1 00:00:00,540 --> 00:00:07,950 Hi, within this lecture, we're trying to finally become root, by the way, with the little things that we
2 00:00:07,950 --> 00:00:09,230 have gathered over here.
3 00:00:09,660 --> 00:00:14,190 So first of all, I'm going to try to see what kind of passwords they are.
4 00:00:14,550 --> 00:00:21,810 So we gathered some passwords in the previous lecture. So far here I'm admin, so I'm going to get the
5 00:00:21,810 --> 00:00:25,420 password over here to see what kind of users we have.
6 00:00:25,740 --> 00:00:34,680 We know we have root, but I don't believe those passwords belong to root because there were hints
7 00:00:34,680 --> 00:00:37,800 about fristigod and fristi themselves.
8 00:00:38,130 --> 00:00:42,510 So most probably one of them belongs to fristigod.
9 00:00:42,930 --> 00:00:46,500 And because we have seen this "who is your god now?"
10 00:00:47,130 --> 00:00:52,050 That's why I thought that this belonged to fristigod.
11 00:00:52,510 --> 00:00:54,810 Of course, we're going to try and see.
12 00:00:55,260 --> 00:00:55,730 Right.
13 00:00:55,740 --> 00:00:58,890 So we have gathered this password.
14 00:00:58,890 --> 00:01:02,630 We have gathered this hash over here and we decrypted it over there.
15 00:01:02,820 --> 00:01:06,840 So "let there be fristi" should be the password of fristigod.
16 00:01:07,080 --> 00:01:09,420 But we don't know. We're going to try and see.
17 00:01:09,420 --> 00:01:14,520 So I'm going to copy this one and come back over here, and I'm admin over there.
18 00:01:14,670 --> 00:01:18,390 So I'm going to run su fristigod and see what happens.
19 00:01:19,530 --> 00:01:22,680 It says that standard in must be a tty.
20 00:01:22,680 --> 00:01:25,860 So OK, so we don't have a shell over here.
21 00:01:25,890 --> 00:01:34,170 For some reason. I'm going to try and spawn a shell and then we can just try and run this one more time.
22 00:01:34,380 --> 00:01:36,290 So I'm going to open my notes over there.
23 00:01:36,630 --> 00:01:40,850 You know, the Python code that spawns a shell, import pty.
24 00:01:40,890 --> 00:01:41,400 pty.spawn.
25 00:01:41,880 --> 00:01:43,450 So I'm going to do that.
26 00:01:43,530 --> 00:01:48,420 OK, so let me just try this one or this one.
27 00:01:48,690 --> 00:01:54,690 You can try either with bash or sh, and if one doesn't work, the other might work.
28 00:01:55,020 --> 00:01:58,260 So I'm going to start with the sh over here.
29 00:01:58,840 --> 00:02:00,600 I believe we're in an sh shell.
30 00:02:00,600 --> 00:02:02,490 But let me try and see.
31 00:02:02,730 --> 00:02:07,590 OK, just make sure you pause the video if you don't have that already.
32 00:02:08,040 --> 00:02:12,780 So I'm going to come back over here and paste this thing in and,
33 00:02:12,870 --> 00:02:13,290 yep,
34 00:02:13,290 --> 00:02:14,460 let me paste the clip.
35 00:02:14,460 --> 00:02:16,410 Clipboard, or,
36 00:02:16,410 --> 00:02:17,180 yeah, here you go.
37 00:02:17,190 --> 00:02:19,230 OK, now I hit enter.
38 00:02:19,860 --> 00:02:26,100 It seems like it worked. So whoami, admin. Let's see, su fristigod.
39 00:02:26,940 --> 00:02:27,420 Here you go.
40 00:02:27,420 --> 00:02:29,400 It asks for a password, so it worked.
41 00:02:29,760 --> 00:02:33,240 So I'm going to come back here and take the password one more time.
42 00:02:33,480 --> 00:02:35,310 I'm going to copy this one.
43 00:02:35,850 --> 00:02:41,550 OK, come back here and paste the password in and hit enter.
44 00:02:41,790 --> 00:02:42,540 Here you go.
45 00:02:42,540 --> 00:02:46,170 Now we are presented with a bash, and if we run whoami,
46 00:02:46,200 --> 00:02:47,520 we are fristigod.
47 00:02:47,910 --> 00:02:50,640 So this is the third user that we are in.
