1 00:00:00,480 --> 00:00:07,530 Hi, within this lecture, we're going to see SUID permissions one more time, and actually this 2 00:00:07,530 --> 00:00:12,320 is, again, an advanced way of exploitation in order to escalate our privileges. 3 00:00:12,330 --> 00:00:17,430 So we are in Task 15 over here, file permissions, SUID binaries. 4 00:00:17,910 --> 00:00:25,170 So we're going to see how it works and we're going to work with environment variables over here, or PATH. 5 00:00:25,440 --> 00:00:28,160 And you're going to see what this is in a minute. 6 00:00:28,530 --> 00:00:33,720 Now I'm going to write the find thing again that we have been running so far. 7 00:00:33,990 --> 00:00:42,780 OK, I'm going to search for the type of... I'm going to find the permissions over here and just run ls on that 8 00:00:42,780 --> 00:00:46,530 list and just put the output in /dev/null. 9 00:00:46,530 --> 00:00:51,470 But for some reason, it hasn't been executed, or... 10 00:00:51,600 --> 00:00:51,980 Yep. 11 00:00:51,990 --> 00:00:52,740 Here you go. 12 00:00:52,740 --> 00:00:57,580 I have to say type and f like this, with -type. 13 00:00:58,060 --> 00:01:06,170 OK, so here we have seen the [REMOVED] over here, but also we have the suid-env. 14 00:01:06,480 --> 00:01:13,550 So suid-env, this is another binary that we have seen before, but we haven't looked into it. 15 00:01:13,830 --> 00:01:16,590 So right now I'm just going to focus on this. 16 00:01:16,800 --> 00:01:24,780 OK, in our case, in our scenario, we've found a SUID permission over here and we are trying to 17 00:01:24,780 --> 00:01:26,190 understand what it does. 18 00:01:26,760 --> 00:01:34,790 Once we run that, it says "Starting web server: apache2httpd" and it says "already running". 19 00:01:35,130 --> 00:01:41,120 So most probably this SUID, or this binary, starts the Apache server.
20 00:01:41,640 --> 00:01:50,610 OK, and in order to confirm this, we can try multiple things, like we can run strace as we have seen 21 00:01:50,610 --> 00:01:55,730 before, we can try strings, which is another way of seeing that. 22 00:01:55,920 --> 00:02:00,740 So let me just try this with strace, OK, and run this. 23 00:02:01,290 --> 00:02:02,250 So here you go. 24 00:02:02,700 --> 00:02:05,250 What can we see with strace? 25 00:02:05,250 --> 00:02:05,760 Let's see. 26 00:02:06,540 --> 00:02:15,150 So it says that again, we have "no such file or directory" over here, but we have already covered 27 00:02:15,150 --> 00:02:15,510 that. 28 00:02:15,510 --> 00:02:22,290 Maybe there is a way to actually do this one more time within this binary as well. 29 00:02:22,530 --> 00:02:25,740 But we already covered that in the previous lecture. 30 00:02:26,070 --> 00:02:34,650 So we see "operation not permitted" over here with setuid, or setresuid, over here. 31 00:02:34,920 --> 00:02:39,330 So we have the apache2 permission denied for some reason. 32 00:02:39,540 --> 00:02:44,010 OK, so it's definitely trying to start the apache2. 33 00:02:44,010 --> 00:02:49,700 We already saw it in the logs and we already saw it over here as well. 34 00:02:49,710 --> 00:02:55,230 So there's something going on with the Apache, OK, it says permission denied. 35 00:02:55,240 --> 00:03:05,040 I don't know why it's saying that, because in my opinion, it gives us the "service is already running" 36 00:03:05,040 --> 00:03:05,580 thing. 37 00:03:05,580 --> 00:03:07,740 So it should have been executed. 38 00:03:08,010 --> 00:03:09,690 So I'm going to run this with strings. 39 00:03:10,080 --> 00:03:15,600 So if you run something with strings, you can see the strings that it can find. 40 00:03:15,600 --> 00:03:19,440 It doesn't always give you the best result because this is a binary. 41 00:03:19,740 --> 00:03:23,310 We cannot get the whole source code or something like that.
