1
00:00:00,540 --> 00:00:07,950
Hi, within this lecture, we're trying to finally become rude, by the way, little things that we

2
00:00:07,950 --> 00:00:09,230
have gathered over here.

3
00:00:09,660 --> 00:00:14,190
So first of all, I'm going to try to see what kind of passwords they are.

4
00:00:14,550 --> 00:00:21,810
So we gathered some passwords in the previous lecture so far here I'm admin, so I'm going to get the

5
00:00:21,810 --> 00:00:25,420
password over here to see what kind of users we have.

6
00:00:25,740 --> 00:00:34,680
We know we have route, but I don't believe those passwords belong to root because there were hints

7
00:00:34,680 --> 00:00:37,800
about free Østergaard and free Steed themselves.

8
00:00:38,130 --> 00:00:42,510
So most probably one of them belongs to Foresty Gut.

9
00:00:42,930 --> 00:00:46,500
And because we have seen this, who's your guard now?

10
00:00:47,130 --> 00:00:52,050
That's why I thought that this belonged to Freaks Foresty Guts.

11
00:00:52,510 --> 00:00:54,810
Of course, we're going to try and see.

12
00:00:55,260 --> 00:00:55,730
Right.

13
00:00:55,740 --> 00:00:58,890
So we have gathered this password.

14
00:00:58,890 --> 00:01:02,630
We have gethers hash over here and we decrypted it over there.

15
00:01:02,820 --> 00:01:06,840
So let there be foresty should be the password of the foresty gut.

16
00:01:07,080 --> 00:01:09,420
But we don't know where you're going to try and see.

17
00:01:09,420 --> 00:01:14,520
So I'm going to copy this one and come back over here and I'm admin over there.

18
00:01:14,670 --> 00:01:18,390
So I'm going to run Supriyadi Gut and see what happens.

19
00:01:19,530 --> 00:01:22,680
It says that standard in must be a twice.

20
00:01:22,680 --> 00:01:25,860
So OK, so we don't have a shadow over here.

21
00:01:25,890 --> 00:01:34,170
For some reason I'm going to try and spawn a show and then we can just try and run this one more time.

22
00:01:34,380 --> 00:01:36,290
So I'm going to open my notes over there.

23
00:01:36,630 --> 00:01:40,850
You know, the Python code that spawns I shall importunity.

24
00:01:40,890 --> 00:01:41,400
Why?

25
00:01:41,880 --> 00:01:43,450
So I'm going to do that.

26
00:01:43,530 --> 00:01:48,420
OK, so let me just try this one or this one.

27
00:01:48,690 --> 00:01:54,690
You can try either with Basche or S.H. and if it one doesn't work, the other might work.

28
00:01:55,020 --> 00:01:58,260
So I'm going to start with the S h over here.

29
00:01:58,840 --> 00:02:00,600
I believe you're in and I show.

30
00:02:00,600 --> 00:02:02,490
But let me try and see.

31
00:02:02,730 --> 00:02:07,590
OK, just make sure you post the video if you don't have that already.

32
00:02:08,040 --> 00:02:12,780
So I'm going to come back over here and paste this thing in and.

33
00:02:12,870 --> 00:02:13,290
Yep.

34
00:02:13,290 --> 00:02:14,460
Let me paste the clip.

35
00:02:14,460 --> 00:02:16,410
Clipboard or.

36
00:02:16,410 --> 00:02:17,180
Yeah, here you go.

37
00:02:17,190 --> 00:02:19,230
OK, now I hit enter.

38
00:02:19,860 --> 00:02:26,100
It seems like it's worked so well where my admin Lizzi Sue Foresty got.

39
00:02:26,940 --> 00:02:27,420
Here you go.

40
00:02:27,420 --> 00:02:29,400
It asks for a password so it worked.

41
00:02:29,760 --> 00:02:33,240
So I'm going to come back here and take the password one more time.

42
00:02:33,480 --> 00:02:35,310
I'm going to copy this one.

43
00:02:35,850 --> 00:02:41,550
OK, come back here and paste the password in and hit enter.

44
00:02:41,790 --> 00:02:42,540
Here you go.

45
00:02:42,540 --> 00:02:46,170
Now we are presented with a bash and if you're on, where am I?

46
00:02:46,200 --> 00:02:47,520
We are foresty got.

47
00:02:47,910 --> 00:02:50,640
So this is the third user that we are in.

