1 00:00:00,960 --> 00:00:07,740 Hi, within this lecture, we're going to deep dive into the cron jobs that we have actually covered
2 00:00:07,740 --> 00:00:15,480 before in Bandit, we have seen a lot of cron jobs and also exploited them in order to gain access to
3 00:00:15,480 --> 00:00:18,460 the next level or in order to escalate our privilege.
4 00:00:18,780 --> 00:00:22,080 So that's exactly what we are going to do within these lectures.
5 00:00:22,320 --> 00:00:28,350 But also we're going to deep dive into the cron jobs now so that we can understand the theory in
6 00:00:28,350 --> 00:00:37,230 a better way, so that you can use it for your own good in upcoming acts or penetration tests during
7 00:00:37,230 --> 00:00:37,930 your career.
8 00:00:38,400 --> 00:00:44,820 So let me locate the cron.d over here, because I cannot seem to find the /etc/cron.d, as you can
9 00:00:44,820 --> 00:00:45,170 see.
10 00:00:45,600 --> 00:00:48,390 So I have a cron.d over there.
11 00:00:48,390 --> 00:00:53,240 Like if I try to cat this, it says that this is a directory.
12 00:00:53,640 --> 00:00:57,860 So let me cd into that and see what we have over there.
13 00:00:58,140 --> 00:01:00,100 And apparently there is nothing over there.
14 00:01:00,120 --> 00:01:03,270 Let me run ls -la and here you go.
15 00:01:03,990 --> 00:01:08,040 There is nothing over here but just a placeholder file which is hidden.
16 00:01:08,460 --> 00:01:11,960 And I don't think we have anything in the cron.d.
17 00:01:12,330 --> 00:01:15,450 But this is not the only thing that we should look for.
18 00:01:15,480 --> 00:01:17,910 We also have to look for crontab.
19 00:01:18,540 --> 00:01:27,120 So if you cat the /etc/crontab, you can see the cron jobs that reside in your system as well.
20 00:01:27,120 --> 00:01:34,070 And you will get a more detailed look like this and remember what the cron job is.
21 00:01:34,410 --> 00:01:44,040 So it's kind of a service that runs in background and it's scheduled so we can actually make it run
22 00:01:44,040 --> 00:01:45,620 at any time we want.
23 00:01:45,840 --> 00:01:50,460 And over here we see the shell and the path it uses.
24 00:01:51,180 --> 00:01:53,430 So let's see what else we have here.
25 00:01:53,430 --> 00:01:57,120 As you can see, we have a lot of commands over there.
26 00:01:57,120 --> 00:01:59,550 These are individual cron jobs.
27 00:02:00,060 --> 00:02:03,270 So we're going to talk about what these stars mean.
28 00:02:03,660 --> 00:02:07,850 And over here, we can see the command that it runs.
29 00:02:08,400 --> 00:02:17,520 So over here, we actually see some kind of cd command and we can see the /etc/cron.daily,
30 00:02:17,520 --> 00:02:18,870 cron.weekly, cron.monthly.
31 00:02:19,560 --> 00:02:27,570 So it doesn't mean that it necessarily has to have those names over here, like daily, weekly, monthly.
32 00:02:27,840 --> 00:02:34,800 We can actually see where we actually run this or when we actually run this and we're going to deep dive
33 00:02:34,800 --> 00:02:35,340 into that.
34 00:02:35,580 --> 00:02:43,380 And over here we see some overwrite.sh and also the compress.sh over here.
35 00:02:43,890 --> 00:02:50,700 So next thing we can do, maybe we can try to just see what this overwrite.sh does.
36 00:02:51,030 --> 00:02:55,760 OK, so I'm going to cat this and see if we can actually see this.
37 00:02:56,400 --> 00:03:00,870 It says that no such file or directory and it belongs to root.
38 00:03:01,200 --> 00:03:05,490 And as you can see, we run ls -la, we cannot actually see it.
39 00:03:05,490 --> 00:03:07,310 So it isn't really there.
40 00:03:07,830 --> 00:03:15,660 So maybe it's something in the path, like maybe it's under the /usr/local or /usr/local/bin.
41 00:03:15,990 --> 00:03:23,850 We are in the home user folder right now, so it doesn't mean necessarily that it should be in the home
42 00:03:23,850 --> 00:03:25,020 user directory.
43 00:03:25,260 --> 00:03:28,170 So maybe it's somewhere else in the path.
44 00:03:28,530 --> 00:03:33,210 OK, but in this case we can actually see the whole path over here.
45 00:03:33,210 --> 00:03:41,520 So /usr/local/bin/compress.sh, so I can just cat that and get to see what happens inside of
46 00:03:41,520 --> 00:03:41,760 it.
47 00:03:42,180 --> 00:03:44,850 As you can see, this file really exists.
48 00:03:44,850 --> 00:03:47,460 OK, so there is nothing wrong over here.
