1 00:00:00,570 --> 00:00:06,490 Hi, within this lecture, we're going to try and change our user to devops if we can.
2 00:00:06,510 --> 00:00:12,300 We are currently Mamadu and we found out that we have to change our user to devops.
3 00:00:12,450 --> 00:00:17,250 And most probably we're going to make our way up to root later on from devops.
4 00:00:17,250 --> 00:00:17,670 Right.
5 00:00:18,210 --> 00:00:23,550 So right now, we've found something called antivirus.py.
6 00:00:23,730 --> 00:00:31,200 And we know that this belongs to the user and we know that we have access to it somehow.
7 00:00:31,740 --> 00:00:37,640 We don't know yet if we can actually change it or execute it, but we are going to try and see.
8 00:00:38,010 --> 00:00:40,630 So what can we do with a Python file?
9 00:00:40,920 --> 00:00:41,910 It's easy, right?
10 00:00:41,910 --> 00:00:47,210 We can write a reverse shell in Python and get the shell back as devops.
11 00:00:47,700 --> 00:00:53,490 So what I'm going to do, I'm just going to go to Google, OK, and search for "Python reverse shell".
12 00:00:53,700 --> 00:01:01,130 So if you got the complete course from me, you know that we can actually write one
13 00:01:01,140 --> 00:01:01,950 ourselves.
14 00:01:02,400 --> 00:01:07,140 But let's keep it simple, and I'm just going to go over here and write "Python reverse shell code".
15 00:01:07,380 --> 00:01:09,780 And as you can see, there are a lot of them over here.
16 00:01:09,780 --> 00:01:12,570 I'm just going to look for a cheat sheet.
17 00:01:13,170 --> 00:01:14,550 And yep, here you go.
18 00:01:14,700 --> 00:01:19,530 Every time I do that, I come across pentestmonkey and it always works.
19 00:01:20,100 --> 00:01:24,810 If you just see something like that, say "see details" and ignore the risk.
20 00:01:25,230 --> 00:01:28,410 So I'm going to go into pentestmonkey.net.
21 00:01:28,410 --> 00:01:34,620 As you can see, there are a lot of reverse shells over here for different kinds of programming languages like
22 00:01:35,310 --> 00:01:39,080 Bash, Perl, Python, PHP, Ruby.
23 00:01:39,100 --> 00:01:43,080 And so we're going to use this website a lot during the course.
24 00:01:43,590 --> 00:01:50,640 So as you can see, this is Python 2.7, and we know that our server runs Python 2
25 00:01:50,640 --> 00:01:51,300 point seven.
26 00:01:51,330 --> 00:01:55,170 This is how we got our shell in the first place.
27 00:01:55,170 --> 00:01:55,540 Right.
28 00:01:55,830 --> 00:02:00,330 So I'm going to take this and I'm just going to cd into the directory.
29 00:02:00,870 --> 00:02:04,930 So let me run ls -la and here you go.
30 00:02:04,930 --> 00:02:07,770 We see that antivirus.py is a hidden file.
31 00:02:07,980 --> 00:02:10,740 I'm going to try and nano into this antivirus
32 00:02:10,740 --> 00:02:12,860 .py and see if that works.
33 00:02:12,870 --> 00:02:13,470 Here you go.
34 00:02:13,470 --> 00:02:14,100 It works.
35 00:02:14,490 --> 00:02:18,870 So I'm going to paste the thing that we have copied from pentestmonkey.
36 00:02:19,260 --> 00:02:23,040 And over here, it's actually a one-liner.
37 00:02:23,040 --> 00:02:28,710 So it's actually scripted in a way that you run this in the terminal.
38 00:02:29,070 --> 00:02:31,500 But we're not going to run this in the terminal.
39 00:02:31,500 --> 00:02:34,590 We're just going to run this as Python code itself.
40 00:02:34,770 --> 00:02:35,150 Right.
41 00:02:35,340 --> 00:02:41,280 So I'm just going to delete everything over here and I'm just going to delete the quotation marks and
42 00:02:41,280 --> 00:02:43,760 I'm just going to delete the text over here as well.
43 00:02:44,100 --> 00:02:44,450 Right.
44 00:02:44,840 --> 00:02:49,200 So if you know Python, you know exactly what I'm doing over here.
45 00:02:49,320 --> 00:02:54,880 I'm just trying to convert this into Python code, so I'm just going to import socket.
46 00:02:55,320 --> 00:02:56,730 So this is a library.
47 00:02:56,730 --> 00:03:03,410 In order to make the connection, I'm going to import subprocess and import os over here.