48 00:02:51,000 --> 00:02:56,970 So if we run pwd, we are in /home/admin, so I'm going to go back.
49 00:02:57,750 --> 00:02:59,060 We cannot even run ls,
50 00:02:59,210 --> 00:03:00,930 I believe so.
51 00:03:00,930 --> 00:03:02,580 Let me run that, ls -la, over here.
52 00:03:02,580 --> 00:03:02,760 Yeah.
53 00:03:02,760 --> 00:03:03,330 Here you go.
54 00:03:03,600 --> 00:03:07,560 We have the fristigod directory over here.
55 00:03:07,560 --> 00:03:08,850 I'm going to cd into that.
56 00:03:09,180 --> 00:03:15,060 And if I run ls -la, uh, nothing seems to be here, in fact.
57 00:03:15,060 --> 00:03:22,050 So we have the .bash_logout, .bash_profile and .bashrc, but I don't think this will do much in our case.
58 00:03:22,350 --> 00:03:31,890 OK, so we're gonna have to use our standard procedure for privilege escalation, and be aware that within
59 00:03:31,890 --> 00:03:37,290 the next section, we're going to deep dive into privilege escalation and learn about a lot more
60 00:03:37,290 --> 00:03:41,280 techniques than we ever learned in this course.
61 00:03:41,280 --> 00:03:43,890 OK, we get to learn them one by one.
62 00:03:44,310 --> 00:03:47,760 But right now I'm just going to run find / -user fristigod
63 00:03:47,760 --> 00:03:52,530 to see what kind of files we have access to.
64 00:03:53,130 --> 00:03:58,500 OK, and as you can see, we can see all the permission denied over here.
65 00:03:58,740 --> 00:04:05,390 And it seems that we have a /var folder; we have a fristigod folder under the /var folder as well.
66 00:04:06,090 --> 00:04:10,970 So this is always a good idea, to see what kind of things we have access to.
67 00:04:11,490 --> 00:04:13,230 So I'm going to go into that folder.
68 00:04:13,530 --> 00:04:15,660 OK, and run ls -la.
69 00:04:16,140 --> 00:04:20,310 So as you can see, we have a .bash_history and a .secret_admin_stuff thingy.
70 00:04:20,640 --> 00:04:24,990 So I'm going to cat this out to see what kind of things we can do.
71 00:04:25,200 --> 00:04:31,350 So this .bash_history thing might have been more active than in real life as well.
72 00:04:31,800 --> 00:04:40,290 So I'm going to just cat this out to see what kind of commands have been executed by this user.
73 00:04:40,560 --> 00:04:49,920 So as you can see, the user previously executed ls, pwd, ls -lah and cd .secret_admin_stuff, and apparently
74 00:04:49,920 --> 00:04:51,720 .secret_admin_stuff is a folder.
75 00:04:52,140 --> 00:04:57,960 And inside that folder there is a doCom and a doCom test.
76 00:04:57,960 --> 00:04:59,940 So doCom should be an executable.
77 00:05:00,950 --> 00:05:10,790 So they have some kind of sudo thing going on over there, so maybe doCom is some kind of SUID
78 00:05:10,790 --> 00:05:12,640 binary like we have seen before.
79 00:05:12,910 --> 00:05:16,400 For example, over here we see that sudo -u fristi.
80 00:05:16,910 --> 00:05:20,420 So running this doCom as fristi.
81 00:05:20,430 --> 00:05:21,440 We are not fristi.
82 00:05:21,440 --> 00:05:22,400 We are fristigod.
83 00:05:22,790 --> 00:05:28,510 And it runs ls for every file on that server.
84 00:05:28,910 --> 00:05:34,460 And over here we see the sudo -u fristi /var/fristigod/.secret_admin_stuff/
85 00:05:34,460 --> 00:05:37,350 ./doCom ls, and exit.
86 00:05:38,000 --> 00:05:41,480 OK, so there is a binary called doCom.
87 00:05:41,480 --> 00:05:50,060 We are certain of that. We can execute it, and apparently we can run some kind of different things, like
88 00:05:50,480 --> 00:05:54,110 we can execute this doCom as another user.
89 00:05:54,320 --> 00:06:02,060 I don't know if we can execute this as root or some other user, or I don't know if this will help me if
90 00:06:02,060 --> 00:06:06,530 I can execute this as fristi, as in this case.