49 00:03:47,820 --> 00:03:55,250 But I believe the overwrite.sh doesn't exist or it exists in some other folder rather than home user.
50 00:03:55,620 --> 00:04:03,930 So this may be a path for us to go, like a lead that we can follow over here because it will be looked
51 00:04:03,940 --> 00:04:05,870 for in the home user folder first.
52 00:04:06,180 --> 00:04:12,840 So if we create the overwrite.sh file in the home user folder, then it will be executed as root
53 00:04:13,080 --> 00:04:21,060 over here and we can understand that it will be executed as a cron job.
54 00:04:21,360 --> 00:04:29,280 And maybe we should try to understand when it's going to be executed so that we can write a script to
55 00:04:29,280 --> 00:04:36,210 become root and we can just write a reverse shell or something like that in order to become root by using
56 00:04:36,210 --> 00:04:36,710 this lead.
57 00:04:36,730 --> 00:04:37,110 Right.
58 00:04:37,560 --> 00:04:39,870 So it's a good practice for us.
59 00:04:40,470 --> 00:04:47,730 But again, there is a lot of other information over here that we didn't cover and we should cover
60 00:04:47,730 --> 00:04:51,260 that in order to understand how cron jobs work.
61 00:04:51,660 --> 00:04:59,790 So over here, we see a lot of stars and they actually indicate when this is going to be executed.
62 00:04:59,790 --> 00:04:59,880 The.
63 00:05:00,050 --> 00:05:03,260 Or in which period this is going to be executed?
64 00:05:03,560 --> 00:05:06,930 OK, is it daily, is it weekly, is it monthly?
65 00:05:07,370 --> 00:05:09,960 So we have a lot of stars over here.
66 00:05:09,980 --> 00:05:12,500 So what do all of those things mean?
67 00:05:13,730 --> 00:05:17,810 We have to understand how to read these columns over here.
68 00:05:17,820 --> 00:05:19,490 I have to read this like a table.
69 00:05:19,880 --> 00:05:23,140 So for the first column, we have minutes, OK?
70 00:05:23,180 --> 00:05:25,030 And the second one is the hour.
71 00:05:25,310 --> 00:05:26,970 So H stands for hour.
72 00:05:27,260 --> 00:05:30,850 So this is day of month, day of month.
73 00:05:31,190 --> 00:05:35,980 So this is the month itself and this one is day of week.
74 00:05:36,440 --> 00:05:41,790 OK, so these numbers indicate when it's going to be executed.
75 00:05:42,230 --> 00:05:47,060 So if we see stars like this, it means every minute.
76 00:05:47,460 --> 00:05:53,990 OK, and if we see a specific number over here, it indicates the minute, for example, in this case,
77 00:05:53,990 --> 00:05:55,160 17 minutes.
78 00:05:55,940 --> 00:06:03,000 So we're going to just deep dive into this so that you can understand it in a better way.
79 00:06:03,320 --> 00:06:05,840 So let me show you a very quick way to do that.
80 00:06:06,080 --> 00:06:10,880 I'm just going to search for crontab guru, crontab.guru.
81 00:06:10,890 --> 00:06:13,070 So this is a website, OK?
82 00:06:13,130 --> 00:06:17,270 And this is not the only website where you can see this, but this is a very good one.
83 00:06:17,480 --> 00:06:22,260 So if you cannot make it run, you can just search for other websites as well.
84 00:06:22,490 --> 00:06:24,260 But let me show you what I mean.
85 00:06:24,650 --> 00:06:32,060 If you just write the stars over here or if you write the numbers over here, it will just give you
86 00:06:32,060 --> 00:06:32,910 what it means.
87 00:06:33,590 --> 00:06:38,780 So if you see five stars, it means at every minute.
88 00:06:39,110 --> 00:06:45,990 So overwrite.sh and this compress.sh will get executed every minute.
89 00:06:46,670 --> 00:06:53,810 So if we write 17 here, for example, it will be executed at the minute 17.
90 00:06:53,820 --> 00:06:57,120 So every 17 minutes it will be executed.
91 00:06:57,710 --> 00:07:07,310 So if we write 25 over here and 6 for the next step, it means that it will get executed every
92 00:07:07,310 --> 00:07:09,350 day at six o'clock.
93 00:07:09,740 --> 00:07:11,810 Twenty five past 6:00.
94 00:07:12,290 --> 00:07:15,100 OK, so let's try the other ones.
95 00:07:15,110 --> 00:07:17,210 Of course we have everyone.
96 00:07:17,240 --> 00:07:20,350 I read a script executed as root over here.
97 00:07:20,690 --> 00:07:22,780 So this will give us some clues.
98 00:07:22,780 --> 00:07:29,120 So this could be 47 and let's see, 47, 6.
99 00:07:29,120 --> 00:07:32,230 And the last one is 7.
