1 00:00:01,110 --> 00:00:07,140 Hi, within this lecture, we're going to see another technique that we can use in order to escalate 2 00:00:07,140 --> 00:00:14,280 our privileges in Linux, and we're going to see this in another machine because it's relatively newly 3 00:00:14,280 --> 00:00:21,840 discovered, it's discovered in 2019 and a lot of Linux servers around the world didn't actually upgrade 4 00:00:21,840 --> 00:00:25,400 themselves in order to patch the security over here. 5 00:00:25,650 --> 00:00:27,350 So let me show you what I mean. 6 00:00:27,600 --> 00:00:33,660 I'm going to go into the activities one more time, and this is a free machine as well. 7 00:00:33,930 --> 00:00:37,230 And I didn't even create it, or I didn't even upload it. 8 00:00:37,230 --> 00:00:41,940 We are just going to take leverage of somebody else's machine on this thingy. 9 00:00:42,240 --> 00:00:44,370 And I believe there are more than one. 10 00:00:44,370 --> 00:00:52,470 But I will show you at least the most popular machine or at least what I liked most, because they laid 11 00:00:52,470 --> 00:00:56,470 out the theory as well in a very good way. 12 00:00:56,880 --> 00:01:07,860 So we are looking for CVE-2019-14287, like this. 13 00:01:07,860 --> 00:01:10,390 OK, 14287. 14 00:01:10,860 --> 00:01:16,230 So as you can see, there is only one machine right now and I believe I have seen some others as well. 15 00:01:16,350 --> 00:01:20,450 Maybe it was in Hack The Box, but let me show you what it does. 16 00:01:20,580 --> 00:01:23,160 So I'm going to search for this online. 17 00:01:23,430 --> 00:01:31,940 And of course you will find it in Exploit-DB or any other CVE tracking websites over here. 18 00:01:32,130 --> 00:01:38,850 So let me just open a couple of these over there so that you can see how it's discovered and what are 19 00:01:38,850 --> 00:01:41,510 the technical things behind it.
20 00:01:41,940 --> 00:01:44,760 So I believe this is the Debian website. 21 00:01:44,760 --> 00:01:46,340 So let me come over here. 22 00:01:46,530 --> 00:01:53,600 Yep, it's been discovered in Debian and it says that it's related to the sudo command itself. 23 00:01:53,880 --> 00:02:01,620 OK, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists. 24 00:02:02,100 --> 00:02:07,910 And I'm going to show you how it's done, how it can be possible to bypass that security. 25 00:02:08,340 --> 00:02:12,510 OK, and over here, you don't have to do that by now. 26 00:02:12,510 --> 00:02:19,320 By the way, I'm just showing you some kind of details or how you can find it online. 27 00:02:19,620 --> 00:02:23,130 But actually, you can find this machine on TryHackMe. 28 00:02:23,280 --> 00:02:26,520 They laid out the theory behind it in a very good way. 29 00:02:26,760 --> 00:02:33,300 OK, so make sure you join the room over here and just deploy the machine, OK? 30 00:02:33,600 --> 00:02:38,730 And then you can just try to read the task over there. 31 00:02:39,120 --> 00:02:42,570 And for the first task, it's just for deploying. 32 00:02:42,570 --> 00:02:49,980 We already know how it's done because we have solved our own machine in TryHackMe, and for task 33 00:02:49,980 --> 00:02:58,380 two, sudo bypass, I'm just going to say OK to this, OK, and go into task two to read about 34 00:02:58,380 --> 00:02:59,840 the details over here. 35 00:03:00,300 --> 00:03:04,470 So as you can see, this is a vulnerability found in the Unix sudo. 36 00:03:05,070 --> 00:03:10,140 So sudo is a command in Unix that allows you to execute programs as other users. 37 00:03:10,140 --> 00:03:11,310 We already knew that. 38 00:03:11,310 --> 00:03:11,700 Right.