48
00:02:51,000 --> 00:02:56,970
So if you're on PVD, we are in the home admin so I'm going to go back.

49
00:02:57,750 --> 00:02:59,060
We cannot even run.

50
00:02:59,210 --> 00:03:00,930
I said I believe so.

51
00:03:00,930 --> 00:03:02,580
Let me run that literally over here.

52
00:03:02,580 --> 00:03:02,760
Yeah.

53
00:03:02,760 --> 00:03:03,330
Here you go.

54
00:03:03,600 --> 00:03:07,560
We have the CD Foresty Free Stick got for directory over here.

55
00:03:07,560 --> 00:03:08,850
I'm going to CD into that.

56
00:03:09,180 --> 00:03:15,060
And if I on that SLA, uh, nothing seems to be here in fact.

57
00:03:15,060 --> 00:03:22,050
So we have the best logout profile in Benghazi, but I don't think this will do much in our case.

58
00:03:22,350 --> 00:03:31,890
OK, so we're gonna have to use our standard procedure for privileged escalation and be very that within

59
00:03:31,890 --> 00:03:37,290
the next section, we're going to deep dive into the privileged escalation and learn about a lot more

60
00:03:37,290 --> 00:03:41,280
techniques than that we than we ever learned in this course.

61
00:03:41,280 --> 00:03:43,890
OK, we get to learn one by one.

62
00:03:44,310 --> 00:03:47,760
But right now I'm just going to run fine slash user frisee.

63
00:03:47,760 --> 00:03:52,530
Got to see what kind of files do we have access to.

64
00:03:53,130 --> 00:03:58,500
OK, and as you can see, we can see all the permission denied over here.

65
00:03:58,740 --> 00:04:05,390
And it seems that we have a VAR folder, we have a free Steagles folder under var folder as well.

66
00:04:06,090 --> 00:04:10,970
So this is always a good idea to see what kind of things that we have access to.

67
00:04:11,490 --> 00:04:13,230
So I'm going to go into that folder.

68
00:04:13,530 --> 00:04:15,660
OK, Arendelle, that's L.A..

69
00:04:16,140 --> 00:04:20,310
So as you can see, we have a basic story and a secret admin stuff thingy.

70
00:04:20,640 --> 00:04:24,990
So I'm going to get this out to see what kind of things can we do.

71
00:04:25,200 --> 00:04:31,350
So this historic thing is might have been more active than in real life as well.

72
00:04:31,800 --> 00:04:40,290
So I'm going to just get this out to see what kind of comments that have been executed on this user.

73
00:04:40,560 --> 00:04:49,920
So as you can see, user previously executed, LSP, DNS, LJH and CD script admin stuff and apparently

74
00:04:49,920 --> 00:04:51,720
admin stuff is a folder.

75
00:04:52,140 --> 00:04:57,960
And inside of that folder there is a do come and do Comtesse.

76
00:04:57,960 --> 00:04:59,940
So dukedom should be an executable.

77
00:05:00,950 --> 00:05:10,790
So they have some kind of pseudo thing is going on over there, so maybe do call me some kind of stupid

78
00:05:10,790 --> 00:05:12,640
binary like we have seen before.

79
00:05:12,910 --> 00:05:16,400
For example, over here we see that pseudo you foresty.

80
00:05:16,910 --> 00:05:20,420
So running this do come as free, Steve.

81
00:05:20,430 --> 00:05:21,440
We are not free, Steve.

82
00:05:21,440 --> 00:05:22,400
Are free to God.

83
00:05:22,790 --> 00:05:28,510
And it runs, alas, for every file on that server.

84
00:05:28,910 --> 00:05:34,460
And over here we see the pseudo you free the free Seagate's secret admin stuff.

85
00:05:34,460 --> 00:05:37,350
Neukom Ellas and exit.

86
00:05:38,000 --> 00:05:41,480
OK, so there is a binary called Do Come.

87
00:05:41,480 --> 00:05:50,060
We are certain of that we can execute it and apparently we can run some kind of different things like

88
00:05:50,480 --> 00:05:54,110
we can execute this dukedom is another user.

89
00:05:54,320 --> 00:06:02,060
I don't know if we can execute this route or some other user or I don't know if this will help me if

90
00:06:02,060 --> 00:06:06,530
I can execute this free steep as in this case.