100 00:07:32,660 --> 00:07:38,420 So let's see, yeah, at six forty seven on Sundays.
101 00:07:39,030 --> 00:07:43,550 So this is again a very weird cron job, but this is how it gets executed.
102 00:07:43,550 --> 00:07:43,940 Right.
103 00:07:44,630 --> 00:07:53,230 So it gets executed every week and it gets executed exactly at six forty seven on some days.
104 00:07:53,900 --> 00:08:06,580 So if we just go over here and make it into 52 and 1 and star, so 6:52 on day of month 1.
105 00:08:07,160 --> 00:08:12,810 OK, so this is how you understand when it's going to be executed.
106 00:08:12,830 --> 00:08:18,890 This is very important because maybe you can find a very good vulnerability over here.
107 00:08:18,890 --> 00:08:23,540 Maybe you can just run a script, OK, and it will be executed as root.
108 00:08:23,930 --> 00:08:32,420 But if it's not every minute or if it's not every day, maybe you will have to wait for a month in order
109 00:08:32,420 --> 00:08:33,730 to get that root shell.
110 00:08:34,010 --> 00:08:35,660 And it's not very practical.
111 00:08:35,660 --> 00:08:36,000 Right.
112 00:08:36,200 --> 00:08:40,370 So in this case we know that overwrite.sh and
113 00:08:40,370 --> 00:08:43,640 compress.sh will get executed like every minute.
114 00:08:43,670 --> 00:08:49,850 So if we can overwrite them then it will be great because we will just wait for a minute and we can
115 00:08:49,850 --> 00:08:50,900 get the shell back.
116 00:08:51,770 --> 00:08:59,810 So again, this is the crontab, so don't forget to cat the /etc/crontab when you try to
117 00:08:59,810 --> 00:09:03,600 find or locate the cron jobs in your pentests.
118 00:09:04,160 --> 00:09:06,890 So what I'm going to do, of course, I'm going to create an overwrite.sh.
119 00:09:06,890 --> 00:09:14,420 I'm going to echo cp /bin/bash /tmp/bash and put a semicolon over here.
120 00:09:14,570 --> 00:09:20,690 I'm just going to give SUID to /tmp/bash over there.
121 00:09:20,960 --> 00:09:24,650 Since it's going to be executed as root, it will be possible.
122 00:09:25,040 --> 00:09:32,270 And then I'm going to just put this into /home/user/overwrite.sh.
123 00:09:32,270 --> 00:09:35,220 So far, so good.
124 00:09:35,440 --> 00:09:41,090 OK, so we have done this before, but I'm going to also make it executable.
125 00:09:41,960 --> 00:09:47,690 Since I created that file as a user, I can just make it executable as user as well.
126 00:09:47,920 --> 00:09:50,420 OK, so great.
127 00:09:50,690 --> 00:09:59,390 Now, since I put this in the home user folder and since I know that home user is the first.
128 00:09:59,560 --> 00:10:08,410 I think that it should be looking in the path, then I can just wait for a minute and become root, right,
129 00:10:08,860 --> 00:10:11,250 because it will be executed every minute.
130 00:10:11,740 --> 00:10:14,240 So now it exists over here.
131 00:10:15,040 --> 00:10:24,340 So whatever we can do over here, what we can do right now is just to just go for the /tmp/bash like
132 00:10:24,340 --> 00:10:25,470 this, OK?
133 00:10:25,490 --> 00:10:29,220 And if it got executed, then we're going to get the root.
134 00:10:29,710 --> 00:10:36,640 So make sure you put the dash over here like we have done before and hit enter or just wait a minute
135 00:10:36,640 --> 00:10:43,930 and hit enter to see if you can become root, because if it got executed, then we will spawn this
136 00:10:43,930 --> 00:10:44,330 shell.
137 00:10:45,580 --> 00:10:51,680 So let me run the ls -la /tmp/bash or /tmp over here.
138 00:10:52,030 --> 00:10:53,260 Yeah, we see the bash.
139 00:10:53,410 --> 00:10:53,650 Yeah.
140 00:10:53,650 --> 00:10:54,160 Here you go.
141 00:10:54,160 --> 00:10:55,180 We see the bash.
142 00:10:55,360 --> 00:10:57,000 It got copied over here.
143 00:10:57,010 --> 00:11:00,600 That's how we can actually understand if it got executed or not.
144 00:11:00,880 --> 00:11:02,020 So if I run this.
145 00:11:02,020 --> 00:11:02,730 Here you go.
146 00:11:02,770 --> 00:11:07,510 I got the bash and if I run whoami, I am root as usual.
147 00:11:07,930 --> 00:11:08,260 Good.
148 00:11:08,270 --> 00:11:08,950 Right.
149 00:11:09,430 --> 00:11:13,450 So let's stop here and continue within the next lecture.