39 00:03:12,180 --> 00:03:21,060 But what we didn't know or what we actually are learning here is that we can try to act like another 40 00:03:21,060 --> 00:03:30,480 user and we can try to just give the UID of the user, OK, so we can run this command sudo -u 41 00:03:30,480 --> 00:03:32,910 and just give the UID of that user. 42 00:03:33,600 --> 00:03:36,840 So maybe you did know that, maybe you didn't know that. 43 00:03:37,350 --> 00:03:42,720 It's not very important because we can use the usernames in Linux as well. 44 00:03:42,900 --> 00:03:47,760 But it got really important when a certain guy figured out something. 45 00:03:48,690 --> 00:03:53,760 If you just come over here, you know, root always has the ID of zero. 46 00:03:54,060 --> 00:04:00,540 So we knew that because we actually have seen it in the setuid code section. 47 00:04:01,140 --> 00:04:05,280 So over here it says that root is always zero. 48 00:04:05,400 --> 00:04:11,670 So you can try to become root like sudo -u#0 and try to run the command. 49 00:04:11,820 --> 00:04:18,750 And of course it won't work, OK, because there is a security configuration there that will not 50 00:04:18,750 --> 00:04:20,010 let you run this. 51 00:04:20,370 --> 00:04:24,900 But what if, what if you just put a minus zero over there? 52 00:04:25,320 --> 00:04:32,190 OK, so some guy discovered that if you put a minus zero rather than zero over here, minus one, I 53 00:04:32,190 --> 00:04:40,620 mean not minus zero, minus zero versus, well, rather than zero, if you put minus one over there, then 54 00:04:40,620 --> 00:04:49,470 it becomes like confused and it actually bypasses that security config and it gets executed as 55 00:04:49,470 --> 00:04:49,860 root. 56 00:04:50,670 --> 00:04:52,920 So let me SSH into this 57 00:04:52,920 --> 00:04:56,910 thing, OK, the username and password is tryhackme. 58 00:04:57,420 --> 00:04:59,940 OK, I'm going to SSH
into this. 59 00:05:00,530 --> 00:05:07,910 And I'm going to say yes, and we're going to try this, so the password should be tryhackme and here 60 00:05:07,910 --> 00:05:11,300 you go, we are inside of TryHackMe. If we run 61 00:05:11,300 --> 00:05:13,030 ls -la, nothing is over here. 62 00:05:13,040 --> 00:05:18,460 We don't need any kind of thing or folder or file in order to crack this. 63 00:05:18,800 --> 00:05:21,440 So what I'm going to do, I'm going to run this, OK. 64 00:05:21,650 --> 00:05:29,360 So I'm going to run sudo -u and give the zero over here in order to try and execute this 65 00:05:29,360 --> 00:05:29,990 as root. 66 00:05:30,320 --> 00:05:32,630 So I'm going to execute this as /bin/bash. 67 00:05:32,840 --> 00:05:34,490 It will ask me for a password. 68 00:05:34,490 --> 00:05:39,080 I'm going to give it the tryhackme password and here you go. 69 00:05:39,080 --> 00:05:40,100 It doesn't accept it. 70 00:05:40,100 --> 00:05:41,810 Let me try it one more time. 71 00:05:42,170 --> 00:05:42,580 Yeah. 72 00:05:42,590 --> 00:05:42,820 Yeah. 73 00:05:42,830 --> 00:05:47,940 Even though it accepts it, it will say that the user tryhackme is not allowed to execute /bin/bash 74 00:05:47,960 --> 00:05:50,420 as root on this machine, of course. 75 00:05:50,870 --> 00:05:54,500 But if I do this like minus two, let me see. 76 00:05:54,920 --> 00:05:55,220 Yeah. 77 00:05:55,220 --> 00:05:58,040 It says that I have no name, OK. 78 00:05:58,280 --> 00:06:01,770 But if we execute this like, yeah, 79 00:06:01,850 --> 00:06:06,050 it cannot find that ID, OK, if we run whoami. 80 00:06:06,530 --> 00:06:14,590 But if we execute this like, let me exit and execute this as minus one, and here you go. 81 00:06:14,600 --> 00:06:15,650 Now we are root. 82 00:06:16,160 --> 00:06:21,800 So it's actually cheating the rules for some reason.
83 00:06:22,100 --> 00:06:29,930 And the reason is that we actually managed to bypass the security by running minus one over here. 84 00:06:30,170 --> 00:06:37,670 So let me get the text over there so that we can actually copy this selection and put it in 85 00:06:37,880 --> 00:06:39,830 TryHackMe to gain a little bit of ranking. 86 00:06:39,830 --> 00:06:40,040 Right. 87 00:06:40,040 --> 00:06:42,530 So you can just do this on your own as well. 88 00:06:43,040 --> 00:06:45,890 So what command are you allowed to run with 89 00:06:45,890 --> 00:06:46,610 sudo? 90 00:06:46,790 --> 00:06:47,720 Yeah, bash. 91 00:06:48,200 --> 00:06:49,790 We have run /bin/bash. 92 00:06:49,910 --> 00:06:50,210 Right. 93 00:06:50,210 --> 00:06:50,960 So yeah. 94 00:06:50,960 --> 00:06:52,570 Perfect, correct answer. 95 00:06:53,270 --> 00:07:02,300 So again, this is a very actually easy vulnerability to just use in order to escalate your privilege, 96 00:07:02,630 --> 00:07:06,650 but also a very creative one to discover. 97 00:07:06,650 --> 00:07:10,700 So congratulations to this guy or whoever discovered it. 98 00:07:11,030 --> 00:07:17,120 And again, don't forget to try this because it's relatively new and you can actually see this in real 99 00:07:17,120 --> 00:07:18,500 life pentests as well. 100 00:07:18,860 --> 00:07:22,280 So let me stop here and continue in the next section.