1
00:00:00,720 --> 00:00:07,440
Hi, within this lecture, we're going to see what we can do to escalate our privileges because we are

2
00:00:07,440 --> 00:00:14,190
currently in the server as user Apache and we're going to see what we can do to make our way up.

3
00:00:14,670 --> 00:00:19,980
So what I'm going to do, I'm going to, of course, Kathy, password to be starting.

4
00:00:20,340 --> 00:00:23,310
OK, and here we have the route, of course.

5
00:00:23,790 --> 00:00:27,230
And let's see what we can see over here.

6
00:00:27,240 --> 00:00:33,840
We have the Apache, which is where we are currently m and we have is Epizyme.

7
00:00:33,840 --> 00:00:36,570
And we have quite various users over here.

8
00:00:36,570 --> 00:00:38,190
Like we have easy peasy.

9
00:00:38,430 --> 00:00:45,380
We have admin, we have free God and we have frisee itself.

10
00:00:45,870 --> 00:00:50,970
So I don't know, maybe we are going to see every one of those.

11
00:00:50,970 --> 00:00:57,260
Maybe we're going to just jump right into some of those and make our way up from there.

12
00:00:57,630 --> 00:01:02,940
So I'm going to cut that issue to see if we get any kind of description over here.

13
00:01:03,390 --> 00:01:08,310
So NUPE, we just see the goal and the IP address over there.

14
00:01:09,060 --> 00:01:13,790
So let's see what else we can get over here.

15
00:01:14,160 --> 00:01:20,240
So I'm going to try to go into the users, OK?

16
00:01:20,730 --> 00:01:22,470
And let me see where we are.

17
00:01:22,470 --> 00:01:24,840
We are in the route right now.

18
00:01:24,840 --> 00:01:30,450
If we run L.A., we can see the current folders and files that are available to us.

19
00:01:31,470 --> 00:01:33,390
Let's see if we can go to route.

20
00:01:33,600 --> 00:01:35,160
I'm going to succeed route.

21
00:01:35,160 --> 00:01:37,140
Of course, we cannot do that.

22
00:01:37,480 --> 00:01:42,000
OK, maybe we can go to some other users folder.

23
00:01:42,000 --> 00:01:44,610
Maybe we can find some kind of lead over there.

24
00:01:44,940 --> 00:01:46,320
So I'm going to go to home.

25
00:01:46,680 --> 00:01:51,660
And as you can see in the home, we have admin, easy peasy and foresty got.

26
00:01:52,020 --> 00:01:54,840
So I'm going to go into admin, OK?

27
00:01:54,870 --> 00:01:56,070
I cannot do that.

28
00:01:56,250 --> 00:01:58,200
I'm going to go into easy peasy.

29
00:01:58,590 --> 00:01:59,460
And here you go.

30
00:01:59,460 --> 00:02:00,510
We can't do that.

31
00:02:00,870 --> 00:02:08,340
And if we run, unless we have a lot of files and folders over here, apparently, OK, we have make

32
00:02:08,340 --> 00:02:08,960
dive.

33
00:02:09,990 --> 00:02:13,790
We have let me run the SLA and see it in a better way.

34
00:02:14,550 --> 00:02:22,980
So over here in the easy peasy, we have some kind of hidden files and folders over here, OK?

35
00:02:23,430 --> 00:02:28,800
And we have, I believe, some kind of binaries as well, like S.H., more charm.

36
00:02:29,280 --> 00:02:39,600
And let's see, we have Nano and yeah, we have not stopped Steve, which is good because we can read

37
00:02:39,600 --> 00:02:44,040
it, I believe looking for the I'm looking for permissions.

38
00:02:44,460 --> 00:02:48,150
I'm going to get the notes that text and here you go.

39
00:02:48,150 --> 00:02:52,680
It says, Yoaz, I made it possible for you to do some automated checks.

40
00:02:53,250 --> 00:03:01,500
I did only I love your access to user been system binaries so we can run some binaries in the user folder,

41
00:03:01,500 --> 00:03:02,220
which is good.

