at all. So we don't have a shell over here. OK, we are in the system somehow, but we don't have a shell. We cannot actually run any commands, like any Linux commands, in order to see who we are or what we can do. Let me try to define my name, OK, and let me try to print my name. Here you go, it works. I believe this is kind of a Python shell. And as you can see, it says so over here: it's a Python shell. It's Python 2.7.9. So we are in a situation where we can run Python commands in the server that we hacked, but it's not a shell again.
[00:01:27] Now, if you know how to create shells with Python, it's very good. If you don't know, I'm going to show you how it's done. So I have a file. Let me find it. I use it for taking notes, like for the most generally used, most commonly used commands in my CTFs. OK, so I suggest you do the same thing as well. So let me find it and you will see what I mean. I'm going to find it over here. Yeah, here you go. It's called CTF Challenge. And these are the common commands that I used during our CTFs. As you can see, there are a lot of things over here, and there is a way to spawn a shell through Python. So in order to do that, we're going to use python -c, import pty, which is a library. OK, so a Python library. And over here we're going to call the pty and say spawn /bin/bash or spawn /bin/sh. So whether we get sh as a shell or bash as the shell, it will be great for us. So of course I'm going to go with the bash first, and if it doesn't work, I'm going to go with the sh shell. So let me come over here. Since we are still in Python, we can just write this like that, OK: import pty, and then pty.spawn('/bin/bash'). All you have to do is just write this. OK, so here you go.
[00:02:53] Now we have the shell. We exited out of this one and I can clear it and I can run whoami. Here you are. So I'm Mamadu. And for the id, I belong to my own group. I believe it doesn't seem like I have the administrative privileges, like root privileges, over here. But of course we're going to try, say, to run ls, and as you can see we get the first flag. So I'm going to cat this out. And here you go. I'm not even going to bother with submitting this flag anywhere, but I'm just going to make a note of it. OK, this is... we're keeping notes. So let me just go back here to scaffolder Omura Khandi have the .txt, and over here I'm just going to paste it in, and I'm not going to submit this anywhere, but maybe later on I will need it for some reason for proceeding in our CTF, so I'm just taking a note over here. So we got the first flag, but we have two more to go. If you remember the description of the CTF, we're going to have to find the second flag and we're going to have to find the root flag as well. So far, so good. Now, let me check if we can find the flag2 over here. So I'm going to call locate flag2.txt. And here you go. It's under /home/devops/flag2.txt.
[00:04:26] So maybe we can read this. Maybe we can go over here. Let me just cd to /home/devops, and over here, let's try to cat flag2.txt. And here you go. Just as expected, it says permission denied. Even though we know it's over here, we cannot read it because it belongs to some other user called developer. OK, so actually devops, but the group of the devops is devops. So over here we don't have that permission to read it; only the devops user can read it. OK, so let me see what we can do over here. So what we can do actually is try to escalate our privilege into the devops user rights. So we're going to try and go to that user. So I'm going to just cat /etc/passwd and see what kind of users we have over here. So, of course, we have user root, we have Mamadu, we have devops, and we're going to try and be the devops in this case. So what I'm going to do over here is what you should do for, I believe, every penetration test or every CTF that you're going to come across. And we're going to talk about this a lot during the privilege escalation section of this course as well. And in fact, we're going to see a lot of different techniques in order to escalate our privileges, in order to become root.
[00:06:03] And this is actually one of them. And it's a very valid one. And it actually is valid in real life examples as well. So what I'm going to do, I'm going to try and see if we can find a file that we can just run and execute, that belongs to the devops, but we can run it from the user Mamadu as well. Maybe that file will give us some kind of leverage in order to change our user. OK, maybe it will. Maybe it won't, but it's worth a shot. And by the way, there are a lot of tools that we can use for privilege escalation, like LinEnum or Lin S.H. So we're going to see some of those in the following sections. But it's always a good idea to look for these manually, so you can run uname -a, for example, and see what kind of kernel you're in. And you can see if you have any kind of kernel exploits in order to escalate your privilege. We're going to take a look at those, and we're going to take so many more steps in order to learn about privilege escalation. Right now, I'm just going to show you one, OK? And if it doesn't work, of course, we're going to go and see other ones as well. We're going to see what kind of steps we should take in order to escalate our privileges in a given Linux environment right now. Let me show you what I mean.
[00:07:37] We're going to use find, and you know how to use find because we have learned it in the previous section, right? So we use this command in order to find some files and folders that belong to some kind of user, or that belong to some kind of group, or that are within some kind of size. So I'm going to just run find . or slash, rather /, because we're just running it for the whole server. We have seen that, remember? And I'm going to search for -user devops. So I'm not user devops right now, I'm user Mamadu, but it's a good idea to run it. And as you can see, Linux gives us the files and also the permissions that we need, or that we have, in order to run or see or just write to that file. So over here, as you can see, there are a lot of files over there, but these are all permission denied, so we cannot do anything with them. Maybe we can use them for information gathering purposes, but we cannot see them. We cannot write them or we cannot execute them. So I'm going to try and find something that we can actually run or see or execute. And over here we see the flag2.txt. It doesn't say permission denied, but we have seen it, right? We cannot see that. So over here, we have some other file called antivirus.py under the /srv folder over here.
[00:09:17] So it's worth it to look at that, if we can see it or if we can write it or if we can execute it. It's a little bit suspicious to see some kind of antivirus Python file that is going on over there, right? So we better take a look at that. And also, we have this /tmp folder with a file called test, or /tmp file. I don't know what it is yet. Test, and we're going to take a look at those. So I'm going to copy this file because I will try to see the content of it and I will try to see what we can do with it. So what I'm going to do, I'm going to copy this file, and also bear in mind that we have this test file as well. So maybe we can take a look at that and see what we can do with it. And if you do find something like that in a real life testing scenario, of course, take a look at those as well. If you can find anything that you can run or see or write as another user, it's better to take a look at those. So I'm going to come over here and see if we have something like test over here. Yeah, we have test, but it only says test. So I believe there is nothing interesting over here. Maybe we can check this out. And here you go for the /srv folder, for the antivirus. That's why we have this script. So it's open.
[00:10:49] /tmp/test, and it writes it: it opens it to write it and it writes test. So it's kind of connected, right? So when this antivirus.py is executed, then we will see this test folder, or test file, appearing. And it seems that it's already been executed for us; maybe a user has already executed this before, or maybe this is kind of a cron job. So I'm going to go into the cron and just run ls -la and see what kind of things we have over here. We have the placeholder, and I believe it's nothing. But if we go for the anacron and if we cat the anacrontab, then we can see it's kind of a cron job. And over here it actually runs something. OK, let me see what it runs. So I'm going to get the B here as well. So... Yep. So this is for every 30 minutes. It's for cleaning the sessions, I believe. And I don't think this is related to the antivirus.py. Let me just cat the placeholder here as well. So this is just a placeholder. So again, I don't know if we have this over here. We can see how we can take a look at that later on. But again, we know that this antivirus.py has been executed.
[00:12:33] So what I'm trying to do over here is actually, can we run this file? Can we run this... let me see, this antivirus.py file, as another user? And we don't know actually if we can execute this, but we can try to see it. We can try to write it and change it. So maybe we can manipulate this and run it as devops and get the system back from the Web, says... well, let's stop here and test all of this within the next lecture and see if that works or not.