00:00:00,660 --> 00:00:21,020
Hi, within this section, we're going to try and escalate our privilege to become root. Right now we are robot, and I'm just going to run uname -a. OK, so we are on Ubuntu, and I'm just going to get the /etc/issue here as well to see if we have any kind of information over there.

00:00:21,150 --> 00:00:39,060
And as you can see, we don't have that kind of information over here, but we know the Linux version over here. So we are on 3.13-something on Ubuntu. So maybe there is a kernel exploit over there, but I'm going to go for another direction.

00:00:39,060 --> 00:00:58,870
So I'm just going to go for sudo -l like we have done before, because we already know that, OK, it's worth a shot to see if we have anything that we can run like an administrator user. So if we run sudo -l, it will ask us for the password of robot. And we know that, right?

00:00:58,890 --> 00:01:18,780
So let me come over here. We have taken a note for that. So, notes.txt. And I'm just going to copy and paste the password and see if we can find something over here. So I'm just going to paste it and hit enter. So here you go. It doesn't work.

00:01:18,810 --> 00:01:36,450
So let me try and just run sudo -l, and no, let me just paste this and hit enter. Maybe I'm copying it wrong. So it says three incorrect password attempts, even though it's not right.
00:01:36,450 --> 00:01:58,470
Right. We managed to log in here. Yeah. I believe we copied the wrong thing. So I'm going to do that one more time. Come over here and just copy this thing one more time, and make sure you copy it right. And come back and just run the same thing over here, if we can paste it.

00:01:58,470 --> 00:02:17,850
So let me paste the clipboard. Yep. Let's see if basically pasting works. So I'm going to run sudo -l one more time, and this time I'm just going to paste the clipboard and hit enter, and here you go. So user robot may not run sudo on linux, so we cannot even run sudo -l.

00:02:18,300 --> 00:02:46,860
But it doesn't mean that we're not going to get to run anything as a super administrator user, a superuser. So I'm going to run a find command over here, which will be a command that you're going to need for the rest of your life if you're going to be a pentester. And this is not the command, by the way, I hit enter by mistake, on accident. So I'm just going to show you one more time.

00:02:47,640 --> 00:03:11,670
So if I run this like that, it will find every file and folder over here on the server. OK, we will see something like permission denied, and we will see something like that, the permissions available for us. So we cannot find... we cannot actually go and take a look at those files.
00:03:12,090 --> 00:03:33,930
And this is not going to do us good. But I'm going to show you the correct command. As you can see, we cannot even see the things over here. We cannot even see the whole list. So I'm going to show you a much better way to run that command. And this is not what I had intended to do in the first place as well.

00:03:34,380 --> 00:04:01,610
So I'm going to run the find command again. But this time I'm going to be very specific. So I'm going to say find /. So I'm searching for the files inside of the whole server over here, not in the current directory. And we're going to find a command that has a specific permission set. And let me just show you the command from my notes over here.

00:04:01,890 --> 00:04:12,210
So this is the thing that we are looking for. So we are trying to find binaries that have the SUID set. So we have seen this before in the Bandit.

00:04:12,450 --> 00:04:56,490
So this is actually going to give us the files that have been given a special permission by the administrator user so that we can actually run this as if we are an administrator, and this is supposed to be a temporary or maybe some kind of a bypass solution for the administrators. OK, but if it exists, if we can find something that is going to give us the leverage of running this as an administrator and getting back a root shell, then we are going to use it.
00:04:56,850 --> 00:05:23,970
And again, this SUID thing is big and broad, but by this time, I suggest you take a note of this command, and I will show you another command in a second, take a note of all of that as well. But in the privilege escalation section, we're going to deep dive into this and understand the SUID logic and how it's done and what happens in the background as well.

00:05:24,330 --> 00:05:43,570
OK, so just make sure that you take a note of this, and it will give us the files that we can actually run. And these files belong to the root user or some kind of administrator user. And if this doesn't work, you can always run the command like this as well.

00:05:43,830 --> 00:06:02,260
So this is kind of finding the permissions, and the output of this is going to go into /dev/null, which is nothing. So it's going into the null. OK, so null means empty. Nothing, nada, void.

00:06:02,880 --> 00:06:33,570
OK, so this is what we're going to do, make sure you copy this. You're just supposed to write it on your own, and just write it over there, and I'm just going to hit enter. And as you can see right now, this is much shorter than what we have seen over here. As you can see, we only get a couple of things over there. So these are the commands. These are the files. These are the binaries. OK, executables that we can execute.
00:06:34,110 --> 00:07:04,740
And if we can make it work, if we can find that binary that will give us the leverage of becoming root, then it's going to be really good. Of course, there is a possibility that we get a lot of things over here, but none of them will serve the purpose of becoming root. But it's worth a shot to see what kind of things we have here and try to find our way to become root.

