[00:00:00] Hi, within this section, we're going to focus on privilege escalation on Linux machines. In the next section, we're going to focus on privilege escalation for Windows machines as well. So don't worry about it for right now. We're going to solve our virtual challenges, our vulnerable machines, in TryHackMe. So TryHackMe is a platform that is actually created for you to solve vulnerable machines, one more time like Bandit. But this time you're going to create a profile for you, and then the machines that you will be solving will be recorded in that profile. So after you solve those machines, you get points, you get rewards, you get credit, so that you get a ranking. So when you apply for a job in cybersecurity, you can actually show your profile to the employers. And you can say that, yeah, I have solved all these challenges, I have a good ranking in TryHackMe, and so much more. So it's a good idea to learn how TryHackMe works for your cybersecurity career as well. So I have uploaded a virtual machine as a vulnerable machine in this TryHackMe platform so that we can work on that later on. During the course, we're going to see an alternative to TryHackMe again, which is called Hack The Box. So let me show you what I mean. So it's called Hack The Box, hackthebox.eu.
[00:01:40] So this is another platform. OK, we're going to do the Windows things in Hack The Box. But there is a paid option and a free option in Hack The Box, and also in TryHackMe as well, for license and registration purposes. We're going to use the Windows in Hack The Box and we're going to use the Linux in TryHackMe, so in TryHackMe you won't pay anything. But in the Windows section, for the Hack The Box section, you're going to need a VIP membership, at least for the time being that you solve those challenges. OK, I'm going to talk about that later on, or just right now. Don't worry about it. TryHackMe is completely free for you, at least for this course. Of course, there is a VIP section or VIP option in TryHackMe as well. I'm going to show you what I mean once we get into that. So first of all, we're going to have to create an account and then set our machine up so that we can communicate with the TryHackMe servers, so that we can actually run an nmap scan or ping the target's vulnerable machine that we are working on. So as I said before, I have found a vulnerable machine, and I modified it and put it in TryHackMe. OK, so I'm going to talk about it as well. So if you have an account in TryHackMe, you're more than fine to use it.
[00:03:19] But if you don't, I'm going to show you how to sign up. So all you got to do is just come over here and say join now, OK? And over here it will ask you to create a username and an email and password. So make sure you give your username, email and password and choose your experience level, which doesn't mean anything, really. Just choose whatever you want. You can choose complete beginner, early intermediate, intermediate or advanced. It really doesn't matter. You will just see custom preferences or custom offerings for you, but you can reach whatever you want in this whole website. OK, just sign up from here, after which you will enter your email and just confirm the account. Since I have already done that, I can just come over here to the login page and say I'm not a robot, and I can log in with my username and password. So once I do that, it will take me to the dashboard of TryHackMe, in which I can actually see what kind of rooms I'm in, what kind of CTFs I'm working on. So we're going to talk about what the room is right now. I'm just going to click on the dashboard, and it starts loading; for some reason it hasn't been completed yet, but it really doesn't matter. I'm just going to show you what to do. If you come over here, you can see the menu, like compete, learn, develop, OK.
[00:04:50] And of course, the images and the menu options, like icons, can change over time. But the first thing you should do in here, when you come over here, is just take a look at the dashboard to get familiarized a little bit. For example, you can see your current ranking. You can see how many users are there. Over here we have more than 240,000 students or users right now. It will be more when you visit it. But if you come over here to activities, you can see all possible virtual machines, vulnerable machines, which you can work on actually. And after you complete the course, I really suggest you come back here for free versions of the vulnerable machines and just try to solve them all together. OK, here we have some rooms here. We have some activities in which we can practice some sort of skills. Here we have two hundred sixty-seven public rooms, OK? And you can search for any term, like learn Linux, learn Windows, something like that, to find a related room. And you can just choose it from this list as well. So these are the most popular ones right now.
[00:06:06] What we want to do, what we want to find, is OpenVPN, OK? We can see that from our dashboard or we can see it from here. As for why we are looking for a VPN, because that's how we actually establish a connection between TryHackMe and our Kali Linux machine. So I'm going to show you how to set this up. And if you cannot find it, you can just search for OpenVPN and just find the OpenVPN room from here. So it will display different kinds of instructions for different kinds of operating systems, like Windows, Mac OS and Linux. OK, and there they are in the form of tasks. So we're going to see what the task is. But a task is actually when you get the question or when you get the tip, like we have seen in Bandit, then you do it. You can just say, OK, I have done it, and just hit submit. OK, so over here, for example, I can just say completed. And if we are looking at a challenge, like a CTF, like a capture the flag, it will ask you for a flag, and when you get the flag, you paste it over here and just say submit so that you get a point. So this is how this works, OK? This is how the system confirms that you solved a virtual machine or solved a CTF. You capture the flags and just submit them from there. But in this case, we don't have to capture a flag or something like that. It says that:
[00:07:40] Go to the access page, OK, and download your own OpenVPN file. So make sure you go to TryHackMe slash access, or follow the link on the first task, because you're going to have to choose a server from here. So if you come over here, you can see the regular servers, and you can just choose either of them and download your configuration file. So this configuration file belongs to you; it's specific to you. For example, mine is named after my name, as you can see, in fact after my username. And I'm going to save this file, because that's what I will use in order to connect to the TryHackMe servers. So you should download your own and just follow along with me, OK? After that, you can come over here to task four, which is Connecting with Linux. So it says that run sudo apt install openvpn, which will install the OpenVPN tool on your Linux, and in Kali Linux it comes preinstalled. So you don't need to do this step. But if for some reason it's not installed, just do this, and then you can just run the file that you have downloaded. So I'm going to go into Downloads, run ls, and I'm going to grep my name, because there are a lot of files in my Downloads folder, I believe. Here you go.