42
00:03:02,820 --> 00:03:10,280
I did we were a copy a few extra often needed comments to my home directory, which is S.H. Mode, the

43
00:03:10,380 --> 00:03:14,490
F cat and copes crap and so many more.

44
00:03:14,730 --> 00:03:15,540
Great.

45
00:03:16,200 --> 00:03:23,130
Don't forget to specify the full path for each binary so we can actually use those binaries in order

46
00:03:23,130 --> 00:03:24,680
to create a reverse shuttle.

47
00:03:24,690 --> 00:03:31,860
I believe and we have a big tip over here, he says that just put a file called Run This in the temp,

48
00:03:32,100 --> 00:03:35,700
OK, each line within one comment.

49
00:03:35,700 --> 00:03:38,590
So we have to specify our wine line.

50
00:03:38,610 --> 00:03:46,110
You're over here to run those binaries, as far as I understand, so we can run around some binaries

51
00:03:46,110 --> 00:03:50,790
as admin user, but we have to create a file in order to do that.

52
00:03:51,270 --> 00:03:54,360
But we cannot KDA into that folder.

53
00:03:54,360 --> 00:04:03,480
So I believe we're going to have to see what kind of things we have over there by running an SLA or

54
00:04:03,480 --> 00:04:04,410
something like that.

55
00:04:04,410 --> 00:04:09,030
Let's see if we can check the notes that using this.

56
00:04:09,330 --> 00:04:11,010
Nope, we cannot do that.

57
00:04:11,010 --> 00:04:17,820
Even though they copy these binaries into the admin folder, we cannot directly reach it.

58
00:04:18,150 --> 00:04:20,700
We cannot write directly execute them.

59
00:04:20,970 --> 00:04:29,100
So if we could have done that, then it would make our way easier because we can run some binary commands

60
00:04:29,400 --> 00:04:33,660
and but there is a way to do that.

61
00:04:33,660 --> 00:04:39,810
It says I just put a file called Run This into AMPE and each Lemont each line.

62
00:04:39,810 --> 00:04:44,550
Should one include the one comment, then the output goes to the file.

63
00:04:44,550 --> 00:04:49,840
Crohn result in the temp and it should run every minute with my account privileges.

64
00:04:49,860 --> 00:04:52,620
So there is a chrome tab going on over here.

65
00:04:52,620 --> 00:04:59,940
Cron job, OK, and in that cron job it runs the run this file every minute.

66
00:05:00,620 --> 00:05:08,270
And if we can specify a one liner over there to run a binary and privilege escalator's privilege mode,

67
00:05:08,540 --> 00:05:14,030
then we can get a reversion back to us, then we can be admin user.

68
00:05:14,180 --> 00:05:18,800
I don't know if it will lead us to the root, but most probably it will.

69
00:05:19,010 --> 00:05:25,960
And its administrator user, maybe we can actually go into the root by not doing so many things later

70
00:05:25,970 --> 00:05:26,360
on.

71
00:05:26,870 --> 00:05:27,400
Right.

72
00:05:27,770 --> 00:05:32,120
So I'm going to do exactly like instructed over here.

73
00:05:32,420 --> 00:05:39,740
First of all, I'm going to see what kind of binaries under the user bin to see if we can run Python,

74
00:05:39,750 --> 00:05:40,640
for example.

75
00:05:42,020 --> 00:05:44,150
Let me see if we can run Python.

76
00:05:44,660 --> 00:05:45,380
And here you go.

77
00:05:45,380 --> 00:05:51,340
I lost the show and of course, in order to gain the show, I'm going to run an agency and we Alpay

78
00:05:51,350 --> 00:05:52,970
one to two for one more time.

79
00:05:53,360 --> 00:06:02,000
And I'm going to have to go into the Firefox and run this version one more time and let's see if we

80
00:06:02,000 --> 00:06:03,560
can get this over here.