00:07:05,340 --> 00:07:27,750
For example, right now I can see that I can run the passwd command, the /usr/bin/passwd command. OK, changing the password won't make me root. So we have chsh, which is c, h, s, h. We have sudo, we have nmap, which is weird, and we're going to take a look at that.

00:07:28,290 --> 00:08:01,450
And we have this thingy going on over here, like ssh-keysign, vmware-user-suid-wrapper. So maybe we can take a look at those two. But ssh-keysign is just for signing your key. Maybe if it was ssh, then we could have done something with it. But this is only for signing a key in order to create like a parameter thingy to log in to the SSH servers.

00:08:02,040 --> 00:08:24,410
So over here we have dmcrypt-get-device. I don't know what it does, OK, but we have nmap, and I believe we can find something to do with nmap, and it's very easy to search for the binaries and see if we can actually use them to become root.
00:08:25,170 --> 00:09:05,520
So let me come over here and run nmap --help in my own terminal, in my own Kali Linux, and see if we can find something even remotely related to a privilege escalation. And of course, if we cannot find it over here, OK, let me run this one more time, grepping for shell, for example. Nope, there is nothing over there. Let me grep for terminal. There is nothing over there. I'm trying to find something that will lead me to execute a command as root, as an administrator user. OK, I cannot find it.

00:09:05,790 --> 00:09:36,330
So I'm just going to open Firefox. OK, I'm going to close this down and I'm going to open Firefox, and I'm going to go to google.com, and I will just run a search for this nmap command. OK, terminal, something like this. I want to run a command using nmap. So if we can do this, then we can execute the command as if we are root, then we can get a shell back as root.

00:09:36,870 --> 00:09:59,820
So let me find this. Let me try to find it. So, top 15 nmap commands. That's not the thing that we are looking for. Command line options, maybe. Let me come over here and just search for an interactive shell, something like this. Maybe this will give us more clues.
00:10:00,380 --> 00:10:19,580
On this one, yeah, execute shell commands, yep, that's exactly what I'm looking for, so go for this GTFOBins. So GTFOBins, yep, it can be used to break out from restricted environments by spawning an interactive shell. That is exactly what I'm looking for.

00:10:19,610 --> 00:10:46,130
OK, so all I have to do is just run nmap --interactive and run exclamation mark sh, apparently. Let me try that. So I'm going to run nmap --interactive like this. So we are inside of that, OK, and I'm just going to run exclamation mark sh. So here we are, we are in an sh shell. Let me run whoami.

00:10:46,140 --> 00:11:08,690
And here we are, we are root. That worked because it has a special permission, nmap has a special permission, nmap has a SUID permission that has been given to us. It has been given to us. So we have to search for it. We have to look deep for it in order to find it, as you can see.

00:11:08,870 --> 00:11:33,830
And this works in real life scenarios, OK, because it happens all the time. Administrators give SUID access to regular users or some kind of developer users all the time, so that if you can leverage that, then it's OK, and you can even find it by Googling it. It's no big deal. So let me just locate the key.
00:11:33,830 --> 00:11:52,100
Let me just locate... how should we run this? ls -la. cd /root. Yeah. Here you go. key-3-of-3. So let me just cat key-3-of-3 over here, and here you go. We got the final flag over there, so that's great.

00:11:52,130 --> 00:12:31,040
As you can see, we managed to complete this CTF. And again, if you got confused by this SUID thingy, or if you got confused about finding alternatives like kernel exploits or any other ways of exploiting, or just finding some vulnerabilities to become root, then don't worry. As I said before, we're going to take a deep dive into that in a couple of sections. We're just going to have a section for Linux privilege escalation and a section for Windows privilege escalation as well, because they are very much different.

00:12:31,430 --> 00:13:05,990
But here we took advantage of SUID, and we found nmap can be run as root, and we executed some commands using that leverage. And here we are. We are root. OK, so Mr. Robot is kind of like maybe an intermediate kind of thing. So if you have previous cybersecurity experience, I believe you understood everything that has been going on over there. So, again, if you got confused at some point, don't worry.
00:13:06,260 --> 00:13:27,680
We're going to see how it works in the following sections. Now, we're going to stop here. And don't forget to take a note of that nmap --interactive thing as well. It may come in handy in the following sections or in your real life examples as well. So we're going to stop here and continue within the next section together.