[00:09:07] So I see my own .ovpn file over here. So you will see yours in your Downloads folder. So what you have to do, you have to run OpenVPN. OK, you can just say openvpn and run it from here like this. So once you do that, it will just connect to this VPN, and it will send your requests through this VPN so that you can communicate with the TryHackMe servers. As you can see, if I run ifconfig, I still see my regular interface, but also I get a tunnel over here, which is tun0, and I have an IP address related to that tunnel. So ten nine one nine nine two one three for me. So of course it will be different for you. So once I see that, once I see the tun0, then it means that I can connect to the TryHackMe servers. OK, so over here it says get connected. Since we have done that, I believe it will just show up as connected right now. So let's see. Let's come over here. I'm going to search for Debian, OK, so it won't show up here, because I made this private so that no one else can reach it except the students of this course. So I'm going to come over here and I'm going to go into that room. So the room is basically our virtual machine, where a vulnerable machine is located.
[00:10:42] So it's the room Debian PrivEsc for me. So this is the link. But I believe you cannot actually reach that link by just typing it in the browser. I'm going to share a link with you in the resources of this lecture so that you can actually enroll in this room, so that you can see all the things that I'm seeing right now. OK, so this is the room that we will be working on. As you can see, there are a lot of tasks over here. So each task represents a privilege escalation technique. All we have to do is just follow along with this, and we can try every privilege escalation technique over here. I'm going to take you over to most of the most popular ones, the most common ones that you're going to come across within CTFs or pentests. So I'm going to show you one more time. As I said before, I found this machine online. So I'm going to show you where I found this. And I have modified this a little bit to make this suitable for our own course. So I'm going to search for privilege escalation and GitHub. You don't have to do that by now. I'm just doing this so that you know that I got this from someone, and I want to credit this guy, which is Sagi Shahar or something like that. Maybe I'm mispronouncing it.
[00:12:12] But again, this guy is great, because he came up with this privilege escalation workshop in which he created the vulnerable Linux system, a system that we are going to use in this course. So we are basing our vulnerable machines on this guy's workshop. So thank you for that. I don't know, I don't even know the guy, but I have actually benefited from that a lot. Thank you very much. So over here, I got these descriptions from the GitHub page as well, but I have just made it so that you can find it for each task, OK, chronologically or in a way that you can follow logically, OK, so that it would make sense to you. And I'm not going to just follow along one by one over here, OK? I'm just going to follow along with my own curriculum. But we're going to take you over to the most common ones as well, as much as possible. So if you run deploy, if you just hit on the button, as you can see, our machine is deployed over here. So it's called Debian PrivEsc. And within one minute we will see the IP address of that machine in here, and it expires within fifty-nine minutes if we don't add an additional hour from here. So it will take us much more to solve all the questions.
[00:13:47] So I believe it's a good idea for you to add one hour, and after you finish your job over here, don't forget to click on terminate, so that you don't actually create a burden for the TryHackMe servers for no reason. So again, this will deploy our virtual machine, and this will deploy the virtual machine that I have uploaded specifically for this course for you, and will give you an IP address, and you will be able to directly reach that IP address and ping that IP address from your Linux machine, because you have downloaded your own OpenVPN file and ran it in your own Linux machine. OK, so if you have skipped that step for some reason, don't forget to do it. So here you go. This is our IP address. So once you just terminate this and run it one more time, it may change. But right now it has the same subnet as I have in my tun0, as you can see. So it's ten, ten, one, nine, seven, fifty-six for me. So I'm going to try that one to see if I can actually reach it, and here you go. As you can see, I can go and reach that; it's very good. Now we have established the connection between our Kali Linux and the TryHackMe server that we have deployed here. We see the username and password. So we have the root password and the user password here as well.
[00:15:27] You won't need the root password, OK, because we will always log in as user and try to make our way to become root. But if you need it for some reason, the user password is James three two one and the root password is James one two three. So in order to SSH into that, you have to write ssh user at the IP address. OK, this is not the IP address, this is the password. So let me get the IP address one more time. So all you got to do is just run this and give James three two one as the password once you hit enter. OK, and again, if you want to, you can directly SSH as root as well. But it won't make sense, because all the practices that we are going to do are to become root using the user. OK, so I'm going to paste this thing in, and here you go. We are connected to the server, so we are not hacking in. I already gave you the passwords, because we will practice privilege escalation in this section rather than hacking in. So we're going to stop here and start within the next lecture.