81
00:06:03,560 --> 00:06:13,140
So 10 to 16 and CYO uploads shelled out PMG or that PMG.

82
00:06:13,580 --> 00:06:14,260
Here you go.

83
00:06:14,300 --> 00:06:15,410
I believe it works.

84
00:06:15,470 --> 00:06:15,850
Here you go.

85
00:06:15,870 --> 00:06:17,300
I have to you one more time.

86
00:06:17,810 --> 00:06:18,530
So great.

87
00:06:18,650 --> 00:06:21,290
I don't know if we have the python or not.

88
00:06:21,710 --> 00:06:29,010
So I'm going to run unless and I'm going to go to the home folder one more time and into the easy peasy

89
00:06:29,900 --> 00:06:32,030
to see that node one more time.

90
00:06:32,240 --> 00:06:33,700
I'm going to run Al-Saleh SLA.

91
00:06:33,980 --> 00:06:34,790
Here you go.

92
00:06:35,150 --> 00:06:38,900
I'm going to get the NATO xda and here we are.

93
00:06:39,230 --> 00:06:44,180
So far I tried to see if we have Python over here and I failed to do that.

94
00:06:44,180 --> 00:06:47,480
So we're going to have to take a different result over here.

95
00:06:48,080 --> 00:06:55,700
And first of all, I'm really I really need to see what kind of think that I should put into the run

96
00:06:55,700 --> 00:06:56,480
this file.

97
00:06:56,690 --> 00:07:02,780
So I'm going to try and let's allow into this user and see what kind of things that we have over there,

98
00:07:03,230 --> 00:07:03,890
OK?

99
00:07:04,370 --> 00:07:11,700
And we're going to try and if we can have a python running over here, then we're going to try that.

100
00:07:12,260 --> 00:07:19,490
So what I'm going to do, I'm going to unless I play into the user bin and see all the available binaries

101
00:07:19,580 --> 00:07:20,220
for me.

102
00:07:20,270 --> 00:07:21,920
So right away.

103
00:07:22,220 --> 00:07:26,500
And user slash bin, here you go.

104
00:07:26,540 --> 00:07:29,030
I believe we managed to see that.

105
00:07:29,030 --> 00:07:32,090
And we have a lot of things going on over here.

106
00:07:32,090 --> 00:07:36,140
As you can see, we have a lot of binaries inside of our server.

107
00:07:36,680 --> 00:07:42,170
And I think we should do grep because it will take some time to find it from here.

108
00:07:42,170 --> 00:07:50,780
So I'm going to say, unless L-A user bin and I'm going to pipe this into the grep and I'm going to

109
00:07:50,780 --> 00:07:54,350
grab the python and here we have the python.

110
00:07:54,530 --> 00:08:01,520
I believe we only have Python two, but it's OK, right, because we have the reverse scale codes for

111
00:08:01,520 --> 00:08:03,980
Python two independent monkey.

112
00:08:04,250 --> 00:08:06,050
We can take leverage of that.

113
00:08:06,380 --> 00:08:15,650
And if we can make this work, then I can just create a ram this file as they use the python and just

114
00:08:15,800 --> 00:08:18,610
execute this file, for example.

115
00:08:18,620 --> 00:08:26,030
OK, so I'm going to go for the Panthers monkey one more time and I'm going to search for Python reverse

116
00:08:26,030 --> 00:08:28,340
Shokichi like we have done before.

117
00:08:28,640 --> 00:08:30,560
I'm going to open the Panthers monkey.

118
00:08:31,190 --> 00:08:36,980
And if you cannot go into the Panthers monkey, by the way, you can just use what I'm using.

119
00:08:37,340 --> 00:08:39,440
You can just type the python comments.

120
00:08:39,920 --> 00:08:41,330
I believe you right now.

121
00:08:41,330 --> 00:08:43,700
You see how this works.

122
00:08:43,730 --> 00:08:52,850
OK, so let's open a new tab and do this in the local and we can just do this under the free folder.