91 00:06:06,800 --> 00:06:09,230 OK, but it's worth a shot.
92 00:06:09,230 --> 00:06:09,710 Right?
93 00:06:10,130 --> 00:06:12,490 So I'm going to go into that folder.
94 00:06:12,800 --> 00:06:15,200 I didn't know that was a folder.
95 00:06:15,200 --> 00:06:16,520 I thought it was a file.
96 00:06:16,520 --> 00:06:20,210 So I'm going to just cd into that .secret_admin_stuff.
97 00:06:20,810 --> 00:06:26,930 So if we run ls -la, we see the doCom, and OK, so this belongs to root.
98 00:06:27,200 --> 00:06:34,190 So it really doesn't matter if we run this as root or if we run this as fristi or something like that,
99 00:06:34,190 --> 00:06:36,680 because it already belongs to root.
100 00:06:36,680 --> 00:06:41,290 And I believe we have a SUID permission over here.
101 00:06:41,630 --> 00:06:48,800 So again, in the next section we're going to talk about SUIDs in a lot more detail.
102 00:06:49,010 --> 00:06:52,670 OK, we have seen this in the Bandit section.
103 00:06:53,210 --> 00:07:00,350 Maybe you haven't understood it yet, at least the technicalities, but we're going to try and show you
104 00:07:00,350 --> 00:07:02,390 much more in the following section.
105 00:07:03,050 --> 00:07:09,610 So let me try to run this sudo -u fristi thingy and see if we can make it run.
106 00:07:09,890 --> 00:07:12,260 OK, so it asks for a password.
107 00:07:12,260 --> 00:07:17,570 Let me give the password, and it says that,
108 00:07:17,570 --> 00:07:18,680 so, try again.
109 00:07:18,680 --> 00:07:23,310 I believe we couldn't actually get the password for fristigod.
110 00:07:23,330 --> 00:07:29,060 Let me copy this one and come back here and paste the selection and enter.
111 00:07:29,360 --> 00:07:29,720 Yep.
112 00:07:29,720 --> 00:07:30,920 We can run this.
113 00:07:30,920 --> 00:07:41,000 As you can see, just for testing purposes I ran this sudo -u fristi ./doCom ls /. OK.
114 00:07:41,390 --> 00:07:45,110 We can run this as another user apparently.
115 00:07:45,830 --> 00:07:51,500 And in fact I really don't care about the another-user part at all, because what I have in mind is that
116 00:07:51,680 --> 00:07:58,610 I run this, executing a python reverse shell one more time, using this doCom executable.
117 00:07:59,180 --> 00:08:05,210 Since it belongs to root, we may get the chance to execute this as root and get a reverse
118 00:08:05,210 --> 00:08:07,130 callback from the root user.
119 00:08:07,430 --> 00:08:07,790 Right.
120 00:08:07,790 --> 00:08:10,340 So that's what we did previously.
121 00:08:10,550 --> 00:08:12,500 And now we're going to do the same thing.
122 00:08:12,500 --> 00:08:14,690 At least we will attempt to do the same thing.
123 00:08:15,230 --> 00:08:19,070 So I'm going to come over here to one of our tabs.
124 00:08:19,910 --> 00:08:25,460 I believe we have this python reverse shell code somewhere over here.
125 00:08:25,460 --> 00:08:25,760 Right.
126 00:08:25,760 --> 00:08:28,220 So I'm going to just try and find it.
127 00:08:28,550 --> 00:08:37,300 So I'm going to go into my /var/www/html folder because that's where we put the Python shell, right?
128 00:08:37,340 --> 00:08:37,730 Yep.
129 00:08:37,730 --> 00:08:38,420 Here you go.
130 00:08:38,750 --> 00:08:40,420 That's the thing that I'm looking for.
131 00:08:40,430 --> 00:08:48,620 So I'm going to nano into that, and I'm going to see my IP is correct, but I'm going to change the
132 00:08:48,620 --> 00:08:50,990 port because we are already using that.
133 00:08:51,170 --> 00:08:53,870 So I'm going to just make it 3333.
134 00:08:54,530 --> 00:08:56,450 So I'm going to download this.
135 00:08:56,450 --> 00:08:59,180 OK, so I'm going to start my Apache server.
136 00:08:59,510 --> 00:09:06,950 I'm going to download this from my Apache server and put it in a folder where I can just reach
137 00:09:06,950 --> 00:09:09,290 it, so that I can execute it
138 00:09:09,290 --> 00:09:10,130 with doCom.