48 00:03:03,720 --> 00:03:12,440 So subprocess is for running the system commands and also for running operating system functionalities
49 00:03:12,450 --> 00:03:13,140 over here.
50 00:03:13,530 --> 00:03:17,940 So I'm going to delete these semicolons because we don't need them anymore.
51 00:03:18,240 --> 00:03:20,190 OK, we are running Python code.
52 00:03:20,190 --> 00:03:22,370 We don't need semicolons in Python.
53 00:03:22,740 --> 00:03:28,270 So over here I'm just going to delete those and just align everything over there.
54 00:03:28,590 --> 00:03:31,530 So if you know Python, this is very easy for you.
55 00:03:31,560 --> 00:03:39,060 If you don't know it, just try to bear with me and just try to make your code look exactly like mine.
56 00:03:39,540 --> 00:03:46,110 So over here, as you can see, we have the IP address and the port that we want to send this
57 00:03:46,110 --> 00:03:47,320 connection to.
58 00:03:47,820 --> 00:03:53,460 So in this case, I'm just going to change it to our own ifconfig results.
59 00:03:53,460 --> 00:03:59,730 So I'm going to run ifconfig over here and see what it is in my Kali Linux.
60 00:03:59,850 --> 00:04:02,030 So I'm going to change this to that.
61 00:04:02,190 --> 00:04:04,700 OK, and the port is not very important.
62 00:04:04,710 --> 00:04:06,840 You can leave it as 1234.
63 00:04:07,020 --> 00:04:12,050 Just say Ctrl+O, Enter and Ctrl+X to exit out of this one.
64 00:04:12,510 --> 00:04:15,000 And let me check this over here.
65 00:04:15,300 --> 00:04:21,930 I'm going to come over here and say netcat and we're going to listen for connections coming on port
66 00:04:21,930 --> 00:04:22,980 1234.
67 00:04:23,280 --> 00:04:25,620 You're going to have to say -nvlp for that.
68 00:04:25,890 --> 00:04:31,080 So we have learned about this stuff during the complete course.
69 00:04:31,320 --> 00:04:35,790 I hope you got it, or I hope you know what I'm doing right now.
70 00:04:36,390 --> 00:04:41,400 So we're here in the antivirus.py, as you can see, saved.
71 00:04:41,610 --> 00:04:42,450 So it's good.
72 00:04:42,810 --> 00:04:46,620 So we have to find a way, you know, to execute this.
73 00:04:46,860 --> 00:04:55,550 So I'm going to run ./ or python antivirus.py and see if it works or not.
74 00:04:56,010 --> 00:04:59,370 So as you can see, I managed to run this and here you go.
75 00:04:59,660 --> 00:05:10,250 Now, I have a connection from the server, so I'm going to run id and yep, seems like we are Mamadu,
76 00:05:11,300 --> 00:05:12,310 it's weird.
77 00:05:12,350 --> 00:05:18,020 As you can see, we're trying to execute this as devops.
78 00:05:18,470 --> 00:05:24,650 But since we are user Mamadu, maybe it's not being executed as devops.
79 00:05:24,830 --> 00:05:25,860 So it's kind of weird.
80 00:05:25,890 --> 00:05:28,760 So I'm going to Ctrl+C out of that one, OK?
81 00:05:28,800 --> 00:05:34,220 It clearly doesn't work and I'm just going to try it again.
82 00:05:34,460 --> 00:05:35,840 Nope, it doesn't work.
83 00:05:36,380 --> 00:05:43,700 So what I'm going to do here, I'm going to try and cd to /home/devops and try to get the flag
84 00:05:43,700 --> 00:05:44,940 2.txt.
85 00:05:45,650 --> 00:05:51,140 And obviously it doesn't work; even though we get a shell, we get the shell as Mamadu.
86 00:05:51,710 --> 00:05:56,330 So it's strange, but we're going to try and solve this one.
87 00:05:56,330 --> 00:05:56,750 Right.
88 00:05:57,320 --> 00:06:03,390 So over here, actually, when I was solving this CTF, I got a little bit confused.
89 00:06:03,770 --> 00:06:05,900 Let me try and get out of this one.
90 00:06:06,080 --> 00:06:08,770 Maybe like with quit or exit.
91 00:06:09,140 --> 00:06:10,160 Now it doesn't work.
92 00:06:10,160 --> 00:06:12,760 We lost this connection over here as well.
93 00:06:13,250 --> 00:06:13,690 Right.
94 00:06:13,910 --> 00:06:18,650 So let me exit out of this one and just run this one more time.