42 00:03:23,550 --> 00:03:31,200 But if the source code, or if it does something with the commands, with a string like this, for example, 43 00:03:31,200 --> 00:03:36,570 running "service apache2 start" in this case, we can actually see it. 44 00:03:36,780 --> 00:03:45,050 OK, so running strings may not give you the best output, but we can see some kind of clues like this. 45 00:03:45,300 --> 00:03:52,500 So in this case, we know that this SUID binary is trying to run "service apache2 start". 46 00:03:53,160 --> 00:03:57,360 So we already knew that, but we didn't know how it ran that. 47 00:03:57,360 --> 00:04:03,260 So it actually runs that with a command like this: service apache2 start. 48 00:04:03,750 --> 00:04:05,490 So let me show you something. 49 00:04:05,490 --> 00:04:08,640 What does service do if we run service? 50 00:04:08,880 --> 00:04:12,600 It actually runs that binary, actually runs an executable. 51 00:04:12,600 --> 00:04:12,960 Right. 52 00:04:13,170 --> 00:04:15,750 And it gives us how we can use it. 53 00:04:15,960 --> 00:04:20,400 So it's the same thing with Python, actually, but we don't have Python over here. 54 00:04:20,550 --> 00:04:22,770 So let me show you on my own Kali. 55 00:04:22,980 --> 00:04:28,770 If I run python, I go into the Python shell and I can just run Python code like this. 56 00:04:29,430 --> 00:04:31,380 So let me exit out of this one. 57 00:04:31,950 --> 00:04:34,380 And I believe I have to write it like this. 58 00:04:34,860 --> 00:04:43,560 So the question is, how does Linux understand when I run service or when I run python or when I run 59 00:04:43,560 --> 00:04:44,640 something else? 60 00:04:45,150 --> 00:04:47,070 So there must be a logic. 61 00:04:47,070 --> 00:04:54,510 And the logic behind it is the environment variables, or the PATH, that we're going to see in this lecture. 62 00:04:54,900 --> 00:04:59,900 So it's the same in Linux, it's the same in Windows, and it's the same on the Mac
63 00:05:00,000 --> 00:05:07,470 as well, so we define some variables in an environment and then, when we run this, the operating system 64 00:05:07,470 --> 00:05:09,150 will know where to look for it. 65 00:05:09,630 --> 00:05:12,600 So in this case, it's looking at some folders. 66 00:05:12,600 --> 00:05:17,040 And if it finds the service binary there, it executes it. 67 00:05:17,280 --> 00:05:24,870 If it finds the python there, it executes it, OK, if it doesn't find... if we don't give that information 68 00:05:24,870 --> 00:05:27,760 to the operating system, it cannot find it. 69 00:05:28,020 --> 00:05:33,000 So maybe in our server, Python is installed, but it doesn't know where it's located. 70 00:05:33,480 --> 00:05:39,480 So if you print the PATH like this, you can see your own path. 71 00:05:40,500 --> 00:05:47,960 So in this case, we get some "no such file or directory" over here, but also we see the /usr/bin. 72 00:05:48,390 --> 00:05:56,790 So whatever resides under the /usr/local/bin folder, for example, it will be found and it will be executed. 73 00:05:57,030 --> 00:06:03,070 Once I write something over here, for example, python should be under /usr/local/bin. 74 00:06:03,630 --> 00:06:11,630 So if we go to /usr/local/bin like this, OK, or /usr/bin, it really doesn't matter. 75 00:06:11,640 --> 00:06:14,400 Just go to /usr/bin. 76 00:06:14,700 --> 00:06:21,780 You will see a lot of folders or a lot of executables over here, like zip, zipcloak, something 77 00:06:21,780 --> 00:06:22,480 like this. 78 00:06:22,500 --> 00:06:29,450 OK, so there are a lot of executables and this is how actually my Linux knows, when I write something, 79 00:06:29,730 --> 00:06:38,010 for example, if I write zip over here within any folder, OK, not in /usr/bin, it knows to look 80 00:06:38,010 --> 00:06:41,410 at /usr/bin because it's defined in the PATH.
81 00:06:41,990 --> 00:06:47,370 OK, so if I run the zipcloak, for example, I don't even know what zipcloak is. 82 00:06:47,670 --> 00:06:54,690 It will find it under /usr/bin and it will execute it like this because it's defined in the PATH. 83 00:06:55,080 --> 00:07:01,650 Once I write this, it finds that... it tries to find it in /usr/bin, /usr/local/bin and every other 84 00:07:01,650 --> 00:07:03,470 folder that is defined in PATH. 85 00:07:04,050 --> 00:07:13,290 So what I mean is, if I can change the service, for example, rather than it finding the original 86 00:07:13,290 --> 00:07:21,090 service in the PATH, maybe it can find my own version of service, or something called service, like 87 00:07:21,090 --> 00:07:25,200 an executable that will lead me to an escalated privilege. 88 00:07:25,500 --> 00:07:27,410 Then I can become root. 89 00:07:27,960 --> 00:07:28,490 Right. 90 00:07:28,740 --> 00:07:30,020 So it's hard to do. 91 00:07:30,270 --> 00:07:36,570 We don't know whether we can change the PATH in a way that we want, but it's worth a shot because there 92 00:07:36,570 --> 00:07:42,030 is a SUID binary that runs this command and we are certain of that. 93 00:07:42,030 --> 00:07:43,500 We can see it in the strings. 94 00:07:43,680 --> 00:07:44,570 So why not? 95 00:07:44,580 --> 00:07:45,630 Let's try this. 96 00:07:45,930 --> 00:07:48,480 That's what we are going to do within the next lecture.