123
00:08:52,970 --> 00:08:58,640
I'm going to open and now Python shall dot p y over here.

124
00:08:58,670 --> 00:09:01,340
OK, so I'm going to paste this thing in.

125
00:09:01,760 --> 00:09:07,400
And since this is a one liner, we can just put this in there on this folder as well, but it won't

126
00:09:07,400 --> 00:09:11,020
know how to run the python from the user binaries.

127
00:09:11,020 --> 00:09:18,650
So what I'm going to do, I'm just going to turn this into a regular python called, as we have done

128
00:09:18,650 --> 00:09:19,300
before.

129
00:09:19,340 --> 00:09:27,110
OK, I'm going to import the library's SOCAP subprocess and the operating system libraries over here.

130
00:09:27,290 --> 00:09:31,490
So I'm going to define the Zucchet as s.

131
00:09:31,490 --> 00:09:35,030
So this is how the circuit works, as you might remember.

132
00:09:35,540 --> 00:09:38,720
And over here, I'm just going to give my own IP address.

133
00:09:38,960 --> 00:09:43,190
And we need to change the port here as well, because we have used the one, two, three, four.

134
00:09:43,310 --> 00:09:49,370
I'm going to make it Phi Phi Phi Phi Phi, but you can just use any port that you want that is not in

135
00:09:49,370 --> 00:09:50,360
currently use.

136
00:09:50,370 --> 00:09:58,400
OK, so I'm coming over here to delete the semicolons because we don't need them in the regular python

137
00:09:58,400 --> 00:09:58,940
code.

138
00:09:59,680 --> 00:10:00,710
And here you go.

139
00:10:00,970 --> 00:10:06,380
So it will give us some as a child and I'm going to delete those things as well.

140
00:10:06,580 --> 00:10:07,450
So here you go.

141
00:10:07,480 --> 00:10:08,950
Our Python code is ready.

142
00:10:08,950 --> 00:10:13,030
If you want, you can just post this video and write it on your own.

143
00:10:13,030 --> 00:10:17,040
Make sure you write exactly like what you have seen over there.

144
00:10:17,620 --> 00:10:19,200
So let me get this.

145
00:10:19,210 --> 00:10:20,030
And here you go.

146
00:10:20,380 --> 00:10:31,600
So I'm going to take this and put it into my Web server over here, OK, in my user var e-mail folder.

147
00:10:31,600 --> 00:10:36,400
So wah wah slash double level W and slash HTML.

148
00:10:37,030 --> 00:10:38,730
So this copy that thing.

149
00:10:38,740 --> 00:10:43,790
So I'm going to run my Pache server like we have done before.

150
00:10:44,170 --> 00:10:48,960
So I have a python child up in my Pache server.

151
00:10:49,090 --> 00:10:54,460
So what I'm going to do, I'm going to just use we get over here and as you can see we have the we yet.

152
00:10:54,820 --> 00:11:02,240
So I'm going to go on the stamp because that's where we should actually execute this, as you can see

153
00:11:02,240 --> 00:11:02,890
in the top.

154
00:11:02,920 --> 00:11:08,350
We don't have anything right now, but we're going to have soon if I run this correct.

155
00:11:08,620 --> 00:11:17,290
So we get HTP or too far for me and write your own IP address over here in order to test this and just

156
00:11:17,290 --> 00:11:19,630
write the thing that you have just copied.

157
00:11:19,840 --> 00:11:20,970
And here you go.

158
00:11:21,010 --> 00:11:27,560
I managed to download the Python shell in my server, so I'm going to run this cat.

159
00:11:27,850 --> 00:11:28,800
And here you go.

160
00:11:29,110 --> 00:11:30,700
We have the python shell.

161
00:11:31,090 --> 00:11:37,570
So rather than trying to run this python shall over here, we can actually run this by Dongzhou right

162
00:11:37,570 --> 00:11:37,870
now.