91
00:06:06,800 --> 00:06:09,230
OK, but it's worth a shot.

92
00:06:09,230 --> 00:06:09,710
Right?

93
00:06:10,130 --> 00:06:12,490
So I'm going to go into that folder.

94
00:06:12,800 --> 00:06:15,200
I didn't know that was a folder.

95
00:06:15,200 --> 00:06:16,520
I thought it was a file.

96
00:06:16,520 --> 00:06:20,210
So I'm going to just CD into that Scribd admin stuff.

97
00:06:20,810 --> 00:06:26,930
So if we groundlessly we see to do come and OK, so this belongs to root.

98
00:06:27,200 --> 00:06:34,190
So it really doesn't matter if we run this as root or if we run this as foresty or something like that

99
00:06:34,190 --> 00:06:36,680
because it already belongs to root.

100
00:06:36,680 --> 00:06:41,290
If and I believe we have an issue, I'd permission over here.

101
00:06:41,630 --> 00:06:48,800
So again, in the next section we're going to talk about acid's in a lot more detail.

102
00:06:49,010 --> 00:06:52,670
OK, we have seen this in the Bendit section.

103
00:06:53,210 --> 00:07:00,350
Maybe you haven't understood yet, at least the technicalities, but we're going to try and show you

104
00:07:00,350 --> 00:07:02,390
much more in the following section.

105
00:07:03,050 --> 00:07:09,610
So let me try to run this shuto, you free tingay and see if we can make it run.

106
00:07:09,890 --> 00:07:12,260
OK, so it asks for a password.

107
00:07:12,260 --> 00:07:17,570
Let me give the password and it says that.

108
00:07:17,570 --> 00:07:18,680
So try again.

109
00:07:18,680 --> 00:07:23,310
I believe we couldn't actually get the password for the free God.

110
00:07:23,330 --> 00:07:29,060
Let me copy this one and come back here and paste the selection and enter.

111
00:07:29,360 --> 00:07:29,720
Yep.

112
00:07:29,720 --> 00:07:30,920
We can run this.

113
00:07:30,920 --> 00:07:41,000
As you can see, I have for just testing purposes I ran these pseudo you free do come slashed you OK.

114
00:07:41,390 --> 00:07:45,110
We can run this as another user apparently.

115
00:07:45,830 --> 00:07:51,500
And in fact I really don't care about the another user part at all because what I have in mind is that

116
00:07:51,680 --> 00:07:58,610
I run this executing a python reverse shell one more time, using this do come executable.

117
00:07:59,180 --> 00:08:05,210
Since it belongs to root, it may we may get the chance to execute this as a root and get a reverse

118
00:08:05,210 --> 00:08:07,130
callback from root user.

119
00:08:07,430 --> 00:08:07,790
Right.

120
00:08:07,790 --> 00:08:10,340
So that's what we did in previously.

121
00:08:10,550 --> 00:08:12,500
And now we're going to do the same thing.

122
00:08:12,500 --> 00:08:14,690
At least we will attempt to do the same thing.

123
00:08:15,230 --> 00:08:19,070
So I'm going to come over here to one of our tabs.

124
00:08:19,910 --> 00:08:25,460
I believe we have this python called a reverse charcoaled somewhere over here.

125
00:08:25,460 --> 00:08:25,760
Right.

126
00:08:25,760 --> 00:08:28,220
So I'm going to just try and find it.

127
00:08:28,550 --> 00:08:37,300
So I'm going to go into my var w-w HDMI folder because that's where we put the Python shield up, right?

128
00:08:37,340 --> 00:08:37,730
Yep.

129
00:08:37,730 --> 00:08:38,420
Here you go.

130
00:08:38,750 --> 00:08:40,420
That's the thing that I'm looking for.

131
00:08:40,430 --> 00:08:48,620
So I'm going to not go into that and I'm going to see my IP is correct, but I'm going to change the

132
00:08:48,620 --> 00:08:50,990
port because we are already using that.

133
00:08:51,170 --> 00:08:53,870
So I'm going to just make it three three three three.

134
00:08:54,530 --> 00:08:56,450
So I'm going to download this.

135
00:08:56,450 --> 00:08:59,180
OK, so I'm going to start my Pache server.

136
00:08:59,510 --> 00:09:06,950
I'm going to download this from my Apache server and put it in a in a folder where I can just reach

137
00:09:06,950 --> 00:09:09,290
it so that I can execute it.