95 00:06:18,980 --> 00:06:22,870 And, yep, we managed to exit out of that one.
96 00:06:23,000 --> 00:06:25,520 So we are the user Mamadu over here.
97 00:06:25,790 --> 00:06:30,440 But we cannot just get this connection as devops.
98 00:06:31,160 --> 00:06:39,110 So you can try to reboot this in order to maybe trigger the execution of that Python file.
99 00:06:39,770 --> 00:06:45,860 You can try to do sudo reboot, but we don't even know the password for Mamadu.
100 00:06:46,280 --> 00:06:50,840 And as you can see, I'm trying some other solutions over here.
101 00:06:51,200 --> 00:07:00,320 Maybe we can try to go into our Kali and try to get the notes that we have over here.
102 00:07:00,560 --> 00:07:09,710 Maybe we can try this password in order to reboot this over here, and maybe Mamadu has this
103 00:07:09,710 --> 00:07:10,340 password.
104 00:07:10,490 --> 00:07:10,820 Yep.
105 00:07:10,820 --> 00:07:13,340 Mamadu has this password in the server as well.
106 00:07:13,970 --> 00:07:19,070 But Mamadu cannot do that because he's not in the sudoers file.
107 00:07:19,100 --> 00:07:21,560 As you can see, we cannot reboot that.
108 00:07:21,950 --> 00:07:28,070 And magically, as you can see, we got the connection back from the server.
109 00:07:28,580 --> 00:07:30,860 So if you run id, we are devops.
110 00:07:31,310 --> 00:07:32,750 So how did it happen?
111 00:07:33,200 --> 00:07:35,600 We didn't even do anything over here.
112 00:07:36,140 --> 00:07:41,660 So it made me think that, yep, this is a cron job.
113 00:07:41,660 --> 00:07:42,200 Right.
114 00:07:42,410 --> 00:07:45,680 So it's been like running for some time.
115 00:07:45,680 --> 00:07:49,220 So if you wait a couple of minutes, it's going to get executed.
116 00:07:49,400 --> 00:07:52,550 It's going to give us the connection back.
117 00:07:52,730 --> 00:07:56,060 So that's why I just tried to check the cron.
118 00:07:56,180 --> 00:07:58,730 Maybe we can check for the crontab as well.
119 00:07:58,940 --> 00:08:05,790 But again, it should have been a crontab or it should have been a cron job, because how else were we
120 00:08:05,790 --> 00:08:07,520 going to get this, right?
121 00:08:08,680 --> 00:08:10,190 Just listening for our connection.
122 00:08:10,190 --> 00:08:11,720 I'm waiting for a couple of minutes.
123 00:08:11,870 --> 00:08:16,640 It got back the connection from the user devops.
124 00:08:16,940 --> 00:08:23,810 So it doesn't work if we execute it on our own as user Mamadu; it actually works, but we get the connection
125 00:08:23,810 --> 00:08:24,080 back
126 00:08:24,080 --> 00:08:31,550 as Mamadu. But if we just do nothing and if we just start listening on our terminal, then we're going
127 00:08:31,550 --> 00:08:32,270 to get this.
128 00:08:32,270 --> 00:08:39,050 So it has to, it should have been like a crontab or cron job or something.
129 00:08:39,230 --> 00:08:46,970 So it's been running in the background and it got executed and then we got back the connection.
130 00:08:47,330 --> 00:08:48,260 Very good.
131 00:08:48,650 --> 00:08:56,570 Now, over here in the shell that we have, let's try to go to /home/devops one more time.
132 00:08:56,810 --> 00:09:01,880 And if we cat the flag2.txt now, we're going to get this flag.
133 00:09:01,880 --> 00:09:07,040 As you can see, we get the second flag over here, which is very good.
134 00:09:07,160 --> 00:09:08,900 So I'm going to take a note of this.
135 00:09:09,200 --> 00:09:16,700 OK, so I'm going to nano into my notes.txt, or not txt, and let me just save the flag
136 00:09:16,700 --> 00:09:17,580 two as well.
137 00:09:18,140 --> 00:09:24,410 Now, let me paste it over here and Ctrl+O, Enter, Ctrl+X.
138 00:09:24,860 --> 00:09:25,580 Here you go.
139 00:09:25,790 --> 00:09:32,510 Now, there is one thing left to do, which is becoming root, because we are right now devops.
140 00:09:32,840 --> 00:09:37,370 We're going to try and escalate our privileges one more time.
141 00:09:37,550 --> 00:09:38,090 Right.
142 00:09:38,390 --> 00:09:42,410 So that's what we're going to do within the next lecture together.