163
00:11:37,870 --> 00:11:45,580
But it will give us the shell, but it will give us the shell as the current user that we are in, as

164
00:11:45,580 --> 00:11:52,300
in I believe we are in the Apache user in order to get this in a privileged way, in an escalated privileged

165
00:11:52,300 --> 00:12:00,520
way, we need to make this run with the current job it was talking about so that it can run as admin

166
00:12:00,520 --> 00:12:00,960
user.

167
00:12:01,810 --> 00:12:05,560
So what we are going to do, we're going to do as instructed before.

168
00:12:05,590 --> 00:12:11,670
We're going to have to create a run this file and in that run this file, we have to specify something.

169
00:12:11,680 --> 00:12:17,630
So in order to do that, I'm going to just run echo and say user being Python.

170
00:12:17,680 --> 00:12:25,630
OK, so it's going to use the python over here under the user bin folder and it's going to execute the

171
00:12:25,630 --> 00:12:30,310
top python shell that pivo and don't forget to place a space between them.

172
00:12:30,790 --> 00:12:34,540
And I'm going to put this into a file called Run This.

173
00:12:34,540 --> 00:12:39,520
And since we are currently in the TMP folder, we can just execute this over here.

174
00:12:39,910 --> 00:12:41,740
OK, I'm going to run this.

175
00:12:41,900 --> 00:12:44,170
It will be run within one minute.

176
00:12:44,170 --> 00:12:46,600
I believe, as you can see, if you run it, let's play.

177
00:12:46,600 --> 00:12:52,690
We can see this if you're on Ketron this, it will just run this command and it also complies with the

178
00:12:52,690 --> 00:12:55,080
one line rule as well.

179
00:12:55,390 --> 00:12:59,470
So I'm going to say and can we help Phi Phi Phi Phi Phi over here?

180
00:12:59,800 --> 00:13:03,760
And within one minute it should get executed.

181
00:13:04,090 --> 00:13:06,550
OK, let me run it one more time.

182
00:13:06,730 --> 00:13:13,150
As you can see, this will create something called, I believe, result chrome or something like that.

183
00:13:13,330 --> 00:13:20,950
And once we see that it will it will mean that it gets it gets executed in a regular way.

184
00:13:21,160 --> 00:13:24,400
Let's see how this thing was called.

185
00:13:24,400 --> 00:13:32,770
Let me come over here to top and see if we can get the note back and it will pass some time as well.

186
00:13:32,770 --> 00:13:33,550
Here you go.

187
00:13:33,880 --> 00:13:41,110
Yeah, it will just create a file called Chrome Result, OK, in the TMB.

188
00:13:41,110 --> 00:13:44,890
So if you see the chrome result, it means that it got executed.

189
00:13:45,610 --> 00:13:48,790
So this is not a rule in a regular server.

190
00:13:48,850 --> 00:13:51,790
This is the rule that others CTF made possible.

191
00:13:51,790 --> 00:13:52,120
Right.

192
00:13:52,420 --> 00:13:54,220
So if I run, I was like, here you go.

193
00:13:54,250 --> 00:13:55,420
You see the chrome result.

194
00:13:55,600 --> 00:13:57,250
Let me go back and here you go.

195
00:13:57,250 --> 00:13:59,200
We have the S.H. Show.

196
00:13:59,440 --> 00:14:01,060
So if you're on, who am I?

197
00:14:01,060 --> 00:14:03,040
We are admin right now.

198
00:14:03,430 --> 00:14:11,080
So we managed to become admin, but I believe we are not currently Ruzzo, so we cannot go and be rude

199
00:14:11,380 --> 00:14:12,220
directly.

200
00:14:12,400 --> 00:14:14,860
So let me get the ATSE password over.

201
00:14:14,860 --> 00:14:16,510
Here we are.

202
00:14:16,810 --> 00:14:19,000
We can see the route, we can see the admin.

203
00:14:19,150 --> 00:14:22,000
But there are some couple of other users here as well.

204
00:14:22,120 --> 00:14:27,760
So we might take a look at those ones as well in the upcoming lecture.