139 00:09:10,830 --> 00:09:13,640 So I'm inside of .secret_admin_stuff.
140 00:09:14,060 --> 00:09:16,700 Let me try to just download it over here.
141 00:09:16,700 --> 00:09:20,300 If it doesn't work, I'm going to go into /tmp and do the same thing.
142 00:09:20,810 --> 00:09:22,820 So I'm going to download the python shell file,
143 00:09:22,820 --> 00:09:23,240 the .py.
144 00:09:23,960 --> 00:09:27,740 And let me try to hit enter.
145 00:09:27,740 --> 00:09:28,160 Yep.
146 00:09:28,160 --> 00:09:28,790 Here you go.
147 00:09:28,790 --> 00:09:29,390 It worked.
148 00:09:29,900 --> 00:09:32,480 So I have the python shell over here.
149 00:09:32,840 --> 00:09:40,040 So by using doCom, now I'm just going to do this thing over here, OK?
150 00:09:40,820 --> 00:09:47,960 I'm going to try and run the exact same command, but rather than ls, I'm going to, of course, try
151 00:09:47,990 --> 00:09:52,310 and run the python file that we have downloaded over here
152 00:09:52,310 --> 00:09:53,190 with doCom.
153 00:09:53,780 --> 00:09:59,600 So whether we choose fristi as a user over here or not, I don't know
154 00:09:59,680 --> 00:10:05,970 if it's going to make a difference, but I'm just going to try this. So I'm going to run /usr/bin/python,
155 00:10:05,980 --> 00:10:08,680 I know it exists because we have seen that before.
156 00:10:09,040 --> 00:10:15,580 And I'm going to run the /var, and there we are in the fristigod.
157 00:10:15,580 --> 00:10:15,970 Right.
158 00:10:16,270 --> 00:10:27,130 So /var/fristigod and .secret_admin_stuff and finally the python shell .py.
159 00:10:27,670 --> 00:10:32,080 So let's try and see if we can do this.
160 00:10:32,310 --> 00:10:40,840 OK, so it will run the doCom executable, so that we will get the chance to execute this with Python
161 00:10:40,840 --> 00:10:41,950 as the root user.
162 00:10:41,950 --> 00:10:45,490 And I don't know if this will work or not; we're going to see.
163 00:10:45,490 --> 00:10:53,410 So I'm going to listen on 3333 over here, and let me come back and hit enter,
164 00:10:54,070 --> 00:10:58,080 and let's see if it works or not.
165 00:10:58,420 --> 00:10:59,140 Here you go.
166 00:10:59,140 --> 00:11:02,120 We have a shell, so if I run whoami,
167 00:11:02,290 --> 00:11:04,330 we are finally root.
168 00:11:04,930 --> 00:11:06,810 So let me run pwd.
169 00:11:06,880 --> 00:11:13,180 Yep, we are in the .secret_admin_stuff, so I'm going to go back and let me run pwd.
170 00:11:13,190 --> 00:11:13,480 Yep.
171 00:11:13,480 --> 00:11:19,270 We are in root, so I'm going to go into the root folder and ls -la, and here you go.
172 00:11:19,270 --> 00:11:27,190 fristileaks_secrets.txt. You can cat that and get your precious flag over here.
173 00:11:27,190 --> 00:11:29,350 OK, so here you go.
174 00:11:29,350 --> 00:11:31,890 Congratulations on beating FristiLeaks.
175 00:11:32,650 --> 00:11:34,990 So this is our flag.
176 00:11:35,320 --> 00:11:44,920 So as you can see, it took a lot more to actually escalate our privileges than to actually hack into
177 00:11:44,920 --> 00:11:45,610 the server.
178 00:11:45,850 --> 00:11:48,760 So I believe this was a good gate,
179 00:11:48,760 --> 00:11:56,890 a good bridge, for our way into the escalation section, the privilege escalation section, because we're
180 00:11:56,890 --> 00:12:00,070 going to deep dive into them in the next section.
181 00:12:00,250 --> 00:12:10,120 OK, so the purpose of the CTF was to give you an idea about how hard this privilege escalation can
182 00:12:10,360 --> 00:12:17,650 get during practice and during real pentesting. We're going to deal with those in the upcoming section,
183 00:12:17,650 --> 00:12:19,750 which is privilege escalation.