138
00:09:09,290 --> 00:09:10,130
We do come.

139
00:09:10,830 --> 00:09:13,640
So I'm inside of secret admin stuff.

140
00:09:14,060 --> 00:09:16,700
Let me try to just download over here.

141
00:09:16,700 --> 00:09:20,300
If it doesn't work, I'm going to go into the temp and do the same thing.

142
00:09:20,810 --> 00:09:22,820
So I'm going to say Python held up.

143
00:09:22,820 --> 00:09:23,240
Why?

144
00:09:23,960 --> 00:09:27,740
And let me try to hit enter.

145
00:09:27,740 --> 00:09:28,160
Yep.

146
00:09:28,160 --> 00:09:28,790
Here you go.

147
00:09:28,790 --> 00:09:29,390
It worked.

148
00:09:29,900 --> 00:09:32,480
So I have the python scale over here.

149
00:09:32,840 --> 00:09:40,040
So by using do come now I'm just going to do the do this thing over here, OK?

150
00:09:40,820 --> 00:09:47,960
I'm going to try and run the exact same comment, but rather than less, I'm going to of course, try

151
00:09:47,990 --> 00:09:52,310
and run the python file that we have downloaded over here.

152
00:09:52,310 --> 00:09:53,190
We do come.

153
00:09:53,780 --> 00:09:59,600
So whether we choose the stuff as a user over here or not, I don't know.

154
00:09:59,680 --> 00:10:05,970
He was going to make a difference, but I'm just going to try this, so I'm going to run user in Python,

155
00:10:05,980 --> 00:10:08,680
I know it exists because we have seen that before.

156
00:10:09,040 --> 00:10:15,580
And I'm going to run the VA and there we are in the Foresty.

157
00:10:15,580 --> 00:10:15,970
Right.

158
00:10:16,270 --> 00:10:27,130
So Foresty got and a DOD secret admin stuff and finally the python shell that PEEVEY.

159
00:10:27,670 --> 00:10:32,080
So let's try and see if we can do this.

160
00:10:32,310 --> 00:10:40,840
OK, so it will run the do come executable and so that we will get the chance to execute this with Python

161
00:10:40,840 --> 00:10:41,950
as route user.

162
00:10:41,950 --> 00:10:45,490
And I don't know how this will work or not what we're going to see.

163
00:10:45,490 --> 00:10:53,410
So I'm going to listen D for three, two, three, three over here and let me come back and hit, enter

164
00:10:54,070 --> 00:10:58,080
and let's see if it works or not.

165
00:10:58,420 --> 00:10:59,140
Here you go.

166
00:10:59,140 --> 00:11:02,120
We have on this a show so if I run who am I.

167
00:11:02,290 --> 00:11:04,330
We are finally rude.

168
00:11:04,930 --> 00:11:06,810
So let me run the.

169
00:11:06,880 --> 00:11:13,180
Yep we are in the secret admin stuff so I'm going to go back and let me repeatably.

170
00:11:13,190 --> 00:11:13,480
Yep.

171
00:11:13,480 --> 00:11:19,270
We are in rude so I'm going to interrupt Falder and Leslie and here you go.

172
00:11:19,270 --> 00:11:27,190
Freestar leaks secrets that texte you can catch that and get your precious flag over here.

173
00:11:27,190 --> 00:11:29,350
OK, so here you go.

174
00:11:29,350 --> 00:11:31,890
Congratulations on meeting the leaks.

175
00:11:32,650 --> 00:11:34,990
So this is our flag.

176
00:11:35,320 --> 00:11:44,920
So as you can see, took a lot more to actually escalate our privileges than to actually hack in to

177
00:11:44,920 --> 00:11:45,610
the server.

178
00:11:45,850 --> 00:11:48,760
So I believe this was a good gate.

179
00:11:48,760 --> 00:11:56,890
Good Bridgman for our way into the escalation section, privileges escalation section, because we're

180
00:11:56,890 --> 00:12:00,070
going to deep dive into them in the next section.

181
00:12:00,250 --> 00:12:10,120
OK, so the purpose of the CTF was to give you an idea about how hard this previously escalation can

182
00:12:10,360 --> 00:12:17,650
get during practice and during real Pentair think we're going to deal with those in the upcoming section,

183
00:12:17,650 --> 00:12:19,750
which is privilege escalation.